Updated patch is attached.

There were a few more packages I had to install to get CI running for Debian; should we add these to the makefile?

root@sssd2:~# apt-get python-openssl 

dpkg -i http://ftp.us.debian.org/debian/pool/main/n/nss-wrapper/libnss-wrapper_1.1.2-1_amd64.deb
dpkg -i http://security.kali.org/pool/main/l/linux/linux-libc-dev_3.16.7-ckt20-1+deb8u4_amd64.deb



Below are test runs against Debian and Fedora


    fakeroot /usr/bin/python2 /usr/bin/py.test -v --tb=native  .
============================================================================== test session starts ===============================================================================
platform linux2 -- Python 2.7.9 -- py-1.4.25 -- pytest-2.6.3 -- /usr/bin/python2
collected 73 items

ent_test.py::test_assert_passwd_by_name PASSED
ent_test.py::test_assert_passwd_by_uid PASSED
ent_test.py::test_assert_passwd_list PASSED
ent_test.py::test_assert_each_passwd_by_name PASSED
ent_test.py::test_assert_each_passwd_by_uid PASSED
ent_test.py::test_assert_each_passwd_with_name PASSED
ent_test.py::test_assert_each_passwd_with_uid PASSED
ent_test.py::test_assert_passwd PASSED
ent_test.py::test_group_member_matching PASSED
ent_test.py::test_assert_group_by_name PASSED
ent_test.py::test_assert_group_by_gid PASSED
ent_test.py::test_assert_group_list PASSED
ent_test.py::test_assert_each_group_by_name PASSED
ent_test.py::test_assert_each_group_by_gid PASSED
ent_test.py::test_assert_each_group_with_name PASSED
ent_test.py::test_assert_each_group_with_gid PASSED
ent_test.py::test_assert_group PASSED
ldap_local_override_test.py::test_simple_user_override PASSED
ldap_local_override_test.py::test_root_user_override PASSED
ldap_local_override_test.py::test_replace_user_override PASSED
ldap_local_override_test.py::test_remove_user_override PASSED
ldap_local_override_test.py::test_imp_exp_user_override PASSED
ldap_local_override_test.py::test_show_user_override PASSED
ldap_local_override_test.py::test_find_user_override PASSED
ldap_local_override_test.py::test_simple_group_override PASSED
ldap_local_override_test.py::test_root_group_override PASSED
ldap_local_override_test.py::test_replace_group_override PASSED
ldap_local_override_test.py::test_remove_group_override PASSED
ldap_local_override_test.py::test_imp_exp_group_override PASSED
ldap_local_override_test.py::test_regr_2802_override PASSED
ldap_local_override_test.py::test_regr_2757_override PASSED
ldap_local_override_test.py::test_regr_2790_override PASSED
ldap_test.py::test_regression_ticket2163 PASSED
ldap_test.py::test_sanity_rfc2307 PASSED
ldap_test.py::test_sanity_rfc2307_bis PASSED
ldap_test.py::test_refresh_after_cleanup_task PASSED
ldap_test.py::test_add_remove_user PASSED
ldap_test.py::test_add_remove_group_rfc2307 PASSED
ldap_test.py::test_add_remove_group_rfc2307_bis PASSED
ldap_test.py::test_add_remove_membership_rfc2307 PASSED
ldap_test.py::test_add_remove_membership_rfc2307_bis PASSED
ldap_test.py::test_override_homedir PASSED
ldap_test.py::test_fallback_homedir PASSED
ldap_test.py::test_override_shell PASSED
ldap_test.py::test_shell_fallback PASSED
ldap_test.py::test_default_shell PASSED
ldap_test.py::test_vetoed_shells PASSED
test_local_domain.py::test_wrong_LC_ALL PASSED
test_memory_cache.py::test_getpwnam PASSED
test_memory_cache.py::test_getpwnam_with_mc PASSED
test_memory_cache.py::test_getgrnam_simple PASSED
test_memory_cache.py::test_getgrnam_simple_with_mc PASSED
test_memory_cache.py::test_getgrnam_membership PASSED
test_memory_cache.py::test_getgrnam_membership_with_mc PASSED
test_memory_cache.py::test_initgroups PASSED
test_memory_cache.py::test_initgroups_with_mc PASSED
test_memory_cache.py::test_initgroups_fqname_with_mc PASSED
test_memory_cache.py::test_initgroups_case_insensitive_with_mc1 PASSED
test_memory_cache.py::test_initgroups_case_insensitive_with_mc2 PASSED
test_memory_cache.py::test_initgroups_case_insensitive_with_mc3 PASSED
test_memory_cache.py::test_invalidation_of_gids_after_initgroups PASSED
test_memory_cache.py::test_initgroups_without_change_in_membership PASSED
test_memory_cache.py::test_invalidate_user_before_stop PASSED
test_memory_cache.py::test_invalidate_user_after_stop PASSED
test_memory_cache.py::test_invalidate_users_before_stop PASSED
test_memory_cache.py::test_invalidate_users_after_stop PASSED
test_memory_cache.py::test_invalidate_group_before_stop PASSED
test_memory_cache.py::test_invalidate_group_after_stop PASSED
test_memory_cache.py::test_invalidate_groups_before_stop PASSED
test_memory_cache.py::test_invalidate_groups_after_stop PASSED
test_memory_cache.py::test_invalidate_everything_before_stop PASSED
test_memory_cache.py::test_invalidate_everything_after_stop PASSED
test_memory_cache.py::test_removed_mc PASSED

========================================================================== 73 passed in 203.82 seconds ===========================================================================
rm -f /tmp/sssd-intg.zncqC9vY/var/log/sssd/*
make[1]: Leaving directory '/root/sssd/x86_64/intg/bld/src/tests/intg'
root@sssd2:~/sssd/x86_64# cat /etc/debian_version
8.3







cd "/root/sssd.git/x86_64/../src/tests/intg"; \
nss_wrapper=$(pkg-config --libs nss_wrapper); \
uid_wrapper=$(pkg-config --libs uid_wrapper); \
PATH="$(dirname -- /usr/sbin/slapd):$PATH" \
PATH="/tmp/sssd-intg.icQ2aGpF/sbin:/tmp/sssd-intg.icQ2aGpF/bin:$PATH" \
PATH="/root/sssd.git/x86_64/intg/bld/src/tests/intg:/root/sssd.git/x86_64/../src/tests/intg:$PATH" \
PYTHONPATH="/root/sssd.git/x86_64/intg/bld/src/tests/intg:/root/sssd.git/x86_64/../src/tests/intg" \
LDB_MODULES_PATH="/tmp/sssd-intg.icQ2aGpF/lib/ldb" \
LD_PRELOAD="$nss_wrapper $uid_wrapper" \
NSS_WRAPPER_PASSWD="/root/sssd.git/x86_64/intg/bld/src/tests/intg/passwd" \
NSS_WRAPPER_GROUP="/root/sssd.git/x86_64/intg/bld/src/tests/intg/group" \
NSS_WRAPPER_MODULE_SO_PATH="/tmp/sssd-intg.icQ2aGpF/lib/libnss_sss.so.2" \
NSS_WRAPPER_MODULE_FN_PREFIX="sss" \
UID_WRAPPER=1 \
UID_WRAPPER_ROOT=1 \
    fakeroot /usr/bin/python2 /usr/bin/py.test -v --tb=native  .
============================================================================== test session starts ===============================================================================
platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.7.3 -- /usr/bin/python2
rootdir: /root/sssd.git/src/tests/intg, inifile:
collected 73 items

ent_test.py::test_assert_passwd_by_name PASSED
ent_test.py::test_assert_passwd_by_uid PASSED
ent_test.py::test_assert_passwd_list PASSED
ent_test.py::test_assert_each_passwd_by_name PASSED
ent_test.py::test_assert_each_passwd_by_uid PASSED
ent_test.py::test_assert_each_passwd_with_name PASSED
ent_test.py::test_assert_each_passwd_with_uid PASSED
ent_test.py::test_assert_passwd PASSED
ent_test.py::test_group_member_matching PASSED
ent_test.py::test_assert_group_by_name PASSED
ent_test.py::test_assert_group_by_gid PASSED
ent_test.py::test_assert_group_list PASSED
ent_test.py::test_assert_each_group_by_name PASSED
ent_test.py::test_assert_each_group_by_gid PASSED
ent_test.py::test_assert_each_group_with_name PASSED
ent_test.py::test_assert_each_group_with_gid PASSED
ent_test.py::test_assert_group PASSED
ldap_local_override_test.py::test_simple_user_override PASSED
ldap_local_override_test.py::test_root_user_override PASSED
ldap_local_override_test.py::test_replace_user_override PASSED
ldap_local_override_test.py::test_remove_user_override PASSED
ldap_local_override_test.py::test_imp_exp_user_override PASSED
ldap_local_override_test.py::test_show_user_override PASSED
ldap_local_override_test.py::test_find_user_override PASSED
ldap_local_override_test.py::test_simple_group_override PASSED
ldap_local_override_test.py::test_root_group_override PASSED
ldap_local_override_test.py::test_replace_group_override PASSED
ldap_local_override_test.py::test_remove_group_override PASSED
ldap_local_override_test.py::test_imp_exp_group_override PASSED
ldap_local_override_test.py::test_regr_2802_override PASSED
ldap_local_override_test.py::test_regr_2757_override PASSED
ldap_local_override_test.py::test_regr_2790_override PASSED
ldap_test.py::test_regression_ticket2163 PASSED
ldap_test.py::test_sanity_rfc2307 PASSED
ldap_test.py::test_sanity_rfc2307_bis PASSED
ldap_test.py::test_refresh_after_cleanup_task PASSED
ldap_test.py::test_add_remove_user PASSED
ldap_test.py::test_add_remove_group_rfc2307 PASSED
ldap_test.py::test_add_remove_group_rfc2307_bis PASSED
ldap_test.py::test_add_remove_membership_rfc2307 PASSED
ldap_test.py::test_add_remove_membership_rfc2307_bis PASSED
ldap_test.py::test_override_homedir PASSED
ldap_test.py::test_fallback_homedir PASSED
ldap_test.py::test_override_shell PASSED
ldap_test.py::test_shell_fallback PASSED
ldap_test.py::test_default_shell PASSED
ldap_test.py::test_vetoed_shells PASSED
test_local_domain.py::test_wrong_LC_ALL PASSED
test_memory_cache.py::test_getpwnam PASSED
test_memory_cache.py::test_getpwnam_with_mc PASSED
test_memory_cache.py::test_getgrnam_simple PASSED
test_memory_cache.py::test_getgrnam_simple_with_mc PASSED
test_memory_cache.py::test_getgrnam_membership PASSED
test_memory_cache.py::test_getgrnam_membership_with_mc PASSED
test_memory_cache.py::test_initgroups PASSED
test_memory_cache.py::test_initgroups_with_mc PASSED
test_memory_cache.py::test_initgroups_fqname_with_mc PASSED
test_memory_cache.py::test_initgroups_case_insensitive_with_mc1 PASSED
test_memory_cache.py::test_initgroups_case_insensitive_with_mc2 PASSED
test_memory_cache.py::test_initgroups_case_insensitive_with_mc3 PASSED
test_memory_cache.py::test_invalidation_of_gids_after_initgroups PASSED
test_memory_cache.py::test_initgroups_without_change_in_membership PASSED
test_memory_cache.py::test_invalidate_user_before_stop PASSED
test_memory_cache.py::test_invalidate_user_after_stop PASSED
test_memory_cache.py::test_invalidate_users_before_stop PASSED
test_memory_cache.py::test_invalidate_users_after_stop PASSED
test_memory_cache.py::test_invalidate_group_before_stop PASSED
test_memory_cache.py::test_invalidate_group_after_stop PASSED
test_memory_cache.py::test_invalidate_groups_before_stop PASSED
test_memory_cache.py::test_invalidate_groups_after_stop PASSED
test_memory_cache.py::test_invalidate_everything_before_stop PASSED
test_memory_cache.py::test_invalidate_everything_after_stop PASSED
test_memory_cache.py::test_removed_mc PASSED

========================================================================== 73 passed in 206.11 seconds ===========================================================================
rm -f /tmp/sssd-intg.icQ2aGpF/var/log/sssd/*
make[1]: Leaving directory '/root/sssd.git/x86_64/intg/bld/src/tests/intg'
[root@sssd1 x86_64]# cat /etc/fedora-release
Fedora release 23 (Twenty Three)


On 2/29/16 3:18 AM, Jakub Hrozek wrote:
On Sun, Feb 28, 2016 at 08:19:57PM -0500, Dan Lavu wrote:
I've made most of the suggested changes, but I'm going to take some time
and get the test running on Debian as well (mostly to find out if /etc/pki
is a Red Hat thing or not). Fedora and Debian are the only distros we are
testing/supporting against, correct?
Yes, we support RHEL >= 6, Fedora (all supported versions) and Debian
Testing.

Also wondering if the ci setup issue I'm
seeing applies to apt.

Dan


On 2/26/16 5:53 AM, Jakub Hrozek wrote:
On Thu, Feb 25, 2016 at 05:18:09PM -0500, Dan Lavu wrote:
Here is a patch for https://fedorahosted.org/sssd/ticket/2820

First real patch... criticism of what I need to improve on is welcome,
including concepts that I should learn, thanks.
Thanks a lot for the patch!

See my comments inline:

From 529adb3e0d763a8ee9ba9b4c5b13f933d723e8de Mon Sep 17 00:00:00 2001
From: Dan Lavu <dlavu@redhat.com>
Date: Fri, 5 Feb 2016 08:51:07 -0500
Subject: [PATCH] Adding SSL encryption to integration tests.

---
 src/tests/intg/ca.py          | 166 ++++++++++++++++++++++++++++++++++++++++++
 src/tests/intg/ds_openldap.py |  14 ++++
 2 files changed, 180 insertions(+)
 create mode 100644 src/tests/intg/ca.py

diff --git a/src/tests/intg/ca.py b/src/tests/intg/ca.py
new file mode 100644
index 0000000000000000000000000000000000000000..a44a92e5d5053338dabd7d8d82d2b1d50ec7594e
--- /dev/null
+++ b/src/tests/intg/ca.py
@@ -0,0 +1,166 @@
+#
+# SSSD LOCAL domain tests
+#
+# Copyright (c) 2016 Red Hat, Inc.
+# Author: Dan Lavu <dan@redhat.com>
+#
+# This is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+from OpenSSL import crypto
+from os.path import exists, join
+
+import socket
+import os
+import fnmatch
+
+
+class CA:
It would be nice to use the new-style classes, so class CA(object)

+    """CA Class"""
+
+    def __init__(self, subject=None, country=None, state=None,
+                 city=None, organization=None, unit=None, config_dir=None):
+        if subject is None:
+            self.subject = socket.gethostname()
+        if country is None:
+            self.country = 'US'
+        if state is None:
+            self.state = 'NC'
+        if city is None:
+            self.city = 'Raleigh'
+        if organization is None:
+            self.organization = 'Red Hat'
+        if unit is None:
+            self.unit = 'SSSD'
+        if config_dir is None:
+            self.config_dir = '/etc/pki'
/etc/pki is not writable unless you're root. We should store the certs
in another directory writable by any user. Maybe this is something
Nikolai (CC) could help us with, I know we use fakeroot to set up the
directory structure, but I'm fuzzy on the details, so I don't know
myself which part of the tests we should exactly touch..

Also, does the /etc/pki path exist on Debian and other distributions or
is it Red Hat-centric?

When we have this done, hopefully we can remove the use of
'ldap_auth_disable_tls_never_use_in_production' from our tests?


+
+        self.hostname = socket.gethostname()
This is maybe something to fix in a later iteration of the patch, but I
wonder whether it would be useful to override the hostname with something
other than what gethostname() reports. Not sure at the moment..

+        self.csr_dir = self.config_dir + '/CA/newcerts'
+        self.key_dir = self.config_dir + '/tls/private'
+        self.cert_dir = self.config_dir + '/tls/certs'
+
+        self.index = int(1000)
+
+
+    def setup(self):
+        """Setup CA using OpenSSL"""
+        cacert = socket.gethostname() + '-ca.crt'
+        cakey = socket.gethostname() + '-ca.key'
Instead of using socket.gethostname(), maybe using self.hostname would
be better here (and elsewhere) ?

+
+        if not exists(join(self.cert_dir, cacert)) or not exists(join(self.key_dir, cakey)):
+            key = crypto.PKey()
+            key.generate_key(crypto.TYPE_RSA, 2048)
+
+            ca = crypto.X509()
+            ca.get_subject().C = self.country
+            ca.get_subject().ST = self.state
+            ca.get_subject().L = self.city
+            ca.get_subject().O = self.organization
+            ca.get_subject().OU = self.unit
+            ca.get_subject().CN = self.subject
+            ca.set_serial_number(self.index)
+            ca.gmtime_adj_notBefore(0)
+            ca.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)
+            ca.set_issuer(ca.get_subject())
+            ca.set_pubkey(key)
+            ca.sign(key, 'sha1')