-
Notifications
You must be signed in to change notification settings - Fork 342
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ipatests: add test for kdcproxy handling reply split to several TCP packets #4614
Conversation
wladich
commented
Apr 29, 2020
@@ -0,0 +1,30 @@ | |||
# |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
pytest fixtures are usually stored in a conftest.py
, which is auto-imported by pytest.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
agree
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This approach is applicable for fixtures which are applicable for all tests. Here this fixture is specific to a particular set of tests, so IMO its better to have this in that test class's install class method.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is ipa_ad_trust fixture. It can be used to establish trust between IPA and AD when no special options are required. So this fixture could be used in this module, in test_smb, test_sssd and any new test suite which needs to setup trust.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@wladich
Still this fixture servers the trust scenario only.
I think we can move this fixture to a shared file(e.g pytest_ipa/integreation/tasks.py) and can import/use where ever necessary.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@kaleemsiddiqu Please see comment #4614 (comment)
Personally I do not have any preference where to store this small fixture - in a separate file or in conftest or somewhere else.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I only want to say that scope of fixtures defined in conftest.py is very large and applies to almost every tests and thats when we should define it. IMO ipa_trust_ad does not fit that case. Its upto you and @tiran to decide, i just shared my opinion.
['OUTPUT', '-p', 'tcp', '--dport', '80', '-j', 'ACCEPT'], | ||
['OUTPUT', '-p', 'tcp', '--dport', '443', '-j', 'ACCEPT'], | ||
['OUTPUT', '-p', 'tcp', '--sport', '22', '-j', 'ACCEPT']] | ||
Firewall(self.client).prepend_passthrough_rules(fw_rules_allow) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it necessary to create a new firewall object for every function call?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
definitely not, fixing.
@pytest.mark.usefixtures('restrict_network_for_client', | ||
'client_use_kdcproxy') | ||
def test_ipa_user_login_on_client_with_kdcproxy(self, users): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please use follow black's and PEP-8's formatting style:
@pytest.mark.usefixtures(
'restrict_network_for_client',
'client_use_kdcproxy'
)
def test_ipa_user_login_on_client_with_kdcproxy(self, users):
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you please point which pep-8 style rule you are referring to?
And https://www.freeipa.org/page/Python_Coding_Style does not seem to mention any other rules...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's black code style, https://github.com/psf/black#the-black-code-style
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tried to use black utility with new code and it heavily reformatted the code, not only the mentioned lines. One of the changes is making lines longer then 79 chars which violates current code style.
But even with "-l 79" the changes are huge.
So could you please clarify, is the use of black formater now agreed and enforced for the FreeIPA project? I see it is not mentioned in https://www.freeipa.org/page/Python_Coding_Style, neither it is being checked by PR-CI.
a7f0723
to
8ab71ab
Compare
@wladich, please, increase the timeout argument, I suspect that the reason jobs are picked by multiple runners is related to that. |
1 similar comment
@wladich, please, increase the timeout argument, I suspect that the reason jobs are picked by multiple runners is related to that. |
ipatests/conftest.py
Outdated
|
||
|
||
@pytest.fixture(scope='class') | ||
def ipa_ad_trust(mh): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This fixture only applies to integration tests and depends on the multihost mh
fixture. Please move it to ipatests/pytest_ipa/integration/__init__.py
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@tiran
fixed
Tests fail at ipa-server-install: http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/d7be85da-9942-11ea-b3a3-fa163e168469 |
Rerunning the tests to check that they still pass after freeipa/freeipa-pr-ci@7c6f67e |
This is a workaround for https://pagure.io/freeipa/issue/6523: when ipa-client-install is called with --server option, dns_lookup_realm and dns_lookup_kdc options in kreb5.conf are set to "false" preventing libkrb5 from discovering AD realm. This function changes those values to "true".
Similar to kinit_admin, this allows to check for error values returned by kinit.
The fixture enables us to setup and cleanup trust between IPA master and AD root with single line of code. It also handles configuring clients to be able to accept logins of AD users.
…ackets This is a regression test for the bug in python-kdcproxy mentioned in latchset/kdcproxy#44 When the reply from AD is split into several TCP packets the kdc proxy software cannot handle it and returns a false error message indicating it cannot contact the KDC server. This could be observed as login failures of AD user on IPA clients when: * IPA client was configured to use kdcproxy to communicate with AD * kdcproxy used TCP to communicate with AD * response from AD to kdcproxy was split into several packets This patch also refactors and improves existing tests: * switch to using pytest fixtures for test setup and cleanup steps to make them isolated and reusable * simulate a much more restricted network environment: instead of blocking single 88 port we now block all outgoing traffic except few essential ports * add basic tests for using kdcproxy to communicate between IPA client and AD DC.
The test fails with older versions of kdcproxy as the related bug was fixed in 0.4.2: latchset/kdcproxy#44
the new tests require ad AD instance
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |