[Freeipa-devel] [wiki] please review: domain levels overview page

2016-02-09 Thread Martin Basti 

Hello,

I prepared page for keeping the information about domain levels, what 
are features, which version introduced the particular domain level.


http://www.freeipa.org/page/Domain_Levels

Martin^2

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [wiki] please review: domain levels overview page

2016-02-09 Thread Fraser Tweedale 
On Tue, Feb 09, 2016 at 11:14:47AM +0100, Martin Basti wrote:
> Hello,
> 
> I prepared page for keeping the information about domain levels, what are
> features, which version introduced the particular domain level.
> 
> http://www.freeipa.org/page/Domain_Levels
> 
> Martin^2
> 
Thanks, it is a useful summary.

Suggestion: in `Features' section, if you are only going to link to
design page, I would just remove that section and directly link the
design page from the `Current domain levels' table.  (OTOH, if it is
planned to expand these sections then it is fine).

Cheers,
Fraser

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0407] make lint: migration to config file and pylint plugin due pylint 1.5.2

2016-02-09 Thread Martin Basti 



On 03.02.2016 10:19, David Kupka wrote:

On 01/02/16 14:18, Martin Basti wrote:



On 26.01.2016 14:16, Martin Basti wrote:



On 20.01.2016 14:38, Jan Cholasta wrote:

Hi,

On 19.1.2016 13:43, Martin Basti wrote:

New pylint version will broke our custom make-lint script again,
attached patch migrates make-lint to:
* config file
* pylint plugin
which are supported by pylint and should not have regular 
compatibility

issues

to test new approach run ./make-lint2

Advantages:
* compatibility with pylint
* works on both pylint-1.4.3-3.fc23.noarch and
pylint-1.5.2-1.fc24.noarch
* pylint plugin works in different way than the previous custom
checker.
Missing ("dynamic") attributes are added to abstract syntax tree
instead
of ignoring them and all their sub-members. This makes check better,
pylint can detect more typos in tests configurations, api, env, etc..

Disadvantages:
* any new attribute in api, test config, etc.. must be added to
definition of missing members (pylint plugin) - this should not 
happen

too often


1) Please "mv pylint_plugins/fix_ipa_members.py pylint_plugins.py"
and "rm -rf pylint_plugins/", no need for this redundant directory
structure.

2) Rename pylintrc to freeipa.pylintrc so you have to always specify
it explicitly with --rcfile.

3) Use the load-plugins directive in freeipa.pylintrc to load the
plugins rather than --load-plugins.

4) Instead of running pylint twice, run it only once with both normal
and Python 3 checks enabled:

[MESSAGE CONTROL]
enable=all,python3
disable=...,no-absolute-import




Q:
* make-lint: should it be just bash script or rather python script?


IMO neither, it should be a make target (make lint).


* add dynamic detection of python files to be checked


You can use "find . -type f -executable ! -path \*/.\* ! -name
\*.py\* -exec grep -lsm1 '^#!.*\bpython' \{\} \;".


* should I keep the current options from original make-lint?


No, but allow pylint options to be overridable (make lint
PYLINTFLAGS="--disable=python3")


* several false positive errors I haven't been able to fix in plugin
yet, in worst case they can be locally disabled:


Disable them locally.

Honza


Updated patch attached.

Please note that make-lint script has been removed, to execute lint
check use 'make lint'




Updated patch attached:
* fixes recently added error
* fixes PEP8
* cleanup of pylint config file

Patch is only for master branch, for 4.3 and 4.2 I will send different
patches when this will be acked




Could you please add an extensive comment to the 4-lines-long find 
command? I can after a while (and with the help of man page) decode 
what it does so it would definitely help to have it described.

Otherwise it looks good to me.

Updated patch attached, only for master, patches for 4.2, 4.3 will 
follow if this one will be ACKed
From 340ce4d517257160df7534dbacc961b4c998139a Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Fri, 15 Jan 2016 16:58:38 +0100
Subject: [PATCH] make lint: use config file and plugin for pylint

Our custom implementation of pylint checker is often broken by
incompatible change on pylint side. Using supported solutions (config
file, pylint plugins) should avoid this issue.

The plugin adds missing (dynamic) member to classes in abstract syntax
tree generated for pylint, instead of just ignoring missing members and
all sub-members. This should improve pylint detection of typos and
missing members in api. env and test config.

make-lint python script has been removed, to run pylint execute 'make
lint'

https://fedorahosted.org/freeipa/ticket/5615
---
 Makefile|  14 +-
 ipalib/plugins/vault.py |   4 +
 ipatests/test_ipapython/test_ipautil.py |   2 +
 make-lint   | 351 
 pylint_plugins.py   | 210 +++
 pylintrc|  85 
 6 files changed, 312 insertions(+), 354 deletions(-)
 delete mode 100755 make-lint
 create mode 100644 pylint_plugins.py
 create mode 100644 pylintrc

diff --git a/Makefile b/Makefile
index d2857ae4744188532e360a5f2375a17d3acb7d4a..8c1a5dea7cbd04fbd31bfe0de205608a3c347872 100644
--- a/Makefile
+++ b/Makefile
@@ -54,7 +54,9 @@ LIBDIR ?= /usr/lib
 
 DEVELOPER_MODE ?= 0
 ifneq ($(DEVELOPER_MODE),0)
-LINT_OPTIONS=--no-fail
+LINT_IGNORE_FAIL=true
+else
+LINT_IGNORE_FAIL=false
 endif
 
 PYTHON ?= $(shell rpm -E %__python || echo /usr/bin/python2)
@@ -127,8 +129,14 @@ client-dirs:
 	fi
 
 lint: bootstrap-autogen
-	./make-lint $(LINT_OPTIONS)
-	$(MAKE) -C install/po validate-src-strings
+	# find all python modules and executable python files outside modules for pylint check
+	FILES=`find . \
+		-type d -exec test -e '{}/__init__.py' \; -print -prune -o \
+		-name \*.py -print -o \
+		-type f \! -path '*/.*' \! -name '*~' -exec grep -qsm1 '^#!.*\bpython' '{}' \; -print`; \
+	echo "Pylint is running, please wait ..."; \
+

Re: [Freeipa-devel] [PATCH 0407] make lint: migration to config file and pylint plugin due pylint 1.5.2

2016-02-09 Thread David Kupka 

On 09/02/16 11:28, Martin Basti wrote:



On 03.02.2016 10:19, David Kupka wrote:

On 01/02/16 14:18, Martin Basti wrote:



On 26.01.2016 14:16, Martin Basti wrote:



On 20.01.2016 14:38, Jan Cholasta wrote:

Hi,

On 19.1.2016 13:43, Martin Basti wrote:

New pylint version will broke our custom make-lint script again,
attached patch migrates make-lint to:
* config file
* pylint plugin
which are supported by pylint and should not have regular
compatibility
issues

to test new approach run ./make-lint2

Advantages:
* compatibility with pylint
* works on both pylint-1.4.3-3.fc23.noarch and
pylint-1.5.2-1.fc24.noarch
* pylint plugin works in different way than the previous custom
checker.
Missing ("dynamic") attributes are added to abstract syntax tree
instead
of ignoring them and all their sub-members. This makes check better,
pylint can detect more typos in tests configurations, api, env, etc..

Disadvantages:
* any new attribute in api, test config, etc.. must be added to
definition of missing members (pylint plugin) - this should not
happen
too often


1) Please "mv pylint_plugins/fix_ipa_members.py pylint_plugins.py"
and "rm -rf pylint_plugins/", no need for this redundant directory
structure.

2) Rename pylintrc to freeipa.pylintrc so you have to always specify
it explicitly with --rcfile.

3) Use the load-plugins directive in freeipa.pylintrc to load the
plugins rather than --load-plugins.

4) Instead of running pylint twice, run it only once with both normal
and Python 3 checks enabled:

[MESSAGE CONTROL]
enable=all,python3
disable=...,no-absolute-import




Q:
* make-lint: should it be just bash script or rather python script?


IMO neither, it should be a make target (make lint).


* add dynamic detection of python files to be checked


You can use "find . -type f -executable ! -path \*/.\* ! -name
\*.py\* -exec grep -lsm1 '^#!.*\bpython' \{\} \;".


* should I keep the current options from original make-lint?


No, but allow pylint options to be overridable (make lint
PYLINTFLAGS="--disable=python3")


* several false positive errors I haven't been able to fix in plugin
yet, in worst case they can be locally disabled:


Disable them locally.

Honza


Updated patch attached.

Please note that make-lint script has been removed, to execute lint
check use 'make lint'




Updated patch attached:
* fixes recently added error
* fixes PEP8
* cleanup of pylint config file

Patch is only for master branch, for 4.3 and 4.2 I will send different
patches when this will be acked




Could you please add an extensive comment to the 4-lines-long find
command? I can after a while (and with the help of man page) decode
what it does so it would definitely help to have it described.
Otherwise it looks good to me.


Updated patch attached, only for master, patches for 4.2, 4.3 will
follow if this one will be ACKed


The comment is probably sufficient, thanks.
Also works for me on current master, ACK.

--
David Kupka

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] FreeIPA Cloud/Openstack Configuration?

2016-02-09 Thread Petr Spacek 
On 31.1.2016 10:39, Dan Lavu wrote:
> I started playing around with Openstack and was installing FreeIPA on a 
> tenant 
> network and I wanted to replicate to a server on provider network or another 
> network entirely. If you are not familiar with Openstack, a lot of cloud 
> implementations will have a virtual private network that is entirely isolated 
> from the outside world until an IP is attached to the guest. So this had me 
> thinking about best practices and cloud implementations using FreeIPA. I 
> can't 
> seem to find a lot documentation on this. So the complication I've come 
> across 
> is that the tenant network is not route-able by default, but you can attach a 
> floating-IP which is route-able to the external FreeIPA server but the host 
> entries are going to differ. For clarification in the below diagram, (if this 
> diagram doesn't show up, it is attached).
> 
> openstack_networks
> 
> idm2, has the local IP of 192.168.50.13 and has a floating ip 0f 
> 192.168.73.7, 
> but on the guest 192.168.73.7 is not known at all, for it to be route-able it 
> does some source natting using neutron and openvswitch. So during the 
> installation, it's not possible to use the external IP because the installer 
> will indicate the IP doesn't exist or is not route-able.
> 
> So I ultimately installed FreeIPA using the internal address and modified the 
> A 
> record to point to the floating external IP address. Lastly modified the host 
> file to have the name resolve to the internal address. I feel like there is a 
> cleaner way of doing this. Now it gets even more complicated if different 
> hostnames are used, since IPA does a URL rewrite and I'm sure there are other 
> name dependencies I'm unaware of.
> 
> So my questions are, do we have a documentation about installation FreeIPA on 
> a 
> cloud platform to serve external hosts?
> 
> Do we have any instructions on adding another name to the FreeIPA server 
> certificate? (I know we have steps for client hosts) I can see this being 
> resolved by having idm2 access requests for two domains, i.e. 192.168.73.0/24 
> company.com and 192.168.50.0/24 cloud.company.com.
> 
> Is there any other solutions?

I can tell you how I'm installing IPA in OpenStack, but it is a hack:
1) Assign a floating IP to the VM
2) Configure hostname inside the VM to match the externally visible one
3) Temporarily assign floating IP address to loopback inside the VM
4) Run IPA installer
5) Remove the floating address from the loopback

> Is this something that we need to address?
Yeah, we should, but I have no idea how IPA can detect its floating IP address 
...

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0002] Refactor test_group_plugin

2016-02-09 Thread Milan Kubík 

On 01/28/2016 10:42 AM, Filip Skola wrote:


- Original Message -

On 01/25/2016 11:11 AM, Filip Skola wrote:

- Original Message -

On 01/15/2016 03:38 PM, Filip Skola wrote:

Hi,

sending rebased patch.

F.

- Original Message -

Hello,

sorry for delays. The patch no longer applies to master. Rebase it,
please.

Milan

- Original Message -
From: "Filip Škola" 
To: "Milan Kubík" 
Cc: freeipa-devel@redhat.com
Sent: Wednesday, 9 December, 2015 7:01:02 PM
Subject: Re: [Freeipa-devel] [PATCH 0002] Refactor test_group_plugin

On Mon, 7 Dec 2015 17:49:18 +0100
Milan Kubík  wrote:


On 12/03/2015 08:15 PM, Filip Škola wrote:

On Mon, 30 Nov 2015 17:18:30 +0100
Milan Kubík  wrote:


On 11/23/2015 04:42 PM, Filip Škola wrote:

Sending updated patch.

F.

On Mon, 23 Nov 2015 14:59:34 +0100
Filip Škola  wrote:


Found couple of issues (broke some dependencies).

NACK

F.

On Fri, 20 Nov 2015 13:56:36 +0100
Filip Škola  wrote:


Another one.

F.

Hi, the tests look good. Few remarks, though.

1. Please, use the shortes copyright notice in new modules.

 #
 # Copyright (C) 2015  FreeIPA Contributors see COPYING for
license #

2. The tests `test_group_remove_group_from_protected_group` and
`test_group_full_set_of_objectclass_not_available_post_detach`
were not ported. Please, include them in the patch.

Also, for less hassle, please rebase your patches on top of
freeipa-mkubik-0025-3-Separated-Tracker-implementations-into-standalone-pa.patch
Which changes the location of tracker implementations and prevents
circular imports.

Thanks.


Hi,

these cases are there, in corresponding classes. They are marked
with the original comments. (However I can move them to separate
class if desirable.)

The copyright notice is changed. Also included a few changes in the
test with user without private group.

Filip

NACK

linter:
* Module tracker.group_plugin
ipatests/test_xmlrpc/tracker/group_plugin.py:257:
[E0102(function-redefined), GroupTracker.check_remove_member] method
already defined line 253)

Probably a leftover after the rebase made on top of my patch. Please
fix it. You can check youch changes by make-lint script before
sending them.

Thanks


Hi,

I learned to use make-lint!

Thanks,
F.


Hello,

NACK, pylint doesn't seem to like the way the fixtures are imported
(pytest does a lot of runtime magic) [1].
One possible solution would be [2]. Though, I don't think this would be
a good idea in our environment. I suggest to create the fixtures on per
module basis.


[1]: http://fpaste.org/311949/53118942/
[2]:
https://pytest.org/latest/fixture.html#using-fixtures-from-classes-modules-or-projects

--
Milan Kubik



Hi,

the fixtures were copied into corresponding module. Please note that this
patch has a dependence on my patch 0001 (user plugin).

Filip

Linter:
* Module ipatests.test_xmlrpc.tracker.group_plugin
W:100,26: Calling a dict.iter*() method (dict-iter-method)

please use dict.items

--
Milan Kubik



Hi, sorry. This has been fixed in this patch.

Filip

ACK, thanks for the patience. :)

--
Milan Kubik

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [patch 0032] ipatests: add missing certprofile fixture

2016-02-09 Thread Milan Kubík 

On 02/09/2016 02:37 PM, Milan Kubík wrote:
Fixes the CA ACL tests broken by removed import. This patch doesn't 
rely on undocumented behavior of pytest.


The patch invalidates patch 133 by Martin Babinsky.




Patch updated with trac link

--
Milan Kubik

From 0779fb587d10cb8fd8f7b7293527be623b078077 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Milan=20Kub=C3=ADk?= 
Date: Tue, 2 Feb 2016 11:34:26 +0100
Subject: [PATCH] ipatests: Add missing certificate profile fixture

https://fedorahosted.org/freeipa/ticket/5630
---
 ipatests/test_xmlrpc/test_caacl_plugin.py | 11 ++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/ipatests/test_xmlrpc/test_caacl_plugin.py b/ipatests/test_xmlrpc/test_caacl_plugin.py
index 85c7072a0bc483822b9b5c201d61932a423dd3d8..f20b02b295024313008be7b75bdcae2ade70b4ff 100644
--- a/ipatests/test_xmlrpc/test_caacl_plugin.py
+++ b/ipatests/test_xmlrpc/test_caacl_plugin.py
@@ -11,12 +11,21 @@ import pytest
 from ipalib import errors
 from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test
 
-# reuse the fixture
+from ipatests.test_xmlrpc.tracker.certprofile_plugin import CertprofileTracker
 from ipatests.test_xmlrpc.tracker.caacl_plugin import CAACLTracker
 from ipatests.test_xmlrpc.tracker.stageuser_plugin import StageUserTracker
 
 
 @pytest.fixture(scope='class')
+def default_profile(request):
+name = 'caIPAserviceCert'
+desc = u'Standard profile for network services'
+tracker = CertprofileTracker(name, store=True, desc=desc)
+tracker.track_create()
+return tracker
+
+
+@pytest.fixture(scope='class')
 def default_acl(request):
 name = u'hosts_services_caIPAserviceCert'
 tracker = CAACLTracker(name, service_category=u'all', host_category=u'all')
-- 
2.7.1

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [patch 0032] ipatests: add missing certprofile fixture

2016-02-09 Thread Milan Kubík 
Fixes the CA ACL tests broken by removed import. This patch doesn't rely 
on undocumented behavior of pytest.


The patch invalidates patch 133 by Martin Babinsky.

--
Milan Kubik

From 73dc9e91605c9299e48cdf62ddc0eb4927471a57 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Milan=20Kub=C3=ADk?= 
Date: Tue, 2 Feb 2016 11:34:26 +0100
Subject: [PATCH] ipatests: Add missing certificate profile fixture

---
 ipatests/test_xmlrpc/test_caacl_plugin.py | 11 ++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/ipatests/test_xmlrpc/test_caacl_plugin.py b/ipatests/test_xmlrpc/test_caacl_plugin.py
index 85c7072a0bc483822b9b5c201d61932a423dd3d8..f20b02b295024313008be7b75bdcae2ade70b4ff 100644
--- a/ipatests/test_xmlrpc/test_caacl_plugin.py
+++ b/ipatests/test_xmlrpc/test_caacl_plugin.py
@@ -11,12 +11,21 @@ import pytest
 from ipalib import errors
 from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test
 
-# reuse the fixture
+from ipatests.test_xmlrpc.tracker.certprofile_plugin import CertprofileTracker
 from ipatests.test_xmlrpc.tracker.caacl_plugin import CAACLTracker
 from ipatests.test_xmlrpc.tracker.stageuser_plugin import StageUserTracker
 
 
 @pytest.fixture(scope='class')
+def default_profile(request):
+name = 'caIPAserviceCert'
+desc = u'Standard profile for network services'
+tracker = CertprofileTracker(name, store=True, desc=desc)
+tracker.track_create()
+return tracker
+
+
+@pytest.fixture(scope='class')
 def default_acl(request):
 name = u'hosts_services_caIPAserviceCert'
 tracker = CAACLTracker(name, service_category=u'all', host_category=u'all')
-- 
2.7.0

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [wiki] please review: domain levels overview page

2016-02-09 Thread Martin Basti 



On 09.02.2016 12:07, Fraser Tweedale wrote:

On Tue, Feb 09, 2016 at 11:14:47AM +0100, Martin Basti wrote:

Hello,

I prepared page for keeping the information about domain levels, what are
features, which version introduced the particular domain level.

http://www.freeipa.org/page/Domain_Levels

Martin^2


Thanks, it is a useful summary.

Suggestion: in `Features' section, if you are only going to link to
design page, I would just remove that section and directly link the
design page from the `Current domain levels' table.  (OTOH, if it is
planned to expand these sections then it is fine).
I plan to add there links to howto or documentation (but I/somebody have 
to write it first :) )




Cheers,
Fraser


--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCHES] 0761-0769 More Python3 fixes

2016-02-09 Thread Petr Viktorin 
On 01/29/2016 09:42 AM, Jan Cholasta wrote:
> On 29.1.2016 09:25, Jan Cholasta wrote:
>> Hi,
>>
>> On 27.1.2016 18:38, Petr Viktorin wrote:
>>> Hello,
>>>
>>> Here is a mixed bag of Python 3 fixes.
>>> They fix some tests, and they should enable you to use `python3
>>> /usr/bin/ipa`.
>>
>> Patch 761:
>>
>> 1) The "invalid 'my_number': " bit comes from IPA itself, shouldn't we
>> check at least that?

Fixed

>> Patch 762:
>>
>> 1) We should handle UnicodeError here as well, in addition to TypeError:
>>
>>   if k.lower() == 'negotiate':
>>   try:
>> -token = base64.b64decode(v)
>> +token = base64.b64decode(v.encode('ascii'))
>>   break
>>   # b64decode raises TypeError on invalid input
>>   except TypeError:

Fixed

>> 2) I would prefer if the encoding was specified explicitly here:
>>
>> +response = json_decode_binary(json.loads(response.decode()))

Fixed

>> Patch 763:
>>
>> 1)
>>
>> +altname = altname

Fixed

>> 2) Nitpick, but could you please:
>>
>> -if isinstance(name_or_oid, unicode):
>> -name_or_oid = name_or_oid.encode('utf-8')
>> +if six.PY2:
>> +if isinstance(name_or_oid, unicode):
>> +name_or_oid = name_or_oid.encode('utf-8')
>>
>> This way it's more visible that this is a py2-only thing.

Sure

>> Patch 764: LGTM
>>
>>
>> Patch 765:
>>
>> 1)
>>
>> +import tempfile
>> +import tempfile

Fixed.

>> Patch 766-767: LGTM
>>
>>
>> Patch 768:
>>
>> 1) Only binascii.Error should be handled in int_to_bytes, the try-except
>> block is there just to handle odd-length strings.

That's there for Python 2, where unhexlify raises TypeError.

>> 2) I think you can just remove the library_path.encode(), it's there
>> because the original C code did the same thing, but don't think it's
>> necessary.

OK

>> Patch 769: LGTM
> 
> Also, could you please reference
>  in the patches?

Sure.

Thanks for the review! Updated patches attached.

-- 
Petr Viktorin
From e5cc6a408243454bd1e8ac5eae0af91d5138a3b0 Mon Sep 17 00:00:00 2001
From: Petr Viktorin 
Date: Mon, 21 Sep 2015 13:22:17 +0200
Subject: [PATCH] test_parameters: Ignore specific error message

In Python 3, the error message from the decimal module is
less clear than before.
(It's apparently the price to pay for speed -- Python3 uses
libmpdec as its Decimal implementation by default.)

Don't check for the exact error message.

https://fedorahosted.org/freeipa/ticket/5638
---
 ipatests/test_ipalib/test_parameters.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/ipatests/test_ipalib/test_parameters.py b/ipatests/test_ipalib/test_parameters.py
index b640f50dae4ebfb4f764e5ca9b2aa355fdfb6359..ea6b80ca859e16c91db4fad26aa8f484b34b6b15 100644
--- a/ipatests/test_ipalib/test_parameters.py
+++ b/ipatests/test_ipalib/test_parameters.py
@@ -1441,8 +1441,7 @@ class test_Decimal(ClassChecker):
 param = self.cls('my_number', precision=1)
 e = raises(ConversionError, param, '123456789012345678901234567890')
 
-assert str(e) == \
-"invalid 'my_number': quantize result has too many digits for current context"
+assert str(e).startswith("invalid 'my_number': ")
 
 def test_exponential(self):
 """
-- 
2.5.0

From 3b957cdba60df736bed7fe562a352bc6b038e943 Mon Sep 17 00:00:00 2001
From: Michael Simacek 
Date: Tue, 22 Sep 2015 10:29:32 +0200
Subject: [PATCH] Fix bytes/string handling in rpc

https://fedorahosted.org/freeipa/ticket/5638
---
 ipalib/rpc.py | 14 +++---
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index a165491adea5366a14a86d7c8bd6337e36fd1b44..c70b3a29fdc86ef10d9c0ce55a360233dbd8663e 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -349,7 +349,7 @@ def json_decode_binary(val):
 elif isinstance(val, list):
 return tuple(json_decode_binary(v) for v in val)
 else:
-if isinstance(val, six.string_types):
+if isinstance(val, bytes):
 try:
 return val.decode('utf-8')
 except UnicodeDecodeError:
@@ -400,7 +400,7 @@ def xml_loads(data, encoding='UTF-8'):
 
 class DummyParser(object):
 def __init__(self):
-self.data = ''
+self.data = b''
 
 def feed(self, data):
 self.data += data
@@ -575,7 +575,7 @@ class KerbTransport(SSLTransport):
 
 if token:
 extra_headers.append(
-('Authorization', 'negotiate %s' % base64.b64encode(token))
+('Authorization', 'negotiate %s' % base64.b64encode(token).decode('ascii'))
 )
 
 def _auth_complete(self, response):
@@ -586,10 +586,10 @@ class KerbTransport(SSLTransport):
 k, _, v = field.strip().partition(' ')

[Freeipa-devel] [PATCH] CI: Add simple replication test in 2-connected topology.

2016-02-09 Thread David Kupka 
This topology should be closer to the ones in real world than our 
current ones. But it is still impractical and (hopefully) no one has 
such deployment.
If some user could share his/her deployment topology I will be happy to 
create generator based on it.


--
David Kupka
From 6c9767df40c656ce45fb06b2018ab93eaa05034a Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Tue, 9 Feb 2016 15:45:45 +0100
Subject: [PATCH 1/3] CI: Add '2-connected' topology generator.

If number of servers (master+replicas) is equal to 4 + SUM(1, n, 2^n*5) for
any n >= 0:
 * every server has replication agreement with 2 - 4 other servers.
 * at least two agreements must fail in order to disconnect the topology.
Otherwise there can be server(s) with single agreement on the edge of the
topology.
---
 ipatests/test_integration/tasks.py | 57 ++
 1 file changed, 57 insertions(+)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index 85f669af618f8de759fe57d3e4410c1d6ce1f3e0..d37b616bd6efe437a1a979cc7a9ad8c7ea803773 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -857,6 +857,63 @@ def tree2_topo(master, replicas):
 yield master, replica
 master = replica
 
+@_topo('2-connected')
+def two_connected_topo(master, replicas):
+r"""No replica has more than 4 agreements and at least two
+replicas must fail to disconnect the topology.
+
+ . . . .
+ . . . .
+ . . . .
+ ... R --- R R --- R ...
+  \   / \   / \   /
+   \ /   \ /   \ /
+... R R R ...
+ \   / \   /
+  \ /   \ /
+   M0 -- R2
+   | |
+   | |
+   R1 -- R3
+  . \   /  .
+ .   \ /.
+. R  .
+ .  .
+..
+   .  .
+"""
+grow = []
+pool = [master] + replicas
+
+try:
+v0 = pool.pop(0)
+v1 = pool.pop(0)
+yield v0, v1
+
+v2 = pool.pop(0)
+yield v0, v2
+grow.append((v0,v2))
+
+v3 = pool.pop(0)
+yield v2, v3
+yield v1, v3
+grow.append((v1,v3))
+
+for (r,s) in grow:
+t = pool.pop(0)
+
+for (u,v) in [(r,t), (s,t)]:
+yield u, v
+w = pool.pop(0)
+yield u, w
+x = pool.pop(0)
+yield v, x
+yield w, x
+grow.append((w,x))
+
+except IndexError:
+return
+
 
 def install_topo(topo, master, replicas, clients,
  skip_master=False, setup_replica_cas=True):
-- 
2.5.0

From 049917e146bc7ad1580e474d090cf4db5301af5f Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Tue, 9 Feb 2016 17:12:00 +0100
Subject: [PATCH 2/3] CI: Add simple replication test in 2-connected topology.

---
 ipatests/test_integration/test_replication_layouts.py | 18 ++
 1 file changed, 18 insertions(+)

diff --git a/ipatests/test_integration/test_replication_layouts.py b/ipatests/test_integration/test_replication_layouts.py
index 3a3e9641e8645c62c95c8d48ecf67f2dc32dbd4d..4dd3fb51b638970139043e0b33f01864ee003192 100644
--- a/ipatests/test_integration/test_replication_layouts.py
+++ b/ipatests/test_integration/test_replication_layouts.py
@@ -85,3 +85,21 @@ class TestCompleteTopologyWithCA(LayoutsBaseTest):
 tasks.install_topo('complete', self.master, self.replicas, [],
setup_replica_cas=True)
 self.replication_is_working()
+
+
+class Test2ConnectedTopologyWithoutCA(LayoutsBaseTest):
+num_replicas = 33
+
+def test_2_connected_topology_without_ca(self):
+tasks.install_topo('2-connected', self.master, self.replicas, [],
+   setup_replica_cas=False)
+self.replication_is_working()
+
+
+class Test2ConnectedTopologyWithCA(LayoutsBaseTest):
+num_replicas = 33
+
+def test_2_connected_topology_with_ca(self):
+tasks.install_topo('2-connected', self.master, self.replicas, [],
+   setup_replica_cas=True)
+self.replication_is_working()
-- 
2.5.0

From 0d50bf001f7450d36f9a52e68b07cf67eefc4e2c Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Wed, 10 Feb 2016 08:46:43 +0100
Subject: [PATCH 3/3] CI: Add test for 2-connected topology generator.

---
 ipatests/test_integration/test_topologies.py | 19 +++
 1 file changed, 19 insertions(+)

diff --git a/ipatests/test_integration/test_topologies.py b/ipatests/test_integration/test_topologies.py
index 86ca1904f17c6f8af2660c51862988d5229f07b7..f5332adbef12e8c18471592d4fd5c89097e2d4ed 100644
--- a/ipatests/test_integration/test_topologies.py
+++ b/ipatests/test_integration/test_topologies.py
@@ -96,3 +96,22 @@ def