Commit Graph

2710 Commits

Author SHA1 Message Date
Sudhir Menon
bf4c51266c
ipatests: WebUI: do not allow subid range deletion
This testcase checks that subid added by user admin
cannot be deleted.

Related: https://pagure.io/freeipa/issue/9150

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2022-08-03 09:33:42 +02:00
David Pascual
8297b74974 ipatest: fix prci checker target masked return code & add pylint
In the yamllint target of makefile, prci_checker result was being masked by echo statement.
Aditionally, prci_checker script has been added to the list of Python sources to be Pylinted.

Addressing comments of recently merged PR:
https://github.com/freeipa/freeipa/pull/6301#discussion_r923163970
https://github.com/freeipa/freeipa/pull/6301#issuecomment-1187037261

Signed-off-by: David Pascual <davherna@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2022-08-01 09:34:42 -04:00
Sudhir Menon
e3e7c98ac5 ipatests: ipa-client-install --subid adds entry in nsswitch.conf
This testcase checks that when ipa-client-install command
is run with --subid option, /etc/nsswitch.conf file is updated
with the below entry

subid: nss
Related: https://pagure.io/freeipa/issue/9159

Since the newly added testsuite required client
system, hence modified the below yaml files to change the topology
from *master_1repl to *master_1repl_1client in the below files

gating.yaml
nightly_latest.yaml
nightly_latest_selinux.yaml
nightly_latest_testing.yaml
nightly_previous.yaml
nightly_rawhide.yaml

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-08-01 09:28:30 -04:00
Rob Crittenden
4105fee2cf Disabling gracelimit does not prevent LDAP binds
Originally the code treated 0 as disabled. This was
changed during the review process to -1 but one remnant
was missed effetively allowing gracelimit 0 to also mean
disabled.

Add explicit tests for testing with gracelimit = 0 and
gracelimit = -1.

Also remove some extranous "str(self.master.domain.basedn)"
lines from some of the tests.

Fixes: https://pagure.io/freeipa/issue/9206

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2022-08-01 09:24:40 -04:00
Erik
fc5de8216d
ipatests: healthcheck: test if system is FIPS enabled
Test if FIPS is enabled and the check exists.

Related: https://pagure.io/freeipa/issue/8951

Signed-off-by: Erik Belko <ebelko@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-07-27 13:34:07 +02:00
Stanislav Levin
8542fd3012 ap: Rearrange overloaded jobs
With some recent changes the Azure Agent has decreased performance.
For example, `InstallDNSSECFirst_1_to_5` (5 subjobs) job took ~33min
and now it takes ~40min. In the same time there are jobs having only
1 or 2 subjobs and they should be used more.

Fixes: https://pagure.io/freeipa/issue/9207
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-07-26 12:36:41 -04:00
Stanislav Levin
dd094e3889 ap: Disable azure's security daemon
This daemon run clamav which is resource aggressive.
No point to run Windows virus scanner on Ubuntu in Linux-only
environment.

Fixes: https://pagure.io/freeipa/issue/9207
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-07-26 12:36:41 -04:00
Stanislav Levin
0e8bde3175 ap: Raise dbus timeout
With some recent changes on Azure Agent the default DBus call
timeout is not good enough. For example, in case of
`InstallDNSSECFirst_1_to_5` job hostnamectl received reply in ~20sec,
but later it increased to ~30sec (more subjobs - more time to reply).
It's good to raise this timeout to be more protected against minimum
performance times.

https://www.freedesktop.org/software/systemd/man/sd_bus_set_method_call_timeout.html#Description

Fixes: https://pagure.io/freeipa/issue/9207
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-07-26 12:36:41 -04:00
David Pascual
3237ade3d2 ipatests: Checker script for prci definitions
This script allows developers to check if prci definition jobs have the correct format,
which is defined in prci_jobs_spec.yaml
Useful when adding new jobs to the definitions.

Signed-off-by: David Pascual <davherna@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2022-07-15 17:09:17 +02:00
Rob Crittenden
dc73813b8a Warn for permissions with read/write/search/compare and no attrs
An ACI with rights of read, write, search and/or compare without
attributes to apply the rights to is effectively a no-op. Allow
the ACI to be created but include a warning. Ignore the add
and delete rights. While they make no sense in the context of
the other rights we should still warn that they are a no-op
with no attributes.

Use the existing make_aci() object method to create the
message and update the add/mod callers to capture and add the
message to the result if one is provided.

When updating an existing ACI the effective attributes will
not be included so fall back to the attributes in the resulting
permission.

Prior to checking for rights and attributes convert any deprecated
names for older clients into the newer values needed by make_aci

This is exercised by existing xmlrpc permission tests that
create such permissions without attributes.

https://pagure.io/freeipa/issue/9188

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-07-15 16:59:15 +02:00
Armando Neto
436c9d85ee
webui: Do not allow empty pagination size
Pagination size must be required, the current validators are triggered after
form is submitted, thus the only way for check if data is not empty is by making
the field required.

Fixes: https://pagure.io/freeipa/issue/9192

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-07-12 11:38:17 -03:00
Florence Blanc-Renaud
e8d34361c7 ipatests: fix SSSD nightly definition
The nightly test test_external_idp requires a topology
with 2 replicas. Fix the definition in nightly_latest_sssd.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-07-12 10:15:21 +02:00
Iker Pedrosa
03e9139504 ipatests: definitions for SSSD COPR nightly
Defined the tests that will be executed for SSSD's COPR nightly.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-07-05 09:46:17 +02:00
Sumedh Sidhaye
2e11247cde Added a check while removing 'cert_dir'. The teardown method is called even if all the tests are skipped since the required PKI version is not present. The teardown is trying to remove a non-existent directory.
Currently the cert_dir attribute is only present if IPA installation was
done. If IPA was not installed the attribute does not exist.
In order that the uninstall code finds the attribute a class attribute
is added.

Pagure Issue: https://pagure.io/freeipa/issue/9179

Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-07-02 18:34:16 +02:00
Armando Neto
52782b55f5
ipatests: update rawhide template
Python packages updated to include latest `pytest-html`.

Issue: https://github.com/freeipa/freeipa-pr-ci/issues/467

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-06-29 21:24:04 -03:00
Rob Crittenden
9a97f9b40c Fix test_secure_ajp_connector.py failing with Python 3.6.8
Some of the test data are not expected to cause a rewrite in
the upgrade code. Those that do will set the rewrite flag.

In that case there is a new server.xml to be read. This is
handled with mock_open(). The contents can be retrieved via
mocked_file().write.call_args but the repr() of it is:

call(b'<Server port="1234" shutdown="SHUTDOWN">\n  ...')

In at least Python 3.10 one can use write.call_args.args to get
just the raw data. This does not work with Python 3.6.8 and
returns the string 'args' instead results in a TypeError.

TypeError: a bytes-like object is required, not 'str'

Instead drop the args and use the data directly.

For the case of x = mocked_file().write.call_args:

   x[0] is a tuple with the first element being the data
   x[0][0] is the raw data

So use x[0][0] to get at the data instead of x.args[0]

Fixes: https://pagure.io/freeipa/issue/9190

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-06-23 17:46:57 -04:00
Anuja More
ef091c99f8 ipatests: Fix install_master for test_idp.py
For install_master added --no-dnssec-validation.

Fixes: https://pagure.io/freeipa/issue/9189

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-06-23 13:04:05 -04:00
Michal Polovka
d3c11f7627 ipatests: Healthcheck use subject base from IPA not REALM
Test if healthcheck uses cert subject base from IPA and not from
REALM. This prevents false-positive errors when the subject base is
customized.

Related: https://github.com/freeipa/freeipa-healthcheck/issues/253

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-06-23 13:01:36 -04:00
Anuja More
bd57ff3566 Add end to end integration tests for external IdP
Added tests for HBAC and SUDO rule and other
test scenarios.

Related : https://pagure.io/freeipa/issue/8805
Related: https://pagure.io/freeipa/issue/8803
Related: https://pagure.io/freeipa/issue/8804

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-06-22 20:57:22 +02:00
Anuja More
a80a981948 ipatests: update prci definitions for test_idp.py
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-06-22 20:57:22 +02:00
Florence Blanc-Renaud
3732349bc2 xmlrpc tests: updated expected output for preserved user
Update the expected summary for the command
ipa user-del --preserve

The command now displays: Preserved user: user1
instead of                Deleted user: user1

Related: https://pagure.io/freeipa/issue/9187

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-06-22 20:53:29 +02:00
Armando Neto
b3085b8302
ipatests: update prci template
New box contains the fixed mock configuration needed when
`enable_testing_repo` is True.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-06-20 09:09:37 -03:00
Michal Polovka
40b3c11bd0
ipatests: Increase expect timeout for interactive mode
Increase the default timeout for expect function when testing
interactive mode to mitigate an issue when the tests are failing
on the slow systems.

Fixes: https://pagure.io/freeipa/issue/9183

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2022-06-17 12:18:42 +02:00
Michal Polovka
b2bbf81659
ipatests: Healthcheck should ignore pki errors when CA is not configured
Test if ipa-healthcheck complains about pki.server.healthcheck errors
when CA is not configured on the replica.

Related: https://github.com/freeipa/freeipa-healthcheck/issues/201

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-06-16 10:47:37 +02:00
Michal Polovka
e46dd73a9a
ipatests: xfail for test_ipahealthcheck_hidden_replica to respect pki version
Change xfail for test_replica_promotion.py/TestHiddenReplicaPromotion/test_ipahealthcheck_hidden_replica
to respect platform and pki version as the related issue is fixed.

Implement tasks/get_platform_version which returns a platform version
number(s) of a provided host in a form of a tuple.

Related: https://pagure.io/freeipa/issue/8582

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-06-15 10:03:00 +02:00
Rob Crittenden
7572174175 Remove extraneous AJP secret from server.xml on upgrades
PKI 10.10 unconditionally added an upgrade script for the AJP
connector which replaced the AJP secret regardless of tomcat
version.  It replaced requiredSecret with secret. IPA expects
the attribute by version so this could make the secrets out of
date and/or have connectors with both secrets and different
values.

PKI commit e70373ab131aba810f318c1d917896392b49ff4b has since
been reverted but there may be servers with both secrets still.
On next IPA upgrade clean them up.

Also allow re-writing ipa-pki-proxy.conf in case the secret
changes to ensure they remain in sync.

Fixes: https://pagure.io/freeipa/issue/9176

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-06-14 15:54:50 +03:00
Armando Neto
93a06d8295 ipatests: bump pr-ci templates
Packages updated to include `freeipa-healthcheck-0.11-2`.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-06-13 12:56:04 +02:00
Florence Blanc-Renaud
8f785482df ipatests: update expected output for boolean attribute
Now that IPA API properly maps LDAP boolean attributes to the
python bool type, they are displayed as True/False instead
of TRUE/FALSE in the ipa *-show outputs.

Update the expected output for DNS Active Zone.

Related: https://pagure.io/freeipa/issue/9171
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-06-13 09:07:38 +02:00
Sudhir Menon
aa1105b64d ipatests: ipahealthcheck tests to check change in permission of ipaserver log files
This testscase checks that when permission of
ipaserver-upgrade.log
file is changed healtcheck tool reports the correct warning message.

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-06-10 12:16:55 +02:00
Florence Blanc-Renaud
d5e4e572ff ipatest: update expected out for ipa-healthcheck's DogtagCertsConnectivityCheck
Pre ipa-healthcheck 0.11, failures detected by DogtagCertsConnectivityCheck
were reported as:
"msg": "Request for certificate failed, <error>"
but the output is now the following:
"msg": "Request for certificate failed: {error}"
"error": <error>

Update the expected output to be compatible with both versions.

Fixes: https://pagure.io/freeipa/issue/9175
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-06-10 09:30:38 +02:00
Alexander Bokovoy
6c5f2bcb30 ipaldap: fix conversion from boolean OID to Python
In IPA framework we don't properly convert to Python bool type and just
return a string (TRUE or FALSE). This can be seen with many boolean
attributes, like

        Bool('idnsallowdynupdate?',
            cli_name='dynamic_update',
            label=_('Dynamic update'),
            doc=_('Allow dynamic updates.'),
            attribute=True,
            default=False,
            autofill=True
        ),

in 'ipa dnszone-show':

> > > api.Command.dnszone_show('ipa.test')['result']['idnsallowdynupdate']
['TRUE']

This is because we don't have the reverse (from LDAP to Python) mapping
for the LDAP boolean OID 1.3.6.1.4.1.1466.115.121.1.7.

When Web UI asks for the entry, it gets back JSON output that contains
this 'TRUE' value:

            "idnsallowdynupdate": [
                "TRUE"
            ],

Add proper mapping from LDAP to Python bool type. With this, a simple
'checkbox' type can be used in Web UI instead of a complex radio-box
setup.

Note that when IPA API is asked to return raw values, 'TRUE' and 'FALSE'
still returned. These are the actual LDAP boolean attribute values. Care
needs to be done in tests:

 - if output is from a command with --raw option, 'TRUE' or 'FALSE'
   should be expected

 - if output if from a normal (non-raw) command, True or False would be
   returned

Fixes: https://pagure.io/freeipa/issue/9171

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-06-10 09:25:27 +02:00
Rob Crittenden
d241d7405f Add tests for Random Serial Number v3 support
Extend existing tests and enabled random serial numbers
during installation. A subset of tests was identified that
exercise the code sufficiently to ensure proper operation.

Update the xml-rpc test to allow the new RSN version number
attribute.

Update some certificate tests where a specifc serial number
is expected.

Fixes: https://pagure.io/freeipa/issue/2016

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-06-09 08:35:15 +02:00
Rob Crittenden
83be923ac5 Add a new parameter type, SerialNumber, as a subclass of Str
Transmitting a big integer like a random serial number over
either xmlrpc or JSON is problematic because they only support
32-bit integers at best. A random serial number can be as big
as 128 bits (theoretically 160 but dogtag limits it).

Treat as a string instead. Internally the value can be treated
as an Integer to conversions to/from hex as needed but for
transmission purposes handle it as a string.

Fixes: https://pagure.io/freeipa/issue/2016

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-06-09 08:35:15 +02:00
Rob Crittenden
aedb73a90d Don't duplicate the LDAP gracelimit set in the previous test
Remove a duplicated policy change which sets the gracelimit
to 3.

We don't typically run tests individually but as a whole. If
we ever need to call this one test directly we can ignore
failures.

Fixes: https://pagure.io/freeipa/issue/9167

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-06-03 09:57:52 +02:00
Rob Crittenden
773d3cb45d Configure and enable the graceperiod plugin on upgrades
The graceperiod plugin was only being enabled on new
installations. Enable also on upgrade.

Loading a new plugin requires a restart. Do so if a
new one is configured.

Fixes: https://pagure.io/freeipa/issue/1539

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-06-02 15:24:22 -04:00
Rob Crittenden
e9d0208cac healthcheck: add tests for setting cli options in config file
Fixes: https://pagure.io/freeipa/issue/9136

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-06-02 11:12:18 +02:00
Michal Polovka
94dd9ef1d6
ipatests: tasks: add ipactl start, stop and restart
Include functions to manage IdM service using ipactl, in particular
starting, stopping and restarting the service.

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-06-02 10:04:37 +02:00
Michal Polovka
ce50d2255f
ipatests: RFE: Improve ipa-replica-install error message
Test for RFE: Improve error message with more detail for
ipa-replica-install command. If the replication agreement already
exists, check if the error message contains
a particular command needed to delete it.

Related: https://pagure.io/freeipa/issue/9162

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-06-02 10:04:37 +02:00
Michal Polovka
c18caaa7aa
ipatests: test_subids: test subid-match shows UID of the owner
ipa subid-match should show UID of the owner instead of DN.

Related: https://pagure.io/freeipa/issue/8977

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
2022-06-01 13:53:23 +02:00
Rob Crittenden
f347c3f230 Implement LDAP bind grace period 389-ds plugin
Add support for bind grace limiting per
https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-06

389-ds provides for alternative naming than the draft, using those
instead: passwordGraceUserTime for pwdGraceUserTime and
passwordGraceLimit for pwdGraceLoginLimit.

passwordGraceLimit is a policy variable that an administrator
sets to determine the maximum number of LDAP binds allowed when
a password is marked as expired. This is suported for both the
global and per-group password policies.

passwordGraceUserTime is a count per-user of the number of binds.

When the passwordGraceUserTime exceeds the passwordGraceLimit then
all subsequent binds will be denied and an administrator will need
to reset the user password.

If passwordGraceLimit is less than 0 then grace limiting is disabled
and unlimited binds are allowed.

Grace login limitations only apply to entries with the objectclass
posixAccount or simplesecurityobject in order to limit this to
IPA users and system accounts.

Some basic support for the LDAP ppolicy control is enabled such that
if the ppolicy control is in the bind request then the number of
remaining grace binds will be returned with the request.

The passwordGraceUserTime attribute is reset to 0 upon a password
reset.

user-status has been extended to display the number of grace binds
which is stored centrally and not per-server.

Note that passwordGraceUserTime is an operational attribute.

https://pagure.io/freeipa/issue/1539

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-05-30 17:24:22 +03:00
Armando Neto
1101b22b58 ipatests: update definitions for custom COPR nightlies
Vagrant templates for `pki-`, `389ds-` and `testing-` are no longer
needed after feature added by https://github.com/freeipa/freeipa-pr-ci/pull/463.

This updates the test definitions to use PR-CI's custom arguments with
standard `ci-master-f36` vagrant box.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-05-25 22:38:11 +02:00
Alexander Bokovoy
ee07c1542a Ignore dnssec-enable-related named-checkonf errors in test
Check and skip dnssec-enable-related issues in 9.18+ where dnssec-enable
option was removed completely.

Fixes: https://pagure.io/freeipa/issue/9157

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2022-05-25 20:05:42 +02:00
Florence Blanc-Renaud
952a77caef ipatests: add new test with --subid installer option
Add a new test for ipa-client-install --subid
Add a new test for ipa-server-install --subid

Related: https://pagure.io/freeipa/issue/9159
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-05-25 08:11:39 +03:00
Anuja More
9cc703fd0e ipatests: Add integration tests for External IdP support
Tests for [RFE]: Added integration tests for external IdP
authentication with keycloak-17 as identity provider.

Related : https://pagure.io/freeipa/issue/8805
Related: https://pagure.io/freeipa/issue/8803
Related: https://pagure.io/freeipa/issue/8804

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2022-05-23 08:38:40 +03:00
Anuja More
5ca4e8ee33 pr-ci definitions: add external idp related jobs.
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2022-05-23 08:38:40 +03:00
Francisco Trivino
49a1c1caaa
ipatests: Bump PR-CI latest templates to Fedora 36
Moving 'latest' to Fedora 36 and 'previous' to Fedora 35.
Update Rawhide template.

The following templates are updated:

- gating
- nightly_latest
- nightlñy_latest_selinux
- nightly_previous
- nightly_rawhide
- temp_commit

These are not updated as they will receive a new update after
"custom COPR" feature in PR-CI is merged:

- nightly_latest_389ds
- nightly_latest_pki
- nightly_latest_testing

Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2022-05-19 12:40:37 -03:00
Alexander Bokovoy
03a905eed9 external-idp: add XMLRPC tests for External IdP objects and idp indicator
Fixes: https://pagure.io/freeipa/issue/8804
Fixes: https://pagure.io/freeipa/issue/8803

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Sumit Bose <sbose@redhat.com>
2022-05-10 15:52:41 +03:00
Florence Blanc-Renaud
73daf6b50b ipatests: --no-dnssec-validation requires --setup-dns
The test test_ipahealthcheck.py::TestIpaHealthCheckWithoutDNS
is installing the server without DNS but calls the installer
with --no-dnssec-validation option.

Remove the --no-dnssec-validation option as it is incompatible
with a non-DNS setup.

Fixes: https://pagure.io/freeipa/issue/9152
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-05-08 09:32:02 +02:00
Sudhir Menon
92d8077304 ipatests: Adding --no-dnssec-validation option for healthcheck
healthcheck related tests are failing because of the below issue
"client @0x7f8ee47c4d48 : servfail cache hit (CD=0)"
and as a result healthcheck related packages are not downloaded on test
system.
Hence adding the --no-dnssec-validation option to install_master
and install_replica function

https://pagure.io/freeipa/issue/9151

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-05-06 09:09:09 -04:00
Alexander Bokovoy
862340a3a1 js tests: use latest grunt
Allow npm to install and use latest grunt that is compatible with newer
OpenSSL.

This, in turn, requires ATK interfaces to be present for the chromium
installed by puppeteer.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-05-05 15:04:28 +03:00
Alexander Bokovoy
53d9dafe2f Azure CI: don't force non-existing OpenSSL configuration anymore
Newer grunt will pull a PhantomJS that is compatible with newer OpenSSL
so the workaround is not needed anymore.

Additionally, OpenSSL 3.0 is more strict and does not tolerate
non-existing default configuration file.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-05-05 15:04:28 +03:00
Alexander Bokovoy
6a086eb220 Azure CI: temporarily add libldap_r.so symlink for python-ldap PIP use
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-05-05 15:04:28 +03:00
Alexander Bokovoy
64bbf31fd8 Switch Azure CI to Fedora 36 pre-release
Use fedora-toolbox:36 image as it is prepared to work with systemd and
sudo

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-05-05 15:04:28 +03:00
Alexander Bokovoy
46dc1c76ef web ui: do not provide Remove button in subid page
subid range management does not allow to delete ranges

If subid range was allocated, it cannot be removed because there might
be file objects associated with it on one of IPA clients.

In Web UI a button to remove the range should not be shown.

Remove corresponding test from the Web UI test for subid as the button
to remove the subid range is not present anymore.

Fixes: https://pagure.io/freeipa/issue/9150

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2022-05-05 10:08:45 +03:00
Florence Blanc-Renaud
3edd09a8d9 ipatests: remove test_rekey_keytype_DSA
The test is calling getcert rekey -G DSA in order to rekey
a certificate with a DSA key, but DSA support has been disabled
in the default crypto policy, and certmonger does not support it
any more (see the BZ
https://bugzilla.redhat.com/show_bug.cgi?id=2066439)

Remove the test as it's not relevant anymore. The rekey
operation is tested anyway in other tests:
- test_certmonger_rekey_keysize
- test_rekey_keytype_RSA
- test_rekey_request_id

Fixes: https://pagure.io/freeipa/issue/9140
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-05-04 13:45:02 -04:00
Alexander Bokovoy
4a7cc3467c docs: add plantuml and use virtual environment to generate docs
Documentation generator can be run inside Python virtual environment.
This allows to isolate from the system-wide changes and add Sphinx
extensions that aren't packaged in a distribution.

The only exception right now is plantuml package. We rely on plantuml to
generate diagrams and since it is written in Java, it cannot be
installed directly into the Python venv through 'pip' tool.

Fixes: https://pagure.io/freeipa/issue/9148

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2022-05-04 09:36:40 +03:00
Florence Blanc-Renaud
a10a48e1ec ipatests: update the expected sha256sum of epn.conf file
The file epn.conf has been updated when fixing issue 9145
and the test test_epn.py::TestEPN::test_EPN_config_file
is comparing its sha256sum with the checksum of the
shipped file from the package ipa-client-epn.

The expected checksum needs to be updated.

Fixes: https://pagure.io/freeipa/issue/9146
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-05-02 16:11:04 -04:00
Florence Blanc-Renaud
fbfd64fc2b ipatests: fix wrong condition in xfail_context for auto private grp
The tests
TestNonPosixAutoPrivateGroup::test_idoverride_with_auto_private_group
and
TestPosixAutoPrivateGroup::test_gidnumber_not_corresponding_existing_group
are expected to fail until SSSD fixes issues 5988 and 5989.
They currently define an xfail_context with a condition based on
sssd version but that condition is wrong (as of today, no version
of sssd provides the fix).

Remove the wrong condition so that the test is always expected to fail.

Fixes: https://pagure.io/freeipa/issue/9141
Reviewed-By: Anuja More <amore@redhat.com>
2022-04-25 09:04:17 +02:00
Armando Neto
c780504d47
ipatests: bump PR-CI rawhide template
Based on compose `20220413.n.0`.

Issue: https://github.com/freeipa/freeipa-pr-ci/issues/457

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-04-24 21:13:26 -03:00
Alexander Bokovoy
599792e863 ipatests: collect samba logs when setting up trust to AD
In many cases it is impossible to investigate test failures of
environments where a trust to Active Directory is establishe without
Samba logs.

Collect Samba logs by default and make sure Samba is configured with
higher log levels if we are going to configure IPA to setup trust to
Active Directory.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-04-13 18:37:12 +02:00
Mohammad Rizwan
10046ffb33 ipatests: extend find_segment with suffix param
topologysegment name can be different depending on suffix.
This patch determines and supply the name of topologysgement
as per the suffix

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-04-07 14:19:28 +02:00
Mohammad Rizwan
4514e8090a ipatests: fix the topologysegment-reinitialize command
There is no guarantee for the topologysegement name, it could be
master-to-replica or replica-to-master. If it is master-to-replica
then --right should be used with the command else --left.

Fixes: https://pagure.io/freeipa/issue/9137

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-04-07 14:19:28 +02:00
Alexander Bokovoy
27ab21658b ipatests: fix check for AD topology being present
Fixes: https://pagure.io/freeipa/issue/9133

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-03-28 16:34:04 +03:00
Alexander Bokovoy
5a42ab115e tests: ensure AD-SUPPORT subpolicy is active in more cases
Continuation of the commit 2eee5931d7:

    Use AD-SUPPORT subpolicy when testing trust to Active Directory in FIPS
    mode. This is required in FIPS mode due to AD not supporting Kerberos
    AES-bases encryption types using FIPS-compliant PBKDF2 and KDF, as
    defined in RFC 8009.

Fixes: https://pagure.io/freeipa/issue/9119

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
2022-03-25 10:23:38 +01:00
Sudhir Menon
67488d2342 ipatests: Test for pki.server.healthcheck.clones.connectivity_and_data
This test checks that when
'pki.server.healthcheck.clones.connectivity_and_data' check is run
'Source 'pki.server.healthcheck.clones.connectivity_and_data' not found'
is not displayed.

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2041995

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-03-22 08:37:51 +01:00
Florence Blanc-Renaud
e32bfd44ee ipatests: Fix a call to run_command with wildcard
The test is calling run_command with a list of arguments:
run_command(['rm', '-f', paths.CERTMONGER_REQUESTS_DIR + '/*'])
but this format does not support shell expansion.

Replace with a str parameter:
run_command('rm -fv' + paths.CERTMONGER_REQUESTS_DIR + '/*')

to make sure all the files in the directory are actually removed.

Fixes: https://pagure.io/freeipa/issue/8506
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-19 11:20:50 +01:00
Florence Blanc-Renaud
52ec9cc027 ipatests: remove certmonger tracking before uninstall
test_ipahealthcheck_expiring is moving the date in the future
in order to check that certmonger properly warns about expiring
certificates, then uninstalls the master.

The uninstallation randomly fails with a DBus error communicating
with certmonger because of a contention between certmonger being
waken up by the call to stop tracking certs and the certmonger
helpers trying to renew the certs.

The test is stopping PKI server, then moves the date in the future.
At this point, certmonger is still running (we are testing that
getcert list properly warns about near expiration). This means that
chances are high that certmonger has enough time to launch the CA helper
for renewal, that takes the lock. But since PKI is down, the helper
remains running for a while and does not release the lock. Then
certmonger is stopped, the tracking files are removed, certmonger is
restarted.

To avoid the contention, manually remove the tracking before
calling uninstall and remove the renewal lock file.

Fixes: https://pagure.io/freeipa/issue/9123
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-19 11:20:50 +01:00
Rob Crittenden
a283735fbf Remove the --no-sssd option from ipa-client-automount
This makes automount configurable only using sssd and not LDAP.
The reason is that authselect 1.3 no longer supports
user-nsswitch.conf which is where we made direct changes to the
nss configuration on Fedora/RHEL.

The equivalent option was removed from ipa-client-install in
https://pagure.io/freeipa/issue/7671

Fixes: https://pagure.io/freeipa/issue/9084

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-03-18 09:40:37 +01:00
Rob Crittenden
fe9be8c4a1 Convert values using _SYNTAX_MAPPING with --delattr
When an entry is loaded the incoming values are converted
into python datatypes automatically based on the _SYNTAX_MAPPING
value in ipaldap.

When using delattr to remove a mapped value it will fail because
the datatypes do not match up. For example date types are
datetime.datetime structions and won't match a generalized time
string.

So try to map the value to delete using _SYNTAX_MAPPING before
trying to remove the value. Fall back to trying to remove the
raw value if the mapping fails.

This won't work for some mapping types, DNs for example. Providing
only the RDN value for a DN-type, manager for example, lacks the
context to know how to construct the DN (RDN and contaner).

Fixes: https://pagure.io/freeipa/issue/9004

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-03-16 12:18:35 +02:00
Mohammad Rizwan
5a909cff8d ipatests: Check maxlife error message where minlife > maxlife specified
When minlife > maxlife specified on commandline, it says:
"ipa: ERROR: invalid 'maxlife': Maximum password life must be
greater than minimum."

But when minlife == maxlife specfied, It works.
This test check that error message says what exactly it does

related: https://pagure.io/freeipa/issue/9038

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-03-16 12:17:08 +02:00
Alexander Bokovoy
517ae594e1 test_krbtpolicy: skip SPAKE-related tests in FIPS mode
SPAKE is based on the crypto primitives which are not FIPS compliant
yet. This means that in FIPS mode use of 'hardened' authentication
indicator is not possible. Skip corresponding tests in FIPS mode.

Related: https://pagure.io/freeipa/issue/9119

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2022-03-16 11:14:35 +02:00
Alexander Bokovoy
621af275c3 test_otp: do not use paramiko unless it is really needed
paramiko cannot be used in FIPS mode. We have few tests that import
generic methods from test_otp (add_token/del_token) and those tests fail
in FIPS mode due to unconditional 'import paramiko'.

Instead, move 'import paramiko' to the ssh_2f() helper which is not used
in FIPS mode (the whole SSH 2FA test is skipped then).

Related: https://pagure.io/freeipa/issue/9119

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2022-03-16 11:14:35 +02:00
Rob Crittenden
9ac88216a0 ipatests: Give the subCA more time to be loaded by the CA
The subCA keys are loaded out-of-band after creation into the
CA so they may have been replicated but not loaded. Give more
time for them to appear in the remote CA.

Use a loop for the checking instead of a raw sleep because most
of the time this is very fast (< 15 seconds) but sometimes it
requires just a bit more. Allow up to 60 seconds.

To avoid output difference, strip the token name out of certutil
output. We don't care about the token a certificate is stored
in, the internal or the FIPS token. We just care that they exist
on both servers and that the keys match.

Apparently in some cases the token name is displayed and not in
others so lets normalize the output to make comparisons more
consistent.

Fixes: https://pagure.io/freeipa/issue/9096

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2022-03-15 08:36:18 +01:00
Stanislav Levin
5a00882eab pylint: Fix useless-suppression
Cleanup up no longer used Pylint's disables where possible.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
feab723c59 pylint: Fix deprecated-method for threading
As of Python3 `currentThread`, `thread.getName` are aliases for
`threading.current_thread()` and `threading.Thread.name`
respectively.

In Python3.10:
> bpo-43723: The following threading methods are now deprecated and
  should be replaced:
  currentThread => threading.current_thread()
  activeCount => threading.active_count()
  Condition.notifyAll => threading.Condition.notify_all()
  Event.isSet => threading.Event.is_set()
  Thread.setName => threading.Thread.name
  thread.getName => threading.Thread.name
  Thread.isDaemon => threading.Thread.daemon
  Thread.setDaemon => threading.Thread.daemon

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
851f6d48ac pylint: Fix consider-using-dict-items
Pylint 2.9 introduced new check:
> New checker consider-using-dict-items. Emitted when iterating over
dictionary keys and then indexing the same dictionary with the key
within loop body.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
f9d0fc8a8c pylint: Skip not-callable
The klass property is referenced to class attribute.
Today's Pylint doesn't support this.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
a1f0f2743d pylint: Fix no-member
Teach pylint or skip newly exposed no-members.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
e096478752 pylint: Skip isinstance-second-argument-not-valid-type
The type of value to be compared is class attribute.
Today's Pylint doesn't support this.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
31a9eb3783 pylint: Fix deprecated-decorator
Pylint 2.9 introduced new checker:
> The decorator is marked as deprecated and will be removed in the
  future.

- @abstractproperty has been deprecated since Python3.3 [0]
- @abstractclassmethod has been deprecated since Python3.3 [1]

[0]: https://docs.python.org/3/library/abc.html#abc.abstractproperty
[1]: https://docs.python.org/3/library/abc.html#abc.abstractclassmethod

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
516adf40f8 pylint: Fix unnecessary-dict-index-lookup
Pylint 2.9 introduced new check:
> Emitted when iterating over the dictionary items (key-item pairs) and
accessing the value by index lookup. The value can be accessed directly
instead.

Note: in Python3 removing from dict during an iteration is not
possible even. For example,
```
cat a.py
d = {"a": 1}

for k, v in d.items():
    if v is not None:
        del d[k]

python3 a.py
Traceback (most recent call last):
  File "/usr/src/RPM/BUILD/freeipa/a.py", line 3, in <module>
    for k, v in d.items():
RuntimeError: dictionary changed size during iteration
```

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
139f6b63b1 pylint: Fix deprecated-class
There is no actual usage of deprecated classes for Python3.
Pylint complains about such for Python2. Since Python2 is no
longer supported these imports were removed.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
21c3dff6a1 pylint: Drop no longer used __home
`__home` has been added in 8ca44bcbfa,
later `tests.util` was refactored in
fd43b39145, but `__home` wasn't cleaned
up.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
cd2739bb0c pylint: Skip unused-private-member for property case
See https://github.com/PyCQA/pylint/issues/4756 for details

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
017b73e7f6 pylint: Fix use-maxsplit-arg
Pylint 2.9.0 new checker:
> Emitted when accessing only the first or last element of str.split().
  The first and last element can be accessed by using str.split(sep,
  maxsplit=1)[0] or str.rsplit(sep, maxsplit=1)[-1] instead.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Alexander Bokovoy
985dffe147 ipatests: extend AES keyset to SHA2-based ones
Fixes: https://pagure.io/freeipa/issue/9119

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2022-03-08 12:54:47 +01:00
Alexander Bokovoy
2eee5931d7 tests: ensure AD-SUPPORT subpolicy is active
Use AD-SUPPORT subpolicy when testing trust to Active Directory in FIPS
mode. This is required in FIPS mode due to AD not supporting Kerberos
AES-bases encryption types using FIPS-compliant PBKDF2 and KDF, as
defined in RFC 8009.

Fixes: https://pagure.io/freeipa/issue/9119

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2022-03-08 12:54:47 +01:00
Florence Blanc-Renaud
625176a797 ipatests: add missing test in the nightly defs
The test
test_integration/test_installation.py::TestInstallWithoutNamed
was missing in some nightly definitions.
Add the job definition for:
- nightly_latest_selinux.yaml
- nightly_latest_testing.yaml
- nightly_latest_testing_selinux.yaml

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-03 08:11:42 +01:00
Rob Crittenden
b445cff453 Strip off trailing period of a user-provided FQDN in installer
The example text included a trailing dot which isn't actually
allowed in a system hostname (just DNS). Remove the suggestion
to include it and strip off any trailing dot so that the install
can proceed.

Related: https://pagure.io/freeipa/issue/9111

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-02-25 08:13:52 +01:00
Rob Crittenden
8b517e6825 Verify the user-provided hostname in the server installer
The refactor change 9094dfc had a slight error where the
user-input provided value in input wasn't being validated. Only
the command-line or the current FQDN was being verified so
if the FQDN was bad any value input by the user was being skipped.

Fixes: https://pagure.io/freeipa/issue/9111

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-02-25 08:13:52 +01:00
Anuja More
3403af580d
Mark xfail test_gidnumber_not_corresponding_existing_group[true,hybrid]
Related : https://github.com/SSSD/sssd/issues/5988

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-02-23 10:29:14 +01:00
Anuja More
9d1f227975
mark xfail for test_idoverride_with_auto_private_group[hybrid]
Related : https://github.com/SSSD/sssd/issues/5989

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-02-23 10:29:14 +01:00
Anuja More
663cd9af68
ipatests: Tests for Autoprivate group.
Added tests using posix AD trust and non posix AD trust.
For option --auto-private-groups=[hybrid/true/false]

Related : https://pagure.io/freeipa/issue/8807

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-02-23 10:29:14 +01:00
Anuja More
a78f9f7fc9 ipatests: remove additional check for failed units.
On RHEL tests are randomly failing because of this check
and the test doesn't need to check this.

Related : https://pagure.io/freeipa/issue/9108

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-02-11 13:33:16 +02:00
Rob Crittenden
46ccf006ff ipatests: Remove certmonger tracking before uninstall in cert tests
There is some contention between certmonger starting during the
uninstallation process in order to stop the tracking and activity
going on within certmonger helpers.

As near as I can tell certmonger is not running, then IPA is
stopped in order to uninstall, then certmonger is started to stop
the tracking. certmonger checks cert status on startup but since
IPA isn't running it can't get a host ticket. During this time any
request over DBus may time out, causing a test to fail when we're
just trying to clean up.

https://pagure.io/freeipa/issue/8506

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-02-10 11:55:26 -05:00
Stanislav Levin
54f8733f4a ipatests: healthcheck: Sync the expected system RRs
The support for the DNS URI RRs has been added in freeipa-healthcheck:
https://github.com/freeipa/freeipa-healthcheck/issues/222

Fixes: https://pagure.io/freeipa/issue/9054
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-02-09 10:45:40 -05:00
Mohammad Rizwan
f4df4d9bb7 Test ipa-ccache-sweep.timer enabled by default during installation
This test checks that ipa-ccache-sweep.timer is enabled by default
during the ipa installation.

related: https://pagure.io/freeipa/issue/9107

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-02-09 10:41:56 -05:00
Florence Blanc-Renaud
926b707d31 ipatests: update images for f34 and f35
The new images include 389-ds-base 2.0.14-1
which contains the fixes for  the following tickets:

389-ds-base #5079 Freeipa nightly test failure with winsync agreement
389-ds-base #5031 ipa-restore broken in selinux enforcing mode

Fixes: https://pagure.io/freeipa/issue/9069
Fixes: https://pagure.io/freeipa/issue/9051
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2022-02-08 18:30:43 +01:00
Alexander Bokovoy
c93fa491f6 OpenLDAP 2.6+: use only -H option to specify LDAP url
OpenLDAP 2.6+ finally deprecated -h and -p options in all its command
line tools. They are not allowed anymore and cause ldap* tools to stop
hard with 'unknown option' error.

Fix this by always using -H url option instead. Deriving default value
for -H url from the configuration file still works, it is only -h and -p
that were deprecated.

See also: https://bugs.openldap.org/show_bug.cgi?id=8618

Fixes: https://pagure.io/freeipa/issue/9106

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-02-07 10:35:27 +02:00
Julien Rische
97d123cccc ipatests: add case for hardened-only ticket policy
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2022-02-02 15:42:45 +01:00
Florence Blanc-Renaud
d97a221f7e ipatests: fix expected automount config in nsswitch.conf
The test TestIpaClientAutomountFileRestore expects a
specific order for the automount sources to query
in /etc/nsswitch.conf.

With authselect update 1.3.0, the databases are sorted in
order of likelihood and the following line in seen:
automount: files sss
instead of
automount: sss files

Since the test doesn't care about the order but rather about
the list of sources, ignore the order.

Fixes: https://pagure.io/freeipa/issue/9067
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-01-25 15:40:28 +01:00
Florence Blanc-Renaud
2278de732b ipatests: update images for f34 and f35
The new images include kernel-modules package.

Fixes: https://pagure.io/freeipa/issue/9087
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2022-01-20 16:40:38 +01:00
Sumedh Sidhaye
75645760d2 Added test automation for SHA384withRSA CSR support
Scenario 1:
Setup master with --ca-signing-algorithm=SHA384withRSA
Run certutil and check Signing Algorithm

Scenario 2:
Setup a master
Stop services
Modify default.params.signingAlg in CS.cfg
Restart services
Resubmit cert (Resubmitted cert should have new Algorithm)

Added nightly definitions

Pagure Link: https://pagure.io/freeipa/issue/8906

Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
2022-01-14 15:10:54 +01:00
Michal Polovka
ff02041350 ipatests: webui: Use safe-loader for loading YAML configuration file
FullLoader class for YAML loader was introduced in version 5.1 which
also deprecated default loader. SafeLoader, however, stays consistent
across the versions and brings added security.

This fix is necessary as PyYAML > 5.1 is not available in downstream.

Related: https://pagure.io/freeipa/issue/9009

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-01-14 08:38:41 -05:00
Florence Blanc-Renaud
325415bb66 config plugin: add a test ensuring EmptyModlist is returned
Add a test to test_config_plugin, that calls ipa config-mod
with the same value as already present in LDAP.
The call must return EmptyModlist.

Related: https://pagure.io/freeipa/issue/9063
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-01-13 14:20:59 -05:00
Florence Blanc-Renaud
513099b4b3 ipatests: update images for f34 and f35
New versions of pki-server fix the following issues:
Fixes: https://pagure.io/freeipa/issue/9024
Fixes: https://pagure.io/freeipa/issue/8865

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2022-01-13 08:21:05 +01:00
Anuja More
56df1fd95c
pr-ci definitions: add web-ui subid-related jobs
Related: https://pagure.io/freeipa/issue/8361

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-01-12 15:01:28 +01:00
Anuja More
c2f2597b6d
ipatests: webui: Tests for subordinate ids.
Added web-ui tests to verify where operations
using subordinate ids are working as expected.

Related : https://pagure.io/freeipa/issue/8361

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-01-12 15:01:28 +01:00
Mohammad Rizwan
df03dd9bfe PEP8 Fixes
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-01-12 11:22:28 +01:00
Mohammad Rizwan
265f261874 Test cases for ipa-replica-conncheck command
Following test cases would be checked:
- when called with --principal (it should then prompt for a password)
- when called with --principal / --password
- when called without principal and password but with a kerberos TGT,
  kinit admin done before calling ipa-replica-conncheck
- when called without principal and password, and without any kerberos
  TGT (it should default to principal=admin and prompt for a password)

related: https://pagure.io/freeipa/issue/9047

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-01-12 11:22:28 +01:00
Mohammad Rizwan
a8b2279e94 ipatests: Test empty cert request doesn't force certmonger to segfault
When empty cert request is submitted to certmonger, it goes to
segfault. This fix test that if something like this happens,
certmonger should gracefuly handle it

and some PEP8 fixes

related: https://pagure.io/certmonger/issue/191

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2021-12-17 17:27:30 +01:00
Anuja More
56e4f33ce6 ipatests: Test default value of nsslapd-sizelimit.
related : https://pagure.io/freeipa/issue/8962

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-12-16 08:34:03 +01:00
Florence Blanc-Renaud
b5fd288991 ipatests: fix TestOTPToken::test_check_otpd_after_idle_timeout
The test sets 389-ds nsslapd-idletimeout to 60s, then does a
kinit with an otp token (which makes ipa-otpd create a LDAP
connection), then sleeps for 60s. The expectation is that
ns-slapd will detect that the LDAP conn from ipa-otpd is idle
and close the connection.
According to 389ds doc, the idle timeout is enforced when the
connection table is walked. By doing a ldapsearch, the test
"wakes up" ns-slapd and forces the detection of ipa-otpd
idle connection.

Fixes: https://pagure.io/freeipa/issue/9044
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
2021-12-14 09:00:38 +01:00
Mohammad Rizwan
f18a6c023b ipatests: Fix test_ipa_cert_fix.py::TestCertFixReplica teardown
Fixture `expire_certs` moves date back after renewing the certs.
This is causing the ipa-replica to fail. This fix first uninstalls
the server then moves back the date.

Fixes: https://pagure.io/freeipa/issue/9052

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-11-29 15:24:38 +01:00
Sumedh Sidhaye
f1a441858a Extend test to see if replica is not shown when running ipa-replica-manage list -v <FQDN>
Related: https://pagure.io/freeipa/issue/8605

Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-11-29 15:21:11 +01:00
Timo Aaltonen
52090d39e4 ipatests/test_ipaplatform: Skip test_ipa_version on Debian
Signed-off-by: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-11-25 21:02:56 -05:00
Florence Blanc-Renaud
eb833b158e ipatests: remove xfail on f35+ for test_number_of_zones
systemd-resolved fixed the issue on f35+
Related: https://pagure.io/freeipa/issue/8700

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2021-11-23 14:57:49 +01:00
Petr Vobornik
da4a7d29e9 webui tests: remove unnecessary code in add_record
Pkeys are not used anywhere in the method thus can be removed.

Related: https://pagure.io/freeipa/issue/9036

Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-11-22 12:38:35 +01:00
Petr Vobornik
36b975804f fix(webui): create correct PTR record when navigated from host page
In scenario:
1. make sure that reverse zone doesn't have the desired PTR record
2. open host page of the host with matchnig the A record, e.g.: https://server.pvoborni.test/ipa/ui/#/e/host/details/test2.pvoborni.test
3. click on the "Host name" link, it will bring us to it's DNS record page. E.g., https://server.pvoborni.test/ipa/ui/#/e/dnsrecord/details/pvoborni.test&test2
! notice the missing '.' in the URL after zone name (pvoborni.test)
4. click on the A record , dialog will show up, saying "record not found"
5. click on the "create DNS record"

PTR record created by Web UI doesn't have trailing '.' (is not fully
qualified record) even if the DNS zone is.

This patch is fixing the link to the DNS Record page so that the
page then correctly gets the DNS Zone name and thus creates a correct
fully qualified PTR record.

https://bugzilla.redhat.com/show_bug.cgi?id=2009114
https://pagure.io/freeipa/issue/9036

Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-11-22 12:38:35 +01:00
Florence Blanc-Renaud
4c61b9266a ipatests: update packages in rawhide test test_installation_client.py
The test definition is missing the instruction to update
the packages.

Fixes: https://pagure.io/freeipa/issue/9035
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2021-11-19 22:12:32 +01:00
Armando Neto
15da3a8ea5
ipatests: Fix UI_driver method after Selenium upgrade
`WebDriver.switch_to_active_element()` was deprecated in favour of
`driver.switch_to.active_element`.

Method was deprecated a long time ago, however deprecation message and
proxy method were removed recently and are not present in latest
version.

https://selenium-python.readthedocs.io/api.html#selenium.webdriver.remote.webdriver.WebDriver.switch_to_active_element
https://www.selenium.dev/selenium/docs/api/py/webdriver_remote/selenium.webdriver.remote.webdriver.html#selenium.webdriver.remote.webdriver.WebDriver.switch_to

Issue: https://pagure.io/freeipa/issue/9029

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-11-18 20:04:36 -03:00
Armando Neto
f224f6ade7
ipatests: Bump PR-CI latest templates to Fedora 35
Moving 'latest' to Fedora 35 and 'previous' to Fedora 34.
Update Rawhide template.

Based on https://github.com/freeipa/freeipa-pr-ci/pull/445.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-11-18 19:58:23 -03:00
Florence Blanc-Renaud
680d92b548 ipatests: mark test_installation_TestInstallWithCA_DNS3 as xfail
The test failure is a known issue, happening on f33+. Mark as xfail
until 8700 is fixed.

Related: https://pagure.io/freeipa/issue/8700
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2021-11-18 18:05:35 +01:00
Florence Blanc-Renaud
2e7396b0e2 ipatests: fix get_user_result method
Because the sidgen plugin is a postop plugin, it is not
always triggered before the result of an ADD is returned
and the objectclasses of the user may / may not contain
ipantuserattrs.
Fix the get_user_result method to work in all the cases.

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-11-10 14:05:53 +01:00
Rob Crittenden
b842b825ab Make the schema cache TTL user-configurable
The API schema is not checked for changes until after a TTL
is expired. A one-hour TTL was hardcoded which makes development
tedious because the only way to force a schema update is to
remember to remove files between invocations.

This adds a new environment variable, schema_ttl, to configure
the TTL returned by the server to schema() calls. This can be
set low to ensure a frequent refresh during development.

If the client is in compat mode, that is if client is working
against a server that doesn't support the schema() command,
then use the client's schema_ttl instead so that the user still
has control.

Re-check validity before writing the cache. This saves us both
a disk write and the possibility of updating the expiration
with a ttl of 0. This can happen if the fingerprint is still
valid (not expired, no language change) the schema check is
skipped so we have no server-provided ttl.

https://pagure.io/freeipa/issue/8492

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-11-03 10:59:10 +01:00
Mohammad Rizwan
6b544c4362 ipatests: remove redundant kinit from test
Fixture issue_and_expire_cert() kinit after moving the date to
expire certs. This fix is to rely on kinit from fixture.

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-11-03 10:55:49 +01:00
Florence Blanc-Renaud
4b665ccf22 ipatests: revert wrong commit on gating definition
Commit ebe838c overwrote the PRCI definition with temp commit
and needs to be reverted.

Reviewed-By: Francois Cami <fcami@redhat.com>
2021-11-02 11:40:25 +01:00
Florence Blanc-Renaud
cc8a0bc24c ipatests: update the expected output of user-add cmd
The SID is not expected to be returned by ipa user-add.

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-11-02 10:11:28 +01:00
Florence Blanc-Renaud
02b4241e19 Webui tests: new idrange now requires base RID
Now that SID are always generated, the creation of a new
local idrange is refused if baserid is missing.

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-11-02 10:11:28 +01:00
Florence Blanc-Renaud
c99b8bb4ab ipatests: backup-reinstall-restore needs to clear sssd cache
The integration tests that check backup-reinstall-restore
scenario need to clear sssd cache before checking the uid
of the admin user. For instance:
backup: saves the original admin uid
reinstall: creates a new admin uid, potentially cached by SSSD
restore: restores the original admin uid

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-11-02 10:11:28 +01:00
Florence Blanc-Renaud
fdfde9ce52 ipatests: adapt expected output with SID
From now on, new users/groups automatically get a SID.
Update the expect test outputs.

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-11-02 10:11:28 +01:00
Florence Blanc-Renaud
2d468fa49f ipatests: interactive install prompts for netbios name
The interactive server installation now prompts for netbios
name confirmation.
Add expected prompt and send response to the installer.

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-11-02 10:11:28 +01:00
Florence Blanc-Renaud
8dc064c2e3 ipatests: add test ensuring SIDs are generated for new installs
The standard installer now configures all the items needed
for SID generation. Add a new test with the following scenario:
- install IPA server
- create an active user
- ensure the user's entry has an attribute ipantsecurityidentifier
- ensure that the kerberos ticket for the user contains PAC data
by using the utility ipa-print-pac

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-11-02 10:11:28 +01:00
Sumedh Sidhaye
ebe838cb86 Test to verify if the case of a request for /ca/rest/authority/{id}/cert (or .../chain) where {id} is an unknown authority ID.
Test Steps:
1. Setup a freeipa server and a replica
2. Stop ipa-custodia service on replica
3. Create a LWCA on the replica
4. Verify LWCA is recognized on the server
5. Run `ipa ca-show <LWCA>`

BZ Link: https://bugzilla.redhat.com/show_bug.cgi?id=1958788

Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-11-01 11:27:53 -04:00
Sergey Orlov
f1922fe501
ipatests: use AD domain name from config instead of hardcoded value
The test fails when test config contains AD domain value other than one
hardcoded in the test code.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-11-01 13:57:18 +01:00
Armando Neto
d6d413628b
ipatests: bump rawhide template for PR-CI
New PR-CI template based on compose `Fedora-Rawhide-20211021.n.0`,
future Fedora 36.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-10-31 20:44:27 -03:00
Stanislav Levin
18456e71a1 ipatests: TestMultipleExternalCA: Create tempfiles on remote host
Previously, `test_master_install_ca1` and `test_master_install_ca2`
attempt to create tempdirs on local host and later write some
content into the returned paths on remote host. This fails if
a remote host is a local one.

The existent `create_temp_file` function has been extended to
support `suffix` option of `mktemp`.

Fixes: https://pagure.io/freeipa/issue/9013
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-10-28 16:29:01 -04:00
Michal Polovka
f11a4c3df5
ipatests: webui: Specify configuration loader
Default YAML loader has been deprecated in PyYAML-6.0, specify loader explicitly.

Fixes: https://pagure.io/freeipa/issue/9009

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-10-21 10:36:27 +02:00
Stanislav Levin
8f1dda6404 seccomp profile: Default to ENOSYS instead of EPERM
This allows application to detect whether the kernel supports
syscall or not. Previously, an error was unconditionally EPERM.
There are many issues about glibc failed with new syscalls in containerized
environments if their host run on old kernel.

More about motivation for ENOSYS over EPERM:
https://github.com/opencontainers/runc/issues/2151
https://github.com/opencontainers/runc/pull/2750

See about defaultErrnoRet introduction:
https://github.com/opencontainers/runtime-spec/pull/1087

Previously, FreeIPA profile was vendored from
https://github.com/containers/podman/blob/main/vendor/github.com/containers/common/pkg/seccomp/seccomp.json

Now it is merged directly from
https://github.com/containers/common/blob/main/pkg/seccomp/seccomp.json

Fixes: https://pagure.io/freeipa/issue/9008
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-10-18 12:08:56 +02:00
Rob Crittenden
47fbe05f7f Improve sudooption docs, make the option multi-value
I don't know why this wasn't always multi-value but if one wanted
to set multiple options they needed to call add-option multiple
times. The LDAP attribute is already multi-value.

This shouldn't cause API issues as it understood the attribute as
multi-value just didn't expose it. Client output on the CLI will
look a bit different:

Added option "('one', 'two')" to Sudo Rule "test"

or

Added option "(u'one', u'Two')" to Sudo Rule "test"

instead of with this change:

Added option "one,two" to Sudo Rule "test"

Removing an option works in a similar way.

The value is normalized on the client side in order to ensure that
the option value is always a tuple.

https://pagure.io/freeipa/issue/2278

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-10-08 10:47:58 +02:00
Florence Blanc-Renaud
575074daf0 ipatests: Update the subca used in TestIPACommand::test_cacert_manage
The above test is installing 2 Let's Encrypt certificates:
the root ISRG Root X1 and a subca. The subca expired Oct 6 and needs to
be replaced with a valid one, otherwise ipa-cacert-manage install
refuses to install it.

Fixes: https://pagure.io/freeipa/issue/9006
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2021-10-08 10:39:05 +02:00
Sergey Orlov
2a7285c8dd
ipatests: check for message in sssd log only during actual test action
Get size of the log file immediately before main test action to avoid
capturing messages written to log during environment preparation.

Fixes https://pagure.io/freeipa/issue/8987

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-10-05 10:23:31 +02:00
Florence Blanc-Renaud
563077c935 webui test: close notification after selinux user map update
The test test_undo_refresh_reset_update_cancel is sometimes
failing because a notification obscures the selinuxmap record.

After saving the modification on the record, close any notification
to make sure the test succeeds.

Fixes: https://pagure.io/freeipa/issue/8846
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
2021-10-04 09:14:24 -04:00
Florence Blanc-Renaud
2d534662c4 ipatests: update expected error message for openssl verify
The test TestIpaHealthCheckWithExternalCA::test_ipahealthcheck_ipaopensslchainvalidation
needs to be adapted with the new error message returned by
openssl verify when the provided certificate file does not exist.
The message changed with openssl3.

Fixes: https://pagure.io/freeipa/issue/8999
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-09-29 15:52:45 +02:00
Florence Blanc-Renaud
a6b3993d92 ipatests: increase sosreport verbosity
With the new version sos-4.2-1, sos report -v prints the
debug messages into sos.log only. In order to see the debug
messages in the console, -vv is needed.
For more info refer to sos report commit
1d0729a9dc

Since the test is looking for messages in stdout, use -vv to
make sure the expected messages are printed in the console.

Fixes: https://pagure.io/freeipa/issue/9000
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2021-09-29 15:50:31 +02:00
Stanislav Levin
c0a2b37791 test_schema_plugin: Add missing tests for command, class and topic commands
Fixes: https://pagure.io/freeipa/issue/8954
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-09-20 17:53:53 +02:00
Stanislav Levin
d4a3ed9dd4 test_schema_plugin: Drop dependency on Tracker
Tracker is the best for testing plugins dealing with LDAP.
The tests in test_schema_plugin are not used LDAP at all.

Fixes: https://pagure.io/freeipa/issue/8954
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-09-20 17:53:53 +02:00
Rob Crittenden
540b01bc6e ipatests: Test that a user can be issued multiple certificates
Prevent regressions in the LDAP cache layer that caused newly
issued certificates to overwrite existing ones.

https://pagure.io/freeipa/issue/8986

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2021-09-16 13:16:17 -04:00
Stanislav Levin
4fa6afa922 ipatests: Log debug messages for locator plugin
SSSD provides Kerberos plugin
> to tell the Kerberos libraries what Realm and which KDC to use.

It's useful to see what is happening during kinit in case of any
issues.

Related: https://pagure.io/freeipa/issue/8353
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-09-15 10:16:54 +02:00
Stanislav Levin
a941e8f602 azure: Ignore tar errors
Sometimes tar fails on changed in process files:
```
[2021-09-07 11:03:33] + tar --ignore-failed-read -czf ipaserver_install_logs.tar.gz --warning=no-failed-read /var/log/dirsrv /var/log/httpd2 /var/log/ipa /var/log/ipaclient-install.log /var/log/ipa-custodia.audit.log /var/log/ipaserver-install.log /var/log/krb5kdc.log /var/log/pki /var/log/samba /var/lib/bind/data systemd_journal.log
[2021-09-07 11:03:33] tar: Removing leading `/' from member names
[2021-09-07 11:03:33] tar: Removing leading `/' from hard link targets
[2021-09-07 11:03:33] tar: /var/log/dirsrv/slapd-IPA-TEST/access: file changed as we read it
[2021-09-07 11:03:33] + tests_result=1
```

This is expected failure since processes are not stopped during logs
collection and can flush their logs.

Fixes: https://pagure.io/freeipa/issue/8983
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-09-15 08:48:13 +02:00
Florence Blanc-Renaud
a2e06c385e ipatests: fix expected msg in tasks.run_ssh_cmd
OpenSSH 8.7p1 changed the message logged on successful
authentication (see commit 9e1882ef6489a7dd16b6d7794af96629cae61a53).

As a result, the method run_ssh_cmd is failing and needs to be
adapted in order to be compatible with old and new openssh versions.

Fixes: https://pagure.io/freeipa/issue/8989
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-09-14 14:56:42 -04:00
Florence Blanc-Renaud
0342e18e1f ipatests: fix logic waiting for repl in TestIPACommand
The logic of test_reset_password_unlock is twisted.
Currently it's doing:
- reset password on replicas[0]
- wait for replication on master
- kinit on master

The call to wait_for_replication should be done on
replicas[0], not on master, according to the method doc:
    Note that this waits for updates originating on this host, not those
    coming from other hosts.

Fixes: https://pagure.io/freeipa/issue/8975

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2021-09-08 16:46:21 +02:00
Florence Blanc-Renaud
b18cd122fa ipatests: rpcclient now uses --use-kerberos=desired
The integration tests are using rpcclient delivered
by samba package. With samba 4.15, the options have
been renamed and "--use-kerberos=desired" must be
used instead of "-k".
(see
https://download.samba.org/pub/samba/rc/samba-4.15.0rc4.WHATSNEW.txt)

Adapt the test to be compatible with both old and new versions.

Fixes: https://pagure.io/freeipa/issue/8979
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2021-09-08 08:16:14 +02:00
Christian Heimes
f1c58fb646 Add URI system records for KDC
MIT KRB5 1.15 introduced KDC service discovery with URI records.
_kerberos and _kpasswd URI records can provide TCP, UDP, and Kerberos
KDC-Proxy references. URI lookups take precedence over SRV lookups,
falling back to SRV lookups if no URI records are found.

Also reduce TTL for system records from one day to one hour. It allows
users to remove or update discovery entries in a timely fashion.

See: https://web.mit.edu/kerberos/krb5-latest/doc/admin/realm_config.html#kdc-discovery
Fixes: https://pagure.io/freeipa/issue/8968
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-08-31 18:28:27 -04:00
Florence Blanc-Renaud
7b5ef8aede ipatests: use whole date for journalctl --since
When a test is executed around midnight and is checking the
journal content with --since=date, it needs to specify the
whole date (with day and time) to avoid missing entries.

If for instance --since=23:59:00 is used and the current time is
now 00:01:00, --since=23:59:00 would refer to a date in the
future and no journal entry will be found.

Fixes: https://pagure.io/freeipa/issue/8953
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: François Cami <fcami@redhat.com>
2021-08-25 11:00:03 +02:00
Stanislav Levin
42067e5610 Azure: Run pycodestyle check in Lint job
- previously, fastlint make's target includes both the Pylint task
and pycodestyle one. The purpose of this target is a fast checking
only for changed Python files. This makes sense for pycodestyle, but
limits Pylint due to a context(file) checking. The clients which
call the code being linted are not checked at all. In Azure Pylint
(for the whole codebase) is run in the Lint task, this makes fastlint
extra for Azure.

- `Quick code style check` task used distro's Pylint, while `Lint`
task PyPI's one. This may cause different results and confuse a
user.

- `Build` task takes time longer than `Lint` one, so this change
doesn't lead to increased CI time.

- all Azure tests depend on Build and Lint tasks. Mostly it's no need
to run tests due to a probably broken code.

Fixes: https://pagure.io/freeipa/issue/8961
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: François Cami <fcami@redhat.com>
2021-08-24 16:49:10 +02:00
Mohammad Rizwan
c963adc727 ipatests: update the timemout for test_ipa_cert_fix.py in nightlies
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-08-19 08:48:02 +02:00
Mohammad Rizwan
50c6359f3d ipatests: wait while http/ldap/pkinit cert get renew on replica
LDAP/HTTP/PKINIT certificates should be renewd on replica after
moving system date. Test was failing because ipa-cert-fix ran
while these cert was not renewd and it tried to fix it.

This test adds check for replication before calling ipa-cert-fix
on replica.

Fixes: https://pagure.io/freeipa/issue/8815

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-08-19 08:48:02 +02:00
Stanislav Levin
77e7ac3592 ipatests: Add tests for schema Command
- the base testing of this command is made by ipaclient `schema`
remote plugin, but some specifics are not covered

- allow testing of the plugin in `development` mode(locked API).

Fixes: https://pagure.io/freeipa/issue/8955
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-08-19 08:44:26 +02:00
Rob Crittenden
c0d6c05d00 ipatests: Verify that securitydomain is updated on server-del
For every server-del ensure that the server being deleted is
also removed from the PKI securitydomain.

https://pagure.io/freeipa/issue/8930

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-08-16 09:12:55 +02:00
Michal Polovka
d46f5b2cc3
ipatests: test_ipahealthcheck: Verify permissions for /var/log/ files
Test if files in /var/log are being checked with ipahealthcheck.ipa.files source.

Resolves: https://pagure.io/freeipa/issue/8949

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-08-13 09:19:48 +02:00
Anuja More
dabf2763f8 ipatests: Test unsecure nsupdate.
The test configures an external bind server on the ipa-server
(not the IPA-embedded DNS server) that allows unauthenticated nsupdates.

When the IPA client is registered using ipa-client-install,
DNS records are added for the client in the bind server using nsupdate.
The first try is using GSS-TIG but fails as expected, and the client
installer then tries with unauthenticated nsupdate.

Related : https://pagure.io/freeipa/issue/8402

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-08-12 16:35:52 -04:00
Stanislav Levin
bb628aebaf ipatests: Fix TestAJPSecretUpgrade tests on systems without pkiuser
Tests in `test_ipaserver.test_secure_ajp_connector' assume that there
is pkiuser in OS, but this is not always true (for example, in systems
having minimum installed dependencies, in particular, without pki-server
RPM package). Since the tests already use the mock and pkiuser entity is
not the subject of testing the pwd.getpwnam has been mocked.

Fixes: https://pagure.io/freeipa/issue/8942
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-08-12 16:34:17 -04:00
Anuja More
16b3788f68 ipatests: Refactor test_check_otpd_after_idle_timeout
Use whole date when calling journalctl --since
ipa-otpd don't flush its logs to syslog immediately,
so check with run_repeatedly.
Also list failed units when ldap connection is
timed out.

Related: https://pagure.io/freeipa/issue/6587

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-08-10 11:12:52 +02:00
Anuja More
cd665e2d5c ipatests: skip test_basesearch_compat_tree on fedora.
slapi-nis with fix is not part of fedora yet.
test requires with fix:
https://pagure.io/slapi-nis/c/61ea8f6a104da25329e301a8f56944f860de8177?

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-08-09 14:49:21 +02:00
Anuja More
7cac63faef ipatests: Test ldapsearch with base scope works with compat tree.
Added test to verify that ldapsearch for compat tree
with scope base and sub is not failing.

Related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-08-09 14:49:21 +02:00
Christian Heimes
c75be14bee Fix string check in uninstall helper
The install helpers used an invalid string check. ``('ubuntu')`` is
not a tuple. It's a string with superfluous parenthesis. A single-item
tuple would be ``('ubuntu',)``. It's recommended to use set literals to
avoid such mistakes.

Also check for 'debian' platform.

Fixes: https://pagure.io/freeipa/issue/8937
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-08-09 08:42:39 +02:00
Rob Crittenden
e3304ff3aa pr-ci definitions: add custom plugin-related jobs
Related: https://pagure.io/freeipa/issue/8415

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-08-05 17:36:46 +02:00
Rob Crittenden
7b77fef75a ipatests: add suite for testing custom plugins
Ensure that attributes and objectclasses are case-insensitive.

https://pagure.io/freeipa/issue/8415

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-08-05 17:36:46 +02:00
François Cami
e914a59738 ipatests: use krb5_trace in TestIpaAdTrustInstall
tasks.create_active_user can fail in a subtle way when there
are two IPA servers due to replication delays.
Using the debug-enabled version of create_active_user helps
determine whether there is another underlying issue and, in
general, prevents the above problem.

Fixes: https://pagure.io/freeipa/issue/8944
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
2021-08-05 15:19:33 +02:00
Antonio Torres
715987a82e ipatests: expect SOA serial option deprecation warning
Tests must be updated to expect the new deprecation warning.

Related: https://pagure.io/freeipa/issue/8227
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Jeffman <rjeffman@redhat.com>
2021-08-04 14:09:45 +02:00
Mohammad Rizwan
bb38fbca91 ipatests: Look for warning into stderr instead of stdout
In https://github.com/freeipa/freeipa/pull/5855 was looking
into stdout_text for warning instead of stderr_text, hence
was failing for pki version > 10.11.0.

related: https://pagure.io/freeipa/issue/8890

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-08-04 12:10:33 +02:00
Rob Crittenden
3272780439 ipatests: verify that getcert output includes the issued date
certmonger 0.79.14 included a new feature that provides the
NotBefore (or issued) date to the certificate list output.

Verify that it is present in the output.

https://bugzilla.redhat.com/show_bug.cgi?id=1940261

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-08-03 11:09:28 -04:00
Anuja More
81b6157877 ipatests: Test for OTP when the LDAP connection timed out.
Test to verify that when the idle timeout is exceeded (30s idle,
60s sleep) then the ipa-otpd process should exit without error.

Related : https://pagure.io/freeipa/issue/6587

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-08-03 08:32:25 +02:00
Christian Heimes
8170659d15 Fix ldapupdate.get_sub_dict() for missing named user
The named user may not be present when ipa-server-dns and bind are not
installed. NAMED_UID and NAMED_GID constants are only used with local
DNS support.

Fixes: https://pagure.io/freeipa/issue/8936
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Co-authored-by: François Cami <fcami@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-07-30 08:58:25 -04:00
Rob Crittenden
7729b1c8ff ipatests: test ipa-getkeytab server option
Test various usages of the -s/--server option:
* -s is defined, use it as the server
* no -s, use the host value from /etc/ipa/default.conf
* -s is '_srv_', do DNS discovery

https://pagure.io/freeipa/issue/8478

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-07-30 08:45:08 -04:00
Armando Neto
1457bc602b ipatests: bump prci boxes + move gating to f34
Bump template box version to latest to include recently updated
dependencies and move gating and temp definitions to latest Fedora
release.

Issue: https://pagure.io/freeipa/issue/8935

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: François Cami <fcami@redhat.com>
2021-07-27 15:44:44 +02:00
Antonio Torres
42447c4540 ipatests: test if KRA install fails when ca_host is overriden
KRA install on a replica should fail if ca_host is
overriden in /etc/ipa/default.conf.

Related: https://pagure.io/freeipa/issue/8245
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-07-27 13:27:36 +02:00
François Cami
8a4a338c09 ipatests: refactor test_ipa_cert_fix with tasks
Fixes: https://pagure.io/freeipa/issue/8932
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2021-07-27 09:55:27 +02:00
Rob Crittenden
f470f64908 Fix automountlocation-tofiles expected output in xmlrpc test
The previous output matched the bad behavior of only displaying
one orphaned key.

https://pagure.io/freeipa/issue/7814

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2021-07-26 11:07:57 -04:00
Rob Crittenden
14062c774b ipatests: Add test for ipa automountlocation-tofiles
Only the first key of orphaned automount keys was being
displayed.

tofiles was created because making sense of LDAP automount
information is a brain squeezer. The purpose is not to
display in a precise file format but to display it in
a sensible and understandable way.

https://pagure.io/freeipa/issue/7814

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2021-07-26 11:07:57 -04:00
François Cami
d4d545a1c0 gating.yaml: Fix TestInstallMaster timeout
test_integration/test_installation.py::TestInstallMaster 's
timeout is 10800 on all nightlies but it timeouts in gating with a
timeout of 3600. Use 7200 in gating so that it has some chance of
completing.

Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2021-07-23 10:52:55 +02:00
François Cami
baed2e6f91 Azure: temporarily disable problematic tests, #2
test_cert and test_SubCAkeyReplication are randomly failing.
The suspect for test_SubCAkeyReplication is an nss bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1985061

The reason for test_cert failures was not identified, the only
relevant line in the log contains:
2021-07-22T17:37:21.0873339Z tests: cert, result: 1, time: 30:08.98
2021-07-22T17:37:21.0874172Z Command exited with non-zero status 1

Disable these tests in gating until the NSS bug is fixed and
the related build is available in Fedora.

Related: https://pagure.io/freeipa/issue/8864
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2021-07-23 10:52:55 +02:00
François Cami
b71009b31a Azure: temporarily disable problematic tests, #1
test_installation.TestInstallMaster, test_advise,
and test_integration.test_commands.TestIPACommand rely on DNS
forwarders and hit a known BIND bug:
https://gitlab.isc.org/isc-projects/bind9/-/issues/2728
quite often.
This is blocking gating nearly completely.
Disable these tests in gating until the bug is fixed and
the related build is available in Fedora.

Related: https://pagure.io/freeipa/issue/8864
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2021-07-23 10:52:55 +02:00
Rob Crittenden
2097776e5e ipatests: test removing last KRA when it is not running
Use the new role-based mechanism, one that doesn't rely
on direct communication to the server, to determine whether
the server being removed by `ipa server-del` contains the
last KRA server.

https://pagure.io/freeipa/issue/8397

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2021-07-22 14:39:24 -04:00
François Cami
93fad5a89c test_acme: make password renewal more robust
A kinit immediately following a password change can fail.
Setting KRB5_TRACE and retrieving kdcinfo will help to understand
the cause of failure.

Fixes: https://pagure.io/freeipa/issue/8929
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2021-07-21 15:27:31 +02:00
François Cami
82ab9245a5 test_acme: refactor with tasks
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2021-07-21 15:27:31 +02:00
François Cami
4618c3c24a tasks.py: fix flake8-reported issues
Fixes: https://pagure.io/freeipa/issue/8931
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2021-07-21 11:29:00 +02:00
François Cami
cbe5151e12 ipatests: smbclient "-k" => "--use-kerberos=desired"
Change documentation:
https://download.samba.org/pub/samba/rc/samba-4.15.0rc1.WHATSNEW.txt

As of Samba 4.15rc1, smbclient does not accept "-k" anymore.
The "-k|--kerberos" option ("Try to authenticate with kerberos.")
has been replaced with "--use-kerberos=required|desired|off".

Fixes: https://pagure.io/freeipa/issue/8926
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2021-07-20 11:11:28 +02:00
Florence Blanc-Renaud
319aa7a4b1 webui tests: fix algo for finding available idrange
The webui tests for ID range evaluate a potentially free id range
by looking for existing ranges and picking a range = max value
+ 1 million.

With the addition of subuid range this algorithm produces values
over the limit because the subuid range goes from
2,147,483,648 to 4,294,836,224 and the max base id is 4,294,967,295.

Ignore the subuid range when picking a potential range.
Fixes: https://pagure.io/freeipa/issue/8919
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-07-16 14:35:48 -04:00
Florence Blanc-Renaud
4bd1d15b60 webui tests: close notification when revoking cert
When a cert is revoked, a notification is displayed
and may obscure the buttons. Make sure to close the
notification before moving to the next step.

Fixes: https://pagure.io/freeipa/issue/8911
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2021-07-14 14:31:51 -04:00
Rob Crittenden
bd0d437450 Fall back to krbprincipalname when validating host auth indicators
When adding a new host the principal cannot be determined because it
relies on either:

a) an entry to already exist
b) krbprincipalname be a component of the dn

As a result the full dn is being passed into ipapython.Kerberos
which can't parse it.

Look into the entry in validate_validate_auth_indicator() for
krbprincipalname in this case.

https://pagure.io/freeipa/issue/8206

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-07-13 17:57:28 -04:00
Michal Polovka
3189e501fb
ipatests: test_installation: move tracking_reqs dependency to ipalib constants ipaserver: krainstance: utilize moved tracking_reqs dependency
KRA instance import depends on lib389 package, which is not always
installed and that results in failure. Furthermore, test_installation
utilizes krainstance import. This fix moves relevant parts from
krainstance to ipalib constants where those are subsequently imported
from.

Related: https://pagure.io/freeipa/issue/8795

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-07-13 16:52:57 +02:00
François Cami
4616c125b6 pr-ci definitions: add subid-related jobs
Related: https://pagure.io/freeipa/issue/8361
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-07-13 15:03:46 +02:00
Michal Polovka
b43ac4fdd2 ipatests: test_ipahealthcheck: print a message if a system is healthy
Test if when the system is completely healthy, informative message is
returned and not only empty output (list or json).

Related: https://pagure.io/freeipa/issue/8892

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-07-12 17:11:10 -04:00
Mohammad Rizwan
ea8f4b69a8 ipatests: Test ipa-cert-fix warns when startup directive is missing from CS.cfg
Earlier it used to fail when startup directive missing from CS.cfg.
With https://github.com/dogtagpki/pki/pull/3466, it changed to display
a warning than failing.

related: https://pagure.io/freeipa/issue/8890

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-07-12 19:59:06 +02:00
Florence Blanc-Renaud
eb8a6d0782 ipatests: use whole date when calling journalctl --since
The test TestSelfExternalSelf::test_switch_back_to_self_signed
is checking the content of the journal using journalctl --since ...
but provides only the time, not the whole date with year-month-day.
As a consequence, if the test is executed around midnight it may
find nothing in the journal because it's looking for logs after 11:50PM,
which is a date in the future.
Fixes: https://pagure.io/freeipa/issue/8918

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
2021-07-12 10:43:39 +02:00
Sudhir Menon
c64eaa49c4 ipatests: Fix for test_source_ipahealthcheck_ipa_host_check_ipahostkeytab
Expected error message has been modified for
test_source_ipahealthcheck_ipa_host_check_ipahostkeytab

Related: https://pagure.io/freeipa/issue/8889

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-07-12 09:07:53 +02:00
Rob Crittenden
02e19d0a39 Add SHA384withRSA as a certificate signing algorithm
It required support in dogtag which was added in 10.5.0.

This is only easily configurable during installation because
it will set ca.signing.defaultSigningAlgorithm to the
selected algorithm in CS.cfg

The certificate profiles will generally by default set
default.params.signingAlg=- which means use the CA default.

So while an existing installation will technically allow
SHA384withRSA it will require profile changes and/or
changing the defaultSigningAlgorithm in CS.cfg and
restarting (completely untested). And that won't affect
already issued-certificates.

https://pagure.io/freeipa/issue/8906

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-07-09 13:21:00 -04:00
Christian Heimes
aae6c029da Test DNA plugin configuration
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-07-09 09:47:30 -04:00