[Freeipa-devel] CentOS 7 COPR repository with ipa 4.3.1 available for testing

2016-04-05 Thread Petr Vobornik
Hello everyone,

Copr repository @freeipa/freeipa-4-3-centos-7 is available for testing
of FreeIPA 4.3.1[1] on CentOS 7.

https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/

Your feedback is welcome!

Disclaimer: the build was not thoroughly tested and works mainly as a
preview. Use at your own risk. Do not use in production. There is no
guarantee of update stability of the repository. The repository could be
deleted or recreated at any time.

Known issues:
Testing replica promotion[2]: CentOS 7.2 doesn't have an updated SELinux
policy with the policies[3] required for this build; therefore replica
promotion will fail in SELinux enforcing mode.

[1] http://www.freeipa.org/page/Releases/4.3.1
[2] http://www.freeipa.org/page/Releases/4.3.0#New_method_-_domain_level_1
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1289930
-- 
Petr Vobornik

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [TEST][Patch-0030]Next part of replica promotion tests

2016-04-05 Thread Martin Babinsky

On 04/01/2016 11:41 AM, Oleg Fayans wrote:

Hi Martin,

Thanks for the review! The new version is attached

On 03/24/2016 06:08 PM, Martin Babinsky wrote:

On 03/21/2016 01:51 PM, Oleg Fayans wrote:





Hi Oleg,

I have a few comments:

1.)
please make the commit message more clear, briefly describe what kind of
test cases were added to the suite and maybe add a link to the test plan.


Done



2.)
I see negative test scenarios for attempting to issue
'ipa-csreplica-manage connect' and 'disconnect' under domain level 1.
However, for full coverage there should be also a negative test case for
'ipa-csreplica-manage del' which should also issue error in domain level
1, see
https://git.fedorahosted.org/cgit/freeipa.git/commit/install/tools/ipa-csreplica-manage?h=ipa-4-3&id=6119dbb9a915283434f718b38a70017e3ad00840


Could you please add this case to the patch and also to the Test plan so
that we have full coverage of this?


Done



3.)
test_one_command_installation exploded during client enrollment part on
"Joining realm failed: incorrect password". This is probably caused by
missing '-P', 'admin' option here:
"""
+self.replicas[0].run_command(['ipa-replica-install', '-p',
+ self.master.config.admin_password,
+ '-n', self.master.domain.name,
+ '-r', self.master.domain.realm])
+
"""


Fixed. Turned out, it's enough to just provide '-w'



4.)
I am not very happy about the organization of
'TestUnprivilegedUserPermissions' class.

For starters, I would add this whole block:
"""
+password = self.master.config.dirman_password
+new_password = '$ome0therPaaS'
+replica = self.replicas[0]
+adduser_stdin_text = "%s\n%s\n" %
(self.master.config.admin_password,
+ self.master.config.admin_password)
+user_kinit_stdin_text = "%s\n%s\n%s\n" % (password, new_password,
+  new_password)
+tasks.kinit_admin(self.master)
+self.master.run_command(['ipa', 'user-add', 'testuser',
'--password',
+ '--first', 'John', '--last', 'Donn'],
+stdin_text=adduser_stdin_text)
+# Now we need to change the password for the user
+self.master.run_command(['kinit', 'testuser'],
+stdin_text=user_kinit_stdin_text)
+# And again kinit admin
+tasks.kinit_admin(self.master)
"""

into 'install()' method, since it indeed sets-up the test harness. You
can add the user name and password to class members so that you can then
use them from the test cases. Which brings me to the second point: I
know that the test plan mentions this as a single test case, but I would
like this:

"""
+result1 = replica.run_command(['ipa-client-install', '-p',
'testuser',
+   '-w', new_password,
+   '--domain', replica.domain.name,
+   '--realm', replica.domain.realm,
'-U'],
+  raiseonerr=False)
+assert_error(result1, "No permission to join this host", 1)
+tasks.install_client(self.master, replica)
+result2 = replica.run_command(['ipa-replica-install', '-P',
'testuser',
+   '-p', new_password,
+   '-n', self.master.domain.name,
+   '-r', self.master.domain.realm],
+  raiseonerr=False)
+assert_error(result2,
+ "Insufficient privileges to promote the server", 1)
+self.master.run_command(['ipa', 'group-add-member', 'admins',
+ '--users=testuser'])
+
+replica.run_command(['ipa-replica-install', '-P', 'testuser',
+ '-p', new_password,
+ '-n', self.master.domain.name,
+ '-r', self.master.domain.realm])
"""

to be split into three separate test methods for the sake of clarity, e.g.:
"test_client_enrollment_by_unprivileged_user"
"test_replica_install_by_unprovileged_user"
"test_replica_install_after_adding_to_admin_group"


I like that! Implemented.



5.)
"""
+result = self.replicas[0].run_command(['ipa-server-install',
+   '--uninstall', '-U'],
+  raiseonerr=False)
+assert("Uninstallation leads to disconnected topology"
+   in result.stderr_text)
+self.replicas[0].run_command(['ipa-server-install', '--uninstall',
+  '-U',
'--ignore-topology-disconnect'])
"""
here you should assert against command stdout, since the error message
is emitted only by plain print(). Yes it is weird but that's the way it
is. It will probably

Re: [Freeipa-devel] [TEST][patch-0032] Added a kdestroy call to clean ccache

2016-04-05 Thread Martin Babinsky

On 03/31/2016 08:50 AM, Oleg Fayans wrote:

Hi,

The updated patch is included

On 03/30/2016 08:50 PM, Robbie Harwood wrote:

Rob Crittenden  writes:


Would it be more robust to call kdestroy -A or is that just overkill in
this case?


I believe it would be superior to call `kdestroy -A`, yes.






ACK

--
Martin^3 Babinsky



Re: [Freeipa-devel] [patch 0035] ipatests: Add test case for requesting a certificate with full principal.

2016-04-05 Thread Milan Kubík

On 04/05/2016 10:17 AM, Milan Kubík wrote:

On 04/05/2016 09:31 AM, Martin Babinsky wrote:

On 04/01/2016 12:02 PM, Milan Kubík wrote:


Patches attached.



https://fedorahosted.org/freeipa/ticket/5733








Hi Milan,



I would be more happy if you could send a separate patch for the context
manager fix, since the issue is orthogonal to the added test case (even
if the test suite explodes without it).



Otherwise LGTM.







Done. Patch 0035 now applies to all branches, context manager fix 
needs separate patch for ipa-4-2.



Updated commit message in patches 0036 to include the ticket.

--
Milan Kubik

From eebad5ad31107f3383b4b2755a97929a75170d6f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Milan=20Kub=C3=ADk?= 
Date: Tue, 5 Apr 2016 10:04:03 +0200
Subject: [PATCH 1/2] ipatests: Add test case for requesting a certificate with
 full principal.

https://fedorahosted.org/freeipa/ticket/5733
---
 ipatests/test_xmlrpc/test_caacl_profile_enforcement.py | 8 
 1 file changed, 8 insertions(+)

diff --git a/ipatests/test_xmlrpc/test_caacl_profile_enforcement.py b/ipatests/test_xmlrpc/test_caacl_profile_enforcement.py
index dca4151d614a4c2e2f5a09455426d117da4c1c80..a0b8d614cf6dd42b18eb03100a318e4a3fbfb4e0 100644
--- a/ipatests/test_xmlrpc/test_caacl_profile_enforcement.py
+++ b/ipatests/test_xmlrpc/test_caacl_profile_enforcement.py
@@ -130,6 +130,14 @@ class TestCertSignMIME(XMLRPC_test):
 api.Command.cert_request(csr, principal=smime_user,
  profile_id=smime_profile.name)
 
+@pytest.mark.xfail(strict=True, reason='freeipa ticket 5733')
+def test_sign_smime_csr_full_principal(self, smime_profile, smime_user):
+csr = generate_user_csr(smime_user)
+smime_user_principal = '@'.join((smime_user, api.env.realm))
+with change_principal(smime_user, SMIME_USER_PW):
+api.Command.cert_request(csr, principal=smime_user_principal,
+ profile_id=smime_profile.name)
+
 
 @pytest.mark.tier1
 class TestSignWithDisabledACL(XMLRPC_test):
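Review bot: The `xfail(strict=True, ...)` marker on `test_sign_smime_csr_full_principal` has no `raises=` argument, so any exception from the body counts as the expected failure, including a failed login in `change_principal` or an error in `generate_user_csr` that has nothing to do with ticket 5733. Passing the exception type that `cert_request` raises for the full principal via `raises=` would keep the marker from hiding unrelated breakage.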
-- 
2.8.0

From b103f0165db3536db0c3bd02aec82961e631c08b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Milan=20Kub=C3=ADk?= 
Date: Tue, 5 Apr 2016 10:04:37 +0200
Subject: [PATCH] ipatests: fix for change_principal context manager

The context manager was leaving API object disconnected when
an exception was raised inside of it. This led to resource leak
in the tests.

https://fedorahosted.org/freeipa/ticket/5733
---
 ipatests/util.py | 19 ++-
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/ipatests/util.py b/ipatests/util.py
index 6aefe74d34fd7b1bd063c4b17c98af4840d6f042..118c47a12e0d97907cb559d716989a9ca6c5f304 100644
--- a/ipatests/util.py
+++ b/ipatests/util.py
@@ -696,17 +696,18 @@ def change_principal(user, password, client=None, path=None):
 
 client.Backend.rpcclient.disconnect()
 
-with private_ccache(ccache_name):
-kinit_password(user, password, ccache_name)
+try:
+with private_ccache(ccache_name):
+kinit_password(user, password, ccache_name)
+client.Backend.rpcclient.connect()
+
+try:
+yield
+finally:
+client.Backend.rpcclient.disconnect()
+finally:
 client.Backend.rpcclient.connect()
 
-try:
-yield
-finally:
-client.Backend.rpcclient.disconnect()
-
-client.Backend.rpcclient.connect()
-
 def get_group_dn(cn):
 return DN(('cn', cn), api.env.container_group, api.env.basedn)
 
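Review bot: The `client.Backend.rpcclient.connect()` under the new outer `finally:` can itself raise, and when it does it replaces the exception that came out of the `with private_ccache(ccache_name):` block, so the original test failure drops out of the report. Consider logging the in-flight exception before reconnecting, or wrapping that final `connect()` so a reconnect error is reported alongside the original one.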
-- 
2.8.0

From b15dc58c9b810cdff02438cb78c89240c9eb5416 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Milan=20Kub=C3=ADk?= 
Date: Tue, 5 Apr 2016 10:04:37 +0200
Subject: [PATCH] ipatests: fix for change_principal context manager

The context manager was leaving API object disconnected when
an exception was raised inside of it. This led to resource leak
in the tests.

https://fedorahosted.org/freeipa/ticket/5733
---
 ipatests/util.py | 19 ++-
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/ipatests/util.py b/ipatests/util.py
index 4d99ff6e0a505cd3f75053f97caca9edbc802bcf..56b731407b3544b3b922f1831df4bc59845486d1 100644
--- a/ipatests/util.py
+++ b/ipatests/util.py
@@ -687,13 +687,14 @@ def change_principal(user, password, client=None, path=None):
 
 client.Backend.rpcclient.disconnect()
 
-with private_ccache(ccache_name):
-kinit_password(user, password, ccache_name)
+try:
+with private_ccache(ccache_name):
+kinit_password(user, password, ccache_name)
+client.Backend.rpcclient.connect()
+
+try:
+yield
+finally:
+client.Backend.rpcclient.disconnect()
+finally:
 client.Backend.rpcclient.connect()
-
-try:
-yield
-finally:
-client.Backend.rpcclient.disconnect()
-
-client.Backend.rpcclient.connect()
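Review bot: The two `connect()` calls left after this change are not told apart by any comment: the one added right after `kinit_password(...)` belongs to the `with private_ccache(ccache_name):` block, the one under the last `finally:` is the reconnect on the way out. A short comment on each, saying that the first connects as `user` and the second restores the caller's connection, would save the next reader from working that out from the nesting.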
-- 
2.8.0
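
The failure mode named in the commit message of the change_principal fix, reduced to a stand-alone example that is added here and is not FreeIPA code: a generator-based context manager that switches identity leaves the caller disconnected when the body raises unless the restore step sits in a `finally`. `FakeRpcClient`, `change_principal_leaky`, `change_principal_safe` and `state_after_failure` are hypothetical names, and the Kerberos ccache is modelled as a plain principal string.

```python
from contextlib import contextmanager


class FakeRpcClient:
    """Hypothetical stand-in for client.Backend.rpcclient; ccache modelled as a name."""
    def __init__(self):
        self.connected, self.principal = True, "admin"

    def connect(self, principal="admin"):
        self.connected, self.principal = True, principal

    def disconnect(self):
        self.connected, self.principal = False, None


@contextmanager
def change_principal_leaky(rpc, user):
    """Pre-fix shape: the trailing connect() is skipped when the body raises."""
    rpc.disconnect()
    rpc.connect(user)
    try:
        yield
    finally:
        rpc.disconnect()
    rpc.connect()  # unreachable on error: the exception leaves the generator first


@contextmanager
def change_principal_safe(rpc, user):
    """Post-fix shape: the outer finally restores the caller's connection."""
    rpc.disconnect()
    try:
        rpc.connect(user)
        try:
            yield
        finally:
            rpc.disconnect()
    finally:
        rpc.connect()


def state_after_failure(manager):
    """Raise inside the managed block; return what the next test would inherit."""
    rpc = FakeRpcClient()
    try:
        with manager(rpc, "smime_user"):
            raise RuntimeError("constructed failure inside the with-block")
    except RuntimeError:
        pass
    return rpc.connected, rpc.principal
```

With the leaky variant every test that runs after a failing one inherits a disconnected client, which is why one failure cascades through the rest of the suite.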


Re: [Freeipa-devel] [patch 0035] ipatests: Add test case for requesting a certificate with full principal.

2016-04-05 Thread Milan Kubík

On 04/05/2016 09:31 AM, Martin Babinsky wrote:

On 04/01/2016 12:02 PM, Milan Kubík wrote:


Patches attached.



https://fedorahosted.org/freeipa/ticket/5733








Hi Milan,



I would be more happy if you could send a separate patch for the context
manager fix, since the issue is orthogonal to the added test case (even
if the test suite explodes without it).



Otherwise LGTM.







Done. Patch 0035 now applies to all branches, context manager fix needs 
separate patch for ipa-4-2.


--
Milan Kubik

From eebad5ad31107f3383b4b2755a97929a75170d6f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Milan=20Kub=C3=ADk?= 
Date: Tue, 5 Apr 2016 10:04:03 +0200
Subject: [PATCH 1/2] ipatests: Add test case for requesting a certificate with
 full principal.

https://fedorahosted.org/freeipa/ticket/5733
---
 ipatests/test_xmlrpc/test_caacl_profile_enforcement.py | 8 
 1 file changed, 8 insertions(+)

diff --git a/ipatests/test_xmlrpc/test_caacl_profile_enforcement.py b/ipatests/test_xmlrpc/test_caacl_profile_enforcement.py
index dca4151d614a4c2e2f5a09455426d117da4c1c80..a0b8d614cf6dd42b18eb03100a318e4a3fbfb4e0 100644
--- a/ipatests/test_xmlrpc/test_caacl_profile_enforcement.py
+++ b/ipatests/test_xmlrpc/test_caacl_profile_enforcement.py
@@ -130,6 +130,14 @@ class TestCertSignMIME(XMLRPC_test):
 api.Command.cert_request(csr, principal=smime_user,
  profile_id=smime_profile.name)
 
+@pytest.mark.xfail(strict=True, reason='freeipa ticket 5733')
+def test_sign_smime_csr_full_principal(self, smime_profile, smime_user):
+csr = generate_user_csr(smime_user)
+smime_user_principal = '@'.join((smime_user, api.env.realm))
+with change_principal(smime_user, SMIME_USER_PW):
+api.Command.cert_request(csr, principal=smime_user_principal,
+ profile_id=smime_profile.name)
+
 
 @pytest.mark.tier1
 class TestSignWithDisabledACL(XMLRPC_test):
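Review bot: `test_sign_smime_csr_full_principal` discards the return value of `api.Command.cert_request(...)`, so once ticket 5733 is fixed and the `xfail` marker is dropped the test will pass on any call that does not raise. Keeping the result and asserting on it, for example that the issued certificate is for `smime_user`, would make the test check the behaviour it is named after.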
-- 
2.8.0

From a9c7fe8b5a2f477e5dd6e70496e878c373183747 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Milan=20Kub=C3=ADk?= 
Date: Tue, 5 Apr 2016 10:04:37 +0200
Subject: [PATCH 2/2] ipatests: fix for change_principal context manager

The context manager was leaving API object disconnected when
an exception was raised inside of it. This led to resource leak
in the tests.
---
 ipatests/util.py | 19 ++-
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/ipatests/util.py b/ipatests/util.py
index 6aefe74d34fd7b1bd063c4b17c98af4840d6f042..118c47a12e0d97907cb559d716989a9ca6c5f304 100644
--- a/ipatests/util.py
+++ b/ipatests/util.py
@@ -696,17 +696,18 @@ def change_principal(user, password, client=None, path=None):
 
 client.Backend.rpcclient.disconnect()
 
-with private_ccache(ccache_name):
-kinit_password(user, password, ccache_name)
+try:
+with private_ccache(ccache_name):
+kinit_password(user, password, ccache_name)
+client.Backend.rpcclient.connect()
+
+try:
+yield
+finally:
+client.Backend.rpcclient.disconnect()
+finally:
 client.Backend.rpcclient.connect()
 
-try:
-yield
-finally:
-client.Backend.rpcclient.disconnect()
-
-client.Backend.rpcclient.connect()
-
 def get_group_dn(cn):
 return DN(('cn', cn), api.env.container_group, api.env.basedn)
 
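Review bot: The new outer `try:` / `finally:` in `change_principal` comes with no test for the path it fixes; the diffstat lists only `ipatests/util.py`. A small test that raises inside `with change_principal(...)` and then checks that the API client is connected again would keep that `finally:` from being dropped in a later refactoring.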
-- 
2.8.0

From 3923b51494cd5336a5a9cd9c2120d6d639f6b9ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Milan=20Kub=C3=ADk?= 
Date: Tue, 5 Apr 2016 10:04:37 +0200
Subject: [PATCH] ipatests: fix for change_principal context manager

The context manager was leaving API object disconnected when
an exception was raised inside of it. This led to resource leak
in the tests.
---
 ipatests/util.py | 19 ++-
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/ipatests/util.py b/ipatests/util.py
index 4d99ff6e0a505cd3f75053f97caca9edbc802bcf..56b731407b3544b3b922f1831df4bc59845486d1 100644
--- a/ipatests/util.py
+++ b/ipatests/util.py
@@ -687,13 +687,14 @@ def change_principal(user, password, client=None, path=None):
 
 client.Backend.rpcclient.disconnect()
 
-with private_ccache(ccache_name):
-kinit_password(user, password, ccache_name)
+try:
+with private_ccache(ccache_name):
+kinit_password(user, password, ccache_name)
+client.Backend.rpcclient.connect()
+
+try:
+yield
+finally:
+client.Backend.rpcclient.disconnect()
+finally:
 client.Backend.rpcclient.connect()
-
-try:
-yield
-finally:
-client.Backend.rpcclient.disconnect()
-
-client.Backend.rpcclient.connect()
-- 
2.8.0


Re: [Freeipa-devel] [patch 0035] ipatests: Add test case for requesting a certificate with full principal.

2016-04-05 Thread Martin Babinsky

On 04/01/2016 12:02 PM, Milan Kubík wrote:

Patches attached.

https://fedorahosted.org/freeipa/ticket/5733




Hi Milan,

I would be more happy if you could send a separate patch for the context 
manager fix, since the issue is orthogonal to the added test case (even 
if the test suite explodes without it).


Otherwise LGTM.

--
Martin^3 Babinsky
