[Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

Oleg Fayans ofayans at redhat.com
Tue Oct 25 08:24:25 UTC 2016


Integration part of the tests is ready. 2 tests:

1. Adds a cert to idoverride of a windows user
2. sssd part - looks up user by his certificate using dbus-sssd

The second and third dbus calls are executed as a string instead of as an
array of strings because it just does not work otherwise. Some quote escaping
probably gets screwed, but the system returns "Error
org.freedesktop.DBus.Error.UnknownInterface: Unknown interface" if the
command is executed using the standard array-based approach.

The run looks like this:

bash-4.3$ ipa-run-tests test_integration/test_idviews.py --pdb
WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] Permission denied: 'lextab.py'
WARNING: yacc table file version is out of date
WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission denied: 'yacctab.py'
==================================== test session starts ====================================
platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: sourceorder-0.5, multihost-1.0
collected 2 items

test_integration/test_idviews.py ..

================================ 2 passed in 948.44 seconds =================================


On 10/21/2016 10:54 AM, Oleg Fayans wrote:
> Added one more test, resolved the pep8 issues
>
> On 10/19/2016 12:32 PM, Oleg Fayans wrote:
>> Hi Martin,
>>
>> As you suggested, I've extended the
>> test_xmlrpc/test_add_remove_cert_cmd.py to contain basic tests for certs
>> in idoverrides.
>> The integration part still needs some polishing in the part related to
>> user lookup by cert
>>
>> On 10/14/2016 03:57 PM, Martin Babinsky wrote:
>>> On 10/14/2016 03:48 PM, Oleg Fayans wrote:
>>>> So, did I understand correctly, that there would be 2 patches: one
>>>> containing test for basic idoverrides functionality without
>>>> AD-integration, and the second one - with AD-integration and an sssd
>>>> check, correct?
>>>> I guess, the
>>>> freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch
>>>> might be a good candidate for the first one, I only have to change the
>>>> filename to test_idviews.py, right?
>>>>
>>>
>>> Oleg, we already have XMLRPC tests for idoverrides:
>>>
>>> ipatests/test_xmlrpc/test_idviews_plugin.py
>>>
>>> Is there any particular reason why not to extend them with add
>>> cert/remove cert operations?
>>>
>>> Even better, you can extend
>>> `ipatests/test_xmlrpc/test_add_remove_cert_cmd.py` suite by doing the
>>> same set of tests on idoverrideuser objects.
>>>
>>> Or am I missing something?
>>>
>>>> On 09/15/2016 10:32 AM, Martin Basti wrote:
>>>>>
>>>>>
>>>>> On 15.09.2016 10:10, Oleg Fayans wrote:
>>>>>> Hi Martin,
>>>>>>
>>>>>> The file was renamed. Did I understand correctly that for now we are
>>>>>> leaving the test as is and are planning to extend it later?
>>>>>
>>>>> I would like to have there SSSD check involved, please use what Sumit
>>>>> recommends. No new test cases.
>>>>>
>>>>> And this can be done by separate patch, I want to have API/CLI
>>>>> certificate override tests for non-AD idview (extending current
>>>>> tests I posted in this thread)
>>>>>
>>>>> Martin^2
>>>>>>
>>>>>> On 09/15/2016 09:49 AM, Martin Basti wrote:
>>>>>>>
>>>>>>>
>>>>>>> On 14.09.2016 18:53, Sumit Bose wrote:
>>>>>>>> On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:
>>>>>>>>>
>>>>>>>>> On 14.09.2016 17:53, Alexander Bokovoy wrote:
>>>>>>>>>> On Wed, 14 Sep 2016, Martin Basti wrote:
>>>>>>>>>>>
>>>>>>>>>>> On 14.09.2016 17:41, Alexander Bokovoy wrote:
>>>>>>>>>>>> On Wed, 14 Sep 2016, Martin Basti wrote:
>>>>>>>>>>>>> 1)
>>>>>>>>>>>>> I still don't see the reason why AD trust is needed. Default
>>>>>>>>>>>>> trust ID view is added just by ipa-adtrust-install, adding
>>>>>>>>>>>>> trust is not needed for current implementation. You don't
>>>>>>>>>>>>> need AD for this, IDviews is generic feature not just for
>>>>>>>>>>>>> AD. Is that user configured on AD side?
>>>>>>>>>>>> You cannot add non-AD user to 'default trust view', so you will
>>>>>>>>>>>> not be able to set up certificates to ID override which does not
>>>>>>>>>>>> exist.
>>>>>>>>>>>>
>>>>>>>>>>>> For non-'default trust view' you can add both IPA and AD users,
>>>>>>>>>>>> so using some other view and then assign certificate for a ID
>>>>>>>>>>>> override in that one.
>>>>>>>>>>>>
>>>>>>>>>>> Ok then, but anyway I would like to see API/CLI tests for this
>>>>>>>>>>> feature with proper output validation.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> How can this be tested with SSSD?
>>>>>>>>>> You need to log into the system with a certificate...
>>>>>>>>> Is this possible from test? We are logged remotely as root, is
>>>>>>>>> there any cmdline util which allows us to test certificate
>>>>>>>>> against AD user?
>>>>>>>>
>>>>>>>> You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should
>>>>>>>> return the ssh key derived from the public key in the certificate.
>>>>>>>> This should work for certificate stored in AD as well as for
>>>>>>>> overrides.
>>>>>>>>
>>>>>>>> You can also use the DBus lookup by certificate as described in
>>>>>>>> https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate
>>>>>>>> .
>>>>>>>>
>>>>>>>> HTH
>>>>>>>>
>>>>>>>> bye,
>>>>>>>> Sumit
>>>>>>>
>>>>>>> Thank you Alexander and Sumit for hints.
>>>>>>>
>>>>>>> Oleg I realized we don't have any other idviews integration tests
>>>>>>>
>>>>>>> So I propose to rename test file you are adding to
>>>>>>> test_idviews.py. We can add more testcases for idviews there later
>>>>>>>
>>>>>>> Martin^2
>>>>>>>>> Martin^2

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0049.2-Added-interface-to-certutil.patch
Type: text/x-patch
Size: 1165 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20161025/d23ad8c7/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0050.6-Automated-test-for-certs-in-idoverrides-feature.patch
Type: text/x-patch
Size: 7931 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20161025/d23ad8c7/attachment-0001.bin>
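
Added example, not part of the original message or of the attached FreeIPA patches: the message above runs some dbus-sssd calls as one string rather than as an array, and this Python sketch shows how a multi-line PEM argument survives or breaks when an argv list is flattened into a remote shell command line. The InfoPipe method name follows the SSSD design page linked in the thread; the certificate text and helper names are constructed for illustration, and the sketch does not establish the cause of the error reported above.

```python
import shlex

# Assumed from the SSSD "lookup users by certificate" design, not from the patch.
IFP_DEST = "org.freedesktop.sssd.infopipe"
IFP_PATH = "/org/freedesktop/sssd/infopipe/Users"
IFP_METHOD = "org.freedesktop.sssd.infopipe.Users.FindByCertificate"

# Constructed placeholder, not a real certificate.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBconstructedSAMPLEnotAREALcertificate==\n"
    "-----END CERTIFICATE-----"
)


def build_argv(pem):
    """argv for a dbus-send lookup; the PEM must stay ONE argument."""
    return ["dbus-send", "--system", "--print-reply",
            "--dest=" + IFP_DEST, IFP_PATH, IFP_METHOD, "string:" + pem]


def naive_command(argv):
    """Flatten argv with plain spaces, as an unquoted join would."""
    return " ".join(argv)


def quoted_command(argv):
    """Flatten argv with POSIX shell quoting applied to every element."""
    return " ".join(shlex.quote(arg) for arg in argv)


def remote_view(command):
    """Approximate the tokens a POSIX shell hands to the program.

    shlex.split treats an unquoted newline as whitespace; a real shell
    would end the command there and run the rest as separate commands.
    """
    return shlex.split(command)


def survives_transport(argv, flatten):
    """True when the remote side sees exactly the argv that was built."""
    return remote_view(flatten(argv)) == argv


if __name__ == "__main__":
    argv = build_argv(SAMPLE_PEM)
    print("quoted join intact:", survives_transport(argv, quoted_command))
    print("naive join intact: ", survives_transport(argv, naive_command))
    print("naive tokens:", remote_view(naive_command(argv))[6:])
```
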