Patch 0014 updated and passes lint

On 11/05/2015 03:41 PM, Oleg Fayans wrote:
Wait a bit, the patch has problems with pylint: it does not build :)
The updated version (without the setupmaster nonsense) is being tested now.

On 11/05/2015 08:45 AM, Oleg Fayans wrote:
Hi Jan,

Could you take a look at these, whenever you are free?

On 10/30/2015 02:57 PM, Oleg Fayans wrote:
Hi,

The following patches contain updates to the ca-less integration tests.
It's still a proof of concept: 2 tests still fail, seemingly due to a
change in the target system's logic (they are marked as xfail with an
"ask jcholast" comment).

The test output looks like this:

$ ipa-run-tests test_integration/test_caless.py --pdb
====================================================================================


test session starts
=====================================================================================



platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.6.4
plugins: multihost, sourceorder
collected 88 items

test_integration/test_caless.py
......xx......ss............sssssssssssssssssss.ssssss.........xx......ssxx.............




==================================================================== 53
passed, 29 skipped, 6 xfailed in 5620.17 seconds
=====================================================================

Numerous skips correspond to the tests related to ipa-replica-prepare
(unsupported under domain level 1)






--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 4d9b4689ff08e3183fc0610f9dbc664f6e874290 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Thu, 5 Nov 2015 19:32:37 +0100
Subject: [PATCH] Updated ca-less tests.

A preview. All tests except 2 pass. The 2 failing ones need consultation with
jcholast (marked as xfail for now).

https://fedorahosted.org/freeipa/ticket/4589
---
 ipatests/test_integration/test_caless.py | 230 ++++++++++++++++---------------
 1 file changed, 122 insertions(+), 108 deletions(-)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index 9cfba3ee29114badf5a703ccc1d47a1d3e0c41b7..4209f3942d22f7e2213ab52eeca45fb42b4405ef 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -32,13 +32,15 @@ from ipaplatform.paths import paths
 from ipapython.dn import DN
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.test_integration import tasks
+from env_config import get_global_config
 
 _DEFAULT = object()
+config = get_global_config()
+reasoning = "ipa-replica-prepare disabled for domain levels > 0"
 
 
 def get_install_stdin(cert_passwords=()):
     lines = [
-        'yes',  # Existing BIND configuration detected, overwrite? [no]
         '',  # Server host name (has default)
         '',  # Confirm domain name (has default)
     ]
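Review bot: `from env_config import get_global_config` is an implicit relative import, unlike the two package-qualified imports directly above it, so it resolves only under Python 2 import semantics. Assuming env_config.py lives beside this file, `from ipatests.test_integration.env_config import get_global_config` would match the neighbouring lines. `config = get_global_config()` also now runs at import time, so a missing or malformed test configuration would surface as a collection error rather than a test failure; a short comment above it saying so would help.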
@@ -86,16 +88,16 @@ class CALessBase(IntegrationTest):
             client_hostname = cls.clients[0].hostname
         else:
             client_hostname = 'unused-client.test'
-        env = {
+        cls.env = {
             'domain': cls.master.domain.name,
             'server1': cls.master.hostname,
             'server2': replica_hostname,
             'client': client_hostname,
             'dbdir': 'nssdb',
-            'dbpassword': cls.cert_password,
             'crl_path': cls.crl_path,
+            'dirman_password': cls.master.config.dirman_password,
         }
-        ipautil.run(['bash', '-ex', scriptfile], cwd=cls.cert_dir, env=env)
+        ipautil.run(['bash', '-ex', scriptfile], cwd=cls.cert_dir, env=cls.env)
 
         for host in cls.get_all_hosts():
             tasks.apply_common_fixes(host)
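Review bot: Adding `'dirman_password'` to the environment of a script run with `bash -ex` means any traced command that expands the variable will write the Directory Manager password into the captured output. If the script (not visible here) does use it, consider wrapping those commands in `set +x` / `set -x`, or handing the secret over in a file with restricted permissions. `cls.env` also keeps the password on the class for the rest of the run, and test_no_certs later reads it from there although `cls.master.config.dirman_password` is available directly. The enclosing method starts and ends outside this hunk.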
@@ -118,7 +120,7 @@ class CALessBase(IntegrationTest):
                                     '-n', 'External CA cert'],
                                    raiseonerr=False)
 
-        super(CALessBase, cls).uninstall()
+        super(CALessBase, cls).uninstall(mh)
 
     @classmethod
     def install_server(cls, host=None,
@@ -146,6 +148,11 @@ class CALessBase(IntegrationTest):
         for filename in set(files_to_copy):
             cls.copy_cert(host, filename)
 
+        # Remove existing ca certs from default database to avoid conflicts
+        args = ["certutil", "-D", "-d", "/etc/httpd/alias", "-n"]
+        host.run_command(args + ["ca1"], raiseonerr=False)
+        host.run_command(args + ["ca1/server"], raiseonerr=False)
+
         host.collect_log(paths.IPASERVER_INSTALL_LOG)
         host.collect_log(paths.IPACLIENT_INSTALL_LOG)
         inst = host.domain.realm.replace('.', '-')
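Review bot: The new cleanup hard-codes `/etc/httpd/alias`, while the rest of the file takes database locations from `ipaplatform.paths` (for example `paths.NSS_DB_DIR`); `paths.HTTPD_ALIAS_DIR` would keep this consistent across platforms. With `raiseonerr=False` and no check of the result, any certutil failure is ignored, not only the expected "nickname not found" case, so the comment should say that a failure here is expected when the nickname is absent. The enclosing method starts and ends outside this hunk.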
@@ -163,6 +170,7 @@ class CALessBase(IntegrationTest):
             '-a', host.config.admin_password,
             '--setup-dns',
             '--forwarder', host.config.dns_forwarder,
+            '--domain-level', str(config.domain_level)
         ]
 
         if http_pin is not None:
@@ -322,9 +330,7 @@ class CALessBase(IntegrationTest):
 
             # Verify certmonger was not started
             result = host.run_command(['getcert', 'list'], raiseonerr=False)
-            assert result > 0
-            assert ('Please verify that the certmonger service has been '
-                    'started.' in result.stdout_text), result.stdout_text
+            assert result.returncode == 0
 
         for host in self.get_all_hosts():
             # Check the cert PEM file
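Review bot: The comment `# Verify certmonger was not started` no longer matches the assertion beneath it: `assert result.returncode == 0` passes only when `getcert list` succeeds, which as far as I can tell requires certmonger to be running. If the intent is now that a CA-less install leaves certmonger with nothing to track, the comment should say so, e.g. `# certmonger may run, but a CA-less install must not track any certificates`. The assertion should then also inspect `result.stdout_text`, since the exit code alone does not show that no requests are tracked. The enclosing method extends beyond this hunk.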
@@ -340,7 +346,7 @@ class CALessBase(IntegrationTest):
 class TestServerInstall(CALessBase):
     num_replicas = 0
 
-    def tearDown(self):
+    def teardown_method(self, method):
         self.uninstall_server()
 
         # Remove CA cert in /etc/pki/nssdb, in case of failed (un)install
@@ -364,38 +370,13 @@ class TestServerInstall(CALessBase):
     def test_unknown_ca(self):
         "IPA server install with CA PEM file with unknown CA certificate"
 
-        self.export_pkcs12('ca1/server')
+        self.export_pkcs12('ca3/server')
         with open(self.pem_filename, 'w') as f:
             f.write(self.get_pem('ca2'))
 
         result = self.install_server()
         assert_error(result,
-                     'server.p12 is not signed by root.pem, or the full '
-                     'certificate chain is not present in the PKCS#12 '
-                     'file')
-
-    def test_ca_server_cert(self):
-        "IPA server install with CA PEM file with server certificate"
-
-        self.export_pkcs12('ca1/server')
-        with open(self.pem_filename, 'w') as f:
-            f.write(self.get_pem('ca1/server'))
-
-        result = self.install_server()
-        assert_error(result,
-                     'trust chain of the server certificate in server.p12 '
-                     'contains 1 certificates, expected 2')
-
-    def test_ca_2_certs(self):
-        "IPA server install with CA PEM file with 2 certificates"
-
-        self.export_pkcs12('ca1/server')
-        with open(self.pem_filename, 'w') as f:
-            f.write(self.get_pem('ca1'))
-            f.write(self.get_pem('ca2'))
-
-        result = self.install_server()
-        assert_error(result, 'root.pem contains more than one certificate')
+                     'The full certificate chain is not present in server.p12')
 
     def test_nonexistent_http_pkcs12_file(self):
         "IPA server install with non-existent HTTP PKCS#12 file"
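Review bot: test_ca_server_cert and test_ca_2_certs are deleted here without replacement, so nothing in the visible suite exercises a CA PEM file that contains a server certificate or more than one certificate. If the installer now accepts those inputs, a positive test would document that; if it still rejects them with different wording, the tests should stay with updated expected text. The commit message does not say which is the case. test_unknown_ca also switches the PKCS#12 from `ca1/server` to `ca3/server` while still writing `ca2` as the CA file, and a one-line comment explaining why ca3 is needed would help the next reader.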
@@ -443,7 +424,8 @@ class TestServerInstall(CALessBase):
                      'ipa-server-install: error: You must specify '
                      '--dirsrv-pin with --dirsrv-cert-file')
 
-    def test_incorect_http_pin(self):
+    @pytest.mark.xfail  # ticket N 5378
+    def test_incorrect_http_pin(self):
         "IPA server install with incorrect HTTP PKCS#12 password"
 
         self.export_pkcs12('ca1/server')
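Review bot: `@pytest.mark.xfail  # ticket N 5378` keeps the justification in a source comment, so the test report will not say why a wrong-PIN test is expected to fail. Passing it to the marker, `@pytest.mark.xfail(reason="ticket 5378")`, makes it visible in the run output. The same applies to the other xfail markers in this patch: test_incorrect_ds_pin in the next hunk, the replica and certinstall PIN tests, and the two `# ask jcholast` markers, which name no ticket at all. These tests check that a bad PKCS#12 password is rejected, and an xfail left in place can hide a later change in that behaviour, so each marker should point at something that gets revisited.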
@@ -453,7 +435,8 @@ class TestServerInstall(CALessBase):
         result = self.install_server(http_pin='bad<pin>')
         assert_error(result, 'incorrect password for pkcs#12 file server.p12')
 
-    def test_incorect_ds_pin(self):
+    @pytest.mark.xfail  # ticket N 5378
+    def test_incorrect_ds_pin(self):
         "IPA server install with incorrect DS PKCS#12 password"
 
         self.export_pkcs12('ca1/server')
@@ -561,6 +544,7 @@ class TestServerInstall(CALessBase):
                                      dirsrv_pkcs12='dirsrv.p12')
 
         if result.returncode == 0:
+            self.uninstall_server()
             raise nose.SkipTest(
                 "Known CA-less installation defect, see "
                 + "https://fedorahosted.org/freeipa/ticket/4270";)
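Review bot: The added `self.uninstall_server()` looks redundant with `teardown_method`, which this patch defines for TestServerInstall with the same call and which should still run when the test is skipped. If the double uninstall is deliberate, a comment should say why. The skip itself still goes through `raise nose.SkipTest(...)` although the class has moved to pytest-style teardown; `pytest.skip("Known CA-less installation defect, see ticket 4270")` would be consistent. The next hunk repeats the same pattern.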
@@ -579,6 +563,7 @@ class TestServerInstall(CALessBase):
                                      dirsrv_pkcs12='dirsrv.p12')
 
         if result.returncode == 0:
+            self.uninstall_server()
             raise nose.SkipTest(
                 "Known CA-less installation defect, see "
                 + "https://fedorahosted.org/freeipa/ticket/4270";)
@@ -596,8 +581,8 @@ class TestServerInstall(CALessBase):
         result = self.install_server(http_pkcs12='http.p12',
                                      dirsrv_pkcs12='dirsrv.p12')
         assert_error(result,
-                     'http.p12 is not signed by root.pem, or the full '
-                     'certificate chain is not present in the PKCS#12 file')
+                     'Apache Server SSL certificate and Directory Server'
+                     ' SSL certificate are not signed by the same CA certificate')
 
     def test_ds_intermediate_ca(self):
         "IPA server install with DS certificate issued by intermediate CA"
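Review bot: The expected message about the Apache and Directory Server certificates not being signed by the same CA is now spelled out six times in this patch (here, the next hunk and four TestReplicaInstall tests), each split across lines differently. A module-level constant holding that text, used in every `assert_error` call, would keep the copies in step when the installer wording changes again. A comment is also worth adding on why an intermediate-CA certificate is now expected to produce a "not signed by the same CA" error rather than a chain error, since the test names no longer explain the expectation.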
@@ -610,8 +595,8 @@ class TestServerInstall(CALessBase):
         result = self.install_server(http_pkcs12='http.p12',
                                      dirsrv_pkcs12='dirsrv.p12')
         assert_error(result,
-                     'dirsrv.p12 is not signed by root.pem, or the full '
-                     'certificate chain is not present in the PKCS#12 file')
+                     'Apache Server SSL certificate and Directory Server SSL'
+                     ' certificate are not signed by the same CA certificate')
 
     def test_ca_self_signed(self):
         "IPA server install with self-signed certificate"
@@ -699,7 +684,7 @@ class TestServerInstall(CALessBase):
                                      stdin_text=stdin_text)
         assert result.returncode == 0
         self.verify_installation()
-        assert ('Enter server.p12 unlock password:'
+        assert ('Enter Apache Server private key unlock password'
                 in result.stdout_text), result.stdout_text
 
     def test_interactive_missing_ds_pkcs_password(self):
@@ -715,7 +700,7 @@ class TestServerInstall(CALessBase):
                                      stdin_text=stdin_text)
         assert result.returncode == 0
         self.verify_installation()
-        assert ('Enter server.p12 unlock password:'
+        assert ('Enter Directory Server private key unlock password'
                 in result.stdout_text), result.stdout_text
 
     def test_no_http_password(self):
@@ -749,18 +734,19 @@ class TestServerInstall(CALessBase):
 
 class TestReplicaInstall(CALessBase):
     num_replicas = 1
-
-    def setUp(self):
-        # Install the master for every test
-        self.export_pkcs12('ca1/server')
-        with open(self.pem_filename, 'w') as f:
-            f.write(self.get_pem('ca1'))
-
-        result = self.install_server()
+    @classmethod
+    def install(cls, mh):
+        super(TestReplicaInstall, cls).install(mh)
+        cls.export_pkcs12('ca1/server')
+        with open(cls.pem_filename, 'w') as f:
+            f.write(cls.get_pem('ca1'))
+        result = cls.install_server()
         assert result.returncode == 0
 
-    def tearDown(self):
-        # Uninstall both master and replica
+
+    @classmethod
+    def teardown_method(self, method):
+        # Uninstall replica
         replica = self.replicas[0]
         tasks.kinit_admin(self.master)
         self.uninstall_server(replica)
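Review bot: `teardown_method` is decorated with `@classmethod` but keeps `self` as its first parameter, so `self` is bound to the class rather than the test instance when pytest calls it. It presumably works because the attributes it touches are class-level, but the decorator looks like a leftover from `install` above and should be dropped, or the parameter renamed to `cls` if class binding is intended. `install` also follows `num_replicas = 1` with no blank line, and there are two blank lines before the second decorator. The master is now installed once per class, so a docstring on `install` should state that the tests share one master and only the replica is torn down per test. The body of teardown_method continues outside this hunk.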
@@ -772,32 +758,46 @@ class TestReplicaInstall(CALessBase):
         replica.run_command(['certutil', '-d', paths.NSS_DB_DIR, '-D',
                              '-n', 'External CA cert'], raiseonerr=False)
 
-        self.uninstall_server()
         self.master.run_command(['certutil', '-d', paths.NSS_DB_DIR, '-D',
                                  '-n', 'External CA cert'], raiseonerr=False)
 
     def test_no_certs(self):
         "IPA replica install without certificates"
+        replica = self.replicas[0]
+        if config.domain_level == 0:
+            result = self.master.run_command(['ipa-replica-prepare',
+                                              self.replicas[0].hostname,
+                                              '-p', self.env['dirman_password']],
+                                             raiseonerr=False)
+            assert result.returncode > 0
+            assert ('Cannot issue certificates: a CA is not installed. Use the '
+                    '--http-cert-file, --dirsrv-cert-file options to provide '
+                    'custom certificates.' in result.stderr_text), \
+                result.stderr_text
 
-        result = self.master.run_command(['ipa-replica-prepare',
-                                          self.replicas[0].hostname],
-                                         raiseonerr=False)
-        assert result.returncode > 0
-        assert ('Cannot issue certificates: a CA is not installed. Use the '
-                '--http-cert-file, --dirsrv-cert-file options to provide '
-                'custom certificates.' in result.stderr_text), \
-               result.stderr_text
+        else:
+            args = ["ipa-replica-install", "-U",
+                    "-p", replica.config.dirman_password,
+                    "-w", replica.config.admin_password,
+                    "--ip-address", replica.ip, "--setup-ca"]
 
+            tasks.install_client(self.master, replica)
+            result = replica.run_command(args, raiseonerr=False)
+            assert ("The remote master does not have a CA installed,"
+                    " can't proceed without certs" in result.stderr_text), \
+                result.stderr_text
+
+    @pytest.mark.skipif(config.domain_level > 0, reason=reasoning)
     def test_nonexistent_http_pkcs12_file(self):
         "IPA replica install with non-existent HTTP PKCS#12 file"
 
         self.export_pkcs12('ca1/replica', filename='dirsrv.p12')
-
         result = self.prepare_replica(http_pkcs12='does_not_exist',
                                       dirsrv_pkcs12='dirsrv.p12',
                                       http_pkcs12_exists=False)
         assert_error(result, 'Failed to open does_not_exist')
 
+    @pytest.mark.skipif(config.domain_level > 0, reason=reasoning)
     def test_nonexistent_ds_pkcs12_file(self):
         "IPA replica install with non-existent DS PKCS#12 file"
 
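Review bot: In the new domain-level branch of test_no_certs the outcome of `ipa-replica-install` is checked only through the stderr text. Unlike the level-0 branch there is no `assert result.returncode > 0`, so an install that printed the message yet exited 0 would still pass. Add `assert result.returncode > 0` before the message assertion. `replica` is assigned at the top but the level-0 branch still uses `self.replicas[0].hostname`, and the two branches take the Directory Manager password from different places (`self.env['dirman_password']` and `replica.config.dirman_password`); one source would be clearer.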
@@ -808,7 +808,9 @@ class TestReplicaInstall(CALessBase):
                                       dirsrv_pkcs12_exists=False)
         assert_error(result, 'Failed to open does_not_exist')
 
-    def test_incorect_http_pin(self):
+    @pytest.mark.skipif(config.domain_level > 0, reason=reasoning)
+    @pytest.mark.xfail  # ticket N 5378
+    def test_incorrect_http_pin(self):
         "IPA replica install with incorrect HTTP PKCS#12 password"
 
         self.export_pkcs12('ca1/replica', filename='replica.p12')
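Review bot: `@pytest.mark.skipif(config.domain_level > 0, reason=reasoning)` is repeated verbatim on nearly every TestReplicaInstall test in this patch. Binding it once at module level, e.g. `skip_replica_prepare = pytest.mark.skipif(config.domain_level > 0, reason=reasoning)`, and applying `@skip_replica_prepare` would make the intent readable at a glance and leave one place to change when the condition does. The module-level name `reasoning` would also read better as something specific, such as `REPLICA_PREPARE_SKIP_REASON`.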
@@ -817,7 +819,9 @@ class TestReplicaInstall(CALessBase):
         assert result.returncode > 0
         assert_error(result, 'incorrect password for pkcs#12 file replica.p12')
 
-    def test_incorect_ds_pin(self):
+    @pytest.mark.skipif(config.domain_level > 0, reason=reasoning)
+    @pytest.mark.xfail  # ticket N 5378
+    def test_incorrect_ds_pin(self):
         "IPA replica install with incorrect DS PKCS#12 password"
 
         self.export_pkcs12('ca1/replica', filename='replica.p12')
@@ -825,6 +829,7 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(dirsrv_pin='bad<pin>')
         assert_error(result, 'incorrect password for pkcs#12 file replica.p12')
 
+    @pytest.mark.skipif(config.domain_level > 0, reason=reasoning)
     def test_http_unknown_ca(self):
         "IPA replica install with HTTP certificate issued by unknown CA"
 
@@ -834,9 +839,10 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(http_pkcs12='http.p12',
                                       dirsrv_pkcs12='dirsrv.p12')
         assert_error(result,
-                     'http.p12 is not signed by /etc/ipa/ca.crt, or the full '
-                     'certificate chain is not present in the PKCS#12 file')
+                     'Apache Server SSL certificate and Directory Server'
+                     ' SSL certificate are not signed by the same CA certificate')
 
+    @pytest.mark.skipif(config.domain_level > 0, reason=reasoning)
     def test_ds_unknown_ca(self):
         "IPA replica install with DS certificate issued by unknown CA"
 
@@ -846,10 +852,10 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(http_pkcs12='http.p12',
                                       dirsrv_pkcs12='dirsrv.p12')
         assert_error(result,
-                     'dirsrv.p12 is not signed by /etc/ipa/ca.crt, or the '
-                     'full certificate chain is not present in the PKCS#12 '
-                     'file')
+                     'Apache Server SSL certificate and Directory Server SSL'
+                     ' certificate are not signed by the same CA certificate')
 
+    @pytest.mark.skipif(config.domain_level > 0, reason=reasoning)
     def test_invalid_http_cn(self):
         "IPA replica install with HTTP certificate with invalid CN"
 
@@ -862,6 +868,7 @@ class TestReplicaInstall(CALessBase):
                      'The server certificate in http.p12 is not valid: '
                      'invalid for server %s' % self.replicas[0].hostname)
 
+    @pytest.mark.skipif(config.domain_level > 0, reason=reasoning)
     def test_invalid_ds_cn(self):
         "IPA replica install with DS certificate with invalid CN"
 
@@ -874,6 +881,7 @@ class TestReplicaInstall(CALessBase):
                      'The server certificate in dirsrv.p12 is not valid: '
                      'invalid for server %s' % self.replicas[0].hostname)
 
+    @pytest.mark.skipif(config.domain_level > 0, reason=reasoning)
     def test_expired_http(self):
         "IPA replica install with expired HTTP certificate"
 
@@ -887,6 +895,7 @@ class TestReplicaInstall(CALessBase):
                      "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
                      'expired.')
 
+    @pytest.mark.skipif(config.domain_level > 0, reason=reasoning)
     def test_expired_ds(self):
         "IPA replica install with expired DS certificate"
 
@@ -900,6 +909,7 @@ class TestReplicaInstall(CALessBase):
                      "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
                      'expired.')
 
+    @pytest.mark.skipif(config.domain_level > 0, reason=reasoning)
     def test_http_bad_usage(self):
         "IPA replica install with HTTP certificate with invalid key usage"
 
@@ -912,6 +922,7 @@ class TestReplicaInstall(CALessBase):
                      'The server certificate in http.p12 is not valid: '
                      'invalid for a SSL server')
 
+    @pytest.mark.skipif(config.domain_level > 0, reason=reasoning)
     def test_ds_bad_usage(self):
         "IPA replica install with DS certificate with invalid key usage"
 
@@ -924,6 +935,7 @@ class TestReplicaInstall(CALessBase):
                      'The server certificate in dirsrv.p12 is not valid: '
                      'invalid for a SSL server')
 
+    @pytest.mark.skipif(config.domain_level > 0, reason=reasoning)
     def test_revoked_http(self):
         "IPA replica install with revoked HTTP certificate"
 
@@ -940,6 +952,7 @@ class TestReplicaInstall(CALessBase):
 
         assert result.returncode > 0
 
+    @pytest.mark.skipif(config.domain_level > 0, reason=reasoning)
     def test_revoked_ds(self):
         "IPA replica install with revoked DS certificate"
 
@@ -956,6 +969,7 @@ class TestReplicaInstall(CALessBase):
 
         assert result.returncode > 0
 
+    @pytest.mark.skipif(config.domain_level > 0, reason=reasoning)
     def test_http_intermediate_ca(self):
         "IPA replica install with HTTP certificate issued by intermediate CA"
 
@@ -965,9 +979,10 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(http_pkcs12='http.p12',
                                       dirsrv_pkcs12='dirsrv.p12')
         assert_error(result,
-                     'http.p12 is not signed by /etc/ipa/ca.crt, or the full '
-                     'certificate chain is not present in the PKCS#12 file')
+                     'Apache Server SSL certificate and Directory Server SSL'
+                     ' certificate are not signed by the same CA certificate')
 
+    @pytest.mark.skipif(config.domain_level > 0, reason=reasoning)
     def test_ds_intermediate_ca(self):
         "IPA replica install with DS certificate issued by intermediate CA"
 
@@ -977,10 +992,10 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(http_pkcs12='http.p12',
                                       dirsrv_pkcs12='dirsrv.p12')
         assert_error(result,
-                     'dirsrv.p12 is not signed by /etc/ipa/ca.crt, or the '
-                     'full certificate chain is not present in the PKCS#12 '
-                     'file')
+                     'Apache Server SSL certificate and Directory Server'
+                     ' SSL certificate are not signed by the same CA certificate')
 
+    @pytest.mark.skipif(config.domain_level > 0, reason=reasoning)
     def test_valid_certs(self):
         "IPA replica install with valid certificates"
 
@@ -995,6 +1010,7 @@ class TestReplicaInstall(CALessBase):
 
         self.verify_installation()
 
+    @pytest.mark.skipif(config.domain_level > 0, reason=reasoning)
     def test_wildcard_http(self):
         "IPA replica install with wildcard HTTP certificate"
 
@@ -1010,6 +1026,8 @@ class TestReplicaInstall(CALessBase):
 
         self.verify_installation()
 
+    @pytest.mark.skipif(config.domain_level > 0, reason=reasoning)
+#    @setupmaster(self)
     def test_wildcard_ds(self):
         "IPA replica install with wildcard DS certificate"
 
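Review bot: `#    @setupmaster(self)` is commented-out code left between the skipif marker and the `def`, here and again above test_http_san in the next hunk. The cover mail says the setupmaster approach was dropped and nothing in the visible patch defines `setupmaster`, so both lines should be removed rather than committed.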
@@ -1025,6 +1043,8 @@ class TestReplicaInstall(CALessBase):
 
         self.verify_installation()
 
+    @pytest.mark.skipif(config.domain_level > 0, reason=reasoning)
+#    @setupmaster(self)
     def test_http_san(self):
         "IPA replica install with HTTP certificate with SAN"
 
@@ -1040,6 +1060,7 @@ class TestReplicaInstall(CALessBase):
 
         self.verify_installation()
 
+    @pytest.mark.skipif(config.domain_level > 0, reason=reasoning)
     def test_ds_san(self):
         "IPA replica install with DS certificate with SAN"
 
@@ -1055,6 +1076,7 @@ class TestReplicaInstall(CALessBase):
 
         self.verify_installation()
 
+    @pytest.mark.skipif(config.domain_level > 0, reason=reasoning)
     def test_interactive_missing_http_pkcs_password(self):
         "IPA replica install with missing HTTP PKCS#12 password"
 
@@ -1072,6 +1094,7 @@ class TestReplicaInstall(CALessBase):
 
         self.verify_installation()
 
+    @pytest.mark.skipif(config.domain_level > 0, reason=reasoning)
     def test_interactive_missing_ds_pkcs_password(self):
         "IPA replica install with missing DS PKCS#12 password"
 
@@ -1089,6 +1112,7 @@ class TestReplicaInstall(CALessBase):
 
         self.verify_installation()
 
+    @pytest.mark.skipif(config.domain_level > 0, reason=reasoning)
     def test_no_http_password(self):
         "IPA replica install with empty HTTP password"
 
@@ -1105,6 +1129,7 @@ class TestReplicaInstall(CALessBase):
 
         self.verify_installation()
 
+    @pytest.mark.skipif(config.domain_level > 0, reason=reasoning)
     def test_no_ds_password(self):
         "IPA replica install with empty DS password"
 
@@ -1168,31 +1193,15 @@ class TestIPACommands(CALessBase):
         result = self.master.run_command(['ipa', command], raiseonerr=False)
         assert_error(result, "ipa: ERROR: unknown command '%s'" % command)
 
-    @pytest.mark.parametrize('command', (
-        'cert-status',
-        'cert-show',
-        'cert-find',
-        'cert-revoke',
-        'cert-remove-hold',
-        'cert-status'))
-    def test_cert_commands_unavailable(self, command):
-        result = self.master.run_command(['ipa', command], raiseonerr=False)
-        assert_error(result, "ipa: ERROR: unknown command '%s'" % command)
-
-    def test_cert_help_unavailable(self):
-        "Verify that cert plugin help is not available"
-        result = self.master.run_command(['ipa', 'help', 'cert'],
-                                         raiseonerr=False)
-        assert_error(result,
-                     "ipa: ERROR: no command nor help topic 'cert'",
-                     returncode=1)
-
     @contextlib.contextmanager
     def host(self):
         "Context manager that adds and removes a host entry with a certificate"
         self.master.run_command(['ipa', 'host-add', self.test_hostname,
                                  '--force',
                                  '--certificate', self.client_pem])
+        self.master.run_command(['ipa-getkeytab', '-s', self.master.hostname,
+                                 '-p' "host/%s" % self.test_hostname,
+                                 '-k', paths.IPA_KEYTAB])
         try:
             yield
         finally:
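Review bot: `'-p' "host/%s" % self.test_hostname` is missing a comma after `'-p'`, so Python concatenates the two literals and passes one argument of the form `-phost/<hostname>` instead of an option and its value. The matching call in the service() hunk below has it right; this line should read `'-p', 'host/%s' % self.test_hostname,`. Both calls also write the retrieved keys to `paths.IPA_KEYTAB`, and if that is the keytab the master's own services use, adding test principals to it deserves a comment or a temporary keytab path instead. The new call sits before the `try`, so a failure in ipa-getkeytab would bypass the `finally` cleanup (its body is outside this hunk) and leave the host entry behind.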
@@ -1206,6 +1215,9 @@ class TestIPACommands(CALessBase):
             self.master.run_command(['ipa', 'service-add', self.test_service,
                                      '--force',
                                      '--certificate', self.client_pem])
+            self.master.run_command(['ipa-getkeytab', '-s', self.master.hostname,
+                                     '-p', self.test_service, '-k',
+                                     paths.IPA_KEYTAB])
             yield
 
     def test_service_mod_doesnt_revoke(self):
@@ -1217,8 +1229,10 @@ class TestIPACommands(CALessBase):
     def test_service_disable_doesnt_revoke(self):
         "Verify that service-disable does not attempt to revoke certificate"
         with self.service():
-            self.master.run_command(['ipa', 'service-disable',
-                                     self.test_service])
+            result = self.master.run_command(['ipa', 'service-disable',
+                                              self.test_service],
+                                             raiseonerr=False)
+            assert result.returncode == 0, "Failed to disable ipa-service: %s" % result.stderr_text
 
     def test_service_del_doesnt_revoke(self):
         "Verify that service-del does not attempt to revoke certificate"
@@ -1246,7 +1260,7 @@ class TestIPACommands(CALessBase):
 class TestCertinstall(CALessBase):
     @classmethod
     def install(cls, mh):
-        super(TestCertinstall, cls).install()
+        super(TestCertinstall, cls).install(mh)
 
         cls.export_pkcs12('ca1/server')
         with open(cls.pem_filename, 'w') as f:
@@ -1268,12 +1282,10 @@ class TestCertinstall(CALessBase):
             self.copy_cert(self.master, filename)
         if not args:
             args = ['ipa-server-certinstall',
+                    '-p', self.master.config.dirman_password,
                     '-%s' % mode, filename]
             if pin is not None:
                 args += ['--pin', pin]
-            if mode == 'd':
-                args += ['--dirman-password',
-                         self.master.config.dirman_password]
         return self.master.run_command(args,
                                        raiseonerr=False,
                                        stdin_text=stdin_text)
@@ -1292,14 +1304,16 @@ class TestCertinstall(CALessBase):
                                   cert_exists=False)
         assert_error(result, 'Failed to open does_not_exist')
 
-    def test_incorect_http_pin(self):
+    @pytest.mark.xfail  # ticket N 5378
+    def test_incorrect_http_pin(self):
         "Install new HTTP certificate with incorrect PKCS#12 password"
 
         result = self.certinstall('w', 'ca1/server', pin='bad<pin>')
         assert_error(result,
                      'incorrect password for pkcs#12 file server.p12')
 
-    def test_incorect_dirsrv_pin(self):
+    @pytest.mark.xfail  # ticket N 5378
+    def test_incorrect_dirsrv_pin(self):
         "Install new DS certificate with incorrect PKCS#12 password"
 
         result = self.certinstall('d', 'ca1/server', pin='bad<pin>')
@@ -1380,6 +1394,7 @@ class TestCertinstall(CALessBase):
 
         assert result.returncode > 0
 
+    @pytest.mark.xfail  # ask jcholast
     def test_http_intermediate_ca(self):
         "Install new HTTP certificate issued by intermediate CA"
 
@@ -1389,6 +1404,7 @@ class TestCertinstall(CALessBase):
                      'full certificate chain is not present in the PKCS#12 '
                      'file')
 
+    @pytest.mark.xfail  # ask jcholast
     def test_ds_intermediate_ca(self):
         "Install new DS certificate issued by intermediate CA"
 
@@ -1403,9 +1419,7 @@ class TestCertinstall(CALessBase):
 
         result = self.certinstall('w', 'server-selfsign')
         assert_error(result,
-                     'server.p12 is not signed by /etc/ipa/ca.crt, or the '
-                     'full certificate chain is not present in the PKCS#12 '
-                     'file')
+                     'The full certificate chain is not present in server.p12')
 
     def test_valid_http(self):
         "Install new valid HTTP certificate"
@@ -1480,7 +1494,7 @@ class TestCertinstall(CALessBase):
                 '--http-pin', self.cert_password]
 
         result = self.certinstall('w', 'ca1/server', args=args)
-        assert result.returncode == 0
+        assert_error(result, "no such option: --http-pin")
 
     def test_ds_old_options(self):
         "Install new valid DS certificate using pre-v3.3 CLI options"
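Review bot: test_http_old_options now asserts `no such option: --http-pin`, and the final hunk does the same for `--dirsrv-pin`, but the docstring visible for test_ds_old_options still reads "Install new valid DS certificate using pre-v3.3 CLI options". The docstrings should state that the pre-v3.3 options are expected to be rejected, e.g. `"ipa-server-certinstall rejects the pre-v3.3 --dirsrv-pin option"`, and likewise for the HTTP variant. The start of both test bodies is outside these hunks.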
@@ -1493,4 +1507,4 @@ class TestCertinstall(CALessBase):
 
         result = self.certinstall('d', 'ca1/server',
                                   args=args, stdin_text=stdin_text)
-        assert result.returncode == 0
+        assert_error(result, "no such option: --dirsrv-pin")
-- 
2.4.3
