Commit Graph

706 Commits

Author SHA1 Message Date
Sergey Orlov
13f20854b4 Remove obsolete tests from test_caless.py
Related issue #4270 is closed as "won't fix" after 4 years.
The tests are obsolete now.

See: https://pagure.io/freeipa/issue/4271
See: https://pagure.io/freeipa/issue/4270

Signed-off-by: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-01-29 14:42:13 -05:00
Florence Blanc-Renaud
a91e645a14 ipatests: add test for replica in forward zone
Scenario:
install a replica with DNS, with the replica part of a forward zone.
The replica installation should proceed successfully and avoid
trying to add a DNS record for the replica in the forward zone,
as the forward zone is not managed by IPA DNS.

Test added to nightly definitions.

Related to https://pagure.io/freeipa/issue/7369

Reviewed-By: Francois Cami <fcami@redhat.com>
2019-01-22 16:38:59 +01:00
Sergey Orlov
49cc72d5c9 Remove unused tests
Two tests in test_intgration/test_authselect.py were marked as
skipped in c5cdd5a5f0 due to removing of --no-sssd and --no-ac options.
Tests are not needed any more.

Fixes: https://pagure.io/freeipa/issue/7841
Signed-off-by: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-01-17 14:36:27 +01:00
Christian Heimes
256f2982ac Mark failing NTP test as expected failure
See: https://pagure.io/freeipa/issue/7719
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2019-01-17 14:29:34 +01:00
Christian Heimes
965181362a Fix systemd-user HBAC rule
2ef6e14c5a added an invalid HBAC rule that
encoded the service wrongly.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1643928
Fixes: https://pagure.io/freeipa/issue/7831
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-01-15 14:29:22 -05:00
Christian Heimes
2ef6e14c5a Create systemd-user HBAC service and rule
authselect changed pam_systemd session from optional to required. When
the HBAC rule allow_all is disabled and replaced with more fine grained
rules, loginsi now to fail, because systemd's user@.service is able to
create a systemd session.

Add systemd-user HBAC service and a HBAC rule that allows systemd-user
to run on all hosts for all users by default. ipa-server-upgrade creates
the service and rule, too. In case the service already exists, no
attempt is made to create the rule. This allows admins to delete the
rule permanently.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1643928
Fixes: https://pagure.io/freeipa/issue/7831
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-01-11 16:45:05 +01:00
Florence Blanc-Renaud
64be3141da ipatests: add integration test for pkinit enable on replica
ipa-pkinit-manage enable was failing when run on a replica
without a CA instance.
Add a test with the following scenario:
- install a replica with --no-pkinit
- check that the KDC cert is self signed
- call ipa-pkinit-manage enable
- check that the KDC cert is signed by IPA CA

Related to https://pagure.io/freeipa/issue/7795

Reviewed-By: Francois Cami <fcami@redhat.com>
2019-01-09 09:51:31 +01:00
François Cami
7c0b0f3471 ipatests: add a test for ipa-client-automount
Add an automount location then configure a client
to use it. Only runs nightly.

Related-to: https://pagure.io/freeipa/issue/7780
Related-to: https://pagure.io/freeipa/issue/7781
Related to: https://pagure.io/freeipa/issue/7783
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-14 10:15:04 +01:00
Christian Heimes
f0e11dac2d Test smart card advise scripts
Create and execute the server and client smart card advise scripts.

See: See: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-11 13:46:52 +01:00
Florence Blanc-Renaud
a81ea9af19 ipatests: fix test_full_backup_and_restore
The test is failing when calling (on the replica)
    ipa-replica-manage re-initialize --from <master>
because the tool needs to resolve master.
The test does not set /etc/resolv.conf on the replica, as a
consequence it relies on whatever DNS server is configured in
your test environment prior to launching the test, and makes
the test unreliable.
In PR-CI env, /etc/resolv.conf points to the machine hosting
the replica vm, which is unable to resolve master.ipa.test.

The fix is modifying the replica's /etc/resolv.conf to use the
master as DNS.

Fixes https://pagure.io/freeipa/issue/7778

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-12-10 17:04:56 +01:00
Thomas Woerner
a6862bd7af ipatests/test_integration/test_server_del.py: Enable dns in fw for dnssec
test_install_dns_on_replica1_and_dnssec_on_master now also enables the
dns servive in the firewall of the master.

See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-12-07 17:29:59 +01:00
Thomas Woerner
f86b410ff5 ipatests/test_integration/test_replica_promotion.py: Fix firewall config
The firewall needs to be configured before installing replicas.

See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-12-07 17:29:59 +01:00
Thomas Woerner
8e25ee64c8 ipatests/test_integration/test_backup_and_restore.py: No clean master uninstall
test_replica_install_after_restore is calling tasks.uninstall_master which
is disabling the firewall services for freeipa. The following ipa-restore
call is not reapplying the firewall settings. Calling tasks.uninstall_master
with clean=False will disable the firewall cleanup.

See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-12-07 17:29:59 +01:00
Christian Heimes
5a2a7151d5 Add integration tests for idviews
Add several tests to verify new anchor override and general idview
override functionality.

Fixes: https://pagure.io/freeipa/issue/6594
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-12-07 11:39:23 +01:00
Mohammad Rizwan Yusuf
e7581cc0d8
Test error when yubikey hardware not present
In order to work with IPA and Yubikey, libyubikey is required.
Before the fix, if yubikey added without having packages, it used to
result in traceback. Now it the exception is handeled properly.
It needs Yubikey hardware to make command successfull. This test
just check of proper error thrown when hardware is not attached.

related ticket : https://pagure.io/freeipa/issue/6979

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-06 14:33:14 +01:00
Florence Blanc-Renaud
4a938adca2 ipatests: fix TestUpgrade::test_double_encoded_cacert
The test is using a stale ldap connection to the master
(obtained before calling upgrade, and the upgrade stops
and starts 389-ds, breaking the connection).

The fix re-connects before using the ldap handle.

Related to https://pagure.io/freeipa/issue/7775

Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2018-12-05 11:09:23 +01:00
Florence Blanc-Renaud
52c3c90875 ipatest: add test for ipa-pkinit-manage enable|disable
Add a test for ipa-pkinit-manage with the following scenario:
- install master with option --no-pkinit
- call ipa-pkinit-manage enable
- call ipa-pkinit-manage disable
- call ipa-pkinit-manage enable

At each step, check that the PKINIT cert is consistent with the
expectations: when pkinit is enabled, the cert is signed by IPA
CA and tracked by 'IPA' ca helper, but when pkinit is disabled,
the cert is self-signed and tracked by 'SelfSign' CA helper.

The new test is added in the nightly definitons.

Related to https://pagure.io/freeipa/issue/7200

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-05 11:06:21 +01:00
Mohammad Rizwan Yusuf
b7ae9f7a3f Test KRA installtion after ca agent cert renewal
KRA installtion was failing after ca-agent cert gets renewed.
This test check if the syptoms no longer exists.

related ticket: https://pagure.io/freeipa/issue/7288

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-05 11:00:52 +01:00
Varun Mylaraiah
dde2aa4b16
ipatests: add tests for NTP options usage on server, replica, and client
The following tests are added in test_ntp_options.py :: TestNTPoptions
  - test_server_and_client_install_without_option_n
  - test_server_and_client_install_with_option_n
  - test_server_and_client_install_with_multiple_ntp_server
  - test_server_replica_and_client_install_with_ntp_pool_and_ntp_server
  - test_server_and_client_install_with_mixed_options
  - test_two_step_replica_install_using_ntp_options
  - test_two_step_replica_install_without_ntp_options

Details in the ticket: https://pagure.io/freeipa/issue/7719
and https://pagure.io/freeipa/issue/7723

Signed-off-by: Varun Mylaraiah <mvarun@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-12-03 13:58:19 +01:00
Thomas Woerner
3a7153c75c ipatests/test_integration/test_replica_promotion.py: Configure firewall
The tests in this file are calling ipa-[server,replica]-install directly
instead of using methods from tasks. Therefore it is required to enable
or disable the needed firewall services also.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2018-12-03 11:26:08 +01:00
Thomas Woerner
3ac830c7b4 ipatests/test_integration/test_dnssec.py: Enable dns firewall service
The dns firewall service needs to be enabled for the servers and replicas
where dns support has not been enabled at install time. Also it is needed
to enable the dns firewall service on the replica for migrating the dns
server to the replica.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2018-12-03 11:26:08 +01:00
Thomas Woerner
5a740144e0 ipatests/test_integration/test_http_kdc_proxy.py: Use new firewall import
Instead of using ip[6]tables commands, use new firewall class to deny
access to TCP and UDP port 88 on external machines using the OUTPUT chain.
The iptables calls in the install method are replaced by a
prepend_passthrough_rules call with the rules defined in the class.

The firewall rules are defined in the class as fw_rules without
--append/-A, --delete/-D, .. First entry of each rule is the chain name,
the argument to add or delete the rule will be added by the used Firewall
method. See firewall.py for more information.

The "iptables -F" call (IPv4 only) in the uninstall method is replaced by
a remove_passthrough_rules call with the rules defined in the class.

See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2018-12-03 11:26:08 +01:00
Thomas Woerner
d427e4b2ba ipatests/test_integration/test_forced_client_reenrollment.py: Use unshare
Instead of using iptables command, use "unshare --net" for uninstalling
client in the restore_client method.

The uninstall_client method has been extended with the additional argument
unshare (bool) which defaults to False. With unshare set, the call for
"ipa-client-install --uninstall -U" will be used with "unshare --net". The
uninstall command will not have network access.

See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2018-12-03 11:26:08 +01:00
Florence Blanc-Renaud
93e3fc4d89 ipatests: add upgrade test for double-encoded cacert
Create a test for upgrade with the following scenario:
- install master
- write a double-encoded cert in the entry
cn=cacert,,cn=ipa,cn=etc,$basedn
to simulate bug 7775
- call ipa-server-upgrade
- check that the upgrade fixed the value

The upgrade should finish successfully and repair
the double-encoded cert.

Related to https://pagure.io/freeipa/issue/7775

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-30 11:05:17 +01:00
Christian Heimes
533a5b2633 pylint 2.2: Fix unnecessary pass statement
pylint 2.2.0 has a new checker for unnecessary pass statements. There is
no need to have a pass statement in functions or classes with a doc
string.

Fixes: https://pagure.io/freeipa/issue/7772
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2018-11-26 16:54:43 +01:00
Varun Mylaraiah
42fb0cc6a7 Added test for ipa-client-install with a non-standard ldap.conf file Ticket: https://pagure.io/freeipa/issue/7418
Signed-off-by: Varun Mylaraiah <mvarun@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2018-11-23 10:42:44 +01:00
François Cami
a709da6748 Add a shared-vault-retrieve test
Add a shared-vault-retrieve test when:
* master has KRA installed
* replica has no KRA
This currently fails because of issue#7691

Related-to: https://pagure.io/freeipa/issue/7691
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-21 15:41:00 +01:00
Sergey Orlov
8182ebc6c3
ipatests: add test for ipa-restore in multi-master configuration
Test ensures that after ipa-restore on the master, the replica can be
re-synchronized and a new replica can be created.

https://pagure.io/freeipa/issue/7455

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-11-21 10:29:51 +01:00
Florence Blanc-Renaud
26e35dca41
ipatests: add test for ipa-replica-install options
Add a test checking that --password and --admin-password
options are mutually exclusive.

Related to https://pagure.io/freeipa/issue/6353

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-20 15:12:25 +01:00
Florence Blanc-Renaud
55c0a93271 ipatests: fix test_replica_uninstall_deletes_ruvs
test_topology.py is failing because of a wrong scenario.
Currently, test_replica_uninstall_deletes_ruvs does:
- install master + replica with CA
- ipa-replica-manage list-ruv to check that the repl is
propery setup
- ipa-replica-manage del $replica
- (on replica) ipa-server-install --uninstall -U
- ipa-replica-manage list-ruv to check that replica
does not appear any more in the RUV list

When ipa-replica-manage del is run, the topology plugin
creates 2 tasks cleanallruvs (one for the domain, one for the ca)
and they are run asynchronously. This means that the ruvs may
still be present when the test moves forward and calls list-ruv.

The test should wait for the cleanallruvs tasks to finish before
checking that list-ruv does not display replica anymore.

Fixes https://pagure.io/freeipa/issue/7545

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-11-20 13:34:07 +01:00
Christian Heimes
83cdd27f97 Fix comparison-with-callable
Pylint warns about comparing callable. Replace equality with identity
test.

See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 13:37:58 +01:00
Christian Heimes
85286beb5b Address inconsistent-return-statements
Pylint warns about inconsistent return statements when some paths of a
function return None implicitly. Make all implicit returns either
explicit or raise a proper exception.

See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 13:37:58 +01:00
Florence Blanc-Renaud
8b7e17aa16 ipatests: update tests for ipa-server-certinstall
The test test_http_intermediate_ca was expecting success when
it should expect a failure. Scenario:
- install IPA ca-less with certs signed by rootCA
- call ipa-server-certinstall with a cert signed by a subCA
to replace http cert.
In this case, the command should refust changing the cert
(otherwise the clients won't be able any more to use
ipa * commands as the subca is not installed in /etc/ipa/nssdb
or in /etc/ipa/ca.crt).

The commit fixes the test expectation and marks the test as
xfail (see ticket 7759).

The test test_ds_intermediate_ca was expecting success when
it should expect a failure. Same scenario as above, but for
the ldap server cert.

The commit fixes the test expectation and removes the xfail
(ticket 6959 was closed as invalid).

Note:
The behavior differs for ldap and http cert because LDAP server
is using a NSSDB and http server is using openssl, hence
ipa-server-certinstall follows 2 different code paths when
changing the server cert.

Related to https://pagure.io/freeipa/issue/7759
Related to https://pagure.io/freeipa/issue/6959

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 13:04:19 +01:00
Florence Blanc-Renaud
da4c12c3e6 ipatests: add integration test for "Read radius servers" perm
Add a new integration test for the following scenario:
- create a user with the "User Administrator" role
- as this user, create a user with a --radius=<radius_proxy_server>

This scenario was previously failing because ipa user-add --radius
requires read access to the radius server entries, and there was no
permission granting this access.

Related to https://pagure.io/freeipa/issue/7570

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-13 12:40:44 +01:00
Christian Heimes
a606b44f3a Drop dependency on 389-ds-base-legacy-tools
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 12:07:27 +01:00
Stanislav Laznicka
8fb63966cd Use the newer way of removing the DS instance
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 12:07:27 +01:00
Florence Blanc-Renaud
1e6a77a6da ipatests: fix CA less expectations
The test TestServerInstall::test_ca_2_certs has a
wrong expectation. Scenario:
install a CA-less master with
ipa-server-install --ca-cert-file root.pem
where root.pem contains the CA that signed the http and ldap
certificates + an additional (unneeded) CA cert.

The test was expecting a failure, but this scenario is not
problematic as long as the unneeded CA cert is not added.

Related to https://pagure.io/freeipa/issue/6289 which has been
closed as won't fix

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-11-13 10:51:07 +01:00
Rob Crittenden
3e8f550c29 Add tests for ipa-cacert-manage install
Some basic tests like re-loading a certificate, loading a
PKCS#7 cert and bad cert handling.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

https://pagure.io/freeipa/issue/7579

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-11-13 10:44:14 +01:00
Christian Heimes
4cede86673 Speed up test_customized_ds_config_install
Reuse master instance when installing replica with custom DS config.
This avoids one extra ipa-server-install and also tests replica
installation from a master with custom DS config.

See: https://pagure.io/freeipa/issue/7743
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-11-08 17:46:38 +01:00
Christian Heimes
8b0f3595fd Allow ipaapi user to access SSSD's info pipe
For smart card authentication, ipaapi must be able to access to sss-ifp.
During installation and upgrade, the ipaapi user is now added to
[ifp]allowed_uids.

The commit also fixes two related issues:

* The server upgrade code now enables ifp service in sssd.conf. The
  existing code modified sssd.conf but never wrote the changes to disk.
* sssd_enable_service() no longer fails after it has detected an
  unrecognized service.

Fixes: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-11-07 16:28:35 +01:00
Sergey Orlov
324da5c379 ipatests: add test for ipa-advise for enabling sudo for admins group
Test that
1) sudo is not enabled for members of admins group by default
2) sudo is enabled for them after execution of script provided
by ipa-advise enable_admins_sudo

Related to https://pagure.io/freeipa/issue/7538

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-07 13:48:54 +01:00
Fraser Tweedale
4b920df483 Restore KRA clone installation integration test
This Dogtag issue that caused KRA clone installation failure in some
scenarios has been fixed (https://pagure.io/dogtagpki/issue/3055).
This reverts commit 2488813260 and
bumps the pki-core dependency.

Fixes: https://pagure.io/freeipa/issue/7654
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-10-26 21:37:39 +02:00
Christian Heimes
204353e4dc Use tasks.install_master() in external_ca tests
The install_master() function performs additional steps besides just
installing a server. It also sets up log collection and performs
additional tests.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-10-26 20:10:23 +02:00
Florence Blanc-Renaud
fa559808d7 ipatest: add functional test for ipa-backup
The test ensures that ipa-backup compresses the files after the
IPA services are restarted.

Related to: https://pagure.io/freeipa/issue/7632

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-10-26 17:21:07 +02:00
Rob Crittenden
e59ee6099f Fix misleading errors during client install rollback
Some incorrect errors are possible if a client installation
fails and a configuration rollback is required.

These include:

1. Unconfigured automount client failed: CalledProcessError(Command
['/usr/sbin/ipa-client-automount', '--uninstall', '--debug']
returned non-zero exit status 1: '')

Caused by check_client_configuration() not returning the correct
return value (2).

2. WARNING: Unable to revert to the pre-installation state ('authconfig'
tool has been deprecated in favor of 'authselect'). The default sssd
profile will be used instead.
The authconfig arguments would have been: authconfig --disableldap
--disablekrb5 --disablesssdauth --disablemkhomedir

If installation fails before SSSD is configured there is no state
to roll back to. Detect this condition.

3. An error occurred while removing SSSD's cache.Please remove the
cache manually by executing sssctl cache-remove -o.

Again, if SSSD is not configured yet then there is no cache to
remove. Also correct the missing space after the period.

https://pagure.io/freeipa/issue/7729

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-10-26 08:11:03 +02:00
Rob Crittenden
235b5bd643 Remove the authselect profile warning if sssd was not configured.
On a plain uninstall there should not be a bunch of confusing
warning/error messages.

Related to https://pagure.io/freeipa/issue/7729

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-10-26 08:11:03 +02:00
Florence Blanc-Renaud
fbcb79af13 ipatests: fix path in expected error message
The test is putting server.p12 / replica.p12 in the test_dir directory,
and the error message is printing the file name with its full path.

Related to https://pagure.io/freeipa/issue/5378

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-10-17 15:51:10 +02:00
Rob Crittenden
5466eca048 Remove tests which install KRA on replica w/o KRA on master
The KRA installation code explicity quits if trying to
install a KRA during a replica installation if there is not
already a KRA in the topology.

A KRA can be added afterward.

https://pagure.io/freeipa/issue/7651

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-10-16 11:16:41 +02:00
Florence Blanc-Renaud
f6793043ec ipatests: mark known failures as xfail
Commit 5dbcc1a9d3 marked
the base class method test_replica0_with_ca_kra_dns_install
as known failure, but this does not work with inherited
classes. The child class methods need to be marked
themselves as known failures with @pytest.mark.xfail

Furthermore, TestInstallWithCA_KRA2 and TestInstallWithCA_KRA_DNS2
tests should succeed because the master is installed with KRA
(issue 7651 is related to replica install with --setup-kra
when it is the first KRA instance).

Related to https://pagure.io/freeipa/issue/7651

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-10-10 11:32:26 +02:00
Florence Blanc-Renaud
6650d1b563 ipa tests: CA less
Remove the annotation pytest.mark.xfail as issue 5378 has been fixed.

Related to https://pagure.io/freeipa/issue/5378

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-10-09 14:53:56 +02:00
Florence Blanc-Renaud
4f04e91be2 ipatests: remove TestReplicaManageDel (dl0)
TestReplicaManageDel is a test using domain level 0
but we do not support it any more. Remove the test.

Related to https://pagure.io/freeipa/issue/7689

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-10-05 08:59:34 -04:00
Fraser Tweedale
a2ad417490 Fix writing certificate chain to file
An client-side error occurs when cert commands are instructed to
write the certificate chain (--chain option) to a file
(--certificate-out option).  This regression was introduced in the
'cert' plugin in commit 5a44ca6383,
and reflected in the 'ca' plugin in commit
c7064494e5.

The server behaviour did not change; rather the client did not
correctly handle the DER-encoded certificates in the
'certificate_chain' response field.  Fix the issue by treating the
'certificate' field as base-64 encoded DER, and the
'certificate_chain' field as an array of raw DER certificates.

Add tests for checking that the relevant commands succeed and write
PEM data to the file (both with and without --chain).

Fixes: https://pagure.io/freeipa/issue/7700
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-10-02 10:18:32 +02:00
Florence Blanc-Renaud
5dbcc1a9d3 ipatests: mark known failure for installation_TestInstallWithCA2
The test TestInstallWithCA2 and TestInstallWithCA_DNS2 fail in
test_replica0_with_ca_kra_dns_install because they both try to
install a (first instance of) KRA.

This is a known issue, thus marking as xfail.

Related to https://pagure.io/freeipa/issue/7651

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-09-28 10:27:18 +02:00
Christian Heimes
61156b0a50 Py3: Replace six.text_type with str
On Python 3, six.text_type (singular) is an alias for str.

See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-09-27 16:11:18 +02:00
Christian Heimes
b431e9b684 Py3: Remove subclassing from object
Python 2 had old style and new style classes. Python 3 has only new
style classes. There is no point to subclass from object any more.

See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-09-27 11:49:04 +02:00
Christian Heimes
4a58adf79e Sprinkle raw strings across the code base
tox / pytest is complaining about lots and lots of invalid escape
sequences in our code base. Sprinkle raw strings or backslash escapes
across the code base to fix most occurences of:

  DeprecationWarning: invalid escape sequence

There is still one warning that keeps repeating, though:

  source:264: DeprecationWarning: invalid escape sequence \d

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-09-27 10:23:03 +02:00
Florence Blanc-Renaud
2488813260 ipatests: mark known failures as xfail
The tests in test_integration/test_installation.py
that inherit from InstallTestBase2 all fail in
test_replica2_ipa_kra_install because of ticket
7654: ipa-kra-install fails on DL1

This is an issue linked to dogtag (see
https://pagure.io/dogtagpki/issue/3055), where the
installation of a KRA clone creates a range depletion
when multiple clones are created from the same master.

Marking the tests as known failure, waiting for dogtag's
fix.

Related to https://pagure.io/freeipa/issue/7654

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-09-24 08:42:40 +02:00
Rob Crittenden
2064c72bfb Fix uninstallation test, use different method to stop dirsrv
The API may not be initialized so using ds.is_running() may fail.
Call systemctl directly to ensure the dirsrv instance is stopped.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
2018-09-21 10:21:14 +02:00
Florence Blanc-Renaud
1a7e4b0ec1 tests: add test for uninstall with incomplete sysrestore.state
Add a test that performs client uninstallation when sysrestore.state
contains the header for the [authselect] section but does not
contain a value for profile and features.

Related to https://pagure.io/freeipa/issue/7657

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-09-19 10:18:45 +02:00
Thomas Woerner
b689ba7e10 Remove DL0 specific code from ipatests/test_integration/test_caless.py
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-09-12 13:11:21 +02:00
Thomas Woerner
fca1167af4 Remove DL0 specific tests from ipatests/test_integration/test_replica_promotion.py
These tests have been skipped already before. Therefore they can be removed.

See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-09-12 13:11:21 +02:00
Armando Neto
c049992c6f Add test for client installation with empty keytab file
Missing test case for cf1301fb06.

https://pagure.io/freeipa/issue/7625

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-09-06 17:40:58 +02:00
Florence Blanc-Renaud
b2ce20c6a7 Test: scenario replica install/uninstall should restore ssl.conf
Test that the scenario ipa-replica-install/ uninstall correctly
restores the file /etc/httpd/conf.d/ssl.conf

Related to https://pagure.io/freeipa/issue/7684

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-09-06 17:32:48 +02:00
Michal Reznik
31a92c1677
tests: sssd_ssh fd leaks when user cert converted into SSH key
https://pagure.io/freeipa/issue/7687

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-09-06 13:49:34 +02:00
Florence Blanc-Renaud
bcfd18f336 Tests: test successful PKINIT install on replica
Add a test checking that ipa-replica-install successfully configures
PKINIT on the replica

Related to https://pagure.io/freeipa/issue/7566

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-09-06 11:49:53 +02:00
Florence Blanc-Renaud
739ddce653
tests: add test for server install with --no-dnssec-validation
Add 2 tests related to the checks performed by ipa-server-install
when --forwarder is specified:
- if the forwarder is not reachable and we require dnssec validation,
the installer must refuse to go on and exit on error.
- if the forwarder is not reachable but --no-dnssec-validation is
provided, the installer must continue.

Related to https://pagure.io/freeipa/issue/7666

Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-09-03 13:56:39 +02:00
Pavel Picka
ad85cc8eae
PRCI failures fix
test_installation.py
- ticket 7008 closed so removing xfail
  - TestInstallWithCA1
  - TestInstallWithCA
  - TestInstallWithCA_DNS1
  - TestInstallWithCA_DNS2

nightly_master
- test_backup_and_restore_TestUser[r>R]ootFilesOwnership[Permission]

Signed-off-by: Pavel Picka <ppicka@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
2018-08-28 10:32:30 +02:00
Mohammad Rizwan Yusuf
f0c3a35928 Test if WSGI worker process count is set to 4
related ticket : https://pagure.io/freeipa/issue/7587

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-08-27 14:31:32 -04:00
Michal Reznik
6a1409ec9d
test: client uninstall fails when installed using non-existing hostname
https://pagure.io/freeipa/issue/7620

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-08-23 08:21:22 +02:00
Mohammad Rizwan Yusuf
51240f3558
Check if user permssions and umask 0022 is set when executing ipa-restore
This test checks if the access rights for user/group
is set to 644 on /var/lib/dirsrv/slapd-TESTRELM-TEST/ldif/*
and umask 0022 set while restoring.

related ticket: https://pagure.io/freeipa/issue/6844

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-08-16 14:23:32 +02:00
Tibor Dudlák
89799a14ce Add assert to check output of upgrade
Ckeck the output of ipa-server-upgrade script for error.

Related to: https://pagure.io/freeipa/issue/7644

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-08-16 12:45:00 +02:00
Christian Heimes
13000e2f19 Disable DL0 specific tests
Disable tests that use domain level 0. Fail early to catch additional
tests that depend on DL0.

See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2018-08-13 18:49:05 +02:00
Thomas Woerner
c5cdd5a5f0 ipaclient: Remove --no-sssd and --no-ac options
Client installation with --no-sssd option has already beeen deprecated
with https://pagure.io/freeipa/issue/5860. Authconfig support has been
removed, therefore --no-ac option can be removed also.

ipatests/test_integration/test_authselect.py: Skip no_sssd and no_ac tests.

See: https://pagure.io/freeipa/issue/7671
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-08-13 12:23:53 +02:00
Michal Reznik
0aeccc0852
ipa_tests: test ssh keys login
Integration test for:

https://pagure.io/SSSD/sssd/issue/3747

IPA ticket: https://pagure.io/freeipa/issue/7664

Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-08-10 17:01:45 +02:00
Florence Blanc-Renaud
c1a0c3c556
Tests: add integration test for password changes by dir mgr
Add a test for issue 7601:
- add a user, perform kinit user to modify the password, read krblastpwdchange
and krbpasswordexpiration.
- perform a ldapmodify on the password as dir mgr
- make sure that krblastpwdchange and krbpasswordexpiration have been modified
- perform the same check with ldappasswd

Related to:
https://pagure.io/freeipa/issue/7601

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2018-08-06 16:51:56 +02:00
Christian Heimes
6414509343
Rename pytest_plugins to ipatests.pytest_ipa
pytest 3.7.0 doesn't like ipatests.pytest_plugins package. The string
"pytest_plugins" is used as marker to load plugins. By populare vote and
to avoid future conflicts, we decided to rename the directory to pytest_ipa.

Fixes: https://pagure.io/freeipa/issue/7663
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-08-02 17:07:43 +02:00
Ganna Kaihorodova
fd34877370 Add check for occuring traceback during uninstallation ipa master
Modified master uninstall task for traceback check
That approach give us wide coverage and multiple scenarious
to catch traceback during uninstallation process
Add verbose option to uninstall server and set to False

Related to: https://bugzilla.redhat.com/show_bug.cgi?id=1480502

Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-07-20 13:03:59 -04:00
Armando Neto
717d59e2fe Fix regression: Handle unicode where str is expected
Regression caused by 947ac4bc1f when
trying to fix a similar issue for clients running Python 3. However,
that fix broke Python 2 clients.

Issue: https://pagure.io/freeipa/issue/7626

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-07-18 09:53:53 +02:00
Michal Reznik
4edcf8e53c Mark DL0 TestReplicaManageDel tests as xfail
Mark failing DL0 TestReplicaManageDel tests as xfail until
issue 7622 is fixed.

https://pagure.io/freeipa/issue/7622

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-07-17 15:14:48 +02:00
Christian Heimes
87904b8f6b Fix ipa console filename
THe ipa console command takes an optional filename argument. The
filename argument was broken, because the implementation passed a file
object to exec() instead of a string or compiled object.

ipa console now uses compile() to compile the code with print_function
__future__ feature.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-07-12 18:19:34 +02:00
Christian Heimes
ec65590c9f Fix XPASS in test_installation
Several test cases in test_installation pass, but are marked as xfail().
Only mark the actual failing tests as failed.

See: https://pagure.io/freeipa/issue/7613
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
2018-07-11 10:50:33 +02:00
Christian Heimes
0c1010d6f7 Mark all expected failures as strict
With strict=True, xfail() fails when the test case passes unexpectably.
This allows us to spot passing tests that are expected to fail.

Fixes: https://pagure.io/freeipa/issue/7613
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
2018-07-11 10:50:33 +02:00
Christian Heimes
2b669c52a5 Wait for client certificates
ipa-client-install --request-cert now waits until certmonger has
provided a host certificate. In case of an error, ipa-client-install no
longer pretents to success but fails with an error code.

The --request-cert option also ensures that certmonger is enabled and
running.

See: Fixes: https://pagure.io/freeipa/issue/7623
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-07-09 20:15:18 +02:00
Christian Heimes
811b0fdb46 Tune DS replication settings
Tune 389-DS replication settings to improve performance and avoid
timeouts. During installation of a replica, the value of
nsDS5ReplicaBindDnGroupCheckInterval is reduced to 2 seconds. At the end
of the installation, the value is increased sensible production
settings. This avoids long delays during replication.

See: https://pagure.io/freeipa/issue/7617
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-07-09 18:20:17 +02:00
Armando Neto
e8d33ccfd1 ipa-server-install: fix zonemgr argument validator
Fix `ERROR 'str' object has no attribute 'decode'` when --zonemgr is
passed to ipa-server-install.

Solution copied from commit 75d26e1f01,
function `ipaserver.install.bindinstance.zonemgr_callback` duplicates
the behavior of the method affected by this patch.

Issue: https://pagure.io/freeipa/issue/7612

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-07-05 23:09:27 +02:00
Christian Heimes
6896c90eb2 Extend Sub CA replication test
Test more scenarios like replication replica -> master. Verify that master
and replica have all expected certs with correct trust flags and all keys.

See: https://pagure.io/freeipa/issue/7590
See: https://pagure.io/freeipa/issue/7589
Fixes: https://pagure.io/freeipa/issue/7611
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-07-04 09:32:54 +02:00
Nikhil Dehadrai
dcaa62f6a4 Test for improved Custodia key distribution
The test checks that custodia keys are properly
replicated from the source and are successfully
distributed amongst peer system upon successful
replica installation.

Fixes: https://pagure.io/freeipa/issue/7518

Signed-off-by: Nikhil Dehadrai <ndehadra@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-07-03 11:04:50 -04:00
Justin Stephenson
00dceb434d Skip zone overlap check with auto-reverse
Skip the existing reverse zone overlap check during DNS installation
when both --auto-reverse and --allow-zone-overlap arguments are
provided.

https://pagure.io/freeipa/issue/7239

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-07-03 09:37:27 -04:00
Rob Crittenden
627cb490d2 Extend CALessBase::installer_server to accept extra_args
Allow callers to pass abitrary extra arguments to the installer.

This is useful when using a CALess installation in order to
speed up tests that require a full install but do not require
a full PKI.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-07-03 09:37:27 -04:00
Anuja More
0128b3f92e
Test for ipa-client-install should not use hardcoded admin principal
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-06-29 10:31:50 +02:00
Florence Blanc-Renaud
7bf99e8dc5 Add test for ticket 7604: ipa-client-install --mkhomedir doesn't enable oddjobd
Add a test checking that ipa-client-install --mkhomedir
is properly enableing/starting oddjobd.

Related to:
https://pagure.io/freeipa/issue/7604

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-06-28 11:41:17 +02:00
Mohammad Rizwan Yusuf
e90d90c5c3
Check if issuer DN is updated after self-signed > external-ca
This test checks if issuer DN is updated properly after CA is
renewed from self-signed to external-ca

related ticket: https://pagure.io/freeipa/issue/7316

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>

Replaced hardcoded issuer CN for external ca with constant

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-06-25 10:37:58 +02:00
Christian Heimes
3a8f0bb16b Remove restarted_named and xfail
With shorter TTL, several named restarts are no longer necessary to make
tests pass. The test case TestZoneSigningWithoutNamedRestart is no
longer relevant, too.

Modification of the root zone and disabling/enabling signing still seems
to need a restart. I have marked those cases as TODO.

See: https://pagure.io/freeipa/issue/5348
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-06-21 15:54:49 +02:00
Christian Heimes
dae4aac912 Tests: Set default TTL for DNS zones to 1 sec
When running IPA tests, a default TTL for the zone should be set
very low to allow get rid of timeouts in the tests. Zone updates should
be propagated to the clients as soon as possible.

This is not something that should be used in production so the change is
done purely at install time within the tests. As zone information is
replicated, we only modify it when creating a master with integrated
DNS.

This change should fix a number of DNSSEC-related tests where default
TTL is longer than what a test expects and a change of DNSSEC keys
never gets noticed by the BIND. As result, DNSSEC tests never match
their expected output with what they received from the BIND.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Co-authored-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-06-21 15:54:49 +02:00
Tomas Krizek
6fb45d2f56 test_dnssec: re-add named-pkcs11 workarounds
DNSSEC tests starrted to fail again, probably due to a bug in
some underlaying component.

This reverts commit 8bc6775122
and makes the xfail test check less strict - it will no longer
mark the test suite red if it passes.

Run DNSSEC tests on PR-CI

Co-authored-by: Felipe Barreto <fbarreto@redhat.com>
Related https://pagure.io/freeipa/issue/5348

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-06-21 15:54:49 +02:00
Ganna Kaihorodova
84ae625fe2 check nsds5ReplicaReleaseTimeout option was set
Check for nsds5ReplicaReleaseTimeout option was set

relates to: https://pagure.io/freeipa/issue/7488

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-06-20 12:42:51 +02:00
Anuja More
9ead70844e Test that host can remove there own services
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-06-20 10:06:39 +02:00
Florence Blanc-Renaud
eda831dba1 Installer: configure authselect with-sudo
authselect needs to be configured with the 'with-sudo' feature (except
when ipa-client-install is called with the option --no-sudo).

https://pagure.io/freeipa/issue/7562

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-19 08:51:02 +02:00
Anuja More
4f4835a724
Test for ipa-replica-install fails with PIN error for CA-less env.
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Aleksei Slaikovskii <aslaikov@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-06-18 14:53:32 +02:00
Aleksei Slaikovskii
283987c1df Revert "Fixing TestBackupAndRestore::test_full_backup_and_restore_with_removed_users"
This reverts commit 415578a199.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-06-11 10:48:40 +02:00
Rob Crittenden
f976f6cfd8 Use replace instead of add to set new default ipaSELinuxUserMapOrder
The add was in effect replacing whatever data was already there
causing any custom order to be lost on each run of
ipa-server-upgrade.

https://pagure.io/freeipa/issue/6610

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-06-08 10:49:18 +02:00
Felipe Barreto
f03df5fe41
Adding xfail to failing tests
The tests listed below are failing and we do not have time to debug them
and understand why. Adding xfail to keep it green.

TestInstallDNSSECLast::test_disable_reenable_signing_master
TestInstallDNSSECLast::test_disable_reenable_signing_replica
TestInstallDNSSECFirst::test_chain_of_trust

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-06-07 17:27:38 +02:00
Mohammad Rizwan Yusuf
4274b361fe Test to check second replica installation after master restore
When master is restored from backup and replica1 is re-initialize,
second replica installation was failing. The issue was with ipa-backup
tool which was not backing up the /etc/ipa/custodia/custodia.conf and
/etc/ipa/custodia/server.keys.

    related ticket: https://pagure.io/freeipa/issue/7247

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-05-31 12:18:34 +02:00
Rob Crittenden
59b3eb0433 Add tests for ipa-restore with DM password validation check
ipa-restore should validate the DM password before executing
the restoration. This adds two test cases:

1. Restore with a bad DM password
2. Restore with dirsrv down so password cannot be checked

Related: https://pagure.io/freeipa/issue/7136

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-05-30 08:53:12 +02:00
Florence Blanc-Renaud
1d70ce850e Test for 7526
Add a test for issue 7526: install a client with a bulk enrollment
password, enrolling to an externally-signed CA master.
Without the fix, the master does not publish the whole cert chain
in /usr/share/ipa/html/ca.crt. As the client installer downloads the
cert from this location, client installation fails.
With the fix, the whole cert chain is available and client installation
succeeds.
The test_external_ca.py::TestExternalCA now requires 1 replica and 1
client, updated .freeipa-pr-ci.yaml accordingly.

Also removed the annotation @tasks.collect_logs from test_external_ca
as it messes with test ordering (and the test collects logs even
without this annotation).

Related to:
https://pagure.io/freeipa/issue/7526

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-28 21:25:47 +02:00
Rob Crittenden
7c5ecb8d08 Rename test class for testing simple commands, add test
The concensus in the review was that the name test_commands was
more generic than test_ipa_cli.

Add a test to change the password for sysaccount users using
using ldappasswd to confirm that a segfault fix does not regress.

https://pagure.io/freeipa/issue/7561

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-27 16:08:21 +02:00
Christian Heimes
1e5c3d7c6a Reproducer for issue 5923 (bytes in error response)
Error response used to contain bytes instead of text, which triggered an
exception.

See: https://pagure.io/freeipa/issue/5923
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-05-25 16:26:14 +02:00
amitkumar50
d4f2f53eb2 ipa-advise: remove plugin config-fedora-authconfig
ipa-advise config-fedora-authconfig produces a script with authconfig
instructions for configuring Fedora 18/19 client with IPA server
without use of SSSD. Fedora 18 and 19 are not supported any more,
so the plugin could be removed.

Resolves: https://pagure.io/freeipa/issue/7533
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-05-21 14:32:38 -04:00
Petr Vobornik
60e992ca56 Fix test_server_del::TestLastServices
The reason why the test started to fail is probably commit be3ad1e where the checks
were reordered. TestLastServices relies on execution of tests in a specific order.
So it fails given that checks were changed but tests weren't.

Given that master is installed with DNS and CA and replica with anything and given
that checks in server-del command are in order: DNS, DNSSec, CA, KRA then the test
should be something like:
* install master (with DNS, CA)
* install replica
* test test_removal_of_master_raises_error_about_last_dns
* test_install_dns_on_replica1_and_dnssec_on_master (installing DNS and
  DNSSec will allow DNSSec check)
* test_removal_of_master_raises_error_about_dnssec
* test_disable_dnssec_on_master (will allow CA check)
* test_removal_of_master_raises_error_about_last_ca
* test_forced_removal_of_master

https://pagure.io/freeipa/issue/7517

Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-05-15 14:15:34 -04:00
Felipe Barreto
8a8b641c72 Fixing TestCASpecificRUVs::test_replica_uninstall_deletes_ruvs
This test will setup a master and a replica, uninstall replica and check
for the replica RUVs on the master. It was missing the step of running
ipa-replica-manage del <replica hostname> to properly remove the RUVs.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-10 16:52:42 -03:00
Stanislav Laznicka
392f44a38a
mod_ssl: add SSLVerifyDepth for external CA installs
mod_ssl's limiting of client cert verification depth was causing
the replica installs to fail when master had been installed with
external CA since the SSLCACertificateFile was pointing to a file
with more than one certificate. This is caused by the default
SSLVerifyDepth value of 1. We set it to 5 as that should be
just about enough even for possible sub-CAs.

https://pagure.io/freeipa/issue/7530

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-10 10:03:02 +02:00
Florence Blanc-Renaud
63a5feb19f authselect test: skip test if authselect is not available
Currently, the test is skipped if the platform is fedora-like. The
decision to skip should rather be based on authselect command
availability (i.e. when ipaplatform.paths.paths.AUTHSELECT is None).

Related to
https://pagure.io/freeipa/issue/7377

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-05-03 16:39:58 +02:00
Christian Heimes
606af69bbd Make ipatests' create_external_ca a script
The test helper create_external_ca is useful to create an external root
CA and sign ipa.csr for external CA testing. I also moved the file into
ipatests top package to make the import shorter and to avoid an import
warning.

Usage:

   ipa-server-install --external-ca ...
   python3 -m ipatests.create_external_ca
   ipa-server-install --external-cert-file=/tmp/rootca.pem \
       --external-cert-file=/tmp/ipaca.pem

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-05-03 08:36:51 +02:00
Christian Heimes
c925b44f43 Load certificate files as binary data
In Python 3, cryptography requires certificate data to be binary. Even
PEM encoded files are treated as binary content.

certmap-match and cert-find were loading certificates as text files. A
new BinaryFile type loads files as binary content.

Fixes: https://pagure.io/freeipa/issue/7520
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-04-30 20:42:00 +02:00
Stanislav Laznicka
d5e5bd501c Add absolute_import to test_authselect
This is to keep backward compatibility with Python 2

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-04-30 11:04:35 +02:00
Anuja More
51b9a82f7c Adding test-cases for ipa-cacert-manage
Scenario1:	Setup external CA1 and install ipa-server with CA1.
     		Setup exteranal CA2 and renew ipa-server with CA2.
		Get information to compare CA change for ca1 and CA2
     		it should show different Issuer between install
		and renewal.

Scenario2:	Renew CA Cert on Replica using ipa-cacert-manage
		verify that replica is caRenewalMaster

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-04-27 18:06:36 +02:00
Florence Blanc-Renaud
c36bd38360 New tests for authselect migration
Add new test for client and server installation when authselect tool
is used instead of authconfig

Related to
https://pagure.io/freeipa/issue/7377

Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-04-27 14:01:33 +02:00
Felipe Barreto
415578a199 Fixing TestBackupAndRestore::test_full_backup_and_restore_with_removed_users
The test as it was, was testing the backup and restore based on previous
backups and restore, not with an actual installation.

Now, with a clear setup for each test, the test mentioned above will not
fail to do a lookup (using the host command, in check_dns method) for
the master domain.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-04-25 15:53:58 -03:00
Ganna Kaihorodova
5165afd501 Fix trust tests for Posix Support
Test ecxpects auto-detection of trust type, Windows Server 2016 doesn't have
support for MFU/NIS (SFU - Services for Unix), so auto detection doesn't work
Fix is to pass extra arguments to the trust-add command,
such as --range-type="ipa-ad-trust-posix" to enforce a particular range type

https://pagure.io/freeipa/issue/7508

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-04-25 11:52:32 +02:00
Anuja More
6c4635e779 Adding test-cases for ipa-cacert-manage
File     :  ipatests/test_integration/test_external_ca.py

    Scenario1:  Manual renew external CA cert with invalid file
                when ipa-server is installed with external-ca
                and renew with invalid cert file the renewal
                should fail.

    Scenario2:  install CA cert manually
                Install ipa-server. Create rootCA, using
                ipa-cacert-manage install option install
                new cert from RootCA

Signed-off-by: Anuja More <amore@redhat.com>

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-04-24 11:20:08 +02:00
Rob Crittenden
4919bd9dae Remove xfail from CALes test test_http_intermediate_ca
The full chain is not required by mod_ssl.

https://pagure.io/freeipa/issue/7489

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
2018-04-20 08:51:37 -04:00
Rob Crittenden
3384147ca1 Some PKCS#12 errors are reported with full path names
This is related to change in certutil which does a cwd
to the location of the NSS database. certutil is used as part
of loading a PKCS#12 file to do validation.

https://pagure.io/freeipa/issue/7489

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
2018-04-20 08:51:37 -04:00
Stanislav Laznicka
b5bdd07bc5
Add absolute_import future imports
Add absolute_import from __future__ so that pylint
does not fail and to achieve python3 behavior in
python2.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-04-20 09:43:37 +02:00
Ganna Kaihorodova
d4dd2b1ccb
Fix for integration tests dns_locations
Delete code related to NTP checks.
As we migrated to chronyd and IPA server is not NTP server anymore

https://pagure.io/freeipa/issue/7499

Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-04-18 09:31:02 +02:00
Christian Heimes
1b320ac3e7 Remove os.chdir() from test_ipap11helper
test_ipap11helper no longer changes directory for the entire test suite.
The fix revealed a bug in another test suite. test_secrets now uses a
proper temporary directory.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-10 17:35:17 +02:00
Rob Crittenden
7b546ffedb
Break out of teardown in test_replica_promotion.py if no config
These tests are all skipped if there is no YAML configuration
file passed but the teardown method is always called and since
there is a reference to the Config object this blows up if just
ipa-run-tests is executed.

Look at the config and break out if no domains are set.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-04-09 15:23:41 +02:00
Petr Vobornik
7b1b0b35ea Fix order of commands in test for removing topology segments
test_topology_updated_on_replica_install_remove from the beginning used
invalid sequence of commands for removing a replica.

Proper order is:
  master$ ipa server-del $REPLICA
  replica$ ipa-server-install --uninstall

Alternatively usage of `ipa-replica-manage del $replica` instead of
`ipa server-del $replica` is possible. In essence ipa-replica-manage
calls the server-del command.

At some point there  was a plan to achieve uninstalation only through
`ipa-server-install --uninstall` but that was never achieved to this
date.

This change also removes the ugly wrapper which makes test collection
fail if no environment config is provided (i.e. replicas cannot be
indexed).
  $ pytest --collect-test ipatests/test_integration

https://pagure.io/freeipa/issue/6250

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-09 09:02:40 +02:00
Felipe Barreto
a947695ab0 Fix TestSubCAkeyReplication providing the right path to pki log
The pki debug log has its name in this format: debug.<date>.log. This commit
changes the code to use this format, fixing the test.

Unfortunately, it's not possible to use some kind of regex (like debug.*.log)
to get the file, because python multihost gets the path and tries to open
(using the "open" python function) the file with that.

https://pagure.io/freeipa/issue/7095

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-04-03 14:20:18 +02:00
Felipe Barreto
e7c4f77d0d Adding right parameters to install IPA in TestInstallMasterReservedIPasForwarder
When installing ipa in interactive mode, it's necessary to provide the
hostname. This will make the test pass.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-03 08:10:01 +02:00
Ganna Kaihorodova
518e3578d1 Fix for test TestInstallMasterReservedIPasForwarder
Second check in test is failing, because it accepts default installer's values of domain, which is already used for lab machines.
IPA DNS domain must not exist before the installation, fix is to provide domain name derived from vm name.

Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
2018-03-20 10:44:22 +01:00
Rob Crittenden
68c7b03689 Return a value if exceptions are raised in server uninstall
The AdminTool class purports to "call sys.exit() with the return
value" but most of the run implementations returned no value, or
the methods they called returned nothing so there was nothing to
return, so this was a no-op.

The fix is to capture and bubble up the return values which will
return 1 if any exceptions are caught.

This potentially affects other users in that when executing the
steps of an installer or uninstaller the highest return code
will be the exit value of that installer.

Don't use the Continuous class because it doesn't add any
value and makes catching the exceptions more difficult.

https://pagure.io/freeipa/issue/7330

Signed-off-by: Rob Crittenden rcritten@redhat.com
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-03-19 17:38:41 +01:00
Felipe Barreto
2c05e42af6 Fixing cleanup process in test_caless
After commit bbe615e12c278f9cddaeb38e80b970bf14d9b32d, if the uninstall
process fails (in the test cleanup) the error is not hidden anymore.

That brought light to errors in the cleanup process on
TestReplicaInstall test, like this:
```
RUN ['ipa-server-install', '--uninstall', '-U']
ipapython.admintool: ERROR    Server removal aborted:
Replication topology in suffix 'domain' is disconnected:
Topology does not allow server master.ipa.test to replicate with servers:
    replica0.ipa.test.
ipapython.admintool: ERROR    The ipa-server-install command failed
```

This commit changes the order of how a replica should be removed from
the topology.

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-03-14 12:28:16 +01:00
Michal Reznik
5a04936f47 test_caless: adjust try/except to capture also IOError
While testing on RHEL we are getting IOError instead of OSError.
Add also IOError to except clause.

This is mostly for compatibility reasons however should not cause
any issue as IOError is alias for OSError on Python3.

https://pagure.io/freeipa/issue/7439

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-03-14 12:26:42 +01:00
Michal Reznik
317c20e9dc
ipa_tests: test signing request with subca on replica
test to verify that replica is able to sign a certificate with
new sub CA.

https://pagure.io/freeipa/issue/7387

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-03-13 10:37:30 +01:00
Ganna Kaihorodova
9797309ef9
Overide trust methods for integration tests
Overide trust method test_establish_trust_with_posix_attributes to test_establish_trust.
Windows Server 2016 doesn't have support for MFU/NIS, so autodetection is not working

https://pagure.io/freeipa/issue/7313

Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
2018-03-08 09:05:01 +01:00
Michal Reznik
2a50a7daf0 tests: ca-less to ca-full - remove certupdate
After commits 8960141 and 97942a7 we do not need to run
ipa-certupdate command anymore when switching to ca-full.

This patch removes the above mentioned commands in order to
properly test the scenario.

https://pagure.io/freeipa/issue/7309

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-02-26 10:11:33 +01:00
Florence Blanc-Renaud
d647072642
ACI: grant access to admins group instead of admin user
The ACI needed for staged users and deleted users were granted
only to the uid=admin user. They should rather be granted to
cn=admins group, to make sure that all members of the admins
group are able to call the command ipa user-del --preserve.

This commit also adds integration test for non-regression.

https://pagure.io/freeipa/issue/7342

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-19 15:51:44 +01:00
Aleksei Slaikovskii
86a6fdcc43 test_backup_and_restore.py Fix logging
Use strings to log in restore_checker and backup functions.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-02-14 14:26:27 +01:00
Mohammad Rizwan Yusuf
80585f5c56 Before the fix, when ipa-backup was called for the first time, the LDAP database exported to /var/lib/dirsrv/slapd-<instance>/ldif/<instance>-userRoot.ldif. db2ldif is called for this and it runs under root, hence files were owned by root.
When ipa-backup called the next time, the db2ldif fails,
because the tool does not have permissions to write to the ldif
file which was owned by root (instead of dirsrv)

This test check if files are owned by dirsrv and db2ldif doesn't
fails

related ticket: https://pagure.io/freeipa/issue/7010

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-02-14 10:17:17 +01:00
Aleksei Slaikovskii
93b7c40158 Enable and start oddjobd after ipa-restore if it's not running.
If after ipa-restore the service oddjobd is not running,
domain-level1 replica installation will fail during
ipa-replica-conncheck because this step is using oddjob
to start the process ipa-replica-conncheck on the master.

This patch fixes it. Also added regression test.

https://pagure.io/freeipa/issue/7234

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2018-02-09 09:44:11 +01:00
Rob Crittenden
8821f7ae8e Fix detection of KRA installation so upgrades can succeed
Use is_installed() instead of is_configured() because
is_installed() does a config file check to see if the service
is in use.

https://pagure.io/freeipa/issue/7389

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2018-02-08 09:39:18 +01:00
Christian Heimes
2391c75e3d Replace hard-coded paths with path constants
Several run() calls used hard-coded paths rather than pre-defined paths
from ipaplatform.paths. The patch fixes all places that I was able to
find with a simple search.

The fix simplifies Darix's port of freeIPA on openSuSE.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-08 09:32:12 +01:00
Michal Reznik
e5a508a749 ipa_tests: test subca key replication
Test if key replication is not failing.

https://pagure.io/freeipa/issue/7387

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-02-07 20:02:53 +01:00
Felipe Barreto
d945583cc7 Make IntegrationTest fail if an error happened during uninstall
Before this change, if the uninstall process fails, the test would not fail, due
to the raiseonerr=False.

It's necessary to remove the uninstall call in CALessBase because in
TestIntegration there is another uninstall call. So, without the
raiseonerr=False, it would make the uninstall process fail, since the master is
already uninstalled.

https://pagure.io/freeipa/issue/7357

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-02-07 13:24:46 +01:00
Mohammad Rizwan Yusuf
1ad27076a5 Updated the TestExternalCA with the functions introduced for the steps of external CA installation.
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-06 12:16:14 +01:00
Mohammad Rizwan Yusuf
f1f180985f When the dirsrv service, which gets started during the first ipa-server-install --external-ca phase, is not running when the second phase is run with --external-cert-file options, the ipa-server-install command fail.
This test checks if second phase installs successfully when dirsrv
is stoped.

related ticket: https://pagure.io/freeipa/issue/6611

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-06 12:16:14 +01:00
Mohammad Rizwan Yusuf
9c208ea14d
IANA reserved IP address can not be used as a forwarder. This test checks if ipa server installation throws an error when 0.0.0.0 is specified as forwarder IP address.
related ticket: https://pagure.io/freeipa/issue/6894

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-01-31 16:13:50 +01:00
Florence Blanc-Renaud
86a78ca244 test_integration: backup custodia conf and keys
Add an integration test for issue 7247 (ipa-backup does not backup
Custodia keys and files)
The test performs backup / uninstall / check custodia files were removed /
restore and check that the custodia conf and keys files are restored.

related ticket https://pagure.io/freeipa/issue/7247

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-01-29 11:19:56 +01:00
Felipe Barreto
cd660d1922
Fixing test_backup_and_restore assert to do not rely on the order
Since we cannot assume that LDAP will return data in any ordered way,
the test should be changed to do not rely on that.

Instead of just comparing the output of the show-user command, this change
first order the groups returned in the 'Member of Group' field before
compare them.

https://pagure.io/freeipa/issue/7339

Reviewed-By: Aleksei Slaikovskii <aslaikov@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-01-17 16:01:13 +01:00
Michal Reznik
3bdac1a84d tests: move CA related modules to pytest_plugins
Till now both create_caless_pki.py and create_external_ca.py were
stored in test_integration folder. However when trying to import
e.g. "from create_external_ca import ExternalCA" from tasks.py
where all other integration test`s support functions lives we get
"AttributeError: module 'pytest' has no attribute 'config' as pytest
was not completely initialized at the moment of the import.

https://pagure.io/freeipa/issue/7302

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-01-09 10:17:01 +01:00
Michal Reznik
ad996d79c6 test_external_ca: selfsigned->ext_ca->selfsigned
Add selfsigned > external_ca > selfsigned test case.

Covers Pagure issue #7106

https://pagure.io/freeipa/issue/7302

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-01-09 10:17:01 +01:00
Michal Reznik
434d7d423c test_caless: test PKINIT install and anchor update
Add test case for installing PKINIT and anchor update when using
3rd party CA after caless installation. Related to #6831 issue.

https://pagure.io/freeipa/issue/7233

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-01-09 09:37:24 +01:00
Michal Reznik
dbb7784b90 test_renewal_master: add ipa csreplica-manage test
Add test case for setting renewal master using command
ipa-csreplica-manage.

Automation related to upstream ticket #7120. Testing using
config-mod already covered.

https://pagure.io/freeipa/issue/7321

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-01-09 09:36:33 +01:00
Felipe Barreto
f5c01c5e86 Fixing test_testconfig with proper asserts
When the cls in env_config.py is a WinHost, the __init__ receives different
parameters. Now, it's adapted to all different kinds of hosts.

Also, it's necessary to add the host_type field to most of domains created
in the test classes, because the field is returned by pytest_multihost.Config
in pytest_plugins/integration/config.py::Config::to_dict

https://pagure.io/freeipa/issue/7346

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-01-09 08:03:49 +01:00
Aleksei Slaikovskii
a70dcb1e18 test_backup_and_restore.py AssertionError fix
prefix in the backup function expects output to have
'ipa.ipaserver.install.ipa_backup.Backup:' and it's wrong. The right
one is 'ipaserver.install.ipa_backup:'.

https://pagure.io/freeipa/issue/7339

Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2018-01-09 08:02:29 +01:00
Christian Heimes
d7426ccbe7 Replace nose with unittest and pytest
* Replace raise nose.SkipTest with raise unittest.SkipTest
* Replace nose.tools.assert_equal(a, b) with assert a == b
* Replace nose.tools.raises with pytest.raises
* Convert @raises decorator to pytest.raises() but just for relevant
  lines.
* Remove nose dependency

I left the nose_compat pytest plugin in place. It can be removed in
another request in case it is no longer used.

https://pagure.io/freeipa/issue/7301

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-12-12 16:16:58 +01:00
Christian Heimes
b98f9b46de Add marker needs_ipaapi and option to skip tests
The new marker needs_ipaapi is used to mark tests that needs an
initialized API (ipalib.api) or some sort of other API services (running
LDAP server) to work. Some packages use api.Command or api.Backend on
module level. They are not marked but rather skipped entirely.

A new option ``skip-ipaapi`` is added to skip all API based tests. With
the option, only simple unit tests are executed. As of now, freeIPA
contains more than 500 unit tests that can be executed in about 5
seconds.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-12-11 20:40:06 +01:00
Mohammad Rizwan Yusuf
feee70d7bb ipatest: replica install with existing entry on master
replica install might fail because of existing entry for replica like
    `cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX` etc. The situation
    may arise due to incorrect uninstall of replica or ipa server-del is
    not executed on master.

    related bug : https://pagure.io/freeipa/issue/7174

Fixes: https://pagure.io/freeipa/issue/7276

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-11 08:32:39 +01:00
Fraser Tweedale
ba411b0f6d Re-enable some KRA installation tests
Some KRA installation tests were disabled due to failures caused by
security domain session replication lag.  This problem has been
addressed in Dogtag by introducing a default 5 second sleep after
security domain login, to give more time for session data to be
replicated to other hosts.  There is still a possibility for this
kind of failure, but the delay minimises it.

FreeIPA depends on the version of Dogtag that contains this change,
so remove the failing-test annotations.

Fixes: https://pagure.io/freeipa/issue/7220
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-07 13:03:30 +01:00
Petr Čech
cd80036b6b
tests: Mark failing tests as failing
Some tests from installation suite fail.
The issues are:

* ipa-replica-install --setup-kra if first KRA in topology fails
  https://pagure.io/freeipa/issue/7008

* Third KRA installation in topology fails
  https://pagure.io/freeipa/issue/7220

This patch marks those tests as failing.

Signed-off-by: Petr Čech <pcech@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2017-11-28 09:45:32 +01:00
Michal Reznik
d3a2a9be24 test_vault: increase WAIT_AFTER_ARCHIVE
Fixes failing "ipa vault-retrieve" on replica due to a vault
not yet replicated. Increase from 30 to 45 seems to be enough.

https://pagure.io/freeipa/issue/7265

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-11-22 15:19:52 +01:00
Michal Reznik
cedd52d7f9 test_caless: fix http.p12 is not valid
In "test_invalid_ds_cn" test case an old invalid http.p12 cert
is used as a leftover after previous "test_invalid_http_cn" test.
Get new valid http.p12 cert using create_pkcs12().

Also use server-badname cert instead of cert for replica.
This explicitly ensures a non-matching hostname/SAN rather than
implicitly by using a certificate for the replica.

https://pagure.io/freeipa/issue/7254

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-15 16:23:15 +01:00
Michal Reznik
495b85793c test_caless: fix TypeError on domain_level compare
Fixes an error where we were getting domain_level None and after
switching to Py3 we hit TypeError because of comparing None and int.

https://pagure.io/freeipa/issue/7254

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-15 16:23:15 +01:00
Christian Heimes
a48f6511f6 Use namespace-aware meta importer for ipaplatform
Instead of symlinks and build-time configuration the ipaplatform module
is now able to auto-detect platforms on import time. The meta importer
uses the platform 'ID' from /etc/os-releases. It falls back to 'ID_LIKE'
on platforms like CentOS, which has ID=centos and ID_LIKE="rhel fedora".

The meta importer is able to handle namespace packages and the
ipaplatform package has been turned into a namespace package in order to
support external platform specifications.

https://fedorahosted.org/freeipa/ticket/6474

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-15 14:17:24 +01:00
Tomas Krizek
c45a989506
ipatests: fix circular import for collect_logs
Move collect_logs function from util to avoid a circular import.

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-11-13 13:49:51 +01:00
Abhijeet Kasurde
222cef1a4d
ipatests: Fix interactive prompt in ca_less tests
This fix adds additional prompt which was missing previously
in test_interactive_missing_ds_pkcs_password and
test_interactive_missing_http_pkcs_password under CA-less integration
testsuite.

Fixes: https://pagure.io/freeipa/issue/7182

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
2017-11-10 08:05:21 +01:00
Stanislav Laznicka
983234c91b
caless tests: decode cert bytes in debug log
Bytes would cause the logger to throw up while interpolating the
string.

Reviewed-By: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-08 07:58:46 +01:00
Stanislav Laznicka
a3009b392a
caless tests: make debug log of certificates sensible
CA-less tests debug logging uses representation of a variable
containing the certificate object, which does not help very much.
Use the actual DER representation of the certificate on such places.

Reviewed-By: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-08 07:58:46 +01:00
Michal Reznik
02c1d0e8e5
test_external_dns: add missing test cases
Add NTP, ipa-ca and ADTrust system records tests. Also test if
changes are being reflected when uninstalling a host.

The test cases are added as extension into test_dns_locations suite.

https://pagure.io/freeipa/issue/6091

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-11-07 10:17:17 +01:00
Michal Reznik
5e4f76b043
test_caless: open CA cert in binary mode
When running test_caless suite in py3 we need to open CA cert in
binary mode so we can provide bytes later for python-cryptography.

https://pagure.io/freeipa/issue/7131

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-11-06 16:53:14 +01:00
Michal Reznik
59e136e8ba
test_forced_client: decode get_file_contents() result
Decode get_file_contents() in order to not get bytes when running py3

https://pagure.io/freeipa/issue/7131

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-11-06 16:51:00 +01:00
Tomas Krizek
1d190092d3
ipatests: collect logs for external_ca test suite
Since test_external_ca isn't using the multihost framework,
logs collection has to be set up explicitly.

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Felipe Barreto <fbarreto@redhat.com>
2017-11-06 14:05:25 +01:00
Stanislav Laznicka
c9265a7b05 x509: remove the strip_header() function
We don't need the strip_header() function, to load an unknown
x509 certificate, load_unknown_x509_certificate() should be used.

Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-01 07:55:04 +01:00
Felipe Barreto
be66eadb62
Fixing tox and pylint errors
Fixing import errors introduced by commits
icac3475a0454b730d6e5b2093c2e63d395acd387 and
0b7d9c5.

https://pagure.io/freeipa/issue/7132

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-10-23 18:11:30 +02:00
Michal Reznik
a2a6cf381e tests: add host zone with overlap
This patch is mainly for test_forced_client_reenrolment suite
where when we are not in control of our client DNS we create an
overlap zone in order to get the host records updated. This also
sets resolv.conf before every ipa-client-install to the ipa master.

https://pagure.io/freeipa/issue/7124

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2017-10-11 13:06:57 +02:00
Michal Reznik
f2b32759b9 test_caless: add caless to external CA test
Add caless to external CA test as the suite is currently
missing one.

https://pagure.io/freeipa/issue/7155

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-10-04 10:18:11 +02:00
Michal Reznik
7902fc9a06 test_external_ca: switch to python-cryptography
Switch external CA generation from certutil to python-cryptography
as this way of handling the certificates should be more readable,
maintainable and extendable (e.g. extensions handling).

Also as external CA is now a separate module we can import it and
use elsewhere.

https://pagure.io/freeipa/issue/7154

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-09-27 11:51:20 +02:00
Michal Reznik
a3c99367bf
test_caless: add SAN dNSName extensions for wildcard tests
It may happen that FQDN does not match with the domain mapped to
the host. In this case we add wildcard for both domains.

https://pagure.io/freeipa/issue/7100

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-08-11 13:53:44 +02:00
Michal Reznik
1ff356241c
test_caless: add replica ca-less to ca-full test (master caless)
Add replica ca-less to ca-full test when master stays caless. Cover
Pagure issue: https://pagure.io/freeipa/issue/6226

https://pagure.io/freeipa/issue/7086

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-08-11 12:04:32 +02:00
Michal Reznik
7a5b1cc140
test_caless: add server_replica ca-less to ca-full test
Add server_replica ca-less to ca-full test as we are currently missing
one. Cover Pagure issue: https://pagure.io/freeipa/issue/6207

https://pagure.io/freeipa/issue/7086

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-08-11 12:04:32 +02:00
Michal Reznik
4caabb140e
tests: fix external_ca test suite failing due to missing SKI
external_ca test suite is failing during installation due to
missing SKI extension.

https://pagure.io/freeipa/issue/7099

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-08-11 10:54:05 +02:00
Michal Reznik
284658e08e test_caless: remove xfail in wildcard certificate tests
As we are now generating proper wildcard certificates, remove xfail
in wildcard certificate tests.

https://pagure.io/freeipa/issue/5603

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-07-26 16:02:18 +02:00
Michal Reznik
64375ba65b
test_caless: introduce new python makepki + fix SKI extension issue
Change makepki.sh for new makepki.py which should be more
readable, maintainable and extendable than the old script.
In this test we use it as a module and import create_pki().

The new makepki adds SKI and AKI extensions for correct
cert validation.

Other minor changes needed as we do not use NSS to store our
certificates on the test controller.

https://pagure.io/freeipa/issue/7030

Signed-off-by: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-07-21 09:49:18 +02:00
Jan Cholasta
07229c8ff6 logging: do not use ipa_log_manager to create module-level loggers
Replace all `ipa_log_manager.log_mgr.get_logger` calls to create
module-level loggers with `logging.getLogger` calls and deprecate
`ipa_log_manager.log_mgr.get_logger`.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
ffadcb0414 logging: remove object-specific loggers
Remove all object-specific loggers, with the exception of `Plugin.log`,
which is now deprecated. Replace affected logger calls with module-level
logger calls.

Deprecate object-specific loggers in `ipa_log_manager.get_logger`.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Stanislav Laznicka
f827fe0f19 cert-validate: keep all messages in cert validation
Previous attempt to improve error messages during certificate
validation would only work in English locale so we're keeping
the whole NSS messages for all cases.

https://pagure.io/freeipa/issue/6945

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-16 16:04:00 +02:00
Tomas Krizek
48b7e83511 ipatests: add systemd journal collection for multihost tests
Some messages are only logged in journal. Collection of journal
makes debugging failed tests from logs easier.

Fixes: https://pagure.io/freeipa/issue/6971

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-01 11:50:44 +02:00
Martin Babinsky
1e5f55e791 Do not delete DS and PKI users during backup/restore tests
Since the creation of DS and PKI users is now handled by RPMs and not at
runtime in FreeIPA 4.5.x, we should no longer remove them during
backup/restore tests.

https://pagure.io/freeipa/issue/6956

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-30 13:31:28 +02:00
Martin Babinsky
2624cf2e4c test_backup_restore: do not fail on missing KrbLastSuccessfulAuth
Since FreeIPA 4.5.1 now sets 'Disable last successful auth' option by
default (see https://pagure.io/freeipa/issue/5313), the
'KrbLastSuccessfulAuth' may not always be present on the user entry. The
restored entry checker in backup/restore suite should consider this.

https://pagure.io/freeipa/issue/6956

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-30 13:31:28 +02:00
Michal Reznik
d5e84d7065 test_caless: mark TestCertinstall intermediate CA tests as xfail
mark TestCertinstall intermediate CA tests (http, ds) as xfail
until #6959 is solved

https://pagure.io/freeipa/issue/6959

Signed-off-by: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-19 12:38:54 +02:00
Michal Reznik
f7c4039e41 test_caless: add pkinit option and test it
change "caless-create-pki" so pkinit certificates can be
generated.

See https://web.mit.edu/kerberos/krb5-1.13/doc/admin/pkinit.html for details.

add pkinit option to the ipa installer and test both master and replica
install with pkinit.

https://pagure.io/freeipa/issue/6854

Signed-off-by: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-19 12:38:54 +02:00
Stanislav Laznicka
3d969d7bad Provide useful messages during cert validation
When the certificate validation was replaced, some error messages
were omitted (like "Peer's certificate expired."). Bring these back.

https://pagure.io/freeipa/issue/6945

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-05-18 17:32:59 +02:00
Christian Heimes
dd6b72e418 pytest 3.x compatibility
pytest 3.x does no longer support plain pytest.skip() on module level.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-27 18:03:14 +02:00
Christian Heimes
24161a6190
Move remaining util functions to tasks module
https://pagure.io/freeipa/issue/6798
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2017-03-22 13:42:04 +01:00
Christian Heimes
8aadd55c93
Move function run_repeatedly to tasks module
https://pagure.io/freeipa/issue/6798
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2017-03-22 13:42:04 +01:00
Christian Heimes
8867412adc
Move hosts module to ipatests.pytest_plugins.integration.hosts
https://pagure.io/freeipa/issue/6798
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2017-03-22 13:42:04 +01:00
Christian Heimes
313ae46b57
Move tasks module to ipatests.pytest_plugins.integration.tasks
https://pagure.io/freeipa/issue/6798
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2017-03-22 13:42:04 +01:00
Christian Heimes
1406dbc8c2
Move env_config module to ipatests.pytest_plugins.integration.env_config
https://pagure.io/freeipa/issue/6798
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2017-03-22 13:42:04 +01:00
Christian Heimes
2895e3931d
Move config module to ipatests.pytest_plugins.integration.config
https://pagure.io/freeipa/issue/6798
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2017-03-22 13:42:04 +01:00
Christian Heimes
fd1b4f6ec9 Add options to run only ipaclient unittests
A new option for ipa-run-tests makes the test runner ignore
subdirectories or skips tests that depend on the ipaserver package or on
a running framework for RPC integration tests. The new option enables
testing of client-only builds.

$ ipatests/ipa-run-tests --ipaclient-unittests
...
platform linux2 -- Python 2.7.13, pytest-2.9.2, py-1.4.32, pluggy-0.3.1
rootdir: /home/heimes/redhat, inifile: tox.ini
plugins: sourceorder-0.5, cov-2.3.0, betamax-0.7.1, multihost-1.1
collected 451 items

test_util.py ........
util.py ..
test_ipaclient/test_csrgen.py ..............ssss...
test_ipalib/test_aci.py ...................
test_ipalib/test_backend.py ........
test_ipalib/test_base.py ...............
test_ipalib/test_capabilities.py .
test_ipalib/test_cli.py ...
test_ipalib/test_config.py ...............
test_ipalib/test_crud.py ...............
test_ipalib/test_errors.py .......
test_ipalib/test_frontend.py ........................................
test_ipalib/test_messages.py ....
test_ipalib/test_output.py ...
test_ipalib/test_parameters.py .............................................................
test_ipalib/test_plugable.py ........
test_ipalib/test_rpc.py ......ssssssss
test_ipalib/test_text.py .............................
test_ipalib/test_x509.py ...
test_ipapython/test_cookie.py ............
test_ipapython/test_dn.py ...........................
test_ipapython/test_ipautil.py ..................................................................
test_ipapython/test_ipavalidate.py ..........
test_ipapython/test_kerberos.py ..............
test_ipapython/test_keyring.py ..........
test_ipapython/test_ssh.py ...............................
test_pkcs10/test_pkcs10.py .....

https://fedorahosted.org/freeipa/ticket/6517

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-03-17 15:02:13 +01:00
Stanislav Laznicka
5d3a0e6758 Don't allow standalone KRA uninstalls
KRA uninstallation is very likely to break the user's setup. Don't
allow it at least till we can be safely sure we are able to remove
it in a standalone manner without breaking anything.

https://pagure.io/freeipa/issue/6538

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-13 16:27:23 +01:00
Martin Basti
25fa2bb6c9 tests: use --setup-kra in tests
This will allow to test --setup-kra option together with
ipa-server-install in install tests

Separate installation using ipa-kra-install is already covered.

https://pagure.io/freeipa/issue/6731

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-08 15:50:30 +01:00
Martin Babinsky
612ea7f66e Provide basic integration tests for built-in AD trust installer
A couple of tests were added to server/replica install integration
suite to test AD trust install w/ various combinations of other optional
components.

https://fedorahosted.org/freeipa/ticket/6630

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 15:55:45 +01:00
Ganna Kaihorodova
10494b1bb3 Tests: Basic coverage with tree root domain
Extend existing legacy client tests to cover test cases with tree root domain.

https://fedorahosted.org/freeipa/ticket/6489

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-03-01 12:29:25 +01:00
Martin Basti
5bd8217423 Test: DNS nsupdate from dns-update-system-records
Get nsupdate data from dns-update-system-records, remove system records
and run nsupdate to verify that all system records were updated

https://fedorahosted.org/freeipa/ticket/6585

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 12:20:55 +01:00
Simo Sorce
d2f5fc304f Configure HTTPD to work via Gss-Proxy
https://fedorahosted.org/freeipa/ticket/4189
https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Martin Basti
ad1a5551d5 Tests: fix wait_for_replication task
DS changed a format of replication status attribute. Now it is with
prefix "Error (x)" where x is the error code.

Both formats were kept to allow tests run on older and new
versions of DS.

Reviewed-By: Milan Kubik <mkubik@redhat.com>
2017-02-08 14:15:53 +01:00
Petr Čech
dc99d3c04e ipatests: nested netgroups (intg)
Adds a test case for issue in SSSD that manifested in
an inability to resolve nested membership in netgroups

The test case tests for direct and indirect membership.

https://fedorahosted.org/freeipa/ticket/6439

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-02-07 11:56:14 +01:00
Ganna Kaihorodova
822a119100 Tests: Add tree root domain role in legacy client tests
Legacy client tests inherits test cases from trust tests, that have
role for tree root domain. That role was missing in legacy client tests.

https://fedorahosted.org/freeipa/ticket/6600

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-01-18 16:40:28 +01:00
Petr Spacek
8bc6775122 Remove named-pkcs11 workarounds from DNSSEC tests.
As far as I can tell the tests are passing for some time in Jenkins so
maybe a bug in some underlying component was fixed. Let's remove
workarounds to make tests actually test real setups.

https://fedorahosted.org/freeipa/ticket/5348

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-12-19 13:10:48 +01:00
Oleg Fayans
fad87a9962 Test: uniqueness of certificate renewal master
https://fedorahosted.org/freeipa/ticket/6504

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-12-08 17:26:04 +01:00
Oleg Fayans
503d0929e9 Test: basic kerberos over http functionality
https://fedorahosted.org/freeipa/ticket/6446

Reviewed-By: Milan Kubik <mkubik@redhat.com>
2016-11-30 16:29:18 +01:00
Oleg Fayans
c7fd46e42a Test: made kinit_admin a returning function
In some cases we need to check the result of kinit and print out the error
message. Therefore we need it to return the result.

Reviewed-By: Milan Kubik <mkubik@redhat.com>
2016-11-30 16:29:18 +01:00
Christian Heimes
7fef9cbec7 Fix Python 3 bugs discovered by pylint
In Python 3 exception instances no longer have a message attribute.
For most exceptions, str(e) or string formatting give the same result.

Fix some renamed modules, module members and functions.

https://fedorahosted.org/freeipa/ticket/4985

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-25 16:18:22 +01:00
David Kupka
4225484356 tests: Mark 389-ds acceptance tests
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-22 12:54:56 +01:00
David Kupka
3e53bbcc34 tests: Mark Dogtag acceptance tests
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-22 12:54:56 +01:00
Lenka Doudova
4df1d9d1a5 Tests: Providing trust tests with tree root domain
https://fedorahosted.org/freeipa/ticket/6347

Reviewed-By: Ganna Kaihorodova <gkaihoro@redhat.com>
2016-11-15 13:34:38 +01:00
Oleg Fayans
232a0391d3 Test for installing rules with service principals
https://fedorahosted.org/freeipa/ticket/6481

Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
2016-11-14 18:29:48 +01:00
Oleg Fayans
91c8911a9e Test: integration tests for certs in idoverrides feature
https://fedorahosted.org/freeipa/ticket/6005

Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
2016-11-14 18:29:48 +01:00
Oleg Fayans
f1c9c56f40 Added interface to certutil
Added generic method to run certutil with arbitrary set of paramenters

Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
2016-11-14 18:29:48 +01:00
Lenka Doudova
3938698e07 Tests: Provide AD cleanup for legacy client tests
Providing cleanup of trust information from AD machines for legacy client tests.

https://fedorahosted.org/freeipa/ticket/6396

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-11-14 14:32:10 +01:00
Lenka Doudova
8a177732af Tests: Provide AD cleanup for trust tests
Providing cleanup of trust information from AD machines for trusts tests.

https://fedorahosted.org/freeipa/ticket/6396

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-11-14 14:32:10 +01:00
Florence Blanc-Renaud
808b1436b4 Refactor installer code requesting certificates
- Temporary modify certmonger dogtag-ipa-ca-renew helper to request the IPA RA
agent cert, using the temp cert created during pkispawn. The cert request
is now processed through certmonger, and the helper arguments are restored
once the agent cert is obtained.

- Modify the installer code creating HTTP and LDAP certificates to use
certmonger's IPA helper with temporary parameters (calling dogtag-submit
instead of ipa-submit)

- Clean-up for the integration tests: sometimes ipa renewal.lock is not
released during ipa-server-uninstall. Make sure that the file is removed
to allow future installations.

https://fedorahosted.org/freeipa/ticket/6433

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2016-11-10 14:15:57 +01:00
Oleg Fayans
dc58f8f2a1 Automated ipa-replica-manage del tests
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2016-11-10 12:07:24 +01:00
Oleg Fayans
6d812a0d52 tests: Automated clean-ruv subcommand tests
https://fedorahosted.org/freeipa/ticket/6451

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2016-11-10 12:07:24 +01:00
Lenka Doudova
e3b7d235d5 Tests: Fix integration sudo test
Tests with sudorules using only RunAsGroups attributes with empty RunAsUsers
attribute fail due to different expected value than is really returned. This is
caused by improper behaviour of sudo in versions before 1.8.18 (see [1]), to
which the tests were originally fitted. Changing the expected value to proper
one.

[1] - https://www.sudo.ws/pipermail/sudo-workers/2016-November/001025.html

https://fedorahosted.org/freeipa/ticket/6378

Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
2016-11-07 12:39:06 +01:00
Tomas Krizek
5b81dbfda1 ipaldap: merge IPAdmin to LDAPClient
* move IPAdmin methods to LDAPClient
* add extra arguments (cacert, sasl_nocanon) to LDAPClient.__init__()
* add host, port, _protocol to LDAPClient (parsed from ldap_uri)
* create get_ldap_uri() method to create ldap_uri from former
    IPAdmin.__init__() arguments
* replace IPAdmin with LDAPClient + get_ldap_uri()
* remove ununsed function argument hostname from
    enable_replication_version_checking()

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-11-07 11:34:03 +01:00
Tomas Krizek
de58a5c605 ipaldap: merge simple_bind into LDAPClient
* Use LDAPClient.simple_bind instead of extra call to IPAdmin.do_simple_bind
* Rename binddn to bind_dn
* Rename bindpw to bind_password
* Explicitly specify bind_dn in all calls

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-11-07 11:34:03 +01:00
Martin Basti
9408085c58 CI: Disable KRA install tests on DL0
When master is without KRA installed, on domain level0 we cannot install
KRA replicas, thus this tests must be skipped on DL0

https://fedorahosted.org/freeipa/ticket/6088

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-10-26 15:06:36 +02:00
Martin Basti
11d7b774c4 CI: use --setup-kra with replica installation
Currently tests were not testing one-step installation of KRA together
with replica. Adding --setup-kra to replica installation instead of
calling ipa-kra-install after.

https://fedorahosted.org/freeipa/ticket/6088

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-10-26 15:06:36 +02:00
Martin Basti
84ca1fc220 CI: extend replication layouts tests with KRA
KRA should be tested with warious replication topologies as well, mainly
in domain level 0

https://fedorahosted.org/freeipa/ticket/6088

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-10-26 15:06:36 +02:00
Oleg Fayans
5710ecddca Reverted the essertion for replica uninstall returncode
As the issue with ipa installer always returning 0 returncode was addressed,
the test needs to be made aware of this change.

https://fedorahosted.org/freeipa/ticket/6401

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-10-18 17:30:37 +02:00
Martin Basti
91b51e702f CI: workaround: wait for dogtag before replica-prepare
In domain level 0 ipa-replica-prepare fails because dogtag is not ready
so soon after final restart during installation (tests are too fast).
Wait 30 seconds before ipa-replica-prepare is executed, to make sure
that dogtag is ready. Remove this workaround when ticket is fixed.

https://fedorahosted.org/freeipa/ticket/6274

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-10-13 17:40:11 +02:00
Oleg Fayans
8b0faa25d1 Test: disabled wrong client domain tests for domlevel 0
These tests are only relevant for domain level 1

https://fedorahosted.org/freeipa/ticket/6382

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-12 10:53:41 +02:00
Martin Basti
49b29591aa Pylint: remove unused variables in tests
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-10-11 16:50:32 +02:00
Martin Basti
45e3aee352 Pylint: enable check for unused-variables
Unused variables may:
* make code less readable
* create dead code
* potentialy hide issues/errors

Enabled check should prevent to leave unused variable in code

Check is locally disabled for modules that fix is not clear or easy or have too many occurences of
unused variables

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-27 13:35:58 +02:00
Martin Basti
9d83be3647 Remove unused variables in tests
This commit removes or marks unused variables as "expected to be unused"
by using '_' prefix.

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-27 13:35:58 +02:00
Jan Barta
36484e8672 pylint: fix simplifiable-if-statement warnings
fix inefficient if statements, enable pylint check

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-09-22 16:52:57 +02:00
Oleg Fayans
47c808afa3 tests: Fixed code styling in caless tests to make pep8 happy
Reviewed-By: David Kupka <dkupka@redhat.com>
2016-09-22 15:20:42 +02:00
Oleg Fayans
9870c5804a tests: Reverted erroneous asserts in 4 tests
Reviewed-By: David Kupka <dkupka@redhat.com>
2016-09-22 15:20:42 +02:00
Oleg Fayans
7412f0cb20 tests: fixed certinstall method
Reviewed-By: David Kupka <dkupka@redhat.com>
2016-09-22 15:20:42 +02:00
Oleg Fayans
f1f94a7b9f tests: fixed super method invocation
Reviewed-By: David Kupka <dkupka@redhat.com>
2016-09-22 15:20:42 +02:00
Oleg Fayans
8be0906b04 tests: added verbose assert to test_service_disable_doesnt_revoke
Reviewed-By: David Kupka <dkupka@redhat.com>
2016-09-22 15:20:42 +02:00
Oleg Fayans
106f37c26f tests: Standardized replica_preparation in test_no_certs
Reviewed-By: David Kupka <dkupka@redhat.com>
2016-09-22 15:20:42 +02:00
Oleg Fayans
b8968d923c tests: Implemented check for domainlevel before installation verification
We only need to verify installation of replica under domain level 1, otherwise
replica is not installed but only a gpg file is prepared

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-09-22 15:20:42 +02:00
Oleg Fayans
43994e6697 tests: Fixed Usage of improper certs in ca-less tests
Reviewed-By: David Kupka <dkupka@redhat.com>
2016-09-22 15:20:42 +02:00
Oleg Fayans
804aae8196 tests: fixed expects of incorrect error messages
Reviewed-By: David Kupka <dkupka@redhat.com>
2016-09-22 15:20:42 +02:00
Oleg Fayans
b8cf212e8b tests: Replaced unused setUp method with install
setUp method does not get executed in recent versions of pytest
Replaced with the install method derived from the parent IntegrationTest class

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-09-22 15:20:42 +02:00
Oleg Fayans
dbf0d141c5 tests: Replaced hardcoded certutil with imported from paths
Reviewed-By: David Kupka <dkupka@redhat.com>
2016-09-22 15:20:42 +02:00
Oleg Fayans
bb4205b582 tests: Enabled negative testing for cleaning replication agreements
Reviewed-By: David Kupka <dkupka@redhat.com>
2016-09-22 15:20:42 +02:00