[Freeipa-devel] [freeipa PR#74] [master, ipa-4-4] Tests: Add krb5kdc.service restart to integration trust tests (opened)

2016-09-12 Thread mirielka
mirielka's pull request #74: "[master, ipa-4-4] Tests: Add krb5kdc.service 
restart to integration trust tests" was opened

PR body:
"""
krb5kdc.service restart is necessary for proper running of integration trust
related tests.

https://fedorahosted.org/freeipa/ticket/6322
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/74
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/74/head:pr74
git checkout pr74
From a220977bcd55137a6f96bc60987e24978390332f Mon Sep 17 00:00:00 2001
From: Lenka Doudova 
Date: Tue, 13 Sep 2016 08:17:53 +0200
Subject: [PATCH] Tests: Add krb5kdc.service restart to integration trust tests

krb5kdc.service restart is necessary for proper running of integration trust
related tests.

https://fedorahosted.org/freeipa/ticket/6322
---
 ipatests/test_integration/tasks.py  | 2 ++
 ipatests/test_integration/test_trust.py | 3 ---
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index c60d436..b8defa7 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -490,6 +490,8 @@ def establish_trust_with_ad(master, ad_domain, extra_args=()):
 stdin_text=master.config.ad_admin_password)
 master.run_command(['smbcontrol', 'all', 'debug', '1'])
 clear_sssd_cache(master)
+master.run_command(['systemctl', 'restart', 'krb5kdc.service'])
+time.sleep(60)
 
 
 def remove_trust_with_ad(master, ad_domain):
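Review bot: The two lines added at the end of establish_trust_with_ad call time.sleep(60), but the diffstat shows only these 2 insertions in tasks.py, so no `import time` is added by this patch; confirm tasks.py already imports time, otherwise every caller fails with NameError. The fixed 60-second wait also now applies to every test that establishes a trust rather than to the single UPN test; consider polling until the KDC answers instead of sleeping, and add a code comment saying why the restart is needed, with a pointer to ticket 6322.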
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index 69418dc..6b30338 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -24,7 +24,6 @@
 from ipatests.test_integration import tasks
 from ipatests.test_integration import util
 from ipaplatform.paths import paths
-import time
 
 
 class ADTrustBase(IntegrationTest):
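Review bot: Dropping `import time` from test_trust.py is only safe if the `time.sleep(60)` removed from test_upn_user_authentication was the last use of the module in this file; the hunks shown cover only that one call, so check the rest of the file for other time.* references before merging.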
@@ -400,8 +399,6 @@ def test_upn_user_resolution_in_nonposix_trust(self):
 
 def test_upn_user_authentication(self):
 """ Check that AD user with UPN can authenticate in IPA """
-self.master.run_command(['systemctl', 'restart', 'krb5kdc'])
-time.sleep(60)
 self.master.run_command(['kinit', '-C', '-E', self.upn_principal],
 stdin_text=self.upn_password)
 
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] Karma Requests for pki-core-10.3.5-6

2016-09-12 Thread Matthew Harmsen
The following updated candidate builds of pki-core 10.3.5 on Fedora
24, 25, and 26 (rawhide) consist of the following:

  * Fedora 24
      o pki-core-10.3.5-5.fc24
      o pki-core-10.3.5-6.fc24
  * Fedora 25
      o pki-core-10.3.5-5.fc25
      o pki-core-10.3.5-6.fc25
  * Fedora 26
      o pki-core-10.3.5-5.fc26
      o pki-core-10.3.5-6.fc26

Additionally, the CentOS 7 COPR EPEL Builds of Dogtag 10.3.3 were
also updated:

  * https://copr.fedorainfracloud.org/coprs/g/pki/10.3.3/repo/epel-7/group_pki-10.3.3-epel-7.repo

[group_pki-10.3.3]
name=Copr repo for 10.3.3 owned by @pki
baseurl=https://copr-be.cloud.fedoraproject.org/results/@pki/10.3.3/epel-7-$basearch/
skip_if_unavailable=True
gpgcheck=1
gpgkey=https://copr-be.cloud.fedoraproject.org/results/@pki/10.3.3/pubkey.gpg
enabled=1
enabled_metadata=1

These builds address the following PKI tickets:

  * PKI TRAC Ticket #1638 - Lightweight CAs: revoke certificate on CA
    deletion
  * PKI TRAC Ticket #2346 - Dogtag 10.3.6: Miscellaneous Enhancements
  * PKI TRAC Ticket #2443 - Prevent deletion of host CA's keys if LWCA
    entry deleted
  * PKI TRAC Ticket #2444 - Authority entry without entryUSN is
    skipped even if USN plugin enabled
    <https://fedorahosted.org/pki/ticket/2444>
  * PKI TRAC Ticket #2446 - pkispawn: make subject_dn defaults unique
    per instance name (for shared HSM)
  * PKI TRAC Ticket #2447 - CertRequestInfo has incorrect URLs
  * PKI TRAC Ticket #2449 - Unable to create system certificates in
    different tokens
      o REVOKES PATCH FOR PKI TRAC Ticket #2449 - Unable to create system
        certificates in different tokens


Please provide Karma for the following builds:

  * Fedora 24
      o https://bodhi.fedoraproject.org/updates/FEDORA-2016-994f943797 pki-core-10.3.5-5.fc24
      o https://bodhi.fedoraproject.org/updates/FEDORA-2016-7b06393ae4 pki-core-10.3.5-6.fc24
  * Fedora 25
      o https://bodhi.fedoraproject.org/updates/FEDORA-2016-d363d36e22 pki-core-10.3.5-5.fc25
      o https://bodhi.fedoraproject.org/updates/FEDORA-2016-734ba29899 pki-core-10.3.5-6.fc25


Re: [Freeipa-devel] FleetCommander integration

2016-09-12 Thread Alberto Ruiz Ruiz
Hey Alexander,

Just a heads up, we're in the middle of releasing 0.8 just this week so
we're testing like mad.

Right after 0.8 is out, we should be able to sit down and look into FreeIPA
integration right away and will certainly look into this.

And sorry for the late reply

On Tue, Sep 6, 2016 at 11:18 AM, Alexander Bokovoy 
wrote:

> Hi,
>
> Now that FreeIPA 4.4.1 is out, I've pushed to github my prototype for
> FleetCommander integration:
> https://github.com/abbra/freeipa-desktop-profile/
>
> You can read the design page:
> https://github.com/abbra/freeipa-desktop-profile/blob/master/plugin/Feature.mediawiki
>
> The design was mostly figured out in discussions with Alberto, Fabiano,
> Nathaniel, and Jakub, so we are more or less on the common ground here
> between SSSD and FleetCommander. You can send pull requests to me on
> github to update the design. ;)
>
> You can cut a tarball using
> git archive --format=tar.gz --prefix=freeipa-desktop-profile-0.0.1/ \
>   --output ~/rpmbuild/SOURCES/freeipa-desktop-profile-0.0.1.tar.gz \
>   freeipa-desktop-profile-0.0.1
>
> And then build the package with
> rpmbuild -ta freeipa-desktop-profile-0.0.1.tar.gz
>
> When installed, the package does not run ipa-server-upgrade by itself,
> yet. So you need to run ipa-server-upgrade manually. Once run,
> deskprofile/deskprofilerule topics would become available and can be
> used for testing purposes. For Fedora 24 one can use FreeIPA 4.4.1 from
> COPR, for Fedora 25 we have FreeIPA 4.4.1 in updates stable as of today.
>
> UI plugin is not ready yet and is disabled in the spec file as it breaks
> loading the whole UI.
>
> --
> / Alexander Bokovoy
>



-- 
Alberto Ruiz
Engineering Supervisor - Desktop Management Tools
Red Hat

[Freeipa-devel] [freeipa PR#73] Tests for certificates with SAN (opened)

2016-09-12 Thread apophys
apophys's pull request #73: "Tests for certificates with SAN" was opened

PR body:
"""
Commits include several new test cases for CA ACLs and cert request for CSRs 
containing subject alternative name extension.

Also included minor fixes in used tracker and couple of new context managers 
used in the test cases.
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/73
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/73/head:pr73
git checkout pr73
From c76d81a83e723634558bc1d8d3b0c8923414ff7a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Milan=20Kub=C3=ADk?= 
Date: Mon, 12 Sep 2016 14:52:05 +0200
Subject: [PATCH 1/3] ipatests: provide context manager for keytab usage in RPC
 tests

https://fedorahosted.org/freeipa/ticket/6291
---
 ipatests/util.py | 52 +++-
 1 file changed, 47 insertions(+), 5 deletions(-)

diff --git a/ipatests/util.py b/ipatests/util.py
index 8878993..4c1a77a 100644
--- a/ipatests/util.py
+++ b/ipatests/util.py
@@ -40,7 +40,9 @@
 from ipalib.plugable import Plugin
 from ipalib.request import context
 from ipapython.dn import DN
-from ipapython.ipautil import private_ccache, kinit_password, run
+from ipapython.ipautil import (
+private_ccache, kinit_password, kinit_keytab, run
+)
 from ipaplatform.paths import paths
 
 if six.PY3:
@@ -693,8 +695,8 @@ def unlock_principal_password(user, oldpw, newpw):
 
 
 @contextmanager
-def change_principal(user, password, client=None, path=None,
- canonicalize=False, enterprise=False):
+def change_principal(principal, password=None, client=None, path=None,
+ canonicalize=False, enterprise=False, keytab=None):
 
 if path:
 ccache_name = path
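Review bot: Renaming the first parameter of change_principal from `user` to `principal` breaks any caller that passes it by keyword (`user=...`), and `password` silently becomes optional. Check the existing callers and add a docstring stating that one of `password` or `keytab` is expected.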
@@ -709,8 +711,12 @@ def change_principal(user, password, client=None, path=None,
 
 try:
 with private_ccache(ccache_name):
-kinit_password(user, password, ccache_name,
-   canonicalize=canonicalize, enterprise=enterprise)
+if keytab:
+kinit_keytab(principal, keytab, ccache_name)
+else:
+kinit_password(principal, password, ccache_name,
+   canonicalize=canonicalize,
+   enterprise=enterprise)
 client.Backend.rpcclient.connect()
 
 try:
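Review bot: In the new `if keytab:` branch the `canonicalize` and `enterprise` arguments are dropped without notice, and when neither `keytab` nor `password` is supplied the else branch calls kinit_password with password=None. Raise a ValueError up front when both or neither credential is given, and document that the two flags apply only to password authentication.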
@@ -720,6 +726,42 @@ def change_principal(user, password, client=None, path=None,
 finally:
 client.Backend.rpcclient.connect()
 
+
+@contextmanager
+def get_entity_keytab(principal, options=None):
+"""Requests a keytab for an entity
+
+The keytab will generate new keys if not specified
+otherwise in the options.
+To retrieve existing keytab, use the -r option
+"""
+keytab_filename = os.path.join('/tmp', str(uuid.uuid4()))
+
+try:
+cmd = [paths.IPA_GETKEYTAB, '-p', principal, '-k', keytab_filename]
+
+if options:
+cmd.extend(options)
+run(cmd)
+
+yield keytab_filename
+finally:
+os.remove(keytab_filename)
+
+
+@contextmanager
+def host_keytab(hostname, options=None):
+"""Retrieves keytab for a particular host
+
+After leaving the context manager, the keytab file is
+deleted.
+"""
+principal = u'host/{}'.format(hostname)
+
+with get_entity_keytab(principal, options) as keytab:
+yield keytab
+
+
 def get_group_dn(cn):
 return DN(('cn', cn), api.env.container_group, api.env.basedn)
 
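Review bot: get_entity_keytab writes Kerberos key material to `os.path.join('/tmp', str(uuid.uuid4()))`, a path in a world-writable directory that the context manager does not create itself, so the file's permissions depend entirely on ipa-getkeytab and the process umask. Prefer placing the keytab inside a directory made with tempfile.mkdtemp, which is owner-only from the start, and remove the directory on exit. The `os.remove(keytab_filename)` in `finally` also raises OSError when ipa-getkeytab failed before creating the file, which hides the original error; guard the removal. The function uses os and uuid while the import hunk above adds only kinit_keytab, so confirm both modules are already imported in ipatests/util.py.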

From 98c89a239b4b16a1be67aac72ac1b556900f46c0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Milan=20Kub=C3=ADk?= 
Date: Mon, 12 Sep 2016 14:53:48 +0200
Subject: [PATCH 2/3] ipatests: Fix name property on a service tracker

https://fedorahosted.org/freeipa/ticket/6291
---
 ipatests/test_xmlrpc/tracker/service_plugin.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipatests/test_xmlrpc/tracker/service_plugin.py b/ipatests/test_xmlrpc/tracker/service_plugin.py
index fe34390..8a52446 100644
--- a/ipatests/test_xmlrpc/tracker/service_plugin.py
+++ b/ipatests/test_xmlrpc/tracker/service_plugin.py
@@ -52,7 +52,7 @@ class ServiceTracker(KerberosAliasMixin, Tracker):
 
 def __init__(self, name, host_fqdn, options=None):
 super(ServiceTracker, self).__init__(default_version=None)
-self._name = "{0}/{1}@{2}".format(name, host_fqdn, api.env.realm)
+self._name = u"{0}/{1}@{2}".format(name, host_fqdn, api.env.realm)
 self.dn = DN(
 ('krbprincipalname', self.name), api.env.container_service,
 api.env.basedn)

From 89be52d2cf3db8b978429607d0d730a32898f047 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Milan=20Kub=C3=ADk?= 
Date: Mon, 12 Sep 2016 14:54:40 +0200
Subject: [PATCH 3/3] ipatests: Implement tests with CSRs requesting SAN

The patch implements several test cases testing the enforcement
of CA ACLs on certificate requests with subject alternative nam

[Freeipa-devel] [freeipa PR#72] WebUI: Add handling for HTTP error 404 (opened)

2016-09-12 Thread pvomacka
pvomacka's pull request #72: "WebUI: Add handling for HTTP error 404" was opened

PR body:
"""
In case that API is not accessible the 404 error is thrown. There was error dialog
with almost no information. The new dialog says what error is there and what can be
the main cause of the error.

https://fedorahosted.org/freeipa/ticket/4821
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/72
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/72/head:pr72
git checkout pr72
From 90315fd79744ba7c5d3f4ab154e07e5ccb7fe813 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Wed, 24 Aug 2016 18:55:18 +0200
Subject: [PATCH] WebUI: Add handling for HTTP error 404

In case that API is not accessible the 404 error is thrown. There was error dialog
with almost no information. The new dialog says what error is there and what can be
the main cause of the error.

https://fedorahosted.org/freeipa/ticket/4821
---
 install/ui/src/freeipa/rpc.js | 9 -
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/install/ui/src/freeipa/rpc.js b/install/ui/src/freeipa/rpc.js
index e2257a9..65bed77 100644
--- a/install/ui/src/freeipa/rpc.js
+++ b/install/ui/src/freeipa/rpc.js
@@ -124,7 +124,8 @@ rpc.command = function(spec) {
 
 /** @property {ordered_map.} error_messages Error messages map */
 that.error_messages = $.ordered_map({
-911: 'Missing HTTP referer. You have to configure your browser to send HTTP referer header.'
+911: 'Missing HTTP referer. You have to configure your browser to send HTTP referer header.',
+404: 'Cannot connect to the server, please check API accesibility (certificate, API, proxy, etc.)'
 });
 
 /**
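Review bot: The added 404 message misspells "accessibility" as "accesibility". Like the 911 entry it is a hard-coded English string, whereas the handler in the next hunk goes through `text.get('@i18n:...')`; consider routing this message through the same translation lookup.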
@@ -317,6 +318,12 @@ rpc.command = function(spec) {
 if (xhr.status === 401) {
 error_handler_auth(xhr, text_status, error_thrown);
 return;
+} else if (xhr.status === 404) {
+error_thrown = {
+code: xhr.status,
+name: xhr.responseText || text.get('@i18n:errors.http_error',
+'HTTP Error')+' '+xhr.status
+};
 } else if (!error_thrown) {
 error_thrown = {
 name: xhr.responseText || text.get('@i18n:errors.unknown_error', 'Unknown Error'),
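Review bot: In the new `xhr.status === 404` branch, `name` is taken from `xhr.responseText` first, and for a 404 that is typically the web server's HTML error page rather than a short error name, so the dialog may display raw markup. Use the `text.get('@i18n:errors.http_error', 'HTTP Error')+' '+xhr.status` string unconditionally for this case, and make sure whatever renders `name` escapes it. The branch also overwrites any `error_thrown` that was passed into the handler, unlike the `!error_thrown` branch that follows it.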
-- 

Re: [Freeipa-devel] [PATCH] ca-less tests updated

2016-09-12 Thread David Kupka

Hi Oleg,
thank you, now it's completely different game.
Please add prefix to commit message summaries. Simply prepending "tests: "
should be OK.


0041 - -h is deprecated in favor of -H.
0062 - 0068 - LGTM
0069 - I see 2 unrelated changes in the patch, please split them:
- 1 - certutil -> paths.CERTUTIL
- 2 - assert
0070 - I see 2 unrelated changes in the patch, please split them:
- 1 - teardown
- 2 - TestReplicaInstall.setUp -> TestReplicaInstall.install
0071 - typos in commit message, I see 5 unrelated changes in that patch:
 - 1 - error messages in assert
 - 2 - certificates used
 - 3 - verify_installation called only in DOMAIN_LEVEL_0.
 - 4 - TestCertinstall.install
 - 5 - TestCertinstall.certinstall
0072 - 0077 - LGTM

On 09/09/16 15:22, Oleg Fayans wrote:

Hi David, team

According to your suggestions I've split my commits so that each
commit addresses some particular problem. One patch (0071) still
contains several unrelated fixes, but they mostly reflect changes in
error messages and really small but numerous bugfixes that I did not
consider worthy of a separate commit each. Please, whenever you have a
free time take a look at this new bunch of patches.

Thanks!

On 09/06/2016 04:41 PM, David Kupka wrote:

Hi Oleg!

0013 - It looks like there are two unrelated changes, addition of CRL
distribution extension and creating certificate signed by no longer
existing CA. Please create separate patch for each of the changes, and
describe the change and reason for it in commit messages.

0014 - Could you please split the patch to "numerous" commit each fixing
one error? Please also describe each fix so everyone has at least vague
idea about the patch without reading its code. Also why do you introduce
global variable config, I don't see it used anywhere.

0039 - It looks like multiple different changes and commit message says
nothing again. Please split and describe what did you change and why.

0041 - Looks like weird workaround to me. It would be better to
investigate the root cause and fix it. Or at least describe the cause in
commit message and code comment if it can't be fixed. Also "-h is
deprecated in favor of -H" says man 1 ldapmodify.


On 05/09/16 14:32, Oleg Fayans wrote:

Hi guys,

Finally the ca-less tests are stable. Here in the attachment is the full
set of necessary patches.


On 08/09/2016 10:57 AM, Oleg Fayans wrote:

Hi all,

Bump for the review of the 0013 patch. The script it addresses can be
reused in some WebUI tests - one more reason to have it reviewed/merged

The rest of the patches should be re-tested, since they were prepared a good
while ago

On 05/10/2016 05:08 PM, Oleg Fayans wrote:

Hi David,

After quite a while and some more struggles here comes the updated
version of the patch together with other patches fixing things in
ipatests/test_integration/tasks.py
Server and replica installation was refactored in a way to utilize the
code from tasks.py as much as it is possible

The full set of necessary patches is attached


On 04/20/2016 10:35 AM, David Kupka wrote:

On 19/04/16 11:13, Oleg Fayans wrote:

OK, that one, though passing lint, did not actually work. I gave up my
attempts to define method decorators inside the class. Now it passes
lint AND works:)



Hi Oleg!

1) Current commit message is useless. Please use it to describe what is
the point of the patch.

2) $ git show -U0 | pep8 --diff
./ipatests/test_integration/test_caless.py:66:1: E302 expected 2 blank lines, found 1
./ipatests/test_integration/test_caless.py:74:1: E302 expected 2 blank lines, found 1
./ipatests/test_integration/test_caless.py:820:5: E303 too many blank lines (2)
./ipatests/test_integration/test_caless.py:825:80: E501 line too long (80 > 79 characters)
./ipatests/test_integration/test_caless.py:1035:44: E225 missing whitespace around operator


3) Isn't there a way to do this with pytest's fixtures?


+def server_install_teardown(func):
+def wrapped(*args):
+try:
+func(*args)
+finally:
+args[0].uninstall_server()
+return wrapped
+
+def replica_install_teardown(func):
+def wrapped(*args):
+try:
+func(*args)
+finally:
+# Uninstall replica
+replica = args[0].replicas[0]
+tasks.kinit_admin(args[0].master)
+args[0].uninstall_server(replica)
+args[0].master.run_command(['ipa-replica-manage',
'del',
+replica.hostname,
'--force'],
+   raiseonerr=False)
+args[0].master.run_command(['ipa', 'host-del',
+replica.hostname],
+   raiseonerr=False)
+return wrapped
+
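Review bot: Both `wrapped` functions drop the decorated test's return value, accept only positional arguments and are not wrapped with functools.wraps, so the test method's name and docstring are replaced by those of `wrapped`. In replica_install_teardown the cleanup calls pass `raiseonerr=False`, so a failed `ipa-replica-manage del` or `ipa host-del` goes unnoticed and leftover replica state can leak into the next test; at least log the result of those commands.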


There is a standard pytest method called 'method_teardown', that is
intended to be executed after each test method, but with our setup it
does not work.



4) Is it necessary to create the $TEST_DIR in the test? Isn't it created
by the framework?