|
From 0edf915efbb39fac45c784171dd715ec6b28861a Mon Sep 17 00:00:00 2001
|
||
|
From: Sumedh Sidhaye <ssidhaye@redhat.com>
|
||
|
Date: Fri, 14 Jan 2022 19:55:13 +0530
|
||
|
Subject: [PATCH] Added test automation for SHA384withRSA CSR support
|
||
|
|
||
|
Scenario 1:
|
||
|
Setup master with --ca-signing-algorithm=SHA384withRSA
|
||
|
Run certutil and check Signing Algorithm
|
||
|
|
||
|
Scenario 2:
|
||
|
Setup a master
|
||
|
Stop services
|
||
|
Modify default.params.signingAlg in CS.cfg
|
||
|
Restart services
|
||
|
Resubmit cert (Resubmitted cert should have new Algorithm)
|
||
|
|
||
|
Pagure Link: https://pagure.io/freeipa/issue/8906
|
||
|
|
||
|
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
|
||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||
|
Reviewed-By: Antonio Torres <antorres@redhat.com>
|
||
|
---
|
||
|
.../test_integration/test_installation.py | 63 +++++++++++++++++++
|
||
|
1 file changed, 63 insertions(+)
|
||
|
|
||
|
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
|
||
|
index 0947241ae..f2d372c0c 100644
|
||
|
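--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -34,6 +34,7 @@ from ipatests.pytest_ipa.integration import tasks
 from ipatests.pytest_ipa.integration.env_config import get_global_config
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
+from ipatests.test_integration.test_cert import get_certmonger_fs_id
 from ipaplatform import services
 
 
@@ -1916,3 +1917,65 @@ class TestInstallWithoutNamed(IntegrationTest):
 tasks.install_replica(
 self.master, self.replicas[0], setup_ca=False, setup_dns=False
 )
+
+
+class TestInstallwithSHA384withRSA(IntegrationTest):
+ num_replicas = 0
+
+ def test_install_master_withalgo_sha384withrsa(self, server_cleanup):
+ tasks.install_master(
+ self.master,
+ extra_args=['--ca-signing-algorithm=SHA384withRSA'],
+ )
+
+ # check Signing Algorithm post installation
+ dashed_domain = self.master.domain.realm.replace(".", '-')
+ cmd_args = ['certutil', '-L', '-d',
+ '/etc/dirsrv/slapd-{}/'.format(dashed_domain),
+ '-n', 'Server-Cert']
+ result = self.master.run_command(cmd_args)
+ assert 'SHA-384 With RSA Encryption' in result.stdout_text
+
+ def test_install_master_modify_existing(self, server_cleanup):
+ """
+ Setup a master
+ Stop services
+ Modify default.params.signingAlg in CS.cfg
+ Restart services
+ Resubmit cert (Resubmitted cert should have new Algorithm)
+ """
+ tasks.install_master(self.master)
+ self.master.run_command(['ipactl', 'stop'])
+ cs_cfg_content = self.master.get_file_contents(paths.CA_CS_CFG_PATH,
+ encoding='utf-8')
+ new_lines = []
+ replace_str = "ca.signing.defaultSigningAlgorithm=SHA384withRSA"
+ ocsp_rep_str = "ca.ocsp_signing.defaultSigningAlgorithm=SHA384withRSA"
+ for line in cs_cfg_content.split('\n'):
+ if line.startswith('ca.signing.defaultSigningAlgorithm'):
+ new_lines.append(replace_str)
+ elif line.startswith('ca.ocsp_signing.defaultSigningAlgorithm'):
+ new_lines.append(ocsp_rep_str)
+ else:
+ new_lines.append(line)
+ self.master.put_file_contents(paths.CA_CS_CFG_PATH,
+ '\n'.join(new_lines))
+ self.master.run_command(['ipactl', 'start'])
+
+ cmd = ['getcert', 'list', '-f', paths.RA_AGENT_PEM]
+ result = self.master.run_command(cmd)
+ request_id = get_certmonger_fs_id(result.stdout_text)
+
+ # resubmit RA Agent cert
+ cmd = ['getcert', 'resubmit', '-f', paths.RA_AGENT_PEM]
+ self.master.run_command(cmd)
+
+ tasks.wait_for_certmonger_status(self.master,
+ ('CA_WORKING', 'MONITORING'),
+ request_id)
+
+ cmd_args = ['openssl', 'x509', '-in',
+ paths.RA_AGENT_PEM, '-noout', '-text']
+ result = self.master.run_command(cmd_args)
+ assert_str = 'Signature Algorithm: sha384WithRSAEncryption'
+ assert assert_str in result.stdout_text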
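Review bot: In `test_install_master_modify_existing`, the wait before the final `openssl x509` check accepts `'CA_WORKING'` as well as `'MONITORING'`. If `tasks.wait_for_certmonger_status` returns on the first listed state it sees (its body is not in this patch), the check can read `paths.RA_AGENT_PEM` before the reissued certificate is written and fail intermittently. Waiting for `('MONITORING',)` alone, or following the call with a wait for the request to settle, would make the signature-algorithm assertion deterministic. The docstring also says the test modifies `default.params.signingAlg`, while the loop rewrites `ca.signing.defaultSigningAlgorithm` and `ca.ocsp_signing.defaultSigningAlgorithm`; it should name the keys actually changed.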
|
||
|
--
|
||
|
2.34.1
|
||
|
|
||
|
From 8b22ee018c3bb7f58a1b6694a7fd611688f8e74f Mon Sep 17 00:00:00 2001
|
||
|
From: Sumedh Sidhaye <ssidhaye@redhat.com>
|
||
|
Date: Thu, 25 Nov 2021 17:48:20 +0530
|
||
|
Subject: [PATCH] Extend test to see if replica is not shown when running
|
||
|
`ipa-replica-manage list -v <FQDN>`
|
||
|
|
||
|
Related: https://pagure.io/freeipa/issue/8605
|
||
|
|
||
|
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
|
||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||
|
---
|
||
|
ipatests/test_integration/test_simple_replication.py | 3 ++-
|
||
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/ipatests/test_integration/test_simple_replication.py b/ipatests/test_integration/test_simple_replication.py
|
||
|
index 8de385144..17092a499 100644
|
||
|
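--- a/ipatests/test_integration/test_simple_replication.py
+++ b/ipatests/test_integration/test_simple_replication.py
@@ -111,5 +111,6 @@ class TestSimpleReplication(IntegrationTest):
 # has to be run with --force, there is no --unattended
 self.master.run_command(['ipa-replica-manage', 'del',
 self.replicas[0].hostname, '--force'])
- result = self.master.run_command(['ipa-replica-manage', 'list'])
+ result = self.master.run_command(
+ ['ipa-replica-manage', 'list', '-v', self.master.hostname])
 assert self.replicas[0].hostname not in result.stdout_text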
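Review bot: The new `ipa-replica-manage list -v <master>` call replaces the plain `ipa-replica-manage list` check instead of adding to it, so the test no longer verifies that the deleted replica is absent from the plain server listing. The subject says the test is extended; running both commands, e.g. `for args in (['list'], ['list', '-v', self.master.hostname]):` with the same `not in result.stdout_text` assertion, would cover both outputs. The enclosing test method starts above the hunk.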
|
||
|
--
|
||
|
2.34.1
|
||
|
|
||
|
From ba7ec71ba96280da3841ebe47df2a6dc1cd6341e Mon Sep 17 00:00:00 2001
|
||
|
From: Mohammad Rizwan <myusuf@redhat.com>
|
||
|
Date: Fri, 26 Nov 2021 12:11:21 +0530
|
||
|
Subject: [PATCH] ipatests: Fix test_ipa_cert_fix.py::TestCertFixReplica
|
||
|
teardown
|
||
|
|
||
|
Fixture `expire_certs` moves date back after renewing the certs.
|
||
|
This is causing the ipa-replica to fail. This fix first uninstalls
|
||
|
the server then moves back the date.
|
||
|
|
||
|
Fixes: https://pagure.io/freeipa/issue/9052
|
||
|
|
||
|
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
|
||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||
|
---
|
||
|
ipatests/test_integration/test_ipa_cert_fix.py | 9 ++++++++-
|
||
|
1 file changed, 8 insertions(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
|
||
|
index 39904d5de..5b56054b4 100644
|
||
|
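--- a/ipatests/test_integration/test_ipa_cert_fix.py
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
@@ -389,6 +389,12 @@ class TestCertFixReplica(IntegrationTest):
 setup_dns=False, extra_args=['--no-ntp']
 )
 
+ @classmethod
+ def uninstall(cls, mh):
+ # Uninstall method is empty as the uninstallation is done in
+ # the fixture
+ pass
+
 @pytest.fixture
 def expire_certs(self):
 # move system date to expire certs
@@ -398,7 +404,8 @@ class TestCertFixReplica(IntegrationTest):
 yield
 
 # move date back on replica and master
- for host in self.master, self.replicas[0]:
+ for host in self.replicas[0], self.master:
+ tasks.uninstall_master(host)
 tasks.move_date(host, 'start', '-3years-1days')
 
 def test_renew_expired_cert_replica(self, expire_certs):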
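Review bot: In the `expire_certs` teardown, `tasks.uninstall_master(host)` now runs before `tasks.move_date(host, 'start', '-3years-1days')` with nothing guarding it, so an exception during the replica's uninstall leaves the shifted system date in place on both hosts for whatever runs on them next. Wrapping each iteration as `try: tasks.uninstall_master(host)` / `finally: tasks.move_date(host, 'start', '-3years-1days')` keeps the date restore unconditional. Because the class-level `uninstall` is now a no-op and the fixture is function-scoped, a second test using `expire_certs` would start on uninstalled hosts and a test not using it would leave them installed; the comment in `uninstall` should say so. The fixture body starts outside the hunk.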
|
||
|
--
|
||
|
2.34.1
|
||
|
|
||
|
From 465f1669a6c5abc72da1ecaf9aefa8488f80806c Mon Sep 17 00:00:00 2001
|
||
|
From: Anuja More <amore@redhat.com>
|
||
|
Date: Mon, 13 Dec 2021 17:37:05 +0530
|
||
|
Subject: [PATCH] ipatests: Test default value of nsslapd-sizelimit.
|
||
|
|
||
|
related : https://pagure.io/freeipa/issue/8962
|
||
|
|
||
|
Signed-off-by: Anuja More <amore@redhat.com>
|
||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||
|
---
|
||
|
ipatests/test_integration/test_installation.py | 13 +++++++++++++
|
||
|
1 file changed, 13 insertions(+)
|
||
|
|
||
|
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
|
||
|
index 95cfaad54..0947241ae 100644
|
||
|
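--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -1067,6 +1067,19 @@ class TestInstallMaster(IntegrationTest):
 )
 assert "nsslapd-db-locks" not in result.stdout_text
 
+ def test_nsslapd_sizelimit(self):
+ """ Test for default value of nsslapd-sizelimit.
+
+ Related : https://pagure.io/freeipa/issue/8962
+ """
+ result = tasks.ldapsearch_dm(
+ self.master,
+ "cn=config",
+ ["nsslapd-sizelimit"],
+ scope="base"
+ )
+ assert "nsslapd-sizelimit: 100000" in result.stdout_text
+
 def test_admin_root_alias_CVE_2020_10747(self):
 # Test for CVE-2020-10747 fix
 # https://bugzilla.redhat.com/show_bug.cgi?id=1810160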
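Review bot: The assertion `"nsslapd-sizelimit: 100000" in result.stdout_text` in `test_nsslapd_sizelimit` is a substring match, so a larger configured value such as 1000000 would also satisfy it. Comparing whole lines, `assert "nsslapd-sizelimit: 100000" in result.stdout_text.splitlines()`, pins the default exactly.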
|
||
|
--
|
||
|
2.34.1
|
||
|
|
||
|
From cbd9ac6ab07dfb60f67da762fdd70856ad35c230 Mon Sep 17 00:00:00 2001
|
||
|
From: Mohammad Rizwan <myusuf@redhat.com>
|
||
|
Date: Thu, 25 Nov 2021 13:10:05 +0530
|
||
|
Subject: [PATCH] ipatests: Test empty cert request doesn't force certmonger to
|
||
|
segfault
|
||
|
|
||
|
When empty cert request is submitted to certmonger, it goes to
|
||
|
segfault. This fix test that if something like this happens,
|
||
|
certmonger should gracefully handle it
|
||
|
|
||
|
and some PEP8 fixes
|
||
|
|
||
|
related: https://pagure.io/certmonger/issue/191
|
||
|
|
||
|
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
|
||
|
---
|
||
|
ipatests/test_integration/test_cert.py | 79 +++++++++++++++++++++++++-
|
||
|
1 file changed, 78 insertions(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
|
||
|
index 5ffb8c608..0518d7954 100644
|
||
|
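--- a/ipatests/test_integration/test_cert.py
+++ b/ipatests/test_integration/test_cert.py
@@ -14,6 +14,7 @@ import random
 import re
 import string
 import time
+import textwrap
 
 from ipaplatform.paths import paths
 from ipapython.dn import DN
@@ -193,7 +194,7 @@ class TestInstallMasterClient(IntegrationTest):
 tasks.kinit_admin(self.master)
 tasks.user_add(self.master, user)
 
- for id in (0,1):
+ for id in (0, 1):
 csr_file = f'{id}.csr'
 key_file = f'{id}.key'
 cert_file = f'{id}.crt'
@@ -584,3 +585,79 @@ class TestCAShowErrorHandling(IntegrationTest):
 error_msg = 'ipa: ERROR: The certificate for ' \
 '{} is not available on this server.'.format(lwca)
 assert error_msg in result.stderr_text
+
+ def test_certmonger_empty_cert_not_segfault(self):
+ """Test empty cert request doesn't force certmonger to segfault
+
+ Test scenario:
+ create a cert request file in /var/lib/certmonger/requests which is
+ missing most of the required information, and ask request a new
+ certificate to certmonger. The wrong request file should not make
+ certmonger crash.
+
+ related: https://pagure.io/certmonger/issue/191
+ """
+ empty_cert_req_content = textwrap.dedent("""
+ id=dogtag-ipa-renew-agent
+ key_type=UNSPECIFIED
+ key_gen_type=UNSPECIFIED
+ key_size=0
+ key_gen_size=0
+ key_next_type=UNSPECIFIED
+ key_next_gen_type=UNSPECIFIED
+ key_next_size=0
+ key_next_gen_size=0
+ key_preserve=0
+ key_storage_type=NONE
+ key_perms=0
+ key_requested_count=0
+ key_issued_count=0
+ cert_storage_type=FILE
+ cert_perms=0
+ cert_is_ca=0
+ cert_ca_path_length=0
+ cert_no_ocsp_check=0
+ last_need_notify_check=19700101000000
+ last_need_enroll_check=19700101000000
+ template_is_ca=0
+ template_ca_path_length=-1
+ template_no_ocsp_check=0
+ state=NEED_KEY_PAIR
+ autorenew=0
+ monitor=0
+ submitted=19700101000000
+ """)
+ # stop certmonger service
+ self.master.run_command(['systemctl', 'stop', 'certmonger'])
+
+ # place an empty cert request file to certmonger request dir
+ self.master.put_file_contents(
+ os.path.join(paths.CERTMONGER_REQUESTS_DIR, '20211125062617'),
+ empty_cert_req_content
+ )
+
+ # start certmonger, it should not fail
+ self.master.run_command(['systemctl', 'start', 'certmonger'])
+
+ # request a new cert, should succeed and certmonger doesn't goes
+ # to segfault
+ result = self.master.run_command([
+ "ipa-getcert", "request",
+ "-f", os.path.join(paths.OPENSSL_CERTS_DIR, "test.pem"),
+ "-k", os.path.join(paths.OPENSSL_PRIVATE_DIR, "test.key"),
+ ])
+ request_id = re.findall(r'\d+', result.stdout_text)
+
+ # check if certificate is in MONITORING state
+ status = tasks.wait_for_request(self.master, request_id[0], 50)
+ assert status == "MONITORING"
+
+ self.master.run_command(
+ ['ipa-getcert', 'stop-tracking', '-i', request_id[0]]
+ )
+ self.master.run_command([
+ 'rm', '-rf',
+ os.path.join(paths.CERTMONGER_REQUESTS_DIR, '20211125062617'),
+ os.path.join(paths.OPENSSL_CERTS_DIR, 'test.pem'),
+ os.path.join(paths.OPENSSL_PRIVATE_DIR, 'test.key')
+ ])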
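Review bot: The cleanup at the end of `test_certmonger_empty_cert_not_segfault` (`ipa-getcert stop-tracking` and the `rm -rf` of the request file, `test.pem` and `test.key`) only runs when every earlier step passes. If `assert status == "MONITORING"` or the `ipa-getcert request` fails, the malformed request file stays in `paths.CERTMONGER_REQUESTS_DIR`, where later tests on the same host will find it. Moving the removal into a `try`/`finally` around the body, or into a fixture, fixes that. The test also infers that certmonger did not crash from the new request reaching MONITORING; an explicit `self.master.run_command(['systemctl', 'is-active', 'certmonger'])` after the start would check the daemon directly. `request_id[0]` raises IndexError rather than a readable failure when the command output contains no digits.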
|
||
|
--
|
||
|
2.34.1
|
||
|
|
||
|
From edbd8f692a28fc999b92e9032614d366511db323 Mon Sep 17 00:00:00 2001
|
||
|
From: Anuja More <amore@redhat.com>
|
||
|
Date: Mon, 6 Dec 2021 20:50:01 +0530
|
||
|
Subject: [PATCH] ipatests: webui: Tests for subordinate ids.
|
||
|
|
||
|
Added web-ui tests to verify that operations
|
||
|
using subordinate ids are working as expected.
|
||
|
|
||
|
Related : https://pagure.io/freeipa/issue/8361
|
||
|
|
||
|
Signed-off-by: Anuja More <amore@redhat.com>
|
||
|
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||
|
---
|
||
|
ipatests/test_webui/test_subid.py | 141 ++++++++++++++++++++++++++++++
|
||
|
ipatests/test_webui/ui_driver.py | 28 ++++++
|
||
|
2 files changed, 169 insertions(+)
|
||
|
create mode 100644 ipatests/test_webui/test_subid.py
|
||
|
|
||
|
diff --git a/ipatests/test_webui/test_subid.py b/ipatests/test_webui/test_subid.py
|
||
|
new file mode 100644
|
||
|
index 000000000..26decdba0
|
||
|
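--- /dev/null
+++ b/ipatests/test_webui/test_subid.py
@@ -0,0 +1,141 @@
+
+"""
+Tests for subordinateid.
+"""
+
+from ipatests.test_webui.ui_driver import UI_driver
+import ipatests.test_webui.data_config as config_data
+import ipatests.test_webui.data_user as user_data
+from ipatests.test_webui.ui_driver import screenshot
+import re
+
+
+class test_subid(UI_driver):
+
+ def add_user(self, pkey, name, surname):
+ self.add_record('user', {
+ 'pkey': pkey,
+ 'add': [
+ ('textbox', 'uid', pkey),
+ ('textbox', 'givenname', name),
+ ('textbox', 'sn', surname),
+ ]
+ })
+
+ def set_default_subid(self):
+ self.navigate_to_entity(config_data.ENTITY)
+ self.check_option('ipauserdefaultsubordinateid', 'checked')
+ self.facet_button_click('save')
+
+ def get_user_count(self, user_pkey):
+ self.navigate_to_entity('subid', facet='search')
+ self.apply_search_filter(user_pkey)
+ self.wait_for_request()
+ return self.get_rows()
+
+ @screenshot
+ def test_set_defaultsubid(self):
+ """
+ Test to verify that enable/disable is working for
+ adding subids to new users.
+ """
+ self.init_app()
+ self.add_record(user_data.ENTITY, user_data.DATA2)
+ self.navigate_to_entity(config_data.ENTITY)
+ # test subid can be enabled/disabled.
+ self.set_default_subid()
+ assert self.get_field_checked('ipauserdefaultsubordinateid')
+ self.set_default_subid()
+ assert not self.get_field_checked('ipauserdefaultsubordinateid')
+
+ @screenshot
+ def test_user_defaultsubid(self):
+ """
+ Test to verify that subid is generated for new user.
+ """
+ self.init_app()
+ user_pkey = "some-user"
+
+ self.set_default_subid()
+ assert self.get_field_checked('ipauserdefaultsubordinateid')
+
+ before_count = self.get_user_count(user_pkey)
+ assert len(before_count) == 0
+
+ self.add_user(user_pkey, 'Some', 'User')
+ after_count = self.get_user_count(user_pkey)
+ assert len(after_count) == 1
+
+ @screenshot
+ def test_user_subid_mod_desc(self):
+ """
+ Test to verify that auto-assigned subid description is modified.
+ """
+ self.init_app()
+ self.navigate_to_record("some-user")
+ self.switch_to_facet('memberof_subid')
+ rows = self.get_rows()
+ self.navigate_to_row_record(rows[-1])
+ self.fill_textbox("description", "some-user-subid-desc")
+ self.facet_button_click('save')
+
+ @screenshot
+ def test_admin_subid(self):
+ """
+ Test to verify that subid range is created with owner admin.
+ """
+ self.init_app()
+ self.navigate_to_entity('subid', facet='search')
+ self.facet_button_click('add')
+ self.select_combobox('ipaowner', 'admin')
+ self.dialog_button_click('add')
+ self.wait(0.3)
+ self.assert_no_error_dialog()
+
+ @screenshot
+ def test_admin_subid_negative(self):
+ """
+ Test to verify that readding the subid fails with error.
+ """
+ self.init_app()
+ self.navigate_to_entity('subid', facet='search')
+ self.facet_button_click('add')
+ self.select_combobox('ipaowner', 'admin')
+ self.dialog_button_click('add')
+ self.wait(0.3)
+ err_dialog = self.get_last_error_dialog(dialog_name='error_dialog')
+ text = self.get_text('.modal-body div p', err_dialog)
+ text = text.strip()
+ pattern = r'Subordinate id with with name .* already exists.'
+ assert re.search(pattern, text) is not None
+ self.close_all_dialogs()
+
+ @screenshot
+ def test_user_subid_add(self):
+ """
+ Test to verify that subid range is created for given user.
+ """
+ self.init_app()
+ self.navigate_to_entity('subid', facet='search')
+ before_count = self.get_rows()
+ self.facet_button_click('add')
+ self.select_combobox('ipaowner', user_data.PKEY2)
+ self.dialog_button_click('add')
+ self.wait(0.3)
+ self.assert_no_error_dialog()
+ after_count = self.get_rows()
+ assert len(before_count) < len(after_count)
+
+ @screenshot
+ def test_subid_del(self):
+ """
+ Test to remove subordinate id for given user.
+ """
+ self.init_app()
+ self.navigate_to_entity('subid', facet='search')
+ user_uid = self.get_record_pkey("some-user", "ipaowner",
+ table_name="ipauniqueid")
+ before_count = self.get_rows()
+ self.delete_record(user_uid, table_name="ipauniqueid")
+ after_count = self.get_rows()
+ assert len(before_count) > len(after_count)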
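Review bot: `test_user_subid_mod_desc` saves a new description but asserts nothing, so it passes even when the save is rejected; at minimum add `self.assert_no_error_dialog()` after `self.facet_button_click('save')`, as the neighbouring tests do. The tests also depend on running in file order: `some-user` is created in `test_user_defaultsubid` and reused by `test_user_subid_mod_desc` and `test_subid_del`, and `test_admin_subid_negative` needs the entry created by `test_admin_subid`. Nothing removes `some-user` or the `user_data.DATA2` user, or restores `ipauserdefaultsubordinateid`, so a class docstring stating the ordering plus a teardown would keep later Web UI tests from inheriting this state.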
|
||
|
diff --git a/ipatests/test_webui/ui_driver.py b/ipatests/test_webui/ui_driver.py
|
||
|
index 46fd512ae..77fd74e49 100644
|
||
|
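--- a/ipatests/test_webui/ui_driver.py
+++ b/ipatests/test_webui/ui_driver.py
@@ -1151,6 +1151,34 @@ class UI_driver:
 return row
 return None
 
+ def get_row_by_column_value(self, key, column_name, parent=None,
+ table_name=None):
+ """
+ Get the first matched row element of a search table with given key
+ matched against selected column. None if not found
+ """
+ rows = self.get_rows(parent, table_name)
+ s = "td div[name='%s']" % column_name
+ for row in rows:
+ has = self.find(s, By.CSS_SELECTOR, row)
+ if has.text == key:
+ return row
+ return None
+
+ def get_record_pkey(self, key, column, parent=None, table_name=None):
+ """
+ Get record pkey if value of column is known
+ """
+ row = self.get_row_by_column_value(key,
+ column_name=column,
+ parent=parent,
+ table_name=table_name)
+ val = None
+ if row:
+ el = self.find("td input", By.CSS_SELECTOR, row)
+ val = el.get_attribute("value")
+ return val
+
 def navigate_to_row_record(self, row, pkey_column=None):
 """
 Navigate to record by clicking on a link.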
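Review bot: In `get_row_by_column_value`, `has.text` is read without checking what `self.find(...)` returned. If `find` yields None for a row that has no matching `div[name=...]` cell (its body is not in this hunk), the lookup raises AttributeError instead of returning None as the docstring promises. `if has is not None and has.text == key:` keeps the documented contract, and the same guard applies to `el.get_attribute("value")` in `get_record_pkey`. Both docstrings would also be clearer if they named the parameters: `key` is the cell text to match and `column_name` is the `name` attribute of the cell's div.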
|
||
|
--
|
||
|
2.34.1
|
||
|
|
||
|
From 419d7fd6e5a9ed2d356ad05eef1043309f5646ef Mon Sep 17 00:00:00 2001
|
||
|
From: Michal Polovka <mpolovka@redhat.com>
|
||
|
Date: Fri, 7 Jan 2022 12:12:26 +0100
|
||
|
Subject: [PATCH] ipatests: webui: Use safe-loader for loading YAML
|
||
|
configuration file
|
||
|
|
||
|
FullLoader class for YAML loader was introduced in version 5.1 which
|
||
|
also deprecated default loader. SafeLoader, however, stays consistent
|
||
|
across the versions and brings added security.
|
||
|
|
||
|
This fix is necessary as PyYAML > 5.1 is not available in downstream.
|
||
|
|
||
|
Related: https://pagure.io/freeipa/issue/9009
|
||
|
|
||
|
Signed-off-by: Michal Polovka <mpolovka@redhat.com>
|
||
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||
|
---
|
||
|
ipatests/test_webui/ui_driver.py | 2 +-
|
||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/ipatests/test_webui/ui_driver.py b/ipatests/test_webui/ui_driver.py
|
||
|
index 77fd74e49..519efee9b 100644
|
||
|
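--- a/ipatests/test_webui/ui_driver.py
+++ b/ipatests/test_webui/ui_driver.py
@@ -192,7 +192,7 @@ class UI_driver:
 if not NO_YAML and os.path.isfile(path):
 try:
 with open(path, 'r') as conf:
- cls.config = yaml.load(stream=conf, Loader=yaml.FullLoader)
+ cls.config = yaml.safe_load(stream=conf)
 except yaml.YAMLError as e:
 pytest.skip("Invalid Web UI config.\n%s" % e)
 except IOError as e: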
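Review bot: A short comment above `yaml.safe_load(stream=conf)` would keep this from being reverted to `yaml.load` on a later PyYAML upgrade, e.g. `# safe_load: the config is plain data; never construct Python objects from it`. `safe_load` returns None for an empty file, so `cls.config` can end up None; whether the code after this `try` copes with that is outside the hunk.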
|
||
|
--
|
||
|
2.34.1
|
||
|
|
||
|
From 5444da016edc416c0c9481c660c013053dbb93b5 Mon Sep 17 00:00:00 2001
|
||
|
From: Mohammad Rizwan <myusuf@redhat.com>
|
||
|
Date: Thu, 18 Nov 2021 18:43:22 +0530
|
||
|
Subject: [PATCH] PEP8 Fixes
|
||
|
|
||
|
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
|
||
|
---
|
||
|
.../test_integration/test_replica_promotion.py | 14 +++++++-------
|
||
|
1 file changed, 7 insertions(+), 7 deletions(-)
|
||
|
|
||
|
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
|
||
|
index 1a4e9bc12..c328b1a08 100644
|
||
|
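--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -138,7 +138,6 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):
 assert res.returncode == 1
 assert expected_err in res.stderr_text
 
-
 @replicas_cleanup
 def test_one_command_installation(self):
 """
@@ -150,11 +149,11 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):
 Firewall(self.replicas[0]).enable_services(["freeipa-ldap",
 "freeipa-ldaps"])
 self.replicas[0].run_command(['ipa-replica-install', '-w',
- self.master.config.admin_password,
- '-n', self.master.domain.name,
- '-r', self.master.domain.realm,
- '--server', self.master.hostname,
- '-U'])
+ self.master.config.admin_password,
+ '-n', self.master.domain.name,
+ '-r', self.master.domain.realm,
+ '--server', self.master.hostname,
+ '-U'])
 # Ensure that pkinit is properly configured, test for 7566
 result = self.replicas[0].run_command(['ipa-pkinit-manage', 'status'])
 assert "PKINIT is enabled" in result.stdout_text
@@ -321,7 +320,7 @@ class TestWrongClientDomain(IntegrationTest):
 result1 = client.run_command(['ipa-replica-install', '-U', '-w',
 self.master.config.dirman_password],
 raiseonerr=False)
- assert(result1.returncode == 0), (
+ assert (result1.returncode == 0), (
 'Failed to promote the client installed with the upcase domain name')
 
 def test_client_rollback(self):
@@ -355,6 +354,7 @@ class TestWrongClientDomain(IntegrationTest):
 assert("An error occurred while removing SSSD" not in
 result.stdout_text)
 
+
 class TestRenewalMaster(IntegrationTest):
 
 topology = 'star'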
|
||
|
--
|
||
|
2.34.1
|
||
|
|
||
|
From 1d19b860d4cd3bd65a4b143b588425d9a64237fd Mon Sep 17 00:00:00 2001
|
||
|
From: Mohammad Rizwan <myusuf@redhat.com>
|
||
|
Date: Thu, 18 Nov 2021 18:36:58 +0530
|
||
|
Subject: [PATCH] Test cases for ipa-replica-conncheck command
|
||
|
|
||
|
Following test cases would be checked:
|
||
|
- when called with --principal (it should then prompt for a password)
|
||
|
- when called with --principal / --password
|
||
|
- when called without principal and password but with a kerberos TGT,
|
||
|
kinit admin done before calling ipa-replica-conncheck
|
||
|
- when called without principal and password, and without any kerberos
|
||
|
TGT (it should default to principal=admin and prompt for a password)
|
||
|
|
||
|
related: https://pagure.io/freeipa/issue/9047
|
||
|
|
||
|
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
|
||
|
---
|
||
|
.../test_replica_promotion.py | 70 +++++++++++++++++++
|
||
|
1 file changed, 70 insertions(+)
|
||
|
|
||
|
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
|
||
|
index b9c56f775..1a4e9bc12 100644
|
||
|
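--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -437,6 +437,76 @@ class TestRenewalMaster(IntegrationTest):
 self.assertCARenewalMaster(master, replica.hostname)
 self.assertCARenewalMaster(replica, replica.hostname)
 
+ def test_replica_concheck(self):
+ """Test cases for ipa-replica-conncheck command
+
+ Following test cases would be checked:
+ - when called with --principal (it should then prompt for a password)
+ - when called with --principal / --password
+ - when called without principal and password but with a kerberos TGT,
+ kinit admin done before calling ipa-replica-conncheck
+ - when called without principal and password, and without any kerberos
+ TGT (it should default to principal=admin and prompt for a password)
+
+ related: https://pagure.io/freeipa/issue/9047
+ """
+ exp_str1 = "Connection from replica to master is OK."
+ exp_str2 = "Connection from master to replica is OK"
+ tasks.kdestroy_all(self.replicas[0])
+ # when called with --principal (it should then prompt for a password)
+ result = self.replicas[0].run_command(
+ ['ipa-replica-conncheck', '--auto-master-check',
+ '--master', self.master.hostname,
+ '-r', self.replicas[0].domain.realm,
+ '-p', self.replicas[0].config.admin_name],
+ stdin_text=self.master.config.admin_password
+ )
+ assert result.returncode == 0
+ assert (
+ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text
+ )
+
+ # when called with --principal / --password
+ result = self.replicas[0].run_command([
+ 'ipa-replica-conncheck', '--auto-master-check',
+ '--master', self.master.hostname,
+ '-r', self.replicas[0].domain.realm,
+ '-p', self.replicas[0].config.admin_name,
+ '-w', self.master.config.admin_password
+ ])
+ assert result.returncode == 0
+ assert (
+ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text
+ )
+
+ # when called without principal and password, and without
+ # any kerberos TGT, it should default to principal=admin
+ # and prompt for a password
+ result = self.replicas[0].run_command(
+ ['ipa-replica-conncheck', '--auto-master-check',
+ '--master', self.master.hostname,
+ '-r', self.replicas[0].domain.realm],
+ stdin_text=self.master.config.admin_password
+ )
+ assert result.returncode == 0
+ assert (
+ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text
+ )
+
+ # when called without principal and password but with a kerberos TGT,
+ # kinit admin done before calling ipa-replica-conncheck
+ tasks.kinit_admin(self.replicas[0])
+ result = self.replicas[0].run_command(
+ ['ipa-replica-conncheck', '--auto-master-check',
+ '--master', self.master.hostname,
+ '-r', self.replicas[0].domain.realm]
+ )
+ assert result.returncode == 0
+ assert (
+ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text
+ )
+ tasks.kdestroy_all(self.replicas[0])
+
 def test_automatic_renewal_master_transfer_ondelete(self):
 # Test that after replica uninstallation, master overtakes the cert
 # renewal master role from replica (which was previously set there)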
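Review bot: The `--principal / --password` case in `test_replica_concheck` passes `self.master.config.admin_password` as an argv element (`'-w', ...`), so the password is visible in the replica's process list and in any command line the test harness logs. The option itself is under test, so this cannot be avoided here, but a comment such as `# -w is exercised on purpose; the admin password appears in argv` would mark it as deliberate. The final `tasks.kdestroy_all(self.replicas[0])` is skipped when an earlier assertion fails, which leaves the admin TGT cached on the replica for later tests; a `try`/`finally` around the last case would prevent that. The method name also drops an `n` from conncheck, and the four cases repeat the same two assertions, which a small helper would shorten.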
|
||
|
--
|
||
|
2.34.1
|
||
|
|