The integration part of the tests is ready. 2 tests:

1. Adds a cert to the idoverride of a Windows user
2. sssd part: looks up the user by his certificate using dbus-sssd

The second and third dbus calls are executed as a string instead of as an array of strings because it just does not work otherwise. Some quote escaping probably gets screwed up, but the system returns "Error org.freedesktop.DBus.Error.UnknownInterface: Unknown interface" if the command is executed using the standard array-based approach.

The run looks like this:

bash-4.3$ ipa-run-tests test_integration/test_idviews.py --pdb
WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] Permission denied: 'lextab.py'
WARNING: yacc table file version is out of date
WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission denied: 'yacctab.py'
==================================== test session starts ====================================
platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: sourceorder-0.5, multihost-1.0
collected 2 items

test_integration/test_idviews.py ..

================================ 2 passed in 948.44 seconds =================================


On 10/21/2016 10:54 AM, Oleg Fayans wrote:
Added one more test, resolved the pep8 issues

On 10/19/2016 12:32 PM, Oleg Fayans wrote:
Hi Martin,

As you suggested, I've extended the
test_xmlrpc/test_add_remove_cert_cmd.py to contain basic tests for certs
in idoverrides.
The integration part still needs some polishing in the part related to
user lookup by cert

On 10/14/2016 03:57 PM, Martin Babinsky wrote:
On 10/14/2016 03:48 PM, Oleg Fayans wrote:
So, did I understand correctly, that there would be 2 patches: one
containing test for basic idoverrides functionality without
AD-integration, and the second one - with AD-integration and an sssd
check, correct?
I guess, the
freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch
might be a good candidate for the first one, I only have to change the
filename to test_idviews.py, right?


Oleg, we already have XMLRPC tests for idoverrides:

ipatests/test_xmlrpc/test_idviews_plugin.py

Is there any particular reason why not to extend them with add
cert/remove cert operations?

Even better, you can extend
`ipatests/test_xmlrpc/test_add_remove_cert_cmd.py` suite by doing the
same set of tests on idoverrideuser objects.

Or am I missing something?

On 09/15/2016 10:32 AM, Martin Basti wrote:


On 15.09.2016 10:10, Oleg Fayans wrote:
Hi Martin,

The file was renamed. Did I understand correctly that for now we are
leaving the test as is and are planning to extend it later?

I would like to have the SSSD check involved there; please use what Sumit
recommends. No new test cases.

And this can be done in a separate patch; I want to have API/CLI
certificate override tests for a non-AD idview (extending the current
tests I posted in this thread)

Martin^2

On 09/15/2016 09:49 AM, Martin Basti wrote:


On 14.09.2016 18:53, Sumit Bose wrote:
On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:

On 14.09.2016 17:53, Alexander Bokovoy wrote:
On Wed, 14 Sep 2016, Martin Basti wrote:

On 14.09.2016 17:41, Alexander Bokovoy wrote:
On Wed, 14 Sep 2016, Martin Basti wrote:
1)
I still don't see the reason why AD trust is needed. Default
trust ID view is added just by ipa-adtrust-install, adding
trust is not needed for the current implementation. You don't
need AD for this, IDviews is a generic feature not just for
AD. Is that user configured on the AD side?
You cannot add a non-AD user to 'default trust view', so you will
not be able to set up certificates in an ID override which does not
exist.

For non-'default trust view' you can add both IPA and AD users,
so use some other view and then assign a certificate to an ID
override in that one.

Ok then, but anyway I would like to see API/CLI tests for this
feature with proper output validation.


How can this be tested with SSSD?
You need to log into the system with a certificate...
Is this possible from a test? We are logged in remotely as root; is
there any cmdline util which allows us to test a certificate against
an AD user?

You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should
return the ssh key derived from the public key in the certificate. This
should work for certificates stored in AD as well as for overrides.

You can also use the DBus lookup by certificate as described in
https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate .

HTH

bye,
Sumit

Thank you Alexander and Sumit for the hints.

Oleg, I realized we don't have any other idviews integration tests

So I propose to rename the test file you are adding to
test_idviews.py. We can add more testcases for idviews there later

Martin^2
Martin^2

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 867c603183d792b0056c0f8895f52577bc67d7b0 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Tue, 6 Sep 2016 12:39:45 +0200
Subject: [PATCH] Added interface to certutil

---
 ipatests/test_integration/tasks.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index c60d43699d6577abe930ac8d6ab696feea837331..0e329f4ad5d754fd61a9ca911488230677daad77 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -1187,6 +1187,13 @@ def run_server_del(host, server_to_delete, force=False,
     return host.run_command(args, raiseonerr=False)
 
 
+def run_certutil(host, args, reqdir, stdin=None, raiseonerr=True):
+    new_args = [paths.CERTUTIL, "-d", reqdir]
+    new_args = " ".join(new_args + args)
+    return host.run_command(new_args, raiseonerr=raiseonerr,
+                            stdin_text=stdin)
+
+
 def assert_error(result, stderr_text, returncode=None):
     "Assert that `result` command failed and its stderr contains `stderr_text`"
     assert stderr_text in result.stderr_text, result.stderr_text
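Review bot: in `run_certutil`, `" ".join(new_args + args)` collapses the argument list into one command line, so `host.run_command` runs it through a shell and every element is re-parsed: an `-s` subject containing a space or a `$`, or a nickname with shell metacharacters, would be split or expanded, and the `'>'` redirection the callers rely on only works because of this detour through the shell. Pass the list through unchanged (`return host.run_command(new_args + args, raiseonerr=raiseonerr, stdin_text=stdin)`) and let callers capture `result.stdout_text` and write the exported certificate themselves. A one-line docstring stating that `-d reqdir` is prepended and that `stdin` is forwarded as `stdin_text` would also help, as `assert_error` just below documents its arguments.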
-- 
1.8.3.1

From 9c1ee16aef99c060799adb7776df15516fcb5e47 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Tue, 25 Oct 2016 10:15:35 +0200
Subject: [PATCH] Automated test for certs in idoverrides feature

https://fedorahosted.org/freeipa/ticket/6005
---
 ipatests/test_integration/test_idviews.py | 155 ++++++++++++++++++++++++++++++
 1 file changed, 155 insertions(+)
 create mode 100644 ipatests/test_integration/test_idviews.py

diff --git a/ipatests/test_integration/test_idviews.py b/ipatests/test_integration/test_idviews.py
new file mode 100644
index 0000000000000000000000000000000000000000..fa87f09493c7e9677bc6c7e5081e0ee29c999cb4
--- /dev/null
+++ b/ipatests/test_integration/test_idviews.py
@@ -0,0 +1,155 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+import os
+import re
+import string
+from ipatests.test_integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration.env_config import get_global_config
+from ipaplatform.paths import paths
+config = get_global_config()
+
+
+class TestCertsInIDOverrides(IntegrationTest):
+    topology = "line"
+    num_ad_domains = 1
+    adview = 'Default Trust View'
+    cert_re = re.compile('Certificate: (?P<cert>.*?)\\s+.*')
+    ad = config.ad_domains[0].ads[0]
+    ad_domain = ad.domain.name
+    aduser = "testuser@%s" % ad_domain
+    adcert1 = 'MyCert1'
+    adcert2 = 'MyCert2'
+    adcert1_file = adcert1 + '.crt'
+    adcert2_file = adcert2 + '.crt'
+
+    @classmethod
+    def uninstall(cls, mh):
+        super(TestCertsInIDOverrides, cls).uninstall(mh)
+        cls.master.run_command(['rm', '-rf', cls.reqdir], raiseonerr=False)
+
+    @classmethod
+    def install(cls, mh):
+        super(TestCertsInIDOverrides, cls).install(mh)
+        master = cls.master
+        # A setup for test_dbus_user_lookup
+        master.run_command(['dnf', 'install', '-y', 'sssd-dbus'],
+                           raiseonerr=False)
+        # The tasks.modify_sssd_conf way did not work because
+        # sssd_domain.set_option knows nothing about 'services' parameter of
+        # the sssd config file. Therefore I am using sed approach
+        master.run_command(
+            "sed -i '/^services/ s/$/, ifp/' %s" % paths.SSSD_CONF)
+        master.run_command(
+            "sed -i 's/= 7/= 0xFFF0/' %s" % paths.SSSD_CONF, raiseonerr=False)
+        master.run_command(['systemctl', 'restart', 'sssd.service'])
+        # End of setup for test_dbus_user_lookup
+
+        # AD-related stuff
+        tasks.install_adtrust(master)
+        tasks.sync_time(master, cls.ad)
+        tasks.establish_trust_with_ad(cls.master, cls.ad_domain,
+                                      extra_args=['--range-type',
+                                                  'ipa-ad-trust'])
+
+        cls.reqdir = os.path.join(master.config.test_dir, "certs")
+        cls.reqfile1 = os.path.join(cls.reqdir, "test1.csr")
+        cls.reqfile2 = os.path.join(cls.reqdir, "test2.csr")
+        cls.pwname = os.path.join(cls.reqdir, "pwd")
+
+        # Create a NSS database folder
+        master.run_command(['mkdir', cls.reqdir], raiseonerr=False)
+        # Create an empty password file
+        master.run_command(["touch", cls.pwname], raiseonerr=False)
+
+        # Initialize NSS database
+        tasks.run_certutil(master, ["-N", "-f", cls.pwname], cls.reqdir)
+        # Now generate self-signed certs for a windows user
+        stdin_text = string.digits+string.letters[2:] + '\n'
+        tasks.run_certutil(master, ['-S', '-s',
+                                    "cn=%s,dc=ad,dc=test" % cls.adcert1, '-n',
+                                    cls.adcert1, '-x', '-t', 'CT,C,C', '-v',
+                                    '120', '-m', '1234'],
+                           cls.reqdir, stdin=stdin_text)
+        tasks.run_certutil(master, ['-S', '-s',
+                                    "cn=%s,dc=ad,dc=test" % cls.adcert2, '-n',
+                                    cls.adcert2, '-x', '-t', 'CT,C,C', '-v',
+                                    '120', '-m', '1234'],
+                           cls.reqdir, stdin=stdin_text)
+
+        # Export the previously generated cert
+        tasks.run_certutil(master, ['-L', '-n', cls.adcert1, '-a', '>',
+                                    cls.adcert1_file], cls.reqdir)
+        tasks.run_certutil(master, ['-L', '-n', cls.adcert2, '-a', '>',
+                                    cls.adcert2_file], cls.reqdir)
+        cls.cert1_base64 = cls.master.run_command(
+            "openssl x509 -outform der -in %s | base64 -w 0" % cls.adcert1_file
+            ).stdout_text
+        cls.cert2_base64 = cls.master.run_command(
+            "openssl x509 -outform der -in %s | base64 -w 0" % cls.adcert2_file
+            ).stdout_text
+        cls.cert1_pem = cls.master.run_command(
+            "openssl x509 -in %s -outform pem" % cls.adcert1_file
+            ).stdout_text
+        cls.cert2_pem = cls.master.run_command(
+            "openssl x509 -in %s -outform pem" % cls.adcert2_file
+            ).stdout_text
+
+    def test_certs_in_idoverrides_ad_users(self):
+        """
+        http://www.freeipa.org/page/V4/Certs_in_ID_overrides/Test_Plan
+        #Test_case:_Manipulate_certificate_in_ID_override_entry
+        """
+        master = self.master
+        master.run_command(['ipa', 'idoverrideuser-add',
+                            self.adview, self.aduser])
+        master.run_command(['ipa', 'idoverrideuser-add-cert',
+                            self.adview, self.aduser,
+                            "--certificate=%s" % self.cert1_base64])
+        master.run_command(['ipa', 'idoverrideuser-add-cert',
+                            self.adview, self.aduser,
+                            "--certificate=%s" % self.cert2_base64])
+        result = master.run_command(['ipa', 'idoverrideuser-show',
+                                     self.adview, self.aduser])
+        assert(self.cert1_base64 in result.stdout_text and
+               self.cert2_base64 in result.stdout_text), (
+            "idoverrideuser-show does not show all user certificates")
+        master.run_command(['ipa', 'idoverrideuser-remove-cert',
+                            self.adview, self.aduser,
+                            "--certificate=%s" % self.cert2_base64])
+
+    def test_dbus_user_lookup(self):
+        """
+        http://www.freeipa.org/page/V4/Certs_in_ID_overrides/Test_Plan
+        #Test_case:_User_lookup_by_certificate
+        """
+
+        master = self.master
+        userpath_re = re.compile('.*object path "(.*?)".*')
+
+        result0 = master.run_command([
+            'dbus-send', '--system', '--print-reply',
+            '--dest=org.freedesktop.sssd.infopipe',
+            '/org/freedesktop/sssd/infopipe/Users',
+            'org.freedesktop.sssd.infopipe.Users.FindByCertificate',
+            "string:%s" % self.cert1_pem])
+        assert("object path" in result0.stdout_text), (
+            "command output did not contain expected"
+            "string:\n\n%s" % result0.stdout_text)
+        userpath = userpath_re.findall(result0.stdout_text)[0]
+        result1 = master.run_command(
+            "dbus-send --system --print-reply"
+            " --dest=org.freedesktop.sssd.infopipe"
+            " %s org.freedesktop.DBus.Properties.Get"
+            " string:\"org.freedesktop.sssd.infopipe.Users.User\""
+            " string:\"name\"" % userpath, raiseonerr=False)
+        assert(self.aduser in result1.stdout_text)
+        result2 = master.run_command(
+            "dbus-send --system --print-reply"
+            " --dest=org.freedesktop.sssd.infopipe"
+            " %s org.freedesktop.DBus.Properties.GetAll"
+            " string:\"org.freedesktop.sssd.infopipe.Users.User\"" % userpath
+            )
+        assert('dict entry' in result2.stdout_text)
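Review bot: `test_certs_in_idoverrides_ad_users` removes cert2 but never checks the result; add an `idoverrideuser-show` after `idoverrideuser-remove-cert` asserting that `cert2_base64` is gone and `cert1_base64` is still present, otherwise a no-op remove passes. In `install`, `sed -i 's/= 7/= 0xFFF0/'` rewrites every `= 7` in sssd.conf rather than just `debug_level`, and with `raiseonerr=False` it silently does nothing when no such line exists; anchor it on the key (`s/^debug_level = 7/debug_level = 0xFFF0/`). `string.letters` exists only in Python 2 (`string.ascii_letters` works in both), `cert_re` is never used, `-m 1234` gives both certificates the same serial number, and the subject hard-codes `dc=ad,dc=test` while `ad_domain` is read from config. In `test_dbus_user_lookup` the `Properties.Get` call runs with `raiseonerr=False` and only `stdout_text` is asserted, so a dbus-send failure surfaces as a bare assertion with no stderr; drop `raiseonerr=False` or include `result1.stderr_text` in the assertion message. The test also relies on the previous test having left cert1 attached; a comment on that ordering dependency would save the next reader a trip.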
-- 
2.7.4
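Added example, not part of the posted patch or of FreeIPA itself: the three dbus-send invocations from test_dbus_user_lookup built as argument vectors that bypass the shell, a `shlex` view of what the string form actually hands to dbus-send, and parsers for the `--print-reply` output so the test can assert on the object path and property values instead of on substrings. The replies below are constructed by hand in the layout dbus-send prints; the object path, user name and attribute values are placeholders and `replay_run` stands in for `host.run_command`. One possible cause of the UnknownInterface error is suggested by `shell_parsed`: the quotes inside `string:"..."` are removed by a shell but are passed verbatim from a list, so dbus-send would then ask for an interface name that includes literal double quotes. That is an assumption; the thread does not show the failing array form.

```python
# Added example; not from the posted patch or from FreeIPA. Builds the
# dbus-send calls of test_dbus_user_lookup as argv lists and parses
# --print-reply output offline. Replies are constructed placeholders in
# the layout dbus-send prints, not data captured from the test run.
import re
import shlex

INFOPIPE = "org.freedesktop.sssd.infopipe"
USERS_PATH = "/org/freedesktop/sssd/infopipe/Users"
USER_IFACE = INFOPIPE + ".Users.User"


def dbus_send_argv(path, method, *typed_args):
    """argv for one dbus-send call: each typed argument is one element and
    carries no surrounding quotes, since no shell will strip them."""
    return ["dbus-send", "--system", "--print-reply",
            "--dest=" + INFOPIPE, path, method] + list(typed_args)


def find_by_certificate_argv(cert_pem):
    return dbus_send_argv(USERS_PATH, INFOPIPE + ".Users.FindByCertificate",
                          "string:" + cert_pem)


def get_property_argv(user_path, prop):
    return dbus_send_argv(user_path, "org.freedesktop.DBus.Properties.Get",
                          "string:" + USER_IFACE, "string:" + prop)


def get_all_argv(user_path):
    return dbus_send_argv(user_path, "org.freedesktop.DBus.Properties.GetAll",
                          "string:" + USER_IFACE)


def shell_parsed(cmdline):
    """argv a POSIX shell derives from a command string; the quotes around
    string:"..." are removed here and never reach dbus-send."""
    return shlex.split(cmdline)


OBJECT_PATH_RE = re.compile(r'object path "([^"]+)"')
DICT_ENTRY_RE = re.compile(
    r'dict entry\(\s*string "([^"]+)"\s*variant\s+(\w+)\s+("[^"]*"|\S+)\s*\)')
INT_TYPES = {"int16", "uint16", "int32", "uint32", "int64", "uint64"}


def parse_object_path(reply):
    """Object path from a FindByCertificate reply; a missing path is an
    explicit error instead of an IndexError on an empty findall()."""
    m = OBJECT_PATH_RE.search(reply)
    if m is None:
        raise ValueError("no object path in reply:\n" + reply)
    return m.group(1)


def parse_properties(reply):
    """Scalar properties of a GetAll reply as a dict: strings lose their
    quotes, integer types become int, nested array/dict variants are skipped."""
    props = {}
    for key, dbus_type, raw in DICT_ENTRY_RE.findall(reply):
        if raw.startswith('"'):
            props[key] = raw[1:-1]
        else:
            props[key] = int(raw) if dbus_type in INT_TYPES else raw
    return props


def lookup_user(cert_pem, run):
    """Chain FindByCertificate and GetAll; run(argv) returns the command's
    stdout (host.run_command(argv).stdout_text in the integration test)."""
    path = parse_object_path(run(find_by_certificate_argv(cert_pem)))
    return path, parse_properties(run(get_all_argv(path)))


# Constructed replies (placeholder data) in dbus-send --print-reply layout.
HEADER = "method return time=1477000000.0 sender=:1.42 -> destination=:1.43\n"
FIND_REPLY = HEADER + (
    '   object path "/org/freedesktop/sssd/infopipe/Users/ad_2etest/1234567"\n')
GET_ALL_REPLY = HEADER + (
    "   array [\n"
    "      dict entry(\n"
    '         string "name"\n'
    '         variant             string "testuser@ad.test"\n'
    "      )\n"
    "      dict entry(\n"
    '         string "uidNumber"\n'
    "         variant             uint32 1234567\n"
    "      )\n"
    "   ]\n")


def replay_run(argv):
    """Stand-in for host.run_command answering from the constructed replies."""
    return FIND_REPLY if argv[5].endswith("FindByCertificate") else GET_ALL_REPLY
```

In the integration test, `run` would be `lambda argv: master.run_command(argv).stdout_text`, and the assertion becomes `props["name"] == self.aduser` rather than a substring check on the whole reply.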
