[Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

Oleg Fayans ofayans at redhat.com
Fri Oct 21 08:54:19 UTC 2016


Added one more test, resolved the pep8 issues

On 10/19/2016 12:32 PM, Oleg Fayans wrote:
> Hi Martin,
>
> As you suggested, I've extended the
> test_xmlrpc/test_add_remove_cert_cmd.py to contain basic tests for certs
> in idoverrides.
> The integration part still needs some polishing in the part related to
> user lookup by cert
>
> On 10/14/2016 03:57 PM, Martin Babinsky wrote:
>> On 10/14/2016 03:48 PM, Oleg Fayans wrote:
>>> So, did I understand correctly, that there would be 2 patches: one
>>> containing test for basic idoverrides functionality without
>>> AD-integration, and the second one - with AD-integration and an sssd
>>> check, correct?
>>> I guess, the
>>> freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch
>>> might be a good candidate for the first one, I only have to change the
>>> filename to test_idviews.py, right?
>>>
>>
>> Oleg, we already have XMLRPC tests for idoverrides:
>>
>> ipatests/test_xmlrpc/test_idviews_plugin.py
>>
>> Is there any particular reason why not to extend them with add
>> cert/remove cert operations?
>>
>> Even better, you can extend
>> `ipatests/test_xmlrpc/test_add_remove_cert_cmd.py` suite by doing the
>> same set of tests on idoverrideuser objects.
>>
>> Or am I missing something?
>>
>>> On 09/15/2016 10:32 AM, Martin Basti wrote:
>>>>
>>>>
>>>> On 15.09.2016 10:10, Oleg Fayans wrote:
>>>>> Hi Martin,
>>>>>
>>>>> The file was renamed. Did I understand correctly that for now we are
>>>>> leaving the test as is and are planning to extend it later?
>>>>
>>>> I would like to have there SSSD check involved, please use what Sumit
>>>> recommends. No new test cases.
>>>>
>>>> And this can be done by separate patch, I want to have API/CLI
>>>> certificate override tests for non-AD idview (extending current tests I
>>>> posted in this thread)
>>>>
>>>> Martin^2
>>>>>
>>>>> On 09/15/2016 09:49 AM, Martin Basti wrote:
>>>>>>
>>>>>>
>>>>>> On 14.09.2016 18:53, Sumit Bose wrote:
>>>>>>> On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:
>>>>>>>>
>>>>>>>> On 14.09.2016 17:53, Alexander Bokovoy wrote:
>>>>>>>>> On Wed, 14 Sep 2016, Martin Basti wrote:
>>>>>>>>>>
>>>>>>>>>> On 14.09.2016 17:41, Alexander Bokovoy wrote:
>>>>>>>>>>> On Wed, 14 Sep 2016, Martin Basti wrote:
>>>>>>>>>>>> 1)
>>>>>>>>>>>> I still don't see the reason why AD trust is needed. Default
>>>>>>>>>>>> trust ID view is added just by ipa-adtrust-install, adding
>>>>>>>>>>>> trust is not needed for current implementation. You don't
>>>>>>>>>>>> need AD for this, IDviews is generic feature not just for
>>>>>>>>>>>> AD. Is that user configured on AD side?
>>>>>>>>>>> You cannot add non-AD user to 'default trust view', so you will not be
>>>>>>>>>>> able to set up certificates to ID override which does not exist.
>>>>>>>>>>>
>>>>>>>>>>> For non-'default trust view' you can add both IPA and AD users, so using
>>>>>>>>>>> some other view and then assign certificate for an ID override in that
>>>>>>>>>>> one.
>>>>>>>>>>>
>>>>>>>>>> Ok then, but anyway I would like to see API/CLI tests for this
>>>>>>>>>> feature with proper output validation.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> How can this be tested with SSSD?
>>>>>>>>> You need to log into the system with a certificate...
>>>>>>>> Is this possible from test? We are logged remotely as root, is there any
>>>>>>>> cmdline util which allows us to test certificate against AD user?
>>>>>>>
>>>>>>> You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should
>>>>>>> return the ssh key derived from the public key in the certificate. This
>>>>>>> should work for certificate stored in AD as well as for overrides.
>>>>>>>
>>>>>>> You can also use the DBus lookup by certificate as described in
>>>>>>> https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate
>>>>>>>
>>>>>>>
>>>>>>> .
>>>>>>>
>>>>>>> HTH
>>>>>>>
>>>>>>> bye,
>>>>>>> Sumit
>>>>>>
>>>>>> Thank you Alexander and Sumit for hints.
>>>>>>
>>>>>> Oleg I realized we don't have any other idviews integration tests
>>>>>>
>>>>>> So I propose to rename test file you are adding to test_idviews.py. We
>>>>>> can add more testcases for idviews there later
>>>>>>
>>>>>> Martin^2
>>>>>>>> Martin^2

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0089.1-tests-Added-basic-tests-for-certs-in-idoverrides.patch
Type: text/x-patch
Size: 4380 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20161021/3f5311ce/attachment.bin>
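
The SSSD check suggested in the thread (the key returned by `sss_ssh_authorizedkeys` must be the one in the override certificate) can be asserted by comparing key material rather than text. This is an added example, not code from the attached patch or the FreeIPA test suite; it assumes an RSA certificate and output in authorized_keys format, and all function names and sample values are hypothetical.

```python
import base64
import struct


def _field(data):
    # SSH "string": 4-byte big-endian length, then the bytes (RFC 4251)
    return struct.pack(">I", len(data)) + data


def _mpint(value):
    # Positive mpint: big-endian, with a leading zero byte when the top bit is set
    return _field(value.to_bytes(value.bit_length() // 8 + 1, "big"))


def ssh_rsa_line(e, n, comment=""):
    """Build the authorized_keys line for an RSA public key (RFC 4253, 6.6)."""
    blob = _field(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return " ".join(filter(None, ["ssh-rsa", base64.b64encode(blob).decode(), comment]))


def parse_ssh_rsa(line):
    """Return (e, n) from one authorized_keys line, or None if it is not ssh-rsa."""
    fields = line.split()
    if "ssh-rsa" not in fields[:-1]:
        return None
    try:
        blob = base64.b64decode(fields[fields.index("ssh-rsa") + 1], validate=True)
    except ValueError:
        return None
    parts, off = [], 0
    while off + 4 <= len(blob):
        (length,) = struct.unpack_from(">I", blob, off)
        parts.append(blob[off + 4:off + 4 + length])
        off += 4 + length
    if off != len(blob) or len(parts) != 3 or parts[0] != b"ssh-rsa":
        return None  # truncated or malformed key blob
    return int.from_bytes(parts[1], "big"), int.from_bytes(parts[2], "big")


def cert_key_returned(output, e, n):
    """True if some line of the command output carries exactly the cert's RSA key."""
    return any(parse_ssh_rsa(line) == (e, n) for line in output.splitlines())


# Constructed sample: placeholder RSA numbers standing in for the override cert's
# public key (e.g. the modulus printed by `openssl x509 -noout -modulus`), and the
# text a test would capture from `sss_ssh_authorizedkeys aduser@ad.domain`.
E, N = 65537, (1 << 2047) | 0x1234567
SAMPLE_OUTPUT = ssh_rsa_line(E, N) + "\n"
```

Comparing the decoded exponent and modulus keeps the assertion independent of comments or whitespace in the returned line.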

