https://github.com/rthalley/dnspython/issues/343 documents broken use of
hashes in dns.dnssec.make_ds() and other python-dns methods. This is a
regression introduced with python-dns 1.16.
Mark the test as expecting to fail until python-dns is fixed in Fedora.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The following test was missing from all nightlies:
- test_integration/test_crlgen_manage.py
The following tests was missing from nightly_f29:
- test_integration/test_smb.py
The following test was missing from nightly_rawhide:
- test_integration/test_smb.py
Note: nightly_f28 not updated as we stopped testing on f28.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Verify that FreeIPA can be installed with an external CA that has a name
constraints extension.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Move common and error messages to class scope to be reused again.
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add interactive configuration tests for
ipa-server-install and ipa-client-install
FreeIPA server as it is now is unable to
configure NTP interactively for replica
installations.
Resolves: https://pagure.io/freeipa/issue/7908
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When moving a preserved user to the stage area, check that the
custom attributes are not lost ( = the attr for which there is
no specific user_stage option).
Test scenario:
- add a stage user with --setattr "businesscategory=value"
- activate the user, check that businesscategory is still present
- delete (preserve) the user, check that attr is still present
- stage the user, check that attr is still present
Related: https://pagure.io/freeipa/issue/7597
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
config_replica_resolvconf_with_master_data() is not replica specific.
Rename to config_host_resolvconf_with_master_data() as it is not tied
to any role (master, replica, client).
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Previously test_nfs.py would implement its own method to configure
resolv.conf leading to cleanup failures in some cases.
Use tasks.config_replica_resolvconf_with_master_data() instead.
Also simplify and fix client uninstall.
Fixes: https://pagure.io/freeipa/issue/7949
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Test scenario:
- create a hostgroup
- create a host
- create an automember rule for the hostgroup with a condition fulfilled
by the host
- delete the hostgroup
- call automember-rebuild (1)
- call automember-find-orphans to remove the orphan automember group
- call automember-rebuild(2)
The test was expecting the first rebuild command to fail but this
assumption is not true if the DS version is >= 1.4.0.22 because of the
fix for https://pagure.io/389-ds-base/issue/50077
Modify the test so that it expects failure only when DS is older.
Fixes: https://pagure.io/freeipa/issue/7902
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Problem: After adding ldap_deref_threshold=0 setting for sssd on master for
performance enhancement ssh from ipa client was failing
Test Procedure:
1. setup a master
2. add ldap_deref_threshold=0 to sssd.conf on master
3. add an ipa user
4. ssh from controller to master using the user created in step 3
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The azure pipeline defines a "prepare build" step that
installs the FreeIPA development dependencies but the
step does not report failures of the dnf builddep command.
As a consequence, subsequent steps may fail (for instance
because of components not installed such as tox) but are
hard to diagnose.
The fix reports the command failure.
Fixes: https://pagure.io/freeipa/issue/8022
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Problem:
If a replica installation fails before all the services have been enabled then
it could leave things in a bad state.
ipa-replica-manage del <replica> --cleanup --force
invalid 'PKINIT enabled server': all masters must have IPA master role enabled
Test Steps:
1. Setup server
2. Setup replica
3. modify the replica entry on Master:
dn: cn=KDC,cn=<replica hostname>,cn=masters,cn=ipa,cn=etc,dc=<test>,dc=<realm>
changetype: modify
delete: ipaconfigstring
ipaconfigstring: enabledService
dn: cn=KDC,cn=<replica hostname>,cn=masters,cn=ipa,cn=etc,dc=<test>,dc=<realm>
add: ipaconfigstring
ipaconfigstring: configuredService
4. On master,
run ipa-replica-manage del <replicaFQDN> --cleanup --force
Related Ticket: https://pagure.io/freeipa/issue/7929
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add tests for remaining untested scenarios of --external-ca-profile
handling in ipa-server-install.
ipa-ca-install and ipa-cacert-manage remain untested at present.
Fixes: https://pagure.io/freeipa/issue/7548
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
As we expand the integration tests for external CA functionality, it
is helpful (and avoids duplication) to use the MSCSTemplate*
classes. These currently live in ipaserver.install.cainstance, but
ipatests is no longer permitted to import from ipaserver (see commit
81714976e5e13131654c78eb734746a20237c933). So move these classes to
ipalib.
Part of: https://pagure.io/freeipa/issue/7548
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Try to create a certmap rule that mentiones altSecurityIdentities in its
mapping rule but uses IPA domain to apply to. It should fail with
ValidationError.
Related: https://pagure.io/freeipa/issue/7932
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Azure Pipelines provide counters for running test jobs, these split into
System.StageAttempt and System.PhaseAttempt. Use them to make test
artifacts unique.
For XML test results we don't need to name them differently as they
aren't uploaded as artifacts but rather presented in a separate test
pane.
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Fedora nodejs builds were fixed, we don't need to limit ourselves
anymore.
Also, make sure python3-pyyaml is installed because pylint in Fedora 31
detects its use in contribs/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
The unit tests execution time within Azure Pipelines(AP) is not
balanced. One test job(Base) takes ~13min, while another(XMLRPC)
~28min. Fortunately, AP supports slicing:
> An agent job can be used to run a suite of tests in parallel. For
example, you can run a large suite of 1000 tests on a single agent.
Or, you can use two agents and run 500 tests on each one in parallel.
To leverage slicing, the tasks in the job should be smart enough to
understand the slice they belong to.
>The step that runs the tests in a job needs to know which test slice
should be run. The variables System.JobPositionInPhase and
System.TotalJobsInPhase can be used for this purpose.
Thus, to support this pytest should know how to split the test suite
into groups(slices). For this, a new internal pytest plugin was added.
About plugin.
- Tests within a slice are grouped by test modules because not all of
the tests within the module are independent from each other.
- Slices are balanced by the number of tests within test module.
- To run some module within its own environment there is a dedicated
slice option (could help with extremely slow tests)
Examples.
- To split `test_cmdline` tests into 2 slices and run the first one:
ipa-run-tests --slices=2 --slice-num=1 test_cmdline
- To split tests into 2 slices, then to move one module out to its own slice
and run the second one:
ipa-run-tests --slices=2 --slice-dedicated=test_cmdline/test_cli.py \
--slice-num=2 test_cmdline
Fixes: https://pagure.io/freeipa/issue/8008
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This is a sort of rollback to the pre #93c158b05 state with
several improvements.
For now, the nodeids calculation by ipa-run-tests is not stable,
since it depends on current working directory. Nodeids (tests
addresses) are utilized by the other plugins, for example.
Unfortunately, the `pytest_load_initial_conftests` hook doesn't
correctly work with pytest internal paths, since it is called
after the calculation of rootdir was performed, for example.
Eventually, it's simpler to follow the default convention for
Python test discovery.
There is at least one drawback of new "old" implementation.
The ignore rules don't support globs, because pytest 4.3.0+
has the same facility via `--ignore-glob`:
> Add the `--ignore-glob` parameter to exclude test-modules with
> Unix shell-style wildcards. Add the collect_ignore_glob for
> conftest.py to exclude test-modules with Unix shell-style
> wildcards.
Upon switching to pytest4 it will be possible to utilize this.
Anyway, tests for checking current basic facilities of
ipa-run-tests were added.
Fixes: https://pagure.io/freeipa/issue/8007
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
With ipa 4.5+, the RA cert is stored in files in
/var/lib/ipa/ra-agent.{key|pem}. The upgrade code handles
the move from /etc/httpd/alias to the files but does not remove
the private key from /etc/httpd/alias.
The fix calls certutil -F -n ipaCert to remove cert and key,
instead of -D -n ipaCert which removes only the cert.
Fixes: https://pagure.io/freeipa/issue/7329
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Establishing trust with partially unavailable AD hosts require usage
of --server option. The new test checks that both commands trust-add
and trust-fetch-domains properly use this option and also that
trust-add correctly passes the server value when imlicitly invoking
trust-fetch-domains.
Relates to: https://pagure.io/freeipa/issue/7895.
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
A previous refactoring of SELinux tests has have a wrong
assumption about the user field separator within
ipaSELinuxUserMapOrder. That was '$$', but should be just '$'.
Actually, '.ldif' and '.update' files are passed through
Python template string substitution:
> $$ is an escape; it is replaced with a single $.
> $identifier names a substitution placeholder matching
> a mapping key of "identifier"
This means that the text to be substituted on should not be escaped.
The wrong ipaSELinuxUserMapOrder previously set will be replaced on
upgrade.
Fixes: https://pagure.io/freeipa/issue/7996
Fixes: https://pagure.io/freeipa/issue/8005
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Display which dnf repositories were available at the
prepare-build step via metalink.
Also display the fastestmirror cache.
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Running commands with sudo as specific user should succeed
when sudo rule has ipasudorunas field defined with value of that user
and domain-resolution-order is defined in ipa config.
Relates to https://pagure.io/SSSD/sssd/issue/3957
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Sometimes the prepare-build step of azure pipelines fails
with download errors:
"configure: error: Package requirements (nspr) were not met:"
This can be due to fastestmirror not being used to check
mirror availability and sometimes speed. Combined with a
too-low default number of retries, and a high timeout this
can lead to download failures that could be avoided.
Activate fastestmirror, add more download workers, and tune
timeout/retries to make dnf more reliable.
Fixes: https://pagure.io/freeipa/issue/7999
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This exercises the removal of 3DES and RC4 via Samba.
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
For now, FreeIPA supports SELinux things as they are in RedHat/Fedora.
But different distributions may have their own SELinux customizations.
This moves SELinux configuration out to platform constants:
- SELINUX_MCS_MAX
- SELINUX_MCS_REGEX
- SELINUX_MLS_MAX
- SELINUX_MLS_REGEX
- SELINUX_USER_REGEX
- SELINUX_USERMAP_DEFAULT
- SELINUX_USERMAP_ORDER
and applies corresponding changes to the test code.
Fixes: https://pagure.io/freeipa/issue/7996
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Introduces new utility to configure Samba on an IPA domain member.
The tool sets up Samba configuration and internal databases, creates
cifs/... Kerberos service and makes sure that a keytab for this service
contains the key with the same randomly generated password that is set
in the internal Samba databases.
Samba configuration is created by querying an IPA master about details
of trust to Active Directory configuration. All known identity ranges
added to the configuration to allow Samba to properly handle them
(read-only) via idmap_sss.
Resulting configuration allows connection with both NTLMSSP and Kerberos
authentication for IPA users. Access controls for the shared content
should be set by utilizing POSIX ACLs on the file system under a
specific share.
The utility is packaged as freeipa-client-samba package to allow pulling
in all required dependencies for Samba and cifs.ko (smb3.ko) kernel
module. This allows an IPA client to become both an SMB server and an
SMB client.
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
