Commit Graph

12 Commits

Author SHA1 Message Date
François Cami
5cc7a2b703 ipatests: test_user_permissions: test_selinux_user_optimized Paramiko=>OpenSSH
Paramiko is not compatible with FIPS.
Migrate test_selinux_user_optimized to the OpenSSH CLI SSH(1).
Rationale: this is exactly what clients use.

Fixes: https://pagure.io/freeipa/issue/8129
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2020-07-29 13:53:52 +02:00
Florence Blanc-Renaud
3dd5053cdd ipatests: Check if user with 'User Administrator' role can delete group.
Test scenario:
- create a test user with the 'User Administrator' role
- as this test user, create a new group
- as this test user, delete the new group

Related: https://pagure.io/freeipa/issue/6884

Co-authored-by: Nikhil Dehadrai <ndehadra@redhat.com>
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2020-05-20 09:23:11 +02:00
Christian Heimes
6a17a91672 Skip paramiko tests in FIPS mode
Paramiko is not compatible with FIPS mode. It uses MD5 on the client
side and does not support rsa-sha2 connections for RSA auth.

See: https://pagure.io/freeipa/issue/8129
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2019-11-29 17:02:16 +01:00
Florence Blanc-Renaud
910ff25bad ipatests: fix TestUserPermissions::test_selinux_user_optimized
This test requires SELinux and fails if selinux is disabled
(because it's calling semanage login -l).

The vagrant images currently in use in the nightly tests
are configured with selinux disabled.  Add skipif marker when
selinux is disabled.

Fixes: https://pagure.io/freeipa/issue/7974
Reviewed-By: François Cami <fcami@redhat.com>
2019-06-13 23:24:01 +02:00
François Cami
40dd0979a4 ipatests: remove all occurrences of osinfo.version_id
The fix for https://pagure.io/freeipa/issue/7868 introduced
a tuple-based OS version management method (osinfo.version_number)
by Christian Heimes.
Convert all occurrences of osinfo.version_id in ipatests to
osinfo.version_number then remove osinfo.version_id.

Related to: https://pagure.io/freeipa/issue/7873
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-03-01 08:38:11 +01:00
Florence Blanc-Renaud
e63c6b202a tests: mark xfail for test_selinux_user_optimized on fed<=28
The test TestUserPermissions::test_selinux_user_optimized is
testing the fix for SSSD issue 3819, but the fix is not
available in fedora 28. Hence mark the test as xfail when
executed on fedora <=28 (our nightly tests also run on fed 28).

For full ref: fixed in sssd 1.16.4, Fedora 28 provides
1.16.3-2.fc28 only, while Fedora 29 provides 2.0.0-3.fc29.

related ticket : https://pagure.io/SSSD/sssd/issue/3819

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-02-15 18:21:47 +01:00
Mohammad Rizwan Yusuf
144a9c74d6 ipatests: check if username are not optimized out in semanage context
ipa users having default semanage context were optimized out.
This test checks if those users are listed.

related ticket : https://pagure.io/SSSD/sssd/issue/3819

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-02-12 12:00:29 +01:00
Florence Blanc-Renaud
da4c12c3e6 ipatests: add integration test for "Read radius servers" perm
Add a new integration test for the following scenario:
- create a user with the "User Administrator" role
- as this user, create a user with a --radius=<radius_proxy_server>

This scenario was previously failing because ipa user-add --radius
requires read access to the radius server entries, and there was no
permission granting this access.

Related to https://pagure.io/freeipa/issue/7570

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-13 12:40:44 +01:00
Christian Heimes
6414509343
Rename pytest_plugins to ipatests.pytest_ipa
pytest 3.7.0 doesn't like ipatests.pytest_plugins package. The string
"pytest_plugins" is used as marker to load plugins. By populare vote and
to avoid future conflicts, we decided to rename the directory to pytest_ipa.

Fixes: https://pagure.io/freeipa/issue/7663
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-08-02 17:07:43 +02:00
Christian Heimes
2b669c52a5 Wait for client certificates
ipa-client-install --request-cert now waits until certmonger has
provided a host certificate. In case of an error, ipa-client-install no
longer pretents to success but fails with an error code.

The --request-cert option also ensures that certmonger is enabled and
running.

See: Fixes: https://pagure.io/freeipa/issue/7623
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-07-09 20:15:18 +02:00
Anuja More
0128b3f92e
Test for ipa-client-install should not use hardcoded admin principal
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-06-29 10:31:50 +02:00
Florence Blanc-Renaud
d647072642
ACI: grant access to admins group instead of admin user
The ACI needed for staged users and deleted users were granted
only to the uid=admin user. They should rather be granted to
cn=admins group, to make sure that all members of the admins
group are able to call the command ipa user-del --preserve.

This commit also adds integration test for non-regression.

https://pagure.io/freeipa/issue/7342

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-19 15:51:44 +01:00