[Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

Milan Kubík mkubik at redhat.com
Wed Nov 9 15:43:40 UTC 2016


On 10/25/2016 10:24 AM, Oleg Fayans wrote:
> Integration part of the tests is ready. 2 tests:
>
> 1. Adds a cert to idoverride of a windows user
> 2. sssd part - looks up user by his certificate using dbus-sssd
>
> Second and third dbus call are executed as a string instead of as array 
> of strings because it just does not work otherwise. Some quote 
> escaping gets screwed probably, but the system returns "Error 
> org.freedesktop.DBus.Error.UnknownInterface: Unknown interface" if the 
> command is executed using the standard array-based approach
>
> The run looks like this:
>
> bash-4.3$ ipa-run-tests test_integration/test_idviews.py --pdb
> WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] 
> Permission denied: 'lextab.py'
> WARNING: yacc table file version is out of date
> WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission 
> denied: 'yacctab.py'
> ==================================== test session starts 
> ====================================
> platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
> plugins: sourceorder-0.5, multihost-1.0
> collected 2 items
>
> test_integration/test_idviews.py ..
>
> ================================ 2 passed in 948.44 seconds 
> =================================
>
>
> On 10/21/2016 10:54 AM, Oleg Fayans wrote:
>> Added one more test, resolved the pep8 issues
>>
>> On 10/19/2016 12:32 PM, Oleg Fayans wrote:
>>> Hi Martin,
>>>
>>> As you suggested, I've extended the
>>> test_xmlrpc/test_add_remove_cert_cmd.py to contain basic tests for
>>> certs in idoverrides.
>>> The integration part still needs some polishing in the part related to
>>> user lookup by cert
>>>
>>> On 10/14/2016 03:57 PM, Martin Babinsky wrote:
>>>> On 10/14/2016 03:48 PM, Oleg Fayans wrote:
>>>>> So, did I understand correctly, that there would be 2 patches: one
>>>>> containing test for basic idoverrides functionality without
>>>>> AD-integration, and the second one - with AD-integration and an sssd
>>>>> check, correct?
>>>>> I guess, the
>>>>> freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch
>>>>> might be a good candidate for the first one, I only have to change the
>>>>> filename to test_idviews.py, right?
>>>>>
>>>>
>>>> Oleg, we already have XMLRPC tests for idoverrides:
>>>>
>>>> ipatests/test_xmlrpc/test_idviews_plugin.py
>>>>
>>>> Is there any particular reason why not to extend them with add
>>>> cert/remove cert operations?
>>>>
>>>> Even better, you can extend
>>>> `ipatests/test_xmlrpc/test_add_remove_cert_cmd.py` suite by doing the
>>>> same set of tests on idoverrideuser objects.
>>>>
>>>> Or am I missing something?
>>>>
>>>>> On 09/15/2016 10:32 AM, Martin Basti wrote:
>>>>>>
>>>>>>
>>>>>> On 15.09.2016 10:10, Oleg Fayans wrote:
>>>>>>> Hi Martin,
>>>>>>>
>>>>>>> The file was renamed. Did I understand correctly that for now we are
>>>>>>> leaving the test as is and are planning to extend it later?
>>>>>>
>>>>>> I would like to have there SSSD check involved, please use what Sumit
>>>>>> recommends. No new test cases.
>>>>>>
>>>>>> And this can be done by separate patch, I want to have API/CLI
>>>>>> certificate override tests for non-AD idview (extending current tests I
>>>>>> posted in this thread)
>>>>>>
>>>>>> Martin^2
>>>>>>>
>>>>>>> On 09/15/2016 09:49 AM, Martin Basti wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>> On 14.09.2016 18:53, Sumit Bose wrote:
>>>>>>>>> On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:
>>>>>>>>>>
>>>>>>>>>> On 14.09.2016 17:53, Alexander Bokovoy wrote:
>>>>>>>>>>> On Wed, 14 Sep 2016, Martin Basti wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> On 14.09.2016 17:41, Alexander Bokovoy wrote:
>>>>>>>>>>>>> On Wed, 14 Sep 2016, Martin Basti wrote:
>>>>>>>>>>>>>> 1)
>>>>>>>>>>>>>> I still don't see the reason why AD trust is needed. Default
>>>>>>>>>>>>>> trust ID view is added just by ipa-adtrust-install, adding
>>>>>>>>>>>>>> trust is not needed for current implementation. You don't
>>>>>>>>>>>>>> need AD for this, IDviews is generic feature not just for
>>>>>>>>>>>>>> AD. Is that user configured on AD side?
>>>>>>>>>>>>> You cannot add non-AD user to 'default trust view', so you will
>>>>>>>>>>>>> not be able to set up certificates to ID override which does not
>>>>>>>>>>>>> exist.
>>>>>>>>>>>>>
>>>>>>>>>>>>> For non-'default trust view' you can add both IPA and AD users,
>>>>>>>>>>>>> so using some other view and then assign certificate for a ID
>>>>>>>>>>>>> override in that one.
>>>>>>>>>>>>>
>>>>>>>>>>>> Ok then, but anyway I would like to see API/CLI tests for this
>>>>>>>>>>>> feature with proper output validation.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> How can be this tested with SSSD?
>>>>>>>>>>> You need to log into the system with a certificate...
>>>>>>>>>> Is this possible from test? We are logged remotely as root, is
>>>>>>>>>> there any cmdline util which allows us to test certificate against
>>>>>>>>>> AD user?
>>>>>>>>>
>>>>>>>>> You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should
>>>>>>>>> return the ssh key derived from the public key in the certificate.
>>>>>>>>> This should work for certificate stored in AD as well as for
>>>>>>>>> overrides.
>>>>>>>>>
>>>>>>>>> You can also use the DBus lookup by certificate as described in
>>>>>>>>> https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate .
>>>>>>>>>
>>>>>>>>> HTH
>>>>>>>>>
>>>>>>>>> bye,
>>>>>>>>> Sumit
>>>>>>>>
>>>>>>>> Thank you Alexander and Sumit for hints.
>>>>>>>>
>>>>>>>> Oleg I realized we don't have any other idviews integration tests
>>>>>>>>
>>>>>>>> So I propose to rename test file you are adding to test_idviews.py. We
>>>>>>>> can add more testcases for idviews there later
>>>>>>>>
>>>>>>>> Martin^2
>>>>>>>>>> Martin^2
>>>>>>>>>>

Putting `config.ad_domains[0].ads[0]` to a class variable prevents other 
classes from running without enough resources for the 
TestCertsInIDOverrides class. Please do this kind of thing in the 
__init__ method.

As for the actual test run, me or Lenka will check that tomorrow.

-- 
Milan Kubik
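
The review comment above concerns when `config.ad_domains[0].ads[0]` is evaluated. The following is an added example, not code from the patch or from ipatests: `Config`, `Domain`, `MissingResource`, `setup_resources` and `collect` are hypothetical stand-ins, and a setup classmethod is assumed as the deferred hook. It shows that a lookup in the class body fails when the class is defined, while a deferred lookup fails only for the class that needs the AD host.

```python
# Constructed stand-ins for the multihost test configuration (hypothetical names).
class Domain:
    def __init__(self, ads):
        self.ads = ads

class Config:
    def __init__(self, ad_domains):
        self.ad_domains = ad_domains

class MissingResource(Exception):
    """Raised by one test class only, so a runner can skip just that class."""

def define_eager(config):
    # A class body executes when the class statement runs, i.e. at module
    # import / test collection, before any test has been selected.
    class TestEager:
        ad = config.ad_domains[0].ads[0]
    return TestEager

def define_lazy(config):
    class TestLazy:
        ad = None

        @classmethod
        def setup_resources(cls):
            # Lookup deferred until this class is about to run.
            if not config.ad_domains or not config.ad_domains[0].ads:
                raise MissingResource("no AD host in test configuration")
            cls.ad = config.ad_domains[0].ads[0]
    return TestLazy

def collect(config):
    """Report which class definitions survive being defined with this config."""
    results = {}
    for name, factory in (("eager", define_eager), ("lazy", define_lazy)):
        try:
            factory(config)
            results[name] = "collected"
        except IndexError:
            results[name] = "collection error"
    return results

if __name__ == "__main__":
    print(collect(Config([])))                              # no AD configured
    print(collect(Config([Domain(["ad1.example.test"])])))  # constructed host name
```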
