[Freeipa-devel] [freeipa PR#745][comment] tests: add missing dependency iptables
URL: https://github.com/freeipa/freeipa/pull/745 Title: #745: tests: add missing dependency iptables apophys commented: """ The kdc proxy test requiring the package is also in ipa-4-5 branch. Should it not go there as well? """ See the full comment at https://github.com/freeipa/freeipa/pull/745#issuecomment-300455303 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#693][+ack] [tests] collect audit.log for easier selinux investigation
URL: https://github.com/freeipa/freeipa/pull/693 Title: #693: [tests] collect audit.log for easier selinux investigation Label: +ack
[Freeipa-devel] [freeipa PR#626][comment] Move helper code for integration plugin
URL: https://github.com/freeipa/freeipa/pull/626 Title: #626: Move helper code for integration plugin apophys commented: """ will do """ See the full comment at https://github.com/freeipa/freeipa/pull/626#issuecomment-288355769
[Freeipa-devel] [freeipa PR#626][comment] Move helper code for integration plugin
URL: https://github.com/freeipa/freeipa/pull/626 Title: #626: Move helper code for integration plugin apophys commented: """ Thanks for the update """ See the full comment at https://github.com/freeipa/freeipa/pull/626#issuecomment-288140640
[Freeipa-devel] [freeipa PR#626][+ack] Move helper code for integration plugin
URL: https://github.com/freeipa/freeipa/pull/626 Title: #626: Move helper code for integration plugin Label: +ack
[Freeipa-devel] [freeipa PR#537][comment] test_csrgen: adjusted comparison test scripts for CSRGenerator
URL: https://github.com/freeipa/freeipa/pull/537 Title: #537: test_csrgen: adjusted comparison test scripts for CSRGenerator apophys commented: """ Ack. """ See the full comment at https://github.com/freeipa/freeipa/pull/537#issuecomment-284012793
[Freeipa-devel] [freeipa PR#537][+ack] test_csrgen: adjusted comparison test scripts for CSRGenerator
URL: https://github.com/freeipa/freeipa/pull/537 Title: #537: test_csrgen: adjusted comparison test scripts for CSRGenerator Label: +ack
[Freeipa-devel] [freeipa PR#532][comment] Fix cookie with Max-Age processing
URL: https://github.com/freeipa/freeipa/pull/532 Title: #532: Fix cookie with Max-Age processing apophys commented: """ Hi, can this PR get a little more attention? The issue seems to be a cause for a lot of failures in our integration tests. (I'm not 100% sure though) """ See the full comment at https://github.com/freeipa/freeipa/pull/532#issuecomment-283999510
[Freeipa-devel] [freeipa PR#424][+ack] Tests: fix wait_for_replication task
URL: https://github.com/freeipa/freeipa/pull/424 Title: #424: Tests: fix wait_for_replication task Label: +ack
[Freeipa-devel] [freeipa PR#415][comment] ca-del: require CA to already be disabled
URL: https://github.com/freeipa/freeipa/pull/415 Title: #415: ca-del: require CA to already be disabled apophys commented: """ Could you please extend the tests with the invalid order of the commands on a ca entry? """ See the full comment at https://github.com/freeipa/freeipa/pull/415#issuecomment-276363432
[Freeipa-devel] [freeipa PR#196][closed] ipatests: unresolvable nested netgroups
URL: https://github.com/freeipa/freeipa/pull/196 Author: apophys Title: #196: ipatests: unresolvable nested netgroups Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/196/head:pr196 git checkout pr196
[Freeipa-devel] [freeipa PR#196][comment] ipatests: unresolvable nested netgroups
URL: https://github.com/freeipa/freeipa/pull/196 Title: #196: ipatests: unresolvable nested netgroups apophys commented: """ Yes. """ See the full comment at https://github.com/freeipa/freeipa/pull/196#issuecomment-274738684
[Freeipa-devel] [freeipa PR#391][+ack] ipapython: Add dependencies on version.py
URL: https://github.com/freeipa/freeipa/pull/391 Title: #391: ipapython: Add dependencies on version.py Label: +ack
[Freeipa-devel] [freeipa PR#369][+ack] Catch ValueError raised by pytest.config.getoption()
URL: https://github.com/freeipa/freeipa/pull/369 Title: #369: Catch ValueError raised by pytest.config.getoption() Label: +ack
[Freeipa-devel] [freeipa PR#366][comment] Use pytest conftest.py
URL: https://github.com/freeipa/freeipa/pull/366 Title: #366: Use pytest conftest.py apophys commented: """ Thank you for squashing the commits. """ See the full comment at https://github.com/freeipa/freeipa/pull/366#issuecomment-270653055
[Freeipa-devel] [freeipa PR#366][+ack] Use pytest conftest.py
URL: https://github.com/freeipa/freeipa/pull/366 Title: #366: Use pytest conftest.py Label: +ack
[Freeipa-devel] [freeipa PR#196][comment] ipatests: unresolvable nested netgroups
URL: https://github.com/freeipa/freeipa/pull/196 Title: #196: ipatests: unresolvable nested netgroups apophys commented: """ The rewrite to integration test is in my queue. """ See the full comment at https://github.com/freeipa/freeipa/pull/196#issuecomment-266418775
[Freeipa-devel] [freeipa PR#227][comment] cert-request: match names against principal aliases
URL: https://github.com/freeipa/freeipa/pull/227 Title: #227: cert-request: match names against principal aliases apophys commented: """ The tests look good to me. """ See the full comment at https://github.com/freeipa/freeipa/pull/227#issuecomment-264854251
[Freeipa-devel] [freeipa PR#225][+ack] tests: Added basic tests for certs in idoverrides
URL: https://github.com/freeipa/freeipa/pull/225 Title: #225: tests: Added basic tests for certs in idoverrides Label: +ack
[Freeipa-devel] [freeipa PR#225][comment] tests: Added basic tests for certs in idoverrides
URL: https://github.com/freeipa/freeipa/pull/225 Title: #225: tests: Added basic tests for certs in idoverrides apophys commented: """ Thank you for addressing the issues. The implementation is somehow minimal, however in the future it can be extended as needed. """ See the full comment at https://github.com/freeipa/freeipa/pull/225#issuecomment-263638790
[Freeipa-devel] [freeipa PR#200][+ack] Test: basic kerberos over http functionality
URL: https://github.com/freeipa/freeipa/pull/200 Title: #200: Test: basic kerberos over http functionality Label: +ack
[Freeipa-devel] [freeipa PR#200][comment] Test: basic kerberos over http functionality
URL: https://github.com/freeipa/freeipa/pull/200 Title: #200: Test: basic kerberos over http functionality apophys commented: """ Thank you for rebasing the commits. The test looks good. """ See the full comment at https://github.com/freeipa/freeipa/pull/200#issuecomment-263578009
[Freeipa-devel] [freeipa PR#225][comment] tests: Added basic tests for certs in idoverrides
URL: https://github.com/freeipa/freeipa/pull/225 Title: #225: tests: Added basic tests for certs in idoverrides apophys commented: """ Thank you for the change of the order and using the objectclasses module. There are still things I'd like to be changed, though. """ See the full comment at https://github.com/freeipa/freeipa/pull/225#issuecomment-263505112
[Freeipa-devel] [freeipa PR#200][comment] Test: basic kerberos over http functionality
URL: https://github.com/freeipa/freeipa/pull/200 Title: #200: Test: basic kerberos over http functionality apophys commented: """ Please rebase the commits in the right order. What will happen when the hosts in the topology have both IPv4 and IPv6 stacks when you disable ports for only one? Is the IPA server serving on both network stacks? """ See the full comment at https://github.com/freeipa/freeipa/pull/200#issuecomment-262982688
[Freeipa-devel] [freeipa PR#225][comment] tests: Added basic tests for certs in idoverrides
URL: https://github.com/freeipa/freeipa/pull/225 Title: #225: tests: Added basic tests for certs in idoverrides apophys commented: """ Please address the inline comments """ See the full comment at https://github.com/freeipa/freeipa/pull/225#issuecomment-262961820
[Freeipa-devel] [freeipa PR#181][comment] Tests : User Tracker creation of user with minimal values
URL: https://github.com/freeipa/freeipa/pull/181 Title: #181: Tests : User Tracker creation of user with minimal values apophys commented: """ I think in this case we can go with keyword arguments only. Most of the uses of the tracker in the tests do it already. What I will need in the case of keyword arguments is an explicit check for some non-empty unicode string for the required attributes in the __init__ method. All of this applies to `StageUserTracker` in #210 as well """ See the full comment at https://github.com/freeipa/freeipa/pull/181#issuecomment-261940072
[Freeipa-devel] [freeipa PR#240][+ack] Document make_delete_command method in UserTracker
URL: https://github.com/freeipa/freeipa/pull/240 Title: #240: Document make_delete_command method in UserTracker Label: +ack
[Freeipa-devel] [freeipa PR#225][comment] tests: Added basic tests for certs in idoverrides
URL: https://github.com/freeipa/freeipa/pull/225 Title: #225: tests: Added basic tests for certs in idoverrides apophys commented: """ Please address the inline comments. """ See the full comment at https://github.com/freeipa/freeipa/pull/225#issuecomment-259679240
[Freeipa-devel] [freeipa PR#196][comment] ipatests: unresolvable nested netgroups
URL: https://github.com/freeipa/freeipa/pull/196 Title: #196: ipatests: unresolvable nested netgroups apophys commented: """ Ping for review. """ See the full comment at https://github.com/freeipa/freeipa/pull/196#issuecomment-259666959
[Freeipa-devel] [freeipa PR#196][opened] ipatests: unresolvable nested netgroups
URL: https://github.com/freeipa/freeipa/pull/196 Author: apophys Title: #196: ipatests: unresolvable nested netgroups Action: opened PR body: """ Adds a test case for issue in SSSD that manifested in an inability to resolve nested membership in netgroups The test case tests for direct and indirect membership. https://fedorahosted.org/freeipa/ticket/6439 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/196/head:pr196 git checkout pr196 From 92f114d7b93fe13c4f9f6d06a02916aa8cb00cf5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Milan=20Kub=C3=ADk?= <mku...@redhat.com> Date: Wed, 26 Oct 2016 13:41:02 + Subject: [PATCH] ipatests: unresolvable nested netgroups Adds a test case for issue in SSSD that manifested in an inability to resolve nested membership in netgroups The test case tests for direct and indirect membership. https://fedorahosted.org/freeipa/ticket/6439 --- ipatests/test_xmlrpc/test_netgroup_plugin.py | 113 +++ 1 file changed, 113 insertions(+) diff --git a/ipatests/test_xmlrpc/test_netgroup_plugin.py b/ipatests/test_xmlrpc/test_netgroup_plugin.py index b6f004e..42bc579 100644 --- a/ipatests/test_xmlrpc/test_netgroup_plugin.py +++ b/ipatests/test_xmlrpc/test_netgroup_plugin.py @@ -26,8 +26,10 @@ from ipatests.test_xmlrpc.xmlrpc_test import (Declarative, fuzzy_digits, fuzzy_uuid, fuzzy_netgroupdn) from ipatests.test_xmlrpc import objectclasses +from ipatests.test_xmlrpc.tracker.user_plugin import UserTracker from ipapython.dn import DN from ipatests.test_xmlrpc.test_user_plugin import get_user_result +from ipatests.util import run import pytest # Global so we can save the value between tests 
@@ -1408,3 +1410,114 @@ class test_netgroup(Declarative): ## and even which user gets into which triple can be random. #assert '(nosuchhost,jexample,example.com)' in triples #assert '(ipatesthost.%s,pexample,example.com)' % api.env.domain in triples + + +@pytest.fixture(scope='function') +def netgroup_test1(request): +name = u'netgroup-test-1' + +def ng_cleanup(): +api.Command.netgroup_del(name) + +request.addfinalizer(ng_cleanup) + +api.Command.netgroup_add(name) +return name + + +@pytest.fixture(scope='function') +def netgroup_test2(request): +name = u'netgroup-test-2' + +def ng_cleanup(): +api.Command.netgroup_del(name) +request.addfinalizer(ng_cleanup) + +api.Command.netgroup_add(name) +return name + + +@pytest.fixture(scope='function') +def netgroup_test3(request): +name = u'netgroup-test-3' + +def ng_cleanup(): +api.Command.netgroup_del(name) +request.addfinalizer(ng_cleanup) + +api.Command.netgroup_add(name) +return name + + +@pytest.fixture(scope='function') +def netgroup_user1(request): +tr = UserTracker(u'ng_user_1', u'ng', u'user') + +return tr.make_fixture(request) + + +@pytest.fixture(scope='function') +def netgroup_user2(request): +tr = UserTracker(u'ng_user_2', u'ng', u'user') + +return tr.make_fixture(request) + + +@pytest.fixture(scope='function') +def netgroup_user3(request): +tr = UserTracker(u'ng_user_3', u'ng', u'user') + +return tr.make_fixture(request) + + +def test_netgroup_nested_groups( +netgroup_test1, netgroup_test2, netgroup_test3, +netgroup_user1, netgroup_user2, netgroup_user3): +"""Test resolution of nested netgroup membership + +The test sets up a chain of netgroups with user members in +each of the groups. Then the membership is evaluated on each +group, expecting the membership of users in nested groups to be +propagated into parent groups. 
+""" + +netgroup_user1.create() +netgroup_user2.create() +netgroup_user3.create() + +# Prepare the nested netgroup hierarchy +api.Command.netgroup_add_member(netgroup_test1, netgroup=netgroup_test2) +api.Command.netgroup_add_member(netgroup_test2, netgroup=netgroup_test3) + +# Add an user to each group +api.Command.netgroup_add_member(netgroup_test1, user=netgroup_user1.name) +api.Command.netgroup_add_member(netgroup_test2, user=netgroup_user2.name) +api.Command.netgroup_add_member(netgroup_test3, user=netgroup_user3.name) + +# Clean the sssd cache +run(['sudo', 'sss_cache', '-E'], raiseonerr=False) + +# Call getent for each group and check if the users are in the right groups + +# Expected results: getent output in form (-,USERNAME,DOMAIN) +# where the DOMAIN part is the nisDomainName of the netgroup +nisdomain = ( +api.Command.netgroup_show(netgroup_test1)['result']['nisdomainname'][0] +) + +ng_rec_tmpl = '(-,{user},{domain})' +ng_rec_u1 = ng_rec_tmpl.format(user=netgroup_user1.name, domain=nisdomain) +ng_rec_u2 = ng_rec_tmpl.format(user=netgroup_user
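Review bot: In test_netgroup_nested_groups, the `run(['sudo', 'sss_cache', '-E'], raiseonerr=False)` call ignores a failed cache flush, so when sudo is not permitted for the test user or sss_cache is not installed, the getent checks that follow run against whatever SSSD already has cached and any failure points at the wrong step. Check the return code and fail or skip with a clear message instead. Separately, the netgroup_test1/2/3 fixtures and the netgroup_user1/2/3 fixtures differ only in the name they use; one helper parameterized by name would remove the repetition.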
[Freeipa-devel] [freeipa PR#148][+ack] Unaccessible variable self.attrs in Tracker
URL: https://github.com/freeipa/freeipa/pull/148 Title: #148: Unaccessible variable self.attrs in Tracker Label: +ack
[Freeipa-devel] [freeipa PR#148][comment] Unaccessible variable self.attrs in Tracker
URL: https://github.com/freeipa/freeipa/pull/148 Title: #148: Unaccessible variable self.attrs in Tracker apophys commented: """ Thank you, ack. """ See the full comment at https://github.com/freeipa/freeipa/pull/148#issuecomment-255363641
[Freeipa-devel] [freeipa PR#178][opened] ipatests: Fix assert_deepequal outside of pytest process
URL: https://github.com/freeipa/freeipa/pull/178 Author: apophys Title: #178: ipatests: Fix assert_deepequal outside of pytest process Action: opened PR body: """ https://fedorahosted.org/freeipa/ticket/6420 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/178/head:pr178 git checkout pr178 From 9ea5c11a90bdf9d41b874b34904afaa567cecf74 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Milan=20Kub=C3=ADk?= <mku...@redhat.com> Date: Fri, 21 Oct 2016 14:29:50 +0200 Subject: [PATCH] ipatests: Fix assert_deepequal outside of pytest process https://fedorahosted.org/freeipa/ticket/6420 --- ipatests/util.py | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/ipatests/util.py b/ipatests/util.py index 889e850..bca8e9c 100644 --- a/ipatests/util.py +++ b/ipatests/util.py @@ -330,7 +330,12 @@ def assert_deepequal(expected, got, doc='', stack=tuple()): Note that lists and tuples are considered equivalent, and the order of their elements does not matter. """ -if pytest.config.getoption("pretty_print"): # pylint: disable=no-member +try: +pretty_print = pytest.config.getoption("pretty_print") # pylint: disable=no-member +except AttributeError: +pretty_print = False + +if pretty_print: expected_str = struct_to_string(expected, EXPECTED_LEN) got_str = struct_to_string(got, GOT_LEN) else: -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
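Review bot: The new `except AttributeError:` in assert_deepequal only covers the case where `pytest.config` does not exist; if the config object is present but the "pretty_print" option was never registered, getoption() raises ValueError and the helper still fails. Catching `(AttributeError, ValueError)` would cover both, and a short comment saying the fallback is for use outside a pytest process would explain why the try block is there.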
[Freeipa-devel] [freeipa PR#148][comment] Unaccessible variable self.attrs in Tracker
URL: https://github.com/freeipa/freeipa/pull/148 Title: #148: Unaccessible variable self.attrs in Tracker apophys commented: """ NACK, comments inline. """ See the full comment at https://github.com/freeipa/freeipa/pull/148#issuecomment-252603864
[Freeipa-devel] [freeipa PR#123][comment] Tests: Remove silent deleting and creating entries by tracker
URL: https://github.com/freeipa/freeipa/pull/123 Title: #123: Tests: Remove silent deleting and creating entries by tracker apophys commented: """ Looks good, thanks. """ See the full comment at https://github.com/freeipa/freeipa/pull/123#issuecomment-251931803
[Freeipa-devel] [freeipa PR#123][+ack] Tests: Remove silent deleting and creating entries by tracker
URL: https://github.com/freeipa/freeipa/pull/123 Title: #123: Tests: Remove silent deleting and creating entries by tracker Label: +ack
[Freeipa-devel] [freeipa PR#73][comment] Tests for certificates with SAN
URL: https://github.com/freeipa/freeipa/pull/73 Title: #73: Tests for certificates with SAN apophys commented: """ I have fixed typos and implemented the proposed test cases. I have also provided docstring to the change_principal context manager. """ See the full comment at https://github.com/freeipa/freeipa/pull/73#issuecomment-250461484
[Freeipa-devel] [freeipa PR#73][synchronized] Tests for certificates with SAN
URL: https://github.com/freeipa/freeipa/pull/73 Author: apophys Title: #73: Tests for certificates with SAN Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/73/head:pr73 git checkout pr73 From 7ef1437d1edca904ef6528ca3b9571e35351b8ae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Milan=20Kub=C3=ADk?= <mku...@redhat.com> Date: Mon, 12 Sep 2016 14:52:05 +0200 Subject: [PATCH 1/3] ipatests: provide context manager for keytab usage in RPC tests https://fedorahosted.org/freeipa/ticket/6366 --- ipatests/util.py | 72 1 file changed, 67 insertions(+), 5 deletions(-) diff --git a/ipatests/util.py b/ipatests/util.py index 0b50f85..aed5cc5 100644 --- a/ipatests/util.py +++ b/ipatests/util.py @@ -40,7 +40,9 @@ from ipalib.plugable import Plugin from ipalib.request import context from ipapython.dn import DN -from ipapython.ipautil import private_ccache, kinit_password, run +from ipapython.ipautil import ( +private_ccache, kinit_password, kinit_keytab, run +) from ipaplatform.paths import paths if six.PY3: 
@@ -693,8 +695,28 @@ def unlock_principal_password(user, oldpw, newpw): @contextmanager -def change_principal(user, password, client=None, path=None, - canonicalize=False, enterprise=False): +def change_principal(principal, password=None, client=None, path=None, + canonicalize=False, enterprise=False, keytab=None): +"""Temporarily change the kerberos principal + +Most of the test cases run with the admin ipa user which is granted +all access and exceptions from rules on some occasions. + +When the test needs to test for an application of some kind +of a restriction it needs to authenticate as a different principal +with required set of rights to the operation. + +The context manager changes the principal identity in two ways: + +* using password +* using keytab + +If the context manager is to be used with a keytab, the keytab +option must be its absolute path. + +The context manager can be used to authenticate with enterprise +principals and aliases when given respective options. +""" if path: ccache_name = path @@ -709,8 +731,12 @@ def change_principal(user, password, client=None, path=None, try: with private_ccache(ccache_name): -kinit_password(user, password, ccache_name, - canonicalize=canonicalize, enterprise=enterprise) +if keytab: +kinit_keytab(principal, keytab, ccache_name) +else: +kinit_password(principal, password, ccache_name, + canonicalize=canonicalize, + enterprise=enterprise) client.Backend.rpcclient.connect() try: 
@@ -720,6 +746,42 @@ def change_principal(user, password, client=None, path=None, finally: client.Backend.rpcclient.connect() + +@contextmanager +def get_entity_keytab(principal, options=None): +"""Requests a keytab for an entity + +The keytab will generate new keys if not specified +otherwise in the options. +To retrieve existing keytab, use the -r option +""" +keytab_filename = os.path.join('/tmp', str(uuid.uuid4())) + +try: +cmd = [paths.IPA_GETKEYTAB, '-p', principal, '-k', keytab_filename] + +if options: +cmd.extend(options) +run(cmd) + +yield keytab_filename +finally: +os.remove(keytab_filename) + + +@contextmanager +def host_keytab(hostname, options=None): +"""Retrieves keytab for a particular host + +After leaving the context manager, the keytab file is +deleted. +""" +principal = u'host/{}'.format(hostname) + +with get_entity_keytab(principal, options) as keytab: +yield keytab + + def get_group_dn(cn): return DN(('cn', cn), api.env.container_group, api.env.basedn) From 0b39203678b709da375740f9e78349f3903c8035 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Milan=20Kub=C3=ADk?= <mku...@redhat.com> Date: Mon, 12 Sep 2016 14:53:48 +0200 Subject: [PATCH 2/3] ipatests: Fix name property on a service tracker https://fedorahosted.org/freeipa/ticket/6366 --- ipatests/test_xmlrpc/tracker/service_plugin.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipatests/test_xmlrpc/tracker/service_plugin.py b/ipatests/test_xmlrpc/tracker/service_plugin.py index a0bb884..0a90115 100644 --- a/ipatests/test_xmlrpc/tracker/service_plugin.py +++ b/ipatests/test_xmlrpc/tracker/service_plugin.py @@ -52,7 +52,7 @@ class ServiceTracker(KerberosAliasMixin, Tracker): def __init__(self, name, host_fqdn, options=None): super(ServiceTracker, self).__init__(default_version=None)
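Review bot: In get_entity_keytab, `os.remove(keytab_filename)` in the `finally` block also runs when `run(cmd)` failed before ipa-getkeytab wrote the file, and the resulting OSError then hides the real error. Guard the removal (check that the file exists, or catch OSError). The keytab holds Kerberos keys and is written under a hard-coded '/tmp'; creating a private directory with tempfile.mkdtemp() and placing the keytab there would be safer on a shared host. This patch's import hunk does not add `os` or `uuid`, so confirm both are already imported in ipatests/util.py.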
[Freeipa-devel] [freeipa PR#73][synchronized] Tests for certificates with SAN
URL: https://github.com/freeipa/freeipa/pull/73 Author: apophys Title: #73: Tests for certificates with SAN Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/73/head:pr73 git checkout pr73 From 2159887dc5d01d3cf578d45825163e1add52e8a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Milan=20Kub=C3=ADk?= <mku...@redhat.com> Date: Mon, 12 Sep 2016 14:52:05 +0200 Subject: [PATCH 1/5] ipatests: provide context manager for keytab usage in RPC tests https://fedorahosted.org/freeipa/ticket/6291 --- ipatests/util.py | 52 +++- 1 file changed, 47 insertions(+), 5 deletions(-) diff --git a/ipatests/util.py b/ipatests/util.py index 0b50f85..48a0faf 100644 --- a/ipatests/util.py +++ b/ipatests/util.py @@ -40,7 +40,9 @@ from ipalib.plugable import Plugin from ipalib.request import context from ipapython.dn import DN -from ipapython.ipautil import private_ccache, kinit_password, run +from ipapython.ipautil import ( +private_ccache, kinit_password, kinit_keytab, run +) from ipaplatform.paths import paths if six.PY3: @@ -693,8 +695,8 @@ def unlock_principal_password(user, oldpw, newpw): @contextmanager -def change_principal(user, password, client=None, path=None, - canonicalize=False, enterprise=False): +def change_principal(principal, password=None, client=None, path=None, + canonicalize=False, enterprise=False, keytab=None): if path: ccache_name = path @@ -709,8 +711,12 @@ def change_principal(user, password, client=None, path=None, try: with private_ccache(ccache_name): -kinit_password(user, password, ccache_name, - canonicalize=canonicalize, enterprise=enterprise) +if keytab: +kinit_keytab(principal, keytab, ccache_name) +else: +kinit_password(principal, password, ccache_name, + canonicalize=canonicalize, + enterprise=enterprise) client.Backend.rpcclient.connect() try: 
@@ -720,6 +726,42 @@ def change_principal(user, password, client=None, path=None, finally: client.Backend.rpcclient.connect() + +@contextmanager +def get_entity_keytab(principal, options=None): +"""Requests a keytab for an entity + +The keytab will generate new keys if not specified +otherwise in the options. +To retrieve existing keytab, use the -r option +""" +keytab_filename = os.path.join('/tmp', str(uuid.uuid4())) + +try: +cmd = [paths.IPA_GETKEYTAB, '-p', principal, '-k', keytab_filename] + +if options: +cmd.extend(options) +run(cmd) + +yield keytab_filename +finally: +os.remove(keytab_filename) + + +@contextmanager +def host_keytab(hostname, options=None): +"""Retrieves keytab for a particular host + +After leaving the context manager, the keytab file is +deleted. +""" +principal = u'host/{}'.format(hostname) + +with get_entity_keytab(principal, options) as keytab: +yield keytab + + def get_group_dn(cn): return DN(('cn', cn), api.env.container_group, api.env.basedn) From 9ed0d71a133fdd0d888f0b588a8e56e67b12e774 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Milan=20Kub=C3=ADk?= <mku...@redhat.com> Date: Mon, 12 Sep 2016 14:53:48 +0200 Subject: [PATCH 2/5] ipatests: Fix name property on a service tracker https://fedorahosted.org/freeipa/ticket/6291 --- ipatests/test_xmlrpc/tracker/service_plugin.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipatests/test_xmlrpc/tracker/service_plugin.py b/ipatests/test_xmlrpc/tracker/service_plugin.py index a0bb884..0a90115 100644 --- a/ipatests/test_xmlrpc/tracker/service_plugin.py +++ b/ipatests/test_xmlrpc/tracker/service_plugin.py 
@@ -52,7 +52,7 @@ class ServiceTracker(KerberosAliasMixin, Tracker): def __init__(self, name, host_fqdn, options=None): super(ServiceTracker, self).__init__(default_version=None) -self._name = "{0}/{1}@{2}".format(name, host_fqdn, api.env.realm) +self._name = u"{0}/{1}@{2}".format(name, host_fqdn, api.env.realm) self.dn = DN( ('krbprincipalname', self.name), api.env.container_service, api.env.basedn) From 2d75883302db07061f8062751aae392ece23bcf9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Milan=20Kub=C3=ADk?= <mku...@redhat.com> Date: Mon, 12 Sep 2016 14:54:40 +0200 Subject: [PATCH 3/5] ipatests: Implement tests with CSRs requesting SAN The patch implements several test cases testing the enforcement of CA ACLs on certificate requests with subject alternative names. https://fedorahosted.org/freeipa/ticket/6291 --- freeipa.spec.in
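Review bot: in get_entity_keytab (PATCH 1/5, the hunk at @@ -720,6 +726,42 @@), the keytab path is built as os.path.join('/tmp', str(uuid.uuid4())) and handed straight to ipa-getkeytab, so the helper never creates the file itself and its ownership and mode in the world-writable /tmp depend entirely on what ipa-getkeytab does. A keytab holds long-term keys for the principal; consider creating a private directory with tempfile.mkdtemp() (created with mode 0700), writing the keytab inside it, and removing the directory in the finally block.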
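Review bot: in the change_principal signature (PATCH 1/5, the hunk at @@ -693,8 +695,8 @@), password and keytab now both default to None, so a call that supplies neither reaches kinit_password(principal, None, ...) instead of failing at the call site, and a call that supplies both silently prefers the keytab. Suggest validating the arguments at the top of the function, for example raising ValueError unless exactly one of the two is given.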
[Freeipa-devel] [freeipa PR#73][synchronized] Tests for certificates with SAN
URL: https://github.com/freeipa/freeipa/pull/73 Author: apophys Title: #73: Tests for certificates with SAN Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/73/head:pr73 git checkout pr73 From 909ab9fa6405acb346162508729cda8b56e08f9e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Milan=20Kub=C3=ADk?= <mku...@redhat.com> Date: Mon, 12 Sep 2016 14:52:05 +0200 Subject: [PATCH 1/5] ipatests: provide context manager for keytab usage in RPC tests https://fedorahosted.org/freeipa/ticket/6291 --- ipatests/util.py | 52 +++- 1 file changed, 47 insertions(+), 5 deletions(-) diff --git a/ipatests/util.py b/ipatests/util.py index 8878993..4c1a77a 100644 --- a/ipatests/util.py +++ b/ipatests/util.py @@ -40,7 +40,9 @@ from ipalib.plugable import Plugin from ipalib.request import context from ipapython.dn import DN -from ipapython.ipautil import private_ccache, kinit_password, run +from ipapython.ipautil import ( +private_ccache, kinit_password, kinit_keytab, run +) from ipaplatform.paths import paths if six.PY3: @@ -693,8 +695,8 @@ def unlock_principal_password(user, oldpw, newpw): @contextmanager -def change_principal(user, password, client=None, path=None, - canonicalize=False, enterprise=False): +def change_principal(principal, password=None, client=None, path=None, + canonicalize=False, enterprise=False, keytab=None): if path: ccache_name = path @@ -709,8 +711,12 @@ def change_principal(user, password, client=None, path=None, try: with private_ccache(ccache_name): -kinit_password(user, password, ccache_name, - canonicalize=canonicalize, enterprise=enterprise) +if keytab: +kinit_keytab(principal, keytab, ccache_name) +else: +kinit_password(principal, password, ccache_name, + canonicalize=canonicalize, + enterprise=enterprise) client.Backend.rpcclient.connect() try: 
@@ -720,6 +726,42 @@ def change_principal(user, password, client=None, path=None, finally: client.Backend.rpcclient.connect() + +@contextmanager +def get_entity_keytab(principal, options=None): +"""Requests a keytab for an entity + +The keytab will generate new keys if not specified +otherwise in the options. +To retrieve existing keytab, use the -r option +""" +keytab_filename = os.path.join('/tmp', str(uuid.uuid4())) + +try: +cmd = [paths.IPA_GETKEYTAB, '-p', principal, '-k', keytab_filename] + +if options: +cmd.extend(options) +run(cmd) + +yield keytab_filename +finally: +os.remove(keytab_filename) + + +@contextmanager +def host_keytab(hostname, options=None): +"""Retrieves keytab for a particular host + +After leaving the context manager, the keytab file is +deleted. +""" +principal = u'host/{}'.format(hostname) + +with get_entity_keytab(principal, options) as keytab: +yield keytab + + def get_group_dn(cn): return DN(('cn', cn), api.env.container_group, api.env.basedn) From 7b962b358198559966f0f750edd9210a140b57c3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Milan=20Kub=C3=ADk?= <mku...@redhat.com> Date: Mon, 12 Sep 2016 14:53:48 +0200 Subject: [PATCH 2/5] ipatests: Fix name property on a service tracker https://fedorahosted.org/freeipa/ticket/6291 --- ipatests/test_xmlrpc/tracker/service_plugin.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipatests/test_xmlrpc/tracker/service_plugin.py b/ipatests/test_xmlrpc/tracker/service_plugin.py index a0bb884..0a90115 100644 --- a/ipatests/test_xmlrpc/tracker/service_plugin.py +++ b/ipatests/test_xmlrpc/tracker/service_plugin.py 
@@ -52,7 +52,7 @@ class ServiceTracker(KerberosAliasMixin, Tracker): def __init__(self, name, host_fqdn, options=None): super(ServiceTracker, self).__init__(default_version=None) -self._name = "{0}/{1}@{2}".format(name, host_fqdn, api.env.realm) +self._name = u"{0}/{1}@{2}".format(name, host_fqdn, api.env.realm) self.dn = DN( ('krbprincipalname', self.name), api.env.container_service, api.env.basedn) From 941b2f8e7b0661837d6fb10bfd9a4d26c45158e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Milan=20Kub=C3=ADk?= <mku...@redhat.com> Date: Mon, 12 Sep 2016 14:54:40 +0200 Subject: [PATCH 3/5] ipatests: Implement tests with CSRs requesting SAN The patch implements several test cases testing the enforcement of CA ACLs on certificate requests with subject alternative names. https://fedorahosted.org/freeipa/ticket/6291 --- freeipa.spec.in
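Review bot: in get_entity_keytab (PATCH 1/5, the hunk at @@ -720,6 +726,42 @@), the finally block calls os.remove(keytab_filename) unconditionally, so when run(cmd) fails before ipa-getkeytab has written the file, os.remove raises OSError for the missing path and the test reports that error rather than the ipa-getkeytab failure. Suggest guarding the cleanup, for example by catching OSError around os.remove and ignoring only the "no such file" case.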
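Review bot: in the keytab branch of change_principal (PATCH 1/5, the hunk at @@ -709,8 +711,12 @@), kinit_keytab(principal, keytab, ccache_name) is called without canonicalize or enterprise, so a caller that passes enterprise=True together with a keytab has the flag silently dropped. Either document in the function that these options apply only to password authentication, or reject the combination explicitly.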
[Freeipa-devel] [freeipa PR#73] Tests for certificates with SAN (opened)
apophys's pull request #73: "Tests for certificates with SAN" was opened PR body: """ Commits include several new test cases for CA ACLs and cert request for CSRs containing subject alternative name extension. Also included minor fixes in used tracker and couple of new context managers used in the test cases. """ See the full pull-request at https://github.com/freeipa/freeipa/pull/73 ... or pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/73/head:pr73 git checkout pr73 From c76d81a83e723634558bc1d8d3b0c8923414ff7a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Milan=20Kub=C3=ADk?=Date: Mon, 12 Sep 2016 14:52:05 +0200 Subject: [PATCH 1/3] ipatests: provide context manager for keytab usage in RPC tests https://fedorahosted.org/freeipa/ticket/6291 --- ipatests/util.py | 52 +++- 1 file changed, 47 insertions(+), 5 deletions(-) diff --git a/ipatests/util.py b/ipatests/util.py index 8878993..4c1a77a 100644 --- a/ipatests/util.py +++ b/ipatests/util.py @@ -40,7 +40,9 @@ from ipalib.plugable import Plugin from ipalib.request import context from ipapython.dn import DN -from ipapython.ipautil import private_ccache, kinit_password, run +from ipapython.ipautil import ( +private_ccache, kinit_password, kinit_keytab, run +) from ipaplatform.paths import paths if six.PY3: @@ -693,8 +695,8 @@ def unlock_principal_password(user, oldpw, newpw): @contextmanager -def change_principal(user, password, client=None, path=None, - canonicalize=False, enterprise=False): +def change_principal(principal, password=None, client=None, path=None, + canonicalize=False, enterprise=False, keytab=None): if path: ccache_name = path 
@@ -709,8 +711,12 @@ def change_principal(user, password, client=None, path=None, try: with private_ccache(ccache_name): -kinit_password(user, password, ccache_name, - canonicalize=canonicalize, enterprise=enterprise) +if keytab: +kinit_keytab(principal, keytab, ccache_name) +else: +kinit_password(principal, password, ccache_name, + canonicalize=canonicalize, + enterprise=enterprise) client.Backend.rpcclient.connect() try: @@ -720,6 +726,42 @@ def change_principal(user, password, client=None, path=None, finally: client.Backend.rpcclient.connect() + +@contextmanager +def get_entity_keytab(principal, options=None): +"""Requests a keytab for an entity + +The keytab will generate new keys if not specified +otherwise in the options. +To retrieve existing keytab, use the -r option +""" +keytab_filename = os.path.join('/tmp', str(uuid.uuid4())) + +try: +cmd = [paths.IPA_GETKEYTAB, '-p', principal, '-k', keytab_filename] + +if options: +cmd.extend(options) +run(cmd) + +yield keytab_filename +finally: +os.remove(keytab_filename) + + +@contextmanager +def host_keytab(hostname, options=None): +"""Retrieves keytab for a particular host + +After leaving the context manager, the keytab file is +deleted. +""" +principal = u'host/{}'.format(hostname) + +with get_entity_keytab(principal, options) as keytab: +yield keytab + + def get_group_dn(cn): return DN(('cn', cn), api.env.container_group, api.env.basedn) From 98c89a239b4b16a1be67aac72ac1b556900f46c0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Milan=20Kub=C3=ADk?= Date: Mon, 12 Sep 2016 14:53:48 +0200 Subject: [PATCH 2/3] ipatests: Fix name property on a service tracker https://fedorahosted.org/freeipa/ticket/6291 --- ipatests/test_xmlrpc/tracker/service_plugin.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipatests/test_xmlrpc/tracker/service_plugin.py b/ipatests/test_xmlrpc/tracker/service_plugin.py index fe34390..8a52446 100644 --- a/ipatests/test_xmlrpc/tracker/service_plugin.py 
+++ b/ipatests/test_xmlrpc/tracker/service_plugin.py @@ -52,7 +52,7 @@ class ServiceTracker(KerberosAliasMixin, Tracker): def __init__(self, name, host_fqdn, options=None): super(ServiceTracker, self).__init__(default_version=None) -self._name = "{0}/{1}@{2}".format(name, host_fqdn, api.env.realm) +self._name = u"{0}/{1}@{2}".format(name, host_fqdn, api.env.realm) self.dn = DN( ('krbprincipalname', self.name), api.env.container_service, api.env.basedn) From 89be52d2cf3db8b978429607d0d730a32898f047 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Milan=20Kub=C3=ADk?= Date: Mon, 12 Sep 2016 14:54:40 +0200 Subject: [PATCH 3/3] ipatests: Implement tests with CSRs requesting SAN The patch implements several test cases testing the enforcement of CA
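Review bot: the change_principal signature (PATCH 1/3, the hunk at @@ -693,8 +695,8 @@) renames the first parameter from user to principal, which breaks any existing caller that passes user= by keyword with a TypeError, and the visible hunks update no call sites. Please confirm that all callers in ipatests pass it positionally, or update them in this patch.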
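Review bot: the host_keytab docstring (PATCH 1/3, the hunk at @@ -720,6 +726,42 @@) says it "Retrieves keytab for a particular host", but it delegates to get_entity_keytab, whose own docstring states that new keys are generated unless -r is passed in options. With the default options=None a test using host_keytab therefore rotates the host's keys, which invalidates the keytab already installed on that host. The docstring should say so, or the helper should default to retrieval.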
[Freeipa-devel] [freeipa PR#38] Removed incorrect check for returncode (comment)
apophys commented on a pull request """ Can you please rewrite the commit message in the second commit to something meaningful? """ See the full comment at https://github.com/freeipa/freeipa/pull/38#issuecomment-243400759