Test ecxpects auto-detection of trust type, Windows Server 2016 doesn't have
support for MFU/NIS (SFU - Services for Unix), so auto detection doesn't work
Fix is to pass extra arguments to the trust-add command,
such as --range-type="ipa-ad-trust-posix" to enforce a particular range type
https://pagure.io/freeipa/issue/7508
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
File : ipatests/test_integration/test_external_ca.py
Scenario1: Manual renew external CA cert with invalid file
when ipa-server is installed with external-ca
and renew with invalid cert file the renewal
should fail.
Scenario2: install CA cert manually
Install ipa-server. Create rootCA, using
ipa-cacert-manage install option install
new cert from RootCA
Signed-off-by: Anuja More <amore@redhat.com>
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The full chain is not required by mod_ssl.
https://pagure.io/freeipa/issue/7489
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
This is related to change in certutil which does a cwd
to the location of the NSS database. certutil is used as part
of loading a PKCS#12 file to do validation.
https://pagure.io/freeipa/issue/7489
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
Add absolute_import from __future__ so that pylint
does not fail and to achieve python3 behavior in
python2.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Delete code related to NTP checks.
As we migrated to chronyd and IPA server is not NTP server anymore
https://pagure.io/freeipa/issue/7499
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
test_ipap11helper no longer changes directory for the entire test suite.
The fix revealed a bug in another test suite. test_secrets now uses a
proper temporary directory.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
These tests are all skipped if there is no YAML configuration
file passed but the teardown method is always called and since
there is a reference to the Config object this blows up if just
ipa-run-tests is executed.
Look at the config and break out if no domains are set.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
test_topology_updated_on_replica_install_remove from the beginning used
invalid sequence of commands for removing a replica.
Proper order is:
master$ ipa server-del $REPLICA
replica$ ipa-server-install --uninstall
Alternatively usage of `ipa-replica-manage del $replica` instead of
`ipa server-del $replica` is possible. In essence ipa-replica-manage
calls the server-del command.
At some point there was a plan to achieve uninstalation only through
`ipa-server-install --uninstall` but that was never achieved to this
date.
This change also removes the ugly wrapper which makes test collection
fail if no environment config is provided (i.e. replicas cannot be
indexed).
$ pytest --collect-test ipatests/test_integration
https://pagure.io/freeipa/issue/6250
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The pki debug log has its name in this format: debug.<date>.log. This commit
changes the code to use this format, fixing the test.
Unfortunately, it's not possible to use some kind of regex (like debug.*.log)
to get the file, because python multihost gets the path and tries to open
(using the "open" python function) the file with that.
https://pagure.io/freeipa/issue/7095
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
When installing ipa in interactive mode, it's necessary to provide the
hostname. This will make the test pass.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Second check in test is failing, because it accepts default installer's values of domain, which is already used for lab machines.
IPA DNS domain must not exist before the installation, fix is to provide domain name derived from vm name.
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
The AdminTool class purports to "call sys.exit() with the return
value" but most of the run implementations returned no value, or
the methods they called returned nothing so there was nothing to
return, so this was a no-op.
The fix is to capture and bubble up the return values which will
return 1 if any exceptions are caught.
This potentially affects other users in that when executing the
steps of an installer or uninstaller the highest return code
will be the exit value of that installer.
Don't use the Continuous class because it doesn't add any
value and makes catching the exceptions more difficult.
https://pagure.io/freeipa/issue/7330
Signed-off-by: Rob Crittenden rcritten@redhat.com
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
After commit bbe615e12c278f9cddaeb38e80b970bf14d9b32d, if the uninstall
process fails (in the test cleanup) the error is not hidden anymore.
That brought light to errors in the cleanup process on
TestReplicaInstall test, like this:
```
RUN ['ipa-server-install', '--uninstall', '-U']
ipapython.admintool: ERROR Server removal aborted:
Replication topology in suffix 'domain' is disconnected:
Topology does not allow server master.ipa.test to replicate with servers:
replica0.ipa.test.
ipapython.admintool: ERROR The ipa-server-install command failed
```
This commit changes the order of how a replica should be removed from
the topology.
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
While testing on RHEL we are getting IOError instead of OSError.
Add also IOError to except clause.
This is mostly for compatibility reasons however should not cause
any issue as IOError is alias for OSError on Python3.
https://pagure.io/freeipa/issue/7439
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
test to verify that replica is able to sign a certificate with
new sub CA.
https://pagure.io/freeipa/issue/7387
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Overide trust method test_establish_trust_with_posix_attributes to test_establish_trust.
Windows Server 2016 doesn't have support for MFU/NIS, so autodetection is not working
https://pagure.io/freeipa/issue/7313
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
After commits 8960141 and 97942a7 we do not need to run
ipa-certupdate command anymore when switching to ca-full.
This patch removes the above mentioned commands in order to
properly test the scenario.
https://pagure.io/freeipa/issue/7309
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
The ACI needed for staged users and deleted users were granted
only to the uid=admin user. They should rather be granted to
cn=admins group, to make sure that all members of the admins
group are able to call the command ipa user-del --preserve.
This commit also adds integration test for non-regression.
https://pagure.io/freeipa/issue/7342
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When ipa-backup called the next time, the db2ldif fails,
because the tool does not have permissions to write to the ldif
file which was owned by root (instead of dirsrv)
This test check if files are owned by dirsrv and db2ldif doesn't
fails
related ticket: https://pagure.io/freeipa/issue/7010
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
If after ipa-restore the service oddjobd is not running,
domain-level1 replica installation will fail during
ipa-replica-conncheck because this step is using oddjob
to start the process ipa-replica-conncheck on the master.
This patch fixes it. Also added regression test.
https://pagure.io/freeipa/issue/7234
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Use is_installed() instead of is_configured() because
is_installed() does a config file check to see if the service
is in use.
https://pagure.io/freeipa/issue/7389
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Several run() calls used hard-coded paths rather than pre-defined paths
from ipaplatform.paths. The patch fixes all places that I was able to
find with a simple search.
The fix simplifies Darix's port of freeIPA on openSuSE.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Before this change, if the uninstall process fails, the test would not fail, due
to the raiseonerr=False.
It's necessary to remove the uninstall call in CALessBase because in
TestIntegration there is another uninstall call. So, without the
raiseonerr=False, it would make the uninstall process fail, since the master is
already uninstalled.
https://pagure.io/freeipa/issue/7357
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This test checks if second phase installs successfully when dirsrv
is stoped.
related ticket: https://pagure.io/freeipa/issue/6611
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
related ticket: https://pagure.io/freeipa/issue/6894
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Add an integration test for issue 7247 (ipa-backup does not backup
Custodia keys and files)
The test performs backup / uninstall / check custodia files were removed /
restore and check that the custodia conf and keys files are restored.
related ticket https://pagure.io/freeipa/issue/7247
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Since we cannot assume that LDAP will return data in any ordered way,
the test should be changed to do not rely on that.
Instead of just comparing the output of the show-user command, this change
first order the groups returned in the 'Member of Group' field before
compare them.
https://pagure.io/freeipa/issue/7339
Reviewed-By: Aleksei Slaikovskii <aslaikov@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Till now both create_caless_pki.py and create_external_ca.py were
stored in test_integration folder. However when trying to import
e.g. "from create_external_ca import ExternalCA" from tasks.py
where all other integration test`s support functions lives we get
"AttributeError: module 'pytest' has no attribute 'config' as pytest
was not completely initialized at the moment of the import.
https://pagure.io/freeipa/issue/7302
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Add test case for installing PKINIT and anchor update when using
3rd party CA after caless installation. Related to #6831 issue.
https://pagure.io/freeipa/issue/7233
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add test case for setting renewal master using command
ipa-csreplica-manage.
Automation related to upstream ticket #7120. Testing using
config-mod already covered.
https://pagure.io/freeipa/issue/7321
Reviewed-By: Christian Heimes <cheimes@redhat.com>
When the cls in env_config.py is a WinHost, the __init__ receives different
parameters. Now, it's adapted to all different kinds of hosts.
Also, it's necessary to add the host_type field to most of domains created
in the test classes, because the field is returned by pytest_multihost.Config
in pytest_plugins/integration/config.py::Config::to_dict
https://pagure.io/freeipa/issue/7346
Reviewed-By: Christian Heimes <cheimes@redhat.com>
prefix in the backup function expects output to have
'ipa.ipaserver.install.ipa_backup.Backup:' and it's wrong. The right
one is 'ipaserver.install.ipa_backup:'.
https://pagure.io/freeipa/issue/7339
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
* Replace raise nose.SkipTest with raise unittest.SkipTest
* Replace nose.tools.assert_equal(a, b) with assert a == b
* Replace nose.tools.raises with pytest.raises
* Convert @raises decorator to pytest.raises() but just for relevant
lines.
* Remove nose dependency
I left the nose_compat pytest plugin in place. It can be removed in
another request in case it is no longer used.
https://pagure.io/freeipa/issue/7301
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The new marker needs_ipaapi is used to mark tests that needs an
initialized API (ipalib.api) or some sort of other API services (running
LDAP server) to work. Some packages use api.Command or api.Backend on
module level. They are not marked but rather skipped entirely.
A new option ``skip-ipaapi`` is added to skip all API based tests. With
the option, only simple unit tests are executed. As of now, freeIPA
contains more than 500 unit tests that can be executed in about 5
seconds.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
replica install might fail because of existing entry for replica like
`cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX` etc. The situation
may arise due to incorrect uninstall of replica or ipa server-del is
not executed on master.
related bug : https://pagure.io/freeipa/issue/7174
Fixes: https://pagure.io/freeipa/issue/7276
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Some KRA installation tests were disabled due to failures caused by
security domain session replication lag. This problem has been
addressed in Dogtag by introducing a default 5 second sleep after
security domain login, to give more time for session data to be
replicated to other hosts. There is still a possibility for this
kind of failure, but the delay minimises it.
FreeIPA depends on the version of Dogtag that contains this change,
so remove the failing-test annotations.
Fixes: https://pagure.io/freeipa/issue/7220
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Some tests from installation suite fail.
The issues are:
* ipa-replica-install --setup-kra if first KRA in topology fails
https://pagure.io/freeipa/issue/7008
* Third KRA installation in topology fails
https://pagure.io/freeipa/issue/7220
This patch marks those tests as failing.
Signed-off-by: Petr Čech <pcech@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Fixes failing "ipa vault-retrieve" on replica due to a vault
not yet replicated. Increase from 30 to 45 seems to be enough.
https://pagure.io/freeipa/issue/7265
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
In "test_invalid_ds_cn" test case an old invalid http.p12 cert
is used as a leftover after previous "test_invalid_http_cn" test.
Get new valid http.p12 cert using create_pkcs12().
Also use server-badname cert instead of cert for replica.
This explicitly ensures a non-matching hostname/SAN rather than
implicitly by using a certificate for the replica.
https://pagure.io/freeipa/issue/7254
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fixes an error where we were getting domain_level None and after
switching to Py3 we hit TypeError because of comparing None and int.
https://pagure.io/freeipa/issue/7254
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Instead of symlinks and build-time configuration the ipaplatform module
is now able to auto-detect platforms on import time. The meta importer
uses the platform 'ID' from /etc/os-releases. It falls back to 'ID_LIKE'
on platforms like CentOS, which has ID=centos and ID_LIKE="rhel fedora".
The meta importer is able to handle namespace packages and the
ipaplatform package has been turned into a namespace package in order to
support external platform specifications.
https://fedorahosted.org/freeipa/ticket/6474
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Move collect_logs function from util to avoid a circular import.
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This fix adds additional prompt which was missing previously
in test_interactive_missing_ds_pkcs_password and
test_interactive_missing_http_pkcs_password under CA-less integration
testsuite.
Fixes: https://pagure.io/freeipa/issue/7182
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
Bytes would cause the logger to throw up while interpolating the
string.
Reviewed-By: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
CA-less tests debug logging uses representation of a variable
containing the certificate object, which does not help very much.
Use the actual DER representation of the certificate on such places.
Reviewed-By: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
