[Pkg-freeipa-devel] [Git][freeipa-team/freeipa][upstream-next] 86 commits: Fix Python dependencies

Timo Aaltonen gitlab at salsa.debian.org
Mon May 21 08:02:35 BST 2018 

Timo Aaltonen pushed to branch upstream-next at FreeIPA packaging / freeipa


Commits:
b7be4cf2 by Christian Heimes at 2018-04-12T09:33:02+02:00
Fix Python dependencies

Fix typo in dependencies and require release of python-ldap.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
afc0d4b6 by Christian Heimes at 2018-04-12T20:29:35+02:00
Add nsds5ReplicaReleaseTimeout to replica config

The nsds5ReplicaReleaseTimeout setting prevents the monopolization of
replicas during initial or busy master-master replication. 389-DS
documentation suggets a timeout of 60 seconds to improve convergence of
replicas.

See: http://directory.fedoraproject.org/docs/389ds/design/repl-conv-design.html
Fixes: https://pagure.io/freeipa/issue/7488
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
5041b13f by Felipe Barreto at 2018-04-13T10:30:51+02:00
Reverting commit 6b145bf3e696e6d40b74055ccdf8d14da7828a09

Commit 6b145bf3e696e6d40b74055ccdf8d14da7828a09 should not be pushed,
because it was not the intention to add a new test to .freeipa-pr-ci.
This commits reverts its change.

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
7c8fd563 by Fraser Tweedale at 2018-04-16T12:16:40+02:00
Fix upgrade (update_replica_config) in single master mode

Commit afc0d4b62d043cd568ce87400f60e8fa8273495f added an upgrade
step that add an attribute to a replica config entry.  The entry
only exists after a replica has been added, so upgrade was broken
for standalone server.  Catch and suppress the NotFound error.

Related to: https://pagure.io/freeipa/issue/7488

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
e16ea525 by Alexander Bokovoy at 2018-04-17T08:18:17+02:00
upgrade: treat duplicate entry when updating as not an error

When we attempt to update an entry during upgrade, it may have already
contain the data in question between the check and the update. Ignore
the change in this case and record it in the log.

Fixes: https://pagure.io/freeipa/issue/7450
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
1dbc6ded by Alexander Bokovoy at 2018-04-17T08:49:34+02:00
replication: support error messages from 389-ds 1.3.5 or later

389-ds 1.3.5 changed the error message format for
nsds5ReplicaLastUpdateStatus value. Now it produces
"Error (%d) %s" instead of "%d %s".

Change the check_repl_update() to handle both formats.

Fixes: https://pagure.io/freeipa/issue/7442
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
64ffd117 by Alexander Bokovoy at 2018-04-17T14:28:45+02:00
install: validate AD trust-related options in installers

We already validate that --setup-dns is specified when any of
DNS-related options provided by a user. Do the same for --setup-adtrust
case.

Fixes: https://pagure.io/freeipa/issue/7410
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
692a9931 by Tibor Dudlák at 2018-04-17T16:25:12+02:00
Fix format string passed to pytest-multihost

Integration trust test suit failed with error trying to
start chronyd because of bad formating of passed string

See: https://pagure.io/python-pytest-multihost/issue/15
Resolves: https://pagure.io/freeipa/issue/7487
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
d4dd2b1c by Ganna Kaihorodova at 2018-04-18T09:31:02+02:00
Fix for integration tests dns_locations

Delete code related to NTP checks.
As we migrated to chronyd and IPA server is not NTP server anymore

https://pagure.io/freeipa/issue/7499

Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
b43c2f8a by Petr Vobornik at 2018-04-19T12:11:26+02:00
webui: refresh complex pages after modification

Details facet for user, hosts, service, user override entities require
complex reload as they gather information from multiple sources - e.g.
all of them do cert-find. On update only $entity-mod is execute and its
result doesn't have all information required for refresh of the page
therefore some fields are missing or empty.

This patch modifies the facets to do full refresh instead of default
load and thus the pages will have all required info.

https://pagure.io/freeipa/issue/5776

Reviewed-By: Felipe Volpone <felipevolpone at gmail.com>
Reviewed-By: Michal Reznik <mreznik at redhat.com>

- - - - -
105d7d7f by Varun Mylaraiah at 2018-04-19T12:59:09+02:00
WebUI tests: Extend user group tests with more scenarios

1) Extended webui group automation test with below scenarios
	Scenarios
	 *Add user group with invalid names
	 *Add multiple groups records at one shot
	 *Select and delete multiple records
	 *Find and delete records etc...
2) Improved add_record method to support additional use cases:
	 *confirm by additional buttons: 'Add', 'Add and add another', 'Add and Edit,' 'Cancel'
	 *add multiple records in one call (uses 'Add and add another' behavior)

https://pagure.io/freeipa/issue/7485

Signed-off-by: Varun Mylaraiah <mvarun at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Michal Reznik <mreznik at redhat.com>

- - - - -
1a6e3601 by Varun Mylaraiah at 2018-04-19T12:59:09+02:00
Fixed improper clean-up in test_host::test_kerberos_flags added closing the notification in kerberos flags

Signed-off-by: Varun Mylaraiah <mvarun at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Michal Reznik <mreznik at redhat.com>

- - - - -
a7b18372 by Fraser Tweedale at 2018-04-19T08:57:53-04:00
certprofile: reject config with multiple profileIds

In certprofile-import if the config file contains two profileId
directives with different values, with the first matching the
profile ID CLI argument and the second differing, the profile gets
imported under the second ID.  This leads to:

- failure to enable the profile
- failure to add the IPA "tracking" certprofile object
- inability to delete the misnamed profile from Dogtag (via ipa CLI)

To avert this scenario, detect and reject profile configurations
where profileId is specified multiple times (whether or not the
values differ).

https://pagure.io/freeipa/issue/7503

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
0f859335 by Fraser Tweedale at 2018-04-19T08:57:53-04:00
certprofile: add tests for config profileId scenarios

Update the certprofile tests to cover the various scenarios
concerning the profileId property in the profile configuration.
The scenarios now explicitly tested are:

- profileId not specified (should succeed)
- mismatched profileId property (should fail)
- multiple profileId properties (should fail)
- one profileId property, matching given ID (should succeed)

https://pagure.io/freeipa/issue/7503

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
2de1aa27 by Alexander Bokovoy at 2018-04-19T08:59:45-04:00
ACL: Allow hosts to remove services they manage

Allow hosts to delete services they own. This is an ACL that complements
existing one that allows to create services on the same host.

Add a test that creates a host and then attempts to create and delete a
service using its own host keytab.

Fixes: https://pagure.io/freeipa/issue/7486
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
b5bdd07b by Stanislav Laznicka at 2018-04-20T09:43:37+02:00
Add absolute_import future imports

Add absolute_import from __future__ so that pylint
does not fail and to achieve python3 behavior in
python2.

Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
41352ef9 by Rob Crittenden at 2018-04-20T08:51:37-04:00
Revert run_pk12util part of 807a5cbe7cc52690336c5095ec6aeeb0a4e8483c

Only certutil creates files in the local directory. Changing the
directory for pk12util breaks ipa-server-certinstall if the
PKCS#12 file is not passed in as an absolute path.

https://pagure.io/freeipa/issue/7489

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey at slaykovsky.com>

- - - - -
138ae4ab by Rob Crittenden at 2018-04-20T08:51:37-04:00
ipa-server-certinstall failing, unknown option realm

The option realm was being passed in instead of realm_name.

https://pagure.io/freeipa/issue/7489

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey at slaykovsky.com>

- - - - -
3384147c by Rob Crittenden at 2018-04-20T08:51:37-04:00
Some PKCS#12 errors are reported with full path names

This is related to change in certutil which does a cwd
to the location of the NSS database. certutil is used as part
of loading a PKCS#12 file to do validation.

https://pagure.io/freeipa/issue/7489

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey at slaykovsky.com>

- - - - -
4919bd9d by Rob Crittenden at 2018-04-20T08:51:37-04:00
Remove xfail from CALes test test_http_intermediate_ca

The full chain is not required by mod_ssl.

https://pagure.io/freeipa/issue/7489

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey at slaykovsky.com>

- - - - -
6c4635e7 by Anuja More at 2018-04-24T11:20:08+02:00
Adding test-cases for ipa-cacert-manage

    File     :  ipatests/test_integration/test_external_ca.py

    Scenario1:  Manual renew external CA cert with invalid file
                when ipa-server is installed with external-ca
                and renew with invalid cert file the renewal
                should fail.

    Scenario2:  install CA cert manually
                Install ipa-server. Create rootCA, using
                ipa-cacert-manage install option install
                new cert from RootCA

Signed-off-by: Anuja More <amore at redhat.com>

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
9d73e4a0 by Rob Crittenden at 2018-04-25T08:23:47+02:00
Allow dot as a valid character in an selinux identity name

Both of these are legal: unconfined_u and unconfined.u

https://pagure.io/freeipa/issue/7510

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
5165afd5 by Ganna Kaihorodova at 2018-04-25T11:52:32+02:00
Fix trust tests for Posix Support

Test ecxpects auto-detection of trust type, Windows Server 2016 doesn't have
support for MFU/NIS (SFU - Services for Unix), so auto detection doesn't work
Fix is to pass extra arguments to the trust-add command,
such as --range-type="ipa-ad-trust-posix" to enforce a particular range type

https://pagure.io/freeipa/issue/7508

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
07be3306 by amitkuma at 2018-04-25T12:06:09+02:00
RFE: ipa client should setup openldap for GSSAPI

The IPA client installer currently edits /etc/openldap/ldap.conf, setting up
the client to consume LDAP data from IPA.  It currently sets:
URI
BASE
TLS_CACERT

This PR makes ipa-client to add this AV pair:
SASL_MECH GSSAPI

Resolves: https://pagure.io/freeipa/issue/7366
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
ad2eb3d0 by Christian Heimes at 2018-04-25T12:14:23+02:00
CA replica PKCS12 workaround for SQL NSSDB

CA replica installation fails, because 'caSigningCert cert-pki-ca' is
imported a second time under a different name. The issue is caused
by the fact, that SQL NSS DB handles duplicated certificates differently
than DBM format.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1561730
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
04e1ae7b by Christian Heimes at 2018-04-25T12:14:23+02:00
Require 389-ds-base >= 1.4.0.8-1

1.4.0.8-1 contains a bug fix for an error in SASL connection handling.

See: https://pagure.io/389-ds-base/issue/49639
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
236fa61e by Christian Heimes at 2018-04-25T13:58:11+02:00
Create users in server-common pre hook

The ipaapi user was created in the server package but referenced by a
config file in the server-common package. The server-common package can
be installed without the server package. This caused an error

   Unknown user 'ipaapi'

with systemd-tmpfiles --create. The users are now created in the
server-common package.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey at slaykovsky.com>

- - - - -
13b9608d by Christian Heimes at 2018-04-25T14:02:29+02:00
Add augeas dependency to client package

Commit 5d9c749e830819e0e12bdd9388b6b0c2542cf906 add dependency on augeas
Python package, but freeipa.spec was not updated. The python[23]-ipaclient
packages now correctly depend on python[23]-augeas.

Fixes: https://pagure.io/freeipa/issue/7512
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
53f87ee5 by Fraser Tweedale at 2018-04-25T14:41:12+02:00
py3: fix csrgen error handling

csrgen error handling marshalls an error string from libcrypto.
This is not handled correctly under python3.  Fix the error
handling.

Part of: https://pagure.io/freeipa/issue/7496

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
7633d62d by Fraser Tweedale at 2018-04-25T14:41:12+02:00
csrgen: support initialising OpenSSL adaptor with key object

As a convenience for using it with the test suite, update the csrgen
OpenSSLAdaptor class to support initialisation with a
python-cryptography key object, rather than reading the key from a
file.

Part of: https://pagure.io/freeipa/issue/7496

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
0ac1d3ea by Fraser Tweedale at 2018-04-25T14:41:12+02:00
csrgen: drive-by docstring

Part of: https://pagure.io/freeipa/issue/7496

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
852618fd by Fraser Tweedale at 2018-04-25T14:41:12+02:00
csrgen: fix when attribute shortname is lower case

OpenSSL requires attribute short names ("CN", "O", etc) to be in
upper case, otherwise it fails to add the attribute.  This can be
triggered when FreeIPA has been installed with --subject-base
containing a lower-case attribute shortname (e.g.
--subject-base="o=Red Hat").

Explicitly convert the attribute type string to an OID
(ASN1_OBJECT *).  If that fails, upper-case the type string and try
again.

Add some tests for the required behaviour.

Fixes: https://pagure.io/freeipa/issue/7496
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
9d838210 by Felipe Barreto at 2018-04-25T15:53:58-03:00
Adding GSSPROXY_CONF to be backed up on ipa-backup

Without GSSPROXY_CONF being backed up, we would get this error
"ipa: ERROR: No valid Negotiate header in server response"
when running any ipa command after a backup restore.

This commit also fixes the tests:
- TestBackupAndRestore::test_full_backup_and_restore
- TesttBackupAndRestore::test_full_backup_and_restore_with_selinux_booleans_off

https://pagure.io/freeipa/issue/7473

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
415578a1 by Felipe Barreto at 2018-04-25T15:53:58-03:00
Fixing TestBackupAndRestore::test_full_backup_and_restore_with_removed_users

The test as it was, was testing the backup and restore based on previous
backups and restore, not with an actual installation.

Now, with a clear setup for each test, the test mentioned above will not
fail to do a lookup (using the host command, in check_dns method) for
the master domain.

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
2d5245ce by Florence Blanc-Renaud at 2018-04-26T08:31:08+02:00
ipa-advise config-server-for-smart-card-auth: use mod-ssl

ipa-advise config-server-for-smart-card-auth produces a script that
was still using /etc/httpd/conf.d/nss.conf instead of
/etc/httpd/conf.d/ssl.conf for setting the Apache SSLOCSPEnable Directive.

The fix replaces references to nss.conf with ssl.conf.

https://pagure.io/freeipa/issue/7515

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
84e60e5f by Stanislav Laznicka at 2018-04-26T14:30:06+02:00
Fix typo in ipa-getkeytab --help

Fix the typo in ipa-getkeytab -k option description by
replacing the text with the one from man

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
994f71ac by Christian Heimes at 2018-04-26T21:19:53+02:00
Use single Custodia instance in installers

Installers now pass a single CustodiaInstance object around, instead of
creating new instances on demand. In case of replica promotion with CA,
the instance gets all secrets from a master with CA present. Before, an
installer created multiple instances and may have requested CA key
material from a different machine than DM password hash.

In case of Domain Level 1 and replica promotion, the CustodiaInstance no
longer adds the keys to the local instance and waits for replication to
other replica. Instead the installer directly uploads the new public
keys to the remote 389-DS instance.

Without promotion, new Custodia public keys are still added to local
389-DS over LDAPI.

Fixes: https://pagure.io/freeipa/issue/7518
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>

- - - - -
fc371b65 by Thierry Bordaz at 2018-04-27T10:26:26+02:00
Hardening of topology plugin to prevent erronous deletion of a replica agreement

When a segment is deleted, the underlying replica agreement is also deleted.
An exception to this is if the status of the deleted segment is "obsolete" (i.e. merged segments)
The status should contain only one value, but to be protected against potential
bugs (like https://pagure.io/389-ds-base/issue/49619) this fix checks if
"obsolete" is in the status values.

https://pagure.io/freeipa/issue/7461

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
1df1786b by Florence Blanc-Renaud at 2018-04-27T14:01:33+02:00
Migration from authconfig to authselect

The authconfig tool is deprecated and replaced by authselect. Migrate
FreeIPA in order to use the new tool as described in the design page
https://www.freeipa.org/page/V4/Authselect_migration

Fixes:
https://pagure.io/freeipa/issue/7377

Reviewed-By: Alexander Koksharov <akokshar at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
c36bd383 by Florence Blanc-Renaud at 2018-04-27T14:01:33+02:00
New tests for authselect migration

Add new test for client and server installation when authselect tool
is used instead of authconfig

Related to
https://pagure.io/freeipa/issue/7377

Reviewed-By: Alexander Koksharov <akokshar at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
e4424645 by Florence Blanc-Renaud at 2018-04-27T14:01:33+02:00
Revert commit d705320ec136abc2fcf524f2b63a76d3fc0ba97a

Commit d705320 was temporarily disabling authconfig backup and restore
because of issue 7478.
With the migration to authselect this is not needed any more

Related to
https://pagure.io/freeipa/issue/7377

Reviewed-By: Alexander Koksharov <akokshar at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
8fe5f8d2 by Florence Blanc-Renaud at 2018-04-27T14:01:33+02:00
ipa-advise: adapt config-client-for-smart-card-auth to authselect

ipa-advise config-client-for-smart-card-auth was producing a shell script
calling authconfig.
With the migration from authconfig to authselect, the script needs to
be updated and call authselect enable-feature with-smartcard instead.

Related to
https://pagure.io/freeipa/issue/7377

Reviewed-By: Alexander Koksharov <akokshar at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
00a8d00e by Varun Mylaraiah at 2018-04-27T14:08:04+02:00
WebUI tests: Extend netgroup tests with more scenarios

Extended webui group automation test with below scenarios
Scenarios
 *add netgroup with invalid names
 *add and delete records in various scenarios
 *verify button's action in various scenarios.

https://pagure.io/freeipa/issue/7505

Signed-off-by: Varun Mylaraiah <mvarun at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Michal Reznik <mreznik at redhat.com>

- - - - -
e16a76ad by Michal Reznik at 2018-04-27T14:19:59+02:00
ui_tests: extend test_user suite

Extend WebUI test_user suite with the following test cases:

test_add_user_special
test_user_misc
test_ssh_keys
test_add_delete_undo_reset
test_disable_delete_admin
test_login_without_username

https://pagure.io/freeipa/issue/7507

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Varun Mylaraiah <mvarun at redhat.com>

- - - - -
e43cfaeb by Michal Reznik at 2018-04-27T14:19:59+02:00
ui_driver: extension and modifications related to test_user

In this patch we tune login() in order to test login without
username.

Then we add edit_multivalued and undo_multivalued to test "undo"
and "reset" buttons.

Also there is a new boolean "negative" in mod_record() to switch
button assertion.

Later ssh_key methods were fine-tuned a little to add more keys,
delete all of them and to extend their usage to hosts and id views.

Lastly new method assert_value_checked() was introduced to assert
whether a particular record is checked.

https://pagure.io/freeipa/issue/7507

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Varun Mylaraiah <mvarun at redhat.com>

- - - - -
61dc15e5 by Michal Reznik at 2018-04-27T14:19:59+02:00
ui_tests: introduce new test_misc cases file

By this commit we introduce new test_misc cases file to
test various miscellaneous cases that do not fit to other suites.

In this cases that "version" is present in profile`s "about".

https://pagure.io/freeipa/issue/7507

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Varun Mylaraiah <mvarun at redhat.com>

- - - - -
51b9a82f by Anuja More at 2018-04-27T18:06:36+02:00
Adding test-cases for ipa-cacert-manage

Scenario1:	Setup external CA1 and install ipa-server with CA1.
     		Setup exteranal CA2 and renew ipa-server with CA2.
		Get information to compare CA change for ca1 and CA2
     		it should show different Issuer between install
		and renewal.

Scenario2:	Renew CA Cert on Replica using ipa-cacert-manage
		verify that replica is caRenewalMaster

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Michal Reznik <mreznik at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
2d6d768d by Alexander Bokovoy at 2018-04-28T08:44:25+02:00
idoverrideuser-add: allow adding ssh key in web ui

CLI already allows to pass public SSH key when creating an ID override
for a user. Web UI allows to add public SSH keys after the ID override
was created.

Add SSH key field to allow passing public SSH key in one go when
creating an ID override for a user.

Fixes: https://pagure.io/freeipa/issue/7519
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
3d30cf60 by Rob Crittenden at 2018-04-28T09:06:21+02:00
Update project metadata in ipasetup.py.in

Point mailing list to lists.fedorahosted.org
Use HTTPS for all URLs
Drop Solaris and Unix from platforms

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
6856a9f4 by Rob Crittenden at 2018-04-28T09:07:28+02:00
Log service start/stop/restart message

It wasn't apparent in the logs if a service stop or restart
was complete so in the case of a hang it wasn't obvious which
service was responsible. Including start here for completeness.

https://pagure.io/freeipa/issue/7436

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
792adebf by Robbie Harwood at 2018-04-28T16:35:16+02:00
Enable SPAKE support using krb5.conf.d snippet

Because krb5 silently ignores unrecognized options, this is safe on
all versions.  It lands upstream in krb5-1.17; in Fedora, it was added
in krb5-1.6-17.

Upstream documentation can be found in-tree at
https://github.com/krb5/krb5/blob/master/doc/admin/spake.rst

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
73c3495d by Christian Heimes at 2018-04-28T16:35:16+02:00
Use shutil to copy file

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
d5e5bd50 by Stanislav Laznicka at 2018-04-30T11:04:35+02:00
Add absolute_import to test_authselect

This is to keep backward compatibility with Python 2

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
3c66e388 by Christian Heimes at 2018-04-30T14:13:40+02:00
Compatibility with pytest 3.4

The nose_compat plugin uses internal pytest APIs to suspend and resume
the capture manager. In pytest 3.4, the internal APIs have changed and a
public API was added.

The fix is required to run integration tests under Fedora 28.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a4418963 by Christian Heimes at 2018-04-30T19:39:52+02:00
Remove contrib/nssciphersuite

The directory contained a script to generate mod_nss configuration
snippet. Since FreeIPA moved to mod_ssl, it is no longer of use.

Fixes: https://pagure.io/freeipa/issue/5673
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
c925b44f by Christian Heimes at 2018-04-30T20:42:00+02:00
Load certificate files as binary data

In Python 3, cryptography requires certificate data to be binary. Even
PEM encoded files are treated as binary content.

certmap-match and cert-find were loading certificates as text files. A
new BinaryFile type loads files as binary content.

Fixes: https://pagure.io/freeipa/issue/7520
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
6659392a by Fraser Tweedale at 2018-05-02T11:15:49+02:00
install: fix reported external CA configuration

The installer reports the CA configuration that will be used,
including whether the CA is self-signed or externally-signed.

Installation with external CA takes two steps. The first step
correctly reports the externally signed configuration (like the
above), but the second step reports a self-signed configuration.

The CA *is* externally signed, but the configuration gets reported
incorrectly at step 2.  This could confuse the administrator.  Fix
the message.

Fixes: https://pagure.io/freeipa/issue/7523
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
0653d2a1 by Rob Crittenden at 2018-05-02T11:18:04+02:00
Validate the Directory Manager password before starting restore

The password was only indirectly validated when trying to
disable replication agreements for the restoration.

https://pagure.io/freeipa/issue/7136

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
ae6c8d2c by Rob Crittenden at 2018-05-02T14:12:11+02:00
Handle whitespace, add separator to regex in set_directive_lines

We added the separator to the regex in set_directive_lines to avoid
grabbing just a prefix. This doesn't allow for whitespace around
the separator.

For the Apache case we expected that the separator would be just
spaces but it can also use tabs (like Ubuntu 18). Add a special
case so that passing in a space separator is treated as whitespace
(tab or space).

https://pagure.io/freeipa/issue/7490

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
e16e5cd0 by Rob Crittenden at 2018-05-02T14:12:11+02:00
Use a regex in installutils.get_directive instead of line splitting

This will allow for whitespace around the separator and changes the
default space separator into white space (space + tabs) to be more
generic and work better on Ubuntu which uses tabs in its Apache
configuration.

https://pagure.io/freeipa/issue/7490

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
5929d5d8 by Tibor Dudlák at 2018-05-02T16:44:54-04:00
Use temporary pid file for chronyd -q task

chrony is causing an SELinux denial because of chronyd
was not spawned using systemd and the command creates
a pidfile for unconfined proccess in /var/run with SELinux label:
unconfined_u:object_r:var_run_t:s0
Following chronyd daemon enablement with systemd will fail
due to mismatched SELinux labels on chronyd pidfile.
chronyd pidfile should be labeled with the following label:
system_u:object_r:chronyd_var_run_t:s0
This also changes bindcmdaddress to not touch /var/run/chrony.

Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
606af69b by Christian Heimes at 2018-05-03T08:36:51+02:00
Make ipatests' create_external_ca a script

The test helper create_external_ca is useful to create an external root
CA and sign ipa.csr for external CA testing. I also moved the file into
ipatests top package to make the import shorter and to avoid an import
warning.

Usage:

   ipa-server-install --external-ca ...
   python3 -m ipatests.create_external_ca
   ipa-server-install --external-cert-file=/tmp/rootca.pem \
       --external-cert-file=/tmp/ipaca.pem

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
ce3819c3 by Robbie Harwood at 2018-05-03T10:18:29+02:00
Move krb5 snippet into freeipa-client-common

Also move /usr/share/ipa into freeipa-common by necessity.

https://pagure.io/freeipa/issue/7524

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
1c1089c4 by Christian Heimes at 2018-05-03T14:25:36+02:00
ipa-client package needs sssd-tool

Commit ccec8c6c4193a204428b7ba0f93dac6f0eb26020 add a call to sssctl but
the providing package sssd-tools was not added to ipa-client package.
The tool is not need to build packages.

See: https://pagure.io/freeipa/issue/7376
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
63a5feb1 by Florence Blanc-Renaud at 2018-05-03T16:39:58+02:00
authselect test: skip test if authselect is not available

Currently, the test is skipped if the platform is fedora-like. The
decision to skip should rather be based on authselect command
availability (i.e. when ipaplatform.paths.paths.AUTHSELECT is None).

Related to
https://pagure.io/freeipa/issue/7377

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
aa64ef03 by Florence Blanc-Renaud at 2018-05-03T16:39:58+02:00
authselect migration: use stable interface to query current config

The code currently parses the output of "authselect current" in order
to extract the current profile and options. Example:
$ authselect current
Profile ID: sssd
Enabled features:
- with-mkhomedir

It is easier to use the output of "authselect current --raw". Example:
$ authselect current --raw
sssd with-mkhomedir

Related to
https://pagure.io/freeipa/issue/7377

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
1adc941d by Alexander Bokovoy at 2018-05-03T16:44:57+02:00
group-del: add a warning to logs when password policy could not be removed

When a user with sufficient permissions creates a group using ipa
group-add and then deletes it again with group-del ipa gives an
Insufficient access error, but still deletes the group.

This is due to a need to remove an associaed password policy for the
group. However, a password policy might be inaccessible to the user
(created by a more powerful admin) and there is no way to check that it
exists with current privileges other than trying to remove it.

Seeing a Python exceptions in the Apache log without explanation is
confusing to many users, so add a warning message that explains what
happens here.

Fixes: https://pagure.io/freeipa/issue/6884
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
648d7c0d by Rob Crittenden at 2018-05-03T17:34:45+02:00
Disable message about log in ipa-backup if IPA is not configured

Introduce server installation constants similar to the client
but only tie in SERVER_NOT_CONFIGURED right now.

For the case of not configured don't spit out the "See <some log>
for more information" because no logging was actually done.

In the case of ipa-backup this could also be confusing if the
--log-file option was also passed in because it would not be
used.

https://pagure.io/freeipa/issue/6843

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
880d9b41 by Christian Heimes at 2018-05-04T12:03:43+02:00
Require nss with fix for nickname bug

nss 3.36.1-1.1 addresses a bug in the shared SQL database layer. A nicknames
of certificates are no longer changed when a certificate is imported
multiple times under different name.

Partly revert commit ad2eb3d09b8336008d7f04c3d134c707530d9eb6 with fix
for https://pagure.io/freeipa/issue/7498. The root cause for the bug has
been addressed by the NSS release.

See: https://pagure.io/freeipa/issue/7516
See: https://pagure.io/freeipa/issue/7498
See: https://bugzilla.redhat.com/show_bug.cgi?id=1568271
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
573f1322 by Rob Crittenden at 2018-05-04T16:08:47-03:00
Fix certificate retrieval in ipa-replica-prepare for DL0

The NSSDatabase object doesn't know the format of an NSS database
until the database is created so an explcit call to nssdb.create_db.

https://pagure.io/freeipa/issue/7469

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
c17ba11c by Christian Heimes at 2018-05-07T16:21:10+02:00
Require Dogtag 10.6.1

Dogtag 10.6.1 contains fixes for external CA support.

See: http://pagure.io/dogtagpki/issue/3005
See: http://pagure.io/dogtagpki/issue/3007
See: http://pagure.io/dogtagpki/issue/3008
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1573094
Fixes: https://pagure.io/freeipa/issue/7516
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
5e4da703 by Christian Heimes at 2018-05-07T16:21:10+02:00
Only run subset of external CA tests

All tests are taking over an hour to execute, which is too long for
PR-CI.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
49b4a057 by Christian Heimes at 2018-05-07T16:22:10+02:00
Create missing /etc/httpd/alias for ipasession.key

The director /etc/httpd/alias was created by mod_nss. Since FreeIPA no
longer depends on mod_nss, the directory is no longer created on fresh
systems.

Note: At first I wanted to move the file to /var/lib/ipa/private/ or
/var/lib/httpd/. SELinux prevents write of httpd_t to ipa_var_lib_t. I'm
going to move the file after a new SELinux policy is available.

See: https://pagure.io/freeipa/issue/7529
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
2a58fe6a by Christian Heimes at 2018-05-07T16:23:04+02:00
Revert "Validate the Directory Manager password"

This reverts commit 0653d2a17e67a32c9adcca8145afa231f228b855. The commit
broke full ipa-restore.

See: https://pagure.io/freeipa/issue/7469
See: https://pagure.io/freeipa/issue/7535
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
9e8fb94e by Alexander Bokovoy at 2018-05-08T16:39:22-04:00
service: allow creating services without a host to manage them

Add --skip-host-check option to ipa service-add command to allow
creating services without corresponding host object. This is needed to
cover use cases where Kerberos services created to handle client
authentication in a dynamically generated environment like Kubernetes.

Fixes: https://pagure.io/freeipa/issue/7514
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
e6428657 by Alexander Bokovoy at 2018-05-08T16:39:22-04:00
group: allow services as members of groups

Allow services to be members of the groups, like users and other groups
can already be.

This is required for use cases where such services aren't associated
with a particular host (and thus, the host object cannot be used to
retrieve the keytabs) but represent purely client Kerberos principals to
use in a dynamically generated environment such as Kubernetes.

Fixes: https://pagure.io/freeipa/issue/7513
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
392f44a3 by Stanislav Laznicka at 2018-05-10T10:03:02+02:00
mod_ssl: add SSLVerifyDepth for external CA installs

mod_ssl's limiting of client cert verification depth was causing
the replica installs to fail when master had been installed with
external CA since the SSLCACertificateFile was pointing to a file
with more than one certificate. This is caused by the default
SSLVerifyDepth value of 1. We set it to 5 as that should be
just about enough even for possible sub-CAs.

https://pagure.io/freeipa/issue/7530

Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a885f07d by Stanislav Laznicka at 2018-05-10T10:05:22+02:00
Allow user administrator to change user homedir

https://pagure.io/freeipa/issue/7427

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
8a8b641c by Felipe Barreto at 2018-05-10T16:52:42-03:00
Fixing TestCASpecificRUVs::test_replica_uninstall_deletes_ruvs

This test will setup a master and a replica, uninstall replica and check
for the replica RUVs on the master. It was missing the step of running
ipa-replica-manage del <replica hostname> to properly remove the RUVs.

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
23c23a3c by Felipe Barreto at 2018-05-10T16:52:42-03:00
Fixing tests on TestReplicaManageDel

This commit fixes the tests on class TestReplicaManageDel:
- test_replica_managed_del_domlevel1
- test_clean_dangling_ruv_multi_ca
- test_replica_managed_del_domlevel0

Given that domain level 0 doest not have autodiscovery, we need to
configure /etc/resolv.conf with the master data (search <domain> and
nameserver <master_ip>) in order to ipa-replica-install succeed.

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ef3f0851 by Michal Reznik at 2018-05-15T12:56:03+02:00
ui_tests: checkbox click fix

We check a box with clicking on label by default however sometimes
when a label is too short (1-2 letters) we are hitting an issue
that the checkbox obscures the label.

https://pagure.io/freeipa/issue/7547

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
897f1cda by Michal Reznik at 2018-05-15T12:57:26+02:00
ui_tests: improve "field_validation" method

Often when trying to check e.g. required field we pass the
method another element as parent in order to narrow down a scope
for validation. This way we can just pass "field" name to make the
process easier.

https://pagure.io/freeipa/issue/7546

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
8328a555 by Rob Crittenden at 2018-05-15T14:13:35-04:00
Update 4.7 translations

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7c5ee4e8 by Petr Vobornik at 2018-05-15T14:15:34-04:00
server-del do not return early if CA renewal master cannot be changed

Early return prevented adding last warning message in the method:
   "Ignoring these warnings and proceeding with removal"

And thus `check_master_removal` in `test_server_del` did not work.

https://pagure.io/freeipa/issue/7517

Signed-off-by: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
60e992ca by Petr Vobornik at 2018-05-15T14:15:34-04:00
Fix test_server_del::TestLastServices

The reason why the test started to fail is probably commit be3ad1e where the checks
were reordered. TestLastServices relies on execution of tests in a specific order.
So it fails given that checks were changed but tests weren't.

Given that master is installed with DNS and CA and replica with anything and given
that checks in server-del command are in order: DNS, DNSSec, CA, KRA then the test
should be something like:
* install master (with DNS, CA)
* install replica
* test test_removal_of_master_raises_error_about_last_dns
* test_install_dns_on_replica1_and_dnssec_on_master (installing DNS and
  DNSSec will allow DNSSec check)
* test_removal_of_master_raises_error_about_dnssec
* test_disable_dnssec_on_master (will allow CA check)
* test_removal_of_master_raises_error_about_last_ca
* test_forced_removal_of_master

https://pagure.io/freeipa/issue/7517

Signed-off-by: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
021b2f6e by Rob Crittenden at 2018-05-15T14:56:52-04:00
Become IPA 4.6.90.pre2

- - - - -


30 changed files:

- .freeipa-pr-ci.yaml
- ACI.txt
- API.txt
- VERSION.m4
- client/ipa-getkeytab.c
- contrib/Makefile.am
- − contrib/nssciphersuite/README.txt
- − contrib/nssciphersuite/nssciphersuite.py
- daemons/ipa-slapi-plugins/topology/topology_post.c
- freeipa.spec.in
- install/migration/migration.py
- install/share/Makefile.am
- + install/share/freeipa.template
- install/share/kdc.conf.template
- install/share/wsgi.py
- install/tools/ipa-ca-install
- install/tools/man/ipa-backup.1
- install/ui/src/freeipa/group.js
- install/ui/src/freeipa/host.js
- install/ui/src/freeipa/idviews.js
- install/ui/src/freeipa/service.js
- install/ui/src/freeipa/user.js
- install/updates/20-aci.update
- install/wsgi/plugins.py
- ipaclient/csrgen.py
- ipaclient/csrgen_ffi.py
- ipaclient/install/client.py
- ipaclient/install/ipa_certupdate.py
- ipaclient/install/ipa_client_install.py
- ipaclient/install/ipadiscovery.py


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/compare/1b320ac3e7ab763d932512f2c497288711bc09e8...021b2f6e97fcb4e7390d871faaa28a9d6ab8bfe5

---
View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/compare/1b320ac3e7ab763d932512f2c497288711bc09e8...021b2f6e97fcb4e7390d871faaa28a9d6ab8bfe5
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeipa-devel/attachments/20180521/9616b379/attachment-0001.html>

More information about the Pkg-freeipa-devel mailing list