Since DNS configuration is no longer needed for running trust tests, this method's contents are removed. Method is left empty as reference for others, should they have issues with DNS configuration.
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Oleg Fayans <ofayans@redhat.com>
these tests cover various scenarios such as:
* trying to remove master that would disconnect topology in one of the
suffixes
* forcing master removal regardless of topology state before/after removal
* trying to remove last CA/DNS server/DNSSec key master
* forcing removal of the last DNSSec key master
https://fedorahosted.org/freeipa/ticket/5588
Reviewed-By: Martin Basti <mbasti@redhat.com>
After discussion with Martin Basti we decided to standardize on root_logger
with hope that one day we will use root_logger.getLogger('module')
to make logging prettier and tunable per module.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
A master can only be delegated a zone authority, if this zone contains A
records of the master and ALL replicas
https://fedorahosted.org/freeipa/ticket/5848
Reviewed-By: Martin Basti <mbasti@redhat.com>
A freshly created dnssec-enabled zone does not always display the signature
until you restart named-pkcs11. Added restarting of this service after each
dnssec-enabled zone.
https://fedorahosted.org/freeipa/ticket/5348
Reviewed-By: Martin Basti <mbasti@redhat.com>
Fixed a false negative related to replication taking some time: added
wait_for_replication call before checking for new object in replicas.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The following testcases were automated:
1. Test one command replica installation
2. Test csreplica-manage-(del, connect, disconnect) are disabled in domain
level 1
3. Client enrollment and replica promotion by an unprivileged user are
prohibited
4. Replica uninstallation is prohibited if it disconnects a part of existing
topology (is possible only with --ignore-topology-disconnect option)
https://fedorahosted.org/freeipa/ticket/5723
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
teardown_method is a standard pytest method used to put any code to be executed
after each test method is executed. While treated correctly by our integration
tests, this method is misinterpreted by in-tree tests in the following way:
in-tree tests try to execute it even if all the test methods are skipped due to
test resources being not configured. This causes the tests, that otherwise would
have been skipped, to fail
https://fedorahosted.org/freeipa/ticket/5723
Reviewed-By: Martin Basti <mbasti@redhat.com>
Test will use tasks methods instead of custom commands to be able work
with domain levels.
https://fedorahosted.org/freeipa/ticket/5606
Reviewed-By: Milan Kubik <mkubik@redhat.com>
authconfig in config_redhat_nss_ldap and config_redhat_nss_pam_ldapd got
new option --enableldaptls
It should have effect primarily on el5 systems.
https://fedorahosted.org/freeipa/ticket/5654
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Newer versions of sssd use native IPA schema to process sudo rules.
However, this schema currently has no support for hostmask-based rules
and causes some sudo CI tests to fail. We have to temporarily set
sssd.conf to use ou=sudoers,$SUFFIX as a sudo rule search base when
executing them.
https://fedorahosted.org/freeipa/ticket/5625
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Don't put any IPA certificates to /etc/pki/nssdb - IPA itself uses
/etc/ipa/nssdb and IPA CA certificates are provided to the system using
p11-kit. Remove leftovers on upgrade.
https://fedorahosted.org/freeipa/ticket/5592
Reviewed-By: David Kupka <dkupka@redhat.com>
If number of servers (master+replicas) is equal to 4 + SUM(1, n, 2^n*5) for
any n >= 0:
* every server has replication agreement with 2 - 4 other servers.
* at least two agreements must fail in order to disconnect the topology.
Otherwise there can be server(s) with single agreement on the edge of the
topology.
Reviewed-By: Milan Kubik <mkubik@redhat.com>
Explicitly specifying ip-address of the replica messes up with the current
bind-dyndb-ldap logic, causing reverse zone not to be created.
Enabled reverse-zone creation for the clients residing in different subnet from
master
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Without it any test comprized of more than one cycle of installing-uninstalling
of ipa would fail due to the fact that test folder on the remote machine gets
deleted during ipa uninstallation.
Also removed duplicate call of apply_common fixes and added unapply_fixes to
uninstall_replica
Reviewed-By: Martin Basti <mbasti@redhat.com>
Fixes the install invocation in the test to use domain and
realm correctly. Also makes the test aware of domain levels.
https://fedorahosted.org/freeipa/ticket/5605
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
In Python 3, the truncating division operator, //, is needed to
get C-style "int division".
https://fedorahosted.org/freeipa/ticket/5623
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
When resolv.conf is set to point to the master's ip before installation, the
ipa-server-install does not create a reverse zone for it's ip even despite
--auto-reverse option provided. The fix is not to mess around with resolv.conf
before master installation.
Reviewed-By: Petr Spacek <pspacek@redhat.com>
In DNSSEC tests the root zone has to be created, this requires to use
--skip-overlap-check to work properly.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Without realm provided explicitly, installation calculates it automatically
from the current hostname which may be inconsistent with the configured domain
name. Which, in turn, causes failures in integration tests in the lab.
Reviewed-By: Martin Basti <mbasti@redhat.com>
fix for https://fedorahosted.org/freeipa/ticket/4933 made ipa-dns-install to
use LDAPI and deprecated -p option for directory manager password. This patche
remove the option from calls to ipa-dns-install in CI tests so that
deprecation warning does not clutter the logs.
Reviewed-By: Milan Kubik <mkubik@redhat.com>
IPA sudo tests worked under the assumption that the clients
that are executing the sudo commands have their IPs assigned
within 255.255.255.0 hostmask.
Removes this (invalid) assumption and adds a
dynamic detection of the hostmask of the IPA client.
https://fedorahosted.org/freeipa/ticket/5501
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Oleg Fayans <ofayans@redhat.com>
Reviewed-By: Ales 'alich' Marecek <amarecek@redhat.com>
Test tests topologies listed bellow with and without CA on replicas:
star topology: 3 replicas
line topology: 3 replicas
complete topology: 3 replicas
Reviewed-By: Oleg Fayans <ofayans@redhat.com>
When creating an A record we used to provide full hostname as a record name,
while we should have provided only the first part of the hostname
https://fedorahosted.org/freeipa/ticket/5419
Reviewed-By: Martin Basti <mbasti@redhat.com>
As of 4.3 the replica installation is performed without preparing a gpg file on
master, but rather enrolling a future replica as a client with subsequent
promotion of the client. This required the corresponding change in the
integration tests
https://fedorahosted.org/freeipa/ticket/5379
Reviewed-By: Martin Basti <mbasti@redhat.com>
In some cases replication may take much more time than we expected. This
patch adds explicit cech if DS records has been replicated.
Reviewed-By: Petr Spacek <pspacek@redhat.com>
The StringIO class was moved to the io module.
(In Python 2, io.StringIO is available, but is Unicode-only.)
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
For the duration of the test, makes resolv.conf unmanaged.
If NetworkManager is not running, nothing is changed.
https://fedorahosted.org/freeipa/ticket/5331
Reviewed-By: Martin Basti <mbasti@redhat.com>
In FreeIPA CI-tests the install_master task automatically performs kinit after
successfull installation. This may break some backup/restore tests which
perform backup into previously installed IPA master. In this case it is
neccessary to re-kinit after restore.
https://fedorahosted.org/freeipa/ticket/5326
Reviewed-By: Martin Basti <mbasti@redhat.com>
In beaker lab the situation when master and replica have ip addresses from
different subnets is quite frequent. When a replica has ip from different
subnet than master's, ipa-replica-prepare looks up a proper reverse zone to
add a pointer record, and if it does not find it, it asks a user for permission
to create it automatically. It breaks the tests adding the unexpected input.
The workaround is to always create a reverse zone for a new replica.
Corresponding ticket is https://fedorahosted.org/freeipa/ticket/5306
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
In Python 3, `print` is no longer a statement. Call it as a function
everywhere, and include the future import to remove the statement
in Python 2 code as well.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In Python 2, map() returns a list; in Python 3 it returns an iterator.
Replace all uses by list comprehensions, generators, or for loops,
as required.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In Python 3, filter() returns an iterator.
Use list comprehensions instead.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The patch fixes bug in the construction of ipa-replica-install arguments in
test_integration/tasks.install_replica. Due to this bug the replica
installation during certain integration tests involved CA setup even when
setup_ca was set to False.
Reviewed-By: Milan Kubik <mkubik@redhat.com>
Replace setUp()/tearDown() methods with a pytest.fixture for proper client
setup/teardown during test_forced_client_reenrollment
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
Tests:
* install master, replica, then instal DNSSEC on master
* test if zone is signed (added on master)
* test if zone is signed (added on replica)
* install master with DNSSEC, then install replica
* test if root zone is signed
* add zone, verify signatures using our root zone
https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: Milan Kubik <mkubik@redhat.com>
- Add test for invalid run of the ipa-advise command
- Add tests for valid runs of the ipa-advise command
https://fedorahosted.org/freeipa/ticket/4029
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Drop support for pylint < 1.0
Enable ignoring unknown attributes on modules (both nose and pytest
use advanced techniques, support for which only made it to pylint
recently)
Fix some bugs revealed by pylint
Do minor refactoring or add pylint:disable directives where the
linter complains.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The plugin to run tests within a class in the order they're defined
in the source was split into a separate project.
Use this project instead of a FreeIPA-specific copy.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Multihost object was is not passed to the install method in the super construction.
This fixes setup errors in AD Trust, Forced client reenrollment, CALess and Sudo
tests.
https://fedorahosted.org/freeipa/ticket/4809
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
The core integration testing functionality was split into a separate
project. Use this project, and configure it for FreeIPA.
The "mh" (multihost) fixture is made available for integration tests.
Configuration based on environment variables is moved into a separate
module, to ease eventual deprecation.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Move the IPA-specific log collection out of the Beakerlib plugin.
Add the --logfile-dir option to tests and ipa-test-task, so that logs
can be collected even if BeakerLib is not used.
https://fedorahosted.org/freeipa/ticket/4610
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The hack of storing the config on the class is left in;
it would be too much work for too little gain at this time.
https://fedorahosted.org/freeipa/ticket/4610
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The setUp/dearDown names are used in the unittest module, but there is no reason
to use them in non-`unittest` test cases.
Nose supports both styles (but mixing them can cause trouble when
calling super()'s methods).
Pytest only supports the new ones.
https://fedorahosted.org/freeipa/ticket/4610
Reviewed-By: Tomas Babej <tbabej@redhat.com>
IPA uses both named and named-pkcs11 service.
If named is masked use named-pkcs11, instead of raising exception
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
SSSD does not support sudo rules for local users;
these should be added in a local sudoers file.
https://fedorahosted.org/freeipa/ticket/4608
Reviewed-By: Martin Kosek <mkosek@redhat.com>
The --*_pkcs12 options of ipa-server-install and ipa-replica-prepare have
been replaced by --*-cert-file options which accept multiple files.
ipa-server-certinstall now accepts multiple files as well. The files are
accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and
raw private key and PKCS#12 formats.
The --root-ca-file option of ipa-server-install has been replaced by
--ca-cert-file option which accepts multiple files. The files are
accepted in PEM and DER certificate and PKCS#7 certificate chain formats.
The --*_pin options of ipa-server-install and ipa-replica-prepare have been
renamed to --*-pin.
https://fedorahosted.org/freeipa/ticket/4489
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
The --external_cert_file and --external_ca_file options of ipa-server-install
and ipa-ca-install have been replaced by --external-cert-file option which
accepts multiple files. The files are accepted in PEM and DER certificate and
PKCS#7 certificate chain formats.
https://fedorahosted.org/freeipa/ticket/4480
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Adds an integration tests that checks that all trustdomains are
able to be found by trustdomain-find command right after the
trust has been established.
Also moves some code to allow easier adding common test cases for
both POSIX and non-POSIX test classes.
https://fedorahosted.org/freeipa/ticket/4208
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Properly configure forwarders to the AD zone with respect to
newly created ipa dnsforwardzone commands.
https://fedorahosted.org/freeipa/ticket/4401
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Makes sure sudorules behave correctly both when adding new entries
with corresponding category set to ALL, and when setting the
category to all when corresponding entries exist.
The only exception of deny commands with cmdcategory ALL is
covered as well.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Covers functionality of external entries for:
* users
* runAsUsers
* groups of RunAsUsers
* runAsGroups
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
In legacy client integration test, the test cases that query information
from subdomain about subdomain users and group expected subdomain
users and groups to have the UIDs/GIDs as users and groups in the root
domain.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
When creating a BaseHost instance, the machine's hostname was
reconfigured to have the same shortname prepended the domain name
of the domain where it was defined.
However, it makes sense in certain use cases to define hosts
that have hostnames other than belonging directly in the domain
they were defined in.
Treat input hostnames with trailing dots as static FQDNs that
will not be changed by the name of the domain they were defined in.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
When serial numbers were generated with $RANDOM, there
could be collisions.
Use sequential numbers instead.
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
In test_trust.py, several tests did case sensitive search on the output of
the ipa idrange-show command. This could cause false negatives.
Part of: https://fedorahosted.org/freeipa/ticket/4267
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Information from the AD about the home directories is not leveraged at
all, but is generated from the username and domain. Fix the assumptions
in the tests.
Also changes 'Subdomain Test User' to 'Subdomaintest User' to be more
consistent.
https://fedorahosted.org/freeipa/ticket/4184
Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
If the test backup directory was never created (for example if
there was an early failure, or install was never run),
we don't want the test to fail.
Do not restore if the backup dir is not there.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
