From 0edf915efbb39fac45c784171dd715ec6b28861a Mon Sep 17 00:00:00 2001

From: Sumedh Sidhaye <ssidhaye@redhat.com>

Date: Fri, 14 Jan 2022 19:55:13 +0530

Subject: [PATCH] Added test automation for SHA384withRSA CSR support

Scenario 1:

Setup master with --ca-signing-algorithm=SHA384withRSA

Run certutil and check Signing Algorithm

Scenario 2:

Setup a master

Stop services

Modify default.params.signingAlg in CS.cfg

Restart services

Resubmit cert (Resubmitted cert should have new Algorithm)

Pagure Link: https://pagure.io/freeipa/issue/8906

Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

Reviewed-By: Antonio Torres <antorres@redhat.com>

---

 .../test_integration/test_installation.py     | 63 +++++++++++++++++++

 1 file changed, 63 insertions(+)

diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py

index 0947241ae..f2d372c0c 100644

--- a/ipatests/test_integration/test_installation.py

+++ b/ipatests/test_integration/test_installation.py

@@ -34,6 +34,7 @@ from ipatests.pytest_ipa.integration import tasks

 from ipatests.pytest_ipa.integration.env_config import get_global_config

 from ipatests.test_integration.base import IntegrationTest

 from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup

+from ipatests.test_integration.test_cert import get_certmonger_fs_id

 from ipaplatform import services

@@ -1916,3 +1917,65 @@ class TestInstallWithoutNamed(IntegrationTest):

         tasks.install_replica(

             self.master, self.replicas[0], setup_ca=False, setup_dns=False

         )

+

+

+class TestInstallwithSHA384withRSA(IntegrationTest):

+    num_replicas = 0

+

+    def test_install_master_withalgo_sha384withrsa(self, server_cleanup):

+        tasks.install_master(

+            self.master,

+            extra_args=['--ca-signing-algorithm=SHA384withRSA'],

+        )

+

+        # check Signing Algorithm post installation

+        dashed_domain = self.master.domain.realm.replace(".", '-')

+        cmd_args = ['certutil', '-L', '-d',

+                    '/etc/dirsrv/slapd-{}/'.format(dashed_domain),

+                    '-n', 'Server-Cert']

+        result = self.master.run_command(cmd_args)

+        assert 'SHA-384 With RSA Encryption' in result.stdout_text

+

+    def test_install_master_modify_existing(self, server_cleanup):

+        """

+        Setup a master

+        Stop services

+        Modify default.params.signingAlg in CS.cfg

+        Restart services

+        Resubmit cert (Resubmitted cert should have new Algorithm)

+        """

+        tasks.install_master(self.master)

+        self.master.run_command(['ipactl', 'stop'])

+        cs_cfg_content = self.master.get_file_contents(paths.CA_CS_CFG_PATH,

+                                                       encoding='utf-8')

+        new_lines = []

+        replace_str = "ca.signing.defaultSigningAlgorithm=SHA384withRSA"

+        ocsp_rep_str = "ca.ocsp_signing.defaultSigningAlgorithm=SHA384withRSA"

+        for line in cs_cfg_content.split('\n'):

+            if line.startswith('ca.signing.defaultSigningAlgorithm'):

+                new_lines.append(replace_str)

+            elif line.startswith('ca.ocsp_signing.defaultSigningAlgorithm'):

+                new_lines.append(ocsp_rep_str)

+            else:

+                new_lines.append(line)

+        self.master.put_file_contents(paths.CA_CS_CFG_PATH,

+                                      '\n'.join(new_lines))

+        self.master.run_command(['ipactl', 'start'])

+

+        cmd = ['getcert', 'list', '-f', paths.RA_AGENT_PEM]

+        result = self.master.run_command(cmd)

+        request_id = get_certmonger_fs_id(result.stdout_text)

+

+        # resubmit RA Agent cert

+        cmd = ['getcert', 'resubmit', '-f', paths.RA_AGENT_PEM]

+        self.master.run_command(cmd)

+

+        tasks.wait_for_certmonger_status(self.master,

+                                         ('CA_WORKING', 'MONITORING'),

+                                         request_id)

+

+        cmd_args = ['openssl', 'x509', '-in',

+                    paths.RA_AGENT_PEM, '-noout', '-text']

+        result = self.master.run_command(cmd_args)

+        assert_str = 'Signature Algorithm: sha384WithRSAEncryption'

+        assert assert_str in result.stdout_text

-- 

2.34.1

From 8b22ee018c3bb7f58a1b6694a7fd611688f8e74f Mon Sep 17 00:00:00 2001

From: Sumedh Sidhaye <ssidhaye@redhat.com>

Date: Thu, 25 Nov 2021 17:48:20 +0530

Subject: [PATCH] Extend test to see if replica is not shown when running

 `ipa-replica-manage list -v <FQDN>`

Related: https://pagure.io/freeipa/issue/8605

Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

---

 ipatests/test_integration/test_simple_replication.py | 3 ++-

 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipatests/test_integration/test_simple_replication.py b/ipatests/test_integration/test_simple_replication.py

index 8de385144..17092a499 100644

--- a/ipatests/test_integration/test_simple_replication.py

+++ b/ipatests/test_integration/test_simple_replication.py

@@ -111,5 +111,6 @@ class TestSimpleReplication(IntegrationTest):

         # has to be run with --force, there is no --unattended

         self.master.run_command(['ipa-replica-manage', 'del',

                                  self.replicas[0].hostname, '--force'])

-        result = self.master.run_command(['ipa-replica-manage', 'list'])

+        result = self.master.run_command(

+            ['ipa-replica-manage', 'list', '-v', self.master.hostname])

         assert self.replicas[0].hostname not in result.stdout_text

-- 

2.34.1

From ba7ec71ba96280da3841ebe47df2a6dc1cd6341e Mon Sep 17 00:00:00 2001

From: Mohammad Rizwan <myusuf@redhat.com>

Date: Fri, 26 Nov 2021 12:11:21 +0530

Subject: [PATCH] ipatests: Fix test_ipa_cert_fix.py::TestCertFixReplica

 teardown

Fixture `expire_certs` moves date back after renewing the certs.

This is causing the ipa-replica to fail. This fix first uninstalls

the server then moves back the date.

Fixes: https://pagure.io/freeipa/issue/9052

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

---

 ipatests/test_integration/test_ipa_cert_fix.py | 9 ++++++++-

 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py

index 39904d5de..5b56054b4 100644

--- a/ipatests/test_integration/test_ipa_cert_fix.py

+++ b/ipatests/test_integration/test_ipa_cert_fix.py

@@ -389,6 +389,12 @@ class TestCertFixReplica(IntegrationTest):

             setup_dns=False, extra_args=['--no-ntp']

         )

+    @classmethod

+    def uninstall(cls, mh):

+        # Uninstall method is empty as the uninstallation is done in

+        # the fixture

+        pass

+

     @pytest.fixture

     def expire_certs(self):

         # move system date to expire certs

@@ -398,7 +404,8 @@ class TestCertFixReplica(IntegrationTest):

         yield

         # move date back on replica and master

-        for host in self.master, self.replicas[0]:

+        for host in self.replicas[0], self.master:

+            tasks.uninstall_master(host)

             tasks.move_date(host, 'start', '-3years-1days')

     def test_renew_expired_cert_replica(self, expire_certs):

-- 

2.34.1

From 465f1669a6c5abc72da1ecaf9aefa8488f80806c Mon Sep 17 00:00:00 2001

From: Anuja More <amore@redhat.com>

Date: Mon, 13 Dec 2021 17:37:05 +0530

Subject: [PATCH] ipatests: Test default value of nsslapd-sizelimit.

related : https://pagure.io/freeipa/issue/8962

Signed-off-by: Anuja More <amore@redhat.com>

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

---

 ipatests/test_integration/test_installation.py | 13 +++++++++++++

 1 file changed, 13 insertions(+)

diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py

index 95cfaad54..0947241ae 100644

--- a/ipatests/test_integration/test_installation.py

+++ b/ipatests/test_integration/test_installation.py

@@ -1067,6 +1067,19 @@ class TestInstallMaster(IntegrationTest):

         )

         assert "nsslapd-db-locks" not in result.stdout_text

+    def test_nsslapd_sizelimit(self):

+        """ Test for default value of nsslapd-sizelimit.

+

+        Related : https://pagure.io/freeipa/issue/8962

+        """

+        result = tasks.ldapsearch_dm(

+            self.master,

+            "cn=config",

+            ["nsslapd-sizelimit"],

+            scope="base"

+        )

+        assert "nsslapd-sizelimit: 100000" in result.stdout_text

+

     def test_admin_root_alias_CVE_2020_10747(self):

         # Test for CVE-2020-10747 fix

         # https://bugzilla.redhat.com/show_bug.cgi?id=1810160

-- 

2.34.1

From cbd9ac6ab07dfb60f67da762fdd70856ad35c230 Mon Sep 17 00:00:00 2001

From: Mohammad Rizwan <myusuf@redhat.com>

Date: Thu, 25 Nov 2021 13:10:05 +0530

Subject: [PATCH] ipatests: Test empty cert request doesn't force certmonger to

 segfault

When empty cert request is submitted to certmonger, it goes to

segfault. This fix test that if something like this happens,

certmonger should gracefuly handle it

and some PEP8 fixes

related: https://pagure.io/certmonger/issue/191

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>

---

 ipatests/test_integration/test_cert.py | 79 +++++++++++++++++++++++++-

 1 file changed, 78 insertions(+), 1 deletion(-)

diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py

index 5ffb8c608..0518d7954 100644

--- a/ipatests/test_integration/test_cert.py

+++ b/ipatests/test_integration/test_cert.py

@@ -14,6 +14,7 @@ import random

 import re

 import string

 import time

+import textwrap

 from ipaplatform.paths import paths

 from ipapython.dn import DN

@@ -193,7 +194,7 @@ class TestInstallMasterClient(IntegrationTest):

         tasks.kinit_admin(self.master)

         tasks.user_add(self.master, user)

-        for id in (0,1):

+        for id in (0, 1):

             csr_file = f'{id}.csr'

             key_file = f'{id}.key'

             cert_file = f'{id}.crt'

@@ -584,3 +585,79 @@ class TestCAShowErrorHandling(IntegrationTest):

         error_msg = 'ipa: ERROR: The certificate for ' \

                     '{} is not available on this server.'.format(lwca)

         assert error_msg in result.stderr_text

+

+    def test_certmonger_empty_cert_not_segfault(self):

+        """Test empty cert request doesn't force certmonger to segfault

+

+        Test scenario:

+        create a cert request file in /var/lib/certmonger/requests which is

+        missing most of the required information, and ask request a new

+        certificate to certmonger. The wrong request file should not make

+        certmonger crash.

+

+        related: https://pagure.io/certmonger/issue/191

+        """

+        empty_cert_req_content = textwrap.dedent("""

+        id=dogtag-ipa-renew-agent

+        key_type=UNSPECIFIED

+        key_gen_type=UNSPECIFIED

+        key_size=0

+        key_gen_size=0

+        key_next_type=UNSPECIFIED

+        key_next_gen_type=UNSPECIFIED

+        key_next_size=0

+        key_next_gen_size=0

+        key_preserve=0

+        key_storage_type=NONE

+        key_perms=0

+        key_requested_count=0

+        key_issued_count=0

+        cert_storage_type=FILE

+        cert_perms=0

+        cert_is_ca=0

+        cert_ca_path_length=0

+        cert_no_ocsp_check=0

+        last_need_notify_check=19700101000000

+        last_need_enroll_check=19700101000000

+        template_is_ca=0

+        template_ca_path_length=-1

+        template_no_ocsp_check=0

+        state=NEED_KEY_PAIR

+        autorenew=0

+        monitor=0

+        submitted=19700101000000

+        """)

+        # stop certmonger service

+        self.master.run_command(['systemctl', 'stop', 'certmonger'])

+

+        # place an empty cert request file to certmonger request dir

+        self.master.put_file_contents(

+            os.path.join(paths.CERTMONGER_REQUESTS_DIR, '20211125062617'),

+            empty_cert_req_content

+        )

+

+        # start certmonger, it should not fail

+        self.master.run_command(['systemctl', 'start', 'certmonger'])

+

+        # request a new cert, should succeed and certmonger doesn't goes

+        # to segfault

+        result = self.master.run_command([

+            "ipa-getcert", "request",

+            "-f", os.path.join(paths.OPENSSL_CERTS_DIR, "test.pem"),

+            "-k", os.path.join(paths.OPENSSL_PRIVATE_DIR, "test.key"),

+        ])

+        request_id = re.findall(r'\d+', result.stdout_text)

+

+        # check if certificate is in MONITORING state

+        status = tasks.wait_for_request(self.master, request_id[0], 50)

+        assert status == "MONITORING"

+

+        self.master.run_command(

+            ['ipa-getcert', 'stop-tracking', '-i', request_id[0]]

+        )

+        self.master.run_command([

+            'rm', '-rf',

+            os.path.join(paths.CERTMONGER_REQUESTS_DIR, '20211125062617'),

+            os.path.join(paths.OPENSSL_CERTS_DIR, 'test.pem'),

+            os.path.join(paths.OPENSSL_PRIVATE_DIR, 'test.key')

+        ])

-- 

2.34.1

From edbd8f692a28fc999b92e9032614d366511db323 Mon Sep 17 00:00:00 2001

From: Anuja More <amore@redhat.com>

Date: Mon, 6 Dec 2021 20:50:01 +0530

Subject: [PATCH] ipatests: webui: Tests for subordinate ids.

Added web-ui tests to verify where operations

using subordinate ids are working as expected.

Related : https://pagure.io/freeipa/issue/8361

Signed-off-by: Anuja More <amore@redhat.com>

Reviewed-By: Michal Polovka <mpolovka@redhat.com>

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

---

 ipatests/test_webui/test_subid.py | 141 ++++++++++++++++++++++++++++++

 ipatests/test_webui/ui_driver.py  |  28 ++++++

 2 files changed, 169 insertions(+)

 create mode 100644 ipatests/test_webui/test_subid.py

diff --git a/ipatests/test_webui/test_subid.py b/ipatests/test_webui/test_subid.py

new file mode 100644

index 000000000..26decdba0

--- /dev/null

+++ b/ipatests/test_webui/test_subid.py

@@ -0,0 +1,141 @@

+

+"""

+Tests for subordinateid.

+"""

+

+from ipatests.test_webui.ui_driver import UI_driver

+import ipatests.test_webui.data_config as config_data

+import ipatests.test_webui.data_user as user_data

+from ipatests.test_webui.ui_driver import screenshot

+import re

+

+

+class test_subid(UI_driver):

+

+    def add_user(self, pkey, name, surname):

+        self.add_record('user', {

+            'pkey': pkey,

+            'add': [

+                ('textbox', 'uid', pkey),

+                ('textbox', 'givenname', name),

+                ('textbox', 'sn', surname),

+            ]

+        })

+

+    def set_default_subid(self):

+        self.navigate_to_entity(config_data.ENTITY)

+        self.check_option('ipauserdefaultsubordinateid', 'checked')

+        self.facet_button_click('save')

+

+    def get_user_count(self, user_pkey):

+        self.navigate_to_entity('subid', facet='search')

+        self.apply_search_filter(user_pkey)

+        self.wait_for_request()

+        return self.get_rows()

+

+    @screenshot

+    def test_set_defaultsubid(self):

+        """

+        Test to verify that enable/disable is working for

+        adding subids to new users.

+        """

+        self.init_app()

+        self.add_record(user_data.ENTITY, user_data.DATA2)

+        self.navigate_to_entity(config_data.ENTITY)

+        # test subid can be enabled/disabled.

+        self.set_default_subid()

+        assert self.get_field_checked('ipauserdefaultsubordinateid')

+        self.set_default_subid()

+        assert not self.get_field_checked('ipauserdefaultsubordinateid')

+

+    @screenshot

+    def test_user_defaultsubid(self):

+        """

+        Test to verify that subid is generated for new user.

+        """

+        self.init_app()

+        user_pkey = "some-user"

+

+        self.set_default_subid()

+        assert self.get_field_checked('ipauserdefaultsubordinateid')

+

+        before_count = self.get_user_count(user_pkey)

+        assert len(before_count) == 0

+

+        self.add_user(user_pkey, 'Some', 'User')

+        after_count = self.get_user_count(user_pkey)

+        assert len(after_count) == 1

+

+    @screenshot

+    def test_user_subid_mod_desc(self):

+        """

+        Test to verify that auto-assigned subid description is modified.

+        """

+        self.init_app()

+        self.navigate_to_record("some-user")

+        self.switch_to_facet('memberof_subid')

+        rows = self.get_rows()

+        self.navigate_to_row_record(rows[-1])

+        self.fill_textbox("description", "some-user-subid-desc")

+        self.facet_button_click('save')

+

+    @screenshot

+    def test_admin_subid(self):

+        """

+        Test to verify that subid range is created with owner admin.

+        """

+        self.init_app()

+        self.navigate_to_entity('subid', facet='search')

+        self.facet_button_click('add')

+        self.select_combobox('ipaowner', 'admin')

+        self.dialog_button_click('add')

+        self.wait(0.3)

+        self.assert_no_error_dialog()

+

+    @screenshot

+    def test_admin_subid_negative(self):

+        """

+        Test to verify that readding the subid fails with error.

+        """

+        self.init_app()

+        self.navigate_to_entity('subid', facet='search')

+        self.facet_button_click('add')

+        self.select_combobox('ipaowner', 'admin')

+        self.dialog_button_click('add')

+        self.wait(0.3)

+        err_dialog = self.get_last_error_dialog(dialog_name='error_dialog')

+        text = self.get_text('.modal-body div p', err_dialog)

+        text = text.strip()

+        pattern = r'Subordinate id with with name .* already exists.'

+        assert re.search(pattern, text) is not None

+        self.close_all_dialogs()

+

+    @screenshot

+    def test_user_subid_add(self):

+        """

+        Test to verify that subid range is created for given user.

+        """

+        self.init_app()

+        self.navigate_to_entity('subid', facet='search')

+        before_count = self.get_rows()

+        self.facet_button_click('add')

+        self.select_combobox('ipaowner', user_data.PKEY2)

+        self.dialog_button_click('add')

+        self.wait(0.3)

+        self.assert_no_error_dialog()

+        after_count = self.get_rows()

+        assert len(before_count) < len(after_count)

+

+    @screenshot

+    def test_subid_del(self):

+        """

+        Test to remove subordinate id for given user.

+        """

+        self.init_app()

+        self.navigate_to_entity('subid', facet='search')

+        user_uid = self.get_record_pkey("some-user", "ipaowner",

+                                        table_name="ipauniqueid")

+        before_count = self.get_rows()

+        self.delete_record(user_uid, table_name="ipauniqueid")

+        after_count = self.get_rows()

+        assert len(before_count) > len(after_count)

diff --git a/ipatests/test_webui/ui_driver.py b/ipatests/test_webui/ui_driver.py

index 46fd512ae..77fd74e49 100644

--- a/ipatests/test_webui/ui_driver.py

+++ b/ipatests/test_webui/ui_driver.py

@@ -1151,6 +1151,34 @@ class UI_driver:

                 return row

         return None

+    def get_row_by_column_value(self, key, column_name, parent=None,

+                                table_name=None):

+        """

+        Get the first matched row element of a search table with given key

+        matched against selected column. None if not found

+        """

+        rows = self.get_rows(parent, table_name)

+        s = "td div[name='%s']" % column_name

+        for row in rows:

+            has = self.find(s, By.CSS_SELECTOR, row)

+            if has.text == key:

+                return row

+        return None

+

+    def get_record_pkey(self, key, column, parent=None, table_name=None):

+        """

+        Get record pkey if value of column is known

+        """

+        row = self.get_row_by_column_value(key,

+                                           column_name=column,

+                                           parent=parent,

+                                           table_name=table_name)

+        val = None

+        if row:

+            el = self.find("td input", By.CSS_SELECTOR, row)

+            val = el.get_attribute("value")

+        return val

+

     def navigate_to_row_record(self, row, pkey_column=None):

         """

         Navigate to record by clicking on a link.

-- 

2.34.1

From 419d7fd6e5a9ed2d356ad05eef1043309f5646ef Mon Sep 17 00:00:00 2001

From: Michal Polovka <mpolovka@redhat.com>

Date: Fri, 7 Jan 2022 12:12:26 +0100

Subject: [PATCH] ipatests: webui: Use safe-loader for loading YAML

 configuration file

FullLoader class for YAML loader was introduced in version 5.1 which

also deprecated default loader. SafeLoader, however, stays consistent

across the versions and brings added security.

This fix is necessary as PyYAML > 5.1 is not available in downstream.

Related: https://pagure.io/freeipa/issue/9009

Signed-off-by: Michal Polovka <mpolovka@redhat.com>

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

---

 ipatests/test_webui/ui_driver.py | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipatests/test_webui/ui_driver.py b/ipatests/test_webui/ui_driver.py

index 77fd74e49..519efee9b 100644

--- a/ipatests/test_webui/ui_driver.py

+++ b/ipatests/test_webui/ui_driver.py

@@ -192,7 +192,7 @@ class UI_driver:

         if not NO_YAML and os.path.isfile(path):

             try:

                 with open(path, 'r') as conf:

-                    cls.config = yaml.load(stream=conf, Loader=yaml.FullLoader)

+                    cls.config = yaml.safe_load(stream=conf)

             except yaml.YAMLError as e:

                 pytest.skip("Invalid Web UI config.\n%s" % e)

             except IOError as e:

-- 

2.34.1

From 5444da016edc416c0c9481c660c013053dbb93b5 Mon Sep 17 00:00:00 2001

From: Mohammad Rizwan <myusuf@redhat.com>

Date: Thu, 18 Nov 2021 18:43:22 +0530

Subject: [PATCH] PEP8 Fixes

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>

---

 .../test_integration/test_replica_promotion.py     | 14 +++++++-------

 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py

index 1a4e9bc12..c328b1a08 100644

--- a/ipatests/test_integration/test_replica_promotion.py

+++ b/ipatests/test_integration/test_replica_promotion.py

@@ -138,7 +138,6 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):

         assert res.returncode == 1

         assert expected_err in res.stderr_text

-

     @replicas_cleanup

     def test_one_command_installation(self):

         """

@@ -150,11 +149,11 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):

         Firewall(self.replicas[0]).enable_services(["freeipa-ldap",

                                                     "freeipa-ldaps"])

         self.replicas[0].run_command(['ipa-replica-install', '-w',

-                                     self.master.config.admin_password,

-                                     '-n', self.master.domain.name,

-                                     '-r', self.master.domain.realm,

-                                     '--server', self.master.hostname,

-                                     '-U'])

+                                      self.master.config.admin_password,

+                                      '-n', self.master.domain.name,

+                                      '-r', self.master.domain.realm,

+                                      '--server', self.master.hostname,

+                                      '-U'])

         # Ensure that pkinit is properly configured, test for 7566

         result = self.replicas[0].run_command(['ipa-pkinit-manage', 'status'])

         assert "PKINIT is enabled" in result.stdout_text

@@ -321,7 +320,7 @@ class TestWrongClientDomain(IntegrationTest):

         result1 = client.run_command(['ipa-replica-install', '-U', '-w',

                                       self.master.config.dirman_password],

                                      raiseonerr=False)

-        assert(result1.returncode == 0), (

+        assert (result1.returncode == 0), (

             'Failed to promote the client installed with the upcase domain name')

     def test_client_rollback(self):

@@ -355,6 +354,7 @@ class TestWrongClientDomain(IntegrationTest):

         assert("An error occurred while removing SSSD" not in

                result.stdout_text)

+

 class TestRenewalMaster(IntegrationTest):

     topology = 'star'

-- 

2.34.1

From 1d19b860d4cd3bd65a4b143b588425d9a64237fd Mon Sep 17 00:00:00 2001

From: Mohammad Rizwan <myusuf@redhat.com>

Date: Thu, 18 Nov 2021 18:36:58 +0530

Subject: [PATCH] Test cases for ipa-replica-conncheck command

Following test cases would be checked:

- when called with --principal (it should then prompt for a password)

- when called with --principal / --password

- when called without principal and password but with a kerberos TGT,

  kinit admin done before calling ipa-replica-conncheck

- when called without principal and password, and without any kerberos

  TGT (it should default to principal=admin and prompt for a password)

related: https://pagure.io/freeipa/issue/9047

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>

---

 .../test_replica_promotion.py                 | 70 +++++++++++++++++++

 1 file changed, 70 insertions(+)

diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py

index b9c56f775..1a4e9bc12 100644

--- a/ipatests/test_integration/test_replica_promotion.py

+++ b/ipatests/test_integration/test_replica_promotion.py

@@ -437,6 +437,76 @@ class TestRenewalMaster(IntegrationTest):

         self.assertCARenewalMaster(master, replica.hostname)

         self.assertCARenewalMaster(replica, replica.hostname)

+    def test_replica_concheck(self):

+        """Test cases for ipa-replica-conncheck command

+

+        Following test cases would be checked:

+        - when called with --principal (it should then prompt for a password)

+        - when called with --principal / --password

+        - when called without principal and password but with a kerberos TGT,

+          kinit admin done before calling ipa-replica-conncheck

+        - when called without principal and password, and without any kerberos

+          TGT (it should default to principal=admin and prompt for a password)

+

+          related: https://pagure.io/freeipa/issue/9047

+        """

+        exp_str1 = "Connection from replica to master is OK."

+        exp_str2 = "Connection from master to replica is OK"

+        tasks.kdestroy_all(self.replicas[0])

+        # when called with --principal (it should then prompt for a password)

+        result = self.replicas[0].run_command(

+            ['ipa-replica-conncheck', '--auto-master-check',

+             '--master', self.master.hostname,

+             '-r', self.replicas[0].domain.realm,

+             '-p', self.replicas[0].config.admin_name],

+            stdin_text=self.master.config.admin_password

+        )

+        assert result.returncode == 0

+        assert (

+            exp_str1 in result.stderr_text and exp_str2 in result.stderr_text

+        )

+

+        # when called with --principal / --password

+        result = self.replicas[0].run_command([

+            'ipa-replica-conncheck', '--auto-master-check',

+            '--master', self.master.hostname,

+            '-r', self.replicas[0].domain.realm,

+            '-p', self.replicas[0].config.admin_name,

+            '-w', self.master.config.admin_password

+        ])

+        assert result.returncode == 0

+        assert (

+            exp_str1 in result.stderr_text and exp_str2 in result.stderr_text