Mark failing DL0 TestReplicaManageDel tests as xfail until
issue 7622 is fixed.
https://pagure.io/freeipa/issue/7622
Reviewed-By: Christian Heimes <cheimes@redhat.com>
THe ipa console command takes an optional filename argument. The
filename argument was broken, because the implementation passed a file
object to exec() instead of a string or compiled object.
ipa console now uses compile() to compile the code with print_function
__future__ feature.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Several test cases in test_installation pass, but are marked as xfail().
Only mark the actual failing tests as failed.
See: https://pagure.io/freeipa/issue/7613
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
With strict=True, xfail() fails when the test case passes unexpectably.
This allows us to spot passing tests that are expected to fail.
Fixes: https://pagure.io/freeipa/issue/7613
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
ipa-client-install --request-cert now waits until certmonger has
provided a host certificate. In case of an error, ipa-client-install no
longer pretents to success but fails with an error code.
The --request-cert option also ensures that certmonger is enabled and
running.
See: Fixes: https://pagure.io/freeipa/issue/7623
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Tune 389-DS replication settings to improve performance and avoid
timeouts. During installation of a replica, the value of
nsDS5ReplicaBindDnGroupCheckInterval is reduced to 2 seconds. At the end
of the installation, the value is increased sensible production
settings. This avoids long delays during replication.
See: https://pagure.io/freeipa/issue/7617
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Fix `ERROR 'str' object has no attribute 'decode'` when --zonemgr is
passed to ipa-server-install.
Solution copied from commit 75d26e1f01,
function `ipaserver.install.bindinstance.zonemgr_callback` duplicates
the behavior of the method affected by this patch.
Issue: https://pagure.io/freeipa/issue/7612
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Test more scenarios like replication replica -> master. Verify that master
and replica have all expected certs with correct trust flags and all keys.
See: https://pagure.io/freeipa/issue/7590
See: https://pagure.io/freeipa/issue/7589
Fixes: https://pagure.io/freeipa/issue/7611
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The test checks that custodia keys are properly
replicated from the source and are successfully
distributed amongst peer system upon successful
replica installation.
Fixes: https://pagure.io/freeipa/issue/7518
Signed-off-by: Nikhil Dehadrai <ndehadra@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Skip the existing reverse zone overlap check during DNS installation
when both --auto-reverse and --allow-zone-overlap arguments are
provided.
https://pagure.io/freeipa/issue/7239
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Allow callers to pass abitrary extra arguments to the installer.
This is useful when using a CALess installation in order to
speed up tests that require a full install but do not require
a full PKI.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add a test checking that ipa-client-install --mkhomedir
is properly enableing/starting oddjobd.
Related to:
https://pagure.io/freeipa/issue/7604
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This test checks if issuer DN is updated properly after CA is
renewed from self-signed to external-ca
related ticket: https://pagure.io/freeipa/issue/7316
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Replaced hardcoded issuer CN for external ca with constant
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
With shorter TTL, several named restarts are no longer necessary to make
tests pass. The test case TestZoneSigningWithoutNamedRestart is no
longer relevant, too.
Modification of the root zone and disabling/enabling signing still seems
to need a restart. I have marked those cases as TODO.
See: https://pagure.io/freeipa/issue/5348
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When running IPA tests, a default TTL for the zone should be set
very low to allow get rid of timeouts in the tests. Zone updates should
be propagated to the clients as soon as possible.
This is not something that should be used in production so the change is
done purely at install time within the tests. As zone information is
replicated, we only modify it when creating a master with integrated
DNS.
This change should fix a number of DNSSEC-related tests where default
TTL is longer than what a test expects and a change of DNSSEC keys
never gets noticed by the BIND. As result, DNSSEC tests never match
their expected output with what they received from the BIND.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Co-authored-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
DNSSEC tests starrted to fail again, probably due to a bug in
some underlaying component.
This reverts commit 8bc6775122
and makes the xfail test check less strict - it will no longer
mark the test suite red if it passes.
Run DNSSEC tests on PR-CI
Co-authored-by: Felipe Barreto <fbarreto@redhat.com>
Related https://pagure.io/freeipa/issue/5348
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Check for nsds5ReplicaReleaseTimeout option was set
relates to: https://pagure.io/freeipa/issue/7488
Reviewed-By: Christian Heimes <cheimes@redhat.com>
authselect needs to be configured with the 'with-sudo' feature (except
when ipa-client-install is called with the option --no-sudo).
https://pagure.io/freeipa/issue/7562
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The add was in effect replacing whatever data was already there
causing any custom order to be lost on each run of
ipa-server-upgrade.
https://pagure.io/freeipa/issue/6610
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The tests listed below are failing and we do not have time to debug them
and understand why. Adding xfail to keep it green.
TestInstallDNSSECLast::test_disable_reenable_signing_master
TestInstallDNSSECLast::test_disable_reenable_signing_replica
TestInstallDNSSECFirst::test_chain_of_trust
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When master is restored from backup and replica1 is re-initialize,
second replica installation was failing. The issue was with ipa-backup
tool which was not backing up the /etc/ipa/custodia/custodia.conf and
/etc/ipa/custodia/server.keys.
related ticket: https://pagure.io/freeipa/issue/7247
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
ipa-restore should validate the DM password before executing
the restoration. This adds two test cases:
1. Restore with a bad DM password
2. Restore with dirsrv down so password cannot be checked
Related: https://pagure.io/freeipa/issue/7136
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add a test for issue 7526: install a client with a bulk enrollment
password, enrolling to an externally-signed CA master.
Without the fix, the master does not publish the whole cert chain
in /usr/share/ipa/html/ca.crt. As the client installer downloads the
cert from this location, client installation fails.
With the fix, the whole cert chain is available and client installation
succeeds.
The test_external_ca.py::TestExternalCA now requires 1 replica and 1
client, updated .freeipa-pr-ci.yaml accordingly.
Also removed the annotation @tasks.collect_logs from test_external_ca
as it messes with test ordering (and the test collects logs even
without this annotation).
Related to:
https://pagure.io/freeipa/issue/7526
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The concensus in the review was that the name test_commands was
more generic than test_ipa_cli.
Add a test to change the password for sysaccount users using
using ldappasswd to confirm that a segfault fix does not regress.
https://pagure.io/freeipa/issue/7561
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Error response used to contain bytes instead of text, which triggered an
exception.
See: https://pagure.io/freeipa/issue/5923
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
ipa-advise config-fedora-authconfig produces a script with authconfig
instructions for configuring Fedora 18/19 client with IPA server
without use of SSSD. Fedora 18 and 19 are not supported any more,
so the plugin could be removed.
Resolves: https://pagure.io/freeipa/issue/7533
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
The reason why the test started to fail is probably commit be3ad1e where the checks
were reordered. TestLastServices relies on execution of tests in a specific order.
So it fails given that checks were changed but tests weren't.
Given that master is installed with DNS and CA and replica with anything and given
that checks in server-del command are in order: DNS, DNSSec, CA, KRA then the test
should be something like:
* install master (with DNS, CA)
* install replica
* test test_removal_of_master_raises_error_about_last_dns
* test_install_dns_on_replica1_and_dnssec_on_master (installing DNS and
DNSSec will allow DNSSec check)
* test_removal_of_master_raises_error_about_dnssec
* test_disable_dnssec_on_master (will allow CA check)
* test_removal_of_master_raises_error_about_last_ca
* test_forced_removal_of_master
https://pagure.io/freeipa/issue/7517
Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This test will setup a master and a replica, uninstall replica and check
for the replica RUVs on the master. It was missing the step of running
ipa-replica-manage del <replica hostname> to properly remove the RUVs.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
mod_ssl's limiting of client cert verification depth was causing
the replica installs to fail when master had been installed with
external CA since the SSLCACertificateFile was pointing to a file
with more than one certificate. This is caused by the default
SSLVerifyDepth value of 1. We set it to 5 as that should be
just about enough even for possible sub-CAs.
https://pagure.io/freeipa/issue/7530
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Currently, the test is skipped if the platform is fedora-like. The
decision to skip should rather be based on authselect command
availability (i.e. when ipaplatform.paths.paths.AUTHSELECT is None).
Related to
https://pagure.io/freeipa/issue/7377
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The test helper create_external_ca is useful to create an external root
CA and sign ipa.csr for external CA testing. I also moved the file into
ipatests top package to make the import shorter and to avoid an import
warning.
Usage:
ipa-server-install --external-ca ...
python3 -m ipatests.create_external_ca
ipa-server-install --external-cert-file=/tmp/rootca.pem \
--external-cert-file=/tmp/ipaca.pem
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
In Python 3, cryptography requires certificate data to be binary. Even
PEM encoded files are treated as binary content.
certmap-match and cert-find were loading certificates as text files. A
new BinaryFile type loads files as binary content.
Fixes: https://pagure.io/freeipa/issue/7520
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Scenario1: Setup external CA1 and install ipa-server with CA1.
Setup exteranal CA2 and renew ipa-server with CA2.
Get information to compare CA change for ca1 and CA2
it should show different Issuer between install
and renewal.
Scenario2: Renew CA Cert on Replica using ipa-cacert-manage
verify that replica is caRenewalMaster
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add new test for client and server installation when authselect tool
is used instead of authconfig
Related to
https://pagure.io/freeipa/issue/7377
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The test as it was, was testing the backup and restore based on previous
backups and restore, not with an actual installation.
Now, with a clear setup for each test, the test mentioned above will not
fail to do a lookup (using the host command, in check_dns method) for
the master domain.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Test ecxpects auto-detection of trust type, Windows Server 2016 doesn't have
support for MFU/NIS (SFU - Services for Unix), so auto detection doesn't work
Fix is to pass extra arguments to the trust-add command,
such as --range-type="ipa-ad-trust-posix" to enforce a particular range type
https://pagure.io/freeipa/issue/7508
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
File : ipatests/test_integration/test_external_ca.py
Scenario1: Manual renew external CA cert with invalid file
when ipa-server is installed with external-ca
and renew with invalid cert file the renewal
should fail.
Scenario2: install CA cert manually
Install ipa-server. Create rootCA, using
ipa-cacert-manage install option install
new cert from RootCA
Signed-off-by: Anuja More <amore@redhat.com>
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The full chain is not required by mod_ssl.
https://pagure.io/freeipa/issue/7489
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
This is related to change in certutil which does a cwd
to the location of the NSS database. certutil is used as part
of loading a PKCS#12 file to do validation.
https://pagure.io/freeipa/issue/7489
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
Add absolute_import from __future__ so that pylint
does not fail and to achieve python3 behavior in
python2.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Delete code related to NTP checks.
As we migrated to chronyd and IPA server is not NTP server anymore
https://pagure.io/freeipa/issue/7499
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
test_ipap11helper no longer changes directory for the entire test suite.
The fix revealed a bug in another test suite. test_secrets now uses a
proper temporary directory.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
These tests are all skipped if there is no YAML configuration
file passed but the teardown method is always called and since
there is a reference to the Config object this blows up if just
ipa-run-tests is executed.
Look at the config and break out if no domains are set.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
test_topology_updated_on_replica_install_remove from the beginning used
invalid sequence of commands for removing a replica.
Proper order is:
master$ ipa server-del $REPLICA
replica$ ipa-server-install --uninstall
Alternatively usage of `ipa-replica-manage del $replica` instead of
`ipa server-del $replica` is possible. In essence ipa-replica-manage
calls the server-del command.
At some point there was a plan to achieve uninstalation only through
`ipa-server-install --uninstall` but that was never achieved to this
date.
This change also removes the ugly wrapper which makes test collection
fail if no environment config is provided (i.e. replicas cannot be
indexed).
$ pytest --collect-test ipatests/test_integration
https://pagure.io/freeipa/issue/6250
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The pki debug log has its name in this format: debug.<date>.log. This commit
changes the code to use this format, fixing the test.
Unfortunately, it's not possible to use some kind of regex (like debug.*.log)
to get the file, because python multihost gets the path and tries to open
(using the "open" python function) the file with that.
https://pagure.io/freeipa/issue/7095
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
