#7889 test_integration/test_trust.py need improvement
Closed: fixed 4 years ago by sorlov. Opened 5 years ago by sorlov.

Multiple issues found in trust tests, will update

Issues with tests:
1) trust can be established only in the environment with external DNS server with DNSSEC support, which contains A records for Windows servers and SRV records for AD services.
It is rather complicated to create such a setup (and it is not documented). This happens due to not creating a DNS forwarder for the AD domain.
2) (Not broken, but strange) Tests expect that in the config file all three AD instances are located in one domain.hosts object. Because of that, to find domain name of AD machines we split and join hostname (lines 51 and 59 at test_trust.py) instead of using host.domain.name property provided by pytest_multihost plugin. I think every AD machine must be in its own domain in test config (as domain names are different indeed).
3) Tests fail randomly when trying to synchronize time before establishing trust (at least in vagrant). I've read that the Windows time server can have a very big jitter value and chronyd must be invoked with maxlag and maxdistance options (need to investigate)
4) TestExternalTrustWithRootDomain is mistakenly inherited from ADTrustSubdomainBase instead of ADTrustBase. So external trust with subdomain is checked twice.
5) ADTrustBase.test_all_trustdomains_found expects that after establishing trust with forest root domain ipa trustdomain-find will show all three domains. I think this is wrong, it should only retrieve root domain and its subdomain, but not the other tree domain. I suspect the test could pass with invalid test configuration, when domain.hosts.*.name field contained value without dot at end. In this case multihost plugin constructs hostname from first part of name and the value of domain.name. And as all AD machines are in same domain object (see 2), we actually three times check that root domain is visible in output.
6) Test module contains 10 test classes. Each class requires ipa server setup/teardown. This results in tests running for about 1.5 hours. But there is nothing in those tests that requires reinstalling ipa server when changing trust type and target. If we add simple cleanup (ipa trust-del, remove sssd keytab), we could place all tests in one class and run them in under 20 minutes. The better option would be to create a module-level fixture for topology installation/uninstallation (similar to IntegrationTest.install/uninstall methods) but I think it is too much for the scope of this task.
7) Time on ipa master is synchronized with AD after ipa-server installation. This can (and sometimes does in my setup) lead to the ipa certificate being not yet valid.
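
The effect suspected in items 2 and 5, modelled as an added example (not code from the ticket, FreeIPA or pytest_multihost): with all AD hosts in one domain object and names lacking a trailing dot, the split-and-join derivation yields the root domain three times. The hostname rule is a simplified model of what the ticket describes, and every host and domain name is constructed.

```python
# Simplified model of the hostname rule described in item 5; this is not
# pytest_multihost code, and all host/domain names below are constructed.

def build_hostname(name, domain_name):
    """Trailing dot: name is taken as a FQDN. Otherwise only the first
    label is kept and the enclosing domain object's name is appended."""
    if name.endswith("."):
        return name[:-1]
    return name.split(".")[0] + "." + domain_name


def domain_by_split_join(hostname):
    """Item 2: derive the AD domain by dropping the first hostname label."""
    return ".".join(hostname.split(".")[1:])


def domains_under_test(config):
    """Return the AD domain the tests would look for, one per AD host."""
    found = []
    for domain in config:
        for name in domain["hosts"]:
            fqdn = build_hostname(name, domain["name"])
            found.append(domain_by_split_join(fqdn))
    return found


# One domain object holding all three AD machines, names without trailing dot.
SHARED_NO_DOT = [{"name": "ad.test", "hosts": [
    "dc1.ad.test", "dc2.child.ad.test", "dc3.tree.test"]}]

# Same layout, but every name is a FQDN with a trailing dot.
SHARED_WITH_DOT = [{"name": "ad.test", "hosts": [
    "dc1.ad.test.", "dc2.child.ad.test.", "dc3.tree.test."]}]

# Layout proposed in the ticket: each AD machine in its own domain object.
SEPARATE = [
    {"name": "ad.test", "hosts": ["dc1"]},
    {"name": "child.ad.test", "hosts": ["dc2"]},
    {"name": "tree.test", "hosts": ["dc3"]},
]

if __name__ == "__main__":
    for label, cfg in [("shared, no dot", SHARED_NO_DOT),
                       ("shared, dot", SHARED_WITH_DOT),
                       ("separate", SEPARATE)]:
        print(label, domains_under_test(cfg))
```

In the first layout a test that looks for each derived domain in the `ipa trustdomain-find` output passes as long as the root domain is listed, whether or not the subdomain and tree domain are visible.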


Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.3
- Issue tagged with: tests

5 years ago

Need to update test documentation:
1. Each AD machine must reside in its own domain object of multihost configuration
2. Add proper description of test objects that must be created on AD machines, possibly provide powershell snippet

master:

  • cc1fb2f Revert "Tests: Remove DNS configuration from trust tests"
  • 3e01d26 ipatests: in test_trust.py fix prameters in invocation of tasks.configure_dns_for_trust
  • 14f27d2 ipatests: disable bind dns validation when preparing to establish AD trust
  • 1d0a612 ipatests: in test_trust.py fix parent class
  • e8955cc ipatests: fix expectations of ipa trust-find output for trust with root domain
  • 03e2693 ipatests: relax requirements for time server quality
  • 35a4642 ipatests: allow AD hosts to be placed in separate domain config objects
  • 94a6cb1 ipatests: adapt test_trust.py for changes in multihost fixture
  • c819716 ipatests: refactor test_trust.py

ipa-4-7:

  • 9a1b754 Revert "Tests: Remove DNS configuration from trust tests"
  • d3b6f2a ipatests: in test_trust.py fix prameters in invocation of tasks.configure_dns_for_trust
  • 2c3d425 ipatests: disable bind dns validation when preparing to establish AD trust
  • 81f8fbd ipatests: in test_trust.py fix parent class
  • 1547f9d ipatests: fix expectations of ipa trust-find output for trust with root domain
  • 4d51875 ipatests: relax requirements for time server quality
  • cfa2e39 ipatests: allow AD hosts to be placed in separate domain config objects
  • 37ef3bd ipatests: adapt test_trust.py for changes in multihost fixture
  • 3f4fc3d ipatests: refactor test_trust.py

ipa-4-6:

  • d1f7db8 Revert "Tests: Remove DNS configuration from trust tests"
  • fc9634d ipatests: in test_trust.py fix prameters in invocation of tasks.configure_dns_for_trust
  • e8460e4 ipatests: disable bind dns validation when preparing to establish AD trust
  • 07a471d ipatests: in test_trust.py fix parent class
  • a37d20b ipatests: fix expectations of ipa trust-find output for trust with root domain
  • 1797516 ipatests: allow AD hosts to be placed in separate domain config objects
  • 1fa1003 ipatests: adapt test_trust.py for changes in multihost fixture
  • bb40cd8 ipatests: refactor test_trust.py

Metadata Update from @sorlov:
- Custom field affects_doc adjusted to on
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

4 years ago
