Re: [Freeipa-devel] [PATCH 0026][Tests] RFE: Support UPN for trusted domains

2016-07-19 Thread Martin Basti



On 18.07.2016 18:09, Martin Babinsky wrote:

On 07/14/2016 03:39 PM, Lenka Doudova wrote:



On 07/13/2016 06:04 PM, Martin Babinsky wrote:

On 07/01/2016 04:45 PM, Lenka Doudova wrote:



On 07/01/2016 03:04 PM, Martin Babinsky wrote:

On 07/01/2016 11:13 AM, Lenka Doudova wrote:

And, of course, a patch file :)


On 07/01/2016 11:09 AM, Lenka Doudova wrote:

Hi all,

here's a patch with a basic test suite for support of UPN.

Note: it needs to be applied on top of my patch 0025.2 (or later, if
there will be more fixes to that patch).


Lenka







Hi Lenka,

test data such as usernames, etc. should be stored either in separate
resource files or at least as class attributes like this:

diff --git a/ipatests/test_integration/test_trust.py
b/ipatests/test_integration/test_trust.py
index e8fdc6b..86ba7cc 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -394,28 +394,33 @@ class TestTrustWithUPN(ADTrustBase):
 """
 Test support of UPN for trusted domains
 """
+upn_suffix = 'UPNsuffix.com'
+upn_username = 'upnuser'
+upn_princ = '{}@{}'.format(upn_username, upn_suffix)
+upn_password = 'Secret123456'
+
 def test_upn_in_nonposix_trust(self):
 """ Check that UPN is listed as trust attribute """
 result = self.master.run_command(['ipa', 'trust-show',
self.ad_domain,
   '--all', '--raw'])

-assert "ipantadditionalsuffixes: UPNsuffix.com" in
result.stdout_text
+assert ("ipantadditionalsuffixes:
{}".format(self.upn_suffix) in
+result.stdout_text)

 def test_upn_user_resolution_in_nonposix_trust(self):
 """ Check that user with UPN can be resolved """
-upnuser = 'upnu...@upnsuffix.com'
-result = self.master.run_command(['getent', 'passwd',
upnuser])
+result = self.master.run_command(['getent', 'passwd',
self.upn_princ])

 # result will contain AD domain, not UPN
-upnuser_regex = "^upnuser@{0}:\*:(\d+):(\d+):UPN
User:/:$".format(
-self.ad_domain)
+upnuser_regex = "^{}@{}:\*:(\d+):(\d+):UPN User:/:$".format(
+self.upn_username, self.ad_domain)
 assert re.search(upnuser_regex, result.stdout_text)

 def test_upn_user_authentication(self):
 """ Check that AD user with UPN can authenticate in IPA """
 self.master.run_command(['systemctl', 'restart', 'krb5kdc'])
-self.master.run_command(['kinit', '-C', '-E',
'upnu...@upnsuffix.com'],
- stdin_text='Secret123456')
+self.master.run_command(['kinit', '-C', '-E', 
self.upn_princ],

+ stdin_text=self.upn_password)
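Review bot: upn_princ is built from upn_suffix = 'UPNsuffix.com', so the principal now handed to getent and to kinit -C -E carries the mixed-case suffix, while the removed literals ended in '@upnsuffix.com' in lower case. If the lower-case form was intentional, keep a separate lower-case value for the principal, or exercise both spellings in separate tests so that case handling of the UPN suffix is covered deliberately rather than changed as a side effect of the refactoring.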

otherwise LGTM.


Thanks for review, fixed patch attached.

Few notes:
1. mbabinsky's suggestion to store testdata as class attributes or
separate resource file: I decided to use the class attribute approach.
The separate resource file is a nice idea, which I have already put on
my "to do" list - there's a lot of hardcoded stuff in the trust tests,
even in the original ones (before my patches), so when there's time I'll
work on a way how to dynamically provide this data as test configuration
2. previous discussion about getent vs. pwd.getpwnam(): I'll leave the
getent command, since according to mbasti the alternative would not work
in CI.

Lenka


Hi Lenka,

I am not sure 'test_all_trustdomains_found' should be run as a part of
this test suite. Maybe yes, I'm not sure.

Also I would add a 60 second sleep after KDC restart in
'test_upn_user_authentication' so that MS-PAC cache gets refreshed
before trying to kinit as enterprise principal.

Two of the tests fail on my setup but that is probably due to
https://fedorahosted.org/freeipa/ticket/6082 .


Hi,

the "test_all_trustdomains_found" method is inherited from parent class,
and I believe it cannot hurt to have it there.
I added the sleep as you requested.
I also tried to run the tests with two way trust and since everything
was fine then, the failures you experienced are really most likely due
to the oddjob issue you linked. Of course the patch still contains tests
with one way trusts, so until the oddjob issue is solved, the tests will
probably fail, and should be fine once the fix is provided.

Fixed patch attached.
Lenka


Yes I think that the failing tests are due to bugs in trust, not the 
test code. ACK.




New ticket created for tests https://fedorahosted.org/freeipa/ticket/6094

Pushed to master: 6a072f3c5c114747c190d0c309a8d53dd8e46394

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0026][Tests] RFE: Support UPN for trusted domains

2016-07-14 Thread Lenka Doudova



On 07/13/2016 06:04 PM, Martin Babinsky wrote:

On 07/01/2016 04:45 PM, Lenka Doudova wrote:



On 07/01/2016 03:04 PM, Martin Babinsky wrote:

On 07/01/2016 11:13 AM, Lenka Doudova wrote:

And, of course, a patch file :)


On 07/01/2016 11:09 AM, Lenka Doudova wrote:

Hi all,

here's a patch with a basic test suite for support of UPN.

Note: it needs to be applied on top of my patch 0025.2 (or later, if
there will be more fixes to that patch).


Lenka







Hi Lenka,

test data such as usernames, etc. should be stored either in separate
resource files or at least as class attributes like this:

diff --git a/ipatests/test_integration/test_trust.py
b/ipatests/test_integration/test_trust.py
index e8fdc6b..86ba7cc 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -394,28 +394,33 @@ class TestTrustWithUPN(ADTrustBase):
 """
 Test support of UPN for trusted domains
 """
+upn_suffix = 'UPNsuffix.com'
+upn_username = 'upnuser'
+upn_princ = '{}@{}'.format(upn_username, upn_suffix)
+upn_password = 'Secret123456'
+
 def test_upn_in_nonposix_trust(self):
 """ Check that UPN is listed as trust attribute """
 result = self.master.run_command(['ipa', 'trust-show',
self.ad_domain,
   '--all', '--raw'])

-assert "ipantadditionalsuffixes: UPNsuffix.com" in
result.stdout_text
+assert ("ipantadditionalsuffixes: 
{}".format(self.upn_suffix) in

+result.stdout_text)

 def test_upn_user_resolution_in_nonposix_trust(self):
 """ Check that user with UPN can be resolved """
-upnuser = 'upnu...@upnsuffix.com'
-result = self.master.run_command(['getent', 'passwd', 
upnuser])

+result = self.master.run_command(['getent', 'passwd',
self.upn_princ])

 # result will contain AD domain, not UPN
-upnuser_regex = "^upnuser@{0}:\*:(\d+):(\d+):UPN
User:/:$".format(
-self.ad_domain)
+upnuser_regex = "^{}@{}:\*:(\d+):(\d+):UPN User:/:$".format(
+self.upn_username, self.ad_domain)
 assert re.search(upnuser_regex, result.stdout_text)

 def test_upn_user_authentication(self):
 """ Check that AD user with UPN can authenticate in IPA """
 self.master.run_command(['systemctl', 'restart', 'krb5kdc'])
-self.master.run_command(['kinit', '-C', '-E',
'upnu...@upnsuffix.com'],
-stdin_text='Secret123456')
+self.master.run_command(['kinit', '-C', '-E', self.upn_princ],
+stdin_text=self.upn_password)

otherwise LGTM.


Thanks for review, fixed patch attached.

Few notes:
1. mbabinsky's suggestion to store testdata as class attributes or
separate resource file: I decided to use the class attribute approach.
The separate resource file is a nice idea, which I have already put on
my "to do" list - there's a lot of hardcoded stuff in the trust tests,
even in the original ones (before my patches), so when there's time I'll
work on a way how to dynamically provide this data as test configuration
2. previous discussion about getent vs. pwd.getpwnam(): I'll leave the
getent command, since according to mbasti the alternative would not work
in CI.

Lenka


Hi Lenka,

I am not sure 'test_all_trustdomains_found' should be run as a part of 
this test suite. Maybe yes, I'm not sure.


Also I would add a 60 second sleep after KDC restart in 
'test_upn_user_authentication' so that MS-PAC cache gets refreshed 
before trying to kinit as enterprise principal.


Two of the tests fail on my setup but that is probably due to 
https://fedorahosted.org/freeipa/ticket/6082 .



Hi,

the "test_all_trustdomains_found" method is inherited from parent class, 
and I believe it cannot hurt to have it there.

I added the sleep as you requested.
I also tried to run the tests with two way trust and since everything 
was fine then, the failures you experienced are really most likely due 
to the oddjob issue you linked. Of course the patch still contains tests 
with one way trusts, so until the oddjob issue is solved, the tests will 
probably fail, and should be fine once the fix is provided.


Fixed patch attached.
Lenka
From 985bfe7ff3d87f3c3a73543ea5cc625687099db7 Mon Sep 17 00:00:00 2001
From: Lenka Doudova 
Date: Fri, 1 Jul 2016 11:00:57 +0200
Subject: [PATCH 1/2] Tests: Support of UPN for trusted domains

Basic set of tests to verify support of UPN functionality.

Test cases:
- establish trust
- verify the trust recognizes UPN
- verify AD user with UPN can be resolved
- verify AD user with UPN can authenticate
- remove trust

https://fedorahosted.org/freeipa/ticket/5354
---
 ipatests/test_integration/test_trust.py | 42 +
 1 file changed, 42 insertions(+)

diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index 

Re: [Freeipa-devel] [PATCH 0026][Tests] RFE: Support UPN for trusted domains

2016-07-13 Thread Martin Babinsky

On 07/01/2016 04:45 PM, Lenka Doudova wrote:



On 07/01/2016 03:04 PM, Martin Babinsky wrote:

On 07/01/2016 11:13 AM, Lenka Doudova wrote:

And, of course, a patch file :)


On 07/01/2016 11:09 AM, Lenka Doudova wrote:

Hi all,

here's a patch with a basic test suite for support of UPN.

Note: it needs to be applied on top of my patch 0025.2 (or later, if
there will be more fixes to that patch).


Lenka







Hi Lenka,

test data such as usernames, etc. should be stored either in separate
resource files or at least as class attributes like this:

diff --git a/ipatests/test_integration/test_trust.py
b/ipatests/test_integration/test_trust.py
index e8fdc6b..86ba7cc 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -394,28 +394,33 @@ class TestTrustWithUPN(ADTrustBase):
 """
 Test support of UPN for trusted domains
 """
+upn_suffix = 'UPNsuffix.com'
+upn_username = 'upnuser'
+upn_princ = '{}@{}'.format(upn_username, upn_suffix)
+upn_password = 'Secret123456'
+
 def test_upn_in_nonposix_trust(self):
 """ Check that UPN is listed as trust attribute """
 result = self.master.run_command(['ipa', 'trust-show',
self.ad_domain,
   '--all', '--raw'])

-assert "ipantadditionalsuffixes: UPNsuffix.com" in
result.stdout_text
+assert ("ipantadditionalsuffixes: {}".format(self.upn_suffix) in
+result.stdout_text)

 def test_upn_user_resolution_in_nonposix_trust(self):
 """ Check that user with UPN can be resolved """
-upnuser = 'upnu...@upnsuffix.com'
-result = self.master.run_command(['getent', 'passwd', upnuser])
+result = self.master.run_command(['getent', 'passwd',
self.upn_princ])

 # result will contain AD domain, not UPN
-upnuser_regex = "^upnuser@{0}:\*:(\d+):(\d+):UPN
User:/:$".format(
-self.ad_domain)
+upnuser_regex = "^{}@{}:\*:(\d+):(\d+):UPN User:/:$".format(
+self.upn_username, self.ad_domain)
 assert re.search(upnuser_regex, result.stdout_text)

 def test_upn_user_authentication(self):
 """ Check that AD user with UPN can authenticate in IPA """
 self.master.run_command(['systemctl', 'restart', 'krb5kdc'])
-self.master.run_command(['kinit', '-C', '-E',
'upnu...@upnsuffix.com'],
-stdin_text='Secret123456')
+self.master.run_command(['kinit', '-C', '-E', self.upn_princ],
+stdin_text=self.upn_password)

otherwise LGTM.


Thanks for review, fixed patch attached.

Few notes:
1. mbabinsky's suggestion to store testdata as class attributes or
separate resource file: I decided to use the class attribute approach.
The separate resource file is a nice idea, which I have already put on
my "to do" list - there's a lot of hardcoded stuff in the trust tests,
even in the original ones (before my patches), so when there's time I'll
work on a way how to dynamically provide this data as test configuration
2. previous discussion about getent vs. pwd.getpwnam(): I'll leave the
getent command, since according to mbasti the alternative would not work
in CI.

Lenka


Hi Lenka,

I am not sure 'test_all_trustdomains_found' should be run as a part of 
this test suite. Maybe yes, I'm not sure.


Also I would add a 60 second sleep after KDC restart in 
'test_upn_user_authentication' so that MS-PAC cache gets refreshed 
before trying to kinit as enterprise principal.


Two of the tests fail on my setup but that is probably due to 
https://fedorahosted.org/freeipa/ticket/6082 .


--
Martin^3 Babinsky



Re: [Freeipa-devel] [PATCH 0026][Tests] RFE: Support UPN for trusted domains

2016-07-01 Thread Lenka Doudova



On 07/01/2016 03:04 PM, Martin Babinsky wrote:

On 07/01/2016 11:13 AM, Lenka Doudova wrote:

And, of course, a patch file :)


On 07/01/2016 11:09 AM, Lenka Doudova wrote:

Hi all,

here's a patch with a basic test suite for support of UPN.

Note: it needs to be applied on top of my patch 0025.2 (or later, if
there will be more fixes to that patch).


Lenka







Hi Lenka,

test data such as usernames, etc. should be stored either in separate 
resource files or at least as class attributes like this:


diff --git a/ipatests/test_integration/test_trust.py 
b/ipatests/test_integration/test_trust.py

index e8fdc6b..86ba7cc 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -394,28 +394,33 @@ class TestTrustWithUPN(ADTrustBase):
 """
 Test support of UPN for trusted domains
 """
+upn_suffix = 'UPNsuffix.com'
+upn_username = 'upnuser'
+upn_princ = '{}@{}'.format(upn_username, upn_suffix)
+upn_password = 'Secret123456'
+
 def test_upn_in_nonposix_trust(self):
 """ Check that UPN is listed as trust attribute """
 result = self.master.run_command(['ipa', 'trust-show', 
self.ad_domain,

   '--all', '--raw'])

-assert "ipantadditionalsuffixes: UPNsuffix.com" in 
result.stdout_text

+assert ("ipantadditionalsuffixes: {}".format(self.upn_suffix) in
+result.stdout_text)

 def test_upn_user_resolution_in_nonposix_trust(self):
 """ Check that user with UPN can be resolved """
-upnuser = 'upnu...@upnsuffix.com'
-result = self.master.run_command(['getent', 'passwd', upnuser])
+result = self.master.run_command(['getent', 'passwd', 
self.upn_princ])


 # result will contain AD domain, not UPN
-upnuser_regex = "^upnuser@{0}:\*:(\d+):(\d+):UPN 
User:/:$".format(

-self.ad_domain)
+upnuser_regex = "^{}@{}:\*:(\d+):(\d+):UPN User:/:$".format(
+self.upn_username, self.ad_domain)
 assert re.search(upnuser_regex, result.stdout_text)

 def test_upn_user_authentication(self):
 """ Check that AD user with UPN can authenticate in IPA """
 self.master.run_command(['systemctl', 'restart', 'krb5kdc'])
-self.master.run_command(['kinit', '-C', '-E', 
'upnu...@upnsuffix.com'],

-stdin_text='Secret123456')
+self.master.run_command(['kinit', '-C', '-E', self.upn_princ],
+stdin_text=self.upn_password)

otherwise LGTM.


Thanks for review, fixed patch attached.

Few notes:
1. mbabinsky's suggestion to store testdata as class attributes or 
separate resource file: I decided to use the class attribute approach. 
The separate resource file is a nice idea, which I have already put on 
my "to do" list - there's a lot of hardcoded stuff in the trust tests, 
even in the original ones (before my patches), so when there's time I'll 
work on a way how to dynamically provide this data as test configuration
2. previous discussion about getent vs. pwd.getpwnam(): I'll leave the 
getent command, since according to mbasti the alternative would not work 
in CI.


Lenka
From 997ae46d6ee2ab5a147e9f57ef17778cad943cdd Mon Sep 17 00:00:00 2001
From: Lenka Doudova 
Date: Fri, 1 Jul 2016 11:00:57 +0200
Subject: [PATCH] Tests: Support of UPN for trusted domains

Basic set of tests to verify support of UPN functionality.

Test cases:
- establish trust
- verify the trust recognizes UPN
- verify AD user with UPN can be resolved
- verify AD user with UPN can authenticate
- remove trust

https://fedorahosted.org/freeipa/ticket/5354
---
 ipatests/test_integration/test_trust.py | 40 +
 1 file changed, 40 insertions(+)

diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index ba7ab8fdc0703369d55302ae3c20e79bd1b01daa..2507bf1747bfcdfdda4ae269ea403aad66fa903a 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -345,3 +345,43 @@ class TestExternalTrustWithRootDomain(ADTrustSubdomainBase):
 def test_remove_nonposix_trust(self):
 tasks.remove_trust_with_ad(self.master, self.ad_domain)
 tasks.clear_sssd_cache(self.master)
+
+
+class TestTrustWithUPN(ADTrustBase):
+"""
+Test support of UPN for trusted domains
+"""
+
+upn_suffix = 'UPNsuffix.com'
+upn_username = 'upnuser'
+upn_name = 'UPN User'
+upn_principal = '{}@{}'.format(upn_username, upn_suffix)
+upn_password = 'Secret123456'
+
+def test_upn_in_nonposix_trust(self):
+""" Check that UPN is listed as trust attribute """
+result = self.master.run_command(['ipa', 'trust-show', self.ad_domain,
+  '--all', '--raw'])
+
+assert ("ipantadditionalsuffixes: {}".format(self.upn_suffix) in
+
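Review bot: upn_password = 'Secret123456' in the new class attributes puts the AD test account's password into the test module itself. Reading it from the integration-test configuration, as already planned for the rest of the hard-coded trust data, would keep the credential out of the source tree and let the lab account's password change without a code change.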

Re: [Freeipa-devel] [PATCH 0026][Tests] RFE: Support UPN for trusted domains

2016-07-01 Thread Martin Babinsky

On 07/01/2016 11:13 AM, Lenka Doudova wrote:

And, of course, a patch file :)


On 07/01/2016 11:09 AM, Lenka Doudova wrote:

Hi all,

here's a patch with a basic test suite for support of UPN.

Note: it needs to be applied on top of my patch 0025.2 (or later, if
there will be more fixes to that patch).


Lenka







Hi Lenka,

test data such as usernames, etc. should be stored either in separate 
resource files or at least as class attributes like this:


diff --git a/ipatests/test_integration/test_trust.py 
b/ipatests/test_integration/test_trust.py

index e8fdc6b..86ba7cc 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -394,28 +394,33 @@ class TestTrustWithUPN(ADTrustBase):
 """
 Test support of UPN for trusted domains
 """
+upn_suffix = 'UPNsuffix.com'
+upn_username = 'upnuser'
+upn_princ = '{}@{}'.format(upn_username, upn_suffix)
+upn_password = 'Secret123456'
+
 def test_upn_in_nonposix_trust(self):
 """ Check that UPN is listed as trust attribute """
 result = self.master.run_command(['ipa', 'trust-show', 
self.ad_domain,

   '--all', '--raw'])

-assert "ipantadditionalsuffixes: UPNsuffix.com" in 
result.stdout_text

+assert ("ipantadditionalsuffixes: {}".format(self.upn_suffix) in
+result.stdout_text)

 def test_upn_user_resolution_in_nonposix_trust(self):
 """ Check that user with UPN can be resolved """
-upnuser = 'upnu...@upnsuffix.com'
-result = self.master.run_command(['getent', 'passwd', upnuser])
+result = self.master.run_command(['getent', 'passwd', 
self.upn_princ])


 # result will contain AD domain, not UPN
-upnuser_regex = "^upnuser@{0}:\*:(\d+):(\d+):UPN User:/:$".format(
-self.ad_domain)
+upnuser_regex = "^{}@{}:\*:(\d+):(\d+):UPN User:/:$".format(
+self.upn_username, self.ad_domain)
 assert re.search(upnuser_regex, result.stdout_text)

 def test_upn_user_authentication(self):
 """ Check that AD user with UPN can authenticate in IPA """
 self.master.run_command(['systemctl', 'restart', 'krb5kdc'])
-self.master.run_command(['kinit', '-C', '-E', 
'upnu...@upnsuffix.com'],

-stdin_text='Secret123456')
+self.master.run_command(['kinit', '-C', '-E', self.upn_princ],
+stdin_text=self.upn_password)
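Review bot: The new upnuser_regex interpolates self.upn_username and self.ad_domain into the pattern unescaped, so each '.' in the AD domain matches any character and a differently spelled domain can satisfy the assertion. Pass both values through re.escape() before formatting, and move the 'UPN User' display name, which is still a literal inside the pattern, to a class attribute next to upn_username.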

otherwise LGTM.

--
Martin^3 Babinsky



Re: [Freeipa-devel] [PATCH 0026][Tests] RFE: Support UPN for trusted domains

2016-07-01 Thread Martin Basti



On 01.07.2016 13:08, Alexander Bokovoy wrote:

On Fri, 01 Jul 2016, Lukas Slebodnik wrote:

On (01/07/16 11:13), Lenka Doudova wrote:

And, of course, a patch file :)


On 07/01/2016 11:09 AM, Lenka Doudova wrote:

Hi all,

here's a patch with a basic test suite for support of UPN.

Note: it needs to be applied on top of my patch 0025.2 (or later, if
there will be more fixes to that patch).


Lenka






From 5c8cb8727322371b7246f6d939b38ac1cbd61e4c Mon Sep 17 00:00:00 2001
From: Lenka Doudova 
Date: Fri, 1 Jul 2016 11:00:57 +0200
Subject: [PATCH] Tests: Support of UPN for trusted domains

Basic set of tests to verify support of UPN functionality.

Test cases:
- establish trust
- verify the trust recognizes UPN
- verify AD user with UPN can be resolved
- verify AD user with UPN can authenticate
- remove trust

https://fedorahosted.org/freeipa/ticket/5354
---
ipatests/test_integration/test_trust.py | 32 


1 file changed, 32 insertions(+)

diff --git a/ipatests/test_integration/test_trust.py 
b/ipatests/test_integration/test_trust.py
index 
d662e80727b6eab3df93166d35ddbaea6a0f6f7a..e8fdc6ba68fb6275a0d7920c76ca434ed830ed84 
100644

--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -388,3 +388,35 @@ class 
TestExternalTrustWithRootDomain(ADTrustBase):


tasks.remove_trust_with_ad(self.master, self.ad_domain)
tasks.clear_sssd_cache(self.master)
+
+
+class TestTrustWithUPN(ADTrustBase):
+"""
+Test support of UPN for trusted domains
+"""
+def test_upn_in_nonposix_trust(self):
+""" Check that UPN is listed as trust attribute """
+result = self.master.run_command(['ipa', 'trust-show', 
self.ad_domain,

+  '--all', '--raw'])
+
+assert "ipantadditionalsuffixes: UPNsuffix.com" in 
result.stdout_text

+
+def test_upn_user_resolution_in_nonposix_trust(self):
+""" Check that user with UPN can be resolved """
+upnuser = 'upnu...@upnsuffix.com'
+result = self.master.run_command(['getent', 'passwd', 
upnuser])

Is there a special reason for not using pwd.getpwnam() ?

Technically -- yes. In case there was a change in the system
configuration (/etc/nsswitch.conf), then these changes wouldn't be
reflected in the application that is already using NSSWITCH interface.

However, in this particular case no change to config files is expected
so pwd.getpwnam() can be used.


Please note that the commands are executed remotely in CI tests, 
pwd.getpwnam() provides only local data.

Martin^2
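
The getent-versus-pwd.getpwnam() exchange above, as an added example that is not part of the thread or of FreeIPA's test suite: checking the passwd line captured from the remote host, with the pattern from the patch next to an escaped variant. The function names, the domain `ad.example.test` and the sample output lines are constructed for illustration.

```python
import re

# Constructed sample output of a remote `getent passwd upnuser@UPNsuffix.com`.
# Domains and numeric IDs are made up for this example.
RESOLVED = "upnuser@ad.example.test:*:1234:1234:UPN User:/:\n"
LOOKALIKE = "upnuser@adXexample.test:*:1234:1234:UPN User:/:\n"
STILL_UPN = "upnuser@UPNsuffix.com:*:1234:1234:UPN User:/:\n"


def unescaped_pattern(username, ad_domain):
    """Pattern shaped like the one in the patch: values interpolated as-is."""
    return r"^{}@{}:\*:(\d+):(\d+):UPN User:/:$".format(username, ad_domain)


def match_passwd_entry(stdout_text, username, ad_domain, gecos):
    """Return (uid, gid) if stdout_text holds the expected passwd entry.

    stdout_text is text captured from the host under test, which is why
    it is parsed here instead of calling pwd.getpwnam(): that call would
    consult NSS on the machine running the tests, not on the remote host.
    """
    pattern = re.compile(
        r"^{}@{}:\*:(\d+):(\d+):{}:/:$".format(
            re.escape(username), re.escape(ad_domain), re.escape(gecos)),
        re.MULTILINE)  # tolerate extra lines around the entry
    match = pattern.search(stdout_text)
    if match is None:
        return None
    return int(match.group(1)), int(match.group(2))


def demo():
    """Run both patterns over the constructed samples."""
    args = ("upnuser", "ad.example.test")
    return {
        # Entry returned under the AD domain: accepted, IDs extracted.
        "resolved": match_passwd_entry(RESOLVED, *args, "UPN User"),
        # A domain that differs only where the pattern has a dot.
        "lookalike_escaped": match_passwd_entry(LOOKALIKE, *args, "UPN User"),
        "lookalike_unescaped": bool(
            re.search(unescaped_pattern(*args), LOOKALIKE)),
        # Entry still named after the UPN suffix: rejected.
        "still_upn": match_passwd_entry(STILL_UPN, *args, "UPN User"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```
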



Re: [Freeipa-devel] [PATCH 0026][Tests] RFE: Support UPN for trusted domains

2016-07-01 Thread Alexander Bokovoy

On Fri, 01 Jul 2016, Lukas Slebodnik wrote:

On (01/07/16 11:13), Lenka Doudova wrote:

And, of course, a patch file :)


On 07/01/2016 11:09 AM, Lenka Doudova wrote:

Hi all,

here's a patch with a basic test suite for support of UPN.

Note: it needs to be applied on top of my patch 0025.2 (or later, if
there will be more fixes to that patch).


Lenka






From 5c8cb8727322371b7246f6d939b38ac1cbd61e4c Mon Sep 17 00:00:00 2001
From: Lenka Doudova 
Date: Fri, 1 Jul 2016 11:00:57 +0200
Subject: [PATCH] Tests: Support of UPN for trusted domains

Basic set of tests to verify support of UPN functionality.

Test cases:
- establish trust
- verify the trust recognizes UPN
- verify AD user with UPN can be resolved
- verify AD user with UPN can authenticate
- remove trust

https://fedorahosted.org/freeipa/ticket/5354
---
ipatests/test_integration/test_trust.py | 32 
1 file changed, 32 insertions(+)

diff --git a/ipatests/test_integration/test_trust.py 
b/ipatests/test_integration/test_trust.py
index 
d662e80727b6eab3df93166d35ddbaea6a0f6f7a..e8fdc6ba68fb6275a0d7920c76ca434ed830ed84
 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -388,3 +388,35 @@ class TestExternalTrustWithRootDomain(ADTrustBase):

tasks.remove_trust_with_ad(self.master, self.ad_domain)
tasks.clear_sssd_cache(self.master)
+
+
+class TestTrustWithUPN(ADTrustBase):
+"""
+Test support of UPN for trusted domains
+"""
+def test_upn_in_nonposix_trust(self):
+""" Check that UPN is listed as trust attribute """
+result = self.master.run_command(['ipa', 'trust-show', self.ad_domain,
+  '--all', '--raw'])
+
+assert "ipantadditionalsuffixes: UPNsuffix.com" in result.stdout_text
+
+def test_upn_user_resolution_in_nonposix_trust(self):
+""" Check that user with UPN can be resolved """
+upnuser = 'upnu...@upnsuffix.com'
+result = self.master.run_command(['getent', 'passwd', upnuser])

Is there a special reason for not using pwd.getpwnam() ?

Technically -- yes. In case there was a change in the system
configuration (/etc/nsswitch.conf), then these changes wouldn't be
reflected in the application that is already using NSSWITCH interface.

However, in this particular case no change to config files is expected
so pwd.getpwnam() can be used.
--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH 0026][Tests] RFE: Support UPN for trusted domains

2016-07-01 Thread Lukas Slebodnik
On (01/07/16 11:13), Lenka Doudova wrote:
>And, of course, a patch file :)
>
>
>On 07/01/2016 11:09 AM, Lenka Doudova wrote:
>> Hi all,
>> 
>> here's a patch with a basic test suite for support of UPN.
>> 
>> Note: it needs to be applied on top of my patch 0025.2 (or later, if
>> there will be more fixes to that patch).
>> 
>> 
>> Lenka
>> 
>

>From 5c8cb8727322371b7246f6d939b38ac1cbd61e4c Mon Sep 17 00:00:00 2001
>From: Lenka Doudova 
>Date: Fri, 1 Jul 2016 11:00:57 +0200
>Subject: [PATCH] Tests: Support of UPN for trusted domains
>
>Basic set of tests to verify support of UPN functionality.
>
>Test cases:
>- establish trust
>- verify the trust recognizes UPN
>- verify AD user with UPN can be resolved
>- verify AD user with UPN can authenticate
>- remove trust
>
>https://fedorahosted.org/freeipa/ticket/5354
>---
> ipatests/test_integration/test_trust.py | 32 
> 1 file changed, 32 insertions(+)
>
>diff --git a/ipatests/test_integration/test_trust.py 
>b/ipatests/test_integration/test_trust.py
>index 
>d662e80727b6eab3df93166d35ddbaea6a0f6f7a..e8fdc6ba68fb6275a0d7920c76ca434ed830ed84
> 100644
>--- a/ipatests/test_integration/test_trust.py
>+++ b/ipatests/test_integration/test_trust.py
>@@ -388,3 +388,35 @@ class TestExternalTrustWithRootDomain(ADTrustBase):
> 
> tasks.remove_trust_with_ad(self.master, self.ad_domain)
> tasks.clear_sssd_cache(self.master)
>+
>+
>+class TestTrustWithUPN(ADTrustBase):
>+"""
>+Test support of UPN for trusted domains
>+"""
>+def test_upn_in_nonposix_trust(self):
>+""" Check that UPN is listed as trust attribute """
>+result = self.master.run_command(['ipa', 'trust-show', self.ad_domain,
>+  '--all', '--raw'])
>+
>+assert "ipantadditionalsuffixes: UPNsuffix.com" in result.stdout_text
>+
>+def test_upn_user_resolution_in_nonposix_trust(self):
>+""" Check that user with UPN can be resolved """
>+upnuser = 'upnu...@upnsuffix.com'
>+result = self.master.run_command(['getent', 'passwd', upnuser])
Is there a special reason for not using pwd.getpwnam() ?

LS



Re: [Freeipa-devel] [PATCH 0026][Tests] RFE: Support UPN for trusted domains

2016-07-01 Thread Lenka Doudova

And, of course, a patch file :)


On 07/01/2016 11:09 AM, Lenka Doudova wrote:

Hi all,

here's a patch with a basic test suite for support of UPN.

Note: it needs to be applied on top of my patch 0025.2 (or later, if
there will be more fixes to that patch).



Lenka



From 5c8cb8727322371b7246f6d939b38ac1cbd61e4c Mon Sep 17 00:00:00 2001
From: Lenka Doudova 
Date: Fri, 1 Jul 2016 11:00:57 +0200
Subject: [PATCH] Tests: Support of UPN for trusted domains

Basic set of tests to verify support of UPN functionality.

Test cases:
- establish trust
- verify the trust recognizes UPN
- verify AD user with UPN can be resolved
- verify AD user with UPN can authenticate
- remove trust

https://fedorahosted.org/freeipa/ticket/5354
---
 ipatests/test_integration/test_trust.py | 32 
 1 file changed, 32 insertions(+)

diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index d662e80727b6eab3df93166d35ddbaea6a0f6f7a..e8fdc6ba68fb6275a0d7920c76ca434ed830ed84 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -388,3 +388,35 @@ class TestExternalTrustWithRootDomain(ADTrustBase):
 
 tasks.remove_trust_with_ad(self.master, self.ad_domain)
 tasks.clear_sssd_cache(self.master)
+
+
+class TestTrustWithUPN(ADTrustBase):
+"""
+Test support of UPN for trusted domains
+"""
+def test_upn_in_nonposix_trust(self):
+""" Check that UPN is listed as trust attribute """
+result = self.master.run_command(['ipa', 'trust-show', self.ad_domain,
+  '--all', '--raw'])
+
+assert "ipantadditionalsuffixes: UPNsuffix.com" in result.stdout_text
+
+def test_upn_user_resolution_in_nonposix_trust(self):
+""" Check that user with UPN can be resolved """
+upnuser = 'upnu...@upnsuffix.com'
+result = self.master.run_command(['getent', 'passwd', upnuser])
+
+# result will contain AD domain, not UPN
+upnuser_regex = "^upnuser@{0}:\*:(\d+):(\d+):UPN User:/:$".format(
+self.ad_domain)
+assert re.search(upnuser_regex, result.stdout_text)
+
+def test_upn_user_authentication(self):
+""" Check that AD user with UPN can authenticate in IPA """
+self.master.run_command(['systemctl', 'restart', 'krb5kdc'])
+self.master.run_command(['kinit', '-C', '-E', 'upnu...@upnsuffix.com'],
+stdin_text='Secret123456')
+
+def test_remove_nonposix_trust(self):
+tasks.remove_trust_with_ad(self.master, self.ad_domain)
+tasks.clear_sssd_cache(self.master)
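Review bot: test_upn_user_authentication stops at the kinit call, so the only thing it can verify is kinit's exit status, not which principal the ticket was issued for; with -C the client name may be canonicalized by the KDC. Follow the kinit with a klist and assert on the default principal, then kdestroy so the credential cache does not carry over into later tests. Separately, the upnuser_regex literal contains \* and \d in a non-raw string; an r"..." prefix states the intent and avoids relying on Python passing unknown escapes through.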
-- 
2.7.4


[Freeipa-devel] [PATCH 0026][Tests] RFE: Support UPN for trusted domains

2016-07-01 Thread Lenka Doudova

Hi all,

here's a patch with a basic test suite for support of UPN.

Note: it needs to be applied on top of my patch 0025.2 (or later, if
there will be more fixes to that patch).



Lenka
