Hi David,

As per your comments the patches were once again refactored. I am attaching the full set of them, please ignore any previous versions. The patches apply cleanly on master and pylint swallows the resulting code silently.


On 09/12/2016 09:51 AM, David Kupka wrote:
Hi Oleg,
thank you, now it's completely different game.
Please add prefix to commit message summaries. Simply prepending "tests: " should be OK.

0041 - -h is deprecated in favor of -H.
0062 - 0068 - LGTM
0069 - I see 2 unrelated changes in the patch, please split them:
- 1 - certutil -> paths.CERTUTIL
- 2 - assert
0070 - I see 2 unrelated changes in the patch, please split them:
- 1 - teardown
- 2 - TestReplicaInstall.setUp -> TestReplicaInstall.install
0071 - typos in commit message, I see 5 unrelated changes in that patch:
 - 1 - error messages in assert
 - 2 - certificates used
 - 3 - verify_installation called only in DOMAIN_LEVEL_0.
 - 4 - TestCertinstall.install
 - 5 - TestCertinstall.certinstall
0072 - 0077 - LGTM

On 09/09/16 15:22, Oleg Fayans wrote:
Hi David, team

According to your suggestions I've split my commits so that each
commit addresses some particular problem. One patch (0071) still
contains several unrelated fixes, but they mostly reflect changes in
error messages and really small but numerous bugfixes that I did not
consider worthy of a separate commit each. Please, whenever you have
free time, take a look at this new bunch of patches.

Thanks!

On 09/06/2016 04:41 PM, David Kupka wrote:
Hi Oleg!

0013 - It looks like there are two unrelated changes, addition of CRL
distribution extension and creating certificate signed by no longer
existing CA. Please create separate patch for each of the changes, and
describe the change and reason for it in commit messages.

0014 - Could you please split the patch into "numerous" commits, each fixing
one error? Please also describe each fix so everyone has at least a vague
idea about the patch without reading its code. Also why do you introduce
global variable config, I don't see it used anywhere.

0039 - It looks like multiple different changes and commit message says
nothing again. Please split and describe what you changed and why.

0041 - Looks like weird workaround to me. It would be better to
investigate the root cause and fix it. Or at least describe the cause in
commit message and code comment if it can't be fixed. Also "-h is
deprecated in favor of -H" says man 1 ldapmodify.


On 05/09/16 14:32, Oleg Fayans wrote:
Hi guys,

Finally the ca-less tests are stable. Here in the attachment is the full
set of necessary patches.


On 08/09/2016 10:57 AM, Oleg Fayans wrote:
Hi all,

Bump for the review of the 0013 patch. The script it addresses can be
reused in some WebUI tests - one more reason to have it reviewed/merged.

The rest of the patches should be re-tested, since they were prepared a good
while ago.

On 05/10/2016 05:08 PM, Oleg Fayans wrote:
Hi David,

After quite a while and some more struggles here comes the updated
version of the patch together with other patches fixing things in
ipatests/test_integration/tasks.py
Server and replica installation was refactored in a way to utilize the
code from tasks.py as much as it is possible

The full set of necessary patches is attached


On 04/20/2016 10:35 AM, David Kupka wrote:
On 19/04/16 11:13, Oleg Fayans wrote:
OK, that one, though passing lint, did not actually work. I gave up my
attempts to define method decorators inside the class. Now it passes
lint AND works:)


Hi Oleg!

1) Current commit message is useless. Please use it to describe what is
the point of the patch.

2) $ git show -U0 | pep8 --diff
./ipatests/test_integration/test_caless.py:66:1: E302 expected 2 blank lines, found 1
./ipatests/test_integration/test_caless.py:74:1: E302 expected 2 blank lines, found 1
./ipatests/test_integration/test_caless.py:820:5: E303 too many blank lines (2)
./ipatests/test_integration/test_caless.py:825:80: E501 line too long (80 > 79 characters)
./ipatests/test_integration/test_caless.py:1035:44: E225 missing whitespace around operator


3) Isn't there a way to do this with pytest's fixtures?

+def server_install_teardown(func):
+    def wrapped(*args):
+        try:
+            func(*args)
+        finally:
+            args[0].uninstall_server()
+    return wrapped
+
+def replica_install_teardown(func):
+    def wrapped(*args):
+        try:
+            func(*args)
+        finally:
+            # Uninstall replica
+            replica = args[0].replicas[0]
+            tasks.kinit_admin(args[0].master)
+            args[0].uninstall_server(replica)
+            args[0].master.run_command(['ipa-replica-manage',
'del',
+                                        replica.hostname,
'--force'],
+                                       raiseonerr=False)
+            args[0].master.run_command(['ipa', 'host-del',
+                                        replica.hostname],
+                                       raiseonerr=False)
+    return wrapped
+

There is a standard pytest method called 'method_teardown', that is
intended to be executed after each test method, but with our setup it does
not work.


4) Is it necessary to create the $TEST_DIR in the test? Isn't it created
by the framework?

+            host.transport.mkdir_recursive(host.config.test_dir)


Removed.


5) I don't think the comment matches the code.


+        # Remove CA cert in /etc/pki/nssdb, in case of failed
(un)install
+        for host in cls.get_all_hosts():
+            cls.uninstall_server(host)
+
           super(CALessBase, cls).uninstall(mh)


Not actual anymore


6) No! Create list with one element, iterate that list and append every
item to the other list. Maybe there's better way (Hint: append).
I've seen this in multiple places.

           if unattended:
               args.extend(['-U'])

Agreed


7) Why don't you (extend and) use
ipatests.test_integration.tasks.(un)install_{master,replica}?
This could be done pretty much all over the code.

           host.run_command(['ipa-server-install', '--uninstall',
'-U'])

8) Use ipaplatform.paths for certutil and other binaries. If the binary
is not there feel free to add it.
I've seen this in multiple places.

+        host.run_command(['certutil', '-d', paths.NSS_DB_DIR,
'-D',
+                          '-n', 'External CA cert'],
+                         raiseonerr=False)
+        # A workaround
forhttps://fedorahosted.org/freeipa/ticket/4639
+        result = host.run_command(['certutil', '-L', '-d',
+                                   paths.HTTPD_ALIAS_DIR])
+        for rawcert in result.stdout_text.split('\n')[4: -1]:
+            cert = rawcert.split('    ')[0]
+            host.run_command(['certutil', '-D', '-d',
paths.HTTPD_ALIAS_DIR,
+                              '-n', cert])


Done


9) certmonger is system service. You can check if it is .enabled() and
.running(). And IIUC the comment is negation of what the code does.


               # Verify certmonger was not started
               result = host.run_command(['getcert', 'list'],
raiseonerr=False)
-            assert result > 0
-            assert ('Please verify that the certmonger service has
been '
-                    'started.' in result.stdout_text),
result.stdout_text
+            assert result.returncode == 0

10) What is the point of calling uninstall_server() when it will be
called in the finally block of server_install_teardown anyway?

+    @server_install_teardown
       def test_revoked_http(self):
           "IPA server install with revoked HTTP certificate"

           if result.returncode == 0:
+            self.uninstall_server()
               raise nose.SkipTest(
                   "Known CA-less installation defect, see "
                   +"https://fedorahosted.org/freeipa/ticket/4270";)

           assert result.returncode > 0

Removed


Nitpick) Do not mix fixing typos/grammar/spelling/style with functional
changes.

-    def test_incorect_http_pin(self):
+    @pytest.mark.xfail(reason='freeipa ticket 5378')
+    def test_incorrect_http_pin(self):
          "Install new HTTP certificate with incorrect PKCS#12
password"

Removed

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 6de83f0468027e7c2f96ccd50525fd11b1135c81 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Wed, 21 Sep 2016 11:22:59 +0200
Subject: [PATCH] tests: Fixed method failures during second call for the method

When the same host is used for numerous server/replica
installations/uninstallations at some point the /etc/openldap/ldap.conf file
gets corrupted which results in ldapsearch unaware of the default ldap_uri to
connect. The workaround would be to provide ldap hostname for each ldapsearch.

Attention: please unapply this fix once the original issue is resolved.

https://fedorahosted.org/freeipa/ticket/5880
---
 ipatests/test_integration/tasks.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index ee9d4a21085f2aed8645c7812c43887a5751b34c..33638ced9b598df19b13609dc8ff39f6dead59f2 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -249,7 +249,8 @@ def enable_replication_debugging(host):
         """)
     host.run_command(['ldapmodify', '-x',
                       '-D', str(host.config.dirman_dn),
-                      '-w', host.config.dirman_password],
+                      '-w', host.config.dirman_password,
+                      '-H', host.hostname],
                      stdin_text=logging_ldif)
 
 
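Review bot: `-H` expects an LDAP URI, but the added line passes `host.hostname`, which is a bare host name; build the argument as `'ldap://' + host.hostname` so ldapmodify can parse it. Because the call uses `-x -D ... -w`, the Directory Manager password goes over whatever transport that URI selects, so pick the scheme deliberately. The commit message speaks of ldapsearch while the change is in the ldapmodify call of enable_replication_debugging, and the workaround needs a code comment pointing at ticket 5880 so it can be found and reverted later.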
-- 
2.7.4

From f40673cb80d73c13b051a1fb7db7dc1781933a24 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Wed, 7 Sep 2016 09:52:33 +0200
Subject: [PATCH] tests: Added basic constraints extension to the CA certs

The IPA installer refuses to accept certs signed with a CA-signature that does
not have basic constraints enabled (Described in RFC 5280)
---
 ipatests/test_integration/scripts/caless-create-pki | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ipatests/test_integration/scripts/caless-create-pki b/ipatests/test_integration/scripts/caless-create-pki
index f428ebae16e05644a875a35faf192f75eb149740..8eefadf69532212a89335c87a2d0e5f4748e30f3 100644
--- a/ipatests/test_integration/scripts/caless-create-pki
+++ b/ipatests/test_integration/scripts/caless-create-pki
@@ -38,7 +38,10 @@ gen_cert() {
 
     csr="$(mktemp)"
     crt="$(mktemp)"
-    certutil -R -d "$dbdir" -s "$subject" -f "$pwfile" -z "$noise" -o "$csr" -4 >/dev/null <<EOF
+    certutil -R -d "$dbdir" -s "$subject" -f "$pwfile" -z "$noise" -o "$csr" -4 -2 >/dev/null <<EOF
+y
+0
+N
 1
 7
 file://$crl_path/$ca.crl
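Review bot: The three new heredoc answers (`y`, `0`, `N`) are fed to every certificate that gen_cert creates, so as far as the visible lines show each one is marked as a CA with path length 0 and a non-critical basic constraints extension, including the server certificates produced by calls such as `gen_cert server server-selfsign`. Make the answers depend on whether a CA or a leaf certificate is being generated, mark the extension critical on CA certificates as RFC 5280 requires, and add a comment that maps each answer to the certutil prompt it responds to.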
-- 
1.8.3.1

From a6b2b914771dc0718e6dfc1f7c6fd7069c8f80d9 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Wed, 7 Sep 2016 16:05:18 +0200
Subject: [PATCH] tests: Added generation of missing certs

test_ca_server_cert and test_unknown_ca required 2 more certs that were not
pre-generated
---
 ipatests/test_integration/scripts/caless-create-pki | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ipatests/test_integration/scripts/caless-create-pki b/ipatests/test_integration/scripts/caless-create-pki
index 8eefadf69532212a89335c87a2d0e5f4748e30f3..8928e95eafb645af0eaaff2119944f3a9ee4da39 100644
--- a/ipatests/test_integration/scripts/caless-create-pki
+++ b/ipatests/test_integration/scripts/caless-create-pki
@@ -117,6 +117,9 @@ gen_subtree() {
 
 gen_cert server server-selfsign "CN=$server1,O=Self-signed"
 gen_cert server replica-selfsign "CN=$server2,O=Self-signed"
+gen_cert server noca "CN=$server1,O=No-CA"
 gen_subtree ca1 'Example Organization'
 gen_subtree ca1/subca 'Subsidiary Example Organization'
 gen_subtree ca2 'Other Example Organization'
+gen_subtree ca3 'Unknown Organization'
+certutil -D -d "$dbdir" -n ca3
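Review bot: The trailing `certutil -D -d "$dbdir" -n ca3` has no comment, so a reader cannot tell that ca3 is removed on purpose right after `gen_subtree ca3` creates it, leaving certificates whose issuer is no longer in the database. Add a comment saying so, and one next to the `noca` certificate stating which of test_ca_server_cert and test_unknown_ca consumes it.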
-- 
1.8.3.1

From 589c05221bae84b4de97f92b9505443f34d32218 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 9 Sep 2016 10:58:31 +0200
Subject: [PATCH] tests: Updated ipa server installation stdin text

The installer has changed the question sequence so the stdin used for
interactive server installation has to be changed accordingly
---
 ipatests/test_integration/test_caless.py | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index c9d90331bd2658b7164e6a9e70f07bbc8960ff07..047917b25c5060212bb50d42fa00bfeda6e0af92 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -40,14 +40,10 @@ assert_error = tasks.assert_error
 
 def get_install_stdin(cert_passwords=()):
     lines = [
-        'yes',  # Existing BIND configuration detected, overwrite? [no]
         '',  # Server host name (has default)
-        '',  # Confirm domain name (has default)
     ]
     lines.extend(cert_passwords)  # Enter foo.p12 unlock password
     lines += [
-        '',  # Do you want to configure the reverse zone? [yes]
-        '',  # Please specify the reverse zone name [47.34.10.in-addr.arpa.]
         'yes',  # Continue with these values?
     ]
     return '\n'.join(lines + [''])
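Review bot: get_install_stdin answers prompts purely by position, so after the `'yes'` for "Existing BIND configuration detected, overwrite? [no]" is dropped, any run in which the installer still asks that question feeds `''` and the certificate passwords to the wrong prompts. State in a comment which prompt order this sequence matches, and say in the commit message whether the BIND and reverse-zone questions were removed from the installer or are only skipped in this setup.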
-- 
1.8.3.1

From 1dbb71afeebf18a3a16b02e6b4c7a7392f513c4e Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 9 Sep 2016 12:10:46 +0200
Subject: [PATCH] tests: Create a method that cleans all ipa certs

Upon uninstallation IPA does not remove certs from the system, see
https://fedorahosted.org/freeipa/ticket/4639 for details. This causes
installation failures in several tests. The workaround is to manually remove
certs from all certificate databases used by IPA after each server
uninstallation
---
 ipatests/test_integration/test_caless.py | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index 047917b25c5060212bb50d42fa00bfeda6e0af92..2b4ceee7c278584a37e3be7dd81e4384f96f861e 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -54,6 +54,17 @@ def get_replica_prepare_stdin(cert_passwords=()):
     return '\n'.join(lines + [''])
 
 
+def ipa_certs_cleanup(host):
+    host.run_command(['certutil', '-d', paths.NSS_DB_DIR, '-D',
+                      '-n', 'External CA cert'],
+                     raiseonerr=False)
+    # A workaround for https://fedorahosted.org/freeipa/ticket/4639
+    result = host.run_command(['certutil', '-L', '-d',
+                               paths.HTTPD_ALIAS_DIR])
+    for rawcert in result.stdout_text.split('\n')[4: -1]:
+        cert = rawcert.split('    ')[0]
+        host.run_command(['certutil', '-D', '-d', paths.HTTPD_ALIAS_DIR,
+                          '-n', cert])
 class CALessBase(IntegrationTest):
     @classmethod
     def install(cls, mh):
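Review bot: The nickname extraction in ipa_certs_cleanup, `result.stdout_text.split('\n')[4: -1]` followed by `rawcert.split('    ')[0]`, depends on the exact header length and column spacing of the `certutil -L` output, and neither the `-L` call nor the `-D` calls in the loop pass `raiseonerr=False`, so a missing database or an unexpected line turns cleanup into a test error. Skip blank lines, strip the trust-flags column from the right instead of splitting on four spaces, pass `raiseonerr=False` as the first call does, and use `paths.CERTUTIL` rather than the literal `'certutil'`. Two blank lines are also missing before `class CALessBase`.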
-- 
1.8.3.1

From afbb4b0c47a35914bd2695cd955dc196ff755d4d Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 9 Sep 2016 12:14:01 +0200
Subject: [PATCH] tests: Added teardown methods for server and replica installation

---
 ipatests/test_integration/test_caless.py | 35 ++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index 2b4ceee7c278584a37e3be7dd81e4384f96f861e..da7ad815a2688173c662a9263a22ea1f8f224ffe 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -65,6 +65,41 @@ def ipa_certs_cleanup(host):
         cert = rawcert.split('    ')[0]
         host.run_command(['certutil', '-D', '-d', paths.HTTPD_ALIAS_DIR,
                           '-n', cert])
+
+
+def server_install_teardown(func):
+    def wrapped(*args):
+        master = args[0].master
+        try:
+            func(*args)
+        finally:
+            tasks.uninstall_master(master, clean=False)
+            ipa_certs_cleanup(master)
+    return wrapped
+
+
+def replica_install_teardown(func):
+    def wrapped(*args):
+        try:
+            func(*args)
+        finally:
+            # Uninstall replica
+            replica = args[0].replicas[0]
+            master = args[0].master
+            tasks.kinit_admin(master)
+            tasks.uninstall_master(replica, clean=False)
+            # Now let's uninstall client for the cases when client promotion
+            # was not successful
+            tasks.uninstall_client(replica)
+            tasks.clean_replication_agreement(master, replica, cleanup=True,
+                                              raiseonerr=False)
+            master.run_command(['ipa', 'host-del',
+                                replica.hostname],
+                               raiseonerr=False)
+            ipa_certs_cleanup(replica)
+    return wrapped
+
+
 class CALessBase(IntegrationTest):
     @classmethod
     def install(cls, mh):
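Review bot: In both decorators all cleanup calls share one `finally` block, so the first one that raises (for example `tasks.kinit_admin(master)` in replica_install_teardown) skips the remaining steps, leaves the host installed for the next test and replaces the test's own failure with the teardown error. Guard each step separately, or pass `raiseonerr=False` where the task accepts it, as the `clean_replication_agreement` call already does. `wrapped(*args)` also drops keyword arguments and the test's docstring; apply `functools.wraps(func)` and accept `**kwargs`. The commit message has no body.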
-- 
1.8.3.1

From 0e3d8c75a3d977bc405c0cc01c727d5e9426ce8a Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 9 Sep 2016 12:17:09 +0200
Subject: [PATCH] tests: Removed call for install method from parent class

The IntegrationTest.install method installs the full topology while in ca-less
tests we need to check server installation, thus the nodes should not have
server or replica installed
---
 ipatests/test_integration/test_caless.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index da7ad815a2688173c662a9263a22ea1f8f224ffe..4eaa562536d6ad95d4a1a1ef037a5e6083c9bc87 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -103,7 +103,6 @@ def replica_install_teardown(func):
 class CALessBase(IntegrationTest):
     @classmethod
     def install(cls, mh):
-        super(CALessBase, cls).install(mh)
         cls.cert_dir = tempfile.mkdtemp(prefix="ipatest-")
         cls.pem_filename = os.path.join(cls.cert_dir, 'root.pem')
         scriptfile = os.path.join(os.path.dirname(__file__),
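Review bot: Nothing in install() records why the parent call is gone, so the next person to touch CALessBase is likely to put `super(CALessBase, cls).install(mh)` back. Move the explanation from the commit message into a comment at the top of the method.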
-- 
1.8.3.1

From ab7f3c09ebf3e63ea482d6fa5d28e5a89b7228ae Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 9 Sep 2016 13:16:11 +0200
Subject: [PATCH] tests: Adapted installation methods to utilize methods from tasks

Master and replica installation methods were made to utilize corresponding
methods from tasks.py for the sake of DRY
---
 ipatests/test_integration/test_caless.py | 146 ++++++++++++-------------------
 1 file changed, 55 insertions(+), 91 deletions(-)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index 4eaa562536d6ad95d4a1a1ef037a5e6083c9bc87..a464aca21e01ef30416724d02700a7cd477339ba 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -32,6 +32,7 @@ from ipaplatform.paths import paths
 from ipapython.dn import DN
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.test_integration import tasks
+from ipalib.constants import DOMAIN_LEVEL_0
 
 _DEFAULT = object()
 
@@ -120,16 +121,16 @@ class CALessBase(IntegrationTest):
             client_hostname = cls.clients[0].hostname
         else:
             client_hostname = 'unused-client.test'
-        env = {
+        cls.env = {
             'domain': cls.master.domain.name,
             'server1': cls.master.hostname,
             'server2': replica_hostname,
             'client': client_hostname,
             'dbdir': 'nssdb',
-            'dbpassword': cls.cert_password,
             'crl_path': cls.crl_path,
+            'dirman_password': cls.master.config.dirman_password,
         }
-        ipautil.run(['bash', '-ex', scriptfile], cwd=cls.cert_dir, env=env)
+        ipautil.run(['bash', '-ex', scriptfile], cwd=cls.cert_dir, env=cls.env)
 
         for host in cls.get_all_hosts():
             tasks.apply_common_fixes(host)
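Review bot: The environment handed to the PKI script loses `'dbpassword': cls.cert_password` and gains `'dirman_password'` here, which is neither a reuse of tasks.py nor mentioned in the commit message. `cls.cert_password` is still the default for `http_pin` and `dirsrv_pin` further down, so explain where the script now takes the NSS database and PKCS#12 password from, or move this change into its own commit.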
@@ -145,7 +146,8 @@ class CALessBase(IntegrationTest):
     def uninstall(cls, mh):
         # Remove the NSS database
         shutil.rmtree(cls.cert_dir)
-
+        for host in cls.get_all_hosts():
+            tasks.uninstall_master(host)
         super(CALessBase, cls).uninstall(mh)
 
     @classmethod
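Review bot: `tasks.uninstall_master(host)` runs for every entry of `cls.get_all_hosts()`, which by its name also covers the client host referenced in install(), and it has no error handling, so one failing uninstall prevents `super(CALessBase, cls).uninstall(mh)` from running. Restrict the loop to the master and replicas and make sure the parent uninstall is always reached.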
@@ -165,7 +167,7 @@ class CALessBase(IntegrationTest):
             http_pin = cls.cert_password
         if dirsrv_pin is _DEFAULT:
             dirsrv_pin = cls.cert_password
-
+        tasks.prepare_host(host)
         files_to_copy = ['root.pem']
         if http_pkcs12_exists:
             files_to_copy.append(http_pkcs12)
@@ -174,51 +176,36 @@ class CALessBase(IntegrationTest):
         for filename in set(files_to_copy):
             cls.copy_cert(host, filename)
 
-        host.collect_log(paths.IPASERVER_INSTALL_LOG)
-        host.collect_log(paths.IPACLIENT_INSTALL_LOG)
-        inst = host.domain.realm.replace('.', '-')
-        host.collect_log(paths.SLAPD_INSTANCE_ERROR_LOG_TEMPLATE % inst)
-        host.collect_log(paths.SLAPD_INSTANCE_ACCESS_LOG_TEMPLATE % inst)
+        # Remove existing ca certs from default database to avoid conflicts
+        args = [paths.CERTUTIL, "-D", "-d", "/etc/httpd/alias", "-n"]
+        host.run_command(args + ["ca1"], raiseonerr=False)
+        host.run_command(args + ["ca1/server"], raiseonerr=False)
 
-        args = [
-            'ipa-server-install',
-            '--http-cert-file', http_pkcs12,
-            '--dirsrv-cert-file', dirsrv_pkcs12,
-            '--ca-cert-file', root_ca_file,
-            '--ip-address', host.ip,
-            '-r', host.domain.name,
-            '-p', host.config.dirman_password,
-            '-a', host.config.admin_password,
-            '--setup-dns',
-            '--forwarder', host.config.dns_forwarder,
-        ]
+        extra_args = ['--http-cert-file', http_pkcs12,
+                      '--dirsrv-cert-file', dirsrv_pkcs12,
+                      '--ca-cert-file', root_ca_file,
+                      '--ip-address', host.ip]
 
         if http_pin is not None:
-            args.extend(['--http-pin', http_pin])
+            extra_args.extend(['--http-pin', http_pin])
         if dirsrv_pin is not None:
-            args.extend(['--dirsrv-pin', dirsrv_pin])
-        if unattended:
-            args.extend(['-U'])
-
-        return host.run_command(args, raiseonerr=False, stdin_text=stdin_text)
+            extra_args.extend(['--dirsrv-pin', dirsrv_pin])
+        return tasks.install_master(host, extra_args=extra_args,
+                                    unattended=unattended,
+                                    stdin_text=stdin_text,
+                                    raiseonerr=False)
 
     @classmethod
     def copy_cert(cls, host, filename):
         host.transport.put_file(os.path.join(cls.cert_dir, filename),
                                 os.path.join(host.config.test_dir, filename))
 
-    @classmethod
-    def uninstall_server(self, host=None):
-        if host is None:
-            host = self.master
-        host.run_command(['ipa-server-install', '--uninstall', '-U'])
-
     def prepare_replica(self, _replica_number=0, replica=None, master=None,
                         http_pkcs12='replica.p12', dirsrv_pkcs12='replica.p12',
                         http_pkcs12_exists=True, dirsrv_pkcs12_exists=True,
                         http_pin=_DEFAULT, dirsrv_pin=_DEFAULT,
                         root_ca_file='root.pem', unattended=True,
-                        stdin_text=None):
+                        stdin_text=None, domain_level=None):
         """Prepare a CA-less replica
 
         Puts the bundle file into test_dir on the replica if successful,
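Review bot: The new cleanup hard-codes `"/etc/httpd/alias"` although `paths.HTTPD_ALIAS_DIR` is already used for the same database in ipa_certs_cleanup; use the constant. The nicknames `ca1` and `ca1/server` are fixed as well, so a test that installs with a different certificate leaves its entries behind; calling ipa_certs_cleanup(host) would cover both. The removed `host.collect_log(...)` calls are not mentioned in the commit message; confirm that tasks.install_master collects the same logs.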
@@ -234,78 +221,55 @@ class CALessBase(IntegrationTest):
             http_pin = self.cert_password
         if dirsrv_pin is _DEFAULT:
             dirsrv_pin = self.cert_password
-
+        if domain_level is None:
+            domain_level = tasks.domainlevel(master)
         files_to_copy = ['root.pem']
         if http_pkcs12_exists:
             files_to_copy.append(http_pkcs12)
         if dirsrv_pkcs12_exists:
             files_to_copy.append(dirsrv_pkcs12)
+        if domain_level == DOMAIN_LEVEL_0:
+            destination_host = master
+        else:
+            destination_host = replica
+        # Both master and replica lack ipatests folder by this time, so we need
+        # to re-create it
+        tasks.prepare_host(master)
+        tasks.prepare_host(replica)
         for filename in set(files_to_copy):
-            master.transport.put_file(
-                os.path.join(self.cert_dir, filename),
-                os.path.join(master.config.test_dir, filename))
+            try:
+                destination_host.transport.put_file(
+                    os.path.join(self.cert_dir, filename),
+                    os.path.join(destination_host.config.test_dir, filename))
+            except OSError:
+                pass
+        extra_args = []
+        if http_pkcs12_exists:
+            extra_args.extend(['--http-cert-file', http_pkcs12])
+        if dirsrv_pkcs12_exists:
+            extra_args.extend(['--dirsrv-cert-file', dirsrv_pkcs12])
 
-        replica.collect_log(paths.IPAREPLICA_INSTALL_LOG)
-        replica.collect_log(paths.IPACLIENT_INSTALL_LOG)
-        inst = replica.domain.realm.replace('.', '-')
-        replica.collect_log(paths.SLAPD_INSTANCE_ERROR_LOG_TEMPLATE % inst)
-        replica.collect_log(paths.SLAPD_INSTANCE_ACCESS_LOG_TEMPLATE % inst)
-
-        args = [
-            'ipa-replica-prepare',
-            '--ip-address', replica.ip,
-            '-p', replica.config.dirman_password,
-        ]
-
-        if http_pkcs12:
-            args.extend(['--http-cert-file', http_pkcs12])
-        if dirsrv_pkcs12:
-            args.extend(['--dirsrv-cert-file', dirsrv_pkcs12])
         if http_pin is not None:
-            args.extend(['--http-pin', http_pin])
+            extra_args.extend(['--http-pin', http_pin])
         if dirsrv_pin is not None:
-            args.extend(['--dirsrv-pin', dirsrv_pin])
-
-        args.extend([replica.hostname])
-
-        result = master.run_command(args, raiseonerr=False,
-                                    stdin_text=stdin_text)
-
-        if result.returncode == 0:
-            replica_bundle = master.get_file_contents(
-                paths.REPLICA_INFO_GPG_TEMPLATE % replica.hostname)
-            replica.put_file_contents(self.get_replica_filename(replica),
-                                      replica_bundle)
+            extra_args.extend(['--dirsrv-pin', dirsrv_pin])
+        if domain_level == DOMAIN_LEVEL_0:
+            result = tasks.replica_prepare(master, replica,
+                                           extra_args=extra_args,
+                                           raiseonerr=False,
+                                           stdin_text=stdin_text)
         else:
-            replica.run_command(['rm', self.get_replica_filename(replica)],
-                                raiseonerr=False)
-
+            result = tasks.install_replica(master, replica, setup_ca=False,
+                                           extra_args=extra_args,
+                                           unattended=unattended,
+                                           stdin_text=stdin_text,
+                                           raiseonerr=False)
         return result
 
     def get_replica_filename(self, replica):
         return os.path.join(replica.config.test_dir,
                             'replica-info.gpg')
 
-    def install_replica(self, _replica_number=0, replica=None,
-                        unattended=True):
-        """Install a CA-less replica
-
-        The bundle file is expected to be in the test_dir
-
-        Return value is the remote ipa-replica-install command
-        """
-        if replica is None:
-            replica = self.replicas[_replica_number]
-
-        args = ['ipa-replica-install', '-U',
-                '-p', replica.config.dirman_password,
-                '-w', replica.config.admin_password,
-                '--ip-address', replica.ip,
-                self.get_replica_filename(replica)]
-        if unattended:
-            args.append('-U')
-        return replica.run_command(args)
-
     @classmethod
     def export_pkcs12(cls, nickname, filename='server.p12', password=None):
         """Export a cert as PKCS#12 to the given file"""
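Review bot: The certificate options are now added under `if http_pkcs12_exists:` and `if dirsrv_pkcs12_exists:` where the old code tested `if http_pkcs12:` and `if dirsrv_pkcs12:`, so a negative test that passes a non-existent file name with the `*_exists` flag set to False no longer hands that name to the installer and cannot trigger the "Failed to open" error it is meant to check. Keep the original conditions. The `except OSError: pass` around `put_file` hides real copy failures and should at least log them, and the docstring still promises that the bundle file is put into test_dir on the replica although the code doing so was removed from this method.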
-- 
1.8.3.1

From 1053349e21e14a1857e0b3fecde8a6c41ac32f70 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 9 Sep 2016 13:43:03 +0200
Subject: [PATCH] tests: Fixed incorrect assert in verify_installation

---
 ipatests/test_integration/test_caless.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index a464aca21e01ef30416724d02700a7cd477339ba..2bfba043208996c86ac094366597bbeeb7076f03 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -314,9 +314,7 @@ class CALessBase(IntegrationTest):
 
             # Verify certmonger was not started
             result = host.run_command(['getcert', 'list'], raiseonerr=False)
-            assert result > 0
-            assert ('Please verify that the certmonger service has been '
-                    'started.' in result.stdout_text), result.stdout_text
+            assert result.returncode == 0
 
         for host in self.get_all_hosts():
             # Check the cert PEM file
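Review bot: The unchanged comment `# Verify certmonger was not started` now sits directly above `assert result.returncode == 0`, which passes only when `getcert list` succeeds, so the comment and the assertion say opposite things. Update the comment to state what is expected, and since certmonger is a system service, check its state directly as suggested in the review rather than inferring it from the exit code. The commit message has no body explaining why the expectation was inverted.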
-- 
2.7.4

From 06d572a059968d960937cc148da3e16c863890da Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Wed, 21 Sep 2016 11:46:07 +0200
Subject: [PATCH] tests: Applied correct teardown methods

---
 ipatests/test_integration/test_caless.py | 71 +++++++++++++++++++++++++-------
 1 file changed, 56 insertions(+), 15 deletions(-)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index 1b4dd629aa28f073009072d103fabbdf23305ffe..337fb4a3a9aa7e19264a84679fb05c241decafda 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -330,9 +330,7 @@ class CALessBase(IntegrationTest):
 class TestServerInstall(CALessBase):
     num_replicas = 0
 
-    def tearDown(self):
-        self.uninstall_server()
-
+    @server_install_teardown
     def test_nonexistent_ca_pem_file(self):
         "IPA server install with non-existent CA PEM file "
 
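Review bot: Replacing `tearDown` with a `@server_install_teardown` line on every test means a test added later without the decorator leaves the server installed for whatever runs next, and nothing enforces its presence. If the framework cannot run a per-test teardown, say why in the commit message (it has no body) and in a comment on the class.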
@@ -345,6 +343,7 @@ class TestServerInstall(CALessBase):
                      'Failed to open does_not_exist: No such file '
                      'or directory')
 
+    @server_install_teardown
     def test_unknown_ca(self):
         "IPA server install with CA PEM file with unknown CA certificate"
 
@@ -358,6 +357,7 @@ class TestServerInstall(CALessBase):
                      'certificate chain is not present in the PKCS#12 '
                      'file')
 
+    @server_install_teardown
     def test_ca_server_cert(self):
         "IPA server install with CA PEM file with server certificate"
 
@@ -370,6 +370,7 @@ class TestServerInstall(CALessBase):
                      'trust chain of the server certificate in server.p12 '
                      'contains 1 certificates, expected 2')
 
+    @server_install_teardown
     def test_ca_2_certs(self):
         "IPA server install with CA PEM file with 2 certificates"
 
@@ -381,6 +382,7 @@ class TestServerInstall(CALessBase):
         result = self.install_server()
         assert_error(result, 'root.pem contains more than one certificate')
 
+    @server_install_teardown
     def test_nonexistent_http_pkcs12_file(self):
         "IPA server install with non-existent HTTP PKCS#12 file"
 
@@ -392,6 +394,7 @@ class TestServerInstall(CALessBase):
                                      http_pkcs12_exists=False)
         assert_error(result, 'Failed to open does_not_exist')
 
+    @server_install_teardown
     def test_nonexistent_ds_pkcs12_file(self):
         "IPA server install with non-existent DS PKCS#12 file"
 
@@ -403,6 +406,7 @@ class TestServerInstall(CALessBase):
                                      dirsrv_pkcs12_exists=False)
         assert_error(result, 'Failed to open does_not_exist')
 
+    @server_install_teardown
     def test_missing_http_password(self):
         "IPA server install with missing HTTP PKCS#12 password (unattended)"
 
@@ -415,6 +419,7 @@ class TestServerInstall(CALessBase):
                      'ipa-server-install: error: You must specify --http-pin '
                      'with --http-cert-file')
 
+    @server_install_teardown
     def test_missing_ds_password(self):
         "IPA server install with missing DS PKCS#12 password (unattended)"
 
@@ -427,6 +432,7 @@ class TestServerInstall(CALessBase):
                      'ipa-server-install: error: You must specify '
                      '--dirsrv-pin with --dirsrv-cert-file')
 
+    @server_install_teardown
     def test_incorect_http_pin(self):
         "IPA server install with incorrect HTTP PKCS#12 password"
 
@@ -437,6 +443,7 @@ class TestServerInstall(CALessBase):
         result = self.install_server(http_pin='bad<pin>')
         assert_error(result, 'incorrect password for pkcs#12 file server.p12')
 
+    @server_install_teardown
     def test_incorect_ds_pin(self):
         "IPA server install with incorrect DS PKCS#12 password"
 
@@ -447,6 +454,7 @@ class TestServerInstall(CALessBase):
         result = self.install_server(dirsrv_pin='bad<pin>')
         assert_error(result, 'incorrect password for pkcs#12 file server.p12')
 
+    @server_install_teardown
     def test_invalid_http_cn(self):
         "IPA server install with HTTP certificate with invalid CN"
 
@@ -461,6 +469,7 @@ class TestServerInstall(CALessBase):
                      'The server certificate in http.p12 is not valid: '
                      'invalid for server %s' % self.master.hostname)
 
+    @server_install_teardown
     def test_invalid_ds_cn(self):
         "IPA server install with DS certificate with invalid CN"
 
@@ -475,6 +484,7 @@ class TestServerInstall(CALessBase):
                      'The server certificate in dirsrv.p12 is not valid: '
                      'invalid for server %s' % self.master.hostname)
 
+    @server_install_teardown
     def test_expired_http(self):
         "IPA server install with expired HTTP certificate"
 
@@ -490,6 +500,7 @@ class TestServerInstall(CALessBase):
                      "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
                      'expired.')
 
+    @server_install_teardown
     def test_expired_ds(self):
         "IPA server install with expired DS certificate"
 
@@ -505,6 +516,7 @@ class TestServerInstall(CALessBase):
                      "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
                      'expired.')
 
+    @server_install_teardown
     def test_http_bad_usage(self):
         "IPA server install with HTTP certificate with invalid key usage"
 
@@ -519,6 +531,7 @@ class TestServerInstall(CALessBase):
                      'The server certificate in http.p12 is not valid: '
                      'invalid for a SSL server')
 
+    @server_install_teardown
     def test_ds_bad_usage(self):
         "IPA server install with DS certificate with invalid key usage"
 
@@ -533,6 +546,7 @@ class TestServerInstall(CALessBase):
                      'The server certificate in dirsrv.p12 is not valid: '
                      'invalid for a SSL server')
 
+    @server_install_teardown
     def test_revoked_http(self):
         "IPA server install with revoked HTTP certificate"
 
@@ -551,6 +565,7 @@ class TestServerInstall(CALessBase):
 
         assert result.returncode > 0
 
+    @server_install_teardown
     def test_revoked_ds(self):
         "IPA server install with revoked DS certificate"
 
@@ -569,6 +584,7 @@ class TestServerInstall(CALessBase):
 
         assert result.returncode > 0
 
+    @server_install_teardown
     def test_http_intermediate_ca(self):
         "IPA server install with HTTP certificate issued by intermediate CA"
 
@@ -583,6 +599,7 @@ class TestServerInstall(CALessBase):
                      'http.p12 is not signed by root.pem, or the full '
                      'certificate chain is not present in the PKCS#12 file')
 
+    @server_install_teardown
     def test_ds_intermediate_ca(self):
         "IPA server install with DS certificate issued by intermediate CA"
 
@@ -597,6 +614,7 @@ class TestServerInstall(CALessBase):
                      'dirsrv.p12 is not signed by root.pem, or the full '
                      'certificate chain is not present in the PKCS#12 file')
 
+    @server_install_teardown
     def test_ca_self_signed(self):
         "IPA server install with self-signed certificate"
 
@@ -607,6 +625,7 @@ class TestServerInstall(CALessBase):
         result = self.install_server()
         assert result.returncode > 0
 
+    @server_install_teardown
     def test_valid_certs(self):
         "IPA server install with valid certificates"
 
@@ -618,6 +637,7 @@ class TestServerInstall(CALessBase):
         assert result.returncode == 0
         self.verify_installation()
 
+    @server_install_teardown
     def test_wildcard_http(self):
         "IPA server install with wildcard HTTP certificate"
 
@@ -631,6 +651,7 @@ class TestServerInstall(CALessBase):
         assert result.returncode == 0
         self.verify_installation()
 
+    @server_install_teardown
     def test_wildcard_ds(self):
         "IPA server install with wildcard DS certificate"
 
@@ -644,6 +665,7 @@ class TestServerInstall(CALessBase):
         assert result.returncode == 0
         self.verify_installation()
 
+    @server_install_teardown
     def test_http_san(self):
         "IPA server install with HTTP certificate with SAN"
 
@@ -657,6 +679,7 @@ class TestServerInstall(CALessBase):
         assert result.returncode == 0
         self.verify_installation()
 
+    @server_install_teardown
     def test_ds_san(self):
         "IPA server install with DS certificate with SAN"
 
@@ -670,6 +693,7 @@ class TestServerInstall(CALessBase):
         assert result.returncode == 0
         self.verify_installation()
 
+    @server_install_teardown
     def test_interactive_missing_http_pkcs_password(self):
         "IPA server install with prompt for HTTP PKCS#12 password"
 
@@ -686,6 +710,7 @@ class TestServerInstall(CALessBase):
         assert ('Enter server.p12 unlock password:'
                 in result.stdout_text), result.stdout_text
 
+    @server_install_teardown
     def test_interactive_missing_ds_pkcs_password(self):
         "IPA server install with prompt for DS PKCS#12 password"
 
@@ -702,6 +727,7 @@ class TestServerInstall(CALessBase):
         assert ('Enter server.p12 unlock password:'
                 in result.stdout_text), result.stdout_text
 
+    @server_install_teardown
     def test_no_http_password(self):
         "IPA server install with empty HTTP password"
 
@@ -716,6 +742,7 @@ class TestServerInstall(CALessBase):
         assert result.returncode == 0
         self.verify_installation()
 
+    @server_install_teardown
     def test_no_ds_password(self):
         "IPA server install with empty DS password"
 
@@ -743,18 +770,7 @@ class TestReplicaInstall(CALessBase):
         result = self.install_server()
         assert result.returncode == 0
 
-    def tearDown(self):
-        # Uninstall both master and replica
-        replica = self.replicas[0]
-        tasks.kinit_admin(self.master)
-        self.uninstall_server(replica)
-        self.master.run_command(['ipa-replica-manage', 'del', replica.hostname,
-                                 '--force'], raiseonerr=False)
-        self.master.run_command(['ipa', 'host-del', replica.hostname],
-                                raiseonerr=False)
-
-        self.uninstall_server()
-
+    @replica_install_teardown
     def test_no_certs(self):
         "IPA replica install without certificates"
 
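Review bot: the tearDown removed in this hunk ran ipa-replica-manage del and ipa host-del with raiseonerr=False, so a failed cleanup never masked the test's own result, and it uninstalled the master last. The definition of replica_install_teardown is not part of this hunk; please make sure it keeps that order and the raiseonerr=False calls, and that the cleanup sits in a finally block so it still runs when the test body raises.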
@@ -767,6 +783,7 @@ class TestReplicaInstall(CALessBase):
                 'custom certificates.' in result.stderr_text), \
                result.stderr_text
 
+    @replica_install_teardown
     def test_nonexistent_http_pkcs12_file(self):
         "IPA replica install with non-existent HTTP PKCS#12 file"
 
@@ -777,6 +794,7 @@ class TestReplicaInstall(CALessBase):
                                       http_pkcs12_exists=False)
         assert_error(result, 'Failed to open does_not_exist')
 
+    @replica_install_teardown
     def test_nonexistent_ds_pkcs12_file(self):
         "IPA replica install with non-existent DS PKCS#12 file"
 
@@ -787,6 +805,7 @@ class TestReplicaInstall(CALessBase):
                                       dirsrv_pkcs12_exists=False)
         assert_error(result, 'Failed to open does_not_exist')
 
+    @replica_install_teardown
     def test_incorect_http_pin(self):
         "IPA replica install with incorrect HTTP PKCS#12 password"
 
@@ -796,6 +815,7 @@ class TestReplicaInstall(CALessBase):
         assert result.returncode > 0
         assert_error(result, 'incorrect password for pkcs#12 file replica.p12')
 
+    @replica_install_teardown
     def test_incorect_ds_pin(self):
         "IPA replica install with incorrect DS PKCS#12 password"
 
@@ -804,6 +824,7 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(dirsrv_pin='bad<pin>')
         assert_error(result, 'incorrect password for pkcs#12 file replica.p12')
 
+    @replica_install_teardown
     def test_http_unknown_ca(self):
         "IPA replica install with HTTP certificate issued by unknown CA"
 
@@ -816,6 +837,7 @@ class TestReplicaInstall(CALessBase):
                      'http.p12 is not signed by /etc/ipa/ca.crt, or the full '
                      'certificate chain is not present in the PKCS#12 file')
 
+    @replica_install_teardown
     def test_ds_unknown_ca(self):
         "IPA replica install with DS certificate issued by unknown CA"
 
@@ -829,6 +851,7 @@ class TestReplicaInstall(CALessBase):
                      'full certificate chain is not present in the PKCS#12 '
                      'file')
 
+    @replica_install_teardown
     def test_invalid_http_cn(self):
         "IPA replica install with HTTP certificate with invalid CN"
 
@@ -841,6 +864,7 @@ class TestReplicaInstall(CALessBase):
                      'The server certificate in http.p12 is not valid: '
                      'invalid for server %s' % self.replicas[0].hostname)
 
+    @replica_install_teardown
     def test_invalid_ds_cn(self):
         "IPA replica install with DS certificate with invalid CN"
 
@@ -853,6 +877,7 @@ class TestReplicaInstall(CALessBase):
                      'The server certificate in dirsrv.p12 is not valid: '
                      'invalid for server %s' % self.replicas[0].hostname)
 
+    @replica_install_teardown
     def test_expired_http(self):
         "IPA replica install with expired HTTP certificate"
 
@@ -866,6 +891,7 @@ class TestReplicaInstall(CALessBase):
                      "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
                      'expired.')
 
+    @replica_install_teardown
     def test_expired_ds(self):
         "IPA replica install with expired DS certificate"
 
@@ -879,6 +905,7 @@ class TestReplicaInstall(CALessBase):
                      "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
                      'expired.')
 
+    @replica_install_teardown
     def test_http_bad_usage(self):
         "IPA replica install with HTTP certificate with invalid key usage"
 
@@ -891,6 +918,7 @@ class TestReplicaInstall(CALessBase):
                      'The server certificate in http.p12 is not valid: '
                      'invalid for a SSL server')
 
+    @replica_install_teardown
     def test_ds_bad_usage(self):
         "IPA replica install with DS certificate with invalid key usage"
 
@@ -903,6 +931,7 @@ class TestReplicaInstall(CALessBase):
                      'The server certificate in dirsrv.p12 is not valid: '
                      'invalid for a SSL server')
 
+    @replica_install_teardown
     def test_revoked_http(self):
         "IPA replica install with revoked HTTP certificate"
 
@@ -919,6 +948,7 @@ class TestReplicaInstall(CALessBase):
 
         assert result.returncode > 0
 
+    @replica_install_teardown
     def test_revoked_ds(self):
         "IPA replica install with revoked DS certificate"
 
@@ -935,6 +965,7 @@ class TestReplicaInstall(CALessBase):
 
         assert result.returncode > 0
 
+    @replica_install_teardown
     def test_http_intermediate_ca(self):
         "IPA replica install with HTTP certificate issued by intermediate CA"
 
@@ -947,6 +978,7 @@ class TestReplicaInstall(CALessBase):
                      'http.p12 is not signed by /etc/ipa/ca.crt, or the full '
                      'certificate chain is not present in the PKCS#12 file')
 
+    @replica_install_teardown
     def test_ds_intermediate_ca(self):
         "IPA replica install with DS certificate issued by intermediate CA"
 
@@ -960,6 +992,7 @@ class TestReplicaInstall(CALessBase):
                      'full certificate chain is not present in the PKCS#12 '
                      'file')
 
+    @replica_install_teardown
     def test_valid_certs(self):
         "IPA replica install with valid certificates"
 
@@ -974,6 +1007,7 @@ class TestReplicaInstall(CALessBase):
 
         self.verify_installation()
 
+    @replica_install_teardown
     def test_wildcard_http(self):
         "IPA replica install with wildcard HTTP certificate"
 
@@ -989,6 +1023,7 @@ class TestReplicaInstall(CALessBase):
 
         self.verify_installation()
 
+    @replica_install_teardown
     def test_wildcard_ds(self):
         "IPA replica install with wildcard DS certificate"
 
@@ -1004,6 +1039,7 @@ class TestReplicaInstall(CALessBase):
 
         self.verify_installation()
 
+    @replica_install_teardown
     def test_http_san(self):
         "IPA replica install with HTTP certificate with SAN"
 
@@ -1019,6 +1055,7 @@ class TestReplicaInstall(CALessBase):
 
         self.verify_installation()
 
+    @replica_install_teardown
     def test_ds_san(self):
         "IPA replica install with DS certificate with SAN"
 
@@ -1034,6 +1071,7 @@ class TestReplicaInstall(CALessBase):
 
         self.verify_installation()
 
+    @replica_install_teardown
     def test_interactive_missing_http_pkcs_password(self):
         "IPA replica install with missing HTTP PKCS#12 password"
 
@@ -1051,6 +1089,7 @@ class TestReplicaInstall(CALessBase):
 
         self.verify_installation()
 
+    @replica_install_teardown
     def test_interactive_missing_ds_pkcs_password(self):
         "IPA replica install with missing DS PKCS#12 password"
 
@@ -1068,6 +1107,7 @@ class TestReplicaInstall(CALessBase):
 
         self.verify_installation()
 
+    @replica_install_teardown
     def test_no_http_password(self):
         "IPA replica install with empty HTTP password"
 
@@ -1084,6 +1124,7 @@ class TestReplicaInstall(CALessBase):
 
         self.verify_installation()
 
+    @replica_install_teardown
     def test_no_ds_password(self):
         "IPA replica install with empty DS password"
 
-- 
2.7.4

From 72d2bd24772e86eaeebe89a379d6810c3cf6b15e Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 9 Sep 2016 14:15:05 +0200
Subject: [PATCH] tests: Removed outdated command options test

---
 ipatests/test_integration/test_caless.py | 19 -------------------
 1 file changed, 19 deletions(-)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index 19e8c5aa8a7af0460b1383e0775bee59f7e2ff5f..d4fdb40d71e77c12e327aa82188dc3573b11f133 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -1151,25 +1151,6 @@ class TestIPACommands(CALessBase):
         result = self.master.run_command(['ipa', command], raiseonerr=False)
         assert_error(result, "ipa: ERROR: unknown command '%s'" % command)
 
-    @pytest.mark.parametrize('command', (
-        'cert-status',
-        'cert-show',
-        'cert-find',
-        'cert-revoke',
-        'cert-remove-hold',
-        'cert-status'))
-    def test_cert_commands_unavailable(self, command):
-        result = self.master.run_command(['ipa', command], raiseonerr=False)
-        assert_error(result, "ipa: ERROR: unknown command '%s'" % command)
-
-    def test_cert_help_unavailable(self):
-        "Verify that cert plugin help is not available"
-        result = self.master.run_command(['ipa', 'help', 'cert'],
-                                         raiseonerr=False)
-        assert_error(result,
-                     "ipa: ERROR: no command nor help topic 'cert'",
-                     returncode=1)
-
     @contextlib.contextmanager
     def host(self):
         "Context manager that adds and removes a host entry with a certificate"
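Review bot: the commit message has a subject only and does not say what changed so that the "unknown command" assertions in test_cert_commands_unavailable and test_cert_help_unavailable no longer hold. Please add a body naming that change, and say whether the two tests should be replaced by positive checks rather than dropped. The removed parametrize list also named 'cert-status' twice, which is worth fixing if the list is reused.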
-- 
1.8.3.1

From f3d8f8eb4ae0802b66356ff740587ab770bac92d Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 9 Sep 2016 14:17:49 +0200
Subject: [PATCH] tests: Added necessary getkeytabs calls to fixtures

---
 ipatests/test_integration/test_caless.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index d4fdb40d71e77c12e327aa82188dc3573b11f133..5b52867deaf5179651eeb0e3ef636d0566a49b71 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -1157,6 +1157,9 @@ class TestIPACommands(CALessBase):
         self.master.run_command(['ipa', 'host-add', self.test_hostname,
                                  '--force',
                                  '--certificate', self.client_pem])
+        self.master.run_command(['ipa-getkeytab', '-s', self.master.hostname,
+                                 '-p' "host/%s" % self.test_hostname,
+                                 '-k', paths.IPA_KEYTAB])
         try:
             yield
         finally:
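Review bot: a comma is missing after '-p' in the added ipa-getkeytab call, so Python concatenates the adjacent string literals and passes a single argument of the form '-phost/<hostname>' instead of '-p' followed by the principal. The service fixture in the next hunk passes '-p', self.test_service as two list items; please write '-p', "host/%s" % self.test_hostname here as well.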
@@ -1170,6 +1173,10 @@ class TestIPACommands(CALessBase):
             self.master.run_command(['ipa', 'service-add', self.test_service,
                                      '--force',
                                      '--certificate', self.client_pem])
+            self.master.run_command(['ipa-getkeytab', '-s',
+                                     self.master.hostname,
+                                     '-p', self.test_service,
+                                     '-k', paths.IPA_KEYTAB])
             yield
 
     def test_service_mod_doesnt_revoke(self):
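Review bot: the added call writes the service key with '-k', paths.IPA_KEYTAB, as the host fixture does, and nothing in the visible hunks removes those keys again when the test entry is deleted. Consider retrieving into a temporary keytab on the master and deleting it in the cleanup path, and add a commit message body explaining why the tests need the keytabs.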
-- 
1.8.3.1

From f31e5446bcb8af2c1fa00b0af0a914640f65ecb1 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Wed, 21 Sep 2016 13:58:03 +0200
Subject: [PATCH] tests: Added necessary xfails

A number of tests fail due to known issues. Added xfails to acknowledge them
---
 ipatests/test_integration/test_caless.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index bbf1fef411044473370e25be3addf66199a12473..04d186a4af305f741d490e7f4ab089821d575435 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -370,6 +370,7 @@ class TestServerInstall(CALessBase):
                      'trust chain of the server certificate in server.p12 '
                      'contains 1 certificates, expected 2')
 
+    @pytest.mark.xfail(reason='Ticket N 6289')
     @server_install_teardown
     def test_ca_2_certs(self):
         "IPA server install with CA PEM file with 2 certificates"
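Review bot: reason='Ticket N 6289' does not follow the 'freeipa ticket NNNN' wording used by every other xfail in this patch; please use the same form so the markers can be found with one grep. Since these markers acknowledge known bugs, consider passing strict=True as well, so a test that starts passing once its ticket is fixed is reported as a failure instead of being recorded as an unexpected pass.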
@@ -432,6 +433,7 @@ class TestServerInstall(CALessBase):
                      'ipa-server-install: error: You must specify '
                      '--dirsrv-pin with --dirsrv-cert-file')
 
+    @pytest.mark.xfail(reason='freeipa ticket 5378')
     @server_install_teardown
     def test_incorect_http_pin(self):
         "IPA server install with incorrect HTTP PKCS#12 password"
@@ -443,6 +445,7 @@ class TestServerInstall(CALessBase):
         result = self.install_server(http_pin='bad<pin>')
         assert_error(result, 'incorrect password for pkcs#12 file server.p12')
 
+    @pytest.mark.xfail(reason='freeipa ticket 5378')
     @server_install_teardown
     def test_incorect_ds_pin(self):
         "IPA server install with incorrect DS PKCS#12 password"
@@ -637,6 +640,7 @@ class TestServerInstall(CALessBase):
         assert result.returncode == 0
         self.verify_installation()
 
+    @pytest.mark.xfail(reason='freeipa ticket 5603')
     @server_install_teardown
     def test_wildcard_http(self):
         "IPA server install with wildcard HTTP certificate"
@@ -651,6 +655,7 @@ class TestServerInstall(CALessBase):
         assert result.returncode == 0
         self.verify_installation()
 
+    @pytest.mark.xfail(reason='freeipa ticket 5603')
     @server_install_teardown
     def test_wildcard_ds(self):
         "IPA server install with wildcard DS certificate"
@@ -805,6 +810,7 @@ class TestReplicaInstall(CALessBase):
                                       dirsrv_pkcs12_exists=False)
         assert_error(result, 'Failed to open does_not_exist')
 
+    @pytest.mark.xfail(reason='freeipa ticket 5378')
     @replica_install_teardown
     def test_incorect_http_pin(self):
         "IPA replica install with incorrect HTTP PKCS#12 password"
@@ -815,6 +821,7 @@ class TestReplicaInstall(CALessBase):
         assert result.returncode > 0
         assert_error(result, 'incorrect password for pkcs#12 file replica.p12')
 
+    @pytest.mark.xfail(reason='freeipa ticket 5378')
     @replica_install_teardown
     def test_incorect_ds_pin(self):
         "IPA replica install with incorrect DS PKCS#12 password"
@@ -1007,6 +1014,7 @@ class TestReplicaInstall(CALessBase):
 
         self.verify_installation()
 
+    @pytest.mark.xfail(reason='freeipa ticket 5603')
     @replica_install_teardown
     def test_wildcard_http(self):
         "IPA replica install with wildcard HTTP certificate"
@@ -1023,6 +1031,7 @@ class TestReplicaInstall(CALessBase):
 
         self.verify_installation()
 
+    @pytest.mark.xfail(reason='freeipa ticket 5603')
     @replica_install_teardown
     def test_wildcard_ds(self):
         "IPA replica install with wildcard DS certificate"
@@ -1300,6 +1309,7 @@ class TestCertinstall(CALessBase):
                                   cert_exists=False)
         assert_error(result, 'Failed to open does_not_exist')
 
+    @pytest.mark.xfail(reason='freeipa ticket 5378')
     def test_incorect_http_pin(self):
         "Install new HTTP certificate with incorrect PKCS#12 password"
 
@@ -1307,6 +1317,7 @@ class TestCertinstall(CALessBase):
         assert_error(result,
                      'incorrect password for pkcs#12 file server.p12')
 
+    @pytest.mark.xfail(reason='freeipa ticket 5378')
     def test_incorect_dirsrv_pin(self):
         "Install new DS certificate with incorrect PKCS#12 password"
 
@@ -1427,12 +1438,14 @@ class TestCertinstall(CALessBase):
         result = self.certinstall('d', 'ca1/server')
         assert result.returncode == 0
 
+    @pytest.mark.xfail(reason='freeipa ticket 5603')
     def test_wildcard_http(self):
         "Install new wildcard HTTP certificate"
 
         result = self.certinstall('w', 'ca1/wildcard')
         assert result.returncode == 0
 
+    @pytest.mark.xfail(reason='freeipa ticket 5603')
     def test_wildcard_ds(self):
         "Install new wildcard DS certificate"
 
-- 
2.7.4

From 1ce11de1bfe88bb9b53fd755e539daf6bea0ca6b Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 9 Sep 2016 14:41:59 +0200
Subject: [PATCH] tests: Updated master and replica installation methods to enable
 negative testing

Negative testing was enabled by introducing an optional raiseonerr parameter
with True by default to both master and replica installation methods.
Also the methods were updated to support interactive installation.
---
 ipatests/test_integration/tasks.py | 90 ++++++++++++++++++++++----------------
 1 file changed, 52 insertions(+), 38 deletions(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index c60d43699d6577abe930ac8d6ab696feea837331..be3ca29318681537d877c7fd142ca628a21837c3 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -254,7 +254,8 @@ def enable_replication_debugging(host):
 
 
 def install_master(host, setup_dns=True, setup_kra=False, extra_args=(),
-                   domain_level=None):
+                   domain_level=None, unattended=True, stdin_text=None,
+                   raiseonerr=True):
     if domain_level is None:
         domain_level = host.config.domain_level
     setup_server_logs_collecting(host)
@@ -262,13 +263,15 @@ def install_master(host, setup_dns=True, setup_kra=False, extra_args=(),
     fix_apache_semaphores(host)
 
     args = [
-        'ipa-server-install', '-U',
+        'ipa-server-install',
         '-n', host.domain.name,
         '-r', host.domain.realm,
         '-p', host.config.dirman_password,
         '-a', host.config.admin_password,
         "--domain-level=%i" % domain_level,
     ]
+    if unattended:
+        args.append('-U')
 
     if setup_dns:
         args.extend([
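Review bot: with unattended=False the '-U' flag is dropped, but nothing checks that stdin_text was supplied, so a caller passing unattended=False alone leaves ipa-server-install waiting on its prompts. Either reject unattended=False when stdin_text is None, or document the pairing; install_master has no docstring describing the three new parameters.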
@@ -278,20 +281,20 @@ def install_master(host, setup_dns=True, setup_kra=False, extra_args=(),
         ])
 
     args.extend(extra_args)
-
-    host.run_command(args)
-    enable_replication_debugging(host)
-    setup_sssd_debugging(host)
-
-    if setup_kra:
-        args = [
-            "ipa-kra-install",
-            "-p", host.config.dirman_password,
-            "-U",
-        ]
-        host.run_command(args)
-
-    kinit_admin(host)
+    result = host.run_command(args, raiseonerr=raiseonerr,
+                              stdin_text=stdin_text)
+    if result.returncode == 0:
+        enable_replication_debugging(host)
+        setup_sssd_debugging(host)
+        if setup_kra:
+            args = [
+                "ipa-kra-install",
+                "-p", host.config.dirman_password,
+                "-U",
+            ]
+            host.run_command(args)
+        kinit_admin(host)
+    return result
 
 
 def get_replica_filename(replica):
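Review bot: the nested ipa-kra-install call is still host.run_command(args) without raiseonerr, so a caller that passed raiseonerr=False gets an exception anyway when the KRA step fails, and the returned result only describes ipa-server-install. Pass raiseonerr through to the KRA call and decide which result the function returns in that case, or document that the return value covers the server install only.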
@@ -327,7 +330,8 @@ def master_authoritative_for_client_domain(master, client):
         return False
 
 
-def replica_prepare(master, replica):
+def replica_prepare(master, replica, extra_args=(),
+                    raiseonerr=True, stdin_text=None):
     fix_apache_semaphores(replica)
     prepare_reverse_zone(master, replica.ip)
     args = ['ipa-replica-prepare',
@@ -335,15 +339,20 @@ def replica_prepare(master, replica):
             replica.hostname]
     if master_authoritative_for_client_domain(master, replica):
         args.extend(['--ip-address', replica.ip])
-    master.run_command(args)
-    replica_bundle = master.get_file_contents(
-        paths.REPLICA_INFO_GPG_TEMPLATE % replica.hostname)
-    replica_filename = get_replica_filename(replica)
-    replica.put_file_contents(replica_filename, replica_bundle)
+    args.extend(extra_args)
+    result = master.run_command(args, raiseonerr=raiseonerr,
+                                stdin_text=stdin_text)
+    if result.returncode == 0:
+        replica_bundle = master.get_file_contents(
+            paths.REPLICA_INFO_GPG_TEMPLATE % replica.hostname)
+        replica_filename = get_replica_filename(replica)
+        replica.put_file_contents(replica_filename, replica_bundle)
+    return result
 
 
 def install_replica(master, replica, setup_ca=True, setup_dns=False,
-                    setup_kra=False, extra_args=(), domain_level=None):
+                    setup_kra=False, extra_args=(), domain_level=None,
+                    unattended=True, stdin_text=None, raiseonerr=True):
     if domain_level is None:
         domain_level = domainlevel(master)
     apply_common_fixes(replica)
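Review bot: replica_prepare takes raiseonerr=True, stdin_text=None in that order, while install_master and install_replica take stdin_text=None, raiseonerr=True; please use one order across the three signatures so positional calls cannot mix them up. Also note in a docstring that with raiseonerr=False the replica bundle is not copied when ipa-replica-prepare fails, so callers have to check result.returncode before going on to the install.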
@@ -351,9 +360,11 @@ def install_replica(master, replica, setup_ca=True, setup_dns=False,
     allow_sync_ptr(master)
     # Otherwise ipa-client-install would not create a PTR
     # and replica installation would fail
-    args = ['ipa-replica-install', '-U',
+    args = ['ipa-replica-install',
             '-p', replica.config.dirman_password,
             '-w', replica.config.admin_password]
+    if unattended:
+        args.append('-U')
     if setup_ca:
         args.append('--setup-ca')
     if setup_dns:
@@ -376,22 +387,25 @@ def install_replica(master, replica, setup_ca=True, setup_dns=False,
         install_client(master, replica)
         fix_apache_semaphores(replica)
         args.extend(['-r', replica.domain.realm])
-    replica.run_command(args)
-    enable_replication_debugging(replica)
-    setup_sssd_debugging(replica)
 
-    if setup_kra:
-        assert setup_ca, "CA must be installed on replica with KRA"
-        args = [
-            "ipa-kra-install",
-            "-p", replica.config.dirman_password,
-            "-U",
-        ]
-        if domainlevel(master) == DOMAIN_LEVEL_0:
-            args.append(replica_filename)
-        replica.run_command(args)
+    result = replica.run_command(args, raiseonerr=raiseonerr,
+                                 stdin_text=stdin_text)
+    if result.returncode == 0:
+        enable_replication_debugging(replica)
+        setup_sssd_debugging(replica)
+        if setup_kra:
+            assert setup_ca, "CA must be installed on replica with KRA"
+            args = [
+                "ipa-kra-install",
+                "-p", replica.config.dirman_password,
+                "-U",
+            ]
+            if domainlevel(master) == DOMAIN_LEVEL_0:
+                args.append(replica_filename)
+            replica.run_command(args)
 
-    kinit_admin(replica)
+        kinit_admin(replica)
+    return result
 
 
 def install_client(master, client, extra_args=()):
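Review bot: the assert setup_ca, "CA must be installed on replica with KRA" check is now nested under result.returncode == 0, so with raiseonerr=False an invalid setup_kra/setup_ca combination goes unnoticed whenever ipa-replica-install fails. Move the assert to the top of install_replica, before any command is run, so the argument error is reported regardless of the install outcome.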
-- 
1.8.3.1

From f836a7c162d3302b71735c91a390ff71218e7403 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Thu, 15 Sep 2016 11:36:51 +0200
Subject: [PATCH] tests: Made unapply_fixes call optional at master uninstallation

Unapply fixes removes the temporary testing folder at ~/ipatests, which
contains some artifacts like root.pem that need to be persistent between tests
in the test_caless testsuite. There has to be a way to skip the deletion of
this testfolder
---
 ipatests/test_integration/tasks.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index bd46eda77ef55f17d05c016280e553c6987591a0..cc4943c3ec10fd344d1ff01a2b273721c3ba8f6c 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -679,7 +679,7 @@ def kinit_admin(host, raiseonerr=True):
 
 
 def uninstall_master(host, ignore_topology_disconnect=True,
-                     ignore_last_of_role=True):
+                     ignore_last_of_role=True, clean=True):
     host.collect_log(paths.IPASERVER_UNINSTALL_LOG)
     uninstall_cmd = ['ipa-server-install', '--uninstall', '-U']
 
@@ -707,7 +707,8 @@ def uninstall_master(host, ignore_topology_disconnect=True,
     host.run_command("find /run/ipa -name 'krb5*' | xargs rm -fv",
                      raiseonerr=False)
     host.run_command(['systemctl', 'restart', 'sssd'])
-    unapply_fixes(host)
+    if clean:
+        unapply_fixes(host)
 
 
 def uninstall_client(host):
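Review bot: the new clean=True parameter only controls whether unapply_fixes(host) runs, which the name does not convey; a reader could take clean=False to mean the uninstall itself is skipped or partial. Consider a name tied to what it does, and add a docstring line to uninstall_master stating that clean=False keeps the ~/ipatests folder described in the commit message.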
-- 
1.8.3.1

From c7302d096d221306f0d2599ad30c2c38792b1d61 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 9 Sep 2016 15:06:46 +0200
Subject: [PATCH] tests: Enabled negative testing for cleaning replication agreements

---
 ipatests/test_integration/tasks.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index 372345f13f41424f4f62718a113c575a125f3be8..f5c8ab4cfc21446b843f3c383b51472fb40517c8 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -714,14 +714,15 @@ def uninstall_client(host):
 
 
 @check_arguments_are((0, 2), Host)
-def clean_replication_agreement(master, replica):
+def clean_replication_agreement(master, replica, cleanup=False,
+                                raiseonerr=True):
     """
     Performs `ipa-replica-manage del replica_hostname --force`.
     """
-    master.run_command(['ipa-replica-manage',
-                        'del',
-                        replica.hostname,
-                        '--force'])
+    args = ['ipa-replica-manage', 'del', replica.hostname, '--force']
+    if cleanup:
+        args.append('--cleanup')
+    master.run_command(args, raiseonerr=raiseonerr)
 
 
 @check_arguments_are((0, 3), Host)
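Review bot: `master.run_command(args, raiseonerr=raiseonerr)` discards its result, so a negative test that passes `raiseonerr=False` gets nothing back to assert on; return the result from the function. The docstring also still describes only `ipa-replica-manage del replica_hostname --force` and should mention the optional `--cleanup` flag and the new `raiseonerr` parameter.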
-- 
1.8.3.1

From 1543055011d1fae330707e890af0b65051302f89 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Wed, 21 Sep 2016 11:32:57 +0200
Subject: [PATCH] tests: Replaced hardcoded certutil with imported from paths

---
 ipatests/test_integration/test_caless.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index 2bfba043208996c86ac094366597bbeeb7076f03..1b4dd629aa28f073009072d103fabbdf23305ffe 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -285,7 +285,7 @@ class CALessBase(IntegrationTest):
     @classmethod
     def get_pem(cls, nickname):
         result = ipautil.run(
-            ['certutil', '-L', '-d', 'nssdb', '-n', nickname, '-a'],
+            [paths.CERTUTIL, '-L', '-d', 'nssdb', '-n', nickname, '-a'],
             cwd=cls.cert_dir, capture_output=True)
         return result.output
 
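Review bot: the `[paths.CERTUTIL, '-L', ...]` line needs `paths` in scope, and the diffstat shows one insertion and one deletion, so no import is added by this patch. Confirm test_caless.py already imports `paths`; otherwise `get_pem` fails with a NameError before certutil is ever run.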
-- 
2.7.4

From e0cbefa3f13ffd1713f119ea7b8d7fed188f3917 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Wed, 21 Sep 2016 11:48:30 +0200
Subject: [PATCH] tests: Replaced unused setUp method with install

setUp method does not get executed in recent versions of pytest.
Replaced with the install method derived from the parent IntegrationTest class.
---
 ipatests/test_integration/test_caless.py | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index 337fb4a3a9aa7e19264a84679fb05c241decafda..07ee280f21a90c6ee61a83dc84c41971df2f1b20 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -761,13 +761,13 @@ class TestServerInstall(CALessBase):
 class TestReplicaInstall(CALessBase):
     num_replicas = 1
 
-    def setUp(self):
-        # Install the master for every test
-        self.export_pkcs12('ca1/server')
-        with open(self.pem_filename, 'w') as f:
-            f.write(self.get_pem('ca1'))
-
-        result = self.install_server()
+    @classmethod
+    def install(cls, mh):
+        super(TestReplicaInstall, cls).install(mh)
+        cls.export_pkcs12('ca1/server')
+        with open(cls.pem_filename, 'w') as f:
+            f.write(cls.get_pem('ca1'))
+        result = cls.install_server()
         assert result.returncode == 0
 
     @replica_install_teardown
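Review bot: the removed comment said the master was installed for every test, while the new `install(cls, mh)` classmethod runs once per class, so every test in `TestReplicaInstall` now shares one master installation. State in the commit message that this is intended and confirm that `replica_install_teardown` leaves the master usable for the next test. The bare `assert result.returncode == 0` would also be easier to debug with `result.stderr_text` as its message.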
-- 
2.7.4

From 94ac46be0576cb5dfaf09ebd8ec84474e6705e97 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Wed, 21 Sep 2016 14:12:10 +0200
Subject: [PATCH] tests: fixed expects of incorrect error messages

---
 ipatests/test_integration/test_caless.py | 56 ++++++++++++++------------------
 1 file changed, 24 insertions(+), 32 deletions(-)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index f362517f26d27fb37873892873acc0428333f142..f499c61f36268cff57d67c928c0a3bb414035442 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -353,9 +353,7 @@ class TestServerInstall(CALessBase):
 
         result = self.install_server()
         assert_error(result,
-                     'server.p12 is not signed by root.pem, or the full '
-                     'certificate chain is not present in the PKCS#12 '
-                     'file')
+                     'The full certificate chain is not present in server.p12')
 
     @server_install_teardown
     def test_ca_server_cert(self):
@@ -367,8 +365,7 @@ class TestServerInstall(CALessBase):
 
         result = self.install_server()
         assert_error(result,
-                     'trust chain of the server certificate in server.p12 '
-                     'contains 1 certificates, expected 2')
+                     'The full certificate chain is not present in server.p12')
 
     @pytest.mark.xfail(reason='Ticket N 6289')
     @server_install_teardown
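Review bot: `test_ca_server_cert` now expects exactly the same string as `test_unknown_ca` in the previous hunk ('The full certificate chain is not present in server.p12'), so the two tests can no longer tell a CA file holding a server certificate from one holding an unknown CA. If the installer really reports both conditions identically, say so in the commit message, which currently has no body.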
@@ -598,9 +595,9 @@ class TestServerInstall(CALessBase):
 
         result = self.install_server(http_pkcs12='http.p12',
                                      dirsrv_pkcs12='dirsrv.p12')
-        assert_error(result,
-                     'http.p12 is not signed by root.pem, or the full '
-                     'certificate chain is not present in the PKCS#12 file')
+        assert_error(result, 'Apache Server SSL certificate and'
+                             ' Directory Server SSL certificate are not'
+                             ' signed by the same CA certificate')
 
     @server_install_teardown
     def test_ds_intermediate_ca(self):
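Review bot: the expected text in `assert_error` no longer names the offending file (previously 'http.p12 is not signed by root.pem ...'), and the DS variant in the next hunk expects the identical 'not signed by the same CA certificate' message, so an error raised for the wrong certificate would still pass. The same literal is also split two different ways across this patch; define it once as a module-level constant and reuse it.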
@@ -614,8 +611,8 @@ class TestServerInstall(CALessBase):
         result = self.install_server(http_pkcs12='http.p12',
                                      dirsrv_pkcs12='dirsrv.p12')
         assert_error(result,
-                     'dirsrv.p12 is not signed by root.pem, or the full '
-                     'certificate chain is not present in the PKCS#12 file')
+                     'Apache Server SSL certificate and Directory Server SSL'
+                     ' certificate are not signed by the same CA certificate')
 
     @server_install_teardown
     def test_ca_self_signed(self):
@@ -712,7 +709,7 @@ class TestServerInstall(CALessBase):
                                      stdin_text=stdin_text)
         assert result.returncode == 0
         self.verify_installation()
-        assert ('Enter server.p12 unlock password:'
+        assert ('Enter Apache Server private key unlock password'
                 in result.stdout_text), result.stdout_text
 
     @server_install_teardown
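Review bot: the new prompt substring 'Enter Apache Server private key unlock password' drops the trailing colon that the old assertion carried, which makes the match looser than before. Include the colon if the prompt still ends with one; the same applies to the Directory Server prompt in the next hunk.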
@@ -729,7 +726,7 @@ class TestServerInstall(CALessBase):
                                      stdin_text=stdin_text)
         assert result.returncode == 0
         self.verify_installation()
-        assert ('Enter server.p12 unlock password:'
+        assert ('Enter Directory Server private key unlock password'
                 in result.stdout_text), result.stdout_text
 
     @server_install_teardown
@@ -782,11 +779,10 @@ class TestReplicaInstall(CALessBase):
         result = self.master.run_command(['ipa-replica-prepare',
                                           self.replicas[0].hostname],
                                          raiseonerr=False)
-        assert result.returncode > 0
-        assert ('Cannot issue certificates: a CA is not installed. Use the '
-                '--http-cert-file, --dirsrv-cert-file options to provide '
-                'custom certificates.' in result.stderr_text), \
-               result.stderr_text
+        assert_error(result, "Cannot issue certificates: a CA is not "
+                             "installed. Use the --http-cert-file, "
+                             "--dirsrv-cert-file options to provide "
+                             "custom certificates.")
 
     @replica_install_teardown
     def test_nonexistent_http_pkcs12_file(self):
@@ -840,9 +836,9 @@ class TestReplicaInstall(CALessBase):
 
         result = self.prepare_replica(http_pkcs12='http.p12',
                                       dirsrv_pkcs12='dirsrv.p12')
-        assert_error(result,
-                     'http.p12 is not signed by /etc/ipa/ca.crt, or the full '
-                     'certificate chain is not present in the PKCS#12 file')
+        assert_error(result, 'Apache Server SSL certificate and'
+                             ' Directory Server SSL certificate are not'
+                             ' signed by the same CA certificate')
 
     @replica_install_teardown
     def test_ds_unknown_ca(self):
@@ -854,9 +850,8 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(http_pkcs12='http.p12',
                                       dirsrv_pkcs12='dirsrv.p12')
         assert_error(result,
-                     'dirsrv.p12 is not signed by /etc/ipa/ca.crt, or the '
-                     'full certificate chain is not present in the PKCS#12 '
-                     'file')
+                     'Apache Server SSL certificate and Directory Server SSL'
+                     ' certificate are not signed by the same CA certificate')
 
     @replica_install_teardown
     def test_invalid_http_cn(self):
@@ -982,8 +977,8 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(http_pkcs12='http.p12',
                                       dirsrv_pkcs12='dirsrv.p12')
         assert_error(result,
-                     'http.p12 is not signed by /etc/ipa/ca.crt, or the full '
-                     'certificate chain is not present in the PKCS#12 file')
+                     'Apache Server SSL certificate and Directory Server SSL'
+                     ' certificate are not signed by the same CA certificate')
 
     @replica_install_teardown
     def test_ds_intermediate_ca(self):
@@ -994,10 +989,9 @@ class TestReplicaInstall(CALessBase):
 
         result = self.prepare_replica(http_pkcs12='http.p12',
                                       dirsrv_pkcs12='dirsrv.p12')
-        assert_error(result,
-                     'dirsrv.p12 is not signed by /etc/ipa/ca.crt, or the '
-                     'full certificate chain is not present in the PKCS#12 '
-                     'file')
+        assert_error(result, 'Apache Server SSL certificate and'
+                             ' Directory Server SSL certificate are not'
+                             ' signed by the same CA certificate')
 
     @replica_install_teardown
     def test_valid_certs(self):
@@ -1422,9 +1416,7 @@ class TestCertinstall(CALessBase):
 
         result = self.certinstall('w', 'server-selfsign')
         assert_error(result,
-                     'server.p12 is not signed by /etc/ipa/ca.crt, or the '
-                     'full certificate chain is not present in the PKCS#12 '
-                     'file')
+                     'The full certificate chain is not present in server.p12')
 
     def test_valid_http(self):
         "Install new valid HTTP certificate"
-- 
2.7.4

From 2f79ee27d335a52fb2a5488c35db026f55863770 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Wed, 21 Sep 2016 14:24:04 +0200
Subject: [PATCH] tests: Fixed Usage of improper certs in ca-less tests

---
 ipatests/test_integration/test_caless.py | 33 +++++++++++++++-----------------
 1 file changed, 15 insertions(+), 18 deletions(-)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index f499c61f36268cff57d67c928c0a3bb414035442..1c19a9df8cd05d7b60caa9f29f5650e7da84a7d3 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -347,7 +347,7 @@ class TestServerInstall(CALessBase):
     def test_unknown_ca(self):
         "IPA server install with CA PEM file with unknown CA certificate"
 
-        self.export_pkcs12('ca1/server')
+        self.export_pkcs12('ca3/server')
         with open(self.pem_filename, 'w') as f:
             f.write(self.get_pem('ca2'))
 
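Review bot: `self.export_pkcs12('ca3/server')` introduces a `ca3` nickname that nothing in this patch creates, and the commit has no body. Confirm that the certificate generation used by the suite produces `ca3/server`, and say in the commit message why the server certificate has to come from a CA other than `ca1` for the unknown-CA case.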
@@ -359,9 +359,9 @@ class TestServerInstall(CALessBase):
     def test_ca_server_cert(self):
         "IPA server install with CA PEM file with server certificate"
 
-        self.export_pkcs12('ca1/server')
+        self.export_pkcs12('noca')
         with open(self.pem_filename, 'w') as f:
-            f.write(self.get_pem('ca1/server'))
+            f.write(self.get_pem('noca'))
 
         result = self.install_server()
         assert_error(result,
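Review bot: the nickname `'noca'` is used both for the PKCS#12 export and for the PEM written as the CA file, but the docstring says the CA PEM file holds a server certificate and the name does not show that `noca` is one. Add a short comment on what `noca` is and how it differs from `ca1/server`, so the test can be checked against its docstring.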
@@ -473,8 +473,7 @@ class TestServerInstall(CALessBase):
     def test_invalid_ds_cn(self):
         "IPA server install with DS certificate with invalid CN"
 
-        self.export_pkcs12('ca1/server', filename='http.p12')
-        self.export_pkcs12('ca1/server-badname', filename='dirsrv.p12')
+        self.export_pkcs12('ca1/replica', filename='dirsrv.p12')
         with open(self.pem_filename, 'w') as f:
             f.write(self.get_pem('ca1'))
 
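Review bot: `test_invalid_ds_cn` no longer exports `http.p12` and now feeds `ca1/replica` into `dirsrv.p12` in place of `ca1/server-badname`, so the invalid CN is only implied by the replica name not matching the master. Add a comment saying so, and check that the `install_server` call below this hunk does not still reference `http.p12`, which this test no longer creates.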
@@ -786,24 +785,22 @@ class TestReplicaInstall(CALessBase):
 
     @replica_install_teardown
     def test_nonexistent_http_pkcs12_file(self):
-        "IPA replica install with non-existent HTTP PKCS#12 file"
-
-        self.export_pkcs12('ca1/replica', filename='dirsrv.p12')
-
-        result = self.prepare_replica(http_pkcs12='does_not_exist',
-                                      dirsrv_pkcs12='dirsrv.p12',
-                                      http_pkcs12_exists=False)
-        assert_error(result, 'Failed to open does_not_exist')
-
-    @replica_install_teardown
-    def test_nonexistent_ds_pkcs12_file(self):
         "IPA replica install with non-existent DS PKCS#12 file"
 
         self.export_pkcs12('ca1/replica', filename='http.p12')
 
         result = self.prepare_replica(dirsrv_pkcs12='does_not_exist',
-                                      http_pkcs12='http.p12',
-                                      dirsrv_pkcs12_exists=False)
+                                      http_pkcs12='http.p12')
+        assert_error(result, 'Failed to open does_not_exist')
+
+    @replica_install_teardown
+    def test_nonexistent_ds_pkcs12_file(self):
+        "IPA replica install with non-existent HTTP PKCS#12 file"
+
+        self.export_pkcs12('ca1/replica', filename='dirsrv.p12')
+
+        result = self.prepare_replica(http_pkcs12='does_not_exist',
+                                      dirsrv_pkcs12='dirsrv.p12')
         assert_error(result, 'Failed to open does_not_exist')
 
     @pytest.mark.xfail(reason='freeipa ticket 5378')
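Review bot: after this hunk the bodies are swapped but the method names are not: `test_nonexistent_http_pkcs12_file` carries the docstring 'non-existent DS PKCS#12 file' and passes `dirsrv_pkcs12='does_not_exist'`, while `test_nonexistent_ds_pkcs12_file` tests the missing HTTP file. Keep each name with its matching body so a failure report points at the right certificate. The hunk also silently drops `http_pkcs12_exists=False` and `dirsrv_pkcs12_exists=False`, which the commit message should explain.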
-- 
2.7.4

From 213b30e8ffd2c013749d2bb4226bf4787dcf95f9 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Wed, 21 Sep 2016 14:31:40 +0200
Subject: [PATCH] tests: Implemented check for domainlevel before installation
 verification

We only need to verify installation of replica under domain level 1, otherwise
replica is not installed but only a gpg file is prepared
---
 ipatests/test_integration/test_caless.py | 61 ++++++++++----------------------
 1 file changed, 18 insertions(+), 43 deletions(-)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index 1c19a9df8cd05d7b60caa9f29f5650e7da84a7d3..73a111f87bc53c71ef6611cfef7c903c6641a29e 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -999,11 +999,8 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(http_pkcs12='server.p12',
                                       dirsrv_pkcs12='server.p12')
         assert result.returncode == 0
-
-        result = self.install_replica()
-        assert result.returncode == 0
-
-        self.verify_installation()
+        if self.domain_level > DOMAIN_LEVEL_0:
+            self.verify_installation()
 
     @pytest.mark.xfail(reason='freeipa ticket 5603')
     @replica_install_teardown
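Review bot: dropping `self.install_replica()` and its return-code assert means that at domain level 0 these tests stop after `prepare_replica` and never install from the prepared file, so CA-less replica installation at that level loses its coverage. If that is intended, say so in the commit message; otherwise keep the install step in an `else` branch. The two-line `if self.domain_level > DOMAIN_LEVEL_0:` guard is repeated in nine tests and would be better as one helper on the class.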
@@ -1016,11 +1013,8 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(http_pkcs12='http.p12',
                                       dirsrv_pkcs12='dirsrv.p12')
         assert result.returncode == 0
-
-        result = self.install_replica()
-        assert result.returncode == 0
-
-        self.verify_installation()
+        if self.domain_level > DOMAIN_LEVEL_0:
+            self.verify_installation()
 
     @pytest.mark.xfail(reason='freeipa ticket 5603')
     @replica_install_teardown
@@ -1033,11 +1027,8 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(http_pkcs12='http.p12',
                                       dirsrv_pkcs12='dirsrv.p12')
         assert result.returncode == 0
-
-        result = self.install_replica()
-        assert result.returncode == 0
-
-        self.verify_installation()
+        if self.domain_level > DOMAIN_LEVEL_0:
+            self.verify_installation()
 
     @replica_install_teardown
     def test_http_san(self):
@@ -1049,11 +1040,9 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(http_pkcs12='http.p12',
                                       dirsrv_pkcs12='dirsrv.p12')
         assert result.returncode == 0
+        if self.domain_level > DOMAIN_LEVEL_0:
+            self.verify_installation()
 
-        result = self.install_replica()
-        assert result.returncode == 0
-
-        self.verify_installation()
 
     @replica_install_teardown
     def test_ds_san(self):
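Review bot: in this hunk the guard is added above the existing blank line while the blank line that followed `self.verify_installation()` is kept, which leaves two blank lines before `@replica_install_teardown` inside the class. A later patch in the series removes one of them; fix it here so each patch is clean on its own.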
@@ -1065,11 +1054,8 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(http_pkcs12='http.p12',
                                       dirsrv_pkcs12='dirsrv.p12')
         assert result.returncode == 0
-
-        result = self.install_replica()
-        assert result.returncode == 0
-
-        self.verify_installation()
+        if self.domain_level > DOMAIN_LEVEL_0:
+            self.verify_installation()
 
     @replica_install_teardown
     def test_interactive_missing_http_pkcs_password(self):
@@ -1083,11 +1069,8 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(http_pin=None, unattended=False,
                                       stdin_text=stdin_text)
         assert result.returncode == 0
-
-        result = self.install_replica()
-        assert result.returncode == 0
-
-        self.verify_installation()
+        if self.domain_level > DOMAIN_LEVEL_0:
+            self.verify_installation()
 
     @replica_install_teardown
     def test_interactive_missing_ds_pkcs_password(self):
@@ -1101,11 +1084,8 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(dirsrv_pin=None, unattended=False,
                                       stdin_text=stdin_text)
         assert result.returncode == 0
-
-        result = self.install_replica()
-        assert result.returncode == 0
-
-        self.verify_installation()
+        if self.domain_level > DOMAIN_LEVEL_0:
+            self.verify_installation()
 
     @replica_install_teardown
     def test_no_http_password(self):
@@ -1118,11 +1098,8 @@ class TestReplicaInstall(CALessBase):
                                       dirsrv_pkcs12='dirsrv.p12',
                                       http_pin='')
         assert result.returncode == 0
-
-        result = self.install_replica()
-        assert result.returncode == 0
-
-        self.verify_installation()
+        if self.domain_level > DOMAIN_LEVEL_0:
+            self.verify_installation()
 
     @replica_install_teardown
     def test_no_ds_password(self):
@@ -1135,10 +1112,8 @@ class TestReplicaInstall(CALessBase):
                                       dirsrv_pkcs12='dirsrv.p12',
                                       dirsrv_pin='')
         assert result.returncode == 0
-
-        result = self.install_replica()
-        assert result.returncode == 0
-
+        if self.domain_level > DOMAIN_LEVEL_0:
+            self.verify_installation()
 
 class TestClientInstall(CALessBase):
     num_clients = 1
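Review bot: `test_no_ds_password` did not call `verify_installation()` before (only the `install_replica()` lines are removed in this hunk), so the added guard introduces a new check on top of the stated domain-level change; mention it in the commit message. The hunk also leaves a single blank line before `class TestClientInstall`, where pep8 expects two.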
-- 
2.7.4

From d7455ef8c7022d448601f7ec8ded87ce0f7cdf9d Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Wed, 21 Sep 2016 13:13:44 +0200
Subject: [PATCH] tests: Standardized replica_preparation in test_no_certs

---
 ipatests/test_integration/test_caless.py | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index d4ce62c32e73bb011859daa49c403b6b8bff3dcf..b06ee6da29ebe5010407b0b416a0e4f3a59dbd95 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -768,10 +768,8 @@ class TestReplicaInstall(CALessBase):
     @replica_install_teardown
     def test_no_certs(self):
         "IPA replica install without certificates"
-
-        result = self.master.run_command(['ipa-replica-prepare',
-                                          self.replicas[0].hostname],
-                                         raiseonerr=False)
+        result = self.prepare_replica(http_pkcs12_exists=False,
+                                      dirsrv_pkcs12_exists=False)
         assert_error(result, "Cannot issue certificates: a CA is not "
                              "installed. Use the --http-cert-file, "
                              "--dirsrv-cert-file options to provide "
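Review bot: `http_pkcs12_exists=False` and `dirsrv_pkcs12_exists=False` are passed to `prepare_replica` here, while an earlier patch in this series removed the same keywords from the non-existent-file tests. Confirm the helper still accepts them and that with both set to False it passes no certificate options at all, since the expected 'Cannot issue certificates' error depends on that. The blank line after the docstring is also removed, unlike the neighbouring tests.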
-- 
2.7.4

From 04b46e94200b1628e4cf93fcee0bcdf1e840d232 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Wed, 21 Sep 2016 13:17:14 +0200
Subject: [PATCH] tests: added verbose assert to
 test_service_disable_doesnt_revoke

---
 ipatests/test_integration/test_caless.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index b06ee6da29ebe5010407b0b416a0e4f3a59dbd95..a0c1f2abf8f840d8661e38f7273512cd818bf770 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -1200,8 +1200,11 @@ class TestIPACommands(CALessBase):
     def test_service_disable_doesnt_revoke(self):
         "Verify that service-disable does not attempt to revoke certificate"
         with self.service():
-            self.master.run_command(['ipa', 'service-disable',
-                                     self.test_service])
+            result = self.master.run_command(['ipa', 'service-disable',
+                                              self.test_service],
+                                             raiseonerr=False)
+            assert(result.returncode == 0), (
+                "Failed to disable ipa-service: %s" % result.stderr_text)
 
     def test_service_del_doesnt_revoke(self):
         "Verify that service-del does not attempt to revoke certificate"
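Review bot: the added `assert(result.returncode == 0), (...)` only proves that `ipa service-disable` exited cleanly, while the test is named `test_service_disable_doesnt_revoke`; nothing here checks that no revocation was attempted. Consider also asserting on the command output, and write the assert as a statement, `assert result.returncode == 0, (...)`, since the parenthesised form reads like a function call.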
-- 
2.7.4

From f37fd5c20f3e237f2e955cc55256df1e1153a0cf Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Wed, 21 Sep 2016 13:18:58 +0200
Subject: [PATCH] tests: fixed super method invocation

---
 ipatests/test_integration/test_caless.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index a0c1f2abf8f840d8661e38f7273512cd818bf770..8a76ae636aff5a7b767447f01e6cd47776da8659 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -1232,7 +1232,7 @@ class TestIPACommands(CALessBase):
 class TestCertinstall(CALessBase):
     @classmethod
     def install(cls, mh):
-        super(TestCertinstall, cls).install()
+        super(TestCertinstall, cls).install(mh)
 
         cls.export_pkcs12('ca1/server')
         with open(cls.pem_filename, 'w') as f:
-- 
2.7.4

From 36ebc84d7eb117711a4f301aa70f10fc9af38874 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Wed, 21 Sep 2016 13:22:44 +0200
Subject: [PATCH] tests: fixed certinstall method

---
 ipatests/test_integration/test_caless.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index 8a76ae636aff5a7b767447f01e6cd47776da8659..c77846f97a1adb275608d016b8ffc03c49c6aa56 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -1254,12 +1254,10 @@ class TestCertinstall(CALessBase):
             self.copy_cert(self.master, filename)
         if not args:
             args = ['ipa-server-certinstall',
+                    '-p', self.master.config.dirman_password,
                     '-%s' % mode, filename]
             if pin is not None:
                 args += ['--pin', pin]
-            if mode == 'd':
-                args += ['--dirman-password',
-                         self.master.config.dirman_password]
         return self.master.run_command(args,
                                        raiseonerr=False,
                                        stdin_text=stdin_text)
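Review bot: `'-p', self.master.config.dirman_password` now puts the Directory Manager password on the `ipa-server-certinstall` command line for every mode, not only for `d` as the removed `if mode == 'd':` branch did, and the commit message does not say why the `w` mode needs it. State the reason, and keep in mind that a password passed as an argument is visible in the process list on the master and in any log of the executed command. The long form `--dirman-password` used by the removed lines is also easier to read than `-p`.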
-- 
2.7.4

From 8d948e7131945b241ab64aaedf844344c9b87049 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Wed, 21 Sep 2016 13:24:20 +0200
Subject: [PATCH] tests: Reverted erroneous asserts in 4 tests

---
 ipatests/test_integration/test_caless.py | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index c77846f97a1adb275608d016b8ffc03c49c6aa56..19e8c5aa8a7af0460b1383e0775bee59f7e2ff5f 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -1368,19 +1368,13 @@ class TestCertinstall(CALessBase):
         "Install new HTTP certificate issued by intermediate CA"
 
         result = self.certinstall('w', 'ca1/subca/server')
-        assert_error(result,
-                     'server.p12 is not signed by /etc/ipa/ca.crt, or the '
-                     'full certificate chain is not present in the PKCS#12 '
-                     'file')
+        assert result.returncode == 0, result.stderr_text
 
     def test_ds_intermediate_ca(self):
         "Install new DS certificate issued by intermediate CA"
 
         result = self.certinstall('d', 'ca1/subca/server')
-        assert_error(result,
-                     'server.p12 is not signed by /etc/ipa/ca.crt, or the '
-                     'full certificate chain is not present in the PKCS#12 '
-                     'file')
+        assert result.returncode == 0, result.stderr_text
 
     def test_self_signed(self):
         "Install new self-signed certificate"
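Review bot: both intermediate-CA tests flip from expecting a chain error to `assert result.returncode == 0, result.stderr_text` with no explanation, which changes what the suite treats as correct trust-chain behaviour. Reference the ticket or commit that made certificates issued by `ca1/subca` acceptable, and follow the success assert with a check that the new certificate was actually installed, not only that the command exited with 0.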
@@ -1462,7 +1456,7 @@ class TestCertinstall(CALessBase):
                 '--http-pin', self.cert_password]
 
         result = self.certinstall('w', 'ca1/server', args=args)
-        assert result.returncode == 0
+        assert_error(result, "no such option: --http-pin")
 
     def test_ds_old_options(self):
         "Install new valid DS certificate using pre-v3.3 CLI options"
@@ -1475,4 +1469,4 @@ class TestCertinstall(CALessBase):
 
         result = self.certinstall('d', 'ca1/server',
                                   args=args, stdin_text=stdin_text)
-        assert result.returncode == 0
+        assert_error(result, "no such option: --dirsrv-pin")
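Review bot: `test_ds_old_options` now asserts that `--dirsrv-pin` is rejected, but its docstring, visible as context in the previous hunk, still reads 'Install new valid DS certificate using pre-v3.3 CLI options'. Update the docstrings of both old-options tests to say that the pre-v3.3 options must be refused with 'no such option'.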
-- 
2.7.4

From 96962e0bb7aa5bd4db2e531fc5b07916ad5f6cf0 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Wed, 21 Sep 2016 14:36:19 +0200
Subject: [PATCH] tests: Fixed code styling in caless tests to make pep8 happy

---
 ipatests/test_integration/test_caless.py | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index 35bfdbe856e263703d6194bb0c988edbbfdf98a6..e47984cf721653ba8492bca1428ff51f05a41668 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -560,7 +560,7 @@ class TestServerInstall(CALessBase):
         if result.returncode == 0:
             raise nose.SkipTest(
                 "Known CA-less installation defect, see "
-                + "https://fedorahosted.org/freeipa/ticket/4270";)
+                "https://fedorahosted.org/freeipa/ticket/4270";)
 
         assert result.returncode > 0
 
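Review bot: the changed string sits inside `raise nose.SkipTest(...)`, while other tests in this file mark known defects with `@pytest.mark.xfail(reason=...)`; since all six occurrences are being touched anyway, consider converting them so the module does not depend on nose for skipping. The `;` between the closing quote and `)` appears on both the removed and the added line, so it is probably a mail-archive artifact, but if it is in the real file the line does not parse.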
@@ -579,7 +579,7 @@ class TestServerInstall(CALessBase):
         if result.returncode == 0:
             raise nose.SkipTest(
                 "Known CA-less installation defect, see "
-                + "https://fedorahosted.org/freeipa/ticket/4270";)
+                "https://fedorahosted.org/freeipa/ticket/4270";)
 
         assert result.returncode > 0
 
@@ -941,7 +941,7 @@ class TestReplicaInstall(CALessBase):
         if result.returncode == 0:
             raise nose.SkipTest(
                 "Known CA-less installation defect, see "
-                + "https://fedorahosted.org/freeipa/ticket/4270";)
+                "https://fedorahosted.org/freeipa/ticket/4270";)
 
         assert result.returncode > 0
 
@@ -958,7 +958,7 @@ class TestReplicaInstall(CALessBase):
         if result.returncode == 0:
             raise nose.SkipTest(
                 "Known CA-less installation defect, see "
-                + "https://fedorahosted.org/freeipa/ticket/4270";)
+                "https://fedorahosted.org/freeipa/ticket/4270";)
 
         assert result.returncode > 0
 
@@ -1041,7 +1041,6 @@ class TestReplicaInstall(CALessBase):
         if self.domain_level > DOMAIN_LEVEL_0:
             self.verify_installation()
 
-
     @replica_install_teardown
     def test_ds_san(self):
         "IPA replica install with DS certificate with SAN"
@@ -1113,6 +1112,7 @@ class TestReplicaInstall(CALessBase):
         if self.domain_level > DOMAIN_LEVEL_0:
             self.verify_installation()
 
+
 class TestClientInstall(CALessBase):
     num_clients = 1
 
@@ -1348,7 +1348,7 @@ class TestCertinstall(CALessBase):
         if result.returncode == 0:
             raise nose.SkipTest(
                 "Known CA-less installation defect, see "
-                + "https://fedorahosted.org/freeipa/ticket/4270";)
+                "https://fedorahosted.org/freeipa/ticket/4270";)
 
         assert result.returncode > 0
 
@@ -1360,7 +1360,7 @@ class TestCertinstall(CALessBase):
         if result.returncode == 0:
             raise nose.SkipTest(
                 "Known CA-less installation defect, see "
-                + "https://fedorahosted.org/freeipa/ticket/4270";)
+                "https://fedorahosted.org/freeipa/ticket/4270";)
 
         assert result.returncode > 0
 
-- 
2.7.4

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code