URL: https://github.com/freeipa/freeipa/pull/2050 Author: tiran Title: #2050: Extend Sub CA replication test Action: opened
PR body: """ Test more scenarios like replication replica -> master, validate keys. See: https://pagure.io/freeipa/issue/7590 Signed-off-by: Christian Heimes <chei...@redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/2050/head:pr2050 git checkout pr2050
From 250b99280688f71a84a12ca4e589dc2fbcae17eb Mon Sep 17 00:00:00 2001 From: Christian Heimes <chei...@redhat.com> Date: Wed, 20 Jun 2018 11:09:35 +0200 Subject: [PATCH 1/2] Extend Sub CA replication test Test more scenarios like replication replica -> master, validate keys. See: https://pagure.io/freeipa/issue/7590 Signed-off-by: Christian Heimes <chei...@redhat.com> --- .../test_integration/test_replica_promotion.py | 68 ++++++++++++++++------ 1 file changed, 49 insertions(+), 19 deletions(-) diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py index b109fb904d..d32a08b8f9 100644 --- a/ipatests/test_integration/test_replica_promotion.py +++ b/ipatests/test_integration/test_replica_promotion.py @@ -593,6 +593,12 @@ def test_replica_install_with_existing_entry(self): tasks.install_replica(master, replica) +AUTH_ID_RE = re.compile( + 'Authority ID: ' + '([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})' +) + + class TestSubCAkeyReplication(IntegrationTest): """ Test if subca key replication is not failing. 
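Review bot: The new module-level `AUTH_ID_RE` is compiled without `re.IGNORECASE`, which the inline pattern it replaces in `test_sub_ca_key_replication` passed. If `ipa ca-add` ever prints the label or the hex digits in another case, the match comes back empty without any error. Either keep the flag, `re.compile(..., re.IGNORECASE)`, or add a comment stating that the output is known to be lowercase. Writing the pattern as raw strings (`r'Authority ID: '`, `r'([0-9a-f]{8}-...)'`) and adding a one-line comment such as `# Authority ID (UUID) as printed by 'ipa ca-add'` would make the constant self-explanatory.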
@@ -600,35 +606,57 @@ class TestSubCAkeyReplication(IntegrationTest): topology = 'line' num_replicas = 1 - SUBCA = 'test_subca' - SUBCA_CN = 'cn=' + SUBCA + SUBCA_MASTER = 'test_subca_master' + SUBCA_MASTER_CN = 'cn=' + SUBCA_MASTER + + SUBCA_REPLICA = 'test_subca_replica' + SUBCA_REPLICA_CN = 'cn=' + SUBCA_REPLICA PKI_DEBUG_PATH = '/var/log/pki/pki-tomcat/ca/debug' ERR_MESS = 'Caught exception during cert/key import' + def add_subca(self, host, name, subject): + result = host.run_command([ + 'ipa', 'ca-add', name, + '--subject', subject + ]) + + auth_id = "".join(re.findall(AUTH_ID_RE, result.stdout_text)) + + return '{} {}'.format(IPA_CA_NICKNAME, auth_id) + + def check_subca(self, host, name, cert_nick): + host.run_command(['ipa', 'ca-show', name]) + tasks.run_certutil( + host, ['-L', '-n', cert_nick], paths.PKI_TOMCAT_ALIAS_DIR + ) + host.run_command([ + paths.CERTUTIL, '-d', paths.PKI_TOMCAT_ALIAS_DIR, + '-f', paths.PKI_TOMCAT_ALIAS_PWDFILE_TXT, + '-K', '-n', cert_nick + ]) + def test_sub_ca_key_replication(self): master = self.master replica = self.replicas[0] - result = master.run_command(['ipa', 'ca-add', self.SUBCA, '--subject', - self.SUBCA_CN]) - - uuid = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}' - auth_id_re = re.compile('Authority ID: ({})'.format(uuid), - re.IGNORECASE) - auth_id = "".join(re.findall(auth_id_re, result.stdout_text)) - - cert_nick = '{} {}'.format(IPA_CA_NICKNAME, auth_id) + master_nick = self.add_subca( + master, self.SUBCA_MASTER, self.SUBCA_MASTER_CN + ) + replica_nick = self.add_subca( + master, self.SUBCA_REPLICA, self.SUBCA_REPLICA_CN + ) # give replication some time - time.sleep(30) + time.sleep(15) replica.run_command(['ipa-certupdate']) - replica.run_command(['ipa', 'ca-show', self.SUBCA]) + self.check_subca(replica, self.SUBCA_MASTER, master_nick) + self.check_subca(replica, self.SUBCA_REPLICA, replica_nick) - tasks.run_certutil(replica, ['-L', '-n', cert_nick], - paths.PKI_TOMCAT_ALIAS_DIR) + 
self.check_subca(master, self.SUBCA_MASTER, master_nick) + self.check_subca(master, self.SUBCA_REPLICA, replica_nick) pki_log_filename = ("{path}.{date}.log" .format(path=self.PKI_DEBUG_PATH, @@ -646,11 +674,13 @@ def test_sign_with_subca_on_replica(self): TEST_CRT_FILE = '/etc/pki/tls/private/test_subca.crt' caacl_cmd = ['ipa', 'caacl-add-ca', 'hosts_services_caIPAserviceCert', - '--cas', self.SUBCA] + '--cas', self.SUBCA_MASTER] master.run_command(caacl_cmd) - request_cmd = [paths.IPA_GETCERT, 'request', '-w', '-k', - TEST_KEY_FILE, '-f', TEST_CRT_FILE, '-X', self.SUBCA] + request_cmd = [ + paths.IPA_GETCERT, 'request', '-w', '-k', TEST_KEY_FILE, + '-f', TEST_CRT_FILE, '-X', self.SUBCA_MASTER + ] replica.run_command(request_cmd) status_cmd = [paths.IPA_GETCERT, 'status', '-v', '-f', TEST_CRT_FILE] @@ -659,4 +689,4 @@ def test_sign_with_subca_on_replica(self): ssl_cmd = ['openssl', 'x509', '-text', '-in', TEST_CRT_FILE] ssl = replica.run_command(ssl_cmd) - assert 'Issuer: CN = {}'.format(self.SUBCA) in ssl.stdout_text + assert 'Issuer: CN = {}'.format(self.SUBCA_MASTER) in ssl.stdout_text From fe014ebea506c7660ac6a229debacb04614ec96f Mon Sep 17 00:00:00 2001 From: Christian Heimes <chei...@redhat.com> Date: Wed, 20 Jun 2018 11:11:29 +0200 Subject: [PATCH 2/2] Temp test commit --- .freeipa-pr-ci.yaml | 185 +--------------------------------------------------- .travis.yml | 93 -------------------------- 2 files changed, 2 insertions(+), 276 deletions(-) delete mode 100644 .travis.yml diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml index f5c86c51a1..1195c2855e 100644 --- a/.freeipa-pr-ci.yaml +++ b/.freeipa-pr-ci.yaml 
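Review bot: In `test_sub_ca_key_replication` both `add_subca` calls pass `master`, so the CA named `SUBCA_REPLICA` is still created on the master and the replica -> master direction named in the description is never exercised. The second call presumably should be `replica_nick = self.add_subca(replica, self.SUBCA_REPLICA, self.SUBCA_REPLICA_CN)`. Separately, `add_subca` joins whatever `re.findall` returns, so a missing Authority ID produces a nickname with an empty id and the failure only shows up later in `certutil`. An `assert auth_id, result.stdout_text` straight after the match would fail at the cause. With the key check (`certutil -K`) now depending on replication having finished, the fixed `time.sleep(15)` (down from 30) looks like a likely source of flaky runs; polling `ipa ca-show` with a timeout would be more robust.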
@@ -27,195 +27,14 @@ jobs: timeout: 1800 topology: *build - fedora-28/simple_replication: + fedora-28/replica_promotion: requires: [fedora-28/build] priority: 50 job: class: RunPytest args: build_url: '{fedora-28/build_url}' - test_suite: test_integration/test_simple_replication.py + test_suite: test_integration/test_replica_promotion.py::TestSubCAkeyReplication template: *ci-master-f28 timeout: 3600 topology: *master_1repl - - fedora-28/caless: - requires: [fedora-28/build] - priority: 50 - job: - class: RunPytest - args: - build_url: '{fedora-28/build_url}' - test_suite: test_integration/test_caless.py::TestServerReplicaCALessToCAFull - template: *ci-master-f28 - timeout: 3600 - topology: *master_1repl - - fedora-28/external_ca_1: - requires: [fedora-28/build] - priority: 50 - job: - class: RunPytest - args: - build_url: '{fedora-28/build_url}' - test_suite: test_integration/test_external_ca.py::TestExternalCA - template: *ci-master-f28 - timeout: 3600 - topology: *master_1repl_1client - - fedora-28/external_ca_2: - requires: [fedora-28/build] - priority: 50 - job: - class: RunPytest - args: - build_url: '{fedora-28/build_url}' - test_suite: test_integration/test_external_ca.py::TestSelfExternalSelf test_integration/test_external_ca.py::TestExternalCAInstall - template: *ci-master-f28 - timeout: 3600 - topology: *master_1repl - - fedora-28/test_topologies: - requires: [fedora-28/build] - priority: 50 - job: - class: RunPytest - args: - build_url: '{fedora-28/build_url}' - test_suite: test_integration/test_topologies.py - template: *ci-master-f28 - timeout: 3600 - topology: *master_1repl - - fedora-28/test_sudo: - requires: [fedora-28/build] - priority: 50 - job: - class: RunPytest - args: - build_url: '{fedora-28/build_url}' - test_suite: test_integration/test_sudo.py - template: *ci-master-f28 - timeout: 3600 - topology: *master_1repl_1client - - fedora-28/test_commands: - requires: [fedora-28/build] - priority: 50 - job: - class: RunPytest - args: - build_url: 
'{fedora-28/build_url}' - test_suite: test_integration/test_commands.py - template: *ci-master-f28 - timeout: 3600 - topology: *master_1repl - - fedora-28/test_kerberos_flags: - requires: [fedora-28/build] - priority: 50 - job: - class: RunPytest - args: - build_url: '{fedora-28/build_url}' - test_suite: test_integration/test_kerberos_flags.py - template: *ci-master-f28 - timeout: 3600 - topology: *master_1repl_1client - - fedora-28/test_http_kdc_proxy: - requires: [fedora-28/build] - priority: 50 - job: - class: RunPytest - args: - build_url: '{fedora-28/build_url}' - test_suite: test_integration/test_http_kdc_proxy.py - template: *ci-master-f28 - timeout: 3600 - topology: *master_1repl_1client - - fedora-28/test_forced_client_enrolment: - requires: [fedora-28/build] - priority: 50 - job: - class: RunPytest - args: - build_url: '{fedora-28/build_url}' - test_suite: test_integration/test_forced_client_reenrollment.py - template: *ci-master-f28 - timeout: 3600 - topology: *master_1repl_1client - - fedora-28/test_advise: - requires: [fedora-28/build] - priority: 50 - job: - class: RunPytest - args: - build_url: '{fedora-28/build_url}' - test_suite: test_integration/test_advise.py - template: *ci-master-f28 - timeout: 3600 - topology: *master_1repl - - fedora-28/test_testconfig: - requires: [fedora-28/build] - priority: 50 - job: - class: RunPytest - args: - build_url: '{fedora-28/build_url}' - test_suite: test_integration/test_testconfig.py - template: *ci-master-f28 - timeout: 3600 - topology: *master_1repl - - fedora-28/test_service_permissions: - requires: [fedora-28/build] - priority: 50 - job: - class: RunPytest - args: - build_url: '{fedora-28/build_url}' - test_suite: test_integration/test_service_permissions.py - template: *ci-master-f28 - timeout: 3600 - topology: *master_1repl - - fedora-28/test_netgroup: - requires: [fedora-28/build] - priority: 50 - job: - class: RunPytest - args: - build_url: '{fedora-28/build_url}' - test_suite: 
test_integration/test_netgroup.py - template: *ci-master-f28 - timeout: 3600 - topology: *master_1repl - - fedora-28/test_vault: - requires: [fedora-28/build] - priority: 50 - job: - class: RunPytest - args: - build_url: '{fedora-28/build_url}' - test_suite: test_integration/test_vault.py - template: *ci-master-f28 - timeout: 4500 - topology: *master_1repl - - fedora-28/test_authconfig: - requires: [fedora-28/build] - priority: 50 - job: - class: RunPytest - args: - build_url: '{fedora-28/build_url}' - test_suite: test_integration/test_authselect.py - template: *ci-master-f28 - timeout: 3600 - topology: *master_1repl_1client - diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index f81af742b9..0000000000 --- a/.travis.yml +++ /dev/null 
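Review bot: With every other `fedora-28/*` test job removed here and `.travis.yml` deleted in the same commit, merging this branch as-is would leave only the build and `TestSubCAkeyReplication` gating later pull requests, with no lint or unit-test run. The subject marks the commit as temporary, so it should be dropped before merge. If the Sub CA replication test is meant to run in PR CI permanently, add the `fedora-28/replica_promotion` job alongside the existing ones rather than replacing `fedora-28/simple_replication`.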
@@ -1,93 +0,0 @@ -# workaround for missing IPv6 address support -# https://github.com/travis-ci/travis-ci/issues/8891 -sudo: required -dist: trusty -group: deprecated-2017Q4 - -language: python - -services: - - docker -python: - - "3.6" -cache: pip -env: - global: - - TEST_RUNNER_IMAGE="freeipa/freeipa-test-runner:master-latest" - PEP8_ERROR_LOG="pycodestyle_errors.log" - CI_RESULTS_LOG="ci_results_${TRAVIS_BRANCH}.log" - CI_BACKLOG_SIZE=5000 - CI_RUNNER_LOGS_DIR="/tmp/test-runner-logs" - CI_RUNNER_LOG_ARCHIVE="freeipa-ci-pr-${TRAVIS_PULL_REQUEST}-job-${TRAVIS_JOB_NUMBER}.tar.gz" - matrix: - - TASK_TO_RUN="lint" - TEST_RUNNER_CONFIG=".test_runner_config.yaml" - - TASK_TO_RUN="webui-unit" - TEST_RUNNER_CONFIG=".test_runner_config.yaml" - - TASK_TO_RUN="run-tests" - PYTHON=/usr/bin/python2 - TEST_RUNNER_CONFIG=".test_runner_config.yaml" - TESTS_TO_RUN="test_xmlrpc/test_[a-k]*.py" - - TASK_TO_RUN="run-tests" - PYTHON=/usr/bin/python2 - TEST_RUNNER_CONFIG=".test_runner_config.yaml" - TESTS_TO_RUN="test_cmdline - test_install - test_ipaclient - test_ipalib - test_ipaplatform - test_ipapython - test_ipaserver - test_xmlrpc/test_[l-z]*.py" - - TASK_TO_RUN="run-tests" - PYTHON=/usr/bin/python3 - TEST_RUNNER_CONFIG=".test_runner_config_py3_temp.yaml" - TESTS_TO_RUN="test_xmlrpc/test_[a-k]*.py" - - TASK_TO_RUN="run-tests" - PYTHON=/usr/bin/python3 - TEST_RUNNER_CONFIG=".test_runner_config_py3_temp.yaml" - TESTS_TO_RUN="test_cmdline - test_install - test_ipaclient - test_ipalib - test_ipaplatform - test_ipapython - test_ipaserver - test_xmlrpc/test_[l-z]*.py" - - TASK_TO_RUN="tox" - TEST_RUNNER_CONFIG=".test_runner_config.yaml" - -before_install: - - ip addr show - - ls /proc/net - - cat /proc/net/if_inet6 -# - ip addr show dev lo | grep -q inet6 || (echo "No IPv6 address found"; exit 1) - -install: - - pip3 install --upgrade pip - - pip3 install pycodestyle - - > - pip3 install - git+https://github.com/freeipa/ipa-docker-test-runner@release-0-3-1 - -script: - - mkdir -p 
$CI_RUNNER_LOGS_DIR - - travis_wait 50 ./.travis_run_task.sh - - test -z "`cat $PEP8_ERROR_LOG`" -after_failure: - - echo "Test runner output:"; tail -n $CI_BACKLOG_SIZE $CI_RESULTS_LOG - - echo "PEP-8 errors:"; cat $PEP8_ERROR_LOG - - > - echo "Archiving CI logs"; - if [[ "$TASK_TO_RUN" != "lint" ]]; then - tar --ignore-failed-read -uvf var_log.tar $CI_RESULTS_LOG $PEP8_ERROR_LOG; - gzip var_log.tar; - mv var_log.tar.gz $CI_RUNNER_LOG_ARCHIVE; - - transfer_url=$( - curl --upload-file \ - ./$CI_RUNNER_LOG_ARCHIVE \ - https://transfer.sh/${CI_RUNNER_LOG_ARCHIVE}) && - echo "Download log archive from ${transfer_url}" || - echo "Failed to upload log archive!"; - fi