[Freeipa-devel] INFO: CA ACL test and kerberos usage in functional tests

Milan Kubík mkubik at redhat.com
Thu Sep 10 16:13:09 UTC 2015


Hi list,

Before my PTO, I was trying to write a functional test for CA ACLs with 
the tracker along with all other acceptance/functional tests.

I wasn't successful; the approach doesn't seem to work for CA ACLs as 
they have specific requirements for Kerberos credentials
that none of my attempts were able to meet. I have tried several 
approaches and the memo I got out of this is that currently, there
seems to be no way to conveniently run a test that changes the user 
identity during the functional test (xmlrpc tests).

I haven't had much time to write an integration test that should solve 
these problems with changing identity.

The approaches I have tried include, in no particular order:

* switch the default ccache to the identity desired, before calls made 
on an API object
     - in case of FILE ccache, moving it back and forth
     - in case of kernel keyring, using kswitch

* instantiating another API instance in the process running the test, 
while the other ccache is active
     - the API object internals seem to prevent this as there is still a 
lot of shared state between the API instances

* running the command supposed to have different identity as a 
subprocess after switching the identity
     - this attempt seemed to have inherited the opened connection to 
the backend from the parent python process,
       creating a conflict during the client bootstrap

* injecting the KRB5CCNAME environment variable with second identity 
into the python process
     - the API instance doesn't seem to be affected by this value half 
of the time.
     - randomly, the new credentials are used, breaking all the things.

Unable to change the user during the test, the code I wrote for this 
wasn't doing what I intended it to do
because the admin user used in the tests overrides all CA ACLs.

The patches implement the CA ACL tracker and, at the moment, one simple 
test. This can (and will) be extended
to a full CRUD test that will be run as a part of the acceptance suite, 
while the functional test will be written as an integration test.

I include the code that doesn't work as an example of what will be in 
the integration test.

The patch 0013 needs to be applied after the certprofile tracker patch 
(0008).

Cheers,
Milan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkubik-0012-ipatests-add-fuzzy-instances-for-CA-ACL-DN-and-RDN.patch
Type: text/x-patch
Size: 1096 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150910/8e789c6c/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkubik-0013-ipatests-Add-initial-CAACLTracker-implementation.patch
Type: text/x-patch
Size: 12251 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150910/8e789c6c/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkubik-0014-tests-add-test-to-check-the-default-ACL.patch
Type: text/x-patch
Size: 1289 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150910/8e789c6c/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: noapply-ipatests-CA-ACL-and-cert-profile-functional-test.patch
Type: text/x-patch
Size: 8149 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150910/8e789c6c/attachment-0003.bin>
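
An added illustration, not part of the original message or of the FreeIPA test suite: it shows the two isolation properties the subprocess and KRB5CCNAME approaches in the message depend on, a per-identity private credential cache passed only through the child's environment, and a child that inherits no open descriptors from the parent. The helper names, the labels "alice" and "bob", and the pipe standing in for the parent's backend connection are assumptions constructed for the example.

```python
import os
import shutil
import subprocess
import sys
import tempfile
from contextlib import contextmanager

# Child-side probe: report the ccache it was given and whether a parent fd leaked in.
PROBE = (
    "import os, sys\n"
    "try:\n"
    "    os.fstat(int(sys.argv[1])); leaked = 'fd-open'\n"
    "except OSError:\n"
    "    leaked = 'fd-closed'\n"
    "print(os.environ.get('KRB5CCNAME', ''), leaked)\n"
)


@contextmanager
def identity_env(label):
    """Yield an environment copy pointing at a private FILE: ccache for `label`."""
    ccdir = tempfile.mkdtemp(prefix="krb5cc_%s_" % label)  # created with mode 0700
    env = dict(os.environ)          # copy: the parent's own KRB5CCNAME is never touched
    env["KRB5CCNAME"] = "FILE:" + os.path.join(ccdir, "ccache")
    try:
        yield env                   # a real test would run kinit with this env first
    finally:
        shutil.rmtree(ccdir, ignore_errors=True)  # tickets are removed with the identity


def run_child(argv, env, isolate=True):
    """Run argv under `env`; with isolate=True no parent descriptor above 2 is inherited."""
    out = subprocess.run(argv, env=env, close_fds=isolate, stdin=subprocess.DEVNULL,
                         stdout=subprocess.PIPE, check=True, universal_newlines=True)
    return out.stdout.rsplit(None, 1)   # [ccache name, fd state]


def demo():
    """Constructed scenario: a pipe stands in for the parent's open backend connection."""
    rfd, wfd = os.pipe()
    os.set_inheritable(rfd, True)   # simulate a descriptor that leaks into children
    probe = [sys.executable, "-c", PROBE, str(rfd)]
    try:
        with identity_env("alice") as a, identity_env("bob") as b:
            return (run_child(probe, a), run_child(probe, b),
                    run_child(probe, a, isolate=False))
    finally:
        os.close(rfd)
        os.close(wfd)
```

Calling `demo()` returns the probe output for two isolated children and one child started with `close_fds=False`; only the last one still sees the parent's descriptor.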

