Commit Graph

345 Commits

Author SHA1 Message Date
Michal Reznik
cedd52d7f9 test_caless: fix http.p12 is not valid
In "test_invalid_ds_cn" test case an old invalid http.p12 cert
is used as a leftover after previous "test_invalid_http_cn" test.
Get new valid http.p12 cert using create_pkcs12().

Also use server-badname cert instead of cert for replica.
This explicitly ensures a non-matching hostname/SAN rather than
implicitly by using a certificate for the replica.

https://pagure.io/freeipa/issue/7254

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-15 16:23:15 +01:00
Michal Reznik
495b85793c test_caless: fix TypeError on domain_level compare
Fixes an error where we were getting domain_level None and after
switching to Py3 we hit TypeError because of comparing None and int.

https://pagure.io/freeipa/issue/7254

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-15 16:23:15 +01:00
Christian Heimes
a48f6511f6 Use namespace-aware meta importer for ipaplatform
Instead of symlinks and build-time configuration the ipaplatform module
is now able to auto-detect platforms on import time. The meta importer
uses the platform 'ID' from /etc/os-releases. It falls back to 'ID_LIKE'
on platforms like CentOS, which has ID=centos and ID_LIKE="rhel fedora".

The meta importer is able to handle namespace packages and the
ipaplatform package has been turned into a namespace package in order to
support external platform specifications.

https://fedorahosted.org/freeipa/ticket/6474

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-15 14:17:24 +01:00
Tomas Krizek
c45a989506
ipatests: fix circular import for collect_logs
Move collect_logs function from util to avoid a circular import.

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-11-13 13:49:51 +01:00
Abhijeet Kasurde
222cef1a4d
ipatests: Fix interactive prompt in ca_less tests
This fix adds additional prompt which was missing previously
in test_interactive_missing_ds_pkcs_password and
test_interactive_missing_http_pkcs_password under CA-less integration
testsuite.

Fixes: https://pagure.io/freeipa/issue/7182

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
2017-11-10 08:05:21 +01:00
Stanislav Laznicka
983234c91b
caless tests: decode cert bytes in debug log
Bytes would cause the logger to throw up while interpolating the
string.

Reviewed-By: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-08 07:58:46 +01:00
Stanislav Laznicka
a3009b392a
caless tests: make debug log of certificates sensible
CA-less tests debug logging uses representation of a variable
containing the certificate object, which does not help very much.
Use the actual DER representation of the certificate on such places.

Reviewed-By: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-08 07:58:46 +01:00
Michal Reznik
02c1d0e8e5
test_external_dns: add missing test cases
Add NTP, ipa-ca and ADTrust system records tests. Also test if
changes are being reflected when uninstalling a host.

The test cases are added as extension into test_dns_locations suite.

https://pagure.io/freeipa/issue/6091

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-11-07 10:17:17 +01:00
Michal Reznik
5e4f76b043
test_caless: open CA cert in binary mode
When running test_caless suite in py3 we need to open CA cert in
binary mode so we can provide bytes later for python-cryptography.

https://pagure.io/freeipa/issue/7131

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-11-06 16:53:14 +01:00
Michal Reznik
59e136e8ba
test_forced_client: decode get_file_contents() result
Decode get_file_contents() in order to not get bytes when running py3

https://pagure.io/freeipa/issue/7131

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-11-06 16:51:00 +01:00
Tomas Krizek
1d190092d3
ipatests: collect logs for external_ca test suite
Since test_external_ca isn't using the multihost framework,
logs collection has to be set up explicitly.

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Felipe Barreto <fbarreto@redhat.com>
2017-11-06 14:05:25 +01:00
Stanislav Laznicka
c9265a7b05 x509: remove the strip_header() function
We don't need the strip_header() function, to load an unknown
x509 certificate, load_unknown_x509_certificate() should be used.

Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-01 07:55:04 +01:00
Felipe Barreto
be66eadb62
Fixing tox and pylint errors
Fixing import errors introduced by commits
icac3475a0454b730d6e5b2093c2e63d395acd387 and
0b7d9c5.

https://pagure.io/freeipa/issue/7132

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-10-23 18:11:30 +02:00
Michal Reznik
a2a6cf381e tests: add host zone with overlap
This patch is mainly for test_forced_client_reenrolment suite
where when we are not in control of our client DNS we create an
overlap zone in order to get the host records updated. This also
sets resolv.conf before every ipa-client-install to the ipa master.

https://pagure.io/freeipa/issue/7124

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2017-10-11 13:06:57 +02:00
Michal Reznik
f2b32759b9 test_caless: add caless to external CA test
Add caless to external CA test as the suite is currently
missing one.

https://pagure.io/freeipa/issue/7155

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-10-04 10:18:11 +02:00
Michal Reznik
7902fc9a06 test_external_ca: switch to python-cryptography
Switch external CA generation from certutil to python-cryptography
as this way of handling the certificates should be more readable,
maintainable and extendable (e.g. extensions handling).

Also as external CA is now a separate module we can import it and
use elsewhere.

https://pagure.io/freeipa/issue/7154

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-09-27 11:51:20 +02:00
Michal Reznik
a3c99367bf
test_caless: add SAN dNSName extensions for wildcard tests
It may happen that FQDN does not match with the domain mapped to
the host. In this case we add wildcard for both domains.

https://pagure.io/freeipa/issue/7100

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-08-11 13:53:44 +02:00
Michal Reznik
1ff356241c
test_caless: add replica ca-less to ca-full test (master caless)
Add replica ca-less to ca-full test when master stays caless. Cover
Pagure issue: https://pagure.io/freeipa/issue/6226

https://pagure.io/freeipa/issue/7086

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-08-11 12:04:32 +02:00
Michal Reznik
7a5b1cc140
test_caless: add server_replica ca-less to ca-full test
Add server_replica ca-less to ca-full test as we are currently missing
one. Cover Pagure issue: https://pagure.io/freeipa/issue/6207

https://pagure.io/freeipa/issue/7086

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-08-11 12:04:32 +02:00
Michal Reznik
4caabb140e
tests: fix external_ca test suite failing due to missing SKI
external_ca test suite is failing during installation due to
missing SKI extension.

https://pagure.io/freeipa/issue/7099

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-08-11 10:54:05 +02:00
Michal Reznik
284658e08e test_caless: remove xfail in wildcard certificate tests
As we are now generating proper wildcard certificates, remove xfail
in wildcard certificate tests.

https://pagure.io/freeipa/issue/5603

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-07-26 16:02:18 +02:00
Michal Reznik
64375ba65b
test_caless: introduce new python makepki + fix SKI extension issue
Change makepki.sh for new makepki.py which should be more
readable, maintainable and extendable than the old script.
In this test we use it as a module and import create_pki().

The new makepki adds SKI and AKI extensions for correct
cert validation.

Other minor changes needed as we do not use NSS to store our
certificates on the test controller.

https://pagure.io/freeipa/issue/7030

Signed-off-by: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-07-21 09:49:18 +02:00
Jan Cholasta
07229c8ff6 logging: do not use ipa_log_manager to create module-level loggers
Replace all `ipa_log_manager.log_mgr.get_logger` calls to create
module-level loggers with `logging.getLogger` calls and deprecate
`ipa_log_manager.log_mgr.get_logger`.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
ffadcb0414 logging: remove object-specific loggers
Remove all object-specific loggers, with the exception of `Plugin.log`,
which is now deprecated. Replace affected logger calls with module-level
logger calls.

Deprecate object-specific loggers in `ipa_log_manager.get_logger`.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Stanislav Laznicka
f827fe0f19 cert-validate: keep all messages in cert validation
Previous attempt to improve error messages during certificate
validation would only work in English locale so we're keeping
the whole NSS messages for all cases.

https://pagure.io/freeipa/issue/6945

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-16 16:04:00 +02:00
Tomas Krizek
48b7e83511 ipatests: add systemd journal collection for multihost tests
Some messages are only logged in journal. Collection of journal
makes debugging failed tests from logs easier.

Fixes: https://pagure.io/freeipa/issue/6971

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-01 11:50:44 +02:00
Martin Babinsky
1e5f55e791 Do not delete DS and PKI users during backup/restore tests
Since the creation of DS and PKI users is now handled by RPMs and not at
runtime in FreeIPA 4.5.x, we should no longer remove them during
backup/restore tests.

https://pagure.io/freeipa/issue/6956

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-30 13:31:28 +02:00
Martin Babinsky
2624cf2e4c test_backup_restore: do not fail on missing KrbLastSuccessfulAuth
Since FreeIPA 4.5.1 now sets 'Disable last successful auth' option by
default (see https://pagure.io/freeipa/issue/5313), the
'KrbLastSuccessfulAuth' may not always be present on the user entry. The
restored entry checker in backup/restore suite should consider this.

https://pagure.io/freeipa/issue/6956

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-30 13:31:28 +02:00
Michal Reznik
d5e84d7065 test_caless: mark TestCertinstall intermediate CA tests as xfail
mark TestCertinstall intermediate CA tests (http, ds) as xfail
until #6959 is solved

https://pagure.io/freeipa/issue/6959

Signed-off-by: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-19 12:38:54 +02:00
Michal Reznik
f7c4039e41 test_caless: add pkinit option and test it
change "caless-create-pki" so pkinit certificates can be
generated.

See https://web.mit.edu/kerberos/krb5-1.13/doc/admin/pkinit.html for details.

add pkinit option to the ipa installer and test both master and replica
install with pkinit.

https://pagure.io/freeipa/issue/6854

Signed-off-by: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-19 12:38:54 +02:00
Stanislav Laznicka
3d969d7bad Provide useful messages during cert validation
When the certificate validation was replaced, some error messages
were omitted (like "Peer's certificate expired."). Bring these back.

https://pagure.io/freeipa/issue/6945

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-05-18 17:32:59 +02:00
Christian Heimes
dd6b72e418 pytest 3.x compatibility
pytest 3.x does no longer support plain pytest.skip() on module level.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-27 18:03:14 +02:00
Christian Heimes
24161a6190
Move remaining util functions to tasks module
https://pagure.io/freeipa/issue/6798
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2017-03-22 13:42:04 +01:00
Christian Heimes
8aadd55c93
Move function run_repeatedly to tasks module
https://pagure.io/freeipa/issue/6798
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2017-03-22 13:42:04 +01:00
Christian Heimes
8867412adc
Move hosts module to ipatests.pytest_plugins.integration.hosts
https://pagure.io/freeipa/issue/6798
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2017-03-22 13:42:04 +01:00
Christian Heimes
313ae46b57
Move tasks module to ipatests.pytest_plugins.integration.tasks
https://pagure.io/freeipa/issue/6798
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2017-03-22 13:42:04 +01:00
Christian Heimes
1406dbc8c2
Move env_config module to ipatests.pytest_plugins.integration.env_config
https://pagure.io/freeipa/issue/6798
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2017-03-22 13:42:04 +01:00
Christian Heimes
2895e3931d
Move config module to ipatests.pytest_plugins.integration.config
https://pagure.io/freeipa/issue/6798
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2017-03-22 13:42:04 +01:00
Christian Heimes
fd1b4f6ec9 Add options to run only ipaclient unittests
A new option for ipa-run-tests makes the test runner ignore
subdirectories or skips tests that depend on the ipaserver package or on
a running framework for RPC integration tests. The new option enables
testing of client-only builds.

$ ipatests/ipa-run-tests --ipaclient-unittests
...
platform linux2 -- Python 2.7.13, pytest-2.9.2, py-1.4.32, pluggy-0.3.1
rootdir: /home/heimes/redhat, inifile: tox.ini
plugins: sourceorder-0.5, cov-2.3.0, betamax-0.7.1, multihost-1.1
collected 451 items

test_util.py ........
util.py ..
test_ipaclient/test_csrgen.py ..............ssss...
test_ipalib/test_aci.py ...................
test_ipalib/test_backend.py ........
test_ipalib/test_base.py ...............
test_ipalib/test_capabilities.py .
test_ipalib/test_cli.py ...
test_ipalib/test_config.py ...............
test_ipalib/test_crud.py ...............
test_ipalib/test_errors.py .......
test_ipalib/test_frontend.py ........................................
test_ipalib/test_messages.py ....
test_ipalib/test_output.py ...
test_ipalib/test_parameters.py .............................................................
test_ipalib/test_plugable.py ........
test_ipalib/test_rpc.py ......ssssssss
test_ipalib/test_text.py .............................
test_ipalib/test_x509.py ...
test_ipapython/test_cookie.py ............
test_ipapython/test_dn.py ...........................
test_ipapython/test_ipautil.py ..................................................................
test_ipapython/test_ipavalidate.py ..........
test_ipapython/test_kerberos.py ..............
test_ipapython/test_keyring.py ..........
test_ipapython/test_ssh.py ...............................
test_pkcs10/test_pkcs10.py .....

https://fedorahosted.org/freeipa/ticket/6517

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-03-17 15:02:13 +01:00
Stanislav Laznicka
5d3a0e6758 Don't allow standalone KRA uninstalls
KRA uninstallation is very likely to break the user's setup. Don't
allow it at least till we can be safely sure we are able to remove
it in a standalone manner without breaking anything.

https://pagure.io/freeipa/issue/6538

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-13 16:27:23 +01:00
Martin Basti
25fa2bb6c9 tests: use --setup-kra in tests
This will allow to test --setup-kra option together with
ipa-server-install in install tests

Separate installation using ipa-kra-install is already covered.

https://pagure.io/freeipa/issue/6731

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-08 15:50:30 +01:00
Martin Babinsky
612ea7f66e Provide basic integration tests for built-in AD trust installer
A couple of tests were added to server/replica install integration
suite to test AD trust install w/ various combinations of other optional
components.

https://fedorahosted.org/freeipa/ticket/6630

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 15:55:45 +01:00
Ganna Kaihorodova
10494b1bb3 Tests: Basic coverage with tree root domain
Extend existing legacy client tests to cover test cases with tree root domain.

https://fedorahosted.org/freeipa/ticket/6489

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-03-01 12:29:25 +01:00
Martin Basti
5bd8217423 Test: DNS nsupdate from dns-update-system-records
Get nsupdate data from dns-update-system-records, remove system records
and run nsupdate to verify that all system records were updated

https://fedorahosted.org/freeipa/ticket/6585

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 12:20:55 +01:00
Simo Sorce
d2f5fc304f Configure HTTPD to work via Gss-Proxy
https://fedorahosted.org/freeipa/ticket/4189
https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Martin Basti
ad1a5551d5 Tests: fix wait_for_replication task
DS changed a format of replication status attribute. Now it is with
prefix "Error (x)" where x is the error code.

Both formats were kept to allow tests run on older and new
versions of DS.

Reviewed-By: Milan Kubik <mkubik@redhat.com>
2017-02-08 14:15:53 +01:00
Petr Čech
dc99d3c04e ipatests: nested netgroups (intg)
Adds a test case for issue in SSSD that manifested in
an inability to resolve nested membership in netgroups

The test case tests for direct and indirect membership.

https://fedorahosted.org/freeipa/ticket/6439

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-02-07 11:56:14 +01:00
Ganna Kaihorodova
822a119100 Tests: Add tree root domain role in legacy client tests
Legacy client tests inherits test cases from trust tests, that have
role for tree root domain. That role was missing in legacy client tests.

https://fedorahosted.org/freeipa/ticket/6600

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-01-18 16:40:28 +01:00
Petr Spacek
8bc6775122 Remove named-pkcs11 workarounds from DNSSEC tests.
As far as I can tell the tests are passing for some time in Jenkins so
maybe a bug in some underlying component was fixed. Let's remove
workarounds to make tests actually test real setups.

https://fedorahosted.org/freeipa/ticket/5348

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-12-19 13:10:48 +01:00
Oleg Fayans
fad87a9962 Test: uniqueness of certificate renewal master
https://fedorahosted.org/freeipa/ticket/6504

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-12-08 17:26:04 +01:00