Commit Graph

2562 Commits

Author SHA1 Message Date
Stanislav Levin
4fa6afa922 ipatests: Log debug messages for locator plugin
SSSD provides Kerberos plugin
> to tell the Kerberos libraries what Realm and which KDC to use.

It's useful to see what is happening during kinit in case of any
issues.

Related: https://pagure.io/freeipa/issue/8353
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-09-15 10:16:54 +02:00
Stanislav Levin
a941e8f602 azure: Ignore tar errors
Sometimes tar fails on changed in process files:
```
[2021-09-07 11:03:33] + tar --ignore-failed-read -czf ipaserver_install_logs.tar.gz --warning=no-failed-read /var/log/dirsrv /var/log/httpd2 /var/log/ipa /var/log/ipaclient-install.log /var/log/ipa-custodia.audit.log /var/log/ipaserver-install.log /var/log/krb5kdc.log /var/log/pki /var/log/samba /var/lib/bind/data systemd_journal.log
[2021-09-07 11:03:33] tar: Removing leading `/' from member names
[2021-09-07 11:03:33] tar: Removing leading `/' from hard link targets
[2021-09-07 11:03:33] tar: /var/log/dirsrv/slapd-IPA-TEST/access: file changed as we read it
[2021-09-07 11:03:33] + tests_result=1
```

This is expected failure since processes are not stopped during logs
collection and can flush their logs.

Fixes: https://pagure.io/freeipa/issue/8983
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-09-15 08:48:13 +02:00
Florence Blanc-Renaud
a2e06c385e ipatests: fix expected msg in tasks.run_ssh_cmd
OpenSSH 8.7p1 changed the message logged on successful
authentication (see commit 9e1882ef6489a7dd16b6d7794af96629cae61a53).

As a result, the method run_ssh_cmd is failing and needs to be
adapted in order to be compatible with old and new openssh versions.

Fixes: https://pagure.io/freeipa/issue/8989
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-09-14 14:56:42 -04:00
Florence Blanc-Renaud
0342e18e1f ipatests: fix logic waiting for repl in TestIPACommand
The logic of test_reset_password_unlock is twisted.
Currently it's doing:
- reset password on replicas[0]
- wait for replication on master
- kinit on master

The call to wait_for_replication should be done on
replicas[0], not on master, according to the method doc:
    Note that this waits for updates originating on this host, not those
    coming from other hosts.

Fixes: https://pagure.io/freeipa/issue/8975

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2021-09-08 16:46:21 +02:00
Florence Blanc-Renaud
b18cd122fa ipatests: rpcclient now uses --use-kerberos=desired
The integration tests are using rpcclient delivered
by samba package. With samba 4.15, the options have
been renamed and "--use-kerberos=desired" must be
used instead of "-k".
(see
https://download.samba.org/pub/samba/rc/samba-4.15.0rc4.WHATSNEW.txt)

Adapt the test to be compatible with both old and new versions.

Fixes: https://pagure.io/freeipa/issue/8979
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2021-09-08 08:16:14 +02:00
Christian Heimes
f1c58fb646 Add URI system records for KDC
MIT KRB5 1.15 introduced KDC service discovery with URI records.
_kerberos and _kpasswd URI records can provide TCP, UDP, and Kerberos
KDC-Proxy references. URI lookups take precedence over SRV lookups,
falling back to SRV lookups if no URI records are found.

Also reduce TTL for system records from one day to one hour. It allows
users to remove or update discovery entries in a timely fashion.

See: https://web.mit.edu/kerberos/krb5-latest/doc/admin/realm_config.html#kdc-discovery
Fixes: https://pagure.io/freeipa/issue/8968
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-08-31 18:28:27 -04:00
Florence Blanc-Renaud
7b5ef8aede ipatests: use whole date for journalctl --since
When a test is executed around midnight and is checking the
journal content with --since=date, it needs to specify the
whole date (with day and time) to avoid missing entries.

If for instance --since=23:59:00 is used and the current time is
now 00:01:00, --since=23:59:00 would refer to a date in the
future and no journal entry will be found.

Fixes: https://pagure.io/freeipa/issue/8953
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: François Cami <fcami@redhat.com>
2021-08-25 11:00:03 +02:00
Stanislav Levin
42067e5610 Azure: Run pycodestyle check in Lint job
- previously, fastlint make's target includes both the Pylint task
and pycodestyle one. The purpose of this target is a fast checking
only for changed Python files. This makes sense for pycodestyle, but
limits Pylint due to a context(file) checking. The clients which
call the code being linted are not checked at all. In Azure Pylint
(for the whole codebase) is run in the Lint task, this makes fastlint
extra for Azure.

- `Quick code style check` task used distro's Pylint, while `Lint`
task PyPI's one. This may cause different results and confuse a
user.

- `Build` task takes time longer than `Lint` one, so this change
doesn't lead to increased CI time.

- all Azure tests depend on Build and Lint tasks. Mostly it's no need
to run tests due to a probably broken code.

Fixes: https://pagure.io/freeipa/issue/8961
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: François Cami <fcami@redhat.com>
2021-08-24 16:49:10 +02:00
Mohammad Rizwan
c963adc727 ipatests: update the timemout for test_ipa_cert_fix.py in nightlies
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-08-19 08:48:02 +02:00
Mohammad Rizwan
50c6359f3d ipatests: wait while http/ldap/pkinit cert get renew on replica
LDAP/HTTP/PKINIT certificates should be renewd on replica after
moving system date. Test was failing because ipa-cert-fix ran
while these cert was not renewd and it tried to fix it.

This test adds check for replication before calling ipa-cert-fix
on replica.

Fixes: https://pagure.io/freeipa/issue/8815

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-08-19 08:48:02 +02:00
Stanislav Levin
77e7ac3592 ipatests: Add tests for schema Command
- the base testing of this command is made by ipaclient `schema`
remote plugin, but some specifics are not covered

- allow testing of the plugin in `development` mode(locked API).

Fixes: https://pagure.io/freeipa/issue/8955
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-08-19 08:44:26 +02:00
Rob Crittenden
c0d6c05d00 ipatests: Verify that securitydomain is updated on server-del
For every server-del ensure that the server being deleted is
also removed from the PKI securitydomain.

https://pagure.io/freeipa/issue/8930

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-08-16 09:12:55 +02:00
Michal Polovka
d46f5b2cc3
ipatests: test_ipahealthcheck: Verify permissions for /var/log/ files
Test if files in /var/log are being checked with ipahealthcheck.ipa.files source.

Resolves: https://pagure.io/freeipa/issue/8949

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-08-13 09:19:48 +02:00
Anuja More
dabf2763f8 ipatests: Test unsecure nsupdate.
The test configures an external bind server on the ipa-server
(not the IPA-embedded DNS server) that allows unauthenticated nsupdates.

When the IPA client is registered using ipa-client-install,
DNS records are added for the client in the bind server using nsupdate.
The first try is using GSS-TIG but fails as expected, and the client
installer then tries with unauthenticated nsupdate.

Related : https://pagure.io/freeipa/issue/8402

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-08-12 16:35:52 -04:00
Stanislav Levin
bb628aebaf ipatests: Fix TestAJPSecretUpgrade tests on systems without pkiuser
Tests in `test_ipaserver.test_secure_ajp_connector' assume that there
is pkiuser in OS, but this is not always true (for example, in systems
having minimum installed dependencies, in particular, without pki-server
RPM package). Since the tests already use the mock and pkiuser entity is
not the subject of testing the pwd.getpwnam has been mocked.

Fixes: https://pagure.io/freeipa/issue/8942
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-08-12 16:34:17 -04:00
Anuja More
16b3788f68 ipatests: Refactor test_check_otpd_after_idle_timeout
Use whole date when calling journalctl --since
ipa-otpd don't flush its logs to syslog immediately,
so check with run_repeatedly.
Also list failed units when ldap connection is
timed out.

Related: https://pagure.io/freeipa/issue/6587

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-08-10 11:12:52 +02:00
Anuja More
cd665e2d5c ipatests: skip test_basesearch_compat_tree on fedora.
slapi-nis with fix is not part of fedora yet.
test requires with fix:
https://pagure.io/slapi-nis/c/61ea8f6a104da25329e301a8f56944f860de8177?

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-08-09 14:49:21 +02:00
Anuja More
7cac63faef ipatests: Test ldapsearch with base scope works with compat tree.
Added test to verify that ldapsearch for compat tree
with scope base and sub is not failing.

Related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-08-09 14:49:21 +02:00
Christian Heimes
c75be14bee Fix string check in uninstall helper
The install helpers used an invalid string check. ``('ubuntu')`` is
not a tuple. It's a string with superfluous parenthesis. A single-item
tuple would be ``('ubuntu',)``. It's recommended to use set literals to
avoid such mistakes.

Also check for 'debian' platform.

Fixes: https://pagure.io/freeipa/issue/8937
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-08-09 08:42:39 +02:00
Rob Crittenden
e3304ff3aa pr-ci definitions: add custom plugin-related jobs
Related: https://pagure.io/freeipa/issue/8415

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-08-05 17:36:46 +02:00
Rob Crittenden
7b77fef75a ipatests: add suite for testing custom plugins
Ensure that attributes and objectclasses are case-insensitive.

https://pagure.io/freeipa/issue/8415

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-08-05 17:36:46 +02:00
François Cami
e914a59738 ipatests: use krb5_trace in TestIpaAdTrustInstall
tasks.create_active_user can fail in a subtle way when there
are two IPA servers due to replication delays.
Using the debug-enabled version of create_active_user helps
determine whether there is another underlying issue and, in
general, prevents the above problem.

Fixes: https://pagure.io/freeipa/issue/8944
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
2021-08-05 15:19:33 +02:00
Antonio Torres
715987a82e ipatests: expect SOA serial option deprecation warning
Tests must be updated to expect the new deprecation warning.

Related: https://pagure.io/freeipa/issue/8227
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Jeffman <rjeffman@redhat.com>
2021-08-04 14:09:45 +02:00
Mohammad Rizwan
bb38fbca91 ipatests: Look for warning into stderr instead of stdout
In https://github.com/freeipa/freeipa/pull/5855 was looking
into stdout_text for warning instead of stderr_text, hence
was failing for pki version > 10.11.0.

related: https://pagure.io/freeipa/issue/8890

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-08-04 12:10:33 +02:00
Rob Crittenden
3272780439 ipatests: verify that getcert output includes the issued date
certmonger 0.79.14 included a new feature that provides the
NotBefore (or issued) date to the certificate list output.

Verify that it is present in the output.

https://bugzilla.redhat.com/show_bug.cgi?id=1940261

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-08-03 11:09:28 -04:00
Anuja More
81b6157877 ipatests: Test for OTP when the LDAP connection timed out.
Test to verify that when the idle timeout is exceeded (30s idle,
60s sleep) then the ipa-otpd process should exit without error.

Related : https://pagure.io/freeipa/issue/6587

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-08-03 08:32:25 +02:00
Christian Heimes
8170659d15 Fix ldapupdate.get_sub_dict() for missing named user
The named user may not be present when ipa-server-dns and bind are not
installed. NAMED_UID and NAMED_GID constants are only used with local
DNS support.

Fixes: https://pagure.io/freeipa/issue/8936
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Co-authored-by: François Cami <fcami@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-07-30 08:58:25 -04:00
Rob Crittenden
7729b1c8ff ipatests: test ipa-getkeytab server option
Test various usages of the -s/--server option:
* -s is defined, use it as the server
* no -s, use the host value from /etc/ipa/default.conf
* -s is '_srv_', do DNS discovery

https://pagure.io/freeipa/issue/8478

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-07-30 08:45:08 -04:00
Armando Neto
1457bc602b ipatests: bump prci boxes + move gating to f34
Bump template box version to latest to include recently updated
dependencies and move gating and temp definitions to latest Fedora
release.

Issue: https://pagure.io/freeipa/issue/8935

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: François Cami <fcami@redhat.com>
2021-07-27 15:44:44 +02:00
Antonio Torres
42447c4540 ipatests: test if KRA install fails when ca_host is overriden
KRA install on a replica should fail if ca_host is
overriden in /etc/ipa/default.conf.

Related: https://pagure.io/freeipa/issue/8245
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-07-27 13:27:36 +02:00
François Cami
8a4a338c09 ipatests: refactor test_ipa_cert_fix with tasks
Fixes: https://pagure.io/freeipa/issue/8932
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2021-07-27 09:55:27 +02:00
Rob Crittenden
f470f64908 Fix automountlocation-tofiles expected output in xmlrpc test
The previous output matched the bad behavior of only displaying
one orphaned key.

https://pagure.io/freeipa/issue/7814

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2021-07-26 11:07:57 -04:00
Rob Crittenden
14062c774b ipatests: Add test for ipa automountlocation-tofiles
Only the first key of orphaned automount keys was being
displayed.

tofiles was created because making sense of LDAP automount
information is a brain squeezer. The purpose is not to
display in a precise file format but to display it in
a sensible and understandable way.

https://pagure.io/freeipa/issue/7814

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2021-07-26 11:07:57 -04:00
François Cami
d4d545a1c0 gating.yaml: Fix TestInstallMaster timeout
test_integration/test_installation.py::TestInstallMaster 's
timeout is 10800 on all nightlies but it timeouts in gating with a
timeout of 3600. Use 7200 in gating so that it has some chance of
completing.

Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2021-07-23 10:52:55 +02:00
François Cami
baed2e6f91 Azure: temporarily disable problematic tests, #2
test_cert and test_SubCAkeyReplication are randomly failing.
The suspect for test_SubCAkeyReplication is an nss bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1985061

The reason for test_cert failures was not identified, the only
relevant line in the log contains:
2021-07-22T17:37:21.0873339Z tests: cert, result: 1, time: 30:08.98
2021-07-22T17:37:21.0874172Z Command exited with non-zero status 1

Disable these tests in gating until the NSS bug is fixed and
the related build is available in Fedora.

Related: https://pagure.io/freeipa/issue/8864
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2021-07-23 10:52:55 +02:00
François Cami
b71009b31a Azure: temporarily disable problematic tests, #1
test_installation.TestInstallMaster, test_advise,
and test_integration.test_commands.TestIPACommand rely on DNS
forwarders and hit a known BIND bug:
https://gitlab.isc.org/isc-projects/bind9/-/issues/2728
quite often.
This is blocking gating nearly completely.
Disable these tests in gating until the bug is fixed and
the related build is available in Fedora.

Related: https://pagure.io/freeipa/issue/8864
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2021-07-23 10:52:55 +02:00
Rob Crittenden
2097776e5e ipatests: test removing last KRA when it is not running
Use the new role-based mechanism, one that doesn't rely
on direct communication to the server, to determine whether
the server being removed by `ipa server-del` contains the
last KRA server.

https://pagure.io/freeipa/issue/8397

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2021-07-22 14:39:24 -04:00
François Cami
93fad5a89c test_acme: make password renewal more robust
A kinit immediately following a password change can fail.
Setting KRB5_TRACE and retrieving kdcinfo will help to understand
the cause of failure.

Fixes: https://pagure.io/freeipa/issue/8929
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2021-07-21 15:27:31 +02:00
François Cami
82ab9245a5 test_acme: refactor with tasks
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2021-07-21 15:27:31 +02:00
François Cami
4618c3c24a tasks.py: fix flake8-reported issues
Fixes: https://pagure.io/freeipa/issue/8931
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2021-07-21 11:29:00 +02:00
François Cami
cbe5151e12 ipatests: smbclient "-k" => "--use-kerberos=desired"
Change documentation:
https://download.samba.org/pub/samba/rc/samba-4.15.0rc1.WHATSNEW.txt

As of Samba 4.15rc1, smbclient does not accept "-k" anymore.
The "-k|--kerberos" option ("Try to authenticate with kerberos.")
has been replaced with "--use-kerberos=required|desired|off".

Fixes: https://pagure.io/freeipa/issue/8926
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2021-07-20 11:11:28 +02:00
Florence Blanc-Renaud
319aa7a4b1 webui tests: fix algo for finding available idrange
The webui tests for ID range evaluate a potentially free id range
by looking for existing ranges and picking a range = max value
+ 1 million.

With the addition of subuid range this algorithm produces values
over the limit because the subuid range goes from
2,147,483,648 to 4,294,836,224 and the max base id is 4,294,967,295.

Ignore the subuid range when picking a potential range.
Fixes: https://pagure.io/freeipa/issue/8919
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-07-16 14:35:48 -04:00
Florence Blanc-Renaud
4bd1d15b60 webui tests: close notification when revoking cert
When a cert is revoked, a notification is displayed
and may obscure the buttons. Make sure to close the
notification before moving to the next step.

Fixes: https://pagure.io/freeipa/issue/8911
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2021-07-14 14:31:51 -04:00
Rob Crittenden
bd0d437450 Fall back to krbprincipalname when validating host auth indicators
When adding a new host the principal cannot be determined because it
relies on either:

a) an entry to already exist
b) krbprincipalname be a component of the dn

As a result the full dn is being passed into ipapython.Kerberos
which can't parse it.

Look into the entry in validate_validate_auth_indicator() for
krbprincipalname in this case.

https://pagure.io/freeipa/issue/8206

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-07-13 17:57:28 -04:00
Michal Polovka
3189e501fb
ipatests: test_installation: move tracking_reqs dependency to ipalib constants ipaserver: krainstance: utilize moved tracking_reqs dependency
KRA instance import depends on lib389 package, which is not always
installed and that results in failure. Furthermore, test_installation
utilizes krainstance import. This fix moves relevant parts from
krainstance to ipalib constants where those are subsequently imported
from.

Related: https://pagure.io/freeipa/issue/8795

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-07-13 16:52:57 +02:00
François Cami
4616c125b6 pr-ci definitions: add subid-related jobs
Related: https://pagure.io/freeipa/issue/8361
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-07-13 15:03:46 +02:00
Michal Polovka
b43ac4fdd2 ipatests: test_ipahealthcheck: print a message if a system is healthy
Test if when the system is completely healthy, informative message is
returned and not only empty output (list or json).

Related: https://pagure.io/freeipa/issue/8892

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-07-12 17:11:10 -04:00
Mohammad Rizwan
ea8f4b69a8 ipatests: Test ipa-cert-fix warns when startup directive is missing from CS.cfg
Earlier it used to fail when startup directive missing from CS.cfg.
With https://github.com/dogtagpki/pki/pull/3466, it changed to display
a warning than failing.

related: https://pagure.io/freeipa/issue/8890

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-07-12 19:59:06 +02:00
Florence Blanc-Renaud
eb8a6d0782 ipatests: use whole date when calling journalctl --since
The test TestSelfExternalSelf::test_switch_back_to_self_signed
is checking the content of the journal using journalctl --since ...
but provides only the time, not the whole date with year-month-day.
As a consequence, if the test is executed around midnight it may
find nothing in the journal because it's looking for logs after 11:50PM,
which is a date in the future.
Fixes: https://pagure.io/freeipa/issue/8918

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
2021-07-12 10:43:39 +02:00
Sudhir Menon
c64eaa49c4 ipatests: Fix for test_source_ipahealthcheck_ipa_host_check_ipahostkeytab
Expected error message has been modified for
test_source_ipahealthcheck_ipa_host_check_ipahostkeytab

Related: https://pagure.io/freeipa/issue/8889

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-07-12 09:07:53 +02:00
Rob Crittenden
02e19d0a39 Add SHA384withRSA as a certificate signing algorithm
It required support in dogtag which was added in 10.5.0.

This is only easily configurable during installation because
it will set ca.signing.defaultSigningAlgorithm to the
selected algorithm in CS.cfg

The certificate profiles will generally by default set
default.params.signingAlg=- which means use the CA default.

So while an existing installation will technically allow
SHA384withRSA it will require profile changes and/or
changing the defaultSigningAlgorithm in CS.cfg and
restarting (completely untested). And that won't affect
already issued-certificates.

https://pagure.io/freeipa/issue/8906

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-07-09 13:21:00 -04:00
Christian Heimes
aae6c029da Test DNA plugin configuration
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-07-09 09:47:30 -04:00
Christian Heimes
c78d1341ad Redesign subid feature
Subordinate ids are now handled by a new plugin class and stored in
separate entries in the cn=subids,cn=accounts subtree.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-07-09 09:47:30 -04:00
Christian Heimes
1c4ae37293 Add basic support for subordinate user/group ids
New LDAP object class "ipaUserSubordinate" with four new fields:
- ipasubuidnumber / ipasubuidcount
- ipasubgidnumber / ipasgbuidcount

New self-service permission to add subids.

New command user-auto-subid to auto-assign subid

The code hard-codes counts to 65536, sets subgid equal to subuid, and
does not allow removal of subids. There is also a hack that emulates a
DNA plugin with step interval 65536 for testing.

Work around problem with older SSSD clients that fail with unknown
idrange type "ipa-local-subid", see: https://github.com/SSSD/sssd/issues/5571

Related: https://pagure.io/freeipa/issue/8361
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-07-09 09:47:30 -04:00
Florence Blanc-Renaud
05d69c8c32 XMLRPC test: add a test for stageuser-add --user-auth-type
Related: https://pagure.io/freeipa/issue/8909
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-07-06 08:14:33 +02:00
Antonio Torres
da72a57658 ipatests: ensure auth indicators can't be added to internal IPA services
Authentication indicators should not be added to internal IPA services,
since this can lead to a broken IPA setup. In case a client with
an auth indicator set in its host principal, promoting it to a replica
should fail.

Related: https://pagure.io/freeipa/issue/8206
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2021-07-05 11:07:02 +02:00
François Cami
69497f4a02 ipatests: smoke test for server debug mode.
Add a smoke test to make sure the server can be set in debug mode
without issue.

Related: https://pagure.io/freeipa/issue/8891
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-07-01 13:15:48 -04:00
Rob Crittenden
19d5b3b621 Return a copy of cached entries, only with requested attributes
Some plugins, notably dns, modifies a returned entry in order
to compare it to the user-provided info (e.g. dnsrecord-del).
This modification was done on the cached entry directly rather
than a copy which caused unexpected results, mostly
EmptyResult because the cached entry was changed directly so
the next get_entry returned the same modified entry.

In addition, on a hit in the LDAP cache the entire cached entry
was returned regardless of what attributes were requested.

The automember condition add/remove calls only request the
inclusive/exclusive rule attributes and loop over the returned
values to look for duplicates. This was failing because the queried
entry contains attributes that the candidate entry does not contain.
The automember code is:

    old_entry = ldap.get_entry(dn, [attr])
    for regex in old_entry.keys():
        if not isinstance(entry_attrs[regex], (list, tuple)):

old_entry, returned from the cache, contained objectclass, cn,
description, etc. which don't exist in the candidate entry so
entry_attrs[regex] threw a KeyError.

To return a copy of the entry and requested attributes on a
search HIT.

Also be more careful when storing the attributes in the cache entry.
The returned attributes may not match the requested. So store the
attributes we actually have.

This issue was exposed by Ansible which maintains a larger and
longer-lived cache because commands are executed in the server context
one after another, giving the cache a chance to build up.

Adjust the expected test results as well. In test_get_testuser()
the first request asks for all attributes (default) so ensure
that is successful since a user_add gets all attributes in
the post_callback. Next request a subset of the attributes which
is also a hit and confirm that only those requested were returned.

https://pagure.io/freeipa/issue/8897

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-06-29 14:55:50 +03:00
Sudhir Menon
cf26159e9c Increase timeout for test_commands.py
test_commands.py testsuite is failing due to
'RunPytest timed out after 4800s'
Hence the timeout has been increased from 4800 to 5400

Ref: https://github.com/freeipa-pr-ci2/freeipa/pull/996

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-06-28 14:25:02 +03:00
Stanislav Levin
fe86359416 ipatests: Add tests for env plugin
Previously there were no tests for `ipalib.misc` module.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-06-28 14:16:56 +03:00
Stanislav Levin
cc212e552f ipatests: Add tests for plugins plugin
Previously there were no tests for `ipalib.misc` module.

Fixes: https://pagure.io/freeipa/issue/8898
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-06-28 14:16:56 +03:00
Stanislav Levin
3597ab9bac ipatests: healthcheck: Update IPAHostKeytab assumptions
As of 0.9 freeipa-healthcheck requires running `dirsrv` service
for `IPAHostKeytab` check. So, previous assumption about the
triggering the GSSAPI error no longer works. For example, this can
be achieved by deletion of host's keytab.

Fixes: https://pagure.io/freeipa/issue/8889
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-06-23 13:16:01 -04:00
Sudhir Menon
0c2530efe5 ipatests: Test to check that ResponseNotReady error is not displayed when user session cache is deleted
Pagure: https://pagure.io/freeipa/issue/7752

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-06-22 16:42:14 +02:00
Armando Neto
c14d52f436 ipatests: Bump PR-CI rawhide template
Update system's Python to 3.10

Issue: https://github.com/freeipa/freeipa-pr-ci/issues/435

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-06-21 18:58:59 +02:00
Mohammad Rizwan
16057898af ipatest: Test ipa-cert-fix fails when startup directive is missing from CS.cfg
This test checks that if 'selftests.container.order.startup' directive
is missing from CS.cfg, ipa-cert-fix fails and throw proper error
message. It also checks that underlying command 'pki-server cert-fix'
should fail to renew the cert.

related: https://pagure.io/freeipa/issue/8721

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-06-18 10:49:07 -04:00
Antonio Torres
3e77d3132f ipatests: test host update using shortname
Add test to ensure that host-mod resolves the FQDN when passing the
shortname of the host being modified.

Related: https://pagure.io/freeipa/issue/8726
Related: https://pagure.io/freeipa/issue/8884
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-06-18 10:46:29 -04:00
Florence Blanc-Renaud
0faddc9180 ipatests: use non-ascii chars in CA-less install
The CA-less installation creates an external CA with the
subject CN=CA,O=Example Organization.
In order to test non-ascii subjects, use
CN=CA,O=Example Organization España
instead.

Related: https://pagure.io/freeipa/issue/8880
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2021-06-16 11:25:08 -04:00
Christian Heimes
e6f09c1b5f Also drop Custodia client and forwarder
See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-06-16 10:28:17 -04:00
Christian Heimes
470bb6ed45 Add Custodia tests
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-06-16 10:28:17 -04:00
Rob Crittenden
6434968a7c When loading certificates verify that it is X.509 v3
Simple version enforcement. A v1 certificate won't have the
extensions that are assumed available later during the validation
process.

https://pagure.io/freeipa/issue/8817

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-06-14 15:19:42 -04:00
Sergey Orlov
accc27e663 ipatests: disable test_nfs.py::TestNFS in nightly runs on Fedora 33
Also disable in Fedora 33 as it also has the faulty version of sssd
which produces multi-gigabyte log file

Related to https://pagure.io/freeipa/issue/8877

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-06-10 20:56:46 +02:00
Sergey Orlov
bcb8d4d4a6 ipatests: temporary disable execution of test_nfs.py::TestNFS in nightly runs
During test run on Fedora 34 and 35 sssd produces multi-gigabyte log file
which causes test runners to run out of disk space.

Related to https://pagure.io/freeipa/issue/8877

Reviewed-By: Francois Cami <fcami@redhat.com>
2021-06-08 15:10:08 -04:00
Florence Blanc-Renaud
6f49cc0656 ipatests: delete the replica before uninstallation
The test
test_installation.py::TestInstallWithCA1::test_install_with_bad_ldap_conf
is uninstalling a replica by calling ipa-server-install --uninstall
directly, instead of deleting the replica first.

Use tasks.uninstall_replica instead of tasks.uninstall_master
to perform a proper uninstallation.

Fixes: https://pagure.io/freeipa/issue/8876
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-06-08 08:36:09 +02:00
Florence Blanc-Renaud
5c83ec06fa ipatests: set selinux context for fips mode
In order to test FIPS mode, the test is faking a user-space
FIPS environment by creating a file /var/tmp/userspace-fips
and bind-mounting this file as /proc/sys/crypto/fips_enabled

The security context needs to be properly set otherwise
/proc/sys/crypto/fips_enabled inherits the security context
unconfined_u:object_r:user_tmp_t:s0 and cannot be read,
resulting in the test seeing fips_mode=false.

Fixes: https://pagure.io/freeipa/issue/8868
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-06-07 16:33:15 -04:00
Armando Neto
ba5b9c565d ipatests: Bump PR-CI boxes
Update Fedora 34 and 33 boxes to include new packages

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2021-06-04 08:51:01 +03:00
Serhii Tsymbaliuk
d8b8f54bce WebUI tests: Add test for 'ipaautoprivategroups' field on 'ID Ranges' page
Add test_range_auto_private_groups test case to test_trust WebUI test suite to cover the field.

Ticket: https://pagure.io/freeipa/issue/8837

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2021-06-03 14:55:56 +02:00
Stanislav Levin
c82ed2eb33 ipatests: Fetch sudo rules without time offset
As of 2.5.0 SSSD introduces a random timeout for the refresh
of the SUDO rules [0]. With that change it's no longer possible
to immediate fetch of SUDO rules unless the feature is disabled
[1].

[0]: https://github.com/SSSD/sssd/issues/5609
[1]: https://github.com/SSSD/sssd/issues/5635

Related: https://pagure.io/freeipa/issue/8844
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-06-03 09:21:45 +03:00
Alexander Bokovoy
b4b2c10e23 ds: Support renaming of a replication plugin in 389-ds
IPA topology plugin depends on the replication plugin but
389-ds cannot handle older alias querying in the plugin
configuration with 'nsslapd-plugin-depends-on-named: ..' attribute

See https://github.com/389ds/389-ds-base/issues/4786 for details

Fixes: https://pagure.io/freeipa/issue/8799

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2021-06-01 17:09:28 +03:00
Stanislav Levin
10461b7091 azure: Make it possible to adjust Docker resources per test env
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-05-25 10:45:49 +03:00
Stanislav Levin
6c2db326f8 azure: coredump: Wait for systemd fully booted
Otherwise, 'Check for coredumps' task fails with:
```
Verifying        : samba-debugsource-2:4.14.4-0.fc34.x86_64             20/20
[Errno 2] No such file or directory: '/var/lib/dnf/rpmdb_lock.pid'
Finishing: Check for coredumps
```

This is due to systemd-tmpfiles(not ready yet).

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-05-25 10:45:49 +03:00
Stanislav Levin
01553572d4 azure: Re-balance tests envs
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-05-25 10:45:49 +03:00
Stanislav Levin
a893852b4f azure: Warn about extra and missing gating tests compared to PR-CI
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-05-25 10:45:49 +03:00
Stanislav Levin
26ee44bcfd ipatests: dnssec: Add alternative approach for checking chain of trust
drill is currently broken on F34. Fortunately, there are another
tools for checking DNSSEC trust. One of them is `delv`:

> delv is a tool for sending DNS queries and validating the results,
using the same internal resolver and validator logic as named.

delv sends to a specified name server all queries needed to fetch and
validate the requested data; this includes the original requested query,
subsequent queries to follow CNAME or DNAME chains, queries for DNSKEY,
and DS records to establish a chain of trust for DNSSEC validation. It
does not perform iterative resolution, but simulates the behavior of a
name server configured for DNSSEC validating and forwarding.

Related: https://pagure.io/freeipa/issue/8793
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-05-25 10:45:49 +03:00
Stanislav Levin
611b49e42b azure: Collect installed packages
The list of installed packages may be useful for checking the
versions of packages for analysis. Previously, only the newly
installed packages can be observed on Build phase.

This is convenient for experienced users of PR-CI.

Note: the read-only access provided for non-master containers
to be able to execute Azure scripts. The logs are still collected
only on controller.

Only RPM-based collection is implemented for Fedora. By default
nothing is collected.

Users may want to override `installed_packages` function
in the corresponding `ipatests/azure/scripts/variables-DISTRO.sh`.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-05-25 10:45:49 +03:00
Stanislav Levin
4a4c078b80 ipatests: Suppress list trust or certificates
There are tons of useless information in test's runner log on
server uninstallation about list trust and certificates, such
as:

```
RUN ['trust', 'list']
pkcs11:id=%D2%87%B4%E3%DF%37%27%93%55%F6%56%EA%81%E5%36%CC%8C%1E%3F%BD;type=cert
    type: certificate
    label: ACCVRAIZ1
    trust: anchor
    category: authority

pkcs11:id=%F7%7D%C5%FD%C4%E8%9A%1B%77%64%A7%F5%1D%A0%CC%BF%87%60%9A%6D;type=cert
    type: certificate
    label: AC RAIZ FNMT-RCM
    trust: anchor
    category: authority

pkcs11:id=%52%D8%88%3A%C8%9F%78%66%ED%89%F3%7B%38%70%94%C9%02%02%36%D0;type=cert
    type: certificate
    label: Actalis Authentication Root CA
    trust: anchor
    category: authority

...

```

This improves the readability of test logs.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-05-25 10:45:49 +03:00
Stanislav Levin
afef09ccba ipatests: Ignore warnings on failed to read files on tarring
There are tons of useless warnings about missing files on collecting
logs, such as:

```
tar: /var/log/ipaserver-kra-install.log: Warning: Cannot stat: No such file or directory
tar: /var/log/ipaepn.log: Warning: Cannot stat: No such file or directory
tar: /etc/NetworkManager/NetworkManager.conf: Warning: Cannot stat: No such file or directory
tar: /var/log/ipabackup.log: Warning: Cannot stat: No such file or directory
tar: /var/log/iparestore.log: Warning: Cannot stat: No such file or directory
...

```

Since `--ignore-failed-read` option is passed to tar the caller
doesn't care about not readable(mostly missing) files and these warnings
may be filtered out.

This improves the readability of test logs.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-05-25 10:45:49 +03:00
Stanislav Levin
3889d8654a pytest: Show extra summary information for all except passed tests
By default pytest reports in summary section about tests failures and errors.
It will be helpful to see skipped, xfailed and xpassed tests.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-05-25 10:45:49 +03:00
Stanislav Levin
cc72a988d6 ipatests: Handle network-isolated mode
Since the dns plugin's tests have no access to wild resolvers
nobody answer such requests but authoritative NS.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-05-25 10:45:49 +03:00
Stanislav Levin
fc0c6b44a8 azure: Run Base and XMLRPC tests is isolated network
The tests in these envs make DNS requests to wild(internet) NSs,
though usually tests assume the opposite making requests to
`test.` zone. This makes CI unstable and dependent on wild
resolvers and logically wrong.

In future there can be tests which may want to check BIND as
resolver(cache) for external networks. In this case such tests
should be placed on not isolated mode.

By default, a test env is not isolated from internet(as it was
before), but it may be a good idea to change this default in
future.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-05-25 10:45:49 +03:00
Stanislav Levin
65700bf743 ipatests: Setup and collect BIND logs
For Base/XMLRPC tests BIND's logs are already collected.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-05-25 10:45:49 +03:00
Stanislav Levin
07c423afd5 BIND: Setup logging
- allow BIND's logging customization
- preconfig logging with ISC recommendations:
  https://kb.isc.org/docs/aa-01526

Fixes: https://pagure.io/freeipa/issue/8856
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-05-25 10:45:49 +03:00
Stanislav Levin
b5fdba7a72 azure: Warn about memory issues
The nonzero number of memory/memory+Swap usage hits limits may
indicate the possible env instability(crashes, random failures, etc.).

> memory.failcnt		 # show the number of memory usage hits limits
  memory.memsw.failcnt		 # show the number of memory+Swap hits limits

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-05-25 10:45:49 +03:00
Stanislav Levin
9148ca2e1e azure: Add workaround for PhantomJS against OpenSSL 1.1.1
WebUI unit tests fail with:
```
PhantomJS threw an error:ERROR
>> Auto configuration failed 0 [
>>   'Auto configuration failed',
>>   '140613066520384:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:185:filename(libssl_conf.so): libssl_conf.so: cannot open shared object file: No such file or directory',
>>   '140613066520384:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:',
>>   '140613066520384:error:0E07506E:configuration file routines:MODULE_LOAD_DSO:error loading dso:conf_mod.c:285:module=ssl_conf, path=ssl_conf',
>>   '140613066520384:error:0E076071:configuration file routines:MODULE_RUN:unknown module name:conf_mod.c:222:module=ssl_conf'
>> ]
...

Warning: PhantomJS exited unexpectedly with exit code 1. Use --force to continue.

Aborted due to warnings.
```

See https://github.com/wch/webshot/pull/93 for details.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-05-25 10:45:49 +03:00
Stanislav Levin
1aff24e891 ipatests: Update expectations for test_detect_container
Since a4a9a6f7c6
systemd improves the detection of Docker and Podman containers based
on the presence of files-markers.

```console
[slev@test systemd]$ git describe --contains --tags a4a9a6f7c6e9cd9e219c56d08434a04bc2f395ff
v248-rc1~155^2~1
```

Note: on Azure unit tests are run as non-privileged user in non-systemd
inited container.

This worked on F32 because:
```console
[root@6d2aad38f62c /]# rpm -q systemd
systemd-245.9-1.fc32.x86_64
```
So, actual comparison in test was `assert None == None`.

But F34 has:
```console
[root@1ff1325f5a61 /]# rpm -q systemd
systemd-248-2.fc34.x86_64
```
So, the test's expectations should be updated.
Unfortunately, this is incompatible with older versions of systemd
(< v248).

See https://github.com/systemd/systemd/pull/17902 for details.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-05-25 10:45:49 +03:00
Stanislav Levin
06d7c7f1d3 azure: Mask systemd-resolved
The initial value of NS of resolv.conf is 127.0.0.11, this
is the embedded NS of docker-compose. The disabling of
this feature is not currently supported by Docker.

On startup systemd-resolved caches the /etc/resolv.conf
(docker-compose version), which is later modified by
setup_containers.py script.

This results in resolving error occurs:
```console
[root@replica1 /]# getent ahosts master1.ipa.test
... can't resolve

[root@replica1 /]# grep 'hosts:' /etc/nsswitch.conf
hosts:      files myhostname resolve [!UNAVAIL=return] dns

[root@replica1 /]# resolvectl status
Global
       LLMNR setting: resolve
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: 127.0.0.11
         DNS Servers: 127.0.0.11
Fallback DNS Servers: 1.1.1.1
                      8.8.8.8
                      1.0.0.1
                      8.8.4.4
                      2606:4700:4700::1111
                      2001:4860:4860::8888
                      2606:4700:4700::1001
                      2001:4860:4860::8844
```

According to docs:
https://www.freedesktop.org/software/systemd/man/systemd-resolved.service.html#/etc/resolv.conf
our case is 4(managed by other packages).

So, restart of systemd-resolved is enough for its re-initialization,
but not for services that already received DNS results. To speed up
the overall process and to no restart each service which wants
internet connection(or wait until service retries connection)
systemd-resolved is masked.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-05-25 10:45:49 +03:00
Stanislav Levin
7ed21f158c azure: Remove no longer needed repo
libseccomp2 2.5.1 is on focal-updates(Ubuntu 20.04LTS):
https://packages.ubuntu.com/focal-updates/libseccomp2

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-05-25 10:45:49 +03:00
Stanislav Levin
1c82895c20 azure: Wait for systemd booted
The calling of systemd's utils during systemd boot may lead to
unpredictable results. For example, if DBus(dbus-broker) service
is not started then DBus request goes nowhere and eventually will
be timeouted. So, it's safer to wait fully booted system.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-05-25 10:45:49 +03:00
Stanislav Levin
09a4918f03 azure: Enforce multi-user.target as default systemd's target
This may speed up boot process.
For example, 'fedora:34' set graphical.target as default,
while multi-user one will be more appropriate.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-05-25 10:45:49 +03:00
Stanislav Levin
be2f659aa7 azure: Collect systemd boot log
If an error occured while containers setup phase then no logs will
be collected and it is hard(impossible?) to debug such issues on
remote Azure host. With this change in case of such error all the
container's journals will be collected in `systemd_boot_logs`.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-05-25 10:45:49 +03:00
Stanislav Levin
6fe8620668 azure: bump F32->F34
Fixes: https://pagure.io/freeipa/issue/8848
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-05-25 10:45:49 +03:00
Rob Crittenden
4f30130697 ipatests: kinit on server for test_proxycommand_invalid_shell
We've seen some intermittent failures of this test with warnings
about passwords about to expire. We suspect there may be a time
difference between the client and server so set the passwords
on the server instead to be sure that time is correct.

https://pagure.io/freeipa/issue/8785

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-05-21 08:52:19 +02:00
Sergey Orlov
47d0ef40c8
ipatests: increase timeout for test_commands up to 1.5 hours
Normally it takes 50 minutes for test_commands test suite
to complete. But due to fluctuations in virtualized environment
sometimes it exceeds 60 minutes which produces random failures
in nightly runs.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-05-13 10:44:36 +03:00
Armando Neto
4484762f62
ipatests: Bump PR-CI templates to Fedora 34
Move 'latest' to Fedora 34 and 'previous' Fedora 33 for nightly runs.
Keep gating on Fedora 33 for now.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-05-12 15:21:22 -03:00
Rob Crittenden
8d21df9352 Add a unit test for the LDAP cache layer
This mostly confirms that when an entry is added, modified or
deleted it is expunged from the cache.

https://pagure.io/freeipa/issue/8798

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2021-05-12 10:45:57 -04:00
Michal Polovka
b8ebce7b18
ipatests: test_installation: add install test scenarios
test_hostname_parameter: Test for issue 2692 ipa-server-install ignores --hostname:
check whether hostname provided in `--hostname` parameter is being taken into account and set as new hostname without prompting for it again

test_ad_subpackage_dependency: Test for issue 4011 ipa-server-install crashes when AD subpackage is not installed:
test if ipa-server installation succeeds without `freeipa-ipa-server-trust-ad` installed

test_backup_of_cs_cfg_should_be_created: Test for issue 4166 Backup CS.cfg before modifying it:
test if ipa-server installer backs up CS.cfg before modifying it

test_installer_wizard_should_prompt_for_DNS: Test for issue 2575 [RFE] Installer wizard should prompt for DNS:
test if installer is asking for DNS setup details if not provided as parameter

Related: https://pagure.io/freeipa/issue/2692
Related: https://pagure.io/freeipa/issue/4011
Related: https://pagure.io/freeipa/issue/4166
Related: https://pagure.io/freeipa/issue/2575

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-05-06 16:51:18 +02:00
Christian Heimes
6d0d1c7088 Constrain pylint to supported versions
Two, three times a year PR-CI starts failing because tox tests pull in a
newer version of pylint with new warnings. To reduce breakage this
change constraints pylint (and indirectly astroid) to latest tested
minor version. The constraint should be updated when FreeIPA starts to
support a new Fedora version with more recent pylint.

Related: https://pagure.io/freeipa/issue/8818
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-05-03 09:16:14 +02:00
Mohammad Rizwan
d2ca791549 ipatests: Test if ACME renews the issued cert with cerbot
This test is to check if ACME certificate renews upon
reaching expiry

related: https://pagure.io/freeipa/issue/4751

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>

ipatests: remove skipif for minimum pki dependency

Remove skipif from ACME tests as required pki version
updated in freeipa.spec file (pki 10.10.5)

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>

ipatests: move common code to separate method

Move the code from prepare_acme_client, TestACME/test_certbot_register
and TestACME/test_certbot_certonly_standalone to separate method so
that it can be re-used in TestACMERenew.

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-04-30 11:02:44 +02:00
Christian Heimes
a297ebbb8a Add max/min safe integer
JSON cannot safely handle integers outside range ``-(2**53) - 1`` to
``(2**53) - 1``. Add constants for safe integers and limit the Int
parameter to safe JSON values.

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Number/MAX_SAFE_INTEGER

See: https://pagure.io/freeipa/issue/8802
See: https://pagure.io/freeipa/issue/8361
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2021-04-27 13:10:26 -04:00
Stanislav Levin
bdb2696805 pylint: Adapt to new Pylint 2.8
- globally ignore `consider-using-with`
- fix `consider-using-max-builtin`
- explicitly enable pylint on project configuration
- unpin Pylint
- added transformation for IntegrationTest attributes(will work
  unless explicitly defined)

Fixes: https://pagure.io/freeipa/issue/8818
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2021-04-27 13:28:42 +02:00
Michal Polovka
180af784aa
WebUI: Handle assertion if multiple notifications are present
If multiple notifications of the same type are shown at the same
time, assertion works for only the first one. This change enables to
search for notification's content in all shown notifications.

Fixes: https://pagure.io/freeipa/issue/8641

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2021-04-24 10:20:51 +02:00
Mohammad Rizwan
99e7ad0fd8 ipatests: test to renew certs on replica using ipa-cert-fix
This test checks if ipa-cert-fix renews the certs on replica
after cert renewal on master.

related: https://pagure.io/freeipa/issue/7885

ipatests: refactor expire_cert_critical fixture

Defined method to move the date and refactor
expire_cert_critical fixture using it

ipatests: PEP8 fixes

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-04-22 09:22:46 +02:00
Florence Blanc-Renaud
f45a79a783 xmlrpc tests: add test for idrange auto-private-groups option
Scenarii:
- idrange-add prevents --auto-private-groups with a local id range
- idrange-mod prevents --auto-private-groups with a local id range
- auto-private-groups accepts only true/false/hybrid/empty values

Related: https://pagure.io/freeipa/issue/8807
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-04-19 17:14:23 +02:00
Michal Polovka
a0d11517f8
WebUI: test_user: test if user is enabled by default
Test checks if the user is enabled, able to reset their password and
authentication types in both CA and CA-less environment.

Related: https://pagure.io/freeipa/issue/8203

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2021-04-16 18:25:57 +02:00
Florence Blanc-Renaud
058a9c01c7 ipatests: check that the output of sudo -V is not displayed
During client installation, the installer calls sudo -V
to check if sudo command is installed. The output must not
be displayed in stdout.

Related: https://pagure.io/freeipa/issue/8767
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-04-15 15:41:39 +02:00
Florence Blanc-Renaud
56639861a9 ipatests: call server-del before replica uninstall
The test test_replica_promotion.py::TestRenewalMaster::
test_automatic_renewal_master_transfer_ondelete is calling
ipa-server-install --uninstall directly without performing first
ipa server-del. This can lead to incomplete uninstallation and
test failures.
Call tasks.uninstall_replica instead of tasks.uninstall_master.
This is equivalent to ipa-replica-manage del + uninstall
(ipa-replica-manage del works in DL0 and DL1 and internally calls
ipa server-del in DL1).

Fixes: https://pagure.io/freeipa/issue/8792
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-04-06 17:02:11 -04:00
Florence Blanc-Renaud
e8e456e3f6 ipatests: TestIpaHealthCheck now needs 1 client
The test TestIpaHealthCheck has been updated with commit
e86ff48 and now needs 1 master, 1 replica and 1 client
in order to execute.
Update the nightly definitions accordingly.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-04-06 15:30:36 +02:00
François Cami
7eb50d4e6e ipatests: mark test_ipahealthcheck_hidden_replica as expected failure
test_ipahealthcheck_hidden_replica fails due to:
https://pagure.io/freeipa/issue/8582
Mark it as expected failure.

Related: https://pagure.io/freeipa/issue/8534
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2021-04-01 18:21:55 +02:00
François Cami
4c7f148c50 ipatests: hidden replica: misc fixes
Rename a test and split a test in two.

Related: https://pagure.io/freeipa/issue/8534
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2021-04-01 18:21:55 +02:00
François Cami
b9b7175dbd ipatests: hidden replica: use dns_update_system_records
Use dns_update_system_records after restoring the replica
to force-update the DNS records.

Related: https://pagure.io/freeipa/issue/8534
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2021-04-01 18:21:55 +02:00
François Cami
acf31d043f ipatests: use wait_for_replication for hidden replica checks
Previously, hidden replica checks were run without waiting for replication
to complete, potentially leading to unstable behavior.
Use wait_for_replication.

Fixes: https://pagure.io/freeipa/issue/8534
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2021-04-01 18:21:55 +02:00
François Cami
d5ee7528b2 ipatests: hiddenreplica: use wait_for_ipa_to_start after restore
Use wait_for_ipa_to_start to wait until the restored replica is online.

Related: https://pagure.io/freeipa/issue/8534
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2021-04-01 18:21:55 +02:00
François Cami
d02ec40901 ipatests: tasks.py: add dns_update_system_records
Add a frontend to "ipa dns-update-system-records" to tasks.py.

Related: https://pagure.io/freeipa/issue/8534
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2021-04-01 18:21:55 +02:00
François Cami
ef752bf208 ipatests: tasks.py: add wait_for_ipa_to_start
wait_for_ipa_to_start(host) waits for ipactl to return RUNNING for all
IPA services on the specified host.

Related: https://pagure.io/freeipa/issue/8534
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2021-04-01 18:21:55 +02:00
Sudhir Menon
e86ff48b49 ipatests: Test to check ipa-healthcheck tool displays warning when run on ipa-client
The testcase checks that when ipa-healthcheck tool is run
on ipa-client it will display warning message "IPA is not configured"

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-04-01 08:42:58 +02:00
Florence Blanc-Renaud
d832736f5a ipatests: collect PKI config files and NSSDB
To ease debugging, also collect:
- /etc/pki/pki-tomcat/server.xml
- /etc/pki/pki-tomcat/ca/CS.cfg
- /etc/pki/pki-tomcat/kra/CS.cfg
- /etc/pki/pki-tomcat/alias
- /etc/pki/pki-tomcat/alias/pwdfile.txt

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-04-01 08:35:23 +02:00
Stanislav Levin
68a5fe8223 ipatests: Skip test_jsplugins in server less environments
This test assumes that IPA server is installed and configured.
But test_jsplugins is the subtask of fasttest which is designed
(unittest) to be run in server less environment.

Note: `needs_ipaapi` is not completely suitable because there is
no direct IPA API usage. `xmlrpc_setup` fixture is also not
suitable because it assumes XMLRPC.

Fixes: https://pagure.io/freeipa/issue/8781
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-03-30 13:16:36 +03:00
Stanislav Levin
7855c77f93 Azure: Run Lint task as separate job
Lint task uses PyPI to get the latest Pylint, which may pull in
any other packages as dependencies. For distro isolation the Lint
job should not produce any meaningful artifacts or they should not
be used in subsequent jobs. So, this job have to be isolated from
the others.

Fixes: https://pagure.io/freeipa/issue/8772
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-03-30 09:58:42 +02:00
Stanislav Levin
91e7452393 pylint: Fix several warnings
Fixes Pylint warnings:
- R1729(use-a-generator)
- R1710(inconsistent-return-statements)
- R1727(condition-evals-to-constant)

Fixes: https://pagure.io/freeipa/issue/8772
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-03-30 09:58:42 +02:00
Stanislav Levin
056c51161c Azure: Don't install pypi's docker
Ubuntu 20.04's docker meets the requirement(4+).

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-03-30 09:58:42 +02:00
Stanislav Levin
72adb3279a Azure: Disable AppArmor profile for chrony
The security option 'apparmor:unconfined' tells Docker to not
apply AppArmor profiles for containers at all. This will not
replace or remove any existing profile. For example, this happens
on Ubuntu 20.04 which switched to chrony and brings its AppArmor
profile. Container's chronyd get blocked by AppArmor:

fv-az26-252 audit[11304]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/chronyd" pid=11304 comm="chronyd" capability=2  capname="dac_read_search"
fv-az26-252 audit[11304]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/chronyd" pid=11304 comm="chronyd" capability=1  capname="dac_override"

So, any of AppArmor profiles can block container's processes by
matching executable name. There are two ways:
1) prepare custom AppArmor unconfined profile, load it on Host and
    reference it in container's configuration. This requires the
    knowledge of profile syntax at least, not to difficult, but
    potentially hard to maintain.
2) disable conflicting profile on Host;

Azure will warn about AVC in either case.
The second one was chosen as more simple.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-03-30 09:58:42 +02:00
Stanislav Levin
5daa41fc55 Azure: Warn about Host's AVC and SECCOMP
Azure's VM distro is Ubuntu, which has enabled AppArmor.
This security module sometimes interferes with CI Docker containers,
but to be completely disabled it requires reboot(this is impossible,
at least for now). So, Azure will warn about AVC records in Host's
journal as a possible clue.

It will be equally important to be warned about SECCOMP records to
see possible blocked syscalls(requires SCMP_ACT_LOG as defaultAction in
seccomp profile).

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-03-30 09:58:42 +02:00
Stanislav Levin
45d2381037 Azure: Collect Host's systemd journal
The journal of Host is useful for AVC/SECCOMP analyzing.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-03-30 09:58:42 +02:00
Stanislav Levin
5afe13798e Azure: Run chronyd in Docker
The syncing time stuff is required by IPA NTP tests.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-03-30 09:58:42 +02:00
Stanislav Levin
908e8cf338 Azure: Template docs build
The distros may use different sphinx builder paths,
for example, by exporting of SPHINXBUILD env var.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-03-30 09:58:42 +02:00
Stanislav Levin
85c63fbe62 Azure: Show disk usage
Collect disk usage information may be helpful, for example, for
debugging code required free space such as healthcheck tests.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-03-30 09:58:42 +02:00
Stanislav Levin
3ac2cdfd43 Azure: Make it possible to pass additional Pytest args
Some tests require its specific Pytest args. With this change
they can be specified in tests definitions.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-03-30 09:58:42 +02:00
Florence Blanc-Renaud
ebf928571a ipatests: update expected message
The test TestIpaHealthCheck::test_ipahealthcheck_ds_riplugincheck
is expecting a specific message for the RIPluginCheck
but the message has been updated to fix
4656 - Remove problematic language from UI/CLI/lib389
("enable referint on all suppliers" instead of
"enable referint on all masters").

Shorten the expected msg so that it fits both situations.

Fixes: https://pagure.io/freeipa/issue/8779

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-03-30 07:39:47 +02:00
Sergey Orlov
947167d892 ipatests: log command spawned by pexpect
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-03-29 14:55:23 +03:00
Sergey Orlov
ae533e2998 ipatests: allocate pseudo-terminal only for specific command
While "ktutil" does require a pseudo-terminal on particular systems to
operate, majority of programs do not need it.
At the same time invoking `ssh` with forced pseudo-terminal allocation
interferes with sessions multiplexing feature and increases connection
time. The increase can be as large as 10 seconds in certain cases which
leads to unexpected EOFs of pexpect utility.

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-03-29 14:55:23 +03:00
Stanislav Levin
83e16a4e47 Azure: Run rpmlint on Fedora
Template the autoconf phase.

Fixes: https://pagure.io/freeipa/issue/8768
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-03-29 10:16:12 +03:00
Antonio Torres
8caac84146 ipatests: expect boolean type for nsaccountlock in user module
user-add now returns the `nsaccountlock` parameter as
a boolean instead of as a list of string, meaning tests
have to be adapted to expect the correct type.

Related: https://pagure.io/freeipa/issue/8743
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-03-29 10:11:56 +03:00
Antonio Torres
5984f14426 ipatests: add test for group creation with GID and nonposix option
Add test to ensure group creation fails when passing the --nonposix
option and a GID number at the same time. Failure shows a message
to warn the user that this is not allowed.

Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-03-29 10:09:22 +03:00
Antonio Torres
6cd544d38e ipatests: add test for multiple permitopen entries in SSH keys
Add test to ensure that IPA allows to introduce multiple
permitopen and permitlisten entries.

Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-03-29 10:06:07 +03:00
Rob Crittenden
8c93e2fb0b Increase timeout for TestIpaHealthCheck to 5400s
During development of a fix to workaround certmonger effectivly
hanging server uninstallation the test was re-worked to force
uninstall during the test execution itself.

https://pagure.io/freeipa/issue/8506

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-26 10:54:08 +01:00
Rob Crittenden
fb58b76a80 Uninstall without starting the CA in cert expiration test
Some certificates may have started renewal so returning to
present time can bind the server up with trying to renew.

certmonger fires off helpers when it's time to renew
certificates. This scenario puts the time within the renewal
window. If certmonger notices while the test is running it
will kick off renewal for all 12 certificates.

A lock is used to serialize things. The CA was shut down prior
to changing time so there is no chance of issuing new certs.

A fixture was used to ensure that things restarted when
the test was over. This was for chronyd and the CA. By restarting
the CA we allow the chance that it will be able to do some
work, versus returning a connection error and letting
certmonger just error out (CA_UNREACHABLE).

During uninstallation we call certmonger remove_request over
DBus (the equivalent to stop-tracking). As part of this
certmonger waits for any child (helper) processes to go away.
This used to do it via SIGKILL but that caused other problems
so it was changed to waitpid(). We know that it isn't going to
return for a while because the CA isn't up. DBus has a
hardcoded 25 second timeout. So we're guaranteed to get a
DBus timeout. We *could* try to play with it and change the
timeout, or retry a bunch of times, but it isn't worth the
hassle.

This is a contrived scenario that uninstalls immediately after
tweaking time forward. So rather than trying to make this
succesful, uninstall at the future time with the CA stopped
so that helpers won't be hanging around and certmonger can
remove the certs.

This is the last test so also the last time we need the replica
so to avoid replication bogging things down remove that prior
to executing the test. It's one less moving part during the
uninstall phase.

https://pagure.io/freeipa/issue/8506

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-26 10:54:08 +01:00
Mohammad Rizwan
34af8099e6 ipatests: Don't rely on certmonger's assigned request id
There are failure observed in test_rekey_keytype_DSA(test_cert.py)
It is due to the fact that there is no guarantee that the request id
will match the filename that certmonger assigns.

This fix assigns the request id with -I option to command (and make
use of existing fixture) and get the file name by grepping the
certmonger's directory with specified req id.

fixes: https://pagure.io/freeipa/issue/8725

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-25 15:46:54 +01:00
Rob Crittenden
7ee30aa092 ipatests: Test secure_ajp_connector works with multiple connectors
There may be both IPv4 and IPv6 AJP connectors. Test that both
are upgraded with the new tomcat attribute and the passwords are
kept in sync.

The Apache password will be updated if needed elsewhere in the
upgrade process.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-25 15:43:22 +01:00
Mohammad Rizwan
19da4a76d5 ipatests: Enable certbot test on rhel
With this change, certbot test will be running on rhel.
certbot is not avilable on rhel through repository.
Plan is to install certbot using pip/epel on rhel and increase the
test coverage on rhel

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
2021-03-23 15:57:51 +01:00
Armando Neto
c572697d98 ipatests: Bump PR-CI Rawhide template
Template based on Fedora 35.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-23 10:18:59 +01:00
Sergey Orlov
76dd9a97fd
ipatests: update prci definitions for test_http_kdc_proxy
the new tests require an AD instance

Reviewed-By: Anuja More <amore@redhat.com>
2021-03-18 13:41:49 +01:00
Sergey Orlov
40a686ca84
ipatests: add test for kdcproxy handling reply split to several TCP packets
This is a regression test for the bug in python-kdcproxy mentioned in
https://github.com/latchset/kdcproxy/pull/44
  When the reply from AD is split into several TCP packets the kdc
  proxy software cannot handle it and returns a false error message
  indicating it cannot contact the KDC server.

This could be observed as login failures of AD user on IPA clients
when:
* IPA client was configured to use kdcproxy to communicate with AD
* kdcproxy used TCP to communicate with AD
* response from AD to kdcproxy was split into several packets

This patch also refactors and improves existing tests:
* switch to using pytest fixtures for test setup and cleanup steps to make
  them isolated and reusable
* simulate a much more restricted network environment: instead of blocking
  single 88 port we now block all outgoing traffic except few essential
  ports
* add basic tests for using kdcproxy to communicate between IPA client
  and AD DC.

Reviewed-By: Anuja More <amore@redhat.com>
2021-03-18 13:41:49 +01:00
Sergey Orlov
38c897f946
ipatests: return result of kinit_as_user, pass raiseonerr parameter
Similar to kinit_admin, this allows to check for error values returned
by kinit.

Reviewed-By: Anuja More <amore@redhat.com>
2021-03-18 13:41:49 +01:00
Florence Blanc-Renaud
fb107b9180 ipatests: fix TestInstalDNSSECFirst::test_resolvconf logic
The test test_dnssec.py::TestInstallDNSSECFirst::test_resolvconf
checks that /etc/resolv.conf points to the localhost and
fails on fedora33 because systemd-resolved is in place
(and /etc/resolv.conf contains 127.0.0.53).
The test logic needs to be adapted. When systemd-resolved is
used, the test can check the output of "resolvectl dns".

Fixes: https://pagure.io/freeipa/issue/8695
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2021-03-17 16:28:19 +01:00
Florence Blanc-Renaud
a9b4ed4f52 ipatests: re-add test_dnssec.py::TestInstallDNSSECFirst in gating
The test was temporarily removed because of a known issue
but the issue is now fixed.

Related: https://pagure.io/freeipa/issue/8496
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2021-03-17 16:28:19 +01:00
Florence Blanc-Renaud
6d39ef7de6 ipatests: filter_users belongs to nss section
In the test test_sssd.py::TestSSSDWithAdTrust::test_is_user_filtered
the config file sssd.conf is modified with a parameter
filter_users written in the [domain/..] section but
the parameter should appear in [nss] section instead.

Fixes: https://pagure.io/freeipa/issue/8747

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-03-17 16:20:37 +01:00
Florence Blanc-Renaud
96a297f3b3 ipatests: add test_acme.py in nightly previous
The nightly_latest.yaml file is missing the test test_acme.py
Add the job definition.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-03-17 16:16:26 +01:00
Mohammad Rizwan
40aeec975a ipatests: introduce wait_for_replication in test_rolecheck_Trust
Test was randomly failing if the query for the server role is
executed before the replication had time to replicate the
changes on cn=adtrust agents,cn=sysaccounts,cn=etc,dc=ipa,dc=test,
as the server role is read using this entry.

related: https://pagure.io/freeipa/issue/8553

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-17 09:04:30 +01:00
François Cami
1ef54f2b8f ipatests: check for the "no sudo present" string absence
When sudo is installed, no warning should be output about sudo not
being available (obviously). Check that the relevant string is
not present.

Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2021-03-16 08:44:03 -04:00
Sergey Orlov
886506f89f
ipatests: use proper template for TestMaskInstall
TestMaskInstall is a usual integration tests and should
install freeipa server during test run.
"ipaserver" template provides pre-install freeipa server and
is intended for use with webui and xmlrpc tests.

Reviewed-By: Francois Cami <fcami@redhat.com>
2021-03-09 19:41:10 +01:00
Armando Neto
a6b4871304
ipatests: Update gating to Fedora 33
* Update template images to include updated packages
* Bump rawhide to use branched F34 template

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2021-03-09 12:46:21 +01:00
Stanislav Levin
2c4a160fc2 ipatests: Fix expectation about GSS error in test for healthcheck
As of 1.19.1 MIT krb changed the error returned if no valid
credentials could be obtained(GSS_S_CRED_UNAVAIL->GSS_S_NO_CRED).
To be compatible with previous versions of krb the new expected
error message has been added.

Fixes: https://pagure.io/freeipa/issue/8737
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-03-05 10:41:48 +01:00
François Cami
87304c78a8 ipatests: fix nightly_latest_testing_selinux template
The TestInstallWithoutSudo entry referenced fedora-latest instead
of testing-fedora for its build dependency. Fix it.

Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-05 10:34:35 +01:00
Sudhir Menon
735355ad03 ipatests: Test to check sosreport collects healthcheck.log file
This test creates healthcheck.log file in /var/log/ipa/healthcheck/
directory if its not present and then checks that when sosreport command
is run it collects the healthcheck log file by checking the console log

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2021-03-05 08:45:18 +01:00
Sergey Orlov
881eea4efe
ipatests: do not configure nameserver when installing client and replica
When IPA master is installed without DNS, using it as nameserver creates
invalid configuration.

Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-04 18:47:32 +01:00
Sergey Orlov
4ad5ce7b58
ipatests: always try to create A records for hosts in IPA domain
Do not check that host is resolvable.
systemd-resolved creates synthetic records for hosts in /etc/hosts.
If test hosts are listed in /etc/hosts on controller, no A records will
be created.

Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-04 18:47:32 +01:00
Sergey Orlov
dc423661c8
ipatests: mock resolver factory
test_testconfig is using hardcoded hostnames which do not match ones
provided in real test config. This causes resolver factory to fail
when trying to detect resolver type of the host.

Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-04 18:47:32 +01:00
Sergey Orlov
1853695d22
ipatests: disable systemd-resolved cache
systemd-resolved enables positive and negative cache by default which
affects test scenarios where dns records are being created and deleted and
then verified using any tools that utilize default system resolver
(i.e. `dig` or `curl`).

Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-04 18:47:32 +01:00
Sergey Orlov
01f455f424
ipatests: do not manually modify /etc/resolv.conf in tests
Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-04 18:47:32 +01:00
Sergey Orlov
cd066ba887
ipatests: setup resolvers during replica and client installations
Set IPA master as nameserver on replica and client machines during default
installation. This will help to avoid manual configuration in test cases
which require members of IPA domain to be resolvable.

Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-04 18:47:32 +01:00
Sergey Orlov
2e92d0836d
ipatests: add utility for managing domain name resolvers
Many test scenarios need to configure resolvers on test machines. Most
notable patterns are:

* using IPA master as DNS resolver on clients and replicas
* intentionally breaking name resolution

Now it is done by directly editing /etc/resolv.conf file. While being
simple this approach has following issues:

* NetworkManager restores this file periodically and on specific events
* This is not how users are expected to manage resolvers on modern
  systems with NetworkManager and systemd-resolved.

This patch introduces three classes for main types of resolvers management:
* plain file
* NetworkManager
* systemd-resolved

For each resolver manager the native way of configuring of nameserves is
used: direct editing for /etc/resolv.conf or drop-in config files for
NM and resolved.

The type of resolver is automatically detected for each host and an
appropriate instance is added to Host object.

The Resolver class (and it's subclasses) provide convenience functions
for changing nameservers and restoring the original config.
During all operations (backup, modify, restore) it checks that resolver
configuration has not been altered unexpectedly and raises exception if it
was. This helps to detect unexpected changes in resolvers.

Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-04 18:47:32 +01:00
Sergey Orlov
fe3c6657ec
ipatests: collect config files for NetworkManager and systemd-resolved
Those config files are valuable for debugging issues relate to DNS
resolvers.

Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-04 18:47:32 +01:00
Stanislav Levin
271fd162a7 ccache_sweeper: Add gssproxy service
The usage of the existing gssproxy service(`service/ipa-api`) leads
to undesirable for this case side effects such as auto renew of
expired credentials.

Fixes: https://pagure.io/freeipa/issue/8735
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-03-04 14:17:01 +02:00
Florence Blanc-Renaud
5cd3944bb2 ipatests: use whole date when calling journalctl --since
The test test_commands.py::TestIPACommand::test_ssh_key_connection
is checking the content of the journal using journalctl --since ...
but provides only the time, not the whole date with year-month-day.
As a consequence, if the test is executed around midnight it may
find nothing in the journal because it's looking for logs after 11:50PM,
which is a date in the future.

The fix provides a complete date with year-month-day hours:min:sec.

Fixes: https://pagure.io/freeipa/issue/8728
Reviewed-By: Francois Cami <fcami@redhat.com>
2021-03-02 11:47:09 +01:00
Sergey Orlov
0b60408dab
ipatests: test Samba mount with NTLM authentication
Related to https://pagure.io/freeipa/issue/8636

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-03-01 12:55:58 +01:00
Antonio Torres
4fc1e15c7c ipatests: check that zonemgr is set correctly during server install
Add test to check that zonemgr is correctly
set when installing IPA server.

Related: https://pagure.io/freeipa/issue/8718
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-02-25 20:24:55 +01:00
Mohammad Rizwan
1197e2ef85 ipatests: update nightly definition for ipa_cert_fix suite
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
2021-02-23 13:25:26 +01:00
Mohammad Rizwan
0904bb2387 ipatests: Test if ipa-cert-fix renews expired certs with kra installed
This test check if ipa-cert-fix renews certs with kra
certificate installed.

related: https://pagure.io/freeipa/issue/7885

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
2021-02-23 13:25:26 +01:00
Mohammad Rizwan
f7ef6d5ab7 Move fixture outside the class and add setup_kra capability
Moved fixture to use across multiple classes. Added capability
to install the KRA to the fixture

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
2021-02-23 13:25:26 +01:00
Mohammad Rizwan
f49c7dafc4 ipatests: Test if ipa-cert-fix renews expired certs
Test moves system date to expire certs. Then calls ipa-cert-fix
to renew them. This certs include subsystem, audit-signing,
OCSP signing, Dogtag HTTPS, IPA RA agent, LDAP and KDC certs.

related: https://pagure.io/freeipa/issue/7885

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
2021-02-23 13:25:26 +01:00
Sergey Orlov
4d87982b07
ipatests: skip tests for AD trust with shared secret in FIPS mode
Related to https://pagure.io/freeipa/issue/8715

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-19 13:31:28 +01:00
Kaleemullah Siddiqui
5e49910bcf ipatests: error message check in uninstall log for KRA
This test checks that there is no error message in uninstall
log for KRA instance when IPA was installed with KRA.

related: https://pagure.io/freeipa/issue/8550

Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-02-18 16:44:29 +01:00
Rob Crittenden
be4195cfaf ipatests: test third-party 389-ds cert with ipa-cert-fix
ipa-cert-fix was hardcoded to use Server-Cert as the nickname
so would fail if a third-party certificate was installed for DS.

https://pagure.io/freeipa/issue/8600

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-02-18 16:41:03 +01:00
Florence Blanc-Renaud
137b39cf93 ipatests: update expected error message
With commit ec6698f , the error message has changed from
  Unable to communicate with CMS (503)
to
  Request failed with status 503: Non-2xx response from CA REST API: 503.  (503)

Related: https://pagure.io/freeipa/issue/8704
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-15 15:22:19 +02:00
Armando Neto
7d691f07d6 ipatests: Update PR-CI templates
Update "previous" and "latest" templates with updated dependencies.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-15 10:04:23 +02:00
Antonio Torres
89135830cc ipatests: test addition of invalid sudo command
Check that sudocmd-add fails when trying to add
a command containing a trailing dot.

Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-15 09:59:41 +02:00
Stanislav Levin
596bb320be ipatests: Handle AAAA records in test_ipa_dns_systemrecords_check
This test assumes that the current environment has only IPv4, but
for example, Azure Pipelines provides both IPv4 and IPv6.

Fixes: https://pagure.io/freeipa/issue/8683
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-15 09:54:51 +02:00
Stanislav Levin
3e33e546c3 Azure: Populate containers with self-AAAA records
IPA server's AAAA records at embedded DNS mode depend on result of
`get_server_ip_address` function(`ipaserver.install.installutils`),
which in turn, relies on NSS.

In case of Azure Pipelines, there are neither IPv6 records in
'/etc/hosts' nor external DNS, which may provide such. This leads to
the missing AAAA records for master and missing AAAA records for `ipa-ca`
pointing to master in embedded DNS.

In particular, tests `test_ipa_healthcheck_no_errors`,
`test_ipa_dns_systemrecords_check` fail with:
```
[
  {
    "source": "ipahealthcheck.ipa.idns",
    "check": "IPADNSSystemRecordsCheck",
    "result": "WARNING",
    "uuid": "b979a88a-6373-4990-bc83-ce724e9730b4",
    "when": "20210120055054Z",
    "duration": "0.032740",
    "kw": {
      "msg": "Got {count} ipa-ca AAAA records, expected {expected}",
      "count": 1,
      "expected": 2
    }
  }
]
```
where `ipa-ca` record exists only for replica.

Note: since the most of the code in setup_containers was touched it has
been reformatted.

Fixes: https://pagure.io/freeipa/issue/8683
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-15 09:54:51 +02:00
Antonio Torres
8a2e6ec320 ipatests: add test for ipa-cacert-manage prune
Add test for prune option of ipa-cacert-manage.
After a certificate is installed, a jump in time
is performed to a date where the certificate is expired,
and then it is pruned.

Related: https://pagure.io/freeipa/issue/7404
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-02-12 14:08:11 -05:00
Florence Blanc-Renaud
4672d61cee xmlrpc tests: add a test for cert-remove-hold
Add tests for the ipa cert-remove-hold command.
Scenario 1:
add host entry, request cert, revoke cert with "hold" reason, remove hold

Scenario 2:
call ipa cert-move-hold with a non-existent cert ID and ensure that
the exception mentions 'Certificate ID .. not found'

Related: https://pagure.io/freeipa/issue/8704
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-12 17:49:02 +01:00
Alexander Bokovoy
46b0746fe9 test_installutils: run gpg-agent under a specific SELinux context
system_u:system_r:init_t:s0 cannot execute gpg=agent when SELinux is in
enforcing mode. Use SELinux context that allows this execution:
system_u:system_r:initrc_t:s0 and wrap the whole execution into a bash
run to make sure init_t -> initrc_t transition.

Fixes: https://pagure.io/freeipa/issue/8699
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-02-11 09:09:46 +01:00
Florence Blanc-Renaud
610d542c0e ipatests: ipactl status now exits with 3 when a service is stopped
Some tests are individually stopping a service and call
ipactl status to ensure it is stopped. They need to use
run_command with raiseonerr=False as ipactl status now
exits with 3 when one of the IPA services is down
(since commit 928ab51).

Related: https://pagure.io/freeipa/issue/8588
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2021-02-08 09:55:01 +01:00
Florence Blanc-Renaud
27ae8a93f5 ipatests: fix ipahealthcheck fixture _modify_permission
The test is storing the initial file permissions obtained with 'stat',
then modifies them, calls ipa-healthcheck and reverts the permissions
to the original value.

When the file is a symlink, stat returns the permissions of the link,
not of the pointed-to file. But chmod modifies the permissions of the
pointed-to file, not of the link.
As a consequence, the fixture does not properly restore the original
file permissions.

The fix consists in calling 'stat -L' because the command follows
links.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-02-05 15:39:07 +01:00
François Cami
82216bfa3d ipatests: add TestInstallWithoutSudo
Test IPA servers and clients behavior when sudo is not installed.

Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2021-02-04 14:28:45 +01:00
François Cami
ed8a9e4e6a ipatests: tasks: handle uninstalling packages with nodeps
Handle package removal without taking dependencies into account.
E.g. add frontends for rpm -e --nodeps.

Related: ipatests/pytest_ipa/integration/tasks.py
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2021-02-04 14:28:45 +01:00
Florence Blanc-Renaud
7902c78496 ipatests: add a test for ZSK/KSK keytype in DNSKEY record
When DNS is enabled for a zone, 2 DNSKEYs should be created:
one KSK and one ZSK.
Add a test ensuring that they can be queried on the master and
the replica.

Related: https://pagure.io/freeipa/issue/8647
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-02-04 14:20:59 +01:00
Michal Polovka
d0269f2367
test_webui: test_hostgroup: Wait for modal dialog to appear
Modal dialog transition is currently set to 300ms, we have to wait
for it to appear in order to interact with it. Double that time is a
safe value.

Resolves: https://pagure.io/freeipa/issue/8684

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2021-02-04 13:23:19 +01:00
Rob Crittenden
8082a2d9eb ipatests: Handle non-zero return code in test_ipactl_scenario_check
https://pagure.io/freeipa/issue/8550

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-02-04 01:29:53 +01:00
Sergey Orlov
caeed7e2d1 ipatests: use pexpect to control inetractive session of ipa-adtrust-install
During interactive session of `ipa-adtrust-install` the user needs to
answer several questions. This was done by sending all answers to
the processes stdin without analyzing the questions.

If the installation scenario changes at some point we can get on of the
following results:
* the test fails in the end and the root cause is not obvious
* if a new question was added
* test does not fail but answers are provided for wrong questions -
  in this case scope of test case changes without being noticed

If we use `pexpect` for controlling the session, the test will fail
immediately when it encounters unexpected question.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-03 09:06:12 +02:00
Sergey Orlov
1b25270686 ipatests: use pexpect to invoke ktutil
`ktutil` is a REPL-style utility that can be controlled only interactively.
The common approach of sending commands to stdin does not work with it on
systems where `readline` library has version less then 8.0 due to a bug
in that version.
With `pexpect` we avoid this bug because it emulates the terminal
when interacting with spawned process instead of simply sending all input
to stdin.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-03 09:06:12 +02:00
Sergey Orlov
7363c4b203 ipatests: add a tests-oriented wrapper for pexpect module
The pexpect module can be used for controlling and testing interactive
command-line programs. The wrapper adds testing-oriented features like
logging and automatic process termination and default check for process
exit status.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-03 09:06:12 +02:00