From c199ca31cfa241207a28e3af01cc9a602935b410 Mon Sep 17 00:00:00 2001
From: Sergey Orlov <sorlov@redhat.com>
Date: Tue, 12 Jan 2021 19:53:59 +0100
Subject: [PATCH 1/2] ipatests: rewrite test for requests routing to
 subordinate suffixes

The original test had some issues:
* it was doing many actions not related to the tested issue which obscured
  actual test scenario
* the subordinate suffix was hard-coded in the test, so the test could not
  exercise the original issue whenever the AD domain name did not match
  that hard-coded value
* Invocation of commands on AD controller was failing in some environments

Other improvements:
* added docstring with test details
* added guard assertions for test preliminary conditions

Related to https://pagure.io/freeipa/issue/8554

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipatests/test_integration/test_trust.py | 104 +++++++++++++-----------
 1 file changed, 56 insertions(+), 48 deletions(-)

diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index a335c780eff..63f88040486 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -246,57 +246,65 @@ def test_upn_user_authentication_in_nonposix_trust(self):
         self.master.run_command(['kinit', '-C', '-E', self.upn_principal],
                                 stdin_text=self.upn_password)
 
-    def test_remove_nonposix_trust(self):
-        self.remove_trust(self.ad)
-        tasks.unconfigure_dns_for_trust(self.master, self.ad)
-
     # Test with AD trust defining subordinate suffixes
     def test_subordinate_suffix(self):
-        """Test subordinate UPN Suffixes"""
-        tasks.configure_dns_for_trust(self.master, self.ad)
-        tasks.establish_trust_with_ad(
-            self.master, self.ad_domain,
-            extra_args=['--range-type', 'ipa-ad-trust'])
-        # Clear all UPN Suffixes
-        ps_cmd = "Get-ADForest | Set-ADForest -UPNSuffixes $null"
-        self.ad.run_command(["powershell", "-c", ps_cmd])
-        result = self.master.run_command(["ipa", "trust-show", self.ad_domain])
-        assert (
-            "ipantadditionalsuffixes: {}".format(self.upn_suffix)
-            not in result.stdout_text
-        )
-        # Run Get-ADForest
-        ps_cmd1 = "Get-ADForest"
-        self.ad.run_command(["powershell", "-c", ps_cmd1])
-        # Add new UPN for AD
-        ps_cmd2 = (
-            'Get-ADForest | Set-ADForest -UPNSuffixes '
-            '@{add="new.ad.test", "upn.dom"}'
-        )
-        self.ad.run_command(["powershell", "-c", ps_cmd2])
-        self.ad.run_command(["powershell", "-c", ps_cmd1])
-        self.master.run_command(
-            ["ipa", "trust-fetch-domains", self.ad_domain],
-            raiseonerr=False)
-        self.master.run_command(["ipa", "trust-show", self.ad_domain])
-        # Set UPN for the aduser
-        ps_cmd3 = (
-            'set-aduser -UserPrincipalName '
-            'Administrator@new.ad.test -Identity Administrator'
-        )
-        self.ad.run_command(["powershell", "-c", ps_cmd3])
-        # kinit to IPA using AD user Administrator@new.ad.test
-        result = self.master.run_command(
-            ["getent", "passwd", "Administrator@new.ad.test"]
-        )
-        assert result.returncode == 0
-        self.master.run_command(
-            ["kinit", "-E", "Administrator@new.ad.test"],
-            stdin_text="Secret123",
-        )
-        tasks.kdestroy_all(self.master)
+        """Test subordinate UPN suffixes routing.
+
+        Given an AD domain ad.test with additional UPN suffix suffix.ad.test
+        check that requests from IPA for suffix.ad.test
+        are properly routed to ad.test.
 
-    def test_remove_subordinate_suffixes_trust(self):
+        This is a regression test for https://pagure.io/freeipa/issue/8554
+        """
+
+        # Create subordinate UPN suffix
+        subordinate_suffix = 'test_subdomain.' + self.ad_domain
+        self.ad.run_command([
+            'powershell', '-c',
+            'Set-ADForest -Identity {} -UPNSuffixes @{{add="{}"}}'.format(
+                self.ad_domain, subordinate_suffix)])
+        try:
+            # Verify UPN suffix is created
+            cmd = ('Get-ADForest -Identity {} '
+                   '| Select-Object -Property UPNSuffixes'
+                   .format(self.ad_domain))
+            res = self.ad.run_command(['powershell', '-c', cmd])
+            assert subordinate_suffix in res.stdout_text
+
+            # Verify IPA does not receive subordinate suffix from AD
+            self.master.run_command(
+                ['ipa', 'trust-fetch-domains', self.ad_domain],
+                ok_returncode=1)
+            res = self.master.run_command(
+                ['ipa', 'trust-show', self.ad_domain])
+            assert subordinate_suffix not in res.stdout_text
+
+            # Set UPN for the AD user
+            upn = 'testuser@' + subordinate_suffix
+            cmd = 'Set-Aduser -UserPrincipalName {} -Identity testuser'.format(
+                upn)
+            self.ad.run_command(['powershell', '-c', cmd])
+
+            # Check user resolution
+            res = self.master.run_command(['getent', 'passwd', upn])
+            expected_regex = (
+                r'^testuser@{domain}:\*:(\d+):(\d+):'
+                r'Test User:/home/{domain}/testuser:{shell}$'
+                .format(domain=re.escape(self.ad_domain),
+                        shell=self.default_shell))
+            assert re.search(expected_regex, res.stdout_text)
+
+            # Check user authentication
+            self.master.run_command(
+                ['kinit', '-E', upn], stdin_text='Secret123')
+        finally:
+            # cleanup
+            tasks.kdestroy_all(self.master)
+            cmd = ('Set-ADForest -Identity {} -UPNSuffixes @{{Remove="{}"}}'
+                   .format(self.ad_domain, subordinate_suffix))
+            self.ad.run_command(['powershell', '-c', cmd])
+
+    def test_remove_nonposix_trust(self):
         self.remove_trust(self.ad)
         tasks.unconfigure_dns_for_trust(self.master, self.ad)
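Review bot: The `finally` block removes the subordinate UPN suffix from the forest but never undoes the `Set-ADUser -UserPrincipalName testuser@test_subdomain.<ad_domain>` change made just before the `getent` check, so `testuser` is left with a UPN whose suffix no longer exists in the forest and any later test in this module (or another module on the same AD controller) that resolves or authenticates `testuser` by UPN inherits that state. Capture the user's current UPN before changing it and restore it in `finally`, before the suffix is removed. Two smaller points: the expected failure `ok_returncode=1` of `ipa trust-fetch-domains` is a guard assertion whose rationale is not stated — a one-line comment such as `# trust-fetch-domains exits 1 here because the subordinate suffix is not yet routable` (if that is the reason) would help the next reader; and the literal `'Secret123'` passed to `kinit` duplicates a password that the fixture presumably already knows (the class uses `self.upn_password` a few lines above), so prefer a class attribute if one exists for `testuser`.
```python
        # Remember the user's current UPN so cleanup can put it back
        original_upn = None
        try:
            # … unchanged: suffix verification and trust-fetch-domains guard …

            # Set UPN for the AD user
            upn = 'testuser@' + subordinate_suffix
            cmd = ('Get-ADUser -Identity testuser '
                   '| Select-Object -ExpandProperty UserPrincipalName')
            original_upn = self.ad.run_command(
                ['powershell', '-c', cmd]).stdout_text.strip()
            # … unchanged: Set-ADUser, getent and kinit checks …
        finally:
            # cleanup
            tasks.kdestroy_all(self.master)
            # Restore the UPN first so the user never references a removed suffix
            if original_upn:
                cmd = 'Set-ADUser -Identity testuser -UserPrincipalName {}'.format(
                    original_upn)
                self.ad.run_command(['powershell', '-c', cmd])
            # … unchanged: Set-ADForest -UPNSuffixes @{Remove=...} …
```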
 

From 00237547cf78350a9f1347db5271dfde2b81c73f Mon Sep 17 00:00:00 2001
From: Sergey Orlov <sorlov@redhat.com>
Date: Fri, 29 Jan 2021 17:01:52 +0100
Subject: [PATCH 2/2] temp commit

---
 .freeipa-pr-ci.yaml                        |  2 +-
 ipatests/prci_definitions/temp_commit.yaml | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml
index abcf8c5b634..80656690080 120000
--- a/.freeipa-pr-ci.yaml
+++ b/.freeipa-pr-ci.yaml
@@ -1 +1 @@
-ipatests/prci_definitions/gating.yaml
\ No newline at end of file
+ipatests/prci_definitions/temp_commit.yaml
\ No newline at end of file
diff --git a/ipatests/prci_definitions/temp_commit.yaml b/ipatests/prci_definitions/temp_commit.yaml
index 0d9d9b09d5e..bbf2ed950ae 100644
--- a/ipatests/prci_definitions/temp_commit.yaml
+++ b/ipatests/prci_definitions/temp_commit.yaml
@@ -61,14 +61,14 @@ jobs:
         timeout: 1800
         topology: *build
 
-  fedora-latest-ipa-4-8/temp_commit:
+  fedora-latest-ipa-4-8/test_trust:
     requires: [fedora-latest-ipa-4-8/build]
     priority: 50
     job:
-      class: RunPytest
+      class: RunADTests
       args:
         build_url: '{fedora-latest-ipa-4-8/build_url}'
-        test_suite: test_integration/test_REPLACEME.py
+        test_suite: test_integration/test_trust.py
         template: *ci-ipa-4-8-latest
-        timeout: 3600
-        topology: *master_1repl_1client
+        timeout: 9000
+        topology: *adroot_adchild_adtree_master_1client
