WIP: Enable AD DC tests using ipalab-config

ipalab-config allows the creation of complex IPA environments using
rootless containers. The tool provides the means to create an
environment where a trust can be set between IPA and Samba AD DC,
which is similar enough to Windows AD DC to be used in ansible-freeipa
testing.

To start a test scenario run 'infra/scenarios/start-scenario' passing
the scenario configuration as parameter. The configuration for the
scenario will be generated with 'ipalab-config', the containers will be
started, all the nodes will be deployed and the initial configuration
will be applied to the scenario. The configuration directory will be
moved to the repository root.

Test playbooks can be executed using this scenario, or it can be used
with 'pytest'.

Only one scenario can be run at a single time.

When the tests are finished, 'infra/scenarios/stop-scenario' will
cleanup the environment, and a new scenario can be started.

The configuration directory created will not be removed, but will be
overwritten if a new scenario is created.

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>

.gitignore

@@ -11,5 +11,9 @@ importer_result.json
 /.tox/
 /.venv/
 
+# ansible-freeipa test environments
+/**/ansible-freeipa-scenario/
+
+# test output files
 tests/logs/
 TEST*.xml

infra/scenarios/README.md

@@ -0,0 +1,44 @@
+ansible-freeipa testing scenarios
+=================================
+
+The ansible-freeipa testing scenarios are a collection of scripts and configuration files to aid on the creation of environments composed of single or multiple IPA deployments, each one with one or more hosts, and external hosts like name servers or Samba Active Directory Domain Controllers.
+
+The environment created is based on rootless containers (what itself may impose some limits and restrictions on testing) that are part of a `pod`. A custom bridge network is used for the `pod`.
+
+
+Dependencies
+------------
+
+* ipalab-config version 0.10.2 or later
+* podman-compose
+* podman
+
+All dependencies can be installed in a Python virtual environment.
+
+
+Scenarios
+---------
+
+The following test scenarios are currently available:
+
+**ipa-ad-trust.yml**
+
+A scenario with one server, one client and one node not part of the IPA deployment running Samba AD DC. This scenario can be used to run AD related tests.
+
+
+Restrictions
+------------
+
+When creating new scenarios, these rules apply:
+
+* All scenarios `lab_name` must be `ansible-freeipa-scenario`
+* All playbooks to be executed when starting a scenario must named starting with `config_`
+* There's no guarantee on the order the configuration playbooks will be executed
+* Non-IPA nodes are deployed before the IPA clusters
+
+
+Usage Example
+-------------
+
+In this example we will run
+

infra/scenarios/ipa-ad-trust.yml

@@ -0,0 +1,54 @@
+# IPA trust to Samba AD DC.
+#
+# Steps to set trust on 'server':
+#   # kinit admin <<< SomeADMINpassword
+#   # ipa dnsforwardzone-add ad.ipa.test. --forwarder=192.168.13.250
+#   # ipa trust-add ad.ipa.test --type ad --range-type ipa-ad-trust --two-way true --admin=Administrator --password <<< Secret123
+#
+# Create samba user on 'addc':
+#   # samba-tool user create jdoe --given-name John --surname Doe
+#
+# Checking user on IPA server:
+#
+#  # getent passwd jdoe@AD.IPA.TEST
+#  # kinit jdoe@AD.IPA.TEST
+#
+---
+lab_name: ansible-freeipa-scenario
+subnet: "192.168.13.0/24"
+extra_data:
+  - playbooks/config_trust_users.yml
+external:
+  hosts:
+  - name: addc
+    hostname: dc.ad.ipa.test
+    role: addc
+    ip_address: 192.168.13.250
+    options:
+      forwarder: 192.168.13.100
+ipa_deployments:
+  - name: ipa
+    domain: linux.ipa.test
+    admin_password: SomeADMINpassword
+    dm_password: SomeDMpassword
+    cluster:
+      servers:
+        - name: server
+          capabilities: ["DNS", "AD", "KRA"]
+          ip_address: 192.168.13.100
+          vars:
+            ipaserver_netbios_name: IPA
+            ipaserver_idstart: 60000
+            ipaserver_idmax: 62000
+            ipaserver_rid_base: 63000
+            ipaserver_secondary_rid_base: 70000
+            # trust test vars
+            winserver_domain: ad.ipa.test
+            winserver_admin_password: Secret123
+            winserver_ip: 192.168.13.250
+            # external users vars
+            test_ad_user: 'jdoe@DC'
+            test_alt_user: 'jdoe@ad.ipa.test'
+      clients:
+        - name: cli01
+          dns: server

infra/scenarios/playbooks/config_trust_users.yml

@@ -0,0 +1,17 @@
+---
+- name: Add some users to Samba AD DC
+  hosts: addc
+  become: false
+  gather_facts: false
+
+  tasks:
+  - name: Add users to AD DC
+    ansible.builtin.shell: samba-tool user create {{ item.login }} --given-name {{ item.first }} --surname {{ item.last }}
+    args:
+      stdin: |
+        Secret123
+        Secret123
+    loop:
+      - {login: "jdoe", first: "John", last: "Doe"}
+      - {login: "lanne", first: "Lisa", last: "Anne"}
+      - {login: "zica", first: "Zoe", last: "Ica"}

infra/scenarios/requirements.txt

@@ -0,0 +1,2 @@
+ipalab-config>=0.10.2
+podman-compose>=1.2.0

infra/scenarios/start-scenario

@@ -0,0 +1,84 @@
+#!/bin/bash -eu
+
+die() {
+    echo "FATAL: $*" >&2
+    exit 1
+}
+
+check_dependencies() {
+    for dep in "$@"
+    do
+        command -v "$dep" >/dev/null || die "Required dependency missing: ${dep}"
+    done
+}
+
+usage() {
+    cat << EOF
+usage: start-scenario [-h] [-D] CONFIG
+
+Start an ansible-freeipa testing scenario described by CONFIG.
+
+Options:
+
+    -h       Display this help screen
+    -D       Create configuration but don't start the environment
+
+EOF
+}
+
+
+while getopts ":hD" option
+do
+    case "${option}" in
+        h) usage && exit 0 ;;
+        D) DEPLOY="N" ;;
+        *) die "Invalid option: ${option}" ;;
+    esac
+done
+
+shift $((OPTIND - 1))
+
+check_dependencies "ipalab-config" "podman-compose" "podman" "ansible-playbook"
+
+[ $# -eq 1 ] || die "A single scenario description must be provided."
+
+TEST_SCENARIO="ansible-freeipa-scenario"
+
+BASEDIR="$(readlink -f "$(dirname "$0")")"
+TOPDIR="$(readlink -f "${BASEDIR}/../..")"
+LABDIR="${TOPDIR}/${TEST_SCENARIO}"
+
+# Check if a testing scenario already exists
+pod="$(podman pod ps --filter "name=${TEST_SCENARIO}" --format "{{ .Name }}")"
+[ -z "${pod}" ] || die "Testing scenario is running."
+
+# Generate configuration
+cd "${BASEDIR}"
+rm -rf "${LABDIR}"
+ipalab-config "$(readlink -f "$1")"
+mv "${TEST_SCENARIO}" "${LABDIR}"
+
+[ "${DEPLOY:-"Y"}" == "Y" ] || exit 0
+
+cd "${LABDIR}"
+
+# Start compose
+echo Starting compose
+podman-compose up -d > /tmp/ansible-freeipa-scenario.log 2>&1
+
+# Deploy external nodes
+echo Deploying external nodes
+ansible-playbook -i inventory.yml playbooks/deploy_*.yml
+
+# Deploy IPA cluster
+echo Deploying IPA cluster
+ansible-playbook -i inventory.yml playbooks/install-cluster.yml
+
+# Initial scenario configuration
+echo Deploying scenario initial configuration
+ansible-playbook -i inventory.yml playbooks/config_*.yml
+
+# Print container names
+echo -e "\n\nScenario containers:"
+podman pod ps --filter "name=pod_${TEST_SCENARIO}" --format "{{ .ContainerNames }}" \
+  | sed "s/^/\t/;s/,/\n\t/g"

infra/scenarios/stop-scenario

@@ -0,0 +1,30 @@
+#!/bin/bash -eu
+
+TEST_SCENARIO="ansible-freeipa-scenario"
+
+BASEDIR="$(readlink -f "$(dirname "$0")")"
+TOPDIR="$(readlink -f "${BASEDIR}/../..")"
+LABDIR="${TOPDIR}/${TEST_SCENARIO}"
+
+die() {
+    echo "FATAL: $*" >&2
+    exit 1
+}
+
+[ -n "$(podman pod ls --filter "name=pod_${TEST_SCENARIO}")" ] && echo "Found scenario running."
+
+if ! pushd "${LABDIR}" >/dev/null 2>/dev/null
+then
+    [ "${1:-""}" == "--force" ] || die "Could not change to config directory."
+    echo "Forcing scenario shutdown"
+    (
+        podman pod stop "pod_${TEST_SCENARIO}" ||:
+        podman pod rm "pod_${TEST_SCENARIO}" ||:
+        podman network rm "ipanet-${TEST_SCENARIO}" ||:
+    ) 2>&1 | tee -a /tmp/ansible-freeipa-scenario.log
+    exit 0
+fi
+
+podman-compose down >> /tmp/ansible-freeipa-scenario.log
+
+popd >/dev/null