Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
All the patches from this thread were converted into github pull requests:

[1]: https://github.com/freeipa/freeipa/pull/224
[2]: https://github.com/freeipa/freeipa/pull/225

On 11/09/2016 04:43 PM, Milan Kubík wrote:
On 10/25/2016 10:24 AM, Oleg Fayans wrote:

Integration part of the tests is ready. 2 tests:

1. Adds a cert to idoverride of a windows user
2. sssd part - looks up user by his certificate using dbus-sssd

Second and third dbus call are executed as a string instead of as an array of strings because it just does not work otherwise. Some quote escaping gets screwed probably, but the system returns "Error org.freedesktop.DBus.Error.UnknownInterface: Unknown interface" if the command is executed using the standard array-based approach

The run looks like this:

    bash-4.3$ ipa-run-tests test_integration/test_idviews.py --pdb
    WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] Permission denied: 'lextab.py'
    WARNING: yacc table file version is out of date
    WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission denied: 'yacctab.py'
    test session starts
    platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
    rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
    plugins: sourceorder-0.5, multihost-1.0
    collected 2 items
    test_integration/test_idviews.py ..
    2 passed in 948.44 seconds =

On 10/21/2016 10:54 AM, Oleg Fayans wrote:

Added one more test, resolved the pep8 issues

On 10/19/2016 12:32 PM, Oleg Fayans wrote:

Hi Martin,

As you suggested, I've extended the test_xmlrpc/test_add_remove_cert_cmd.py to contain basic tests for certs in idoverrides. The integration part still needs some polishing in the part related to user lookup by cert

On 10/14/2016 03:57 PM, Martin Babinsky wrote:
On 10/14/2016 03:48 PM, Oleg Fayans wrote:

So, did I understand correctly, that there would be 2 patches: one containing test for basic idoverrides functionality without AD-integration, and the second one - with AD-integration and an sssd check, correct? I guess, the freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch might be a good candidate for the first one, I only have to change the filename to test_idviews.py, right?

Oleg, we already have XMLRPC tests for idoverrides:

ipatests/test_xmlrpc/test_idviews_plugin.py

Is there any particular reason why not to extend them with add cert/remove cert operations? Even better, you can extend `ipatests/test_xmlrpc/test_add_remove_cert_cmd.py` suite by doing the same set of tests on idoverrideuser objects. Or am I missing something?

On 09/15/2016 10:32 AM, Martin Basti wrote:
On 15.09.2016 10:10, Oleg Fayans wrote:

Hi Martin,

The file was renamed. Did I understand correctly that for now we are leaving the test as is and are planning to extend it later?

I would like to have there SSSD check involved, please use what Sumit recommends. No new test cases. And this can be done by separate patch, I want to have API/CLI certificate override tests for non-AD idview (extending current tests I posted in this thread)

Martin^2

On 09/15/2016 09:49 AM, Martin Basti wrote:
On 14.09.2016 18:53, Sumit Bose wrote:
On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:
On 14.09.2016 17:53, Alexander Bokovoy wrote:
On Wed, 14 Sep 2016, Martin Basti wrote:
On 14.09.2016 17:41, Alexander Bokovoy wrote:
On Wed, 14 Sep 2016, Martin Basti wrote:

1) I still don't see the reason why AD trust is needed. Default trust ID view is added just by ipa-adtrust-install, adding trust is not needed for current implementation. You don't need AD for this, IDviews is a generic feature not just for AD.

Is that user configured on AD side?

You cannot add non-AD user to 'default trust view', so you will not be able to set up certificates to ID override which does not exist. For non-'default trust view' you can add both IPA and AD users, so using some other view and then assign certificate for an ID override in that one.

Ok then, but anyway I would like to see API/CLI tests for this feature with proper output validation.

How can this be tested with SSSD? You need to log into the system with a certificate... Is this possible from test? We are logged remotely as root, is there any cmdline util which allows us to test certificate against AD user?

You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should return the ssh key derived from the public key in the certificate. This should work for certificate stored in AD as well as for overrides. You can also use the DBus lookup by certificate as described in https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate .

HTH

bye,
Sumit

Thank you Alexander and Sumit for hints.

Oleg I realized we don't have any other idviews integration tests So I propose to rename test file you are adding to test_idviews.py. We can add more testcases for idviews there later

Martin^2

Martin^2
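The check Sumit Bose suggests in the quoted text above gives a test something concrete to compare: the key printed by `sss_ssh_authorizedkeys` should be the public key of the certificate stored in the ID override. The following is an added example, not code from this thread or from the FreeIPA patches, that derives that expected key with `openssl` and `ssh-keygen`; the function names, the throwaway self-signed certificate with CN `aduser-sample`, and the use of `ssh-keygen -y` as a stand-in for the SSSD output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: derive the OpenSSH public key that corresponds to an X.509
# certificate, so a test can compare it with `sss_ssh_authorizedkeys` output.

# cert_to_ssh_key CERT_PEM
# Prints "<keytype> <base64>" for the public key inside the certificate.
cert_to_ssh_key() {
    spki=$(mktemp) || return 1
    # Extract SubjectPublicKeyInfo ("BEGIN PUBLIC KEY") from the certificate.
    if ! openssl x509 -in "$1" -noout -pubkey > "$spki" 2>/dev/null; then
        rm -f "$spki"
        return 1
    fi
    # ssh-keygen imports that PEM form under the format name PKCS8.
    ssh-keygen -i -m PKCS8 -f "$spki" | awk '{print $1, $2}'
    rm -f "$spki"
}

# key_in_output CERT_PEM OUTPUT
# OUTPUT is what the key lookup printed, one authorized_keys line per key.
# Returns 0 only if one of those lines carries the certificate's key,
# 1 if none does, 2 if the certificate could not be converted.
key_in_output() {
    expected=$(cert_to_ssh_key "$1") || return 2
    [ -n "$expected" ] || return 2
    # Compare key type and base64 blob only; trailing comments are ignored.
    printf '%s\n' "$2" | awk '{print $1, $2}' | grep -Fxq -- "$expected"
}

# make_sample_cert DIR
# Constructed sample input: a throwaway self-signed certificate and its key.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=aduser-sample" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    chmod 600 "$1/key.pem"
}

# demo: prints "match" when the key derived from the certificate equals the
# key derived independently from the private key.
demo() {
    dir=$(mktemp -d) || return 1
    make_sample_cert "$dir" || return 1
    # Stand-in (assumption) for: sss_ssh_authorizedkeys aduser@ad.domain
    reported=$(ssh-keygen -y -f "$dir/key.pem")
    if key_in_output "$dir/cert.pem" "$reported"; then
        echo "match"
    else
        echo "mismatch"
    fi
    rm -rf "$dir"
}
```

On an enrolled client, the second argument to `key_in_output` would be the captured output of `sss_ssh_authorizedkeys aduser@ad.domain`, and the first the certificate that was added to the override.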
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
Never give up pinging :)

On 11/03/2016 12:43 PM, Martin Basti wrote:

LGTM

On 03.11.2016 09:42, Oleg Fayans wrote:

One more ping for review

On 10/27/2016 02:21 PM, Oleg Fayans wrote:

ping for review

On 10/25/2016 10:24 AM, Oleg Fayans wrote:

Integration part of the tests is ready. 2 tests:

1. Adds a cert to idoverride of a windows user
2. sssd part - looks up user by his certificate using dbus-sssd

Second and third dbus call are executed as a string instead of as an array of strings because it just does not work otherwise. Some quote escaping gets screwed probably, but the system returns "Error org.freedesktop.DBus.Error.UnknownInterface: Unknown interface" if the command is executed using the standard array-based approach

The run looks like this:

    bash-4.3$ ipa-run-tests test_integration/test_idviews.py --pdb
    WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] Permission denied: 'lextab.py'
    WARNING: yacc table file version is out of date
    WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission denied: 'yacctab.py'
    test session starts
    platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
    rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
    plugins: sourceorder-0.5, multihost-1.0
    collected 2 items
    test_integration/test_idviews.py ..
    2 passed in 948.44 seconds =

On 10/21/2016 10:54 AM, Oleg Fayans wrote:

Added one more test, resolved the pep8 issues

On 10/19/2016 12:32 PM, Oleg Fayans wrote:

Hi Martin,

As you suggested, I've extended the test_xmlrpc/test_add_remove_cert_cmd.py to contain basic tests for certs in idoverrides.
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
Integration part of the tests is ready. 2 tests:

1. Adds a cert to idoverride of a windows user
2. sssd part - looks up user by his certificate using dbus-sssd

Second and third dbus call are executed as a string instead of as an array of strings because it just does not work otherwise. Some quote escaping gets screwed probably, but the system returns "Error org.freedesktop.DBus.Error.UnknownInterface: Unknown interface" if the command is executed using the standard array-based approach

The run looks like this:

    bash-4.3$ ipa-run-tests test_integration/test_idviews.py --pdb
    WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] Permission denied: 'lextab.py'
    WARNING: yacc table file version is out of date
    WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission denied: 'yacctab.py'
    test session starts
    platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
    rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
    plugins: sourceorder-0.5, multihost-1.0
    collected 2 items
    test_integration/test_idviews.py ..
    2 passed in 948.44 seconds =

On 10/21/2016 10:54 AM, Oleg Fayans wrote:

Added one more test, resolved the pep8 issues

On 10/19/2016 12:32 PM, Oleg Fayans wrote:

Hi Martin,

As you suggested, I've extended the test_xmlrpc/test_add_remove_cert_cmd.py to contain basic tests for certs in idoverrides. The integration part still needs some polishing in the part related to user lookup by cert

On 10/14/2016 03:57 PM, Martin Babinsky wrote:
On 10/14/2016 03:48 PM, Oleg Fayans wrote:

So, did I understand correctly, that there would be 2 patches: one containing test for basic idoverrides functionality without AD-integration, and the second one - with AD-integration and an sssd check, correct? I guess, the freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch might be a good candidate for the first one, I only have to change the filename to test_idviews.py, right?

Oleg, we already have XMLRPC tests for idoverrides:

ipatests/test_xmlrpc/test_idviews_plugin.py

Is there any particular reason why not to extend them with add cert/remove cert operations? Even better, you can extend `ipatests/test_xmlrpc/test_add_remove_cert_cmd.py` suite by doing the same set of tests on idoverrideuser objects. Or am I missing something?

On 09/15/2016 10:32 AM, Martin Basti wrote:
On 15.09.2016 10:10, Oleg Fayans wrote:

Hi Martin,

The file was renamed. Did I understand correctly that for now we are leaving the test as is and are planning to extend it later?

I would like to have there SSSD check involved, please use what Sumit recommends. No new test cases. And this can be done by separate patch, I want to have API/CLI certificate override tests for non-AD idview (extending current tests I posted in this thread)

Martin^2

On 09/15/2016 09:49 AM, Martin Basti wrote:
On 14.09.2016 18:53, Sumit Bose wrote:
On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:
On 14.09.2016 17:53, Alexander Bokovoy wrote:
On Wed, 14 Sep 2016, Martin Basti wrote:
On 14.09.2016 17:41, Alexander Bokovoy wrote:
On Wed, 14 Sep 2016, Martin Basti wrote:

1) I still don't see the reason why AD trust is needed. Default trust ID view is added just by ipa-adtrust-install, adding trust is not needed for current implementation. You don't need AD for this, IDviews is a generic feature not just for AD.

Is that user configured on AD side?

You cannot add non-AD user to 'default trust view', so you will not be able to set up certificates to ID override which does not exist. For non-'default trust view' you can add both IPA and AD users, so using some other view and then assign certificate for an ID override in that one.

Ok then, but anyway I would like to see API/CLI tests for this feature with proper output validation.

How can this be tested with SSSD? You need to log into the system with a certificate... Is this possible from test? We are logged remotely as root, is there any cmdline util which allows us to test certificate against AD user?

You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should return the ssh key derived from the public key in the certificate. This should work for certificate stored in AD as well as for overrides. You can also use the DBus lookup by certificate as described in https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate .

HTH

bye,
Sumit

Thank you Alexander and Sumit for hints.

Oleg I realized we don't have any other idviews integration tests So I propose to rename test file you are adding to test_idviews.py. We can add more testcases for idviews there later

Martin^2

Martin^2
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
Added one more test, resolved the pep8 issues On 10/19/2016 12:32 PM, Oleg Fayans wrote: Hi Martin, As you suggested, I've extended the test_xmlrpc/test_add_remove_cert_cmd.py to contain basic tests for certs in idoverrides. The integration part still needs some polishing in the part related to user lookup by cert On 10/14/2016 03:57 PM, Martin Babinsky wrote: On 10/14/2016 03:48 PM, Oleg Fayans wrote: So, did I understand correctly, that there would be 2 patches: one containing test for basic idoverrides functionality without AD-integration, and the second one - with AD-integration and an sssd check, correct? I guess, the freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch might be a good candidate for the first one, I only have to change the filename to test_idviews.py, right? Oleg, we already have XMLRPC tests for idoverrides: ipatests/test_xmlrpc/test_idviews_plugin.py Is there any particular reason why not to extend them with add cert/remove cert operations? Even better, you can extend `ipatests/test_xmlrpc/test_add_remove_cert_cmd.py` suite by doing the same set of tests on idoverrideuser objects. Or am I missing something? On 09/15/2016 10:32 AM, Martin Basti wrote: On 15.09.2016 10:10, Oleg Fayans wrote: Hi Martin, The file was renamed. Did I understand correctly that for now we are leaving the test as is and are planning to extend it later? I would like to have there SSSD check involved, please use what Summit recommends. No new test cases. 
And this can be done by separate patch, I want to have API/CLI certificate override tests for non-AD idview (extending current tests I posted in this thread) Martin^2 On 09/15/2016 09:49 AM, Martin Basti wrote: On 14.09.2016 18:53, Sumit Bose wrote: On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote: On 14.09.2016 17:53, Alexander Bokovoy wrote: On Wed, 14 Sep 2016, Martin Basti wrote: On 14.09.2016 17:41, Alexander Bokovoy wrote: On Wed, 14 Sep 2016, Martin Basti wrote: 1) I still don't see the reason why AD trust is needed. Default trust ID view is added just by ipa-adtrust-install, adding trust is not needed for current implementation. You don't need AD for this, IDviews is generic feature not just for AD. Is that user configured on AD side? You cannot add non-AD user to 'default trust view', so you will not be able to set up certificates to ID override which does not exist. For non-'default trust view' you can add both IPA and AD users, so using some other view and then assign certificate for a ID override in that one. Ok then, but anyway I would like to see API/CLI tests for this feature with proper output validation. How can be this tested with SSSD? You need to log into the system with a certificate... Is this possible from test? We are logged remotely as root, is there any cmdline util which allows us to test certificate against AD user? You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should return the ssh key derived from the public key in the certificate. This should work for certificate stored in AD as well as for overrides. You can also you the DBus lookup by certificate as described in https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate . HTH bye, Sumit Thank you Alexander and Summit for hints. Oleg I realized we don't have any other idviews integration tests So I propose to rename test file you are adding to test_idviews.py. 
We can add more testcases for idviews there later Martin^2 Martin^2 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From 91a14f2604370c2fc314af6768ddaa112b9b0649 Mon Sep 17 00:00:00 2001 From: Oleg Fayans Date: Fri, 21 Oct 2016 10:53:19 +0200 Subject: [PATCH] tests: Added basic tests for certs in idoverrides https://fedorahosted.org/freeipa/ticket/6412 --- ipatests/test_xmlrpc/test_add_remove_cert_cmd.py | 91 1 file changed, 91 insertions(+) diff --git a/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py b/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py index edc97f07b0bf7d621bf9313a8ba20b4071b9e394..cc190329416dd001dc7435737b33c696a9f9ac7e 100644 --- a/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py +++ b/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py @@ -352,3 +352,94 @@ class TestCertManipCmdService(CertManipCmdTestBase): api.Command.host_del(TestCertManipCmdHost.entity_pkey) except errors.NotFound: pass + + +@pytest.mark.tier1 +class TestCertManipIdOverride(XMLRPC_test): +idview = u'testview' +testuser = u'testuser' +entity_subject = testuser +entity_principal = testuser + +cert_add_cmd = api.Command.idoverrideuser_add_cert +cert_del_cmd = api.Command.idoverrideuser_remove_cert + +def del_cert_fro
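Review bot: TestCertManipIdOverride derives from XMLRPC_test, while the class directly above it in this file, TestCertManipCmdService, derives from CertManipCmdTestBase, and the new class then declares entity_subject, entity_principal, cert_add_cmd and cert_del_cmd by hand. If those attributes are the ones CertManipCmdTestBase expects from a subclass, inheriting from it would reuse the existing add/remove cases instead of growing a parallel set of helpers; if the base cannot be used for idoverrideuser objects, a class docstring saying why would save the next reader the question. The visible part of the patch stops inside the first helper, so the test bodies themselves cannot be checked here.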
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
Hi Martin, As you suggested, I've extended the test_xmlrpc/test_add_remove_cert_cmd.py to contain basic tests for certs in idoverrides. The integration part still needs some polishing in the part related to user lookup by cert On 10/14/2016 03:57 PM, Martin Babinsky wrote: On 10/14/2016 03:48 PM, Oleg Fayans wrote: So, did I understand correctly, that there would be 2 patches: one containing test for basic idoverrides functionality without AD-integration, and the second one - with AD-integration and an sssd check, correct? I guess, the freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch might be a good candidate for the first one, I only have to change the filename to test_idviews.py, right? Oleg, we already have XMLRPC tests for idoverrides: ipatests/test_xmlrpc/test_idviews_plugin.py Is there any particular reason why not to extend them with add cert/remove cert operations? Even better, you can extend `ipatests/test_xmlrpc/test_add_remove_cert_cmd.py` suite by doing the same set of tests on idoverrideuser objects. Or am I missing something? On 09/15/2016 10:32 AM, Martin Basti wrote: On 15.09.2016 10:10, Oleg Fayans wrote: Hi Martin, The file was renamed. Did I understand correctly that for now we are leaving the test as is and are planning to extend it later? I would like to have there SSSD check involved, please use what Summit recommends. No new test cases. And this can be done by separate patch, I want to have API/CLI certificate override tests for non-AD idview (extending current tests I posted in this thread) Martin^2 On 09/15/2016 09:49 AM, Martin Basti wrote: On 14.09.2016 18:53, Sumit Bose wrote: On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote: On 14.09.2016 17:53, Alexander Bokovoy wrote: On Wed, 14 Sep 2016, Martin Basti wrote: On 14.09.2016 17:41, Alexander Bokovoy wrote: On Wed, 14 Sep 2016, Martin Basti wrote: 1) I still don't see the reason why AD trust is needed. 
Default trust ID view is added just by ipa-adtrust-install, adding trust is not needed for current implementation. You don't need AD for this, IDviews is generic feature not just for AD. Is that user configured on AD side? You cannot add non-AD user to 'default trust view', so you will not be able to set up certificates to ID override which does not exist. For non-'default trust view' you can add both IPA and AD users, so using some other view and then assign certificate for a ID override in that one. Ok then, but anyway I would like to see API/CLI tests for this feature with proper output validation. How can be this tested with SSSD? You need to log into the system with a certificate... Is this possible from test? We are logged remotely as root, is there any cmdline util which allows us to test certificate against AD user? You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should return the ssh key derived from the public key in the certificate. This should work for certificate stored in AD as well as for overrides. You can also you the DBus lookup by certificate as described in https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate . HTH bye, Sumit Thank you Alexander and Summit for hints. Oleg I realized we don't have any other idviews integration tests So I propose to rename test file you are adding to test_idviews.py. We can add more testcases for idviews there later Martin^2 Martin^2 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From de874f4e7bae77a1149846b2dd1fd4ce487e8c66 Mon Sep 17 00:00:00 2001 
From: Oleg Fayans Date: Wed, 19 Oct 2016 11:59:44 +0200 Subject: [PATCH] tests: Added basic tests for certs in idoverrides https://fedorahosted.org/freeipa/ticket/6412 --- ipatests/test_xmlrpc/test_add_remove_cert_cmd.py | 88 1 file changed, 88 insertions(+) diff --git a/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py b/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py index edc97f07b0bf7d621bf9313a8ba20b4071b9e394..82a81b04997b8b4b41a45d65e00b773daef52099 100644 --- a/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py +++ b/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py @@ -352,3 +352,91 @@ class TestCertManipCmdService(CertManipCmdTestBase): api.Command.host_del(TestCertManipCmdHost.entity_pkey) except errors.NotFound: pass + + +@pytest.mark.tier1 +class TestCertManipIdOverride(XMLRPC_test): +idview = u'testview' +testuser = u'testuser' +entity_subject = testuser +entity_principal = testuser + +cert_add_cmd = api.Command.idoverrideuser_add_cert +cert_del_cmd = api.Command.idoverrideuser_remove_cert + +def del_cert_from_idoverride(self, username, view_name, cert): +result = self.cert_del_cmd(view_name,
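Review bot: the helper del_cert_from_idoverride(self, username, view_name, cert) takes the user first and the view second, but the call it wraps starts with self.cert_del_cmd(view_name, ..., so the helper's argument order is the reverse of the command's. With both values being plain unicode strings (idview = u'testview', testuser = u'testuser'), a swapped call would not fail loudly; it would just target the wrong object. Matching the command's order (view_name, username, cert) or calling the helper with keyword arguments would remove that trap, and a one-line docstring on the helper would document what it is expected to assert.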
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
Hi, Martin,

Right. The point is to have a test that emulates the real-world usecase of this feature. Which is AD integration. No xmlrpc test is able to do so. Of course we can automate testing of CLI options using XMLRPC. But that would not mean we do not need an integration test for the "real" part.
So, I'll add the cert manipulation tests to the xmlrpc test.

On 10/14/2016 03:57 PM, Martin Babinsky wrote:
On 10/14/2016 03:48 PM, Oleg Fayans wrote:
So, did I understand correctly, that there would be 2 patches: one containing test for basic idoverrides functionality without AD-integration, and the second one - with AD-integration and an sssd check, correct? I guess, the freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch might be a good candidate for the first one, I only have to change the filename to test_idviews.py, right?

Oleg, we already have XMLRPC tests for idoverrides: ipatests/test_xmlrpc/test_idviews_plugin.py
Is there any particular reason why not to extend them with add cert/remove cert operations? Even better, you can extend `ipatests/test_xmlrpc/test_add_remove_cert_cmd.py` suite by doing the same set of tests on idoverrideuser objects. Or am I missing something?

On 09/15/2016 10:32 AM, Martin Basti wrote:
On 15.09.2016 10:10, Oleg Fayans wrote:
Hi Martin,
The file was renamed. Did I understand correctly that for now we are leaving the test as is and are planning to extend it later?

I would like to have there SSSD check involved, please use what Sumit recommends. No new test cases.
And this can be done by separate patch, I want to have API/CLI certificate override tests for non-AD idview (extending current tests I posted in this thread)
Martin^2

On 09/15/2016 09:49 AM, Martin Basti wrote:
On 14.09.2016 18:53, Sumit Bose wrote:
On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:
On 14.09.2016 17:53, Alexander Bokovoy wrote:
On Wed, 14 Sep 2016, Martin Basti wrote:
On 14.09.2016 17:41, Alexander Bokovoy wrote:
On Wed, 14 Sep 2016, Martin Basti wrote:
1) I still don't see the reason why AD trust is needed. Default trust ID view is added just by ipa-adtrust-install, adding trust is not needed for current implementation. You don't need AD for this, IDviews is generic feature not just for AD. Is that user configured on AD side?

You cannot add non-AD user to 'default trust view', so you will not be able to set up certificates to ID override which does not exist. For non-'default trust view' you can add both IPA and AD users, so using some other view and then assign certificate for a ID override in that one.

Ok then, but anyway I would like to see API/CLI tests for this feature with proper output validation.

How can be this tested with SSSD?

You need to log into the system with a certificate...

Is this possible from test? We are logged remotely as root, is there any cmdline util which allows us to test certificate against AD user?

You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should return the ssh key derived from the public key in the certificate. This should work for certificate stored in AD as well as for overrides. You can also use the DBus lookup by certificate as described in https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate .

HTH
bye,
Sumit

Thank you Alexander and Sumit for hints.
Oleg I realized we don't have any other idviews integration tests
So I propose to rename test file you are adding to test_idviews.py. We can add more testcases for idviews there later
Martin^2
Martin^2

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
On 10/14/2016 03:48 PM, Oleg Fayans wrote:
So, did I understand correctly, that there would be 2 patches: one containing test for basic idoverrides functionality without AD-integration, and the second one - with AD-integration and an sssd check, correct? I guess, the freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch might be a good candidate for the first one, I only have to change the filename to test_idviews.py, right?

Oleg, we already have XMLRPC tests for idoverrides: ipatests/test_xmlrpc/test_idviews_plugin.py
Is there any particular reason why not to extend them with add cert/remove cert operations? Even better, you can extend `ipatests/test_xmlrpc/test_add_remove_cert_cmd.py` suite by doing the same set of tests on idoverrideuser objects. Or am I missing something?

On 09/15/2016 10:32 AM, Martin Basti wrote:
On 15.09.2016 10:10, Oleg Fayans wrote:
Hi Martin,
The file was renamed. Did I understand correctly that for now we are leaving the test as is and are planning to extend it later?

I would like to have there SSSD check involved, please use what Sumit recommends. No new test cases.
And this can be done by separate patch, I want to have API/CLI certificate override tests for non-AD idview (extending current tests I posted in this thread)
Martin^2

On 09/15/2016 09:49 AM, Martin Basti wrote:
On 14.09.2016 18:53, Sumit Bose wrote:
On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:
On 14.09.2016 17:53, Alexander Bokovoy wrote:
On Wed, 14 Sep 2016, Martin Basti wrote:
On 14.09.2016 17:41, Alexander Bokovoy wrote:
On Wed, 14 Sep 2016, Martin Basti wrote:
1) I still don't see the reason why AD trust is needed. Default trust ID view is added just by ipa-adtrust-install, adding trust is not needed for current implementation. You don't need AD for this, IDviews is generic feature not just for AD. Is that user configured on AD side?

You cannot add non-AD user to 'default trust view', so you will not be able to set up certificates to ID override which does not exist. For non-'default trust view' you can add both IPA and AD users, so using some other view and then assign certificate for a ID override in that one.

Ok then, but anyway I would like to see API/CLI tests for this feature with proper output validation.

How can be this tested with SSSD?

You need to log into the system with a certificate...

Is this possible from test? We are logged remotely as root, is there any cmdline util which allows us to test certificate against AD user?

You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should return the ssh key derived from the public key in the certificate. This should work for certificate stored in AD as well as for overrides. You can also use the DBus lookup by certificate as described in https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate .

HTH
bye,
Sumit

Thank you Alexander and Sumit for hints.
Oleg I realized we don't have any other idviews integration tests
So I propose to rename test file you are adding to test_idviews.py. We can add more testcases for idviews there later
Martin^2
Martin^2

--
Martin^3 Babinsky
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
So, did I understand correctly, that there would be 2 patches: one containing test for basic idoverrides functionality without AD-integration, and the second one - with AD-integration and an sssd check, correct? I guess, the freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch might be a good candidate for the first one, I only have to change the filename to test_idviews.py, right?

On 09/15/2016 10:32 AM, Martin Basti wrote:
On 15.09.2016 10:10, Oleg Fayans wrote:
Hi Martin,
The file was renamed. Did I understand correctly that for now we are leaving the test as is and are planning to extend it later?

I would like to have there SSSD check involved, please use what Sumit recommends. No new test cases.
And this can be done by separate patch, I want to have API/CLI certificate override tests for non-AD idview (extending current tests I posted in this thread)
Martin^2

On 09/15/2016 09:49 AM, Martin Basti wrote:
On 14.09.2016 18:53, Sumit Bose wrote:
On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:
On 14.09.2016 17:53, Alexander Bokovoy wrote:
On Wed, 14 Sep 2016, Martin Basti wrote:
On 14.09.2016 17:41, Alexander Bokovoy wrote:
On Wed, 14 Sep 2016, Martin Basti wrote:
1) I still don't see the reason why AD trust is needed. Default trust ID view is added just by ipa-adtrust-install, adding trust is not needed for current implementation. You don't need AD for this, IDviews is generic feature not just for AD. Is that user configured on AD side?

You cannot add non-AD user to 'default trust view', so you will not be able to set up certificates to ID override which does not exist. For non-'default trust view' you can add both IPA and AD users, so using some other view and then assign certificate for a ID override in that one.

Ok then, but anyway I would like to see API/CLI tests for this feature with proper output validation.

How can be this tested with SSSD?

You need to log into the system with a certificate...

Is this possible from test? We are logged remotely as root, is there any cmdline util which allows us to test certificate against AD user?

You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should return the ssh key derived from the public key in the certificate. This should work for certificate stored in AD as well as for overrides. You can also use the DBus lookup by certificate as described in https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate .

HTH
bye,
Sumit

Thank you Alexander and Sumit for hints.
Oleg I realized we don't have any other idviews integration tests
So I propose to rename test file you are adding to test_idviews.py. We can add more testcases for idviews there later
Martin^2
Martin^2

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
On 15.09.2016 10:10, Oleg Fayans wrote:
Hi Martin,
The file was renamed. Did I understand correctly that for now we are leaving the test as is and are planning to extend it later?

I would like to have there SSSD check involved, please use what Sumit recommends. No new test cases.
And this can be done by separate patch, I want to have API/CLI certificate override tests for non-AD idview (extending current tests I posted in this thread)
Martin^2

On 09/15/2016 09:49 AM, Martin Basti wrote:
On 14.09.2016 18:53, Sumit Bose wrote:
On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:
On 14.09.2016 17:53, Alexander Bokovoy wrote:
On Wed, 14 Sep 2016, Martin Basti wrote:
On 14.09.2016 17:41, Alexander Bokovoy wrote:
On Wed, 14 Sep 2016, Martin Basti wrote:
1) I still don't see the reason why AD trust is needed. Default trust ID view is added just by ipa-adtrust-install, adding trust is not needed for current implementation. You don't need AD for this, IDviews is generic feature not just for AD. Is that user configured on AD side?

You cannot add non-AD user to 'default trust view', so you will not be able to set up certificates to ID override which does not exist. For non-'default trust view' you can add both IPA and AD users, so using some other view and then assign certificate for a ID override in that one.

Ok then, but anyway I would like to see API/CLI tests for this feature with proper output validation.

How can be this tested with SSSD?

You need to log into the system with a certificate...

Is this possible from test? We are logged remotely as root, is there any cmdline util which allows us to test certificate against AD user?

You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should return the ssh key derived from the public key in the certificate. This should work for certificate stored in AD as well as for overrides. You can also use the DBus lookup by certificate as described in https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate .

HTH
bye,
Sumit

Thank you Alexander and Sumit for hints.
Oleg I realized we don't have any other idviews integration tests
So I propose to rename test file you are adding to test_idviews.py. We can add more testcases for idviews there later
Martin^2
Martin^2
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
Hi Martin, The file was renamed. Did I understand correctly that for now we are leaving the test as is and are planning to extend it later? On 09/15/2016 09:49 AM, Martin Basti wrote: On 14.09.2016 18:53, Sumit Bose wrote: On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote: On 14.09.2016 17:53, Alexander Bokovoy wrote: On Wed, 14 Sep 2016, Martin Basti wrote: On 14.09.2016 17:41, Alexander Bokovoy wrote: On Wed, 14 Sep 2016, Martin Basti wrote: 1) I still don't see the reason why AD trust is needed. Default trust ID view is added just by ipa-adtrust-install, adding trust is not needed for current implementation. You don't need AD for this, IDviews is generic feature not just for AD. Is that user configured on AD side? You cannot add non-AD user to 'default trust view', so you will not be able to set up certificates to ID override which does not exist. For non-'default trust view' you can add both IPA and AD users, so using some other view and then assign certificate for a ID override in that one. Ok then, but anyway I would like to see API/CLI tests for this feature with proper output validation. How can be this tested with SSSD? You need to log into the system with a certificate... Is this possible from test? We are logged remotely as root, is there any cmdline util which allows us to test certificate against AD user? You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should return the ssh key derived from the public key in the certificate. This should work for certificate stored in AD as well as for overrides. You can also you the DBus lookup by certificate as described in https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate . HTH bye, Sumit Thank you Alexander and Summit for hints. Oleg I realized we don't have any other idviews integration tests So I propose to rename test file you are adding to test_idviews.py. 
We can add more testcases for idviews there later Martin^2 Martin^2 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From 1a0039b64023b0bb3c9289128413b4ccef489ec4 Mon Sep 17 00:00:00 2001 From: Oleg Fayans Date: Tue, 6 Sep 2016 13:55:16 +0200 Subject: [PATCH] Automated test for certs in idoverrides feature https://fedorahosted.org/freeipa/ticket/6005 --- .../test_integration/test_idviews.py | 121 + 1 file changed, 121 insertions(+) create mode 100644 ipatests/test_integration/test_idviews.py diff --git a/ipatests/test_integration/test_idviews.py b/ipatests/test_integration/test_idviews.py new file mode 100644 index ..762ce71a5ed8883b2a2d5bc4185b5ffcb52a4edb --- /dev/null +++ b/ipatests/test_integration/test_idviews.py 
@@ -0,0 +1,121 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +import os +import re +import string +from ipatests.test_integration import tasks +from ipatests.test_integration.base import IntegrationTest +from ipatests.test_integration.tasks import assert_error +from ipatests.test_integration.env_config import get_global_config +config = get_global_config() + + +class TestCertsInIDOverrides(IntegrationTest): +topology = "line" +service_certprofile = 'caIPAserviceCert' +num_ad_domains = 1 +user_certprofile = 'caIPAuserCert' +adview = 'Default Trust View' +cert_re = re.compile('Certificate: (?P.*?)\\s+.*') +ad = config.ad_domains[0].ads[0] +ad_domain = ad.domain.name +aduser = "testuser@%s" % ad_domain +adcert1 = 'MyCert1' +adcert2 = 'MyCert2' +adcert1_file = adcert1 + '.crt' +adcert2_file = adcert2 + '.crt' + +@classmethod +def uninstall(cls, mh): +super(TestCertsInIDOverrides, cls).uninstall(mh) +cls.master.run_command(['rm', '-rf', cls.reqdir], raiseonerr=False) + +@classmethod +def install(cls, mh): +super(TestCertsInIDOverrides, cls).install(mh) +master = cls.master + +# AD-related stuff +tasks.install_adtrust(master) +tasks.sync_time(master, cls.ad) +tasks.establish_trust_with_ad(cls.master, cls.ad_domain, + extra_args=['--range-type', + 'ipa-ad-trust']) + +tasks.sync_time(cls.master, cls.ad) +master.run_command(['ipa', 'certprofile-show', cls.service_certprofile, +"--out=%s.txt" % cls.user_certprofile]) +master.run_command("sed -i \"s/profileId=%s/profileId=%s/\" %s.txt" % ( +cls.service_certprofile, cls.user_certprofile, +cls.user_certprofile) +) +master.run_command(['ipa', 'certprofile-import', cls.user_certprofile, +"--file=%s.txt" % cls.user_certprofile, +
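Review bot: uninstall() removes cls.reqdir, but reqdir is not among the class attributes declared at the top of TestCertsInIDOverrides in the visible part of this hunk. If it is only assigned inside install(), an install that fails before that assignment makes uninstall raise AttributeError and hides the original failure; raiseonerr=False only covers the exit status of rm, not the attribute lookup. Declaring reqdir next to adcert1_file and adcert2_file would avoid that. Two smaller points in install(): the sed call is built by % formatting into a single shell string while the neighbouring run_command calls pass argument lists, so passing ['sed', '-i', ...] would keep shell quoting out of the picture; and tasks.sync_time is called both before and after establish_trust_with_ad, which deserves a comment if the second call is intentional.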
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
On 14.09.2016 18:53, Sumit Bose wrote:
On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:
On 14.09.2016 17:53, Alexander Bokovoy wrote:
On Wed, 14 Sep 2016, Martin Basti wrote:
On 14.09.2016 17:41, Alexander Bokovoy wrote:
On Wed, 14 Sep 2016, Martin Basti wrote:
1) I still don't see the reason why AD trust is needed. Default trust ID view is added just by ipa-adtrust-install, adding trust is not needed for current implementation. You don't need AD for this, IDviews is generic feature not just for AD. Is that user configured on AD side?

You cannot add non-AD user to 'default trust view', so you will not be able to set up certificates to ID override which does not exist. For non-'default trust view' you can add both IPA and AD users, so using some other view and then assign certificate for a ID override in that one.

Ok then, but anyway I would like to see API/CLI tests for this feature with proper output validation.

How can be this tested with SSSD?

You need to log into the system with a certificate...

Is this possible from test? We are logged remotely as root, is there any cmdline util which allows us to test certificate against AD user?

You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should return the ssh key derived from the public key in the certificate. This should work for certificate stored in AD as well as for overrides. You can also use the DBus lookup by certificate as described in https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate .

HTH
bye,
Sumit

Thank you Alexander and Sumit for hints.
Oleg I realized we don't have any other idviews integration tests
So I propose to rename test file you are adding to test_idviews.py. We can add more testcases for idviews there later
Martin^2
Martin^2
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
On Wed, 14 Sep 2016, Martin Basti wrote:
On 14.09.2016 17:53, Alexander Bokovoy wrote:
On Wed, 14 Sep 2016, Martin Basti wrote:
On 14.09.2016 17:41, Alexander Bokovoy wrote:
On Wed, 14 Sep 2016, Martin Basti wrote:
1) I still don't see the reason why AD trust is needed. Default trust ID view is added just by ipa-adtrust-install, adding trust is not needed for current implementation. You don't need AD for this, IDviews is generic feature not just for AD. Is that user configured on AD side?

You cannot add non-AD user to 'default trust view', so you will not be able to set up certificates to ID override which does not exist. For non-'default trust view' you can add both IPA and AD users, so using some other view and then assign certificate for a ID override in that one.

Ok then, but anyway I would like to see API/CLI tests for this feature with proper output validation.

How can be this tested with SSSD?

You need to log into the system with a certificate...

Is this possible from test? We are logged remotely as root, is there any cmdline util which allows us to test certificate against AD user?

https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardAuthenticationTestingWithAD

The only thing that differentiates AD user from IPA is the fact that you'd need to trust a certificate authority that issued the certificate for this user.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:
>
>
> On 14.09.2016 17:53, Alexander Bokovoy wrote:
> > On Wed, 14 Sep 2016, Martin Basti wrote:
> > >
> > >
> > >
> > > On 14.09.2016 17:41, Alexander Bokovoy wrote:
> > > > On Wed, 14 Sep 2016, Martin Basti wrote:
> > > > > 1)
> > > > > I still don't see the reason why AD trust is needed. Default
> > > > > trust ID view is added just by ipa-adtrust-install, adding
> > > > > trust is not needed for current implementation. You don't
> > > > > need AD for this, IDviews is generic feature not just for
> > > > > AD. Is that user configured on AD side?
> > > > You cannot add non-AD user to 'default trust view', so you will not be
> > > > able to set up certificates to ID override which does not exist.
> > > >
> > > > For non-'default trust view' you can add both IPA and AD users,
> > > > so using
> > > > some other view and then assign certificate for a ID override in that
> > > > one.
> > > >
> > >
> > > Ok then, but anyway I would like to see API/CLI tests for this
> > > feature with proper output validation.
> > >
> > >
> > > How can be this tested with SSSD?
> > You need to log into the system with a certificate...
> Is this possible from test? We are logged remotely as root, is there any
> cmdline util which allows us to test certificate against AD user?

You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should return the ssh key derived from the public key in the certificate. This should work for certificate stored in AD as well as for overrides. You can also use the DBus lookup by certificate as described in https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate .

HTH

bye,
Sumit

>
> Martin^2
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
On 14.09.2016 17:53, Alexander Bokovoy wrote: On Wed, 14 Sep 2016, Martin Basti wrote: On 14.09.2016 17:41, Alexander Bokovoy wrote: On Wed, 14 Sep 2016, Martin Basti wrote: 1) I still don't see the reason why AD trust is needed. Default trust ID view is added just by ipa-adtrust-install, adding trust is not needed for current implementation. You don't need AD for this, IDviews is generic feature not just for AD. Is that user configured on AD side? You cannot add non-AD user to 'default trust view', so you will not be able to set up certificates to ID override which does not exist. For non-'default trust view' you can add both IPA and AD users, so using some other view and then assign certificate for a ID override in that one. Ok then, but anyway I would like to see API/CLI tests for this feature with proper output validation. How can be this tested with SSSD? You need to log into the system with a certificate... Is this possible from test? We are logged remotely as root, is there any cmdline util which allows us to test certificate against AD user? Martin^2
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
On Wed, 14 Sep 2016, Martin Basti wrote: On 14.09.2016 17:41, Alexander Bokovoy wrote: On Wed, 14 Sep 2016, Martin Basti wrote: 1) I still don't see the reason why AD trust is needed. Default trust ID view is added just by ipa-adtrust-install, adding trust is not needed for current implementation. You don't need AD for this, IDviews is generic feature not just for AD. Is that user configured on AD side? You cannot add non-AD user to 'default trust view', so you will not be able to set up certificates to ID override which does not exist. For non-'default trust view' you can add both IPA and AD users, so using some other view and then assign certificate for a ID override in that one. Ok then, but anyway I would like to see API/CLI tests for this feature with proper output validation. How can be this tested with SSSD? You need to log into the system with a certificate... -- / Alexander Bokovoy
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
On 14.09.2016 17:41, Alexander Bokovoy wrote: On Wed, 14 Sep 2016, Martin Basti wrote: 1) I still don't see the reason why AD trust is needed. Default trust ID view is added just by ipa-adtrust-install, adding trust is not needed for current implementation. You don't need AD for this, IDviews is generic feature not just for AD. Is that user configured on AD side? You cannot add non-AD user to 'default trust view', so you will not be able to set up certificates to ID override which does not exist. For non-'default trust view' you can add both IPA and AD users, so using some other view and then assign certificate for a ID override in that one. Ok then, but anyway I would like to see API/CLI tests for this feature with proper output validation. How can be this tested with SSSD?
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
On Wed, 14 Sep 2016, Martin Basti wrote: 1) I still don't see the reason why AD trust is needed. Default trust ID view is added just by ipa-adtrust-install, adding trust is not needed for current implementation. You don't need AD for this, IDviews is generic feature not just for AD. Is that user configured on AD side? You cannot add non-AD user to 'default trust view', so you will not be able to set up certificates to ID override which does not exist. For non-'default trust view' you can add both IPA and AD users, so using some other view and then assign certificate for a ID override in that one. -- / Alexander Bokovoy
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
On 06.09.2016 13:57, Oleg Fayans wrote: The test is updated to clean up after itself On 09/06/2016 12:57 PM, Oleg Fayans wrote: Hi Martin, Thanks for the review. The updated patches are attached. Please, see my comments below On 08/30/2016 01:58 PM, Martin Basti wrote: On 22.08.2016 13:18, Oleg Fayans wrote: ping for review On 08/02/2016 01:11 PM, Oleg Fayans wrote: Hi Martin, I did! Thank you! On 08/02/2016 12:31 PM, Martin Basti wrote: On 01.08.2016 22:46, Oleg Fayans wrote: The test was redesigned so that it actually tests against an AD user. cleanly applies, passes lint and passes https://paste.fedoraproject.org/399504/00843641/ Okay Did you forget to send patches? Martin^2 On 06/28/2016 01:40 PM, Oleg Fayans wrote: Patch-0050 rebased against latest upstream branch On 06/28/2016 10:45 AM, Oleg Fayans wrote: Passing test output: https://paste.fedoraproject.org/385774/71035231/ NACK for 0049.1 1) PEP8: you must use 2 empty lines between functions Fixed 2) +new_args = " ".join(new_args + args) you don't need this, run_command takes list as argument too new_args.extend(args) The list-based approach does not work with shell redirects which are heavily used in the certs_id_idoverrides test. Thus, this trick is really needed 3) To make it more usable you should add raiseonerr as kwarg to run_certutil (True as default) Done NACK for 0050.2 1) +tasks.run_certutil(master, ['-L', '-n', cls.adcert1, '-a', '>', +cls.adcert1_file], cls.reqdir) +tasks.run_certutil(master, ['-L', '-n', cls.adcert2, '-a', '>', +cls.adcert2_file], cls.reqdir) IMO thus should raise an error if failed, but previously you set raiseonerr=False (multiple times) Agreed. 
Done 2) +cls.ad = cls.ad_domains[0].ads[0] +cls.ad_domain = cls.ad.domain.name +cls.aduser = "testuser@%s" % cls.ad_domain +cls.adcert1 = 'MyCert1' +cls.adcert2 = 'MyCert2' +cls.adcert1_file = cls.adcert1 + '.crt' +cls.adcert2_file = cls.adcert2 + '.crt' New definitions of variables/constants should be directly in class not in install method, adding new class variables in classmethod is the same evil as adding instance variables outside __init__ Fair point. Fixed 3) I have question, why do you need AD for this test? AFAIK you can use ID overrides without AD Correct. You can, but the workflow would be slightly different. For example, you can not issue and sign cert requests for AD-users the way you would do it for local users. We want to have tests that can be taken by end-users as example how to use our software, that's why it is better to be as close to real-world use-cases as it is possible. Martin^3 1) I still don't see the reason why AD trust is needed. Default trust ID view is added just by ipa-adtrust-install, adding trust is not needed for current implementation. You don't need AD for this, IDviews is generic feature not just for AD. Is that user configured on AD side? 2) The test itself looks for me as just API/CLI test. IMO it can be in ipatests/test_xmlrpc/test_idviews_plugin.py or ipatests/test_xmlrpc/test_add_remove_cert_cmd.py 3) I don't see any integration with SSSD in that test, just pure IPA CLI test, shouldn't be this tested against SSSD here? Martin^2 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
Ping for review. On 09/06/2016 01:57 PM, Oleg Fayans wrote: The test is updated to clean up after itself On 09/06/2016 12:57 PM, Oleg Fayans wrote: Hi Martin, Thanks for the review. The updated patches are attached. Please, see my comments below On 08/30/2016 01:58 PM, Martin Basti wrote: On 22.08.2016 13:18, Oleg Fayans wrote: ping for review On 08/02/2016 01:11 PM, Oleg Fayans wrote: Hi Martin, I did! Thank you! On 08/02/2016 12:31 PM, Martin Basti wrote: On 01.08.2016 22:46, Oleg Fayans wrote: The test was redesigned so that it actually tests against an AD user. cleanly applies, passes lint and passes https://paste.fedoraproject.org/399504/00843641/ Okay Did you forget to send patches? Martin^2 On 06/28/2016 01:40 PM, Oleg Fayans wrote: Patch-0050 rebased against latest upstream branch On 06/28/2016 10:45 AM, Oleg Fayans wrote: Passing test output: https://paste.fedoraproject.org/385774/71035231/ NACK for 0049.1 1) PEP8: you must use 2 empty lines between functions Fixed 2) +new_args = " ".join(new_args + args) you don't need this, run_command takes list as argument too new_args.extend(args) The list-based approach does not work with shell redirects which are heavily used in the certs_id_idoverrides test. Thus, this trick is really needed 3) To make it more usable you should add raiseonerr as kwarg to run_certutil (True as default) Done NACK for 0050.2 1) +tasks.run_certutil(master, ['-L', '-n', cls.adcert1, '-a', '>', +cls.adcert1_file], cls.reqdir) +tasks.run_certutil(master, ['-L', '-n', cls.adcert2, '-a', '>', +cls.adcert2_file], cls.reqdir) IMO thus should raise an error if failed, but previously you set raiseonerr=False (multiple times) Agreed. 
Done 2) +cls.ad = cls.ad_domains[0].ads[0] +cls.ad_domain = cls.ad.domain.name +cls.aduser = "testuser@%s" % cls.ad_domain +cls.adcert1 = 'MyCert1' +cls.adcert2 = 'MyCert2' +cls.adcert1_file = cls.adcert1 + '.crt' +cls.adcert2_file = cls.adcert2 + '.crt' New definitions of variables/constants should be directly in class not in install method, adding new class variables in classmethod is the same evil as adding instance variables outside __init__ Fair point. Fixed 3) I have question, why do you need AD for this test? AFAIK you can use ID overrides without AD Correct. You can, but the workflow would be slightly different. For example, you can not issue and sign cert requests for AD-users the way you would do it for local users. We want to have tests that can be taken by end-users as example how to use our software, that's why it is better to be as close to real-world use-cases as it is possible. Martin^3 -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
The test is updated to clean up after itself On 09/06/2016 12:57 PM, Oleg Fayans wrote: Hi Martin, Thanks for the review. The updated patches are attached. Please, see my comments below On 08/30/2016 01:58 PM, Martin Basti wrote: On 22.08.2016 13:18, Oleg Fayans wrote: ping for review On 08/02/2016 01:11 PM, Oleg Fayans wrote: Hi Martin, I did! Thank you! On 08/02/2016 12:31 PM, Martin Basti wrote: On 01.08.2016 22:46, Oleg Fayans wrote: The test was redesigned so that it actually tests against an AD user. cleanly applies, passes lint and passes https://paste.fedoraproject.org/399504/00843641/ Okay Did you forget to send patches? Martin^2 On 06/28/2016 01:40 PM, Oleg Fayans wrote: Patch-0050 rebased against latest upstream branch On 06/28/2016 10:45 AM, Oleg Fayans wrote: Passing test output: https://paste.fedoraproject.org/385774/71035231/ NACK for 0049.1 1) PEP8: you must use 2 empty lines between functions Fixed 2) +new_args = " ".join(new_args + args) you don't need this, run_command takes list as argument too new_args.extend(args) The list-based approach does not work with shell redirects which are heavily used in the certs_id_idoverrides test. Thus, this trick is really needed 3) To make it more usable you should add raiseonerr as kwarg to run_certutil (True as default) Done NACK for 0050.2 1) +tasks.run_certutil(master, ['-L', '-n', cls.adcert1, '-a', '>', +cls.adcert1_file], cls.reqdir) +tasks.run_certutil(master, ['-L', '-n', cls.adcert2, '-a', '>', +cls.adcert2_file], cls.reqdir) IMO thus should raise an error if failed, but previously you set raiseonerr=False (multiple times) Agreed. 
Done 2) +cls.ad = cls.ad_domains[0].ads[0] +cls.ad_domain = cls.ad.domain.name +cls.aduser = "testuser@%s" % cls.ad_domain +cls.adcert1 = 'MyCert1' +cls.adcert2 = 'MyCert2' +cls.adcert1_file = cls.adcert1 + '.crt' +cls.adcert2_file = cls.adcert2 + '.crt' New definitions of variables/constants should be directly in class not in install method, adding new class variables in classmethod is the same evil as adding instance variables outside __init__ Fair point. Fixed 3) I have question, why do you need AD for this test? AFAIK you can use ID overrides without AD Correct. You can, but the workflow would be slightly different. For example, you can not issue and sign cert requests for AD-users the way you would do it for local users. We want to have tests that can be taken by end-users as example how to use our software, that's why it is better to be as close to real-world use-cases as it is possible. Martin^3 -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From 1a0039b64023b0bb3c9289128413b4ccef489ec4 Mon Sep 17 00:00:00 2001 From: Oleg Fayans Date: Tue, 6 Sep 2016 13:55:16 +0200 Subject: [PATCH] Automated test for certs in idoverrides feature https://fedorahosted.org/freeipa/ticket/6005 --- .../test_integration/test_certs_in_idoverrides.py | 121 + 1 file changed, 121 insertions(+) create mode 100644 ipatests/test_integration/test_certs_in_idoverrides.py diff --git a/ipatests/test_integration/test_certs_in_idoverrides.py b/ipatests/test_integration/test_certs_in_idoverrides.py new file mode 100644 index ..762ce71a5ed8883b2a2d5bc4185b5ffcb52a4edb --- /dev/null +++ b/ipatests/test_integration/test_certs_in_idoverrides.py 
@@ -0,0 +1,121 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +import os +import re +import string +from ipatests.test_integration import tasks +from ipatests.test_integration.base import IntegrationTest +from ipatests.test_integration.tasks import assert_error +from ipatests.test_integration.env_config import get_global_config +config = get_global_config() + + +class TestCertsInIDOverrides(IntegrationTest): +topology = "line" +service_certprofile = 'caIPAserviceCert' +num_ad_domains = 1 +user_certprofile = 'caIPAuserCert' +adview = 'Default Trust View' +cert_re = re.compile('Certificate: (?P.*?)\\s+.*') +ad = config.ad_domains[0].ads[0] +ad_domain = ad.domain.name +aduser = "testuser@%s" % ad_domain +adcert1 = 'MyCert1' +adcert2 = 'MyCert2' +adcert1_file = adcert1 + '.crt' +adcert2_file = adcert2 + '.crt' + +@classmethod +def uninstall(cls, mh): +super(TestCertsInIDOverrides, cls).uninstall(mh) +cls.master.run_command(['rm', '-rf', cls.reqdir], raiseonerr=False) + +@classmethod +def install(cls, mh): +super(TestCertsInIDOverrides, cls).install(mh) +master = cls.master + +# AD-related stuff +tasks.install_adtrust(master) +tasks.sync_time(master, cls.ad) +tasks.establish_trust_with_ad(cls.master, cls.ad_domain, +
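Review bot: `ad = config.ad_domains[0].ads[0]` in the class body, fed by the module-level `config = get_global_config()`, is evaluated when the module is imported, so merely collecting this file in an environment with no AD domain configured fails at import (an IndexError on an empty `ad_domains`) instead of the test failing or being skipped in `install`. Keep the pure constants (`adcert1`, `adcert2` and the two `.crt` file names) as class attributes, and resolve `ad`, `ad_domain` and `aduser` lazily, for example in a small classmethod helper called from `install`, so that nothing reads the test configuration at import time.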
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
Forgot to attach the test run output: -bash-4.3$ ipa-run-tests test_integration/test_certs_in_idoverrides.py --pdb WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] Permission denied: 'lextab.py' WARNING: yacc table file version is out of date WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission denied: 'yacctab.py' test session starts = platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1 rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini plugins: sourceorder-0.5, multihost-1.0 collected 1 items test_integration/test_certs_in_idoverrides.py . = 1 passed in 681.90 seconds = On 09/06/2016 12:57 PM, Oleg Fayans wrote: Hi Martin, Thanks for the review. The updated patches are attached. Please, see my comments below On 08/30/2016 01:58 PM, Martin Basti wrote: On 22.08.2016 13:18, Oleg Fayans wrote: ping for review On 08/02/2016 01:11 PM, Oleg Fayans wrote: Hi Martin, I did! Thank you! On 08/02/2016 12:31 PM, Martin Basti wrote: On 01.08.2016 22:46, Oleg Fayans wrote: The test was redesigned so that it actually tests against an AD user. cleanly applies, passes lint and passes https://paste.fedoraproject.org/399504/00843641/ Okay Did you forget to send patches? Martin^2 On 06/28/2016 01:40 PM, Oleg Fayans wrote: Patch-0050 rebased against latest upstream branch On 06/28/2016 10:45 AM, Oleg Fayans wrote: Passing test output: https://paste.fedoraproject.org/385774/71035231/ NACK for 0049.1 1) PEP8: you must use 2 empty lines between functions Fixed 2) +new_args = " ".join(new_args + args) you don't need this, run_command takes list as argument too new_args.extend(args) The list-based approach does not work with shell redirects which are heavily used in the certs_id_idoverrides test. 
Thus, this trick is really needed 3) To make it more usable you should add raiseonerr as kwarg to run_certutil (True as default) Done NACK for 0050.2 1) +tasks.run_certutil(master, ['-L', '-n', cls.adcert1, '-a', '>', +cls.adcert1_file], cls.reqdir) +tasks.run_certutil(master, ['-L', '-n', cls.adcert2, '-a', '>', +cls.adcert2_file], cls.reqdir) IMO thus should raise an error if failed, but previously you set raiseonerr=False (multiple times) Agreed. Done 2) +cls.ad = cls.ad_domains[0].ads[0] +cls.ad_domain = cls.ad.domain.name +cls.aduser = "testuser@%s" % cls.ad_domain +cls.adcert1 = 'MyCert1' +cls.adcert2 = 'MyCert2' +cls.adcert1_file = cls.adcert1 + '.crt' +cls.adcert2_file = cls.adcert2 + '.crt' New definitions of variables/constants should be directly in class not in install method, adding new class variables in classmethod is the same evil as adding instance variables outside __init__ Fair point. Fixed 3) I have question, why do you need AD for this test? AFAIK you can use ID overrides without AD Correct. You can, but the workflow would be slightly different. For example, you can not issue and sign cert requests for AD-users the way you would do it for local users. We want to have tests that can be taken by end-users as example how to use our software, that's why it is better to be as close to real-world use-cases as it is possible. Martin^3 -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
Hi Martin, Thanks for the review. The updated patches are attached. Please, see my comments below On 08/30/2016 01:58 PM, Martin Basti wrote: On 22.08.2016 13:18, Oleg Fayans wrote: ping for review On 08/02/2016 01:11 PM, Oleg Fayans wrote: Hi Martin, I did! Thank you! On 08/02/2016 12:31 PM, Martin Basti wrote: On 01.08.2016 22:46, Oleg Fayans wrote: The test was redesigned so that it actually tests against an AD user. cleanly applies, passes lint and passes https://paste.fedoraproject.org/399504/00843641/ Okay Did you forget to send patches? Martin^2 On 06/28/2016 01:40 PM, Oleg Fayans wrote: Patch-0050 rebased against latest upstream branch On 06/28/2016 10:45 AM, Oleg Fayans wrote: Passing test output: https://paste.fedoraproject.org/385774/71035231/ NACK for 0049.1 1) PEP8: you must use 2 empty lines between functions Fixed 2) +new_args = " ".join(new_args + args) you don't need this, run_command takes list as argument too new_args.extend(args) The list-based approach does not work with shell redirects which are heavily used in the certs_id_idoverrides test. Thus, this trick is really needed 3) To make it more usable you should add raiseonerr as kwarg to run_certutil (True as default) Done NACK for 0050.2 1) +tasks.run_certutil(master, ['-L', '-n', cls.adcert1, '-a', '>', +cls.adcert1_file], cls.reqdir) +tasks.run_certutil(master, ['-L', '-n', cls.adcert2, '-a', '>', +cls.adcert2_file], cls.reqdir) IMO thus should raise an error if failed, but previously you set raiseonerr=False (multiple times) Agreed. Done 2) +cls.ad = cls.ad_domains[0].ads[0] +cls.ad_domain = cls.ad.domain.name +cls.aduser = "testuser@%s" % cls.ad_domain +cls.adcert1 = 'MyCert1' +cls.adcert2 = 'MyCert2' +cls.adcert1_file = cls.adcert1 + '.crt' +cls.adcert2_file = cls.adcert2 + '.crt' New definitions of variables/constants should be directly in class not in install method, adding new class variables in classmethod is the same evil as adding instance variables outside __init__ Fair point. 
Fixed 3) I have question, why do you need AD for this test? AFAIK you can use ID overrides without AD Correct. You can, but the workflow would be slightly different. For example, you can not issue and sign cert requests for AD-users the way you would do it for local users. We want to have tests that can be taken by end-users as example how to use our software, that's why it is better to be as close to real-world use-cases as it is possible. Martin^3 -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From 867c603183d792b0056c0f8895f52577bc67d7b0 Mon Sep 17 00:00:00 2001 From: Oleg Fayans Date: Tue, 6 Sep 2016 12:39:45 +0200 Subject: [PATCH] Added interface to certutil --- ipatests/test_integration/tasks.py | 7 +++ 1 file changed, 7 insertions(+) diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py index c60d43699d6577abe930ac8d6ab696feea837331..0e329f4ad5d754fd61a9ca911488230677daad77 100644 --- a/ipatests/test_integration/tasks.py +++ b/ipatests/test_integration/tasks.py @@ -1187,6 +1187,13 @@ def run_server_del(host, server_to_delete, force=False, return host.run_command(args, raiseonerr=False) +def run_certutil(host, args, reqdir, stdin=None, raiseonerr=True): +new_args = [paths.CERTUTIL, "-d", reqdir] +new_args = " ".join(new_args + args) +return host.run_command(new_args, raiseonerr=raiseonerr, +stdin_text=stdin) + + def assert_error(result, stderr_text, returncode=None): "Assert that `result` command failed and its stderr contains `stderr_text`" assert stderr_text in result.stderr_text, result.stderr_text -- 1.8.3.1 From fb0591407a64dcf84eda1a28a06d1ead2fa7ab0d Mon Sep 17 00:00:00 2001 From: Oleg Fayans Date: Tue, 6 Sep 2016 12:41:06 +0200 Subject: [PATCH] Automated test for certs in idoverrides feature https://fedorahosted.org/freeipa/ticket/6005 --- .../test_integration/test_certs_in_idoverrides.py | 120 + 1 file changed, 120 insertions(+) create mode 100644 ipatests/test_integration/test_certs_in_idoverrides.py 
diff --git a/ipatests/test_integration/test_certs_in_idoverrides.py b/ipatests/test_integration/test_certs_in_idoverrides.py new file mode 100644 index ..d72fc1e898f0574015c6b7dd5f601cec8e4350d6 --- /dev/null +++ b/ipatests/test_integration/test_certs_in_idoverrides.py @@ -0,0 +1,120 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +import os +import re +import string +from ipatests.test_integration import tasks +from ipatests.test_integration.base import IntegrationTest +from ipatests.test_integration.tasks import assert_error +from ipatests.test_integration.env_config import get_global_config +con
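Review bot: In `run_certutil` in tasks.py, `new_args = " ".join(new_args + args)` hands the remote shell an unquoted string, so `reqdir` and every element of `args` go through word splitting and metacharacter interpretation; a certificate nickname or path containing a space already changes the command that runs. If the string form has to stay for the sake of the `>` redirects, quote each argument individually and take the redirect target as a separate parameter, so that the redirect is the only thing the shell interprets. The function also needs a docstring stating that the command is executed through a shell and that `args` must not carry untrusted values.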
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
On 22.08.2016 13:18, Oleg Fayans wrote: ping for review On 08/02/2016 01:11 PM, Oleg Fayans wrote: Hi Martin, I did! Thank you! On 08/02/2016 12:31 PM, Martin Basti wrote: On 01.08.2016 22:46, Oleg Fayans wrote: The test was redesigned so that it actually tests against an AD user. cleanly applies, passes lint and passes https://paste.fedoraproject.org/399504/00843641/ Okay Did you forget to send patches? Martin^2 On 06/28/2016 01:40 PM, Oleg Fayans wrote: Patch-0050 rebased against latest upstream branch On 06/28/2016 10:45 AM, Oleg Fayans wrote: Passing test output: https://paste.fedoraproject.org/385774/71035231/ NACK for 0049.1 1) PEP8: you must use 2 empty lines between functions 2) +new_args = " ".join(new_args + args) you don't need this, run_command takes list as argument too new_args.extend(args) 3) To make it more usable you should add raiseonerr as kwarg to run_certutil (True as default) NACK for 0050.2 1) +tasks.run_certutil(master, ['-L', '-n', cls.adcert1, '-a', '>', +cls.adcert1_file], cls.reqdir) +tasks.run_certutil(master, ['-L', '-n', cls.adcert2, '-a', '>', +cls.adcert2_file], cls.reqdir) IMO thus should raise an error if failed, but previously you set raiseonerr=False (multiple times) 2) +cls.ad = cls.ad_domains[0].ads[0] +cls.ad_domain = cls.ad.domain.name +cls.aduser = "testuser@%s" % cls.ad_domain +cls.adcert1 = 'MyCert1' +cls.adcert2 = 'MyCert2' +cls.adcert1_file = cls.adcert1 + '.crt' +cls.adcert2_file = cls.adcert2 + '.crt' New definitions of variables/constants should be directly in class not in install method, adding new class variables in classmethod is the same evil as adding instance variables outside __init__ 3) I have question, why do you need AD for this test? AFAIK you can use ID overrides without AD Martin^3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
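The disagreement in point 2 of this review (a list passed to run_command versus the `" ".join(...)` string needed for `>` redirects) can be settled by quoting every argument and passing the redirect target separately. The sketch below is an added example, not code from the patches or from FreeIPA: `build_certutil_command`, the `fake_certutil` shell function that stands in for certutil, and the sample nickname are assumptions, and it uses Python 3's `shlex.quote` where the Python 2.7 code in the thread would use `pipes.quote`.

```python
import os
import shlex
import subprocess
import tempfile

CERTUTIL = "/usr/bin/certutil"  # assumption: the value behind paths.CERTUTIL

# Shell function standing in for certutil (hypothetical): it prints each
# argument it receives on its own line, showing how the shell split them.
FAKE_CERTUTIL = 'fake_certutil() { for a in "$@"; do printf "%s\\n" "$a"; done; }\n'


def build_certutil_command(reqdir, args, stdout_file=None, certutil=CERTUTIL):
    """Return a shell command line for certutil with every argument quoted.

    The redirect target is a separate parameter, so '>' is the only token
    the shell is allowed to interpret.
    """
    argv = [certutil, "-d", reqdir] + list(args)
    command = " ".join(shlex.quote(arg) for arg in argv)
    if stdout_file is not None:
        command += " > " + shlex.quote(stdout_file)
    return command


def naive_join(reqdir, args, certutil=CERTUTIL):
    """The plain " ".join() form from the patch, kept for comparison."""
    return " ".join([certutil, "-d", reqdir] + list(args))


def run_in_shell(command, cwd):
    """Run a command line through /bin/sh, as the remote host would."""
    return subprocess.run(["/bin/sh", "-c", FAKE_CERTUTIL + command],
                          cwd=cwd, capture_output=True, text=True)


def demo():
    """Run both forms locally and report how the arguments arrived."""
    # Constructed nickname (not from the thread): a space plus a shell
    # metacharacter, the two things an unquoted join cannot survive.
    nickname = "My Cert; touch injected"
    args = ["-L", "-n", nickname, "-a"]
    with tempfile.TemporaryDirectory() as workdir:
        marker = os.path.join(workdir, "injected")

        quoted = build_certutil_command("certs", args, "out.crt",
                                        certutil="fake_certutil")
        run_in_shell(quoted, workdir)
        with open(os.path.join(workdir, "out.crt")) as handle:
            quoted_args = handle.read().splitlines()
        quoted_injected = os.path.exists(marker)

        naive = naive_join("certs", args + [">", "out.crt"],
                           certutil="fake_certutil")
        naive_result = run_in_shell(naive, workdir)
        naive_args = naive_result.stdout.splitlines()
        naive_injected = os.path.exists(marker)

    return {
        "quoted_command": quoted,
        "quoted_args": quoted_args,          # nickname arrives as one argument
        "quoted_injected": quoted_injected,  # no side effect from the nickname
        "naive_command": naive,
        "naive_args": naive_args,            # nickname split at the space
        "naive_injected": naive_injected,    # text after ';' ran as a command
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

With the quoted form the redirect still works and the nickname reaches the program as a single argument; with the plain join the same nickname is split and the part after `;` runs as its own command.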
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
ping for review On 08/02/2016 01:11 PM, Oleg Fayans wrote: Hi Martin, I did! Thank you! On 08/02/2016 12:31 PM, Martin Basti wrote: On 01.08.2016 22:46, Oleg Fayans wrote: The test was redesigned so that it actually tests against an AD user. cleanly applies, passes lint and passes https://paste.fedoraproject.org/399504/00843641/ Okay Did you forget to send patches? Martin^2 On 06/28/2016 01:40 PM, Oleg Fayans wrote: Patch-0050 rebased against latest upstream branch On 06/28/2016 10:45 AM, Oleg Fayans wrote: Passing test output: https://paste.fedoraproject.org/385774/71035231/ -- Oleg Fayans Quality Engineer FreeIPA team RedHat.
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
Hi Martin, I did! Thank you! On 08/02/2016 12:31 PM, Martin Basti wrote: On 01.08.2016 22:46, Oleg Fayans wrote: The test was redesigned so that it actually tests against an AD user. cleanly applies, passes lint and passes https://paste.fedoraproject.org/399504/00843641/ Okay Did you forget to send patches? Martin^2 On 06/28/2016 01:40 PM, Oleg Fayans wrote: Patch-0050 rebased against latest upstream branch On 06/28/2016 10:45 AM, Oleg Fayans wrote: Passing test output: https://paste.fedoraproject.org/385774/71035231/ -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From e8944743236af1fbcf56cbaecb6a4203b4086be9 Mon Sep 17 00:00:00 2001 From: Oleg Fayans Date: Mon, 1 Aug 2016 22:18:44 +0200 Subject: [PATCH] Added interface to certutil --- ipatests/test_integration/tasks.py | 5 + 1 file changed, 5 insertions(+) diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py index 8cd9ec71bc5ee22b8aba5d5c6324d1e7bf8b28a6..7f6c79e65cda31bdba3d882a72bb5e2dcdb1f355 100644 --- a/ipatests/test_integration/tasks.py +++ b/ipatests/test_integration/tasks.py @@ -1179,6 +1179,11 @@ def run_server_del(host, server_to_delete, force=False, return host.run_command(args, raiseonerr=False) +def run_certutil(host, args, reqdir, stdin=None): +new_args = [paths.CERTUTIL, "-d", reqdir] +new_args = " ".join(new_args + args) +return host.run_command(new_args, raiseonerr=False, +stdin_text=stdin) def assert_error(result, stderr_text, returncode=None): "Assert that `result` command failed and its stderr contains `stderr_text`" assert stderr_text in result.stderr_text, result.stderr_text -- 1.8.3.1 From cc88677030efe05044a79486b87533d416b6bcc3 Mon Sep 17 00:00:00 2001 
From: Oleg Fayans Date: Mon, 1 Aug 2016 22:40:00 +0200 Subject: [PATCH] Automated test for certs in idoverrides feature https://fedorahosted.org/freeipa/ticket/6005 --- .../test_integration/test_certs_in_idoverrides.py | 118 + 1 file changed, 118 insertions(+) create mode 100644 ipatests/test_integration/test_certs_in_idoverrides.py diff --git a/ipatests/test_integration/test_certs_in_idoverrides.py b/ipatests/test_integration/test_certs_in_idoverrides.py new file mode 100644 index ..9114c4f91cd6378acc53caa068b852ae15670d7a --- /dev/null +++ b/ipatests/test_integration/test_certs_in_idoverrides.py 
@@ -0,0 +1,118 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +import os +import re +import string +from ipatests.test_integration import tasks +from ipatests.test_integration.base import IntegrationTest +from ipatests.test_integration.tasks import assert_error + + +class TestCertsInIDOverrides(IntegrationTest): +topology = "line" +service_certprofile = 'caIPAserviceCert' +num_ad_domains = 1 +user_certprofile = 'caIPAuserCert' +adview = 'Default Trust View' +cert_re = re.compile('Certificate: (?P.*?)\\s+.*') + +@classmethod +def uninstall(cls, mh): +cls.master.run_command(['rm', '-rf', cls.reqdir], raiseonerr=False) + +@classmethod +def install(cls, mh): +super(TestCertsInIDOverrides, cls).install(mh) +master = cls.master + +# AD-related stuff +cls.ad = cls.ad_domains[0].ads[0] +cls.ad_domain = cls.ad.domain.name +cls.aduser = "testuser@%s" % cls.ad_domain +cls.adcert1 = 'MyCert1' +cls.adcert2 = 'MyCert2' +cls.adcert1_file = cls.adcert1 + '.crt' +cls.adcert2_file = cls.adcert2 + '.crt' +tasks.install_adtrust(master) +tasks.sync_time(master, cls.ad) +tasks.establish_trust_with_ad(cls.master, cls.ad_domain, + extra_args=['--range-type', + 'ipa-ad-trust']) + +tasks.sync_time(cls.master, cls.ad) +master.run_command(['ipa', 'certprofile-show', cls.service_certprofile, +"--out=%s.txt" % cls.user_certprofile]) +master.run_command("sed -i \"s/profileId=%s/profileId=%s/\" %s.txt" % ( +cls.service_certprofile, cls.user_certprofile, +cls.user_certprofile) +) +master.run_command(['ipa', 'certprofile-import', cls.user_certprofile, +"--file=%s.txt" % cls.user_certprofile, +'--store=true', '--desc="User Certs"']) + +cls.reqdir = os.path.join(master.config.test_dir, "certs") +cls.reqfile1 = os.path.join(cls.reqdir, "test1.csr") +cls.reqfile2 = os.path.join(cls.reqdir, "test2.csr") +cls.pwname = os.path.join(cls.reqdir, "pwd") + +# Create a NSS database folder +master.run_command(['mkdir', cls.reqdir], raiseonerr=False) +# Create an empty password 
file +master.run_command(["touch", cls.pwname], raiseonerr=False) + +# Init
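Review bot: the `uninstall` classmethod at the top of the class reads `cls.reqdir`, but `install` assigns that attribute only after `tasks.install_adtrust`, `tasks.establish_trust_with_ad` and the `certprofile-import` call, so a failure in any of those steps makes teardown raise AttributeError and hides the original error. Assign `cls.reqdir` before the AD steps, or guard the cleanup with `getattr(cls, 'reqdir', None)`. The override as shown only runs `rm -rf` and does not call `super(TestCertsInIDOverrides, cls).uninstall(mh)`, so please confirm the base class cleanup still runs. Separately, `mkdir` and `touch` are run with `raiseonerr=False`, so a failure to create the NSS directory or the password file is silently ignored and only surfaces in a later step; let those two commands raise.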
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
On 01.08.2016 22:46, Oleg Fayans wrote:
The test was redesigned so that it actually tests against an AD user. Cleanly applies, passes lint and passes https://paste.fedoraproject.org/399504/00843641/

Okay

Did you forget to send patches?

Martin^2

On 06/28/2016 01:40 PM, Oleg Fayans wrote:
Patch-0050 rebased against latest upstream branch

On 06/28/2016 10:45 AM, Oleg Fayans wrote:
Passing test output: https://paste.fedoraproject.org/385774/71035231/

--
Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
The test was redesigned so that it actually tests against an AD user. Cleanly applies, passes lint and passes https://paste.fedoraproject.org/399504/00843641/

On 06/28/2016 01:40 PM, Oleg Fayans wrote:
Patch-0050 rebased against latest upstream branch

On 06/28/2016 10:45 AM, Oleg Fayans wrote:
Passing test output: https://paste.fedoraproject.org/385774/71035231/

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
Patch-0050 rebased against latest upstream branch

On 06/28/2016 10:45 AM, Oleg Fayans wrote:
> Passing test output:
>
> https://paste.fedoraproject.org/385774/71035231/

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From f032df3a1d58e200d0f8bf8dbc121e5f03eb041e Mon Sep 17 00:00:00 2001 From: Oleg Fayans Date: Tue, 28 Jun 2016 10:16:06 +0200 Subject: [PATCH] Automated test for certs in idoverrides feature https://fedorahosted.org/freeipa/ticket/6005 --- .../test_integration/test_certs_in_idoverrides.py | 85 ++ 1 file changed, 85 insertions(+) create mode 100644 ipatests/test_integration/test_certs_in_idoverrides.py diff --git a/ipatests/test_integration/test_certs_in_idoverrides.py b/ipatests/test_integration/test_certs_in_idoverrides.py new file mode 100644 index ..a6b5a60ad5c171ef9fb35848d81a637df979ccaf --- /dev/null +++ b/ipatests/test_integration/test_certs_in_idoverrides.py 
@@ -0,0 +1,85 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +import os +import re +from ipatests.test_integration import tasks +from ipatests.test_integration.base import IntegrationTest +from ipatests.test_integration.tasks import assert_error + + +class TestCertsInIDOverrides(IntegrationTest): +topology = "line" +service_certprofile = 'caIPAserviceCert' +user_certprofile = 'caIPAuserCert' +user = 'testuser' +user_cn = "CN=%s" % user +idview = 'MyView' +cert_re = re.compile('Certificate: (?P.*?)\\s+.*') + +@classmethod +def install(cls, mh): +super(TestCertsInIDOverrides, cls).install(mh) +master = cls.master +master.run_command(['ipa', 'certprofile-show', cls.service_certprofile, +"--out=%s.txt" % cls.user_certprofile]) +master.run_command("sed -i \"s/profileId=%s/profileId=%s/\" %s.txt" % ( +cls.service_certprofile, cls.user_certprofile, +cls.user_certprofile) +) +master.run_command(['ipa', 'certprofile-import', cls.user_certprofile, +"--file=%s.txt" % cls.user_certprofile, +'--store=true', '--desc="User Certs"']) + +master.run_command(['ipa', 'idview-add', cls.idview, +'--desc=description']) + +cls.reqdir = os.path.join(master.config.test_dir, "certs") +cls.reqfile1 = os.path.join(cls.reqdir, "test1.csr") +cls.reqfile2 = os.path.join(cls.reqdir, "test2.csr") +cls.pwname = os.path.join(cls.reqdir, "pwd") + +# Create an empty password file +master.run_command(['mkdir', cls.reqdir]) +# Create an empty password file +master.run_command(["touch", cls.pwname]) + +# Create our temporary NSS database +tasks.run_certutil(master, ["-N", "-f", cls.pwname], cls.reqdir) +tasks.generate_csr(master, cls.user_cn, cls.reqdir, + cls.reqfile1, cls.pwname) +tasks.generate_csr(master, cls.user_cn, cls.reqdir, + cls.reqfile2, cls.pwname) +master.run_command(['ipa', 'user-add', cls.user, +'--first', 'a', '--last', 'b', '--random']) + +def test_certs_in_idoverrides(self): +self.master.run_command(['ipa', 'idoverrideuser-add', + self.idview, self.user]) 
+result1 = self.master.run_command([ +'ipa', 'cert-request', self.reqfile1, +"--principal=%s" % self.user, '--add', +"--profile-id=%s" % self.user_certprofile]) +cert1 = self.cert_re.search(result1.stdout_text).group('cert') +result2 = self.master.run_command([ +'ipa', 'cert-request', self.reqfile2, +"--principal=%s" % self.user, '--add', +"--profile-id=%s" % self.user_certprofile]) +cert2 = self.cert_re.search(result2.stdout_text).group('cert') + +args1 = ['ipa', 'idoverrideuser-add-cert', self.idview, + self.user, "--certificate=%s" % cert1] +args2 = ['ipa', 'idoverrideuser-add-cert', self.idview, + self.user, "--certificate=%s" % cert2] +self.master.run_command(args1) +result3 = self.master.run_command(args1, raiseonerr=False) +assert_error(result3, "already contains one or more values") +result4 = self.master.run_command(args2, raiseonerr=False) +assert(result4.returncode == 0), 'Failed to add second certificate' +self.master.run_command(['ipa', 'idoverrideuser-remove-cert', + self.idview, self.user, + "--certificate=%s" % cert2]) +self.master.run_command(['ipa', 'idoverrideuser-remove-cert', + self.idview, self.user, + "--certificate=%s" % cert1]) -- 1.8.3.1 -- Manage your subscription for the Freeipa-
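Review bot: `test_certs_in_idoverrides` never verifies what is actually stored in the override. After the `idoverrideuser-add-cert` calls and again after the two `idoverrideuser-remove-cert` calls it relies only on exit codes, so a server that accepts the command but stores the wrong value, or leaves a certificate behind on removal, would still pass. Add an `ipa idoverrideuser-show` check that both certificates are present after adding and absent after removal. Also, `self.cert_re.search(result1.stdout_text).group('cert')` raises AttributeError when the `cert-request` output does not match, so assert on the match object first. In `install`, the comment above the `mkdir` call repeats "Create an empty password file" where it should describe creating the directory.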