Commit Graph

64 Commits

Author SHA1 Message Date
Rob Crittenden
b842b825ab Make the schema cache TTL user-configurable
The API schema is not checked for changes until after a TTL
is expired. A one-hour TTL was hardcoded which makes development
tedious because the only way to force a schema update is to
remember to remove files between invocations.

This adds a new environment variable, schema_ttl, to configure
the TTL returned by the server to schema() calls. This can be
set low to ensure a frequent refresh during development.

If the client is in compat mode, that is if client is working
against a server that doesn't support the schema() command,
then use the client's schema_ttl instead so that the user still
has control.

Re-check validity before writing the cache. This saves us both
a disk write and the possibility of updating the expiration
with a ttl of 0. This can happen if the fingerprint is still
valid (not expired, no language change) the schema check is
skipped so we have no server-provided ttl.

https://pagure.io/freeipa/issue/8492

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-11-03 10:59:10 +01:00
Christian Heimes
80794f6b5e Make tab completion in console more useful
tab completion and dir() now show registered plugins in API name spaces.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-07-07 12:36:10 +02:00
Stanislav Levin
fec66942d4 pytest: Migrate unittest/nose to Pytest fixtures
Even though Pytest supports xunit style setups, unittest and nose
tests, this support is limited and may be dropped in the future
releases. Worst of all is that the mixing of various test
frameworks results in weird conflicts and of course, is not widely
tested.

This is a part of work to remove the mixing of test idioms in the
IPA's test suite:
1) replace unittest.TestCase subclasses
2) replace unittest test controls (SkipTest, fail, etc.)
3) replace unittest assertions

Related: https://pagure.io/freeipa/issue/7989
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-02-12 18:08:32 +02:00
Stanislav Levin
292d686c0b pytest: Migrate xunit-style setups to Pytest fixtures
Even though Pytest supports xunit style setups, unittest and nose
tests, this support is limited and may be dropped in the future
releases. Worst of all is that the mixing of various test
frameworks results in weird conflicts and of course, is not widely
tested.

This is a part of work to remove the mixing of test idioms in the
IPA's test suite:
1) replace xunit style
2) employ the fixtures' interdependencies

Related: https://pagure.io/freeipa/issue/7989
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-02-12 18:08:32 +02:00
Jayesh
09a5192f25 Test ipa-getkeytab quiet mode, encryptons
This will first check ipa-getkeytab quiet mode,
then it will check ipa-getkeytab server name,
then it will check different type of encryptions

Signed-off-by: Jayesh <jgarg@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-12-20 16:17:42 +02:00
Christian Heimes
0fc4b8c25c Fix wrong use of identity operation
Strings should not be compared with the identity operation 'is' or
'is not'.

Fixes: https://pagure.io/freeipa/issue/8057
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-09-04 10:30:07 +02:00
Rob Crittenden
cef4edd384 Fix expected return code in tests when server is uninstalled
It is likely that these were fixed by the original change
b96906156b but was uncaught because
these tests are not executed in CI because the server is configured.

https://pagure.io/freeipa/issue/7836

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-06-07 11:24:45 +02:00
Alexander Bokovoy
a9bcf531a6 ipa-pwd-extop: do not remove MagicRegen mod, replace it
In 2012, ldbm backend in 389-ds started checking entry modification
after running betxnpreop plugins by comparing a number of modifications
before and after. If that number didn't change, it is considered that
plugins didn't modify the list.

ipa-pwd-extop actually removed and re-added modification to ipaNTHash if
it contained 'MagicRegen' value. This did not work since commit
https://pagure.io/389-ds-base/c/6c17ec56076d34540929acbcf2f3e65534060a43
but we were lucky nothing in FreeIPA code actually relied on that except
some code paths in ipasam Samba passdb driver. However, Samba didn't
reach the point where the code was triggered -- until now.

With support to run Samba as a domain member in IPA domain, that code
path is triggered for Kerberos service principals of domain members
(cifs/client.example.test, ...) and NT hash extraction from Kerberos
keys does not work.

Fix ipa-pwd-extop to follow recommendations in
https://pagure.io/389-ds-base/issue/387#comment-120145 and
https://pagure.io/389-ds-base/issue/50369#comment-570696

Fixes: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-28 09:55:51 +03:00
Alexander Bokovoy
46234f0cb9 test_ipagetkeytab: test retrieval of explicit encryption types
In order to test a fix for https://pagure.io/freeipa/issue/7953,
we need to create a keytab with a particular encryption type
(arcfour-hmac) and attempt to request generation of ipaNTHash attribute
from Kerberos keys in LDAP.

Add a test case that performs this operation.

Related: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-28 09:55:51 +03:00
Alexander Bokovoy
0f891c6a3f test_ipagetkeytab: factor out DM password reader
Related: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-28 09:55:51 +03:00
Alexander Bokovoy
6163cbc166 test_ipagetkeytab: allow testing LDAP connection beyond bind operation
Convert use_keytab() function into a context manager to allow additional
operations to be done as part of the test. Also pass proper credentials
cache file to the backend while connecting to LDAP so that right creds
are in use.

This is required to perform actual tests for use of the retrieved keys.

Related: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-28 09:55:51 +03:00
Florence Blanc-Renaud
4e3a64f703 Test: add new tests for ipa-crlgen-manage
Add new integration tests for the new command ipa-crlgen-manage,
and test_cmdline tests.

Related to: https://pagure.io/freeipa/issue/5803

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2019-03-14 09:39:55 +01:00
Christian Heimes
53e0b2255d ipa-getkeytab: resolve symlink
Resolve one level of symbolic links to support a dangling symlink as
keytab target. To prevent symlink attacks, only resolve symlink when the
symlink is owned by the current effective user and group, or by root.

Fixes: https://pagure.io/freeipa/issue/4607
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-01-30 08:06:02 +01:00
Christian Heimes
85286beb5b Address inconsistent-return-statements
Pylint warns about inconsistent return statements when some paths of a
function return None implicitly. Make all implicit returns either
explicit or raise a proper exception.

See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 13:37:58 +01:00
Christian Heimes
e569afb04e Fix test_cli_fsencoding on Python 3.7, take 2
0a5a7bdef7 introduced another problem. The
test is now failing on systems without a full IPA client or server
installation. Use IPA_CONFDIR env var to override location of
default.conf, so that the command always fails.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-11-08 16:03:21 +01:00
Christian Heimes
0a5a7bdef7 Fix test_cli_fsencoding on Python 3.7
Starting with Python 3.7, PEP 538 addresses the locale issue. Python now
supports UTF-8 file system encoding with non-UTF-8 C locale.

See: https://docs.python.org/3/whatsnew/3.7.html#whatsnew37-pep538
See: https://pagure.io/freeipa/issue/5887
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-07 13:11:48 +01:00
Christian Heimes
15d5e44ee8 Py3: Replace six.moves imports
Replace six.moves and six.StringIO/BytesIO imports with cannonical
Python 3 packages.

Note: six.moves.input behaves differently than builtin input function.
Therefore I left six.moves.input for now.

See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-10-05 12:06:19 +02:00
Christian Heimes
b431e9b684 Py3: Remove subclassing from object
Python 2 had old style and new style classes. Python 3 has only new
style classes. There is no point to subclass from object any more.

See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-09-27 11:49:04 +02:00
Florence Blanc-Renaud
10c6258929 Test: test ipa-* commands when IPA is not configured
Add a test checking that ipa-* commands properly display
'IPA is not configured on this system' when called on a
system without IPA.

Related to: https://pagure.io/freeipa/issue/6261

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-08-23 12:08:45 +02:00
Christian Heimes
c925b44f43 Load certificate files as binary data
In Python 3, cryptography requires certificate data to be binary. Even
PEM encoded files are treated as binary content.

certmap-match and cert-find were loading certificates as text files. A
new BinaryFile type loads files as binary content.

Fixes: https://pagure.io/freeipa/issue/7520
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-04-30 20:42:00 +02:00
Stanislav Laznicka
b5bdd07bc5
Add absolute_import future imports
Add absolute_import from __future__ so that pylint
does not fail and to achieve python3 behavior in
python2.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-04-20 09:43:37 +02:00
Michal Reznik
23d729e0de test_help: test "help" command without cache
This test case addresses upsteam ticket #6999, where "ipa help"
does not work if called when no schema is cached.

https://pagure.io/freeipa/issue/7325

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-19 14:03:24 +01:00
Christian Heimes
d7426ccbe7 Replace nose with unittest and pytest
* Replace raise nose.SkipTest with raise unittest.SkipTest
* Replace nose.tools.assert_equal(a, b) with assert a == b
* Replace nose.tools.raises with pytest.raises
* Convert @raises decorator to pytest.raises() but just for relevant
  lines.
* Remove nose dependency

I left the nose_compat pytest plugin in place. It can be removed in
another request in case it is no longer used.

https://pagure.io/freeipa/issue/7301

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-12-12 16:16:58 +01:00
Christian Heimes
b98f9b46de Add marker needs_ipaapi and option to skip tests
The new marker needs_ipaapi is used to mark tests that needs an
initialized API (ipalib.api) or some sort of other API services (running
LDAP server) to work. Some packages use api.Command or api.Backend on
module level. They are not marked but rather skipped entirely.

A new option ``skip-ipaapi`` is added to skip all API based tests. With
the option, only simple unit tests are executed. As of now, freeIPA
contains more than 500 unit tests that can be executed in about 5
seconds.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-12-11 20:40:06 +01:00
Christian Heimes
e1bd827bbf Require UTF-8 fs encoding
http://blog.dscpl.com.au/2014/09/setting-lang-and-lcall-when-using.html

https://pagure.io/freeipa/issue/5887

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-11-21 16:13:28 +01:00
Christian Heimes
dd6b72e418 pytest 3.x compatibility
pytest 3.x does no longer support plain pytest.skip() on module level.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-27 18:03:14 +02:00
Christian Heimes
fd1b4f6ec9 Add options to run only ipaclient unittests
A new option for ipa-run-tests makes the test runner ignore
subdirectories or skips tests that depend on the ipaserver package or on
a running framework for RPC integration tests. The new option enables
testing of client-only builds.

$ ipatests/ipa-run-tests --ipaclient-unittests
...
platform linux2 -- Python 2.7.13, pytest-2.9.2, py-1.4.32, pluggy-0.3.1
rootdir: /home/heimes/redhat, inifile: tox.ini
plugins: sourceorder-0.5, cov-2.3.0, betamax-0.7.1, multihost-1.1
collected 451 items

test_util.py ........
util.py ..
test_ipaclient/test_csrgen.py ..............ssss...
test_ipalib/test_aci.py ...................
test_ipalib/test_backend.py ........
test_ipalib/test_base.py ...............
test_ipalib/test_capabilities.py .
test_ipalib/test_cli.py ...
test_ipalib/test_config.py ...............
test_ipalib/test_crud.py ...............
test_ipalib/test_errors.py .......
test_ipalib/test_frontend.py ........................................
test_ipalib/test_messages.py ....
test_ipalib/test_output.py ...
test_ipalib/test_parameters.py .............................................................
test_ipalib/test_plugable.py ........
test_ipalib/test_rpc.py ......ssssssss
test_ipalib/test_text.py .............................
test_ipalib/test_x509.py ...
test_ipapython/test_cookie.py ............
test_ipapython/test_dn.py ...........................
test_ipapython/test_ipautil.py ..................................................................
test_ipapython/test_ipavalidate.py ..........
test_ipapython/test_kerberos.py ..............
test_ipapython/test_keyring.py ..........
test_ipapython/test_ssh.py ...............................
test_pkcs10/test_pkcs10.py .....

https://fedorahosted.org/freeipa/ticket/6517

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-03-17 15:02:13 +01:00
Abhijeet Kasurde
b3c41f21e5 Add fix for ipa plugins command
Fix adds count of plugins loaded to return dict

Fixes https://fedorahosted.org/freeipa/ticket/6513

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-02-17 10:22:07 +01:00
Martin Babinsky
3ecda74d14 test_ipagetkeytab: use system-wide IPA CA cert location in tests
Since /etc/ipa/ca.crt should be always present on the test runner, we should
use it in bind method tests and not rely on its presence in user conf dir.

https://fedorahosted.org/freeipa/ticket/6409

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-11-09 16:39:39 +01:00
Martin Babinsky
2725e440bf Extend keytab retrieval test suite to cover new options
All new retrieval methods are covered including testing for excluded option
combinations.

https://fedorahosted.org/freeipa/ticket/6409

Reviewed-By: Simo Sorce <ssorce@redhat.com>
2016-11-08 17:02:44 +01:00
Martin Babinsky
8480d0e333 Modernize ipa-getkeytab test suite
The test suite is now leveraging host/service tracker objects as test case
fixture, removing much of ad-hoc setup/teardown.

https://fedorahosted.org/freeipa/ticket/6409

Reviewed-By: Simo Sorce <ssorce@redhat.com>
2016-11-08 17:02:44 +01:00
Martin Basti
9d83be3647 Remove unused variables in tests
This commit removes or marks unused variables as "expected to be unused"
by using '_' prefix.

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-27 13:35:58 +02:00
Martin Basti
866e59bdce Tests: extend DNS cmdline tests with lowercased record type
https://fedorahosted.org/freeipa/ticket/6203

Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
2016-09-08 17:30:29 +02:00
David Kupka
05878f1153 test: test_cli: Do not expect defaults in kwargs.
Client is no longer forwarding in arguments with default values to the server.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-06 19:53:59 +02:00
Jan Cholasta
6e44557b60 ipalib: move server-side plugins to ipaserver
Move the remaining plugin code from ipalib.plugins to ipaserver.plugins.

Remove the now unused ipalib.plugins package.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00
Jan Cholasta
56c66f44a0 rpc: specify connection options in API config
Specify RPC connection options once in API.bootstrap rather than in each
invocation of rpcclient.connect.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00
Jan Cholasta
ed4c2d9252 plugable: turn Plugin attributes into properties
Implement the `name`, `doc` and `summary` Plugin attributes as properties
to allow them to be overriden in sub-classes.

Always use .doc rather than .__doc__ to access plugin documentation.

Remove the mostly unused `module`, `fullname`, `bases` and `label`
attributes.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00
Petr Viktorin
200614872e tests: Use absolute imports
https://fedorahosted.org/freeipa/ticket/5638

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-02-17 10:41:29 +01:00
Martin Basti
e4075b1fe2 Remove unused imports
This patch removes unused imports, alse pylint has been configured to
check unused imports.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-12-23 07:59:22 +01:00
Milan Kubík
aa648bcedc ipatests: replace the test-example.com domain in tests
Latest DNS patches introduced checks for the added zones.
If a zone exists, the add fails if not forced. The domain
test-example.com is resolvable thus causing errors in the test.

Also adds missing __init__.py to the ipatests.test_cmdline package.

Reviewed-By: Oleg Fayans <ofayans@redhat.com>
2015-12-17 15:15:28 +01:00
Martin Basti
e1cb802d15 Tests: test_ipagetkeytab: fix assert that is always true
Fixes:
/usr/lib/python2.7/site-packages/ipatests/test_cmdline/test_ipagetkeytab.py:116:
SyntaxWarning: assertion is always true, perhaps remove parentheses?
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-12-14 14:22:30 +01:00
Petr Viktorin
099cf98307 Refactor ipautil.run
The ipautil.run function now returns an object with returncode and
output are accessible as attributes.

The stdout and stderr of all commands are logged (unless skip_output is given).

The stdout/stderr contents must be explicitly requested with a keyword
argument, otherwise they are None.
This is because in Python 3, the output needs to be decoded, and that can
fail if it's not decodable (human-readable) text.

The raw (bytes) output is always available from the result object,
as is "leniently" decoded output suitable for logging.

All calls are changed to reflect this.

A use of Popen in cainstance is changed to ipautil.run.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-12-14 10:54:23 +01:00
Milan Kubik
0a64e9bd70 Applied tier0 and tier1 marks on unit tests and xmlrpc tests
Web UI tests were marked as tier1 tests.

The tier system is intended to be used together with CI system
to make sure the more complicated tests are being run only
when all of the basic functionality is working.

The system is using pytest's marker system. E.g. an invocation of
all tier1 tests with listing will look like:

    $ py.test -v -m tier1 ipatests

or in case of out of tree tests:

    $ ipa-run-tests -m tier1

Reviewed-By: Ales 'alich' Marecek <amarecek@redhat.com>
2015-11-09 11:49:17 +01:00
Petr Viktorin
8a2b65a357 Fix more bytes/unicode issues
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-10-22 18:34:46 +02:00
Petr Viktorin
65e3b9edc6 Use six.Stringio instead of StringIO.StringIO
The StringIO class was moved to the io module.
(In Python 2, io.StringIO is available, but is Unicode-only.)

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-10-07 10:27:20 +02:00
Robert Kuska
01da4a8de3 Replace StandardError with Exception
StandardError was removed in Python3 and instead
Exception should be used.

Signed-off-by: Robert Kuska <rkuska@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-09-30 10:51:36 +02:00
Jan Cholasta
23507e6124 Alias "unicode" to "str" under Python 3
The six way of doing this is to replace all occurences of "unicode"
with "six.text_type". However, "unicode" is non-ambiguous and
(arguably) easier to read. Also, using it makes the patches smaller,
which should help with backporting.

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2015-09-17 11:08:43 +02:00
Michael Simacek
aad73fad60 Port from python-krbV to python-gssapi
python-krbV library is deprecated and doesn't work with python 3. Replacing all
it's usages with python-gssapi.

- Removed Backend.krb and KRB5_CCache classes
  They were wrappers around krbV classes that cannot really work without them
- Added few utility functions for querying GSSAPI credentials
  in krb_utils module. They provide replacements for KRB5_CCache.
- Merged two kinit_keytab functions
- Changed ldap plugin connection defaults to match ipaldap
- Unified getting default realm
  Using api.env.realm instead of krbV call

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-08-26 09:41:36 +02:00
Petr Viktorin
27dabb4528 Modernize 'except' clauses
The 'as' syntax works from Python 2 on, and Python 3 will
drop the "comma" syntax.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-08-12 18:17:23 +02:00
Tomas Babej
083c64eb70 tests: Version is currently generated during command call
In the previous versions, version in the response was generated
as part of the process_keyword_arguments method. This is no longer true,
and so the explicit check for it should be removed.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-22 11:11:32 +02:00