Since FreeIPA 4.5.1 now sets 'Disable last successful auth' option by
default (see https://pagure.io/freeipa/issue/5313), the
'KrbLastSuccessfulAuth' may not always be present on the user entry. The
restored entry checker in backup/restore suite should consider this.
https://pagure.io/freeipa/issue/6956
Reviewed-By: Martin Basti <mbasti@redhat.com>
mark TestCertinstall intermediate CA tests (http, ds) as xfail
until #6959 is solved
https://pagure.io/freeipa/issue/6959
Signed-off-by: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
When the certificate validation was replaced, some error messages
were omitted (like "Peer's certificate expired."). Bring these back.
https://pagure.io/freeipa/issue/6945
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
pytest 3.x does no longer support plain pytest.skip() on module level.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
KRA uninstallation is very likely to break the user's setup. Don't
allow it at least till we can be safely sure we are able to remove
it in a standalone manner without breaking anything.
https://pagure.io/freeipa/issue/6538
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
This will allow to test --setup-kra option together with
ipa-server-install in install tests
Separate installation using ipa-kra-install is already covered.
https://pagure.io/freeipa/issue/6731
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
A couple of tests were added to server/replica install integration
suite to test AD trust install w/ various combinations of other optional
components.
https://fedorahosted.org/freeipa/ticket/6630
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Get nsupdate data from dns-update-system-records, remove system records
and run nsupdate to verify that all system records were updated
https://fedorahosted.org/freeipa/ticket/6585
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
DS changed a format of replication status attribute. Now it is with
prefix "Error (x)" where x is the error code.
Both formats were kept to allow tests run on older and new
versions of DS.
Reviewed-By: Milan Kubik <mkubik@redhat.com>
Adds a test case for issue in SSSD that manifested in
an inability to resolve nested membership in netgroups
The test case tests for direct and indirect membership.
https://fedorahosted.org/freeipa/ticket/6439
Reviewed-By: Martin Basti <mbasti@redhat.com>
Legacy client tests inherits test cases from trust tests, that have
role for tree root domain. That role was missing in legacy client tests.
https://fedorahosted.org/freeipa/ticket/6600
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
As far as I can tell the tests are passing for some time in Jenkins so
maybe a bug in some underlying component was fixed. Let's remove
workarounds to make tests actually test real setups.
https://fedorahosted.org/freeipa/ticket/5348
Reviewed-By: Martin Basti <mbasti@redhat.com>
In some cases we need to check the result of kinit and print out the error
message. Therefore we need it to return the result.
Reviewed-By: Milan Kubik <mkubik@redhat.com>
In Python 3 exception instances no longer have a message attribute.
For most exceptions, str(e) or string formatting give the same result.
Fix some renamed modules, module members and functions.
https://fedorahosted.org/freeipa/ticket/4985
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Providing cleanup of trust information from AD machines for legacy client tests.
https://fedorahosted.org/freeipa/ticket/6396
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
- Temporary modify certmonger dogtag-ipa-ca-renew helper to request the IPA RA
agent cert, using the temp cert created during pkispawn. The cert request
is now processed through certmonger, and the helper arguments are restored
once the agent cert is obtained.
- Modify the installer code creating HTTP and LDAP certificates to use
certmonger's IPA helper with temporary parameters (calling dogtag-submit
instead of ipa-submit)
- Clean-up for the integration tests: sometimes ipa renewal.lock is not
released during ipa-server-uninstall. Make sure that the file is removed
to allow future installations.
https://fedorahosted.org/freeipa/ticket/6433
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Tests with sudorules using only RunAsGroups attributes with empty RunAsUsers
attribute fail due to different expected value than is really returned. This is
caused by improper behaviour of sudo in versions before 1.8.18 (see [1]), to
which the tests were originally fitted. Changing the expected value to proper
one.
[1] - https://www.sudo.ws/pipermail/sudo-workers/2016-November/001025.htmlhttps://fedorahosted.org/freeipa/ticket/6378
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
* move IPAdmin methods to LDAPClient
* add extra arguments (cacert, sasl_nocanon) to LDAPClient.__init__()
* add host, port, _protocol to LDAPClient (parsed from ldap_uri)
* create get_ldap_uri() method to create ldap_uri from former
IPAdmin.__init__() arguments
* replace IPAdmin with LDAPClient + get_ldap_uri()
* remove ununsed function argument hostname from
enable_replication_version_checking()
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use LDAPClient.simple_bind instead of extra call to IPAdmin.do_simple_bind
* Rename binddn to bind_dn
* Rename bindpw to bind_password
* Explicitly specify bind_dn in all calls
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
When master is without KRA installed, on domain level0 we cannot install
KRA replicas, thus this tests must be skipped on DL0
https://fedorahosted.org/freeipa/ticket/6088
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Currently tests were not testing one-step installation of KRA together
with replica. Adding --setup-kra to replica installation instead of
calling ipa-kra-install after.
https://fedorahosted.org/freeipa/ticket/6088
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
KRA should be tested with warious replication topologies as well, mainly
in domain level 0
https://fedorahosted.org/freeipa/ticket/6088
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
As the issue with ipa installer always returning 0 returncode was addressed,
the test needs to be made aware of this change.
https://fedorahosted.org/freeipa/ticket/6401
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
In domain level 0 ipa-replica-prepare fails because dogtag is not ready
so soon after final restart during installation (tests are too fast).
Wait 30 seconds before ipa-replica-prepare is executed, to make sure
that dogtag is ready. Remove this workaround when ticket is fixed.
https://fedorahosted.org/freeipa/ticket/6274
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Unused variables may:
* make code less readable
* create dead code
* potentialy hide issues/errors
Enabled check should prevent to leave unused variable in code
Check is locally disabled for modules that fix is not clear or easy or have too many occurences of
unused variables
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This commit removes or marks unused variables as "expected to be unused"
by using '_' prefix.
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
We only need to verify installation of replica under domain level 1, otherwise
replica is not installed but only a gpg file is prepared
Reviewed-By: David Kupka <dkupka@redhat.com>
setUp method does not get executed in recent versions of pytest
Replaced with the install method derived from the parent IntegrationTest class
Reviewed-By: David Kupka <dkupka@redhat.com>
Unapply fixes removes the temporary testing folder at ~/ipatests, which
contains some artifacts like root.pem that need to be persistent between tests
in the test_caless testsuite. There has to be the way to skip the deletion of
this testfolder
Reviewed-By: David Kupka <dkupka@redhat.com>
Negative testing was enabled by introducing an optional raiseonerr parameter
with True by default to both master and replica installation methods
Also the methods were updated to support intractive installation
Reviewed-By: David Kupka <dkupka@redhat.com>
Master and replica installation methods were made to utilize corresponding
methods from tasks.py for the sake of DRY
Reviewed-By: David Kupka <dkupka@redhat.com>
The IntegrationTest.install method installs the full topology while in ca-less
tests we need to check server installation, thus the nodes should not have
server or replica installed
Reviewed-By: David Kupka <dkupka@redhat.com>
Upon uninstallation IPA does not remove certs from the system, see
https://fedorahosted.org/freeipa/ticket/4639 for details. This causes
installation failures in several tests. The workaround is to manually remove
certs from all certificate databases used by IPA after each server
uninstallation
Reviewed-By: David Kupka <dkupka@redhat.com>
The installator has changed the question sequence so the stdin used for
interactive server installation has to be changed accordingly
Reviewed-By: David Kupka <dkupka@redhat.com>
The IPA installer refuses to accept certs signed with a CA-signature that does
not have basic constraints enabled (Described in RFC 5280)
Reviewed-By: David Kupka <dkupka@redhat.com>
When the same host is used for numerous server/replica
installations/uninstallations at some point the /etc/openldap/ldap.conf file
gets corruped which results in ldapsearch unaware of the default ldap_uri to
connect. The workaround would be to provide ldap hostname for each ldapsearch.
Attention: please unapply this fix once the original issue is resolved.
https://fedorahosted.org/freeipa/ticket/5880
Reviewed-By: David Kupka <dkupka@redhat.com>
krb5kdc.service restart is necessary for proper running of integration trust
related tests.
https://fedorahosted.org/freeipa/ticket/6322
Reviewed-By: Martin Basti <mbasti@redhat.com>
SSSD restart has been mistakenly added to integration tests
(test_integration/tasks.py::uninstall_master). When system setup is correct,
this restart has no significance, moreover it makes tests fail, hence its
removal is necessary.
https://fedorahosted.org/freeipa/ticket/6338
Reviewed-By: Oleg Fayans <ofayans@redhat.com>
Also created a decorator that removes the segment that the next test does not
expect.
https://fedorahosted.org/freeipa/ticket/6250
Reviewed-By: Martin Basti <mbasti@redhat.com>
As the segment name is a stochastic valu, which can have either of the two
nodes as the left node, we need to adapt the tests to not expect some
particular segment name but rather to calculate it dynamically based on node
names and the output of topologysegment-find ipa call
Reviewed-By: Martin Basti <mbasti@redhat.com>
Adding 'defaults' sudorule to prevent requesting further user authentication.
Adding checks that if a user should be rejected access, a proper error message
is displayed.
https://fedorahosted.org/freeipa/ticket/6262
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
In test_one_command_installation the ipa-replica-install was missing '--server'
and '-U' options which resulted in false negative result. In
test_client_enrollment_by_unprivileged_user '--server' option was messing.
test_replica_promotion_after_adding_to_admin_group lacked '-U' option. It
leaded to 3 failed cases.
https://fedorahosted.org/freeipa/ticket/6301
Reviewed-By: Martin Basti <mbasti@redhat.com>
The server installation in most cases returns response code 0 no matter what
happens except for really severe errors. In this case when we try to uninstall
the middle replica of a line topology, it fails, notifies us that we should use
'--ignore-topology-disconnect', but returns 0
https://fedorahosted.org/freeipa/ticket/6300
Reviewed-By: Martin Basti <mbasti@redhat.com>
Trust tests fail if they are executed after external trust tests. This is
caused my missing cleanup. Providing cleanup that would enable correct
execution of the tests regardless of their order.
https://fedorahosted.org/freeipa/ticket/6306
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
In integration trust tests some values are checked using regular expressions.
Some of these expressions from recently added coverage have minor mistakes
which causes the comparisons to fail. Providing fix for these regular
expressions.
https://fedorahosted.org/freeipa/ticket/6285
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
domainlevel method is called upon each master uninstallation. Sometimes the
master uninstallation is called from within teardown method of some tests when
the master was not in fact installed, in which case the kinit_admin would
always raise an error.
https://fedorahosted.org/freeipa/ticket/6254
Reviewed-By: Martin Basti <mbasti@redhat.com>
Due to race conditions the test sometimes catches 2 one-way segments instead of
one bidirectional. We need to give the master time to merge the one-way
segments before we test the output.
https://fedorahosted.org/freeipa/ticket/6265
Reviewed-By: Martin Basti <mbasti@redhat.com>
Domain level 0 doesn't allow to create replica file on CA-less master, testcases were skipped with Domain level 0
[https://fedorahosted.org/freeipa/ticket/6134]
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
usage of ipautil.run in get_pem methond of ca-less tests was not
refactored when the ipautil.run was refactored in
099cf98307
This results in failure of all CA-less test.
https://fedorahosted.org/freeipa/ticket/6177
Reviewed-By: Martin Basti <mbasti@redhat.com>
The assert checked that the returncode of the replica uninstallation is zero
where in fact the uninstallation was expected to fail with the certain error
message
Reviewed-By: Martin Basti <mbasti@redhat.com>
assert_error was lately transfered from test_caless.py to tasks.py, which
started to cause import errors in replica promotion tests
Reviewed-By: Martin Basti <mbasti@redhat.com>
Wildcard '*' has not been working for log collecting. I just set
the whole SSSD log directory to be collected. tar utility is able to
archive whole directories.
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
We should collect as much as possible relevant logs to be able do better
investigation from test automation
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Providing missing test case verifying authentication as IPA user, namely:
"kinit -E ipauser@IPADOMAIN".
https://fedorahosted.org/freeipa/ticket/6036
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Basic set of tests to verify support of UPN functionality.
Test cases:
- establish trust
- verify the trust recognizes UPN
- verify AD user with UPN can be resolved
- verify AD user with UPN can authenticate
- remove trust
https://fedorahosted.org/freeipa/ticket/6094
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Provides basic coverage for external trust feature.
Test cases:
1. verify an external trust with AD subdomain can be established
- verify only one trustdomain is listed
- verify subdomain users are resolvable
- verify trust can be deleted
2. verify non-external trust with AD subdomain cannot be established
3. verify an external trust with AD forest root domain can be established
- verify that even if AD subdomain is specified, it is not associated with the trust
- verify trust can be deleted
https://fedorahosted.org/freeipa/ticket/6093
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This test is testing default IPA system records in locations, if
priority and weight were properly set per service, per server, per
location.
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Since DNS configuration is no longer needed for running trust tests, this method's contents are removed. Method is left empty as reference for others, should they have issues with DNS configuration.
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Oleg Fayans <ofayans@redhat.com>
these tests cover various scenarios such as:
* trying to remove master that would disconnect topology in one of the
suffixes
* forcing master removal regardless of topology state before/after removal
* trying to remove last CA/DNS server/DNSSec key master
* forcing removal of the last DNSSec key master
https://fedorahosted.org/freeipa/ticket/5588
Reviewed-By: Martin Basti <mbasti@redhat.com>
After discussion with Martin Basti we decided to standardize on root_logger
with hope that one day we will use root_logger.getLogger('module')
to make logging prettier and tunable per module.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
A master can only be delegated a zone authority, if this zone contains A
records of the master and ALL replicas
https://fedorahosted.org/freeipa/ticket/5848
Reviewed-By: Martin Basti <mbasti@redhat.com>
A freshly created dnssec-enabled zone does not always display the signature
until you restart named-pkcs11. Added restarting of this service after each
dnssec-enabled zone.
https://fedorahosted.org/freeipa/ticket/5348
Reviewed-By: Martin Basti <mbasti@redhat.com>
Fixed a false negative related to replication taking some time: added
wait_for_replication call before checking for new object in replicas.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The following testcases were automated:
1. Test one command replica installation
2. Test csreplica-manage-(del, connect, disconnect) are disabled in domain
level 1
3. Client enrollment and replica promotion by an unprivileged user are
prohibited
4. Replica uninstallation is prohibited if it disconnects a part of existing
topology (is possible only with --ignore-topology-disconnect option)
https://fedorahosted.org/freeipa/ticket/5723
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
teardown_method is a standard pytest method used to put any code to be executed
after each test method is executed. While treated correctly by our integration
tests, this method is misinterpreted by in-tree tests in the following way:
in-tree tests try to execute it even if all the test methods are skipped due to
test resources being not configured. This causes the tests, that otherwise would
have been skipped, to fail
https://fedorahosted.org/freeipa/ticket/5723
Reviewed-By: Martin Basti <mbasti@redhat.com>
Test will use tasks methods instead of custom commands to be able work
with domain levels.
https://fedorahosted.org/freeipa/ticket/5606
Reviewed-By: Milan Kubik <mkubik@redhat.com>
authconfig in config_redhat_nss_ldap and config_redhat_nss_pam_ldapd got
new option --enableldaptls
It should have effect primarily on el5 systems.
https://fedorahosted.org/freeipa/ticket/5654
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Newer versions of sssd use native IPA schema to process sudo rules.
However, this schema currently has no support for hostmask-based rules
and causes some sudo CI tests to fail. We have to temporarily set
sssd.conf to use ou=sudoers,$SUFFIX as a sudo rule search base when
executing them.
https://fedorahosted.org/freeipa/ticket/5625
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Don't put any IPA certificates to /etc/pki/nssdb - IPA itself uses
/etc/ipa/nssdb and IPA CA certificates are provided to the system using
p11-kit. Remove leftovers on upgrade.
https://fedorahosted.org/freeipa/ticket/5592
Reviewed-By: David Kupka <dkupka@redhat.com>
If number of servers (master+replicas) is equal to 4 + SUM(1, n, 2^n*5) for
any n >= 0:
* every server has replication agreement with 2 - 4 other servers.
* at least two agreements must fail in order to disconnect the topology.
Otherwise there can be server(s) with single agreement on the edge of the
topology.
Reviewed-By: Milan Kubik <mkubik@redhat.com>
Explicitly specifying ip-address of the replica messes up with the current
bind-dyndb-ldap logic, causing reverse zone not to be created.
Enabled reverse-zone creation for the clients residing in different subnet from
master
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Without it any test comprized of more than one cycle of installing-uninstalling
of ipa would fail due to the fact that test folder on the remote machine gets
deleted during ipa uninstallation.
Also removed duplicate call of apply_common fixes and added unapply_fixes to
uninstall_replica
Reviewed-By: Martin Basti <mbasti@redhat.com>
Fixes the install invocation in the test to use domain and
realm correctly. Also makes the test aware of domain levels.
https://fedorahosted.org/freeipa/ticket/5605
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
In Python 3, the truncating division operator, //, is needed to
get C-style "int division".
https://fedorahosted.org/freeipa/ticket/5623
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
When resolv.conf is set to point to the master's ip before installation, the
ipa-server-install does not create a reverse zone for it's ip even despite
--auto-reverse option provided. The fix is not to mess around with resolv.conf
before master installation.
Reviewed-By: Petr Spacek <pspacek@redhat.com>
In DNSSEC tests the root zone has to be created, this requires to use
--skip-overlap-check to work properly.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Without realm provided explicitly, installation calculates it automatically
from the current hostname which may be inconsistent with the configured domain
name. Which, in turn, causes failures in integration tests in the lab.
Reviewed-By: Martin Basti <mbasti@redhat.com>
fix for https://fedorahosted.org/freeipa/ticket/4933 made ipa-dns-install to
use LDAPI and deprecated -p option for directory manager password. This patche
remove the option from calls to ipa-dns-install in CI tests so that
deprecation warning does not clutter the logs.
Reviewed-By: Milan Kubik <mkubik@redhat.com>
IPA sudo tests worked under the assumption that the clients
that are executing the sudo commands have their IPs assigned
within 255.255.255.0 hostmask.
Removes this (invalid) assumption and adds a
dynamic detection of the hostmask of the IPA client.
https://fedorahosted.org/freeipa/ticket/5501
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Oleg Fayans <ofayans@redhat.com>
Reviewed-By: Ales 'alich' Marecek <amarecek@redhat.com>
Test tests topologies listed bellow with and without CA on replicas:
star topology: 3 replicas
line topology: 3 replicas
complete topology: 3 replicas
Reviewed-By: Oleg Fayans <ofayans@redhat.com>
When creating an A record we used to provide full hostname as a record name,
while we should have provided only the first part of the hostname
https://fedorahosted.org/freeipa/ticket/5419
Reviewed-By: Martin Basti <mbasti@redhat.com>
As of 4.3 the replica installation is performed without preparing a gpg file on
master, but rather enrolling a future replica as a client with subsequent
promotion of the client. This required the corresponding change in the
integration tests
https://fedorahosted.org/freeipa/ticket/5379
Reviewed-By: Martin Basti <mbasti@redhat.com>
In some cases replication may take much more time than we expected. This
patch adds explicit cech if DS records has been replicated.
Reviewed-By: Petr Spacek <pspacek@redhat.com>
The StringIO class was moved to the io module.
(In Python 2, io.StringIO is available, but is Unicode-only.)
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
For the duration of the test, makes resolv.conf unmanaged.
If NetworkManager is not running, nothing is changed.
https://fedorahosted.org/freeipa/ticket/5331
Reviewed-By: Martin Basti <mbasti@redhat.com>
In FreeIPA CI-tests the install_master task automatically performs kinit after
successfull installation. This may break some backup/restore tests which
perform backup into previously installed IPA master. In this case it is
neccessary to re-kinit after restore.
https://fedorahosted.org/freeipa/ticket/5326
Reviewed-By: Martin Basti <mbasti@redhat.com>
In beaker lab the situation when master and replica have ip addresses from
different subnets is quite frequent. When a replica has ip from different
subnet than master's, ipa-replica-prepare looks up a proper reverse zone to
add a pointer record, and if it does not find it, it asks a user for permission
to create it automatically. It breaks the tests adding the unexpected input.
The workaround is to always create a reverse zone for a new replica.
Corresponding ticket is https://fedorahosted.org/freeipa/ticket/5306
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
In Python 3, `print` is no longer a statement. Call it as a function
everywhere, and include the future import to remove the statement
in Python 2 code as well.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In Python 2, map() returns a list; in Python 3 it returns an iterator.
Replace all uses by list comprehensions, generators, or for loops,
as required.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In Python 3, filter() returns an iterator.
Use list comprehensions instead.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The patch fixes bug in the construction of ipa-replica-install arguments in
test_integration/tasks.install_replica. Due to this bug the replica
installation during certain integration tests involved CA setup even when
setup_ca was set to False.
Reviewed-By: Milan Kubik <mkubik@redhat.com>
Replace setUp()/tearDown() methods with a pytest.fixture for proper client
setup/teardown during test_forced_client_reenrollment
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
Tests:
* install master, replica, then instal DNSSEC on master
* test if zone is signed (added on master)
* test if zone is signed (added on replica)
* install master with DNSSEC, then install replica
* test if root zone is signed
* add zone, verify signatures using our root zone
https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: Milan Kubik <mkubik@redhat.com>
- Add test for invalid run of the ipa-advise command
- Add tests for valid runs of the ipa-advise command
https://fedorahosted.org/freeipa/ticket/4029
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Drop support for pylint < 1.0
Enable ignoring unknown attributes on modules (both nose and pytest
use advanced techniques, support for which only made it to pylint
recently)
Fix some bugs revealed by pylint
Do minor refactoring or add pylint:disable directives where the
linter complains.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The plugin to run tests within a class in the order they're defined
in the source was split into a separate project.
Use this project instead of a FreeIPA-specific copy.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Multihost object was is not passed to the install method in the super construction.
This fixes setup errors in AD Trust, Forced client reenrollment, CALess and Sudo
tests.
https://fedorahosted.org/freeipa/ticket/4809
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
The core integration testing functionality was split into a separate
project. Use this project, and configure it for FreeIPA.
The "mh" (multihost) fixture is made available for integration tests.
Configuration based on environment variables is moved into a separate
module, to ease eventual deprecation.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Move the IPA-specific log collection out of the Beakerlib plugin.
Add the --logfile-dir option to tests and ipa-test-task, so that logs
can be collected even if BeakerLib is not used.
https://fedorahosted.org/freeipa/ticket/4610
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The hack of storing the config on the class is left in;
it would be too much work for too little gain at this time.
https://fedorahosted.org/freeipa/ticket/4610
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The setUp/dearDown names are used in the unittest module, but there is no reason
to use them in non-`unittest` test cases.
Nose supports both styles (but mixing them can cause trouble when
calling super()'s methods).
Pytest only supports the new ones.
https://fedorahosted.org/freeipa/ticket/4610
Reviewed-By: Tomas Babej <tbabej@redhat.com>
IPA uses both named and named-pkcs11 service.
If named is masked use named-pkcs11, instead of raising exception
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
SSSD does not support sudo rules for local users;
these should be added in a local sudoers file.
https://fedorahosted.org/freeipa/ticket/4608
Reviewed-By: Martin Kosek <mkosek@redhat.com>
The --*_pkcs12 options of ipa-server-install and ipa-replica-prepare have
been replaced by --*-cert-file options which accept multiple files.
ipa-server-certinstall now accepts multiple files as well. The files are
accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and
raw private key and PKCS#12 formats.
The --root-ca-file option of ipa-server-install has been replaced by
--ca-cert-file option which accepts multiple files. The files are
accepted in PEM and DER certificate and PKCS#7 certificate chain formats.
The --*_pin options of ipa-server-install and ipa-replica-prepare have been
renamed to --*-pin.
https://fedorahosted.org/freeipa/ticket/4489
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
The --external_cert_file and --external_ca_file options of ipa-server-install
and ipa-ca-install have been replaced by --external-cert-file option which
accepts multiple files. The files are accepted in PEM and DER certificate and
PKCS#7 certificate chain formats.
https://fedorahosted.org/freeipa/ticket/4480
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Adds an integration tests that checks that all trustdomains are
able to be found by trustdomain-find command right after the
trust has been established.
Also moves some code to allow easier adding common test cases for
both POSIX and non-POSIX test classes.
https://fedorahosted.org/freeipa/ticket/4208
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Properly configure forwarders to the AD zone with respect to
newly created ipa dnsforwardzone commands.
https://fedorahosted.org/freeipa/ticket/4401
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Makes sure sudorules behave correctly both when adding new entries
with corresponding category set to ALL, and when setting the
category to all when corresponding entries exist.
The only exception of deny commands with cmdcategory ALL is
covered as well.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Covers functionality of external entries for:
* users
* runAsUsers
* groups of RunAsUsers
* runAsGroups
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
In legacy client integration test, the test cases that query information
from subdomain about subdomain users and group expected subdomain
users and groups to have the UIDs/GIDs as users and groups in the root
domain.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
When creating a BaseHost instance, the machine's hostname was
reconfigured to have the same shortname prepended the domain name
of the domain where it was defined.
However, it makes sense in certain use cases to define hosts
that have hostnames other than belonging directly in the domain
they were defined in.
Treat input hostnames with trailing dots as static FQDNs that
will not be changed by the name of the domain they were defined in.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
When serial numbers were generated with $RANDOM, there
could be collisions.
Use sequential numbers instead.
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
In test_trust.py, several tests did case sensitive search on the output of
the ipa idrange-show command. This could cause false negatives.
Part of: https://fedorahosted.org/freeipa/ticket/4267
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Information from the AD about the home directories is not leveraged at
all, but is generated from the username and domain. Fix the assumptions
in the tests.
Also changes 'Subdomain Test User' to 'Subdomaintest User' to be more
consistent.
https://fedorahosted.org/freeipa/ticket/4184
Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
If the test backup directory was never created (for example if
there was an early failure, or install was never run),
we don't want the test to fail.
Do not restore if the backup dir is not there.
Reviewed-By: Martin Kosek <mkosek@redhat.com>