Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-11-10 Thread Oleg Fayans

All the patches from this thread were converted into github pull requests:
[1]: https://github.com/freeipa/freeipa/pull/224
[2]: https://github.com/freeipa/freeipa/pull/225


Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-11-09 Thread Milan Kubík

On 10/25/2016 10:24 AM, Oleg Fayans wrote:

Integration part of the tests is ready. 2 tests:

1. Adds a cert to idoverride of a windows user
2. sssd part - looks up user by his certificate using dbus-sssd

Second and third dbus call are executed as a string instead of as array
of strings because it just does not work otherwise. Some quote 
escaping gets screwed probably, but the system returns "Error 
org.freedesktop.DBus.Error.UnknownInterface: Unknown interface" if the 
command is executed using the standard array-based approach


The run looks like this:

bash-4.3$ ipa-run-tests test_integration/test_idviews.py --pdb
WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] Permission denied: 'lextab.py'
WARNING: yacc table file version is out of date
WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission denied: 'yacctab.py'
test session starts
platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: sourceorder-0.5, multihost-1.0
collected 2 items

test_integration/test_idviews.py ..

2 passed in 948.44 seconds



On 10/21/2016 10:54 AM, Oleg Fayans wrote:

Added one more test, resolved the pep8 issues

On 10/19/2016 12:32 PM, Oleg Fayans wrote:

Hi Martin,

As you suggested, I've extended the
test_xmlrpc/test_add_remove_cert_cmd.py to contain basic tests for certs
in idoverrides.
The integration part still needs some polishing in the part related to
user lookup by cert

On 10/14/2016 03:57 PM, Martin Babinsky wrote:

On 10/14/2016 03:48 PM, Oleg Fayans wrote:

So, did I understand correctly, that there would be 2 patches: one
containing test for basic idoverrides functionality without
AD-integration, and the second one - with AD-integration and an sssd
check, correct?
I guess, the
freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch
might be a good candidate for the first one, I only have to change the
filename to test_idviews.py, right?



Oleg, we already have XMLRPC tests for idoverrides:

ipatests/test_xmlrpc/test_idviews_plugin.py

Is there any particular reason why not to extend them with add
cert/remove cert operations?

Even better, you can extend
`ipatests/test_xmlrpc/test_add_remove_cert_cmd.py` suite by doing the
same set of tests on idoverrideuser objects.

Or am I missing something?


On 09/15/2016 10:32 AM, Martin Basti wrote:



On 15.09.2016 10:10, Oleg Fayans wrote:

Hi Martin,

The file was renamed. Did I understand correctly that for now we are
leaving the test as is and are planning to extend it later?


I would like to have there SSSD check involved, please use what Sumit
recommends. No new test cases.

And this can be done by separate patch, I want to have API/CLI
certificate override tests for non-AD idview (extending current tests I
posted in this thread)

Martin^2


On 09/15/2016 09:49 AM, Martin Basti wrote:



On 14.09.2016 18:53, Sumit Bose wrote:

On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:


On 14.09.2016 17:53, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:


On 14.09.2016 17:41, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:

1)
I still don't see the reason why AD trust is needed. Default
trust ID view is added just by ipa-adtrust-install, adding
trust is not needed for current implementation. You don't
need AD for this, IDviews is generic feature not just for
AD. Is that user configured on AD side?

You cannot add non-AD user to 'default trust view', so you will not be
able to set up certificates to ID override which does not exist.

For non-'default trust view' you can add both IPA and AD users, so using
some other view and then assign certificate for a ID override in that
one.


Ok then, but anyway I would like to see API/CLI tests for this
feature with proper output validation.


How can this be tested with SSSD?

You need to log into the system with a certificate...

Is this possible from test? We are logged remotely as root, is there any
cmdline util which allows us to test certificate against AD user?


You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should
return the ssh key derived from the public key in the certificate. This
should work for certificate stored in AD as well as for overrides.

You can also use the DBus lookup by certificate as described in
https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate .

HTH

bye,
Sumit


Thank you Alexander and Sumit for hints.

Oleg I realized we don't have any other idviews integration tests

So I propose to rename test file you are adding to test_idviews.py. We
can add more testcases for idviews there later

Martin^2

Martin^2

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/

Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-11-08 Thread Oleg Fayans

Never give up pinging :)

On 11/03/2016 12:43 PM, Martin Basti wrote:

LGTM


On 03.11.2016 09:42, Oleg Fayans wrote:

One more ping for review

On 10/27/2016 02:21 PM, Oleg Fayans wrote:

ping for review


Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-11-03 Thread Martin Basti

LGTM


On 03.11.2016 09:42, Oleg Fayans wrote:

One more ping for review

On 10/27/2016 02:21 PM, Oleg Fayans wrote:

ping for review


Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-11-03 Thread Oleg Fayans

One more ping for review

On 10/27/2016 02:21 PM, Oleg Fayans wrote:

ping for review


Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-10-30 Thread Oleg Fayans

ping for review


Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-10-25 Thread Oleg Fayans

Integration part of the tests is ready. 2 tests:

1. Adds a cert to idoverride of a windows user
2. sssd part - looks up user by his certificate using dbus-sssd

Second and third dbus call are executed as a string instead of as array
of strings because it just does not work otherwise. Some quote escaping 
gets screwed probably, but the system returns "Error 
org.freedesktop.DBus.Error.UnknownInterface: Unknown interface" if the 
command is executed using the standard array-based approach


The run looks like this:

bash-4.3$ ipa-run-tests test_integration/test_idviews.py --pdb
WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] Permission denied: 'lextab.py'
WARNING: yacc table file version is out of date
WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission denied: 'yacctab.py'
test session starts
platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: sourceorder-0.5, multihost-1.0
collected 2 items

test_integration/test_idviews.py ..

2 passed in 948.44 seconds



On 10/21/2016 10:54 AM, Oleg Fayans wrote:

Added one more test, resolved the pep8 issues

On 10/19/2016 12:32 PM, Oleg Fayans wrote:

Hi Martin,

As you suggested, I've extended the
test_xmlrpc/test_add_remove_cert_cmd.py to contain basic tests for certs
in idoverrides.
The integration part still needs some polishing in the part related to
user lookup by cert

On 10/14/2016 03:57 PM, Martin Babinsky wrote:

On 10/14/2016 03:48 PM, Oleg Fayans wrote:

So, did I understand correctly, that there would be 2 patches: one
containing test for basic idoverrides functionality without
AD-integration, and the second one - with AD-integration and an sssd
check, correct?
I guess, the
freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch



might be a good candidate for the first one, I only have to change the
filename to test_idviews.py, right?



Oleg, we already have XMLRPC tests for idoverrides:

ipatests/test_xmlrpc/test_idviews_plugin.py

Is there any particular reason why not to extend them with add
cert/remove cert operations?

Even better, you can extend
`ipatests/test_xmlrpc/test_add_remove_cert_cmd.py` suite by doing the
same set of tests on idoverrideuser objects.

Or am I missing something?


On 09/15/2016 10:32 AM, Martin Basti wrote:



On 15.09.2016 10:10, Oleg Fayans wrote:

Hi Martin,

The file was renamed. Did I understand correctly that for now we are
leaving the test as is and are planning to extend it later?


I would like to have there SSSD check involved, please use what Sumit
recommends. No new test cases.

And this can be done by separate patch, I want to have API/CLI
certificate override tests for non-AD idview (extending current
tests I
posted in this thread)

Martin^2


On 09/15/2016 09:49 AM, Martin Basti wrote:



On 14.09.2016 18:53, Sumit Bose wrote:

On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:


On 14.09.2016 17:53, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:


On 14.09.2016 17:41, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:

1)
I still don't see the reason why AD trust is needed. Default
trust ID view is added just by ipa-adtrust-install, adding
trust is not needed for current implementation. You don't
need AD for this, IDviews is generic feature not just for
AD. Is that user configured on AD side?

You cannot add non-AD user to 'default trust view', so you will
not be
able to set up certificates to ID override which does not
exist.

For non-'default trust view' you can add both IPA and AD users,
so using
some other view and then assign certificate for a ID
override in
that
one.


Ok then, but anyway I would like to see API/CLI tests for this
feature with proper output validation.


How can be this tested with SSSD?

You need to log into the system with a certificate...

Is this possible from test? We are logged remotely as root, is
there any
cmdline util which allows us to test certificate against AD user?


You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should
return the ssh key derived from the public key in the certificate.
This
should work for certificate stored in AD as well as for overrides.

You can also use the DBus lookup by certificate as described in
https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate .

HTH

bye,
Sumit


Thank you Alexander and Sumit for hints.

Oleg I realized we don't have any other idviews integration tests

So I propose to rename test file you are adding to
test_idviews.py. We
can add more testcases for idviews there later

Martin^2

Martin^2

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.fr
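
The string-versus-array remark in the quoted 10/25 message comes down to who removes the quotes around a dbus-send argument. This is an added example, not code from the thread or the patch: the command line, object path and property names are constructed assumptions (the thread neither shows the actual calls nor confirms the cause), and the helper names are hypothetical.

```python
import shlex

# Constructed sample data: the thread does not show the real commands.
# The object path is a placeholder; the interface names are the standard
# D-Bus Properties interface and the SSSD InfoPipe user interface.
DEST = "org.freedesktop.sssd.infopipe"
USER_PATH = "/org/freedesktop/sssd/infopipe/Users/PLACEHOLDER"

# Form 1: one string, meant to be parsed by a shell on the test host.
SHELL_COMMAND = (
    "dbus-send --system --print-reply --dest=" + DEST + " " + USER_PATH
    + " org.freedesktop.DBus.Properties.Get"
    + ' string:"org.freedesktop.sssd.infopipe.Users.User" string:"name"'
)

# Form 2: the same words copied one-for-one into a list. No shell parses a
# list, so the double quotes stay inside the arguments.
NAIVE_ARGV = [
    "dbus-send", "--system", "--print-reply", "--dest=" + DEST, USER_PATH,
    "org.freedesktop.DBus.Properties.Get",
    'string:"org.freedesktop.sssd.infopipe.Users.User"', 'string:"name"',
]

# Constructed placeholder for a PEM argument; it contains spaces and newlines.
CERT_ARGV = [
    "dbus-send",
    "string:-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----",
]


def argv_from_shell_string(command):
    """Split a command the way a POSIX shell would, removing the quoting."""
    return shlex.split(command)


def dbus_string_values(argv):
    """Return the payload of every dbus-send 'string:' argument in argv."""
    prefix = "string:"
    return [arg[len(prefix):] for arg in argv if arg.startswith(prefix)]


def args_with_literal_quotes(argv):
    """List arguments that would carry a quote character into the program."""
    return [arg for arg in argv if '"' in arg or "'" in arg]


def shell_string_from_argv(argv):
    """Build a shell string from a clean argv, quoting only where needed."""
    return " ".join(shlex.quote(arg) for arg in argv)


if __name__ == "__main__":
    clean = argv_from_shell_string(SHELL_COMMAND)
    print("shell string ->", dbus_string_values(clean))
    print("naive list   ->", dbus_string_values(NAIVE_ARGV))
    print("suspect args ->", args_with_literal_quotes(NAIVE_ARGV))
```

In the list form the interface name reaches dbus-send with the quote characters still attached, so a test that builds argv lists should pass the bare values and leave quoting to `shlex.quote` when a string is needed.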

Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-10-21 Thread Oleg Fayans

Added one more test, resolved the pep8 issues

On 10/19/2016 12:32 PM, Oleg Fayans wrote:

Hi Martin,

As you suggested, I've extended the
test_xmlrpc/test_add_remove_cert_cmd.py to contain basic tests for certs
in idoverrides.
The integration part still needs some polishing in the part related to
user lookup by cert

On 10/14/2016 03:57 PM, Martin Babinsky wrote:

On 10/14/2016 03:48 PM, Oleg Fayans wrote:

So, did I understand correctly, that there would be 2 patches: one
containing test for basic idoverrides functionality without
AD-integration, and the second one - with AD-integration and an sssd
check, correct?
I guess, the
freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch


might be a good candidate for the first one, I only have to change the
filename to test_idviews.py, right?



Oleg, we already have XMLRPC tests for idoverrides:

ipatests/test_xmlrpc/test_idviews_plugin.py

Is there any particular reason why not to extend them with add
cert/remove cert operations?

Even better, you can extend
`ipatests/test_xmlrpc/test_add_remove_cert_cmd.py` suite by doing the
same set of tests on idoverrideuser objects.

Or am I missing something?


On 09/15/2016 10:32 AM, Martin Basti wrote:



On 15.09.2016 10:10, Oleg Fayans wrote:

Hi Martin,

The file was renamed. Did I understand correctly that for now we are
leaving the test as is and are planning to extend it later?


I would like to have there SSSD check involved, please use what Sumit
recommends. No new test cases.

And this can be done by separate patch, I want to have API/CLI
certificate override tests for non-AD idview (extending current tests I
posted in this thread)

Martin^2


On 09/15/2016 09:49 AM, Martin Basti wrote:



On 14.09.2016 18:53, Sumit Bose wrote:

On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:


On 14.09.2016 17:53, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:


On 14.09.2016 17:41, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:

1)
I still don't see the reason why AD trust is needed. Default
trust ID view is added just by ipa-adtrust-install, adding
trust is not needed for current implementation. You don't
need AD for this, IDviews is generic feature not just for
AD. Is that user configured on AD side?

You cannot add non-AD user to 'default trust view', so you will
not be
able to set up certificates to ID override which does not exist.

For non-'default trust view' you can add both IPA and AD users,
so using
some other view and then assign certificate for a ID override in
that
one.


Ok then, but anyway I would like to see API/CLI tests for this
feature with proper output validation.


How can be this tested with SSSD?

You need to log into the system with a certificate...

Is this possible from test? We are logged remotely as root, is
there any
cmdline util which allows us to test certificate against AD user?


You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should
return the ssh key derived from the public key in the certificate.
This
should work for certificate stored in AD as well as for overrides.

You can also use the DBus lookup by certificate as described in
https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate .

HTH

bye,
Sumit


Thank you Alexander and Sumit for hints.

Oleg I realized we don't have any other idviews integration tests

So I propose to rename test file you are adding to
test_idviews.py. We
can add more testcases for idviews there later

Martin^2

Martin^2

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 91a14f2604370c2fc314af6768ddaa112b9b0649 Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Fri, 21 Oct 2016 10:53:19 +0200
Subject: [PATCH] tests: Added basic tests for certs in idoverrides

https://fedorahosted.org/freeipa/ticket/6412
---
 ipatests/test_xmlrpc/test_add_remove_cert_cmd.py | 91 
 1 file changed, 91 insertions(+)

diff --git a/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py b/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
index edc97f07b0bf7d621bf9313a8ba20b4071b9e394..cc190329416dd001dc7435737b33c696a9f9ac7e 100644
--- a/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
+++ b/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
@@ -352,3 +352,94 @@ class TestCertManipCmdService(CertManipCmdTestBase):
 api.Command.host_del(TestCertManipCmdHost.entity_pkey)
 except errors.NotFound:
 pass
+
+
+@pytest.mark.tier1
+class TestCertManipIdOverride(XMLRPC_test):
+idview = u'testview'
+testuser = u'testuser'
+entity_subject = testuser
+entity_principal = testuser
+
+cert_add_cmd = api.Command.idoverrideuser_add_cert
+cert_del_cmd = api.Command.idoverrideuser_remove_cert
+
+def del_cert_fro
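
Review bot: TestCertManipIdOverride derives from XMLRPC_test, while the class whose tail is this hunk's context, TestCertManipCmdService, derives from CertManipCmdTestBase; the new class then sets entity_subject, entity_principal, cert_add_cmd and cert_del_cmd, names that read like hooks for a shared base. If the shared base cannot be reused for ID overrides, a one-line class docstring saying why would save the next reader the comparison; if it can, derive from it and drop the duplicated plumbing. The hunk is cut off at "def del_cert_fro", so the use of these attributes is not visible here.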

Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-10-19 Thread Oleg Fayans

Hi Martin,

As you suggested, I've extended the 
test_xmlrpc/test_add_remove_cert_cmd.py to contain basic tests for certs 
in idoverrides.
The integration part still needs some polishing in the part related to 
user lookup by cert


On 10/14/2016 03:57 PM, Martin Babinsky wrote:

On 10/14/2016 03:48 PM, Oleg Fayans wrote:

So, did I understand correctly, that there would be 2 patches: one
containing test for basic idoverrides functionality without
AD-integration, and the second one - with AD-integration and an sssd
check, correct?
I guess, the
freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch

might be a good candidate for the first one, I only have to change the
filename to test_idviews.py, right?



Oleg, we already have XMLRPC tests for idoverrides:

ipatests/test_xmlrpc/test_idviews_plugin.py

Is there any particular reason why not to extend them with add
cert/remove cert operations?

Even better, you can extend
`ipatests/test_xmlrpc/test_add_remove_cert_cmd.py` suite by doing the
same set of tests on idoverrideuser objects.

Or am I missing something?


On 09/15/2016 10:32 AM, Martin Basti wrote:



On 15.09.2016 10:10, Oleg Fayans wrote:

Hi Martin,

The file was renamed. Did I understand correctly that for now we are
leaving the test as is and are planning to extend it later?


I would like to have there SSSD check involved, please use what Sumit
recommends. No new test cases.

And this can be done by separate patch, I want to have API/CLI
certificate override tests for non-AD idview (extending current tests I
posted in this thread)

Martin^2


On 09/15/2016 09:49 AM, Martin Basti wrote:



On 14.09.2016 18:53, Sumit Bose wrote:

On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:


On 14.09.2016 17:53, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:


On 14.09.2016 17:41, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:

1)
I still don't see the reason why AD trust is needed. Default
trust ID view is added just by ipa-adtrust-install, adding
trust is not needed for current implementation. You don't
need AD for this, IDviews is generic feature not just for
AD. Is that user configured on AD side?

You cannot add non-AD user to 'default trust view', so you will
not be
able to set up certificates to ID override which does not exist.

For non-'default trust view' you can add both IPA and AD users,
so using
some other view and then assign certificate for a ID override in
that
one.


Ok then, but anyway I would like to see API/CLI tests for this
feature with proper output validation.


How can be this tested with SSSD?

You need to log into the system with a certificate...

Is this possible from test? We are logged remotely as root, is
there any
cmdline util which allows us to test certificate against AD user?


You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should
return the ssh key derived from the public key in the certificate.
This
should work for certificate stored in AD as well as for overrides.

You can also use the DBus lookup by certificate as described in
https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate .

HTH

bye,
Sumit


Thank you Alexander and Sumit for hints.

Oleg I realized we don't have any other idviews integration tests

So I propose to rename test file you are adding to test_idviews.py. We
can add more testcases for idviews there later

Martin^2

Martin^2

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From de874f4e7bae77a1149846b2dd1fd4ce487e8c66 Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Wed, 19 Oct 2016 11:59:44 +0200
Subject: [PATCH] tests: Added basic tests for certs in idoverrides

https://fedorahosted.org/freeipa/ticket/6412
---
 ipatests/test_xmlrpc/test_add_remove_cert_cmd.py | 88 
 1 file changed, 88 insertions(+)

diff --git a/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py b/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
index edc97f07b0bf7d621bf9313a8ba20b4071b9e394..82a81b04997b8b4b41a45d65e00b773daef52099 100644
--- a/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
+++ b/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
@@ -352,3 +352,91 @@ class TestCertManipCmdService(CertManipCmdTestBase):
 api.Command.host_del(TestCertManipCmdHost.entity_pkey)
 except errors.NotFound:
 pass
+
+
+@pytest.mark.tier1
+class TestCertManipIdOverride(XMLRPC_test):
+idview = u'testview'
+testuser = u'testuser'
+entity_subject = testuser
+entity_principal = testuser
+
+cert_add_cmd = api.Command.idoverrideuser_add_cert
+cert_del_cmd = api.Command.idoverrideuser_remove_cert
+
+def del_cert_from_idoverride(self, username, view_name, cert):
+result = self.cert_del_cmd(view_name,
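
Review bot: del_cert_from_idoverride takes its parameters as (username, view_name, cert), but the call it wraps, self.cert_del_cmd(view_name, ..., starts with view_name, so the helper's order is the opposite of the command's. Both values are unicode strings (u'testuser', u'testview'), so a caller that swaps them gets a confusing NotFound-style failure rather than a type error; consider declaring the helper as (view_name, username, cert) or passing the arguments by keyword, and add a short docstring stating what the helper returns.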

Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-10-14 Thread Oleg Fayans

Hi, Martin,

Right. The point is to have a test that emulates the real-world usecase 
of this feature. Which is AD integration. No xmlrpc test is able to do 
so. Of course we can automate testing of CLI options using XMLRPC. But 
that would not mean we do not need an integration test for the "real" 
part. So, I'll add the cert manipulation tests to the xmlrpc test.


On 10/14/2016 03:57 PM, Martin Babinsky wrote:

On 10/14/2016 03:48 PM, Oleg Fayans wrote:

So, did I understand correctly, that there would be 2 patches: one
containing test for basic idoverrides functionality without
AD-integration, and the second one - with AD-integration and an sssd
check, correct?
I guess, the
freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch

might be a good candidate for the first one, I only have to change the
filename to test_idviews.py, right?



Oleg, we already have XMLRPC tests for idoverrides:

ipatests/test_xmlrpc/test_idviews_plugin.py

Is there any particular reason why not to extend them with add
cert/remove cert operations?

Even better, you can extend
`ipatests/test_xmlrpc/test_add_remove_cert_cmd.py` suite by doing the
same set of tests on idoverrideuser objects.

Or am I missing something?


On 09/15/2016 10:32 AM, Martin Basti wrote:



On 15.09.2016 10:10, Oleg Fayans wrote:

Hi Martin,

The file was renamed. Did I understand correctly that for now we are
leaving the test as is and are planning to extend it later?


I would like to have there SSSD check involved, please use what Sumit
recommends. No new test cases.

And this can be done by separate patch, I want to have API/CLI
certificate override tests for non-AD idview (extending current tests I
posted in this thread)

Martin^2


On 09/15/2016 09:49 AM, Martin Basti wrote:



On 14.09.2016 18:53, Sumit Bose wrote:

On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:


On 14.09.2016 17:53, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:


On 14.09.2016 17:41, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:

1)
I still don't see the reason why AD trust is needed. Default
trust ID view is added just by ipa-adtrust-install, adding
trust is not needed for current implementation. You don't
need AD for this, IDviews is generic feature not just for
AD. Is that user configured on AD side?

You cannot add non-AD user to 'default trust view', so you will
not be
able to set up certificates to ID override which does not exist.

For non-'default trust view' you can add both IPA and AD users,
so using
some other view and then assign certificate for a ID override in
that
one.


Ok then, but anyway I would like to see API/CLI tests for this
feature with proper output validation.


How can be this tested with SSSD?

You need to log into the system with a certificate...

Is this possible from test? We are logged remotely as root, is
there any
cmdline util which allows us to test certificate against AD user?


You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should
return the ssh key derived from the public key in the certificate.
This
should work for certificate stored in AD as well as for overrides.

You can also use the DBus lookup by certificate as described in
https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate .

HTH

bye,
Sumit


Thank you Alexander and Sumit for hints.

Oleg I realized we don't have any other idviews integration tests

So I propose to rename test file you are adding to test_idviews.py. We
can add more testcases for idviews there later

Martin^2

Martin^2

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-10-14 Thread Martin Babinsky

On 10/14/2016 03:48 PM, Oleg Fayans wrote:

So, did I understand correctly, that there would be 2 patches: one
containing test for basic idoverrides functionality without
AD-integration, and the second one - with AD-integration and an sssd
check, correct?
I guess, the
freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch
might be a good candidate for the first one, I only have to change the
filename to test_idviews.py, right?



Oleg, we already have XMLRPC tests for idoverrides:

ipatests/test_xmlrpc/test_idviews_plugin.py

Is there any particular reason why not to extend them with add 
cert/remove cert operations?


Even better, you can extend 
`ipatests/test_xmlrpc/test_add_remove_cert_cmd.py` suite by doing the 
same set of tests on idoverrideuser objects.


Or am I missing something?


On 09/15/2016 10:32 AM, Martin Basti wrote:



On 15.09.2016 10:10, Oleg Fayans wrote:

Hi Martin,

The file was renamed. Did I understand correctly that for now we are
leaving the test as is and are planning to extend it later?


I would like to have there SSSD check involved, please use what Sumit
recommends. No new test cases.

And this can be done by separate patch, I want to have API/CLI
certificate override tests for non-AD idview (extending current tests I
posted in this thread)

Martin^2


On 09/15/2016 09:49 AM, Martin Basti wrote:



On 14.09.2016 18:53, Sumit Bose wrote:

On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:


On 14.09.2016 17:53, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:


On 14.09.2016 17:41, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:

1)
I still don't see the reason why AD trust is needed. Default
trust ID view is added just by ipa-adtrust-install, adding
trust is not needed for current implementation. You don't
need AD for this, IDviews is generic feature not just for
AD. Is that user configured on AD side?

You cannot add non-AD user to 'default trust view', so you will
not be
able to set up certificates to ID override which does not exist.

For non-'default trust view' you can add both IPA and AD users,
so using
some other view and then assign certificate for a ID override in
that
one.


Ok then, but anyway I would like to see API/CLI tests for this
feature with proper output validation.


How can be this tested with SSSD?

You need to log into the system with a certificate...

Is this possible from test? We are logged remotely as root, is
there any
cmdline util which allows us to test certificate against AD user?


You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should
return the ssh key derived from the public key in the certificate.
This
should work for certificate stored in AD as well as for overrides.

You can also use the DBus lookup by certificate as described in
https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate .

HTH

bye,
Sumit


Thank you Alexander and Sumit for hints.

Oleg I realized we don't have any other idviews integration tests

So I propose to rename test file you are adding to test_idviews.py. We
can add more testcases for idviews there later

Martin^2

Martin^2

--
Martin^3 Babinsky

Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-10-14 Thread Oleg Fayans
So, did I understand correctly, that there would be 2 patches: one 
containing test for basic idoverrides functionality without 
AD-integration, and the second one - with AD-integration and an sssd 
check, correct?
I guess, the 
freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch 
might be a good candidate for the first one, I only have to change the 
filename to test_idviews.py, right?


On 09/15/2016 10:32 AM, Martin Basti wrote:



On 15.09.2016 10:10, Oleg Fayans wrote:

Hi Martin,

The file was renamed. Did I understand correctly that for now we are
leaving the test as is and are planning to extend it later?


I would like to have there SSSD check involved, please use what Sumit
recommends. No new test cases.

And this can be done by separate patch, I want to have API/CLI
certificate override tests for non-AD idview (extending current tests I
posted in this thread)

Martin^2


On 09/15/2016 09:49 AM, Martin Basti wrote:



On 14.09.2016 18:53, Sumit Bose wrote:

On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:


On 14.09.2016 17:53, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:


On 14.09.2016 17:41, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:

1)
I still don't see the reason why AD trust is needed. Default
trust ID view is added just by ipa-adtrust-install, adding
trust is not needed for current implementation. You don't
need AD for this, IDviews is generic feature not just for
AD. Is that user configured on AD side?

You cannot add non-AD user to 'default trust view', so you will
not be
able to set up certificates to ID override which does not exist.

For non-'default trust view' you can add both IPA and AD users,
so using
some other view and then assign certificate for a ID override in
that
one.


Ok then, but anyway I would like to see API/CLI tests for this
feature with proper output validation.


How can be this tested with SSSD?

You need to log into the system with a certificate...

Is this possible from test? We are logged remotely as root, is
there any
cmdline util which allows us to test certificate against AD user?


You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should
return the ssh key derived from the public key in the certificate. This
should work for certificate stored in AD as well as for overrides.

You can also use the DBus lookup by certificate as described in
https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate .

HTH

bye,
Sumit


Thank you Alexander and Sumit for hints.

Oleg I realized we don't have any other idviews integration tests

So I propose to rename test file you are adding to test_idviews.py. We
can add more testcases for idviews there later

Martin^2

Martin^2

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-09-15 Thread Martin Basti



On 15.09.2016 10:10, Oleg Fayans wrote:

Hi Martin,

The file was renamed. Did I understand correctly that for now we are 
leaving the test as is and are planning to extend it later?


I would like to have there SSSD check involved, please use what Sumit 
recommends. No new test cases.


And this can be done by separate patch, I want to have API/CLI 
certificate override tests for non-AD idview (extending current tests I 
posted in this thread)


Martin^2


On 09/15/2016 09:49 AM, Martin Basti wrote:



On 14.09.2016 18:53, Sumit Bose wrote:

On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:


On 14.09.2016 17:53, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:


On 14.09.2016 17:41, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:

1)
I still don't see the reason why AD trust is needed. Default
trust ID view is added just by ipa-adtrust-install, adding
trust is not needed for current implementation. You don't
need AD for this, IDviews is generic feature not just for
AD. Is that user configured on AD side?

You cannot add non-AD user to 'default trust view', so you will
not be
able to set up certificates to ID override which does not exist.

For non-'default trust view' you can add both IPA and AD users,
so using
some other view and then assign certificate for a ID override in 
that

one.


Ok then, but anyway I would like to see API/CLI tests for this
feature with proper output validation.


How can be this tested with SSSD?

You need to log into the system with a certificate...
Is this possible from test? We are logged remotely as root, is 
there any

cmdline util which allows us to test certificate against AD user?


You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should
return the ssh key derived from the public key in the certificate. This
should work for certificate stored in AD as well as for overrides.

You can also use the DBus lookup by certificate as described in
https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate .


HTH

bye,
Sumit


Thank you Alexander and Sumit for hints.

Oleg I realized we don't have any other idviews integration tests

So I propose to rename test file you are adding to test_idviews.py. We
can add more testcases for idviews there later

Martin^2

Martin^2

Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-09-15 Thread Oleg Fayans

Hi Martin,

The file was renamed. Did I understand correctly that for now we are 
leaving the test as is and are planning to extend it later?


On 09/15/2016 09:49 AM, Martin Basti wrote:



On 14.09.2016 18:53, Sumit Bose wrote:

On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:


On 14.09.2016 17:53, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:


On 14.09.2016 17:41, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:

1)
I still don't see the reason why AD trust is needed. Default
trust ID view is added just by ipa-adtrust-install, adding
trust is not needed for current implementation. You don't
need AD for this, IDviews is generic feature not just for
AD. Is that user configured on AD side?

You cannot add non-AD user to 'default trust view', so you will
not be
able to set up certificates to ID override which does not exist.

For non-'default trust view' you can add both IPA and AD users,
so using
some other view and then assign certificate for a ID override in that
one.


Ok then, but anyway I would like to see API/CLI tests for this
feature with proper output validation.


How can be this tested with SSSD?

You need to log into the system with a certificate...

Is this possible from test? We are logged remotely as root, is there any
cmdline util which allows us to test certificate against AD user?


You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should
return the ssh key derived from the public key in the certificate. This
should work for certificate stored in AD as well as for overrides.

You can also use the DBus lookup by certificate as described in
https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate .

HTH

bye,
Sumit


Thank you Alexander and Sumit for hints.

Oleg I realized we don't have any other idviews integration tests

So I propose to rename test file you are adding to test_idviews.py. We
can add more testcases for idviews there later

Martin^2

Martin^2

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 1a0039b64023b0bb3c9289128413b4ccef489ec4 Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Tue, 6 Sep 2016 13:55:16 +0200
Subject: [PATCH] Automated test for certs in idoverrides feature

https://fedorahosted.org/freeipa/ticket/6005
---
 .../test_integration/test_idviews.py  | 121 +
 1 file changed, 121 insertions(+)
 create mode 100644 ipatests/test_integration/test_idviews.py

diff --git a/ipatests/test_integration/test_idviews.py b/ipatests/test_integration/test_idviews.py
new file mode 100644
index ..762ce71a5ed8883b2a2d5bc4185b5ffcb52a4edb
--- /dev/null
+++ b/ipatests/test_integration/test_idviews.py
@@ -0,0 +1,121 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+import os
+import re
+import string
+from ipatests.test_integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration.tasks import assert_error
+from ipatests.test_integration.env_config import get_global_config
+config = get_global_config()
+
+
+class TestCertsInIDOverrides(IntegrationTest):
+topology = "line"
+service_certprofile = 'caIPAserviceCert'
+num_ad_domains = 1
+user_certprofile = 'caIPAuserCert'
+adview = 'Default Trust View'
+cert_re = re.compile('Certificate: (?P.*?)\\s+.*')
+ad = config.ad_domains[0].ads[0]
+ad_domain = ad.domain.name
+aduser = "testuser@%s" % ad_domain
+adcert1 = 'MyCert1'
+adcert2 = 'MyCert2'
+adcert1_file = adcert1 + '.crt'
+adcert2_file = adcert2 + '.crt'
+
+@classmethod
+def uninstall(cls, mh):
+super(TestCertsInIDOverrides, cls).uninstall(mh)
+cls.master.run_command(['rm', '-rf', cls.reqdir], raiseonerr=False)
+
+@classmethod
+def install(cls, mh):
+super(TestCertsInIDOverrides, cls).install(mh)
+master = cls.master
+
+# AD-related stuff
+tasks.install_adtrust(master)
+tasks.sync_time(master, cls.ad)
+tasks.establish_trust_with_ad(cls.master, cls.ad_domain,
+  extra_args=['--range-type',
+  'ipa-ad-trust'])
+
+tasks.sync_time(cls.master, cls.ad)
+master.run_command(['ipa', 'certprofile-show', cls.service_certprofile,
+"--out=%s.txt" % cls.user_certprofile])
+master.run_command("sed -i \"s/profileId=%s/profileId=%s/\" %s.txt" % (
+cls.service_certprofile, cls.user_certprofile,
+cls.user_certprofile)
+)
+master.run_command(['ipa', 'certprofile-import', cls.user_certprofile,
+"--file=%s.txt" % cls.user_certprofile,
+   
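
Review bot: "ad = config.ad_domains[0].ads[0]" in the class body, together with the module-level "config = get_global_config()", is evaluated when the module is imported, so a test configuration without an AD domain would fail at collection on the [0] index instead of the test being skipped or reported cleanly. Resolve the AD host inside install(), next to tasks.install_adtrust(master), and derive ad_domain and aduser there. Separately, uninstall() removes cls.reqdir, which is not among the class attributes shown; if it is only assigned during install(), an install that fails early leaves uninstall() raising AttributeError, so give reqdir a class-level default.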

Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-09-15 Thread Martin Basti



On 14.09.2016 18:53, Sumit Bose wrote:

On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:


On 14.09.2016 17:53, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:


On 14.09.2016 17:41, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:

1)
I still don't see the reason why AD trust is needed. Default
trust ID view is added just by ipa-adtrust-install, adding
trust is not needed for current implementation. You don't
need AD for this, IDviews is generic feature not just for
AD. Is that user configured on AD side?

You cannot add non-AD user to 'default trust view', so you will not be
able to set up certificates to ID override which does not exist.

For non-'default trust view' you can add both IPA and AD users,
so using
some other view and then assign certificate for a ID override in that
one.


Ok then, but anyway I would like to see API/CLI tests for this
feature with proper output validation.


How can this be tested with SSSD?

You need to log into the system with a certificate...

Is this possible from test? We are logged remotely as root, is there any
cmdline util which allows us to test certificate against AD user?


You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should
return the ssh key derived from the public key in the certificate. This
should work for certificate stored in AD as well as for overrides.

You can also use the DBus lookup by certificate as described in
https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate .

HTH

bye,
Sumit


Thank you Alexander and Sumit for hints.

Oleg I realized we don't have any other idviews integration tests

So I propose to rename test file you are adding to test_idviews.py. We 
can add more testcases for idviews there later


Martin^2

Martin^2

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code




Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-09-14 Thread Alexander Bokovoy

On Wed, 14 Sep 2016, Martin Basti wrote:



On 14.09.2016 17:53, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:



On 14.09.2016 17:41, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:

1)
I still don't see the reason why AD trust is needed. Default 
trust ID view is added just by ipa-adtrust-install, adding 
trust is not needed for current implementation. You don't need 
AD for this, IDviews is generic feature not just for AD. Is 
that user configured on AD side?

You cannot add non-AD user to 'default trust view', so you will not be
able to set up certificates to ID override which does not exist.

For non-'default trust view' you can add both IPA and AD users, 
so using

some other view and then assign certificate for a ID override in that
one.



Ok then, but anyway I would like to see API/CLI tests for this 
feature with proper output validation.



How can this be tested with SSSD?

You need to log into the system with a certificate...
Is this possible from test? We are logged remotely as root, is there 
any cmdline util which allows us to test certificate against AD user?

https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardAuthenticationTestingWithAD

The only thing that differentiates AD user from IPA is the fact that
you'd need to trust a certificate authority that issued the certificate
for this user.
--
/ Alexander Bokovoy



Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-09-14 Thread Sumit Bose
On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:
> 
> 
> On 14.09.2016 17:53, Alexander Bokovoy wrote:
> > On Wed, 14 Sep 2016, Martin Basti wrote:
> > > 
> > > 
> > > On 14.09.2016 17:41, Alexander Bokovoy wrote:
> > > > On Wed, 14 Sep 2016, Martin Basti wrote:
> > > > > 1)
> > > > > I still don't see the reason why AD trust is needed. Default
> > > > > trust ID view is added just by ipa-adtrust-install, adding
> > > > > trust is not needed for current implementation. You don't
> > > > > need AD for this, IDviews is generic feature not just for
> > > > > AD. Is that user configured on AD side?
> > > > You cannot add non-AD user to 'default trust view', so you will not be
> > > > able to set up certificates to ID override which does not exist.
> > > > 
> > > > For non-'default trust view' you can add both IPA and AD users,
> > > > so using
> > > > some other view and then assign certificate for a ID override in that
> > > > one.
> > > > 
> > > 
> > > Ok then, but anyway I would like to see API/CLI tests for this
> > > feature with proper output validation.
> > > 
> > > 
> > > How can this be tested with SSSD?
> > You need to log into the system with a certificate...
> Is this possible from test? We are logged remotely as root, is there any
> cmdline util which allows us to test certificate against AD user?


You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should
return the ssh key derived from the public key in the certificate. This
should work for certificate stored in AD as well as for overrides.

You can also use the DBus lookup by certificate as described in
https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate .

HTH

bye,
Sumit

> 
> Martin^2
> 


Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-09-14 Thread Martin Basti



On 14.09.2016 17:53, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:



On 14.09.2016 17:41, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:

1)
I still don't see the reason why AD trust is needed. Default trust 
ID view is added just by ipa-adtrust-install, adding trust is not 
needed for current implementation. You don't need AD for this, 
IDviews is generic feature not just for AD. Is that user configured 
on AD side?

You cannot add non-AD user to 'default trust view', so you will not be
able to set up certificates to ID override which does not exist.

For non-'default trust view' you can add both IPA and AD users, so 
using

some other view and then assign certificate for a ID override in that
one.



Ok then, but anyway I would like to see API/CLI tests for this 
feature with proper output validation.



How can this be tested with SSSD?
You need to log into the system with a certificate... 
Is this possible from test? We are logged remotely as root, is there any 
cmdline util which allows us to test certificate against AD user?


Martin^2



Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-09-14 Thread Alexander Bokovoy

On Wed, 14 Sep 2016, Martin Basti wrote:



On 14.09.2016 17:41, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:

1)
I still don't see the reason why AD trust is needed. Default trust 
ID view is added just by ipa-adtrust-install, adding trust is not 
needed for current implementation. You don't need AD for this, 
IDviews is generic feature not just for AD. Is that user 
configured on AD side?

You cannot add non-AD user to 'default trust view', so you will not be
able to set up certificates to ID override which does not exist.

For non-'default trust view' you can add both IPA and AD users, so using
some other view and then assign certificate for a ID override in that
one.



Ok then, but anyway I would like to see API/CLI tests for this feature 
with proper output validation.



How can this be tested with SSSD?

You need to log into the system with a certificate...
--
/ Alexander Bokovoy



Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-09-14 Thread Martin Basti



On 14.09.2016 17:41, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:

1)
I still don't see the reason why AD trust is needed. Default trust ID 
view is added just by ipa-adtrust-install, adding trust is not needed 
for current implementation. You don't need AD for this, IDviews is 
generic feature not just for AD. Is that user configured on AD side?

You cannot add non-AD user to 'default trust view', so you will not be
able to set up certificates to ID override which does not exist.

For non-'default trust view' you can add both IPA and AD users, so using
some other view and then assign certificate for a ID override in that
one.



Ok then, but anyway I would like to see API/CLI tests for this feature 
with proper output validation.



How can this be tested with SSSD?



Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-09-14 Thread Alexander Bokovoy

On Wed, 14 Sep 2016, Martin Basti wrote:

1)
I still don't see the reason why AD trust is needed. Default trust ID 
view is added just by ipa-adtrust-install, adding trust is not needed 
for current implementation. You don't need AD for this, IDviews is 
generic feature not just for AD. Is that user configured on AD side?

You cannot add non-AD user to 'default trust view', so you will not be
able to set up certificates to ID override which does not exist.

For non-'default trust view' you can add both IPA and AD users, so using
some other view and then assign certificate for a ID override in that
one.

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-09-14 Thread Martin Basti



On 06.09.2016 13:57, Oleg Fayans wrote:

The test is updated to clean up after itself

On 09/06/2016 12:57 PM, Oleg Fayans wrote:

Hi Martin,

Thanks for the review. The updated patches are attached. Please, see my
comments below

On 08/30/2016 01:58 PM, Martin Basti wrote:



On 22.08.2016 13:18, Oleg Fayans wrote:

ping for review

On 08/02/2016 01:11 PM, Oleg Fayans wrote:

Hi Martin,

I did! Thank you!

On 08/02/2016 12:31 PM, Martin Basti wrote:



On 01.08.2016 22:46, Oleg Fayans wrote:
The test was redesigned so that it actually tests against an AD 
user.

cleanly applies, passes lint and passes

https://paste.fedoraproject.org/399504/00843641/


Okay

Did you forget to send patches?

Martin^2



On 06/28/2016 01:40 PM, Oleg Fayans wrote:

Patch-0050 rebased against latest upstream branch

On 06/28/2016 10:45 AM, Oleg Fayans wrote:

Passing test output:

https://paste.fedoraproject.org/385774/71035231/

NACK for 0049.1

1)
PEP8: you must use 2 empty lines between functions


Fixed



2)
+new_args = " ".join(new_args + args)

you don't need this, run_command takes list as argument too
new_args.extend(args)


The list-based approach does not work with shell redirects which are
heavily used in the certs_id_idoverrides test. Thus, this trick is
really needed



3)
To make it more usable you should add raiseonerr as kwarg to
run_certutil (True as default)


Done



NACK for 0050.2

1)
+tasks.run_certutil(master, ['-L', '-n', cls.adcert1, '-a', 
'>',

+cls.adcert1_file], cls.reqdir)
+tasks.run_certutil(master, ['-L', '-n', cls.adcert2, '-a', 
'>',

+cls.adcert2_file], cls.reqdir)

IMO this should raise an error if failed, but previously you set
raiseonerr=False (multiple times)


Agreed. Done



2)
+cls.ad = cls.ad_domains[0].ads[0]
+cls.ad_domain = cls.ad.domain.name
+cls.aduser = "testuser@%s" % cls.ad_domain
+cls.adcert1 = 'MyCert1'
+cls.adcert2 = 'MyCert2'
+cls.adcert1_file = cls.adcert1 + '.crt'
+cls.adcert2_file = cls.adcert2 + '.crt'

New definitions of variables/constants should be directly in class not
in install method, adding new class variables in classmethod is the 
same

evil as adding instance variables outside __init__


Fair point. Fixed



3)
I have question, why do you need AD for this test? AFAIK you can use ID
overrides without AD


Correct. You can, but the workflow would be slightly different. For
example, you can not issue and sign cert requests for AD-users the way
you would do it for local users. We want to have tests that can be taken
by end-users as example how to use our software, that's why it is better
to be as close to real-world use-cases as it is possible.



Martin^3

1)
I still don't see the reason why AD trust is needed. Default trust ID 
view is added just by ipa-adtrust-install, adding trust is not needed 
for current implementation. You don't need AD for this, IDviews is 
generic feature not just for AD. Is that user configured on AD side?


2)
The test itself looks for me as just API/CLI test. IMO it can be in 
ipatests/test_xmlrpc/test_idviews_plugin.py or 
ipatests/test_xmlrpc/test_add_remove_cert_cmd.py


3)
I don't see any integration with SSSD in that test, just pure IPA CLI 
test, shouldn't be this tested against SSSD here?



Martin^2

Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-09-14 Thread Oleg Fayans

Ping for review.

On 09/06/2016 01:57 PM, Oleg Fayans wrote:

The test is updated to clean up after itself

On 09/06/2016 12:57 PM, Oleg Fayans wrote:

Hi Martin,

Thanks for the review. The updated patches are attached. Please, see my
comments below

On 08/30/2016 01:58 PM, Martin Basti wrote:



On 22.08.2016 13:18, Oleg Fayans wrote:

ping for review

On 08/02/2016 01:11 PM, Oleg Fayans wrote:

Hi Martin,

I did! Thank you!

On 08/02/2016 12:31 PM, Martin Basti wrote:



On 01.08.2016 22:46, Oleg Fayans wrote:

The test was redesigned so that it actually tests against an AD
user.
cleanly applies, passes lint and passes

https://paste.fedoraproject.org/399504/00843641/


Okay

Did you forget to send patches?

Martin^2



On 06/28/2016 01:40 PM, Oleg Fayans wrote:

Patch-0050 rebased against latest upstream branch

On 06/28/2016 10:45 AM, Oleg Fayans wrote:

Passing test output:

https://paste.fedoraproject.org/385774/71035231/

NACK for 0049.1

1)
PEP8: you must use 2 empty lines between functions


Fixed



2)
+new_args = " ".join(new_args + args)

you don't need this, run_command takes list as argument too
new_args.extend(args)


The list-based approach does not work with shell redirects which are
heavily used in the certs_id_idoverrides test. Thus, this trick is
really needed



3)
To make it more usable you should add raiseonerr as kwarg to
run_certutil (True as default)


Done



NACK for 0050.2

1)
+tasks.run_certutil(master, ['-L', '-n', cls.adcert1, '-a', '>',
+cls.adcert1_file], cls.reqdir)
+tasks.run_certutil(master, ['-L', '-n', cls.adcert2, '-a', '>',
+cls.adcert2_file], cls.reqdir)

IMO this should raise an error if failed, but previously you set
raiseonerr=False (multiple times)


Agreed. Done



2)
+cls.ad = cls.ad_domains[0].ads[0]
+cls.ad_domain = cls.ad.domain.name
+cls.aduser = "testuser@%s" % cls.ad_domain
+cls.adcert1 = 'MyCert1'
+cls.adcert2 = 'MyCert2'
+cls.adcert1_file = cls.adcert1 + '.crt'
+cls.adcert2_file = cls.adcert2 + '.crt'

New definitions of variables/constants should be directly in class not
in install method, adding new class variables in classmethod is the same
evil as adding instance variables outside __init__


Fair point. Fixed



3)
I have question, why do you need AD for this test? AFAIK you can use ID
overrides without AD


Correct. You can, but the workflow would be slightly different. For
example, you can not issue and sign cert requests for AD-users the way
you would do it for local users. We want to have tests that can be taken
by end-users as example how to use our software, that's why it is better
to be as close to real-world use-cases as it is possible.



Martin^3

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-09-06 Thread Oleg Fayans

The test is updated to clean up after itself

On 09/06/2016 12:57 PM, Oleg Fayans wrote:

Hi Martin,

Thanks for the review. The updated patches are attached. Please, see my
comments below

On 08/30/2016 01:58 PM, Martin Basti wrote:



On 22.08.2016 13:18, Oleg Fayans wrote:

ping for review

On 08/02/2016 01:11 PM, Oleg Fayans wrote:

Hi Martin,

I did! Thank you!

On 08/02/2016 12:31 PM, Martin Basti wrote:



On 01.08.2016 22:46, Oleg Fayans wrote:

The test was redesigned so that it actually tests against an AD user.
cleanly applies, passes lint and passes

https://paste.fedoraproject.org/399504/00843641/


Okay

Did you forget to send patches?

Martin^2



On 06/28/2016 01:40 PM, Oleg Fayans wrote:

Patch-0050 rebased against latest upstream branch

On 06/28/2016 10:45 AM, Oleg Fayans wrote:

Passing test output:

https://paste.fedoraproject.org/385774/71035231/

NACK for 0049.1

1)
PEP8: you must use 2 empty lines between functions


Fixed



2)
+new_args = " ".join(new_args + args)

you don't need this, run_command takes list as argument too
new_args.extend(args)


The list-based approach does not work with shell redirects which are
heavily used in the certs_id_idoverrides test. Thus, this trick is
really needed



3)
To make it more usable you should add raiseonerr as kwarg to
run_certutil (True as default)


Done



NACK for 0050.2

1)
+tasks.run_certutil(master, ['-L', '-n', cls.adcert1, '-a', '>',
+cls.adcert1_file], cls.reqdir)
+tasks.run_certutil(master, ['-L', '-n', cls.adcert2, '-a', '>',
+cls.adcert2_file], cls.reqdir)

IMO this should raise an error if failed, but previously you set
raiseonerr=False (multiple times)


Agreed. Done



2)
+cls.ad = cls.ad_domains[0].ads[0]
+cls.ad_domain = cls.ad.domain.name
+cls.aduser = "testuser@%s" % cls.ad_domain
+cls.adcert1 = 'MyCert1'
+cls.adcert2 = 'MyCert2'
+cls.adcert1_file = cls.adcert1 + '.crt'
+cls.adcert2_file = cls.adcert2 + '.crt'

New definitions of variables/constants should be directly in class not
in install method, adding new class variables in classmethod is the same
evil as adding instance variables outside __init__


Fair point. Fixed



3)
I have question, why do you need AD for this test? AFAIK you can use ID
overrides without AD


Correct. You can, but the workflow would be slightly different. For
example, you can not issue and sign cert requests for AD-users the way
you would do it for local users. We want to have tests that can be taken
by end-users as example how to use our software, that's why it is better
to be as close to real-world use-cases as it is possible.



Martin^3

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 1a0039b64023b0bb3c9289128413b4ccef489ec4 Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Tue, 6 Sep 2016 13:55:16 +0200
Subject: [PATCH] Automated test for certs in idoverrides feature

https://fedorahosted.org/freeipa/ticket/6005
---
 .../test_integration/test_certs_in_idoverrides.py  | 121 +
 1 file changed, 121 insertions(+)
 create mode 100644 ipatests/test_integration/test_certs_in_idoverrides.py

diff --git a/ipatests/test_integration/test_certs_in_idoverrides.py b/ipatests/test_integration/test_certs_in_idoverrides.py
new file mode 100644
index ..762ce71a5ed8883b2a2d5bc4185b5ffcb52a4edb
--- /dev/null
+++ b/ipatests/test_integration/test_certs_in_idoverrides.py
@@ -0,0 +1,121 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+import os
+import re
+import string
+from ipatests.test_integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration.tasks import assert_error
+from ipatests.test_integration.env_config import get_global_config
+config = get_global_config()
+
+
+class TestCertsInIDOverrides(IntegrationTest):
+topology = "line"
+service_certprofile = 'caIPAserviceCert'
+num_ad_domains = 1
+user_certprofile = 'caIPAuserCert'
+adview = 'Default Trust View'
+cert_re = re.compile('Certificate: (?P.*?)\\s+.*')
+ad = config.ad_domains[0].ads[0]
+ad_domain = ad.domain.name
+aduser = "testuser@%s" % ad_domain
+adcert1 = 'MyCert1'
+adcert2 = 'MyCert2'
+adcert1_file = adcert1 + '.crt'
+adcert2_file = adcert2 + '.crt'
+
+@classmethod
+def uninstall(cls, mh):
+super(TestCertsInIDOverrides, cls).uninstall(mh)
+cls.master.run_command(['rm', '-rf', cls.reqdir], raiseonerr=False)
+
+@classmethod
+def install(cls, mh):
+super(TestCertsInIDOverrides, cls).install(mh)
+master = cls.master
+
+# AD-related stuff
+tasks.install_adtrust(master)
+tasks.sync_time(master, cls.ad)
+tasks.establish_trust_with_ad(cls.master, cls.ad_domain,
+
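Review bot: `uninstall()` passes `cls.reqdir` to `rm -rf`, but none of the class attributes declared in this hunk defines `reqdir`. If it is only assigned further down in `install()`, a failure earlier in `install()` (for example in `establish_trust_with_ad`) leaves the attribute unset, and an `uninstall()` that still runs raises AttributeError, which `raiseonerr=False` does not cover. Declaring `reqdir = None` next to the other class attributes and skipping the `rm` when it is unset would keep cleanup from masking the original failure.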

Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-09-06 Thread Oleg Fayans

Forgot to attach the test run output:

-bash-4.3$ ipa-run-tests test_integration/test_certs_in_idoverrides.py --pdb
WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] 
Permission denied: 'lextab.py'

WARNING: yacc table file version is out of date
WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission 
denied: 'yacctab.py'
 
test session starts 
=

platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: sourceorder-0.5, multihost-1.0
collected 1 items

test_integration/test_certs_in_idoverrides.py .

= 
1 passed in 681.90 seconds 
=



On 09/06/2016 12:57 PM, Oleg Fayans wrote:

Hi Martin,

Thanks for the review. The updated patches are attached. Please, see my
comments below

On 08/30/2016 01:58 PM, Martin Basti wrote:



On 22.08.2016 13:18, Oleg Fayans wrote:

ping for review

On 08/02/2016 01:11 PM, Oleg Fayans wrote:

Hi Martin,

I did! Thank you!

On 08/02/2016 12:31 PM, Martin Basti wrote:



On 01.08.2016 22:46, Oleg Fayans wrote:

The test was redesigned so that it actually tests against an AD user.
cleanly applies, passes lint and passes

https://paste.fedoraproject.org/399504/00843641/


Okay

Did you forget to send patches?

Martin^2



On 06/28/2016 01:40 PM, Oleg Fayans wrote:

Patch-0050 rebased against latest upstream branch

On 06/28/2016 10:45 AM, Oleg Fayans wrote:

Passing test output:

https://paste.fedoraproject.org/385774/71035231/

NACK for 0049.1

1)
PEP8: you must use 2 empty lines between functions


Fixed



2)
+new_args = " ".join(new_args + args)

you don't need this, run_command takes list as argument too
new_args.extend(args)


The list-based approach does not work with shell redirects which are
heavily used in the certs_id_idoverrides test. Thus, this trick is
really needed



3)
To make it more usable you should add raiseonerr as kwarg to
run_certutil (True as default)


Done



NACK for 0050.2

1)
+tasks.run_certutil(master, ['-L', '-n', cls.adcert1, '-a', '>',
+cls.adcert1_file], cls.reqdir)
+tasks.run_certutil(master, ['-L', '-n', cls.adcert2, '-a', '>',
+cls.adcert2_file], cls.reqdir)

IMO this should raise an error if failed, but previously you set
raiseonerr=False (multiple times)


Agreed. Done



2)
+cls.ad = cls.ad_domains[0].ads[0]
+cls.ad_domain = cls.ad.domain.name
+cls.aduser = "testuser@%s" % cls.ad_domain
+cls.adcert1 = 'MyCert1'
+cls.adcert2 = 'MyCert2'
+cls.adcert1_file = cls.adcert1 + '.crt'
+cls.adcert2_file = cls.adcert2 + '.crt'

New definitions of variables/constants should be directly in class not
in install method, adding new class variables in classmethod is the same
evil as adding instance variables outside __init__


Fair point. Fixed



3)
I have question, why do you need AD for this test? AFAIK you can use ID
overrides without AD


Correct. You can, but the workflow would be slightly different. For
example, you can not issue and sign cert requests for AD-users the way
you would do it for local users. We want to have tests that can be taken
by end-users as example how to use our software, that's why it is better
to be as close to real-world use-cases as it is possible.



Martin^3

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-09-06 Thread Oleg Fayans

Hi Martin,

Thanks for the review. The updated patches are attached. Please, see my 
comments below


On 08/30/2016 01:58 PM, Martin Basti wrote:



On 22.08.2016 13:18, Oleg Fayans wrote:

ping for review

On 08/02/2016 01:11 PM, Oleg Fayans wrote:

Hi Martin,

I did! Thank you!

On 08/02/2016 12:31 PM, Martin Basti wrote:



On 01.08.2016 22:46, Oleg Fayans wrote:

The test was redesigned so that it actually tests against an AD user.
cleanly applies, passes lint and passes

https://paste.fedoraproject.org/399504/00843641/


Okay

Did you forget to send patches?

Martin^2



On 06/28/2016 01:40 PM, Oleg Fayans wrote:

Patch-0050 rebased against latest upstream branch

On 06/28/2016 10:45 AM, Oleg Fayans wrote:

Passing test output:

https://paste.fedoraproject.org/385774/71035231/

NACK for 0049.1

1)
PEP8: you must use 2 empty lines between functions


Fixed



2)
+new_args = " ".join(new_args + args)

you don't need this, run_command takes list as argument too
new_args.extend(args)


The list-based approach does not work with shell redirects which are 
heavily used in the certs_id_idoverrides test. Thus, this trick is 
really needed




3)
To make it more usable you should add raiseonerr as kwarg to
run_certutil (True as default)


Done



NACK for 0050.2

1)
+tasks.run_certutil(master, ['-L', '-n', cls.adcert1, '-a', '>',
+cls.adcert1_file], cls.reqdir)
+tasks.run_certutil(master, ['-L', '-n', cls.adcert2, '-a', '>',
+cls.adcert2_file], cls.reqdir)

IMO this should raise an error if failed, but previously you set
raiseonerr=False (multiple times)


Agreed. Done



2)
+cls.ad = cls.ad_domains[0].ads[0]
+cls.ad_domain = cls.ad.domain.name
+cls.aduser = "testuser@%s" % cls.ad_domain
+cls.adcert1 = 'MyCert1'
+cls.adcert2 = 'MyCert2'
+cls.adcert1_file = cls.adcert1 + '.crt'
+cls.adcert2_file = cls.adcert2 + '.crt'

New definitions of variables/constants should be directly in class not
in install method, adding new class variables in classmethod is the same
evil as adding instance variables outside __init__


Fair point. Fixed



3)
I have question, why do you need AD for this test? AFAIK you can use ID
overrides without AD


Correct. You can, but the workflow would be slightly different. For 
example, you can not issue and sign cert requests for AD-users the way 
you would do it for local users. We want to have tests that can be taken 
by end-users as example how to use our software, that's why it is better 
to be as close to real-world use-cases as it is possible.




Martin^3



--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 867c603183d792b0056c0f8895f52577bc67d7b0 Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Tue, 6 Sep 2016 12:39:45 +0200
Subject: [PATCH] Added interface to certutil

---
 ipatests/test_integration/tasks.py | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index c60d43699d6577abe930ac8d6ab696feea837331..0e329f4ad5d754fd61a9ca911488230677daad77 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -1187,6 +1187,13 @@ def run_server_del(host, server_to_delete, force=False,
 return host.run_command(args, raiseonerr=False)
 
 
+def run_certutil(host, args, reqdir, stdin=None, raiseonerr=True):
+new_args = [paths.CERTUTIL, "-d", reqdir]
+new_args = " ".join(new_args + args)
+return host.run_command(new_args, raiseonerr=raiseonerr,
+stdin_text=stdin)
+
+
 def assert_error(result, stderr_text, returncode=None):
 "Assert that `result` command failed and its stderr contains `stderr_text`"
 assert stderr_text in result.stderr_text, result.stderr_text
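Review bot: `new_args = " ".join(new_args + args)` in `run_certutil` turns the argument list into one unquoted shell string, so `reqdir` or any element of `args` that contains a space or a shell metacharacter is re-split or interpreted by the shell on the host. The thread explains that the string form is needed for `>` redirects; in that case quote each real argument (`pipes.quote` on Python 2.7) and take the redirect target as a separate parameter that is appended as ` > ` plus the quoted file name, so that only the redirect is shell syntax. The function also has no docstring; one line saying that `args` is joined and run through a shell would warn callers.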
-- 
1.8.3.1

From fb0591407a64dcf84eda1a28a06d1ead2fa7ab0d Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Tue, 6 Sep 2016 12:41:06 +0200
Subject: [PATCH] Automated test for certs in idoverrides feature

https://fedorahosted.org/freeipa/ticket/6005
---
 .../test_integration/test_certs_in_idoverrides.py  | 120 +
 1 file changed, 120 insertions(+)
 create mode 100644 ipatests/test_integration/test_certs_in_idoverrides.py

diff --git a/ipatests/test_integration/test_certs_in_idoverrides.py b/ipatests/test_integration/test_certs_in_idoverrides.py
new file mode 100644
index ..d72fc1e898f0574015c6b7dd5f601cec8e4350d6
--- /dev/null
+++ b/ipatests/test_integration/test_certs_in_idoverrides.py
@@ -0,0 +1,120 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+import os
+import re
+import string
+from ipatests.test_integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration.tasks import assert_error
+from ipatests.test_integration.env_config import get_global_config
+con
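Review bot: the import block pulls in both `from ipatests.test_integration import tasks` and `from ipatests.test_integration.tasks import assert_error`; since `tasks` is already imported, calling `tasks.assert_error(...)` would make the second import unnecessary and keep one naming style in the test. Please also confirm that `os` and `string` are used in the body, since neither is referenced in the lines shown here.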

Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-08-30 Thread Martin Basti



On 22.08.2016 13:18, Oleg Fayans wrote:

ping for review

On 08/02/2016 01:11 PM, Oleg Fayans wrote:

Hi Martin,

I did! Thank you!

On 08/02/2016 12:31 PM, Martin Basti wrote:



On 01.08.2016 22:46, Oleg Fayans wrote:

The test was redesigned so that it actually tests against an AD user.
cleanly applies, passes lint and passes

https://paste.fedoraproject.org/399504/00843641/


Okay

Did you forget to send patches?

Martin^2



On 06/28/2016 01:40 PM, Oleg Fayans wrote:

Patch-0050 rebased against latest upstream branch

On 06/28/2016 10:45 AM, Oleg Fayans wrote:

Passing test output:

https://paste.fedoraproject.org/385774/71035231/

NACK for 0049.1

1)
PEP8: you must use 2 empty lines between functions

2)
+new_args = " ".join(new_args + args)

you don't need this, run_command takes list as argument too
new_args.extend(args)

3)
To make it more usable you should add raiseonerr as kwarg to 
run_certutil (True as default)


NACK for 0050.2

1)
+tasks.run_certutil(master, ['-L', '-n', cls.adcert1, '-a', '>',
+cls.adcert1_file], cls.reqdir)
+tasks.run_certutil(master, ['-L', '-n', cls.adcert2, '-a', '>',
+cls.adcert2_file], cls.reqdir)

IMO this should raise an error if failed, but previously you set
raiseonerr=False (multiple times)


2)
+cls.ad = cls.ad_domains[0].ads[0]
+cls.ad_domain = cls.ad.domain.name
+cls.aduser = "testuser@%s" % cls.ad_domain
+cls.adcert1 = 'MyCert1'
+cls.adcert2 = 'MyCert2'
+cls.adcert1_file = cls.adcert1 + '.crt'
+cls.adcert2_file = cls.adcert2 + '.crt'

New definitions of variables/constants should be directly in class not 
in install method, adding new class variables in classmethod is the same 
evil as adding instance variables outside __init__


3)
I have question, why do you need AD for this test? AFAIK you can use ID 
overrides without AD


Martin^3
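
The two positions taken in this thread on `run_certutil` (pass `run_command` a list, versus join into a string because a list cannot carry a `>` redirect) can be reconciled by quoting every argument and adding only the redirect as shell syntax. The following is an added example, not code from the patch or from FreeIPA: it runs locally with `subprocess` and a small stand-in program instead of `certutil` on a remote host, and the names `run_list`, `naive_command`, `quoted_command`, `run_shell` and `demo` are made up for it.

```python
import os
import shlex
import subprocess
import sys
import tempfile

# Stand-in for certutil (assumption for this example): a tiny program that
# prints every argument it receives on its own line.
ECHO_ARGV = [sys.executable, "-c",
             "import sys; print('\\n'.join(sys.argv[1:]))"]


def run_list(args, cwd):
    """List form: no shell is involved, so '>' is just another argument."""
    out = subprocess.check_output(ECHO_ARGV + args, cwd=cwd)
    return out.decode().splitlines()


def naive_command(args):
    """Join args with no quoting, as the patch's run_certutil does.

    Only the stand-in program prefix is quoted so that it can start at all.
    """
    return " ".join([shlex.quote(a) for a in ECHO_ARGV] + args)


def quoted_command(args, stdout_file=None):
    """Quote every argument, then add the redirect as real shell syntax.

    On Python 2.7, which the thread's test run uses, pipes.quote plays the
    role of shlex.quote.
    """
    cmd = " ".join(shlex.quote(a) for a in ECHO_ARGV + args)
    if stdout_file is not None:
        cmd += " > " + shlex.quote(stdout_file)
    return cmd


def run_shell(command, cwd):
    """String form: a POSIX shell parses the line, so redirects take effect."""
    out = subprocess.check_output(command, shell=True, cwd=cwd)
    return out.decode().splitlines()


def demo():
    """Return what the stand-in program received in each of the three cases."""
    nickname = "My Cert 1"      # constructed: a certificate nickname with spaces
    outfile = "My Cert 1.crt"   # constructed: output file name with spaces
    base = ["-L", "-n", nickname, "-a"]
    results = {}
    with tempfile.TemporaryDirectory() as reqdir:
        target = os.path.join(reqdir, outfile)
        # 1. List that contains '>': nothing is redirected, no file appears.
        results["list"] = run_list(base + [">", outfile], reqdir)
        results["list_file_created"] = os.path.exists(target)
        # 2. Unquoted join: the shell splits the nickname into three words.
        results["naive"] = run_shell(naive_command(base), reqdir)
        # 3. Quoted join plus explicit redirect: one nickname, output in file.
        results["quoted_stdout"] = run_shell(quoted_command(base, outfile),
                                             reqdir)
        with open(target) as handle:
            results["quoted_file"] = handle.read().splitlines()
    return results


if __name__ == "__main__":
    for case, seen in demo().items():
        print(case, seen)
```
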



Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-08-22 Thread Oleg Fayans

ping for review

On 08/02/2016 01:11 PM, Oleg Fayans wrote:

Hi Martin,

I did! Thank you!

On 08/02/2016 12:31 PM, Martin Basti wrote:



On 01.08.2016 22:46, Oleg Fayans wrote:

The test was redesigned so that it actually tests against an AD user.
cleanly applies, passes lint and passes

https://paste.fedoraproject.org/399504/00843641/


Okay

Did you forget to send patches?

Martin^2



On 06/28/2016 01:40 PM, Oleg Fayans wrote:

Patch-0050 rebased against latest upstream branch

On 06/28/2016 10:45 AM, Oleg Fayans wrote:

Passing test output:

https://paste.fedoraproject.org/385774/71035231/

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-08-02 Thread Oleg Fayans

Hi Martin,

I did! Thank you!

On 08/02/2016 12:31 PM, Martin Basti wrote:



On 01.08.2016 22:46, Oleg Fayans wrote:

The test was redesigned so that it actually tests against an AD user.
cleanly applies, passes lint and passes

https://paste.fedoraproject.org/399504/00843641/


Okay

Did you forget to send patches?

Martin^2



On 06/28/2016 01:40 PM, Oleg Fayans wrote:

Patch-0050 rebased against latest upstream branch

On 06/28/2016 10:45 AM, Oleg Fayans wrote:

Passing test output:

https://paste.fedoraproject.org/385774/71035231/

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From e8944743236af1fbcf56cbaecb6a4203b4086be9 Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Mon, 1 Aug 2016 22:18:44 +0200
Subject: [PATCH] Added interface to certutil

---
 ipatests/test_integration/tasks.py | 5 +
 1 file changed, 5 insertions(+)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index 8cd9ec71bc5ee22b8aba5d5c6324d1e7bf8b28a6..7f6c79e65cda31bdba3d882a72bb5e2dcdb1f355 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -1179,6 +1179,11 @@ def run_server_del(host, server_to_delete, force=False,
 return host.run_command(args, raiseonerr=False)
 
 
+def run_certutil(host, args, reqdir, stdin=None):
+new_args = [paths.CERTUTIL, "-d", reqdir]
+new_args = " ".join(new_args + args)
+return host.run_command(new_args, raiseonerr=False,
+stdin_text=stdin)
 def assert_error(result, stderr_text, returncode=None):
 "Assert that `result` command failed and its stderr contains `stderr_text`"
 assert stderr_text in result.stderr_text, result.stderr_text
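
Review bot: `new_args = " ".join(new_args + args)` in run_certutil collapses the argument list into one shell string, so `reqdir` or any element of `args` that contains whitespace or shell metacharacters is re-parsed by the shell instead of reaching certutil as a single argument. Keep it a list (`new_args.extend(args)`) and pass that to host.run_command. `raiseonerr=False` is also hardcoded, which makes every certutil failure silent unless the caller checks the return code; take `raiseonerr=True` as a keyword argument instead. The new function also needs two blank lines before `def assert_error` and a docstring saying that `reqdir` is the NSS database directory passed to `-d`.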
-- 
1.8.3.1

From cc88677030efe05044a79486b87533d416b6bcc3 Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Mon, 1 Aug 2016 22:40:00 +0200
Subject: [PATCH] Automated test for certs in idoverrides feature

https://fedorahosted.org/freeipa/ticket/6005
---
 .../test_integration/test_certs_in_idoverrides.py  | 118 +
 1 file changed, 118 insertions(+)
 create mode 100644 ipatests/test_integration/test_certs_in_idoverrides.py

diff --git a/ipatests/test_integration/test_certs_in_idoverrides.py b/ipatests/test_integration/test_certs_in_idoverrides.py
new file mode 100644
index ..9114c4f91cd6378acc53caa068b852ae15670d7a
--- /dev/null
+++ b/ipatests/test_integration/test_certs_in_idoverrides.py
@@ -0,0 +1,118 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+import os
+import re
+import string
+from ipatests.test_integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration.tasks import assert_error
+
+
+class TestCertsInIDOverrides(IntegrationTest):
+topology = "line"
+service_certprofile = 'caIPAserviceCert'
+num_ad_domains = 1
+user_certprofile = 'caIPAuserCert'
+adview = 'Default Trust View'
+cert_re = re.compile('Certificate: (?P.*?)\\s+.*')
+
+@classmethod
+def uninstall(cls, mh):
+cls.master.run_command(['rm', '-rf', cls.reqdir], raiseonerr=False)
+
+@classmethod
+def install(cls, mh):
+super(TestCertsInIDOverrides, cls).install(mh)
+master = cls.master
+
+# AD-related stuff
+cls.ad = cls.ad_domains[0].ads[0]
+cls.ad_domain = cls.ad.domain.name
+cls.aduser = "testuser@%s" % cls.ad_domain
+cls.adcert1 = 'MyCert1'
+cls.adcert2 = 'MyCert2'
+cls.adcert1_file = cls.adcert1 + '.crt'
+cls.adcert2_file = cls.adcert2 + '.crt'
+tasks.install_adtrust(master)
+tasks.sync_time(master, cls.ad)
+tasks.establish_trust_with_ad(cls.master, cls.ad_domain,
+  extra_args=['--range-type',
+  'ipa-ad-trust'])
+
+tasks.sync_time(cls.master, cls.ad)
+master.run_command(['ipa', 'certprofile-show', cls.service_certprofile,
+"--out=%s.txt" % cls.user_certprofile])
+master.run_command("sed -i \"s/profileId=%s/profileId=%s/\" %s.txt" % (
+cls.service_certprofile, cls.user_certprofile,
+cls.user_certprofile)
+)
+master.run_command(['ipa', 'certprofile-import', cls.user_certprofile,
+"--file=%s.txt" % cls.user_certprofile,
+'--store=true', '--desc="User Certs"'])
+
+cls.reqdir = os.path.join(master.config.test_dir, "certs")
+cls.reqfile1 = os.path.join(cls.reqdir, "test1.csr")
+cls.reqfile2 = os.path.join(cls.reqdir, "test2.csr")
+cls.pwname = os.path.join(cls.reqdir, "pwd")
+
+# Create a NSS database folder
+master.run_command(['mkdir', cls.reqdir], raiseonerr=False)
+# Create an empty password file
+master.run_command(["touch", cls.pwname], raiseonerr=False)
+
+# Init
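
Review bot: `uninstall` reads `cls.reqdir`, which `install` assigns only after the trust setup and the certprofile import, so a failure earlier in `install` turns teardown into an AttributeError; `uninstall` also never calls `super(TestCertsInIDOverrides, cls).uninstall(mh)`, although `install` chains to its super. Assign `cls.reqdir` before any step that can fail and chain to the base uninstall. In the same setup, `mkdir` and `touch` run with `raiseonerr=False`, so a missing NSS directory or password file surfaces only later as an unrelated certutil failure; let those two commands raise.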

Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-08-02 Thread Martin Basti



On 01.08.2016 22:46, Oleg Fayans wrote:
The test was redesigned so that it actually tests against an AD user. 
cleanly applies, passes lint and passes


https://paste.fedoraproject.org/399504/00843641/


Okay

Did you forget to send patches?

Martin^2



On 06/28/2016 01:40 PM, Oleg Fayans wrote:

Patch-0050 rebased against latest upstream branch

On 06/28/2016 10:45 AM, Oleg Fayans wrote:

Passing test output:

https://paste.fedoraproject.org/385774/71035231/



Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-08-01 Thread Oleg Fayans
The test was redesigned so that it actually tests against an AD user. 
cleanly applies, passes lint and passes


https://paste.fedoraproject.org/399504/00843641/


On 06/28/2016 01:40 PM, Oleg Fayans wrote:

Patch-0050 rebased against latest upstream branch

On 06/28/2016 10:45 AM, Oleg Fayans wrote:

Passing test output:

https://paste.fedoraproject.org/385774/71035231/

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-06-28 Thread Oleg Fayans
Patch-0050 rebased against latest upstream branch

On 06/28/2016 10:45 AM, Oleg Fayans wrote:
> Passing test output:
> 
> https://paste.fedoraproject.org/385774/71035231/
> 
> 
> 

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From f032df3a1d58e200d0f8bf8dbc121e5f03eb041e Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Tue, 28 Jun 2016 10:16:06 +0200
Subject: [PATCH] Automated test for certs in idoverrides feature

https://fedorahosted.org/freeipa/ticket/6005
---
 .../test_integration/test_certs_in_idoverrides.py  | 85 ++
 1 file changed, 85 insertions(+)
 create mode 100644 ipatests/test_integration/test_certs_in_idoverrides.py

diff --git a/ipatests/test_integration/test_certs_in_idoverrides.py b/ipatests/test_integration/test_certs_in_idoverrides.py
new file mode 100644
index ..a6b5a60ad5c171ef9fb35848d81a637df979ccaf
--- /dev/null
+++ b/ipatests/test_integration/test_certs_in_idoverrides.py
@@ -0,0 +1,85 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+import os
+import re
+from ipatests.test_integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration.tasks import assert_error
+
+
+class TestCertsInIDOverrides(IntegrationTest):
+topology = "line"
+service_certprofile = 'caIPAserviceCert'
+user_certprofile = 'caIPAuserCert'
+user = 'testuser'
+user_cn = "CN=%s" % user
+idview = 'MyView'
+cert_re = re.compile('Certificate: (?P.*?)\\s+.*')
+
+@classmethod
+def install(cls, mh):
+super(TestCertsInIDOverrides, cls).install(mh)
+master = cls.master
+master.run_command(['ipa', 'certprofile-show', cls.service_certprofile,
+"--out=%s.txt" % cls.user_certprofile])
+master.run_command("sed -i \"s/profileId=%s/profileId=%s/\" %s.txt" % (
+cls.service_certprofile, cls.user_certprofile,
+cls.user_certprofile)
+)
+master.run_command(['ipa', 'certprofile-import', cls.user_certprofile,
+"--file=%s.txt" % cls.user_certprofile,
+'--store=true', '--desc="User Certs"'])
+
+master.run_command(['ipa', 'idview-add', cls.idview,
+'--desc=description'])
+
+cls.reqdir = os.path.join(master.config.test_dir, "certs")
+cls.reqfile1 = os.path.join(cls.reqdir, "test1.csr")
+cls.reqfile2 = os.path.join(cls.reqdir, "test2.csr")
+cls.pwname = os.path.join(cls.reqdir, "pwd")
+
+# Create an empty password file
+master.run_command(['mkdir', cls.reqdir])
+# Create an empty password file
+master.run_command(["touch", cls.pwname])
+
+# Create our temporary NSS database
+tasks.run_certutil(master, ["-N", "-f", cls.pwname], cls.reqdir)
+tasks.generate_csr(master, cls.user_cn, cls.reqdir,
+   cls.reqfile1, cls.pwname)
+tasks.generate_csr(master, cls.user_cn, cls.reqdir,
+   cls.reqfile2, cls.pwname)
+master.run_command(['ipa', 'user-add', cls.user,
+'--first', 'a', '--last', 'b', '--random'])
+
+def test_certs_in_idoverrides(self):
+self.master.run_command(['ipa', 'idoverrideuser-add',
+ self.idview, self.user])
+result1 = self.master.run_command([
+'ipa', 'cert-request', self.reqfile1,
+"--principal=%s" % self.user, '--add',
+"--profile-id=%s" % self.user_certprofile])
+cert1 = self.cert_re.search(result1.stdout_text).group('cert')
+result2 = self.master.run_command([
+'ipa', 'cert-request', self.reqfile2,
+"--principal=%s" % self.user, '--add',
+"--profile-id=%s" % self.user_certprofile])
+cert2 = self.cert_re.search(result2.stdout_text).group('cert')
+
+args1 = ['ipa', 'idoverrideuser-add-cert', self.idview,
+ self.user, "--certificate=%s" % cert1]
+args2 = ['ipa', 'idoverrideuser-add-cert', self.idview,
+ self.user, "--certificate=%s" % cert2]
+self.master.run_command(args1)
+result3 = self.master.run_command(args1, raiseonerr=False)
+assert_error(result3, "already contains one or more values")
+result4 = self.master.run_command(args2, raiseonerr=False)
+assert(result4.returncode == 0), 'Failed to add second certificate'
+self.master.run_command(['ipa', 'idoverrideuser-remove-cert',
+ self.idview, self.user,
+ "--certificate=%s" % cert2])
+self.master.run_command(['ipa', 'idoverrideuser-remove-cert',
+ self.idview, self.user,
+ "--certificate=%s" % cert1])
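
Review bot: test_certs_in_idoverrides checks only return codes: after the two `idoverrideuser-add-cert` calls nothing confirms that the override holds both certificates, and after the two `idoverrideuser-remove-cert` calls nothing confirms they are gone. Query the override (for example with `ipa idoverrideuser-show`) after each step and assert on the certificate values. `self.cert_re.search(...).group('cert')` raises AttributeError instead of a readable failure if the `cert-request` output has no match, so assert that the match is not None first. The comment above `mkdir` repeats "Create an empty password file" although that line creates the NSS database directory, and the class has no `uninstall` to remove `reqdir`.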
-- 
1.8.3.1
