Hi David, team

According to your suggestions I've split my commits so that each commit addresses some particular problem. One patch (0071) still contains several unrelated fixes, but they mostly reflect changes in error messages and really small but numerous bugfixes that I did not consider worthy of a separate commit each. Please, whenever you have free time, take a look at this new bunch of patches.


Thanks!

On 09/06/2016 04:41 PM, David Kupka wrote:
Hi Oleg!

0013 - It looks like there are two unrelated changes, addition of CRL
distribution extension and creating certificate signed by no longer
existing CA. Please create separate patch for each of the changes, and
describe the change and reason for it in commit messages.

0014 - Could you please split the patch into "numerous" commits, each fixing
one error? Please also describe each fix so everyone has at least a vague
idea about the patch without reading its code. Also, why do you introduce
the global variable config? I don't see it used anywhere.

0039 - It looks like multiple different changes and the commit message says
nothing again. Please split and describe what you changed and why.

0041 - Looks like a weird workaround to me. It would be better to
investigate the root cause and fix it. Or at least describe the cause in
commit message and code comment if it can't be fixed. Also "-h is
deprecated in favor of -H" says man 1 ldapmodify.


On 05/09/16 14:32, Oleg Fayans wrote:
Hi guys,

Finally the ca-less tests are stable. Here in the attachment is the full
set of necessary patches.


On 08/09/2016 10:57 AM, Oleg Fayans wrote:
Hi all,

Bump for the review of the 0013 patch. The script it addresses can be
reused in some WebUI tests - one more reason to have it reviewed/merged.

The rest of the patches should be re-tested, since they were prepared a good
while ago.

On 05/10/2016 05:08 PM, Oleg Fayans wrote:
Hi David,

After quite a while and some more struggles here comes the updated
version of the patch together with other patches fixing things in
ipatests/test_integration/tasks.py
Server and replica installation was refactored in a way to utilize the
code from tasks.py as much as it is possible

The full set of necessary patches is attached


On 04/20/2016 10:35 AM, David Kupka wrote:
On 19/04/16 11:13, Oleg Fayans wrote:
OK, that one, though passing lint, did not actually work. I gave up my
attempts to define method decorators inside the class. Now it passes
lint AND works :)


Hi Oleg!

1) Current commit message is useless. Please use it to describe what is
the point of the patch.

2) $ git show -U0 | pep8 --diff
./ipatests/test_integration/test_caless.py:66:1: E302 expected 2 blank
lines, found 1
./ipatests/test_integration/test_caless.py:74:1: E302 expected 2 blank
lines, found 1
./ipatests/test_integration/test_caless.py:820:5: E303 too many blank
lines (2)
./ipatests/test_integration/test_caless.py:825:80: E501 line too long
(80 > 79 characters)
./ipatests/test_integration/test_caless.py:1035:44: E225 missing
whitespace around operator


3) Isn't there a way to do this with pytest's fixtures?

+def server_install_teardown(func):
+    def wrapped(*args):
+        try:
+            func(*args)
+        finally:
+            args[0].uninstall_server()
+    return wrapped
+
+def replica_install_teardown(func):
+    def wrapped(*args):
+        try:
+            func(*args)
+        finally:
+            # Uninstall replica
+            replica = args[0].replicas[0]
+            tasks.kinit_admin(args[0].master)
+            args[0].uninstall_server(replica)
+            args[0].master.run_command(['ipa-replica-manage', 'del',
+                                        replica.hostname,
'--force'],
+                                       raiseonerr=False)
+            args[0].master.run_command(['ipa', 'host-del',
+                                        replica.hostname],
+                                       raiseonerr=False)
+    return wrapped
+

There is a standard pytest method called 'method_teardown', that is
intended to be executed after each test method, but with our setup it does
not work.


4) Is it necessary to create the $TEST_DIR in the test? Isn't it created
by the framework?

+            host.transport.mkdir_recursive(host.config.test_dir)


Removed.


5) I don't think the comment matches the code.


+        # Remove CA cert in /etc/pki/nssdb, in case of failed
(un)install
+        for host in cls.get_all_hosts():
+            cls.uninstall_server(host)
+
           super(CALessBase, cls).uninstall(mh)


Not actual anymore


6) No! Create list with one element, iterate that list and append every
item to the other list. Maybe there's a better way (Hint: append).
I've seen this in multiple places.

           if unattended:
               args.extend(['-U'])

Agreed


7) Why don't you (extend and) use
ipatests.test_integration.tasks.(un)install_{master,replica}?
This could be done pretty much all over the code.

           host.run_command(['ipa-server-install', '--uninstall',
'-U'])

8) Use ipaplatform.paths for certutil and other binaries. If the binary
is not there feel free to add it.
I've seen this in multiple places.

+        host.run_command(['certutil', '-d', paths.NSS_DB_DIR, '-D',
+                          '-n', 'External CA cert'],
+                         raiseonerr=False)
+        # A workaround
forhttps://fedorahosted.org/freeipa/ticket/4639
+        result = host.run_command(['certutil', '-L', '-d',
+                                   paths.HTTPD_ALIAS_DIR])
+        for rawcert in result.stdout_text.split('\n')[4: -1]:
+            cert = rawcert.split('    ')[0]
+            host.run_command(['certutil', '-D', '-d',
paths.HTTPD_ALIAS_DIR,
+                              '-n', cert])


Done


9) certmonger is a system service. You can check if it is .enabled() and
.running(). And IIUC the comment is the negation of what the code does.


               # Verify certmonger was not started
               result = host.run_command(['getcert', 'list'],
raiseonerr=False)
-            assert result > 0
-            assert ('Please verify that the certmonger service has
been '
-                    'started.' in result.stdout_text),
result.stdout_text
+            assert result.returncode == 0

10) What is the point of calling uninstall_server() when it will be
called in the finally block of server_install_teardown anyway?

+    @server_install_teardown
       def test_revoked_http(self):
           "IPA server install with revoked HTTP certificate"

           if result.returncode == 0:
+            self.uninstall_server()
               raise nose.SkipTest(
                   "Known CA-less installation defect, see "
                   +"https://fedorahosted.org/freeipa/ticket/4270";)

           assert result.returncode > 0

Removed


Nitpick) Do not mix fixing typos/grammar/spelling/style with functional
changes.

-    def test_incorect_http_pin(self):
+    @pytest.mark.xfail(reason='freeipa ticket 5378')
+    def test_incorrect_http_pin(self):
          "Install new HTTP certificate with incorrect PKCS#12
password"

Removed











--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From e4d14730663c64dc229c86fb70e51cb2a4374bc0 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 9 Sep 2016 15:11:59 +0200
Subject: [PATCH] Fixed method failures during second call for the method

When the same host is used for numerous server/replica
installations/uninstallations at some point the /etc/openldap/ldap.conf file
gets corrupted which results in ldapsearch unaware of the default ldap_uri to
connect. The workaround would be to provide ldap hostname for each ldapsearch.

Attention: please unapply this fix once the original issue is resolved.

https://fedorahosted.org/freeipa/ticket/5880
---
 ipatests/test_integration/tasks.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index f5c8ab4cfc21446b843f3c383b51472fb40517c8..f4dcf4844513961f349682d6e3cb8aefaeece256 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -249,7 +249,8 @@ def enable_replication_debugging(host):
         """)
     host.run_command(['ldapmodify', '-x',
                       '-D', str(host.config.dirman_dn),
-                      '-w', host.config.dirman_password],
+                      '-w', host.config.dirman_password,
+                      '-h', host.hostname],
                      stdin_text=logging_ldif)
 
 
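Review bot: the added `'-h', host.hostname` argument uses an option that ldapmodify(1) marks as deprecated in favour of `-H`, as already raised in this thread; pass `-H` with an LDAP URI instead. Because the call does a simple bind (`-x`) with the Directory Manager password (`-w`), naming a network host means the bind is sent unencrypted unless the URI is `ldaps://` or StartTLS is requested. The commit message asks for the change to be reverted once ticket 5880 is resolved, so a code comment next to the argument carrying that ticket URL would make the workaround findable later.
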
-- 
1.8.3.1

From f40673cb80d73c13b051a1fb7db7dc1781933a24 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Wed, 7 Sep 2016 09:52:33 +0200
Subject: [PATCH] Added basic constraints extension to the CA certs

The IPA installer refuses to accept certs signed with a CA-signature that does
not have basic constraints enabled (Described in RFC 5280)
---
 ipatests/test_integration/scripts/caless-create-pki | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ipatests/test_integration/scripts/caless-create-pki b/ipatests/test_integration/scripts/caless-create-pki
index f428ebae16e05644a875a35faf192f75eb149740..8eefadf69532212a89335c87a2d0e5f4748e30f3 100644
--- a/ipatests/test_integration/scripts/caless-create-pki
+++ b/ipatests/test_integration/scripts/caless-create-pki
@@ -38,7 +38,10 @@ gen_cert() {
 
     csr="$(mktemp)"
     crt="$(mktemp)"
-    certutil -R -d "$dbdir" -s "$subject" -f "$pwfile" -z "$noise" -o "$csr" -4 >/dev/null <<EOF
+    certutil -R -d "$dbdir" -s "$subject" -f "$pwfile" -z "$noise" -o "$csr" -4 -2 >/dev/null <<EOF
+y
+0
+N
 1
 7
 file://$crl_path/$ca.crl
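Review bot: the three new heredoc answers `y`, `0`, `N` that go with `-2` are unexplained; add a comment naming the certutil prompt each one answers (CA certificate, path length constraint, critical extension), since the answers are positional and share the heredoc with the `-4` answers that follow. If `N` is the criticality answer, the extension is requested as non-critical, whereas RFC 5280, which the commit message cites, requires basicConstraints to be marked critical on CA certificates. The change also sits in gen_cert(), so the commit message should say whether every certificate this function requests, not only CA certificates, is now meant to carry CA basic constraints.
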
-- 
1.8.3.1

From a6b2b914771dc0718e6dfc1f7c6fd7069c8f80d9 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Wed, 7 Sep 2016 16:05:18 +0200
Subject: [PATCH] Added generation of missing certs

test_ca_server_cert and test_unknown_ca required 2 more certs that were not
pre-generated
---
 ipatests/test_integration/scripts/caless-create-pki | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ipatests/test_integration/scripts/caless-create-pki b/ipatests/test_integration/scripts/caless-create-pki
index 8eefadf69532212a89335c87a2d0e5f4748e30f3..8928e95eafb645af0eaaff2119944f3a9ee4da39 100644
--- a/ipatests/test_integration/scripts/caless-create-pki
+++ b/ipatests/test_integration/scripts/caless-create-pki
@@ -117,6 +117,9 @@ gen_subtree() {
 
 gen_cert server server-selfsign "CN=$server1,O=Self-signed"
 gen_cert server replica-selfsign "CN=$server2,O=Self-signed"
+gen_cert server noca "CN=$server1,O=No-CA"
 gen_subtree ca1 'Example Organization'
 gen_subtree ca1/subca 'Subsidiary Example Organization'
 gen_subtree ca2 'Other Example Organization'
+gen_subtree ca3 'Unknown Organization'
+certutil -D -d "$dbdir" -n ca3
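Review bot: the last added line, `certutil -D -d "$dbdir" -n ca3`, deletes the CA that the line above has just generated, and nothing in the script says why. Add a comment stating that ca3 is removed from the database on purpose (presumably so that test_unknown_ca gets certificates whose issuer is absent), and say which of the two tests named in the commit message the new `noca` certificate serves.
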
-- 
1.8.3.1

From 589c05221bae84b4de97f92b9505443f34d32218 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 9 Sep 2016 10:58:31 +0200
Subject: [PATCH] Updated ipa server installation stdin text

The installer has changed the question sequence so the stdin used for
interactive server installation has to be changed accordingly
---
 ipatests/test_integration/test_caless.py | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index c9d90331bd2658b7164e6a9e70f07bbc8960ff07..047917b25c5060212bb50d42fa00bfeda6e0af92 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -40,14 +40,10 @@ assert_error = tasks.assert_error
 
 def get_install_stdin(cert_passwords=()):
     lines = [
-        'yes',  # Existing BIND configuration detected, overwrite? [no]
         '',  # Server host name (has default)
-        '',  # Confirm domain name (has default)
     ]
     lines.extend(cert_passwords)  # Enter foo.p12 unlock password
     lines += [
-        '',  # Do you want to configure the reverse zone? [yes]
-        '',  # Please specify the reverse zone name [47.34.10.in-addr.arpa.]
         'yes',  # Continue with these values?
     ]
     return '\n'.join(lines + [''])
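Review bot: the answers in `lines` are matched to installer prompts purely by position, and this hunk removes four of them without recording which installer behaviour the remaining sequence corresponds to. If a host does show the BIND overwrite or reverse zone prompt, the empty strings and the final `'yes'` land on the wrong questions and the install fails for a reason unrelated to the test. Note in a comment or docstring what guarantees those prompts no longer appear.
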
-- 
1.8.3.1

From 1dbb71afeebf18a3a16b02e6b4c7a7392f513c4e Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 9 Sep 2016 12:10:46 +0200
Subject: [PATCH] Create a method that cleans all ipa certs

Upon uninstallation IPA does not remove certs from the system, see
https://fedorahosted.org/freeipa/ticket/4639 for details. This causes
installation failures in several tests. The workaround is to manually remove
certs from all certificate databases used by IPA after each server
uninstallation
---
 ipatests/test_integration/test_caless.py | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index 047917b25c5060212bb50d42fa00bfeda6e0af92..2b4ceee7c278584a37e3be7dd81e4384f96f861e 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -54,6 +54,17 @@ def get_replica_prepare_stdin(cert_passwords=()):
     return '\n'.join(lines + [''])
 
 
+def ipa_certs_cleanup(host):
+    host.run_command(['certutil', '-d', paths.NSS_DB_DIR, '-D',
+                      '-n', 'External CA cert'],
+                     raiseonerr=False)
+    # A workaround for https://fedorahosted.org/freeipa/ticket/4639
+    result = host.run_command(['certutil', '-L', '-d',
+                               paths.HTTPD_ALIAS_DIR])
+    for rawcert in result.stdout_text.split('\n')[4: -1]:
+        cert = rawcert.split('    ')[0]
+        host.run_command(['certutil', '-D', '-d', paths.HTTPD_ALIAS_DIR,
+                          '-n', cert])
 class CALessBase(IntegrationTest):
     @classmethod
     def install(cls, mh):
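Review bot: in ipa_certs_cleanup() the nickname list is recovered with `split('\n')[4: -1]` and `split('    ')[0]`, which depends on the exact header height and column padding of the `certutil -L` output; a nickname containing a run of four spaces, or a changed header, makes the loop delete the wrong name or fail. The `-L` call and the per-certificate `-D` calls also omit `raiseonerr=False`, unlike the first call, so they presumably raise on a non-zero exit from inside cleanup. The function uses the literal `'certutil'` and is followed directly by `class CALessBase` with no blank lines; use the paths constant for the binary, as requested earlier in this thread, and add the two blank lines pep8 expects.
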
-- 
1.8.3.1

From afbb4b0c47a35914bd2695cd955dc196ff755d4d Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 9 Sep 2016 12:14:01 +0200
Subject: [PATCH] Added teardown methods for server and replica installation

---
 ipatests/test_integration/test_caless.py | 35 ++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index 2b4ceee7c278584a37e3be7dd81e4384f96f861e..da7ad815a2688173c662a9263a22ea1f8f224ffe 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -65,6 +65,41 @@ def ipa_certs_cleanup(host):
         cert = rawcert.split('    ')[0]
         host.run_command(['certutil', '-D', '-d', paths.HTTPD_ALIAS_DIR,
                           '-n', cert])
+
+
+def server_install_teardown(func):
+    def wrapped(*args):
+        master = args[0].master
+        try:
+            func(*args)
+        finally:
+            tasks.uninstall_master(master, clean=False)
+            ipa_certs_cleanup(master)
+    return wrapped
+
+
+def replica_install_teardown(func):
+    def wrapped(*args):
+        try:
+            func(*args)
+        finally:
+            # Uninstall replica
+            replica = args[0].replicas[0]
+            master = args[0].master
+            tasks.kinit_admin(master)
+            tasks.uninstall_master(replica, clean=False)
+            # Now let's uninstall client for the cases when client promotion
+            # was not successful
+            tasks.uninstall_client(replica)
+            tasks.clean_replication_agreement(master, replica, cleanup=True,
+                                              raiseonerr=False)
+            master.run_command(['ipa', 'host-del',
+                                replica.hostname],
+                               raiseonerr=False)
+            ipa_certs_cleanup(replica)
+    return wrapped
+
+
 class CALessBase(IntegrationTest):
     @classmethod
     def install(cls, mh):
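Review bot: in both decorators the cleanup inside `finally` is a straight sequence, so if `tasks.uninstall_master(...)` raises, `ipa_certs_cleanup(...)` is skipped and the cleanup exception replaces whatever the test itself raised. In replica_install_teardown, `args[0].replicas[0]` is also evaluated inside `finally`, so a class with no replicas fails there with IndexError. Consider guarding each cleanup step, applying functools.wraps to `wrapped` so the test keeps its name and docstring, and accepting `**kwargs`. The commit message has no body; a sentence on why decorators were chosen over a teardown method would help.
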
-- 
1.8.3.1

From 0e3d8c75a3d977bc405c0cc01c727d5e9426ce8a Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 9 Sep 2016 12:17:09 +0200
Subject: [PATCH] Removed call for install method from parent class

The IntegrationTest.install method installs the full topology while in ca-less
tests we need to check server installation, thus the nodes should not have
server or replica installed
---
 ipatests/test_integration/test_caless.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index da7ad815a2688173c662a9263a22ea1f8f224ffe..4eaa562536d6ad95d4a1a1ef037a5e6083c9bc87 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -103,7 +103,6 @@ def replica_install_teardown(func):
 class CALessBase(IntegrationTest):
     @classmethod
     def install(cls, mh):
-        super(CALessBase, cls).install(mh)
         cls.cert_dir = tempfile.mkdtemp(prefix="ipatest-")
         cls.pem_filename = os.path.join(cls.cert_dir, 'root.pem')
         scriptfile = os.path.join(os.path.dirname(__file__),
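Review bot: the removed `super(CALessBase, cls).install(mh)` call leaves no trace in the code of why the parent install is skipped; the reasoning is only in the commit message. Add a short comment at the top of install() saying the hosts must stay uninstalled because each test performs its own server installation, so the call is not restored by a later cleanup.
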
-- 
1.8.3.1

From ab7f3c09ebf3e63ea482d6fa5d28e5a89b7228ae Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 9 Sep 2016 13:16:11 +0200
Subject: [PATCH] Adapted installation methods to utilize methods from tasks

Master and replica installation methods were made to utilize corresponding
methods from tasks.py for the sake of DRY
---
 ipatests/test_integration/test_caless.py | 146 ++++++++++++-------------------
 1 file changed, 55 insertions(+), 91 deletions(-)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index 4eaa562536d6ad95d4a1a1ef037a5e6083c9bc87..a464aca21e01ef30416724d02700a7cd477339ba 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -32,6 +32,7 @@ from ipaplatform.paths import paths
 from ipapython.dn import DN
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.test_integration import tasks
+from ipalib.constants import DOMAIN_LEVEL_0
 
 _DEFAULT = object()
 
@@ -120,16 +121,16 @@ class CALessBase(IntegrationTest):
             client_hostname = cls.clients[0].hostname
         else:
             client_hostname = 'unused-client.test'
-        env = {
+        cls.env = {
             'domain': cls.master.domain.name,
             'server1': cls.master.hostname,
             'server2': replica_hostname,
             'client': client_hostname,
             'dbdir': 'nssdb',
-            'dbpassword': cls.cert_password,
             'crl_path': cls.crl_path,
+            'dirman_password': cls.master.config.dirman_password,
         }
-        ipautil.run(['bash', '-ex', scriptfile], cwd=cls.cert_dir, env=env)
+        ipautil.run(['bash', '-ex', scriptfile], cwd=cls.cert_dir, env=cls.env)
 
         for host in cls.get_all_hosts():
             tasks.apply_common_fixes(host)
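Review bot: `cls.env` now carries `'dirman_password'` into a script that is run with `bash -ex`, so any line of the script that expands that variable is echoed, password included, into the trace output and whatever log captures it. The same hunk drops `'dbpassword'` with no matching change to the script in this patch; confirm the script no longer reads it, or keep the key. If the script needs the directory manager password, say so in the commit message, which currently only mentions reuse of the tasks.py methods.
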
@@ -145,7 +146,8 @@ class CALessBase(IntegrationTest):
     def uninstall(cls, mh):
         # Remove the NSS database
         shutil.rmtree(cls.cert_dir)
-
+        for host in cls.get_all_hosts():
+            tasks.uninstall_master(host)
         super(CALessBase, cls).uninstall(mh)
 
     @classmethod
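Review bot: the new loop calls `tasks.uninstall_master(host)` for every entry of `cls.get_all_hosts()` before `super(CALessBase, cls).uninstall(mh)`, so one failing uninstall prevents the parent cleanup from running. The loop was also placed directly under the `# Remove the NSS database` comment with the separating blank line removed, which makes the comment read as if it covered the uninstall. Keep the blank line, give the loop its own comment, and consider wrapping the loop in try/finally so the parent call always runs.
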
@@ -165,7 +167,7 @@ class CALessBase(IntegrationTest):
             http_pin = cls.cert_password
         if dirsrv_pin is _DEFAULT:
             dirsrv_pin = cls.cert_password
-
+        tasks.prepare_host(host)
         files_to_copy = ['root.pem']
         if http_pkcs12_exists:
             files_to_copy.append(http_pkcs12)
@@ -174,51 +176,36 @@ class CALessBase(IntegrationTest):
         for filename in set(files_to_copy):
             cls.copy_cert(host, filename)
 
-        host.collect_log(paths.IPASERVER_INSTALL_LOG)
-        host.collect_log(paths.IPACLIENT_INSTALL_LOG)
-        inst = host.domain.realm.replace('.', '-')
-        host.collect_log(paths.SLAPD_INSTANCE_ERROR_LOG_TEMPLATE % inst)
-        host.collect_log(paths.SLAPD_INSTANCE_ACCESS_LOG_TEMPLATE % inst)
+        # Remove existing ca certs from default database to avoid conflicts
+        args = [paths.CERTUTIL, "-D", "-d", "/etc/httpd/alias", "-n"]
+        host.run_command(args + ["ca1"], raiseonerr=False)
+        host.run_command(args + ["ca1/server"], raiseonerr=False)
 
-        args = [
-            'ipa-server-install',
-            '--http-cert-file', http_pkcs12,
-            '--dirsrv-cert-file', dirsrv_pkcs12,
-            '--ca-cert-file', root_ca_file,
-            '--ip-address', host.ip,
-            '-r', host.domain.name,
-            '-p', host.config.dirman_password,
-            '-a', host.config.admin_password,
-            '--setup-dns',
-            '--forwarder', host.config.dns_forwarder,
-        ]
+        extra_args = ['--http-cert-file', http_pkcs12,
+                      '--dirsrv-cert-file', dirsrv_pkcs12,
+                      '--ca-cert-file', root_ca_file,
+                      '--ip-address', host.ip]
 
         if http_pin is not None:
-            args.extend(['--http-pin', http_pin])
+            extra_args.extend(['--http-pin', http_pin])
         if dirsrv_pin is not None:
-            args.extend(['--dirsrv-pin', dirsrv_pin])
-        if unattended:
-            args.extend(['-U'])
-
-        return host.run_command(args, raiseonerr=False, stdin_text=stdin_text)
+            extra_args.extend(['--dirsrv-pin', dirsrv_pin])
+        return tasks.install_master(host, extra_args=extra_args,
+                                    unattended=unattended,
+                                    stdin_text=stdin_text,
+                                    raiseonerr=False)
 
     @classmethod
     def copy_cert(cls, host, filename):
         host.transport.put_file(os.path.join(cls.cert_dir, filename),
                                 os.path.join(host.config.test_dir, filename))
 
-    @classmethod
-    def uninstall_server(self, host=None):
-        if host is None:
-            host = self.master
-        host.run_command(['ipa-server-install', '--uninstall', '-U'])
-
     def prepare_replica(self, _replica_number=0, replica=None, master=None,
                         http_pkcs12='replica.p12', dirsrv_pkcs12='replica.p12',
                         http_pkcs12_exists=True, dirsrv_pkcs12_exists=True,
                         http_pin=_DEFAULT, dirsrv_pin=_DEFAULT,
                         root_ca_file='root.pem', unattended=True,
-                        stdin_text=None):
+                        stdin_text=None, domain_level=None):
         """Prepare a CA-less replica
 
         Puts the bundle file into test_dir on the replica if successful,
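Review bot: the new `args` list hard-codes `"/etc/httpd/alias"` together with the nicknames `"ca1"` and `"ca1/server"`; the cleanup helper added earlier in this series already uses `paths.HTTPD_ALIAS_DIR`, so use that constant here and explain in the comment where the two nicknames come from. The hunk also drops `--setup-dns`, `--forwarder`, the realm, both passwords and all four `collect_log` calls on the assumption that tasks.install_master supplies them; state that in the commit message so it can be checked against tasks.py.
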
@@ -234,78 +221,55 @@ class CALessBase(IntegrationTest):
             http_pin = self.cert_password
         if dirsrv_pin is _DEFAULT:
             dirsrv_pin = self.cert_password
-
+        if domain_level is None:
+            domain_level = tasks.domainlevel(master)
         files_to_copy = ['root.pem']
         if http_pkcs12_exists:
             files_to_copy.append(http_pkcs12)
         if dirsrv_pkcs12_exists:
             files_to_copy.append(dirsrv_pkcs12)
+        if domain_level == DOMAIN_LEVEL_0:
+            destination_host = master
+        else:
+            destination_host = replica
+        # Both master and replica lack ipatests folder by this time, so we need
+        # to re-create it
+        tasks.prepare_host(master)
+        tasks.prepare_host(replica)
         for filename in set(files_to_copy):
-            master.transport.put_file(
-                os.path.join(self.cert_dir, filename),
-                os.path.join(master.config.test_dir, filename))
+            try:
+                destination_host.transport.put_file(
+                    os.path.join(self.cert_dir, filename),
+                    os.path.join(destination_host.config.test_dir, filename))
+            except OSError:
+                pass
+        extra_args = []
+        if http_pkcs12_exists:
+            extra_args.extend(['--http-cert-file', http_pkcs12])
+        if dirsrv_pkcs12_exists:
+            extra_args.extend(['--dirsrv-cert-file', dirsrv_pkcs12])
 
-        replica.collect_log(paths.IPAREPLICA_INSTALL_LOG)
-        replica.collect_log(paths.IPACLIENT_INSTALL_LOG)
-        inst = replica.domain.realm.replace('.', '-')
-        replica.collect_log(paths.SLAPD_INSTANCE_ERROR_LOG_TEMPLATE % inst)
-        replica.collect_log(paths.SLAPD_INSTANCE_ACCESS_LOG_TEMPLATE % inst)
-
-        args = [
-            'ipa-replica-prepare',
-            '--ip-address', replica.ip,
-            '-p', replica.config.dirman_password,
-        ]
-
-        if http_pkcs12:
-            args.extend(['--http-cert-file', http_pkcs12])
-        if dirsrv_pkcs12:
-            args.extend(['--dirsrv-cert-file', dirsrv_pkcs12])
         if http_pin is not None:
-            args.extend(['--http-pin', http_pin])
+            extra_args.extend(['--http-pin', http_pin])
         if dirsrv_pin is not None:
-            args.extend(['--dirsrv-pin', dirsrv_pin])
-
-        args.extend([replica.hostname])
-
-        result = master.run_command(args, raiseonerr=False,
-                                    stdin_text=stdin_text)
-
-        if result.returncode == 0:
-            replica_bundle = master.get_file_contents(
-                paths.REPLICA_INFO_GPG_TEMPLATE % replica.hostname)
-            replica.put_file_contents(self.get_replica_filename(replica),
-                                      replica_bundle)
+            extra_args.extend(['--dirsrv-pin', dirsrv_pin])
+        if domain_level == DOMAIN_LEVEL_0:
+            result = tasks.replica_prepare(master, replica,
+                                           extra_args=extra_args,
+                                           raiseonerr=False,
+                                           stdin_text=stdin_text)
         else:
-            replica.run_command(['rm', self.get_replica_filename(replica)],
-                                raiseonerr=False)
-
+            result = tasks.install_replica(master, replica, setup_ca=False,
+                                           extra_args=extra_args,
+                                           unattended=unattended,
+                                           stdin_text=stdin_text,
+                                           raiseonerr=False)
         return result
 
     def get_replica_filename(self, replica):
         return os.path.join(replica.config.test_dir,
                             'replica-info.gpg')
 
-    def install_replica(self, _replica_number=0, replica=None,
-                        unattended=True):
-        """Install a CA-less replica
-
-        The bundle file is expected to be in the test_dir
-
-        Return value is the remote ipa-replica-install command
-        """
-        if replica is None:
-            replica = self.replicas[_replica_number]
-
-        args = ['ipa-replica-install', '-U',
-                '-p', replica.config.dirman_password,
-                '-w', replica.config.admin_password,
-                '--ip-address', replica.ip,
-                self.get_replica_filename(replica)]
-        if unattended:
-            args.append('-U')
-        return replica.run_command(args)
-
     @classmethod
     def export_pkcs12(cls, nickname, filename='server.p12', password=None):
         """Export a cert as PKCS#12 to the given file"""
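Review bot: the condition for passing `--http-cert-file` and `--dirsrv-cert-file` changes from `if http_pkcs12:` to `if http_pkcs12_exists:`, so a caller that sets `http_pkcs12_exists=False` to point the tool at a missing file no longer passes the option at all and stops exercising the missing-file error path. Keep the original condition on the file name. In the copy loop, `except OSError: pass` hides every failure to transfer a certificate file, which will surface later as an unrelated install error; log the exception or let it propagate. The docstring still says the bundle file is put into test_dir on the replica, while the code that copied it is removed in this hunk; check that the docstring still holds.
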
-- 
1.8.3.1

From ee49c5e30f2ab40366cb92b0e5e299400f727706 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 9 Sep 2016 13:43:03 +0200
Subject: [PATCH] Fixed incorrect assert in verify_installation

---
 ipatests/test_integration/test_caless.py | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index a464aca21e01ef30416724d02700a7cd477339ba..1b4dd629aa28f073009072d103fabbdf23305ffe 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -285,7 +285,7 @@ class CALessBase(IntegrationTest):
     @classmethod
     def get_pem(cls, nickname):
         result = ipautil.run(
-            ['certutil', '-L', '-d', 'nssdb', '-n', nickname, '-a'],
+            [paths.CERTUTIL, '-L', '-d', 'nssdb', '-n', nickname, '-a'],
             cwd=cls.cert_dir, capture_output=True)
         return result.output
 
@@ -314,9 +314,7 @@ class CALessBase(IntegrationTest):
 
             # Verify certmonger was not started
             result = host.run_command(['getcert', 'list'], raiseonerr=False)
-            assert result > 0
-            assert ('Please verify that the certmonger service has been '
-                    'started.' in result.stdout_text), result.stdout_text
+            assert result.returncode == 0
 
         for host in self.get_all_hosts():
             # Check the cert PEM file
-- 
1.8.3.1

From 6752416468aabe82f49958e64ff5dd55515db2e5 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 9 Sep 2016 13:59:42 +0200
Subject: [PATCH] Applied correct install and teardown methods

---
 ipatests/test_integration/test_caless.py | 85 +++++++++++++++++++++++---------
 1 file changed, 63 insertions(+), 22 deletions(-)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index 1b4dd629aa28f073009072d103fabbdf23305ffe..07ee280f21a90c6ee61a83dc84c41971df2f1b20 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -330,9 +330,7 @@ class CALessBase(IntegrationTest):
 class TestServerInstall(CALessBase):
     num_replicas = 0
 
-    def tearDown(self):
-        self.uninstall_server()
-
+    @server_install_teardown
     def test_nonexistent_ca_pem_file(self):
         "IPA server install with non-existent CA PEM file "
 
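Review bot: removing the class-level `tearDown` in favour of `@server_install_teardown` on each test makes cleanup opt-in, so any test added to TestServerInstall later without the decorator leaves an installed server behind for the next test. A fixture or a class-level teardown hook would keep cleanup automatic, as suggested earlier in this thread; if that does not work with this setup, say why in the commit message, which has no body.
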
@@ -345,6 +343,7 @@ class TestServerInstall(CALessBase):
                      'Failed to open does_not_exist: No such file '
                      'or directory')
 
+    @server_install_teardown
     def test_unknown_ca(self):
         "IPA server install with CA PEM file with unknown CA certificate"
 
@@ -358,6 +357,7 @@ class TestServerInstall(CALessBase):
                      'certificate chain is not present in the PKCS#12 '
                      'file')
 
+    @server_install_teardown
     def test_ca_server_cert(self):
         "IPA server install with CA PEM file with server certificate"
 
@@ -370,6 +370,7 @@ class TestServerInstall(CALessBase):
                      'trust chain of the server certificate in server.p12 '
                      'contains 1 certificates, expected 2')
 
+    @server_install_teardown
     def test_ca_2_certs(self):
         "IPA server install with CA PEM file with 2 certificates"
 
@@ -381,6 +382,7 @@ class TestServerInstall(CALessBase):
         result = self.install_server()
         assert_error(result, 'root.pem contains more than one certificate')
 
+    @server_install_teardown
     def test_nonexistent_http_pkcs12_file(self):
         "IPA server install with non-existent HTTP PKCS#12 file"
 
@@ -392,6 +394,7 @@ class TestServerInstall(CALessBase):
                                      http_pkcs12_exists=False)
         assert_error(result, 'Failed to open does_not_exist')
 
+    @server_install_teardown
     def test_nonexistent_ds_pkcs12_file(self):
         "IPA server install with non-existent DS PKCS#12 file"
 
@@ -403,6 +406,7 @@ class TestServerInstall(CALessBase):
                                      dirsrv_pkcs12_exists=False)
         assert_error(result, 'Failed to open does_not_exist')
 
+    @server_install_teardown
     def test_missing_http_password(self):
         "IPA server install with missing HTTP PKCS#12 password (unattended)"
 
@@ -415,6 +419,7 @@ class TestServerInstall(CALessBase):
                      'ipa-server-install: error: You must specify --http-pin '
                      'with --http-cert-file')
 
+    @server_install_teardown
     def test_missing_ds_password(self):
         "IPA server install with missing DS PKCS#12 password (unattended)"
 
@@ -427,6 +432,7 @@ class TestServerInstall(CALessBase):
                      'ipa-server-install: error: You must specify '
                      '--dirsrv-pin with --dirsrv-cert-file')
 
+    @server_install_teardown
     def test_incorect_http_pin(self):
         "IPA server install with incorrect HTTP PKCS#12 password"
 
@@ -437,6 +443,7 @@ class TestServerInstall(CALessBase):
         result = self.install_server(http_pin='bad<pin>')
         assert_error(result, 'incorrect password for pkcs#12 file server.p12')
 
+    @server_install_teardown
     def test_incorect_ds_pin(self):
         "IPA server install with incorrect DS PKCS#12 password"
 
@@ -447,6 +454,7 @@ class TestServerInstall(CALessBase):
         result = self.install_server(dirsrv_pin='bad<pin>')
         assert_error(result, 'incorrect password for pkcs#12 file server.p12')
 
+    @server_install_teardown
     def test_invalid_http_cn(self):
         "IPA server install with HTTP certificate with invalid CN"
 
@@ -461,6 +469,7 @@ class TestServerInstall(CALessBase):
                      'The server certificate in http.p12 is not valid: '
                      'invalid for server %s' % self.master.hostname)
 
+    @server_install_teardown
     def test_invalid_ds_cn(self):
         "IPA server install with DS certificate with invalid CN"
 
@@ -475,6 +484,7 @@ class TestServerInstall(CALessBase):
                      'The server certificate in dirsrv.p12 is not valid: '
                      'invalid for server %s' % self.master.hostname)
 
+    @server_install_teardown
     def test_expired_http(self):
         "IPA server install with expired HTTP certificate"
 
@@ -490,6 +500,7 @@ class TestServerInstall(CALessBase):
                      "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
                      'expired.')
 
+    @server_install_teardown
     def test_expired_ds(self):
         "IPA server install with expired DS certificate"
 
@@ -505,6 +516,7 @@ class TestServerInstall(CALessBase):
                      "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
                      'expired.')
 
+    @server_install_teardown
     def test_http_bad_usage(self):
         "IPA server install with HTTP certificate with invalid key usage"
 
@@ -519,6 +531,7 @@ class TestServerInstall(CALessBase):
                      'The server certificate in http.p12 is not valid: '
                      'invalid for a SSL server')
 
+    @server_install_teardown
     def test_ds_bad_usage(self):
         "IPA server install with DS certificate with invalid key usage"
 
@@ -533,6 +546,7 @@ class TestServerInstall(CALessBase):
                      'The server certificate in dirsrv.p12 is not valid: '
                      'invalid for a SSL server')
 
+    @server_install_teardown
     def test_revoked_http(self):
         "IPA server install with revoked HTTP certificate"
 
@@ -551,6 +565,7 @@ class TestServerInstall(CALessBase):
 
         assert result.returncode > 0
 
+    @server_install_teardown
     def test_revoked_ds(self):
         "IPA server install with revoked DS certificate"
 
@@ -569,6 +584,7 @@ class TestServerInstall(CALessBase):
 
         assert result.returncode > 0
 
+    @server_install_teardown
     def test_http_intermediate_ca(self):
         "IPA server install with HTTP certificate issued by intermediate CA"
 
@@ -583,6 +599,7 @@ class TestServerInstall(CALessBase):
                      'http.p12 is not signed by root.pem, or the full '
                      'certificate chain is not present in the PKCS#12 file')
 
+    @server_install_teardown
     def test_ds_intermediate_ca(self):
         "IPA server install with DS certificate issued by intermediate CA"
 
@@ -597,6 +614,7 @@ class TestServerInstall(CALessBase):
                      'dirsrv.p12 is not signed by root.pem, or the full '
                      'certificate chain is not present in the PKCS#12 file')
 
+    @server_install_teardown
     def test_ca_self_signed(self):
         "IPA server install with self-signed certificate"
 
@@ -607,6 +625,7 @@ class TestServerInstall(CALessBase):
         result = self.install_server()
         assert result.returncode > 0
 
+    @server_install_teardown
     def test_valid_certs(self):
         "IPA server install with valid certificates"
 
@@ -618,6 +637,7 @@ class TestServerInstall(CALessBase):
         assert result.returncode == 0
         self.verify_installation()
 
+    @server_install_teardown
     def test_wildcard_http(self):
         "IPA server install with wildcard HTTP certificate"
 
@@ -631,6 +651,7 @@ class TestServerInstall(CALessBase):
         assert result.returncode == 0
         self.verify_installation()
 
+    @server_install_teardown
     def test_wildcard_ds(self):
         "IPA server install with wildcard DS certificate"
 
@@ -644,6 +665,7 @@ class TestServerInstall(CALessBase):
         assert result.returncode == 0
         self.verify_installation()
 
+    @server_install_teardown
     def test_http_san(self):
         "IPA server install with HTTP certificate with SAN"
 
@@ -657,6 +679,7 @@ class TestServerInstall(CALessBase):
         assert result.returncode == 0
         self.verify_installation()
 
+    @server_install_teardown
     def test_ds_san(self):
         "IPA server install with DS certificate with SAN"
 
@@ -670,6 +693,7 @@ class TestServerInstall(CALessBase):
         assert result.returncode == 0
         self.verify_installation()
 
+    @server_install_teardown
     def test_interactive_missing_http_pkcs_password(self):
         "IPA server install with prompt for HTTP PKCS#12 password"
 
@@ -686,6 +710,7 @@ class TestServerInstall(CALessBase):
         assert ('Enter server.p12 unlock password:'
                 in result.stdout_text), result.stdout_text
 
+    @server_install_teardown
     def test_interactive_missing_ds_pkcs_password(self):
         "IPA server install with prompt for DS PKCS#12 password"
 
@@ -702,6 +727,7 @@ class TestServerInstall(CALessBase):
         assert ('Enter server.p12 unlock password:'
                 in result.stdout_text), result.stdout_text
 
+    @server_install_teardown
     def test_no_http_password(self):
         "IPA server install with empty HTTP password"
 
@@ -716,6 +742,7 @@ class TestServerInstall(CALessBase):
         assert result.returncode == 0
         self.verify_installation()
 
+    @server_install_teardown
     def test_no_ds_password(self):
         "IPA server install with empty DS password"
 
@@ -734,27 +761,16 @@ class TestServerInstall(CALessBase):
 class TestReplicaInstall(CALessBase):
     num_replicas = 1
 
-    def setUp(self):
-        # Install the master for every test
-        self.export_pkcs12('ca1/server')
-        with open(self.pem_filename, 'w') as f:
-            f.write(self.get_pem('ca1'))
-
-        result = self.install_server()
+    @classmethod
+    def install(cls, mh):
+        super(TestReplicaInstall, cls).install(mh)
+        cls.export_pkcs12('ca1/server')
+        with open(cls.pem_filename, 'w') as f:
+            f.write(cls.get_pem('ca1'))
+        result = cls.install_server()
         assert result.returncode == 0
 
-    def tearDown(self):
-        # Uninstall both master and replica
-        replica = self.replicas[0]
-        tasks.kinit_admin(self.master)
-        self.uninstall_server(replica)
-        self.master.run_command(['ipa-replica-manage', 'del', replica.hostname,
-                                 '--force'], raiseonerr=False)
-        self.master.run_command(['ipa', 'host-del', replica.hostname],
-                                raiseonerr=False)
-
-        self.uninstall_server()
-
+    @replica_install_teardown
     def test_no_certs(self):
         "IPA replica install without certificates"
 
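Review bot: In `TestReplicaInstall.install` the master is now installed once per class instead of in `setUp` before every test, so whatever one test leaves on the master is visible to the next. The removed `tearDown` ran `ipa-replica-manage del ... --force` and `ipa host-del` for the replica on the master; please confirm `replica_install_teardown` still does both, since a leftover host entry or replication agreement would make later replica tests fail for unrelated reasons. Also, if the `assert result.returncode == 0` in `install` fails, nothing in this hunk shows the half-installed master being uninstalled.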
@@ -767,6 +783,7 @@ class TestReplicaInstall(CALessBase):
                 'custom certificates.' in result.stderr_text), \
                result.stderr_text
 
+    @replica_install_teardown
     def test_nonexistent_http_pkcs12_file(self):
         "IPA replica install with non-existent HTTP PKCS#12 file"
 
@@ -777,6 +794,7 @@ class TestReplicaInstall(CALessBase):
                                       http_pkcs12_exists=False)
         assert_error(result, 'Failed to open does_not_exist')
 
+    @replica_install_teardown
     def test_nonexistent_ds_pkcs12_file(self):
         "IPA replica install with non-existent DS PKCS#12 file"
 
@@ -787,6 +805,7 @@ class TestReplicaInstall(CALessBase):
                                       dirsrv_pkcs12_exists=False)
         assert_error(result, 'Failed to open does_not_exist')
 
+    @replica_install_teardown
     def test_incorect_http_pin(self):
         "IPA replica install with incorrect HTTP PKCS#12 password"
 
@@ -796,6 +815,7 @@ class TestReplicaInstall(CALessBase):
         assert result.returncode > 0
         assert_error(result, 'incorrect password for pkcs#12 file replica.p12')
 
+    @replica_install_teardown
     def test_incorect_ds_pin(self):
         "IPA replica install with incorrect DS PKCS#12 password"
 
@@ -804,6 +824,7 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(dirsrv_pin='bad<pin>')
         assert_error(result, 'incorrect password for pkcs#12 file replica.p12')
 
+    @replica_install_teardown
     def test_http_unknown_ca(self):
         "IPA replica install with HTTP certificate issued by unknown CA"
 
@@ -816,6 +837,7 @@ class TestReplicaInstall(CALessBase):
                      'http.p12 is not signed by /etc/ipa/ca.crt, or the full '
                      'certificate chain is not present in the PKCS#12 file')
 
+    @replica_install_teardown
     def test_ds_unknown_ca(self):
         "IPA replica install with DS certificate issued by unknown CA"
 
@@ -829,6 +851,7 @@ class TestReplicaInstall(CALessBase):
                      'full certificate chain is not present in the PKCS#12 '
                      'file')
 
+    @replica_install_teardown
     def test_invalid_http_cn(self):
         "IPA replica install with HTTP certificate with invalid CN"
 
@@ -841,6 +864,7 @@ class TestReplicaInstall(CALessBase):
                      'The server certificate in http.p12 is not valid: '
                      'invalid for server %s' % self.replicas[0].hostname)
 
+    @replica_install_teardown
     def test_invalid_ds_cn(self):
         "IPA replica install with DS certificate with invalid CN"
 
@@ -853,6 +877,7 @@ class TestReplicaInstall(CALessBase):
                      'The server certificate in dirsrv.p12 is not valid: '
                      'invalid for server %s' % self.replicas[0].hostname)
 
+    @replica_install_teardown
     def test_expired_http(self):
         "IPA replica install with expired HTTP certificate"
 
@@ -866,6 +891,7 @@ class TestReplicaInstall(CALessBase):
                      "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
                      'expired.')
 
+    @replica_install_teardown
     def test_expired_ds(self):
         "IPA replica install with expired DS certificate"
 
@@ -879,6 +905,7 @@ class TestReplicaInstall(CALessBase):
                      "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
                      'expired.')
 
+    @replica_install_teardown
     def test_http_bad_usage(self):
         "IPA replica install with HTTP certificate with invalid key usage"
 
@@ -891,6 +918,7 @@ class TestReplicaInstall(CALessBase):
                      'The server certificate in http.p12 is not valid: '
                      'invalid for a SSL server')
 
+    @replica_install_teardown
     def test_ds_bad_usage(self):
         "IPA replica install with DS certificate with invalid key usage"
 
@@ -903,6 +931,7 @@ class TestReplicaInstall(CALessBase):
                      'The server certificate in dirsrv.p12 is not valid: '
                      'invalid for a SSL server')
 
+    @replica_install_teardown
     def test_revoked_http(self):
         "IPA replica install with revoked HTTP certificate"
 
@@ -919,6 +948,7 @@ class TestReplicaInstall(CALessBase):
 
         assert result.returncode > 0
 
+    @replica_install_teardown
     def test_revoked_ds(self):
         "IPA replica install with revoked DS certificate"
 
@@ -935,6 +965,7 @@ class TestReplicaInstall(CALessBase):
 
         assert result.returncode > 0
 
+    @replica_install_teardown
     def test_http_intermediate_ca(self):
         "IPA replica install with HTTP certificate issued by intermediate CA"
 
@@ -947,6 +978,7 @@ class TestReplicaInstall(CALessBase):
                      'http.p12 is not signed by /etc/ipa/ca.crt, or the full '
                      'certificate chain is not present in the PKCS#12 file')
 
+    @replica_install_teardown
     def test_ds_intermediate_ca(self):
         "IPA replica install with DS certificate issued by intermediate CA"
 
@@ -960,6 +992,7 @@ class TestReplicaInstall(CALessBase):
                      'full certificate chain is not present in the PKCS#12 '
                      'file')
 
+    @replica_install_teardown
     def test_valid_certs(self):
         "IPA replica install with valid certificates"
 
@@ -974,6 +1007,7 @@ class TestReplicaInstall(CALessBase):
 
         self.verify_installation()
 
+    @replica_install_teardown
     def test_wildcard_http(self):
         "IPA replica install with wildcard HTTP certificate"
 
@@ -989,6 +1023,7 @@ class TestReplicaInstall(CALessBase):
 
         self.verify_installation()
 
+    @replica_install_teardown
     def test_wildcard_ds(self):
         "IPA replica install with wildcard DS certificate"
 
@@ -1004,6 +1039,7 @@ class TestReplicaInstall(CALessBase):
 
         self.verify_installation()
 
+    @replica_install_teardown
     def test_http_san(self):
         "IPA replica install with HTTP certificate with SAN"
 
@@ -1019,6 +1055,7 @@ class TestReplicaInstall(CALessBase):
 
         self.verify_installation()
 
+    @replica_install_teardown
     def test_ds_san(self):
         "IPA replica install with DS certificate with SAN"
 
@@ -1034,6 +1071,7 @@ class TestReplicaInstall(CALessBase):
 
         self.verify_installation()
 
+    @replica_install_teardown
     def test_interactive_missing_http_pkcs_password(self):
         "IPA replica install with missing HTTP PKCS#12 password"
 
@@ -1051,6 +1089,7 @@ class TestReplicaInstall(CALessBase):
 
         self.verify_installation()
 
+    @replica_install_teardown
     def test_interactive_missing_ds_pkcs_password(self):
         "IPA replica install with missing DS PKCS#12 password"
 
@@ -1068,6 +1107,7 @@ class TestReplicaInstall(CALessBase):
 
         self.verify_installation()
 
+    @replica_install_teardown
     def test_no_http_password(self):
         "IPA replica install with empty HTTP password"
 
@@ -1084,6 +1124,7 @@ class TestReplicaInstall(CALessBase):
 
         self.verify_installation()
 
+    @replica_install_teardown
     def test_no_ds_password(self):
         "IPA replica install with empty DS password"
 
-- 
1.8.3.1

From 2140d5dc3a8bdd45e790450776791f222aadb721 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 9 Sep 2016 14:13:37 +0200
Subject: [PATCH] Fixed test errors in calss tests

A lot of error messages have changed which required the changes in test asserts.
Several other minor bugfixes
---
 ipatests/test_integration/test_caless.py | 168 ++++++++++++-------------------
 1 file changed, 62 insertions(+), 106 deletions(-)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index 07ee280f21a90c6ee61a83dc84c41971df2f1b20..19e8c5aa8a7af0460b1383e0775bee59f7e2ff5f 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -347,28 +347,24 @@ class TestServerInstall(CALessBase):
     def test_unknown_ca(self):
         "IPA server install with CA PEM file with unknown CA certificate"
 
-        self.export_pkcs12('ca1/server')
+        self.export_pkcs12('ca3/server')
         with open(self.pem_filename, 'w') as f:
             f.write(self.get_pem('ca2'))
 
         result = self.install_server()
         assert_error(result,
-                     'server.p12 is not signed by root.pem, or the full '
-                     'certificate chain is not present in the PKCS#12 '
-                     'file')
+                     'The full certificate chain is not present in server.p12')
 
     @server_install_teardown
     def test_ca_server_cert(self):
         "IPA server install with CA PEM file with server certificate"
-
-        self.export_pkcs12('ca1/server')
+        self.export_pkcs12('noca')
         with open(self.pem_filename, 'w') as f:
-            f.write(self.get_pem('ca1/server'))
+            f.write(self.get_pem('noca'))
 
         result = self.install_server()
         assert_error(result,
-                     'trust chain of the server certificate in server.p12 '
-                     'contains 1 certificates, expected 2')
+                     'The full certificate chain is not present in server.p12')
 
     @server_install_teardown
     def test_ca_2_certs(self):
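Review bot: `test_ca_server_cert` keeps the docstring "IPA server install with CA PEM file with server certificate", but it now exports `noca` and writes `get_pem('noca')` into the CA file, so the case the name describes (a server certificate supplied as the CA) is no longer what runs. Together with `test_unknown_ca` moving from `ca1/server` to `ca3/server`, both tests now assert the identical message 'The full certificate chain is not present in server.p12', and the commit message covers only the message change, not the fixture change. Please either keep the original fixtures with the new message, or rename the tests and explain why the fixtures had to change.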
@@ -473,8 +469,7 @@ class TestServerInstall(CALessBase):
     def test_invalid_ds_cn(self):
         "IPA server install with DS certificate with invalid CN"
 
-        self.export_pkcs12('ca1/server', filename='http.p12')
-        self.export_pkcs12('ca1/server-badname', filename='dirsrv.p12')
+        self.export_pkcs12('ca1/replica', filename='dirsrv.p12')
         with open(self.pem_filename, 'w') as f:
             f.write(self.get_pem('ca1'))
 
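Review bot: In `test_invalid_ds_cn` the `http.p12` export is dropped and the purpose-built `ca1/server-badname` fixture is replaced with `ca1/replica`, so the "invalid CN" case now relies on the replica certificate happening not to match the master hostname. If the `install_server` call further down still passes `http_pkcs12='http.p12'`, that file is no longer created by this test. Please say in the commit message why `server-badname` stopped being usable.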
@@ -595,9 +590,9 @@ class TestServerInstall(CALessBase):
 
         result = self.install_server(http_pkcs12='http.p12',
                                      dirsrv_pkcs12='dirsrv.p12')
-        assert_error(result,
-                     'http.p12 is not signed by root.pem, or the full '
-                     'certificate chain is not present in the PKCS#12 file')
+        assert_error(result, 'Apache Server SSL certificate and'
+                             ' Directory Server SSL certificate are not'
+                             ' signed by the same CA certificate')
 
     @server_install_teardown
     def test_ds_intermediate_ca(self):
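Review bot: The expected string 'Apache Server SSL certificate and Directory Server SSL certificate are not signed by the same CA certificate' in `test_http_intermediate_ca` appears in five more hunks of this patch, with two different line splits. The HTTP and DS variants also now assert the same text, so a failure no longer shows which PKCS#12 file was rejected. A module-level constant would keep the copies in sync, and it would be worth checking whether the tool reports the offending file somewhere that the tests can still assert on.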
@@ -611,8 +606,8 @@ class TestServerInstall(CALessBase):
         result = self.install_server(http_pkcs12='http.p12',
                                      dirsrv_pkcs12='dirsrv.p12')
         assert_error(result,
-                     'dirsrv.p12 is not signed by root.pem, or the full '
-                     'certificate chain is not present in the PKCS#12 file')
+                     'Apache Server SSL certificate and Directory Server SSL'
+                     ' certificate are not signed by the same CA certificate')
 
     @server_install_teardown
     def test_ca_self_signed(self):
@@ -707,7 +702,7 @@ class TestServerInstall(CALessBase):
                                      stdin_text=stdin_text)
         assert result.returncode == 0
         self.verify_installation()
-        assert ('Enter server.p12 unlock password:'
+        assert ('Enter Apache Server private key unlock password'
                 in result.stdout_text), result.stdout_text
 
     @server_install_teardown
@@ -724,7 +719,7 @@ class TestServerInstall(CALessBase):
                                      stdin_text=stdin_text)
         assert result.returncode == 0
         self.verify_installation()
-        assert ('Enter server.p12 unlock password:'
+        assert ('Enter Directory Server private key unlock password'
                 in result.stdout_text), result.stdout_text
 
     @server_install_teardown
@@ -773,25 +768,21 @@ class TestReplicaInstall(CALessBase):
     @replica_install_teardown
     def test_no_certs(self):
         "IPA replica install without certificates"
-
-        result = self.master.run_command(['ipa-replica-prepare',
-                                          self.replicas[0].hostname],
-                                         raiseonerr=False)
-        assert result.returncode > 0
-        assert ('Cannot issue certificates: a CA is not installed. Use the '
-                '--http-cert-file, --dirsrv-cert-file options to provide '
-                'custom certificates.' in result.stderr_text), \
-               result.stderr_text
+        result = self.prepare_replica(http_pkcs12_exists=False,
+                                      dirsrv_pkcs12_exists=False)
+        assert_error(result, "Cannot issue certificates: a CA is not "
+                             "installed. Use the --http-cert-file, "
+                             "--dirsrv-cert-file options to provide "
+                             "custom certificates.")
 
     @replica_install_teardown
     def test_nonexistent_http_pkcs12_file(self):
         "IPA replica install with non-existent HTTP PKCS#12 file"
 
-        self.export_pkcs12('ca1/replica', filename='dirsrv.p12')
+        self.export_pkcs12('ca1/replica', filename='http.p12')
 
         result = self.prepare_replica(http_pkcs12='does_not_exist',
-                                      dirsrv_pkcs12='dirsrv.p12',
-                                      http_pkcs12_exists=False)
+                                      dirsrv_pkcs12='http.p12')
         assert_error(result, 'Failed to open does_not_exist')
 
     @replica_install_teardown
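Review bot: In `test_nonexistent_http_pkcs12_file` the replica certificate is now exported as `http.p12` and then passed as `dirsrv_pkcs12='http.p12'`, in a test whose whole point is that the HTTP file is missing. Exporting it as `dirsrv.p12`, as the removed line did, reads correctly. The same hunk adds `http_pkcs12_exists=False` to `test_no_certs` while removing it here, which looks inverted, since this is the test where the file does not exist. If the meaning of that parameter changed, the commit message should say so.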
@@ -801,8 +792,7 @@ class TestReplicaInstall(CALessBase):
         self.export_pkcs12('ca1/replica', filename='http.p12')
 
         result = self.prepare_replica(dirsrv_pkcs12='does_not_exist',
-                                      http_pkcs12='http.p12',
-                                      dirsrv_pkcs12_exists=False)
+                                      http_pkcs12='http.p12')
         assert_error(result, 'Failed to open does_not_exist')
 
     @replica_install_teardown
@@ -833,9 +823,9 @@ class TestReplicaInstall(CALessBase):
 
         result = self.prepare_replica(http_pkcs12='http.p12',
                                       dirsrv_pkcs12='dirsrv.p12')
-        assert_error(result,
-                     'http.p12 is not signed by /etc/ipa/ca.crt, or the full '
-                     'certificate chain is not present in the PKCS#12 file')
+        assert_error(result, 'Apache Server SSL certificate and'
+                             ' Directory Server SSL certificate are not'
+                             ' signed by the same CA certificate')
 
     @replica_install_teardown
     def test_ds_unknown_ca(self):
@@ -847,9 +837,8 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(http_pkcs12='http.p12',
                                       dirsrv_pkcs12='dirsrv.p12')
         assert_error(result,
-                     'dirsrv.p12 is not signed by /etc/ipa/ca.crt, or the '
-                     'full certificate chain is not present in the PKCS#12 '
-                     'file')
+                     'Apache Server SSL certificate and Directory Server SSL'
+                     ' certificate are not signed by the same CA certificate')
 
     @replica_install_teardown
     def test_invalid_http_cn(self):
@@ -975,8 +964,8 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(http_pkcs12='http.p12',
                                       dirsrv_pkcs12='dirsrv.p12')
         assert_error(result,
-                     'http.p12 is not signed by /etc/ipa/ca.crt, or the full '
-                     'certificate chain is not present in the PKCS#12 file')
+                     'Apache Server SSL certificate and Directory Server SSL'
+                     ' certificate are not signed by the same CA certificate')
 
     @replica_install_teardown
     def test_ds_intermediate_ca(self):
@@ -987,10 +976,9 @@ class TestReplicaInstall(CALessBase):
 
         result = self.prepare_replica(http_pkcs12='http.p12',
                                       dirsrv_pkcs12='dirsrv.p12')
-        assert_error(result,
-                     'dirsrv.p12 is not signed by /etc/ipa/ca.crt, or the '
-                     'full certificate chain is not present in the PKCS#12 '
-                     'file')
+        assert_error(result, 'Apache Server SSL certificate and'
+                             ' Directory Server SSL certificate are not'
+                             ' signed by the same CA certificate')
 
     @replica_install_teardown
     def test_valid_certs(self):
@@ -1001,11 +989,8 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(http_pkcs12='server.p12',
                                       dirsrv_pkcs12='server.p12')
         assert result.returncode == 0
-
-        result = self.install_replica()
-        assert result.returncode == 0
-
-        self.verify_installation()
+        if self.domain_level > DOMAIN_LEVEL_0:
+            self.verify_installation()
 
     @replica_install_teardown
     def test_wildcard_http(self):
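Review bot: With `if self.domain_level > DOMAIN_LEVEL_0:` guarding `verify_installation()` in `test_valid_certs`, the `install_replica()` call and its return-code check are gone, so at domain level 0 the test ends with only the `prepare_replica` return code checked. The first hunk of this patch starts at line 347 of the file, so no import of `DOMAIN_LEVEL_0` is visible; please confirm it is already in scope. The same replacement is repeated in the eight hunks that follow, and a small helper method would avoid nine copies of the condition.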
@@ -1017,11 +1002,8 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(http_pkcs12='http.p12',
                                       dirsrv_pkcs12='dirsrv.p12')
         assert result.returncode == 0
-
-        result = self.install_replica()
-        assert result.returncode == 0
-
-        self.verify_installation()
+        if self.domain_level > DOMAIN_LEVEL_0:
+            self.verify_installation()
 
     @replica_install_teardown
     def test_wildcard_ds(self):
@@ -1033,11 +1015,8 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(http_pkcs12='http.p12',
                                       dirsrv_pkcs12='dirsrv.p12')
         assert result.returncode == 0
-
-        result = self.install_replica()
-        assert result.returncode == 0
-
-        self.verify_installation()
+        if self.domain_level > DOMAIN_LEVEL_0:
+            self.verify_installation()
 
     @replica_install_teardown
     def test_http_san(self):
@@ -1049,11 +1028,8 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(http_pkcs12='http.p12',
                                       dirsrv_pkcs12='dirsrv.p12')
         assert result.returncode == 0
-
-        result = self.install_replica()
-        assert result.returncode == 0
-
-        self.verify_installation()
+        if self.domain_level > DOMAIN_LEVEL_0:
+            self.verify_installation()
 
     @replica_install_teardown
     def test_ds_san(self):
@@ -1065,11 +1041,8 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(http_pkcs12='http.p12',
                                       dirsrv_pkcs12='dirsrv.p12')
         assert result.returncode == 0
-
-        result = self.install_replica()
-        assert result.returncode == 0
-
-        self.verify_installation()
+        if self.domain_level > DOMAIN_LEVEL_0:
+            self.verify_installation()
 
     @replica_install_teardown
     def test_interactive_missing_http_pkcs_password(self):
@@ -1083,11 +1056,8 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(http_pin=None, unattended=False,
                                       stdin_text=stdin_text)
         assert result.returncode == 0
-
-        result = self.install_replica()
-        assert result.returncode == 0
-
-        self.verify_installation()
+        if self.domain_level > DOMAIN_LEVEL_0:
+            self.verify_installation()
 
     @replica_install_teardown
     def test_interactive_missing_ds_pkcs_password(self):
@@ -1101,11 +1071,8 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(dirsrv_pin=None, unattended=False,
                                       stdin_text=stdin_text)
         assert result.returncode == 0
-
-        result = self.install_replica()
-        assert result.returncode == 0
-
-        self.verify_installation()
+        if self.domain_level > DOMAIN_LEVEL_0:
+            self.verify_installation()
 
     @replica_install_teardown
     def test_no_http_password(self):
@@ -1118,11 +1085,8 @@ class TestReplicaInstall(CALessBase):
                                       dirsrv_pkcs12='dirsrv.p12',
                                       http_pin='')
         assert result.returncode == 0
-
-        result = self.install_replica()
-        assert result.returncode == 0
-
-        self.verify_installation()
+        if self.domain_level > DOMAIN_LEVEL_0:
+            self.verify_installation()
 
     @replica_install_teardown
     def test_no_ds_password(self):
@@ -1135,9 +1099,8 @@ class TestReplicaInstall(CALessBase):
                                       dirsrv_pkcs12='dirsrv.p12',
                                       dirsrv_pin='')
         assert result.returncode == 0
-
-        result = self.install_replica()
-        assert result.returncode == 0
+        if self.domain_level > DOMAIN_LEVEL_0:
+            self.verify_installation()
 
 
 class TestClientInstall(CALessBase):
@@ -1237,8 +1200,11 @@ class TestIPACommands(CALessBase):
     def test_service_disable_doesnt_revoke(self):
         "Verify that service-disable does not attempt to revoke certificate"
         with self.service():
-            self.master.run_command(['ipa', 'service-disable',
-                                     self.test_service])
+            result = self.master.run_command(['ipa', 'service-disable',
+                                              self.test_service],
+                                             raiseonerr=False)
+            assert(result.returncode == 0), (
+                "Failed to disable ipa-service: %s" % result.stderr_text)
 
     def test_service_del_doesnt_revoke(self):
         "Verify that service-del does not attempt to revoke certificate"
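Review bot: `assert(result.returncode == 0), (` in `test_service_disable_doesnt_revoke` is written like a function call; use `assert result.returncode == 0, (...)` so the condition and the message are clearly separate. The docstring promises that service-disable "does not attempt to revoke certificate", but the test only checks the exit status, so a short comment on why exit status 0 is sufficient evidence would help the next reader.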
@@ -1266,7 +1232,7 @@ class TestIPACommands(CALessBase):
 class TestCertinstall(CALessBase):
     @classmethod
     def install(cls, mh):
-        super(TestCertinstall, cls).install()
+        super(TestCertinstall, cls).install(mh)
 
         cls.export_pkcs12('ca1/server')
         with open(cls.pem_filename, 'w') as f:
@@ -1288,12 +1254,10 @@ class TestCertinstall(CALessBase):
             self.copy_cert(self.master, filename)
         if not args:
             args = ['ipa-server-certinstall',
+                    '-p', self.master.config.dirman_password,
                     '-%s' % mode, filename]
             if pin is not None:
                 args += ['--pin', pin]
-            if mode == 'd':
-                args += ['--dirman-password',
-                         self.master.config.dirman_password]
         return self.master.run_command(args,
                                        raiseonerr=False,
                                        stdin_text=stdin_text)
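Review bot: `'-p', self.master.config.dirman_password` in `certinstall` is now passed for both modes, but only inside the `if not args:` branch, so callers that supply their own `args` run without it. The commit message does not say why the Directory Manager password became necessary for mode `w`; please add that. If the long form `--dirman-password` used by the removed lines is still accepted, keeping it would be more readable than `-p`.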
@@ -1404,28 +1368,20 @@ class TestCertinstall(CALessBase):
         "Install new HTTP certificate issued by intermediate CA"
 
         result = self.certinstall('w', 'ca1/subca/server')
-        assert_error(result,
-                     'server.p12 is not signed by /etc/ipa/ca.crt, or the '
-                     'full certificate chain is not present in the PKCS#12 '
-                     'file')
+        assert result.returncode == 0, result.stderr_text
 
     def test_ds_intermediate_ca(self):
         "Install new DS certificate issued by intermediate CA"
 
         result = self.certinstall('d', 'ca1/subca/server')
-        assert_error(result,
-                     'server.p12 is not signed by /etc/ipa/ca.crt, or the '
-                     'full certificate chain is not present in the PKCS#12 '
-                     'file')
+        assert result.returncode == 0, result.stderr_text
 
     def test_self_signed(self):
         "Install new self-signed certificate"
 
         result = self.certinstall('w', 'server-selfsign')
         assert_error(result,
-                     'server.p12 is not signed by /etc/ipa/ca.crt, or the '
-                     'full certificate chain is not present in the PKCS#12 '
-                     'file')
+                     'The full certificate chain is not present in server.p12')
 
     def test_valid_http(self):
         "Install new valid HTTP certificate"
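
Review bot: test_http_intermediate_ca and test_ds_intermediate_ca flip from expecting a chain error to expecting success, but the new check is only 'assert result.returncode == 0'. Because this changes which chains the suite treats as acceptable, the tests should also verify after the command returns that the subca-issued certificate was actually installed, otherwise a command that exits 0 without doing anything would pass. The new expected message in test_self_signed hardcodes 'server.p12'; building it from the filename the test copies would keep it from drifting.
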
@@ -1500,7 +1456,7 @@ class TestCertinstall(CALessBase):
                 '--http-pin', self.cert_password]
 
         result = self.certinstall('w', 'ca1/server', args=args)
-        assert result.returncode == 0
+        assert_error(result, "no such option: --http-pin")
 
     def test_ds_old_options(self):
         "Install new valid DS certificate using pre-v3.3 CLI options"
@@ -1513,4 +1469,4 @@ class TestCertinstall(CALessBase):
 
         result = self.certinstall('d', 'ca1/server',
                                   args=args, stdin_text=stdin_text)
-        assert result.returncode == 0
+        assert_error(result, "no such option: --dirsrv-pin")
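
Review bot: test_ds_old_options (and the --http-pin test in the previous hunk) now assert that the option parser rejects the flag, yet the docstring still reads "Install new valid DS certificate using pre-v3.3 CLI options". Please update the docstrings and test names to say the old options are expected to be refused, so a reader does not take these for positive tests.
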
-- 
1.8.3.1

From 72d2bd24772e86eaeebe89a379d6810c3cf6b15e Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 9 Sep 2016 14:15:05 +0200
Subject: [PATCH] Removed outdated command options test

---
 ipatests/test_integration/test_caless.py | 19 -------------------
 1 file changed, 19 deletions(-)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index 19e8c5aa8a7af0460b1383e0775bee59f7e2ff5f..d4fdb40d71e77c12e327aa82188dc3573b11f133 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -1151,25 +1151,6 @@ class TestIPACommands(CALessBase):
         result = self.master.run_command(['ipa', command], raiseonerr=False)
         assert_error(result, "ipa: ERROR: unknown command '%s'" % command)
 
-    @pytest.mark.parametrize('command', (
-        'cert-status',
-        'cert-show',
-        'cert-find',
-        'cert-revoke',
-        'cert-remove-hold',
-        'cert-status'))
-    def test_cert_commands_unavailable(self, command):
-        result = self.master.run_command(['ipa', command], raiseonerr=False)
-        assert_error(result, "ipa: ERROR: unknown command '%s'" % command)
-
-    def test_cert_help_unavailable(self):
-        "Verify that cert plugin help is not available"
-        result = self.master.run_command(['ipa', 'help', 'cert'],
-                                         raiseonerr=False)
-        assert_error(result,
-                     "ipa: ERROR: no command nor help topic 'cert'",
-                     returncode=1)
-
     @contextlib.contextmanager
     def host(self):
         "Context manager that adds and removes a host entry with a certificate"
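
Review bot: the commit message is empty and the subject says "command options test", while what is deleted is test_cert_commands_unavailable and test_cert_help_unavailable, which check that the cert plugin is absent on a CA-less server. Please state in the message why these expectations are outdated. If the cert commands are now registered on CA-less installs, replace the removed tests with ones that assert how they behave without a CA instead of dropping the coverage.
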
-- 
1.8.3.1

From f3d8f8eb4ae0802b66356ff740587ab770bac92d Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 9 Sep 2016 14:17:49 +0200
Subject: [PATCH] Added necessary getkeytabs calls to fixtures

---
 ipatests/test_integration/test_caless.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index d4fdb40d71e77c12e327aa82188dc3573b11f133..5b52867deaf5179651eeb0e3ef636d0566a49b71 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -1157,6 +1157,9 @@ class TestIPACommands(CALessBase):
         self.master.run_command(['ipa', 'host-add', self.test_hostname,
                                  '--force',
                                  '--certificate', self.client_pem])
+        self.master.run_command(['ipa-getkeytab', '-s', self.master.hostname,
+                                 '-p' "host/%s" % self.test_hostname,
+                                 '-k', paths.IPA_KEYTAB])
         try:
             yield
         finally:
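
Review bot: the line '-p' "host/%s" % self.test_hostname has no comma after '-p', so Python concatenates the two literals and passes a single argument '-phost/<hostname>' instead of the two list items used in the service fixture. Even if ipa-getkeytab accepts the attached form, this looks unintended; write it as '-p', "host/%s" % self.test_hostname.
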
@@ -1170,6 +1173,10 @@ class TestIPACommands(CALessBase):
             self.master.run_command(['ipa', 'service-add', self.test_service,
                                      '--force',
                                      '--certificate', self.client_pem])
+            self.master.run_command(['ipa-getkeytab', '-s',
+                                     self.master.hostname,
+                                     '-p', self.test_service,
+                                     '-k', paths.IPA_KEYTAB])
             yield
 
     def test_service_mod_doesnt_revoke(self):
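
Review bot: both fixtures write the retrieved keys into paths.IPA_KEYTAB, a shared system path, and none of the added lines removes them again. A keytab in a test-local temporary file, deleted when the context manager exits, would keep the host and service keys from leaking into later tests. The commit message should also say which failure the missing ipa-getkeytab call was causing.
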
-- 
1.8.3.1

From ee14f6f2b8c966841b61785279acdb539b9263b3 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 9 Sep 2016 14:20:59 +0200
Subject: [PATCH] Added necessary xfails

A number of tests fail due to known issues. Added xfails to acknowledge them
---
 ipatests/test_integration/test_caless.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index 5b52867deaf5179651eeb0e3ef636d0566a49b71..cb9d60c493d8dadf609352dd63c66e80aee38136 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -366,6 +366,7 @@ class TestServerInstall(CALessBase):
         assert_error(result,
                      'The full certificate chain is not present in server.p12')
 
+    @pytest.mark.xfail(reason='Ticket N 6289')
     @server_install_teardown
     def test_ca_2_certs(self):
         "IPA server install with CA PEM file with 2 certificates"
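
Review bot: the reason string here is 'Ticket N 6289' while every other decorator in this patch uses 'freeipa ticket NNNN'. Please use one format throughout, ideally the full ticket URL, so the reasons can be grepped and followed from the test report.
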
@@ -428,6 +429,7 @@ class TestServerInstall(CALessBase):
                      'ipa-server-install: error: You must specify '
                      '--dirsrv-pin with --dirsrv-cert-file')
 
+    @pytest.mark.xfail(reason='freeipa ticket 5378')
     @server_install_teardown
     def test_incorect_http_pin(self):
         "IPA server install with incorrect HTTP PKCS#12 password"
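
Review bot: the xfail on test_incorect_http_pin is non-strict, so once ticket 5378 is fixed the test will report XPASS and the marker will stay in place unnoticed. Consider strict=True on these markers so an unexpected pass fails the run and prompts removal. This matters most for the incorrect-PIN tests, since they are the ones that confirm a wrong PKCS#12 password is rejected.
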
@@ -439,6 +441,7 @@ class TestServerInstall(CALessBase):
         result = self.install_server(http_pin='bad<pin>')
         assert_error(result, 'incorrect password for pkcs#12 file server.p12')
 
+    @pytest.mark.xfail(reason='freeipa ticket 5378')
     @server_install_teardown
     def test_incorect_ds_pin(self):
         "IPA server install with incorrect DS PKCS#12 password"
@@ -632,6 +635,7 @@ class TestServerInstall(CALessBase):
         assert result.returncode == 0
         self.verify_installation()
 
+    @pytest.mark.xfail(reason='freeipa ticket 5603')
     @server_install_teardown
     def test_wildcard_http(self):
         "IPA server install with wildcard HTTP certificate"
@@ -646,6 +650,7 @@ class TestServerInstall(CALessBase):
         assert result.returncode == 0
         self.verify_installation()
 
+    @pytest.mark.xfail(reason='freeipa ticket 5603')
     @server_install_teardown
     def test_wildcard_ds(self):
         "IPA server install with wildcard DS certificate"
@@ -795,6 +800,7 @@ class TestReplicaInstall(CALessBase):
                                       http_pkcs12='http.p12')
         assert_error(result, 'Failed to open does_not_exist')
 
+    @pytest.mark.xfail(reason='freeipa ticket 5378')
     @replica_install_teardown
     def test_incorect_http_pin(self):
         "IPA replica install with incorrect HTTP PKCS#12 password"
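
Review bot: 'freeipa ticket 5378' and 'freeipa ticket 5603' are each repeated as literal decorators many times across this patch. Defining each marker once at module level and reusing it would keep the reason text in one place and make it a one-line change to drop the xfails when a ticket is closed.
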
@@ -805,6 +811,7 @@ class TestReplicaInstall(CALessBase):
         assert result.returncode > 0
         assert_error(result, 'incorrect password for pkcs#12 file replica.p12')
 
+    @pytest.mark.xfail(reason='freeipa ticket 5378')
     @replica_install_teardown
     def test_incorect_ds_pin(self):
         "IPA replica install with incorrect DS PKCS#12 password"
@@ -992,6 +999,7 @@ class TestReplicaInstall(CALessBase):
         if self.domain_level > DOMAIN_LEVEL_0:
             self.verify_installation()
 
+    @pytest.mark.xfail(reason='freeipa ticket 5603')
     @replica_install_teardown
     def test_wildcard_http(self):
         "IPA replica install with wildcard HTTP certificate"
@@ -1005,6 +1013,7 @@ class TestReplicaInstall(CALessBase):
         if self.domain_level > DOMAIN_LEVEL_0:
             self.verify_installation()
 
+    @pytest.mark.xfail(reason='freeipa ticket 5603')
     @replica_install_teardown
     def test_wildcard_ds(self):
         "IPA replica install with wildcard DS certificate"
@@ -1264,6 +1273,7 @@ class TestCertinstall(CALessBase):
                                   cert_exists=False)
         assert_error(result, 'Failed to open does_not_exist')
 
+    @pytest.mark.xfail(reason='freeipa ticket 5378')
     def test_incorect_http_pin(self):
         "Install new HTTP certificate with incorrect PKCS#12 password"
 
@@ -1271,6 +1281,7 @@ class TestCertinstall(CALessBase):
         assert_error(result,
                      'incorrect password for pkcs#12 file server.p12')
 
+    @pytest.mark.xfail(reason='freeipa ticket 5378')
     def test_incorect_dirsrv_pin(self):
         "Install new DS certificate with incorrect PKCS#12 password"
 
@@ -1383,12 +1394,14 @@ class TestCertinstall(CALessBase):
         result = self.certinstall('d', 'ca1/server')
         assert result.returncode == 0
 
+    @pytest.mark.xfail(reason='freeipa ticket 5603')
     def test_wildcard_http(self):
         "Install new wildcard HTTP certificate"
 
         result = self.certinstall('w', 'ca1/wildcard')
         assert result.returncode == 0
 
+    @pytest.mark.xfail(reason='freeipa ticket 5603')
     def test_wildcard_ds(self):
         "Install new wildcard DS certificate"
 
-- 
1.8.3.1

From 1ce11de1bfe88bb9b53fd755e539daf6bea0ca6b Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 9 Sep 2016 14:41:59 +0200
Subject: [PATCH] Updated master and replica installation methods to enable
 negative testing

Negative testing was enabled by introducing an optional raiseonerr parameter
with True by default to both master and replica installation methods
Also the methods were updated to support interactive installation
---
 ipatests/test_integration/tasks.py | 90 ++++++++++++++++++++++----------------
 1 file changed, 52 insertions(+), 38 deletions(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index c60d43699d6577abe930ac8d6ab696feea837331..be3ca29318681537d877c7fd142ca628a21837c3 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -254,7 +254,8 @@ def enable_replication_debugging(host):
 
 
 def install_master(host, setup_dns=True, setup_kra=False, extra_args=(),
-                   domain_level=None):
+                   domain_level=None, unattended=True, stdin_text=None,
+                   raiseonerr=True):
     if domain_level is None:
         domain_level = host.config.domain_level
     setup_server_logs_collecting(host)
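
Review bot: install_master gains three keyword arguments (unattended, stdin_text, raiseonerr) and, further down, a return value, but it has no docstring. Please add one that states the function now returns the run_command result and that with raiseonerr=False the caller is responsible for checking returncode.
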
@@ -262,13 +263,15 @@ def install_master(host, setup_dns=True, setup_kra=False, extra_args=(),
     fix_apache_semaphores(host)
 
     args = [
-        'ipa-server-install', '-U',
+        'ipa-server-install',
         '-n', host.domain.name,
         '-r', host.domain.realm,
         '-p', host.config.dirman_password,
         '-a', host.config.admin_password,
         "--domain-level=%i" % domain_level,
     ]
+    if unattended:
+        args.append('-U')
 
     if setup_dns:
         args.extend([
@@ -278,20 +281,20 @@ def install_master(host, setup_dns=True, setup_kra=False, extra_args=(),
         ])
 
     args.extend(extra_args)
-
-    host.run_command(args)
-    enable_replication_debugging(host)
-    setup_sssd_debugging(host)
-
-    if setup_kra:
-        args = [
-            "ipa-kra-install",
-            "-p", host.config.dirman_password,
-            "-U",
-        ]
-        host.run_command(args)
-
-    kinit_admin(host)
+    result = host.run_command(args, raiseonerr=raiseonerr,
+                              stdin_text=stdin_text)
+    if result.returncode == 0:
+        enable_replication_debugging(host)
+        setup_sssd_debugging(host)
+        if setup_kra:
+            args = [
+                "ipa-kra-install",
+                "-p", host.config.dirman_password,
+                "-U",
+            ]
+            host.run_command(args)
+        kinit_admin(host)
+    return result
 
 
 def get_replica_filename(replica):
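
Review bot: raiseonerr and stdin_text are applied only to the ipa-server-install call; the nested ipa-kra-install call is still host.run_command(args), so it raises on failure regardless of raiseonerr and its result is discarded. Either pass raiseonerr through and return the failing result, or document that the flag covers the server install step only. Reusing the name args for the KRA command inside the success branch also shadows the install arguments; a separate name such as kra_args would read more clearly.
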
@@ -327,7 +330,8 @@ def master_authoritative_for_client_domain(master, client):
         return False
 
 
-def replica_prepare(master, replica):
+def replica_prepare(master, replica, extra_args=(),
+                    raiseonerr=True, stdin_text=None):
     fix_apache_semaphores(replica)
     prepare_reverse_zone(master, replica.ip)
     args = ['ipa-replica-prepare',
@@ -335,15 +339,20 @@ def replica_prepare(master, replica):
             replica.hostname]
     if master_authoritative_for_client_domain(master, replica):
         args.extend(['--ip-address', replica.ip])
-    master.run_command(args)
-    replica_bundle = master.get_file_contents(
-        paths.REPLICA_INFO_GPG_TEMPLATE % replica.hostname)
-    replica_filename = get_replica_filename(replica)
-    replica.put_file_contents(replica_filename, replica_bundle)
+    args.extend(extra_args)
+    result = master.run_command(args, raiseonerr=raiseonerr,
+                                stdin_text=stdin_text)
+    if result.returncode == 0:
+        replica_bundle = master.get_file_contents(
+            paths.REPLICA_INFO_GPG_TEMPLATE % replica.hostname)
+        replica_filename = get_replica_filename(replica)
+        replica.put_file_contents(replica_filename, replica_bundle)
+    return result
 
 
 def install_replica(master, replica, setup_ca=True, setup_dns=False,
-                    setup_kra=False, extra_args=(), domain_level=None):
+                    setup_kra=False, extra_args=(), domain_level=None,
+                    unattended=True, stdin_text=None, raiseonerr=True):
     if domain_level is None:
         domain_level = domainlevel(master)
     apply_common_fixes(replica)
@@ -351,9 +360,11 @@ def install_replica(master, replica, setup_ca=True, setup_dns=False,
     allow_sync_ptr(master)
     # Otherwise ipa-client-install would not create a PTR
     # and replica installation would fail
-    args = ['ipa-replica-install', '-U',
+    args = ['ipa-replica-install',
             '-p', replica.config.dirman_password,
             '-w', replica.config.admin_password]
+    if unattended:
+        args.append('-U')
     if setup_ca:
         args.append('--setup-ca')
     if setup_dns:
@@ -376,22 +387,25 @@ def install_replica(master, replica, setup_ca=True, setup_dns=False,
         install_client(master, replica)
         fix_apache_semaphores(replica)
         args.extend(['-r', replica.domain.realm])
-    replica.run_command(args)
-    enable_replication_debugging(replica)
-    setup_sssd_debugging(replica)
 
-    if setup_kra:
-        assert setup_ca, "CA must be installed on replica with KRA"
-        args = [
-            "ipa-kra-install",
-            "-p", replica.config.dirman_password,
-            "-U",
-        ]
-        if domainlevel(master) == DOMAIN_LEVEL_0:
-            args.append(replica_filename)
-        replica.run_command(args)
+    result = replica.run_command(args, raiseonerr=raiseonerr,
+                                 stdin_text=stdin_text)
+    if result.returncode == 0:
+        enable_replication_debugging(replica)
+        setup_sssd_debugging(replica)
+        if setup_kra:
+            assert setup_ca, "CA must be installed on replica with KRA"
+            args = [
+                "ipa-kra-install",
+                "-p", replica.config.dirman_password,
+                "-U",
+            ]
+            if domainlevel(master) == DOMAIN_LEVEL_0:
+                args.append(replica_filename)
+            replica.run_command(args)
 
-    kinit_admin(replica)
+        kinit_admin(replica)
+    return result
 
 
 def install_client(master, client, extra_args=()):
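
Review bot: the precondition 'assert setup_ca, "CA must be installed on replica with KRA"' sits inside the 'if result.returncode == 0:' branch, so an invalid setup_kra/setup_ca combination is only reported after the whole replica install has run, and not at all if the install fails. Move the check to the top of install_replica. As in install_master, the ipa-kra-install call ignores raiseonerr.
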
-- 
1.8.3.1

From f3491848ab38d013b9749f1d4a1726f928fb7725 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 9 Sep 2016 14:46:35 +0200
Subject: [PATCH] Made unapply_fixes call optional at master uninstallation

Unapply fixes removes the temporary testing folder at ~/ipatests, which
contains some artifacts like root.pem that need to be persistent between tests
in the test_caless testsuite. There has to be a way to skip the deletion of
this testfolder
---
 ipatests/test_integration/tasks.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index be3ca29318681537d877c7fd142ca628a21837c3..372345f13f41424f4f62718a113c575a125f3be8 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -678,7 +678,7 @@ def kinit_admin(host, raiseonerr=True):
 
 
 def uninstall_master(host, ignore_topology_disconnect=True,
-                     ignore_last_of_role=True):
+                     ignore_last_of_role=True, clean=True):
     host.collect_log(paths.IPASERVER_UNINSTALL_LOG)
     uninstall_cmd = ['ipa-server-install', '--uninstall', '-U']
 
@@ -701,7 +701,8 @@ def uninstall_master(host, ignore_topology_disconnect=True,
                       paths.PKI_TOMCAT,
                       paths.REPLICA_INFO_GPG_TEMPLATE % host.hostname],
                      raiseonerr=False)
-    unapply_fixes(host)
+    if clean:
+        unapply_fixes(host)
 
 
 def uninstall_client(host):
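
Review bot: with clean=False the 'if clean:' guard skips unapply_fixes entirely, and per the commit message that leaves ~/ipatests with artifacts such as root.pem on the host. Nothing in this patch ensures the directory is removed at the end of the suite, so please document on the new parameter that the caller takes over cleanup, and make the final teardown of test_caless call unapply_fixes. The name 'clean' is also vague for an uninstall function; something that names the skipped step would be clearer.
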
-- 
1.8.3.1

From c7302d096d221306f0d2599ad30c2c38792b1d61 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 9 Sep 2016 15:06:46 +0200
Subject: [PATCH] Enabled negative testing for cleaning replication agreements

---
 ipatests/test_integration/tasks.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index 372345f13f41424f4f62718a113c575a125f3be8..f5c8ab4cfc21446b843f3c383b51472fb40517c8 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -714,14 +714,15 @@ def uninstall_client(host):
 
 
 @check_arguments_are((0, 2), Host)
-def clean_replication_agreement(master, replica):
+def clean_replication_agreement(master, replica, cleanup=False,
+                                raiseonerr=True):
     """
     Performs `ipa-replica-manage del replica_hostname --force`.
     """
-    master.run_command(['ipa-replica-manage',
-                        'del',
-                        replica.hostname,
-                        '--force'])
+    args = ['ipa-replica-manage', 'del', replica.hostname, '--force']
+    if cleanup:
+        args.append('--cleanup')
+    master.run_command(args, raiseonerr=raiseonerr)
 
 
 @check_arguments_are((0, 3), Host)
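
Review bot: the function accepts raiseonerr but does not return the result of master.run_command(args, raiseonerr=raiseonerr), so a negative test that passes raiseonerr=False has no returncode or stderr to assert on. Add 'return' in front of the call. The docstring still describes only "ipa-replica-manage del replica_hostname --force" and should mention the new cleanup and raiseonerr parameters.
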
-- 
1.8.3.1
