path: root/ipatests
Commit message | Author | Age | Files | Lines
...
* Remove "Request Certificate with SubjectAltName" permission | Fraser Tweedale | 2016-12-21 | 1 | -1/+1
  subjectAltName is required or relevant in most certificate use cases
  (esp. TLS, where carrying DNS name in Subject DN CN attribute is
  deprecated). Therefore it does not really make sense to have a special
  permission for this, over and above "request certificate" permission.
  Furthermore, we already do rigorously validate SAN contents against the
  subject principal, and the permission is waived for self-service
  requests or if the operator is a host principal.
  So remove the permission, the associated virtual operation, and the
  associated code in cert_request.
  Fixes: https://fedorahosted.org/freeipa/ticket/6526
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Remove named-pkcs11 workarounds from DNSSEC tests. | Petr Spacek | 2016-12-19 | 1 | -82/+0
  As far as I can tell the tests are passing for some time in Jenkins so
  maybe a bug in some underlying component was fixed.
  Let's remove workarounds to make tests actually test real setups.
  https://fedorahosted.org/freeipa/ticket/5348
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add a basic test suite for `kadmin.local` interface | Martin Babinsky | 2016-12-16 | 1 | -0/+125
  This small integration suite tests some basic operations using
  kadmin.local interface on services in both kerberos and services
  subtree.
  https://fedorahosted.org/freeipa/ticket/6561
  Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
* tests: Expect krbpwdpolicyreference in result of {host,service}-{find,show} --all | David Kupka | 2016-12-14 | 4 | -2/+58
  Result of {host,service}-{find,show} commands with option '--all'
  always contains krbpwpolicyreference attributes.
  https://fedorahosted.org/freeipa/ticket/6561
  Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
* Add options to write lightweight CA cert or chain to file | Fraser Tweedale | 2016-12-12 | 2 | -7/+41
  Administrators need a way to retrieve the certificate or certificate
  chain of an IPA-managed lightweight CA. Add params to the `ca' object
  for carrying the CA certificate and chain (as multiple DER values).
  Add the `--chain' flag for including the chain in the result (chain is
  also included with `--all'). Add the `--certificate-out' option for
  writing the certificate to a file (or the chain, if `--chain' was
  given).
  Fixes: https://fedorahosted.org/freeipa/ticket/6178
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* Test: uniqueness of certificate renewal master | Oleg Fayans | 2016-12-08 | 1 | -0/+42
  https://fedorahosted.org/freeipa/ticket/6504
  Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* cert-request: match names against principal aliases | Fraser Tweedale | 2016-12-06 | 1 | -12/+73
  Currently we do not check Kerberos principal aliases when validating a
  CSR. Enhance cert-request to accept the following scenarios:
  - for hosts and services: CN and SAN dnsNames match a principal alias
    (realm and service name must be same as nominated principal)
  - for all principal types: UPN or KRB5PrincipalName othername match
    any principal alias.
  Fixes: https://fedorahosted.org/freeipa/ticket/6295
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
  Reviewed-By: Milan Kubik <mkubik@redhat.com>
* Fetch correct exception in IPA_CONFDIR test | Christian Heimes | 2016-12-05 | 1 | -2/+1
  fixes c2934aaa
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use env var IPA_CONFDIR to get confdir | Christian Heimes | 2016-12-02 | 2 | -2/+44
  The environment variable IPA_CONFDIR overrides the default confdir
  path. The value of the environment variable must be an absolute path
  to an existing directory. The new variable makes it much simpler to
  use the 'ipa' command and ipalib with a local configuration directory.
  Some scripts (e.g. servers, installers, and upgrades) set the confdir
  explicitly and do not support the env var.
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove import of ipaplatform.paths from test_ipalib | Christian Heimes | 2016-12-02 | 1 | -5/+4
  ipalib's env bootstrapping uses hard-coded defaults, too.
  https://fedorahosted.org/freeipa/ticket/6474
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Remove BIN_FALSE and BIN_TRUE | Christian Heimes | 2016-12-02 | 1 | -4/+4
  https://fedorahosted.org/freeipa/ticket/6474
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Test: basic kerberos over http functionality | Oleg Fayans | 2016-11-30 | 1 | -0/+58
  https://fedorahosted.org/freeipa/ticket/6446
  Reviewed-By: Milan Kubik <mkubik@redhat.com>
* Test: made kinit_admin a returning function | Oleg Fayans | 2016-11-30 | 1 | -2/+2
  In some cases we need to check the result of kinit and print out the
  error message. Therefore we need it to return the result.
  Reviewed-By: Milan Kubik <mkubik@redhat.com>
* Adjustments for setup requirements | Christian Heimes | 2016-11-30 | 1 | -9/+9
  * Fix some typos, missing or surplus dependencies.
  * Remove setup requirement on wheel since it triggers download.
  ipatests is now installable. Tests need further changes to be runnable.
  https://fedorahosted.org/freeipa/ticket/6468
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Enhance __repr__ method of Principal | Martin Babinsky | 2016-11-30 | 1 | -0/+2
  `__repr__` now returns more descriptive string containing the actual
  principal name while keeping the ability to reconstruct the object
  from it.
  This makes principal names visible in debug logs, easing
  troubleshooting a bit.
  https://fedorahosted.org/freeipa/ticket/6505
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
* tests: Added basic tests for certs in idoverrides | Oleg Fayans | 2016-11-29 | 1 | -0/+82
  https://fedorahosted.org/freeipa/ticket/6412
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Milan Kubik <mkubik@redhat.com>
* Created idview tracker | Oleg Fayans | 2016-11-29 | 1 | -0/+116
  Needed for basic certs in idoverrides tests
  https://fedorahosted.org/freeipa/ticket/6412
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Milan Kubik <mkubik@redhat.com>
* ipautil: move kinit functions to ipalib.install | Jan Cholasta | 2016-11-29 | 1 | -3/+2
  kinit_password() depends on ipaplatform.
  Move kinit_password() as well as kinit_keytab() to a new
  ipalib.install.kinit module, as they are used only from installers.
  https://fedorahosted.org/freeipa/ticket/6474
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* ipapython: move dnssec, p11helper and secrets to ipaserver | Jan Cholasta | 2016-11-29 | 3 | -4/+4
  The dnssec and secrets subpackages and the p11helper module depend on
  ipaplatform.
  Move them to ipaserver as they are used only on the server.
  https://fedorahosted.org/freeipa/ticket/6474
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Improve the robustness FreeIPA's i18n module and its tests | Martin Babinsky | 2016-11-28 | 2 | -7/+32
  Prevent false positive errors reported by `ipatests/i18n.py` and
  `ipatests/test_ipalib/test_text.py` when LANGUAGE env variable is set
  in the environment. Additionally, also set LC_ALL and LC_MESSAGES
  during checks to further improve the robustness.
  https://fedorahosted.org/freeipa/ticket/6512
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix Python 3 bugs discovered by pylint | Christian Heimes | 2016-11-25 | 5 | -7/+16
  In Python 3 exception instances no longer have a message attribute.
  For most exceptions, str(e) or string formatting give the same result.
  Fix some renamed modules, module members and functions.
  https://fedorahosted.org/freeipa/ticket/4985
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Python3 pylint fixes | Christian Heimes | 2016-11-25 | 1 | -1/+1
  Sprinkle 'pylint disable' comments over the code base to silence a
  bunch of pylint warnings on Python 3. All silenced warnings are
  harmless and not bugs.
  https://fedorahosted.org/freeipa/ticket/4985
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add main guards to a couple of Python scripts | Christian Heimes | 2016-11-24 | 1 | -12/+0
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Build: integrate translation system tests again | Petr Spacek | 2016-11-22 | 1 | -1/+4
  The Makefile test targets were lost when gettextize infrastructure
  was introduced. Now it is re-added in its modernized form which counts
  with generated .pot files.
  ipatests/i18n.py is now explicitly setting character encoding in files
  it generates. According to gettext manual chapter "Filling in the
  Header Entry" the Content-Type header is language-specific so it does
  not make sense to fill it in in .pot file.
  https://fedorahosted.org/freeipa/ticket/6418
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
* tests: Mark 389-ds acceptance tests | David Kupka | 2016-11-22 | 2 | -0/+4
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* tests: Mark Dogtag acceptance tests | David Kupka | 2016-11-22 | 2 | -0/+2
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipapython and ipatest no longer require lxml | Christian Heimes | 2016-11-17 | 1 | -1/+0
  Commits 64af88fe and 9fbd29cc have removed dependency on lxml.
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Port ipapython.dnssec.odsmgr to xml.etree | Christian Heimes | 2016-11-16 | 1 | -0/+41
  The module ipapython.dnssec.odsmgr is the only module in ipalib,
  ipaclient, ipapython and ipaplatform that uses lxml.etree.
  https://fedorahosted.org/freeipa/ticket/6469
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add install requirements to Python packages | Christian Heimes | 2016-11-16 | 1 | -1/+24
  https://fedorahosted.org/freeipa/ticket/6468
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Build: remove incorrect use of MAINTAINERCLEANFILES | Petr Spacek | 2016-11-16 | 1 | -4/+0
  Automake manual section 13 What Gets Cleaned says that make
  maintainer-clean should not remove files necessary for subsequent runs
  of ./configure.
  It practically means that all usage of MAINTAINERCLEANFILES were
  incorrect so I've removed them.
  https://fedorahosted.org/freeipa/ticket/6418
  Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Document make_delete_command method in UserTracker | Lenka Doudova | 2016-11-15 | 1 | -3/+13
  https://fedorahosted.org/freeipa/ticket/6485
  Reviewed-By: Milan Kubik <mkubik@redhat.com>
* Tests: Providing trust tests with tree root domain | Lenka Doudova | 2016-11-15 | 2 | -15/+97
  https://fedorahosted.org/freeipa/ticket/6347
  Reviewed-By: Ganna Kaihorodova <gkaihoro@redhat.com>
* Test for installing rules with service principals | Oleg Fayans | 2016-11-14 | 1 | -0/+82
  https://fedorahosted.org/freeipa/ticket/6481
  Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
* Test: integration tests for certs in idoverrides feature | Oleg Fayans | 2016-11-14 | 1 | -0/+156
  https://fedorahosted.org/freeipa/ticket/6005
  Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
* Added interface to certutil | Oleg Fayans | 2016-11-14 | 1 | -0/+7
  Added generic method to run certutil with arbitrary set of parameters
  Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
* ipatests: Fix assert_deepequal outside of pytest process | Milan Kubík | 2016-11-14 | 1 | -1/+6
  https://fedorahosted.org/freeipa/ticket/6420
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* TESTS: Update group type name | Pavel Vomacka | 2016-11-14 | 1 | -1/+1
  As the group type has been changed from 'normal' to 'nonposix' we need
  to update this information also in tests.
  https://fedorahosted.org/freeipa/ticket/6334
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Tests: Verify that validity info is present in cert-show and cert-find command | Lenka Doudova | 2016-11-14 | 1 | -0/+4
  https://fedorahosted.org/freeipa/ticket/6419
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Tests: Provide AD cleanup for legacy client tests | Lenka Doudova | 2016-11-14 | 1 | -0/+4
  Providing cleanup of trust information from AD machines for legacy
  client tests.
  https://fedorahosted.org/freeipa/ticket/6396
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Tests: Provide AD cleanup for trust tests | Lenka Doudova | 2016-11-14 | 2 | -0/+14
  Providing cleanup of trust information from AD machines for trusts
  tests.
  https://fedorahosted.org/freeipa/ticket/6396
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Refactor installer code requesting certificates | Florence Blanc-Renaud | 2016-11-10 | 1 | -0/+1
  - Temporarily modify certmonger dogtag-ipa-ca-renew helper to request
    the IPA RA agent cert, using the temp cert created during pkispawn.
    The cert request is now processed through certmonger, and the helper
    arguments are restored once the agent cert is obtained.
  - Modify the installer code creating HTTP and LDAP certificates to use
    certmonger's IPA helper with temporary parameters (calling
    dogtag-submit instead of ipa-submit)
  - Clean-up for the integration tests: sometimes ipa renewal.lock is not
    released during ipa-server-uninstall. Make sure that the file is
    removed to allow future installations.
  https://fedorahosted.org/freeipa/ticket/6433
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* Automated ipa-replica-manage del tests | Oleg Fayans | 2016-11-10 | 1 | -0/+72
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Milan Kubik <mkubik@redhat.com>
* tests: Automated clean-ruv subcommand tests | Oleg Fayans | 2016-11-10 | 1 | -0/+71
  https://fedorahosted.org/freeipa/ticket/6451
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Milan Kubik <mkubik@redhat.com>
* x509: use python-cryptography to process certs | Fraser Tweedale | 2016-11-10 | 3 | -52/+26
  Update x509.load_certificate and related functions to return
  python-cryptography ``Certificate`` objects. Update the call sites
  accordingly, including removal of NSS initialisation code.
  Also update GeneralName parsing code to return python-cryptography
  GeneralName values, for consistency with other code that processes
  GeneralNames. The new function, `get_san_general_names`, and
  associated helper functions, can be removed when python-cryptography
  provides a way to deal with unrecognised critical extensions.
  Part of: https://fedorahosted.org/freeipa/ticket/6398
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* pkcs10: use python-cryptography for CSR processing | Fraser Tweedale | 2016-11-10 | 1 | -39/+54
  Update ``ipalib.pkcs10`` module to use python-cryptography for CSR
  processing instead of NSS.
  Part of: https://fedorahosted.org/freeipa/ticket/6398
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* dn: support conversion from python-cryptography Name | Fraser Tweedale | 2016-11-10 | 1 | -2/+21
  The upcoming change to using python-cryptography for certificate
  process will require a way to convert
  ``cryptography.x509.name.Name`` values to ``ipapython.dn.DN``.
  Update the ``DN`` constructor to accept a ``Name``.
  Part of: https://fedorahosted.org/freeipa/ticket/6398
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* test_ipagetkeytab: use system-wide IPA CA cert location in tests | Martin Babinsky | 2016-11-09 | 1 | -1/+2
  Since /etc/ipa/ca.crt should be always present on the test runner, we
  should use it in bind method tests and not rely on its presence in
  user conf dir.
  https://fedorahosted.org/freeipa/ticket/6409
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Build: do not compress manual pages at install time | Petr Spacek | 2016-11-09 | 1 | -3/+0
  At the time of this writing
  https://fedoraproject.org/wiki/Packaging:Guidelines#Manpages
  says this:
    When installing man pages, note that they should be installed
    uncompressed as the build system will compress them as needed. The
    compression method may change, so it is important to reference the
    pages in the %files section with a pattern that takes this into
    account:
        %{_mandir}/man1/foo.1*
  Removing the compression also allows to remove several
  install-data-hook targets from Makefile.am files.
  https://fedorahosted.org/freeipa/ticket/6418
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Build: fix distribution of static files for web UI | Petr Spacek | 2016-11-09 | 1 | -0/+2
  Static files from Git which are not touched by the build system have
  to be explicitly listed in Makefile.am so they get into tarball.
  EXTRA_DIST lists whole sub-directories with static files. This is not
  ideal but we do not have enough time to fix it properly.
  Dojo builder patch files were renamed to shorten their name. The
  original names were exceeding autotools length limit.
  https://fedorahosted.org/freeipa/ticket/6418
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Build: fix man page distribution | Petr Spacek | 2016-11-09 | 1 | -1/+1
  By default automake does not distribute man pages. This marks them
  with dist_ prefix to force their distribution in tarball.
  https://fedorahosted.org/freeipa/ticket/6418
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Christian Heimes <cheimes@redhat.com>