Commit Graph

2783 Commits

Author SHA1 Message Date
Florence Blanc-Renaud
e5bb0f392a ipatests: fix tasks.wait_for_replication method
With the fix for https://pagure.io/freeipa/issue/9171, the
method entry.single_value['nsds5replicaupdateinprogress'] now
returns a Boolean instead of a string "TRUE"/"FALSE".

The method tasks.wait_for_replication needs to be fixed so that
it properly detects when replication is not done.

Fixes: https://pagure.io/freeipa/issue/9530

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-02-14 09:26:00 +01:00
Florence Blanc-Renaud
908ef6a179 ipatests: add xfail for autoprivate group test with override
Because of SSSD issue 7169, secondary groups are not
retrieved when autoprivate group is set and an idoverride
replaces the user's primary group.
Mark the known issues as xfail.

Related: https://github.com/SSSD/sssd/issues/7169

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
2024-02-12 08:32:20 +01:00
Florence Blanc-Renaud
dfb5099e7f ipatests: remove xfail thanks to sssd 2.9.4
SSSD 2.9.4 fixes some issues related to auto-private-group

Related: https://pagure.io/freeipa/issue/9295
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
2024-02-12 08:32:20 +01:00
Sudhir Menon
7f849956df ipatests: Skip tests for ipahealtcheck tests for specific pki version
CADogtagCertsConfigCheck is no more available on RHEL9, hence the
respective tests are skipped.

Check 'CADogtagCertsConfigCheck' not found in Source 'pki.server.healthcheck.meta.csconfig'

Ref: https://issues.redhat.com/browse/RHEL-21367

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-02-02 11:03:00 +01:00
Florence Blanc-Renaud
9c470d10a5 ipatests: test_idp fails calling yum list wget
On rawhide, the package wget has been replaced with wget2
(more info in https://bugzilla.redhat.com/show_bug.cgi?id=2254790).

The test test_idp is checking that the sudo command is working
for a keycloak user, by creating a sudo rule for the yum command
and calling sudo yum list wget.
As the wget package does not exist any more on Rawhide, the command
returns an error:
Error: No matching Packages to list
and the test fails.

Replace the call "sudo yum list wget" with a call to "sudo yum list yum"
as the yum package is always present.

Fixes: https://pagure.io/freeipa/issue/9522

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-01-30 18:27:12 +01:00
Christian Heimes
22875ea2c6 test_acme: Use ipalib.x509
Use IPA's x509 module instead of `cryptography.x509`. This fixes a
regression which was introduced in commit a45a7a20.

Related: https://pagure.io/freeipa/issue/9518
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2024-01-25 18:07:20 +01:00
Christian Heimes
a45a7a20d9 Compatibility fix for PyCA cryptography 42.0.0
Cryptography 42.0.0 introduced two new abstract properties
`not_valid_before_utc` and `not_valid_after_utc`, which are non-naive UTC
variants of the `not_valid_before` and `not_valid_after` properties.

The old properties are deprecated. The changeset also modifies code and
tests to use the new `_utc` variants.

Fixes: https://pagure.io/freeipa/issue/9518
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-01-24 14:54:24 +01:00
Masahiro Matsuya
c740cb84ba ipatests: wait for replica update in test_dns_locations
test_ipa_ca_records and test_adtrust_system_records can fail with
NXDOMAIN, because it doesn't wait enough for the update on replica.
It can be resolved by waiting for the update with wait_for_replication.

Fixes: https://pagure.io/freeipa/issue/9504
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-01-23 07:57:56 +01:00
Florence Blanc-Renaud
717ae87a75 Nightly tests: test on f38 and f39
Fedora 39 is now officically available. Update the test definitions:
- lastest now uses f39
- previous now uses f38

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2024-01-12 18:46:41 -05:00
Alexander Bokovoy
a5d38ca171 host: update System: Manage Host Keytab permission
Since commit 5c0e7a5fb4, a new extended
operation to get a keytab is supposed to be used. This keytab
setting/retrieval extended operation checks access rights of the bound
DN to write to a virtual attribute 'ipaProtectedOperation;write_keys'.

If the write isn't allowed, the operation is rejected and ipa-getkeytab
tool falls back to an older code that generates the keytab on the client
and forcibly sets to the LDAP entry. For the latter, a check is done to
make sure the bound DN is allowed to write to 'krbPrincipalKey' attribute.

This fallback should never happen for newer deployments. When enrollemnt
operation is delegated to non-administrative user with the help of 'Host
Enrollment' role, a host can be pre-created or created at enrollment
time, if this non-administrative user has 'Host Administrators' role. In
the latter case a system permission 'System: Manage Host Keytab' grants
write access to 'krbPrincipalKey' attribute but lacks any access to the
virtual attributes expected by the new extended operation.

There is a second virtual attribute, 'ipaProtectedOperation;read_keys',
that allows to retrieve existing keys for a host. However, during
initial enrollment we do not allow to retrieve and reuse existing
Kerberos key: while 'ipa-getkeytab -r' would give ability to retrieve
the existing key, 'ipa-join' has no way to trigger that operation.
Hence, permission 'System: Manage Host Keytab' will not grant the right
to read the Kerberos key via extended operation used by 'ipa-getkeytab
-r'. Such operation can be done later by utilizing 'ipa
service/host-allow-retrieve-keytab' commands.

Fix 'System: Manage Host Keytab' permission and extend a permission test
to see that we do not fallback to the old extended operation.

Fixes: https://pagure.io/freeipa/issue/9496

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-01-12 18:41:01 -05:00
Carla Martinez
2874823c12
ipatests: test new columns in group details
Test for checking the new columns 'givenname', 'sn' and 'nsaccountlock'.

Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Carla Martinez <carlmart@redhat.com>
2024-01-12 15:26:45 +01:00
Rob Crittenden
e5a9e46138 get_directive: don't error out on substring mismatch
This function is designed to retrieve a value from an
ini-like file. In particular PKI CS.cfg.

In an attempt to be more efficient a substring search,
using startswith(), is used before calling a regular
expression match.

The problem is that if the requested directive is a
substring of a different one then it will pass the
startswith() and fail the regular expression match
with a ValueError, assuming it is malformed.

There is no need for this. The caller must be able to
handle None as a response anyway. So continue if
no match is found.

This was seen when PKI dropped storing certificate blobs
in CS.cfg. The CA certificate is stored in ca.signing.cert.
If it isn't present then ca.signing.certnickname will match
the substring but not the directive. This should not be
treated as an error.

Fixes: https://pagure.io/freeipa/issue/9506

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-01-11 17:19:47 +01:00
Rob Crittenden
ce811db6be ipatests: Test client install/uninstall with automount enabled
The automount installation was failing. Confirm that it is fixed.

The uninstall was not restoring all files/configuration. Verify
that the index and state files are gone which means that all state
and files were restored.

Fixes: https://pagure.io/freeipa/issue/9487

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2024-01-11 17:13:35 +01:00
Sudhir Menon
8ef3d6ce5c ipatests: Skip ds_encryption tests on RHEL9 SUT.
test_ipahealthcheck_ds_encryption tests are failing
in RHEL9 SUT because in this test tls protocol version
is set to TLS1.0 using the below command, but its
reset to TLS1.2 causing the test to fail.

'dsconf', 'slapd-TESTREALM-TEST', 'security', 'set', '--tls-protocol-min=TLS1.0'

Hence the test is skipped to be run on RHEL9.0 SUT.

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-01-10 14:58:49 -05:00
Rob Crittenden
86b073a7f0
Integration tests for verifying Referer header in the UI
Validate that the change_password and login_password endpoints
verify the HTTP Referer header. There is some overlap in the
tests: belt and suspenders.

All endpoints except session/login_x509 are covered, sometimes
having to rely on expected bad results (see the i18n endpoint).

session/login_x509 is not tested yet as it requires significant
additional setup in order to associate a user certificate with
a user entry, etc.

This can be manually verified by modifying /etc/httpd/conf.d/ipa.conf
and adding:

Satisfy Any
Require all granted

Then comment out Auth and SSLVerify, etc. and restart httpd.

With a valid Referer will fail with a 401 and log that there is no
KRB5CCNAME. This comes after the referer check.

With an invalid Referer it will fail with a 400 Bad Request as
expected.

CVE-2023-5455

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
2024-01-10 10:27:06 +01:00
Florence Blanc-Renaud
8d7bd6c6ab pylint: fix errors
Fix the following errors:
I0021(useless-suppression)
R1710(inconsistent-return-statements)
E1101(no-member)

Ignore the following errors:
E0601(used-before-assignment)
The variable is imported when the code is run in_server.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-01-09 08:40:47 +01:00
Florence Blanc-Renaud
8981ede1a2 azure tests: move to fedora 39
Update python3 to ensure the fix for BZ 2252567 is pulled.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-01-09 08:40:47 +01:00
Alexander Bokovoy
c3bc938650
ipatests: make sure PKINIT enrollment works with a strict policy
Previously, for a global policy which does not include
'password', krb5kdc restart was failing. Now it should succeed.

We set admin user authentication type to PASSWORD to simplify
configuration in the test.

What matters here is that global policy does not include PKINIT and that
means a code in the ticket policy check will allow PKINIT implicitly
rather than explicitly.

Related: https://pagure.io/freeipa/issue/9485

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2023-12-22 10:34:19 +01:00
Florence Blanc-Renaud
a177121af6 ipatests: disable dnssec validation in tests using dnf
The 2 following tests rely on dnf install and use
mirrors.fedoraproject.org which has a broken trust chain.
Disable dnssec validation so that dnf succeeds.

Fixes: https://pagure.io/freeipa/issue/9498

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-12-19 14:59:42 +01:00
Rob Crittenden
d1e09c68af ipatests: Verify that hbactest will return messages
Limit the sizelimit of the hbactest request to confirm that
the output includes a SearchResultTruncated message.

Fixes: https://pagure.io/freeipa/issue/9486

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-12-19 12:58:50 +01:00
Florence Blanc-Renaud
25b58e6dea Webui: use service options to init Firefox driver
With selenium driver 4.10 and above, the API for Firefox driver
initialization has changed and does not use any more the
log_path argument.

The log path is now provided through a FirefoxService option
in the webdriver initialization.

Fixes: https://pagure.io/freeipa/issue/9492
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2023-12-11 11:51:43 +01:00
Florence Blanc-Renaud
9abb50eb1e test_install: restart services after date change
The test TestKRAinstallAfterCertRenew is moving the
date in the future in order to reach the grace period where
certmonger detects some certificates need to be renewed.
Restart the services after the date change.

Fixes: https://pagure.io/freeipa/issue/9405

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2023-12-11 09:55:20 +01:00
Florence Blanc-Renaud
53951ca860 test_external_idp: update code for selenium 4.10
The integration test is using selenium web driver to simulate a
user authentication with an external IdP. The user performs kinit
and is provided with a URL where he needs to authenticate.

The test was written for selenium API 4.9 and must be adapted to
the changes introduced in 4.10:
- the headless method has been deprecated
- executable_path argument has been deprecated

Fixes: https://pagure.io/freeipa/issue/9493
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2023-12-11 09:52:05 +01:00
Florence Blanc-Renaud
d61d1b059c Make test_external_ca.py compatible with crypto 41.0.0
The integration test test_external_ca.py is not compatible with
python-cryptography 41.0.0+.

The test is installing ipa server with an externally-signed CA cert
using a Microsoft Certificate Service profile:
ipa-server-install --external-ca --external-ca-type ms-cs
                    --external-ca-profile "1.2.3.4:10:200"
The command generates a CSR in /root/ipa.csr. The test reads the CSR,
extracts the extensions and compares with the requested extension
for the Microsoft Template.
With python-cryptography 41.0.0+, the extension can be decoded as
cryptography.x509.MSCertificateTemplate while with older version
the extension is decoded as cryptography.x509.UnrecognizedExtension.

Handle both cases properly.

Fixes: https://pagure.io/freeipa/issue/9490

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2023-12-11 09:49:47 +01:00
Florence Blanc-Renaud
5028b391f1 Integration tests: disable test_sso
Changes in ipa-tuura project are breaking the test
(removal of a script required for test preparation).
Disable the test until a solution is found in ipa-tuura.

Related: https://pagure.io/freeipa/issue/9476

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2023-12-04 15:58:07 +01:00
Alexander Bokovoy
6bc9e9d06e Remove upgrade test from Azure CI
It is already running in PR CI for all kinds of targets:

ipatests/prci_definitions/gating.yaml:        test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_latest.yaml:        test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_latest_389ds.yaml:        test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_latest_pki.yaml:        test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_latest_selinux.yaml:        test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_latest_testing.yaml:        test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_latest_testing_selinux.yaml:        test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_previous.yaml:        test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_rawhide.yaml:        test_suite: test_integration/test_upgrade.py

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-11-28 17:02:47 +01:00
Rob Crittenden
f00b52ce6d ipatests: fix expected output for ipahealthcheck.ipa.host
ipa-healthcheck commit e69589d5 changed the output when a service
keytab is missing to not report the GSSAPI error but to report
that the keytab doesn't exist at all. This distinguishes from real
Kerberos issues like kvno.

Fixes: https://pagure.io/freeipa/issue/9482

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2023-11-16 15:51:03 -05:00
Rob Crittenden
d659d21b43 ipatests: ignore nsslapd-accesslog-logbuffering WARN in healthcheck
Log buffering is disabled in the integration tests so we can have all
the logs at the end. This is causing a warning to show in the 389-ds
checks and causing tests to fail that expect all SUCCESS.

Add an exclude for this specific key so tests will pass again.

We may eventually want a more sophisiticated mechanism to handle
excludes, or updating the config in general, but this is fine for now.

Fixes: https://pagure.io/freeipa/issue/9400

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2023-11-16 15:51:03 -05:00
Florence Blanc-Renaud
07e5637269 ipatests: fix expected output for ipahealthcheck.meta.services
ipa-healthcheck commit 31be12b introduced a change in the output
message when pki-tomcatd is not running.
With versions <= 0.12, the service name is displayed as
pki_tomcatd (with an underscore), but with 0.13+ it is
pki-tomcatd (with a dash).

Fixes: https://pagure.io/freeipa/issue/9460

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-11-13 16:39:52 -05:00
Sudhir Menon
9d49f403c2 ipatests: Skip the test failing due to FIPS policy
1. test_certmonger_reads_token_HSM test in test_installaton.py
is failing in FIPS/STIG mode with the below error.

SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY: Unable to import.
Error attempting to import private key in STIG mode

2. Adding the posfix config change, because there was a crash
seen in smtpd in FIPS mode.

ie. postconf -e smtpd_tls_fingerprint_digest=sha256

KCS: https://access.redhat.com/solutions/6958957

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-10-19 12:27:01 +02:00
Florence Blanc-Renaud
b6af3a43c7 ipalib: fix the IPACertificate validity dates
The class IPACertificate builds objects from x509 Certificate
objects and creates the not_valid_before and not_valid_after values
by converting to a timestamp + applying timezone delta to UTC + reading
from the timestamp. This results in applying twice the delta.

Use a simpler method that replaces the timezone info with UTC in the
datetime object.

Fixes: https://pagure.io/freeipa/issue/9462

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-10-16 14:46:45 -04:00
Rob Crittenden
62454574a1 Allow password policy minlength to be removed like other values
This is a side-effect of adding the libpwquality options. It
imposes its own hardcoded minimum password length so some care
was needed to ensure that it isn't set too low.

So if there are no libpwquality options used then it's fine to
have no minlength in the policy.

Fixes: https://pagure.io/freeipa/issue/9297

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2023-10-16 13:23:20 -04:00
Florence Blanc-Renaud
430054db41 ipatests: fix test_ipactl_scenario_check
The test is comparing the PID of services before and after
calling ipactl start, expecting to have the same value.
It should not compare the pid for ipa-dnskeysyncd as this service
is automatically restarted upon failure.

Fixes: https://pagure.io/freeipa/issue/9415

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-10-04 09:20:44 -04:00
Florence Blanc-Renaud
e459e5b8bc ipatests: fix healthcheck test for --indent option
ipa-healthcheck --indent option expects an integer. The error
message changed with ipa-healthcheck 0.13.
Recent versions also check that the value is in the range 0-32.

The test must be compatible with old and new versions.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-10-04 09:17:52 -04:00
Florence Blanc-Renaud
f9075f9f77 ipatests: fix healthcheck test without DNS
ipa-healthcheck has added a new check for ipa-ca record
missing. The test needs to be adapted to handle the new check.

Fixes: https://pagure.io/freeipa/issue/9459

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-10-04 09:15:29 -04:00
Alexander Bokovoy
b22605ee54 Azure CI: increase memory for forced reenrollment test
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-10-04 08:37:28 -04:00
Alexander Bokovoy
48cfe6848c Increase memory usage for Azure CI upgrade test
The test often fails when running in parallel to other tests as very
little memory is left. 389-ds memory autotuning causes database backend
to refuse working in such cases. 389-ds team suggested more memory has
to be made available.

Increate RAM for this test to 2.5GB instead of 2.2GB.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-10-04 08:37:28 -04:00
Alexander Bokovoy
1a2cd7f408 Use datetime.timezone.utc instead of newer datetime.UTC alias
datetime.UTC alias was added in Python 3.11:
https://docs.python.org/3/library/datetime.html#datetime.UTC

datetime.timezone.utc was present since Python 3.2.

Since RHEL 9 is using Python 3.9, use more compatible variant.

Fixes: https://pagure.io/freeipa/issue/9454

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-09-29 15:06:33 -04:00
Christian Heimes
6aebfe74fb Add context manager to ipalib.API
`ipalib.API` instances like `ipalib.api` now provide a context manager
that connects and disconnects the API object. Users no longer have to
deal with different types of backends or finalize the API correctly.

```python
import ipalib

with ipalib.api as api:
    api.Commands.ping()
```

See: https://pagure.io/freeipa/issue/9443
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-09-29 12:57:06 +02:00
Mohammad Rizwan
496e3ace85 ipatests: restart ipa services after moving date
When system date is moved into future, it have unprecedented
behavior i.e CA becomes irresponsive or unexpected certificcate
state. Hence restart the ipa service after moving the date to
gracefully serve the request.

Fixes: https://pagure.io/freeipa/issue/9379

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-09-18 17:51:30 +02:00
Antonio Torres
2bc247d831 ipatests: rename 'ipatuura' directory to 'scim' in bridge tests
A recent commit [1] in ipa-tuura project renamed the 'ipatuura' django app
to 'scim'. Change it in IPA side as well to fix tests.

[1]: f12592cea4

Fixes: https://pagure.io/freeipa/issue/9447

Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2023-09-11 09:12:51 +02:00
Florence Blanc-Renaud
0654fb3737 idp: add the ipaidpuser objectclass when needed
The ipaidpuser objectclass is required for the attribute ipaidpsub.
When a user is created or modified with --idp-user-id, the operation
must ensure that the objectclass is added if missing.

Add a test for user creation and user modification with --idp-user-id.
Fixes: https://pagure.io/freeipa/issue/9433

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-08-30 09:13:23 -04:00
Rob Crittenden
317e7061d0 Adjust test to handle revocation reason REMOVE_FROM_CRL
The dogtag REST API has a change of behavior regarding
revocation reason 8, REMOVE_FROM_CRL. The XML interface
accepts it blindly and marks the certifiate as revoked.

This is complicated within RFC 5280 but the jist is that
it only affects a certificate on hold and only for delta
CRLs.

So this modifies the behavior of revocation 8 so that
the certificate is put on hold (6) first.

Fixes: https://pagure.io/freeipa/issue/9345

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2023-08-28 10:21:48 -04:00
Mohammad Rizwan
8d081ce894 ipatests: accommodate DST in ACME cert expiry
There is one hour time difference between expiry of ACME cert if
the certificate is issued while daylight saving is start and
expires after DST ends. For 2023 daylight saving time start at
Sunday 12 March and ends at Sunday 5 November. Every certificate
which is expiring after November 5th will have 1 hour difference in
expiry.

Fix is to use 90days+2hours to expire the cert.

Fixes: https://pagure.io/freeipa/issue/9428

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-08-23 13:10:02 -04:00
Alexander Bokovoy
ef955c9015
support more DateTime attributes in LDAP searches in IPA API
LDAPSearch class constructs a filter from a set of attributes and their
values passed in by the command. During this construction process a
limited set of attributes gets converted to a special form, the rest is
simply taken as a string and escaped according to LDAP rules.

This means DateTime class would simply be converted to string using
str(DateTime) and that uses default formatting method. For LDAP we need
to apply a specific formatting method instead.

Following LDAP attributes now handled as datetime.datetime:

 ( 1.3.6.1.4.1.5322.21.2.5 NAME 'krbLastAdminUnlock' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
 ( 2.16.840.1.113719.1.301.4.6.1 NAME 'krbPrincipalExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
 ( 2.16.840.1.113719.1.301.4.37.1 NAME 'krbPasswordExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
 ( 2.16.840.1.113719.1.301.4.45.1 NAME 'krbLastPwdChange' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
 ( 2.16.840.1.113719.1.301.4.48.1 NAME 'krbLastSuccessfulAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
 ( 2.16.840.1.113719.1.301.4.49.1 NAME 'krbLastFailedAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
 ( 2.16.840.1.113730.3.8.16.1.3  NAME 'ipatokenNotBefore' DESC 'Token validity date' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA OTP')
 ( 2.16.840.1.113730.3.8.16.1.4  NAME 'ipatokenNotAfter' DESC 'Token expiration date' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA OTP')

Fixes: https://pagure.io/freeipa/issue/9395

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
2023-08-21 16:28:04 +02:00
Rob Crittenden
d98d5e4751 Remove all references to deleted indirect map from parent map
An attempt to do this was already coded but the wrong
argument was used. It was passing in the location name and
not the map name so the map wouldn't be completely removed.

Include a test to verify that the map is gone after removing
it by calling automountlocation-tofiles which will fail if the
map wasn't properly removed.

Fixes: https://pagure.io/freeipa/issue/9397

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-08-21 10:49:06 +02:00
Florence Blanc-Renaud
a6f01115cf ipatests: fixture can produce IndexError
The fixture issue_and_expire_acme_cert returns a function
that fills the hosts array. If the function is not called in
the test (for instance because a test is skipped, as in
TestACMEPrune::test_prune_cert_search_size_limit), hosts = []
and hosts[0] raises an IndexError.

Fix the fixture to check first that hosts is not empty.

Related: https://pagure.io/freeipa/issue/9348

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2023-08-16 11:33:32 +02:00
Florence Blanc-Renaud
6f5fe80de0 ipatests: fix test_topology
The test TestTopologyOptions::test_add_remove_segment is
randomly failing downstream. Test scenario:
- create a line topology master <-> repl1 <-> repl2
- create user on master
- wait for repl success on master
- check that the user is seen on repl2

The test waits for replication to complete on the master but
it should also wait for the replication to complete on repl1
before checking the user presence on repl2.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
2023-08-14 09:58:05 +02:00
Sudhir Menon
8e142bc1d4 ipatests: idm api related tests.
IDM API related tests are automated in the
above PR
Ref: https://freeipa.readthedocs.io/en/latest/api/basic_usage.html

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-08-14 09:55:42 +02:00
Alexander Bokovoy
09497d2df0 python 3.12: utcnow function is deprecated
The following warning is displayed on a system running with Python 3.12:
-------------------
/usr/lib/python3.12/site-packages/ipalib/rpc.py:925: DeprecationWarning:
datetime.utcnow() is deprecated and scheduled for removal in a future
version. Use timezone-aware objects to represent datetimes in UTC:
datetime.now(datetime.UTC).

  timestamp=datetime.datetime.utcnow())
-------------------

Fixes: https://pagure.io/freeipa/issue/9425
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-08-09 18:31:03 +02:00
Mohammad Rizwan
bbb53a1271 ipatests: remove fixture call and wait to get things settle
system date moved in order to expire the certs. Sometime it
is observed that subsequent operation fails with 500 error for CA,
hence restart the services after moving date and wait for sometime
to get things settle.

Also the tests was calling fixture which is not required for it, hence
removed it as well.

Fixes: https://pagure.io/freeipa/issue/9348

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-08-09 18:28:52 +02:00
Florence Blanc-Renaud
e49ec1048d ipatests: update expected webui msg for admin deletion
The deletion of the admin is now forbidden (even if it is
not the last member of the admins group) and the error
message has changed from "admin cannot be deleted or
disabled because it is the last member of group admins"
to " user admin cannot be deleted/modified: privileged user".

Update the expected message in the webui test.

Related: https://pagure.io/freeipa/issue/8878

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-08-08 12:53:09 +02:00
Rob Crittenden
dea35922cd Prevent the admin user from being deleted
admin is required for trust operations

Note that testing for removing the last member is now
irrelevant because admin must always exist so the test
for it was removed, but the code check remains. It is done
after the protected member check.

Fixes: https://pagure.io/freeipa/issue/8878

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-08-01 13:47:56 +02:00
Florence Blanc-Renaud
7c5ee21a18 ipatests: update expected cksum for epn.conf
The test test_epn.py::TestEPN::test_EPN_config_file ensures that
/etc/ipa/epn.conf is installed and compares its checksum with an
expected value.
Commit fcad9c9 has changed the content of the file and the cksum
must be updated to reflect the new content.

Fixes: https://pagure.io/freeipa/issue/9419

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-07-28 08:03:55 +02:00
Florence Blanc-Renaud
7517e2ce21 xmlrpc tests: add a test for user plugin with non-existing idp
Add new tests checking the error returned for
ipa user-add ... --idp nonexistingidp
ipa user-mod ... --idp nonexistingidp
ipa stageuser-add ... --idp nonexistingidp
ipa stageuser-mod ... --idp nonexistingidp

The expected error message is:
ipa: ERROR: External IdP configuration nonexistingidp not found

Related: https://pagure.io/freeipa/issue/9416

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-07-19 16:59:25 -04:00
Mohammad Rizwan
00c0a62a6a ipatests: enable firewall rule for http service on acme client
when system hardning done i.e in case of STIG, sometimes http challanges
can't be validated by CA if port 80 is not open. This fix enable it to facilitate
the communication.

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2023-07-05 14:48:52 -04:00
Erik Belko
4a3e3efb84
test: add tests for descriptive error message in ipa user-add
Add tests for renaming existing user and group with invalid name or only numeric name,
add numeric-only stage user, rename some functions and fix indentation
Related: https://pagure.io/freeipa/issue/9378

Signed-off-by: Erik Belko <ebelko@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2023-07-04 15:49:04 +02:00
Florence Blanc-Renaud
ce9346e74e ipatests: use dnf download to download pkgs
The tasks.download_packages method is using
dnf install --downloaddir PATH --downloadonly
but the option --downloaddir does not exist any more with
dnf5 that is shipped in rawhide.

An alternative is to use
dnf download
which downloads to the current directory. This alternative
works for both dnf and dnf5.

Fixes: https://pagure.io/freeipa/issue/9399

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-06-28 09:28:19 +02:00
Florence Blanc-Renaud
8de6405b11 tests: fix backup-restore scenario with replica
The test TestBackupAndRestoreWithReplica is simulating a
master crash in order to check the behavior after ipa-restore.

Since commit 67a33e5, the uninstaller restarts the services in
order to unregister the server from PKI security domain. An
indirect consequence is that master/replica communication is re-
established and operations removing entries (done by the uninstaller)
are replicated to the replica.
This means that the scenario does not really simulate a server crash.

To make sure that no replication happens during this "crash", stop
the replica first, then uninstall the master, and finally restart
the replica before calling the ipa-restore command on the master.

Fixes: https://pagure.io/freeipa/issue/9404

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-06-28 09:10:51 +02:00
Florence Blanc-Renaud
ac78a84fbe Integration tests: add a test to ipa-server-upgrade
Add an integration test ensuring that the upgrade
properly updates the attributes to be excluded from
replication.

Related: https://pagure.io/freeipa/issue/9385
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-06-21 20:50:59 +02:00
Florence Blanc-Renaud
d76f8fceda Integration test: add a test for upgrade and PKI drop-in file
Add an upgrade test with the following scenario:
- remove PKI drop-in file (to simulate an upgrade from an old
version)
- remove caECServerCertWithSCT profile from LDAP
- launch the ipa-server-upgrade command
- check that the upgrade added the file

Related: https://pagure.io/freeipa/issue/9381

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-06-21 08:48:07 +02:00
Florence Blanc-Renaud
ae6549ffae xmlrpc tests: add test renaming user or group with setattr
Add a new test renaming user or group using --setattr.
The new name must be validated and invalid names must be
refused.

Related: https://pagure.io/freeipa/issue/9396

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-06-16 15:19:10 -04:00
Rob Crittenden
fa3a69f91f Use the python-cryptography parser directly in cert-find
cert-find is a rather complex beast because it not only
looks for certificates in the optional CA but within the
IPA LDAP database as well. It has a process to deduplicate
the certificates since any PKI issued certificates will
also be associated with an IPA record.

In order to obtain the data to deduplicate the certificates
the cert from LDAP must be parser for issuer and serial number.
ipaldap has automation to determine the datatype of an
attribute and will use the ipalib.x509 IPACertificate class to
decode a certificate automatically if you access
entry['usercertificate'].

The downside is that this is comparatively slow. Here is the
parse time in microseconds:

cryptography 0.0081
OpenSSL.crypto 0.2271
ipalib.x509 2.6814

Since only issuer and subject are required there is no need to
make the expensive IPACertificate call.

The IPACertificate parsing time is fine if you're parsing one
certificate but if the LDAP search returns a lot of certificates,
say in the thousands, then those microseconds add up quickly.
In testing it took ~17 seconds to parse 5k certificates (excluding
transmission overhead, etc).

cert-find when there are a lot of certificates has been
historically slow. It isn't related to the CA which returns
large sets (well, 5k anyway) in a second or two. It was the
LDAP comparision adding tens of seconds to the runtime.

When searching with the default sizelimit of 100 the time is
~10s without this patch. With it the time is 1.5s.

CLI times from before and after searching for all certs:

original:

-------------------------------
Number of entries returned 5038
-------------------------------
real    0m15.507s
user    0m0.828s
sys     0m0.241s

using cryptography:

real    0m4.037s
user    0m0.816s
sys     0m0.193s

Fixes: https://pagure.io/freeipa/issue/9331

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2023-06-16 11:15:48 -04:00
Anuja More
d7a27a24b9 ipatests: Check that SSSD_PUBCONF_KRB5_INCLUDE_D_DIR is not included in krb5.conf
SSSD already provides a config snippet which includes
SSSD_PUBCONF_KRB5_INCLUDE_D_DIR, and having both breaks Java.
Test checks that krb5.conf does not include
SSSD_PUBCONF_KRB5_INCLUDE_D_DIR.

Related: https://pagure.io/freeipa/issue/9267

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-06-09 10:04:20 +02:00
Rob Crittenden
c2bce952d8 Don't allow the FQDN to match the domain on server installs
Without this the installation is successful but the DNS
records will not work. With --setup-dns there will be no
A record for the host (only an NS record) and the PTR record
will point to the domain name.

Fixes: https://pagure.io/freeipa/issue/9003

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2023-06-08 16:04:24 -04:00
Florence Blanc-Renaud
1aea1cc29e
webuitests: close notification which hides Add button
The webui test test_service.py::test_service::test_arbitrary_certificates
randomly fails.
The test is creating a new service then navigates to the Service page
and clicks on the Add Certificate button.
The notification area may still be present and hide the button, with
the message "Service successfully added".
Close all notifications before navigating to the Service page.

Fixes: https://pagure.io/freeipa/issue/9389
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2023-06-07 09:53:07 +02:00
Florence Blanc-Renaud
107f5f2d81 ipatest: remove xfail from test_smb
test_smb is now successful because the windows server version
has been updated to windows-server-2022 with
- KB5012170
- KB5025230
- KB5022507
- servicing stack 10.0.20348.1663
in freeipa-pr-ci commit 3ba4151.

Remove the xfail.

Fixes: https://pagure.io/freeipa/issue/9124
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2023-06-05 09:41:14 +02:00
Florence Blanc-Renaud
0075c8b8f6 passkeyconfig: require-user-verification is a boolean
ipa passkeyconfig-mod now accepts Boolean values for
--require-user-verification

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Florence Blanc-Renaud
6f0da62f5a Passkey: add support for discoverable credentials
Apart from server-side credentials passkey should also register
discoverable credentials.
ipa user-add-passkey --register now supports an additional option,
--cred-type server-side|discoverable
that is propagated to passkey_child command.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Florence Blanc-Renaud
d207f6bf32 WebUI tests: add test for krbtpolicy passkey maxlife/maxrenew
Add a new test ensuring that it is possible to modify
the krbt policy settings related to passkey authentication
(max life and max renew)

Related: https://pagure.io/freeipa/issue/9262
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Florence Blanc-Renaud
a7d90c1ef5 XMLRPC tests: add new tests for passkey auth type
Add tests for the new passkey authentication type
(ipa user-*, ipa config-mod)
Add tests for the new passkey authentication indicator
(ipa service-*, ipa host-*)
Add tests for the new krbtpolicy parameters
(ipa krbtpolicy-mod --passkey-maxlife=INT --passkeymaxrenew=INT)

Related: ipatests/test_xmlrpc/test_user_plugin.py
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Florence Blanc-Renaud
ae3c281a64 XMLRPC tests: test new passkey commands
Add tests for:
 ipa passkeyconfig-show
 ipa passkeyconfig-mod
 ipa user-add-passkey LOGIN PASSKEY
 ipa user-remove-passkey LOGIN PASSKEY
 ipa stageuser-add-passkey LOGIN PASSKEY
 ipa stageuser-remove-passkey LOGIN PASSKEY

Related: https://pagure.io/freeipa/issue/9261
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Rob Crittenden
a213253bb1 Don't allow a group to be converted to POSIX and external
This condition was checked in group-add but not in group-mod.
This evaluation is done later in the pre_callback so that all
the other machinations about posix are already done to make
it easier to tell whether this condition is true or not.

Fixes: https://pagure.io/freeipa/issue/8990

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-05-31 09:24:55 +02:00
Florence Blanc-Renaud
2be07242b7 PRCI: update rawhide box
Update the rawhide Vagrant box to 0.8.3
(built May 26 2023 using fedora-39)

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-05-31 09:17:25 +02:00
Florence Blanc-Renaud
359e1a3d95 ACME tests: fix issue_and_expire_acme_cert method
The fixture issue_and_expire_acme_cert is changing the date
on master and client. It also resets the admin password as
it gets expired after the date change.
Currently the code is resetting the password by performing
kinit on the client, which leaves the master with an expired
ticket in its cache. Reset the password on the master instead
in order to have a valid ticket for the next operations.

Fixes: https://pagure.io/freeipa/issue/9383

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2023-05-24 15:50:56 -04:00
Florence Blanc-Renaud
7b0ad59fea user or group name: explain the supported format
The commands ipa user-add or ipa group-add validate the
format of the user/group name and display the following
message when it does not conform to the expectations:
invalid 'login': may only include letters, numbers, _, -, . and $

The format is more complex, for instance '1234567' is an invalid
user name but the failure is inconsistent with the error message.
Modify the error message to point to ipa help user/group and add
more details in the help message.

Same change for idoverrideuser and idoverridegroup:
The user/group name must follow these rules:
- cannot contain only numbers
- must start with a letter, a number, _ or .
- may contain letters, numbers, _, ., or -
- may end with a letter, a number, _, ., - or $

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2150217

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-05-22 20:22:59 +02:00
Mohammad Rizwan
2eb4cdb641 ipatests: wait for sssd-kcm to settle after date change
In order to expire the ACME cert, system is moved and while
issuing the kinit command, results into failure.

Hence run kinit command repeatedly untill things get settle.

This patch removes the sleep and adds tasks.run_repeatedly()
method instead.

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-05-17 18:12:27 +02:00
Florence Blanc-Renaud
72dccd8244 azure tests: move to fedora 38
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-05-16 13:12:12 +02:00
Michal Polovka
abf1dc557e
ipatests: commands: Wait for the SSSD to become available
Previous test to test_ssh_key_connection is calling ipa-server-upgrade command,
which restarts all the associated services.
Especially on slower machine, SSSD is not yet online when the SSH connection is attempted.
This results to only cached users being available.
Wait for SSSD to become available before the SSH connection is attempted.

Fixes: https://pagure.io/freeipa/issue/9377

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
2023-05-16 13:00:57 +02:00
Florence Blanc-Renaud
72cc53a22e Tests: test on f37 and f38
Fedora 38 is now available, move the testing pipelines to
- fedora 38 for the _latest definitions
- fedora 37 for the _previous definitions

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-05-09 18:05:24 +02:00
Florence Blanc-Renaud
c7ef94c62f Nightly test: add +15min for test_ipahealthcheck
The test test_ipahealthcheck.py::TestIpaHealthcheck frequently
hits its 90min timeout. Extend by 15min to allow completion.

Fixes: https://pagure.io/freeipa/issue/9362
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
2023-05-04 08:33:53 +02:00
mbhalodi
ef0ae496b7 ipatests: add remove automember condition tests
Related: https://pagure.io/freeipa/issue/9332

Signed-off-by: mbhalodi <mbhalodi@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-05-02 20:40:01 +02:00
Sudhir Menon
dd22bd2528 ipatests: ipa-adtrust-install command test scenarios
This patch includes additional testcase that can be run
against ipa-adtrust-install CLI tool.

test_adtrust_install_with_incorrect_netbios_name
test_adtrust_install_as_regular_ipa_user
test_adtrust_install_with_incorrect_admin_password
test_adtrust_install_with_invalid_rid_base_value
test_adtrust_install_with_invalid_secondary_rid_base
test_adtrust_reinstall_updates_ipaNTFlatName_attribute
test_adtrust_install_without_ipa_installed
test_samba_credential_cache_is_removed_post_uninstall
test_adtrust_install_without_integrated_dns
test_adtrust_install_with_debug_option
test_adtrust_install_cli_without_smbpasswd_file
test_adtrust_install_enable_compat
test_adtrust_install_invalid_ipaddress_option
test_syntax_error_in_ipachangeconf
test_unattended_adtrust_install_uses_default_netbios_name
test_smb_not_starting_post_adtrust_install

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-04-28 16:08:56 +02:00
Michal Polovka
ba845b237f ipatest: loginscreen: do not use hardcoded password
Use admin password obtained from local config instead of hardcoded
value, as the password may differ in different testing environments.

https://pagure.io/freeipa/issue/9226

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Erik Belko <ebelko@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-04-19 21:46:14 +02:00
Florence Blanc-Renaud
3bba254ccd ipatests: mark known failures for autoprivategroup
Two tests have known issues in test_trust.py with sssd 2.8.2+:
- TestNonPosixAutoPrivateGroup::test_idoverride_with_auto_private_group
(when called with the "hybrid" parameter)
- TestPosixAutoPrivateGroup::test_only_uid_number_auto_private_group_default
(when called with the "true" parameter)

Related: https://pagure.io/freeipa/issue/9295
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-04-17 16:44:57 +02:00
mbhalodi
dc8590ef66
ipatests: Test for sequence processing failures with server context
1 : Test to verify that groups have correct userclass when
external is set to true or false with group-add.
2 : After creating a nonposix group verify that all
following group_add calls to add posix groups calls are
not failing with missing attribute.

Related: https://pagure.io/freeipa/issue/9349

Signed-off-by: mbhalodi <mbhalodi@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
2023-04-12 15:10:04 +02:00
Alexander Bokovoy
dd5b189a09 RBCD: add basic test for RBCD handling
Add a test that uses IPA API to allow delegation of RBCD configuration
to a host and then use it to set up RBCD rule for a service.

Run RBCD check when the rule exists and when the rule is removed.

Since we only provide RBCD support on KDC side with Kerberos 1.20, skip
the test on Fedora versions prior to Fedora 38 and on RHEL versions
prior to RHEL 9.2.

Fixes: https://pagure.io/freeipa/issue/9354

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-04-05 14:55:22 -04:00
Alexander Bokovoy
9b777390fb test_xmlrpc: adopt to automember plugin message changes in 389-ds
Another change in automember plugin messaging that breaks FreeIPA tests.
Use common substring to match.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-04-05 14:55:22 -04:00
mbhalodi
4119e4e799 ipatests: add missing automember-cli tests
Revisit the bash tests and port the valid
tests to upstream.

Related: https://pagure.io/freeipa/issue/9332

Signed-off-by: mbhalodi <mbhalodi@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2023-04-04 16:11:32 +02:00
Florence Blanc-Renaud
07fe877525 ipatests: increase timeout for test_trust
The timeout for test_trust is too short (6000s) and
the nightly tests often fail. Increase to 7200s.

Fixes: https://pagure.io/freeipa/issue/9326

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
2023-03-24 09:28:43 +01:00
Anuja More
1cca609857 ipatests: Test that non admin user can search hbac rule.
Related : https://pagure.io/freeipa/issue/5130

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-03-22 16:52:49 +01:00
Alexander Bokovoy
ebac8f6f9b Use system-wide chromium for webui tests
Fixes: https://pagure.io/freeipa/issue/9347

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2023-03-21 16:54:28 +01:00
Alexander Bokovoy
779aa6bc11 Don't fail if optional RPM macros file is missing
With fix for https://pagure.io/freeipa/issue/7951 we started to modify
RPM macros in Azure CI environment. Don't fail if the file does not
exist anymore like it happens now in Fedora.

Fixes: https://pagure.io/freeipa/issue/9347

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2023-03-21 16:54:28 +01:00
Erik Belko
4acd9fe9f7 ipatests: Test MemberManager ACI to allow managers from a specified group after upgrade scenario
Testing if manager whose rights defined by the group membership
is able to add group members, after upgrade of ipa server.
Using ACI modification to demonstrate unability before upgrading
ipa server.
Related: https://pagure.io/freeipa/issue/9286

Also added some generally helpful functions to tasks.py

Signed-off-by: Erik Belko <ebelko@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2023-03-15 09:45:08 +01:00
Anuja More
35c36f9b4e ipatests: Test ipa-advise is not failing with error.
The ipa-advise command should not fail
with error in command.

Related: https://pagure.io/freeipa/issue/6044

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Sudhir Menon <sumenon@redhat.com>
2023-03-14 13:49:09 +01:00
Florence Blanc-Renaud
5dba2aa466 ipatests: adapt for new automembership fixup behavior
The automembership fixup task now needs to be called
with --cleanup argument when the user expects automember
to remove user/hosts from automember groups.
Update the test to call create a cleanup task equivalent to
dsconf plugin automember fixup --cleanup
when it is needed.

Fixes: https://pagure.io/freeipa/issue/9313
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-03-14 09:39:17 +01:00
Thorsten Scherf
2aeb963fc9 external-idp: change idp server name to reference name
When you  run "ipa idp-show <idp reference>" the IdP reference is shown
as "Identity Provider server name". This is confusing as we are pointing
to the earlier created IdP reference rather than a server.  Other files
are updated as well to reflect this change.

Additionally some typos are fixed with this patch too.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-03-03 05:08:02 +01:00
Florence Blanc-Renaud
9ee16e8acc ipatests: increase timeout for test_acme
The test test_integration/test_acme.py times out frequently
and has a current timeout set to 2h, which is roughly
the average time for a successful run.

Increase by 15 minutes, so that even the tests requiring
packages update have enough time (for instance rawhide
run needs to update all the packages to the latest version).

Also create a separate job for the new test TestACMEPrune.

Fixes: https://pagure.io/freeipa/issue/9324

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-02-22 15:47:26 +01:00
mbhalodi
14a3d85a15 ipatests: WebUI - ensure that ipa automember-rebuild prints a warning
ipa automember-rebuild now prints a warning about CPU usage
in the WebUI. Ensure that the warning is properly displayed.

Related: https://pagure.io/freeipa/issue/9320

Signed-off-by: mbhalodi <mbhalodi@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2023-02-22 09:16:30 +01:00
Mohammad Rizwan
e76b219c21 ipatests: fix tests in TestACMEPrune
When cron_minute + 5 > 59, cron job throwing error for it.
i.e 58 + 5 = 63 which is not acceptable value for cron minute.

Second fix is related to mismatch of confing setting and corresponding
assert.

Third fix is related to extending time by 60 minutes to properly
expire the certs.

related: https://pagure.io/freeipa/issue/9294

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-02-21 15:19:02 +01:00