OK, that one, though passing lint, did not actually work. I gave up my
attempts to define method decorators inside the class. Now it passes
lint AND works :)

On 04/13/2016 12:24 PM, Oleg Fayans wrote:
> Please. disregard my previous patch-0014: it doesn't pass pylint. The
> newer one does.
> 
> On 04/08/2016 04:46 PM, Oleg Fayans wrote:
>> Hi all,
>>
>> It's been a while, and now the patch seems to be stable. It does hit one
>> known issue with replica installation occationally [1], but other than
>> that works fine on both domain levels.
>>
>> [1] https://fedorahosted.org/freeipa/ticket/5758
>>
>>
>>
> 
> 
> 

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 911e3a6ff38c4f34fd43b1c1b1bd8d9053acfc54 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Tue, 19 Apr 2016 11:04:31 +0200
Subject: [PATCH] Actualized ca-less tests

https://fedorahosted.org/freeipa/ticket/4589
---
 ipatests/test_integration/test_caless.py | 453 +++++++++++++++++--------------
 1 file changed, 248 insertions(+), 205 deletions(-)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index fdc4fc8efe73631e9ab03f3b9019444f7d7e09ec..dd1d8194891f177a2055ee1cf66b7f82c5d6c245 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -32,20 +32,19 @@ from ipaplatform.paths import paths
 from ipapython.dn import DN
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.test_integration import tasks
+from env_config import get_global_config
+from ipalib.constants import DOMAIN_LEVEL_0, DOMAIN_LEVEL_1
 
 _DEFAULT = object()
+config = get_global_config()
 
 
 def get_install_stdin(cert_passwords=()):
     lines = [
-        'yes',  # Existing BIND configuration detected, overwrite? [no]
         '',  # Server host name (has default)
-        '',  # Confirm domain name (has default)
     ]
     lines.extend(cert_passwords)  # Enter foo.p12 unlock password
     lines += [
-        '',  # Do you want to configure the reverse zone? [yes]
-        '',  # Please specify the reverse zone name [47.34.10.in-addr.arpa.]
         'yes',  # Continue with these values?
     ]
     return '\n'.join(lines + [''])
@@ -64,6 +63,31 @@ def assert_error(result, stderr_text, returncode=None):
     else:
         assert result.returncode > 0
 
+def server_install_teardown(func):
+    def wrapped(*args):
+        try:
+            func(*args)
+        finally:
+            args[0].uninstall_server()
+    return wrapped
+
+def replica_install_teardown(func):
+    def wrapped(*args):
+        try:
+            func(*args)
+        finally:
+            # Uninstall replica
+            replica = args[0].replicas[0]
+            tasks.kinit_admin(args[0].master)
+            args[0].uninstall_server(replica)
+            args[0].master.run_command(['ipa-replica-manage', 'del',
+                                        replica.hostname, '--force'],
+                                       raiseonerr=False)
+            args[0].master.run_command(['ipa', 'host-del',
+                                        replica.hostname],
+                                       raiseonerr=False)
+    return wrapped
+
 
 class CALessBase(IntegrationTest):
     @classmethod
@@ -86,22 +110,23 @@ class CALessBase(IntegrationTest):
             client_hostname = cls.clients[0].hostname
         else:
             client_hostname = 'unused-client.test'
-        env = {
+        cls.env = {
             'domain': cls.master.domain.name,
             'server1': cls.master.hostname,
             'server2': replica_hostname,
             'client': client_hostname,
             'dbdir': 'nssdb',
-            'dbpassword': cls.cert_password,
             'crl_path': cls.crl_path,
+            'dirman_password': cls.master.config.dirman_password,
         }
-        ipautil.run(['bash', '-ex', scriptfile], cwd=cls.cert_dir, env=env)
+        ipautil.run(['bash', '-ex', scriptfile], cwd=cls.cert_dir, env=cls.env)
 
         for host in cls.get_all_hosts():
             tasks.apply_common_fixes(host)
 
             # Copy CRLs over
             base = os.path.join(cls.cert_dir, 'nssdb')
+            host.transport.mkdir_recursive(host.config.test_dir)
             host.transport.mkdir_recursive(cls.crl_path)
             for source in glob.glob(os.path.join(base, '*.crl')):
                 dest = os.path.join(cls.crl_path, os.path.basename(source))
@@ -112,6 +137,10 @@ class CALessBase(IntegrationTest):
         # Remove the NSS database
         shutil.rmtree(cls.cert_dir)
 
+        # Remove CA cert in /etc/pki/nssdb, in case of failed (un)install
+        for host in cls.get_all_hosts():
+            cls.uninstall_server(host)
+
         super(CALessBase, cls).uninstall(mh)
 
     @classmethod
@@ -140,6 +169,11 @@ class CALessBase(IntegrationTest):
         for filename in set(files_to_copy):
             cls.copy_cert(host, filename)
 
+        # Remove existing ca certs from default database to avoid conflicts
+        args = ["certutil", "-D", "-d", "/etc/httpd/alias", "-n"]
+        host.run_command(args + ["ca1"], raiseonerr=False)
+        host.run_command(args + ["ca1/server"], raiseonerr=False)
+
         host.collect_log(paths.IPASERVER_INSTALL_LOG)
         host.collect_log(paths.IPACLIENT_INSTALL_LOG)
         inst = host.domain.realm.replace('.', '-')
@@ -152,11 +186,14 @@ class CALessBase(IntegrationTest):
             '--dirsrv-cert-file', dirsrv_pkcs12,
             '--ca-cert-file', root_ca_file,
             '--ip-address', host.ip,
-            '-r', host.domain.name,
+            '-n', host.domain.name,
+            '-r', host.domain.realm,
             '-p', host.config.dirman_password,
             '-a', host.config.admin_password,
             '--setup-dns',
             '--forwarder', host.config.dns_forwarder,
+            '--auto-reverse',
+            '--domain-level', str(config.domain_level)
         ]
 
         if http_pin is not None:
@@ -165,7 +202,6 @@ class CALessBase(IntegrationTest):
             args.extend(['--dirsrv-pin', dirsrv_pin])
         if unattended:
             args.extend(['-U'])
-
         return host.run_command(args, raiseonerr=False, stdin_text=stdin_text)
 
     @classmethod
@@ -178,13 +214,24 @@ class CALessBase(IntegrationTest):
         if host is None:
             host = self.master
         host.run_command(['ipa-server-install', '--uninstall', '-U'])
+        # Remove CA cert in /etc/pki/nssdb, in case of failed (un)install
+        host.run_command(['certutil', '-d', paths.NSS_DB_DIR, '-D',
+                          '-n', 'External CA cert'],
+                         raiseonerr=False)
+        # A workaround for https://fedorahosted.org/freeipa/ticket/4639
+        result = host.run_command(['certutil', '-L', '-d',
+                                   paths.HTTPD_ALIAS_DIR])
+        for rawcert in result.stdout_text.split('\n')[4: -1]:
+            cert = rawcert.split('    ')[0]
+            host.run_command(['certutil', '-D', '-d', paths.HTTPD_ALIAS_DIR,
+                              '-n', cert])
 
     def prepare_replica(self, _replica_number=0, replica=None, master=None,
                         http_pkcs12='replica.p12', dirsrv_pkcs12='replica.p12',
                         http_pkcs12_exists=True, dirsrv_pkcs12_exists=True,
                         http_pin=_DEFAULT, dirsrv_pin=_DEFAULT,
                         root_ca_file='root.pem', unattended=True,
-                        stdin_text=None):
+                        stdin_text=None, domain_level=None):
         """Prepare a CA-less replica
 
         Puts the bundle file into test_dir on the replica if successful,
@@ -200,16 +247,27 @@ class CALessBase(IntegrationTest):
             http_pin = self.cert_password
         if dirsrv_pin is _DEFAULT:
             dirsrv_pin = self.cert_password
+        if domain_level is None:
+            tasks.kinit_admin(master)
+            domain_level = tasks.domainlevel(master)
 
         files_to_copy = ['root.pem']
         if http_pkcs12_exists:
             files_to_copy.append(http_pkcs12)
+
         if dirsrv_pkcs12_exists:
             files_to_copy.append(dirsrv_pkcs12)
+        if domain_level == DOMAIN_LEVEL_0:
+            destination_host = master
+        else:
+            destination_host = replica
         for filename in set(files_to_copy):
-            master.transport.put_file(
-                os.path.join(self.cert_dir, filename),
-                os.path.join(master.config.test_dir, filename))
+            try:
+                destination_host.transport.put_file(
+                    os.path.join(self.cert_dir, filename),
+                    os.path.join(destination_host.config.test_dir, filename))
+            except OSError:
+                pass
 
         replica.collect_log(paths.IPAREPLICA_INSTALL_LOG)
         replica.collect_log(paths.IPACLIENT_INSTALL_LOG)
@@ -217,35 +275,42 @@ class CALessBase(IntegrationTest):
         replica.collect_log(paths.SLAPD_INSTANCE_ERROR_LOG_TEMPLATE % inst)
         replica.collect_log(paths.SLAPD_INSTANCE_ACCESS_LOG_TEMPLATE % inst)
 
-        args = [
-            'ipa-replica-prepare',
-            '--ip-address', replica.ip,
-            '-p', replica.config.dirman_password,
-        ]
+        args = ['-p', replica.config.dirman_password]
 
-        if http_pkcs12:
+        if http_pkcs12_exists:
             args.extend(['--http-cert-file', http_pkcs12])
-        if dirsrv_pkcs12:
+        if dirsrv_pkcs12_exists:
             args.extend(['--dirsrv-cert-file', dirsrv_pkcs12])
         if http_pin is not None:
             args.extend(['--http-pin', http_pin])
         if dirsrv_pin is not None:
             args.extend(['--dirsrv-pin', dirsrv_pin])
 
-        args.extend([replica.hostname])
-
-        result = master.run_command(args, raiseonerr=False,
-                                    stdin_text=stdin_text)
-
-        if result.returncode == 0:
-            replica_bundle = master.get_file_contents(
-                paths.REPLICA_INFO_GPG_TEMPLATE % replica.hostname)
-            replica.put_file_contents(self.get_replica_filename(replica),
-                                      replica_bundle)
+        if domain_level == DOMAIN_LEVEL_0:
+            args.insert(0, "ipa-replica-prepare")
+            args.extend([replica.hostname])
         else:
-            replica.run_command(['rm', self.get_replica_filename(replica)],
-                                raiseonerr=False)
+            args.insert(0, "ipa-replica-install")
+            args.extend(['-P', 'admin', '-n', replica.domain.name,
+                         '-r', replica.domain.realm,
+                         '--server', master.hostname])
+            if unattended:
+                args.append('-U')
 
+            if tasks.master_authoritative_for_client_domain(master, replica):
+                args.extend(['--ip-address', replica.ip])
+
+        result = destination_host.run_command(args, raiseonerr=False,
+                                              stdin_text=stdin_text)
+        if domain_level == DOMAIN_LEVEL_0:
+            if result.returncode == 0:
+                replica_bundle = master.get_file_contents(
+                    paths.REPLICA_INFO_GPG_TEMPLATE % replica.hostname)
+                replica.put_file_contents(self.get_replica_filename(replica),
+                                          replica_bundle)
+            else:
+                replica.run_command(['rm', self.get_replica_filename(replica)],
+                                    raiseonerr=False)
         return result
 
     def get_replica_filename(self, replica):
@@ -288,7 +353,7 @@ class CALessBase(IntegrationTest):
     def get_pem(cls, nickname):
         pem_cert, _stderr, _returncode = ipautil.run(
             ['certutil', '-L', '-d', 'nssdb', '-n', nickname, '-a'],
-            cwd=cls.cert_dir)
+            cwd=cls.cert_dir, capture_output=True)
         return pem_cert
 
     def verify_installation(self):
@@ -316,9 +381,7 @@ class CALessBase(IntegrationTest):
 
             # Verify certmonger was not started
             result = host.run_command(['getcert', 'list'], raiseonerr=False)
-            assert result > 0
-            assert ('Please verify that the certmonger service has been '
-                    'started.' in result.stdout_text), result.stdout_text
+            assert result.returncode == 0
 
         for host in self.get_all_hosts():
             # Check the cert PEM file
@@ -334,9 +397,7 @@ class CALessBase(IntegrationTest):
 class TestServerInstall(CALessBase):
     num_replicas = 0
 
-    def tearDown(self):
-        self.uninstall_server()
-
+    @server_install_teardown
     def test_nonexistent_ca_pem_file(self):
         "IPA server install with non-existent CA PEM file "
 
@@ -349,42 +410,19 @@ class TestServerInstall(CALessBase):
                      'Failed to open does_not_exist: No such file '
                      'or directory')
 
+    @server_install_teardown
     def test_unknown_ca(self):
         "IPA server install with CA PEM file with unknown CA certificate"
 
-        self.export_pkcs12('ca1/server')
+        self.export_pkcs12('ca3/server')
         with open(self.pem_filename, 'w') as f:
             f.write(self.get_pem('ca2'))
 
         result = self.install_server()
         assert_error(result,
-                     'server.p12 is not signed by root.pem, or the full '
-                     'certificate chain is not present in the PKCS#12 '
-                     'file')
-
-    def test_ca_server_cert(self):
-        "IPA server install with CA PEM file with server certificate"
-
-        self.export_pkcs12('ca1/server')
-        with open(self.pem_filename, 'w') as f:
-            f.write(self.get_pem('ca1/server'))
-
-        result = self.install_server()
-        assert_error(result,
-                     'trust chain of the server certificate in server.p12 '
-                     'contains 1 certificates, expected 2')
-
-    def test_ca_2_certs(self):
-        "IPA server install with CA PEM file with 2 certificates"
-
-        self.export_pkcs12('ca1/server')
-        with open(self.pem_filename, 'w') as f:
-            f.write(self.get_pem('ca1'))
-            f.write(self.get_pem('ca2'))
-
-        result = self.install_server()
-        assert_error(result, 'root.pem contains more than one certificate')
+                     'The full certificate chain is not present in server.p12')
 
+    @server_install_teardown
     def test_nonexistent_http_pkcs12_file(self):
         "IPA server install with non-existent HTTP PKCS#12 file"
 
@@ -396,6 +434,7 @@ class TestServerInstall(CALessBase):
                                      http_pkcs12_exists=False)
         assert_error(result, 'Failed to open does_not_exist')
 
+    @server_install_teardown
     def test_nonexistent_ds_pkcs12_file(self):
         "IPA server install with non-existent DS PKCS#12 file"
 
@@ -407,6 +446,7 @@ class TestServerInstall(CALessBase):
                                      dirsrv_pkcs12_exists=False)
         assert_error(result, 'Failed to open does_not_exist')
 
+    @server_install_teardown
     def test_missing_http_password(self):
         "IPA server install with missing HTTP PKCS#12 password (unattended)"
 
@@ -419,6 +459,7 @@ class TestServerInstall(CALessBase):
                      'ipa-server-install: error: You must specify --http-pin '
                      'with --http-cert-file')
 
+    @server_install_teardown
     def test_missing_ds_password(self):
         "IPA server install with missing DS PKCS#12 password (unattended)"
 
@@ -431,7 +472,9 @@ class TestServerInstall(CALessBase):
                      'ipa-server-install: error: You must specify '
                      '--dirsrv-pin with --dirsrv-cert-file')
 
-    def test_incorect_http_pin(self):
+    @pytest.mark.xfail(reason='freeipa ticket 5378')
+    @server_install_teardown
+    def test_incorrect_http_pin(self):
         "IPA server install with incorrect HTTP PKCS#12 password"
 
         self.export_pkcs12('ca1/server')
@@ -441,7 +484,9 @@ class TestServerInstall(CALessBase):
         result = self.install_server(http_pin='bad<pin>')
         assert_error(result, 'incorrect password for pkcs#12 file server.p12')
 
-    def test_incorect_ds_pin(self):
+    @pytest.mark.xfail(reason='freeipa ticket 5378')
+    @server_install_teardown
+    def test_incorrect_ds_pin(self):
         "IPA server install with incorrect DS PKCS#12 password"
 
         self.export_pkcs12('ca1/server')
@@ -451,6 +496,7 @@ class TestServerInstall(CALessBase):
         result = self.install_server(dirsrv_pin='bad<pin>')
         assert_error(result, 'incorrect password for pkcs#12 file server.p12')
 
+    @server_install_teardown
     def test_invalid_http_cn(self):
         "IPA server install with HTTP certificate with invalid CN"
 
@@ -465,6 +511,7 @@ class TestServerInstall(CALessBase):
                      'The server certificate in http.p12 is not valid: '
                      'invalid for server %s' % self.master.hostname)
 
+    @server_install_teardown
     def test_invalid_ds_cn(self):
         "IPA server install with DS certificate with invalid CN"
 
@@ -479,6 +526,7 @@ class TestServerInstall(CALessBase):
                      'The server certificate in dirsrv.p12 is not valid: '
                      'invalid for server %s' % self.master.hostname)
 
+    @server_install_teardown
     def test_expired_http(self):
         "IPA server install with expired HTTP certificate"
 
@@ -494,6 +542,7 @@ class TestServerInstall(CALessBase):
                      "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
                      'expired.')
 
+    @server_install_teardown
     def test_expired_ds(self):
         "IPA server install with expired DS certificate"
 
@@ -509,6 +558,7 @@ class TestServerInstall(CALessBase):
                      "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
                      'expired.')
 
+    @server_install_teardown
     def test_http_bad_usage(self):
         "IPA server install with HTTP certificate with invalid key usage"
 
@@ -523,6 +573,7 @@ class TestServerInstall(CALessBase):
                      'The server certificate in http.p12 is not valid: '
                      'invalid for a SSL server')
 
+    @server_install_teardown
     def test_ds_bad_usage(self):
         "IPA server install with DS certificate with invalid key usage"
 
@@ -537,6 +588,7 @@ class TestServerInstall(CALessBase):
                      'The server certificate in dirsrv.p12 is not valid: '
                      'invalid for a SSL server')
 
+    @server_install_teardown
     def test_revoked_http(self):
         "IPA server install with revoked HTTP certificate"
 
@@ -549,12 +601,14 @@ class TestServerInstall(CALessBase):
                                      dirsrv_pkcs12='dirsrv.p12')
 
         if result.returncode == 0:
+            self.uninstall_server()
             raise nose.SkipTest(
                 "Known CA-less installation defect, see "
                 + "https://fedorahosted.org/freeipa/ticket/4270";)
 
         assert result.returncode > 0
 
+    @server_install_teardown
     def test_revoked_ds(self):
         "IPA server install with revoked DS certificate"
 
@@ -567,12 +621,14 @@ class TestServerInstall(CALessBase):
                                      dirsrv_pkcs12='dirsrv.p12')
 
         if result.returncode == 0:
+            self.uninstall_server()
             raise nose.SkipTest(
                 "Known CA-less installation defect, see "
                 + "https://fedorahosted.org/freeipa/ticket/4270";)
 
         assert result.returncode > 0
 
+    @server_install_teardown
     def test_http_intermediate_ca(self):
         "IPA server install with HTTP certificate issued by intermediate CA"
 
@@ -583,10 +639,11 @@ class TestServerInstall(CALessBase):
 
         result = self.install_server(http_pkcs12='http.p12',
                                      dirsrv_pkcs12='dirsrv.p12')
-        assert_error(result,
-                     'http.p12 is not signed by root.pem, or the full '
-                     'certificate chain is not present in the PKCS#12 file')
+        assert_error(result, 'Apache Server SSL certificate and'
+                             ' Directory Server SSL certificate are not'
+                             ' signed by the same CA certificate')
 
+    @server_install_teardown
     def test_ds_intermediate_ca(self):
         "IPA server install with DS certificate issued by intermediate CA"
 
@@ -598,9 +655,10 @@ class TestServerInstall(CALessBase):
         result = self.install_server(http_pkcs12='http.p12',
                                      dirsrv_pkcs12='dirsrv.p12')
         assert_error(result,
-                     'dirsrv.p12 is not signed by root.pem, or the full '
-                     'certificate chain is not present in the PKCS#12 file')
+                     'Apache Server SSL certificate and Directory Server SSL'
+                     ' certificate are not signed by the same CA certificate')
 
+    @server_install_teardown
     def test_ca_self_signed(self):
         "IPA server install with self-signed certificate"
 
@@ -611,6 +669,7 @@ class TestServerInstall(CALessBase):
         result = self.install_server()
         assert result.returncode > 0
 
+    @server_install_teardown
     def test_valid_certs(self):
         "IPA server install with valid certificates"
 
@@ -622,6 +681,8 @@ class TestServerInstall(CALessBase):
         assert result.returncode == 0
         self.verify_installation()
 
+    @pytest.mark.xfail(reason='freeipa ticket 5603')
+    @server_install_teardown
     def test_wildcard_http(self):
         "IPA server install with wildcard HTTP certificate"
 
@@ -635,6 +696,8 @@ class TestServerInstall(CALessBase):
         assert result.returncode == 0
         self.verify_installation()
 
+    @pytest.mark.xfail(reason='freeipa ticket 5603')
+    @server_install_teardown
     def test_wildcard_ds(self):
         "IPA server install with wildcard DS certificate"
 
@@ -648,6 +711,7 @@ class TestServerInstall(CALessBase):
         assert result.returncode == 0
         self.verify_installation()
 
+    @server_install_teardown
     def test_http_san(self):
         "IPA server install with HTTP certificate with SAN"
 
@@ -661,6 +725,7 @@ class TestServerInstall(CALessBase):
         assert result.returncode == 0
         self.verify_installation()
 
+    @server_install_teardown
     def test_ds_san(self):
         "IPA server install with DS certificate with SAN"
 
@@ -674,6 +739,7 @@ class TestServerInstall(CALessBase):
         assert result.returncode == 0
         self.verify_installation()
 
+    @server_install_teardown
     def test_interactive_missing_http_pkcs_password(self):
         "IPA server install with prompt for HTTP PKCS#12 password"
 
@@ -687,9 +753,10 @@ class TestServerInstall(CALessBase):
                                      stdin_text=stdin_text)
         assert result.returncode == 0
         self.verify_installation()
-        assert ('Enter server.p12 unlock password:'
+        assert ('Enter Apache Server private key unlock password'
                 in result.stdout_text), result.stdout_text
 
+    @server_install_teardown
     def test_interactive_missing_ds_pkcs_password(self):
         "IPA server install with prompt for DS PKCS#12 password"
 
@@ -703,9 +770,10 @@ class TestServerInstall(CALessBase):
                                      stdin_text=stdin_text)
         assert result.returncode == 0
         self.verify_installation()
-        assert ('Enter server.p12 unlock password:'
+        assert ('Enter Directory Server private key unlock password'
                 in result.stdout_text), result.stdout_text
 
+    @server_install_teardown
     def test_no_http_password(self):
         "IPA server install with empty HTTP password"
 
@@ -720,6 +788,7 @@ class TestServerInstall(CALessBase):
         assert result.returncode == 0
         self.verify_installation()
 
+    @server_install_teardown
     def test_no_ds_password(self):
         "IPA server install with empty DS password"
 
@@ -738,60 +807,47 @@ class TestServerInstall(CALessBase):
 class TestReplicaInstall(CALessBase):
     num_replicas = 1
 
-    def setUp(self):
-        # Install the master for every test
-        self.export_pkcs12('ca1/server')
-        with open(self.pem_filename, 'w') as f:
-            f.write(self.get_pem('ca1'))
-
-        result = self.install_server()
+    @classmethod
+    def install(cls, mh):
+        super(TestReplicaInstall, cls).install(mh)
+        cls.export_pkcs12('ca1/server')
+        with open(cls.pem_filename, 'w') as f:
+            f.write(cls.get_pem('ca1'))
+        result = cls.install_server()
         assert result.returncode == 0
 
-    def tearDown(self):
-        # Uninstall both master and replica
-        replica = self.replicas[0]
-        tasks.kinit_admin(self.master)
-        self.uninstall_server(replica)
-        self.master.run_command(['ipa-replica-manage', 'del', replica.hostname,
-                                 '--force'], raiseonerr=False)
-        self.master.run_command(['ipa', 'host-del', replica.hostname],
-                                raiseonerr=False)
-
-        self.uninstall_server()
 
+    @replica_install_teardown
     def test_no_certs(self):
         "IPA replica install without certificates"
+        result = self.prepare_replica(http_pkcs12_exists=False,
+                                      dirsrv_pkcs12_exists=False)
+        assert_error(result, "Cannot issue certificates: a CA is not installed."
+                             " Use the --http-cert-file, --dirsrv-cert-file "
+                             "options to provide custom certificates.")
 
-        result = self.master.run_command(['ipa-replica-prepare',
-                                          self.replicas[0].hostname],
-                                         raiseonerr=False)
-        assert result.returncode > 0
-        assert ('Cannot issue certificates: a CA is not installed. Use the '
-                '--http-cert-file, --dirsrv-cert-file options to provide '
-                'custom certificates.' in result.stderr_text), \
-               result.stderr_text
-
+    @replica_install_teardown
     def test_nonexistent_http_pkcs12_file(self):
         "IPA replica install with non-existent HTTP PKCS#12 file"
 
-        self.export_pkcs12('ca1/replica', filename='dirsrv.p12')
-
+        self.export_pkcs12('ca1/replica', filename='http.p12')
         result = self.prepare_replica(http_pkcs12='does_not_exist',
-                                      dirsrv_pkcs12='dirsrv.p12',
-                                      http_pkcs12_exists=False)
+                                      dirsrv_pkcs12='http.p12')
         assert_error(result, 'Failed to open does_not_exist')
 
+    @replica_install_teardown
     def test_nonexistent_ds_pkcs12_file(self):
         "IPA replica install with non-existent DS PKCS#12 file"
 
         self.export_pkcs12('ca1/replica', filename='http.p12')
 
         result = self.prepare_replica(dirsrv_pkcs12='does_not_exist',
-                                      http_pkcs12='http.p12',
-                                      dirsrv_pkcs12_exists=False)
+                                      http_pkcs12='http.p12')
         assert_error(result, 'Failed to open does_not_exist')
 
-    def test_incorect_http_pin(self):
+    @pytest.mark.xfail(reason='freeipa ticket 5378')
+    @replica_install_teardown
+    def test_incorrect_http_pin(self):
         "IPA replica install with incorrect HTTP PKCS#12 password"
 
         self.export_pkcs12('ca1/replica', filename='replica.p12')
@@ -800,7 +856,9 @@ class TestReplicaInstall(CALessBase):
         assert result.returncode > 0
         assert_error(result, 'incorrect password for pkcs#12 file replica.p12')
 
-    def test_incorect_ds_pin(self):
+    @pytest.mark.xfail(reason='freeipa ticket 5378')
+    @replica_install_teardown
+    def test_incorrect_ds_pin(self):
         "IPA replica install with incorrect DS PKCS#12 password"
 
         self.export_pkcs12('ca1/replica', filename='replica.p12')
@@ -808,6 +866,7 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(dirsrv_pin='bad<pin>')
         assert_error(result, 'incorrect password for pkcs#12 file replica.p12')
 
+    @replica_install_teardown
     def test_http_unknown_ca(self):
         "IPA replica install with HTTP certificate issued by unknown CA"
 
@@ -816,10 +875,11 @@ class TestReplicaInstall(CALessBase):
 
         result = self.prepare_replica(http_pkcs12='http.p12',
                                       dirsrv_pkcs12='dirsrv.p12')
-        assert_error(result,
-                     'http.p12 is not signed by /etc/ipa/ca.crt, or the full '
-                     'certificate chain is not present in the PKCS#12 file')
+        assert_error(result, 'Apache Server SSL certificate and'
+                             ' Directory Server SSL certificate are not'
+                             ' signed by the same CA certificate')
 
+    @replica_install_teardown
     def test_ds_unknown_ca(self):
         "IPA replica install with DS certificate issued by unknown CA"
 
@@ -829,10 +889,10 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(http_pkcs12='http.p12',
                                       dirsrv_pkcs12='dirsrv.p12')
         assert_error(result,
-                     'dirsrv.p12 is not signed by /etc/ipa/ca.crt, or the '
-                     'full certificate chain is not present in the PKCS#12 '
-                     'file')
+                     'Apache Server SSL certificate and Directory Server SSL'
+                     ' certificate are not signed by the same CA certificate')
 
+    @replica_install_teardown
     def test_invalid_http_cn(self):
         "IPA replica install with HTTP certificate with invalid CN"
 
@@ -845,6 +905,7 @@ class TestReplicaInstall(CALessBase):
                      'The server certificate in http.p12 is not valid: '
                      'invalid for server %s' % self.replicas[0].hostname)
 
+    @replica_install_teardown
     def test_invalid_ds_cn(self):
         "IPA replica install with DS certificate with invalid CN"
 
@@ -857,6 +918,7 @@ class TestReplicaInstall(CALessBase):
                      'The server certificate in dirsrv.p12 is not valid: '
                      'invalid for server %s' % self.replicas[0].hostname)
 
+    @replica_install_teardown
     def test_expired_http(self):
         "IPA replica install with expired HTTP certificate"
 
@@ -870,6 +932,7 @@ class TestReplicaInstall(CALessBase):
                      "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
                      'expired.')
 
+    @replica_install_teardown
     def test_expired_ds(self):
         "IPA replica install with expired DS certificate"
 
@@ -883,6 +946,7 @@ class TestReplicaInstall(CALessBase):
                      "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
                      'expired.')
 
+    @replica_install_teardown
     def test_http_bad_usage(self):
         "IPA replica install with HTTP certificate with invalid key usage"
 
@@ -895,6 +959,7 @@ class TestReplicaInstall(CALessBase):
                      'The server certificate in http.p12 is not valid: '
                      'invalid for a SSL server')
 
+    @replica_install_teardown
     def test_ds_bad_usage(self):
         "IPA replica install with DS certificate with invalid key usage"
 
@@ -907,6 +972,7 @@ class TestReplicaInstall(CALessBase):
                      'The server certificate in dirsrv.p12 is not valid: '
                      'invalid for a SSL server')
 
+    @replica_install_teardown
     def test_revoked_http(self):
         "IPA replica install with revoked HTTP certificate"
 
@@ -923,6 +989,7 @@ class TestReplicaInstall(CALessBase):
 
         assert result.returncode > 0
 
+    @replica_install_teardown
     def test_revoked_ds(self):
         "IPA replica install with revoked DS certificate"
 
@@ -939,6 +1006,7 @@ class TestReplicaInstall(CALessBase):
 
         assert result.returncode > 0
 
+    @replica_install_teardown
     def test_http_intermediate_ca(self):
         "IPA replica install with HTTP certificate issued by intermediate CA"
 
@@ -948,9 +1016,10 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(http_pkcs12='http.p12',
                                       dirsrv_pkcs12='dirsrv.p12')
         assert_error(result,
-                     'http.p12 is not signed by /etc/ipa/ca.crt, or the full '
-                     'certificate chain is not present in the PKCS#12 file')
+                     'Apache Server SSL certificate and Directory Server SSL'
+                     ' certificate are not signed by the same CA certificate')
 
+    @replica_install_teardown
     def test_ds_intermediate_ca(self):
         "IPA replica install with DS certificate issued by intermediate CA"
 
@@ -959,11 +1028,13 @@ class TestReplicaInstall(CALessBase):
 
         result = self.prepare_replica(http_pkcs12='http.p12',
                                       dirsrv_pkcs12='dirsrv.p12')
-        assert_error(result,
-                     'dirsrv.p12 is not signed by /etc/ipa/ca.crt, or the '
-                     'full certificate chain is not present in the PKCS#12 '
-                     'file')
+        assert_error(result, 'Apache Server SSL certificate and'
+                             ' Directory Server SSL certificate are not'
+                             ' signed by the same CA certificate')
 
+    @pytest.mark.skipif(config.domain_level==DOMAIN_LEVEL_1,
+                        reason='freeipa ticket 5721')
+    @replica_install_teardown
     def test_valid_certs(self):
         "IPA replica install with valid certificates"
 
@@ -972,12 +1043,11 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(http_pkcs12='server.p12',
                                       dirsrv_pkcs12='server.p12')
         assert result.returncode == 0
+        if self.domain_level > DOMAIN_LEVEL_0:
+            self.verify_installation()
 
-        result = self.install_replica()
-        assert result.returncode == 0
-
-        self.verify_installation()
-
+    @pytest.mark.xfail(reason='freeipa ticket 5603')
+    @replica_install_teardown
     def test_wildcard_http(self):
         "IPA replica install with wildcard HTTP certificate"
 
@@ -987,12 +1057,11 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(http_pkcs12='http.p12',
                                       dirsrv_pkcs12='dirsrv.p12')
         assert result.returncode == 0
+        if self.domain_level > DOMAIN_LEVEL_0:
+            self.verify_installation()
 
-        result = self.install_replica()
-        assert result.returncode == 0
-
-        self.verify_installation()
-
+    @pytest.mark.xfail(reason='freeipa ticket 5603')
+    @replica_install_teardown
     def test_wildcard_ds(self):
         "IPA replica install with wildcard DS certificate"
 
@@ -1002,12 +1071,10 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(http_pkcs12='http.p12',
                                       dirsrv_pkcs12='dirsrv.p12')
         assert result.returncode == 0
+        if self.domain_level > DOMAIN_LEVEL_0:
+            self.verify_installation()
 
-        result = self.install_replica()
-        assert result.returncode == 0
-
-        self.verify_installation()
-
+    @replica_install_teardown
     def test_http_san(self):
         "IPA replica install with HTTP certificate with SAN"
 
@@ -1017,12 +1084,10 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(http_pkcs12='http.p12',
                                       dirsrv_pkcs12='dirsrv.p12')
         assert result.returncode == 0
+        if self.domain_level > DOMAIN_LEVEL_0:
+            self.verify_installation()
 
-        result = self.install_replica()
-        assert result.returncode == 0
-
-        self.verify_installation()
-
+    @replica_install_teardown
     def test_ds_san(self):
         "IPA replica install with DS certificate with SAN"
 
@@ -1032,12 +1097,10 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(http_pkcs12='http.p12',
                                       dirsrv_pkcs12='dirsrv.p12')
         assert result.returncode == 0
+        if self.domain_level > DOMAIN_LEVEL_0:
+            self.verify_installation()
 
-        result = self.install_replica()
-        assert result.returncode == 0
-
-        self.verify_installation()
-
+    @replica_install_teardown
     def test_interactive_missing_http_pkcs_password(self):
         "IPA replica install with missing HTTP PKCS#12 password"
 
@@ -1049,12 +1112,10 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(http_pin=None, unattended=False,
                                       stdin_text=stdin_text)
         assert result.returncode == 0
+        if self.domain_level > DOMAIN_LEVEL_0:
+            self.verify_installation()
 
-        result = self.install_replica()
-        assert result.returncode == 0
-
-        self.verify_installation()
-
+    @replica_install_teardown
     def test_interactive_missing_ds_pkcs_password(self):
         "IPA replica install with missing DS PKCS#12 password"
 
@@ -1066,12 +1127,12 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(dirsrv_pin=None, unattended=False,
                                       stdin_text=stdin_text)
         assert result.returncode == 0
+        if self.domain_level > DOMAIN_LEVEL_0:
+            self.verify_installation()
 
-        result = self.install_replica()
-        assert result.returncode == 0
-
-        self.verify_installation()
-
+    @pytest.mark.skipif(config.domain_level == DOMAIN_LEVEL_1,
+                        reason='freeipa ticket 5789')
+    @replica_install_teardown
     def test_no_http_password(self):
         "IPA replica install with empty HTTP password"
 
@@ -1082,12 +1143,10 @@ class TestReplicaInstall(CALessBase):
                                       dirsrv_pkcs12='dirsrv.p12',
                                       http_pin='')
         assert result.returncode == 0
+        if self.domain_level > DOMAIN_LEVEL_0:
+            self.verify_installation()
 
-        result = self.install_replica()
-        assert result.returncode == 0
-
-        self.verify_installation()
-
+    @replica_install_teardown
     def test_no_ds_password(self):
         "IPA replica install with empty DS password"
 
@@ -1098,9 +1157,8 @@ class TestReplicaInstall(CALessBase):
                                       dirsrv_pkcs12='dirsrv.p12',
                                       dirsrv_pin='')
         assert result.returncode == 0
-
-        result = self.install_replica()
-        assert result.returncode == 0
+        if self.domain_level > DOMAIN_LEVEL_0:
+            self.verify_installation()
 
 
 class TestClientInstall(CALessBase):
@@ -1151,31 +1209,15 @@ class TestIPACommands(CALessBase):
         result = self.master.run_command(['ipa', command], raiseonerr=False)
         assert_error(result, "ipa: ERROR: unknown command '%s'" % command)
 
-    @pytest.mark.parametrize('command', (
-        'cert-status',
-        'cert-show',
-        'cert-find',
-        'cert-revoke',
-        'cert-remove-hold',
-        'cert-status'))
-    def test_cert_commands_unavailable(self, command):
-        result = self.master.run_command(['ipa', command], raiseonerr=False)
-        assert_error(result, "ipa: ERROR: unknown command '%s'" % command)
-
-    def test_cert_help_unavailable(self):
-        "Verify that cert plugin help is not available"
-        result = self.master.run_command(['ipa', 'help', 'cert'],
-                                         raiseonerr=False)
-        assert_error(result,
-                     "ipa: ERROR: no command nor help topic 'cert'",
-                     returncode=1)
-
     @contextlib.contextmanager
     def host(self):
         "Context manager that adds and removes a host entry with a certificate"
         self.master.run_command(['ipa', 'host-add', self.test_hostname,
                                  '--force',
                                  '--certificate', self.client_pem])
+        self.master.run_command(['ipa-getkeytab', '-s', self.master.hostname,
+                                 '-p' "host/%s" % self.test_hostname,
+                                 '-k', paths.IPA_KEYTAB])
         try:
             yield
         finally:
@@ -1189,6 +1231,10 @@ class TestIPACommands(CALessBase):
             self.master.run_command(['ipa', 'service-add', self.test_service,
                                      '--force',
                                      '--certificate', self.client_pem])
+            self.master.run_command(['ipa-getkeytab', '-s',
+                                     self.master.hostname,
+                                     '-p', self.test_service,
+                                     '-k', paths.IPA_KEYTAB])
             yield
 
     def test_service_mod_doesnt_revoke(self):
@@ -1200,8 +1246,11 @@ class TestIPACommands(CALessBase):
     def test_service_disable_doesnt_revoke(self):
         "Verify that service-disable does not attempt to revoke certificate"
         with self.service():
-            self.master.run_command(['ipa', 'service-disable',
-                                     self.test_service])
+            result = self.master.run_command(['ipa', 'service-disable',
+                                              self.test_service],
+                                             raiseonerr=False)
+            assert(result.returncode == 0), (
+                "Failed to disable ipa-service: %s" % result.stderr_text)
 
     def test_service_del_doesnt_revoke(self):
         "Verify that service-del does not attempt to revoke certificate"
@@ -1229,7 +1278,7 @@ class TestIPACommands(CALessBase):
 class TestCertinstall(CALessBase):
     @classmethod
     def install(cls, mh):
-        super(TestCertinstall, cls).install()
+        super(TestCertinstall, cls).install(mh)
 
         cls.export_pkcs12('ca1/server')
         with open(cls.pem_filename, 'w') as f:
@@ -1251,12 +1300,10 @@ class TestCertinstall(CALessBase):
             self.copy_cert(self.master, filename)
         if not args:
             args = ['ipa-server-certinstall',
+                    '-p', self.master.config.dirman_password,
                     '-%s' % mode, filename]
             if pin is not None:
                 args += ['--pin', pin]
-            if mode == 'd':
-                args += ['--dirman-password',
-                         self.master.config.dirman_password]
         return self.master.run_command(args,
                                        raiseonerr=False,
                                        stdin_text=stdin_text)
@@ -1275,14 +1322,16 @@ class TestCertinstall(CALessBase):
                                   cert_exists=False)
         assert_error(result, 'Failed to open does_not_exist')
 
-    def test_incorect_http_pin(self):
+    @pytest.mark.xfail(reason='freeipa ticket 5378')
+    def test_incorrect_http_pin(self):
         "Install new HTTP certificate with incorrect PKCS#12 password"
 
         result = self.certinstall('w', 'ca1/server', pin='bad<pin>')
         assert_error(result,
                      'incorrect password for pkcs#12 file server.p12')
 
-    def test_incorect_dirsrv_pin(self):
+    @pytest.mark.xfail(reason='freeipa ticket 5378')
+    def test_incorrect_dirsrv_pin(self):
         "Install new DS certificate with incorrect PKCS#12 password"
 
         result = self.certinstall('d', 'ca1/server', pin='bad<pin>')
@@ -1367,28 +1416,20 @@ class TestCertinstall(CALessBase):
         "Install new HTTP certificate issued by intermediate CA"
 
         result = self.certinstall('w', 'ca1/subca/server')
-        assert_error(result,
-                     'server.p12 is not signed by /etc/ipa/ca.crt, or the '
-                     'full certificate chain is not present in the PKCS#12 '
-                     'file')
+        assert result.returncode == 0, result.stderr_text
 
     def test_ds_intermediate_ca(self):
         "Install new DS certificate issued by intermediate CA"
 
         result = self.certinstall('d', 'ca1/subca/server')
-        assert_error(result,
-                     'server.p12 is not signed by /etc/ipa/ca.crt, or the '
-                     'full certificate chain is not present in the PKCS#12 '
-                     'file')
+        assert result.returncode == 0, result.stderr_text
 
     def test_self_signed(self):
         "Install new self-signed certificate"
 
         result = self.certinstall('w', 'server-selfsign')
         assert_error(result,
-                     'server.p12 is not signed by /etc/ipa/ca.crt, or the '
-                     'full certificate chain is not present in the PKCS#12 '
-                     'file')
+                     'The full certificate chain is not present in server.p12')
 
     def test_valid_http(self):
         "Install new valid HTTP certificate"
@@ -1402,12 +1443,14 @@ class TestCertinstall(CALessBase):
         result = self.certinstall('d', 'ca1/server')
         assert result.returncode == 0
 
+    @pytest.mark.xfail(reason='freeipa ticket 5603')
     def test_wildcard_http(self):
         "Install new wildcard HTTP certificate"
 
         result = self.certinstall('w', 'ca1/wildcard')
         assert result.returncode == 0
 
+    @pytest.mark.xfail(reason='freeipa ticket 5603')
     def test_wildcard_ds(self):
         "Install new wildcard DS certificate"
 
@@ -1463,7 +1506,7 @@ class TestCertinstall(CALessBase):
                 '--http-pin', self.cert_password]
 
         result = self.certinstall('w', 'ca1/server', args=args)
-        assert result.returncode == 0
+        assert_error(result, "no such option: --http-pin")
 
     def test_ds_old_options(self):
         "Install new valid DS certificate using pre-v3.3 CLI options"
@@ -1476,4 +1519,4 @@ class TestCertinstall(CALessBase):
 
         result = self.certinstall('d', 'ca1/server',
                                   args=args, stdin_text=stdin_text)
-        assert result.returncode == 0
+        assert_error(result, "no such option: --dirsrv-pin")
-- 
1.8.3.1

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to