Re: [Freeipa-devel] cert profiles - test plan + patches

2015-09-11 Thread Lenka Doudova



On 09/10/2015 02:11 PM, Milan Kubík wrote:

On 09/04/2015 03:57 PM, Martin Babinsky wrote:

On 09/04/2015 11:06 AM, Lenka Doudova wrote:


Hi,



there's no traceback in the file you mentioned, but I'm running it

through lite-server, so here's the traceback from there:

http://pastebin.test.redhat.com/310598



I can't really get to the problem. What I forgot to mention in the

previous email was that the tests fail when attempting to add a

certprofile, but if I try to do it manually using 'ipa

certprofile-import' command with the exact same data as used in the

test, it works fine.



Lenka




Do you get the traceback also when you run the tests using
'ipa-run-tests' with installed IPA master?






Hello,

I don't think it is possible to run these tests against the lite 
server. Please do it on regular installation.


Anyway, sorry for the long delay. I am sending the updated patches.
I updated them to reflect the fix for the rename option and extended them 
with a test that imports a profile from an XML file. The test case may need to 
be updated, based on the resolution of [1].
At the moment this raises a remote retrieve error (400 from dogtag); I 
think there should be a clearer message (detecting XML).


[1]: https://fedorahosted.org/freeipa/ticket/5294


Cheers,
Milan


Hi,

can't build rpms after applying the patches (namely patch 0009.2):

Module ipatests.test_xmlrpc.utils
ipatests/test_xmlrpc/utils.py:10: [E1101(no-member), prepare_config] 
Module 'py' has no 'path' member)



Lenka


Re: [Freeipa-devel] [PATCH 0312] CI: extend backup restore tests with DNS/DNSSEC

2015-09-11 Thread Martin Basti



On 09/10/2015 10:48 AM, Martin Basti wrote:

Self NACK

On 09/10/2015 10:21 AM, Martin Basti wrote:

Patch attached.







Updated patch attached.
From d91945aade1931b37e6b431729c43ae0cfb71311 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 8 Sep 2015 13:08:31 +0200
Subject: [PATCH] backup CI: test DNS/DNSSEC after backup and restore

---
 ipatests/test_integration/tasks.py |  23 
 .../test_integration/test_backup_and_restore.py| 132 +
 2 files changed, 155 insertions(+)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index 820507022e6b5e8cc7a57c66c7f9e8e8b1500c7e..06049d4ae01332e0af4d8775b745342406fc868d 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -26,6 +26,7 @@ import collections
 import itertools
 import time
 import StringIO
+import dns
 
 from ldif import LDIFWriter
 
@@ -801,3 +802,25 @@ def add_a_record(master, host):
 master.domain.name,
 host.hostname,
 '--a-rec', host.ip])
+
+
+def resolve_record(nameserver, query, rtype="SOA", retry=True, timeout=100):
+"""Resolve DNS record
+:retry: if resolution failed try again until timeout is reached
+:timeout: max period of time while method will try to resolve query
+ (requires retry=True)
+"""
+res = dns.resolver.Resolver()
+res.nameservers = [nameserver]
+res.lifetime = 10  # wait max 10 seconds for reply
+
+wait_until = time.time() + timeout
+
+while time.time() < wait_until:
+try:
+ans = res.query(query, rtype)
+return ans
+except dns.exception.DNSException:
+if not retry:
+raise
+time.sleep(1)
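Review bot: When `retry` is true and `timeout` elapses, the `while` loop in `resolve_record` simply ends and the function returns `None`, so a record that never resolves is not reported as a failure. The callers added in test_backup_and_restore.py by this same patch discard the return value (`tasks.resolve_record(self.master.ip, self.example_test_zone)`), so those checks would pass even if the restored server never answers. Keeping the last `DNSException` and raising it after the loop turns the timeout into a test failure; the docstring should also state what is returned and what is raised. Separately, the file only gains `import dns` while this function uses `dns.resolver` and `dns.exception`; unless another module has already loaded those submodules, `import dns.resolver` and `import dns.exception` are needed.

```python
def resolve_record(nameserver, query, rtype="SOA", retry=True, timeout=100):
    # … unchanged: docstring, resolver setup, wait_until …
    last_error = None
    while time.time() < wait_until:
        try:
            return res.query(query, rtype)
        except dns.exception.DNSException as e:
            if not retry:
                raise
            last_error = e
            time.sleep(1)
    # timeout reached without an answer: fail instead of returning None
    if last_error is not None:
        raise last_error
    raise dns.exception.Timeout()
```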
diff --git a/ipatests/test_integration/test_backup_and_restore.py b/ipatests/test_integration/test_backup_and_restore.py
index 0ce1aaf29f76fec207b6ac64fab81190dae12e7f..93f5d131c7de2b40d9be9434a372477d5924c1b9 100644
--- a/ipatests/test_integration/test_backup_and_restore.py
+++ b/ipatests/test_integration/test_backup_and_restore.py
@@ -27,6 +27,7 @@ from ipapython.ipa_log_manager import log_mgr
 from ipapython.dn import DN
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.test_integration import tasks
+from ipatests.test_integration.test_dnssec import wait_until_record_is_signed
 from ipatests.util import assert_deepequal
 
 log = log_mgr.get_logger(__name__)
@@ -206,3 +207,134 @@ class TestBackupAndRestore(IntegrationTest):
 ])
 assert 'httpd_can_network_connect --> on' in result.stdout_text
 assert 'httpd_manage_ipa --> on' in result.stdout_text
+
+
+class BaseBackupAndRestoreWithDNS(IntegrationTest):
+"""
+Abstract class for DNS restore tests
+"""
+topology = 'star'
+
+example_test_zone = "example.test."
+example2_test_zone = "example2.test."
+
+@classmethod
+def install(cls, mh):
+tasks.install_master(cls.master, setup_dns=True)
+
+def _full_backup_restore_with_DNS_zone(self, reinstall=False):
+"""backup, uninstall, restore"""
+with restore_checker(self.master):
+
+self.master.run_command([
+'ipa', 'dnszone-add',
+self.example_test_zone,
+])
+
+tasks.resolve_record(self.master.ip, self.example_test_zone)
+
+backup_path = backup(self.master)
+
+self.master.run_command(['ipa-server-install',
+ '--uninstall',
+ '-U'])
+
+if reinstall:
+tasks.install_master(self.master, setup_dns=True)
+
+dirman_password = self.master.config.dirman_password
+self.master.run_command(['ipa-restore', backup_path],
+stdin_text=dirman_password + '\nyes')
+
+tasks.resolve_record(self.master.ip, self.example_test_zone)
+
+self.master.run_command([
+'ipa', 'dnszone-add',
+self.example2_test_zone,
+])
+
+tasks.resolve_record(self.master.ip, self.example2_test_zone)
+
+
+class TestBackupAndRestoreWithDNS(BaseBackupAndRestoreWithDNS):
+def test_full_backup_and_restore_with_DNS_zone(self):
+"""backup, uninstall, restore"""
+self._full_backup_restore_with_DNS_zone(reinstall=False)
+
+
+class TestBackupReinstallRestoreWithDNS(BaseBackupAndRestoreWithDNS):
+def test_full_backup_reinstall_restore_with_DNS_zone(self):
+"""backup, uninstall, reinstall, restore"""
+self._full_backup_restore_with_DNS_zone(reinstall=True)
+
+
+class BaseBackupAndRestoreWithDNSSEC(IntegrationTest):
+"""
+Abstract class for DNSSEC restore tests
+"""
+topology = 'star'
+
+example_test_zone = "example.test."
+example2_test_zone = "example2.test."
+
+@classmethod
+ 

Re: [Freeipa-devel] cert profiles - test plan + patches

2015-09-11 Thread Martin Basti



On 09/11/2015 09:51 AM, Lenka Doudova wrote:



On 09/10/2015 02:11 PM, Milan Kubík wrote:

On 09/04/2015 03:57 PM, Martin Babinsky wrote:

On 09/04/2015 11:06 AM, Lenka Doudova wrote:


Hi,



there's no traceback in the file you mentioned, but I'm running it

through lite-server, so here's the traceback from there:

http://pastebin.test.redhat.com/310598



I can't really get to the problem. What I forgot to mention in the

previous email was that the tests fail when attempting to add a

certprofile, but if I try to do is manually using 'ipa

certprofile-import' command with the exact same data as used in the

test, it works fine.



Lenka




Do you get the traceback also when you run the tests using
'ipa-run-tests' with installed IPA master?






Hello,

I don't think it is possible to run these tests against the lite 
server. Please do it on regular installation.


Anyway, sorry for the long delay. I send the updated patches.
I updated them to reflect the fix for rename option and extended 
about test with importing a profile from XML file. The test case may 
need to be updated, based on the resolution of [1].
This at the moment raises remote retrieve error (400 from dogtag), I 
think there should be more clear message (detecting xml).


[1]: https://fedorahosted.org/freeipa/ticket/5294


Cheers,
Milan


Hi,

can't build rpms after applying the patches (namely patch 0009.2):

Module ipatests.test_xmlrpc.utils
ipatests/test_xmlrpc/utils.py:10: [E1101(no-member), prepare_config] 
Module 'py' has no 'path' member)



Lenka

Do we need new util.py in test_xmlrpc? Why not just add it into existing 
ipatests/util.py?




Re: [Freeipa-devel] cert profiles - test plan + patches

2015-09-11 Thread Milan Kubík

On 09/11/2015 10:27 AM, Martin Basti wrote:



On 09/11/2015 09:51 AM, Lenka Doudova wrote:



On 09/10/2015 02:11 PM, Milan Kubík wrote:

On 09/04/2015 03:57 PM, Martin Babinsky wrote:

On 09/04/2015 11:06 AM, Lenka Doudova wrote:


Hi,



there's no traceback in the file you mentioned, but I'm running it

through lite-server, so here's the traceback from there:

http://pastebin.test.redhat.com/310598



I can't really get to the problem. What I forgot to mention in the

previous email was that the tests fail when attempting to add a

certprofile, but if I try to do is manually using 'ipa

certprofile-import' command with the exact same data as used in the

test, it works fine.



Lenka




Do you get the traceback also when you run the tests using
'ipa-run-tests' with installed IPA master?






Hello,

I don't think it is possible to run these tests against the lite 
server. Please do it on regular installation.


Anyway, sorry for the long delay. I send the updated patches.
I updated them to reflect the fix for rename option and extended 
about test with importing a profile from XML file. The test case may 
need to be updated, based on the resolution of [1].
This at the moment raises remote retrieve error (400 from dogtag), I 
think there should be more clear message (detecting xml).


[1]: https://fedorahosted.org/freeipa/ticket/5294


Cheers,
Milan


Hi,

can't build rpms after applying the patches (namely patch 0009.2):

Module ipatests.test_xmlrpc.utils
ipatests/test_xmlrpc/utils.py:10: [E1101(no-member), prepare_config] 
Module 'py' has no 'path' member)



Lenka

Do we need new util.py in test_xmlrpc? Why not just add it into 
existing ipatests/util.py?




I will move it there.


Re: [Freeipa-devel] cert profiles - test plan + patches

2015-09-11 Thread Milan Kubík

On 09/11/2015 10:27 AM, Martin Basti wrote:



On 09/11/2015 09:51 AM, Lenka Doudova wrote:



On 09/10/2015 02:11 PM, Milan Kubík wrote:

On 09/04/2015 03:57 PM, Martin Babinsky wrote:

On 09/04/2015 11:06 AM, Lenka Doudova wrote:


Hi,



there's no traceback in the file you mentioned, but I'm running it

through lite-server, so here's the traceback from there:

http://pastebin.test.redhat.com/310598



I can't really get to the problem. What I forgot to mention in the

previous email was that the tests fail when attempting to add a

certprofile, but if I try to do is manually using 'ipa

certprofile-import' command with the exact same data as used in the

test, it works fine.



Lenka




Do you get the traceback also when you run the tests using
'ipa-run-tests' with installed IPA master?






Hello,

I don't think it is possible to run these tests against the lite 
server. Please do it on regular installation.


Anyway, sorry for the long delay. I send the updated patches.
I updated them to reflect the fix for rename option and extended 
about test with importing a profile from XML file. The test case may 
need to be updated, based on the resolution of [1].
This at the moment raises remote retrieve error (400 from dogtag), I 
think there should be more clear message (detecting xml).


[1]: https://fedorahosted.org/freeipa/ticket/5294


Cheers,
Milan


Hi,

can't build rpms after applying the patches (namely patch 0009.2):

Module ipatests.test_xmlrpc.utils
ipatests/test_xmlrpc/utils.py:10: [E1101(no-member), prepare_config] 
Module 'py' has no 'path' member)



Lenka

Do we need new util.py in test_xmlrpc? Why not just add it into 
existing ipatests/util.py?




Updated patch attached.
Changes:
content of ipatests.test_xmlrpc.utils moved to ipatests.utils
make-lint updated to ignore py.path submodule
From a01d9bb444f9ecbb6a8d0b99b5ea4eff905bb908 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Milan=20Kub=C3=ADk?= 
Date: Sun, 23 Aug 2015 16:19:59 +0200
Subject: [PATCH] ipatests: Add basic tests for certificate profile plugin

---
 .../test_xmlrpc/data/caIPAserviceCert.xml.tmpl | 619 +
 .../test_xmlrpc/data/caIPAserviceCert_mal.cfg.tmpl | 109 
 .../test_xmlrpc/data/caIPAserviceCert_mod.cfg.tmpl | 109 
 .../data/caIPAserviceCert_mod_mal.cfg.tmpl | 109 
 ipatests/test_xmlrpc/test_certprofile_plugin.py| 203 ++-
 ipatests/util.py   |  13 +
 make-lint  |   1 +
 7 files changed, 1162 insertions(+), 1 deletion(-)
 create mode 100644 ipatests/test_xmlrpc/data/caIPAserviceCert.xml.tmpl
 create mode 100644 ipatests/test_xmlrpc/data/caIPAserviceCert_mal.cfg.tmpl
 create mode 100644 ipatests/test_xmlrpc/data/caIPAserviceCert_mod.cfg.tmpl
 create mode 100644 ipatests/test_xmlrpc/data/caIPAserviceCert_mod_mal.cfg.tmpl

diff --git a/ipatests/test_xmlrpc/data/caIPAserviceCert.xml.tmpl b/ipatests/test_xmlrpc/data/caIPAserviceCert.xml.tmpl
new file mode 100644
index ..99548192346b6105ea4f1a015738bfec612e3acd
--- /dev/null
+++ b/ipatests/test_xmlrpc/data/caIPAserviceCert.xml.tmpl
@@ -0,0 +1,619 @@
+
+http://www.w3.org/2005/Atom; id="caIPAserviceCert_xml">
+caEnrollImpl
+IPA-RA Agent-Authenticated Server Certificate Enrollment
+This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+true
+false
+ipara
+raCertAuth
+
+false
+false
+
+certReqInputImpl
+Certificate Request Input
+
+
+cert_request_type
+Certificate Request Type
+
+
+
+
+cert_request
+Certificate Request
+
+
+
+
+submitterInfoInputImpl
+Requestor Information
+
+
+string
+Requestor Name
+
+
+
+
+string
+Requestor Email
+
+
+
+
+string
+Requestor Phone
+
+
+
+
+Certificate Output
+certOutputImpl
+
+
+pretty_print
+Certificate Pretty Print
+
+
+
+
+pretty_print
+Certificate Base-64 Encoded
+
+
+
+
+
+serverCertSet
+
+
+This default populates a Certificate Subject Name to the request. The default values are Subject Name=CN=$request.req_subject_name.cn$, O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
+
+
+string
+Subject Name
+
+
+

Re: [Freeipa-devel] cert profiles - test plan + patches

2015-09-11 Thread Milan Kubík

On 09/11/2015 12:43 PM, Lenka Doudova wrote:





On 09/11/2015 11:45 AM, Milan Kubík wrote:


On 09/11/2015 10:27 AM, Martin Basti wrote:






On 09/11/2015 09:51 AM, Lenka Doudova wrote:






On 09/10/2015 02:11 PM, Milan Kubík wrote:


On 09/04/2015 03:57 PM, Martin Babinsky wrote:


On 09/04/2015 11:06 AM, Lenka Doudova wrote:




Hi,







there's no traceback in the file you mentioned, but I'm running it



through lite-server, so here's the traceback from there:



http://pastebin.test.redhat.com/310598







I can't really get to the problem. What I forgot to mention in the



previous email was that the tests fail when attempting to add a



certprofile, but if I try to do is manually using 'ipa



certprofile-import' command with the exact same data as used in the



test, it works fine.







Lenka








Do you get the traceback also when you run the tests using

'ipa-run-tests' with installed IPA master?












Hello,



I don't think it is possible to run these tests against the lite
server. Please do it on regular installation.



Anyway, sorry for the long delay. I send the updated patches.

I updated them to reflect the fix for rename option and extended
about test with importing a profile from XML file. The test case
may need to be updated, based on the resolution of [1].

This at the moment raises remote retrieve error (400 from dogtag),
I think there should be more clear message (detecting xml).



[1]: https://fedorahosted.org/freeipa/ticket/5294





Cheers,

Milan




Hi,



can't build rpms after applying the patches (namely patch 0009.2):



Module ipatests.test_xmlrpc.utils

ipatests/test_xmlrpc/utils.py:10: [E1101(no-member), prepare_config]
Module 'py' has no 'path' member)





Lenka




Do we need new util.py in test_xmlrpc? Why not just add it into
existing ipatests/util.py?






Updated patch attached.

Changes:

content of ipatests.test_xmlrpc.utils moved to ipatests.utils

make-lint updated to ignore py.path submodule




Again got an error:



Module ipatests.test_xmlrpc.test_certprofile_plugin



ipatests/test_xmlrpc/test_certprofile_plugin.py:16: 
[E0611(no-name-in-module), ] No name 'utils' in module 'ipatests')






Probably just extra 's' in:



from ipatests.utils import prepare_config



Lenka




Typo fixed. Removed the py module from the code after an offline discussion.
Patch attached.

Milan

From b21dbf8e4ce6215f1bd06b250c48d826372e354b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Milan=20Kub=C3=ADk?= 
Date: Sun, 23 Aug 2015 16:19:59 +0200
Subject: [PATCH] ipatests: Add basic tests for certificate profile plugin

---
 .../test_xmlrpc/data/caIPAserviceCert.xml.tmpl | 619 +
 .../test_xmlrpc/data/caIPAserviceCert_mal.cfg.tmpl | 109 
 .../test_xmlrpc/data/caIPAserviceCert_mod.cfg.tmpl | 109 
 .../data/caIPAserviceCert_mod_mal.cfg.tmpl | 109 
 ipatests/test_xmlrpc/test_certprofile_plugin.py| 203 ++-
 ipatests/util.py   |  10 +
 6 files changed, 1158 insertions(+), 1 deletion(-)
 create mode 100644 ipatests/test_xmlrpc/data/caIPAserviceCert.xml.tmpl
 create mode 100644 ipatests/test_xmlrpc/data/caIPAserviceCert_mal.cfg.tmpl
 create mode 100644 ipatests/test_xmlrpc/data/caIPAserviceCert_mod.cfg.tmpl
 create mode 100644 ipatests/test_xmlrpc/data/caIPAserviceCert_mod_mal.cfg.tmpl

diff --git a/ipatests/test_xmlrpc/data/caIPAserviceCert.xml.tmpl b/ipatests/test_xmlrpc/data/caIPAserviceCert.xml.tmpl
new file mode 100644
index ..99548192346b6105ea4f1a015738bfec612e3acd
--- /dev/null
+++ b/ipatests/test_xmlrpc/data/caIPAserviceCert.xml.tmpl
@@ -0,0 +1,619 @@
+
+http://www.w3.org/2005/Atom; id="caIPAserviceCert_xml">
+caEnrollImpl
+IPA-RA Agent-Authenticated Server Certificate Enrollment
+This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+true
+false
+ipara
+raCertAuth
+
+false
+false
+
+certReqInputImpl
+Certificate Request Input
+
+
+cert_request_type
+Certificate Request Type
+
+
+
+
+cert_request
+Certificate Request
+
+
+
+
+submitterInfoInputImpl
+Requestor Information
+
+
+string
+Requestor Name
+
+
+
+
+string
+Requestor Email
+
+
+
+
+string
+Requestor Phone
+
+
+
+
+Certificate Output
+certOutputImpl
+
+
+pretty_print
+Certificate Pretty Print
+
+
+
+
+pretty_print
+Certificate 

Re: [Freeipa-devel] [PATCH 0307] Server Install: print message that client is being installed

2015-09-11 Thread Simo Sorce
On Fri, 2015-09-11 at 14:49 +0200, Martin Basti wrote:
> 
> On 09/03/2015 03:56 PM, Simo Sorce wrote:
> > On Thu, 2015-09-03 at 15:32 +0200, Martin Basti wrote:
> >> On 09/03/2015 02:42 PM, Simo Sorce wrote:
> >>> On Thu, 2015-09-03 at 10:19 +0200, Martin Basti wrote:
>  On 09/02/2015 06:00 PM, Simo Sorce wrote:
> > On Wed, 2015-09-02 at 17:57 +0200, Martin Basti wrote:
> >> Client installation is done as "Restarting web server". This step
> >> deserve own message.
> >>
> >> Patch attached
> > I've seen various cases like this. And I can't understand why these
> > steps aren't embedded in the actual instance install steps that need the
> > restart (which implicitly also provide a message).
> >
> > In the promotion patchset I did move steps like this into the proper
> > instances, so I would prefer you do the same with the install path as
> > that is more appropriate.
> >
> > Simo.
> >
>  We need restart httpd after CA, DNS(optional) installation, so thats why
>  it is outside of httpd instance.
> >>> You need to restart httpd always after CA install as it changes the
> >>> proxy settings, but why do you need to restart it after DNS
> >>> installation ?
> >> It is needed due changes in resolv.conf
> >>> (I think it is fine to restart it twice if it is really needed after DNS
> >>> change).
> >> IMO it is waste of time to restart httpd twice in one minute
> >>
> >> Can we resolve this in 4.4, where might be place to finish improvements
> >> in installer? (If this is not blocking replica promotion)
> > Ok, it is not important enough to waste time now.
> >
> > Simo.
> >
> 
> Can be this patch pushed to master then?

Yes

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] cert profiles - test plan + patches

2015-09-11 Thread Lenka Doudova



On 09/11/2015 11:45 AM, Milan Kubík wrote:

On 09/11/2015 10:27 AM, Martin Basti wrote:



On 09/11/2015 09:51 AM, Lenka Doudova wrote:



On 09/10/2015 02:11 PM, Milan Kubík wrote:

On 09/04/2015 03:57 PM, Martin Babinsky wrote:

On 09/04/2015 11:06 AM, Lenka Doudova wrote:


Hi,



there's no traceback in the file you mentioned, but I'm running it

through lite-server, so here's the traceback from there:

http://pastebin.test.redhat.com/310598



I can't really get to the problem. What I forgot to mention in the

previous email was that the tests fail when attempting to add a

certprofile, but if I try to do is manually using 'ipa

certprofile-import' command with the exact same data as used in the

test, it works fine.



Lenka




Do you get the traceback also when you run the tests using
'ipa-run-tests' with installed IPA master?






Hello,

I don't think it is possible to run these tests against the lite 
server. Please do it on regular installation.


Anyway, sorry for the long delay. I send the updated patches.
I updated them to reflect the fix for rename option and extended 
about test with importing a profile from XML file. The test case 
may need to be updated, based on the resolution of [1].
This at the moment raises remote retrieve error (400 from dogtag), 
I think there should be more clear message (detecting xml).


[1]: https://fedorahosted.org/freeipa/ticket/5294


Cheers,
Milan


Hi,

can't build rpms after applying the patches (namely patch 0009.2):

Module ipatests.test_xmlrpc.utils
ipatests/test_xmlrpc/utils.py:10: [E1101(no-member), prepare_config] 
Module 'py' has no 'path' member)



Lenka

Do we need new util.py in test_xmlrpc? Why not just add it into 
existing ipatests/util.py?




Updated patch attached.
Changes:
content of ipatests.test_xmlrpc.utils moved to ipatests.utils
make-lint updated to ignore py.path submodule


Again got an error:

Module ipatests.test_xmlrpc.test_certprofile_plugin

ipatests/test_xmlrpc/test_certprofile_plugin.py:16: [E0611(no-name-in-module), 
] No name 'utils' in module 'ipatests')


Probably just extra 's' in:

from ipatests.utils import prepare_config

Lenka


Re: [Freeipa-devel] [PATCH 0314] Server Upgrade: backup CS.cfg when dogtag is turnend off

2015-09-11 Thread David Kupka

On 10/09/15 18:50, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5287

Patch attached.



Works for me, ACK.

--
David Kupka



Re: [Freeipa-devel] [PATCH 0314] Server Upgrade: backup CS.cfg when dogtag is turnend off

2015-09-11 Thread Martin Basti



On 09/11/2015 01:50 PM, David Kupka wrote:

On 10/09/15 18:50, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5287

Patch attached.



Works for me, ACK.


Pushed to:
master: 5762ad951fca025f17d00095bd7d89a14536ae85
ipa-4-2: c3d8a138aaad52af9c10ef8816b23cc81d79a680



Re: [Freeipa-devel] INFO: CA ACL test and kerberos usage in functional tests

2015-09-11 Thread Martin Babinsky

On 09/10/2015 06:41 PM, Milan Kubík wrote:

On 09/10/2015 06:36 PM, Alexander Bokovoy wrote:

On Thu, 10 Sep 2015, Milan Kubík wrote:

Hi list,

before my PTO, I was trying to write a functional test for CA ACLs
with the tracker along all other acceptance/functional tests.

I wasn't successful, the approach doesn't seem to work for CA ACLs as
they have specific requirements for kerberos credentials
that none of my attempts were able to meet. I have tried several
approaches and the memo I got out of this is that currently, there
seems to be no way to conveniently run a test that changes the
user identity during the functional test (xmlrpc tests).

I haven't had much time to write an integration test that should
solve these problems with changing identity.

The approaches I have tried include, in no particular order:

* switch the default ccache to the identity desired, before calls
made on an API object
   - in case of FILE ccache, moving it back and forth
   - in case of kernel keyring, using kswitch

* instantiating another API instance in the process running the test,
while the other ccache is active
   - the API object internals seem to prevent this as there is still
a lot of shared state between the API instances

* running the command supposed to have different identity as a
subprocess after switching the identity
   - this attempt seemed to have inherited the opened connection to
the backend from the parent python process,
 creating a conflict during the client bootstrap

* injecting the KRB5CCNAME environment variable with second identity
into the python process
   - the API instance doesn't seem to be affected by this value half
of the times.
   - randomly, the new credentials are used, breaking all the things.

Unable to change the user during the test, the code I wrote for this
wasn't doing what I intended it to do
because the admin user used in the tests overrides all CA ACLs.

One way to do it is to use keyctl to create subsessions for different
authenticated users and switch between subsessions for the separate
calls.

See keyctl manual page and 'keyctl session ' part.

Thanks, I'll take a look at this next week.



Maybe you can also try to wrap the user auth, connection and API calls
in 'ipapython.ipautil.private_ccache' context manager like this:

"""
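from ipalib import api
from ipapython.ipautil import private_ccache, kinit_password, run

# Example: run one API call under a second Kerberos identity without
# disturbing the credentials cache the rest of the test run relies on.

api.bootstrap()
api.finalize()

# Relative path, so the cache file is created in the current working
# directory. NOTE(review): a test would normally keep this in a private
# temporary directory -- confirm what private_ccache expects.
tmp_ccache = 'krb5cc_jdoe'

run(['klist'])  # should list admin as default principal

with private_ccache(tmp_ccache):
    # Sample user and password; a real test should take these from the test
    # configuration rather than from literals in the source.
    kinit_password(u'jdoe', u'jdoepasswd', tmp_ccache)
    run(['klist'])  # lists jdoe as default principal
    api.Backend.rpcclient.connect(ccache=tmp_ccache)
    try:
        api.Command.ping()
    finally:
        # Always drop the connection made with jdoe's credentials, even if
        # the command fails, so later calls cannot reuse it. The namespace
        # is api.Backend, the same one used for connect() above.
        api.Backend.rpcclient.disconnect()

run(['klist'])  # KRB5CCNAME should be reset back to admin ccache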
"""

I have tested it and it seems to work. I haven't played with it very 
extensively, though.


--
Martin^3 Babinsky


Re: [Freeipa-devel] [PATCH 0313] IPA Restore: allow to specify dirs/files which should be removed before restore

2015-09-11 Thread Martin Basti



On 09/11/2015 02:56 PM, David Kupka wrote:

On 11/09/15 14:44, Martin Basti wrote:



On 09/10/2015 05:34 PM, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5293

Patch attached.




Updated patch attached.

* list of dirs/files was moved to class (the same way is in ipa-backup)
* log errors if dir/file cannot be removed (errors other than dir/file
does not exist)


Looks good to me and works as expected, ACK.


Pushed to:
master: f8f5bd644aee5c54acc857061868e659ae449e48
ipa-4-2: 21f2a3d1731a43551cc130356329bcadba7ffdfe



Re: [Freeipa-devel] [PATCH 0307] Server Install: print message that client is being installed

2015-09-11 Thread Martin Basti



On 09/03/2015 03:56 PM, Simo Sorce wrote:

On Thu, 2015-09-03 at 15:32 +0200, Martin Basti wrote:

On 09/03/2015 02:42 PM, Simo Sorce wrote:

On Thu, 2015-09-03 at 10:19 +0200, Martin Basti wrote:

On 09/02/2015 06:00 PM, Simo Sorce wrote:

On Wed, 2015-09-02 at 17:57 +0200, Martin Basti wrote:

Client installation is done as "Restarting web server". This step
deserve own message.

Patch attached

I've seen various cases like this. And I can't understand why these
steps aren't embedded in the actual instance install steps that need the
restart (which implicitly also provide a message).

In the promotion patchset I did move steps like this into the proper
instances, so I would prefer you do the same with the install path as
that is more appropriate.

Simo.


We need restart httpd after CA, DNS(optional) installation, so thats why
it is outside of httpd instance.

You need to restart httpd always after CA install as it changes the
proxy settings, but why do you need to restart it after DNS
installation ?

It is needed due changes in resolv.conf

(I think it is fine to restart it twice if it is really needed after DNS
change).

IMO it is waste of time to restart httpd twice in one minute

Can we resolve this in 4.4, where might be place to finish improvements
in installer? (If this is not blocking replica promotion)

Ok, it is not important enough to waste time now.

Simo.



Can be this patch pushed to master then?
Martin^2



Re: [Freeipa-devel] [PATCHES 481-486] Metaclass and str modernization

2015-09-11 Thread Petr Viktorin
On 09/07/2015 08:02 AM, Jan Cholasta wrote:
> On 3.9.2015 19:23, Petr Viktorin wrote:
>> On 09/01/2015 04:47 PM, Jan Cholasta wrote:
>>> Hi,
>>>
>>> the attached patches add some more modernization to our code.
[...]
>> 484:
>> To avoid merge conflicts later, perhaps it would be better to have
>>
>>  if six.PY3:
>>  unicode = str
>>
>> at the start of each affected file, instead of scattering changes in the
>> files?
>> (I can prepare the patch if you agree)
> 
> (Be my guest)
> 
>>
>>
>> 485:
>> six.binary_type is named "bytes" since Python 2.6. I think it would be
>> better to use that, to avoid another change when py2 is dropped.
>> (I can prepare the patch here, too)
> 
> (OK)
> 
>>
>>
>> 486: ACK

Here are the two patches updated to use "unicode" and "bytes".


-- 
Petr Viktorin
From 8ffd5c92767b5c49c1ab03aca08cc3fceb3bbeaf Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Fri, 11 Sep 2015 13:43:28 +0200
Subject: [PATCH] Alias "unicode" to "str" under Python 3

The six way of doing this is to replace all occurrences of "unicode"
with "six.text_type". However, "unicode" is unambiguous and
(arguably) easier to read. Also, using it makes the patches smaller,
which should help with backporting.
---
 doc/examples/examples.py | 6 ++
 install/certmonger/dogtag-ipa-ca-renew-agent-submit  | 6 ++
 install/oddjob/com.redhat.idm.trust-fetch-domains| 5 +
 install/tools/ipa-adtrust-install| 4 
 ipa-client/ipaclient/ipachangeconf.py| 4 
 ipalib/cli.py| 3 +++
 ipalib/config.py | 2 ++
 ipalib/frontend.py   | 4 
 ipalib/krb_utils.py  | 5 +
 ipalib/messages.py   | 2 ++
 ipalib/output.py | 4 
 ipalib/parameters.py | 3 +++
 ipalib/pkcs10.py | 5 +
 ipalib/plugable.py   | 5 +
 ipalib/plugins/aci.py| 5 +
 ipalib/plugins/automember.py | 4 
 ipalib/plugins/automount.py  | 5 +
 ipalib/plugins/baseldap.py   | 3 +++
 ipalib/plugins/baseuser.py   | 3 +++
 ipalib/plugins/batch.py  | 5 +
 ipalib/plugins/cert.py   | 5 +
 ipalib/plugins/dns.py| 3 +++
 ipalib/plugins/group.py  | 3 +++
 ipalib/plugins/hbactest.py   | 4 
 ipalib/plugins/host.py   | 5 +
 ipalib/plugins/hostgroup.py  | 5 +
 ipalib/plugins/idrange.py| 5 +
 ipalib/plugins/idviews.py| 5 +
 ipalib/plugins/migration.py  | 5 +
 ipalib/plugins/netgroup.py   | 4 
 ipalib/plugins/otptoken.py   | 5 +
 ipalib/plugins/otptoken_yubikey.py   | 4 
 ipalib/plugins/permission.py | 3 +++
 ipalib/plugins/pwpolicy.py   | 5 +
 ipalib/plugins/realmdomains.py   | 4 
 ipalib/plugins/service.py| 4 
 ipalib/plugins/servicedelegation.py  | 5 +
 ipalib/plugins/stageuser.py  | 6 ++
 ipalib/plugins/sudorule.py   | 4 
 ipalib/plugins/topology.py   | 4 
 ipalib/plugins/trust.py  | 5 +
 ipalib/plugins/user.py   | 5 +
 ipalib/rpc.py| 3 +++
 ipalib/text.py   | 3 +++
 ipalib/util.py   | 3 +++
 ipapython/dn.py  | 3 +++
 ipapython/dnsutil.py | 3 +++
 ipapython/dogtag.py  | 4 
 ipapython/ipaldap.py | 3 +++
 ipapython/ssh.py | 5 +
 ipapython/sysrestore.py  | 5 +
 ipaserver/dcerpc.py  | 4 
 ipaserver/install/adtrustinstance.py   

Re: [Freeipa-devel] [PATCH 0313] IPA Restore: allow to specify dirs/files which should be removed before restore

2015-09-11 Thread Martin Basti



On 09/10/2015 05:34 PM, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5293

Patch attached.




Updated patch attached.

* list of dirs/files was moved to class (the same way is in ipa-backup)
* log errors if dir/file cannot be removed (errors other than dir/file 
does not exist)
From 43c339ea20404347fd58a34597ac69c99d674745 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Thu, 10 Sep 2015 16:35:54 +0200
Subject: [PATCH] IPA Restore: allows to specify files that should be removed

Some files/directories should be removed before backup files are copied
to filesystem.

In case of DNSSEC, the /var/lib/ipa/dnssec/tokens directory has to be
removed, otherwise tokens that are backed up and existing tokens will be
mixed and SOFTHSM log in will not work

https://fedorahosted.org/freeipa/ticket/5293
---
 ipaserver/install/ipa_restore.py | 28 
 1 file changed, 28 insertions(+)

diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index e8820b99ede4bb8eaa95bb8f25d946cb369f3048..b7af88d99e0e291ea086cf64c410e9a2f10aefaf 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -128,6 +128,14 @@ class Restore(admintool.AdminTool):
 
 description = "Restore IPA files and databases."
 
+# directories and files listed here will be removed from filesystem before
+# files from backup are copied
+DIRS_TO_BE_REMOVED = [
+paths.DNSSEC_TOKENS_DIR,
+]
+
+FILES_TO_BE_REMOVED = []
+
 def __init__(self, options, args):
 super(Restore, self).__init__(options, args)
 self._conn = None
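Review bot: The comment above `DIRS_TO_BE_REMOVED` says the listed paths are removed before backup files are copied, but the call added in the second hunk sits under `if restore_type == 'FULL':`, so data-only restores never touch them. Directories are also deleted recursively (`shutil.rmtree` in `remove_old_files`), which anyone adding an entry should know before listing a path. I would word the comment as `# Removed before a FULL restore copies files from the backup; directories are deleted recursively, so list only paths wholly owned by IPA.` Both lists are mutable class attributes, and tuples would guard against accidental modification at runtime. The class body starts and continues outside this hunk.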
@@ -365,6 +373,7 @@ class Restore(admintool.AdminTool):
 
 # We do either a full file restore or we restore data.
 if restore_type == 'FULL':
+self.remove_old_files()
 if 'CA' in self.backup_services:
 create_ca_user()
 self.cert_restore_prepare()
@@ -647,6 +656,25 @@ class Restore(admintool.AdminTool):
   (paths.IPA_DEFAULT_CONF, stderr))
 os.chdir(cwd)
 
+def remove_old_files(self):
+"""
+Removes all directories, files or temporal files that should be
+removed before backup files are copied, to prevent errors.
+"""
+for d in self.DIRS_TO_BE_REMOVED:
+try:
+shutil.rmtree(d)
+except OSError as e:
+if e.errno != 2:  # 2: dir does not exist
+self.log.warning("Could not remove directory: %s (%s)",
+ d, e)
+
+for f in self.FILES_TO_BE_REMOVED:
+try:
+os.remove(f)
+except OSError as e:
+if e.errno != 2:  # 2: file does not exist
+self.log.warning("Could not remove file: %s (%s)", f, e)
 
 def file_restore(self, nologs=False):
 '''
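Review bot: A failure to delete an entry in `remove_old_files` is only logged with `self.log.warning` and the restore carries on, so the mixed-token state the commit message describes can still result, with nothing but a warning in the log. If that state really breaks SoftHSM login, aborting is safer, e.g. `raise admintool.ScriptError("Could not remove directory: %s (%s)" % (d, e))` in place of the warning, assuming `ScriptError` is the error type this tool uses elsewhere, which the hunk does not show. The literal `2` in both `except` branches should be `errno.ENOENT`, with `import errno` added at the top of the file if it is not already there (the import block is outside the hunk). A listed directory that is a symlink makes `shutil.rmtree` raise `OSError` instead of deleting, and that case also lands in the warning branch.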
-- 
2.4.3


Re: [Freeipa-devel] [PATCH 0307] Server Install: print message that client is being installed

2015-09-11 Thread Martin Basti



On 09/11/2015 04:00 PM, Simo Sorce wrote:

On Fri, 2015-09-11 at 14:49 +0200, Martin Basti wrote:

On 09/03/2015 03:56 PM, Simo Sorce wrote:

On Thu, 2015-09-03 at 15:32 +0200, Martin Basti wrote:

On 09/03/2015 02:42 PM, Simo Sorce wrote:

On Thu, 2015-09-03 at 10:19 +0200, Martin Basti wrote:

On 09/02/2015 06:00 PM, Simo Sorce wrote:

On Wed, 2015-09-02 at 17:57 +0200, Martin Basti wrote:

Client installation is done under the "Restarting web server" step. This step
deserves its own message.

Patch attached

I've seen various cases like this. And I can't understand why these
steps aren't embedded in the actual instance install steps that need the
restart (which implicitly also provide a message).

In the promotion patchset I did move steps like this into the proper
instances, so I would prefer you do the same with the install path as
that is more appropriate.

Simo.


We need to restart httpd after CA and DNS (optional) installation, so that's why
it is outside of the httpd instance.

You need to restart httpd always after CA install as it changes the
proxy settings, but why do you need to restart it after DNS
installation ?

It is needed due to changes in resolv.conf

(I think it is fine to restart it twice if it is really needed after DNS
change).

IMO it is waste of time to restart httpd twice in one minute

Can we resolve this in 4.4, where might be place to finish improvements
in installer? (If this is not blocking replica promotion)

Ok, it is not important enough to waste time now.

Simo.


Can this patch be pushed to master then?

Yes


Pushed to master: 7f0076b9a5f2aced1f27b976217309be2eec0b1c



[Freeipa-devel] [PATCH 0315] CI: backup with KRA installed

2015-09-11 Thread Martin Basti

Patch mbasti-0312-2

Patch attached.
From 55fe01eeeb72f87be212fdff452375ff50961030 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Fri, 11 Sep 2015 14:33:17 +0200
Subject: [PATCH] CI: backup and restore with KRA

---
 .../test_integration/test_backup_and_restore.py| 77 ++
 1 file changed, 77 insertions(+)

diff --git a/ipatests/test_integration/test_backup_and_restore.py b/ipatests/test_integration/test_backup_and_restore.py
index 93f5d131c7de2b40d9be9434a372477d5924c1b9..1c79e318bab4bd59ba8a717ba66dc7237f4ed0cb 100644
--- a/ipatests/test_integration/test_backup_and_restore.py
+++ b/ipatests/test_integration/test_backup_and_restore.py
@@ -338,3 +338,80 @@ class TestBackupReinstallRestoreWithDNSSEC(BaseBackupAndRestoreWithDNSSEC):
 def test_full_backup_reinstall_restore_with_DNSSEC_zone(self):
 """backup, uninstall, install, restore"""
 self._full_backup_and_restore_with_DNSSEC_zone(reinstall=True)
+
+
+class BaseBackupAndRestoreWithKRA(IntegrationTest):
+"""
+Abstract class for KRA restore tests
+"""
+topology = 'star'
+
+vault_name = "ci_test_vault"
+vault_password = "password"
+vault_data = "SSBsb3ZlIENJIHRlc3RzCg=="
+
+@classmethod
+def install(cls, mh):
+tasks.install_master(cls.master, setup_dns=True)
+args = [
+"ipa-kra-install",
+"-p", cls.master.config.dirman_password,
+"-U",
+]
+cls.master.run_command(args)
+
+def _full_backup_restore_with_vault(self, reinstall=False):
+with restore_checker(self.master):
+# create vault
+self.master.run_command([
+"ipa", "vault-add",
+self.vault_name,
+"--password", self.vault_password,
+"--type", "symmetric",
+])
+
+# archive secret
+self.master.run_command([
+"ipa", "vault-archive",
+self.vault_name,
+"--password", self.vault_password,
+"--data", self.vault_data,
+])
+
+# retrieve secret
+self.master.run_command([
+"ipa", "vault-retrieve",
+self.vault_name,
+"--password", self.vault_password,
+])
+
+backup_path = backup(self.master)
+
+self.master.run_command(['ipa-server-install',
+ '--uninstall',
+ '-U'])
+
+if reinstall:
+tasks.install_master(self.master, setup_dns=True)
+
+dirman_password = self.master.config.dirman_password
+self.master.run_command(['ipa-restore', backup_path],
+stdin_text=dirman_password + '\nyes')
+
+# retrieve secret after restore
+self.master.run_command([
+"ipa", "vault-retrieve",
+self.vault_name,
+"--password", self.vault_password,
+])
+
+
+class TestBackupAndRestoreWithKRA(BaseBackupAndRestoreWithKRA):
+def test_full_backup_restore_with_vault(self):
+"""backup, uninstall, restore"""
+self._full_backup_restore_with_vault(reinstall=False)
+
+class TestBackupReinstallRestoreWithKRA(BaseBackupAndRestoreWithKRA):
+def test_full_backup_reinstall_restore_with_vault(self):
+"""backup, uninstall, reinstall, restore"""
+self._full_backup_restore_with_vault(reinstall=True)
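Review bot: The `vault-retrieve` call after `ipa-restore` in `_full_backup_restore_with_vault` checks only that the command exits successfully; the returned secret is never compared with `vault_data`, so a restore that brings back a vault with different or empty contents would still pass. Capture the result and assert on it, e.g. `result = self.master.run_command([...])` followed by `assert self.vault_data in result.stdout_text` (assuming the command prints the base64 data as given; adjust to the actual output format). The same applies to the retrieve done before the backup. `BaseBackupAndRestoreWithKRA.install` and `_full_backup_restore_with_vault` would also benefit from one-line docstrings, e.g. `"""Install the master with DNS, then add the KRA."""`.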
-- 
2.4.3
