Commit Graph

13473 Commits

Author SHA1 Message Date
Stanislav Levin
292d686c0b pytest: Migrate xunit-style setups to Pytest fixtures
Even though Pytest supports xunit style setups, unittest and nose
tests, this support is limited and may be dropped in the future
releases. Worst of all is that the mixing of various test
frameworks results in weird conflicts and of course, is not widely
tested.

This is a part of work to remove the mixing of test idioms in the
IPA's test suite:
1) replace xunit style
2) employ the fixtures' interdependencies

Related: https://pagure.io/freeipa/issue/7989
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-02-12 18:08:32 +02:00
Alexander Bokovoy
ff547a2777 install/updates: move external members past schema compat update
There is an ordering discrepancy because the base compat tree
configuration is in install/updates/80-schema_compat.update so it is ran
after 50-externalmembers.update. And since at that point
cn=groups,cn=Schema ... does not exist yet, external members
configuration is not applied.

Move it around to make sure it is applied after Schema Compatibility
plugin configuration is created.

Fixes: https://pagure.io/freeipa/issue/8193
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-02-12 11:45:39 +01:00
Florence Blanc-Renaud
cec1ddc39e ipatests: fix modify_sssd_conf()
The method modify_sssd_conf() is copying a remote sssd.conf file
to the test controller then uses sssd python API to modify the
config file.
When the test controller does not have sssd-common package installed,
SSSDConfig() call fails because the API needs sssd schema in order
to properly parse the config file, and the schema files are provided
by sssd-common pkg.
The fix also downloads the files representing sssd schema and calls
SSSDConfig() with those files. Using the schema from the test machine
is ensuring that config is consistent with the schema (if the sssd
version differs between controller and test machine for instance).

Note: we currently don't see any issue in the nightly tests because
the test controller is installed with sssd-common package but if you
run the tests as specified in https://www.freeipa.org/page/Testing
with a controller missing sssd-common, you will see the issue.

Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2020-02-11 17:28:19 +01:00
Sumedh Sidhaye
f0f2c2645e Added a test to check if ipa host-find --pkey-only does not return SSH public key
It checks if 'SSH public key fingerprint' is
not present in the output of the command

Related: https://pagure.io/freeipa/issue/8029

Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-02-11 17:24:37 +01:00
Florence Blanc-Renaud
60f746d998 ipatests: update packages for rawhide and updates-testing nightlies
The nightly tests for rawhide and updates_testing are expected
to set
        update_packages: True
in all the job definitions to make sure that dnf/yum update is called
before starting the tests.

This tag was missing for some jobs, this commit fixes the issue.

Reviewed-By: Armando Neto <abiagion@redhat.com>
2020-02-10 15:22:54 +01:00
Serhii Tsymbaliuk
a4634a59c9
WebUI tests: Fix broken reference to parent facet in table record check
Add decorator to has_record method which repeats the check when an active facet is changed
(catch StaleElementReferenceException).

Ticket: https://pagure.io/freeipa/issue/8157

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2020-02-06 10:21:36 +01:00
Armando Neto
19f0142e79 prci: Bump version of all templates
These new images have SELinux enabled in permissive mode. After
this all tests skipped because SELinux was disabled will be
executed again.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-02-05 14:48:34 -03:00
Serhii Tsymbaliuk
9418042ee7
WebUI tests: Fix 'Button is not displayed' exception
Add a small timeout (up to 5 seconds) which allows to prevent exceptions when
WebDriver attempts to click a button before it is rendered.

Ticket: https://pagure.io/freeipa/issue/8169

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2020-02-05 12:04:50 +01:00
sumenon
d7830d900d Adding back temp config definition removed
fedora-latest/temp_commit section was removed from
temp_commit.yaml file while working with PR4108, adding it back.

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-02-05 10:02:37 +01:00
sumenon
000703c89f Nightly definition for ipa-healthcheck tool
Signed-off-by: sumenon <sumenon@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2020-02-04 09:20:23 -05:00
sumenon
b5c8efa33c Tier-1 test for ipa-healthcheck tool
Signed-off-by: sumenon <sumenon@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2020-02-04 09:20:23 -05:00
Endi S. Dewata
edfe95b120 Removed hard-coded default profile subsystem class name
Previously in order to enable the LDAP profile subsystem
the ca_enable_ldap_profile_subsystem() would check the
current value of the profile subsystem class parameter in
CS.cfg. If the parameter was still set to the default value
(i.e. ProfileSubsystem), the code would change it to
LDAPProfileSubsystem.

There is a effort in PKI to clean up the profile subsystem
classes which may require changing the default value for
this parameter. However, this improvement is blocked since
the ca_enable_ldap_profile_subsystem() is implicitly assuming
that the default value will always be ProfileSubsystem.

This patch modifies the code such that instead of checking
for a specific value that needs to be changed, it will check
whether it has the desired value already. This mechanism
will reduce potential conflicts with future PKI improvements.

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2020-02-04 19:34:26 +11:00
Anuja More
ab1999deb6 After mounting "Unspecified GSS failure" should not be in logs.
When there is directory mounted on the ipa-client
Then no "Unspecified GSS failure" should be in logs.

This is an integration test for :
https://bugzilla.redhat.com/show_bug.cgi?id=1759665

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Sumedh Sidhaye <ssidhaye@redhat.com>
2020-02-04 07:57:43 +01:00
Isaac Boukris
c940f96b70 Fix legacy S4U2Proxy in DAL v8 support
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-02-01 10:05:46 +02:00
Isaac Boukris
d92f21ae1b Fix DAL v8 support
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-02-01 10:05:46 +02:00
Robbie Harwood
93e81cfd0c Drop support for DAL version 5.0
No supported Linux distro packages a version of krb5 with this DAL, so
we don't lose anything by removing it.

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-01-31 14:36:31 +01:00
Robbie Harwood
ff10f3fa18 Support DAL version 8.0
Provide stubs for backward compatibility.  DAL 8.0 was released with
krb5-1.18, which is part of Fedora 32+.

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-01-31 14:36:31 +01:00
Robbie Harwood
1c787cc36c Handle the removal of KRB5_KDB_FLAG_ALIAS_OK
In ac8865a22138ab0c657208c41be8fd6bc7968148 (between 1.17 and 1.18),
krb5 removed this flag, and always accepts aliases.

Related-to: https://pagure.io/freeipa/issue/7879
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-01-31 14:36:31 +01:00
Gaurav Talreja
7862e9bec5 Normalize title of test external_ca in prci-definition
Use a consistent way to label the tests. As a result, replace external_ca_1 with test_external_ca_TestExternalCA and external_ca_2 with test_external_ca_TestSelfExternalSelf to better reflect which subtest is executed.
Issue : freeipa/freeipa-pr-ci#336

Signed-off-by: Gaurav Talreja <gtalreja@redhat.com>
Reviewed-By: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-01-30 11:53:20 +01:00
Sergey Orlov
15fd36612e ipatests: add check for output contents of ipa-client-samba
Check that ipa-client-samba  tool reports specific properties of domains:
name, netbios name, sid and id range

Related to https://pagure.io/freeipa/issue/8149

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-01-30 11:47:54 +01:00
Fraser Tweedale
769180c2c6 Do not renew externally-signed CA as self-signed
Commit 49cf5ec64b fixed a bug that
prevented migration from externally-signed to self-signed IPA CA.
But it introduced a subtle new issue: certmonger-initiated renewal
renews an externally-signed IPA CA as a self-signed CA.

To resolve this issue, introduce the `--force-self-signed' flag for
the dogtag-ipa-ca-renew-agent script.  Add another certmonger CA
definition that calls this script with the `--force-self-signed'
flag.  Update dogtag-ipa-ca-renew-agent to only issue a self-signed
CA certificate if the existing certificate is self-signed or if
`--force-self-signed' was given.  Update `ipa-cacert-manage renew'
to supply `--force-self-signed' when appropriate.

As a result of these changes, certmonger-initiated renewal of an
externally-signed IPA CA certificate will not issue a self-signed
certificate.

Fixes: https://pagure.io/freeipa/issue/8176
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-01-29 21:47:14 +11:00
Rob Crittenden
8e71605c54 Add tests for ipa-cacert-manage delete command
This tests the following cases:
- deletion without nickname (expect fail)
- deletion with an unknown nickname (expect fail)
- deletion of IPA CA (expect fail)
- deletion of a root CA needed by a subCA (expect fail)
- deletion of a root CA needed by a subCA with --force (ok)
- deletion of a subca (ok)

As a side-effect this also tests install by installing the LE
root and a sub-ca. The sub-ca expires in 2021 but I tested in
the future the ipa-cacert-manage install doesn't do date
validation so for now this is ok.

https://pagure.io/freeipa/issue/8124

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-01-28 13:05:31 -05:00
Rob Crittenden
6cb4f4bd50 ipa-certupdate removes all CA certs from db before adding new ones
This will allow for CA certificates to be dropped from the list
of certificates. It also allows for the trust flags to be
updated when an existing cert is dropped and re-added.

https://pagure.io/freeipa/issue/8124

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-01-28 13:05:31 -05:00
Rob Crittenden
acfb6191a1 Add delete option to ipa-cacert-manage to remove CA certificates
Before removing a CA re-verify all the other CAs to ensure that
the chain is not broken. Provide a force option to handle cases
where the CA is expired or verification fails for some other
reason, or you really just want them gone.

https://pagure.io/freeipa/issue/8124

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-01-28 13:05:31 -05:00
Gaurav Talreja
4a1f56ecdc Normalize test definations titles
Rename job titles to match their test suites and how they are defined in nightly yamls.

Issue : https://github.com/freeipa/freeipa-pr-ci/issues/336

Signed-off-by: Gaurav Talreja <gtalreja@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-01-27 09:38:20 -03:00
Christian Heimes
e9ae7c4b89 lite-setup: configure lite-server test env
Introduce a script that configures a local testing environment
with ipa default.conf, krb5.conf, and ca.crt from a server hostname.

The lite server configuration allows easy and convenient testing of
IPA server and client code. It uses an existing 389-DS and KRB5 KDC
server on another machine:

    $ contrib/lite-setup.py master.ipa.example
    $ source ~/.ipa/activate.sh
    (ipaenv) $ kinit username
    (ipaenv) $ make lite-server

IPA server UI is available on http://localhost:8888/ipa/

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-01-24 08:35:47 -05:00
Christian Heimes
0a55e82d91 Add tracemalloc support to profile memory usage
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-01-24 08:35:47 -05:00
Sergey Orlov
0ad4f4c86a
ipatests: add test_winsyncmigrate suite to nightly runs
The test suite test_winsyncmigrate was missing in nightly definitions
because CI was lacking configuration needed for establishing winsync
agreement: the Certificate Authority needs to be configured on
Windows AD instance. Now that PR-CI is updated to include said changes, we
can start executing this test suite. It is not reasonable to add it to
gating as this suite is time consuming just like other tests requiring
provisioning of AD instances.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-01-23 16:38:56 +01:00
Christian Heimes
10b62ad6bc Make assert_error compatible with Python 3.6
The re.Pattern class was introduced in Python 3.7. Use duck-typing to
distinguish between str and re pattern object.

Fixes: https://pagure.io/freeipa/issue/8179
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2020-01-22 13:15:19 -05:00
Christian Heimes
e107b8e4fe Print LDAP diagnostic messages on error
ipa_ldap_init(), ipa_tls_ssl_init(), and the bind operations of ipa-join
and ipa-getkeytab now print LDAP error string and LDAP diagonstic messages
to stderr.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-01-17 15:47:00 +01:00
Robbie Harwood
df6a89be51 Fix several leaks in ipadb_find_principal
`vals` is often leaked during early exit.  Refactor function to use a
single exit path to prevent this.

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-01-15 10:00:08 +01:00
Robbie Harwood
ab4e910c52 Use separate variable for client fetch in kdcpolicy
`client` is not intended to be modified as a parameter of the AS check
function.  Fixes an "incompatible pointer type" compiler warning.

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-01-15 10:00:08 +01:00
Robbie Harwood
3ccf73bfd6 Make the coding style explicit
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-01-15 10:00:08 +01:00
Florence Blanc-Renaud
ae140ae406 ipatests: fix backup and restore
The tests for backup_and_restore check that the ipa-backup command
compresses the tar file AFTER restarting IPA services by reading the
output and looking for a pattern with "gzip" before "Starting IPA service."

As the tar file name is randomly created, it sometimes happen that the
name contains gzip and in this case the test wrongly assumes that
the gzip cmd was called.

The fix makes a stricter comparison, looking for /bin/gzip.

Fixes: https://pagure.io/freeipa/issue/8170
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-01-14 16:27:50 -05:00
Rob Crittenden
b5b9efeb57 Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit
A "cookie" is used with certmonger to track the state of a
request across multiple requests to a CA (in ca-cookie). This
is used with the certmonger POLL operation to submit a request
to the CA for the status of a certificate request. This, along
with the profile, are passed to the certmonger CA helper
scripts via environment variables when a request is made. It is
cleared from the certmonger request once the certificate is
issued.

This CA helper can do a number of things:

- SUBMIT new certicate requests (including the CA)
- POLL for status of an existing certificate request
- For non renewal masters, POLL to see if an updated cert is in
  LDAP

A POLL operation requires a cookie so that the state about the
request can be passed to the CA. For the case of retrieving an
updated cert from LDAP there is no state to maintain. It just
checks LDAP and returns either a cert or WAIT_WITH_DELAY if one
is not yet available.

There are two kinds of cookies in operation here:
1. The CERTMONGER_CA_COOKIE environment variable passed via
   certmonger to this helper which is a JSON object.
2. The cookie value within the JSON object which contains the
   URL to be passed to dogtag.

For the purposes of clarity "cookie" here is the value within
the JSON.

The CERTMONGER_CA_COOKIE is deconstructed and reconstructed as
the request is processed, doing double duty. It initially comes
in as a JSON dict object with two keys: profile and cookie.
In call_handler the CERTMONGER_CA_COOKIE is decomposed into a
python object and the profile compared to the requested profile
(and request rejected if they don't match) and the cookie key
overrides the CERTMONGER_CA_COOKIE environment variable. This is
then reversed at the end of the request when it again becomes a
JSON object containing the profile and cookie.

This script was previously enforcing that a cookie be available on
all POLL requests, whether it is actually required or not. This
patch relaxes that requirement.

The first request of a non-renewal master for an updated certicate
from LDAP is a SUBMIT operation. This is significant because it
doesn't require a cookie: there is no state on a new request. If
there is no updated cert in LDAP then the tracking request goes
into the CA_WORKING state and certmonger will wait 8 hours (as
returned by this script) and try again.

Subsequent requests are done using POLL. This required a cookie
so all such requests would fail with the ca-error
Invalid cookie: u'' as it was empty (because there is no state).

There is no need to fail early on a missing cookie. Enforcement
will be done later if needed (and it isn't always needed). So
if CERTMONGER_CA_COOKIE is an empty string then generate a new
CERTMONGER_CA_COOKIE containing the requested profile and an empty
cookie. It still will fail if certmonger doesn't set a cookie at
all.

An example of a cookie when retrieving a new RA Agent certificate
is:

{"profile": "caServerCert", "cookie": "state=retrieve&requestId=20"}

This will result in this request to the CA:
[09/Jan/2020:14:29:54 -0500] "GET
/ca/ee/ca/displayCertFromRequest?requestId=20&importCert=true&xml=true
HTTP/1.1" 200 9857

For a renewal, the reconstructed cookie will consist of:

{"profile": "caServerCert", "cookie": ""}

https://pagure.io/freeipa/issue/8164

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-01-13 10:08:38 -05:00
Anuja More
f35738ef22 Add xmlrpc test with input validation check for kerberos ticket policy.
This checks that valid/invalid inputs for subtypes of
authentication indicator kerberos ticket policy options.

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-01-13 13:05:47 +01:00
Florence Blanc-Renaud
e2d69380fb AD user without override receive InternalServerError with API
When ipa commands are used by an Active Directory user that
does not have any idoverride-user set, they return the
following error message which can be misleading:
$ kinit aduser@ADDOMAIN.COM
$ ipa ping
ipa: ERROR: cannot connect to 'https://master.ipa.com/ipa/json': Internal Server Error

The fix properly handles ACIError exception received when
creating the context, and now the following message can be seen:

$ kinit aduser@ADDOMAIN.COM
$ ipa ping
ipa: ERROR: cannot connect to 'https://master.ipa.com/ipa/json': Unauthorized

with the following log in /var/log/httpd/error_log:
ipa: INFO: 401 Unauthorized: Insufficient access:  Invalid credentials

Fixes: https://pagure.io/freeipa/issue/8163
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2020-01-10 17:07:57 +01:00
François Cami
5fe8fc6298 ipatests: expect "Dynamic Update" and "Bind update policy" in default dnszone* output
Fix XMLRPC tests so that "Dynamic Update" and "Bind update policy"
can be displayed by default in many DNS commands' output.

Related to: https://pagure.io/freeipa/issue/7938
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-01-06 09:42:21 -05:00
François Cami
5b95d4cc50 ipaserver/plugins/dns.py: add "Dynamic Update" and "Bind update policy" to default dnszone* output
Displaying "Dynamic Update" and "Bind update policy" by default
when 'ipa dnszone-show/find' are used would make client dns update
failures easier to diagnose, so display them.

Fixes: https://pagure.io/freeipa/issue/7938
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-01-06 09:42:21 -05:00
Armando Neto
a22e873480 prci: update packages for rawhide nightly runs
This forces PR-CI to update the packages instead of using the versions
already included in the vagrant image.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-01-03 09:43:40 -03:00
Jayesh Garg
fb3c2c1402 Nightly definations commit
Signed-off-by: Jayesh Garg <jgarg@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2019-12-23 12:56:30 +01:00
Jayesh
ad3bf5042d Test for ipa-ca-install on replica
Test on replica for ipa-ca-install with options
--no-host-dns,--skip-schema-check,done changes in
ipatests/pytest_ipa/integration/tasks.py because
wants to pass few arguments to install_ca method

Signed-off-by: Jayesh <jgarg@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2019-12-23 12:56:30 +01:00
Anuja More
bfc998eae2 Fix fedora version for xfail for sssd test
Test was failing in nightly_PR for ipa-4.7
As https://pagure.io/SSSD/sssd/issue/3978 is not available on
fedora-29

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-12-23 10:21:25 +01:00
Anuja More
83ec9296a9 Add integration test for otp kerberos ticket policy.
This also exercises the Authentication Indicator Kerberos ticket
policy options by testing a otp indicator type.

Related: https://pagure.io/freeipa/issue/8001

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-12-20 16:29:30 +02:00
Jayesh
09a5192f25 Test ipa-getkeytab quiet mode, encryptons
This will first check ipa-getkeytab quiet mode,
then it will check ipa-getkeytab server name,
then it will check different type of encryptions

Signed-off-by: Jayesh <jgarg@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-12-20 16:17:42 +02:00
Fraser Tweedale
2a2cc96166 ipatests: add test for certinstall with notBefore in the future
Part of: https://pagure.io/freeipa/issue/8142

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-12-19 15:50:44 +01:00
Jayesh Garg
d7b3aafc63 Test if ipactl starts services stopped by systemctl
This will first check if all services are running then it will stop
few service. After that it will restart all services and then check
the status and pid of services.It will also compare pid after ipactl
start and restart in case of start it will remain unchanged on the
other hand in case of restart it will change.

Signed-off-by: Jayesh Garg <jgarg@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2019-12-18 18:48:36 +01:00
Alexander Bokovoy
2ed5eca762 Reset per-indicator Kerberos policy
When 'ipa krbtpolicy-reset' is called, we need to reset all policy
settings, including per-indicator ones. Per-indicator policy uses
subtyped attributes (foo;bar), the current krbtpolicy-reset code does
not deal with those.

Add support for per-indicator policy reset. It is a bit tricky, as we
need to drop the values to defaults but avoid adding non-per-indicator
variants of the same attributes.

Add test to check that policy has been resetted by observing a new
Kerberos TGT for the user after its policy reset.

Fixes: https://pagure.io/freeipa/issue/8153

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-12-18 14:16:33 +01:00
Gaurav Talreja
775bbb919a prci: bump template version for nightly_rawhide
New template is based on Fedora-Cloud-Base-Vagrant-Rawhide-20191201.n.0.x86_64.vagrant-libvirt.box

Template used : https://app.vagrantup.com/freeipa/boxes/ci-master-frawhide/versions/0.0.10

Tested at : https://github.com/freeipa-pr-ci2/freeipa/pull/94

Signed-off-by: Gaurav Talreja <gtalreja@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2019-12-17 15:53:31 -03:00
Fraser Tweedale
c4b0cf4d63 Fix test regressions caused by certificate validation changes
Some integration tests (that were enabled in nightly CI but not
PR-CI) are failing due to changes in the error messages.  Update the
error message assertions to get these tests going again.

Part of: https://pagure.io/freeipa/issue/8142

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-12-17 09:20:43 +01:00