[Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

Oleg Fayans ofayans at redhat.com
Tue Nov 8 16:23:47 UTC 2016


Never give up pinging :)

On 11/03/2016 12:43 PM, Martin Basti wrote:
> LGTM
>
>
> On 03.11.2016 09:42, Oleg Fayans wrote:
>> One more ping for review
>>
>> On 10/27/2016 02:21 PM, Oleg Fayans wrote:
>>> ping for review
>>>
>>> On 10/25/2016 10:24 AM, Oleg Fayans wrote:
>>>> Integration part of the tests is ready. 2 tests:
>>>>
>>>> 1. Adds a cert to idoverride of a windows user
>>>> 2. sssd part - looks up user by his certificate using dbus-sssd
>>>>
>>>> Second and third dbus call are executed as a string instead of as array
>>>> of strings because it just does not work otherwise. Some quote escaping
>>>> gets screwed probably, but the system returns "Error
>>>> org.freedesktop.DBus.Error.UnknownInterface: Unknown interface" if the
>>>> command is executed using the standard array-based approach
>>>>
>>>> The run looks like this:
>>>>
>>>> bash-4.3$ ipa-run-tests test_integration/test_idviews.py --pdb
>>>> WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13]
>>>> Permission denied: 'lextab.py'
>>>> WARNING: yacc table file version is out of date
>>>> WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission
>>>> denied: 'yacctab.py'
>>>> ==================================== test session starts
>>>> ====================================
>>>> platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
>>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
>>>> plugins: sourceorder-0.5, multihost-1.0
>>>> collected 2 items
>>>>
>>>> test_integration/test_idviews.py ..
>>>>
>>>> ================================ 2 passed in 948.44 seconds
>>>> =================================
>>>>
>>>>
>>>> On 10/21/2016 10:54 AM, Oleg Fayans wrote:
>>>>> Added one more test, resolved the pep8 issues
>>>>>
>>>>> On 10/19/2016 12:32 PM, Oleg Fayans wrote:
>>>>>> Hi Martin,
>>>>>>
>>>>>> As you suggested, I've extended the
>>>>>> test_xmlrpc/test_add_remove_cert_cmd.py to contain basic tests for
>>>>>> certs
>>>>>> in idoverrides.
>>>>>> The integration part still needs some polishing in the part
>>>>>> related to
>>>>>> user lookup by cert
>>>>>>
>>>>>> On 10/14/2016 03:57 PM, Martin Babinsky wrote:
>>>>>>> On 10/14/2016 03:48 PM, Oleg Fayans wrote:
>>>>>>>> So, did I understand correctly, that there would be 2 patches: one
>>>>>>>> containing test for basic idoverrides functionality without
>>>>>>>> AD-integration, and the second one - with AD-integration and an
>>>>>>>> sssd
>>>>>>>> check, correct?
>>>>>>>> I guess, the
>>>>>>>> freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch
>>>>>>>> might be a good candidate for the first one, I only have to change
>>>>>>>> the
>>>>>>>> filename to test_idviews.py, right?
>>>>>>>>
>>>>>>>
>>>>>>> Oleg, we already have XMLRPC tests for idoverrides:
>>>>>>>
>>>>>>> ipatests/test_xmlrpc/test_idviews_plugin.py
>>>>>>>
>>>>>>> Is there any particular reason why not to extend them with add
>>>>>>> cert/remove cert operations?
>>>>>>>
>>>>>>> Even better, you can extend
>>>>>>> `ipatests/test_xmlrpc/test_add_remove_cert_cmd.py` suite by doing
>>>>>>> the
>>>>>>> same set of tests on idoverrideuser objects.
>>>>>>>
>>>>>>> Or am I missing something?
>>>>>>>
>>>>>>>> On 09/15/2016 10:32 AM, Martin Basti wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 15.09.2016 10:10, Oleg Fayans wrote:
>>>>>>>>>> Hi Martin,
>>>>>>>>>>
>>>>>>>>>> The file was renamed. Did I understand correctly that for now we
>>>>>>>>>> are
>>>>>>>>>> leaving the test as is and are planning to extend it later?
>>>>>>>>>
>>>>>>>>> I would like to have there SSSD check involved, please use what
>>>>>>>>> Sumit
>>>>>>>>> recommends. No new test cases.
>>>>>>>>>
>>>>>>>>> And this can be done by separate patch, I want to have API/CLI
>>>>>>>>> certificate override tests for non-AD idview (extending current
>>>>>>>>> tests I
>>>>>>>>> posted in this thread)
>>>>>>>>>
>>>>>>>>> Martin^2
>>>>>>>>>>
>>>>>>>>>> On 09/15/2016 09:49 AM, Martin Basti wrote:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 14.09.2016 18:53, Sumit Bose wrote:
>>>>>>>>>>>> On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 14.09.2016 17:53, Alexander Bokovoy wrote:
>>>>>>>>>>>>>> On Wed, 14 Sep 2016, Martin Basti wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 14.09.2016 17:41, Alexander Bokovoy wrote:
>>>>>>>>>>>>>>>> On Wed, 14 Sep 2016, Martin Basti wrote:
>>>>>>>>>>>>>>>>> 1)
>>>>>>>>>>>>>>>>> I still don't see the reason why AD trust is needed.
>>>>>>>>>>>>>>>>> Default
>>>>>>>>>>>>>>>>> trust ID view is added just by ipa-adtrust-install, adding
>>>>>>>>>>>>>>>>> trust is not needed for current implementation. You don't
>>>>>>>>>>>>>>>>> need AD for this, IDviews is generic feature not just for
>>>>>>>>>>>>>>>>> AD. Is that user configured on AD side?
>>>>>>>>>>>>>>>> You cannot add non-AD user to 'default trust view', so you
>>>>>>>>>>>>>>>> will
>>>>>>>>>>>>>>>> not be
>>>>>>>>>>>>>>>> able to set up certificates to ID override which does not
>>>>>>>>>>>>>>>> exist.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> For non-'default trust view' you can add both IPA and AD
>>>>>>>>>>>>>>>> users,
>>>>>>>>>>>>>>>> so using
>>>>>>>>>>>>>>>> some other view and then assign certificate for a ID
>>>>>>>>>>>>>>>> override in
>>>>>>>>>>>>>>>> that
>>>>>>>>>>>>>>>> one.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Ok then, but anyway I would like to see API/CLI tests for
>>>>>>>>>>>>>>> this
>>>>>>>>>>>>>>> feature with proper output validation.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> How can be this tested with SSSD?
>>>>>>>>>>>>>> You need to log into the system with a certificate...
>>>>>>>>>>>>> Is this possible from test? We are logged remotely as root, is
>>>>>>>>>>>>> there any
>>>>>>>>>>>>> cmdline util which allows us to test certificate against AD
>>>>>>>>>>>>> user?
>>>>>>>>>>>>
>>>>>>>>>>>> You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which
>>>>>>>>>>>> should
>>>>>>>>>>>> return the ssh key derived from the public key in the
>>>>>>>>>>>> certificate.
>>>>>>>>>>>> This
>>>>>>>>>>>> should work for certificate stored in AD as well as for
>>>>>>>>>>>> overrides.
>>>>>>>>>>>>
>>>>>>>>>>>> You can also use the DBus lookup by certificate as described in
>>>>>>>>>>>> https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate
>>>>>>>>>>>> .
>>>>>>>>>>>>
>>>>>>>>>>>> HTH
>>>>>>>>>>>>
>>>>>>>>>>>> bye,
>>>>>>>>>>>> Sumit
>>>>>>>>>>>
>>>>>>>>>>> Thank you Alexander and Sumit for hints.
>>>>>>>>>>>
>>>>>>>>>>> Oleg I realized we don't have any other idviews integration
>>>>>>>>>>> tests
>>>>>>>>>>>
>>>>>>>>>>> So I propose to rename test file you are adding to
>>>>>>>>>>> test_idviews.py. We
>>>>>>>>>>> can add more testcases for idviews there later
>>>>>>>>>>>
>>>>>>>>>>> Martin^2
>>>>>>>>>>>>> Martin^2

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
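
Added example, not part of the original message or of the FreeIPA patch: the thread reports that the dbus call worked as a shell string but failed with "Unknown interface" as an array of strings. The sketch below shows one way that difference can arise (shell quotes copied into list elements stay literal) and how to build the string form safely with `shlex.quote`; it is an illustration, not a diagnosis of the patch. The InfoPipe destination, object path and method name are assumptions taken from SSSD's lookup-by-certificate interface, and the certificate is a constructed placeholder.

```python
import shlex

# Assumed SSSD InfoPipe names (not quoted in the thread).
DEST = "org.freedesktop.sssd.infopipe"
PATH = "/org/freedesktop/sssd/infopipe/Users"
METHOD = "org.freedesktop.sssd.infopipe.Users.FindByCertificate"

# Constructed placeholder, not a real certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              "Q09OU1RSVUNURUQ=\n"
              "-----END CERTIFICATE-----")


def find_by_cert_argv(pem):
    """Array form: one element per argument, no shell quoting."""
    return ["dbus-send", "--system", "--print-reply", "--dest=" + DEST,
            PATH, METHOD, "string:" + pem]


def find_by_cert_string(pem):
    """String form: quote each token so a shell rebuilds the same argv."""
    return " ".join(shlex.quote(arg) for arg in find_by_cert_argv(pem))


def as_seen_by_program(command_string):
    """Split the way a POSIX shell would, to see what dbus-send receives."""
    return shlex.split(command_string)


def argv_with_copied_quotes(pem):
    """Pitfall: shell quotes pasted into list elements stay literal."""
    return ["dbus-send", "--system", "--print-reply", "--dest=" + DEST,
            PATH, '"%s"' % METHOD, 'string:"%s"' % pem]


if __name__ == "__main__":
    good = find_by_cert_argv(SAMPLE_PEM)
    bad = argv_with_copied_quotes(SAMPLE_PEM)
    print("interface arg (array, clean):  ", good[5])
    print("interface arg (array, quoted): ", bad[5])
    # The same quoted tokens joined into a string work, because a shell
    # strips the quotes before dbus-send sees them.
    print("string form matches clean argv:",
          as_seen_by_program(" ".join(bad)) == good)
    print(find_by_cert_string(SAMPLE_PEM))
```

When the string form is kept, quoting every token this way also prevents a certificate or user value containing shell metacharacters from being interpreted by the shell on the test host.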



