<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>
<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<h3>
Timo Aaltonen pushed to branch upstream
at <a href="https://salsa.debian.org/freeipa-team/freeipa">FreeIPA packaging / freeipa</a>
</h3>
<h4>
Commits:
</h4>
<ul>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5431dd9706253ea7cd75f62f5cd387bbf25ac878">5431dd97</a></strong>
<div>
<span>by Armando Neto</span>
<i>at 2019-12-14T11:52:38-03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Improve test_commands reliability
Sometimes ssh command gets stuck, running manually without passing a command
to be executed this is returned:
```
$ ssh -o PasswordAuthentication=no -o IdentitiesOnly=yes \
-o StrictHostKeyChecking=no -l testsshuser \
-i /tmp/tmp.rQIT3KYScX master.ipa.test
Could not chdir to home directory /home/testsshuser: No such file or directory
```
This commit forces the homedir creation and adds a timeout to ssh.
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/21fb038c9bdfa05fa96ac2a0fc6f4cc1e74ce916">21fb038c</a></strong>
<div>
<span>by Dinesh Prasanth M K</span>
<i>at 2019-12-15T13:27:22+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Adding auto COPR builds
Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2c2cef7063315766d893b275185b422be3f3c019">2c2cef70</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2019-12-16T21:37:17+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DNS install check: Fix overlapping DNS zone from the master itself
The change to allow overlapping zone to be from the master itself has
introduced two issues: The check for the master itself should only executed
if options.force and options.allow_zone_overlap are both false and the
reverse zone check later on was still handling ValueError instead of
dnsutil.DNSZoneAlreadyExists.
Both issues have been fixed and the deployment with existing name servers
is properly working again.
Fixes: https://pagure.io/freeipa/issue/8150
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/011734279c37ca1e9a013694525563b4e77ace78">01173427</a></strong>
<div>
<span>by Armando Neto</span>
<i>at 2019-12-16T18:31:03-03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Skip test_sss_ssh_authorizedkeys method
Temporarily skipping test due to unknown time-outs happening regularly.
Issue: https://pagure.io/freeipa/issue/8151
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/44fca092ead0316084d68917032e28e5cbb20ad4">44fca092</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2019-12-17T14:37:20+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: assert_error: allow regexp match
Enhance the assert_error subroutine to provide regular expression
matching against the command's stderr output, in additional to
substring match.
Part of: https://pagure.io/freeipa/issue/8142
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d833b5ba607f79a495e0245722e8ccef7cefbd7a">d833b5ba</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2019-12-17T14:37:20+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix test regressions caused by certificate validation changes
Some integration tests (that were enabled in nightly CI but not
PR-CI) are failing due to changes in the error messages. Update the
error message assertions to get these tests going again.
Part of: https://pagure.io/freeipa/issue/8142
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/71a4d574bd94eda3cb7490a2254ce764fe9bcdb1">71a4d574</a></strong>
<div>
<span>by Anuja More</span>
<i>at 2019-12-17T15:19:05+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: filter_users should be applied correctly.
Added test which checks that no look up should
be added in data provider when users are added in
filter_users for doamin provider.
Related Ticket:
https://pagure.io/SSSD/sssd/issue/3978
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a8b52eaf3cf56c90e3d94fdef0b9e426052634ea">a8b52eaf</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2019-12-18T18:44:30+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Reset per-indicator Kerberos policy
When 'ipa krbtpolicy-reset' is called, we need to reset all policy
settings, including per-indicator ones. Per-indicator policy uses
subtyped attributes (foo;bar), the current krbtpolicy-reset code does
not deal with those.
Add support for per-indicator policy reset. It is a bit tricky, as we
need to drop the values to defaults but avoid adding non-per-indicator
variants of the same attributes.
Add test to check that policy has been resetted by observing a new
Kerberos TGT for the user after its policy reset.
Fixes: https://pagure.io/freeipa/issue/8153
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/acbd90d9fb16e76964d36b3d6e8e542a30631172">acbd90d9</a></strong>
<div>
<span>by Jayesh Garg</span>
<i>at 2019-12-19T14:47:16+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Test if ipactl starts services stopped by systemctl
This will first check if all services are running then it will stop
few service. After that it will restart all services and then check
the status and pid of services.It will also compare pid after ipactl
start and restart in case of start it will remain unchanged on the
other hand in case of restart it will change.
Signed-off-by: Jayesh Garg <jgarg@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/25310105da0540eb84b6d0ee4c30649750583703">25310105</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2019-12-20T14:47:54+11:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: add test for certinstall with notBefore in the future
Part of: https://pagure.io/freeipa/issue/8142
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/27a6920d50e5d63afbfc198e64885a2cd3fadc48">27a6920d</a></strong>
<div>
<span>by Anuja More</span>
<i>at 2019-12-20T18:47:55+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add integration test for otp kerberos ticket policy.
This also exercises the Authentication Indicator Kerberos ticket
policy options by testing a otp indicator type.
Related: https://pagure.io/freeipa/issue/8001
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/631054a1c9aff849378278f99722a8711d6bacf3">631054a1</a></strong>
<div>
<span>by Jayesh</span>
<i>at 2019-12-21T21:39:28+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Test ipa-getkeytab quiet mode, encryptons
This will first check ipa-getkeytab quiet mode,
then it will check ipa-getkeytab server name,
then it will check different type of encryptions
Signed-off-by: Jayesh <jgarg@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2b19749a3769bbac5f11aa901bf6291b6240dddb">2b19749a</a></strong>
<div>
<span>by Anuja More</span>
<i>at 2019-12-23T13:08:31+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix fedora version for xfail for sssd test
Test was failing in nightly_PR for ipa-4.7
As https://pagure.io/SSSD/sssd/issue/3978 is not available on
fedora-29
Signed-off-by: Anuja More <amore@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e3cff5d152fc36802f7ddfcd0730696e154d1b4c">e3cff5d1</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-01-06T10:58:27-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipaserver/plugins/dns.py: add "Dynamic Update" and "Bind update policy" to default dnszone* output
Displaying "Dynamic Update" and "Bind update policy" by default
when 'ipa dnszone-show/find' are used would make client dns update
failures easier to diagnose, so display them.
Fixes: https://pagure.io/freeipa/issue/7938
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/578bdce292c142b7fca6e237ccb3f5cec641e618">578bdce2</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-01-06T10:58:27-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: expect "Dynamic Update" and "Bind update policy" in default dnszone* output
Fix XMLRPC tests so that "Dynamic Update" and "Bind update policy"
can be displayed by default in many DNS commands' output.
Related to: https://pagure.io/freeipa/issue/7938
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e1ff95fc618f22886b505a8dbfdfa7651e1a3b9b">e1ff95fc</a></strong>
<div>
<span>by Jayesh</span>
<i>at 2020-01-07T11:58:29+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Test for ipa-ca-install on replica
Test on replica for ipa-ca-install with options
--no-host-dns,--skip-schema-check,done changes in
ipatests/pytest_ipa/integration/tasks.py because
wants to pass few arguments to install_ca method
Signed-off-by: Jayesh <jgarg@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4db18be5467c0b8f7633b281c724f469f907e573">4db18be5</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-01-13T13:08:19+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">AD user without override receive InternalServerError with API
When ipa commands are used by an Active Directory user that
does not have any idoverride-user set, they return the
following error message which can be misleading:
$ kinit aduser@ADDOMAIN.COM
$ ipa ping
ipa: ERROR: cannot connect to 'https://master.ipa.com/ipa/json': Internal Server Error
The fix properly handles ACIError exception received when
creating the context, and now the following message can be seen:
$ kinit aduser@ADDOMAIN.COM
$ ipa ping
ipa: ERROR: cannot connect to 'https://master.ipa.com/ipa/json': Unauthorized
with the following log in /var/log/httpd/error_log:
ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials
Fixes: https://pagure.io/freeipa/issue/8163
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/acbbc52999f8c7694d549b709bc8caea801dc94c">acbbc529</a></strong>
<div>
<span>by Anuja More</span>
<i>at 2020-01-13T16:39:42+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add xmlrpc test with input validation check for kerberos ticket policy.
This checks that valid/invalid inputs for subtypes of
authentication indicator kerberos ticket policy options.
Signed-off-by: Anuja More <amore@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3d7d58d8214f3c899c0afd1a3a6a6678f38b7b39">3d7d58d8</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-01-13T13:41:53-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit
A "cookie" is used with certmonger to track the state of a
request across multiple requests to a CA (in ca-cookie). This
is used with the certmonger POLL operation to submit a request
to the CA for the status of a certificate request. This, along
with the profile, are passed to the certmonger CA helper
scripts via environment variables when a request is made. It is
cleared from the certmonger request once the certificate is
issued.
This CA helper can do a number of things:
- SUBMIT new certicate requests (including the CA)
- POLL for status of an existing certificate request
- For non renewal masters, POLL to see if an updated cert is in
LDAP
A POLL operation requires a cookie so that the state about the
request can be passed to the CA. For the case of retrieving an
updated cert from LDAP there is no state to maintain. It just
checks LDAP and returns either a cert or WAIT_WITH_DELAY if one
is not yet available.
There are two kinds of cookies in operation here:
1. The CERTMONGER_CA_COOKIE environment variable passed via
certmonger to this helper which is a JSON object.
2. The cookie value within the JSON object which contains the
URL to be passed to dogtag.
For the purposes of clarity "cookie" here is the value within
the JSON.
The CERTMONGER_CA_COOKIE is deconstructed and reconstructed as
the request is processed, doing double duty. It initially comes
in as a JSON dict object with two keys: profile and cookie.
In call_handler the CERTMONGER_CA_COOKIE is decomposed into a
python object and the profile compared to the requested profile
(and request rejected if they don't match) and the cookie key
overrides the CERTMONGER_CA_COOKIE environment variable. This is
then reversed at the end of the request when it again becomes a
JSON object containing the profile and cookie.
This script was previously enforcing that a cookie be available on
all POLL requests, whether it is actually required or not. This
patch relaxes that requirement.
The first request of a non-renewal master for an updated certicate
from LDAP is a SUBMIT operation. This is significant because it
doesn't require a cookie: there is no state on a new request. If
there is no updated cert in LDAP then the tracking request goes
into the CA_WORKING state and certmonger will wait 8 hours (as
returned by this script) and try again.
Subsequent requests are done using POLL. This required a cookie
so all such requests would fail with the ca-error
Invalid cookie: u'' as it was empty (because there is no state).
There is no need to fail early on a missing cookie. Enforcement
will be done later if needed (and it isn't always needed). So
if CERTMONGER_CA_COOKIE is an empty string then generate a new
CERTMONGER_CA_COOKIE containing the requested profile and an empty
cookie. It still will fail if certmonger doesn't set a cookie at
all.
An example of a cookie when retrieving a new RA Agent certificate
is:
{"profile": "caServerCert", "cookie": "state=retrieve&requestId=20"}
This will result in this request to the CA:
[09/Jan/2020:14:29:54 -0500] "GET
/ca/ee/ca/displayCertFromRequest?requestId=20&importCert=true&xml=true
HTTP/1.1" 200 9857
For a renewal, the reconstructed cookie will consist of:
{"profile": "caServerCert", "cookie": ""}
https://pagure.io/freeipa/issue/8164
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1b7cf51e292b917a18ec7959708cb62ceddd44b7">1b7cf51e</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-01-15T09:54:13+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: fix backup and restore
The tests for backup_and_restore check that the ipa-backup command
compresses the tar file AFTER restarting IPA services by reading the
output and looking for a pattern with "gzip" before "Starting IPA service."
As the tar file name is randomly created, it sometimes happen that the
name contains gzip and in this case the test wrongly assumes that
the gzip cmd was called.
The fix makes a stricter comparison, looking for /bin/gzip.
Fixes: https://pagure.io/freeipa/issue/8170
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/86a8d9480aa402f885c72ccbcfeeb2bac488f268">86a8d948</a></strong>
<div>
<span>by Robbie Harwood</span>
<i>at 2020-01-16T08:46:28+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Make the coding style explicit
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/01c1b270cd83ab6573dc0a502ac37d0182503c3d">01c1b270</a></strong>
<div>
<span>by Robbie Harwood</span>
<i>at 2020-01-16T08:46:28+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use separate variable for client fetch in kdcpolicy
`client` is not intended to be modified as a parameter of the AS check
function. Fixes an "incompatible pointer type" compiler warning.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6bdd6b3d265ffc2f437e2a69707978758c2efdd8">6bdd6b3d</a></strong>
<div>
<span>by Robbie Harwood</span>
<i>at 2020-01-16T08:46:28+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix several leaks in ipadb_find_principal
`vals` is often leaked during early exit. Refactor function to use a
single exit path to prevent this.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4fe1f7701a616c17167f75e1e81f3a479a2ee50f">4fe1f770</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-01-17T17:21:22+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Print LDAP diagnostic messages on error
ipa_ldap_init(), ipa_tls_ssl_init(), and the bind operations of ipa-join
and ipa-getkeytab now print LDAP error string and LDAP diagonstic messages
to stderr.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e9ed8e78454f12fcfc3d0484dd36995cbef65961">e9ed8e78</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-01-23T09:06:07-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Make assert_error compatible with Python 3.6
The re.Pattern class was introduced in Python 3.7. Use duck-typing to
distinguish between str and re pattern object.
Fixes: https://pagure.io/freeipa/issue/8179
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/72e1b135b3862a16df4e8b5a1a7c2bbfcd5b08c9">72e1b135</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2020-01-24T16:36:32+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: add test_winsyncmigrate suite to nightly runs
The test suite test_winsyncmigrate was missing in nightly definitions
because CI was lacking configuration needed for establishing winsync
agreement: the Certificate Authority needs to be configured on
Windows AD instance. Now that PR-CI is updated to include said changes, we
can start executing this test suite. It is not reasonable to add it to
gating as this suite is time consuming just like other tests requiring
provisioning of AD instances.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/37f81cc566cc37a47b7d1b0d900a53273eae01ac">37f81cc5</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-01-28T14:45:54-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add delete option to ipa-cacert-manage to remove CA certificates
Before removing a CA re-verify all the other CAs to ensure that
the chain is not broken. Provide a force option to handle cases
where the CA is expired or verification fails for some other
reason, or you really just want them gone.
https://pagure.io/freeipa/issue/8124
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7d81a3458c266a1e0c4baa07717aac110c435e59">7d81a345</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-01-28T14:45:54-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-certupdate removes all CA certs from db before adding new ones
This will allow for CA certificates to be dropped from the list
of certificates. It also allows for the trust flags to be
updated when an existing cert is dropped and re-added.
https://pagure.io/freeipa/issue/8124
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/78827db1aa561613d3fb40f39525f7e8fcae2b98">78827db1</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-01-28T14:45:54-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add tests for ipa-cacert-manage delete command
This tests the following cases:
- deletion without nickname (expect fail)
- deletion with an unknown nickname (expect fail)
- deletion of IPA CA (expect fail)
- deletion of a root CA needed by a subCA (expect fail)
- deletion of a root CA needed by a subCA with --force (ok)
- deletion of a subca (ok)
As a side-effect this also tests install by installing the LE
root and a sub-ca. The sub-ca expires in 2021 but I tested in
the future the ipa-cacert-manage install doesn't do date
validation so for now this is ok.
https://pagure.io/freeipa/issue/8124
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4b5513660cb73ee685e09c4f84634ac9d1fa792d">4b551366</a></strong>
<div>
<span>by Fraser Tweedale</span>
<i>at 2020-01-30T20:04:44+11:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Do not renew externally-signed CA as self-signed
Commit 49cf5ec64b1b7a7437ca285430353473c215540e fixed a bug that
prevented migration from externally-signed to self-signed IPA CA.
But it introduced a subtle new issue: certmonger-initiated renewal
renews an externally-signed IPA CA as a self-signed CA.
To resolve this issue, introduce the `--force-self-signed' flag for
the dogtag-ipa-ca-renew-agent script. Add another certmonger CA
definition that calls this script with the `--force-self-signed'
flag. Update dogtag-ipa-ca-renew-agent to only issue a self-signed
CA certificate if the existing certificate is self-signed or if
`--force-self-signed' was given. Update `ipa-cacert-manage renew'
to supply `--force-self-signed' when appropriate.
As a result of these changes, certmonger-initiated renewal of an
externally-signed IPA CA certificate will not issue a self-signed
certificate.
Fixes: https://pagure.io/freeipa/issue/8176
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/577dd1e47a092cf7e4527707111d28297bb58f53">577dd1e4</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2020-01-30T16:08:49+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: add check for output contents of ipa-client-samba
Check that ipa-client-samba tool reports specific properties of domains:
name, netbios name, sid and id range
Related to https://pagure.io/freeipa/issue/8149
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/875769c7c0a66a217a152b7c8cb064c3ceabf541">875769c7</a></strong>
<div>
<span>by Gaurav Talreja</span>
<i>at 2020-01-31T14:34:00+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Normalize test definations titles
Rename job titles to match their test suites and how they are defined in nightly yamls.
Issue : freeipa/freeipa-pr-ci#336
Signed-off-by: Gaurav Talreja <gtalreja@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d97cfd72721ed2f7e77f5c397a0ca7b389ea6d72">d97cfd72</a></strong>
<div>
<span>by Robbie Harwood</span>
<i>at 2020-02-01T10:09:48+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Handle the removal of KRB5_KDB_FLAG_ALIAS_OK
In ac8865a22138ab0c657208c41be8fd6bc7968148 (between 1.17 and 1.18),
krb5 removed this flag, and always accepts aliases.
Related-to: https://pagure.io/freeipa/issue/7879
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/089c47e212ac077dcd27bc60013d7ac7bf2270ee">089c47e2</a></strong>
<div>
<span>by Robbie Harwood</span>
<i>at 2020-02-01T10:09:48+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Support DAL version 8.0
Provide stubs for backward compatibility. DAL 8.0 was released with
krb5-1.18, which is part of Fedora 32+.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/196350444ccab2b99e86accf7eb19ff8327a1e95">19635044</a></strong>
<div>
<span>by Robbie Harwood</span>
<i>at 2020-02-01T10:09:48+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Drop support for DAL version 5.0
No supported Linux distro packages a version of krb5 with this DAL, so
we don't lose anything by removing it.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/99a920cb69e213d211a6ff9622950e81c3e71c8d">99a920cb</a></strong>
<div>
<span>by Isaac Boukris</span>
<i>at 2020-02-02T09:10:48+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix DAL v8 support
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0806c1582b2f1dfaf04eb2e8fa222c190e24d818">0806c158</a></strong>
<div>
<span>by Isaac Boukris</span>
<i>at 2020-02-02T09:10:48+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix legacy S4U2Proxy in DAL v8 support
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4d7eac93b0249d6f4081bb4857079875afa21423">4d7eac93</a></strong>
<div>
<span>by Anuja More</span>
<i>at 2020-02-04T10:46:05+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">After mounting "Unspecified GSS failure" should not be in logs.
When there is directory mounted on the ipa-client
Then no "Unspecified GSS failure" should be in logs.
This is an integration test for :
https://bugzilla.redhat.com/show_bug.cgi?id=1759665
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Sumedh Sidhaye <ssidhaye@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a6dae4843c2fbaba984bf6bd3add6e2b62b1f59f">a6dae484</a></strong>
<div>
<span>by sumenon</span>
<i>at 2020-02-05T10:06:00+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Tier-1 test for ipa-healthcheck tool
Signed-off-by: sumenon <sumenon@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Sudhir Menon <sumenon@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7a45cd179f846920ffa91df7f28f21e7de09f328">7a45cd17</a></strong>
<div>
<span>by sumenon</span>
<i>at 2020-02-05T10:06:00+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Nightly definition for ipa-healthcheck tool
Signed-off-by: sumenon <sumenon@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Sudhir Menon <sumenon@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/664eed7d0885791a3b16ad082d56f9a14682673e">664eed7d</a></strong>
<div>
<span>by Serhii Tsymbaliuk</span>
<i>at 2020-02-05T14:19:59+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI tests: Fix 'Button is not displayed' exception
Add a small timeout (up to 5 seconds) which allows to prevent exceptions when
WebDriver attempts to click a button before it is rendered.
Ticket: https://pagure.io/freeipa/issue/8169
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/59593194d3eaf646ae757b88dc8a9231c21301c2">59593194</a></strong>
<div>
<span>by Armando Neto</span>
<i>at 2020-02-05T14:49:39-03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">prci: Bump template version
This new image has SELinux enabled in permissive mode. After
this all tests skipped because SELinux was disabled will be
executed again.
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4e1d27c22a90d579a9019829f8ffd0bed51c2e5f">4e1d27c2</a></strong>
<div>
<span>by Serhii Tsymbaliuk</span>
<i>at 2020-02-06T14:12:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI tests: Fix broken reference to parent facet in table record check
Add decorator to has_record method which repeats the check when an active facet is changed
(catch StaleElementReferenceException).
Ticket: https://pagure.io/freeipa/issue/8157
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8e527507c0971ed1a8468e10246232491b1ef36c">8e527507</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-02-12T09:41:42+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: fix modify_sssd_conf()
The method modify_sssd_conf() is copying a remote sssd.conf file
to the test controller then uses sssd python API to modify the
config file.
When the test controller does not have sssd-common package installed,
SSSDConfig() call fails because the API needs sssd schema in order
to properly parse the config file, and the schema files are provided
by sssd-common pkg.
The fix also downloads the files representing sssd schema and calls
SSSDConfig() with those files. Using the schema from the test machine
is ensuring that config is consistent with the schema (if the sssd
version differs between controller and test machine for instance).
Note: we currently don't see any issue in the nightly tests because
the test controller is installed with sssd-common package but if you
run the tests as specified in https://www.freeipa.org/page/Testing
with a controller missing sssd-common, you will see the issue.
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/14dbf04148c6284b176eca34aa70df4bef09b857">14dbf041</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-02-12T15:16:42+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">install/updates: move external members past schema compat update
There is an ordering discrepancy because the base compat tree
configuration is in install/updates/80-schema_compat.update so it is ran
after 50-externalmembers.update. And since at that point
cn=groups,cn=Schema ... does not exist yet, external members
configuration is not applied.
Move it around to make sure it is applied after Schema Compatibility
plugin configuration is created.
Fixes: https://pagure.io/freeipa/issue/8193
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2cd67d5a9a22c009f050e493d4b3e2882dbfd81f">2cd67d5a</a></strong>
<div>
<span>by Sumedh Sidhaye</span>
<i>at 2020-02-13T09:12:08-03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added a test to check if ipa host-find --pkey-only does not return SSH public key
It checks if 'SSH public key fingerprint' is
not present in the output of the command
Related: https://pagure.io/freeipa/issue/8029
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/87bc31464b6133af9befd412af54403665c22628">87bc3146</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-02-13T15:39:34-03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pytest: Migrate xunit-style setups to Pytest fixtures
Even though Pytest supports xunit style setups, unittest and nose
tests, this support is limited and may be dropped in the future
releases. Worst of all is that the mixing of various test
frameworks results in weird conflicts and of course, is not widely
tested.
This is a part of work to remove the mixing of test idioms in the
IPA's test suite:
1) replace xunit style
2) employ the fixtures' interdependencies
Related: https://pagure.io/freeipa/issue/7989
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/356f907fc255ab3a9f93ff2808646b92a6652aec">356f907f</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-02-13T15:39:34-03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pytest: Migrate unittest/nose to Pytest fixtures
Even though Pytest supports xunit style setups, unittest and nose
tests, this support is limited and may be dropped in the future
releases. Worst of all is that the mixing of various test
frameworks results in weird conflicts and of course, is not widely
tested.
This is a part of work to remove the mixing of test idioms in the
IPA's test suite:
1) replace unittest.TestCase subclasses
2) replace unittest test controls (SkipTest, fail, etc.)
3) replace unittest assertions
Related: https://pagure.io/freeipa/issue/7989
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3659b46d6aeea06b4875860ec69a9215afcbdd91">3659b46d</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-02-13T15:39:34-03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pytest: Warn about unittest/nose/xunit tests
This Pytest plugin is intended to issue warnings on collecting
tests, which employ unittest/nose frameworks or xunit style.
For example, this may look like:
"""
test_a/test_xunit.py:25
test_a/test_xunit.py:25: PytestDeprecationWarning: xunit style is deprecated
def test_foo_bar(self):
test_b/test_unittest.py:7
test_b/test_unittest.py:7: PytestDeprecationWarning: unittest is deprecated
def test_foo_bar(self):
"""
To treat these warnings as errors it's enough to run Pytest with:
-W error:'xunit style is deprecated':pytest.PytestDeprecationWarning
Related: https://pagure.io/freeipa/issue/7989
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f4e2acd1333f0f3d88da81d3fda80e85c9c418c2">f4e2acd1</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-02-13T15:39:34-03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update Azure Pipelines to use Fedora 31
nodejs:12 requires libicu-65.1 while gdb (not direct dependency)
libicu-63.2. As a workaround gdb-minimal [0] could be used.
It's even better as requires less packages to be downloaded
and then installed.
[0] https://fedoraproject.org/wiki/Changes/Minimal_GDB_in_buildroot
Co-authored-by: Stanislav Levin <slev@altlinux.org>
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/294694ad69fa909e2f699cb2dad0f36b966a246f">294694ad</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-02-13T15:39:34-03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Properly kill gpg-agent
There is a race condition exposed in 'test_gpg_asymmetric'.
The teardown of 'tempdir' fixture and gpg-agent being called
from the teardown of 'gpgkey' fixture could simultaneously
remove the gnugpg's socket files.
This results in an error like:
```
================= ERRORS ===================
_ ERROR at teardown of test_gpg_asymmetric __
...
> os.unlink(entry.name, dir_fd=topfd)
E FileNotFoundError: [Errno 2] No such file or directory: 'S.gpg-agent.extra'
/usr/lib64/python3.7/shutil.py:450: FileNotFoundError
```
The problem is that the agent is not terminated properly.
Instead, gpgconf could be used to kill daemonized gpg-agent.
Related: https://pagure.io/freeipa/issue/7989
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5939c90752db9da1adaf8c0bfe6bec3d6c1e2ad6">5939c907</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-02-13T15:39:34-03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pylint: Teach Pylint how to handle request.context
With Astroid change [0] a inference for builtin containers
was improved. This means that all the elements of such containers
will be inferred if they are not Python constants (previously
ignored).
This change introduces several issues, one of them is a volatile
error exposed at multi-job Pylinting, but could be guaranteed
produced at single-job mode as:
```
PYTHONPATH=. /usr/bin/python3 -m pylint --rcfile=./pylintrc \
--load-plugins pylint_plugins ipaserver/plugins/dns.py ipalib/request.py
ipalib/request.py:76: [E1101(no-member), destroy_context] Instance of 'bool' has no 'disconnect' member)
-----------------------------------
Your code has been rated at 9.97/10
```
Or even adding 'context.some_attr = True' into ipalib/request.py.
It's should be treated as no one member of `context`'s attrs is a
`Connection` instance and has `destroy_context` member.
To tell Pylint that there are such members the corresponding
transformation is added.
[0] https://github.com/PyCQA/astroid/commit/79d5a3a7
Related: https://pagure.io/freeipa/issue/8116
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3460db4ee7c7ce6c9a639a644a39c4df09ce31ac">3460db4e</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-02-13T15:39:34-03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pylint: Synchronize pylint plugin to ipatests code
Pylint is a static analysis tool and therefore, couldn't always
analyze dynamic stuff properly. Transformation plugins is a way
to teach Pylint how to handle such cases.
Particularly, with the help of FreeIPA own plugin, it is possible
to tell Pylint about instance fields having a duck-typing nature.
A drawback exposed here is that a static view (Pylint's) of code
should be consistent with an actual one, otherwise, codebase will
be polluted with various skips of pylint checks.
* added missing fields to ipatests.test_integration.base.IntegrationTest
* an attempt is made to clear `no-member` skips for ipatests
* removed no longer needed `pytest` module transformation
Related: https://pagure.io/freeipa/issue/8116
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6f48848562f4e9ab9584154fd85e6ad1ac331ecd">6f488485</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-02-13T15:39:34-03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pylint: Clean up comment
I added a comment in @d0b420f6d, later, on refactoring in
@c6769ad12 I forgot to remove it. So, it is just a clean up.
Related: https://pagure.io/freeipa/issue/8116
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/44a59ff39a3f481e90043e546c892c9108231d67">44a59ff3</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-02-13T15:39:34-03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">lint: Make Pylint-2.4 happy again
This is the first time running Pylint-2.4 over the whole IPA codebase.
```
Pylint on /usr/bin/python is running, please wait ...
internal error with sending report for module ['ipaserver/plugins/serverroles.py']
maximum recursion depth exceeded while calling a Python object
************* Module ipatests.test_integration.base
ipatests/test_integration/base.py:84: [W0125(using-constant-test), IntegrationTest.install] Using a conditional statement with a constant value)
************* Module ipaserver.install.ipa_cacert_manage
ipaserver/install/ipa_cacert_manage.py:522: [R1724(no-else-continue), CACertManage.delete] Unnecessary "elif" after "continue")
```
The latest Pylint (via the Tox task) checks only:
```
{envsitepackagesdir}/ipaclient \
{envsitepackagesdir}/ipalib \
{envsitepackagesdir}/ipapython
```
, while the distro-Pylint runs over all project but it is not fresh.
That's why these warnings/errors weren't exposed before now.
Concerning `internal error`: a fix was accepted by upstream:
https://github.com/PyCQA/pylint/issues/3245, but wasn't released yet.
Until that is done, Pylint just warns.
Related: https://pagure.io/freeipa/issue/8116
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/936e27f75961c67e619ecfa641e256ce80662d68">936e27f7</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-02-14T09:24:58+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">adtrust: print DNS records for external DNS case after role is enabled
We cannot gather information about required DNS records before "ADTrust
Controller" role is enabled on this server. As result, we need to call
the step to add DNS records after the role was enabled.
Fixes: https://pagure.io/freeipa/issue/8192
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0ff0ab85a8b1d90fb94e09bdbb3e9eeeb11d191a">0ff0ab85</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2020-02-14T09:27:40+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: add test_trust suite to nightly runs
The test suite test_trust was missing in nightly definitions
because PR-CI was not able to provision multi-AD topology.
Now that PR-CI is updated, we can start executing this test suite.
It is not reasonable to add it to gating as this suite is
time consuming like other tests requiring provisioning of AD instances.
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6332aed9ba67e2ee759a9d988ba92139486469d4">6332aed9</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-02-14T17:38:19+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-client-automount: call save_domain() for each change
Call sssdconfig.save_domain(domain) after each configuration
change during ipa-client-automount --uninstall.
Previously, sssdconfig.save_domain(domain) was called only
outside of the domain detection loop which changed the domain
configuration. This introduced issues as this method's behavior
is only consistent when configuration items are removed in a
certain order: https://pagure.io/SSSD/sssd/issue/4149
Plus, it is more correct to save the configuration from within
the loop if ever we support multiple domains.
Fixes: https://pagure.io/freeipa/issue/8190
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7ae804c726970ae467a7f76efa21bae40405551d">7ae804c7</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-02-14T17:38:19+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: make sure ipa-client-automount reverts sssd.conf
Due to https://pagure.io/SSSD/sssd/issue/4149 ipa-client-automount
fails to remove the ipa_automount_location entry from sssd.conf.
Test that autofs_provider and ipa_automount_location are removed.
Fixes: https://pagure.io/freeipa/issue/8190
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c35c066a6d7b7a493e22a4af3043d5d2a72133d4">c35c066a</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-02-16T12:13:10+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Allow zero-length arguments
Currently, such arguments are eaten by 'ipa-run-tests' script as they
are not quoted.
For example, running ipa-run-tests -k ''
results in the actual invocation would be like as:
['/bin/sh',
'--norc',
'--noprofile',
'-c',
'--',
"/usr/bin/python3 -c 'import sys,pytest;sys.exit(pytest.main())' -o "
'cache_dir=/tmp/pytest-of-root/pytest-12/test_ipa_run_tests_empty_expression0/.pytest_cache '
'--confcutdir=/usr/lib64/python3/site-packages/ipatests -k ']
Note: expressions or marks could be empty as a result of the building
of command line args by more high-level tools, scripts, etc.
So, a short-termed solution is the quotting of zero-length arguments.
Fixes: https://pagure.io/freeipa/issue/8173
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b240b54bb4ff160851c7681914eb210934ae2abc">b240b54b</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-02-16T12:15:52+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove dependency on custodia package
ipa-server no longer use any files and features from the custodia
package. The python3-custodia package provides all Custodia features for
ipa-custodia.service.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2ade60ac63ff9a626ae1ec17196121fe694ee212">2ade60ac</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-02-16T12:17:45+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">dnsrecord: Treat empty list arguments correctly
dnsrecord_del fails when one of the record arguments is an empty list:
AttrValueNotFound("AAAA record does not contain 'None'",)
The problem is caused by the fact that LDAPEntry.__getitem__ returns None
for empty lists. The code in the plugin considers None as a single entry
and maps it to vals = [None].
The patch maps None to empty list.
Fixes: https://pagure.io/freeipa/issue/8196
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/30b8c8b9985a5eb41e700b80fd03f95548e45fba">30b8c8b9</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-02-17T16:40:16+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">kdb: make sure audit_as_req callback signature change is preserved
audit_as_req() callback has changed its signature with MIT krb5 commit
20991d55efbe1f987c1dbc1065f2d58c8f34031b in 2017, we should preserve the
change for any newer DAL versions. Otherwise audit_as_req() callback
would reference wrong data and we might crash.
Fixes: https://pagure.io/freeipa/issue/8200
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4eb48492b354ecc30ffe1dd9654dcc0e0e833d64">4eb48492</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-02-17T16:40:16+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Azure Pipelines: re-enable nodejs:12 stream for Fedora 31+
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2d0da2f9aff2e6256ae9f43838ca24335381e7e8">2d0da2f9</a></strong>
<div>
<span>by Anuja More</span>
<i>at 2020-02-17T16:49:50+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update topology for test_integration/test_sssd.py
Added changes in topology for test_sssd.py
As in test it needs client also.
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/985c99fc7ad6fdd30d428d099e006b1a0836a87d">985c99fc</a></strong>
<div>
<span>by Anuja More</span>
<i>at 2020-02-17T16:49:50+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Add test for ipa-extdom-extop plugin should allow @ in group name
If group contains @ in group name on AD,
then it should fetch successfully on ipa-client.
Related to: https://bugzilla.redhat.com/1746951
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f356d5734662d0a20f06702353b2f10f29b9f55d">f356d573</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-02-18T22:30:55-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Don't fully quality the FQDN in ssbrowser.html for Chrome
The trailing dot causes it to not function as expected, remove
it from the example.
https://pagure.io/freeipa/issue/8201
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d4b8081e6c0a745451ff314f7a42d5ff344ac327">d4b8081e</a></strong>
<div>
<span>by Anuja More</span>
<i>at 2020-02-19T17:49:05+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: SSSD should fetch external groups without any limit.
When there are more external groups than default limit, then
SSSD should fetch all groups.
Related : https://pagure.io/SSSD/sssd/issue/4058
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3ced5532576779ee7bb2e7f15ff4b5039ba4daba">3ced5532</a></strong>
<div>
<span>by Kaleemullah Siddiqui</span>
<i>at 2020-02-19T17:52:47+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Tests for backup-restore when pkg required is missing
Tests for ipa-restore behaviour when dns or adtrust
rpm is missing which is required during ipa-restore
https://pagure.io/freeipa/issue/7630
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/61577c851e81beabc65e5b96603b88e9f7ec973b">61577c85</a></strong>
<div>
<span>by Mohammad Rizwan Yusuf</span>
<i>at 2020-02-20T10:50:18-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Test AES SHA 256 and 384 Kerberos enctypes enabled
AES SHA 256 and 384-bit enctypes supported by MIT kerberos but
was not enabled in IPA. This test is to check if these types are
enabled.
related: https://pagure.io/freeipa/issue/8110
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/eaf9e79c8000118317527caad4cf6aa521fd0028">eaf9e79c</a></strong>
<div>
<span>by Mohammad Rizwan Yusuf</span>
<i>at 2020-02-24T15:50:42-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Test if certmonger reads the token in HSM
This is to ensure added HSM support for FreeIPA. This test adds
certificate with sofhsm token and checks if certmonger is tracking
it.
related : https://pagure.io/certmonger/issue/125
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/84ae778c8731b0934e011155b668acbb97d775c2">84ae778c</a></strong>
<div>
<span>by Mohammad Rizwan Yusuf</span>
<i>at 2020-02-24T15:50:42-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add certmonger wait_for_request that uses run_command
Add a little utility function to get the certmonger status
of a request id on a particular host and wait until it is either
failed on the CA or issued (or times out).
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8b5dc6a29e5e1893f9ec864bdde1f769ad6efc39">8b5dc6a2</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2020-02-25T15:34:32-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipaserver/plugins/hbacrule: Add HBAC to memberservice_hbacsvc* labels
The labels for memberservice_hbacsvc and memberservice_hbacsvcgroup are
only "Services" and "Service Groups" but they should be "HBAC Services"
and "HBAC Service Groups".
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8a5bfaba83da700bed29fc82ef1d280bfabb8379">8a5bfaba</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-02-26T08:01:52+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Part2: Don't fully quality the FQDN in ssbrowser.html for Chrome
The web page ssbrowser.html is displayed when the browser doesn't
enable javascript. When js is enabled, the content is taken from
ipaserver/plugins/internal.py.
The commit e4966f9 fixed a string in ssbrowser.html but did not
fix the corresponding string in ipaserver/plugins/internal.py,
resulting in a different page depending on javascript enabled/not
enabled.
This commit makes both contents consistent.
Fixes: https://pagure.io/freeipa/issue/8201
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/11d145300dcd1b9b986f259efa57eddcca9b2e32">11d14530</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-02-26T13:07:55+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Azure: Allow to not provide tests to be ignored
As for now, a list of tests which will be ignored by Pytest is
mandatory. But actually, a list of tests to run is explicitly set
in yaml config. And thus, 'ignore' list should be an optional field.
This simplifies tests definitions to drop extra stuff.
Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6a6e3f2339c5773f051aaea08922f6853ef5942d">6a6e3f23</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-02-26T13:07:55+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Azure: Allow SSH for Docker environments
IPA integration tests utilize SSH as a transport to communicate
with IPA hosts. To run such tests Docker environments should
have configured SSH.
Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d33b7d61fc8e012ecfd0354a6d3431301a66d768">d33b7d61</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-02-26T13:07:55+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Azure: Allow to run integration tests
Azure provides Microsoft-hosted agents having tasty resources [0].
For now (Feb 2020),
- (Linux only) Run steps in a cgroup that offers 6 GB of physical memory and
13 GB of total memory
- Provide at least 10 GB of storage for your source and build outputs.
This is enough to set up IPA environments consisted of not only master but also
replicas and clients and thus, run IPA integration tests.
New Azure IPA tests workflow:
+ 1) Azure generate jobs using Matrix strategy
2) each job is run in parallel (up to 10) within its own VM (Ubuntu-18.04):
a) downloads prepared Docker container image (artifact) from Azure cloud
(built on Build Job) and loads the received image into local pool
+ b) docker-compose creates the Docker environment having a required number
of replicas and/or clients
+ c) setup_containers.py script does the needed container's changes (DNS,
SSH, etc.)
+ d) launch IPA tests on tests' controller
e) publish tests results in JUnit format to provide a comprehensive test
reporting and analytics experience via Azure WebUI [1]
f) publish regular system logs as artifacts
[0] https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/hosted?view=azure-devops
[1] https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/test/publish-test-results?view=azure-devops&tabs=yaml
Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/198cd506592c8dc078e7956a42d0d4e0342cf86d">198cd506</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-02-26T13:07:55+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Azure: Make it possible to configure distro-specific stuff
This allows to run IPA tests on Azure using any distro.
To achieve this, one has to do:
1) place a platform specific template on 'ipatests/azure/templates/'
and make a soft link from 'ipatests/azure/templates/variables.yml' to
the new template.
2) place a configuration templates on these paths
3) templates have to answer the questions such as:
a) which Docker image to use to build IPA packages (rpm, deb, etc.)
b) how to prepare Build environment
c) how to build IPA packages
d) how to prepare environment to run Tox tests
e) how to prepare environment to run WebUI unittests
f) which base Docker image to use to build the new image to run
IPA tests within it
Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2988f5f30c9379f8ac7cbfc56af382f2779479cf">2988f5f3</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-02-26T13:07:55+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">yamllint: Lint all the YAML files
For now, a list of YAML files' paths is hardcoded (even after
globbing) into Makefile.am. Moreover, Azure templates are not
checked at all until Azure triggered.
With this change, the list of YAMLs is populated automatically
on yamllinting.
Jinja templates are not parseable by a regular yaml module, to
skip such the YAML_TEMPLATE_FILES is utilized.
Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/685d902ca4cf10c8c440036016c2dd3e05d76222">685d902c</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-02-26T13:07:55+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Azure: Don't collect twice systemd_journal.log
This log file is collected by azure-run-tests.sh script and then by
Azure 'PublishPipelineArtifact' task. So, the same file gets into
logs artifact.
Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/245a9dc93f086b685b09984ea4a3395b93fd5789">245a9dc9</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-02-26T13:07:55+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Azure: Add support for testing multi IPA environments
Currently, only one IPA environment is tested within Docker
containers. This is not efficient because Azure's agent gives
6 GB of physical memory and 13 GB of total memory (Feb 2020),
but limits CPU with 2 cores.
Next examples are for 'master-only' topologies.
Let's assume that only one member of github repo simultaneously
run CI. This allows to get the full strength of Azure.
Concurrency results for TestInstallMaster:
------------------------------------------
| job concurrency | time/jobs |
------------------------------------------
| 5 | 40/5 |
| 4 | 34/4 |
| 3 | 25/3 |
| 2 | 19/2 |
| 1 | 17/1 |
------------------------------------------
Results prove the limitation of 2 cores. So, in case of jobs'
number not exceeds the max capacity for parallel jobs(10) the
proposed method couldn't save time, but it reduces the used
jobs number up to 2 times. In other words, in this case CI
could pass 2 x tests.
But what if CI was triggered by several PRs? or jobs' number is
bigger than 10. For example, there are 20 tests to be run.
Concurrency results for TestInstallMaster and 20 input jobs:
------------------------------------------------------------------
| job concurrency | time | jobs used | jobs free |
------------------------------------------------------------------
| 5 | 40 | 4 | 6 |
| 4 | 34 | 5 | 5 |
| 3 | 25 | 7 | 3 |
| 2 | 19 | 10 | 0 |
| 1 | 34 | 20 | 0 |
------------------------------------------------------------------
So, in this case the optimal concurrency would be 4 since it
allows to run two CIs simultaneously (20 tasks on board) and get
results in 34 minutes for both. In other words, two people could
trigger CI from PR and don't wait for each other.
New Azure IPA tests workflow:
+ 1) generate-matrix.py script generates JSON from user's YAML [0]
2) Azure generate jobs using Matrix strategy
3) each job is run in parallel (up to 10) within its own VM (Ubuntu-18.04):
a) downloads prepared Docker container image (artifact) from Azure cloud
(built on Build Job) and loads the received image into local pool
+ b) GNU 'parallel' launch each IPA environment in parallel:
+ 1) docker-compose creates the Docker environment having a required number
of replicas and/or clients
+ 2) setup_containers.py script does the needed container's changes (DNS,
SSH, etc.)
+ 3) launch IPA tests on tests' controller
c) publish tests results in JUnit format to provide a comprehensive test
reporting and analytics experience via Azure WebUI [1]
d) publish regular system logs as artifacts
[0]: https://docs.microsoft.com/en-us/azure/devops/pipelines/process/phases?view=azure-devops&tabs=yaml
Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3fff86757cfc7a78db33801e3c75e208b01660f7">3fff8675</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-02-26T13:07:55+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pylint: Run Pylint over Azure Python scripts
> Pylint is a tool that checks for errors in Python code, tries to enforce a
> coding standard and looks for code smells. It can also look for certain type
> errors, it can recommend suggestions about how particular blocks can be
> refactored and can offer you details about the code's complexity.
Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0fbdb1357ca3e861bba14d21ceb6e2a6e753a14c">0fbdb135</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-02-26T13:07:55+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Azure: Sync Gating definitions to current PR-CI
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4e6e0c88bb2831b65c1a5a6f1f4a7f09c0b112cf">4e6e0c88</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-02-26T13:07:55+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Azure: Preliminary check for provided limits
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4b2cdeef29094dd6b3e4f485993ad5f69c8d84b5">4b2cdeef</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-02-26T13:07:55+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Azure: Free Docker resources after usage
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ec21ecc5c6677f9e87fc8ffa5652645469865230">ec21ecc5</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-02-26T13:07:55+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Azure: Skip tests requiring external DNS
An external DNS is not supported yet, but it could be easily
implemented by adding another container with simple DNS server.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1fe5c04cdd2f5f998f92debc7f3f46f2807ddc88">1fe5c04c</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-02-26T13:07:55+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Azure: Rebalance tests
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8fd1eacfb5c49738f9a26124cfa7a2423244637b">8fd1eacf</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-02-26T13:07:55+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Azure: Report elapsed time
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/12d6864b6dc30155414e2483f7634684ccc9ee3e">12d6864b</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-02-26T15:34:34-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix div-by-zero when svc weight is 0 for all masters in location
The relative service weight output tries to show the relative
chance that any given master in a locaiton will be picked. This
didn't account for all masters having a weight of 0 which would
result in a divide-by-zero error.
Implement the following rules:
1. If all masters have weight == 0 then all are equally
weighted.
2. If any masters have weight == 0 then they have an
extremely small chance of being chosen, percentage is
0.1.
3. Otherwise it's percentage change is based on the sum of
the weights of non-zero masters.
https://pagure.io/freeipa/issue/8135
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c1660a4c023a28cdad40720fd91d7e57870b4808">c1660a4c</a></strong>
<div>
<span>by Armando Neto</span>
<i>at 2020-03-01T15:24:43-03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">prci: update fedora used for testing ipa-4-8
* Add nightly definitions to test with latest and previous versions of
Fedora (30 and 31)
* Update gating and temp_commit to use the latest Fedora (31)
* Update templates used to include updated packages
Boxes used:
* https://app.vagrantup.com/freeipa/boxes/ci-ipa-4-8-f31/versions/0.0.3
* https://app.vagrantup.com/freeipa/boxes/ci-ipa-4-8-f30/versions/0.0.4
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/3fbbd02b0e8bc5e4f196e8d26ecfa8c989dadabb">3fbbd02b</a></strong>
<div>
<span>by Mohammad Rizwan Yusuf</span>
<i>at 2020-03-03T13:59:17-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Test if server installer lock Bind9 recursion
This test is to check if recursion can be configured.
It checks if newly added file /etc/named/ipa-ext.conf
exists and /etc/named.conf should not have
'allow-recursion { any; };'. It also checks if ipa-backup
command backup the /etc/named/ipa-ext.conf file as well
related : https://pagure.io/freeipa/issue/8079
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/dcdcbe37f42a219541716938fd34ac1df7d8170c">dcdcbe37</a></strong>
<div>
<span>by Anuja More</span>
<i>at 2020-03-04T13:11:26+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: Added test when 2FA prompting configurations is set.
Related : https://pagure.io/SSSD/sssd/issue/3264
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/66154f8bf79584b8fa6792e3d2ca534900dfa481">66154f8b</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-03-06T08:34:10+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Privilege: add a helper checking if a principal has a given privilege
server_conncheck is ensuring that the caller has the expected privilege.
Move the code to a common place in ipaserver/plugins/privilege.py
Related: https://pagure.io/freeipa/issue/7600
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5edc674e7262ce4506c40b8c066207f9e5f55c33">5edc674e</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-03-06T08:34:10+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-adtrust-install: run remote configuration for new agents
When ipa-adtrust-install is run, the tool detects masters that are
not enabled as trust agents and propose to configure them. With the
current code, the Schema Compat plugin is not enabled on these new
trust agents and a manual restart of LDAP server + SSSD is required.
With this commit, ipa-adtrust-install now calls remote code on the new
agents through JSON RPC api, in order to configure the missing parts.
On the remote agent, the command is using DBus and oddjob to launch
a new command,
/usr/libexec/ipa/oddjob/org.freeipa.server.trust-enable-agent [--enable-compat]
This command configures the Schema Compat plugin if --enable-compat is
provided, then restarts LDAP server and SSSD.
If the remote agent is an older version and does not support remote
enablement, or if the remote server is not responding, the tool
ipa-adtrust-install prints a WARNING explaining the steps that need
to be manually executed in order to complete the installation, and
exits successfully (keeping the current behavior).
Fixes: https://pagure.io/freeipa/issue/7600
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4afd6e5e07061dde6e30b5352668bdf23cd6dedd">4afd6e5e</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-03-06T08:34:10+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: add test for ipa-adtrust-install --add-agents
Add tests checking the behavior of ipa-adtrust-install when
adding trust agents:
- try calling the remote method trust_enable_agent with
a principal missing the required privilege.
- try adding a trust agent when the remote node is stopped.
The installer must detect that he's not able to run the remote
commands and print a WARNING.
- try adding a trust agent when the remote node is running.
The WARNING must not be printed as the remote configuration is done.
- try adding a trust agent with --enable-compat.
The WARNING must not be printed and the Schema Compatibility plugin
must be enabled (the entries
cn=users/groups,cn=Schema Compatibility,cn=plugins,cn=config
must contain a new attribute schema-compat-lookup-nsswitch
(=user/group).
Thanks to sorlov for the nightly test definitions and new test.
Related: https://pagure.io/freeipa/issue/7600
Co-authored-by: Sergey Orlov <sorlov@redhat.com>
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4ca100999b691c22ff63154edd32af0e8040ef1f">4ca10099</a></strong>
<div>
<span>by Vit Mojzis</span>
<i>at 2020-03-06T08:35:33+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add freeipa-selinux subpackage
Add freeipa-selinux subpackage containing selinux policy for FreeIPA
server. This policy module will override the distribution policy.
Policy files where extracted from
https://github.com/fedora-selinux/selinux-policy
See Independent policy project guidelines for more details about
shipping custom SELinux policy.
https://fedoraproject.org/wiki/SELinux/IndependentPolicy
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/18ce2033c04aed2c4a34f61b9ee3642b01f53017">18ce2033</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-03-06T08:35:33+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Integrate SELinux policy into build system
Hook up the new policy to autoconf and automake.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/bb6a5a5d9f850bde9b8d81c2dd51d41263c22cd4">bb6a5a5d</a></strong>
<div>
<span>by Vit Mojzis</span>
<i>at 2020-03-06T08:35:33+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">selinux: move BUILD_SELINUX_POLICY definition
BUILD_SELINUX_POLICY needs to be defined outside of ENABLE_SERVER
conditional block.
Fixes:
\# ./configure --disable-server
...
configure: error: conditional "BUILD_SELINUX_POLICY" was never defined.
Usually this means the macro was only invoked conditionally.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/96565414b3fd1e2c946b21f205a3ac3c4b5bad0c">96565414</a></strong>
<div>
<span>by Vit Mojzis</span>
<i>at 2020-03-06T08:35:33+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">selinux: Remove obsolete memcached access
Drop memcached_stream_connect access since memcached is no longer used.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c444f7a35ada0dcb4f565557b7c71f3644fdd446">c444f7a3</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-03-06T08:37:32+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: fix TestSubCAkeyReplication
The test is using the output of openssl to compare the SubCA issuer name
with the expected value.
Depending on the version of openssl, the issuer can be displayed
differently (with/without space around the = character). On RHEL 7.x,
there is no space by default while on Fedora the space is used.
Calling openssl with -nameopt space_eq forces a consistent output, always
adding space around =.
Reviewed-By: Sudhir Menon <sumenon@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9cb8984112ff31721b71dcdd4febcc23c2641691">9cb89841</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2020-03-10T17:41:38+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: update docstring to reflect changes in FileBackup.restore()
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5ff9b6e2a506c3ef1179655ae2d2e479005ec99e">5ff9b6e2</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2020-03-10T17:41:38+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: replace utility for editing sssd.conf
There are three patterns for editing sssd.conf in tests now:
1. using modify_sssd_conf() which allows to modify only domain sections
2. using remote_ini_file
3. direct file editing using `sed`
This patch introduces new utility function which combines advantages of
first two approaches:
* changes are verified against schema, so that mistakes can be spotted
early
* has convenient interface for simple options modification,
both in domain and service sections
* allows sophisticated modifications through SSSDConfig object
Fixes: https://pagure.io/freeipa/issue/8219
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/32584ed34f466e8f474e22d778e3e964d0fcd2c4">32584ed3</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2020-03-10T17:41:38+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: use remote_sssd_config to modify sssd.conf
Replace usage of remote_ini_file with remote_sssd_config.
The latter verifies changes against schema which helps to spot the mistakes.
Related to: https://pagure.io/freeipa/issue/8219
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a1695722125674204b6e880b6ac652d78b783c88">a1695722</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2020-03-10T17:41:38+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: remove invalid parameter from sssd.conf
`use_fully_qualified_names` is not a valid parameter for `[sssd]` section
of sssd.conf, it can be specified only in domain section.
According to `man sssd.conf` it simply requires all requests to be fully
qualified, otherwise no result will be found. It is irrelevant to the
test scenario, so removing it.
Related to: https://pagure.io/freeipa/issue/8219
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/21c923c4cf21f30f20ec4b21c488db6f6fa92b67">21c923c4</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-03-11T09:36:15+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-adtrust-install: remote command fails if ipa-server-trust-ad pkg missing
When the command ipa-adtrust-install --add-agents is run, it executes
remotely the command trust_enable_agent. This command does not require
the package ipa-server-trust-ad to be installed on the remote node, but
fails if it's not the case because dbus is not imported.
Need to move the "import dbus" outside of the try/except related to
dcerpc import.
Related: https://pagure.io/freeipa/issue/7600
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/df0df14bf31dba5800747aa08824b24b8be41eab">df0df14b</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-03-11T09:36:15+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">selinux policy: add the right context for org.freeipa.server.trust-enable-agent
This commit sets the system_u:object_r:ipa_helper_exec_t:s0 context to the
oddjob script org.freeipa.server.trust-enable-agent.
Without this context, oddjob cannot launch the command
/usr/libexec/ipa/oddjob/org.freeipa.server.trust-enable-agent
when ipa-adtrust-install --add-agents is run with SElinux enforcing.
Related: https://pagure.io/freeipa/issue/7600
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1deb1010b245df6c363c5655f9a548bdf4dbc040">1deb1010</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-03-12T07:50:13+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Tighten permissions on PKI proxy configuration
As we need to store credentials for AJP protocol comminucation,
ensure only root can read the configuration file.
Related: https://pagure.io/freeipa/issue/8221
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d4d8b98c3588b212db6a26610e690cccb3af84ca">d4d8b98c</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-03-12T07:50:13+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Secure AJP connector between Dogtag and Apache proxy
AJP implementation in Tomcat is vulnerable to CVE-2020-1938 if used
without shared secret. Set up a shared secret between localhost
connector and Apache mod_proxy_ajp pass-through.
For existing secured AJP pass-through make sure the option used for
configuration on the tomcat side is up to date. Tomcat 9.0.31.0
deprecated 'requiredSecret' option name in favor of 'secret'. Details
can be found at https://tomcat.apache.org/migration-9.html#Upgrading_9.0.x
Fixes: https://pagure.io/freeipa/issue/8221
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5d8d9198ce1ddfd44eb7c0268c397359e6239fca">5d8d9198</a></strong>
<div>
<span>by Mohammad Rizwan Yusuf</span>
<i>at 2020-03-12T07:56:42+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Move wait_for_request() method to tasks.py
Moved the method so that it can be used by other modules too
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/937fb1d9518c54bf9c05bc0b7d6f43b29971eb3c">937fb1d9</a></strong>
<div>
<span>by Mohammad Rizwan Yusuf</span>
<i>at 2020-03-12T07:56:42+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Test if getcert creates cacert file with -F option
It took longer to create the cacert file in older version.
restarting the certmonger service creates the file at the location
specified by -F option. This fix is to check that cacert file
creates immediately after certificate goes into MONITORING state.
related: https://pagure.io/freeipa/issue/8105
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/87e0d82dd4409cdecaacee1fa27d27033aa65f7a">87e0d82d</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-03-12T10:00:35+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Cleanup SELinux policy
* Remove FC for /usr/libexec/ipa/com.redhat.idm.trust-fetch-domains. The
file has been moved to oddjobs/ subdirectory a long time ago.
* Simplify FC for oddjob scripts. All com.redhat.idm.* and org.freeipa.*
scripts are labeled as ipa_helper_exec_t.
* use miscfiles_read_generic_certs() instead of deprecated
miscfiles_read_certs() to address the warning:
```
Warning: miscfiles_read_certs() has been deprecated, please use miscfiles_read_generic_certs() instead.
```
(Also add org.freeipa.server.trust-enable-agent to .gitignore)
Related: https://pagure.io/freeipa/issue/6891
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/59bd2fec85a49ff75fbcad05cfd5a641a67c5d56">59bd2fec</a></strong>
<div>
<span>by sumenon</span>
<i>at 2020-03-12T23:17:33-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: check that ipa-healthcheck warns if no dna range is set
Added testcase to verify that ipa-healthcheck tool displays a
warning if no DNS range is set. It previously just reported at the
SUCCESS level that no range was set.
Issue: freeipa/freeipa-healthcheck#60
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f36b8697a1d7dcf0f698147b3791c8ed338863d7">f36b8697</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2020-03-12T23:17:33-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Move execution of ipa-healthcheck to a separate function
This removes a lot of duplication and simplifies the test
code.
It returns the command returncode and the JSON data (if any)
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/23993f58e1da98e537b03b9274d91308cbc63a6c">23993f58</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-03-13T07:42:51+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Support opendnssec 2.1.6
The installation of IPA DNS server is using ods-ksmutil, but
openddnssec 2.1.6 does not ship any more /usr/bin/ods-ksmutil. The tool
is replaced by /usr/sbin/ods-enforcer and /usr/sbin/ods-enforcer-db-setup..
The master branch currently supports fedora 30+, but fedora 30 and 31 are
still shipping opendnssec 1.4 while fedora 32+ is shipping opendnssec 2.1.6.
Because of this, the code needs to check at run-time if the ods-ksmutil
command is available. If the file is missing, the code falls back to
the new ods-enforcer and ods-enforcer-db-setup commands.
This commit defines paths.ODS_ENFORCER and paths.ODS_ENFORCER_DB_SETUP
for all platforms, but the commands are used only if ods-ksmutil is not found.
Fixes: https://pagure.io/freeipa/issue/8214
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5716c3b78f43391d2ab7b4b1fd672135f3b55bdb">5716c3b7</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-03-13T07:42:51+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove the <Interval> from opendnssec conf
In opendnssec 2.1.6, the <Interval> element is not supported in the
configuration file.
Related: https://pagure.io/freeipa/issue/8214
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6cb3b11a61d5b9b7df93130188c7feef83398090">6cb3b11a</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-03-13T07:42:51+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">With opendnssec 2, read the zone list from file
With OpenDNSSEC 1.4, the code was using the command
$ ods-ksmutil zonelist export
which printed the zonelist as XML in its output.
With OpenDNSSEC 2, the code is using the command
$ ods-enforcer zonelist export
which prints a message instead:
"Exported zonelist to /etc/opendnssec/zonelist.xml successfully"
The code needs to extract the zonelist file name and read the XML
from the file.
Related: https://pagure.io/freeipa/issue/8214
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/fc4ccfa5c3a7ecd7c9e5539595e0440965d62336">fc4ccfa5</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-03-13T07:42:51+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Support OpenDNSSEC 2.1: new ods-signer protocol
The communication between ods-signer and the socket-activated process
has changed with OpenDNSSEC 2.1. Adapt ipa-ods-exporter to support also
the new protocol.
The internal database was also modified. Add a wrapper calling the
right code (table names hab=ve changed, as well as table columns).
With OpenDNSSEC the policy also needs to be explicitely loaded after
ods-enforcer-db-setup has been run, with
ods-enforcer policy import
The command ods-ksmutil notify must be replace with ods-enforce flush.
Related: https://pagure.io/freeipa/issue/8214
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/598c55cc0dc884aa780ac2dc2f3adfd8299e6ea0">598c55cc</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-03-13T07:42:51+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DnsSecMaster migration: move the call to zonelist export later
When migrating the DNSSec Master to a replica, the setup of
opendnssec is re-using the database and needs to call zonelist
export.
With opendnssec 1.4 this call is done with ods-ksmutil while
opendnssec 2.1 uses ods-enforcer that communicates with
odsenforcerd that is not started yet.
Move the call after ods-enforcerd is started.
Related: https://pagure.io/freeipa/issue/8214
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/799ebc8be681165e622778848a9b2989434a29dd">799ebc8b</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2020-03-13T07:42:51+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">opendnssec2.1 support: move all ods tasks to specific file
Move all the routines run_ods* from tasks to _ods14 or _ods21 module
Related: https://pagure.io/freeipa/issue/8214
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1d416a5a5ceaaf3fff9df423cea9114f1918aad2">1d416a5a</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2020-03-13T11:22:26+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: provide docstrings instead of imporperly placed comments
Related to: https://bugzilla.redhat.com/show_bug.cgi?id=1685581
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/40fd96f27d2512212ac99fff9ace0fef1f5a57d4">40fd96f2</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2020-03-13T11:22:26+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: add test for SSSD updating expired cache items
New test checks that sssd updates expired cache values both for IPA
domain and trusted AD domain.
Related to: https://pagure.io/SSSD/sssd/issue/4012
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8d6a609d6e55dc11b4768ee54da46393228660f9">8d6a609d</a></strong>
<div>
<span>by François Cami</span>
<i>at 2020-03-16T09:29:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-restore: restart services at the end
When IPA was not installed on the restore target host, and
when httpd was already running, "ipactl stop" does not stop
httpd. "ipactl start" at the end of the restore tool will
therefore not restart httpd either.
Calling "ipactl restart" at the end of the restore fixes the
issue, and as an added bonus, makes sure IPA can restart itself
properly.
Fixes: https://pagure.io/freeipa/issue/8226
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5df2f5d856f15c6283644a00004fad5873eb1671">5df2f5d8</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2020-03-16T13:27:13+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">spec: Take the ownership over '/usr/libexec/ipa/custodia'
Ideally, an every file on system has to have an owner.
'/usr/libexec/ipa/custodia' directory was added recently, but:
```
[root@dc ~]# LANG=C rpm -qf /usr/libexec/ipa/custodia/ipa-custodia-dmldap
freeipa-server-4.8.4-2.fc31.x86_64
[root@dc ~]# LANG=C rpm -qf /usr/libexec/ipa/custodia
file /usr/libexec/ipa/custodia is not owned by any package
```
ALTLinux build system warns about files or directories which were
'created' during a package installation but haven't an owner. So,
after the resyncing spec file to upstream's one my build fails.
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e4a611aee8ca839c59798210b56e65f21a24e965">e4a611ae</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2020-03-17T08:48:52+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Allow hosts to read DNS records for IP SAN
For SAN IPAddress extension the cert plugin verifies that the IP address
matches the host entry. Certmonger uses the host principal to
authenticate and retrieve certificates. But the host principal did not
have permission to read DNS entries from LDAP.
Allow all hosts to read some entries from active DNS records.
Fixes: https://pagure.io/freeipa/issue/8098
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c3053e287b8d29da40ef9c36fbe8915f616f8501">c3053e28</a></strong>
<div>
<span>by Anuja More</span>
<i>at 2020-03-17T10:58:24+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: User and group with same name should not break reading AD user data.
Regression test resolving trusted users and groups should be
successful when there is a user in IPA with the
same name as a group name.
Related: https://pagure.io/SSSD/sssd/issue/4073
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/a9922639f3541fe25cadbba79a94de7ada29c7f3">a9922639</a></strong>
<div>
<span>by Anuja More</span>
<i>at 2020-03-17T10:58:24+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Mark test to skip sssd-2.2.2
Test test_ext_grp_with_ldap is marked as skip as
fix for https://pagure.io/SSSD/sssd/issue/4073
unavailable with sssd-2.2.2
Related: https://pagure.io/SSSD/sssd/issue/4073
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b598982520891d2907070101c8953019613a4694">b5989825</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-03-17T11:00:38+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add more contributor emails to the mailmap
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1af953680ba95d7a9da382e05f373375d1e6a35d">1af95368</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-03-17T11:00:38+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add new contributors to the list
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5f49e6d1aaab56f8dd72e991f16ff575b7f4c9ee">5f49e6d1</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2020-03-17T11:00:38+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Become FreeIPA 4.8.5
</pre>
</li>
</ul>
<h4>30 changed files:</h4>
<ul>
<li class="file-stats">
<a href="#eae40b507f9c3502accc6d7f8a39c9a7d9936b6f">
<span class="new-file">
+
.copr/Makefile
</span>
</a>
</li>
<li class="file-stats">
<a href="#a5cc2925ca8258af241be7e5b0381edf30266302">
.gitignore
</a>
</li>
<li class="file-stats">
<a href="#d0e9cb1fab10296d90ef8e144f981f659bbd59ad">
.mailmap
</a>
</li>
<li class="file-stats">
<a href="#9dcdfc1feccc97e073d5d4710f3da3b5f37ad1f5">
API.txt
</a>
</li>
<li class="file-stats">
<a href="#d7ed7e35d7791778850754d99281016a9bacb652">
Contributors.txt
</a>
</li>
<li class="file-stats">
<a href="#d5b4de16d947214ec306bd57bed1bd23a939b5f9">
Makefile.am
</a>
</li>
<li class="file-stats">
<a href="#438c41c93b7f0c8b476c65c3eb42284f234bd810">
VERSION.m4
</a>
</li>
<li class="file-stats">
<a href="#8a84dc1127a684b319557e6204cc81b9909b144c">
client/ipa-getkeytab.c
</a>
</li>
<li class="file-stats">
<a href="#e4eba71132ec40f9516ea0fa207f3b4601f7e665">
client/ipa-join.c
</a>
</li>
<li class="file-stats">
<a href="#87db583be5c13c1f7b3c958b10e03d67b6a2ca06">
configure.ac
</a>
</li>
<li class="file-stats">
<a href="#d805817179e0c32b5f17229eae03defa6e20e212">
daemons/dnssec/ipa-ods-exporter.in
</a>
</li>
<li class="file-stats">
<a href="#3eb9dc527a6ed01c562c17b86c77e1526e13b464">
daemons/ipa-kdb/README
</a>
</li>
<li class="file-stats">
<a href="#c353f68be99056278f9117d02e4294a759188b14">
daemons/ipa-kdb/ipa_kdb.c
</a>
</li>
<li class="file-stats">
<a href="#4776aa1d1d01bef820f34e6c2aa41644aa3f18df">
daemons/ipa-kdb/ipa_kdb.h
</a>
</li>
<li class="file-stats">
<a href="#163f907433032ad32eedd2e072fc66f074948585">
daemons/ipa-kdb/ipa_kdb_audit_as.c
</a>
</li>
<li class="file-stats">
<a href="#d530f0d03a978b8c8549b635cb950845e8dd1f7d">
daemons/ipa-kdb/ipa_kdb_certauth.c
</a>
</li>
<li class="file-stats">
<a href="#1d425595ea8a5a85f3b1f5486032a0dc5592315b">
daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
</a>
</li>
<li class="file-stats">
<a href="#5cd6be5f06d1be10ed72f46efdd12433a8fda6c0">
daemons/ipa-kdb/ipa_kdb_principals.c
</a>
</li>
<li class="file-stats">
<a href="#866dc5074431bae6d800558b8ed5d65496e9d7d8">
freeipa.spec.in
</a>
</li>
<li class="file-stats">
<a href="#26a797a94d52b579fdb3f0e47eef683e2dcbe577">
install/certmonger/dogtag-ipa-ca-renew-agent-submit.in
</a>
</li>
<li class="file-stats">
<a href="#c32ba1af32ff9e189fea8d2ff29cfa8bf2e7fd50">
install/html/ssbrowser.html
</a>
</li>
<li class="file-stats">
<a href="#317d5117b7a6a9410053ff8493993b87d6c4524d">
install/oddjob/Makefile.am
</a>
</li>
<li class="file-stats">
<a href="#3c46a39118cce98a03102abb5becda4e7b53086e">
install/oddjob/etc/oddjobd.conf.d/ipa-server.conf.in
</a>
</li>
<li class="file-stats">
<a href="#60c30bc8bd93774bf5c836f7331469e37d37fd3b">
<span class="new-file">
+
install/oddjob/org.freeipa.server.trust-enable-agent.in
</span>
</a>
</li>
<li class="file-stats">
<a href="#4717e316b0dd2917fef40802a37184e66a0f1d41">
install/share/dns.ldif
</a>
</li>
<li class="file-stats">
<a href="#9ede2f0441433794e764955016789115ebf56bd8">
install/share/ipa-pki-proxy.conf.template
</a>
</li>
<li class="file-stats">
<a href="#12d8651fe7b1eb1cbaee518b4019bac4d78a683f">
install/share/opendnssec_conf.template
</a>
</li>
<li class="file-stats">
<a href="#026f64c9f78ecdf4cf6aafb61693b0888559ccbd">
install/tools/ipa-adtrust-install.in
</a>
</li>
<li class="file-stats">
<a href="#a3213f0226815cb51345eef6eb18b9c52bf77f44">
install/tools/man/ipa-cacert-manage.1
</a>
</li>
<li class="file-stats">
<a href="#329faa1842a3be230ac2c000edba7af288aeb2de">
install/updates/40-dns.update
</a>
</li>
</ul>
<h5>The diff was not included because it is too large.</h5>
</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">
—
<br>
<a href="https://salsa.debian.org/freeipa-team/freeipa/-/compare/83db8ab1754b52cd6143e0f01e520bbc9e9ff454...5f49e6d1aaab56f8dd72e991f16ff575b7f4c9ee">View it on GitLab</a>.
<br>
You're receiving this email because of your account on salsa.debian.org.
If you'd like to receive fewer emails, you can
adjust your notification settings.
</p>
</div>
</body>
</html>