The test fixture haphazardly intermixed MockLDAP and ldap2 calls in
setup and teardown code, greatly hampering extension of the code and
also porting efforts to Python 3. Get rid of MockLDAP and use ldap2 for
all LDAP operations.
https://pagure.io/freeipa/issue/6937
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
A new multi-valued server attribute `pkinit_server` was added which
reports IPA masters that have PKINIT configuration usable by clients.
The existing tests were modified to allow for testing the new attribute.
https://pagure.io/freeipa/issue/6937
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
In order to achieve the task, the following changes were required:
* vectorize the base class for server attributes
* add a child class that enforces single-value attributes. It still
accepts/returns single-value lists in order to not break Liskov
substitution principle
* Existing attributes inherit from the child class
https://pagure.io/freeipa/issue/6937
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
mark TestCertinstall intermediate CA tests (http, ds) as xfail
until #6959 is solved
https://pagure.io/freeipa/issue/6959
Signed-off-by: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
When the certificate validation was replaced, some error messages
were omitted (like "Peer's certificate expired."). Bring these back.
https://pagure.io/freeipa/issue/6945
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Now, the cert-request command compares the domain part of the
email case-insensitively.
https://pagure.io/freeipa/issue/5919
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
- Update get_attr_filter in LDAPSearch to handle nsaccountlock by setting the default value for
nsaccountlock to false as well as update the filter to check for the default value
- Remove pytest xfail for test_find_enabled_user
https://pagure.io/freeipa/issue/6896
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
KRB5KDC_LOG = '/var/log/krb5kdc.log' added to paths
host.collect_log(paths.KRB5KDC_LOG) added to tasks.py
Signed-off-by: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Add tox infrastructure to test client wheel packages workflow:
* build client packages
* install client packages
* ipa-run-tests --ipaclient-unittests under Python 2 and 3
* pylint of client packages under Python 2 and 3
* placeholder packages work as expected
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Slots in HSM are not assigned statically, we have to chose proper
slot from token label.
Softhsm i2.2.0 changed this behavior and now slots can change over
time (it is allowed by pkcs11 standard).
Changelog:
* created method get_slot() that returns slot number from
used label
* replaces usage of slot in __init__ method of P11_Helper
with label
* slot is dynamically detected from token label before
session is opened
* pkcs11-util --init-token now uses '--free' instead '--slot'
which uses first free slot (we don't care about slot numbers
anymore)
https://pagure.io/freeipa/issue/6692
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Add non regression test for issue 6404: when idrange-add is called with
empty dom-name, the command returns
ipa: ERROR: an internal error has occurred
https://pagure.io/freeipa/issue/6404
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
All requests now use the OpenSSL formatter. However, we keep Formatter
a separate class so that it can be changed out for tests.
https://pagure.io/freeipa/issue/4899
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The test class depends on a working Kerberos configuration and session.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Ticket 6604 makes pylint and jsl optional dependencies. The change
is controversal, because some developers prefer that pylint and jsl
should be required unless explicitly disabled.
`make devcheck` is my answer to address the concerns. It's a superior
solution to `make lint` as pre-commit check. It combines several
additional checks under a single, easy rememberable and convenient make
target:
* build all
* acilint, apiclient, jslint, polint
* make check
* pylint under Python 2 and 3
* subset of unit test suite
https://fedorahosted.org/freeipa/ticket/6604
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Doctests of ipatests.util fail under Python 3.
The old test scenario does no longer work on Python 3 since u'how are you'
and 'how are you' have identical type, but u'how are you' != b'how are you'.
It works with int / float on all Python versions.
Python 2 has <type 'int'> while Python 3 uses <class 'int'>.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
The recent changes allow the sudorule objects to be renamed.
https://pagure.io/freeipa/issue/2466
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
The recent changes allow HBAC rule objects to be renamed.
https://pagure.io/freeipa/issue/6784
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
pytest 3.x does no longer support plain pytest.skip() on module level.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
The changes made to ipa-run-tests script in fd1b4f6 broke the
ipa-test-config and ipa-test-task scripts which are not executed
via pytest.
To fix the issue, all helper code and dependencies of the integration
plugin are moved out of ipatests.test_integration and into the
integration plugin. As first step ipatests.pytest_plugins.integration
is turned into a package.
https://pagure.io/freeipa/issue/6798
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
************* Module ipaserver.install.ipa_kra_install
ipaserver/install/ipa_kra_install.py:25: [W0402(deprecated-module), ] Uses of a deprecated module 'optparse')
************* Module ipapython.install.core
ipapython/install/core.py:163: [E1101(no-member), _knob] Module 'types' has no 'TypeType' member)
************* Module ipatests.test_ipapython.test_dn
ipatests/test_ipapython/test_dn.py:1205: [W1505(deprecated-method), TestDN.test_x500_text] Using deprecated method assertEquals())
************* Module ipa-ca-install
install/tools/ipa-ca-install:228: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member)
install/tools/ipa-ca-install:232: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member)
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Bunch of tests for WebUI Vault Management.
Covers:
Adding vaults
Modifying vaults
Adding members and owners to all types of vaults
https://fedorahosted.org/freeipa/ticket/5426
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
KRA uninstallation is very likely to break the user's setup. Don't
allow it at least till we can be safely sure we are able to remove
it in a standalone manner without breaking anything.
https://pagure.io/freeipa/issue/6538
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Instead of using the kernel keyring, store the session cookie within the
ccache. This way kdestroy will really wipe away all credentials.
Ticket: https://pagure.io/freeipa/issue/6661
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This will allow to test --setup-kra option together with
ipa-server-install in install tests
Separate installation using ipa-kra-install is already covered.
https://pagure.io/freeipa/issue/6731
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Commit ada91c2 introduced changes in "csrgen/templates/openssl_base.tmpl"
which broke the following 2 tests:
test_CSRGenerator.test_userCert_OpenSSL
test_CSRGenerator.test_caIPAserviceCert_OpenSSL
The tests use files caIPAserviceCert_openssl.sh and userCert_openssl.sh
as expected scripts in order to compare scripts generated by CSRGenerator.
E.g. as other parameter was introduced we are now not checking with
"if [[ $# -ne 2 ]]" but rather with if "[[ $# -lt 2 ]]".
https://pagure.io/freeipa/issue/6724
Reviewed-By: Milan Kubik <mkubik@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
A couple of tests were added to server/replica install integration
suite to test AD trust install w/ various combinations of other optional
components.
https://fedorahosted.org/freeipa/ticket/6630
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
test_ldap just imported nss.nss to call nss_init_nodb(). It should be
safe to remove the call. Let's see what CI has to say.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Setting fips_mode to object would fail if ipaplatform.tasks module
wasn't present.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Christian Heimes <cheimes@redhat.com>
* add missing default_backend
* unpad encrypted data
* use cryptography's hashes and HMAC construct
* remove hard dependency on python-nss from setup.py
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
