[Pkg-freeipa-devel] [Git][freeipa-team/freeipa][master] 843 commits: Contributors.txt: update

Timo Aaltonen gitlab at salsa.debian.org
Fri Sep 28 12:20:10 BST 2018


Timo Aaltonen pushed to branch master at FreeIPA packaging / freeipa


Commits:
f38708fd by Tomas Krizek at 2017-09-01T12:38:37Z
Contributors.txt: update

Signed-off-by: Tomas Krizek <tkrizek at redhat.com>

- - - - -
ac6e4cb6 by Tomas Krizek at 2017-09-01T12:39:22Z
VERSION: set 4.6 git snapshot

Signed-off-by: Tomas Krizek <tkrizek at redhat.com>

- - - - -
45bd31b4 by Pavel Vomacka at 2017-09-05T12:07:02Z
Adds whoami DS plugin in case that plugin is missing

When the first installation of IPA was done when the whoami
plugin was not enabled in DS by default, and IPA was then
upgraded to newer versions, then after the upgrade to IPA 4.5
the WebUI stops working. This is caused by a new requirement on the
whoami DS plugin, which is used to obtain information about the
logged-in entity.

This fix adds the whoami plugin during update in case the plugin
is not enabled.

https://pagure.io/freeipa/issue/7126

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
a077c705 by Florence Blanc-Renaud at 2017-09-05T12:13:46Z
Fix ipa config-mod --ca-renewal-master

commit bddb90f38a3505a2768862d2f814c5e749a7dcde added the support for
multivalued server attributes (for pkinit_server_server), but this
introduced an API change where the setter and getter of ServerAttribute
expect a list of values.

When a SingleValuedServerAttribute is used, we need to convert one element
into a list containing this element and vice versa, so that the ipa config-mod
and ipa config_show APIs are not modified.

https://pagure.io/freeipa/issue/7120

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
755a5004 by Pavel Vomacka at 2017-09-07T06:08:17Z
WebUI: remove unused parameter from get_whoami_command

The batch param is not used anywhere, therefore we can remove it.

https://pagure.io/freeipa/issue/7143

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a7ab63b8 by Pavel Vomacka at 2017-09-07T06:08:17Z
WebUI: Fix calling undefined method during reset passwords

When calling reset password, the whoami command is not called in a batch
command, therefore the result is different than when called
during the reset password operation. That needs to be handled to properly
set the entity_show method, which needs to be called afterwards to gather
data about the logged-in entity.

https://pagure.io/freeipa/issue/7143

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
cc5721db by Stanislav Laznicka at 2017-09-07T06:41:08Z
Travis: archive logs of py3 jobs

If something fails, only the logs of python2 jobs are currently
collected. Collect python3 logs as well.

Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
75e9f3ac by Stanislav Laznicka at 2017-09-08T07:30:40Z
travis: temporary workaround for Travis CI

Travis upgraded their environment but broke some deployments. Wait
for them to fix the issue with python3.

- - - - -
a765746e by Stanislav Laznicka at 2017-09-08T13:42:07Z
pylint: fix not-context-manager false positives

threading.Lock() in ipa-replica-conncheck is an alias to
thread.allocate_lock() which creates a LockType object.
This object is an actual context manager but the alias
seems to confuse pylint a bit.

https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
806784db by Stanislav Laznicka at 2017-09-08T13:42:07Z
csrgen: fix incorrect codec for pyasn BitString

https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b57f87c9 by Stanislav Laznicka at 2017-09-08T13:42:07Z
pylint: fix no-member in schema plugin

The `module.register` member is added just a few lines
before pylint warns there's no such thing.

https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
216d37b7 by Stanislav Laznicka at 2017-09-08T13:42:07Z
dcerpc: refactor assess_dcerpc_exception

assess_dcerpc_exception was used in multiple places with a pre-step
which was rather common. Move this to one spot.

This also fixes pylint warning about unbalanced unpacking.

https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
3c616d73 by Stanislav Laznicka at 2017-09-08T13:42:07Z
dcerpc: disable unbalanced-tuple-unpacking

Disable unbalanced-tuple-unpacking for RuntimeException thrown
by samba since this one should always contain two members.

https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f7fc3a3f by Stanislav Laznicka at 2017-09-08T13:42:07Z
parameters: convert Decimal.precision to int

Explicitly convert Decimal.precision to int for unary `-` to make
sure int is passed to it.

Fixes pylint warning.

https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
353d4934 by Stanislav Laznicka at 2017-09-08T13:42:07Z
pylint: Iterate through dictionaries

The consider-iterating-dictionary check disable never worked before
(notice the missing comma in pylintrc). Fix the rest of the dict
iteration.

https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
33f13b6d by Stanislav Laznicka at 2017-09-08T13:42:07Z
sudocmd: fix unsupported assignment

sudocmd.get_dn() was trying to assign to an item of a tuple,
which is not possible.

https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f2701f3a by Stanislav Laznicka at 2017-09-08T13:42:07Z
pylint: make unsupported-assignment-operation check local

unsupported-assignment-operation is useful at times, make it only
local, not global.

https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ae0bd124 by Stanislav Laznicka at 2017-09-08T13:42:07Z
install.util: disable no-value-for-parameter

InnerClassMeta is rather magical and seems to work as-is. There's a
reason not to always send all parameters to the methods since they
really don't have to be able to handle all the parameters all the
time.

https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
fab589d7 by Stanislav Laznicka at 2017-09-08T13:42:07Z
pylint: disable __hash__ for some classes

pylint requires all classes implementing __eq__ to also implement
__hash__. We disable hashing for the classes that lack the ability;
should they ever be required to use it, it can be implemented then.

https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
82d02793 by Stanislav Laznicka at 2017-09-08T13:42:07Z
secrets: disable relative-imports for custodia

pylint is somehow confused about us importing custodia in
ipaserver.secrets.* modules, disable the check for these.

https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0ae2473b by Stanislav Laznicka at 2017-09-08T13:42:07Z
rpcserver: don't call xmlserver.Command

xmlserver.Command does not have to be called so don't.

Fixes pylint: not-callable error.

https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c7f90159 by Stanislav Laznicka at 2017-09-08T13:42:07Z
Change the requirements for pylint in wheel

https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
76c6ffe1 by Stanislav Laznicka at 2017-09-08T13:42:07Z
Change Travis CI container to FreeIPA-owned

https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a30095b3 by Stanislav Laznicka at 2017-09-08T13:42:07Z
travis: remove "fast" from "makecache fast"

dnf makecache does not support the "fast" keyword in its
makecache subcommand in Fedora 26.

https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d88718ca by Tomas Krizek at 2017-09-12T08:02:06Z
prci: use f26 template for master

Switch PR CI testing of master branch to Fedora 26.

Signed-off-by: Tomas Krizek <tkrizek at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
05acd096 by Felipe Volpone at 2017-09-12T13:46:04Z
Fixing how sssd.conf is updated when promoting a client to replica

When promoting a client to a replica we have to change sssd.conf,
deleting _srv_ part from 'ipa_server' property and setting
'ipa_server_mode' to true.

Previously, the wrong domain could be updated since the ipa_domain
variable was not being used properly.

https://pagure.io/freeipa/issue/7127

Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
f3097e57 by Fraser Tweedale at 2017-09-12T13:52:06Z
issue_server_cert: avoid application of str to bytes

Part of: https://pagure.io/freeipa/issue/7131

Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
fcc2c5da by Stanislav Laznicka at 2017-09-12T13:53:54Z
pkinit: fix sorting dictionaries

Python 3 discovered this issue since dictionaries themselves don't
implement comparisons.

https://pagure.io/freeipa/issue/7131

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
16909a12 by Stanislav Laznicka at 2017-09-12T13:59:20Z
pkinit: don't fail when no pkinit servers found

If we issue pkinit-status after an upgrade from a pre-4.5 ipa
version, it would have failed with KeyError since the
pkinit_server_server of IPA config was never initialized.

https://pagure.io/freeipa/issue/7144

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
0f13e663 by Stanislav Laznicka at 2017-09-12T14:46:38Z
ldif: handle attribute names as strings

ldif.LDIFRecordList handles all attribute names as utf-8 strings
and all attribute values as bytes. If we take the attribute value
and try to search for it in the entry (= dictionary), if it contains
the attribute name as a key (which is a string), their hashes match.
However, even if hashes match, Python needs to make sure those two
are the same in case of a hash collision, so it tries to compare them.
This causes a BytesWarning exception when running in strict mode
because `bytes` and `str` instances cannot be compared. A KeyError
would be thrown in non-strict mode.

Also, when later passing the attr to replace_value(), we need it
to be `str`, otherwise the modifications handler fails because it
tries to sort the attributes it's modifying, but that's a bit less
poetic issue than the first one.

https://pagure.io/freeipa/issue/7129

Reviewed-By: Michal Reznik <mreznik at redhat.com>

- - - - -
be9da19d by Stanislav Laznicka at 2017-09-12T15:43:23Z
uninstall: remove deprecation warning

RawConfigParser.readfp() method is deprecated and throws
DeprecationWarning in python 3 during uninstall.

https://pagure.io/freeipa/issue/7131

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
286bbb2a by Felipe Volpone at 2017-09-12T16:00:03Z
Changing idoverrideuser-* to treat objectClass case insensitively

This is important to avoid problems when migrating from older
versions of IPA and using idoverrideuser-* commands.

https://pagure.io/freeipa/issue/7074

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
c4505f08 by Stanislav Laznicka at 2017-09-13T08:38:08Z
client: fix retrieving certs from HTTP

We're applying a bytes regex on the result of a command but were
using decoded stdout instead of the raw one.

https://pagure.io/freeipa/issue/7131

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
09f746f5 by Fraser Tweedale at 2017-09-13T11:56:59Z
ipa-pki-retrieve-key: ensure we do not crash

If ipa-pki-retrieve-key fails for some reason (which may be a
"legitimate" reason, e.g. the server it is attempting to contact
being offline), the program terminates with an uncaught exception,
resulting in a crash report.

Catch all exceptions; if an exception gets raised, report the
traceback and exit with nonzero status.

Fixes: https://pagure.io/freeipa/issue/7115
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
473ddbdb by Alexander Bokovoy at 2017-09-13T14:53:32Z
dsinstance: Restore context after changing dse.ldif

Fixes https://pagure.io/freeipa/issue/7150

Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
436d2de4 by Stanislav Laznicka at 2017-09-14T12:06:09Z
ldap2: don't use decode() on str instance

This was causing issues when adding/removing a CA in the
CA plugin.

https://pagure.io/freeipa/issue/7131

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c8161fc4 by Stanislav Laznicka at 2017-09-14T12:06:09Z
certmap testing: fix wrong cert construction

`bytes` instances have no `.format()`, we can simply base64 decode
the certificate and load it as DER instead.

https://pagure.io/freeipa/issue/7131

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
8be28145 by Martin Basti at 2017-09-14T12:06:09Z
py3: set samba dependencies

Set proper python3 dependencies for samba package

https://pagure.io/freeipa/issue/7131

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
537690ae by Stanislav Laznicka at 2017-09-14T12:06:09Z
travis: run the same tests in python2/3

We missed running some tests in python3

https://pagure.io/freeipa/issue/7131

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
93be966d by Florence Blanc-Renaud at 2017-09-15T06:36:22Z
Python3: Fix winsync replication agreement

When configuring a winsync replication agreement, the tool performs a search
on AD for defaultNamingContext. The entry contains the value as bytes; it
needs to be decoded, otherwise subsequent calls to
DN(WIN_USER_CONTAINER, self.ad_suffix) will fail.

https://pagure.io/freeipa/issue/7131

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
8661611d by Alexander Bokovoy at 2017-09-18T09:37:31Z
OTP import: support hash names with HMAC- prefix

Refactor convertHashName() method to accept hash names prefixed with
HMAC- or any other prefix. Extending the method should be easier in
future.

Add tests proposed by Rob Crittenden to make sure we don't regress
with expected behavior of convertHashName().

Fixes https://pagure.io/freeipa/issue/7146

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
623ec6c0 by Stanislav Laznicka at 2017-09-18T09:41:15Z
pylint: fix missing module

requests.packages contains but a weird backward compatibility fix
for its presumed urllib3 submodule but pylint does not approve.

Reviewed-By: Tomas Krizek <tkrizek at redhat.com>

- - - - -
fa618129 by Rob Crittenden at 2017-09-18T09:44:08Z
Use TLS for the cert-find operation

The goal is to avoid using HTTP where possible and use TLS everywhere.
This provides not only privacy protection but also integrity protection.
We should consider any network except localhost as untrusted.

Switch from using urllib.request to dogtag.https_request.

https://pagure.io/freeipa/issue/7027

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
62e72c2a by Rob Crittenden at 2017-09-19T06:54:20Z
Add exec to /var/lib/ipa/sysrestore for install status inquiries

installutils.is_ipa_configured() previously required root
privileges to see whether there were sysrestore or filestore
files. The directory was mode 0700 so this function always returned
False for non-root users.

Relaxing permissions is needed to run the tests as the jenkins user.

Backed-up files retain their original FS permissions so this
shouldn't disclose any previously unreadable backed-up configuration.

https://pagure.io/freeipa/issue/7157

Reviewed-By: Tomas Krizek <tkrizek at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
87540fe1 by Florence Blanc-Renaud at 2017-09-19T07:34:31Z
Fix ipa-server-upgrade with server cert tracking

ipa-server-upgrade fails with Server-Cert not found, when trying to
track httpd/ldap server certificates. There are 2 issues in the upgrade:
- the certificates should be tracked only if they were issued by IPA CA
(it is possible to have CA configured but 3rd party certs)
- the certificate nickname can be different from Server-Cert

The fix provides methods to find the server crt nickname for http and ldap,
and a method to check if the server certs are issued by IPA and need to be
tracked by certmonger.

https://pagure.io/freeipa/issue/7141

Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
e537686b by Stanislav Laznicka at 2017-09-19T07:42:07Z
Don't write p11-kit EKU extension object if no EKU

b5732efd introduced a regression because it tries to write EKU
that's actually in the CA cert instead of using the LDAP information.
However, when no EKU is available,
IPACertificate.extended_key_usage_bytes still returned at least
EKU_PLACEHOLDER OID to keep the behavior the same as in previous
versions. This caused the EKU_PLACEHOLDER to be written in the
ipa.p11-kit file which made Firefox report FreeIPA Web UI as
improperly configured.

https://pagure.io/freeipa/issue/7119

Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
faaba4f1 by Tomas Krizek at 2017-09-19T09:26:01Z
spec: bump python-pyasn1 to 0.3.2-2

The new python-pyasn1 fixes an issue that occurred during ca-less
installation.

Fixes: https://pagure.io/freeipa/issue/7157
Signed-off-by: Tomas Krizek <tkrizek at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
dc47a4b8 by Alexander Bokovoy at 2017-09-19T15:33:24Z
Make sure upgrade also checks for IPv6 stack

 - Add check for IPv6 stack to upgrade process
 - Change IPv6 checker to also check that localhost resolves to ::1

Part of fixes https://pagure.io/freeipa/issue/7083

Reviewed-By: Tomas Krizek <tkrizek at redhat.com>

- - - - -
5acd4840 by Stanislav Laznicka at 2017-09-20T10:58:33Z
rpc: don't decode cookie_string if it's None

This removes an ugly debug message from client installation

Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
bf0b74be by Felipe Barreto at 2017-09-21T08:24:06Z
Checks if Dir Server is installed and running before IPA installation

In cases when IPA is installed in two steps (external CA), it's
necessary to check (in the second step) if Dir. Server is
running before continuing with the installation. If it's not,
start Directory Server.

https://pagure.io/freeipa/issue/6611

Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
b0184d10 by Petr Vobornik at 2017-09-21T08:27:14Z
browser config: cleanup after removal of Firefox extension

The Firefox extension which served for configuring Kerberos auth in Firefox
until the version which banned self-signed extensions was removed in commit
6c53765ac1746ea3cb82554775a37fe43af062e8.

Given that configure.jar, an even older Firefox config tool, was removed
sometime before that, there is no use for the signtool tool. It is good
because it is removed from Fedora 27 anyway. So removing the last unused
function which calls it.

The removal of the FF extension was not exactly clean, so also removing
browserconfig.html whose only purpose was to use the extension. Therefore
related JS files are also removed. This removal requires unauthorized.html
to be updated so that it doesn't point to a non-existing page. And given that
it now points only to a single config page, we can change the link in the UI login page
to this page (ssbrowser.html). While at it, improving buttons in ssbrowser.html.

Btw, commit 6c53765ac1746ea3cb82554775a37fe43af062e8 also removed generation of
krb.js. It had one perk - with that info ssbrowser.html could display the real
Kerberos domain instead of only 'example.com'.  I don't have time to revert this
change so removing traces of krb.js as well.

https://pagure.io/freeipa/issue/7135

Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
321f07de by Tomas Krizek at 2017-09-22T05:52:02Z
prci: update F26 template

Signed-off-by: Tomas Krizek <tkrizek at redhat.com>

- - - - -
ee87b66b by Fraser Tweedale at 2017-09-22T09:57:15Z
py3: fix pkcs7 file processing

https://pagure.io/freeipa/issue/7131

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7902fc9a by Michal Reznik at 2017-09-27T09:51:20Z
test_external_ca: switch to python-cryptography

Switch external CA generation from certutil to python-cryptography
as this way of handling the certificates should be more readable,
maintainable and extendable (e.g. extensions handling).

Also as external CA is now a separate module we can import it and
use elsewhere.

https://pagure.io/freeipa/issue/7154

Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
c5afee96 by Fraser Tweedale at 2017-10-04T08:09:18Z
cli: simplify parsing of arbitrary types

Add the 'constructor' type to IPAOption to allow parsing arbitrary
types.

When using this type, supply the 'constructor' attribute with the
constructor of the type.  The checker for the 'constructor' type
attempts to construct the data, returning if successful else raising
OptionValueError.

The 'knob' interface remains unchanged but now accepts arbitrary
constructors.

This feature subsumes the '_option_callback' mechanism, which has
been refactored away.

This feature also subsumes the "dn" type in IPAOption, but this
refactor is deferred.

Part of: https://pagure.io/freeipa/issue/6858

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
1699cff3 by Fraser Tweedale at 2017-10-04T08:09:18Z
Remove duplicate references to external CA type

Part of: https://pagure.io/freeipa/issue/6858

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
b4365e3a by Fraser Tweedale at 2017-10-04T08:09:18Z
install: allow specifying external CA template

Allow the MS/AD-CS target certificate template to be specified by
name or OID, via the new option --external-ca-profile.

Part of: https://pagure.io/freeipa/issue/6858

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
fc7c684b by Fraser Tweedale at 2017-10-04T08:09:18Z
ipa-ca-install: add --external-ca-profile option

Fixes: https://pagure.io/freeipa/issue/6858
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
2207dc5c by Fraser Tweedale at 2017-10-04T08:09:18Z
certmonger: refactor 'resubmit_request' and 'modify'

certmonger.resubmit_request() and .modify() contain a redundant if
statement that means more lines of code must be changed when adding
or removing a function argument.  Perform a small refactor to
improve these functions.

Part of: https://pagure.io/freeipa/issue/6858

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
560ee3c0 by Fraser Tweedale at 2017-10-04T08:09:18Z
certmonger: add support for MS V2 template

Update certmonger.resubmit_request() and .modify() to support
specifying the Microsoft V2 certificate template extension.

This feature was introduced in certmonger-0.79.5 so bump the minimum
version in the spec file.

Part of: https://pagure.io/freeipa/issue/6858

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
29f4ec86 by Fraser Tweedale at 2017-10-04T08:09:18Z
ipa-cacert-manage: support MS V2 template extension

Update ipa-cacert-manage to support the MS V2 certificate template
extension.

Part of: https://pagure.io/freeipa/issue/6858

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
d43cf35c by Fraser Tweedale at 2017-10-04T08:09:18Z
Add tests for external CA profile specifiers

Part of: https://pagure.io/freeipa/issue/6858

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
49c0a7b4 by Fraser Tweedale at 2017-10-04T08:09:18Z
ipa-cacert-manage: handle alternative tracking request CA name

For an externally-signed CA, if an earlier run of ipa-cacert-manage
was interrupted, the CA name in the IPA CA tracking request may have
been left as "dogtag-ipa-ca-renew-agent-reuse" (it gets reverted to
"dogtag-ipa-ca-renew-agent" at the end of the CSR generation
procedure).  `ipa-cacert-manage renew` currently only looks for a
tracking request with the "dogtag-ipa-ca-renew-agent" CA, so in this
scenario the program fails with message "CA certificate is not
tracked by certmonger".

To handle this scenario, if the IPA CA tracking request is not
found, try once again but with the "dogtag-ipa-ca-renew-agent-renew"
CA name.

Part of: https://pagure.io/freeipa/issue/6858

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
75a2eda8 by Fraser Tweedale at 2017-10-04T08:09:18Z
ipa-cacert-manage: avoid some duplicate string definitions

Part of: https://pagure.io/freeipa/issue/6858

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
f2b32759 by Michal Reznik at 2017-10-04T08:18:11Z
test_caless: add caless to external CA test

Add caless to external CA test as the suite is currently
missing one.

https://pagure.io/freeipa/issue/7155

Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
418421d9 by Rob Crittenden at 2017-10-04T08:22:10Z
Collect group membership without a size limit

If the # of group memberships exceeded the search size limit
then SizeLimitExceeded was raised. Being in too many groups
should not cause a *_show to fail.

https://pagure.io/freeipa/issue/7112

Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
af1b8513 by Stanislav Laznicka at 2017-10-06T07:19:46Z
Remove the `message` attribute from exceptions

This is causing python2 tests to print ugly warnings about the
deprecation of the `message` attribute in python2.6.

https://pagure.io/freeipa/issue/7131

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
3b5e9793 by Michal Reznik at 2017-10-06T07:22:37Z
tests_py3: decode get_file_contents() result

When running tests in python3 we get bytes object instead of
bytestring from get_file_contents() and when passing it to
run_command() we later fail on concatenation in shell_quote().

https://pagure.io/freeipa/issue/7131

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
209bb277 by Stanislav Laznicka at 2017-10-10T08:05:37Z
travis: make tests fail if pep8 does not pass

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a2a6cf38 by Michal Reznik at 2017-10-11T11:06:57Z
tests: add host zone with overlap

This patch is mainly for the test_forced_client_reenrolment suite,
where, when we are not in control of our client DNS, we create an
overlap zone in order to get the host records updated. This also
sets resolv.conf before every ipa-client-install to the ipa master.

https://pagure.io/freeipa/issue/7124

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Milan Kubik <mkubik at redhat.com>

- - - - -
fe1aad76 by Sumit Bose at 2017-10-13T11:43:35Z
ipa-kdb: reinit trusted domain data for enterprise principals

While processing enterprise principals the information about trusted domains
might not be up-to-date. With this patch ipadb_reinit_mspac() is called if an
unknown domain is part of the enterprise principal.

Resolves https://pagure.io/freeipa/issue/7172

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7a3da278 by Aleksei Slaikovskii at 2017-10-13T14:47:53Z
Less confusing message for PKINIT configuration during install

The message about an error during replica setup was causing the
users to think the installation had gone wrong even though this was
expected behavior when ipa-replica-install was run without the
--no-pkinit flag and the CA somehow is not reachable, which means
that there is something wrong in the topology but does not lead
to failure of the replica's installation. So now the installation
will not print error messages to stdout but rather will give a
recommendation to the user and write the old error message to the log
as a warning so it will still be easy to find if needed.

https://pagure.io/freeipa/issue/7179

Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
53abf010 by David Kupka at 2017-10-13T15:03:23Z
tests: Add LDAP URI to ldappasswd explicitly

Tests should always rely on api.env.* values when possible.
Without this running the tests remotely can result in errors such
as ldap{search,modify,passwd} attempting to connect to the
wrong URI and failing.

https://fedorahosted.org/freeipa/ticket/6622

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
73b20975 by Florence Blanc-Renaud at 2017-10-17T08:22:39Z
ipa-server-upgrade: fix the logic for tracking certs

ipa-server-upgrade needs to configure certmonger with the right options
in order to track PKI, HTTP and LDAP certs (for instance the RA agent cert
location has changed from older releases).
The upgrade code looks for existing tracking requests with the expected
options by using criteria (location of the NSSDB, nickname, CA helper...).
If a tracking request is not found, it means that it is either using wrong
options or is not configured. In this case, the upgrade stops tracking
all the certs, reconfigures the helpers, and starts tracking the certs so that
the config is up-to-date.

The issue is that the criteria are using the keyword 'ca' instead of
'ca-name' and this leads to the upgrade believing that the config needs to be
updated in all cases.

https://pagure.io/freeipa/issue/7151

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
d87163c2 by Florence Blanc-Renaud at 2017-10-17T08:22:39Z
ipa-server-upgrade: do not add untracked certs to the request list

If LDAP or HTTP Server Cert are not issued by ipa ca, they are not tracked.
In this case, it is not necessary to add them to the tracking requests list.

https://pagure.io/freeipa/issue/7151

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7ab49dda by David Kupka at 2017-10-17T11:42:11Z
schema: Fix internal error in param-{find,show} with nonexistent object

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
38221200 by Felipe Barreto at 2017-10-17T11:42:11Z
Fixing param-{find,show} and output-{find,show} commands

Now, the criteria option is working for both commands
and the commands are able to handle wrong input values.

https://pagure.io/freeipa/issue/7134

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
acd72cc8 by Rob Crittenden at 2017-10-17T12:59:06Z
Use 389-ds provided method for file limits tuning

Previously IPA would set the LimitNOFILE value to 8192 to increase
the number of concurrent clients. 389-ds-base does this by default
as of 1.3.7.0.

Remove the IPA-specific tuning and rely on the out-of-the-box
389-ds-base tuning.

Bump the required version of 389-ds-base to 1.3.7.0.

Any other tuning added by 389-ds-base will result in a
dirsrv.systemd.rpmsave file which admins will need to merge
in manually, like typical .rpmsave config changes.

https://pagure.io/freeipa/issue/6994

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
48dc9bb9 by Alexander Koksharov at 2017-10-17T13:59:58Z
kra-install: better warning message

Users would like to see the CA installation command in the KRA installation
warning message.

This makes the warning message similar to other installer messages where it
suggests a command to run.

https://pagure.io/freeipa/issue/6952

Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Felipe Barreto <fbarreto at redhat.com>

- - - - -
9b8b7afe by Stanislav Laznicka at 2017-10-17T14:43:15Z
p11-kit: add serial number in DER format

This causes Firefox to report our CA certificate as not-trustworthy.
We were previously doing this correctly, however it slipped as an
error due to certificate refactoring.

https://pagure.io/freeipa/issue/7210

Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
dea059d1 by Christian Heimes at 2017-10-18T10:09:57Z
Block PyOpenSSL to prevent SELinux execmem in wsgi

Some dependencies like Dogtag's pki.client library and custodia use
python-requests to make HTTPS connections. python-requests prefers
PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is built on top
of python-cryptography, which triggers an execmem SELinux violation
in the context of Apache HTTPD (httpd_execmem).

When requests is imported, it always tries to import pyopenssl glue
code from urllib3's contrib directory. The import of PyOpenSSL is
enough to trigger the SELinux denial.

Block any import of PyOpenSSL's SSL module in wsgi by raising an
ImportError. The block is compatible with new python-requests with
unbundled urllib3, too.

Fixes: https://pagure.io/freeipa/issue/5442
Fixes: RHBZ#1491508
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Tomas Krizek <tkrizek at redhat.com>
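
A minimal version of the import-blocking technique this commit describes, written for this page as an added example rather than FreeIPA's own code: a finder placed first on sys.meta_path refuses to resolve OpenSSL.SSL, so any "import OpenSSL.SSL" (including urllib3's pyopenssl contrib glue) gets an ImportError and callers fall back to the stdlib ssl module. The class name, the BLOCKED_MODULES set and the helper functions are my own; the stub parent package in demo_blocked_import() is constructed so the end-to-end path can be exercised without pyOpenSSL installed.

```python
"""Block imports of PyOpenSSL's SSL module via a sys.meta_path finder.

Added example, not FreeIPA's implementation: the finder runs before the
normal path-based finders and raises ImportError for blocked names.
"""
import importlib
import importlib.abc
import sys
import types

# Module names we refuse to import.  Blocking the submodule is enough for
# urllib3's contrib code, which imports OpenSSL.SSL and catches ImportError.
BLOCKED_MODULES = frozenset({"OpenSSL.SSL"})


class BlockedImportFinder(importlib.abc.MetaPathFinder):
    """Meta path finder that raises ImportError for blocked module names."""

    def find_spec(self, fullname, path=None, target=None):
        if fullname in BLOCKED_MODULES:
            raise ImportError(
                "import of {} is blocked in this process".format(fullname),
                name=fullname,
            )
        # None tells the import machinery to try the next finder.
        return None


def install_block():
    """Put the finder first on sys.meta_path (idempotent) and drop any
    cached copy of a blocked module so an earlier import cannot bypass it."""
    if not any(isinstance(f, BlockedImportFinder) for f in sys.meta_path):
        sys.meta_path.insert(0, BlockedImportFinder())
    for name in list(sys.modules):
        if name in BLOCKED_MODULES:
            del sys.modules[name]


def import_is_blocked(name):
    """Return True only if importing `name` fails with our own ImportError,
    not merely because the module is absent from the system."""
    try:
        importlib.import_module(name)
    except ImportError as exc:
        return "is blocked" in str(exc)
    return False


def demo_blocked_import():
    """End-to-end check: with the finder installed, importing OpenSSL.SSL
    fails with the blocking ImportError.  If the OpenSSL package cannot be
    imported (not installed, or its __init__ itself pulls in OpenSSL.SSL),
    a stub parent package is registered (constructed for this demo only) so
    that the submodule lookup actually reaches the meta path."""
    install_block()
    if "OpenSSL" not in sys.modules:
        try:
            importlib.import_module("OpenSSL")
        except ImportError:
            stub = types.ModuleType("OpenSSL")
            stub.__path__ = []  # an empty __path__ marks it as a package
            sys.modules["OpenSSL"] = stub
    return import_is_blocked("OpenSSL.SSL")


if __name__ == "__main__":
    print("OpenSSL.SSL blocked:", demo_blocked_import())
    print("stdlib json still importable:", not import_is_blocked("json"))
```

Installing the finder at index 0 matters: finders are consulted in order, so placing it after the default path finder would let a real OpenSSL package be found first and the block would never fire.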

- - - - -
c8dbd0cf by Abhijeet Kasurde at 2017-10-18T10:13:55Z
tests: correct usage of hostname in logger in tasks

This fix adds correct usage of host.hostname in logger.

Fixes: https://pagure.io/freeipa/issue/7190

Signed-off-by: Abhijeet Kasurde <akasurde at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
49cf5ec6 by Florence Blanc-Renaud at 2017-10-18T10:34:03Z
ipa-cacert-manage renew: switch from ext-signed CA to self-signed

The scenario switching from externally signed CA to self-signed CA is
currently failing because the certmonger helper goes through the wrong
code path when the cert is not self-signed.

When the cert is not self-signed but the admin wants to switch to self-signed
a new cert needs to be requested, not retrieved from LDAP.

https://pagure.io/freeipa/issue/7173

Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
3a041026 by Petr Čech at 2017-10-18T15:01:53Z
ipatests: Fix on logs collection

If the function `install_kra` or `install_ca` fails
on call `host.run_command(command, raiseonerr=raiseonerr)`
then the logs are not collected.

This situation is not optimal because we need to see what happened
during debugging of the tests.

So, this patch solves this situation by adding a try--finally
construction.

https://pagure.io/freeipa/issue/7214

Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
a2dea5a5 by John Morris at 2017-10-18T15:55:25Z
Increase dbus client timeouts during CA install

When running on memory-constrained systems, the `ipa-server-install`
program often fails during the "Configuring certificate server
(pki-tomcatd)" stage in FreeIPA 4.5 and 4.6.

The memory-intensive dogtag service causes swapping on low-memory
systems right after start-up, and especially new certificate
operations requested via certmonger can exceed the dbus client default
25 second timeout.

This patch changes dbus client timeouts for some such operations to
120 seconds (from the default 25 seconds, IIRC).

See more discussion in FreeIPA PR #1078 [1] and FreeIPA container
issue #157 [2].  Upstream ticket at [3].

[1]: https://github.com/freeipa/freeipa/pull/1078
[2]: https://github.com/freeipa/freeipa-container/issues/157
[3]: https://pagure.io/freeipa/issue/7213

Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
051786ce by Alexander Bokovoy at 2017-10-19T14:48:58Z
ds: ignore time skew during initial replication step

Initial replica creation can go with ignoring time skew checks.
We should, however, force time skew checks during normal operation.

Fixes https://pagure.io/freeipa/issue/7211

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
620f9653 by Alexander Bokovoy at 2017-10-19T14:48:58Z
ipa-replica-manage: implicitly ignore initial time skew in force-sync

When performing force synchronization, implicitly ignore initial
time skew (if any) and restore it afterwards.

This also changes semantics of force-sync by waiting until the end of
the initial replication.

Fixes https://pagure.io/freeipa/issue/7211

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
fad88b35 by Aleksei Slaikovskii at 2017-10-20T08:55:49Z
ipaclient.plugins.dns: Cast DNS name to unicode

cmd.api.Command.dnsrecord_split_parts expects name to be unicode
string and instead gets ascii. It leads to an error:
ipa: ERROR: invalid 'name': must be Unicode text

This commit casts the name's type to unicode so
'ipa dnsrecord-mod' will not fail with the error above.

https://pagure.io/freeipa/issue/7185

Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
b29db07c by Christian Heimes at 2017-10-20T10:27:19Z
Use os.path.isfile() and isdir()

Replace custom file_exists() and dir_exists() functions with proper
functions from Python's stdlib.

The change also gets rid of pylint's invalid bad-python3-import error,
https://github.com/PyCQA/pylint/issues/1565

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
be66eadb by Felipe Barreto at 2017-10-23T16:11:30Z
Fixing tox and pylint errors

Fixing import errors introduced by commits
icac3475a0454b730d6e5b2093c2e63d395acd387 and
0b7d9c5.

https://pagure.io/freeipa/issue/7132

Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Tomas Krizek <tkrizek at redhat.com>

- - - - -
be6f1a67 by Tomas Krizek at 2017-10-23T16:13:36Z
ipatests: set default 389-ds log level to 0

During integration tests, the log level of 8192 (replication debugging)
was excessive and made reading 389-ds logs very hard without providing
any useful information.

Part of: https://pagure.io/freeipa/issue/7162
Signed-off-by: Tomas Krizek <tkrizek at redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
8eb1bd37 by Tomas Krizek at 2017-10-24T10:01:32Z
spec: bump 389-ds-base to 1.3.7.6-1

To avoid an insidious bug during server installation on Fedora 27,
the dependency on 389-ds-base is bumped.

https://bugzilla.redhat.com/show_bug.cgi?id=1488295

Signed-off-by: Tomas Krizek <tkrizek at redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
3de30177 by Florence Blanc-Renaud at 2017-10-25T07:44:37Z
py3: fix ipa cert-request --database ...

Fix bytes vs str issues in ipa cert-request

https://pagure.io/freeipa/issue/7148

- - - - -
61dde27f by Stanislav Laznicka at 2017-10-25T07:44:37Z
csrgen_ffi: pass bytes where "char *" is required

In Python 3, "char *" corresponds to bytes rather than string.

https://pagure.io/freeipa/issue/7131

- - - - -
2b90c8a2 by Stanislav Laznicka at 2017-10-25T07:44:37Z
csrgen: accept public key info as Bytes

cert_get_requestdata() method is meant for internal use only and
is never passed a file. Make its parameter public_key_info Bytes
to better represent what's actually being passed to it.

https://pagure.io/freeipa/issue/7131

- - - - -
c9d710a4 by Stanislav Laznicka at 2017-10-25T07:44:37Z
csrgen: update docstring for py3

https://pagure.io/freeipa/issue/7131

- - - - -
26d721e6 by Stanislav Laznicka at 2017-10-25T07:44:37Z
parameters: relax type checks

The type checks in ipalib.parameters were too strict. An object
that inherits from a type should implement its public interface.
This should allow us to check for types of objects whose class
implementations are private to a module but they implement a certain
public interface (which is typical for e.g. python-cryptography).

https://pagure.io/freeipa/issue/7131

- - - - -
61605d28 by Stanislav Laznicka at 2017-10-25T07:44:37Z
parameters: introduce CertificateSigningRequest

Previously, CSRs were handled as a Str parameter which brought
trouble to Python 3 because of its more strict type requirements.
We introduce a CertificateSigningRequest parameter which allows us to
use python-cryptography x509.CertificateSigningRequest to represent
CSRs in the framework.

https://pagure.io/freeipa/issue/7131

- - - - -
f350b569 by Stanislav Laznicka at 2017-10-25T07:44:37Z
Add tests for CertificateSigningRequest

https://pagure.io/freeipa/issue/7131

- - - - -
0d7daf04 by Stanislav Laznicka at 2017-10-25T07:46:41Z
Remove pkcs10 module contents

This removes pkcs10 module contents and adds a warning message
about its future removal.

https://pagure.io/freeipa/issue/7131

- - - - -
03786ad9 by Stanislav Laznicka at 2017-10-25T07:46:41Z
csrgen_ffi: cast the DN value to unsigned char *

cffi throws warnings during the implicit cast from char * to
unsigned char * since the support of these casts is nearing
its end of life.

https://pagure.io/freeipa/issue/7131

- - - - -
6c88eb80 by Stanislav Laznicka at 2017-10-25T07:59:28Z
travis: pep8 changes to pycodestyle

The Travis CI environment changed pep8 to pycodestyle; do the
transition on our side as well.

Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
23a0453c by Felipe Barreto at 2017-10-25T16:30:26Z
Checks if replica-s4u2proxy.ldif should be applied

Before applying replica-s4u2proxy.ldif, we check
if the values are already there. The values can be
there if a replica installation was done in the past
and some info was left behind. Also, the code checks
the values independently.

https://pagure.io/freeipa/issue/7174

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
28802b39 by Thorsten Scherf at 2017-10-25T16:34:07Z
Add debug option to ipa-replica-manage and remove references to api_env var.

https://pagure.io/freeipa/issue/7187

Reviewed-By: Felipe Barreto <fbarreto at redhat.com>

- - - - -
624b34ab by Tomas Krizek at 2017-10-26T10:40:28Z
ldap: limit the retro changelog to dns subtree

The content synchronization plugin can be limited to the dns subtree in
Directory Server. This increases performance and helps to prevent some
potential issues.

Fixes: https://pagure.io/freeipa/issue/6515
Signed-off-by: Tomas Krizek <tkrizek at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a93592a7 by Stanislav Laznicka at 2017-10-26T10:43:47Z
PRCI: use a new template for py3 testing

The new template should allow using python3 to run ipa-run-tests
since it provides the required dependencies for HTML test results
extraction and python3-paramiko.

Reviewed-By: Felipe Barreto <fbarreto at redhat.com>

- - - - -
d39456a8 by Stanislav Laznicka at 2017-10-26T10:43:47Z
ipatests: use python3 if built with python3

Change the default python version for test scripts

https://pagure.io/freeipa/issue/7131

Reviewed-By: Felipe Barreto <fbarreto at redhat.com>

- - - - -
71a80264 by Stanislav Laznicka at 2017-10-26T10:43:47Z
py3: pass raw entries to LDIFWriter

LDIFWriter.unparse() expects the scalar values of the attributes
of the entries to be bytes as it applies a byte regular expression
to check whether to base64-encode the values or not. Previously,
we were passing the scalar attribute values as strings which
was breaking the LDIFWriter.unparse() execution.

https://pagure.io/freeipa/issue/7131

Reviewed-By: Felipe Barreto <fbarreto at redhat.com>

- - - - -
9f8700fc by Robbie Harwood at 2017-10-26T10:46:44Z
ipa-kdb: support KDB DAL version 7.0

krb5-1.16 includes DAL version 7, which changes the signature of
audit_as_req to include local and remote address parameters.

This patch just enables building against the new DAL version and bumps
the minimum in freeipa.spec.in, but doesn't use the new information
for anything.

Reviewed-By: Tomas Krizek <tkrizek at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
68d2fa40 by Aleksei Slaikovskii at 2017-10-26T10:48:44Z
Fix TypeError while ipa-restore is restoring a backup

Fixed ipa-restore code to get rid of bytes related TypeError and
to get ipa-restore work again.

https://pagure.io/freeipa/issue/7131

Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
7b149b3c by Florence Blanc-Renaud at 2017-10-26T13:06:49Z
Fix ipa-replica-conncheck when called with --principal

ipa-replica-conncheck can be called with --principal / --password or
with an existing Kerberos credential cache in order to supply the
authorized identity logging in to the master machine (in
auto-master-check mode).

In domain-level 0, the tool is called with --principal and password
and tries to obtain a TGT by performing kinit, but does not set the
env var KRB5CCNAME. Subsequent calls to IPA API do not use the
credential cache and fail. In this case, ipa-replica-conncheck falls
back to using SSH to check master connectivity instead of IPA API,
and the ssh check is less robust.

The code should set the KRB5CCNAME env var for IPA API to use the
credential cache.

Fixes:
https://pagure.io/freeipa/issue/7221

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
aa5ad3e2 by Fraser Tweedale at 2017-10-30T09:35:01Z
Add missing space in ipa-replica-conncheck error

Fixes: https://pagure.io/freeipa/issue/7224
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
d6529731 by Rishabh Dave at 2017-10-30T09:49:13Z
ipa-ca-install: mention REPLICA_FILE as optional in help

As man page already does it, update the help text to show REPLICA_FILE
as optional.

Fixes https://pagure.io/freeipa/issue/7223

Signed-off-by: Rishabh Dave <rishabhddave at gmail.com>
Reviewed-By: Abhijeet Kasurde <akasurde at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
c9265a7b by Stanislav Laznicka at 2017-11-01T06:55:04Z
x509: remove the strip_header() function

We don't need the strip_header() function, to load an unknown
x509 certificate, load_unknown_x509_certificate() should be used.

Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
4cc94512 by Stanislav Laznicka at 2017-11-01T06:55:04Z
x509: remove subject_base() function

The x509.subject_base() function is only used in tests. During
the recent certificate refactoring, we had to get rid of the
ipalib.x509 import from the module scope so that there were no
circular dependencies and add it exactly to this function which
is not used in the production code.

Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
4fc90311 by Fraser Tweedale at 2017-11-01T11:39:19Z
Remove mention of firefox plugin after CA-less install

The plugin was removed some time ago.

Part of: https://pagure.io/freeipa/issue/7226

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
260db9de by Fraser Tweedale at 2017-11-01T11:39:19Z
Remove XPI and JAR MIME types from httpd config

We added MIME types for JAR and XPI files, which were needed for
correct handling of the Firefox auto-configuration plugin.  The
plugin was removed some time ago, so remove the media type
definitions.

Part of: https://pagure.io/freeipa/issue/7226

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
1ebd8193 by Fraser Tweedale at 2017-11-01T11:39:19Z
CertDB: remove unused method issue_signing_cert

The CertDB.issue_signing_cert method was used to issue the object
signing cert for signing the Firefox auto-configuration extension
(XPI).  We removed the extension and certificate some time ago, and
the method is now unused so remove it.

Part of: https://pagure.io/freeipa/issue/7226

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
3e338578 by Fraser Tweedale at 2017-11-01T11:39:19Z
Remove caJarSigningCert profile and related code

The caJarSigningCert profile was used for issuing the object signing
certificate for signing the Firefox auto-configuration extension
(XPI).  We removed the extension and object signing certificate some
time ago, so remove the profile and the related code that sets it
up.

Fixes: https://pagure.io/freeipa/issue/7226
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
59802d37 by Aleksei Slaikovskii at 2017-11-01T11:46:57Z
Add a notice to restart ipa services after certs are installed

Adding notice for user to restart services after
ipa-server-certinstall.

https://pagure.io/freeipa/issue/7016

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d8b3e53c by Florence Blanc-Renaud at 2017-11-03T14:10:28Z
Py3: fix ipa-replica-conncheck

ipa-replica-conncheck is using the socket methods sendall()
and sendto() with str. These methods expect str params in
python2 but bytes in python3.

Related to
https://pagure.io/freeipa/issue/7131

Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
0033e093 by Tomas Krizek at 2017-11-06T13:05:25Z
prci: add external_ca test

Add external_ca to the PR CI test suite.

Signed-off-by: Tomas Krizek <tkrizek at redhat.com>
Reviewed-By: Felipe Barreto <fbarreto at redhat.com>

- - - - -
1d190092 by Tomas Krizek at 2017-11-06T13:05:25Z
ipatests: collect logs for external_ca test suite

Since test_external_ca isn't using the multihost framework,
logs collection has to be set up explicitly.

Signed-off-by: Tomas Krizek <tkrizek at redhat.com>
Reviewed-By: Felipe Barreto <fbarreto at redhat.com>

- - - - -
16da7c61 by Felipe Barreto at 2017-11-06T15:22:18Z
Fix log capture when running pytests_multihosts commands

The pytests_plugins/integration/config.py::Config class
provides the get_logger method in order to customize the
default log of the plugin.

Previously, before commit 07229c8ff66669ba87b7d6599c3ec0d362ef2be4,
the code was using ipa_log_manager, a custom log solution. After
moving to use the default python way, the log is not configured anymore.

This PR addresses it by changing the level to DEBUG in order to capture
the output of pytest_multihosts commands.

As an example, when running `ipa-server-install`, you will be able
to see an output like this:
```
[[...].Host.master.cmd2] Checking DNS domain ipa.test, please wait ...
[[...].Host.master.cmd2]
[[...].Host.master.cmd2] The log file for this installation can be found in /var/log/ipaserver-install.log
[[...].Host.master.cmd2] ==============================================================================
[[...].Host.master.cmd2] This program will set up the FreeIPA Server.
[[...].Host.master.cmd2]
[[...].Host.master.cmd2] This includes:
[[...].Host.master.cmd2]   * Configure a stand-alone CA (dogtag) for certificate management
[[...].Host.master.cmd2]   * Configure the Network Time Daemon (ntpd)
[[...].Host.master.cmd2]   * Create and configure an instance of Directory Server
[[...].Host.master.cmd2]   * Create and configure a Kerberos Key Distribution Center (KDC)
```

Fixes: https://pagure.io/freeipa/issue/7186
Reviewed-By: Tomas Krizek <tkrizek at redhat.com>

- - - - -
59e136e8 by Michal Reznik at 2017-11-06T15:51:00Z
test_forced_client: decode get_file_contents() result

Decode get_file_contents() in order to not get bytes when running py3

https://pagure.io/freeipa/issue/7131

Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
5e4f76b0 by Michal Reznik at 2017-11-06T15:53:14Z
test_caless: open CA cert in binary mode

When running test_caless suite in py3 we need to open CA cert in
binary mode so we can provide bytes later for python-cryptography.

https://pagure.io/freeipa/issue/7131

Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
02c1d0e8 by Michal Reznik at 2017-11-07T09:17:17Z
test_external_dns: add missing test cases

Add NTP, ipa-ca and ADTrust system records tests. Also test if
changes are being reflected when uninstalling a host.

The test cases are added as extension into test_dns_locations suite.

https://pagure.io/freeipa/issue/6091

Reviewed-By: Martin Basti <mbasti at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
c99b3773 by Stanislav Laznicka at 2017-11-07T15:49:36Z
Add the sub operation for fqdn index config

This should improve performance of the host-find command.

https://pagure.io/freeipa/issue/6371

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
5458bb50 by Stanislav Laznicka at 2017-11-07T15:49:36Z
Add indexing to improve host-find performance

host-find <host_name> command performance deteriorates when
there are way too many hosts in the LDAP tree. We're adding indices
to try and mitigate this behavior.

https://pagure.io/freeipa/issue/6371

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a3009b39 by Stanislav Laznicka at 2017-11-08T06:58:46Z
caless tests: make debug log of certificates sensible

CA-less tests debug logging uses representation of a variable
containing the certificate object, which does not help very much.
Use the actual DER representation of the certificate in such places.

Reviewed-By: Michal Reznik <mreznik at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
983234c9 by Stanislav Laznicka at 2017-11-08T06:58:46Z
caless tests: decode cert bytes in debug log

Bytes would cause the logger to throw up while interpolating the
string.

Reviewed-By: Michal Reznik <mreznik at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
8b8437aa by Florence Blanc-Renaud at 2017-11-08T07:00:18Z
ipa-getkeytab man page: add more details about the -r option

The man page does not provide enough information about replicated
environments and the use of the -r option.
This fix adds an example how to use the same keytab on 2 different
hosts, and points to ipa {service/host}-allow-retrieve-keytab.

Fixes:
https://pagure.io/freeipa/issue/7237

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9345142c by Thierry Bordaz at 2017-11-08T07:06:35Z
389-ds-base crashed as part of ipa-server-install in ipa-uuid

Bug Description:
	When adding an entry, ipa-uuid plugin may generate a unique value
	for some of its attributes.
	If the generated attribute is part of the RDN, the target DN
	is replaced on the fly and the previous one freed.
	Unfortunately, previous DN may be later used instead of
	the new one.

Fix Description:
	Make sure to use only the current DN of the operation

https://bugzilla.redhat.com/show_bug.cgi?id=1496226
https://pagure.io/freeipa/issue/7227

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
16a952a0 by Stanislav Laznicka at 2017-11-08T07:32:00Z
Don't allow OTP or RADIUS in FIPS mode

RADIUS, which is also internally used in the process of OTP
authentication by ipa-otpd, requires MD5 checksums which
makes it impossible to use in FIPS mode. Don't allow users
to set OTP or RADIUS authentication if in FIPS mode.

https://pagure.io/freeipa/issue/7168

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f4a20831 by Florence Blanc-Renaud at 2017-11-08T14:40:35Z
Fix ipa-restore (python2)

In order to stop tracking LDAP server cert, ipa-restore is using
dse.ldif to find the certificate name. But when ipa-server-install
--uninstall has been called, the file does not exist, leading to an
IOError exception (regression introduced by 87540fe).

The ipa-restore code properly catches the exception in python3 because
IOError is a subclass of OSError, but in python2 this is not the case.
The fix catches IOError and OSError to work properly with both versions.

Fixes:
https://pagure.io/freeipa/issue/7231

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
905ab93c by Aleksei Slaikovskii at 2017-11-09T10:32:31Z
Prevent installation with single label domains

Adds validation to prevent users from installing IPA with a single label
domain.

https://pagure.io/freeipa/issue/7207

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
b84e8be5 by Felipe Barreto at 2017-11-09T11:05:39Z
Removing replica-s4u2proxy.ldif since it's not used anymore

Since commit 23a0453c4d33271376b2156f2e2b484e8b9708c9, the
replica-s4u2proxy.ldif file is not used anymore.

https://pagure.io/freeipa/issue/7174

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
405da071 by Felipe Barreto at 2017-11-09T11:24:03Z
Warn the user when using a loopback IP as forwarder

Changing the --forwarder option to accept a loopback IP.
Previously, an error would be raised, now we just show a
warning message.

Fixes: https://pagure.io/freeipa/issue/5801
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Martin Basti <mbasti at redhat.com>

- - - - -
222cef1a by Abhijeet Kasurde at 2017-11-10T07:05:21Z
ipatests: Fix interactive prompt in ca_less tests

This fix adds additional prompt which was missing previously
in test_interactive_missing_ds_pkcs_password and
test_interactive_missing_http_pkcs_password under CA-less integration
testsuite.

Fixes: https://pagure.io/freeipa/issue/7182

Signed-off-by: Abhijeet Kasurde <akasurde at redhat.com>
Reviewed-By: Michal Reznik <mreznik at redhat.com>

- - - - -
32c64a78 by Rob Crittenden at 2017-11-10T09:09:57Z
Fix cert-find for CA-less installations

Change eb6d4c3037d0cc269a7924745f1cbd8f647e6e1a deferred the
detailed lookup until all certs were collected but introduced
a bug where the ra backend was always retrieved. This generated a
backtrace in a CA-less install because there is no ra backend in
the CA-less case.

The deferral also removes the certificate value from the LDAP
search output resulting in only the serial number being displayed
unless --all is provided. Add a new class variable,
self.ca_enabled, to add an exception for the CA-less case.

Fixes https://pagure.io/freeipa/issue/7202

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
3ca77456 by Christian Heimes at 2017-11-10T12:18:47Z
Py3: fix fetching of tar files

pytest_multihost does not support binary stdout stream yet,
https://pagure.io/python-pytest-multihost/issue/7 . Write logs to
temporary file and use host.get_file_content() to fetch them.

https://pagure.io/freeipa/issue/7131

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Michal Reznik <mreznik at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
db313da6 by Michal Reznik at 2017-11-13T11:14:34Z
manpage: ipa-replica-conncheck - fix minor typo

Fixes minor typo "Defaults t" to "Defaults to".

https://pagure.io/freeipa/issue/7250

Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
c45a9895 by Tomas Krizek at 2017-11-13T12:49:51Z
ipatests: fix circular import for collect_logs

Move collect_logs function from util to avoid a circular import.

Signed-off-by: Tomas Krizek <tkrizek at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
28f7edaa by Aleksei Slaikovskii at 2017-11-13T15:57:06Z
ipa-restore: Set umask to 0022 while restoring

When users set the umask to 0027 due to security policies,
ipa-restore results in a non-working dirsrv.

So the fix is to temporarily set the umask to 0022 while ipa-restore is
running.

https://pagure.io/freeipa/issue/6844

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
3c84b014 by Tomas Krizek at 2017-11-13T16:43:35Z
py3 spec: use proper python2 package names

Package names for python2 were updated. Changed:
  dbus-python -> python2-dbus
  python -> python2
  python-devel -> python2-devel
  python-enum34 -> python2-enum34
  python-jwcrypto -> python2-jwcrypto
  python-kdcproxy -> python2-kdcproxy
  python-netifaces -> python2-netifaces
  python-netaddr ->  python2-netaddr
  python-pytest-multihost -> python2-pytest-multihost
  python-pytest-sourceorder -> python2-pytest-sourceorder
  python-setuptools -> python2-setuptools
  python-six -> python2-six
  python-sssdconfig -> python2-sssdconfig
  samba-python -> python2-samba

Part of: https://pagure.io/freeipa/issue/7131
Signed-off-by: Tomas Krizek <tkrizek at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
e203e9f8 by Tomas Krizek at 2017-11-13T16:43:35Z
py3 spec: remove python2 dependencies from freeipa-server

When building the package for python3, use only python3
dependencies. Changed:
  python -> python2 / python3
  python-gssapi -> python2-gssapi / python3-gssapi
  python-ldap -> python-ldap / python3-pyldap
  systemd-python -> python2-systemd / python3-systemd

Fixes: https://pagure.io/freeipa/issue/7208
Signed-off-by: Tomas Krizek <tkrizek at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
49c77d77 by Tomas Krizek at 2017-11-13T16:43:35Z
py3 spec: remove python2 dependencies from server-trust-ad

Use only python3 dependencies when building server-trust-ad for python3.

Fixes: https://pagure.io/freeipa/issue/7208
Signed-off-by: Tomas Krizek <tkrizek at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
8bbeedc9 by Christian Heimes at 2017-11-13T17:10:54Z
Backup ipa-custodia conf and keys

https://pagure.io/freeipa/issue/7247

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
48d63020 by Christian Heimes at 2017-11-15T10:06:53Z
Remove ignore_import_errors

ignore_import_errors was added in 9b534238 to build FreeIPA ACI/API with
some dependencies missing. It turns out that the import hook doesn't
play nice with other meta importers or Cython-generated code like lxml:

./makeaci: ipaserver/plugins/dogtag.py:246: ignoring ImportError: No module named lxml.re
Traceback (most recent call last):
  File "./makeaci", line 134, in <module>
    main(options)
  File "./makeaci", line 107, in main
    api.finalize()
  File "ipalib/plugable.py", line 733, in finalize
    self.__do_if_not_done('load_plugins')
  File "ipalib/plugable.py", line 425, in __do_if_not_done
    getattr(self, name)()
  File "ipalib/plugable.py", line 614, in load_plugins
    self.add_package(package)
  File "ipalib/plugable.py", line 641, in add_package
    module = importlib.import_module(name)
  File "/usr/lib64/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
  File "ipaserver/plugins/dogtag.py", line 246, in <module>
    from lxml import etree
  File "src/lxml/etree.pyx", line 93, in init lxml.etree
  File "src/lxml/_elementpath.py", line 58, in init lxml._elementpath
AttributeError: 'FailedImport' object has no attribute 'compile'

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f6adf4f3 by Abhijeet Kasurde at 2017-11-15T10:14:15Z
Trivial typo fix.

Fix adds correction to word 'enforce'

Signed-off-by: Abhijeet Kasurde <akasurde at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
a48f6511 by Christian Heimes at 2017-11-15T13:17:24Z
Use namespace-aware meta importer for ipaplatform

Instead of symlinks and build-time configuration the ipaplatform module
is now able to auto-detect platforms on import time. The meta importer
uses the platform 'ID' from /etc/os-releases. It falls back to 'ID_LIKE'
on platforms like CentOS, which has ID=centos and ID_LIKE="rhel fedora".

The meta importer is able to handle namespace packages and the
ipaplatform package has been turned into a namespace package in order to
support external platform specifications.

https://fedorahosted.org/freeipa/ticket/6474

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
495b8579 by Michal Reznik at 2017-11-15T15:23:15Z
test_caless: fix TypeError on domain_level compare

Fixes an error where we were getting domain_level None and after
switching to Py3 we hit TypeError because of comparing None and int.

https://pagure.io/freeipa/issue/7254

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
cedd52d7 by Michal Reznik at 2017-11-15T15:23:15Z
test_caless: fix http.p12 is not valid

In "test_invalid_ds_cn" test case an old invalid http.p12 cert
is used as a leftover after previous "test_invalid_http_cn" test.
Get new valid http.p12 cert using create_pkcs12().

Also use server-badname cert instead of cert for replica.
This explicitly ensures a non-matching hostname/SAN rather than
implicitly by using a certificate for the replica.

https://pagure.io/freeipa/issue/7254

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
6a097040 by Christian Heimes at 2017-11-16T07:48:15Z
ipa-custodia: use Dogtag's alias/pwdfile.txt

/etc/pki/pki-tomcat/password.conf contains additional passwords like
replicadb. ipa-custodia does not need these passwords.
/etc/pki/pki-tomcat/alias/pwdfile.txt holds the passphrase for Tomcat's
NSSDB. The file also simplifies implementation because it removes
another temporary file.

pwdfile.txt is created by CAInstance.create_certstore_passwdfile()

Related: https://pagure.io/freeipa/issue/6888
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>

- - - - -
38b17e1c by Christian Heimes at 2017-11-16T07:49:34Z
Test script for ipa-custodia

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
64a88d59 by Christian Heimes at 2017-11-16T07:50:58Z
Py3: Fix vault tests

* Bump PKI to 10.5.1-2, which fixes an issue with KRA under Python 3
* Correct encoding of secret

https://pagure.io/freeipa/issue/7033

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
00717449 by Christian Heimes at 2017-11-16T11:17:01Z
Support sqlite NSSDB

Prepare CertDB and NSSDatabase to support sqlite DB format. NSSDatabase
will automatically detect and use either old DBM or new SQL format. Old
databases are not migrated yet.

https://pagure.io/freeipa/issue/7049

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
443ecbc2 by Alexander Bokovoy at 2017-11-16T14:43:36Z
adtrust: filter out subdomains when defining our topology to AD

When defining a topology of a forest to be visible over a cross-forest
trust, we set *.<forest name> as the catch-all top level name already.

This means that all DNS subdomains of the forest will already be matched
by this top level name (TLN). If we add more TLNs for subdomains, Active
Directory will respond with NT_STATUS_INVALID_PARAMETER.

Filter out all subdomains of the forest root domain. All other realm
domains will be added with explicit TLN records.

Also filter out single label domains. These aren't possible to add as
TLNs to Windows Server 2016 as it considers them incorrect. Given that
we do not allow single label domains as part of freeIPA installs, this
is another layer of protection here.

Fixes https://pagure.io/freeipa/issue/6666

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
caed210b by Aleksei Slaikovskii at 2017-11-16T17:52:54Z
View plugin/command help in pager

ipa help code invokes the pager if the number of help lines is more than
the current terminal height.

https://pagure.io/freeipa/issue/7225

Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
04da8562 by Pavel Vomacka at 2017-11-16T17:54:49Z
WebUI: make Domain Resolution Order writable

Objectclass which defines the Domain Resolution Order is added to
the object only after modification. Therefore, before modification of
the object, attributelevelrights does not contain the 'domainresolutionorder'
attribute and the WebUI evaluates the field as not writable.

The 'w_if_no_aci' flag was designed to make writable those fields
for which we don't have attributelevelrights.

https://pagure.io/freeipa/issue/7169

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
9e640190 by Christian Heimes at 2017-11-20T16:01:59Z
Run tox tests for PyPI packages on Travis

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Tomas Krizek <tkrizek at redhat.com>

- - - - -
ba037a35 by Christian Heimes at 2017-11-21T08:36:27Z
libotp: add libraries after objects

Add dependency on external libraries after dependency on internal
objects so the linker can correctly pick up all symbols.

https://pagure.io/freeipa/issue/7189

Original patch by Rob Crittenden

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e1bd827b by Christian Heimes at 2017-11-21T15:13:28Z
Require UTF-8 fs encoding

http://blog.dscpl.com.au/2014/09/setting-lang-and-lcall-when-using.html

https://pagure.io/freeipa/issue/5887

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e11bb312 by Tomas Krizek at 2017-11-21T15:56:44Z
prci: start testing PRs on fedora 27

Signed-off-by: Tomas Krizek <tkrizek at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
57787f64 by Christian Heimes at 2017-11-22T08:51:56Z
Prevent installation of Py2 and Py3 mod_wsgi

FreeIPA is either compatible with Python 2 mod_wsgi or Python 3
mod_wsgi. mod_wsgi cannot coexist in the same Apache process as
mod_wsgi_python3. When both mod_wsgi and python3-mod_wsgi are installed,
the first loaded module wins and the other one is never loaded.

Add conflict on the other module to prevent installation of both
modules.

https://pagure.io/freeipa/issue/7161

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
d3a2a9be by Michal Reznik at 2017-11-22T14:19:52Z
test_vault: increase WAIT_AFTER_ARCHIVE

Fixes failing "ipa vault-retrieve" on replica due to a vault
not yet replicated. Increasing from 30 to 45 seems to be enough.

https://pagure.io/freeipa/issue/7265

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
a94ba732 by Florence Blanc-Renaud at 2017-11-23T12:29:54Z
Fix ipa-replica-install when key not protected by PIN

When ipa-replica-install is called in a CA-less environment, the certs,
keys and pins need to be provided with --{http|dirsrv|pkinit}-cert-file and
--{http|dirsrv|pkinit}-pin. If the pin is not provided in the CLI options,
and in interactive mode, the installer prompts for the PIN.
The issue happens when the keys are not protected by any PIN: the installer
does not accept an empty string and keeps asking for a PIN.

The fix makes sure that the installer accepts an empty PIN. A similar fix
was done for ipa-server-install in
https://pagure.io/freeipa/c/4ee426a68ec60370eee6f5aec917ecce444840c7

Fixes:
https://pagure.io/freeipa/issue/7274

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
c468e320 by Christian Heimes at 2017-11-23T17:31:30Z
Use Python 3 on Travis

Removes Travis workaround "group: deprecated-2017Q3"

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
4af36de1 by Tomas Krizek at 2017-11-23T18:13:06Z
prci: define testing topologies

Define usable topologies for upstream integration testing in PR CI.

Signed-off-by: Tomas Krizek <tkrizek at redhat.com>
Reviewed-By: Felipe Barreto <fbarreto at redhat.com>

- - - - -
197b5ca6 by Aleksei Slaikovskii at 2017-11-23T18:18:43Z
ipalib/frontend.py output_for_cli loops optimization

Trivial fix which removes unnecessary for loops.

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
191605ef by Christian Heimes at 2017-11-27T10:46:54Z
Reproducer for bug in structured dnsrecord_show

"RuntimeError: dictionary changed size during iteration" in
ipaserver/plugins/dns.py", line 3209, in postprocess_record

https://pagure.io/freeipa/issue/7275

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
f528a448 by Christian Heimes at 2017-11-27T10:46:54Z
Fix dict iteration bug in dnsrecord_show

In structured mode, dict size is modified by del record[attr].

https://pagure.io/freeipa/issue/7275

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
19138c5b by Florence Blanc-Renaud at 2017-11-27T16:51:03Z
Fix CA-less IPA install in FIPS mode

When ipa-server-install is run in FIPS mode and CA-less, the installer
fails when the keys are provided with --{http|dirsrv|pkinit}-cert-file
in a separate key file.

The installer transforms the key into PKCS#8 format using
openssl pkcs8 -topk8
but this command fails on a FIPS-enabled server, unless the options
-v2 aes256 -v2prf hmacWithSHA256
are also provided.

Fixes:
https://pagure.io/freeipa/issue/7280

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
cd80036b by Petr Čech at 2017-11-28T08:45:32Z
tests: Mark failing tests as failing

Some tests from the installation suite fail.
The issues are:

* ipa-replica-install --setup-kra if first KRA in topology fails
  https://pagure.io/freeipa/issue/7008

* Third KRA installation in topology fails
  https://pagure.io/freeipa/issue/7220

This patch marks those tests as failing.

Signed-off-by: Petr Čech <pcech at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
4069c129 by Christian Heimes at 2017-11-28T18:43:15Z
Add workaround for pytest 3.3.0 bug

pytest is setting an env var PYTEST_CURRENT_TEST to the test name + test
parameters. If parameters happen to contain NULL bytes, the putenv()
call fails with "ValueError: embedded null byte". The workaround uses
repr() of test parameters as parameter id.

See https://github.com/pytest-dev/pytest/issues/2957
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
8ec4b815 by Alexander Bokovoy at 2017-11-29T13:55:00Z
ipa-kdb: override krb5.conf when testing KDC code in cmocka

When testing KDC code in cmocka we rely on libkrb5 defaults.
libkrb5 would read /etc/krb5.conf by default and would load a KDB
module from there if it is defined for the test realm (EXAMPLE.COM).

Since EXAMPLE.COM is a common name used for test realms, make sure
not to use /etc/krb5.conf from the system. Instead, force KRB5_CONFIG to
/dev/null so that only libkrb5 compiled-in defaults are in use.

In such a setup libkrb5 will attempt to load the KDB driver db2 for our test
realm. The db2 driver doesn't fail if its database is not available (unlike
FreeIPA's one), so it survives initialization.

As a result, ipa-kdb-tests pass without unexpected breakage.

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
868c7e7c by Alexander Bokovoy at 2017-11-29T13:55:00Z
travis-ci: collect logs from cmocka tests

When 'make check' is run, automake produces logs for each test to be run.
Collect all the logs from the tests.

Also prepare the template to quickly enable use of gdb with traceback
in case a test is crashing. To use it, add LOG_COMPILE definition to
the 'make' line.

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
64f4c71d by Alexander Bokovoy at 2017-11-29T13:55:00Z
test_dns_plugin: cope with missing IPv6 in Travis

If IPv6 is not enabled, cope with the possibility of getting incomplete
output back from the IPA CLI.

To do so, use lambda to analyze the result rather than explicit
comparison with the expected output.

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
78ad1cfe by Alexander Bokovoy at 2017-11-30T09:38:03Z
ipa-extdom-extop: refactor nsswitch operations

Refactor nsswitch operations in ipa-extdom-extop plugin to allow use
of timeout-enabled nsswitch calls provided by libsss_nss_idmap.

Standard POSIX nsswitch API has no way to cancel requests which may
cause ipa-extdom-extop requests to hang far too long and potentially
exhaust LDAP server workers. In addition, glibc nsswitch API iterates
through all nsswitch modules one by one and with multiple parallel
requests a lock up may happen in an unrelated nsswitch module like
nss_files.so.2.

A solution to the latter issue is to directly load nss_sss.so.2 plugin
and utilize it. This, however, does not solve a problem with lack of
cancellable API.

With SSSD 1.16.1, libsss_nss_idmap provides a timeout-enabled variant of
the nsswitch API that is directly integrated with the SSSD client side machinery
used by nss_sss.so.2. As a result, this API can be used instead of loading
nss_sss.so.2 directly.

To support older SSSD versions, both direct loading of nss_sss.so.2 and
the new timeout-enabled API are supported by this changeset. An API to
abstract both is designed to be a mix between the internal glibc nsswitch
API and the external nsswitch API that libsss_nss_idmap mimics. The API does not
expose a per-call timeout. Instead, it allows setting a timeout per
nsswitch operation context to reduce requirements on the information
a caller has to maintain.

A choice which API to use is made at configure time.

In order to test the API, a cmocka test is updated to explicitly load
nss_files.so.2 as a backend. Since use of nss_sss.so.2 would always
depend on availability of SSSD, predictable testing would not be
possible without it otherwise. Also, the cmocka test does not use
nss_wrapper anymore because nss_wrapper overrides the higher level glibc
nsswitch API while we are loading an individual nsswitch module
directly.

As a result, the cmocka test overrides the fopen() call used by nss_files.so.2 to
load /etc/passwd and /etc/group. An overridden version changes the paths
/etc/passwd and /etc/group to a local test_data/passwd and
test_data/group. This way we can continue testing a backend API for
ipa-extdom-extop with the same data as with nss_wrapper.

Fixes https://pagure.io/freeipa/issue/5464

Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>

- - - - -
f45d72af by Christian Heimes at 2017-11-30T12:47:54Z
Update builddep command to install Python 3 and tox deps

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1ec3d54d by Michal Reznik at 2017-11-30T14:51:24Z
test_batch_plugin: fix py2/3 failing assertion

When running "test_batch_plugin" with Py2 against a Py3 server we
got an assertion error due to a command trying to run as bytes.

E.g.: unknown command 'b'ping''

https://pagure.io/freeipa/issue/7131

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
17bda0b1 by Rob Crittenden at 2017-12-04T15:29:19Z
Use the CA chain file from the RPC context

The value can be passed in the create_connection() call but
wasn't used outside that call. It already defaults to
api.env.tls_ca_cert so the context.ca_certfile should be used
instead so the caller can override the cert chain on a
per-connection basis. This may be handy in the future when
there is IPA-to-IPA trust, or for IPA-to-IPA migration.

https://pagure.io/freeipa/issue/7145

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
e8a26afb by Rob Crittenden at 2017-12-04T15:29:19Z
Add test to ensure that properties are being set in rpcclient

Upon a connection several values should be available within
the connection context. Test that they are being set properly.

Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
01bfe224 by Rob Crittenden at 2017-12-04T15:29:19Z
If the cafile is not present or readable then raise an exception

This can happen on the API level if a user passes in None as
cafile or if the value passed in does not exist or is not
readable by the IPA framework user.

This will also catch situations where /etc/ipa/ca.crt has
incorrect permissions and will provide more useful information
than just [Errno 13] Permission denied.

https://pagure.io/freeipa/issue/7145

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
c1f275f9 by Christian Heimes at 2017-12-06T15:54:04Z
Update to python-ldap 3.0.0

Replace python3-pyldap with python3-ldap.

Remove some old code for compatibility with very old python-ldap.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
be09823f by Christian Heimes at 2017-12-06T15:54:04Z
Skip test_rpcclient_context in client tests

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c42c440d by Fraser Tweedale at 2017-12-07T12:02:26Z
Use correct version of Python in RPM scripts

Fixes: https://pagure.io/freeipa/issue/7299
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
ba411b0f by Fraser Tweedale at 2017-12-07T12:03:30Z
Re-enable some KRA installation tests

Some KRA installation tests were disabled due to failures caused by
security domain session replication lag.  This problem has been
addressed in Dogtag by introducing a default 5 second sleep after
security domain login, to give more time for session data to be
replicated to other hosts.  There is still a possibility for this
kind of failure, but the delay minimises it.

FreeIPA depends on the version of Dogtag that contains this change,
so remove the failing-test annotations.

Fixes: https://pagure.io/freeipa/issue/7220
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
891cced4 by Florence Blanc-Renaud at 2017-12-07T13:00:27Z
Improve help message for ipa trust-add --range-type

Add the correct procedure for re-running ipa trust-add with a different
range type.

Fixes:
https://pagure.io/freeipa/issue/7308

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
1505922c by Christian Heimes at 2017-12-07T15:46:10Z
NSSDB: use preferred convert command

After further testing, Kai Engert proposed to use -N with -f -@ to
convert a NSSDB from DBM to SQL format.

https://fedoraproject.org/wiki/Changes/NSSDefaultFileFormatSql#Upgrade.2Fcompatibility_impact

https://pagure.io/freeipa/issue/7049

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
8700101d by Christian Heimes at 2017-12-07T15:55:40Z
Remove Custodia keys on uninstall

Keys are removed from disk and LDAP

https://pagure.io/freeipa/issue/7253

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
3eb38443 by Fraser Tweedale at 2017-12-07T16:28:12Z
renew_ra_cert: fix update of IPA RA user entry

The post-save hook for the RA Agent certificate invokes
cainstance.update_people_entry with the DER certificate instead of a
python-cryptography Certificate object.  Apply the correct type.

Fixes: https://pagure.io/freeipa/issue/7282
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
956e265f by Alexander Bokovoy at 2017-12-07T19:18:51Z
ipaserver/plugins/trust.py: fix some indenting issues

Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz at redhat.com>

- - - - -
a57f6133 by Alexander Bokovoy at 2017-12-07T19:18:51Z
trust: detect and error out when non-AD trust with IPA domain name exists

Quite often users choose the wrong type of trust on the Active Directory side
when setting up a trust to freeIPA. The trust type supported by freeIPA
is just a normal forest trust to another Active Directory. However,
some people follow old internet recipes that force using a trust to an MIT
Kerberos realm.

This is a wrong type of trust. Unfortunately, when someone used an MIT
Kerberos realm trust, there is no way to programmatically remove the
trust from the freeIPA side. As a result, we have to detect such a situation and
report an error.

To do proper reporting, we need to reuse some constants and trust type
names we use in the IPA CLI/Web UI. These common components were moved to
a separate ipaserver/dcerpc_common.py module that is imported by both
ipaserver/plugins/trust.py and ipaserver/dcerpc.py.

Fixes https://pagure.io/freeipa/issue/7264

Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz at redhat.com>

- - - - -
c19eb499 by Alexander Bokovoy at 2017-12-07T19:18:51Z
ipaserver/plugins/trust.py: pep8 compliance

Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz at redhat.com>

- - - - -
feee70d7 by Mohammad Rizwan Yusuf at 2017-12-11T07:32:39Z
ipatest: replica install with existing entry on master

Replica install might fail because of an existing entry for the replica like
`cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX` etc. The situation
may arise due to an incorrect uninstall of the replica or ipa server-del
not being executed on the master.

Related bug: https://pagure.io/freeipa/issue/7174

Fixes: https://pagure.io/freeipa/issue/7276

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
93d53e5c by Fraser Tweedale at 2017-12-11T07:35:04Z
CertUpdate: make it easy to invoke from other programs

The guts of ipa-certupdate are useful to execute as part of other
programs (e.g. as a first step of ipa-ca-install).  Refactor
ipa_certupdate.CertUpdate to make it easy to do that.  In
particular, make it possible to use an already-initialised API
object.

Part of: https://pagure.io/freeipa/issue/6577

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
8960141a by Fraser Tweedale at 2017-12-11T07:35:04Z
ipa-ca-install: run certupdate as initial step

When installing a CA replica, perform a certupdate to ensure that
the relevant CA cert is present.  This is necessary if the admin has
just promoted the topology from CA-less to CA-ful but didn't
manually run ipa-certupdate afterwards.

Fixes: https://pagure.io/freeipa/issue/6577
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
97942a7c by Fraser Tweedale at 2017-12-11T07:35:04Z
Run certupdate after promoting to CA-ful deployment

After installing a CA in a CA-less installation (using
ipa-ca-install), the new CA certificate is not installed in
/etc/httpd/alias. This causes communication failure between IPA
framework and Dogtag (it cannot verify the Dogtag server
certificate).

Perform a CertUpdate as the final step when promoting a CA-less
deployment to CA-ful.

Fixes: https://pagure.io/freeipa/issue/7230
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
39fdc2d2 by Fraser Tweedale at 2017-12-11T07:35:04Z
ipa_certupdate: avoid classmethod and staticmethod

Because classmethod and staticmethod are just fancy ways of calling
plain old functions, turn the classmethods and staticmethods of
CertUpdate into plain old functions.

This improves readability by making it clear that the behaviour of
the routines cannot depend on instance or class variables.

Part of: https://pagure.io/freeipa/issue/6577

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
29d0f867 by Michal Reznik at 2017-12-11T11:05:16Z
test_x509: test very long OID

Active Directory creates OIDs long enough to trigger a failure.
This can cause e.g. ipa-server-install failure when installing
with an externally-signed CA.

https://pagure.io/freeipa/issue/7300

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
34f73b4a by Fraser Tweedale at 2017-12-11T11:06:28Z
install: report CA Subject DN and subject base to be used

Currently we do not report what Subject DN or subject base will be
used for the CA installation.  This leads to situations where the
administrator wants a different Subject DN later.  Display these
data as part of the "summary" prior to the final go/no-go prompt in
ipa-server-install and ipa-ca-install.

The go/no-go prompt in ipa-ca-install is new.  It is suppressed for
unattended installations.

Fixes: https://pagure.io/freeipa/issue/7246
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
ec4620ec by Christian Heimes at 2017-12-11T14:32:45Z
Add python_requires to Python package metadata

freeIPA 4.6 and 4.7 require Python 2.7 or >= 3.5.

https://pagure.io/freeipa/issue/7294

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
b98f9b46 by Christian Heimes at 2017-12-11T19:40:06Z
Add marker needs_ipaapi and option to skip tests

The new marker needs_ipaapi is used to mark tests that need an
initialized API (ipalib.api) or some sort of other API services (running
LDAP server) to work. Some packages use api.Command or api.Backend on
module level. They are not marked but rather skipped entirely.

A new option ``skip-ipaapi`` is added to skip all API based tests. With
the option, only simple unit tests are executed. As of now, freeIPA
contains more than 500 unit tests that can be executed in about 5
seconds.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7fbbf668 by Christian Heimes at 2017-12-11T19:40:06Z
Add make targets for fast linting and testing

Fast linting only needs modified files with pylint and diff with
pycodestyle. It's good enough to detect most code errors very fast. It
typically takes less than 10 seconds. A complete full pylint run uses
all CPU cores for several minutes. PEP 8 violations are typically
reported after 30 minutes to several hours on Travis CI.

Fast linting uses git diff and git merge-base to find all modified
files in a branch or working tree. There is no easy way to find the
branch source. On Travis the information is provided by Travis. For
local development it's a new variable IPA_GIT_BRANCH in VERSION.m4.

Fast testing executes all unit tests that do not depend on ipalib.api.

In total it takes about 30-40 seconds (!) to execute linting, PEP 8 checks
and unittests for both Python 2 and 3.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d7aa7945 by Rob Crittenden at 2017-12-12T11:08:35Z
Run server upgrade in ipactl start/restart

During a distro upgrade, e.g. F-26 to F-27, networking may not
be available which will cause the upgrade to fail. Despite this
the IPA service can be subsequently restarted running new code
with old data.

This patch relies on the existing version-check code to determine
when/if an upgrade is required and will do so during an ipactl
start or restart.

The upgrade is now run implicitly in the spec file and will
cause the server to be stopped after the package is installed
if the upgrade fails.

Fixes: https://pagure.io/freeipa/issue/6968

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
3756dbf9 by Christian Heimes at 2017-12-12T11:53:21Z
Fix grammar in login screen

https://pagure.io/freeipa/issue/7263

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka at redhat.com>

- - - - -
ae3160fd by Christian Heimes at 2017-12-12T11:53:21Z
Fix grammar error: Log out

https://pagure.io/freeipa/issue/7258

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka at redhat.com>

- - - - -
dca9f849 by Christian Heimes at 2017-12-12T11:53:21Z
Address more 'to login'

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka at redhat.com>

- - - - -
b32a4aef by Christian Heimes at 2017-12-12T11:53:21Z
More log in verbs

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka at redhat.com>

- - - - -
2546ef6e by Fraser Tweedale at 2017-12-12T13:13:54Z
Prevent set_directive from clobbering other keys

`set_directive` only looks for a prefix of the line matching the
given directive (key).  If a directive is encountered for which the
given key is prefix, it will be vanquished.

This occurs in the case of `{ca,kra}.sslserver.cert[req]`; the
`cert` directive gets updated after certificate renewal, and the
`certreq` directive gets clobbered.  This can cause failures later
on during KRA installation, and possibly cloning.

Match the whole directive to avoid this issue.

Fixes: https://pagure.io/freeipa/issue/7288
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
1b04718b by Fraser Tweedale at 2017-12-12T13:13:54Z
pep8: reduce line lengths in CAInstance.__enable_crl_publish

Part of: https://pagure.io/freeipa/issue/7288

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
c77f3a50 by Fraser Tweedale at 2017-12-12T13:13:54Z
installutils: refactor set_directive

To separate concerns and make it easier to test set_directive,
extract function ``set_directive_lines`` to do the line-wise
search/replace, leaving ``set_directive`` to deal with the file
handling.

Part of: https://pagure.io/freeipa/issue/7288

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
f688b5d8 by Fraser Tweedale at 2017-12-12T13:13:54Z
Add tests for installutils.set_directive

Part of: https://pagure.io/freeipa/issue/7288

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
f4001e1c by Christian Heimes at 2017-12-12T13:13:54Z
Add safe DirectiveSetter context manager

installutils.set_directive() is both inefficient and potentially
dangerous. It does not ensure that the whole file is written and
properly synced to disk. In worst case it could lead to partially
written or destroyed config files.

The new DirectiveSetter context manager wraps everything under an easy
to use interface.

https://pagure.io/freeipa/issue/7312

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
4d9d9536 by Pavel Vomacka at 2017-12-12T13:19:44Z
Extend ui_driver to support geckodriver log_path

Geckodriver automatically logs into the geckodriver.log file, which
is placed in the same directory from which tests are run. In case
of running tests using ipa-run-tests the current working directory is
/usr/lib/python*/site-packages/ipatests, where most users cannot
write because of privileges.

By adding "geckodriver_log_path" into the test configuration we allow
setting a path where the user who runs the tests has privileges to write.

Config file might be seen here:
https://www.freeipa.org/page/Web_UI_Integration_Tests#Running_tests

Fixes: https://pagure.io/freeipa/issue/7311
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
0e9ce73a by Fraser Tweedale at 2017-12-12T13:36:44Z
Add uniqueness constraint on CA ACL name

It is possible to add caacl entries with the same "name" (cn).  The
command is supposed to prevent this but direct LDAP operations allow
it and doing that will cause subsequent errors.

Enable the DS uniqueness constraint plugin for the cn attribute in
CA ACL entries.

Fixes: https://pagure.io/freeipa/issue/7304
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
6a8c8471 by Fraser Tweedale at 2017-12-12T15:07:11Z
Don't use admin cert during KRA installation

KRA installation currently imports the admin cert.  FreeIPA does not
track this cert and it may be expired, causing installation to fail.
Do not import the existing admin cert, and discard the new admin
cert that gets created during KRA installation.

Part of: https://pagure.io/freeipa/issue/7287

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
d7426ccb by Christian Heimes at 2017-12-12T15:16:58Z
Replace nose with unittest and pytest

* Replace raise nose.SkipTest with raise unittest.SkipTest
* Replace nose.tools.assert_equal(a, b) with assert a == b
* Replace nose.tools.raises with pytest.raises
* Convert @raises decorator to pytest.raises() but just for relevant
  lines.
* Remove nose dependency

I left the nose_compat pytest plugin in place. It can be removed in
another request in case it is no longer used.

https://pagure.io/freeipa/issue/7301

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
929c77c7 by Christian Heimes at 2017-12-14T13:04:19Z
Travis: Add workaround for missing IPv6 support

Latest Travis CI image lacks IPv6 address on localhost. Add some
diagnostics and skip IPv6 tests in ipa-server-install when TRAVIS is
detected.

The hack will be removed as soon as it is no longer required to pass
automated testing.

https://pagure.io/freeipa/issue/7323

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Felipe Volpone <fbarreto at redhat.com>

- - - - -
fbb18897 by Alexander Koksharov at 2017-12-14T15:41:01Z
ensuring 389-ds plugins are enabled after install

To avoid problems caused by disabled plugins on the 389-ds side,
explicitly enable plugins required by IPA.

https://pagure.io/freeipa/issue/7271

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
68540856 by Pavel Vomacka at 2017-12-14T17:57:37Z
Update qunit.js to version 2.4.1

It provides more functions, bug fixes, but mainly better error handling
therefore it is easier to debug errors while tests are automatically
run.

Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
8b25ac88 by Pavel Vomacka at 2017-12-14T17:57:37Z
Update QUnit CSS file to 2.4.1

Update QUnit CSS to correspond with QUnit JS library

Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
c48ac281 by Pavel Vomacka at 2017-12-14T17:57:37Z
Add Gruntfile and package.json to ui directory

Those files are used when running WebUI unit tests from command line.

- Gruntfile specifies a grunt task which can run the WebUI tests.
- symlink to src/freeipa/package.json, where the npm packages
  required for running those tests are specified.
  There is only a symlink so as not to duplicate the package.json file.

Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
c50092c3 by Pavel Vomacka at 2017-12-14T17:57:37Z
Update jsl to not warn about module in Gruntfile

Gruntfile uses the module keyword which is not known by our JSLint.
Adding it to the known keywords fixes the warning.

Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
c47784dc by Pavel Vomacka at 2017-12-14T17:57:37Z
Create symlink to qunit.js

The base path for all unit tests is install/ui/js. This path is also used
by PhantomJS when running unit tests from the command line. PhantomJS then
tries to find qunit.js, therefore a symlink in install/ui/js is needed.

This might be automated in the future.

Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
2dd77410 by Pavel Vomacka at 2017-12-14T17:57:37Z
Update tests

With newer QUnit the API has changed, therefore there are necessary changes
in the tests. QUnit methods do not pollute the global workspace; they use
the global QUnit object or the assert object passed as an argument to the
test method.

Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
905a0abf by Pavel Vomacka at 2017-12-14T17:57:37Z
Update README about WebUI unit tests

Add information how to run tests from command line

Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
e89163d4 by Pavel Vomacka at 2017-12-14T17:57:37Z
Edit TravisCI conf files to run WebUI unit tests

Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
8aca1fe7 by Pavel Vomacka at 2017-12-14T17:57:37Z
Update jsl.conf in tests subfolder

- to know QUnit, it is global object provided by QUnit.js library
- remove not-existing test navigation_tests.js

Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
0f28c7e3 by Pavel Vomacka at 2017-12-14T17:57:37Z
Include npm related files into Makefile and .gitignore

Extended Makefile in install/ui
 - $ make clean-local removes npm related files in the install/ui directory
Add node_modules and package-lock.json into .gitignore

Fixes: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
1059a24d by Tomas Krizek at 2017-12-14T19:04:21Z
prci: bump ci-master-f27 template to 1.0.2

Signed-off-by: Tomas Krizek <tkrizek at redhat.com>
Reviewed-By: Felipe Volpone <fbarreto at redhat.com>

- - - - -
10a847b6 by Rob Crittenden at 2017-12-15T07:45:38Z
Make the path to CS.cfg a class variable

Rather than passing around the path to CS.cfg for the CA and KRA
set it at object creation and use everywhere.

Make update_cert_config() a real class method instead of a static
method. It wasn't being called that way in any case and makes it
possible to use the class config file.

Related: https://pagure.io/freeipa/issue/6703

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
a7ae2dbc by Rob Crittenden at 2017-12-15T07:45:38Z
Enable ephemeral KRA requests

Enabling ephemeral KRA requests will reduce the amount of LDAP
write operations and improve overall performance.

Re-order some imports and shorten some lines to make pep8 happy.

Fixes: https://pagure.io/freeipa/issue/6703

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
8cb756a2 by Christian Heimes at 2017-12-18T10:51:14Z
Fix pylint warnings inconsistent-return-statements

Add consistent return to all functions and methods that are covered by
tox -e pylint[23]. I haven't checked if return None is always a good
idea or if we should rather raise an error.

See: https://pagure.io/freeipa/issue/7326
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1c9f0a4b by Christian Heimes at 2017-12-19T12:26:39Z
Vault: Add argument checks to encrypt/decrypt

Vault's encrypt and decrypt helper function take either symmetric or
public/private key. Raise an exception if either both or none of them
are passed down.

See https://pagure.io/freeipa/issue/7326

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Felipe Volpone <fbarreto at redhat.com>

- - - - -
b567f3af by Christian Heimes at 2017-12-19T12:28:06Z
Use pylint 1.7.5 with fix for bad python3 import

Closes: https://pagure.io/freeipa/issue/7315
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Petr Cech <pcech at redhat.com>

- - - - -
23d729e0 by Michal Reznik at 2017-12-19T13:03:24Z
test_help: test "help" command without cache

This test case addresses upstream ticket #6999, where "ipa help"
does not work if called when no schema is cached.

https://pagure.io/freeipa/issue/7325

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
3c59cf57 by Christian Heimes at 2017-12-19T13:05:29Z
Require python-ldap 3.0.0b2

Use new LDAPBytesWarning to ignore python-ldap's bytes warnings. New
build is available in @freeipa/freeipa-master.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Felipe Volpone <fbarreto at redhat.com>

- - - - -
bfd4e3ed by Christian Heimes at 2017-12-20T08:55:46Z
Custodia uninstall: Don't fail when LDAP is down

The Custodia instance is removed when LDAP is already shut down. Don't
fail and only remove the key files from disk. The server_del command
takes care of all Custodia keys in LDAP.

https://pagure.io/freeipa/issue/7318

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
9400a405 by Christian Heimes at 2017-12-20T12:01:02Z
Include ipa_krb5.h without util prefix

Fixes out-of-tree builds.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
cf2d171d by Pavel Vomacka at 2018-01-04T15:24:42Z
WebUI: make keytab tables on service and host pages writable

There is no object class before adding the first item into the tables,
therefore there are no ACIs and the WebUI is not able to figure out
whether the table is writable or not. Adding the flag 'w_if_no_aci'
tells it "make it writable even if we have no ACIs and try to do
the API call".

https://pagure.io/freeipa/issue/7111

Reviewed-By: Felipe Volpone <fbarreto at redhat.com>

- - - - -
65c59233 by Michal Reznik at 2018-01-04T15:28:14Z
test_cert_plugin: check if SAN is added with default profile

https://pagure.io/freeipa/issue/7334

Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
21b09522 by Rob Crittenden at 2018-01-04T15:34:37Z
Don't manually generate default.conf in server, use IPAChangeConf

Related: https://pagure.io/freeipa/issue/7218

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
79432cbd by Rob Crittenden at 2018-01-04T15:34:37Z
Log contents of files created or modified by IPAChangeConf

This will show the status of the files during an installation.
This is particularly important during a replica install where
default.conf gets written several times.

Fixes: https://pagure.io/freeipa/issue/7218

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
6f5042cd by François Cami at 2018-01-04T15:36:54Z
10-config.update: remove nsslapd-sasl-max-buffer-size override as https://pagure.io/389-ds-base/issue/47457 was fixed directly in 389 Directory Server.

The patch addresses:
https://bugzilla.redhat.com/show_bug.cgi?id=1527020
"nsslapd-sasl-max-buffer-size is hardcoded to '2097152' during
install even if another value was provided in an LDIF
( --dirsrv-config-file )"

Fixes: https://pagure.io/freeipa/issue/7341

Tested against RHEL 7.4, the nsslapd-sasl-max-buffer-size parameter
is still 2097152 after this change and the change allows overriding
its value using --dirsrv-config-file properly.

Fix suggested by Florence Blanc-Renaud.

Signed-off-by: François Cami <fcami at fedoraproject.org>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
93c158b0 by Christian Heimes at 2018-01-04T18:36:27Z
ipa-run-tests: replace chdir with plugin

The ipa-run-tests command used os.chdir() to change into the ipatests/
directory. The approach works for simple cases but breaks some pytest
features. For example it makes it impossible to select tests by their
fully qualified test name.

Furthermore, coverage statistics break because path and module names
get messed up by chdir.

A name plugin takes care of adjusting paths relative to ipatests and to
add ipatests as base. It's now possible to run tests with qualified test
names, e.g.

  ipa-run-tests ipatests/test_ipalib/test_base.py::test_ReadOnly::test_lock

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Felipe Volpone <fbarreto at redhat.com>

- - - - -
6fe3228f by Christian Heimes at 2018-01-08T08:52:49Z
Make fastlint even faster

- Check pycodestyle before pylint. pycodestyle takes seconds while
  pylint can easily take half a minute or more.
- Fix exit, needs two $
- Add some newlines to make output more readable

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
cae2d99f by Christian Heimes at 2018-01-09T06:53:28Z
LGTM: Silence unmatchable dollar

Silence false positive "unmatchable dollar in regular expression".

https://pagure.io/freeipa/issue/7344

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
1ed4461f by Christian Heimes at 2018-01-09T06:53:28Z
LGTM: Use of exit() or quit()

Replace exit() with sys.exit(). exit() or quit() may fail if the interpreter
is run with the -S option.

https://pagure.io/freeipa/issue/7344

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
a4f36eec by Christian Heimes at 2018-01-09T06:53:28Z
LGTM: Name unused variable in loop

For loop variable '_nothing' is not used in the loop body. The name
'unused' is used to indicate that a variable is unused.

https://pagure.io/freeipa/issue/7344

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
d3f43a67 by Christian Heimes at 2018-01-09T06:53:28Z
LGTM: Membership test with a non-container

Silence false positive by using isinstance(value, dict).

Also clean up and optimize most common cases.

https://pagure.io/freeipa/issue/7344

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
de616888 by Christian Heimes at 2018-01-09T06:53:28Z
LGTM: Fix exception in permission_del

Instantiating an exception, but not raising it, has no effect.

https://pagure.io/freeipa/issue/7344

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
dc599e07 by Christian Heimes at 2018-01-09T06:53:28Z
LGTM: Remove redundant assignment

https://pagure.io/freeipa/issue/7344

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
73ee9ff4 by Christian Heimes at 2018-01-09T06:53:28Z
LGTM: Fix multiple use before assignment

- Move assignment before try/finally block
- Add raise to indicate control flow change
- Add default value

https://pagure.io/freeipa/issue/7344

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
f60b2c59 by Christian Heimes at 2018-01-09T06:53:28Z
LGTM: raise handle_not_found()

Turn calls "handle_not_found()" into "raise handle_not_found()" to
indicate the control flow change. It makes the code easier to understand,
the control flow more obvious and helps static analyzers.

It's OK to raise here because handle_not_found() always raises an
exception.

https://pagure.io/freeipa/issue/7344

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
5d02c6aa by Christian Heimes at 2018-01-09T06:53:28Z
LGTM: Use explicit string concatenation

Implicit string concatenation is technically correct, too. But when
combined in list, it's confusing for both human eye and static code
analysis.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
beb6d74b by Christian Heimes at 2018-01-09T06:53:28Z
LGTM: unnecessary else in for loop

for/else only makes sense when the for loop uses break, too. If the for
loop simply returns on success, then else is not necessary.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
830866d6 by Florence Blanc-Renaud at 2018-01-09T06:58:52Z
Idviews: fix objectclass violation on idview-add

When the option --domain-resolution-order is used with the command
ipa idview-add, the resulting LDAP object stores the value in
ipadomainresolutionorder attribute.
The issue is that the add command does not add the needed object
class (ipaNameResolutionData) because it is part of
possible_objectclasses but not of object_class.

The fix makes sure to add the objectclass when the option
--domain-resolution-order is used, and adds a non-regression test.

Note that idview-mod does not have any issue as it correctly handles
the addition of missing possible objectclasses.

Fixes:
https://pagure.io/freeipa/issue/7350

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a70dcb1e by Aleksei Slaikovskii at 2018-01-09T07:02:29Z
test_backup_and_restore.py AssertionError fix

prefix in the backup function expects output to have
'ipa.ipaserver.install.ipa_backup.Backup:' and it's wrong. The right
one is 'ipaserver.install.ipa_backup:'.

https://pagure.io/freeipa/issue/7339

Reviewed-By: Felipe Volpone <fbarreto at redhat.com>

- - - - -
f5c01c5e by Felipe Barreto at 2018-01-09T07:03:49Z
Fixing test_testconfig with proper asserts

When the cls in env_config.py is a WinHost, the __init__ receives different
parameters. Now, it's adapted to all different kinds of hosts.

Also, it's necessary to add the host_type field to most of domains created
in the test classes, because the field is returned by pytest_multihost.Config
in pytest_plugins/integration/config.py::Config::to_dict

https://pagure.io/freeipa/issue/7346

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
dbb7784b by Michal Reznik at 2018-01-09T08:36:33Z
test_renewal_master: add ipa csreplica-manage test

Add test case for setting renewal master using command
ipa-csreplica-manage.

Automation related to upstream ticket #7120. Testing using
config-mod already covered.

https://pagure.io/freeipa/issue/7321

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
434d7d42 by Michal Reznik at 2018-01-09T08:37:24Z
test_caless: test PKINIT install and anchor update

Add test case for installing PKINIT and anchor update when using
3rd party CA after caless installation. Related to #6831 issue.

https://pagure.io/freeipa/issue/7233

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
0cef5107 by Michal Reznik at 2018-01-09T09:17:01Z
paths: add IPA_CACERT_MANAGE and IPA_CERTUPDATE constants

Add IPA_CACERT_MANAGE and IPA_CERTUPDATE constants which will be
used in test_external_ca test suite.

https://pagure.io/freeipa/issue/7302

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
efe21a1b by Michal Reznik at 2018-01-09T09:17:01Z
test_tasks: add sign_ca_and_transport() function

Add sign_ca_and_transport() function which will sign provided csr
and transport root CA and signed IPA CA to the host.

https://pagure.io/freeipa/issue/7302

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
ad996d79 by Michal Reznik at 2018-01-09T09:17:01Z
test_external_ca: selfsigned->ext_ca->selfsigned

Add selfsigned > external_ca > selfsigned test case.

Covers Pagure issue #7106

https://pagure.io/freeipa/issue/7302

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
3bdac1a8 by Michal Reznik at 2018-01-09T09:17:01Z
tests: move CA related modules to pytest_plugins

Till now both create_caless_pki.py and create_external_ca.py were
stored in the test_integration folder. However when trying to import
e.g. "from create_external_ca import ExternalCA" from tasks.py,
where all the other integration tests' support functions live, we get
"AttributeError: module 'pytest' has no attribute 'config'" as pytest
was not completely initialized at the moment of the import.

https://pagure.io/freeipa/issue/7302

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
099856e1 by Michal Reznik at 2018-01-09T09:17:01Z
prci: run full external_ca test suite

Before this patch there was just one test in the external_ca suite,
now we add one new test class, thus deleting the specific class
in the external_ca PRCI section.

https://pagure.io/freeipa/issue/7302

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
dc4109c1 by Christian Heimes at 2018-01-10T08:39:57Z
Sort external schema files

get_all_external_schema_files() now returns schema files sorted.

Fixes: https://pagure.io/freeipa/issue/7338

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0cab090f by Christian Heimes at 2018-01-12T12:47:06Z
ipa-run-tests: make --ignore absolute, too

ipa-run-tests now applies the same logic to --ignore as to included
paths.

https://pagure.io/freeipa/issue/7355

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Michal Reznik <mreznik at redhat.com>

- - - - -
5c361f54 by amitkuma at 2018-01-12T19:33:20Z
Documenting kinit_lifetime in /etc/ipa/default.conf

Describing the parameter kinit_lifetime that allows limiting the lifetime
of the ticket obtained by users authenticating to the WebGUI using
login/password. Removing session_auth_duration and session_duration_type
since these parameters are not relevant anymore.

Resolves: https://pagure.io/freeipa/issue/7333
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
f0c0a14e by Stanislav Laznicka at 2018-01-16T13:15:58Z
Add a helpful comment to ca.py:install_check()

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
cd83afcd by Stanislav Laznicka at 2018-01-16T15:36:10Z
replica_prepare: Remove the correct NSS DB files

A mistake in recent fixes made ipa-replica-prepare include
some extra files in the info file should the legacy format of
NSS databases be used.

https://pagure.io/freeipa/issue/7049

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
e55969f7 by Michal Reznik at 2018-01-17T11:52:16Z
test_caless: add SAN extension to other certs

Currently when testing we are using SAN extension only in
KDC, wildcard certs and not in the other certs.
During replica installation we then see a warning about certs
having no `subjectAltName`.

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
cd660d19 by Felipe Barreto at 2018-01-17T15:01:13Z
Fixing test_backup_and_restore assert to not rely on the order

Since we cannot assume that LDAP will return data in any ordered way,
the test should be changed to not rely on that.

Instead of just comparing the output of the show-user command, this change
first orders the groups returned in the 'Member of Group' field before
comparing them.

https://pagure.io/freeipa/issue/7339

Reviewed-By: Aleksei Slaikovskii <aslaikov at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c1f7c617 by Christian Heimes at 2018-01-23T09:06:56Z
Lower python-ldap requirement for F27

For DNSSEC daemons on Python 3, python-ldap requirement was bumped to
python-ldap 3.0. But python-ldap 3.0 hasn't been released yet and is
only available as beta4 on rawhide. The DNSSEC fix hasn't landed either.

Lower requirements to python2-ldap 2.4.15 and python3-pyldap 2.4.35.1-2
until the DNSSEC fix has landed.

See https://pagure.io/freeipa/issue/7257

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
fc8c130b by amitkuma at 2018-01-23T09:09:12Z
Custom ca-subject logging

Present Situation:
Logging is a bit incomplete when using a custom CA subject passed in via --ca-subject.
If there is a problem finding the IPA CA certificate then the installer will log:
ERROR IPA CA certificate not found in /tmp/servercert.pem, /tmp/cacert.pem

After the Fix this sort of log is seen:
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): DEBUG    The ipa-server-install command failed, exception: ScriptError: IPA CA certificate with subject 'CN=Certificate Authority,O=GSSLAB.PNQ2.REDHAT.COM' was not found in /root/ipa.cert, /root/rootCA.crt.

Resolves: https://pagure.io/freeipa/issue/7245
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
7924dae6 by Christian Heimes at 2018-01-23T16:10:16Z
Fix pylint error in ipapython/dn.py

ipapython/dn.py:1324: [R1710(inconsistent-return-statements), DN.__contains__]
Either all return statements in a function should return an expression, or none of them should.)

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e0c976ac by Christian Heimes at 2018-01-23T20:02:49Z
Require dbus-python on F27

Partly revert b03d5155. python2-dbus is not available on F27. The
package only provides dbus-python:

$ dnf install python2-dbus dbus-python
Last metadata expiration check: 0:18:39 ago on 2018-01-23T18:59:22 CET.
No match for argument: python2-dbus
Package dbus-python-1.2.4-8.fc27.x86_64 is already installed, skipping.
Error: Unable to find a match

Part of: https://pagure.io/freeipa/issue/7131
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
e1e32182 by Christian Heimes at 2018-01-23T20:54:04Z
Give ODS socket a bit of time

ipa-ods-exporter uses systemd socket activation. The script uses
select() to check if the socket is readable. A timeout of 0 is a bit too
aggressive. Sometimes select() doesn't consider the systemd socket as
readable. This causes ODS to fail silently.

A timeout of one second seems to remove the problem. A proper error code
also signals that something went wrong.

Closes: https://pagure.io/freeipa/issue/7378
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c8ba9eb0 by Felipe Barreto at 2018-01-24T18:09:03Z
Fixing vault-add-member to be compatible with py3

Changing from iteritems() to values() in order to be compatible with
python3.

https://pagure.io/freeipa/issue/7373

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
86a78ca2 by Florence Blanc-Renaud at 2018-01-29T10:19:56Z
test_integration: backup custodia conf and keys

Add an integration test for issue 7247 (ipa-backup does not backup
Custodia keys and files)
The test performs backup / uninstall / check custodia files were removed /
restore and check that the custodia conf and keys files are restored.

related ticket https://pagure.io/freeipa/issue/7247

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
1c059fbf by Christian Heimes at 2018-01-29T13:49:16Z
Remove unused PyOpenSSL from spec file

https://pagure.io/freeipa/issue/7381

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
1235f595 by Alexander Koksharov at 2018-01-31T11:35:03Z
preventing ldap principal from being deleted

The ipa-server-install --uninstall command is calling server-del to
delete the replica. This scenario does not work since server-del
is also deleting all principals from LDAP, breaking LDAP
replication. As a result, only part of the deletions are propagated
to the other replicas, leaving a lot of orphaned data there.

https://pagure.io/freeipa/issue/7371

This patch won't fully fix the issue with left-over data
but more data is cleaned up and only ldap principal is left
thus ending in a better state.
Issue will be fully fixed only when topology plugin is patched
as well. The following pagure ticket is created to track
topology plugin change:
https://pagure.io/freeipa/issue/7359

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
6c5a7464 by Aleksei Slaikovskii at 2018-01-31T15:03:19Z
Fixing translation problems

ipa rpc server did set the LANG environment variable on each
request and it was not thread safe which led to unpredictable
mixed languages output. Also, there were mistakes regarding
setting the Accept-Language HTTP header.

Now on each request we're setting the "languages" property
in the context thread local variable and client is setting
the Accept-Language HTTP header correctly.

Also, as the server is caching the schema and the schema can
be generated for several languages, it's good to store a different
schema fingerprint for each language separately.

pagure: https://pagure.io/freeipa/issue/7238
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

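The thread-local pattern that commit 6c5a7464 describes, as an added example that is not FreeIPA's code: a process-wide setting such as the LANG environment variable is shared by every worker thread, so two concurrent requests with different Accept-Language headers can read each other's choice, whereas a threading.local context gives each request its own "languages" list. The catalog, the schema fields and the request headers below are constructed sample data; the parser, the fingerprint and the barrier-driven simulation are assumptions made for the illustration.

```python
"""Per-request language selection kept in thread-local state.

Added illustration, not FreeIPA code. It models the problem in the
commit above: a process-wide language setting is shared by all threads,
so concurrent requests can end up with mixed languages; a thread-local
context keeps each request's choice private. Catalog and schema fields
are constructed sample data.
"""
import hashlib
import json
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed stand-in for gettext catalogs.
CATALOG = {
    "en": {"greeting": "Hello", "help": "Show help"},
    "de": {"greeting": "Hallo", "help": "Hilfe anzeigen"},
    "cs": {"greeting": "Ahoj", "help": "Zobrazit napovedu"},
}
DEFAULT_LANGUAGES = ["en"]

context = threading.local()            # per-thread request state


def parse_accept_language(header):
    """Return language tags from an Accept-Language header, best first.

    Ordering follows RFC 7231: higher q first, header order on ties,
    q=0 entries dropped, a malformed q treated as 0.
    """
    entries = []
    for position, part in enumerate(header.split(",")):
        tag, _, params = part.strip().partition(";")
        tag = tag.strip().lower()
        if not tag:
            continue
        q = 1.0
        for param in params.split(";"):
            name, _, value = param.strip().partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value.strip())
                except ValueError:
                    q = 0.0
        if q > 0:
            entries.append((-q, position, tag))
    return [tag for _, _, tag in sorted(entries)]


def translate(msgid, languages):
    """Look up msgid in the first catalog matching one of `languages`."""
    for tag in languages:
        for candidate in (tag, tag.split("-")[0]):
            if msgid in CATALOG.get(candidate, {}):
                return CATALOG[candidate][msgid]
    return CATALOG["en"][msgid]


def schema_fingerprint(languages, fields=("greeting", "help")):
    """Fingerprint of the translated schema.

    Two language lists that render identically share a fingerprint, so
    the cache key follows the visible output rather than the header text.
    """
    rendered = {msgid: translate(msgid, languages) for msgid in fields}
    payload = json.dumps(rendered, sort_keys=True).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


def serve_concurrently(headers, use_thread_local=True):
    """Handle one request per thread, all translating at the same moment.

    A Barrier forces every thread to finish choosing its language before
    any of them translates: the interleaving that made a process-wide
    setting return mixed languages. With use_thread_local=False the
    choice is stored in one shared dict, modelling the old LANG approach.
    """
    barrier = threading.Barrier(len(headers))
    shared = {}                        # models the process-wide setting

    def worker(header):
        languages = parse_accept_language(header) or DEFAULT_LANGUAGES
        if use_thread_local:
            context.languages = languages
        else:
            shared["languages"] = languages
        barrier.wait()
        current = context.languages if use_thread_local else shared["languages"]
        return translate("greeting", current)

    with ThreadPoolExecutor(max_workers=len(headers)) as pool:
        return list(pool.map(worker, headers))


if __name__ == "__main__":
    requests = ["de-DE,de;q=0.8,en;q=0.5", "cs", "en"]
    print("thread-local:", serve_concurrently(requests))
    print("shared:      ", serve_concurrently(requests, use_thread_local=False))
```

With the thread-local context each request gets its own translation; with the shared dict every thread reads whichever value was written last, which is the mixed-language output the commit fixes.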
- - - - -
9c208ea1 by Mohammad Rizwan Yusuf at 2018-01-31T15:13:50Z
IANA reserved IP address cannot be used as a forwarder. This test checks if ipa server installation throws an error when 0.0.0.0 is specified as forwarder IP address.

related ticket: https://pagure.io/freeipa/issue/6894

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
aaf2eaab by Rob Crittenden at 2018-02-06T10:41:03Z
Move Requires: pythonX-sssdconfig into conditional

https://pagure.io/freeipa/issue/5638

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
fa5394cc by Fraser Tweedale at 2018-02-06T10:42:34Z
Improve warning message for malformed certificates

The 'CertificateInvalid' message is used for malformed certificates.
The user error message says "Invalid certificate...", but in X.509
"validity" has a specific meaning that does not encompass
well-formedness.  For clarity, change the user-visible message to
say "Malformed".

Part of: https://pagure.io/freeipa/issue/7390

Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
01c534c2 by Fraser Tweedale at 2018-02-06T10:42:34Z
cert-request: avoid internal error when cert malformed

When executing cert-request, if Dogtag successfully issues a
certificate but python-cryptography cannot parse the certificate, an
unhandled exception occurs.  Handle the exception by notifying about
the malformed certificate in the response messages.

Fixes: https://pagure.io/freeipa/issue/7390
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
f1f18098 by Mohammad Rizwan Yusuf at 2018-02-06T11:16:14Z
When the dirsrv service, which gets started during the first ipa-server-install --external-ca phase, is not running when the second phase is run with --external-cert-file options, the ipa-server-install command fails.

This test checks if the second phase installs successfully when dirsrv
is stopped.

related ticket: https://pagure.io/freeipa/issue/6611

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
1ad27076 by Mohammad Rizwan Yusuf at 2018-02-06T11:16:14Z
Updated the TestExternalCA with the functions introduced for the steps of external CA installation.

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
156f9121 by Alexander Koksharov at 2018-02-06T11:25:08Z
Fix replica_promotion-domlevel0 test failures

Integration test is failing due to wrong message being
displayed by ipa. This issue was most probably introduced
by PR:
https://github.com/freeipa/freeipa/commit/f51869bf5214e2d2322f85bf72b7ae86b6893974
Error messages for domain level 0 and >=1 cases were basically
swapped. This PR is swapping them back.

Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
7b7edd57 by Felipe Barreto at 2018-02-06T14:53:08Z
IntegrationTests now collects logs from all test methods

logs_dict should not be cleared. It's filled once per class and it
should not be cleared after running the first test.

https://pagure.io/freeipa/issue/7310
https://pagure.io/freeipa/issue/7335

Reviewed-By: Michal Reznik <mreznik at redhat.com>

- - - - -
6c81a2cb by amitkuma at 2018-02-07T11:56:41Z
ipa-advise for smartcards updated

......
authconfig --enablesmartcard --smartcardmodule=sssd --updateall

Advise is updated to:
authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd
--smartcardaction=1 --updateall

Resolves: https://pagure.io/freeipa/issue/7358
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
d945583c by Felipe Barreto at 2018-02-07T12:24:46Z
Make IntegrationTest fail if an error happened during uninstall

Before this change, if the uninstall process fails, the test would not fail, due
to the raiseonerr=False.

It's necessary to remove the uninstall call in CALessBase because in
TestIntegration there is another uninstall call. So, without the
raiseonerr=False, it would make the uninstall process fail, since the master is
already uninstalled.

https://pagure.io/freeipa/issue/7357

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
84a10ee3 by Martin Basti at 2018-02-07T16:27:11Z
py3: ipa-dnskeysyncd: fix bytes issues

LDAP client returns values as bytes, thus ipa-dnskeysyncd must work with
bytes properly.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
53f202bd by Martin Basti at 2018-02-07T16:27:11Z
py3: bindmgr: fix iteration over bytes

In py3, iteration over bytes returns integers; in py2, iteration over
bytes returns strings.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
005d85ff by Tomas Krizek at 2018-02-07T16:27:11Z
py3: bindmgr: fix bytes issues

LDAP client returns values as bytes, thus bindmgr must work with
bytes properly.

https://pagure.io/freeipa/issue/4985

Signed-off-by: Tomas Krizek <tkrizek at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
efded226 by Tomas Krizek at 2018-02-07T16:27:11Z
py3 dnssec: convert hexlify to str

hexlify returns bytes and needs to be cast to a string before
printing it out.

Related: https://pagure.io/freeipa/issue/4985

Signed-off-by: Tomas Krizek <tkrizek at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
575e513b by Christian Heimes at 2018-02-07T16:27:11Z
More DNSSEC house keeping

Related: https://pagure.io/freeipa/issue/4985
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
7670dcb8 by Christian Heimes at 2018-02-07T16:27:11Z
Run DNSSEC under Python 3

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
6a54146b by Christian Heimes at 2018-02-07T16:27:11Z
Decode ODS commands

ODS commands are ASCII strings, but socket.recv() returns bytes and
socket.send() expects bytes. Encode/decode values properly.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
f39d855a by Christian Heimes at 2018-02-07T16:27:11Z
DNSSEC: Reformat lines to address PEP8 violations

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
6f65abfd by Christian Heimes at 2018-02-07T16:27:11Z
DNSSEC code cleanup

Replace assert with proper check and exception.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
e5a508a7 by Michal Reznik at 2018-02-07T19:02:53Z
ipa_tests: test subca key replication

Test if key replication is not failing.

https://pagure.io/freeipa/issue/7387

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
387ae9fd by Christian Heimes at 2018-02-08T07:12:58Z
ipa-server-upgrade now checks custodia server keys

The ipa-server-upgrade command now checks for presence of ipa-custodia's
config and server keys. In case any of the files is missing, it
re-creates both files.

Partly resolves https://pagure.io/freeipa/issue/6893. The upgrader does
not auto-detect broken or mismatching keys yet.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
df0e6696 by Christian Heimes at 2018-02-08T07:24:54Z
Bump SELinux policy for DNSSEC

selinux-policy-3.13.1-283.24 fixes an AVC with OpenDNSSEC ods-signer.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1537971
See: https://pagure.io/freeipa/issue/7378
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
ec228f41 by Sumit Bose at 2018-02-08T07:52:28Z
ipa-kdb: use magic value to check if ipadb is used

The certauth plugin is configured in /etc/krb5.conf independently from
the database module. As a result the IPA certauth plugin can be added to
the configuration without the IPA DAL driver. Since the IPA certauth
plugin depends on the presence of the IPA DAL driver this patch adds a
magic value at the beginning of struct ipadb_context which can be
checked to see if the IPA DAL driver is properly initialized.

Resolves https://pagure.io/freeipa/issue/7261

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
7619fa41 by Christian Heimes at 2018-02-08T08:30:29Z
Bump python-ldap version to fix syncrepl bug

python-ldap had a bug in syncrepl caused by incompatible changes in
pyasn1. The bug has been fixed in 2.4.25-9.

Fixes: https://pagure.io/freeipa/issue/7240
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
2391c75e by Christian Heimes at 2018-02-08T08:32:12Z
Replace hard-coded paths with path constants

Several run() calls used hard-coded paths rather than pre-defined paths
from ipaplatform.paths. The patch fixes all places that I was able to
find with a simple search.

The fix simplifies Darix's port of freeIPA on openSuSE.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
8821f7ae by Rob Crittenden at 2018-02-08T08:39:18Z
Fix detection of KRA installation so upgrades can succeed

Use is_installed() instead of is_configured() because
is_installed() does a config file check to see if the service
is in use.

https://pagure.io/freeipa/issue/7389

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
b07937d0 by Fraser Tweedale at 2018-02-08T12:53:30Z
Update IPA CA issuer DN upon renewal

When renewing an externally-signed CA or when switching from an
externally-signed to a self-signed CA, the Issuer DN can change.
Update the ipaCaIssuerDn field of the IPA CA entry upon renewal, to
keep it in sync.

Fixes: https://pagure.io/freeipa/issue/7316
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
939db89c by Christian Heimes at 2018-02-08T13:45:58Z
Update existing 389-DS cn=RSA,cn=encryption config

389-DS >= 1.4.0 on Fedora 28 has a default entry for
cn=RSA,cn=encryption,cn=config. The installer now updates the entry in
case it already exists. This ensures that token and personality are
correct for freeIPA.

Fixes: https://pagure.io/freeipa/issue/7393
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
40ac8158 by Christian Heimes at 2018-02-08T15:58:13Z
Restart named-pkcs11 after KRA installation

KRA installer restarts 389-DS, which disrupts named-pkcs11
bind-dyndb-ldap for a short while. Restart named-pkcs11 to fix DNS
resolver.

Fixes: https://pagure.io/freeipa/issue/5813
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
73f61ce2 by Sumit Bose at 2018-02-08T17:46:47Z
ipa-kdb: update trust information in all workers

Currently there is already code to make sure that after trust is established an
AS-REQ of the local HTTP principal causes a refresh of the internal structures
holding the information about the trusted domains.

But this refreshes only the data of the current krb5kdc worker process on the
local host. Other workers and the KDCs on other hosts will update the data
eventually when a request with a principal from a trusted realm is handled.

During this phase, which might last quite long if remote principals are only
handled rarely, TGTs for local principals might or might not contain a PAC
because the decision if a PAC should be added or not is based on the
information about trusted domains. Since the PAC is needed to access services
on the AD side this access might fail intermittently depending on which worker
process on which host is handling the request. This might e.g. affect SSSD
running on the IPA server with two-way trust.

To fix this, this patch calls ipadb_reinit_mspac() whenever a PAC is needed but
without the 'force' flag so that the refresh will only happen if it wasn't
called recently (currently not more often than once a minute).

An alternative might be to do the refresh only when processing cross-realm TGT
requests. But this would be already too late because the local principal asking
for a cross-realm ticket would not have a PAC and hence the first attempt will
still fail due to the missing PAC. And injecting the PAC in the cross-realm TGT
while there is none in the requesting ticket does not sound right.

Related to https://pagure.io/freeipa/issue/7351

Reviewed-By: Simo Sorce <ssorce at redhat.com>

- - - - -
1785a3e1 by Christian Heimes at 2018-02-09T07:28:11Z
Replace wsgi package conflict with config file

Instead of a package conflict, freeIPA now uses an Apache config file to
enforce the correct wsgi module. The workaround only applies to Fedora
since it is the only platform that permits parallel installation of
Python 2 and Python 3 mod_wsgi modules. RHEL 7 has only Python 2 and
Debian doesn't permit installation of both variants.

See: https://pagure.io/freeipa/issue/7161
Fixes: https://pagure.io/freeipa/issue/7394
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ece17cef by Felipe Barreto at 2018-02-09T07:30:21Z
Check if replication agreement exists before enabling/disabling it

If the replication agreement does not exist, a custom exception is
raised explaining the problem.

https://pagure.io/freeipa/issue/7201

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
4daac52d by Fraser Tweedale at 2018-02-09T07:57:41Z
ipaldap: allow GetEffectiveRights on individual operations

Allow caller to specify that the GetEffectiveRights server control
should be used on a per-operation basis.  Also update
ldap2.get_effective_rights to use this new API.

Part of: https://pagure.io/freeipa/issue/6609

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
b466172d by Fraser Tweedale at 2018-02-09T07:57:41Z
ldap2: fix implementation of can_add

ldap2.can_add checks for add permission of a given entry.
It did not work properly due to a defect in 389 DS.  Now that the
defect has been fixed, we also need to update can_add to work with
the mechanism 389 DS provides for checking add permission for
entries where ACIs are in effect.

Update the ldap2.can_add implementation to perform the add
permission check properly.  Also update call sites accordingly.

Update the spec file to require 389-ds-base-1.3.7.9-1 which is the
first release containing the fix.  This version of 389-ds-base also
resolves a couple of other issues related to replication and
connection management.

Fixes: https://pagure.io/freeipa/issue/6609
Fixes: https://pagure.io/freeipa/issue/7165
Fixes: https://pagure.io/freeipa/issue/7228
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
1adb3ede by Timo Aaltonen at 2018-02-09T08:14:22Z
Move config templates from install/conf to install/share

Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
e6c707b1 by Timo Aaltonen at 2018-02-09T08:14:22Z
ipaplatform, ipa.conf: Use paths variables in ipa.conf.template

Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
93b7c401 by Aleksei Slaikovskii at 2018-02-09T08:44:11Z
Enable and start oddjobd after ipa-restore if it's not running.

If after ipa-restore the service oddjobd is not running,
domain-level1 replica installation will fail during
ipa-replica-conncheck because this step is using oddjob
to start the process ipa-replica-conncheck on the master.

This patch fixes it. Also added regression test.

https://pagure.io/freeipa/issue/7234

Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
7364c268 by Florence Blanc-Renaud at 2018-02-12T16:30:52Z
ipa host-add --ip-address: properly handle NoNameservers

When ipa host-add --ip-address is called but no DNS server is able to answer
for the reverse zone, get_reverse_zone raises a NoNameservers exception.
The exception is not managed by add_records_for_host_validation, and this
leads to the command exiting on failure with an InternalError:
    $ ipa host-add testhost.ipadomain.com --ip-address 172.16.30.22
    ipa: ERROR: an internal error has occurred
A traceback is also logged in httpd error_log.

This commit properly handles the exception, and adds a test.

https://pagure.io/freeipa/issue/7397

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
80585f5c by Mohammad Rizwan Yusuf at 2018-02-14T09:17:17Z
Before the fix, when ipa-backup was called for the first time, the LDAP database was exported to /var/lib/dirsrv/slapd-<instance>/ldif/<instance>-userRoot.ldif. db2ldif is called for this and it runs under root, hence the files were owned by root.

When ipa-backup is called the next time, db2ldif fails,
because the tool does not have permissions to write to the ldif
file which was owned by root (instead of dirsrv).

This test checks if the files are owned by dirsrv and db2ldif doesn't
fail.

related ticket: https://pagure.io/freeipa/issue/7010

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
86a6fdcc by Aleksei Slaikovskii at 2018-02-14T13:26:27Z
test_backup_and_restore.py Fix logging

Use strings to log in restore_checker and backup functions.

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
8ffa33c2 by Christian Heimes at 2018-02-15T08:41:30Z
Generate same API.txt under Python 2 and 3

Use Python 3's reprlib with customizations to create same API.txt under
Python 2 and 3. Some plugins have been slightly altered to use stable
sorting for dynamically created parameter lists.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a319a378 by Christian Heimes at 2018-02-15T08:41:30Z
Run API and ACI under Python 2 and 3

Make it possible to run API, ACI, and potests under Python 3.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0ee3a267 by Christian Heimes at 2018-02-15T10:45:31Z
Fix i18n test for Chinese translation

Python 3's regular expressions default to the full range of unicode
characters. Restrict \w matches to ASCII and drop \b suffix check to fix
a problem with validating the Chinese translation zh_CN.

Co-Authored-By: Stanislav Laznicka <slaznick at redhat.com>
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
0cc2a6ca by Christian Heimes at 2018-02-15T13:02:03Z
Fix multiple uninstallation of server

"ipa-server-install --uninstall" no longer fails with error message
"'Env' object has no attribute 'basedn'" when executed on a system that
has no freeIPA server installation.

Fixes: https://pagure.io/freeipa/issue/7063
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Felipe Volpone <fbarreto at redhat.com>

- - - - -
8b6506a5 by Florence Blanc-Renaud at 2018-02-15T13:10:48Z
User must not be able to delete his last active otp token

The 389-ds plugin for OTP last token is performing data initialization
in its ipa_otp_lasttoken_init method, which is wrong according to
the Plug-in Guide:
> For example, the init function should not attempt to perform an
> internal search or other internal operation, because the all of
> the subsystems are not up and running during the init phase.

This init method fills a structure containing the configuration of
allowed authentication types. As the method is called too early, the
method does not find any suffix and leaves the structure empty.
Subsequent calls find an empty structure and take the default values
(for authentication methods, the default is 1 = password).

Because of that, the code considers that the global configuration defines
the password authentication method, and in this case it is allowed to delete
a user's last otp token.

The fix implements a SLAPI_PLUGIN_START_FN method that will be called
when 389-ds is ready to initialize the plugin data, ensuring that the
structure is properly initialized.

Fixes:
https://pagure.io/freeipa/issue/7012

Reviewed-By: Nathaniel McCallum <npmccallum at redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey at slaykovsky.com>

- - - - -
c701cd21 by Florence Blanc-Renaud at 2018-02-15T13:10:48Z
389-ds OTP lasttoken plugin: Add unit test

Add an xmlrpc test checking that a user cannot delete his last
OTP token.

Related to
https://pagure.io/freeipa/issue/7012

Reviewed-By: Nathaniel McCallum <npmccallum at redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey at slaykovsky.com>

- - - - -
1b0c55a3 by Christian Heimes at 2018-02-15T17:32:17Z
Unified ldap_initialize() function

Replace all ldap.initialize() calls with a helper function
ldap_initialize(). It handles cacert and cert validation correctly. It
also provides a unique place to handle python-ldap 3.0 bytes warnings in
the future.

Fixes: https://pagure.io/freeipa/issue/7411
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f31797c7 by Stanislav Laznicka at 2018-02-15T17:43:12Z
Have all the scripts run in python 3 by default

The Python 3 refactoring effort is finishing; it should be safe
to turn all scripts to run in Python 3 by default.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
a349629f by Christian Heimes at 2018-02-16T07:31:20Z
ipa-custodia-checker now uses python3 shebang

https://pagure.io/freeipa/issue/4985

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
83ed8d27 by Felipe Barreto at 2018-02-16T08:57:07Z
WebUI Tests: fixing test_hbac

Adding more wait_for_request between navigation and small
code refactor.

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
dae5bac3 by Felipe Barreto at 2018-02-16T08:57:07Z
WebUI Tests: fixing test_group

Removing old data that is not needed anymore.

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
3fa4378b by Felipe Barreto at 2018-02-16T08:57:07Z
WebUI Tests: fixing test_navigation

Removing old menu options, including idview and navigation on the
side bar

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
7c3f9b79 by Felipe Barreto at 2018-02-16T08:57:07Z
WebUI Tests: refactoring login method to be more readable

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
49a17e98 by Felipe Barreto at 2018-02-16T08:57:07Z
WebUI Tests: changing how the login screen is detected

The "rcue-login-screen" element does not exist anymore. Changing the
code to use the ".login-pf" instead.

With the change, it's also necessary to check if the login screen is still
visible when trying to fill the fields of new password, otherwise a
StaleElementReferenceException exception will be raised.

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
12da43c5 by Felipe Barreto at 2018-02-16T08:57:07Z
WebUI Tests: fixing test_range test case

As described in the commit [1] and ticket [2], it should not be possible to
change the range of a local IPA domain.

The basic_crud was changed to make it flexible enough not to run the mod
operation if needed.

[1] 55feea500be1f4ae7bf02ef3c48377a6751ca71d
[2] https://pagure.io/freeipa/issue/4826

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
a072fe97 by Felipe Barreto at 2018-02-16T08:57:07Z
WebUI Tests: Changing how the initial load process is done

Instead of always entering the address on the address bar and reloading the
application, now the code checks if that is necessary.

With the change, the logout process is done correctly and we do not keep any
AJAX call left behind, which could cause the user not to be logged out properly
and break the tests.

More about the logout problem described in:
https://github.com/freeipa/freeipa/pull/1479

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
81fb7e5a by Felipe Barreto at 2018-02-16T08:57:07Z
WebUI Tests: fixing test_user.py::test_test_noprivate_posix

When filling the combo box (the gidnumber) in the dialog to create a new
user, the Add button was also clicked, closing the dialog. The wait
makes it not click.

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
a5bd7bf7 by Felipe Barreto at 2018-02-16T08:57:07Z
WebUI Tests: changing the ActionChains.move_to_element to a new approach

The approach ActionChains.move_to_element no longer works as said here [1],
so, it's necessary to change it to the new one. This means, running a
javascript script to move the page to where the element is.

There are more details in the link [1], but in summary the w3c spec is
not obvious about whether a click should scroll the page to the element or not.
On one hand, Chrome and Edge do that, but Firefox doesn't. As we use
Firefox to run the tests, we need the workaround.

[1] https://github.com/mozilla/geckodriver/issues/776

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
631d3152 by Christian Heimes at 2018-02-16T14:55:32Z
freeipa-server no longer supports i686 arch on F28

389-ds-base 1.4 is going to drop 32bit i686 arch support in Fedora 28,
https://bugzilla.redhat.com/show_bug.cgi?id=1530832 . Skip server
related packages (freeipa-server, python[23]-ipaserver,
freeipa-server-common, freeipa-server-dns, freeipa-server-trust-ad).

RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1544386
Fixes: https://pagure.io/freeipa/issue/7400
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
364ffd5a by Stanislav Laznicka at 2018-02-19T13:16:51Z
Fix FileStore.backup_file() not to backup same file

FileStore.backup_file() docstring claimed not to store a
copy of the same file but the behavior of the method did not
match this description.

This commit makes the backed-up file filename derivation
deterministic by hashing its content by SHA-256, thus it
should not back up two files with the same filename and content.

Reviewed-By: Aleksei Slaikovskii <aslaikov at redhat.com>

- - - - -
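The commit above describes deriving a backup file name from the SHA-256 digest of the file's content so that the same file is not backed up twice. The following is an added illustration of that content-addressed naming scheme, not FreeIPA's FileStore code; the store class, its layout and the sample config content are constructed for the example.

```python
import hashlib
import os
import shutil
import tempfile


def content_digest(path):
    """Return the hex SHA-256 of a file, reading it in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class ContentHashedBackupStore:
    """Hypothetical backup store (not FreeIPA's FileStore).

    The backup name is '<basename>-<sha256(content)>', so a file with
    unchanged content always maps to the same backup and is stored once,
    while any content change yields a new, distinct backup.
    """

    def __init__(self, root):
        self.root = root
        os.makedirs(root, exist_ok=True)

    def backup_name(self, path):
        return "%s-%s" % (os.path.basename(path), content_digest(path))

    def backup_file(self, path):
        """Copy path into the store.

        Returns (destination, created); created is False when a backup
        with identical name and content already exists.
        """
        dest = os.path.join(self.root, self.backup_name(path))
        if os.path.exists(dest):
            return dest, False
        shutil.copy2(path, dest)
        return dest, True


def demo():
    """Back up a constructed config twice unchanged, then once after editing it."""
    work = tempfile.mkdtemp()
    store = ContentHashedBackupStore(os.path.join(work, "store"))
    cfg = os.path.join(work, "ssl.conf")  # constructed sample file
    with open(cfg, "w") as f:
        f.write("SSLProtocol all -SSLv3\n")

    first = store.backup_file(cfg)
    second = store.backup_file(cfg)      # same content: no duplicate
    with open(cfg, "a") as f:
        f.write("Include ipa-rewrite.conf\n")
    third = store.backup_file(cfg)       # changed content: new backup

    created = (first[1], second[1], third[1])
    distinct = first[0] != third[0]
    count = len(os.listdir(store.root))
    shutil.rmtree(work)
    return created, distinct, count


if __name__ == "__main__":
    print(demo())
```

Because the digest covers the content rather than the name alone, a file that is restored to earlier content maps back to the earlier backup rather than producing another copy.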
f316eb83 by Petr Vobornik at 2018-02-19T13:21:26Z
fastcheck: do not test context in pycodestyle

`git diff` also shows context lines by default. When passed to pycodestyle
it can produce errors unrelated to changed lines. It prevents running of
subsequent checks.

Limiting context to 0 lines by `git diff -U0` makes it possible to test only the
modified lines and allows running subsequent checks.

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
d6470726 by Florence Blanc-Renaud at 2018-02-19T14:51:44Z
ACI: grant access to admins group instead of admin user

The ACI needed for staged users and deleted users were granted
only to the uid=admin user. They should rather be granted to
cn=admins group, to make sure that all members of the admins
group are able to call the command ipa user-del --preserve.

This commit also adds an integration test for non-regression.

https://pagure.io/freeipa/issue/7342

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
eaa5be3e by John L at 2018-02-19T19:52:40Z
Remove special characters in host_add random OTP generation

Fixes a regression in 4.5.0 where special character set was limited.

Special characters in the OTP have caused issues in unattended
installations where the OTP is not properly quoted or escaped.

Expansion of the special character set in 4.5.0 release may cause
existing user installation scripts to fail where they wouldn't
otherwise.

https://pagure.io/freeipa/issue/7380

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
9c2c3df0 by Christian Heimes at 2018-02-20T12:03:01Z
Add better CalledProcessError and run() logging

In case of an error, ipapython.ipautil.run() now raises an exception that
contains the error message of the failed command. Before the exception
only contained the command and error code.

The command is no longer collapsed into one string. The error message
and logging output contains the actual command and arguments with intact
quoting.

Example:
CalledProcessError(Command ['/usr/bin/python3', '-c', 'import sys; sys.exit(" ".join(("error", "XXXXXXXX")))'] returned non-zero exit status 1: 'error XXXXXXXX\n')

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
d7d13bc9 by Petr Vobornik at 2018-02-20T14:17:13Z
webui:tests: move DNS test data to separate file

So that the data can be used in other tests without running
the DNS tests.

Reviewed-By: Petr Cech <pcech at redhat.com>

- - - - -
d73d49f3 by Petr Vobornik at 2018-02-20T14:17:13Z
webui:tests: realm domain add with DNS check

Try adding and deleting with "Check DNS" (in html 'ok' button)

DNS check expects that the added domain will have DNS record:
    TXT _kerberos.$domain "$REALM"

When a new domain is added using dnszone-add it automatically adds
this TXT record and adds a realm domain. So in order to test without
external DNS we must get into state where realm domain is not added
(in order to add it) but DNS domain with the TXT record exists.

Reviewed-By: Petr Cech <pcech at redhat.com>

- - - - -
6b214512 by Petr Vobornik at 2018-02-20T14:17:13Z
webui:tests: close big notifications in realm domains tests

Realm domains commands produce big fat warnings about DNS state/checks.
Given the length of these warnings, they stay displayed for a longer time.
As Web UI automated tests progress quickly, more of the warnings can
be displayed at the same time, taking a lot of space and
covering the UI needed for the next test step.

By closing the notifications before next action we make sure that test
won't fail because notification covered the required UI.

Reviewed-By: Petr Cech <pcech at redhat.com>

- - - - -
db2222fe by Petr Vobornik at 2018-02-20T14:17:13Z
temp commit to run the affected tests

Reviewed-By: Petr Cech <pcech at redhat.com>

- - - - -
90a75f0d by Christian Heimes at 2018-02-20T16:01:52Z
Use system-wide crypto-policies on Fedora

HTTPS connections from IPA framework and bind named instance now use
system-wide crypto-policies on Fedora.

For HTTPS the 'DEFAULT' crypto policy also includes unnecessary ciphers
for PSK, SRP, aDSS and 3DES. Since these ciphers are not used by freeIPA,
they are explicitly excluded.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1179925
See: https://bugzilla.redhat.com/show_bug.cgi?id=1179220
Fixes: https://pagure.io/freeipa/issue/4853
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
aee0d218 by Christian Heimes at 2018-02-20T16:01:52Z
Upgrade named.conf to include crypto policy

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
68caeb8b by Christian Heimes at 2018-02-20T16:01:52Z
Add mocked test for named crypto policy update

Mocked tests require the mock package for Python 2.7. Python 3 has
unittest.mock in the standard library.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
805aea24 by Rob Crittenden at 2018-02-21T06:57:40Z
Use mod_ssl instead of mod_nss for Apache TLS for new installs

Change some built-in assumptions that Apache has an NSS certificate
database.

Configure mod_ssl instead of mod_nss. This is mostly just changing
the directives used with some slight syntactical differences.

Drop mod_nss-specific methods and functions.

There is some mention of upgrades here but this is mostly a
side-effect of removing things necessary for the initial install.

TODO:
 - backup and restore
 - use user-provided PKCS#12 file for the certificate and key

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a0407f75 by Rob Crittenden at 2018-02-21T06:57:40Z
Remove main function from the certmonger library

This was useful during initial development and as a simple
in-tree unit test but it isn't needed anymore.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
5c64e285 by Rob Crittenden at 2018-02-21T06:57:40Z
Convert ipa-pki-proxy.conf to use mod_ssl directives

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
45966744 by Rob Crittenden at 2018-02-21T06:57:40Z
Enable upgrades from a mod_nss-installed master to mod_ssl

The existing private/public keys are migrated to PEM files
via a PKCS#12 temporary file. This should work for both
IPA-generated and user-provided server certificates.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
5531c9f2 by Rob Crittenden at 2018-02-21T06:57:40Z
Don't backup nss.conf on upgrade with the switch to mod_ssl

This is because if backed up it may contain IPA-specific entries
like an import of ipa-rewrite.conf that on uninstall won't exist
and this will keep Apache from restarting.

We already have a backup of nss.conf from pre-install. Stick with
that.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
4d2c7a4a by Rob Crittenden at 2018-02-21T06:57:40Z
Add value in set_directive after a commented-out version

When setting a value using set_directive() look for a commented-out
version of the directive and add the new value immediately after
that to keep the proper context.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
fa135e6e by Rob Crittenden at 2018-02-21T06:57:40Z
Update smart_card_auth advise script for mod_ssl

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7dc923cc by Stanislav Laznicka at 2018-02-21T06:57:40Z
mod_ssl migration: fix upload_cacrt.py plugin

Fix the upload_cacrt.py plugin to use the DS NSS database to
upload the CA certificate from (which is the original behavior).
This is possibly required for the upgrade path from some very
old IPA versions that did not use the certificates storage in
LDAP.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
20567523 by Stanislav Laznicka at 2018-02-21T06:57:40Z
httpinstance: handle supplied PKCS#12 files in installation

Part of the mod_nss -> mod_ssl move. This patch allows loading
necessary certificates for Apache to function from PKCS#12 files.
This should fix CA-less and domain level 0 installations.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
8789afa1 by Stanislav Laznicka at 2018-02-21T06:57:40Z
x509: Remove unused argument of load_certificate_from_file()

Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
60aa2c3b by Stanislav Laznicka at 2018-02-21T06:57:40Z
x509: Fix docstring of write_certificate()

Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c85bf376 by Stanislav Laznicka at 2018-02-21T06:57:40Z
certupdate: don't update HTTPD NSS db

Since mod_ssl is using the /etc/ipa/ca.crt for its source
of the CA chain, we don't need to update the HTTPD NSS
database anymore (since it does not really exist).

https://pagure.io/freeipa/issue/3757

Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
9a7c3159 by Stanislav Laznicka at 2018-02-21T06:57:40Z
Make ipa-server-certinstall store HTTPD cert in a file

This refactors the way certificate files are replaced during
ipa-server-certinstall and uses that approach on KDC and
HTTPD certificate cert-key pairs.

https://pagure.io/freeipa/issue/3757

Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
92d91ed5 by Stanislav Laznicka at 2018-02-21T06:57:40Z
fixup: add ipa-rewrite.conf to ssl.conf on upgrade

Fixes ipa-server-upgrade when upgrading from a pre-mod_ssl
version where the appropriate "Include" statement needs to
be added to ssl.conf settings so that WebUI functions properly.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
0c388d1e by Stanislav Laznicka at 2018-02-21T06:57:40Z
service: rename import_ca_certs_* to export_*

The import_ca_certs_{file,nssdb} methods were actually exporting
CA certificates from LDAP to different formats. The new names should
better reflect what these methods are actually doing.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
dde62ff8 by Stanislav Laznicka at 2018-02-21T06:57:40Z
httpinstance: backup mod_nss conf instead of just removing it

Back up the mod_nss configuration in case IPA is uninstalled once
and there are applications that require it. We too required it
in previous versions, after all.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
8ea04ab3 by Stanislav Laznicka at 2018-02-21T06:57:40Z
httpinstance: verify priv key belongs to certificate

Verify the certificate issued during an installation belongs
to its private key.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ee49947b by Stanislav Laznicka at 2018-02-21T06:57:40Z
httpinstance: fix publishing of CA cert

Adjust the HTTPInstance.__publish_ca_cert() method so that it only
exports the lowest intermediate CA certificate that signed the
HTTP certificate.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
1ca68ea7 by Stanislav Laznicka at 2018-02-21T06:57:40Z
httpinstance fixup: remove commented-out lines

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
b2194136 by Stanislav Laznicka at 2018-02-21T06:57:40Z
Move HTTPD cert/key pair to /var/lib/ipa/certs

This moves the HTTPD certificates from their default location
to an IPA-specific one. This should be especially helpful from
the container perspective.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
75845733 by Stanislav Laznicka at 2018-02-21T06:57:40Z
Backup ssl.conf when migrating from mod_nss

We should backup mod_ssl configuration when migrating from nss
otherwise the uninstall would later leave the machine with
IPA-specific settings.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
efaa48e4 by Petr Vobornik at 2018-02-21T08:50:59Z
Revert "temp commit to run the affected tests"

This reverts commit db2222fee4558004968900e8d1421abfb409f53a.

Temp commit was acked by accident. It should have been removed after
ack of approach of PR 1596. But the PR should not have been ACKed.

- - - - -
f7b23424 by Petr Vobornik at 2018-02-22T19:27:11Z
webui: hbactest: add tooltips to 'enabled' and 'disabled' checkboxes

"Include enabled" and "Include disabled" checkboxes on "Rules" tab
of HBAC Test Web UI page don't have any descriptions. It is not
clear what they do from only the labels.

This patch adds tooltips with the metadata doc text of the respective API
options, i.e. in practice it adds the same text as the CLI help when the user
hovers over the checkbox label.

  --enabled        Include all enabled IPA rules into test [default]
  --disabled       Include all disabled IPA rules into test

Reviewed-By: Felipe Barreto <fbarreto at redhat.com>

- - - - -
2d8d5ad8 by Christian Heimes at 2018-02-23T08:29:43Z
Remove deprecated -p option from ipa-dns-install

The option has been deprecated since at least freeIPA release 4.3.0 when
the installer was changed to use LDAPI.

See: https://pagure.io/freeipa/issue/4933
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
88fd3f94 by Christian Heimes at 2018-02-23T10:04:10Z
certmonger: Use explicit storage format

Add storage='NSSDB' to various places. It makes it a bit easier to track
down NSSDB usage.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
c5fb6c85 by Christian Heimes at 2018-02-23T10:04:10Z
Prepare migration of mod_nss NSSDB to sql format

- Refactor CertDB to look up values from its NSSDatabase.
- Add run_modutil() helpers to support sql format. modutil does not
  auto-detect the NSSDB format.
- Add migration helpers to CertDB.
- Add explicit DB format to NSSCertificateDatabase stanza
- Restore SELinux context when migrating NSSDB.
- Add some debugging and sanity checks to httpinstance.

The actual database format is still dbm. Certmonger on Fedora 27 does
neither auto-detect DB format nor support SQL out of the box.

https://pagure.io/freeipa/issue/7354

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
492e3c9b by Christian Heimes at 2018-02-23T10:04:10Z
NSSDB: Let certutil decide its default db type

CertDB no longer makes any assumptions about the default db type of an NSS
DB. Instead it lets certutil decide when dbtype is set to 'auto'. This
makes it much easier to support F27 and F28 from a single code base.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
66a32d89 by Christian Heimes at 2018-02-23T10:04:10Z
NSS: Force restore of SELinux context

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
a8555d42 by Christian Heimes at 2018-02-23T10:04:10Z
Update /etc/ipa/nssdb in client scripts

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
df99af4a by Christian Heimes at 2018-02-23T10:04:10Z
Remove unused modutils wrappers from NSS/CertDB

The disable system trust feature is no longer used.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
0aaee0a9 by Rob Crittenden at 2018-02-23T13:22:40Z
Don't return None on mismatched interactive passwords

This will cause the command to continue with no password set
at all which is not what we want.

We want to loop forever until the passwords match or the
user gives up and types ^D or ^C.

https://pagure.io/freeipa/issue/7383

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
d749723a by Christian Heimes at 2018-02-23T13:38:20Z
Silence GCC warning in ipa-kdb

The ipadb_free() and ipadb_alloc() functions are only used with
KRB5_KDB_DAL_MAJOR_VERSION 5.

ipa_kdb.c:639:13: warning: ‘ipadb_free’ defined but not used [-Wunused-function]
ipa_kdb.c:634:14: warning: ‘ipadb_alloc’ defined but not used [-Wunused-function]

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
642712f9 by Christian Heimes at 2018-02-23T13:38:20Z
Silence GCC warning in ipa_extdom

NSS_STATUS_RETURN is an internal value but GCC doesn't know that.

ipa_extdom_common.c:103:5: warning: enumeration value ‘NSS_STATUS_RETURN’ not handled in switch [-Wswitch]

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
4295df17 by Florence Blanc-Renaud at 2018-02-23T13:39:34Z
ipa host-add: do not raise exception when reverse record not added

When ipa host-add --random is unable to add a reverse record (for instance
because the server does not manage any reverse zone), the command
adds the host but exits (return code=1) with an error without actually
outputting the random password generated.
With this fix, the behavior is modified. The command succeeds (return code=0)
but prints a warning.

This commit also adds a unit test.

https://pagure.io/freeipa/issue/7374

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
cfe4150b by Christian Heimes at 2018-02-26T09:03:00Z
Move DNS related files to server-dns package

The freeipa-server package was shipping files that are only used by
freeipa-server-dns.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
2a50a7da by Michal Reznik at 2018-02-26T09:11:33Z
tests: ca-less to ca-full - remove certupdate

After commits 8960141 and 97942a7 we do not need to run
ipa-certupdate command anymore when switching to ca-full.

This patch removes the above mentioned commands in order to
properly test the scenario.

https://pagure.io/freeipa/issue/7309

Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
e6ca3b0c by amitkuma at 2018-03-06T09:11:52Z
Removing extra spaces present in man ipa-server-install

There are extra spaces present in the man page. This PR removes the
identified extra spaces.

Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
c9c41d2d by Stanislav Laznicka at 2018-03-06T12:00:23Z
vault: fix vault-retrieve to a file

`data` is bytes but we were opening the "--out" file as
text.

https://pagure.io/freeipa/issue/7430

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
95a45a2b by Rob Crittenden at 2018-03-06T19:17:16Z
Don't try to backup CS.cfg during upgrade if CA is not configured

https://pagure.io/freeipa/issue/7409

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
3650e3b9 by Fraser Tweedale at 2018-03-07T11:31:04Z
upgrade: remove fix_trust_flags procedure

The fix_trust_flags upgrade procedure pertains to the old Apache
mod_nss setup.  With the move to mod_ssl, it now raises an
exception, so remove it.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
2b17a086 by Tibor Dudlák at 2018-03-08T07:57:55Z
Do not check deleted files with `make fastlint`

When any file from the FreeIPA tree has been deleted, there was
a failure like:
 pylint
 ------
 ************* Module ipaserver/install/ntpinstance.py
 ipaserver/install/ntpinstance.py:1: [F0001(fatal), ] No module named ipaserver/install/ntpinstance.py)
Adding --diff-filter to fastlint prevents deleted files from being listed
in the git diff --names-only output, so that non-existent files are not
included in the check list.

Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
9797309e by Ganna Kaihorodova at 2018-03-08T08:05:01Z
Override trust methods for integration tests

Override trust method test_establish_trust_with_posix_attributes to test_establish_trust.
Windows Server 2016 doesn't have support for MFU/NIS, so autodetection is not working.

https://pagure.io/freeipa/issue/7313

Reviewed-By: Alexander Koksharov <akokshar at redhat.com>

- - - - -
c9c58f2d by Nathaniel McCallum at 2018-03-12T17:29:19Z
Fix OTP validation in FIPS mode

NSS doesn't allow keys to be loaded directly in FIPS mode. To work around
this, we encrypt the input key using an ephemeral key and then unwrap the
encrypted key.

https://pagure.io/freeipa/issue/7168

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a01a24ce by Nathaniel McCallum at 2018-03-12T17:29:19Z
Increase the default token key size

The previous default token key size would fail in FIPS mode for the sha384
and sha512 algorithms. With the updated key size, the default will work in
all cases.

https://pagure.io/freeipa/issue/7168

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
d498d727 by Nathaniel McCallum at 2018-03-12T17:29:19Z
Revert "Don't allow OTP or RADIUS in FIPS mode"

This reverts commit 16a952a0a44a0ebee97029ea1d2f6b7593dd2622.

OTP now works in FIPS mode. RADIUS can be made to be compliant by wrapping
traffic in a VPN.

https://pagure.io/freeipa/issue/7168
https://pagure.io/freeipa/issue/7243

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
54ea4aad by Florence Blanc-Renaud at 2018-03-13T09:09:13Z
ipa-server-install: handle error when calling kdb5_util create

ipa-server-install creates the kerberos container by calling
kdb5_util create -s -r $REALM -x ipa-setup-override-restrictions

but does not react on failure of this command. The installer fails later
when trying to create a ldap principal, and it is difficult to diagnose the
root cause.

The fix raises a RuntimeException when kdb5_util fails, to make sure
that the installer exits immediately with a proper error message.

Note: no test added because there is no easy reproducer. One would need to
stop dirsrv just before calling kdb5_util to simulate a failure.

https://pagure.io/freeipa/issue/7438

Reviewed-By: Robbie Harwood <rharwood at redhat.com>

- - - - -
317c20e9 by Michal Reznik at 2018-03-13T09:37:30Z
ipa_tests: test signing request with subca on replica

Test to verify that the replica is able to sign a certificate with
a new sub CA.

https://pagure.io/freeipa/issue/7387

Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
7960352f by Stanislav Laznicka at 2018-03-13T09:52:41Z
Backup HTTPD's mod_ssl config and cert-key pair

https://pagure.io/freeipa/issue/3757

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
105e7749 by Florence Blanc-Renaud at 2018-03-14T11:25:04Z
ipa-restore: remove /etc/httpd/conf.d/nss.conf

When ipa-restore is called, it needs to delete the file
nss.conf, otherwise httpd server will try to initialize
the NSS engine and access NSSCertificateDatabase.
This is a regression introduced with the switch from NSS
to SSL.

https://pagure.io/freeipa/issue/7440

Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
5a04936f by Michal Reznik at 2018-03-14T11:26:42Z
test_caless: adjust try/except to capture also IOError

While testing on RHEL we are getting IOError instead of OSError.
Add also IOError to except clause.

This is mostly for compatibility reasons however should not cause
any issue as IOError is alias for OSError on Python3.

https://pagure.io/freeipa/issue/7439

Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
2c05e42a by Felipe Barreto at 2018-03-14T11:28:16Z
Fixing cleanup process in test_caless

After commit bbe615e12c278f9cddaeb38e80b970bf14d9b32d, if the uninstall
process fails (in the test cleanup) the error is not hidden anymore.

That brought light to errors in the cleanup process on
TestReplicaInstall test, like this:
```
RUN ['ipa-server-install', '--uninstall', '-U']
ipapython.admintool: ERROR    Server removal aborted:
Replication topology in suffix 'domain' is disconnected:
Topology does not allow server master.ipa.test to replicate with servers:
    replica0.ipa.test.
ipapython.admintool: ERROR    The ipa-server-install command failed
```

This commit changes the order of how a replica should be removed from
the topology.

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
bffcef6b by Robbie Harwood at 2018-03-14T17:05:17Z
Log errors from NSS during FIPS OTP key import

Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
a3060b52 by amitkuma at 2018-03-15T06:31:37Z
Error message while adding idrange with untrusted domain

While trying to add an idrange with an untrusted domain name, the error
message is misleading.

Changing the error message to:
invalid 'ID Range setup':Specified trusted domain
name could not be found.

Resolves: https://pagure.io/freeipa/issue/5078
Reviewed-By: Alexander Koksharov <akokshar at redhat.com>

- - - - -
5ef49ffc by Felipe Barreto at 2018-03-15T08:26:56Z
Adding more tests to PR CI

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
9a6a90bb by Felipe Barreto at 2018-03-15T08:26:56Z
prci: Bump ci-master-f27 template to 1.0.3

This enables us to run WebUI tests.

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
fd9ede52 by Christian Heimes at 2018-03-15T11:57:00Z
Simplify Python package installation

Move logic for installing just the Python packages out of the spec file
and into our root Makefile. It removes code duplication to simplify a
spec file that supports building without Python 2.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
fa94ef04 by Christian Heimes at 2018-03-15T11:57:00Z
autoconf prefers Python 3 over 2

The configure script now looks for Python 3.6 or newer, then falls back
to Python 2. All Makefiles default to Python 3 if Python 3 is available.

See: pagure.io/freeipa/issue/7131
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7a03a4e9 by Christian Heimes at 2018-03-16T06:33:58Z
Instrument installer to profile steps

Installer now prints runtime of each step / part to install log.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
bfd11701 by Rob Crittenden at 2018-03-16T06:42:07Z
Redirect CRL requests to the http port, not the https port

https://pagure.io/freeipa/issue/7433

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
d7c23a3b by Brian J. Murrell at 2018-03-16T07:01:53Z
Move ETag disabling to /ipa virtual server

This moves the ETag disabling so that it's specific to the /ipa
virtual server rather than being applied to all virtual servers on the machine.

This enables better co-existence with other virtual servers that want ETags.

Signed-off-by: Brian J. Murrell <brian at interlinx.bc.ca>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
75f7b7b5 by Christian Heimes at 2018-03-16T10:50:41Z
Make fasttest pass without ~/.ipa/default.conf

Some fast tests depend on an api.env with realm, domain, and host. On
machines without ~/.ipa/default.conf, the settings are not available.
Provide dummy values to make tests pass.

Closes: https://pagure.io/freeipa/issue/7432
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Aleksei Slaikovskii <aslaikov at redhat.com>

- - - - -
69599560 by Christian Heimes at 2018-03-16T13:25:37Z
Relax message check in test_create_host_with_ip

On Travis CI, the DNS update in test case test_create_host_with_ip may fail
with different error messages. Relax the error message check and just
check that the test case is hitting a DNS update failure.

This fixes a flaky test case on CI.

Closes: https://pagure.io/freeipa/issue/7447
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
c450e2dc by Alexey Slaykovsky at 2018-03-16T13:26:48Z
Make WebUI unit tests generate results as JUnit

Currently the WebUI unit tests generate results in qunit format, which
is not easily consumed by Jenkins.

This patch adds an NPM dependency for generating results in
JUnit XML format so they can be easily processed.

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
d6468615 by Rob Crittenden at 2018-03-16T15:35:10Z
Update Contributors.txt

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
8946bf26 by Rob Crittenden at 2018-03-16T16:44:32Z
Become IPA 4.6.90.pre1

- - - - -
3bb3e755 by Rob Crittenden at 2018-03-16T18:20:33Z
VERSION.m4: Set back to git snapshot

- - - - -
ce8ec502 by Christian Heimes at 2018-03-19T09:58:48Z
Pylint 1.8.3 fixes

Teach pylint more about the internals of API to fix various issues with
pylint 1.8.3.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
3871fe6d by Christian Heimes at 2018-03-19T14:46:56Z
Keep owner when backing up CA.cfg

DogtagInstance.backup_config uses shutil.copy to create a backup of the
config file. The function does not retain owner and group, so it creates a
backup as user and group root:root.

Closes: https://pagure.io/freeipa/issue/7426
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey at slaykovsky.com>

- - - - -
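The commit above describes a file copied with shutil.copy that ends up owned by root:root. The block below is an added example, not DogtagInstance.backup_config itself: it shows the difference between shutil.copy, shutil.copy2 (which adds timestamps but still not ownership) and an explicit chown to the source's uid/gid, and checks the result in a temporary directory. The file name and contents are constructed for the example. Run as root it keeps a pkiuser-owned backup owned by pkiuser; as an unprivileged user the chown to your own uid is permitted and simply a no-op.

```python
"""Back up a config file while preserving mode, timestamps, owner and group.

Added example, not FreeIPA project code. shutil.copy/copy2 copy
permission bits (and copy2 the timestamps) but never ownership, so the
backup of a service-owned file silently becomes root:root.
"""
import os
import shutil
import stat
import tempfile
from typing import Tuple


def backup_config(src: str, dst: str) -> str:
    """Copy src to dst and re-apply the source's uid/gid to the copy."""
    st = os.stat(src)
    shutil.copy2(src, dst)               # mode + timestamps, but not owner
    os.chown(dst, st.st_uid, st.st_gid)  # owner/group, as copy2 does not do it
    return dst


def owner_and_mode(path: str) -> Tuple[int, int, int]:
    """(uid, gid, permission bits) of a path, for before/after comparison."""
    st = os.stat(path)
    return st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)


def selfcheck() -> bool:
    """Create a 0640 file, back it up, and confirm content and metadata match."""
    sample = "# constructed sample config, not a real CS.cfg\nkey=value\n"
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "CS.cfg")
        with open(src, "w") as f:
            f.write(sample)
        os.chmod(src, 0o640)
        bak = backup_config(src, src + ".bak")    # ".bak" suffix is assumed
        with open(bak) as f:
            same_content = f.read() == sample
        return same_content and owner_and_mode(src) == owner_and_mode(bak)


if __name__ == "__main__":
    print("backup preserves content, owner and mode:", selfcheck())
```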
2b47f899 by Christian Heimes at 2018-03-19T14:48:46Z
Require Dogtag PKI >= 10.6

Dogtag 10.6.0-0.2 contains SQL NSS DB fixes and full Python 3 support.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
68c7b036 by Rob Crittenden at 2018-03-19T16:38:41Z
Return a value if exceptions are raised in server uninstall

The AdminTool class purports to "call sys.exit() with the return
value" but most of the run implementations returned no value, or
the methods they called returned nothing so there was nothing to
return, so this was a no-op.

The fix is to capture and bubble up the return values which will
return 1 if any exceptions are caught.

This potentially affects other users in that when executing the
steps of an installer or uninstaller the highest return code
will be the exit value of that installer.

Don't use the Continuous class because it doesn't add any
value and makes catching the exceptions more difficult.

https://pagure.io/freeipa/issue/7330

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
64fca87a by Rob Crittenden at 2018-03-19T16:38:41Z
Remove the Continuous installer class, it is unused

https://pagure.io/freeipa/issue/7330

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
a6e6e7f5 by Christian Heimes at 2018-03-20T09:15:28Z
More cleanup after uninstall

Remove more files during ipaserver uninstallation:

* /etc/gssproxy/10-ipa.conf
* /etc/httpd/alias/*.ipasave
* /etc/httpd/conf/password.conf
* /etc/ipa/dnssec/softhsm2.conf
* /etc/systemd/system/httpd.service.d/
* /var/lib/ipa/dnssec/tokens

Fixes: https://pagure.io/freeipa/issue/7183
See: https://pagure.io/freeipa/issue/2694
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Koksharov <akokshar at redhat.com>

- - - - -
83c173cf by Fraser Tweedale at 2018-03-20T09:28:05Z
install: configure dogtag status request timeout

Configure the status request timeout, i.e. the connect/data timeout
on the HTTP request to get the status of Dogtag.

This configuration is needed in "multiple IP address" scenarios
where this server's hostname has multiple IP addresses but the HTTP
server is only listening on one of them.  Without a timeout, if a
"wrong" IP address is tried first, it will take a long time to
timeout, exceeding the overall timeout hence the request will not be
re-tried.  Setting a shorter timeout allows the request to be
re-tried.

Note that HSMs cause different behaviour so this value might not be
suitable for when we implement HSM support.  It is known that a
value of 5s is too short in HSM environment.

This fix requires pki-core >= 10.6.0, which is already required by
the spec file.

Fixes: https://pagure.io/freeipa/issue/7425
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
518e3578 by Ganna Kaihorodova at 2018-03-20T09:44:22Z
Fix for test TestInstallMasterReservedIPasForwarder

The second check in the test is failing because it accepts the installer's default domain value, which is already used for lab machines.
The IPA DNS domain must not exist before the installation; the fix is to provide a domain name derived from the VM name.

Reviewed-By: Alexey Slaykovsky <alexey at slaykovsky.com>

- - - - -
b947296f by Alexey Slaykovsky at 2018-03-20T13:42:49Z
Make tox tests generate results in JUnit XML

As our tox run uses pytest, it is great to have the results in JUnit
format for later processing.

Reviewed-By: Alexander Koksharov <akokshar at redhat.com>

- - - - -
ce0b87e9 by Takeshi MIZUTA at 2018-03-21T07:41:34Z
Fix some typos in man page

Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
0f31564b by Florence Blanc-Renaud at 2018-03-21T08:35:56Z
ipa-replica-install: make sure that certmonger picks the right master

During ipa-replica-install, http installation first creates a service
principal for http/hostname (locally on the soon-to-be-replica), then
waits for this entry to be replicated on the master picked for the
install.
In a later step, the installer requests a certificate for HTTPd. The local
certmonger first tries the master defined in xmlrpc_uri (which is
pointing to the soon-to-be-replica), but fails because the service is not
up yet. Then certmonger tries to find a master by using the DNS and looking
for a ldap service. This step can pick a different master, where the
principal entry has not always been replicated yet.
As the certificate request adds the principal if it does not exist, we can
end up re-creating the principal and having a replication conflict.

The replication conflict later causes kerberos issues, preventing
from installing a new replica.

The proposed fix forces xmlrpc_uri to point to the same master as the one
picked for the installation, in order to make sure that the master already
contains the principal entry.

https://pagure.io/freeipa/issue/7041

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
b43e7314 by Petr Vobornik at 2018-03-21T14:29:50Z
realm domains: improve doc text

It is quite unclear how realm domains behave without reading source
code. New doc text describes its purpose and how it is managed.

https://pagure.io/freeipa/issue/7424

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
48acb7d8 by Alexander Bokovoy at 2018-03-21T21:22:35Z
Processing of server roles should ignore errors.EmptyResult

When non-admin user issues a command that utilizes
api.Object.config.show_servroles_attributes(), some server roles might
return errors.EmptyResult, indicating that a role is not visible to this
identity.

Most of the callers to api.Object.config.show_servroles_attributes() do
not process errors.EmptyResult so it goes up to an API caller. In case
of Web UI it breaks retrieval of the initial configuration due to ipa
config-show failing completely rather than avoiding to show available
server roles.

Fixes: https://pagure.io/freeipa/issue/7452
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
2da9a4ca by Alexander Bokovoy at 2018-03-21T21:22:35Z
Update template directory with new variables when upgrading ipa.conf.template

With e6c707b168067ebb3705c21efc377acd29b23fff we changed httpd
configuration to use abstracted out variables in the template.
However, during upgrade we haven't resolved these variables so an
upgrade from pre-e6c707b168067ebb3705c21efc377acd29b23fff install will
fail.

Add all missing variables to the upgrade code.

Fixes https://pagure.io/freeipa/issue/7454
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
b47d6a36 by Alexander Bokovoy at 2018-03-22T10:33:17Z
use LDAP Whoami command when creating an OTP token

ipa user-find --whoami is used by ipa otptoken-add to populate
the ipaTokenOwner and managedBy attributes. These attributes, in turn, are
checked by the self-service ACI which allows creating OTP tokens
assigned to the creator.

With 389-ds-base 1.4.0.6-2.fc28 in Fedora 28 beta there is a bug in
searches with scope 'one' that results in ipa user-find --whoami
returning 0 results.

Because ipa user-find --whoami does not work, a non-admin user cannot
create a token. This is a regression that can be fixed by using the LDAP
Whoami command.

The LDAP Whoami command returns a string 'dn: <DN of the bind>', so we have
to strip the first four characters to get the actual DN.

Fixes: https://pagure.io/freeipa/issue/7456
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
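The commit above derives the token owner from the "Who am I?" reply by stripping four characters. The block below is an added example, not FreeIPA code: a small parser for the RFC 4532 authzId forms ("dn:", "u:", and the empty reply for an anonymous bind) that accepts both the RFC spelling and the "dn: " with a space that 389-ds returns, and refuses to hand back anything that is not a DN. That refusal is the security-relevant part: ipaTokenOwner and managedBy are what the self-service ACI checks, so they must never be populated from an unrecognised string. The sample responses are constructed, not captured from a live server.

```python
"""Parse an LDAP "Who am I?" (RFC 4532) response into a bind DN.

Added example, not FreeIPA project code. RFC 4532 defines the authzId
forms "dn:<DN>" and "u:<userid>", and an empty response for an anonymous
bind. 389-ds answers "dn: uid=..." with a space after the colon (the four
characters the commit strips), so both spellings are accepted here.
"""
from typing import Optional, Tuple, Union

# Constructed responses, not captured from a directory server.
SAMPLE_389DS = b"dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test"
SAMPLE_RFC = b"dn:uid=alice,cn=users,cn=accounts,dc=example,dc=test"
SAMPLE_USERID = b"u:alice"
SAMPLE_ANON = b""


def parse_authzid(authzid: Union[bytes, str]) -> Tuple[str, Optional[str]]:
    """Return ("dn", dn), ("u", userid) or ("anonymous", None).

    Any other form raises ValueError so a caller never writes an
    unrecognised string into an owner attribute such as ipaTokenOwner.
    """
    text = authzid.decode("utf-8") if isinstance(authzid, bytes) else authzid
    if text == "":
        return "anonymous", None
    for prefix in ("dn:", "u:"):
        if text.startswith(prefix):
            value = text[len(prefix):].lstrip(" ")   # tolerate 389-ds "dn: "
            if not value:
                raise ValueError("empty %s authzId" % prefix)
            return prefix[:-1], value
    raise ValueError("unrecognised authzId form: %r" % text)


def token_owner_dn(authzid: Union[bytes, str]) -> str:
    """DN to store in ipaTokenOwner/managedBy; refuses non-DN identities.

    An anonymous or "u:" identity has no entry to own the token, so the
    caller must fail the request rather than fall back to a default.
    """
    kind, value = parse_authzid(authzid)
    if kind != "dn":
        raise ValueError("bind identity is %s, not a DN; refusing to set token owner" % kind)
    return value


if __name__ == "__main__":
    for sample in (SAMPLE_389DS, SAMPLE_RFC, SAMPLE_USERID, SAMPLE_ANON):
        print(repr(sample), "->", parse_authzid(sample))
    print("token owner:", token_owner_dn(SAMPLE_389DS))
```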
e7e06f6d by Stanislav Laznicka at 2018-03-22T15:17:29Z
Dogtag configs: rename deprecated options

ipa-{server,kra}-install logs have been showing warnings about
deprecation of some Dogtag configuration options. Follow
the warnings' advice and rename these options to their newer
form.

Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Koksharov <akokshar at redhat.com>

- - - - -
7cbd9bd4 by Stanislav Laznicka at 2018-03-23T11:48:46Z
Encrypt httpd key stored on disk

This commit adds configuration for HTTPD to encrypt/decrypt its
key, which we currently store in the clear on disk.

A password-reading script is added for mod_ssl. This script is
extensible for the future use of directory server with the
expectation that key encryption/decryption will be handled
similarly by its configuration.

https://pagure.io/freeipa/issue/7421

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
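The commit above adds a password-reading script for mod_ssl. The block below is an added example of such a helper, not the script FreeIPA ships: mod_ssl's `SSLPassPhraseDialog exec:` mode runs the program with two arguments, "servername:port" and the key type (for example "RSA"), and reads the passphrase from its stdout. The passphrase file path is an assumption for the example. The point worth copying is that the file is created 0600 from the start and that ownership and mode are checked before anything is printed, since an encrypted key whose passphrase sits in a world-readable file is no better than the clear-text key it replaced.

```python
"""Passphrase helper for mod_ssl's SSLPassPhraseDialog "exec:" mode.

Added example, not FreeIPA project code. Apache invokes the program as
  helper servername:port RSA
and takes the passphrase from stdout.
"""
import os
import stat
import sys

PASSPHRASE_FILE = "/var/lib/ipa/passwds/httpd-key.txt"   # assumed path for the example


def passphrase_file_ok(st_mode: int, st_uid: int, expected_uid: int) -> bool:
    """Regular file, owned by expected_uid, with no group/other permission bits."""
    if not stat.S_ISREG(st_mode):
        return False
    if st_uid != expected_uid:
        return False
    return st_mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def write_passphrase_file(path: str, passphrase: bytes) -> None:
    """Create the file with mode 0600 from the first instant; never chmod down later."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(passphrase + b"\n")


def read_passphrase(path: str, expected_uid: int = 0) -> bytes:
    """Return the passphrase, refusing files with the wrong owner or mode."""
    st = os.stat(path)
    if not passphrase_file_ok(st.st_mode, st.st_uid, expected_uid):
        raise PermissionError("refusing %s: owner %d, mode %o"
                              % (path, st.st_uid, stat.S_IMODE(st.st_mode)))
    with open(path, "rb") as f:
        return f.read().rstrip(b"\r\n")


def main(argv) -> int:
    # argv is [prog, "servername:port", keytype]; both are informational here.
    if len(argv) != 3:
        sys.stderr.write("usage: %s servername:port keytype\n" % argv[0])
        return 2
    sys.stdout.buffer.write(read_passphrase(PASSPHRASE_FILE))
    sys.stdout.flush()
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wire it in with `SSLPassPhraseDialog exec:/path/to/helper` in ssl.conf; httpd runs the dialog as root during startup, which is why the example expects uid 0 by default.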
48fb6d2c by Christian Heimes at 2018-03-23T12:08:39Z
Fix compatibility with latest pytest

pytest removed copy() method from its Namespace class. Use the copy
module to make a copy of early options.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
a678336b by Alexander Bokovoy at 2018-03-23T14:31:48Z
upgrade: Run configuration upgrade under empty ccache collection

Use a temporary empty DIR-based ccache collection to prevent upgrade
failures in case the KCM: or KEYRING: ccache type is used by default in
krb5.conf and is not available. We don't need any user credentials
during the upgrade procedure, but kadmin.local would attempt to resolve
the default ccache and if that's not available, kadmin.local will fail.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1558818
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
830b608d by Stanislav Laznicka at 2018-03-24T13:18:23Z
Remove py35 env from tox testing

Ever since fa94ef04, only Python3 versions >=3.6 are supported.
Removing py35 env from tox tests.

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
d8cbd5d3 by Michal Reznik at 2018-03-24T13:23:47Z
ui_tests: change get_http_pkey() function

Change the get_http_pkey() function to a more generic one in
order to get the pkey for different services.

https://pagure.io/freeipa/issue/7441

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
62a131ab by Michal Reznik at 2018-03-24T13:23:47Z
ui_tests: add_host() support func in test_service

Add add_host() support func into test_service to
create temp hosts.

https://pagure.io/freeipa/issue/7441

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
0f5084b9 by Michal Reznik at 2018-03-24T13:23:47Z
ui_tests: add_service() support func in test_service

Add add_service() support func into test_service.

https://pagure.io/freeipa/issue/7441

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
735d48d8 by Michal Reznik at 2018-03-24T13:23:47Z
ui_tests: add more test cases to test_certification

Add cases for:
"cancel_cert_request", "cancel_hold_cert", "cancel_remove_hold",
"cancel_revoke_cert" and "revoke_cert"

https://pagure.io/freeipa/issue/7441

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
cd86fd21 by Michal Reznik at 2018-03-24T13:23:47Z
ui_tests: add more test cases

Add more test cases to test_services. Details in the ticket.

https://pagure.io/freeipa/issue/7441

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
01fa5411 by Michal Reznik at 2018-03-24T13:23:47Z
ui_tests: add assert_notification()

Add assert_notification() function to check whether
we have a notification of a particular type.

https://pagure.io/freeipa/issue/7441

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
7fb4f755 by Michal Reznik at 2018-03-24T13:23:47Z
ui_tests: add assert_field_required()

Add assert_field_required() to check whether we
got 'Required field' error message.

https://pagure.io/freeipa/issue/7441

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
95de6f06 by Michal Reznik at 2018-03-24T13:23:47Z
ui_tests: add funcs to add/remove a user's public SSH key

Add funcs to add/remove a user's public SSH key.

https://pagure.io/freeipa/issue/7441

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
18e8c964 by Michal Reznik at 2018-03-24T13:23:47Z
ui_tests: add function to run cmd on UI host

Run shell command on the UI system using "admin"
user's passwd from conf.

https://pagure.io/freeipa/issue/7441

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
55318394 by Michal Reznik at 2018-03-24T13:23:47Z
ui_tests: make associations cancelable

Adjust associations functions to simulate "cancel"
action.

https://pagure.io/freeipa/issue/7441

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
16083eb9 by Michal Reznik at 2018-03-24T13:23:47Z
ui_tests: test cancel and delete without button

Add "confirm_btn" to cancel dialog and if "None" return
for confirmation with "Enter" key.

https://pagure.io/freeipa/issue/7441

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
bf1f2d1c by Michal Reznik at 2018-03-24T13:23:47Z
ui_tests: select_combobox() fixes

Move strict "search_btn" element finding to later so we
do not fail when using combobox without search button.
Also switch open_btn.click() before fill_textbox() as it
is used to close the selection.

https://pagure.io/freeipa/issue/7441

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
5f87b9c3 by Michal Reznik at 2018-03-24T13:23:47Z
ui_tests: run ipa-get/rmkeytab command on UI host

Run ipa-get/rmkeytab command on UI host in order to test whether
we have the key un/provisioned.

https://pagure.io/freeipa/issue/7441

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
5afbe1d2 by Fraser Tweedale at 2018-03-26T07:39:17Z
replica-install: warn when there is only one CA in topology

For redundancy and security against catastrophic failure of a CA
master, there must be more than one CA master in a topology.
Replica installation is a good time to warn about this situation.
Print a warning at the end of ipa-replica-install, if there is only
one CA replica in the topology.

Fixes: https://pagure.io/freeipa/issue/7459
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
47cf159f by Stanislav Laznicka at 2018-03-26T07:42:07Z
Fix upgrading of FreeIPA HTTPD

With the recent encryption of the HTTPD keys, it's also necessary
to account for this scenario during upgrade and create the password
for the HTTPD private key along with the cert/key pair.

This commit also moves the HTTPD_PASSWD_FILE_FMT from ipalib.constants
to ipaplatform.paths as it proved to be too hard to be used that way.

https://pagure.io/freeipa/issue/7421

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
e707d974 by Stanislav Laznicka at 2018-03-26T07:42:07Z
ipa_backup: Backup the password to HTTPD priv key

https://pagure.io/freeipa/issue/7421

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
7580da41 by Felipe Barreto at 2018-03-26T07:51:25Z
Adding Django's Code of Conduct

We will use Django's Code of Conduct to develop the FreeIPA CoC

Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
30ab8c47 by Felipe Barreto at 2018-03-26T07:51:25Z
Changing Django's CoC to reflect FreeIPA CoC

Also including sections "Scope" and "Enforcement" from Contributor
Covenant [1]

[1] https://www.contributor-covenant.org/

Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1fe795b7 by Pavel Picka at 2018-03-26T11:00:39Z
WebUI Hostgroups tests cases added

Added test for negative (invalid) names
Added test for add/add another/add and edit/cancel buttons
Added test for duplicate records

https://pagure.io/freeipa/issue/7458

Signed-off-by: Pavel Picka <ppicka at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
ccec8c6c by amitkuma at 2018-03-26T13:16:54Z
clear sssd cache when uninstalling client

The SSSD cache is not cleared when uninstalling an IPA client. For tidiness we should wipe the cache. This can be done with sssctl.
Note that this tool is in sssd-tools which is not currently a dependency.

Resolves: https://pagure.io/freeipa/issue/7376
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
b0d8c6c2 by amitkuma at 2018-03-26T13:16:54Z
clear sssd cache when uninstalling client

The SSSD cache is not cleared when uninstalling an IPA client. For tidiness we should wipe the cache. This can be done with sssctl.
Note that this tool is in sssd-tools which is not currently a dependency.

Resolves: https://pagure.io/freeipa/issue/7376
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
421fc376 by Fraser Tweedale at 2018-03-28T10:30:31Z
Fix upgrade when named.conf does not exist

Commit aee0d2180c7119bef30ab7cafea81dc3df1170b7 adds an upgrade step
that adds system crypto policy include to named.conf.  This step
omitted the named.conf existence check; upgrade fails when it does
not exist.  Add the existence check.

Also update the test to add the IPA-related part of the named.conf
config, because the "existence check" actually does more than just
check that the file exists - it also checks that it contains the IPA
bind-dyndb-ldap configuration section.

Part of: https://pagure.io/freeipa/issue/4853

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
0176e1a6 by Fraser Tweedale at 2018-03-28T10:42:11Z
Add commentary about PKI admin password

Add a note in cainstance.configure_instance that "admin_password" is
the password to be used for the PKI admin account, NOT the IPA admin
password.  In fact, it is set to the Directory Manager password.

This comment would have saved me some time during recent
investigation of a replica installation issue.

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
34d06b2b by Alexander Bokovoy at 2018-03-28T13:29:00Z
Allow anonymous access to parentID attribute

Due to optimizations in 389-ds performed as a result of
https://pagure.io/389-ds-base/issue/49372, the LDAP search filter
is rewritten to include parentID information. It implies that parentID
has to be readable for a bound identity performing the search. This is
what 389-ds expects right now but the FreeIPA DS instance does not allow it.

As a result, searches with a one-level scope fail to return results that
otherwise are matched in a sub scope search.

While 389-ds developers are working on the fix for issue
https://pagure.io/389-ds-base/issue/49617, we can fix it by adding an
explicit ACI to allow reading the parentID attribute at the suffix level.

Fixes: https://pagure.io/freeipa/issue/7466
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
70c6da9c by Petr Vobornik at 2018-03-28T13:31:27Z
webui tests: fix test_host:test_crud failure

test_host.py::test_host::test_crud fails in nightly tests in the delete record
step.

It started to fail probably after commit 4295df17a42897f6f59be21c25c5dd03984e35d3
which changed host-add behavior into showing a warning message about DNS resolution
instead of raising an error. This warning notification stays displayed for some
time, as all longer notifications do. By being open it takes some area on the page.
Given that webui tests proceed quicker than a user, the notification can
cover some elements.

The test fails because the web driver cannot click on an element which is covered
by the notification. In this case, it cannot open a delete dialog.

So the fix is to close the notification(s). This is OK since a user would do
it as well if it was in the way.

This kind of issue is harder to reproduce when testing locally because
most people use screen resolution 1920x1200 or full HD. PR-CI uses
1400x1200 for web ui testing.
  /usr/bin/Xvfb $DISPLAY -ac -noreset -screen 0 1400x1200x8

So an alternative fix would be to change the resolution used by the PR-CI. A combination
of both could be the best.

https://pagure.io/freeipa/issue/7468

Reviewed-By: Felipe Volpone <fbarreto at redhat.com>

- - - - -
64438f86 by Christian Heimes at 2018-03-28T19:18:48Z
Cleanup and remove more files on uninstall

* /etc/nsswitch.conf.ipabkp
* /etc/openldap/ldap.conf.ipabkp
* /var/lib/ipa/sysrestore/*
* /var/named/dyndb-ldap/ipa/
* /var/lib/dirsrv/scripts-%s/

See: https://pagure.io/freeipa/issue/2694
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
d705320e by Christian Heimes at 2018-04-03T06:07:46Z
Temporarily disable authconfig backup and restore

The authconfig command from authselect-compat-0.3.2-1 does not support
backup and restore at all. Temporarily disable backup and restore of
auth config to fix broken ipa-backup.

Fixes: https://pagure.io/freeipa/issue/7478
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
e7c4f77d by Felipe Barreto at 2018-04-03T06:10:01Z
Adding right parameters to install IPA in TestInstallMasterReservedIPasForwarder

When installing ipa in interactive mode, it's necessary to provide the
hostname. This will make the test pass.

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
6b145bf3 by Felipe Barreto at 2018-04-03T06:10:01Z
temp commit: adding test to PR CI run

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a947695a by Felipe Barreto at 2018-04-03T12:20:18Z
Fix TestSubCAkeyReplication providing the right path to pki log

The pki debug log has its name in this format: debug.<date>.log. This commit
changes the code to use this format, fixing the test.

Unfortunately, it's not possible to use some kind of regex (like debug.*.log)
to get the file, because python multihost gets the path and tries to open
(using the "open" python function) the file with that.

https://pagure.io/freeipa/issue/7095

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
6aca027e by Christian Heimes at 2018-04-04T06:58:48Z
Fix installer CA port check for port 8080

The installer now checks that port 8080 is available and not in use by
any other application.

The port checker has been rewritten to use bind() rather than just
checking if a server responds on localhost. It's much more reliable and
detects more problems.

Original patch by m3gat0nn4ge.

Co-authored-by: Mega Tonnage <m3gat0nn4ge at gmail.com>
Fixes: https://pagure.io/freeipa/issue/7415
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
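
An added example, not FreeIPA's own port checker, of the bind()-based approach the commit describes: it reports EADDRINUSE as a conflict, surfaces permission errors separately instead of hiding them, and includes a constructed demonstration that occupies a loopback port to show the check detecting it.

```python
import errno
import socket


def port_available(port, host="", family=socket.AF_INET):
    """Return True if nothing is bound to (host, port) for TCP.

    The check binds a fresh socket without SO_REUSEADDR, so a port held
    by a listener, or still lingering in TIME_WAIT, is reported as taken.
    This catches cases a connect() probe to localhost misses: a daemon
    that is bound but not yet accepting, or one listening on a
    non-loopback address only. A bind refused for permission reasons is
    raised as PermissionError rather than reported as "in use".
    """
    sock = socket.socket(family, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
        return True
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return False
        if exc.errno in (errno.EACCES, errno.EPERM):
            raise PermissionError("not allowed to bind port %d" % port)
        raise
    finally:
        sock.close()


def check_ports(ports, host=""):
    """Map each port to True (free) or False (in use) so an installer can
    refuse to continue and name every conflicting port at once."""
    return {port: port_available(port, host) for port in ports}


def busy_ports(ports, host=""):
    """Ports from `ports` that are already taken, in the order given."""
    return [p for p, free in check_ports(ports, host).items() if not free]


def demo_occupied_port():
    """Constructed demonstration: occupy an ephemeral loopback port with a
    listening socket, check it, release it, check again.
    Returns (available_while_held, available_after_release)."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        holder.bind(("127.0.0.1", 0))
        holder.listen(1)
        port = holder.getsockname()[1]
        while_held = port_available(port, "127.0.0.1")
    finally:
        holder.close()
    after_release = port_available(port, "127.0.0.1")
    return (while_held, after_release)


if __name__ == "__main__":
    # 8080 is the port the commit above adds to the installer's CA check.
    print("busy:", busy_ports([8080]))
    print("held/released:", demo_occupied_port())
```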

- - - - -
5a4e358b by amitkuma at 2018-04-04T08:23:18Z
Correction of management spelling.

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
951e5db1 by amitkuma at 2018-04-05T09:25:01Z
Correcting detect typo in server.m4

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
05f5cee7 by Timo Aaltonen at 2018-04-06T13:09:34Z
Merge tag 'release-4-6-3' into master-next

tagging IPA 4.6.3

- - - - -
2c92509b by Timo Aaltonen at 2018-04-06T13:18:30Z
Merge branch 'master' into master-next

- - - - -
a8d8159e by Timo Aaltonen at 2018-04-06T13:23:32Z
update the changelog

- - - - -
44514caa by Timo Aaltonen at 2018-04-06T13:28:57Z
fix-ipa-conf.diff: Dropped, upstream.

- - - - -
cd843dec by Timo Aaltonen at 2018-04-06T14:00:23Z
rules: Force building with python2.

- - - - -
b7293a91 by Ganna Kaihorodova at 2018-04-06T14:00:48Z
TestBasicADTrust.test_ipauser_authentication

test_ipauser_authentication is failing with error: "Confidentiality required"
Password operation must be performed over a secure connection

To start TLS encryption, the -ZZ option was added in order for the connection to be successful

https://pagure.io/freeipa/issue/7470

Reviewed-By: Aleksei Slaikovskii <aslaikov at redhat.com>

- - - - -
3ef300a3 by Timo Aaltonen at 2018-04-06T14:00:51Z
server.install: Updated.

- - - - -
5a7276f5 by Timo Aaltonen at 2018-04-06T14:01:53Z
debian/.gitignore: Ignore d/control.

- - - - -
84f16acb by Timo Aaltonen at 2018-04-06T14:04:33Z
rules: If git is installed, revert po/ on clean.

- - - - -
4526fc30 by Timo Aaltonen at 2018-04-06T14:20:11Z
server.dirs: Add missing directories, fix some permissions in postinst.

- - - - -
a3bd43c4 by Timo Aaltonen at 2018-04-06T14:23:27Z
control.server: Bump dogtag dependencies to 10.6.0~.

- - - - -
14d16783 by Timo Aaltonen at 2018-04-06T14:26:45Z
control.server: Drop mod-nss from Depends, mod_ssl is used instead.

- - - - -
4041786e by Timo Aaltonen at 2018-04-06T14:27:57Z
enable-mod-nss-during-setup.diff: Dropped, not needed anymore.

- - - - -
8e0bfb51 by Timo Aaltonen at 2018-04-06T14:31:43Z
server.postinst/postrm: Enable/disable mod_ssl.

- - - - -
90c004a7 by Timo Aaltonen at 2018-04-06T14:34:37Z
control: Bump 389-ds-base dependency.

- - - - -
f046b83d by Timo Aaltonen at 2018-04-06T14:35:08Z
bump pki dep on control.stub too

- - - - -
e4a86ba3 by Timo Aaltonen at 2018-04-06T21:41:25Z
rules: Modify python scripts to use python2.

- - - - -
8b0fb0e6 by Timo Aaltonen at 2018-04-06T23:27:05Z
fix-paths.diff: Add some paths to platform data.

- - - - -
38e76a9e by Timo Aaltonen at 2018-04-06T23:29:55Z
dont-setup-apache-logging.diff: Don't specify apache logging directories.

- - - - -
b82a2295 by Christian Heimes at 2018-04-09T07:01:29Z
Load librpm on demand for IPAVersion

ctypes.util.find_library() is costly and slows down startup of the ipa CLI.
ipaplatform.redhat.tasks now defers loading of librpm until it's needed.
CFFI has been replaced with ctypes, too.

See: https://pagure.io/freeipa/issue/6851
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7b1b0b35 by Petr Vobornik at 2018-04-09T07:02:40Z
Fix order of commands in test for removing topology segments

test_topology_updated_on_replica_install_remove from the beginning used an
invalid sequence of commands for removing a replica.

Proper order is:
  master$ ipa server-del $REPLICA
  replica$ ipa-server-install --uninstall

Alternatively, usage of `ipa-replica-manage del $replica` instead of
`ipa server-del $replica` is possible. In essence ipa-replica-manage
calls the server-del command.

At some point there was a plan to achieve uninstallation only through
`ipa-server-install --uninstall` but that was never achieved to this
date.

This change also removes the ugly wrapper which makes test collection
fail if no environment config is provided (i.e. replicas cannot be
indexed).
  $ pytest --collect-test ipatests/test_integration

https://pagure.io/freeipa/issue/6250

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
dc4f28de by Michal Reznik at 2018-04-09T07:06:48Z
test_webui: add user life-cycles tests

Add user life-cycles test cases.

https://pagure.io/freeipa/issue/7463

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
2a6ba687 by Michal Reznik at 2018-04-09T07:06:48Z
test_web_ui: extend ui_driver methods

Add close_all_dialogs(), change assert_last_dialog_details() method
to assert_last_error_dialog() to make it more generic and tweak
add_record() method to skip asserts so we can assert later.

We are also changing assert_record_value() to accept list of values
and adding select_multiple_records().

https://pagure.io/freeipa/issue/7463

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
888d9861 by Christian Heimes at 2018-04-09T09:42:05Z
Require more recent glibc on F27

On CPUs with AVX-512 instruction set, ntpd sometimes segfaults because
PTHREAD_STACK_MIN is too small. The bug has been fixed in
glibc-2.26-24.fc27.x86_64 or later.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1564527
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey at slaykovsky.com>

- - - - -
28acbc6c by Ganna Kaihorodova at 2018-04-09T13:15:47Z
Fix in IPA's multihost fixture

AD related tests, which don't require the full set of AD machines,
were skipped with error msg: Not enough resources configured.

Changed the hard coded number of AD machines to use.

Reviewed-By: Aleksei Slaikovskii <aslaikov at redhat.com>

- - - - -
7b546ffe by Rob Crittenden at 2018-04-09T13:23:41Z
Break out of teardown in test_replica_promotion.py if no config

These tests are all skipped if there is no YAML configuration
file passed but the teardown method is always called and since
there is a reference to the Config object this blows up if just
ipa-run-tests is executed.

Look at the config and break out if no domains are set.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
bfb544ad by Tibor Dudlák at 2018-04-09T15:00:02Z
Removes ntp from dependencies and behaves as if there is always the -N option

Addresses: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
0090a90b by Tibor Dudlák at 2018-04-09T15:00:02Z
Add dependency and paths for chrony

Addresses: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ca9c4d70 by Tibor Dudlák at 2018-04-09T15:00:02Z
Replace ntpd with chronyd in installation

Completely remove ipaserver/install/ntpinstance.py

This is no longer needed as chrony client configuration
is now handled in ipa-client-install.

The part of ipclient/install/client.py related to ntp configuration
has been refactored a bit to not look up SRV records
and/or run chrony if not necessary.

Addresses: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
fb28dfff by Tibor Dudlák at 2018-04-09T15:00:02Z
FreeIPA server is time synchronization client only

This changes the behaviour so that the FreeIPA server is no longer an
ntpd server and the time service is no longer part of the FreeIPA topology.

As the dependency on ntpd was completely removed, and there is only a
dependency on chrony, FreeIPA will configure every host to
become a client of the chronyd service.

FreeIPA has not supported the --ntp-server option; now it must
support client configuration of chrony.

Configuration of chrony is moved to client-install, therefore
NTP related options are now passed to the ipa-client-install
script method sync_time, which now handles configuration of chrony.

Server installation has to configure chrony before handling
certificates, so there is a call to configure chrony outside of
using the server's statestore and filestore.

Removed the behavior that there is always the --no-ntp option set.

Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
194518f1 by Tibor Dudlák at 2018-04-09T15:00:02Z
Add --ntp-pool option to installers

FreeIPA Server and Client now support option for chrony
configuration --ntp-pool.
This option may be used with option --ntp-server.

Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
5d9c749e by Tibor Dudlák at 2018-04-09T15:00:02Z
Adding method to ipa-server-upgrade to cleanup ntpd

Removing ntpd configuration files and entry from LDAP.

Add parameter and rename method for restoring forced time
services. Addressing some requests for change too.

Remove unused path for chrony-helper.

Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
333acf1a by Tibor Dudlák at 2018-04-09T15:00:02Z
Update man pages for FreeIPA client, replica and server install

Addresses: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ece56ea6 by Tibor Dudlák at 2018-04-09T15:00:02Z
Removes NTP server role from servroles and description

Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
dba87a47 by Tibor Dudlák at 2018-04-09T15:00:02Z
Remove NTP server role while upgrading

Remove NTP server role from config.py.
Remove unnecessary variables and replace untrack_file with restore_file.
Fix typo in manpages and messages printed while installing.

Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
74c2b46c by Tibor Dudlák at 2018-04-09T15:00:02Z
Remove unnecessary option --force-chrony

FreeIPA will always force chrony service and disable any
other conflicting time synchronization daemon.
Add --ntp-server option to server manpage and note to NTP pool option.

Addresses: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
878cbaa2 by Tibor Dudlák at 2018-04-09T15:00:02Z
Add enabling chrony daemon when not configured

Moves chrony enablement and sync attempt to new method
so chrony will be enabled even when not configured.

Add logger info about skipping configuration to client's
installation when not on master and -N is used.

Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
e279d891 by Tibor Dudlák at 2018-04-09T15:00:02Z
Configure chrony with pool when server not set

When there was no ntp-server option specified, configuration
of chrony was skipped even in case the ntp-pool option was
passed to the installation of client/server.
Moved duplicate prints from client to server.

Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
395a68d2 by Christian Heimes at 2018-04-10T05:58:52Z
Defer import of ipaclient.csrgen

The modules ipaclient.csrgen and ipaclient.csrgen_ffi are expensive to load,
but rarely used. On demand loading speeds up ipa CLI by about 200ms.

Fixes: https://pagure.io/freeipa/issue/7484
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
9762bd12 by Christian Heimes at 2018-04-10T06:17:20Z
Provide ldap_uri in Custodia uninstaller

Without ldap_uri, IPAKEMKeys parses /etc/ipa/default.conf. During
uninstallation, the file may no longer contain ldap_uri. This workaround
is required for test case
test_replica_promotion.py::TestReplicaPromotionLevel0::test_promotion_disabled

Fixes: https://pagure.io/freeipa/issue/7474
Co-authored-by: Felipe Barreto <fbarreto at redhat.com>
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
8246d0cd by Stanislav Laznicka at 2018-04-10T11:29:46Z
replica-install: pass --ip-address to client install

In replica DL1 installation, the --ip-address option was not passed
down to the ipa-client-install script (when not promoting client).
This resulted in creating DNS records for all of the host's interface
IP addresses instead of just those specified.

This patch passes all the --ip-address options down to the client
installation script.

https://pagure.io/freeipa/issue/7405

Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
69ffce9f by Timo Aaltonen at 2018-04-10T14:40:19Z
hack-tomcat-race.diff: Restarting pki-tomcatd takes time

and renew_ca_cert does that several times in a row, so wait for a minute before starting to
migrate profiles to ldap to make sure the instance is up.

- - - - -
807a5cbe by Christian Heimes at 2018-04-10T15:35:17Z
certdb: Move chdir into subprocess call

According to a comment, certutil may create files in the current working
directory. Rather than changing the cwd of the current process,
FreeIPA's certutil wrapper now changes cwd for the subprocess only.

See: https://pagure.io/freeipa/issue/7416
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
1b320ac3 by Christian Heimes at 2018-04-10T15:35:17Z
Remove os.chdir() from test_ipap11helper

test_ipap11helper no longer changes directory for the entire test suite.
The fix revealed a bug in another test suite. test_secrets now uses a
proper temporary directory.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7bd3bc1a by Timo Aaltonen at 2018-04-10T21:22:37Z
fix-apache-ssl-setup.diff: Fix mod_ssl setup.

- - - - -
6c49e8b5 by Timo Aaltonen at 2018-04-10T21:23:08Z
bump sleep for tomcat to 80s

- - - - -
cc3868a6 by Timo Aaltonen at 2018-04-11T15:42:47Z
hack-duplicate-cert-directive.diff: Delete a duplicate SSLCertificateFile directive until upstream is fixed.

- - - - -
3c24772e by Timo Aaltonen at 2018-04-11T16:49:42Z
fix-apache-ssl-setup.diff: Import NAME

- - - - -
ec898428 by Timo Aaltonen at 2018-04-11T16:50:10Z
server.postinst: Enable default-ssl site.

- - - - -
dd64aa01 by Timo Aaltonen at 2018-04-11T17:22:37Z
fix gentarball target

- - - - -
03962326 by Timo Aaltonen at 2018-04-11T17:22:48Z
Merge branch 'upstream-next' into master-next

- - - - -
19b48c40 by Timo Aaltonen at 2018-04-11T17:38:09Z
mangle the changelog

- - - - -
95dd8098 by Timo Aaltonen at 2018-04-11T17:42:36Z
control: Depend on chrony instead of ntp.

- - - - -
01eeacf5 by Timo Aaltonen at 2018-04-11T17:46:42Z
fix-paths.diff: Add CHRONY_CONF.

- - - - -
f4f785a8 by Timo Aaltonen at 2018-04-11T20:26:00Z
python-ipaserver.install: Updated after dropping NTP.

- - - - -
1afc3509 by Timo Aaltonen at 2018-04-11T20:31:22Z
fix-version.diff: Append +git to prerelease tag, don't require git.

- - - - -
c8cd0083 by Timo Aaltonen at 2018-04-11T20:31:41Z
pydist_overrides: Added.

- - - - -
c725f720 by Timo Aaltonen at 2018-04-11T21:39:56Z
rules: Update clean target.

- - - - -
b7be4cf2 by Christian Heimes at 2018-04-12T07:33:02Z
Fix Python dependencies

Fix typo in dependencies and require release of python-ldap.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
047eb2ff by Timo Aaltonen at 2018-04-12T11:01:47Z
control: Bump depends on bind9.

- - - - -
d01b5962 by Timo Aaltonen at 2018-04-12T11:04:39Z
releasing package freeipa version 4.7.0~pre1+git20180411-1

- - - - -
afc0d4b6 by Christian Heimes at 2018-04-12T18:29:35Z
Add nsds5ReplicaReleaseTimeout to replica config

The nsds5ReplicaReleaseTimeout setting prevents the monopolization of
replicas during initial or busy master-master replication. 389-DS
documentation suggests a timeout of 60 seconds to improve convergence of
replicas.

See: http://directory.fedoraproject.org/docs/389ds/design/repl-conv-design.html
Fixes: https://pagure.io/freeipa/issue/7488
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
5041b13f by Felipe Barreto at 2018-04-13T08:30:51Z
Reverting commit 6b145bf3e696e6d40b74055ccdf8d14da7828a09

Commit 6b145bf3e696e6d40b74055ccdf8d14da7828a09 should not be pushed,
because it was not the intention to add a new test to .freeipa-pr-ci.
This commit reverts its change.

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
91ae1348 by Timo Aaltonen at 2018-04-16T10:07:53Z
fix-bind-ldap-so-path.diff: Dropped, the plugin uses non-MA path now, fix depends to match.

- - - - -
7c8fd563 by Fraser Tweedale at 2018-04-16T10:16:40Z
Fix upgrade (update_replica_config) in single master mode

Commit afc0d4b62d043cd568ce87400f60e8fa8273495f added an upgrade
step that adds an attribute to a replica config entry.  The entry
only exists after a replica has been added, so upgrade was broken
for a standalone server.  Catch and suppress the NotFound error.

Related to: https://pagure.io/freeipa/issue/7488

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
e16ea525 by Alexander Bokovoy at 2018-04-17T06:18:17Z
upgrade: treat duplicate entry when updating as not an error

When we attempt to update an entry during upgrade, it may already
contain the data in question, added between the check and the update. Ignore
the change in this case and record it in the log.

Fixes: https://pagure.io/freeipa/issue/7450
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
1dbc6ded by Alexander Bokovoy at 2018-04-17T06:49:34Z
replication: support error messages from 389-ds 1.3.5 or later

389-ds 1.3.5 changed the error message format for
nsds5ReplicaLastUpdateStatus value. Now it produces
"Error (%d) %s" instead of "%d %s".

Change the check_repl_update() to handle both formats.

Fixes: https://pagure.io/freeipa/issue/7442
Reviewed-By: Christian Heimes <cheimes at redhat.com>
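
Added example (not FreeIPA's check_repl_update): a parser that accepts both nsds5ReplicaLastUpdateStatus formats named above and refuses anything else, plus a helper that lists agreements whose last update failed. The sample status strings are constructed and their message texts are illustrative.

```python
import re

# Constructed sample values of nsds5ReplicaLastUpdateStatus in both
# formats: "%d %s" (before 389-ds 1.3.5) and "Error (%d) %s" (1.3.5+).
# Message texts are illustrative, not copied from 389-ds.
SAMPLE_OLD_OK = "0 Replica acquired successfully: Incremental update succeeded"
SAMPLE_NEW_OK = "Error (0) Replica acquired successfully: Incremental update succeeded"
SAMPLE_OLD_FAIL = "-1 Unable to acquire replica: permission denied"
SAMPLE_NEW_FAIL = "Error (49) Problem connecting to replica - LDAP error: Invalid credentials"

_STATUS_RE = re.compile(
    r"^\s*(?:Error\s*\((?P<new>-?\d+)\)|(?P<old>-?\d+))\s*(?P<msg>.*)$",
    re.DOTALL)


def parse_update_status(status):
    """Return (code, message) from either status format.

    Raises ValueError for a value in neither format, so another format
    change surfaces as an error instead of being reported as success.
    """
    if isinstance(status, bytes):
        status = status.decode("utf-8", "replace")
    m = _STATUS_RE.match(status or "")
    if m is None:
        raise ValueError("unrecognised replication status: %r" % (status,))
    raw = m.group("new") if m.group("new") is not None else m.group("old")
    return int(raw), m.group("msg").strip()


def update_succeeded(status):
    """True only when the status code is 0, whichever format is used."""
    code, _msg = parse_update_status(status)
    return code == 0


def failing_agreements(statuses):
    """Given {agreement name: last update status}, return a sorted list of
    (name, code, message) for agreements whose last update did not succeed.
    Unparseable values are reported with code None so they are not hidden."""
    failures = []
    for name, status in statuses.items():
        try:
            code, msg = parse_update_status(status)
        except ValueError:
            failures.append((name, None, str(status)))
            continue
        if code != 0:
            failures.append((name, code, msg))
    return sorted(failures, key=lambda f: f[0])


if __name__ == "__main__":
    demo = {"meTo-replica1": SAMPLE_OLD_OK, "meTo-replica2": SAMPLE_NEW_FAIL}
    for entry in failing_agreements(demo):
        print("FAILED %s: code=%r %s" % entry)
```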

- - - - -
27ebd78f by Timo Aaltonen at 2018-04-17T07:01:00Z
control: Add python-augeas to python-ipaclient depends. (LP: #1764615)

- - - - -
64ffd117 by Alexander Bokovoy at 2018-04-17T12:28:45Z
install: validate AD trust-related options in installers

We already validate that --setup-dns is specified when any of the
DNS-related options are provided by a user. Do the same for the --setup-adtrust
case.

Fixes: https://pagure.io/freeipa/issue/7410
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
692a9931 by Tibor Dudlák at 2018-04-17T14:25:12Z
Fix format string passed to pytest-multihost

The integration trust test suite failed with an error trying to
start chronyd because of bad formatting of the passed string

See: https://pagure.io/python-pytest-multihost/issue/15
Resolves: https://pagure.io/freeipa/issue/7487
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
b1bcfc73 by Timo Aaltonen at 2018-04-17T16:51:51Z
ldap-multiarch.diff: Replace hack-libarch.diff with a new patch to support more than x86. (LP: #1600634)

- - - - -
fb666595 by Timo Aaltonen at 2018-04-17T20:48:00Z
releasing package freeipa version 4.7.0~pre1+git20180411-2

- - - - -
d4dd2b1c by Ganna Kaihorodova at 2018-04-18T07:31:02Z
Fix for integration tests dns_locations

Delete code related to NTP checks, as we migrated to chronyd and
the IPA server is not an NTP server anymore.

https://pagure.io/freeipa/issue/7499

Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
71f10b49 by Timo Aaltonen at 2018-04-18T14:51:26Z
tests/server-install: Fix the fake domain, single label domains are not supported anymore.

- - - - -
7828a99e by Timo Aaltonen at 2018-04-18T15:53:23Z
tests: If the server install fails, just dump the log and exit successfully.

- - - - -
b43c2f8a by Petr Vobornik at 2018-04-19T10:11:26Z
webui: refresh complex pages after modification

The details facets for user, host, service and user override entities require
a complex reload as they gather information from multiple sources - e.g.
all of them do cert-find. On update only $entity-mod is executed and its
result doesn't have all the information required for a refresh of the page;
therefore some fields are missing or empty.

This patch modifies the facets to do full refresh instead of default
load and thus the pages will have all required info.

https://pagure.io/freeipa/issue/5776

Reviewed-By: Felipe Volpone <felipevolpone at gmail.com>
Reviewed-By: Michal Reznik <mreznik at redhat.com>

- - - - -
105d7d7f by Varun Mylaraiah at 2018-04-19T10:59:09Z
WebUI tests: Extend user group tests with more scenarios

1) Extended webui group automation test with the below scenarios:
   * Add user group with invalid names
   * Add multiple group records in one shot
   * Select and delete multiple records
   * Find and delete records, etc.
2) Improved add_record method to support additional use cases:
   * confirm by additional buttons: 'Add', 'Add and add another', 'Add and Edit', 'Cancel'
   * add multiple records in one call (uses 'Add and add another' behavior)

https://pagure.io/freeipa/issue/7485

Signed-off-by: Varun Mylaraiah <mvarun at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Michal Reznik <mreznik at redhat.com>

- - - - -
1a6e3601 by Varun Mylaraiah at 2018-04-19T10:59:09Z
Fixed improper clean-up in test_host::test_kerberos_flags: added closing the notification in kerberos flags

Signed-off-by: Varun Mylaraiah <mvarun at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Michal Reznik <mreznik at redhat.com>

- - - - -
a7b18372 by Fraser Tweedale at 2018-04-19T12:57:53Z
certprofile: reject config with multiple profileIds

In certprofile-import if the config file contains two profileId
directives with different values, with the first matching the
profile ID CLI argument and the second differing, the profile gets
imported under the second ID.  This leads to:

- failure to enable the profile
- failure to add the IPA "tracking" certprofile object
- inability to delete the misnamed profile from Dogtag (via ipa CLI)

To avert this scenario, detect and reject profile configurations
where profileId is specified multiple times (whether or not the
values differ).

https://pagure.io/freeipa/issue/7503

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
0f859335 by Fraser Tweedale at 2018-04-19T12:57:53Z
certprofile: add tests for config profileId scenarios

Update the certprofile tests to cover the various scenarios
concerning the profileId property in the profile configuration.
The scenarios now explicitly tested are:

- profileId not specified (should succeed)
- mismatched profileId property (should fail)
- multiple profileId properties (should fail)
- one profileId property, matching given ID (should succeed)

https://pagure.io/freeipa/issue/7503

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
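
An added example, not FreeIPA's or Dogtag's own code, of the profileId validation the two certprofile commits above describe: it walks a Java-properties-style profile config, rejects a config in which profileId appears more than once (whether or not the values agree) and rejects a single profileId that disagrees with the ID requested on the command line, while a config without any profileId is accepted. The function names, the exception class and the sample configs are constructed for illustration:

```python
class ProfileIdError(ValueError):
    """Raised when the profileId directives in a profile config are unusable."""


def find_profile_ids(config_text):
    """Return [(line_number, value), ...] for every profileId directive.

    The config is a Java-properties-style "key=value" file; blank lines and
    lines starting with '#' or '!' are comments and are ignored.
    """
    found = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in '#!':
            continue
        key, sep, value = line.partition('=')
        if sep and key.strip() == 'profileId':
            found.append((lineno, value.strip()))
    return found


def check_profile_id(config_text, requested_id):
    """Validate profileId against the ID given on the command line.

    Returns the effective profile ID.  Raises ProfileIdError when profileId
    appears more than once (even with identical values) or when the single
    value disagrees with requested_id.
    """
    ids = find_profile_ids(config_text)
    if len(ids) > 1:
        lines = ', '.join(str(n) for n, _ in ids)
        raise ProfileIdError(
            'profileId specified %d times (lines %s); it may appear at most once'
            % (len(ids), lines))
    if ids and ids[0][1] != requested_id:
        raise ProfileIdError(
            "profileId %r in config does not match requested ID %r"
            % (ids[0][1], requested_id))
    return requested_id


# Constructed sample configs covering the tested scenarios (not real profiles).
_BODY = (
    "classId=caEnrollImpl\n"
    "desc=Example profile (constructed)\n"
    "visible=true\n"
)
SAMPLES = {
    "unspecified": _BODY,
    "matching": "profileId=exampleProfile\n" + _BODY,
    "mismatched": "profileId=otherProfile\n" + _BODY,
    "duplicated": "profileId=exampleProfile\n" + _BODY + "profileId=otherProfile\n",
    "same_twice": "profileId=exampleProfile\n" + _BODY + "profileId=exampleProfile\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        try:
            print(name, "->", check_profile_id(text, "exampleProfile"))
        except ProfileIdError as exc:
            print(name, "-> rejected:", exc)
```

Rejecting even agreeing duplicates is the point: a "last one wins" parser on the receiving side is what lets the second directive silently rename the profile, and a config that needs the parser's precedence rules to be interpreted is not one a CA should accept.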

- - - - -
2de1aa27 by Alexander Bokovoy at 2018-04-19T12:59:45Z
ACL: Allow hosts to remove services they manage

Allow hosts to delete services they own. This is an ACL that complements the
existing one that allows creating services on the same host.

Add a test that creates a host and then attempts to create and delete a
service using its own host keytab.

Fixes: https://pagure.io/freeipa/issue/7486
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
b5bdd07b by Stanislav Laznicka at 2018-04-20T07:43:37Z
Add absolute_import future imports

Add absolute_import from __future__ so that pylint
does not fail and to achieve python3 behavior in
python2.

Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
41352ef9 by Rob Crittenden at 2018-04-20T12:51:37Z
Revert run_pk12util part of 807a5cbe7cc52690336c5095ec6aeeb0a4e8483c

Only certutil creates files in the local directory. Changing the
directory for pk12util breaks ipa-server-certinstall if the
PKCS#12 file is not passed in as an absolute path.

https://pagure.io/freeipa/issue/7489

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey at slaykovsky.com>

- - - - -
138ae4ab by Rob Crittenden at 2018-04-20T12:51:37Z
ipa-server-certinstall failing, unknown option realm

The option realm was being passed in instead of realm_name.

https://pagure.io/freeipa/issue/7489

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey at slaykovsky.com>

- - - - -
3384147c by Rob Crittenden at 2018-04-20T12:51:37Z
Some PKCS#12 errors are reported with full path names

This is related to change in certutil which does a cwd
to the location of the NSS database. certutil is used as part
of loading a PKCS#12 file to do validation.

https://pagure.io/freeipa/issue/7489

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey at slaykovsky.com>

- - - - -
4919bd9d by Rob Crittenden at 2018-04-20T12:51:37Z
Remove xfail from CAless test test_http_intermediate_ca

The full chain is not required by mod_ssl.

https://pagure.io/freeipa/issue/7489

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey at slaykovsky.com>

- - - - -
6c4635e7 by Anuja More at 2018-04-24T09:20:08Z
Adding test-cases for ipa-cacert-manage

File: ipatests/test_integration/test_external_ca.py

Scenario1: Manually renew external CA cert with an invalid file.
           When ipa-server is installed with external-ca
           and renewed with an invalid cert file, the renewal
           should fail.

Scenario2: Install CA cert manually.
           Install ipa-server. Create rootCA; using the
           ipa-cacert-manage install option, install the
           new cert from RootCA.

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
9d73e4a0 by Rob Crittenden at 2018-04-25T06:23:47Z
Allow dot as a valid character in an SELinux identity name

Both of these are legal: unconfined_u and unconfined.u

https://pagure.io/freeipa/issue/7510

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
5165afd5 by Ganna Kaihorodova at 2018-04-25T09:52:32Z
Fix trust tests for Posix Support

The test expects auto-detection of the trust type. Windows Server 2016 doesn't have
support for MFU/NIS (SFU - Services for Unix), so auto-detection doesn't work.
The fix is to pass extra arguments to the trust-add command,
such as --range-type="ipa-ad-trust-posix", to enforce a particular range type.

https://pagure.io/freeipa/issue/7508

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
07be3306 by amitkuma at 2018-04-25T10:06:09Z
RFE: ipa client should setup openldap for GSSAPI

The IPA client installer currently edits /etc/openldap/ldap.conf, setting up
the client to consume LDAP data from IPA.  It currently sets:
URI
BASE
TLS_CACERT

This PR makes ipa-client add this AV pair:
SASL_MECH GSSAPI

Resolves: https://pagure.io/freeipa/issue/7366
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
ad2eb3d0 by Christian Heimes at 2018-04-25T10:14:23Z
CA replica PKCS12 workaround for SQL NSSDB

CA replica installation fails, because 'caSigningCert cert-pki-ca' is
imported a second time under a different name. The issue is caused
by the fact that the SQL NSS DB handles duplicated certificates differently
than the DBM format.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1561730
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
04e1ae7b by Christian Heimes at 2018-04-25T10:14:23Z
Require 389-ds-base >= 1.4.0.8-1

1.4.0.8-1 contains a bug fix for an error in SASL connection handling.

See: https://pagure.io/389-ds-base/issue/49639
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
236fa61e by Christian Heimes at 2018-04-25T11:58:11Z
Create users in server-common pre hook

The ipaapi user was created in the server package but referenced by a
config file in the server-common package. The server-common package can
be installed without the server package. This caused an error

   Unknown user 'ipaapi'

with systemd-tmpfiles --create. The users are now created in the
server-common package.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey at slaykovsky.com>

- - - - -
13b9608d by Christian Heimes at 2018-04-25T12:02:29Z
Add augeas dependency to client package

Commit 5d9c749e830819e0e12bdd9388b6b0c2542cf906 added a dependency on the augeas
Python package, but freeipa.spec was not updated. The python[23]-ipaclient
packages now correctly depend on python[23]-augeas.

Fixes: https://pagure.io/freeipa/issue/7512
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
53f87ee5 by Fraser Tweedale at 2018-04-25T12:41:12Z
py3: fix csrgen error handling

csrgen error handling marshalls an error string from libcrypto.
This is not handled correctly under python3.  Fix the error
handling.

Part of: https://pagure.io/freeipa/issue/7496

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
7633d62d by Fraser Tweedale at 2018-04-25T12:41:12Z
csrgen: support initialising OpenSSL adaptor with key object

As a convenience for using it with the test suite, update the csrgen
OpenSSLAdaptor class to support initialisation with a
python-cryptography key object, rather than reading the key from a
file.

Part of: https://pagure.io/freeipa/issue/7496

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
0ac1d3ea by Fraser Tweedale at 2018-04-25T12:41:12Z
csrgen: drive-by docstring

Part of: https://pagure.io/freeipa/issue/7496

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
852618fd by Fraser Tweedale at 2018-04-25T12:41:12Z
csrgen: fix when attribute shortname is lower case

OpenSSL requires attribute short names ("CN", "O", etc) to be in
upper case, otherwise it fails to add the attribute.  This can be
triggered when FreeIPA has been installed with --subject-base
containing a lower-case attribute shortname (e.g.
--subject-base="o=Red Hat").

Explicitly convert the attribute type string to an OID
(ASN1_OBJECT *).  If that fails, upper-case the type string and try
again.

Add some tests for the required behaviour.

Fixes: https://pagure.io/freeipa/issue/7496
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
9d838210 by Felipe Barreto at 2018-04-25T18:53:58Z
Adding GSSPROXY_CONF to be backed up on ipa-backup

Without GSSPROXY_CONF being backed up, we would get this error
"ipa: ERROR: No valid Negotiate header in server response"
when running any ipa command after a backup restore.

This commit also fixes the tests:
- TestBackupAndRestore::test_full_backup_and_restore
- TestBackupAndRestore::test_full_backup_and_restore_with_selinux_booleans_off

https://pagure.io/freeipa/issue/7473

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
415578a1 by Felipe Barreto at 2018-04-25T18:53:58Z
Fixing TestBackupAndRestore::test_full_backup_and_restore_with_removed_users

The test, as it was, was testing backup and restore based on previous
backups and restores, not on an actual installation.

Now, with a clear setup for each test, the test mentioned above will not
fail to do a lookup (using the host command, in check_dns method) for
the master domain.

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
2d5245ce by Florence Blanc-Renaud at 2018-04-26T06:31:08Z
ipa-advise config-server-for-smart-card-auth: use mod-ssl

ipa-advise config-server-for-smart-card-auth produces a script that
was still using /etc/httpd/conf.d/nss.conf instead of
/etc/httpd/conf.d/ssl.conf for setting the Apache SSLOCSPEnable Directive.

The fix replaces references to nss.conf with ssl.conf.

https://pagure.io/freeipa/issue/7515

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
84e60e5f by Stanislav Laznicka at 2018-04-26T12:30:06Z
Fix typo in ipa-getkeytab --help

Fix the typo in ipa-getkeytab -k option description by
replacing the text with the one from man

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
a17bd6db by Timo Aaltonen at 2018-04-26T15:14:43Z
server.postinst: Fix upgrade from earlier version.

- - - - -
994f71ac by Christian Heimes at 2018-04-26T19:19:53Z
Use single Custodia instance in installers

Installers now pass a single CustodiaInstance object around, instead of
creating new instances on demand. In case of replica promotion with CA,
the instance gets all secrets from a master with CA present. Before, an
installer created multiple instances and may have requested CA key
material from a different machine than DM password hash.

In case of Domain Level 1 and replica promotion, the CustodiaInstance no
longer adds the keys to the local instance and waits for replication to
other replica. Instead the installer directly uploads the new public
keys to the remote 389-DS instance.

Without promotion, new Custodia public keys are still added to local
389-DS over LDAPI.

Fixes: https://pagure.io/freeipa/issue/7518
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>

- - - - -
fc371b65 by Thierry Bordaz at 2018-04-27T08:26:26Z
Hardening of topology plugin to prevent erroneous deletion of a replica agreement

When a segment is deleted, the underlying replica agreement is also deleted.
An exception to this is if the status of the deleted segment is "obsolete" (i.e. merged segments).
The status should contain only one value, but to be protected against potential
bugs (like https://pagure.io/389-ds-base/issue/49619) this fix checks whether
"obsolete" is among the status values.

https://pagure.io/freeipa/issue/7461

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
1df1786b by Florence Blanc-Renaud at 2018-04-27T12:01:33Z
Migration from authconfig to authselect

The authconfig tool is deprecated and replaced by authselect. Migrate
FreeIPA in order to use the new tool as described in the design page
https://www.freeipa.org/page/V4/Authselect_migration

Fixes:
https://pagure.io/freeipa/issue/7377

Reviewed-By: Alexander Koksharov <akokshar at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
c36bd383 by Florence Blanc-Renaud at 2018-04-27T12:01:33Z
New tests for authselect migration

Add new test for client and server installation when authselect tool
is used instead of authconfig

Related to
https://pagure.io/freeipa/issue/7377

Reviewed-By: Alexander Koksharov <akokshar at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
e4424645 by Florence Blanc-Renaud at 2018-04-27T12:01:33Z
Revert commit d705320ec136abc2fcf524f2b63a76d3fc0ba97a

Commit d705320 was temporarily disabling authconfig backup and restore
because of issue 7478.
With the migration to authselect this is not needed any more

Related to
https://pagure.io/freeipa/issue/7377

Reviewed-By: Alexander Koksharov <akokshar at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
8fe5f8d2 by Florence Blanc-Renaud at 2018-04-27T12:01:33Z
ipa-advise: adapt config-client-for-smart-card-auth to authselect

ipa-advise config-client-for-smart-card-auth was producing a shell script
calling authconfig.
With the migration from authconfig to authselect, the script needs to
be updated and call authselect enable-feature with-smartcard instead.

Related to
https://pagure.io/freeipa/issue/7377

Reviewed-By: Alexander Koksharov <akokshar at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
00a8d00e by Varun Mylaraiah at 2018-04-27T12:08:04Z
WebUI tests: Extend netgroup tests with more scenarios

Extended webui group automation test with the below scenarios:
 * add netgroup with invalid names
 * add and delete records in various scenarios
 * verify buttons' actions in various scenarios

https://pagure.io/freeipa/issue/7505

Signed-off-by: Varun Mylaraiah <mvarun at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Michal Reznik <mreznik at redhat.com>

- - - - -
e16a76ad by Michal Reznik at 2018-04-27T12:19:59Z
ui_tests: extend test_user suite

Extend WebUI test_user suite with the following test cases:

test_add_user_special
test_user_misc
test_ssh_keys
test_add_delete_undo_reset
test_disable_delete_admin
test_login_without_username

https://pagure.io/freeipa/issue/7507

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Varun Mylaraiah <mvarun at redhat.com>

- - - - -
e43cfaeb by Michal Reznik at 2018-04-27T12:19:59Z
ui_driver: extension and modifications related to test_user

In this patch we tune login() in order to test login without
username.

Then we add edit_multivalued and undo_multivalued to test "undo"
and "reset" buttons.

Also there is a new boolean "negative" in mod_record() to switch
button assertion.

Later ssh_key methods were fine-tuned a little to add more keys,
delete all of them and to extend their usage to hosts and id views.

Lastly new method assert_value_checked() was introduced to assert
whether a particular record is checked.

https://pagure.io/freeipa/issue/7507

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Varun Mylaraiah <mvarun at redhat.com>

- - - - -
61dc15e5 by Michal Reznik at 2018-04-27T12:19:59Z
ui_tests: introduce new test_misc cases file

By this commit we introduce new test_misc cases file to
test various miscellaneous cases that do not fit to other suites.

In this case, that "version" is present in the profile's "about".

https://pagure.io/freeipa/issue/7507

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Varun Mylaraiah <mvarun at redhat.com>

- - - - -
51b9a82f by Anuja More at 2018-04-27T16:06:36Z
Adding test-cases for ipa-cacert-manage

Scenario1: Setup external CA1 and install ipa-server with CA1.
           Setup external CA2 and renew ipa-server with CA2.
           Get information to compare the CA change for CA1 and CA2;
           it should show a different Issuer between install
           and renewal.

Scenario2: Renew CA Cert on Replica using ipa-cacert-manage;
           verify that replica is caRenewalMaster.

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Michal Reznik <mreznik at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
2d6d768d by Alexander Bokovoy at 2018-04-28T06:44:25Z
idoverrideuser-add: allow adding ssh key in web ui

The CLI already allows passing a public SSH key when creating an ID override
for a user. The Web UI allows adding public SSH keys after the ID override
was created.

Add SSH key field to allow passing public SSH key in one go when
creating an ID override for a user.

Fixes: https://pagure.io/freeipa/issue/7519
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
3d30cf60 by Rob Crittenden at 2018-04-28T07:06:21Z
Update project metadata in ipasetup.py.in

Point mailing list to lists.fedorahosted.org
Use HTTPS for all URLs
Drop Solaris and Unix from platforms

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
6856a9f4 by Rob Crittenden at 2018-04-28T07:07:28Z
Log service start/stop/restart message

It wasn't apparent in the logs if a service stop or restart
was complete so in the case of a hang it wasn't obvious which
service was responsible. Including start here for completeness.

https://pagure.io/freeipa/issue/7436

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
792adebf by Robbie Harwood at 2018-04-28T14:35:16Z
Enable SPAKE support using krb5.conf.d snippet

Because krb5 silently ignores unrecognized options, this is safe on
all versions.  It lands upstream in krb5-1.17; in Fedora, it was added
in krb5-1.6-17.

Upstream documentation can be found in-tree at
https://github.com/krb5/krb5/blob/master/doc/admin/spake.rst

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
73c3495d by Christian Heimes at 2018-04-28T14:35:16Z
Use shutil to copy file

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
d5e5bd50 by Stanislav Laznicka at 2018-04-30T09:04:35Z
Add absolute_import to test_authselect

This is to keep backward compatibility with Python 2

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
3c66e388 by Christian Heimes at 2018-04-30T12:13:40Z
Compatibility with pytest 3.4

The nose_compat plugin uses internal pytest APIs to suspend and resume
the capture manager. In pytest 3.4, the internal APIs have changed and a
public API was added.

The fix is required to run integration tests under Fedora 28.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a4418963 by Christian Heimes at 2018-04-30T17:39:52Z
Remove contrib/nssciphersuite

The directory contained a script to generate mod_nss configuration
snippet. Since FreeIPA moved to mod_ssl, it is no longer of use.

Fixes: https://pagure.io/freeipa/issue/5673
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
c925b44f by Christian Heimes at 2018-04-30T18:42:00Z
Load certificate files as binary data

In Python 3, cryptography requires certificate data to be binary. Even
PEM encoded files are treated as binary content.

certmap-match and cert-find were loading certificates as text files. A
new BinaryFile type loads files as binary content.

Fixes: https://pagure.io/freeipa/issue/7520
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
6659392a by Fraser Tweedale at 2018-05-02T09:15:49Z
install: fix reported external CA configuration

The installer reports the CA configuration that will be used,
including whether the CA is self-signed or externally-signed.

Installation with external CA takes two steps. The first step
correctly reports the externally signed configuration (like the
above), but the second step reports a self-signed configuration.

The CA *is* externally signed, but the configuration gets reported
incorrectly at step 2.  This could confuse the administrator.  Fix
the message.

Fixes: https://pagure.io/freeipa/issue/7523
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
0653d2a1 by Rob Crittenden at 2018-05-02T09:18:04Z
Validate the Directory Manager password before starting restore

The password was only indirectly validated when trying to
disable replication agreements for the restoration.

https://pagure.io/freeipa/issue/7136

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
ae6c8d2c by Rob Crittenden at 2018-05-02T12:12:11Z
Handle whitespace, add separator to regex in set_directive_lines

We added the separator to the regex in set_directive_lines to avoid
grabbing just a prefix. This doesn't allow for whitespace around
the separator.

For the Apache case we expected that the separator would be just
spaces but it can also use tabs (like Ubuntu 18). Add a special
case so that passing in a space separator is treated as whitespace
(tab or space).

https://pagure.io/freeipa/issue/7490

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
e16e5cd0 by Rob Crittenden at 2018-05-02T12:12:11Z
Use a regex in installutils.get_directive instead of line splitting

This will allow for whitespace around the separator and changes the
default space separator into white space (space + tabs) to be more
generic and work better on Ubuntu which uses tabs in its Apache
configuration.

https://pagure.io/freeipa/issue/7490

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
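
An added example, not the installutils code the two commits above change, of directive lookup and replacement that tolerates tabs and blanks around the separator: a plain space separator is treated as "any run of spaces or tabs", any other separator is matched literally with optional blanks on each side, and the separator is anchored right after the directive name so that a longer directive sharing the same prefix is not mistaken for it. The function names and the sample configuration lines are constructed for illustration:

```python
import re


def _separator_re(separator):
    """Regex fragment for the separator between directive and value.

    A single space means "any run of spaces or tabs", because Apache configs
    on some distributions (Ubuntu, for instance) use tabs.  Any other
    separator (e.g. '=' or ':') is matched literally, with optional blanks
    on either side.
    """
    if separator == ' ':
        return r'[ \t]+'
    return r'[ \t]*' + re.escape(separator) + r'[ \t]*'


def _directive_re(directive, separator):
    # Requiring the separator immediately after the name avoids matching a
    # longer directive that merely starts with the same prefix (SSLEngine
    # versus SSLEngineOptions, say).
    return re.compile(r'^[ \t]*' + re.escape(directive) + _separator_re(separator))


def get_directive(lines, directive, separator=' '):
    """Return the value of the first line setting `directive`, or None."""
    pattern = _directive_re(directive, separator)
    for line in lines:
        match = pattern.match(line)
        if match:
            return line[match.end():].strip()
    return None


def set_directive_lines(lines, directive, value, separator=' '):
    """Return a copy of `lines` with `directive` set to `value`.

    The first matching line is rewritten and the rest are kept as they are;
    if no line matches, the directive is appended at the end.
    """
    pattern = _directive_re(directive, separator)
    new_line = directive + separator + value
    result = list(lines)
    for index, line in enumerate(result):
        if pattern.match(line):
            result[index] = new_line
            return result
    result.append(new_line)
    return result


# Constructed Apache-style lines mixing spaces and tabs (not a real ssl.conf).
SAMPLE_SSL_CONF = [
    "SSLEngine\ton",
    "SSLEngineOptions  +StrictRequire",
    "# SSLCertificateFile /old/path.crt",
    "\tSSLCertificateFile\t /etc/pki/tls/certs/httpd.crt",
    "SSLProtocol all -SSLv3",
]

if __name__ == "__main__":
    print(get_directive(SAMPLE_SSL_CONF, "SSLEngine"))
    for line in set_directive_lines(SAMPLE_SSL_CONF, "SSLProtocol", "all -SSLv2 -SSLv3"):
        print(line)
```

The prefix problem is the security-relevant part: a lookup that splits on a bare space would read "SSLEngineOptions" as the value of SSLEngine and could report TLS as configured when it is not, which is why the separator belongs inside the anchored pattern rather than being applied after the fact.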

- - - - -
5929d5d8 by Tibor Dudlák at 2018-05-02T20:44:54Z
Use temporary pid file for chronyd -q task

chrony is causing an SELinux denial because chronyd
was not spawned using systemd and the command creates
a pidfile for an unconfined process in /var/run with the SELinux label:
unconfined_u:object_r:var_run_t:s0
Following chronyd daemon enablement with systemd will fail
due to mismatched SELinux labels on the chronyd pidfile.
The chronyd pidfile should be labeled with the following label:
system_u:object_r:chronyd_var_run_t:s0
This also changes bindcmdaddress to not touch /var/run/chrony.

Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
606af69b by Christian Heimes at 2018-05-03T06:36:51Z
Make ipatests' create_external_ca a script

The test helper create_external_ca is useful to create an external root
CA and sign ipa.csr for external CA testing. I also moved the file into
ipatests top package to make the import shorter and to avoid an import
warning.

Usage:

   ipa-server-install --external-ca ...
   python3 -m ipatests.create_external_ca
   ipa-server-install --external-cert-file=/tmp/rootca.pem \
       --external-cert-file=/tmp/ipaca.pem

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
ce3819c3 by Robbie Harwood at 2018-05-03T08:18:29Z
Move krb5 snippet into freeipa-client-common

Also move /usr/share/ipa into freeipa-common by necessity.

https://pagure.io/freeipa/issue/7524

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
1c1089c4 by Christian Heimes at 2018-05-03T12:25:36Z
ipa-client package needs sssd-tool

Commit ccec8c6c4193a204428b7ba0f93dac6f0eb26020 added a call to sssctl but
the providing package sssd-tools was not added to the ipa-client package.
The tool is not needed to build packages.

See: https://pagure.io/freeipa/issue/7376
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
63a5feb1 by Florence Blanc-Renaud at 2018-05-03T14:39:58Z
authselect test: skip test if authselect is not available

Currently, the test is skipped if the platform is fedora-like. The
decision to skip should rather be based on authselect command
availability (i.e. when ipaplatform.paths.paths.AUTHSELECT is None).

Related to
https://pagure.io/freeipa/issue/7377

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
aa64ef03 by Florence Blanc-Renaud at 2018-05-03T14:39:58Z
authselect migration: use stable interface to query current config

The code currently parses the output of "authselect current" in order
to extract the current profile and options. Example:
$ authselect current
Profile ID: sssd
Enabled features:
- with-mkhomedir

It is easier to use the output of "authselect current --raw". Example:
$ authselect current --raw
sssd with-mkhomedir

Related to
https://pagure.io/freeipa/issue/7377

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
1adc941d by Alexander Bokovoy at 2018-05-03T14:44:57Z
group-del: add a warning to logs when password policy could not be removed

When a user with sufficient permissions creates a group using ipa
group-add and then deletes it again with group-del ipa gives an
Insufficient access error, but still deletes the group.

This is due to a need to remove an associated password policy for the
group. However, a password policy might be inaccessible to the user
(created by a more powerful admin) and there is no way to check that it
exists with current privileges other than trying to remove it.

Seeing Python exceptions in the Apache log without explanation is
confusing to many users, so add a warning message that explains what
happens here.

Fixes: https://pagure.io/freeipa/issue/6884
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
648d7c0d by Rob Crittenden at 2018-05-03T15:34:45Z
Disable message about log in ipa-backup if IPA is not configured

Introduce server installation constants similar to the client
but only tie in SERVER_NOT_CONFIGURED right now.

For the case of not configured don't spit out the "See <some log>
for more information" because no logging was actually done.

In the case of ipa-backup this could also be confusing if the
--log-file option was also passed in because it would not be
used.

https://pagure.io/freeipa/issue/6843

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
880d9b41 by Christian Heimes at 2018-05-04T10:03:43Z
Require nss with fix for nickname bug

nss 3.36.1-1.1 addresses a bug in the shared SQL database layer. Nicknames
of certificates are no longer changed when a certificate is imported
multiple times under a different name.

Partly revert commit ad2eb3d09b8336008d7f04c3d134c707530d9eb6 with fix
for https://pagure.io/freeipa/issue/7498. The root cause for the bug has
been addressed by the NSS release.

See: https://pagure.io/freeipa/issue/7516
See: https://pagure.io/freeipa/issue/7498
See: https://bugzilla.redhat.com/show_bug.cgi?id=1568271
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
573f1322 by Rob Crittenden at 2018-05-04T19:08:47Z
Fix certificate retrieval in ipa-replica-prepare for DL0

The NSSDatabase object doesn't know the format of an NSS database
until the database is created, so an explicit call to nssdb.create_db is needed.

https://pagure.io/freeipa/issue/7469

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
c17ba11c by Christian Heimes at 2018-05-07T14:21:10Z
Require Dogtag 10.6.1

Dogtag 10.6.1 contains fixes for external CA support.

See: http://pagure.io/dogtagpki/issue/3005
See: http://pagure.io/dogtagpki/issue/3007
See: http://pagure.io/dogtagpki/issue/3008
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1573094
Fixes: https://pagure.io/freeipa/issue/7516
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
5e4da703 by Christian Heimes at 2018-05-07T14:21:10Z
Only run subset of external CA tests

All tests are taking over an hour to execute, which is too long for
PR-CI.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
49b4a057 by Christian Heimes at 2018-05-07T14:22:10Z
Create missing /etc/httpd/alias for ipasession.key

The directory /etc/httpd/alias was created by mod_nss. Since FreeIPA no
longer depends on mod_nss, the directory is no longer created on fresh
systems.

Note: At first I wanted to move the file to /var/lib/ipa/private/ or
/var/lib/httpd/. SELinux prevents write of httpd_t to ipa_var_lib_t. I'm
going to move the file after a new SELinux policy is available.

See: https://pagure.io/freeipa/issue/7529
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
2a58fe6a by Christian Heimes at 2018-05-07T14:23:04Z
Revert "Validate the Directory Manager password"

This reverts commit 0653d2a17e67a32c9adcca8145afa231f228b855. The commit
broke full ipa-restore.

See: https://pagure.io/freeipa/issue/7469
See: https://pagure.io/freeipa/issue/7535
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
9e8fb94e by Alexander Bokovoy at 2018-05-08T20:39:22Z
service: allow creating services without a host to manage them

Add --skip-host-check option to ipa service-add command to allow
creating services without a corresponding host object. This is needed to
cover use cases where Kerberos services are created to handle client
authentication in a dynamically generated environment like Kubernetes.

Fixes: https://pagure.io/freeipa/issue/7514
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
e6428657 by Alexander Bokovoy at 2018-05-08T20:39:22Z
group: allow services as members of groups

Allow services to be members of the groups, like users and other groups
can already be.

This is required for use cases where such services aren't associated
with a particular host (and thus, the host object cannot be used to
retrieve the keytabs) but represent purely client Kerberos principals to
use in a dynamically generated environment such as Kubernetes.

Fixes: https://pagure.io/freeipa/issue/7513
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
392f44a3 by Stanislav Laznicka at 2018-05-10T08:03:02Z
mod_ssl: add SSLVerifyDepth for external CA installs

mod_ssl's limiting of client cert verification depth was causing
the replica installs to fail when master had been installed with
external CA since the SSLCACertificateFile was pointing to a file
with more than one certificate. This is caused by the default
SSLVerifyDepth value of 1. We set it to 5 as that should be
just about enough even for possible sub-CAs.

https://pagure.io/freeipa/issue/7530

Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a885f07d by Stanislav Laznicka at 2018-05-10T08:05:22Z
Allow user administrator to change user homedir

https://pagure.io/freeipa/issue/7427

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
8a8b641c by Felipe Barreto at 2018-05-10T19:52:42Z
Fixing TestCASpecificRUVs::test_replica_uninstall_deletes_ruvs

This test will set up a master and a replica, uninstall the replica and check
for the replica RUVs on the master. It was missing the step of running
ipa-replica-manage del <replica hostname> to properly remove the RUVs.

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
23c23a3c by Felipe Barreto at 2018-05-10T19:52:42Z
Fixing tests on TestReplicaManageDel

This commit fixes the tests on class TestReplicaManageDel:
- test_replica_managed_del_domlevel1
- test_clean_dangling_ruv_multi_ca
- test_replica_managed_del_domlevel0

Given that domain level 0 does not have autodiscovery, we need to
configure /etc/resolv.conf with the master data (search <domain> and
nameserver <master_ip>) in order for ipa-replica-install to succeed.

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ef3f0851 by Michal Reznik at 2018-05-15T10:56:03Z
ui_tests: checkbox click fix

We check a box by clicking on its label by default; however, sometimes
when a label is too short (1-2 letters) we hit an issue
where the checkbox obscures the label.

https://pagure.io/freeipa/issue/7547

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
897f1cda by Michal Reznik at 2018-05-15T10:57:26Z
ui_tests: improve "field_validation" method

Often when trying to check e.g. a required field we pass the
method another element as parent in order to narrow down the scope
for validation. This way we can just pass the "field" name to make the
process easier.

https://pagure.io/freeipa/issue/7546

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
8328a555 by Rob Crittenden at 2018-05-15T18:13:35Z
Update 4.7 translations

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7c5ee4e8 by Petr Vobornik at 2018-05-15T18:15:34Z
server-del do not return early if CA renewal master cannot be changed

Early return prevented adding last warning message in the method:
   "Ignoring these warnings and proceeding with removal"

And thus `check_master_removal` in `test_server_del` did not work.

https://pagure.io/freeipa/issue/7517

Signed-off-by: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
60e992ca by Petr Vobornik at 2018-05-15T18:15:34Z
Fix test_server_del::TestLastServices

The reason why the test started to fail is probably commit be3ad1e where the checks
were reordered. TestLastServices relies on execution of tests in a specific order.
So it fails given that checks were changed but tests weren't.

Given that master is installed with DNS and CA and replica with anything and given
that checks in server-del command are in order: DNS, DNSSec, CA, KRA then the test
should be something like:
* install master (with DNS, CA)
* install replica
* test test_removal_of_master_raises_error_about_last_dns
* test_install_dns_on_replica1_and_dnssec_on_master (installing DNS and
  DNSSec will allow DNSSec check)
* test_removal_of_master_raises_error_about_dnssec
* test_disable_dnssec_on_master (will allow CA check)
* test_removal_of_master_raises_error_about_last_ca
* test_forced_removal_of_master

https://pagure.io/freeipa/issue/7517

Signed-off-by: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
021b2f6e by Rob Crittenden at 2018-05-15T18:56:52Z
Become IPA 4.6.90.pre2

- - - - -
230760ff by Rob Crittenden at 2018-05-15T19:35:26Z
VERSION.m4: Set back to git snapshot

- - - - -
a0e846f5 by Rob Crittenden at 2018-05-16T15:32:29Z
Return unique error when automount is already or not configured

Use identical return codes as ipa-client-install when uninstalling
ipa-client-automount and it is not configured, or when calling
it again, to return that it is already configured.

https://pagure.io/freeipa/issue/7396

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
a0eaa742 by Rob Crittenden at 2018-05-16T15:32:29Z
Client install should handle automount unconfigured on uninstall

ipa-client-automount now returns CLIENT_NOT_CONFIGURED when it is
not configured. Handle this in uninstall().

https://pagure.io/freeipa/issue/7396

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
c61151f6 by Alexander Bokovoy at 2018-05-17T20:55:42Z
pylint3: workaround false positives reported for W1662

Pylint3 falsely reports warning W1662: using a variable that was bound
inside a comprehension for the cases where the same name is reused for a
loop after the comprehension in question.

Rename the variable in a loop to avoid it.

If the code looks like the following:

  arr = [f for f in filters if callable(f)]
  for f in arr:
      result = result + f()

pylint3 would consider 'f' used outside of comprehension. Clearly, this
is a false-positive warning as the second 'f' use is completely
independent of the comprehension's use of 'f'.

Reviewed-By: Aleksei Slaikovskii <aslaikov at redhat.com>

- - - - -
b82af698 by Aleksei Slaikovskii at 2018-05-17T22:36:33Z
Radius proxy multiservers fix

Now the radius proxy plugin allows adding more than one radius server
into the radius proxy, but only the first one from the LDAP response is
parsed (you can see ./daemons/ipa-optd/parse.c).

So this kind of behaviour is a bug, as it was determined on IRC.

This patch removes the possibility to add more than one radius server
into the radius proxy.

Pagure: https://pagure.io/freeipa/issue/7542
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Koksharov <akokshar at redhat.com>

- - - - -
8d508b8e by Michal Reznik at 2018-05-18T10:17:54Z
ui_tests: extend test_selinuxusermap.py suite

Extend test_selinuxusermap.py suite with new test cases. Details in
the ticket.

We also modify "add_table_associations" to handle "cancel" and
"negative" in the way other methods work.

Lastly, we start using dialog_btn=None to test keyboard confirmation
as we did use it incorrectly with "Negative=True" where it was already
confirmed by "click".

Added tests:

addselinuxusermap_MLS_singlelevel
addselinuxusermap_cancel
addselinuxusermap_disabledhbacrule
addselinuxusermap_MLS_range
addselinuxusermap_MCS_range
addselinuxusermap_MCS_commas
addselinuxusermap_MLS_singlevalue
addselinuxusermap_multiple
addandeditselinuxusermap
selinuxusermap_undo
selinuxusermap_refresh
selinuxusermap_reset
selinuxusermap_update
selinuxusermap_backlink_cancel
selinuxusermap_backlink_reset
selinuxusermap_backlink_update
selinuxusermap_deletemultiple
add_user_selinuxusermap_cancel
add_host_selinuxusermap_cancel
add_hostgroup_selinuxusermap_cancel
selinuxusermap_requiredfield
selinuxusermap_duplicate
selinuxusermap_nonexistinguser
selinuxusermap_invalidusersyntaxMCS
selinuxusermap_invalidusersyntaxMLS
add_usernegative_selinuxusermap
selinuxusermap_addNegativeHBACrule
selinuxusermap_search
selinuxusermap_searchnegative
selinuxusermap_disablemultiple
selinuxusermap_enablemultiple
selinuxusermap_deleteNegativeHBACrule
add_selinuxusermap_adder_dialog_bug910463
delete_selinuxusermap_deleter_dialog_bug910463

https://pagure.io/freeipa/issue/7544

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
0959c476 by Michal Reznik at 2018-05-18T10:17:54Z
ui_tests: add click_undo_button() func

Add click_undo_button() function to simplify clicking on a
particular field's undo button(s).

https://pagure.io/freeipa/issue/7544

Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
3508227f by Varun Mylaraiah at 2018-05-18T11:23:00Z
Extend WebUI test_krbpolicy suite with the following test cases:
  test_verifying_button (verify button's action in various scenarios)
  test_negative_value (verify invalid values)
  test_verifying_measurement_unit

https://pagure.io/freeipa/issue/7540

Signed-off-by: Varun Mylaraiah <mvarun at redhat.com>
Reviewed-By: Michal Reznik <mreznik at redhat.com>

- - - - -
3c9810e9 by Petr Čech at 2018-05-18T14:39:18Z
webui:tests: Add tests for realmd domains

This patch expands WebUI testing on realmd domains
page. The added tests are:
  test_add_single_labeled_domain
  test_dnszone_del_hooked_to_realmdomains_mod
  test_dns_reversezone_add_hooked_to_realmdomains_mod
  test_dnszone_add_hooked_to_realmdomains_mod
  test_del_domain_of_ipa_server_bug1035286
  test_add_non_dns_configured_domain_positive
  test_add_non_dns_configured_domain_negative
  test_del_domain_with_force_update
  test_del_domain_and_update
  test_del_domain_and_refresh
  test_del_domain_revert
  test_del_domain_undo_all
  test_del_domain_undo
  test_add_domain_and_update
  test_add_domain_with_trailing_space
  test_add_domain_with_leading_space
  test_add_empty_domain
  test_add_duplicate_domaini
  test_add_domain_and_revert
  test_add_domain_and_refresh
  test_add_domain_and_undo_all
  test_add_domain_and_undo
  test_add_domain_with_special_char

Reviewed-By: Felipe Volpone <felipevolpone at gmail.com>
Reviewed-By: Varun Mylaraiah <mvarun at redhat.com>

- - - - -
ad2ecbee by Timo Aaltonen at 2018-05-20T08:01:06Z
Merge branch 'upstream-next' into master-next

- - - - -
a275d7ba by Timo Aaltonen at 2018-05-20T08:01:35Z
bump the version

- - - - -
20cf1848 by Timo Aaltonen at 2018-05-20T14:20:18Z
fix server postinst version check

- - - - -
c08e1a2d by Timo Aaltonen at 2018-05-21T07:00:55Z
drop obsolete patches

- - - - -
d4f2f53e by amitkumar50 at 2018-05-21T18:32:38Z
ipa-advise: remove plugin config-fedora-authconfig

ipa-advise config-fedora-authconfig produces a script with authconfig
instructions for configuring Fedora 18/19 client with IPA server
without use of SSSD. Fedora 18 and 19 are not supported any more,
so the plugin could be removed.

Resolves: https://pagure.io/freeipa/issue/7533
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
75e86f2f by Christian Heimes at 2018-05-22T06:39:33Z
Run PR-CI with Fedora 28

Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
e06c7566 by amitkumar50 at 2018-05-22T15:03:06Z
ipa vault-archive overwrites an existing value without warning

An upstream ticket was raised for issuing a warning message
whenever data in an ipa vault is overwritten.

In Bugzilla (1339129) it was agreed that the current behavior is consistent
with other IPA commands. None of the ipa mod commands ask for confirmation
and therefore it should be the same here.
But it should be documented in ipa help vault that a vault can contain only one value.

This PR addresses the changes agreed in Bugzilla.

Resolves: https://pagure.io/freeipa/issue/5922
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
b650aaa8 by Timo Aaltonen at 2018-05-22T19:05:06Z
Create-kadm5.acl-if-it-doesn-t-exist.diff: Fix kadmind startup issue if kadm5.acl doesn't exist. (LP: #1772447)

- - - - -
2004a807 by Timo Aaltonen at 2018-05-23T16:11:14Z
fix-fontawesome-path.diff: Fix the path to font-awesome. (LP: #1772921)

- - - - -
c5a3a823 by Timo Aaltonen at 2018-05-23T16:24:49Z
fix-krb5kdc-cert-path.diff: Apache can't access KDC certs, move them to /var/lib/ipa/certs. (LP: #1772447)

- - - - -
d6513447 by Timo Aaltonen at 2018-05-23T16:39:36Z
ipa-httpd-pwdreader-force-fqdn.diff: Make sure HOSTNAME is a FQDN. (LP: #1769485)

- - - - -
8e303cfb by Timo Aaltonen at 2018-05-23T17:02:01Z
refresh patches

- - - - -
68b3fb58 by Timo Aaltonen at 2018-05-23T19:58:44Z
fix fontawesome patch

- - - - -
952b45a3 by Stanislav Laznicka at 2018-05-24T07:54:26Z
Travis: ignore 'line break after binary operator'

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
a6f5ee5b by Timo Aaltonen at 2018-05-24T19:16:49Z
dont-allow-compressed-certs.diff

mod_deflate is enabled by default on Debian, but the current apache config doesn't know how to uncompress the received cert data so disallow gzip content for now. (LP: #1772450)

- - - - -
1e5c3d7c by Christian Heimes at 2018-05-25T14:26:14Z
Reproducer for issue 5923 (bytes in error response)

Error response used to contain bytes instead of text, which triggered an
exception.

See: https://pagure.io/freeipa/issue/5923
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
59ea5800 by Christian Heimes at 2018-05-25T18:44:01Z
Require python-ldap >= 3.1.0

python-ldap 3.1.0 fixes a segfault caused by a reference counting bug.

See: https://pagure.io/freeipa/issue/7324
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
dbc37884 by Christian Heimes at 2018-05-27T14:05:50Z
Use GnuPG 2 for symmetric encryption

The /usr/bin/gpg command is the old, legacy GnuPG 1.4 version. The
recommended version is GnuPG 2 provided by /usr/bin/gpg2. For simple
symmetric encryption, gpg2 is a drop-in replacement for gpg.

Fixes: https://pagure.io/freeipa/issue/7560
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
8e165480 by Christian Heimes at 2018-05-27T14:05:50Z
Use GnuPG 2 for backup/restore

ipa-backup and ipa-restore now use GnuPG 2 for asymmetric encryption, too.
The gpg2 command behaves a bit differently and requires a gpg2 compatible
config directory. Therefore the --keyring option has been deprecated.

The backup and restore tools now use root's GPG keyring by default.
A custom configuration and keyring can be used by setting the GNUPGHOME
environment variable.

Fixes: https://pagure.io/freeipa/issue/7560
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
45d776a7 by Rob Crittenden at 2018-05-27T14:08:21Z
Don't try to set Kerberos extradata when there is no principal

This was causing ns-slapd to segfault in the password plugin.

https://pagure.io/freeipa/issue/7561

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7c5ecb8d by Rob Crittenden at 2018-05-27T14:08:21Z
Rename test class for testing simple commands, add test

The consensus in the review was that the name test_commands was
more generic than test_ipa_cli.

Add a test to change the password for sysaccount users using
ldappasswd to confirm that a segfault fix does not regress.

https://pagure.io/freeipa/issue/7561

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
af99032d by Florence Blanc-Renaud at 2018-05-28T19:25:47Z
ipa-server-install: publish complete cert chain in /usr/share/ipa/html/ca.crt

When IPA is installed with an externally signed CA, the master installer
does not publish the whole cert chain in /usr/share/ipa/html/ca.crt (but
/etc/ipa/ca.crt contains the full chain).

If a client is installed with a One-Time Password and without the
--ca-cert-file option, the client installer downloads the cert chain
from http://master.example.com/ipa/config/ca.crt, which is in fact
/usr/share/ipa/html/ca.crt. The client installation then fails.
Note that when the client is installed by providing admin/password,
installation succeeds because the cert chain is read from the LDAP server.

https://pagure.io/freeipa/issue/7526

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
1d70ce85 by Florence Blanc-Renaud at 2018-05-28T19:25:47Z
Test for 7526

Add a test for issue 7526: install a client with a bulk enrollment
password, enrolling to an externally-signed CA master.
Without the fix, the master does not publish the whole cert chain
in /usr/share/ipa/html/ca.crt. As the client installer downloads the
cert from this location, client installation fails.
With the fix, the whole cert chain is available and client installation
succeeds.
The test_external_ca.py::TestExternalCA now requires 1 replica and 1
client, updated .freeipa-pr-ci.yaml accordingly.

Also removed the annotation @tasks.collect_logs from test_external_ca
as it messes with test ordering (and the test collects logs even
without this annotation).

Related to:
https://pagure.io/freeipa/issue/7526

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
9b8bb85e by Christian Heimes at 2018-05-29T06:51:10Z
Add test case for allow-create-keytab

A ref counting bug in python-ldap caused the create and retrieve keytab
feature to fail. Additional tests verify that the
ipaallowedtoperform;write_keys attribute is handled correctly.

See: https://pagure.io/freeipa/issue/7324
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9a9c8ced by Christian Heimes at 2018-05-29T13:30:37Z
Use sane default settings for ldap connections

LDAP connections no longer depend on sane settings in global ldap.conf
and use good default settings for cert validation, CA, and SASL canonization.

https://pagure.io/freeipa/issue/7418

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
829998b1 by Christian Heimes at 2018-05-29T13:30:37Z
Apply sane LDAP settings to C code

Common LDAP code from ipa-getkeytab and ipa-join is moved to libutil.a.
The common ipa_ldap_init() and ipa_tls_ssl_init() set the same options
as ldap_initialize().

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
172df673 by Christian Heimes at 2018-05-29T13:30:37Z
Refuse PORT, HOST in /etc/openldap/ldap.conf

OpenLDAP has deprecated the PORT and HOST stanzas in ldap.conf. The presence
of either option causes FreeIPA installation to fail. Refuse
installation when a deprecated and unsupported option is present.

Fixes: https://pagure.io/freeipa/issue/7418
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
0030118d by Timo Aaltonen at 2018-05-29T15:03:56Z
Create kadm5.acl if it doesn't exist

kadmind doesn't start without it, and Debian doesn't ship it by default.

Fixes: https://pagure.io/freeipa/issue/7553
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
7a27651a by Timo Aaltonen at 2018-05-29T15:03:56Z
constants: Fix HTTPD_GROUP for Debian

Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
a3a3d6da by Timo Aaltonen at 2018-05-29T15:03:56Z
paths: Fix some path definitions for Debian.

Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
86ef31d7 by Timo Aaltonen at 2018-05-29T15:03:56Z
Add mkhomedir support for Debian

Fixes: https://pagure.io/freeipa/issue/7556
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
c5ee8ae5 by Timo Aaltonen at 2018-05-29T15:03:56Z
named.conf: Disable duplicate zone on debian, and modify data dir

The zone is already imported via the default zones.

Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
ffdb20ae by Timo Aaltonen at 2018-05-29T15:03:56Z
ldapupdate: Add support for Debian multiarch

And since Fedora 28 dropped support for non-64bit, hardcode default LIBARCH as 64.

Fixes: https://pagure.io/freeipa/issue/7555
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
8c0d7bb9 by Timo Aaltonen at 2018-05-29T15:03:56Z
Fix HTTPD SSL configuration for Debian.

The site and module configs are split on Debian, server setup needs
to match that.

Fixes: https://pagure.io/freeipa/issue/7554
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
f47d86c7 by Stanislav Laznicka at 2018-05-29T15:03:56Z
Move config directives handling code

Move config directives handling code:
        ipaserver.install.installutils -> ipapython.directivesetter

Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
fb16bc93 by Christian Heimes at 2018-05-30T06:18:40Z
Require JSS 4.4.4 with fix for sub CA replication

The SQL backend of NSS behaves differently than the DBM backend.
Specifically PK11_UnwrapPrivateKey generates a different CKA_ID. JSS 4.4.4
contains a workaround for broken sub CA replication.

Note: FreeIPA doesn't depend on JSS directly. The version requirement
was added to update JSS to a working version.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1583140
Fixes: https://pagure.io/freeipa/issue/7536
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
2256f9ef by Rob Crittenden at 2018-05-30T06:53:12Z
Validate the Directory Manager password before starting restore

The password was only indirectly validated when trying to
disable replication agreements for the restoration.

Only validate the password if the IPA configuration is available
and dirsrv is running.

https://pagure.io/freeipa/issue/7136
https://pagure.io/freeipa/issue/7535

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
59b3eb04 by Rob Crittenden at 2018-05-30T06:53:12Z
Add tests for ipa-restore with DM password validation check

ipa-restore should validate the DM password before executing
the restoration. This adds two test cases:

1. Restore with a bad DM password
2. Restore with dirsrv down so password cannot be checked

Related: https://pagure.io/freeipa/issue/7136

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
1da3eddf by Fraser Tweedale at 2018-05-30T13:09:55Z
Handle compressed responses from Dogtag

We currently accept compressed responses for some Dogtag resources,
via an 'Accept: gzip, deflate' header.  But we don't decompress the
received data.  Inspect the response Content-Encoding header and
decompress the response body according to its value.

The `gzip.decompress` function is only available on Python 3.2 or
later.  In earlier versions, it is necessary to use StringIO and
treat the compressed data as a file.  This commit avoids this
complexity.  Therefore it should only be included in Python 3 based
releases.

Fixes: https://pagure.io/freeipa/issue/7563
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
0a87de5e by Christian Heimes at 2018-05-30T13:09:55Z
Backport gzip.decompress for Python 2

Python 2 doesn't have gzip.decompress(data: bytes) -> bytes function.
Backport the two line function from Python 3.6.

Fixes: https://pagure.io/freeipa/issue/7563
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
4274b361 by Mohammad Rizwan Yusuf at 2018-05-31T10:18:34Z
Test to check second replica installation after master restore

When the master is restored from backup and replica1 is re-initialized,
second replica installation was failing. The issue was with the ipa-backup
tool which was not backing up the /etc/ipa/custodia/custodia.conf and
/etc/ipa/custodia/server.keys.

Related ticket: https://pagure.io/freeipa/issue/7247

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
3e4b9cd9 by Pavel Picka at 2018-05-31T11:05:05Z
Adding WebUI Host test cases

Added test cases due to downstream test cases
- negative input
- ssh keys
- csr
- otp
- filter
- buttons

https://pagure.io/freeipa/issue/7550

Signed-off-by: Pavel Picka <ppicka at redhat.com>
Reviewed-By: Varun Mylaraiah <mvarun at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
a2e8d989 by Robbie Harwood at 2018-05-31T15:53:25Z
Fix elements not being removed in otpd_queue_pop_msgid()

If the element being removed were not the queue head,
otpd_queue_pop_msgid() would not actually remove the element, leading
to potential double frees and request replays.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
cf25823e by Christian Heimes at 2018-05-31T18:12:49Z
Print version string in installer

The server, replica, and client installer now print the current version
number on the console, before the actual installer starts. It makes it
easier to debug problems with failed installations. Users typically post
the console output in a ticket.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
816daf93 by Fraser Tweedale at 2018-06-01T13:40:33Z
Add missing space in error string

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
3927b0e7 by Mohammad Rizwan Yusuf at 2018-06-01T13:42:32Z
Extended UI test for selfservice permission.

Following scenarios added:
 - test_add_all_attr
 - test_add_and_add_another
 - test_add_and_edit
 - test_add_and_cancel
 - test_add_permission_undo
 - test_add_permission_reset
 - test_permission_negative
 - test_del_multiple_permission
 - test_permission_using_enter_key
 - test_reset_sshkey_permsission

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
326fd6a7 by amitkuma at 2018-06-05T18:01:11Z
Match Common Name attribute in Subject

ipa cert_find command has an option called --subject.
The option is documented as --subject=STR Subject.
It is expected that the --subject option searches by the X.509 subject field but it does not do so.
It searches for the CN, not the cert subject. Hence changing the content of the --subject help option.

Resolves: https://pagure.io/freeipa/issue/7322
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
992a5f48 by Christian Heimes at 2018-06-05T20:34:27Z
Move client templates to separate directory

PR https://github.com/freeipa/freeipa/pull/1747 added the first template
for FreeIPA client package. The template file was added to server
templates, which broke client-only builds.

The template is now part of a new subdirectory for client package shared
data.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
f03df5fe by Felipe Barreto at 2018-06-07T15:27:38Z
Adding xfail to failing tests

The tests listed below are failing and we do not have time to debug them
and understand why. Adding xfail to keep it green.

TestInstallDNSSECLast::test_disable_reenable_signing_master
TestInstallDNSSECLast::test_disable_reenable_signing_replica
TestInstallDNSSECFirst::test_chain_of_trust

Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
2b3eb5c5 by Rob Crittenden at 2018-06-07T16:55:01Z
Disable Schema Compat plugin during server upgrade

If this is enabled it can cause a deadlock with SSSD trying
to look up entries and it trying to get data on AD users
from SSSD.

When reading the entry from LDIF try to get the camel-case
nsslapd-pluginEnabled and fall back to the all lower-case
nsslapd-pluginenabled if that is not found. It would be nice
if the fetch function was case sensitive but this is likely
overkill as it is, but better safe than blowing up.

Upon restoring it will always write the camel-case version.

https://pagure.io/freeipa/issue/6721

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
f976f6cf by Rob Crittenden at 2018-06-08T08:49:18Z
Use replace instead of add to set new default ipaSELinuxUserMapOrder

The add was in effect replacing whatever data was already there
causing any custom order to be lost on each run of
ipa-server-upgrade.

https://pagure.io/freeipa/issue/6610

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
b1f368c6 by Michal Reznik at 2018-06-08T12:03:30Z
ui_tests: fixes for issues with sending key and focus on element

Fixes 2 issues in WebUI tests. One issue is that we are unable to
confirm a dialog by "Enter" keyboard - "actions.click()" helps
here to get focus on the page.

Second issue is probably related to screen resolution as we cannot
click some of the action buttons (the buttons which have the issue
vary).

https://pagure.io/freeipa/issue/7583

Reviewed-By: Pavel Picka <ppicka at redhat.com>

- - - - -
53330738 by Christian Heimes at 2018-06-10T16:33:38Z
Use one Custodia peer to retrieve all secrets

Fix 994f71ac8a1bb7ba6bc9caf0f6e4f59af44ad9c4 was incomplete. Under some
circumstances the DM hash and CA keys were still retrieved from two different
machines.

Custodia client now uses a single remote to upload keys and download all
secrets.

Fixes: https://pagure.io/freeipa/issue/7518
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>

- - - - -
ed52baba by Christian Heimes at 2018-06-11T06:44:18Z
Make Python 2 build dependency optional

The specfile now uses three variables to determine how to handle
Python support.

with_python2: build python2-ipa* packages
with_python3: build python3-ipa* packages
with_default_python: use Python 3 or 2 for commands and packages

"with_default_python=3" is the default build flavor. "with_python3=0"
implies "with_default_python=2". Python 2 packages are still built on
Fedora by default.

The patch also cleans up and fixes additional issues:

* makeapi/makeaci require Python 3
* remove checks for unsupported distros like F27
* sort dependencies and remove duplicates
* remove python3-memcached dependency
* remove svrcore-devel dependency
* don't assume that gcc, make, and pkgconfig are provided by default
* fix packaging bug with ipa-test-* commands. Unversioned ipa-run-test
  were packaged with Python 2 RPMs although they had a Python 3 shebang.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1565263
Fixes: https://pagure.io/freeipa/issue/7500
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
390251d3 by Christian Heimes at 2018-06-11T06:44:18Z
Always build Python 3 packages

Remove with_python3 checks and always build Python 3 packages.

Co-authored-by: Stanislav Laznicka <slaznick at redhat.com>
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ec9ea73b by Aleksei Slaikovskii at 2018-06-11T08:48:40Z
Uninstall fix for named-pkcs11

Sometimes named-pkcs11 is not being stopped or reloaded during
uninstall and it causes a lot of problems while testing; for example,
backup and restore tests are failing because ipa-server-install
fails on the DNS check step.

Fixes backup/restore test runs. Maybe something else.

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
283987c1 by Aleksei Slaikovskii at 2018-06-11T08:48:40Z
Revert "Fixing TestBackupAndRestore::test_full_backup_and_restore_with_removed_users"

This reverts commit 415578a199a221a3ed78cbf4d629c3e4ff6f39ec.

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
fe70a9e6 by Rob Crittenden at 2018-06-11T10:20:48Z
Suppress missing cn=schema compat on installation

The schema compat plugin is disabled on upgrades but it is
possible that it is not configured at all and this will
produce a rather nasty looking error message.

Check to see if it is configured at all before trying to
disable it.

https://pagure.io/freeipa/issue/6610

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
c74f65ef by Christian Heimes at 2018-06-11T16:02:55Z
Split external_ca PR-CI into two jobs

The external_ca job takes about 38 minutes of testing. Split the tests
into TestExternalCA (~17 minutes) and TestSelfExternalSelf +
TestExternalCAInstall (~20 minutes).

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
f5a04da9 by Stanislav Levin at 2018-06-12T06:38:56Z
Fix translation of commands description in API Browser

The command description is taken from the Python docstring. Thus
commands should have one and should include calls to
gettext to be translated.

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
114e46b7 by Kaleemullah Siddiqui at 2018-06-13T20:23:18Z
Test coverage for multiservers for radius proxy

Test checks that no multiservers can be added for
radius proxy

Pagure: https://pagure.io/freeipa/issue/7542
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7d12bbb9 by Christian Heimes at 2018-06-14T07:04:06Z
Use python3-lesscpy 0.13.0

Require python-lesscpy 0.13 with the Python 3 fix and use py3-lesscpy to
compile ipa.css.

python2-lesscpy was the last Python 2 dependency.

Fixes: https://pagure.io/freeipa/issue/7585
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
907e1649 by Christian Heimes at 2018-06-15T06:30:55Z
Fedora 29 renamed fedora-domainname.service

In Fedora 29, the fedora-domainname.service has been renamed to
nis-domainname.service like on RHEL. The ipaplatform service module for
Fedora now only renames the service, when it detects the presence of
fedora-domainname.service.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1588192
Fixes: https://pagure.io/freeipa/issue/7582
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
f1d5ab3a by Christian Heimes at 2018-06-15T11:02:53Z
Increase WSGI process count to 5 on 64bit

Increase the WSGI daemon worker process count from 2 processes to 5
processes. This allows IPA RPC to handle more parallel requests. The
additional processes increase memory consumption by approximately 250 MB
in total.

Since memory is scarce on 32bit platforms, only 64bit platforms are
bumped to 5 workers.

Fixes: https://pagure.io/freeipa/issue/7587
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
4f4835a7 by Anuja More at 2018-06-18T12:53:32Z
Test for ipa-replica-install fails with PIN error for CA-less env.

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Aleksei Slaikovskii <aslaikov at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
eda831db by Florence Blanc-Renaud at 2018-06-19T06:51:02Z
Installer: configure authselect with-sudo

authselect needs to be configured with the 'with-sudo' feature (except
when ipa-client-install is called with the option --no-sudo).

https://pagure.io/freeipa/issue/7562

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
f90e137a by Christian Heimes at 2018-06-19T06:56:46Z
Sort and shuffle SRV record by priority and weight

On multiple occasions, SRV query answers were not properly sorted by
priority. Records with same priority weren't randomized and shuffled.
This caused FreeIPA to contact the same remote peer instead of
distributing the load across all available servers.

Two new helper functions now take care of SRV queries. sort_prio_weight()
sorts SRV and URI records. query_srv() combines SRV lookup with
sort_prio_weight().

Fixes: https://pagure.io/freeipa/issue/7475
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
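
The RFC 2782 ordering the commit describes (ascending priority, weighted shuffle within a priority), as an added example that is not FreeIPA's own sort_prio_weight()/query_srv() code. SRVRecord, SAMPLE_ZONE and fake_resolve are constructed here so the example runs offline; the real code works on dnspython rdata with the same four fields.

```python
import random
from collections import Counter, namedtuple

# Constructed record type for the example; FreeIPA's real code works on
# dnspython rdata objects, which expose the same four fields.
SRVRecord = namedtuple("SRVRecord", "priority weight port target")


def sort_prio_weight(records, seed=None):
    """Order SRV-style records per RFC 2782: ascending priority first, then a
    weighted random shuffle inside each priority group. Same-priority servers
    therefore come first in proportion to their weights instead of always in
    the order the resolver returned them (the failure mode the commit fixes).
    `seed` makes the shuffle reproducible for tests; None uses system entropy."""
    rng = random.Random(seed)
    ordered = []
    for priority in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == priority]
        rng.shuffle(group)
        # RFC 2782: zero-weight records are placed at the front of the list so
        # they are selected only when the random number lands on 0.
        group.sort(key=lambda r: r.weight != 0)
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)
            running = 0
            for idx, rec in enumerate(group):
                running += rec.weight
                if running >= pick:
                    ordered.append(group.pop(idx))
                    break
    return ordered


def query_srv(name, resolve, seed=None):
    """Combine an SRV lookup with sort_prio_weight(). `resolve` is injected
    (a callable returning SRVRecord objects) so the example runs offline."""
    return sort_prio_weight(resolve(name), seed=seed)


# Constructed sample zone: two equal-weight primaries and a low-priority
# fallback that must never be contacted first while the primaries exist.
SAMPLE_ZONE = {
    "_ldap._tcp.example.test": [
        SRVRecord(0, 100, 389, "ipa1.example.test."),
        SRVRecord(0, 100, 389, "ipa2.example.test."),
        SRVRecord(10, 0, 389, "ipa-dr.example.test."),
    ],
}


def fake_resolve(name):
    """Offline stand-in for a DNS SRV query against SAMPLE_ZONE."""
    return list(SAMPLE_ZONE[name])


def first_target_histogram(records, trials, seed=0):
    """Count which target comes out first over many shuffles; a correct
    implementation spreads first place across equal-priority servers."""
    counts = Counter()
    for i in range(trials):
        counts[sort_prio_weight(records, seed=seed + i)[0].target] += 1
    return counts


if __name__ == "__main__":
    for rec in query_srv("_ldap._tcp.example.test", fake_resolve):
        print(rec.priority, rec.weight, rec.target)
    print(first_target_histogram(fake_resolve("_ldap._tcp.example.test"), 1000))
```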

- - - - -
57fd79ff by Rob Crittenden at 2018-06-19T07:09:01Z
Replace some test case adjectives

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
bdc3e3c5 by Mohammad Rizwan Yusuf at 2018-06-19T10:44:10Z
Extended UI test for Certificates

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Michal Reznik <mreznik at redhat.com>

- - - - -
f1c7d3c2 by Christian Heimes at 2018-06-19T12:37:53Z
Start to deprecate Python 2 and 3.5

Python 2 will reach EOL in 18 months. Start to issue deprecation
warnings on Python 2.

No longer claim support for Python 3.5. Python 3.5 is untested.

NOTE: At first I tried to raise the deprecation warning from
ipalib.__init__. This caused some unforeseen side-effects with the
ipaplatform namespace package on Python 2. Eventually it was easier to
raise the deprecation warning in ipaplatform. RHEL and Debian platforms
don't raise the deprecation warning yet, because they use Python 2.

Fixes: https://pagure.io/freeipa/issue/7568
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
2d278720 by Michal Reznik at 2018-06-19T12:58:08Z
ui_tests: extend test_config.py suite

Extend test_config.py suite with new test cases.

Added tests:

config_email_undo
config_groupsearch_reset
groupsearchfield_blank
groupsearchfield_existing
groupsearchfield_leading_space
groupsearchfield_notallowed
groupsearchfield_trailing_space
usersearchfield_trailing_space
sizelimit_blank
sizelimit_letter
sizelimit_space
timelimit_blank
timelimit_letter
timelimit_negative
timelimit_space
userDefaultShell_blank
userDefaultShell_leading_space
userDefaultShell_new
userDefaultShell_specialchar
userDefaultShell_trailing_space
useremail_leading_space
useremail_new
useremail_trailing_space
usergroup_new
userhomedir_blank
userhomedir_leading_space
userhomedir_numbers
userhomedir_space_inbetween
userhomedir_specialchar
userhomedir_trailing_space
usermigrationmode_disable
usermigrationmode_enable
usernamelength_blank
usernamelength_letters
usernamelength_max
usernamelength_new
usernamelength_space_inbetween
usernamelength_specialchar
userpwdexpnotify_blank
userpwdexpnotify_letters
userpwdexpnotify_max
userpwdexpnotify_space_inbetween
userpwdexpnotify_specialchar
usersearchfield_blank
usersearchfield_existing
usersearchfield_leading_space
usersearchfield_new
usersearchfield_notallowed

https://pagure.io/freeipa/issue/7576

Reviewed-By: Pavel Picka <ppicka at redhat.com>

- - - - -
0b794cd4 by Florence Blanc-Renaud at 2018-06-19T16:06:56Z
fix dependency for *-domainname.service file

FreeIPA has a dependency on /usr/lib/systemd/system/*-domainname.service
file. In fedora <=28, this is provided by package 'initscripts'
but in fedora >= 29, this is provided by package 'hostname'.

Fixes:
https://pagure.io/freeipa/issue/7591

Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
b9690615 by Rob Crittenden at 2018-06-20T06:38:03Z
Improve console logging for ipa-server-install

The server installation and uninstallation overlaps both the
server and client installers. The output could be confusing
with a server uninstall finishing with the message:

The ipa-client-install command was successful

This was in part due to the fact that the server was not
configured with a console format and verbose was False which
meant that no logger messages were displayed at all.

In order to suppress client installation errors and avoid
confusion add a list of errors to ignore. If a server install
was not successful and hadn't gotten far enough to do the
client install then we shouldn't complain loudly about it.

https://pagure.io/freeipa/issue/6760

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
8ea22745 by Rob Crittenden at 2018-06-20T06:38:03Z
Drop attr defaultServerList if removing the last server

This otherwise returns a syntax error if trying to set
an empty value.

Related: https://pagure.io/freeipa/issue/6760

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
00ddb5dd by Rob Crittenden at 2018-06-20T06:38:03Z
server install: drop some print statements, change log level

The server installer had no console logger set so print
statements were used for communication. Now that a logger
is enabled the extra prints need to be dropped.

A number of logger.info statements have been upgraded
to debug since they do not need to appear on the console
by default.

https://pagure.io/freeipa/issue/6760

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
036d51d5 by Rob Crittenden at 2018-06-20T06:38:03Z
Handle subtypes in ACIs

While enabling console output in the server installation the
"Allow trust agents to retrieve keytab keys for cross realm
principals" ACI was throwing an unparseable error because
it has a subkey which broke parsing (the extra semi-colon):

userattr="ipaAllowedToPerform;read_keys#GROUPDN";

The regular expression pattern needed to be updated to handle
this case.

Related: https://pagure.io/freeipa/issue/6760

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
9ead7084 by Anuja More at 2018-06-20T08:06:39Z
Test that hosts can remove their own services

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
84ae625f by Ganna Kaihorodova at 2018-06-20T10:42:51Z
check nsds5ReplicaReleaseTimeout option was set

Check for nsds5ReplicaReleaseTimeout option was set

relates to: https://pagure.io/freeipa/issue/7488

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
8c3ff030 by Christian Heimes at 2018-06-21T09:49:26Z
Always set ca_host when installing replica

ipa-replica-install only set ca_host in its temporary
/etc/ipa/default.conf, when it wasn't installing a replica with CA. As a
consequence, the replica installer was picking a random CA server from
LDAP.

Always set the replication peer as ca_host. This will ensure that the
installer uses the same replication peer for CA. In case the replication
peer is not a CA master, the installer will automatically pick another
host later.

See: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
f4716b69 by Stanislav Levin at 2018-06-21T13:30:58Z
Add support for format method to translation objects

For now translation classes have the old-style % formatting way only.
But 'format' is the convenient, preferred string formatting method in Python 3.

Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
854597c4 by Stanislav Levin at 2018-06-21T13:30:58Z
Use intended format() method of translation object

Translation objects have support for format(). This allows to
get rid of unicode() which is deprecated in Python3.

Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
65414d14 by Stanislav Levin at 2018-06-21T13:30:58Z
Fix formatted translations in domainlevel plugin

For now formatting is applied to bare messages before translating.
This breaks python-brace-format and the message becomes untranslatable.

Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
229f1608 by Stanislav Levin at 2018-06-21T13:30:58Z
Fix translation of idrange_* commands description

For now formatting is applied to bare messages before translating.
This breaks python-brace-format and the message becomes completely
untranslatable.

Also some messages to be translated at request time should
not use format().

Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
6f245db8 by Stanislav Levin at 2018-06-21T13:30:58Z
Fix formatted translations in trust plugin

Translation objects have support for format(). This allows to
get rid of unicode() which has been removed in Python3.

Also some messages to be translated at request time should
not use format()

Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1dfdbfd8 by Stanislav Levin at 2018-06-21T13:30:58Z
Fix formatted translations of error messages in serverroles plugin

For now formatting is applied to bare messages before translating.
This breaks python-brace-format and the message becomes completely
untranslatable.

Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
4b3bc490 by Stanislav Levin at 2018-06-21T13:30:58Z
Fix formatted translations of error messages in topology plugin

For now formatting is applied to bare messages before translating.
This breaks python-brace-format and the message becomes completely
untranslatable.

Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
6fb45d2f by Tomas Krizek at 2018-06-21T13:54:49Z
test_dnssec: re-add named-pkcs11 workarounds

DNSSEC tests started to fail again, probably due to a bug in
some underlying component.

This reverts commit 8bc677512296a7e94c29edd0c1a96aa7273f352a
and makes the xfail test check less strict - it will no longer
mark the test suite red if it passes.

Run DNSSEC tests on PR-CI

Co-authored-by: Felipe Barreto <fbarreto at redhat.com>
Related https://pagure.io/freeipa/issue/5348

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
dae4aac9 by Christian Heimes at 2018-06-21T13:54:49Z
Tests: Set default TTL for DNS zones to 1 sec

When running IPA tests, a default TTL for the zone should be set
very low to get rid of timeouts in the tests. Zone updates should
be propagated to the clients as soon as possible.

This is not something that should be used in production so the change is
done purely at install time within the tests. As zone information is
replicated, we only modify it when creating a master with integrated
DNS.

This change should fix a number of DNSSEC-related tests where default
TTL is longer than what a test expects and a change of DNSSEC keys
never gets noticed by BIND. As a result, DNSSEC tests never match
their expected output with what they received from BIND.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Co-authored-by: Alexander Bokovoy <abokovoy at redhat.com>
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
3a8f0bb1 by Christian Heimes at 2018-06-21T13:54:49Z
Remove restarted_named and xfail

With shorter TTL, several named restarts are no longer necessary to make
tests pass. The test case TestZoneSigningWithoutNamedRestart is no
longer relevant, too.

Modification of the root zone and disabling/enabling signing still seems
to need a restart. I have marked those cases as TODO.

See: https://pagure.io/freeipa/issue/5348
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
32ed10ca by Stanislav Levin at 2018-06-21T16:42:05Z
Apply validate_doc() to NO_CLI commands

This should prevent NO_CLI commands from having no translatable
description, or none at all, in the Web UI API Browser.

Fixes: https://pagure.io/freeipa/issue/7592
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
c1f7a14c by Stanislav Levin at 2018-06-21T16:42:05Z
Fix some untranslatable commands in Web UI API Browser

There are some missing translatable docstrings of commands and modules.

Fixes: https://pagure.io/freeipa/issue/7592
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
de8d3081 by Armando Neto at 2018-06-21T18:42:15Z
ipaserver config plugin: Increase search records minimum limit

Check if the given search records value is greater than an arbitrary number that is not so close to zero.

https://pagure.io/freeipa/issue/6617

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
14c869b3 by Christian Heimes at 2018-06-22T11:01:55Z
Improve and fix timeout bug in wait_for_entry()

replication.wait_for_entry() now can wait for an attribute value to
appear on a replica.

Fixed timeout handling caused by bad rounding and comparison. For small
timeouts, the actual time was rounded down. For example for 60 seconds
timeout and fast replica, the query accumulated to about 0.45 seconds
plus 60 seconds sleep. 60.45 is large enough to terminate the loop
"while int(time.time()) < timeout", but not large enough to trigger the
exception in "if int(time.time()) > timeout", because int(60.65) == 60.

See: https://pagure.io/freeipa/issue/7593
Fixes: https://pagure.io/freeipa/issue/7595
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
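
The integer-rounding failure mode the commit describes, reproduced deterministically as an added example (not FreeIPA's replication.wait_for_entry() code). FakeClock is a constructed stand-in for time.time()/time.sleep() with a simulated per-poll query cost; the buggy variant follows the "while int(time.time()) < timeout" / "if int(time.time()) > timeout" pattern quoted above, the fixed one compares floats and raises whenever the entry is absent at the deadline.

```python
class FakeClock:
    """Constructed, deterministic stand-in for time.time()/time.sleep()."""

    def __init__(self, start=1000.0, query_cost=0.0075):
        self.now = start
        self.query_cost = query_cost  # simulated LDAP round-trip per poll

    def time(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds

    def query(self, found):
        """Simulate one replica lookup that takes query_cost seconds."""
        self.now += self.query_cost
        return found


def buggy_wait_for_entry(clock, timeout, found=False, interval=1):
    """Pre-fix pattern: integer-truncated time comparisons.

    When the elapsed time lands in the gap between deadline and deadline+1
    (e.g. 60.45 s for a 60 s timeout), int(now) == deadline: the loop stops
    but the '>' check does not fire, so the caller gets None and cannot tell
    a missed entry from success."""
    deadline = int(clock.time()) + timeout
    while int(clock.time()) < deadline:
        if clock.query(found):
            return True
        clock.sleep(interval)
    if int(clock.time()) > deadline:
        raise TimeoutError("entry not found before deadline")
    return None  # silently falls through when int(now) == deadline


def fixed_wait_for_entry(clock, timeout, found=False, interval=1):
    """Float deadline; the timeout is raised whenever the entry is still
    absent once the deadline has passed, with no rounding gap."""
    deadline = clock.time() + timeout
    while True:
        if clock.query(found):
            return True
        if clock.time() >= deadline:
            raise TimeoutError("entry not found before deadline")
        clock.sleep(interval)


def compare_timeout_handling(timeout=60):
    """Run both variants against a replica that never returns the entry and
    report what the caller observes."""
    report = {}
    clock = FakeClock()
    report["buggy_result"] = buggy_wait_for_entry(clock, timeout)
    report["buggy_elapsed"] = round(clock.time() - 1000.0, 2)
    clock = FakeClock()
    try:
        fixed_wait_for_entry(clock, timeout)
        report["fixed_result"] = "returned"
    except TimeoutError:
        report["fixed_result"] = "TimeoutError"
    return report


if __name__ == "__main__":
    print(compare_timeout_handling())
```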

- - - - -
1b966f70 by Christian Heimes at 2018-06-22T11:01:55Z
Use common replication wait timeout of 5min

Instead of multiple timeout values all over the code base, all
replication waits now use a common timeout value from api.env of 5
minutes. Waiting for HTTP/replica principal takes 90 to 120 seconds, so
5 minutes seems like a sufficient value for slow setups.

Fixes: https://pagure.io/freeipa/issue/7595
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
ad838c37 by Christian Heimes at 2018-06-22T11:01:55Z
Fix replication races in Dogtag admin code

DogtagInstance.setup_admin and related methods have multiple LDAP
replication race conditions. The bugs can cause parallel
ipa-replica-install to fail.

The code from __add_admin_to_group() has been changed to use MOD_ADD
rather than search + MOD_REPLACE. The MOD_REPLACE approach can lead to
data loss, when more than one writer changes a group.

setup_admin() now waits until both admin user and group membership have
been replicated to the master peer. The method also adds a new ACI to
allow querying group members in the replication check.

Fixes: https://pagure.io/freeipa/issue/7593
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
c7ac8b91 by Sudhir Menon at 2018-06-22T15:02:40Z
DOAP Description for IPA Project

https://pagure.io/freeipa/issue/2536

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
89ae4341 by Sudhir Menon at 2018-06-22T15:02:40Z
Adding modified DOAP file

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
e90d90c5 by Mohammad Rizwan Yusuf at 2018-06-25T08:37:58Z
Check if issuer DN is updated after self-signed > external-ca

This test checks if issuer DN is updated properly after CA is
renewed from self-signed to external-ca

related ticket: https://pagure.io/freeipa/issue/7316

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>

Replaced hardcoded issuer CN for external ca with constant

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
0e21d933 by Christian Heimes at 2018-06-25T11:41:18Z
Use 4 WSGI workers on 64bit systems

Commit f1d5ab3a03191dbb02e5f95308cf8c4f1971cdcf increases WSGI worker
count to five. This turned out to be a bit much for our test systems.
Four workers are good enough and still double the old amount.

See: https://pagure.io/freeipa/issue/7587
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
01aa27f6 by Timo Aaltonen at 2018-06-26T06:53:12Z
control: Add libjs-scriptaculous to server depends.

- - - - -
c27a35ea by Timo Aaltonen at 2018-06-26T06:56:03Z
fix-gzip-path.diff: Fix path to gzip. (LP: #1778236)

- - - - -
ba8cbb8c by Christian Heimes at 2018-06-27T09:05:01Z
Ensure that public cert and CA bundle are readable

In CIS hardened mode, the process umask is 027. This results in some
files not being world readable. Ensure that write_certificate_list()
calls in client installer, server installer, and upgrader create cert
bundles with permission bits 0644.

Fixes: https://pagure.io/freeipa/issue/7594
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
1434f2a2 by Christian Heimes at 2018-06-27T09:05:01Z
Always make ipa.p11-kit world-readable

Ensure that ipa.p11-kit is always world-readable.

Fixes: https://pagure.io/freeipa/issue/7594
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
89b2137d by Christian Heimes at 2018-06-27T09:05:01Z
Make /etc/httpd/alias world readable & executable

The directory /etc/httpd/alias contains public key material. It must be
world readable and executable, so any client can read public certs.

Note: executable for a directory means, that a process is allowed to
traverse into the directory.

Fixes: https://pagure.io/freeipa/issue/7594
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c2eb0f16 by Christian Heimes at 2018-06-27T09:05:01Z
Fix permission of public files in upgrader

Make CA bundles, certs, and cert directories world-accessible in
upgrader.

Fixes: https://pagure.io/freeipa/issue/7594
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
39ac5f44 by Varun Mylaraiah at 2018-06-27T11:31:54Z
ui_tests: extend test_pwpolicy.py suite

Extend WebUI test_pwpolicy suite with the following test cases
Details in the ticket https://pagure.io/freeipa/issue/7574

Added tests:
krbpwdminlength: lower range integer
krbmaxpwdlife: non-integer, abc
krbmaxpwdlife: upper range integer,2147483648
krbmaxpwdlife: lower range integer,-1
krbminpwdlife: non-integer,edf
krbminpwdlife: upper range integer,2147483648
krbminpwdlife: lower range integer,-1
krbpwdhistorylength: non-integer,HIJ
krbpwdhistorylength: upper range integer,2147483648
krbpwdhistorylength: lower range integer,-1
krbpwdmindiffchars: non-integer,3lm
krbpwdmindiffchars: upper range integer,2147483648
krbpwdmindiffchars: lower range integer, -1
krbpwdminlength: non-integer, n0p
krbpwdminlength: upper range integer,2147483648
krbpwdminlength: lower range integer, -1
cospriority: non-integer, abc
cospriority: upper range integer,2147483648
cospriority: lower range integer,-1
krbpwdmaxfailure: non-integer
krbpwdmaxfailure: upper range integer
krbpwdmaxfailure: lower range integer
krbpwdfailurecountinterval: non-integer
krbpwdfailurecountinterval: upper range integer
krbpwdfailurecountinterval: lower range integer
krbpwdlockoutduration: non-integer
krbpwdlockoutduration: upper range integer
krbpwdlockoutduration: lower range integer
deletePolicy_with various scenario
MeasurementUnitAdded_Bug798363
Delete global password policy
add_Policy_adder_dialog_bug910463
delete_Policy_deleter_dialog_bug910463
test field: cospriority
modifyPolicy(undo/refresh/reset)
empty policy name
upper bound of data range
lower bound of data range
non integer for policy priority

Signed-off-by: Varun Mylaraiah <mvarun at redhat.com>
Reviewed-By: Pavel Picka <ppicka at redhat.com>

- - - - -
81f36df7 by Alexander Bokovoy at 2018-06-27T15:49:35Z
ipaserver/dcerpc.py: handle indirect topology conflicts

When AD forest A has a trust with a forest B that claims ownership
of a domain name (TLN) owned by an IPA forest, we need to build
exclusion record for that specific TLN, not our domain name.

Use realmdomains to find a correct exclusion entry to build.

Fixes: https://pagure.io/freeipa/issue/7370
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
d622be29 by Armando Neto at 2018-06-27T18:25:39Z
Prevent the creation of users and groups with numeric characters only

Update regular expression validator to prevent user and group creation.

Fixes: https://pagure.io/freeipa/issue/7572

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a39f6563 by Florence Blanc-Renaud at 2018-06-28T09:41:17Z
ipa-client-install: enable and start oddjobd if mkhomedir

Since the switch to authselect, the service oddjobd is not
automatically enabled when ipa client is installed with
--mkhomedir.
The fix makes sure that the service is enabled/started, and
stores the pre-install state in sysrestore.state, in order
to revert to the pre-install state when uninstall is called

Fixes:
https://pagure.io/freeipa/issue/7604

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
7bf99e8d by Florence Blanc-Renaud at 2018-06-28T09:41:17Z
Add test for ticket 7604: ipa-client-install --mkhomedir doesn't enable oddjobd

Add a test checking that ipa-client-install --mkhomedir
is properly enabling/starting oddjobd.

Related to:
https://pagure.io/freeipa/issue/7604

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
0128b3f9 by Anuja More at 2018-06-29T08:31:50Z
Test for ipa-client-install should not use hardcoded admin principal

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
52cdd213 by Christian Heimes at 2018-06-29T13:48:43Z
Catch ACIError instead of invalid credentials

ipaldap's LDAPClient client turns INVALID_CREDENTIAL error into
ACIError. Catch the ACIError and wait until the user has been
replicated.

Apparently no manual or automated test ran into the timeout during
testing.

Fixes: https://pagure.io/freeipa/issue/7593
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f8159d0b by Christian Heimes at 2018-06-29T15:20:19Z
Python 3.7: re module has no re._pattern_type

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
4084189f by Christian Heimes at 2018-06-29T15:20:19Z
pylint: Class node has been renamed to ClassDef

nodes.Class has been removed from pylint and astroid 2.0. The new names
have been available for a while.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
627cb490 by Rob Crittenden at 2018-07-03T13:37:27Z
Extend CALessBase::installer_server to accept extra_args

Allow callers to pass arbitrary extra arguments to the installer.

This is useful when using a CALess installation in order to
speed up tests that require a full install but do not require
a full PKI.

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
00dceb43 by Justin Stephenson at 2018-07-03T13:37:27Z
Skip zone overlap check with auto-reverse

Skip the existing reverse zone overlap check during DNS installation
when both --auto-reverse and --allow-zone-overlap arguments are
provided.

https://pagure.io/freeipa/issue/7239

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
dcaa62f6 by Nikhil Dehadrai at 2018-07-03T15:04:50Z
Test for improved Custodia key distribution

The test checks that custodia keys are properly
replicated from the source and are successfully
distributed amongst peer systems upon successful
replica installation.

Fixes: https://pagure.io/freeipa/issue/7518

Signed-off-by: Nikhil Dehadrai <ndehadra at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
6896c90e by Christian Heimes at 2018-07-04T07:32:54Z
Extend Sub CA replication test

Test more scenarios like replication replica -> master. Verify that master
and replica have all expected certs with correct trust flags and all keys.

See: https://pagure.io/freeipa/issue/7590
See: https://pagure.io/freeipa/issue/7589
Fixes: https://pagure.io/freeipa/issue/7611
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
a7627a7d by Christian Heimes at 2018-07-04T07:32:54Z
Require JSS 4.4.5 with replication fixes

JSS fixes two issues related to cert replication and trust flags. The
bugs cause the replicated NSS DB to miss public key entries.

See: https://github.com/dogtagpki/jss/pull/13
See: https://github.com/dogtagpki/jss/pull/15
Fixes: https://pagure.io/freeipa/issue/7590
Fixes: https://pagure.io/freeipa/issue/7589
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
e140d198 by Michal Reznik at 2018-07-04T13:21:30Z
ui_tests: stabilization fixes

This patch aims to fix the following tests which seem to be quite
unstable recently:

test_user::test_actions - closing notification and moving to element
to have screenshot of current place.

test_user::certificates - add wait() / close_notification

Also adds missing @screenshot decorator to test_user_misc method.

Reviewed-By: Pavel Picka <ppicka at redhat.com>

- - - - -
79391ad8 by Armando Neto at 2018-07-04T13:21:30Z
ui_tests: fix test_config::test_size_limits

Fix a regression caused by: https://pagure.io/freeipa/issue/7606

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Pavel Picka <ppicka at redhat.com>

- - - - -
417f7486 by Michal Reznik at 2018-07-04T14:03:02Z
ipa_tests: ipa-replica-prepare stuck on user input

TestOldReplicaWorksAfterDomainUpgrade is getting stuck while
running "ipa-replica-prepare" as it is asking for user input:
"Do you want to search for missing reverse zones?". Adding
"--auto-reverse" in order to continue.

https://pagure.io/freeipa/issue/7615

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
53c54966 by Armando Neto at 2018-07-05T17:42:43Z
ipa-client-install: Update how comments are added by ipachangeconf

Due to how 'openldap-client' parses its configuration files this patch
changes how comments are added, moving them to the line above instead
of appending to the same line.

IPA doesn't want to break existing configuration: if a value already
exists it adds a comment to the modified setting and a note about that
on the line above.

New settings will be added without any note.

Issue: https://pagure.io/freeipa/issue/5202

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
198a2c61 by Christian Heimes at 2018-07-05T17:45:10Z
Import ABCs from collections.abc

Python 3 has moved all collection abstract base classes to
collections.abc. Python 3.7 started to deprecate the old aliases.

The whole import block needs to be protected with import-error and
no-name-in-module, because Python 2 doesn't have the collections.abc module
and collections.abc.Mapping, while Python 3 doesn't have collections.Mapping.

Fixes: https://pagure.io/freeipa/issue/7609
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
9c86d35a by Christian Heimes at 2018-07-05T17:46:42Z
Cleanup shebang and executable bit

- Add missing executable bits to all scripts
- Remove executable bits from all files that are not scripts,
  e.g. js, html, and Python libraries.
- Remove Python shebang from all Python library files.

It's frowned upon to have executable library files in site-packages.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
e8d33ccf by Armando Neto at 2018-07-05T21:09:27Z
ipa-server-install: fix zonemgr argument validator

Fix `ERROR 'str' object has no attribute 'decode'` when --zonemgr is
passed to ipa-server-install.

Solution copied from commit 75d26e1f0121f875bdb017b0636c02a6f5660e8a,
function `ipaserver.install.bindinstance.zonemgr_callback` duplicates
the behavior of the method affected by this patch.

Issue: https://pagure.io/freeipa/issue/7612

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
7c2ca141 by Christian Heimes at 2018-07-06T11:26:43Z
Query for server role IPA master

server_find and server_role plugins were hiding IPA master role
information. It's now possible to fetch IPA master role information and
to filter by IPA master role, e.g. to ignore servers that have some
services configured but not (yet) enabled.

See: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
10457a01 by Christian Heimes at 2018-07-06T11:26:43Z
Only create DNS SRV records for ready server

When installing multiple replicas in parallel, one replica may create
SRV entries for other replicas, although the replicas aren't fully
installed yet. This may cause some services to connect to a server that
isn't ready to serve requests.

The DNS IPASystemRecords framework now skips all servers that aren't
ready IPA masters.

See: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
7284097e by Christian Heimes at 2018-07-06T11:26:43Z
Delay enabling services until end of installer

Service entries in cn=FQDN,cn=masters,cn=ipa,cn=etc are no longer
created as enabled. Instead they are flagged as configuredService. At
the very end of the installer, the service entries are switched from
configured to enabled service.

- SRV records are created at the very end of the installer.
- Dogtag installer only picks fully installed servers
- Certmonger ignores all configured but not yet enabled servers.

Fixes: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
e32cfd14 by Florence Blanc-Renaud at 2018-07-06T15:40:55Z
ipa client uninstall: clean the state store when restoring hostname

When ipa client was installed with the --hostname= option, it stores
[network]
hostname = (current hostname)
in /var/lib/ipa-client/sysrestore/sysrestore.state and changes the hostname
from (current hostname) to the value provided in --hostname.

During uninstall, the previous hostname is restored but the entry does
not get removed from sysrestore.state. As the uninstaller checks if all
entries from sysrestore.state have been restored, it warns that some
state has not been restored.

The fix calls statestore.restore_state() instead of statestore.get_state()
as this method also clears the entry.

https://pagure.io/freeipa/issue/7620

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
8fa76762 by Christian Heimes at 2018-07-06T15:53:06Z
Fix CA topology warning

Commit 7284097eedef70dd556270732e6ab8e23501ce09 kept
find_providing_servers('CA') call before enable_services(). Therefore the
list of known CA servers did not contain the current replica.
ipa-replica-install on the first replica with --setup-ca still printed
the CA topology warning.

See: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f2941272 by Rob Crittenden at 2018-07-06T16:25:52Z
replicainstall: DS SSL replica install pick right certmonger host

Extend fix 0f31564b35aac250456233f98730811560eda664 to also move
the DS SSL setup so that the xmlrpc_uri is configured to point
to the remote master we are configuring against.

https://pagure.io/freeipa/issue/7566

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
b274da72 by Armando Neto at 2018-07-07T08:20:01Z
Replace file.flush() calls with flush_sync() helper

Calls to `os.fsync(f.fileno())` need to be accompanied by `f.flush()`.

Commit 8bbeedc93fd442cbbb9bb70e5f446011e95211db introduces the helper
`ipapython.ipautil.flush_sync()`, which handles all calls in the right
order.

However, `flush_sync()` takes as parameter a file object with fileno
and name, where name must be a path to the file; this isn't possible
in some cases where file descriptors are used.

Issue: https://pagure.io/freeipa/issue/7251

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
199d50a4 by Christian Heimes at 2018-07-09T12:36:42Z
Fix race condition in get_locations_records()

The method IPASystemRecords.get_locations_records() has a race condition.
The IPASystemRecords object creates a mapping of server names to server
data. get_locations_records() uses server_find() again to get a list of
servers, but then operates on the cached dict of server names.

In the parallel replication case, the second server_find() call in
get_locations_records() can return additional servers. Since the rest of
the code operates on the cached data, the method then fails with a KeyError.

server_data is now an OrderedDict to keep the same sorting as with
server_find().

Fixes: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
811b0fdb by Christian Heimes at 2018-07-09T16:20:17Z
Tune DS replication settings

Tune 389-DS replication settings to improve performance and avoid
timeouts. During installation of a replica, the value of
nsDS5ReplicaBindDnGroupCheckInterval is reduced to 2 seconds. At the end
of the installation, the value is increased to sensible production
settings. This avoids long delays during replication.

See: https://pagure.io/freeipa/issue/7617
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
fcb2a069 by Stanislav Levin at 2018-07-09T16:27:05Z
Fix link to browser configuration guide on Login page

There is a mismatch between 'i18n' krb_auth_msg and 'LoginScreen'
widget kerberos_msg. The former links to "unauthorized.html", but the latter
to "ssbrowser.html". Both should link to "ssbrowser.html" page.

Fixes: https://pagure.io/freeipa/issue/7624
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1fa2a7cd by Christian Heimes at 2018-07-09T18:15:18Z
Auto-retry failed certmonger requests

During parallel replica installation, a request sometimes fails with
CA_REJECTED or CA_UNREACHABLE. The errors occur when the master is
either busy or some information hasn't been replicated yet. Even
a stuck request can be recovered, e.g. when permission and group
information have been replicated.

A new function request_and_retry_cert() automatically resubmits failing
requests until it times out.

Fixes: https://pagure.io/freeipa/issue/7623
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
2b669c52 by Christian Heimes at 2018-07-09T18:15:18Z
Wait for client certificates

ipa-client-install --request-cert now waits until certmonger has
provided a host certificate. In case of an error, ipa-client-install no
longer pretends to succeed but fails with an error code.

The --request-cert option also ensures that certmonger is enabled and
running.

See: Fixes: https://pagure.io/freeipa/issue/7623
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>

- - - - -
9222a08c by Christian Heimes at 2018-07-10T15:51:05Z
Fix DNSSEC install regression

7284097eedef70dd556270732e6ab8e23501ce09 introduced a regression in
DNSSEC master installation. For standalone and replica installation,
services have to be enabled before checking bind config.

Fixes: https://pagure.io/freeipa/issue/7635
See: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
b4ad0d19 by Armando Neto at 2018-07-11T08:11:38Z
Fix pylint 2.0 return-related violations

Aiming to support pylint 2.0 some functions and methods must have their
return statements updated in order to fix two new violations:

- `useless-return` (R1711):
  Useless return at end of function or method Emitted when a single
  "return" or "return None" statement is found at the end of function
  or method definition. This statement can safely be removed because
  Python will implicitly return None

- `inconsistent-return-statements` (R1710):
  Either all return statements in a function should return an
  expression, or none of them should. According to PEP8, if any return
  statement returns an expression, any return statements where no value
  is returned should explicitly state this as return None, and an
  explicit return statement should be present at the end of the
  function (if reachable)

Issue: https://pagure.io/freeipa/issue/7614

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
0c1010d6 by Christian Heimes at 2018-07-11T08:50:33Z
Mark all expected failures as strict

With strict=True, xfail() fails when the test case passes unexpectedly.
This allows us to spot passing tests that are expected to fail.

Fixes: https://pagure.io/freeipa/issue/7613
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Petr Cech <pcech at redhat.com>

- - - - -
ec65590c by Christian Heimes at 2018-07-11T08:50:33Z
Fix XPASS in test_installation

Several test cases in test_installation pass, but are marked as xfail().
Only mark the actual failing tests as failed.

See: https://pagure.io/freeipa/issue/7613
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Petr Cech <pcech at redhat.com>

- - - - -
f48f00c6 by Christian Heimes at 2018-07-11T12:35:55Z
pylint 2.0: node.path is a list

In pylint 2.0 and astroid 2.0, node.path has become a list. It's usually
a list of one element unless namespace packages are involved.

See https://github.com/PyCQA/astroid/commit/7f46f9341cc54bbe6763409c4ca7ea3adfec098a#diff-f0ac879524bcb98964f7d8738a084820

See: https://pagure.io/freeipa/issue/7614
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
ba954efa by Armando Neto at 2018-07-12T06:49:43Z
Fix pylint 2.0 conditional-related violations

In order to support pylint 2.0 the following violations must be fixed:

- `chained-comparison` (R1716):
  Simplify chained comparison between the operands This message is
  emitted when pylint encounters boolean operation like
  "a < b and b < c", suggesting instead to refactor it to "a < b < c".

- `consider-using-in` (R1714):
  Consider merging these comparisons with "in" to %r To check if a
  variable is equal to one of many values, combine the values into a
  tuple and check if the variable is contained "in" it instead of
  checking for equality against each of the values. This is faster
  and less verbose.

Issue: https://pagure.io/freeipa/issue/7614

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
f89e501e by Christian Heimes at 2018-07-12T13:26:25Z
Handle races in replica config

When multiple replicas are installed in parallel, two replicas may try
to create the cn=replica entry at the same time. This leads to a
conflict on one of the replicas. replica_config() and
ensure_replication_managers() now handle conflicts.

ipaldap now maps TYPE_OR_VALUE_EXISTS to DuplicateEntry(). The type or
value exists exception is raised, when an attribute value or type is
already set.

Fixes: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz at redhat.com>

- - - - -
ca7cece1 by Petr Vobornik at 2018-07-12T13:38:01Z
WebUI build: replace uglifyjs with system package

UglifyJS is packaged in Fedora and other OSes, so it is no longer required
to carry our own version. This will lower the maintenance burden - the
code doesn't need to be updated and it is less code to have in the repo.

On some configurations usage of the bundled UglifyJS 1 produces a
"JavaScript throw: java.lang.StackOverflowError" exception. Usage of a more
recent version should fix it.

Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
df95ba59 by Petr Vobornik at 2018-07-12T13:38:01Z
WebUI build: use NodeJS instead of Rhino

Rhino is no longer mainstream, nor is Nashorn. In addition it is quite
slow (about 10x) in comparison to NodeJS. Over the years NodeJS became
a common part of OSes, thus one of the original reasons to use Rhino
went away.

The change in 01-Make-dojo-builder-buildable-by-itself.patch fixes
an incorrect change of the patch (it was not processing input options
well).

Removing configRhino.js and adding configNode.js are prerequisites
for Dojo Builder. These files are copied from Dojo project. Without
them it doesn't run. In the long run, it would be good to replace Dojo
builder with something else but that is outside of this commit/PR.

Last changes are preparation for update to latest stable version of
Dojo 1. The updated Dojo and Dojo builder are in subsequent commit.

Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
19c3f173 by Petr Vobornik at 2018-07-12T13:38:01Z
Update Dojo and Dojo builder to 1.13.0

This is a result of the previous commits. Building the Dojo builder
was a bit more complex as it was:
1. patched Dojo sources
2. built from Dojo builder sources.
3. moved to its location in FreeIPA project
4. built by util/make-builder.sh (does minimization and replaces
   itself)

Then Dojo layer is built by just:
1. util/make-dojo.sh

This process was documented some time ago at:

https://www.freeipa.org/page/V3/WebUI_build

Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
10de2f37 by Christian Heimes at 2018-07-12T16:19:34Z
Add tab completion and history to ipa console

ipa console is a useful tool to use FreeIPA's API in an interactive
Python console. The patch adds readline tab completion and history
support.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
5affc9b9 by Christian Heimes at 2018-07-12T16:19:34Z
Create helper function to upload to temp file

upload_temp_contents() generates a temporary file on the remote side and
uploads content to that temporary file. The file name is returned.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
87904b8f by Christian Heimes at 2018-07-12T16:19:34Z
Fix ipa console filename

The ipa console command takes an optional filename argument. The
filename argument was broken, because the implementation passed a file
object to exec() instead of a string or compiled object.

ipa console now uses compile() to compile the code with print_function
__future__ feature.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
4fc7f726 by Christian Heimes at 2018-07-13T17:56:03Z
Teach pylint how our api works

pylint 2.0 is more strict and complains about several aspects of
ipalib.api. It turns out that AstroidBuilder.string_build() can be used
to easily teach pylint about object attributes and attribute values.
Although the assignment wouldn't work with the actual implementation,
the string builder assignments show pylint the names and values of
members. It works without additional transformation.

See: https://pagure.io/freeipa/issue/7614
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
aacf185f by Christian Heimes at 2018-07-13T17:56:03Z
Add pylint ignore to magic config.Env attributes

pylint 2 is having a hard time handling name mangled, magic attributes
correctly. Double under attributes like __d are internally renamed to
_Env__d. After multiple failed attempts, it was easier to just add more
pylint disable to the implementation.

pylint 2 also thinks that Env.server is defined much later or the env
doesn't have that member at all. Ignore the false warnings, too.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
d1357194 by Armando Neto at 2018-07-14T10:04:19Z
Fix Pylint 2.0 violations

Fix the following violations aiming to support Pylint 2.0

- `unneeded-not` (C0113):
  Consider changing "not item in items" to "item not in items" used
  when a boolean expression contains an unneeded negation.

- `useless-import-alias` (C0414):
  Import alias does not rename original package Used when an import
  alias is the same as original package, e.g. using import numpy as numpy
  instead of import numpy as np

- `raising-format-tuple` (W0715):
  Exception arguments suggest string formatting might be intended Used
  when passing multiple arguments to an exception constructor, the
  first of them a string literal containing what appears to be
  placeholders intended for formatting

- `bad-continuation` (C0330):
  This was already included on the disable list, although with current
  version of pylint (2.0.0.dev2) violations at the end of the files
  are not being ignored.
  See: https://github.com/PyCQA/pylint/issues/2278

- `try-except-raise` (E0705):
  The except handler raises immediately Used when an except handler
  uses raise as its first or only operator. This is useless because it
  raises back the exception immediately. Remove the raise operator or
  the entire try-except-raise block!

- `consider-using-set-comprehension` (R1718):
  Consider using a set comprehension Although there is nothing
  syntactically wrong with this code, it is hard to read and can be
  simplified to a set comprehension. Also it is faster since you don't
  need to create another transient list

- `dict-keys-not-iterating` (W1655):
  dict.keys referenced when not iterating Used when dict.keys is
  referenced in a non-iterating context (returns an iterator in
  Python 3)

- `comprehension-escape` (W1662):
  Using a variable that was bound inside a comprehension Emitted when
  using a variable, that was bound in a comprehension handler, outside
  of the comprehension itself. On Python 3 these variables will be
  deleted outside of the comprehension.

Issue: https://pagure.io/freeipa/issue/7614

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
6a2e6864 by Christian Heimes at 2018-07-16T10:23:48Z
Fedora 29: No longer build python2-ipaserver

Some Python 2 dependencies such as python2-pki are no longer available
on Fedora 29. The pki package is a required dependency of
python2-ipaserver. It's not yet feasible to remove all Python 2
packages, since fleetcommander is not fully ported to Python 3 yet.

On Fedora 29, python2-ipaserver and python2-ipatests are no longer
built. The Python 3 packages replace the Python 2 packages.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
3ccd512d by Armando Neto at 2018-07-16T15:03:35Z
Disable Pylint 2.0 violations

Globally disabling the following violations:

- `assignment-from-no-return` (E1111):
  Assigning to function call which doesn't return. Used when an
  assignment is done on a function call but the inferred function
  doesn't return anything.

- `keyword-arg-before-vararg` (W1113):
  Keyword argument before variable positional arguments list in the
  definition of %s function When defining a keyword argument before
  variable positional arguments, one can end up in having multiple
  values passed for the aforementioned parameter in case the method is
  called with keyword arguments.

Locally disabling the following:

- `subprocess-popen-preexec-fn` (W1509):
  Using preexec_fn keyword which may be unsafe in the presence of
  threads The preexec_fn parameter is not safe to use in the presence
  of threads in your application. The child process could deadlock
  before exec is called. If you must use it, keep it trivial! Minimize
  the number of libraries you call into.
  https://docs.python.org/3/library/subprocess.html#popen-constructor

Fixed violations:

- `bad-mcs-classmethod-argument` (C0204):
  Metaclass class method %s should have %s as first argument Used when
  a metaclass class method has a first argument named differently than
  the value specified in valid-metaclass-classmethod-first-arg option
  (default to "mcs"), recommended to easily differentiate them from
  regular instance methods.
  - Note: Actually `cls` is the default first arg for `__new__`.

- `consider-using-get` (R1715):
  Consider using dict.get for getting values from a dict if a key is
  present or a default if not Using the builtin dict.get for getting a
  value from a dictionary if a key is present or a default if not, is
  simpler and considered more idiomatic, although sometimes a bit slower

Issue: https://pagure.io/freeipa/issue/7614

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
4edcf8e5 by Michal Reznik at 2018-07-17T13:14:48Z
Mark DL0 TestReplicaManageDel tests as xfail

Mark failing DL0 TestReplicaManageDel tests as xfail until
issue 7622 is fixed.

https://pagure.io/freeipa/issue/7622

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
7dadedc1 by Christian Heimes at 2018-07-17T14:52:31Z
Use python2_sitelib in spec file

%{python_sitelib} has been deprecated in favor of %{python2_sitelib}.
F29 rawhide no longer defines %{python_sitelib}.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
904458a4 by Christian Heimes at 2018-07-17T14:52:31Z
Update builddep command in BUILD.txt

It's no longer necessary to specify "with_python3" to get Python 3
dependencies.

python3-tox pulls in Python 2.6, 3.3, 3.4, 3.5, and pypy as weak
dependency. Use --setopt=install_weak_deps=False to make a build
environment leaner.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
653f327b by Christian Heimes at 2018-07-17T14:52:31Z
Add more RHEL customizations to spec file

- Handle name / alt name for Fedora and RHEL. On Fedora, the packages
  are named "freeipa-*" with alternative names "ipa-*". On RHEL it is
  the other way around.
- Don't build ipatests on RHEL.
- Use latest versions of KRB5 on RHEL

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
34fe4b1d by Christian Heimes at 2018-07-17T14:52:31Z
Remove needless use of %defattr

Original patch by Jason Tibbitts <tibbs at math.uh.edu>
See: https://src.fedoraproject.org/rpms/freeipa/c/9cdadfb7d0d60982dfdadbb9655f44dc43b01549?branch=master
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ab0835f9 by Stanislav Levin at 2018-07-17T19:32:28Z
Add endpoint for serving i18n requests

For now the JSON service is not available without authentication
to IPA. But some of Web UI pages expect translations before
or without Login process. This endpoint serves i18n requests
only.

Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
86b57236 by Stanislav Levin at 2018-07-17T19:32:28Z
Disable authentication to endpoint for serving i18n requests

For now the JSON service is not available without authentication
to IPA. But some of Web UI pages expect translations before
or without Login process.

Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
de58b808 by Stanislav Levin at 2018-07-17T19:32:28Z
Implement "translations" AMD

This module is used to get translated messages via JSON
request in a synchronous manner. To ensure translatability,
i18n messages should be initialized before any other JS code
interacting with the user is run.

Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
9492fb7f by Stanislav Levin at 2018-07-17T19:32:28Z
Add dependency to "translations" module

To ensure translatability, i18n messages should be
initialized before any other JS code interacting with the user
is run.

Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
c0c6b21b by Stanislav Levin at 2018-07-17T19:32:28Z
Stop fetching translations at metadata phase

Now i18n data is loaded at "translations" module resolve,
on which "text" module depends. Therefore, there is no
need to do it twice.

Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
5d8fde0a by Stanislav Levin at 2018-07-17T19:32:28Z
Fix translations at LoginScreen widget

To be translatable title and label fields should be marked
with @i18n. Also these messages should be provided by
i18n_messages.

Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
2a81ec3b by Stanislav Levin at 2018-07-17T19:32:28Z
Fix translations at login plugin

To be translatable text field should be marked
with @i18n. Also these messages should be provided by
i18n_messages.

Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
6bc37150 by Stanislav Levin at 2018-07-17T19:32:28Z
Fix translations at load_page plugin

To be translatable text field should be marked
with @i18n. Also these messages should be provided by
i18n_messages.

Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
7f9f59ba by Stanislav Levin at 2018-07-17T19:32:28Z
Fix translation of profile menu

To be translatable label field should be marked
with @i18n. Also these messages should be provided by
i18n_messages.

Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
c4467aae by Stanislav Levin at 2018-07-17T19:32:28Z
Add static JSON dump of i18n_messages request

The JSON test data is needed for UI unit tests.

Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
b8607e24 by Stanislav Levin at 2018-07-17T19:32:28Z
Fix Web UI 'get_entity_param' test

"IPA.init()" is no longer responsible for "IPA.messages".
So "ipa_init" test JSON data must not contain "texts".

Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
0dace623 by Stanislav Levin at 2018-07-17T19:32:28Z
Add support for JSON request in HTTP test class

"urllib.parse.urlencode()" breaks JSON request's data.

Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
0908e80d by Stanislav Levin at 2018-07-17T19:32:28Z
Add support for Accept-Language in HTTP test class

"Accept-Language" is used to test translations.

Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
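The two test-class commits above (JSON request support, and Accept-Language for translation tests) describe a concrete failure mode: form-encoding a JSON-RPC body with urlencode() stringifies the nested params with Python's repr, which a JSON-expecting endpoint cannot parse. The following is an added example, not code from FreeIPA or its test suite; the request shape, the decoder, the header builder and all function names are constructed for illustration, and the sample request is made up.

```python
"""Why urlencode() cannot carry a JSON request body, and how to build one.

Added example (not FreeIPA code). The request dict shape and the helper
names are assumptions made for this illustration.
"""
import json
from urllib.parse import parse_qs, urlencode


def json_rpc_request(method, args=(), options=None):
    """Constructed sample request: a JSON-RPC style body with nested params."""
    return {"method": method, "params": [list(args), options or {}], "id": 0}


def encode_as_form(request):
    """The broken approach: urlencode() turns nested values into str() repr."""
    return urlencode(request).encode("utf-8")


def encode_as_json(request):
    """The working approach: serialize the entire body as JSON."""
    return json.dumps(request).encode("utf-8")


def request_headers(accept_language=None):
    """Headers for a JSON request; Accept-Language selects the translation.

    The Accept-Language value is whatever the test wants to exercise
    (e.g. "fr-FR"); it is passed through unchanged.
    """
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    if accept_language:
        headers["Accept-Language"] = accept_language
    return headers


def server_decode(body, content_type):
    """Minimal stand-in for a server-side decoder (constructed, not IPA's).

    JSON bodies are parsed with json.loads(). Form bodies are parsed with
    parse_qs() and the 'params' field is then fed to json.loads(), which is
    where a urlencode()'d body fails: the field holds a Python repr such as
    "[[], {'all': True}]", not JSON. Returns the decoded dict or None.
    """
    text = body.decode("utf-8")
    if content_type == "application/json":
        try:
            return json.loads(text)
        except json.JSONDecodeError:
            return None
    form = parse_qs(text)
    raw_params = form.get("params", [None])[0]
    try:
        params = json.loads(raw_params) if raw_params is not None else None
    except (json.JSONDecodeError, TypeError):
        return None
    return {"method": form.get("method", [None])[0], "params": params}


if __name__ == "__main__":
    req = json_rpc_request("i18n_messages", options={"all": True})
    print("form body :", encode_as_form(req))
    print("form decode:", server_decode(encode_as_form(req),
                                        "application/x-www-form-urlencoded"))
    print("json body :", encode_as_json(req))
    print("json decode:", server_decode(encode_as_json(req), "application/json"))
    print("headers   :", request_headers("fr-FR"))
```

The form-encoded body carries `{'all': True}` with single quotes and a capitalised `True`, so the decoder returns None; the JSON body round-trips to the original dict. Sending the Accept-Language header alongside the JSON body is what lets a test compare the returned messages against a specific locale.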
f49fac7b by Stanislav Levin at 2018-07-17T19:32:28Z
Add tests for "i18n_messages" end point

Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
bb67eea1 by Stanislav Levin at 2018-07-17T19:32:28Z
Fix Web UI "details lifecycle" test

IPA doesn't provide "messages" anymore.
"text" module should be used instead.

Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
4b2af257 by Stanislav Levin at 2018-07-17T19:32:28Z
Stop usage of "IPA.messages" in Web UI "utils" tests

IPA doesn't provide "messages" anymore.
But actually they are not needed for these tests.

Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
717d59e2 by Armando Neto at 2018-07-18T07:53:53Z
Fix regression: Handle unicode where str is expected

Regression caused by 947ac4bc1f6f4016cf5baf2ecb4577e893bc3948 when
trying to fix a similar issue for clients running Python 3. However,
that fix broke Python 2 clients.

Issue: https://pagure.io/freeipa/issue/7626

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
759e8355 by Rob Crittenden at 2018-07-18T07:54:58Z
Update 4.7 translations

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
47e6f00a by Rob Crittenden at 2018-07-19T06:39:15Z
Update Contributors.txt

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
59ef5371 by Christian Heimes at 2018-07-19T06:40:33Z
Turn multihost config problems into errors

The pytest multihost plugin skips tests, when there is a problem with a
test configuration. Configuration bugs like missing resources are not
considered a problem.

The IPA pytest multihost config object now turns FilterError into a
fatal error, so make_multihost_fixture() fails a test instead of
skipping.

Fixes: https://pagure.io/freeipa/issue/7638
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
Reviewed-By: Ganna Kaihorodova <gkaihoro at redhat.com>

- - - - -
d4732786 by Stanislav Laznicka at 2018-07-19T06:42:33Z
ipatests: add installer framework testing

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
530da69e by Christian Heimes at 2018-07-19T13:44:46Z
Fix KRA replica installation from CA master

ipa-replica-install --kra-install can fail when the topology already has
a KRA, but replica is installed from a master with just CA. In that
case, Custodia may pick a machine that doesn't have the KRA auditing and
signing certs in its NSSDB.

Example:
 * master with CA
 * replica1 with CA and KRA
 * new replica gets installed from master

The replica installer now always picks a KRA peer.

The change fixes test scenario TestInstallWithCA1::()::test_replica2_ipa_dns_install

Fixes: https://pagure.io/freeipa/issue/7518
See: https://pagure.io/freeipa/issue/7008
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
f84b3f39 by Rob Crittenden at 2018-07-19T15:27:02Z
Become IPA 4.7.0

- - - - -
0724fdb1 by Timo Aaltonen at 2018-08-03T21:00:55Z
Merge branch 'upstream-next' into master-next

- - - - -
b93b62a7 by Timo Aaltonen at 2018-08-03T21:01:15Z
update changelog

- - - - -
2107952c by Timo Aaltonen at 2018-08-03T21:27:26Z
drop upstreamed patches, refresh others

- - - - -
5f373629 by Timo Aaltonen at 2018-08-03T21:53:42Z
mark some bugs as not upstreamable

- - - - -
de8e4125 by Timo Aaltonen at 2018-08-03T22:13:31Z
control, rules: Switch rhino to nodejs for ui build.

- - - - -
e9f54876 by Timo Aaltonen at 2018-08-03T22:14:03Z
d/s/local-options: Add some files to ignore.

- - - - -
d55b7ce7 by Timo Aaltonen at 2018-08-03T22:21:56Z
control, copyright: Add libjs-uglify to build-depends, the embedded copy was removed.

- - - - -
514fca12 by Timo Aaltonen at 2018-08-03T22:30:35Z
fix uglify deps, drop librhino-java too

- - - - -
29ef2c15 by Timo Aaltonen at 2018-08-03T22:42:11Z
control, fix-py3-lesscpy-name.diff: Add python3-lesscpy to build-depends, call the binary with the correct name.

- - - - -
7da8315a by Timo Aaltonen at 2018-08-03T22:52:48Z
control: Add python3-pkg-resources to build-depends.

- - - - -
4fd17917 by Timo Aaltonen at 2018-08-04T07:38:19Z
client.install: Add new template.

- - - - -
bc405b38 by Timo Aaltonen at 2018-08-04T07:44:18Z
control: Update vcs urls.

- - - - -
ac53bcf3 by Timo Aaltonen at 2018-08-04T07:45:01Z
control: Mark priority as optional.

- - - - -
949e6e96 by Timo Aaltonen at 2018-08-04T07:57:40Z
control, rules: Bump dh to 11.

- - - - -
bc60eea0 by Timo Aaltonen at 2018-08-04T08:01:31Z
control: Add adduser to server depends.

- - - - -
c089f4c4 by Timo Aaltonen at 2018-08-04T08:04:02Z
source/lintian-overrides: Updated.

- - - - -
a5fa72c7 by Timo Aaltonen at 2018-08-04T08:04:55Z
control: Bump policy to 4.1.5.

- - - - -
ea865937 by Timo Aaltonen at 2018-08-23T04:46:31Z
control: Update maintainer list address.

- - - - -
978ea07a by Timo Aaltonen at 2018-09-28T10:50:11Z
control: Build the server only on archs where 389-ds-base is available.

- - - - -
e27468a4 by Timo Aaltonen at 2018-09-28T11:08:50Z
control: Bump python-ldap build-dep to 3.1.

- - - - -
c3b4defd by Timo Aaltonen at 2018-09-28T11:10:25Z
let tests fail again

- - - - -
71b402b5 by Timo Aaltonen at 2018-09-28T11:10:43Z
releasing package freeipa version 4.7.0-1

- - - - -


30 changed files:

- .freeipa-pr-ci.yaml
- .gitignore
- .test_runner_config.yaml
- .test_runner_config_py3_temp.yaml
- .travis.yml
- .travis_run_task.sh
- .wheelconstraints.in
- ACI.txt
- API.txt
- BUILD.txt
- + CODE_OF_CONDUCT.md
- Contributors.txt
- Makefile.am
- README.md
- VERSION.m4
- client/Makefile.am
- client/ipa-certupdate
- client/ipa-client-automount
- client/ipa-client-install
- client/ipa-getkeytab.c
- client/ipa-join.c
- client/man/ipa-client-automount.1
- client/man/ipa-client-install.1
- client/man/ipa-getkeytab.1
- client/man/ipa.1
- + client/share/Makefile.am
- + client/share/freeipa.template
- configure.ac
- contrib/Makefile.am
- contrib/copy-schema-to-ca-RHEL6.py


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/compare/7e8d5185b3443f67a24e60cccb95594edcd92300...71b402b51812077ca9b00f2f0bfca45fb36df6df
