[Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

Martin Basti mbasti at redhat.com
Thu Nov 3 11:43:09 UTC 2016


LGTM


On 03.11.2016 09:42, Oleg Fayans wrote:
> One more ping for review
>
> On 10/27/2016 02:21 PM, Oleg Fayans wrote:
>> ping for review
>>
>> On 10/25/2016 10:24 AM, Oleg Fayans wrote:
>>> Integration part of the tests is ready. 2 tests:
>>>
>>> 1. Adds a cert to idoverride of a windows user
>>> 2. sssd part - looks up user by his certificate using dbus-sssd
>>>
>>> Second and third dbus call are executed as a string instead of as array
>>> of strings because it just does not work otherwise. Some quote escaping
>>> gets screwed probably, but the system returns "Error
>>> org.freedesktop.DBus.Error.UnknownInterface: Unknown interface" if the
>>> command is executed using the standard array-based approach
>>>
>>> The run looks like this:
>>>
>>> bash-4.3$ ipa-run-tests test_integration/test_idviews.py --pdb
>>> WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13]
>>> Permission denied: 'lextab.py'
>>> WARNING: yacc table file version is out of date
>>> WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission
>>> denied: 'yacctab.py'
>>> ==================================== test session starts
>>> ====================================
>>> platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
>>> plugins: sourceorder-0.5, multihost-1.0
>>> collected 2 items
>>>
>>> test_integration/test_idviews.py ..
>>>
>>> ================================ 2 passed in 948.44 seconds
>>> =================================
>>>
>>>
>>> On 10/21/2016 10:54 AM, Oleg Fayans wrote:
>>>> Added one more test, resolved the pep8 issues
>>>>
>>>> On 10/19/2016 12:32 PM, Oleg Fayans wrote:
>>>>> Hi Martin,
>>>>>
>>>>> As you suggested, I've extended the
>>>>> test_xmlrpc/test_add_remove_cert_cmd.py to contain basic tests for
>>>>> certs in idoverrides.
>>>>> The integration part still needs some polishing in the part
>>>>> related to user lookup by cert
>>>>>
>>>>> On 10/14/2016 03:57 PM, Martin Babinsky wrote:
>>>>>> On 10/14/2016 03:48 PM, Oleg Fayans wrote:
>>>>>>> So, did I understand correctly, that there would be 2 patches: one
>>>>>>> containing test for basic idoverrides functionality without
>>>>>>> AD-integration, and the second one - with AD-integration and an
>>>>>>> sssd check, correct?
>>>>>>> I guess, the
>>>>>>> freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch
>>>>>>> might be a good candidate for the first one, I only have to change
>>>>>>> the filename to test_idviews.py, right?
>>>>>>>
>>>>>>
>>>>>> Oleg, we already have XMLRPC tests for idoverrides:
>>>>>>
>>>>>> ipatests/test_xmlrpc/test_idviews_plugin.py
>>>>>>
>>>>>> Is there any particular reason why not to extend them with add
>>>>>> cert/remove cert operations?
>>>>>>
>>>>>> Even better, you can extend
>>>>>> `ipatests/test_xmlrpc/test_add_remove_cert_cmd.py` suite by doing
>>>>>> the same set of tests on idoverrideuser objects.
>>>>>>
>>>>>> Or am I missing something?
>>>>>>
>>>>>>> On 09/15/2016 10:32 AM, Martin Basti wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>> On 15.09.2016 10:10, Oleg Fayans wrote:
>>>>>>>>> Hi Martin,
>>>>>>>>>
>>>>>>>>> The file was renamed. Did I understand correctly that for now we
>>>>>>>>> are leaving the test as is and are planning to extend it later?
>>>>>>>>
>>>>>>>> I would like to have there SSSD check involved, please use what
>>>>>>>> Sumit recommends. No new test cases.
>>>>>>>>
>>>>>>>> And this can be done by separate patch, I want to have API/CLI
>>>>>>>> certificate override tests for non-AD idview (extending current
>>>>>>>> tests I posted in this thread)
>>>>>>>>
>>>>>>>> Martin^2
>>>>>>>>>
>>>>>>>>> On 09/15/2016 09:49 AM, Martin Basti wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 14.09.2016 18:53, Sumit Bose wrote:
>>>>>>>>>>> On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> On 14.09.2016 17:53, Alexander Bokovoy wrote:
>>>>>>>>>>>>> On Wed, 14 Sep 2016, Martin Basti wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 14.09.2016 17:41, Alexander Bokovoy wrote:
>>>>>>>>>>>>>>> On Wed, 14 Sep 2016, Martin Basti wrote:
>>>>>>>>>>>>>>>> 1)
>>>>>>>>>>>>>>>> I still don't see the reason why AD trust is needed.
>>>>>>>>>>>>>>>> Default trust ID view is added just by ipa-adtrust-install,
>>>>>>>>>>>>>>>> adding trust is not needed for current implementation. You
>>>>>>>>>>>>>>>> don't need AD for this, IDviews is generic feature not just
>>>>>>>>>>>>>>>> for AD. Is that user configured on AD side?
>>>>>>>>>>>>>>> You cannot add non-AD user to 'default trust view', so you
>>>>>>>>>>>>>>> will not be able to set up certificates to ID override which
>>>>>>>>>>>>>>> does not exist.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> For non-'default trust view' you can add both IPA and AD
>>>>>>>>>>>>>>> users, so using some other view and then assign certificate
>>>>>>>>>>>>>>> for a ID override in that one.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Ok then, but anyway I would like to see API/CLI tests for
>>>>>>>>>>>>>> this feature with proper output validation.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> How can be this tested with SSSD?
>>>>>>>>>>>>> You need to log into the system with a certificate...
>>>>>>>>>>>> Is this possible from test? We are logged remotely as root, is
>>>>>>>>>>>> there any cmdline util which allows us to test certificate
>>>>>>>>>>>> against AD user?
>>>>>>>>>>>
>>>>>>>>>>> You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which
>>>>>>>>>>> should return the ssh key derived from the public key in the
>>>>>>>>>>> certificate. This should work for certificate stored in AD as
>>>>>>>>>>> well as for overrides.
>>>>>>>>>>>
>>>>>>>>>>> You can also use the DBus lookup by certificate as described in
>>>>>>>>>>> https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate .
>>>>>>>>>>>
>>>>>>>>>>> HTH
>>>>>>>>>>>
>>>>>>>>>>> bye,
>>>>>>>>>>> Sumit
>>>>>>>>>>
>>>>>>>>>> Thank you Alexander and Sumit for hints.
>>>>>>>>>>
>>>>>>>>>> Oleg I realized we don't have any other idviews integration
>>>>>>>>>> tests
>>>>>>>>>>
>>>>>>>>>> So I propose to rename test file you are adding to
>>>>>>>>>> test_idviews.py. We can add more testcases for idviews there later
>>>>>>>>>>
>>>>>>>>>> Martin^2
>>>>>>>>>>>> Martin^2
>>>>>>>>>>>>
>
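
The thread above mentions running the SSSD certificate lookup through dbus-send both as an argument array and as a single shell string. The following is an added example, not code from the patches or from FreeIPA, and it does not diagnose the failure reported in the thread; it only shows how quoting differs between the two forms. The D-Bus names are those of the SSSD InfoPipe `FindByCertificate` call, while the helper names and the sample PEM value are constructed for illustration.

```python
import shlex

# SSSD InfoPipe names used for looking up a user by certificate over D-Bus.
DEST = "org.freedesktop.sssd.infopipe"
PATH = "/org/freedesktop/sssd/infopipe/Users"
METHOD = "org.freedesktop.sssd.infopipe.Users.FindByCertificate"

# Constructed placeholder, not a real certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----MIIBconstructedAAAA"
              "-----END CERTIFICATE-----")


def find_by_cert_argv(pem):
    """Array form: one list element per argument, no shell quoting at all."""
    return ["dbus-send", "--system", "--print-reply", "--dest=" + DEST,
            PATH, METHOD, "string:" + pem]


def to_shell_string(argv):
    """String form: quote each element so a POSIX shell rebuilds the argv."""
    return " ".join(shlex.quote(arg) for arg in argv)


def stray_quotes(argv):
    """Return elements that still carry literal quote characters.

    In array form nothing strips quotes, so the program would receive
    them as part of the value.
    """
    return [arg for arg in argv if '"' in arg or "'" in arg]


def compare(pem=SAMPLE_PEM):
    good = find_by_cert_argv(pem)
    # Shell-style quoting copied verbatim into a list element: quotes stay.
    copied = good[:-1] + ['string:"%s"' % pem]
    return {
        "round_trip_ok": shlex.split(to_shell_string(good)) == good,
        "stray_in_good": stray_quotes(good),
        "stray_in_copied": stray_quotes(copied),
        # The same text is correct once a shell does the tokenizing.
        "copied_as_shell_ok": shlex.split(" ".join(copied)) == good,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(key, value)
```
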



