Gc azure tests #22
Open. abbra wants to merge 99 commits into master from gc-azure-tests.
Part of: https://pagure.io/freeipa/issue/8142 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
This will first check ipa-getkeytab quiet mode, then it will check ipa-getkeytab server name, then it will check different type of encryptions Signed-off-by: Jayesh <jgarg@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This also exercises the Authentication Indicator Kerberos ticket policy options by testing a otp indicator type. Related: https://pagure.io/freeipa/issue/8001 Signed-off-by: Anuja More <amore@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Test was failing in nightly_PR for ipa-4.7 As https://pagure.io/SSSD/sssd/issue/3978 is not available on fedora-29 Signed-off-by: Anuja More <amore@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Test on replica for ipa-ca-install with options --no-host-dns, --skip-schema-check; changes were made in ipatests/pytest_ipa/integration/tasks.py because a few arguments need to be passed to the install_ca method. Signed-off-by: Jayesh <jgarg@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Signed-off-by: Jayesh Garg <jgarg@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
This forces PR-CI to update the packages instead of using the versions already included in the vagrant image. Signed-off-by: Armando Neto <abiagion@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
…y" to default dnszone* output Displaying "Dynamic Update" and "Bind update policy" by default when 'ipa dnszone-show/find' are used would make client dns update failures easier to diagnose, so display them. Fixes: https://pagure.io/freeipa/issue/7938 Signed-off-by: François Cami <fcami@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
… dnszone* output Fix XMLRPC tests so that "Dynamic Update" and "Bind update policy" can be displayed by default in many DNS commands' output. Related to: https://pagure.io/freeipa/issue/7938 Signed-off-by: François Cami <fcami@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When ipa commands are used by an Active Directory user that does not have any idoverride-user set, they return the following error message which can be misleading:

$ kinit aduser@ADDOMAIN.COM
$ ipa ping
ipa: ERROR: cannot connect to 'https://master.ipa.com/ipa/json': Internal Server Error

The fix properly handles ACIError exception received when creating the context, and now the following message can be seen:

$ kinit aduser@ADDOMAIN.COM
$ ipa ping
ipa: ERROR: cannot connect to 'https://master.ipa.com/ipa/json': Unauthorized

with the following log in /var/log/httpd/error_log:

ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials

Fixes: https://pagure.io/freeipa/issue/8163 Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
This checks valid/invalid inputs for subtypes of authentication indicator kerberos ticket policy options. Signed-off-by: Anuja More <amore@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
A "cookie" is used with certmonger to track the state of a request across multiple requests to a CA (in ca-cookie). This is used with the certmonger POLL operation to submit a request to the CA for the status of a certificate request. This, along with the profile, are passed to the certmonger CA helper scripts via environment variables when a request is made. It is cleared from the certmonger request once the certificate is issued.

This CA helper can do a number of things:
- SUBMIT new certificate requests (including the CA)
- POLL for status of an existing certificate request
- For non renewal masters, POLL to see if an updated cert is in LDAP

A POLL operation requires a cookie so that the state about the request can be passed to the CA. For the case of retrieving an updated cert from LDAP there is no state to maintain. It just checks LDAP and returns either a cert or WAIT_WITH_DELAY if one is not yet available.

There are two kinds of cookies in operation here:
1. The CERTMONGER_CA_COOKIE environment variable passed via certmonger to this helper which is a JSON object.
2. The cookie value within the JSON object which contains the URL to be passed to dogtag.

For the purposes of clarity "cookie" here is the value within the JSON.

The CERTMONGER_CA_COOKIE is deconstructed and reconstructed as the request is processed, doing double duty. It initially comes in as a JSON dict object with two keys: profile and cookie. In call_handler the CERTMONGER_CA_COOKIE is decomposed into a python object and the profile compared to the requested profile (and request rejected if they don't match) and the cookie key overrides the CERTMONGER_CA_COOKIE environment variable. This is then reversed at the end of the request when it again becomes a JSON object containing the profile and cookie.

This script was previously enforcing that a cookie be available on all POLL requests, whether it is actually required or not. This patch relaxes that requirement.
The first request of a non-renewal master for an updated certificate from LDAP is a SUBMIT operation. This is significant because it doesn't require a cookie: there is no state on a new request. If there is no updated cert in LDAP then the tracking request goes into the CA_WORKING state and certmonger will wait 8 hours (as returned by this script) and try again.

Subsequent requests are done using POLL. This required a cookie so all such requests would fail with the ca-error Invalid cookie: u'' as it was empty (because there is no state).

There is no need to fail early on a missing cookie. Enforcement will be done later if needed (and it isn't always needed). So if CERTMONGER_CA_COOKIE is an empty string then generate a new CERTMONGER_CA_COOKIE containing the requested profile and an empty cookie. It still will fail if certmonger doesn't set a cookie at all.

An example of a cookie when retrieving a new RA Agent certificate is:

{"profile": "caServerCert", "cookie": "state=retrieve&requestId=20"}

This will result in this request to the CA:

[09/Jan/2020:14:29:54 -0500] "GET /ca/ee/ca/displayCertFromRequest?requestId=20&importCert=true&xml=true HTTP/1.1" 200 9857

For a renewal, the reconstructed cookie will consist of:

{"profile": "caServerCert", "cookie": ""}

https://pagure.io/freeipa/issue/8164 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
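The cookie handling described in the two commit messages above, as an added example that is not the project's own dogtag-ipa-ca-renew-agent code: it decodes the CERTMONGER_CA_COOKIE JSON, treats an empty string as "no state yet" (the relaxed rule), still rejects a completely missing variable or a profile mismatch, and reconstructs the JSON at the end of the request. The function names, the `request_id_from_cookie` helper and the sample cookie values built from the message above are assumptions for illustration.

```python
import json
from urllib.parse import parse_qs


def load_ca_cookie(env_value, requested_profile):
    """Decode CERTMONGER_CA_COOKIE (hypothetical helper, not project code).

    Returns a dict with the keys "profile" and "cookie".  The inner "cookie"
    is the state string later passed on to dogtag, e.g.
    "state=retrieve&requestId=20", or "" when no state exists yet.
    """
    if env_value is None:
        # certmonger did not set the variable at all: this still fails.
        raise ValueError("CERTMONGER_CA_COOKIE is not set")
    if env_value == "":
        # Relaxed rule: a POLL that follows a SUBMIT which found nothing in
        # LDAP carries no state, so synthesize a cookie for the requested
        # profile instead of failing early with "Invalid cookie: u''".
        return {"profile": requested_profile, "cookie": ""}
    try:
        data = json.loads(env_value)
    except ValueError as exc:
        raise ValueError("Invalid cookie: %r" % env_value) from exc
    if not isinstance(data, dict) or set(data) != {"profile", "cookie"}:
        raise ValueError("Invalid cookie: %r" % env_value)
    if data["profile"] != requested_profile:
        # The profile in the cookie must match the profile being requested.
        raise ValueError(
            "Profile mismatch: cookie has %r, request has %r"
            % (data["profile"], requested_profile)
        )
    if not isinstance(data["cookie"], str):
        raise ValueError("Invalid cookie: %r" % env_value)
    return data


def dump_ca_cookie(profile, cookie):
    """Reconstruct CERTMONGER_CA_COOKIE at the end of the request."""
    return json.dumps({"profile": profile, "cookie": cookie})


def request_id_from_cookie(cookie):
    """Extract requestId from the inner cookie ("state=retrieve&requestId=20").

    Returns None for an empty cookie (no pending CA request to poll).
    Assumed helper; the real script hands the whole string to dogtag.
    """
    if not cookie:
        return None
    ids = parse_qs(cookie).get("requestId")
    return ids[0] if ids else None


def require_cookie_for_ca_poll(cookie):
    """Enforce the cookie only where it is really needed: a POLL against the
    CA for a pending request.  Polling LDAP for an updated cert needs none."""
    if not cookie:
        raise ValueError("Invalid cookie: %r" % cookie)
    return cookie


if __name__ == "__main__":
    # Constructed sample values, modelled on the commit message above.
    fresh = load_ca_cookie("", "caServerCert")
    print(fresh)  # {'profile': 'caServerCert', 'cookie': ''}
    pending = load_ca_cookie(
        '{"profile": "caServerCert", "cookie": "state=retrieve&requestId=20"}',
        "caServerCert",
    )
    print(request_id_from_cookie(pending["cookie"]))  # 20
    print(dump_ca_cookie("caServerCert", ""))
```

The check that matters for security is the profile comparison: a cookie that names a different profile than the one being requested is rejected before any state is forwarded to the CA, while the relaxed empty-cookie path only ever produces a cookie with no state.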
The tests for backup_and_restore check that the ipa-backup command compresses the tar file AFTER restarting IPA services by reading the output and looking for a pattern with "gzip" before "Starting IPA service." As the tar file name is randomly created, it sometimes happens that the name contains gzip and in this case the test wrongly assumes that the gzip cmd was called. The fix makes a stricter comparison, looking for /bin/gzip. Fixes: https://pagure.io/freeipa/issue/8170 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
`client` is not intended to be modified as a parameter of the AS check function. Fixes an "incompatible pointer type" compiler warning. Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
`vals` is often leaked during early exit. Refactor function to use a single exit path to prevent this. Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa_ldap_init(), ipa_tls_ssl_init(), and the bind operations of ipa-join and ipa-getkeytab now print LDAP error string and LDAP diagnostic messages to stderr. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The re.Pattern class was introduced in Python 3.7. Use duck-typing to distinguish between str and re pattern object. Fixes: https://pagure.io/freeipa/issue/8179 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Sergey Orlov <sorlov@redhat.com>
The test suite test_winsyncmigrate was missing in nightly definitions because CI was lacking configuration needed for establishing winsync agreement: the Certificate Authority needs to be configured on Windows AD instance. Now that PR-CI is updated to include said changes, we can start executing this test suite. It is not reasonable to add it to gating as this suite is time consuming just like other tests requiring provisioning of AD instances. Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Introduce a script that configures a local testing environment with ipa default.conf, krb5.conf, and ca.crt from a server hostname. The lite server configuration allows easy and convenient testing of IPA server and client code. It uses an existing 389-DS and KRB5 KDC server on another machine:

$ contrib/lite-setup.py master.ipa.example
$ source ~/.ipa/activate.sh
(ipaenv) $ kinit username
(ipaenv) $ make lite-server

IPA server UI is available on http://localhost:8888/ipa/

Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Rename job titles to match their test suites and how they are defined in nightly yamls. Issue : freeipa/freeipa-pr-ci#336 Signed-off-by: Gaurav Talreja <gtalreja@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Before removing a CA re-verify all the other CAs to ensure that the chain is not broken. Provide a force option to handle cases where the CA is expired or verification fails for some other reason, or you really just want them gone. https://pagure.io/freeipa/issue/8124 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This will allow for CA certificates to be dropped from the list of certificates. It also allows for the trust flags to be updated when an existing cert is dropped and re-added. https://pagure.io/freeipa/issue/8124 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This tests the following cases:
- deletion without nickname (expect fail)
- deletion with an unknown nickname (expect fail)
- deletion of IPA CA (expect fail)
- deletion of a root CA needed by a subCA (expect fail)
- deletion of a root CA needed by a subCA with --force (ok)
- deletion of a subca (ok)

As a side-effect this also tests install by installing the LE root and a sub-ca. The sub-ca expires in 2021 but I tested in the future; the ipa-cacert-manage install doesn't do date validation, so for now this is ok. https://pagure.io/freeipa/issue/8124 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Commit 49cf5ec fixed a bug that prevented migration from externally-signed to self-signed IPA CA. But it introduced a subtle new issue: certmonger-initiated renewal renews an externally-signed IPA CA as a self-signed CA. To resolve this issue, introduce the `--force-self-signed' flag for the dogtag-ipa-ca-renew-agent script. Add another certmonger CA definition that calls this script with the `--force-self-signed' flag. Update dogtag-ipa-ca-renew-agent to only issue a self-signed CA certificate if the existing certificate is self-signed or if `--force-self-signed' was given. Update `ipa-cacert-manage renew' to supply `--force-self-signed' when appropriate. As a result of these changes, certmonger-initiated renewal of an externally-signed IPA CA certificate will not issue a self-signed certificate. Fixes: https://pagure.io/freeipa/issue/8176 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Check that ipa-client-samba tool reports specific properties of domains: name, netbios name, sid and id range Related to https://pagure.io/freeipa/issue/8149 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Use a consistent way to label the tests. As a result, replace external_ca_1 with test_external_ca_TestExternalCA and external_ca_2 with test_external_ca_TestSelfExternalSelf to better reflect which subtest is executed. Issue : freeipa/freeipa-pr-ci#336 Signed-off-by: Gaurav Talreja <gtalreja@redhat.com> Reviewed-By: Sumedh Sidhaye <ssidhaye@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
In ac8865a22138ab0c657208c41be8fd6bc7968148 (between 1.17 and 1.18), krb5 removed this flag, and always accepts aliases. Related-to: https://pagure.io/freeipa/issue/7879 Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Provide stubs for backward compatibility. DAL 8.0 was released with krb5-1.18, which is part of Fedora 32+. Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Global Catalog is read-only. As result, we map any successfully authenticated SASL user to a DN of an object assigned read-only rights. Both full-qualified and name-only SASL mappings are required.
Global Catalog is read-only. We grant read-only access to a majority of objects in the GC tree to ldap:///all but the only object that will be allowed to access it is controlled by the SASL mapping to uid=read-only-principal,cn=configuration,$SUFFIX.
Remove (objectclass=*) target filter.
Two SASL mappings for fully qualified and non-fully qualified names can be combined into the one that works for both IPA and trusted AD users.
- make ipa-server-install work even if samba-client is not installed: currently ipa-server-install calls gc code to check if it needs to be uninstalled, and it creates a dependency on samba. Move the import so that there is no dependency on installation.
- make ipa-gc-install check that ad trust is installed
At the end of the global catalog install, update the DNS records with SRV records for the global catalog:
- _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs
- _ldap._tcp.gc._msdcs
- _gc._tcp.Default-First-Site-Name._sites
- _gc._tcp
At the end of the global catalog install, the --populate option allows to copy the users and groups from IdM to the GC.
AD is performing a search using showInAdvancedViewOnly attribute when looking for users/groups over the trust. This attribute is needed in the schema in order to add an ACI allowing its use.
The foreign security principals will be stored in this container in the GC.
When a group is copied from 389-ds instance to the global catalog, its groupType attribute depends on its type:
- posix groups are mapped to a security group/global
- external groups are mapped to a security group/domain-local
- non posix groups are mapped to a distribution group/global
The transformation library builds a SID for each user/group from the value of ipantsecurityidentifier, but some entries don't contain this attribute (for instance the non-posix groups). For these entries, the SID is created from the ipauniqueid and a special SID prefix S-1-738065- (ASCII codes of IPA concatenated).
In order to avoid later circular dependency.
LDAPUpdate is currently able to connect only to 389-DS instance. Modify the code to allow connection to a different instance, based on its instance name / serverid.
1. When the uninstaller is called but there is no GC, a scary message is printed. Modify the message so that it reflects the status with no need to raise any alarm.
2. If the uninstaller is called on a node where the main 389ds instance has already been uninstalled, trap the exception so that GC uninstaller proceeds anyway.
maven:3.5 module stream is enabled by default but contains non-installable slf4j package which makes Dogtag not-installable:

sh-5.0# dnf install freeipa-server-trust-ad
Last metadata expiration check: 0:07:47 ago on Tue Feb 11 08:31:39 2020.
Error:
 Problem: package pki-ca-10.7.3-6.fc32.noarch requires pki-server = 10.7.3, but none of the providers can be installed
  - package pki-server-10.7.3-6.fc32.noarch requires tomcatjss >= 7.4.1, but none of the providers can be installed
  - package freeipa-server-4.8.4-6.fc32.x86_64 requires pki-ca >= 10.7.3-1, but none of the providers can be installed
  - package tomcatjss-7.4.1-3.fc32.noarch requires slf4j-jdk14, but none of the providers can be installed
  - package freeipa-server-trust-ad-4.8.4-6.fc32.x86_64 requires freeipa-server = 4.8.4-6.fc32, but none of the providers can be installed
  - package slf4j-jdk14-1.7.30-1.fc32.noarch requires mvn(org.slf4j:slf4j-api) = 1.7.30, but none of the providers can be installed
  - conflicting requests
  - package slf4j-1.7.30-1.fc32.noarch is excluded
(try to add '--skip-broken' to skip uninstallable packages)
In containers, use FILE-based ccache for simple tests
NTP detection fails in Azure Pipeline-run containers. Do not set up NTP by default.
This reverts commit d77bc94.
This reverts commit d19ae28.
Based on freeipa/freeipa@master...stanislavlevin:azure_integration_tests, experiment with building multi-container environment for testing GC in Azure Pipelines.
Steps to be done: