Commit Graph

329 Commits

Author SHA1 Message Date
Michal Reznik
a3c99367bf
test_caless: add SAN dNSName extensions for wildcard tests
It may happen that FQDN does not match with the domain mapped to
the host. In this case we add wildcard for both domains.

https://pagure.io/freeipa/issue/7100

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-08-11 13:53:44 +02:00
Michal Reznik
1ff356241c
test_caless: add replica ca-less to ca-full test (master caless)
Add replica ca-less to ca-full test when master stays caless. Cover
Pagure issue: https://pagure.io/freeipa/issue/6226

https://pagure.io/freeipa/issue/7086

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-08-11 12:04:32 +02:00
Michal Reznik
7a5b1cc140
test_caless: add server_replica ca-less to ca-full test
Add server_replica ca-less to ca-full test as we are currently missing
one. Cover Pagure issue: https://pagure.io/freeipa/issue/6207

https://pagure.io/freeipa/issue/7086

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-08-11 12:04:32 +02:00
Michal Reznik
4caabb140e
tests: fix external_ca test suite failing due to missing SKI
external_ca test suite is failing during installation due to
missing SKI extension.

https://pagure.io/freeipa/issue/7099

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-08-11 10:54:05 +02:00
Michal Reznik
284658e08e test_caless: remove xfail in wildcard certificate tests
As we are now generating proper wildcard certificates, remove xfail
in wildcard certificate tests.

https://pagure.io/freeipa/issue/5603

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-07-26 16:02:18 +02:00
Michal Reznik
64375ba65b
test_caless: introduce new python makepki + fix SKI extension issue
Change makepki.sh for new makepki.py which should be more
readable, maintainable and extendable than the old script.
In this test we use it as a module and import create_pki().

The new makepki adds SKI and AKI extensions for correct
cert validation.

Other minor changes needed as we do not use NSS to store our
certificates on the test controller.

https://pagure.io/freeipa/issue/7030

Signed-off-by: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-07-21 09:49:18 +02:00
Jan Cholasta
07229c8ff6 logging: do not use ipa_log_manager to create module-level loggers
Replace all `ipa_log_manager.log_mgr.get_logger` calls to create
module-level loggers with `logging.getLogger` calls and deprecate
`ipa_log_manager.log_mgr.get_logger`.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
ffadcb0414 logging: remove object-specific loggers
Remove all object-specific loggers, with the exception of `Plugin.log`,
which is now deprecated. Replace affected logger calls with module-level
logger calls.

Deprecate object-specific loggers in `ipa_log_manager.get_logger`.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Stanislav Laznicka
f827fe0f19 cert-validate: keep all messages in cert validation
Previous attempt to improve error messages during certificate
validation would only work in English locale so we're keeping
the whole NSS messages for all cases.

https://pagure.io/freeipa/issue/6945

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-16 16:04:00 +02:00
Tomas Krizek
48b7e83511 ipatests: add systemd journal collection for multihost tests
Some messages are only logged in journal. Collection of journal
makes debugging failed tests from logs easier.

Fixes: https://pagure.io/freeipa/issue/6971

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-01 11:50:44 +02:00
Martin Babinsky
1e5f55e791 Do not delete DS and PKI users during backup/restore tests
Since the creation of DS and PKI users is now handled by RPMs and not at
runtime in FreeIPA 4.5.x, we should no longer remove them during
backup/restore tests.

https://pagure.io/freeipa/issue/6956

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-30 13:31:28 +02:00
Martin Babinsky
2624cf2e4c test_backup_restore: do not fail on missing KrbLastSuccessfulAuth
Since FreeIPA 4.5.1 now sets 'Disable last successful auth' option by
default (see https://pagure.io/freeipa/issue/5313), the
'KrbLastSuccessfulAuth' may not always be present on the user entry. The
restored entry checker in backup/restore suite should consider this.

https://pagure.io/freeipa/issue/6956

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-30 13:31:28 +02:00
Michal Reznik
d5e84d7065 test_caless: mark TestCertinstall intermediate CA tests as xfail
mark TestCertinstall intermediate CA tests (http, ds) as xfail
until #6959 is solved

https://pagure.io/freeipa/issue/6959

Signed-off-by: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-19 12:38:54 +02:00
Michal Reznik
f7c4039e41 test_caless: add pkinit option and test it
change "caless-create-pki" so pkinit certificates can be
generated.

See https://web.mit.edu/kerberos/krb5-1.13/doc/admin/pkinit.html for details.

add pkinit option to the ipa installer and test both master and replica
install with pkinit.

https://pagure.io/freeipa/issue/6854

Signed-off-by: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-19 12:38:54 +02:00
Stanislav Laznicka
3d969d7bad Provide useful messages during cert validation
When the certificate validation was replaced, some error messages
were omitted (like "Peer's certificate expired."). Bring these back.

https://pagure.io/freeipa/issue/6945

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-05-18 17:32:59 +02:00
Christian Heimes
dd6b72e418 pytest 3.x compatibility
pytest 3.x no longer supports plain pytest.skip() on module level.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-27 18:03:14 +02:00
Christian Heimes
24161a6190
Move remaining util functions to tasks module
https://pagure.io/freeipa/issue/6798
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2017-03-22 13:42:04 +01:00
Christian Heimes
8aadd55c93
Move function run_repeatedly to tasks module
https://pagure.io/freeipa/issue/6798
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2017-03-22 13:42:04 +01:00
Christian Heimes
8867412adc
Move hosts module to ipatests.pytest_plugins.integration.hosts
https://pagure.io/freeipa/issue/6798
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2017-03-22 13:42:04 +01:00
Christian Heimes
313ae46b57
Move tasks module to ipatests.pytest_plugins.integration.tasks
https://pagure.io/freeipa/issue/6798
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2017-03-22 13:42:04 +01:00
Christian Heimes
1406dbc8c2
Move env_config module to ipatests.pytest_plugins.integration.env_config
https://pagure.io/freeipa/issue/6798
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2017-03-22 13:42:04 +01:00
Christian Heimes
2895e3931d
Move config module to ipatests.pytest_plugins.integration.config
https://pagure.io/freeipa/issue/6798
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2017-03-22 13:42:04 +01:00
Christian Heimes
fd1b4f6ec9 Add options to run only ipaclient unittests
A new option for ipa-run-tests makes the test runner ignore
subdirectories or skips tests that depend on the ipaserver package or on
a running framework for RPC integration tests. The new option enables
testing of client-only builds.

$ ipatests/ipa-run-tests --ipaclient-unittests
...
platform linux2 -- Python 2.7.13, pytest-2.9.2, py-1.4.32, pluggy-0.3.1
rootdir: /home/heimes/redhat, inifile: tox.ini
plugins: sourceorder-0.5, cov-2.3.0, betamax-0.7.1, multihost-1.1
collected 451 items

test_util.py ........
util.py ..
test_ipaclient/test_csrgen.py ..............ssss...
test_ipalib/test_aci.py ...................
test_ipalib/test_backend.py ........
test_ipalib/test_base.py ...............
test_ipalib/test_capabilities.py .
test_ipalib/test_cli.py ...
test_ipalib/test_config.py ...............
test_ipalib/test_crud.py ...............
test_ipalib/test_errors.py .......
test_ipalib/test_frontend.py ........................................
test_ipalib/test_messages.py ....
test_ipalib/test_output.py ...
test_ipalib/test_parameters.py .............................................................
test_ipalib/test_plugable.py ........
test_ipalib/test_rpc.py ......ssssssss
test_ipalib/test_text.py .............................
test_ipalib/test_x509.py ...
test_ipapython/test_cookie.py ............
test_ipapython/test_dn.py ...........................
test_ipapython/test_ipautil.py ..................................................................
test_ipapython/test_ipavalidate.py ..........
test_ipapython/test_kerberos.py ..............
test_ipapython/test_keyring.py ..........
test_ipapython/test_ssh.py ...............................
test_pkcs10/test_pkcs10.py .....

https://fedorahosted.org/freeipa/ticket/6517

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-03-17 15:02:13 +01:00
Stanislav Laznicka
5d3a0e6758 Don't allow standalone KRA uninstalls
KRA uninstallation is very likely to break the user's setup. Don't
allow it at least till we can be safely sure we are able to remove
it in a standalone manner without breaking anything.

https://pagure.io/freeipa/issue/6538

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-13 16:27:23 +01:00
Martin Basti
25fa2bb6c9 tests: use --setup-kra in tests
This will allow to test --setup-kra option together with
ipa-server-install in install tests

Separate installation using ipa-kra-install is already covered.

https://pagure.io/freeipa/issue/6731

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-08 15:50:30 +01:00
Martin Babinsky
612ea7f66e Provide basic integration tests for built-in AD trust installer
A couple of tests were added to server/replica install integration
suite to test AD trust install w/ various combinations of other optional
components.

https://fedorahosted.org/freeipa/ticket/6630

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 15:55:45 +01:00
Ganna Kaihorodova
10494b1bb3 Tests: Basic coverage with tree root domain
Extend existing legacy client tests to cover test cases with tree root domain.

https://fedorahosted.org/freeipa/ticket/6489

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-03-01 12:29:25 +01:00
Martin Basti
5bd8217423 Test: DNS nsupdate from dns-update-system-records
Get nsupdate data from dns-update-system-records, remove system records
and run nsupdate to verify that all system records were updated

https://fedorahosted.org/freeipa/ticket/6585

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 12:20:55 +01:00
Simo Sorce
d2f5fc304f Configure HTTPD to work via Gss-Proxy
https://fedorahosted.org/freeipa/ticket/4189
https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Martin Basti
ad1a5551d5 Tests: fix wait_for_replication task
DS changed the format of the replication status attribute. Now it is with
prefix "Error (x)" where x is the error code.

Both formats were kept to allow tests run on older and new
versions of DS.

Reviewed-By: Milan Kubik <mkubik@redhat.com>
2017-02-08 14:15:53 +01:00
Petr Čech
dc99d3c04e ipatests: nested netgroups (intg)
Adds a test case for issue in SSSD that manifested in
an inability to resolve nested membership in netgroups

The test case tests for direct and indirect membership.

https://fedorahosted.org/freeipa/ticket/6439

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-02-07 11:56:14 +01:00
Ganna Kaihorodova
822a119100 Tests: Add tree root domain role in legacy client tests
Legacy client tests inherit test cases from trust tests, that have
role for tree root domain. That role was missing in legacy client tests.

https://fedorahosted.org/freeipa/ticket/6600

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-01-18 16:40:28 +01:00
Petr Spacek
8bc6775122 Remove named-pkcs11 workarounds from DNSSEC tests.
As far as I can tell the tests are passing for some time in Jenkins so
maybe a bug in some underlying component was fixed. Let's remove
workarounds to make tests actually test real setups.

https://fedorahosted.org/freeipa/ticket/5348

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-12-19 13:10:48 +01:00
Oleg Fayans
fad87a9962 Test: uniqueness of certificate renewal master
https://fedorahosted.org/freeipa/ticket/6504

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-12-08 17:26:04 +01:00
Oleg Fayans
503d0929e9 Test: basic kerberos over http functionality
https://fedorahosted.org/freeipa/ticket/6446

Reviewed-By: Milan Kubik <mkubik@redhat.com>
2016-11-30 16:29:18 +01:00
Oleg Fayans
c7fd46e42a Test: made kinit_admin a returning function
In some cases we need to check the result of kinit and print out the error
message. Therefore we need it to return the result.

Reviewed-By: Milan Kubik <mkubik@redhat.com>
2016-11-30 16:29:18 +01:00
Christian Heimes
7fef9cbec7 Fix Python 3 bugs discovered by pylint
In Python 3 exception instances no longer have a message attribute.
For most exceptions, str(e) or string formatting give the same result.

Fix some renamed modules, module members and functions.

https://fedorahosted.org/freeipa/ticket/4985

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-25 16:18:22 +01:00
David Kupka
4225484356 tests: Mark 389-ds acceptance tests
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-22 12:54:56 +01:00
David Kupka
3e53bbcc34 tests: Mark Dogtag acceptance tests
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-22 12:54:56 +01:00
Lenka Doudova
4df1d9d1a5 Tests: Providing trust tests with tree root domain
https://fedorahosted.org/freeipa/ticket/6347

Reviewed-By: Ganna Kaihorodova <gkaihoro@redhat.com>
2016-11-15 13:34:38 +01:00
Oleg Fayans
232a0391d3 Test for installing rules with service principals
https://fedorahosted.org/freeipa/ticket/6481

Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
2016-11-14 18:29:48 +01:00
Oleg Fayans
91c8911a9e Test: integration tests for certs in idoverrides feature
https://fedorahosted.org/freeipa/ticket/6005

Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
2016-11-14 18:29:48 +01:00
Oleg Fayans
f1c9c56f40 Added interface to certutil
Added generic method to run certutil with arbitrary set of parameters

Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
2016-11-14 18:29:48 +01:00
Lenka Doudova
3938698e07 Tests: Provide AD cleanup for legacy client tests
Providing cleanup of trust information from AD machines for legacy client tests.

https://fedorahosted.org/freeipa/ticket/6396

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-11-14 14:32:10 +01:00
Lenka Doudova
8a177732af Tests: Provide AD cleanup for trust tests
Providing cleanup of trust information from AD machines for trusts tests.

https://fedorahosted.org/freeipa/ticket/6396

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-11-14 14:32:10 +01:00
Florence Blanc-Renaud
808b1436b4 Refactor installer code requesting certificates
- Temporarily modify certmonger dogtag-ipa-ca-renew helper to request the IPA RA
agent cert, using the temp cert created during pkispawn. The cert request
is now processed through certmonger, and the helper arguments are restored
once the agent cert is obtained.

- Modify the installer code creating HTTP and LDAP certificates to use
certmonger's IPA helper with temporary parameters (calling dogtag-submit
instead of ipa-submit)

- Clean-up for the integration tests: sometimes ipa renewal.lock is not
released during ipa-server-uninstall. Make sure that the file is removed
to allow future installations.

https://fedorahosted.org/freeipa/ticket/6433

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2016-11-10 14:15:57 +01:00
Oleg Fayans
dc58f8f2a1 Automated ipa-replica-manage del tests
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2016-11-10 12:07:24 +01:00
Oleg Fayans
6d812a0d52 tests: Automated clean-ruv subcommand tests
https://fedorahosted.org/freeipa/ticket/6451

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2016-11-10 12:07:24 +01:00
Lenka Doudova
e3b7d235d5 Tests: Fix integration sudo test
Tests with sudorules using only RunAsGroups attributes with empty RunAsUsers
attribute fail due to different expected value than is really returned. This is
caused by improper behaviour of sudo in versions before 1.8.18 (see [1]), to
which the tests were originally fitted. Changing the expected value to proper
one.

[1] - https://www.sudo.ws/pipermail/sudo-workers/2016-November/001025.html

https://fedorahosted.org/freeipa/ticket/6378

Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
2016-11-07 12:39:06 +01:00
Tomas Krizek
5b81dbfda1 ipaldap: merge IPAdmin to LDAPClient
* move IPAdmin methods to LDAPClient
* add extra arguments (cacert, sasl_nocanon) to LDAPClient.__init__()
* add host, port, _protocol to LDAPClient (parsed from ldap_uri)
* create get_ldap_uri() method to create ldap_uri from former
    IPAdmin.__init__() arguments
* replace IPAdmin with LDAPClient + get_ldap_uri()
* remove unused function argument hostname from
    enable_replication_version_checking()

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-11-07 11:34:03 +01:00