The Hidden replica tests did not test what happened when KRA was
installed on a hidden replica and then other KRAs instantiated from
this original one. Add a test scenario that covers this.
Related: https://pagure.io/freeipa/issue/8240
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Test used paramiko to connect to the master from controller.
Hence skip if FIPS is enabled
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Also test that a normal user has password history enforcement
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This is to confirm that the Directory Manager is not affected by
password policy.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
ipa-pwd-extop plugin had a bug which prevented a cn=Directory Manager
to change a password to a value that is not allowed by an associated
password policy. Password policy checks should not apply to any
operations done as cn=Directory Manager.
The test creates a system account with associated policy that prevents
password reuse. It then goes to try to change a password three times:
- as a user: must succeeed
- as a cn=Directory Manager: must succeed even with a password re-use
- as a user again: must fail due to password re-use
Related: https://pagure.io/freeipa/issue/7181
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Extend ldappasswd_sysaccount_change() helper to allow changing
passwords as a cn=Directory Manager.
Related to: https://pagure.io/freeipa/issue/7181
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
'ipa group-add-member groupname --external some-object' will attempt to
ask interactive questions about other optional parameters (users and
groups) if only external group member was specified. This leads to a
timeout in the tests as there is no input provided.
Do not wait for the entry that would never come by using 'ipa -n'.
Related: https://pagure.io/freeipa/issue/8236
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Add integration test that confirms that on CA-ful installation, the
(non-3rd-party) HTTP certificate bears the ipa-ca.$DOMAIN DNS name.
For detailed discussion on the purpose of this change and the design
decisions made, see `git log -1 $THIS_COMMIT~4`.
Part of: https://pagure.io/freeipa/issue/8186
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
`ipa trust-add --password` command requires that user provides a password.
Related to: https://pagure.io/freeipa/issue/7895
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
This is to ensure if said entry is set after installation.
It also checks if compat tree is disable.
related: https://pagure.io/freeipa/issue/8193
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
This is to ensure if said entry is set after installation with AD.
related: https://pagure.io/freeipa/issue/8193
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
The pytest_multihost transport does not provide password-based
authentication for OpenSSH transport. The OpenSSH command line tool has
no API to pass in a password securely.
The patch implements a custom transport that uses sshpass hack. It is
not recommended for production but good enough for testing.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The test_integration/test_ordering.py is a test for pytest_sourceorder
plugin which is not part of freeipa project, it is not an integration test.
The up to date version of this test is available at project repository:
https://pagure.io/python-pytest-sourceorder/blob/master/f/test_sourceorder.py
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The code rather than the string was being displayed in human
output for non-SUCCESS messages. Verify that in case of an error
the right output will be present.
https://bugzilla.redhat.com/show_bug.cgi?id=1752849
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The backup/restore tests are calling 'id admin' after restore
to make sure that the user name can be resolved after a restore.
The test should wait for SSSD backend to become online before
doing any check, otherwise there is a risk that the call to
'id admin' fails.
Fixes: https://pagure.io/freeipa/issue/8228
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Issue: freeipa/freeipa-healthcheck#35
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
The purpose of external groups in FreeIPA is to be able to reference
objects only existing in trusted domains. These members get resolved
through SSSD interfaces but there is nothing that prevents SSSD from
resolving any IPA user or group if they have security identifiers
associated.
Enforce a check that a SID returned by SSSD does not belong to IPA
domain and raise a validation error if this is the case. This would
prevent adding IPA users or groups as external members of an external
group.
RN: Command 'ipa group-add-member' allowed to specify any user or group
RN: for '--external' option. A stricter check is added to verify that
RN: a group or user to be added as an external member does not come
RN: from IPA domain.
Fixes: https://pagure.io/freeipa/issue/8236
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Add a new XMLRPC test trying to apply an IDview:
- to a master
- to a hostgroup containing a master
The command must refuse to apply the IDview to a master node.
Related: https://pagure.io/freeipa/issue/5662
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Regression test resolving trusted users and groups should be
successful when there is a user in IPA with the
same name as a group name.
Related: https://pagure.io/SSSD/sssd/issue/4073
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
For SAN IPAddress extension the cert plugin verifies that the IP address
matches the host entry. Certmonger uses the host principal to
authenticate and retrieve certificates. But the host principal did not
have permission to read DNS entries from LDAP.
Allow all hosts to read some entries from active DNS records.
Fixes: https://pagure.io/freeipa/issue/8098
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This removes a lot of duplication and simplifies the test
code.
It returns the command returncode and the JSON data (if any)
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Added testcase to verify that ipa-healthcheck tool displays a
warning if no DNS range is set. It previously just reported at the
SUCCESS level that no range was set.
Issue: freeipa/freeipa-healthcheck#60
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
New test checks that sssd updates expired cache values both for IPA
domain and trusted AD domain.
Related to: https://pagure.io/SSSD/sssd/issue/4012
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
It took longer to create the cacert file in older version.
restarting the certmonger service creates the file at the location
specified by -F option. This fix is to check that cacert file
creates immediately after certificate goes into MONITORING state.
related: https://pagure.io/freeipa/issue/8105
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Moved the method so that it can be used by other modules too
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
`use_fully_qualified_names` is not a valid parameter for `[sssd]` section
of sssd.conf, it can be specified only in domain section.
According to `man sssd.conf` it simply requires all requests to be fully
qualified, otherwise no result will be found. It is irrelevant to the
test scenario, so removing it.
Related to: https://pagure.io/freeipa/issue/8219
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Replace usage of remote_ini_file with remote_sssd_config.
The latter verifies changes against schema which helps to spot the mistakes.
Related to: https://pagure.io/freeipa/issue/8219
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
There are three patterns for editing sssd.conf in tests now:
1. using modify_sssd_conf() which allows to modify only domain sections
2. using remote_ini_file
3. direct file editing using `sed`
This patch introduces new utility function which combines advantages of
first two approaches:
* changes are verified against schema, so that mistakes can be spotted
early
* has convenient interface for simple options modification,
both in domain and service sections
* allows sophisticated modifications through SSSDConfig object
Fixes: https://pagure.io/freeipa/issue/8219
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add tests checking the behavior of ipa-adtrust-install when
adding trust agents:
- try calling the remote method trust_enable_agent with
a principal missing the required privilege.
- try adding a trust agent when the remote node is stopped.
The installer must detect that he's not able to run the remote
commands and print a WARNING.
- try adding a trust agent when the remote node is running.
The WARNING must not be printed as the remote configuration is done.
- try adding a trust agent with --enable-compat.
The WARNING must not be printed and the Schema Compatibility plugin
must be enabled (the entries
cn=users/groups,cn=Schema Compatibility,cn=plugins,cn=config
must contain a new attribute schema-compat-lookup-nsswitch
(=user/group).
Thanks to sorlov for the nightly test definitions and new test.
Related: https://pagure.io/freeipa/issue/7600
Co-authored-by: Sergey Orlov <sorlov@redhat.com>
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
The test is using the output of openssl to compare the SubCA issuer name
with the expected value.
Depending on the version of openssl, the issuer can be displayed
differently (with/without space around the = character). On RHEL 7.x,
there is no space by default while on Fedora the space is used.
Calling openssl with -nameopt space_eq forces a consistent output, always
adding space around =.
Reviewed-By: Sudhir Menon <sumenon@redhat.com>
This test is to check if recursion can be configured.
It checks if newly added file /etc/named/ipa-ext.conf
exists and /etc/named.conf should not have
'allow-recursion { any; };'. It also checks if ipa-backup
command backup the /etc/named/ipa-ext.conf file as well
related : https://pagure.io/freeipa/issue/8079
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The relative service weight output tries to show the relative
chance that any given master in a locaiton will be picked. This
didn't account for all masters having a weight of 0 which would
result in a divide-by-zero error.
Implement the following rules:
1. If all masters have weight == 0 then all are equally
weighted.
2. If any masters have weight == 0 then they have an
extremely small chance of being chosen, percentage is
0.1.
3. Otherwise it's percentage change is based on the sum of
the weights of non-zero masters.
https://pagure.io/freeipa/issue/8135
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
An external DNS is not supported yet, but it could be easily
implemented by adding another container with simple DNS server.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Currently, only one IPA environment is tested within Docker
containers. This is not efficient because Azure's agent gives
6 GB of physical memory and 13 GB of total memory (Feb 2020),
but limits CPU with 2 cores.
Next examples are for 'master-only' topologies.
Let's assume that only one member of github repo simultaneously
run CI. This allows to get the full strength of Azure.
Concurrency results for TestInstallMaster:
------------------------------------------
| job concurrency | time/jobs |
------------------------------------------
| 5 | 40/5 |
| 4 | 34/4 |
| 3 | 25/3 |
| 2 | 19/2 |
| 1 | 17/1 |
------------------------------------------
Results prove the limitation of 2 cores. So, in case of jobs'
number not exceeds the max capacity for parallel jobs(10) the
proposed method couldn't save time, but it reduces the used
jobs number up to 2 times. In other words, in this case CI
could pass 2 x tests.
But what if CI was triggered by several PRs? or jobs' number is
bigger than 10. For example, there are 20 tests to be run.
Concurrency results for TestInstallMaster and 20 input jobs:
------------------------------------------------------------------
| job concurrency | time | jobs used | jobs free |
------------------------------------------------------------------
| 5 | 40 | 4 | 6 |
| 4 | 34 | 5 | 5 |
| 3 | 25 | 7 | 3 |
| 2 | 19 | 10 | 0 |
| 1 | 34 | 20 | 0 |
------------------------------------------------------------------
So, in this case the optimal concurrency would be 4 since it
allows to run two CIs simultaneously (20 tasks on board) and get
results in 34 minutes for both. In other words, two people could
trigger CI from PR and don't wait for each other.
New Azure IPA tests workflow:
+ 1) generate-matrix.py script generates JSON from user's YAML [0]
2) Azure generate jobs using Matrix strategy
3) each job is run in parallel (up to 10) within its own VM (Ubuntu-18.04):
a) downloads prepared Docker container image (artifact) from Azure cloud
(built on Build Job) and loads the received image into local pool
+ b) GNU 'parallel' launch each IPA environment in parallel:
+ 1) docker-compose creates the Docker environment having a required number
of replicas and/or clients
+ 2) setup_containers.py script does the needed container's changes (DNS,
SSH, etc.)
+ 3) launch IPA tests on tests' controller
c) publish tests results in JUnit format to provide a comprehensive test
reporting and analytics experience via Azure WebUI [1]
d) publish regular system logs as artifacts
[0]: https://docs.microsoft.com/en-us/azure/devops/pipelines/process/phases?view=azure-devops&tabs=yaml
Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This log file is collected by azure-run-tests.sh script and then by
Azure 'PublishPipelineArtifact' task. So, the same file gets into
logs artifact.
Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This allows to run IPA tests on Azure using any distro.
To achieve this, one has to do:
1) place a platform specific template on 'ipatests/azure/templates/'
and make a soft link from 'ipatests/azure/templates/variables.yml' to
the new template.
2) place a configuration templates on these paths
3) templates have to answer the questions such as:
a) which Docker image to use to build IPA packages (rpm, deb, etc.)
b) how to prepare Build environment
c) how to build IPA packages
d) how to prepare environment to run Tox tests
e) how to prepare environment to run WebUI unittests
f) which base Docker image to use to build the new image to run
IPA tests within it
Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Azure provides Microsoft-hosted agents having tasty resources [0].
For now (Feb 2020),
- (Linux only) Run steps in a cgroup that offers 6 GB of physical memory and
13 GB of total memory
- Provide at least 10 GB of storage for your source and build outputs.
This is enough to set up IPA environments consisted of not only master but also
replicas and clients and thus, run IPA integration tests.
New Azure IPA tests workflow:
+ 1) Azure generate jobs using Matrix strategy
2) each job is run in parallel (up to 10) within its own VM (Ubuntu-18.04):
a) downloads prepared Docker container image (artifact) from Azure cloud
(built on Build Job) and loads the received image into local pool
+ b) docker-compose creates the Docker environment having a required number
of replicas and/or clients
+ c) setup_containers.py script does the needed container's changes (DNS,
SSH, etc.)
+ d) launch IPA tests on tests' controller
e) publish tests results in JUnit format to provide a comprehensive test
reporting and analytics experience via Azure WebUI [1]
f) publish regular system logs as artifacts
[0] https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/hosted?view=azure-devops
[1] https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/test/publish-test-results?view=azure-devops&tabs=yaml
Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
IPA integration tests utilize SSH as a transport to communicate
with IPA hosts. To run such tests Docker environments should
have configured SSH.
Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
As for now, a list of tests which will be ignored by Pytest is
mandatory. But actually, a list of tests to run is explicitly set
in yaml config. And thus, 'ignore' list should be an optional field.
This simplifies tests definitions to drop extra stuff.
Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The labels for memberservice_hbacsvc and memberservice_hbacsvcgroup are
only "Services" and "Service Groups" but they should be "HBAC Services"
and "HBAC Service Groups".
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add a little utility function to get the certmonger status
of a request id on a particular host and wait until it is either
failed on the CA or issued (or times out).
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This is to ensure added HSM support for FreeIPA. This test adds
certificate with sofhsm token and checks if certmonger is tracking
it.
related : https://pagure.io/certmonger/issue/125
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
AES SHA 256 and 384-bit enctypes supported by MIT kerberos but
was not enabled in IPA. This test is to check if these types are
enabled.
related: https://pagure.io/freeipa/issue/8110
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
There was a regression caused in nightly run of test
TestBackupReinstallRestoreWithDNS of test_backup_and_restore
test suite because of PR#3962.
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Tests for ipa-restore behaviour when dns or adtrust
rpm is missing which is required during ipa-restore
https://pagure.io/freeipa/issue/7630
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The test suite test_trust was missing in nightly definitions
because PR-CI was not able to provision multi-AD topology.
Now that PR-CI is updated, we can start executing this test suite.
It is not reasonable to add it to gating as this suite is
time consuming like other tests requiring provisioning of AD instances.
Signed-off-by: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
When there are more external groups than default limit, then
SSSD should fetch all groups.
Related : https://pagure.io/SSSD/sssd/issue/4058
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Due to https://pagure.io/SSSD/sssd/issue/4149 ipa-client-automount
fails to remove the ipa_automount_location entry from sssd.conf.
Test that autofs_provider and ipa_automount_location are removed.
Fixes: https://pagure.io/freeipa/issue/8190
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Currently, such arguments are eaten by 'ipa-run-tests' script as they
are not quoted.
For example, running ipa-run-tests -k ''
results in the actual invocation would be like as:
['/bin/sh',
'--norc',
'--noprofile',
'-c',
'--',
"/usr/bin/python3 -c 'import sys,pytest;sys.exit(pytest.main())' -o "
'cache_dir=/tmp/pytest-of-root/pytest-12/test_ipa_run_tests_empty_expression0/.pytest_cache '
'--confcutdir=/usr/lib64/python3/site-packages/ipatests -k ']
Note: expressions or marks could be empty as a result of the building
of command line args by more high-level tools, scripts, etc.
So, a short-termed solution is the quotting of zero-length arguments.
Fixes: https://pagure.io/freeipa/issue/8173
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Added changes in topology for test_sssd.py
As in test it needs client also.
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
If group contains @ in group name on AD,
then it should fetch successfully on ipa-client.
Related to: https://bugzilla.redhat.com/1746951
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
This is the first time running Pylint-2.4 over the whole IPA codebase.
```
Pylint on /usr/bin/python is running, please wait ...
internal error with sending report for module ['ipaserver/plugins/serverroles.py']
maximum recursion depth exceeded while calling a Python object
************* Module ipatests.test_integration.base
ipatests/test_integration/base.py:84: [W0125(using-constant-test), IntegrationTest.install] Using a conditional statement with a constant value)
************* Module ipaserver.install.ipa_cacert_manage
ipaserver/install/ipa_cacert_manage.py:522: [R1724(no-else-continue), CACertManage.delete] Unnecessary "elif" after "continue")
```
The latest Pylint (via the Tox task) checks only:
```
{envsitepackagesdir}/ipaclient \
{envsitepackagesdir}/ipalib \
{envsitepackagesdir}/ipapython
```
, while the distro-Pylint runs over all project but it is not fresh.
That's why these warnings/errors weren't exposed before now.
Concerning `internal error`: a fix was accepted by upstream:
https://github.com/PyCQA/pylint/issues/3245, but wasn't released yet.
Until that is done, Pylint just warns.
Related: https://pagure.io/freeipa/issue/8116
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Pylint is a static analysis tool and therefore, couldn't always
analyze dynamic stuff properly. Transformation plugins is a way
to teach Pylint how to handle such cases.
Particularly, with the help of FreeIPA own plugin, it is possible
to tell Pylint about instance fields having a duck-typing nature.
A drawback exposed here is that a static view (Pylint's) of code
should be consistent with an actual one, otherwise, codebase will
be polluted with various skips of pylint checks.
* added missing fields to ipatests.test_integration.base.IntegrationTest
* an attempt is made to clear `no-member` skips for ipatests
* removed no longer needed `pytest` module transformation
Related: https://pagure.io/freeipa/issue/8116
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
There is a race condition exposed in 'test_gpg_asymmetric'.
The teardown of 'tempdir' fixture and gpg-agent being called
from the teardown of 'gpgkey' fixture could simultaneously
remove the gnugpg's socket files.
This results in an error like:
```
================= ERRORS ===================
_ ERROR at teardown of test_gpg_asymmetric __
...
> os.unlink(entry.name, dir_fd=topfd)
E FileNotFoundError: [Errno 2] No such file or directory: 'S.gpg-agent.extra'
/usr/lib64/python3.7/shutil.py:450: FileNotFoundError
```
The problem is that the agent is not terminated properly.
Instead, gpgconf could be used to kill daemonized gpg-agent.
Related: https://pagure.io/freeipa/issue/7989
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
nodejs:12 requires libicu-65.1 while gdb (not direct dependency)
libicu-63.2. As a workaround gdb-minimal [0] could be used.
It's even better as requires less packages to be downloaded
and then installed.
[0] https://fedoraproject.org/wiki/Changes/Minimal_GDB_in_buildroot
Co-authored-by: Stanislav Levin <slev@altlinux.org>
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This Pytest plugin is intended to issue warnings on collecting
tests, which employ unittest/nose frameworks or xunit style.
For example, this may look like:
"""
test_a/test_xunit.py:25
test_a/test_xunit.py:25: PytestDeprecationWarning: xunit style is deprecated
def test_foo_bar(self):
test_b/test_unittest.py:7
test_b/test_unittest.py:7: PytestDeprecationWarning: unittest is deprecated
def test_foo_bar(self):
"""
To treat these warnings as errors it's enough to run Pytest with:
-W error:'xunit style is deprecated':pytest.PytestDeprecationWarning
Related: https://pagure.io/freeipa/issue/7989
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Even though Pytest supports xunit style setups, unittest and nose
tests, this support is limited and may be dropped in the future
releases. Worst of all is that the mixing of various test
frameworks results in weird conflicts and of course, is not widely
tested.
This is a part of work to remove the mixing of test idioms in the
IPA's test suite:
1) replace unittest.TestCase subclasses
2) replace unittest test controls (SkipTest, fail, etc.)
3) replace unittest assertions
Related: https://pagure.io/freeipa/issue/7989
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Even though Pytest supports xunit style setups, unittest and nose
tests, this support is limited and may be dropped in the future
releases. Worst of all is that the mixing of various test
frameworks results in weird conflicts and of course, is not widely
tested.
This is a part of work to remove the mixing of test idioms in the
IPA's test suite:
1) replace xunit style
2) employ the fixtures' interdependencies
Related: https://pagure.io/freeipa/issue/7989
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The method modify_sssd_conf() is copying a remote sssd.conf file
to the test controller then uses sssd python API to modify the
config file.
When the test controller does not have sssd-common package installed,
SSSDConfig() call fails because the API needs sssd schema in order
to properly parse the config file, and the schema files are provided
by sssd-common pkg.
The fix also downloads the files representing sssd schema and calls
SSSDConfig() with those files. Using the schema from the test machine
is ensuring that config is consistent with the schema (if the sssd
version differs between controller and test machine for instance).
Note: we currently don't see any issue in the nightly tests because
the test controller is installed with sssd-common package but if you
run the tests as specified in https://www.freeipa.org/page/Testing
with a controller missing sssd-common, you will see the issue.
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
It checks if 'SSH public key fingerprint' is
not present in the output of the command
Related: https://pagure.io/freeipa/issue/8029
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The nightly tests for rawhide and updates_testing are expected
to set
update_packages: True
in all the job definitions to make sure that dnf/yum update is called
before starting the tests.
This tag was missing for some jobs, this commit fixes the issue.
Reviewed-By: Armando Neto <abiagion@redhat.com>
Add decorator to has_record method which repeats the check when an active facet is changed
(catch StaleElementReferenceException).
Ticket: https://pagure.io/freeipa/issue/8157
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
These new images have SELinux enabled in permissive mode. After
this all tests skipped because SELinux was disabled will be
executed again.
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Add a small timeout (up to 5 seconds) which allows to prevent exceptions when
WebDriver attempts to click a button before it is rendered.
Ticket: https://pagure.io/freeipa/issue/8169
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
fedora-latest/temp_commit section was removed from
temp_commit.yaml file while working with PR4108, adding it back.
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
When there is directory mounted on the ipa-client
Then no "Unspecified GSS failure" should be in logs.
This is an integration test for :
https://bugzilla.redhat.com/show_bug.cgi?id=1759665
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Sumedh Sidhaye <ssidhaye@redhat.com>
Use a consistent way to label the tests. As a result, replace external_ca_1 with test_external_ca_TestExternalCA and external_ca_2 with test_external_ca_TestSelfExternalSelf to better reflect which subtest is executed.
Issue : freeipa/freeipa-pr-ci#336
Signed-off-by: Gaurav Talreja <gtalreja@redhat.com>
Reviewed-By: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Check that ipa-client-samba tool reports specific properties of domains:
name, netbios name, sid and id range
Related to https://pagure.io/freeipa/issue/8149
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This tests the following cases:
- deletion without nickname (expect fail)
- deletion with an unknown nickname (expect fail)
- deletion of IPA CA (expect fail)
- deletion of a root CA needed by a subCA (expect fail)
- deletion of a root CA needed by a subCA with --force (ok)
- deletion of a subca (ok)
As a side-effect this also tests install by installing the LE
root and a sub-ca. The sub-ca expires in 2021 but I tested in
the future the ipa-cacert-manage install doesn't do date
validation so for now this is ok.
https://pagure.io/freeipa/issue/8124
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Rename job titles to match their test suites and how they are defined in nightly yamls.
Issue : https://github.com/freeipa/freeipa-pr-ci/issues/336
Signed-off-by: Gaurav Talreja <gtalreja@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The test suite test_winsyncmigrate was missing in nightly definitions
because CI was lacking configuration needed for establishing winsync
agreement: the Certificate Authority needs to be configured on
Windows AD instance. Now that PR-CI is updated to include said changes, we
can start executing this test suite. It is not reasonable to add it to
gating as this suite is time consuming just like other tests requiring
provisioning of AD instances.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The re.Pattern class was introduced in Python 3.7. Use duck-typing to
distinguish between str and re pattern object.
Fixes: https://pagure.io/freeipa/issue/8179
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
The tests for backup_and_restore check that the ipa-backup command
compresses the tar file AFTER restarting IPA services by reading the
output and looking for a pattern with "gzip" before "Starting IPA service."
As the tar file name is randomly created, it sometimes happen that the
name contains gzip and in this case the test wrongly assumes that
the gzip cmd was called.
The fix makes a stricter comparison, looking for /bin/gzip.
Fixes: https://pagure.io/freeipa/issue/8170
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This checks that valid/invalid inputs for subtypes of
authentication indicator kerberos ticket policy options.
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Fix XMLRPC tests so that "Dynamic Update" and "Bind update policy"
can be displayed by default in many DNS commands' output.
Related to: https://pagure.io/freeipa/issue/7938
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This forces PR-CI to update the packages instead of using the versions
already included in the vagrant image.
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Test on replica for ipa-ca-install with options
--no-host-dns,--skip-schema-check,done changes in
ipatests/pytest_ipa/integration/tasks.py because
wants to pass few arguments to install_ca method
Signed-off-by: Jayesh <jgarg@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Test was failing in nightly_PR for ipa-4.7
As https://pagure.io/SSSD/sssd/issue/3978 is not available on
fedora-29
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
This also exercises the Authentication Indicator Kerberos ticket
policy options by testing a otp indicator type.
Related: https://pagure.io/freeipa/issue/8001
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This will first check ipa-getkeytab quiet mode,
then it will check ipa-getkeytab server name,
then it will check different type of encryptions
Signed-off-by: Jayesh <jgarg@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This will first check if all services are running then it will stop
few service. After that it will restart all services and then check
the status and pid of services.It will also compare pid after ipactl
start and restart in case of start it will remain unchanged on the
other hand in case of restart it will change.
Signed-off-by: Jayesh Garg <jgarg@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
When 'ipa krbtpolicy-reset' is called, we need to reset all policy
settings, including per-indicator ones. Per-indicator policy uses
subtyped attributes (foo;bar), the current krbtpolicy-reset code does
not deal with those.
Add support for per-indicator policy reset. It is a bit tricky, as we
need to drop the values to defaults but avoid adding non-per-indicator
variants of the same attributes.
Add test to check that policy has been resetted by observing a new
Kerberos TGT for the user after its policy reset.
Fixes: https://pagure.io/freeipa/issue/8153
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Some integration tests (that were enabled in nightly CI but not
PR-CI) are failing due to changes in the error messages. Update the
error message assertions to get these tests going again.
Part of: https://pagure.io/freeipa/issue/8142
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Enhance the assert_error subroutine to provide regular expression
matching against the command's stderr output, in additional to
substring match.
Part of: https://pagure.io/freeipa/issue/8142
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Added test which checks that no look up should
be added in data provider when users are added in
filter_users for doamin provider.
Related Ticket:
https://pagure.io/SSSD/sssd/issue/3978
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Temporarily skipping test due to unknown time-outs happening regularly.
Issue: https://pagure.io/freeipa/issue/8151
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Sometimes ssh command gets stuck, running manually without passing a command
to be executed this is returned:
```
$ ssh -o PasswordAuthentication=no -o IdentitiesOnly=yes \
-o StrictHostKeyChecking=no -l testsshuser \
-i /tmp/tmp.rQIT3KYScX master.ipa.test
Could not chdir to home directory /home/testsshuser: No such file or directory
```
This commit forces the homedir creation and adds a timeout to ssh.
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
umount calls including in cleanup do not wait.
The test failed once with:
"umount.nfs4: /home: device is busy"
which looks like a leftover open file descriptor.
Add wait periods before umount.
Fixes: https://pagure.io/freeipa/issue/8144
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Test that a repeated installation of the primary with DNS enabled
will lead to a already installed message and not in "DNS zone X
already exists in DNS" in check_zone_overlap.
The error is only occuring if domain is set explicitly in the command
line installer as check_zone_overlap is used in the domain_name validator.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
temp_commit.yaml among others have wrong indentation:
expected 4 but found 3.
Fix indentation.
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
verify_server_cert_validity() and verify_ca_cert_validity() now check
the validity time range of external certificates. The check fails if the
certificate is not valid yet or will expire in less than an hour.
Fixes: https://pagure.io/freeipa/issue/8142
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The test is installing master +DNSSEC, then replica and migrates the DNSSEC
to the replica.
During teardown, the replica is removed with ipa server-del. This operation
deletes the entries cn=DNS and cn=DNSSEC on the master, but if the
replication is stopped before the operations are replicated on the replica,
the replica may end up with a dangling cn=DNSSEC entry and no cn=DNS entry.
In this case ipa-server-install --uninstall on the replica will fail.
The fix: uninstall the DNSSec master as the last step of teardown
Related: https://pagure.io/freeipa/issue/7985
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
test_smb slows down gating and PR turnover. The test takes between 45 and
50 minutes to execute while the other gating tests finish in about or less
than half the time.
The Samba / AD integration tests are still executed in nightly tests.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Client connections no longer override TLS version range and ciphers by
default. Instead clients use the default settings from the system's
crypto policy.
Minimum TLS version is now TLS 1.2. The default crypto policy on
RHEL 8 sets TLS 1.2 as minimum version, while Fedora 31 sets TLS 1.0 as
minimum version. The minimum version is configured with OpenSSL 1.1.1
APIs. Python 3.6 lacks the setters to override the system policy.
The effective minimum version is always TLS 1.2, because FreeIPA
reconfigures Apache HTTPd on Fedora.
Fixes: https://pagure.io/freeipa/issue/8125
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Paramiko is not compatible with FIPS mode. It uses MD5 on the client
side and does not support rsa-sha2 connections for RSA auth.
See: https://pagure.io/freeipa/issue/8129
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
When a system is in FIPS mode, SSHd can prints some noise to stderr:
FIPS mode initialized\r\n
This noise causes interference and breakage of some tests. Remove the
noise from stderr_bytes, which automatically fixes stderr_text, too.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
The goal of the last test in test_crlgen_manage is to ensure that
ipa-server-install --uninstall can proceed if the server is the last one
in the topology, even if it is the CRL generation master.
The current code is wrong because it tries to uninstall the master
(which has already been uninstalled in the prev test), It should rather
uninstall replicas[0].
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The uninstall method of some tests can be skipped as the cleanup is
already done before.
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
At the end of any integration test, the method uninstall is called and
uninstalls master, replicas and clients.
Usually the master is the CA renewal master and DNSSec master, and
uninstallation may fail.
This commits modifies the uninstall method in order to:
- call 'ipa server-del replica' before running uninstall on a replica
- uninstall the replicas before uninstalling the master
Fixes: https://pagure.io/freeipa/issue/7985
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add integration tests to verify HOTP, TOTP, service with OTP auth
indicator, and OTP token sync.
Related: https://pagure.io/freeipa/issue/7804
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The ipaserver template triggers the installation of IPA server
before the tests are launched and should not be used for
test_integration tests
Switch to master_1repl template.
Related: https://pagure.io/freeipa/issue/8001
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This also exercises the Authentication Indicator Kerberos ticket
policy options by testing a specific indicator type.
Related: https://pagure.io/freeipa/issue/8001
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
For the authentication indicators 'otp', 'radius', 'pkinit', and
'hardened', allow specifying maximum ticket life and maximum renewable
age in Kerberos ticket policy.
The policy extensions are now loaded when a Kerberos principal data is
requested by the KDC and evaluated in AS_REQ KDC policy check. If one of
the authentication indicators mentioned above is present in the AS_REQ,
corresponding policy is applied to the ticket.
Related: https://pagure.io/freeipa/issue/8001
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Commands like ipa group-add-member-manager now show permission
errors on failed operations.
Fixes: https://pagure.io/freeipa/issue/8122
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
A single-valued DNParam parameter must not accept multivalues. Add test
checking the behavior for single valued and multivalued DNParam.
Related: https://pagure.io/freeipa/issue/8097
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ipa user-add-certmapdata defines --issuer and --subject as single valued.
Add a test checking that this is enforced.
Related: https://pagure.io/freeipa/issue/8097
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Commit cd887a48b5 did that for gating,
this commit bumps the version for the remaining definitions.
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Based on userspace FIPS mode by Ondrej Moris.
Userspace FIPS mode fakes a Kernel in FIPS enforcing mode. User space
programs behave like the Kernel was booted in FIPS enforcing mode. Kernel
space code still runs in standard mode.
Fixes: https://pagure.io/freeipa/issue/8118
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Template used: https://app.vagrantup.com/freeipa/boxes/ci-master-f31/versions/0.0.2
with installed packages updated.
This commit also replaces `fedora-30` with `fedora-latest` for test_smb gating definition
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Fedora 31 is the latest release, Fedora 30 is now the previous release.
New template boxes were built for current tests definitions with
updated dependencies.
Boxes were generated after https://github.com/freeipa/freeipa-pr-ci/pull/321
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Replacing `fedora-30` with `fedora-latest` and `fedora-29` with `fedora-previous` will
reduce the changes required for new releases of Fedora.
Future changes would only require to update the name and version of the template used.
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Test test_smb_mount_and_access_by_different_users was failing with message
```
kdestroy: Permission denied while initializing krb5
```
This happened because the previous test
`test_smb_access_for_ad_user_at_ipa_client` was calling the fixture
`enable_smb_client_dns_lookup_kdc` which was doing backup of krb5.conf
in a wrong way:
- mktemp (to create a temp file)
- cp /etc/krb5.conf to the temp file
- ...
- mv tempfile /etc/krb5.conf
This flow looses the file permissions, because mktemp creates a file
using the default umask, which results in -rw------- permissions.
The copy does not modify the permissions, and the mv keeps the
permissions from the source => /etc/krb5.conf now has -rw-------.
Fixes: https://pagure.io/freeipa/issue/8115
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* `cp` now preserves all attributes of original file, there is no reason
to select only some of them
* backup is now restored with `mv` instead of `cp` to avoid leaving junk
Related to: https://pagure.io/freeipa/issue/8115
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Testcase test_server_option_with_unreachable_ad creates a zone file
for AD domain. This file had a hard-coded A record for host specified in
NS record. Some versions of BIND consider this zone invalid and refuse
to start with message:
```
zone ad.test/IN: NS 'root-dc.ad.test' has no address records (A or AAAA)
```
Fixed by replacing hard-coded value with short name of the AD instance.
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Function create_temp_file was returning unprocessed output of mktemp
command, which contains a trailing newline. Callers which tryed to write
to the temp file were creating a new one instead.
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
New Pylint (2.4.3) catches several new 'true problems'. At the same
time, it warns about things that are massively and reasonably
employed in FreeIPA.
list of fixed:
- no-else-continue
- redeclared-assigned-name
- no-else-break
- unnecessary-comprehension
- using-constant-test (false positive)
list of ignored (responsibility of contributors and reviewers):
- import-outside-toplevel
Fixes: https://pagure.io/freeipa/issue/8102
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Follow-up for commit a4ca34261a.
Vagrant retries to provision hosts if something happens, it was introduced
in PR-CI after freeipa/freeipa-pr-ci@380c8b8.
This takes time, some jobs are killed during test execution, so this
adds 20 minutes more to `test_sssd.py` test suite.
This also adds a missing but available topology to `temp_commit.yaml`.
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
* 'fr_FR' locale is utilized in
test_ipaserver/test_i18n_messages.py::test_i18n_messages::test_i18n_consequence_receive
* 'en_US' is a commonly used locale
AP warns regularly:
```
/bin/bash: warning: setlocale: LC_ALL: cannot change locale
(en_US.utf8): No such file or directory
```
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
`test_ipaserver` was lost on refactoring in #c8ef093e56.
Let's run that again.
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Define integration test for custom CA subject DN and subject base
scenarios. Add to nightly CI runs.
Part of: https://pagure.io/freeipa/issue/8084
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
test_smb is now failing in a repeatable way due to CI infrastructure
issues. Temporarily remove it until this is fixed.
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The tests are failing to establish trust with AD subdomain and tree domain
controllers. This happens because IPA server needs to contact root domain
controller to fetch domain-wide UPN suffixes but can not do it because we
setup DNS forwarding only for the domains with which we try to establish
trust.
To establish trust with AD subdomain we now setup forwarder for root AD
domain, and to establish trust with AD treedomain -- two forwarders:
one for root domain and another one for treedomain.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Test to check replica install against specific server. It uses master and
replica1 without CA and having custodia service stopped. Then try to
install replica2 from replica1 and expect it to get fail as specified server
is not providing all the services.
related ticket: https://pagure.io/freeipa/issue/7566
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Vagrant retries to provision hosts if something happens, it was introduced
in PR-CI after 380c8b8c78.
This takes time, some jobs are killed during test execution, so this
increases the time-out parameter from 1 hour and 20 minutes to 2 hours.
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Check if file ownership and permission is set to dirsrv:dirsrv
and 770 on /var/log/dirsrv/slapd-<instance> after ipa-restore.
related ticket : https://pagure.io/freeipa/issue/7725
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The test test_replica_promotion.py::TestHiddenReplicaPromotion randomly
fails in nightly_f29.
The test is checking that a given IP address is not in the DNS records
for the domain. When we are unlucky, we may come up with the following
situation:
- IP address that is unexpected: 192.168.121.25
- IP address that is found for the DNS record: 192.168.121.254
As 192.168.121.25 is a substring of 192.168.121.254, the test wrongly considers that the unexpected address was found.
Extract of the log:
for host in hosts_unexpected:
value = host.hostname if rtype == 'SRV' else host.ip
> assert value not in txt
E AssertionError: assert '192.168.121.25' not in 'ipa-ca.ipa.test. 1 IN A 192.168.121.254'
E '192.168.121.25' is contained here:
E ipa-ca.ipa.test. 1 IN A 192.168.121.254
E ? ++++++++++++++
This happens because the test is comparing the content of the output as a
string. The fix is extracting the exact hostname/IP address from the
record instead.
Fixes: https://pagure.io/freeipa/issue/8070
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add a new XMLRPC test in test_user_plugin:
- disable the UPG plugin
- create a user without the --gid parameter
as the default group for new users is not POSIX (ipausers), the
command is expected to fail
- create a user with the --gid parameter
The provided gid is used and command is expected to succeed
- create a user with the same name as an existing group
As the UPG plugin is disabled, the user creation will not trigger
the creation of a group with the same name, and command is
expected to succeed
- re-enable the UPG plugin for other tests
Related to: https://pagure.io/freeipa/issue/4972
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This patche removes 93 pylint deprecation warnings due to invalid escape
sequences (mostly 'invalid escape sequence \d') on unicode strings.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This patche removes 93 pylint deprecation warnings due to invalid escape
sequences (mostly 'invalid escape sequence \d') on unicode strings.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
test_sssd is using a wrong dependency (fedora30 build instead
of fedora29 build). As a result, this test is not triggered
by PRCI because it's waiting forever for a dependency.
(See the status: fedora-30/test_sssd Pending — unassigned)
Fix the version in the fedora 29 nightly definition.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Docker utilizes its own way to provide DNS (hostname, hosts, NS).
By default, they are almost the same as the host's ones.
For instance, below is from AP container:
```
cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.2 ipa.example.test ipa
cat /etc/resolv.conf
nameserver 168.63.129.16
search hqdv2iuiph0ufpcrhp4amkgzwf.fx.internal.cloudapp.net
```
As a result FreeIPA uses 168.63.129.16 (AP DNS NS [1]) as a DNS forwarder.
It's not desirable to rely on this.
Let's clear test environment.
[1] https://docs.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16
Related: https://pagure.io/freeipa/issue/8077
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This forces PR-CI to update the packages instead of using the versions
already included in the vagrant image.
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
In the test_backup_and_restore, add a new test:
- before backup, save the content of /etc/pkcs11/modules/softhsm2.module
- after restore, ensure the file is present with the same content.
Related: https://pagure.io/freeipa/issue/8073
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
In test_integration, enable 389-ds audit log and auditfail log by setting
nsslapd-auditlog-logging-enabled: on
nsslapd-auditfaillog-logging-enabled: on
and collect the generated audit file. This will help troubleshoot failures
related to DS.
Fixes: https://pagure.io/freeipa/issue/8064
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Update nightly definitions used to test if FreeIPA works when repo
`updates-testing` is enabled.
These changes include all tests currently defined in `nightly_master.yaml`.
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Regression test for https://pagure.io/freeipa/issue/8044
If there is a timeout during a request to SSSD the extdom plugin
should not return error 'No such object' and the existing
user should not be added to negative cache on the client.
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
The tests check that auth cache
* is disabled by default
* is working when enabled
* expires after specified time
* is inherited by trusted domain
Related to: https://bugzilla.redhat.com/1685581
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Added utilities for working with remote hosts
* backup and restore files
* modify .ini files
* check if selinux is enabled
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
"New Test" action cleared only information about selected options but kept
radio buttons checked. It confused users and caused an error on validation step.
New behaviour is:
- tables forget all selected values after "New Test" click;
- first table record is checked initially in case the option is mandatory;
- all records is unchecked initially in case the option is not mandatory.
Ticket: https://pagure.io/freeipa/issue/8031
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
No object can be added to a rule when object category is 'all'.
So while editing rule there is needed to save actual category value
before adding related objects.
Ticket: https://pagure.io/freeipa/issue/7961
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Added test to check whether hidden replica can be configurred
as CRL generation master.
Related Tickets:
https://pagure.io/freeipa/issue/7307
Signed-off-by: ndehadra <ndehadra@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Sometimes the gating tasks (build and jobs) are blocked because of nightly
regression remaining tasks are in progress. The reason is because nightly
regressions are not finished or they are re-triggered during day-time.
Gating tasks are blocked because they have same priority than nightly tasks.
This commit increases gating tasks priority so the testing of pull requests
will not be blocked anymore.
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The implementation includes checking password policy for selected user.
'Unlock' option is available only in case user reached a limit of login failures.
Ticket: https://pagure.io/freeipa/issue/5062
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
PR-CI breaks if the class to execute the tests doesn't exist.
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
As new authentication indicators implemented, we also modified server
API to support those new values. Also, "krbprincipalauthind" attribute
is modified to use a pre-defined set of values instead of arbitrary
strings.
Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Implement test for ticket 2018: Change hostname length limit to 64.
The fix provides a new configuration parameter (maxhostname) that can be modified through ipa config-mod, and governs the max hostname len allowed through ipa host-add.
Add new tests:
- check that maxhostname cannot be changed to a value < 64
- check that ipa host-add is refused if the hostname length is > maxhostname
- check that ipa host-add is OK if the hostname length is <= maxhostname
Related: https://pagure.io/freeipa/issue/2018
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Add tests for following scenarios:
* running `ipa-client-samba --uninstall` without prior installation
* mount and access Samba share by IPA user
* mount and access Samba share by AD user
* mount samba share by one IPA user and access it by another one
* try mount samba share without kerberos authentication
* uninstall and reinstall ipa-client-samba
Relates: https://pagure.io/freeipa/issue/3999
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
This commit is a first step in order to run nightly
integration tests with the 389-ds Directory Server.
It is updating the tests that should be run against
a nightly build of 389-ds.
The vagrant box freeipa/389ds-master-f30 version 0.0.1 has already
been created, available in vagrant cloud.
freeipa-pr-ci workspace also already contains the nightly scheduler
definition for this job (saturdays 00:10, using nightly_master_389ds.yaml)
but the cron job is not scheduled yet.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Strings should not be compared with the identity operation 'is' or
'is not'.
Fixes: https://pagure.io/freeipa/issue/8057
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Topology for TestIpaNotConfigured is changed from ipaserver to
master_1repl in order to prevent aforementioned test suite runner from
configuring ipa-server, which is required by the test itself.
Resolves: https://pagure.io/freeipa/issue/8055
Related: https://pagure.io/freeipa/issue/6843
The test is written for a SSSD fix delivered in 2.2.0, but has a xfail
based on fedora version < 30.
SSSD 2.2.0 was originally available only on fedora 30 but is now also
available on fedora 29, and recent runs on f29 started to succeed
(because the fix is now present) but with a strict xfail.
The fix completely removes the xfail as the current branch is supported on
fedora 29 and 30.
Fixes: https://pagure.io/freeipa/issue/8052
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
test_webui/test_loginscreen fails because login screen is rendered with delays.
To solve the issue small pause added after login.
Ticket: https://pagure.io/freeipa/issue/8053
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Remove xfail in TestIpaClientAutomountFileRestore to check the
associated bugfix.
Related-to: https://pagure.io/freeipa/issue/8054
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
1. This testcase checks that when ipa user-mod command is run with capital letters
there is no error shown in the console, instead the modifications for first and last
name of the user is applied.
2. Adding tasks.kinit_admin since the test was being executed as different user
leading to permission issue.
ipa: ERROR: Insufficient access: Could not read UPG Definition originfilter. Check your permissions
Issue: https://pagure.io/freeipa/issue/5879
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
This will let us call it from ipaplatform.
Mark the original location as deprecated.
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Check that using ipa-client-install, ipa-client-automount --no-ssd, then uninstalling
both properly restores nsswitch.conf sequentially.
Related-to:: https://pagure.io/freeipa/issue/8038
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Added test class for executing tests without ipa server being
configured. This is achieved by not providing topology attribute in the
test class. Subsequently implemented test for PG6843 - ipa-backup does not create
log file at /var/log/ - by invoking ipa-backup command with ipa server
not configured and checking for expected error code presence of /var/log
in the error message.
https://pagure.io/freeipa/issue/6843
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Tibor Dudlák <tdudlak@redhat.com>
Reviewed-By: François Cami <fcami@redhat.com>
https://github.com/rthalley/dnspython/issues/343 documents broken use of
hashes in dns.dnssec.make_ds() and other python-dns methods. This is a
regression introduced with python-dns 1.16.
Mark the test as expecting to fail until python-dns is fixed in Fedora.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Update boxes used in nightlies runs and add new ones.
Based on the changes made in freeipa/freeipa-pr-ci#304.
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The following test was missing from all nightlies:
- test_integration/test_crlgen_manage.py
The following tests was missing from nightly_f29:
- test_integration/test_smb.py
The following test was missing from nightly_rawhide:
- test_integration/test_smb.py
Note: nightly_f28 not updated as we stopped testing on f28.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Verify that FreeIPA can be installed with an external CA that has a name
constraints extension.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* switch to Python 3.7 (UsePythonVersion@0 task)
* use "pip install --user"
Fixes: https://pagure.io/freeipa/issue/8030
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Move common and error messages to class scope to be reused again.
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add interactive configuration tests for
ipa-server-install and ipa-client-install
FreeIPA server as it is now is unable to
configure NTP interactively for replica
installations.
Resolves: https://pagure.io/freeipa/issue/7908
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When moving a preserved user to the stage area, check that the
custom attributes are not lost ( = the attr for which there is
no specific user_stage option).
Test scenario:
- add a stage user with --setattr "businesscategory=value"
- activate the user, check that businesscategory is still present
- delete (preserve) the user, check that attr is still present
- stage the user, check that attr is still present
Related: https://pagure.io/freeipa/issue/7597
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
test_nfs.py historically used master_2repl_1client.
Now that master_3client exists, switch to that as it allows removal
of custom install/cleanup steps.
Fixes: https://pagure.io/freeipa/issue/8027
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
config_replica_resolvconf_with_master_data() is not replica specific.
Rename to config_host_resolvconf_with_master_data() as it is not tied
to any role (master, replica, client).
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Previously test_nfs.py would implement its own method to configure
resolv.conf leading to cleanup failures in some cases.
Use tasks.config_replica_resolvconf_with_master_data() instead.
Also simplify and fix client uninstall.
Fixes: https://pagure.io/freeipa/issue/7949
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Some tests would benefit from using a multi-client topology.
As PR-CI now supports master_3client, use it.
Fixes: https://pagure.io/freeipa/issue/8026
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Test scenario:
- create a hostgroup
- create a host
- create an automember rule for the hostgroup with a condition fulfilled
by the host
- delete the hostgroup
- call automember-rebuild (1)
- call automember-find-orphans to remove the orphan automember group
- call automember-rebuild(2)
The test was expecting the first rebuild command to fail but this
assumption is not true if the DS version is >= 1.4.0.22 because of the
fix for https://pagure.io/389-ds-base/issue/50077
Modify the test so that it expects failure only when DS is older.
Fixes: https://pagure.io/freeipa/issue/7902
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Because of intergration with AD server response can take time more then 1 minute.
So request_timeout is increased to 120s.
Ticket: https://pagure.io/freeipa/issue/8024
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Problem: After adding ldap_deref_threshold=0 setting for sssd on master for
performance enhancement ssh from ipa client was failing
Test Procedure:
1. setup a master
2. add ldap_deref_threshold=0 to sssd.conf on master
3. add an ipa user
4. ssh from controller to master using the user created in step 3
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Related-to: https://pagure.io/freeipa/issue/8021
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Related-to: https://pagure.io/freeipa/issue/8019
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
The azure pipeline defines a "prepare build" step that
installs the FreeIPA development dependencies but the
step does not report failures of the dnf builddep command.
As a consequence, subsequent steps may fail (for instance
because of components not installed such as tox) but are
hard to diagnose.
The fix reports the command failure.
Fixes: https://pagure.io/freeipa/issue/8022
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Problem:
If a replica installation fails before all the services have been enabled then
it could leave things in a bad state.
ipa-replica-manage del <replica> --cleanup --force
invalid 'PKINIT enabled server': all masters must have IPA master role enabled
Test Steps:
1. Setup server
2. Setup replica
3. modify the replica entry on Master:
dn: cn=KDC,cn=<replica hostname>,cn=masters,cn=ipa,cn=etc,dc=<test>,dc=<realm>
changetype: modify
delete: ipaconfigstring
ipaconfigstring: enabledService
dn: cn=KDC,cn=<replica hostname>,cn=masters,cn=ipa,cn=etc,dc=<test>,dc=<realm>
add: ipaconfigstring
ipaconfigstring: configuredService
4. On master,
run ipa-replica-manage del <replicaFQDN> --cleanup --force
Related Ticket: https://pagure.io/freeipa/issue/7929
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
- Increase wait timeout after password reset
- Wait for server response after login in TestLoginScreen.test_reset_password_and_login_view
Ticket: https://pagure.io/freeipa/issue/8012
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add tests for remaining untested scenarios of --external-ca-profile
handling in ipa-server-install.
ipa-ca-install and ipa-cacert-manage remain untested at present.
Fixes: https://pagure.io/freeipa/issue/7548
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
As we expand the integration tests for external CA functionality, it
is helpful (and avoids duplication) to use the MSCSTemplate*
classes. These currently live in ipaserver.install.cainstance, but
ipatests is no longer permitted to import from ipaserver (see commit
81714976e5e13131654c78eb734746a20237c933). So move these classes to
ipalib.
Part of: https://pagure.io/freeipa/issue/7548
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Try to create a certmap rule that mentiones altSecurityIdentities in its
mapping rule but uses IPA domain to apply to. It should fail with
ValidationError.
Related: https://pagure.io/freeipa/issue/7932
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Azure Pipelines provide counters for running test jobs, these split into
System.StageAttempt and System.PhaseAttempt. Use them to make test
artifacts unique.
For XML test results we don't need to name them differently as they
aren't uploaded as artifacts but rather presented in a separate test
pane.
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Fedora nodejs builds were fixed, we don't need to limit ourselves
anymore.
Also, make sure python3-pyyaml is installed because pylint in Fedora 31
detects its use in contribs/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
The unit tests execution time within Azure Pipelines(AP) is not
balanced. One test job(Base) takes ~13min, while another(XMLRPC)
~28min. Fortunately, AP supports slicing:
> An agent job can be used to run a suite of tests in parallel. For
example, you can run a large suite of 1000 tests on a single agent.
Or, you can use two agents and run 500 tests on each one in parallel.
To leverage slicing, the tasks in the job should be smart enough to
understand the slice they belong to.
>The step that runs the tests in a job needs to know which test slice
should be run. The variables System.JobPositionInPhase and
System.TotalJobsInPhase can be used for this purpose.
Thus, to support this pytest should know how to split the test suite
into groups(slices). For this, a new internal pytest plugin was added.
About plugin.
- Tests within a slice are grouped by test modules because not all of
the tests within the module are independent from each other.
- Slices are balanced by the number of tests within test module.
- To run some module within its own environment there is a dedicated
slice option (could help with extremely slow tests)
Examples.
- To split `test_cmdline` tests into 2 slices and run the first one:
ipa-run-tests --slices=2 --slice-num=1 test_cmdline
- To split tests into 2 slices, then to move one module out to its own slice
and run the second one:
ipa-run-tests --slices=2 --slice-dedicated=test_cmdline/test_cli.py \
--slice-num=2 test_cmdline
Fixes: https://pagure.io/freeipa/issue/8008
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This is a sort of rollback to the pre #93c158b05 state with
several improvements.
For now, the nodeids calculation by ipa-run-tests is not stable,
since it depends on current working directory. Nodeids (tests
addresses) are utilized by the other plugins, for example.
Unfortunately, the `pytest_load_initial_conftests` hook doesn't
correctly work with pytest internal paths, since it is called
after the calculation of rootdir was performed, for example.
Eventually, it's simpler to follow the default convention for
Python test discovery.
There is at least one drawback of new "old" implementation.
The ignore rules don't support globs, because pytest 4.3.0+
has the same facility via `--ignore-glob`:
> Add the `--ignore-glob` parameter to exclude test-modules with
> Unix shell-style wildcards. Add the collect_ignore_glob for
> conftest.py to exclude test-modules with Unix shell-style
> wildcards.
Upon switching to pytest4 it will be possible to utilize this.
Anyway, tests for checking current basic facilities of
ipa-run-tests were added.
Fixes: https://pagure.io/freeipa/issue/8007
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
With ipa 4.5+, the RA cert is stored in files in
/var/lib/ipa/ra-agent.{key|pem}. The upgrade code handles
the move from /etc/httpd/alias to the files but does not remove
the private key from /etc/httpd/alias.
The fix calls certutil -F -n ipaCert to remove cert and key,
instead of -D -n ipaCert which removes only the cert.
Fixes: https://pagure.io/freeipa/issue/7329
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Establishing trust with partially unavailable AD hosts require usage
of --server option. The new test checks that both commands trust-add
and trust-fetch-domains properly use this option and also that
trust-add correctly passes the server value when imlicitly invoking
trust-fetch-domains.
Relates to: https://pagure.io/freeipa/issue/7895.
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
A previous refactoring of SELinux tests has have a wrong
assumption about the user field separator within
ipaSELinuxUserMapOrder. That was '$$', but should be just '$'.
Actually, '.ldif' and '.update' files are passed through
Python template string substitution:
> $$ is an escape; it is replaced with a single $.
> $identifier names a substitution placeholder matching
> a mapping key of "identifier"
This means that the text to be substituted on should not be escaped.
The wrong ipaSELinuxUserMapOrder previously set will be replaced on
upgrade.
Fixes: https://pagure.io/freeipa/issue/7996
Fixes: https://pagure.io/freeipa/issue/8005
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Display which dnf repositories were available at the
prepare-build step via metalink.
Also display the fastestmirror cache.
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
SSSD fix have not yet landed in Fedora 29 and below.
Relates to https://pagure.io/SSSD/sssd/issue/3957
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Running commands with sudo as specific user should succeed
when sudo rule has ipasudorunas field defined with value of that user
and domain-resolution-order is defined in ipa config.
Relates to https://pagure.io/SSSD/sssd/issue/3957
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Sometimes the prepare-build step of azure pipelines fails
with download errors:
"configure: error: Package requirements (nspr) were not met:"
This can be due to fastestmirror not being used to check
mirror availability and sometimes speed. Combined with a
too-low default number of retries, and a high timeout this
can lead to download failures that could be avoided.
Activate fastestmirror, add more download workers, and tune
timeout/retries to make dnf more reliable.
Fixes: https://pagure.io/freeipa/issue/7999
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The test is calling dnsrecord-mod --ttl and should expect a unicode
value in order to be python2/python3 compatible.
Related: https://pagure.io/freeipa/issue/7982
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This exercises the removal of 3DES and RC4 via Samba.
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
For now, FreeIPA supports SELinux things as they are in RedHat/Fedora.
But different distributions may have their own SELinux customizations.
This moves SELinux configuration out to platform constants:
- SELINUX_MCS_MAX
- SELINUX_MCS_REGEX
- SELINUX_MLS_MAX
- SELINUX_MLS_REGEX
- SELINUX_USER_REGEX
- SELINUX_USERMAP_DEFAULT
- SELINUX_USERMAP_ORDER
and applies corresponding changes to the test code.
Fixes: https://pagure.io/freeipa/issue/7996
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The test suite did not have any test for modification of the TTL
of an existing DNS record.
Related: https://pagure.io/freeipa/issue/7982
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Introduces new utility to configure Samba on an IPA domain member.
The tool sets up Samba configuration and internal databases, creates
cifs/... Kerberos service and makes sure that a keytab for this service
contains the key with the same randomly generated password that is set
in the internal Samba databases.
Samba configuration is created by querying an IPA master about details
of trust to Active Directory configuration. All known identity ranges
added to the configuration to allow Samba to properly handle them
(read-only) via idmap_sss.
Resulting configuration allows connection with both NTLMSSP and Kerberos
authentication for IPA users. Access controls for the shared content
should be set by utilizing POSIX ACLs on the file system under a
specific share.
The utility is packaged as freeipa-client-samba package to allow pulling
in all required dependencies for Samba and cifs.ko (smb3.ko) kernel
module. This allows an IPA client to become both an SMB server and an
SMB client.
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Added test which validates that POSIX attributes, such
as shell or home directory, are no longer overwritten or missing.
Related Ticket : https://pagure.io/SSSD/sssd/issue/2474
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
By default, the `last` exit code returned from Azure script will be
checked and, if non-zero, treated as a step failure. Luckily,
for Linux script is a shortcut for Bash. Hence errexit/e option
could be applied. But Azure pipelines doesn't set it by default:
https://github.com/microsoft/azure-pipelines-agent/issues/1803
For multiline script this is a problem, unless otherwise designed.
Some of benefits of checking the result of each subcommand:
- preventing subsequent issues (broken packages, container images, etc.)
- time saving (next steps will not run)
- good diagnostics (tells which part of script fails)
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add a new XMLRPC test with the following scenario:
- ldapadd a user without the posixaccount objectclass
- call ipa stageuser-find <user>
- check that 1 entry is returned
Related: https://pagure.io/freeipa/issue/7983
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The systemd unit name of `named`(which is actually used) is platform-dependent:
debian - bind9-pkcs11.service
fedora - named-pkcs11.service
redhat - named-pkcs11.service
Other systems may have their own name of `bind` service.
But the default one (`named-pkcs11`) is assumed in many tests.
Of course, these tests fail on such platforms.
This can be easily fixed.
All platforms define well-knownservice `named`, which is linked to
the actually utilized one.
Fixes: https://pagure.io/freeipa/issue/7990
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
For now all the default shells of users and admin are hardcoded in
different parts of the project. This makes it impossible to run the
test suite against the setup, which has the default shell differed
from '/bin/sh'.
The single configuration point for the shell of users and admin is
added to overcome this limitation.
Fixes: https://pagure.io/freeipa/issue/7978
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
"message" parameter of pytest.raises is deprecated since Pytest4.1:
```
It is a common mistake to think this parameter will match the
exception message, while in fact it only serves to provide a custom
message in case the pytest.raises check fails.
```
That was the truth for test_unrecognised_attr_type_raises, which has
wrongly checked an exception message.
Fixes: https://pagure.io/freeipa/issue/7981
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
nfs.py calls "ipa user-add" without inputting the password twice
leading to a timeout. Input password twice then.
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This test requires SELinux and fails if selinux is disabled
(because it's calling semanage login -l).
The vagrant images currently in use in the nightly tests
are configured with selinux disabled. Add skipif marker when
selinux is disabled.
Fixes: https://pagure.io/freeipa/issue/7974
Reviewed-By: François Cami <fcami@redhat.com>
The test test_backup_and_restore.py::TestBackupAndRestore
test_full_backup_and_restore_with_selinux_booleans_off
requires SELinux to be enabled because it's using
getsebool command.
Skip the test if SELinux is disabled.
Fixes: https://pagure.io/freeipa/issue/7970
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The behavior of automember changed with the design
https://www.port389.org/docs/389ds/design/automember-postop-modify-design.html
such that members are "cleaned up" first then re-added. This has
the effect of removing members that no longer apply to a rule.
This was breaking the automember rebuild tests because sometimes
the tests were faster than 389-ds causing memberships to be missed.
This does a client-side wait for the task to finish up so still
exercises the rebuild code.
https://pagure.io/freeipa/issue/7972
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Equal DNs with multi-valued RDNs can compare inequal if one (or
both) is constructed from a cryptography.x509.Name, because the AVAs
in the multi-valued RDNs are not being sorted.
Sort the AVAs when constructing from Name and add test cases for
equality checks on multi-valued RDNs constructed from inputs with
permuted AVA order.
Part of: https://pagure.io/freeipa/issue/7963
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Commit e3f3584 introduced an additional prompt in ipa-server-install
"Do you want to configure chrony with NTP server or pool address?".
The test is building a string passed to stdin in interactive mode
but this string has not been updated with the additional answer for
this new question.
This commit answers 'no' to the question and allows to proceed with
the ipa server installation.
Fixes: https://pagure.io/freeipa/issue/7969
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
It is likely that these were fixed by the original change
b96906156b but was uncaught because
these tests are not executed in CI because the server is configured.
https://pagure.io/freeipa/issue/7836
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
New feature of autounmembership added in 389-ds-base
https://pagure.io/389-ds-base/issue/50077
Tests for autounmembership feature has been added in
this PR
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
The Host.ldap_connect() method uses LDAPClient from ipapython package.
In a3934a21 we started to use secure connection from tests controller to
ipa server. And also 5be9341f changed the LDAPClient.simple_bind method
to forbid password based authentiction over insecure connection.
This makes it imposible to establish ldap connection in some test
configurations where hostnames known to ipa server do not match ones known
to tests controller (i.e. when host.hostname != host.external_hostname)
because TLS certificate is issued for host.hostname and test controller
tries to verify it against host.external_hostname.
A sublass of LDAPClient is provided which allows to skip certificate check.
Fixes: https://pagure.io/freeipa/issue/7960
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Azure tests fail because we couldn't configure docker for IPv6 anymore.
This happened because we weren't able to copy our configuration file to
/etc/docker -- looks like the docker directory does not exist.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Tests added for two scenarios:
1) adding one-way external trust, trust on Windows side is created using
netdom utility.
2) adding one-way forest trust, trust on Windows side is created using
powershell bindings to .Net functions
Tests verify that specified trusts can be established, trust domains can
be fetched and AD user data can be queried by IPA client.
Relates: https://pagure.io/freeipa/issue/6077
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
The command
ipa-replica-manage list -v <node>
can display:
last init ended: 1970-01-01 00:00:00+00:00
last init status: None
when called on a node that never had total update.
The fix for 7716 modifies the command so that it doesn't print
those lines when there is no last init status.
This commit adds a new test checking the output of
ipa-replica-manage list -v <node>.
Related to: https://pagure.io/freeipa/issue/7716
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Wrong logic was triggering the start instead of restart
for pki-tomcatd. This test validates that restart
called on pki-tomcat properly.
related ticket : https://pagure.io/freeipa/issue/7927
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
We recently added validation of externally-signed CA certificate to
ensure certificates signed by external CAs with too-small keys
(according to system crypto policy) are rejected.
Add an integration test that attempts to renew with a 1024-bit
external CA, and asserts failure.
Part of: https://pagure.io/freeipa/issue/7761
Reviewed-By: Christian Heimes <cheimes@redhat.com>
When applying DN to a cryptography.x509.Name, multi-valued RDNs get
"flattened" into separate RDNs. Update the constructor to correctly
handle Name values with multi-valued RDNs.
Fixes: https://pagure.io/freeipa/issue/7963
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
In 2012, ldbm backend in 389-ds started checking entry modification
after running betxnpreop plugins by comparing a number of modifications
before and after. If that number didn't change, it is considered that
plugins didn't modify the list.
ipa-pwd-extop actually removed and re-added modification to ipaNTHash if
it contained 'MagicRegen' value. This did not work since commit
https://pagure.io/389-ds-base/c/6c17ec56076d34540929acbcf2f3e65534060a43
but we were lucky nothing in FreeIPA code actually relied on that except
some code paths in ipasam Samba passdb driver. However, Samba didn't
reach the point where the code was triggered -- until now.
With support to run Samba as a domain member in IPA domain, that code
path is triggered for Kerberos service principals of domain members
(cifs/client.example.test, ...) and NT hash extraction from Kerberos
keys does not work.
Fix ipa-pwd-extop to follow recommendations in
https://pagure.io/389-ds-base/issue/387#comment-120145 and
https://pagure.io/389-ds-base/issue/50369#comment-570696
Fixes: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes@redhat.com>
In order to test a fix for https://pagure.io/freeipa/issue/7953,
we need to create a keytab with a particular encryption type
(arcfour-hmac) and attempt to request generation of ipaNTHash attribute
from Kerberos keys in LDAP.
Add a test case that performs this operation.
Related: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Convert use_keytab() function into a context manager to allow additional
operations to be done as part of the test. Also pass proper credentials
cache file to the backend while connecting to LDAP so that right creds
are in use.
This is required to perform actual tests for use of the retrieved keys.
Related: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Rewrite templates to make test job declarations simpler and easier to
work with.
A test job template can be instantiated this way:
- template: templates/test-jobs.yml
parameters:
jobName: Base
jobTitle: Base tests
testsToRun:
- test_cmdline
- test_install
- test_ipaclient
- test_ipalib
- test_ipaplatform
- test_ipapython
testsToIgnore:
- test_integration
- test_webui
- test_ipapython/test_keyring.py
taskToRun: run-tests
Both 'testsToRun' and 'testsToIgnore' accept arrays of test matches.
Wildcards also supported:
....
testsToRun:
- test_xmlrpc/test_hbac*
....
'taskToRun' specifies a script ipatests/azure/azure-${taskToRun}.sh that
will be executed in the test environment to actually start tests.
Parameters 'testsToRun' and 'testsToIgnore' define TESTS_TO_{RUN,IGNORE}
variables that will be set in the environment of the test script. These
variables will have entries from the parameters separated by a space.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
ipa-run-tests expands arguments passed with their full paths. However,
it doesn't support expanding globs, so targets like 'test_ipa*' cannot
be specified.
Expand the code that replaces '--ignore foo' and 'foo' positional
arguments with support for '--ignore foo*' and 'foo*'.
This allows to reduce a number of additional steps in the CI pipeline
preparation.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Order of master/replica was incorect which has been
corrected
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
After resolving https://pagure.io/freeipa/issue/7930
an unattended option alongsede with -r 'REALM' option
needs to be passed to tasks which lacks ntp options.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Oleg Kozlov <okozlov@redhat.com>
Add a test checking that the entry cn=CAcert,cn=ipa,cn=etc,BASEDN
is properly updated when the CA is renewed
The test also checks that the entry
cn=DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,BASEDN properly
contains ipaconfigstring: compatCA
ipaconfigstring: ipaCA
Related to https://pagure.io/freeipa/issue/7928
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The FreeIPA uses its own classes for managing temp files and
directories for tests. One of its underlying low-level functions
is `mkdtemp`.
According to documentation for `mkdtemp`:
```
If dir is not None, the file will be created in that directory; otherwise, a
default directory is used. The default directory is chosen from a
platform-dependent list, but the user of the application can control the
directory location by setting the TMPDIR, TEMP or TMP environment variables.
```
It's actually the truth,
/usr/lib64/python3.7/tempfile.py:
```
def _candidate_tempdir_list():
"""Generate a list of candidate temporary directories which
_get_default_tempdir will try."""
dirlist = []
# First, try the environment.
for envname in 'TMPDIR', 'TEMP', 'TMP':
dirname = _os.getenv(envname)
if dirname: dirlist.append(dirname)
# Failing that, try OS-specific locations.
if _os.name == 'nt':
dirlist.extend([ _os.path.expanduser(r'~\AppData\Local\Temp'),
_os.path.expandvars(r'%SYSTEMROOT%\Temp'),
r'c:\temp', r'c:\tmp', r'\temp', r'\tmp' ])
else:
dirlist.extend([ '/tmp', '/var/tmp', '/usr/tmp' ])
```
For now, there is a hardcoded assertion of a temp directory (`/tmp`) in
IPA tests. But some systems use the mentioned environment variables
(for example, pam_mktemp https://www.openhub.net/p/pam_mktemp).
It's easy to check an actual temp dir via `gettempdir`.
Fixes: https://pagure.io/freeipa/issue/7956
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The test runs rpm -V in order to check that the file
permissions are consistent with the expectations set
in the spec file. The file mode, owner and group are
checked.
Related to https://pagure.io/freeipa/issue/7934
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The ipatests/test_integration/ package only uses ipaserver in a few
places. Copy some simple constants to decouple the packages.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Commit f49fac7bda added a special
workaround to get fr-fr locale translations installed when running
tests in Travis CI.
Get it back to Azure Pipelines.
Fixes: https://pagure.io/freeipa/issue/7951
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
If TESTS_TO_RUN contains a single parameter that cannot be expanded,
bash will not perform brace elimination. Remove braces manually.
For example, TESTS_TO_RUN='test_xmlrpc/test_*.py' will not expand
outside of ipatests and the script would generate
tests_to_run=-k{test_xmlrpc/test_*.py}
Braces then will prevent actual ipa-run-tests execution from matching
any of XMLRPC tests.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Sets up a pipeline to run FreeIPA build and tests in Azure Pipelines.
Azure Pipelines provides 10 parallel free runners for open source projects.
Use them to run following jobs:
- Build: build RPMs and Fedora 30 container with them
- Lint: run linting of the source code
- Tox: run py36,pypi,pylint tests using Tox
- Web UI unit tests: run Web UI unit tests with Grunt/QUnit/PhantomJS
- XMLRPC tests: install FreeIPA server and run XMLRPC tests against it
All jobs are running in Fedora 30 containers. Build, Lint, Tox, and Web
UI unit tests run inside f30/fedora-toolbox container. Build job
generates a container with pre-installed FreeIPA packages using official
fedora:30 container. All containers are picked up from
registry.fedoraproject.org.
Artifacts from the build job are pushed to a pipeline storage and reused
in the XMLRPC tests. They also are accessible in the 'Summary' tab to
download.
XUnit and QUnit outputs from the tests that produce it are reported in
the 'Tests' tab.
Logs from individual steps from each job are available for review in
the 'Logs' tab. They also can be downloaded.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The modern PKCS#8 private key format supports better encryption standard
and is preferable over traditional, weak PKCS#1 key format.
Fixes: https://pagure.io/freeipa/issue/7943
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Oleg Kozlov <okozlov@redhat.com>
This commit tests the--idmap-domain knob with the following behavior:
- if not present, default to IDM domain (current behavior)
- if equal to DNS (magic value), set nothing and let idmapd autodetect domain
- otherwise set Domain in idmap.conf to the value passed by this parameter
Related to: https://pagure.io/freeipa/issue/7918
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Under some conditions, ipa config-show and several other commands were
failing with error message:
ERROR: invalid 'PKINIT enabled server': all masters must have IPA master role enabled
Amongst others the issue can be caused by a broken installation, when
some services are left in state 'configuredServices'. The problem even
block uninstallation or removal of replicas. Now configured servers are
also consider valid providers for associated roles.
A new test verifies that config-show works with hidden and configured HTTP
service.
Remark: The original intent of the sanity check is no longer clear to me. I
think it was used to very that all services can be started by ipactl.
Since ipactl starts hidden, configured, and enabled services, the new
logic reflect the fact, too.
Fixes: https://pagure.io/freeipa/issue/7929
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
python-ldap is a Python package with heavy C extensions. In order to
build python-ldap, not only OpenLDAP development headers are necessary,
but also OpenSSL, Cyrus SASL, and MIT KRB5 development headers.
A fully functional ipaclient doesn't need an LDAP driver. It talks JSON
RPC over HTTPS to a server. python-ldap is only used by ipapython.dn.DN
to convert a string to a DN with ldap_str2dn(). The function is simple
and can be wrapped with ctypes in a bunch of lines.
Related: https://pagure.io/freeipa/issue/6468
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Look for SELinux violation after installing a master with CA, KRA, and
DNS with DNSSEC. The test does not fail yet, because there are known
SELinux violations.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The p11-kit configuration injects p11-kit-proxy into all NSS databases.
Amongst other p11-kit loads SoftHSM2 PKCS#11 provider. This interferes
with 389-DS, certmonger, Dogtag and other services. For example certmonger
tries to open OpenDNSSEC's SoftHSM2 token, although it doesn't use it at
all. It also breaks Dogtag HSM support testing with SoftHSM2.
IPA server does neither need nor use SoftHSM2 proxied by p11-kit.
Related: https://pagure.io/freeipa/issue/7810
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* override ipa_ca_key_size
* test with SHA512withRSA
Related: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The object logger methods been deprecated for about two years since release
4.6.0. The log manager used to moneky-patch additional log methods like
info(), warning(), and error() into API plugin objects. The methods have
been replaced by calls to module logger objects in 4.6.0.
Remove monkey-patch logger methods, log manager, and its root logger from
ipapython.ipa_log_manager.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
On non-usrmerge systems (e.g., Debian), bash, mv, cp, cat, tail,
keyctl, and gzip live in /bin, not /usr/bin.
On usrmerge systems, /bin is a symlink to /usr/bin (or vice versa), so
this has no effect.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
With the latest NFS changes:
* systemd NFS-related unit files
* configuration from /etc/sysconfig/nfs to /etc/nfs.conf
testing NFS client {manual, ipa-client-automount} configuration
has become paramount.
This extends the existing automount location test and must be
run nightly.
Fixes: https://pagure.io/freeipa/issue/7805
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Peter Cech <pcech@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The test case verifies that IPA supports external CAs with weaker keys.
Related: Related: https://pagure.io/freeipa/issue/6790
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The signing key for IPA's CA certificate now uses a 3072 bit RSA key by
default.
According to https://www.keylength.com/, NIST 800-57 Part 1 Rev. 4
recommends 3072 bit RSA keys for keys that are used beyond 2030 for 128 bit
strength.
Fixes: https://pagure.io/freeipa/issue/6790
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
IPA used to write a custom /etc/resolv.conf. On Fedora and RHEL,
NetworkManager is typically maintaining resolv.conf. On reboot or
restart of the service, NM overwrites the custom settings.
On systems with NM enabled, the DNS server installer now drops a config
file into NM's global config directory and delegates resolv.conf to NM.
On systems without NM, fall back to create /etc/resolv.conf directly.
Fixes: https://pagure.io/freeipa/issue/7900
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Install CA with 4096bit RSA key and SHA-384 signature.
Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Allow to specify a pki.ini overlay file on the command line. The override
file can be used to override pkispawn settings.
Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>