Tests: Add support for IPA IPA Trust #7517
Conversation
justin-stephenson
force-pushed
the
ipa_ipa_trust_tests
branch
from
596880a to
fd8ef2f
Compare
justin-stephenson
force-pushed
the
ipa_ipa_trust_tests
branch
2 times, most recently
from
8abd754 to
644678a
Compare
justin-stephenson
force-pushed
the
ipa_ipa_trust_tests
branch
4 times, most recently
from
d92d5a9 to
c2ef19c
Compare
|
Hi, I added blocked label since I think we should not merge it until new IPA is released. We should also add conditional skip based on feature detection. |
justin-stephenson
force-pushed
the
ipa_ipa_trust_tests
branch
from
c2ef19c to
38cf052
Compare
|
Updated |
justin-stephenson
force-pushed
the
ipa_ipa_trust_tests
branch
from
38cf052 to
f32ac30
Compare
justin-stephenson
force-pushed
the
ipa_ipa_trust_tests
branch
from
f32ac30 to
7a3115d
Compare
justin-stephenson
force-pushed
the
ipa_ipa_trust_tests
branch
from
7a3115d to
d9f952d
Compare
There was a problem hiding this comment.
Passing,
============================= test session starts ==============================
collecting ...
Selected tests will use the following hosts:
client: client.test
ad: dc.ad.test
samba: dc.samba.test
ipa: master.ipa.test
ipa: master2.ipa2.test
collected 586 items / 580 deselected / 6 selected
tests/test_ipa_trusts.py::test_ipa_trusts__lookup_group_without_sid (ipa-trust-ad)
tests/test_ipa_trusts.py::test_ipa_trusts__ipa_master_lookup_trusted_user (ipa-trust-ad)
tests/test_ipa_trusts.py::test_ipa_trusts__ipa_master_lookup_trusted_user (ipa-trust-ipa)
tests/test_ipa_trusts.py::test_ipa_trusts__lookup_trusted_user (ipa-trust-ipa)
tests/test_ipa_trusts.py::test_ipa_trusts__lookup_group_without_sid (ipa-trust-samba)
tests/test_ipa_trusts.py::test_ipa_trusts__ipa_master_lookup_trusted_user (ipa-trust-samba) PASSED [ 16%]PASSED [ 33%]PASSED [ 50%]PASSED [ 66%]PASSED [ 83%]PASSED [100%]
================ 6 passed, 580 deselected in 574.83s (0:09:34) =================
Process finished with exit code 0
Some minor changes but it looks good, thank you Justin
| :customerscenario: True | ||
| """ | ||
| client.sssd.clear(db=True, memcache=True, logs=True) | ||
| client.sssd.restart() |
There was a problem hiding this comment.
We have updated the method, you can merge 105-106 with client.sssd.restart(clean=True) , applies to line 79-80 as well.
| username = trusted.admin_fqn | ||
|
|
||
| id_user = client.tools.id(username) | ||
| assert id_user is not None |
There was a problem hiding this comment.
Can you provide an error message please, assert id_user is not None, "User is not found!"
|
|
||
| id_user = client.tools.id(username) | ||
| assert id_user is not None | ||
| assert id_user.user.name == username |
There was a problem hiding this comment.
Same, Username does not match!
All the assertions, line, 86,87,119 and 120
justin-stephenson
force-pushed
the
ipa_ipa_trust_tests
branch
from
d9f952d to
8d0e39f
Compare
| config: | ||
| client: | ||
| ipa_domain: ipa2.test | ||
| krb5_keytab: /enrollment/ipa2.test.keytab |
There was a problem hiding this comment.
This is most probably wrong as there is no code to enroll client to ipa2 in SSSD/sssd-ci-containers#106
There was a problem hiding this comment.
I don't know if we plan to add any enrollment of systems into IPA2 domain. If not, can this whole part be removed?
config:
client:
ipa_domain: ipa2.test
krb5_keytab: /enrollment/ipa2.test.keytab
ldap_krb5_keytab: /enrollment/ipa2.test.keytab
There was a problem hiding this comment.
No, I don't think we need to enroll tests into ipa2.
| @@ -60,3 +61,58 @@ def test_ipa_trusts__lookup_group_without_sid(ipa: IPA, trusted: GenericADProvid | |||
| status = ipa.sssctl.domain_status(trusted.domain, online=True) | |||
| assert "online status: offline" not in status.stdout.lower(), "AD domain went offline!" | |||
| assert "online status: online" in status.stdout.lower(), "AD domain was not online!" | |||
|
|
|||
|
|
|||
| @pytest.mark.importance("low") | |||
There was a problem hiding this comment.
We should have at least on test that will cover ipa-ipa trust feature that is high or critical to land in the gating.
There was a problem hiding this comment.
I would like to ask @danlavu to take care of this.
There was a problem hiding this comment.
I'm writing a test for ipa - adtrust, we should be able to parameterize it. https://github.com/SSSD/sssd/pull/7779/files , basic auth.
| """ | ||
| :title: Basic IPA-IPA Trust lookup on IPA server | ||
| :setup: | ||
| 1. Restart SSSD and clear cache on IPA server |
There was a problem hiding this comment.
These tests should have requirement matching the RHEL-XXX jira name to link the test to requirement that will be created in polarion.
There was a problem hiding this comment.
Added @pytest.mark.ticket(jira="RHEL-14752") to the 2 newly added tests.
|
|
||
|
|
||
| @pytest.mark.importance("low") | ||
| @pytest.mark.topology(KnownTopologyGroup.AnyIPATrust) |
There was a problem hiding this comment.
There should be a pytest.ticket linking to relevant jiras.
There was a problem hiding this comment.
Added @pytest.mark.ticket(jira="RHEL-14752") to the 2 newly added tests.
| assert id_user.user.name == username, "Username does not match" | ||
|
|
||
|
|
||
| @pytest.mark.importance("low") |
There was a problem hiding this comment.
This looks like importance medium to me.
| # Resolve group | ||
| groupname = trusted.fqn("admins") | ||
|
|
||
| getent_group = client.tools.getent.group(groupname) |
There was a problem hiding this comment.
I would move this before all of the asserts so we can see if group resolution works when something fails for user resolution.
|
|
||
| getent_group = client.tools.getent.group(groupname) | ||
| assert getent_group is not None | ||
| assert getent_group.name == groupname |
There was a problem hiding this comment.
I am missing a testcase that will authenticate (su, ssh) as a normal user from the trusted domain.
(possibly parametrized for short username and fqn.)
There was a problem hiding this comment.
I would like to ask @danlavu to take care of this.
|
|
||
| id_user = client.tools.id(username) | ||
| assert id_user is not None, "Trusted admin user not found" | ||
| assert id_user.user.name == username, "Username does not match" |
There was a problem hiding this comment.
We should check group membership for the user.
justin-stephenson
force-pushed
the
ipa_ipa_trust_tests
branch
from
8d0e39f to
af145e8
Compare
justin-stephenson
force-pushed
the
ipa_ipa_trust_tests
branch
from
af145e8 to
a55729e
Compare
Add tests for new IPA Trust topologies in SSSD test framework.
Linked PRs:
SSSD/sssd-ci-containers#106
SSSD/sssd-test-framework#119