Commit Graph

615 Commits

Author SHA1 Message Date
Florence Blanc-Renaud
b3d650370c ipatests: fix test_crlgen_manage
The goal of the last test in test_crlgen_manage is to ensure that
ipa-server-install --uninstall can proceed if the server is the last one
in the topology, even if it is the CRL generation master.

The current code is wrong because it tries to uninstall the master
(which has already been uninstalled in the prev test), It should rather
uninstall replicas[0].

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-11-29 11:17:13 +01:00
Florence Blanc-Renaud
8cf4271aae ipatests: fix teardown
The uninstall method of some tests can be skipped as the cleanup is
already done before.

Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-11-29 11:17:13 +01:00
Florence Blanc-Renaud
7dfc6e004b ipatests: generic uninstall should call ipa server-del
At the end of any integration test, the method uninstall is called and
uninstalls master, replicas and clients.
Usually the master is the CA renewal master and DNSSec master, and
uninstallation may fail.
This commits modifies the uninstall method in order to:
- call 'ipa server-del replica' before running uninstall on a replica
- uninstall the replicas before uninstalling the master

Fixes: https://pagure.io/freeipa/issue/7985
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-11-29 11:17:13 +01:00
Christian Heimes
095d3f9bc9 Add test case for OTP login
Add integration tests to verify HOTP, TOTP, service with OTP auth
indicator, and OTP token sync.

Related: https://pagure.io/freeipa/issue/7804
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-11-28 16:09:07 +01:00
Sergey Orlov
e87357749e ipatests: add check that ipa-adtrust-install generates sane smb.conf
Related to: https://pagure.io/freeipa/issue/6951

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-11-26 11:14:41 +01:00
Rob Crittenden
c02cc93c14 Add integration test for Kerberos ticket policy
This also exercises the Authentication Indicator Kerberos ticket
policy options by testing a specific indicator type.

Related: https://pagure.io/freeipa/issue/8001

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-11-21 11:13:12 -05:00
Christian Heimes
b216701d9a Show group-add/remove-member-manager failures
Commands like ipa group-add-member-manager now show permission
errors on failed operations.

Fixes: https://pagure.io/freeipa/issue/8122
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-11-20 17:08:40 +01:00
Christian Heimes
8124b1bd4c Test installation with (fake) userspace FIPS
Based on userspace FIPS mode by Ondrej Moris.

Userspace FIPS mode fakes a Kernel in FIPS enforcing mode. User space
programs behave like the Kernel was booted in FIPS enforcing mode. Kernel
space code still runs in standard mode.

Fixes: https://pagure.io/freeipa/issue/8118
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-11-14 16:01:15 +01:00
Sergey Orlov
c2b230ce64 ipatests: replace ad hoc backup with FileBackup helper
Test test_smb_mount_and_access_by_different_users was failing with message
```
kdestroy: Permission denied while initializing krb5
```

This happened because the previous test
`test_smb_access_for_ad_user_at_ipa_client` was calling the fixture
`enable_smb_client_dns_lookup_kdc` which was doing backup of krb5.conf
in a wrong way:
- mktemp (to create a temp file)
- cp /etc/krb5.conf to the temp file
- ...
- mv tempfile /etc/krb5.conf

This flow looses the file permissions, because mktemp creates a file
using the default umask, which results in -rw------- permissions.
The copy does not modify the permissions, and the mv keeps the
permissions from the source => /etc/krb5.conf now has -rw-------.

Fixes: https://pagure.io/freeipa/issue/8115
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-11-11 15:09:23 +01:00
Christian Heimes
0f4c41ab26 Add tests for member management
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-11-11 09:31:14 +01:00
Sergey Orlov
f16c08b7d6 ipatests: in DNS zone file add A record for name server
Testcase test_server_option_with_unreachable_ad creates a zone file
for AD domain. This file had a hard-coded A record for host specified in
NS record. Some versions of BIND consider this zone invalid and refuse
to start with message:
```
zone ad.test/IN: NS 'root-dc.ad.test' has no address records (A or AAAA)
```

Fixed by replacing hard-coded value with short name of the AD instance.

Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2019-11-05 17:24:24 +01:00
Sergey Orlov
14be271533 ipatests: add test to check that only TLS 1.2 is enabled in Apache
Related to: https://pagure.io/freeipa/issue/7995

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-11-01 13:49:09 -04:00
Stanislav Levin
c6769ad12f Fix errors found by Pylint-2.4.3
New Pylint (2.4.3) catches several new 'true problems'. At the same
time, it warns about things that are massively and reasonably
employed in FreeIPA.

list of fixed:
- no-else-continue
- redeclared-assigned-name
- no-else-break
- unnecessary-comprehension
- using-constant-test (false positive)

list of ignored (responsibility of contributors and reviewers):
- import-outside-toplevel

Fixes: https://pagure.io/freeipa/issue/8102
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2019-10-21 18:01:32 +11:00
Fraser Tweedale
e767386e71 test_integration: add tests for custom CA subject DN
Define integration test for custom CA subject DN and subject base
scenarios.  Add to nightly CI runs.

Part of: https://pagure.io/freeipa/issue/8084

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-10-17 08:17:46 +02:00
Sergey Orlov
0d7f89c5a0 ipatests: fix DNS forwarders setup for AD trust tests with non-root domains
The tests are failing to establish trust with AD subdomain and tree domain
controllers. This happens because IPA server needs to contact root domain
controller to fetch domain-wide UPN suffixes but can not do it because we
setup DNS forwarding only for the domains with which we try to establish
trust.
To establish trust with AD subdomain we now setup forwarder for root AD
domain, and to establish trust with AD treedomain  -- two forwarders:
one for root domain and another one for treedomain.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-10-10 13:27:03 +02:00
Mohammad Rizwan Yusuf
c2c1000e2d Installation of replica against a specific server
Test to check replica install against specific server. It uses master and
replica1 without CA and having custodia service stopped. Then try to
install replica2 from replica1 and expect it to get fail as specified server
is not providing all the services.

related ticket: https://pagure.io/freeipa/issue/7566

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-10-07 08:08:35 +02:00
Mohammad Rizwan Yusuf
7aec6f1037 Check file ownership and permission for dirsrv log instance
Check if file ownership and permission is set to dirsrv:dirsrv
and 770 on /var/log/dirsrv/slapd-<instance> after ipa-restore.

related ticket : https://pagure.io/freeipa/issue/7725

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-10-01 08:17:55 -04:00
Florence Blanc-Renaud
121971a51e ipatests: fix test_replica_promotion.py::TestHiddenReplicaPromotion
The test test_replica_promotion.py::TestHiddenReplicaPromotion randomly
fails in nightly_f29.

The test is checking that a given IP address is not in the DNS records
for the domain. When we are unlucky, we may come up with the following
situation:
- IP address that is unexpected: 192.168.121.25
- IP address that is found for the DNS record: 192.168.121.254

As 192.168.121.25 is a substring of 192.168.121.254, the test wrongly considers that the unexpected address was found.
Extract of the log:
    for host in hosts_unexpected:
        value = host.hostname if rtype == 'SRV' else host.ip
>       assert value not in txt
E       AssertionError: assert '192.168.121.25' not in 'ipa-ca.ipa.test. 1 IN A 192.168.121.254'
E         '192.168.121.25' is contained here:
E           ipa-ca.ipa.test. 1 IN A 192.168.121.254
E         ?                         ++++++++++++++

This happens because the test is comparing the content of the output as a
string. The fix is extracting the exact hostname/IP address from the
record instead.

Fixes: https://pagure.io/freeipa/issue/8070
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-10-01 09:37:36 +02:00
Rafael Guterres Jeffman
c898be1df9 Removes several pylint warnings.
This patche removes 93 pylint deprecation warnings due to invalid escape
sequences (mostly 'invalid escape sequence \d') on unicode strings.

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-09-27 09:38:32 +02:00
Florence Blanc-Renaud
2919237753 ipatests: ensure that backup/restore restores pkcs 11 modules config file
In the test_backup_and_restore, add a new test:
- before backup, save the content of /etc/pkcs11/modules/softhsm2.module
- after restore, ensure the file is present with the same content.

Related: https://pagure.io/freeipa/issue/8073
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-09-22 20:29:41 +03:00
Anuja More
e5e0693aa2 Extdom plugin should not return error (32)/'No such object'
Regression test for https://pagure.io/freeipa/issue/8044

If there is a timeout during a request to SSSD the extdom plugin
should not return error 'No such object' and the existing
user should not be added to negative cache on the client.

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2019-09-19 15:52:51 +02:00
Sergey Orlov
4ab2842b76 ipatests: add tests for cached_auth_timeout in sssd.conf
The tests check that auth cache
* is disabled by default
* is working when enabled
* expires after specified time
* is inherited by trusted domain

Related to: https://bugzilla.redhat.com/1685581

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-09-19 10:26:58 +02:00
Sergey Orlov
4ea9aead5c ipatests: refactoring: use library function to check if selinux is enabled
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-09-19 10:26:58 +02:00
ndehadra
6064365aa0 Hidden Replica: Add a test for Automatic CRL configuration
Added test to check whether hidden replica can be configurred
as CRL generation master.

Related Tickets:
https://pagure.io/freeipa/issue/7307

Signed-off-by: ndehadra <ndehadra@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-09-13 14:46:46 +02:00
Sergey Orlov
1d033b040d ipatests: refactor and extend tests for IPA-Samba integration
Add tests for following scenarios:
* running `ipa-client-samba --uninstall` without prior installation
* mount and access Samba share by IPA user
* mount and access Samba share by AD user
* mount samba share by one IPA user and access it by another one
* try mount samba share without kerberos authentication
* uninstall and reinstall ipa-client-samba

Relates: https://pagure.io/freeipa/issue/3999
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2019-09-06 12:11:04 +02:00
Florence Blanc-Renaud
b48fe19fe5 ipatests: fix wrong xfail in test_domain_resolution_order
The test is written for a SSSD fix delivered in 2.2.0, but has a xfail
based on fedora version < 30.
SSSD 2.2.0 was originally available only on fedora 30 but is now also
available on fedora 29, and recent runs on f29 started to succeed
(because the fix is now present) but with a strict xfail.

The fix completely removes the xfail as the current branch is supported on
fedora 29 and 30.

Fixes: https://pagure.io/freeipa/issue/8052
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2019-08-30 10:16:52 +02:00
François Cami
03a228aaf6 ipatests: remove xfail in TestIpaClientAutomountFileRestore
Remove xfail in TestIpaClientAutomountFileRestore to check the
associated bugfix.

Related-to: https://pagure.io/freeipa/issue/8054
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-08-29 17:34:27 +02:00
sumenon
b24359cafa Added testcase to check capitalization fix while running ipa user-mod
1. This testcase checks that when ipa user-mod command is run with capital letters
there is no error shown in the console, instead the modifications for first and last
name of  the user is applied.

2. Adding tasks.kinit_admin since the test was being executed as different user
leading to permission issue.
ipa: ERROR: Insufficient access: Could not read UPG Definition originfilter. Check your permissions

Issue: https://pagure.io/freeipa/issue/5879
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2019-08-29 10:07:32 +02:00
François Cami
405dcc6bec ipatests: check that ipa-client-automount restores nsswitch.conf at uninstall time
Check that using ipa-client-install, ipa-client-automount --no-ssd, then uninstalling
both properly restores nsswitch.conf sequentially.

Related-to:: https://pagure.io/freeipa/issue/8038
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-08-28 22:15:50 -04:00
Michal Polovka
a71c59c7c8 ipatests: Test for ipa-backup with ipa not configured
Added test class for executing tests without ipa server being
configured. This is achieved by not providing topology attribute in the
test class. Subsequently implemented test for PG6843 - ipa-backup does not create
log file at /var/log/ - by invoking ipa-backup command with ipa server
not configured and checking for expected error code presence of /var/log
in the error message.

https://pagure.io/freeipa/issue/6843

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Tibor Dudlák <tdudlak@redhat.com>
Reviewed-By: François Cami <fcami@redhat.com>
2019-08-27 12:04:45 +02:00
Alexander Bokovoy
24c6ce27b2 Mark failing test as xfail for use of python-dns make_ds method
https://github.com/rthalley/dnspython/issues/343 documents broken use of
hashes in dns.dnssec.make_ds() and other python-dns methods. This is a
regression introduced with python-dns 1.16.

Mark the test as expecting to fail until python-dns is fixed in Fedora.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-08-22 09:43:51 -03:00
Christian Heimes
69138c848d Test external CA with DNS name constraints
Verify that FreeIPA can be installed with an external CA that has a name
constraints extension.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-08-06 12:39:46 +02:00
Tibor Dudlák
d0efb9ea48 ipatests: refactor TestNTPoptions
Move common and error messages to class scope to be reused again.

Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-07-31 14:21:37 +02:00
Tibor Dudlák
2bc7fb7fd0 ipatests: Add tests for interactive chronyd config
Add interactive configuration tests for
ipa-server-install and ipa-client-install
FreeIPA server as it is now is unable to
configure NTP interactively for replica
installations.

Resolves: https://pagure.io/freeipa/issue/7908
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-07-31 14:21:37 +02:00
François Cami
80561224ab test_nfs.py: switch to master_3repl
test_nfs.py historically used master_2repl_1client.
Now that master_3client exists, switch to that as it allows removal
of custom install/cleanup steps.

Fixes: https://pagure.io/freeipa/issue/8027
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-07-30 23:42:54 +02:00
François Cami
526b85a66e ipatests: rename config_replica_resolvconf_with_master_data()
config_replica_resolvconf_with_master_data() is not replica specific.
Rename to config_host_resolvconf_with_master_data() as it is not tied
to any role (master, replica, client).

Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-07-30 23:42:54 +02:00
François Cami
21cd9775ec test_nfs.py: switch to tasks.config_replica_resolvconf_with_master_data()
Previously test_nfs.py would implement its own method to configure
resolv.conf leading to cleanup failures in some cases.
Use tasks.config_replica_resolvconf_with_master_data() instead.
Also simplify and fix client uninstall.

Fixes: https://pagure.io/freeipa/issue/7949
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-07-30 23:42:54 +02:00
Sumedh Sidhaye
de1fa7cc74 Test: Test to check whether ssh from ipa client to ipa master is successful after adding ldap_deref_threshold=0 in sssd.conf
Problem: After adding ldap_deref_threshold=0 setting for sssd on master for
performance enhancement ssh from ipa client was failing

Test Procedure:
1. setup a master
2. add ldap_deref_threshold=0 to sssd.conf on master
3. add an ipa user
4. ssh from controller to master using the user created in step 3

Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-07-26 15:18:53 +02:00
François Cami
ed6ee90c54 ipatests: test ipa-client-samba after --uninstall
Related-to: https://pagure.io/freeipa/issue/8021
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2019-07-26 10:49:54 +02:00
François Cami
68b85703d8 ipatests: test multiple invocations of ipa-client-samba --uninstall
Related-to: https://pagure.io/freeipa/issue/8019
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2019-07-26 10:49:54 +02:00
Sumedh Sidhaye
b52d40b0c1 Test: To check ipa replica-manage del <FQDN> does not fail
Problem:
If a replica installation fails before all the services have been enabled then
it could leave things in a bad state.

ipa-replica-manage del <replica> --cleanup --force
invalid 'PKINIT enabled server': all masters must have IPA master role enabled

Test Steps:
1. Setup server
2. Setup replica
3. modify the replica entry on Master:
   dn: cn=KDC,cn=<replica hostname>,cn=masters,cn=ipa,cn=etc,dc=<test>,dc=<realm>
   changetype: modify
   delete: ipaconfigstring
   ipaconfigstring: enabledService

   dn: cn=KDC,cn=<replica hostname>,cn=masters,cn=ipa,cn=etc,dc=<test>,dc=<realm>
   add: ipaconfigstring
   ipaconfigstring: configuredService
4. On master,
   run ipa-replica-manage del <replicaFQDN> --cleanup --force

Related Ticket: https://pagure.io/freeipa/issue/7929

Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-07-25 15:21:39 -04:00
Fraser Tweedale
65d9a9be52 ipatests: test ipa-server-upgrade in CA-less deployment
Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-07-22 13:33:24 +10:00
Fraser Tweedale
80e76f094c Collapse --external-ca-profile tests into single class
To avoid having to spawn new CI hosts for each kind of
--external-ca-profile argument we are testing, collapse the three
separate test classes into one.  Uninstall the half-installed IPA
after each section of tests.

This change is in response to review comment
https://github.com/freeipa/freeipa/pull/2852#pullrequestreview-220442170.

Part of: https://pagure.io/freeipa/issue/7548

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-07-17 17:58:58 +03:00
Fraser Tweedale
b15bd50e6d Add more tests for --external-ca-profile handling
Add tests for remaining untested scenarios of --external-ca-profile
handling in ipa-server-install.

ipa-ca-install and ipa-cacert-manage remain untested at present.

Fixes: https://pagure.io/freeipa/issue/7548
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-07-17 17:58:58 +03:00
Fraser Tweedale
130e1dc343 move MSCSTemplate classes to ipalib
As we expand the integration tests for external CA functionality, it
is helpful (and avoids duplication) to use the MSCSTemplate*
classes.  These currently live in ipaserver.install.cainstance, but
ipatests is no longer permitted to import from ipaserver (see commit
81714976e5e13131654c78eb734746a20237c933).  So move these classes to
ipalib.

Part of: https://pagure.io/freeipa/issue/7548

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-07-17 17:58:58 +03:00
Sergey Orlov
843f57abe4 ipatests: new test for trust with partially unreachable AD topology
Establishing trust with partially unavailable AD hosts require usage
of --server option. The new test checks that both commands trust-add
and trust-fetch-domains properly use this option and also that
trust-add correctly passes the server value when imlicitly invoking
trust-fetch-domains.

Relates to: https://pagure.io/freeipa/issue/7895.

Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2019-07-15 14:35:51 +02:00
Stanislav Levin
ac1ea0ec67 Fix test_webui.test_selinuxusermap
A previous refactoring of SELinux tests has have a wrong
assumption about the user field separator within
ipaSELinuxUserMapOrder. That was '$$', but should be just '$'.

Actually, '.ldif' and '.update' files are passed through
Python template string substitution:

> $$ is an escape; it is replaced with a single $.
> $identifier names a substitution placeholder matching
> a mapping key of "identifier"

This means that the text to be substituted on should not be escaped.
The wrong ipaSELinuxUserMapOrder previously set will be replaced on
upgrade.

Fixes: https://pagure.io/freeipa/issue/7996
Fixes: https://pagure.io/freeipa/issue/8005
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-07-15 14:41:23 +03:00
Sergey Orlov
4740655260 ipatests: mark test_domain_resolution_order as expectedly failing
SSSD fix have not yet landed in Fedora 29 and below.
Relates to https://pagure.io/SSSD/sssd/issue/3957

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-07-04 15:46:59 +02:00
Sergey Orlov
0d15eb78d4 ipatests: add test for sudo with runAsUser and domain resolution order.
Running commands with sudo as specific user should succeed
when sudo rule has ipasudorunas field defined with value of that user
and domain-resolution-order is defined in ipa config.

Relates to https://pagure.io/SSSD/sssd/issue/3957

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-07-04 15:46:59 +02:00
Stanislav Levin
b2acd65013 Make use of single configuration point for SELinux
For now, FreeIPA supports SELinux things as they are in RedHat/Fedora.
But different distributions may have their own SELinux customizations.

This moves SELinux configuration out to platform constants:
- SELINUX_MCS_MAX
- SELINUX_MCS_REGEX
- SELINUX_MLS_MAX
- SELINUX_MLS_REGEX
- SELINUX_USER_REGEX
- SELINUX_USERMAP_DEFAULT
- SELINUX_USERMAP_ORDER

and applies corresponding changes to the test code.

Fixes: https://pagure.io/freeipa/issue/7996
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-07-01 14:44:57 +03:00