[Pkg-freeipa-devel] [Git][freeipa-team/freeipa][upstream] 407 commits: Bump to IPA 4.11

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Wed Oct 18 15:19:14 BST 2023



Timo Aaltonen pushed to branch upstream at FreeIPA packaging / freeipa


Commits:
9819058d by Antonio Torres at 2022-06-29T17:07:59+02:00
Bump to IPA 4.11

Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -
52782b55 by Armando Neto at 2022-06-29T21:24:04-03:00
ipatests: update rawhide template

Python packages updated to include latest `pytest-html`.

Issue: https://github.com/freeipa/freeipa-pr-ci/issues/467

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
22d1392a by Rob Crittenden at 2022-06-30T08:34:28-04:00
Only calculate LDAP password grace when the password is expired

The user's pwd expiration was retrieved but inadvertently was never
compared to current time. So any LDAP bind, including from the
IPA API, counted against the grace period. There is no need to go
through the graceperiod code for non-expired passwords.

https://pagure.io/freeipa/issue/1539

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
2e11247c by Sumedh Sidhaye at 2022-07-02T18:34:16+02:00
Added a check while removing 'cert_dir'. The teardown method is called even if all the tests are skipped since the required PKI version is not present. The teardown is trying to remove a non-existent directory.

Currently the cert_dir attribute is only present if IPA installation was
done. If IPA was not installed the attribute does not exist.
In order that the uninstall code finds the attribute a class attribute
is added.

Pagure Issue: https://pagure.io/freeipa/issue/9179

Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
03e91395 by Iker Pedrosa at 2022-07-05T09:46:17+02:00
ipatests: definitions for SSSD COPR nightly

Defined the tests that will be executed for SSSD's COPR nightly.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
7a40948d by Fraser Tweedale at 2022-07-05T14:26:52+02:00
BUILD.txt: remove redundant dnf-builddep option

-b and --best are the same option (see dnf(8)).  Remove -b and keep
--best, because --best is more descriptive.

Signed-off-by: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
cb0ce1bd by Fraser Tweedale at 2022-07-05T14:29:27+02:00
man: add --skip-mem-check to man pages

Document the --skip-mem-check flag in the ipa-server-install(1) and
ipa-replica-install(1) man pages.

Related: https://pagure.io/freeipa/issue/8404

Signed-off-by: Fraser Tweedale <frase at frase.id.au>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
f8da5bfb by Fraser Tweedale at 2022-07-05T14:29:27+02:00
install: suggest --skip-mem-check when mem check fails

In the memory check failure message, add a hint to the administrator
that they can use the --skip-mem-check flag to skip the check.

Related: https://pagure.io/freeipa/issue/8404

Signed-off-by: Fraser Tweedale <frase at frase.id.au>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
e8d34361 by Florence Blanc-Renaud at 2022-07-12T10:15:21+02:00
ipatests: fix SSSD nightly definition

The nightly test test_external_idp requires a topology
with 2 replicas. Fix the definition in nightly_latest_sssd.

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
436c9d85 by Armando Neto at 2022-07-12T11:38:17-03:00
webui: Do not allow empty pagination size

Pagination size must be required: the current validators are triggered after
the form is submitted, thus the only way to check that the data is not empty is by making
the field required.

Fixes: https://pagure.io/freeipa/issue/9192

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
dc73813b by Rob Crittenden at 2022-07-15T16:59:15+02:00
Warn for permissions with read/write/search/compare and no attrs

An ACI with rights of read, write, search and/or compare without
attributes to apply the rights to is effectively a no-op. Allow
the ACI to be created but include a warning. Ignore the add
and delete rights. While they make no sense in the context of
the other rights we should still warn that they are a no-op
with no attributes.

Use the existing make_aci() object method to create the
message and update the add/mod callers to capture and add the
message to the result if one is provided.

When updating an existing ACI the effective attributes will
not be included so fall back to the attributes in the resulting
permission.

Prior to checking for rights and attributes convert any deprecated
names for older clients into the newer values needed by make_aci

This is exercised by existing xmlrpc permission tests that
create such permissions without attributes.

https://pagure.io/freeipa/issue/9188

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
3237ade3 by David Pascual at 2022-07-15T17:09:17+02:00
ipatests: Checker script for prci definitions

This script allows developers to check if prci definition jobs have the correct format,
which is defined in prci_jobs_spec.yaml.
Useful when adding new jobs to the definitions.

Signed-off-by: David Pascual <davherna at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
0e8bde31 by Stanislav Levin at 2022-07-26T12:36:41-04:00
ap: Raise dbus timeout

With some recent changes on Azure Agent the default DBus call
timeout is not good enough. For example, in case of
`InstallDNSSECFirst_1_to_5` job hostnamectl received reply in ~20sec,
but later it increased to ~30sec (more subjobs - more time to reply).
It's good to raise this timeout to be more protected against minimum
performance times.

https://www.freedesktop.org/software/systemd/man/sd_bus_set_method_call_timeout.html#Description

Fixes: https://pagure.io/freeipa/issue/9207
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
dd094e38 by Stanislav Levin at 2022-07-26T12:36:41-04:00
ap: Disable azure's security daemon

This daemon runs clamav, which is resource aggressive.
There is no point in running a Windows virus scanner on Ubuntu in a Linux-only
environment.

Fixes: https://pagure.io/freeipa/issue/9207
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
8542fd30 by Stanislav Levin at 2022-07-26T12:36:41-04:00
ap: Rearrange overloaded jobs

With some recent changes the Azure Agent has decreased performance.
For example, `InstallDNSSECFirst_1_to_5` (5 subjobs) job took ~33min
and now it takes ~40min. At the same time there are jobs having only
1 or 2 subjobs and they should be used more.

Fixes: https://pagure.io/freeipa/issue/9207
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
e9b232fc by Stanislav Levin at 2022-07-26T12:36:41-04:00
ap: Constrain supported docutils

New Sphinx 5.1.0 (Released: Jul 24, 2022) bumped supported docutils
to 0.19:
https://github.com/sphinx-doc/sphinx/pull/10656

But m2r2 doesn't support it yet:
https://github.com/CrossNox/m2r2/issues/52

Thereby, docutils must be constrained to < 0.19.

This should be fixed by m2r2 and after they do it the restriction
can be removed.

Fixes: https://pagure.io/freeipa/issue/9208
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
fc5de821 by Erik at 2022-07-27T13:34:07+02:00
ipatests: healthcheck: test if system is FIPS enabled

Test if FIPS is enabled and the check exists.

Related: https://pagure.io/freeipa/issue/8951

Signed-off-by: Erik Belko <ebelko at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
4105fee2 by Rob Crittenden at 2022-08-01T09:24:40-04:00
Disabling gracelimit does not prevent LDAP binds

Originally the code treated 0 as disabled. This was
changed during the review process to -1 but one remnant
was missed effectively allowing gracelimit 0 to also mean
disabled.

Add explicit tests for testing with gracelimit = 0 and
gracelimit = -1.

Also remove some extraneous "str(self.master.domain.basedn)"
lines from some of the tests.

Fixes: https://pagure.io/freeipa/issue/9206

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
e3e7c98a by Sudhir Menon at 2022-08-01T09:28:30-04:00
ipatests: ipa-client-install --subid adds entry in nsswitch.conf

This testcase checks that when ipa-client-install command
is run with --subid option, /etc/nsswitch.conf file is updated
with the below entry

subid: nss
Related: https://pagure.io/freeipa/issue/9159

Since the newly added test suite required a client
system, the below yaml files were modified to change the topology
from *master_1repl to *master_1repl_1client:

gating.yaml
nightly_latest.yaml
nightly_latest_selinux.yaml
nightly_latest_testing.yaml
nightly_previous.yaml
nightly_rawhide.yaml

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
8297b749 by David Pascual at 2022-08-01T09:34:42-04:00
ipatest: fix prci checker target masked return code & add pylint

In the yamllint target of the makefile, the prci_checker result was being masked by an echo statement.
Additionally, the prci_checker script has been added to the list of Python sources to be Pylinted.

Addressing comments of recently merged PR:
https://github.com/freeipa/freeipa/pull/6301#discussion_r923163970
https://github.com/freeipa/freeipa/pull/6301#issuecomment-1187037261

Signed-off-by: David Pascual <davherna at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
bf4c5126 by Sudhir Menon at 2022-08-03T09:33:42+02:00
ipatests: WebUI: do not allow subid range deletion

This testcase checks that subid added by user admin
cannot be deleted.

Related: https://pagure.io/freeipa/issue/9150

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
6033d495 by Sumedh Sidhaye at 2022-08-04T13:26:00-04:00
Additional tests for RSN v3

New Tests include
TestRSNPKIConfig
TestRSNVault

The new tests are just extending existing classes to be run
with random serial numbers enabled

The tests also include a new method to check params set in CS.cfg for both CA and
KRA, and another test to check Random Serial Number version while
running `ipa ca-find`

Added nightly definitions

Related Ticket: https://pagure.io/freeipa/issue/2016

Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
42b2607a by Carla Martinez at 2022-08-05T16:30:18+02:00
webui: Allow grace login limit

There was no support for setting the grace login limit on the WebUI. The
only way to do so was via the CLI:

   `ipa pwpolicy-mod --gracelimit=2 global_policy`

Thus, the grace login limit must be updated from the policy section and
this will reflect also on the user settings (under the 'Password Policy'
section)

Fixes: https://pagure.io/freeipa/issue/9211

Signed-off-by: Carla Martinez <carlmart at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
ccb012b4 by Florence Blanc-Renaud at 2022-08-08T09:53:25+02:00
ipatests: fix the topology for rawhide/test_subids

The test test_integration/test_subids.py::TestSubordinateId
needs a master and a client but the yaml definition for rawhide
and sssd is currently using master_1repl. Replace with
master_1repl_1client to fulfill the requirement.

Fixes: https://pagure.io/freeipa/issue/9217
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
4ae9c78f by Florence Blanc-Renaud at 2022-08-08T09:53:25+02:00
azure tests: disable TestInstallDNSSECFirst

The test TestInstallDNSSECFirst is failing because of one of its
dependencies (the most likely suspect is the update of openssl-pkcs11).
Disable the test from azure gating until the issue is solved.

Related: https://pagure.io/freeipa/issue/9216
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
8a415ff9 by Florence Blanc-Renaud at 2022-08-16T08:39:06+02:00
check_repl_update: in progress is a boolean

With the fix for https://pagure.io/freeipa/issue/9171,
nsds5replicaUpdateInProgress is now handled as a boolean.
One remaining occurrence was still handling it as a string
and calling lower() on its value.

Replace with direct boolean comparison.

Fixes: https://pagure.io/freeipa/issue/9218
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
45b351f8 by Rob Crittenden at 2022-08-16T08:51:31+02:00
upgrades: Don't restart the CA on ACME and profile schema change

There are currently three sets of CA schema changes applied
in ipa-server-upgrade:

* addition of ACME schema
* addition of certificate profile schema
* addition of lightweight CA schema

None of these require a restart of the CA to be supported.

There is an issue in schema parsing such that it doesn't handle
X-ORIGIN properly. A difference is detected and a change applied
but no change is recorded in LDAP so every time upgrade is
run it thinks a CA restart is needed. The CA is not quick to
restart so avoiding one is best, particularly when the update is
run as part of an rpm transaction where a user with an itchy finger
may think things have hung and break out of it.

https://github.com/389ds/389-ds-base/issues/5366 was
filed to track this.

Related: https://pagure.io/freeipa/issue/9204

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
54d32fcd by Florence Blanc-Renaud at 2022-08-16T13:07:03+02:00
ipatests: Fix expected object classes

Because the sidgen plugin is a postop plugin, it is not
always triggered before the result of an ADD is returned
and the objectclasses of the user may / may not contain
ipantuserattrs.
Fix the expected object classes.

Related: https://pagure.io/freeipa/issue/9062
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
21091c2b by Florence Blanc-Renaud at 2022-08-16T13:07:03+02:00
gitignore: add install/oddjob/org.freeipa.server.config-enable-sid

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
77803587 by Thomas Woerner at 2022-08-16T13:49:40+02:00
DNSResolver: Fix use of nameservers with ports

IPA DNS zone and forwardzone commands allow using nameservers with ports
as "SERVER_IP port PORT_NUMBER". bind supports this syntax, but the
Resolver in dnspython that is used to verify the list of forwarders
(nameservers) only allows IP addresses in this list. With
dnspython version 2.20 there is a new validator in dns.resolver.BaseResolver
that ensures this.

Refs:
- https://bind9.readthedocs.io/en/v9_18_4/reference.html#zone-statement-grammar
- https://github.com/rthalley/dnspython/blob/master/dns/resolver.py#L1094

ipapython/dnsutil.DNSResolver derives from dns.resolver.Resolver. The setter
for nameservers has been overloaded in the DNSResolver class to split out
the port numbers into the nameserver_ports dict { SERVER_IP: PORT_NUMBER }.
After the setter for nameservers succeeded, nameserver_ports is set.
nameserver_ports is used in the resolve() method of dns.resolver.Resolver.

Additional tests have been added to verify that nameservers and also
nameserver_ports are properly set and also valid.

Fixes: https://pagure.io/freeipa/issue/9158

Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
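The nameserver/port splitting described in commit 77803587 above, as an added example that is not FreeIPA's own code: it models the overloaded nameservers setter as a pure function, without dnspython, so it runs stand-alone. The "SERVER_IP port PORT_NUMBER" syntax is the one the commit quotes; the sample forwarder list and the default-port lookup helper are constructed here, and the choice to reject hostnames (because the base resolver only accepts IP addresses) mirrors the validator the commit refers to.

```python
import ipaddress

DEFAULT_DNS_PORT = 53


def split_nameserver_spec(spec):
    """Split one forwarder entry into (ip, port_or_None).

    Accepted forms (bind's zone-statement syntax, as the commit describes):
      "192.0.2.1"             -> ("192.0.2.1", None)
      "192.0.2.1 port 5353"   -> ("192.0.2.1", 5353)
    Anything else is rejected, mirroring the IP-only validator in
    dns.resolver.BaseResolver that the nameservers list must satisfy.
    """
    parts = spec.split()
    if len(parts) == 1:
        host, port = parts[0], None
    elif len(parts) == 3 and parts[1].lower() == "port":
        host, port = parts[0], parts[2]
    else:
        raise ValueError("unsupported nameserver syntax: %r" % spec)

    # The nameservers list may contain IP addresses only, never hostnames.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        raise ValueError("nameserver %r is not an IP address" % host) from None

    if port is not None:
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError("invalid port %r for nameserver %s" % (port, ip))
        port = int(port)
    return str(ip), port


def parse_forwarders(specs):
    """Return (nameservers, nameserver_ports) from a list of forwarder specs.

    nameservers      : bare IP strings, the form the base resolver accepts
    nameserver_ports : {ip: port} only for entries that carried an explicit port
    """
    nameservers = []
    nameserver_ports = {}
    for spec in specs:
        ip, port = split_nameserver_spec(spec)
        nameservers.append(ip)
        if port is not None:
            nameserver_ports[ip] = port
    return nameservers, nameserver_ports


def endpoint_for(ip, nameserver_ports):
    """Resolve-time lookup: the explicit port if one was configured, else 53."""
    return ip, nameserver_ports.get(ip, DEFAULT_DNS_PORT)


if __name__ == "__main__":
    # Constructed sample forwarders using documentation-range addresses.
    sample = ["192.0.2.10", "192.0.2.11 port 5353", "2001:db8::53 port 8053"]
    servers, ports = parse_forwarders(sample)
    print(servers)  # ['192.0.2.10', '192.0.2.11', '2001:db8::53']
    print(ports)    # {'192.0.2.11': 5353, '2001:db8::53': 8053}
```

Splitting the port out before the address list is validated is the whole point: the list handed to the base resolver never contains the "port N" suffix, so the stricter dnspython validator passes, while the port information survives in the side dict that the resolve path consults.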
b6587d33 by Rob Crittenden at 2022-08-18T17:51:20-04:00
doc: Update LDAP grace period design with default values

New group password policies will get -1 (unlimited) on creation
by default.

Existing group password policies will remain untouched and
those created prior will be treated as no BIND allowed.

Fixes: https://pagure.io/freeipa/issue/9212

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
c8955a4d by Rob Crittenden at 2022-08-18T17:51:20-04:00
Set default gracelimit on group password policies to -1

This will retain previous behavior of unlimited LDAP BIND
post-expiration.

Fixes: https://pagure.io/freeipa/issue/9212

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
0468cc60 by Rob Crittenden at 2022-08-18T17:51:20-04:00
Set default on group pwpolicy with no grace limit in upgrade

If an existing group policy lacks a password grace limit
update it to -1 on upgrade.

Fixes: https://pagure.io/freeipa/issue/9212

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
5a225dea by Scott Poore at 2022-08-19T09:47:41+02:00
ipatests: Rename create_quarkus to create_keycloak

The module installs and configures a Keycloak server and
not just the Quarkus Java framework.  So, renaming to better
reflect what the module is used for.

Fixes: https://pagure.io/freeipa/issue/9225
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
06183a06 by Endi S. Dewata at 2022-08-19T10:19:10+02:00
Remove pki_restart_configured_instance

The pki_restart_configured_instance param is no longer used
by pkispawn so it has been removed.

https://github.com/dogtagpki/pki/blob/master/docs/changes/v11.3.0/Server-Changes.adoc

Signed-off-by: Endi S. Dewata <edewata at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
2ae316d4 by Alexander Bokovoy at 2022-08-29T17:30:22+02:00
fix canonicalization issue in Web UI

When a Kerberos principal alias is used to log in to the Web UI, we end up
with a request that is authenticated by a ticket issued in the alias
name but metadata processed for the canonical user name. This confuses
the RPC layer of the Web UI code and causes an infinite loop reloading the page.

Fix it by doing two things:

 - force use of canonicalization of an enterprise principal on server
   side, not just specifying that the principal is an enterprise one;

 - recognize that a principal in the whoami()-returned object can have
   aliases and the principal returned by the server in the JSON response
   may be one of those aliases.

Fixes: https://pagure.io/freeipa/issue/9226

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
ad8f90f8 by Alexander Bokovoy at 2022-08-29T17:34:20+02:00
ipa-otpd: initialize local pointers and handle gcc 10

oauth2_on_child_readable() does not use the main verto context and used
to drop the argument name to signify that. This is a feature of C2X
standard by default and is not enabled in gcc before 11 by default (it
is enabled in RHEL 8's gcc 8.5).

Add a simple 'if the context is missing, get out' code to use 'ctx'.
This makes it possible to avoid enabling C2X features.

Initialize local pointers to prevent use before initialization on exit
paths in abnormal situations as well.

Fixes: https://pagure.io/freeipa/issue/9230

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
fa853018 by Jesse Sandberg at 2022-08-29T18:28:42+02:00
Fix ipa-ccache-sweeper activation timer and clean up service file

Added OnActiveSec=12h to start the timer cycle because the OnUnitActiveSec setting alone never triggers the timer after boot, as there has been no transition between the active and inactive states.
Removed the [Install] section from sweeper.service as it is not needed.

Fixes: https://pagure.io/freeipa/issue/9231
Signed-off-by: Jesse Sandberg <jesse.sandberg at netcode.fi>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
090d4f9e by Carla Martinez at 2022-08-30T16:07:42+02:00
Set pkeys in test_selinuxusermap.py::test_misc::delete_record

The test_selinuxusermap.py::test_selinuxusermap::test_misc is failing
because the 'delete_record' function (located in the same file) is passing
incorrect parameters: it should take the 'pkeys' instead of the full
data.

The changes will take the right 'pkeys' parameters in the 'test_misc()'
function.

Fixes: https://pagure.io/freeipa/issue/9161

Signed-off-by: Carla Martinez <carlmart at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
94835d19 by Stanislav Levin at 2022-09-19T14:15:36-04:00
x509: Replace removed register_interface with subclassing

python-cryptography 38.0 removed `register_interface` decorator:
pyca/cryptography at f70e334a52fdf5bd1ad42460efb78d989f8535d9

Backward compatibility:
Cryptography hasn't changed the interface of `Certificate` since it was
first used by IPA (4.6.0) until cryptography 38.0.

cryptography 38.0 (pyca/cryptography at c1b7307a3e4ef9cd246feae88178afba7389405c)
added `tbs_precertificate_bytes` attribute.

Fixes: https://pagure.io/freeipa/issue/9160
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
36591995 by Rob Crittenden at 2022-09-20T14:51:56-04:00
Fix upper bound of password policy grace limit

It was defined as an unsigned value (2**32) because it
originally was. During the review an additional setting of
disabled (-1) was added so the value needed to be signed.
The upper bound needs to be 2**31 which is provided by
the xmlrpc client MAXINT import.

Fixes: https://pagure.io/freeipa/issue/9243

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
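The LDAP grace-period rules spread across the commits above (22d1392a: only consult the grace period once the password has expired; 4105fee2: -1 is disabled, 0 is not; b6587d33, c8955a4d and 0468cc60: new and upgraded group policies default to -1, policies lacking the attribute are treated as no BIND allowed; 36591995: the upper bound is the signed xmlrpc MAXINT), as one added example that is not FreeIPA's own code. It models the bind decision as a pure function over a constructed user entry; the `grace_used` counter, the `UserEntry` class, the `NOW` clock and the helper names are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from xmlrpc.client import MAXINT  # 2**31 - 1, the signed bound the fix switched to

GRACE_UNLIMITED = -1  # "disabled": unlimited LDAP binds after expiration

NOW = datetime(2022, 8, 1, tzinfo=timezone.utc)  # constructed clock for the samples


def validate_gracelimit(value):
    """Range check for a gracelimit value: -1 (unlimited) up to MAXINT."""
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValueError("gracelimit must be an integer, got %r" % (value,))
    if value < GRACE_UNLIMITED or value > MAXINT:
        raise ValueError("gracelimit must be between -1 and %d, got %d" % (MAXINT, value))
    return value


@dataclass
class UserEntry:
    uid: str
    pwd_expiration: datetime
    grace_used: int = 0  # constructed: post-expiration binds already consumed


def make_user(uid, days_until_expiry, now=NOW):
    """Build a sample user whose password expires the given number of days from now."""
    return UserEntry(uid, now + timedelta(days=days_until_expiry))


def evaluate_bind(user, gracelimit, now=NOW):
    """Decide whether a simple LDAP bind proceeds under the grace-period rules.

    gracelimit may be None to model a group policy that predates the
    attribute (treated as "no BIND allowed" once the password has expired).
    Returns (allowed, reason).
    """
    # Not expired: the grace code is skipped entirely, so the counter is untouched.
    if user.pwd_expiration > now:
        return True, "password not expired; grace period not consulted"

    if gracelimit is None:
        return False, "password expired; policy has no grace limit, bind refused"
    if gracelimit == GRACE_UNLIMITED:
        return True, "password expired; grace limit disabled, bind allowed"
    if gracelimit == 0 or user.grace_used >= gracelimit:
        # 0 is NOT disabled: it means no grace binds at all.
        return False, "password expired; grace binds exhausted (%d/%d)" % (
            user.grace_used, gracelimit)

    user.grace_used += 1
    return True, "password expired; grace bind %d of %d" % (user.grace_used, gracelimit)


def upgrade_policy(policy):
    """ipa-server-upgrade behaviour: a group policy without gracelimit gets -1."""
    if policy.get("gracelimit") is None:
        policy["gracelimit"] = GRACE_UNLIMITED
    return policy


if __name__ == "__main__":
    alice = make_user("alice", days_until_expiry=30)
    print(evaluate_bind(alice, 0))            # allowed: not expired, counter untouched
    bob = make_user("bob", days_until_expiry=-1)
    for _ in range(3):
        print(evaluate_bind(bob, 2))          # allowed, allowed, refused
    print(upgrade_policy({"cn": "admins"}))   # {'cn': 'admins', 'gracelimit': -1}
```

The first branch is the one the original bug skipped: without the expiry comparison every bind, including API calls, decremented the grace budget of users whose passwords were perfectly valid.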
a4da0172 by Scott Poore at 2022-09-20T14:54:04-04:00
ipatests: add Keycloak Bridge test

Add test code for new bridge server (ipa-tuura) and Keycloak plugin.

Add uninstall functions for create_keycloak.py so that the tests can
be run repeatedly.

Fixes: https://pagure.io/freeipa/issue/9227
Signed-off-by: Scott Poore <spoore at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
04c2b069 by Scott Poore at 2022-09-20T14:54:04-04:00
ipatests: add prci definitions for test_sso jobs

Signed-off-by: Scott Poore <spoore at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
926680ff by Carla Martinez at 2022-09-21T10:45:32+02:00
webui: Show 'Sudo order' column

In the 'Sudo rules' page, the 'Sudo order' column should be visible in the
list so the users can easily see which rules override other rules based on
their order.

Fixes: https://pagure.io/freeipa/issue/9237
Signed-off-by: Carla Martinez <carlmart at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
7aeb9e58 by Florence Blanc-Renaud at 2022-09-23T09:49:06+02:00
ipa-cacert-manage prune: remove all expired certs

ipa-cacert-manage prune is removing the expired certs one
at a time and this may result in verifying that one of
the expired certs is still valid.
As a consequence, ipa-cacert-manage prune always fails
when more than one cert is expired.

To avoid the issue, remove all the expired certs in a single
pass, and validate only the ones that would remain after full
pruning.

Fixes: https://pagure.io/freeipa/issue/9244
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
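The pruning order problem from commit 7aeb9e58 above, as an added example that is not FreeIPA's own code: a toy certificate store where the pre-fix one-at-a-time loop and the fixed single-pass loop run side by side. The `CertInfo` record, the validity model in `verify` (unexpired, and issued by an unexpired cert still in the store) and the sample certificates are assumptions constructed for the example; IPA's real validation is not reproduced.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class CertInfo:
    nickname: str
    subject: str
    issuer: str
    not_after: datetime


def is_expired(cert, now):
    return cert.not_after <= now


def verify(cert, store, now):
    """Toy validity check (assumption, not IPA's real chain validation):
    the cert must be unexpired and either self-signed or issued by an
    unexpired cert that is still present in the store."""
    if is_expired(cert, now):
        return False
    if cert.issuer == cert.subject:
        return True
    return any(c.subject == cert.issuer and not is_expired(c, now)
               for c in store.values())


def prune_one_at_a_time(certs, now):
    """Pre-fix behaviour: drop one expired cert, then re-verify everything
    still present. Other expired certs are still in the store at that point,
    so verification fails as soon as two or more certs are expired."""
    store = {c.nickname: c for c in certs}
    for cert in [c for c in certs if is_expired(c, now)]:
        del store[cert.nickname]
        failed = [c.nickname for c in store.values() if not verify(c, store, now)]
        if failed:
            raise RuntimeError("verification failed for %s" % ", ".join(failed))
    return sorted(store)


def prune_single_pass(certs, now):
    """Post-fix behaviour: remove every expired cert first, then verify only
    the certs that survive pruning."""
    store = {c.nickname: c for c in certs if not is_expired(c, now)}
    failed = [c.nickname for c in store.values() if not verify(c, store, now)]
    if failed:
        raise RuntimeError("verification failed for %s" % ", ".join(failed))
    return sorted(store)


# Constructed sample store: a root, a renewed leaf, and two expired certs.
NOW = datetime(2022, 9, 23, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    CertInfo("root", "CN=Example Root", "CN=Example Root", NOW + timedelta(days=3650)),
    CertInfo("old-sub", "CN=Old Sub CA", "CN=Example Root", NOW - timedelta(days=10)),
    CertInfo("old-leaf", "CN=ldap.example.test", "CN=Old Sub CA", NOW - timedelta(days=5)),
    CertInfo("leaf", "CN=ldap.example.test", "CN=Example Root", NOW + timedelta(days=300)),
]

if __name__ == "__main__":
    print(prune_single_pass(SAMPLE_CERTS, NOW))  # ['leaf', 'root']
    try:
        prune_one_at_a_time(SAMPLE_CERTS, NOW)
    except RuntimeError as err:
        print("one-at-a-time pruning:", err)     # fails on the still-present old-leaf
```

With a single expired certificate both loops agree; the divergence only appears once a second expired certificate is still sitting in the store when the first removal triggers re-verification, which is exactly the "more than one cert is expired" condition the commit names.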
9d9d925b by Rob Crittenden at 2022-09-26T08:48:42+02:00
Defer creating the final krb5.conf on clients

A temporary krb5.conf is created early during client enrollment
and was previously used only during the initial ipa-join call.
The final krb5.conf was written soon afterward.

If there are multiple servers it is possible that the client
may then choose a different KDC to connect. If the client
is faster than replication then the client may not exist
on all servers and therefore enrollment will fail.

This was seen in performance testing of how many simultaneous
client enrollments are possible.

Use a decorator to wrap the _install() method to ensure the
temporary files created during installation are cleaned up.

https://pagure.io/freeipa/issue/9228

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
f1b2d8ab by Florence Blanc-Renaud at 2022-09-29T07:58:44-04:00
ipa otptoken-sync: return error when sync fails

The command ipa otptoken-sync does not properly handle
errors happening during the synchronization step.

- Even if an error is detected (such as invalid password
provided), the command exits with return code = 0. An
error message is displayed but the exit code should be 1.

- When an invalid token is provided, the token is not
synchronized but the error is not reported back to the
ipa otptoken-sync command.

The first issue can be fixed by raising an exception when
the HTTP response contains a header with an error.
The second issue is fixed by returning LDAP_INVALID_CREDENTIALS
to ldap bind with the sync control if synchronization fails.

Fixes: https://pagure.io/freeipa/issue/9248

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
59db0faf by Florence Blanc-Renaud at 2022-09-29T07:58:44-04:00
ipatests: add negative test for otptoken-sync

Scenario:  call ipa otptoken-sync with
- an invalid password
- an invalid first token (containing non-digits)
- an invalid sequence of tokens

The test expects a return code = 1.

Related: https://pagure.io/freeipa/issue/9248
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c74c701c by Carla Martinez at 2022-09-29T14:23:44+02:00
Set 'idnssoaserial' to deprecated

A warning message (regarding the SOA serial deprecation) is shown
on the webui and CLI every time a new DNS zone is added (even if the
'--serial' option is not being explicitly set) or the SOA serial is modified.

This should be managed by setting the 'idnssoaserial' as deprecated and
not required parameter.

Fixes: https://pagure.io/freeipa/issue/9249
Signed-off-by: Carla Martinez <carlmart at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>

- - - - -
b326b4af by Carla Martinez at 2022-09-29T14:23:44+02:00
ipatest: Remove warning message for 'idnssoaserial'

The tests must be updated to not expect the
deprecation warning messages for the 'idnssoaserial'
parameter. Those should (successfully) fail when
'dnszone_add' and 'dnszone_mod' commands are
executed with the SOA serial parameter provided.

Also, due to this SOA serial deprecation, an
expected-to-fail test should be defined when a
DNS zone is added (dnszone_add) and the SOA serial
is passed as a parameter.

Fixes: https://pagure.io/freeipa/issue/9249
Signed-off-by: Carla Martinez <carlmart at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>

- - - - -
a3b4b476 by Carla Martinez at 2022-09-29T14:23:44+02:00
webui: Set 'SOA serial' field as read-only

On the WebUI, the SOA serial textbox must be disabled (non-editable)
to prevent the 'ValidationError' message from being shown when this
specific field is manually set.

Fixes: https://pagure.io/freeipa/issue/9249
Signed-off-by: Carla Martinez <carlmart at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>

- - - - -
55ef0008 by Carla Martinez at 2022-09-29T14:23:44+02:00
Update API and VERSION

The API and VERSION files need to be updated
to hold the changes made in the 'idnssoaserial'
parameter.

Fixes: https://pagure.io/freeipa/issue/9249
Signed-off-by: Carla Martinez <carlmart at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>

- - - - -
dbec885c by Rob Crittenden at 2022-09-29T16:40:19-04:00
Move client certificate request after krb5.conf is created

The creation of krb5.conf was moved to the end of the script
as part of maintaining server affinity during ipa-client-install.
If the installation is faster than replication then requests
against some IPA servers may fail because the client entry is
not yet present.

This is more difficult with certmonger as it will only use
/etc/krb5.conf. There is no way of knowing, even at the end
of the client installation, that replication has finished.

Certificate issuance may fail during ipa-client-install but
certmonger will re-try the request.

Fixes: https://pagure.io/freeipa/issue/9246

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
cca7a7cd by Florence Blanc-Renaud at 2022-09-30T15:15:50+02:00
ipa man page: format the EXAMPLES section

The EXAMPLES section is missing .TP macros before some of
the provided examples, and they are displayed in the same paragraph.

Add .TP (tagged, indented paragraph) before each example.

Fixes: https://pagure.io/freeipa/issue/9252
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ac2c3de8 by Weblate at 2022-10-02T12:07:20+03:00
Update translation files

Updated by "Update LINGUAS file" hook in Weblate.

Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Co-authored-by: Weblate <noreply at weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/
Translation: freeipa/master
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
41855787 by Jan Kuparinen at 2022-10-02T12:07:20+03:00
Translated using Weblate (Finnish)

Currently translated at 7.7% (362 of 4672 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
3c7fe6c4 by Weblate at 2022-10-02T12:07:20+03:00
Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a0e0d57a by Yuri Chornoivan at 2022-10-02T12:07:20+03:00
Translated using Weblate (Ukrainian)

Currently translated at 98.5% (4671 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/uk/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
5cc8e5b8 by Yuri Chornoivan at 2022-10-02T12:07:20+03:00
Translated using Weblate (Ukrainian)

Currently translated at 99.4% (4713 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/uk/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b9f94620 by Yuri Chornoivan at 2022-10-02T12:07:20+03:00
Translated using Weblate (Ukrainian)

Currently translated at 100.0% (4739 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/uk/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
31ba6aa5 by Jan Kuparinen at 2022-10-02T12:07:20+03:00
Translated using Weblate (Finnish)

Currently translated at 10.9% (520 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
dd345aac by Jan Kuparinen at 2022-10-02T12:07:20+03:00
Translated using Weblate (Finnish)

Currently translated at 15.5% (736 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
706faddf by Jan Kuparinen at 2022-10-02T12:07:20+03:00
Translated using Weblate (Finnish)

Currently translated at 15.6% (742 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0ab38702 by Ricky Tigg at 2022-10-02T12:07:20+03:00
Translated using Weblate (Finnish)

Currently translated at 15.6% (743 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
fd985ae4 by Piotr Drąg at 2022-10-02T12:07:20+03:00
Translated using Weblate (Polish)

Currently translated at 9.5% (452 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/pl/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e39ccf59 by Jan Kuparinen at 2022-10-02T12:07:20+03:00
Translated using Weblate (Finnish)

Currently translated at 15.9% (754 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e7623b4f by Ricky Tigg at 2022-10-02T12:07:20+03:00
Translated using Weblate (Finnish)

Currently translated at 16.0% (762 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
feb94b3a by Jan Kuparinen at 2022-10-02T12:07:20+03:00
Translated using Weblate (Finnish)

Currently translated at 16.1% (764 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
386e5116 by Jan Kuparinen at 2022-10-02T12:07:20+03:00
Translated using Weblate (Finnish)

Currently translated at 16.7% (794 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
8b1eb488 by Weblate at 2022-10-02T12:07:20+03:00
Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
cf338b5b by Yuri Chornoivan at 2022-10-02T12:07:20+03:00
Translated using Weblate (Ukrainian)

Currently translated at 100.0% (4739 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/uk/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7fc89bc0 by Jan Kuparinen at 2022-10-02T12:07:20+03:00
Translated using Weblate (Finnish)

Currently translated at 16.9% (804 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c7ba8f5f by Andika Triwidada at 2022-10-02T12:07:20+03:00
Translated using Weblate (Indonesian)

Currently translated at 6.8% (323 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/id/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
581dfddc by Jan Kuparinen at 2022-10-02T12:07:20+03:00
Translated using Weblate (Finnish)

Currently translated at 17.2% (816 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f680614b by Jan Kuparinen at 2022-10-02T12:07:20+03:00
Translated using Weblate (Finnish)

Currently translated at 17.5% (832 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
35f58c9a by Piotr Drąg at 2022-10-02T12:07:20+03:00
Translated using Weblate (Polish)

Currently translated at 9.5% (453 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/pl/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ab652aa1 by Ricky Tigg at 2022-10-02T12:07:20+03:00
Translated using Weblate (Finnish)

Currently translated at 17.5% (833 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
cd702b54 by Jan Kuparinen at 2022-10-02T12:07:20+03:00
Translated using Weblate (Finnish)

Currently translated at 17.7% (840 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e92b8478 by Jan Kuparinen at 2022-10-02T12:07:20+03:00
Translated using Weblate (Finnish)

Currently translated at 17.7% (842 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
6f3c9a25 by Weblate at 2022-10-02T12:07:20+03:00
Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0f2d2d36 by Yuri Chornoivan at 2022-10-02T12:07:20+03:00
Translated using Weblate (Ukrainian)

Currently translated at 100.0% (4741 of 4741 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/uk/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ea95f0dd by Jan Kuparinen at 2022-10-02T12:07:20+03:00
Translated using Weblate (Finnish)

Currently translated at 17.8% (845 of 4741 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b2cdddea by Temuri Doghonadze at 2022-10-02T12:07:20+03:00
Added translation using Weblate (Georgian)

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1d1b31a2 by Weblate at 2022-10-02T12:07:20+03:00
Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7a82bc09 by Yuri Chornoivan at 2022-10-02T12:07:20+03:00
Translated using Weblate (Ukrainian)

Currently translated at 100.0% (4818 of 4818 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/uk/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e20e1a44 by Jan Kuparinen at 2022-10-02T12:07:20+03:00
Translated using Weblate (Finnish)

Currently translated at 17.6% (848 of 4818 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
097615c3 by Temuri Doghonadze at 2022-10-02T12:07:20+03:00
Translated using Weblate (Georgian)

Currently translated at 6.9% (333 of 4818 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ka/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d12908ff by Temuri Doghonadze at 2022-10-02T12:07:20+03:00
Translated using Weblate (Georgian)

Currently translated at 7.6% (368 of 4818 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ka/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
2ee7fcdf by Temuri Doghonadze at 2022-10-02T12:07:20+03:00
Translated using Weblate (Georgian)

Currently translated at 8.3% (401 of 4818 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ka/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e9d59088 by 김인수 at 2022-10-02T12:07:20+03:00
Added translation using Weblate (Korean)

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
526b5165 by 김인수 at 2022-10-02T12:07:20+03:00
Translated using Weblate (Korean)

Currently translated at 2.0% (99 of 4818 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a2a70ab7 by 김인수 at 2022-10-02T12:07:20+03:00
Translated using Weblate (Korean)

Currently translated at 2.2% (108 of 4818 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
6e6a0718 by 김인수 at 2022-10-02T12:07:20+03:00
Translated using Weblate (Korean)

Currently translated at 2.9% (140 of 4818 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
76152e03 by Alexander Bokovoy at 2022-10-02T12:07:20+03:00
Remove empty translation for 'si' which breaks linter

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
43fcfe45 by Florence Blanc-Renaud at 2022-10-04T13:47:48+02:00
Tests: test on f37 and f36

Fedora 37 beta is now available, move the testing pipelines to
- fedora 37 for the _latest definitions
- fedora 36 for the _previous definition

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
4a4f7e76 by Florence Blanc-Renaud at 2022-10-04T13:47:48+02:00
ipatests: mark xfail tests using sssctl domain-status

In fedora 37+, sssctl domain-status is failing.
Mark xfail the gating tests impacted by this issue, to avoid
breaking the CI gating when we move to f37.

Related: https://pagure.io/freeipa/issue/9234
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
96cf293f by Florence Blanc-Renaud at 2022-10-04T13:47:48+02:00
ipatests: mark xfail tests using dnssec

In fedora 37+, the signing of DNS zones is failing.
Mark xfail the gating tests impacted by this issue, to avoid
breaking the CI gating when we move to f37.

Related: https://pagure.io/freeipa/issue/9216
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
f0c26fe0 by Alexey Tikhonov at 2022-10-04T14:01:56+02:00
extdom: internal functions should be static

Fixes following compilation warnings:
```
ipa_extdom_common.c:109:5: warning: no previous prototype for ‘__nss_to_err’ [-Wmissing-prototypes]
  109 | int __nss_to_err(enum nss_status errcode)
      |     ^~~~~~~~~~~~
ipa_extdom_common.c:738:5: warning: no previous prototype for ‘pack_ber_name_list’ [-Wmissing-prototypes]
  738 | int pack_ber_name_list(struct extdom_req *req, char **fq_name_list,
      |     ^~~~~~~~~~~~~~~~~~
```

Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
b381acb3 by Alexey Tikhonov at 2022-10-04T14:01:56+02:00
extdom: make sure result doesn't miss domain part

This is required to ensure that only objects from requested domain
are returned.

Resolves: https://pagure.io/freeipa/issue/9245
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
147123e6 by Alexey Tikhonov at 2022-10-04T14:01:56+02:00
extdom: avoid sss_nss_getorigby*() calls when get*_r_wrapper() returns object from a wrong domain (performance optimization)

Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
d4fa80b2 by Stanislav Levin at 2022-10-06T10:22:26+02:00
ipapython: Support openldap 2.6

While python-ldap is a strict dependency of IPA in downstreams, it
is optional for IPA packages published on PyPI.

OpenLDAP 2.6 no longer ships ldap_r-2, which makes
ipapython.dn_ctypes not work in such environments.

Thanks @abbra!

Fixes: https://pagure.io/freeipa/issue/9255
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
0ce3ab36 by Sumit Bose at 2022-10-07T17:02:43+02:00
ipa-kdb: do not fail if certmap rule cannot be added

Currently, if a certificate mapping and matching rule has a typo or is of
an unsupported type, the whole rule processing is aborted and the IPA
certmap plugin works without any rules, effectively disabling PKINIT for
users. Since each rule would only allow more certificates for PKINIT, it
would be more user/admin friendly to just ignore the failed rules with a
log message and continue with what is left, or use the default rule if
nothing is left.

This change is done to add more flexibility to define new mapping and
matching templates which are e.g. needed to cover changes planned by
Microsoft as explained in
https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d33a2523 by Viacheslav Sychov at 2022-10-10T09:48:55+02:00
fix: Handle /proc/1/sched missing error

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
22022ae2 by Alexander Bokovoy at 2022-10-10T09:50:39+02:00
ipaclient: do not set TLS CA options in ldap.conf anymore

OpenLDAP has made it explicit to use default CA store as provided by
OpenSSL in 2016:

	branches 2.5 and later:
	commit 4962dd6083ae0fe722eb23a618ad39e47611429b
	Author: Howard Guo <hguo at suse.com>
	Date:   Thu Nov 10 15:39:03 2016 +0100

	branch 2.4:
	commit e3affc71e05b33bfac43833c7b95fd7b7c3188f8
	Author: Howard Guo <hguo at suse.com>
	Date:   Thu Nov 10 15:39:03 2016 +0100

This means starting with OpenLDAP 2.4.45 we can drop the explicit CA
configuration in ldap.conf.

There are several use cases where an explicit IPA CA should be specified
in the configuration. These mostly concern situations where a higher
security level must be maintained. For these configurations an
administrator would need to add an explicit CA configuration to
ldap.conf if we wouldn't add it during the ipa-client-install setup.

RN: FreeIPA client installer does not add explicit TLS CA configuration
RN: to OpenLDAP's ldap.conf anymore. Since OpenLDAP 2.4.45, explicit CA
RN: configuration is not required as OpenLDAP uses the default CA store
RN: provided by OpenSSL and IPA CA is installed in the default store
RN: by the installer already.

Fixes: https://pagure.io/freeipa/issue/9258

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
42f73ea6 by Sumedh Sidhaye at 2022-10-12T12:01:27+02:00
With the commit #99a74d7, 389-ds changed the message returned in ipa-healthcheck.

Previously the message was:

"\n\nIn Directory Server, we offer one hash suitable for this "
"(PBKDF2_SHA256) and one hash\nfor \"legacy\" support (SSHA512)."
"\n\nYour configuration does not use these for password storage "
"or the root password storage\nscheme.\n"

but now the message is:

"\n\nIn Directory Server, we offer one hash suitable for this "
"(PBKDF2-SHA512) and one hash\nfor \"legacy\" support (SSHA512)."
"\n\nYour configuration does not use these for password storage "
"or the root password storage\nscheme.\n"

PBKDF2_SHA256 has been replaced with PBKDF2-SHA512

Pagure: https://pagure.io/freeipa/issue/9238

Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
7b855c60 by Nikola Knazekova at 2022-10-17T15:57:10+02:00
Exclude installed policy module file from RPM verification

selinux: Update based on latest packaging guide
https://fedoraproject.org/wiki/SELinux/IndependentPolicy

Fixes: https://pagure.io/freeipa/issue/9254

Signed-off-by: Nikola Knazekova <nknazeko at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
715ee82e by Anuja More at 2022-10-18T07:03:29+02:00
ipatests: Test query to AD specific attributes is successful.

Test scenario:
configure sssd with ldap_group_name = info for the trusted domain,
so that the group name is read from the "info" attribute
of the AD group entry.
With this setting, it is possible to have a group and a user
that appear on IdM side with the same name.
Ensure that the conflict does not break IdM and that the id,
getent group and getent passwd commands work on an IdM client.

Related: https://pagure.io/freeipa/issue/9127

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
06780f4d by Florence Blanc-Renaud at 2022-10-19T09:49:04-04:00
webui tests: fix test_subid suite

The webui test test_subid_range_deletion_not_allowed is
adding a new subid for the admin user but a previous
test already took care of that step.
Remove the call adding the subid.

2nd issue: a given record has to be selected in
order to check that there is no "delete" button.

Fixes: https://pagure.io/freeipa/issue/9214

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
899530bd by Scott Poore at 2022-10-20T08:48:53-04:00
ipatests: add keycloak user login to ipa test

Adding test case to test_sso.py to cover login to IPA client as Keycloak
user without relying on external IdP.

create_bridge.py:
- getkeytab in setup_scim_server to allow bridge to use IPA API.
- fix uninstall to remove plugin by version instead of main

test_sso.py:
- add keycloak_add_user function
- add test_ipa_login_with_sso_user

tasks.py:
- add set_user_password to only set password for ipa users

Fixes: https://pagure.io/freeipa/issue/9250
Signed-off-by: Scott Poore <spoore at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
fbda6ea4 by Florence Blanc-Renaud at 2022-10-20T15:42:05-04:00
Spec file: bump the selinux-policy version

selinux-policy introduced a regression in fedora 36, rhel 8
and rhel 9. After a call to ipa trust-add, the credential cache
contains cifs/master.ipa.test at IPA.TEST instead of admin principal.

The fix is available in
- fedora 36: selinux-policy-36.16-1
- rhel 8: 3.14.3-107

Bump the selinux-policy version to install the fix.

Fixes: https://pagure.io/freeipa/issue/9198
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
5e759098 by Alexander Bokovoy at 2022-11-02T11:03:04+02:00
ipa-kdb: refactor MS-PAC processing to prepare for krb5 1.20

Make sure both krb5 pre 1.20 and 1.20 or later would call into the same
PAC generation code while driven by different API callbacks from the
krb5 KDB interface.

Fixes: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c1582bd3 by Alexander Bokovoy at 2022-11-02T11:03:04+02:00
ipa-kdb: add krb5 1.20 support

Add basic krb5 1.20 integration without RBCD support. RBCD will come in
a separate series.

Fixes: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a9018da9 by Alexander Bokovoy at 2022-11-02T11:03:04+02:00
ipa-kdb: handle cross-realm TGT entries when generating PAC

For generating PAC we need to know SID of the object and a number of
required attributes. However, trusted domain objects do not have these
attributes. Luckily, IPA LDAP schema puts them under actual trust
objects which have all the additional (POSIX) attributes.

Refactor PAC generator to accept secondary LDAP entry and use that one
to pull up required attributes. We only use this for trusted domain
objects.

Fixes: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
e86807b5 by Alexander Bokovoy at 2022-11-02T11:03:04+02:00
ipa-kdb: handle empty S4U proxy in allowed_to_delegate

With krb5 1.20, S4U processing code uses a special case of passing an
empty S4U proxy to allowed_to_delegate() callback to identify if the
server cannot get forwardable S4U2Self tickets according to [MS-PAC]
3.2.5.1.2.

This means we need to ensure NULL proxy is a valid one and return an
appropriate response to that.

Fixes: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
0c67f0e6 by Alexander Bokovoy at 2022-11-02T11:03:04+02:00
ipa-kdb: fix PAC requester check

PAC requester check was incorrect for in-realm S4U operations. It cast
too wide a check, which denied some legitimate requests. Fix that by only
applying rejection to non-S4U unknown SIDs; otherwise an S4U2Self request
issued by the in-realm service against a trusted domain's user would not
work.

Related: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ce05e5fd by Alexander Bokovoy at 2022-11-02T11:03:04+02:00
ipa-kdb: fix comment to make sure we talk about krb5 1.20 or later

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c62e5d7a by Scott Poore at 2022-11-03T10:55:32+01:00
ipatests: xfail test_ipa_login_with_sso_user

There is a crash occurring that causes Keycloak to be unable to
communicate with ipa-tuura on the bridge server (replica0).  This is
much more prevalent in Fedora 37 so we need to xfail that test case
until the crash is resolved.

Related: https://pagure.io/freeipa/issue/9264

Signed-off-by: Scott Poore <spoore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
38728dd5 by Endi S. Dewata at 2022-11-03T15:18:30-04:00
Explicitly use legacy ID generators by default

The default ID generators used by PKI might change in the
future, so to preserve the current behavior the installation
code has been updated to explicitly use the legacy ID
generators by default.

Signed-off-by: Endi S. Dewata <edewata at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
815f1839 by Erik Belko at 2022-11-09T14:53:16+01:00
ipatests: test for root using admin password in webUI

Check if there is no infinite loop caused by this
combination of user and password

Related: https://pagure.io/freeipa/issue/9226

Signed-off-by: Erik Belko <ebelko at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
d6a643b7 by Erik Belko at 2022-11-10T09:30:15+01:00
ipatests: Add test for grace login limit

Test user and pwpolicy entity for grace login limit setting.

Related: https://pagure.io/freeipa/issue/9211

Signed-off-by: Erik Belko <ebelko at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
21d99b45 by Alexander Bokovoy at 2022-11-14T10:12:42-05:00
ipa-kdb: for delegation check, use different error codes before and after krb5 1.20

With MIT krb5 1.20, a call to krb5_db_check_allowed_to_delegate()
and krb5_db_check_allowed_to_delegate_from() expects to return either
KRB5KDC_ERR_BADOPTION for a policy denial or KRB5_PLUGIN_OP_NOTSUPP in
case plugin does not handle the policy case. This is part of the MIT
krb5 commit a441fbe329ebbd7775eb5d4ccc4a05eef370f08b which added a
minimal MS-PAC generator.

Prior to MIT krb5 1.20, the same call was expected to return either
KRB5KDC_ERR_POLICY or KRB5_PLUGIN_OP_NOTSUPP errors.

Related: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
b76bb195 by Carla Martinez at 2022-11-15T13:04:22+01:00
webui: Add label name to 'Certificates' section

For testing purposes and uniformity, the
'Certificates' label (located under
'Active users' settings) should also have
a 'name' attribute, as seen in other parts of the WebUI.

Fixes: https://pagure.io/freeipa/issue/8946
Signed-off-by: Carla Martinez <carlmart at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
746a036c by Mohammad Rizwan at 2022-11-15T13:04:22+01:00
ipatests: Test newly added certificate label

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
f15da104 by Carla Martinez at 2022-11-15T13:04:22+01:00
webui: Add name to 'Certificates' table

For testing purposes and uniformity, the 'Certificates'
table generated after a new certificate is added should
also have the 'name' attribute to be able to access its
value.

Fixes: https://pagure.io/freeipa/issue/8946
Signed-off-by: Carla Martinez <carlmart at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
dbebed2e by Christian Heimes at 2022-11-16T14:32:05+02:00
Add PKINIT support to ipa-client-install

The ``ipa-client-install`` command now supports PKINIT for client
enrollment. Existing X.509 client certificates can be used to
authenticate a host.

Also restart KRB5 KDC during ``ipa-certupdate`` so KDC picks up new CA
certificates for PKINIT.

*Requirements*

- The KDC must trust the CA chain of the client certificate.
- The client must be able to verify the KDC's PKINIT cert.
- The host entry must exist. This limitation may be removed in the
  future.
- A certmap rule must match the host certificate and map it to a single
  host entry.

*Example*

```
ipa-client-install \
    --pkinit-identity=FILE:/path/to/cert.pem,/path/to/key.pem \
    --pkinit-anchor=/path/to/kdc-ca-bundle.pem
```

Fixes: https://pagure.io/freeipa/issue/9271
Fixes: https://pagure.io/freeipa/issue/9269
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c6a16a7e by Pavel Březina at 2022-11-16T14:44:13-05:00
docs: add security section to idp

Related: https://pagure.io/freeipa/issue/8805
Related: https://pagure.io/freeipa/issue/8804
Related: https://pagure.io/freeipa/issue/8803
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
988cb5a5 by Antonio Torres at 2022-11-16T14:46:17-05:00
doc: generate API Reference

Extend the 'make api' target so that we also build an API Reference in
Markdown format. One template for each command gets generated. These
templates include all of the command details (arguments, options and
outputs), and then a section for manually-added notes such as semantics
or version differences. Every time the docs are regenerated, these notes
will be added if they exist.

Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
4caa5ca5 by Antonio Torres at 2022-11-16T14:46:17-05:00
Add basic API usage guide

Add a guide explaining how to use the IPA API through Python. This
includes initializing the API, launching commands and retrieving
results, including batch operations.

Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
83161913 by Rob Crittenden at 2022-11-16T14:47:53-05:00
Support tokens and optional password files when opening an NSS db

Each token in an NSS database is likely to have its own
password/PIN. This allows the password to be set per token
available in the PKI password file.

This is necessary for HSM devices where the password is necessary
to access information about the private key (e.g. presence).

This may mean that to see all certificates in a given NSS database
one will need multiple instances of the NSSDatabase class, one for
each desired token (include None for the native token).

https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
4a2c7b31 by Rob Crittenden at 2022-11-16T14:50:22-05:00
Pass the curl write callback by name instead of address

This was reported by Coverity as a potential issue. Passing
by name is the example that curl uses so switch to that to
quiet the warning.

Also change to a static function and pre-declare it to quiet a
compile-time warning.

https://pagure.io/freeipa/issue/9274

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a7b58b3c by Rob Crittenden at 2022-11-18T16:05:31-05:00
doc: Design for HSM support

Purpose is to add support for HSM installation of CA and KRA
on both initial server and replicas.

Related: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
dface55b by Florence Blanc-Renaud at 2022-11-21T14:24:17+01:00
Spec file: bump bind version on f37+

On fedora37+, require at least bind 9.18.7-1 to avoid
dnssec regression (see BZ#2117342) related to bind and
OpenSSL 3.0 engine support.

Fixes: https://pagure.io/freeipa/issue/9216

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d9ecb12d by Florence Blanc-Renaud at 2022-11-21T14:24:17+01:00
ipatests: re-enable dnssec tests

On fedora 37+ the dnssec tests were broken. The tests
launched for each pull request were disabled or marked
as xfail.
With the bump of bind version, they should now succeed
and can be re-enabled.

Related: https://pagure.io/freeipa/issue/9216

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
93548f25 by Francisco Trivino at 2022-11-21T10:41:10-05:00
Vault: fix interoperability issues with older RHEL systems

AES-128-CBC was recently enabled as the default wrapping algorithm for transport of secrets.
This change was done in favor of FIPS as crypto-policies disabled 3DES in RHEL9, but
setting AES as default ended up breaking backwards compatibility with older RHEL systems.

This commit is tuning some defaults so that interoperability with older RHEL systems
works again. The new logic reflects:

- when an old client is calling a new server, it doesn't send any value for wrapping_algo
  and the old value is used (3DES), so that the client can decrypt using 3DES.

- when a new client is calling a new server, it sends wrapping_algo = AES128_CBC

- when a new client is calling an old server, it doesn't send any value and the default is
  to use 3DES.

Finally, as this logic is able to handle overlapping wrapping algorithms between server and
client, the option "--wrapping-algo" is hidden from the "ipa vault-archive --help" and "ipa
vault-retrieve --help" commands.

Fixes: https://pagure.io/freeipa/issue/9259
Signed-off-by: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
5a23d8ec by Florence Blanc-Renaud at 2022-11-22T08:49:09+01:00
spec file: bump sssd version

Bump sssd version to 2.8.0 on fedora37+ and RHEL
to ensure the fix for SSSD #6631 is present.

No need to bump the version on fedora 36 as the issue
is not seen on versions < 37.

Fixes: https://pagure.io/freeipa/issue/9234
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
29012bb3 by Florence Blanc-Renaud at 2022-11-22T08:49:09+01:00
ipatests: remove xfail for tests using sssctl domain-status

The tests calling sssctl domain-status were marked xfail
because of SSSD issue #6331. Now that the issue is fixed
and freeipa bumped sssd required version, remove the xfail
annotation.

Related: https://pagure.io/freeipa/issue/9234
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
3d6d7e9f by Florence Blanc-Renaud at 2022-11-22T11:45:27+01:00
ipatests: update vagrant boxes

Use new versions of vagrant boxes:
ci-master-f36 0.0.8
ci-master-f37 0.0.2
ci-master-frawhide 0.8.2

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
673d2b82 by Julien Rische at 2022-11-23T20:00:17+01:00
Generate CNAMEs for TXT+URI location krb records

The IPA location system relies on DNS record priorities in order to give
higher precedence to servers from the same location. For Kerberos, this
is done by redirecting generic SRV records (e.g.
_kerberos._udp.[domain].) to location-aware records (e.g.
_kerberos._udp.[location]._locations.[domain].) using CNAMEs.

This commit applies the same logic for URI records. URI location-aware
records were created, but there was no redirection from generic URI
records. This was causing them to be ignored in practice.

Kerberos URI and TXT records have the same name: "_kerberos". However,
CNAME records cannot coexist with any other record type. To avoid this
conflict, the generic TXT realm record was replaced by location-aware
records, even if the content of these records is the same for all
locations.

Fixes: https://pagure.io/freeipa/issue/9257
Signed-off-by: Julien Rische <jrische at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
b928e5da by Antonio Torres at 2022-11-24T16:26:42+01:00
Update translations to FreeIPA master state

Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -
b39d8b93 by Antonio Torres at 2022-11-24T16:30:09+01:00
Update contributors list

Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -
35876b4e by Florence Blanc-Renaud at 2022-11-25T10:38:56+01:00
API reference: update vault doc

Update doc/api/vault_archive_internal.md and
doc/api/vault_retrieve_internal.md
after the change from commit 93548f2
(default wrapping algo is now des-ede3-cbc instead of aes-128-cbc).

Related: https://pagure.io/freeipa/issue/9259

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
04aae0ee by Florence Blanc-Renaud at 2022-11-25T10:38:56+01:00
API reference: update dnszone_add generated doc

Update doc/api/dnszone_add.md after commit c74c701
(Set 'idnssoaserial' to deprecated)

Related: https://pagure.io/freeipa/issue/9249

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e1fd9ebb by Alexander Bokovoy at 2022-11-28T10:29:03+01:00
updates: fix memberManager ACI to allow managers from a specified group

The original implementation of the member manager added support for both
user and group managers but left out the upgrade scenario. This means that
when upgrading an existing installation, a manager whose rights are defined
by group membership would not be able to add group members until the ACI is
fixed.

Remove old ACI and add a full one during upgrade step.

Fixes: https://pagure.io/freeipa/issue/9286
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
f43dab3b by Florence Blanc-Renaud at 2022-12-01T11:06:41+01:00
webui tests: fix assertion in test_subid.py

The test wants to check the error related to an
exception obtained inside a "with pytest.raises" instruction.
The object is an ExceptionInfo and offers a match method
to check the content of the string representation.
Use this match() method instead of str(excinfo) which now
returns
'<ExceptionInfo NoSuchElementException() tblen=10>'

Fixes: https://pagure.io/freeipa/issue/9282

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
bb74832f by Christian Heimes at 2022-12-01T18:05:28-05:00
ipa-certupdate: Update client certs before KDC/HTTPd restart

Apache HTTPd uses `/etc/ipa/ca.crt` to validate client certs.
`ipa-certupdate` now updates the file before it restarts HTTPd.

Fixes: https://pagure.io/freeipa/issue/9285
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ab8b1fa6 by Florence Blanc-Renaud at 2022-12-02T10:17:04+01:00
PRCI: update memory reqs for each topology

The memory requirements are defined in the vagrant templates in
https://github.com/freeipa/freeipa-pr-ci/tree/master/templates/vagrantfiles

They have been updated and the corresponding values must be
kept consistent in the topologies for PRCI.

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
0a4506ba by Antonio Torres at 2022-12-02T10:28:58+01:00
API doc: add basic user management guide

Add a basic user management guide that includes various examples of
performing common tasks related to the user module, such as adding a
user, modifying it, adding certificates for it, etc.

Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
827dc9af by Florence Blanc-Renaud at 2022-12-02T11:32:51+01:00
Spec file: ipa-client depends on krb5-pkinit-openssl

Now that ipa-client-install supports pkinit, the package
depends on krb5-pkinit-openssl.
Update the spec file, move the dependency from ipa-server
to ipa-client subpackage.

Fixes: https://pagure.io/freeipa/issue/9290

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
6f3721a8 by Florence Blanc-Renaud at 2022-12-14T11:26:17+01:00
ipatests: xfail on all fedora for test_ipa_login_with_sso_user

With the new fedora36 vagrant image, the test is also failing.
Mark xfail for all fedora versions.
Related: https://pagure.io/freeipa/issue/9264

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Scott Poore <spoore at redhat.com>

- - - - -
b0ba5208 by Sudhir Menon at 2022-12-19T08:06:52+01:00
Fixes: ipa-otpd at .service: deprecated syslog setting

This patch updates the deprecated syslog setting, i.e.
StandardError=syslog, with StandardError=journal.

Pagure: https://pagure.io/freeipa/issue/9279
Ref: https://github.com/systemd/systemd/pull/15812

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Peter Keresztes Schmidt <carbenium at outlook.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
b8947b82 by Florence Blanc-Renaud at 2022-12-19T15:38:05+01:00
ipatests: update the fake fips mode expected message

The test ipatests/test_integration/test_fips.py is faking
FIPS mode and calls "openssl md5" to ensure the algo is
not available in the fake FIPS mode.

The error message has been updated with openssl-3.0.5-5.
In the past the command used to return:
$ openssl md5 /dev/null
Error setting digest
140640350118336:error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS:crypto/evp/digest.c:147:

And now it returns:
$ openssl md5 /dev/null
Error setting digest
00C224822E7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (MD5 : 97), Properties ()
00C224822E7F0000:error:03000086:digital envelope routines:evp_md_init_internal:initialization error:crypto/evp/digest.c:252:

To be compatible with all versions, only check the common part:
Error setting digest

Mark the test as xfail since installation is currently not working.

Related: https://pagure.io/freeipa/issue/9002
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
6bd9d156 by Florence Blanc-Renaud at 2022-12-19T15:38:05+01:00
cert utilities: MAC verification is incompatible with FIPS mode

The PKCS12 MAC requires PKCS12KDF which is not an approved FIPS
algorithm and cannot be supported by the FIPS provider.
Do not require mac verification in FIPS mode: append the option
--nomacver to the command openssl pkcs12 used to extract a pem file
or a key from a p12 file.

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
17a5d5bf by Florence Blanc-Renaud at 2022-12-19T15:38:05+01:00
FIPS setup: fix typo filtering camellia encryption

The config file /var/kerberos/krb5kdc/kdc.conf is customized
during IPA server installation with a list of supported
encryption types.
In FIPS mode, camellia encryption is not supported and should
be filtered out. Because of a typo in the filtering method,
the camellia encryptions are appended while they should not.

Fix the typo (camelia vs camellia) in order to filter properly.

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
be21caba by Florence Blanc-Renaud at 2022-12-19T15:38:05+01:00
Spec file: bump krb5_kdb_version on rawhide

fedora 38 now uses krb5 1.20.1 which provides
krb5_kdb_version 9.0 instead of 8.0

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
25c00d0d by Florence Blanc-Renaud at 2022-12-20T14:54:28+01:00
ipatests: update the xfail annotation for test_number_of_zones

The test is failing on fedora 36+, update and simplify the
xfail condition.

Related: https://pagure.io/freeipa/issue/9135

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
232b5a9d by Florence Blanc-Renaud at 2023-01-10T08:30:58+01:00
azure tests: move to fedora 37

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
cad06382 by Florence Blanc-Renaud at 2023-01-10T08:30:58+01:00
pylint: remove unneeded disable=unused-private-member

pylint fixed issue https://github.com/PyCQA/pylint/issues/4756
and we no longer need to disable this check.

Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
12067297 by Florence Blanc-Renaud at 2023-01-10T08:30:58+01:00
pylint: remove useless suppression

The newer version of pylint has fixed false positives and
no longer needs these suppressions:
- global-variable-not-assigned
- invalid-sequence-index
- no-name-in-module
- not-callable
- unsupported-assignment-operation

Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
a9c1c81a by Florence Blanc-Renaud at 2023-01-10T08:30:58+01:00
pylint: disable redefined-slots-in-subclass

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
2011d1a3 by Florence Blanc-Renaud at 2023-01-10T08:30:58+01:00
pylint: disable used-before-assignment

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
d1f16120 by Florence Blanc-Renaud at 2023-01-10T08:30:58+01:00
pylint: replace deprecated distutils module

PEP 632 deprecates the distutils module. Replace
- distutils.spawn.find_executable with shutil.which
- distutils.log with logging

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
be7f0a6e by Florence Blanc-Renaud at 2023-01-10T08:30:58+01:00
pylint: disable modified-iterating-list

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
8cd9ddfd by Florence Blanc-Renaud at 2023-01-10T08:30:58+01:00
pylint: remove arguments-renamed warnings

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
d6d8319e by Florence Blanc-Renaud at 2023-01-10T08:30:58+01:00
pylint: disable using-constant-test

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
02688574 by Florence Blanc-Renaud at 2023-01-10T08:30:58+01:00
pylint: disable unnecessary-dunder-call message

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
18fd4481 by Florence Blanc-Renaud at 2023-01-10T08:30:58+01:00
pylint: globally disable unnecessary-lambda-assignment message

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
139038c5 by Florence Blanc-Renaud at 2023-01-10T08:30:58+01:00
pylint: disable missing-timeout message

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
2268ef4e by Florence Blanc-Renaud at 2023-01-10T08:30:58+01:00
pylint: fix implicit-str-concat

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
8e7e48dc by Florence Blanc-Renaud at 2023-01-10T08:30:58+01:00
pylint: fix duplicate-value

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
6518855c by Florence Blanc-Renaud at 2023-01-10T08:30:58+01:00
pylint: fix deprecated-class SafeConfigParser

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
372a5dc6 by Florence Blanc-Renaud at 2023-01-10T08:30:58+01:00
pylint: disable invalid-sequence-index

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
79153655 by Florence Blanc-Renaud at 2023-01-10T08:30:58+01:00
pylint: disable unhashable-member

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
8fad897e by Florence Blanc-Renaud at 2023-01-10T08:30:58+01:00
pylint: globally disable useless-object-inheritance

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
fdd3dd29 by Florence Blanc-Renaud at 2023-01-10T08:30:58+01:00
pylint: fix consider-iterating-dictionary

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
416c210f by Florence Blanc-Renaud at 2023-01-10T08:30:58+01:00
pylint: disable comparison-of-constants

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
a4102b99 by Florence Blanc-Renaud at 2023-01-10T08:30:58+01:00
pylint: fix comparison-of-constants

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
fa4b0540 by Florence Blanc-Renaud at 2023-01-10T08:30:58+01:00
pylint: disable deprecated-module message

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
a1a3b90c by Stanislav Levin at 2023-01-10T08:30:58+01:00
pylint: Lint in single process mode

There are several known problems with multiprocess mode.
For example, https://github.com/PyCQA/pylint/issues/3232.

In other words the lint result depends on the number of jobs.
The most correct report is expected for single process.

Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
deaec9b3 by Stanislav Levin at 2023-01-10T08:30:58+01:00
pylint: More allowed C extensions

Fixes:
```
[E0611(no-name-in-module), ] No name 'parse' in module 'lxml.etree'
[E0611(no-name-in-module), ] No name 'murmurhash3' in module 'pysss_murmur'
```

Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
ccdc94b0 by Stanislav Levin at 2023-01-10T08:30:58+01:00
pylint: Replace deprecated extension-pkg-whitelist

`extension-pkg-whitelist` is deprecated in favour of
`extension-pkg-allow-list` since Pylint 2.7.3:
https://pylint.pycqa.org/en/latest/whatsnew/2/2.7/full.html#what-s-new-in-pylint-2-7-3

Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
4352bd5a by Stanislav Levin at 2023-01-10T08:30:58+01:00
pylint: Fix cyclic-import

Most of the `cyclic-import` issues reported by Pylint are false positives
and are already handled in the code, but several of them are
actual errors.

Fixes: https://pagure.io/freeipa/issue/9232
Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
a8dd0709 by Stanislav Levin at 2023-01-10T08:30:58+01:00
pylint: Replace deprecated pipes

The `pipes` module is deprecated as of Python 3.11.
https://docs.python.org/3/library/pipes.html#module-pipes:
> Deprecated since version 3.11, will be removed in version 3.13: The
  pipes module is deprecated (see PEP 594 for details).

IPA code used only the `quote` function from `pipes`, which in turn is
an alias for `shlex.quote` since Python 3.3:
https://github.com/python/cpython/commit/9bce311ea4f58ec04cab356a748e173ecfea381c

Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
0e033152 by Stanislav Levin at 2023-01-10T08:30:58+01:00
pylint: Fix used-before-assignment

> Emitted when a local variable is accessed before its assignment took
place. Assignments in try blocks are assumed not to have occurred when
evaluating associated except/finally blocks. Assignments in except
blocks are assumed not to have occurred when evaluating statements
outside the block, except when the associated try block contains a
return statement.

Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
24db4dc8 by Stanislav Levin at 2023-01-10T08:30:58+01:00
pylint: Fix modified-iterating-list

https://pylint.pycqa.org/en/latest/user_guide/messages/warning/modified-iterating-list.html:
> Emitted when items are added or removed to a list being iterated
through. Doing so can result in unexpected behaviour, that is why it is
preferred to use a copy of the list.

https://docs.python.org/3/tutorial/controlflow.html#for-statements:
> Code that modifies a collection while iterating over that same
collection can be tricky to get right. Instead, it is usually more
straight-forward to loop over a copy of the collection or to create a
new collection

Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
bf3083c3 by Stanislav Levin at 2023-01-10T08:30:58+01:00
pylint: Fix unnecessary-lambda-assignment

https://pylint.pycqa.org/en/latest/user_guide/messages/convention/unnecessary-lambda-assignment.html:
> Used when a lambda expression is assigned to variable rather than
defining a standard function with the "def" keyword.

https://peps.python.org/pep-0008/#programming-recommendations:
> Always use a def statement instead of an assignment statement that
binds a lambda expression directly to an identifier:
def f(x): return 2*x
f = lambda x: 2*x
The first form means that the name of the resulting function object is
specifically ‘f’ instead of the generic ‘<lambda>’. This is more useful
for tracebacks and string representations in general. The use of the
assignment statement eliminates the sole benefit a lambda expression can
offer over an explicit def statement (i.e. that it can be embedded
inside a larger expression)

Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
c523e858 by Stanislav Levin at 2023-01-10T08:30:58+01:00
pylint: Fix unhashable-member

https://pylint.pycqa.org/en/latest/user_guide/messages/error/unhashable-member.html:
> Emitted when a dict key or set member is not hashable (i.e. doesn't
define __hash__ method).

https://docs.python.org/3/library/stdtypes.html#dict.update:
> Update the dictionary with the key/value pairs from other, overwriting
existing keys. Return None.
update() accepts either another dictionary object or an iterable of
key/value pairs (as tuples or other iterables of length two). If keyword
arguments are specified, the dictionary is then updated with those
key/value pairs: d.update(red=1, blue=2).

Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
b8480549 by Stanislav Levin at 2023-01-10T08:30:58+01:00
pylint: Fix useless-object-inheritance

https://pylint.pycqa.org/en/latest/user_guide/messages/refactor/useless-object-inheritance.html:
> Used when a class inherit from object, which under python3 is
implicit, hence can be safely removed from bases.

Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
691b5d21 by Stanislav Levin at 2023-01-10T08:30:58+01:00
pylint: Replace deprecated cgi module

https://docs.python.org/3/library/cgi.html#module-cgi:
> Deprecated since version 3.11, will be removed in version 3.13: The
cgi module is deprecated (see PEP 594 for details and alternatives).

Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
5419864c by Florence Blanc-Renaud at 2023-01-11T09:13:48+01:00
ipatests: mark test_smb as xfail

Mark the test test_smb.py::TestSMB::test_smb_service_s4u2self as xfail.

Related: https://pagure.io/freeipa/issue/9124
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
97330785 by Florence Blanc-Renaud at 2023-01-13T18:06:21-05:00
server install: remove error log about missing bkup file

The client installer code can be called in 3 different ways:
- from ipa-client-install CLI
- from ipa-replica-install CLI if the client is not already installed
- from ipa-server-install

In the last case, the client installer is called with
options.on_master=True
As a result, it's skipping the part that is creating the krb5
configuration:
    if not options.on_master:
        nolog = tuple()
        configure_krb5_conf(...)

The configure_krb5_conf method is the place where the krb5.conf file is
backed up with the extension ".ipabkp". For a master installation, this
code is not called and the ipabkp file does not exist => delete raises
an error.

When delete fails because the file does not exist, no need to log an
error message.

Fixes: https://pagure.io/freeipa/issue/9306
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
36cba23f by Florence Blanc-Renaud at 2023-01-17T08:21:56+01:00
Tests: force key type in ACME tests

PKI can issue ACME certs only when the key type is rsa.

With version 2.0.0, certbot defaults to ecdsa key type,
and this causes test failures.
For now, force rsa when requesting an ACME certificate.
This change can be reverted when PKI fixes the issue
on their side (https://github.com/dogtagpki/pki/issues/4273)

Related: https://pagure.io/freeipa/issue/9298
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ad052184 by Florence Blanc-Renaud at 2023-01-17T15:51:25+01:00
Installer: create RID base before domain object

The installer is currently creating the samba domain object
before it adds the RID base and secondary RID base. As a consequence,
there is a window during which the sidgen plugin is active but
unable to generate SIDs (it requires the samba domain object to
find the domain SID and RID base to know where to start from).
There is no direct impact except the error log of 389ds that reports
ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.

This fix configures the RID base and secondary RID base before the
domain object is created, thus removing this window.

Fixes: https://pagure.io/freeipa/issue/9309
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1611d545 by Filip Dvorak at 2023-01-19T16:15:11+01:00
ipa tests: Add LANG before kinit command to fix issue with locale settings

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
4eba0481 by Lenz Grimmer at 2023-01-22T11:39:12+01:00
doc: Fix incorrect URL format

Replaced URL in Markdown Format with the proper reStructuredText markup
in file doc/workshop/12-external-idp-support.rst

Signed-off-by: Lenz Grimmer <lenz.grimmer at percona.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f44bde9e by Antonio Torres at 2023-01-24T09:54:54+01:00
API doc: validate generated reference

Extend 'makeapi --validate' to validate API Reference files too. If
differences are found between the generated and stored docs the
validation fails. This command is executed in our Azure pipelines, so
every time a developer opens a PR but forgets to update the API
Reference, the CI will fail.

Fixes: https://pagure.io/freeipa/issue/9287
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
6ab93f8b by Florence Blanc-Renaud at 2023-01-24T16:50:31+01:00
Spec file: unify with RHEL9 spec

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
295b4e23 by Florence Blanc-Renaud at 2023-01-24T16:50:31+01:00
Spec file: use %autosetup instead of %setup

This change fixes rpminspect issues reported when building
for RHEL, like the following one:

Patch number 1001 (1001-Change-branding-to-IPA-and-Identity-Management.patch)
is missing a corresponding %patch1001 macro, usually in %prep.

Waiver Authorization: Anyone

Suggested Remedy:
The named patch is defined in the source RPM header (this means it has a
PatchN: definition in the spec file) but is not applied anywhere in the
spec file.  It is missing a corresponding %patch macro and the spec file
lacks the %autosetup or %autopatch macros.  You can fix this by adding
the appropriate %patch macro in the spec file (usually in the %prep
section).  The number specified with the %patch macro corresponds to the
number used to define the patch at the top of the spec file.  So Patch47
is applied with a %patch47 macro.

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
07975b52 by Florence Blanc-Renaud at 2023-01-25T15:23:29+01:00
trust-add: handle missing msSFU30MaxGidNumber

When ipa trust-add is executed with --range-type ad-trust-posix,
the server tries to find the max uidnumber and max gidnumber
from AD domain controller.
The values are extracted from the entry
CN=<domain>,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,<AD suffix>
in the msSFU30MaxUidNumber and msSFU30MaxGidNumber attributes.

msSFU30MaxUidNumber is required but not msSFU30MaxGidNumber.
In case msSFU30MaxGidNumber is missing, the code is currently assigning
a "None" value and later on evaluates the max between this value and
msSFU30MaxUidNumber. The max function cannot compare None and a list
of strings and triggers an exception.

To avoid the exception, assign [b'0'] to max gid if msSFU30MaxGidNumber
is missing. This way, the comparison succeeds and max returns the
value from msSFU30MaxUidNumber.

Fixes: https://pagure.io/freeipa/issue/9310
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
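
As an added illustration of the failure this commit describes (example code, not FreeIPA's own trust-add implementation): the two entries below are constructed stand-ins for the AD ypServ30 entry, shaped like python-ldap results, and carry only the msSFU30 attributes named above.

```python
# Constructed sample entries shaped like python-ldap results: every attribute
# value is a list of bytes.  Only the two msSFU30 attributes are modelled.
ENTRY_WITH_GID = {
    "msSFU30MaxUidNumber": [b"10005"],
    "msSFU30MaxGidNumber": [b"10012"],
}
ENTRY_WITHOUT_GID = {
    "msSFU30MaxUidNumber": [b"10005"],   # msSFU30MaxGidNumber is optional in AD
}


def max_id_before_fix(entry):
    """Pre-fix logic: the optional attribute defaults to None and max()
    then has to order None against a list, which Python 3 refuses."""
    max_uid = entry.get("msSFU30MaxUidNumber")
    max_gid = entry.get("msSFU30MaxGidNumber")     # None when the attribute is absent
    return max(max_uid, max_gid)                   # TypeError if max_gid is None


def max_id_after_fix(entry):
    """Post-fix logic from the commit: default the missing attribute to
    [b'0'] so both operands are lists and max() returns the UID value."""
    max_uid = entry["msSFU30MaxUidNumber"]         # required, so a KeyError here is genuine
    max_gid = entry.get("msSFU30MaxGidNumber", [b"0"])
    return max(max_uid, max_gid)


def before_fix_raises(entry):
    """Report whether the pre-fix code path raises the TypeError the
    commit describes for the given entry."""
    try:
        max_id_before_fix(entry)
    except TypeError:
        return True
    return False
```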

- - - - -
5d9f5903 by Rob Crittenden at 2023-01-26T17:31:26-05:00
doc: Design for certificate pruning

This describes how the certificate pruning capability of PKI
introduced in v11.3.0 will be integrated into IPA, primarily for
ACME.

Related: https://pagure.io/freeipa/issue/9294

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
203b7d1c by Stanislav Levin at 2023-01-30T15:26:24-05:00
ipatests: healthcheck: Handle missing fips-mode-setup

freeipa-healthcheck prechecks existence of `fips-mode-setup` and
reports if it's missing:
> "fips": "missing /bin/fips-mode-setup"

Fixes: https://pagure.io/freeipa/issue/9315
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a5c99a6b by Stanislav Levin at 2023-01-31T09:57:24-05:00
spec: Drop no longer used build dependency on paste

With ff6e701b0077d9c8e2aacdcaecf70f885018db92 it was replaced
with `werkzeug`.

https://pypi.org/project/Paste/
> Paste is in maintenance mode and recently moved from bitbucket to
  github. Patches are accepted to keep it on life support, but for the
  most part, please consider using other options.

Fixes: https://pagure.io/freeipa/issue/9314
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
bf9797f2 by Rob Crittenden at 2023-02-01T11:00:57+01:00
tests: Add ipa_ca_name checking to DNS system records

freeipa-healthcheck 0.12 includes a SUCCESS message if the
ipa-ca records are as expected so a user will know they
were checked. For that version and beyond test that it
is included.

Related: https://pagure.io/freeipa/issue/9291

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
6897ad99 by Rob Crittenden at 2023-02-01T11:00:57+01:00
tests: Add new ipa-ca error messages to IPADNSSystemRecordsCheck

freeipa-healthcheck changed some messages related to ipa-ca
DNS record validation in IPADNSSystemRecordsCheck. Include support
for it and retain backwards compatibility.

Fixes: https://pagure.io/freeipa/issue/9291

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
2996cc8e by Stanislav Levin at 2023-02-01T17:49:43+01:00
tests: Configure DNSResolver as platform agnostic resolver

Avoid reading platform specific `/etc/resolv.conf` in `TestDNSResolver`
unit tests. Systems (e.g. sandboxes) may not have `/etc/resolv.conf`
or this file may not contain any configured name servers.

`TestDNSResolver` unit tests check only customized `nameservers`
property and should not depend on existence of `/etc/resolv.conf`.

Resolver accepts `configure` option.
https://dnspython.readthedocs.io/en/latest/resolver-class.html :
> configure, a bool. If True (the default), the resolver instance is
  configured in the normal fashion for the operating system the resolver
  is running on. (I.e. by reading a /etc/resolv.conf file on POSIX
  systems and from the registry on Windows systems.)

Fixes: https://pagure.io/freeipa/issue/9319
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
5154f8e6 by Florence Blanc-Renaud at 2023-02-02T07:33:36+01:00
automember-rebuild: add a notice about high CPU usage

The automember-rebuild task may require high CPU usage
if many users/hosts/groups are processed.
Add a note in the ipa automember-rebuild CLI output
and in the WebUI confirmation message.

Fixes: https://pagure.io/freeipa/issue/9320
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
78298fd4 by Rob Crittenden at 2023-02-02T07:36:16+01:00
ipa-acme-manage: add certificate/request pruning management

Configures PKI to remove expired certificates and non-resolved
requests on a schedule.

This is geared towards ACME which can generate a lot of certificates
over a short period of time but is general purpose. It lives in
ipa-acme-manage because that is the primary reason for including it.

Random Serial Numbers v3 must be enabled for this to work.

Enabling pruning enables the job scheduler within CS and sets the
job user as the IPA RA user which has full rights to certificates
and requests.

Disabling pruning does not disable the job scheduler because the
tool is stateless. Having the scheduler enabled should not be a
problem.

A restart of PKI is required to apply any changes. This tool forks
out to pki-server which does direct writes to CS.cfg. It might
be easier to use our own tooling for this but this makes the
integration tighter so we pick up any improvements in PKI.

The "cron" setting is quite limited, taking only integer values
and *. It does not accept ranges, either - or /.

No error checking is done in PKI when setting a value, only when
attempting to use it, so some rudimentary validation is done.

Fixes: https://pagure.io/freeipa/issue/9294

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
7d1d91fc by Rob Crittenden at 2023-02-02T07:36:16+01:00
doc: add the --run command for manual job execution

A manual method was mentioned with no specificity. Include
the --run command. Also update the troubleshooting section
to show what failure to restart the CA after configuration
looks like.

Import the IPA CA chain for manual execution.

Also fix up some $ -> # to indicate root is needed.

Related: https://pagure.io/freeipa/issue/9294

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
07927b21 by David Pascual at 2023-02-03T08:29:46-05:00
ipatests: fix (prci_checker) duplicated check & error return code

Fix 1: timeout field was being checked twice and did not return fail code on error

Fix 2: Tool did not return error code on single file check unsuccessful run

Signed-off-by: David Pascual <davherna at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
414b5fe3 by Rob Crittenden at 2023-02-04T17:10:51+01:00
tests: add wrapper around ACME RSNv3 test

This test is located outside of the TestACMEPrune because
it enables RSNv3 while the server installed by TestACME doesn't.

It still needs a wrapper to enforce a version of PKI that
supports pruning because that is checked first in the tool.
Re-ordering that wouldn't be a good user experience.

https://pagure.io/freeipa/issue/9322

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
53f7a44c by Antonio Torres at 2023-02-07T13:37:20-05:00
API doc: add note about ipa show-mappings to usage guide

As discussed in PR #6664, `ipa show-mappings` can be used as a handy way to list
command arguments and options directly through the CLI.

Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a2667b24 by Antonio Torres at 2023-02-08T14:20:38-05:00
API doc: add usage guides for groups, HBAC and sudo rules

Include guides with examples for groups, HBAC and sudo rules management.
These cover most of available commands related to these topics.

Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
614d3bd9 by Chris Kelley at 2023-02-09T10:22:07-05:00
Check that CADogtagCertsConfigCheck can handle cert renewal

Renewal causes two certs to have the same nickname. Dogtag is
patched to allow for N certs with the same nickname, and this test
is to verify that CADogtagCertsConfigCheck still passes.

Related: https://github.com/dogtagpki/pki/pull/4285
Signed-off-by: Chris Kelley <ckelley at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
724c8314 by Rob Crittenden at 2023-02-09T13:28:23-05:00
Fix setting values of 0 in ACME pruning

Replace comparisons of "if value" with "if value is not None"
in order to handle 0.

Add a short reference to the man page to indicate that a cert
or request retention time of 0 means remove at the next
execution.

Also indicate that the search time limit is in seconds.

Fixes: https://pagure.io/freeipa/issue/9325

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
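
An added example (not ipa-acme-manage's own code) modelling the two checks discussed in commits 78298fd4 and 724c8314 and the out-of-range minute from e76b219c: a cron field is accepted only as `*` or a plain integer, and a retention time of 0 survives only when tested with `is not None`. The per-field ranges and the settings dictionary keys are assumptions for the example; PKI's own limits and CS.cfg names are not on the page.

```python
import re

# Allowed inclusive range for each of the five cron fields, in order.
# Standard cron ranges are assumed here; PKI's own limits are not modelled.
CRON_FIELDS = (
    ("minute", 0, 59),
    ("hour", 0, 23),
    ("day_of_month", 1, 31),
    ("month", 1, 12),
    ("day_of_week", 0, 6),
)


def validate_cron(spec):
    """Return the five normalised fields or raise ValueError.

    Mirrors the rudimentary client-side check the commit describes: PKI
    does not validate the value when it is set, only when the job runs,
    so a bad value would otherwise surface only at the next schedule.
    """
    fields = spec.split()
    if len(fields) != len(CRON_FIELDS):
        raise ValueError("expected %d cron fields, got %d"
                         % (len(CRON_FIELDS), len(fields)))
    normalised = []
    for value, (name, low, high) in zip(fields, CRON_FIELDS):
        if value == "*":
            normalised.append(value)
            continue
        # Ranges (1-5), steps (*/5) and lists are not understood by the
        # scheduler, so anything that is not a bare integer is rejected.
        if not re.fullmatch(r"[0-9]+", value):
            raise ValueError("%s: only '*' or an integer is accepted, got %r"
                             % (name, value))
        number = int(value)
        if not low <= number <= high:
            raise ValueError("%s: %d is outside %d..%d"
                             % (name, number, low, high))
        normalised.append(str(number))
    return normalised


def cron_is_valid(spec):
    """Boolean wrapper around validate_cron for callers that only need a verdict."""
    try:
        validate_cron(spec)
    except ValueError:
        return False
    return True


def collect_settings_before_fix(cert_retention=None, request_retention=None):
    """Pre-fix logic: a truthiness test silently drops a retention of 0,
    which is a legitimate value meaning 'remove at the next execution'."""
    settings = {}
    if cert_retention:
        settings["cert_retention_time"] = cert_retention      # constructed key
    if request_retention:
        settings["request_retention_time"] = request_retention
    return settings


def collect_settings_after_fix(cert_retention=None, request_retention=None):
    """Post-fix logic: only an unset option is skipped; 0 is kept."""
    settings = {}
    if cert_retention is not None:
        settings["cert_retention_time"] = cert_retention
    if request_retention is not None:
        settings["request_retention_time"] = request_retention
    return settings
```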

- - - - -
c38546d0 by Rob Crittenden at 2023-02-09T14:24:14-05:00
Wipe the ipa-ca DNS record when updating system records

If a server with a CA has been marked as hidden and
contains the last A or AAAA address then that address
would remain in the ipa-ca entry.

This is because update-dns-system-records did not delete
values, it just re-computed them. So if no A or AAAA
records were found then the existing value was left.

Fixes: https://pagure.io/freeipa/issue/9195

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
0c32ebf8 by Alexander Bokovoy at 2023-02-09T14:29:38-05:00
ipa-kdb: PAC consistency checker needs to handle child domains as well

When PAC check is performed, we might get a signing TGT instead of the
client DB entry. This means it is a principal from a trusted domain but
we don't know which one exactly because we only have a krbtgt for the
forest root. This happens in MIT Kerberos 1.20 or later where KDB's
issue_pac() callback never gets the original client principal directly.

Look into known child domains as well and make the check pass if both
NetBIOS name and SID correspond to one of the trusted domains under this
forest root. Move check for the SID before NetBIOS name check because we
can use SID of the domain in PAC to find out the right child domain in
our trusted domains' topology list.

Fixes: https://pagure.io/freeipa/issue/9316

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
0b762d2b by Anuja More at 2023-02-09T14:29:38-05:00
Add test for SSH with GSSAPI auth.

Added test for aduser with GSSAPI authentication.

Related : https://pagure.io/freeipa/issue/9316

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
828f6e7c by Mohammad Rizwan at 2023-02-13T14:30:05-05:00
ipatests: tests for certificate pruning

1. Test to prune the expired certificate by manual run
2. Test to prune expired certificate by cron job
3. Test to prune expired certificate with retention unit option
4. Test to prune expired certificate with search size limit option
5. Test to check config-show command shows set param
6. Test prune command shows proper status after disabling the pruning

related: https://pagure.io/freeipa/issue/9294

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
8d925464 by Anuja More at 2023-02-15T08:26:44+01:00
PRCI: update test_trust.py for nightly pipelines.

test_integration/test_trust.py is divided into two parts.
1: class TestTrust
2: class TestNonPosixAutoPrivateGroup, class TestPosixAutoPrivateGroup

Fixes: https://pagure.io/freeipa/issue/9326

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
5c35405e by Stanislav Levin at 2023-02-17T09:44:53+01:00
tests: webui: Allow file access from files in tests

https://peter.sh/experiments/chromium-command-line-switches/#allow-file-access-from-files
> By default, file:// URIs cannot read other file:// URIs. This is an
  override for developers who need the old behavior for testing.

Fixes webui tests on CI:
```
Testing test/all_tests.html
Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user's experience. For more help, check https://xhr.spec.whatwg.org/.
Access to XMLHttpRequest at 'file:///__w/freeipa/freeipa/install/ui/test/qunit.js' from origin 'null' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-untrusted, https.
Failed to load resource: net::ERR_FAILED
Access to XMLHttpRequest at 'file:///__w/freeipa/freeipa/install/ui/test/data/i18n_messages.json' from origin 'null' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-untrusted, https.
Failed to load resource: net::ERR_FAILED
>> Error: Error: Couldn't receive translations
```

Related: https://pagure.io/freeipa/issue/9329
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
a7e13f97 by Stanislav Levin at 2023-02-17T09:44:53+01:00
tests: webui: Load qunit only once

webui unit tests fail with grunt-contrib-qunit:
```
Testing test/all_tests.html

>> Error: Error: QUnit has already been defined.
>>     at exportQUnit (file:///home/test/freeipa/install/ui/js/qunit.js:2475:12)
>>     at file:///home/test/freeipa/install/ui/js/qunit.js:2946:3
>>     at file:///home/test/freeipa/install/ui/js/qunit.js:5061:2

>> Error: TypeError: Cannot set properties of undefined (setting 'reorder')
>>     at <anonymous>:175:24
>>     at runFactory (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:17157)
>>     at execModule (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:19541)
>>     at file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:20002
>>     at guardCheckComplete (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:19707)
>>     at checkComplete (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:19854)
>>     at onLoadCallback (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:22296)
>>     at HTMLScriptElement.onLoad (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:26209)
```

Load `qunit` with `dojo.require` that among other useful things helps
> Preventing loading Dojo packages twice.
  dojo.require will simply return if the package is already loaded.

See also https://github.com/gruntjs/grunt-contrib-qunit#loading-qunit-with-amd

Related: https://pagure.io/freeipa/issue/9329
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
8d634d8a by Stanislav Levin at 2023-02-17T09:44:53+01:00
AP: webui: List installed nodejs packages

It's helpful for debugging regressions.

Related: https://pagure.io/freeipa/issue/9329
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
64fa6b72 by Stanislav Levin at 2023-02-17T09:44:53+01:00
tests: webui: Update vendored qunit

Updated qunit to latest supported version from
https://code.jquery.com/qunit.

See https://qunitjs.com/intro/#release-channels for details.

Related: https://pagure.io/freeipa/issue/9329
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
b0636c54 by David Pascual at 2023-02-18T09:02:27+01:00
doc: Use case examples for PR-CI checker tool

This document showcases common use cases for the user to
interact with the PR-CI checker tool.

Signed-off-by: David Pascual <davherna at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
6a809ff5 by mbhalodi at 2023-02-18T09:04:20+01:00
ipatests: ensure that ipa automember-rebuild prints a warning

ipa automember-rebuild now prints a warning about CPU usage.
Ensure that the warning is properly displayed.

Related: https://pagure.io/freeipa/issue/9320

Signed-off-by: mbhalodi <mbhalodi at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
50d40b5a by Rob Crittenden at 2023-02-20T10:43:17+01:00
doc: Update pruning design with implement enable/disable options

Instead of passing TRUE/FALSE to a single --enable option
use two flags instead, which IMHO is clearer.

So --enable=TRUE to --enable and --enable=FALSE to --disable

Fixes: https://pagure.io/freeipa/issue/9323

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
e76b219c by Mohammad Rizwan at 2023-02-21T15:19:02+01:00
ipatests: fix tests in TestACMEPrune

When cron_minute + 5 > 59, the cron job throws an error for it,
i.e. 58 + 5 = 63, which is not an acceptable value for the cron minute.

Second fix is related to mismatch of config setting and corresponding
assert.

Third fix is related to extending time by 60 minutes to properly
expire the certs.

related: https://pagure.io/freeipa/issue/9294

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
14a3d85a by mbhalodi at 2023-02-22T09:16:30+01:00
ipatests: WebUI - ensure that ipa automember-rebuild prints a warning

ipa automember-rebuild now prints a warning about CPU usage
in the WebUI. Ensure that the warning is properly displayed.

Related: https://pagure.io/freeipa/issue/9320

Signed-off-by: mbhalodi <mbhalodi at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
9ee16e8a by Florence Blanc-Renaud at 2023-02-22T15:47:26+01:00
ipatests: increase timeout for test_acme

The test test_integration/test_acme.py times out frequently
and has a current timeout set to 2h, which is roughly
the average time for a successful run.

Increase by 15 minutes, so that even the tests requiring
packages update have enough time (for instance rawhide
run needs to update all the packages to the latest version).

Also create a separate job for the new test TestACMEPrune.

Fixes: https://pagure.io/freeipa/issue/9324

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
074c2f54 by Christian Heimes at 2023-02-28T17:23:02-05:00
Don't block when kinit_pkinit() fails

Installation of ipa-client with PKINIT authentication can block when
there is a problem with PKINIT, e.g. KDC does not accept the cert or the
anchor chain is incomplete. `kinit` falls back to password
authentication and asks the user to enter a password.

`kinit` does not have an option to force non-interactive mode. Sending
`\n` to stdin seems to be the only solution here.

Fixes: https://pagure.io/freeipa/issue/9333
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
02b0e46b by Rafael Guterres Jeffman at 2023-03-02T05:03:41+01:00
Migrated to SPDX license.

According to [1] all Fedora packages need to be updated to use a SPDX
expression. This patch updates the freeipa spec template to comply with
this change.

[1] https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_1

Fixes: https://pagure.io/freeipa/issue/9342

Signed-off-by: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
14205991 by Stanislav Levin at 2023-03-02T10:06:04-05:00
dns: Fix support for dnspython 1.1x

`nameservers` was transformed into a property in dnspython 2:
https://github.com/rthalley/dnspython/commit/bbf0cfd239ffa6deeb67a4787bd292e9a972af74

This causes
> AttributeError: type object 'Resolver' has no attribute 'nameservers'
on the previous dnspython 1.1x.

Fixes: https://pagure.io/freeipa/issue/9339
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
16b39771 by Carla Martinez at 2023-03-02T15:25:44-05:00
Update 'Auth indicators' doc string

The doc string located in the 'Authentication
indicators' ('Services' settings page) was
missing the usage explanation for the 'ipd'
checkbox option.

Fixes: https://pagure.io/freeipa/issue/9338
Signed-off-by: Carla Martinez <carlmart at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
2aeb963f by Thorsten Scherf at 2023-03-03T05:08:02+01:00
external-idp: change idp server name to reference name

When you run "ipa idp-show <idp reference>" the IdP reference is shown
as "Identity Provider server name". This is confusing as we are pointing
to the earlier created IdP reference rather than a server.  Other files
are updated as well to reflect this change.

Additionally some typos are fixed with this patch too.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
5dba2aa4 by Florence Blanc-Renaud at 2023-03-14T09:39:17+01:00
ipatests: adapt for new automembership fixup behavior

The automembership fixup task now needs to be called
with --cleanup argument when the user expects automember
to remove user/hosts from automember groups.
Update the test to create a cleanup task equivalent to
dsconf plugin automember fixup --cleanup
when it is needed.

Fixes: https://pagure.io/freeipa/issue/9313
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
35c36f9b by Anuja More at 2023-03-14T13:49:09+01:00
ipatests: Test ipa-advise is not failing with error.

The ipa-advise command should not fail
with error in command.

Related: https://pagure.io/freeipa/issue/6044

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Sudhir Menon <sumenon at redhat.com>

- - - - -
4acd9fe9 by Erik Belko at 2023-03-15T09:45:08+01:00
ipatests: Test MemberManager ACI to allow managers from a specified group after upgrade scenario

Testing if a manager whose rights are defined by the group membership
is able to add group members after an upgrade of the IPA server.
Using ACI modification to demonstrate the inability before upgrading
the IPA server.
Related: https://pagure.io/freeipa/issue/9286

Also added some generally helpful functions to tasks.py

Signed-off-by: Erik Belko <ebelko at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
779aa6bc by Alexander Bokovoy at 2023-03-21T16:54:28+01:00
Don't fail if optional RPM macros file is missing

With fix for https://pagure.io/freeipa/issue/7951 we started to modify
RPM macros in Azure CI environment. Don't fail if the file does not
exist anymore, as happens now in Fedora.

Fixes: https://pagure.io/freeipa/issue/9347

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
ebac8f6f by Alexander Bokovoy at 2023-03-21T16:54:28+01:00
Use system-wide chromium for webui tests

Fixes: https://pagure.io/freeipa/issue/9347

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
3f9d9b26 by Alexander Bokovoy at 2023-03-21T16:54:28+01:00
Fix tox in Azure CI

Fixes: https://pagure.io/freeipa/issue/9347

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
1cca6098 by Anuja More at 2023-03-22T16:52:49+01:00
ipatests: Test that non admin user can search hbac rule.

Related : https://pagure.io/freeipa/issue/5130

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
05279ef4 by Antonio Torres at 2023-03-23T10:12:44+01:00
ipaserver: deepcopy objectclasses list from IPA config

We need to deepcopy the list of default objectclasses from IPA config
before assigning it to an entry, in order to avoid further modifications of the
entry affecting the cached IPA config.

Fixes: https://pagure.io/freeipa/issue/9349
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
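
An added example (not FreeIPA's own group plugin code) modelling the aliasing bug this commit fixes: a cached config list assigned to an entry by reference means edits made for one entry leak into every later one in the same server process. The attribute name ipagroupobjectclasses is IPA's; the class list, the simplified group_add and the schema check are constructed for the example.

```python
import copy


def make_cached_config():
    """Constructed stand-in for the IPA config entry, loaded once per
    server process and expected to stay unchanged afterwards."""
    return {"ipagroupobjectclasses": ["top", "groupofnames", "nestedgroup",
                                      "ipausergroup", "ipaobject"]}


def group_add(config, name, nonposix, use_deepcopy):
    """Simplified model of building a group entry from the default classes.

    With use_deepcopy=False the entry holds the cached list itself, so the
    append below mutates the config; with use_deepcopy=True (the fix) the
    entry gets its own copy.
    """
    if use_deepcopy:
        classes = copy.deepcopy(config["ipagroupobjectclasses"])
    else:
        classes = config["ipagroupobjectclasses"]       # alias, not a copy
    entry = {"cn": name, "objectclass": classes}
    if not nonposix:
        # posixGroup requires a gidNumber; a constructed value is used here.
        entry["objectclass"].append("posixgroup")
        entry["gidnumber"] = 1000
    return entry


def missing_must_attributes(entry):
    """Emulates the server-side schema check: posixGroup MUST gidNumber.
    Returns the list of required attributes the entry lacks."""
    missing = []
    if "posixgroup" in entry["objectclass"] and "gidnumber" not in entry:
        missing.append("gidnumber")
    return missing


def run_sequence(use_deepcopy):
    """Add a posix group and then a non-posix group within one process.

    Returns (cached default classes afterwards, missing MUST attributes of
    the second entry).  Without deepcopy the second entry inherits the
    'posixgroup' class appended for the first and fails the schema check.
    """
    config = make_cached_config()
    group_add(config, "devs", nonposix=False, use_deepcopy=use_deepcopy)
    second = group_add(config, "auditors", nonposix=True,
                       use_deepcopy=use_deepcopy)
    return config["ipagroupobjectclasses"], missing_must_attributes(second)
```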

- - - - -
07fe8775 by Florence Blanc-Renaud at 2023-03-24T09:28:43+01:00
ipatests: increase timeout for test_trust

The timeout for test_trust is too short (6000s) and
the nightly tests often fail. Increase to 7200s.

Fixes: https://pagure.io/freeipa/issue/9326

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>

- - - - -
d32c640d by Stanislav Levin at 2023-03-24T11:49:23+01:00
fastlint: Correct concatenation of file lists

`printf` ignores excessive arguments unused in formatting.
This resulted in only the first file from two file lists being
linted/stylechecked if both Python template files and Python
modules were changed.

Make use of formatting instead:
> The format is reused as necessary to consume all of the arguments

Fixes: https://pagure.io/freeipa/issue/9318
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
3721bca6 by Alexander Bokovoy at 2023-03-29T10:45:07+02:00
ipalib/x509: Implement abstract method Certificate.verify_directly_issued_by

Added in Python Cryptography 40.0
Thanks to @tiran for the code

Fixes: https://pagure.io/freeipa/issue/9355

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
c553e3ce by Antonio Torres at 2023-03-29T10:53:25+02:00
doc: allow notes on Param API Reference pages

The notes that Param pages will contain after #6733 are added manually,
and because of it we need to add markers to differentiate between
automated and manual content, equal to what we do for class pages.

Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a59f6e00 by Jarl Gullberg at 2023-04-03T16:58:27-04:00
install: Fix missing dyndb keytab directive

bind-dyndb-ldap uses the krb5_keytab directive to set the path to
the keytab to use. This directive was not being used in the
configuration template, resulting in a failure to start named if
the keytab path differed from the defaults.

This issue was discovered when packaging FreeIPA for Debian,
which is one of the platforms where the path is customized.

Signed-off-by: Jarl Gullberg <jarl.gullberg at gmail.com>
Fixes: https://pagure.io/freeipa/issue/9344
Reviewed-By: Timo Aaltonen <tjaalton at ubuntu.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
5a0eed0b by Jarl Gullberg at 2023-04-04T09:35:49-04:00
ipaplatform/debian: fix path to ldap.so

bind-dyndb-ldap on Debian installs ldap.so in a subdirectory of
/usr/lib to prevent unintentional usage of an unversioned .so.
The default settings for FreeIPA on Debian used an incomplete
path, resulting in a failure to find ldap.so when bind attempts to
start with bind-dyndb-ldap configured.

This fixes the default path to use the appropriate location in its
multiarch-qualified path.

Signed-off-by: Jarl Gullberg <jarl.gullberg at gmail.com>
Reviewed-By: Timo Aaltonen <tjaalton at ubuntu.com>

- - - - -
4119e4e7 by mbhalodi at 2023-04-04T16:11:32+02:00
ipatests: add missing automember-cli tests

Revisit the bash tests and port the valid
tests to upstream.

Related: https://pagure.io/freeipa/issue/9332

Signed-off-by: mbhalodi <mbhalodi at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
68c113f0 by Alexander Bokovoy at 2023-04-05T14:55:22-04:00
Ignore empty modification error in case cifs/.. principal already added

Constrained delegation target may already be configured by default.

Related: https://pagure.io/freeipa/issue/9354

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
9b777390 by Alexander Bokovoy at 2023-04-05T14:55:22-04:00
test_xmlrpc: adapt to automember plugin message changes in 389-ds

Another change in automember plugin messaging that breaks FreeIPA tests.
Use common substring to match.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
adc9609f by Alexander Bokovoy at 2023-04-05T14:55:22-04:00
ipa-kdb: search S4U2Proxy ACLs in cn=s4u2proxy,cn=etc,$BASEDN subtree only

Confine search for S4U2Proxy access control lists to the subtree where
they are created. This will allow using a similar method to describe RBCD
access controls.

Related: https://pagure.io/freeipa/issue/5444

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
b035ac8e by Alexander Bokovoy at 2023-04-05T14:55:22-04:00
doc: add design document for Kerberos constrained delegation

FreeIPA Kerberos implementation already supports delegation of
credentials, both unconstrained and constrained. Constrained delegation
is an extension developed by Microsoft and documented in MS-SFU
specification. MS-SFU specification also includes resource-based
constrained delegation (RBCD) which FreeIPA did not support.

Microsoft has decided to force use of RBCD for forest trust. This means
that certain use-cases will not be possible anymore.

This design document outlines approaches used by FreeIPA for constrained
delegation implementation, including RBCD.

Fixes: https://pagure.io/freeipa/issue/9354

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
4239b77a by Alexander Bokovoy at 2023-04-05T14:55:22-04:00
IPA API changes to support RBCD

IPA API commands to manage RBCD access controls.

Fixes: https://pagure.io/freeipa/issue/9354

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
f78dc0b1 by Alexander Bokovoy at 2023-04-05T14:55:22-04:00
kdb: implement RBCD handling in KDB driver

Resource-based constrained delegation (RBCD) is implemented with a new
callback used by the KDC. This callback is called when a server asks for
S4U2Proxy TGS request and passes a ticket that contains RBCD PAC
options.

The callback is supposed to take client and server principals, a PAC and a target
service database entry. Using the target service database entry it then
needs to decide whether a server principal is allowed to delegate the
client credentials to the target service.

The callback can also cross-check whether the client principal can be
limited in delegating own tickets but this is not implemented in the
current version.

Fixes: https://pagure.io/freeipa/issue/9354

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
dd5b189a by Alexander Bokovoy at 2023-04-05T14:55:22-04:00
RBCD: add basic test for RBCD handling

Add a test that uses the IPA API to allow delegation of RBCD configuration
to a host and then uses it to set up an RBCD rule for a service.

Run RBCD check when the rule exists and when the rule is removed.

Since we only provide RBCD support on KDC side with Kerberos 1.20, skip
the test on Fedora versions prior to Fedora 38 and on RHEL versions
prior to RHEL 9.2.

Fixes: https://pagure.io/freeipa/issue/9354

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
667b82a8 by Alexander Bokovoy at 2023-04-05T14:55:22-04:00
doc/designs/rbcd.md: add usage examples

Fixes: https://pagure.io/freeipa/issue/9354

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
0bf0b2d2 by Alexander Bokovoy at 2023-04-05T14:55:22-04:00
doc/designs/rbcd.md: document use of S-1-18-* SIDs

Fixes: https://pagure.io/freeipa/issue/9354

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
88d8534e by Antonio Torres at 2023-04-06T08:56:35+02:00
Extend API documentation

This includes:

* Section about command/param info in usage guide
* Section about metadata retrieval in usage guide
* Guide about differences between CLI and API
* Access control guide (management of roles, privileges and
  permissions).
* Guide about API contexts
* JSON-RPC usage guide and JSON-to-Python conversion
* Notes about types in API Reference

Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
dc8590ef by mbhalodi at 2023-04-12T15:10:04+02:00
ipatests: Test for sequence processing failures with server context

1: Test to verify that groups have the correct userclass when
external is set to true or false with group-add.
2: After creating a non-POSIX group, verify that all
subsequent group_add calls adding POSIX groups do
not fail with a missing attribute.

Related: https://pagure.io/freeipa/issue/9349

Signed-off-by: mbhalodi <mbhalodi at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Antonio Torres <antorres at redhat.com>

- - - - -
3bba254c by Florence Blanc-Renaud at 2023-04-17T16:44:57+02:00
ipatests: mark known failures for autoprivategroup

Two tests have known issues in test_trust.py with sssd 2.8.2+:
- TestNonPosixAutoPrivateGroup::test_idoverride_with_auto_private_group
(when called with the "hybrid" parameter)
- TestPosixAutoPrivateGroup::test_only_uid_number_auto_private_group_default
(when called with the "true" parameter)

Related: https://pagure.io/freeipa/issue/9295
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
903c8f9d by Christian Heimes at 2023-04-17T15:15:09-04:00
Speed up installer by restarting DS after DNA plugin

DS does not enable plugins unless nsslapd-dynamic-plugins is enabled or
DS is restarted. The DNA plugin creates its configuration entries with
some delay after the plugin is enabled.

DS is now restarted after the DNA plugin is enabled so it can create the
entries while Dogtag and the rest of the system is installing. The
updater `update_dna_shared_config` no longer blocks and waits for two
times 60 seconds for `posix-ids` and `subordinate-ids`.

Fixes: https://pagure.io/freeipa/issue/9358
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
0d72a6cf by Todd Zullinger at 2023-04-18T08:32:54+02:00
spec: verify upstream source signature

Per the Fedora packaging guidelines¹.

The GPG key was generated using details found on the wiki².  The
following commands can be used to fetch the signing key via fingerprint
and extract it:

    fpr=0E63D716D76AC080A4A33513F40800B6298EB963
    gpg --keyserver keys.openpgp.org --receive-keys $fpr
    gpg --armor --export-options export-minimal --export $fpr >gpgkey-$fpr.asc

¹ https://docs.fedoraproject.org/en-US/packaging-guidelines/#_verifying_signatures
² https://www.freeipa.org/page/Verify_Release_Signature

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
4f9e6b1b by Todd Zullinger at 2023-04-18T08:32:54+02:00
spec: silence krb5 pkgconf errors in %krb5_base_version

Send stderr of pkgconf to /dev/null rather than printing the following
error text while parsing the spec file:

    Package krb5 was not found in the pkg-config search path.
    Perhaps you should add the directory containing `krb5.pc'
    to the PKG_CONFIG_PATH environment variable
    Package 'krb5', required by 'virtual:world', not found

`BuildRequires: pkgconfig(krb5)` ensures this won't happen when running
a real build.  It simply avoids 4 lines of needless error output when
running something like `fedpkg prep`.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ba845b23 by Michal Polovka at 2023-04-19T21:46:14+02:00
ipatest: loginscreen: do not use hardcoded password

Use admin password obtained from local config instead of hardcoded
value, as the password may differ in different testing environments.

https://pagure.io/freeipa/issue/9226

Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Erik Belko <ebelko at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
2b2f10c2 by Rob Crittenden at 2023-04-26T14:21:33-04:00
Enforce sizelimit in cert-find

The sizelimit option was not being passed into the dogtag
ra_find() command so it always returned all available certificates.

A value of 0 will retain old behavior and return all certificates.

The default value is the LDAP searchsizelimit.

Related: https://pagure.io/freeipa/issue/9331

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Antonio Torres <antorres at redhat.com>

- - - - -
191880bc by Rob Crittenden at 2023-04-26T14:21:33-04:00
Use the OpenSSL certificate parser in cert-find

cert-find is a rather complex beast because it not only
looks for certificates in the optional CA but within the
IPA LDAP database as well. It has a process to deduplicate
the certificates since any PKI issued certificates will
also be associated with an IPA record.

In order to obtain the data to deduplicate the certificates
the cert from LDAP must be parsed for issuer and serial number.
ipaldap has automation to determine the datatype of an
attribute and will use the python-cryptography engine to
decode a certificate automatically if you access
entry['usercertificate'].

The downside is that this is comparatively slow. Here is the
parse time in microseconds:

OpenSSL.crypto 175
pyasn1 1010
python-cryptography 3136

The python-cryptography time is fine if you're parsing one
certificate but if the LDAP search returns a lot of certificates,
say in the thousands, then those microseconds add up quickly.
In testing it took ~17 seconds to parse 5k certificates.

It's hard to overstate just how much better the cryptography
Python interface is. In the case of OpenSSL really the only
certificate fields easily available are serial number, subject
and issuer. And the subject/issuer are in the OpenSSL reverse
format which doesn't compare nicely to the cryptography format.
The DN module can correct this.

Fortunately for cert-find we only need serial number and issuer,
so the OpenSSL module is fine. It takes ~2 seconds.

pyasn1 is also relatively fast, but switching to it would require
substantially more effort for less payback.

cert-find when there are a lot of certificates has been
historically slow. It isn't related to the CA, which returns
large sets (well, 5k anyway) in a second or two. It was the
LDAP comparison adding tens of seconds to the runtime.

CLI times from before and after:

original:

-------------------------------
Number of entries returned 5011
-------------------------------
real    0m21.155s
user    0m0.835s
sys     0m0.159s

using OpenSSL:

real    0m5.747s
user    0m0.864s
sys     0m0.148s

OpenSSL is forcibly lazy-loaded so it doesn't conflict with
python-requests.  See ipaserver/wsgi.py for the gory details.

Fixes: https://pagure.io/freeipa/issue/9331

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Antonio Torres <antorres at redhat.com>

- - - - -
a83ae635 by Timo Aaltonen at 2023-04-27T08:52:51+02:00
Drop duplicate includedir from krb5.conf

SSSD already provides a config snippet which includes
SSSD_PUBCONF_KRB5_INCLUDE_D_DIR, and having both breaks Java.

Add also a dependency on sssd-krb5 for freeipa-client.

https://pagure.io/freeipa/issue/9267

Signed-off-by: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
dd22bd25 by Sudhir Menon at 2023-04-28T16:08:56+02:00
ipatests: ipa-adtrust-install command test scenarios

This patch includes additional test cases that can be run
against the ipa-adtrust-install CLI tool.

test_adtrust_install_with_incorrect_netbios_name
test_adtrust_install_as_regular_ipa_user
test_adtrust_install_with_incorrect_admin_password
test_adtrust_install_with_invalid_rid_base_value
test_adtrust_install_with_invalid_secondary_rid_base
test_adtrust_reinstall_updates_ipaNTFlatName_attribute
test_adtrust_install_without_ipa_installed
test_samba_credential_cache_is_removed_post_uninstall
test_adtrust_install_without_integrated_dns
test_adtrust_install_with_debug_option
test_adtrust_install_cli_without_smbpasswd_file
test_adtrust_install_enable_compat
test_adtrust_install_invalid_ipaddress_option
test_syntax_error_in_ipachangeconf
test_unattended_adtrust_install_uses_default_netbios_name
test_smb_not_starting_post_adtrust_install

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
fd0fd487 by Rafael Guterres Jeffman at 2023-04-28T10:11:30-04:00
Fix "no entry" condition when searching PAC info

Fix Covscan-discovered DEADCODE block when searching for PAC info,
caused by a wrong condition being evaluated when entry is a trusted
domain object.

Fixes: https://pagure.io/freeipa/issue/9368

Signed-off-by: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1f30cc65 by Florence Blanc-Renaud at 2023-04-28T10:12:46-04:00
cert_find: fix call with --all

When ipa cert-find --all is called, the function prints the
certificate public bytes. The code recently switched to OpenSSL.crypto
and the objects OpenSSL.crypto.X509 do not have the method
public_bytes(). Use to_cryptography() to transform into a
cryptography.x509.Certificate before calling public_bytes().

Related: https://pagure.io/freeipa/issue/9331

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
cfc02333 by Stanislav Levin at 2023-04-28T13:20:30-04:00
ipasphinx: Correct import of progress_message for Sphinx 6.1.0+

Pylint reports false-negative result for Sphinx 6.1.0+:

```
************* Module ipasphinx.ipabase
ipasphinx/ipabase.py:10: [E0611(no-name-in-module), ] No name 'progress_message' in module 'sphinx.util')
```

Actually `sphinx.util.progress_message` is still available in Sphinx 6.1
but it's deprecated and will be removed in 8.0:
https://www.sphinx-doc.org/en/master/extdev/deprecated.html#deprecated-apis

Related change:
https://github.com/sphinx-doc/sphinx/commit/8c5e7013ea5f6a50e3cc3130b22205a85ba87fab

Fixes: https://pagure.io/freeipa/issue/9361
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ef0ae496 by mbhalodi at 2023-05-02T20:40:01+02:00
ipatests: add remove automember condition tests

Related: https://pagure.io/freeipa/issue/9332

Signed-off-by: mbhalodi <mbhalodi at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
e0c4f83a by Alexander Bokovoy at 2023-05-03T18:21:12+02:00
Change doc theme to 'book'

RTD theme is not compatible with Sphinx 7.0+
https://github.com/readthedocs/readthedocs.org/issues/10279

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
c7ef94c6 by Florence Blanc-Renaud at 2023-05-04T08:33:53+02:00
Nightly test: add +15min for test_ipahealthcheck

The test test_ipahealthcheck.py::TestIpaHealthcheck frequently
hits its 90min timeout. Extend by 15min to allow completion.

Fixes: https://pagure.io/freeipa/issue/9362
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>

- - - - -
2c41b49b by Florence Blanc-Renaud at 2023-05-04T13:37:58+02:00
spec file: force nodejs < 20 on fedora < 39

On fedora < 39, nodejs 20 is not the default version. As
a consequence, the installation of nodejs20 adds the command
/usr/bin/node-20 instead of /usr/bin/node.
FreeIPA build is using the node command and fails if the
command is missing.

Force nodejs < 20 on fedora < 39 to make sure the node
command is installed.

Fixes: https://pagure.io/freeipa/issue/9374

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
f66160fd by s1341 at 2023-05-04T14:58:15+02:00
ipaplatform: add initial nixos support

Fixes: https://pagure.io/freeipa/issue/9299
Signed-off-by: Shmarya Rubenstein <github at shmarya.net>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c8c05289 by Florence Blanc-Renaud at 2023-05-05T14:17:18-04:00
idview: improve performance of idview-show

The command ipa idview-show NAME has a post callback
method that replaces the ID override anchor with the corresponding
user name.
For instance the anchor
ipaanchoruuid=:SID:S-1-5-21-3951964782-819614989-3867706637-1114
is replaced with the name of the AD user aduser at ad.test.

The method loops on all the anchors and for each one performs the
resolution, which can be a costly operation if the anchor is for
a trusted user. Instead of doing a search for each anchor, it is
possible to read the 'ipaOriginalUid' value from the ID override
entry.

Fixes: https://pagure.io/freeipa/issue/9372

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
72cc53a2 by Florence Blanc-Renaud at 2023-05-09T18:05:24+02:00
Tests: test on f37 and f38

Fedora 38 is now available, move the testing pipelines to
- fedora 38 for the _latest definitions
- fedora 37 for the _previous definitions

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
abf1dc55 by Michal Polovka at 2023-05-16T13:00:57+02:00
ipatests: commands: Wait for the SSSD to become available

The test preceding test_ssh_key_connection calls the ipa-server-upgrade command,
which restarts all the associated services.
Especially on slower machines, SSSD is not yet online when the SSH connection is attempted.
This results in only cached users being available.
Wait for SSSD to become available before the SSH connection is attempted.

Fixes: https://pagure.io/freeipa/issue/9377

Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>

- - - - -
9e806164 by Rob Crittenden at 2023-05-16T13:09:56+02:00
Return the <Message> value cert-find failures from the CA

If a cert-find fails on the CA side we get a Message tag
containing a string describing the failure plus the java stack
trace. Pull out the first part of the message as defined by the
first colon and include that in the error message returned to
the user.

The new message will appear as:

$ ipa cert-find
ipa: ERROR: Certificate operation cannot be completed: Unable to search for certificates (500)

vs the old generic message:

ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (500)

This can be reproduced by setting nssizelimit to 100 on the
pkidbuser. The internal PKI search returns err=4 but the CA
tries to convert all values into certificates and it fails. The
value needs to be high enough that the CA can start but low
enough that you don't have to create hundreds of certificates
to demonstrate the issue.

https://pagure.io/freeipa/issue/9369

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
72dccd82 by Florence Blanc-Renaud at 2023-05-16T13:12:12+02:00
azure tests: move to fedora 38

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
2eb4cdb6 by Mohammad Rizwan at 2023-05-17T18:12:27+02:00
ipatests: wait for sssd-kcm to settle after date change

In order to expire the ACME cert, the system date is moved, and
issuing the kinit command then results in failure.

Hence run the kinit command repeatedly until things settle.

This patch removes the sleep and adds tasks.run_repeatedly()
method instead.

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
eec46800 by Antonio Torres at 2023-05-19T09:58:02+02:00
Update translations to FreeIPA master state

Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -
479a24f2 by Antonio Torres at 2023-05-19T10:03:15+02:00
Update contributors list

Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -
7b0ad59f by Florence Blanc-Renaud at 2023-05-22T20:22:59+02:00
user or group name: explain the supported format

The commands ipa user-add or ipa group-add validate the
format of the user/group name and display the following
message when it does not conform to the expectations:
invalid 'login': may only include letters, numbers, _, -, . and $

The format is more complex: for instance, '1234567' is an invalid
user name, but the failure is inconsistent with the error message.
Modify the error message to point to ipa help user/group and add
more details in the help message.

Same change for idoverrideuser and idoverridegroup:
The user/group name must follow these rules:
- cannot contain only numbers
- must start with a letter, a number, _ or .
- may contain letters, numbers, _, ., or -
- may end with a letter, a number, _, ., - or $

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2150217

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
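The naming rules listed in the commit above, re-implemented as an added example; this is not FreeIPA's own validator (whose exact pattern is not shown here), and it assumes "letter" means an ASCII letter.

```python
import re
from typing import List

# Rules quoted from the commit message for user/group/idoverride names:
#   - cannot contain only numbers
#   - must start with a letter, a number, _ or .
#   - may contain letters, numbers, _, ., or -
#   - may end with a letter, a number, _, ., - or $
# Assumption (not from the commit): "letter" means ASCII a-z/A-Z.
_FIRST = r"[A-Za-z0-9_.]"
_MIDDLE = r"[A-Za-z0-9_.-]"
_LAST = r"[A-Za-z0-9_.$-]"

# Single pattern form: first char, then optionally (middle chars, last char).
_NAME_RE = re.compile(rf"^{_FIRST}(?:{_MIDDLE}*{_LAST})?$")


def name_violations(name: str) -> List[str]:
    """Return the rules the name breaks, in the order the commit lists them.

    An empty list means the name is acceptable. Reporting every broken rule
    (rather than just the first) is what makes the error message actionable.
    """
    if not name:
        return ["name is empty"]
    problems = []
    if name.isdigit():
        problems.append("cannot contain only numbers")
    if not re.fullmatch(_FIRST, name[0]):
        problems.append("must start with a letter, a number, _ or .")
    # Characters strictly between first and last (empty for 1- or 2-char names).
    if re.search(rf"[^{_MIDDLE[1:-1]}]", name[1:-1]):
        problems.append("may contain letters, numbers, _, ., or -")
    if not re.fullmatch(_LAST, name[-1]):
        problems.append("may end with a letter, a number, _, ., - or $")
    return problems


def is_valid_name(name: str) -> bool:
    """Fast boolean form equivalent to name_violations(name) == []."""
    return _NAME_RE.fullmatch(name) is not None and not name.isdigit()


if __name__ == "__main__":
    # Constructed sample names, including the '1234567' case from the commit.
    for candidate in ["jsmith", "1234567", "-jsmith", "svc_acct$", "a$b", "a.b-c"]:
        problems = name_violations(candidate)
        verdict = "ok" if not problems else "invalid: " + "; ".join(problems)
        print(f"{candidate!r}: {verdict}")
```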
da65cc35 by Jerry James at 2023-05-23T09:26:58-04:00
Change fontawesome-fonts requires to match fontawesome 4.x

fontawesome 6.x is not entirely compatible with the 4.x version, but in
Fedora the 4.x bits FreeIPA depends on were forward-ported to the 6.x
build. This also allows a common dependency for all versions.

This patch switches to the common dependency using 'fonts(fontawesome)'.
This works on all Fedora and RHEL versions.

Signed-off-by: Jerry James <loganjerry at gmail.com>
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
9cd5f49c by Julien Rische at 2023-05-24T13:20:38+02:00
kdb: Use krb5_pac_full_sign_compat() when available

In November 2022, Microsoft introduced a new PAC signature type called
"extended KDC signature" (or "full PAC checksum"). This new PAC
signature will be required by default by Active Directory in July 2023
for S4U requests, and opt-out will no longer be possible after October
2023.

Support for this new signature type was added to MIT krb5, but it relies
on the new KDB API introduced in krb5 1.20. For older MIT krb5 versions,
the code generating extended KDC signatures cannot be backported as it
is without backporting the full new KDB API code too. This would have
too much impact to be done.

As a consequence, krb5 packages for Fedora 37, CentOS 8 Stream, and RHEL
8 will include a downstream-only update adding the
krb5_pac_full_sign_compat() function, which can be used in combination
with the prior to 1.20 KDB API to generate PAC extended KDC signatures.

Fixes: https://pagure.io/freeipa/issue/9373
Signed-off-by: Julien Rische <jrische at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
3f1b373c by Julien Rische at 2023-05-24T13:20:38+02:00
Tolerate absence of PAC ticket signature depending on server capabilities

Since November 2020, Active Directory KDC generates a new type of
signature as part of the PAC. It is called "ticket signature", and is
generated based on the encrypted part of the ticket. The presence of
this signature is not mandatory in order for the PAC to be accepted for
S4U requests.

However, the behavior is different for MIT krb5. Support was added as
part of the 1.20 release, and this signature is required in order to
process S4U requests. Contrary to the PAC extended KDC signature, the
code generating this signature cannot be isolated and backported to
older krb5 versions because this version of the KDB API does not allow
passing the content of the ticket's encrypted part to IPA.

This is an issue in gradual upgrade scenarios where some IPA servers
rely on 1.19 and older versions of MIT krb5, while others use version
1.20 or newer. A service ticket that was provided by 1.19- IPA KDC will
be rejected when used by a service against a 1.20+ IPA KDC for S4U
requests.

On Fedora, CentOS 9 Stream, and RHEL 9, when the krb5 version is 1.20 or
newer, it will include a downstream-only update adding the
"optional_pac_tkt_chksum" KDB string attribute, which allows tolerating the
absence of PAC ticket signatures if necessary.

This commit adds an extra step during the installation and update
processes which adds a "pacTktSignSupported" ipaConfigString
attribute in "cn=KDC,cn=[server],cn=masters,cn=ipa,cn=etc,[basedn]" if
the MIT krb5 version IPA was built with is 1.20 or newer.

This commit also sets "optional_pac_tkt_chksum" as a virtual KDB entry
attribute. This means the value of the attribute is not actually stored
in the database (to avoid race conditions), but its value is determined
at KDC start time by searching for the "pacTktSignSupported"
ipaConfigString in the server list. If this value is missing for at
least one of them, enforcement of the PAC ticket signature is
disabled by setting "optional_pac_tkt_chksum" to true for the local
realm TGS KDB entry.

For foreign realm TGS KDB entries, the "optional_pac_tkt_chksum" virtual
string attribute is set to true systematically, because, at least for
now, trusted AD domains can still have PAC ticket signature support
disabled.

Given the fact that the "pacTktSignSupported" ipaConfigString for a single
server is added when this server is updated, and that the value of
"optional_pac_tkt_chksum" is determined at KDC start time based on
the ipaConfigString attributes of all the KDCs in the domain, this
requires restarting all the KDCs in the domain after all IPA servers
were updated in order for PAC ticket signature enforcement to actually
take effect.

Fixes: https://pagure.io/freeipa/issue/9371
Signed-off-by: Julien Rische <jrische at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
545a363d by Julien Rische at 2023-05-24T13:20:38+02:00
Filter out constrained delegation ACL from KDB entry

Commit f78dc0b163 was missing an exception for the constrained
delegation ACL TL data type during the principal entry update operation.
This ACL is not meant to be stored as encoded data in krbExtraData.

Signed-off-by: Julien Rische <jrische at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
8eeba00c by Rob Crittenden at 2023-05-24T13:29:35+02:00
Mention in ipa-client-install that nscd is disabled

Also warn that similar services may also need to be disabled.
An example is an nscd replacement named unscd.

Fixes: https://pagure.io/freeipa/issue/9086

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
359e1a3d by Florence Blanc-Renaud at 2023-05-24T15:50:56-04:00
ACME tests: fix issue_and_expire_acme_cert method

The fixture issue_and_expire_acme_cert is changing the date
on master and client. It also resets the admin password as
it gets expired after the date change.
Currently the code is resetting the password by performing
kinit on the client, which leaves the master with an expired
ticket in its cache. Reset the password on the master instead
in order to have a valid ticket for the next operations.

Fixes: https://pagure.io/freeipa/issue/9383

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>

- - - - -
2be07242 by Florence Blanc-Renaud at 2023-05-31T09:17:25+02:00
PRCI: update rawhide box

Update the rawhide Vagrant box to 0.8.3
(built May 26 2023 using fedora-39)

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a1ed0ff7 by Rob Crittenden at 2023-05-31T09:21:48+02:00
Replace usage of #!/usr/bin/env python3 with #!/usr/bin/python3

Only three remaining scripts used this form, two of which are
for developers only and not shipped.

The shebang in ipa-ccache-sweeper will be converted to
"#!$(PYTHON) -I" in the build process.

Fixes: https://pagure.io/freeipa/issue/8941

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>

- - - - -
a213253b by Rob Crittenden at 2023-05-31T09:24:55+02:00
Don't allow a group to be converted to POSIX and external

This condition was checked in group-add but not in group-mod.
This evaluation is done later in the pre_callback so that all
the other machinations about posix are already done to make
it easier to tell whether this condition is true or not.

Fixes: https://pagure.io/freeipa/issue/8990

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
574517cb by Florence Blanc-Renaud at 2023-06-01T08:20:37+02:00
Design for passkey support

Related: https://pagure.io/freeipa/issue/9261
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
af569508 by Florence Blanc-Renaud at 2023-06-01T08:20:37+02:00
New schema for Passkey mappings

Add attributetypes and objectclasses for Passkey config object
and Passkey mappings.

Related: https://pagure.io/freeipa/issue/9261
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
4bd1be9e by Florence Blanc-Renaud at 2023-06-01T08:20:37+02:00
API: add new commands for ipa passkeyconfig-show | mod

Currently supports a single parameter:
--require-user-verification [ 'on', 'off', 'default']

Related: https://pagure.io/freeipa/issue/9261
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a21214cb by Florence Blanc-Renaud at 2023-06-01T08:20:37+02:00
API: add new commands for passkey mappings

- ipa user-add-passkey
- ipa user-remove-passkey
- ipa stageuser-add-passkey
- ipa stageuser-remove-passkey

Fixes: https://pagure.io/freeipa/issue/9261
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ae3c281a by Florence Blanc-Renaud at 2023-06-01T08:20:37+02:00
XMLRPC tests: test new passkey commands

Add tests for:
 ipa passkeyconfig-show
 ipa passkeyconfig-mod
 ipa user-add-passkey LOGIN PASSKEY
 ipa user-remove-passkey LOGIN PASSKEY
 ipa stageuser-add-passkey LOGIN PASSKEY
 ipa stageuser-remove-passkey LOGIN PASSKEY

Related: https://pagure.io/freeipa/issue/9261
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7911b246 by Florence Blanc-Renaud at 2023-06-01T08:20:37+02:00
CLI: add support for passkey authentication type

Add a new authentication type for Passkey in the following commands:

ipa user-add --user-auth-type=AUTHTYPE
ipa user-mod --user-auth-type=AUTHTYPE
ipa config-mod --user-auth-type=AUTHTYPE
ipa service-add --auth-ind=AUTHTYPE
ipa service-mod --auth-ind=AUTHTYPE
ipa host-add --auth-ind=AUTHTYPE
ipa host-mod --auth-ind=AUTHTYPE
ipa krbtpolicy-mod --passkey-maxlife=INT --passkey-maxrenew=INT

Fixes: https://pagure.io/freeipa/issue/9262
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a7d90c1e by Florence Blanc-Renaud at 2023-06-01T08:20:37+02:00
XMLRPC tests: add new tests for passkey auth type

Add tests for the new passkey authentication type
(ipa user-*, ipa config-mod)
Add tests for the new passkey authentication indicator
(ipa service-*, ipa host-*)
Add tests for the new krbtpolicy parameters
(ipa krbtpolicy-mod --passkey-maxlife=INT --passkeymaxrenew=INT)

Related: ipatests/test_xmlrpc/test_user_plugin.py
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f8580cae by Florence Blanc-Renaud at 2023-06-01T08:20:37+02:00
WebUI: add support for passkey auth type and auth indicator

Add new checkbox value "Passkey" for authentication type
(user page, config page)
Add new checkbox value "Passkey" for authentication indicator
(service page, host page)
Add new fields for Passkey krbptpolicy (max life, max renew)

Related: https://pagure.io/freeipa/issue/9262
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d207f6bf by Florence Blanc-Renaud at 2023-06-01T08:20:37+02:00
WebUI tests: add test for krbtpolicy passkey maxlife/maxrenew

Add a new test ensuring that it is possible to modify
the krbt policy settings related to passkey authentication
(max life and max renew)

Related: https://pagure.io/freeipa/issue/9262
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
56e17974 by Alexander Bokovoy at 2023-06-01T08:20:37+02:00
ipa-kdb: initial support for passkeys

- added passkey detection based on the presence of ipaPassKey attribute
  in the LDAP entry of the principal
- added 'passkey' authentication indicator
- added support for enforcing KDC policy based on the 'passkey'
  indicator

Fixes: https://pagure.io/freeipa/issue/9263
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
6f0da62f by Florence Blanc-Renaud at 2023-06-01T08:20:37+02:00
Passkey: add support for discoverable credentials

Apart from server-side credentials, passkey should also register
discoverable credentials.
ipa user-add-passkey --register now supports an additional option,
--cred-type server-side|discoverable
that is propagated to passkey_child command.

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c58e4830 by Florence Blanc-Renaud at 2023-06-01T08:20:37+02:00
Passkey support: show the passkey in webui

Display the passkey value for user or stageuser
in the user details page
Allow addition/removal of a passkey

Related: https://pagure.io/freeipa/issue/9261
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
510f806a by Florence Blanc-Renaud at 2023-06-01T08:20:37+02:00
WebUI: improve passkey display

The passkey is a long string and not user-friendly.
Instead of showing the whole passkey in the webui, only show
the id part and a string for discoverable or server-side passkey.

Related: https://pagure.io/freeipa/issue/9261
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c016e271 by Florence Blanc-Renaud at 2023-06-01T08:20:37+02:00
Passkey: add "passkey configuration" to webui

Add a "Passkey configuration" subtab in the "Policy" tab,
showing the settings for passkeyconfig.

Related: https://pagure.io/freeipa/issue/9261

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b650783a by Florence Blanc-Renaud at 2023-06-01T08:20:37+02:00
Passkey: extract the passkey from stdout

SSSD's command passkey_child was previously using stderr to
print the following messages:
PIN required.
Please touch the device.
but switched to stdout instead in the commit
https://github.com/SSSD/sssd/commit/6b0d175f8fad63c9c41e0b990c4a5632e96cc3f7

Stdout was used only for displaying the generated passkey.

This means that ipa user-add-passkey --register now must read
stdout line by line and print only the messages that the user
needs to see (all lines except the one containing the passkey).

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9963dcdd by Florence Blanc-Renaud at 2023-06-01T08:20:37+02:00
Passkey: update the API doc

Include changes related to passkey auth indicators.
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0075c8b8 by Florence Blanc-Renaud at 2023-06-01T08:20:37+02:00
passkeyconfig: require-user-verification is a boolean

ipa passkeyconfig-mod now accepts Boolean values for
--require-user-verification

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c0f71b05 by Florence Blanc-Renaud at 2023-06-01T08:20:37+02:00
passkey: adjust selinux security context for passkey_child

SSSD ships passkey_child binary in /usr/libexec/sssd and
it needs the same security context as /usr/libexec/sssd/oidc_child
(ipa_otpd_exec_t type).

Add the context in the SELinux policy provided by IPA.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2169438

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
14526c50 by Florence Blanc-Renaud at 2023-06-01T08:20:37+02:00
Webui tests: fix test failure

Fix translation issues in webui unit tests

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
31b70ee3 by Florence Blanc-Renaud at 2023-06-01T08:20:37+02:00
Passkey: add a weak dependency on sssd-passkey

The package sssd-passkey provides the executable
/usr/libexec/sssd/passkey_child
which is not mandatory but recommended.

Add a weak dependency from ipa client package on sssd-passkey.

TBD: when a new version of sssd is released with passkey
support, bump the SSSD version.

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9caea320 by Sumit Bose at 2023-06-01T08:20:37+02:00
ipa-otpd: suppress "function declaration isn't a prototype" warning

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e7a69b3d by Sumit Bose at 2023-06-01T08:20:37+02:00
ipa-otpd: make add_krad_attr_to_set() public

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
62e28e42 by Sumit Bose at 2023-06-01T08:20:37+02:00
ipa-otpd: make auth_type_is(), get_string() and get_string_array() public

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a02fd530 by Sumit Bose at 2023-06-01T08:20:37+02:00
ipa-otpd: make get_krad_attr_from_packet() public

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b252988d by Sumit Bose at 2023-06-01T08:20:37+02:00
ipa-otpd: add support for passkey authentication

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
8d12d497 by Sumit Bose at 2023-06-01T08:20:37+02:00
ipa-otpd: add passkey_child_debug_level option

By setting passkey_child_debug_level in default.conf the debug level for
the passkey_child helper utility can be set.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e5c292cd by Alexander Bokovoy at 2023-06-01T08:20:37+02:00
doc/designs: update link to SSSD passkey design page

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
665227e4 by Florence Blanc-Renaud at 2023-06-01T08:20:37+02:00
Spec file: bump SSSD version for passkey support

SSSD 2.9.0 provides support for passkey in rawhide.
Note that f37 and f38 ship 2.9.0 without the passkey feature
but this is not an issue as IPA has a "Recommends: sssd-passkey"
definition, not a "Requires:"

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e0acc51f by Iker Pedrosa at 2023-06-01T08:20:37+02:00
Passkey design: fix user verification

User verification is a boolean attribute.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
957d67ac by Iker Pedrosa at 2023-06-01T08:20:37+02:00
Passkey design: user verification clarification

User verification clarification regarding PIN prompt.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
105b0337 by Iker Pedrosa at 2023-06-01T08:20:37+02:00
Passkey design: add second sssd design page

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e00f457f by Alexander Bokovoy at 2023-06-01T11:10:21+02:00
ipa-kdb: hint KDC to use aes256-sha1 for forest trust TGT

From https://krbdev.mit.edu/rt/Ticket/Display.html?id=9089
--------
The KDC uses the first local TGT key for the privsvr and full PAC
checksums.  If this key is of an aes-sha2 enctype in a cross-realm
TGT, a Microsoft KDC in the target realm may reject the ticket because
it has an unexpectedly large privsvr checksum buffer.  This behavior
is unnecessarily picky as the target realm KDC cannot and does not
need to verify the privsvr checksum, but [MS-PAC] 2.8.2 does limit the
checksum key to three specific enctypes.
--------

Use MIT Kerberos 1.21+ facility to hint about proper enctype for
cross-realm TGT.

Fixes: https://pagure.io/freeipa/issue/9124

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>

- - - - -
4ef8258d by Alexander Bokovoy at 2023-06-01T11:10:21+02:00
ipa-kdb: protect against context corruption

Early in startup the LDAP server might not respond well yet and
should_support_pac_tkt_sign() will bail out with
KRB5_KDB_SERVER_INTERNAL_ERR. We should postpone this call but for the
time being we should prevent a crash.

Crash happens because init_module() returns with an error and KDC then
calls fini_module() which will free the DB context which is already
corrupted for some reason.

Do not call any free() call because the whole context is corrupted as
tests do show.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>

- - - - -
03897d8a by Alexander Bokovoy at 2023-06-01T11:10:21+02:00
ipa-kdb: postpone ticket checksum configuration

Postpone ticket checksum configuration after the KDB module was initialized.
This, in practice, should now happen when a master key is retrieved.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>

- - - - -
d551e853 by Alexander Bokovoy at 2023-06-01T11:10:21+02:00
ipa-kdb: process out of realm server lookup during S4U

Kerberos principal aliases lookup had a long-standing TODO item to
support server referrals for host-based aliases. This commit implements
server referrals for hosts belonging to trusted domains. The use-case is
a part of S4U processing in a two-way trust when an IPA service requests
a ticket to a host in a trusted domain (e.g. service on AD DC). In such
situation, the server principal in TGS request will be a normal principal
in our domain and KDC needs to respond with a server referral. This
referral can be issued by a KDB driver or by the KDC itself, using
'domain_realms' section of krb5.conf. Since KDB knows all suffixes
associated with the trusted domains, implement the logic there.

Fixes: https://pagure.io/freeipa/issue/9164

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>

- - - - -
9cdf010c by Alexander Bokovoy at 2023-06-01T11:10:21+02:00
ipa-kdb: skip verification of PAC full checksum

MIT Kerberos KDC code will do verification of the PAC full checksum
buffers, we don't need to process them. This change only applies to
newer MIT Kerberos version which have this buffer type defined, hence
using #ifdef to protect the use of the define.

This should have no functional difference.

Related: https://pagure.io/freeipa/issue/9371

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>

- - - - -
18bf495c by Alexander Bokovoy at 2023-06-01T11:10:21+02:00
ipalib/x509.py: Add signature_algorithm_parameters

Python-cryptography 41.0.0 new abstract method.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>

- - - - -
3a706e86 by Alexander Bokovoy at 2023-06-02T13:04:14+02:00
ipa-kdb: be compatible with krb5 1.19 when checking for server referral

Related: https://pagure.io/freeipa/issue/9164

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
107f5f2d by Florence Blanc-Renaud at 2023-06-05T09:41:14+02:00
ipatest: remove xfail from test_smb

test_smb is now successful because the windows server version
has been updated to windows-server-2022 with
- KB5012170
- KB5025230
- KB5022507
- servicing stack 10.0.20348.1663
in freeipa-pr-ci commit 3ba4151.

Remove the xfail.

Fixes: https://pagure.io/freeipa/issue/9124
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>

- - - - -
1aea1cc2 by Florence Blanc-Renaud at 2023-06-07T09:53:07+02:00
webuitests: close notification which hides Add button

The webui test test_service.py::test_service::test_arbitrary_certificates
randomly fails.
The test is creating a new service then navigates to the Service page
and clicks on the Add Certificate button.
The notification area may still be present and hide the button, with
the message "Service successfully added".
Close all notifications before navigating to the Service page.

Fixes: https://pagure.io/freeipa/issue/9389
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
c2bce952 by Rob Crittenden at 2023-06-08T16:04:24-04:00
Don't allow the FQDN to match the domain on server installs

Without this the installation is successful but the DNS
records will not work. With --setup-dns there will be no
A record for the host (only an NS record) and the PTR record
will point to the domain name.

Fixes: https://pagure.io/freeipa/issue/9003

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
d7a27a24 by Anuja More at 2023-06-09T10:04:20+02:00
ipatests: Check that SSSD_PUBCONF_KRB5_INCLUDE_D_DIR is not included in krb5.conf

SSSD already provides a config snippet which includes
SSSD_PUBCONF_KRB5_INCLUDE_D_DIR, and having both breaks Java.
Test checks that krb5.conf does not include
SSSD_PUBCONF_KRB5_INCLUDE_D_DIR.

Related: https://pagure.io/freeipa/issue/9267

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
2a605c5d by Rob Crittenden at 2023-06-16T11:15:48-04:00
Revert "Use the OpenSSL certificate parser in cert-find"

This reverts commit 191880bc9f77c3e8a3cecc82e6eea33ab5ad03e4.

The problem isn't with python-cryptography, it is with the
IPACertificate class which does way more work on a certificate
than is necessary in cert-find.

Related: https://pagure.io/freeipa/issue/9331
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
8a250201 by Rob Crittenden at 2023-06-16T11:15:48-04:00
Revert "cert_find: fix call with --all"

This reverts commit 1f30cc65276a532e7288217f216b72a2b0628c8f.

The problem isn't with python-cryptography, it is with the
IPACertificate class which does way more work on a certificate
than is necessary in cert-find.

Related: https://pagure.io/freeipa/issue/9331
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
fa3a69f9 by Rob Crittenden at 2023-06-16T11:15:48-04:00
Use the python-cryptography parser directly in cert-find

cert-find is a rather complex beast because it not only
looks for certificates in the optional CA but within the
IPA LDAP database as well. It has a process to deduplicate
the certificates since any PKI issued certificates will
also be associated with an IPA record.

In order to obtain the data to deduplicate the certificates
the cert from LDAP must be parsed for issuer and serial number.
ipaldap has automation to determine the datatype of an
attribute and will use the ipalib.x509 IPACertificate class to
decode a certificate automatically if you access
entry['usercertificate'].

The downside is that this is comparatively slow. Here is the
parse time in microseconds:

cryptography 0.0081
OpenSSL.crypto 0.2271
ipalib.x509 2.6814

Since only issuer and subject are required there is no need to
make the expensive IPACertificate call.

The IPACertificate parsing time is fine if you're parsing one
certificate but if the LDAP search returns a lot of certificates,
say in the thousands, then those microseconds add up quickly.
In testing it took ~17 seconds to parse 5k certificates (excluding
transmission overhead, etc).

cert-find when there are a lot of certificates has been
historically slow. It isn't related to the CA which returns
large sets (well, 5k anyway) in a second or two. It was the
LDAP comparison adding tens of seconds to the runtime.

When searching with the default sizelimit of 100 the time is
~10s without this patch. With it the time is 1.5s.

CLI times from before and after searching for all certs:

original:

-------------------------------
Number of entries returned 5038
-------------------------------
real    0m15.507s
user    0m0.828s
sys     0m0.241s

using cryptography:

real    0m4.037s
user    0m0.816s
sys     0m0.193s

Fixes: https://pagure.io/freeipa/issue/9331

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
794b2c32 by Florence Blanc-Renaud at 2023-06-16T15:19:10-04:00
User and groups: rename with --setattr must check format

There are 2 possible methods to rename users and groups:
- either use ipa user|group-mod oldname --rename newname
- or use setattr:
   ipa user-mod oldname --setattr uid=newname
   ipa group-mod oldname --setattr cn=newname

The first method validates the new name but the second method
doesn't. Add a validation to make both methods consistent.

Fixes: https://pagure.io/freeipa/issue/9396

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ae6549ff by Florence Blanc-Renaud at 2023-06-16T15:19:10-04:00
xmlrpc tests: add test renaming user or group with setattr

Add a new test renaming user or group using --setattr.
The new name must be validated and invalid names must be
refused.

Related: https://pagure.io/freeipa/issue/9396

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
0472067c by Florence Blanc-Renaud at 2023-06-21T08:48:07+02:00
Upgrade: add PKI drop-in file if missing

During the installation of IPA server, the installer adds a drop-in
file in /etc/systemd/system/pki-tomcatd at pki-tomcat.service.d/ipa.conf
that ensures the CA is reachable before the start command returns.
If the file is missing (for instance because the server was installed
with an old version before this drop-in was created), the upgrade
should add the file.

Fixes: https://pagure.io/freeipa/issue/9381

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
d76f8fce by Florence Blanc-Renaud at 2023-06-21T08:48:07+02:00
Integration test: add a test for upgrade and PKI drop-in file

Add an upgrade test with the following scenario:
- remove PKI drop-in file (to simulate an upgrade from an old
version)
- remove caECServerCertWithSCT profile from LDAP
- launch the ipa-server-upgrade command
- check that the upgrade added the file

Related: https://pagure.io/freeipa/issue/9381

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
143c3eb1 by Florence Blanc-Renaud at 2023-06-21T20:50:59+02:00
Upgrade: fix replica agreement

The upgrade checks the replication agreements to ensure that
some attributes are excluded from replication. The agreements
are stored in entries like
cn=serverToreplica,cn=replica,cn=_suffix_,cn=mapping tree,cn=config
but those entries are managed by the replication topology plugin
and should not be updated directly. The consequence is that the update
of the attributes fails and ipa-server-update prints an error message:

Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling
to perform: Entry and attributes are managed by topology plugin.No direct
modifications allowed.
Error caught updating nsDS5ReplicatedAttributeListTotal: Server is
unwilling to perform: Entry and attributes are managed by topology
plugin.No direct modifications allowed.

The upgrade continues but the replication is not excluding
passwordgraceusertime.

Instead of editing the agreements, perform the modifications on
the topology segments.

Fixes: https://pagure.io/freeipa/issue/9385
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ac78a84f by Florence Blanc-Renaud at 2023-06-21T20:50:59+02:00
Integration tests: add a test to ipa-server-upgrade

Add an integration test ensuring that the upgrade
properly updates the attributes to be excluded from
replication.

Related: https://pagure.io/freeipa/issue/9385
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
67a33e5a by Florence Blanc-Renaud at 2023-06-21T21:08:17+02:00
Uninstaller: uninstall PKI before shutting down services

The uninstaller is stopping all the services before
calling pkidestroy to uninstall the CA.
With PKI 11.4+ this sequence fails as pkidestroy tries
to connect to PKI server in order to unregister from the
security domain. The error interrupts the full completion
of pkidestroy, is logged but doesn't make ipa uninstallation
fail.
The issue is that trying to re-install later on would fail because
pkidestroy did not completely uninstall the CA.

To avoid this, call pkidestroy before shutting down the services.
Also add an uninstall_check method that restarts IPA if it is
not running, and use pkidestroy --force to make sure that PKI
is uninstalled even if restart failed.

Fixes: https://pagure.io/freeipa/issue/9330

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
6c84ae5c by Florence Blanc-Renaud at 2023-06-21T21:08:17+02:00
Detection of PKI subsystem

In order to know if ca/kra is installed locally, the code
is calling pki-server subsystem-show _subsystem_
and ensures that "Enabled: True" is in the output.

If a subsystem fails to start, the command returns
"Enabled: False" but it doesn't mean that the subsystem
is not installed, it just means that it is not active
right now.
Same output if the subsystem has been disabled with
pki-server subsystem-disable _subsystem_.

The correct way to check if a subsystem is installed is to
ensure that subsystem-show does not exit on error and
contains "Enabled: ", whatever the value.

Related: https://pagure.io/freeipa/issue/9330

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
f1ed46eb by Rob Crittenden at 2023-06-22T14:45:59-04:00
Differentiate location meaning between host and server

A host uses Location (nshostlocation) as an optional hint where
a host may physically be located (e.g. Lab 2). This will result in
an attribute in the host entry like:
nshostlocation: Lab 2

A server uses location (ipalocation) to identify which DNS location
the server is part of (e.g. prague). This will result in an attribute
in the server entry like:
ipalocation: idnsname=prague,cn=locations,cn=etc,dc=example,dc=test

They are completely different animals.

https://pagure.io/freeipa/issue/9317

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>

- - - - -
8de6405b by Florence Blanc-Renaud at 2023-06-28T09:10:51+02:00
tests: fix backup-restore scenario with replica

The test TestBackupAndRestoreWithReplica is simulating a
master crash in order to check the behavior after ipa-restore.

Since commit 67a33e5, the uninstaller restarts the services in
order to unregister the server from PKI security domain. An
indirect consequence is that master/replica communication is re-
established and operations removing entries (done by the uninstaller)
are replicated to the replica.
This means that the scenario does not really simulate a server crash.

To make sure that no replication happens during this "crash", stop
the replica first, then uninstall the master, and finally restart
the replica before calling the ipa-restore command on the master.

Fixes: https://pagure.io/freeipa/issue/9404

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ce9346e7 by Florence Blanc-Renaud at 2023-06-28T09:28:19+02:00
ipatests: use dnf download to download pkgs

The tasks.download_packages method is using
dnf install --downloaddir PATH --downloadonly
but the option --downloaddir does not exist any more with
dnf5 that is shipped in rawhide.

An alternative is to use
dnf download
which downloads to the current directory. This alternative
works for both dnf and dnf5.

Fixes: https://pagure.io/freeipa/issue/9399

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7060e3a0 by Florence Blanc-Renaud at 2023-06-28T17:28:41+02:00
OTP: fix data type to avoid endianness issue

When 389-ds processes an OTP authentication, the ipa-pwd-extop
plugin reads a buffer to extract the authentication type.
The type is stored in an int but the data is a ber_tag_t.

On big endian machines the type cast does not cause any issue
but on s390x the buffer that should return 128 is seen as 0.

As a consequence, the plugin considers that the method is not
LDAP_AUTH_SIMPLE and exits early, without processing the OTP.

The fix is simple and consists in using the right type
(ber_tag_t is an unsigned long).

Fixes: https://pagure.io/freeipa/issue/9402

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
4a3e3efb by Erik Belko at 2023-07-04T15:49:04+02:00
test: add tests for descriptive error message in ipa user-add

Add tests for renaming existing user and group with invalid name or only numeric name,
add numeric-only stage user, rename some functions and fix indentation
Related: https://pagure.io/freeipa/issue/9378

Signed-off-by: Erik Belko <ebelko at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
00c0a62a by Mohammad Rizwan at 2023-07-05T14:48:52-04:00
ipatests: enable firewall rule for http service on acme client

When system hardening is done, i.e. in case of STIG, sometimes http challenges
can't be validated by the CA if port 80 is not open. This fix enables it to facilitate
the communication.

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
d2ed490f by Miro Hrončok at 2023-07-19T08:27:30+02:00
Use ssl.match_hostname from urllib3 as it was removed from Python 3.12

Based on upstream freeipa rawhide patch by Miro Hrončok

See https://github.com/python/cpython/pull/94224#issuecomment-1621097418

Fixes: https://pagure.io/freeipa/issue/9409

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Miro Hroncok <miro at hroncok.cz>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f57a7dbf by Florence Blanc-Renaud at 2023-07-19T16:59:25-04:00
User plugin: improve error related to non existing idp

The user and stageuser commands return the following error
when the user is created/updated with a non existing idp:
$ ipa user-add testuser --first test --last user --idp dummy
ipa: ERROR: no such entry

The error is not descriptive enough and has been modified to
display instead:
$ ipa user-add testuser --first test --last user --idp dummy
ipa: ERROR: External IdP configuration dummy not found

Fixes: https://pagure.io/freeipa/issue/9416

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7517e2ce by Florence Blanc-Renaud at 2023-07-19T16:59:25-04:00
xmlrpc tests: add a test for user plugin with non-existing idp

Add new tests checking the error returned for
ipa user-add ... --idp nonexistingidp
ipa user-mod ... --idp nonexistingidp
ipa stageuser-add ... --idp nonexistingidp
ipa stageuser-mod ... --idp nonexistingidp

The expected error message is:
ipa: ERROR: External IdP configuration nonexistingidp not found

Related: https://pagure.io/freeipa/issue/9416

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a78c47b2 by Rafael Guterres Jeffman at 2023-07-25T09:48:37-04:00
selinux: Update SELinux policy

SELinux local policies updated due to AVCs found in upstream tests:

- ipa-dnskey_t: dev_read_sysfs
- ipa_ods_exporter_t: dev_read_sysfs
- ipa_helper_t: dev_read_sysfs
- ipa_custodia_t: allow setopt self:tcp_socket

Fixes: https://pagure.io/freeipa/issue/9386

Signed-off-by: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
fcad9c9a by Simon Nussbaum at 2023-07-26T09:01:37-04:00
component: mail_from_realname config setting added to IPA-EPN

Adding mail_from_realname setting to configuration so that the real name of the sender of the password expiration notification can be customized. This addition does not affect existing configurations.

Fixes: https://pagure.io/freeipa/issue/9336

Signed-off-by: Simon Nussbaum <simon.nussbaum at adfinis.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7c5ee21a by Florence Blanc-Renaud at 2023-07-28T08:03:55+02:00
ipatests: update expected cksum for epn.conf

The test test_epn.py::TestEPN::test_EPN_config_file ensures that
/etc/ipa/epn.conf is installed and compares its checksum with an
expected value.
Commit fcad9c9 has changed the content of the file and the cksum
must be updated to reflect the new content.

Fixes: https://pagure.io/freeipa/issue/9419

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
089907b4 by Rob Crittenden at 2023-07-31T18:04:40+02:00
Fix memory leak in the OTP last token plugin

Three memory leaks are addressed:

1. String values retrieved from the pblock need to be manually
freed.

2. The list of objectclasses retrieved from the pblock needs to be
freed.

3. Internal search results need to be freed.

Fixes: https://pagure.io/freeipa/issue/9403

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c84c59c6 by Julien Rische at 2023-08-01T13:31:09+02:00
ipa-kdb: fix error handling of is_master_host()

Adding proper error handling to the is_master_host() function to allow
it to make the difference between the absence of a master host object
and a connection failure. This will keep the krb5kdc daemon from
continuing to run with a NULL LDAP context.

Fixes: https://pagure.io/freeipa/issue/9422

Signed-off-by: Julien Rische <jrische at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
69e43974 by Alexander Bokovoy at 2023-08-01T13:41:59+02:00
idp: when adding an IdP allow to override IdP options

Use of 'ipa idp-add --provider' was supposed to allow override scope and
other IdP options. The defaults are provided by the IdP template and
were actually not overridden. Fix this.

Fixes: https://pagure.io/freeipa/issue/9421
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
dea35922 by Rob Crittenden at 2023-08-01T13:47:56+02:00
Prevent the admin user from being deleted

admin is required for trust operations.

Note that testing for removing the last member is now
irrelevant because admin must always exist so the test
for it was removed, but the code check remains. It is done
after the protected member check.

Fixes: https://pagure.io/freeipa/issue/8878

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e49ec104 by Florence Blanc-Renaud at 2023-08-08T12:53:09+02:00
ipatests: update expected webui msg for admin deletion

The deletion of the admin is now forbidden (even if it is
not the last member of the admins group) and the error
message has changed from "admin cannot be deleted or
disabled because it is the last member of group admins"
to " user admin cannot be deleted/modified: privileged user".

Update the expected message in the webui test.

Related: https://pagure.io/freeipa/issue/8878

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
bbb53a12 by Mohammad Rizwan at 2023-08-09T18:28:52+02:00
ipatests: remove fixture call and wait to get things settle

The system date is moved in order to expire the certs. Sometimes it
is observed that a subsequent operation fails with a 500 error for the CA,
hence restart the services after moving the date and wait for some time
to let things settle.

Also the test was calling a fixture which is not required for it, hence
removed it as well.

Fixes: https://pagure.io/freeipa/issue/9348

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
09497d2d by Alexander Bokovoy at 2023-08-09T18:31:03+02:00
python 3.12: utcnow function is deprecated

The following warning is displayed on a system running with Python 3.12:
-------------------
/usr/lib/python3.12/site-packages/ipalib/rpc.py:925: DeprecationWarning:
datetime.utcnow() is deprecated and scheduled for removal in a future
version. Use timezone-aware objects to represent datetimes in UTC:
datetime.now(datetime.UTC).

  timestamp=datetime.datetime.utcnow())
-------------------

Fixes: https://pagure.io/freeipa/issue/9425
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
8173e5df by Alexander Bokovoy at 2023-08-09T18:31:03+02:00
ipa-epn: don't use too general exception

When modifying ipa-epn code, a warning was issued:

--------------
Python 3.11.4 (main, Jun  7 2023, 00:00:00) [GCC 13.1.1 20230511 (Red Hat 13.1.1-2)]
************* Module ipaclient.install.ipa_epn
ipaclient/install/ipa_epn.py:89: [W0719(broad-exception-raised), drop_privileges] Raising too general exception: Exception)
--------------

Use 'RequiresRoot' exception class and clarify the message:
    ipalib.errors.RequiresRoot: Cannot drop privileges!

Related: https://pagure.io/freeipa/issue/9425

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
cfc4f47a by Endi S. Dewata at 2023-08-11T09:56:33+02:00
Remove unused subsystem.count

The subsystem.count param has actually been removed since
PKI 10.10 so it doesn't need to be set in renew_ca_cert.in.

Signed-off-by: Endi Sukma Dewata <edewata at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7233944e by Endi S. Dewata at 2023-08-11T09:57:31+02:00
Add pki_share_dbuser_dn for CA

In the future the default value for pki_share_dbuser_dn might
change. To ensure that CA and KRA in IPA will use the same
database user, the pki_share_dbuser_dn needs to be defined
for CA to match the same param for KRA.

Signed-off-by: Endi Sukma Dewata <edewata at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a9ee2ade by Endi S. Dewata at 2023-08-11T09:58:17+02:00
Remove non-existent default pki_cert_chain_path

In the future pkispawn will validate all path params so the
default value for pki_cert_chain_path needs to be removed
since it points to a non-existent file. When the param is
actually used (e.g. for installing with an external CA)
CAInstance.__spawn_instance() will configure the param to
point to the actual cert chain.

Signed-off-by: Endi Sukma Dewata <edewata at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
8e142bc1 by Sudhir Menon at 2023-08-14T09:55:42+02:00
ipatests: idm api related tests.

IDM API related tests are automated in the
above PR
Ref: https://freeipa.readthedocs.io/en/latest/api/basic_usage.html

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
6f5fe80d by Florence Blanc-Renaud at 2023-08-14T09:58:05+02:00
ipatests: fix test_topology

The test TestTopologyOptions::test_add_remove_segment is
randomly failing downstream. Test scenario:
- create a line topology master <-> repl1 <-> repl2
- create user on master
- wait for repl success on master
- check that the user is seen on repl2

The test waits for replication to complete on the master but
it should also wait for the replication to complete on repl1
before checking the user presence on repl2.

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>

- - - - -
33c2740d by Endi S. Dewata at 2023-08-15T12:00:09-04:00
Remove default values for pki_ca_signing_*_path

In the future pkispawn will validate all path params so the
default values for pki_ca_signing_csr_path and
pki_ca_signing_cert_path need to be removed since they point
to non-existent files. When the params are actually used for
installing an external CA, CAInstance.__spawn_instance()
will initialize them with the correct paths.

Signed-off-by: Endi Sukma Dewata <edewata at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a6f01115 by Florence Blanc-Renaud at 2023-08-16T11:33:32+02:00
ipatests: fixture can produce IndexError

The fixture issue_and_expire_acme_cert returns a function
that fills the hosts array. If the function is not called in
the test (for instance because a test is skipped, as in
TestACMEPrune::test_prune_cert_search_size_limit), hosts = []
and hosts[0] raises an IndexError.

Fix the fixture to check first that hosts is not empty.

Related: https://pagure.io/freeipa/issue/9348

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
7796b7b9 by Florence Blanc-Renaud at 2023-08-16T14:43:55+02:00
Installer: activate nss and pam services in sssd.conf

If there is already a sssd.conf file before the installer is
executed, the nss and pam services may not be enabled by the
installer. This happens for instance if the machine is hardened
for STIG and sssd.conf does not define services=... in the
[sssd] section.

The consequence is that trust cannot be established with an AD
domain.

The installer must enable nss and pam services even if there is
a pre-existing sssd.conf file.

Fixes: https://pagure.io/freeipa/issue/9427

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
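The fix described above, as an added illustration that is not the installer's own code: ensure `nss` and `pam` appear in the `services` key of the `[sssd]` section even when a (hardened) `sssd.conf` already exists. The sample config is constructed; it assumes the file is plain INI that `configparser` can round-trip.

```python
"""Ensure nss and pam are enabled in an existing sssd.conf (added example)."""
import configparser
import io

REQUIRED_SERVICES = ("nss", "pam")

# Constructed sample: a STIG-style sssd.conf whose [sssd] section defines
# no services=... line, the case that broke AD trust establishment.
HARDENED_SSSD_CONF = """[sssd]
domains = example.test
config_file_version = 2

[domain/example.test]
id_provider = ipa
ipa_domain = example.test
"""


def _split_services(raw):
    return [s.strip() for s in raw.split(",") if s.strip()]


def services_of(conf_text):
    """Return the services list from the [sssd] section (empty if unset)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return _split_services(parser.get("sssd", "services", fallback=""))


def ensure_services(conf_text, required=REQUIRED_SERVICES):
    """Return (new_text, changed).

    Services already listed are kept in their original order; required
    services that are missing are appended. A pre-existing file without
    a [sssd] section gets one, since the key has to live there.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # sssd option names are case-sensitive; keep them
    parser.read_string(conf_text)
    if not parser.has_section("sssd"):
        parser.add_section("sssd")
    current = _split_services(parser.get("sssd", "services", fallback=""))
    missing = [s for s in required if s not in current]
    if not missing:
        return conf_text, False
    parser.set("sssd", "services", ", ".join(current + missing))
    out = io.StringIO()
    parser.write(out)
    return out.getvalue(), True


if __name__ == "__main__":
    text, changed = ensure_services(HARDENED_SSSD_CONF)
    print(changed, services_of(text))
```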

- - - - -
59e68f79 by Florence Blanc-Renaud at 2023-08-17T14:28:26+02:00
ipa-epn: include timezone info

ipa-epn is using timezone-aware timestamps for "now"
but converts krbpasswordexpiration attribute into
a naive datetime object that is missing the tzinfo.

It is not possible to subtract timezone-aware and
naive values. Convert the krbpasswordexpiration attribute
into a UTC value before doing the subtraction.

Related: https://pagure.io/freeipa/issue/9425

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0f16b72b by Florence Blanc-Renaud at 2023-08-17T14:28:26+02:00
ipa-cert-fix: use timezone-aware datetime

ipa-cert-fix compares the current datetime with the
value obtained from a cert.not_valid_after.
With the fix for #9425, not_valid_after is timezone
aware and cannot be compared to a naive datetime.

Make the datetime "now" timezone aware.
Related: https://pagure.io/freeipa/issue/9425

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
33549183 by Florence Blanc-Renaud at 2023-08-17T14:28:26+02:00
ipa-server-guard: make the lock timezone aware

ipa-server-guard reads a lock file in order to
check if the lock is still taken by comparing
the stored value, for instance:
expire = 20230810155452589311
with the current datetime.

The expire value needs to be timezone-aware in
order to be compared with "now" which is also tz aware.

Related: https://pagure.io/freeipa/issue/9425

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
82b129fe by Rafael Guterres Jeffman at 2023-08-21T10:41:57+02:00
Fix typo in "Subordinate ID Selfservice User" role

The description of "Subordinate ID Selfservice User" role had
'subordiante' instead of 'subordinate'.

This patch corrects the default value and adds a replace to fix
existing deployments.

Related: https://pagure.io/freeipa/issue/9418

Signed-off-by: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
d98d5e47 by Rob Crittenden at 2023-08-21T10:49:06+02:00
Remove all references to deleted indirect map from parent map

An attempt to do this was already coded but the wrong
argument was used. It was passing in the location name and
not the map name so the map wouldn't be completely removed.

Include a test to verify that the map is gone after removing
it by calling automountlocation-tofiles which will fail if the
map wasn't properly removed.

Fixes: https://pagure.io/freeipa/issue/9397

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
73c8aa4d by Antonio Torres at 2023-08-21T14:55:59+02:00
Update translations to FreeIPA master state

Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -
d5ae5e18 by Antonio Torres at 2023-08-21T14:57:34+02:00
Update list of contributors

Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -
ef955c90 by Alexander Bokovoy at 2023-08-21T16:28:04+02:00
support more DateTime attributes in LDAP searches in IPA API

LDAPSearch class constructs a filter from a set of attributes and their
values passed in by the command. During this construction process a
limited set of attributes gets converted to a special form, the rest is
simply taken as a string and escaped according to LDAP rules.

This means DateTime class would simply be converted to string using
str(DateTime) and that uses default formatting method. For LDAP we need
to apply a specific formatting method instead.

The following LDAP attributes are now handled as datetime.datetime:

 ( 1.3.6.1.4.1.5322.21.2.5 NAME 'krbLastAdminUnlock' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
 ( 2.16.840.1.113719.1.301.4.6.1 NAME 'krbPrincipalExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
 ( 2.16.840.1.113719.1.301.4.37.1 NAME 'krbPasswordExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
 ( 2.16.840.1.113719.1.301.4.45.1 NAME 'krbLastPwdChange' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
 ( 2.16.840.1.113719.1.301.4.48.1 NAME 'krbLastSuccessfulAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
 ( 2.16.840.1.113719.1.301.4.49.1 NAME 'krbLastFailedAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
 ( 2.16.840.1.113730.3.8.16.1.3  NAME 'ipatokenNotBefore' DESC 'Token validity date' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA OTP')
 ( 2.16.840.1.113730.3.8.16.1.4  NAME 'ipatokenNotAfter' DESC 'Token expiration date' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA OTP')

Fixes: https://pagure.io/freeipa/issue/9395

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Antonio Torres <antorres at redhat.com>
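The formatting problem the commit above describes, as an added illustration (not FreeIPA's `LDAPSearch` code): a `datetime` rendered with `str()` is not a valid GeneralizedTime filter value, so attributes with that syntax (the list below is taken from the schema entries in the commit message) are rendered as `YYYYMMDDHHMMSSZ` while every other value gets RFC 4515 escaping. The `build_filter`/`rules` interface is this example's own assumption.

```python
"""Render datetime values as LDAP GeneralizedTime in search filters (added example)."""
from datetime import datetime, timezone

# Attributes with generalizedTime syntax (1.3.6.1.4.1.1466.115.121.1.24),
# per the schema lines quoted in the commit message.
DATETIME_ATTRS = frozenset(a.lower() for a in (
    "krbLastAdminUnlock", "krbPrincipalExpiration", "krbPasswordExpiration",
    "krbLastPwdChange", "krbLastSuccessfulAuth", "krbLastFailedAuth",
    "ipatokenNotBefore", "ipatokenNotAfter",
))

# RFC 4515: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def parse_iso(text):
    """Helper for constructing sample values, e.g. '2023-10-18T12:00:00+00:00'."""
    return datetime.fromisoformat(text)


def escape_filter_value(value):
    """Generic path: str() the value and escape filter metacharacters.
    For a datetime this yields '2023-10-18 12:00:00+00:00', which no
    generalizedTimeMatch rule will accept; that is the bug being fixed."""
    return "".join(_ESCAPES.get(ch, ch) for ch in str(value))


def to_generalized_time(dt):
    """Render as YYYYMMDDHHMMSSZ; aware values are converted to UTC first,
    naive values are assumed to already be UTC."""
    if dt.tzinfo is not None:
        dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y%m%d%H%M%SZ")


def format_value(attr, value):
    if attr.lower() in DATETIME_ATTRS and isinstance(value, datetime):
        return to_generalized_time(value)
    return escape_filter_value(value)


def build_filter(attrs, rules=None):
    """AND-filter from {attr: value}; `rules` maps attr -> '=', '>=' or '<='."""
    rules = rules or {}
    parts = ["(%s%s%s)" % (attr, rules.get(attr, "="), format_value(attr, value))
             for attr, value in attrs.items()]
    return parts[0] if len(parts) == 1 else "(&%s)" % "".join(parts)


if __name__ == "__main__":
    # constructed sample: users whose password expired before a cutoff
    cutoff = parse_iso("2023-10-18T12:00:00+00:00")
    print(escape_filter_value(cutoff))  # what str() would have produced
    print(build_filter({"uid": "*", "krbPasswordExpiration": cutoff},
                       {"krbPasswordExpiration": "<="}))
```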

- - - - -
cb351476 by Antonio Torres at 2023-08-21T16:45:13+02:00
Become IPA 4.11.0beta1

Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -
4b1c5a5a by Antonio Torres at 2023-08-21T16:55:10+02:00
Back to git snapshots

Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -
b13b8fbb by Mohammad Rizwan at 2023-08-24T11:12:56-04:00
ipatests: accommodate DST in ACME cert expiry

There is a one hour time difference in the expiry of an ACME cert if
the certificate is issued while daylight saving time is in effect and
expires after DST ends. For 2023 daylight saving time starts on
Sunday 12 March and ends on Sunday 5 November. Every certificate
which is expiring after November 5th will have a 1 hour difference in
expiry.

The fix is to use 90 days + 2 hours to expire the cert.

Fixes: https://pagure.io/freeipa/issue/9428

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
0b870694 by Rob Crittenden at 2023-08-28T13:40:39-04:00
Use the PKI REST API wherever possible instead of XML

The XML API is already deprecated and will be removed in some
future release.

All but the updateCRL API has an equivalent in REST. The upstream
dogtag project documents most of the API at
https://github.com/dogtagpki/pki/wiki/REST-API . I say most
because not every API includes sample input/output. The
pki ca-cert command is a good substitute for seeing how the API
is used by their own tooling.

This changes no pre-existing conventions. All serial numbers are
converted to decimal prior to transmission and are treated as
strings to avoid previous limitations with sizing (which would
have been exacerbated by random serial numbers).

Fixes: https://pagure.io/freeipa/issue/9345

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
37b433d4 by Rob Crittenden at 2023-08-28T13:40:39-04:00
Adjust test to handle revocation reason REMOVE_FROM_CRL

The dogtag REST API has a change of behavior regarding
revocation reason 8, REMOVE_FROM_CRL. The XML interface
accepts it blindly and marks the certificate as revoked.

This is complicated within RFC 5280 but the gist is that
it only affects a certificate on hold and only for delta
CRLs.

So this modifies the behavior of revocation 8 so that
the certificate is put on hold (6) first.

Fixes: https://pagure.io/freeipa/issue/9345

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
f16b6e3e by Florence Blanc-Renaud at 2023-09-01T13:20:34-04:00
idp: add the ipaidpuser objectclass when needed

The ipaidpuser objectclass is required for the attribute ipaidpsub.
When a user is created or modified with --idp-user-id, the operation
must ensure that the objectclass is added if missing.

Add a test for user creation and user modification with --idp-user-id.
Fixes: https://pagure.io/freeipa/issue/9433

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
3f874eec by Viktor Ashirov at 2023-09-11T09:17:41+02:00
BDB tuning should be applied only when BDB backend is used

389DS supports BDB and LMDB backends. FreeIPA installation fails with
LMDB backend since it tries to apply tuning for BDB backend.

Instead, tuning for BDB should be applied only when 389DS uses BDB
backend.

Fixes: https://pagure.io/freeipa/issue/9435

Signed-off-by: Viktor Ashirov <vashirov at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
47463294 by Antonio Torres at 2023-09-11T17:52:31+02:00
ipatests: rename 'ipatuura' directory to 'scim' in bridge tests

A recent commit [1] in ipa-tuura project renamed the 'ipatuura' django app
to 'scim'. Change it in IPA side as well to fix tests.

[1]: https://github.com/freeipa/ipa-tuura/commit/f12592cea496818af782f953e0e9643c9ea440b5

Fixes: https://pagure.io/freeipa/issue/9447

Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
fc9b527d by Alexander Bokovoy at 2023-09-12T13:36:17+02:00
updates: add ACIs for RBCD self-management

Fixes: https://pagure.io/freeipa/issue/9354

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>

- - - - -
f7422b78 by Alexandra Nikandrova at 2023-09-13T11:23:59+02:00
doc: typo in basic_usage.md

Reviewed-By: Antonio Torres <antorres at redhat.com>

- - - - -
d62be1da by Alexander Bokovoy at 2023-09-14T13:08:29+02:00
ipa-client-install: enable SELinux for SSSD

For passkeys (FIDO2) support, SSSD uses libfido2 library which needs
access to USB devices. Add SELinux booleans handling to ipa-client-install
so that correct SELinux booleans can be enabled and disabled during
install and uninstall. Ignore and record a warning when SELinux policy
does not support the boolean.

Fixes: https://pagure.io/freeipa/issue/9434

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
2220f723 by Alexander Bokovoy at 2023-09-14T13:08:29+02:00
Restore selinux states if they exist at uninstall time

Related: https://pagure.io/freeipa/issue/9434

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
54a251bc by Rob Crittenden at 2023-09-15T13:53:12+02:00
Configure affinity during server installation

Write a new krb5.conf in case any values changed finding the
right server to configure against (e.g. for CA, KRA) and
ensure the API connection is to the remote server that
will be installed against.

When finding a CA or KRA during initial replica installation
set the remote master as well. The order is:

 - existing server value in /etc/ipa/default.conf
 - the chosen CA host if the server doesn't provide one
 - the chosen KRA host if the server doesn't provide one

This is more or less hierarchical. If a server is provided
then that is considered first. If it provides all the
optional services needed (CA and/or KRA) then it will
be used. Otherwise it will fall back to a server that provides
all the required services.

In short, providing --server either at client install or
with ipa-replica-install is no guarantee that it will
define all topology. This may be unexpected behavior.

For the case of adding a CA or KRA things are effectively
unchanged. This type of install does not appear to be
impacted by affinity issues.

Fixes: https://pagure.io/freeipa/issue/9289

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
169f9abb by Rob Crittenden at 2023-09-15T13:53:12+02:00
Don't assume KRB5CCNAME is in the environment in replica install

The replica install was unilaterally removing KRB5CCNAME from
os.environ in some cases. Instead check first to see if it is
present and only remove in that case.

Fixes: https://pagure.io/freeipa/issue/9446

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
637ccae0 by Alexander Bokovoy at 2023-09-19T08:05:42+02:00
Allow ipa-otpd to access USB devices for passkeys

Main SELinux policy will allow transition of passkey_child (SSSD) to
ipa_otpd_t context to perform FIDO2 operations with USB devices.
This means ipa-otpd will need to be able to read data from sysfs and
connect to USB devices.

Add required permissions to IPA subpolicy as well. See rhbz#2238224 for
discussion.

Related: https://pagure.io/freeipa/issue/9434

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Zdenek Pytela <zpytela at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
bc9385d1 by Christian Heimes at 2023-09-19T13:46:10+02:00
Use find_spec() in meta importer

The `find_module()` method of meta importers has been deprecated for a
long time. Python 3.12 no longer falls back to `find_module()`.

See: https://docs.python.org/3.12/whatsnew/3.12.html#removed
Related: https://pagure.io/freeipa/issue/9437
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
9c10d7ee by Mohammad Rizwan at 2023-09-19T13:48:07+02:00
ipatests: restart ipa services after moving date

When the system date is moved into the future, it has unprecedented
behavior, i.e. the CA becomes unresponsive or the certificate state
is unexpected. Hence restart the ipa services after moving the date to
gracefully serve the requests.

Fixes: https://pagure.io/freeipa/issue/9379

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
fd01b234 by Francisco Trivino at 2023-09-26T16:48:39+02:00
Workshop: fix broken Sphinx cross-references.

Many of the workshop page links direct to URLs that end with
".rst" instead of ".html"; as a result, these links are broken.

This commit introduces explicit targets and references to ensure that
the pages are correctly linked.

Signed-off-by: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
305912e4 by Alexander Bokovoy at 2023-10-02T17:39:50-04:00
Use datetime.timezone.utc instead of newer datetime.UTC alias

datetime.UTC alias was added in Python 3.11:
https://docs.python.org/3/library/datetime.html#datetime.UTC

datetime.timezone.utc was present since Python 3.2.

Since RHEL 9 is using Python 3.9, use the more compatible variant.

Fixes: https://pagure.io/freeipa/issue/9454

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
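The timezone handling that the commit above and the earlier ones for ipa-epn, ipa-cert-fix, ipa-server-guard and the `utcnow()` deprecation describe, as an added illustration (not FreeIPA's own code). It assumes the ipa-server-guard lock stores `expire` as a 20-digit UTC `YYYYMMDDHHMMSSffffff` string (the sample value is the one quoted in that commit message) and that `krbPasswordExpiration` arrives as a naive datetime already in UTC.

```python
"""Timezone-aware replacements for naive datetime handling (added example)."""
from datetime import datetime, timezone

# datetime.timezone.utc rather than datetime.UTC: the alias only exists on
# Python 3.11+, while timezone.utc has been there since 3.2 (RHEL 9 ships 3.9).
UTC = timezone.utc

# Assumed lock-file layout: 20230810155452589311 -> 2023-08-10 15:54:52.589311 UTC
LOCK_FORMAT = "%Y%m%d%H%M%S%f"


def utc_now():
    """Replacement for the deprecated datetime.utcnow(): aware, not naive."""
    return datetime.now(UTC)


def parse_lock_expire(value):
    """Parse the ipa-server-guard 'expire' value into an aware UTC datetime."""
    naive = datetime.strptime(value, LOCK_FORMAT)
    return naive.replace(tzinfo=UTC)


def lock_is_held(expire_value, now=None):
    """True while the stored expiry lies in the future (both sides aware)."""
    now = now if now is not None else utc_now()
    return parse_lock_expire(expire_value) > now


def to_utc(value):
    """Make a naive datetime aware, interpreting it as UTC; convert an aware
    one to UTC. This is the step ipa-epn needs before subtracting
    krbPasswordExpiration from an aware 'now'."""
    if value.tzinfo is None:
        return value.replace(tzinfo=UTC)
    return value.astimezone(UTC)


def days_until_expiration(krb_password_expiration, now=None):
    """Whole days until the password expires; negative once it has expired."""
    now = now if now is not None else utc_now()
    return (to_utc(krb_password_expiration) - now).days


def naive_minus_aware_fails(naive, aware):
    """Shows the failure the commits fix: naive - aware raises TypeError."""
    try:
        naive - aware
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    # constructed 'now' so the run is reproducible
    now = parse_lock_expire("20230810150000000000")
    print(lock_is_held("20230810155452589311", now))
    print(days_until_expiration(datetime(2023, 8, 20, 15, 0, 0), now))
    print(naive_minus_aware_fails(datetime(2023, 8, 20), now))
```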

- - - - -
ed094e11 by Christian Heimes at 2023-10-02T17:40:57-04:00
Add context manager to ipalib.API

`ipalib.API` instances like `ipalib.api` now provide a context manager
that connects and disconnects the API object. Users no longer have to
deal with different types of backends or finalize the API correctly.

```python
import ipalib

# The ipalib command namespace is api.Command (not api.Commands).
with ipalib.api as api:
    api.Command.ping()
```

See: https://pagure.io/freeipa/issue/9443
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
cb14a30a by Florence Blanc-Renaud at 2023-10-02T17:44:23-04:00
Covscan issues: deadcode and Use after free

Covscan detected an unused value in ipa_kdb_principals.c
and a use-after-free in ipa-print-pac.c.

Fixes: https://pagure.io/freeipa/issue/9431

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f35d168f by Antonio Torres at 2023-10-03T14:40:40+02:00
Update translations to FreeIPA ipa-4-11 state

Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -
50c555c5 by Antonio Torres at 2023-10-03T14:43:19+02:00
Update contributors list

Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -
63f5e576 by Antonio Torres at 2023-10-03T14:45:56+02:00
Become IPA 4.11.0

Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -


30 changed files:

- .gitignore
- .wheelconstraints.in
- ACI.txt
- API.txt
- BUILD.txt
- Contributors.txt
- Makefile.am
- VERSION.m4
- client/ipa-join.c
- client/man/default.conf.5
- client/man/epn.conf.5
- client/man/ipa-client-install.1
- client/man/ipa.1
- client/share/epn.conf
- configure.ac
- contrib/lite-server.py
- contrib/lite-setup.py
- daemons/dnssec/ipa-dnskeysyncd.in
- daemons/ipa-kdb/ipa-print-pac.c
- daemons/ipa-kdb/ipa_kdb.c
- daemons/ipa-kdb/ipa_kdb.h
- daemons/ipa-kdb/ipa_kdb_certauth.c
- daemons/ipa-kdb/ipa_kdb_common.c
- daemons/ipa-kdb/ipa_kdb_delegation.c
- daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
- daemons/ipa-kdb/ipa_kdb_mspac.c
- daemons/ipa-kdb/ipa_kdb_mspac_private.h
- daemons/ipa-kdb/ipa_kdb_mspac_v6.c
- daemons/ipa-kdb/ipa_kdb_mspac_v9.c
- daemons/ipa-kdb/ipa_kdb_principals.c


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/-/compare/2fd9cbbe4492ec5dec06c36ce315c43120ef5fca...63f5e576856d339a408c170461604f271cd03a5d
