Re: [Freeipa-devel] [test][patch-0057] test for ticket N 6146 (installing rules with service principals)

2016-11-10 Thread Oleg Fayans

The patch was added to existing PR:
https://github.com/freeipa/freeipa/pull/224


On 11/08/2016 05:24 PM, Oleg Fayans wrote:

And this one.

On 11/03/2016 09:42 AM, Oleg Fayans wrote:

One more ping for review

On 10/27/2016 02:21 PM, Oleg Fayans wrote:

ping for review

On 10/25/2016 11:29 AM, Oleg Fayans wrote:

The patch was rebased to be able to apply on top of latest version of
certs in idoverrides patch. As before, it requires patches NN 0049 and
0059 to apply

On 08/10/2016 01:46 PM, Oleg Fayans wrote:

Hi Martin,

I am sorry, yes it depends on my patches 0049 and 0050.


On 08/10/2016 12:27 PM, Martin Basti wrote:

On 10.08.2016 10:38, Oleg Fayans wrote:

Hello,

I cannot apply this patch
error: ipatests/test_integration/test_certs_in_idoverrides.py: does not exist in index
It probably depends on another patch (which one?)

Please, use human readable subjects in email, I do not remember from top
of my head what #6146 is.

Martin^2

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-11-10 Thread Oleg Fayans

All the patches from this thread were converted into github pull requests:
[1]: https://github.com/freeipa/freeipa/pull/224
[2]: https://github.com/freeipa/freeipa/pull/225

On 11/09/2016 04:43 PM, Milan Kubík wrote:

On 10/25/2016 10:24 AM, Oleg Fayans wrote:

Integration part of the tests is ready. 2 tests:

1. Adds a cert to idoverride of a windows user
2. sssd part - looks up user by his certificate using dbus-sssd

Second and third dbus call are executed as a string instead of as array
of strings because it just does not work otherwise. Some quote
escaping gets screwed probably, but the system returns "Error
org.freedesktop.DBus.Error.UnknownInterface: Unknown interface" if the
command is executed using the standard array-based approach

The run looks like this:

bash-4.3$ ipa-run-tests test_integration/test_idviews.py --pdb
WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13]
Permission denied: 'lextab.py'
WARNING: yacc table file version is out of date
WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission
denied: 'yacctab.py'
 test session starts

platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: sourceorder-0.5, multihost-1.0
collected 2 items

test_integration/test_idviews.py ..

 2 passed in 948.44 seconds
=


On 10/21/2016 10:54 AM, Oleg Fayans wrote:

Added one more test, resolved the pep8 issues

On 10/19/2016 12:32 PM, Oleg Fayans wrote:

Hi Martin,

As you suggested, I've extended the
test_xmlrpc/test_add_remove_cert_cmd.py to contain basic tests for certs
in idoverrides.
The integration part still needs some polishing in the part related to
user lookup by cert

On 10/14/2016 03:57 PM, Martin Babinsky wrote:

On 10/14/2016 03:48 PM, Oleg Fayans wrote:

So, did I understand correctly, that there would be 2 patches: one
containing test for basic idoverrides functionality without
AD-integration, and the second one - with AD-integration and an sssd
check, correct?
I guess, the
freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch
might be a good candidate for the first one, I only have to change the
filename to test_idviews.py, right?



Oleg, we already have XMLRPC tests for idoverrides:

ipatests/test_xmlrpc/test_idviews_plugin.py

Is there any particular reason why not to extend them with add
cert/remove cert operations?

Even better, you can extend
`ipatests/test_xmlrpc/test_add_remove_cert_cmd.py` suite by doing the
same set of tests on idoverrideuser objects.

Or am I missing something?


On 09/15/2016 10:32 AM, Martin Basti wrote:



On 15.09.2016 10:10, Oleg Fayans wrote:

Hi Martin,

The file was renamed. Did I understand correctly that for now we are
leaving the test as is and are planning to extend it later?


I would like to have there SSSD check involved, please use what Sumit
recommends. No new test cases.

And this can be done by separate patch, I want to have API/CLI
certificate override tests for non-AD idview (extending current tests I
posted in this thread)

Martin^2


On 09/15/2016 09:49 AM, Martin Basti wrote:



On 14.09.2016 18:53, Sumit Bose wrote:

On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:


On 14.09.2016 17:53, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:


On 14.09.2016 17:41, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:

1)
I still don't see the reason why AD trust is needed. Default
trust ID view is added just by ipa-adtrust-install, adding
trust is not needed for current implementation. You don't
need AD for this, IDviews is generic feature not just for
AD. Is that user configured on AD side?

You cannot add non-AD user to 'default trust view', so you will not be
able to set up certificates to ID override which does not exist.

For non-'default trust view' you can add both IPA and AD users, so using
some other view and then assign certificate for a ID override in that
one.


Ok then, but anyway I would like to see API/CLI tests for this
feature with proper output validation.


How can be this tested with SSSD?

You need to log into the system with a certificate...

Is this possible from test? We are logged remotely as root, is there any
cmdline util which allows us to test certificate against AD user?


You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should
return the ssh key derived from the public key in the certificate. This
should work for certificate stored in AD as well as for overrides.

You can also use the DBus lookup by certificate as described in
https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate




.

HTH

bye,
Sumit


Thank you Alexander and Sumit for hints.

Oleg I realized we don't have any other idviews integration tests

So I propose to rename tes

Re: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964

2016-11-10 Thread Oleg Fayans



On 11/10/2016 09:43 AM, Martin Basti wrote:




ACK


On the other hand, make it a conditional one. The link in the comment
does not work. Please fix that.


--
Milan Kubik





--
Milan Kubik



After offline discussion and some clarification, the comment is right. ACK

--
Milan Kubik


Because patches are scattered over this thread, am I right that those
versions should be pushed?

freeipa-ofayans-0047.7-Automated-clean-ruv-subcommand-tests.patch
freeipa-ofayans-0048.4-Automated-ipa-replica-manage-del-tests.patch


Precisely!



Martin^2


--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [test][patch-0057] test for ticket N 6146 (installing rules with service principals)

2016-11-08 Thread Oleg Fayans

And this one.

On 11/03/2016 09:42 AM, Oleg Fayans wrote:

One more ping for review

On 10/27/2016 02:21 PM, Oleg Fayans wrote:

ping for review

On 10/25/2016 11:29 AM, Oleg Fayans wrote:

The patch was rebased to be able to apply on top of latest version of
certs in idoverrides patch. As before, it requires patches NN 0049 and
0059 to apply

On 08/10/2016 01:46 PM, Oleg Fayans wrote:

Hi Martin,

I am sorry, yes it depends on my patches 0049 and 0050.


On 08/10/2016 12:27 PM, Martin Basti wrote:

On 10.08.2016 10:38, Oleg Fayans wrote:

Hello,

I cannot apply this patch
error: ipatests/test_integration/test_certs_in_idoverrides.py: does not exist in index
It probably depends on another patch (which one?)

Please, use human readable subjects in email, I do not remember from top
of my head what #6146 is.

Martin^2

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-11-08 Thread Oleg Fayans

Never give up pinging :)

On 11/03/2016 12:43 PM, Martin Basti wrote:

LGTM


On 03.11.2016 09:42, Oleg Fayans wrote:

One more ping for review

On 10/27/2016 02:21 PM, Oleg Fayans wrote:

ping for review

On 10/25/2016 10:24 AM, Oleg Fayans wrote:

Integration part of the tests is ready. 2 tests:

1. Adds a cert to idoverride of a windows user
2. sssd part - looks up user by his certificate using dbus-sssd

Second and third dbus call are executed as a string instead of as array
of strings because it just does not work otherwise. Some quote escaping
gets screwed probably, but the system returns "Error
org.freedesktop.DBus.Error.UnknownInterface: Unknown interface" if the
command is executed using the standard array-based approach

The run looks like this:

bash-4.3$ ipa-run-tests test_integration/test_idviews.py --pdb
WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13]
Permission denied: 'lextab.py'
WARNING: yacc table file version is out of date
WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission
denied: 'yacctab.py'
 test session starts

platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: sourceorder-0.5, multihost-1.0
collected 2 items

test_integration/test_idviews.py ..

 2 passed in 948.44 seconds
=


On 10/21/2016 10:54 AM, Oleg Fayans wrote:

Added one more test, resolved the pep8 issues

On 10/19/2016 12:32 PM, Oleg Fayans wrote:

Hi Martin,

As you suggested, I've extended the
test_xmlrpc/test_add_remove_cert_cmd.py to contain basic tests for certs
in idoverrides.
The integration part still needs some polishing in the part related to
user lookup by cert

On 10/14/2016 03:57 PM, Martin Babinsky wrote:

On 10/14/2016 03:48 PM, Oleg Fayans wrote:

So, did I understand correctly, that there would be 2 patches: one
containing test for basic idoverrides functionality without
AD-integration, and the second one - with AD-integration and an sssd
check, correct?
I guess, the
freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch
might be a good candidate for the first one, I only have to change the
filename to test_idviews.py, right?



Oleg, we already have XMLRPC tests for idoverrides:

ipatests/test_xmlrpc/test_idviews_plugin.py

Is there any particular reason why not to extend them with add
cert/remove cert operations?

Even better, you can extend
`ipatests/test_xmlrpc/test_add_remove_cert_cmd.py` suite by doing the
same set of tests on idoverrideuser objects.

Or am I missing something?


On 09/15/2016 10:32 AM, Martin Basti wrote:



On 15.09.2016 10:10, Oleg Fayans wrote:

Hi Martin,

The file was renamed. Did I understand correctly that for now we are
leaving the test as is and are planning to extend it later?


I would like to have there SSSD check involved, please use what Sumit
recommends. No new test cases.

And this can be done by separate patch, I want to have API/CLI
certificate override tests for non-AD idview (extending current tests I
posted in this thread)

Martin^2


On 09/15/2016 09:49 AM, Martin Basti wrote:



On 14.09.2016 18:53, Sumit Bose wrote:

On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:


On 14.09.2016 17:53, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:


On 14.09.2016 17:41, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:

1)
I still don't see the reason why AD trust is needed. Default
trust ID view is added just by ipa-adtrust-install, adding
trust is not needed for current implementation. You don't
need AD for this, IDviews is generic feature not just for
AD. Is that user configured on AD side?

You cannot add non-AD user to 'default trust view', so you will not be
able to set up certificates to ID override which does not exist.

For non-'default trust view' you can add both IPA and AD users, so using
some other view and then assign certificate for a ID override in that
one.


Ok then, but anyway I would like to see API/CLI tests for this
feature with proper output validation.


How can be this tested with SSSD?

You need to log into the system with a certificate...

Is this possible from test? We are logged remotely as root, is there any
cmdline util which allows us to test certificate against AD user?


You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should
return the ssh key derived from the public key in the certificate. This
should work for certificate stored in AD as well as for overrides.

You can also use the DBus lookup by certificate as described in
https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate






.

HTH

bye,
Sumit


Thank you Alexander and Sumit for hints.

Oleg I realized we don't have any other idviews integration tests

So I propose to rename test file you 

Re: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964

2016-11-08 Thread Oleg Fayans

another ping for review

On 11/08/2016 09:32 AM, Oleg Fayans wrote:

Ping for review

On 11/03/2016 04:56 PM, Oleg Fayans wrote:

Hi Martin,

The commit message was updated with the correct ticket link
Thanks for review!

On 11/03/2016 04:22 PM, Martin Basti wrote:

almost ACK, but the ticket in commit message is closed as invalid. So
I'm quite puzzled now what to do.


On 03.11.2016 13:28, Oleg Fayans wrote:

ping for review

On 10/19/2016 04:54 PM, Oleg Fayans wrote:

Hi Martin,

Thanks for the review. Fixed both issues.

$ ipa-run-tests test_integration/test_topology.py -k TestCASpecificRUVs
WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13]
Permission denied: 'lextab.py'
WARNING: yacc table file version is out of date
WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission
denied: 'yacctab.py'

test session starts
=

platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: sourceorder-0.5, multihost-1.0
collected 5 items

test_integration/test_topology.py ..

2 passed in 2444.84 seconds
=






On 10/17/2016 07:05 PM, Martin Basti wrote:

1)

you don't need to disable/enable dirsrv, just stop/start. Please remove
disable/enable parts


2)




traceback





self = 

def test_delete_ruvs(self):
"""
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/
Test_Plan#Test_case:_clean-ruv_subcommand
"""
replica = self.replicas[0]
master = self.master
res1 = master.run_command(['ipa-replica-manage', 'list-ruv',
'-p',
master.config.dirman_password])

assert(res1.stdout_text.count(replica.hostname) == 2 and

   "Certificate Server Replica Update Vectors" in
res1), (
"CA-specific RUVs are not displayed")
E   TypeError: argument of type 'SSHCommand' is not iterable

test_integration/test_topology.py:215: TypeError



entering PDB







/usr/lib/python2.7/site-packages/ipatests/test_integration/test_topology.py(215)test_delete_ruvs()






-> assert(res1.stdout_text.count(replica.hostname) == 2 and



On 14.10.2016 11:36, Oleg Fayans wrote:

Right you are! I am sorry.

On 10/13/2016 06:10 PM, Martin Basti wrote:

I think that you forgot to squash commits. Patch 47 doesn't apply


On 13.10.2016 14:01, Oleg Fayans wrote:

Hi Martin,

Thanks for the review.
With disabling directory server it works as well, thanks for the
hint.
Also I moved the cleanup logic to the test itself for the sake of
simplicity. Patch-0048 was not changed

On 10/12/2016 02:35 PM, Martin Basti wrote:

1)

Can you just turn off dirsrv on replica instead of doing iptables
magic?


2) NACK

No more eval() ever in code, use 'getattr', 'get' or whatever in the
object that can be used.

+evalhost = eval("args[0].%s" % host)
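
Review bot: the added line `eval("args[0].%s" % host)` builds Python source text from `host` and executes it, so any string that reaches `host` is run as code in the test process rather than treated as an attribute name. The same lookup can be written as `getattr(args[0], host)`, which resolves a single attribute and raises AttributeError for anything else.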

Martin^2

On 12.10.2016 14:03, Oleg Fayans wrote:

Hi Martin,

After extensive discussion with Ludwig, I finally got the clue on how
does this feature work. When we uninstall the replica, the master
cleans the replication agreements with this replica and automatically
cleans all replica's RUVs.
If we clean replica's RUVs on master without uninstalling the replica,
the replica's RUVs get recreated on master (replication works!). So,
the only way to test the clean-ruv subcommand is to turn off the
replica, or block the traffic on it so it gets inaccessible to updates
from master.
The testcases were updated, see [1] and [2]

The updated versions of the patches are attached

[1]
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_.2A-ruv_subcommands_of_ipa-replica-manage_are_extended_to_handle_CA-specific_RUVs








[2]
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_clean-ruv_subcommand








On 08/05/2016 06:36 PM, Martin Basti wrote:



On 03.08.2016 14:45, Oleg Fayans wrote:

Hi Martin,

Thanks for the review! Both patches were updated.

On 07/28/2016 04:11 PM, Martin Basti wrote:



On 08.07.2016 15:41, Oleg Fayans wrote:

Hi Martin,

Thanks for the review!

On 07/08/2016 02:18 PM, Martin Basti wrote:



On 27.06.2016 13:53, Oleg Fayans wrote:

Hi guys,

Is there a chance the patches NN 0047.1 and 0048.1 get reviewed before
4.4 release? They cover a good part of the Managed Topology 4.4
feature.

On 06/17/2016 11:18 AM, Oleg Fayans wrote:

One more test was added to the patch-0048

On 06/17/2016 09:43 AM, Oleg Fayans wrote:

Fixed a bug in the previous patch, automated 2 more testcases from
http://www.freeipa.org/page/V4/Manage

Re: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964

2016-11-08 Thread Oleg Fayans

Ping for review

On 11/03/2016 04:56 PM, Oleg Fayans wrote:

Hi Martin,

The commit message was updated with the correct ticket link
Thanks for review!

On 11/03/2016 04:22 PM, Martin Basti wrote:

almost ACK, but the ticket in commit message is closed as invalid. So
I'm quite puzzled now what to do.


On 03.11.2016 13:28, Oleg Fayans wrote:

ping for review

On 10/19/2016 04:54 PM, Oleg Fayans wrote:

Hi Martin,

Thanks for the review. Fixed both issues.

$ ipa-run-tests test_integration/test_topology.py -k TestCASpecificRUVs
WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13]
Permission denied: 'lextab.py'
WARNING: yacc table file version is out of date
WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission
denied: 'yacctab.py'



test session starts
=



platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: sourceorder-0.5, multihost-1.0
collected 5 items

test_integration/test_topology.py ..




2 passed in 2444.84 seconds
=





On 10/17/2016 07:05 PM, Martin Basti wrote:

1)

you don't need to disable/enable dirsrv, just stop/start. Please remove
disable/enable parts


2)




traceback





self = 

def test_delete_ruvs(self):
"""
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/
Test_Plan#Test_case:_clean-ruv_subcommand
"""
replica = self.replicas[0]
master = self.master
res1 = master.run_command(['ipa-replica-manage', 'list-ruv',
'-p',
master.config.dirman_password])

assert(res1.stdout_text.count(replica.hostname) == 2 and

   "Certificate Server Replica Update Vectors" in res1), (
"CA-specific RUVs are not displayed")
E   TypeError: argument of type 'SSHCommand' is not iterable

test_integration/test_topology.py:215: TypeError



entering PDB







/usr/lib/python2.7/site-packages/ipatests/test_integration/test_topology.py(215)test_delete_ruvs()





-> assert(res1.stdout_text.count(replica.hostname) == 2 and



On 14.10.2016 11:36, Oleg Fayans wrote:

Right you are! I am sorry.

On 10/13/2016 06:10 PM, Martin Basti wrote:

I think that you forgot to squash commits. Patch 47 doesn't apply


On 13.10.2016 14:01, Oleg Fayans wrote:

Hi Martin,

Thanks for the review.
With disabling directory server it works as well, thanks for the
hint.
Also I moved the cleanup logic to the test itself for the sake of
simplicity. Patch-0048 was not changed

On 10/12/2016 02:35 PM, Martin Basti wrote:

1)

Can you just turn off dirsrv on replica instead of doing iptables
magic?


2) NACK

No more eval() ever in code, use 'getattr', 'get' or whatever in the
object that can be used.

+evalhost = eval("args[0].%s" % host)

Martin^2

On 12.10.2016 14:03, Oleg Fayans wrote:

Hi Martin,

After extensive discussion with Ludwig, I finally got the clue on how
does this feature work. When we uninstall the replica, the master
cleans the replication agreements with this replica and automatically
cleans all replica's RUVs.
If we clean replica's RUVs on master without uninstalling the replica,
the replica's RUVs get recreated on master (replication works!). So,
the only way to test the clean-ruv subcommand is to turn off the
replica, or block the traffic on it so it gets inaccessible to updates
from master.
The testcases were updated, see [1] and [2]

The updated versions of the patches are attached

[1]
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_.2A-ruv_subcommands_of_ipa-replica-manage_are_extended_to_handle_CA-specific_RUVs







[2]
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_clean-ruv_subcommand







On 08/05/2016 06:36 PM, Martin Basti wrote:



On 03.08.2016 14:45, Oleg Fayans wrote:

Hi Martin,

Thanks for the review! Both patches were updated.

On 07/28/2016 04:11 PM, Martin Basti wrote:



On 08.07.2016 15:41, Oleg Fayans wrote:

Hi Martin,

Thanks for the review!

On 07/08/2016 02:18 PM, Martin Basti wrote:



On 27.06.2016 13:53, Oleg Fayans wrote:

Hi guys,

Is there a chance the patches NN 0047.1 and 0048.1 get reviewed before
4.4 release? They cover a good part of the Managed Topology 4.4
feature.

On 06/17/2016 11:18 AM, Oleg Fayans wrote:

One more test was added to the patch-0048

On 06/17/2016 09:43 AM, Oleg Fayans wrote:

Fixed a bug in the previous patch, automated 2 more testcases from
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan










On 06/16/2016 04:46 PM, Ol

Re: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964

2016-11-03 Thread Oleg Fayans

Hi Martin,

The commit message was updated with the correct ticket link
Thanks for review!

On 11/03/2016 04:22 PM, Martin Basti wrote:

almost ACK, but the ticket in commit message is closed as invalid. So
I'm quite puzzled now what to do.


On 03.11.2016 13:28, Oleg Fayans wrote:

ping for review

On 10/19/2016 04:54 PM, Oleg Fayans wrote:

Hi Martin,

Thanks for the review. Fixed both issues.

$ ipa-run-tests test_integration/test_topology.py -k TestCASpecificRUVs
WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13]
Permission denied: 'lextab.py'
WARNING: yacc table file version is out of date
WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission
denied: 'yacctab.py'


test session starts
=


platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: sourceorder-0.5, multihost-1.0
collected 5 items

test_integration/test_topology.py ..



2 passed in 2444.84 seconds
=




On 10/17/2016 07:05 PM, Martin Basti wrote:

1)

you don't need to disable/enable dirsrv, just stop/start. Please remove
disable/enable parts


2)




traceback





self = 

def test_delete_ruvs(self):
"""
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/
Test_Plan#Test_case:_clean-ruv_subcommand
"""
replica = self.replicas[0]
master = self.master
res1 = master.run_command(['ipa-replica-manage', 'list-ruv',
'-p',
master.config.dirman_password])

assert(res1.stdout_text.count(replica.hostname) == 2 and

   "Certificate Server Replica Update Vectors" in res1), (
"CA-specific RUVs are not displayed")
E   TypeError: argument of type 'SSHCommand' is not iterable

test_integration/test_topology.py:215: TypeError



entering PDB







/usr/lib/python2.7/site-packages/ipatests/test_integration/test_topology.py(215)test_delete_ruvs()




-> assert(res1.stdout_text.count(replica.hostname) == 2 and



On 14.10.2016 11:36, Oleg Fayans wrote:

Right you are! I am sorry.

On 10/13/2016 06:10 PM, Martin Basti wrote:

I think that you forgot to squash commits. Patch 47 doesn't apply


On 13.10.2016 14:01, Oleg Fayans wrote:

Hi Martin,

Thanks for the review.
With disabling directory server it works as well, thanks for the
hint.
Also I moved the cleanup logic to the test itself for the sake of
simplicity. Patch-0048 was not changed

On 10/12/2016 02:35 PM, Martin Basti wrote:

1)

Can you just turn off dirsrv on replica instead of doing iptables
magic?


2) NACK

No more eval() ever in code, use 'getattr', 'get' or whatever in the
object that can be used.

+evalhost = eval("args[0].%s" % host)

Martin^2

On 12.10.2016 14:03, Oleg Fayans wrote:

Hi Martin,

After extensive discussion with Ludwig, I finally got the clue on how
does this feature work. When we uninstall the replica, the master
cleans the replication agreements with this replica and automatically
cleans all replica's RUVs.
If we clean replica's RUVs on master without uninstalling the replica,
the replica's RUVs get recreated on master (replication works!). So,
the only way to test the clean-ruv subcommand is to turn off the
replica, or block the traffic on it so it gets inaccessible to updates
from master.
The testcases were updated, see [1] and [2]

The updated versions of the patches are attached

[1]
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_.2A-ruv_subcommands_of_ipa-replica-manage_are_extended_to_handle_CA-specific_RUVs






[2]
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_clean-ruv_subcommand






On 08/05/2016 06:36 PM, Martin Basti wrote:



On 03.08.2016 14:45, Oleg Fayans wrote:

Hi Martin,

Thanks for the review! Both patches were updated.

On 07/28/2016 04:11 PM, Martin Basti wrote:



On 08.07.2016 15:41, Oleg Fayans wrote:

Hi Martin,

Thanks for the review!

On 07/08/2016 02:18 PM, Martin Basti wrote:



On 27.06.2016 13:53, Oleg Fayans wrote:

Hi guys,

Is there a chance the patches NN 0047.1 and 0048.1 get reviewed before
4.4 release? They cover a good part of the Managed Topology 4.4
feature.

On 06/17/2016 11:18 AM, Oleg Fayans wrote:

One more test was added to the patch-0048

On 06/17/2016 09:43 AM, Oleg Fayans wrote:

Fixed a bug in the previous patch, automated 2 more testcases from
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan









On 06/16/2016 04:46 PM, Oleg Fayans wrote:










IIUC, this will turn off the machine com

Re: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964

2016-11-03 Thread Oleg Fayans

ping for review

On 10/19/2016 04:54 PM, Oleg Fayans wrote:

Hi Martin,

Thanks for the review. Fixed both issues.

$ ipa-run-tests test_integration/test_topology.py -k TestCASpecificRUVs
WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13]
Permission denied: 'lextab.py'
WARNING: yacc table file version is out of date
WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission
denied: 'yacctab.py'

test session starts
=

platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: sourceorder-0.5, multihost-1.0
collected 5 items

test_integration/test_topology.py ..


2 passed in 2444.84 seconds
=



On 10/17/2016 07:05 PM, Martin Basti wrote:

1)

you don't need to disable/enable dirsrv, just stop/start. Please remove
disable/enable parts


2)




traceback





self = 

def test_delete_ruvs(self):
"""
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/
Test_Plan#Test_case:_clean-ruv_subcommand
"""
replica = self.replicas[0]
master = self.master
res1 = master.run_command(['ipa-replica-manage', 'list-ruv',
'-p',
  master.config.dirman_password])

  assert(res1.stdout_text.count(replica.hostname) == 2 and

   "Certificate Server Replica Update Vectors" in res1), (
"CA-specific RUVs are not displayed")
E   TypeError: argument of type 'SSHCommand' is not iterable

test_integration/test_topology.py:215: TypeError



entering PDB







/usr/lib/python2.7/site-packages/ipatests/test_integration/test_topology.py(215)test_delete_ruvs()



-> assert(res1.stdout_text.count(replica.hostname) == 2 and



On 14.10.2016 11:36, Oleg Fayans wrote:

Right you are! I am sorry.

On 10/13/2016 06:10 PM, Martin Basti wrote:

I think that you forgot to squash commits. Patch 47 doesn't apply


On 13.10.2016 14:01, Oleg Fayans wrote:

Hi Martin,

Thanks for the review.
With disabling directory server it works as well, thanks for the hint.
Also I moved the cleanup logic to the test itself for the sake of
simplicity. Patch-0048 was not changed

On 10/12/2016 02:35 PM, Martin Basti wrote:

1)

Can you just turn off dirsrv on replica instead of doing iptables
magic?


2) NACK

No more eval() ever in code, use 'getattr', 'get' or whatever in the
object that can be used.

+evalhost = eval("args[0].%s" % host)

Martin^2

On 12.10.2016 14:03, Oleg Fayans wrote:

Hi Martin,

After extensive discussion with Ludwig, I finally got the clue on how
does this feature work. When we uninstall the replica, the master
cleans the replication agreements with this replica and automatically
cleans all replica's RUVs.
If we clean replica's RUVs on master without uninstalling the replica,
the replica's RUVs get recreated on master (replication works!). So,
the only way to test the clean-ruv subcommand is to turn off the
replica, or block the traffic on it so it gets inaccessible to updates
from master.
The testcases were updated, see [1] and [2]

The updated versions of the patches are attached

[1]
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_.2A-ruv_subcommands_of_ipa-replica-manage_are_extended_to_handle_CA-specific_RUVs





[2]
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_clean-ruv_subcommand





On 08/05/2016 06:36 PM, Martin Basti wrote:



On 03.08.2016 14:45, Oleg Fayans wrote:

Hi Martin,

Thanks for the review! Both patches were updated.

On 07/28/2016 04:11 PM, Martin Basti wrote:



On 08.07.2016 15:41, Oleg Fayans wrote:

Hi Martin,

Thanks for the review!

On 07/08/2016 02:18 PM, Martin Basti wrote:



On 27.06.2016 13:53, Oleg Fayans wrote:

Hi guys,

Is there a chance the patches NN 0047.1 and 0048.1 get reviewed before
4.4 release? They cover a good part of the Managed Topology 4.4
feature.

On 06/17/2016 11:18 AM, Oleg Fayans wrote:

One more test was added to the patch-0048

On 06/17/2016 09:43 AM, Oleg Fayans wrote:

Fixed a bug in the previous patch, automated 2 more testcases from
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan








On 06/16/2016 04:46 PM, Oleg Fayans wrote:










IIUC, this will turn off the machine completely, how is cleanup done
then.  AFAIK our tests cannot turn on machine again and run cleanup, so
you will not be able to run more tests on the same topology without
manual cleanup and manual start.

+replica = self.replicas[0]
+repl

Re: [Freeipa-devel] [test][patch-0057] test for ticket N 6146 (installing rules with service principals)

2016-11-03 Thread Oleg Fayans

One more ping for review

On 10/27/2016 02:21 PM, Oleg Fayans wrote:

ping for review

On 10/25/2016 11:29 AM, Oleg Fayans wrote:

The patch was rebased to be able to apply on top of latest version of
certs in idoverrides patch. As before, it requires patches NN 0049 and
0059 to apply

On 08/10/2016 01:46 PM, Oleg Fayans wrote:

Hi Martin,

I am sorry, yes it depends on my patches 0049 and 0050.


On 08/10/2016 12:27 PM, Martin Basti wrote:



On 10.08.2016 10:38, Oleg Fayans wrote:





Hello,

I cannot apply this patch
error: ipatests/test_integration/test_certs_in_idoverrides.py: does not
exist in index
It probably depends on another patch (which one?)

Please, use human readable subjects in email, I do not remember from
top
of my head what #6146 is.

Martin^2












--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-11-03 Thread Oleg Fayans

One more ping for review

On 10/27/2016 02:21 PM, Oleg Fayans wrote:

ping for review

On 10/25/2016 10:24 AM, Oleg Fayans wrote:

Integration part of the tests is ready. 2 tests:

1. Adds a cert to idoverride of a windows user
2. sssd part - looks up user by his certificate using dbus-sssd

Second and third dbus call are executed as a string instead of as array
of strings because it just does not work otherwise. Some quote escaping
gets screwed probably, but the system returns "Error
org.freedesktop.DBus.Error.UnknownInterface: Unknown interface" if the
command is executed using the standard array-based approach

The run looks like this:

bash-4.3$ ipa-run-tests test_integration/test_idviews.py --pdb
WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13]
Permission denied: 'lextab.py'
WARNING: yacc table file version is out of date
WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission
denied: 'yacctab.py'
 test session starts

platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: sourceorder-0.5, multihost-1.0
collected 2 items

test_integration/test_idviews.py ..

 2 passed in 948.44 seconds
=


On 10/21/2016 10:54 AM, Oleg Fayans wrote:

Added one more test, resolved the pep8 issues

On 10/19/2016 12:32 PM, Oleg Fayans wrote:

Hi Martin,

As you suggested, I've extended the
test_xmlrpc/test_add_remove_cert_cmd.py to contain basic tests for
certs
in idoverrides.
The integration part still needs some polishing in the part related to
user lookup by cert

On 10/14/2016 03:57 PM, Martin Babinsky wrote:

On 10/14/2016 03:48 PM, Oleg Fayans wrote:

So, did I understand correctly, that there would be 2 patches: one
containing test for basic idoverrides functionality without
AD-integration, and the second one - with AD-integration and an sssd
check, correct?
I guess, the
freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch





might be a good candidate for the first one, I only have to change
the
filename to test_idviews.py, right?



Oleg, we already have XMLRPC tests for idoverrides:

ipatests/test_xmlrpc/test_idviews_plugin.py

Is there any particular reason why not to extend them with add
cert/remove cert operations?

Even better, you can extend
`ipatests/test_xmlrpc/test_add_remove_cert_cmd.py` suite by doing the
same set of tests on idoverrideuser objects.

Or am I missing something?


On 09/15/2016 10:32 AM, Martin Basti wrote:



On 15.09.2016 10:10, Oleg Fayans wrote:

Hi Martin,

The file was renamed. Did I understand correctly that for now we
are
leaving the test as is and are planning to extend it later?


I would like to have there SSSD check involved, please use what
Sumit
recommends. No new test cases.

And this can be done by separate patch, I want to have API/CLI
certificate override tests for non-AD idview (extending current
tests I
posted in this thread)

Martin^2


On 09/15/2016 09:49 AM, Martin Basti wrote:



On 14.09.2016 18:53, Sumit Bose wrote:

On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:


On 14.09.2016 17:53, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:


On 14.09.2016 17:41, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:

1)
I still don't see the reason why AD trust is needed. Default
trust ID view is added just by ipa-adtrust-install, adding
trust is not needed for current implementation. You don't
need AD for this, IDviews is generic feature not just for
AD. Is that user configured on AD side?

You cannot add non-AD user to 'default trust view', so you
will
not be
able to set up certificates to ID override which does not
exist.

For non-'default trust view' you can add both IPA and AD
users,
so using
some other view and then assign certificate for a ID
override in
that
one.


Ok then, but anyway I would like to see API/CLI tests for this
feature with proper output validation.


How can be this tested with SSSD?

You need to log into the system with a certificate...

Is this possible from test? We are logged remotely as root, is
there any
cmdline util which allows us to test certificate against AD
user?


You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which
should
return the ssh key derived from the public key in the
certificate.
This
should work for certificate stored in AD as well as for
overrides.

You can also use the DBus lookup by certificate as described in
https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate





.

HTH

bye,
Sumit


Thank you Alexander and Sumit for hints.

Oleg I realized we don't have any other idviews integration tests

So I propose to rename test file you are adding to
test_idviews.py. We
can add more testcases for idviews there later

Martin^2

Martin^2


Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-10-30 Thread Oleg Fayans

ping for review

On 10/25/2016 10:24 AM, Oleg Fayans wrote:

Integration part of the tests is ready. 2 tests:

1. Adds a cert to idoverride of a windows user
2. sssd part - looks up user by his certificate using dbus-sssd

Second and third dbus call are executed as a string instead of as array
of strings because it just does not work otherwise. Some quote escaping
gets screwed probably, but the system returns "Error
org.freedesktop.DBus.Error.UnknownInterface: Unknown interface" if the
command is executed using the standard array-based approach

The run looks like this:

bash-4.3$ ipa-run-tests test_integration/test_idviews.py --pdb
WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13]
Permission denied: 'lextab.py'
WARNING: yacc table file version is out of date
WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission
denied: 'yacctab.py'
 test session starts

platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: sourceorder-0.5, multihost-1.0
collected 2 items

test_integration/test_idviews.py ..

 2 passed in 948.44 seconds
=


On 10/21/2016 10:54 AM, Oleg Fayans wrote:

Added one more test, resolved the pep8 issues

On 10/19/2016 12:32 PM, Oleg Fayans wrote:

Hi Martin,

As you suggested, I've extended the
test_xmlrpc/test_add_remove_cert_cmd.py to contain basic tests for certs
in idoverrides.
The integration part still needs some polishing in the part related to
user lookup by cert

On 10/14/2016 03:57 PM, Martin Babinsky wrote:

On 10/14/2016 03:48 PM, Oleg Fayans wrote:

So, did I understand correctly, that there would be 2 patches: one
containing test for basic idoverrides functionality without
AD-integration, and the second one - with AD-integration and an sssd
check, correct?
I guess, the
freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch




might be a good candidate for the first one, I only have to change the
filename to test_idviews.py, right?



Oleg, we already have XMLRPC tests for idoverrides:

ipatests/test_xmlrpc/test_idviews_plugin.py

Is there any particular reason why not to extend them with add
cert/remove cert operations?

Even better, you can extend
`ipatests/test_xmlrpc/test_add_remove_cert_cmd.py` suite by doing the
same set of tests on idoverrideuser objects.

Or am I missing something?


On 09/15/2016 10:32 AM, Martin Basti wrote:



On 15.09.2016 10:10, Oleg Fayans wrote:

Hi Martin,

The file was renamed. Did I understand correctly that for now we are
leaving the test as is and are planning to extend it later?


I would like to have there SSSD check involved, please use what
Sumit
recommends. No new test cases.

And this can be done by separate patch, I want to have API/CLI
certificate override tests for non-AD idview (extending current
tests I
posted in this thread)

Martin^2


On 09/15/2016 09:49 AM, Martin Basti wrote:



On 14.09.2016 18:53, Sumit Bose wrote:

On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:


On 14.09.2016 17:53, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:


On 14.09.2016 17:41, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:

1)
I still don't see the reason why AD trust is needed. Default
trust ID view is added just by ipa-adtrust-install, adding
trust is not needed for current implementation. You don't
need AD for this, IDviews is generic feature not just for
AD. Is that user configured on AD side?

You cannot add non-AD user to 'default trust view', so you
will
not be
able to set up certificates to ID override which does not
exist.

For non-'default trust view' you can add both IPA and AD
users,
so using
some other view and then assign certificate for a ID
override in
that
one.


Ok then, but anyway I would like to see API/CLI tests for this
feature with proper output validation.


How can be this tested with SSSD?

You need to log into the system with a certificate...

Is this possible from test? We are logged remotely as root, is
there any
cmdline util which allows us to test certificate against AD user?


You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should
return the ssh key derived from the public key in the certificate.
This
should work for certificate stored in AD as well as for overrides.

You can also use the DBus lookup by certificate as described in
https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate




.

HTH

bye,
Sumit


Thank you Alexander and Sumit for hints.

Oleg I realized we don't have any other idviews integration tests

So I propose to rename test file you are adding to
test_idviews.py. We
can add more testcases for idviews there later

Martin^2

Martin^2


Re: [Freeipa-devel] [test][patch-0057] test for ticket N 6146 (installing rules with service principals)

2016-10-30 Thread Oleg Fayans

ping for review

On 10/25/2016 11:29 AM, Oleg Fayans wrote:

The patch was rebased to be able to apply on top of latest version of
certs in idoverrides patch. As before, it requires patches NN 0049 and
0059 to apply

On 08/10/2016 01:46 PM, Oleg Fayans wrote:

Hi Martin,

I am sorry, yes it depends on my patches 0049 and 0050.


On 08/10/2016 12:27 PM, Martin Basti wrote:



On 10.08.2016 10:38, Oleg Fayans wrote:





Hello,

I cannot apply this patch
error: ipatests/test_integration/test_certs_in_idoverrides.py: does not
exist in index
It probably depends on another patch (which one?)

Please, use human readable subjects in email, I do not remember from top
of my head what #6146 is.

Martin^2










--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-10-25 Thread Oleg Fayans

Integration part of the tests is ready. 2 tests:

1. Adds a cert to idoverride of a windows user
2. sssd part - looks up user by his certificate using dbus-sssd

Second and third dbus call are executed as a string instead of as array
of strings because it just does not work otherwise. Some quote escaping 
gets screwed probably, but the system returns "Error 
org.freedesktop.DBus.Error.UnknownInterface: Unknown interface" if the 
command is executed using the standard array-based approach


The run looks like this:

bash-4.3$ ipa-run-tests test_integration/test_idviews.py --pdb
WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] 
Permission denied: 'lextab.py'

WARNING: yacc table file version is out of date
WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission 
denied: 'yacctab.py'
 test session starts 


platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: sourceorder-0.5, multihost-1.0
collected 2 items

test_integration/test_idviews.py ..

 2 passed in 948.44 seconds 
=



On 10/21/2016 10:54 AM, Oleg Fayans wrote:

Added one more test, resolved the pep8 issues

On 10/19/2016 12:32 PM, Oleg Fayans wrote:

Hi Martin,

As you suggested, I've extended the
test_xmlrpc/test_add_remove_cert_cmd.py to contain basic tests for certs
in idoverrides.
The integration part still needs some polishing in the part related to
user lookup by cert

On 10/14/2016 03:57 PM, Martin Babinsky wrote:

On 10/14/2016 03:48 PM, Oleg Fayans wrote:

So, did I understand correctly, that there would be 2 patches: one
containing test for basic idoverrides functionality without
AD-integration, and the second one - with AD-integration and an sssd
check, correct?
I guess, the
freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch



might be a good candidate for the first one, I only have to change the
filename to test_idviews.py, right?



Oleg, we already have XMLRPC tests for idoverrides:

ipatests/test_xmlrpc/test_idviews_plugin.py

Is there any particular reason why not to extend them with add
cert/remove cert operations?

Even better, you can extend
`ipatests/test_xmlrpc/test_add_remove_cert_cmd.py` suite by doing the
same set of tests on idoverrideuser objects.

Or am I missing something?


On 09/15/2016 10:32 AM, Martin Basti wrote:



On 15.09.2016 10:10, Oleg Fayans wrote:

Hi Martin,

The file was renamed. Did I understand correctly that for now we are
leaving the test as is and are planning to extend it later?


I would like to have there SSSD check involved, please use what Sumit
recommends. No new test cases.

And this can be done by separate patch, I want to have API/CLI
certificate override tests for non-AD idview (extending current
tests I
posted in this thread)

Martin^2


On 09/15/2016 09:49 AM, Martin Basti wrote:



On 14.09.2016 18:53, Sumit Bose wrote:

On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:


On 14.09.2016 17:53, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:


On 14.09.2016 17:41, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:

1)
I still don't see the reason why AD trust is needed. Default
trust ID view is added just by ipa-adtrust-install, adding
trust is not needed for current implementation. You don't
need AD for this, IDviews is generic feature not just for
AD. Is that user configured on AD side?

You cannot add non-AD user to 'default trust view', so you will
not be
able to set up certificates to ID override which does not
exist.

For non-'default trust view' you can add both IPA and AD users,
so using
some other view and then assign certificate for a ID
override in
that
one.


Ok then, but anyway I would like to see API/CLI tests for this
feature with proper output validation.


How can be this tested with SSSD?

You need to log into the system with a certificate...

Is this possible from test? We are logged remotely as root, is
there any
cmdline util which allows us to test certificate against AD user?


You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should
return the ssh key derived from the public key in the certificate.
This
should work for certificate stored in AD as well as for overrides.

You can also use the DBus lookup by certificate as described in
https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate



.

HTH

bye,
Sumit


Thank you Alexander and Sumit for hints.

Oleg I realized we don't have any other idviews integration tests

So I propose to rename test file you are adding to
test_idviews.py. We
can add more testcases for idviews there later

Martin^2

Martin^2


Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-10-21 Thread Oleg Fayans

Added one more test, resolved the pep8 issues

On 10/19/2016 12:32 PM, Oleg Fayans wrote:

Hi Martin,

As you suggested, I've extended the
test_xmlrpc/test_add_remove_cert_cmd.py to contain basic tests for certs
in idoverrides.
The integration part still needs some polishing in the part related to
user lookup by cert

On 10/14/2016 03:57 PM, Martin Babinsky wrote:

On 10/14/2016 03:48 PM, Oleg Fayans wrote:

So, did I understand correctly, that there would be 2 patches: one
containing test for basic idoverrides functionality without
AD-integration, and the second one - with AD-integration and an sssd
check, correct?
I guess, the
freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch


might be a good candidate for the first one, I only have to change the
filename to test_idviews.py, right?



Oleg, we already have XMLRPC tests for idoverrides:

ipatests/test_xmlrpc/test_idviews_plugin.py

Is there any particular reason why not to extend them with add
cert/remove cert operations?

Even better, you can extend
`ipatests/test_xmlrpc/test_add_remove_cert_cmd.py` suite by doing the
same set of tests on idoverrideuser objects.

Or am I missing something?


On 09/15/2016 10:32 AM, Martin Basti wrote:



On 15.09.2016 10:10, Oleg Fayans wrote:

Hi Martin,

The file was renamed. Did I understand correctly that for now we are
leaving the test as is and are planning to extend it later?


I would like to have there SSSD check involved, please use what Sumit
recommends. No new test cases.

And this can be done by separate patch, I want to have API/CLI
certificate override tests for non-AD idview (extending current tests I
posted in this thread)

Martin^2


On 09/15/2016 09:49 AM, Martin Basti wrote:



On 14.09.2016 18:53, Sumit Bose wrote:

On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:


On 14.09.2016 17:53, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:


On 14.09.2016 17:41, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:

1)
I still don't see the reason why AD trust is needed. Default
trust ID view is added just by ipa-adtrust-install, adding
trust is not needed for current implementation. You don't
need AD for this, IDviews is generic feature not just for
AD. Is that user configured on AD side?

You cannot add non-AD user to 'default trust view', so you will
not be
able to set up certificates to ID override which does not exist.

For non-'default trust view' you can add both IPA and AD users,
so using
some other view and then assign certificate for a ID override in
that
one.


Ok then, but anyway I would like to see API/CLI tests for this
feature with proper output validation.


How can be this tested with SSSD?

You need to log into the system with a certificate...

Is this possible from test? We are logged remotely as root, is
there any
cmdline util which allows us to test certificate against AD user?


You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should
return the ssh key derived from the public key in the certificate.
This
should work for certificate stored in AD as well as for overrides.

You can also use the DBus lookup by certificate as described in
https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate


.

HTH

bye,
Sumit


Thank you Alexander and Sumit for hints.

Oleg I realized we don't have any other idviews integration tests

So I propose to rename test file you are adding to
test_idviews.py. We
can add more testcases for idviews there later

Martin^2

Martin^2

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 91a14f2604370c2fc314af6768ddaa112b9b0649 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 21 Oct 2016 10:53:19 +0200
Subject: [PATCH] tests: Added basic tests for certs in idoverrides

https://fedorahosted.org/freeipa/ticket/6412
---
 ipatests/test_xmlrpc/test_add_remove_cert_cmd.py | 91 
 1 file changed, 91 insertions(+)

diff --git a/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py b/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
index edc97f07b0bf7d621bf9313a8ba20b4071b9e394..cc190329416dd001dc7435737b33c696a9f9ac7e 100644
--- a/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
+++ b/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
@@ -352,3 +352,94 @@ class TestCertManipCmdService(CertManipCmdTestBase):
 api.Command.host_del(TestCertManipCmdHost.entity_pkey)
 except errors.NotFound:
 pass
+
+
+@pytest.mark.tier1
+class TestCertManipIdOverride(XMLRPC_test):
+idview = u'testview'
+testuser = u'testuser'
+entity_subject = testuser
+entity_principal = testuser
+
+cert_add_cmd = api.Command.idoverrideuser_add_cert
+cert_del_cmd = api.Command.idoverrideuser_remov
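Review bot: TestCertManipIdOverride derives from XMLRPC_test, yet it declares entity_subject, entity_principal, cert_add_cmd and cert_del_cmd, which read like the attributes that the sibling TestCertManipCmdService (named in the hunk header) gets its cases from via CertManipCmdTestBase. If the goal is the same add/remove cases run against idoverrideuser objects, subclassing CertManipCmdTestBase would avoid duplicating them; if that base cannot be reused here, a class docstring saying why would help the next reader. The fixed names u'testview' and u'testuser' also deserve a teardown guarded like the host_del / errors.NotFound block in the context lines, so an aborted run does not leave the view behind for later tests.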

Re: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964

2016-10-19 Thread Oleg Fayans

Hi Martin,

Thanks for the review. Fixed both issues.

$ ipa-run-tests test_integration/test_topology.py -k TestCASpecificRUVs
WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] 
Permission denied: 'lextab.py'

WARNING: yacc table file version is out of date
WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission 
denied: 'yacctab.py'
 
test session starts 
=

platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: sourceorder-0.5, multihost-1.0
collected 5 items

test_integration/test_topology.py ..

 
2 passed in 2444.84 seconds 
=



On 10/17/2016 07:05 PM, Martin Basti wrote:

1)

you don't need to disable/enable dirsrv, just stop/start. Please remove
disable/enable parts


2)




traceback





self = 

def test_delete_ruvs(self):
"""
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/
Test_Plan#Test_case:_clean-ruv_subcommand
"""
replica = self.replicas[0]
master = self.master
res1 = master.run_command(['ipa-replica-manage', 'list-ruv', '-p',
  master.config.dirman_password])

  assert(res1.stdout_text.count(replica.hostname) == 2 and

   "Certificate Server Replica Update Vectors" in res1), (
"CA-specific RUVs are not displayed")
E   TypeError: argument of type 'SSHCommand' is not iterable

test_integration/test_topology.py:215: TypeError



entering PDB







/usr/lib/python2.7/site-packages/ipatests/test_integration/test_topology.py(215)test_delete_ruvs()


-> assert(res1.stdout_text.count(replica.hostname) == 2 and



On 14.10.2016 11:36, Oleg Fayans wrote:

Right you are! I am sorry.

On 10/13/2016 06:10 PM, Martin Basti wrote:

I think that you forgot to squash commits. Patch 47 doesn't apply


On 13.10.2016 14:01, Oleg Fayans wrote:

Hi Martin,

Thanks for the review.
With disabling directory server it works as well, thanks for the hint.
Also I moved the cleanup logic to the test itself for the sake of
simplicity. Patch-0048 was not changed

On 10/12/2016 02:35 PM, Martin Basti wrote:

1)

Can you just turn off dirsrv on replica instead of doing iptables
magic?


2) NACK

No more eval() ever in code, use 'getattr', 'get' or whatever in the
object that can be used.

+evalhost = eval("args[0].%s" % host)

Martin^2

On 12.10.2016 14:03, Oleg Fayans wrote:

Hi Martin,

After extensive discussion with Ludwig, I finally got the clue on how
does this feature work. When we uninstall the replica, the master
cleans the replication agreements with this replica and automatically
cleans all replica's RUVs.
If we clean replica's RUVs on master without uninstalling the
replica,
the replica's RUVs get recreated on master (replication works!). So,
the only way to test the clean-ruv subcommand is to turn off the
replica, or block the traffic on it so it gets inaccessible to
updates
from master.
The testcases were updated, see [1] and [2]

The updated versions of the patches are attached

[1]
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_.2A-ruv_subcommands_of_ipa-replica-manage_are_extended_to_handle_CA-specific_RUVs




[2]
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_clean-ruv_subcommand




On 08/05/2016 06:36 PM, Martin Basti wrote:



On 03.08.2016 14:45, Oleg Fayans wrote:

Hi Martin,

Thanks for the review! Both patches were updated.

On 07/28/2016 04:11 PM, Martin Basti wrote:



On 08.07.2016 15:41, Oleg Fayans wrote:

Hi Martin,

Thanks for the review!

On 07/08/2016 02:18 PM, Martin Basti wrote:



On 27.06.2016 13:53, Oleg Fayans wrote:

Hi guys,

Is there a chance the patches NN 0047.1 and 0048.1 get reviewed
before
4.4 release? They cover a good part of the Managed Topology 4.4
feature.

On 06/17/2016 11:18 AM, Oleg Fayans wrote:

One more test was added to the patch-0048

On 06/17/2016 09:43 AM, Oleg Fayans wrote:

Fixed a bug in the previous patch, automated 2 more testcases
from
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan







On 06/16/2016 04:46 PM, Oleg Fayans wrote:










IIUC, this will turn off the machine completely, how is cleanup
done
then.  AFAIK our tests cannot turn on machine again and run
cleanup, so
you will not be able to run more tests on the same topology
without
manual cleanup and manual start.

+replica = self.replicas[0]
+replica.run_command(['poweroff'])

IMO would be better to just call
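The review point quoted in this message ("No more eval() ever in code, use 'getattr'") as an added example, not code from the patch or from FreeIPA: a host spec such as `replicas[0]` is parsed and resolved with `getattr` against an allowlist instead of being evaluated. `resolve_host`, `on_host`, `is_rejected`, `ALLOWED_ROOTS`, `FakeHost` and `FakeTopology` are hypothetical names, and the host names are constructed.

```python
import functools
import re

# Hypothetical allowlist: the only attributes a test may name as a host source.
ALLOWED_ROOTS = frozenset({"master", "replicas", "clients"})

# One identifier, optionally followed by a single decimal list index.
SPEC_RE = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)(?:\[([0-9]+)\])?")


def resolve_host(test_obj, spec):
    """Resolve 'master' or 'replicas[0]' on test_obj without eval().

    The patch line under review was: eval("args[0].%s" % host).
    Anything that is not <allowed name> or <allowed name>[<int>] is refused,
    so the spec can never carry an expression or reach other attributes.
    """
    match = SPEC_RE.fullmatch(spec)
    if match is None:
        raise ValueError("unsupported host spec: %r" % (spec,))
    name, index = match.groups()
    if name not in ALLOWED_ROOTS:
        raise ValueError("host source not allowed: %r" % (name,))
    target = getattr(test_obj, name)
    if index is None:
        if isinstance(target, (list, tuple)):
            raise ValueError("%r is a list, an index is required" % (name,))
        return target
    try:
        return target[int(index)]
    except IndexError:
        raise ValueError("no host at %r" % (spec,))


def on_host(spec):
    """Decorator that hands the resolved host to the test method."""
    def decorator(func):
        @functools.wraps(func)
        def wrapper(*args, **kwargs):
            host = resolve_host(args[0], spec)  # args[0] is the test instance
            return func(args[0], host, *args[1:], **kwargs)
        return wrapper
    return decorator


def is_rejected(test_obj, spec):
    """True when resolve_host refuses the spec."""
    try:
        resolve_host(test_obj, spec)
    except ValueError:
        return True
    return False


class FakeHost(object):
    """Constructed stand-in for a multihost Host object."""
    def __init__(self, hostname):
        self.hostname = hostname


class FakeTopology(object):
    """Constructed stand-in for an integration test class instance."""
    def __init__(self):
        self.master = FakeHost("master.ipa.test")
        self.replicas = [FakeHost("replica0.ipa.test")]
        self.clients = []

    @on_host("replicas[0]")
    def stop_dirsrv(self, host):
        # A real test would call host.run_command([...]) here.
        return "stop dirsrv on %s" % host.hostname


if __name__ == "__main__":
    topo = FakeTopology()
    print(topo.stop_dirsrv())
    for bad in ("replicas", "__class__", "master.run_command",
                "__import__('os').getcwd()"):
        print(bad, "rejected:", is_rejected(topo, bad))
```
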

Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-10-19 Thread Oleg Fayans

Hi Martin,

As you suggested, I've extended the 
test_xmlrpc/test_add_remove_cert_cmd.py to contain basic tests for certs 
in idoverrides.
The integration part still needs some polishing in the part related to 
user lookup by cert


On 10/14/2016 03:57 PM, Martin Babinsky wrote:

On 10/14/2016 03:48 PM, Oleg Fayans wrote:

So, did I understand correctly, that there would be 2 patches: one
containing test for basic idoverrides functionality without
AD-integration, and the second one - with AD-integration and an sssd
check, correct?
I guess, the
freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch

might be a good candidate for the first one, I only have to change the
filename to test_idviews.py, right?



Oleg, we already have XMLRPC tests for idoverrides:

ipatests/test_xmlrpc/test_idviews_plugin.py

Is there any particular reason why not to extend them with add
cert/remove cert operations?

Even better, you can extend
`ipatests/test_xmlrpc/test_add_remove_cert_cmd.py` suite by doing the
same set of tests on idoverrideuser objects.

Or am I missing something?


On 09/15/2016 10:32 AM, Martin Basti wrote:



On 15.09.2016 10:10, Oleg Fayans wrote:

Hi Martin,

The file was renamed. Did I understand correctly that for now we are
leaving the test as is and are planning to extend it later?


I would like to have there SSSD check involved, please use what Sumit
recommends. No new test cases.

And this can be done by separate patch, I want to have API/CLI
certificate override tests for non-AD idview (extending current tests I
posted in this thread)

Martin^2


On 09/15/2016 09:49 AM, Martin Basti wrote:



On 14.09.2016 18:53, Sumit Bose wrote:

On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:


On 14.09.2016 17:53, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:


On 14.09.2016 17:41, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:

1)
I still don't see the reason why AD trust is needed. Default
trust ID view is added just by ipa-adtrust-install, adding
trust is not needed for current implementation. You don't
need AD for this, IDviews is generic feature not just for
AD. Is that user configured on AD side?

You cannot add non-AD user to 'default trust view', so you will
not be
able to set up certificates to ID override which does not exist.

For non-'default trust view' you can add both IPA and AD users,
so using
some other view and then assign certificate for a ID override in
that
one.


Ok then, but anyway I would like to see API/CLI tests for this
feature with proper output validation.


How can be this tested with SSSD?

You need to log into the system with a certificate...

Is this possible from test? We are logged remotely as root, is
there any
cmdline util which allows us to test certificate against AD user?


You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should
return the ssh key derived from the public key in the certificate.
This
should work for certificate stored in AD as well as for overrides.

You can also use the DBus lookup by certificate as described in
https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate

.

HTH

bye,
Sumit


Thank you Alexander and Sumit for hints.

Oleg I realized we don't have any other idviews integration tests

So I propose to rename test file you are adding to test_idviews.py. We
can add more testcases for idviews there later

Martin^2

Martin^2

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From de874f4e7bae77a1149846b2dd1fd4ce487e8c66 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Wed, 19 Oct 2016 11:59:44 +0200
Subject: [PATCH] tests: Added basic tests for certs in idoverrides

https://fedorahosted.org/freeipa/ticket/6412
---
 ipatests/test_xmlrpc/test_add_remove_cert_cmd.py | 88 
 1 file changed, 88 insertions(+)

diff --git a/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py b/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
index edc97f07b0bf7d621bf9313a8ba20b4071b9e394..82a81b04997b8b4b41a45d65e00b773daef52099 100644
--- a/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
+++ b/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
@@ -352,3 +352,91 @@ class TestCertManipCmdService(CertManipCmdTestBase):
 api.Command.host_del(TestCertManipCmdHost.entity_pkey)
 except errors.NotFound:
 pass
+
+
+@pytest.mark.tier1
+class TestCertManipIdOverride(XMLRPC_test):
+idview = u'testview'
+testuser = u'testuser'
+entity_subject = testuser
+entity_principal = testuser
+
+cert_add_cmd = api.Command.idoverrideuser_add_cert
+cert_del_cmd = api.Command.idoverrideuser_remove_cert
+
+def del_cert_from_idoverride(self, username, view_name, cert):
+
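Review bot: del_cert_from_idoverride takes username and view_name as parameters although the class already fixes both as testuser and idview, so every caller will pass the same two values; either read them from the class attributes or document when they are expected to differ. The helper also has no docstring stating whether a missing certificate or override is tolerated, the way the errors.NotFound guard in the context lines tolerates a missing host. Separately, the commit message carries only the ticket link, with no summary of which add/remove cases the 88 added lines cover.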

Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-10-14 Thread Oleg Fayans

Hi, Martin,

Right. The point is to have a test that emulates the real-world usecase 
of this feature. Which is AD integration. No xmlrpc test is able to do 
so. Of course we can automate testing of CLI options using XMLRPC. But 
that would not mean we do not need an integration test for the "real" 
part. So, I'll add the cert manipulation tests to the xmlrpc test.


On 10/14/2016 03:57 PM, Martin Babinsky wrote:

On 10/14/2016 03:48 PM, Oleg Fayans wrote:

So, did I understand correctly, that there would be 2 patches: one
containing test for basic idoverrides functionality without
AD-integration, and the second one - with AD-integration and an sssd
check, correct?
I guess, the
freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch
might be a good candidate for the first one, I only have to change the
filename to test_idviews.py, right?



Oleg, we already have XMLRPC tests for idoverrides:

ipatests/test_xmlrpc/test_idviews_plugin.py

Is there any particular reason why not to extend them with add
cert/remove cert operations?

Even better, you can extend
`ipatests/test_xmlrpc/test_add_remove_cert_cmd.py` suite by doing the
same set of tests on idoverrideuser objects.

Or am I missing something?


On 09/15/2016 10:32 AM, Martin Basti wrote:



On 15.09.2016 10:10, Oleg Fayans wrote:

Hi Martin,

The file was renamed. Did I understand correctly that for now we are
leaving the test as is and are planning to extend it later?


I would like to have there SSSD check involved, please use what Sumit
recommends. No new test cases.

And this can be done by separate patch, I want to have API/CLI
certificate override tests for non-AD idview (extending current tests I
posted in this thread)

Martin^2


On 09/15/2016 09:49 AM, Martin Basti wrote:



On 14.09.2016 18:53, Sumit Bose wrote:

On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:


On 14.09.2016 17:53, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:


On 14.09.2016 17:41, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:

1)
I still don't see the reason why AD trust is needed. Default
trust ID view is added just by ipa-adtrust-install, adding
trust is not needed for current implementation. You don't
need AD for this, IDviews is generic feature not just for
AD. Is that user configured on AD side?

You cannot add non-AD user to 'default trust view', so you will not be
able to set up certificates to ID override which does not exist.

For non-'default trust view' you can add both IPA and AD users, so using
some other view and then assign certificate for a ID override in that
one.


Ok then, but anyway I would like to see API/CLI tests for this
feature with proper output validation.


How can be this tested with SSSD?

You need to log into the system with a certificate...

Is this possible from test? We are logged remotely as root, is there any
cmdline util which allows us to test certificate against AD user?


You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should
return the ssh key derived from the public key in the certificate. This
should work for certificate stored in AD as well as for overrides.

You can also use the DBus lookup by certificate as described in
https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate.

HTH

bye,
Sumit


Thank you Alexander and Sumit for hints.

Oleg I realized we don't have any other idviews integration tests

So I propose to rename test file you are adding to test_idviews.py. We
can add more testcases for idviews there later

Martin^2

Martin^2

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.


Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-10-14 Thread Oleg Fayans
So, did I understand correctly, that there would be 2 patches: one 
containing test for basic idoverrides functionality without 
AD-integration, and the second one - with AD-integration and an sssd 
check, correct?
I guess, the 
freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch 
might be a good candidate for the first one, I only have to change the 
filename to test_idviews.py, right?


On 09/15/2016 10:32 AM, Martin Basti wrote:



On 15.09.2016 10:10, Oleg Fayans wrote:

Hi Martin,

The file was renamed. Did I understand correctly that for now we are
leaving the test as is and are planning to extend it later?


I would like to have there SSSD check involved, please use what Sumit
recommends. No new test cases.

And this can be done by separate patch, I want to have API/CLI
certificate override tests for non-AD idview (extending current tests I
posted in this thread)

Martin^2


On 09/15/2016 09:49 AM, Martin Basti wrote:



On 14.09.2016 18:53, Sumit Bose wrote:

On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:


On 14.09.2016 17:53, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:


On 14.09.2016 17:41, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:

1)
I still don't see the reason why AD trust is needed. Default
trust ID view is added just by ipa-adtrust-install, adding
trust is not needed for current implementation. You don't
need AD for this, IDviews is generic feature not just for
AD. Is that user configured on AD side?

You cannot add non-AD user to 'default trust view', so you will not be
able to set up certificates to ID override which does not exist.

For non-'default trust view' you can add both IPA and AD users, so using
some other view and then assign certificate for a ID override in that
one.


Ok then, but anyway I would like to see API/CLI tests for this
feature with proper output validation.


How can be this tested with SSSD?

You need to log into the system with a certificate...

Is this possible from test? We are logged remotely as root, is there any
cmdline util which allows us to test certificate against AD user?


You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should
return the ssh key derived from the public key in the certificate. This
should work for certificate stored in AD as well as for overrides.

You can also use the DBus lookup by certificate as described in
https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate.

HTH

bye,
Sumit


Thank you Alexander and Sumit for hints.

Oleg I realized we don't have any other idviews integration tests

So I propose to rename test file you are adding to test_idviews.py. We
can add more testcases for idviews there later

Martin^2

Martin^2

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.


Re: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964

2016-10-14 Thread Oleg Fayans

Right you are! I am sorry.

On 10/13/2016 06:10 PM, Martin Basti wrote:

I think that you forgot to squash commits. Patch 47 doesn't apply


On 13.10.2016 14:01, Oleg Fayans wrote:

Hi Martin,

Thanks for the review.
With disabling directory server it works as well, thanks for the hint.
Also I moved the cleanup logic to the test itself for the sake of
simplicity. Patch-0048 was not changed

On 10/12/2016 02:35 PM, Martin Basti wrote:

1)

Can you just turn off dirsrv on replica instead of doing iptables magic?


2) NACK

No more eval() ever in code, use 'getattr', 'get' or whatever in the
object that can be used.

+evalhost = eval("args[0].%s" % host)

Martin^2

On 12.10.2016 14:03, Oleg Fayans wrote:

Hi Martin,

After extensive discussion with Ludwig, I finally got the clue on how
does this feature work. When we uninstall the replica, the master
cleans the replication agreements with this replica and automatically
cleans all replica's RUVs.
If we clean replica's RUVs on master without uninstalling the replica,
the replica's RUVs get recreated on master (replication works!). So,
the only way to test the clean-ruv subcommand is to turn off the
replica, or block the traffic on it so it gets inaccessible to updates
from master.
The testcases were updated, see [1] and [2]

The updated versions of the patches are attached

[1]
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_.2A-ruv_subcommands_of_ipa-replica-manage_are_extended_to_handle_CA-specific_RUVs



[2]
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_clean-ruv_subcommand



On 08/05/2016 06:36 PM, Martin Basti wrote:



On 03.08.2016 14:45, Oleg Fayans wrote:

Hi Martin,

Thanks for the review! Both patches were updated.

On 07/28/2016 04:11 PM, Martin Basti wrote:



On 08.07.2016 15:41, Oleg Fayans wrote:

Hi Martin,

Thanks for the review!

On 07/08/2016 02:18 PM, Martin Basti wrote:



On 27.06.2016 13:53, Oleg Fayans wrote:

Hi guys,

Is there a chance the patches NN 0047.1 and 0048.1 get reviewed
before
4.4 release? They cover a good part of the Managed Topology 4.4
feature.

On 06/17/2016 11:18 AM, Oleg Fayans wrote:

One more test was added to the patch-0048

On 06/17/2016 09:43 AM, Oleg Fayans wrote:

Fixed a bug in the previous patch, automated 2 more testcases
from
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan






On 06/16/2016 04:46 PM, Oleg Fayans wrote:










IIUC, this will turn off the machine completely, how is cleanup
done
then.  AFAIK our tests cannot turn on machine again and run
cleanup, so
you will not be able to run more tests on the same topology
without
manual cleanup and manual start.

+replica = self.replicas[0]
+replica.run_command(['poweroff'])

IMO would be better to just call 'ipactl stop' instead of
'poweroff'


Agreed! Fixed.



Martin^2






*Automated ipa-replica-manage del tests*

1)
+replica.run_command(['ipactl', 'stop'])
+time.sleep(3)

Why do you need sleep here?


Removed, it was left from the old "poweroff" approach




2)
+ruvid_re = re.compile(".*%s:389: (\d+).*" %
replica.hostname)
+replica_ruvs = ruvid_re.findall(result.stdout_text)
+master.run_command(['ipa-replica-manage', 'clean-ruv', 'f',
+'-p', master.config.dirman_password,
+replica_ruvs[0]])
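
Review bot: in the clean-ruv call the third list element is the bare string 'f'; if the force option was intended it has to be '-f', because as written 'f' is passed as a positional argument ahead of the RUV id. In the pattern above it, replica.hostname is interpolated unescaped, so every dot in the hostname matches any character; wrap it in re.escape() and make the pattern a raw string so that \d is not treated as a string escape.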

Because you are using re.findall(), without any match you will
receive
IndexError here replica_ruvs[0]. IMO it deserves assert before


Implemented the assert which checks that the output contains enough
replica RUVs



3)
assert(replica.hostname in result1.stdout_text)

I think that this is error prone. What if there is just an error 'could not
connect to replica ', or something similar, instead of
listing/cleaning/whatever operation was executed? I think that it should
be a more specific regexp than just finding a replica name substring. (Yes,
in IPA we don't always print errors to stderr.)

I'm not sure, but probably there might be cases when a non-critical error
happens and the exit status is still 0.


Agree. Implemented a regex-based search



4)

+replica.run_command(['poweroff'])
+time.sleep(3)

There should not be poweroff, probably sleep could be removed too.


Gone




  *   Automated clean-ruv subcommand test*

1) PEP8, 2 new lines expected
./ipatests/test_integration/test_topology.py:163:1: E302 expected 2
blank lines, found 0
./ipatests/test_integration/test_topology.py:182:80: E501 line too
long
(85 > 79 characters)


Fixed




2)
I don't like doing assert just with count of occurrences of substring in
STDOUT, would it be possible to improve this somehow?


Maybe, but frankly, I don't see how. In this case we are making sure
that both simple and CA-specific RUVs of a replica are displayed. The
format of the output is strict:
Replica Update Vectors:
replica1_hostname:389: RUV_id
replica2

Re: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964

2016-10-13 Thread Oleg Fayans

Hi Martin,

Thanks for the review.
With disabling directory server it works as well, thanks for the hint.
Also I moved the cleanup logic to the test itself for the sake of 
simplicity. Patch-0048 was not changed


On 10/12/2016 02:35 PM, Martin Basti wrote:

1)

Can you just turn off dirsrv on replica instead of doing iptables magic?


2) NACK

No more eval() ever in code, use 'getattr', 'get' or whatever in the
object that can be used.

+evalhost = eval("args[0].%s" % host)

Martin^2

On 12.10.2016 14:03, Oleg Fayans wrote:

Hi Martin,

After extensive discussion with Ludwig, I finally got the clue on how
does this feature work. When we uninstall the replica, the master
cleans the replication agreements with this replica and automatically
cleans all replica's RUVs.
If we clean replica's RUVs on master without uninstalling the replica,
the replica's RUVs get recreated on master (replication works!). So,
the only way to test the clean-ruv subcommand is to turn off the
replica, or block the traffic on it so it gets inaccessible to updates
from master.
The testcases were updated, see [1] and [2]

The updated versions of the patches are attached

[1]
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_.2A-ruv_subcommands_of_ipa-replica-manage_are_extended_to_handle_CA-specific_RUVs


[2]
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_clean-ruv_subcommand


On 08/05/2016 06:36 PM, Martin Basti wrote:



On 03.08.2016 14:45, Oleg Fayans wrote:

Hi Martin,

Thanks for the review! Both patches were updated.

On 07/28/2016 04:11 PM, Martin Basti wrote:



On 08.07.2016 15:41, Oleg Fayans wrote:

Hi Martin,

Thanks for the review!

On 07/08/2016 02:18 PM, Martin Basti wrote:



On 27.06.2016 13:53, Oleg Fayans wrote:

Hi guys,

Is there a chance the patches NN 0047.1 and 0048.1 get reviewed
before
4.4 release? They cover a good part of the Managed Topology 4.4
feature.

On 06/17/2016 11:18 AM, Oleg Fayans wrote:

One more test was added to the patch-0048

On 06/17/2016 09:43 AM, Oleg Fayans wrote:

Fixed a bug in the previous patch, automated 2 more testcases
from
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan





On 06/16/2016 04:46 PM, Oleg Fayans wrote:










IIUC, this will turn off the machine completely, how is cleanup done
then.  AFAIK our tests cannot turn on machine again and run
cleanup, so
you will not be able to run more tests on the same topology without
manual cleanup and manual start.

+replica = self.replicas[0]
+replica.run_command(['poweroff'])

IMO would be better to just call 'ipactl stop' instead of 'poweroff'


Agreed! Fixed.



Martin^2






*Automated ipa-replica-manage del tests*

1)
+replica.run_command(['ipactl', 'stop'])
+time.sleep(3)

Why do you need sleep here?


Removed, it was left from the old "poweroff" approach




2)
+ruvid_re = re.compile(".*%s:389: (\d+).*" % replica.hostname)
+replica_ruvs = ruvid_re.findall(result.stdout_text)
+master.run_command(['ipa-replica-manage', 'clean-ruv', 'f',
+'-p', master.config.dirman_password,
+replica_ruvs[0]])

Because you are using re.findall(), without any match you will receive
IndexError here replica_ruvs[0]. IMO it deserves assert before


Implemented the assert which checks that the output contains enough
replica RUVs



3)
assert(replica.hostname in result1.stdout_text)

I think that this is error prone. What if there is just an error 'could not
connect to replica ', or something similar, instead of
listing/cleaning/whatever operation was executed? I think that it should
be a more specific regexp than just finding a replica name substring. (Yes,
in IPA we don't always print errors to stderr.)

I'm not sure, but probably there might be cases when a non-critical error
happens and the exit status is still 0.


Agree. Implemented a regex-based search



4)

+replica.run_command(['poweroff'])
+time.sleep(3)

There should not be poweroff, probably sleep could be removed too.


Gone




  *   Automated clean-ruv subcommand test*

1) PEP8, 2 new lines expected
./ipatests/test_integration/test_topology.py:163:1: E302 expected 2
blank lines, found 0
./ipatests/test_integration/test_topology.py:182:80: E501 line too
long
(85 > 79 characters)


Fixed




2)
I don't like doing assert just with count of occurrences of substring in
STDOUT, would it be possible to improve this somehow?


Maybe, but frankly, I don't see how. In this case we are making sure
that both simple and CA-specific RUVs of a replica are displayed. The
format of the output is strict:
Replica Update Vectors:
replica1_hostname:389: RUV_id
replica2_hostname:389: RUV_id
Certificate Server Replica Update Vectors:
replica1_hostname:389: RUV_id
replica2_hostname:389: RUV_id
If we do not see 2 occurrences of the replica hostname tha

Re: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964

2016-10-12 Thread Oleg Fayans

Hi Martin,

After extensive discussion with Ludwig, I finally got the clue on how 
does this feature work. When we uninstall the replica, the master cleans 
the replication agreements with this replica and automatically cleans 
all replica's RUVs.
If we clean replica's RUVs on master without uninstalling the replica, 
the replica's RUVs get recreated on master (replication works!). So, the 
only way to test the clean-ruv subcommand is to turn off the replica, or 
block the traffic on it so it gets inaccessible to updates from master.

The testcases were updated, see [1] and [2]

The updated versions of the patches are attached

[1] 
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_.2A-ruv_subcommands_of_ipa-replica-manage_are_extended_to_handle_CA-specific_RUVs


[2] 
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_clean-ruv_subcommand


On 08/05/2016 06:36 PM, Martin Basti wrote:



On 03.08.2016 14:45, Oleg Fayans wrote:

Hi Martin,

Thanks for the review! Both patches were updated.

On 07/28/2016 04:11 PM, Martin Basti wrote:



On 08.07.2016 15:41, Oleg Fayans wrote:

Hi Martin,

Thanks for the review!

On 07/08/2016 02:18 PM, Martin Basti wrote:



On 27.06.2016 13:53, Oleg Fayans wrote:

Hi guys,

Is there a chance the patches NN 0047.1 and 0048.1 get reviewed
before
4.4 release? They cover a good part of the Managed Topology 4.4
feature.

On 06/17/2016 11:18 AM, Oleg Fayans wrote:

One more test was added to the patch-0048

On 06/17/2016 09:43 AM, Oleg Fayans wrote:

Fixed a bug in the previous patch, automated 2 more testcases from
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan




On 06/16/2016 04:46 PM, Oleg Fayans wrote:










IIUC, this will turn off the machine completely, how is cleanup done
then.  AFAIK our tests cannot turn on machine again and run
cleanup, so
you will not be able to run more tests on the same topology without
manual cleanup and manual start.

+replica = self.replicas[0]
+replica.run_command(['poweroff'])

IMO would be better to just call 'ipactl stop' instead of 'poweroff'


Agreed! Fixed.



Martin^2






*Automated ipa-replica-manage del tests*

1)
+replica.run_command(['ipactl', 'stop'])
+time.sleep(3)

Why do you need sleep here?


Removed, it was left from the old "poweroff" approach




2)
+ruvid_re = re.compile(".*%s:389: (\d+).*" % replica.hostname)
+replica_ruvs = ruvid_re.findall(result.stdout_text)
+master.run_command(['ipa-replica-manage', 'clean-ruv', 'f',
+'-p', master.config.dirman_password,
+replica_ruvs[0]])

Because you are using re.findall(), without any match you will receive
IndexError here replica_ruvs[0]. IMO it deserves assert before


Implemented the assert which checks that the output contains enough
replica RUVs



3)
assert(replica.hostname in result1.stdout_text)

I think that this is error prone. What if there is just an error 'could not
connect to replica ', or something similar, instead of
listing/cleaning/whatever operation was executed? I think that it should
be a more specific regexp than just finding a replica name substring. (Yes,
in IPA we don't always print errors to stderr.)

I'm not sure, but probably there might be cases when a non-critical error
happens and the exit status is still 0.


Agree. Implemented a regex-based search



4)

+replica.run_command(['poweroff'])
+time.sleep(3)

There should not be poweroff, probably sleep could be removed too.


Gone




  *   Automated clean-ruv subcommand test*

1) PEP8, 2 new lines expected
./ipatests/test_integration/test_topology.py:163:1: E302 expected 2
blank lines, found 0
./ipatests/test_integration/test_topology.py:182:80: E501 line too long
(85 > 79 characters)


Fixed




2)
I don't like doing assert just with count of occurrences of substring in
STDOUT, would it be possible to improve this somehow?


Maybe, but frankly, I don't see how. In this case we are making sure
that both simple and CA-specific RUVs of a replica are displayed. The
format of the output is strict:
Replica Update Vectors:
replica1_hostname:389: RUV_id
replica2_hostname:389: RUV_id
Certificate Server Replica Update Vectors:
replica1_hostname:389: RUV_id
replica2_hostname:389: RUV_id
If we do not see 2 occurrences of the replica hostname then definitely
something went wrong



3)
I'm not sure if clean-ruv is instant operations or there is some magic
happening in background (we have abort-clean-ruv). Maybe some sleep
should be there, but this needs investigation.

+assert(replica.hostname in result2.stdout_text), (
+"The wrong RUV was deleted")
+result3 = master.run_command(['ipa-replica-manage', 'list-ruv',
+  '-p',
master.config.dirman_password])
+assert(result3.stdout_text.count(replica.hostna

Re: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964

2016-10-07 Thread Oleg Fayans

Hi Ludwig,

Thanks for the clarification! But then why does CSRUV allows to be 
deleted on a working replica? Shouldn't we keep this behavior somehow 
consistent?


On 10/07/2016 09:29 AM, Ludwig Krispenz wrote:


On 09/13/2016 10:10 AM, Oleg Fayans wrote:

Hi Ludwig,

The ipa-replica-manage clean-ruv sometimes does not quite work.

For example: I have a master and 2 replicas. Initial output of
'ipa-replica-manage list-ruv' looks like this:


Replica Update Vectors:
f24replica2.pesen.net:389: 7
f24master.pesen.net:389: 4
f24replica1.pesen.net:389: 3
Certificate Server Replica Update Vectors:
f24master.pesen.net:389: 6
f24replica1.pesen.net:389: 5
f24replica2.pesen.net:389: 8


When I do 'ipa-replica-manage clean-ruv 5' and then list-ruv, it shows
the expected result:

Replica Update Vectors:
f24replica2.pesen.net:389: 7
f24master.pesen.net:389: 4
f24replica1.pesen.net:389: 3
Certificate Server Replica Update Vectors:
f24master.pesen.net:389: 6
f24replica2.pesen.net:389: 8

But when I then do 'ipa-replica-manage clean-ruv 3', the command
executes successfully, but list-ruv still shows 5 RUVs instead of four.

After all nodes are restarted still 5 RUVs are displayed, but if I
clean the RUV N 3 manually again, it works and leaves (expected) 4 RUVs.

Do you have an idea, what it might be and how to debug this?

did you remove the replica before cleaning the ruv, you cannot just run
cleanruv for an active replica, it always will come back.




On 08/05/2016 06:36 PM, Martin Basti wrote:



On 03.08.2016 14:45, Oleg Fayans wrote:

Hi Martin,

Thanks for the review! Both patches were updated.

On 07/28/2016 04:11 PM, Martin Basti wrote:



On 08.07.2016 15:41, Oleg Fayans wrote:

Hi Martin,

Thanks for the review!

On 07/08/2016 02:18 PM, Martin Basti wrote:



On 27.06.2016 13:53, Oleg Fayans wrote:

Hi guys,

Is there a chance the patches NN 0047.1 and 0048.1 get reviewed
before
4.4 release? They cover a good part of the Managed Topology 4.4
feature.

On 06/17/2016 11:18 AM, Oleg Fayans wrote:

One more test was added to the patch-0048

On 06/17/2016 09:43 AM, Oleg Fayans wrote:

Fixed a bug in the previous patch, automated 2 more testcases
from
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan





On 06/16/2016 04:46 PM, Oleg Fayans wrote:










IIUC, this will turn off the machine completely, how is cleanup done
then.  AFAIK our tests cannot turn on machine again and run
cleanup, so
you will not be able to run more tests on the same topology without
manual cleanup and manual start.

+replica = self.replicas[0]
+replica.run_command(['poweroff'])

IMO would be better to just call 'ipactl stop' instead of 'poweroff'


Agreed! Fixed.



Martin^2






*Automated ipa-replica-manage del tests*

1)
+replica.run_command(['ipactl', 'stop'])
+time.sleep(3)

Why do you need sleep here?


Removed, it was left from the old "poweroff" approach




2)
+ruvid_re = re.compile(".*%s:389: (\d+).*" % replica.hostname)
+replica_ruvs = ruvid_re.findall(result.stdout_text)
+master.run_command(['ipa-replica-manage', 'clean-ruv', 'f',
+'-p', master.config.dirman_password,
+replica_ruvs[0]])

Because you are using re.findall(), without any match you will receive
IndexError here replica_ruvs[0]. IMO it deserves assert before


Implemented the assert which checks that the output contains enough
replica RUVs



3)
assert(replica.hostname in result1.stdout_text)

I think that this is error prone. What if there is just an error 'could not
connect to replica ', or something similar, instead of
listing/cleaning/whatever operation was executed? I think that it should
be a more specific regexp than just finding a replica name substring. (Yes,
in IPA we don't always print errors to stderr.)

I'm not sure, but probably there might be cases when a non-critical error
happens and the exit status is still 0.


Agree. Implemented a regex-based search



4)

+replica.run_command(['poweroff'])
+time.sleep(3)

There should not be poweroff, probably sleep could be removed too.


Gone




  *   Automated clean-ruv subcommand test*

1) PEP8, 2 new lines expected
./ipatests/test_integration/test_topology.py:163:1: E302 expected 2
blank lines, found 0
./ipatests/test_integration/test_topology.py:182:80: E501 line too
long
(85 > 79 characters)


Fixed




2)
I don't like doing assert just with count of occurrences of substring in
STDOUT, would it be possible to improve this somehow?


Maybe, but frankly, I don't see how. In this case we are making sure
that both simple and CA-specific RUVs of a replica are displayed. The
format of the output is strict:
Replica Update Vectors:
replica1_hostname:389: RUV_id
replica2_hostname:389: RUV_id
Certificate Server Replica Update Vectors:
replica1_hostname:389: RUV_id
replica2_hostname:389: RUV_id
If we d

Re: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964

2016-10-07 Thread Oleg Fayans

Ping for review

On 10/05/2016 12:02 PM, Oleg Fayans wrote:

Hi Ludwig,

Could you please take a look at it when you have time?

On 09/13/2016 10:10 AM, Oleg Fayans wrote:

Hi Ludwig,

The ipa-replica-manage clean-ruv sometimes does not quite work.

For example: I have a master and 2 replicas. Initial output of
'ipa-replica-manage list-ruv' looks like this:


Replica Update Vectors:
f24replica2.pesen.net:389: 7
f24master.pesen.net:389: 4
f24replica1.pesen.net:389: 3
Certificate Server Replica Update Vectors:
f24master.pesen.net:389: 6
f24replica1.pesen.net:389: 5
f24replica2.pesen.net:389: 8


When I do 'ipa-replica-manage clean-ruv 5' and then list-ruv, it shows
the expected result:

Replica Update Vectors:
f24replica2.pesen.net:389: 7
f24master.pesen.net:389: 4
f24replica1.pesen.net:389: 3
Certificate Server Replica Update Vectors:
f24master.pesen.net:389: 6
f24replica2.pesen.net:389: 8

But when I then do 'ipa-replica-manage clean-ruv 3', the command
executes successfully, but list-ruv still shows 5 RUVs instead of four.

After all nodes are restarted still 5 RUVs are displayed, but if I
clean the RUV N 3 manually again, it works and leaves (expected) 4 RUVs.

Do you have an idea, what it might be and how to debug this?


On 08/05/2016 06:36 PM, Martin Basti wrote:



On 03.08.2016 14:45, Oleg Fayans wrote:

Hi Martin,

Thanks for the review! Both patches were updated.

On 07/28/2016 04:11 PM, Martin Basti wrote:



On 08.07.2016 15:41, Oleg Fayans wrote:

Hi Martin,

Thanks for the review!

On 07/08/2016 02:18 PM, Martin Basti wrote:



On 27.06.2016 13:53, Oleg Fayans wrote:

Hi guys,

Is there a chance the patches NN 0047.1 and 0048.1 get reviewed
before
4.4 release? They cover a good part of the Managed Topology 4.4
feature.

On 06/17/2016 11:18 AM, Oleg Fayans wrote:

One more test was added to the patch-0048

On 06/17/2016 09:43 AM, Oleg Fayans wrote:

Fixed a bug in the previous patch, automated 2 more testcases
from
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan






On 06/16/2016 04:46 PM, Oleg Fayans wrote:










IIUC, this will turn off the machine completely, how is cleanup done
then.  AFAIK our tests cannot turn on machine again and run
cleanup, so
you will not be able to run more tests on the same topology without
manual cleanup and manual start.

+replica = self.replicas[0]
+replica.run_command(['poweroff'])

IMO would be better to just call 'ipactl stop' instead of 'poweroff'


Agreed! Fixed.



Martin^2






*Automated ipa-replica-manage del tests*

1)
+replica.run_command(['ipactl', 'stop'])
+time.sleep(3)

Why do you need sleep here?


Removed, it was left from the old "poweroff" approach




2)
+ruvid_re = re.compile(".*%s:389: (\d+).*" % replica.hostname)
+replica_ruvs = ruvid_re.findall(result.stdout_text)
+master.run_command(['ipa-replica-manage', 'clean-ruv', 'f',
+'-p', master.config.dirman_password,
+replica_ruvs[0]])

Because you are using re.findall(), without any match you will receive
IndexError here replica_ruvs[0]. IMO it deserves assert before


Implemented the assert which checks that the output contains enough
replica RUVs



3)
assert(replica.hostname in result1.stdout_text)

I think that this is error prone. What if there is just an error 'could not
connect to replica ', or something similar, instead of
listing/cleaning/whatever operation was executed? I think that it should
be a more specific regexp than just finding a replica name substring. (Yes,
in IPA we don't always print errors to stderr.)

I'm not sure, but probably there might be cases when a non-critical error
happens and the exit status is still 0.


Agree. Implemented a regex-based search



4)

+replica.run_command(['poweroff'])
+time.sleep(3)

There should not be poweroff, probably sleep could be removed too.


Gone




  *   Automated clean-ruv subcommand test*

1) PEP8, 2 new lines expected
./ipatests/test_integration/test_topology.py:163:1: E302 expected 2
blank lines, found 0
./ipatests/test_integration/test_topology.py:182:80: E501 line too
long
(85 > 79 characters)


Fixed




2)
I don't like doing assert just with count of occurrences of substring in
STDOUT, would it be possible to improve this somehow?


Maybe, but frankly, I don't see how. In this case we are making sure
that both simple and CA-specific RUVs of a replica are displayed. The
format of the output is strict:
Replica Update Vectors:
replica1_hostname:389: RUV_id
replica2_hostname:389: RUV_id
Certificate Server Replica Update Vectors:
replica1_hostname:389: RUV_id
replica2_hostname:389: RUV_id
If we do not see 2 occurrences of the replica hostname then definitely
something went wrong



3)
I'm not sure if clean-ruv is instant operations or there is some magic
happening in background (we have abort-clean-ruv). 
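
A stricter alternative to the substring and count checks on list-ruv output debated in this thread, as an added example (not code from the patches or from FreeIPA). It assumes the output has exactly the two-section layout quoted above; the function names and the error text are hypothetical.

```python
import re

# list-ruv output as quoted in this thread (indentation is constructed).
SAMPLE_LIST_RUV = """\
Replica Update Vectors:
    f24replica2.pesen.net:389: 7
    f24master.pesen.net:389: 4
    f24replica1.pesen.net:389: 3
Certificate Server Replica Update Vectors:
    f24master.pesen.net:389: 6
    f24replica1.pesen.net:389: 5
    f24replica2.pesen.net:389: 8
"""

# Constructed failure output: the hostname is present, but nothing was listed.
SAMPLE_ERROR = "Could not connect to f24replica1.pesen.net:389\n"

# Assumption: these two headers are the only section titles in the output.
SECTIONS = {
    "Replica Update Vectors:": "domain",
    "Certificate Server Replica Update Vectors:": "ca",
}
# One entry per line: <hostname>:<port>: <replica id>
RUV_LINE = re.compile(r"^(?P<host>[^\s:]+):(?P<port>\d+):\s*(?P<rid>\d+)$")


def parse_list_ruv(stdout_text):
    """Parse list-ruv output into {'domain': {host: [ids]}, 'ca': {host: [ids]}}.

    Any line that is neither a known section header nor a RUV entry raises
    ValueError, so an error message mentioning a hostname cannot pass as data.
    """
    ruvs = {"domain": {}, "ca": {}}
    section = None
    for raw in stdout_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = SECTIONS[line]
            continue
        match = RUV_LINE.match(line)
        if section is None or match is None:
            raise ValueError("unexpected list-ruv line: %r" % raw)
        ruvs[section].setdefault(match.group("host"), []).append(
            int(match.group("rid")))
    return ruvs


def replica_ruv_ids(stdout_text, hostname):
    """Return the RUV ids listed for exactly this hostname, per section."""
    ruvs = parse_list_ruv(stdout_text)
    return {kind: ruvs[kind].get(hostname, []) for kind in ("domain", "ca")}


def ruv_id_to_clean(stdout_text, hostname, kind="domain"):
    """Pick the id to hand to clean-ruv, failing with a message, not IndexError."""
    ids = replica_ruv_ids(stdout_text, hostname)[kind]
    assert ids, "no %s RUV listed for %s" % (kind, hostname)
    return ids[0]


def naive_check(stdout_text, hostname):
    """The substring check under review, kept only for comparison."""
    return hostname in stdout_text


if __name__ == "__main__":
    host = "f24replica1.pesen.net"
    print(replica_ruv_ids(SAMPLE_LIST_RUV, host))
    print("substring check on error output:", naive_check(SAMPLE_ERROR, host))
    try:
        parse_list_ruv(SAMPLE_ERROR)
    except ValueError as err:
        print("rejected:", err)
```

Because hostnames are compared as whole dictionary keys, a shorter name that is only a substring of a listed replica is not counted, and no hostname is ever interpolated into a regular expression.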

Re: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964

2016-10-05 Thread Oleg Fayans

Hi Ludwig,

Could you please take a look at it when you have time?

On 09/13/2016 10:10 AM, Oleg Fayans wrote:

Hi Ludwig,

The ipa-replica-manage clean-ruv sometimes does not quite work.

For example: I have a master and 2 replicas. Initial output of
'ipa-replica-manage list-ruv' looks like this:


Replica Update Vectors:
f24replica2.pesen.net:389: 7
f24master.pesen.net:389: 4
f24replica1.pesen.net:389: 3
Certificate Server Replica Update Vectors:
f24master.pesen.net:389: 6
f24replica1.pesen.net:389: 5
f24replica2.pesen.net:389: 8


When I do 'ipa-replica-manage clean-ruv 5' and then list-ruv, it shows
the expected result:

Replica Update Vectors:
f24replica2.pesen.net:389: 7
f24master.pesen.net:389: 4
f24replica1.pesen.net:389: 3
Certificate Server Replica Update Vectors:
f24master.pesen.net:389: 6
f24replica2.pesen.net:389: 8

But when I then do 'ipa-replica-manage clean-ruv 3', the command
executes successfully, but list-ruv still shows 5 RUVs instead of four.

After all nodes are restarted still 5 RUVs are displayed, but if I
clean the RUV N 3 manually again, it works and leaves (expected) 4 RUVs.

Do you have an idea, what it might be and how to debug this?


On 08/05/2016 06:36 PM, Martin Basti wrote:



On 03.08.2016 14:45, Oleg Fayans wrote:

Hi Martin,

Thanks for the review! Both patches were updated.

On 07/28/2016 04:11 PM, Martin Basti wrote:



On 08.07.2016 15:41, Oleg Fayans wrote:

Hi Martin,

Thanks for the review!

On 07/08/2016 02:18 PM, Martin Basti wrote:



On 27.06.2016 13:53, Oleg Fayans wrote:

Hi guys,

Is there a chance the patches NN 0047.1 and 0048.1 get reviewed before
4.4 release? They cover a good part of the Managed Topology 4.4 feature.

On 06/17/2016 11:18 AM, Oleg Fayans wrote:

One more test was added to the patch-0048

On 06/17/2016 09:43 AM, Oleg Fayans wrote:

Fixed a bug in the previous patch, automated 2 more testcases from
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan





On 06/16/2016 04:46 PM, Oleg Fayans wrote:










IIUC, this will turn off the machine completely, how is cleanup done
then? AFAIK our tests cannot turn on machine again and run cleanup, so
you will not be able to run more tests on the same topology without
manual cleanup and manual start.

+replica = self.replicas[0]
+replica.run_command(['poweroff'])

IMO would be better to just call 'ipactl stop' instead of 'poweroff'


Agreed! Fixed.



Martin^2






*Automated ipa-replica-manage del tests*

1)
+replica.run_command(['ipactl', 'stop'])
+time.sleep(3)

Why do you need sleep here?


Removed, it was left from the old "poweroff" approach




2)
+ruvid_re = re.compile(".*%s:389: (\d+).*" % replica.hostname)
+replica_ruvs = ruvid_re.findall(result.stdout_text)
+master.run_command(['ipa-replica-manage', 'clean-ruv', 'f',
+'-p', master.config.dirman_password,
+replica_ruvs[0]])
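
Review bot: `'f'` in the `clean-ruv` argument list is passed as a bare positional argument; if `-f` was meant, the dash is missing. In the same fragment `replica.hostname` is interpolated into `ruvid_re` unescaped, so every `.` in the hostname matches any character; wrap it in `re.escape()` so only that replica's lines can match. Passing `master.config.dirman_password` through `-p` also places the Directory Manager password on the command line of the test host.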

Because you are using re.findall(), without any match you will receive
IndexError here replica_ruvs[0]. IMO it deserves assert before


Implemented the assert which checks that the output contains enough
replica RUVs



3)
assert(replica.hostname in result1.stdout_text)

I think that this is error prone. What if there is just error 'could not
connect to replica ', or something similar. instead of
listing/cleaning/whatever operation was executed. I think that it should
be more specific regexp than just finding a replica name substring (Yes
In IPA we don't always print error to stderr)

I'm not sure, but probably there might be cases when a non-critical error
happens and the exit status is still 0


Agree. Implemented a regex-based search



4)

+replica.run_command(['poweroff'])
+time.sleep(3)

There should not be poweroff, probably sleep could be removed too.


Gone




*Automated clean-ruv subcommand test*

1) PEP8, 2 new lines expected
./ipatests/test_integration/test_topology.py:163:1: E302 expected 2 blank lines, found 0
./ipatests/test_integration/test_topology.py:182:80: E501 line too long (85 > 79 characters)


Fixed




2)
I don't like doing assert just with count of occurrences of substring in
STDOUT, would it be possible to improve this somehow?


Maybe, but frankly, I don't see how. In this case we are making sure
that both simple and CA-specific RUVs of a replica are displayed. The
format of the output is strict:
Replica Update Vectors:
replica1_hostname:389: RUV_id
replica2_hostname:389: RUV_id
Certificate Server Replica Update Vectors:
replica1_hostname:389: RUV_id
replica2_hostname:389: RUV_id
If we do not see 2 occurrences of the replica hostname then definitely
something went wrong



3)
I'm not sure if clean-ruv is an instant operation or there is some magic
happening in background (we have abort-clean-ruv). Maybe some sleep
should be there, but this needs investigation.

+
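
The list-ruv checks discussed in this thread (counting hostname occurrences versus a stricter match), as an added example that is not code from the patches or from FreeIPA: it parses the output format quoted above into its two sections so a test can assert on exact hostnames and RUV ids. The function names and the error line are assumptions made for the illustration; the two sample outputs are the ones quoted in the messages above.

```python
import re

DOMAIN_HEADER = "Replica Update Vectors:"
CA_HEADER = "Certificate Server Replica Update Vectors:"
# One entry: "<hostname>:<port>: <RUV id>", optionally indented.
ENTRY_RE = re.compile(
    r"^\s*(?P<host>[A-Za-z0-9.-]+):(?P<port>\d+):\s*(?P<ruv>\d+)\s*$")

# list-ruv output as quoted in the thread (master and two replicas).
INITIAL = """\
Replica Update Vectors:
f24replica2.pesen.net:389: 7
f24master.pesen.net:389: 4
f24replica1.pesen.net:389: 3
Certificate Server Replica Update Vectors:
f24master.pesen.net:389: 6
f24replica1.pesen.net:389: 5
f24replica2.pesen.net:389: 8
"""

# Output quoted in the thread after 'ipa-replica-manage clean-ruv 5'.
AFTER_CLEAN_RUV_5 = """\
Replica Update Vectors:
f24replica2.pesen.net:389: 7
f24master.pesen.net:389: 4
f24replica1.pesen.net:389: 3
Certificate Server Replica Update Vectors:
f24master.pesen.net:389: 6
f24replica2.pesen.net:389: 8
"""

# Constructed error text (assumption): names the replica but lists no RUV.
ERROR_TEXT = "Could not connect to replica f24replica1.pesen.net\n"


def parse_list_ruv(text):
    """Split list-ruv output into its two sections.

    Returns (sections, unparsed). sections maps "domain" and "ca" to a list
    of (hostname, port, ruv_id) tuples. unparsed holds every non-empty line
    that is neither a section header nor a well-formed entry under a header.
    """
    sections = {"domain": [], "ca": []}
    unparsed = []
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped == DOMAIN_HEADER:
            current = "domain"
        elif stripped == CA_HEADER:
            current = "ca"
        else:
            match = ENTRY_RE.match(line)
            if match and current is not None:
                sections[current].append((match.group("host"),
                                          int(match.group("port")),
                                          int(match.group("ruv"))))
            else:
                unparsed.append(stripped)
    return sections, unparsed


def ruv_ids(sections, section, hostname):
    """RUV ids listed for exactly this hostname in one section."""
    return [ruv for host, _port, ruv in sections[section] if host == hostname]


def removed_ruvs(before_text, after_text):
    """Set of (section, hostname, ruv_id) listed before and missing after."""
    def as_set(text):
        sections, _unparsed = parse_list_ruv(text)
        return {(name, host, ruv)
                for name, entries in sections.items()
                for host, _port, ruv in entries}
    return as_set(before_text) - as_set(after_text)


def ruv_was_cleaned(before_text, after_text, section, hostname, ruv_id):
    """True only if exactly this RUV disappeared and the output parsed fully."""
    _sections, unparsed = parse_list_ruv(after_text)
    return (not unparsed and
            removed_ruvs(before_text, after_text) ==
            {(section, hostname, ruv_id)})


if __name__ == "__main__":
    replica = "f24replica1.pesen.net"
    print(ruv_was_cleaned(INITIAL, AFTER_CLEAN_RUV_5, "ca", replica, 5))
    # Second clean-ruv from the thread: the listing did not change.
    print(ruv_was_cleaned(AFTER_CLEAN_RUV_5, AFTER_CLEAN_RUV_5,
                          "domain", replica, 3))
```

A substring test such as `replica.hostname in stdout_text` passes on the constructed error line, while the parser reports it as unparsed and finds no RUV entry.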

Re: [Freeipa-devel] [PATCH] ca-less tests updated

2016-09-22 Thread Oleg Fayans

Fixed patch N 41

On 09/21/2016 04:21 PM, Oleg Fayans wrote:

Patch-0076 rebased to current master

On 09/21/2016 02:41 PM, Oleg Fayans wrote:

Hi David,

As per your comments the patches were once again refactored. I am
attaching the full set of them, please ignore any previous versions
The patches apply cleanly on master and pylint swallows the resulting
code silently

On 09/12/2016 09:51 AM, David Kupka wrote:

Hi Oleg,
thank you, now it's completely different game.
Please add prefix to commit message summaries. Simply prepending "tests:
" should be OK.

0041 - -h is deprecated in favor of -H.
0062 - 0068 - LGTM
0069 - I see 2 unrelated changes in the patch, please split them:
- 1 - certutil -> paths.CERTUTIL
- 2 - assert
0070 - I see 2 unrelated changes in the patch, please split them:
- 1 - teardown
- 2 - TestReplicaInstall.setUp -> TestReplicaInstall.install
0071 - typos in commit message, I see 5 unrelated changes in that patch:
 - 1 - error messages in assert
 - 2 - certificates used
 - 3 - verify_installation called only in DOMAIN_LEVEL_0.
 - 4 - TestCertinstall.install
 - 5 - TestCertinstall.certinstall
0072 - 0077 - LGTM

On 09/09/16 15:22, Oleg Fayans wrote:

Hi David, team

According to your suggestions I've split my commits so that each
commit addresses some particular problem. One patch (0071) still
contains several unrelated fixes, but they mostly reflect changes in
error messages and really small but numerous bugfixes that I did not
consider worthy of a separate commit each. Please, whenever you have a
free time take a look at this new bunch of patches.

Thanks!

On 09/06/2016 04:41 PM, David Kupka wrote:

Hi Oleg!

0013 - It looks like there are two unrelated changes, addition of CRL
distribution extension and creating certificate signed by no longer
existing CA. Please create separate patch for each of the changes, and
describe the change and reason for it in commit messages.

0014 - Could you please split the patch to "numerous" commit each fixing
one error? Please also describe each fix so everyone has at least vague
idea about the patch without reading its code. Also why do you introduce
global variable config, I don't see it used anywhere.

0039 - It looks like multiple different changes and commit message says
nothing again. Please split and describe what did you change and why.

0041 - Looks like weird workaround to me. It would be better to
investigate the root cause and fix it. Or at least describe the cause in
commit message and code comment if it can't be fixed. Also "-h is
deprecated in favor of -H" says man 1 ldapmodify.


On 05/09/16 14:32, Oleg Fayans wrote:

Hi guys,

Finally the ca-less tests are stable. Here in the attachment is the full
set of necessary patches.


On 08/09/2016 10:57 AM, Oleg Fayans wrote:

Hi all,

Bump for the review of the 0013 patch. The script it addresses can be
reused in some WebUI tests - one more reason to have it reviewed/merged

The rest patches should be re-tested, since they were prepared a good
while ago

On 05/10/2016 05:08 PM, Oleg Fayans wrote:

Hi David,

After quite a while and some more struggles here comes the updated
version of the patch together with other patches fixing things in
ipatests/test_integration/tasks.py
Server and replica installation was refactored in a way to utilize the
code from tasks.py as much as it is possible

The full set of necessary patches is attached


On 04/20/2016 10:35 AM, David Kupka wrote:

On 19/04/16 11:13, Oleg Fayans wrote:

OK, that one, though passing lint, did not actually work. I gave up my
attempts to define method decorators inside the class. Now it passes
lint AND works:)



Hi Oleg!

1) Current commit message is useless. Please use it to describe what is
the point of the patch.

2) $ git show -U0 | pep8 --diff
./ipatests/test_integration/test_caless.py:66:1: E302 expected 2 blank lines, found 1
./ipatests/test_integration/test_caless.py:74:1: E302 expected 2 blank lines, found 1
./ipatests/test_integration/test_caless.py:820:5: E303 too many blank lines (2)
./ipatests/test_integration/test_caless.py:825:80: E501 line too long (80 > 79 characters)
./ipatests/test_integration/test_caless.py:1035:44: E225 missing whitespace around operator


3) Isn't there a way to do this with pytest's fixtures?


+def server_install_teardown(func):
+def wrapped(*args):
+try:
+func(*args)
+finally:
+args[0].uninstall_server()
+return wrapped
+
+def replica_install_teardown(func):
+def wrapped(*args):
+try:
+func(*args)
+finally:
+# Uninstall replica
+replica = args[0].replicas[0]
+tasks.kinit_admin(args[0].master)
+args[0].uninstall_server(replica)
+args[0].master.run_command(['ipa-replica-manage',
'del',
+replica.hostname,
'--force'],
+ 

Re: [Freeipa-devel] [PATCH] ca-less tests updated

2016-09-21 Thread Oleg Fayans

Patch-0076 rebased to current master

On 09/21/2016 02:41 PM, Oleg Fayans wrote:

Hi David,

As per your comments the patches were once again refactored. I am
attaching the full set of them, please ignore any previous versions
The patches apply cleanly on master and pylint swallows the resulting
code silently

On 09/12/2016 09:51 AM, David Kupka wrote:

Hi Oleg,
thank you, now it's completely different game.
Please add prefix to commit message summaries. Simply prepending "tests:
" should be OK.

0041 - -h is deprecated in favor of -H.
0062 - 0068 - LGTM
0069 - I see 2 unrelated changes in the patch, please split them:
- 1 - certutil -> paths.CERTUTIL
- 2 - assert
0070 - I see 2 unrelated changes in the patch, please split them:
- 1 - teardown
- 2 - TestReplicaInstall.setUp -> TestReplicaInstall.install
0071 - typos in commit message, I see 5 unrelated changes in that patch:
 - 1 - error messages in assert
 - 2 - certificates used
 - 3 - verify_installation called only in DOMAIN_LEVEL_0.
 - 4 - TestCertinstall.install
 - 5 - TestCertinstall.certinstall
0072 - 0077 - LGTM

On 09/09/16 15:22, Oleg Fayans wrote:

Hi David, team

According to your suggestions I've split my commits so that each
commit addresses some particular problem. One patch (0071) still
contains several unrelated fixes, but they mostly reflect changes in
error messages and really small but numerous bugfixes that I did not
consider worthy of a separate commit each. Please, whenever you have a
free time take a look at this new bunch of patches.

Thanks!

On 09/06/2016 04:41 PM, David Kupka wrote:

Hi Oleg!

0013 - It looks like there are two unrelated changes, addition of CRL
distribution extension and creating certificate signed by no longer
existing CA. Please create separate patch for each of the changes, and
describe the change and reason for it in commit messages.

0014 - Could you please split the patch to "numerous" commit each fixing
one error? Please also describe each fix so everyone has at least vague
idea about the patch without reading its code. Also why do you introduce
global variable config, I don't see it used anywhere.

0039 - It looks like multiple different changes and commit message says
nothing again. Please split and describe what did you change and why.

0041 - Looks like weird workaround to me. It would be better to
investigate the root cause and fix it. Or at least describe the cause in
commit message and code comment if it can't be fixed. Also "-h is
deprecated in favor of -H" says man 1 ldapmodify.


On 05/09/16 14:32, Oleg Fayans wrote:

Hi guys,

Finally the ca-less tests are stable. Here in the attachment is the full
set of necessary patches.


On 08/09/2016 10:57 AM, Oleg Fayans wrote:

Hi all,

Bump for the review of the 0013 patch. The script it addresses can be
reused in some WebUI tests - one more reason to have it reviewed/merged

The rest patches should be re-tested, since they were prepared a good
while ago

On 05/10/2016 05:08 PM, Oleg Fayans wrote:

Hi David,

After quite a while and some more struggles here comes the updated
version of the patch together with other patches fixing things in
ipatests/test_integration/tasks.py
Server and replica installation was refactored in a way to utilize the
code from tasks.py as much as it is possible

The full set of necessary patches is attached


On 04/20/2016 10:35 AM, David Kupka wrote:

On 19/04/16 11:13, Oleg Fayans wrote:

OK, that one, though passing lint, did not actually work. I gave up my
attempts to define method decorators inside the class. Now it passes
lint AND works:)



Hi Oleg!

1) Current commit message is useless. Please use it to describe what is
the point of the patch.

2) $ git show -U0 | pep8 --diff
./ipatests/test_integration/test_caless.py:66:1: E302 expected 2 blank lines, found 1
./ipatests/test_integration/test_caless.py:74:1: E302 expected 2 blank lines, found 1
./ipatests/test_integration/test_caless.py:820:5: E303 too many blank lines (2)
./ipatests/test_integration/test_caless.py:825:80: E501 line too long (80 > 79 characters)
./ipatests/test_integration/test_caless.py:1035:44: E225 missing whitespace around operator


3) Isn't there a way to do this with pytest's fixtures?


+def server_install_teardown(func):
+def wrapped(*args):
+try:
+func(*args)
+finally:
+args[0].uninstall_server()
+return wrapped
+
+def replica_install_teardown(func):
+def wrapped(*args):
+try:
+func(*args)
+finally:
+# Uninstall replica
+replica = args[0].replicas[0]
+tasks.kinit_admin(args[0].master)
+args[0].uninstall_server(replica)
+args[0].master.run_command(['ipa-replica-manage',
'del',
+replica.hostname,
'--force'],
+   raiseonerr=False)
+args[

Re: [Freeipa-devel] [PATCH] ca-less tests updated

2016-09-21 Thread Oleg Fayans

Hi David,

As per your comments the patches were once again refactored. I am 
attaching the full set of them, please ignore any previous versions
The patches apply cleanly on master and pylint swallows the resulting 
code silently


On 09/12/2016 09:51 AM, David Kupka wrote:

Hi Oleg,
thank you, now it's completely different game.
Please add prefix to commit message summaries. Simply prepending "tests:
" should be OK.

0041 - -h is deprecated in favor of -H.
0062 - 0068 - LGTM
0069 - I see 2 unrelated changes in the patch, please split them:
- 1 - certutil -> paths.CERTUTIL
- 2 - assert
0070 - I see 2 unrelated changes in the patch, please split them:
- 1 - teardown
- 2 - TestReplicaInstall.setUp -> TestReplicaInstall.install
0071 - typos in commit message, I see 5 unrelated changes in that patch:
 - 1 - error messages in assert
 - 2 - certificates used
 - 3 - verify_installation called only in DOMAIN_LEVEL_0.
 - 4 - TestCertinstall.install
 - 5 - TestCertinstall.certinstall
0072 - 0077 - LGTM

On 09/09/16 15:22, Oleg Fayans wrote:

Hi David, team

According to your suggestions I've split my commits so that each
commit addresses some particular problem. One patch (0071) still
contains several unrelated fixes, but they mostly reflect changes in
error messages and really small but numerous bugfixes that I did not
consider worthy of a separate commit each. Please, whenever you have a
free time take a look at this new bunch of patches.

Thanks!

On 09/06/2016 04:41 PM, David Kupka wrote:

Hi Oleg!

0013 - It looks like there are two unrelated changes, addition of CRL
distribution extension and creating certificate signed by no longer
existing CA. Please create separate patch for each of the changes, and
describe the change and reason for it in commit messages.

0014 - Could you please split the patch to "numerous" commit each fixing
one error? Please also describe each fix so everyone has at least vague
idea about the patch without reading its code. Also why do you introduce
global variable config, I don't see it used anywhere.

0039 - It looks like multiple different changes and commit message says
nothing again. Please split and describe what did you change and why.

0041 - Looks like weird workaround to me. It would be better to
investigate the root cause and fix it. Or at least describe the cause in
commit message and code comment if it can't be fixed. Also "-h is
deprecated in favor of -H" says man 1 ldapmodify.


On 05/09/16 14:32, Oleg Fayans wrote:

Hi guys,

Finally the ca-less tests are stable. Here in the attachment is the full
set of necessary patches.


On 08/09/2016 10:57 AM, Oleg Fayans wrote:

Hi all,

Bump for the review of the 0013 patch. The script it addresses can be
reused in some WebUI tests - one more reason to have it reviewed/merged

The rest patches should be re-tested, since they were prepared a good
while ago

On 05/10/2016 05:08 PM, Oleg Fayans wrote:

Hi David,

After quite a while and some more struggles here comes the updated
version of the patch together with other patches fixing things in
ipatests/test_integration/tasks.py
Server and replica installation was refactored in a way to utilize the
code from tasks.py as much as it is possible

The full set of necessary patches is attached


On 04/20/2016 10:35 AM, David Kupka wrote:

On 19/04/16 11:13, Oleg Fayans wrote:

OK, that one, though passing lint, did not actually work. I gave up my
attempts to define method decorators inside the class. Now it passes
lint AND works:)



Hi Oleg!

1) Current commit message is useless. Please use it to describe what is
the point of the patch.

2) $ git show -U0 | pep8 --diff
./ipatests/test_integration/test_caless.py:66:1: E302 expected 2 blank lines, found 1
./ipatests/test_integration/test_caless.py:74:1: E302 expected 2 blank lines, found 1
./ipatests/test_integration/test_caless.py:820:5: E303 too many blank lines (2)
./ipatests/test_integration/test_caless.py:825:80: E501 line too long (80 > 79 characters)
./ipatests/test_integration/test_caless.py:1035:44: E225 missing whitespace around operator


3) Isn't there a way to do this with pytest's fixtures?


+def server_install_teardown(func):
+def wrapped(*args):
+try:
+func(*args)
+finally:
+args[0].uninstall_server()
+return wrapped
+
+def replica_install_teardown(func):
+def wrapped(*args):
+try:
+func(*args)
+finally:
+# Uninstall replica
+replica = args[0].replicas[0]
+tasks.kinit_admin(args[0].master)
+args[0].uninstall_server(replica)
+args[0].master.run_command(['ipa-replica-manage',
'del',
+replica.hostname,
'--force'],
+   raiseonerr=False)
+args[0].master.run_command(['ipa', 'host-del',
+replica.hostname],
+  
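
Review bot: `wrapped(*args)` in both decorators hides the test's signature and drops keyword arguments, so a decorated test can no longer receive pytest fixtures, and without `functools.wraps` the test's name and docstring are replaced by those of `wrapped`. In `replica_install_teardown` the `finally` block runs `tasks.kinit_admin(args[0].master)` and `args[0].uninstall_server(replica)` unguarded, so an exception raised during cleanup replaces the original test failure; guard the cleanup steps so the first error is the one reported, or move the cleanup into a fixture finalizer as the review question suggests.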

Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-09-15 Thread Oleg Fayans

Hi Martin,

The file was renamed. Did I understand correctly that for now we are 
leaving the test as is and are planning to extend it later?


On 09/15/2016 09:49 AM, Martin Basti wrote:



On 14.09.2016 18:53, Sumit Bose wrote:

On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:


On 14.09.2016 17:53, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:


On 14.09.2016 17:41, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:

1)
I still don't see the reason why AD trust is needed. Default
trust ID view is added just by ipa-adtrust-install, adding
trust is not needed for current implementation. You don't
need AD for this, IDviews is generic feature not just for
AD. Is that user configured on AD side?

You cannot add non-AD user to 'default trust view', so you will not be
able to set up certificates to ID override which does not exist.

For non-'default trust view' you can add both IPA and AD users, so using
some other view and then assign certificate for a ID override in that
one.

Ok then, but anyway I would like to see API/CLI tests for this
feature with proper output validation.


How can this be tested with SSSD?

You need to log into the system with a certificate...

Is this possible from test? We are logged remotely as root, is there any
cmdline util which allows us to test certificate against AD user?


You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should
return the ssh key derived from the public key in the certificate. This
should work for certificate stored in AD as well as for overrides.

You can also use the DBus lookup by certificate as described in
https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate .

HTH

bye,
Sumit


Thank you Alexander and Sumit for hints.

Oleg I realized we don't have any other idviews integration tests

So I propose to rename test file you are adding to test_idviews.py. We
can add more testcases for idviews there later

Martin^2

Martin^2





--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 1a0039b64023b0bb3c9289128413b4ccef489ec4 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Tue, 6 Sep 2016 13:55:16 +0200
Subject: [PATCH] Automated test for certs in idoverrides feature

https://fedorahosted.org/freeipa/ticket/6005
---
 .../test_integration/test_idviews.py  | 121 +
 1 file changed, 121 insertions(+)
 create mode 100644 ipatests/test_integration/test_idviews.py

diff --git a/ipatests/test_integration/test_idviews.py b/ipatests/test_integration/test_idviews.py
new file mode 100644
index ..762ce71a5ed8883b2a2d5bc4185b5ffcb52a4edb
--- /dev/null
+++ b/ipatests/test_integration/test_idviews.py
@@ -0,0 +1,121 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+import os
+import re
+import string
+from ipatests.test_integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration.tasks import assert_error
+from ipatests.test_integration.env_config import get_global_config
+config = get_global_config()
+
+
+class TestCertsInIDOverrides(IntegrationTest):
+topology = "line"
+service_certprofile = 'caIPAserviceCert'
+num_ad_domains = 1
+user_certprofile = 'caIPAuserCert'
+adview = 'Default Trust View'
+cert_re = re.compile('Certificate: (?P.*?)\\s+.*')
+ad = config.ad_domains[0].ads[0]
+ad_domain = ad.domain.name
+aduser = "testuser@%s" % ad_domain
+adcert1 = 'MyCert1'
+adcert2 = 'MyCert2'
+adcert1_file = adcert1 + '.crt'
+adcert2_file = adcert2 + '.crt'
+
+@classmethod
+def uninstall(cls, mh):
+super(TestCertsInIDOverrides, cls).uninstall(mh)
+cls.master.run_command(['rm', '-rf', cls.reqdir], raiseonerr=False)
+
+@classmethod
+def install(cls, mh):
+super(TestCertsInIDOverrides, cls).install(mh)
+master = cls.master
+
+# AD-related stuff
+tasks.install_adtrust(master)
+tasks.sync_time(master, cls.ad)
+tasks.establish_trust_with_ad(cls.master, cls.ad_domain,
+  extra_args=['--range-type',
+  'ipa-ad-trust'])
+
+tasks.sync_time(cls.master, cls.ad)
+master.run_command(['ipa', 'certprofile-show', cls.service_certprofile,
+"--out=%s.txt" % cls.user_certprofile])
+master.run_command("sed -i \"s/profileId=%s/profileId=%s/\" %s.txt" % (
+cls.service_certprofile, cls.user_certprofile,
+cls.user_certprofile)
+)
+master.run_command(['ipa', 'certprofile-import', cls.user_certprofile,
+  
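
Review bot: `ad = config.ad_domains[0].ads[0]` in the class body, fed by the module-level `config = get_global_config()`, is evaluated when the file is imported, so on a configuration with no AD domain the module fails during collection instead of the test being reported cleanly; resolve the AD host inside `install()` and keep only literal constants at class level. `cert_re` as posted contains `(?P.*?)`, which `re.compile` rejects because the group has no name. The `sed -i` call is assembled with `%` interpolation into a single shell string while the neighbouring `run_command` calls use the list form; the list form avoids shell parsing of the interpolated values.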

Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-09-14 Thread Oleg Fayans

Ping for review.

On 09/06/2016 01:57 PM, Oleg Fayans wrote:

The test is updated to clean up after itself

On 09/06/2016 12:57 PM, Oleg Fayans wrote:

Hi Martin,

Thanks for the review. The updated patches are attached. Please, see my
comments below

On 08/30/2016 01:58 PM, Martin Basti wrote:



On 22.08.2016 13:18, Oleg Fayans wrote:

ping for review

On 08/02/2016 01:11 PM, Oleg Fayans wrote:

Hi Martin,

I did! Thank you!

On 08/02/2016 12:31 PM, Martin Basti wrote:



On 01.08.2016 22:46, Oleg Fayans wrote:

The test was redesigned so that it actually tests against an AD user.
Cleanly applies, passes lint and passes

https://paste.fedoraproject.org/399504/00843641/


Okay

Did you forget to send patches?

Martin^2



On 06/28/2016 01:40 PM, Oleg Fayans wrote:

Patch-0050 rebased against latest upstream branch

On 06/28/2016 10:45 AM, Oleg Fayans wrote:

Passing test output:

https://paste.fedoraproject.org/385774/71035231/



















NACK for 0049.1

1)
PEP8: you must use 2 empty lines between functions


Fixed



2)
+new_args = " ".join(new_args + args)
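
Review bot: `" ".join(new_args + args)` builds the certutil command as one unquoted string, so any argument containing whitespace or a shell metacharacter is re-split or interpreted by the remote shell, not only the intended `>`. If the redirect is the only reason for the string form, keep the list form and write the command's `stdout_text` to the file from the test, or quote every element except the redirect before joining.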

you don't need this, run_command takes list as argument too
new_args.extend(args)


The list-based approach does not work with shell redirects which are
heavily used in the certs_id_idoverrides test. Thus, this trick is
really needed



3)
To make it more usable you should add raiseonerr as kwarg to
run_certutil (True as default)


Done



NACK for 0050.2

1)
+tasks.run_certutil(master, ['-L', '-n', cls.adcert1, '-a', '>',
+cls.adcert1_file], cls.reqdir)
+tasks.run_certutil(master, ['-L', '-n', cls.adcert2, '-a', '>',
+cls.adcert2_file], cls.reqdir)

IMO this should raise an error if failed, but previously you set
raiseonerr=False (multiple times)


Agreed. Done



2)
+cls.ad = cls.ad_domains[0].ads[0]
+cls.ad_domain = cls.ad.domain.name
+cls.aduser = "testuser@%s" % cls.ad_domain
+cls.adcert1 = 'MyCert1'
+cls.adcert2 = 'MyCert2'
+cls.adcert1_file = cls.adcert1 + '.crt'
+cls.adcert2_file = cls.adcert2 + '.crt'

New definitions of variables/constants should be directly in class not
in install method, adding new class variables in classmethod is the same
evil as adding instance variables outside __init__


Fair point. Fixed



3)
I have question, why do you need AD for this test? AFAIK you can use ID
overrides without AD


Correct. You can, but the workflow would be slightly different. For
example, you can not issue and sign cert requests for AD-users the way
you would do it for local users. We want to have tests that can be taken
by end-users as example how to use our software, that's why it is better
to be as close to real-world use-cases as it is possible.



Martin^3











--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [Test][patch-0058] Fixed topology tests failures in CI

2016-09-14 Thread Oleg Fayans

Again ping for review, please it completely blocks the whole job.

On 09/07/2016 03:27 PM, Oleg Fayans wrote:

ping for review

On 08/24/2016 01:58 PM, Oleg Fayans wrote:

And here is how the run looks like:

$ ipa-run-tests test_integration/test_topology.py
WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13]
Permission denied: 'lextab.py'
WARNING: yacc table file version is out of date
WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission
denied: 'yacctab.py'


test session starts
=


platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: sourceorder-0.5, multihost-1.0
collected 3 items

test_integration/test_topology.py ..x

===

2 passed, 1 xfailed in 1558.66 seconds
===




On 08/12/2016 04:05 PM, Martin Basti wrote:



On 12.08.2016 15:48, Oleg Fayans wrote:

Hi Martin,



On 08/11/2016 10:05 AM, Martin Basti wrote:



On 10.08.2016 20:32, Oleg Fayans wrote:





Hello,

before we jump into fixing tests, my question is: Was this planned
change and not reflected by test, or switched values are unwanted side
effect and thus bug for us?


That's a marvelous question! The test used to pass, which means that
at some point the convention of naming the segments must have changed.
Is it a bug? I do not think so: the feature still works as expected.


Ludwig, do you know details about this change, why positions of server
names are different than used to be in topology name?





Ticket contains almost no info, except a traceback and it says nothing.
Commit message says at least something.

I'm not sure if this patch fixes that ticket, because traceback in test
shows error message that "removal of segment will disconnect topology",
but this patch only swap order of replica names in segment name. I would
expect that you should get different error, something like segment does
not exist.
Which I do get in jenkins job N 37: "segment not found"

In fact, the error in the issue is unrelated to the fix, you are right.



To tell the truth, I just put a random error from one of the jenkins
topology testruns into the issue.

This is very good way how to report tickets:
* nobody knows what happened
* nobody can search in current tickets,  what is wrong without proper
description
* developers cannot investigate issue, because there is even no name of
exact test in ticket, no steps to reproduce, nothing
* without proper tickets it is hard to backport patches correctly, if
patch fixes different issue than is reported

I'm closing ticket as invalid, please follow
http://www.chiark.greenend.org.uk/~sgtatham/bugs.html and file a new
proper ticket.


This particular error message was caused by a previous replica
installation failure, which resulted in existing only one segment
instead of three:
master <-> replica1
instead of:
master <-> replica1,
master <-> replica2
replica1 <-> replica2

In fact the patch supplied fixes 2 tests at once:
The first test tries to remove the unexisting segment master <->
replica2 and fails, the second test expects the line topology
master <-> replica1 <-> replica2.
It removes the connection between replica1 and replica2, expects the
operation to fail but it does not because the connection between
master and replica2 exists

the output from the testrun with the patch applied:


-bash-4.3$ ipa-run-tests test_integration/test_topology.py --pdb
WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13]
Permission denied: 'lextab.py'
WARNING: yacc table file version is out of date
WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission
denied: 'yacctab.py'



test session starts
=



platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: sourceorder-0.5, multihost-1.0
collected 3 items

test_integration/test_topology.py ...




3 passed in 2156.82 seconds
=






I don't care about test output until there is no valid description of
problem, fixing test may just cover real issue.
Martin^2


Martin^2












--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.


Re: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964

2016-09-13 Thread Oleg Fayans

Hi Ludwig,

The ipa-replica-manage clean-ruv sometimes does not quite work.

For example: I have a master and 2 replicas. Initial output of 
'ipa-replica-manage list-ruv' looks like this:



Replica Update Vectors:
f24replica2.pesen.net:389: 7
f24master.pesen.net:389: 4
f24replica1.pesen.net:389: 3
Certificate Server Replica Update Vectors:
f24master.pesen.net:389: 6
f24replica1.pesen.net:389: 5
f24replica2.pesen.net:389: 8


When I do 'ipa-replica-manage clean-ruv 5' and then list-ruv, it shows 
the expected result:


Replica Update Vectors:
f24replica2.pesen.net:389: 7
f24master.pesen.net:389: 4
f24replica1.pesen.net:389: 3
Certificate Server Replica Update Vectors:
f24master.pesen.net:389: 6
f24replica2.pesen.net:389: 8

But when I then do 'ipa-replica-manage clean-ruv 3', the command 
executes successfully, but list-ruv still shows 5 RUVs instead of four.


After all nodes are restarted still 5 RUVs are displayed, but if I
clean the RUV N 3 manually again, it works and leaves (expected) 4 RUVs.


Do you have an idea, what it might be and how to debug this?


On 08/05/2016 06:36 PM, Martin Basti wrote:



On 03.08.2016 14:45, Oleg Fayans wrote:

Hi Martin,

Thanks for the review! Both patches were updated.

On 07/28/2016 04:11 PM, Martin Basti wrote:



On 08.07.2016 15:41, Oleg Fayans wrote:

Hi Martin,

Thanks for the review!

On 07/08/2016 02:18 PM, Martin Basti wrote:



On 27.06.2016 13:53, Oleg Fayans wrote:

Hi guys,

Is there a chance the patches NN 0047.1 and 0048.1 get reviewed
before
4.4 release? They cover a good part of the Managed Topology 4.4
feature.

On 06/17/2016 11:18 AM, Oleg Fayans wrote:

One more test was added to the patch-0048

On 06/17/2016 09:43 AM, Oleg Fayans wrote:

Fixed a bug in the previous patch, automated 2 more testcases from
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan




On 06/16/2016 04:46 PM, Oleg Fayans wrote:










IIUC, this will turn off the machine completely, how is cleanup done
then.  AFAIK our tests cannot turn on machine again and run
cleanup, so
you will not be able to run more tests on the same topology without
manual cleanup and manual start.

+replica = self.replicas[0]
+replica.run_command(['poweroff'])

IMO would be better to just call 'ipactl stop' instead of 'poweroff'


Agreed! Fixed.



Martin^2






*Automated ipa-replica-manage del tests*

1)
+replica.run_command(['ipactl', 'stop'])
+time.sleep(3)

Why do you need sleep here?


Removed, it was left from the old "poweroff" approach




2)
+ruvid_re = re.compile(".*%s:389: (\d+).*" % replica.hostname)
+replica_ruvs = ruvid_re.findall(result.stdout_text)
+master.run_command(['ipa-replica-manage', 'clean-ruv', 'f',
+'-p', master.config.dirman_password,
+replica_ruvs[0]])
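
Review bot: the regex on the first line interpolates replica.hostname without re.escape() and in a non-raw string, so every dot in the hostname matches any character and "\d" only works because Python leaves the unknown escape alone; use re.compile(r"%s:389: (\d+)" % re.escape(replica.hostname)). In the clean-ruv call the second argument is a bare 'f' rather than an option, which looks like a dropped dash and should be checked. Passing master.config.dirman_password with -p also puts the Directory Manager password on the command line, where it is visible in the process list on the master; prefer another way of supplying it if one is available in this context.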

Because you are using re.findall(), without any match you will receive
IndexError here replica_ruvs[0]. IMO it deserves assert before


Implemented the assert which checks that the output contains enough
replica RUVs



3)
assert(replica.hostname in result1.stdout_text)

I think that this is error prone. What if there is just error 'could not
connect to replica ', or something similar. instead of
listing/cleaning/whatever operation was executed. I think that it should
be more specific regexp than just finding a replica name substring  (Yes
In IPA we don't always print error to stderr)

I'm not sure, but probably there might be cases when non critical error
happen and exit status is still 0


Agree. Implemented a regex-based search



4)

+replica.run_command(['poweroff'])
+time.sleep(3)

There should not be poweroff, probably sleep could be removed too.


Gone




*Automated clean-ruv subcommand test*

1) PEP8, 2 new lines expected
./ipatests/test_integration/test_topology.py:163:1: E302 expected 2
blank lines, found 0
./ipatests/test_integration/test_topology.py:182:80: E501 line too long
(85 > 79 characters)


Fixed




2)
I don't like doing assert just with count of occurrences of substring in
STDOUT, would be possible to improve this somehow?


Maybe, but frankly, I don't see how. In this case we are making sure
that both simple and CA-specific RUVs of a replica are displayed. The
format of the output is strict:
Replica Update Vectors:
replica1_hostname:389: RUV_id
replica2_hostname:389: RUV_id
Certificate Server Replica Update Vectors:
replica1_hostname:389: RUV_id
replica2_hostname:389: RUV_id
If we do not see 2 occurrences of the replica hostname then definitely
something went wrong



3)
I'm not sure if clean-ruv is instant operations or there is some magic
happening in background (we have abort-clean-ruv). Maybe some sleep
should be there, but this needs investigation.

+assert(replica.hostname in result2.stdout_text), (
+&qu
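
A stricter check than counting hostname occurrences in stdout, as an added example (not code from the patches in this thread): it parses the list-ruv format quoted in the messages above into per-section RUV ids and rejects any line that is not part of that format. The function names and the second sample output are constructed for illustration, and only the two section headers shown in the thread are assumed to exist.

```python
import re

# Output of 'ipa-replica-manage list-ruv' as quoted in the thread above.
LIST_RUV_BEFORE = """\
Replica Update Vectors:
f24replica2.pesen.net:389: 7
f24master.pesen.net:389: 4
f24replica1.pesen.net:389: 3
Certificate Server Replica Update Vectors:
f24master.pesen.net:389: 6
f24replica1.pesen.net:389: 5
f24replica2.pesen.net:389: 8
"""

# Constructed: what list-ruv should print once RUVs 5 and 3 are both cleaned.
LIST_RUV_AFTER = """\
Replica Update Vectors:
f24replica2.pesen.net:389: 7
f24master.pesen.net:389: 4
Certificate Server Replica Update Vectors:
f24master.pesen.net:389: 6
f24replica2.pesen.net:389: 8
"""

SECTIONS = {
    "Replica Update Vectors:": "domain",
    "Certificate Server Replica Update Vectors:": "ca",
}
ENTRY_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9.-]+):(?P<port>\d+): (?P<ruvid>\d+)$")


def parse_list_ruv(text):
    """Return {'domain': {host: [ids]}, 'ca': {host: [ids]}}.

    A host may carry several ids (a stale RUV next to a current one), so
    ids are kept in a list. Any line that is neither a known header nor an
    entry raises ValueError, so an error message that merely mentions a
    hostname cannot pass for a listing.
    """
    ruvs = {name: {} for name in SECTIONS.values()}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = SECTIONS[line]
            continue
        match = ENTRY_RE.match(line)
        if match is None or section is None:
            raise ValueError("not list-ruv output: %r" % line)
        ids = ruvs[section].setdefault(match.group("host"), [])
        ids.append(int(match.group("ruvid")))
    return ruvs


def flatten(ruvs):
    """Turn the parsed structure into a set of (section, host, id)."""
    return {(section, host, ruvid)
            for section, hosts in ruvs.items()
            for host, ids in hosts.items()
            for ruvid in ids}


def removed_ruvs(before_text, after_text):
    """RUVs present in the first listing and gone from the second."""
    before = flatten(parse_list_ruv(before_text))
    after = flatten(parse_list_ruv(after_text))
    return before - after
```

A test can then assert on the exact set returned by removed_ruvs() after each clean-ruv call, which also catches the case described above where the command succeeds but the RUV is still listed.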

Re: [Freeipa-devel] [PATCH] ca-less tests updated

2016-09-09 Thread Oleg Fayans

Hi David, team

According to your suggestions I've split my commits so that each
commit addresses some particular problem. One patch (0071) still
contains several unrelated fixes, but they mostly reflect changes in
error messages and really small but numerous bugfixes that I did not
consider worthy of a separate commit each. Please, whenever you have
free time take a look at this new bunch of patches.


Thanks!

On 09/06/2016 04:41 PM, David Kupka wrote:

Hi Oleg!

0013 - It looks like there are two unrelated changes, addition of CRL
distribution extension and creating certificate signed by no longer
existing CA. Please create separate patch for each of the changes, and
describe the change and reason for it in commit messages.

0014 - Could you please split the patch to "numerous" commit each fixing
one error? Please also describe each fix so everyone has at least vague
idea about the patch without reading its code. Also why do you introduce
global variable config, I don't see its used anywhere.

0039 - It looks like multiple different changes and commit message says
nothing again. Please split and describe what did you change and why.

0041 - Looks like weird workaround to me. It would be better to
investigate the root cause and fix it. Or at least describe the cause in
commit message and code comment if it can't be fixed. Also "-h is
deprecated in favor of -H" says man 1 ldapmodify.


On 05/09/16 14:32, Oleg Fayans wrote:

Hi guys,

Finally the ca-less tests are stable. Here in the attachment is the full
set of necessary patches.


On 08/09/2016 10:57 AM, Oleg Fayans wrote:

Hi all,

Bump for the review of the 0013 patch. The script it addresses can be
reused in some WebUI tests - one more reason to have it reviewed/merged

The rest of the patches should be re-tested, since they were prepared a good
while ago

On 05/10/2016 05:08 PM, Oleg Fayans wrote:

Hi David,

After quite a while and some more struggles here comes the updated
version of the patch together with other patches fixing things in
ipatests/test_integration/tasks.py
Server and replica installation was refactored in a way to utilize the
code from tasks.py as much as it is possible

The full set of necessary patches is attached


On 04/20/2016 10:35 AM, David Kupka wrote:

On 19/04/16 11:13, Oleg Fayans wrote:

OK, that one, though passing lint, did not actually work. I gave
up my
attempts to define method decorators inside the class. Now it passes
lint AND works:)



Hi Oleg!

1) Current commit message is useless. Please use it to describe
what is
the point of the patch.

2) $ git show -U0 | pep8 --diff
./ipatests/test_integration/test_caless.py:66:1: E302 expected 2 blank
lines, found 1
./ipatests/test_integration/test_caless.py:74:1: E302 expected 2 blank
lines, found 1
./ipatests/test_integration/test_caless.py:820:5: E303 too many blank
lines (2)
./ipatests/test_integration/test_caless.py:825:80: E501 line too long
(80 > 79 characters)
./ipatests/test_integration/test_caless.py:1035:44: E225 missing
whitespace around operator


3) Isn't there a way to do this with pytest's fixtures?


+def server_install_teardown(func):
+def wrapped(*args):
+try:
+func(*args)
+finally:
+args[0].uninstall_server()
+return wrapped
+
+def replica_install_teardown(func):
+def wrapped(*args):
+try:
+func(*args)
+finally:
+# Uninstall replica
+replica = args[0].replicas[0]
+tasks.kinit_admin(args[0].master)
+args[0].uninstall_server(replica)
+args[0].master.run_command(['ipa-replica-manage', 'del',
+replica.hostname,
'--force'],
+   raiseonerr=False)
+args[0].master.run_command(['ipa', 'host-del',
+replica.hostname],
+   raiseonerr=False)
+return wrapped
+
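
Review bot: in replica_install_teardown the finally block starts with tasks.kinit_admin(args[0].master) and args[0].uninstall_server(replica) with no guard of their own, so if either raises, the ipa-replica-manage del and ipa host-del steps never run and the cleanup error is what gets reported instead of the test's own failure; the replica entry then stays on the master for the next test. Both wrappers also accept only positional arguments and are not wrapped with functools.wraps, so the decorated test shows up as "wrapped" and loses its docstring. Suggest guarding each cleanup step separately and adding @functools.wraps(func) with func(*args, **kwargs).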


There is a standard pytest method called 'method_teardown', that is
intended to be executed after each test method, but with our setup it
does
not work.



4) Is it necessary to create the $TEST_DIR in the test? Isn't it
created
by the framework?


+host.transport.mkdir_recursive(host.config.test_dir)




Removed.



5) I don't think the comment matches the code.



+# Remove CA cert in /etc/pki/nssdb, in case of failed
(un)install
+for host in cls.get_all_hosts():
+cls.uninstall_server(host)
+
   super(CALessBase, cls).uninstall(mh)




Not actual anymore



6) No! Create list with one element, iterate that list and append
every
item to the other list. Maybe there's better way (Hint: append).
I've seen this on multiple places.


   if unattended:
   args.extend(['-U'])


Agreed



7) Why don't you (extend and) use
ipatests.test_integration.tasks.(un)install_{master,replica}?
This could be done pretty

Re: [Freeipa-devel] [Test][patch-0058] Fixed topology tests failures in CI

2016-09-07 Thread Oleg Fayans

ping for review

On 08/24/2016 01:58 PM, Oleg Fayans wrote:

And here is how the run looks like:

$ ipa-run-tests test_integration/test_topology.py
WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13]
Permission denied: 'lextab.py'
WARNING: yacc table file version is out of date
WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission
denied: 'yacctab.py'

test session starts
=

platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: sourceorder-0.5, multihost-1.0
collected 3 items

test_integration/test_topology.py ..x

===
2 passed, 1 xfailed in 1558.66 seconds
===



On 08/12/2016 04:05 PM, Martin Basti wrote:



On 12.08.2016 15:48, Oleg Fayans wrote:

Hi Martin,



On 08/11/2016 10:05 AM, Martin Basti wrote:



On 10.08.2016 20:32, Oleg Fayans wrote:





Hello,

before we jump into fixing tests, my question is: Was this planned
change and not reflected by test, or switched values are unwanted side
effect and thus bug for us?


That's a marvelous question! The test used to pass, which means that
at some point the convention of naming the segments must have changed.
Is it a bug? I do not think so: the feature still works as expected.


Ludwig, do you know details about this change, why positions of server
names are different than used to be in topology name?





Ticket contains almost no info, except a traceback and it says nothing.
Commit message says at least something.

I'm not sure if this patch fixes that ticket, because traceback in test
shows error message that "removal of segment will disconnect topology",
but this patch only swap order of replica names in segment name. I
would
expect that you should get different error, something like segment does
not exist.

Which I do get in jenkins job N 37: "segment not found"

In fact, the error in the issue is unrelated to the fix, you are right.



To tell the truth, I just put a random error from one of the jenkins
topology testruns into the issue.

This is very good way how to report tickets:
* nobody knows what happened
* nobody can search in current tickets,  what is wrong without proper
description
* developers cannot investigate issue, because there is even no name of
exact test in ticket, no steps to reproduce, nothing
* without proper tickets it is hard to backport patches correctly, if
patch fixes different issue than is reported

I'm closing ticket as invalid, please follow
http://www.chiark.greenend.org.uk/~sgtatham/bugs.html and file a new
proper ticket.


This particular error message was caused by a previous replica
installation failure, which resulted in existing only one segment
instead of three:
master <-> replica1
instead of:
master <-> replica1,
master <-> replica2
replica1 <-> replica2

In fact the patch supplied fixes 2 tests at once:
The first test tries to remove the unexisting segment master <->
replica2 and fails, the second test expects the line topology
master <-> replica1 <-> replica2.
It removes the connection between replica1 and replica2, expects the
operation to fail but it does not because the connection between
master and replica2 exists

the output from the testrun with the patch applied:


-bash-4.3$ ipa-run-tests test_integration/test_topology.py --pdb
WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13]
Permission denied: 'lextab.py'
WARNING: yacc table file version is out of date
WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission
denied: 'yacctab.py'


test session starts
=


platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: sourceorder-0.5, multihost-1.0
collected 3 items

test_integration/test_topology.py ...



3 passed in 2156.82 seconds
=





I don't care about test output until there is no valid description of
problem, fixing test may just cover real issue.
Martin^2


Martin^2

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-09-06 Thread Oleg Fayans

The test is updated to clean up after itself

On 09/06/2016 12:57 PM, Oleg Fayans wrote:

Hi Martin,

Thanks for the review. The updated patches are attached. Please, see my
comments below

On 08/30/2016 01:58 PM, Martin Basti wrote:



On 22.08.2016 13:18, Oleg Fayans wrote:

ping for review

On 08/02/2016 01:11 PM, Oleg Fayans wrote:

Hi Martin,

I did! Thank you!

On 08/02/2016 12:31 PM, Martin Basti wrote:



On 01.08.2016 22:46, Oleg Fayans wrote:

The test was redesigned so that it actually tests against an AD user.
cleanly applies, passes lint and passes

https://paste.fedoraproject.org/399504/00843641/


Okay

Did you forget to send patches?

Martin^2



On 06/28/2016 01:40 PM, Oleg Fayans wrote:

Patch-0050 rebased against latest upstream branch

On 06/28/2016 10:45 AM, Oleg Fayans wrote:

Passing test output:

https://paste.fedoraproject.org/385774/71035231/

NACK for 0049.1

1)
PEP8: you must use 2 empty lines between functions


Fixed



2)
+new_args = " ".join(new_args + args)

you don't need this, run_command takes list as argument too
new_args.extend(args)


The list-based approach does not work with shell redirects which are
heavily used in the certs_id_idoverrides test. Thus, this trick is
really needed



3)
To make it more usable you should add raiseonerr as kwarg to
run_certutil (True as default)


Done



NACK for 0050.2

1)
+tasks.run_certutil(master, ['-L', '-n', cls.adcert1, '-a', '>',
+cls.adcert1_file], cls.reqdir)
+tasks.run_certutil(master, ['-L', '-n', cls.adcert2, '-a', '>',
+cls.adcert2_file], cls.reqdir)

IMO this should raise an error if failed, but previously you set
raiseonerr=False (multiple times)


Agreed. Done



2)
+cls.ad = cls.ad_domains[0].ads[0]
+cls.ad_domain = cls.ad.domain.name
+cls.aduser = "testuser@%s" % cls.ad_domain
+cls.adcert1 = 'MyCert1'
+cls.adcert2 = 'MyCert2'
+cls.adcert1_file = cls.adcert1 + '.crt'
+cls.adcert2_file = cls.adcert2 + '.crt'

New definitions of variables/constants should be directly in class not
in install method, adding new class variables in classmethod is the same
evil as adding instance variables outside __init__


Fair point. Fixed



3)
I have question, why do you need AD for this test? AFAIK you can use ID
overrides without AD


Correct. You can, but the workflow would be slightly different. For
example, you can not issue and sign cert requests for AD-users the way
you would do it for local users. We want to have tests that can be taken
by end-users as example how to use our software, that's why it is better
to be as close to real-world use-cases as it is possible.



Martin^3







--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 1a0039b64023b0bb3c9289128413b4ccef489ec4 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Tue, 6 Sep 2016 13:55:16 +0200
Subject: [PATCH] Automated test for certs in idoverrides feature

https://fedorahosted.org/freeipa/ticket/6005
---
 .../test_integration/test_certs_in_idoverrides.py  | 121 +
 1 file changed, 121 insertions(+)
 create mode 100644 ipatests/test_integration/test_certs_in_idoverrides.py

diff --git a/ipatests/test_integration/test_certs_in_idoverrides.py b/ipatests/test_integration/test_certs_in_idoverrides.py
new file mode 100644
index ..762ce71a5ed8883b2a2d5bc4185b5ffcb52a4edb
--- /dev/null
+++ b/ipatests/test_integration/test_certs_in_idoverrides.py
@@ -0,0 +1,121 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+import os
+import re
+import string
+from ipatests.test_integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration.tasks import assert_error
+from ipatests.test_integration.env_config import get_global_config
+config = get_global_config()
+
+
+class TestCertsInIDOverrides(IntegrationTest):
+topology = "line"
+service_certprofile = 'caIPAserviceCert'
+num_ad_domains = 1
+user_certprofile = 'caIPAuserCert'
+adview = 'Default Trust View'
+cert_re = re.compile('Certificate: (?P.*?)\\s+.*')
+ad = config.ad_domains[0].ads[0]
+ad_domain = ad.domain.name
+aduser = "testuser@%s" % ad_domain
+adcert1 = 'MyCert1'
+adcert2 = 'MyCert2'
+adcert1_file = adcert1 + '.crt'
+adcert2_file = adcert2 + '.crt'
+
+@classmethod
+def uninstall(cls, mh):
+super(TestCertsInIDOverrides, cls).uninstall(mh)
+cls.master.run_command(['rm', '-rf', cls.reqdir], raiseonerr=False)
+
+@classmethod
+def install(cls, mh):
+super(TestCertsInIDOverrides, cls).install(mh)
+master = cls.master
+
+# AD-related stuff
+tasks.install_adtrust(master)
+tasks.sync_time(master, cls.ad)
+tas
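
Review bot: config = get_global_config() at module level and ad = config.ad_domains[0].ads[0] in the class body both run at import time, so on a configuration without an AD domain the module fails with IndexError during collection, before the num_ad_domains = 1 requirement gets to decide whether the test runs. Resolve the AD host inside install() and keep only the constants (adview, adcert1, adcert2 and the file names) as class attributes. Also, uninstall() runs rm -rf on cls.reqdir, which is not among the class attributes above; if it is only assigned in install(), a failure earlier in install() turns the cleanup into an AttributeError, so give it a class-level default.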

Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-09-06 Thread Oleg Fayans

Forgot to attach the test run output:

-bash-4.3$ ipa-run-tests test_integration/test_certs_in_idoverrides.py --pdb
WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] 
Permission denied: 'lextab.py'

WARNING: yacc table file version is out of date
WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission 
denied: 'yacctab.py'
 
test session starts 
=

platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: sourceorder-0.5, multihost-1.0
collected 1 items

test_integration/test_certs_in_idoverrides.py .

= 
1 passed in 681.90 seconds 
=



On 09/06/2016 12:57 PM, Oleg Fayans wrote:

Hi Martin,

Thanks for the review. The updated patches are attached. Please, see my
comments below

On 08/30/2016 01:58 PM, Martin Basti wrote:



On 22.08.2016 13:18, Oleg Fayans wrote:

ping for review

On 08/02/2016 01:11 PM, Oleg Fayans wrote:

Hi Martin,

I did! Thank you!

On 08/02/2016 12:31 PM, Martin Basti wrote:



On 01.08.2016 22:46, Oleg Fayans wrote:

The test was redesigned so that it actually tests against an AD user.
cleanly applies, passes lint and passes

https://paste.fedoraproject.org/399504/00843641/


Okay

Did you forget to send patches?

Martin^2



On 06/28/2016 01:40 PM, Oleg Fayans wrote:

Patch-0050 rebased against latest upstream branch

On 06/28/2016 10:45 AM, Oleg Fayans wrote:

Passing test output:

https://paste.fedoraproject.org/385774/71035231/

NACK for 0049.1

1)
PEP8: you must use 2 empty lines between functions


Fixed



2)
+new_args = " ".join(new_args + args)

you don't need this, run_command takes list as argument too
new_args.extend(args)


The list-based approach does not work with shell redirects which are
heavily used in the certs_id_idoverrides test. Thus, this trick is
really needed



3)
To make it more usable you should add raiseonerr as kwarg to
run_certutil (True as default)


Done



NACK for 0050.2

1)
+tasks.run_certutil(master, ['-L', '-n', cls.adcert1, '-a', '>',
+cls.adcert1_file], cls.reqdir)
+tasks.run_certutil(master, ['-L', '-n', cls.adcert2, '-a', '>',
+cls.adcert2_file], cls.reqdir)

IMO this should raise an error if failed, but previously you set
raiseonerr=False (multiple times)


Agreed. Done



2)
+cls.ad = cls.ad_domains[0].ads[0]
+cls.ad_domain = cls.ad.domain.name
+cls.aduser = "testuser@%s" % cls.ad_domain
+cls.adcert1 = 'MyCert1'
+cls.adcert2 = 'MyCert2'
+cls.adcert1_file = cls.adcert1 + '.crt'
+cls.adcert2_file = cls.adcert2 + '.crt'

New definitions of variables/constants should be directly in class not
in install method, adding new class variables in classmethod is the same
evil as adding instance variables outside __init__


Fair point. Fixed



3)
I have question, why do you need AD for this test? AFAIK you can use ID
overrides without AD


Correct. You can, but the workflow would be slightly different. For
example, you can not issue and sign cert requests for AD-users the way
you would do it for local users. We want to have tests that can be taken
by end-users as example how to use our software, that's why it is better
to be as close to real-world use-cases as it is possible.



Martin^3







--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-09-06 Thread Oleg Fayans

Hi Martin,

Thanks for the review. The updated patches are attached. Please, see my 
comments below


On 08/30/2016 01:58 PM, Martin Basti wrote:



On 22.08.2016 13:18, Oleg Fayans wrote:

ping for review

On 08/02/2016 01:11 PM, Oleg Fayans wrote:

Hi Martin,

I did! Thank you!

On 08/02/2016 12:31 PM, Martin Basti wrote:



On 01.08.2016 22:46, Oleg Fayans wrote:

The test was redesigned so that it actually tests against an AD user.
cleanly applies, passes lint and passes

https://paste.fedoraproject.org/399504/00843641/


Okay

Did you forget to send patches?

Martin^2



On 06/28/2016 01:40 PM, Oleg Fayans wrote:

Patch-0050 rebased against latest upstream branch

On 06/28/2016 10:45 AM, Oleg Fayans wrote:

Passing test output:

https://paste.fedoraproject.org/385774/71035231/

NACK for 0049.1

1)
PEP8: you must use 2 empty lines between functions


Fixed



2)
+new_args = " ".join(new_args + args)

you don't need this, run_command takes list as argument too
new_args.extend(args)


The list-based approach does not work with shell redirects which are 
heavily used in the certs_id_idoverrides test. Thus, this trick is 
really needed




3)
To make it more usable you should add raiseonerr as kwarg to
run_certutil (True as default)


Done



NACK for 0050.2

1)
+tasks.run_certutil(master, ['-L', '-n', cls.adcert1, '-a', '>',
+cls.adcert1_file], cls.reqdir)
+tasks.run_certutil(master, ['-L', '-n', cls.adcert2, '-a', '>',
+cls.adcert2_file], cls.reqdir)

IMO this should raise an error if failed, but previously you set
raiseonerr=False (multiple times)


Agreed. Done



2)
+cls.ad = cls.ad_domains[0].ads[0]
+cls.ad_domain = cls.ad.domain.name
+cls.aduser = "testuser@%s" % cls.ad_domain
+cls.adcert1 = 'MyCert1'
+cls.adcert2 = 'MyCert2'
+cls.adcert1_file = cls.adcert1 + '.crt'
+cls.adcert2_file = cls.adcert2 + '.crt'

New definitions of variables/constants should be directly in class not
in install method, adding new class variables in classmethod is the same
evil as adding instance variables outside __init__


Fair point. Fixed



3)
I have question, why do you need AD for this test? AFAIK you can use ID
overrides without AD


Correct. You can, but the workflow would be slightly different. For 
example, you can not issue and sign cert requests for AD-users the way 
you would do it for local users. We want to have tests that can be taken 
by end-users as example how to use our software, that's why it is better 
to be as close to real-world use-cases as it is possible.




Martin^3



--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 867c603183d792b0056c0f8895f52577bc67d7b0 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Tue, 6 Sep 2016 12:39:45 +0200
Subject: [PATCH] Added interface to certutil

---
 ipatests/test_integration/tasks.py | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index c60d43699d6577abe930ac8d6ab696feea837331..0e329f4ad5d754fd61a9ca911488230677daad77 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -1187,6 +1187,13 @@ def run_server_del(host, server_to_delete, force=False,
 return host.run_command(args, raiseonerr=False)
 
 
+def run_certutil(host, args, reqdir, stdin=None, raiseonerr=True):
+new_args = [paths.CERTUTIL, "-d", reqdir]
+new_args = " ".join(new_args + args)
+return host.run_command(new_args, raiseonerr=raiseonerr,
+stdin_text=stdin)
+
+
 def assert_error(result, stderr_text, returncode=None):
 "Assert that `result` command failed and its stderr contains `stderr_text`"
 assert stderr_text in result.stderr_text, result.stderr_text
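
Review bot: new_args = " ".join(new_args + args) turns the argument list into a shell string with no quoting, so any element containing whitespace or a shell metacharacter is split or interpreted by the remote shell; reqdir and certificate nicknames are the obvious candidates. If the string form is kept for the sake of redirects, quote each element (pipes.quote on Python 2) and take the redirect target as a separate, explicitly handled parameter rather than as '>' inside args. The function also needs a docstring saying that args ends up in a shell command line, so callers know not to pass space-containing values unquoted.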
-- 
1.8.3.1

From fb0591407a64dcf84eda1a28a06d1ead2fa7ab0d Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Tue, 6 Sep 2016 12:41:06 +0200
Subject: [PATCH] Automated test for certs in idoverrides feature

https://fedorahosted.org/freeipa/ticket/6005
---
 .../test_integration/test_certs_in_idoverrides.py  | 120 +
 1 file changed, 120 insertions(+)
 create mode 100644 ipatests/test_integration/test_certs_in_idoverrides.py

diff --git a/ipatests/test_integration/test_certs_in_idoverrides.py b/ipatests/test_integration/test_certs_in_idoverrides.py
new file mode 100644
index ..d72fc1e898f0574015c6b7dd5f601cec8e4350d6
--- /dev/null
+++ b/ipatests/test_integration/test_certs_in_idoverrides.py
@@ -0,0 +1,120 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+import os
+import re
+import string
+from ipatests.test_integration import tasks
+from ipatests.test_integration.base import Integration
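
The trade-off discussed above for run_certutil (a joined string is needed for the redirect, but joining drops the argument boundaries), as an added example that is not code from these patches: the first builder joins as the patch does, the second quotes every argument and adds the redirect itself. The function names, the CERTUTIL path and the sample values are assumptions for illustration; the code is Python 3, and on Python 2.7 the same quoting function is pipes.quote.

```python
import shlex

CERTUTIL = "/usr/bin/certutil"  # assumption: stands in for paths.CERTUTIL


def certutil_cmd_joined(reqdir, args):
    """String built as in the patch: a plain join with no quoting."""
    return " ".join([CERTUTIL, "-d", reqdir] + list(args))


def certutil_cmd_quoted(reqdir, args, stdout_file=None):
    """Quote every argument; the redirect is added by the helper itself,
    so a '>' inside args is data and never an operator."""
    argv = [CERTUTIL, "-d", reqdir] + list(args)
    cmd = " ".join(shlex.quote(arg) for arg in argv)
    if stdout_file is not None:
        cmd += " > " + shlex.quote(stdout_file)
    return cmd


def shell_words(cmd):
    """Word-split cmd with POSIX quoting rules.

    shlex models quoting and whitespace splitting only; shell operators
    such as '>' or ';' are not interpreted here.
    """
    return shlex.split(cmd)


# 'External CA cert' is a nickname that appears in this thread; the second
# nickname, the directories and the file name are constructed.
DELETE_ARGS = ["-D", "-n", "External CA cert"]
EXPORT_ARGS = ["-L", "-n", "My Cert & Co", "-a"]

if __name__ == "__main__":
    # The joined form hands certutil three separate words for the nickname.
    print(shell_words(certutil_cmd_joined("/tmp/reqdir", DELETE_ARGS)))
    # The quoted form keeps the nickname as one word.
    print(shell_words(certutil_cmd_quoted("/tmp/reqdir", DELETE_ARGS)))
    print(certutil_cmd_quoted("/tmp/req dir", EXPORT_ARGS, "MyCert1.crt"))
```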

Re: [Freeipa-devel] [PATCH] ca-less tests updated

2016-09-05 Thread Oleg Fayans

Hi guys,

Finally the ca-less tests are stable. Here in the attachment is the full 
set of necessary patches.



On 08/09/2016 10:57 AM, Oleg Fayans wrote:

Hi all,

Bump for the review of the 0013 patch. The script it addresses can be
reused in some WebUI tests - one more reason to have it reviewed/merged

The rest of the patches should be re-tested, since they were prepared a good
while ago

On 05/10/2016 05:08 PM, Oleg Fayans wrote:

Hi David,

After quite a while and some more struggles here comes the updated
version of the patch together with other patches fixing things in
ipatests/test_integration/tasks.py
Server and replica installation was refactored in a way to utilize the
code from tasks.py as much as it is possible

The full set of necessary patches is attached


On 04/20/2016 10:35 AM, David Kupka wrote:

On 19/04/16 11:13, Oleg Fayans wrote:

OK, that one, though passing lint, did not actually work. I gave up my
attempts to define method decorators inside the class. Now it passes
lint AND works:)



Hi Oleg!

1) Current commit message is useless. Please use it to describe what is
the point of the patch.

2) $ git show -U0 | pep8 --diff
./ipatests/test_integration/test_caless.py:66:1: E302 expected 2 blank
lines, found 1
./ipatests/test_integration/test_caless.py:74:1: E302 expected 2 blank
lines, found 1
./ipatests/test_integration/test_caless.py:820:5: E303 too many blank
lines (2)
./ipatests/test_integration/test_caless.py:825:80: E501 line too long
(80 > 79 characters)
./ipatests/test_integration/test_caless.py:1035:44: E225 missing
whitespace around operator


3) Isn't there a way to do this with pytest's fixtures?


+def server_install_teardown(func):
+def wrapped(*args):
+try:
+func(*args)
+finally:
+args[0].uninstall_server()
+return wrapped
+
+def replica_install_teardown(func):
+def wrapped(*args):
+try:
+func(*args)
+finally:
+# Uninstall replica
+replica = args[0].replicas[0]
+tasks.kinit_admin(args[0].master)
+args[0].uninstall_server(replica)
+args[0].master.run_command(['ipa-replica-manage', 'del',
+replica.hostname, '--force'],
+   raiseonerr=False)
+args[0].master.run_command(['ipa', 'host-del',
+replica.hostname],
+   raiseonerr=False)
+return wrapped
+


There is a standard pytest method called 'method_teardown', that is
intended to be executed after each test method, but with our setup it does
not work.



4) Is it necessary to create the $TEST_DIR in the test? Isn't it created
by the framework?


+host.transport.mkdir_recursive(host.config.test_dir)




Removed.



5) I don't think the comment matches the code.



+# Remove CA cert in /etc/pki/nssdb, in case of failed
(un)install
+for host in cls.get_all_hosts():
+cls.uninstall_server(host)
+
   super(CALessBase, cls).uninstall(mh)




Not actual anymore



6) No! Create list with one element, iterate that list and append every
item to the other list. Maybe there's better way (Hint: append).
I've seen this on multiple places.


   if unattended:
   args.extend(['-U'])


Agreed



7) Why don't you (extend and) use
ipatests.test_integration.tasks.(un)install_{master,replica}?
This could be done pretty much all over the code.


   host.run_command(['ipa-server-install', '--uninstall',
'-U'])


8) Use ipaplatform.paths for certutil and other binaries. If the binary
is not there feel free to add it.
I've seen this on multiple places.


+host.run_command(['certutil', '-d', paths.NSS_DB_DIR, '-D',
+  '-n', 'External CA cert'],
+ raiseonerr=False)
+# A workaround forhttps://fedorahosted.org/freeipa/ticket/4639
+result = host.run_command(['certutil', '-L', '-d',
+   paths.HTTPD_ALIAS_DIR])
+for rawcert in result.stdout_text.split('\n')[4: -1]:
+cert = rawcert.split('')[0]
+host.run_command(['certutil', '-D', '-d',
paths.HTTPD_ALIAS_DIR,
+  '-n', cert])
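
Review bot: the loop takes certificate nicknames from result.stdout_text.split('\n')[4: -1], which hard-codes the number of header lines in the certutil -L output and then deletes whatever the first field is; if the header length differs, a header fragment is passed to certutil -D, and that call has no raiseonerr=False, so the cleanup aborts. rawcert.split('')[0] as written also raises ValueError (empty separator). Suggest matching each line against a pattern for "nickname, whitespace, trust flags" and deleting only the nicknames that match.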



Done



9) certmonger is system service. You can check if it is .enabled() and
.running(). And IIUC the comment is negation of what the code does.



   # Verify certmonger was not started
   result = host.run_command(['getcert', 'list'],
raiseonerr=False)
-assert result > 0
-assert ('Please verify that the certmonger service has
been '
-'started.' in result.stdout_text),
result.stdout_text
+assert result.returncode == 0


10) What is the point of calling uninstall_server() when it will be
called in the finally block of server_install_teardown 

Re: [Freeipa-devel] [Test][patch-0061] Fixed error in teardown method of replica_promotion tests

2016-08-30 Thread Oleg Fayans
Bump for review. Other tests depend on this fix too, like 
replication_layouts_domainlevel_1


On 08/24/2016 04:26 PM, Oleg Fayans wrote:






--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [Test][patch-0058] Fixed topology tests failures in CI

2016-08-24 Thread Oleg Fayans

Hi Martin,

Updated the test according to our discussion.
There are 2 patches: the one related to the dynamic segment naming and 
the one that xfails one of the tests which fails due to trac ticket 6250.


Please, disregard my previous patch

On 08/12/2016 04:05 PM, Martin Basti wrote:



On 12.08.2016 15:48, Oleg Fayans wrote:

Hi Martin,



On 08/11/2016 10:05 AM, Martin Basti wrote:



On 10.08.2016 20:32, Oleg Fayans wrote:





Hello,

before we jump into fixing tests, my question is: Was this planned
change and not reflected by test, or switched values are unwanted side
effect and thus bug for us?


That's a marvelous question! The test used to pass, which means that
at some point the convention of naming the segments must have changed.
Is it a bug? I do not think so: the feature still works as expected.


Ludwig, do you know details about this change, why positions of server
names are different than used to be in topology name?





Ticket contains almost no info, except a traceback and it says nothing.
Commit message says at least something.

I'm not sure if this patch fixes that ticket, because traceback in test
shows error message that "removal of segment will disconnect topology",
but this patch only swap order of replica names in segment name. I would
expect that you should get different error, something like segment does
not exist.

Which I do get in jenkins job N 37: "segment not found"

In fact, the error in the issue is unrelated to the fix, you are right.



To tell the truth, I just put a random error from one of the jenkins
topology testruns into the issue.

This is very good way how to report tickets:
* nobody knows what happened
* nobody can search in current tickets,  what is wrong without proper
description
* developers cannot investigate issue, because there is even no name of
exact test in ticket, no steps to reproduce, nothing
* without proper tickets it is hard to backport patches correctly, if
patch fixes different issue than is reported

I'm closing ticket as invalid, please follow
http://www.chiark.greenend.org.uk/~sgtatham/bugs.html and file a new
proper ticket.


This particular error message was caused by a previous replica
installation failure, which resulted in existing only one segment
instead of three:
master <-> replica1
instead of:
master <-> replica1,
master <-> replica2
replica1 <-> replica2

In fact the patch supplied fixes 2 tests at once:
The first test tries to remove the unexisting segment master <->
replica2 and fails, the second test expects the line topology
master <-> replica1 <-> replica2.
It removes the connection between replica1 and replica2, expects the
operation to fail but it does not because the connection between
master and replica2 exists

the output from the testrun with the patch applied:


-bash-4.3$ ipa-run-tests test_integration/test_topology.py --pdb
WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13]
Permission denied: 'lextab.py'
WARNING: yacc table file version is out of date
WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission
denied: 'yacctab.py'

test session starts
=

platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: sourceorder-0.5, multihost-1.0
collected 3 items

test_integration/test_topology.py ...


3 passed in 2156.82 seconds
=




I don't care about test output until there is no valid description of
problem, fixing test may just cover real issue.
Martin^2


Martin^2








--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 6be984e1ff3ffa0dcbe3bc9fc415b7355a833c24 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Wed, 24 Aug 2016 13:48:56 +0200
Subject: [PATCH] Fixed segment naming in topology tests

As the segment name is a stochastic value, which can have either of the two
nodes as the left node, we need to adapt the tests to not expect some
particular segment name but rather to calculate it dynamically based on node
names and the output of topologysegment-find ipa call
---
 ipatests/test_integration/test_topology.py | 33 --
 1 file changed, 22 insertions(+), 11 deletions(-)

diff --git a/ipatests/test_integration/test_topology.py b/ipatests/test_integration/test_topology.py
index e956563c27eafd84deed5786274a73d0d3594642..a3e0488eacc116d5ac3fe83b021b8bf85bcc2ef3 100644
--- a/ipatests/test_integration/test_topology.py
+++ b/ipatests/test_integration/test_topology.py
@@ -15,6 +15,18 @@ from ipatests.util import assert_deepequal
 config = get_global_c

Re: [Freeipa-devel] [Test][patch-0058] Fixed topology tests failures in CI

2016-08-24 Thread Oleg Fayans

And here is what the run looks like:

$ ipa-run-tests test_integration/test_topology.py
WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] 
Permission denied: 'lextab.py'

WARNING: yacc table file version is out of date
WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission 
denied: 'yacctab.py'
 
test session starts 
=

platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: sourceorder-0.5, multihost-1.0
collected 3 items

test_integration/test_topology.py ..x

=== 
2 passed, 1 xfailed in 1558.66 seconds 
===




On 08/12/2016 04:05 PM, Martin Basti wrote:



On 12.08.2016 15:48, Oleg Fayans wrote:

Hi Martin,



On 08/11/2016 10:05 AM, Martin Basti wrote:



On 10.08.2016 20:32, Oleg Fayans wrote:





Hello,

before we jump into fixing tests, my question is: Was this planned
change and not reflected by test, or switched values are unwanted side
effect and thus bug for us?


That's a marvelous question! The test used to pass, which means that
at some point the convention of naming the segments must have changed.
Is it a bug? I do not think so: the feature still works as expected.


Ludwig, do you know details about this change, why positions of server
names are different than used to be in topology name?





Ticket contains almost no info, except a traceback and it says nothing.
Commit message says at least something.

I'm not sure if this patch fixes that ticket, because traceback in test
shows error message that "removal of segment will disconnect topology",
but this patch only swap order of replica names in segment name. I would
expect that you should get different error, something like segment does
not exist.

Which I do get in jenkins job N 37: "segment not found"

In fact, the error in the issue is unrelated to the fix, you are right.



To tell the truth, I just put a random error from one of the jenkins
topology testruns into the issue.

This is very good way how to report tickets:
* nobody knows what happened
* nobody can search in current tickets,  what is wrong without proper
description
* developers cannot investigate issue, because there is even no name of
exact test in ticket, no steps to reproduce, nothing
* without proper tickets it is hard to backport patches correctly, if
patch fixes different issue than is reported

I'm closing ticket as invalid, please follow
http://www.chiark.greenend.org.uk/~sgtatham/bugs.html and file a new
proper ticket.


This particular error message was caused by a previous replica
installation failure, which resulted in existing only one segment
instead of three:
master <-> replica1
instead of:
master <-> replica1,
master <-> replica2
replica1 <-> replica2

In fact the patch supplied fixes 2 tests at once:
The first test tries to remove the unexisting segment master <->
replica2 and fails, the second test expects the line topology
master <-> replica1 <-> replica2.
It removes the connection between replica1 and replica2, expects the
operation to fail but it does not because the connection between
master and replica2 exists

the output from the testrun with the patch applied:


-bash-4.3$ ipa-run-tests test_integration/test_topology.py --pdb
WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13]
Permission denied: 'lextab.py'
WARNING: yacc table file version is out of date
WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission
denied: 'yacctab.py'

test session starts
=

platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: sourceorder-0.5, multihost-1.0
collected 3 items

test_integration/test_topology.py ...


3 passed in 2156.82 seconds
=




I don't care about test output until there is no valid description of
problem, fixing test may just cover real issue.
Martin^2


Martin^2








--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
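
The commit message earlier in this thread proposes deriving the segment name from the node names and the output of `topologysegment-find`. The sketch below is an added example of that lookup, not code from the patch or from ipatests: the sample output, the hostnames, the assumed field labels and the helper names `parse_segments`, `find_segment` and `is_connected` are all assumptions. The connectivity check goes one step beyond the naming fix to show why removing replica1 <-> replica2 is only refused in a line topology.

```python
# Constructed sample of `ipa topologysegment-find domain` text output.
# Hostnames are made up; the field labels are assumed to match the CLI.
SAMPLE_FIND = """\
------------------
3 segments matched
------------------
  Segment name: replica1.ipa.test-to-master.ipa.test
  Left node: replica1.ipa.test
  Right node: master.ipa.test
  Connectivity: both

  Segment name: master.ipa.test-to-replica2.ipa.test
  Left node: master.ipa.test
  Right node: replica2.ipa.test
  Connectivity: both

  Segment name: replica1.ipa.test-to-replica2.ipa.test
  Left node: replica1.ipa.test
  Right node: replica2.ipa.test
  Connectivity: both
----------------------------
Number of entries returned 3
----------------------------
"""


def parse_segments(text):
    """Return a list of {'name', 'left', 'right'} dicts, one per segment."""
    segments, current = [], None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if not sep:
            continue  # rulers, counters and blank lines
        if key == "Segment name":
            current = {"name": value}
            segments.append(current)
        elif current is not None and key in ("Left node", "Right node"):
            current[key.split()[0].lower()] = value
    return segments


def find_segment(segments, host_a, host_b):
    """Name of the segment joining two hosts, whichever one is the left node."""
    wanted = frozenset((host_a, host_b))
    matches = [s["name"] for s in segments
               if frozenset((s.get("left"), s.get("right"))) == wanted]
    if len(matches) != 1:
        raise LookupError("expected one segment between %s and %s, found %r"
                          % (host_a, host_b, matches))
    return matches[0]


def is_connected(segments, without=None):
    """True if every node is still reachable once `without` is removed."""
    edges = [(s["left"], s["right"]) for s in segments if s["name"] != without]
    nodes = {node for s in segments for node in (s["left"], s["right"])}
    if not nodes:
        return True
    seen, todo = set(), [next(iter(nodes))]
    while todo:
        node = todo.pop()
        if node in seen:
            continue
        seen.add(node)
        todo.extend(b if a == node else a for a, b in edges if node in (a, b))
    return seen == nodes


if __name__ == "__main__":
    segs = parse_segments(SAMPLE_FIND)
    name = find_segment(segs, "master.ipa.test", "replica2.ipa.test")
    print(name, is_connected(segs, without=name))
```

A test can call `find_segment()` before `destroy_segment()` and fail with the lookup error when replica installation left fewer segments than expected, instead of failing later on a guessed name.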



Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-08-22 Thread Oleg Fayans

ping for review

On 08/02/2016 01:11 PM, Oleg Fayans wrote:

Hi Martin,

I did! Thank you!

On 08/02/2016 12:31 PM, Martin Basti wrote:



On 01.08.2016 22:46, Oleg Fayans wrote:

The test was redesigned so that it actually tests against an AD user.
cleanly applies, passes lint and passes

https://paste.fedoraproject.org/399504/00843641/


Okay

Did you forget to send patches?

Martin^2



On 06/28/2016 01:40 PM, Oleg Fayans wrote:

Patch-0050 rebased against latest upstream branch

On 06/28/2016 10:45 AM, Oleg Fayans wrote:

Passing test output:

https://paste.fedoraproject.org/385774/71035231/

















--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



[Freeipa-devel] default debug_level of sssd

2016-08-15 Thread Oleg Fayans

Hi all,

Does anyone know what is the default debug_level for sssd daemon in ipa? 
We've found out that some tests (mainly basic-trust) generate huge 
volumes of sssd logs which we have to store. A quick glance into the 
logs show that these log every tiny bit of really low level information 
that we probably never gonna need. We'd like to tweak the tests to 
configure sssd for less logging, but I was unable to find info on 
default debug_level. The sssd configuration file does not explicitly 
specify it.

Thanks!

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [Test][patch-0058] Fixed topology tests failures in CI

2016-08-12 Thread Oleg Fayans

Hi Martin,



On 08/11/2016 10:05 AM, Martin Basti wrote:



On 10.08.2016 20:32, Oleg Fayans wrote:





Hello,

before we jump into fixing tests, my question is: Was this planned
change and not reflected by test, or switched values are unwanted side
effect and thus bug for us?


That's a marvelous question! The test used to pass, which means that at 
some point the convention of naming the segments must have changed. Is 
it a bug? I do not think so: the feature still works as expected.




Ticket contains almost no info, except a traceback and it says nothing.
Commit message says at least something.

I'm not sure if this patch fixes that ticket, because traceback in test
shows error message that "removal of segment will disconnect topology",
but this patch only swap order of replica names in segment name. I would
expect that you should get different error, something like segment does
not exist.

Which I do get in jenkins job N 37: "segment not found"

In fact, the error in the issue is unrelated to the fix, you are right. 
To tell the truth, I just put a random error from one of the jenkins 
topology testruns into the issue. This particular error message was 
caused by a previous replica installation failure, which resulted in 
existing only one segment instead of three:

master <-> replica1
instead of:
master <-> replica1,
master <-> replica2
replica1 <-> replica2

In fact the patch supplied fixes 2 tests at once:
The first test tries to remove the unexisting segment master <-> 
replica2 and fails, the second test expects the line topology

master <-> replica1 <-> replica2.
It removes the connection between replica1 and replica2, expects the 
operation to fail but it does not because the connection between master 
and replica2 exists


the output from the testrun with the patch applied:


-bash-4.3$ ipa-run-tests test_integration/test_topology.py --pdb
WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] 
Permission denied: 'lextab.py'

WARNING: yacc table file version is out of date
WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission 
denied: 'yacctab.py'
 
test session starts 
=

platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: sourceorder-0.5, multihost-1.0
collected 3 items

test_integration/test_topology.py ...

 
3 passed in 2156.82 seconds 
=====




Martin^2




--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



[Freeipa-devel] [Test][patch-0058] Fixed topology tests failures in CI

2016-08-10 Thread Oleg Fayans


--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 3befa8b390e4c5c02c81ad2efee19acc237c9222 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Wed, 10 Aug 2016 20:30:31 +0200
Subject: [PATCH] Fixed expected segment name

Lately replica installation results in creation of a topology segment with
replica being left node, not right node as it used to be. This broke tests that
expected replica to be right node

https://fedorahosted.org/freeipa/ticket/6201
---
 ipatests/test_integration/test_topology.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipatests/test_integration/test_topology.py b/ipatests/test_integration/test_topology.py
index e956563c27eafd84deed5786274a73d0d3594642..8853af71b5834934573bef25f2720de746306e4b 100644
--- a/ipatests/test_integration/test_topology.py
+++ b/ipatests/test_integration/test_topology.py
@@ -117,8 +117,8 @@ class TestTopologyOptions(IntegrationTest):
 "%s: segment not found" % segment['name'])
 # Remove master <-> replica2 segment and make sure that the changes get
 # there through replica1
-deleteme = "%s-to-%s" % (self.master.hostname,
- self.replicas[1].hostname)
+deleteme = "%s-to-%s" % (self.replicas[1].hostname,
+ self.master.hostname)
 returncode, error = tasks.destroy_segment(self.master, deleteme)
 assert returncode == 0, error
 # Wait till replication ends and make sure replica1 does not have
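Review bot: the new `deleteme` value still hard-codes one ordering of the two hostnames (now `self.replicas[1].hostname` first), so the test fails again with "segment not found" as soon as the segment is created with the master as the left node. The preceding context already has a `segment` dict with a `name` key, so consider taking the name of the master <-> replica2 segment from the segment list instead of formatting it, and update the comment above the change to say that the order is not fixed.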
-- 
1.8.3.1


Re: [Freeipa-devel] [test][patch-0057] test for ticket N 6146 (installing rules with service principals)

2016-08-10 Thread Oleg Fayans

Hi Martin,

I am sorry, yes it depends on my patches 0049 and 0050.


On 08/10/2016 12:27 PM, Martin Basti wrote:



On 10.08.2016 10:38, Oleg Fayans wrote:





Hello,

I cannot apply this patch
error: ipatests/test_integration/test_certs_in_idoverrides.py: does not
exist in index
It probably depends on another patch (which one?)

Please, use human readable subjects in email, I do not remember from top
of my head what #6146 is.

Martin^2




--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



[Freeipa-devel] [test][patch-0057] test for ticket N 6146

2016-08-10 Thread Oleg Fayans


--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From a33a5aea0f12f63d53ff773b3d5e615b1f582d7f Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Wed, 10 Aug 2016 10:29:59 +0200
Subject: [PATCH] Test for installing rules with service principals

https://fedorahosted.org/freeipa/ticket/6146
---
 .../test_integration/test_certs_in_idoverrides.py  | 82 ++
 1 file changed, 82 insertions(+)

diff --git a/ipatests/test_integration/test_certs_in_idoverrides.py b/ipatests/test_integration/test_certs_in_idoverrides.py
index 9114c4f91cd6378acc53caa068b852ae15670d7a..b9eabdf36abff73d8cd5daab0a1ada2c4dffbca6 100644
--- a/ipatests/test_integration/test_certs_in_idoverrides.py
+++ b/ipatests/test_integration/test_certs_in_idoverrides.py
@@ -10,6 +10,88 @@ from ipatests.test_integration.base import IntegrationTest
 from ipatests.test_integration.tasks import assert_error
 
 
+class TestRulesWithServicePrincipals(IntegrationTest):
+"""
+https://fedorahosted.org/freeipa/ticket/6146
+"""
+
+topology = 'star'
+num_replicas = 0
+service_certprofile = 'caIPAserviceCert'
+caacl = 'test_caacl'
+keytab = "replica.keytab"
+csr = "my.csr"
+csr_conf = "replica.cnf"
+
+@classmethod
+def prepare_config(cls):
+template = """
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+
+[req_distinguished_name]
+commonName = %s
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = %s
+DNS.2 = %s
+EOF
+"""
+
+contents = template % (cls.replica, cls.replica, cls.master.hostname)
+cls.master.run_command("cat < %s\n%s" % (cls.csr_conf, contents))
+
+@classmethod
+def install(cls, mh):
+super(TestRulesWithServicePrincipals, cls).install(mh)
+master = cls.master
+tasks.kinit_admin(master)
+cls.replica = "replica.%s" % master.domain.name
+master.run_command(['ipa', 'host-add', cls.replica, '--force'])
+cls.service_name = "svc/%s" % master.hostname
+cls.replica_service_name = "svc/%s" % cls.replica
+master.run_command("ipa service-add %s" % cls.service_name)
+master.run_command("ipa service-add %s --force" %
+   cls.replica_service_name)
+master.run_command("ipa service-add-host %s --hosts %s" % (
+cls.service_name, cls.replica))
+master.run_command("ipa caacl-add %s --desc \"test\"" % cls.caacl)
+master.run_command("ipa caacl-add-host %s --hosts %s" % (cls.caacl,
+ cls.replica))
+master.run_command("ipa caacl-add-service %s --services"
+   " svc/`hostname`" % cls.caacl)
+master.run_command("ipa-getkeytab -p host/%s@%s -k %s" % (
+cls.replica, master.domain.realm, cls.keytab))
+master.run_command("kinit -kt %s host/%s" % (cls.keytab, cls.replica))
+
+# Prepare a CSR
+
+cls.prepare_config()
+stdin_text = "qwerty\nqwerty\n%s\n" % cls.replica
+
+master.run_command(['openssl', 'req', '-config', cls.csr_conf, '-new',
+'-out', cls.csr], stdin_text=stdin_text)
+
+def test_rules_with_service_principals(self):
+result = self.master.run_command(['ipa', 'cert-request', self.csr,
+  '--principal', "svc/%s@%s" % (
+  self.replica,
+  self.master.domain.realm),
+  '--profile-id',
+  self.service_certprofile],
+ raiseonerr=False)
+assert(result.returncode == 0), (
+'Failed to add a cert to custom certprofile')
+
+
 class TestCertsInIDOverrides(IntegrationTest):
 topology = "line"
 service_certprofile = 'caIPAserviceCert'
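Review bot: `install()` ends with `kinit -kt %s host/%s`, which leaves the master's credential cache on the host principal, and the class defines no uninstall or teardown for the host entry, the two `svc/` services, the `test_caacl` CA ACL or the files `replica.keytab`, `my.csr` and `replica.cnf`; add cleanup and restore admin credentials so later classes in this file do not inherit that state. In `prepare_config`, `"cat < %s\n%s"` as written reads from `csr_conf` instead of writing to it even though the template ends in `EOF`, so the heredoc redirection needs checking. `caacl-add-service` relies on a shell backtick substitution of `hostname` where `cls.service_name` is already available, and the test asserts only on exit code 0; a second request that the CA ACL should deny would show that the rule is actually evaluated.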
-- 
1.8.3.1


Re: [Freeipa-devel] [PATCH] ca-less tests updated

2016-08-09 Thread Oleg Fayans

Hi all,

Bump for the review of the 0013 patch. The script it addresses can be 
reused in some WebUI tests - one more reason to have it reviewed/merged


The rest patches should be re-tested, since they were prepared a good 
while ago


On 05/10/2016 05:08 PM, Oleg Fayans wrote:

Hi David,

After quite a while and some more struggles here comes the updated
version of the patch together with other patches fixing things in
ipatests/test_integration/tasks.py
Server and replica installation was refactored in a way to utilize the
code from tasks.py as much as it is possible

The full set of necessary patches is attached


On 04/20/2016 10:35 AM, David Kupka wrote:

On 19/04/16 11:13, Oleg Fayans wrote:

OK, that one, though passing lint, did not actually work. I gave up my
attempts to define method decorators inside the class. Now it passes
lint AND works:)



Hi Oleg!

1) Current commit message is useless. Please use it to describe what is
the point of the patch.

2) $ git show -U0 | pep8 --diff
./ipatests/test_integration/test_caless.py:66:1: E302 expected 2 blank
lines, found 1
./ipatests/test_integration/test_caless.py:74:1: E302 expected 2 blank
lines, found 1
./ipatests/test_integration/test_caless.py:820:5: E303 too many blank
lines (2)
./ipatests/test_integration/test_caless.py:825:80: E501 line too long
(80 > 79 characters)
./ipatests/test_integration/test_caless.py:1035:44: E225 missing
whitespace around operator


3) Isn't there a way to do this with pytest's fixtures?


+def server_install_teardown(func):
+def wrapped(*args):
+try:
+func(*args)
+finally:
+args[0].uninstall_server()
+return wrapped
+
+def replica_install_teardown(func):
+def wrapped(*args):
+try:
+func(*args)
+finally:
+# Uninstall replica
+replica = args[0].replicas[0]
+tasks.kinit_admin(args[0].master)
+args[0].uninstall_server(replica)
+args[0].master.run_command(['ipa-replica-manage', 'del',
+replica.hostname, '--force'],
+   raiseonerr=False)
+args[0].master.run_command(['ipa', 'host-del',
+replica.hostname],
+   raiseonerr=False)
+return wrapped
+
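Review bot: both `wrapped(*args)` functions drop the return value of `func` and accept no keyword arguments, and without `functools.wraps(func)` the decorated test loses its name and docstring. In `replica_install_teardown` everything after `args[0].uninstall_server(replica)` shares one `finally` block, so if the uninstall raises, the `ipa-replica-manage del` and `host-del` calls never run and the master keeps the stale replica; run the master-side cleanup in its own `try`/`finally`.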


There is a standard pytest method called 'method_teardown', that is
intended to be executed after each test method, but with our setup it does
not work.



4) Is it necessary to create the $TEST_DIR in the test? Isn't it created
by the framework?


+host.transport.mkdir_recursive(host.config.test_dir)




Removed.



5) I don't think the comment match the code.



+# Remove CA cert in /etc/pki/nssdb, in case of failed
(un)install
+for host in cls.get_all_hosts():
+cls.uninstall_server(host)
+
   super(CALessBase, cls).uninstall(mh)




Not actual anymore



6) No! Create list with one element, iterate that list and append every
item to the other list. Maybe there's better way (Hint: append).
I've seen this on multiple places.


   if unattended:
   args.extend(['-U'])


Agreed



7) Why don't you (extend and) use
ipatests.test_integaration.tasks.(un)install_{master,replica}?
This could be done pretty much all over the code.


   host.run_command(['ipa-server-install', '--uninstall', '-U'])


8) Use ipaplatform.paths for certutil and other binaries. If the binary
is not there feel free to add it.
I've seen this on multiple places.


+host.run_command(['certutil', '-d', paths.NSS_DB_DIR, '-D',
+  '-n', 'External CA cert'],
+ raiseonerr=False)
+# A workaround forhttps://fedorahosted.org/freeipa/ticket/4639
+result = host.run_command(['certutil', '-L', '-d',
+   paths.HTTPD_ALIAS_DIR])
+for rawcert in result.stdout_text.split('\n')[4: -1]:
+cert = rawcert.split('')[0]
+host.run_command(['certutil', '-D', '-d',
paths.HTTPD_ALIAS_DIR,
+  '-n', cert])
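Review bot: the loop takes nicknames from `result.stdout_text.split('\n')[4: -1]`, which only works while `certutil -L` prints exactly four header lines and one trailing line, and `rawcert.split('')` as quoted has an empty separator, which raises ValueError in Python. Splitting each line from the right on whitespace and skipping lines without a trust-attributes column would survive header changes and nicknames that contain spaces. The `-D` calls inside the loop also run without `raiseonerr=False`, so one undeletable entry aborts the cleanup.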



Done



9) certmonger is system service. You can check if it is .enabled() and
.running(). And IIUC the comment is negation of what the code does.



   # Verify certmonger was not started
   result = host.run_command(['getcert', 'list'],
raiseonerr=False)
-assert result > 0
-assert ('Please verify that the certmonger service has
been '
-'started.' in result.stdout_text),
result.stdout_text
+assert result.returncode == 0


10) What is the point of calling uninstall_server() when it will be
called in the finally block of server_install_teardown anyway?


+@server_install_teardown
   def test_revoked_http(self):
   "IPA server install with revoked HTTP certificate"

   if result

[Freeipa-devel] [Test][patch-0056] Fixed incorrect returncode assert in test

2016-08-04 Thread Oleg Fayans


--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 8b8732c3d86820124c117c88c6f892d9bb41cbc3 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Thu, 4 Aug 2016 12:42:23 +0200
Subject: [PATCH] Fixed incorrect return code assert

The assert checked that the returncode of the replica uninstallation is zero
where in fact the uninstallation was expected to fail with the certain error
message
---
 ipatests/test_integration/test_replica_promotion.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 7bc1d5281880221578df3c269a3d7715777bb8e0..e4cac69738bd9c265c88ccc23392adad38486c1a 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -345,7 +345,7 @@ class TestProhibitReplicaUninstallation(IntegrationTest):
 result = self.replicas[0].run_command(['ipa-server-install',
'--uninstall', '-U'],
   raiseonerr=False)
-assert(result.returncode == 0), ("The replica was removed without "
+assert(result.returncode > 0), ("The replica was removed without "
  "'--ignore-topology-disconnect' option")
 assert("Uninstallation leads to disconnected topology"
in result.stdout_text), ("Expected error message was not found")
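Review bot: the second assert looks for "Uninstallation leads to disconnected topology" in `result.stdout_text` only; if the installer reports this on stderr the test fails for the wrong reason, so confirm the stream or check `stderr_text` as well. On the changed line, `returncode > 0` accepts any failure, which is acceptable only because the message assert follows it. The `assert(cond), (msg)` spelling reads like a call and is one misplaced parenthesis away from `assert (cond, msg)`, which always passes; plain `assert cond, msg` is safer.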
-- 
1.8.3.1


[Freeipa-devel] [Tests][patch-0066] Fixed incorrect domainlevel determination in integration tests

2016-08-04 Thread Oleg Fayans


--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 2deee8b3baeb091904eb7c2ba61b90e669cc8df2 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Thu, 4 Aug 2016 09:22:31 +0200
Subject: [PATCH] Fixed incorrect domainlevel determination in tests

https://fedorahosted.org/freeipa/ticket/6167
---
 ipatests/test_integration/tasks.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index 7f6c79e65cda31bdba3d882a72bb5e2dcdb1f355..b01738aa14594560f70c98ccfb1faf25f44559b2 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -301,6 +301,7 @@ def get_replica_filename(replica):
 def domainlevel(host):
 # Dynamically determines the domainlevel on master. Needed for scenarios
 # when domainlevel is changed during the test execution.
+kinit_admin(host)
 result = host.run_command(['ipa', 'domainlevel-get'], raiseonerr=False)
 level = 0
 domlevel_re = re.compile('.*(\d)')
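Review bot: calling `kinit_admin(host)` inside `domainlevel()` makes a read-only helper replace the host's credential cache with admin's on every call, which can silently change the identity a test is running as after it has done a `kinit` for another principal. The context shows why the call was needed: `raiseonerr=False` together with `level = 0` turns a failed `domainlevel-get` into "domain level 0". Consider raising when the command fails or the regex finds no level, and mention the kinit side effect in the comment above the new line. The pattern `'.*(\d)'` should also be a raw string.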
-- 
1.8.3.1

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964

2016-08-03 Thread Oleg Fayans

Hi Martin,

Thanks for the review! Both patches were updated.

On 07/28/2016 04:11 PM, Martin Basti wrote:



On 08.07.2016 15:41, Oleg Fayans wrote:

Hi Martin,

Thanks for the review!

On 07/08/2016 02:18 PM, Martin Basti wrote:



On 27.06.2016 13:53, Oleg Fayans wrote:

Hi guys,

Is there a chance the patches NN 0047.1 and 0048.1 get reviewed before
4.4 release? They cover a good part of the Managed Topology 4.4
feature.

On 06/17/2016 11:18 AM, Oleg Fayans wrote:

One more test was added to the patch-0048

On 06/17/2016 09:43 AM, Oleg Fayans wrote:

Fixed a bug in the previous patch, automated 2 more testcases from
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan



On 06/16/2016 04:46 PM, Oleg Fayans wrote:










IIUC, this will turn off the machine completely, how is cleanup done
then.  AFAIK our tests cannot turn on machine again and run cleanup, so
you will not be able to run more tests on the same topology without
manual cleanup and manual start.

+replica = self.replicas[0]
+replica.run_command(['poweroff'])

IMO would be better to just call 'ipactl stop' instead of 'poweroff'


Agreed! Fixed.



Martin^2






*Automated ipa-replica-manage del tests*

1)
+replica.run_command(['ipactl', 'stop'])
+time.sleep(3)

Why do you need sleep here?


Removed, it was left from the old "poweroff" approach




2)
+ruvid_re = re.compile(".*%s:389: (\d+).*" % replica.hostname)
+replica_ruvs = ruvid_re.findall(result.stdout_text)
+master.run_command(['ipa-replica-manage', 'clean-ruv', 'f',
+'-p', master.config.dirman_password,
+replica_ruvs[0]])
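Review bot: `'f'` is passed to `clean-ruv` as a bare positional argument ahead of `-p`; if the force flag is meant it should be `'-f'`, otherwise drop it. `replica.hostname` is also interpolated into `ruvid_re` without `re.escape()`, so every dot in the hostname matches any character, and the pattern is a non-raw string containing `\d`.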

Because you are using re.findall(), without any match you will receive
IndexError here replica_ruvs[0]. IMO it deserves assert before


Implemented the assert which checks that the output contains enough 
replica RUVs




3)
assert(replica.hostname in result1.stdout_text)

I think that this is error prone. What if there is just error 'could not
connect to replica ', or something similar, instead of
listing/cleaning/whatever operation was executed. I think that it should
be more specific regexp than just finding a replica name substring (Yes,
in IPA we don't always print errors to stderr)

I'm not sure, but probably there might be cases when non critical error
happen and exit status is still 0


Agree. Implemented a regex-based search



4)

+replica.run_command(['poweroff'])
+time.sleep(3)

There should not be poweroff, probably sleep could be removed too.


Gone




*Automated clean-ruv subcommand test*

1) PEP8, 2 new lines expected
./ipatests/test_integration/test_topology.py:163:1: E302 expected 2
blank lines, found 0
./ipatests/test_integration/test_topology.py:182:80: E501 line too long
(85 > 79 characters)


Fixed




2)
I don't like doing assert just with count of occurrences of substring in
STDOUT, would be possible to improve this somehow?


Maybe, but frankly, I don't see how. In this case we are making sure 
that both simple and CA-specific RUVs of a replica are displayed. The 
format of the output is strict:

Replica Update Vectors:
replica1_hostname:389: RUV_id
replica2_hostname:389: RUV_id
Certificate Server Replica Update Vectors:
replica1_hostname:389: RUV_id
replica2_hostname:389: RUV_id
If we do not see 2 occurrences of the replica hostname then definitely 
something went wrong




3)
I'm not sure if clean-ruv is instant operations or there is some magic
happening in background (we have abort-clean-ruv). Maybe some sleep
should be there, but this needs investigation.

+assert(replica.hostname in result2.stdout_text), (
+"The wrong RUV was deleted")
+result3 = master.run_command(['ipa-replica-manage', 'list-ruv',
+  '-p', master.config.dirman_password])
+assert(result3.stdout_text.count(replica.hostname) == 1), (
+"CA RUV of the replica is still displayed")



Based on my discussion with Stanislav Laznicka, I understood that by 
default clean-ruv does not return the shell until the operation is 
finished. You can force dropping into the shell by pressing CTRL+C, in 
which case the background job will still be running, but this is not the 
default behavior


--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 1003531981483bc63ebdad56139ac6815026b711 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Wed, 3 Aug 2016 09:17:10 +0200
Subject: [PATCH] Automated clean-ruv subcommand test

https://fedorahosted.org/freeipa/ticket/5964
---
 ipatests/test_integration/test_topology.py | 53 ++
 1 file changed, 53 insertions(+)

diff --git a/ipatests/test_integration/test_topology.py b/ipatests/test_integration/test_topology.py
index e956563c27eafd84deed5786274a73d0d3594642..87f78565e133de66251476e2c9d6ccbb368d000d 100644
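
The exchange above raises three concerns: `replica_ruvs[0]` failing with IndexError, a hostname substring matching an error message, and counting hostname occurrences in the output. One way to address all three is to parse the `list-ruv` output in the layout quoted in the message and assert on the parsed structure. This is an added example, not code from the patch or from ipatests; the sample text, hostnames, RUV ids and helper names are assumptions.

```python
import re

# Constructed sample in the layout quoted in the message above; hostnames and
# RUV ids are made up. replica1 carries a stale second id (5 and 9).
SAMPLE_LIST_RUV = """\
Replica Update Vectors:
master.ipa.test:389: 4
replica1.ipa.test:389: 5
replica1.ipa.test:389: 9
Certificate Server Replica Update Vectors:
master.ipa.test:389: 6
replica1.ipa.test:389: 7
"""

DOMAIN = "Replica Update Vectors"
CA = "Certificate Server Replica Update Vectors"

SECTION_RE = re.compile(
    r"^\s*(?P<title>(?:Certificate Server )?Replica Update Vectors):\s*$")
ENTRY_RE = re.compile(
    r"^\s*(?P<host>[^\s:]+):(?P<port>\d+):\s*(?P<ruv>\d+)\s*$")


def parse_list_ruv(text):
    """Parse list-ruv output into {section: {hostname: [ruv ids]}}.

    Any non-blank line that is neither a section title nor a
    "host:port: id" entry raises ValueError, so an error message that
    merely mentions the replica's hostname cannot pass as a listing.
    """
    sections = {}
    current = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        title = SECTION_RE.match(line)
        if title:
            current = sections.setdefault(title.group("title"), {})
            continue
        entry = ENTRY_RE.match(line)
        if entry is None or current is None:
            raise ValueError("line %d is not RUV output: %r" % (lineno, line))
        ids = current.setdefault(entry.group("host"), [])
        ids.append(int(entry.group("ruv")))
    return sections


def require_ruvs(sections, section, hostname):
    """RUV ids of an exact hostname in one section, or a readable failure."""
    ids = sections.get(section, {}).get(hostname, [])
    if not ids:
        raise AssertionError("no RUV for %s under %r; parsed %r"
                             % (hostname, section, sections))
    return ids


def removed_ruvs(before_text, after_text):
    """(section, hostname, id) triples listed before and missing after."""
    def flatten(text):
        return {(section, host, ruv)
                for section, hosts in parse_list_ruv(text).items()
                for host, ids in hosts.items()
                for ruv in ids}
    return flatten(before_text) - flatten(after_text)


if __name__ == "__main__":
    parsed = parse_list_ruv(SAMPLE_LIST_RUV)
    print(require_ruvs(parsed, DOMAIN, "replica1.ipa.test"))
```

Comparing `removed_ruvs()` of the listings taken before and after `clean-ruv` with the one triple that was meant to go also catches the case where the wrong RUV, or more than one, was deleted.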

Re: [Freeipa-devel] [Test][Patch-0051] Fixed import error in replica promotion test

2016-08-03 Thread Oleg Fayans

Hi Martin,

The commit message was extended. Thanks for the review!

On 08/03/2016 10:36 AM, Martin Basti wrote:



On 03.08.2016 09:55, Oleg Fayans wrote:

ping for review

On 06/28/2016 04:01 PM, Oleg Fayans wrote:







ACK, if you improve commit messages


--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 0268535dcc8426667f5742a05f4554f8ff9bd031 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Tue, 28 Jun 2016 16:00:08 +0200
Subject: [PATCH] Fixed import error

assert_error was lately transferred from test_caless.py to tasks.py, which
started to cause import errors in replica promotion tests

---
 ipatests/test_integration/test_replica_promotion.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 1f683b6d5c067ec526b307eea1460cafbadb80cb..2acd63b2c2e2c958478136f1cdfd5040c2052e15 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -4,7 +4,7 @@
 
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.test_integration import tasks
-from ipatests.test_integration.test_caless import assert_error
+from ipatests.test_integration.tasks import assert_error
 from ipalib.constants import DOMAIN_LEVEL_0
 from ipalib.constants import DOMAIN_LEVEL_1
 from ipalib.constants import DOMAIN_SUFFIX_NAME
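
Review bot: the new "from ipatests.test_integration.tasks import assert_error" line sits directly below "from ipatests.test_integration import tasks", so the same module is now imported under two names. Calling tasks.assert_error(...) at the call sites would remove the extra import and make it obvious where the helper lives after the move described in the commit message.
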
-- 
1.8.3.1


Re: [Freeipa-devel] [Test][Patch-0051] Fixed import error in replica promotion test

2016-08-03 Thread Oleg Fayans

ping for review

On 06/28/2016 04:01 PM, Oleg Fayans wrote:






--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-08-02 Thread Oleg Fayans

Hi Martin,

I did! Thank you!

On 08/02/2016 12:31 PM, Martin Basti wrote:



On 01.08.2016 22:46, Oleg Fayans wrote:

The test was redesigned so that it actually tests against an AD user.
cleanly applies, passes lint and passes

https://paste.fedoraproject.org/399504/00843641/


Okay

Did you forget to send patches?

Martin^2



On 06/28/2016 01:40 PM, Oleg Fayans wrote:

Patch-0050 rebased against latest upstream branch

On 06/28/2016 10:45 AM, Oleg Fayans wrote:

Passing test output:

https://paste.fedoraproject.org/385774/71035231/













--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From e8944743236af1fbcf56cbaecb6a4203b4086be9 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Mon, 1 Aug 2016 22:18:44 +0200
Subject: [PATCH] Added interface to certutil

---
 ipatests/test_integration/tasks.py | 5 +
 1 file changed, 5 insertions(+)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index 8cd9ec71bc5ee22b8aba5d5c6324d1e7bf8b28a6..7f6c79e65cda31bdba3d882a72bb5e2dcdb1f355 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -1179,6 +1179,11 @@ def run_server_del(host, server_to_delete, force=False,
 return host.run_command(args, raiseonerr=False)
 
 
+def run_certutil(host, args, reqdir, stdin=None):
+new_args = [paths.CERTUTIL, "-d", reqdir]
+new_args = " ".join(new_args + args)
+return host.run_command(new_args, raiseonerr=False,
+stdin_text=stdin)
 def assert_error(result, stderr_text, returncode=None):
 "Assert that `result` command failed and its stderr contains `stderr_text`"
 assert stderr_text in result.stderr_text, result.stderr_text
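
Review bot: run_certutil() flattens the argument list with " ".join(new_args + args) and hands host.run_command a single string, so reqdir and every element of args are pasted into one command line unquoted; a database path or nickname containing a space or a shell metacharacter is split or interpreted on the remote side. Passing the list new_args + args to host.run_command, the way the context line above passes args, avoids building the command string by hand. The function also lacks a docstring (args is expected to be a list, reqdir is the NSS database directory) and the two blank lines before def assert_error.
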
-- 
1.8.3.1

From cc88677030efe05044a79486b87533d416b6bcc3 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Mon, 1 Aug 2016 22:40:00 +0200
Subject: [PATCH] Automated test for certs in idoverrides feature

https://fedorahosted.org/freeipa/ticket/6005
---
 .../test_integration/test_certs_in_idoverrides.py  | 118 +
 1 file changed, 118 insertions(+)
 create mode 100644 ipatests/test_integration/test_certs_in_idoverrides.py

diff --git a/ipatests/test_integration/test_certs_in_idoverrides.py b/ipatests/test_integration/test_certs_in_idoverrides.py
new file mode 100644
index ..9114c4f91cd6378acc53caa068b852ae15670d7a
--- /dev/null
+++ b/ipatests/test_integration/test_certs_in_idoverrides.py
@@ -0,0 +1,118 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+import os
+import re
+import string
+from ipatests.test_integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration.tasks import assert_error
+
+
+class TestCertsInIDOverrides(IntegrationTest):
+topology = "line"
+service_certprofile = 'caIPAserviceCert'
+num_ad_domains = 1
+user_certprofile = 'caIPAuserCert'
+adview = 'Default Trust View'
+cert_re = re.compile('Certificate: (?P.*?)\\s+.*')
+
+@classmethod
+def uninstall(cls, mh):
+cls.master.run_command(['rm', '-rf', cls.reqdir], raiseonerr=False)
+
+@classmethod
+def install(cls, mh):
+super(TestCertsInIDOverrides, cls).install(mh)
+master = cls.master
+
+# AD-related stuff
+cls.ad = cls.ad_domains[0].ads[0]
+cls.ad_domain = cls.ad.domain.name
+cls.aduser = "testuser@%s" % cls.ad_domain
+cls.adcert1 = 'MyCert1'
+cls.adcert2 = 'MyCert2'
+cls.adcert1_file = cls.adcert1 + '.crt'
+cls.adcert2_file = cls.adcert2 + '.crt'
+tasks.install_adtrust(master)
+tasks.sync_time(master, cls.ad)
+tasks.establish_trust_with_ad(cls.master, cls.ad_domain,
+  extra_args=['--range-type',
+  'ipa-ad-trust'])
+
+tasks.sync_time(cls.master, cls.ad)
+master.run_command(['ipa', 'certprofile-show', cls.service_certprofile,
+"--out=%s.txt" % cls.user_certprofile])
+master.run_command("sed -i \"s/profileId=%s/profileId=%s/\" %s.txt" % (
+cls.service_certprofile, cls.user_certprofile,
+cls.user_certprofile)
+)
+master.run_command(['ipa', 'certprofile-import', cls.user_certprofile,
+"--file=%s.txt" % cls.user_certprofile,
+'--store=true', '--desc="User Certs"'])
+
+cls.reqdir = os.path.join(master.config.test_dir, "certs")
+cls.reqfile1 = os.path.join(cls.reqdir, "test1.csr")
+cls.reqfile2 = os.path.join(cls.reqdir, "test2.csr")
+cls.pwname = os.path.join(cls.reqdir, "pwd")
+
+# Create a NSS database 
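
Review bot: uninstall() runs rm -rf on cls.reqdir, but cls.reqdir is only assigned near the end of install(), after install_adtrust, establish_trust_with_ad and the certprofile commands; if one of those steps fails and uninstall() still runs, it raises AttributeError instead of cleaning up, and raiseonerr=False does not cover that. Assign reqdir before the first step that can fail, or guard the cleanup. Two smaller points in install(): tasks.sync_time(master, cls.ad) is called both before and after establish_trust_with_ad, and '--desc="User Certs"' is passed as one list element, so the double quotes are likely to end up inside the stored description.
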

Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-08-01 Thread Oleg Fayans
The test was redesigned so that it actually tests against an AD user. 
cleanly applies, passes lint and passes


https://paste.fedoraproject.org/399504/00843641/


On 06/28/2016 01:40 PM, Oleg Fayans wrote:

Patch-0050 rebased against latest upstream branch

On 06/28/2016 10:45 AM, Oleg Fayans wrote:

Passing test output:

https://paste.fedoraproject.org/385774/71035231/









--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [PATCH 0024][Tests] Fix integration tests not to produce incorrect /etc/hosts file

2016-08-01 Thread Oleg Fayans

ACK

On 07/19/2016 01:19 PM, Lenka Doudova wrote:



On 06/29/2016 06:49 PM, Petr Spacek wrote:

On 29.6.2016 18:39, Oleg Fayans wrote:

In fact, I believe /etc/hosts file should not be touched at all.
Hostname resolution is usually governed by the DNS system of the lab in
which tests are running. We do not modify it when performing tests
manually, so I'd rather remove this method at all.

+1, it should not be needed. Let me know if it is needed for some reason
and I will have a look.

Petr^2 Spacek

Hi,

providing new (and renamed) patch as was suggested in the discussion
above - removing manipulation with /etc/hosts file from the tests.
The "fix_etc_hosts" function was completely removed from the tasks file.
Verification that nothing is broken by this change was done by running
some random integration test (trust tests), and also on Milan's
suggestion by running a test requiring two replicas (replica promotion
tests).

Lenka


On 06/29/2016 06:27 PM, Lenka Doudova wrote:

Hi all,

a function 'fix_etc_hosts' in ipatests/test_integration/tasks.py
produces incorrect /etc/hosts file (solitary IPv6 address), and
currently parser is not able to resolve the issue, causing
ipa-server-install to fail with 'list index out of range' error.

Hence I'm attaching patch to fix this issue before parser is fixed
(related ticket to it #6014). The fix is just change of regexes
responsible for creating incorrect file so that all the lines containing
defined hostname are removed, not just specific IP/hostname/shortname
strings.


Lenka






--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [Test][patch-0053] Forced-client-reenrollment test fixed.

2016-07-26 Thread Oleg Fayans

Here is the test output:

https://paste.fedoraproject.org/395706/69538081/

On 07/26/2016 03:34 PM, Oleg Fayans wrote:

Hi Martin,

The patch was updated according to your suggestions. A separate patch
removing outdated tests is attached.

On 07/08/2016 02:10 PM, Martin Basti wrote:



On 07.07.2016 08:09, Oleg Fayans wrote:

Updated version of the patch is attached with the failing tests marked
as xfailed (let's make the jenkins green).

On 07/04/2016 10:50 PM, Oleg Fayans wrote:

2 out of 7 tests currently fail due to a known issue [1], others pass.

[1] https://fedorahosted.org/freeipa/ticket/6029









This is wrong:

1)
you are not getting SSHFP records, just SSH public key (with your
changes)

2)
you are using host-find without any arguments, so it will return SSH
key for all hosts, the code before was getting SSHFP only for one host.
Would be better to use host-show?

3)
you actually found a bug, because host-find and host-show should print
only SSH fingerprints not SSH keys
https://fedorahosted.org/freeipa/ticket/6042
https://fedorahosted.org/freeipa/ticket/6043

4)
don't call it SSHFP records in code, because it is not DNS related,
probably you want to get SSH fingerprints instead of SSH keys

5)
It may contain multiple SSH keys, you always return only the first (the
original code returns all values)

 def get_sshfp_record(self):
-sshfp_record = ''
-client_host = self.clients[0].hostname.split('.')[0]
-
  result = self.master.run_command(
-['ipa', 'dnsrecord-show', self.master.domain.name,
client_host]
+['ipa', 'host-find']
  )
-
-lines = result.stdout_text.splitlines()
-for line in lines:
-if 'SSHFP record:' in line:
-sshfp_record = line.replace('SSHFP record:', '').strip()
-
-assert sshfp_record, 'SSHFP record not found'
-
-sshfp_record = set(sshfp_record.split(', '))
-self.log.debug("SSHFP record for host %s: %s", client_host,
str(sshfp_record))
-
-return sshfp_record
+records = result.stdout_text.split('\n\n')
+sshkey_re = re.compile('.+SSH public key: ssh-\w+ (\S+?),.+')
+for hostrecord in records:
+if self.clients[0].hostname in hostrecord:
+sshfps = sshkey_re.findall(hostrecord)
+assert sshfps, 'SSHFP record not found'
+sshfp = sshfps[0]
+return sshfp
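
Review bot: in the added loop, the assert and the return both sit inside "if self.clients[0].hostname in hostrecord:", so when no host-find record contains the client hostname the method falls off the end and returns None; two such calls compare equal and a pre/post comparison passes without having checked anything. Assert or raise after the loop. The "in" test is also a substring match over the whole record text, so a record that merely mentions the hostname is accepted as the client's own entry.
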








--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
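
Points 1, 4 and 5 of the review quoted above separate three things: the SSH public key, its fingerprint, and the DNS SSHFP record, and ask for all keys to be compared rather than the first. The Python sketch below is an added illustration, not code from the patch or from FreeIPA; the helper names are made up for the example and the sample keys are constructed from dummy key material.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers from RFC 4255, RFC 6594 and RFC 7479.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4,
}
SSHFP_TYPE_SHA256 = 2


def ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def make_sample_key(key_type, dummy_material, comment):
    """Build a constructed 'type base64 comment' line (not a usable key)."""
    blob = ssh_string(key_type.encode("ascii")) + ssh_string(dummy_material)
    return "%s %s %s" % (key_type, base64.b64encode(blob).decode("ascii"),
                         comment)


# Constructed sample input: two host keys of one hypothetical client.
SAMPLE_KEYS = [
    make_sample_key("ssh-ed25519", bytes(range(32)), "root@client.example.test"),
    make_sample_key("ssh-rsa", b"\x01" * 64, "root@client.example.test"),
]


def parse_public_key(line):
    """Return (key_type, key_blob) for one OpenSSH public key line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line: %r" % line)
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob carries its own copy of the key type; both must agree.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("key type does not match key blob")
    return key_type, blob


def fingerprint(blob):
    """SHA-256 fingerprint in the form printed by ssh-keygen -l."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def sshfp_rdata(key_type, blob):
    """RDATA of the DNS SSHFP record for the same key (SHA-256 type)."""
    return "%d %d %s" % (SSHFP_ALGORITHM[key_type], SSHFP_TYPE_SHA256,
                         hashlib.sha256(blob).hexdigest())


def host_key_fingerprints(key_lines):
    """Fingerprints of every key of a host, as a set (order-independent)."""
    return {fingerprint(parse_public_key(line)[1]) for line in key_lines}


def host_keys_unchanged(pre_lines, post_lines):
    """True when a host has exactly the same set of keys before and after."""
    return host_key_fingerprints(pre_lines) == host_key_fingerprints(post_lines)


if __name__ == "__main__":
    for line in SAMPLE_KEYS:
        key_type, blob = parse_public_key(line)
        print(key_type, fingerprint(blob), "| SSHFP", sshfp_rdata(key_type, blob))
    print("unchanged:", host_keys_unchanged(SAMPLE_KEYS, SAMPLE_KEYS[::-1]))
```

The fingerprint and the SSHFP RDATA are two encodings of the same SHA-256 digest of the key blob; only the SSHFP form is DNS data.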



Re: [Freeipa-devel] [Test][patch-0053] Forced-client-reenrollment test fixed.

2016-07-26 Thread Oleg Fayans

Hi Martin,

The patch was updated according to your suggestions. A separate patch 
removing outdated tests is attached.


On 07/08/2016 02:10 PM, Martin Basti wrote:



On 07.07.2016 08:09, Oleg Fayans wrote:

Updated version of the patch is attached with the failing tests marked
as xfailed (let's make the jenkins green).

On 07/04/2016 10:50 PM, Oleg Fayans wrote:

2 out of 7 tests currently fail due to a known issue [1], others pass.

[1] https://fedorahosted.org/freeipa/ticket/6029









This is wrong:

1)
you are not getting SSHFP records, just SSH public key (with your changes)

2)
you are using host-find without any arguments, so it will return SSH
key for all hosts, the code before was getting SSHFP only for one host.
Would be better to use host-show?

3)
you actually found a bug, because host-find and host-show should print
only SSH fingerprints not SSH keys
https://fedorahosted.org/freeipa/ticket/6042
https://fedorahosted.org/freeipa/ticket/6043

4)
don't call it SSHFP records in code, because it is not DNS related,
probably you want to get SSH fingerprints instead of SSH keys

5)
It may contain multiple SSH keys, you always return only the first (the
original code returns all values)

 def get_sshfp_record(self):
-sshfp_record = ''
-client_host = self.clients[0].hostname.split('.')[0]
-
  result = self.master.run_command(
-['ipa', 'dnsrecord-show', self.master.domain.name, client_host]
+['ipa', 'host-find']
  )
-
-lines = result.stdout_text.splitlines()
-for line in lines:
-if 'SSHFP record:' in line:
-sshfp_record = line.replace('SSHFP record:', '').strip()
-
-assert sshfp_record, 'SSHFP record not found'
-
-sshfp_record = set(sshfp_record.split(', '))
-self.log.debug("SSHFP record for host %s: %s", client_host,
str(sshfp_record))
-
-return sshfp_record
+records = result.stdout_text.split('\n\n')
+sshkey_re = re.compile('.+SSH public key: ssh-\w+ (\S+?),.+')
+for hostrecord in records:
+if self.clients[0].hostname in hostrecord:
+sshfps = sshkey_re.findall(hostrecord)
+assert sshfps, 'SSHFP record not found'
+sshfp = sshfps[0]
+return sshfp
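
Review bot: the pattern '.+SSH public key: ssh-\w+ (\S+?),.+' only matches when the key token is followed immediately by a comma and further text, so a host entry that lists a single key never matches and the assert fires for the wrong reason; the hard-coded ssh- prefix also skips key types such as ecdsa-sha2-nistp256. Write the pattern as a raw string, capture the whole value after "SSH public key:" and split it on ', ' so that every key is collected.
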




--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From d5e6dd5ab115a10a8a504f4f0c5b3117cdbc0176 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Tue, 26 Jul 2016 15:06:41 +0200
Subject: [PATCH] Removed outdated reenrollment tests

https://fedorahosted.org/freeipa/ticket/6029
---
 .../test_forced_client_reenrollment.py | 38 +++---
 1 file changed, 5 insertions(+), 33 deletions(-)

diff --git a/ipatests/test_integration/test_forced_client_reenrollment.py b/ipatests/test_integration/test_forced_client_reenrollment.py
index d430a98e74450f44eac286ac0ad35a5aee7cc602..1ea57a871b0830f9afa18de8029739cae8115a49 100644
--- a/ipatests/test_integration/test_forced_client_reenrollment.py
+++ b/ipatests/test_integration/test_forced_client_reenrollment.py
@@ -58,42 +58,14 @@ class TestForcedClientReenrollment(IntegrationTest):
 
 def test_reenroll_with_keytab(self, client):
 """
-Client re-enrollment using keytab
+Client re-enrollment using keytab: the old keytab should be invalid,
+see https://fedorahosted.org/freeipa/ticket/6029 for reasoning
 """
 self.backup_keytab()
-sshfp_record_pre = self.get_sshfp_record()
-self.restore_client()
-self.check_client_host_entry()
+self.uninstall_client()
+self.check_client_host_entry(enabled=False)
 self.restore_keytab()
-self.reenroll_client(keytab=self.BACKUP_KEYTAB)
-sshfp_record_post = self.get_sshfp_record()
-assert sshfp_record_pre == sshfp_record_post
-
-def test_reenroll_with_both_force_join_and_keytab(self, client):
-"""
-Client re-enrollment using both --force-join and --keytab options
-"""
-self.backup_keytab()
-sshfp_record_pre = self.get_sshfp_record()
-self.restore_client()
-self.check_client_host_entry()
-self.restore_keytab()
-self.reenroll_client(force_join=True, keytab=self.BACKUP_KEYTAB)
-sshfp_record_post = self.get_sshfp_record()
-assert sshfp_record_pre == sshfp_record_post
-
-def test_reenroll_to_replica(self, client):
-"""
-Client re-enrollment using keytab, to a replica
-"""
-self.backup_keytab()
-sshfp_record_pre = self.get_sshfp_record()
-self.restore_client()
-self.check_client_host_entry()
-self.restore_keytab()
-self.reenroll_client(keytab=self.BACKUP_KEYTAB, to_replica=True)
-sshfp_record_post = self.get_sshfp_record()
-  
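
Review bot: in test_reenroll_with_keytab the docstring now says the old keytab should be invalid, but in the part of the hunk shown the reenroll_client(keytab=self.BACKUP_KEYTAB) call is removed and nothing after restore_keytab() asserts that enrollment with the old keytab is rejected. If rejection is the expectation, assert it, for example with reenroll_client(keytab=self.BACKUP_KEYTAB, expect_fail=True) as other tests in this file do, and state the reason in one sentence in the docstring rather than only pointing at the ticket URL.
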

Re: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964

2016-07-08 Thread Oleg Fayans

Hi Martin,

Thanks for the review!

On 07/08/2016 02:18 PM, Martin Basti wrote:



On 27.06.2016 13:53, Oleg Fayans wrote:

Hi guys,

Is there a chance the patches NN 0047.1 and 0048.1 get reviewed before
4.4 release? They cover a good part of the Managed Topology 4.4 feature.

On 06/17/2016 11:18 AM, Oleg Fayans wrote:

One more test was added to the patch-0048

On 06/17/2016 09:43 AM, Oleg Fayans wrote:

Fixed a bug in the previous patch, automated 2 more testcases from
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan


On 06/16/2016 04:46 PM, Oleg Fayans wrote:










IIUC, this will turn off the machine completely, how is cleanup done
then.  AFAIK our tests cannot turn on machine again and run cleanup, so
you will not be able to run more tests on the same topology without
manual cleanup and manual start.

+replica = self.replicas[0]
+replica.run_command(['poweroff'])

IMO would be better to just call 'ipactl stop' instead of 'poweroff'


Agreed! Fixed.



Martin^2



--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 06cfa465895851c0f41d581ea43e345ef07b54c3 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 17 Jun 2016 11:17:05 +0200
Subject: [PATCH] Automated ipa-replica-manage del tests

---
 ipatests/test_integration/test_topology.py | 74 ++
 1 file changed, 74 insertions(+)

diff --git a/ipatests/test_integration/test_topology.py b/ipatests/test_integration/test_topology.py
index 7a7bbfa579731410d147791d73a9e07b0fd1b271..b5deb8b9e1bb713fe6642de1de89656ac1be8605 100644
--- a/ipatests/test_integration/test_topology.py
+++ b/ipatests/test_integration/test_topology.py
@@ -5,6 +5,7 @@
 import re
 
 import pytest
+import time
 
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.test_integration import tasks
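
Review bot: import time is added below import pytest, in the third-party group; it belongs with import re in the standard-library block above.
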
@@ -207,3 +208,76 @@ class TestCASpecificRUVs(IntegrationTest):
   raiseonerr=False)
 assert(result6.returncode > 0), (
 'Replication still works after all RUVs were deleted')
+
+
+class TestReplicaManageDel(IntegrationTest):
+domain_level = 0
+topology = 'star'
+num_replicas = 3
+
+def test_replica_managed_del_domlevel0(self):
+"""
+http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/
+Test_Plan#Test_case:_ipa-replica-manage_del_with_turned_off_replica
+_under_domain_level_0_keeps_ca-related_RUVs
+"""
+master = self.master
+replica = self.replicas[0]
+replica.run_command(['ipactl', 'stop'])
+time.sleep(3)
+master.run_command(['ipa-replica-manage', 'del', '-f', '-p',
+master.config.dirman_password, replica.hostname])
+result = master.run_command(['ipa-replica-manage', 'list-ruv',
+ '-p', master.config.dirman_password])
+num_ruvs = result.stdout_text.count(replica.hostname)
+assert(num_ruvs == 1), ("Expected to find 1 replica's RUV, found %s" %
+num_ruvs)
+ruvid_re = re.compile(".*%s:389: (\d+).*" % replica.hostname)
+replica_ruvs = ruvid_re.findall(result.stdout_text)
+master.run_command(['ipa-replica-manage', 'clean-ruv', 'f',
+'-p', master.config.dirman_password,
+replica_ruvs[0]])
+result2 = master.run_command(['ipa-replica-manage', 'list-ruv',
+  '-p', master.config.dirman_password])
+assert(replica.hostname not in result2.stdout_text), (
+"Replica's RUV was not properly removed")
+
+def test_clean_dangling_ruv_multi_ca(self):
+"""
+http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/
+Test_Plan#Test_case:_ipa-replica-manage_clean-dangling-ruv_in_a
+_multi-CA_setup
+"""
+master = self.master
+replica = self.replicas[1]
+replica.run_command(['ipa-server-install', '--uninstall', '-U'])
+master.run_command(['ipa-replica-manage', 'del', '-f', '-p',
+master.config.dirman_password, replica.hostname])
+result1 = master.run_command(['ipa-replica-manage', 'list-ruv', '-p',
+  master.config.dirman_password])
+assert(replica.hostname in result1.stdout_text), (
+"Replica's RUV should not be removed under domain level 0")
+master.run_command(['ipa-replica-manage', 'clean-dangling-ruv', '-p',
+master.config.dirman_password])
+result2 = master.run_command(['ipa-replica-manage', 'list-ruv', '-p',
+  master.config.dirman_password])
+assert(replica.hostname not in result2.stdout_text), (
+&
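
Review bot: in test_replica_managed_del_domlevel0 the clean-ruv call passes 'f' rather than '-f' (compare 'del', '-f' a few lines earlier), so ipa-replica-manage gets a stray positional argument instead of the force flag. In the same test replica_ruvs[0] is indexed without checking that ruvid_re matched anything, which turns a parsing miss into an IndexError rather than a readable assertion; the pattern should be a raw string with replica.hostname passed through re.escape(). The fixed time.sleep(3) after ipactl stop is a guess and would be better replaced by waiting on a condition.
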

Re: [Freeipa-devel] [Test][patch-0053] Forced-client-reenrollment test fixed.

2016-07-07 Thread Oleg Fayans
Updated version of the patch is attached with the failing tests marked 
as xfailed (let's make the jenkins green).


On 07/04/2016 10:50 PM, Oleg Fayans wrote:

2 out of 7 tests currently fail due to a known issue [1], others pass.

[1] https://fedorahosted.org/freeipa/ticket/6029






--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 7234a38fb99220ad9629c8fc84c40c23d8d5a263 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Thu, 7 Jul 2016 08:07:38 +0200
Subject: [PATCH] Updated forced_client_reenrollment test

With current implementation the client host record stays in master's
ldap after client uninstallation in a common way so there is no need to dance
around with turning iptables on and off.
Also, in some environments neither A nor SSHFP records get created for
the client, it is more robust to check for host sshfp using host-find command
---
 .../test_forced_client_reenrollment.py | 100 +++--
 1 file changed, 32 insertions(+), 68 deletions(-)

diff --git a/ipatests/test_integration/test_forced_client_reenrollment.py b/ipatests/test_integration/test_forced_client_reenrollment.py
index d430a98e74450f44eac286ac0ad35a5aee7cc602..b4b2e987b56b821533d4273ce804f7dfd184ea38 100644
--- a/ipatests/test_integration/test_forced_client_reenrollment.py
+++ b/ipatests/test_integration/test_forced_client_reenrollment.py
@@ -17,6 +17,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import os
+import re
 import subprocess
 from ipaplatform.paths import paths
 import pytest
@@ -50,46 +51,52 @@ class TestForcedClientReenrollment(IntegrationTest):
 Client re-enrollment using admin credentials (--force-join)
 """
 sshfp_record_pre = self.get_sshfp_record()
-self.restore_client()
-self.check_client_host_entry()
+self.uninstall_client()
+self.check_client_host_entry(enabled=False)
 self.reenroll_client(force_join=True)
 sshfp_record_post = self.get_sshfp_record()
 assert sshfp_record_pre == sshfp_record_post
 
+@pytest.mark.xfail(strict=True,
+   reason='https://fedorahosted.org/freeipa/ticket/6029')
 def test_reenroll_with_keytab(self, client):
 """
 Client re-enrollment using keytab
 """
 self.backup_keytab()
 sshfp_record_pre = self.get_sshfp_record()
-self.restore_client()
-self.check_client_host_entry()
+self.uninstall_client()
+self.check_client_host_entry(enabled=False)
 self.restore_keytab()
 self.reenroll_client(keytab=self.BACKUP_KEYTAB)
 sshfp_record_post = self.get_sshfp_record()
 assert sshfp_record_pre == sshfp_record_post
 
+@pytest.mark.xfail(strict=True,
+   reason='https://fedorahosted.org/freeipa/ticket/6029')
 def test_reenroll_with_both_force_join_and_keytab(self, client):
 """
 Client re-enrollment using both --force-join and --keytab options
 """
 self.backup_keytab()
 sshfp_record_pre = self.get_sshfp_record()
-self.restore_client()
-self.check_client_host_entry()
+self.uninstall_client()
+self.check_client_host_entry(enabled=False)
 self.restore_keytab()
 self.reenroll_client(force_join=True, keytab=self.BACKUP_KEYTAB)
 sshfp_record_post = self.get_sshfp_record()
 assert sshfp_record_pre == sshfp_record_post
 
+@pytest.mark.xfail(strict=True,
+   reason='https://fedorahosted.org/freeipa/ticket/6029')
 def test_reenroll_to_replica(self, client):
 """
 Client re-enrollment using keytab, to a replica
 """
 self.backup_keytab()
 sshfp_record_pre = self.get_sshfp_record()
-self.restore_client()
-self.check_client_host_entry()
+self.uninstall_client()
+self.check_client_host_entry(enabled=False)
 self.restore_keytab()
 self.reenroll_client(keytab=self.BACKUP_KEYTAB, to_replica=True)
 sshfp_record_post = self.get_sshfp_record()
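
Review bot: the three xfail(strict=True) marks cover the whole test body, so a failure in backup_keytab(), uninstall_client() or the new check_client_host_entry(enabled=False) is also reported as the expected failure for ticket 6029 and hides unrelated regressions. Narrow the marks with the raises= argument so that only the re-enrollment error counts, and put a short description in reason next to the URL.
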
@@ -101,7 +108,7 @@ class TestForcedClientReenrollment(IntegrationTest):
 """
 self.backup_keytab()
 self.disable_client_host_entry()
-self.restore_client()
+self.uninstall_client()
 self.check_client_host_entry(enabled=False)
 self.restore_keytab()
 self.reenroll_client(keytab=self.BACKUP_KEYTAB, expect_fail=True)
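
Review bot: with restore_client() replaced by uninstall_client(), this test (disable_client_host_entry, uninstall_client, check enabled=False, reenroll with expect_fail=True) differs from the one in the next hunk only by the explicit disable call, while the other hunks check enabled=False straight after uninstall_client() with no disable step. If uninstall already leaves the host entry disabled, the two tests now cover the same case; drop one, or say in the docstring what the explicit disable adds.
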
@@ -112,7 +119,6 @@ class TestForcedClientReenrollment(IntegrationTest):
 """
 self.backup_keytab()
 self.uninstall_client()
-self.restore_client()
 self.check_client_host_entry(enabled=False)
 self

[Freeipa-devel] [Test][patch-0053] Forced-client-reenrollment test fixed.

2016-07-04 Thread Oleg Fayans

2 out of 7 tests currently fail due to a known issue [1], others pass.

[1] https://fedorahosted.org/freeipa/ticket/6029


--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From b19ef400462c722976aea5d2eb853315af1e1099 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Mon, 4 Jul 2016 22:47:05 +0200
Subject: [PATCH] Updated forced_client_reenrollment test

With current implementation the client host record stays in master's
ldap after client uninstallation in a common way so there is no need to dance
around with turning iptables on and off.
Also, in some environments neither A nor SSHFP records get created for
the client, it is more robust to check for host sshfp using host-find command
---
 .../test_forced_client_reenrollment.py | 94 ++
 1 file changed, 26 insertions(+), 68 deletions(-)

diff --git a/ipatests/test_integration/test_forced_client_reenrollment.py b/ipatests/test_integration/test_forced_client_reenrollment.py
index d430a98e74450f44eac286ac0ad35a5aee7cc602..d0ad51bb1b5ff8854e17eb5a3060ce957ff65fbf 100644
--- a/ipatests/test_integration/test_forced_client_reenrollment.py
+++ b/ipatests/test_integration/test_forced_client_reenrollment.py
@@ -17,6 +17,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import os
+import re
 import subprocess
 from ipaplatform.paths import paths
 import pytest
@@ -50,8 +51,8 @@ class TestForcedClientReenrollment(IntegrationTest):
 Client re-enrollment using admin credentials (--force-join)
 """
 sshfp_record_pre = self.get_sshfp_record()
-self.restore_client()
-self.check_client_host_entry()
+self.uninstall_client()
+self.check_client_host_entry(enabled=False)
 self.reenroll_client(force_join=True)
 sshfp_record_post = self.get_sshfp_record()
 assert sshfp_record_pre == sshfp_record_post
@@ -62,8 +63,8 @@ class TestForcedClientReenrollment(IntegrationTest):
 """
 self.backup_keytab()
 sshfp_record_pre = self.get_sshfp_record()
-self.restore_client()
-self.check_client_host_entry()
+self.uninstall_client()
+self.check_client_host_entry(enabled=False)
 self.restore_keytab()
 self.reenroll_client(keytab=self.BACKUP_KEYTAB)
 sshfp_record_post = self.get_sshfp_record()
@@ -75,8 +76,8 @@ class TestForcedClientReenrollment(IntegrationTest):
 """
 self.backup_keytab()
 sshfp_record_pre = self.get_sshfp_record()
-self.restore_client()
-self.check_client_host_entry()
+self.uninstall_client()
+self.check_client_host_entry(enabled=False)
 self.restore_keytab()
 self.reenroll_client(force_join=True, keytab=self.BACKUP_KEYTAB)
 sshfp_record_post = self.get_sshfp_record()
@@ -88,8 +89,8 @@ class TestForcedClientReenrollment(IntegrationTest):
 """
 self.backup_keytab()
 sshfp_record_pre = self.get_sshfp_record()
-self.restore_client()
-self.check_client_host_entry()
+self.uninstall_client()
+self.check_client_host_entry(enabled=False)
 self.restore_keytab()
 self.reenroll_client(keytab=self.BACKUP_KEYTAB, to_replica=True)
 sshfp_record_post = self.get_sshfp_record()
@@ -101,7 +102,7 @@ class TestForcedClientReenrollment(IntegrationTest):
 """
 self.backup_keytab()
 self.disable_client_host_entry()
-self.restore_client()
+self.uninstall_client()
 self.check_client_host_entry(enabled=False)
 self.restore_keytab()
 self.reenroll_client(keytab=self.BACKUP_KEYTAB, expect_fail=True)
@@ -112,7 +113,6 @@ class TestForcedClientReenrollment(IntegrationTest):
 """
 self.backup_keytab()
 self.uninstall_client()
-self.restore_client()
 self.check_client_host_entry(enabled=False)
 self.restore_keytab()
 self.reenroll_client(keytab=self.BACKUP_KEYTAB, expect_fail=True)
@@ -123,7 +123,7 @@ class TestForcedClientReenrollment(IntegrationTest):
 """
 self.backup_keytab()
 self.delete_client_host_entry()
-self.restore_client()
+self.uninstall_client()
 self.check_client_host_entry(not_found=True)
 self.restore_keytab()
 self.reenroll_client(keytab=self.BACKUP_KEYTAB, expect_fail=True)
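
Review bot: uninstall_client() now runs after delete_client_host_entry(), that is, against a master that no longer has the host entry. Confirm that the helper tolerates a failing unenroll step (raiseonerr=False or equivalent); otherwise the test stops in uninstall_client() and never reaches check_client_host_entry(not_found=True).
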
@@ -136,45 +136,16 @@ class TestForcedClientReenrollment(IntegrationTest):
 self.clients[0].config.test_dir,
 'empty.keytab'
 )
-self.restore_client()
-self.check_client_host_entry()
+self.uninstall_client()
+self.check_client_host_entry(enabled=False)
 self.clients[0]

Re: [Freeipa-devel] [Test][patch-0052] Test for incorrect client domain

2016-07-01 Thread Oleg Fayans
Hi Martin,

Thanks for the review. The updated patch is attached

On 07/01/2016 04:09 PM, Martin Basti wrote:
> 
> 
> On 01.07.2016 14:38, Oleg Fayans wrote:
>> Hi Martin. Now I have this client installation thing sorted out. The
>> test works as expected
>>
>> On 06/30/2016 02:57 PM, Martin Basti wrote:
>>>
>>> On 30.06.2016 14:40, Oleg Fayans wrote:
>>>> Hi Martin,
>>>>
>>>> Attached is a new version of the patch with two test cases separated.
>>>>
>>>> On 06/29/2016 12:23 PM, Martin Basti wrote:
>>>>> On 29.06.2016 10:56, Oleg Fayans wrote:
>>>>> Hello,
>>>>>
>>>>> +assert_error(result,
>>>>> + "Failed to verify that %s is an IPA Server" %
>>>>> + self.master.hostname)
>>>>>
>>>>>
>>>>> I would expect this error there:
>>>>>
>>>>> "Cannot promote this client to a replica. Local domain '{local}' does
>>>>> not match IPA domain '{ipadomain}'. "
>>>> Right, that's what this ticket is about:
>>>> https://fedorahosted.org/freeipa/ticket/6006
>>>>
>>>> Once these changes are implemented, we can update this test
>>> Wat?
>>>
>>> You get exactly the right message from ipa-replica-install, tested,
>>> reviewed by several people.
>>>>> You should not use random REALM, in this case you don't test
>>>>> domains but
>>>>> realms. You can leave the test with incorrect realm there, but as
>>>>> separated testcase
>>>> Oh, ok. But it does not seem possible to setup client providing only
>>>> --realm without --domain: installer would not do it.
>>>>
>>> Try to read again: "should not use *random* REALM". Nothing prevents you
>>> to use, --realm=TEST.REALM --domain=random-blah-domain
>>>>> Martin^2
>>>>>
>>>>>
>>>>
>>> NACK
>>>
>>> +domain_name = 'exxample.test'
>>> +realm_name = domain_name.upper()
>>>
>>> you still use random realm name, and you still don't test
>>> ipa-replica-install, that ticket has nothing related to domain in
>>> ipa-client-install, it is related to replica promotion
>>>
>>> Martin^2
> 
> I have a few comments:
> 
> 1)
> This is unused and should not be there
> +realm_name = domain_name.upper()
Done
> 
> 2)
> teardown_method
> shouldn't be more robust, what happens if client uninstall raises an error?

Agree. Done

> 
> 3) in both tests
> +'-w', self.master.config.dirman_password,
> 
> -w means admin password (ipa-client-install --help), so you should use
> admin not directory manager password

Fixed

> 
> 4)
> +result = client.run_command(['ipa-client-install', '-U',
> '--domain',
> + self.master.domain.realm, '-w',
> 
> did you mean:  '--domain', self.master.domain.name.upper()
Yes. Fixed.

> 

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 28740cad2c6a1a8da80617579db1983bb35114d4 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 1 Jul 2016 16:52:22 +0200
Subject: [PATCH] Test for incorrect client domain

https://fedorahosted.org/freeipa/ticket/5976
---
 .../test_integration/test_replica_promotion.py | 52 ++
 1 file changed, 52 insertions(+)

diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 1f683b6d5c067ec526b307eea1460cafbadb80cb..7bc1d5281880221578df3c269a3d7715777bb8e0 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -377,3 +377,55 @@ class TestOldReplicaWorksAfterDomainUpgrade(IntegrationTest):
 result1 = self.master.run_command(['ipa', 'user-show', self.username],
   raiseonerr=False)
 assert_error(result1, "%s: user not found" % self.username, 2)
+
+
+class TestWrongClientDomain(IntegrationTest):
+topology = "star"
+num_clients = 1
+domain_name = 'exxample.test'
+
+@classmethod
+def install(cls, mh):
+tasks.install_master(cls.master, domain_level=cls.domain_level)
+
+def teardown_method(self, method):
+self.clients[0].run_command(['ipa-client-install',
+ '--uninstall', '-U'],
+raiseonerr=
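
Review bot: install() is overridden to install only the master, so topology = "star" appears to have no effect in TestWrongClientDomain and should be dropped or explained. domain_name = 'exxample.test' reads like a typo; add a comment that it is a deliberately wrong domain so nobody "fixes" it later.
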

Re: [Freeipa-devel] [Test][patch-0052] Test for incorrect client domain

2016-07-01 Thread Oleg Fayans
Hi Martin. Now I have this client installation thing sorted out. The
test works as expected

On 06/30/2016 02:57 PM, Martin Basti wrote:
> 
> 
> On 30.06.2016 14:40, Oleg Fayans wrote:
>> Hi Martin,
>>
>> Attached is a new version of the patch with two test cases separated.
>>
>> On 06/29/2016 12:23 PM, Martin Basti wrote:
>>>
>>> On 29.06.2016 10:56, Oleg Fayans wrote:
>>>>
>>> Hello,
>>>
>>> +assert_error(result,
>>> + "Failed to verify that %s is an IPA Server" %
>>> + self.master.hostname)
>>>
>>>
>>> I would expect this error there:
>>>
>>> "Cannot promote this client to a replica. Local domain '{local}' does
>>> not match IPA domain '{ipadomain}'. "
>> Right, that's what this ticket is about:
>> https://fedorahosted.org/freeipa/ticket/6006
>>
>> Once these changes are implemented, we can update this test
> 
> Wat?
> 
> You get exactly the right message from ipa-replica-install, tested,
> reviewed by several people.
>>
>>> You should not use random REALM, in this case you don't test domains but
>>> realms. You can leave the test with incorrect realm there, but as
>>> separated testcase
>> Oh, ok. But it does not seem possible to set up a client providing only
>> --realm without --domain: installer would not do it.
>>
> 
> Try to read again: "should not use *random* REALM". Nothing prevents you
> from using --realm=TEST.REALM --domain=random-blah-domain
>>
>>> Martin^2
>>>
>>>
>>
>>
> 
> NACK
> 
> +domain_name = 'exxample.test'
> +realm_name = domain_name.upper()
> 
> you still use random realm name, and you still don't test
> ipa-replica-install, that ticket has nothing related to domain in
> ipa-client-install, it is related to replica promotion
> 
> Martin^2

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 056105d13fda655469d7a9c8ca2526a09ae31373 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 1 Jul 2016 14:33:06 +0200
Subject: [PATCH] Test for incorrect client domain

https://fedorahosted.org/freeipa/ticket/5976
---
 .../test_integration/test_replica_promotion.py | 50 ++
 1 file changed, 50 insertions(+)

diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 1f683b6d5c067ec526b307eea1460cafbadb80cb..1d72d08120a874eb93976d48b8b062bc28d64a0a 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -377,3 +377,53 @@ class TestOldReplicaWorksAfterDomainUpgrade(IntegrationTest):
 result1 = self.master.run_command(['ipa', 'user-show', self.username],
   raiseonerr=False)
 assert_error(result1, "%s: user not found" % self.username, 2)
+
+
+class TestWrongClientDomain(IntegrationTest):
+topology = "star"
+num_clients = 1
+domain_name = 'exxample.test'
+realm_name = domain_name.upper()
+
+@classmethod
+def install(cls, mh):
+tasks.install_master(cls.master, domain_level=cls.domain_level)
+
+def teardown_method(self, method):
+self.clients[0].run_command(['ipa-client-install',
+ '--uninstall', '-U'])
+tasks.kinit_admin(self.master)
+self.master.run_command(['ipa', 'host-del', self.clients[0].hostname])
+
+def test_wrong_client_domain(self):
+client = self.clients[0]
+client.run_command(['ipa-client-install', '-U',
+'--domain', self.domain_name,
+'--realm', self.master.domain.realm,
+'-p', 'admin',
+'-w', self.master.config.dirman_password,
+'--server', self.master.hostname,
+'--force-join'])
+result = client.run_command(['ipa-replica-install', '-U', '-w',
+ self.master.config.dirman_password],
+raiseonerr=False)
+assert_error(result,
+ "Cannot promote this client to a replica. Local domain "
+ "'%s' does not match IPA domain "
+ "'%s'" % (self.domain_name, self.master.domain.name))
+
+def test_upcase_client_domain(self):
+client = self.clients[0]
+result = client.run_command(['ipa-client-install', '-U', '--domain',
+ self.master.domain.realm, '-w',
+ 
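Review bot: in test_wrong_client_domain the first ipa-client-install passes '-p', 'admin' together with '-w', self.master.config.dirman_password; -w is the password of the principal given with -p, so this only works when the admin and Directory Manager passwords happen to be equal, and the admin password from the config should be used instead. teardown_method also runs ipa-client-install --uninstall without raiseonerr=False, so a test that fails before the client is enrolled raises again in teardown and hides the original failure.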

Re: [Freeipa-devel] [PATCH 0025][Tests] RFE: External trust

2016-06-30 Thread Oleg Fayans
Hi Lenka,

The changes in test_trust.py are fine.
As for tasks.py:
1. I'd rename sync_time_hostname to just sync_time and
2. I would start ntpd again in the same method: it's no good to keep
this thing in mind each time you call it.

Besides, I would split the changes into 2 patches: one for tasks.py and
other for test_trust.py


On 06/30/2016 03:47 PM, Lenka Doudova wrote:
> Hi,
> 
> attaching patch with some basic coverage for external trust feature. Bit
> more detailed info in commit message.
> 
> Since the feature requires me to run commands previously used only for
> forest root domains even for subdomains, I made some changes in
> ipatests/test_integration/tasks.py file, so that it would enable me to
> reuse existing function without copy-pasting them for one variable change.
> 
> 
> Lenka
> 
> 
> 

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [PATCH 0022][Tests] Prevent trust test failures cause by adding duplicate DNS forward zone

2016-06-30 Thread Oleg Fayans
hen DNS is set up properly. I would simply remove the
>>>>>>>>>> dnsforwardzone-add.
>>>>>>>>>>
>>>>>>>>> Grr, I meant this:
>>>>>>>>> Even more importantly, the forward zone is completely
>>>>>>>>> unnecessary when
>>>>>>>>> DNS is
>>>>>>>>> set up properly. I would simply remove the dnsforwardzone-add.
>>>>>>>>>
>>>>>>>> +1, our tests should not fiddle with the provisioned environment
>>>>>>>> as much as
>>>>>>>> they sometimes do.
>>>>>>>>
>>>>>>> Well, I have nothing against removing it completely, but left it
>>>>>>> there just
>>>>>>> because with previous AD machines with "wild" domains it was
>>>>>>> necessary.
>>>>>>> Looking at the code, your suggestion would probably mean to
>>>>>>> entirely remove
>>>>>>> method configure_dns_for_trust from
>>>>>>> ipatests/test_integration/tasks.py,
>>>>>>> right? I'll have to verify this won't break anything else.
>>>>>>>
>>>>>>> Lenka
>>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> to get back to this issue: do we really want to have the DNS
>>>>>> configuration
>>>>>> method removed? I mean, we no longer need it for our CI tests,
>>>>>> with new AD VMs
>>>>>> it works without it, but should somebody else with different setup
>>>>>> run these
>>>>>> tests, they could experience failures because their AD domain
>>>>>> would not be
>>>>>> configured in DNS by default and the test would no longer provide
>>>>>> that
>>>>>> configuration. It doesn't feel right to delete something we needed
>>>>>> before but
>>>>>> don't need anymore, in case somebody else is depending on the same
>>>>>> configuration. But of course, I'll abide by your counsel.
>>>>>> In case the call on DNS configuration method really is removed,
>>>>>> should I
>>>>>> remove even its definition? It's not used anywhere else, so it
>>>>>> would be quite
>>>>>> logical.
>>>>> Feel free to keep empty method around as a "hook" for other people.
>>>>> The
>>>>> important thing is that it should do nothing by default.
>>>>>
>>>> So leave the method call, but erase method contents and let it just
>>>> pass?
>>> Fine with me. (List re-added.)
>>>
>> Ah, sorry for doing the wrong reply.
>> Anyway, fixed patch attached. I decided to do as you suggested - the
>> original DNS configuring function is now empty, I modified the comment
>> to explain significance of this strange thing. I also changed patch
>> title to better reflect proposed changes.
>>
>> Lenka
>>
>>
> NACK the previous one, forgot PEP8. New patch attached.
> 
> Lenka

Functional ACK

> 
> 

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [PATCH 0024][Tests] Fix integration tests not to produce incorrect /etc/hosts file

2016-06-29 Thread Oleg Fayans
In fact, I believe /etc/hosts file should not be touched at all.
Hostname resolution is usually governed by the DNS system of the lab in
which tests are running. We do not modify it when we perform tests
manually, so I'd rather remove this method at all.

On 06/29/2016 06:27 PM, Lenka Doudova wrote:
> Hi all,
> 
> a function 'fix_etc_hosts' in ipatests/test_integration/tasks.py
> produces incorrect /etc/hosts file (solitary IPv6 address), and
> currently parser is not able to resolve the issue, causing
> ipa-server-install to fail with 'list index out of range' error.
> 
> Hence I'm attaching patch to fix this issue before parser is fixed
> (related ticket to it #6014). The fix is just change of regexs
> responsible for creating incorrect file so that all the lines containing
> defined hostname are removed, not just specific IP/hostname/shortname
> strings.
> 
> 
> Lenka
> 
> 
> 

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
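
The /etc/hosts failure described in the quoted message above, as an added example that is not part of the thread or of FreeIPA's tasks.py: removing only the address and name strings leaves an address-only line behind, while dropping every line that names the host does not. The function names, the sample file and the token-level shape of the old cleanup are assumptions made for illustration.

```python
import re

# Constructed sample: the master has both an IPv4 and an IPv6 entry.
SAMPLE_HOSTS = """\
127.0.0.1   localhost localhost.localdomain
::1         localhost localhost.localdomain
192.0.2.10  master.ipa.test master
2001:db8::10 master.ipa.test master
192.0.2.20  replica.ipa.test replica
"""


def strip_tokens(contents, ip, hostname, shortname):
    """Token-level cleanup (assumed shape of the old behaviour).

    Deletes the known IP and the host's names wherever they appear as
    whole tokens, but keeps the rest of each line.
    """
    for token in (ip, hostname, shortname):
        pattern = r'(?<![\w.:-])%s(?![\w.:-])' % re.escape(token)
        contents = re.sub(pattern, '', contents)
    return contents


def drop_host_lines(contents, hostname, shortname):
    """Line-level cleanup: drop every entry that names the host.

    The address column is ignored, so entries for addresses the caller
    does not know about (here the IPv6 one) are removed as well.
    """
    names = {hostname.lower(), shortname.lower()}
    kept = []
    for line in contents.splitlines():
        fields = line.split('#', 1)[0].split()
        if len(fields) >= 2 and names & {f.lower() for f in fields[1:]}:
            continue
        kept.append(line)
    return '\n'.join(kept) + '\n'


def address_only_lines(contents):
    """Return addresses left on a line with no host name after them."""
    bad = []
    for line in contents.splitlines():
        fields = line.split('#', 1)[0].split()
        if len(fields) == 1:
            bad.append(fields[0])
    return bad


if __name__ == '__main__':
    old = strip_tokens(SAMPLE_HOSTS, '192.0.2.10', 'master.ipa.test', 'master')
    new = drop_host_lines(SAMPLE_HOSTS, 'master.ipa.test', 'master')
    print('token-level leftovers:', address_only_lines(old))
    print('line-level leftovers: ', address_only_lines(new))
```
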



[Freeipa-devel] [Test][patch-0052] Test for incorrect client domain

2016-06-29 Thread Oleg Fayans

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 6fe2f67807a2cd3d9519c1c919c884dd18867f74 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Wed, 29 Jun 2016 10:53:44 +0200
Subject: [PATCH] Test for incorrect client domain

https://fedorahosted.org/freeipa/ticket/5976
---
 .../test_integration/test_replica_promotion.py | 30 ++
 1 file changed, 30 insertions(+)

diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 1f683b6d5c067ec526b307eea1460cafbadb80cb..e0d198b2385e443c79e6d3f5f6ecd0b564155e7b 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -377,3 +377,33 @@ class TestOldReplicaWorksAfterDomainUpgrade(IntegrationTest):
 result1 = self.master.run_command(['ipa', 'user-show', self.username],
   raiseonerr=False)
 assert_error(result1, "%s: user not found" % self.username, 2)
+
+
+class TestWrongClientDomain(IntegrationTest):
+topology = "star"
+num_clients = 1
+domain_name = 'exxample.test'
+realm_name = domain_name.upper()
+
+@classmethod
+def install(cls, mh):
+tasks.install_master(cls.master, domain_level=cls.domain_level)
+
+def test_wrong_client_domain(self):
+client = self.clients[0]
+result = client.run_command(['ipa-client-install', '-U',
+ '--domain', self.domain_name,
+ '--realm', self.realm_name,
+ '-w', self.master.config.dirman_password,
+ '--server', self.master.hostname],
+raiseonerr=False)
+assert_error(result,
+ "Failed to verify that %s is an IPA Server" %
+ self.master.hostname)
+result1 = client.run_command(['ipa-client-install', '-U', '--domain',
+  self.master.domain.realm, '-w',
+  self.master.config.dirman_password,
+  '--server', self.master.hostname],
+ raiseonerr=False)
+assert(result1.returncode == 0), (
+'Failed to setup client with the upcase domain name')
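Review bot: test_wrong_client_domain runs two independent scenarios in one method, the rejected mismatched domain and the accepted upper-case domain, so a failure in the first hides the second; split them into separate tests. The second ipa-client-install is expected to succeed and nothing in the class uninstalls the client afterwards, so add a teardown that runs ipa-client-install --uninstall.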
-- 
1.8.3.1


[Freeipa-devel] [Test][Patch-0051] Fixed import error in replica promotion test

2016-06-28 Thread Oleg Fayans

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 0268535dcc8426667f5742a05f4554f8ff9bd031 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Tue, 28 Jun 2016 16:00:08 +0200
Subject: [PATCH] Fixed import error

---
 ipatests/test_integration/test_replica_promotion.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 1f683b6d5c067ec526b307eea1460cafbadb80cb..2acd63b2c2e2c958478136f1cdfd5040c2052e15 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -4,7 +4,7 @@
 
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.test_integration import tasks
-from ipatests.test_integration.test_caless import assert_error
+from ipatests.test_integration.tasks import assert_error
 from ipalib.constants import DOMAIN_LEVEL_0
 from ipalib.constants import DOMAIN_LEVEL_1
 from ipalib.constants import DOMAIN_SUFFIX_NAME
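Review bot: the commit message 'Fixed import error' has no body, so it does not record which error was hit or which change moved assert_error out of test_caless. Since tasks is already imported on the line above the changed import, calling tasks.assert_error directly would avoid the extra from-import altogether.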
-- 
1.8.3.1


Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-06-28 Thread Oleg Fayans
Patch-0050 rebased against latest upstream branch

On 06/28/2016 10:45 AM, Oleg Fayans wrote:
> Passing test output:
> 
> https://paste.fedoraproject.org/385774/71035231/
> 
> 
> 

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From f032df3a1d58e200d0f8bf8dbc121e5f03eb041e Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Tue, 28 Jun 2016 10:16:06 +0200
Subject: [PATCH] Automated test for certs in idoverrides feature

https://fedorahosted.org/freeipa/ticket/6005
---
 .../test_integration/test_certs_in_idoverrides.py  | 85 ++
 1 file changed, 85 insertions(+)
 create mode 100644 ipatests/test_integration/test_certs_in_idoverrides.py

diff --git a/ipatests/test_integration/test_certs_in_idoverrides.py b/ipatests/test_integration/test_certs_in_idoverrides.py
new file mode 100644
index ..a6b5a60ad5c171ef9fb35848d81a637df979ccaf
--- /dev/null
+++ b/ipatests/test_integration/test_certs_in_idoverrides.py
@@ -0,0 +1,85 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+import os
+import re
+from ipatests.test_integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration.tasks import assert_error
+
+
+class TestCertsInIDOverrides(IntegrationTest):
+topology = "line"
+service_certprofile = 'caIPAserviceCert'
+user_certprofile = 'caIPAuserCert'
+user = 'testuser'
+user_cn = "CN=%s" % user
+idview = 'MyView'
+cert_re = re.compile('Certificate: (?P.*?)\\s+.*')
+
+@classmethod
+def install(cls, mh):
+super(TestCertsInIDOverrides, cls).install(mh)
+master = cls.master
+master.run_command(['ipa', 'certprofile-show', cls.service_certprofile,
+"--out=%s.txt" % cls.user_certprofile])
+master.run_command("sed -i \"s/profileId=%s/profileId=%s/\" %s.txt" % (
+cls.service_certprofile, cls.user_certprofile,
+cls.user_certprofile)
+)
+master.run_command(['ipa', 'certprofile-import', cls.user_certprofile,
+"--file=%s.txt" % cls.user_certprofile,
+'--store=true', '--desc="User Certs"'])
+
+master.run_command(['ipa', 'idview-add', cls.idview,
+'--desc=description'])
+
+cls.reqdir = os.path.join(master.config.test_dir, "certs")
+cls.reqfile1 = os.path.join(cls.reqdir, "test1.csr")
+cls.reqfile2 = os.path.join(cls.reqdir, "test2.csr")
+cls.pwname = os.path.join(cls.reqdir, "pwd")
+
+# Create an empty password file
+master.run_command(['mkdir', cls.reqdir])
+# Create an empty password file
+master.run_command(["touch", cls.pwname])
+
+# Create our temporary NSS database
+tasks.run_certutil(master, ["-N", "-f", cls.pwname], cls.reqdir)
+tasks.generate_csr(master, cls.user_cn, cls.reqdir,
+   cls.reqfile1, cls.pwname)
+tasks.generate_csr(master, cls.user_cn, cls.reqdir,
+   cls.reqfile2, cls.pwname)
+master.run_command(['ipa', 'user-add', cls.user,
+'--first', 'a', '--last', 'b', '--random'])
+
+def test_certs_in_idoverrides(self):
+self.master.run_command(['ipa', 'idoverrideuser-add',
+ self.idview, self.user])
+result1 = self.master.run_command([
+'ipa', 'cert-request', self.reqfile1,
+"--principal=%s" % self.user, '--add',
+"--profile-id=%s" % self.user_certprofile])
+cert1 = self.cert_re.search(result1.stdout_text).group('cert')
+result2 = self.master.run_command([
+'ipa', 'cert-request', self.reqfile2,
+"--principal=%s" % self.user, '--add',
+"--profile-id=%s" % self.user_certprofile])
+cert2 = self.cert_re.search(result2.stdout_text).group('cert')
+
+args1 = ['ipa', 'idoverrideuser-add-cert', self.idview,
+ self.user, "--certificate=%s" % cert1]
+args2 = ['ipa', 'idoverrideuser-add-cert', self.idview,
+ self.user, "--certificate=%s" % cert2]
+self.master.run_command(args1)
+result3 = self.master.run_command(args1, raiseonerr=False)
+assert_error(result3, "already contains one or more values")
+result4 = self.master.run_command(args2, raiseonerr=False)
+assert(result4.returncode == 0), 'Failed to add second certificate'
+self.master.run_command(['ipa', 'idoverrideuser-remove-cert',
+ self.idview, self.user,
+ "--certifi
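
Review bot: cert_re is written as 'Certificate: (?P.*?)\\s+.*', which is not a valid named group, while test_certs_in_idoverrides reads .group('cert'); the pattern needs the group name spelled out. Both cert_re.search(...).group('cert') calls also skip the check for a failed match, so unexpected cert-request output surfaces as an AttributeError instead of a clear assertion. In install(), the comment '# Create an empty password file' appears twice; the first copy sits above mkdir and should describe creating the request directory.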

[Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

2016-06-28 Thread Oleg Fayans
Passing test output:

https://paste.fedoraproject.org/385774/71035231/

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 7bc97eb762c951a8bc3762d8bd23da4ee06a6edb Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Tue, 28 Jun 2016 10:33:13 +0200
Subject: [PATCH] Added methods to manipulate certs

---
 ipatests/test_integration/tasks.py | 15 +++
 1 file changed, 15 insertions(+)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index 38218fa709c2c220d5fea98a092b55e995d48d77..41b44ae8389510ec0ec9c8c1c4c5a9ee21e81ae4 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -1209,3 +1209,18 @@ def assert_error(result, stderr_text, returncode=None):
 assert result.returncode == returncode
 else:
 assert result.returncode > 0
+
+
+def run_certutil(host, args, reqdir, stdin=None):
+new_args = [paths.CERTUTIL, "-d", reqdir]
+new_args = new_args + args
+return host.run_command(new_args, raiseonerr=False,
+stdin_text=stdin)
+
+
+def generate_csr(host, subject, reqdir, reqfile, pwname):
+args = ["-R", "-s", subject, "-o", reqfile,
+"-z", paths.GROUP, "-f", pwname, "-a"]
+result = run_certutil(host, args, reqdir)
+host.run_command(['cat', reqfile], raiseonerr=False)
+return result.stdout_text
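Review bot: run_certutil always passes raiseonerr=False and generate_csr never looks at result.returncode, so a failed certutil call passes silently and the caller only finds out when the CSR file is missing. generate_csr also runs 'cat reqfile' and throws the output away, then returns the stdout of a certutil call that was told to write to '-o reqfile'; either return the cat output or drop that call. Both helpers need docstrings saying what reqdir and pwname are.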
-- 
1.8.3.1

From f032df3a1d58e200d0f8bf8dbc121e5f03eb041e Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Tue, 28 Jun 2016 10:16:06 +0200
Subject: [PATCH] Automated test for certs in idoverrides feature

https://fedorahosted.org/freeipa/ticket/6005
---
 .../test_integration/test_certs_in_idoverrides.py  | 85 ++
 1 file changed, 85 insertions(+)
 create mode 100644 ipatests/test_integration/test_certs_in_idoverrides.py

diff --git a/ipatests/test_integration/test_certs_in_idoverrides.py b/ipatests/test_integration/test_certs_in_idoverrides.py
new file mode 100644
index ..a6b5a60ad5c171ef9fb35848d81a637df979ccaf
--- /dev/null
+++ b/ipatests/test_integration/test_certs_in_idoverrides.py
@@ -0,0 +1,85 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+import os
+import re
+from ipatests.test_integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration.test_caless import assert_error
+
+
+class TestCertsInIDOverrides(IntegrationTest):
+topology = "line"
+service_certprofile = 'caIPAserviceCert'
+user_certprofile = 'caIPAuserCert'
+user = 'testuser'
+user_cn = "CN=%s" % user
+idview = 'MyView'
+cert_re = re.compile('Certificate: (?P.*?)\\s+.*')
+
+@classmethod
+def install(cls, mh):
+super(TestCertsInIDOverrides, cls).install(mh)
+master = cls.master
+master.run_command(['ipa', 'certprofile-show', cls.service_certprofile,
+"--out=%s.txt" % cls.user_certprofile])
+master.run_command("sed -i \"s/profileId=%s/profileId=%s/\" %s.txt" % (
+cls.service_certprofile, cls.user_certprofile,
+cls.user_certprofile)
+)
+master.run_command(['ipa', 'certprofile-import', cls.user_certprofile,
+"--file=%s.txt" % cls.user_certprofile,
+'--store=true', '--desc="User Certs"'])
+
+master.run_command(['ipa', 'idview-add', cls.idview,
+'--desc=description'])
+
+cls.reqdir = os.path.join(master.config.test_dir, "certs")
+cls.reqfile1 = os.path.join(cls.reqdir, "test1.csr")
+cls.reqfile2 = os.path.join(cls.reqdir, "test2.csr")
+cls.pwname = os.path.join(cls.reqdir, "pwd")
+
+# Create an empty password file
+master.run_command(['mkdir', cls.reqdir])
+# Create an empty password file
+master.run_command(["touch", cls.pwname])
+
+# Create our temporary NSS database
+tasks.run_certutil(master, ["-N", "-f", cls.pwname], cls.reqdir)
+tasks.generate_csr(master, cls.user_cn, cls.reqdir,
+   cls.reqfile1, cls.pwname)
+tasks.generate_csr(master, cls.user_cn, cls.reqdir,
+   cls.reqfile2, cls.pwname)
+master.run_command(['ipa', 'user-add', cls.user,
+'--first', 'a', '--last', 'b', '--random'])
+
+def test_certs_in_idoverrides(self):
+self.master.run_command(['ipa', 'idoverrideuser-add',
+ self.idview, self.user])
+result1 = self.master.run_command([
+'ipa', 'cert-request', self.reqfile1,
+"--principal=%s&
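
Review bot: 'from ipatests.test_integration.test_caless import assert_error' pulls a helper out of another test module; the tasks.py patch in this same mail shows assert_error defined in ipatests/test_integration/tasks.py, so import it from there, or use tasks.assert_error since tasks is already imported two lines up. install() also passes the sed command to run_command as a single string while every other call in the file uses an argument list; keep to one form.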

Re: [Freeipa-devel] [Testplan Review] Certs in ID overrides

2016-06-28 Thread Oleg Fayans
Hi Sumit,

The testplan is updated according to your second note. The WebUI part
I'll test once Pavel's patch is merged.

On 06/27/2016 10:28 AM, Sumit Bose wrote:
> On Mon, Jun 27, 2016 at 10:06:23AM +0200, Oleg Fayans wrote:
>> Hi Sumit,
>>
>> I've updated the testplan. (Thank you for the link to Fraser's blogpost,
>> it was really very useful!). All the operations described were
>> performed manually and succeeded. Could you please review it again in case
>> I forgot something?
> 
> Thank you, the tests are looking good.
> 
> I have two comments. First, for your information, I'm not sure if WebUI
> is in the scope of these tests, Pavel already sent '0058 WebUI:
> certificate widget on ID override user page' to the freeipa-devel list,
> so adding certificates to idoverrides with the WebUI should work soon as
> well.
> 
> Second, the LDAP attribute used to store the certificates is a
> multi-value attribute. Adding a test where a second certificate is added
> to the override and removed (without deleting the other certificate)
> might be useful here.
> 
> bye,
> Sumit
> 
>>
>>
>> On 06/09/2016 05:06 PM, Sumit Bose wrote:
>>> On Thu, Jun 09, 2016 at 04:48:57PM +0200, Oleg Fayans wrote:
>>>> Hi guys,
>>>>
>>>> Here is the first somewhat skeletal and pretty short version of the
>>>> testplan. Could you please review it anyone?
>>>>
>>>> http://www.freeipa.org/page/V4/Certs_in_ID_overrides/Test_Plan
>>>
>>> Hi Oleg,
>>>
>>> 'Make sure the id view is applied to ipa master host' the IPA
>>> masters/servers will always and only have the 'Default Trust View'. But
>>> it is ok to use the 'Default Trust View' for testing the certificates in
>>> the ID override.
>>>
>>> The 'openssl req ...' call will only generate a certificate request and
>>> not the certificate itself. The request must still be signed by e.g. the
>>> IPA CA. Please see the blog posts of Fraser
>>> (https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/)
>>> and Nathan (https://blog-nkinder.rhcloud.com/?p=184) for details.
>>>
>>> Since you want to test certificates in overrides you should use
>>> idoverrideuser-add-cert and idoverrideuser-remove-cert instead of
>>> user-add-cert and user-remove-cert.
>>>
>>> bye,
>>> Sumit
>>>
>>>> -- 
>>>> Oleg Fayans
>>>> Quality Engineer
>>>> FreeIPA team
>>>> RedHat.
>>>>
>>
>> -- 
>> Oleg Fayans
>> Quality Engineer
>> FreeIPA team
>> RedHat.

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964

2016-06-27 Thread Oleg Fayans
Hi guys,

Is there a chance the patches NN 0047.1 and 0048.1 get reviewed before
4.4 release? They cover a good part of the Managed Topology 4.4 feature.

On 06/17/2016 11:18 AM, Oleg Fayans wrote:
> One more test was added to the patch-0048
> 
> On 06/17/2016 09:43 AM, Oleg Fayans wrote:
>> Fixed a bug in the previous patch, automated 2 more testcases from
>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan
>>
>> On 06/16/2016 04:46 PM, Oleg Fayans wrote:
>>>
>>>
>>>
>>
>>
>>
> 
> 
> 

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [Testplan Review] Certs in ID overrides

2016-06-27 Thread Oleg Fayans
Hi Sumit,

I've updated the testplan. (Thank you for the link to Fraser's blogpost,
it was really very useful!). All the operations described were
performed manually and succeeded. Could you please review it again in case
I forgot something?


On 06/09/2016 05:06 PM, Sumit Bose wrote:
> On Thu, Jun 09, 2016 at 04:48:57PM +0200, Oleg Fayans wrote:
>> Hi guys,
>>
>> Here is the first somewhat skeletal and pretty short version of the
>> testplan. Could you please review it anyone?
>>
>> http://www.freeipa.org/page/V4/Certs_in_ID_overrides/Test_Plan
> 
> Hi Oleg,
> 
> 'Make sure the id view is applied to ipa master host' the IPA
> masters/servers will always and only have the 'Default Trust View'. But
> it is ok to use the 'Default Trust View' for testing the certificates in
> the ID override.
> 
> The 'openssl req ...' call will only generate a certificate request and
> not the certificate itself. The request must still be signed by e.g. the
> IPA CA. Please see the blog posts of Fraser
> (https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/)
> and Nathan (https://blog-nkinder.rhcloud.com/?p=184) for details.
> 
> Since you want to test certificates in overrides you should use
> idoverrideuser-add-cert and idoverrideuser-remove-cert instead of
> user-add-cert and user-remove-cert.
> 
> bye,
> Sumit
> 
>> -- 
>> Oleg Fayans
>> Quality Engineer
>> FreeIPA team
>> RedHat.
>>

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [PATCH 0021][Tests] Fix failing ipatests/test_ipaserver/test_rpcserver.py

2016-06-24 Thread Oleg Fayans
ACK

On 06/24/2016 10:29 AM, Lenka Doudova wrote:
> Hi,
> 
> attaching patch for one of the failing tests. Failure caused by an
> assertion that was no longer valid.
> 
> Lenka
> 
> 
> 

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964

2016-06-17 Thread Oleg Fayans
One more test was added to the patch-0048

On 06/17/2016 09:43 AM, Oleg Fayans wrote:
> Fixed a bug in the previous patch, automated 2 more testcases from
> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan
> 
> On 06/16/2016 04:46 PM, Oleg Fayans wrote:
>>
>>
>>
> 
> 
> 

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 06cfa465895851c0f41d581ea43e345ef07b54c3 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 17 Jun 2016 11:17:05 +0200
Subject: [PATCH] Automated ipa-replica-manage del tests

---
 ipatests/test_integration/test_topology.py | 74 ++
 1 file changed, 74 insertions(+)

diff --git a/ipatests/test_integration/test_topology.py b/ipatests/test_integration/test_topology.py
index 7a7bbfa579731410d147791d73a9e07b0fd1b271..b5deb8b9e1bb713fe6642de1de89656ac1be8605 100644
--- a/ipatests/test_integration/test_topology.py
+++ b/ipatests/test_integration/test_topology.py
@@ -5,6 +5,7 @@
 import re
 
 import pytest
+import time
 
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.test_integration import tasks
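Review bot: 'import time' is added after the third-party 'import pytest'; as a standard-library module it belongs next to 'import re' at the top of the import block.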
@@ -207,3 +208,76 @@ class TestCASpecificRUVs(IntegrationTest):
   raiseonerr=False)
 assert(result6.returncode > 0), (
 'Replication still works after all RUVs were deleted')
+
+
+class TestReplicaManageDel(IntegrationTest):
+domain_level = 0
+topology = 'star'
+num_replicas = 3
+
+def test_replica_managed_del_domlevel0(self):
+"""
+http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/
+Test_Plan#Test_case:_ipa-replica-manage_del_with_turned_off_replica
+_under_domain_level_0_keeps_ca-related_RUVs
+"""
+master = self.master
+replica = self.replicas[0]
+replica.run_command(['poweroff'])
+time.sleep(3)
+master.run_command(['ipa-replica-manage', 'del', '-f', '-p',
+master.config.dirman_password, replica.hostname])
+result = master.run_command(['ipa-replica-manage', 'list-ruv',
+ '-p', master.config.dirman_password])
+num_ruvs = result.stdout_text.count(replica.hostname)
+assert(num_ruvs == 1), ("Expected to find 1 replica's RUV, found %s" %
+num_ruvs)
+ruvid_re = re.compile(".*%s:389: (\d+).*" % replica.hostname)
+replica_ruvs = ruvid_re.findall(result.stdout_text)
+master.run_command(['ipa-replica-manage', 'clean-ruv', 'f',
+'-p', master.config.dirman_password,
+replica_ruvs[0]])
+result2 = master.run_command(['ipa-replica-manage', 'list-ruv',
+  '-p', master.config.dirman_password])
+assert(replica.hostname not in result2.stdout_text), (
+"Replica's RUV was not properly removed")
+
+def test_clean_dangling_ruv_multi_ca(self):
+"""
+http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/
+Test_Plan#Test_case:_ipa-replica-manage_clean-dangling-ruv_in_a
+_multi-CA_setup
+"""
+master = self.master
+replica = self.replicas[1]
+replica.run_command(['ipa-server-install', '--uninstall', '-U'])
+master.run_command(['ipa-replica-manage', 'del', '-f', '-p',
+master.config.dirman_password, replica.hostname])
+result1 = master.run_command(['ipa-replica-manage', 'list-ruv', '-p',
+  master.config.dirman_password])
+assert(replica.hostname in result1.stdout_text), (
+"Replica's RUV should not be removed under domain level 0")
+master.run_command(['ipa-replica-manage', 'clean-dangling-ruv', '-p',
+master.config.dirman_password])
+result2 = master.run_command(['ipa-replica-manage', 'list-ruv', '-p',
+  master.config.dirman_password])
+assert(replica.hostname not in result2.stdout_text), (
+"Replica's RUV was not removed by a clean-dangling-ruv command")
+
+def test_replica_managed_del_domlevel1(self):
+"""
+http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/
+Test_Plan#Test_case:_ipa-replica-manage_del_with_turned_off_replica
+_under_domain_level_1_removes_ca-related_RUVs
+"""
+master = self.master
+replica = self.replicas[2]
+master.run_command(['ipa', 'domainlevel-set', '1'])
+replica.run_command(['poweroff'])
+time.sleep(3)
+master.run_command(['ipa-replica-manage', 'del', '-f', '-p',
+master.
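
Review bot: in test_replica_managed_del_domlevel0 the clean-ruv call passes 'f' where the other ipa-replica-manage calls in this patch pass '-f'; without the dash it is a stray positional argument, not the force flag. The fixed time.sleep(3) after poweroff, used in both the domain level 0 and domain level 1 tests, is a guess at how long shutdown takes; polling until the host stops answering would be more reliable.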

Re: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964

2016-06-17 Thread Oleg Fayans
Fixed a bug in the previous patch, automated 2 more testcases from
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan

On 06/16/2016 04:46 PM, Oleg Fayans wrote:
> 
> 
> 

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 2b087b1dc64500d58e72296f287aabd82cbd011c Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 17 Jun 2016 09:38:04 +0200
Subject: [PATCH] Automated clean-ruv subcommand test

https://fedorahosted.org/freeipa/ticket/5964
---
 ipatests/test_integration/test_topology.py | 48 ++
 1 file changed, 48 insertions(+)

diff --git a/ipatests/test_integration/test_topology.py b/ipatests/test_integration/test_topology.py
index e956563c27eafd84deed5786274a73d0d3594642..7a7bbfa579731410d147791d73a9e07b0fd1b271 100644
--- a/ipatests/test_integration/test_topology.py
+++ b/ipatests/test_integration/test_topology.py
@@ -159,3 +159,51 @@ class TestTopologyOptions(IntegrationTest):
 assert err == "", err
 returncode, error = tasks.destroy_segment(self.master, "%s-to-%s" % replicas)
 assert returncode == 0, error
+@pytest.mark.skipif(config.domain_level == 0, reason=reasoning)
+class TestCASpecificRUVs(IntegrationTest):
+num_replicas = 2
+topology = 'star'
+username = 'testuser'
+user_firstname = 'test'
+user_lastname = 'user'
+
+def test_ca_specific_ruvs(self):
+"""
+http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan
+#Test_case:_.2A-ruv_subcommands_of_ipa-replica-manage_are_extended
+_to_handle_CA-specific_RUVs
+"""
+replica = self.replicas[0]
+master = self.master
+result1 = master.run_command(['ipa-replica-manage', 'list-ruv',
+  '-p', master.config.dirman_password])
+assert(result1.stdout_text.count(replica.hostname) == 2 and
+   "Certificate Server Replica Update Vectors" in result1.stdout_text), (
+"CA-specific RUVs are not displayed")
+ruvid_re = re.compile(".*%s:389: (\d+).*" % replica.hostname)
+replica_ruv_ids = ruvid_re.findall(result1.stdout_text)
+result2 = master.run_command(['ipa-replica-manage', 'clean-ruv',
+  replica_ruv_ids[1], '-p',
+  master.config.dirman_password, '-f'])
+assert(replica.hostname in result2.stdout_text), (
+"The wrong RUV was deleted")
+result3 = master.run_command(['ipa-replica-manage', 'list-ruv',
+  '-p', master.config.dirman_password])
+assert(result3.stdout_text.count(replica.hostname) == 1), (
+"CA RUV of the replica is still displayed")
+result4 = master.run_command(['ipa-replica-manage', 'clean-ruv',
+  replica_ruv_ids[0], '-p',
+  master.config.dirman_password, '-f'])
+assert(replica.hostname in result4.stdout_text), (
+"The wrong RUV was deleted")
+result5 = master.run_command(['ipa-replica-manage', 'list-ruv',
+  '-p', master.config.dirman_password])
+assert(replica.hostname not in result5.stdout_text), (
+"replica's RUV is still displayed")
+master.run_command(['ipa', 'user-add', self.username,
+"--first=%s" % self.user_firstname,
+"--last=%s" % self.user_lastname])
+result6 = replica.run_command(['ipa', 'user-show', self.username],
+  raiseonerr=False)
+assert(result6.returncode > 0), (
+        'Replication still works after all RUVs were deleted')
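Review bot: the final check (result6) runs 'ipa user-show' on the replica immediately after 'ipa user-add' on the master, so returncode > 0 can simply mean the entry has not replicated yet, and the test passes even when replication still works. Wait for a bounded replication interval, or poll with a timeout, before asserting the user is absent. Separately, replica_ruv_ids[1] assumes the CA RUV is always the second match in the list-ruv output; assert len(replica_ruv_ids) == 2 before indexing, and build the pattern as a raw string from re.escape(replica.hostname) so the dots in the hostname are not treated as wildcards.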
-- 
1.8.3.1

From 83f7fb2a88bae52fa58ef244ded0aecd2966f91e Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 17 Jun 2016 09:40:28 +0200
Subject: [PATCH] Automated ipa-replica-manage del tests

---
 ipatests/test_integration/test_topology.py | 51 ++
 1 file changed, 51 insertions(+)

diff --git a/ipatests/test_integration/test_topology.py b/ipatests/test_integration/test_topology.py
index 7a7bbfa579731410d147791d73a9e07b0fd1b271..227ed49b8b1db8f84d27dc2ea5773edbe0a1a1c2 100644
--- a/ipatests/test_integration/test_topology.py
+++ b/ipatests/test_integration/test_topology.py
@@ -207,3 +207,54 @@ class TestCASpecificRUVs(IntegrationTest):
   raiseonerr=False)
 assert(result6.returncode > 0), (
 'Replication still works after all RUVs were deleted')
+
+
+class TestReplicaManageDel(IntegrationTest):
+domain_level = 0
+topology = 'star'
+num_replicas = 2
+
+def test_replica_managed_del_domlevel0(se

[Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964

2016-06-16 Thread Oleg Fayans

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From debac0cf5cb24e1c2072d10373f4d9f72cb875a7 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Thu, 16 Jun 2016 16:45:03 +0200
Subject: [PATCH] Automated clean-ruv subcommand test

https://fedorahosted.org/freeipa/ticket/5964
---
 ipatests/test_integration/test_topology.py | 51 ++
 1 file changed, 51 insertions(+)

diff --git a/ipatests/test_integration/test_topology.py b/ipatests/test_integration/test_topology.py
index e956563c27eafd84deed5786274a73d0d3594642..849ee12267b2f0412dee189440c2fe7bd0cdec85 100644
--- a/ipatests/test_integration/test_topology.py
+++ b/ipatests/test_integration/test_topology.py
@@ -159,3 +159,54 @@ class TestTopologyOptions(IntegrationTest):
 assert err == "", err
 returncode, error = tasks.destroy_segment(self.master, "%s-to-%s" % replicas)
 assert returncode == 0, error
+
+
+@pytest.mark.skipif(config.domain_level == 0, reason=reasoning)
+class TestCASpecificRUVs(IntegrationTest):
+num_replicas = 1
+topology = 'star'
+username = 'testuser'
+user_firstname = 'test'
+user_lastname = 'user'
+
+def test_ca_specific_ruvs(self):
+"""
+http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan
+#Test_case:_.2A-ruv_subcommands_of_ipa-replica-manage_are_extended
+_to_handle_CA-specific_RUVs
+"""
+replica = self.replicas[0]
+master = self.master
+result1 = master.run_command(['ipa-replica-manage', 'list-ruv',
+  '-p', master.config.dirman_password])
+assert(result1.stdout_text.count(replica.hostname) == 2 and
+   "Certificate Server Replica Update Vectors" in result1.stdout_text), (
+"CA-specific RUVs are not displayed")
+ruvid_re = re.compile(".*%s:389: (\d+).*" % replica)
+replica_ruv_ids = ruvid_re.findall(result1.stdout_text)
+result2 = master.run_command(['ipa-replica-manage', 'clean-ruv',
+  replica_ruv_ids[1], '-p',
+  master.config.dirman_password, '-f'])
+assert(replica.hostname in result2.stdout_text), (
+"The wrong RUV was deleted")
+result3 = master.run_command(['ipa-replica-manage', 'list-ruv',
+  '-p', master.config.dirman_password])
+assert(result3.stdout_text.count(replica.hostname) == 1), (
+"CA RUV of the replica is still displayed")
+result4 = master.run_command(['ipa-replica-manage', 'clean-ruv',
+  replica_ruv_ids[0], '-p',
+  master.config.dirman_password, '-f'])
+assert(replica.hostname in result4.stdout_text), (
+"The wrong RUV was deleted")
+result5 = master.run_command(['ipa-replica-manage', 'list-ruv',
+  '-p', master.config.dirman_password])
+assert(replica.hostname not in result5.stdout_text), (
+"replica's RUV is still displayed")
+tasks.kinit_admin(master)
+master.run_command(['ipa', 'user-add', self.username,
+"--first=%s" % self.user_firstname,
+"--last=%s" % self.user_lastname])
+result6 = replica.run_command(['ipa', 'user-show', self.username],
+  raiseonerr=False)
+assert(result6.returncode > 0), (
+'Replication still works after all RUVs were deleted')
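Review bot: ruvid_re is built with '% replica' (the host object) while every other line of the test uses replica.hostname, so the pattern is unlikely to match any line of the list-ruv output, and replica_ruv_ids[1] then fails with IndexError instead of a readable assertion message. Interpolate replica.hostname (ideally through re.escape()) and check that exactly two ids were found before indexing into the list.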
-- 
1.8.3.1


[Freeipa-devel] [Patch-0046] Increased certmonger timeout to address ticket N 5758

2016-06-16 Thread Oleg Fayans
With this change the certmonger timeout issue is no longer observed in
abcd lab.

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 2063d59f3d8303abf056d38a68ac75f9f2d9cd24 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Thu, 16 Jun 2016 10:25:59 +0200
Subject: [PATCH] Increased certmonger timeout

https://fedorahosted.org/freeipa/ticket/5758
---
 ipaserver/install/certs.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 76f62751db8abbb27ca5849bcb09c5b5540e2cda..b3d273ff107f0493516845745c4f14242fc518ca 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -654,7 +654,7 @@ class CertDB(object):
 subject=host,
 passwd_fname=self.passwd_fname)
 # Now wait for the cert to appear. Check three times then abort
-certmonger.wait_for_request(reqid, timeout=15)
+certmonger.wait_for_request(reqid, timeout=60)
 
 
 class _CrossProcessLock(object):
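Review bot: the comment directly above the changed call still reads "Check three times then abort", which does not describe a single wait_for_request() with timeout=60; update it together with the value. The new timeout is also a bare literal tuned to one lab: a named constant with a pointer to ticket 5758 would record why 60 was chosen. The call's result is not used in the visible lines, so if wait_for_request() signals a timeout through its return value rather than an exception, a request that is still pending after 60 seconds passes silently.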
-- 
1.8.3.1


[Freeipa-devel] [Test][Patch-0043-0045] DNSSec key rotation test

2016-06-13 Thread Oleg Fayans
Hi guys,

Here is a test for dnssec key rotation mechanism.
The full set of commands works perfectly when run manually (even in the
mode of a full copy-pasting from the test). However, when run
automatically, the test always fails as `dig +rrcomments test.here DS`
does not display zone keytag. I tried to decrease default key TTL values
with no success. Could anyone take a look into this (after 4.4 is
released, of course)?


-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From f7f3d8c256fc9de3f8f0d82056be5a6d10f6c9a7 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Mon, 13 Jun 2016 08:47:34 +0200
Subject: [PATCH] Added dnssec-specific constants

---
 ipaplatform/base/constants.py | 2 ++
 ipaplatform/base/paths.py | 1 +
 2 files changed, 3 insertions(+)

diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py
index 3e1c4c6f761444bf1e8d527691aa53282e46f17e..0a632762af42cf294c85f268a873b8420c9f17b1 100644
--- a/ipaplatform/base/constants.py
+++ b/ipaplatform/base/constants.py
@@ -26,3 +26,5 @@ class BaseConstantsNamespace(object):
 # nfsd init variable used to enable kerberized NFS
 SECURE_NFS_VAR = "SECURE_NFS"
 SSSD_USER = "sssd"
+DNSSEC_KSK_LIFETIME = 'P2Y'
+DNSSEC_ZSK_LIFETIME = 'P90D'
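Review bot: DNSSEC_KSK_LIFETIME and DNSSEC_ZSK_LIFETIME are added with no comment saying what they represent. Later in this series they are used as sed search strings against opendnssec_kasp.template, so they have to stay textually identical to the durations in that file. State that in a comment next to the constants; otherwise a change to the template silently turns update_dnssec_defaults() into a no-op.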
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index ca7eb6cf47b4442fa538a47c74846e13c25e02e8..b0e701c453f13aad3ec700a3613cd4f7ecb1c779 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -349,5 +349,6 @@ class BasePathNamespace(object):
 IPA_CUSTODIA_SOCKET = '/run/httpd/ipa-custodia.sock'
 IPA_CUSTODIA_AUDIT_LOG = '/var/log/ipa-custodia.audit.log'
 IPA_GETKEYTAB = '/usr/sbin/ipa-getkeytab'
+DNSSEC_KASP_TEMPLATE = '/usr/share/ipa/opendnssec_kasp.template'
 
 path_namespace = BasePathNamespace
-- 
1.8.3.1

From 5e4700cf348727711cba7d6486ef4778513fc8ad Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Mon, 13 Jun 2016 08:52:45 +0200
Subject: [PATCH] Added a method updating dnssec defaults

For dnssec key rotation test we need to severely decrease default TTL of the
dnssec keys. This method should be executed on master host before IPA
installation
---
 ipatests/test_integration/tasks.py | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index dbb9950c7db6b902d89cd4cd3cfb676bde68508b..6537b2552c2bc354ed1403e286769f2c285095e9 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -34,6 +34,7 @@ from six import StringIO
 
 from ipapython import ipautil
 from ipaplatform.paths import paths
+from ipaplatform.constants import constants
 from ipapython.dn import DN
 from ipapython.ipa_log_manager import log_mgr
 from ipatests.test_integration import util
@@ -1206,3 +1207,9 @@ def replicas_cleanup(func):
 "host-del",
 host.hostname], raiseonerr=False)
 return wrapped
+
+
+def update_dnssec_defaults(host, ksk="PT1H", zsk="PT15M"):
+backup_file(host, paths.DNSSEC_KASP_TEMPLATE)
+host.run_command("sed -i 's/%s/%s/' %s" % (constants.DNSSEC_KSK_LIFETIME, ksk, paths.DNSSEC_KASP_TEMPLATE))
+host.run_command("sed -i 's/%s/%s/' %s" % (constants.DNSSEC_ZSK_LIFETIME, zsk, paths.DNSSEC_KASP_TEMPLATE))
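Review bot: both sed invocations in update_dnssec_defaults() are built by % interpolation into one shell string, unlike the argument-list form in the context lines just above, so ksk and zsk reach both the shell and the sed expression unquoted; a value containing '/', a quote or whitespace changes the command that runs. Pass a list (['sed', '-i', expression, path]) and validate that the arguments look like ISO 8601 durations. sed also exits 0 when nothing matches, so if the template does not contain 'P2Y' or 'P90D' the defaults stay in place without any error; check for the new value afterwards and fail if it is missing. The function has no docstring, and nothing visible here restores the file saved by backup_file().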
-- 
1.8.3.1

From 6e22ce72181153e4b50488193151f0776e36a59b Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Mon, 13 Jun 2016 09:48:58 +0200
Subject: [PATCH] Automated dnssec key rotation test

---
 ipatests/test_integration/test_dnssec.py | 64 
 1 file changed, 64 insertions(+)

diff --git a/ipatests/test_integration/test_dnssec.py b/ipatests/test_integration/test_dnssec.py
index 554e96c638fcac03379ed17cbc4d9ac1311ab7ea..c1eea542f9ba9db98b4bf3287d73dc9c24513b0c 100644
--- a/ipatests/test_integration/test_dnssec.py
+++ b/ipatests/test_integration/test_dnssec.py
@@ -649,3 +649,67 @@ class TestMigrateDNSSECMaster(IntegrationTest):
 self.master.ip, example3_test_zone, self.log, timeout=200
 ), ("Zone %s is not signed (master)"
 % example3_test_zone)
+class TestDNSSECRotation(IntegrationTest):
+num_replicas = 0
+testzone = "myexample.test."
+testzone_reduced = "myexample.test"
+
+@classmethod
+def install(cls, mh):
+tasks.update_dnssec_defaults(cls.master)
+tasks.install_master(cls.master, setup_dns=False)
+args = [
+"ipa-dns-install",
+"--dnssec-master",
+"--forwarder", cls.master.config.dns_forwarder,
+"-U",
+]
+cls.master.run_command(args)
+
+def test_dnssec_rotation(self):
+time.sleep(850)
+self.mast
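Review bot: test_dnssec_rotation starts with an unconditional time.sleep(850) and no comment relating that number to the lifetimes set by tasks.update_dnssec_defaults(). The ZSK default there is PT15M, which is 900 seconds, so the sleep ends before one full ZSK lifetime has passed. Derive the wait from the configured lifetime and poll for the expected key state with a timeout instead of sleeping a fixed interval; on timeout, include the last observed output in the failure message. The new class also follows the preceding context line with no blank lines between them.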

[Freeipa-devel] [Testplan Review] Certs in ID overrides

2016-06-09 Thread Oleg Fayans
Hi guys,

Here is the first somewhat skeletal and pretty short version of the
testplan. Could you please review it anyone?

http://www.freeipa.org/page/V4/Certs_in_ID_overrides/Test_Plan
-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [Testplan Review]

2016-06-06 Thread Oleg Fayans
Hi Petr,

I've updated the testplan according to your notes. What should we do
with this testcase about abort-clean-ruv? I mean, it would be quite
complicated to reliably automate. Should we leave the testcase anyway
with a note that the step may fail if the command is not issued fast
enough?

On 05/31/2016 06:36 PM, Petr Vobornik wrote:
> On 05/23/2016 09:23 AM, Oleg Fayans wrote:
>> Hi Petr,
>>
>> The test plan is updated.
> 
> Thanks,
> 
> is it possible to number test cases? It is hard to refer to them without
> copying the full name.
> 
> 1. first test case: `ipa host-find` will show the host entry, but cert
> will be revoked and kerb key removed
> 
> 2. "Test case: server_del API call is executed at ipa-server-install
> --uninstall on the replica under domain "
> In dom. lvl 1(after step 3), checks/output from first test case should
> apply here + server should be uninstalled.
> 
> 3. *-ruv subcommands of ipa-replica-manage are extended to handle
> CA-specific RUVs
> 
> I'll assume that '97' is just an example. It might be different.
> 
> It is possible that step 3 will fail - it's racy.
> 
> 4. Last test case with the "autogenerated" placeholder is not much
> important - so only if you have nothing more important to do.
> 
> Web UI will get interactive add of segments + some other improvements in
> a topology graph but I don't know if it can be tested easily.
> 
>>
>> On 05/19/2016 12:54 PM, Petr Vobornik wrote:
>>> On 05/19/2016 12:38 PM, Oleg Fayans wrote:
>>>> Hi all,
>>>>
>>>> I've created the first version of the testplan for Topology Management
>>>> feature in 4.4 release:
>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan
>>>>
>>>> Could someone please review it?
>>>>
>>>
>>> I'll mention what are the important parts.
>>>
>>> 1. In the 3 scenarios, the most important one is testing the
>>> `ipa-server-install --uninstall`. There it is more important to check
>>> whether it did the same as `ipa-csreplica-manage del`,
>>> `ipa-replica-manage del` and `ipa-server-install --uninstall` procedure.
>>> Which means removal of master entry, DNS records, Kerberos keys,
>>> revocation of certificates... Checking RUVs is not the critical part.
>>>
>>> 2. I miss test for move of `ipa-replica-manage set-renewal-master` to API
>>
>> Isn't it more related to the server roles feature? Will it be one of the
>> ipa server* commands?
> 
> True
> 
>>
>>>
>>> 3. test of new `ipa server-del` method
>>>
>>> when these three are done then I'd focus on RUVs
>>>
>>
> 
> 

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



[Freeipa-devel] [Test][patch-0042] Automated 2 testcases from Managed Topology testplan

2016-06-03 Thread Oleg Fayans
The patch applies and passes pylint

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 39fd39118a6d6e84a4c8791c17ad54da5cbffd0d Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 3 Jun 2016 13:22:48 +0200
Subject: [PATCH] Automated 2 managed topology 4.4 testcases

---
 ipatests/test_integration/test_topology.py | 53 ++
 1 file changed, 53 insertions(+)

diff --git a/ipatests/test_integration/test_topology.py b/ipatests/test_integration/test_topology.py
index e956563c27eafd84deed5786274a73d0d3594642..9deeb4c552cc147ef536bb515ac2e731e44b8b10 100644
--- a/ipatests/test_integration/test_topology.py
+++ b/ipatests/test_integration/test_topology.py
@@ -159,3 +159,56 @@ class TestTopologyOptions(IntegrationTest):
 assert err == "", err
 returncode, error = tasks.destroy_segment(self.master, "%s-to-%s" % replicas)
 assert returncode == 0, error
+
+
+class TestServerDel(IntegrationTest):
+num_replicas = 1
+topology = 'star'
+
+def test_server_del_command(self):
+"""
+http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/
+Test_Plan#Test_case:_ipa_server-del_command
+"""
+self.master.run_command(['ipa', 'server-del',
+ self.replicas[0].hostname])
+result1 = self.master.run_command(['ipa', 'host-find'])
+assert(self.replicas[0].hostname in result1.stdout_text), (
+"Server-del has deleted replica's host record from the master")
+result2 = self.master.run_command(['ipa', 'dnsrecord-find',
+   self.master.domain.name])
+assert(self.replicas[0].hostname in result2.stdout_text), (
+"Server-del has removed replica's A record from master dns")
+result3 = self.master.run_command(['ipa-replica-manage', 'list-ruv'])
+assert(self.replicas[0].hostname not in result3.stdout_text), (
+"Server-del did not clean out replica's RUVs")
+
+
+class TestRemoteServerDelCall(IntegrationTest):
+num_replicas = 2
+domain_level = 0
+topology = 'star'
+
+def test_remote_server_del_execution(self):
+"""
+http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/
+Test_Plan#Test_case:_server_del_API_call_is_executed_at_
+ipa-server-install_--uninstall_on_the_replica_under_domain_level_1
+"""
+tasks.uninstall_master(self.replicas[0])
+result1 = self.master.run_command(['ipa-replica-manage', 'list-ruv'])
+assert(self.replicas[0].hostname in result1.stdout_text), (
+"Remote execution of server-del was performed under domain ldvel 0")
+self.master.run_command(['ipa', 'domainlevel-set', '1'])
+tasks.uninstall_master(self.replicas[1])
+result2 = self.master.run_command(['ipa', 'host-find'])
+assert(self.replicas[1].hostname in result2.stdout_text), (
+"Server-del has deleted replica's host record from the master")
+result3 = self.master.run_command(['ipa', 'dnsrecord-find',
+   self.master.domain.name])
+assert(self.replicas[1].hostname in result3.stdout_text), (
+"Server-del has removed replica's A record from master dns")
+result4 = self.master.run_command(['ipa-replica-manage', 'list-ruv'])
+assert(self.replicas[1].hostname not in result4.stdout_text), (
+"Replica uninstallation did not cause deleting of corresponding"
+" RUVs from master")
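Review bot: both tests stop at host-find, dnsrecord-find and list-ruv, so neither verifies that the replica's certificate was revoked or its Kerberos key removed, which the test plan review on this list names as the expected result of server-del alongside the surviving host entry. Add those checks after the host-find assertion. The three assertions in test_remote_server_del_execution also repeat test_server_del_command almost line for line; a shared helper taking the replica would keep them from drifting apart. The first assertion message in test_remote_server_del_execution has a typo ("ldvel").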
-- 
1.8.3.1


[Freeipa-devel] [Testplan Review] Server Roles

2016-05-25 Thread Oleg Fayans
Hi guys. Here is a rather schematic (as neither the feature nor the
design document is complete) version of the server roles testplan. Could you
please review it and tell me what is missing?

http://www.freeipa.org/page/V4/Server_Roles/Test_Plan

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [Testplan Review]

2016-05-23 Thread Oleg Fayans
Hi Petr,

The test plan is updated.

On 05/19/2016 12:54 PM, Petr Vobornik wrote:
> On 05/19/2016 12:38 PM, Oleg Fayans wrote:
>> Hi all,
>>
>> I've created the first version of the testplan for Topology Management
>> feature in 4.4 release:
>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan
>>
>> Could someone please review it?
>>
> 
> I'll mention what are the important parts.
> 
> 1. In the 3 scenarios, the most important one is testing the
> `ipa-server-install --uninstall`. There it is more important to check
> whether it did the same as `ipa-csreplica-manage del`,
> `ipa-replica-manage del` and `ipa-server-install --uninstall` procedure.
> Which means removal of master entry, DNS records, Kerberos keys,
> revocation of certificates... Checking RUVs is not the critical part.
> 
> 2. I miss test for move of `ipa-replica-manage set-renewal-master` to API

Isn't it more related to the server roles feature? Will it be one of the
ipa server* commands?

> 
> 3. test of new `ipa server-del` method
> 
> when these three are done then I'd focus on RUVs
> 

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



[Freeipa-devel] [Testplan Review]

2016-05-19 Thread Oleg Fayans
Hi all,

I've created the first version of the testplan for Topology Management
feature in 4.4 release:
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan

Could someone please review it?

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [DESIGN-REVIEW] V4/Manage_replication_topology_4_4

2016-05-19 Thread Oleg Fayans
Hi Martin,

I should probably rephrase my question: will the server_del API call be
added to 'ipa-server-install --uninstall' within 4.4 or is it a more
distant plan?

On 05/18/2016 05:18 PM, Martin Babinsky wrote:
> On 05/18/2016 05:01 PM, Oleg Fayans wrote:
>> Hi guys,
>>
>> Did I understand correctly that in 4.4 release the function of both
>> 'ipa-csreplica-manage del' and 'ipa-replica-manage del' will be
>> transferred to the API calls executed during replica uninstallation with
>> 'ipa-server-install --uninstall'? Which means that 'ipa-replica-manage
>> del' will be deprecated?
>>
>>
> 
> `ipa-csreplica-manage del` is deprecated in domain level 1 topology and
> will raise an error, we even have a test case for this in replica
> promotion CI tests ;). So no `server_del` here.
> 
> `ipa-replica-manage del` will not be explicitly deprecated, but it will
> call `server_del` behind the scenes.
> 
>> On 05/16/2016 03:48 PM, Oleg Fayans wrote:
>>> Hi,
>>>
>>> The design is OK, the only thing that is missing is a HowToTest section
>>> in track tickets [1] and [2] about clean-dangling-ruvs and
>>> abort-clean-ruv respectively. It would really help if these tickets had
>>> detailed steps to test (in case of dangling RUV's - steps to generate
>>> them)
>>>
>>
> 
> 

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [DESIGN-REVIEW] V4/Manage_replication_topology_4_4

2016-05-18 Thread Oleg Fayans
Hi guys,

Did I understand correctly that in 4.4 release the function of both
'ipa-csreplica-manage del' and 'ipa-replica-manage del' will be
transferred to the API calls executed during replica uninstallation with
'ipa-server-install --uninstall'? Which means that 'ipa-replica-manage
del' will be deprecated?


On 05/16/2016 03:48 PM, Oleg Fayans wrote:
> Hi,
> 
> The design is OK, the only thing that is missing is a HowToTest section
> in track tickets [1] and [2] about clean-dangling-ruvs and
> abort-clean-ruv respectively. It would really help if these tickets had
> detailed steps to test (in case of dangling RUV's - steps to generate them)
> 

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [DESIGN-REVIEW] V4/Manage_replication_topology_4_4

2016-05-17 Thread Oleg Fayans
Sorry, I forgot to list the tickets themselves

On 05/16/2016 03:48 PM, Oleg Fayans wrote:
> Hi,
> 
> The design is OK, the only thing that is missing is a HowToTest section
> in track tickets [1] and [2] about clean-dangling-ruvs and
> abort-clean-ruv respectively. It would really help if these tickets had
> detailed steps to test (in case of dangling RUV's - steps to generate them)
> 
[1] https://fedorahosted.org/freeipa/ticket/5411
[2] https://fedorahosted.org/freeipa/ticket/5396

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



[Freeipa-devel] [DESIGN-REVIEW] V4/Manage_replication_topology_4_4

2016-05-16 Thread Oleg Fayans
Hi,

The design is OK, the only thing that is missing is a HowToTest section
in track tickets [1] and [2] about clean-dangling-ruvs and
abort-clean-ruv respectively. It would really help if these tickets had
detailed steps to test (in case of dangling RUV's - steps to generate them)

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [TEST][patch-0037]Fixes of dnssec tests

2016-05-11 Thread Oleg Fayans
Hi Martin,

Here as per discussion on Monday meeting, I removed from the patch
everything unrelated to the workaround itself and added a separate test
that runs a standard dnssec-enabled zone and queries it without
restarting of named. The test is marked as xfail with strict=True, which
means, once the bug is fixed it will start to unexpectedly pass causing
the whole testrun to fail, so we will know precisely when to revert this
change. This test is (apart from restarting named) an exact copy of the
existing one, so it would be safe to remove it.

Patch 0038 was rebased.

On 05/06/2016 04:11 PM, Martin Basti wrote:
> 
> 
> On 06.05.2016 14:58, Oleg Fayans wrote:
>>
>> On 05/06/2016 11:42 AM, Martin Basti wrote:
>>>
>>> On 06.05.2016 11:14, Oleg Fayans wrote:
>>>> On 05/06/2016 09:48 AM, Martin Basti wrote:
>>>>> On 06.05.2016 09:36, Oleg Fayans wrote:
>>>>>> Tests are finally stable:
>>>>>>
>>>>>> = test session starts
>>>>>> ==
>>>>>> platform linux2 -- Python 2.7.11 -- py-1.4.30 -- pytest-2.7.3
>>>>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile:
>>>>>> pytest.ini
>>>>>> plugins: multihost, sourceorder
>>>>>> collected 8 items
>>>>>>
>>>>>> test_integration/test_dnssec.py 
>>>>>>
>>>>>> = 8 passed in 5561.48 seconds
>>>>>> ==
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>> PATCH 38 LGTM
>>>>>
>>>>> PATCH 37 IIRC I refused to accept workaround for this issue when you
>>>>> sent this (almost the same) patch for first time, are you sure that we
>>>>> want to hide real issues in tests, to just have green color there?
>>>>>
>>>> The underlying issue is 7 months old. Latest update in the issue from
>>>> Peter Spacek is: "I do not have time to investigate this issue now",
>>>> which means, that it will stay there for unpredictable amount of time
>>>> more. If we want to have a "green" jenkins that actually tests existing
>>>> features, we have to accept workarounds for such long-term issues
>>>>
>>>>> Martin
>>> I leave decision if push this or not to different people, however I will
>>> do review on this.
>>>
>>>
>>> NACK
>>>
>>> 1)
>>> Why do you change sleep time? How is it related to workaround?
>>>
>>> -time.sleep(20)  # sleep a bit until LDAP changes are applied to
>>> DNS
>>> +time.sleep(10)  # sleep a bit until LDAP changes are applied to
>>> DNS
>> 10 seconds proved to be enough even in our super-slow brno rhevm lab
> Unrelated to workaround, send it as new patch
> 
>>
>>>
>>> 2)
>>> why do you removes sleep from several places? How is this related to
>>> workaround?
>>> @@ -281,13 +302,19 @@ class TestInstallDNSSECFirst(IntegrationTest):
>>>   "--a-rec=" + self.master.ip
>>>   ]
>>>   self.master.run_command(args)
>>> -time.sleep(10)  # sleep a bit until data are provided by
>>> bind-dyndb-ldap
>>>
>>>   args = [
>>>   "ipa", "dnsrecord-add", root_zone,
>>> self.master.domain.name,
>>>   "--ns-rec=" + self.master.hostname
>>>   ]
>>>   self.master.run_command(args)
>> Because it's more reasonable to make changes on all hosts and then wait.
> Now, this is NACK.
> Yes, that is true wait when all changes are done, but you completely
> misunderstood why that sleep is there.
> Sleep is there because an A record was added, and it took time until
> this change is propagated to DNS, without A record following command
> (adding NS record) will fail.
> Bind-dyndb-ldap feels happy so it can work today, but it may not work
> tomorrow.
> 
>>
>>> 3)
>>> You restart the same replica twice
>>> +time.sleep(10)  # sleep a bit until LDAP changes are applied to
>>> DNS
>>> +# A workaround for ticket N 5348
>>> +self.replicas[0].run_command(["systemctl", "restart",
>>> +  "named-pkcs11.service&quo

Re: [Freeipa-devel] [PATCH] ca-less tests updated

2016-05-10 Thread Oleg Fayans
Hi David,

After quite a while and some more struggles here comes the updated
version of the patch together with other patches fixing things in
ipatests/test_integration/tasks.py
Server and replica installation was refactored in a way to utilize the
code from tasks.py as much as it is possible

The full set of necessary patches is attached


On 04/20/2016 10:35 AM, David Kupka wrote:
> On 19/04/16 11:13, Oleg Fayans wrote:
>> OK, that one, though passing lint, did not actually work. I gave up my
>> attempts to define method decorators inside the class. Now it passes
>> lint AND works:)
>>
> 
> Hi Oleg!
> 
> 1) Current commit message is useless. Please use it to describe what is
> the point of the patch.
> 
> 2) $ git show -U0 | pep8 --diff
> ./ipatests/test_integration/test_caless.py:66:1: E302 expected 2 blank
> lines, found 1
> ./ipatests/test_integration/test_caless.py:74:1: E302 expected 2 blank
> lines, found 1
> ./ipatests/test_integration/test_caless.py:820:5: E303 too many blank
> lines (2)
> ./ipatests/test_integration/test_caless.py:825:80: E501 line too long
> (80 > 79 characters)
> ./ipatests/test_integration/test_caless.py:1035:44: E225 missing
> whitespace around operator
> 
> 
> 3) Isn't there a way to do this with pytest's fixtures?
> 
>> +def server_install_teardown(func):
>> +def wrapped(*args):
>> +try:
>> +func(*args)
>> +finally:
>> +args[0].uninstall_server()
>> +return wrapped
>> +
>> +def replica_install_teardown(func):
>> +def wrapped(*args):
>> +try:
>> +func(*args)
>> +finally:
>> +# Uninstall replica
>> +replica = args[0].replicas[0]
>> +tasks.kinit_admin(args[0].master)
>> +args[0].uninstall_server(replica)
>> +args[0].master.run_command(['ipa-replica-manage', 'del',
>> +replica.hostname, '--force'],
>> +   raiseonerr=False)
>> +args[0].master.run_command(['ipa', 'host-del',
>> +replica.hostname],
>> +   raiseonerr=False)
>> +return wrapped
>> +

There is a standard pytest method called 'method_teardown', that is
intended to be executed after each test method, but with our setup it does
not work.

> 
> 4) Is it necessary to create the $TEST_DIR in the test? Isn't it created
> by the framework?
> 
>> +host.transport.mkdir_recursive(host.config.test_dir)
> 

Removed.

> 
> 5) I don't think the comment matches the code.
> 
>>
>> +# Remove CA cert in /etc/pki/nssdb, in case of failed
>> (un)install
>> +for host in cls.get_all_hosts():
>> +cls.uninstall_server(host)
>> +
>>   super(CALessBase, cls).uninstall(mh)
> 

Not actual anymore

> 
> 6) No! Create list with one element, iterate that list and append every
> item to the other list. Maybe there's better way (Hint: append).
> I've seen this on multiple places.
> 
>>   if unattended:
>>   args.extend(['-U'])

Agreed

> 
> 7) Why don't you (extend and) use
> ipatests.test_integration.tasks.(un)install_{master,replica}?
> This could be done pretty much all over the code.
> 
>>   host.run_command(['ipa-server-install', '--uninstall', '-U'])
> 
> 8) Use ipaplatform.paths for certutil and other binaries. If the binary
> is not there feel free to add it.
> I've seen this on multiple places.
> 
>> +host.run_command(['certutil', '-d', paths.NSS_DB_DIR, '-D',
>> +  '-n', 'External CA cert'],
>> + raiseonerr=False)
>> +# A workaround forhttps://fedorahosted.org/freeipa/ticket/4639
>> +result = host.run_command(['certutil', '-L', '-d',
>> +   paths.HTTPD_ALIAS_DIR])
>> +for rawcert in result.stdout_text.split('\n')[4: -1]:
>> +cert = rawcert.split('')[0]
>> +host.run_command(['certutil', '-D', '-d',
>> paths.HTTPD_ALIAS_DIR,
>> +  '-n', cert])
>>
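Review bot: the loop over `result.stdout_text.split('\n')[4: -1]` depends on `certutil -L` printing a fixed number of header and trailer lines, and `rawcert.split('')` as quoted here has an empty separator, which Python rejects with ValueError. Nicknames can also contain spaces (the hunk itself deletes 'External CA cert'), so split each line from the right, on the whitespace before the trust-flags column, and skip lines that do not match instead of slicing by position.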

Done

> 
> 9) certmonger is a system service. You can check if it is .enabled() and
> .running(). And IIUC the comment is negation of what the code does.
> 
>>
>>   # Verify certmonger was not started
>>   result = host.run_command(['getcert', 'list'],
>> raiseonerr=False)
>> -assert result > 0
>> -asser

[Freeipa-devel] [TBD] Automated tests, regressions and workarounds

2016-05-09 Thread Oleg Fayans
Hi guys,

As a result of a situation formed around dnssec tests and one of the
long-term bugs in dnssec feature [1], I'd like to share some general
considerations with the whole team.
First I'll state a couple of obvious things just to eliminate all
possible fundamental disagreements.
1. The biggest purpose of test automation is to quickly find regressions
in existing, released features
2. In order for the automated tests to effectively catch these
regressions, the testsuite must 100% pass, so that any introduced issue
will be noticed upon the very first test failure

3. Now, the standard workflow of using automated tests is as follows:

What happens, when a regression is found? Right, it's being quickly
fixed, a new release is published, the test is green again, everybody is
happy.
What happens, if a team does not have enough resources to quickly (like
within a week or so) fix this bug? Well, that's also quite a common
situation. The company then elaborates a workaround, issues a notice
with description of this bug and a workaround so that customers know
about it and it would not affect their workflows. The tests are then
tweaked accordingly with this known workaround automated so that each
run is green again and ready to catch the next regression.

Now, what happens if the tests are NOT tweaked? The team then has
constantly "red" testruns which are not able to catch a next possible
regression. And it inevitably occurs. Being uncaught by a team's CI it
creeps into production and reaches customers, who (quite expectedly)
become nervous, because they would expect to receive at least a notice
from the vendor, that the feature they are using has some more bugs in it.

Guys, I am really sorry for being Captain Obvious here, but it seems
that most of our team puts the principle "No workarounds, we need to fix
the bug no matter what" above any common sense.

[1] https://fedorahosted.org/freeipa/ticket/5348


-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [TEST][patch-0037]Fixes of dnssec tests

2016-05-06 Thread Oleg Fayans


On 05/06/2016 03:25 PM, Petr Spacek wrote:
> On 6.5.2016 15:03, Oleg Fayans wrote:
>>
>>
>> On 05/06/2016 12:08 PM, Martin Babinsky wrote:
>>> On 05/06/2016 11:14 AM, Oleg Fayans wrote:
>>>>
>>>>
>>>> On 05/06/2016 09:48 AM, Martin Basti wrote:
>>>>>
>>>>>
>>>>> On 06.05.2016 09:36, Oleg Fayans wrote:
>>>>>> Tests are finally stable:
>>>>>>
>>>>>> = test session starts
>>>>>> ==
>>>>>> platform linux2 -- Python 2.7.11 -- py-1.4.30 -- pytest-2.7.3
>>>>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
>>>>>> plugins: multihost, sourceorder
>>>>>> collected 8 items
>>>>>>
>>>>>> test_integration/test_dnssec.py 
>>>>>>
>>>>>> = 8 passed in 5561.48 seconds
>>>>>> ==
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>> PATCH 38 LGTM
>>>>>
>>>>> PATCH 37 IIRC I refused to accept workaround for this issue when you
>>>>> send this (almost the same) patch for first time, are you sure that we
>>>>> want to hide real issues in tests, to just have green color there?
>>>>>
>>>>
>>>> The underlying issue is 7 months old. Latest update in the issue from
>>>> Peter Spacek is: "I do not have time to investigate this issue now",
>>>> which means, that it will stay there for unpredictable amount of time
>>>> more. If we want to have a "green" jenkins that actually tests existing
>>>> features, we have to accept workarounds for such long-term issues
>>>>
>>>>> Martin
>>>>
>>> I have never been a big fan of "having a green jenkins whatever it
>>> takes" but I understand that there are all kinds of pressure on your
>>> team to deliver 100% stable test results.
>>>
>>> If the test fails, let it fail or, even better, use 'xfail' markers so
>>> that we know that this test fails and we should investigate.
>> Then all 8 existing cases would have to be marked as xfailed.
> 
> That is perfectly fine - the test simply found a bug and we have to fix it.
> There is no point in having "green" tests just to have them.
> 
> Let me clarify my comment in the ticket that this is not a test blocker:
> Red Hat Bugzilla is using this definition of TestBlocker:
>   A test blocker is a bug that prevents at least one test (test case) from
> being executed.
> 
> As far as I can tell this issue does not block anything. The tests execute and
> correctly detect a bug.
> 
> It would be a TestBlocker if it was e.g. a bug in installer which prevented
> the install and thus prevented some other test cases from being executed.
> 
> AFAIK this is not the case. Or am I wrong?
> 
> >>> If it fails for such a long time, we should really invest some time to
>>> look for the root cause of failure(s). If the appointed person does not
>>> have time for this, he/she should be able to negotiate some time
>>> allocated for the investigation. If you feel that the test failures are
>>> not getting enough attention from us then you perhaps need to be more
>>> proactive in the reporting.
>>
>> I am quite OK if Peter Spacek receives some more time for investigation
>> of the root cause of the problem. What I am not OK with is having a
>> perfectly functional testsuite for otherwise working feature, that is
>> being deferred for months just because we do not approve of issue
>> workarounds.
> 
> Sorry, I do not understand this. What do you mean?

What I mean is:
Do we support adding dnssec-enabled zones?
  - Yes
Does a dnssec-enabled zone display signature?
  - Yes, but after restarting of named-pkcs11.
Should this feature in its current state be covered with automated tests
  - YES, definitely!
But I understand that most of the team have the opposite opinion on the
subject

We could probably add a separate test that checks exactly this bug: add
a dnssec-enabled zone and query it WITHOUT restarting named-pkcs11. And
mark it as xfail. This way we hit 2 goals simultaneously: test the
feature itself and have a constant reminder for you guys, that we still
have this problem that needs your attention.

> 
> 
>>> We really should be fixing issues, not adding workarounds so that tests
>>> pass.
> 
> +1, it is just a matter of priority
> 

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [TEST][patch-0037]Fixes of dnssec tests

2016-05-06 Thread Oleg Fayans


On 05/06/2016 12:08 PM, Martin Babinsky wrote:
> On 05/06/2016 11:14 AM, Oleg Fayans wrote:
>>
>>
>> On 05/06/2016 09:48 AM, Martin Basti wrote:
>>>
>>>
>>> On 06.05.2016 09:36, Oleg Fayans wrote:
>>>> Tests are finally stable:
>>>>
>>>> = test session starts
>>>> ==
>>>> platform linux2 -- Python 2.7.11 -- py-1.4.30 -- pytest-2.7.3
>>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
>>>> plugins: multihost, sourceorder
>>>> collected 8 items
>>>>
>>>> test_integration/test_dnssec.py 
>>>>
>>>> = 8 passed in 5561.48 seconds
>>>> ==
>>>>
>>>>
>>>>
>>>>
>>>>
>>> PATCH 38 LGTM
>>>
>>> PATCH 37 IIRC I refused to accept workaround for this issue when you
>>> send this (almost the same) patch for first time, are you sure that we
>>> want to hide real issues in tests, to just have green color there?
>>>
>>
>> The underlying issue is 7 months old. Latest update in the issue from
>> Peter Spacek is: "I do not have time to investigate this issue now",
>> which means, that it will stay there for unpredictable amount of time
>> more. If we want to have a "green" jenkins that actually tests existing
>> features, we have to accept workarounds for such long-term issues
>>
>>> Martin
>>
> I have never been a big fan of "having a green jenkins whatever it
> takes" but I understand that there are all kinds of pressure on your
> team to deliver 100% stable test results.
> 
> If the test fails, let it fail or, even better, use 'xfail' markers so
> that we know that this test fails and we should investigate.
Then all 8 existing cases would have to be marked as xfailed.

> 
> If it fails for such a long time, we should really invest some time to
> look for the root cause of failure(s). If the appointed person does not
> have time for this, he/she should be able to negotiate some time
> allocated for the investigation. If you feel that the test failures are
> not getting enough attention from us then you perhaps need to be more
> proactive in the reporting.

I am quite OK if Peter Spacek receives some more time for investigation
of the root cause of the problem. What I am not OK with is having a
perfectly functional testsuite for otherwise working feature, that is
being deferred for months just because we do not approve of issue
workarounds.

> 
> We really should be fixing issues, not adding workarounds so that tests
> pass.
> 

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [TEST][patch-0037]Fixes of dnssec tests

2016-05-06 Thread Oleg Fayans


On 05/06/2016 11:42 AM, Martin Basti wrote:
> 
> 
> On 06.05.2016 11:14, Oleg Fayans wrote:
>>
>> On 05/06/2016 09:48 AM, Martin Basti wrote:
>>>
>>> On 06.05.2016 09:36, Oleg Fayans wrote:
>>>> Tests are finally stable:
>>>>
>>>> = test session starts
>>>> ==
>>>> platform linux2 -- Python 2.7.11 -- py-1.4.30 -- pytest-2.7.3
>>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
>>>> plugins: multihost, sourceorder
>>>> collected 8 items
>>>>
>>>> test_integration/test_dnssec.py 
>>>>
>>>> = 8 passed in 5561.48 seconds
>>>> ==
>>>>
>>>>
>>>>
>>>>
>>>>
>>> PATCH 38 LGTM
>>>
>>> PATCH 37 IIRC I refused to accept workaround for this issue when you
>>> send this (almost the same) patch for first time, are you sure that we
>>> want to hide real issues in tests, to just have green color there?
>>>
>> The underlying issue is 7 months old. Latest update in the issue from
>> Peter Spacek is: "I do not have time to investigate this issue now",
>> which means, that it will stay there for unpredictable amount of time
>> more. If we want to have a "green" jenkins that actually tests existing
>> features, we have to accept workarounds for such long-term issues
>>
>>> Martin
> I leave decision if push this or not to different people, however I will
> do review on this.
> 
> 
> NACK
> 
> 1)
> Why do you change sleep time? How is it related to workaround?
> 
> -time.sleep(20)  # sleep a bit until LDAP changes are applied to
> DNS
> +time.sleep(10)  # sleep a bit until LDAP changes are applied to
> DNS

10 seconds proved to be enough even in our super-slow brno rhevm lab

> 
> 
> 2)
> Why do you remove sleep from several places? How is this related to
> workaround?
> @@ -281,13 +302,19 @@ class TestInstallDNSSECFirst(IntegrationTest):
>  "--a-rec=" + self.master.ip
>  ]
>  self.master.run_command(args)
> -time.sleep(10)  # sleep a bit until data are provided by
> bind-dyndb-ldap
> 
>  args = [
>  "ipa", "dnsrecord-add", root_zone, self.master.domain.name,
>  "--ns-rec=" + self.master.hostname
>  ]
>  self.master.run_command(args)

Because it's more reasonable to make changes on all hosts and then wait.

> 
> 3)
> You restart the same replica twice
> +time.sleep(10)  # sleep a bit until LDAP changes are applied to
> DNS
> +# A workaround for ticket N 5348
> +self.replicas[0].run_command(["systemctl", "restart",
> +  "named-pkcs11.service"])
> +self.replicas[0].run_command(["systemctl", "restart",
> +  "named-pkcs11.service"])
> +# End of workaround
My bad.

> 
> 4)
> Can you create a function doing workaround instead of copying the same
> code several times?
> 
> something like
> def restart_named(*args):
> for host in args:
># host$ systemctl restart named-pkcs11
> 
> where args are instances self.host, or self.master, or self.replica

Now, that's a marvelous idea! Implemented. And put the sleep interval in
it too just to keep it in one place

> 
> 5)
> Why did you remove this comment?
> -# wait until zone is signed
Because this is kind of obvious from the name of the function:
wait_until_record_is_signed

> 
> 6)
> I'm not sure, but is sleep there needed? Because restart of named will
> download all LDAP data again.
It turns out, without this interval the restart does not always help

> If timeout is required maybe reason why
> time is there should be rephrased, to something like, make sure the
> dnssec keys were exported for named, or so.

Rephrased

> +time.sleep(10)  # sleep a bit until LDAP changes are applied to
> DNS
> +# A workaround for ticket N 5348
> +self.master.run_command(["systemctl", "restart",
> + "named-pkcs11.service"])
> +self.replicas[0].run_command(["systemctl", "restart",
> +  "named-pkcs11.service"])
> +# End of workaround
> 
> Martin^2

-- 
Oleg Fayans
Quality Engineer
FreeIPA tea

Re: [Freeipa-devel] [TEST][patch-0037]Fixes of dnssec tests

2016-05-06 Thread Oleg Fayans


On 05/06/2016 09:48 AM, Martin Basti wrote:
> 
> 
> On 06.05.2016 09:36, Oleg Fayans wrote:
>> Tests are finally stable:
>>
>> = test session starts
>> ==
>> platform linux2 -- Python 2.7.11 -- py-1.4.30 -- pytest-2.7.3
>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
>> plugins: multihost, sourceorder
>> collected 8 items
>>
>> test_integration/test_dnssec.py 
>>
>> = 8 passed in 5561.48 seconds
>> ==
>>
>>
>>
>>
>>
> PATCH 38 LGTM
> 
> PATCH 37 IIRC I refused to accept workaround for this issue when you
> send this (almost the same) patch for first time, are you sure that we
> want to hide real issues in tests, to just have green color there?
> 

The underlying issue is 7 months old. Latest update in the issue from
Peter Spacek is: "I do not have time to investigate this issue now",
which means, that it will stay there for unpredictable amount of time
more. If we want to have a "green" jenkins that actually tests existing
features, we have to accept workarounds for such long-term issues

> Martin

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



[Freeipa-devel] [TEST][patch-0037]Fixes of dnssec tests

2016-05-06 Thread Oleg Fayans
Tests are finally stable:

= test session starts
==
platform linux2 -- Python 2.7.11 -- py-1.4.30 -- pytest-2.7.3
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: multihost, sourceorder
collected 8 items

test_integration/test_dnssec.py 

= 8 passed in 5561.48 seconds
==



-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From c716ef162166758795f30f9ee79124ad7cd0f752 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Fri, 6 May 2016 08:56:46 +0200
Subject: [PATCH] A workaround for ticket N 5348

A freshly created dnssec-enabled zone does not always display the signature
until you restart named-pkcs11. Added restarting of this service after each
dnssec-enabled zone.

https://fedorahosted.org/freeipa/ticket/5348
---
 ipatests/test_integration/test_dnssec.py | 67 
 1 file changed, 60 insertions(+), 7 deletions(-)

diff --git a/ipatests/test_integration/test_dnssec.py b/ipatests/test_integration/test_dnssec.py
index e90fb1f477ab50050f619399ee168c0e4b248ac2..6f80f3443af97fe0e950a53e8efce435477de478 100644
--- a/ipatests/test_integration/test_dnssec.py
+++ b/ipatests/test_integration/test_dnssec.py
@@ -104,7 +104,14 @@ class TestInstallDNSSECLast(IntegrationTest):
 "--dnssec", "true",
 ]
 self.master.run_command(args)
+time.sleep(10)  # sleep a bit until LDAP changes are applied to DNS
 
+# A workaround for ticket N 5348
+self.master.run_command(["systemctl", "restart",
+ "named-pkcs11.service"])
+self.replicas[0].run_command(["systemctl", "restart",
+  "named-pkcs11.service"])
+# End of workaround
 # test master
 assert wait_until_record_is_signed(
 self.master.ip, test_zone, self.log, timeout=100
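Review bot: the sleep-then-restart block added after `self.master.run_command(args)` is repeated, with small variations, in three later hunks of this patch. Put it in one module-level helper that takes the hosts to restart and carries the ticket reference, so the workaround can be found and removed in a single place once ticket 5348 is fixed.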
@@ -124,8 +131,12 @@ class TestInstallDNSSECLast(IntegrationTest):
 "--dnssec", "true",
 ]
 self.replicas[0].run_command(args)
-
+time.sleep(10)  # sleep a bit until LDAP changes are applied to DNS
 # test replica
+# A workaround for ticket N 5348
+self.replicas[0].run_command(["systemctl", "restart",
+  "named-pkcs11.service"])
+# End of workaround
 assert wait_until_record_is_signed(
 self.replicas[0].ip, test_zone_repl, self.log, timeout=300
 ), "Zone %s is not signed (replica)" % test_zone_repl
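Review bot: the existing `# test replica` comment now sits between the new `time.sleep(10)` and the workaround block instead of directly above the `assert wait_until_record_is_signed(` it describes. Place the sleep and the workaround before the comment so the comment still labels the assertion.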
@@ -169,8 +180,12 @@ class TestInstallDNSSECLast(IntegrationTest):
 "--dnssec", "true",
 ]
 self.master.run_command(args)
+time.sleep(10)  # sleep a bit until LDAP changes are applied to DNS
 
-time.sleep(20)  # sleep a bit until LDAP changes are applied to DNS
+# A workaround for ticket N 5348
+self.master.run_command(["systemctl", "restart",
+ "named-pkcs11.service"])
+# End of workaround
 
 # test master
 assert wait_until_record_is_signed(
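Review bot: the wait drops from `time.sleep(20)` to `time.sleep(10)` here, which the commit message does not mention and which is independent of the restart workaround; justify the new value in the commit message or move the timing change to its own patch. This hunk also restarts only the master, while the first hunk restarts `self.replicas[0]` as well, and a one-line comment on why the replica is left out would help.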
@@ -199,7 +214,7 @@ class TestInstallDNSSECLast(IntegrationTest):
 ]
 self.master.run_command(args)
 
-time.sleep(20)  # sleep a bit until LDAP changes are applied to DNS
+time.sleep(10)  # sleep a bit until LDAP changes are applied to DNS
 
 # test master
 assert not is_record_signed(
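Review bot: the only change in this hunk shortens the sleep ahead of `assert not is_record_signed(`, and a negative check gets weaker as the wait gets shorter, because it also passes when the change simply has not reached DNS yet. Keep the 20 second wait for this case, or say in the comment why 10 seconds is known to be enough.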
@@ -219,7 +234,13 @@ class TestInstallDNSSECLast(IntegrationTest):
 ]
 self.master.run_command(args)
 
-time.sleep(20)  # sleep a bit until LDAP changes are applied to DNS
+time.sleep(10)  # sleep a bit until LDAP changes are applied to DNS
+# A workaround for ticket N 5348
+self.master.run_command(["systemctl", "restart",
+ "named-pkcs11.service"])
+self.replicas[0].run_command(["systemctl", "restart",
+  "named-pkcs11.service"])
+# End of workaround
 
 # test master
 assert wait_until_record_is_signed(
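Review bot: with `named-pkcs11.service` restarted on both hosts before `assert wait_until_record_is_signed(`, this test passes whether or not a fresh zone is signed without a restart, so the behaviour from ticket 5348 no longer shows up in any result. Keep one case that queries the zone without the restart and mark it with pytest's xfail, so the open bug stays visible in the report.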
@@ -281,13 +302,19 @@ class TestInstallDNSSECFirst(IntegrationTest):
 "--a-rec=" + self.master.ip
 ]
 self.master.run_command(args)
-time.sleep(10)  # sleep a bit until data are provided by bind-dyndb-ldap
 
 args = [
 "ipa", "dnsrecord-add", root_zone, self.master.domain.name,
 "--ns-rec=" + self.master.hostname
 ]
 self.master.run_command(args)
+time.sleep(10)  # sleep a bit until data are provided by bind-dyndb-ldap
+   
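Review bot: the last added line shown, right after the moved `time.sleep(10)`, contains only whitespace. Strip the trailing spaces so that `git diff --check` stays clean.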

[Freeipa-devel] [DESIGN REVIEW] V4/Server_Roles

2016-05-05 Thread Oleg Fayans
The document is perfect. No remarks from QE side: ready for testplan design

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



[Freeipa-devel] [DESIGN REVIEW] V4/Certs_in_ID_overrides

2016-05-05 Thread Oleg Fayans
Hi,

The document looks fine. Would be nice if it had some link on a HOWTO
page about generation of a user certificate to use for AD-originated
users. Apart from that - everything is pretty clear


-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [PATCH] ca-less tests updated

2016-04-20 Thread Oleg Fayans
Hi David,


On 04/20/2016 11:55 AM, David Kupka wrote:
> On 20/04/16 10:35, David Kupka wrote:
>> On 19/04/16 11:13, Oleg Fayans wrote:
>>> OK, that one, though passing lint, did not actually work. I gave up my
>>> attempts to define method decorators inside the class. Now it passes
>>> lint AND works:)
>>>
>>
>> Hi Oleg!
>>
>> 1) Current commit message is useless. Please use it to describe what is
>> the point of the patch.
>>
>> 2) $ git show -U0 | pep8 --diff
>> ./ipatests/test_integration/test_caless.py:66:1: E302 expected 2 blank
>> lines, found 1
>> ./ipatests/test_integration/test_caless.py:74:1: E302 expected 2 blank
>> lines, found 1
>> ./ipatests/test_integration/test_caless.py:820:5: E303 too many blank
>> lines (2)
>> ./ipatests/test_integration/test_caless.py:825:80: E501 line too long
>> (80 > 79 characters)
>> ./ipatests/test_integration/test_caless.py:1035:44: E225 missing
>> whitespace around operator
>>
>>
>> 3) Isn't there a way to do this with pytest's fixtures?
>>
>>> +def server_install_teardown(func):
>>> +def wrapped(*args):
>>> +try:
>>> +func(*args)
>>> +finally:
>>> +args[0].uninstall_server()
>>> +return wrapped
>>> +
>>> +def replica_install_teardown(func):
>>> +def wrapped(*args):
>>> +try:
>>> +func(*args)
>>> +finally:
>>> +# Uninstall replica
>>> +replica = args[0].replicas[0]
>>> +tasks.kinit_admin(args[0].master)
>>> +args[0].uninstall_server(replica)
>>> +args[0].master.run_command(['ipa-replica-manage', 'del',
>>> +replica.hostname, '--force'],
>>> +   raiseonerr=False)
>>> +args[0].master.run_command(['ipa', 'host-del',
>>> +replica.hostname],
>>> +   raiseonerr=False)
>>> +return wrapped
>>> +
>>
>> 4) Is it necessary to create the $TEST_DIR in the test? Isn't it created
>> by the framework?
>>
>>> +host.transport.mkdir_recursive(host.config.test_dir)
>>
>>
>> 5) I don't think the comment matches the code.
>>
>>>
>>> +# Remove CA cert in /etc/pki/nssdb, in case of failed
>>> (un)install
>>> +for host in cls.get_all_hosts():
>>> +cls.uninstall_server(host)
>>> +
>>>   super(CALessBase, cls).uninstall(mh)
>>
>>
>> 6) No! Create list with one element, iterate that list and append every
>> item to the other list. Maybe there's better way (Hint: append).
>> I've seen this on multiple places.
>>
>>>   if unattended:
>>>   args.extend(['-U'])
>>
>> 7) Why don't you (extend and) use
>> ipatests.test_integration.tasks.(un)install_{master,replica}?
>> This could be done pretty much all over the code.
>>
>>>   host.run_command(['ipa-server-install', '--uninstall', '-U'])
>>
>> 8) Use ipaplatform.paths for certutil and other binaries. If the binary
>> is not there feel free to add it.
>> I've seen this on multiple places.
>>
>>> +host.run_command(['certutil', '-d', paths.NSS_DB_DIR, '-D',
>>> +  '-n', 'External CA cert'],
>>> + raiseonerr=False)
>>> +# A workaround forhttps://fedorahosted.org/freeipa/ticket/4639
>>> +result = host.run_command(['certutil', '-L', '-d',
>>> +   paths.HTTPD_ALIAS_DIR])
>>> +for rawcert in result.stdout_text.split('\n')[4: -1]:
>>> +cert = rawcert.split('')[0]
>>> +host.run_command(['certutil', '-D', '-d',
>>> paths.HTTPD_ALIAS_DIR,
>>> +  '-n', cert])
>>>
>>
>> 9) certmonger is a system service. You can check if it is .enabled() and
>> .running(). And IIUC the comment is negation of what the code does.
>>
>>>
>>>   # Verify certmonger was not started
>>>   result = host.run_command(['getcert', 'list'],
>>> raiseonerr=False)
>>> -assert result > 0
>>> -assert ('Please verify that the certmonger service has
>>> been '
>>> - 
