Replace the make-testcert command with a module that creates
the certificate when it is first needed.
As a result the tests are more self-contained, and can be run from
a read-only location (such as installed from a system package).
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Using the input environment saved in self._session_env
outside of the config loading meant that methods of
configuration other than environment variables wouldn't
be possible.
Restructure the roles/extra_roles to not depend on _session_env.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3938
Reviewed-By: Tomas Babej <tbabej@redhat.com>
In the parameters system, we have been checking for a positive list of values
which get converted to None. The problem is that this method can in some
cases throw warnings when type coercion doesn't work (particularly, string
to unicode). Instead, any values that evaluate to False that are neither
numeric nor boolean should be converted to None.
Reviewed-By: Jan Pazdziora <jpazdziora@redhat.com>
When restoring files from backup, we do use an incorrect order of
operations - we first restore SELinux context and then copy the
files from backup, when we need to do the exact opposite.
https://fedorahosted.org/freeipa/ticket/4133
Reviewed-By: Jan Pazdziora <jpazdziora@redhat.com>
Change the target filter to be multivalued.
Make the `type` option on permissions set location and an
(objectclass=...) targetfilter, instead of location and target.
Make changing or unsetting `type` remove existing
(objectclass=...) targetfilters only, and similarly,
changing/unsetting `memberof` to remove (memberof=...) only.
Update tests
Part of the work for: https://fedorahosted.org/freeipa/ticket/4074
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Older versions of dnspython have problems with implicit values for
size and h/v precision so our tests use explicit value.
See https://github.com/rthalley/dnspython/issues/47
This change is necessary because we want to test if data visible
over DNS protocol matches data visible over LDAP.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
This adds support for managed permissions. The attribute list
of these is computed from the "default" (modifiable only internally),
"allowed", and "excluded" lists. This makes it possible to cleanly
merge updated IPA defaults and user changes on upgrades.
The default managed permissions are to be added in a future patch.
For now they can only be created manually (see test_managed_permissions).
Tests included.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4033
Design: http://www.freeipa.org/page/V3/Managed_Read_permissions
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Sometimes, we will want to do more than just call IPA commands and
check the output. This patch makes it possible to add arbitrary
functions to Declarative tests. They will be called as part of
the sequence of tests.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
In the non-posix tests on the legacy clients, the testuser does not
belong to the testgroup (since this is represented by the NIS
group membership).
Relax the regular expression check for the output of the id testuser.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The hardcoded values for the home directories for the AD users did
not properly scale up from the POSIX attrs only test scanario.
When using POSIX attrs, the home dir is returned as whatever is set
in the AD (/home/username by default). Without using POSIX attributes,
the /home/domain/username form is taken by default.
Refactor the tests to take this behaviour into account.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Adds test cases for:
* getent subdomain user on legacy client
* getent subdomain group on legacy client
* getent id subdomain user on legacy client
* ssh into legacy client with subdomain user
* ssh into legacy client with disabled subdomain user
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
In the integration tests, we do not stop the sssd service
before deleting the cache, but rather start it. We need
to stop sssd before deleting the cache.
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
When we add the disabledipauser during the setup class part of the
BaseTestLegacyClient, we need to make sure that we re-kinit admin
since we do ntpsync with the AD just before that, which can render
the previous ticket invalid.
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
When the host is down, the preparation of the host fails. This
produces misleading errors, since the test framework reports that
the actual command being executed failed, when in fact (in case
of SSHTransport), the cause of failure was unability to establish
a SSH session.
https://fedorahosted.org/freeipa/ticket/4132
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Restoring backup files and restoring their context were two separate commands,
what means that in case we use SSHTrasport, which creates a separate SSH
session for each command, we try to restore the SELinux context of the
changed files in a new session.
This causes problems, if the access to files themselves are necessary
for the creation of the new SSH session.
https://fedorahosted.org/freeipa/ticket/4133
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
All the hosts in the domain have IPA master set as their only
nameserver. However, the IPA master does not create records for
these machines by default. This is not an big issue for clients
or replicas, since those records do get created in other ways,
but external hosts using their internal hostnames will not resolve.
Adds an A record for each host in master's domain.
https://fedorahosted.org/freeipa/ticket/4130
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
The integration test for legacy clients used incorrectly "test group"
instead of "testgroup" as group used on AD for test purposes. This
is inconsistent with the usage of "testuser".
https://fedorahosted.org/freeipa/ticket/4131
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
