[Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

Martin Babinsky mbabinsk at redhat.com
Fri Oct 14 13:57:50 UTC 2016


On 10/14/2016 03:48 PM, Oleg Fayans wrote:
> So, did I understand correctly, that there would be 2 patches: one
> containing test for basic idoverrides functionality without
> AD-integration, and the second one - with AD-integration and an sssd
> check, correct?
> I guess, the
> freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch
> might be a good candidate for the first one, I only have to change the
> filename to test_idviews.py, right?
>

Oleg, we already have XMLRPC tests for idoverrides:

ipatests/test_xmlrpc/test_idviews_plugin.py

Is there any particular reason why not to extend them with add 
cert/remove cert operations?

Even better, you can extend 
`ipatests/test_xmlrpc/test_add_remove_cert_cmd.py` suite by doing the 
same set of tests on idoverrideuser objects.

Or am I missing something?

> On 09/15/2016 10:32 AM, Martin Basti wrote:
>>
>>
>> On 15.09.2016 10:10, Oleg Fayans wrote:
>>> Hi Martin,
>>>
>>> The file was renamed. Did I understand correctly that for now we are
>>> leaving the test as is and are planning to extend it later?
>>
>> I would like to have there SSSD check involved, please use what Sumit
>> recommends. No new test cases.
>>
>> And this can be done by separate patch, I want to have API/CLI
>> certificate override tests for non-AD idview (extending current tests I
>> posted in this thread)
>>
>> Martin^2
>>>
>>> On 09/15/2016 09:49 AM, Martin Basti wrote:
>>>>
>>>>
>>>> On 14.09.2016 18:53, Sumit Bose wrote:
>>>>> On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:
>>>>>>
>>>>>> On 14.09.2016 17:53, Alexander Bokovoy wrote:
>>>>>>> On Wed, 14 Sep 2016, Martin Basti wrote:
>>>>>>>>
>>>>>>>> On 14.09.2016 17:41, Alexander Bokovoy wrote:
>>>>>>>>> On Wed, 14 Sep 2016, Martin Basti wrote:
>>>>>>>>>> 1)
>>>>>>>>>> I still don't see the reason why AD trust is needed. Default
>>>>>>>>>> trust ID view is added just by ipa-adtrust-install, adding
>>>>>>>>>> trust is not needed for current implementation. You don't
>>>>>>>>>> need AD for this, IDviews is generic feature not just for
>>>>>>>>>> AD. Is that user configured on AD side?
>>>>>>>>> You cannot add non-AD user to 'default trust view', so you will
>>>>>>>>> not be able to set up certificates to ID override which does not
>>>>>>>>> exist.
>>>>>>>>>
>>>>>>>>> For non-'default trust view' you can add both IPA and AD users, so
>>>>>>>>> using some other view and then assign certificate for an ID
>>>>>>>>> override in that one.
>>>>>>>>>
>>>>>>>> Ok then, but anyway I would like to see API/CLI tests for this
>>>>>>>> feature with proper output validation.
>>>>>>>>
>>>>>>>>
>>>>>>>> How can this be tested with SSSD?
>>>>>>> You need to log into the system with a certificate...
>>>>>> Is this possible from test? We are logged remotely as root, is there
>>>>>> any cmdline util which allows us to test certificate against AD user?
>>>>>
>>>>> You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should
>>>>> return the ssh key derived from the public key in the certificate.
>>>>> This should work for certificate stored in AD as well as for overrides.
>>>>>
>>>>> You can also use the DBus lookup by certificate as described in
>>>>> https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate.
>>>>>
>>>>> HTH
>>>>>
>>>>> bye,
>>>>> Sumit
>>>>
>>>> Thank you Alexander and Sumit for hints.
>>>>
>>>> Oleg I realized we don't have any other idviews integration tests
>>>>
>>>> So I propose to rename test file you are adding to test_idviews.py. We
>>>> can add more testcases for idviews there later
>>>>
>>>> Martin^2
>>>>>> Martin^2
>>>>>>


-- 
Martin^3 Babinsky



