authorTomas Babej <tbabej@redhat.com>2013-10-14 16:37:55 +0200
committerPetr Viktorin <pviktori@redhat.com>2013-10-25 13:51:59 +0200
commit81b5ac772f28efc7af250cfa600ef27492528b3a (patch)
tree917d63e1be9bdafc3026502bd9fbdf856fb66e6c /ipatests
parentb758be1f5152c8bb75d29e01655d311d9821059c (diff)
ipatests: Add AD integration test case
Part of: https://fedorahosted.org/freeipa/ticket/3834
Diffstat (limited to 'ipatests')
-rw-r--r--ipatests/test_integration/test_trust.py188
1 files changed, 188 insertions, 0 deletions
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
new file mode 100644
index 00000000..c5167301
--- /dev/null
+++ b/ipatests/test_integration/test_trust.py
@@ -0,0 +1,188 @@
+# Authors:
+# Tomas Babej <tbabej@redhat.com>
+#
+# Copyright (C) 2013 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import re
+
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration import tasks
+from ipatests.test_integration import util
+
+
+class ADTrustBase(IntegrationTest):
+ """Provides common checks for the AD trust integration testing."""
+
+ topology = 'line'
+ num_ad_domains = 1
+
+ @classmethod
+ def install(cls):
+ super(ADTrustBase, cls).install()
+ cls.ad = cls.ad_domains[0].ads[0]
+ cls.install_adtrust()
+ cls.check_sid_generation()
+ cls.configure_dns_and_time()
+
+ @classmethod
+ def install_adtrust(cls):
+ """Test adtrust support installation"""
+
+ tasks.install_adtrust(cls.master)
+
+ @classmethod
+ def check_sid_generation(cls):
+ """Test SID generation"""
+
+ command = ['ipa', 'user-show', 'admin', '--all', '--raw']
+
+ # TODO: remove duplicate definition and import from common module
+ _sid_identifier_authority = '(0x[0-9a-f]{1,12}|[0-9]{1,10})'
+ sid_regex = 'S-1-5-21-%(idauth)s-%(idauth)s-%(idauth)s'\
+ % dict(idauth=_sid_identifier_authority)
+ stdout_re = re.escape(' ipaNTSecurityIdentifier: ') + sid_regex
+
+ util.run_repeatedly(cls.master, command,
+ test=lambda x: re.search(stdout_re, x))
+
+ @classmethod
+ def configure_dns_and_time(cls):
+ tasks.configure_dns_for_trust(cls.master, cls.ad)
+ tasks.sync_time(cls.master, cls.ad)
+
+
+class TestBasicADTrust(ADTrustBase):
+ """Basic Integration test for Active Directory"""
+
+ def test_establish_trust(self):
+ """Tests establishing trust with Active Directory"""
+
+ tasks.establish_trust_with_ad(self.master, self.ad,
+ extra_args=['--range-type', 'ipa-ad-trust'])
+
+ def test_range_properties_in_nonposix_trust(self):
+ """Check the properties of the created range"""
+
+ range_name = self.ad.domain.name.upper() + '_id_range'
+ result = self.master.run_command(['ipa', 'idrange-show', range_name,
+ '--all', '--raw'])
+ assert " ipaRangeType: ipa-ad-trust" in result.stdout_text
+ assert " ipaIDRangeSize: 200000" in result.stdout_text
+
+ def test_user_gid_uid_resolution_in_nonposix_trust(self):
+ """Check that user has SID-generated UID"""
+
+ testuser = 'testuser@%s' % self.ad.domain.realm
+ result = self.master.run_command(['getent', 'passwd', testuser])
+
+ # This regex checks that Test User does not have UID 10042 nor belongs
+ # to the group with GID 10047
+ testuser_regex = "^testuser@%s:\*:(?!10042)(\d+):(?!10047)(\d+):"\
+ "Test User:/home/testuser:/bin/sh$"\
+ % re.escape(self.ad.domain.name)
+
+ assert re.search(testuser_regex, result.stdout_text)
+
+ def test_remove_nonposix_trust(self):
+ tasks.remove_trust_with_ad(self.master, self.ad)
+ tasks.clear_sssd_cache(self.master)
+
+
+class TestPosixADTrust(ADTrustBase):
+ """Integration test for Active Directory with POSIX support"""
+
+ def test_establish_trust_with_posix_attributes(self):
+ # Not specifying the --range-type directly, it should be detected
+ tasks.establish_trust_with_ad(self.master, self.ad)
+
+ def test_range_properties_in_posix_trust(self):
+ # Check the properties of the created range
+
+ range_name = self.ad.domain.name.upper() + '_id_range'
+
+ result = self.master.run_command(['ipa', 'idrange-show', range_name,
+ '--all', '--raw'])
+
+ # Check the range type and size
+ assert " ipaRangeType: ipa-ad-trust-posix" in result.stdout_text
+ assert " ipaIDRangeSize: 200000" in result.stdout_text
+
+ def test_user_uid_gid_resolution_in_posix_trust(self):
+ # Check that user has AD-defined UID
+
+ testuser = 'testuser@%s' % self.ad.domain.realm
+ result = self.master.run_command(['getent', 'passwd', testuser])
+
+ testuser_stdout = "testuser@%s:*:10042:10047:"\
+ "Test User:/home/testuser:/bin/sh"\
+ % self.ad.domain.name
+
+ assert testuser_stdout in result.stdout_text
+
+ def test_user_without_posix_attributes_not_visible(self):
+ # Check that user has AD-defined UID
+
+ nonposixuser = 'nonposixuser@%s' % self.ad.domain.realm
+ result = self.master.run_command(['getent', 'passwd', nonposixuser],
+ raiseonerr=False)
+
+ # Getent exits with 2 for non-existent user
+ assert result.returncode == 2
+
+ def test_remove_trust_with_posix_attributes(self):
+ tasks.remove_trust_with_ad(self.master, self.ad)
+ tasks.clear_sssd_cache(self.master)
+
+
+class TestEnforcedPosixADTrust(TestPosixADTrust):
+ """
+ This test is intented to copycat PosixADTrust, since enforcing the POSIX
+ trust type should not make a difference.
+ """
+
+ def test_establish_trust_with_posix_attributes(self):
+ tasks.establish_trust_with_ad(self.master, self.ad,
+ extra_args=['--range-type', 'ipa-ad-trust-posix'])
+
+
+class TestInvalidRangeTypes(ADTrustBase):
+ """
+ Tests invalid values being put into trust-add command.
+ """
+
+ def test_invalid_range_types(self):
+
+ invalid_range_types = ['ipa-local',
+ 'ipa-ad-winsync',
+ 'ipa-ipa-trust',
+ 'random-invalid',
+ 're@ll%ybad12!']
+
+ for range_type in invalid_range_types:
+ tasks.kinit_admin(self.master)
+
+ result = self.master.run_command(
+ ['ipa', 'trust-add',
+ '--type', 'ad', self.ad.domain.name,
+ '--admin', 'Administrator',
+ '--range-type', range_type,
+ '--password'],
+ raiseonerr=False,
+ stdin_text=self.master.config.ad_admin_password)
+
+ # The trust-add command is supposed to fail
+ assert result.returncode == 1
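Review bot: In `test_invalid_range_types` the only check is `assert result.returncode == 1`, so the test also passes when `trust-add` fails for an unrelated reason (wrong AD admin password, unreachable AD host, failed `kinit_admin`) and never shows that the `--range-type` value itself was rejected. As this is the negative test for input validation on a trust-establishing command, it should also assert that the error output names the range type as the cause, for example by checking the result's stderr (presumably `result.stderr_text`, by analogy with `stdout_text`) against the validation message, whose exact text is not visible in this diff. If an invalid type is ever accepted, the assertion fails but the trust stays established, because this class has no removal step like the `tasks.remove_trust_with_ad(self.master, self.ad)` call in the other classes. Separately, the comment in `test_user_without_posix_attributes_not_visible` is copied from the previous test; `# Check that a user without POSIX attributes is not resolved` matches what is asserted.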