On 07/01/2016 03:04 PM, Martin Babinsky wrote:
On 07/01/2016 11:13 AM, Lenka Doudova wrote:
And, of course, a patch file :)


On 07/01/2016 11:09 AM, Lenka Doudova wrote:
Hi all,

here's a patch with a basic test suite for support of UPN.

Note: it needs to be applied on top of my patch 0025.2 (or later, if
there will be more fixes to that patch).


Lenka





Hi Lenka,

test data such as usernames, etc. should be stored either in separate resource files or at least as class attributes like this:

diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index e8fdc6b..86ba7cc 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -394,28 +394,33 @@ class TestTrustWithUPN(ADTrustBase):
     """
     Test support of UPN for trusted domains
     """
+    upn_suffix = 'UPNsuffix.com'
+    upn_username = 'upnuser'
+    upn_princ = '{}@{}'.format(upn_username, upn_suffix)
+    upn_password = 'Secret123456'
+
     def test_upn_in_nonposix_trust(self):
         """ Check that UPN is listed as trust attribute """
result = self.master.run_command(['ipa', 'trust-show', self.ad_domain,
                                           '--all', '--raw'])

- assert "ipantadditionalsuffixes: UPNsuffix.com" in result.stdout_text
+        assert ("ipantadditionalsuffixes: {}".format(self.upn_suffix) in
+                result.stdout_text)

     def test_upn_user_resolution_in_nonposix_trust(self):
         """ Check that user with UPN can be resolved """
-        upnuser = 'upnu...@upnsuffix.com'
-        result = self.master.run_command(['getent', 'passwd', upnuser])
+ result = self.master.run_command(['getent', 'passwd', self.upn_princ])

         # result will contain AD domain, not UPN
- upnuser_regex = "^upnuser@{0}:\*:(\d+):(\d+):UPN User:/:$".format(
-            self.ad_domain)
+        upnuser_regex = "^{}@{}:\*:(\d+):(\d+):UPN User:/:$".format(
+            self.upn_username, self.ad_domain)
         assert re.search(upnuser_regex, result.stdout_text)

     def test_upn_user_authentication(self):
         """ Check that AD user with UPN can authenticate in IPA """
         self.master.run_command(['systemctl', 'restart', 'krb5kdc'])
- self.master.run_command(['kinit', '-C', '-E', 'upnu...@upnsuffix.com'],
-                                stdin_text='Secret123456')
+        self.master.run_command(['kinit', '-C', '-E', self.upn_princ],
+                                stdin_text=self.upn_password)
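
Review bot: In test_upn_user_resolution_in_nonposix_trust and test_upn_user_authentication the principal handed to getent and kinit changes case: the removed lines use a lower-case '@upnsuffix.com', while upn_princ is built from upn_suffix = 'UPNsuffix.com'. If the mixed-case form is only needed for the ipantadditionalsuffixes comparison, build the principal from a lower-cased suffix (for example self.upn_suffix.lower()) or add a comment saying the case change is intended. The 'UPN User' GECOS value also stays hardcoded in upnuser_regex and could become a class attribute like the other test data.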

otherwise LGTM.

Thanks for review, fixed patch attached.

A few notes:
1. mbabinsky's suggestion to store test data as class attributes or a separate resource file: I decided to use the class attribute approach. The separate resource file is a nice idea, which I have already put on my "to do" list - there's a lot of hardcoded stuff in the trust tests, even in the original ones (before my patches), so when there's time I'll work on a way to dynamically provide this data as test configuration.
2. previous discussion about getent vs. pwd.getpwnam(): I'll leave the getent command, since according to mbasti the alternative would not work in CI.

Lenka
From 997ae46d6ee2ab5a147e9f57ef17778cad943cdd Mon Sep 17 00:00:00 2001
From: Lenka Doudova <ldoud...@redhat.com>
Date: Fri, 1 Jul 2016 11:00:57 +0200
Subject: [PATCH] Tests: Support of UPN for trusted domains

Basic set of tests to verify support of UPN functionality.

Test cases:
- establish trust
- verify the trust recognizes UPN
- verify AD user with UPN can be resolved
- verify AD user with UPN can authenticate
- remove trust

https://fedorahosted.org/freeipa/ticket/5354
---
 ipatests/test_integration/test_trust.py | 40 +++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index ba7ab8fdc0703369d55302ae3c20e79bd1b01daa..2507bf1747bfcdfdda4ae269ea403aad66fa903a 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -345,3 +345,43 @@ class TestExternalTrustWithRootDomain(ADTrustSubdomainBase):
     def test_remove_nonposix_trust(self):
         tasks.remove_trust_with_ad(self.master, self.ad_domain)
         tasks.clear_sssd_cache(self.master)
+
+
+class TestTrustWithUPN(ADTrustBase):
+    """
+    Test support of UPN for trusted domains
+    """
+
+    upn_suffix = 'UPNsuffix.com'
+    upn_username = 'upnuser'
+    upn_name = 'UPN User'
+    upn_principal = '{}@{}'.format(upn_username, upn_suffix)
+    upn_password = 'Secret123456'
+
+    def test_upn_in_nonposix_trust(self):
+        """ Check that UPN is listed as trust attribute """
+        result = self.master.run_command(['ipa', 'trust-show', self.ad_domain,
+                                          '--all', '--raw'])
+
+        assert ("ipantadditionalsuffixes: {}".format(self.upn_suffix) in
+                result.stdout_text)
+
+    def test_upn_user_resolution_in_nonposix_trust(self):
+        """ Check that user with UPN can be resolved """
+        result = self.master.run_command(['getent', 'passwd',
+                                          self.upn_principal])
+
+        # result will contain AD domain, not UPN
+        upnuser_regex = "^{}@{}:\*:(\d+):(\d+):{}:/:$".format(
+            self.upn_username, self.ad_domain, self.upn_name)
+        assert re.search(upnuser_regex, result.stdout_text)
+
+    def test_upn_user_authentication(self):
+        """ Check that AD user with UPN can authenticate in IPA """
+        self.master.run_command(['systemctl', 'restart', 'krb5kdc'])
+        self.master.run_command(['kinit', '-C', '-E', self.upn_principal],
+                                stdin_text=self.upn_password)
+
+    def test_remove_nonposix_trust(self):
+        tasks.remove_trust_with_ad(self.master, self.ad_domain)
+        tasks.clear_sssd_cache(self.master)
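
Review bot: In test_upn_user_resolution_in_nonposix_trust, upnuser_regex interpolates self.ad_domain and self.upn_name into the pattern unescaped, so every dot in the domain matches any character and the check is looser than it reads. Wrap the interpolated values in re.escape() before formatting, and make the pattern literal a raw string (r"...") so that \* and \d do not depend on Python passing unknown string escapes through unchanged.
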
-- 
2.7.4
