ipa/0007-ipatests-add-Random-Password-based-replica-promotion.patch

From a55f9185c96457bdffe9099ddde39ec696f1f998 Mon Sep 17 00:00:00 2001
From: Anuja More <amore@redhat.com>
Date: Tue, 6 Jan 2026 18:30:06 +0530
Subject: [PATCH] ipatests: add Random Password based replica promotion
coverage
Added missing test coverage for:
- Installing an IPA replica server using a random password.
- Installing an IPA replica server by promoting a client that was installed using a random password.
- Automated with Cursor+Claude
Fixes: https://pagure.io/freeipa/issue/9922
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: David Hanina <dhanina@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: David Hanina <dhanina@redhat.com>
---
.../nightly_ipa-4-13_latest.yaml | 12 +++
.../nightly_ipa-4-13_latest_selinux.yaml | 13 +++
ipatests/pytest_ipa/integration/tasks.py | 15 ++++
.../test_replica_promotion.py | 87 +++++++++++++++++++
4 files changed, 127 insertions(+)
diff --git a/ipatests/prci_definitions/nightly_ipa-4-13_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-13_latest.yaml
index aff55727e463207fb235ff340989491e62162149..c61701ef5f88760f1d6fc36d4acce453a22b6f8f 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-13_latest.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-13_latest.yaml
@@ -1000,6 +1000,18 @@ jobs:
timeout: 7200
topology: *ad_master_1repl_1client
+ fedora-latest-ipa-4-13/test_replica_promotion_TestReplicaPromotionRandomPassword:
+ requires: [fedora-latest-ipa-4-13/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-latest-ipa-4-13/build_url}'
+ test_suite: test_integration/test_replica_promotion.py::TestReplicaPromotionRandomPassword
+ template: *ci-ipa-4-13-latest
+ timeout: 7200
+ topology: *master_1repl
+
fedora-latest-ipa-4-13/test_upgrade:
requires: [fedora-latest-ipa-4-13/build]
priority: 50
diff --git a/ipatests/prci_definitions/nightly_ipa-4-13_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-13_latest_selinux.yaml
index e6c57ea060b3bb8bfdf8b6f981f8fd28e4a7d320..9b96f3e857e2125478b45632d8d58e42b6e92668 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-13_latest_selinux.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-13_latest_selinux.yaml
@@ -1078,6 +1078,19 @@ jobs:
timeout: 7200
topology: *ad_master_1repl_1client
+ fedora-latest-ipa-4-13/test_replica_promotion_TestReplicaPromotionRandomPassword:
+ requires: [fedora-latest-ipa-4-13/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-latest-ipa-4-13/build_url}'
+ selinux_enforcing: True
+ test_suite: test_integration/test_replica_promotion.py::TestReplicaPromotionRandomPassword
+ template: *ci-ipa-4-13-latest
+ timeout: 7200
+ topology: *master_1repl
+
fedora-latest-ipa-4-13/test_upgrade:
requires: [fedora-latest-ipa-4-13/build]
priority: 50
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 32ac5cbc2c6fe87850dfb15c1d5beae6fa648dfb..ff2ea9792d04ebd2e6bd7bb3b51d97f35cb3fbfb 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -3340,3 +3340,18 @@ def service_control_dirsrv(host, function='restart'):
instance = realm_to_serverid(host.domain.realm)
cmd = host.run_command(['systemctl', function, f"dirsrv@{instance}"])
assert cmd.returncode == 0
+
+
+def host_add_with_random_password(host, new_host):
+ """
+ Add a new host with a random password and return the generated password.
+ """
+ kinit_admin(host)
+ cmd = host.run_command(
+ ['ipa', 'host-add', new_host.hostname, '--random']
+ )
+ result = re.search("Random password: (?P<password>.*$)",
+ cmd.stdout_text,
+ re.MULTILINE)
+ randpasswd1 = result.group('password')
+ return randpasswd1
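Review bot: In `host_add_with_random_password`, `result.group('password')` runs without checking that `re.search` matched, so a `host-add` output with no "Random password:" line surfaces as an AttributeError on None instead of a failure that names the cause. Adding `assert result is not None, "host-add --random printed no password"` before the `group` call would match the assert style of `service_control_dirsrv` just above. The pattern `.*$` also keeps any trailing whitespace on that line, so returning `result.group('password').strip()` is safer for a value that callers pass on as an enrollment credential. The docstring could also note that the password is single-use and is present in the captured command output, so callers know to treat that output as sensitive.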
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 76d6aa24e2ab3d88b7013e0d107d0e27ae7f3426..f8c8414eefbc015cfc0947de575ea349a65a5e73 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -1368,3 +1368,90 @@ class TestReplicaConn(IntegrationTest):
logs = self.replica.get_file_contents(paths.IPAREPLICA_CONNCHECK_LOG)
error = "not allowed to perform server connection check"
assert error.encode() not in logs
+
+
+class TestReplicaPromotionRandomPassword(IntegrationTest):
+ """
+ Test installation of a replica using Random Password
+ (one step install and two-steps installation
+ with client and promotion).
+ """
+ num_replicas = 1
+
+ @classmethod
+ def install(cls, mh):
+ tasks.install_master(cls.master, setup_dns=True)
+ cls.replicas[0].resolver.backup()
+ nameservers = cls.master.ip
+ cls.replicas[0].resolver.setup_resolver(
+ nameservers, cls.master.domain.name
+ )
+
+ @replicas_cleanup
+ def test_replica_random_password_install(self):
+ """
+ Installing IPA replica server using Random Password.
+
+ Steps:
+ 1. Ensure replica host/server entries are clean and add DNS A record.
+ 2. Add the replica host with a random password and add it to
+ the ipaservers hostgroup.
+ 3. Install the replica using random password.
+ """
+ replica = self.replicas[0]
+ tasks.kinit_admin(self.master)
+ tasks.add_a_record(self.master, replica)
+ randpasswd = tasks.host_add_with_random_password(self.master,
+ replica)
+ self.master.run_command([
+ 'ipa', 'hostgroup-add-member', '--hosts',
+ replica.hostname, 'ipaservers'
+ ])
+ replica.run_command(
+ ['ipa-replica-install', '-p', randpasswd, '-U']
+ )
+
+ @replicas_cleanup
+ def test_replica_two_step_install(self):
+ """
+ Installing IPA replica server using Random Password installed client
+
+ Steps:
+ 1. Ensure replica host/server entries are clean and add DNS A record.
+ 2. Add the replica host with a random password and add it to
+ the ipaservers hostgroup.
+ 3. Install the IPA client using the Random Password.
+ 4. Promote the client to a replica.
+ 5. Install CA on the replica and verify the server role.
+ """
+ replica = self.replicas[0]
+ replica.resolver.backup()
+ tasks.kinit_admin(self.master)
+ tasks.add_a_record(self.master, replica)
+ randpasswd = tasks.host_add_with_random_password(self.master,
+ replica)
+ self.master.run_command([
+ 'ipa', 'hostgroup-add-member', '--hosts',
+ replica.hostname, 'ipaservers'
+ ])
+ replica.resolver.setup_resolver(
+ self.master.ip, self.master.domain.name
+ )
+ replica.run_command(
+ ['ipa-client-install', '-w', randpasswd, '-U']
+ )
+ Firewall(replica).enable_services(["freeipa-ldap",
+ "freeipa-ldaps"])
+ replica.run_command(['ipa-replica-install', '-U'])
+ tasks.kinit_admin(replica)
+ replica.run_command([
+ 'ipa-ca-install', '-p',
+ self.master.config.admin_password,
+ '-w', self.master.config.admin_password
+ ])
+ result = self.replicas[0].run_command([
+ 'ipa', 'server-role-find',
+ '--server', self.replicas[0].hostname,
+ '--role', 'CA server'
+ ])
+ assert 'Role status: enabled' in result.stdout_text
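Review bot: `test_replica_random_password_install` ends at the `ipa-replica-install` call and asserts nothing about the resulting state, so it only shows that the command exited successfully (assuming `run_command` raises on a non-zero exit, which is not visible here). For a test about one-time-password enrollment it is worth confirming that the password was consumed and replaced by a keytab, for example `result = self.master.run_command(['ipa', 'host-show', replica.hostname])` followed by `assert 'Keytab: True' in result.stdout_text`. The same check fits after `ipa-client-install` in `test_replica_two_step_install`. In that second test the final `server-role-find` call uses `self.replicas[0]` where the local `replica` is already bound. It also calls `replica.resolver.backup()` again after the backup taken in `install`; whether a second backup is safe depends on the resolver helper, which is outside this hunk.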
--
2.52.0