[Freeipa-devel] [PATCH 0128] ipatests: Add integration tests for legacy clients
Tomas Babej
tbabej at redhat.com
Fri Nov 1 12:47:33 UTC 2013
On 11/01/2013 12:35 PM, Alexander Bokovoy wrote:
> On Fri, 01 Nov 2013, Tomas Babej wrote:
>
>> Hi,
>>
>> This implements the test cases for legacy clients using SSSD,
>> nss-ldap and nss-pam-ldapd.
>>
>> Part of: https://fedorahosted.org/freeipa/ticket/3833
>>
>> --
>> Tomas Babej
>> Associate Software Engeneer | Red Hat | Identity Management
>> RHCE | Brno Site | IRC: tbabej | freeipa.org
>>
>>
>
>> From c68d67d6502c576d23e50838be54c0fe7c343c95 Mon Sep 17 00:00:00 2001
>> From: Tomas Babej <tbabej at redhat.com>
>> Date: Wed, 30 Oct 2013 16:52:25 +0100
>> Subject: [PATCH] ipatests: Add integration tests for legacy clients
>>
>> Part of: https://fedorahosted.org/freeipa/ticket/3833
>> ---
>> ipatests/test_integration/test_legacy_clients.py | 271
>> +++++++++++++++++++++++
>> 1 file changed, 271 insertions(+)
>> create mode 100644 ipatests/test_integration/test_legacy_clients.py
>>
>> diff --git a/ipatests/test_integration/test_legacy_clients.py
>> b/ipatests/test_integration/test_legacy_clients.py
>> new file mode 100644
>> index
>> 0000000000000000000000000000000000000000..d0b1fd20a4ef21811e418e88bb7d45194fd230d1
>> --- /dev/null
>> +++ b/ipatests/test_integration/test_legacy_clients.py
>> @@ -0,0 +1,271 @@
>> +# Authors:
>> +# Tomas Babej <tbabej at redhat.com>
>> +#
>> +# Copyright (C) 2013 Red Hat
>> +# see file 'COPYING' for use and warranty information
>> +#
>> +# This program is free software; you can redistribute it and/or modify
>> +# it under the terms of the GNU General Public License as published by
>> +# the Free Software Foundation, either version 3 of the License, or
>> +# (at your option) any later version.
>> +#
>> +# This program is distributed in the hope that it will be useful,
>> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
>> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
>> +# GNU General Public License for more details.
>> +#
>> +# You should have received a copy of the GNU General Public License
>> +# along with this program. If not, see <http://www.gnu.org/licenses/>.
>> +
>> +import re
>> +
>> +import nose
>> +
>> +from ipatests.test_integration import tasks
>> +
>> +# the 'as' part is a workaround around Nose agressive execution of
>> Test classes
>> +from ipatests.test_integration import test_trust as trust_tests
>
> Can you explain what does this 'agressive execution' mean?
>
>
This was done to make Nose not execute the imported test class (since it
starts with Test prefix).
It was necessary to import whole module under a different name.
>> +class BaseTestLegacyClient(trust_tests.TestEnforcedPosixADTrust):
>> + """
>> + Tests legacy client support.
>> + """
>> +
>> + advice_id = None
>> + legacy_client_role = None
>> + backup_files = ['/etc/sysconfig/authconfig',
>> + '/etc/pam.d',
>> + '/etc/openldap/cacerts',
>> + '/etc/openldap/ldap.conf',
>> + '/etc/nsswitch.conf',
>> + '/etc/sssd/sssd.conf']
>> +
>> + @classmethod
>> + def setup_class(cls):
>> + super(BaseTestLegacyClient, cls).setup_class()
>> + cls.ad = cls.ad_domains[0].ads[0]
>> +
>> + cls.legacy_client = cls.host_by_role(cls.legacy_client_role)
>> + cls.prepare_host(cls.legacy_client)
>> + tasks.apply_common_fixes(cls.legacy_client)
>> +
>> + for f in cls.backup_files:
>> + tasks.backup_file(cls.legacy_client, f)
>> +
>> + def test_remove_trust_with_posix_attributes(self):
>> + pass
>> +
>> + def test_apply_advice(self):
>> + # Obtain the advice from the server
>> + tasks.kinit_admin(self.master)
>> + result = self.master.run_command(['ipa-advise',
>> self.advice_id])
>> + advice = result.stdout_text
>> +
>> + # Apply the advice on the legacy client
>> + self.legacy_client.put_file_contents('/root/advice.sh', advice)
>> + result = self.legacy_client.run_command(['bash', '-x', '-e',
>> + '/root/advice.sh'])
>> +
>> + assert result.returncode == 0
>> +
>> + # Restart SSHD to load new PAM configuration
>> + self.legacy_client.run_command(['/sbin/service', 'sshd',
>> 'restart'])
> At least for openssh you don't need to restart sshd when changing PAM
> configuration. Due to privilege separation all authentication always
> happens in a new process and PAM stack initialized there.
>
Even so, this shouldn't hurt. Since we're working with legacy clients /
different platforms / old package versions,
I'd rather make as few assumptions as possible.
--
Tomas Babej
Associate Software Engeneer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org
More information about the Freeipa-devel
mailing list