Commit Graph

1214 Commits

Author SHA1 Message Date
Florence Blanc-Renaud
7364c268eb ipa host-add --ip-address: properly handle NoNameservers
When ipa host-add --ip-address is called but no DNS server is able to answer
for the reverse zone, get_reverse_zone raises a NoNameservers exception.
The exception is not managed by add_records_for_host_validation, and this
leads to the command exiting on failure with an InternalError:
    $ ipa host-add testhost.ipadomain.com --ip-address 172.16.30.22
    ipa: ERROR: an internal error has occurred
A traceback is also logged in httpd error_log.

This commit properly handles the exception, and adds a test.

https://pagure.io/freeipa/issue/7397

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-02-12 17:30:52 +01:00
Aleksei Slaikovskii
93b7c40158 Enable and start oddjobd after ipa-restore if it's not running.
If after ipa-restore the service oddjobd is not running,
domain-level1 replica installation will fail during
ipa-replica-conncheck because this step is using oddjob
to start the process ipa-replica-conncheck on the master.

This patch fixes it. Also added regression test.

https://pagure.io/freeipa/issue/7234

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2018-02-09 09:44:11 +01:00
Rob Crittenden
8821f7ae8e Fix detection of KRA installation so upgrades can succeed
Use is_installed() instead of is_configured() because
is_installed() does a config file check to see if the service
is in use.

https://pagure.io/freeipa/issue/7389

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2018-02-08 09:39:18 +01:00
Christian Heimes
2391c75e3d Replace hard-coded paths with path constants
Several run() calls used hard-coded paths rather than pre-defined paths
from ipaplatform.paths. The patch fixes all places that I was able to
find with a simple search.

The fix simplifies Darix's port of freeIPA on openSuSE.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-08 09:32:12 +01:00
Michal Reznik
e5a508a749 ipa_tests: test subca key replication
Test if key replication is not failing.

https://pagure.io/freeipa/issue/7387

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-02-07 20:02:53 +01:00
Felipe Barreto
d945583cc7 Make IntegrationTest fail if an error happened during uninstall
Before this change, if the uninstall process fails, the test would not fail, due
to the raiseonerr=False.

It's necessary to remove the uninstall call in CALessBase because in
TestIntegration there is another uninstall call. So, without the
raiseonerr=False, it would make the uninstall process fail, since the master is
already uninstalled.

https://pagure.io/freeipa/issue/7357

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-02-07 13:24:46 +01:00
Felipe Barreto
7b7edd57cd IntegrationTests now collects logs from all test methods
logs_dict should not be cleared. It's filled once per class and it
should not be cleared after running the first test.

https://pagure.io/freeipa/issue/7310
https://pagure.io/freeipa/issue/7335

Reviewed-By: Michal Reznik <mreznik@redhat.com>
2018-02-06 15:53:08 +01:00
Mohammad Rizwan Yusuf
1ad27076a5 Updated the TestExternalCA with the functions introduced for the steps of external CA installation.
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-06 12:16:14 +01:00
Mohammad Rizwan Yusuf
f1f180985f When the dirsrv service, which gets started during the first ipa-server-install --external-ca phase, is not running when the second phase is run with --external-cert-file options, the ipa-server-install command fail.
This test checks if second phase installs successfully when dirsrv
is stoped.

related ticket: https://pagure.io/freeipa/issue/6611

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-06 12:16:14 +01:00
Mohammad Rizwan Yusuf
9c208ea14d
IANA reserved IP address can not be used as a forwarder. This test checks if ipa server installation throws an error when 0.0.0.0 is specified as forwarder IP address.
related ticket: https://pagure.io/freeipa/issue/6894

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-01-31 16:13:50 +01:00
Florence Blanc-Renaud
86a78ca244 test_integration: backup custodia conf and keys
Add an integration test for issue 7247 (ipa-backup does not backup
Custodia keys and files)
The test performs backup / uninstall / check custodia files were removed /
restore and check that the custodia conf and keys files are restored.

related ticket https://pagure.io/freeipa/issue/7247

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-01-29 11:19:56 +01:00
Felipe Barreto
cd660d1922
Fixing test_backup_and_restore assert to do not rely on the order
Since we cannot assume that LDAP will return data in any ordered way,
the test should be changed to do not rely on that.

Instead of just comparing the output of the show-user command, this change
first order the groups returned in the 'Member of Group' field before
compare them.

https://pagure.io/freeipa/issue/7339

Reviewed-By: Aleksei Slaikovskii <aslaikov@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-01-17 16:01:13 +01:00
Michal Reznik
e55969f7e0 test_caless: add SAN extension to other certs
Currently when testing we are using SAN extension only in
KDC, wildcard certs and not in the other certs.
During replica installation we then see a warning about certs
having no `subjectAltName`.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-01-17 12:52:16 +01:00
Christian Heimes
0cab090f4d
ipa-run-tests: make --ignore absolute, too
ipa-run-tests now applies the same logic to --ignore then to included
paths.

https://pagure.io/freeipa/issue/7355

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
2018-01-12 13:47:06 +01:00
Michal Reznik
3bdac1a84d tests: move CA related modules to pytest_plugins
Till now both create_caless_pki.py and create_external_ca.py were
stored in test_integration folder. However when trying to import
e.g. "from create_external_ca import ExternalCA" from tasks.py
where all other integration test`s support functions lives we get
"AttributeError: module 'pytest' has no attribute 'config' as pytest
was not completely initialized at the moment of the import.

https://pagure.io/freeipa/issue/7302

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-01-09 10:17:01 +01:00
Michal Reznik
ad996d79c6 test_external_ca: selfsigned->ext_ca->selfsigned
Add selfsigned > external_ca > selfsigned test case.

Covers Pagure issue #7106

https://pagure.io/freeipa/issue/7302

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-01-09 10:17:01 +01:00
Michal Reznik
efe21a1bda test_tasks: add sign_ca_and_transport() function
Add sign_ca_and_transport() function which will sign provided csr
and transport root CA and signed IPA CA to the host.

https://pagure.io/freeipa/issue/7302

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-01-09 10:17:01 +01:00
Michal Reznik
434d7d423c test_caless: test PKINIT install and anchor update
Add test case for installing PKINIT and anchor update when using
3rd party CA after caless installation. Related to #6831 issue.

https://pagure.io/freeipa/issue/7233

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-01-09 09:37:24 +01:00
Michal Reznik
dbb7784b90 test_renewal_master: add ipa csreplica-manage test
Add test case for setting renewal master using command
ipa-csreplica-manage.

Automation related to upstream ticket #7120. Testing using
config-mod already covered.

https://pagure.io/freeipa/issue/7321

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-01-09 09:36:33 +01:00
Felipe Barreto
f5c01c5e86 Fixing test_testconfig with proper asserts
When the cls in env_config.py is a WinHost, the __init__ receives different
parameters. Now, it's adapted to all different kinds of hosts.

Also, it's necessary to add the host_type field to most of domains created
in the test classes, because the field is returned by pytest_multihost.Config
in pytest_plugins/integration/config.py::Config::to_dict

https://pagure.io/freeipa/issue/7346

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-01-09 08:03:49 +01:00
Aleksei Slaikovskii
a70dcb1e18 test_backup_and_restore.py AssertionError fix
prefix in the backup function expects output to have
'ipa.ipaserver.install.ipa_backup.Backup:' and it's wrong. The right
one is 'ipaserver.install.ipa_backup:'.

https://pagure.io/freeipa/issue/7339

Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2018-01-09 08:02:29 +01:00
Florence Blanc-Renaud
830866d68a Idviews: fix objectclass violation on idview-add
When the option --domain-resolution-order is used with the command
ipa idview-add, the resulting LDAP object stores the value in
ipadomainresolutionorder attribute.
The issue is that the add command does not add the needed object
class (ipaNameResolutionData) because it is part of
possible_objectclasses but not of object_class.

The fix makes sure to add the objectclass when the option
--domain-resolution-order is used, and adds a non-regression test.

Note that idview-mod does not have any issue as it correctly handles
the addition of missing possible objectclasses.

Fixes:
https://pagure.io/freeipa/issue/7350

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-01-09 07:58:52 +01:00
Christian Heimes
beb6d74b81 LGTM: unnecessary else in for loop
for/else makes only sense when the for loop uses break, too. If the for
loop simply returns on success, then else is not necessary.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-01-09 07:53:28 +01:00
Christian Heimes
73ee9ff40e LGTM: Fix multiple use before assignment
- Move assignment before try/finally block
- Add raise to indicate control flow change
- Add default value

https://pagure.io/freeipa/issue/7344

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-01-09 07:53:28 +01:00
Christian Heimes
1ed4461f33 LGTM: Use of exit() or quit()
Replace exit() with sys.exit(). exit() or quit() may fail if the interpreter
is run with the -S option.

https://pagure.io/freeipa/issue/7344

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-01-09 07:53:28 +01:00
Christian Heimes
93c158b058 ipa-run-tests: replace chdir with plugin
The ipa-run-tests command used os.chdir() to change into the ipatests/
directory. The approach works for simple cases but breaks some pytest
features. For example it makes it impossible to selects tests by their
fully qualified test name.

Further more, coverage statistics break because path and module names
get messed up by chdir.

A name plugin takes care of adjusting paths relative to ipatests and to
add ipatests as base. It's now possible to run tests with qualified test
names, e.g.

  ipa-run-tests ipatests/test_ipalib/test_base.py::test_ReadOnly::test_lock

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2018-01-04 19:36:27 +01:00
Michal Reznik
65c592334a test_cert_plugin: check if SAN is added with default profile
https://pagure.io/freeipa/issue/7334

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-01-04 16:28:14 +01:00
Michal Reznik
23d729e0de test_help: test "help" command without cache
This test case addresses upsteam ticket #6999, where "ipa help"
does not work if called when no schema is cached.

https://pagure.io/freeipa/issue/7325

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-19 14:03:24 +01:00
Christian Heimes
d7426ccbe7 Replace nose with unittest and pytest
* Replace raise nose.SkipTest with raise unittest.SkipTest
* Replace nose.tools.assert_equal(a, b) with assert a == b
* Replace nose.tools.raises with pytest.raises
* Convert @raises decorator to pytest.raises() but just for relevant
  lines.
* Remove nose dependency

I left the nose_compat pytest plugin in place. It can be removed in
another request in case it is no longer used.

https://pagure.io/freeipa/issue/7301

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-12-12 16:16:58 +01:00
Pavel Vomacka
4d9d953663 Extend ui_driver to support geckodriver log_path
Geckodriver automatically logs into geckodriver.log file which
is placed in the same directory from which tests are run. In case
of running tests using ipa-run-tests the current working directory is
/usr/lib/python*/site-packages/ipatests where most of users cannot
write because of priviledges.

By adding "geckodriver_log_path" into test configuration we allow to
set path where user who run tests have priviledges to write.

Config file might be seen here:
https://www.freeipa.org/page/Web_UI_Integration_Tests#Running_tests

Fixes: https://pagure.io/freeipa/issue/7311
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-12 14:19:44 +01:00
Christian Heimes
f4001e1c53 Add safe DirectiveSetter context manager
installutils.set_directive() is both inefficient and potentially
dangerous. It does not ensure that the whole file is written and
properly synced to disk. In worst case it could lead to partially
written or destroyed config files.

The new DirectiveSetter context manager wraps everything under an easy
to use interface.

https://pagure.io/freeipa/issue/7312

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-12-12 14:13:54 +01:00
Fraser Tweedale
f688b5d8a7 Add tests for installutils.set_directive
Part of: https://pagure.io/freeipa/issue/7288

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-12-12 14:13:54 +01:00
Christian Heimes
b98f9b46de Add marker needs_ipaapi and option to skip tests
The new marker needs_ipaapi is used to mark tests that needs an
initialized API (ipalib.api) or some sort of other API services (running
LDAP server) to work. Some packages use api.Command or api.Backend on
module level. They are not marked but rather skipped entirely.

A new option ``skip-ipaapi`` is added to skip all API based tests. With
the option, only simple unit tests are executed. As of now, freeIPA
contains more than 500 unit tests that can be executed in about 5
seconds.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-12-11 20:40:06 +01:00
Michal Reznik
29d0f8673c test_x509: test very long OID
Active Directory creates OIDs long enough to trigger a failure.
This can cause e.g. ipa-server-install failure when installing
with an externally-signed CA.

https://pagure.io/freeipa/issue/7300

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-11 12:05:16 +01:00
Mohammad Rizwan Yusuf
feee70d7bb ipatest: replica install with existing entry on master
replica install might fail because of existing entry for replica like
    `cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX` etc. The situation
    may arise due to incorrect uninstall of replica or ipa server-del is
    not executed on master.

    related bug : https://pagure.io/freeipa/issue/7174

Fixes: https://pagure.io/freeipa/issue/7276

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-11 08:32:39 +01:00
Fraser Tweedale
ba411b0f6d Re-enable some KRA installation tests
Some KRA installation tests were disabled due to failures caused by
security domain session replication lag.  This problem has been
addressed in Dogtag by introducing a default 5 second sleep after
security domain login, to give more time for session data to be
replicated to other hosts.  There is still a possibility for this
kind of failure, but the delay minimises it.

FreeIPA depends on the version of Dogtag that contains this change,
so remove the failing-test annotations.

Fixes: https://pagure.io/freeipa/issue/7220
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-07 13:03:30 +01:00
Christian Heimes
be09823fd5 Skip test_rpcclient_context in client tests
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-12-06 16:54:04 +01:00
Christian Heimes
c1f275f9eb Update to python-ldap 3.0.0
Replace python3-pyldap with python3-ldap.

Remove some old code for compatibility with very old python-ldap.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-12-06 16:54:04 +01:00
Rob Crittenden
e8a26afb94 Add test to ensure that properties are being set in rpcclient
Upon a connection several values should be available within
the connextion context. Test that they are being set properly.

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-12-04 10:29:19 -05:00
Michal Reznik
1ec3d54d55 test_batch_plugin: fix py2/3 failing assertion
When running "test_batch_plugin" with Py2 against Py3 server we
got assertion error due to a command trying to run as bytes.

E.g.: unknown command 'b'ping''

https://pagure.io/freeipa/issue/7131

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-11-30 15:51:24 +01:00
Alexander Bokovoy
64f4c71dd6 test_dns_plugin: cope with missing IPv6 in Travis
If IPv6 is not enabled, cope with the possibility to get incomplete
output back from the IPA CLI.

To do so, use lambda to analyze the result rather than explicit
comparison with the expected output.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-11-29 15:55:00 +02:00
Christian Heimes
4069c129ea Add workaround for pytest 3.3.0 bug
pytest is setting an env var PYTEST_CURRENT_TEST to the test name + test
parameters. If parameters happen to contain NULL bytes, the putenv()
call fails with "ValueError: embedded null byte". The workaround uses
repr() of test parameters as parameter id.

See https://github.com/pytest-dev/pytest/issues/2957
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-11-28 19:43:15 +01:00
Petr Čech
cd80036b6b
tests: Mark failing tests as failing
Some tests from installation suite fail.
The issues are:

* ipa-replica-install --setup-kra if first KRA in topology fails
  https://pagure.io/freeipa/issue/7008

* Third KRA installation in topology fails
  https://pagure.io/freeipa/issue/7220

This patch marks those tests as failing.

Signed-off-by: Petr Čech <pcech@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2017-11-28 09:45:32 +01:00
Christian Heimes
191605efd6 Reproducer for bug in structured dnsrecord_show
"RuntimeError: dictionary changed size during iteration" in
ipaserver/plugins/dns.py", line 3209, in postprocess_record

https://pagure.io/freeipa/issue/7275

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-11-27 11:46:54 +01:00
Michal Reznik
d3a2a9be24 test_vault: increase WAIT_AFTER_ARCHIVE
Fixes failing "ipa vault-retrieve" on replica due to a vault
not yet replicated. Increase from 30 to 45 seems to be enough.

https://pagure.io/freeipa/issue/7265

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-11-22 15:19:52 +01:00
Christian Heimes
e1bd827bbf Require UTF-8 fs encoding
http://blog.dscpl.com.au/2014/09/setting-lang-and-lcall-when-using.html

https://pagure.io/freeipa/issue/5887

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-11-21 16:13:28 +01:00
Christian Heimes
0071744929 Support sqlite NSSDB
Prepare CertDB and NSSDatabase to support sqlite DB format. NSSDatabase
will automatically detect and use either old DBM or new SQL format. Old
databases are not migrated yet.

https://pagure.io/freeipa/issue/7049

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-16 12:17:01 +01:00
Christian Heimes
64a88d597c Py3: Fix vault tests
* Bump PKI to 10.5.1-2, which fixes an issue with KRA under Python 3
* Correct encoding of secret

https://pagure.io/freeipa/issue/7033

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-16 08:50:58 +01:00
Michal Reznik
cedd52d7f9 test_caless: fix http.p12 is not valid
In "test_invalid_ds_cn" test case an old invalid http.p12 cert
is used as a leftover after previous "test_invalid_http_cn" test.
Get new valid http.p12 cert using create_pkcs12().

Also use server-badname cert instead of cert for replica.
This explicitly ensures a non-matching hostname/SAN rather than
implicitly by using a certificate for the replica.

https://pagure.io/freeipa/issue/7254

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-15 16:23:15 +01:00
Michal Reznik
495b85793c test_caless: fix TypeError on domain_level compare
Fixes an error where we were getting domain_level None and after
switching to Py3 we hit TypeError because of comparing None and int.

https://pagure.io/freeipa/issue/7254

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-15 16:23:15 +01:00
Christian Heimes
a48f6511f6 Use namespace-aware meta importer for ipaplatform
Instead of symlinks and build-time configuration the ipaplatform module
is now able to auto-detect platforms on import time. The meta importer
uses the platform 'ID' from /etc/os-releases. It falls back to 'ID_LIKE'
on platforms like CentOS, which has ID=centos and ID_LIKE="rhel fedora".

The meta importer is able to handle namespace packages and the
ipaplatform package has been turned into a namespace package in order to
support external platform specifications.

https://fedorahosted.org/freeipa/ticket/6474

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-15 14:17:24 +01:00
Abhijeet Kasurde
f6adf4f3a8 Trivial typo fix.
Fix adds correction to word 'enforce'

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-11-15 11:14:15 +01:00
Christian Heimes
8bbeedc93f
Backup ipa-custodia conf and keys
https://pagure.io/freeipa/issue/7247

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-13 18:10:54 +01:00
Tomas Krizek
c45a989506
ipatests: fix circular import for collect_logs
Move collect_logs function from util to avoid a circular import.

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-11-13 13:49:51 +01:00
Christian Heimes
3ca77456ee
Py3: fix fetching of tar files
pytest_multihost does not support binary stdout stream yet,
https://pagure.io/python-pytest-multihost/issue/7 . Write logs to
temporary file and use host.get_file_content() to fetch them.

https://pagure.io/freeipa/issue/7131

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-11-10 13:18:47 +01:00
Abhijeet Kasurde
222cef1a4d
ipatests: Fix interactive prompt in ca_less tests
This fix adds additional prompt which was missing previously
in test_interactive_missing_ds_pkcs_password and
test_interactive_missing_http_pkcs_password under CA-less integration
testsuite.

Fixes: https://pagure.io/freeipa/issue/7182

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
2017-11-10 08:05:21 +01:00
Aleksei Slaikovskii
905ab93c95 Prevent installation with single label domains
Adds validation to prevent user to install ipa with single label
domain.

https://pagure.io/freeipa/issue/7207

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-11-09 11:32:31 +01:00
Stanislav Laznicka
983234c91b
caless tests: decode cert bytes in debug log
Bytes would cause the logger to throw up while interpolating the
string.

Reviewed-By: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-08 07:58:46 +01:00
Stanislav Laznicka
a3009b392a
caless tests: make debug log of certificates sensible
CA-less tests debug logging uses representation of a variable
containing the certificate object, which does not help very much.
Use the actual DER representation of the certificate on such places.

Reviewed-By: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-08 07:58:46 +01:00
Michal Reznik
02c1d0e8e5
test_external_dns: add missing test cases
Add NTP, ipa-ca and ADTrust system records tests. Also test if
changes are being reflected when uninstalling a host.

The test cases are added as extension into test_dns_locations suite.

https://pagure.io/freeipa/issue/6091

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-11-07 10:17:17 +01:00
Michal Reznik
5e4f76b043
test_caless: open CA cert in binary mode
When running test_caless suite in py3 we need to open CA cert in
binary mode so we can provide bytes later for python-cryptography.

https://pagure.io/freeipa/issue/7131

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-11-06 16:53:14 +01:00
Michal Reznik
59e136e8ba
test_forced_client: decode get_file_contents() result
Decode get_file_contents() in order to not get bytes when running py3

https://pagure.io/freeipa/issue/7131

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-11-06 16:51:00 +01:00
Felipe Barreto
16da7c612e
Fix log capture when running pytests_multihosts commands
The pytests_plugins/integration/config.py::Config class
provides the get_logger method in order to customize the
default log of the plugin.

Previously, before commit 07229c8ff6,
the code was using ipa_log_manager, a custom log solution. After
moving to use the default python way, the log is not configured anymore.

This PR address it changing the level to DEBUG in order to capture
the output of pytest_multihosts commands.

As an example, when running `ipa-server-install`, you will be able
to see an output like this:
```
[[...].Host.master.cmd2] Checking DNS domain ipa.test, please wait ...
[[...].Host.master.cmd2]
[[...].Host.master.cmd2] The log file for this installation can be found in /var/log/ipaserver-install.log
[[...].Host.master.cmd2] ==============================================================================
[[...].Host.master.cmd2] This program will set up the FreeIPA Server.
[[...].Host.master.cmd2]
[[...].Host.master.cmd2] This includes:
[[...].Host.master.cmd2]   * Configure a stand-alone CA (dogtag) for certificate management
[[...].Host.master.cmd2]   * Configure the Network Time Daemon (ntpd)
[[...].Host.master.cmd2]   * Create and configure an instance of Directory Server
[[...].Host.master.cmd2]   * Create and configure a Kerberos Key Distribution Center (KDC)
```

Fixes: https://pagure.io/freeipa/issue/7186
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-11-06 16:22:18 +01:00
Tomas Krizek
1d190092d3
ipatests: collect logs for external_ca test suite
Since test_external_ca isn't using the multihost framework,
logs collection has to be set up explicitly.

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Felipe Barreto <fbarreto@redhat.com>
2017-11-06 14:05:25 +01:00
Stanislav Laznicka
4cc9451271 x509: remove subject_base() function
The x509.subject_base() function is only used in tests. During
the recent certificate refactoring, we had to get rid of the
ipalib.x509 import from the module scope so that there were no
circular dependecies and add it exactly to this funcion which
is not used in the production code.

Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-01 07:55:04 +01:00
Stanislav Laznicka
c9265a7b05 x509: remove the strip_header() function
We don't need the strip_header() function, to load an unknown
x509 certificate, load_unknown_x509_certificate() should be used.

Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-01 07:55:04 +01:00
Stanislav Laznicka
71a8026496
py3: pass raw entries to LDIFWriter
LDIFWriter.unparse() expects the scalar values of the attributes
of the entries to be bytes as it applies a byte regular expression
to check whether to base64-encode the values or not. Previously,
we were passing the scalar attribute values as strings which
was breaking the LDIFWriter.unparse() exectution.

https://pagure.io/freeipa/issue/7131

Reviewed-By: Felipe Barreto <fbarreto@redhat.com>
2017-10-26 12:43:47 +02:00
Stanislav Laznicka
0d7daf0495 Remove pkcs10 module contents
This removes pkcs10 module contents and adds a warning message
about its future removal.

https://pagure.io/freeipa/issue/7131
2017-10-25 09:46:41 +02:00
Stanislav Laznicka
f350b5698a Add tests for CertificateSigningRequest
https://pagure.io/freeipa/issue/7131
2017-10-25 09:44:37 +02:00
Tomas Krizek
be6f1a67cb
ipatests: set default 389-ds log level to 0
During integration tests, the log level of 8192 (replication debugging)
was excessive and made reading 389-ds logs very hard without providing
any useful information.

Part of: https://pagure.io/freeipa/issue/7162
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-10-23 18:13:36 +02:00
Felipe Barreto
be66eadb62
Fixing tox and pylint errors
Fixing import errors introduced by commits
icac3475a0454b730d6e5b2093c2e63d395acd387 and
0b7d9c5.

https://pagure.io/freeipa/issue/7132

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-10-23 18:11:30 +02:00
Christian Heimes
b29db07c3b Use os.path.isfile() and isdir()
Replace custom file_exists() and dir_exists() functions with proper
functions from Python's stdlib.

The change also gets rid of pylint's invalid bad-python3-import error,
https://github.com/PyCQA/pylint/issues/1565

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-10-20 12:27:19 +02:00
Petr Čech
3a0410267f ipatests: Fix on logs collection
If the function `install_kra` or `install_ca` fails
on call `host.run_command(command, raiseonerr=raiseonerr)`
then the logs are not collected.

This situation is not optimal because we need to see what happend
during the debbuging the tests.

So, this patch solves this situation and it adds try--finally
construction.

https://pagure.io/freeipa/issue/7214

Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2017-10-18 17:01:53 +02:00
Abhijeet Kasurde
c8dbd0cfbe
tests: correct usage of hostname in logger in tasks
This fix adds correct usage of host.hostname in logger.

Fixes: https://pagure.io/freeipa/issue/7190

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-10-18 12:13:55 +02:00
Felipe Barreto
3822120077 Fixing param-{find,show} and output-{find,show} commands
Now, the criteria option is working for both commands
and the commands are able to handle with wrong input values.

https://pagure.io/freeipa/issue/7134

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-10-17 13:42:11 +02:00
David Kupka
53abf0105b
tests: Add LDAP URI to ldappasswd explicitly
Tests should always rely on api.env.* values when possible.
Without this running the tests remotely can result in errors such
as ldap{search,modify,passwd} attempting to connect to the
wrong URI and failing.

https://fedorahosted.org/freeipa/ticket/6622

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-10-13 17:03:23 +02:00
Michal Reznik
a2a6cf381e tests: add host zone with overlap
This patch is mainly for test_forced_client_reenrolment suite
where when we are not in control of our client DNS we create an
overlap zone in order to get the host records updated. This also
sets resolv.conf before every ipa-client-install to the ipa master.

https://pagure.io/freeipa/issue/7124

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2017-10-11 13:06:57 +02:00
Michal Reznik
3b5e979334 tests_py3: decode get_file_contents() result
When running tests in python3 we get bytes object instead of
bytestring from get_file_contents() and when passing it to
run_command() we later fail on concatenation in shell_quote().

https://pagure.io/freeipa/issue/7131

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-10-06 09:22:37 +02:00
Stanislav Laznicka
af1b8513ab Remove the message attribute from exceptions
This is causing python2 tests print ugly warnings about the
deprecation of the `message` attribute in python2.6.

https://pagure.io/freeipa/issue/7131

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-06 09:19:46 +02:00
Michal Reznik
f2b32759b9 test_caless: add caless to external CA test
Add caless to external CA test as the suite is currently
missing one.

https://pagure.io/freeipa/issue/7155

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-10-04 10:18:11 +02:00
Fraser Tweedale
d43cf35cca Add tests for external CA profile specifiers
Part of: https://pagure.io/freeipa/issue/6858

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-04 10:09:18 +02:00
Michal Reznik
7902fc9a06 test_external_ca: switch to python-cryptography
Switch external CA generation from certutil to python-cryptography
as this way of handling the certificates should be more readable,
maintainable and extendable (e.g. extensions handling).

Also as external CA is now a separate module we can import it and
use elsewhere.

https://pagure.io/freeipa/issue/7154

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-09-27 11:51:20 +02:00
Fraser Tweedale
ee87b66bd3
py3: fix pkcs7 file processing
https://pagure.io/freeipa/issue/7131

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-09-22 11:57:15 +02:00
Alexander Bokovoy
8661611d3e OTP import: support hash names with HMAC- prefix
Refactor convertHashName() method to accept hash names prefixed with
HMAC- or any other prefix. Extending the method should be easier in
future.

Add tests proposed by Rob Crittenden to make sure we don't regress
with expected behavior of convertHashName().

Fixes https://pagure.io/freeipa/issue/7146

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-09-18 11:37:31 +02:00
Stanislav Laznicka
c8161fc40c certmap testing: fix wrong cert construction
`bytes` instances have no `.format()`, we can simply base64 decode
the certificate and load it as DER instead.

https://pagure.io/freeipa/issue/7131

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-09-14 14:06:09 +02:00
Stanislav Laznicka
fab589d7f5 pylint: disable __hash__ for some classes
pylint requires all classes implementing __eq__ to also implement
__hash__. We disable hashing for the classes that miss the ability,
should they ever be required to use it, it can be implemented then.

https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-09-08 15:42:07 +02:00
Stanislav Laznicka
f2701f3a0b pylint: make unsupported-assignment-operation check local
unsupported-assignment-operation is useful at times, make it only
local, not global.

https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-09-08 15:42:07 +02:00
Florence Blanc-Renaud
a077c705fe
Fix ipa config-mod --ca-renewal-master
commit bddb90f38a added the support for
multivalued server attributes (for pkinit_server_server), but this
introduced an API change where the setter and getter of ServerAttribute
are expecting list of values.

When a SingleValuedServerAttribute is used, we need to convert one elem
into a list containing this elem and vice-versa, so that the ipa config-mod
and ipa config_show APIs are not modified.

https://pagure.io/freeipa/issue/7120

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-09-05 14:13:46 +02:00
Nathaniel McCallum
bc05ab9922
ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace
For some unknown reason, when I wrote the ipa-otptoken-import script
I used bad input data which had the PBKDF2 parameters in the wrong
XML namespace. I have corrected this input data to match RFC 6030.

https://pagure.io/freeipa/issue/7035

Signed-off-by: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-09-01 10:50:34 +02:00
Tomas Krizek
4028f1aebb
ipatests: collect log after ipa-ca-install
Make sure logs are collected after calling ipa-ca-install command.

Related: https://pagure.io/freeipa/issue/7060

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-08-31 13:41:27 +02:00
David Kupka
bda3dd722b
tests: certmap: Add test for user-{add,remove}-certmap
https://pagure.io/freeipa/issue/7105

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-18 11:40:21 +02:00
David Kupka
7bce62d5d4
tests: tracker: Add CertmapdataMixin tracker
https://pagure.io/freeipa/issue/7105

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-18 11:40:21 +02:00
David Kupka
e574f5d65e
tests: certmap: Add test for certmapconfig-{mod,show}
https://pagure.io/freeipa/issue/7105

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-18 11:40:21 +02:00
David Kupka
0ccde44501
tests: tracker: Add CertmapconfigTracker to tests certmapconfig-* commands
https://pagure.io/freeipa/issue/7105

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-18 11:40:21 +02:00
David Kupka
eabd397154
tests: certmap: Test permissions for certmap
https://pagure.io/freeipa/issue/7105

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-18 11:40:21 +02:00
David Kupka
c6a43ffcad
tests: certmap: Add basic tests for certmaprule commands
https://pagure.io/freeipa/issue/7105

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-18 11:40:21 +02:00
David Kupka
aee200816e
tests: tracker: Add CertmapTracker for testing certmap-* commands
https://pagure.io/freeipa/issue/7105

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-18 11:40:21 +02:00
David Kupka
3113bfb0cf
tests: tracker: Add ConfigurationTracker to test *config-{mod,show} commands
https://pagure.io/freeipa/issue/7105

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-18 11:40:21 +02:00
David Kupka
7b015a2e76
tests: tracker: Add EnableTracker to test *-{enable,disable} commands
https://pagure.io/freeipa/issue/7105

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-18 11:40:21 +02:00
David Kupka
ac7712c93e
tests: tracker: Split Tracker into one-purpose Trackers
There are multiple types of entries and objects accessible in API and not all
of them have the same set methods. Spliting Tracker into multiple trackers
should reflect this better.

https://pagure.io/freeipa/issue/7105

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-18 11:40:21 +02:00
Michal Reznik
a3c99367bf
test_caless: add SAN dNSName extensions for wildcard tests
It may happen that FQDN does not match with the domain mapped to
the host. In this case we add wildcard for both domains.

https://pagure.io/freeipa/issue/7100

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-08-11 13:53:44 +02:00
Abhijeet Kasurde
8d3924dc98
Vault testcase improvement
* Collect logs for install KRA

Related: https://pagure.io/freeipa/issue/7098

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-08-11 12:13:21 +02:00
Michal Reznik
1ff356241c
test_caless: add replica ca-less to ca-full test (master caless)
Add replica ca-less to ca-full test when master stays caless. Cover
Pagure issue: https://pagure.io/freeipa/issue/6226

https://pagure.io/freeipa/issue/7086

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-08-11 12:04:32 +02:00
Michal Reznik
7a5b1cc140
test_caless: add server_replica ca-less to ca-full test
Add server_replica ca-less to ca-full test as we are currently missing
one. Cover Pagure issue: https://pagure.io/freeipa/issue/6207

https://pagure.io/freeipa/issue/7086

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-08-11 12:04:32 +02:00
Michal Reznik
4caabb140e
tests: fix external_ca test suite failing due to missing SKI
external_ca test suite is failing during installation due to
missing SKI extension.

https://pagure.io/freeipa/issue/7099

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-08-11 10:54:05 +02:00
Stanislav Laznicka
5a44ca6383 Create a Certificate parameter
Up until now, Bytes parameter was used for certificate parameters
throughout the framework. However, the Bytes parameter does nothing
special for certificates, like validation, so this had to be done
for each of the parameters which were supposed to represent a
certificate.

This commit introduces a special Certificate parameter which takes
care of certificate validation so this does not have to be done
separately. It also makes sure that the certificates represented by
this parameter are always converted to DER format so that we can work
with them in a unified manner throughout the framework.

This commit also makes it possible to pass bytes directly during
instantiation of the Certificate parameter and they are still
represented correctly after their conversion in the _convert_scalar()
method.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Stanislav Laznicka
bf4dae70e0 tests: fix failing HTTPS connection
Recent certificate refactoring probably unclogged some failure
in handling certificates which causes test_changepw to correctly
fail since it is trying to connect using an HTTPS connection
without the CA certificate. This patch adds the CA cert to the
connection.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Stanislav Laznicka
b5732efda6 x509: Make certificates represented as objects
https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Stanislav Laznicka
4375ef860f Split x509.load_certificate() into PEM/DER functions
Splitting the load_certificate() function into two separate helps
us word the requirements for the input explicitly. It also makes
our backend similar to the one of python-cryptography so eventually
we can swap python-cryptography for IPA x509 module.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Michal Reznik
284658e08e test_caless: remove xfail in wildcard certificate tests
As we are now generating proper wildcard certificates, remove xfail
in wildcard certificate tests.

https://pagure.io/freeipa/issue/5603

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-07-26 16:02:18 +02:00
Tomas Krizek
ba5f7afedc logging: make sure logging level is set to proper value
During py.test initialization, the value 'debug' is passed instead
of logging.DEBUG.

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2017-07-26 15:57:56 +02:00
Michal Reznik
64375ba65b
test_caless: introduce new python makepki + fix SKI extension issue
Change makepki.sh for new makepki.py which should be more
readable, maintainable and extendable than the old script.
In this test we use it as a module and import create_pki().

The new makepki adds SKI and AKI extensions for correct
cert validation.

Other minor changes needed as we do not use NSS to store our
certificates on the test controller.

https://pagure.io/freeipa/issue/7030

Signed-off-by: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-07-21 09:49:18 +02:00
Jan Cholasta
07229c8ff6 logging: do not use ipa_log_manager to create module-level loggers
Replace all `ipa_log_manager.log_mgr.get_logger` calls to create
module-level loggers with `logging.getLogger` calls and deprecate
`ipa_log_manager.log_mgr.get_logger`.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
7a482b7c72 logging: do not log into the root logger
Deprecate `ipa_log_manager.root_logger` and replace all calls to it with
module-level logger calls.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
ffadcb0414 logging: remove object-specific loggers
Remove all object-specific loggers, with the exception of `Plugin.log`,
which is now deprecated. Replace affected logger calls with module-level
logger calls.

Deprecate object-specific loggers in `ipa_log_manager.get_logger`.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
f62a0fdb90 logging: port to standard Python logging
Use the standard `logging` module to configure logging instead of the
in-house `ipapython.log_manager` module and remove `ipapython.log_manager`.

Disable the logging-not-lazy and logging-format-interpolation pylint
checks.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Tomas Krizek
7f8d79f637
ipatests: do not finalize api when IPA is not configured
Pytest can be executed from a machine that doesn't have IPA configured.
In this case, api can't be finalized because values such as basedn are
unknown and missing.

Fixes https://pagure.io/freeipa/issue/7046

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 09:12:36 +02:00
Tibor Dudlák
19f3eda790 Add test: test_xmlrpc/test_whoami_plugin.py
Tests for whoami command with user,
host, and service principal's tgt.

Resolves: https://pagure.io/freeipa/issue/6745
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2017-07-12 15:54:55 +02:00
Jan Cholasta
8f849a77f5 test_ldap: drop redundant URI argument
Use the default LDAP URI from api.env.ldap_uri instead of specifying a
custom URI in the argument. The default URI might be ldapi://, so make sure
autobind is not attempted where the custom URI was ldap://.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-07-04 12:06:33 +02:00
Martin Basti
902f736a2b py3: test_otptoken_import: fix bytes usage
https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-28 16:26:50 +02:00
Martin Basti
637d259361 py3: ipa_otptoken_import: fix hex decoding
codecs.decode() must be used instead of .decode() method

https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-28 16:26:50 +02:00
Martin Basti
8416d5772d py3: Remove comparison >=2 of debnug log level
We have only one debug log level and it causes issues with py3.
...
  File "/usr/lib/python3.5/site-packages/ipaserver/rpcserver.py", line 490, in marshal
    response, version, pretty_print=self.api.env.debug >= 2
TypeError: unorderable types: str() >= int()

https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-28 16:26:50 +02:00
Martin Basti
10d4fb7ea8 py3: test_location_plugin: fix iteration over changed dict
In py3 dict.items() doesn't return list so we must create a list to
avoid changing dictionary over iteration.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-23 14:45:05 +02:00
Martin Basti
8116a7b450 py3: test_kerberos_principal_aliases: fix code scope
In py3 the variable is valid only in the block where it is defined. We
must move test definition to global scope.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-23 14:45:05 +02:00
Martin Basti
6024165101 CheckedIPAddress: remove match_local param
This parameter is unused in code. We are no longer testing if IP address
matches an interface in constructor.

https://pagure.io/freeipa/issue/4317

Reviewed-By: David Kupka <dkupka@redhat.com>
2017-06-20 11:29:41 +02:00
Stanislav Laznicka
f827fe0f19 cert-validate: keep all messages in cert validation
Previous attempt to improve error messages during certificate
validation would only work in English locale so we're keeping
the whole NSS messages for all cases.

https://pagure.io/freeipa/issue/6945

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-16 16:04:00 +02:00
Tomas Krizek
44e3496bd1 ipatests: do not collect systemd journal when logfile_dir is missing
If logs aren't collected to logfile_dir, skip collection of systemd
journal.

Related https://pagure.io/freeipa/issue/6971

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-06-15 13:52:50 +02:00
Tomas Krizek
48b7e83511 ipatests: add systemd journal collection for multihost tests
Some messages are only logged in journal. Collection of journal
makes debugging failed tests from logs easier.

Fixes: https://pagure.io/freeipa/issue/6971

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-01 11:50:44 +02:00
Tomas Krizek
906c4c9459 ipatests: change logdir naming pattern for multihost tests
Remove brackets from the paths in naming pattern of directories
for multihost logs. Brackets in filenames require special handling
in markdown URLs, bash paths etc.

Related: https://pagure.io/freeipa/issue/6971

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-01 11:50:44 +02:00
Fraser Tweedale
5f0e13ce9c ca-add: validate Subject DN name attributes
If the Subject DN is syntactically valid but contains unrecognised
name attributes, FreeIPA accepts it but Dogtag rejects it, returning
status 400 and causing the framework to raise RemoteRetrieveError.

Update the ca-add command to perform some additional validation on
the user-supplied Subject DN, making sure that we recognise all the
attributes.

Fixes: https://pagure.io/freeipa/issue/6987
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
2017-06-01 09:28:36 +02:00
Martin Babinsky
1e5f55e791 Do not delete DS and PKI users during backup/restore tests
Since the creation of DS and PKI users is now handled by RPMs and not at
runtime in FreeIPA 4.5.x, we should no longer remove them during
backup/restore tests.

https://pagure.io/freeipa/issue/6956

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-30 13:31:28 +02:00
Martin Babinsky
2624cf2e4c test_backup_restore: do not fail on missing KrbLastSuccessfulAuth
Since FreeIPA 4.5.1 now sets 'Disable last successful auth' option by
default (see https://pagure.io/freeipa/issue/5313), the
'KrbLastSuccessfulAuth' may not always be present on the user entry. The
restored entry checker in backup/restore suite should consider this.

https://pagure.io/freeipa/issue/6956

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-30 13:31:28 +02:00
Christian Heimes
090eadbe4e Reimplement yield tests are parametrized tests
https://pagure.io/freeipa/issue/6591

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-30 12:28:51 +02:00
Christian Heimes
af140b0bc1 Silence pytest.yield_fixture deprecation warning
pytest >= 2.10 supports yield based fixtures with pytest.fixture. In
pytest < 2.10 pytest.yield_fixture is required. But that function
also raises a deprecation warning in pytest >= 3.0. FreeIPA has to stay
compatible with pytest < 2.10 for RHEL 7 testing.

https://docs.pytest.org/en/latest/fixture.html#fixture-finalization-executing-teardown-code

https://pagure.io/freeipa/issue/6591

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-30 12:28:51 +02:00
Martin Babinsky
58fd229a1d test_serverroles: Get rid of MockLDAP and use ldap2 instead
The test fixture haphazardly intermixed MockLDAP and ldap2 calls in
setup and teardown code, greatly hampering extension of the code and
also porting efforts to Python 3. Get rid of MockLDAP and use ldap2 for
all LDAP operations.

https://pagure.io/freeipa/issue/6937

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-26 16:11:40 +02:00
Martin Babinsky
d8bb23ac38 Add an attribute reporting client PKINIT-capable servers
A new multi-valued server attribute `pkinit_server` was added which
reports IPA masters that have PKINIT configuration usable by clients.

The existing tests were modified to allow for testing the new attribute.

https://pagure.io/freeipa/issue/6937

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-26 16:11:40 +02:00
Martin Babinsky
bddb90f38a Allow for multivalued server attributes
In order to achieve the task, the following changes were required:

* vectorize the base class for server attributes
* add a child class that enforces single-value attributes. It still
  accepts/returns single-value lists in order to not break Liskov
  substitution principle
* Existing attributes inherit from the child class

https://pagure.io/freeipa/issue/6937

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-26 16:11:40 +02:00
Michal Reznik
d5e84d7065 test_caless: mark TestCertinstall intermediate CA tests as xfail
mark TestCertinstall intermediate CA tests (http, ds) as xfail
until #6959 is solved

https://pagure.io/freeipa/issue/6959

Signed-off-by: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-19 12:38:54 +02:00
Michal Reznik
f7c4039e41 test_caless: add pkinit option and test it
change "caless-create-pki" so pkinit certificates can be
generated.

See https://web.mit.edu/kerberos/krb5-1.13/doc/admin/pkinit.html for details.

add pkinit option to the ipa installer and test both master and replica
install with pkinit.

https://pagure.io/freeipa/issue/6854

Signed-off-by: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-19 12:38:54 +02:00
Stanislav Laznicka
3d969d7bad Provide useful messages during cert validation
When the certificate validation was replaced, some error messages
were omitted (like "Peer's certificate expired."). Bring these back.

https://pagure.io/freeipa/issue/6945

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-05-18 17:32:59 +02:00
Felipe Volpone
d973168e89 Fixing the cert-request comparing whole email address case-sensitively.
Now, the cert-request command compares the domain part of the
email case-insensitively.

https://pagure.io/freeipa/issue/5919

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-05-16 09:50:22 +02:00
Christian Heimes
26ab51ddf4 Correct PyPI package dependencies
* Remove unused install requires from ipapython
* Add missing requirements to ipaserver
* Correct dependencies for yubico otptoken
* Add explicit dependency on cffi for csrgen
* Python 2 uses python-ldap, Python 3 pyldap

https://pagure.io/freeipa/issue/6875

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-04-26 12:31:11 +02:00
Gabe
38276d3473 Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
- Update get_attr_filter in LDAPSearch to handle nsaccountlock by setting the default value for
  nsaccountlock to false as well as update the filter to check for the default value
- Remove pytest xfail for test_find_enabled_user

https://pagure.io/freeipa/issue/6896

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-26 10:20:42 +00:00
Michal Reznik
2493f81204 - added krb5kdc.log to pytest logging
KRB5KDC_LOG = '/var/log/krb5kdc.log' added to paths
host.collect_log(paths.KRB5KDC_LOG) added to tasks.py

Signed-off-by: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2017-04-12 17:34:32 +02:00
Christian Heimes
3a5b3be8b9 tox testing support for client wheel packages
Add tox infrastructure to test client wheel packages workflow:

* build client packages
* install client packages
* ipa-run-tests --ipaclient-unittests under Python 2 and 3
* pylint of client packages under Python 2 and 3
* placeholder packages work as expected

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-04-12 16:53:22 +02:00
Martin Basti
e8f2a415b3 Fix PKCS11 helper
Slots in HSM are not assigned statically, we have to chose proper
slot from token label.

Softhsm i2.2.0 changed this behavior and now slots can change over
time (it is allowed by pkcs11 standard).

Changelog:
* created method get_slot() that returns slot number from
  used label
* replaces usage of slot in __init__ method of P11_Helper
  with label
* slot is dynamically detected from token label before
  session is opened
* pkcs11-util --init-token now uses '--free' instead '--slot'
  which uses first free slot (we don't care about slot numbers
  anymore)

https://pagure.io/freeipa/issue/6692

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-04-12 09:54:10 +02:00
Florence Blanc-Renaud
342dccea47 tests: add non-reg for idrange-add
Add non regression test for issue 6404: when idrange-add is called with
empty dom-name, the command returns
ipa: ERROR: an internal error has occurred

https://pagure.io/freeipa/issue/6404

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-04-07 12:45:32 +02:00
Martin Basti
fd597f83ae collect audit.log for easier selinux investigation
Audit log contains useful information about selinux issues

Reviewed-By: Milan Kubik <mkubik@redhat.com>
2017-04-06 10:08:54 +02:00
Ben Lipton
136c6c3e2a csrgen: Change to pure openssl config format (no script)
https://pagure.io/freeipa/issue/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-03 07:46:30 +00:00
Ben Lipton
5420e9cfbe csrgen: Remove helper abstraction
All requests now use the OpenSSL formatter. However, we keep Formatter
a separate class so that it can be changed out for tests.

https://pagure.io/freeipa/issue/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-03 07:46:30 +00:00