Re: [Freeipa-devel] cert profiles - test plan + patches
On 09/10/2015 02:11 PM, Milan Kubík wrote: On 09/04/2015 03:57 PM, Martin Babinsky wrote: On 09/04/2015 11:06 AM, Lenka Doudova wrote: Hi, there's no traceback in the file you mentioned, but I'm running it through lite-server, so here's the traceback from there: http://pastebin.test.redhat.com/310598 I can't really get to the problem. What I forgot to mention in the previous email was that the tests fail when attempting to add a certprofile, but if I try to do is manually using 'ipa certprofile-import' command with the exact same data as used in the test, it works fine. Lenka Do you get the traceback also when you run the tests using 'ipa-run-tests' with installed IPA master? Hello, I don't think it is possible to run these tests against the lite server. Please do it on regular installation. Anyway, sorry for the long delay. I send the updated patches. I updated them to reflect the fix for rename option and extended about test with importing a profile from XML file. The test case may need to be updated, based on the resolution of [1]. This at the moment raises remote retrieve error (400 from dogtag), I think there should be more clear message (detecting xml). [1]: https://fedorahosted.org/freeipa/ticket/5294 Cheers, Milan Hi, can't build rpms after applying the patches (namely patch 0009.2): Module ipatests.test_xmlrpc.utils ipatests/test_xmlrpc/utils.py:10: [E1101(no-member), prepare_config] Module 'py' has no 'path' member) Lenka -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0312] CI: extend backup restore tests with DNS/DNSSEC
On 09/10/2015 10:48 AM, Martin Basti wrote: Self NACK On 09/10/2015 10:21 AM, Martin Basti wrote: Patch attached. Updated patch attached. From d91945aade1931b37e6b431729c43ae0cfb71311 Mon Sep 17 00:00:00 2001 From: Martin BastiDate: Tue, 8 Sep 2015 13:08:31 +0200 Subject: [PATCH] backup CI: test DNS/DNSSEC after backup and restore --- ipatests/test_integration/tasks.py | 23 .../test_integration/test_backup_and_restore.py| 132 + 2 files changed, 155 insertions(+) diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py index 820507022e6b5e8cc7a57c66c7f9e8e8b1500c7e..06049d4ae01332e0af4d8775b745342406fc868d 100644 --- a/ipatests/test_integration/tasks.py +++ b/ipatests/test_integration/tasks.py @@ -26,6 +26,7 @@ import collections import itertools import time import StringIO +import dns from ldif import LDIFWriter @@ -801,3 +802,25 @@ def add_a_record(master, host): master.domain.name, host.hostname, '--a-rec', host.ip]) + + +def resolve_record(nameserver, query, rtype="SOA", retry=True, timeout=100): +"""Resolve DNS record +:retry: if resolution failed try again until timeout is reached +:timeout: max period of time while method will try to resolve query + (requires retry=True) +""" +res = dns.resolver.Resolver() +res.nameservers = [nameserver] +res.lifetime = 10 # wait max 10 seconds for reply + +wait_until = time.time() + timeout + +while time.time() < wait_until: +try: +ans = res.query(query, rtype) +return ans +except dns.exception.DNSException: +if not retry: +raise +time.sleep(1) diff --git a/ipatests/test_integration/test_backup_and_restore.py b/ipatests/test_integration/test_backup_and_restore.py index 0ce1aaf29f76fec207b6ac64fab81190dae12e7f..93f5d131c7de2b40d9be9434a372477d5924c1b9 100644 --- a/ipatests/test_integration/test_backup_and_restore.py +++ b/ipatests/test_integration/test_backup_and_restore.py 
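Review bot: When `retry=True` and the timeout elapses, the `while` loop in `resolve_record` just ends and the function returns `None`. The calls added in test_backup_and_restore.py ignore the return value, so a zone that never resolves after the restore would still let the test pass. Ending the function with an explicit failure after the loop, for example `raise RuntimeError("no %s answer for %s within %s s" % (rtype, query, timeout))`, would make an unresolved record fail the test. Separately, the first hunk adds only `import dns`; `dns.resolver` and `dns.exception` are reachable through it only if some other module has already imported those submodules, so `import dns.resolver` and `import dns.exception` would be safer.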
@@ -27,6 +27,7 @@ from ipapython.ipa_log_manager import log_mgr from ipapython.dn import DN from ipatests.test_integration.base import IntegrationTest from ipatests.test_integration import tasks +from ipatests.test_integration.test_dnssec import wait_until_record_is_signed from ipatests.util import assert_deepequal log = log_mgr.get_logger(__name__) 
@@ -206,3 +207,134 @@ class TestBackupAndRestore(IntegrationTest): ]) assert 'httpd_can_network_connect --> on' in result.stdout_text assert 'httpd_manage_ipa --> on' in result.stdout_text + + +class BaseBackupAndRestoreWithDNS(IntegrationTest): +""" +Abstract class for DNS restore tests +""" +topology = 'star' + +example_test_zone = "example.test." +example2_test_zone = "example2.test." + +@classmethod +def install(cls, mh): +tasks.install_master(cls.master, setup_dns=True) + +def _full_backup_restore_with_DNS_zone(self, reinstall=False): +"""backup, uninstall, restore""" +with restore_checker(self.master): + +self.master.run_command([ +'ipa', 'dnszone-add', +self.example_test_zone, +]) + +tasks.resolve_record(self.master.ip, self.example_test_zone) + +backup_path = backup(self.master) + +self.master.run_command(['ipa-server-install', + '--uninstall', + '-U']) + +if reinstall: +tasks.install_master(self.master, setup_dns=True) + +dirman_password = self.master.config.dirman_password +self.master.run_command(['ipa-restore', backup_path], +stdin_text=dirman_password + '\nyes') + +tasks.resolve_record(self.master.ip, self.example_test_zone) + +self.master.run_command([ +'ipa', 'dnszone-add', +self.example2_test_zone, +]) + +tasks.resolve_record(self.master.ip, self.example2_test_zone) + + +class TestBackupAndRestoreWithDNS(BaseBackupAndRestoreWithDNS): +def test_full_backup_and_restore_with_DNS_zone(self): +"""backup, uninstall, restore""" +self._full_backup_restore_with_DNS_zone(reinstall=False) + + +class TestBackupReinstallRestoreWithDNS(BaseBackupAndRestoreWithDNS): +def test_full_backup_reinstall_restore_with_DNS_zone(self): +"""backup, uninstall, reinstall, restore""" +self._full_backup_restore_with_DNS_zone(reinstall=True) + + +class BaseBackupAndRestoreWithDNSSEC(IntegrationTest): +""" +Abstract class for DNSSEC restore tests +""" +topology = 'star' + +example_test_zone = "example.test." +example2_test_zone = "example2.test." + +@classmethod +
Re: [Freeipa-devel] cert profiles - test plan + patches
On 09/11/2015 09:51 AM, Lenka Doudova wrote: On 09/10/2015 02:11 PM, Milan Kubík wrote: On 09/04/2015 03:57 PM, Martin Babinsky wrote: On 09/04/2015 11:06 AM, Lenka Doudova wrote: Hi, there's no traceback in the file you mentioned, but I'm running it through lite-server, so here's the traceback from there: http://pastebin.test.redhat.com/310598 I can't really get to the problem. What I forgot to mention in the previous email was that the tests fail when attempting to add a certprofile, but if I try to do is manually using 'ipa certprofile-import' command with the exact same data as used in the test, it works fine. Lenka Do you get the traceback also when you run the tests using 'ipa-run-tests' with installed IPA master? Hello, I don't think it is possible to run these tests against the lite server. Please do it on regular installation. Anyway, sorry for the long delay. I send the updated patches. I updated them to reflect the fix for rename option and extended about test with importing a profile from XML file. The test case may need to be updated, based on the resolution of [1]. This at the moment raises remote retrieve error (400 from dogtag), I think there should be more clear message (detecting xml). [1]: https://fedorahosted.org/freeipa/ticket/5294 Cheers, Milan Hi, can't build rpms after applying the patches (namely patch 0009.2): Module ipatests.test_xmlrpc.utils ipatests/test_xmlrpc/utils.py:10: [E1101(no-member), prepare_config] Module 'py' has no 'path' member) Lenka Do we need new util.py in test_xmlrpc? Why not just add it into existing ipatests/util.py? -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] cert profiles - test plan + patches
On 09/11/2015 10:27 AM, Martin Basti wrote: On 09/11/2015 09:51 AM, Lenka Doudova wrote: On 09/10/2015 02:11 PM, Milan Kubík wrote: On 09/04/2015 03:57 PM, Martin Babinsky wrote: On 09/04/2015 11:06 AM, Lenka Doudova wrote: Hi, there's no traceback in the file you mentioned, but I'm running it through lite-server, so here's the traceback from there: http://pastebin.test.redhat.com/310598 I can't really get to the problem. What I forgot to mention in the previous email was that the tests fail when attempting to add a certprofile, but if I try to do is manually using 'ipa certprofile-import' command with the exact same data as used in the test, it works fine. Lenka Do you get the traceback also when you run the tests using 'ipa-run-tests' with installed IPA master? Hello, I don't think it is possible to run these tests against the lite server. Please do it on regular installation. Anyway, sorry for the long delay. I send the updated patches. I updated them to reflect the fix for rename option and extended about test with importing a profile from XML file. The test case may need to be updated, based on the resolution of [1]. This at the moment raises remote retrieve error (400 from dogtag), I think there should be more clear message (detecting xml). [1]: https://fedorahosted.org/freeipa/ticket/5294 Cheers, Milan Hi, can't build rpms after applying the patches (namely patch 0009.2): Module ipatests.test_xmlrpc.utils ipatests/test_xmlrpc/utils.py:10: [E1101(no-member), prepare_config] Module 'py' has no 'path' member) Lenka Do we need new util.py in test_xmlrpc? Why not just add it into existing ipatests/util.py? I will move it there. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] cert profiles - test plan + patches
On 09/11/2015 10:27 AM, Martin Basti wrote: On 09/11/2015 09:51 AM, Lenka Doudova wrote: On 09/10/2015 02:11 PM, Milan Kubík wrote: On 09/04/2015 03:57 PM, Martin Babinsky wrote: On 09/04/2015 11:06 AM, Lenka Doudova wrote: Hi, there's no traceback in the file you mentioned, but I'm running it through lite-server, so here's the traceback from there: http://pastebin.test.redhat.com/310598 I can't really get to the problem. What I forgot to mention in the previous email was that the tests fail when attempting to add a certprofile, but if I try to do is manually using 'ipa certprofile-import' command with the exact same data as used in the test, it works fine. Lenka Do you get the traceback also when you run the tests using 'ipa-run-tests' with installed IPA master? Hello, I don't think it is possible to run these tests against the lite server. Please do it on regular installation. Anyway, sorry for the long delay. I send the updated patches. I updated them to reflect the fix for rename option and extended about test with importing a profile from XML file. The test case may need to be updated, based on the resolution of [1]. This at the moment raises remote retrieve error (400 from dogtag), I think there should be more clear message (detecting xml). [1]: https://fedorahosted.org/freeipa/ticket/5294 Cheers, Milan Hi, can't build rpms after applying the patches (namely patch 0009.2): Module ipatests.test_xmlrpc.utils ipatests/test_xmlrpc/utils.py:10: [E1101(no-member), prepare_config] Module 'py' has no 'path' member) Lenka Do we need new util.py in test_xmlrpc? Why not just add it into existing ipatests/util.py? Updated patch attached. Changes: content of ipatests.test_xmlrpc.utils moved to ipatests.utils make-lint updated to ignore py.path submodule From a01d9bb444f9ecbb6a8d0b99b5ea4eff905bb908 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Milan=20Kub=C3=ADk?=Date: Sun, 23 Aug 2015 16:19:59 +0200 Subject: [PATCH] ipatests: Add basic tests for certificate profile plugin --- .../test_xmlrpc/data/caIPAserviceCert.xml.tmpl | 619 + .../test_xmlrpc/data/caIPAserviceCert_mal.cfg.tmpl | 109 .../test_xmlrpc/data/caIPAserviceCert_mod.cfg.tmpl | 109 .../data/caIPAserviceCert_mod_mal.cfg.tmpl | 109 ipatests/test_xmlrpc/test_certprofile_plugin.py| 203 ++- ipatests/util.py | 13 + make-lint | 1 + 7 files changed, 1162 insertions(+), 1 deletion(-) create mode 100644 ipatests/test_xmlrpc/data/caIPAserviceCert.xml.tmpl create mode 100644 ipatests/test_xmlrpc/data/caIPAserviceCert_mal.cfg.tmpl create mode 100644 ipatests/test_xmlrpc/data/caIPAserviceCert_mod.cfg.tmpl create mode 100644 ipatests/test_xmlrpc/data/caIPAserviceCert_mod_mal.cfg.tmpl diff --git a/ipatests/test_xmlrpc/data/caIPAserviceCert.xml.tmpl b/ipatests/test_xmlrpc/data/caIPAserviceCert.xml.tmpl new file mode 100644 index ..99548192346b6105ea4f1a015738bfec612e3acd --- /dev/null +++ b/ipatests/test_xmlrpc/data/caIPAserviceCert.xml.tmpl 
@@ -0,0 +1,619 @@ + +http://www.w3.org/2005/Atom; id="caIPAserviceCert_xml"> +caEnrollImpl +IPA-RA Agent-Authenticated Server Certificate Enrollment +This certificate profile is for enrolling server certificates with IPA-RA agent authentication. +true +false +ipara +raCertAuth + +false +false + +certReqInputImpl +Certificate Request Input + + +cert_request_type +Certificate Request Type + + + + +cert_request +Certificate Request + + + + +submitterInfoInputImpl +Requestor Information + + +string +Requestor Name + + + + +string +Requestor Email + + + + +string +Requestor Phone + + + + +Certificate Output +certOutputImpl + + +pretty_print +Certificate Pretty Print + + + + +pretty_print +Certificate Base-64 Encoded + + + + + +serverCertSet + + +This default populates a Certificate Subject Name to the request. The default values are Subject Name=CN=$request.req_subject_name.cn$, O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM + + +string +Subject Name + + +
Re: [Freeipa-devel] cert profiles - test plan + patches
On 09/11/2015 12:43 PM, Lenka Doudova wrote: On 09/11/2015 11:45 AM, Milan Kubík wrote: On 09/11/2015 10:27 AM, Martin Basti wrote: On 09/11/2015 09:51 AM, Lenka Doudova wrote: On 09/10/2015 02:11 PM, Milan Kubík wrote: On 09/04/2015 03:57 PM, Martin Babinsky wrote: On 09/04/2015 11:06 AM, Lenka Doudova wrote: Hi, there's no traceback in the file you mentioned, but I'm running it through lite-server, so here's the traceback from there: http://pastebin.test.redhat.com/310598 I can't really get to the problem. What I forgot to mention in the previous email was that the tests fail when attempting to add a certprofile, but if I try to do is manually using 'ipa certprofile-import' command with the exact same data as used in the test, it works fine. Lenka Do you get the traceback also when you run the tests using 'ipa-run-tests' with installed IPA master? Hello, I don't think it is possible to run these tests against the lite server. Please do it on regular installation. Anyway, sorry for the long delay. I send the updated patches. I updated them to reflect the fix for rename option and extended about test with importing a profile from XML file. The test case may need to be updated, based on the resolution of [1]. This at the moment raises remote retrieve error (400 from dogtag), I think there should be more clear message (detecting xml). [1]: https://fedorahosted.org/freeipa/ticket/5294 Cheers, Milan Hi, can't build rpms after applying the patches (namely patch 0009.2): Module ipatests.test_xmlrpc.utils ipatests/test_xmlrpc/utils.py:10: [E1101(no-member), prepare_config] Module 'py' has no 'path' member) Lenka Do we need new util.py in test_xmlrpc? Why not just add it into existing ipatests/util.py? Updated patch attached. 
Changes: content of ipatests.test_xmlrpc.utils moved to ipatests.utils make-lint updated to ignore py.path submodule Again got an error: Module ipatests.test_xmlrpc.test_certprofile_plugin ipatests/test_xmlrpc/test_certprofile_plugin.py:16: [E0611(no-name-in-module), ] No name 'utils' in module 'ipatests') Probably just extra 's' in: from ipatests.utils import prepare_config Lenka Typo fixed. Removed the py module from the code after an offline discussion. Patch attached. Milan From b21dbf8e4ce6215f1bd06b250c48d826372e354b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Milan=20Kub=C3=ADk?=Date: Sun, 23 Aug 2015 16:19:59 +0200 Subject: [PATCH] ipatests: Add basic tests for certificate profile plugin --- .../test_xmlrpc/data/caIPAserviceCert.xml.tmpl | 619 + .../test_xmlrpc/data/caIPAserviceCert_mal.cfg.tmpl | 109 .../test_xmlrpc/data/caIPAserviceCert_mod.cfg.tmpl | 109 .../data/caIPAserviceCert_mod_mal.cfg.tmpl | 109 ipatests/test_xmlrpc/test_certprofile_plugin.py| 203 ++- ipatests/util.py | 10 + 6 files changed, 1158 insertions(+), 1 deletion(-) create mode 100644 ipatests/test_xmlrpc/data/caIPAserviceCert.xml.tmpl create mode 100644 ipatests/test_xmlrpc/data/caIPAserviceCert_mal.cfg.tmpl create mode 100644 ipatests/test_xmlrpc/data/caIPAserviceCert_mod.cfg.tmpl create mode 100644 ipatests/test_xmlrpc/data/caIPAserviceCert_mod_mal.cfg.tmpl diff --git a/ipatests/test_xmlrpc/data/caIPAserviceCert.xml.tmpl b/ipatests/test_xmlrpc/data/caIPAserviceCert.xml.tmpl new file mode 100644 index ..99548192346b6105ea4f1a015738bfec612e3acd --- /dev/null +++ b/ipatests/test_xmlrpc/data/caIPAserviceCert.xml.tmpl 
@@ -0,0 +1,619 @@ + +http://www.w3.org/2005/Atom; id="caIPAserviceCert_xml"> +caEnrollImpl +IPA-RA Agent-Authenticated Server Certificate Enrollment +This certificate profile is for enrolling server certificates with IPA-RA agent authentication. +true +false +ipara +raCertAuth + +false +false + +certReqInputImpl +Certificate Request Input + + +cert_request_type +Certificate Request Type + + + + +cert_request +Certificate Request + + + + +submitterInfoInputImpl +Requestor Information + + +string +Requestor Name + + + + +string +Requestor Email + + + + +string +Requestor Phone + + + + +Certificate Output +certOutputImpl + + +pretty_print +Certificate Pretty Print + + + + +pretty_print +Certificate
Re: [Freeipa-devel] [PATCH 0307] Server Install: print message that client is being installed
On Fri, 2015-09-11 at 14:49 +0200, Martin Basti wrote: > > On 09/03/2015 03:56 PM, Simo Sorce wrote: > > On Thu, 2015-09-03 at 15:32 +0200, Martin Basti wrote: > >> On 09/03/2015 02:42 PM, Simo Sorce wrote: > >>> On Thu, 2015-09-03 at 10:19 +0200, Martin Basti wrote: > On 09/02/2015 06:00 PM, Simo Sorce wrote: > > On Wed, 2015-09-02 at 17:57 +0200, Martin Basti wrote: > >> Client installation is done as "Restarting web server". This step > >> deserve own message. > >> > >> Patch attached > > I've seen various cases like this. And I can't understand why these > > steps aren't embedded in the actual instance install steps that need the > > restart (which implicitly also provide a message). > > > > In the promotion patchset I did move steps like this into the proper > > instances, so I would prefer you do the same with the install path as > > that is more appropriate. > > > > Simo. > > > We need restart httpd after CA, DNS(optional) installation, so thats why > it is outside of httpd instance. > >>> You need to restart httpd always after CA install as it changes the > >>> proxy settings, but why do you need to restart it after DNS > >>> installation ? > >> It is needed due changes in resolv.conf > >>> (I think it is fine to restart it twice if it is really needed after DNS > >>> change). > >> IMO it is waste of time to restart httpd twice in one minute > >> > >> Can we resolve this in 4.4, where might be place to finish improvements > >> in installer? (If this is not blocking replica promotion) > > Ok, it is not important enough to waste time now. > > > > Simo. > > > > Can be this patch pushed to master then? Yes -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] cert profiles - test plan + patches
On 09/11/2015 11:45 AM, Milan Kubík wrote: On 09/11/2015 10:27 AM, Martin Basti wrote: On 09/11/2015 09:51 AM, Lenka Doudova wrote: On 09/10/2015 02:11 PM, Milan Kubík wrote: On 09/04/2015 03:57 PM, Martin Babinsky wrote: On 09/04/2015 11:06 AM, Lenka Doudova wrote: Hi, there's no traceback in the file you mentioned, but I'm running it through lite-server, so here's the traceback from there: http://pastebin.test.redhat.com/310598 I can't really get to the problem. What I forgot to mention in the previous email was that the tests fail when attempting to add a certprofile, but if I try to do is manually using 'ipa certprofile-import' command with the exact same data as used in the test, it works fine. Lenka Do you get the traceback also when you run the tests using 'ipa-run-tests' with installed IPA master? Hello, I don't think it is possible to run these tests against the lite server. Please do it on regular installation. Anyway, sorry for the long delay. I send the updated patches. I updated them to reflect the fix for rename option and extended about test with importing a profile from XML file. The test case may need to be updated, based on the resolution of [1]. This at the moment raises remote retrieve error (400 from dogtag), I think there should be more clear message (detecting xml). [1]: https://fedorahosted.org/freeipa/ticket/5294 Cheers, Milan Hi, can't build rpms after applying the patches (namely patch 0009.2): Module ipatests.test_xmlrpc.utils ipatests/test_xmlrpc/utils.py:10: [E1101(no-member), prepare_config] Module 'py' has no 'path' member) Lenka Do we need new util.py in test_xmlrpc? Why not just add it into existing ipatests/util.py? Updated patch attached. 
Changes: content of ipatests.test_xmlrpc.utils moved to ipatests.utils make-lint updated to ignore py.path submodule Again got an error: Module ipatests.test_xmlrpc.test_certprofile_plugin ipatests/test_xmlrpc/test_certprofile_plugin.py:16: [E0611(no-name-in-module), ] No name 'utils' in module 'ipatests') Probably just extra 's' in: from ipatests.utils import prepare_config Lenka -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0314] Server Upgrade: backup CS.cfg when dogtag is turnend off
On 10/09/15 18:50, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5287 Patch attached. Works for me, ACK. -- David Kupka -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0314] Server Upgrade: backup CS.cfg when dogtag is turnend off
On 09/11/2015 01:50 PM, David Kupka wrote: On 10/09/15 18:50, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5287 Patch attached. Works for me, ACK. Pushed to: master: 5762ad951fca025f17d00095bd7d89a14536ae85 ipa-4-2: c3d8a138aaad52af9c10ef8816b23cc81d79a680 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] INFO: CA ACL test and kerberos usage in functional tests
On 09/10/2015 06:41 PM, Milan Kubík wrote: On 09/10/2015 06:36 PM, Alexander Bokovoy wrote: On Thu, 10 Sep 2015, Milan Kubík wrote: Hi list, before my PTO, I was trying to write a functional test for CA ACLs with the tracker along all other acceptance/functional tests. I wasn't successful, the approach doesn't seem to work for CA ACLs as they have specific requirements for kerberos credentials that none of my attempts were able to met. I have tried several approaches and the memo I got out of this is that currently, there seems to be no way how to conveniently run a test that changes the user identity during the functional test (xmlrpc tests). I haven't had much time to write an integration test that should solve these problems with changing identity. The approaches I have tried include, in no particular order: * switch the default ccache to the identity desired, before calls made on an API object - in case of FILE ccache, moving it back and forth - in case of kernel keyring, using kswitch * instantiating another API instance in the process running the test, while the other ccache is active - the API object internals seem to prevent this as there is still a lot of shared state between the API instances * running the command supposed to have different identity as a subprocess after switching the identity - this attempt seemed to have inherited the opened connection to the backend from the parent python process, creating a conflict during the client bootstrap * injecting the KRB5CCNAME environment variable with second identity into the python process - the API instance doesn't seem to be affected by this value half of the times. - randomly, the new credentials are used, breaking all the things. Unable to change the user during the test, the code I wrote for this wasn't doing what I intended it to do because the admin user used in the tests overrides all CA ACLs. 
One way to do it is to use keyctl to create subsessions for different authenticated users and switch between subsessions for the separate calls. See keyctl manual page and 'keyctl session ' part. Thanks, I'll take a look at this next week. Maybe you can also try to wrap the user auth, connection and API calls in 'ipapython.ipautil.private_ccache' context manager like this: """ from ipalib import api from ipapython.ipautil import private_ccache, kinit_password, run api.bootstrap() api.finalize() tmp_ccache='krb5cc_jdoe' run(['klist']) # should list admin as default principal with private_ccache(tmp_ccache): kinit_password(u'jdoe', u'jdoepasswd', tmp_ccache) run(['klist']) # lists jdoe as default principal api.Backend.rpcclient.connect(ccache=tmp_ccache) api.Command.ping() api.backend.rpcclient.disconnect() run(['klist']) # KRB5CCNAME should be reset back to admin ccache """ I have tested it and it seems to work. I haven't played with it very extensively, though. -- Martin^3 Babinsky -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0313] IPA Restore: allow to specify dirs/files which should be removed before restore
On 09/11/2015 02:56 PM, David Kupka wrote: On 11/09/15 14:44, Martin Basti wrote: On 09/10/2015 05:34 PM, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5293 Patch attached. Updated patch attached. * list of dirs/files was moved to class (the same way is in ipa-backup) * log errors if dir/file cannot be removed (errors other than dir/file does not exist) Looks good to me and works as expected, ACK. Pushed to: master: f8f5bd644aee5c54acc857061868e659ae449e48 ipa-4-2: 21f2a3d1731a43551cc130356329bcadba7ffdfe -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0307] Server Install: print message that client is being installed
On 09/03/2015 03:56 PM, Simo Sorce wrote: On Thu, 2015-09-03 at 15:32 +0200, Martin Basti wrote: On 09/03/2015 02:42 PM, Simo Sorce wrote: On Thu, 2015-09-03 at 10:19 +0200, Martin Basti wrote: On 09/02/2015 06:00 PM, Simo Sorce wrote: On Wed, 2015-09-02 at 17:57 +0200, Martin Basti wrote: Client installation is done as "Restarting web server". This step deserve own message. Patch attached I've seen various cases like this. And I can't understand why these steps aren't embedded in the actual instance install steps that need the restart (which implicitly also provide a message). In the promotion patchset I did move steps like this into the proper instances, so I would prefer you do the same with the install path as that is more appropriate. Simo. We need restart httpd after CA, DNS(optional) installation, so thats why it is outside of httpd instance. You need to restart httpd always after CA install as it changes the proxy settings, but why do you need to restart it after DNS installation ? It is needed due changes in resolv.conf (I think it is fine to restart it twice if it is really needed after DNS change). IMO it is waste of time to restart httpd twice in one minute Can we resolve this in 4.4, where might be place to finish improvements in installer? (If this is not blocking replica promotion) Ok, it is not important enough to waste time now. Simo. Can be this patch pushed to master then? Martin^2 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 481-486] Metaclass and str modernization
On 09/07/2015 08:02 AM, Jan Cholasta wrote: > On 3.9.2015 19:23, Petr Viktorin wrote: >> On 09/01/2015 04:47 PM, Jan Cholasta wrote: >>> Hi, >>> >>> the attached patches add some more modernization to our code. [...] >> 484: >> To avoid merge conflicts later, perhaps it would be better to have >> >> if six.PY3: >> unicode = str >> >> at the start of each affected file, instead of scattering changes in the >> files? >> (I can prepare the patch if you agree) > > (Be my guest) > >> >> >> 485: >> six.binary_type is named "bytes" since Python 2.6. I think it would be >> better to use that, to avoid another change when py2 is dropped. >> (I can prepare the patch here, too) > > (OK) > >> >> >> 486: ACK Here are the two patches updated to use "unicode" and "bytes". -- Petr Viktorin From 8ffd5c92767b5c49c1ab03aca08cc3fceb3bbeaf Mon Sep 17 00:00:00 2001 From: Jan CholastaDate: Fri, 11 Sep 2015 13:43:28 +0200 Subject: [PATCH] Alias "unicode" to "str" under Python 3 The six way of doing this is to replace all occurences of "unicode" with "six.text_type". However, "unicode" is non-ambiguous and (arguably) easier to read. Also, using it makes the patches smaller, which should help with backporting. 
--- doc/examples/examples.py | 6 ++ install/certmonger/dogtag-ipa-ca-renew-agent-submit | 6 ++ install/oddjob/com.redhat.idm.trust-fetch-domains| 5 + install/tools/ipa-adtrust-install| 4 ipa-client/ipaclient/ipachangeconf.py| 4 ipalib/cli.py| 3 +++ ipalib/config.py | 2 ++ ipalib/frontend.py | 4 ipalib/krb_utils.py | 5 + ipalib/messages.py | 2 ++ ipalib/output.py | 4 ipalib/parameters.py | 3 +++ ipalib/pkcs10.py | 5 + ipalib/plugable.py | 5 + ipalib/plugins/aci.py| 5 + ipalib/plugins/automember.py | 4 ipalib/plugins/automount.py | 5 + ipalib/plugins/baseldap.py | 3 +++ ipalib/plugins/baseuser.py | 3 +++ ipalib/plugins/batch.py | 5 + ipalib/plugins/cert.py | 5 + ipalib/plugins/dns.py| 3 +++ ipalib/plugins/group.py | 3 +++ ipalib/plugins/hbactest.py | 4 ipalib/plugins/host.py | 5 + ipalib/plugins/hostgroup.py | 5 + ipalib/plugins/idrange.py| 5 + ipalib/plugins/idviews.py| 5 + ipalib/plugins/migration.py | 5 + ipalib/plugins/netgroup.py | 4 ipalib/plugins/otptoken.py | 5 + ipalib/plugins/otptoken_yubikey.py | 4 ipalib/plugins/permission.py | 3 +++ ipalib/plugins/pwpolicy.py | 5 + ipalib/plugins/realmdomains.py | 4 ipalib/plugins/service.py| 4 ipalib/plugins/servicedelegation.py | 5 + ipalib/plugins/stageuser.py | 6 ++ ipalib/plugins/sudorule.py | 4 ipalib/plugins/topology.py | 4 ipalib/plugins/trust.py | 5 + ipalib/plugins/user.py | 5 + ipalib/rpc.py| 3 +++ ipalib/text.py | 3 +++ ipalib/util.py | 3 +++ ipapython/dn.py | 3 +++ ipapython/dnsutil.py | 3 +++ ipapython/dogtag.py | 4 ipapython/ipaldap.py | 3 +++ ipapython/ssh.py | 5 + ipapython/sysrestore.py | 5 + ipaserver/dcerpc.py | 4 ipaserver/install/adtrustinstance.py
Re: [Freeipa-devel] [PATCH 0313] IPA Restore: allow to specify dirs/files which should be removed before restore
On 09/10/2015 05:34 PM, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5293 Patch attached. Updated patch attached. * list of dirs/files was moved to class (the same way is in ipa-backup) * log errors if dir/file cannot be removed (errors other than dir/file does not exist) From 43c339ea20404347fd58a34597ac69c99d674745 Mon Sep 17 00:00:00 2001 From: Martin BastiDate: Thu, 10 Sep 2015 16:35:54 +0200 Subject: [PATCH] IPA Restore: allows to specify files that should be removed Some files/directories should be removed before backup files are copied to filesystem. In case of DNSSEC, the /var/lib/ipa/dnssec/tokens directory has to be removed, otherwise tokens that are backed up and existing tokens will be mixed and SOFTHSM log in will not work https://fedorahosted.org/freeipa/ticket/5293 --- ipaserver/install/ipa_restore.py | 28 1 file changed, 28 insertions(+) diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py index e8820b99ede4bb8eaa95bb8f25d946cb369f3048..b7af88d99e0e291ea086cf64c410e9a2f10aefaf 100644 --- a/ipaserver/install/ipa_restore.py +++ b/ipaserver/install/ipa_restore.py @@ -128,6 +128,14 @@ class Restore(admintool.AdminTool): description = "Restore IPA files and databases." +# directories and files listed here will be removed from filesystem before +# files from backup are copied +DIRS_TO_BE_REMOVED = [ +paths.DNSSEC_TOKENS_DIR, +] + +FILES_TO_BE_REMOVED = [] + def __init__(self, options, args): super(Restore, self).__init__(options, args) self._conn = None @@ -365,6 +373,7 @@ class Restore(admintool.AdminTool): # We do either a full file restore or we restore data. if restore_type == 'FULL': +self.remove_old_files() if 'CA' in self.backup_services: create_ca_user() self.cert_restore_prepare() 
@@ -647,6 +656,25 @@ class Restore(admintool.AdminTool): (paths.IPA_DEFAULT_CONF, stderr)) os.chdir(cwd) +def remove_old_files(self): +""" +Removes all directories, files or temporal files that should be +removed before backup files are copied, to prevent errors. +""" +for d in self.DIRS_TO_BE_REMOVED: +try: +shutil.rmtree(d) +except OSError as e: +if e.errno != 2: # 2: dir does not exist +self.log.warning("Could not remove directory: %s (%s)", + d, e) + +for f in self.FILES_TO_BE_REMOVED: +try: +os.remove(f) +except OSError as e: +if e.errno != 2: # 2: file does not exist +self.log.warning("Could not remove file: %s (%s)", f, e) def file_restore(self, nologs=False): ''' -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
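Review bot: In `remove_old_files`, a directory or file that cannot be removed is only reported through `self.log.warning` and the restore continues, which leaves exactly the mix of existing and backed-up SoftHSM tokens that the commit message says breaks login. For entries in `DIRS_TO_BE_REMOVED` I would treat any error other than "does not exist" as fatal, e.g. `raise admintool.ScriptError("Could not remove directory: %s (%s)" % (d, e))`, assuming `ScriptError` is this tool's usual failure path. The bare `2` should be spelled `errno.ENOENT`, i.e. `if e.errno != errno.ENOENT:`, which needs `import errno` if the module does not already have it. The docstring should also say that the listed directories are removed recursively, and "temporal files" presumably means "temporary files".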
Re: [Freeipa-devel] [PATCH 0307] Server Install: print message that client is being installed
On 09/11/2015 04:00 PM, Simo Sorce wrote: On Fri, 2015-09-11 at 14:49 +0200, Martin Basti wrote: On 09/03/2015 03:56 PM, Simo Sorce wrote: On Thu, 2015-09-03 at 15:32 +0200, Martin Basti wrote: On 09/03/2015 02:42 PM, Simo Sorce wrote: On Thu, 2015-09-03 at 10:19 +0200, Martin Basti wrote: On 09/02/2015 06:00 PM, Simo Sorce wrote: On Wed, 2015-09-02 at 17:57 +0200, Martin Basti wrote: Client installation is done as "Restarting web server". This step deserve own message. Patch attached I've seen various cases like this. And I can't understand why these steps aren't embedded in the actual instance install steps that need the restart (which implicitly also provide a message). In the promotion patchset I did move steps like this into the proper instances, so I would prefer you do the same with the install path as that is more appropriate. Simo. We need restart httpd after CA, DNS(optional) installation, so thats why it is outside of httpd instance. You need to restart httpd always after CA install as it changes the proxy settings, but why do you need to restart it after DNS installation ? It is needed due changes in resolv.conf (I think it is fine to restart it twice if it is really needed after DNS change). IMO it is waste of time to restart httpd twice in one minute Can we resolve this in 4.4, where might be place to finish improvements in installer? (If this is not blocking replica promotion) Ok, it is not important enough to waste time now. Simo. Can be this patch pushed to master then? Yes Pushed to master: 7f0076b9a5f2aced1f27b976217309be2eec0b1c -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH 0315] CI: backup with KRA installed
Patch mbasti-0312-2 Patch attached. From 55fe01eeeb72f87be212fdff452375ff50961030 Mon Sep 17 00:00:00 2001 From: Martin BastiDate: Fri, 11 Sep 2015 14:33:17 +0200 Subject: [PATCH] CI: backup and restore with KRA --- .../test_integration/test_backup_and_restore.py| 77 ++ 1 file changed, 77 insertions(+) diff --git a/ipatests/test_integration/test_backup_and_restore.py b/ipatests/test_integration/test_backup_and_restore.py index 93f5d131c7de2b40d9be9434a372477d5924c1b9..1c79e318bab4bd59ba8a717ba66dc7237f4ed0cb 100644 --- a/ipatests/test_integration/test_backup_and_restore.py +++ b/ipatests/test_integration/test_backup_and_restore.py 
@@ -338,3 +338,80 @@ class TestBackupReinstallRestoreWithDNSSEC(BaseBackupAndRestoreWithDNSSEC): def test_full_backup_reinstall_restore_with_DNSSEC_zone(self): """backup, uninstall, install, restore""" self._full_backup_and_restore_with_DNSSEC_zone(reinstall=True) + + +class BaseBackupAndRestoreWithKRA(IntegrationTest): +""" +Abstract class for KRA restore tests +""" +topology = 'star' + +vault_name = "ci_test_vault" +vault_password = "password" +vault_data = "SSBsb3ZlIENJIHRlc3RzCg==" + +@classmethod +def install(cls, mh): +tasks.install_master(cls.master, setup_dns=True) +args = [ +"ipa-kra-install", +"-p", cls.master.config.dirman_password, +"-U", +] +cls.master.run_command(args) + +def _full_backup_restore_with_vault(self, reinstall=False): +with restore_checker(self.master): +# create vault +self.master.run_command([ +"ipa", "vault-add", +self.vault_name, +"--password", self.vault_password, +"--type", "symmetric", +]) + +# archive secret +self.master.run_command([ +"ipa", "vault-archive", +self.vault_name, +"--password", self.vault_password, +"--data", self.vault_data, +]) + +# retrieve secret +self.master.run_command([ +"ipa", "vault-retrieve", +self.vault_name, +"--password", self.vault_password, +]) + +backup_path = backup(self.master) + +self.master.run_command(['ipa-server-install', + '--uninstall', + '-U']) + +if reinstall: +tasks.install_master(self.master, setup_dns=True) + +dirman_password = self.master.config.dirman_password +self.master.run_command(['ipa-restore', backup_path], +stdin_text=dirman_password + '\nyes') + +# retrieve secret after restore +self.master.run_command([ +"ipa", "vault-retrieve", +self.vault_name, +"--password", self.vault_password, +]) + + +class TestBackupAndRestoreWithKRA(BaseBackupAndRestoreWithKRA): +def test_full_backup_restore_with_vault(self): +"""backup, uninstall, restore""" +self._full_backup_restore_with_vault(reinstall=False) + +class TestBackupReinstallRestoreWithKRA(BaseBackupAndRestoreWithKRA): +def 
test_full_backup_reinstall_restore_with_vault(self): +"""backup, uninstall, reinstall, restore""" +self._full_backup_restore_with_vault(reinstall=True) -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
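Review bot: The post-restore `vault-retrieve` in `_full_backup_restore_with_vault` presumably only verifies that the command exits successfully; its output is never compared with `vault_data`, so a restore that brings the vault back with different or empty contents would still pass. Capture the result and assert on it, e.g. `result = self.master.run_command([...])` followed by `assert self.vault_data in result.stdout_text`, assuming the command prints the base64 data and that `run_command` returns an object with `stdout_text`. Separately, `--password` puts the vault password on the command line, where it can show up in process listings and test logs. It is a throwaway value here, but a comment next to `vault_password` such as `# test-only credential, never reuse outside CI` would keep the pattern from being copied into real tooling.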