IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity
Files
95df14634663f5ef57875b8ce1e54ca14c111a75
freeipa/tests/test_xmlrpc/test_host_plugin.py

721 lines
25 KiB
Python
Raw Normal View History

Add unit tests for new plugins.
2009-06-24 15:12:27 +02:00
# Authors:
# Rob Crittenden <rcritten@redhat.com>
# Pavel Zuna <pzuna@redhat.com>
#
host and hostgroup summary messages, declarative tests; fix tests for 'dn'
2009-12-15 13:36:14 -07:00
# Copyright (C) 2008, 2009 Red Hat
Add unit tests for new plugins.
2009-06-24 15:12:27 +02:00
# see file 'COPYING' for use and warranty information
#
Change FreeIPA license to GPLv3+ The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
2010-12-09 13:59:11 +01:00
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
Add unit tests for new plugins.
2009-06-24 15:12:27 +02:00
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
Change FreeIPA license to GPLv3+ The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
2010-12-09 13:59:11 +01:00
# along with this program. If not, see <http://www.gnu.org/licenses/>.
host and hostgroup summary messages, declarative tests; fix tests for 'dn'
2009-12-15 13:36:14 -07:00
Add unit tests for new plugins.
2009-06-24 15:12:27 +02:00
"""
host and hostgroup summary messages, declarative tests; fix tests for 'dn'
2009-12-15 13:36:14 -07:00
Test the `ipalib.plugins.host` module.
Add unit tests for new plugins.
2009-06-24 15:12:27 +02:00
"""
Require an imported certificate's issuer to match our issuer. The goal is to not import foreign certificates. This caused a bunch of tests to fail because we had a hardcoded server certificate. Instead a developer will need to run make-testcert to create a server certificate generated by the local CA to test against. ticket 1134
2011-04-26 16:45:19 -04:00
from ipalib import api, errors, x509
ticket 1600 - convert unittests to use DN objects We have a larger goal of replacing all DN creation via string formatting/concatenation with DN object operations because string operations are not a safe way to form a DN nor to compare a DN. This work needs to be broken into smaller chunks for easier review and testing. Addressing the unit tests first makes sense because we don't want to be modifying both the core code and the tests used to verify the core code simultaneously. If we modify the unittests first with existing core code and no regressions are found then we can move on to modifying parts of the core code with the belief the unittests can validate the changes in the core code. Also by doing the unittests first we also help to validate the DN objects are working correctly (although they do have an extensive unittest). The fundamental changes are: * replace string substitution & concatenation with DN object constructor * when comparing dn's the comparision is done after promotion to a DN object, then two DN objects are compared * when a list of string dn's are to be compared a new list is formed where each string dn is replaced by a DN object * because the unittest framework accepts a complex data structure of expected values where dn's are represeted as strings the unittest needs to express the expected value of a dn as a callable object (e.g. a lambda expression) which promotes the dn string to a DN object in order to do the comparision.
2011-08-09 21:21:56 -04:00
from ipalib.dn import *
Require an imported certificate's issuer to match our issuer. The goal is to not import foreign certificates. This caused a bunch of tests to fail because we had a hardcoded server certificate. Instead a developer will need to run make-testcert to create a server certificate generated by the local CA to test against. ticket 1134
2011-04-26 16:45:19 -04:00
from tests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_digits
Fix invalid issuer in unit tests Fix several test failures when issuer does not match the one generated by make-testcert (CN=Certificate Authority,O=<realm>). https://fedorahosted.org/freeipa/ticket/1527
2011-07-27 11:02:00 +02:00
from tests.test_xmlrpc.xmlrpc_test import fuzzy_hash, fuzzy_date, fuzzy_issuer
Display serial number as HEX (DECIMAL) when showing certificates. https://fedorahosted.org/freeipa/ticket/1991
2012-03-06 15:53:07 -05:00
from tests.test_xmlrpc.xmlrpc_test import fuzzy_hex
host and hostgroup summary messages, declarative tests; fix tests for 'dn'
2009-12-15 13:36:14 -07:00
from tests.test_xmlrpc import objectclasses
Revoke a host's certificate (if any) when it is deleted or disabled. Disable any services when its host is disabled. This also adds displaying the certificate attributes (subject, etc) a bit more universal and centralized in a single function. ticket 297
2010-11-05 15:16:53 -04:00
import base64
host and hostgroup summary messages, declarative tests; fix tests for 'dn'
2009-12-15 13:36:14 -07:00
fqdn1 = u'testhost1.%s' % api.env.domain
Deleting a non-fully-qualified hostname should still delete its services We were being left with orphan services if the host entry was not removed using the FQDN.
2010-03-29 11:31:10 -04:00
short1 = u'testhost1'
ticket 1600 - convert unittests to use DN objects We have a larger goal of replacing all DN creation via string formatting/concatenation with DN object operations because string operations are not a safe way to form a DN nor to compare a DN. This work needs to be broken into smaller chunks for easier review and testing. Addressing the unit tests first makes sense because we don't want to be modifying both the core code and the tests used to verify the core code simultaneously. If we modify the unittests first with existing core code and no regressions are found then we can move on to modifying parts of the core code with the belief the unittests can validate the changes in the core code. Also by doing the unittests first we also help to validate the DN objects are working correctly (although they do have an extensive unittest). The fundamental changes are: * replace string substitution & concatenation with DN object constructor * when comparing dn's the comparision is done after promotion to a DN object, then two DN objects are compared * when a list of string dn's are to be compared a new list is formed where each string dn is replaced by a DN object * because the unittest framework accepts a complex data structure of expected values where dn's are represeted as strings the unittest needs to express the expected value of a dn as a callable object (e.g. a lambda expression) which promotes the dn string to a DN object in order to do the comparision.
2011-08-09 21:21:56 -04:00
dn1 = DN(('fqdn',fqdn1),('cn','computers'),('cn','accounts'),
api.env.basedn)
Deleting a non-fully-qualified hostname should still delete its services We were being left with orphan services if the host entry was not removed using the FQDN.
2010-03-29 11:31:10 -04:00
service1 = u'dns/%s@%s' % (fqdn1, api.env.realm)
ticket 1600 - convert unittests to use DN objects We have a larger goal of replacing all DN creation via string formatting/concatenation with DN object operations because string operations are not a safe way to form a DN nor to compare a DN. This work needs to be broken into smaller chunks for easier review and testing. Addressing the unit tests first makes sense because we don't want to be modifying both the core code and the tests used to verify the core code simultaneously. If we modify the unittests first with existing core code and no regressions are found then we can move on to modifying parts of the core code with the belief the unittests can validate the changes in the core code. Also by doing the unittests first we also help to validate the DN objects are working correctly (although they do have an extensive unittest). The fundamental changes are: * replace string substitution & concatenation with DN object constructor * when comparing dn's the comparision is done after promotion to a DN object, then two DN objects are compared * when a list of string dn's are to be compared a new list is formed where each string dn is replaced by a DN object * because the unittest framework accepts a complex data structure of expected values where dn's are represeted as strings the unittest needs to express the expected value of a dn as a callable object (e.g. a lambda expression) which promotes the dn string to a DN object in order to do the comparision.
2011-08-09 21:21:56 -04:00
service1dn = DN(('krbprincipalname',service1.lower()),('cn','services'),
('cn','accounts'),api.env.basedn)
Require that hosts be resolvable in DNS. Use --force to ignore warnings. This also requires a resolvable hostname on services as well. I want people to think long and hard about adding things that aren't resolvable. The cert plugin can automatically create services on the user's behalf when issuing a cert. It will always set the force flag to True. We use a lot of made-up host names in the test system, all of which require the force flag now. ticket #25
2010-07-22 14:16:22 -04:00
fqdn2 = u'shouldnotexist.%s' % api.env.domain
ticket 1600 - convert unittests to use DN objects We have a larger goal of replacing all DN creation via string formatting/concatenation with DN object operations because string operations are not a safe way to form a DN nor to compare a DN. This work needs to be broken into smaller chunks for easier review and testing. Addressing the unit tests first makes sense because we don't want to be modifying both the core code and the tests used to verify the core code simultaneously. If we modify the unittests first with existing core code and no regressions are found then we can move on to modifying parts of the core code with the belief the unittests can validate the changes in the core code. Also by doing the unittests first we also help to validate the DN objects are working correctly (although they do have an extensive unittest). The fundamental changes are: * replace string substitution & concatenation with DN object constructor * when comparing dn's the comparision is done after promotion to a DN object, then two DN objects are compared * when a list of string dn's are to be compared a new list is formed where each string dn is replaced by a DN object * because the unittest framework accepts a complex data structure of expected values where dn's are represeted as strings the unittest needs to express the expected value of a dn as a callable object (e.g. a lambda expression) which promotes the dn string to a DN object in order to do the comparision.
2011-08-09 21:21:56 -04:00
dn2 = DN(('fqdn',fqdn2),('cn','computers'),('cn','accounts'),
api.env.basedn)
Add managedby to Host entries This will allow others to provision on behalf of the host. ticket 280
2010-11-10 16:47:29 -05:00
fqdn3 = u'testhost2.%s' % api.env.domain
short3 = u'testhost2'
ticket 1600 - convert unittests to use DN objects We have a larger goal of replacing all DN creation via string formatting/concatenation with DN object operations because string operations are not a safe way to form a DN nor to compare a DN. This work needs to be broken into smaller chunks for easier review and testing. Addressing the unit tests first makes sense because we don't want to be modifying both the core code and the tests used to verify the core code simultaneously. If we modify the unittests first with existing core code and no regressions are found then we can move on to modifying parts of the core code with the belief the unittests can validate the changes in the core code. Also by doing the unittests first we also help to validate the DN objects are working correctly (although they do have an extensive unittest). The fundamental changes are: * replace string substitution & concatenation with DN object constructor * when comparing dn's the comparision is done after promotion to a DN object, then two DN objects are compared * when a list of string dn's are to be compared a new list is formed where each string dn is replaced by a DN object * because the unittest framework accepts a complex data structure of expected values where dn's are represeted as strings the unittest needs to express the expected value of a dn as a callable object (e.g. a lambda expression) which promotes the dn string to a DN object in order to do the comparision.
2011-08-09 21:21:56 -04:00
dn3 = DN(('fqdn',fqdn3),('cn','computers'),('cn','accounts'),
api.env.basedn)
find_entry_by_attr() should fail if multiple entries are found It will only ever return one entry so if more than one are found then we raise an exception. This is most easily seen in the host plugin where we search on the server shortname which can be the same across sub-domains (e.g. foo.example.com & foo.lab.example.com). https://fedorahosted.org/freeipa/ticket/1388
2011-07-05 13:36:48 -04:00
fqdn4 = u'testhost2.lab.%s' % api.env.domain
ticket 1600 - convert unittests to use DN objects We have a larger goal of replacing all DN creation via string formatting/concatenation with DN object operations because string operations are not a safe way to form a DN nor to compare a DN. This work needs to be broken into smaller chunks for easier review and testing. Addressing the unit tests first makes sense because we don't want to be modifying both the core code and the tests used to verify the core code simultaneously. If we modify the unittests first with existing core code and no regressions are found then we can move on to modifying parts of the core code with the belief the unittests can validate the changes in the core code. Also by doing the unittests first we also help to validate the DN objects are working correctly (although they do have an extensive unittest). The fundamental changes are: * replace string substitution & concatenation with DN object constructor * when comparing dn's the comparision is done after promotion to a DN object, then two DN objects are compared * when a list of string dn's are to be compared a new list is formed where each string dn is replaced by a DN object * because the unittest framework accepts a complex data structure of expected values where dn's are represeted as strings the unittest needs to express the expected value of a dn as a callable object (e.g. a lambda expression) which promotes the dn string to a DN object in order to do the comparision.
2011-08-09 21:21:56 -04:00
dn4 = DN(('fqdn',fqdn4),('cn','computers'),('cn','accounts'),
api.env.basedn)
Only apply validation rules when adding and updating. There may be cases, for whatever reason, that an otherwise illegal entry gets created that doesn't match the criteria for a valid user/host/group name. If this happens (i.e. migration) there is no way to remove this using the IPA tools because we always applied the name pattern. So you can't, for example, delete a user with an illegal name. Primary keys are cloned with query=True in PKQuery which causes no rules to be applied on mod/show/find. This reverts a change from commit 3a5e26a0 which applies class rules when query=True (for enforcing no white space). Replace rdnattr with rdn_is_primary_key. This was meant to tell us when an RDN change was necessary to do a rename. There could be a disconnect where the rdnattr wasn't the primary key and in that case we don't need to do an RDN change, so use a boolean instead so that it is clear that RDN == primary key. Add a test to ensure that nowhitespace is actually enforced. https://fedorahosted.org/freeipa/ticket/2115 Related: https://fedorahosted.org/freeipa/ticket/2089 Whitespace tickets: https://fedorahosted.org/freeipa/ticket/1285 https://fedorahosted.org/freeipa/ticket/1286 https://fedorahosted.org/freeipa/ticket/1287
2012-02-29 13:31:20 -05:00
invalidfqdn1 = u'foo_bar.lab.%s' % api.env.domain
host and hostgroup summary messages, declarative tests; fix tests for 'dn'
2009-12-15 13:36:14 -07:00
Require an imported certificate's issuer to match our issuer. The goal is to not import foreign certificates. This caused a bunch of tests to fail because we had a hardcoded server certificate. Instead a developer will need to run make-testcert to create a server certificate generated by the local CA to test against. ticket 1134
2011-04-26 16:45:19 -04:00
# We can use the same cert we generated for the service tests
fd = open('tests/test_xmlrpc/service.crt', 'r')
servercert = fd.readlines()
servercert = ''.join(servercert)
servercert = x509.strip_header(servercert)
fd.close()
host and hostgroup summary messages, declarative tests; fix tests for 'dn'
2009-12-15 13:36:14 -07:00
class test_host(Declarative):
cleanup_commands = [
('host_del', [fqdn1], {}),
Require that hosts be resolvable in DNS. Use --force to ignore warnings. This also requires a resolvable hostname on services as well. I want people to think long and hard about adding things that aren't resolvable. The cert plugin can automatically create services on the user's behalf when issuing a cert. It will always set the force flag to True. We use a lot of made-up host names in the test system, all of which require the force flag now. ticket #25
2010-07-22 14:16:22 -04:00
('host_del', [fqdn2], {}),
Add managedby to Host entries This will allow others to provision on behalf of the host. ticket 280
2010-11-10 16:47:29 -05:00
('host_del', [fqdn3], {}),
find_entry_by_attr() should fail if multiple entries are found It will only ever return one entry so if more than one are found then we raise an exception. This is most easily seen in the host plugin where we search on the server shortname which can be the same across sub-domains (e.g. foo.example.com & foo.lab.example.com). https://fedorahosted.org/freeipa/ticket/1388
2011-07-05 13:36:48 -04:00
('host_del', [fqdn4], {}),
Deleting a non-fully-qualified hostname should still delete its services We were being left with orphan services if the host entry was not removed using the FQDN.
2010-03-29 11:31:10 -04:00
('service_del', [service1], {}),
host and hostgroup summary messages, declarative tests; fix tests for 'dn'
2009-12-15 13:36:14 -07:00
]
tests = [
dict(
desc='Try to retrieve non-existent %r' % fqdn1,
command=('host_show', [fqdn1], {}),
expected=errors.NotFound(reason='no such entry'),
),
dict(
desc='Try to update non-existent %r' % fqdn1,
command=('host_mod', [fqdn1], dict(description=u'Nope')),
expected=errors.NotFound(reason='no such entry'),
),
dict(
desc='Try to delete non-existent %r' % fqdn1,
command=('host_del', [fqdn1], {}),
expected=errors.NotFound(reason='no such entry'),
),
dict(
desc='Create %r' % fqdn1,
command=('host_add', [fqdn1],
dict(
description=u'Test host 1',
Use the Output tuple to determine the order of output The attributes displayed is now dependant upon their definition in a Param. This enhances that, giving some level of control over how the result is displayed to the user. This also fixes displaying group membership, including failures of adding/removing entries. All tests pass now though there is still one problem. We need to return the dn as well. Once that is fixed we just need to comment out all the dn entries in the tests and they should once again pass.
2010-02-12 16:34:21 -05:00
l=u'Undisclosed location 1',
Require that hosts be resolvable in DNS. Use --force to ignore warnings. This also requires a resolvable hostname on services as well. I want people to think long and hard about adding things that aren't resolvable. The cert plugin can automatically create services on the user's behalf when issuing a cert. It will always set the force flag to True. We use a lot of made-up host names in the test system, all of which require the force flag now. ticket #25
2010-07-22 14:16:22 -04:00
force=True,
host and hostgroup summary messages, declarative tests; fix tests for 'dn'
2009-12-15 13:36:14 -07:00
),
),
expected=dict(
value=fqdn1,
summary=u'Added host "%s"' % fqdn1,
result=dict(
ticket 1600 - convert unittests to use DN objects We have a larger goal of replacing all DN creation via string formatting/concatenation with DN object operations because string operations are not a safe way to form a DN nor to compare a DN. This work needs to be broken into smaller chunks for easier review and testing. Addressing the unit tests first makes sense because we don't want to be modifying both the core code and the tests used to verify the core code simultaneously. If we modify the unittests first with existing core code and no regressions are found then we can move on to modifying parts of the core code with the belief the unittests can validate the changes in the core code. Also by doing the unittests first we also help to validate the DN objects are working correctly (although they do have an extensive unittest). The fundamental changes are: * replace string substitution & concatenation with DN object constructor * when comparing dn's the comparision is done after promotion to a DN object, then two DN objects are compared * when a list of string dn's are to be compared a new list is formed where each string dn is replaced by a DN object * because the unittest framework accepts a complex data structure of expected values where dn's are represeted as strings the unittest needs to express the expected value of a dn as a callable object (e.g. a lambda expression) which promotes the dn string to a DN object in order to do the comparision.
2011-08-09 21:21:56 -04:00
dn=lambda x: DN(x) == dn1,
Fuzzy feelings
2009-12-17 06:16:18 -07:00
fqdn=[fqdn1],
description=[u'Test host 1'],
Use the Output tuple to determine the order of output The attributes displayed is now dependant upon their definition in a Param. This enhances that, giving some level of control over how the result is displayed to the user. This also fixes displaying group membership, including failures of adding/removing entries. All tests pass now though there is still one problem. We need to return the dn as well. Once that is fixed we just need to comment out all the dn entries in the tests and they should once again pass.
2010-02-12 16:34:21 -05:00
l=[u'Undisclosed location 1'],
Fuzzy feelings
2009-12-17 06:16:18 -07:00
krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
host and hostgroup summary messages, declarative tests; fix tests for 'dn'
2009-12-15 13:36:14 -07:00
objectclass=objectclasses.host,
Fuzzy feelings
2009-12-17 06:16:18 -07:00
ipauniqueid=[fuzzy_uuid],
Add managedby to Host entries This will allow others to provision on behalf of the host. ticket 280
2010-11-10 16:47:29 -05:00
managedby_host=[fqdn1],
Change the way has_keytab is determined, also check for password. We need an indicator to see if a keytab has been set on host and service entries. We also need a way to know if a one-time password is set on a host. This adds an ACI that grants search on userPassword and krbPrincipalKey so we can do an existence search on them. This way we can tell if the attribute is set and create a fake attribute accordingly. When a userPassword is set on a host a keytab is generated against that password so we always set has_keytab to False if a password exists. This is fine because when keytab gets generated for the host the password is removed (hence one-time). This adds has_keytab/has_password to the user, host and service plugins. ticket https://fedorahosted.org/freeipa/ticket/1538
2011-08-22 16:24:07 -04:00
has_keytab=False,
has_password=False,
host and hostgroup summary messages, declarative tests; fix tests for 'dn'
2009-12-15 13:36:14 -07:00
),
),
),
dict(
desc='Try to create duplicate %r' % fqdn1,
command=('host_add', [fqdn1],
dict(
description=u'Test host 1',
localityname=u'Undisclosed location 1',
Require that hosts be resolvable in DNS. Use --force to ignore warnings. This also requires a resolvable hostname on services as well. I want people to think long and hard about adding things that aren't resolvable. The cert plugin can automatically create services on the user's behalf when issuing a cert. It will always set the force flag to True. We use a lot of made-up host names in the test system, all of which require the force flag now. ticket #25
2010-07-22 14:16:22 -04:00
force=True,
host and hostgroup summary messages, declarative tests; fix tests for 'dn'
2009-12-15 13:36:14 -07:00
),
),
expected=errors.DuplicateEntry(),
),
dict(
desc='Retrieve %r' % fqdn1,
command=('host_show', [fqdn1], {}),
expected=dict(
value=fqdn1,
summary=None,
result=dict(
ticket 1600 - convert unittests to use DN objects We have a larger goal of replacing all DN creation via string formatting/concatenation with DN object operations because string operations are not a safe way to form a DN nor to compare a DN. This work needs to be broken into smaller chunks for easier review and testing. Addressing the unit tests first makes sense because we don't want to be modifying both the core code and the tests used to verify the core code simultaneously. If we modify the unittests first with existing core code and no regressions are found then we can move on to modifying parts of the core code with the belief the unittests can validate the changes in the core code. Also by doing the unittests first we also help to validate the DN objects are working correctly (although they do have an extensive unittest). The fundamental changes are: * replace string substitution & concatenation with DN object constructor * when comparing dn's the comparision is done after promotion to a DN object, then two DN objects are compared * when a list of string dn's are to be compared a new list is formed where each string dn is replaced by a DN object * because the unittest framework accepts a complex data structure of expected values where dn's are represeted as strings the unittest needs to express the expected value of a dn as a callable object (e.g. a lambda expression) which promotes the dn string to a DN object in order to do the comparision.
2011-08-09 21:21:56 -04:00
dn=lambda x: DN(x) == dn1,
Fuzzy feelings
2009-12-17 06:16:18 -07:00
fqdn=[fqdn1],
description=[u'Test host 1'],
Use the Output tuple to determine the order of output The attributes displayed is now dependant upon their definition in a Param. This enhances that, giving some level of control over how the result is displayed to the user. This also fixes displaying group membership, including failures of adding/removing entries. All tests pass now though there is still one problem. We need to return the dn as well. Once that is fixed we just need to comment out all the dn entries in the tests and they should once again pass.
2010-02-12 16:34:21 -05:00
l=[u'Undisclosed location 1'],
krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
Add managedby to Host entries This will allow others to provision on behalf of the host. ticket 280
2010-11-10 16:47:29 -05:00
has_keytab=False,
Change the way has_keytab is determined, also check for password. We need an indicator to see if a keytab has been set on host and service entries. We also need a way to know if a one-time password is set on a host. This adds an ACI that grants search on userPassword and krbPrincipalKey so we can do an existence search on them. This way we can tell if the attribute is set and create a fake attribute accordingly. When a userPassword is set on a host a keytab is generated against that password so we always set has_keytab to False if a password exists. This is fine because when keytab gets generated for the host the password is removed (hence one-time). This adds has_keytab/has_password to the user, host and service plugins. ticket https://fedorahosted.org/freeipa/ticket/1538
2011-08-22 16:24:07 -04:00
has_password=False,
Add managedby to Host entries This will allow others to provision on behalf of the host. ticket 280
2010-11-10 16:47:29 -05:00
managedby_host=[fqdn1],
host and hostgroup summary messages, declarative tests; fix tests for 'dn'
2009-12-15 13:36:14 -07:00
),
),
),
dict(
desc='Retrieve %r with all=True' % fqdn1,
command=('host_show', [fqdn1], dict(all=True)),
expected=dict(
value=fqdn1,
summary=None,
result=dict(
ticket 1600 - convert unittests to use DN objects We have a larger goal of replacing all DN creation via string formatting/concatenation with DN object operations because string operations are not a safe way to form a DN nor to compare a DN. This work needs to be broken into smaller chunks for easier review and testing. Addressing the unit tests first makes sense because we don't want to be modifying both the core code and the tests used to verify the core code simultaneously. If we modify the unittests first with existing core code and no regressions are found then we can move on to modifying parts of the core code with the belief the unittests can validate the changes in the core code. Also by doing the unittests first we also help to validate the DN objects are working correctly (although they do have an extensive unittest). The fundamental changes are: * replace string substitution & concatenation with DN object constructor * when comparing dn's the comparision is done after promotion to a DN object, then two DN objects are compared * when a list of string dn's are to be compared a new list is formed where each string dn is replaced by a DN object * because the unittest framework accepts a complex data structure of expected values where dn's are represeted as strings the unittest needs to express the expected value of a dn as a callable object (e.g. a lambda expression) which promotes the dn string to a DN object in order to do the comparision.
2011-08-09 21:21:56 -04:00
dn=lambda x: DN(x) == dn1,
Fuzzy feelings
2009-12-17 06:16:18 -07:00
cn=[fqdn1],
fqdn=[fqdn1],
description=[u'Test host 1'],
host and hostgroup summary messages, declarative tests; fix tests for 'dn'
2009-12-15 13:36:14 -07:00
# FIXME: Why is 'localalityname' returned as 'l' with --all?
# It is intuitive for --all to return additional attributes,
# but not to return existing attributes under different
# names.
Fuzzy feelings
2009-12-17 06:16:18 -07:00
l=[u'Undisclosed location 1'],
krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
serverhostname=[u'testhost1'],
host and hostgroup summary messages, declarative tests; fix tests for 'dn'
2009-12-15 13:36:14 -07:00
objectclass=objectclasses.host,
Add managedby to Host entries This will allow others to provision on behalf of the host. ticket 280
2010-11-10 16:47:29 -05:00
managedby_host=[fqdn1],
Add a list of managed hosts Enhance Host plugin to provide not only "Managed By" list but also a list of managed hosts. The new list is generated only when --all option is passed. https://fedorahosted.org/freeipa/ticket/993
2011-06-13 16:23:09 +02:00
managing_host=[fqdn1],
Fuzzy feelings
2009-12-17 06:16:18 -07:00
ipauniqueid=[fuzzy_uuid],
Change the way has_keytab is determined, also check for password. We need an indicator to see if a keytab has been set on host and service entries. We also need a way to know if a one-time password is set on a host. This adds an ACI that grants search on userPassword and krbPrincipalKey so we can do an existence search on them. This way we can tell if the attribute is set and create a fake attribute accordingly. When a userPassword is set on a host a keytab is generated against that password so we always set has_keytab to False if a password exists. This is fine because when keytab gets generated for the host the password is removed (hence one-time). This adds has_keytab/has_password to the user, host and service plugins. ticket https://fedorahosted.org/freeipa/ticket/1538
2011-08-22 16:24:07 -04:00
has_keytab=False,
has_password=False,
host and hostgroup summary messages, declarative tests; fix tests for 'dn'
2009-12-15 13:36:14 -07:00
),
),
),
dict(
desc='Search for %r' % fqdn1,
command=('host_find', [fqdn1], {}),
expected=dict(
count=1,
truncated=False,
summary=u'1 host matched',
Fuzzy feelings
2009-12-17 06:16:18 -07:00
result=[
host and hostgroup summary messages, declarative tests; fix tests for 'dn'
2009-12-15 13:36:14 -07:00
dict(
ticket 1600 - convert unittests to use DN objects We have a larger goal of replacing all DN creation via string formatting/concatenation with DN object operations because string operations are not a safe way to form a DN nor to compare a DN. This work needs to be broken into smaller chunks for easier review and testing. Addressing the unit tests first makes sense because we don't want to be modifying both the core code and the tests used to verify the core code simultaneously. If we modify the unittests first with existing core code and no regressions are found then we can move on to modifying parts of the core code with the belief the unittests can validate the changes in the core code. Also by doing the unittests first we also help to validate the DN objects are working correctly (although they do have an extensive unittest). The fundamental changes are: * replace string substitution & concatenation with DN object constructor * when comparing dn's the comparision is done after promotion to a DN object, then two DN objects are compared * when a list of string dn's are to be compared a new list is formed where each string dn is replaced by a DN object * because the unittest framework accepts a complex data structure of expected values where dn's are represeted as strings the unittest needs to express the expected value of a dn as a callable object (e.g. a lambda expression) which promotes the dn string to a DN object in order to do the comparision.
2011-08-09 21:21:56 -04:00
dn=lambda x: DN(x) == dn1,
Fuzzy feelings
2009-12-17 06:16:18 -07:00
fqdn=[fqdn1],
description=[u'Test host 1'],
Use the Output tuple to determine the order of output The attributes displayed is now dependant upon their definition in a Param. This enhances that, giving some level of control over how the result is displayed to the user. This also fixes displaying group membership, including failures of adding/removing entries. All tests pass now though there is still one problem. We need to return the dn as well. Once that is fixed we just need to comment out all the dn entries in the tests and they should once again pass.
2010-02-12 16:34:21 -05:00
l=[u'Undisclosed location 1'],
krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
Add managedby to Host entries This will allow others to provision on behalf of the host. ticket 280
2010-11-10 16:47:29 -05:00
managedby_host=[u'%s' % fqdn1],
Change the way has_keytab is determined, also check for password. We need an indicator to see if a keytab has been set on host and service entries. We also need a way to know if a one-time password is set on a host. This adds an ACI that grants search on userPassword and krbPrincipalKey so we can do an existence search on them. This way we can tell if the attribute is set and create a fake attribute accordingly. When a userPassword is set on a host a keytab is generated against that password so we always set has_keytab to False if a password exists. This is fine because when keytab gets generated for the host the password is removed (hence one-time). This adds has_keytab/has_password to the user, host and service plugins. ticket https://fedorahosted.org/freeipa/ticket/1538
2011-08-22 16:24:07 -04:00
has_keytab=False,
has_password=False,
host and hostgroup summary messages, declarative tests; fix tests for 'dn'
2009-12-15 13:36:14 -07:00
),
Fuzzy feelings
2009-12-17 06:16:18 -07:00
],
host and hostgroup summary messages, declarative tests; fix tests for 'dn'
2009-12-15 13:36:14 -07:00
),
),
dict(
desc='Search for %r with all=True' % fqdn1,
command=('host_find', [fqdn1], dict(all=True)),
expected=dict(
count=1,
truncated=False,
summary=u'1 host matched',
Fuzzy feelings
2009-12-17 06:16:18 -07:00
result=[
host and hostgroup summary messages, declarative tests; fix tests for 'dn'
2009-12-15 13:36:14 -07:00
dict(
ticket 1600 - convert unittests to use DN objects We have a larger goal of replacing all DN creation via string formatting/concatenation with DN object operations because string operations are not a safe way to form a DN nor to compare a DN. This work needs to be broken into smaller chunks for easier review and testing. Addressing the unit tests first makes sense because we don't want to be modifying both the core code and the tests used to verify the core code simultaneously. If we modify the unittests first with existing core code and no regressions are found then we can move on to modifying parts of the core code with the belief the unittests can validate the changes in the core code. Also by doing the unittests first we also help to validate the DN objects are working correctly (although they do have an extensive unittest). The fundamental changes are: * replace string substitution & concatenation with DN object constructor * when comparing dn's the comparision is done after promotion to a DN object, then two DN objects are compared * when a list of string dn's are to be compared a new list is formed where each string dn is replaced by a DN object * because the unittest framework accepts a complex data structure of expected values where dn's are represeted as strings the unittest needs to express the expected value of a dn as a callable object (e.g. a lambda expression) which promotes the dn string to a DN object in order to do the comparision.
2011-08-09 21:21:56 -04:00
dn=lambda x: DN(x) == dn1,
Fuzzy feelings
2009-12-17 06:16:18 -07:00
cn=[fqdn1],
fqdn=[fqdn1],
description=[u'Test host 1'],
host and hostgroup summary messages, declarative tests; fix tests for 'dn'
2009-12-15 13:36:14 -07:00
# FIXME: Why is 'localalityname' returned as 'l' with --all?
# It is intuitive for --all to return additional attributes,
# but not to return existing attributes under different
# names.
Fuzzy feelings
2009-12-17 06:16:18 -07:00
l=[u'Undisclosed location 1'],
krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
serverhostname=[u'testhost1'],
host and hostgroup summary messages, declarative tests; fix tests for 'dn'
2009-12-15 13:36:14 -07:00
objectclass=objectclasses.host,
Fuzzy feelings
2009-12-17 06:16:18 -07:00
ipauniqueid=[fuzzy_uuid],
Add managedby to Host entries This will allow others to provision on behalf of the host. ticket 280
2010-11-10 16:47:29 -05:00
managedby_host=[u'%s' % fqdn1],
Add a list of managed hosts Enhance Host plugin to provide not only "Managed By" list but also a list of managed hosts. The new list is generated only when --all option is passed. https://fedorahosted.org/freeipa/ticket/993
2011-06-13 16:23:09 +02:00
managing_host=[u'%s' % fqdn1],
Change the way has_keytab is determined, also check for password. We need an indicator to see if a keytab has been set on host and service entries. We also need a way to know if a one-time password is set on a host. This adds an ACI that grants search on userPassword and krbPrincipalKey so we can do an existence search on them. This way we can tell if the attribute is set and create a fake attribute accordingly. When a userPassword is set on a host a keytab is generated against that password so we always set has_keytab to False if a password exists. This is fine because when keytab gets generated for the host the password is removed (hence one-time). This adds has_keytab/has_password to the user, host and service plugins. ticket https://fedorahosted.org/freeipa/ticket/1538
2011-08-22 16:24:07 -04:00
has_keytab=False,
has_password=False,
host and hostgroup summary messages, declarative tests; fix tests for 'dn'
2009-12-15 13:36:14 -07:00
),
Fuzzy feelings
2009-12-17 06:16:18 -07:00
],
host and hostgroup summary messages, declarative tests; fix tests for 'dn'
2009-12-15 13:36:14 -07:00
),
),
dict(
desc='Update %r' % fqdn1,
Revoke a host's certificate (if any) when it is deleted or disabled. Disable any services when its host is disabled. This also adds displaying the certificate attributes (subject, etc) a bit more universal and centralized in a single function. ticket 297
2010-11-05 15:16:53 -04:00
command=('host_mod', [fqdn1], dict(description=u'Updated host 1',
usercertificate=servercert)),
host and hostgroup summary messages, declarative tests; fix tests for 'dn'
2009-12-15 13:36:14 -07:00
expected=dict(
value=fqdn1,
summary=u'Modified host "%s"' % fqdn1,
result=dict(
Fuzzy feelings
2009-12-17 06:16:18 -07:00
description=[u'Updated host 1'],
Use the Output tuple to determine the order of output The attributes displayed is now dependant upon their definition in a Param. This enhances that, giving some level of control over how the result is displayed to the user. This also fixes displaying group membership, including failures of adding/removing entries. All tests pass now though there is still one problem. We need to return the dn as well. Once that is fixed we just need to comment out all the dn entries in the tests and they should once again pass.
2010-02-12 16:34:21 -05:00
fqdn=[fqdn1],
l=[u'Undisclosed location 1'],
krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
Add managedby to Host entries This will allow others to provision on behalf of the host. ticket 280
2010-11-10 16:47:29 -05:00
managedby_host=[u'%s' % fqdn1],
Revoke a host's certificate (if any) when it is deleted or disabled. Disable any services when its host is disabled. This also adds displaying the certificate attributes (subject, etc) a bit more universal and centralized in a single function. ticket 297
2010-11-05 15:16:53 -04:00
usercertificate=[base64.b64decode(servercert)],
Require an imported certificate's issuer to match our issuer. The goal is to not import foreign certificates. This caused a bunch of tests to fail because we had a hardcoded server certificate. Instead a developer will need to run make-testcert to create a server certificate generated by the local CA to test against. ticket 1134
2011-04-26 16:45:19 -04:00
valid_not_before=fuzzy_date,
valid_not_after=fuzzy_date,
ticket 1600 - convert unittests to use DN objects We have a larger goal of replacing all DN creation via string formatting/concatenation with DN object operations because string operations are not a safe way to form a DN nor to compare a DN. This work needs to be broken into smaller chunks for easier review and testing. Addressing the unit tests first makes sense because we don't want to be modifying both the core code and the tests used to verify the core code simultaneously. If we modify the unittests first with existing core code and no regressions are found then we can move on to modifying parts of the core code with the belief the unittests can validate the changes in the core code. Also by doing the unittests first we also help to validate the DN objects are working correctly (although they do have an extensive unittest). The fundamental changes are: * replace string substitution & concatenation with DN object constructor * when comparing dn's the comparision is done after promotion to a DN object, then two DN objects are compared * when a list of string dn's are to be compared a new list is formed where each string dn is replaced by a DN object * because the unittest framework accepts a complex data structure of expected values where dn's are represeted as strings the unittest needs to express the expected value of a dn as a callable object (e.g. a lambda expression) which promotes the dn string to a DN object in order to do the comparision.
2011-08-09 21:21:56 -04:00
subject=lambda x: DN(x) == \
DN(('CN',api.env.host),('O',api.env.realm)),
Require an imported certificate's issuer to match our issuer. The goal is to not import foreign certificates. This caused a bunch of tests to fail because we had a hardcoded server certificate. Instead a developer will need to run make-testcert to create a server certificate generated by the local CA to test against. ticket 1134
2011-04-26 16:45:19 -04:00
serial_number=fuzzy_digits,
Display serial number as HEX (DECIMAL) when showing certificates. https://fedorahosted.org/freeipa/ticket/1991
2012-03-06 15:53:07 -05:00
serial_number_hex=fuzzy_hex,
Require an imported certificate's issuer to match our issuer. The goal is to not import foreign certificates. This caused a bunch of tests to fail because we had a hardcoded server certificate. Instead a developer will need to run make-testcert to create a server certificate generated by the local CA to test against. ticket 1134
2011-04-26 16:45:19 -04:00
md5_fingerprint=fuzzy_hash,
sha1_fingerprint=fuzzy_hash,
Fix invalid issuer in unit tests Fix several test failures when issuer does not match the one generated by make-testcert (CN=Certificate Authority,O=<realm>). https://fedorahosted.org/freeipa/ticket/1527
2011-07-27 11:02:00 +02:00
issuer=fuzzy_issuer,
Retrieve password/keytab state when modifying a host. ticket https://fedorahosted.org/freeipa/ticket/1714
2011-08-25 09:24:47 -04:00
has_keytab=False,
has_password=False,
host and hostgroup summary messages, declarative tests; fix tests for 'dn'
2009-12-15 13:36:14 -07:00
),
),
),
dict(
desc='Retrieve %r to verify update' % fqdn1,
command=('host_show', [fqdn1], {}),
expected=dict(
value=fqdn1,
summary=None,
result=dict(
ticket 1600 - convert unittests to use DN objects We have a larger goal of replacing all DN creation via string formatting/concatenation with DN object operations because string operations are not a safe way to form a DN nor to compare a DN. This work needs to be broken into smaller chunks for easier review and testing. Addressing the unit tests first makes sense because we don't want to be modifying both the core code and the tests used to verify the core code simultaneously. If we modify the unittests first with existing core code and no regressions are found then we can move on to modifying parts of the core code with the belief the unittests can validate the changes in the core code. Also by doing the unittests first we also help to validate the DN objects are working correctly (although they do have an extensive unittest). The fundamental changes are: * replace string substitution & concatenation with DN object constructor * when comparing dn's the comparision is done after promotion to a DN object, then two DN objects are compared * when a list of string dn's are to be compared a new list is formed where each string dn is replaced by a DN object * because the unittest framework accepts a complex data structure of expected values where dn's are represeted as strings the unittest needs to express the expected value of a dn as a callable object (e.g. a lambda expression) which promotes the dn string to a DN object in order to do the comparision.
2011-08-09 21:21:56 -04:00
dn=lambda x: DN(x) == dn1,
Fuzzy feelings
2009-12-17 06:16:18 -07:00
fqdn=[fqdn1],
description=[u'Updated host 1'],
Use the Output tuple to determine the order of output The attributes displayed is now dependant upon their definition in a Param. This enhances that, giving some level of control over how the result is displayed to the user. This also fixes displaying group membership, including failures of adding/removing entries. All tests pass now though there is still one problem. We need to return the dn as well. Once that is fixed we just need to comment out all the dn entries in the tests and they should once again pass.
2010-02-12 16:34:21 -05:00
l=[u'Undisclosed location 1'],
krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
Revoke a host's certificate (if any) when it is deleted or disabled. Disable any services when its host is disabled. This also adds displaying the certificate attributes (subject, etc) a bit more universal and centralized in a single function. ticket 297
2010-11-05 15:16:53 -04:00
has_keytab=False,
Change the way has_keytab is determined, also check for password. We need an indicator to see if a keytab has been set on host and service entries. We also need a way to know if a one-time password is set on a host. This adds an ACI that grants search on userPassword and krbPrincipalKey so we can do an existence search on them. This way we can tell if the attribute is set and create a fake attribute accordingly. When a userPassword is set on a host a keytab is generated against that password so we always set has_keytab to False if a password exists. This is fine because when keytab gets generated for the host the password is removed (hence one-time). This adds has_keytab/has_password to the user, host and service plugins. ticket https://fedorahosted.org/freeipa/ticket/1538
2011-08-22 16:24:07 -04:00
has_password=False,
Add managedby to Host entries This will allow others to provision on behalf of the host. ticket 280
2010-11-10 16:47:29 -05:00
managedby_host=[u'%s' % fqdn1],
Revoke a host's certificate (if any) when it is deleted or disabled. Disable any services when its host is disabled. This also adds displaying the certificate attributes (subject, etc) a bit more universal and centralized in a single function. ticket 297
2010-11-05 15:16:53 -04:00
usercertificate=[base64.b64decode(servercert)],
Require an imported certificate's issuer to match our issuer. The goal is to not import foreign certificates. This caused a bunch of tests to fail because we had a hardcoded server certificate. Instead a developer will need to run make-testcert to create a server certificate generated by the local CA to test against. ticket 1134
2011-04-26 16:45:19 -04:00
valid_not_before=fuzzy_date,
valid_not_after=fuzzy_date,
ticket 1600 - convert unittests to use DN objects We have a larger goal of replacing all DN creation via string formatting/concatenation with DN object operations because string operations are not a safe way to form a DN nor to compare a DN. This work needs to be broken into smaller chunks for easier review and testing. Addressing the unit tests first makes sense because we don't want to be modifying both the core code and the tests used to verify the core code simultaneously. If we modify the unittests first with existing core code and no regressions are found then we can move on to modifying parts of the core code with the belief the unittests can validate the changes in the core code. Also by doing the unittests first we also help to validate the DN objects are working correctly (although they do have an extensive unittest). The fundamental changes are: * replace string substitution & concatenation with DN object constructor * when comparing dn's the comparision is done after promotion to a DN object, then two DN objects are compared * when a list of string dn's are to be compared a new list is formed where each string dn is replaced by a DN object * because the unittest framework accepts a complex data structure of expected values where dn's are represeted as strings the unittest needs to express the expected value of a dn as a callable object (e.g. a lambda expression) which promotes the dn string to a DN object in order to do the comparision.
2011-08-09 21:21:56 -04:00
subject=lambda x: DN(x) == \
DN(('CN',api.env.host),('O',api.env.realm)),
Require an imported certificate's issuer to match our issuer. The goal is to not import foreign certificates. This caused a bunch of tests to fail because we had a hardcoded server certificate. Instead a developer will need to run make-testcert to create a server certificate generated by the local CA to test against. ticket 1134
2011-04-26 16:45:19 -04:00
serial_number=fuzzy_digits,
Display serial number as HEX (DECIMAL) when showing certificates. https://fedorahosted.org/freeipa/ticket/1991
2012-03-06 15:53:07 -05:00
serial_number_hex=fuzzy_hex,
Require an imported certificate's issuer to match our issuer. The goal is to not import foreign certificates. This caused a bunch of tests to fail because we had a hardcoded server certificate. Instead a developer will need to run make-testcert to create a server certificate generated by the local CA to test against. ticket 1134
2011-04-26 16:45:19 -04:00
md5_fingerprint=fuzzy_hash,
sha1_fingerprint=fuzzy_hash,
Fix invalid issuer in unit tests Fix several test failures when issuer does not match the one generated by make-testcert (CN=Certificate Authority,O=<realm>). https://fedorahosted.org/freeipa/ticket/1527
2011-07-27 11:02:00 +02:00
issuer=fuzzy_issuer,
host and hostgroup summary messages, declarative tests; fix tests for 'dn'
2009-12-15 13:36:14 -07:00
),
),
),
Add managedby to Host entries This will allow others to provision on behalf of the host. ticket 280
2010-11-10 16:47:29 -05:00
dict(
desc='Create %r' % fqdn3,
command=('host_add', [fqdn3],
dict(
description=u'Test host 2',
l=u'Undisclosed location 2',
force=True,
),
),
expected=dict(
value=fqdn3,
summary=u'Added host "%s"' % fqdn3,
result=dict(
ticket 1600 - convert unittests to use DN objects We have a larger goal of replacing all DN creation via string formatting/concatenation with DN object operations because string operations are not a safe way to form a DN nor to compare a DN. This work needs to be broken into smaller chunks for easier review and testing. Addressing the unit tests first makes sense because we don't want to be modifying both the core code and the tests used to verify the core code simultaneously. If we modify the unittests first with existing core code and no regressions are found then we can move on to modifying parts of the core code with the belief the unittests can validate the changes in the core code. Also by doing the unittests first we also help to validate the DN objects are working correctly (although they do have an extensive unittest). The fundamental changes are: * replace string substitution & concatenation with DN object constructor * when comparing dn's the comparision is done after promotion to a DN object, then two DN objects are compared * when a list of string dn's are to be compared a new list is formed where each string dn is replaced by a DN object * because the unittest framework accepts a complex data structure of expected values where dn's are represeted as strings the unittest needs to express the expected value of a dn as a callable object (e.g. a lambda expression) which promotes the dn string to a DN object in order to do the comparision.
2011-08-09 21:21:56 -04:00
dn=lambda x: DN(x) == dn3,
Add managedby to Host entries This will allow others to provision on behalf of the host. ticket 280
2010-11-10 16:47:29 -05:00
fqdn=[fqdn3],
description=[u'Test host 2'],
l=[u'Undisclosed location 2'],
krbprincipalname=[u'host/%s@%s' % (fqdn3, api.env.realm)],
objectclass=objectclasses.host,
ipauniqueid=[fuzzy_uuid],
managedby_host=[u'%s' % fqdn3],
Change the way has_keytab is determined, also check for password. We need an indicator to see if a keytab has been set on host and service entries. We also need a way to know if a one-time password is set on a host. This adds an ACI that grants search on userPassword and krbPrincipalKey so we can do an existence search on them. This way we can tell if the attribute is set and create a fake attribute accordingly. When a userPassword is set on a host a keytab is generated against that password so we always set has_keytab to False if a password exists. This is fine because when keytab gets generated for the host the password is removed (hence one-time). This adds has_keytab/has_password to the user, host and service plugins. ticket https://fedorahosted.org/freeipa/ticket/1538
2011-08-22 16:24:07 -04:00
has_keytab=False,
has_password=False,
Add managedby to Host entries This will allow others to provision on behalf of the host. ticket 280
2010-11-10 16:47:29 -05:00
),
),
),
find_entry_by_attr() should fail if multiple entries are found It will only ever return one entry so if more than one are found then we raise an exception. This is most easily seen in the host plugin where we search on the server shortname which can be the same across sub-domains (e.g. foo.example.com & foo.lab.example.com). https://fedorahosted.org/freeipa/ticket/1388
2011-07-05 13:36:48 -04:00
dict(
desc='Create %r' % fqdn4,
command=('host_add', [fqdn4],
dict(
description=u'Test host 4',
l=u'Undisclosed location 4',
force=True,
),
),
expected=dict(
value=fqdn4,
summary=u'Added host "%s"' % fqdn4,
result=dict(
ticket 1600 - convert unittests to use DN objects We have a larger goal of replacing all DN creation via string formatting/concatenation with DN object operations because string operations are not a safe way to form a DN nor to compare a DN. This work needs to be broken into smaller chunks for easier review and testing. Addressing the unit tests first makes sense because we don't want to be modifying both the core code and the tests used to verify the core code simultaneously. If we modify the unittests first with existing core code and no regressions are found then we can move on to modifying parts of the core code with the belief the unittests can validate the changes in the core code. Also by doing the unittests first we also help to validate the DN objects are working correctly (although they do have an extensive unittest). The fundamental changes are: * replace string substitution & concatenation with DN object constructor * when comparing dn's the comparision is done after promotion to a DN object, then two DN objects are compared * when a list of string dn's are to be compared a new list is formed where each string dn is replaced by a DN object * because the unittest framework accepts a complex data structure of expected values where dn's are represeted as strings the unittest needs to express the expected value of a dn as a callable object (e.g. a lambda expression) which promotes the dn string to a DN object in order to do the comparision.
2011-08-09 21:21:56 -04:00
dn=lambda x: DN(x) == dn4,
find_entry_by_attr() should fail if multiple entries are found It will only ever return one entry so if more than one are found then we raise an exception. This is most easily seen in the host plugin where we search on the server shortname which can be the same across sub-domains (e.g. foo.example.com & foo.lab.example.com). https://fedorahosted.org/freeipa/ticket/1388
2011-07-05 13:36:48 -04:00
fqdn=[fqdn4],
description=[u'Test host 4'],
l=[u'Undisclosed location 4'],
krbprincipalname=[u'host/%s@%s' % (fqdn4, api.env.realm)],
objectclass=objectclasses.host,
ipauniqueid=[fuzzy_uuid],
managedby_host=[u'%s' % fqdn4],
Change the way has_keytab is determined, also check for password. We need an indicator to see if a keytab has been set on host and service entries. We also need a way to know if a one-time password is set on a host. This adds an ACI that grants search on userPassword and krbPrincipalKey so we can do an existence search on them. This way we can tell if the attribute is set and create a fake attribute accordingly. When a userPassword is set on a host a keytab is generated against that password so we always set has_keytab to False if a password exists. This is fine because when keytab gets generated for the host the password is removed (hence one-time). This adds has_keytab/has_password to the user, host and service plugins. ticket https://fedorahosted.org/freeipa/ticket/1538
2011-08-22 16:24:07 -04:00
has_keytab=False,
has_password=False,
find_entry_by_attr() should fail if multiple entries are found It will only ever return one entry so if more than one are found then we raise an exception. This is most easily seen in the host plugin where we search on the server shortname which can be the same across sub-domains (e.g. foo.example.com & foo.lab.example.com). https://fedorahosted.org/freeipa/ticket/1388
2011-07-05 13:36:48 -04:00
),
),
),
Add managedby to Host entries This will allow others to provision on behalf of the host. ticket 280
2010-11-10 16:47:29 -05:00
dict(
desc='Add managedby_host %r to %r' % (fqdn1, fqdn3),
command=('host_add_managedby', [fqdn3],
dict(
host=u'%s' % fqdn1,
),
),
expected=dict(
completed=1,
failed=dict(
managedby = dict(
host=tuple(),
),
),
result=dict(
ticket 1600 - convert unittests to use DN objects We have a larger goal of replacing all DN creation via string formatting/concatenation with DN object operations because string operations are not a safe way to form a DN nor to compare a DN. This work needs to be broken into smaller chunks for easier review and testing. Addressing the unit tests first makes sense because we don't want to be modifying both the core code and the tests used to verify the core code simultaneously. If we modify the unittests first with existing core code and no regressions are found then we can move on to modifying parts of the core code with the belief the unittests can validate the changes in the core code. Also by doing the unittests first we also help to validate the DN objects are working correctly (although they do have an extensive unittest). The fundamental changes are: * replace string substitution & concatenation with DN object constructor * when comparing dn's the comparision is done after promotion to a DN object, then two DN objects are compared * when a list of string dn's are to be compared a new list is formed where each string dn is replaced by a DN object * because the unittest framework accepts a complex data structure of expected values where dn's are represeted as strings the unittest needs to express the expected value of a dn as a callable object (e.g. a lambda expression) which promotes the dn string to a DN object in order to do the comparision.
2011-08-09 21:21:56 -04:00
dn=lambda x: DN(x) == dn3,
Add managedby to Host entries This will allow others to provision on behalf of the host. ticket 280
2010-11-10 16:47:29 -05:00
fqdn=[fqdn3],
description=[u'Test host 2'],
l=[u'Undisclosed location 2'],
krbprincipalname=[u'host/%s@%s' % (fqdn3, api.env.realm)],
managedby_host=[u'%s' % fqdn3, u'%s' % fqdn1],
),
),
),
dict(
desc='Retrieve %r' % fqdn3,
command=('host_show', [fqdn3], {}),
expected=dict(
value=fqdn3,
summary=None,
result=dict(
ticket 1600 - convert unittests to use DN objects We have a larger goal of replacing all DN creation via string formatting/concatenation with DN object operations because string operations are not a safe way to form a DN nor to compare a DN. This work needs to be broken into smaller chunks for easier review and testing. Addressing the unit tests first makes sense because we don't want to be modifying both the core code and the tests used to verify the core code simultaneously. If we modify the unittests first with existing core code and no regressions are found then we can move on to modifying parts of the core code with the belief the unittests can validate the changes in the core code. Also by doing the unittests first we also help to validate the DN objects are working correctly (although they do have an extensive unittest). The fundamental changes are: * replace string substitution & concatenation with DN object constructor * when comparing dn's the comparision is done after promotion to a DN object, then two DN objects are compared * when a list of string dn's are to be compared a new list is formed where each string dn is replaced by a DN object * because the unittest framework accepts a complex data structure of expected values where dn's are represeted as strings the unittest needs to express the expected value of a dn as a callable object (e.g. a lambda expression) which promotes the dn string to a DN object in order to do the comparision.
2011-08-09 21:21:56 -04:00
dn=lambda x: DN(x) == dn3,
Add managedby to Host entries This will allow others to provision on behalf of the host. ticket 280
2010-11-10 16:47:29 -05:00
fqdn=[fqdn3],
description=[u'Test host 2'],
l=[u'Undisclosed location 2'],
krbprincipalname=[u'host/%s@%s' % (fqdn3, api.env.realm)],
has_keytab=False,
Change the way has_keytab is determined, also check for password. We need an indicator to see if a keytab has been set on host and service entries. We also need a way to know if a one-time password is set on a host. This adds an ACI that grants search on userPassword and krbPrincipalKey so we can do an existence search on them. This way we can tell if the attribute is set and create a fake attribute accordingly. When a userPassword is set on a host a keytab is generated against that password so we always set has_keytab to False if a password exists. This is fine because when keytab gets generated for the host the password is removed (hence one-time). This adds has_keytab/has_password to the user, host and service plugins. ticket https://fedorahosted.org/freeipa/ticket/1538
2011-08-22 16:24:07 -04:00
has_password=False,
Add managedby to Host entries This will allow others to provision on behalf of the host. ticket 280
2010-11-10 16:47:29 -05:00
managedby_host=[u'%s' % fqdn3, u'%s' % fqdn1],
),
),
),
Add missing managing hosts filtering options Host object has a virtual attribute "managing" containing all hosts it manages (governed by managedBy attribute). This patch also adds standard membership filtering options: --man-hosts=HOSTS: Only hosts managing _all_ HOSTS are returned --not-man-hosts=HOSTS: Only hosts which do not manage _any_ host in HOSTS are returned https://fedorahosted.org/freeipa/ticket/1675
2012-01-26 13:41:39 +01:00
dict(
desc='Search for hosts with --man-hosts and --not-man-hosts',
command=('host_find', [], {'man_host' : fqdn3, 'not_man_host' : fqdn1}),
expected=dict(
count=1,
truncated=False,
summary=u'1 host matched',
result=[
dict(
dn=lambda x: DN(x) == dn3,
fqdn=[fqdn3],
description=[u'Test host 2'],
l=[u'Undisclosed location 2'],
krbprincipalname=[u'host/%s@%s' % (fqdn3, api.env.realm)],
has_keytab=False,
has_password=False,
managedby_host=[u'%s' % fqdn3, u'%s' % fqdn1],
),
],
),
),
dict(
desc='Try to search for hosts with --man-hosts',
command=('host_find', [], {'man_host' : [fqdn3,fqdn4]}),
expected=dict(
count=0,
truncated=False,
summary=u'0 hosts matched',
result=[],
),
),
Add managedby to Host entries This will allow others to provision on behalf of the host. ticket 280
2010-11-10 16:47:29 -05:00
dict(
desc='Remove managedby_host %r from %r' % (fqdn1, fqdn3),
command=('host_remove_managedby', [fqdn3],
dict(
host=u'%s' % fqdn1,
),
),
expected=dict(
completed=1,
failed=dict(
managedby = dict(
host=tuple(),
),
),
result=dict(
ticket 1600 - convert unittests to use DN objects We have a larger goal of replacing all DN creation via string formatting/concatenation with DN object operations because string operations are not a safe way to form a DN nor to compare a DN. This work needs to be broken into smaller chunks for easier review and testing. Addressing the unit tests first makes sense because we don't want to be modifying both the core code and the tests used to verify the core code simultaneously. If we modify the unittests first with existing core code and no regressions are found then we can move on to modifying parts of the core code with the belief the unittests can validate the changes in the core code. Also by doing the unittests first we also help to validate the DN objects are working correctly (although they do have an extensive unittest). The fundamental changes are: * replace string substitution & concatenation with DN object constructor * when comparing dn's the comparision is done after promotion to a DN object, then two DN objects are compared * when a list of string dn's are to be compared a new list is formed where each string dn is replaced by a DN object * because the unittest framework accepts a complex data structure of expected values where dn's are represeted as strings the unittest needs to express the expected value of a dn as a callable object (e.g. a lambda expression) which promotes the dn string to a DN object in order to do the comparision.
2011-08-09 21:21:56 -04:00
dn=lambda x: DN(x) == dn3,
Add managedby to Host entries This will allow others to provision on behalf of the host. ticket 280
2010-11-10 16:47:29 -05:00
fqdn=[fqdn3],
description=[u'Test host 2'],
l=[u'Undisclosed location 2'],
krbprincipalname=[u'host/%s@%s' % (fqdn3, api.env.realm)],
managedby_host=[u'%s' % fqdn3],
),
),
),
find_entry_by_attr() should fail if multiple entries are found It will only ever return one entry so if more than one are found then we raise an exception. This is most easily seen in the host plugin where we search on the server shortname which can be the same across sub-domains (e.g. foo.example.com & foo.lab.example.com). https://fedorahosted.org/freeipa/ticket/1388
2011-07-05 13:36:48 -04:00
dict(
desc='Show a host with multiple matches %s' % short3,
command=('host_show', [short3], {}),
expected=errors.SingleMatchExpected(found=2),
),
host and hostgroup summary messages, declarative tests; fix tests for 'dn'
2009-12-15 13:36:14 -07:00
Allow RDN changes for users, groups, rolegroups and taskgroups. To do a change right now you have to perform a setattr like: ipa user-mod --setattr uid=newuser olduser The RDN change is performed before the rest of the mods. If the RDN change is the only change done then the EmptyModlist that update_entry() throws is ignored. ticket 323
2010-10-18 14:53:32 -04:00
dict(
desc='Try to rename %r' % fqdn1,
command=('host_mod', [fqdn1], dict(setattr=u'fqdn=changed')),
expected=errors.NotAllowedOnRDN()
),
Add support for storing MAC address in host entries. macaddress is a multi-valued attribute and we allow multiple entries. This is from the objectclass ieee802device. This is added manually when doing a mod or add and not as a default to support existing host entries that do not have this objectclass. If this were added to the defaults then existing hosts missing this objectclass would not be found by host-find. It is possible to get ethers data out of nss by configuring nsswitch.conf to use ldap for ethers and running getent ethers <hostname> I tested nslcd and it only returned one macaddress value. https://fedorahosted.org/freeipa/ticket/1132
2012-01-20 15:10:44 -05:00
dict(
desc='Add MAC address to %r' % fqdn1,
command=('host_mod', [fqdn1], dict(macaddress=u'00:50:56:30:F6:5F')),
expected=dict(
value=fqdn1,
summary=u'Modified host "%s"' % fqdn1,
result=dict(
description=[u'Updated host 1'],
fqdn=[fqdn1],
l=[u'Undisclosed location 1'],
krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
managedby_host=[u'%s' % fqdn1],
usercertificate=[base64.b64decode(servercert)],
valid_not_before=fuzzy_date,
valid_not_after=fuzzy_date,
subject=lambda x: DN(x) == \
DN(('CN',api.env.host),('O',api.env.realm)),
serial_number=fuzzy_digits,
Display serial number as HEX (DECIMAL) when showing certificates. https://fedorahosted.org/freeipa/ticket/1991
2012-03-06 15:53:07 -05:00
serial_number_hex=fuzzy_hex,
Add support for storing MAC address in host entries. macaddress is a multi-valued attribute and we allow multiple entries. This is from the objectclass ieee802device. This is added manually when doing a mod or add and not as a default to support existing host entries that do not have this objectclass. If this were added to the defaults then existing hosts missing this objectclass would not be found by host-find. It is possible to get ethers data out of nss by configuring nsswitch.conf to use ldap for ethers and running getent ethers <hostname> I tested nslcd and it only returned one macaddress value. https://fedorahosted.org/freeipa/ticket/1132
2012-01-20 15:10:44 -05:00
md5_fingerprint=fuzzy_hash,
sha1_fingerprint=fuzzy_hash,
macaddress=[u'00:50:56:30:F6:5F'],
issuer=fuzzy_issuer,
has_keytab=False,
has_password=False,
),
),
),
dict(
desc='Add another MAC address to %r' % fqdn1,
command=('host_mod', [fqdn1], dict(macaddress=[u'00:50:56:30:F6:5F', u'00:50:56:2C:8D:82'])),
expected=dict(
value=fqdn1,
summary=u'Modified host "%s"' % fqdn1,
result=dict(
description=[u'Updated host 1'],
fqdn=[fqdn1],
l=[u'Undisclosed location 1'],
krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
managedby_host=[u'%s' % fqdn1],
usercertificate=[base64.b64decode(servercert)],
valid_not_before=fuzzy_date,
valid_not_after=fuzzy_date,
subject=lambda x: DN(x) == \
DN(('CN',api.env.host),('O',api.env.realm)),
serial_number=fuzzy_digits,
Display serial number as HEX (DECIMAL) when showing certificates. https://fedorahosted.org/freeipa/ticket/1991
2012-03-06 15:53:07 -05:00
serial_number_hex=fuzzy_hex,
Add support for storing MAC address in host entries. macaddress is a multi-valued attribute and we allow multiple entries. This is from the objectclass ieee802device. This is added manually when doing a mod or add and not as a default to support existing host entries that do not have this objectclass. If this were added to the defaults then existing hosts missing this objectclass would not be found by host-find. It is possible to get ethers data out of nss by configuring nsswitch.conf to use ldap for ethers and running getent ethers <hostname> I tested nslcd and it only returned one macaddress value. https://fedorahosted.org/freeipa/ticket/1132
2012-01-20 15:10:44 -05:00
md5_fingerprint=fuzzy_hash,
sha1_fingerprint=fuzzy_hash,
macaddress=[u'00:50:56:30:F6:5F', u'00:50:56:2C:8D:82'],
issuer=fuzzy_issuer,
has_keytab=False,
has_password=False,
),
),
),
dict(
desc='Add an illegal MAC address to %r' % fqdn1,
command=('host_mod', [fqdn1], dict(macaddress=[u'xx'])),
expected=errors.ValidationError(name='macaddress', error='invalid \'macaddress\': Must be of the form HH:HH:HH:HH:HH:HH, where each H is a hexadecimal character.'),
),
host and hostgroup summary messages, declarative tests; fix tests for 'dn'
2009-12-15 13:36:14 -07:00
dict(
desc='Delete %r' % fqdn1,
command=('host_del', [fqdn1], {}),
expected=dict(
value=fqdn1,
summary=u'Deleted host "%s"' % fqdn1,
Display the entries that failed when deleting with --continue. We collected the failures but didn't report it back. This changes the API of most delete commands so rather than returning a boolean it returns a dict with the only current key as failed. This also adds a new parameter flag, suppress_empty. This will try to not print values that are empty if included. This makes the output of the delete commands a bit prettier. ticket 687
2011-01-07 11:17:55 -05:00
result=dict(failed=u''),
host and hostgroup summary messages, declarative tests; fix tests for 'dn'
2009-12-15 13:36:14 -07:00
),
),
dict(
desc='Try to retrieve non-existent %r' % fqdn1,
command=('host_show', [fqdn1], {}),
expected=errors.NotFound(reason='no such entry'),
),
dict(
desc='Try to update non-existent %r' % fqdn1,
command=('host_mod', [fqdn1], dict(description=u'Nope')),
expected=errors.NotFound(reason='no such entry'),
),
dict(
desc='Try to delete non-existent %r' % fqdn1,
command=('host_del', [fqdn1], {}),
expected=errors.NotFound(reason='no such entry'),
),
Deleting a non-fully-qualified hostname should still delete its services We were being left with orphan services if the host entry was not removed using the FQDN.
2010-03-29 11:31:10 -04:00
# Test deletion using a non-fully-qualified hostname. Services
# associated with this host should also be removed.
dict(
desc='Re-create %r' % fqdn1,
command=('host_add', [fqdn1],
dict(
description=u'Test host 1',
l=u'Undisclosed location 1',
Require that hosts be resolvable in DNS. Use --force to ignore warnings. This also requires a resolvable hostname on services as well. I want people to think long and hard about adding things that aren't resolvable. The cert plugin can automatically create services on the user's behalf when issuing a cert. It will always set the force flag to True. We use a lot of made-up host names in the test system, all of which require the force flag now. ticket #25
2010-07-22 14:16:22 -04:00
force=True,
Deleting a non-fully-qualified hostname should still delete its services We were being left with orphan services if the host entry was not removed using the FQDN.
2010-03-29 11:31:10 -04:00
),
),
expected=dict(
value=fqdn1,
summary=u'Added host "%s"' % fqdn1,
result=dict(
ticket 1600 - convert unittests to use DN objects We have a larger goal of replacing all DN creation via string formatting/concatenation with DN object operations because string operations are not a safe way to form a DN nor to compare a DN. This work needs to be broken into smaller chunks for easier review and testing. Addressing the unit tests first makes sense because we don't want to be modifying both the core code and the tests used to verify the core code simultaneously. If we modify the unittests first with existing core code and no regressions are found then we can move on to modifying parts of the core code with the belief the unittests can validate the changes in the core code. Also by doing the unittests first we also help to validate the DN objects are working correctly (although they do have an extensive unittest). The fundamental changes are: * replace string substitution & concatenation with DN object constructor * when comparing dn's the comparision is done after promotion to a DN object, then two DN objects are compared * when a list of string dn's are to be compared a new list is formed where each string dn is replaced by a DN object * because the unittest framework accepts a complex data structure of expected values where dn's are represeted as strings the unittest needs to express the expected value of a dn as a callable object (e.g. a lambda expression) which promotes the dn string to a DN object in order to do the comparision.
2011-08-09 21:21:56 -04:00
dn=lambda x: DN(x) == dn1,
Deleting a non-fully-qualified hostname should still delete its services We were being left with orphan services if the host entry was not removed using the FQDN.
2010-03-29 11:31:10 -04:00
fqdn=[fqdn1],
description=[u'Test host 1'],
l=[u'Undisclosed location 1'],
krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
objectclass=objectclasses.host,
ipauniqueid=[fuzzy_uuid],
Add managedby to Host entries This will allow others to provision on behalf of the host. ticket 280
2010-11-10 16:47:29 -05:00
managedby_host=[u'%s' % fqdn1],
Change the way has_keytab is determined, also check for password. We need an indicator to see if a keytab has been set on host and service entries. We also need a way to know if a one-time password is set on a host. This adds an ACI that grants search on userPassword and krbPrincipalKey so we can do an existence search on them. This way we can tell if the attribute is set and create a fake attribute accordingly. When a userPassword is set on a host a keytab is generated against that password so we always set has_keytab to False if a password exists. This is fine because when keytab gets generated for the host the password is removed (hence one-time). This adds has_keytab/has_password to the user, host and service plugins. ticket https://fedorahosted.org/freeipa/ticket/1538
2011-08-22 16:24:07 -04:00
has_keytab=False,
has_password=False,
Deleting a non-fully-qualified hostname should still delete its services We were being left with orphan services if the host entry was not removed using the FQDN.
2010-03-29 11:31:10 -04:00
),
),
),
dict(
desc='Add a service to host %r' % fqdn1,
Require that hosts be resolvable in DNS. Use --force to ignore warnings. This also requires a resolvable hostname on services as well. I want people to think long and hard about adding things that aren't resolvable. The cert plugin can automatically create services on the user's behalf when issuing a cert. It will always set the force flag to True. We use a lot of made-up host names in the test system, all of which require the force flag now. ticket #25
2010-07-22 14:16:22 -04:00
command=('service_add', [service1], {'force': True}),
Deleting a non-fully-qualified hostname should still delete its services We were being left with orphan services if the host entry was not removed using the FQDN.
2010-03-29 11:31:10 -04:00
expected=dict(
value=service1,
summary=u'Added service "%s"' % service1,
result=dict(
Change the way has_keytab is determined, also check for password. We need an indicator to see if a keytab has been set on host and service entries. We also need a way to know if a one-time password is set on a host. This adds an ACI that grants search on userPassword and krbPrincipalKey so we can do an existence search on them. This way we can tell if the attribute is set and create a fake attribute accordingly. When a userPassword is set on a host a keytab is generated against that password so we always set has_keytab to False if a password exists. This is fine because when keytab gets generated for the host the password is removed (hence one-time). This adds has_keytab/has_password to the user, host and service plugins. ticket https://fedorahosted.org/freeipa/ticket/1538
2011-08-22 16:24:07 -04:00
dn=lambda x: DN(x) == service1dn,
Deleting a non-fully-qualified hostname should still delete its services We were being left with orphan services if the host entry was not removed using the FQDN.
2010-03-29 11:31:10 -04:00
krbprincipalname=[service1],
objectclass=objectclasses.service,
Enable a host to retrieve a keytab for all its services. Using the host service principal one should be able to retrieve a keytab for other services for the host using ipa-getkeytab. This required a number of changes: - allow hosts in the service's managedby to write krbPrincipalKey - automatically add the host to managedby when a service is created - fix ipa-getkeytab to return the entire prinicpal and not just the first data element. It was returning "host" from the service tgt and not host/ipa.example.com - fix the display of the managedby attribute in the service plugin This led to a number of changes in the service unit tests. I took the opportunity to switch to the Declarative scheme and tripled the number of tests we were doing. This shed some light on a few bugs in the plugin: - if a service had a bad usercertificate it was impossible to delete the service. I made it a bit more flexible. - I added a summary for the mod and find commands - has_keytab wasn't being set in the find output ticket 68
2010-08-05 22:41:32 -04:00
managedby_host=[fqdn1],
Deleting a non-fully-qualified hostname should still delete its services We were being left with orphan services if the host entry was not removed using the FQDN.
2010-03-29 11:31:10 -04:00
ipauniqueid=[fuzzy_uuid],
),
),
),
dict(
desc='Delete using host name %r' % short1,
command=('host_del', [short1], {}),
expected=dict(
value=short1,
summary=u'Deleted host "%s"' % short1,
Display the entries that failed when deleting with --continue. We collected the failures but didn't report it back. This changes the API of most delete commands so rather than returning a boolean it returns a dict with the only current key as failed. This also adds a new parameter flag, suppress_empty. This will try to not print values that are empty if included. This makes the output of the delete commands a bit prettier. ticket 687
2011-01-07 11:17:55 -05:00
result=dict(failed=u''),
Deleting a non-fully-qualified hostname should still delete its services We were being left with orphan services if the host entry was not removed using the FQDN.
2010-03-29 11:31:10 -04:00
),
),
dict(
desc='Search for services for %r' % fqdn1,
command=('service_find', [fqdn1], {}),
expected=dict(
count=0,
truncated=False,
Enable a host to retrieve a keytab for all its services. Using the host service principal one should be able to retrieve a keytab for other services for the host using ipa-getkeytab. This required a number of changes: - allow hosts in the service's managedby to write krbPrincipalKey - automatically add the host to managedby when a service is created - fix ipa-getkeytab to return the entire prinicpal and not just the first data element. It was returning "host" from the service tgt and not host/ipa.example.com - fix the display of the managedby attribute in the service plugin This led to a number of changes in the service unit tests. I took the opportunity to switch to the Declarative scheme and tripled the number of tests we were doing. This shed some light on a few bugs in the plugin: - if a service had a bad usercertificate it was impossible to delete the service. I made it a bit more flexible. - I added a summary for the mod and find commands - has_keytab wasn't being set in the find output ticket 68
2010-08-05 22:41:32 -04:00
summary=u'0 services matched',
Deleting a non-fully-qualified hostname should still delete its services We were being left with orphan services if the host entry was not removed using the FQDN.
2010-03-29 11:31:10 -04:00
result=[
],
),
),
Require that hosts be resolvable in DNS. Use --force to ignore warnings. This also requires a resolvable hostname on services as well. I want people to think long and hard about adding things that aren't resolvable. The cert plugin can automatically create services on the user's behalf when issuing a cert. It will always set the force flag to True. We use a lot of made-up host names in the test system, all of which require the force flag now. ticket #25
2010-07-22 14:16:22 -04:00
dict(
desc='Try to add host not in DNS %r without force' % fqdn2,
command=('host_add', [fqdn2], {}),
expected=errors.DNSNotARecordError(reason='Host does not have corresponding DNS A record'),
),
dict(
desc='Try to add host not in DNS %r with force' % fqdn2,
command=('host_add', [fqdn2],
dict(
description=u'Test host 2',
l=u'Undisclosed location 2',
force=True,
),
),
expected=dict(
value=fqdn2,
summary=u'Added host "%s"' % fqdn2,
result=dict(
ticket 1600 - convert unittests to use DN objects We have a larger goal of replacing all DN creation via string formatting/concatenation with DN object operations because string operations are not a safe way to form a DN nor to compare a DN. This work needs to be broken into smaller chunks for easier review and testing. Addressing the unit tests first makes sense because we don't want to be modifying both the core code and the tests used to verify the core code simultaneously. If we modify the unittests first with existing core code and no regressions are found then we can move on to modifying parts of the core code with the belief the unittests can validate the changes in the core code. Also by doing the unittests first we also help to validate the DN objects are working correctly (although they do have an extensive unittest). The fundamental changes are: * replace string substitution & concatenation with DN object constructor * when comparing dn's the comparision is done after promotion to a DN object, then two DN objects are compared * when a list of string dn's are to be compared a new list is formed where each string dn is replaced by a DN object * because the unittest framework accepts a complex data structure of expected values where dn's are represeted as strings the unittest needs to express the expected value of a dn as a callable object (e.g. a lambda expression) which promotes the dn string to a DN object in order to do the comparision.
2011-08-09 21:21:56 -04:00
dn=lambda x: DN(x) == dn2,
Require that hosts be resolvable in DNS. Use --force to ignore warnings. This also requires a resolvable hostname on services as well. I want people to think long and hard about adding things that aren't resolvable. The cert plugin can automatically create services on the user's behalf when issuing a cert. It will always set the force flag to True. We use a lot of made-up host names in the test system, all of which require the force flag now. ticket #25
2010-07-22 14:16:22 -04:00
fqdn=[fqdn2],
description=[u'Test host 2'],
l=[u'Undisclosed location 2'],
krbprincipalname=[u'host/%s@%s' % (fqdn2, api.env.realm)],
objectclass=objectclasses.host,
ipauniqueid=[fuzzy_uuid],
Add managedby to Host entries This will allow others to provision on behalf of the host. ticket 280
2010-11-10 16:47:29 -05:00
managedby_host=[u'%s' % fqdn2],
Change the way has_keytab is determined, also check for password. We need an indicator to see if a keytab has been set on host and service entries. We also need a way to know if a one-time password is set on a host. This adds an ACI that grants search on userPassword and krbPrincipalKey so we can do an existence search on them. This way we can tell if the attribute is set and create a fake attribute accordingly. When a userPassword is set on a host a keytab is generated against that password so we always set has_keytab to False if a password exists. This is fine because when keytab gets generated for the host the password is removed (hence one-time). This adds has_keytab/has_password to the user, host and service plugins. ticket https://fedorahosted.org/freeipa/ticket/1538
2011-08-22 16:24:07 -04:00
has_keytab=False,
has_password=False,
Require that hosts be resolvable in DNS. Use --force to ignore warnings. This also requires a resolvable hostname on services as well. I want people to think long and hard about adding things that aren't resolvable. The cert plugin can automatically create services on the user's behalf when issuing a cert. It will always set the force flag to True. We use a lot of made-up host names in the test system, all of which require the force flag now. ticket #25
2010-07-22 14:16:22 -04:00
),
),
),
Don't allow IPA master hosts or important services be deleted. Deleting these would cause the IPA master to blow up. For services I'm taking a conservative approach and only limiting the deletion of known services we care about. https://fedorahosted.org/freeipa/ticket/2425
2012-02-22 17:42:38 -05:00
# This test will only succeed when running against lite-server.py
# on same box as IPA install.
dict(
desc='Delete the current host (master?) %s should be caught' % api.env.host,
command=('host_del', [api.env.host], {}),
expected=errors.ValidationError(name='fqdn', error='An IPA master host cannot be deleted'),
),
Only apply validation rules when adding and updating. There may be cases, for whatever reason, that an otherwise illegal entry gets created that doesn't match the criteria for a valid user/host/group name. If this happens (i.e. migration) there is no way to remove this using the IPA tools because we always applied the name pattern. So you can't, for example, delete a user with an illegal name. Primary keys are cloned with query=True in PKQuery which causes no rules to be applied on mod/show/find. This reverts a change from commit 3a5e26a0 which applies class rules when query=True (for enforcing no white space). Replace rdnattr with rdn_is_primary_key. This was meant to tell us when an RDN change was necessary to do a rename. There could be a disconnect where the rdnattr wasn't the primary key and in that case we don't need to do an RDN change, so use a boolean instead so that it is clear that RDN == primary key. Add a test to ensure that nowhitespace is actually enforced. https://fedorahosted.org/freeipa/ticket/2115 Related: https://fedorahosted.org/freeipa/ticket/2089 Whitespace tickets: https://fedorahosted.org/freeipa/ticket/1285 https://fedorahosted.org/freeipa/ticket/1286 https://fedorahosted.org/freeipa/ticket/1287
2012-02-29 13:31:20 -05:00
dict(
desc='Test that validation is enabled on adds',
command=('host_add', [invalidfqdn1], {}),
expected=errors.ValidationError(name='fqdn', error='may only include letters, numbers, and -'),
),
# The assumption on these next 4 tests is that if we don't get a
# validation error then the request was processed normally.
dict(
desc='Test that validation is disabled on mods',
command=('host_mod', [invalidfqdn1], {}),
expected=errors.NotFound(reason='no such entry'),
),
dict(
desc='Test that validation is disabled on deletes',
command=('host_del', [invalidfqdn1], {}),
expected=errors.NotFound(reason='no such entry'),
),
dict(
desc='Test that validation is disabled on show',
command=('host_show', [invalidfqdn1], {}),
expected=errors.NotFound(reason='no such entry'),
),
dict(
desc='Test that validation is disabled on find',
command=('host_find', [invalidfqdn1], {}),
expected=dict(
count=0,
truncated=False,
summary=u'0 hosts matched',
result=[],
),
),
host and hostgroup summary messages, declarative tests; fix tests for 'dn'
2009-12-15 13:36:14 -07:00
]
Reference in New Issue Copy Permalink