ipatests: refactor test_trust.py

Tests in test_trust.py were organized in ten classes, one for each trust type, requiring ten cycles of ipaserver installation/uninstallation and the full test run lasted for about 5500 seconds. There is no need in reinstallation of ipaserver between establishing different types of trust. I moved all tests to sinle class, preserving test logic. Additional changes: * TestEnforcedPosixADTrust was totally removed as it was duplicate of TestPosixADTrust * code of repeated checks was moved to methods * A task was cretated for cleaning up DNS configuration changes made for establishing trust Related to https://pagure.io/freeipa/issue/7889 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-02-25 18:55:28 -06:00 · 2019-03-28 13:44:51 +01:00 · 2019-03-28 13:44:51 +01:00 · c819716521
commit c819716521
parent 94a6cb11ea
2 changed files with 219 additions and 325 deletions
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@ -568,6 +568,7 @@ def install_adtrust(host):
 def disable_dnssec_validation(host):
    backup_file(host, paths.NAMED_CONF)
    named_conf = host.get_file_contents(paths.NAMED_CONF)
    named_conf = re.sub(br'dnssec-validation\s*yes;', b'dnssec-validation no;',
                        named_conf)
@ -575,11 +576,10 @@ def disable_dnssec_validation(host):
    restart_named(host)
-def configure_dns_for_trust(master, ad):
+def restore_dnssec_validation(host):
-    """
+    restore_files(host)
-    This configures DNS on IPA master according to the relationship of the
+    restart_named(host)
-    IPA's and AD's domains.
+
    """
 def is_subdomain(subdomain, domain):
    subdomain_unpacked = subdomain.split('.')
@ -599,6 +599,12 @@ def configure_dns_for_trust(master, ad):
    return subdomain
 def configure_dns_for_trust(master, ad):
    """
    This configures DNS on IPA master according to the relationship of the
    IPA's and AD's domains.
    """
    kinit_admin(master)
    if is_subdomain(ad.domain.name, master.domain.name):
@ -621,6 +627,23 @@ def configure_dns_for_trust(master, ad):
                            ])
 def unconfigure_dns_for_trust(master, ad):
    """
    This undoes changes made by configure_dns_for_trust
    """
    kinit_admin(master)
    if is_subdomain(ad.domain.name, master.domain.name):
        master.run_command(['ipa', 'dnsrecord-del', master.domain.name,
                            '%s.%s' % (ad.shortname, ad.netbios),
                            '--a-rec', ad.ip])
        master.run_command(['ipa', 'dnsrecord-del', master.domain.name,
                            ad.netbios,
                            '--ns-rec', '%s.%s' % (ad.shortname, ad.netbios)])
    else:
        master.run_command(['ipa', 'dnsforwardzone-del', ad.domain.name])
        restore_dnssec_validation(master)
 def establish_trust_with_ad(master, ad_domain, extra_args=()):
    """
    Establishes trust with Active Directory. Trust type is detected depending
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@ -1,21 +1,4 @@
-# Authors:
+# Copyright (C) 2019  FreeIPA Contributors see COPYING for license
 #   Tomas Babej <tbabej@redhat.com>
 #
 # Copyright (C) 2013  Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 from __future__ import absolute_import
@ -24,45 +7,38 @@ import unittest
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.pytest_ipa.integration import tasks
 from ipaplatform.paths import paths
-class ADTrustBase(IntegrationTest):
+class TestTrust(IntegrationTest):
    """Provides common checks for the AD trust integration testing."""
    topology = 'line'
    num_ad_domains = 1
    num_ad_subdomains = 1
    num_ad_treedomains = 1
    upn_suffix = 'UPNsuffix.com'
    upn_username = 'upnuser'
    upn_name = 'UPN User'
    upn_principal = '{}@{}'.format(upn_username, upn_suffix)
    upn_password = 'Secret123456'
    @classmethod
    def install(cls, mh):
        if not cls.master.transport.file_exists('/usr/bin/rpcclient'):
            raise unittest.SkipTest("Package samba-client not available "
                                    "on {}".format(cls.master.hostname))
-        super(ADTrustBase, cls).install(mh)
+        super(TestTrust, cls).install(mh)
-        cls.ad = cls.ads[0]
+        cls.ad = cls.ads[0]  # pylint: disable=no-member
        cls.ad_domain = cls.ad.domain.name
-        cls.install_adtrust()
+        tasks.install_adtrust(cls.master)
        cls.check_sid_generation()
-        cls.child_ad = cls.ad_subdomains[0]
+        cls.child_ad = cls.ad_subdomains[0]  # pylint: disable=no-member
        cls.ad_subdomain = cls.child_ad.domain.name
-        cls.tree_ad = cls.ad_treedomains[0]
+        cls.tree_ad = cls.ad_treedomains[0]  # pylint: disable=no-member
        cls.ad_treedomain = cls.tree_ad.domain.name
        cls.configure_dns_and_time()
    @classmethod
    def install_adtrust(cls):
        """Test adtrust support installation"""
        tasks.install_adtrust(cls.master)
    @classmethod
    def check_sid_generation(cls):
        """Test SID generation"""
        command = ['ipa', 'user-show', 'admin', '--all', '--raw']
        # TODO: remove duplicate definition and import from common module
@ -74,72 +50,52 @@ class ADTrustBase(IntegrationTest):
        tasks.run_repeatedly(cls.master, command,
                             test=lambda x: re.search(stdout_re, x))
-    @classmethod
+    def configure_dns_and_time(self, ad_host):
-    def configure_dns_and_time(cls):
+        tasks.configure_dns_for_trust(self.master, ad_host)
-        tasks.configure_dns_for_trust(cls.master, cls.ad)
+        tasks.sync_time(self.master, ad_host)
        tasks.sync_time(cls.master, cls.ad)
-    def test_establish_trust(self):
+    def check_trustdomains(self, realm, expected_ad_domains):
-        """Tests establishing trust with Active Directory"""
+        """Check that ipa trustdomain-find lists all expected domains"""
        result = self.master.run_command(['ipa', 'trustdomain-find', realm])
        for domain in expected_ad_domains:
            expected_text = 'Domain name: %s\n' % domain
            assert expected_text in result.stdout_text
        expected_text = ("Number of entries returned %s\n" %
                         len(expected_ad_domains))
        assert expected_text in result.stdout_text
-        tasks.establish_trust_with_ad(self.master, self.ad_domain,
+    def check_range_properties(self, realm, expected_type, expected_size):
            extra_args=['--range-type', 'ipa-ad-trust'])
    def test_all_trustdomains_found(self):
        """
        Tests that all trustdomains can be found.
        """
        result = self.master.run_command(['ipa',
                                          'trustdomain-find',
                                          self.ad_domain])
        # Check that all trustdomains appear in the result
        assert self.ad_domain in result.stdout_text
        assert self.ad_subdomain in result.stdout_text
        assert "Number of entries returned 2" in result.stdout_text
 class ADTrustSubdomainBase(ADTrustBase):
    """
    Base class for tests involving subdomains of trusted forests
    """
    @classmethod
    def configure_dns_and_time(cls):
        tasks.configure_dns_for_trust(cls.master, cls.child_ad)
        tasks.sync_time(cls.master, cls.child_ad)
 class ADTrustTreedomainBase(ADTrustBase):
    """
    Base class for tests involving tree root domains of trusted forests
    """
    @classmethod
    def configure_dns_and_time(cls):
        tasks.configure_dns_for_trust(cls.master, cls.tree_ad)
        tasks.sync_time(cls.master, cls.tree_ad)
 class TestBasicADTrust(ADTrustBase):
    """Basic Integration test for Active Directory"""
    def test_range_properties_in_nonposix_trust(self):
        """Check the properties of the created range"""
-
+        range_name = realm.upper() + '_id_range'
        range_name = self.ad_domain.upper() + '_id_range'
        result = self.master.run_command(['ipa', 'idrange-show', range_name,
                                          '--all', '--raw'])
        expected_text = 'ipaidrangesize: %s\n' % expected_size
        assert expected_text in result.stdout_text
        expected_text = 'iparangetype: %s\n' % expected_type
        assert expected_text in result.stdout_text
-        iparangetype_regex = r'ipaRangeType: ipa-ad-trust'
+    def remove_trust(self, ad):
-        iparangesize_regex = r'ipaIDRangeSize: 200000'
+        tasks.remove_trust_with_ad(self.master, ad.domain.name)
        tasks.unconfigure_dns_for_trust(self.master, ad)
        tasks.clear_sssd_cache(self.master)
-        assert re.search(iparangetype_regex, result.stdout_text, re.IGNORECASE)
+    # Tests for non-posix AD trust
-        assert re.search(iparangesize_regex, result.stdout_text, re.IGNORECASE)
+
    def test_establish_nonposix_trust(self):
        self.configure_dns_and_time(self.ad)
        tasks.establish_trust_with_ad(
            self.master, self.ad_domain,
            extra_args=['--range-type', 'ipa-ad-trust'])
    def test_trustdomains_found_in_nonposix_trust(self):
        self.check_trustdomains(
            self.ad_domain, [self.ad_domain, self.ad_subdomain])
    def test_range_properties_in_nonposix_trust(self):
        self.check_range_properties(self.ad_domain, 'ipa-ad-trust', 200000)
    def test_user_gid_uid_resolution_in_nonposix_trust(self):
        """Check that user has SID-generated UID"""
        # Using domain name since it is lowercased realm name for AD domains
        testuser = 'testuser@%s' % self.ad_domain
        result = self.master.run_command(['getent', 'passwd', testuser])
@ -151,9 +107,10 @@ class TestBasicADTrust(ADTrustBase):
                         % (re.escape(self.ad_domain),
                            re.escape(self.ad_domain))
-        assert re.search(testuser_regex, result.stdout_text)
+        assert re.search(
            testuser_regex, result.stdout_text), result.stdout_text
-    def test_ipauser_authentication(self):
+    def test_ipauser_authentication_with_nonposix_trust(self):
        ipauser = u'tuser'
        original_passwd = 'Secret123'
        new_passwd = 'userPasswd123'
@ -168,280 +125,11 @@ class TestBasicADTrust(ADTrustBase):
                                     self.master)
        # try to kinit as ipauser
-        self.master.run_command(
+        self.master.run_command([
-            ['kinit', '-E', '{0}@{1}'.format(ipauser,
+            'kinit', '-E', '{0}@{1}'.format(ipauser, self.master.domain.name)],
                                             self.master.domain.name)],
            stdin_text=new_passwd)
-    def test_remove_nonposix_trust(self):
+    # Tests for UPN suffixes
        tasks.remove_trust_with_ad(self.master, self.ad_domain)
        tasks.clear_sssd_cache(self.master)
 class TestPosixADTrust(ADTrustBase):
    """Integration test for Active Directory with POSIX support"""
    def test_establish_trust(self):
        tasks.establish_trust_with_ad(
            self.master, self.ad_domain,
            extra_args=['--range-type', 'ipa-ad-trust-posix']
        )
    def test_range_properties_in_posix_trust(self):
        # Check the properties of the created range
        range_name = self.ad_domain.upper() + '_id_range'
        result = self.master.run_command(['ipa', 'idrange-show', range_name,
                                          '--all', '--raw'])
        # Check the range type and size
        iparangetype_regex = r'ipaRangeType: ipa-ad-trust-posix'
        iparangesize_regex = r'ipaIDRangeSize: 200000'
        assert re.search(iparangetype_regex, result.stdout_text, re.IGNORECASE)
        assert re.search(iparangesize_regex, result.stdout_text, re.IGNORECASE)
    def test_user_uid_gid_resolution_in_posix_trust(self):
        # Check that user has AD-defined UID
        # Using domain name since it is lowercased realm name for AD domains
        testuser = 'testuser@%s' % self.ad_domain
        result = self.master.run_command(['getent', 'passwd', testuser])
        testuser_stdout = "testuser@%s:*:10042:10047:"\
                          "Test User:/home/%s/testuser:/bin/sh"\
                          % (self.ad_domain, self.ad_domain)
        assert testuser_stdout in result.stdout_text
    def test_user_without_posix_attributes_not_visible(self):
        # Check that user has AD-defined UID
        # Using domain name since it is lowercased realm name for AD domains
        nonposixuser = 'nonposixuser@%s' % self.ad_domain
        result = self.master.run_command(['getent', 'passwd', nonposixuser],
                                         raiseonerr=False)
        # Getent exits with 2 for non-existent user
        assert result.returncode == 2
    def test_remove_trust_with_posix_attributes(self):
        tasks.remove_trust_with_ad(self.master, self.ad_domain)
        tasks.clear_sssd_cache(self.master)
 class TestEnforcedPosixADTrust(TestPosixADTrust):
    """
    This test is intented to copycat PosixADTrust, since enforcing the POSIX
    trust type should not make a difference.
    """
    """Re-difene method from test_establish_trust_with_posix_attributes
    to test_establish_trust. win server 2016 no more have support for MFU/NIS,
    so autodetection doesn't work"""
    def test_establish_trust(self):
        tasks.establish_trust_with_ad(self.master, self.ad_domain,
            extra_args=['--range-type', 'ipa-ad-trust-posix'])
 class TestInvalidRangeTypes(ADTrustBase):
    """
    Tests invalid values being put into trust-add command.
    """
    def test_invalid_range_types(self):
        invalid_range_types = ['ipa-local',
                               'ipa-ad-winsync',
                               'ipa-ipa-trust',
                               'random-invalid',
                               're@ll%ybad12!']
        for range_type in invalid_range_types:
            tasks.kinit_admin(self.master)
            result = self.master.run_command(
                ['ipa', 'trust-add', '--type', 'ad', self.ad_domain, '--admin',
                 'Administrator', '--range-type', range_type, '--password'],
                raiseonerr=False,
                stdin_text=self.master.config.ad_admin_password)
            # The trust-add command is supposed to fail
            assert result.returncode == 1
 class TestExternalTrustWithSubdomain(ADTrustSubdomainBase):
    """
    Test establishing external trust with subdomain
    """
    def test_establish_trust(self):
        """ Tests establishing external trust with Active Directory """
        tasks.establish_trust_with_ad(
            self.master, self.ad_subdomain,
            extra_args=['--range-type', 'ipa-ad-trust', '--external=True'])
    def test_all_trustdomains_found(self):
        """ Test that only one trustdomain is found """
        result = self.master.run_command(['ipa', 'trustdomain-find',
                                          self.ad_subdomain])
        assert self.ad_subdomain in result.stdout_text
        assert "Number of entries returned 1" in result.stdout_text
    def test_user_gid_uid_resolution_in_nonposix_trust(self):
        """ Check that user has SID-generated UID """
        testuser = 'subdomaintestuser@{0}'.format(self.ad_subdomain)
        result = self.master.run_command(['getent', 'passwd', testuser])
        testuser_regex = (r"^subdomaintestuser@{0}:\*:(?!10142)(\d+):"
                          r"(?!10147)(\d+):Subdomaintest User:"
                          r"/home/{1}/subdomaintestuser:/bin/sh$".format(
                              re.escape(self.ad_subdomain),
                              re.escape(self.ad_subdomain)))
        assert re.search(testuser_regex, result.stdout_text)
    def test_remove_nonposix_trust(self):
        tasks.remove_trust_with_ad(self.master, self.ad_subdomain)
        tasks.clear_sssd_cache(self.master)
 class TestNonexternalTrustWithSubdomain(ADTrustSubdomainBase):
    """
    Tests that a non-external trust to a subdomain cannot be established
    """
    def test_establish_trust(self):
        """ Tests establishing non-external trust with Active Directory """
        self.master.run_command(['kinit', '-kt', paths.HTTP_KEYTAB,
                                 'HTTP/%s' % self.master.hostname])
        self.master.run_command(['systemctl', 'restart', 'krb5kdc.service'])
        self.master.run_command(['kdestroy', '-A'])
        tasks.kinit_admin(self.master)
        self.master.run_command(['klist'])
        self.master.run_command(['smbcontrol', 'all', 'debug', '100'])
        result = self.master.run_command([
            'ipa', 'trust-add', '--type', 'ad', self.ad_subdomain, '--admin',
            'Administrator', '--password', '--range-type', 'ipa-ad-trust'
            ], stdin_text=self.master.config.ad_admin_password,
            raiseonerr=False)
        assert result != 0
        assert ("Domain '{0}' is not a root domain".format(
            self.ad_subdomain) in result.stderr_text)
    def test_all_trustdomains_found(self):
        raise unittest.SkipTest(
            'Test case unapplicable, present for inheritance reason only')
 class TestExternalTrustWithTreedomain(ADTrustTreedomainBase):
    """
    Test establishing external trust with tree root domain
    """
    def test_establish_trust(self):
        """ Tests establishing external trust with Active Directory """
        tasks.establish_trust_with_ad(
            self.master, self.ad_treedomain,
            extra_args=['--range-type', 'ipa-ad-trust', '--external=True'])
    def test_all_trustdomains_found(self):
        """ Test that only one trustdomain is found """
        result = self.master.run_command(['ipa', 'trustdomain-find',
                                          self.ad_treedomain])
        assert self.ad_treedomain in result.stdout_text
        assert "Number of entries returned 1" in result.stdout_text
    def test_user_gid_uid_resolution_in_nonposix_trust(self):
        """ Check that user has SID-generated UID """
        testuser = 'treetestuser@{0}'.format(self.ad_treedomain)
        result = self.master.run_command(['getent', 'passwd', testuser])
        testuser_regex = (r"^treetestuser@{0}:\*:(?!10242)(\d+):"
                          r"(?!10247)(\d+):TreeTest User:"
                          r"/home/{1}/treetestuser:/bin/sh$".format(
                              re.escape(self.ad_treedomain),
                              re.escape(self.ad_treedomain)))
        assert re.search(testuser_regex, result.stdout_text)
    def test_remove_nonposix_trust(self):
        tasks.remove_trust_with_ad(self.master, self.ad_treedomain)
        tasks.clear_sssd_cache(self.master)
 class TestNonexternalTrustWithTreedomain(ADTrustTreedomainBase):
    """
    Tests that a non-external trust to a tree root domain cannot be established
    """
    def test_establish_trust(self):
        """ Tests establishing non-external trust with Active Directory """
        self.master.run_command(['kinit', '-kt', paths.HTTP_KEYTAB,
                                 'HTTP/%s' % self.master.hostname])
        self.master.run_command(['systemctl', 'restart', 'krb5kdc.service'])
        self.master.run_command(['kdestroy', '-A'])
        tasks.kinit_admin(self.master)
        self.master.run_command(['klist'])
        self.master.run_command(['smbcontrol', 'all', 'debug', '100'])
        result = self.master.run_command([
            'ipa', 'trust-add', '--type', 'ad', self.ad_treedomain, '--admin',
            'Administrator', '--password', '--range-type', 'ipa-ad-trust'
            ], stdin_text=self.master.config.ad_admin_password,
            raiseonerr=False)
        assert result != 0
        assert ("Domain '{0}' is not a root domain".format(
            self.ad_treedomain) in result.stderr_text)
    def test_all_trustdomains_found(self):
        raise unittest.SkipTest(
            'Test case unapplicable, present for inheritance reason only')
 class TestExternalTrustWithRootDomain(ADTrustBase):
    """
    Test establishing external trust with root domain
    Main purpose of this test is to verify that subdomains are not
    associated with the external trust, hence all tests are skipped
    if no subdomain is specified.
    """
    def test_establish_trust(self):
        """ Tests establishing external trust with Active Directory """
        tasks.establish_trust_with_ad(
            self.master, self.ad_domain,
            extra_args=['--range-type', 'ipa-ad-trust', '--external=True'])
    def test_all_trustdomains_found(self):
        """ Test that only one trustdomain is found """
        result = self.master.run_command(['ipa', 'trustdomain-find',
                                          self.ad_domain])
        assert self.ad_domain in result.stdout_text
        assert "Number of entries returned 1" in result.stdout_text
    def test_remove_nonposix_trust(self):
        tasks.remove_trust_with_ad(self.master, self.ad_domain)
        tasks.clear_sssd_cache(self.master)
 class TestTrustWithUPN(ADTrustBase):
    """
    Test support of UPN for trusted domains
    """
    upn_suffix = 'UPNsuffix.com'
    upn_username = 'upnuser'
    upn_name = 'UPN User'
    upn_principal = '{}@{}'.format(upn_username, upn_suffix)
    upn_password = 'Secret123456'
    def test_upn_in_nonposix_trust(self):
        """Check that UPN is listed as trust attribute"""
@ -462,13 +150,196 @@ class TestTrustWithUPN(ADTrustBase):
                self.upn_username, self.ad_domain, self.upn_name,
                self.ad_domain, self.upn_username)
        )
-        assert re.search(upnuser_regex, result.stdout_text)
+        assert re.search(upnuser_regex, result.stdout_text), result.stdout_text
-    def test_upn_user_authentication(self):
+    def test_upn_user_authentication_in_nonposix_trust(self):
        """ Check that AD user with UPN can authenticate in IPA """
        self.master.run_command(['kinit', '-C', '-E', self.upn_principal],
                                stdin_text=self.upn_password)
    def test_remove_nonposix_trust(self):
-        tasks.remove_trust_with_ad(self.master, self.ad_domain)
+        self.remove_trust(self.ad)
-        tasks.clear_sssd_cache(self.master)
+
    # Tests for posix AD trust
    def test_establish_posix_trust(self):
        self.configure_dns_and_time(self.ad)
        tasks.establish_trust_with_ad(
            self.master, self.ad_domain,
            extra_args=['--range-type', 'ipa-ad-trust-posix'])
    def test_trustdomains_found_in_posix_trust(self):
        """Tests that all trustdomains can be found."""
        self.check_trustdomains(
            self.ad_domain, [self.ad_domain, self.ad_subdomain])
    def test_range_properties_in_posix_trust(self):
        """Check the properties of the created range"""
        self.check_range_properties(self.ad_domain, 'ipa-ad-trust-posix',
                                    200000)
    def test_user_uid_gid_resolution_in_posix_trust(self):
        """Check that user has AD-defined UID"""
        # Using domain name since it is lowercased realm name for AD domains
        testuser = 'testuser@%s' % self.ad_domain
        result = self.master.run_command(['getent', 'passwd', testuser])
        testuser_stdout = "testuser@%s:*:10042:10047:"\
                          "Test User:/home/%s/testuser:/bin/sh"\
                          % (self.ad_domain, self.ad_domain)
        assert testuser_stdout in result.stdout_text
    def test_user_without_posix_attributes_not_visible(self):
        """Check that user has AD-defined UID"""
        # Using domain name since it is lowercased realm name for AD domains
        nonposixuser = 'nonposixuser@%s' % self.ad_domain
        result = self.master.run_command(['getent', 'passwd', nonposixuser],
                                         raiseonerr=False)
        # Getent exits with 2 for non-existent user
        assert result.returncode == 2
    def test_remove_posix_trust(self):
        self.remove_trust(self.ad)
    # Tests for handling invalid trust types
    def test_invalid_range_types(self):
        invalid_range_types = ['ipa-local',
                               'ipa-ad-winsync',
                               'ipa-ipa-trust',
                               'random-invalid',
                               're@ll%ybad12!']
        self.configure_dns_and_time(self.ad)
        try:
            for range_type in invalid_range_types:
                tasks.kinit_admin(self.master)
                result = self.master.run_command(
                    ['ipa', 'trust-add', '--type', 'ad', self.ad_domain,
                     '--admin', 'Administrator',
                     '--range-type', range_type, '--password'],
                    raiseonerr=False,
                    stdin_text=self.master.config.ad_admin_password)
                # The trust-add command is supposed to fail
                assert result.returncode == 1
                assert "ERROR: invalid 'range_type'" in result.stderr_text
        finally:
            tasks.unconfigure_dns_for_trust(self.master, self.ad)
    # Tests for external trust with AD subdomain
    def test_establish_external_subdomain_trust(self):
        self.configure_dns_and_time(self.child_ad)
        tasks.establish_trust_with_ad(
            self.master, self.ad_subdomain,
            extra_args=['--range-type', 'ipa-ad-trust', '--external=True'])
    def test_trustdomains_found_in_external_subdomain_trust(self):
        self.check_trustdomains(
            self.ad_subdomain, [self.ad_subdomain])
    def test_user_gid_uid_resolution_in_external_subdomain_trust(self):
        """Check that user has SID-generated UID"""
        testuser = 'subdomaintestuser@{0}'.format(self.ad_subdomain)
        result = self.master.run_command(['getent', 'passwd', testuser])
        testuser_regex = (r"^subdomaintestuser@{0}:\*:(?!10142)(\d+):"
                          r"(?!10147)(\d+):Subdomaintest User:"
                          r"/home/{1}/subdomaintestuser:/bin/sh$".format(
                              re.escape(self.ad_subdomain),
                              re.escape(self.ad_subdomain)))
        assert re.search(testuser_regex, result.stdout_text)
    def test_remove_external_subdomain_trust(self):
        self.remove_trust(self.child_ad)
    # Tests for non-external trust with AD subdomain
    def test_establish_nonexternal_subdomain_trust(self):
        self.configure_dns_and_time(self.child_ad)
        try:
            tasks.kinit_admin(self.master)
            result = self.master.run_command([
                'ipa', 'trust-add', '--type', 'ad', self.ad_subdomain,
                '--admin',
                'Administrator', '--password', '--range-type', 'ipa-ad-trust'
            ], stdin_text=self.master.config.ad_admin_password,
                raiseonerr=False)
            assert result != 0
            assert ("Domain '{0}' is not a root domain".format(
                self.ad_subdomain) in result.stderr_text)
        finally:
            tasks.unconfigure_dns_for_trust(self.master, self.child_ad)
    # Tests for external trust with tree domain
    def test_establish_external_treedomain_trust(self):
        self.configure_dns_and_time(self.tree_ad)
        tasks.establish_trust_with_ad(
            self.master, self.ad_treedomain,
            extra_args=['--range-type', 'ipa-ad-trust', '--external=True'])
    def test_trustdomains_found_in_external_treedomain_trust(self):
        self.check_trustdomains(
            self.ad_treedomain, [self.ad_treedomain])
    def test_user_gid_uid_resolution_in_external_treedomain_trust(self):
        """Check that user has SID-generated UID"""
        testuser = 'treetestuser@{0}'.format(self.ad_treedomain)
        result = self.master.run_command(['getent', 'passwd', testuser])
        testuser_regex = (r"^treetestuser@{0}:\*:(?!10242)(\d+):"
                          r"(?!10247)(\d+):TreeTest User:"
                          r"/home/{1}/treetestuser:/bin/sh$".format(
                              re.escape(self.ad_treedomain),
                              re.escape(self.ad_treedomain)))
        assert re.search(
            testuser_regex, result.stdout_text), result.stdout_text
    def test_remove_external_treedomain_trust(self):
        self.remove_trust(self.tree_ad)
    # Test for non-external trust with tree domain
    def test_establish_nonexternal_treedomain_trust(self):
        self.configure_dns_and_time(self.tree_ad)
        try:
            tasks.kinit_admin(self.master)
            result = self.master.run_command([
                'ipa', 'trust-add', '--type', 'ad', self.ad_treedomain,
                '--admin',
                'Administrator', '--password', '--range-type', 'ipa-ad-trust'
            ], stdin_text=self.master.config.ad_admin_password,
                raiseonerr=False)
            assert result != 0
            assert ("Domain '{0}' is not a root domain".format(
                self.ad_treedomain) in result.stderr_text)
        finally:
            tasks.unconfigure_dns_for_trust(self.master, self.tree_ad)
    # Tests for external trust with root domain
    def test_establish_external_rootdomain_trust(self):
        self.configure_dns_and_time(self.ad)
        tasks.establish_trust_with_ad(
            self.master, self.ad_domain,
            extra_args=['--range-type', 'ipa-ad-trust', '--external=True'])
    def test_trustdomains_found_in_external_rootdomain_trust(self):
        self.check_trustdomains(self.ad_domain, [self.ad_domain])
    def test_remove_external_rootdomain_trust(self):
        self.remove_trust(self.ad)