[Freeipa-devel] ipalib as RPC client in Web UI CI tests, forms-based auth in ipalib
Petr Vobornik
pvoborni at redhat.com
Thu Jan 8 14:39:28 UTC 2015
Hello,
tl;dr; I want to add forms based auth in ipalib's rpc client and use
method 2.e) for API configuration. Will be used in otp tests (ipa-4-1
upstream). Want to know if you are OK with it. PoC implementation attached.
== Background ==
I want to call FreeIPA API from our Web UI CI tests.
Uses case are:
* speed up data preparation (the biggest time consumer in Web UI tests)
* prepare data or do stuff which could not be done in Web UI (little bit
part of https://fedorahosted.org/freeipa/ticket/4772)
For this task I want to reuse ipalib's rpcclient to avoid yet another
RPC client implementation.
Plan is to use it in OTP web ui tests.
== ipalib limitations ==
Please note that web ui tests could be run as a normal user on a machine
which is not a FreeIPA client, i.e. on developers machine with local
browser to observe the progress.
=== 1 Forms based authentication ===
ipalib doesn't support forms-based auth and kerberos might not be
available. I have investigated the option to add forms auth and managed
to write a PoC patch(attached) which enables it. Question is whether we
want to allow it in ipalib even for non-test uses cases. I think it
could be beneficial for some users.
=== 2 API/environment finalization in ipalib/__init__.py for tests ===
Tests which are run by make-test are initialized with
os.environ['IPA_UNIT_TEST_MODE'] = 'cli_test'
in such case, ipalib automatically finalizes API. Unfortunately the
default configuration is unusable if run on a machine without IPA
configuration files (~/.ipa/default.conf, /etc/ipa/default.conf, ...).
We can't even supply the values afterwards because api.env is 'set-once'
object.
There are several approaches which could be taken:
Proper fixes:
a) Finish the idea, mentioned in Registry, of storing plugin
registrations to allow multiple API creation with all plugins and
therefore custom instances of API. Would be probably quite a lot of work
because of wide use of global api object. I.e., various test can use
their own instance of api.
b) Remove the API initialization in ipalib/__init__.py. Initialize API
only in tests which use it. Without a) It might suffer from the same
issue as d)
c) Remove 'set-once' constraint from Env object to allow config change
after API initialization
Workarounds:
d) Change the os.env variable to a different than 'cli_test' value
before api import in uidriver.py to prevent the automatic
initialization. Init api in Web UI tests. Might cause issues if other
tests were run and initialized api before Web ui tests.
e) override values in Env object by a hack:
object.__setattr__(api.env, key, val)
api.env._Env__d[key] = val
Advantage is that it's self-contained in Web UI tests. Must be changed
back at the end of test not to interfere with other tests.
f) require IPA configuration file even on non-ipa client machines. Easy,
but not very pleasant for user - all required configuration values are
already present in webui test config file or in env variables ->
multiple files has to be changed when switching between testing
instances(frequent use case).
g) other
From longer perspective I would like to see a) and b), maybe c). But I
would like to use this feature in otptests which should land in 4.1 ->
a) is not an option because of its complexity. Therefore, atm, I would
like to go with e) or c)
Thanks
--
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wip-freeipa-pvoborni-0739-webui-tests-support-direct-IPA-API-calls.patch
Type: text/x-patch
Size: 5523 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150108/30e2da83/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wip-freeipa-pvoborni-0738-rpc-client-add-forms-based-auth-support.patch
Type: text/x-patch
Size: 17972 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150108/30e2da83/attachment-0001.bin>
More information about the Freeipa-devel
mailing list