Rename test class for testing simple commands, add test

The concensus in the review was that the name test_commands was
more generic than test_ipa_cli.

Add a test to change the password for sysaccount users using
using ldappasswd to confirm that a segfault fix does not regress.

https://pagure.io/freeipa/issue/7561

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>

.freeipa-pr-ci.yaml

@@ -87,14 +87,14 @@ jobs:
         timeout: 3600
         topology: *master_1repl_1client
 
-  fedora-28/test_ipa_cli:
+  fedora-28/test_commands:
     requires: [fedora-28/build]
     priority: 50
     job:
       class: RunPytest
       args:
         build_url: '{fedora-28/build_url}'
-        test_suite: test_integration/test_ipa_cli.py
+        test_suite: test_integration/test_commands.py
         template: *ci-master-f28
         timeout: 3600
         topology: *master_1repl

ipatests/pytest_plugins/integration/tasks.py

@@ -1376,6 +1376,18 @@ def ldappasswd_user_change(user, oldpw, newpw, master):
     master.run_command(args)
 
 
+def ldappasswd_sysaccount_change(user, oldpw, newpw, master):
+    container_sysaccounts = dict(DEFAULT_CONFIG)['container_sysaccounts']
+    basedn = master.domain.basedn
+
+    userdn = "uid={},{},{}".format(user, container_sysaccounts, basedn)
+    master_ldap_uri = "ldap://{}".format(master.external_hostname)
+
+    args = [paths.LDAPPASSWD, '-D', userdn, '-w', oldpw, '-a', oldpw,
+            '-s', newpw, '-x', '-ZZ', '-H', master_ldap_uri]
+    master.run_command(args)
+
+
 def add_dns_zone(master, zone, skip_overlap_check=False,
                  dynamic_update=False, add_a_record_hosts=None):
     """

ipatests/test_integration/test_commands.py

@@ -7,7 +7,8 @@ from __future__ import absolute_import
 
 import base64
 import ssl
-
+from tempfile import NamedTemporaryFile
+import textwrap
 
 from ipaplatform.paths import paths
 
@@ -16,6 +17,11 @@ from ipatests.pytest_plugins.integration import tasks
 
 
 class TestIPACommand(IntegrationTest):
+    """
+    A lot of commands can be executed against a single IPA installation
+    so provide a generic class to execute one-off commands that need to be
+    tested without having to fire up a full server to run one command.
+    """
     topology = 'line'
 
     def get_cert_base64(self, host, path):
@@ -93,3 +99,37 @@ class TestIPACommand(IntegrationTest):
         )
         assert result.returncode == 1
         assert "Number of permissions added 0" in result.stdout_text
+
+    def test_change_sysaccount_password_issue7561(self):
+        sysuser = 'system'
+        original_passwd = 'Secret123'
+        new_passwd = 'userPasswd123'
+
+        master = self.master
+
+        base_dn = str(master.domain.basedn)  # pylint: disable=no-member
+        tf = NamedTemporaryFile()
+        ldif_file = tf.name
+        entry_ldif = textwrap.dedent("""
+            dn: uid=system,cn=sysaccounts,cn=etc,{base_dn}
+            changetype: add
+            objectclass: account
+            objectclass: simplesecurityobject
+            uid: system
+            userPassword: {original_passwd}
+            passwordExpirationTime: 20380119031407Z
+            nsIdleTimeout: 0
+        """).format(
+            base_dn=base_dn,
+            original_passwd=original_passwd)
+        master.put_file_contents(ldif_file, entry_ldif)
+        arg = ['ldapmodify',
+               '-h', master.hostname,
+               '-p', '389', '-D',
+               str(master.config.dirman_dn),   # pylint: disable=no-member
+               '-w', master.config.dirman_password,
+               '-f', ldif_file]
+        master.run_command(arg)
+
+        tasks.ldappasswd_sysaccount_change(sysuser, original_passwd,
+                                           new_passwd, master)