Commit Graph

1703 Commits

Author SHA1 Message Date
Armando Neto
99d6845dbe prci: bump fedora release
Fedora 31 is the latest release, Fedora 30 is now the previous release.

New template boxes were built for current tests definitions with
updated dependencies.

Boxes were generated after https://github.com/freeipa/freeipa-pr-ci/pull/321

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-11-12 09:16:11 -03:00
Armando Neto
c62bd1608e prci: rename definitions files and jobs to change how fedora releases are referenced
Replacing `fedora-30` with `fedora-latest` and `fedora-29` with `fedora-previous` will
reduce the changes required for new releases of Fedora.

Future changes would only require to update the name and version of the template used.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-11-12 09:16:11 -03:00
Sergey Orlov
f58fb573d1
ipatests: enable test_smb.py in gating.yaml
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-11-11 15:09:23 +01:00
Sergey Orlov
c2b230ce64
ipatests: replace ad hoc backup with FileBackup helper
Test test_smb_mount_and_access_by_different_users was failing with message
```
kdestroy: Permission denied while initializing krb5
```

This happened because the previous test
`test_smb_access_for_ad_user_at_ipa_client` was calling the fixture
`enable_smb_client_dns_lookup_kdc` which was doing backup of krb5.conf
in a wrong way:
- mktemp (to create a temp file)
- cp /etc/krb5.conf to the temp file
- ...
- mv tempfile /etc/krb5.conf

This flow looses the file permissions, because mktemp creates a file
using the default umask, which results in -rw------- permissions.
The copy does not modify the permissions, and the mv keeps the
permissions from the source => /etc/krb5.conf now has -rw-------.

Fixes: https://pagure.io/freeipa/issue/8115
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-11-11 15:09:23 +01:00
Sergey Orlov
72540c4233
ipatests: refactor FileBackup helper
* `cp` now preserves all attributes of original file, there is no reason
  to select only some of them
* backup is now restored with `mv` instead of `cp` to avoid leaving junk

Related to: https://pagure.io/freeipa/issue/8115

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-11-11 15:09:23 +01:00
Christian Heimes
0f4c41ab26 Add tests for member management
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-11-11 09:31:14 +01:00
Sergey Orlov
f16c08b7d6
ipatests: in DNS zone file add A record for name server
Testcase test_server_option_with_unreachable_ad creates a zone file
for AD domain. This file had a hard-coded A record for host specified in
NS record. Some versions of BIND consider this zone invalid and refuse
to start with message:
```
zone ad.test/IN: NS 'root-dc.ad.test' has no address records (A or AAAA)
```

Fixed by replacing hard-coded value with short name of the AD instance.

Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2019-11-05 17:24:24 +01:00
Sergey Orlov
b10e43c3ea
ipatests: strip newline character when getting name of temp file
Function create_temp_file was returning unprocessed output of mktemp
command, which contains a trailing newline. Callers which tryed to write
to the temp file were creating a new one instead.

Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2019-11-05 17:24:24 +01:00
Sergey Orlov
14be271533 ipatests: add test to check that only TLS 1.2 is enabled in Apache
Related to: https://pagure.io/freeipa/issue/7995

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-11-01 13:49:09 -04:00
Stanislav Levin
c6769ad12f Fix errors found by Pylint-2.4.3
New Pylint (2.4.3) catches several new 'true problems'. At the same
time, it warns about things that are massively and reasonably
employed in FreeIPA.

list of fixed:
- no-else-continue
- redeclared-assigned-name
- no-else-break
- unnecessary-comprehension
- using-constant-test (false positive)

list of ignored (responsibility of contributors and reviewers):
- import-outside-toplevel

Fixes: https://pagure.io/freeipa/issue/8102
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2019-10-21 18:01:32 +11:00
François Cami
f44b73b97c ipatests: nightly_f29: disable TestIpaClientAutomountFileRestore
The fixes for https://pagure.io/freeipa/issue/8054 and
https://pagure.io/freeipa/issue/8038 are intended for f30.
Given that the fixes will not be backported to f29, disable
that test.

Fixes: https://pagure.io/freeipa/issue/8063
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-10-18 22:40:00 +02:00
Armando Neto
3d8a444f62 prci: increase timeout argument for test_sssd.py
Follow-up for commit a4ca34261a.

Vagrant retries to provision hosts if something happens, it was introduced
in PR-CI after freeipa/freeipa-pr-ci@380c8b8.

This takes time, some jobs are killed during test execution, so this
adds 20 minutes more to `test_sssd.py` test suite.

This also adds a missing but available topology to `temp_commit.yaml`.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2019-10-18 11:27:09 -03:00
Stanislav Levin
1ed7dd4bf1 Install language packs for tests
* 'fr_FR' locale is utilized in
test_ipaserver/test_i18n_messages.py::test_i18n_messages::test_i18n_consequence_receive

* 'en_US' is a commonly used locale
AP warns regularly:

```
/bin/bash: warning: setlocale: LC_ALL: cannot change locale
(en_US.utf8): No such file or directory
```

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-10-17 08:29:06 +02:00
Stanislav Levin
16149831da Restore running of 'test_ipaserver' tests on Azure
`test_ipaserver` was lost on refactoring in #c8ef093e56.
Let's run that again.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-10-17 08:29:06 +02:00
Fraser Tweedale
e767386e71 test_integration: add tests for custom CA subject DN
Define integration test for custom CA subject DN and subject base
scenarios.  Add to nightly CI runs.

Part of: https://pagure.io/freeipa/issue/8084

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-10-17 08:17:46 +02:00
François Cami
e6db4980d8 ipatests: temporarily remove test_smb from gating
test_smb is now failing in a repeatable way due to CI infrastructure
issues. Temporarily remove it until this is fixed.

Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-10-16 12:14:19 +02:00
Sergey Orlov
0d7f89c5a0
ipatests: fix DNS forwarders setup for AD trust tests with non-root domains
The tests are failing to establish trust with AD subdomain and tree domain
controllers. This happens because IPA server needs to contact root domain
controller to fetch domain-wide UPN suffixes but can not do it because we
setup DNS forwarding only for the domains with which we try to establish
trust.
To establish trust with AD subdomain we now setup forwarder for root AD
domain, and to establish trust with AD treedomain  -- two forwarders:
one for root domain and another one for treedomain.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-10-10 13:27:03 +02:00
Mohammad Rizwan Yusuf
c77bbe7899 Add test to nightly yamls
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-10-07 08:08:35 +02:00
Mohammad Rizwan Yusuf
c2c1000e2d Installation of replica against a specific server
Test to check replica install against specific server. It uses master and
replica1 without CA and having custodia service stopped. Then try to
install replica2 from replica1 and expect it to get fail as specified server
is not providing all the services.

related ticket: https://pagure.io/freeipa/issue/7566

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-10-07 08:08:35 +02:00
Armando Neto
a4ca34261a prci: increase timeout for jobs that required AD
Vagrant retries to provision hosts if something happens, it was introduced
in PR-CI after 380c8b8c78.

This takes time, some jobs are killed during test execution, so this
increases the time-out parameter from 1 hour and 20 minutes to 2 hours.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-10-03 09:01:16 -03:00
Mohammad Rizwan Yusuf
7aec6f1037 Check file ownership and permission for dirsrv log instance
Check if file ownership and permission is set to dirsrv:dirsrv
and 770 on /var/log/dirsrv/slapd-<instance> after ipa-restore.

related ticket : https://pagure.io/freeipa/issue/7725

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-10-01 08:17:55 -04:00
Florence Blanc-Renaud
121971a51e
ipatests: fix test_replica_promotion.py::TestHiddenReplicaPromotion
The test test_replica_promotion.py::TestHiddenReplicaPromotion randomly
fails in nightly_f29.

The test is checking that a given IP address is not in the DNS records
for the domain. When we are unlucky, we may come up with the following
situation:
- IP address that is unexpected: 192.168.121.25
- IP address that is found for the DNS record: 192.168.121.254

As 192.168.121.25 is a substring of 192.168.121.254, the test wrongly considers that the unexpected address was found.
Extract of the log:
    for host in hosts_unexpected:
        value = host.hostname if rtype == 'SRV' else host.ip
>       assert value not in txt
E       AssertionError: assert '192.168.121.25' not in 'ipa-ca.ipa.test. 1 IN A 192.168.121.254'
E         '192.168.121.25' is contained here:
E           ipa-ca.ipa.test. 1 IN A 192.168.121.254
E         ?                         ++++++++++++++

This happens because the test is comparing the content of the output as a
string. The fix is extracting the exact hostname/IP address from the
record instead.

Fixes: https://pagure.io/freeipa/issue/8070
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-10-01 09:37:36 +02:00
Florence Blanc-Renaud
387ee6e60f ipatests: add XMLRPC test for user-add when UPG plugin is disabled
Add a new XMLRPC test in test_user_plugin:
- disable the UPG plugin
- create a user without the --gid parameter
  as the default group for new users is not POSIX (ipausers), the
  command is expected to fail
- create a user with the --gid parameter
  The provided gid is used and command is expected to succeed
- create a user with the same name as an existing group
  As the UPG plugin is disabled, the user creation will not trigger
  the creation of a group with the same name, and command is
  expected to succeed
- re-enable the UPG plugin for other tests

Related to: https://pagure.io/freeipa/issue/4972

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-09-27 15:33:15 +02:00
Rafael Guterres Jeffman
73529e065c Removed unnecessary imports after code review.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-09-27 09:38:32 +02:00
Rafael Guterres Jeffman
d4fab33605 Removes several pylint warnings.
This patche removes 93 pylint deprecation warnings due to invalid escape
sequences (mostly 'invalid escape sequence \d') on unicode strings.

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-09-27 09:38:32 +02:00
Rafael Guterres Jeffman
51e0f56487 Removed unnecessary imports after code review.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-09-27 09:38:32 +02:00
Rafael Guterres Jeffman
c898be1df9 Removes several pylint warnings.
This patche removes 93 pylint deprecation warnings due to invalid escape
sequences (mostly 'invalid escape sequence \d') on unicode strings.

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-09-27 09:38:32 +02:00
Florence Blanc-Renaud
6127aa0eac ipatests: fix fedora29 nightly definition
test_sssd is using a wrong dependency (fedora30 build instead
of fedora29 build). As a result, this test is not triggered
by PRCI because it's waiting forever for a dependency.
(See the status: fedora-30/test_sssd Pending — unassigned)

Fix the version in the fedora 29 nightly definition.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-09-25 15:59:51 -04:00
Stanislav Levin
feae9de73e Setup DNS for AP Docker container
Docker utilizes its own way to provide DNS (hostname, hosts, NS).
By default, they are almost the same as the host's ones.
For instance, below is from AP container:
```
cat /etc/hosts

127.0.0.1	localhost
::1	localhost ip6-localhost ip6-loopback
fe00::0	ip6-localnet
ff00::0	ip6-mcastprefix
ff02::1	ip6-allnodes
ff02::2	ip6-allrouters
172.17.0.2	ipa.example.test ipa

cat /etc/resolv.conf
nameserver 168.63.129.16
search hqdv2iuiph0ufpcrhp4amkgzwf.fx.internal.cloudapp.net
```

As a result FreeIPA uses 168.63.129.16 (AP DNS NS [1]) as a DNS forwarder.
It's not desirable to rely on this.
Let's clear test environment.

[1] https://docs.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16

Related: https://pagure.io/freeipa/issue/8077
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-09-25 20:14:06 +10:00
Armando Neto
98ee5f2472 prci: update packages for pki and testing nightly runs
This forces PR-CI to update the packages instead of using the versions
already included in the vagrant image.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-09-23 12:23:37 -03:00
Florence Blanc-Renaud
2919237753 ipatests: ensure that backup/restore restores pkcs 11 modules config file
In the test_backup_and_restore, add a new test:
- before backup, save the content of /etc/pkcs11/modules/softhsm2.module
- after restore, ensure the file is present with the same content.

Related: https://pagure.io/freeipa/issue/8073
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-09-22 20:29:41 +03:00
Florence Blanc-Renaud
a2313114fb ipatests: enable 389-ds audit log and collect audit file
In test_integration, enable 389-ds audit log and auditfail log by setting
nsslapd-auditlog-logging-enabled: on
nsslapd-auditfaillog-logging-enabled: on

and collect the generated audit file. This will help troubleshoot failures
related to DS.

Fixes: https://pagure.io/freeipa/issue/8064
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-09-20 13:14:18 -04:00
Armando Neto
78d27f8252 Update definitions for nightly tests
Update nightly definitions used to test if FreeIPA works when repo
`updates-testing` is enabled.

These changes include all tests currently defined in `nightly_master.yaml`.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-09-20 08:12:21 -03:00
Anuja More
e5e0693aa2 Extdom plugin should not return error (32)/'No such object'
Regression test for https://pagure.io/freeipa/issue/8044

If there is a timeout during a request to SSSD the extdom plugin
should not return error 'No such object' and the existing
user should not be added to negative cache on the client.

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2019-09-19 15:52:51 +02:00
Sergey Orlov
4ab2842b76
ipatests: add tests for cached_auth_timeout in sssd.conf
The tests check that auth cache
* is disabled by default
* is working when enabled
* expires after specified time
* is inherited by trusted domain

Related to: https://bugzilla.redhat.com/1685581

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-09-19 10:26:58 +02:00
Sergey Orlov
4ea9aead5c
ipatests: refactoring: use library function to check if selinux is enabled
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-09-19 10:26:58 +02:00
Sergey Orlov
7dde3a4220
ipatests: add new utilities for file management
Added utilities for working with remote hosts
* backup and restore files
* modify .ini files
* check if selinux is enabled

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-09-19 10:26:58 +02:00
Serhii Tsymbaliuk
4dbc6926b1 WebUI: Fix new test initialization on "HBAC Test" page
"New Test" action cleared only information about selected options but kept
radio buttons checked. It confused users and caused an error on validation step.

New behaviour is:
- tables forget all selected values after "New Test" click;
- first table record is checked initially in case the option is mandatory;
- all records is unchecked initially in case the option is not mandatory.

Ticket: https://pagure.io/freeipa/issue/8031

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2019-09-17 18:12:43 -03:00
Serhii Tsymbaliuk
755154318a
WebUI: Fix changing category on HBAC/Sudo/etc Rule pages
No object can be added to a rule when object category is 'all'.
So while editing rule there is needed to save actual category value
before adding related objects.

Ticket: https://pagure.io/freeipa/issue/7961

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2019-09-17 08:35:32 +02:00
ndehadra
6064365aa0 Hidden Replica: Add a test for Automatic CRL configuration
Added test to check whether hidden replica can be configurred
as CRL generation master.

Related Tickets:
https://pagure.io/freeipa/issue/7307

Signed-off-by: ndehadra <ndehadra@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-09-13 14:46:46 +02:00
Francisco Trivino
991d508a5c prci: increase gating tasks priority
Sometimes the gating tasks (build and jobs) are blocked because of nightly
regression remaining tasks are in progress. The reason is because nightly
regressions are not finished or they are re-triggered during day-time.
Gating tasks are blocked because they have same priority than nightly tasks.

This commit increases gating tasks priority so the testing of pull requests
will not be blocked anymore.

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-09-12 11:17:15 +02:00
Serhii Tsymbaliuk
123c93f92c WebUI: Make 'Unlock' option is available only on locked user page
The implementation includes checking password policy for selected user.
'Unlock' option is available only in case user reached a limit of login failures.

Ticket: https://pagure.io/freeipa/issue/5062
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2019-09-11 18:26:34 +02:00
Armando Neto
2e0850e70e prci: fix typo on nightly test definitions
PR-CI breaks if the class to execute the tests doesn't exist.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-09-11 18:16:11 +02:00
Changmin Teng
d0570404ef Extend the list of supported pre-auth mechanisms in IPA server API
As new authentication indicators implemented, we also modified server
API to support those new values. Also, "krbprincipalauthind" attribute
is modified to use a pre-defined set of values instead of arbitrary
strings.

Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2019-09-10 12:33:21 +03:00
Michal Polovka
8ce0e6bf60
ipatests: add tests for ipa host-add with non-default maxhostnamelength
Implement test for ticket 2018: Change hostname length limit to 64.
The fix provides a new configuration parameter (maxhostname) that can be modified through ipa config-mod, and governs the max hostname len allowed through ipa host-add.
Add new tests:

    - check that maxhostname cannot be changed to a value < 64
    - check that ipa host-add is refused if the hostname length is > maxhostname
    - check that ipa host-add is OK if the hostname length is <= maxhostname

Related: https://pagure.io/freeipa/issue/2018
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-09-09 12:12:39 +02:00
Sergey Orlov
1d033b040d
ipatests: refactor and extend tests for IPA-Samba integration
Add tests for following scenarios:
* running `ipa-client-samba --uninstall` without prior installation
* mount and access Samba share by IPA user
* mount and access Samba share by AD user
* mount samba share by one IPA user and access it by another one
* try mount samba share without kerberos authentication
* uninstall and reinstall ipa-client-samba

Relates: https://pagure.io/freeipa/issue/3999
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2019-09-06 12:11:04 +02:00
Sergey Orlov
1fe69f352b
ipatests: modify run_command to allow specify successful return codes
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2019-09-06 12:11:04 +02:00
Sergey Orlov
3fa7865ff8
ipatests: add utility functions related to using and managing user accounts
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2019-09-06 12:11:04 +02:00
Sergey Orlov
074bf285f1
ipatests: allow to pass additional options for clients installation
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2019-09-06 12:11:04 +02:00
Florence Blanc-Renaud
c1af6aa27c ipatests: add nightly definition for DS integration tests
This commit is a first step in order to run nightly
integration tests with the 389-ds Directory Server.
It is updating the tests that should be run against
a nightly build of 389-ds.

The vagrant box freeipa/389ds-master-f30 version 0.0.1 has already
been created, available in vagrant cloud.
freeipa-pr-ci workspace also already contains the nightly scheduler
definition for this job (saturdays 00:10, using nightly_master_389ds.yaml)
but the cron job is not scheduled yet.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-09-06 09:05:52 +02:00