Commit Graph

1878 Commits

Author SHA1 Message Date
Christian Heimes
bb24641e8f Use api.env.container_sysaccounts
Refactor code to use api.env.container_sysaccounts instead of
('cn', 'sysaccounts'), ('cn', 'etc')

Related: https://pagure.io/freeipa/issue/8276
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-04-28 11:28:29 +02:00
sumenon
ba213aa448 ipatests: Test for ipahealthcheck tool for IPADomainCheck.
This testcase checks that when trust isn't setup
between IPA server and Windows AD, IPADomainCheck
displays key value as domain-check and result is SUCCESS

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-04-27 09:18:56 -04:00
Kaleemullah Siddiqui
bba41dc85c Test for check of HostKeyAlgorithms option in ssh_config
Test checks that HostKeyAlgorithms is not present in
/etc/ssh/ssh_config after client install with option
-ssh-trust-dns.

https://pagure.io/freeipa/issue/8082

Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2020-04-27 09:09:10 -04:00
sumenon
29fd9602c6 ipatests: Test for ipahealthcheck.ds.ruv check
This test ensures that RUVCheck for ipahealthcheck.ds.ruv
source displays correct result

Signed-off-by: sumenon <sumenon@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2020-04-23 10:29:33 -04:00
François Cami
7558e1413d doc/Makefile: use sphinx-build -W by default
Use -W with sphinx-build by default to turn warnings into errors.

Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-04-21 14:59:02 +02:00
Stanislav Levin
974395704a
ipatests: Specify shell implementation
The shell command line options and parameters used there are bash-
specific. This results in an error on attempting of running
'ipa-run-tests' on systems where '/bin/sh' is pointing to another
shell, for example, dash on Ubuntu.

Fixes: https://pagure.io/freeipa/issue/8101
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2020-04-21 13:24:50 +02:00
Stanislav Levin
6d8d167036
ipatests: Specify Pytest XML report schema
Pytest 5.2+ warns if tests XML report is generated but its format (schema)
is not explicitly specified:
```
/root/.local/lib/python3/site-packages/_pytest/junitxml.py:417
  /root/.local/lib/python3/site-packages/_pytest/junitxml.py:417: PytestDeprecationWarning: The 'junit_family' default value will change to 'xunit2' in pytest 6.0.
  Add 'junit_family=xunit1' to your pytest.ini file to keep the current format in future versions of pytest and silence this warning.
    _issue_warning_captured(deprecated.JUNIT_XML_DEFAULT_FAMILY, config.hook, 2)
```

For example, xunit2 is used by jenkins and Pytest strictly conforms its
schema [0]. Pytest's xunit1, in turn, allows to attach user fields to
report.

The only known client of IPA tests results is Azure. Azure supports
[1] JUnit, which is likely the same as Pytest's xunit1, while Azure's
xUnit2 is actually xUnit.net v2. This means that Azure supports (in
one form or another) Pytest's both xunit1 and xunit2 as JUnit.

[0]: https://github.com/jenkinsci/xunit-plugin/blob/xunit-2.3.2/src/main/resources/org/jenkinsci/plugins/xunit/types/model/xsd/junit-10.xsd
[1]: https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/test/publish-test-results?view=azure-devops&tabs=yaml

Fixes: https://pagure.io/freeipa/issue/8101
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2020-04-21 13:24:50 +02:00
Stanislav Levin
18500a3d01
ipatests: Remove no longer needed 'skip' compatibility
Since the required Pytest is 3.9.1+ the compat 'pytest.skip'
for Pytest < 3 can be removed.

Fixes: https://pagure.io/freeipa/issue/8101
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2020-04-21 13:24:50 +02:00
Stanislav Levin
f6b088effd
ipatests: Remove no longer needed 'capture' compatibility
Since the required Pytest is 3.9.1+, old Pytest compat code can
be removed.

Fixes: https://pagure.io/freeipa/issue/8101
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2020-04-21 13:24:50 +02:00
Stanislav Levin
be6ac7d4c9
ipatests: Remove no longer needed 'get_marker'
'get_marker' was a compat shim for Pytest < 3.6.
Since the requred Pytest is 3.9.1+, the workaround can be
removed.

Fixes: https://pagure.io/freeipa/issue/8101
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2020-04-21 13:24:50 +02:00
Stanislav Levin
d67846fa36
ipatests: Remove deprecated yield_fixture
'yield_fixture' is deprecated since Pytest3 [0].
FreeIPA requires at least 3.9.1. So, it can be safely removed.

[0]: https://docs.pytest.org/en/latest/yieldfixture.html

Fixes: https://pagure.io/freeipa/issue/8101
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2020-04-21 13:24:50 +02:00
Mohammad Rizwan Yusuf
2c54609d73 ipatests: Test to check password leak in apache error log
Host enrollment with OTP used to log the password in cleartext
to apache error log. This test ensures that the password should
not be log in cleartext.

related: https://pagure.io/freeipa/issue/8017

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-04-20 08:44:00 -04:00
Michal Polovka
3a64ac08e1 Test for healthcheck being run on replica with stopped master
Test checks whether healthcheck  reports only that master is stopped
with no other false positives when services on IPA master are stopped.

Related: https://bugzilla.redhat.com/show_bug.cgi?id=1727900

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-04-17 08:54:13 -04:00
Christian Heimes
bdf1137169 Use /run and /run/lock instead of /var
Also add runstatedir autoconf var. IPA requires autoconf 2.59. The
variable will be available with autoconf 2.70.

Fixes: https://pagure.io/freeipa/issue/8272
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-04-15 18:48:50 +02:00
François Cami
306adf6b51 ipatests: increase test_webui_server timeout
test_webui_server tends to take more than 3600s to run.
Increase timeout to 7200s.

Fixes: https://pagure.io/freeipa/issue/8266
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2020-04-14 14:11:11 +02:00
Alexander Bokovoy
dbf5df4a66 CVE-2020-1722: prevent use of too long passwords
NIST SP 800-63-3B sets a recommendation to have password length upper bound limited in A.2:

https://pages.nist.gov/800-63-3/sp800-63b.html#appA

	Users should be encouraged to make their passwords as lengthy as they
	want, within reason. Since the size of a hashed password is independent
	of its length, there is no reason not to permit the use of lengthy
	passwords (or pass phrases) if the user wishes. Extremely long passwords
	(perhaps megabytes in length) could conceivably require excessive
	processing time to hash, so it is reasonable to have some limit.

FreeIPA already applied 256 characters limit for non-random passwords
set through ipa-getkeytab tool. The limit was not, however, enforced in
other places.

MIT Kerberos limits the length of the password to 1024 characters in its
tools. However, these tools (kpasswd and 'cpw' command of kadmin) do not
differentiate between a password larger than 1024 and a password of 1024
characters. As a result, longer passwords are silently cut off.

To prevent silent cut off for user passwords, use limit of 1000
characters.

Thus, this patch enforces common limit of 1000 characters everywhere:
 - LDAP-based password changes
   - LDAP password change control
   - LDAP ADD and MOD operations on clear-text userPassword
   - Keytab setting with ipa-getkeytab
 - Kerberos password setting and changing

Fixes: https://pagure.io/freeipa/issue/8268

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2020-04-14 12:36:01 +03:00
François Cami
8a793b7da5 ipatests: increase test_ipahealthcheck timeout
test_ipahealthcheck tends to take more than 3600s to run.
Increate timeout to 4800s.

Fixes: https://pagure.io/freeipa/issue/8262
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2020-04-09 09:08:57 +03:00
Stanislav Levin
ba162b9b47 ipatests: Mark firewalld commands as no-op on non-firewalld distros
The FreeIPA integration tests strictly require Firewalld.
But not all the distros have such or any other high-level tool
for managing a firewall. Thus, to run integration tests on such systems
NoOpFirewall class has been added, which provides no-op firewalld
commands.

Fixes: https://pagure.io/freeipa/issue/8261
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: François Cami <fcami@redhat.com>
2020-04-08 16:33:35 +02:00
Stanislav Levin
d1b53ded8b Azure: Gather coredumps
Applications may crash.
If a crash happens on a remote system during CI run it's sometimes
very hard to understand the reason. The most important means to
analyze such is a stack trace. It's also very important to check
whether there was a core dump or not, even a test passed.

For Docker environment, the core dumps are collected by the host's
systemd-coredump, which knows nothing about such containers (for
now). To build an informative thread stack trace debuginfo packages
should be installed. But they can't be installed on the host OS
(ubuntu), That's why after all the tests completed an additional
container should be up and the host's core dumps and host's journal
should be passed into it.

Even if there weren't enough debuginfo packages at CI-runtime, the
core dump could be analyzed locally later.

Fixes: https://pagure.io/freeipa/issue/8251
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-04-08 11:27:45 +03:00
Stanislav Levin
aa5a3336a8 Azure: Allow distros to install Python they want
The platforms may have different Pythons.
But due to [0] the Python installed via the 'UsePythonVersion@0'
task should be compatible with the container's 'libpythonxx.so'.
'AZURE_PYTHON_VERSION' platform variable is introduced to cover
this. So, if your distro has Python3.8, set the mentioned variable
to '3.8', later, this version will be installed by the
'UsePythonVersion@0' Azure task for 'WebUI_Unit_Tests' and 'Tox'
jobs.

To allow tox to run any Python3 environment the 'py3' one is used.
'py3' is the well-known Tox's environment, which utilizes 'python3'
executable.

[0]: https://github.com/microsoft/azure-pipelines-tasks/issues/11070

Fixes: https://pagure.io/freeipa/issue/8254
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2020-04-07 15:22:47 -04:00
Rob Crittenden
3022bb5fd2 Perform baseline healthcheck
Run healthcheck on a default installation and ensure that there
are no failures. This test ensures that a fresh IPA installation
will pass healthcheck.

https://bugzilla.redhat.com/show_bug.cgi?id=1774032

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-04-06 12:54:20 -04:00
François Cami
a087fd9255 ipatests: move ipa_backup to tasks
* tasks had an ipa_backup() method that was not used anywhere.
* test_backup_and_restore had a backup() method that used to return
  both the path to the backup and the whole result from run_command ;
  The path to the backup can be determined from the result.

Clean up:
* move test_backup_and_restore.backup to tasks.ipa_backup, replacing
  the unused method.
* add tasks.get_backup_dir(host) which runs ipa-backup on host and
  returns the path to the backup directory.
* adjust test_backup_and_restore and test_replica_promotion.

Related: https://pagure.io/freeipa/issue/8217
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-04-06 16:53:31 +02:00
Michal Polovka
f5f960ed2a Test for output being indented by default value if not stated implicitly.
Test checks whether output json-line string is indented by default value
if this value is not stated implicitly. Test compares healthcheck
produced json-like string with manually indented one.

Automates: 02272ff39d76f1412483c5e3289564c93d196a03
Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-04-03 08:32:20 -04:00
Sergey Orlov
26233c887e
ipatests: mark test_trustdomain_disable test as expectedly failing
The fix for issue https://pagure.io/SSSD/sssd/issue/4078 have not landed
Fedora 30 version yet.

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-04-03 11:15:57 +02:00
Sergey Orlov
84c94f7350
ipatests: add context manager for declaring part of test as xfail
This function provides functionality similar to pytest.mark.xfail
but for a block of code instead of the whole test function. This has
two benefits:
1) you can mark single line as expectedly failing without suppressing
   all other errors in the test function
2) you can use conditions which can not be evaluated before the test start.

The check is always done in "strict" mode, i.e. if test is expected to
fail but succeeds then it will be marked as failing.

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-04-03 11:15:57 +02:00
Sergey Orlov
3ae0d0d724
ipatests: add utility for getting sssd version on remote host
This function should be used to conditionally skip tests or
mark them xfail when installed version of sssd does not yet contain
patch for the tested issue.

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-04-03 11:15:57 +02:00
Sergey Orlov
b238812b96
update prci definitions for test_sssd.py
The test now requires AD domain + subdomain

Related to: https://pagure.io/SSSD/sssd/issue/4078

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-04-03 11:15:57 +02:00
Sergey Orlov
d8135b7328
ipatests: add test for sssd behavior with disabled trustdomains
When a trusted subdomain is disabled in ipa, users from this domain
should not be able to access ipa resources.

Related to: https://pagure.io/SSSD/sssd/issue/4078

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-04-03 11:15:57 +02:00
François Cami
0fb0d2f117
pr-ci templates: update test_fips timeouts
test_fips takes between 45 and ~80 mins to run.
The templates' timeout was 3600s which is too short for
successful execution. 7200s should do.

Fixes: https://pagure.io/freeipa/issue/8247
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2020-04-02 16:10:27 +02:00
Mohammad Rizwan Yusuf
a02df530a6 ipatests:Test if proper error thrown when AD user tries to run IPA commands
Before fix the error used to implies that the ipa setup is broken.
Fix is to throw the proper error. This test is to check that the
error with 'Invalid credentials' thrown when AD user tries to run
IPA commands.

related: https://pagure.io/freeipa/issue/8163

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-04-02 14:30:52 +02:00
Sergey Orlov
9b3c3202ca
ipatests: add missing classes from test_nfs in nightly_previous run
Test class test_integration/test_nfs.py::TestIpaClientAutomountFileRestore
was missing in nightly_previous.yaml

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-04-01 14:34:40 +02:00
Sergey Orlov
1c4aa66b3c
ipatests: add missing classes from test_installation in nightly runs
The following test classes were missing in all nightly definitions:
* TestADTrustInstall
* TestADTrustInstallWithDNS_KRA_ADTrust
* TestKRAinstallAfterCertRenew

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-04-01 14:34:40 +02:00
Sergey Orlov
99a322a4ae
ipatests: run test_integration/test_cert.py in PR-CI
Execute test_integration/test_cert.py test in gating and generic
nightly test runs

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-04-01 14:34:40 +02:00
Sergey Orlov
b8e1a7d5ae
ipatests: run all cases from test_integration/test_idviews.py in nightlies
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-04-01 14:34:40 +02:00
Sergey Orlov
98b6326a8e
ipatests: explicitly save output of certutil
The test setup was failing because output redirection does not work in
run_command() when specifued as list element.

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-04-01 14:34:40 +02:00
Sergey Orlov
a2dee05b16
ipatests: add AD DC as a DNS forwarder before establishing trust
"ipa trust-add" was not able to establish trust because it could not
find the AD domain controller.

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-04-01 14:34:40 +02:00
Sergey Orlov
e927396851
ipatests: add test_automember to "previous" nightly run
test_integration/test_smb.py was missing in nightly_previous.yaml
for no obvious reason.

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-04-01 14:34:40 +02:00
Sergey Orlov
5e44fc80b8
ipatests: add test_fips to testing-fedora nightly run
test_integration/test_fips.py was missing in nightly_latest_testing.yaml
for no obvious reason.

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-04-01 14:34:40 +02:00
François Cami
9324bba6b7 test_backup_and_restore: add server role verification steps
Add calls to "ipa server-role" to check whether the server role
changes are applied before calling ipa-backup.

Related: https://pagure.io/freeipa/issue/8217
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2020-04-01 12:09:16 +02:00
François Cami
3a9b66b530 ipatests: test ipa-backup with different role configurations.
ipa-backup should refuse to execute if the local IPA server does not
have all the roles used in the cluster.
A --disable-role-check knob should also be provided to bypass the
check.

Add an integration test for the new behavior and the knob.

Related: https://pagure.io/freeipa/issue/8217
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2020-04-01 12:09:16 +02:00
sumenon
fd9f1b3d5b Test for ipahealthcheck.ipa.idns check when integrated DNS is setup
This testcase compares the output of ipahealtcheck.ipa.dns check
with the SRV records displayed by 'ipa dns-update-system-records --dry-run'
command executed on IPA server with integrated DNS setup.

https://bugzilla.redhat.com/show_bug.cgi?id=1695125

Signed-off-by: sumenon <sumenon@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2020-03-31 11:52:42 -04:00
Alexander Bokovoy
6472a107d6 Allow rename of a host group
RN: host groups can now be renamed with IPA CLI:
RN: 'ipa hostgroup-mod group-name --rename new-name'.
RN: Protected hostgroups ('ipaservers') cannot be renamed.

Fixes: https://pagure.io/freeipa/issue/6783
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-03-31 09:21:37 +03:00
Sumedh Sidhaye
58ad7b74eb Test to check if Certmonger tracks certs in between reboots/interruptions and while in "CA_WORKING" state
When a resubmit request is submitted an "invalid cookie"
error message is no longer shown

Earlier an "invlaid cookie" error message was shown when getcert list was called.

The fix allows an empty cookie in dogtag-ipa-ca-renew-agent-submit

Pagure Issue: https://pagure.io/freeipa/issue/8164

Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>

Fixup for test to verify that POLL will not error out on cookie

Author:    Rob Crittenden <rcritten@redhat.com>
Date:      Tue Mar 24 15:30:38 2020 -0400

Fixed review comments

Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-03-30 15:07:48 -04:00
François Cami
ee80d0dbfb pr-ci templates: update test_fips timeouts
test_fips takes between 45 and ~80 mins to run.
The templates' timeout was 3600s which is too short for
successful execution. 7200s should do.

Fixes: https://pagure.io/freeipa/issue/8247
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2020-03-28 19:55:10 +01:00
Alexander Bokovoy
77ed0918a7 Remove Fedora repository fastmirror selection
Fast mirror selection somehow stopped working. If disabled, the
difference is around 20 seconds for the 'Prepare build environment' step
(2:49 versus 3:09), so while we are saving, currently it is not a lot.

Also remove explicit nodejs stream choice, it seems to be not needed
anymore (again).

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2020-03-28 19:55:10 +01:00
François Cami
f9804558bb ipatests: test_replica_promotion.py: test KRA on Hidden Replica
The Hidden replica tests did not test what happened when KRA was
installed on a hidden replica and then other KRAs instantiated from
this original one. Add a test scenario that covers this.

Related: https://pagure.io/freeipa/issue/8240
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2020-03-26 13:18:14 +01:00
Mohammad Rizwan Yusuf
d07da41739 ipatests: Skip test using paramiko when FIPS is enabled
Test used paramiko to connect to the master from controller.
Hence skip if FIPS is enabled

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-03-25 15:18:57 +01:00
Rob Crittenden
8906689215 Test that pwpolicy only applied on Kerberos entries
Also test that a normal user has password history enforcement

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-03-25 10:11:48 +01:00
Rob Crittenden
ff6984e2ee Add ability to change a user password as the Directory Manager
This is to confirm that the Directory Manager is not affected by
password policy.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-03-25 10:11:48 +01:00
Alexander Bokovoy
a620ac0f6f ipatests: test sysaccount password change with a password policy applied
ipa-pwd-extop plugin had a bug which prevented a cn=Directory Manager
to change a password to a value that is not allowed by an associated
password policy. Password policy checks should not apply to any
operations done as cn=Directory Manager.

The test creates a system account with associated policy that prevents
password reuse. It then goes to try to change a password three times:
 - as a user: must succeeed
 - as a cn=Directory Manager: must succeed even with a password re-use
 - as a user again: must fail due to password re-use

Related: https://pagure.io/freeipa/issue/7181
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-03-25 10:11:48 +01:00