When ipa-adtrust-install is used, IPA KDC will be configured to issue
tickets with MS-PAC record in them for users and services that have
ipaNTSecurityIdentifier (SID) attribute in the LDAP record.
Test that a newly added user can kinit and obtain a ticket that has
a PAC structure.
Test that a service can impersonate a user and the resulting S4U2Self
requested service ticket also has PAC structure.
Related: https://pagure.io/freeipa/issue/8319
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Isaac Boukris <iboukris@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Build container(image registry.fedoraproject.org/f32/fedora-toolbox)
has two more dnf repos enabled compared to Tests container(image
fedora:32). This results in the packages built within the Build
container can have dependencies which are unresolvable(missing)
within Tests container.
This enables updates-testing and updates-testing-modular,
disables fedora-cisco-openh264 for Tests container.
Fixes: https://pagure.io/freeipa/issue/8330
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Test scenario:
- create a test user with the 'User Administrator' role
- as this test user, create a new group
- as this test user, delete the new group
Related: https://pagure.io/freeipa/issue/6884
Co-authored-by: Nikhil Dehadrai <ndehadra@redhat.com>
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
LDAP attribute options aren't enforced in the schema, thus we strip them
when checking attribute conformance with the schema. This, however, can
leave us with a situation when multiple base LDAP attribute names are
present in the list of attribute names to check.
Use set of attribute names to deduplicate the list.
Fixes: https://pagure.io/freeipa/issue/8328
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Problem description:
Removing an IPA sub-group should NOT remove the members
from indirect parent that also belong to other subgroups
The test:
A user and three groups are created groupa,groupb,groupc
'groupc' should be a child of 'groupb' so that you have groupa->groupb->groupc
user is direct member of 'groupa' and as a result member of 'groupb'
and 'groupc'. Now when one adds a direct membership to 'groupb' nothing will
change.
If one removes the direct membership to 'groupb' again,
nothing should change as well
Pagure Link: https://pagure.io/SSSD/sssd/issue/3636
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Service delegation rules and targets deal with Kerberos principals.
As FreeIPA has separate service objects for hosts and Kerberos services,
it is not possible to specify host principal in the service delegation
rule or a target because the code assumes it always operates on Kerberos
service objects.
Simplify the code to add and remove members from delegation rules and
targets. New code looks up a name of the principal in cn=accounts,$BASEDN
as a krbPrincipalName attribute of an object with krbPrincipalAux object
class. This search path is optimized already for Kerberos KDC driver.
To support host principals, the specified principal name is checked to
have only one component (a host name). Service principals have more than
one component, typically service name and a host name, separated by '/'
sign. If the principal name has only one component, the name is
prepended with 'host/' to be able to find a host principal.
The logic described above allows to capture also aliases of both
Kerberos service and host principals. Additional check was added to
allow specifying single-component aliases ending with '$' sign. These
are typically used for Active Directory-related services like databases
or file services.
RN: service delegation rules and targets now allow to specify hosts as
RN: a rule or a target's member principal.
Fixes: https://pagure.io/freeipa/issue/8289
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Some integration tests use internal option ``force``. Re-add
``in_tree=True`` to make the tests pass until Pagure#8317 is fixed.
See: https://pagure.io/freeipa/issue/8317
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The logic to detect in-tree builds was broken and ipatests/conftest.py
had hard-coded in_tree=True.
IPA now considers an environment as in-tree when the parent directory of
the ``ipalib`` package contains ``ipasetup.py.in``. This file is only
present in source and never installed.
API bootstrap() does not use ```self.site_packages in site.getsitepackages()``
because the function call can be expensive and would require path
normalization, too. The function is also missing from venv site module.
Fixes: https://pagure.io/freeipa/issue/8312
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* use "developer" in Azure
* fix man page: "development" to "developer"
* list known modes in API bootstrap methods
Other values for mode are still supported to avoid breaking existing
installations.
Fixes: https://pagure.io/freeipa/issue/8313
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Issue: https://pagure.io/freeipa/issue/8066
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Though time namespace support was added in Linux kernel 5.6, it
is not landed on Azure VM (Ubuntu) yet.
The syncing time stuff is required by IPA NTP tests. it's
acceptable for testing 1 IPA environment on 1 Azure VM for such
tests.
Fixes: https://pagure.io/freeipa/issue/8316
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This allows to override the default seccomp profile.
Custom profile was generated from the default one [0] by adding one
allowed system call 'clock_adjtime'. This one is indirectly used by
chronyd with recent glibc2.31.
[0]: https://github.com/containers/libpod/blob/master/seccomp.json
Fixes: https://pagure.io/freeipa/issue/8316
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
cifs/... principal on SMB server side has NetBIOS name of the SMB server
as its alias. Test that we can actually initialize credentials using
this alias. We don't need to use it anywhere in Samba, just verify that
alias works.
Related: https://pagure.io/freeipa/issue/8291
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
PEP8 fix for teat_webui/test_user.py. Errors involved:
- line > 79 character
- 2 blank line needed before class
- single space was needed between # and comment
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Notification used to intercept the click on page for some element.
This test ensures that element is clickable.
related: https://pagure.io/freeipa/issue/8120
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Chrony daemon tries to use adjtimex() which doesn't work in the
container we run in Docker environment on Azure Pipelines.
nis-domainname also tries to modify kernel-specific parameter that
doesn't really work in runc-based containers.
Use systemd container detection to avoid starting these services in the
containers.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
ipa service-del <Principal name> did not display proper principal
name which is being deleted in error message.
This test check if it throws error having proper principal name.
related: https://pagure.io/freeipa/issue/7695
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
service-del deletes services by DN and LDAP DNs are compared
case-insensitive. Make check_required_principal() compare the
service name case insensitive.
Fixes: https://pagure.io/freeipa/issue/8308
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Test cases:
- admin can add member manager for user/host group
- admin can add member manager group to user/host group
- member manager can add user to group
- member manager can remove user from group
- member manager can add host to host group
- member manager can remove host from host group
Ticket: https://pagure.io/freeipa/issue/8298
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
"previous" updated to Fedora 31
"latest" updated to Fedora 32
"rawhide" based on Fedora 33
389ds, testing and pki definitions updated to Fedora 32
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Azure host has 6 GB of physical memory + 7 GB of swap.
FreeIPA CI runs at least 5 masters on each Azure's host.
Thus, swap is intensively used.
Based on the available *physical* memory 389-ds performs db tweaks
and in future may fail to start in case of memory shortage.
Current memory limit for Azure Docker containers(master/replica):
- Physical
$ cat /sys/fs/cgroup/memory/memory.limit_in_bytes
1610612736
- Physical + swap:
$ cat /sys/fs/cgroup/memory/memory.memsw.limit_in_bytes
3221225472
In the meantime, installation of master + ca + kra + dnssec requires:
$ cat /sys/fs/cgroup/memory/memory.max_usage_in_bytes
1856929792
Some test environments require more memory.
For example, 'ipatests.test_integration.test_commands.TestIPACommand':
$ cat /sys/fs/cgroup/memory/memory.memsw.max_usage_in_bytes
2232246272
$ cat /sys/fs/cgroup/memory/memory.max_usage_in_bytes
2232246272
Fixes: https://pagure.io/freeipa/issue/8264
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Each integration test entity sets up its own list of logfiles.
This is made by calling the callback of host's 'collect_log',
which knows nothing about the context of execution: whether it's
the test class scope or the test method one. Of course, in this
case one-time collection of test method log is not supported
because the logs tracker collects only test class logs.
In the meantime, almost all the entities (except 'client')
collect identical logs. Besides, due to the IPA roles
transformation an each IPA host can become master, replica or
client, all of these, in turn, can have subroles. So, the
most common case is the collection of all the possible logs from
all the IPA (Unix) hosts. However, the customization of a logfiles
collection is possible.
The collection is performed with the help of 'integration_logs'
fixture. For example, to add a logfile to list of logs on a test
completion one should add the dependency on this fixture and call
its 'collect_method_log' method.
```
class TestFoo(IntegrationTest):
def test_foo(self):
pass
def test_bar(self, integration_logs):
integration_logs.collect_method_log(self.master, '/logfile')
```
Collected logs:
1) 'test_foo' - default logs
2) 'test_bar' - default logs + /logfile
3) 'TestFoo' - default logs
Fixes: https://pagure.io/freeipa/issue/8265
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The last usage of 'collect_logs' decorator has been removed
in 1d70ce850e. So, it could be safely removed.
Fixes: https://pagure.io/freeipa/issue/8265
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Make it easier to skip tests based on platform ID and platform LIKE_ID.
Skip some tests that are not working on Debian-like platforms
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Refactor code to use api.env.container_sysaccounts instead of
('cn', 'sysaccounts'), ('cn', 'etc')
Related: https://pagure.io/freeipa/issue/8276
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This testcase checks that when trust isn't setup
between IPA server and Windows AD, IPADomainCheck
displays key value as domain-check and result is SUCCESS
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Test checks that HostKeyAlgorithms is not present in
/etc/ssh/ssh_config after client install with option
-ssh-trust-dns.
https://pagure.io/freeipa/issue/8082
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
This test ensures that RUVCheck for ipahealthcheck.ds.ruv
source displays correct result
Signed-off-by: sumenon <sumenon@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Use -W with sphinx-build by default to turn warnings into errors.
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The shell command line options and parameters used there are bash-
specific. This results in an error on attempting of running
'ipa-run-tests' on systems where '/bin/sh' is pointing to another
shell, for example, dash on Ubuntu.
Fixes: https://pagure.io/freeipa/issue/8101
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Pytest 5.2+ warns if tests XML report is generated but its format (schema)
is not explicitly specified:
```
/root/.local/lib/python3/site-packages/_pytest/junitxml.py:417
/root/.local/lib/python3/site-packages/_pytest/junitxml.py:417: PytestDeprecationWarning: The 'junit_family' default value will change to 'xunit2' in pytest 6.0.
Add 'junit_family=xunit1' to your pytest.ini file to keep the current format in future versions of pytest and silence this warning.
_issue_warning_captured(deprecated.JUNIT_XML_DEFAULT_FAMILY, config.hook, 2)
```
For example, xunit2 is used by jenkins and Pytest strictly conforms its
schema [0]. Pytest's xunit1, in turn, allows to attach user fields to
report.
The only known client of IPA tests results is Azure. Azure supports
[1] JUnit, which is likely the same as Pytest's xunit1, while Azure's
xUnit2 is actually xUnit.net v2. This means that Azure supports (in
one form or another) Pytest's both xunit1 and xunit2 as JUnit.
[0]: https://github.com/jenkinsci/xunit-plugin/blob/xunit-2.3.2/src/main/resources/org/jenkinsci/plugins/xunit/types/model/xsd/junit-10.xsd
[1]: https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/test/publish-test-results?view=azure-devops&tabs=yaml
Fixes: https://pagure.io/freeipa/issue/8101
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Since the required Pytest is 3.9.1+ the compat 'pytest.skip'
for Pytest < 3 can be removed.
Fixes: https://pagure.io/freeipa/issue/8101
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Since the required Pytest is 3.9.1+, old Pytest compat code can
be removed.
Fixes: https://pagure.io/freeipa/issue/8101
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
'get_marker' was a compat shim for Pytest < 3.6.
Since the requred Pytest is 3.9.1+, the workaround can be
removed.
Fixes: https://pagure.io/freeipa/issue/8101
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
