-
Notifications
You must be signed in to change notification settings - Fork 256
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Tests: Add support for IPA IPA Trust #7517
base: master
Are you sure you want to change the base?
Tests: Add support for IPA IPA Trust #7517
Conversation
596880a
to
fd8ef2f
Compare
8abd754
to
644678a
Compare
d92d5a9
to
c2ef19c
Compare
Hi, I added blocked label since I think we should not merge it until new IPA is released. We should also add conditional skip based on feature detection. |
c2ef19c
to
38cf052
Compare
Updated |
38cf052
to
f32ac30
Compare
f32ac30
to
7a3115d
Compare
7a3115d
to
d9f952d
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Passing,
============================= test session starts ==============================
collecting ...
Selected tests will use the following hosts:
client: client.test
ad: dc.ad.test
samba: dc.samba.test
ipa: master.ipa.test
ipa: master2.ipa2.test
collected 586 items / 580 deselected / 6 selected
tests/test_ipa_trusts.py::test_ipa_trusts__lookup_group_without_sid (ipa-trust-ad)
tests/test_ipa_trusts.py::test_ipa_trusts__ipa_master_lookup_trusted_user (ipa-trust-ad)
tests/test_ipa_trusts.py::test_ipa_trusts__ipa_master_lookup_trusted_user (ipa-trust-ipa)
tests/test_ipa_trusts.py::test_ipa_trusts__lookup_trusted_user (ipa-trust-ipa)
tests/test_ipa_trusts.py::test_ipa_trusts__lookup_group_without_sid (ipa-trust-samba)
tests/test_ipa_trusts.py::test_ipa_trusts__ipa_master_lookup_trusted_user (ipa-trust-samba) PASSED [ 16%]PASSED [ 33%]PASSED [ 50%]PASSED [ 66%]PASSED [ 83%]PASSED [100%]
================ 6 passed, 580 deselected in 574.83s (0:09:34) =================
Process finished with exit code 0
Some minor changes but it looks good, thank you Justin
:customerscenario: True | ||
""" | ||
client.sssd.clear(db=True, memcache=True, logs=True) | ||
client.sssd.restart() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We have updated the method, you can merge 105-106 with client.sssd.restart(clean=True)
, applies to line 79-80 as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
username = trusted.admin_fqn | ||
|
||
id_user = client.tools.id(username) | ||
assert id_user is not None |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you provide an error message please, assert id_user is not None, "User is not found!"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
|
||
id_user = client.tools.id(username) | ||
assert id_user is not None | ||
assert id_user.user.name == username |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same, Username does not match!
All the assertions, line, 86,87,119 and 120
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
d9f952d
to
8d0e39f
Compare
config: | ||
client: | ||
ipa_domain: ipa2.test | ||
krb5_keytab: /enrollment/ipa2.test.keytab |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is most probably wrong as there is no code to enroll client to ipa2 in SSSD/sssd-ci-containers#106
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't know if we plan to add any enrollment of systems into IPA2 domain. If not, can this whole part be removed?
config:
client:
ipa_domain: ipa2.test
krb5_keytab: /enrollment/ipa2.test.keytab
ldap_krb5_keytab: /enrollment/ipa2.test.keytab
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, I don't think we need to enroll tests into ipa2.
@@ -60,3 +61,58 @@ def test_ipa_trusts__lookup_group_without_sid(ipa: IPA, trusted: GenericADProvid | |||
status = ipa.sssctl.domain_status(trusted.domain, online=True) | |||
assert "online status: offline" not in status.stdout.lower(), "AD domain went offline!" | |||
assert "online status: online" in status.stdout.lower(), "AD domain was not online!" | |||
|
|||
|
|||
@pytest.mark.importance("low") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should have at least on test that will cover ipa-ipa trust feature that is high or critical to land in the gating.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would like to ask @danlavu to take care of this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm writing a test for ipa - adtrust, we should be able to parameterize it. https://github.com/SSSD/sssd/pull/7779/files , basic auth.
""" | ||
:title: Basic IPA-IPA Trust lookup on IPA server | ||
:setup: | ||
1. Restart SSSD and clear cache on IPA server |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These tests should have requirement matching the RHEL-XXX jira name to link the test to requirement that will be created in polarion.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added @pytest.mark.ticket(jira="RHEL-14752")
to the 2 newly added tests.
|
||
|
||
@pytest.mark.importance("low") | ||
@pytest.mark.topology(KnownTopologyGroup.AnyIPATrust) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There should be a pytest.ticket linking to relevant jiras.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added @pytest.mark.ticket(jira="RHEL-14752")
to the 2 newly added tests.
assert id_user.user.name == username, "Username does not match" | ||
|
||
|
||
@pytest.mark.importance("low") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks like importance medium to me.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
# Resolve group | ||
groupname = trusted.fqn("admins") | ||
|
||
getent_group = client.tools.getent.group(groupname) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would move this before all of the asserts so we can see if group resolution works when something fails for user resolution.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
|
||
getent_group = client.tools.getent.group(groupname) | ||
assert getent_group is not None | ||
assert getent_group.name == groupname |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am missing a testcase that will authenticate (su, ssh) as a normal user from the trusted domain.
(possibly parametrized for short username and fqn.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would like to ask @danlavu to take care of this.
|
||
id_user = client.tools.id(username) | ||
assert id_user is not None, "Trusted admin user not found" | ||
assert id_user.user.name == username, "Username does not match" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should check group membership for the user.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See inline.
8d0e39f
to
af145e8
Compare
af145e8
to
a55729e
Compare
Add tests for new IPA Trust topologies in SSSD test framework.
Linked PRs:
SSSD/sssd-ci-containers#106
SSSD/sssd-test-framework#119