[Freeipa-devel] [PATCH 0026][Tests] RFE: Support UPN for trusted domains

Martin Basti mbasti at redhat.com
Tue Jul 19 11:31:55 UTC 2016 


On 18.07.2016 18:09, Martin Babinsky wrote:
> On 07/14/2016 03:39 PM, Lenka Doudova wrote:
>>
>>
>> On 07/13/2016 06:04 PM, Martin Babinsky wrote:
>>> On 07/01/2016 04:45 PM, Lenka Doudova wrote:
>>>>
>>>>
>>>> On 07/01/2016 03:04 PM, Martin Babinsky wrote:
>>>>> On 07/01/2016 11:13 AM, Lenka Doudova wrote:
>>>>>> And, of course, a patch file :)
>>>>>>
>>>>>>
>>>>>> On 07/01/2016 11:09 AM, Lenka Doudova wrote:
>>>>>>> Hi all,
>>>>>>>
>>>>>>> here's patch with basic test suite for support of UPN.
>>>>>>>
>>>>>>> Note: it needs to be applied on top of my patch 0025.2 (or 
>>>>>>> later, if
>>>>>>> there's will be more fixes to that patch).
>>>>>>>
>>>>>>>
>>>>>>> Lenka
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> Hi Lenka,
>>>>>
>>>>> test data such as usernames, etc. should be stored either in separate
>>>>> resource files or at least as class attributes like this:
>>>>>
>>>>> diff --git a/ipatests/test_integration/test_trust.py
>>>>> b/ipatests/test_integration/test_trust.py
>>>>> index e8fdc6b..86ba7cc 100644
>>>>> --- a/ipatests/test_integration/test_trust.py
>>>>> +++ b/ipatests/test_integration/test_trust.py
>>>>> @@ -394,28 +394,33 @@ class TestTrustWithUPN(ADTrustBase):
>>>>>      """
>>>>>      Test support of UPN for trusted domains
>>>>>      """
>>>>> +    upn_suffix = 'UPNsuffix.com'
>>>>> +    upn_username = 'upnuser'
>>>>> +    upn_princ = '{}@{}'.format(upn_username, upn_suffix)
>>>>> +    upn_password = 'Secret123456'
>>>>> +
>>>>>      def test_upn_in_nonposix_trust(self):
>>>>>          """ Check that UPN is listed as trust attribute """
>>>>>          result = self.master.run_command(['ipa', 'trust-show',
>>>>> self.ad_domain,
>>>>>                                            '--all', '--raw'])
>>>>>
>>>>> -        assert "ipantadditionalsuffixes: UPNsuffix.com" in
>>>>> result.stdout_text
>>>>> +        assert ("ipantadditionalsuffixes:
>>>>> {}".format(self.upn_suffix) in
>>>>> +                result.stdout_text)
>>>>>
>>>>>      def test_upn_user_resolution_in_nonposix_trust(self):
>>>>>          """ Check that user with UPN can be resolved """
>>>>> -        upnuser = 'upnuser at UPNsuffix.com'
>>>>> -        result = self.master.run_command(['getent', 'passwd',
>>>>> upnuser])
>>>>> +        result = self.master.run_command(['getent', 'passwd',
>>>>> self.upn_princ])
>>>>>
>>>>>          # result will contain AD domain, not UPN
>>>>> -        upnuser_regex = "^upnuser@{0}:\*:(\d+):(\d+):UPN
>>>>> User:/:$".format(
>>>>> -            self.ad_domain)
>>>>> +        upnuser_regex = "^{}@{}:\*:(\d+):(\d+):UPN User:/:$".format(
>>>>> +            self.upn_username, self.ad_domain)
>>>>>          assert re.search(upnuser_regex, result.stdout_text)
>>>>>
>>>>>      def test_upn_user_authentication(self):
>>>>>          """ Check that AD user with UPN can authenticate in IPA """
>>>>>          self.master.run_command(['systemctl', 'restart', 'krb5kdc'])
>>>>> -        self.master.run_command(['kinit', '-C', '-E',
>>>>> 'upnuser at UPNsuffix.com'],
>>>>> - stdin_text='Secret123456')
>>>>> +        self.master.run_command(['kinit', '-C', '-E', 
>>>>> self.upn_princ],
>>>>> + stdin_text=self.upn_password)
>>>>>
>>>>> otherwise LGTM.
>>>>>
>>>> Thanks for review, fixed patch attached.
>>>>
>>>> Few notes:
>>>> 1. mbabinsky's suggestion to store testdata as class attributes or
>>>> separate resource file: I decided to use the class attribute approach.
>>>> The separate resource file is a nice idea, which I have already put on
>>>> my "to do" list - there's a lot of hardcoded stuff in the trust tests,
>>>> even in the original ones (before my patches), so when there's time 
>>>> I'll
>>>> work on a way how to dynamically provide this data as test 
>>>> configuration
>>>> 2. previous discussion about getent vs. pwd.getpwnam(): I'll leave the
>>>> getent command, since according to mbasti the alternative would not 
>>>> work
>>>> in CI.
>>>>
>>>> Lenka
>>>
>>> Hi Lenka,
>>>
>>> I am not sure 'test_all_trustdomains_found' should be run as a part of
>>> this test suite. Maybe yes, I'm not sure.
>>>
>>> Also I would add a 60 second sleep after KDC restart in
>>> 'test_upn_user_authentication' so that MS-PAC cache gets refreshed
>>> before trying to kinit as enterprise principal.
>>>
>>> Two of the tests fail on my setup but that is probably due to
>>> https://fedorahosted.org/freeipa/ticket/6082 .
>>>
>> Hi,
>>
>> the "test_all_trustdomains_found" method is inherited from parent class,
>> and I believe it cannot hurt to have it there.
>> I added the sleep as you requested.
>> I also tried to run the tests with two way trust and since everything
>> was fine then, the failures you experienced are really most likely due
>> to the oddjob issue you linked. Of course the patch still contains tests
>> with one way trusts, so until the oddjob issue is solved, the tests will
>> probably fail, and should be fine once the fix is provided.
>>
>> Fixed patch attached.
>> Lenka
>
> Yes I think that the failing tests are due to bugs in trust, not the 
> test code. ACK.
>

New ticket created for tests https://fedorahosted.org/freeipa/ticket/6094

Pushed to master: 6a072f3c5c114747c190d0c309a8d53dd8e46394

More information about the Freeipa-devel mailing list