From 3f4fc3d9806adc092d9c8aaf1832a265fa3a61f3 Mon Sep 17 00:00:00 2001 From: Sergey Orlov Date: Apr 02 2019 13:53:41 +0000 Subject: ipatests: refactor test_trust.py Tests in test_trust.py were organized in ten classes, one for each trust type, requiring ten cycles of ipaserver installation/uninstallation and the full test run lasted for about 5500 seconds. There is no need in reinstallation of ipaserver between establishing different types of trust. I moved all tests to sinle class, preserving test logic. Additional changes: * TestEnforcedPosixADTrust was totally removed as it was duplicate of TestPosixADTrust * code of repeated checks was moved to methods * A task was cretated for cleaning up DNS configuration changes made for establishing trust Related to https://pagure.io/freeipa/issue/7889 Reviewed-By: Alexander Bokovoy --- diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py index c1e7800..8146d7c 100644 --- a/ipatests/pytest_ipa/integration/tasks.py +++ b/ipatests/pytest_ipa/integration/tasks.py @@ -557,6 +557,7 @@ def install_adtrust(host): def disable_dnssec_validation(host): + backup_file(host, paths.NAMED_CONF) named_conf = host.get_file_contents(paths.NAMED_CONF) named_conf = re.sub(br'dnssec-validation\s*yes;', b'dnssec-validation no;', named_conf) @@ -564,29 +565,34 @@ def disable_dnssec_validation(host): restart_named(host) -def configure_dns_for_trust(master, ad): - """ - This configures DNS on IPA master according to the relationship of the - IPA's and AD's domains. - """ +def restore_dnssec_validation(host): + restore_files(host) + restart_named(host) + - def is_subdomain(subdomain, domain): - subdomain_unpacked = subdomain.split('.') - domain_unpacked = domain.split('.') +def is_subdomain(subdomain, domain): + subdomain_unpacked = subdomain.split('.') + domain_unpacked = domain.split('.') - subdomain_unpacked.reverse() - domain_unpacked.reverse() + subdomain_unpacked.reverse() + domain_unpacked.reverse() - subdomain = False + subdomain = False - if len(subdomain_unpacked) > len(domain_unpacked): - subdomain = True + if len(subdomain_unpacked) > len(domain_unpacked): + subdomain = True - for subdomain_segment, domain_segment in zip(subdomain_unpacked, - domain_unpacked): - subdomain = subdomain and subdomain_segment == domain_segment + for subdomain_segment, domain_segment in zip(subdomain_unpacked, + domain_unpacked): + subdomain = subdomain and subdomain_segment == domain_segment - return subdomain + return subdomain + +def configure_dns_for_trust(master, ad): + """ + This configures DNS on IPA master according to the relationship of the + IPA's and AD's domains. + """ kinit_admin(master) @@ -610,6 +616,23 @@ def configure_dns_for_trust(master, ad): ]) +def unconfigure_dns_for_trust(master, ad): + """ + This undoes changes made by configure_dns_for_trust + """ + kinit_admin(master) + if is_subdomain(ad.domain.name, master.domain.name): + master.run_command(['ipa', 'dnsrecord-del', master.domain.name, + '%s.%s' % (ad.shortname, ad.netbios), + '--a-rec', ad.ip]) + master.run_command(['ipa', 'dnsrecord-del', master.domain.name, + ad.netbios, + '--ns-rec', '%s.%s' % (ad.shortname, ad.netbios)]) + else: + master.run_command(['ipa', 'dnsforwardzone-del', ad.domain.name]) + restore_dnssec_validation(master) + + def establish_trust_with_ad(master, ad_domain, extra_args=()): """ Establishes trust with Active Directory. Trust type is detected depending diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py index 9f4c502..ed4c25e 100644 --- a/ipatests/test_integration/test_trust.py +++ b/ipatests/test_integration/test_trust.py @@ -1,21 +1,4 @@ -# Authors: -# Tomas Babej -# -# Copyright (C) 2013 Red Hat -# see file 'COPYING' for use and warranty information -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright (C) 2019 FreeIPA Contributors see COPYING for license from __future__ import absolute_import @@ -24,45 +7,38 @@ import unittest from ipatests.test_integration.base import IntegrationTest from ipatests.pytest_ipa.integration import tasks -from ipaplatform.paths import paths -class ADTrustBase(IntegrationTest): - """Provides common checks for the AD trust integration testing.""" - +class TestTrust(IntegrationTest): topology = 'line' num_ad_domains = 1 num_ad_subdomains = 1 num_ad_treedomains = 1 + upn_suffix = 'UPNsuffix.com' + upn_username = 'upnuser' + upn_name = 'UPN User' + upn_principal = '{}@{}'.format(upn_username, upn_suffix) + upn_password = 'Secret123456' + @classmethod def install(cls, mh): if not cls.master.transport.file_exists('/usr/bin/rpcclient'): raise unittest.SkipTest("Package samba-client not available " - "on {}".format(cls.master.hostname)) - super(ADTrustBase, cls).install(mh) - cls.ad = cls.ads[0] + "on {}".format(cls.master.hostname)) + super(TestTrust, cls).install(mh) + cls.ad = cls.ads[0] # pylint: disable=no-member cls.ad_domain = cls.ad.domain.name - cls.install_adtrust() + tasks.install_adtrust(cls.master) cls.check_sid_generation() - cls.child_ad = cls.ad_subdomains[0] + cls.child_ad = cls.ad_subdomains[0] # pylint: disable=no-member cls.ad_subdomain = cls.child_ad.domain.name - cls.tree_ad = cls.ad_treedomains[0] + cls.tree_ad = cls.ad_treedomains[0] # pylint: disable=no-member cls.ad_treedomain = cls.tree_ad.domain.name - cls.configure_dns_and_time() - - @classmethod - def install_adtrust(cls): - """Test adtrust support installation""" - - tasks.install_adtrust(cls.master) - @classmethod def check_sid_generation(cls): - """Test SID generation""" - command = ['ipa', 'user-show', 'admin', '--all', '--raw'] # TODO: remove duplicate definition and import from common module @@ -74,72 +50,52 @@ class ADTrustBase(IntegrationTest): tasks.run_repeatedly(cls.master, command, test=lambda x: re.search(stdout_re, x)) - @classmethod - def configure_dns_and_time(cls): - tasks.configure_dns_for_trust(cls.master, cls.ad) - tasks.sync_time(cls.master, cls.ad) + def configure_dns_and_time(self, ad_host): + tasks.configure_dns_for_trust(self.master, ad_host) + tasks.sync_time(self.master, ad_host) + + def check_trustdomains(self, realm, expected_ad_domains): + """Check that ipa trustdomain-find lists all expected domains""" + result = self.master.run_command(['ipa', 'trustdomain-find', realm]) + for domain in expected_ad_domains: + expected_text = 'Domain name: %s\n' % domain + assert expected_text in result.stdout_text + expected_text = ("Number of entries returned %s\n" % + len(expected_ad_domains)) + assert expected_text in result.stdout_text + + def check_range_properties(self, realm, expected_type, expected_size): + """Check the properties of the created range""" + range_name = realm.upper() + '_id_range' + result = self.master.run_command(['ipa', 'idrange-show', range_name, + '--all', '--raw']) + expected_text = 'ipaidrangesize: %s\n' % expected_size + assert expected_text in result.stdout_text + expected_text = 'iparangetype: %s\n' % expected_type + assert expected_text in result.stdout_text + + def remove_trust(self, ad): + tasks.remove_trust_with_ad(self.master, ad.domain.name) + tasks.unconfigure_dns_for_trust(self.master, ad) + tasks.clear_sssd_cache(self.master) - def test_establish_trust(self): - """Tests establishing trust with Active Directory""" + # Tests for non-posix AD trust - tasks.establish_trust_with_ad(self.master, self.ad_domain, + def test_establish_nonposix_trust(self): + self.configure_dns_and_time(self.ad) + tasks.establish_trust_with_ad( + self.master, self.ad_domain, extra_args=['--range-type', 'ipa-ad-trust']) - def test_all_trustdomains_found(self): - """ - Tests that all trustdomains can be found. - """ - result = self.master.run_command(['ipa', - 'trustdomain-find', - self.ad_domain]) - - # Check that all trustdomains appear in the result - assert self.ad_domain in result.stdout_text - assert self.ad_subdomain in result.stdout_text - assert "Number of entries returned 2" in result.stdout_text - - -class ADTrustSubdomainBase(ADTrustBase): - """ - Base class for tests involving subdomains of trusted forests - """ - - @classmethod - def configure_dns_and_time(cls): - tasks.configure_dns_for_trust(cls.master, cls.child_ad) - tasks.sync_time(cls.master, cls.child_ad) - - -class ADTrustTreedomainBase(ADTrustBase): - """ - Base class for tests involving tree root domains of trusted forests - """ - - @classmethod - def configure_dns_and_time(cls): - tasks.configure_dns_for_trust(cls.master, cls.tree_ad) - tasks.sync_time(cls.master, cls.tree_ad) - - -class TestBasicADTrust(ADTrustBase): - """Basic Integration test for Active Directory""" + def test_trustdomains_found_in_nonposix_trust(self): + self.check_trustdomains( + self.ad_domain, [self.ad_domain, self.ad_subdomain]) def test_range_properties_in_nonposix_trust(self): - """Check the properties of the created range""" - - range_name = self.ad_domain.upper() + '_id_range' - result = self.master.run_command(['ipa', 'idrange-show', range_name, - '--all', '--raw']) - - iparangetype_regex = r'ipaRangeType: ipa-ad-trust' - iparangesize_regex = r'ipaIDRangeSize: 200000' - - assert re.search(iparangetype_regex, result.stdout_text, re.IGNORECASE) - assert re.search(iparangesize_regex, result.stdout_text, re.IGNORECASE) + self.check_range_properties(self.ad_domain, 'ipa-ad-trust', 200000) def test_user_gid_uid_resolution_in_nonposix_trust(self): """Check that user has SID-generated UID""" - # Using domain name since it is lowercased realm name for AD domains testuser = 'testuser@%s' % self.ad_domain result = self.master.run_command(['getent', 'passwd', testuser]) @@ -151,9 +107,10 @@ class TestBasicADTrust(ADTrustBase): % (re.escape(self.ad_domain), re.escape(self.ad_domain)) - assert re.search(testuser_regex, result.stdout_text) + assert re.search( + testuser_regex, result.stdout_text), result.stdout_text - def test_ipauser_authentication(self): + def test_ipauser_authentication_with_nonposix_trust(self): ipauser = u'tuser' original_passwd = 'Secret123' new_passwd = 'userPasswd123' @@ -168,42 +125,61 @@ class TestBasicADTrust(ADTrustBase): self.master) # try to kinit as ipauser - self.master.run_command( - ['kinit', '-E', '{0}@{1}'.format(ipauser, - self.master.domain.name)], + self.master.run_command([ + 'kinit', '-E', '{0}@{1}'.format(ipauser, self.master.domain.name)], stdin_text=new_passwd) - def test_remove_nonposix_trust(self): - tasks.remove_trust_with_ad(self.master, self.ad_domain) - tasks.clear_sssd_cache(self.master) + # Tests for UPN suffixes + def test_upn_in_nonposix_trust(self): + """Check that UPN is listed as trust attribute""" + result = self.master.run_command(['ipa', 'trust-show', self.ad_domain, + '--all', '--raw']) -class TestPosixADTrust(ADTrustBase): - """Integration test for Active Directory with POSIX support""" + assert ("ipantadditionalsuffixes: {}".format(self.upn_suffix) in + result.stdout_text) - def test_establish_trust(self): - tasks.establish_trust_with_ad( - self.master, self.ad_domain, - extra_args=['--range-type', 'ipa-ad-trust-posix'] + def test_upn_user_resolution_in_nonposix_trust(self): + """Check that user with UPN can be resolved""" + result = self.master.run_command(['getent', 'passwd', + self.upn_principal]) + + # result will contain AD domain, not UPN + upnuser_regex = ( + r"^{}@{}:\*:(\d+):(\d+):{}:/home/{}/{}:/bin/sh$".format( + self.upn_username, self.ad_domain, self.upn_name, + self.ad_domain, self.upn_username) ) + assert re.search(upnuser_regex, result.stdout_text), result.stdout_text - def test_range_properties_in_posix_trust(self): - # Check the properties of the created range + def test_upn_user_authentication_in_nonposix_trust(self): + """ Check that AD user with UPN can authenticate in IPA """ + self.master.run_command(['kinit', '-C', '-E', self.upn_principal], + stdin_text=self.upn_password) + + def test_remove_nonposix_trust(self): + self.remove_trust(self.ad) - range_name = self.ad_domain.upper() + '_id_range' + # Tests for posix AD trust - result = self.master.run_command(['ipa', 'idrange-show', range_name, - '--all', '--raw']) + def test_establish_posix_trust(self): + self.configure_dns_and_time(self.ad) + tasks.establish_trust_with_ad( + self.master, self.ad_domain, + extra_args=['--range-type', 'ipa-ad-trust-posix']) - # Check the range type and size - iparangetype_regex = r'ipaRangeType: ipa-ad-trust-posix' - iparangesize_regex = r'ipaIDRangeSize: 200000' + def test_trustdomains_found_in_posix_trust(self): + """Tests that all trustdomains can be found.""" + self.check_trustdomains( + self.ad_domain, [self.ad_domain, self.ad_subdomain]) - assert re.search(iparangetype_regex, result.stdout_text, re.IGNORECASE) - assert re.search(iparangesize_regex, result.stdout_text, re.IGNORECASE) + def test_range_properties_in_posix_trust(self): + """Check the properties of the created range""" + self.check_range_properties(self.ad_domain, 'ipa-ad-trust-posix', + 200000) def test_user_uid_gid_resolution_in_posix_trust(self): - # Check that user has AD-defined UID + """Check that user has AD-defined UID""" # Using domain name since it is lowercased realm name for AD domains testuser = 'testuser@%s' % self.ad_domain @@ -216,7 +192,7 @@ class TestPosixADTrust(ADTrustBase): assert testuser_stdout in result.stdout_text def test_user_without_posix_attributes_not_visible(self): - # Check that user has AD-defined UID + """Check that user has AD-defined UID""" # Using domain name since it is lowercased realm name for AD domains nonposixuser = 'nonposixuser@%s' % self.ad_domain @@ -226,29 +202,10 @@ class TestPosixADTrust(ADTrustBase): # Getent exits with 2 for non-existent user assert result.returncode == 2 - def test_remove_trust_with_posix_attributes(self): - tasks.remove_trust_with_ad(self.master, self.ad_domain) - tasks.clear_sssd_cache(self.master) - - -class TestEnforcedPosixADTrust(TestPosixADTrust): - """ - This test is intented to copycat PosixADTrust, since enforcing the POSIX - trust type should not make a difference. - """ - """Re-difene method from test_establish_trust_with_posix_attributes - to test_establish_trust. win server 2016 no more have support for MFU/NIS, - so autodetection doesn't work""" - - def test_establish_trust(self): - tasks.establish_trust_with_ad(self.master, self.ad_domain, - extra_args=['--range-type', 'ipa-ad-trust-posix']) + def test_remove_posix_trust(self): + self.remove_trust(self.ad) - -class TestInvalidRangeTypes(ADTrustBase): - """ - Tests invalid values being put into trust-add command. - """ + # Tests for handling invalid trust types def test_invalid_range_types(self): @@ -258,40 +215,38 @@ class TestInvalidRangeTypes(ADTrustBase): 'random-invalid', 're@ll%ybad12!'] - for range_type in invalid_range_types: - tasks.kinit_admin(self.master) - - result = self.master.run_command( - ['ipa', 'trust-add', '--type', 'ad', self.ad_domain, '--admin', - 'Administrator', '--range-type', range_type, '--password'], - raiseonerr=False, - stdin_text=self.master.config.ad_admin_password) + self.configure_dns_and_time(self.ad) + try: + for range_type in invalid_range_types: + tasks.kinit_admin(self.master) - # The trust-add command is supposed to fail - assert result.returncode == 1 + result = self.master.run_command( + ['ipa', 'trust-add', '--type', 'ad', self.ad_domain, + '--admin', 'Administrator', + '--range-type', range_type, '--password'], + raiseonerr=False, + stdin_text=self.master.config.ad_admin_password) + # The trust-add command is supposed to fail + assert result.returncode == 1 + assert "ERROR: invalid 'range_type'" in result.stderr_text + finally: + tasks.unconfigure_dns_for_trust(self.master, self.ad) -class TestExternalTrustWithSubdomain(ADTrustSubdomainBase): - """ - Test establishing external trust with subdomain - """ + # Tests for external trust with AD subdomain - def test_establish_trust(self): - """ Tests establishing external trust with Active Directory """ + def test_establish_external_subdomain_trust(self): + self.configure_dns_and_time(self.child_ad) tasks.establish_trust_with_ad( self.master, self.ad_subdomain, extra_args=['--range-type', 'ipa-ad-trust', '--external=True']) - def test_all_trustdomains_found(self): - """ Test that only one trustdomain is found """ - result = self.master.run_command(['ipa', 'trustdomain-find', - self.ad_subdomain]) - - assert self.ad_subdomain in result.stdout_text - assert "Number of entries returned 1" in result.stdout_text + def test_trustdomains_found_in_external_subdomain_trust(self): + self.check_trustdomains( + self.ad_subdomain, [self.ad_subdomain]) - def test_user_gid_uid_resolution_in_nonposix_trust(self): - """ Check that user has SID-generated UID """ + def test_user_gid_uid_resolution_in_external_subdomain_trust(self): + """Check that user has SID-generated UID""" testuser = 'subdomaintestuser@{0}'.format(self.ad_subdomain) result = self.master.run_command(['getent', 'passwd', testuser]) @@ -303,62 +258,43 @@ class TestExternalTrustWithSubdomain(ADTrustSubdomainBase): assert re.search(testuser_regex, result.stdout_text) - def test_remove_nonposix_trust(self): - tasks.remove_trust_with_ad(self.master, self.ad_subdomain) - tasks.clear_sssd_cache(self.master) - + def test_remove_external_subdomain_trust(self): + self.remove_trust(self.child_ad) -class TestNonexternalTrustWithSubdomain(ADTrustSubdomainBase): - """ - Tests that a non-external trust to a subdomain cannot be established - """ - def test_establish_trust(self): - """ Tests establishing non-external trust with Active Directory """ - self.master.run_command(['kinit', '-kt', paths.HTTP_KEYTAB, - 'HTTP/%s' % self.master.hostname]) - self.master.run_command(['systemctl', 'restart', 'krb5kdc.service']) - self.master.run_command(['kdestroy', '-A']) - - tasks.kinit_admin(self.master) - self.master.run_command(['klist']) - self.master.run_command(['smbcontrol', 'all', 'debug', '100']) - - result = self.master.run_command([ - 'ipa', 'trust-add', '--type', 'ad', self.ad_subdomain, '--admin', - 'Administrator', '--password', '--range-type', 'ipa-ad-trust' - ], stdin_text=self.master.config.ad_admin_password, - raiseonerr=False) + # Tests for non-external trust with AD subdomain - assert result != 0 - assert ("Domain '{0}' is not a root domain".format( - self.ad_subdomain) in result.stderr_text) + def test_establish_nonexternal_subdomain_trust(self): + self.configure_dns_and_time(self.child_ad) + try: + tasks.kinit_admin(self.master) - def test_all_trustdomains_found(self): - raise unittest.SkipTest( - 'Test case unapplicable, present for inheritance reason only') + result = self.master.run_command([ + 'ipa', 'trust-add', '--type', 'ad', self.ad_subdomain, + '--admin', + 'Administrator', '--password', '--range-type', 'ipa-ad-trust' + ], stdin_text=self.master.config.ad_admin_password, + raiseonerr=False) + assert result != 0 + assert ("Domain '{0}' is not a root domain".format( + self.ad_subdomain) in result.stderr_text) + finally: + tasks.unconfigure_dns_for_trust(self.master, self.child_ad) -class TestExternalTrustWithTreedomain(ADTrustTreedomainBase): - """ - Test establishing external trust with tree root domain - """ + # Tests for external trust with tree domain - def test_establish_trust(self): - """ Tests establishing external trust with Active Directory """ + def test_establish_external_treedomain_trust(self): + self.configure_dns_and_time(self.tree_ad) tasks.establish_trust_with_ad( self.master, self.ad_treedomain, extra_args=['--range-type', 'ipa-ad-trust', '--external=True']) - def test_all_trustdomains_found(self): - """ Test that only one trustdomain is found """ - result = self.master.run_command(['ipa', 'trustdomain-find', - self.ad_treedomain]) - - assert self.ad_treedomain in result.stdout_text - assert "Number of entries returned 1" in result.stdout_text + def test_trustdomains_found_in_external_treedomain_trust(self): + self.check_trustdomains( + self.ad_treedomain, [self.ad_treedomain]) - def test_user_gid_uid_resolution_in_nonposix_trust(self): - """ Check that user has SID-generated UID """ + def test_user_gid_uid_resolution_in_external_treedomain_trust(self): + """Check that user has SID-generated UID""" testuser = 'treetestuser@{0}'.format(self.ad_treedomain) result = self.master.run_command(['getent', 'passwd', testuser]) @@ -368,107 +304,42 @@ class TestExternalTrustWithTreedomain(ADTrustTreedomainBase): re.escape(self.ad_treedomain), re.escape(self.ad_treedomain))) - assert re.search(testuser_regex, result.stdout_text) - - def test_remove_nonposix_trust(self): - tasks.remove_trust_with_ad(self.master, self.ad_treedomain) - tasks.clear_sssd_cache(self.master) + assert re.search( + testuser_regex, result.stdout_text), result.stdout_text + def test_remove_external_treedomain_trust(self): + self.remove_trust(self.tree_ad) -class TestNonexternalTrustWithTreedomain(ADTrustTreedomainBase): - """ - Tests that a non-external trust to a tree root domain cannot be established - """ - def test_establish_trust(self): - """ Tests establishing non-external trust with Active Directory """ - self.master.run_command(['kinit', '-kt', paths.HTTP_KEYTAB, - 'HTTP/%s' % self.master.hostname]) - self.master.run_command(['systemctl', 'restart', 'krb5kdc.service']) - self.master.run_command(['kdestroy', '-A']) - - tasks.kinit_admin(self.master) - self.master.run_command(['klist']) - self.master.run_command(['smbcontrol', 'all', 'debug', '100']) - - result = self.master.run_command([ - 'ipa', 'trust-add', '--type', 'ad', self.ad_treedomain, '--admin', - 'Administrator', '--password', '--range-type', 'ipa-ad-trust' - ], stdin_text=self.master.config.ad_admin_password, - raiseonerr=False) + # Test for non-external trust with tree domain - assert result != 0 - assert ("Domain '{0}' is not a root domain".format( - self.ad_treedomain) in result.stderr_text) + def test_establish_nonexternal_treedomain_trust(self): + self.configure_dns_and_time(self.tree_ad) + try: + tasks.kinit_admin(self.master) - def test_all_trustdomains_found(self): - raise unittest.SkipTest( - 'Test case unapplicable, present for inheritance reason only') + result = self.master.run_command([ + 'ipa', 'trust-add', '--type', 'ad', self.ad_treedomain, + '--admin', + 'Administrator', '--password', '--range-type', 'ipa-ad-trust' + ], stdin_text=self.master.config.ad_admin_password, + raiseonerr=False) + assert result != 0 + assert ("Domain '{0}' is not a root domain".format( + self.ad_treedomain) in result.stderr_text) + finally: + tasks.unconfigure_dns_for_trust(self.master, self.tree_ad) -class TestExternalTrustWithRootDomain(ADTrustBase): - """ - Test establishing external trust with root domain - Main purpose of this test is to verify that subdomains are not - associated with the external trust, hence all tests are skipped - if no subdomain is specified. - """ + # Tests for external trust with root domain - def test_establish_trust(self): - """ Tests establishing external trust with Active Directory """ + def test_establish_external_rootdomain_trust(self): + self.configure_dns_and_time(self.ad) tasks.establish_trust_with_ad( self.master, self.ad_domain, extra_args=['--range-type', 'ipa-ad-trust', '--external=True']) - def test_all_trustdomains_found(self): - """ Test that only one trustdomain is found """ - result = self.master.run_command(['ipa', 'trustdomain-find', - self.ad_domain]) - - assert self.ad_domain in result.stdout_text - assert "Number of entries returned 1" in result.stdout_text + def test_trustdomains_found_in_external_rootdomain_trust(self): + self.check_trustdomains(self.ad_domain, [self.ad_domain]) - def test_remove_nonposix_trust(self): - tasks.remove_trust_with_ad(self.master, self.ad_domain) - tasks.clear_sssd_cache(self.master) - - -class TestTrustWithUPN(ADTrustBase): - """ - Test support of UPN for trusted domains - """ - - upn_suffix = 'UPNsuffix.com' - upn_username = 'upnuser' - upn_name = 'UPN User' - upn_principal = '{}@{}'.format(upn_username, upn_suffix) - upn_password = 'Secret123456' - - def test_upn_in_nonposix_trust(self): - """ Check that UPN is listed as trust attribute """ - result = self.master.run_command(['ipa', 'trust-show', self.ad_domain, - '--all', '--raw']) - - assert ("ipantadditionalsuffixes: {}".format(self.upn_suffix) in - result.stdout_text) - - def test_upn_user_resolution_in_nonposix_trust(self): - """ Check that user with UPN can be resolved """ - result = self.master.run_command(['getent', 'passwd', - self.upn_principal]) - - # result will contain AD domain, not UPN - upnuser_regex = ( - r"^{}@{}:\*:(\d+):(\d+):{}:/home/{}/{}:/bin/sh$".format( - self.upn_username, self.ad_domain, self.upn_name, - self.ad_domain, self.upn_username) - ) - assert re.search(upnuser_regex, result.stdout_text) - - def test_upn_user_authentication(self): - """ Check that AD user with UPN can authenticate in IPA """ - self.master.run_command(['kinit', '-C', '-E', self.upn_principal], - stdin_text=self.upn_password) - - def test_remove_nonposix_trust(self): - tasks.remove_trust_with_ad(self.master, self.ad_domain) - tasks.clear_sssd_cache(self.master) + def test_remove_external_rootdomain_trust(self): + self.remove_trust(self.ad)