Add tests for the new passkey authentication type
(ipa user-*, ipa config-mod)
Add tests for the new passkey authentication indicator
(ipa service-*, ipa host-*)
Add tests for the new krbtpolicy parameters
(ipa krbtpolicy-mod --passkey-maxlife=INT --passkeymaxrenew=INT)
Related: ipatests/test_xmlrpc/test_user_plugin.py
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When adding a new host the principal cannot be determined because it
relies on either:
a) an entry to already exist
b) krbprincipalname be a component of the dn
As a result the full dn is being passed into ipapython.Kerberos
which can't parse it.
Look into the entry in validate_validate_auth_indicator() for
krbprincipalname in this case.
https://pagure.io/freeipa/issue/8206
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Authentication indicators should not be added to internal IPA services,
since this can lead to a broken IPA setup. In case a client with
an auth indicator set in its host principal, promoting it to a replica
should fail.
Related: https://pagure.io/freeipa/issue/8206
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add test to ensure that host-mod resolves the FQDN when passing the
shortname of the host being modified.
Related: https://pagure.io/freeipa/issue/8726
Related: https://pagure.io/freeipa/issue/8884
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Even though Pytest supports xunit style setups, unittest and nose
tests, this support is limited and may be dropped in the future
releases. Worst of all is that the mixing of various test
frameworks results in weird conflicts and of course, is not widely
tested.
This is a part of work to remove the mixing of test idioms in the
IPA's test suite:
1) replace xunit style
2) employ the fixtures' interdependencies
Related: https://pagure.io/freeipa/issue/7989
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
It checks if 'SSH public key fingerprint' is
not present in the output of the command
Related: https://pagure.io/freeipa/issue/8029
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Implement test for ticket 2018: Change hostname length limit to 64.
The fix provides a new configuration parameter (maxhostname) that can be modified through ipa config-mod, and governs the max hostname len allowed through ipa host-add.
Add new tests:
- check that maxhostname cannot be changed to a value < 64
- check that ipa host-add is refused if the hostname length is > maxhostname
- check that ipa host-add is OK if the hostname length is <= maxhostname
Related: https://pagure.io/freeipa/issue/2018
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
There were no xmlrpc tests for ipa user-find --certificate
or ipa host-find --certificate.
The commit adds tests for these commands.
Related to https://pagure.io/freeipa/issue/7770
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add absolute_import from __future__ so that pylint
does not fail and to achieve python3 behavior in
python2.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
On Travis CI, the DNS update in test case test_create_host_with_ip may fail
with different error messages. Relax the error message check and just
check that the test case is hitting a DNS update failure.
This fixes a flaky test case on CI.
Closes: https://pagure.io/freeipa/issue/7447
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
When ipa host-add --random is unable to add a reverse record (for instance
because the server does not manage any reverse zone), the command
adds the host but exits (return code=1) with an error without actually
outputing the random password generated.
With this fix, the behavior is modified. The commands succeeds (return code=0)
but prints a warning.
This commit also adds a unit test.
https://pagure.io/freeipa/issue/7374
Reviewed-By: Christian Heimes <cheimes@redhat.com>
When ipa host-add --ip-address is called but no DNS server is able to answer
for the reverse zone, get_reverse_zone raises a NoNameservers exception.
The exception is not managed by add_records_for_host_validation, and this
leads to the command exiting on failure with an InternalError:
$ ipa host-add testhost.ipadomain.com --ip-address 172.16.30.22
ipa: ERROR: an internal error has occurred
A traceback is also logged in httpd error_log.
This commit properly handles the exception, and adds a test.
https://pagure.io/freeipa/issue/7397
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The x509.subject_base() function is only used in tests. During
the recent certificate refactoring, we had to get rid of the
ipalib.x509 import from the module scope so that there were no
circular dependecies and add it exactly to this funcion which
is not used in the production code.
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
MD5 is a grandpa and FIPS does not like it at all.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
This commit removes or marks unused variables as "expected to be unused"
by using '_' prefix.
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Fixing discrepancies between returned and checked attributes in ipa-join host
test, that arose after recent changes in behavior.
https://fedorahosted.org/freeipa/ticket/6326
Reviewed-By: Martin Basti <mbasti@redhat.com>
Updating path to ipa-join command to allow execution of
test_xmlrpc/test_host::TestHostFalsePwdChange::test_join_host.
https://fedorahosted.org/freeipa/ticket/6326
Reviewed-By: Martin Basti <mbasti@redhat.com>
All plugins will now use this parameter and common code for all operations on
Kerberos principals. Additional semantic validators and normalizers were
added to determine or append a correct realm so that the previous behavior is
kept intact.
https://fedorahosted.org/freeipa/ticket/3864
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
fixes incorrect assertions in tests that create, retrieve, and search for
services
https://fedorahosted.org/freeipa/ticket/3864
Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
The code was duplicate and less generic anyway.
As a side-effect I had to re-wrap dns.exception.DNSException into a
PublicError so it can be displayed to the user.
DNSError is now a super class for other DNS-related errors. Errors from
DNS resolver are re-raised as DNSResolverError.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
This fix provides means to remove certificates from host that were added during tests, but not removed.
Ticket: https://fedorahosted.org/freeipa/ticket/5839
Reviewed-By: Martin Basti <mbasti@redhat.com>
The ipautil.run function now returns an object with returncode and
output are accessible as attributes.
The stdout and stderr of all commands are logged (unless skip_output is given).
The stdout/stderr contents must be explicitly requested with a keyword
argument, otherwise they are None.
This is because in Python 3, the output needs to be decoded, and that can
fail if it's not decodable (human-readable) text.
The raw (bytes) output is always available from the result object,
as is "leniently" decoded output suitable for logging.
All calls are changed to reflect this.
A use of Popen in cainstance is changed to ipautil.run.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The previous way of implementing trackers in the module with
the test caused circular imports. The separate package resolves
this issue.
https://fedorahosted.org/freeipa/ticket/5467
Reviewed-By: Ales 'alich' Marecek <amarecek@redhat.com>
Web UI tests were marked as tier1 tests.
The tier system is intended to be used together with CI system
to make sure the more complicated tests are being run only
when all of the basic functionality is working.
The system is using pytest's marker system. E.g. an invocation of
all tier1 tests with listing will look like:
$ py.test -v -m tier1 ipatests
or in case of out of tree tests:
$ ipa-run-tests -m tier1
Reviewed-By: Ales 'alich' Marecek <amarecek@redhat.com>
In Python 3, `print` is no longer a statement. Call it as a function
everywhere, and include the future import to remove the statement
in Python 2 code as well.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
With added support for multiple certificates for hosts, services, and even
users, IPA testing framework will need a more flexible way to generate
temporary testing certificates for these entities. This patch modifies the
currently used `testcert` module to support these requirements.
Related to work on http://www.freeipa.org/page/V4/User_Certificates
Reviewed-By: Milan Kubík <mkubik@redhat.com>
Implements a base class to help test LDAP based plugins.
The class has been decoupled from the original host plugin test
and moved to separate module ipatests.test_xmlrpc.ldaptracker.
https://fedorahosted.org/freeipa/ticket/5032
Reviewed-By: David Kupka <dkupka@redhat.com>
The racker object "remembers" expected state across several tests,
so only changes (rather than all expected state) need to be specified
in each test. Also, the tracker fixture will make it easy to use hosts
in other test modules.
This change makes the tests independent; any permutation of any subset
of these tests should now pass.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
This has several advantages:
- Tests other than run-command/check-response can be added easily
- Tracebacks are meaningful (which means we'll be able to remove a lot of
test name/description/location tracking code)
- Individual tests can be selected/deselected using normal pytest mechanisms
(but for isolated tests, more changes will be needed)
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Drop support for pylint < 1.0
Enable ignoring unknown attributes on modules (both nose and pytest
use advanced techniques, support for which only made it to pylint
recently)
Fix some bugs revealed by pylint
Do minor refactoring or add pylint:disable directives where the
linter complains.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
`--hosts` and `--hostgroup` options added to:
* service-allow-create-keytab
* service-allow-retrieve-keytab
* service-disallow-create-keytab
* service-disallow-retrieve-keytab
* host-allow-create-keytab
* host-allow-retrieve-keytab
* host-disallow-create-keytab
* host-disallow-retrieve-keytab
in order to allow hosts to retrieve keytab of their services or related hosts as described on http://www.freeipa.org/page/V4/Keytab_Retrieval design page
https://fedorahosted.org/freeipa/ticket/4777
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The setUp/dearDown names are used in the unittest module, but there is no reason
to use them in non-`unittest` test cases.
Nose supports both styles (but mixing them can cause trouble when
calling super()'s methods).
Pytest only supports the new ones.
https://fedorahosted.org/freeipa/ticket/4610
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The host-del command did not accept --continue option, since the
takes_options was overriden and did not take the options from LDAPDelete.
Fix the behaviour.
https://fedorahosted.org/freeipa/ticket/4473
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Also return list of primary keys instead of a single unicode CSV value from
LDAPDelete-based commands.
This introduces a new capability 'primary_key_types' for backward
compatibility with old clients.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Replace the make-testcert command with a module that creates
the certificate when it is first needed.
As a result the tests are more self-contained, and can be run from
a read-only location (such as installed from a system package).
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
When creating a host with a password we don't set a Kerberos
principal or add the Kerberos objectclasses. Those get added when the
host is enrolled. If one passed in --password= (so no password) then
we incorrectly thought the user was in fact setting a password, so the
principal and objectclasses weren't updated.
https://fedorahosted.org/freeipa/ticket/4102
