Commit Graph

2259 Commits

Author SHA1 Message Date
Christian Heimes
24a5d4d06b Ensure that KDC cert has SAN DNS entry
The dns parameter of request_and_wait_for_cert() must be a string of
hostnames.

* Enforce list/tuple type so that API misuse no longer passes silently.
* Add commonNameToSANDefaultImpl to KDCs_PKINIT_Certs profile
* Explicitly pass hostname for service certs

Fixes: https://pagure.io/freeipa/issue/8685
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-01-29 13:36:41 -05:00
Rob Crittenden
bd7214b91c ipatests: Update NSSDatabase DBM test on non-DBM-capable installs
The string was updated to include the directory the for the database
but this was not reflected in the test and not picked up because
the tests were executed on Fedora 32 which supports dbm so the
test wasn't executed.

https://pagure.io/freeipa/issue/8675

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-01-29 18:06:15 +01:00
Sergey Orlov
4a1cb7e719
ipatests: rewrite test for requests routing to subordinate suffixes
The original test had some issues:
* it was doing many actions not related to the tested issue which obscured
  actual test scenario
* subordinate suffix was hard coded in the test which prevented the test
  from checking original issue in case AD domain name did not match this
  hard coded value
* Invocation of commands on AD controller was failing in some environments

Other improvements:
* added docstring with test details
* added guard assertions for test preliminary conditions

Related to https://pagure.io/freeipa/issue/8554

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-01-29 16:50:43 +01:00
Florence Blanc-Renaud
296f27dce4 ipatests: fix incomplete nightly def in nightly_previous
The job definition for fedora-previous/test_installation_client
is missing the .py in the test file:
        test_suite: test_integration/test_installation_client
should be instead:
        test_suite: test_integration/test_installation_client.py

Reviewed-By: Armando Neto <abiagion@redhat.com>
2021-01-28 16:30:55 +01:00
Sergey Orlov
2c499e06f1
fix collecting log files which are symlinks
One of the files that are collected after each test is /etc/resolv.conf.
In Fedora 33 this file is actually a symlink. `tar` does not follow
symlinks by default which results in either a broken link in test
artifacts or a symlink pointing to local file on the tests controller
machine.
Fixed by instructing `tar` to resolve the symlinks, so that actual file
pointed by symlink is stored in test artifacts.

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-01-27 17:50:49 +01:00
Stanislav Levin
fdd5ba3f48
ipatests: Don't assume sshd flush its logs immediately
sshd logs are not displayed immediately in journalctl, this results
in the tests checked the corresponding system logs are racy. I can't
find a way to flush ones. So, the best is the periodical reading of
the system log.

Related: https://pagure.io/freeipa/issue/8682
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2021-01-26 19:57:17 +01:00
Alexander Bokovoy
c91a1a078a ipatests: when talking to AD DCs, use FQDN credentials
Samba 4.13+ in Fedora 33+ and RHEL 8.4+ defaults to Kerberos
authentication. This means user name used for authentication must be
mapped to a target realm.

We have to remove trust on AD side first before removing it locally or
otherwise MIT Kerberos might not be able to locate DCs from AD as
removal of the trust information would cause SSSD to clear the details
for a KDC locator plugin as well.

For the test that modifies AD DNS zone on IPA side to inject unreachable
DCs addresses, the configuration has to be reverted first, to allow
plain 'kinit' during removal of trust to reach AD DCs directly.

Fixes: https://pagure.io/freeipa/issue/8678
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-01-26 13:05:27 -05:00
Alexander Bokovoy
642b81e99f test_trust: add tests for using AD users and groups in SUDO rules
Tests test_integration/test_trust.py::TestTrust::test_sudorules_ad_*
check that a user from a trusted AD domain can perform SUDO
authentication without a password for any command based on a direct user
reference or on indirect AD group reference. The test suite also ensures
an AD user and group can be used for runAsUser/runAsGroup settings.

Due to https://github.com/SSSD/sssd/issues/5475 anything added to
'ipaSudoRunAsExtUserGroup' attribute will be prefixed with '%' and thus
any relying on the value of this attribute displayed by 'sudo -l'
command will fail. The test only validates that a proper group name
appears in the 'sudo' output, so we handle both prefixes in the
corresponding test check. It is not possible to differ by the SSSD
version as a fix to the issue is only a patch on top of 2.4.0 in RHEL.

Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-01-26 13:05:27 -05:00
Alexander Bokovoy
09e06e0564 ipatests: fix test_sudorule_plugin's wrong argument use
Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-01-26 13:05:27 -05:00
Florence Blanc-Renaud
0801d4c058 ipatests: fix expected output for ipahealthcheck.ipa.files
With ipa-healthcheck 0.8, the test ipahealthcheck.ipa.files is able
to return a list of possible owners/groups as a comma-separated string
instead of a single owner/group (see commit 930ec5f).

The test output needs to be fixed accordingly.

Fixes: https://pagure.io/freeipa/issue/8662

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-01-22 12:53:44 -05:00
Alexander Bokovoy
54e5ffc000 use a constant instead of /var/lib/sss/keytabs
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-01-22 12:21:33 -05:00
Sergey Orlov
9d19c08269 ipatests: use fully qualified name for AD admin when establishing trust
Changes in https://pagure.io/freeipa/issue/8655 made it impossible
to use AD admin name without domain part in "ipa trust-add" command to
establish external trust with an AD tree domain.
Also use fully qualified admin name by default in all trust related tests
to reduce abiguity

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-01-22 12:21:33 -05:00
Florence Blanc-Renaud
9b2c05affc ipatests: fix discrepancies in nightly defs
- Build is using a prio of 100 while tests use 50, use consistent
values
- fix the requires for test_installation_client

Reviewed-By: Armando Neto <abiagion@redhat.com>
2021-01-22 18:07:46 +01:00
François Cami
6ebfbda203 ipatests: test_ipahealthcheck: fix units
df uses 1024 bytes as its default display value, but this can be
tweaked by environment variables or a CLI knob.
Force the output unit to 1024 bytes using the CLI and parse it
accordingly.

Fixes: https://pagure.io/freeipa/issue/8674
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-01-21 15:46:19 -05:00
Rob Crittenden
767232b478 Remove support for csrgen
This was never feature complete and currently has issues and
we lack the resources to maintain it.

Drop it for now. It can be revived from git history in the
future if we see the need.

https://pagure.io/freeipa/issue/8669

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-01-21 13:51:45 +01:00
Mohammad Rizwan
74b4d7e4df ipatests: Add test_uninstall.py to nightly definitions
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-01-21 13:46:18 +01:00
Mohammad Rizwan
69d480003b ipatests: Test if server setup without dns uninstall properly
IPA server uninstall was failing if dns was not setup.
This test check if it uninstalls propelry.

related: https://pagure.io/freeipa/issue/8630
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-01-21 13:46:18 +01:00
Rob Crittenden
573d66e1f9 ipatests: test the cgroup v2 memory restrictions
Also rename a few tests to hopefully make their purpose clearer.

https://pagure.io/freeipa/issue/8635

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-01-20 15:59:27 +01:00
Florence Blanc-Renaud
279d8b7ec4 ipatests: fix healthcheck test for ipahealthcheck.ds.encryption
389ds is combining the value set in dse.ldif and the current crypto
policy to evaluate the min TLS version that it will be using.
The test needs to change the crypto policy to LEGACY in order to allow
TLS 1.0, because the DEFAULT policy prevents TLS 1.0 on fc33+.

Fixes: https://pagure.io/freeipa/issue/8670

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
2021-01-20 11:19:34 +01:00
Stanislav Levin
9fb222467b ipatests: Raise log level of 389-ds replication
- change log level for replication debugging
  According to the docs:
  ```
  default level of logging(16384) used for critical errors and other
  messages that are always written to the error log. Messages at this
  level are always included in the error log, regardless of the log
  level setting.
  ```

- always flush the access logs to filesystem
  During the testing access logs may be written with delay, this
  results in logs are not collected by this test node, but for example,
  the next one.

- as of now, the changes on `cn=config` are made after the installation
  of server or replica. If an error occurs during these stages, then the
  actual log level will be the default and not as expected.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-01-19 11:23:51 +01:00
Antonio Torres
79d9790c99 Check that IPA cert is added to trust store after server install
Checking that IPA cert has been added to trust
store is needed to verify that installation
of the server is correct. This cert should also
be removed on uninstall to prevent failures
on further installations.

Related: https://pagure.io/freeipa/issue/8614
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2021-01-19 11:21:29 +01:00
Antonio Torres
6f830ae1ad Test that IPA certs are removed on server uninstall
Test that IPA certs are removed after the server uninstall
process. This is needed since if these certs are not
removed from the system store, further installations
will fail.

Related: https://pagure.io/freeipa/issue/8614
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2021-01-19 11:21:29 +01:00
Florence Blanc-Renaud
4a3a39f59f ipatests: fix expected errmsg in TestTrust::test_ipa_commands_run_as_aduser
389ds does not return any more additional information
about a failing bind (to avoid leaking information).

As a consequence, when ipa ping is executed with an AD user
the error message contains less info as in the past and needs to be fixed.

Fixes: https://pagure.io/freeipa/issue/8668
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2021-01-19 10:29:20 +01:00
Rob Crittenden
85d4f2d9c6 Revert "Remove test for minimum ACME support and rely on package deps"
This reverts commit 81c97bb992.

This is to make IPA installable again with older versions of dogtag
so it will install on CentOS 8 Stream.

ACME will not be deployed but on upgrade, if pki 10.10.x is available
then it will be.

https://pagure.io/freeipa/issue/8634

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-01-15 10:07:33 +01:00
Florence Blanc-Renaud
6e0634bd72 ipatest: fix test_upgrade.py::TestUpgrade::()::test_kra_detection
Modify the test scenario in order to be independant from PKI
behavior. The aim of the test is to ensure that the KRA
detection is not based on the presence of the directory
/var/lib/pki/pki-tomcat/kra/.
Previously the test was calling ipa-server-upgrade but this cmd
may fail even with the kra detection fix because of an issue in
pki (https://github.com/dogtagpki/pki/issues/3397).
Instead of exercising the whole ipa-server-upgrade command, the
test now checks the output of the API kra.is_installed() to validate
KRA detection mechanism.

Fixes: https://pagure.io/freeipa/issue/8653
Related: https://pagure.io/freeipa/issue/8596

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2021-01-14 14:56:26 +01:00
Rob Crittenden
dfa084217e ipatests: See if nologin supports -c before asserting message
Per the ssh_config(5) man page under ProxyCommand:

"The command string extends to the end of the line, and is
executed using the user's shell ‘exec’ directive to avoid a
lingering shell process."

<shell> -c <proxy command>

Some older versions of nologin (RHEL/CentOS) do not support
the -c option so will still fail but since nologin doesn't
actually execute properly it doesn't include the output
'This account is currently not available' so don't assert
in that case. The returncode of 1 is sufficient to know
that the login is denied.

https://pagure.io/freeipa/issue/7676

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-01-13 17:44:20 +01:00
Rob Crittenden
8dd2eb45c6 ipatests: test that modifying a permission attrs handles failure
Add a test to ensure that a change to a permission that will
result in an invalid ACI is rolled back.

https://pagure.io/freeipa/issue/8646

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-01-13 13:50:45 +01:00
Armando Neto
3e8e836544
ipatests: update PR-CI templates to Fedora 33
Gating tests are still on Fedora 32 because some tests are failing.

Rest is being updated to unblock nightly runs:
- "previous" updated to Fedora 32
- "latest" updated to Fedora 33
- 389ds, testing and pki definitions updated to Fedora 33

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-01-13 09:35:43 -03:00
Rob Crittenden
e619c9f448 Remove invalid test case for DNS SRV priority
Upstream dnspython 2.1.0 introduced additional error checking
on SRV values and now rejects invalid priorities.

Remove the sorting test for priority of -1.

https://pagure.io/freeipa/issue/8650

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-01-09 16:41:03 +01:00
Florence Blanc-Renaud
98711e8edf ipatests: add test_ipa_cert_fix to the nightly definitions
Add the new test test_integration/test_ipa_cert_fix.py to the
nightly definitions.

Related: https://pagure.io/freeipa/issue/8618
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-01-07 16:21:16 +01:00
Florence Blanc-Renaud
b8ece644e8 ipatests: add a test for ipa-cert-fix
Add a new test for ipa-cert-fix issue 8618. When the CSR for one
of the certs to be renewed is missing from /etc/pki/pki-tomcat/{ca|kra}/CS.cfg
ipa-cert-fix fails to renew the certificates.

Test scenario:
move the date in the future to expire PKI system certificates (+3 years)
delete the directive ca.sslserver.certreq from CS.cfg
call ipa-cert-fix and ensure that the CSR was found

Related: https://pagure.io/freeipa/issue/8618

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-01-07 16:21:16 +01:00
Rob Crittenden
8e9fecd72a ipatests: test that no errors are reported after ipa-certupdate
The CA tracking request was modified to drop the profile which
was caught by ipa-healthcheck. Run ipa-certupdate then
ipa-healthcheck to confirm that no problems are introduced.

https://pagure.io/freeipa/issue/8644

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-01-07 14:01:26 +01:00
Sergey Orlov
b707af1c68
ipatests: do not set dns_lookup to true
dns_lookup was set to false during ipa client installation which prevented
searches for SRV records for Kerberos servers.
Since https://pagure.io/freeipa/issue/6523 is fixed, dns_lookup is always True
now and the fixture is not needed anymore.

Reviewed-By: Francois Cami <fcami@redhat.com>
2021-01-07 13:36:28 +01:00
Florence Blanc-Renaud
1086f7a70f ipatests: clear initgroups cache in clear_sssd_cache
The tasks module provides a method to clear sssd cache,
but the method does not remove the file /var/lib/sss/mc/initgroups.

Update the method to also remove this file.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-01-06 16:41:50 +01:00
Sudhir Menon
d91690d5df ipatests: ipahealthcheck remove test skipped in pytest run
TestIpaHealthCLI::test_input_file test was skipped due to
bz1866558. Removed the below statement so that the test can
now run as the bug is fixed.

@pytest.mark.xfail(reason='BZ 1866558', strict=False)

Also changed the assert statement to search text in
stdout_text rather than sdterr_text

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-01-06 08:53:37 +01:00
Sudhir Menon
d7eece2ea1 ipatests: Test for IPATrustControllerPrincipalCheck
This testcase checks when trust between IPA-AD is established
successfully, IPATrustControllerPrincipalCheck displays
result as SUCCESS

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-01-06 08:46:04 +01:00
Alexander Bokovoy
35ab6567af ipatests: fix race condition in finalizer of encrypted backup test
When using a fixture, we get a temporary directory created and then
removed by pytest. Pytest uses `shutil.rmtree` call which collects all
files in the directory being removed and then removes them one by one.
At the point of removal of our GNUPGHOME directory, gpg daemon is being
shut down and there might still be an agent UNIX domain socket. The
removal actually overlaps in time with shut down of the gpg daemon, thus
causing `shutil.rmtree()` to fail when an agent UNIX domain socket is
removed by the daemon.

Change the way how we run the gpg agent to use a temporary systemd
service. Stop the service in the finalizer method so that systemd would
send SIGTERM signal and the gpg agent would clean itself up.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2020-12-23 15:37:10 +02:00
Florence Blanc-Renaud
e7949e2a0f ipatests: fix expected error message in test_commands
389ds does not return any more additional information
about a failing bind (to avoid leaking information).

As a consequence, when ipa-nis-manage is provided a
wrong password, the error message contains less info
as in the past and needs to be fixed.

Fixes: https://pagure.io/freeipa/issue/8631
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
2020-12-23 14:01:43 +01:00
Florence Blanc-Renaud
d0a1606e77 ipatests: remove test_acme from gating
test_acme is not stable and often needs to be
launched multiple times. Remove the test from gating
until the issue is fixed

Related: https://pagure.io/freeipa/issue/8602
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
2020-12-23 13:59:29 +01:00
Alexander Bokovoy
705f564eb6 tests_webui: fix wrong user name key for trail space case
User name for trail space key was using the name for lead space key.
As a result, when both tests were transformed, second one was
unsuccessful as the original user was already created.

Fix the user name data according to the test.

Fixes: https://pagure.io/freeipa/issue/8629
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-12-21 22:32:39 +02:00
Alexander Bokovoy
2c98105cf2 tests_webui: flip leading and trailing space password test
With commit 809d9cb80f we now allow
leading and trailing space in passwords. Fix Web UI tests to follow this
change.

Fixes: https://pagure.io/freeipa/issue/8629
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-12-21 22:32:39 +02:00
François Cami
9ce2fe4474 set SELinux back to Permissive in gating.xml
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-12-19 23:11:42 +02:00
François Cami
f83195f5c1 set SELinux to Enforcing in gating.xml
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-18 20:35:15 +02:00
Antonio Torres Moríñigo
57ec5f4cc2 ipatests: test that trailing/leading whitespaces in passwords are allowed
Add test to ensure that strings with trailing or leading
whitespaces are allowed as valid passwords.

Signed-off-by: Antonio Torres Moríñigo <atorresm@protonmail.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-12-18 16:47:59 +02:00
François Cami
18a1e7ee5c ipatests: make sure dns_lookup_kdc is always true
Previously, dns_lookup_kdc was only set to True if DNS
discovery worked or if the KDC was not specified on the
command-line.

Make sure dns_lookup_kdc is always set to true.

Fixes: https://pagure.io/freeipa/issue/6523
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-12-18 13:35:06 +02:00
François Cami
82e45d1f12 PR-CI templates: add test_integration/test_installation_client.py
Fixes: https://pagure.io/freeipa/issue/8082
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2020-12-16 11:12:50 +01:00
Sudhir Menon
fc53c6bbd5 Modified YAML files
Currently the TestIpaHealthCheckWithADtrust trust required
only one root AD Domain for testing.
Replaced the existing topology with adroot_adchild_adtree_master_1client
so that trust tests can be run with child/tree root AD domains.

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-12-15 16:00:04 +01:00
Sudhir Menon
27987093f8 ipatests: Test for IPATrustDomainsCheck with external trust to AD
This testcase checks that when external trust is configured
between IPA and AD subdomain, IPATrustDomainsCheck
doesnot display ERROR

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-12-15 16:00:04 +01:00
Florence Blanc-Renaud
800bafe0a8 xmlrpctests: remove harcoded expiration date from test_user_plugin
The test test_user_plugin is using a hardcoded date for
password expiration and started failed since we passed this date.
Replace the hardcoded date with now + 1 year.

Fixes: https://pagure.io/freeipa/issue/8616
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2020-12-10 09:45:44 +02:00
Florence Blanc-Renaud
526686ec1c ipatests: add test for PKI subsystem detection
Add a new upgrade test. Scenario:
- create an empty /var/lib/pki/pki-tomcat/kra directory
- call ipa-server-upgrade

With issue 8596, the upgrade fails because it assumes KRA is
installed. With the fix, ipa-server-upgrade completes successfully.

Related: https://pagure.io/freeipa/issue/8596
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-12-09 09:54:58 +01:00
Armando Neto
cfa1d69bdb
ipatests: Update Rawhide template for PR-CI
New Rawhide aiming Fedora 34.

Template based on
`Fedora-Cloud-Base-Vagrant-Rawhide-20201116.n.0.x86_64.vagrant-libvirt.box`

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-12-08 16:50:03 -03:00
Rob Crittenden
df4380c11f Skip the ACME mod_md test when the client is in enforcing mode
mod_md requires its own SELinux policy which is only available
in the upstream github. It is beyond the scope of this test to
maintain SELinux policy only for the scenario so skip it
if the client is in enforcing.

Note that no check needs to be done on OS because that is
already handled by the outer skipif for skip_mod_md_tests.

https://pagure.io/freeipa/issue/8514

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-12-03 19:48:59 -05:00
Rob Crittenden
d460f02a0c Increase timeout for krbtpolicy to 4800
The addition of test_ccache_sweep includes a number of sleeps
to force cache expiration.

https://pagure.io/freeipa/issue/8589

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-03 16:57:01 -05:00
Rob Crittenden
865c0762ae ipatests: test that stale caches are removed using the sweeper
- Force wipe all existing ccaches
- Set the ticket policy to a short value, 30 seconds.
- Do a series of kinit, ipa command, kdestroy to generate ccaches
- sleep(30)
- Run the sweeper
- Verify that all ccaches are gone

https://pagure.io/freeipa/issue/8589

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-03 16:57:01 -05:00
Rob Crittenden
83813cf8f7 Convert reset_to_default_policy into a pytest fixture
This ensures that the ticket policy will be reset even on
failure.

https://pagure.io/freeipa/issue/8589

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-03 16:57:01 -05:00
Florence Blanc-Renaud
97aa70cd7a ipatests: fix TestTrust::test_subordinate_suffix
The test test_subordinate_suffix is failing when configuring the DNS
for the trust, because the dnsforwardzone already exists. It was
configured during the previous test for nonposix trust.

At the end of the tests for nonposix trust, unconfigure the DNS
and the trust before calling the subordinate_suffix test, and add
a test cleaning up subordinate_suffix test.

Fixes: https://pagure.io/freeipa/issue/8601
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-12-02 21:54:26 +02:00
Rob Crittenden
81c97bb992 Remove test for minimum ACME support and rely on package deps
This method was added temporarily while the required packages
were still under development and not available in stable
repositories.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2020-12-02 14:07:39 +02:00
Rob Crittenden
5d8c04448f ipatests: Test that ipa-ca.$domain can retrieve CRLs without redirect
https://pagure.io/freeipa/issue/8595

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-12-02 14:05:36 +02:00
Rob Crittenden
0037b698ed Test that the KRA profiles can renewal its three certificates
The KRA was previously configured with Internal CA profiles
which did not work with the IPA RA.

Use public, common profiles to manage renewal of the KRA
subsystem certificates.

https://pagure.io/freeipa/issue/8545

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-12-01 12:56:03 +01:00
Sudhir Menon
442038c41a ipatests: support subordinate upn suffixes
This test adds new UPN Suffix on the AD side
within the ad.test subtree i.e new.ad.test and this
UPN is then assigned to aduser and then try to
kinit using aduser along with the UPN set, to ensure
that the kinit succeeds

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-26 12:00:57 +02:00
Robbie Harwood
9e0084ba98 Fix krbtpolicy tests
0d67180f7d introduced the with_admin
fixture using class scope, which caused test failures as pytest
instantiated it before the multihost fixture.

It additionally failed to account for jitter - the issued ticket becomes
within a window of the expected lifetime, so we need to include the
ticket lifetime jitter into that calculation.

Finally, the PKINIT test could not have ever worked because PKINIT is
not set up as part of policy testing.

Related: https://pagure.io/freeipa/issue/8590

Also-authored-by: Rob Crittenden <rcritten@redhat.com>
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-25 18:02:25 -05:00
Armando Neto
b6004cf88f ipatests: Bump PR-CI templates
Update box to force update dependencies on pki-* and
selinux-policy.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2020-11-25 16:16:12 -05:00
Rob Crittenden
75e3803b68 ipatests: Increase timeout for ACME in gating.yaml
Increase to 7200 from 3600 to match other executions.

Related: https://pagure.io/freeipa/issue/8581

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2020-11-25 16:16:12 -05:00
Rob Crittenden
e6489dcb8c ipatests: honor class inheritance in TestACMEwithExternalCA
TestACMEwithExternalCA subclasses TestACME which subclasses
CALessBase.

CALessBase is necessary to generate the certificates for the
test_third_party_certs() test.

This means that the TestACME install classmethod needs to be
called by its subclasses. But the install actually does the
installation of the servers as well so needs to be aborted
at that point in the case of a subclass.

https://pagure.io/freeipa/issue/8581

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2020-11-25 16:16:12 -05:00
Rob Crittenden
3a9fc01156 ipatests: configure MDStoreDir for mod_md ACME test
This directory defines the location for ACME-related files
used by mod_md. Specify and create it rather than relying
on defaults to both fix a test failure and to make the
files accessable for debugging purposes.

https://pagure.io/freeipa/issue/8581

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2020-11-25 16:16:12 -05:00
Rob Crittenden
70306515f7 ipatests: Clean up existing ACME registration and certs
The same base class is used for ACME setup and configuration.
Be sure to clean up any existing registraton prior to continuing
otherwise ACME register will complain.

https://pagure.io/freeipa/issue/8581

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2020-11-25 16:16:12 -05:00
Rob Crittenden
89fddb0750 ipatests: Configure a replica in TestACMEwithExternalCA
This subclasses TestACME which installs and configures a
replica in order to verify global enable/disable of ACME.

https://pagure.io/freeipa/issue/8581

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2020-11-25 16:16:12 -05:00
Rob Crittenden
790b765598 ipatests: call the CALess install method to generate the CA
https://pagure.io/freeipa/issue/8581

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2020-11-25 16:16:12 -05:00
Michal Polovka
89c846a1f6
WebUI: Test if links are opened in new tab correctly
Test for PF#7137: [RFE]: Able to browse different links
from IPA web gui in new tabs

Test verifies whether opening target link in new tab
navigates to target (desired behaviour) compared to creation of copy of
current state of page on new tab (old behaviour).

WebUI: Add method for opening link in a new tab

Add `navigate_to_row_record_in_new_tab`  method.
`navigate_to_row_record_in_new_tab` works as
`navigate_to_row_record` but opens link in new tab instead and focuses
on it.

Related: https://pagure.io/freeipa/issue/7137
Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2020-11-23 13:02:32 +01:00
Rob Crittenden
16616e576d ipatests: Test that Match ProxyCommand masks on no shell exec
Accounts without a shell should not execute ProxyCommand
otherwise the authorization will fail.

https://pagure.io/freeipa/issue/7676

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-23 09:04:27 +01:00
Sudhir Menon
cd9b4efa91 ipatests: Tests for ipahealthcheck.ds.nss_ssl
test_nsscheck_cert_expiring is moved under test_ipa_healthcheck_expiring

This patch checks that the 'ipahealthcheck.ds.nss_ssl' check in
healthcheck tool reports the correct status for the "Server-Cert"
about to expire and already expired respectively.

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-11-20 09:27:48 +01:00
Rob Crittenden
d30939ebfd ipatests: Test that ipa-certupdate can run without credentials
https://pagure.io/freeipa/issue/8531

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2020-11-18 16:27:12 +02:00
Mohammad Rizwan
b84f5d87ee ipatests: Test certmonger IPA responder switched to JSONRPC
This is to test if certmonger IPA responder swithed to JSONRPC
from XMLRPC

related: https://pagure.io/freeipa/issue/3299

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
2020-11-18 08:16:58 -05:00
Alexander Bokovoy
f977629182 Azure CI: mask chronyd in the container
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-17 18:48:24 +02:00
Alexander Bokovoy
1bf0d62828 Azure CI: use PPA to provide newer libseccomp version
Linux 5.8 made faccessat2() system call available in August 2020. This
system call is used now by GNU libc to implement more precisely
faccessat() system call. GNU glibc does compile-time check for the
kernel version and uses faccessat2() unconditionally in case it is
available. If kernel responds with ENOSYS error code, GNU libc will
attempt to use older, less flexible, faccessat(() system call.

When running on a system where libseccomp does not know about the new
syscall, the default action in seccomp filters in Docker and other
container runtimes is to respond with EPERM error code. This breaks GNU
libc's implementation of the faccessat() function -- as well as other
newer syscall implementations (e.g. statx()).

libseccomp started to support faccessat2() in July 2020 with
5696c89640
(version 2.5.0: https://github.com/seccomp/libseccomp/releases/tag/v2.5.0)

With Ubuntu 20.04 as a host, use PPA abbra/freeipa-libseccomp which
provides libseccomp 2.5.0 rebuild from Debian Sid.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-17 18:48:24 +02:00
Alexander Bokovoy
6e1eaad873 Azure CI: use Ubuntu-20.04 image by default
Ubuntu 20.04 image is available in Azure Pipelines, migrate to it.
https://github.com/actions/virtual-environments/blob/main/images/linux/Ubuntu2004-README.md

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-17 18:48:24 +02:00
Robbie Harwood
0d67180f7d ipa-kdb: implement AS-REQ lifetime jitter
Jitter is always enabled, so there is no additional configuration.

An earlier version of this patch was authored by Becky Shanley.

Fixes: https://pagure.io/freeipa/issue/8010

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-17 14:27:28 +02:00
Stanislav Levin
82e69008ad ipatests: Collect EPN log for debugging
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-17 14:25:39 +02:00
Stanislav Levin
17f430efc4 EPN: Allow authentication by SMTP client's certificate
SMTP server may ask or require client's certificate for verification.
To support this the underlying Python's functionality is used [0].

Added 3 new options(corresponds to `load_cert_chain`):
- smtp_client_cert - the path to a single file in PEM format containing the
  certificate.
- smtp_client_key - the path to a file containing the private key in.
- smtp_client_key_pass - the password for decrypting the private key.

[0]: https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_cert_chain

Fixes: https://pagure.io/freeipa/issue/8580
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-17 14:25:39 +02:00
Stanislav Levin
32aa1540f0 EPN: Enable certificate validation and hostname checking
https://pagure.io/freeipa/issue/8579
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-17 14:25:39 +02:00
Stanislav Levin
977063a56e test_epn: Standardize EPN configs for deduplication
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-17 14:25:39 +02:00
Stanislav Levin
94adee3c73 EPN: Don't downgrade security
If an administrator requests `smtp_security=starttls`, but SMTP
server disables STARTTLS, then EPN downgrade security to `none`,
which means plain text. Administrator doesn't expect such behavior.

Fixes: https://pagure.io/freeipa/issue/8578
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-17 14:25:39 +02:00
Stanislav Levin
be006ad6c4 ipatests: Respect platform's openssl dir
There are different build configurations of OpenSSL from one distro
to another. For example,

Debian: '--openssldir=/usr/lib/ssl',
Fedora: '--openssldir=/etc/pki/tls',
openSUSE: '--openssldir=/etc/ssl',
ALTLinux: '--openssldir=/var/lib/ssl'.
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-17 14:25:39 +02:00
Florence Blanc-Renaud
a33530f2f6 ipatests: temporarily remove test_dnssec.py::TestInstallDNSSECFirst from gating
The test test_dnssec.py::TestInstallDNSSECFirst is failing due to known
issue https://pagure.io/freeipa/issue/8496
currently under investigation by 389ds team.

In the meantime, remove the test from gating to avoid blocking the PRs.

Related: https://pagure.io/freeipa/issue/8496
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-17 08:39:59 +01:00
Serhii Tsymbaliuk
69368fccdb WebUI tests: Add simple test to check topology graph page is available
Ticket: https://pagure.io/freeipa/issue/8523

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2020-11-16 16:04:40 +01:00
Armando Neto
3722013dcd
ipatests: Update PRCI Fedora 32 templates
Updating templates with upgraded packages installed.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-16 09:26:48 -03:00
Mohammad Rizwan
c4a6b0e566 Move acme client installation part to classmethod
Moved the acme client installation part to classmethod
so that it can be leveraged further.

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-12 15:14:12 -05:00
Mohammad Rizwan
cbbfcd9b1e PEP8 fixes for test_acme.py
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-12 15:14:12 -05:00
Mohammad Rizwan
9dccf17a6c External-CA scenarios for ACME service
Inherited the TestACME class by overriding install()
to install the ipa master with external CA. It will
setup the External-CA and will call all the test
method from TestACME class.

related: https://pagure.io/freeipa/issue/4751

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-12 15:14:12 -05:00
Rob Crittenden
ca6fc689ba ipatests: Test that password reset unlocks users too
The basic idea is:

* add a user with a password
* kinit with a bad password for the user until lockout
* on another server administratively reset the password
* wait for replication to finish
* kinit on the original server again and the user should
  be able to kinit again meaning the lockout was removed

https://pagure.io/freeipa/issue/8551

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-11 10:29:25 +02:00
Fraser Tweedale
b153b23c75 dns: allow PTR records in arbitrary zones
PTR records in zones other than in-addr.arpa and in6.arpa are legal,
e.g. DNS-SD [RFC6763] uses such records.  If in a reverse zone
proceed with the existing checks, otherwise just accept the record.

Fixes: https://pagure.io/freeipa/issue/5566
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-11 10:24:38 +02:00
Florence Blanc-Renaud
3d2a4f25f7 ipatests: ipa-acme-manage status returns 3 on a CA-less server
test_acme.py::TestACMECALess::test_enable_caless_to_cafull_replica is
running ipa-acme-manage status on a CA-less server and wrongly
expects retcode =1. According to the man page, the command returns 3
when executed on a server where the CA is not installed.

Fixes: https://pagure.io/freeipa/issue/8572
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-09 16:06:40 -05:00
Florence Blanc-Renaud
ab9ef13f27 ipatests: IPADNSSystemRecordsCheck also checks for AAAA records
With commit 02c3b27 that has been included in ipa-healthcheck 0.7,
IPADNSSystemRecordsCheck also checks the presence of an AAAA record
for ipa-ca.

The test needs to handle this case and expect an error message for
missing ipa-ca AAAA record.

Fixes: https://pagure.io/freeipa/issue/8573
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-09 16:05:43 -05:00
Sudhir Menon
b7be1a2470 ipatests: ipa-healthcheck tests for DS checks
1. test_ipahealthcheck_ds_configcheck
   checks ensures that warning message is displayed by ConfigCheck
   when high resolution timestamp is disabled

2. test_ipahealthcheck_ds_fschecks
   Test has been now moved under Class TestIpaHealthCheckFileCheck
   This testcase checks that when permission of pwdfile.txt is changed
   to other than 400, FSCheck returns CRITICAL status

3. test_ds_configcheck_passwordstorage
   This test checks that critical status is displayed by
   ConfigCheck when rootpwstoragescheme is set to MD5 instead
   of the required PBKDF2_SHA256

4. test_ipahealthcheck_topology_with_ipactl_stop
   This testcase ensures that ipahealthcheck.ipa.topology check
   doesnot display 'source not found' on a system when ipactl
   stop is run

5. Modified testcase name
   the testcase name and description have been modified to match
   the actual testcase executed

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-09 09:06:11 +01:00
Alexander Bokovoy
91706690e0 wgi/plugins.py: ignore empty plugin directories
Dynamic plugin registry returns as a plugin any folder within the
plugins directory. Web UI then attempts to load for each plugin 'foo' a
JavaScript file named 'foo/foo.js'. The problem is that if 'foo/foo.js'
does not exist, Web UI breaks and it is impossible to recover until the
empty folder is removed or 'foo/foo.js' (even empty) is created at the
server side.

Check that 'foo/foo.js' actual exists when including a plugin into the
registry.

Test the registry generator by creating fake plugins and removing them
during the test.

Fixes: https://pagure.io/freeipa/issue/8567

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-11-06 16:38:37 -05:00
Rob Crittenden
f86250a9a5 Test that ipapwpolicy objectclass is added on upgrade
Use ldapmodify to remove the objectclass from the default
global policy then run ipa-server-upgrade to confirm
that it is properly added.

https://pagure.io/freeipa/issue/8555

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-11-06 16:29:41 -05:00
Sudhir Menon
2b1230e5b0 ipatests: Fix for test_ipahealthcheck_ds_riplugincheck
Fix for Nightly test failure in
test_ipahealthcheck.py::TestIpaHealthCheck::test_ipahealthcheck_ds_riplugincheck

Pagure: https://pagure.io/freeipa/issue/8563

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-11-04 09:23:41 +01:00
Florence Blanc-Renaud
c053b5e0d6 ipatests: curl outputs the cookie in stderr and not in sdtout
The integration test test_trust.py::TestTrust::test_password_login_as_aduser
is expecting curl to output the cookie obtained after password login
in stdout but should use stderr instead.

Fixes: https://pagure.io/freeipa/issue/8559
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-03 09:49:22 +02:00
Rob Crittenden
c8f13cd855 ipatests: Add tests for requiring ipa-ca SAN when ACME is enabled
Test that:

1. With ACME enabled, SAN is required
2. With ACME disabled, SAN is not required

Also verify the ipa-acme-manage status command.

https://pagure.io/freeipa/issue/8498

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2020-11-02 14:01:05 -05:00
Rob Crittenden
e0ff82c884 Change the return codes of ipa-acme-manage
Traditionally in IPA 0 = success, 1 = error and then
specific error messages follow from that. Shift the
ipa-acme-manage return codes for "not installed" and
"not a CA" up by one.

https://pagure.io/freeipa/issue/8498

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2020-11-02 14:01:05 -05:00