Scenarii:
- idrange-add prevents --auto-private-groups with a local id range
- idrange-mod prevents --auto-private-groups with a local id range
- auto-private-groups accepts only true/false/hybrid/empty values
Related: https://pagure.io/freeipa/issue/8807
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Test checks if the user is enabled, able to reset their password and
authentication types in both CA and CA-less environment.
Related: https://pagure.io/freeipa/issue/8203
Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
During client installation, the installer calls sudo -V
to check if sudo command is installed. The output must not
be displayed in stdout.
Related: https://pagure.io/freeipa/issue/8767
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The test test_replica_promotion.py::TestRenewalMaster::
test_automatic_renewal_master_transfer_ondelete is calling
ipa-server-install --uninstall directly without performing first
ipa server-del. This can lead to incomplete uninstallation and
test failures.
Call tasks.uninstall_replica instead of tasks.uninstall_master.
This is equivalent to ipa-replica-manage del + uninstall
(ipa-replica-manage del works in DL0 and DL1 and internally calls
ipa server-del in DL1).
Fixes: https://pagure.io/freeipa/issue/8792
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The test TestIpaHealthCheck has been updated with commit
e86ff48 and now needs 1 master, 1 replica and 1 client
in order to execute.
Update the nightly definitions accordingly.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
test_ipahealthcheck_hidden_replica fails due to:
https://pagure.io/freeipa/issue/8582
Mark it as expected failure.
Related: https://pagure.io/freeipa/issue/8534
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Rename a test and split a test in two.
Related: https://pagure.io/freeipa/issue/8534
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Use dns_update_system_records after restoring the replica
to force-update the DNS records.
Related: https://pagure.io/freeipa/issue/8534
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Previously, hidden replica checks were run without waiting for replication
to complete, potentially leading to unstable behavior.
Use wait_for_replication.
Fixes: https://pagure.io/freeipa/issue/8534
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Use wait_for_ipa_to_start to wait until the restored replica is online.
Related: https://pagure.io/freeipa/issue/8534
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Add a frontend to "ipa dns-update-system-records" to tasks.py.
Related: https://pagure.io/freeipa/issue/8534
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
wait_for_ipa_to_start(host) waits for ipactl to return RUNNING for all
IPA services on the specified host.
Related: https://pagure.io/freeipa/issue/8534
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
The testcase checks that when ipa-healthcheck tool is run
on ipa-client it will display warning message "IPA is not configured"
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This test assumes that IPA server is installed and configured.
But test_jsplugins is the subtask of fasttest which is designed
(unittest) to be run in server less environment.
Note: `needs_ipaapi` is not completely suitable because there is
no direct IPA API usage. `xmlrpc_setup` fixture is also not
suitable because it assumes XMLRPC.
Fixes: https://pagure.io/freeipa/issue/8781
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Lint task uses PyPI to get the latest Pylint, which may pull in
any other packages as dependencies. For distro isolation the Lint
job should not produce any meaningful artifacts or they should not
be used in subsequent jobs. So, this job have to be isolated from
the others.
Fixes: https://pagure.io/freeipa/issue/8772
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Ubuntu 20.04's docker meets the requirement(4+).
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The security option 'apparmor:unconfined' tells Docker to not
apply AppArmor profiles for containers at all. This will not
replace or remove any existing profile. For example, this happens
on Ubuntu 20.04 which switched to chrony and brings its AppArmor
profile. Container's chronyd get blocked by AppArmor:
fv-az26-252 audit[11304]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/chronyd" pid=11304 comm="chronyd" capability=2 capname="dac_read_search"
fv-az26-252 audit[11304]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/chronyd" pid=11304 comm="chronyd" capability=1 capname="dac_override"
So, any of AppArmor profiles can block container's processes by
matching executable name. There are two ways:
1) prepare custom AppArmor unconfined profile, load it on Host and
reference it in container's configuration. This requires the
knowledge of profile syntax at least, not to difficult, but
potentially hard to maintain.
2) disable conflicting profile on Host;
Azure will warn about AVC in either case.
The second one was chosen as more simple.
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Azure's VM distro is Ubuntu, which has enabled AppArmor.
This security module sometimes interferes with CI Docker containers,
but to be completely disabled it requires reboot(this is impossible,
at least for now). So, Azure will warn about AVC records in Host's
journal as a possible clue.
It will be equally important to be warned about SECCOMP records to
see possible blocked syscalls(requires SCMP_ACT_LOG as defaultAction in
seccomp profile).
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The journal of Host is useful for AVC/SECCOMP analyzing.
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The syncing time stuff is required by IPA NTP tests.
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The distros may use different sphinx builder paths,
for example, by exporting of SPHINXBUILD env var.
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Collect disk usage information may be helpful, for example, for
debugging code required free space such as healthcheck tests.
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Some tests require its specific Pytest args. With this change
they can be specified in tests definitions.
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The test TestIpaHealthCheck::test_ipahealthcheck_ds_riplugincheck
is expecting a specific message for the RIPluginCheck
but the message has been updated to fix
4656 - Remove problematic language from UI/CLI/lib389
("enable referint on all suppliers" instead of
"enable referint on all masters").
Shorten the expected msg so that it fits both situations.
Fixes: https://pagure.io/freeipa/issue/8779
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
While "ktutil" does require a pseudo-terminal on particular systems to
operate, majority of programs do not need it.
At the same time invoking `ssh` with forced pseudo-terminal allocation
interferes with sessions multiplexing feature and increases connection
time. The increase can be as large as 10 seconds in certain cases which
leads to unexpected EOFs of pexpect utility.
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Template the autoconf phase.
Fixes: https://pagure.io/freeipa/issue/8768
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
user-add now returns the `nsaccountlock` parameter as
a boolean instead of as a list of string, meaning tests
have to be adapted to expect the correct type.
Related: https://pagure.io/freeipa/issue/8743
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add test to ensure group creation fails when passing the --nonposix
option and a GID number at the same time. Failure shows a message
to warn the user that this is not allowed.
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add test to ensure that IPA allows to introduce multiple
permitopen and permitlisten entries.
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
During development of a fix to workaround certmonger effectivly
hanging server uninstallation the test was re-worked to force
uninstall during the test execution itself.
https://pagure.io/freeipa/issue/8506
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Some certificates may have started renewal so returning to
present time can bind the server up with trying to renew.
certmonger fires off helpers when it's time to renew
certificates. This scenario puts the time within the renewal
window. If certmonger notices while the test is running it
will kick off renewal for all 12 certificates.
A lock is used to serialize things. The CA was shut down prior
to changing time so there is no chance of issuing new certs.
A fixture was used to ensure that things restarted when
the test was over. This was for chronyd and the CA. By restarting
the CA we allow the chance that it will be able to do some
work, versus returning a connection error and letting
certmonger just error out (CA_UNREACHABLE).
During uninstallation we call certmonger remove_request over
DBus (the equivalent to stop-tracking). As part of this
certmonger waits for any child (helper) processes to go away.
This used to do it via SIGKILL but that caused other problems
so it was changed to waitpid(). We know that it isn't going to
return for a while because the CA isn't up. DBus has a
hardcoded 25 second timeout. So we're guaranteed to get a
DBus timeout. We *could* try to play with it and change the
timeout, or retry a bunch of times, but it isn't worth the
hassle.
This is a contrived scenario that uninstalls immediately after
tweaking time forward. So rather than trying to make this
succesful, uninstall at the future time with the CA stopped
so that helpers won't be hanging around and certmonger can
remove the certs.
This is the last test so also the last time we need the replica
so to avoid replication bogging things down remove that prior
to executing the test. It's one less moving part during the
uninstall phase.
https://pagure.io/freeipa/issue/8506
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
There are failure observed in test_rekey_keytype_DSA(test_cert.py)
It is due to the fact that there is no guarantee that the request id
will match the filename that certmonger assigns.
This fix assigns the request id with -I option to command (and make
use of existing fixture) and get the file name by grepping the
certmonger's directory with specified req id.
fixes: https://pagure.io/freeipa/issue/8725
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
There may be both IPv4 and IPv6 AJP connectors. Test that both
are upgraded with the new tomcat attribute and the passwords are
kept in sync.
The Apache password will be updated if needed elsewhere in the
upgrade process.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
With this change, certbot test will be running on rhel.
certbot is not avilable on rhel through repository.
Plan is to install certbot using pip/epel on rhel and increase the
test coverage on rhel
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
This is a regression test for the bug in python-kdcproxy mentioned in
https://github.com/latchset/kdcproxy/pull/44
When the reply from AD is split into several TCP packets the kdc
proxy software cannot handle it and returns a false error message
indicating it cannot contact the KDC server.
This could be observed as login failures of AD user on IPA clients
when:
* IPA client was configured to use kdcproxy to communicate with AD
* kdcproxy used TCP to communicate with AD
* response from AD to kdcproxy was split into several packets
This patch also refactors and improves existing tests:
* switch to using pytest fixtures for test setup and cleanup steps to make
them isolated and reusable
* simulate a much more restricted network environment: instead of blocking
single 88 port we now block all outgoing traffic except few essential
ports
* add basic tests for using kdcproxy to communicate between IPA client
and AD DC.
Reviewed-By: Anuja More <amore@redhat.com>
The test test_dnssec.py::TestInstallDNSSECFirst::test_resolvconf
checks that /etc/resolv.conf points to the localhost and
fails on fedora33 because systemd-resolved is in place
(and /etc/resolv.conf contains 127.0.0.53).
The test logic needs to be adapted. When systemd-resolved is
used, the test can check the output of "resolvectl dns".
Fixes: https://pagure.io/freeipa/issue/8695
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
The test was temporarily removed because of a known issue
but the issue is now fixed.
Related: https://pagure.io/freeipa/issue/8496
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
In the test test_sssd.py::TestSSSDWithAdTrust::test_is_user_filtered
the config file sssd.conf is modified with a parameter
filter_users written in the [domain/..] section but
the parameter should appear in [nss] section instead.
Fixes: https://pagure.io/freeipa/issue/8747
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Test was randomly failing if the query for the server role is
executed before the replication had time to replicate the
changes on cn=adtrust agents,cn=sysaccounts,cn=etc,dc=ipa,dc=test,
as the server role is read using this entry.
related: https://pagure.io/freeipa/issue/8553
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
When sudo is installed, no warning should be output about sudo not
being available (obviously). Check that the relevant string is
not present.
Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
TestMaskInstall is a usual integration tests and should
install freeipa server during test run.
"ipaserver" template provides pre-install freeipa server and
is intended for use with webui and xmlrpc tests.
Reviewed-By: Francois Cami <fcami@redhat.com>
* Update template images to include updated packages
* Bump rawhide to use branched F34 template
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
As of 1.19.1 MIT krb changed the error returned if no valid
credentials could be obtained(GSS_S_CRED_UNAVAIL->GSS_S_NO_CRED).
To be compatible with previous versions of krb the new expected
error message has been added.
Fixes: https://pagure.io/freeipa/issue/8737
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The TestInstallWithoutSudo entry referenced fedora-latest instead
of testing-fedora for its build dependency. Fix it.
Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
This test creates healthcheck.log file in /var/log/ipa/healthcheck/
directory if its not present and then checks that when sosreport command
is run it collects the healthcheck log file by checking the console log
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
When IPA master is installed without DNS, using it as nameserver creates
invalid configuration.
Related to https://pagure.io/freeipa/issue/8703
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Do not check that host is resolvable.
systemd-resolved creates synthetic records for hosts in /etc/hosts.
If test hosts are listed in /etc/hosts on controller, no A records will
be created.
Related to https://pagure.io/freeipa/issue/8703
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
test_testconfig is using hardcoded hostnames which do not match ones
provided in real test config. This causes resolver factory to fail
when trying to detect resolver type of the host.
Related to https://pagure.io/freeipa/issue/8703
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
systemd-resolved enables positive and negative cache by default which
affects test scenarios where dns records are being created and deleted and
then verified using any tools that utilize default system resolver
(i.e. `dig` or `curl`).
Related to https://pagure.io/freeipa/issue/8703
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Set IPA master as nameserver on replica and client machines during default
installation. This will help to avoid manual configuration in test cases
which require members of IPA domain to be resolvable.
Related to https://pagure.io/freeipa/issue/8703
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Many test scenarios need to configure resolvers on test machines. Most
notable patterns are:
* using IPA master as DNS resolver on clients and replicas
* intentionally breaking name resolution
Now it is done by directly editing /etc/resolv.conf file. While being
simple this approach has following issues:
* NetworkManager restores this file periodically and on specific events
* This is not how users are expected to manage resolvers on modern
systems with NetworkManager and systemd-resolved.
This patch introduces three classes for main types of resolvers management:
* plain file
* NetworkManager
* systemd-resolved
For each resolver manager the native way of configuring of nameserves is
used: direct editing for /etc/resolv.conf or drop-in config files for
NM and resolved.
The type of resolver is automatically detected for each host and an
appropriate instance is added to Host object.
The Resolver class (and it's subclasses) provide convenience functions
for changing nameservers and restoring the original config.
During all operations (backup, modify, restore) it checks that resolver
configuration has not been altered unexpectedly and raises exception if it
was. This helps to detect unexpected changes in resolvers.
Related to https://pagure.io/freeipa/issue/8703
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Those config files are valuable for debugging issues relate to DNS
resolvers.
Related to https://pagure.io/freeipa/issue/8703
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The usage of the existing gssproxy service(`service/ipa-api`) leads
to undesirable for this case side effects such as auto renew of
expired credentials.
Fixes: https://pagure.io/freeipa/issue/8735
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The test test_commands.py::TestIPACommand::test_ssh_key_connection
is checking the content of the journal using journalctl --since ...
but provides only the time, not the whole date with year-month-day.
As a consequence, if the test is executed around midnight it may
find nothing in the journal because it's looking for logs after 11:50PM,
which is a date in the future.
The fix provides a complete date with year-month-day hours:min:sec.
Fixes: https://pagure.io/freeipa/issue/8728
Reviewed-By: Francois Cami <fcami@redhat.com>
Add test to check that zonemgr is correctly
set when installing IPA server.
Related: https://pagure.io/freeipa/issue/8718
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
This test check if ipa-cert-fix renews certs with kra
certificate installed.
related: https://pagure.io/freeipa/issue/7885
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Moved fixture to use across multiple classes. Added capability
to install the KRA to the fixture
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Test moves system date to expire certs. Then calls ipa-cert-fix
to renew them. This certs include subsystem, audit-signing,
OCSP signing, Dogtag HTTPS, IPA RA agent, LDAP and KDC certs.
related: https://pagure.io/freeipa/issue/7885
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
This test checks that there is no error message in uninstall
log for KRA instance when IPA was installed with KRA.
related: https://pagure.io/freeipa/issue/8550
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ipa-cert-fix was hardcoded to use Server-Cert as the nickname
so would fail if a third-party certificate was installed for DS.
https://pagure.io/freeipa/issue/8600
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
With commit ec6698f , the error message has changed from
Unable to communicate with CMS (503)
to
Request failed with status 503: Non-2xx response from CA REST API: 503. (503)
Related: https://pagure.io/freeipa/issue/8704
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Check that sudocmd-add fails when trying to add
a command containing a trailing dot.
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This test assumes that the current environment has only IPv4, but
for example, Azure Pipelines provides both IPv4 and IPv6.
Fixes: https://pagure.io/freeipa/issue/8683
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
IPA server's AAAA records at embedded DNS mode depend on result of
`get_server_ip_address` function(`ipaserver.install.installutils`),
which in turn, relies on NSS.
In case of Azure Pipelines, there are neither IPv6 records in
'/etc/hosts' nor external DNS, which may provide such. This leads to
the missing AAAA records for master and missing AAAA records for `ipa-ca`
pointing to master in embedded DNS.
In particular, tests `test_ipa_healthcheck_no_errors`,
`test_ipa_dns_systemrecords_check` fail with:
```
[
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "b979a88a-6373-4990-bc83-ce724e9730b4",
"when": "20210120055054Z",
"duration": "0.032740",
"kw": {
"msg": "Got {count} ipa-ca AAAA records, expected {expected}",
"count": 1,
"expected": 2
}
}
]
```
where `ipa-ca` record exists only for replica.
Note: since the most of the code in setup_containers was touched it has
been reformatted.
Fixes: https://pagure.io/freeipa/issue/8683
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add test for prune option of ipa-cacert-manage.
After a certificate is installed, a jump in time
is performed to a date where the certificate is expired,
and then it is pruned.
Related: https://pagure.io/freeipa/issue/7404
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add tests for the ipa cert-remove-hold command.
Scenario 1:
add host entry, request cert, revoke cert with "hold" reason, remove hold
Scenario 2:
call ipa cert-move-hold with a non-existent cert ID and ensure that
the exception mentions 'Certificate ID .. not found'
Related: https://pagure.io/freeipa/issue/8704
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
system_u:system_r:init_t:s0 cannot execute gpg=agent when SELinux is in
enforcing mode. Use SELinux context that allows this execution:
system_u:system_r:initrc_t:s0 and wrap the whole execution into a bash
run to make sure init_t -> initrc_t transition.
Fixes: https://pagure.io/freeipa/issue/8699
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Some tests are individually stopping a service and call
ipactl status to ensure it is stopped. They need to use
run_command with raiseonerr=False as ipactl status now
exits with 3 when one of the IPA services is down
(since commit 928ab51).
Related: https://pagure.io/freeipa/issue/8588
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
The test is storing the initial file permissions obtained with 'stat',
then modifies them, calls ipa-healthcheck and reverts the permissions
to the original value.
When the file is a symlink, stat returns the permissions of the link,
not of the pointed-to file. But chmod modifies the permissions of the
pointed-to file, not of the link.
As a consequence, the fixture does not properly restore the original
file permissions.
The fix consists in calling 'stat -L' because the command follows
links.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Test IPA servers and clients behavior when sudo is not installed.
Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Handle package removal without taking dependencies into account.
E.g. add frontends for rpm -e --nodeps.
Related: ipatests/pytest_ipa/integration/tasks.py
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
When DNS is enabled for a zone, 2 DNSKEYs should be created:
one KSK and one ZSK.
Add a test ensuring that they can be queried on the master and
the replica.
Related: https://pagure.io/freeipa/issue/8647
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Modal dialog transition is currently set to 300ms, we have to wait
for it to appear in order to interact with it. Double that time is a
safe value.
Resolves: https://pagure.io/freeipa/issue/8684
Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
During interactive session of `ipa-adtrust-install` the user needs to
answer several questions. This was done by sending all answers to
the processes stdin without analyzing the questions.
If the installation scenario changes at some point we can get on of the
following results:
* the test fails in the end and the root cause is not obvious
* if a new question was added
* test does not fail but answers are provided for wrong questions -
in this case scope of test case changes without being noticed
If we use `pexpect` for controlling the session, the test will fail
immediately when it encounters unexpected question.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
`ktutil` is a REPL-style utility that can be controlled only interactively.
The common approach of sending commands to stdin does not work with it on
systems where `readline` library has version less then 8.0 due to a bug
in that version.
With `pexpect` we avoid this bug because it emulates the terminal
when interacting with spawned process instead of simply sending all input
to stdin.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The pexpect module can be used for controlling and testing interactive
command-line programs. The wrapper adds testing-oriented features like
logging and automatic process termination and default check for process
exit status.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
IPA server uninstall was failing if dns was not setup.
This test check if it uninstalls propelry.
related: https://pagure.io/freeipa/issue/8630
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This reverts commit 69d480003b.
this test will be moved to existing test_uninstallation.py file
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The dns parameter of request_and_wait_for_cert() must be a string of
hostnames.
* Enforce list/tuple type so that API misuse no longer passes silently.
* Add commonNameToSANDefaultImpl to KDCs_PKINIT_Certs profile
* Explicitly pass hostname for service certs
Fixes: https://pagure.io/freeipa/issue/8685
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The string was updated to include the directory the for the database
but this was not reflected in the test and not picked up because
the tests were executed on Fedora 32 which supports dbm so the
test wasn't executed.
https://pagure.io/freeipa/issue/8675
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The original test had some issues:
* it was doing many actions not related to the tested issue which obscured
actual test scenario
* subordinate suffix was hard coded in the test which prevented the test
from checking original issue in case AD domain name did not match this
hard coded value
* Invocation of commands on AD controller was failing in some environments
Other improvements:
* added docstring with test details
* added guard assertions for test preliminary conditions
Related to https://pagure.io/freeipa/issue/8554
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The job definition for fedora-previous/test_installation_client
is missing the .py in the test file:
test_suite: test_integration/test_installation_client
should be instead:
test_suite: test_integration/test_installation_client.py
Reviewed-By: Armando Neto <abiagion@redhat.com>
One of the files that are collected after each test is /etc/resolv.conf.
In Fedora 33 this file is actually a symlink. `tar` does not follow
symlinks by default which results in either a broken link in test
artifacts or a symlink pointing to local file on the tests controller
machine.
Fixed by instructing `tar` to resolve the symlinks, so that actual file
pointed by symlink is stored in test artifacts.
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
sshd logs are not displayed immediately in journalctl, this results
in the tests checked the corresponding system logs are racy. I can't
find a way to flush ones. So, the best is the periodical reading of
the system log.
Related: https://pagure.io/freeipa/issue/8682
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Samba 4.13+ in Fedora 33+ and RHEL 8.4+ defaults to Kerberos
authentication. This means user name used for authentication must be
mapped to a target realm.
We have to remove trust on AD side first before removing it locally or
otherwise MIT Kerberos might not be able to locate DCs from AD as
removal of the trust information would cause SSSD to clear the details
for a KDC locator plugin as well.
For the test that modifies AD DNS zone on IPA side to inject unreachable
DCs addresses, the configuration has to be reverted first, to allow
plain 'kinit' during removal of trust to reach AD DCs directly.
Fixes: https://pagure.io/freeipa/issue/8678
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Tests test_integration/test_trust.py::TestTrust::test_sudorules_ad_*
check that a user from a trusted AD domain can perform SUDO
authentication without a password for any command based on a direct user
reference or on indirect AD group reference. The test suite also ensures
an AD user and group can be used for runAsUser/runAsGroup settings.
Due to https://github.com/SSSD/sssd/issues/5475 anything added to
'ipaSudoRunAsExtUserGroup' attribute will be prefixed with '%' and thus
any relying on the value of this attribute displayed by 'sudo -l'
command will fail. The test only validates that a proper group name
appears in the 'sudo' output, so we handle both prefixes in the
corresponding test check. It is not possible to differ by the SSSD
version as a fix to the issue is only a patch on top of 2.4.0 in RHEL.
Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
With ipa-healthcheck 0.8, the test ipahealthcheck.ipa.files is able
to return a list of possible owners/groups as a comma-separated string
instead of a single owner/group (see commit 930ec5f).
The test output needs to be fixed accordingly.
Fixes: https://pagure.io/freeipa/issue/8662
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Changes in https://pagure.io/freeipa/issue/8655 made it impossible
to use AD admin name without domain part in "ipa trust-add" command to
establish external trust with an AD tree domain.
Also use fully qualified admin name by default in all trust related tests
to reduce abiguity
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
- Build is using a prio of 100 while tests use 50, use consistent
values
- fix the requires for test_installation_client
Reviewed-By: Armando Neto <abiagion@redhat.com>
df uses 1024 bytes as its default display value, but this can be
tweaked by environment variables or a CLI knob.
Force the output unit to 1024 bytes using the CLI and parse it
accordingly.
Fixes: https://pagure.io/freeipa/issue/8674
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This was never feature complete and currently has issues and
we lack the resources to maintain it.
Drop it for now. It can be revived from git history in the
future if we see the need.
https://pagure.io/freeipa/issue/8669
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
IPA server uninstall was failing if dns was not setup.
This test check if it uninstalls propelry.
related: https://pagure.io/freeipa/issue/8630
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Also rename a few tests to hopefully make their purpose clearer.
https://pagure.io/freeipa/issue/8635
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
389ds is combining the value set in dse.ldif and the current crypto
policy to evaluate the min TLS version that it will be using.
The test needs to change the crypto policy to LEGACY in order to allow
TLS 1.0, because the DEFAULT policy prevents TLS 1.0 on fc33+.
Fixes: https://pagure.io/freeipa/issue/8670
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
- change log level for replication debugging
According to the docs:
```
default level of logging(16384) used for critical errors and other
messages that are always written to the error log. Messages at this
level are always included in the error log, regardless of the log
level setting.
```
- always flush the access logs to filesystem
During the testing access logs may be written with delay, this
results in logs are not collected by this test node, but for example,
the next one.
- as of now, the changes on `cn=config` are made after the installation
of server or replica. If an error occurs during these stages, then the
actual log level will be the default and not as expected.
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Checking that IPA cert has been added to trust
store is needed to verify that installation
of the server is correct. This cert should also
be removed on uninstall to prevent failures
on further installations.
Related: https://pagure.io/freeipa/issue/8614
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Test that IPA certs are removed after the server uninstall
process. This is needed since if these certs are not
removed from the system store, further installations
will fail.
Related: https://pagure.io/freeipa/issue/8614
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
389ds does not return any more additional information
about a failing bind (to avoid leaking information).
As a consequence, when ipa ping is executed with an AD user
the error message contains less info as in the past and needs to be fixed.
Fixes: https://pagure.io/freeipa/issue/8668
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
This reverts commit 81c97bb992.
This is to make IPA installable again with older versions of dogtag
so it will install on CentOS 8 Stream.
ACME will not be deployed but on upgrade, if pki 10.10.x is available
then it will be.
https://pagure.io/freeipa/issue/8634
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Modify the test scenario in order to be independant from PKI
behavior. The aim of the test is to ensure that the KRA
detection is not based on the presence of the directory
/var/lib/pki/pki-tomcat/kra/.
Previously the test was calling ipa-server-upgrade but this cmd
may fail even with the kra detection fix because of an issue in
pki (https://github.com/dogtagpki/pki/issues/3397).
Instead of exercising the whole ipa-server-upgrade command, the
test now checks the output of the API kra.is_installed() to validate
KRA detection mechanism.
Fixes: https://pagure.io/freeipa/issue/8653
Related: https://pagure.io/freeipa/issue/8596
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Per the ssh_config(5) man page under ProxyCommand:
"The command string extends to the end of the line, and is
executed using the user's shell ‘exec’ directive to avoid a
lingering shell process."
<shell> -c <proxy command>
Some older versions of nologin (RHEL/CentOS) do not support
the -c option so will still fail but since nologin doesn't
actually execute properly it doesn't include the output
'This account is currently not available' so don't assert
in that case. The returncode of 1 is sufficient to know
that the login is denied.
https://pagure.io/freeipa/issue/7676
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add a test to ensure that a change to a permission that will
result in an invalid ACI is rolled back.
https://pagure.io/freeipa/issue/8646
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Gating tests are still on Fedora 32 because some tests are failing.
Rest is being updated to unblock nightly runs:
- "previous" updated to Fedora 32
- "latest" updated to Fedora 33
- 389ds, testing and pki definitions updated to Fedora 33
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Upstream dnspython 2.1.0 introduced additional error checking
on SRV values and now rejects invalid priorities.
Remove the sorting test for priority of -1.
https://pagure.io/freeipa/issue/8650
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Add the new test test_integration/test_ipa_cert_fix.py to the
nightly definitions.
Related: https://pagure.io/freeipa/issue/8618
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add a new test for ipa-cert-fix issue 8618. When the CSR for one
of the certs to be renewed is missing from /etc/pki/pki-tomcat/{ca|kra}/CS.cfg
ipa-cert-fix fails to renew the certificates.
Test scenario:
move the date in the future to expire PKI system certificates (+3 years)
delete the directive ca.sslserver.certreq from CS.cfg
call ipa-cert-fix and ensure that the CSR was found
Related: https://pagure.io/freeipa/issue/8618
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The CA tracking request was modified to drop the profile which
was caught by ipa-healthcheck. Run ipa-certupdate then
ipa-healthcheck to confirm that no problems are introduced.
https://pagure.io/freeipa/issue/8644
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
dns_lookup was set to false during ipa client installation which prevented
searches for SRV records for Kerberos servers.
Since https://pagure.io/freeipa/issue/6523 is fixed, dns_lookup is always True
now and the fixture is not needed anymore.
Reviewed-By: Francois Cami <fcami@redhat.com>
The tasks module provides a method to clear sssd cache,
but the method does not remove the file /var/lib/sss/mc/initgroups.
Update the method to also remove this file.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
TestIpaHealthCLI::test_input_file test was skipped due to
bz1866558. Removed the below statement so that the test can
now run as the bug is fixed.
@pytest.mark.xfail(reason='BZ 1866558', strict=False)
Also changed the assert statement to search text in
stdout_text rather than sdterr_text
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This testcase checks when trust between IPA-AD is established
successfully, IPATrustControllerPrincipalCheck displays
result as SUCCESS
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When using a fixture, we get a temporary directory created and then
removed by pytest. Pytest uses `shutil.rmtree` call which collects all
files in the directory being removed and then removes them one by one.
At the point of removal of our GNUPGHOME directory, gpg daemon is being
shut down and there might still be an agent UNIX domain socket. The
removal actually overlaps in time with shut down of the gpg daemon, thus
causing `shutil.rmtree()` to fail when an agent UNIX domain socket is
removed by the daemon.
Change the way how we run the gpg agent to use a temporary systemd
service. Stop the service in the finalizer method so that systemd would
send SIGTERM signal and the gpg agent would clean itself up.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
389ds does not return any more additional information
about a failing bind (to avoid leaking information).
As a consequence, when ipa-nis-manage is provided a
wrong password, the error message contains less info
as in the past and needs to be fixed.
Fixes: https://pagure.io/freeipa/issue/8631
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
test_acme is not stable and often needs to be
launched multiple times. Remove the test from gating
until the issue is fixed
Related: https://pagure.io/freeipa/issue/8602
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
User name for trail space key was using the name for lead space key.
As a result, when both tests were transformed, second one was
unsuccessful as the original user was already created.
Fix the user name data according to the test.
Fixes: https://pagure.io/freeipa/issue/8629
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
With commit 809d9cb80f we now allow
leading and trailing space in passwords. Fix Web UI tests to follow this
change.
Fixes: https://pagure.io/freeipa/issue/8629
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Add test to ensure that strings with trailing or leading
whitespaces are allowed as valid passwords.
Signed-off-by: Antonio Torres Moríñigo <atorresm@protonmail.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Previously, dns_lookup_kdc was only set to True if DNS
discovery worked or if the KDC was not specified on the
command-line.
Make sure dns_lookup_kdc is always set to true.
Fixes: https://pagure.io/freeipa/issue/6523
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Currently the TestIpaHealthCheckWithADtrust trust required
only one root AD Domain for testing.
Replaced the existing topology with adroot_adchild_adtree_master_1client
so that trust tests can be run with child/tree root AD domains.
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This testcase checks that when external trust is configured
between IPA and AD subdomain, IPATrustDomainsCheck
doesnot display ERROR
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The test test_user_plugin is using a hardcoded date for
password expiration and started failed since we passed this date.
Replace the hardcoded date with now + 1 year.
Fixes: https://pagure.io/freeipa/issue/8616
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Add a new upgrade test. Scenario:
- create an empty /var/lib/pki/pki-tomcat/kra directory
- call ipa-server-upgrade
With issue 8596, the upgrade fails because it assumes KRA is
installed. With the fix, ipa-server-upgrade completes successfully.
Related: https://pagure.io/freeipa/issue/8596
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
mod_md requires its own SELinux policy which is only available
in the upstream github. It is beyond the scope of this test to
maintain SELinux policy only for the scenario so skip it
if the client is in enforcing.
Note that no check needs to be done on OS because that is
already handled by the outer skipif for skip_mod_md_tests.
https://pagure.io/freeipa/issue/8514
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The addition of test_ccache_sweep includes a number of sleeps
to force cache expiration.
https://pagure.io/freeipa/issue/8589
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
- Force wipe all existing ccaches
- Set the ticket policy to a short value, 30 seconds.
- Do a series of kinit, ipa command, kdestroy to generate ccaches
- sleep(30)
- Run the sweeper
- Verify that all ccaches are gone
https://pagure.io/freeipa/issue/8589
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
This ensures that the ticket policy will be reset even on
failure.
https://pagure.io/freeipa/issue/8589
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
The test test_subordinate_suffix is failing when configuring the DNS
for the trust, because the dnsforwardzone already exists. It was
configured during the previous test for nonposix trust.
At the end of the tests for nonposix trust, unconfigure the DNS
and the trust before calling the subordinate_suffix test, and add
a test cleaning up subordinate_suffix test.
Fixes: https://pagure.io/freeipa/issue/8601
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This method was added temporarily while the required packages
were still under development and not available in stable
repositories.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>