ipatests: add test for kdcproxy handling reply split to several TCP packets #4614
Conversation
wladich
commented
Apr 29, 2020
wladich
commented
wladich
added
ipa-4-6
| @@ -0,0 +1,30 @@ | |||
| # | |||
There was a problem hiding this comment.
pytest fixtures are usually stored in a conftest.py, which is auto-imported by pytest.
There was a problem hiding this comment.
This approach is applicable for fixtures which are applicable for all tests. Here this fixture is specific to a particular set of tests, so IMO its better to have this in that test class's install class method.
There was a problem hiding this comment.
This is ipa_ad_trust fixture. It can be used to establish trust between IPA and AD when no special options are required. So this fixture could be used in this module, in test_smb, test_sssd and any new test suite which needs to setup trust.
There was a problem hiding this comment.
@wladich
Still this fixture servers the trust scenario only.
I think we can move this fixture to a shared file(e.g pytest_ipa/integreation/tasks.py) and can import/use where ever necessary.
There was a problem hiding this comment.
@kaleemsiddiqu Please see comment #4614 (comment)
Personally I do not have any preference where to store this small fixture - in a separate file or in conftest or somewhere else.
There was a problem hiding this comment.
I only want to say that scope of fixtures defined in conftest.py is very large and applies to almost every tests and thats when we should define it. IMO ipa_trust_ad does not fit that case. Its upto you and @tiran to decide, i just shared my opinion.
| ['OUTPUT', '-p', 'tcp', '--dport', '80', '-j', 'ACCEPT'], | ||
| ['OUTPUT', '-p', 'tcp', '--dport', '443', '-j', 'ACCEPT'], | ||
| ['OUTPUT', '-p', 'tcp', '--sport', '22', '-j', 'ACCEPT']] | ||
| Firewall(self.client).prepend_passthrough_rules(fw_rules_allow) |
There was a problem hiding this comment.
Is it necessary to create a new firewall object for every function call?
| @pytest.mark.usefixtures('restrict_network_for_client', | ||
| 'client_use_kdcproxy') | ||
| def test_ipa_user_login_on_client_with_kdcproxy(self, users): |
There was a problem hiding this comment.
Please use follow black's and PEP-8's formatting style:
@pytest.mark.usefixtures(
'restrict_network_for_client',
'client_use_kdcproxy'
)
def test_ipa_user_login_on_client_with_kdcproxy(self, users):
There was a problem hiding this comment.
Could you please point which pep-8 style rule you are referring to?
And https://www.freeipa.org/page/Python_Coding_Style does not seem to mention any other rules...
There was a problem hiding this comment.
It's black code style, https://github.com/psf/black#the-black-code-style
There was a problem hiding this comment.
I tried to use black utility with new code and it heavily reformatted the code, not only the mentioned lines. One of the changes is making lines longer then 79 chars which violates current code style.
But even with "-l 79" the changes are huge.
So could you please clarify, is the use of black formater now agreed and enforced for the FreeIPA project? I see it is not mentioned in https://www.freeipa.org/page/Python_Coding_Style, neither it is being checked by PR-CI.
wladich
force-pushed
the
kdcproxy-ad-test
branch
2 times, most recently
from
a7f0723
to
8ab71ab
Compare
|
@wladich, please, increase the timeout argument, I suspect that the reason jobs are picked by multiple runners is related to that. |
1 similar comment
|
@wladich, please, increase the timeout argument, I suspect that the reason jobs are picked by multiple runners is related to that. |
ipatests/conftest.py
Outdated
|
|
||
|
|
||
| @pytest.fixture(scope='class') | ||
| def ipa_ad_trust(mh): |
There was a problem hiding this comment.
This fixture only applies to integration tests and depends on the multihost mh fixture. Please move it to ipatests/pytest_ipa/integration/__init__.py.
|
Tests fail at ipa-server-install: http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/d7be85da-9942-11ea-b3a3-fa163e168469 |
|
Rerunning the tests to check that they still pass after freeipa/freeipa-pr-ci@7c6f67e |
This is a workaround for https://pagure.io/freeipa/issue/6523: when ipa-client-install is called with --server option, dns_lookup_realm and dns_lookup_kdc options in kreb5.conf are set to "false" preventing libkrb5 from discovering AD realm. This function changes those values to "true".
Similar to kinit_admin, this allows to check for error values returned by kinit.
The fixture enables us to setup and cleanup trust between IPA master and AD root with single line of code. It also handles configuring clients to be able to accept logins of AD users.
…ackets This is a regression test for the bug in python-kdcproxy mentioned in latchset/kdcproxy#44 When the reply from AD is split into several TCP packets the kdc proxy software cannot handle it and returns a false error message indicating it cannot contact the KDC server. This could be observed as login failures of AD user on IPA clients when: * IPA client was configured to use kdcproxy to communicate with AD * kdcproxy used TCP to communicate with AD * response from AD to kdcproxy was split into several packets This patch also refactors and improves existing tests: * switch to using pytest fixtures for test setup and cleanup steps to make them isolated and reusable * simulate a much more restricted network environment: instead of blocking single 88 port we now block all outgoing traffic except few essential ports * add basic tests for using kdcproxy to communicate between IPA client and AD DC.
The test fails with older versions of kdcproxy as the related bug was fixed in 0.4.2: latchset/kdcproxy#44
the new tests require ad AD instance
freeipa-pr-ci
added
the
needs rebase
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
wladich
added
postponed
and removed
needs review
