ipa/0033-ipatests-Verify-that-SIDgen-task-continue-even-if-it.patch

From ee96c129a6034d02245a41c58fa3398c12c9ee75 Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Thu, 11 Jul 2024 18:14:52 +0530
Subject: [PATCH] ipatests: Verify that SIDgen task continue even if it fails
 to assign sid

related: https://pagure.io/freeipa/issue/9618

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
 ipatests/test_integration/test_commands.py | 73 +++++++++++++++++++++-
 1 file changed, 71 insertions(+), 2 deletions(-)

diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index f6f1c979a751a300f09358c044fbfb34539d188e..fd34defe5b12f06ed7c16350cb90933ce9bcd72e 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -1267,7 +1267,7 @@ class TestIPACommand(IntegrationTest):
 
     def get_dirsrv_id(self):
         serverid = realm_to_serverid(self.master.domain.realm)
-        return("dirsrv@%s.service" % serverid)
+        return ("dirsrv@%s.service" % serverid)
 
     def test_ipa_nis_manage_enable(self):
         """
@@ -1769,7 +1769,7 @@ class TestIPACommandWithoutReplica(IntegrationTest):
             api.bootstrap_with_global_options(context='server')
             api.finalize()
             api.Backend.ldap2.connect()
-            
+
             api.Command["group_add"]("testgroup1", external=True)
             api.Command["group_add"]("testgroup2", external=False)
             result1 = api.Command["group_show"]("testgroup1", all=True)["result"] # noqa: E501
@@ -1814,6 +1814,75 @@ class TestIPACommandWithoutReplica(IntegrationTest):
                                           '/tmp/reproducer2_code.py'])
         assert "missing attribute" not in result.stdout_text
 
+    def test_sidgen_task_continue_on_error(self):
+        """Verify that SIDgen task continue even if it fails to assign sid
+        scenario:
+            - add a user with no uid (it will be auto-assigned inside
+              the range)
+            - add a user with uid 2000
+            - add a user with no uid (it will be auto-assigned inside
+              the range)
+            - edit the first and 3rd users, remove the objectclass
+              ipaNTUserAttrs and the attribute ipaNTSecurityIdentifier
+            - run the sidgen task
+            - verify that user1 and user3 have a ipaNTSecurityIdentifier
+            - verify that old error message is not seen in dirsrv error log
+            - verify that new error message is seen in dirsrv error log
+
+        related: https://pagure.io/freeipa/issue/9618
+        """
+        test_user1 = 'test_user1'
+        test_user2 = 'test_user2'
+        test_user2000 = 'test_user2000'
+        base_dn = str(self.master.domain.basedn)
+        old_err_msg = 'Cannot add SID to existing entry'
+        new_err_msg = r'Finished with [0-9]+ failures, please check the log'
+
+        tasks.kinit_admin(self.master)
+        tasks.user_add(self.master, test_user1)
+        self.master.run_command(
+            ['ipa', 'user-add', test_user2000,
+             '--first', 'test', '--last', 'user',
+             '--uid', '2000']
+        )
+        tasks.user_add(self.master, test_user2)
+
+        for user in (test_user1, test_user2):
+            entry_ldif = textwrap.dedent("""
+                dn: uid={user},cn=users,cn=accounts,{base_dn}
+                changetype: modify
+                delete: ipaNTSecurityIdentifier
+                -
+                delete: objectclass
+                objectclass: ipaNTUserAttrs
+            """).format(
+                user=user,
+                base_dn=base_dn)
+            tasks.ldapmodify_dm(self.master, entry_ldif)
+
+        # run sidgen task
+        self.master.run_command(
+            ['ipa', 'config-mod', '--add-sids', '--enable-sid']
+        )
+
+        # ensure that sidgen have added the attr removed above
+        for user in (test_user1, test_user2):
+            result = tasks.ldapsearch_dm(
+                self.master,
+                'uid={user},cn=users,cn=accounts,{base_dn}'.format(
+                    user=user, base_dn=base_dn),
+                ['ipaNTSecurityIdentifier']
+            )
+            assert 'ipaNTSecurityIdentifier' in result.stdout_text
+
+        dashed_domain = self.master.domain.realm.replace(".", '-')
+        dirsrv_error_log = self.master.get_file_contents(
+            paths.SLAPD_INSTANCE_ERROR_LOG_TEMPLATE % (dashed_domain),
+            encoding='utf-8'
+        )
+        assert old_err_msg not in dirsrv_error_log
+        assert re.search(new_err_msg, dirsrv_error_log)
+
 
 class TestIPAautomount(IntegrationTest):
     @classmethod
-- 
2.45.2
ipa-4.12.0-7 - Resolves: RHEL-53500 adtrustinstance only prints issues in check_inst() and does not log them - Resolves: RHEL-52306 Unconditionally add MS-PAC to global config - Resolves: RHEL-52300 RFE - Keep the configured value for the "nsslapd-ignore-time-skew" after a "force-sync" - Resolves: RHEL-52222 ipa-replica/server-install with softhsm needs to check permission/ownership of /var/lib/softhsm/tokens to avoid install failure - Resolves: RHEL-51944 Include latest fixes in python3-ipatests packages - Resolves: RHEL-50804 ipa-migrate -Z with invalid cert options fails with 'ValueError: option error' - Resolves: RHEL-49602 misleading warning for missing ipa-selinux-nfast package on luna hsm h/w - Resolves: RHEL-27856 'Unable to log in as uid=admin-replica.testrealm.test,ou=people,o=ipaca' during replica install Signed-off-by: Florence Blanc-Renaud <flo@redhat.com> 2024-08-08 14:12:28 +00:00			`From ee96c129a6034d02245a41c58fa3398c12c9ee75 Mon Sep 17 00:00:00 2001`
			`From: Mohammad Rizwan <myusuf@redhat.com>`
			`Date: Thu, 11 Jul 2024 18:14:52 +0530`
			`Subject: [PATCH] ipatests: Verify that SIDgen task continue even if it fails`
			`to assign sid`

			`related: https://pagure.io/freeipa/issue/9618`

			`Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>`
			`Reviewed-By: Rob Crittenden <rcritten@redhat.com>`
			`Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>`
			`---`
			`ipatests/test_integration/test_commands.py \| 73 +++++++++++++++++++++-`
			`1 file changed, 71 insertions(+), 2 deletions(-)`

			`diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py`
			`index f6f1c979a751a300f09358c044fbfb34539d188e..fd34defe5b12f06ed7c16350cb90933ce9bcd72e 100644`
			`--- a/ipatests/test_integration/test_commands.py`
			`+++ b/ipatests/test_integration/test_commands.py`
			`@@ -1267,7 +1267,7 @@ class TestIPACommand(IntegrationTest):`

			`def get_dirsrv_id(self):`
			`serverid = realm_to_serverid(self.master.domain.realm)`
			`- return("dirsrv@%s.service" % serverid)`
			`+ return ("dirsrv@%s.service" % serverid)`

			`def test_ipa_nis_manage_enable(self):`
			`"""`
			`@@ -1769,7 +1769,7 @@ class TestIPACommandWithoutReplica(IntegrationTest):`
			`api.bootstrap_with_global_options(context='server')`
			`api.finalize()`
			`api.Backend.ldap2.connect()`
			`-`
			`+`
			`api.Command["group_add"]("testgroup1", external=True)`
			`api.Command["group_add"]("testgroup2", external=False)`
			`result1 = api.Command["group_show"]("testgroup1", all=True)["result"] # noqa: E501`
			`@@ -1814,6 +1814,75 @@ class TestIPACommandWithoutReplica(IntegrationTest):`
			`'/tmp/reproducer2_code.py'])`
			`assert "missing attribute" not in result.stdout_text`

			`+ def test_sidgen_task_continue_on_error(self):`
			`+ """Verify that SIDgen task continue even if it fails to assign sid`
			`+ scenario:`
			`+ - add a user with no uid (it will be auto-assigned inside`
			`+ the range)`
			`+ - add a user with uid 2000`
			`+ - add a user with no uid (it will be auto-assigned inside`
			`+ the range)`
			`+ - edit the first and 3rd users, remove the objectclass`
			`+ ipaNTUserAttrs and the attribute ipaNTSecurityIdentifier`
			`+ - run the sidgen task`
			`+ - verify that user1 and user3 have a ipaNTSecurityIdentifier`
			`+ - verify that old error message is not seen in dirsrv error log`
			`+ - verify that new error message is seen in dirsrv error log`
			`+`
			`+ related: https://pagure.io/freeipa/issue/9618`
			`+ """`
			`+ test_user1 = 'test_user1'`
			`+ test_user2 = 'test_user2'`
			`+ test_user2000 = 'test_user2000'`
			`+ base_dn = str(self.master.domain.basedn)`
			`+ old_err_msg = 'Cannot add SID to existing entry'`
			`+ new_err_msg = r'Finished with [0-9]+ failures, please check the log'`
			`+`
			`+ tasks.kinit_admin(self.master)`
			`+ tasks.user_add(self.master, test_user1)`
			`+ self.master.run_command(`
			`+ ['ipa', 'user-add', test_user2000,`
			`+ '--first', 'test', '--last', 'user',`
			`+ '--uid', '2000']`
			`+ )`
			`+ tasks.user_add(self.master, test_user2)`
			`+`
			`+ for user in (test_user1, test_user2):`
			`+ entry_ldif = textwrap.dedent("""`
			`+ dn: uid={user},cn=users,cn=accounts,{base_dn}`
			`+ changetype: modify`
			`+ delete: ipaNTSecurityIdentifier`
			`+ -`
			`+ delete: objectclass`
			`+ objectclass: ipaNTUserAttrs`
			`+ """).format(`
			`+ user=user,`
			`+ base_dn=base_dn)`
			`+ tasks.ldapmodify_dm(self.master, entry_ldif)`
			`+`
			`+ # run sidgen task`
			`+ self.master.run_command(`
			`+ ['ipa', 'config-mod', '--add-sids', '--enable-sid']`
			`+ )`
			`+`
			`+ # ensure that sidgen have added the attr removed above`
			`+ for user in (test_user1, test_user2):`
			`+ result = tasks.ldapsearch_dm(`
			`+ self.master,`
			`+ 'uid={user},cn=users,cn=accounts,{base_dn}'.format(`
			`+ user=user, base_dn=base_dn),`
			`+ ['ipaNTSecurityIdentifier']`
			`+ )`
			`+ assert 'ipaNTSecurityIdentifier' in result.stdout_text`
			`+`
			`+ dashed_domain = self.master.domain.realm.replace(".", '-')`
			`+ dirsrv_error_log = self.master.get_file_contents(`
			`+ paths.SLAPD_INSTANCE_ERROR_LOG_TEMPLATE % (dashed_domain),`
			`+ encoding='utf-8'`
			`+ )`
			`+ assert old_err_msg not in dirsrv_error_log`
			`+ assert re.search(new_err_msg, dirsrv_error_log)`
			`+`

			`class TestIPAautomount(IntegrationTest):`
			`@classmethod`
			`--`
			`2.45.2`