Scenario:
install a replica with DNS, with the replica part of a forward zone.
The replica installation should proceed successfully and avoid
trying to add a DNS record for the replica in the forward zone,
as the forward zone is not managed by IPA DNS.
Test added to nightly definitions.
Related to https://pagure.io/freeipa/issue/7369
Reviewed-By: Francois Cami <fcami@redhat.com>
Two tests in test_intgration/test_authselect.py were marked as
skipped in c5cdd5a5f0 due to removing of --no-sssd and --no-ac options.
Tests are not needed any more.
Fixes: https://pagure.io/freeipa/issue/7841
Signed-off-by: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
authselect changed pam_systemd session from optional to required. When
the HBAC rule allow_all is disabled and replaced with more fine grained
rules, loginsi now to fail, because systemd's user@.service is able to
create a systemd session.
Add systemd-user HBAC service and a HBAC rule that allows systemd-user
to run on all hosts for all users by default. ipa-server-upgrade creates
the service and rule, too. In case the service already exists, no
attempt is made to create the rule. This allows admins to delete the
rule permanently.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1643928
Fixes: https://pagure.io/freeipa/issue/7831
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa-pkinit-manage enable was failing when run on a replica
without a CA instance.
Add a test with the following scenario:
- install a replica with --no-pkinit
- check that the KDC cert is self signed
- call ipa-pkinit-manage enable
- check that the KDC cert is signed by IPA CA
Related to https://pagure.io/freeipa/issue/7795
Reviewed-By: Francois Cami <fcami@redhat.com>
Create and execute the server and client smart card advise scripts.
See: See: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The test is failing when calling (on the replica)
ipa-replica-manage re-initialize --from <master>
because the tool needs to resolve master.
The test does not set /etc/resolv.conf on the replica, as a
consequence it relies on whatever DNS server is configured in
your test environment prior to launching the test, and makes
the test unreliable.
In PR-CI env, /etc/resolv.conf points to the machine hosting
the replica vm, which is unable to resolve master.ipa.test.
The fix is modifying the replica's /etc/resolv.conf to use the
master as DNS.
Fixes https://pagure.io/freeipa/issue/7778
Reviewed-By: Christian Heimes <cheimes@redhat.com>
test_install_dns_on_replica1_and_dnssec_on_master now also enables the
dns servive in the firewall of the master.
See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The firewall needs to be configured before installing replicas.
See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
test_replica_install_after_restore is calling tasks.uninstall_master which
is disabling the firewall services for freeipa. The following ipa-restore
call is not reapplying the firewall settings. Calling tasks.uninstall_master
with clean=False will disable the firewall cleanup.
See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add several tests to verify new anchor override and general idview
override functionality.
Fixes: https://pagure.io/freeipa/issue/6594
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
In order to work with IPA and Yubikey, libyubikey is required.
Before the fix, if yubikey added without having packages, it used to
result in traceback. Now it the exception is handeled properly.
It needs Yubikey hardware to make command successfull. This test
just check of proper error thrown when hardware is not attached.
related ticket : https://pagure.io/freeipa/issue/6979
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The test is using a stale ldap connection to the master
(obtained before calling upgrade, and the upgrade stops
and starts 389-ds, breaking the connection).
The fix re-connects before using the ldap handle.
Related to https://pagure.io/freeipa/issue/7775
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Add a test for ipa-pkinit-manage with the following scenario:
- install master with option --no-pkinit
- call ipa-pkinit-manage enable
- call ipa-pkinit-manage disable
- call ipa-pkinit-manage enable
At each step, check that the PKINIT cert is consistent with the
expectations: when pkinit is enabled, the cert is signed by IPA
CA and tracked by 'IPA' ca helper, but when pkinit is disabled,
the cert is self-signed and tracked by 'SelfSign' CA helper.
The new test is added in the nightly definitons.
Related to https://pagure.io/freeipa/issue/7200
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
KRA installtion was failing after ca-agent cert gets renewed.
This test check if the syptoms no longer exists.
related ticket: https://pagure.io/freeipa/issue/7288
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The following tests are added in test_ntp_options.py :: TestNTPoptions
- test_server_and_client_install_without_option_n
- test_server_and_client_install_with_option_n
- test_server_and_client_install_with_multiple_ntp_server
- test_server_replica_and_client_install_with_ntp_pool_and_ntp_server
- test_server_and_client_install_with_mixed_options
- test_two_step_replica_install_using_ntp_options
- test_two_step_replica_install_without_ntp_options
Details in the ticket: https://pagure.io/freeipa/issue/7719
and https://pagure.io/freeipa/issue/7723
Signed-off-by: Varun Mylaraiah <mvarun@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
The tests in this file are calling ipa-[server,replica]-install directly
instead of using methods from tasks. Therefore it is required to enable
or disable the needed firewall services also.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
The dns firewall service needs to be enabled for the servers and replicas
where dns support has not been enabled at install time. Also it is needed
to enable the dns firewall service on the replica for migrating the dns
server to the replica.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Instead of using ip[6]tables commands, use new firewall class to deny
access to TCP and UDP port 88 on external machines using the OUTPUT chain.
The iptables calls in the install method are replaced by a
prepend_passthrough_rules call with the rules defined in the class.
The firewall rules are defined in the class as fw_rules without
--append/-A, --delete/-D, .. First entry of each rule is the chain name,
the argument to add or delete the rule will be added by the used Firewall
method. See firewall.py for more information.
The "iptables -F" call (IPv4 only) in the uninstall method is replaced by
a remove_passthrough_rules call with the rules defined in the class.
See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Instead of using iptables command, use "unshare --net" for uninstalling
client in the restore_client method.
The uninstall_client method has been extended with the additional argument
unshare (bool) which defaults to False. With unshare set, the call for
"ipa-client-install --uninstall -U" will be used with "unshare --net". The
uninstall command will not have network access.
See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Create a test for upgrade with the following scenario:
- install master
- write a double-encoded cert in the entry
cn=cacert,,cn=ipa,cn=etc,$basedn
to simulate bug 7775
- call ipa-server-upgrade
- check that the upgrade fixed the value
The upgrade should finish successfully and repair
the double-encoded cert.
Related to https://pagure.io/freeipa/issue/7775
Reviewed-By: Christian Heimes <cheimes@redhat.com>
pylint 2.2.0 has a new checker for unnecessary pass statements. There is
no need to have a pass statement in functions or classes with a doc
string.
Fixes: https://pagure.io/freeipa/issue/7772
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Add a shared-vault-retrieve test when:
* master has KRA installed
* replica has no KRA
This currently fails because of issue#7691
Related-to: https://pagure.io/freeipa/issue/7691
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Test ensures that after ipa-restore on the master, the replica can be
re-synchronized and a new replica can be created.
https://pagure.io/freeipa/issue/7455
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Add a test checking that --password and --admin-password
options are mutually exclusive.
Related to https://pagure.io/freeipa/issue/6353
Reviewed-By: Christian Heimes <cheimes@redhat.com>
test_topology.py is failing because of a wrong scenario.
Currently, test_replica_uninstall_deletes_ruvs does:
- install master + replica with CA
- ipa-replica-manage list-ruv to check that the repl is
propery setup
- ipa-replica-manage del $replica
- (on replica) ipa-server-install --uninstall -U
- ipa-replica-manage list-ruv to check that replica
does not appear any more in the RUV list
When ipa-replica-manage del is run, the topology plugin
creates 2 tasks cleanallruvs (one for the domain, one for the ca)
and they are run asynchronously. This means that the ruvs may
still be present when the test moves forward and calls list-ruv.
The test should wait for the cleanallruvs tasks to finish before
checking that list-ruv does not display replica anymore.
Fixes https://pagure.io/freeipa/issue/7545
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Pylint warns about comparing callable. Replace equality with identity
test.
See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Pylint warns about inconsistent return statements when some paths of a
function return None implicitly. Make all implicit returns either
explicit or raise a proper exception.
See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The test test_http_intermediate_ca was expecting success when
it should expect a failure. Scenario:
- install IPA ca-less with certs signed by rootCA
- call ipa-server-certinstall with a cert signed by a subCA
to replace http cert.
In this case, the command should refust changing the cert
(otherwise the clients won't be able any more to use
ipa * commands as the subca is not installed in /etc/ipa/nssdb
or in /etc/ipa/ca.crt).
The commit fixes the test expectation and marks the test as
xfail (see ticket 7759).
The test test_ds_intermediate_ca was expecting success when
it should expect a failure. Same scenario as above, but for
the ldap server cert.
The commit fixes the test expectation and removes the xfail
(ticket 6959 was closed as invalid).
Note:
The behavior differs for ldap and http cert because LDAP server
is using a NSSDB and http server is using openssl, hence
ipa-server-certinstall follows 2 different code paths when
changing the server cert.
Related to https://pagure.io/freeipa/issue/7759
Related to https://pagure.io/freeipa/issue/6959
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add a new integration test for the following scenario:
- create a user with the "User Administrator" role
- as this user, create a user with a --radius=<radius_proxy_server>
This scenario was previously failing because ipa user-add --radius
requires read access to the radius server entries, and there was no
permission granting this access.
Related to https://pagure.io/freeipa/issue/7570
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The test TestServerInstall::test_ca_2_certs has a
wrong expectation. Scenario:
install a CA-less master with
ipa-server-install --ca-cert-file root.pem
where root.pem contains the CA that signed the http and ldap
certificates + an additional (unneeded) CA cert.
The test was expecting a failure, but this scenario is not
problematic as long as the unneeded CA cert is not added.
Related to https://pagure.io/freeipa/issue/6289 which has been
closed as won't fix
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Some basic tests like re-loading a certificate, loading a
PKCS#7 cert and bad cert handling.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
https://pagure.io/freeipa/issue/7579
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reuse master instance when installing replica with custom DS config.
This avoids one extra ipa-server-install and also tests replica
installation from a master with custom DS config.
See: https://pagure.io/freeipa/issue/7743
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
For smart card authentication, ipaapi must be able to access to sss-ifp.
During installation and upgrade, the ipaapi user is now added to
[ifp]allowed_uids.
The commit also fixes two related issues:
* The server upgrade code now enables ifp service in sssd.conf. The
existing code modified sssd.conf but never wrote the changes to disk.
* sssd_enable_service() no longer fails after it has detected an
unrecognized service.
Fixes: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Test that
1) sudo is not enabled for members of admins group by default
2) sudo is enabled for them after execution of script provided
by ipa-advise enable_admins_sudo
Related to https://pagure.io/freeipa/issue/7538
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This Dogtag issue that caused KRA clone installation failure in some
scenarios has been fixed (https://pagure.io/dogtagpki/issue/3055).
This reverts commit 2488813260 and
bumps the pki-core dependency.
Fixes: https://pagure.io/freeipa/issue/7654
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The install_master() function performs additional steps besides just
installing a server. It also sets up log collection and performs
additional tests.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The test ensures that ipa-backup compresses the files after the
IPA services are restarted.
Related to: https://pagure.io/freeipa/issue/7632
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Some incorrect errors are possible if a client installation
fails and a configuration rollback is required.
These include:
1. Unconfigured automount client failed: CalledProcessError(Command
['/usr/sbin/ipa-client-automount', '--uninstall', '--debug']
returned non-zero exit status 1: '')
Caused by check_client_configuration() not returning the correct
return value (2).
2. WARNING: Unable to revert to the pre-installation state ('authconfig'
tool has been deprecated in favor of 'authselect'). The default sssd
profile will be used instead.
The authconfig arguments would have been: authconfig --disableldap
--disablekrb5 --disablesssdauth --disablemkhomedir
If installation fails before SSSD is configured there is no state
to roll back to. Detect this condition.
3. An error occurred while removing SSSD's cache.Please remove the
cache manually by executing sssctl cache-remove -o.
Again, if SSSD is not configured yet then there is no cache to
remove. Also correct the missing space after the period.
https://pagure.io/freeipa/issue/7729
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
On a plain uninstall there should not be a bunch of confusing
warning/error messages.
Related to https://pagure.io/freeipa/issue/7729
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The test is putting server.p12 / replica.p12 in the test_dir directory,
and the error message is printing the file name with its full path.
Related to https://pagure.io/freeipa/issue/5378
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
The KRA installation code explicity quits if trying to
install a KRA during a replica installation if there is not
already a KRA in the topology.
A KRA can be added afterward.
https://pagure.io/freeipa/issue/7651
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Commit 5dbcc1a9d3 marked
the base class method test_replica0_with_ca_kra_dns_install
as known failure, but this does not work with inherited
classes. The child class methods need to be marked
themselves as known failures with @pytest.mark.xfail
Furthermore, TestInstallWithCA_KRA2 and TestInstallWithCA_KRA_DNS2
tests should succeed because the master is installed with KRA
(issue 7651 is related to replica install with --setup-kra
when it is the first KRA instance).
Related to https://pagure.io/freeipa/issue/7651
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Remove the annotation pytest.mark.xfail as issue 5378 has been fixed.
Related to https://pagure.io/freeipa/issue/5378
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
TestReplicaManageDel is a test using domain level 0
but we do not support it any more. Remove the test.
Related to https://pagure.io/freeipa/issue/7689
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
An client-side error occurs when cert commands are instructed to
write the certificate chain (--chain option) to a file
(--certificate-out option). This regression was introduced in the
'cert' plugin in commit 5a44ca6383,
and reflected in the 'ca' plugin in commit
c7064494e5.
The server behaviour did not change; rather the client did not
correctly handle the DER-encoded certificates in the
'certificate_chain' response field. Fix the issue by treating the
'certificate' field as base-64 encoded DER, and the
'certificate_chain' field as an array of raw DER certificates.
Add tests for checking that the relevant commands succeed and write
PEM data to the file (both with and without --chain).
Fixes: https://pagure.io/freeipa/issue/7700
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The test TestInstallWithCA2 and TestInstallWithCA_DNS2 fail in
test_replica0_with_ca_kra_dns_install because they both try to
install a (first instance of) KRA.
This is a known issue, thus marking as xfail.
Related to https://pagure.io/freeipa/issue/7651
Reviewed-By: Christian Heimes <cheimes@redhat.com>
On Python 3, six.text_type (singular) is an alias for str.
See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Python 2 had old style and new style classes. Python 3 has only new
style classes. There is no point to subclass from object any more.
See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
tox / pytest is complaining about lots and lots of invalid escape
sequences in our code base. Sprinkle raw strings or backslash escapes
across the code base to fix most occurences of:
DeprecationWarning: invalid escape sequence
There is still one warning that keeps repeating, though:
source:264: DeprecationWarning: invalid escape sequence \d
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The tests in test_integration/test_installation.py
that inherit from InstallTestBase2 all fail in
test_replica2_ipa_kra_install because of ticket
7654: ipa-kra-install fails on DL1
This is an issue linked to dogtag (see
https://pagure.io/dogtagpki/issue/3055), where the
installation of a KRA clone creates a range depletion
when multiple clones are created from the same master.
Marking the tests as known failure, waiting for dogtag's
fix.
Related to https://pagure.io/freeipa/issue/7654
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The API may not be initialized so using ds.is_running() may fail.
Call systemctl directly to ensure the dirsrv instance is stopped.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
Add a test that performs client uninstallation when sysrestore.state
contains the header for the [authselect] section but does not
contain a value for profile and features.
Related to https://pagure.io/freeipa/issue/7657
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
These tests have been skipped already before. Therefore they can be removed.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Test that the scenario ipa-replica-install/ uninstall correctly
restores the file /etc/httpd/conf.d/ssl.conf
Related to https://pagure.io/freeipa/issue/7684
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add a test checking that ipa-replica-install successfully configures
PKINIT on the replica
Related to https://pagure.io/freeipa/issue/7566
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add 2 tests related to the checks performed by ipa-server-install
when --forwarder is specified:
- if the forwarder is not reachable and we require dnssec validation,
the installer must refuse to go on and exit on error.
- if the forwarder is not reachable but --no-dnssec-validation is
provided, the installer must continue.
Related to https://pagure.io/freeipa/issue/7666
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
related ticket : https://pagure.io/freeipa/issue/7587
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This test checks if the access rights for user/group
is set to 644 on /var/lib/dirsrv/slapd-TESTRELM-TEST/ldif/*
and umask 0022 set while restoring.
related ticket: https://pagure.io/freeipa/issue/6844
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Ckeck the output of ipa-server-upgrade script for error.
Related to: https://pagure.io/freeipa/issue/7644
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Disable tests that use domain level 0. Fail early to catch additional
tests that depend on DL0.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Client installation with --no-sssd option has already beeen deprecated
with https://pagure.io/freeipa/issue/5860. Authconfig support has been
removed, therefore --no-ac option can be removed also.
ipatests/test_integration/test_authselect.py: Skip no_sssd and no_ac tests.
See: https://pagure.io/freeipa/issue/7671
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add a test for issue 7601:
- add a user, perform kinit user to modify the password, read krblastpwdchange
and krbpasswordexpiration.
- perform a ldapmodify on the password as dir mgr
- make sure that krblastpwdchange and krbpasswordexpiration have been modified
- perform the same check with ldappasswd
Related to:
https://pagure.io/freeipa/issue/7601
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
pytest 3.7.0 doesn't like ipatests.pytest_plugins package. The string
"pytest_plugins" is used as marker to load plugins. By populare vote and
to avoid future conflicts, we decided to rename the directory to pytest_ipa.
Fixes: https://pagure.io/freeipa/issue/7663
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Modified master uninstall task for traceback check
That approach give us wide coverage and multiple scenarious
to catch traceback during uninstallation process
Add verbose option to uninstall server and set to False
Related to: https://bugzilla.redhat.com/show_bug.cgi?id=1480502
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Regression caused by 947ac4bc1f when
trying to fix a similar issue for clients running Python 3. However,
that fix broke Python 2 clients.
Issue: https://pagure.io/freeipa/issue/7626
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Mark failing DL0 TestReplicaManageDel tests as xfail until
issue 7622 is fixed.
https://pagure.io/freeipa/issue/7622
Reviewed-By: Christian Heimes <cheimes@redhat.com>
THe ipa console command takes an optional filename argument. The
filename argument was broken, because the implementation passed a file
object to exec() instead of a string or compiled object.
ipa console now uses compile() to compile the code with print_function
__future__ feature.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Several test cases in test_installation pass, but are marked as xfail().
Only mark the actual failing tests as failed.
See: https://pagure.io/freeipa/issue/7613
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
With strict=True, xfail() fails when the test case passes unexpectably.
This allows us to spot passing tests that are expected to fail.
Fixes: https://pagure.io/freeipa/issue/7613
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
ipa-client-install --request-cert now waits until certmonger has
provided a host certificate. In case of an error, ipa-client-install no
longer pretents to success but fails with an error code.
The --request-cert option also ensures that certmonger is enabled and
running.
See: Fixes: https://pagure.io/freeipa/issue/7623
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Tune 389-DS replication settings to improve performance and avoid
timeouts. During installation of a replica, the value of
nsDS5ReplicaBindDnGroupCheckInterval is reduced to 2 seconds. At the end
of the installation, the value is increased sensible production
settings. This avoids long delays during replication.
See: https://pagure.io/freeipa/issue/7617
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Fix `ERROR 'str' object has no attribute 'decode'` when --zonemgr is
passed to ipa-server-install.
Solution copied from commit 75d26e1f01,
function `ipaserver.install.bindinstance.zonemgr_callback` duplicates
the behavior of the method affected by this patch.
Issue: https://pagure.io/freeipa/issue/7612
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Test more scenarios like replication replica -> master. Verify that master
and replica have all expected certs with correct trust flags and all keys.
See: https://pagure.io/freeipa/issue/7590
See: https://pagure.io/freeipa/issue/7589
Fixes: https://pagure.io/freeipa/issue/7611
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The test checks that custodia keys are properly
replicated from the source and are successfully
distributed amongst peer system upon successful
replica installation.
Fixes: https://pagure.io/freeipa/issue/7518
Signed-off-by: Nikhil Dehadrai <ndehadra@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Skip the existing reverse zone overlap check during DNS installation
when both --auto-reverse and --allow-zone-overlap arguments are
provided.
https://pagure.io/freeipa/issue/7239
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Allow callers to pass abitrary extra arguments to the installer.
This is useful when using a CALess installation in order to
speed up tests that require a full install but do not require
a full PKI.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add a test checking that ipa-client-install --mkhomedir
is properly enableing/starting oddjobd.
Related to:
https://pagure.io/freeipa/issue/7604
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This test checks if issuer DN is updated properly after CA is
renewed from self-signed to external-ca
related ticket: https://pagure.io/freeipa/issue/7316
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Replaced hardcoded issuer CN for external ca with constant
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
With shorter TTL, several named restarts are no longer necessary to make
tests pass. The test case TestZoneSigningWithoutNamedRestart is no
longer relevant, too.
Modification of the root zone and disabling/enabling signing still seems
to need a restart. I have marked those cases as TODO.
See: https://pagure.io/freeipa/issue/5348
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When running IPA tests, a default TTL for the zone should be set
very low to allow get rid of timeouts in the tests. Zone updates should
be propagated to the clients as soon as possible.
This is not something that should be used in production so the change is
done purely at install time within the tests. As zone information is
replicated, we only modify it when creating a master with integrated
DNS.
This change should fix a number of DNSSEC-related tests where default
TTL is longer than what a test expects and a change of DNSSEC keys
never gets noticed by the BIND. As result, DNSSEC tests never match
their expected output with what they received from the BIND.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Co-authored-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
DNSSEC tests starrted to fail again, probably due to a bug in
some underlaying component.
This reverts commit 8bc6775122
and makes the xfail test check less strict - it will no longer
mark the test suite red if it passes.
Run DNSSEC tests on PR-CI
Co-authored-by: Felipe Barreto <fbarreto@redhat.com>
Related https://pagure.io/freeipa/issue/5348
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Check for nsds5ReplicaReleaseTimeout option was set
relates to: https://pagure.io/freeipa/issue/7488
Reviewed-By: Christian Heimes <cheimes@redhat.com>
authselect needs to be configured with the 'with-sudo' feature (except
when ipa-client-install is called with the option --no-sudo).
https://pagure.io/freeipa/issue/7562
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The add was in effect replacing whatever data was already there
causing any custom order to be lost on each run of
ipa-server-upgrade.
https://pagure.io/freeipa/issue/6610
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The tests listed below are failing and we do not have time to debug them
and understand why. Adding xfail to keep it green.
TestInstallDNSSECLast::test_disable_reenable_signing_master
TestInstallDNSSECLast::test_disable_reenable_signing_replica
TestInstallDNSSECFirst::test_chain_of_trust
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When master is restored from backup and replica1 is re-initialize,
second replica installation was failing. The issue was with ipa-backup
tool which was not backing up the /etc/ipa/custodia/custodia.conf and
/etc/ipa/custodia/server.keys.
related ticket: https://pagure.io/freeipa/issue/7247
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
ipa-restore should validate the DM password before executing
the restoration. This adds two test cases:
1. Restore with a bad DM password
2. Restore with dirsrv down so password cannot be checked
Related: https://pagure.io/freeipa/issue/7136
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add a test for issue 7526: install a client with a bulk enrollment
password, enrolling to an externally-signed CA master.
Without the fix, the master does not publish the whole cert chain
in /usr/share/ipa/html/ca.crt. As the client installer downloads the
cert from this location, client installation fails.
With the fix, the whole cert chain is available and client installation
succeeds.
The test_external_ca.py::TestExternalCA now requires 1 replica and 1
client, updated .freeipa-pr-ci.yaml accordingly.
Also removed the annotation @tasks.collect_logs from test_external_ca
as it messes with test ordering (and the test collects logs even
without this annotation).
Related to:
https://pagure.io/freeipa/issue/7526
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The concensus in the review was that the name test_commands was
more generic than test_ipa_cli.
Add a test to change the password for sysaccount users using
using ldappasswd to confirm that a segfault fix does not regress.
https://pagure.io/freeipa/issue/7561
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Error response used to contain bytes instead of text, which triggered an
exception.
See: https://pagure.io/freeipa/issue/5923
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
ipa-advise config-fedora-authconfig produces a script with authconfig
instructions for configuring Fedora 18/19 client with IPA server
without use of SSSD. Fedora 18 and 19 are not supported any more,
so the plugin could be removed.
Resolves: https://pagure.io/freeipa/issue/7533
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
The reason why the test started to fail is probably commit be3ad1e where the checks
were reordered. TestLastServices relies on execution of tests in a specific order.
So it fails given that checks were changed but tests weren't.
Given that master is installed with DNS and CA and replica with anything and given
that checks in server-del command are in order: DNS, DNSSec, CA, KRA then the test
should be something like:
* install master (with DNS, CA)
* install replica
* test test_removal_of_master_raises_error_about_last_dns
* test_install_dns_on_replica1_and_dnssec_on_master (installing DNS and
DNSSec will allow DNSSec check)
* test_removal_of_master_raises_error_about_dnssec
* test_disable_dnssec_on_master (will allow CA check)
* test_removal_of_master_raises_error_about_last_ca
* test_forced_removal_of_master
https://pagure.io/freeipa/issue/7517
Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This test will setup a master and a replica, uninstall replica and check
for the replica RUVs on the master. It was missing the step of running
ipa-replica-manage del <replica hostname> to properly remove the RUVs.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
mod_ssl's limiting of client cert verification depth was causing
the replica installs to fail when master had been installed with
external CA since the SSLCACertificateFile was pointing to a file
with more than one certificate. This is caused by the default
SSLVerifyDepth value of 1. We set it to 5 as that should be
just about enough even for possible sub-CAs.
https://pagure.io/freeipa/issue/7530
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Currently, the test is skipped if the platform is fedora-like. The
decision to skip should rather be based on authselect command
availability (i.e. when ipaplatform.paths.paths.AUTHSELECT is None).
Related to
https://pagure.io/freeipa/issue/7377
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The test helper create_external_ca is useful to create an external root
CA and sign ipa.csr for external CA testing. I also moved the file into
ipatests top package to make the import shorter and to avoid an import
warning.
Usage:
ipa-server-install --external-ca ...
python3 -m ipatests.create_external_ca
ipa-server-install --external-cert-file=/tmp/rootca.pem \
--external-cert-file=/tmp/ipaca.pem
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
In Python 3, cryptography requires certificate data to be binary. Even
PEM encoded files are treated as binary content.
certmap-match and cert-find were loading certificates as text files. A
new BinaryFile type loads files as binary content.
Fixes: https://pagure.io/freeipa/issue/7520
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Scenario1: Setup external CA1 and install ipa-server with CA1.
Setup exteranal CA2 and renew ipa-server with CA2.
Get information to compare CA change for ca1 and CA2
it should show different Issuer between install
and renewal.
Scenario2: Renew CA Cert on Replica using ipa-cacert-manage
verify that replica is caRenewalMaster
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add new test for client and server installation when authselect tool
is used instead of authconfig
Related to
https://pagure.io/freeipa/issue/7377
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The test as it was, was testing the backup and restore based on previous
backups and restore, not with an actual installation.
Now, with a clear setup for each test, the test mentioned above will not
fail to do a lookup (using the host command, in check_dns method) for
the master domain.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Test ecxpects auto-detection of trust type, Windows Server 2016 doesn't have
support for MFU/NIS (SFU - Services for Unix), so auto detection doesn't work
Fix is to pass extra arguments to the trust-add command,
such as --range-type="ipa-ad-trust-posix" to enforce a particular range type
https://pagure.io/freeipa/issue/7508
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
File : ipatests/test_integration/test_external_ca.py
Scenario1: Manual renew external CA cert with invalid file
when ipa-server is installed with external-ca
and renew with invalid cert file the renewal
should fail.
Scenario2: install CA cert manually
Install ipa-server. Create rootCA, using
ipa-cacert-manage install option install
new cert from RootCA
Signed-off-by: Anuja More <amore@redhat.com>
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The full chain is not required by mod_ssl.
https://pagure.io/freeipa/issue/7489
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
This is related to change in certutil which does a cwd
to the location of the NSS database. certutil is used as part
of loading a PKCS#12 file to do validation.
https://pagure.io/freeipa/issue/7489
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
Add absolute_import from __future__ so that pylint
does not fail and to achieve python3 behavior in
python2.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Delete code related to NTP checks.
As we migrated to chronyd and IPA server is not NTP server anymore
https://pagure.io/freeipa/issue/7499
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
test_ipap11helper no longer changes directory for the entire test suite.
The fix revealed a bug in another test suite. test_secrets now uses a
proper temporary directory.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
These tests are all skipped if there is no YAML configuration
file passed but the teardown method is always called and since
there is a reference to the Config object this blows up if just
ipa-run-tests is executed.
Look at the config and break out if no domains are set.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
test_topology_updated_on_replica_install_remove from the beginning used
invalid sequence of commands for removing a replica.
Proper order is:
master$ ipa server-del $REPLICA
replica$ ipa-server-install --uninstall
Alternatively usage of `ipa-replica-manage del $replica` instead of
`ipa server-del $replica` is possible. In essence ipa-replica-manage
calls the server-del command.
At some point there was a plan to achieve uninstalation only through
`ipa-server-install --uninstall` but that was never achieved to this
date.
This change also removes the ugly wrapper which makes test collection
fail if no environment config is provided (i.e. replicas cannot be
indexed).
$ pytest --collect-test ipatests/test_integration
https://pagure.io/freeipa/issue/6250
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The pki debug log has its name in this format: debug.<date>.log. This commit
changes the code to use this format, fixing the test.
Unfortunately, it's not possible to use some kind of regex (like debug.*.log)
to get the file, because python multihost gets the path and tries to open
(using the "open" python function) the file with that.
https://pagure.io/freeipa/issue/7095
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
When installing ipa in interactive mode, it's necessary to provide the
hostname. This will make the test pass.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Second check in test is failing, because it accepts default installer's values of domain, which is already used for lab machines.
IPA DNS domain must not exist before the installation, fix is to provide domain name derived from vm name.
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
The AdminTool class purports to "call sys.exit() with the return
value" but most of the run implementations returned no value, or
the methods they called returned nothing so there was nothing to
return, so this was a no-op.
The fix is to capture and bubble up the return values which will
return 1 if any exceptions are caught.
This potentially affects other users in that when executing the
steps of an installer or uninstaller the highest return code
will be the exit value of that installer.
Don't use the Continuous class because it doesn't add any
value and makes catching the exceptions more difficult.
https://pagure.io/freeipa/issue/7330
Signed-off-by: Rob Crittenden rcritten@redhat.com
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
After commit bbe615e12c278f9cddaeb38e80b970bf14d9b32d, if the uninstall
process fails (in the test cleanup) the error is not hidden anymore.
That brought light to errors in the cleanup process on
TestReplicaInstall test, like this:
```
RUN ['ipa-server-install', '--uninstall', '-U']
ipapython.admintool: ERROR Server removal aborted:
Replication topology in suffix 'domain' is disconnected:
Topology does not allow server master.ipa.test to replicate with servers:
replica0.ipa.test.
ipapython.admintool: ERROR The ipa-server-install command failed
```
This commit changes the order of how a replica should be removed from
the topology.
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
While testing on RHEL we are getting IOError instead of OSError.
Add also IOError to except clause.
This is mostly for compatibility reasons however should not cause
any issue as IOError is alias for OSError on Python3.
https://pagure.io/freeipa/issue/7439
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
test to verify that replica is able to sign a certificate with
new sub CA.
https://pagure.io/freeipa/issue/7387
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Overide trust method test_establish_trust_with_posix_attributes to test_establish_trust.
Windows Server 2016 doesn't have support for MFU/NIS, so autodetection is not working
https://pagure.io/freeipa/issue/7313
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
After commits 8960141 and 97942a7 we do not need to run
ipa-certupdate command anymore when switching to ca-full.
This patch removes the above mentioned commands in order to
properly test the scenario.
https://pagure.io/freeipa/issue/7309
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
The ACI needed for staged users and deleted users were granted
only to the uid=admin user. They should rather be granted to
cn=admins group, to make sure that all members of the admins
group are able to call the command ipa user-del --preserve.
This commit also adds integration test for non-regression.
https://pagure.io/freeipa/issue/7342
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When ipa-backup called the next time, the db2ldif fails,
because the tool does not have permissions to write to the ldif
file which was owned by root (instead of dirsrv)
This test check if files are owned by dirsrv and db2ldif doesn't
fails
related ticket: https://pagure.io/freeipa/issue/7010
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
If after ipa-restore the service oddjobd is not running,
domain-level1 replica installation will fail during
ipa-replica-conncheck because this step is using oddjob
to start the process ipa-replica-conncheck on the master.
This patch fixes it. Also added regression test.
https://pagure.io/freeipa/issue/7234
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Use is_installed() instead of is_configured() because
is_installed() does a config file check to see if the service
is in use.
https://pagure.io/freeipa/issue/7389
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Several run() calls used hard-coded paths rather than pre-defined paths
from ipaplatform.paths. The patch fixes all places that I was able to
find with a simple search.
The fix simplifies Darix's port of freeIPA on openSuSE.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Before this change, if the uninstall process fails, the test would not fail, due
to the raiseonerr=False.
It's necessary to remove the uninstall call in CALessBase because in
TestIntegration there is another uninstall call. So, without the
raiseonerr=False, it would make the uninstall process fail, since the master is
already uninstalled.
https://pagure.io/freeipa/issue/7357
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This test checks if second phase installs successfully when dirsrv
is stoped.
related ticket: https://pagure.io/freeipa/issue/6611
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
related ticket: https://pagure.io/freeipa/issue/6894
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Add an integration test for issue 7247 (ipa-backup does not backup
Custodia keys and files)
The test performs backup / uninstall / check custodia files were removed /
restore and check that the custodia conf and keys files are restored.
related ticket https://pagure.io/freeipa/issue/7247
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Since we cannot assume that LDAP will return data in any ordered way,
the test should be changed to do not rely on that.
Instead of just comparing the output of the show-user command, this change
first order the groups returned in the 'Member of Group' field before
compare them.
https://pagure.io/freeipa/issue/7339
Reviewed-By: Aleksei Slaikovskii <aslaikov@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Till now both create_caless_pki.py and create_external_ca.py were
stored in test_integration folder. However when trying to import
e.g. "from create_external_ca import ExternalCA" from tasks.py
where all other integration test`s support functions lives we get
"AttributeError: module 'pytest' has no attribute 'config' as pytest
was not completely initialized at the moment of the import.
https://pagure.io/freeipa/issue/7302
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Add test case for installing PKINIT and anchor update when using
3rd party CA after caless installation. Related to #6831 issue.
https://pagure.io/freeipa/issue/7233
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add test case for setting renewal master using command
ipa-csreplica-manage.
Automation related to upstream ticket #7120. Testing using
config-mod already covered.
https://pagure.io/freeipa/issue/7321
Reviewed-By: Christian Heimes <cheimes@redhat.com>
When the cls in env_config.py is a WinHost, the __init__ receives different
parameters. Now, it's adapted to all different kinds of hosts.
Also, it's necessary to add the host_type field to most of domains created
in the test classes, because the field is returned by pytest_multihost.Config
in pytest_plugins/integration/config.py::Config::to_dict
https://pagure.io/freeipa/issue/7346
Reviewed-By: Christian Heimes <cheimes@redhat.com>
prefix in the backup function expects output to have
'ipa.ipaserver.install.ipa_backup.Backup:' and it's wrong. The right
one is 'ipaserver.install.ipa_backup:'.
https://pagure.io/freeipa/issue/7339
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
* Replace raise nose.SkipTest with raise unittest.SkipTest
* Replace nose.tools.assert_equal(a, b) with assert a == b
* Replace nose.tools.raises with pytest.raises
* Convert @raises decorator to pytest.raises() but just for relevant
lines.
* Remove nose dependency
I left the nose_compat pytest plugin in place. It can be removed in
another request in case it is no longer used.
https://pagure.io/freeipa/issue/7301
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The new marker needs_ipaapi is used to mark tests that needs an
initialized API (ipalib.api) or some sort of other API services (running
LDAP server) to work. Some packages use api.Command or api.Backend on
module level. They are not marked but rather skipped entirely.
A new option ``skip-ipaapi`` is added to skip all API based tests. With
the option, only simple unit tests are executed. As of now, freeIPA
contains more than 500 unit tests that can be executed in about 5
seconds.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
replica install might fail because of existing entry for replica like
`cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX` etc. The situation
may arise due to incorrect uninstall of replica or ipa server-del is
not executed on master.
related bug : https://pagure.io/freeipa/issue/7174
Fixes: https://pagure.io/freeipa/issue/7276
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Some KRA installation tests were disabled due to failures caused by
security domain session replication lag. This problem has been
addressed in Dogtag by introducing a default 5 second sleep after
security domain login, to give more time for session data to be
replicated to other hosts. There is still a possibility for this
kind of failure, but the delay minimises it.
FreeIPA depends on the version of Dogtag that contains this change,
so remove the failing-test annotations.
Fixes: https://pagure.io/freeipa/issue/7220
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Some tests from installation suite fail.
The issues are:
* ipa-replica-install --setup-kra if first KRA in topology fails
https://pagure.io/freeipa/issue/7008
* Third KRA installation in topology fails
https://pagure.io/freeipa/issue/7220
This patch marks those tests as failing.
Signed-off-by: Petr Čech <pcech@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Fixes failing "ipa vault-retrieve" on replica due to a vault
not yet replicated. Increase from 30 to 45 seems to be enough.
https://pagure.io/freeipa/issue/7265
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
In "test_invalid_ds_cn" test case an old invalid http.p12 cert
is used as a leftover after previous "test_invalid_http_cn" test.
Get new valid http.p12 cert using create_pkcs12().
Also use server-badname cert instead of cert for replica.
This explicitly ensures a non-matching hostname/SAN rather than
implicitly by using a certificate for the replica.
https://pagure.io/freeipa/issue/7254
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fixes an error where we were getting domain_level None and after
switching to Py3 we hit TypeError because of comparing None and int.
https://pagure.io/freeipa/issue/7254
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Instead of symlinks and build-time configuration the ipaplatform module
is now able to auto-detect platforms on import time. The meta importer
uses the platform 'ID' from /etc/os-releases. It falls back to 'ID_LIKE'
on platforms like CentOS, which has ID=centos and ID_LIKE="rhel fedora".
The meta importer is able to handle namespace packages and the
ipaplatform package has been turned into a namespace package in order to
support external platform specifications.
https://fedorahosted.org/freeipa/ticket/6474
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Move collect_logs function from util to avoid a circular import.
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This fix adds additional prompt which was missing previously
in test_interactive_missing_ds_pkcs_password and
test_interactive_missing_http_pkcs_password under CA-less integration
testsuite.
Fixes: https://pagure.io/freeipa/issue/7182
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
Bytes would cause the logger to throw up while interpolating the
string.
Reviewed-By: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
CA-less tests debug logging uses representation of a variable
containing the certificate object, which does not help very much.
Use the actual DER representation of the certificate on such places.
Reviewed-By: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add NTP, ipa-ca and ADTrust system records tests. Also test if
changes are being reflected when uninstalling a host.
The test cases are added as extension into test_dns_locations suite.
https://pagure.io/freeipa/issue/6091
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
When running test_caless suite in py3 we need to open CA cert in
binary mode so we can provide bytes later for python-cryptography.
https://pagure.io/freeipa/issue/7131
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Decode get_file_contents() in order to not get bytes when running py3
https://pagure.io/freeipa/issue/7131
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Since test_external_ca isn't using the multihost framework,
logs collection has to be set up explicitly.
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Felipe Barreto <fbarreto@redhat.com>
We don't need the strip_header() function, to load an unknown
x509 certificate, load_unknown_x509_certificate() should be used.
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fixing import errors introduced by commits
icac3475a0454b730d6e5b2093c2e63d395acd387 and
0b7d9c5.
https://pagure.io/freeipa/issue/7132
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
This patch is mainly for test_forced_client_reenrolment suite
where when we are not in control of our client DNS we create an
overlap zone in order to get the host records updated. This also
sets resolv.conf before every ipa-client-install to the ipa master.
https://pagure.io/freeipa/issue/7124
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
Add caless to external CA test as the suite is currently
missing one.
https://pagure.io/freeipa/issue/7155
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Switch external CA generation from certutil to python-cryptography
as this way of handling the certificates should be more readable,
maintainable and extendable (e.g. extensions handling).
Also as external CA is now a separate module we can import it and
use elsewhere.
https://pagure.io/freeipa/issue/7154
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
It may happen that FQDN does not match with the domain mapped to
the host. In this case we add wildcard for both domains.
https://pagure.io/freeipa/issue/7100
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
external_ca test suite is failing during installation due to
missing SKI extension.
https://pagure.io/freeipa/issue/7099
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
As we are now generating proper wildcard certificates, remove xfail
in wildcard certificate tests.
https://pagure.io/freeipa/issue/5603
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Change makepki.sh for new makepki.py which should be more
readable, maintainable and extendable than the old script.
In this test we use it as a module and import create_pki().
The new makepki adds SKI and AKI extensions for correct
cert validation.
Other minor changes needed as we do not use NSS to store our
certificates on the test controller.
https://pagure.io/freeipa/issue/7030
Signed-off-by: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Replace all `ipa_log_manager.log_mgr.get_logger` calls to create
module-level loggers with `logging.getLogger` calls and deprecate
`ipa_log_manager.log_mgr.get_logger`.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Remove all object-specific loggers, with the exception of `Plugin.log`,
which is now deprecated. Replace affected logger calls with module-level
logger calls.
Deprecate object-specific loggers in `ipa_log_manager.get_logger`.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Previous attempt to improve error messages during certificate
validation would only work in English locale so we're keeping
the whole NSS messages for all cases.
https://pagure.io/freeipa/issue/6945
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Some messages are only logged in journal. Collection of journal
makes debugging failed tests from logs easier.
Fixes: https://pagure.io/freeipa/issue/6971
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Since the creation of DS and PKI users is now handled by RPMs and not at
runtime in FreeIPA 4.5.x, we should no longer remove them during
backup/restore tests.
https://pagure.io/freeipa/issue/6956
Reviewed-By: Martin Basti <mbasti@redhat.com>
Since FreeIPA 4.5.1 now sets 'Disable last successful auth' option by
default (see https://pagure.io/freeipa/issue/5313), the
'KrbLastSuccessfulAuth' may not always be present on the user entry. The
restored entry checker in backup/restore suite should consider this.
https://pagure.io/freeipa/issue/6956
Reviewed-By: Martin Basti <mbasti@redhat.com>
mark TestCertinstall intermediate CA tests (http, ds) as xfail
until #6959 is solved
https://pagure.io/freeipa/issue/6959
Signed-off-by: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
When the certificate validation was replaced, some error messages
were omitted (like "Peer's certificate expired."). Bring these back.
https://pagure.io/freeipa/issue/6945
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
pytest 3.x does no longer support plain pytest.skip() on module level.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
KRA uninstallation is very likely to break the user's setup. Don't
allow it at least till we can be safely sure we are able to remove
it in a standalone manner without breaking anything.
https://pagure.io/freeipa/issue/6538
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
This will allow to test --setup-kra option together with
ipa-server-install in install tests
Separate installation using ipa-kra-install is already covered.
https://pagure.io/freeipa/issue/6731
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
A couple of tests were added to server/replica install integration
suite to test AD trust install w/ various combinations of other optional
components.
https://fedorahosted.org/freeipa/ticket/6630
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Get nsupdate data from dns-update-system-records, remove system records
and run nsupdate to verify that all system records were updated
https://fedorahosted.org/freeipa/ticket/6585
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
DS changed a format of replication status attribute. Now it is with
prefix "Error (x)" where x is the error code.
Both formats were kept to allow tests run on older and new
versions of DS.
Reviewed-By: Milan Kubik <mkubik@redhat.com>
Adds a test case for issue in SSSD that manifested in
an inability to resolve nested membership in netgroups
The test case tests for direct and indirect membership.
https://fedorahosted.org/freeipa/ticket/6439
Reviewed-By: Martin Basti <mbasti@redhat.com>
Legacy client tests inherits test cases from trust tests, that have
role for tree root domain. That role was missing in legacy client tests.
https://fedorahosted.org/freeipa/ticket/6600
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
As far as I can tell the tests are passing for some time in Jenkins so
maybe a bug in some underlying component was fixed. Let's remove
workarounds to make tests actually test real setups.
https://fedorahosted.org/freeipa/ticket/5348
Reviewed-By: Martin Basti <mbasti@redhat.com>
In some cases we need to check the result of kinit and print out the error
message. Therefore we need it to return the result.
Reviewed-By: Milan Kubik <mkubik@redhat.com>
In Python 3 exception instances no longer have a message attribute.
For most exceptions, str(e) or string formatting give the same result.
Fix some renamed modules, module members and functions.
https://fedorahosted.org/freeipa/ticket/4985
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Providing cleanup of trust information from AD machines for legacy client tests.
https://fedorahosted.org/freeipa/ticket/6396
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
- Temporary modify certmonger dogtag-ipa-ca-renew helper to request the IPA RA
agent cert, using the temp cert created during pkispawn. The cert request
is now processed through certmonger, and the helper arguments are restored
once the agent cert is obtained.
- Modify the installer code creating HTTP and LDAP certificates to use
certmonger's IPA helper with temporary parameters (calling dogtag-submit
instead of ipa-submit)
- Clean-up for the integration tests: sometimes ipa renewal.lock is not
released during ipa-server-uninstall. Make sure that the file is removed
to allow future installations.
https://fedorahosted.org/freeipa/ticket/6433
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Tests with sudorules using only RunAsGroups attributes with empty RunAsUsers
attribute fail due to different expected value than is really returned. This is
caused by improper behaviour of sudo in versions before 1.8.18 (see [1]), to
which the tests were originally fitted. Changing the expected value to proper
one.
[1] - https://www.sudo.ws/pipermail/sudo-workers/2016-November/001025.htmlhttps://fedorahosted.org/freeipa/ticket/6378
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
* move IPAdmin methods to LDAPClient
* add extra arguments (cacert, sasl_nocanon) to LDAPClient.__init__()
* add host, port, _protocol to LDAPClient (parsed from ldap_uri)
* create get_ldap_uri() method to create ldap_uri from former
IPAdmin.__init__() arguments
* replace IPAdmin with LDAPClient + get_ldap_uri()
* remove ununsed function argument hostname from
enable_replication_version_checking()
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use LDAPClient.simple_bind instead of extra call to IPAdmin.do_simple_bind
* Rename binddn to bind_dn
* Rename bindpw to bind_password
* Explicitly specify bind_dn in all calls
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
When master is without KRA installed, on domain level0 we cannot install
KRA replicas, thus this tests must be skipped on DL0
https://fedorahosted.org/freeipa/ticket/6088
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Currently tests were not testing one-step installation of KRA together
with replica. Adding --setup-kra to replica installation instead of
calling ipa-kra-install after.
https://fedorahosted.org/freeipa/ticket/6088
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
KRA should be tested with warious replication topologies as well, mainly
in domain level 0
https://fedorahosted.org/freeipa/ticket/6088
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
As the issue with ipa installer always returning 0 returncode was addressed,
the test needs to be made aware of this change.
https://fedorahosted.org/freeipa/ticket/6401
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
In domain level 0 ipa-replica-prepare fails because dogtag is not ready
so soon after final restart during installation (tests are too fast).
Wait 30 seconds before ipa-replica-prepare is executed, to make sure
that dogtag is ready. Remove this workaround when ticket is fixed.
https://fedorahosted.org/freeipa/ticket/6274
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Unused variables may:
* make code less readable
* create dead code
* potentialy hide issues/errors
Enabled check should prevent to leave unused variable in code
Check is locally disabled for modules that fix is not clear or easy or have too many occurences of
unused variables
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This commit removes or marks unused variables as "expected to be unused"
by using '_' prefix.
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
We only need to verify installation of replica under domain level 1, otherwise
replica is not installed but only a gpg file is prepared
Reviewed-By: David Kupka <dkupka@redhat.com>
setUp method does not get executed in recent versions of pytest
Replaced with the install method derived from the parent IntegrationTest class
Reviewed-By: David Kupka <dkupka@redhat.com>