[Freeipa-devel] [freeipa PR#225][synchronized] tests: Added basic tests for certs in idoverrides

[ofayans]

   URL: https://github.com/freeipa/freeipa/pull/225
Author: ofayans
 Title: #225: tests: Added basic tests for certs in idoverrides
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/225/head:pr225
git checkout pr225
From fab31aff4cc3950651ee1114d4b1d874aa4c7e0f Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Wed, 16 Nov 2016 12:57:49 +0100
Subject: [PATCH 1/2] Created idview tracker

Needed for basic certs in idoverrides tests

https://fedorahosted.org/freeipa/ticket/6412
---
 ipatests/test_xmlrpc/tracker/idview_plugin.py | 116 ++
 1 file changed, 116 insertions(+)
 create mode 100644 ipatests/test_xmlrpc/tracker/idview_plugin.py

diff --git a/ipatests/test_xmlrpc/tracker/idview_plugin.py b/ipatests/test_xmlrpc/tracker/idview_plugin.py
new file mode 100644
index 000..e7bb39b
--- /dev/null
+++ b/ipatests/test_xmlrpc/tracker/idview_plugin.py
@@ -0,0 +1,116 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+from ipalib import api
+from ipapython.dn import DN
+from ipatests.test_xmlrpc.tracker.base import Tracker
+from ipatests.util import assert_deepequal
+from ipatests.test_xmlrpc import objectclasses
+
+import six
+
+if six.PY3:
+unicode = str
+
+
+class IdviewTracker(Tracker):
+"""Class for idview tests"""
+
+retrieve_keys = {
+u'cn'
+}
+
+retrieve_all_keys = retrieve_keys | {
+u'description', u'objectclass', u'dn'
+}
+
+create_keys = retrieve_all_keys
+find_all_keys = retrieve_all_keys
+
+def del_cert_from_idoverrideuser(self, username, cert):
+result = api.Command.idoverrideuser_remove_cert(
+self.cn, username, usercertificate=cert
+)
+return dict(
+usercertificate=result['result'].get('usercertificate', []),
+value=result.get('value'),
+summary=result.get('summary')
+)
+
+def add_cert_to_idoverrideuser(self, username, cert):
+result = api.Command.idoverrideuser_add_cert(
+self.cn, username, usercertificate=cert
+)
+return dict(
+usercertificate=result['result'].get('usercertificate', []),
+value=result.get('value'),
+summary=result.get('summary')
+)
+
+def __init__(self, cn, **kwargs):
+super(IdviewTracker, self).__init__(default_version=None)
+self.cn = cn
+self.dn = DN(('cn', cn), api.env.container_views, api.env.basedn)
+self.kwargs = kwargs
+
+def make_create_command(self):
+return self.make_command(
+'idview_add', self.cn, **self.kwargs
+)
+
+def make_delete_command(self):
+return self.make_command(
+'idview_del', self.cn, **self.kwargs
+)
+
+def make_retrieve_command(self, all=False, raw=False):
+""" Make function that retrieves a idview using idview-show """
+return self.make_command('idview_show', self.cn, all=all)
+
+def make_find_command(self, *args, **kwargs):
+""" Make function that finds idview using idview-find """
+return self.make_command('idview_find', *args, **kwargs)
+
+def make_update_command(self, updates):
+""" Make function that updates idview using idview-mod """
+return self.make_command('idview_mod', self.cn, **updates)
+
+def track_create(self):
+self.attrs = dict(
+cn=(self.cn,),
+dn=unicode(self.dn),
+idoverrideusers=[],
+objectclass=objectclasses.idview
+)
+if 'description' in self.kwargs:
+self.attrs['description'] = self.kwargs['description']
+self.exists = True
+
+def make_add_idoverrideuser_command(self, username, options=None):
+options = options or {}
+""" Make function that adds a member to a group """
+return self.make_command('idoverrideuser_add', self.cn, username,
+ **options)
+
+def idoverrideuser_add(self, user):
+command = self.make_add_idoverrideuser_command(user.name)
+result = command()
+self.attrs['idoverrideusers'].append(result['value'])
+self.check_idoverrideuser_add(result, user)
+
+def check_create(self, result, extra_keys=()):
+""" Check 'user-add' command result """
+expected = self.filter_attrs(self.create_keys | set(extra_keys))
+assert_deepequal(dict(
+summary=u'Added ID View "%s"' % self.cn,
+result=self.filter_attrs(expected),
+value=self.cn
+), result)
+
+def check_idoverrideuser_add(self, result, user):
+""" Checks 'gr

[Freeipa-devel] [freeipa PR#225][synchronized] tests: Added basic tests for certs in idoverrides

[ofayans]

   URL: https://github.com/freeipa/freeipa/pull/225
Author: ofayans
 Title: #225: tests: Added basic tests for certs in idoverrides
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/225/head:pr225
git checkout pr225
From b08686c53950ee848418f2560454ef7f35cc850c Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Wed, 16 Nov 2016 12:57:49 +0100
Subject: [PATCH 1/2] Created idview tracker

Needed for basic certs in idoverrides tests

https://fedorahosted.org/freeipa/ticket/6412
---
 ipatests/test_xmlrpc/tracker/idview_plugin.py | 119 ++
 1 file changed, 119 insertions(+)
 create mode 100644 ipatests/test_xmlrpc/tracker/idview_plugin.py

diff --git a/ipatests/test_xmlrpc/tracker/idview_plugin.py b/ipatests/test_xmlrpc/tracker/idview_plugin.py
new file mode 100644
index 000..e0be0b4
--- /dev/null
+++ b/ipatests/test_xmlrpc/tracker/idview_plugin.py
@@ -0,0 +1,119 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+from ipalib import api
+from ipapython.dn import DN
+from ipatests.test_xmlrpc.tracker.base import Tracker
+from ipatests.util import assert_deepequal
+from ipatests.test_xmlrpc import objectclasses
+
+import six
+
+if six.PY3:
+unicode = str
+
+
+class IdviewTracker(Tracker):
+"""Class for idview tests"""
+
+retrieve_keys = {
+u'cn'
+}
+
+retrieve_all_keys = retrieve_keys | {
+u'description', u'objectclass', u'dn'
+}
+
+create_keys = retrieve_all_keys
+find_all_keys = retrieve_all_keys
+
+cert_add_cmd = api.Command.idoverrideuser_add_cert
+cert_del_cmd = api.Command.idoverrideuser_remove_cert
+
+def del_cert_from_idoverride(self, username, cert):
+result = self.cert_del_cmd(self.cn,
+   username,
+   usercertificate=cert)
+return dict(
+usercertificate=result['result'].get('usercertificate', []),
+value=result.get('value'),
+summary=result.get('summary')
+)
+
+def add_cert_to_idoverride(self, username, cert):
+result = self.cert_add_cmd(self.cn,
+   username,
+   usercertificate=cert)
+return dict(
+usercertificate=result['result'].get('usercertificate', []),
+value=result.get('value'),
+summary=result.get('summary')
+)
+
+def __init__(self, cn, **kwargs):
+super(IdviewTracker, self).__init__(default_version=None)
+self.cn = cn
+self.dn = DN(('cn', cn), api.env.container_views, api.env.basedn)
+self.kwargs = kwargs
+
+def make_create_command(self):
+return self.make_command(
+'idview_add', self.cn, **self.kwargs
+)
+
+def make_delete_command(self):
+return self.make_command(
+'idview_del', self.cn, **self.kwargs
+)
+
+def make_retrieve_command(self, all=False, raw=False):
+""" Make function that retrieves a idview using idview-show """
+return self.make_command('idview_show', self.cn, all=all)
+
+def make_find_command(self, *args, **kwargs):
+""" Make function that finds idview using idview-find """
+return self.make_command('idview_find', *args, **kwargs)
+
+def make_update_command(self, updates):
+""" Make function that updates idview using idview-mod """
+return self.make_command('idview_mod', self.cn, **updates)
+
+def track_create(self):
+self.attrs = dict(
+cn=(self.cn,),
+dn=unicode(self.dn),
+idoverrideusers=[],
+objectclass=objectclasses.idview
+)
+if 'description' in self.kwargs:
+self.attrs['description'] = self.kwargs['description']
+self.exists = True
+
+def make_add_idoverrideuser_command(self, username, options=None):
+options = options or {}
+""" Make function that adds a member to a group """
+return self.make_command('idoverrideuser_add', self.cn, username,
+ **options)
+
+def idoverrideuser_add(self, user):
+command = self.make_add_idoverrideuser_command(user.name)
+result = command()
+self.attrs['idoverrideusers'].append(result['value'])
+self.check_idoverrideuser_add(result, user)
+
+def check_create(self, result, extra_keys=()):
+""" Check 'user-add' command result """
+expected = self.filter_attrs(self.create_keys | set(extra_keys))
+assert_deepequal(dict(
+summary=u'Added ID View "%s"' % self.cn,
+r

[Freeipa-devel] [freeipa PR#225][synchronized] tests: Added basic tests for certs in idoverrides

[ofayans]

   URL: https://github.com/freeipa/freeipa/pull/225
Author: ofayans
 Title: #225: tests: Added basic tests for certs in idoverrides
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/225/head:pr225
git checkout pr225
From e776974018333974becba97af56df20ab250a4b7 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Wed, 16 Nov 2016 12:57:49 +0100
Subject: [PATCH 1/2] Created idview tracker

Needed for basic certs in idoverrides tests

https://fedorahosted.org/freeipa/ticket/6412
---
 ipatests/test_xmlrpc/objectclasses.py |   6 ++
 ipatests/test_xmlrpc/tracker/idview_plugin.py | 119 ++
 2 files changed, 125 insertions(+)
 create mode 100644 ipatests/test_xmlrpc/tracker/idview_plugin.py

diff --git a/ipatests/test_xmlrpc/objectclasses.py b/ipatests/test_xmlrpc/objectclasses.py
index 1ea020b..cad4c48 100644
--- a/ipatests/test_xmlrpc/objectclasses.py
+++ b/ipatests/test_xmlrpc/objectclasses.py
@@ -227,3 +227,9 @@
 u'top',
 u'ipaca',
 ]
+
+idview = [
+u'ipaIDView',
+u'top',
+u'nsContainer'
+]
diff --git a/ipatests/test_xmlrpc/tracker/idview_plugin.py b/ipatests/test_xmlrpc/tracker/idview_plugin.py
new file mode 100644
index 000..e0be0b4
--- /dev/null
+++ b/ipatests/test_xmlrpc/tracker/idview_plugin.py
@@ -0,0 +1,119 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+from ipalib import api
+from ipapython.dn import DN
+from ipatests.test_xmlrpc.tracker.base import Tracker
+from ipatests.util import assert_deepequal
+from ipatests.test_xmlrpc import objectclasses
+
+import six
+
+if six.PY3:
+unicode = str
+
+
+class IdviewTracker(Tracker):
+"""Class for idview tests"""
+
+retrieve_keys = {
+u'cn'
+}
+
+retrieve_all_keys = retrieve_keys | {
+u'description', u'objectclass', u'dn'
+}
+
+create_keys = retrieve_all_keys
+find_all_keys = retrieve_all_keys
+
+cert_add_cmd = api.Command.idoverrideuser_add_cert
+cert_del_cmd = api.Command.idoverrideuser_remove_cert
+
+def del_cert_from_idoverride(self, username, cert):
+result = self.cert_del_cmd(self.cn,
+   username,
+   usercertificate=cert)
+return dict(
+usercertificate=result['result'].get('usercertificate', []),
+value=result.get('value'),
+summary=result.get('summary')
+)
+
+def add_cert_to_idoverride(self, username, cert):
+result = self.cert_add_cmd(self.cn,
+   username,
+   usercertificate=cert)
+return dict(
+usercertificate=result['result'].get('usercertificate', []),
+value=result.get('value'),
+summary=result.get('summary')
+)
+
+def __init__(self, cn, **kwargs):
+super(IdviewTracker, self).__init__(default_version=None)
+self.cn = cn
+self.dn = DN(('cn', cn), api.env.container_views, api.env.basedn)
+self.kwargs = kwargs
+
+def make_create_command(self):
+return self.make_command(
+'idview_add', self.cn, **self.kwargs
+)
+
+def make_delete_command(self):
+return self.make_command(
+'idview_del', self.cn, **self.kwargs
+)
+
+def make_retrieve_command(self, all=False, raw=False):
+""" Make function that retrieves a idview using idview-show """
+return self.make_command('idview_show', self.cn, all=all)
+
+def make_find_command(self, *args, **kwargs):
+""" Make function that finds idview using idview-find """
+return self.make_command('idview_find', *args, **kwargs)
+
+def make_update_command(self, updates):
+""" Make function that updates idview using idview-mod """
+return self.make_command('idview_mod', self.cn, **updates)
+
+def track_create(self):
+self.attrs = dict(
+cn=(self.cn,),
+dn=unicode(self.dn),
+idoverrideusers=[],
+objectclass=objectclasses.idview
+)
+if 'description' in self.kwargs:
+self.attrs['description'] = self.kwargs['description']
+self.exists = True
+
+def make_add_idoverrideuser_command(self, username, options=None):
+options = options or {}
+""" Make function that adds a member to a group """
+return self.make_command('idoverrideuser_add', self.cn, username,
+ **options)
+
+def idoverrideuser_add(self, user):
+command = self.make_add_idoverrideuser_command(user.name)
+result = command()
+self.attrs['idoverrideusers'].append(result['valu

[Freeipa-devel] [freeipa PR#270][synchronized] Test: uniqueness of certificate renewal master

[ofayans]

   URL: https://github.com/freeipa/freeipa/pull/270
Author: ofayans
 Title: #270: Test: uniqueness of certificate renewal master
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/270/head:pr270
git checkout pr270
From f13b8039d2146518deb85f634af3f13a09cac50b Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Thu, 24 Nov 2016 11:14:15 +0100
Subject: [PATCH] Test: uniqueness of certificate renewal master

https://fedorahosted.org/freeipa/ticket/6504
---
 .../test_integration/test_replica_promotion.py | 42 ++
 1 file changed, 42 insertions(+)

diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 0e93356..e75f4fc 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -441,3 +441,45 @@ def test_upcase_client_domain(self):
  raiseonerr=False)
 assert(result1.returncode == 0), (
 'Failed to promote the client installed with the upcase domain name')
+
+
+class TestRenewalMaster(IntegrationTest):
+
+topology = 'star'
+num_replicas = 1
+
+@classmethod
+def uninstall(cls, mh):
+super(TestRenewalMaster, cls).uninstall(mh)
+
+def test_replica_not_marked_as_renewal_master(self):
+"""
+https://fedorahosted.org/freeipa/ticket/5902
+"""
+master = self.master
+replica = self.replicas[0]
+result = master.run_command(["ipa", "config-show"]).stdout_text
+assert("IPA CA renewal master: %s" % master.hostname in result), (
+"Master hostname not found among CA renewal masters"
+)
+assert("IPA CA renewal master: %s" % replica.hostname not in result), (
+"Replica hostname found among CA renewal masters"
+)
+
+def test_manual_renewal_master_transfer(self):
+replica = self.replicas[0]
+replica.run_command(['ipa', 'config-mod',
+ '--ca-renewal-master-server', replica.hostname])
+result = self.master.run_command(["ipa", "config-show"]).stdout_text
+assert("IPA CA renewal master: %s" % replica.hostname in result), (
+"Replica hostname not found among CA renewal masters"
+)
+
+def test_automatic_renewal_master_transfer_ondelete(self):
+# Test that after master uninstallation, replica overtakes the cert
+# renewal master role
+tasks.uninstall_master(self.replicas[0])
+result = self.master.run_command(['ipa', 'config-show']).stdout_text
+assert("IPA CA renewal master: %s" % self.master.hostname in result), (
+"Master hostname not found among CA renewal masters"
+)
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#225][comment] tests: Added basic tests for certs in idoverrides

[ofayans]

  URL: https://github.com/freeipa/freeipa/pull/225
Title: #225: tests: Added basic tests for certs in idoverrides

ofayans commented:
"""
@apophys done, thank you for review!
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/225#issuecomment-263331778
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#225][synchronized] tests: Added basic tests for certs in idoverrides

[ofayans]

   URL: https://github.com/freeipa/freeipa/pull/225
Author: ofayans
 Title: #225: tests: Added basic tests for certs in idoverrides
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/225/head:pr225
git checkout pr225
From cdcd0728096f7d5ca9400db885a1285f1e966906 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Wed, 16 Nov 2016 12:57:49 +0100
Subject: [PATCH 1/2] Created idview tracker

Needed for basic certs in idoverrides tests

https://fedorahosted.org/freeipa/ticket/6412
---
 ipatests/test_xmlrpc/objectclasses.py |  6 ++
 ipatests/test_xmlrpc/tracker/idview_plugin.py | 96 +++
 2 files changed, 102 insertions(+)
 create mode 100644 ipatests/test_xmlrpc/tracker/idview_plugin.py

diff --git a/ipatests/test_xmlrpc/objectclasses.py b/ipatests/test_xmlrpc/objectclasses.py
index 1ea020b..cad4c48 100644
--- a/ipatests/test_xmlrpc/objectclasses.py
+++ b/ipatests/test_xmlrpc/objectclasses.py
@@ -227,3 +227,9 @@
 u'top',
 u'ipaca',
 ]
+
+idview = [
+u'ipaIDView',
+u'top',
+u'nsContainer'
+]
diff --git a/ipatests/test_xmlrpc/tracker/idview_plugin.py b/ipatests/test_xmlrpc/tracker/idview_plugin.py
new file mode 100644
index 000..ceb7d71
--- /dev/null
+++ b/ipatests/test_xmlrpc/tracker/idview_plugin.py
@@ -0,0 +1,96 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+from ipalib import api
+from ipapython.dn import DN
+from ipatests.test_xmlrpc.tracker.base import Tracker
+from ipatests.util import assert_deepequal
+from ipatests.test_xmlrpc import objectclasses
+
+import six
+
+if six.PY3:
+unicode = str
+
+
+class IdviewTracker(Tracker):
+"""Class for idview tests"""
+
+retrieve_keys = {
+u'cn'
+}
+
+retrieve_all_keys = retrieve_keys | {
+u'description', u'objectclass', u'dn'
+}
+
+create_keys = retrieve_all_keys
+find_all_keys = retrieve_all_keys
+
+def __init__(self, cn, **kwargs):
+super(IdviewTracker, self).__init__(default_version=None)
+self.cn = cn
+self.dn = DN(('cn', cn), api.env.container_views, api.env.basedn)
+self.kwargs = kwargs
+
+def make_create_command(self):
+return self.make_command(
+'idview_add', self.cn, **self.kwargs
+)
+
+def make_delete_command(self):
+return self.make_command(
+'idview_del', self.cn, **self.kwargs
+)
+
+def make_retrieve_command(self, all=False, raw=False):
+""" Make function that retrieves a idview using idview-show """
+return self.make_command('idview_show', self.cn, all=all)
+
+def make_find_command(self, *args, **kwargs):
+""" Make function that finds idview using idview-find """
+return self.make_command('idview_find', *args, **kwargs)
+
+def make_update_command(self, updates):
+""" Make function that updates idview using idview-mod """
+return self.make_command('idview_mod', self.cn, **updates)
+
+def track_create(self):
+self.attrs = dict(
+cn=(self.cn,),
+dn=unicode(self.dn),
+idoverrideusers=[],
+objectclass=objectclasses.idview
+)
+if 'description' in self.kwargs:
+self.attrs['description'] = self.kwargs['description']
+self.exists = True
+
+def make_add_idoverrideuser_command(self, username, options=None):
+options = options or {}
+""" Make function that adds a member to a group """
+return self.make_command('idoverrideuser_add', self.cn, username,
+ **options)
+
+def idoverrideuser_add(self, user):
+command = self.make_add_idoverrideuser_command(user.name)
+result = command()
+self.attrs['idoverrideusers'].append(result['value'])
+self.check_idoverrideuser_add(result, user)
+
+def check_create(self, result, extra_keys=()):
+""" Check 'user-add' command result """
+expected = self.filter_attrs(self.create_keys | set(extra_keys))
+assert_deepequal(dict(
+summary=u'Added ID View "%s"' % self.cn,
+result=self.filter_attrs(expected),
+value=self.cn
+), result)
+
+def check_idoverrideuser_add(self, result, user):
+""" Checks 'group_add_member' command result """
+assert_deepequal(
+u'Added User ID override "%s"' % user.name,
+result['summary']
+)

From c880236e4dbefcfad07dcd0d4d42c186187d52ad Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 21 Oct 2016 10:53:19 +0200
Subject: [PATCH 

[Freeipa-devel] [freeipa PR#270][synchronized] Test: uniqueness of certificate renewal master

[ofayans]

   URL: https://github.com/freeipa/freeipa/pull/270
Author: ofayans
 Title: #270: Test: uniqueness of certificate renewal master
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/270/head:pr270
git checkout pr270
From 47eadf36e2ffcce5fff9a8e94527586214b50652 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Thu, 24 Nov 2016 11:14:15 +0100
Subject: [PATCH] Test: uniqueness of certificate renewal master

https://fedorahosted.org/freeipa/ticket/6504
---
 .../test_integration/test_replica_promotion.py | 31 ++
 1 file changed, 31 insertions(+)

diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 0e93356..885f327 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -441,3 +441,34 @@ def test_upcase_client_domain(self):
  raiseonerr=False)
 assert(result1.returncode == 0), (
 'Failed to promote the client installed with the upcase domain name')
+
+
+class TestRenewalMaster(IntegrationTest):
+
+topology = 'star'
+num_replicas = 1
+
+@classmethod
+def uninstall(cls, mh):
+super(TestRenewalMaster, cls).uninstall(mh)
+
+def test_replica_not_marked_as_renewal_master(self):
+"""
+https://fedorahosted.org/freeipa/ticket/5902
+"""
+master = self.master
+replica = self.replicas[0]
+result = master.run_command(["ipa", "config-show"]).stdout_text
+assert("IPA CA renewal master: %s" % master.hostname in result), (
+"Master hostname not found among CA renewal masters"
+)
+assert("IPA CA renewal master: %s" % replica.hostname not in result), (
+"Replica hostname found among CA renewal masters"
+)
+# Test that after master uninstallation, replica overtakes the cert
+# renewal master role
+tasks.uninstall_master(master)
+result1 = replica.run_command(['ipa', 'config-show']).stdout_text
+assert("IPA CA renewal master: %s" % replica.hostname in result1), (
+"Replica hostname not found among CA renewal masters"
+)
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#200][comment] Test: basic kerberos over http functionality

[ofayans]

  URL: https://github.com/freeipa/freeipa/pull/200
Title: #200: Test: basic kerberos over http functionality

ofayans commented:
"""
Commits were swapped. The traffic blocking is now performed on a client for 
both ipv4 and ipv6
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/200#issuecomment-263059947
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#200][synchronized] Test: basic kerberos over http functionality

[ofayans]

   URL: https://github.com/freeipa/freeipa/pull/200
Author: ofayans
 Title: #200: Test: basic kerberos over http functionality
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/200/head:pr200
git checkout pr200
From 4175d282f80ff04849526211e2deae211b8a605b Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Tue, 1 Nov 2016 09:54:12 +0100
Subject: [PATCH 1/2] Test: made kinit_admin a returning function

In some cases we need to check the result of kinit and print out the error
message. Therefore we need it to return the result.
---
 ipatests/test_integration/tasks.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index c6aab32..72a0f36 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -673,8 +673,8 @@ def disconnect_replica(master, replica, domain_level=None):
 
 
 def kinit_admin(host, raiseonerr=True):
-host.run_command(['kinit', 'admin'], raiseonerr=raiseonerr,
- stdin_text=host.config.admin_password)
+return host.run_command(['kinit', 'admin'], raiseonerr=raiseonerr,
+stdin_text=host.config.admin_password)
 
 
 def uninstall_master(host, ignore_topology_disconnect=True,

From 4615f59003f4bdee3204013937b71ee9a3853ec1 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Tue, 1 Nov 2016 09:25:16 +0100
Subject: [PATCH 2/2] Test: basic kerberos over http functionality

https://fedorahosted.org/freeipa/ticket/6446
---
 ipatests/test_integration/test_http_kdc_proxy.py | 58 
 1 file changed, 58 insertions(+)
 create mode 100644 ipatests/test_integration/test_http_kdc_proxy.py

diff --git a/ipatests/test_integration/test_http_kdc_proxy.py b/ipatests/test_integration/test_http_kdc_proxy.py
new file mode 100644
index 000..a5eb5db
--- /dev/null
+++ b/ipatests/test_integration/test_http_kdc_proxy.py
@@ -0,0 +1,58 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+import six
+from ipatests.test_integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+from ipaplatform.paths import paths
+
+
+if six.PY3:
+unicode = str
+
+
+class TestHttpKdcProxy(IntegrationTest):
+topology = "line"
+num_clients = 1
+
+@classmethod
+def install(cls, mh):
+super(TestHttpKdcProxy, cls).install(mh)
+# Block access from client to master's port 88
+cls.clients[0].run_command([
+'iptables', '-A', 'OUTPUT', '-p', 'tcp',
+'--dport', '88', '-j', 'DROP'])
+cls.clients[0].run_command([
+'iptables', '-A', 'OUTPUT', '-p', 'udp',
+'--dport', '88', '-j', 'DROP'])
+cls.clients[0].run_command([
+'ip6tables', '-A', 'OUTPUT', '-p', 'tcp',
+'--dport', '88', '-j', 'DROP'])
+cls.clients[0].run_command([
+'ip6tables', '-A', 'OUTPUT', '-p', 'udp',
+'--dport', '88', '-j', 'DROP'])
+# configure client
+cls.clients[0].run_command(
+"sed -i 's/ kdc = .*$/ kdc = https:\/\/%s\/KdcProxy/' %s" % (
+cls.master.hostname, paths.KRB5_CONF)
+)
+cls.clients[0].run_command(
+"sed -i 's/master_kdc = .*$/master_kdc"
+" = https:\/\/%s\/KdcProxy/' %s" % (
+cls.master.hostname, paths.KRB5_CONF)
+)
+# Workaround for https://fedorahosted.org/freeipa/ticket/6443
+cls.clients[0].run_command(['systemctl', 'restart', 'sssd.service'])
+# End of workaround
+
+@classmethod
+def uninstall(cls, mh):
+super(TestHttpKdcProxy, cls).uninstall(mh)
+cls.clients[0].run_command(['iptables', '-F'])
+
+def test_http_kdc_proxy_works(self):
+result = tasks.kinit_admin(self.clients[0], raiseonerr=False)
+assert(result.returncode == 0), (
+"Unable to kinit using KdcProxy: %s" % result.stderr_text
+)
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#200][synchronized] Test: basic kerberos over http functionality

[ofayans]

   URL: https://github.com/freeipa/freeipa/pull/200
Author: ofayans
 Title: #200: Test: basic kerberos over http functionality
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/200/head:pr200
git checkout pr200
From 4175d282f80ff04849526211e2deae211b8a605b Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Tue, 1 Nov 2016 09:54:12 +0100
Subject: [PATCH 1/2] Test: made kinit_admin a returning function

In some cases we need to check the result of kinit and print out the error
message. Therefore we need it to return the result.
---
 ipatests/test_integration/tasks.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index c6aab32..72a0f36 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -673,8 +673,8 @@ def disconnect_replica(master, replica, domain_level=None):
 
 
 def kinit_admin(host, raiseonerr=True):
-host.run_command(['kinit', 'admin'], raiseonerr=raiseonerr,
- stdin_text=host.config.admin_password)
+return host.run_command(['kinit', 'admin'], raiseonerr=raiseonerr,
+stdin_text=host.config.admin_password)
 
 
 def uninstall_master(host, ignore_topology_disconnect=True,

From 2a4d18d3553a226291859dc4decd7d12367c1dc2 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Tue, 1 Nov 2016 09:25:16 +0100
Subject: [PATCH 2/2] Test: basic kerberos over http functionality

https://fedorahosted.org/freeipa/ticket/6446
---
 ipatests/test_integration/test_http_kdc_proxy.py | 52 
 1 file changed, 52 insertions(+)
 create mode 100644 ipatests/test_integration/test_http_kdc_proxy.py

diff --git a/ipatests/test_integration/test_http_kdc_proxy.py b/ipatests/test_integration/test_http_kdc_proxy.py
new file mode 100644
index 000..751b3c0
--- /dev/null
+++ b/ipatests/test_integration/test_http_kdc_proxy.py
@@ -0,0 +1,52 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+import six
+from ipatests.test_integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+from ipaplatform.paths import paths
+
+
+if six.PY3:
+unicode = str
+
+
+class TestHttpKdcProxy(IntegrationTest):
+topology = "line"
+num_clients = 1
+
+@classmethod
+def install(cls, mh):
+super(TestHttpKdcProxy, cls).install(mh)
+# Block access from client to master's port 88
+cls.clients[0].run_command([
+'iptables', '-A', 'OUTPUT', '-p', 'tcp',
+'--dport', '88', '-j', 'DROP'])
+cls.clients[0].run_command([
+'ip6tables', '-A', 'OUTPUT', '-p', 'tcp',
+'--dport', '88', '-j', 'DROP'])
+# configure client
+cls.clients[0].run_command(
+"sed -i 's/ kdc = .*$/ kdc = https:\/\/%s\/KdcProxy/' %s" % (
+cls.master.hostname, paths.KRB5_CONF)
+)
+cls.clients[0].run_command(
+"sed -i 's/master_kdc = .*$/master_kdc"
+" = https:\/\/%s\/KdcProxy/' %s" % (
+cls.master.hostname, paths.KRB5_CONF)
+)
+# Workaround for https://fedorahosted.org/freeipa/ticket/6443
+cls.clients[0].run_command(['systemctl', 'restart', 'sssd.service'])
+# End of workaround
+
+@classmethod
+def uninstall(cls, mh):
+super(TestHttpKdcProxy, cls).uninstall(mh)
+cls.clients[0].run_command(['iptables', '-F'])
+
+def test_http_kdc_proxy_works(self):
+result = tasks.kinit_admin(self.clients[0], raiseonerr=False)
+assert(result.returncode == 0), (
+"Unable to kinit using KdcProxy: %s" % result.stderr_text
+)
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#200][synchronized] Test: basic kerberos over http functionality

[ofayans]

   URL: https://github.com/freeipa/freeipa/pull/200
Author: ofayans
 Title: #200: Test: basic kerberos over http functionality
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/200/head:pr200
git checkout pr200
From 4175d282f80ff04849526211e2deae211b8a605b Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Tue, 1 Nov 2016 09:54:12 +0100
Subject: [PATCH 1/2] Test: made kinit_admin a returning function

In some cases we need to check the result of kinit and print out the error
message. Therefore we need it to return the result.
---
 ipatests/test_integration/tasks.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index c6aab32..72a0f36 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -673,8 +673,8 @@ def disconnect_replica(master, replica, domain_level=None):
 
 
 def kinit_admin(host, raiseonerr=True):
-host.run_command(['kinit', 'admin'], raiseonerr=raiseonerr,
- stdin_text=host.config.admin_password)
+return host.run_command(['kinit', 'admin'], raiseonerr=raiseonerr,
+stdin_text=host.config.admin_password)
 
 
 def uninstall_master(host, ignore_topology_disconnect=True,

From 0f802880ba4b3947dc35acd063f5ed2c6df016d2 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Tue, 1 Nov 2016 09:25:16 +0100
Subject: [PATCH 2/2] Test: basic kerberos over http functionality

https://fedorahosted.org/freeipa/ticket/6446
---
 ipatests/test_integration/test_http_kdc_proxy.py | 59 
 1 file changed, 59 insertions(+)
 create mode 100644 ipatests/test_integration/test_http_kdc_proxy.py

diff --git a/ipatests/test_integration/test_http_kdc_proxy.py b/ipatests/test_integration/test_http_kdc_proxy.py
new file mode 100644
index 000..3743dad
--- /dev/null
+++ b/ipatests/test_integration/test_http_kdc_proxy.py
@@ -0,0 +1,59 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+import six
+import ipaddress
+from ipatests.test_integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+from ipaplatform.paths import paths
+
+
+if six.PY3:
+unicode = str
+
+
+class TestHttpKdcProxy(IntegrationTest):
+topology = "line"
+num_clients = 1
+
+@classmethod
+def install(cls, mh):
+super(TestHttpKdcProxy, cls).install(mh)
+# client ip version check
+client_ip = ipaddress.ip_address(unicode(cls.clients[0].ip))
+if isinstance(client_ip, ipaddress.IPv4Address):
+util = 'iptables'
+else:
+util = 'ip6tables'
+# Block access from client to master's port 88
+cls.master.run_command([
+util, '-A', 'INPUT', '-s', cls.clients[0].ip,
+'-p', 'tcp', '--dport', '88', '-j', 'DROP'])
+cls.master.run_command([
+util, '-A', 'INPUT', '-s', cls.clients[0].ip,
+'-p', 'udp', '--dport', '88', '-j', 'DROP'])
+# configure client
+cls.clients[0].run_command(
+"sed -i 's/ kdc = .*$/ kdc = https:\/\/%s\/KdcProxy/' %s" % (
+cls.master.hostname, paths.KRB5_CONF)
+)
+cls.clients[0].run_command(
+"sed -i 's/master_kdc = .*$/master_kdc"
+" = https:\/\/%s\/KdcProxy/' %s" % (
+cls.master.hostname, paths.KRB5_CONF)
+)
+# Workaround for https://fedorahosted.org/freeipa/ticket/6443
+cls.clients[0].run_command(['systemctl', 'restart', 'sssd.service'])
+# End of workaround
+
+@classmethod
+def uninstall(cls, mh):
+super(TestHttpKdcProxy, cls).uninstall(mh)
+cls.master.run_command(['iptables', '-F'])
+
+def test_http_kdc_proxy_works(self):
+result = tasks.kinit_admin(self.clients[0], raiseonerr=False)
+assert(result.returncode == 0), (
+"Unable to kinit using KdcProxy: %s" % result.stderr_text
+)
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#270][opened] Test: uniqueness of certificate renewal master

[ofayans]

   URL: https://github.com/freeipa/freeipa/pull/270
Author: ofayans
 Title: #270: Test: uniqueness of certificate renewal master
Action: opened

PR body:
"""
https://fedorahosted.org/freeipa/ticket/6504
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/270/head:pr270
git checkout pr270
From f526caf5cba7ebc7907155f045981ed4daf8 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Thu, 24 Nov 2016 11:14:15 +0100
Subject: [PATCH] Test: uniqueness of certificate renewal master

https://fedorahosted.org/freeipa/ticket/6504
---
 ipatests/test_integration/test_renewal_master.py | 45 
 1 file changed, 45 insertions(+)
 create mode 100644 ipatests/test_integration/test_renewal_master.py

diff --git a/ipatests/test_integration/test_renewal_master.py b/ipatests/test_integration/test_renewal_master.py
new file mode 100644
index 000..2a4d699
--- /dev/null
+++ b/ipatests/test_integration/test_renewal_master.py
@@ -0,0 +1,45 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration import tasks
+
+
+class TestRenewalMaster(IntegrationTest):
+
+topology = 'star'
+num_replicas = 1
+
+@classmethod
+def uninstall(cls, mh):
+super(TestRenewalMaster, cls).uninstall(mh)
+
+def test_replica_not_marked_as_renewal_master(self):
+"""
+https://fedorahosted.org/freeipa/ticket/5902
+"""
+master = self.master
+suffix = ",".join(["dc=%s" % i for i in master.domain.name.split('.')])
+result = master.run_command([
+"ldapsearch", "-Y", "GSSAPI", "-b",
+"cn=masters,cn=ipa,cn=etc,%s" % suffix,
+"(ipaConfigString=caRenewalMaster)"
+])
+assert("numResponses: 2" in result.stdout_text), (
+"Unexpected number of responces in"
+" the command stdout: %s" % result.stdout_text)
+assert("numEntries: 1" in result.stdout_text), (
+"Unexpected number of renewal master entries in"
+" the command stdout: %s" % result.stdout_text)
+# Test that after master uninstallation, replica overtakes the cert
+# renewal master role
+tasks.uninstall_master(master)
+result1 = self.replicas[0].run_command([
+"ldapsearch", "-Y", "GSSAPI", "-b",
+"cn=masters,cn=ipa,cn=etc,%s" % suffix,
+"(ipaConfigString=caRenewalMaster)"
+])
+assert("numEntries: 1" in result1.stdout_text), (
+"Unexpected number of renewal master entries in"
+" the command stdout: %s" % result.stdout_text)
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#225][synchronized] tests: Added basic tests for certs in idoverrides

[ofayans]

   URL: https://github.com/freeipa/freeipa/pull/225
Author: ofayans
 Title: #225: tests: Added basic tests for certs in idoverrides
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/225/head:pr225
git checkout pr225
From 3a406f25c98cc16c9b068d26f5bc2798d1e0c7bb Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 21 Oct 2016 10:53:19 +0200
Subject: [PATCH 1/2] tests: Added basic tests for certs in idoverrides

https://fedorahosted.org/freeipa/ticket/6412
---
 ipatests/test_xmlrpc/test_add_remove_cert_cmd.py | 109 +++
 1 file changed, 109 insertions(+)

diff --git a/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py b/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
index edc97f0..bd365ef 100644
--- a/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
+++ b/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
@@ -11,6 +11,30 @@
 from ipatests.util import assert_deepequal, raises
 from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test
 from ipatests.test_xmlrpc.testcert import get_testcert
+from ipatests.test_xmlrpc.tracker.user_plugin import UserTracker
+from ipatests.test_xmlrpc.tracker.idview_plugin import IdviewTracker
+
+
+@pytest.fixture(scope='class')
+def idview(request):
+tracker = IdviewTracker(cn=u'MyView')
+return tracker.make_fixture(request)
+
+
+@pytest.fixture(scope='class')
+def testuser(request):
+tracker = UserTracker(name=u'testuser', givenname=u'John', sn=u'Donne')
+return tracker.make_fixture(request)
+
+
+@pytest.fixture(scope='class')
+def cert1(request):
+return get_testcert(DN(('CN', u'testuser')), u'testuser')
+
+
+@pytest.fixture(scope='class')
+def cert2(request):
+return get_testcert(DN(('CN', u'testuser')), u'testuser')
 
 
 @pytest.mark.tier1
@@ -352,3 +376,88 @@ def delete_entity(cls):
 api.Command.host_del(TestCertManipCmdHost.entity_pkey)
 except errors.NotFound:
 pass
+
+
+@pytest.mark.tier1
+class TestCertManipIdOverride(XMLRPC_test):
+entity_subject = u'testuser'
+entity_principal = u'testuser'
+
+cert_add_cmd = api.Command.idoverrideuser_add_cert
+cert_del_cmd = api.Command.idoverrideuser_remove_cert
+
+def del_cert_from_idoverride(self, username, view_name, cert):
+result = self.cert_del_cmd(view_name,
+   username,
+   usercertificate=cert)
+return dict(
+usercertificate=result['result'].get('usercertificate', []),
+value=result.get('value'),
+summary=result.get('summary')
+)
+
+def add_cert_to_idoverride(self, username, view_name, cert):
+result = self.cert_add_cmd(view_name,
+   username,
+   usercertificate=cert)
+return dict(
+usercertificate=result['result'].get('usercertificate', []),
+value=result.get('value'),
+summary=result.get('summary')
+)
+
+def test_00_add_idoverrideuser(self, testuser, idview):
+testuser.create()
+idview.create()
+idview.idoverrideuser_add(testuser)
+
+def test_01_add_cert_to_idoverride(self, testuser, idview, cert1):
+assert_deepequal(
+dict(usercertificate=(base64.b64decode(cert1),),
+ summary=u'Added certificates to'
+ ' idoverrideuser \"%s\"' % testuser.name,
+ value=testuser.name,
+ ),
+self.add_cert_to_idoverride(testuser.name,
+idview.cn,
+cert1)
+)
+
+def test_02_add_second_cert_to_idoverride(self, testuser,
+  idview, cert1, cert2):
+assert_deepequal(
+dict(
+usercertificate=(base64.b64decode(cert1),
+ base64.b64decode(cert2)),
+summary=u'Added certificates to'
+' idoverrideuser \"%s\"' % testuser.name,
+value=testuser.name,
+),
+self.add_cert_to_idoverride(testuser.name,
+idview.cn,
+cert2)
+)
+
+def test_03_add_the_same_cert_to_idoverride(self, testuser,
+idview, cert1, cert2):
+raises(errors.ExecutionError,
+   self.add_cert_to_idoverride,
+   testuser.name, idview.cn, cert1)
+
+def test_04_user_show_displays_cert(self, testuser, idview, cert1, cert2):
+result = api.Command.idoverrideuser_show(idview.cn, testuser.name)
+assert_deepequal((base64.b64decode(cert1),
+  base64.b64decode(cert2)),
+ result[

[Freeipa-devel] [freeipa PR#225][synchronized] tests: Added basic tests for certs in idoverrides

[ofayans]

   URL: https://github.com/freeipa/freeipa/pull/225
Author: ofayans
 Title: #225: tests: Added basic tests for certs in idoverrides
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/225/head:pr225
git checkout pr225
From 3a406f25c98cc16c9b068d26f5bc2798d1e0c7bb Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 21 Oct 2016 10:53:19 +0200
Subject: [PATCH 1/2] tests: Added basic tests for certs in idoverrides

https://fedorahosted.org/freeipa/ticket/6412
---
 ipatests/test_xmlrpc/test_add_remove_cert_cmd.py | 109 +++
 1 file changed, 109 insertions(+)

diff --git a/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py b/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
index edc97f0..bd365ef 100644
--- a/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
+++ b/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
@@ -11,6 +11,30 @@
 from ipatests.util import assert_deepequal, raises
 from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test
 from ipatests.test_xmlrpc.testcert import get_testcert
+from ipatests.test_xmlrpc.tracker.user_plugin import UserTracker
+from ipatests.test_xmlrpc.tracker.idview_plugin import IdviewTracker
+
+
+@pytest.fixture(scope='class')
+def idview(request):
+tracker = IdviewTracker(cn=u'MyView')
+return tracker.make_fixture(request)
+
+
+@pytest.fixture(scope='class')
+def testuser(request):
+tracker = UserTracker(name=u'testuser', givenname=u'John', sn=u'Donne')
+return tracker.make_fixture(request)
+
+
+@pytest.fixture(scope='class')
+def cert1(request):
+return get_testcert(DN(('CN', u'testuser')), u'testuser')
+
+
+@pytest.fixture(scope='class')
+def cert2(request):
+return get_testcert(DN(('CN', u'testuser')), u'testuser')
 
 
 @pytest.mark.tier1
@@ -352,3 +376,88 @@ def delete_entity(cls):
 api.Command.host_del(TestCertManipCmdHost.entity_pkey)
 except errors.NotFound:
 pass
+
+
+@pytest.mark.tier1
+class TestCertManipIdOverride(XMLRPC_test):
+entity_subject = u'testuser'
+entity_principal = u'testuser'
+
+cert_add_cmd = api.Command.idoverrideuser_add_cert
+cert_del_cmd = api.Command.idoverrideuser_remove_cert
+
+def del_cert_from_idoverride(self, username, view_name, cert):
+result = self.cert_del_cmd(view_name,
+   username,
+   usercertificate=cert)
+return dict(
+usercertificate=result['result'].get('usercertificate', []),
+value=result.get('value'),
+summary=result.get('summary')
+)
+
+def add_cert_to_idoverride(self, username, view_name, cert):
+result = self.cert_add_cmd(view_name,
+   username,
+   usercertificate=cert)
+return dict(
+usercertificate=result['result'].get('usercertificate', []),
+value=result.get('value'),
+summary=result.get('summary')
+)
+
+def test_00_add_idoverrideuser(self, testuser, idview):
+testuser.create()
+idview.create()
+idview.idoverrideuser_add(testuser)
+
+def test_01_add_cert_to_idoverride(self, testuser, idview, cert1):
+assert_deepequal(
+dict(usercertificate=(base64.b64decode(cert1),),
+ summary=u'Added certificates to'
+ ' idoverrideuser \"%s\"' % testuser.name,
+ value=testuser.name,
+ ),
+self.add_cert_to_idoverride(testuser.name,
+idview.cn,
+cert1)
+)
+
+def test_02_add_second_cert_to_idoverride(self, testuser,
+  idview, cert1, cert2):
+assert_deepequal(
+dict(
+usercertificate=(base64.b64decode(cert1),
+ base64.b64decode(cert2)),
+summary=u'Added certificates to'
+' idoverrideuser \"%s\"' % testuser.name,
+value=testuser.name,
+),
+self.add_cert_to_idoverride(testuser.name,
+idview.cn,
+cert2)
+)
+
+def test_03_add_the_same_cert_to_idoverride(self, testuser,
+idview, cert1, cert2):
+raises(errors.ExecutionError,
+   self.add_cert_to_idoverride,
+   testuser.name, idview.cn, cert1)
+
+def test_04_user_show_displays_cert(self, testuser, idview, cert1, cert2):
+result = api.Command.idoverrideuser_show(idview.cn, testuser.name)
+assert_deepequal((base64.b64decode(cert1),
+  base64.b64decode(cert2)),
+ result[

[Freeipa-devel] [freeipa PR#225][synchronized] tests: Added basic tests for certs in idoverrides

[ofayans]

   URL: https://github.com/freeipa/freeipa/pull/225
Author: ofayans
 Title: #225: tests: Added basic tests for certs in idoverrides
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/225/head:pr225
git checkout pr225
From 3a406f25c98cc16c9b068d26f5bc2798d1e0c7bb Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 21 Oct 2016 10:53:19 +0200
Subject: [PATCH 1/2] tests: Added basic tests for certs in idoverrides

https://fedorahosted.org/freeipa/ticket/6412
---
 ipatests/test_xmlrpc/test_add_remove_cert_cmd.py | 109 +++
 1 file changed, 109 insertions(+)

diff --git a/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py b/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
index edc97f0..bd365ef 100644
--- a/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
+++ b/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
@@ -11,6 +11,30 @@
 from ipatests.util import assert_deepequal, raises
 from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test
 from ipatests.test_xmlrpc.testcert import get_testcert
+from ipatests.test_xmlrpc.tracker.user_plugin import UserTracker
+from ipatests.test_xmlrpc.tracker.idview_plugin import IdviewTracker
+
+
+@pytest.fixture(scope='class')
+def idview(request):
+tracker = IdviewTracker(cn=u'MyView')
+return tracker.make_fixture(request)
+
+
+@pytest.fixture(scope='class')
+def testuser(request):
+tracker = UserTracker(name=u'testuser', givenname=u'John', sn=u'Donne')
+return tracker.make_fixture(request)
+
+
+@pytest.fixture(scope='class')
+def cert1(request):
+return get_testcert(DN(('CN', u'testuser')), u'testuser')
+
+
+@pytest.fixture(scope='class')
+def cert2(request):
+return get_testcert(DN(('CN', u'testuser')), u'testuser')
 
 
 @pytest.mark.tier1
@@ -352,3 +376,88 @@ def delete_entity(cls):
 api.Command.host_del(TestCertManipCmdHost.entity_pkey)
 except errors.NotFound:
 pass
+
+
+@pytest.mark.tier1
+class TestCertManipIdOverride(XMLRPC_test):
+entity_subject = u'testuser'
+entity_principal = u'testuser'
+
+cert_add_cmd = api.Command.idoverrideuser_add_cert
+cert_del_cmd = api.Command.idoverrideuser_remove_cert
+
+def del_cert_from_idoverride(self, username, view_name, cert):
+result = self.cert_del_cmd(view_name,
+   username,
+   usercertificate=cert)
+return dict(
+usercertificate=result['result'].get('usercertificate', []),
+value=result.get('value'),
+summary=result.get('summary')
+)
+
+def add_cert_to_idoverride(self, username, view_name, cert):
+result = self.cert_add_cmd(view_name,
+   username,
+   usercertificate=cert)
+return dict(
+usercertificate=result['result'].get('usercertificate', []),
+value=result.get('value'),
+summary=result.get('summary')
+)
+
+def test_00_add_idoverrideuser(self, testuser, idview):
+testuser.create()
+idview.create()
+idview.idoverrideuser_add(testuser)
+
+def test_01_add_cert_to_idoverride(self, testuser, idview, cert1):
+assert_deepequal(
+dict(usercertificate=(base64.b64decode(cert1),),
+ summary=u'Added certificates to'
+ ' idoverrideuser \"%s\"' % testuser.name,
+ value=testuser.name,
+ ),
+self.add_cert_to_idoverride(testuser.name,
+idview.cn,
+cert1)
+)
+
+def test_02_add_second_cert_to_idoverride(self, testuser,
+  idview, cert1, cert2):
+assert_deepequal(
+dict(
+usercertificate=(base64.b64decode(cert1),
+ base64.b64decode(cert2)),
+summary=u'Added certificates to'
+' idoverrideuser \"%s\"' % testuser.name,
+value=testuser.name,
+),
+self.add_cert_to_idoverride(testuser.name,
+idview.cn,
+cert2)
+)
+
+def test_03_add_the_same_cert_to_idoverride(self, testuser,
+idview, cert1, cert2):
+raises(errors.ExecutionError,
+   self.add_cert_to_idoverride,
+   testuser.name, idview.cn, cert1)
+
+def test_04_user_show_displays_cert(self, testuser, idview, cert1, cert2):
+result = api.Command.idoverrideuser_show(idview.cn, testuser.name)
+assert_deepequal((base64.b64decode(cert1),
+  base64.b64decode(cert2)),
+ result[

[Freeipa-devel] [freeipa PR#225][synchronized] tests: Added basic tests for certs in idoverrides

[ofayans]

   URL: https://github.com/freeipa/freeipa/pull/225
Author: ofayans
 Title: #225: tests: Added basic tests for certs in idoverrides
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/225/head:pr225
git checkout pr225
From 3a406f25c98cc16c9b068d26f5bc2798d1e0c7bb Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 21 Oct 2016 10:53:19 +0200
Subject: [PATCH 1/2] tests: Added basic tests for certs in idoverrides

https://fedorahosted.org/freeipa/ticket/6412
---
 ipatests/test_xmlrpc/test_add_remove_cert_cmd.py | 109 +++
 1 file changed, 109 insertions(+)

diff --git a/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py b/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
index edc97f0..bd365ef 100644
--- a/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
+++ b/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
@@ -11,6 +11,30 @@
 from ipatests.util import assert_deepequal, raises
 from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test
 from ipatests.test_xmlrpc.testcert import get_testcert
+from ipatests.test_xmlrpc.tracker.user_plugin import UserTracker
+from ipatests.test_xmlrpc.tracker.idview_plugin import IdviewTracker
+
+
+@pytest.fixture(scope='class')
+def idview(request):
+tracker = IdviewTracker(cn=u'MyView')
+return tracker.make_fixture(request)
+
+
+@pytest.fixture(scope='class')
+def testuser(request):
+tracker = UserTracker(name=u'testuser', givenname=u'John', sn=u'Donne')
+return tracker.make_fixture(request)
+
+
+@pytest.fixture(scope='class')
+def cert1(request):
+return get_testcert(DN(('CN', u'testuser')), u'testuser')
+
+
+@pytest.fixture(scope='class')
+def cert2(request):
+return get_testcert(DN(('CN', u'testuser')), u'testuser')
 
 
 @pytest.mark.tier1
@@ -352,3 +376,88 @@ def delete_entity(cls):
 api.Command.host_del(TestCertManipCmdHost.entity_pkey)
 except errors.NotFound:
 pass
+
+
+@pytest.mark.tier1
+class TestCertManipIdOverride(XMLRPC_test):
+entity_subject = u'testuser'
+entity_principal = u'testuser'
+
+cert_add_cmd = api.Command.idoverrideuser_add_cert
+cert_del_cmd = api.Command.idoverrideuser_remove_cert
+
+def del_cert_from_idoverride(self, username, view_name, cert):
+result = self.cert_del_cmd(view_name,
+   username,
+   usercertificate=cert)
+return dict(
+usercertificate=result['result'].get('usercertificate', []),
+value=result.get('value'),
+summary=result.get('summary')
+)
+
+def add_cert_to_idoverride(self, username, view_name, cert):
+result = self.cert_add_cmd(view_name,
+   username,
+   usercertificate=cert)
+return dict(
+usercertificate=result['result'].get('usercertificate', []),
+value=result.get('value'),
+summary=result.get('summary')
+)
+
+def test_00_add_idoverrideuser(self, testuser, idview):
+testuser.create()
+idview.create()
+idview.idoverrideuser_add(testuser)
+
+def test_01_add_cert_to_idoverride(self, testuser, idview, cert1):
+assert_deepequal(
+dict(usercertificate=(base64.b64decode(cert1),),
+ summary=u'Added certificates to'
+ ' idoverrideuser \"%s\"' % testuser.name,
+ value=testuser.name,
+ ),
+self.add_cert_to_idoverride(testuser.name,
+idview.cn,
+cert1)
+)
+
+def test_02_add_second_cert_to_idoverride(self, testuser,
+  idview, cert1, cert2):
+assert_deepequal(
+dict(
+usercertificate=(base64.b64decode(cert1),
+ base64.b64decode(cert2)),
+summary=u'Added certificates to'
+' idoverrideuser \"%s\"' % testuser.name,
+value=testuser.name,
+),
+self.add_cert_to_idoverride(testuser.name,
+idview.cn,
+cert2)
+)
+
+def test_03_add_the_same_cert_to_idoverride(self, testuser,
+idview, cert1, cert2):
+raises(errors.ExecutionError,
+   self.add_cert_to_idoverride,
+   testuser.name, idview.cn, cert1)
+
+def test_04_user_show_displays_cert(self, testuser, idview, cert1, cert2):
+result = api.Command.idoverrideuser_show(idview.cn, testuser.name)
+assert_deepequal((base64.b64decode(cert1),
+  base64.b64decode(cert2)),
+ result[

[Freeipa-devel] [freeipa PR#224][comment] Integration tests for certs in idoverrides

[ofayans]

  URL: https://github.com/freeipa/freeipa/pull/224
Title: #224: Integration tests for certs in idoverrides

ofayans commented:
"""
@mirielka done, thank you for review.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/224#issuecomment-260283573
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#224][synchronized] Integration tests for certs in idoverrides

[ofayans]

   URL: https://github.com/freeipa/freeipa/pull/224
Author: ofayans
 Title: #224: Integration tests for certs in idoverrides
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/224/head:pr224
git checkout pr224
From b26d7b67ff1ebcf81231376318249554ec339d55 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Tue, 6 Sep 2016 12:39:45 +0200
Subject: [PATCH 1/3] Added interface to certutil

Added generic method to run certutil with arbitrary set of paramenters
---
 ipatests/test_integration/tasks.py | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index df5e408..dcf9ab8 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -1207,6 +1207,13 @@ def run_server_del(host, server_to_delete, force=False,
 return host.run_command(args, raiseonerr=False)
 
 
+def run_certutil(host, args, reqdir, stdin=None, raiseonerr=True):
+new_args = [paths.CERTUTIL, "-d", reqdir]
+new_args = " ".join(new_args + args)
+return host.run_command(new_args, raiseonerr=raiseonerr,
+stdin_text=stdin)
+
+
 def assert_error(result, stderr_text, returncode=None):
 "Assert that `result` command failed and its stderr contains `stderr_text`"
 assert stderr_text in result.stderr_text, result.stderr_text

From a7e853457a012a9f587f1af0cc92f121cf9a1fbd Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Thu, 10 Nov 2016 10:32:41 +0100
Subject: [PATCH 2/3] Test: integration tests for certs in idoverrides feature

https://fedorahosted.org/freeipa/ticket/6005
---
 ipatests/test_integration/test_idviews.py | 156 ++
 1 file changed, 156 insertions(+)
 create mode 100644 ipatests/test_integration/test_idviews.py

diff --git a/ipatests/test_integration/test_idviews.py b/ipatests/test_integration/test_idviews.py
new file mode 100644
index 000..c35997c
--- /dev/null
+++ b/ipatests/test_integration/test_idviews.py
@@ -0,0 +1,156 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+import os
+import re
+import string
+from ipatests.test_integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration.env_config import get_global_config
+from ipaplatform.paths import paths
+config = get_global_config()
+
+
+class TestCertsInIDOverrides(IntegrationTest):
+topology = "line"
+num_ad_domains = 1
+adview = 'Default Trust View'
+cert_re = re.compile('Certificate: (?P.*?)\\s+.*')
+adcert1 = 'MyCert1'
+adcert2 = 'MyCert2'
+adcert1_file = adcert1 + '.crt'
+adcert2_file = adcert2 + '.crt'
+
+@classmethod
+def uninstall(cls, mh):
+super(TestCertsInIDOverrides, cls).uninstall(mh)
+cls.master.run_command(['rm', '-rf', cls.reqdir], raiseonerr=False)
+
+@classmethod
+def install(cls, mh):
+super(TestCertsInIDOverrides, cls).install(mh)
+cls.ad = config.ad_domains[0].ads[0]
+cls.ad_domain = cls.ad.domain.name
+cls.aduser = "testuser@%s" % cls.ad_domain
+
+master = cls.master
+# A setup for test_dbus_user_lookup
+master.run_command(['dnf', 'install', '-y', 'sssd-dbus'],
+   raiseonerr=False)
+# The tasks.modify_sssd_conf way did not work because
+# sssd_domain.set_option knows nothing about 'services' parameter of
+# the sssd config file. Therefore I am using sed approach
+master.run_command(
+"sed -i '/^services/ s/$/, ifp/' %s" % paths.SSSD_CONF)
+master.run_command(
+"sed -i 's/= 7/= 0xFFF0/' %s" % paths.SSSD_CONF, raiseonerr=False)
+master.run_command(['systemctl', 'restart', 'sssd.service'])
+# End of setup for test_dbus_user_lookup
+
+# AD-related stuff
+tasks.install_adtrust(master)
+tasks.sync_time(master, cls.ad)
+tasks.establish_trust_with_ad(cls.master, cls.ad_domain,
+  extra_args=['--range-type',
+  'ipa-ad-trust'])
+
+cls.reqdir = os.path.join(master.config.test_dir, "certs")
+cls.reqfile1 = os.path.join(cls.reqdir, "test1.csr")
+cls.reqfile2 = os.path.join(cls.reqdir, "test2.csr")
+cls.pwname = os.path.join(cls.reqdir, "pwd")
+
+# Create a NSS database folder
+master.run_command(['mkdir', cls.reqdir], raiseonerr=False)
+# Create an empty password file
+master.run_command(["touch", cls.pwname], raiseonerr=False)
+
+# Initialize NSS database
+tasks.run_certutil(master, ["-N", "-f", cls.pwname], cls.reqdir

[Freeipa-devel] [freeipa PR#224][synchronized] Integration tests for certs in idoverrides

[ofayans]

   URL: https://github.com/freeipa/freeipa/pull/224
Author: ofayans
 Title: #224: Integration tests for certs in idoverrides
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/224/head:pr224
git checkout pr224
From c0faf1d8263c11d110a63b912c82a74e2f04a4d8 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Tue, 6 Sep 2016 12:39:45 +0200
Subject: [PATCH 1/3] Added interface to certutil

---
 ipatests/test_integration/tasks.py | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index df5e408..dcf9ab8 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -1207,6 +1207,13 @@ def run_server_del(host, server_to_delete, force=False,
 return host.run_command(args, raiseonerr=False)
 
 
+def run_certutil(host, args, reqdir, stdin=None, raiseonerr=True):
+new_args = [paths.CERTUTIL, "-d", reqdir]
+new_args = " ".join(new_args + args)
+return host.run_command(new_args, raiseonerr=raiseonerr,
+stdin_text=stdin)
+
+
 def assert_error(result, stderr_text, returncode=None):
 "Assert that `result` command failed and its stderr contains `stderr_text`"
 assert stderr_text in result.stderr_text, result.stderr_text

From 8967612df5461669862f2609bdf69ecf7d1a0901 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Thu, 10 Nov 2016 10:32:41 +0100
Subject: [PATCH 2/3] Test: integration tests for certs in idoverrides feature

https://fedorahosted.org/freeipa/ticket/6005
---
 ipatests/test_integration/test_idviews.py | 156 ++
 1 file changed, 156 insertions(+)
 create mode 100644 ipatests/test_integration/test_idviews.py

diff --git a/ipatests/test_integration/test_idviews.py b/ipatests/test_integration/test_idviews.py
new file mode 100644
index 000..c35997c
--- /dev/null
+++ b/ipatests/test_integration/test_idviews.py
@@ -0,0 +1,156 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+import os
+import re
+import string
+from ipatests.test_integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration.env_config import get_global_config
+from ipaplatform.paths import paths
+config = get_global_config()
+
+
+class TestCertsInIDOverrides(IntegrationTest):
+topology = "line"
+num_ad_domains = 1
+adview = 'Default Trust View'
+cert_re = re.compile('Certificate: (?P.*?)\\s+.*')
+adcert1 = 'MyCert1'
+adcert2 = 'MyCert2'
+adcert1_file = adcert1 + '.crt'
+adcert2_file = adcert2 + '.crt'
+
+@classmethod
+def uninstall(cls, mh):
+super(TestCertsInIDOverrides, cls).uninstall(mh)
+cls.master.run_command(['rm', '-rf', cls.reqdir], raiseonerr=False)
+
+@classmethod
+def install(cls, mh):
+super(TestCertsInIDOverrides, cls).install(mh)
+cls.ad = config.ad_domains[0].ads[0]
+cls.ad_domain = cls.ad.domain.name
+cls.aduser = "testuser@%s" % cls.ad_domain
+
+master = cls.master
+# A setup for test_dbus_user_lookup
+master.run_command(['dnf', 'install', '-y', 'sssd-dbus'],
+   raiseonerr=False)
+# The tasks.modify_sssd_conf way did not work because
+# sssd_domain.set_option knows nothing about 'services' parameter of
+# the sssd config file. Therefore I am using sed approach
+master.run_command(
+"sed -i '/^services/ s/$/, ifp/' %s" % paths.SSSD_CONF)
+master.run_command(
+"sed -i 's/= 7/= 0xFFF0/' %s" % paths.SSSD_CONF, raiseonerr=False)
+master.run_command(['systemctl', 'restart', 'sssd.service'])
+# End of setup for test_dbus_user_lookup
+
+# AD-related stuff
+tasks.install_adtrust(master)
+tasks.sync_time(master, cls.ad)
+tasks.establish_trust_with_ad(cls.master, cls.ad_domain,
+  extra_args=['--range-type',
+  'ipa-ad-trust'])
+
+cls.reqdir = os.path.join(master.config.test_dir, "certs")
+cls.reqfile1 = os.path.join(cls.reqdir, "test1.csr")
+cls.reqfile2 = os.path.join(cls.reqdir, "test2.csr")
+cls.pwname = os.path.join(cls.reqdir, "pwd")
+
+# Create a NSS database folder
+master.run_command(['mkdir', cls.reqdir], raiseonerr=False)
+# Create an empty password file
+master.run_command(["touch", cls.pwname], raiseonerr=False)
+
+# Initialize NSS database
+tasks.run_certutil(master, ["-N", "-f", cls.pwname], cls.reqdir)
+# Now generate self-signed certs for a windows user
+   

[Freeipa-devel] [freeipa PR#224][synchronized] Integration tests for certs in idoverrides

[ofayans]

   URL: https://github.com/freeipa/freeipa/pull/224
Author: ofayans
 Title: #224: Integration tests for certs in idoverrides
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/224/head:pr224
git checkout pr224
From c0faf1d8263c11d110a63b912c82a74e2f04a4d8 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Tue, 6 Sep 2016 12:39:45 +0200
Subject: [PATCH 1/3] Added interface to certutil

---
 ipatests/test_integration/tasks.py | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index df5e408..dcf9ab8 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -1207,6 +1207,13 @@ def run_server_del(host, server_to_delete, force=False,
 return host.run_command(args, raiseonerr=False)
 
 
+def run_certutil(host, args, reqdir, stdin=None, raiseonerr=True):
+new_args = [paths.CERTUTIL, "-d", reqdir]
+new_args = " ".join(new_args + args)
+return host.run_command(new_args, raiseonerr=raiseonerr,
+stdin_text=stdin)
+
+
 def assert_error(result, stderr_text, returncode=None):
 "Assert that `result` command failed and its stderr contains `stderr_text`"
 assert stderr_text in result.stderr_text, result.stderr_text

From 8967612df5461669862f2609bdf69ecf7d1a0901 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Thu, 10 Nov 2016 10:32:41 +0100
Subject: [PATCH 2/3] Test: integration tests for certs in idoverrides feature

https://fedorahosted.org/freeipa/ticket/6005
---
 ipatests/test_integration/test_idviews.py | 156 ++
 1 file changed, 156 insertions(+)
 create mode 100644 ipatests/test_integration/test_idviews.py

diff --git a/ipatests/test_integration/test_idviews.py b/ipatests/test_integration/test_idviews.py
new file mode 100644
index 000..c35997c
--- /dev/null
+++ b/ipatests/test_integration/test_idviews.py
@@ -0,0 +1,156 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+import os
+import re
+import string
+from ipatests.test_integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration.env_config import get_global_config
+from ipaplatform.paths import paths
+config = get_global_config()
+
+
+class TestCertsInIDOverrides(IntegrationTest):
+topology = "line"
+num_ad_domains = 1
+adview = 'Default Trust View'
+cert_re = re.compile('Certificate: (?P.*?)\\s+.*')
+adcert1 = 'MyCert1'
+adcert2 = 'MyCert2'
+adcert1_file = adcert1 + '.crt'
+adcert2_file = adcert2 + '.crt'
+
+@classmethod
+def uninstall(cls, mh):
+super(TestCertsInIDOverrides, cls).uninstall(mh)
+cls.master.run_command(['rm', '-rf', cls.reqdir], raiseonerr=False)
+
+@classmethod
+def install(cls, mh):
+super(TestCertsInIDOverrides, cls).install(mh)
+cls.ad = config.ad_domains[0].ads[0]
+cls.ad_domain = cls.ad.domain.name
+cls.aduser = "testuser@%s" % cls.ad_domain
+
+master = cls.master
+# A setup for test_dbus_user_lookup
+master.run_command(['dnf', 'install', '-y', 'sssd-dbus'],
+   raiseonerr=False)
+# The tasks.modify_sssd_conf way did not work because
+# sssd_domain.set_option knows nothing about 'services' parameter of
+# the sssd config file. Therefore I am using sed approach
+master.run_command(
+"sed -i '/^services/ s/$/, ifp/' %s" % paths.SSSD_CONF)
+master.run_command(
+"sed -i 's/= 7/= 0xFFF0/' %s" % paths.SSSD_CONF, raiseonerr=False)
+master.run_command(['systemctl', 'restart', 'sssd.service'])
+# End of setup for test_dbus_user_lookup
+
+# AD-related stuff
+tasks.install_adtrust(master)
+tasks.sync_time(master, cls.ad)
+tasks.establish_trust_with_ad(cls.master, cls.ad_domain,
+  extra_args=['--range-type',
+  'ipa-ad-trust'])
+
+cls.reqdir = os.path.join(master.config.test_dir, "certs")
+cls.reqfile1 = os.path.join(cls.reqdir, "test1.csr")
+cls.reqfile2 = os.path.join(cls.reqdir, "test2.csr")
+cls.pwname = os.path.join(cls.reqdir, "pwd")
+
+# Create a NSS database folder
+master.run_command(['mkdir', cls.reqdir], raiseonerr=False)
+# Create an empty password file
+master.run_command(["touch", cls.pwname], raiseonerr=False)
+
+# Initialize NSS database
+tasks.run_certutil(master, ["-N", "-f", cls.pwname], cls.reqdir)
+# Now generate self-signed certs for a windows user
+   

[Freeipa-devel] [freeipa PR#225][opened] tests: Added basic tests for certs in idoverrides

[ofayans]

   URL: https://github.com/freeipa/freeipa/pull/225
Author: ofayans
 Title: #225: tests: Added basic tests for certs in idoverrides
Action: opened

PR body:
"""
https://fedorahosted.org/freeipa/ticket/6412
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/225/head:pr225
git checkout pr225
From 5ee3edd752f347e873e51c01ef853fb1c5e3ffd9 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 21 Oct 2016 10:53:19 +0200
Subject: [PATCH] tests: Added basic tests for certs in idoverrides

https://fedorahosted.org/freeipa/ticket/6412
---
 ipatests/test_xmlrpc/test_add_remove_cert_cmd.py | 91 
 1 file changed, 91 insertions(+)

diff --git a/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py b/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
index edc97f0..cc19032 100644
--- a/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
+++ b/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
@@ -352,3 +352,94 @@ def delete_entity(cls):
 api.Command.host_del(TestCertManipCmdHost.entity_pkey)
 except errors.NotFound:
 pass
+
+
+@pytest.mark.tier1
+class TestCertManipIdOverride(XMLRPC_test):
+idview = u'testview'
+testuser = u'testuser'
+entity_subject = testuser
+entity_principal = testuser
+
+cert_add_cmd = api.Command.idoverrideuser_add_cert
+cert_del_cmd = api.Command.idoverrideuser_remove_cert
+
+def del_cert_from_idoverride(self, username, view_name, cert):
+result = self.cert_del_cmd(view_name,
+   username,
+   "--certificate=%s" % cert)
+return dict(
+usercertificate=result['result'].get('usercertificate', []),
+value=result.get('value'),
+summary=result.get('summary')
+)
+
+def add_cert_to_idoverride(self, username, view_name, cert):
+result = self.cert_add_cmd(view_name,
+   username,
+   usercertificate=cert)
+return dict(
+usercertificate=result['result'].get('usercertificate', []),
+value=result.get('value'),
+summary=result.get('summary')
+)
+
+@classmethod
+def teardown_class(cls):
+api.Command.user_del(cls.testuser)
+api.Command.idview_del(cls.idview)
+super(TestCertManipIdOverride, cls).teardown_class()
+
+@classmethod
+def setup_class(cls):
+# Create an idview
+api.Command.idview_add(cls.idview)
+# Create a user
+api.Command.user_add(cls.testuser, givenname=u'Bob', sn=u'Dylan')
+# Add the user to the idview
+api.Command.idoverrideuser_add(cls.idview, cls.testuser)
+# Create certificates
+cls.certs = [
+get_testcert(DN(('CN', cls.entity_subject)), cls.entity_principal)
+for _i in range(2)
+]
+cls.cert1 = cls.certs[0]
+cls.cert2 = cls.certs[1]
+
+super(TestCertManipIdOverride, cls).setup_class()
+
+def test_00_add_cert_to_idoverride(self):
+assert_deepequal(
+dict(usercertificate=(base64.b64decode(self.cert1),),
+ summary="Added certificates to"
+ " idoverrideuser \"%s\"" % self.testuser,
+ value=self.testuser,
+ ),
+self.add_cert_to_idoverride(self.testuser,
+self.idview,
+self.cert1)
+)
+
+def test_01_add_second_cert_to_idoverride(self):
+assert_deepequal(
+dict(
+usercertificate=(base64.b64decode(self.cert1),
+ base64.b64decode(self.cert2)),
+summary="Added certificates to"
+" idoverrideuser \"%s\"" % self.testuser,
+value=self.testuser,
+),
+self.add_cert_to_idoverride(self.testuser, self.idview, self.cert2)
+)
+
+def test_02_add_the_same_cert_to_idoverride(self):
+raises(errors.ExecutionError,
+   self.add_cert_to_idoverride,
+   self.testuser, self.idview, self.cert1)
+
+def test_04_user_show_displays_cert(self):
+result = api.Command.idoverrideuser_show(self.idview, self.testuser)
+assert_deepequal((base64.b64decode(self.cert1),
+  base64.b64decode(self.cert2)),
+ result['result']['usercertificate']
+ )
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#224][opened] Integration tests for certs in idoverrides

[ofayans]

   URL: https://github.com/freeipa/freeipa/pull/224
Author: ofayans
 Title: #224: Integration tests for certs in idoverrides
Action: opened

PR body:
"""
Original mailing list thread:

https://www.redhat.com/archives/freeipa-devel/2016-September/msg00134.html
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/224/head:pr224
git checkout pr224
From c0faf1d8263c11d110a63b912c82a74e2f04a4d8 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Tue, 6 Sep 2016 12:39:45 +0200
Subject: [PATCH 1/2] Added interface to certutil

---
 ipatests/test_integration/tasks.py | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index df5e408..dcf9ab8 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -1207,6 +1207,13 @@ def run_server_del(host, server_to_delete, force=False,
 return host.run_command(args, raiseonerr=False)
 
 
+def run_certutil(host, args, reqdir, stdin=None, raiseonerr=True):
+new_args = [paths.CERTUTIL, "-d", reqdir]
+new_args = " ".join(new_args + args)
+return host.run_command(new_args, raiseonerr=raiseonerr,
+stdin_text=stdin)
+
+
 def assert_error(result, stderr_text, returncode=None):
 "Assert that `result` command failed and its stderr contains `stderr_text`"
 assert stderr_text in result.stderr_text, result.stderr_text

From 8967612df5461669862f2609bdf69ecf7d1a0901 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Thu, 10 Nov 2016 10:32:41 +0100
Subject: [PATCH 2/2] Test: integration tests for certs in idoverrides feature

https://fedorahosted.org/freeipa/ticket/6005
---
 ipatests/test_integration/test_idviews.py | 156 ++
 1 file changed, 156 insertions(+)
 create mode 100644 ipatests/test_integration/test_idviews.py

diff --git a/ipatests/test_integration/test_idviews.py b/ipatests/test_integration/test_idviews.py
new file mode 100644
index 000..c35997c
--- /dev/null
+++ b/ipatests/test_integration/test_idviews.py
@@ -0,0 +1,156 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+import os
+import re
+import string
+from ipatests.test_integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration.env_config import get_global_config
+from ipaplatform.paths import paths
+config = get_global_config()
+
+
+class TestCertsInIDOverrides(IntegrationTest):
+topology = "line"
+num_ad_domains = 1
+adview = 'Default Trust View'
+cert_re = re.compile('Certificate: (?P.*?)\\s+.*')
+adcert1 = 'MyCert1'
+adcert2 = 'MyCert2'
+adcert1_file = adcert1 + '.crt'
+adcert2_file = adcert2 + '.crt'
+
+@classmethod
+def uninstall(cls, mh):
+super(TestCertsInIDOverrides, cls).uninstall(mh)
+cls.master.run_command(['rm', '-rf', cls.reqdir], raiseonerr=False)
+
+@classmethod
+def install(cls, mh):
+super(TestCertsInIDOverrides, cls).install(mh)
+cls.ad = config.ad_domains[0].ads[0]
+cls.ad_domain = cls.ad.domain.name
+cls.aduser = "testuser@%s" % cls.ad_domain
+
+master = cls.master
+# A setup for test_dbus_user_lookup
+master.run_command(['dnf', 'install', '-y', 'sssd-dbus'],
+   raiseonerr=False)
+# The tasks.modify_sssd_conf way did not work because
+# sssd_domain.set_option knows nothing about 'services' parameter of
+# the sssd config file. Therefore I am using sed approach
+master.run_command(
+"sed -i '/^services/ s/$/, ifp/' %s" % paths.SSSD_CONF)
+master.run_command(
+"sed -i 's/= 7/= 0xFFF0/' %s" % paths.SSSD_CONF, raiseonerr=False)
+master.run_command(['systemctl', 'restart', 'sssd.service'])
+# End of setup for test_dbus_user_lookup
+
+# AD-related stuff
+tasks.install_adtrust(master)
+tasks.sync_time(master, cls.ad)
+tasks.establish_trust_with_ad(cls.master, cls.ad_domain,
+  extra_args=['--range-type',
+  'ipa-ad-trust'])
+
+cls.reqdir = os.path.join(master.config.test_dir, "certs")
+cls.reqfile1 = os.path.join(cls.reqdir, "test1.csr")
+cls.reqfile2 = os.path.join(cls.reqdir, "test2.csr")
+cls.pwname = os.path.join(cls.reqdir, "pwd")
+
+# Create a NSS database folder
+master.run_command(['mkdir', cls.reqdir], raiseonerr=False)
+# Create an empty password file
+master.run_command(["touch", cls.pwname], raiseonerr=False)
+
+# Initialize NSS database
+   

[Freeipa-devel] [freeipa PR#200][synchronized] Test: basic kerberos over http functionality

[ofayans]

   URL: https://github.com/freeipa/freeipa/pull/200
Author: ofayans
 Title: #200: Test: basic kerberos over http functionality
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/200/head:pr200
git checkout pr200
From bb1a112db5b224544581a7703d8484c6ae6b8945 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Tue, 1 Nov 2016 09:25:16 +0100
Subject: [PATCH 1/2] Test: basic kerberos over http functionality

https://fedorahosted.org/freeipa/ticket/6446
---
 ipatests/test_integration/test_http_kdc_proxy.py | 59 
 1 file changed, 59 insertions(+)
 create mode 100644 ipatests/test_integration/test_http_kdc_proxy.py

diff --git a/ipatests/test_integration/test_http_kdc_proxy.py b/ipatests/test_integration/test_http_kdc_proxy.py
new file mode 100644
index 000..3743dad
--- /dev/null
+++ b/ipatests/test_integration/test_http_kdc_proxy.py
@@ -0,0 +1,59 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+import six
+import ipaddress
+from ipatests.test_integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+from ipaplatform.paths import paths
+
+
+if six.PY3:
+unicode = str
+
+
+class TestHttpKdcProxy(IntegrationTest):
+topology = "line"
+num_clients = 1
+
+@classmethod
+def install(cls, mh):
+super(TestHttpKdcProxy, cls).install(mh)
+# client ip version check
+client_ip = ipaddress.ip_address(unicode(cls.clients[0].ip))
+if isinstance(client_ip, ipaddress.IPv4Address):
+util = 'iptables'
+else:
+util = 'ip6tables'
+# Block access from client to master's port 88
+cls.master.run_command([
+util, '-A', 'INPUT', '-s', cls.clients[0].ip,
+'-p', 'tcp', '--dport', '88', '-j', 'DROP'])
+cls.master.run_command([
+util, '-A', 'INPUT', '-s', cls.clients[0].ip,
+'-p', 'udp', '--dport', '88', '-j', 'DROP'])
+# configure client
+cls.clients[0].run_command(
+"sed -i 's/ kdc = .*$/ kdc = https:\/\/%s\/KdcProxy/' %s" % (
+cls.master.hostname, paths.KRB5_CONF)
+)
+cls.clients[0].run_command(
+"sed -i 's/master_kdc = .*$/master_kdc"
+" = https:\/\/%s\/KdcProxy/' %s" % (
+cls.master.hostname, paths.KRB5_CONF)
+)
+# Workaround for https://fedorahosted.org/freeipa/ticket/6443
+cls.clients[0].run_command(['systemctl', 'restart', 'sssd.service'])
+# End of workaround
+
+@classmethod
+def uninstall(cls, mh):
+super(TestHttpKdcProxy, cls).uninstall(mh)
+cls.master.run_command(['iptables', '-F'])
+
+def test_http_kdc_proxy_works(self):
+result = tasks.kinit_admin(self.clients[0], raiseonerr=False)
+assert(result.returncode == 0), (
+"Unable to kinit using KdcProxy: %s" % result.stderr_text
+)

From 8515d81a025fe259316cb11b75263fe1cafb76be Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Tue, 1 Nov 2016 09:54:12 +0100
Subject: [PATCH 2/2] Test: made kinit_admin a returning function

In some cases we need to check the result of kinit and print out the error
message. Therefore we need it to return the result.
---
 ipatests/test_integration/tasks.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index df5e408..0d5e084 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -662,8 +662,8 @@ def disconnect_replica(master, replica, domain_level=None):
 
 
 def kinit_admin(host, raiseonerr=True):
-host.run_command(['kinit', 'admin'], raiseonerr=raiseonerr,
- stdin_text=host.config.admin_password)
+return host.run_command(['kinit', 'admin'], raiseonerr=raiseonerr,
+stdin_text=host.config.admin_password)
 
 
 def uninstall_master(host, ignore_topology_disconnect=True,
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#200][synchronized] Test: basic kerberos over http functionality

[ofayans]

   URL: https://github.com/freeipa/freeipa/pull/200
Author: ofayans
 Title: #200: Test: basic kerberos over http functionality
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/200/head:pr200
git checkout pr200
From 52bb5ea80fa17d13c6baf453578e1374ddb74a9e Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Tue, 1 Nov 2016 09:25:16 +0100
Subject: [PATCH 1/2] Test: basic kerberos over http functionality

https://fedorahosted.org/freeipa/ticket/6446
---
 ipatests/test_integration/test_http_kdc_proxy.py | 58 
 1 file changed, 58 insertions(+)
 create mode 100644 ipatests/test_integration/test_http_kdc_proxy.py

diff --git a/ipatests/test_integration/test_http_kdc_proxy.py b/ipatests/test_integration/test_http_kdc_proxy.py
new file mode 100644
index 000..fd4eb39
--- /dev/null
+++ b/ipatests/test_integration/test_http_kdc_proxy.py
@@ -0,0 +1,58 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+import six
+import time
+import ipaddress
+from ipatests.test_integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+from ipaplatform.paths import paths
+
+
+if six.PY3:
+unicode = str
+
+
+class TestHttpKdcProxy(IntegrationTest):
+topology = "line"
+num_clients = 1
+
+@classmethod
+def install(cls, mh):
+super(TestHttpKdcProxy, cls).install(mh)
+# client ip version check
+client_ip = ipaddress.ip_address(unicode(cls.clients[0].ip))
+if isinstance(client_ip, ipaddress.IPv4Address):
+util = 'iptables'
+else:
+util = 'ip6tables'
+# Block access from client to master's port 88
+cls.master.run_command([
+util, '-A', 'INPUT', '-s', cls.clients[0].ip,
+'-p', 'tcp', '--dport', '88', '-j', 'DROP'])
+cls.master.run_command([
+util, '-A', 'INPUT', '-s', cls.clients[0].ip,
+'-p', 'udp', '--dport', '88', '-j', 'DROP'])
+# configure client
+cls.clients[0].run_command(
+"sed -i 's/ kdc = .*$/ kdc = https:\/\/%s\/KdcProxy/' %s" % (
+cls.master.hostname, paths.KRB5_CONF)
+)
+cls.clients[0].run_command(
+"sed -i 's/master_kdc = .*$/master_kdc"
+" = https:\/\/%s\/KdcProxy/' %s" % (
+cls.master.hostname, paths.KRB5_CONF)
+)
+# Workaround for https://fedorahosted.org/freeipa/ticket/6443
+time.sleep(1200)
+# End of workaround
+
+@classmethod
+def uninstall(cls, mh):
+super(TestHttpKdcProxy, cls).uninstall(mh)
+cls.master.run_command(['iptables', '-F'])
+
+def test_http_kdc_proxy_works(self):
+result = tasks.kinit_admin(self.clients[0], raiseonerr=False)
+assert(result.returncode == 0), ("Unable to kinit using KdcProxy")

From 55bb64047079f080d33eb4168a5d2cd5fe974351 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Tue, 1 Nov 2016 09:54:12 +0100
Subject: [PATCH 2/2] Test: made kinit_admin a returning function

In some cases we need to check the result of kinit and print out the error
message. Therefore we need it to return the result.
---
 ipatests/test_integration/tasks.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index df5e408..0d5e084 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -662,8 +662,8 @@ def disconnect_replica(master, replica, domain_level=None):
 
 
 def kinit_admin(host, raiseonerr=True):
-host.run_command(['kinit', 'admin'], raiseonerr=raiseonerr,
- stdin_text=host.config.admin_password)
+return host.run_command(['kinit', 'admin'], raiseonerr=raiseonerr,
+stdin_text=host.config.admin_password)
 
 
 def uninstall_master(host, ignore_topology_disconnect=True,
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#200][synchronized] Test: basic kerberos over http functionality

[ofayans]

   URL: https://github.com/freeipa/freeipa/pull/200
Author: ofayans
 Title: #200: Test: basic kerberos over http functionality
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/200/head:pr200
git checkout pr200
From 00f3dcd33510e9c05ada63bf9b543e326ec1a274 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Tue, 1 Nov 2016 09:25:16 +0100
Subject: [PATCH 1/2] Test: basic kerberos over http functionality

https://fedorahosted.org/freeipa/ticket/6446
---
 ipatests/test_integration/test_http_kdc_proxy.py | 53 
 1 file changed, 53 insertions(+)
 create mode 100644 ipatests/test_integration/test_http_kdc_proxy.py

diff --git a/ipatests/test_integration/test_http_kdc_proxy.py b/ipatests/test_integration/test_http_kdc_proxy.py
new file mode 100644
index 000..bc1b800
--- /dev/null
+++ b/ipatests/test_integration/test_http_kdc_proxy.py
@@ -0,0 +1,53 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+import time
+import ipaddress
+from ipatests.test_integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+from ipaplatform.paths import paths
+
+
+class TestHttpKdcProxy(IntegrationTest):
+topology = "line"
+num_clients = 1
+
+@classmethod
+def install(cls, mh):
+super(TestHttpKdcProxy, cls).install(mh)
+# client ip version check
+client_ip = ipaddress.ip_address(unicode(cls.clients[0].ip))
+if isinstance(client_ip, ipaddress.IPv4Address):
+util = 'iptables'
+else:
+util = 'ip6tables'
+# Block access from client to master's port 88
+cls.master.run_command([
+util, '-A', 'INPUT', '-s', cls.clients[0].ip,
+'-p', 'tcp', '--dport', '88', '-j', 'DROP'])
+cls.master.run_command([
+util, '-A', 'INPUT', '-s', cls.clients[0].ip,
+'-p', 'udp', '--dport', '88', '-j', 'DROP'])
+# configure client
+cls.clients[0].run_command(
+"sed -i 's/ kdc = .*$/ kdc = https:\/\/%s\/KdcProxy/' %s" % (
+cls.master.hostname, paths.KRB5_CONF)
+)
+cls.clients[0].run_command(
+"sed -i 's/master_kdc = .*$/master_kdc"
+" = https:\/\/%s\/KdcProxy/' %s" % (
+cls.master.hostname, paths.KRB5_CONF)
+)
+# Workaround for https://fedorahosted.org/freeipa/ticket/6443
+time.sleep(1200)
+# End of workaround
+
+@classmethod
+def uninstall(cls, mh):
+super(TestHttpKdcProxy, cls).uninstall(mh)
+cls.master.run_command(['iptables', '-F'])
+
+def test_http_kdc_proxy_works(self):
+result = tasks.kinit_admin(self.clients[0], raiseonerr=False)
+assert(result.returncode == 0), ("Unable to kinit using KdcProxy")

From 33ede80b5d83bddb0d27973b898e553be208db9c Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Tue, 1 Nov 2016 09:54:12 +0100
Subject: [PATCH 2/2] Test: made kinit_admin a returning function

In some cases we need to check the result of kinit and print out the error
message. Therefore we need it to return the result.
---
 ipatests/test_integration/tasks.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index df5e408..0d5e084 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -662,8 +662,8 @@ def disconnect_replica(master, replica, domain_level=None):
 
 
 def kinit_admin(host, raiseonerr=True):
-host.run_command(['kinit', 'admin'], raiseonerr=raiseonerr,
- stdin_text=host.config.admin_password)
+return host.run_command(['kinit', 'admin'], raiseonerr=raiseonerr,
+stdin_text=host.config.admin_password)
 
 
 def uninstall_master(host, ignore_topology_disconnect=True,
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#200][opened] Test: basic kerberos over http functionality

[ofayans]

   URL: https://github.com/freeipa/freeipa/pull/200
Author: ofayans
 Title: #200: Test: basic kerberos over http functionality
Action: opened

PR body:
"""
https://fedorahosted.org/freeipa/ticket/6446
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/200/head:pr200
git checkout pr200
From 00f3dcd33510e9c05ada63bf9b543e326ec1a274 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Tue, 1 Nov 2016 09:25:16 +0100
Subject: [PATCH] Test: basic kerberos over http functionality

https://fedorahosted.org/freeipa/ticket/6446
---
 ipatests/test_integration/test_http_kdc_proxy.py | 53 
 1 file changed, 53 insertions(+)
 create mode 100644 ipatests/test_integration/test_http_kdc_proxy.py

diff --git a/ipatests/test_integration/test_http_kdc_proxy.py b/ipatests/test_integration/test_http_kdc_proxy.py
new file mode 100644
index 000..bc1b800
--- /dev/null
+++ b/ipatests/test_integration/test_http_kdc_proxy.py
@@ -0,0 +1,53 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+import time
+import ipaddress
+from ipatests.test_integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+from ipaplatform.paths import paths
+
+
+class TestHttpKdcProxy(IntegrationTest):
+topology = "line"
+num_clients = 1
+
+@classmethod
+def install(cls, mh):
+super(TestHttpKdcProxy, cls).install(mh)
+# client ip version check
+client_ip = ipaddress.ip_address(unicode(cls.clients[0].ip))
+if isinstance(client_ip, ipaddress.IPv4Address):
+util = 'iptables'
+else:
+util = 'ip6tables'
+# Block access from client to master's port 88
+cls.master.run_command([
+util, '-A', 'INPUT', '-s', cls.clients[0].ip,
+'-p', 'tcp', '--dport', '88', '-j', 'DROP'])
+cls.master.run_command([
+util, '-A', 'INPUT', '-s', cls.clients[0].ip,
+'-p', 'udp', '--dport', '88', '-j', 'DROP'])
+# configure client
+cls.clients[0].run_command(
+"sed -i 's/ kdc = .*$/ kdc = https:\/\/%s\/KdcProxy/' %s" % (
+cls.master.hostname, paths.KRB5_CONF)
+)
+cls.clients[0].run_command(
+"sed -i 's/master_kdc = .*$/master_kdc"
+" = https:\/\/%s\/KdcProxy/' %s" % (
+cls.master.hostname, paths.KRB5_CONF)
+)
+# Workaround for https://fedorahosted.org/freeipa/ticket/6443
+time.sleep(1200)
+# End of workaround
+
+@classmethod
+def uninstall(cls, mh):
+super(TestHttpKdcProxy, cls).uninstall(mh)
+cls.master.run_command(['iptables', '-F'])
+
+def test_http_kdc_proxy_works(self):
+result = tasks.kinit_admin(self.clients[0], raiseonerr=False)
+assert(result.returncode == 0), ("Unable to kinit using KdcProxy")
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#160][comment] Reverted the essertion for replica uninstall returncode

[ofayans]

  URL: https://github.com/freeipa/freeipa/pull/160
Title: #160: Reverted the essertion for replica uninstall returncode

ofayans commented:
"""
Fair point. Fixed. Should we also update the initial (3230) issue?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/160#issuecomment-253453106
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#160][synchronized] Reverted the essertion for replica uninstall returncode

[ofayans]

   URL: https://github.com/freeipa/freeipa/pull/160
Author: ofayans
 Title: #160: Reverted the essertion for replica uninstall returncode
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/160/head:pr160
git checkout pr160
From b4259eae202d352ebe548c6c316c0ea534ab959e Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Thu, 13 Oct 2016 08:46:35 +0200
Subject: [PATCH] Reverted the essertion for replica uninstall returncode

As the issue with ipa installer always returning 0 returncode was addressed,
the test needs to be made aware of this change.

https://fedorahosted.org/freeipa/ticket/5725
---
 ipatests/test_integration/test_replica_promotion.py | 6 +-
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 58f0fa5..0e93356 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -357,12 +357,8 @@ def test_replica_uninstallation_prohibited(self):
 result = self.replicas[0].run_command(['ipa-server-install',
'--uninstall', '-U'],
   raiseonerr=False)
-# Due to ticket 3230 server installation/uninstallation always returns
-# 0 unless an uncaught exception occurs. Once this issue is properly
-# addressed, please care to change expected return code in the
-# following assert from 0 to something else.
 assert_error(result, "Removal of '%s' leads to disconnected"
- " topology" % self.replicas[0].hostname, 0)
+ " topology" % self.replicas[0].hostname, 1)
 self.replicas[0].run_command(['ipa-server-install', '--uninstall',
   '-U', '--ignore-topology-disconnect'])
 
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#160][opened] Reverted the essertion for replica uninstall returncode

[ofayans]

   URL: https://github.com/freeipa/freeipa/pull/160
Author: ofayans
 Title: #160: Reverted the essertion for replica uninstall returncode
Action: opened

PR body:
"""
As the issue with ipa installer always returning 0 returncode is apparently
addressed, the test needs to be made aware of this change.

https://fedorahosted.org/freeipa/ticket/3230
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/160/head:pr160
git checkout pr160
From 1b339b81679126c45c2af8887c74df35f89808ed Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Thu, 13 Oct 2016 08:46:35 +0200
Subject: [PATCH] Reverted the essertion for replica uninstall returncode

As the issue with ipa installer always returning 0 returncode is apparently
addressed, the test needs to be made aware of this change.

https://fedorahosted.org/freeipa/ticket/3230
---
 ipatests/test_integration/test_replica_promotion.py | 6 +-
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 58f0fa5..0e93356 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -357,12 +357,8 @@ def test_replica_uninstallation_prohibited(self):
 result = self.replicas[0].run_command(['ipa-server-install',
'--uninstall', '-U'],
   raiseonerr=False)
-# Due to ticket 3230 server installation/uninstallation always returns
-# 0 unless an uncaught exception occurs. Once this issue is properly
-# addressed, please care to change expected return code in the
-# following assert from 0 to something else.
 assert_error(result, "Removal of '%s' leads to disconnected"
- " topology" % self.replicas[0].hostname, 0)
+ " topology" % self.replicas[0].hostname, 1)
 self.replicas[0].run_command(['ipa-server-install', '--uninstall',
   '-U', '--ignore-topology-disconnect'])
 
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#137][opened] Test: disabled wrong client domain tests for domlevel 0

[ofayans]

   URL: https://github.com/freeipa/freeipa/pull/137
Author: ofayans
 Title: #137: Test: disabled wrong client domain tests for domlevel 0
Action: opened

PR body:
"""
These tests are only relevant for domain level 1

https://fedorahosted.org/freeipa/ticket/6382
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/137/head:pr137
git checkout pr137
From 5a5df52fea42d7e3d14fa6bff32eec7bdb8450f9 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Wed, 5 Oct 2016 10:24:26 +0200
Subject: [PATCH] Test: disabled wrong client domain tests for domlevel 0

These tests are only relevant for domain level 1

https://fedorahosted.org/freeipa/ticket/6382
---
 ipatests/test_integration/test_replica_promotion.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 8ae2962..58f0fa5 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -398,6 +398,7 @@ class TestWrongClientDomain(IntegrationTest):
 topology = "star"
 num_replicas = 1
 domain_name = 'exxample.test'
+domain_level = DOMAIN_LEVEL_1
 
 @classmethod
 def install(cls, mh):
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#131][synchronized] Fixed script generating certs to address untrusted sub-ca

[ofayans]

   URL: https://github.com/freeipa/freeipa/pull/131
Author: ofayans
 Title: #131: Fixed script generating certs to address untrusted sub-ca
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/131/head:pr131
git checkout pr131
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#131][closed] Fixed script generating certs to address untrusted sub-ca

[ofayans]

   URL: https://github.com/freeipa/freeipa/pull/131
Author: ofayans
 Title: #131: Fixed script generating certs to address untrusted sub-ca
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/131/head:pr131
git checkout pr131
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#131][comment] Fixed script generating certs to address untrusted sub-ca

[ofayans]

  URL: https://github.com/freeipa/freeipa/pull/131
Title: #131: Fixed script generating certs to address untrusted sub-ca

ofayans commented:
"""
Please disregard this PR: I've caught a false positive. The issue was not fixed
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/131#issuecomment-251600757
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#131][opened] Fixed script generating certs to address untrusted sub-ca

[ofayans]

   URL: https://github.com/freeipa/freeipa/pull/131
Author: ofayans
 Title: #131: Fixed script generating certs to address untrusted sub-ca
Action: opened

PR body:
"""
Changed the path length from 0 to -1 (unlimited length)

https://fedorahosted.org/freeipa/ticket/6348
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/131/head:pr131
git checkout pr131
From 2698747fa701b7e470999a9b958a618c132173cc Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Tue, 4 Oct 2016 14:14:19 +0200
Subject: [PATCH] Fixed script generating certs to address untrusted sub-ca

Changed the path length from 0 to -1 (unlimited length)

https://fedorahosted.org/freeipa/ticket/6348
---
 ipatests/test_integration/scripts/caless-create-pki | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipatests/test_integration/scripts/caless-create-pki b/ipatests/test_integration/scripts/caless-create-pki
index 8928e95..230516f 100644
--- a/ipatests/test_integration/scripts/caless-create-pki
+++ b/ipatests/test_integration/scripts/caless-create-pki
@@ -40,7 +40,7 @@ gen_cert() {
 crt="$(mktemp)"
 certutil -R -d "$dbdir" -s "$subject" -f "$pwfile" -z "$noise" -o "$csr" -4 -2 >/dev/null <-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#130][opened] Added --ip-address paramenter to client installation

[ofayans]

   URL: https://github.com/freeipa/freeipa/pull/130
Author: ofayans
 Title: #130: Added --ip-address paramenter to client installation
Action: opened

PR body:
"""
A record for client machine is only created during client installation if the
'--ip-address' parameter is provided. Without A record in some cases
replica connection check fails making it impossible to promote the client to
replica without '--skip-conncheck' option
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/130/head:pr130
git checkout pr130
From e82eaecccead01cbd16b75786d6bef0da02ef82e Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Mon, 3 Oct 2016 14:24:41 +0200
Subject: [PATCH] Added --ip-address paramenter to client installation

A record for client machine is only created during client installation if the
'--ip-address' parameter is provided. Without A record in some cases
replica connection check fails making it impossible to promote the client to
replica without '--skip-conncheck' option
---
 ipatests/test_integration/tasks.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index 6c26626..e2625a4 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -421,6 +421,7 @@ def install_client(master, client, extra_args=()):
 '--realm', client.domain.realm,
 '-p', client.config.admin_name,
 '-w', client.config.admin_password,
+'--ip-address', client.ip,
 '--server', master.hostname]
+ list(extra_args))
 
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#93][+ack] Tests: Remove SSSD restart from integration tests

[ofayans]

  URL: https://github.com/freeipa/freeipa/pull/93
Title: #93: Tests: Remove SSSD restart from integration tests

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#86] Made sssd restart a non-raising opration (comment)

[ofayans]

ofayans commented on a pull request

"""
sure
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/86#issuecomment-247344841
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#86] Made sssd restart a non-raising opration (comment)

[ofayans]

ofayans commented on a pull request

"""
Probably Lenka has some use-case for this. I am pretty sure these lines weren't 
added just for fun :)
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/86#issuecomment-247328115
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#86] Made sssd restart a non-raising opration (opened)

[ofayans]

ofayans's pull request #86: "Made sssd restart a non-raising opration" was 
opened

PR body:
"""
Uninstallation of ipa-server usually removes sssd configuration file,
/etc/sssd/sssd.conf
If we then issue syustemctl restart sssd.service, the command fails because is
unable to find the config file. We need to make this call not raise an
exception
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/86
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/86/head:pr86
git checkout pr86
From 27c33b1e36d6ea34caa619cb89ead223603396c0 Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Thu, 15 Sep 2016 14:10:41 +0200
Subject: [PATCH] Made sssd restart a non-raising opration

Uninstallation of ipa-server usually removes sssd configuration file,
/etc/sssd/sssd.conf
If we then issue syustemctl restart sssd.service, the command fails because is
unable to find the config file. We need to make this call not raise an
exception
---
 ipatests/test_integration/tasks.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index ee9d4a2..6a08659 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -691,7 +691,7 @@ def uninstall_master(host, ignore_topology_disconnect=True,
  "xargs rm -fv", raiseonerr=False)
 host.run_command("find /run/ipa -name 'krb5*' | xargs rm -fv",
  raiseonerr=False)
-host.run_command(['systemctl', 'restart', 'sssd'])
+host.run_command(['systemctl', 'restart', 'sssd'], raiseonerr=False)
 unapply_fixes(host)
 
 
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (comment)

[ofayans]

ofayans commented on a pull request

"""
Done
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/52#issuecomment-244925053
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (synchronize)

[ofayans]

ofayans's pull request #52: "Removed incorrect check for returncode" was 
synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/52
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/52/head:pr52
git checkout pr52
From 805e3765f10c12faa34db89904b24e89ccf181ad Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Fri, 2 Sep 2016 15:24:40 +0200
Subject: [PATCH 1/4] Removed incorrect check for returncode

The server installation in most cases returns response code 0 no matter what
happens except for really severe errors. In this case when we try to uninstall
the middle replica of a line topology, it fails, notifies us that we should use
'--ignore-topology-disconnect', but returns 0

https://fedorahosted.org/freeipa/ticket/6300
---
 ipatests/test_integration/tasks.py  |  2 +-
 ipatests/test_integration/test_replica_promotion.py | 10 ++
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index c60d436..db99bbb 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -1190,7 +1190,7 @@ def run_server_del(host, server_to_delete, force=False,
 def assert_error(result, stderr_text, returncode=None):
 "Assert that `result` command failed and its stderr contains `stderr_text`"
 assert stderr_text in result.stderr_text, result.stderr_text
-if returncode:
+if returncode is not None:
 assert result.returncode == returncode
 else:
 assert result.returncode > 0
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 3e62f92..e06cafd 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -348,10 +348,12 @@ def test_replica_uninstallation_prohibited(self):
 result = self.replicas[0].run_command(['ipa-server-install',
'--uninstall', '-U'],
   raiseonerr=False)
-assert(result.returncode > 0), ("The replica was removed without "
- "'--ignore-topology-disconnect' option")
-assert("Uninstallation leads to disconnected topology"
-   in result.stdout_text), ("Expected error message was not found")
+# Due to ticket 3230 server installation/uninstallation always returns
+# 0 unless an uncaught exception occurs. Once this issue is properly
+# addressed, please care to change expected return code in the
+# following assert from 0 to something else.
+assert_error(result, "Removal of '%s' leads to disconnected"
+ " topology" % self.replicas[0].hostname, 0)
 self.replicas[0].run_command(['ipa-server-install', '--uninstall',
   '-U', '--ignore-topology-disconnect'])
 

From 524b2d66bbfe96a955a0a7008ec5c6eff134363b Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Mon, 5 Sep 2016 09:05:06 +0200
Subject: [PATCH 2/4] Several fixes in replica_promotion tests

In test_one_command_installation the ipa-replica-install was missing '--server'
and '-U' options which resulted in false negative result. In
test_client_enrollment_by_unprivileged_user '--server' option was messing.
test_replica_promotion_after_adding_to_admin_group lacked '-U' option. It
leaded to 3 failed cases.

https://fedorahosted.org/freeipa/ticket/6301
---
 ipatests/test_integration/test_replica_promotion.py | 10 +++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index e06cafd..34af116 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -187,7 +187,9 @@ def test_one_command_installation(self):
 self.replicas[0].run_command(['ipa-replica-install', '-w',
  self.master.config.admin_password,
  '-n', self.master.domain.name,
- '-r', self.master.domain.realm])
+ '-r', self.master.domain.realm,
+ '--server', self.master.hostname,
+ '-U'])
 
 
 class TestReplicaManageCommands(IntegrationTest):
@@ -307,7 +309,8 @@ def test_client_enrollment_by_unprivileged_user(self):
'-p', self.username,
'-w', self.new_password,
'--domain', replica.domain.name,
-   '--realm', replica.domain.realm, '-U'],
+   

[Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (comment)

[ofayans]

ofayans commented on a pull request

"""
@mbasti-rh,
1. Fixed
2. It's OK, but we won't have working tests in 4.3 branch. Should I create a 
ticket?
3. Gotya :)
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/52#issuecomment-244913086
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (synchronize)

[ofayans]

ofayans's pull request #52: "Removed incorrect check for returncode" was 
synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/52
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/52/head:pr52
git checkout pr52
From 805e3765f10c12faa34db89904b24e89ccf181ad Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Fri, 2 Sep 2016 15:24:40 +0200
Subject: [PATCH 1/4] Removed incorrect check for returncode

The server installation in most cases returns response code 0 no matter what
happens except for really severe errors. In this case when we try to uninstall
the middle replica of a line topology, it fails, notifies us that we should use
'--ignore-topology-disconnect', but returns 0

https://fedorahosted.org/freeipa/ticket/6300
---
 ipatests/test_integration/tasks.py  |  2 +-
 ipatests/test_integration/test_replica_promotion.py | 10 ++
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index c60d436..db99bbb 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -1190,7 +1190,7 @@ def run_server_del(host, server_to_delete, force=False,
 def assert_error(result, stderr_text, returncode=None):
 "Assert that `result` command failed and its stderr contains `stderr_text`"
 assert stderr_text in result.stderr_text, result.stderr_text
-if returncode:
+if returncode is not None:
 assert result.returncode == returncode
 else:
 assert result.returncode > 0
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 3e62f92..e06cafd 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -348,10 +348,12 @@ def test_replica_uninstallation_prohibited(self):
 result = self.replicas[0].run_command(['ipa-server-install',
'--uninstall', '-U'],
   raiseonerr=False)
-assert(result.returncode > 0), ("The replica was removed without "
- "'--ignore-topology-disconnect' option")
-assert("Uninstallation leads to disconnected topology"
-   in result.stdout_text), ("Expected error message was not found")
+# Due to ticket 3230 server installation/uninstallation always returns
+# 0 unless an uncaught exception occurs. Once this issue is properly
+# addressed, please care to change expected return code in the
+# following assert from 0 to something else.
+assert_error(result, "Removal of '%s' leads to disconnected"
+ " topology" % self.replicas[0].hostname, 0)
 self.replicas[0].run_command(['ipa-server-install', '--uninstall',
   '-U', '--ignore-topology-disconnect'])
 

From a791998ef32085c936d758554a69a4b5b91485bb Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Mon, 5 Sep 2016 09:05:06 +0200
Subject: [PATCH 2/4] Several fixes in replica_promotion tests

In test_one_command_installation the ipa-replica-install was missing '--server'
and '-U' options which resulted in false negative result. In
test_client_enrollment_by_unprivileged_user '--server' option was messing.
test_replica_promotion_after_adding_to_admin_group lacked '-U' option. It
leaded to 3 failed cases.
---
 ipatests/test_integration/test_replica_promotion.py | 10 +++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index e06cafd..34af116 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -187,7 +187,9 @@ def test_one_command_installation(self):
 self.replicas[0].run_command(['ipa-replica-install', '-w',
  self.master.config.admin_password,
  '-n', self.master.domain.name,
- '-r', self.master.domain.realm])
+ '-r', self.master.domain.realm,
+ '--server', self.master.hostname,
+ '-U'])
 
 
 class TestReplicaManageCommands(IntegrationTest):
@@ -307,7 +309,8 @@ def test_client_enrollment_by_unprivileged_user(self):
'-p', self.username,
'-w', self.new_password,
'--domain', replica.domain.name,
-   '--realm', replica.domain.realm, '-U'],
+   '--realm', 

[Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (comment)

[ofayans]

ofayans commented on a pull request

"""
The commit message was updated
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/52#issuecomment-244720426
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (synchronize)

[ofayans]

ofayans's pull request #52: "Removed incorrect check for returncode" was 
synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/52
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/52/head:pr52
git checkout pr52
From c0c274d9873c5be708a2a6e54356f7e611c4b330 Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Fri, 2 Sep 2016 15:24:40 +0200
Subject: [PATCH 1/4] Removed incorrect check for returncode

The server installation in most cases returns response code 0 no matter what
happens except for really severe errors. In this case when we try to uninstall
the middle replica of a line topology, it fails, notifies us that we should use
'--ignore-topology-disconnect', but returns 0

https://fedorahosted.org/freeipa/ticket/3230
---
 ipatests/test_integration/tasks.py  |  2 +-
 ipatests/test_integration/test_replica_promotion.py | 10 ++
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index c60d436..db99bbb 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -1190,7 +1190,7 @@ def run_server_del(host, server_to_delete, force=False,
 def assert_error(result, stderr_text, returncode=None):
 "Assert that `result` command failed and its stderr contains `stderr_text`"
 assert stderr_text in result.stderr_text, result.stderr_text
-if returncode:
+if returncode is not None:
 assert result.returncode == returncode
 else:
 assert result.returncode > 0
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 3e62f92..e06cafd 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -348,10 +348,12 @@ def test_replica_uninstallation_prohibited(self):
 result = self.replicas[0].run_command(['ipa-server-install',
'--uninstall', '-U'],
   raiseonerr=False)
-assert(result.returncode > 0), ("The replica was removed without "
- "'--ignore-topology-disconnect' option")
-assert("Uninstallation leads to disconnected topology"
-   in result.stdout_text), ("Expected error message was not found")
+# Due to ticket 3230 server installation/uninstallation always returns
+# 0 unless an uncaught exception occurs. Once this issue is properly
+# addressed, please care to change expected return code in the
+# following assert from 0 to something else.
+assert_error(result, "Removal of '%s' leads to disconnected"
+ " topology" % self.replicas[0].hostname, 0)
 self.replicas[0].run_command(['ipa-server-install', '--uninstall',
   '-U', '--ignore-topology-disconnect'])
 

From d13a6edf02881e0f8f3747f195c8f335a03792bd Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Mon, 5 Sep 2016 09:05:06 +0200
Subject: [PATCH 2/4] Several fixes in replica_promotion tests

In test_one_command_installation the ipa-replica-install was missing '--server'
and '-U' options which resulted in false negative result. In
test_client_enrollment_by_unprivileged_user '--server' option was messing.
test_replica_promotion_after_adding_to_admin_group lacked '-U' option. It
leaded to 3 failed cases.
---
 ipatests/test_integration/test_replica_promotion.py | 10 +++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index e06cafd..34af116 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -187,7 +187,9 @@ def test_one_command_installation(self):
 self.replicas[0].run_command(['ipa-replica-install', '-w',
  self.master.config.admin_password,
  '-n', self.master.domain.name,
- '-r', self.master.domain.realm])
+ '-r', self.master.domain.realm,
+ '--server', self.master.hostname,
+ '-U'])
 
 
 class TestReplicaManageCommands(IntegrationTest):
@@ -307,7 +309,8 @@ def test_client_enrollment_by_unprivileged_user(self):
'-p', self.username,
'-w', self.new_password,
'--domain', replica.domain.name,
-   '--realm', replica.domain.realm, '-U'],
+   '--realm', 

[Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (synchronize)

[ofayans]

ofayans's pull request #52: "Removed incorrect check for returncode" was 
synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/52
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/52/head:pr52
git checkout pr52
From c0c274d9873c5be708a2a6e54356f7e611c4b330 Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Fri, 2 Sep 2016 15:24:40 +0200
Subject: [PATCH 1/4] Removed incorrect check for returncode

The server installation in most cases returns response code 0 no matter what
happens except for really severe errors. In this case when we try to uninstall
the middle replica of a line topology, it fails, notifies us that we should use
'--ignore-topology-disconnect', but returns 0

https://fedorahosted.org/freeipa/ticket/3230
---
 ipatests/test_integration/tasks.py  |  2 +-
 ipatests/test_integration/test_replica_promotion.py | 10 ++
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index c60d436..db99bbb 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -1190,7 +1190,7 @@ def run_server_del(host, server_to_delete, force=False,
 def assert_error(result, stderr_text, returncode=None):
 "Assert that `result` command failed and its stderr contains `stderr_text`"
 assert stderr_text in result.stderr_text, result.stderr_text
-if returncode:
+if returncode is not None:
 assert result.returncode == returncode
 else:
 assert result.returncode > 0
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 3e62f92..e06cafd 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -348,10 +348,12 @@ def test_replica_uninstallation_prohibited(self):
 result = self.replicas[0].run_command(['ipa-server-install',
'--uninstall', '-U'],
   raiseonerr=False)
-assert(result.returncode > 0), ("The replica was removed without "
- "'--ignore-topology-disconnect' option")
-assert("Uninstallation leads to disconnected topology"
-   in result.stdout_text), ("Expected error message was not found")
+# Due to ticket 3230 server installation/uninstallation always returns
+# 0 unless an uncaught exception occurs. Once this issue is properly
+# addressed, please care to change expected return code in the
+# following assert from 0 to something else.
+assert_error(result, "Removal of '%s' leads to disconnected"
+ " topology" % self.replicas[0].hostname, 0)
 self.replicas[0].run_command(['ipa-server-install', '--uninstall',
   '-U', '--ignore-topology-disconnect'])
 

From 55155cc8e305d92024a66f918d772a6f4dd3a14f Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Mon, 5 Sep 2016 09:05:06 +0200
Subject: [PATCH 2/4] Several fixes in replica_promotion tests

---
 ipatests/test_integration/test_replica_promotion.py | 10 +++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index e06cafd..34af116 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -187,7 +187,9 @@ def test_one_command_installation(self):
 self.replicas[0].run_command(['ipa-replica-install', '-w',
  self.master.config.admin_password,
  '-n', self.master.domain.name,
- '-r', self.master.domain.realm])
+ '-r', self.master.domain.realm,
+ '--server', self.master.hostname,
+ '-U'])
 
 
 class TestReplicaManageCommands(IntegrationTest):
@@ -307,7 +309,8 @@ def test_client_enrollment_by_unprivileged_user(self):
'-p', self.username,
'-w', self.new_password,
'--domain', replica.domain.name,
-   '--realm', replica.domain.realm, '-U'],
+   '--realm', replica.domain.realm, '-U',
+   '--server', self.master.hostname],
   raiseonerr=False)
 assert_error(result1, "No permission to join this host", 1)
 
@@ -331,7 +334,8 @@ def test_replica_promotion_after_adding_to_admin_group(self):
  

[Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (synchronize)

[ofayans]

ofayans's pull request #52: "Removed incorrect check for returncode" was 
synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/52
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/52/head:pr52
git checkout pr52
From c0c274d9873c5be708a2a6e54356f7e611c4b330 Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Fri, 2 Sep 2016 15:24:40 +0200
Subject: [PATCH 1/3] Removed incorrect check for returncode

The server installation in most cases returns response code 0 no matter what
happens except for really severe errors. In this case when we try to uninstall
the middle replica of a line topology, it fails, notifies us that we should use
'--ignore-topology-disconnect', but returns 0

https://fedorahosted.org/freeipa/ticket/3230
---
 ipatests/test_integration/tasks.py  |  2 +-
 ipatests/test_integration/test_replica_promotion.py | 10 ++
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index c60d436..db99bbb 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -1190,7 +1190,7 @@ def run_server_del(host, server_to_delete, force=False,
 def assert_error(result, stderr_text, returncode=None):
 "Assert that `result` command failed and its stderr contains `stderr_text`"
 assert stderr_text in result.stderr_text, result.stderr_text
-if returncode:
+if returncode is not None:
 assert result.returncode == returncode
 else:
 assert result.returncode > 0
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 3e62f92..e06cafd 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -348,10 +348,12 @@ def test_replica_uninstallation_prohibited(self):
 result = self.replicas[0].run_command(['ipa-server-install',
'--uninstall', '-U'],
   raiseonerr=False)
-assert(result.returncode > 0), ("The replica was removed without "
- "'--ignore-topology-disconnect' option")
-assert("Uninstallation leads to disconnected topology"
-   in result.stdout_text), ("Expected error message was not found")
+# Due to ticket 3230 server installation/uninstallation always returns
+# 0 unless an uncaught exception occurs. Once this issue is properly
+# addressed, please care to change expected return code in the
+# following assert from 0 to something else.
+assert_error(result, "Removal of '%s' leads to disconnected"
+ " topology" % self.replicas[0].hostname, 0)
 self.replicas[0].run_command(['ipa-server-install', '--uninstall',
   '-U', '--ignore-topology-disconnect'])
 

From 55155cc8e305d92024a66f918d772a6f4dd3a14f Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Mon, 5 Sep 2016 09:05:06 +0200
Subject: [PATCH 2/3] Several fixes in replica_promotion tests

---
 ipatests/test_integration/test_replica_promotion.py | 10 +++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index e06cafd..34af116 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -187,7 +187,9 @@ def test_one_command_installation(self):
 self.replicas[0].run_command(['ipa-replica-install', '-w',
  self.master.config.admin_password,
  '-n', self.master.domain.name,
- '-r', self.master.domain.realm])
+ '-r', self.master.domain.realm,
+ '--server', self.master.hostname,
+ '-U'])
 
 
 class TestReplicaManageCommands(IntegrationTest):
@@ -307,7 +309,8 @@ def test_client_enrollment_by_unprivileged_user(self):
'-p', self.username,
'-w', self.new_password,
'--domain', replica.domain.name,
-   '--realm', replica.domain.realm, '-U'],
+   '--realm', replica.domain.realm, '-U',
+   '--server', self.master.hostname],
   raiseonerr=False)
 assert_error(result1, "No permission to join this host", 1)
 
@@ -331,7 +334,8 @@ def test_replica_promotion_after_adding_to_admin_group(self):
  

[Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (synchronize)

[ofayans]

ofayans's pull request #52: "Removed incorrect check for returncode" was 
synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/52
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/52/head:pr52
git checkout pr52
From c0c274d9873c5be708a2a6e54356f7e611c4b330 Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Fri, 2 Sep 2016 15:24:40 +0200
Subject: [PATCH 1/3] Removed incorrect check for returncode

The server installation in most cases returns response code 0 no matter what
happens except for really severe errors. In this case when we try to uninstall
the middle replica of a line topology, it fails, notifies us that we should use
'--ignore-topology-disconnect', but returns 0

https://fedorahosted.org/freeipa/ticket/3230
---
 ipatests/test_integration/tasks.py  |  2 +-
 ipatests/test_integration/test_replica_promotion.py | 10 ++
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index c60d436..db99bbb 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -1190,7 +1190,7 @@ def run_server_del(host, server_to_delete, force=False,
 def assert_error(result, stderr_text, returncode=None):
 "Assert that `result` command failed and its stderr contains `stderr_text`"
 assert stderr_text in result.stderr_text, result.stderr_text
-if returncode:
+if returncode is not None:
 assert result.returncode == returncode
 else:
 assert result.returncode > 0
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 3e62f92..e06cafd 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -348,10 +348,12 @@ def test_replica_uninstallation_prohibited(self):
 result = self.replicas[0].run_command(['ipa-server-install',
'--uninstall', '-U'],
   raiseonerr=False)
-assert(result.returncode > 0), ("The replica was removed without "
- "'--ignore-topology-disconnect' option")
-assert("Uninstallation leads to disconnected topology"
-   in result.stdout_text), ("Expected error message was not found")
+# Due to ticket 3230 server installation/uninstallation always returns
+# 0 unless an uncaught exception occurs. Once this issue is properly
+# addressed, please care to change expected return code in the
+# following assert from 0 to something else.
+assert_error(result, "Removal of '%s' leads to disconnected"
+ " topology" % self.replicas[0].hostname, 0)
 self.replicas[0].run_command(['ipa-server-install', '--uninstall',
   '-U', '--ignore-topology-disconnect'])
 

From 6a1057319bb48e4ad636be20b83d7965849b5965 Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Mon, 5 Sep 2016 09:05:06 +0200
Subject: [PATCH 2/3] Several fixes in replica_promotion tests

---
 ipatests/test_integration/test_replica_promotion.py | 4 
 1 file changed, 4 insertions(+)

diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index e06cafd..e501eca 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -188,6 +188,8 @@ def test_one_command_installation(self):
  self.master.config.admin_password,
  '-n', self.master.domain.name,
  '-r', self.master.domain.realm])
+ '--server', self.master.hostname,
+ '-U'])
 
 
 class TestReplicaManageCommands(IntegrationTest):
@@ -308,6 +310,7 @@ def test_client_enrollment_by_unprivileged_user(self):
'-w', self.new_password,
'--domain', replica.domain.name,
'--realm', replica.domain.realm, '-U'],
+   '--server', self.master.hostname],
   raiseonerr=False)
 assert_error(result1, "No permission to join this host", 1)
 
@@ -332,6 +335,7 @@ def test_replica_promotion_after_adding_to_admin_group(self):
   '-p', self.new_password,
   '-n', self.master.domain.name,
   '-r', self.master.domain.realm])
+  '-U'])
 
 
 class 

[Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (opened)

[ofayans]

ofayans's pull request #52: "Removed incorrect check for returncode" was opened

PR body:
"""
The server installation in most cases returns response code 0 no matter what
happens except for really severe errors. In this case when we try to uninstall
the middle replica of a line topology, it fails, notifies us that we should use
'--ignore-topology-disconnect', but returns 0

https://fedorahosted.org/freeipa/ticket/3230
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/52
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/52/head:pr52
git checkout pr52
From c0c274d9873c5be708a2a6e54356f7e611c4b330 Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Fri, 2 Sep 2016 15:24:40 +0200
Subject: [PATCH] Removed incorrect check for returncode

The server installation in most cases returns response code 0 no matter what
happens except for really severe errors. In this case when we try to uninstall
the middle replica of a line topology, it fails, notifies us that we should use
'--ignore-topology-disconnect', but returns 0

https://fedorahosted.org/freeipa/ticket/3230
---
 ipatests/test_integration/tasks.py  |  2 +-
 ipatests/test_integration/test_replica_promotion.py | 10 ++
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index c60d436..db99bbb 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -1190,7 +1190,7 @@ def run_server_del(host, server_to_delete, force=False,
 def assert_error(result, stderr_text, returncode=None):
 "Assert that `result` command failed and its stderr contains `stderr_text`"
 assert stderr_text in result.stderr_text, result.stderr_text
-if returncode:
+if returncode is not None:
 assert result.returncode == returncode
 else:
 assert result.returncode > 0
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 3e62f92..e06cafd 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -348,10 +348,12 @@ def test_replica_uninstallation_prohibited(self):
 result = self.replicas[0].run_command(['ipa-server-install',
'--uninstall', '-U'],
   raiseonerr=False)
-assert(result.returncode > 0), ("The replica was removed without "
- "'--ignore-topology-disconnect' option")
-assert("Uninstallation leads to disconnected topology"
-   in result.stdout_text), ("Expected error message was not found")
+# Due to ticket 3230 server installation/uninstallation always returns
+# 0 unless an uncaught exception occurs. Once this issue is properly
+# addressed, please care to change expected return code in the
+# following assert from 0 to something else.
+assert_error(result, "Removal of '%s' leads to disconnected"
+ " topology" % self.replicas[0].hostname, 0)
 self.replicas[0].run_command(['ipa-server-install', '--uninstall',
   '-U', '--ignore-topology-disconnect'])
 
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#38] Removed incorrect check for returncode (closed)

[ofayans]

ofayans's pull request #38: "Removed incorrect check for returncode" was closed

See the full pull-request at https://github.com/freeipa/freeipa/pull/38
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/38/head:pr38
git checkout pr38
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#38] Removed incorrect check for returncode (comment)

[ofayans]

ofayans commented on a pull request

"""
Done. 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/38#issuecomment-243407459
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#38] Removed incorrect check for returncode (synchronize)

[ofayans]

ofayans's pull request #38: "Removed incorrect check for returncode" was 
synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/38
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/38/head:pr38
git checkout pr38


freeipa-pr-38.patch
Description: application/text/diff
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#38] Removed incorrect check for returncode (synchronize)

[ofayans]

ofayans's pull request #38: "Removed incorrect check for returncode" was 
synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/38
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/38/head:pr38
git checkout pr38


freeipa-pr-38.patch
Description: application/text/diff
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#38] Removed incorrect check for returncode (synchronize)

[ofayans]

ofayans's pull request #38: "Removed incorrect check for returncode" was 
synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/38
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/38/head:pr38
git checkout pr38


freeipa-pr-38.patch
Description: application/text/diff
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#38] Removed incorrect check for returncode (opened)

[ofayans]

ofayans's pull request #38: "Removed incorrect check for returncode" was opened

PR body:
"""
The server installation in most cases returns response code 0 no matter what
happens except for really severe errors. In this case when we try to uninstall
the middle replica of a line topology, it fails, notifies us that we should use
'--ignore-topology-disconnect', but returns 0

https://fedorahosted.org/freeipa/ticket/3230
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/38
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/38/head:pr38
git checkout pr38


freeipa-pr-38.patch
Description: application/text/diff
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#30] Print to debug output answer from CA (comment)

[ofayans]

ofayans commented on a pull request

"""
QA ACK. It rocks: the debug output really helps identify the cause of 
CA-related errors. See for example [this 
issue](https://fedorahosted.org/freeipa/ticket/6274)
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/30#issuecomment-243368617
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#26] Don't ignore --ignore-last-of-role for last CA (+ack)

[ofayans]

stlaz's pull request #26: "Don't ignore --ignore-last-of-role for last CA" 
label *ack* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/26
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#26] Don't ignore --ignore-last-of-role for last CA (comment)

[ofayans]

ofayans commented on a pull request

"""
QA ACK. With these changes the issue is gone
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/26#issuecomment-243101582
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#28] Added a sleep interval after domainlevel raise in tests (comment)

[ofayans]

ofayans commented on a pull request

"""
Done.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/28#issuecomment-242733667
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#28] Added a sleep interval after domainlevel raise in tests (synchronize)

[ofayans]

ofayans's pull request #28: "Added a sleep interval after domainlevel raise in 
tests" was synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/28
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/28/head:pr28
git checkout pr28


freeipa-pr-28.patch
Description: application/text/diff
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#28] Added a sleep interval after domainlevel raise in tests (opened)

[ofayans]

ofayans's pull request #28: "Added a sleep interval after domainlevel raise in 
tests" was opened

PR body:
"""
Due to race conditions the test sometimes catches 2 one-way segments instead of
one bidirectional. We need to give the master time to merge the one-way
segments before we test the output.

https://fedorahosted.org/freeipa/ticket/6265
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/28
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/28/head:pr28
git checkout pr28


freeipa-pr-28.patch
Description: application/text/diff
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#18] Fixed incorrect sequence of method calls in tasks.py (comment)

[ofayans]

ofayans commented on a pull request

"""
@mbasti-rh oh, I see. Thanks!
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/18#issuecomment-242390863
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#18] Fixed incorrect sequence of method calls in tasks.py (opened)

[ofayans]

ofayans's pull request #18: "Fixed incorrect sequence of method calls in 
tasks.py" was opened

PR body:
"""
https://fedorahosted.org/freeipa/ticket/6255
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/18
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/18/head:pr18
git checkout pr18


freeipa-pr-18.patch
Description: application/text/diff
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code