From d5cca835d5439331c05475d0ad2f993ac6f8b615 Mon Sep 17 00:00:00 2001
From: Sudhir Menon
Date: Wed, 11 Nov 2020 14:55:32 +0530
Subject: [PATCH] ipatests: support subordinate upn suffixes

This test adds new UPN Suffix on the AD side within the ad.test subtree i.e new.ad.test and this UPN is then assigned to aduser and then try to kinit using aduser along with the UPN set, to ensure that the kinit succeeds

Signed-off-by: Sudhir Menon
Reviewed-By: Alexander Bokovoy
---
 ipatests/test_integration/test_trust.py | 45 +++++++++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index 7e4dbcc6e..31349ced7 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -245,6 +245,51 @@ class TestTrust(BaseTestTrust):
 self.master.run_command(['kinit', '-C', '-E', self.upn_principal],
 stdin_text=self.upn_password)
 
+ def test_subordinate_suffix(self):
+ """Test subordinate UPN Suffixes"""
+ tasks.configure_dns_for_trust(self.master, self.ad)
+ tasks.establish_trust_with_ad(
+ self.master, self.ad_domain,
+ extra_args=['--range-type', 'ipa-ad-trust'])
+ # Clear all UPN Suffixes
+ ps_cmd = "Get-ADForest | Set-ADForest -UPNSuffixes $null"
+ self.ad.run_command(["powershell", "-c", ps_cmd])
+ result = self.master.run_command(["ipa", "trust-show", self.ad_domain])
+ assert (
+ "ipantadditionalsuffixes: {}".format(self.upn_suffix)
+ not in result.stdout_text
+ )
+ # Run Get-ADForest
+ ps_cmd1 = "Get-ADForest"
+ self.ad.run_command(["powershell", "-c", ps_cmd1])
+ # Add new UPN for AD
+ ps_cmd2 = (
+ 'Get-ADForest | Set-ADForest -UPNSuffixes '
+ '@{add="new.ad.test", "upn.dom"}'
+ )
+ self.ad.run_command(["powershell", "-c", ps_cmd2])
+ self.ad.run_command(["powershell", "-c", ps_cmd1])
+ self.master.run_command(
+ ["ipa", "trust-fetch-domains", self.ad_domain],
+ raiseonerr=False)
+ self.master.run_command(["ipa", "trust-show", self.ad_domain])
+ # Set UPN for the aduser
+ ps_cmd3 = (
+ 'set-aduser -UserPrincipalName '
+ 'Administrator@new.ad.test -Identity Administrator'
+ )
+ self.ad.run_command(["powershell", "-c", ps_cmd3])
+ # kinit to IPA using AD user Administrator@new.ad.test
+ result = self.master.run_command(
+ ["getent", "passwd", "Administrator@new.ad.test"]
+ )
+ assert result.returncode == 0
+ self.master.run_command(
+ ["kinit", "-E", "Administrator@new.ad.test"],
+ stdin_text="Secret123",
+ )
+ tasks.kdestroy_all(self.master)
+
 def test_remove_nonposix_trust(self):
 self.remove_trust(self.ad)
 tasks.unconfigure_dns_for_trust(self.master, self.ad)
-- 
2.29.2
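Review bot: `test_subordinate_suffix` leaves the AD fixture modified: it clears the forest's UPN suffixes with `Set-ADForest -UPNSuffixes $null` and rewrites the UPN of the built-in `Administrator` account, and nothing in the hunk restores either, so a failure midway, or any later test that reuses this AD, inherits the changed directory. Running the steps after the first `Set-ADForest` call inside `try`/`finally` and restoring the original suffixes and UPN in the `finally` would keep the fixture stable. The password is also a literal, `stdin_text="Secret123"`, whereas the context line just above passes `stdin_text=self.upn_password`; taking it from the test configuration, e.g. `stdin_text=self.master.config.ad_admin_password`, avoids a hard-coded credential that breaks on an AD provisioned differently. Separately, `trust-fetch-domains` runs with `raiseonerr=False` and the `trust-show` after it discards its output, so the only evidence that the suffix reached IPA is the later `kinit`; either assert on that output or drop the call.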