Re: [Freeipa-devel] INFO: CA ACL test and kerberos usage in functional tests
On 09/10/2015 06:41 PM, Milan Kubík wrote:
> On 09/10/2015 06:36 PM, Alexander Bokovoy wrote:
>> On Thu, 10 Sep 2015, Milan Kubík wrote:
>>> Hi list,
>>>
>>> before my PTO, I was trying to write a functional test for CA ACLs with the tracker along all other acceptance/functional tests. I wasn't successful; the approach doesn't seem to work for CA ACLs as they have specific requirements for Kerberos credentials that none of my attempts were able to meet.
>>>
>>> I have tried several approaches, and the memo I got out of this is that currently there seems to be no convenient way to run a test that changes the user identity during the functional test (xmlrpc tests). I haven't had much time to write an integration test that should solve these problems with changing identity.
>>>
>>> The approaches I have tried include, in no particular order:
>>>
>>> * switch the default ccache to the identity desired, before calls made on an API object
>>>   - in case of FILE ccache, moving it back and forth
>>>   - in case of kernel keyring, using kswitch
>>> * instantiating another API instance in the process running the test, while the other ccache is active
>>>   - the API object internals seem to prevent this as there is still a lot of shared state between the API instances
>>> * running the command supposed to have a different identity as a subprocess after switching the identity
>>>   - this attempt seemed to have inherited the opened connection to the backend from the parent python process, creating a conflict during the client bootstrap
>>> * injecting the KRB5CCNAME environment variable with the second identity into the python process
>>>   - the API instance doesn't seem to be affected by this value half of the times
>>>   - randomly, the new credentials are used, breaking all the things
>>>
>>> Unable to change the user during the test, the code I wrote for this wasn't doing what I intended it to do because the admin user used in the tests overrides all CA ACLs.
>>
>> One way to do it is to use keyctl to create subsessions for different authenticated users and switch between subsessions for the separate calls. See the keyctl manual page and the 'keyctl session' part.
>
> Thanks, I'll take a look at this next week.

Maybe you can also try to wrap the user auth, connection and API calls in the 'ipapython.ipautil.private_ccache' context manager like this:

"""
from ipalib import api
from ipapython.ipautil import private_ccache, kinit_password, run

api.bootstrap()
api.finalize()

tmp_ccache = 'krb5cc_jdoe'

run(['klist'])  # should list admin as default principal

with private_ccache(tmp_ccache):
    # obtain a TGT for jdoe into the private ccache
    kinit_password(u'jdoe', u'jdoepasswd', tmp_ccache)
    run(['klist'])  # lists jdoe as default principal
    # the connection binds its credentials at connect time, so connect
    # inside the scope and pass the private ccache explicitly
    api.Backend.rpcclient.connect(ccache=tmp_ccache)
    api.Command.ping()
    api.Backend.rpcclient.disconnect()  # api.Backend, not api.backend

run(['klist'])  # KRB5CCNAME should be reset back to the admin ccache
"""

I have tested it and it seems to work. I haven't played with it very extensively, though.

-- 
Martin^3 Babinsky

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
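The reconnect-inside-the-scope pattern from Martin's snippet, and the reason Milan's KRB5CCNAME injection only worked "half of the times", as an added example that is not code from this thread or from ipapython: a private_ccache-style context manager (a re-implementation assumed here, not ipautil's own) beside a constructed StubRpcClient that, like a connected API backend, binds its ccache once at connect() time. StubRpcClient and call_as are names invented for this example.

```python
import contextlib
import os
import tempfile


@contextlib.contextmanager
def private_ccache(path=None):
    """Scope KRB5CCNAME to a private ccache (modelled on ipautil.private_ccache).

    On exit the previous value is restored (or unset again), and the file is
    removed, so the test principal cannot leak into later tests even on error.
    """
    if path is None:
        fd, path = tempfile.mkstemp(prefix="krb5cc_test_")
        os.close(fd)
    previous = os.environ.get("KRB5CCNAME")
    os.environ["KRB5CCNAME"] = path
    try:
        yield path
    finally:
        if previous is None:
            os.environ.pop("KRB5CCNAME", None)
        else:
            os.environ["KRB5CCNAME"] = previous
        if os.path.exists(path):
            os.unlink(path)


class StubRpcClient:
    """Constructed stand-in for api.Backend.rpcclient: like a GSSAPI-bound
    connection, it resolves its ccache once, at connect() time."""
    def __init__(self):
        self.ccache = None
    def connect(self, ccache=None):
        self.ccache = ccache or os.environ.get("KRB5CCNAME", "admin-default")
    def disconnect(self):
        self.ccache = None
    def whoami(self):
        return self.ccache


def call_as(client, tmp_ccache):
    """Run a call as the principal in tmp_ccache by reconnecting inside the scope
    (a real test would kinit_password(u'jdoe', u'jdoepasswd', tmp_ccache) first)."""
    with private_ccache(tmp_ccache):
        client.connect(ccache=tmp_ccache)
        try:
            return client.whoami()
        finally:
            client.disconnect()
```

A connection opened before the scope keeps the admin ccache no matter what KRB5CCNAME says afterwards, which is the "not affected" behaviour described above; only a connect() made inside the scope picks up the test principal.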
[Freeipa-devel] INFO: CA ACL test and kerberos usage in functional tests
Hi list,

before my PTO, I was trying to write a functional test for CA ACLs with the tracker along all other acceptance/functional tests. I wasn't successful; the approach doesn't seem to work for CA ACLs as they have specific requirements for Kerberos credentials that none of my attempts were able to meet.

I have tried several approaches, and the memo I got out of this is that currently there seems to be no convenient way to run a test that changes the user identity during the functional test (xmlrpc tests). I haven't had much time to write an integration test that should solve these problems with changing identity.

The approaches I have tried include, in no particular order:

* switch the default ccache to the identity desired, before calls made on an API object
  - in case of FILE ccache, moving it back and forth
  - in case of kernel keyring, using kswitch
* instantiating another API instance in the process running the test, while the other ccache is active
  - the API object internals seem to prevent this as there is still a lot of shared state between the API instances
* running the command supposed to have a different identity as a subprocess after switching the identity
  - this attempt seemed to have inherited the opened connection to the backend from the parent python process, creating a conflict during the client bootstrap
* injecting the KRB5CCNAME environment variable with the second identity into the python process
  - the API instance doesn't seem to be affected by this value half of the times
  - randomly, the new credentials are used, breaking all the things

Unable to change the user during the test, the code I wrote for this wasn't doing what I intended it to do because the admin user used in the tests overrides all CA ACLs.

The patches implement the CA ACL tracker and, at the moment, one simple test.
This can (and will) be extended to full CRUD test that will be run as a part of the acceptance suite, while functional test will be written as an integration test. I include the code that doesn't work as an example of what will be in the integration test. The patch 0013 needs to be applied after the certprofile tracker patch (0008). Cheers, Milan From 894c3692bf96d3ddf0431cadb86dea8c39b610a8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Milan=20Kub=C3=ADk?=Date: Fri, 17 Jul 2015 14:42:23 +0200 Subject: [PATCH 3/5] ipatests: add fuzzy instances for CA ACL DN and RDN --- ipatests/test_xmlrpc/xmlrpc_test.py | 8 1 file changed, 8 insertions(+) diff --git a/ipatests/test_xmlrpc/xmlrpc_test.py b/ipatests/test_xmlrpc/xmlrpc_test.py index 56ddad9b8a0a1164c29f38970e0a97513d1a8d1f..c8be6160bdca0a95622ce5f8e4752e609f73dec5 100644 --- a/ipatests/test_xmlrpc/xmlrpc_test.py +++ b/ipatests/test_xmlrpc/xmlrpc_test.py @@ -77,6 +77,14 @@ fuzzy_sudocmddn = Fuzzy( '(?i)ipauniqueid=%s,cn=sudocmds,cn=sudo,%s' % (uuid_re, api.env.basedn) ) +# Matches caacl dn +fuzzy_caacldn = Fuzzy( +'(?i)ipauniqueid=%s,cn=caacls,cn=ca,%s' % (uuid_re, api.env.basedn) +) + +# Matches fuzzy ipaUniqueID DN group (RDN) +fuzzy_ipauniqueid = Fuzzy('(?i)ipauniqueid=%s' % uuid_re) + # Matches a hash signature, not enforcing length fuzzy_hash = Fuzzy('^([a-f0-9][a-f0-9]:)+[a-f0-9][a-f0-9]$', type=six.string_types) -- 2.5.1 From a2eef3966d297c1e90327f994de8ee47b8e30fd2 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Milan=20Kub=C3=ADk?= Date: Tue, 30 Jun 2015 17:00:18 +0200 Subject: [PATCH 4/5] ipatests: Add initial CAACLTracker implementation The patch implements the tracker for CA ACL feature. The basic CRUD checkers has been implemented. The methods for adding and removing the association of the resources with the ACL do not have the check methods. These will be provided as a separate test suite. --- ipatests/test_xmlrpc/objectclasses.py | 5 + ipatests/test_xmlrpc/test_caacl_plugin.py | 318 ++ 2 files changed, 323 insertions(+) create mode 100644 ipatests/test_xmlrpc/test_caacl_plugin.py diff --git a/ipatests/test_xmlrpc/objectclasses.py b/ipatests/test_xmlrpc/objectclasses.py index 1cd77c7f885fe408d0d9d48fc6d8284900c91b7f..134a08803f3abca1124c4d26274d9e3fc981b941 100644 --- a/ipatests/test_xmlrpc/objectclasses.py +++ b/ipatests/test_xmlrpc/objectclasses.py @@ -217,3 +217,8 @@ certprofile = [ u'top', u'ipacertprofile', ] + +caacl = [ +u'ipaassociation', +u'ipacaacl' +] diff --git a/ipatests/test_xmlrpc/test_caacl_plugin.py b/ipatests/test_xmlrpc/test_caacl_plugin.py new file mode 100644 index ..ba3408813d5d47f7f6261f187129fbee645c5ef7 --- /dev/null +++ b/ipatests/test_xmlrpc/test_caacl_plugin.py @@ -0,0 +1,318 @@ +# +# Copyright (C) 2015 FreeIPA Contributors see COPYING for license +# + +""" +Test the `ipalib.plugins.caacl` module. +""" + +import os + +import pytest + +from ipapython import ipautil +from ipalib import
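Review bot: fuzzy_ipauniqueid in the xmlrpc_test.py hunk of PATCH 3/5 is built from an unanchored pattern, Fuzzy('(?i)ipauniqueid=%s' % uuid_re), so unlike fuzzy_hash just below it (which uses ^...$) it will also accept a whole DN or any longer string that merely contains an ipaUniqueID RDN; if it is meant to match exactly one RDN, anchor it, e.g. Fuzzy('(?i)^ipauniqueid=%s$' % uuid_re), and reword the comment "Matches fuzzy ipaUniqueID DN group (RDN)" to say plainly that it matches an ipaUniqueID RDN.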
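Review bot: the new caacl list in the objectclasses.py hunk of PATCH 4/5 drops the trailing comma after its last element, u'ipacaacl', while the neighbouring certprofile list keeps one after u'ipacertprofile',; add it for consistency so that appending an objectclass later stays a one-line diff.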
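Review bot: the commit message of PATCH 4/5 says the tracker's methods for adding and removing resource associations have no check methods yet, but the module docstring of the new test_caacl_plugin.py only reads "Test the `ipalib.plugins.caacl` module."; state that limitation (and that the checks will come as a separate suite) in the docstring so a reader of the test file does not assume association changes are verified by it.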
Re: [Freeipa-devel] INFO: CA ACL test and kerberos usage in functional tests
On 09/10/2015 06:36 PM, Alexander Bokovoy wrote:
> On Thu, 10 Sep 2015, Milan Kubík wrote:
>> Hi list,
>>
>> before my PTO, I was trying to write a functional test for CA ACLs with the tracker along all other acceptance/functional tests. I wasn't successful; the approach doesn't seem to work for CA ACLs as they have specific requirements for Kerberos credentials that none of my attempts were able to meet.
>>
>> I have tried several approaches, and the memo I got out of this is that currently there seems to be no convenient way to run a test that changes the user identity during the functional test (xmlrpc tests). I haven't had much time to write an integration test that should solve these problems with changing identity.
>>
>> The approaches I have tried include, in no particular order:
>>
>> * switch the default ccache to the identity desired, before calls made on an API object
>>   - in case of FILE ccache, moving it back and forth
>>   - in case of kernel keyring, using kswitch
>> * instantiating another API instance in the process running the test, while the other ccache is active
>>   - the API object internals seem to prevent this as there is still a lot of shared state between the API instances
>> * running the command supposed to have a different identity as a subprocess after switching the identity
>>   - this attempt seemed to have inherited the opened connection to the backend from the parent python process, creating a conflict during the client bootstrap
>> * injecting the KRB5CCNAME environment variable with the second identity into the python process
>>   - the API instance doesn't seem to be affected by this value half of the times
>>   - randomly, the new credentials are used, breaking all the things
>>
>> Unable to change the user during the test, the code I wrote for this wasn't doing what I intended it to do because the admin user used in the tests overrides all CA ACLs.
>
> One way to do it is to use keyctl to create subsessions for different authenticated users and switch between subsessions for the separate calls. See the keyctl manual page and the 'keyctl session' part.

Thanks, I'll take a look at this next week.
Re: [Freeipa-devel] INFO: CA ACL test and kerberos usage in functional tests
On Thu, 10 Sep 2015, Milan Kubík wrote:
> Hi list,
>
> before my PTO, I was trying to write a functional test for CA ACLs with the tracker along all other acceptance/functional tests. I wasn't successful; the approach doesn't seem to work for CA ACLs as they have specific requirements for Kerberos credentials that none of my attempts were able to meet.
>
> I have tried several approaches, and the memo I got out of this is that currently there seems to be no convenient way to run a test that changes the user identity during the functional test (xmlrpc tests). I haven't had much time to write an integration test that should solve these problems with changing identity.
>
> The approaches I have tried include, in no particular order:
>
> * switch the default ccache to the identity desired, before calls made on an API object
>   - in case of FILE ccache, moving it back and forth
>   - in case of kernel keyring, using kswitch
> * instantiating another API instance in the process running the test, while the other ccache is active
>   - the API object internals seem to prevent this as there is still a lot of shared state between the API instances
> * running the command supposed to have a different identity as a subprocess after switching the identity
>   - this attempt seemed to have inherited the opened connection to the backend from the parent python process, creating a conflict during the client bootstrap
> * injecting the KRB5CCNAME environment variable with the second identity into the python process
>   - the API instance doesn't seem to be affected by this value half of the times
>   - randomly, the new credentials are used, breaking all the things
>
> Unable to change the user during the test, the code I wrote for this wasn't doing what I intended it to do because the admin user used in the tests overrides all CA ACLs.

One way to do it is to use keyctl to create subsessions for different authenticated users and switch between subsessions for the separate calls. See the keyctl manual page and the 'keyctl session' part.

-- 
/ Alexander Bokovoy