[Freeipa-devel] [PATCH 0026][Tests] RFE: Support UPN for trusted domains
Martin Babinsky
mbabinsk at redhat.com
Mon Jul 18 16:09:18 UTC 2016
On 07/14/2016 03:39 PM, Lenka Doudova wrote:
>
>
> On 07/13/2016 06:04 PM, Martin Babinsky wrote:
>> On 07/01/2016 04:45 PM, Lenka Doudova wrote:
>>>
>>>
>>> On 07/01/2016 03:04 PM, Martin Babinsky wrote:
>>>> On 07/01/2016 11:13 AM, Lenka Doudova wrote:
>>>>> And, of course, a patch file :)
>>>>>
>>>>>
>>>>> On 07/01/2016 11:09 AM, Lenka Doudova wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> here's patch with basic test suite for support of UPN.
>>>>>>
>>>>>> Note: it needs to be applied on top of my patch 0025.2 (or later, if
>>>>>> there's will be more fixes to that patch).
>>>>>>
>>>>>>
>>>>>> Lenka
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>> Hi Lenka,
>>>>
>>>> test data such as usernames, etc. should be stored either in separate
>>>> resource files or at least as class attributes like this:
>>>>
>>>> diff --git a/ipatests/test_integration/test_trust.py
>>>> b/ipatests/test_integration/test_trust.py
>>>> index e8fdc6b..86ba7cc 100644
>>>> --- a/ipatests/test_integration/test_trust.py
>>>> +++ b/ipatests/test_integration/test_trust.py
>>>> @@ -394,28 +394,33 @@ class TestTrustWithUPN(ADTrustBase):
>>>> """
>>>> Test support of UPN for trusted domains
>>>> """
>>>> + upn_suffix = 'UPNsuffix.com'
>>>> + upn_username = 'upnuser'
>>>> + upn_princ = '{}@{}'.format(upn_username, upn_suffix)
>>>> + upn_password = 'Secret123456'
>>>> +
>>>> def test_upn_in_nonposix_trust(self):
>>>> """ Check that UPN is listed as trust attribute """
>>>> result = self.master.run_command(['ipa', 'trust-show',
>>>> self.ad_domain,
>>>> '--all', '--raw'])
>>>>
>>>> - assert "ipantadditionalsuffixes: UPNsuffix.com" in
>>>> result.stdout_text
>>>> + assert ("ipantadditionalsuffixes:
>>>> {}".format(self.upn_suffix) in
>>>> + result.stdout_text)
>>>>
>>>> def test_upn_user_resolution_in_nonposix_trust(self):
>>>> """ Check that user with UPN can be resolved """
>>>> - upnuser = 'upnuser at UPNsuffix.com'
>>>> - result = self.master.run_command(['getent', 'passwd',
>>>> upnuser])
>>>> + result = self.master.run_command(['getent', 'passwd',
>>>> self.upn_princ])
>>>>
>>>> # result will contain AD domain, not UPN
>>>> - upnuser_regex = "^upnuser@{0}:\*:(\d+):(\d+):UPN
>>>> User:/:$".format(
>>>> - self.ad_domain)
>>>> + upnuser_regex = "^{}@{}:\*:(\d+):(\d+):UPN User:/:$".format(
>>>> + self.upn_username, self.ad_domain)
>>>> assert re.search(upnuser_regex, result.stdout_text)
>>>>
>>>> def test_upn_user_authentication(self):
>>>> """ Check that AD user with UPN can authenticate in IPA """
>>>> self.master.run_command(['systemctl', 'restart', 'krb5kdc'])
>>>> - self.master.run_command(['kinit', '-C', '-E',
>>>> 'upnuser at UPNsuffix.com'],
>>>> - stdin_text='Secret123456')
>>>> + self.master.run_command(['kinit', '-C', '-E', self.upn_princ],
>>>> + stdin_text=self.upn_password)
>>>>
>>>> otherwise LGTM.
>>>>
>>> Thanks for review, fixed patch attached.
>>>
>>> Few notes:
>>> 1. mbabinsky's suggestion to store testdata as class attributes or
>>> separate resource file: I decided to use the class attribute approach.
>>> The separate resource file is a nice idea, which I have already put on
>>> my "to do" list - there's a lot of hardcoded stuff in the trust tests,
>>> even in the original ones (before my patches), so when there's time I'll
>>> work on a way how to dynamically provide this data as test configuration
>>> 2. previous discussion about getent vs. pwd.getpwnam(): I'll leave the
>>> getent command, since according to mbasti the alternative would not work
>>> in CI.
>>>
>>> Lenka
>>
>> Hi Lenka,
>>
>> I am not sure 'test_all_trustdomains_found' should be run as a part of
>> this test suite. Maybe yes, I'm not sure.
>>
>> Also I would add a 60 second sleep after KDC restart in
>> 'test_upn_user_authentication' so that MS-PAC cache gets refreshed
>> before trying to kinit as enterprise principal.
>>
>> Two of the tests fail on my setup but that is probably due to
>> https://fedorahosted.org/freeipa/ticket/6082 .
>>
> Hi,
>
> the "test_all_trustdomains_found" method is inherited from parent class,
> and I believe it cannot hurt to have it there.
> I added the sleep as you requested.
> I also tried to run the tests with two way trust and since everything
> was fine then, the failures you experienced are really most likely due
> to the oddjob issue you linked. Of course the patch still contains tests
> with one way trusts, so until the oddjob issue is solved, the tests will
> probably fail, and should be fine once the fix is provided.
>
> Fixed patch attached.
> Lenka
Yes I think that the failing tests are due to bugs in trust, not the
test code. ACK.
--
Martin^3 Babinsky
More information about the Freeipa-devel
mailing list