[Freeipa-devel] [PATCH 0128] ipatests: Add integration tests for legacy clients

Tomas Babej tbabej at redhat.com
Fri Nov 1 12:47:33 UTC 2013 

On 11/01/2013 12:35 PM, Alexander Bokovoy wrote:
> On Fri, 01 Nov 2013, Tomas Babej wrote:
>
>> Hi,
>>
>> This implements the test cases for legacy clients using SSSD, 
>> nss-ldap and nss-pam-ldapd.
>>
>> Part of: https://fedorahosted.org/freeipa/ticket/3833
>>
>> -- 
>> Tomas Babej
>> Associate Software Engeneer | Red Hat | Identity Management
>> RHCE | Brno Site | IRC: tbabej | freeipa.org
>>
>>
>
>> From c68d67d6502c576d23e50838be54c0fe7c343c95 Mon Sep 17 00:00:00 2001
>> From: Tomas Babej <tbabej at redhat.com>
>> Date: Wed, 30 Oct 2013 16:52:25 +0100
>> Subject: [PATCH] ipatests: Add integration tests for legacy clients
>>
>> Part of: https://fedorahosted.org/freeipa/ticket/3833
>> ---
>> ipatests/test_integration/test_legacy_clients.py | 271 
>> +++++++++++++++++++++++
>> 1 file changed, 271 insertions(+)
>> create mode 100644 ipatests/test_integration/test_legacy_clients.py
>>
>> diff --git a/ipatests/test_integration/test_legacy_clients.py 
>> b/ipatests/test_integration/test_legacy_clients.py
>> new file mode 100644
>> index 
>> 0000000000000000000000000000000000000000..d0b1fd20a4ef21811e418e88bb7d45194fd230d1
>> --- /dev/null
>> +++ b/ipatests/test_integration/test_legacy_clients.py
>> @@ -0,0 +1,271 @@
>> +# Authors:
>> +#   Tomas Babej <tbabej at redhat.com>
>> +#
>> +# Copyright (C) 2013  Red Hat
>> +# see file 'COPYING' for use and warranty information
>> +#
>> +# This program is free software; you can redistribute it and/or modify
>> +# it under the terms of the GNU General Public License as published by
>> +# the Free Software Foundation, either version 3 of the License, or
>> +# (at your option) any later version.
>> +#
>> +# This program is distributed in the hope that it will be useful,
>> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
>> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
>> +# GNU General Public License for more details.
>> +#
>> +# You should have received a copy of the GNU General Public License
>> +# along with this program.  If not, see <http://www.gnu.org/licenses/>.
>> +
>> +import re
>> +
>> +import nose
>> +
>> +from ipatests.test_integration import tasks
>> +
>> +# the 'as' part is a workaround around Nose agressive execution of 
>> Test classes
>> +from ipatests.test_integration import test_trust as trust_tests
>
> Can you explain what does this 'agressive execution' mean?
>
>

This was done to make Nose not execute the imported test class (since it 
starts with Test prefix).
It was necessary to import whole module under a different name.

>> +class BaseTestLegacyClient(trust_tests.TestEnforcedPosixADTrust):
>> +    """
>> +    Tests legacy client support.
>> +    """
>> +
>> +    advice_id = None
>> +    legacy_client_role = None
>> +    backup_files = ['/etc/sysconfig/authconfig',
>> +                    '/etc/pam.d',
>> +                    '/etc/openldap/cacerts',
>> +                    '/etc/openldap/ldap.conf',
>> +                    '/etc/nsswitch.conf',
>> +                    '/etc/sssd/sssd.conf']
>> +
>> +    @classmethod
>> +    def setup_class(cls):
>> +        super(BaseTestLegacyClient, cls).setup_class()
>> +        cls.ad = cls.ad_domains[0].ads[0]
>> +
>> +        cls.legacy_client = cls.host_by_role(cls.legacy_client_role)
>> +        cls.prepare_host(cls.legacy_client)
>> +        tasks.apply_common_fixes(cls.legacy_client)
>> +
>> +        for f in cls.backup_files:
>> +            tasks.backup_file(cls.legacy_client, f)
>> +
>> +    def test_remove_trust_with_posix_attributes(self):
>> +        pass
>> +
>> +    def test_apply_advice(self):
>> +        # Obtain the advice from the server
>> +        tasks.kinit_admin(self.master)
>> +        result = self.master.run_command(['ipa-advise', 
>> self.advice_id])
>> +        advice = result.stdout_text
>> +
>> +        # Apply the advice on the legacy client
>> +        self.legacy_client.put_file_contents('/root/advice.sh', advice)
>> +        result = self.legacy_client.run_command(['bash', '-x', '-e',
>> + '/root/advice.sh'])
>> +
>> +        assert result.returncode == 0
>> +
>> +        # Restart SSHD to load new PAM configuration
>> +        self.legacy_client.run_command(['/sbin/service', 'sshd', 
>> 'restart'])
> At least for openssh you don't need to restart sshd when changing PAM
> configuration. Due to privilege separation all authentication always
> happens in a new process and PAM stack initialized there.
>

Even so, this shouldn't hurt. Since we're working with legacy clients / 
different platforms / old package versions,
I'd rather make as few assumptions as possible.

-- 
Tomas Babej
Associate Software Engeneer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org

More information about the Freeipa-devel mailing list