Commit Graph

329 Commits

Author SHA1 Message Date
Martin Basti
5de70e3199 py3: tests_xmlrpc: do not call str() on bytes
Calling str() on bytes causes undesired side effect: it adds prefix "b"
to the result of conversion. The method decode() should be used instead.

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-02-02 13:43:16 +01:00
Ganna Kaihorodova
91c050b4e0 User Tracker: Test to create user with minimal values
Test to create user with minimal values, where uid is not specified

https://fedorahosted.org/freeipa/ticket/6126

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
2017-01-19 17:39:08 +01:00
Ganna Kaihorodova
fa7aaef1de User Tracker: creation of user with minimal values
Fix provide possibility to create user-add test with minimal values,
where uid is not specified, to provide better coverage. Also provide
check for non-empty unicode string for attributes required in init method

https://fedorahosted.org/freeipa/ticket/6126

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
2017-01-19 17:39:08 +01:00
Ganna Kaihorodova
c391f6ba58 Stage User: Test to create stage user with minimal values
Test to create stage user with minimal values, where uid is not specified

https://fedorahosted.org/freeipa/ticket/6448

Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-01-19 17:36:46 +01:00
Ganna Kaihorodova
a336de630e Tests: Stage User Tracker implementation
Fix provide possibility of creation stage user with minimal values,
with uid not specified and check for non-empty unicode string
for attributes requested in init method

https://fedorahosted.org/freeipa/ticket/6448

Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-01-19 17:36:46 +01:00
Stanislav Laznicka
721105c53d Generate sha256 ssh pubkey fingerprints for hosts
Replace md5 with sha256 for host ssh pubkey fingerprints

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-01-12 11:09:46 +01:00
Fraser Tweedale
bdbb1c34a2 Remove "Request Certificate with SubjectAltName" permission
subjectAltName is required or relevant in most certificate use cases
(esp. TLS, where carrying DNS name in Subject DN CN attribute is
deprecated).  Therefore it does not really make sense to have a
special permission for this, over and above "request certificate"
permission.

Furthermore, we already do rigorously validate SAN contents again
the subject principal, and the permission is waived for self-service
requests or if the operator is a host principal.

So remove the permission, the associated virtual operation, and the
associated code in cert_request.

Fixes: https://fedorahosted.org/freeipa/ticket/6526
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-12-21 17:04:18 +01:00
David Kupka
b1a20599c4 tests: Expect krbpwdpolicyreference in result of {host,service}-{find,show} --all
Result of {host,service}-{find,show} commands with option '--all' always contains
krbpwpolicyreference attributes.

https://fedorahosted.org/freeipa/ticket/6561

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-12-14 17:46:12 +01:00
Fraser Tweedale
32b1743e5f Add options to write lightweight CA cert or chain to file
Administrators need a way to retrieve the certificate or certificate
chain of an IPA-managed lightweight CA.  Add params to the `ca'
object for carrying the CA certificate and chain (as multiple DER
values).  Add the `--chain' flag for including the chain in the
result (chain is also included with `--all').  Add the
`--certificate-out' option for writing the certificate to a file (or
the chain, if `--chain' was given).

Fixes: https://fedorahosted.org/freeipa/ticket/6178
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-12-12 13:03:15 +01:00
Fraser Tweedale
dfbdb53238 cert-request: match names against principal aliases
Currently we do not check Kerberos principal aliases when validating
a CSR.  Enhance cert-request to accept the following scenarios:

- for hosts and services: CN and SAN dnsNames match a principal
  alias (realm and service name must be same as nominated principal)

- for all principal types: UPN or KRB5PrincipalName othername match
  any principal alias.

Fixes: https://fedorahosted.org/freeipa/ticket/6295
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2016-12-06 16:13:45 +01:00
Oleg Fayans
452dc97aba tests: Added basic tests for certs in idoverrides
https://fedorahosted.org/freeipa/ticket/6412

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2016-11-29 18:30:44 +01:00
Oleg Fayans
ccd3677b50 Created idview tracker
Needed for basic certs in idoverrides tests

https://fedorahosted.org/freeipa/ticket/6412

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2016-11-29 18:30:44 +01:00
Christian Heimes
7fef9cbec7 Fix Python 3 bugs discovered by pylint
In Python 3 exception instances no longer have a message attribute.
For most exceptions, str(e) or string formatting give the same result.

Fix some renamed modules, module members and functions.

https://fedorahosted.org/freeipa/ticket/4985

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-25 16:18:22 +01:00
Lenka Doudova
4b3bd54242 Document make_delete_command method in UserTracker
https://fedorahosted.org/freeipa/ticket/6485

Reviewed-By: Milan Kubik <mkubik@redhat.com>
2016-11-15 17:02:13 +01:00
Lenka Doudova
414ed0d182 Tests: Verify that validity info is present in cert-show and cert-find command
https://fedorahosted.org/freeipa/ticket/6419

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-14 17:30:47 +01:00
Martin Babinsky
8480d0e333 Modernize ipa-getkeytab test suite
The test suite is now leveraging host/service tracker objects as test case
fixture, removing much of ad-hoc setup/teardown.

https://fedorahosted.org/freeipa/ticket/6409

Reviewed-By: Simo Sorce <ssorce@redhat.com>
2016-11-08 17:02:44 +01:00
Lenka Doudova
42d1a06bd1 Tests: Verify that cert commands show CA without --all
Verify that command cert-find, cert-show and cert-request show CA even without
--all.

https://fedorahosted.org/freeipa/ticket/6410

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-10-26 16:53:27 +02:00
Ganna Kaihorodova
9b0b970733 Unaccessible variable self.attrs in Tracker
In tracker, 'self.attrs' variable is created and filled in track_create method.
Some objects are not created but still require access to this variable.
Created 'self.attrs' variable in init

https://fedorahosted.org/freeipa/ticket/6125

Reviewed-By: Milan Kubik <mkubik@redhat.com>
2016-10-25 14:09:14 +02:00
Lenka Doudova
8f04d1a793 Tests: Certificate revocation
Providing tests for certificate revocation to replace deleted tests from
test_cert_find.

https://fedorahosted.org/freeipa/ticket/6349

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-10-12 10:45:16 +02:00
Lenka Doudova
c9c92e3a7f Tests: Remove invalid certplugin tests
A bunch of certplugin tests were testing number of revoked certificates with
various revocation reasons. Since existence of revoked certificates often
depends on other parts of IdM than IPA, it is not really valid to check their
presence unless creation of revoked certificate is intentionally tested.

https://fedorahosted.org/freeipa/ticket/6349

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-10-12 10:45:16 +02:00
Martin Babinsky
29829cc55a remove trailing newlines form python modules
pylint-1.6.4-1.fc26.noarch reports these, hence they should be fixed in order
to build FreeIPA with this version

https://fedorahosted.org/freeipa/ticket/6391

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-12 10:38:52 +02:00
Petr Spacek
8683cbf124 Tests: print what was expected from callables in xmlrpc_tests
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-11 16:52:37 +02:00
Petr Spacek
f363dfbeed DNS: Support URI resource record type
https://fedorahosted.org/freeipa/ticket/6344

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-11 16:48:47 +02:00
Lenka Doudova
74e52e8686 Tests: Remove silent deleting and creating entries by tracker
https://fedorahosted.org/freeipa/ticket/6123

Reviewed-By: Milan Kubik <mkubik@redhat.com>
2016-10-06 19:16:37 +02:00
Milan Kubík
10b4b155b6 ipatests: Implement tests with CSRs requesting SAN
The patch implements several test cases testing the enforcement
of CA ACLs on certificate requests with subject alternative names.

https://fedorahosted.org/freeipa/ticket/6366

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-10-04 18:03:03 +02:00
Milan Kubík
7eb78aa8db ipatests: Fix name property on a service tracker
https://fedorahosted.org/freeipa/ticket/6366

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-10-04 18:03:03 +02:00
Martin Basti
95aa9369cb Fix: find OSCP certificate test
Test should check if any OSCP certificate has been returned

https://fedorahosted.org/freeipa/ticket/6359

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-09-30 13:13:57 +02:00
Martin Basti
45e3aee352 Pylint: enable check for unused-variables
Unused variables may:
* make code less readable
* create dead code
* potentialy hide issues/errors

Enabled check should prevent to leave unused variable in code

Check is locally disabled for modules that fix is not clear or easy or have too many occurences of
unused variables

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-27 13:35:58 +02:00
Martin Basti
9d83be3647 Remove unused variables in tests
This commit removes or marks unused variables as "expected to be unused"
by using '_' prefix.

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-27 13:35:58 +02:00
Martin Basti
9b68d2a1f8 Pylint: enable global-variable-not-assigned check
the global keyword should be used only when variable from outside is
assigned inside, otherwise it has no effect and just confuses developers

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-09-23 09:23:41 +02:00
Jan Barta
275e85d076 pylint: fix unneeded-not
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-09-22 16:52:57 +02:00
Martin Basti
929086e099 Test: dont use global variable for iteration in test_cert_plugin
Iteration over global variable causes unwanted value changes outside
method

https://fedorahosted.org/freeipa/ticket/5755

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-09-22 15:22:56 +02:00
Lenka Doudova
8a947e2fd0 Tests: Fix host attributes in ipa-join host test
Fixing discrepancies between returned and checked attributes in ipa-join host
test, that arose after recent changes in behavior.

https://fedorahosted.org/freeipa/ticket/6326

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-09-21 18:46:37 +02:00
Lenka Doudova
c0fcfb31ec Tests: Update host test with ipa-join
Updating path to ipa-join command to allow execution of
test_xmlrpc/test_host::TestHostFalsePwdChange::test_join_host.

https://fedorahosted.org/freeipa/ticket/6326

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-09-21 18:46:37 +02:00
Lenka Doudova
522766a565 Tests: Remove unnecessary attributes from base tracker
https://fedorahosted.org/freeipa/ticket/6128

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-09-21 18:41:04 +02:00
Lenka Doudova
a07c4bdd4f Tests: Remove --force options from tracker base class
Removing --force option from tracker base class so it would not be required to
be implemented in every specific tracker, even though it's not necessary.
Modifying existing trackers to reflect this change.

https://fedorahosted.org/freeipa/ticket/6124

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-09-21 18:39:56 +02:00
Lenka Doudova
60e88038c4 Tests: Add missing attributes to test_xmlrpc/test_trust tests
Several tests in test_xmlrpc/test_trust_plugin.py fail because some attributes
are not expected. Fixing the tests so that the extra attributes are recognized.

https://fedorahosted.org/freeipa/ticket/6276

Reviewed-By: Ganna Kaihorodova <gkaihoro@redhat.com>
2016-08-31 15:05:41 +02:00
Lenka Doudova
36979ad0b6 Tests: Random issuer certificate can be added to a service
Changing negative test case that verified that a certificate with different
than expected issuer cannot be added to a service to a positive one that
verifies that this operation now proceeds successfully. Corresponds to changes
made in scope of https://fedorahosted.org/freeipa/ticket/4559 implementation.

https://fedorahosted.org/freeipa/ticket/6258

Reviewed-By: Ganna Kaihorodova <gkaihoro@redhat.com>
2016-08-31 14:29:00 +02:00
Petr Spacek
eabe248957 Tests: fix test_forward_zones in test_xmlrpc/test_dns_plugin
Class test_forward_zones in ipatests/test_xmlrpc/test_dns_plugin
was using DNS zone 'fwzone2.test.' and expected to get warning
'Forwarding policy conflicts with some automatic empty zones.'
(aka 'DNSForwardPolicyConflictWithEmptyZone').

This does not make sense because 'test.' zone is not listed in IANA registry
'Locally-Served DNS Zones':
http://www.iana.org/assignments/locally-served-dns-zones/locally-served-dns-zones.xhtml

To fix this I simply removed the warning from set of expected results.

https://fedorahosted.org/freeipa/ticket/6213

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-08-30 10:45:12 +02:00
Petr Spacek
8f1ba05c26 Tests: fix test_forward_zones in test_xmlrpc/test_dns_plugin
Class test_forward_zones in ipatests/test_xmlrpc/test_dns_plugin
had server IP and zone name interchanged in "expected" dictionart.

I do not understand how this happened.

https://fedorahosted.org/freeipa/ticket/6213

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-08-30 10:40:01 +02:00
gkaihoro
572bb55da4 Test for caacl-add-service
Test for caacl-add-service: incorrect error message when service does not exists

https://fedorahosted.org/freeipa/ticket/6171

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-08-30 10:35:58 +02:00
Lenka Doudova
9021b64966 Tests: Service tracker and tests don't recognize 'ipakrboktoauthasdelegate' attribute
Due to [1] being implemented, retrieve and search tests with --all option
specified fail due to extra attribute.

[1] https://fedorahosted.org/freeipa/ticket/5764

Ticket: https://fedorahosted.org/freeipa/ticket/6240
Reviewed-By: Ganna Kaihorodova <gkaihoro@redhat.com>
2016-08-24 16:00:25 +02:00
Lenka Doudova
3a555ece79 Tests: Host tracker does not recognize 'ipakrboktoauthasdelegate' attribute
Due to [1] being implemented, retrieve and search tests with --all option
specified fail due to extra attribute.

[1] https://fedorahosted.org/freeipa/ticket/5764

Ticket: https://fedorahosted.org/freeipa/ticket/6240
Reviewed-By: Ganna Kaihorodova <gkaihoro@redhat.com>
2016-08-24 16:00:25 +02:00
Lenka Doudova
775c37bb81 Tests: ID views tests do not recognize krbcanonicalname attribute
https://fedorahosted.org/freeipa/ticket/6242

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-24 14:20:53 +02:00
Lenka Doudova
fef4b95309 Tests: Duplicate declaration on variables in ID views tests
In ipatests/test_xmlrpc/test_idviews_plugin several variables are declared
twice, while never using the first declaration. The duplicate declaration is
hereby removed.

https://fedorahosted.org/freeipa/ticket/6246

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-23 12:31:52 +02:00
Petr Spacek
3ac2709f4b config-mod: normalize attribute names for --usersearch/--groupsearch
https://fedorahosted.org/freeipa/ticket/6236

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-08-22 17:53:31 +02:00
Lenka Doudova
3d159c39c7 Tests: ID views tests do not recognize ipakrboktoauthasdelegate sttribute
Due to implementation of [1], new attribute 'ipakrboktoauthasdelegate' was presented, but is not recognized by ID views tests, thus causing them to fail.

[1] https://fedorahosted.org/freeipa/ticket/5764

https://fedorahosted.org/freeipa/ticket/6241

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-08-22 14:11:16 +02:00
Milan Kubík
b92b1d7d7f ipatests: Fix wrong fixture in kerberos principal alias test
https://fedorahosted.org/freeipa/ticket/6197

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-16 12:13:30 +02:00
Peter Lacko
019f3611c2 Test URIs in certificate.
Test that CRL URI and OCSP URI are present and correct in generated certificate.

https://fedorahosted.org/freeipa/ticket/5881

Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-11 15:07:46 +02:00
Stanislav Laznicka
9f26e395e5 Removed objectclass from LDAP*ReverseMember based tests
Some tests were broken because of the recent changes in baseldap (#5892)
as they were wrongly expecting an objectclass attribute.

https://fedorahosted.org/freeipa/ticket/6198

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-10 13:53:55 +02:00