On 11/01/2013 03:42 PM, Tomas Babej wrote:
On 11/01/2013 03:39 PM, Petr Viktorin wrote:
On 11/01/2013 03:20 PM, Tomas Babej wrote:
On 11/01/2013 12:19 PM, Tomas Babej wrote:
Hi,
This implements the test cases for legacy clients using SSSD, nss-ldap
and nss-pam-ldapd.
Part of: https://fedorahosted.org/freeipa/ticket/3833
A nitpick:
assert result.returncode == 0
run_command will do this for you (unless you give raiseonerr=False)
Right. Updated patch attached.
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Updating comments in patches 128 and 129 upon Alexander's request.
--
Tomas Babej
Associate Software Engeneer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org
From 1bdacdc9d7a7385d45bb7a6253f7a568d5b6024f Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Fri, 1 Nov 2013 13:59:16 +0100
Subject: [PATCH] ipatests: test_trust: use domain name instead of realm for
user lookups
---
ipatests/test_integration/test_trust.py | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index c5167301503ef0c7fb8518d8c865617e17da9da4..68fc0285c58bf540bddbf1368bee1d0b28459ad1 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -86,7 +86,8 @@ class TestBasicADTrust(ADTrustBase):
def test_user_gid_uid_resolution_in_nonposix_trust(self):
"""Check that user has SID-generated UID"""
- testuser = 'testuser@%s' % self.ad.domain.realm
+ # Using domain name since it is lowercased realm name for AD domains
+ testuser = 'testuser@%s' % self.ad.domain.name
result = self.master.run_command(['getent', 'passwd', testuser])
# This regex checks that Test User does not have UID 10042 nor belongs
@@ -124,7 +125,8 @@ class TestPosixADTrust(ADTrustBase):
def test_user_uid_gid_resolution_in_posix_trust(self):
# Check that user has AD-defined UID
- testuser = 'testuser@%s' % self.ad.domain.realm
+ # Using domain name since it is lowercased realm name for AD domains
+ testuser = 'testuser@%s' % self.ad.domain.name
result = self.master.run_command(['getent', 'passwd', testuser])
testuser_stdout = "testuser@%s:*:10042:10047:"\
@@ -136,7 +138,8 @@ class TestPosixADTrust(ADTrustBase):
def test_user_without_posix_attributes_not_visible(self):
# Check that user has AD-defined UID
- nonposixuser = 'nonposixuser@%s' % self.ad.domain.realm
+ # Using domain name since it is lowercased realm name for AD domains
+ nonposixuser = 'nonposixuser@%s' % self.ad.domain.name
result = self.master.run_command(['getent', 'passwd', nonposixuser],
raiseonerr=False)
--
1.8.3.1
From 95f3b485136781c804b73d613939b4582bec78ae Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Fri, 1 Nov 2013 13:57:18 +0100
Subject: [PATCH] ipatests: Add integration tests for legacy clients
Part of: https://fedorahosted.org/freeipa/ticket/3833
---
ipatests/test_integration/test_legacy_clients.py | 261 +++++++++++++++++++++++
1 file changed, 261 insertions(+)
create mode 100644 ipatests/test_integration/test_legacy_clients.py
diff --git a/ipatests/test_integration/test_legacy_clients.py b/ipatests/test_integration/test_legacy_clients.py
new file mode 100644
index 0000000000000000000000000000000000000000..72b7ff4927a16bb914e96b5d5f64cc6da35ba98c
--- /dev/null
+++ b/ipatests/test_integration/test_legacy_clients.py
@@ -0,0 +1,261 @@
+# Authors:
+# Tomas Babej <tba...@redhat.com>
+#
+# Copyright (C) 2013 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import os
+import re
+
+import nose
+
+from ipatests.test_integration import tasks
+
+# importing test_trust under different name to avoid nose executing the test
+# base class imported from this module
+from ipatests.test_integration import test_trust as trust_tests
+
+
+class BaseTestLegacyClient(trust_tests.TestEnforcedPosixADTrust):
+ """
+ Tests legacy client support.
+ """
+
+ advice_id = None
+ backup_files = ['/etc/sysconfig/authconfig',
+ '/etc/pam.d',
+ '/etc/openldap/cacerts',
+ '/etc/openldap/ldap.conf',
+ '/etc/nsswitch.conf',
+ '/etc/sssd/sssd.conf']
+
+ @classmethod
+ def setup_class(cls):
+ super(BaseTestLegacyClient, cls).setup_class()
+ cls.ad = cls.ad_domains[0].ads[0]
+
+ cls.legacy_client = cls.host_by_role(cls.required_extra_roles[0])
+ tasks.apply_common_fixes(cls.legacy_client)
+
+ for f in cls.backup_files:
+ tasks.backup_file(cls.legacy_client, f)
+
+ def test_remove_trust_with_posix_attributes(self):
+ pass
+
+ def test_apply_advice(self):
+ # Obtain the advice from the server
+ tasks.kinit_admin(self.master)
+ result = self.master.run_command(['ipa-advise', self.advice_id])
+ advice = result.stdout_text
+
+ # Apply the advice on the legacy client
+ advice_path = os.path.join(self.legacy_client.config.test_dir,
+ 'advice.sh')
+ self.legacy_client.put_file_contents(advice_path, advice)
+ result = self.legacy_client.run_command(['bash', '-x', '-e',
+ advice_path])
+
+ # Restart SSHD to load new PAM configuration
+ self.legacy_client.run_command(['/sbin/service', 'sshd', 'restart'])
+
+ def clear_sssd_caches(self):
+ tasks.clear_sssd_cache(self.master)
+ tasks.clear_sssd_cache(self.legacy_client)
+
+ def test_getent_ipa_user(self):
+ self.clear_sssd_caches()
+ result = self.legacy_client.run_command(['getent', 'passwd', 'admin'])
+
+ admin_regex = "^admin:\*:(\d+):(\d+):"\
+ "Administrator:/home/admin:/bin/bash$"
+
+ assert re.search(admin_regex, result.stdout_text)
+
+ def test_getent_ipa_group(self):
+ self.clear_sssd_caches()
+ result = self.legacy_client.run_command(['getent', 'group', 'admins'])
+
+ admin_group_regex = "^admins:\*:(\d+):admin"
+
+ assert re.search(admin_group_regex, result.stdout_text)
+
+ def test_id_ipa_user(self):
+ self.clear_sssd_caches()
+ result = self.legacy_client.run_command(['id', 'admin'])
+
+ uid_regex = "uid=(\d+)\(admin\)"
+ gid_regex = "gid=(\d+)\(admins\)"
+ groups_regex = "groups=(\d+)\(admins\)"
+
+ assert re.search(uid_regex, result.stdout_text)
+ assert re.search(gid_regex, result.stdout_text)
+ assert re.search(groups_regex, result.stdout_text)
+
+ def test_getent_ad_user(self):
+ self.clear_sssd_caches()
+ testuser = 'testuser@%s' % self.ad.domain.name
+ result = self.legacy_client.run_command(['getent', 'passwd', testuser])
+
+ testuser_stdout = "testuser@%s:*:10042:10047:"\
+ "Test User:/home/testuser:/bin/sh"\
+ % self.ad.domain.name
+
+ assert testuser_stdout in result.stdout_text
+
+ def test_getent_ad_group(self):
+ self.clear_sssd_caches()
+ testgroup = 'test group@%s' % self.ad.domain.name
+ result = self.legacy_client.run_command(['getent', 'group', testgroup])
+
+ testgroup_stdout = "%s:\*:10047:" % testgroup
+ assert re.search(testgroup_stdout, result.stdout_text)
+
+ def test_id_ad_user(self):
+ self.clear_sssd_caches()
+ testuser = 'testuser@%s' % self.ad.domain.name
+ testgroup = 'test group@%s' % self.ad.domain.name
+
+ result = self.legacy_client.run_command(['id', testuser])
+
+ uid_regex = "uid=10042\(%s\)" % testuser
+ gid_regex = "gid=10047\(%s\)" % testgroup
+ groups_regex = "groups=10047\(%s\)" % testgroup
+
+ assert re.search(uid_regex, result.stdout_text)
+ assert re.search(gid_regex, result.stdout_text)
+ assert re.search(groups_regex, result.stdout_text)
+
+ def test_login_ipa_user(self):
+ if not self.master.transport.file_exists('/usr/bin/sshpass'):
+ raise nose.SkipTest('Package sshpass not available on %s'
+ % self.master.hostname)
+
+ result = self.master.run_command(
+ 'sshpass -p %s '
+ 'ssh '
+ '-o StrictHostKeyChecking=no '
+ '-l admin '
+ '%s '
+ '"echo test"' %
+ (self.legacy_client.config.admin_password,
+ self.legacy_client.external_hostname))
+
+ assert "test" in result.stdout_text
+
+ def test_login_ad_user(self):
+ if not self.master.transport.file_exists('/usr/bin/sshpass'):
+ raise nose.SkipTest('Package sshpass not available on %s'
+ % self.master.hostname)
+
+ testuser = 'testuser@%s' % self.ad.domain.name
+ result = self.master.run_command(
+ 'sshpass -p Secret123 '
+ 'ssh '
+ '-o StrictHostKeyChecking=no '
+ '-l %s '
+ '%s '
+ '"echo test"' %
+ (testuser, self.legacy_client.external_hostname))
+
+ assert "test" in result.stdout_text
+
+ def test_login_disabled_ipa_user(self):
+ if not self.master.transport.file_exists('/usr/bin/sshpass'):
+ raise nose.SkipTest('Package sshpass not available on %s'
+ % self.master.hostname)
+
+ self.clear_sssd_caches()
+
+ result = self.master.run_command(
+ 'sshpass -p %s '
+ 'ssh '
+ '-o StrictHostKeyChecking=no '
+ '-l disabledipauser '
+ '%s '
+ '"echo test"'
+ % (self.legacy_client.config.admin_password,
+ self.legacy_client.external_hostname),
+ raiseonerr=False)
+
+ assert result.returncode != 0
+
+ def test_login_disabled_ad_user(self):
+ if not self.master.transport.file_exists('/usr/bin/sshpass'):
+ raise nose.SkipTest('Package sshpass not available on %s'
+ % self.master.hostname)
+
+ testuser = 'disabledaduser@%s' % self.ad.domain.name
+ result = self.master.run_command(
+ 'sshpass -p Secret123 '
+ 'ssh '
+ '-o StrictHostKeyChecking=no '
+ '-l %s '
+ '%s '
+ '"echo test"' %
+ (testuser, self.legacy_client.external_hostname),
+ raiseonerr=False)
+
+ assert result.returncode != 0
+
+ @classmethod
+ def install(cls):
+ super(BaseTestLegacyClient, cls).install()
+
+ password_confirmation = (
+ cls.master.config.admin_password +
+ '\n' +
+ cls.master.config.admin_password
+ )
+
+ cls.master.run_command(['ipa', 'user-add', 'disabledipauser',
+ '--first', 'disabled',
+ '--last', 'ipauser',
+ '--password'],
+ stdin_text=password_confirmation)
+
+ cls.master.run_command(['ipa', 'user-disable', 'disabledipauser'])
+
+ @classmethod
+ def uninstall(cls):
+ cls.master.run_command(['ipa', 'user-del', 'disabledipauser'],
+ raiseonerr=False)
+ tasks.unapply_fixes(cls.legacy_client)
+ super(BaseTestLegacyClient, cls).uninstall()
+
+
+class TestLegacySSSDBefore19RedHat(BaseTestLegacyClient):
+
+ advice_id = 'config-redhat-sssd-before-1-9'
+ required_extra_roles = ['legacy_client_sssd_redhat']
+
+
+class TestLegacyNssPamLdapdRedHat(BaseTestLegacyClient):
+
+ advice_id = 'config-redhat-nss-pam-ldapd'
+ required_extra_roles = ['legacy_client_nss_pam_ldapd_redhat']
+
+ def clear_sssd_caches(self):
+ tasks.clear_sssd_cache(self.master)
+
+
+class TestLegacyNssLdapRedHat(BaseTestLegacyClient):
+
+ advice_id = 'config-redhat-nss-ldap'
+ required_extra_roles = ['legacy_client_nss_ldap_redhat']
+
+ def clear_sssd_caches(self):
+ tasks.clear_sssd_cache(self.master)
--
1.8.3.1
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
