[Freeipa-devel] [freeipa PR#119][opened] Tests: Providing trust tests with tree root domain

mirielka Mon, 26 Sep 2016 06:26:23 -0700

   URL: https://github.com/freeipa/freeipa/pull/119
Author: mirielka
 Title: #119: Tests: Providing trust tests with tree root domain
Action: opened


PR body:
"""
https://fedorahosted.org/freeipa/ticket/6347
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/119/head:pr119
git checkout pr119

From 95568636efffdb2fa00df17291f2b1aed90cf769 Mon Sep 17 00:00:00 2001
From: Lenka Doudova <ldoud...@redhat.com>
Date: Thu, 22 Sep 2016 14:09:03 +0200
Subject: [PATCH] Tests: Providing trust tests with tree root domain

https://fedorahosted.org/freeipa/ticket/6347
---
 ipatests/pytest_plugins/integration.py  |   2 +-
 ipatests/test_integration/test_trust.py | 110 ++++++++++++++++++++++++++++----
 2 files changed, 97 insertions(+), 15 deletions(-)

diff --git a/ipatests/pytest_plugins/integration.py b/ipatests/pytest_plugins/integration.py
index 63d0c99..bd44f16 100644
--- a/ipatests/pytest_plugins/integration.py
+++ b/ipatests/pytest_plugins/integration.py
@@ -173,7 +173,7 @@ def mh(request, class_integration_logs):
     for i in range(cls.num_ad_domains):
         domain_descriptions.append({
             'type': 'AD',
-            'hosts': {'ad': 1, 'ad_subdomain': 1},
+            'hosts': {'ad': 1, 'ad_subdomain': 1, 'ad_treedomain': 1},
         })
 
     mh = make_multihost_fixture(
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index 6b30338..dc7cf28 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -31,7 +31,7 @@ class ADTrustBase(IntegrationTest):
 
     topology = 'line'
     num_ad_domains = 1
-    optional_extra_roles = ['ad_subdomain']
+    optional_extra_roles = ['ad_subdomain', 'ad_treedomain']
 
     @classmethod
     def install(cls, mh):
@@ -49,6 +49,14 @@ def install(cls, mh):
         except LookupError:
             cls.ad_subdomain = None
 
+        # Determine whether the tree domain AD is available
+        try:
+            cls.tree_ad = cls.host_by_role(cls.optional_extra_roles[1])
+            cls.ad_treedomain = '.'.join(
+                                    cls.tree_ad.hostname.split('.')[1:])
+        except LookupError:
+            cls.ad_treedomain = None
+
         cls.configure_dns_and_time()
 
     @classmethod
@@ -95,9 +103,10 @@ def test_all_trustdomains_found(self):
                                           'trustdomain-find',
                                           self.ad_domain])
 
-        # Check that both trustdomains appear in the result
+        # Check that all trustdomains appear in the result
         assert self.ad_domain in result.stdout_text
         assert self.ad_subdomain in result.stdout_text
+        assert self.ad_treedomain in result.stdout_text
 
 
 class ADTrustSubdomainBase(ADTrustBase):
@@ -113,20 +122,26 @@ def configure_dns_and_time(cls):
     @classmethod
     def install(cls, mh):
         super(ADTrustSubdomainBase, cls).install(mh)
-        cls.ad = cls.ad_domains[0].ads[0]
-        cls.ad_domain = cls.ad.domain.name
-        cls.install_adtrust()
-        cls.check_sid_generation()
-
-        # Determine whether the subdomain AD is available
-        # if not, skip the whole suite
-        try:
-            cls.child_ad = cls.host_by_role(cls.optional_extra_roles[0])
-            cls.ad_subdomain = '.'.join(cls.child_ad.hostname.split('.')[1:])
-        except LookupError:
+        if not cls.ad_subdomain:
             raise nose.SkipTest('AD subdomain is not available.')
 
-        cls.configure_dns_and_time()
+
+class ADTrustTreedomainBase(ADTrustBase):
+    """
+    Base class for tests involving tree root domains of trusted forests
+    """
+
+    @classmethod
+    def configure_dns_and_time(cls):
+        tasks.configure_dns_for_trust(cls.master, cls.ad_treedomain)
+        tasks.sync_time(cls.master, cls.tree_ad)
+
+    @classmethod
+    def install(cls, mh):
+        super(ADTrustTreedomainBase, cls).install(mh)
+        if not cls.ad_treedomain:
+            raise nose.SkipTest('AD tree root domain is not available.')
+
 
 class TestBasicADTrust(ADTrustBase):
     """Basic Integration test for Active Directory"""
@@ -340,6 +355,73 @@ def test_all_trustdomains_found(self):
             'Test case unapplicable, present for inheritance reason only')
 
 
+class TestExternalTrustWithTreedomain(ADTrustTreedomainBase):
+    """
+    Test establishing external trust with tree root domain
+    """
+
+    def test_establish_trust(self):
+        """ Tests establishing external trust with Active Directory """
+        tasks.establish_trust_with_ad(
+            self.master, self.ad_treedomain,
+            extra_args=['--range-type', 'ipa-ad-trust', '--external=True'])
+
+    def test_all_trustdomains_found(self):
+        """ Test that only one trustdomain is found """
+        result = self.master.run_command(['ipa', 'trustdomain-find',
+                                          self.ad_treedomain])
+
+        assert self.ad_treedomain in result.stdout_text
+        assert "Number of entries returned 1" in result.stdout_text
+
+    def test_user_gid_uid_resolution_in_nonposix_trust(self):
+        """ Check that user has SID-generated UID """
+        testuser = 'treetestuser@{0}'.format(self.ad_treedomain)
+        result = self.master.run_command(['getent', 'passwd', testuser])
+
+        testuser_regex = ("^treetestuser@{0}:\*:(?!10242)(\d+):"
+                          "(?!10247)(\d+):TreeTest User:"
+                          "/home/{1}/treetestuser:/bin/sh$".format(
+                              re.escape(self.ad_treedomain),
+                              re.escape(self.ad_treedomain)))
+
+        assert re.search(testuser_regex, result.stdout_text)
+
+    def test_remove_nonposix_trust(self):
+        tasks.remove_trust_with_ad(self.master, self.ad_treedomain)
+        tasks.clear_sssd_cache(self.master)
+
+
+class TestNonexternalTrustWithTreedomain(ADTrustTreedomainBase):
+    """
+    Tests that a non-external trust to a tree root domain cannot be established
+    """
+    def test_establish_trust(self):
+        """ Tests establishing non-external trust with Active Directory """
+        self.master.run_command(['kinit', '-kt', paths.IPA_KEYTAB,
+                                 'HTTP/%s' % self.master.hostname])
+        self.master.run_command(['systemctl', 'restart', 'krb5kdc.service'])
+        self.master.run_command(['kdestroy', '-A'])
+
+        tasks.kinit_admin(self.master)
+        self.master.run_command(['klist'])
+        self.master.run_command(['smbcontrol', 'all', 'debug', '100'])
+
+        result = self.master.run_command([
+            'ipa', 'trust-add', '--type', 'ad', self.ad_treedomain, '--admin',
+            'Administrator', '--password', '--range-type', 'ipa-ad-trust'
+            ], stdin_text=self.master.config.ad_admin_password,
+            raiseonerr=False)
+
+        assert result != 0
+        assert ("Domain '{0}' is not a root domain".format(
+            self.ad_treedomain) in result.stderr_text)
+
+    def test_all_trustdomains_found(self):
+        raise nose.SkipTest(
+            'Test case unapplicable, present for inheritance reason only')
+
+
 class TestExternalTrustWithRootDomain(ADTrustSubdomainBase):
     """
     Test establishing external trust with root domain

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#119][opened] Tests: Providing trust tests with tree root domain

Reply via email to