[Pkg-freeipa-devel] [Git][freeipa-team/freeipa][upstream-next] 2045 commits: Set development version to 4.7.90
Timo Aaltonen
gitlab at salsa.debian.org
Mon Dec 7 20:57:54 GMT 2020
Timo Aaltonen pushed to branch upstream-next at FreeIPA packaging / freeipa
Commits:
d9b8fa3f by Rob Crittenden at 2018-07-19T11:30:46-04:00
Set development version to 4.7.90
- - - - -
f3faecbb by Thomas Woerner at 2018-07-20T12:53:38-04:00
Fix $-style format string in ipa_ldap_init (util/ipa_ldap.c)
The second argument was not used, but the first one was used twice.
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
fd348773 by Ganna Kaihorodova at 2018-07-20T13:03:59-04:00
Add check for occuring traceback during uninstallation ipa master
Modified master uninstall task for traceback check
That approach give us wide coverage and multiple scenarious
to catch traceback during uninstallation process
Add verbose option to uninstall server and set to False
Related to: https://bugzilla.redhat.com/show_bug.cgi?id=1480502
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
Reviewed-By: Petr Cech <pcech at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
0e9fb8ac by Petr Vobornik at 2018-07-23T14:26:50+02:00
webui: change indentation of freeipa/_base/debug.js
Change to use spaces for indentation as it was the the only file
which uses tabs and not spaces.
Signed-off-by: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
78cefe09 by Petr Vobornik at 2018-07-23T14:26:50+02:00
webui: remove mixed indentation in App and LoginScreen
Only spaces should be used for indentation.
It was introduced in commits:
* 7f9f59bae2a362ce945c49ad8342393b7a5c024f
* 5d8fde0ac1a43c8f3dbc53b44d69f3663a8b36fb
Related to: https://pagure.io/freeipa/issue/7559
Signed-off-by: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
94bcd938 by Orion Poplawski at 2018-07-25T12:38:52-04:00
ipaclient-install: chmod needs octal permissions
Fixes incorrect usage introduced in 792adebfabb456d154164387fb7e60acb30f4325
https://pagure.io/freeipa/issue/7650
Signed-off-by: Orion Poplawski <orion at nwra.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
8f202bbd by Felipe Barreto at 2018-07-27T09:50:06+02:00
Making nigthly test definition editable by FreeIPA's contributors
Now the test definition of nightly tests will be on freeipa repo. The
definition that's used on every PR (previously as .freeipa-pr-ci.yaml)
is in ipatests/prci_definitions/gating and the .freeipa-pr-ci.yaml file
is just a symlink to the real file.
In the same dir there is also nightly_master and nightly_rawhide, both
to be used in nightly tests.
Divided test_topology.py into 3 subtests.
Bumped vagrant template to version 0.1.6
This PR is the result of discussion on freeipa-devel mailing list [1].
[1] https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/message/4VAWJ4SFKKBFFICDLQCTXJWRRQHIYJLL/
Reviewed-By: Michal Reznik <mreznik at redhat.com>
- - - - -
6212423c by Christian Heimes at 2018-07-27T09:50:06+02:00
Fix topology configuration of nightly runs
Some nightly runs didn't have enough resources configured.
See: https://pagure.io/freeipa/issue/7638
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Michal Reznik <mreznik at redhat.com>
- - - - -
8edde14e by Christian Heimes at 2018-07-27T09:50:06+02:00
Add convenient template for temp commits
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Michal Reznik <mreznik at redhat.com>
- - - - -
71ba408d by Thomas Woerner at 2018-07-30T17:26:23+02:00
ipaserver/plugins/cert.py: Added reason to raise of errors.NotFound
In the case that enabledService is not found ipaConfigString kdc entry, a
NotFound error was raised without setting the reason. This resulted in a
traceback.
Fixes: https://pagure.io/freeipa/issue/7652
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
64145093 by Christian Heimes at 2018-08-02T17:07:43+02:00
Rename pytest_plugins to ipatests.pytest_ipa
pytest 3.7.0 doesn't like ipatests.pytest_plugins package. The string
"pytest_plugins" is used as marker to load plugins. By populare vote and
to avoid future conflicts, we decided to rename the directory to pytest_ipa.
Fixes: https://pagure.io/freeipa/issue/7663
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f7516979 by Thomas Woerner at 2018-08-03T13:23:21+02:00
httpinstance: Restore SELinux context of session_dir /etc/httpd/alias
The session directory /etc/httpd/alias/ could be created with the wrong
SELinux context. Therefore httpd was not able to write to this directory.
Fixes: https://pagure.io/freeipa/issue/7662
Related-to: 49b4a057f1b0459331bcec2c8d760627d00e4571 (Create missing
/etc/httpd/alias for ipasession.key)
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
354d7297 by Thomas Woerner at 2018-08-03T13:23:21+02:00
ipa_restore: Restore SELinux context of template_dir /var/log/dirsrv/slapd-X
The template directory /var/log/dirsrv/slapd-X could be created with the
wrong SELinux context.
Related to: https://pagure.io/freeipa/issue/7662
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
a71729cc by Thierry Bordaz at 2018-08-03T14:39:11+02:00
In IPA 4.4 when updating userpassword with ldapmodify does not update krbPasswordExpiration nor krbLastPwdChange
When making ipa-pwd-extop TXN aware, some callbacks are call twice.
Particularily
ipapwd_pre_add is called during PRE_ADD and TXN_PRE_ADD
ipapwd_pre_mod is called during PRE_MOD and TXN_PRE_MOD
ipapwd_post_modadd is called during POST_ADD and TXN_POST_ADD
ipapwd_post_modadd is called during POST_MOD and TXN_POST_MOD
It is not the expected behavior and it results on some skipped updates krbPasswordExpiration
and krbLastPwdChange
https://pagure.io/freeipa/issue/7601
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
11ec43a5 by Michal Reznik at 2018-08-03T15:14:57+02:00
prci_definitions: fix wrong indentation in the nightly yaml
TestLineTopologyWithoutCA definition has wrong indentation.
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
c1a0c3c5 by Florence Blanc-Renaud at 2018-08-06T16:51:56+02:00
Tests: add integration test for password changes by dir mgr
Add a test for issue 7601:
- add a user, perform kinit user to modify the password, read krblastpwdchange
and krbpasswordexpiration.
- perform a ldapmodify on the password as dir mgr
- make sure that krblastpwdchange and krbpasswordexpiration have been modified
- perform the same check with ldappasswd
Related to:
https://pagure.io/freeipa/issue/7601
Reviewed-By: Thierry Bordaz <tbordaz at redhat.com>
- - - - -
016df47d by Pavel Picka at 2018-08-07T16:31:03+02:00
WebUI Tests stabilize
- close notifications
- add wait in cert test case
Signed-off-by: Pavel Picka <ppicka at redhat.com>
Reviewed-By: Michal Reznik <mreznik at redhat.com>
- - - - -
b5fa64ed by Pavel Picka at 2018-08-07T23:46:10+02:00
PR-CI extend timeouts
extend timeout with one hour as timed out many times in PRCI nightly
- test_dnssec
- test_replication_layouts_TestLineTopologyWithCA
- test_replication_layouts_TestLineTopologyWithCAKRA
- test_replication_layouts_TestStarTopologyWithCAKRA
- test_server_del
- test_webui
Signed-off-by: Pavel Picka <ppicka at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
2a9f5eaa by Florence Blanc-Renaud at 2018-08-08T13:03:47+02:00
PRCI: extend timeouts for gating
Some tests have been identified as frequently failing on timeouts. While
we are investigating PRCI potential issues, increase the timeouts to
make PRCI usable. The rule is to add 30min if the test involves CA/KRA
installation or 20min otherwise for the most problematic tests.
test_forced_client_enrolment: from 1h to 1h20
test_vault: from 1h15 to 1h45
external_ca_1: from 1h to 1h20
test_sudo: from 1h to 1h20
test_authconfig: from 1h to 1h20
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
0aeccc08 by Michal Reznik at 2018-08-10T17:01:45+02:00
ipa_tests: test ssh keys login
Integration test for:
https://pagure.io/SSSD/sssd/issue/3747
IPA ticket: https://pagure.io/freeipa/issue/7664
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c5cdd5a5 by Thomas Woerner at 2018-08-13T12:23:53+02:00
ipaclient: Remove --no-sssd and --no-ac options
Client installation with --no-sssd option has already beeen deprecated
with https://pagure.io/freeipa/issue/5860. Authconfig support has been
removed, therefore --no-ac option can be removed also.
ipatests/test_integration/test_authselect.py: Skip no_sssd and no_ac tests.
See: https://pagure.io/freeipa/issue/7671
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
f6fa2e94 by Thomas Woerner at 2018-08-13T12:35:06+02:00
Do not install ipa-replica-prepare
ipa-replica-prepare (script and man page) is only needed for DL0 support.
The script and man page are not installed anymore and also removed from
the spec file.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
38936817 by Thomas Woerner at 2018-08-13T12:35:06+02:00
Increase MIN_DOMAIN_LEVEL to DOMAIN_LEVEL_1
With increasing the minimal domain level to 1 ipa-replica-install will
refuse to install if the domain has domain level 0.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
0ce79ec6 by Thomas Woerner at 2018-08-13T12:35:06+02:00
Mark replica_file option as deprecated
The replica_file option is only supported for DL0. The option will be
marked deprecated for now.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
03776457 by Thomas Woerner at 2018-08-13T12:35:06+02:00
Raise error if DL is set to 0 or DL0 options are used
In the case that the domain level is set to 0 or replica_file is set (not
None) an error will be raised.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
a170b284 by Thomas Woerner at 2018-08-13T12:35:06+02:00
Remove support for replica_file option from ipa-ca-install
Raise "Domain level 0 is not supported anymore" error if there are
remainaing args after parsing. Remove all "DOMAIN LEVEL 0" and
"DOMAIN LEVEL 1" prefixes from the man page.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
5f5180b8 by Thomas Woerner at 2018-08-13T12:35:06+02:00
Remove support for replica_file option from ipa-kra-install
Raise "Domain level 0 is not supported anymore" error if there are
remainaing args after parsing. Remove all "DOMAIN LEVEL 0" and
"DOMAIN LEVEL 1" prefixes from the man page.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
9c2b0ce7 by Thomas Woerner at 2018-08-13T12:35:06+02:00
Remove DL0 specific sections from ipa-replica-install man page
Remove replica_file option and all "DOMAIN LEVEL 0" and "DOMAIN LEVEL 1"
prefixes and also sections specific to DL0 form the man page.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
7e172e3b by Thomas Woerner at 2018-08-13T12:35:06+02:00
Remove "at DL1" from ipa-replica-manage man page
As there is currently only DL1, there is no need to have extra
sentences for "at domain level 1".
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
0eb140ea by Thomas Woerner at 2018-08-13T12:35:06+02:00
Remove "at DL1" from ipa-server-install man page
As there is currently only DL1, there is no need to have extra
sentences for "at domain level 1".
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
b99dc46a by Thomas Woerner at 2018-08-13T12:35:06+02:00
Move DL0 raises outside if existing conditionals to calm down pylint
This pull should not remove code, therefore it is needed to add addtional
conditionals to calm down pylint beacuse of unreachable code.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
2a788f1a by Thomas Woerner at 2018-08-13T12:35:06+02:00
ipatests: Drop test_password_option_DL0
DL0 is not supported anymore therefore this test is failing.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
3b8c38ec by Thomas Woerner at 2018-08-13T12:35:06+02:00
ipatests/test_ipaserver/test_install/test_installer.py: Drop tempfile import
This is not needed anymore due to the removal of the DL0 test
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
c33cbe13 by Thomas Woerner at 2018-08-13T12:35:06+02:00
ipaserver/install/adtrust.py: Do not use DOMAIN_LEVEL_0 for minimum
As there is the minimal domain level setting MIN_DOMAIN_LEVEL, it should
be used instead of DOMAIN_LEVEL_0.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
94159bbe by Thomas Woerner at 2018-08-13T12:35:06+02:00
ipatests/test_xmlrpc/tracker/server_plugin.py: Increase hard coded mindomainlevel
The hard coded mindomainlevel needs to be increased to 1.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
cb7f6b7b by Thomas Woerner at 2018-08-13T12:35:06+02:00
replicainstall: Make sure that domain fulfills minimal domain level requirement
The old domain level check to suggest to use ipa-replica-prepare has been
converted to make sure that domain fulfills minimal domain level
requirement (no DL0).
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
1a0b0d2f by Alexander Bokovoy at 2018-08-13T13:03:13+02:00
ipa-extdom-extop: Update licenses to GPLv3 or later with exceptions
The code in question was supposed to have the same license as the
rest of the plugin. Fix it by updating the comment header.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
c2e1cdf8 by Serhii Tsymbaliuk at 2018-08-13T14:25:06+02:00
Replace logo images with new one (version 4.7)
Resolves: https://pagure.io/freeipa/issue/7362
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
de8f969f by Alexander Bokovoy at 2018-08-13T14:42:16+02:00
Move fips_enabled to a common library to share across different plugins
Related: https://pagure.io/freeipa/issue/7659
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
- - - - -
6907a0ce by Alexander Bokovoy at 2018-08-13T14:42:16+02:00
ipasam: do not use RC4 in FIPS mode
When creating Kerberos keys for trusted domain object account, ipasam
module requests to generate keys using a series of well-known encryption
types. In FIPS mode it is not possible to generate RC4-HMAC key:
MIT Kerberos is using openssl crypto backend and openssl does not allow
use of RC4 in FIPS mode.
Thus, we have to filter out RC4-HMAC encryption type when running in
FIPS mode. A side-effect is that a trust to Active Directory running
with Windows Server 2003 will not be possible anymore in FIPS mode.
Resolves: https://pagure.io/freeipa/issue/7659
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
- - - - -
13000e2f by Christian Heimes at 2018-08-13T18:49:05+02:00
Disable DL0 specific tests
Disable tests that use domain level 0. Fail early to catch additional
tests that depend on DL0.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
adfd82ee by Stanislav Levin at 2018-08-14T14:07:38+02:00
Replace the direct URL with config's one
To be customizable URL should be placed to "config"
Fixes: https://pagure.io/freeipa/issue/7621
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
1721356d by Stanislav Levin at 2018-08-14T14:07:38+02:00
Fix translation of "sync_otp" plugin
To be translatable messages should be marked with '@i18n' and
present in "i18n_messages" dictionary.
Fixes: https://pagure.io/freeipa/issue/7621
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
14e21047 by Stanislav Levin at 2018-08-14T14:07:38+02:00
Fix translation of "SyncOTPScreen" widget
To be translatable messages should be marked with '@i18n' and
present in "i18n_messages" dictionary.
Fixes: https://pagure.io/freeipa/issue/7621
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
f68dca24 by Rob Crittenden at 2018-08-15T12:52:52+02:00
Convert members into types in sudorule-*-option
The indirect members need to be calculated and the member
attributes converted. This is normally done in
baseldap::LDAPRetrieve but these methods provide their
own execute() in order to handle the option values.
Update sudorule_add|remove_option tests to include check
that converted user/group exists in the proper format.
https://pagure.io/freeipa/issue/7649
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
6fa1e6f1 by Tibor Dudlák at 2018-08-16T12:45:00+02:00
Re-open the ldif file to prevent error message
There was an issue with ipa-server-upgrade and it was
showing an error while upgrading:
DN... does not exists or haven't been updated, caused
by not moving pointer to file begining when re-reading.
Resolves: https://pagure.io/freeipa/issue/7644
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
89799a14 by Tibor Dudlák at 2018-08-16T12:45:00+02:00
Add assert to check output of upgrade
Ckeck the output of ipa-server-upgrade script for error.
Related to: https://pagure.io/freeipa/issue/7644
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
51240f35 by Mohammad Rizwan Yusuf at 2018-08-16T14:23:32+02:00
Check if user permssions and umask 0022 is set when executing ipa-restore
This test checks if the access rights for user/group
is set to 644 on /var/lib/dirsrv/slapd-TESTRELM-TEST/ldif/*
and umask 0022 set while restoring.
related ticket: https://pagure.io/freeipa/issue/6844
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
3322aad7 by Alexander Scheel at 2018-08-20T17:58:16-04:00
Add docstring to verify_kdc_cert_validity
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
fc0f6b43 by Alexander Scheel at 2018-08-20T17:58:16-04:00
Add missing docstrings to kernel_keyring.py
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
77286f52 by Serhii Tsymbaliuk at 2018-08-21T17:38:32+02:00
Replace old login screen logo with new one
Related: https://pagure.io/freeipa/issue/7362
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6a1409ec by Michal Reznik at 2018-08-23T08:21:22+02:00
test: client uninstall fails when installed using non-existing hostname
https://pagure.io/freeipa/issue/7620
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
df8bffd9 by Rob Crittenden at 2018-08-23T11:53:30+02:00
Honor no-host-dns when creating client host in replica install
--no-host-dns is supposed to avoid all DNS lookups so pass
this as the force value when creating the host in a replica
installation.
https://pagure.io/freeipa/issue/7656
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
f0228fa6 by Florence Blanc-Renaud at 2018-08-23T12:06:45+02:00
uninstall -v: remove Tracebacks
ipa-server-install --uninstall -v -U prints Traceback in its log file.
This issue happens because it calls subprocess.Popen with close_fds=True
(which closes all file descriptors in the child process)
but it is trying to use the file logger in the child process
(preexec_fn is called in the child just before the child is executed).
The fix is using the logger only in the parent process.
Fixes: https://pagure.io/freeipa/issue/7681
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
79fb0cc6 by Florence Blanc-Renaud at 2018-08-23T12:06:45+02:00
ipautil.run: add test for runas parameter
Add a test for ipautil.run() method called with runas parameter.
The test is using ipautil.run() to execute /usr/bin/id and
checks that the uid/gid are consistent with the runas parameter.
Note that the test needs to be launched by the root user
(non-privileged user may not have the rights to execute ipautil.run()
with runas parameter).
Related to: https://pagure.io/freeipa/issue/7681
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
a5a619ab by Florence Blanc-Renaud at 2018-08-23T12:08:45+02:00
ipa commands: print 'IPA is not configured' when ipa is not setup
Some commands print tracebacks or unclear error message when
they are called on a machine where ipa packages are installed but
IPA is not configured.
Consistently report 'IPA is not configured on this system' in this
case.
Related to https://pagure.io/freeipa/issue/6261
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
10c62589 by Florence Blanc-Renaud at 2018-08-23T12:08:45+02:00
Test: test ipa-* commands when IPA is not configured
Add a test checking that ipa-* commands properly display
'IPA is not configured on this system' when called on a
system without IPA.
Related to: https://pagure.io/freeipa/issue/6261
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
e4a3942e by Christian Heimes at 2018-08-23T14:49:06+02:00
Detect and prefer platform Python
A platform Python interpreter is a special variant of the interpreter,
that is only used for system software. It's located at
/usr/libexec/platform-python.
Fixes: https://pagure.io/freeipa/issue/7680
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a347c116 by Christian Heimes at 2018-08-23T14:49:06+02:00
Rename Python scripts and add dynamic shebang
All Python scripts are now generated from a template with a dynamic
shebang.
ipatests/i18n.py is no longer an executable script with shebang. The
module is not executed as script directly, but rather as
$(PYTHON) ipatests/i18n.py
Fixes: https://pagure.io/freeipa/issue/7680
All Python scripts are now template files with a dynamic shebang line.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c8da61b9 by Christian Heimes at 2018-08-23T14:49:06+02:00
Generate scripts from templates
Python scripts are now generated from templates. The scripts are marked
as nodist (no distribution) but install targets. The templates for the
scripts are extra distribution data, no installation (noinst).
Fixes: https://pagure.io/freeipa/issue/7680
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
02f4a7a2 by Florence Blanc-Renaud at 2018-08-24T16:50:30+02:00
DS replication settings: fix regression with <3.3 master
Commit 811b0fdb4620938963f1a29d3fdd22257327562c introduced a regression
when configuring replication with a master < 3.3
Even if 389-ds schema is extended with nsds5ReplicaReleaseTimeout,
nsds5ReplicaBackoffMax and nsDS5ReplicaBindDnGroupCheckInterval
attributes, it will return UNWILLING_TO_PERFORM when a mod
operation is performed on the cn=replica entry.
This patch ignores the error and logs a debug msg.
See: https://pagure.io/freeipa/issue/7617
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
79cb8ffb by Stanislav Levin at 2018-08-27T17:10:32+02:00
Add MigrateScreen widget
This widget is intended to integrate password migrate page into the
entire IPA Web framework. The functionality is the same as mentioned
standalone "ipa/migration/index.html".
Fixes: https://pagure.io/freeipa/issue/7641
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at localhost.localdomain>
- - - - -
13f1471c by Stanislav Levin at 2018-08-27T17:10:32+02:00
Add "migrate" Web UI plugin
This plugin creates and registers a facet with password migrate page.
Fixes: https://pagure.io/freeipa/issue/7641
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at localhost.localdomain>
- - - - -
9bc93d30 by Stanislav Levin at 2018-08-27T17:10:32+02:00
Return the result of "password migration" procedure
So far "migration" end point redirected to "error"/"invalid" page as
a result of the client request. To use ajax requests and to not
reload/load the whole page the response should include the result of
request.
Fixes: https://pagure.io/freeipa/issue/7641
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at localhost.localdomain>
- - - - -
05d7162b by Stanislav Levin at 2018-08-27T17:10:32+02:00
Integrate "migration" page to IPA Web framework.
To use all advantages of entire Web framework the "migration" page
should use "migrate" plugin. As well this allows to use IPA
translations.
Fixes: https://pagure.io/freeipa/issue/7641
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at localhost.localdomain>
- - - - -
8a22c652 by Stanislav Levin at 2018-08-27T17:10:32+02:00
Provide translatable messages for MigrateScreen widget
Translatable messages should be marked with @i18n. Also
these messages should be presented in "i18n_messages" dictionary.
Fixes: https://pagure.io/freeipa/issue/7641
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at localhost.localdomain>
- - - - -
9f6d5322 by Stanislav Levin at 2018-08-27T17:10:32+02:00
Clean up migration "error" and "invalid" pages from project
Migration error/invalid html pages are no longer needed as their
functionality was moved to "migrate" plugin.
Fixes: https://pagure.io/freeipa/issue/7641
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at localhost.localdomain>
- - - - -
4088b283 by Stanislav Levin at 2018-08-27T17:10:32+02:00
Add basic tests for "migration" end point
Fixes: https://pagure.io/freeipa/issue/7641
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at localhost.localdomain>
- - - - -
28f4e0e0 by Petr Vobornik at 2018-08-27T17:10:32+02:00
webui: redable color of invalid fields on login-screen-like pages
Pages with widgets like LoginScreen, MigrateScreen use login-pf styling.
This page has dark background instead of light. Thus styling for labels
for fields with error has color which makes the label hard to read or
almost invisible.
Change it to white so it is still readable.
Fixes: https://pagure.io/freeipa/issue/7641
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at localhost.localdomain>
- - - - -
f0c3a359 by Mohammad Rizwan Yusuf at 2018-08-27T14:31:32-04:00
Test if WSGI worker process count is set to 4
related ticket : https://pagure.io/freeipa/issue/7587
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
6175672e by Tibor Dudlák at 2018-08-28T09:32:45+02:00
Do not set ca_host when --setup-ca is used
Setting ca_host caused replication failures on DL0
because it was trying to connect to wrong CA host.
Trying to avoid corner-case in ipaserver/plugins/dogtag.py
when api.env.host nor api.env.ca_host had not CA configured
and there was ca_host set to api.env.ca_host variable.
See: https://pagure.io/freeipa/issue/7566
Resolves: https://pagure.io/freeipa/issue/7629
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c3f23da4 by Stanislav Levin at 2018-08-28T10:17:26+02:00
Fix "get_key_index" to fit caller's expectations
The clients of "get_key_index" expect index of key in matching case
otherwise -1. But instead of this function returns the "undefined"
value.
Fixes: https://pagure.io/freeipa/issue/7678
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
0dcce426 by Stanislav Levin at 2018-08-28T10:17:26+02:00
Reindex 'key_indicies' after item delete
The "keys.splice(i, 1)" removes one item at the specified position
from an array. Thus hashes which are stored at "that._key_indicies"
are no longer valid and should be reindexed.
Fixes: https://pagure.io/freeipa/issue/7678
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
ad85cc8e by Pavel Picka at 2018-08-28T10:32:30+02:00
PRCI failures fix
test_installation.py
- ticket 7008 closed so removing xfail
- TestInstallWithCA1
- TestInstallWithCA
- TestInstallWithCA_DNS1
- TestInstallWithCA_DNS2
nightly_master
- test_backup_and_restore_TestUser[r>R]ootFilesOwnership[Permission]
Signed-off-by: Pavel Picka <ppicka at redhat.com>
Reviewed-By: Michal Reznik <mreznik at redhat.com>
- - - - -
8af6accf by Rob Crittenden at 2018-08-29T09:03:18+02:00
Retrieve certificate subject base directly instead of ipa-join
The subject base is used as a fallback to find the available
CA certificates during client enrollment if the LDAP connection
fails (e.g. due to new client connecting to very old server) and
for constructing the subject if a certificate is requested.
raw=True is passed to config-show in order to avoid parsing
the server roles which will fail because the services aren't
marked as enabled until after the client installation is
successful on a master.
ipa-join providing the subject base via stderr was fragile and
would cause client enrollment to fail if any other output was
included in stderr.
https://pagure.io/freeipa/issue/7674
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
b8528da5 by Christian Heimes at 2018-08-30T11:37:21+02:00
Refactor os-release and platform information
Move the /etc/os-release parser and platform detection code out of the
private _importhook module. The ipaplatform module now contains an
osinfo module that provides distribution, os, and vendor information.
See: https://www.freedesktop.org/software/systemd/man/os-release.html
See: https://pagure.io/freeipa/issue/7661
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1c03181e by Christian Heimes at 2018-08-30T11:37:21+02:00
Don't check for systemd service
ipaplatform no longer checks for the presence of a systemd service file
to detect the name of the domainname service. Instead it uses osinfo's
version to use the old name on Fedora 28 and the new name on Fedora 29.
This fixes a SELinux violation that prevented httpd from listing systemd
service files.
Fixes: https://pagure.io/freeipa/issue/7661
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
90203fb0 by Michal Reznik at 2018-08-31T12:30:46+02:00
Add "389-ds-base-legacy-tools" to requires.
"389-ds-base-legacy-tools" needs to be added to requires until
the switch to python installer is completed.
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
fe650087 by Robbie Harwood at 2018-08-31T21:01:46+02:00
Clear next field when returnining list elements in queue.c
The ipa-otpd code occasionally removes elements from one queue,
inspects and modifies them, and then inserts them into
another (possibly identical, possibly different) queue. When the next
pointer isn't cleared, this can result in element membership in both
queues, leading to double frees, or even self-referential elements,
causing infinite loops at traversal time.
Rather than eliminating the pattern, make it safe by clearing the next
field any time an element enters or exits a queue.
Related https://pagure.io/freeipa/issue/7262
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
ab636682 by Robbie Harwood at 2018-08-31T21:01:46+02:00
Add cmocka unit tests for ipa otpd queue code
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
59df37ad by Michal Reznik at 2018-09-03T13:31:28+02:00
bump PRCI template version to 0.1.8
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
911416e4 by Florence Blanc-Renaud at 2018-09-03T13:56:39+02:00
ipa-server-install: do not perform forwarder validation with --no-dnssec-validation
ipa-server-install is checking if the forwarder(s) specified with
--forwarder argument support DNSSEC. When the --no-dnssec-validation
option is added, the installer should not perform the check.
Fixes: https://pagure.io/freeipa/issue/7666
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
739ddce6 by Florence Blanc-Renaud at 2018-09-03T13:56:39+02:00
tests: add test for server install with --no-dnssec-validation
Add 2 tests related to the checks performed by ipa-server-install
when --forwarder is specified:
- if the forwarder is not reachable and we require dnssec validation,
the installer must refuse to go on and exit on error.
- if the forwarder is not reachable but --no-dnssec-validation is
provided, the installer must continue.
Related to https://pagure.io/freeipa/issue/7666
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
1d3c308b by Thomas Woerner at 2018-09-05T11:46:31+02:00
Adapt freeipa.spec.in for latest Fedora, fix python2 ipatests packaging bug
New autoreconf -ivf call before configure
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
cf1301fb by Armando Neto at 2018-09-05T15:14:32+02:00
Delete empty keytab during client installation
Client installation fails if '/etc/krb5.keytab' exists as a zero-length
file. Deleting empty keytab before proceeding with the installation
fixes the problem.
https://pagure.io/freeipa/issue/7625
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
1857dc9d by Stanislav Levin at 2018-09-06T08:22:57+02:00
Fix render validation items on keypress event at login form
There are many no needed render callings which are performed
on each keypress event at login form. It is enough to update
validation items on "CapsLock" state change.
Fixes: https://pagure.io/freeipa/issue/7679
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
2a227c24 by Florence Blanc-Renaud at 2018-09-06T11:49:53+02:00
ipa-replica-install: fix pkinit setup
commit 7284097 (Delay enabling services until end of installer)
introduced a regression in replica installation.
When the replica requests a cert for PKINIT, a check is done
to ensure that the hostname corresponds to a machine with a
KDC service enabled (ipaconfigstring attribute of
cn=KDC,cn=<hostname>,cn=masters,cn=ipa,cn=etc,$BASEDN must contain
'enabledService').
With the commit mentioned above, the service is set to enabled only
at the end of the installation.
The fix makes a less strict check, ensuring that 'enabledService'
or 'configuredService' is in ipaconfigstring.
Fixes: https://pagure.io/freeipa/issue/7566
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
bcfd18f3 by Florence Blanc-Renaud at 2018-09-06T11:49:53+02:00
Tests: test successful PKINIT install on replica
Add a test checking that ipa-replica-install successfully configures
PKINIT on the replica
Related to https://pagure.io/freeipa/issue/7566
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
31a92c16 by Michal Reznik at 2018-09-06T13:49:34+02:00
tests: sssd_ssh fd leaks when user cert converted into SSH key
https://pagure.io/freeipa/issue/7687
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
c29581c9 by Michal Reznik at 2018-09-06T13:49:34+02:00
add strip_cert_header() to tasks.py
https://pagure.io/freeipa/issue/7687
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
c7064494 by Armando Neto at 2018-09-06T14:36:15+02:00
Fix certificate type error when exporting to file
Commands `ipa ca-show` and `ipa cert-show` share the same code,
this commit updates the former, closing the gap between them.
Reflecting the changes done in 5a44ca638310913ab6b0c239374f4b0ddeeedeb3.
https://pagure.io/freeipa/issue/7628
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
6ad11d86 by Florence Blanc-Renaud at 2018-09-06T17:32:48+02:00
ipa-replica-install: properly use the file store
In ipa-replica-install, many components use their own instance
of the FileStore to backup configuration files to the pre-install
state. This causes issues when the calls are mixed, like for
instance:
ds.do_task1_that_backups_file (using ds.filestore)
http.do_task2_that_backups_file (using http.filestore)
ds.do_task3_that_backups_file (using ds.filestore)
because the list of files managed by ds.filestore does not include
the files managed by http.filestore, and the 3rd call would remove
any file added on 2nd call.
The symptom of this bug is that ipa-replica-install does not save
/etc/httpd/conf.d/ssl.conf and subsequent uninstallation does not
restore the file, leading to a line referring to ipa-rewrite.conf
that prevents httpd startup.
The installer should consistently use the same filestore.
Fixes https://pagure.io/freeipa/issue/7684
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
b2ce20c6 by Florence Blanc-Renaud at 2018-09-06T17:32:48+02:00
Test: scenario replica install/uninstall should restore ssl.conf
Test that the scenario ipa-replica-install/ uninstall correctly
restores the file /etc/httpd/conf.d/ssl.conf
Related to https://pagure.io/freeipa/issue/7684
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
21f14e98 by Christian Heimes at 2018-09-06T17:39:00+02:00
Remove Python 2 support and packages
Remove Python 2 related code and configuration from spec file, autoconf
and CI infrastructure. From now on, FreeIPA 4.8 requires at least Python
3.6. Python 2 packages like python2-ipaserver or python2-ipaclient are
no longer available. PR-CI, lint, and tox aren't testing Python 2
compatibility either.
See: https://fedoraproject.org/wiki/Changes/FreeIPA_Python_2_Removal
Fixes: https://pagure.io/freeipa/issue/7568
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
c049992c by Armando Neto at 2018-09-06T17:40:58+02:00
Add test for client installation with empty keytab file
Missing test case for cf1301fb064fc230c780c4bc5eeccb723899f7b6.
https://pagure.io/freeipa/issue/7625
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
fe0cc945 by Michal Reznik at 2018-09-11T09:20:11-04:00
bump PRCI template version to 0.1.9
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
7da50cf4 by Rob Crittenden at 2018-09-12T10:37:57+02:00
Update required version of dogtag to detect when FIPS is available
When it was checking for FIPS it assumed that /proc/sys/crypto
existed which it doesn't in some containers and on Ubuntu.
This was updated in dogtag, this change is just to pull in the
fix.
https://pagure.io/freeipa/issue/7608
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
6f386f2e by Stanislav Levin at 2018-09-12T10:44:37+02:00
Fix translation of "unauthorized.html" Web page
Make this page message translatable as other parts of IPA framework.
Fixes: https://pagure.io/freeipa/issue/7640
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
c66cdf0b by Stanislav Levin at 2018-09-12T10:44:37+02:00
Fix translation of "ssbrowser.html" Web page
Make this page message translatable as other parts of IPA framework.
Fixes: https://pagure.io/freeipa/issue/7640
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
4b83227a by Stanislav Levin at 2018-09-12T10:44:37+02:00
Add basic tests to web pages which are located at /ipa/config/
The goal of these tests is to ensure that the translated text is
synced against a 'noscript' one.
Fixes: https://pagure.io/freeipa/issue/7640
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
0ed3dfb4 by Stanislav Levin at 2018-09-12T12:41:19+02:00
Replace the direct URL with config's one
To be customizable URL should be placed to "config"
Fixes: https://pagure.io/freeipa/issue/7619
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
4da736e7 by Stanislav Levin at 2018-09-12T12:41:19+02:00
Add "reset_and_login" view to LoginScreen widget
Previous "reset" view is splitted to "reset" and "reset_and_login"
ones. "reset" is used to render "just reset password" logic. And
"reset_and_login" - "reset password and then log in".
Fixes: https://pagure.io/freeipa/issue/7619
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
3a43bf88 by Stanislav Levin at 2018-09-12T12:41:19+02:00
Use "login" plugin instead of standalone JS file
Plugin "login" already has the same functionality as a JS code in
separated javascript file. There is no need to duplicate it.
Fixes: https://pagure.io/freeipa/issue/7619
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
30bcad4c by Stanislav Levin at 2018-09-12T12:41:19+02:00
Clean up reset_password.js file from project
reset_password.js is no longer needed as it's functionality is moved
to "login" plugin.
Fixes: https://pagure.io/freeipa/issue/7619
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
d5c0bae9 by Stanislav Levin at 2018-09-12T12:41:19+02:00
Fix translations of messages in LoginScreen widget
To be translatable messages should be marked with '@i18n' and
present in "i18n_messages" dictionary.
Fixes: https://pagure.io/freeipa/issue/7619
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
5c32ac3e by Stanislav Levin at 2018-09-12T12:41:19+02:00
Add "bounce" logic from "reset_password.js"
This should add support for https://pagure.io/freeipa/issue/4440
Fixes: https://pagure.io/freeipa/issue/7619
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
b4885d3e by Stanislav Levin at 2018-09-12T12:41:19+02:00
Add tests for LoginScreen widget
Add some basic tests for different aspects of LoginScreen such as
'login', 'reset_and_login', 'reset' views.
Fixes: https://pagure.io/freeipa/issue/7619
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
167791f3 by Thomas Woerner at 2018-09-12T13:11:21+02:00
Remove ipa-replica-prepare script and man page
This is part of the DL0 code removal. As ipa-replica-prepare is only needed
and useful for domain level 0, the script can be removed.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
418da605 by Thomas Woerner at 2018-09-12T13:11:21+02:00
Remove DL0 specific code from ipa-ca-install
Replica files are DL0 specific therefore all the code that is related to
replica files have been removed. An additional check for the new minimal
domain level has been added.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
9af0b094 by Thomas Woerner at 2018-09-12T13:11:21+02:00
Remove DL0 specific code from cainstance and ca in ipaserver/install
cainstance.replica_ca_install_check is only used in ca.install_check if
replica_config is not None (replica installation). As it is immediately
stopped if promote is not set, therefore it can be removed.
The check for cafile in ca.install_check has been dropped. promote is set
to True in ca.install_step_0 if replica_config is not None for
cainstance.configure_instance.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
db5bff14 by Thomas Woerner at 2018-09-12T13:11:21+02:00
Remove DL0 specific code from ipa_kra_install in ipaserver/install
Replica files are DL0 specific therefore all the code that is related to
replica files have been removed An additional check for the new minimal
domain level has been added. The use of extra args results in an error as
this was only needed for the replica file.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
eaae9935 by Thomas Woerner at 2018-09-12T13:11:21+02:00
Remove DL0 specific code from dsinstance ipaserver/install
Promote is now hard set to True in create_replica for later use in
_get_replication_manager.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
71e19f11 by Thomas Woerner at 2018-09-12T13:11:21+02:00
Remove DL0 specific code from kra in ipaserver/install
The code to add missing KRA certificates has been removed from install_check
as it was only reached if replica_config is not None and promote was False
for DL0 replica installations. Also the other places.
Promote is now hard set to True if replica_config is not None in install
for later use in krainstance.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ecf80900 by Thomas Woerner at 2018-09-12T13:11:21+02:00
Remove unused promote arg in krbinstance.create_replica in ipaserver/install
The argument was not used at all.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ae94aae4 by Thomas Woerner at 2018-09-12T13:11:21+02:00
Remove DL0 specific code from ipa_replica_install in ipaserver/install
Replica files are DL0 specific therefore the knob extension for
replica_file has been removed. Also the code that is only executed if
replica_file is not None.
The new variable replica_install has been added which is used in
ServerInstallInterface.__init__
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f7e1d18d by Thomas Woerner at 2018-09-12T13:11:21+02:00
Remove DL0 specific code from __init__ in ipaserver/install/server
The methods _is_promote has been removed from all classes as this has only
been used internally to check if the domain level is correct.
The check if the installer object has the attribute replica_file has been
modified to use the new variable replica_install defined in
CompatServerReplicaInstall instead.
The DL0 specific code from ServerInstallInterface.__init__ has been removed
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2738c5c1 by Thomas Woerner at 2018-09-12T13:11:21+02:00
Remove DL0 specific code from replicainstall in ipaserver/install/server
create_replica_config is not imported anymore from
ipaserver.install.installutils.
The promote argument has been removed from these functions and function
calls:
- install_replica_ds
- ds.create_replica
- install_krb
- krbinstance.create_replica
- install_http
- httpinstance.create_instance
The function install_check has been removed completely as it is only used
to prepare the DL0 installation.
All DL0 specific code has been removed from the install function.
The varaibles promote, installer.promote/options.promote and config.promote
have bene removed.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a42a7113 by Thomas Woerner at 2018-09-12T13:11:21+02:00
Remove create_replica_config from installutils in ipaserver/install
This function is used to load the replica file. Without DL0 support this
is not needed at all anymore.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
15bf647e by Thomas Woerner at 2018-09-12T13:11:21+02:00
Remove DL0 specific code from custodiainstance in ipaserver/install
iWithout DL0 support the custodia mode can be used to determine if a
server or replica will be installed. Therefore the use of config.promote
can be removed.
A new check has been added to make sure the mode known in
get_custodia_instance.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
842cb5f2 by Thomas Woerner at 2018-09-12T13:11:21+02:00
Rename CustodiaModes.STANDALONE to CustodiaModes.FIRST_MASTER
This is related to the DL0 code removal. FIRST_MASTER describes this
mode a lot better.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
fbe003f5 by Thomas Woerner at 2018-09-12T13:11:21+02:00
Remove options.promote from install in ipaserver/install/server/install
There is no need to set options.promote to false anymore for a server
installation in the install function.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2f50d249 by Thomas Woerner at 2018-09-12T13:11:21+02:00
Remove replica_file from ClientInstall class in ipaclient/install/client.py
There is no need to set replica_file to None for client installations.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
374138d0 by Thomas Woerner at 2018-09-12T13:11:21+02:00
Remove replica_file knob from ipalib/install/service.py
The replica_file option is not needed anymore. Threfore the option can
be removed.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
fca1167a by Thomas Woerner at 2018-09-12T13:11:21+02:00
Remove DL0 specific tests from ipatests/test_integration/test_replica_promotion.py
These tests have been skipped already before. Therefore they can be removed.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
7eb8695e by Thomas Woerner at 2018-09-12T13:11:21+02:00
Remove DL0 specific code from ipatests/pytest_ipa/integration/tasks.py
The functions get_replica_filename and replica_prepare are not needed anymore
with the DL0 removal. The DL0 specific code has been removed from the
functions install_replica, install_kra and install_ca.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
b689ba7e by Thomas Woerner at 2018-09-12T13:11:21+02:00
Remove DL0 specific code from ipatests/test_integration/test_caless.py
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c6b3cf6d by Rob Crittenden at 2018-09-12T10:43:06-04:00
Advise plugin for enabling sudo for members of the admins group
Create HBAC and a sudo rule for allowing members of the admins
group to run sudo on all enrolled hosts.
https://pagure.io/freeipa/issue/7538
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
09750589 by Stanislav Levin at 2018-09-18T13:51:51+02:00
Drop concatenated title of remove dialog
As for now the default title of remove dialogs is set to
'Remove ${entity}', where 'entity' is also translatable text.
This construction is used via method 'create_remove_dialog'
of Search facet for the all association 'Delete' actions of
entities.
The such concatenation leads to a bad quality translation and
should be changed to an entire sentence.
>From now a mentioned title is taken from a spec and should be
specified explicitly.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
5eea5354 by Stanislav Levin at 2018-09-18T13:51:51+02:00
Add title to remove dialog of 'Users' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
3921210d by Stanislav Levin at 2018-09-18T13:51:51+02:00
Add title to remove dialog of 'Hosts' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
3c26a3b8 by Stanislav Levin at 2018-09-18T13:51:51+02:00
Add title to remove dialog of 'Services' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
d06f4984 by Stanislav Levin at 2018-09-18T13:51:51+02:00
Add title to remove dialog of 'Groups' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
d23376f5 by Stanislav Levin at 2018-09-18T13:51:51+02:00
Add title to remove dialog of 'ID Views' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
2d9cdd92 by Stanislav Levin at 2018-09-18T13:51:51+02:00
Add title to remove dialog of 'Automember' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
46018680 by Stanislav Levin at 2018-09-18T13:51:51+02:00
Add title to remove dialog of 'HBAC' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
b5073e96 by Stanislav Levin at 2018-09-18T13:51:51+02:00
Add title to remove dialog of 'Sudo' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
772e096d by Stanislav Levin at 2018-09-18T13:51:51+02:00
Add title to remove dialog of 'SELinux User Maps' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
8d13d4ef by Stanislav Levin at 2018-09-18T13:51:51+02:00
Add title to remove dialog of 'Password Policies' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
dfd22e74 by Stanislav Levin at 2018-09-18T13:51:51+02:00
Add title to remove dialog of 'Certificates' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
93eebdb5 by Stanislav Levin at 2018-09-18T13:51:51+02:00
Add title to remove dialog of 'OTP Tokens' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
36bfd1f8 by Stanislav Levin at 2018-09-18T13:51:51+02:00
Add title to remove dialog of 'RADIUS Servers' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
dcd90343 by Stanislav Levin at 2018-09-18T13:51:51+02:00
Add title to remove dialog of 'Certificate Identity Mapping Rules' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
a863cec3 by Stanislav Levin at 2018-09-18T13:51:51+02:00
Add title to remove dialog of 'Automount Locations' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
d5979fb2 by Stanislav Levin at 2018-09-18T13:51:51+02:00
Add title to remove dialog of 'DNS' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
855e138a by Stanislav Levin at 2018-09-18T13:51:51+02:00
Add title to remove dialog of 'RBAC' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
1f391b7c by Stanislav Levin at 2018-09-18T13:51:51+02:00
Add title to remove dialog of 'ID Ranges' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
291ea453 by Stanislav Levin at 2018-09-18T13:51:51+02:00
Add title to remove dialog of 'Topology' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
3e1a4a1d by Stanislav Levin at 2018-09-18T13:51:51+02:00
Add title to remove dialog of 'Trusts' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
7729bb73 by Florence Blanc-Renaud at 2018-09-19T10:13:15+02:00
ipa-advise: configure pam_cert_auth=True for smart card on client
ipa-advise config-client-for-smart-card-auth is now using authselect
instead of authconfig, but authselect enable-feature with-smartcard
does not set pam_cert_auth=True in /etc/sssd/sssd.conf.
As a result, smart card auth on a client fails.
The fix adds a step in ipa-advise to configure pam_cert_auth=True.
The fix also forces the use of python3 interpreter, and handles
newer versions of SSSD which use OpenSSL instead of NSS (the trusted
CA certs must be put into /etc/sssd/pki/sssd_auth_ca_db.pem
Fixes https://pagure.io/freeipa/issue/7532
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d0173c95 by Florence Blanc-Renaud at 2018-09-19T10:18:45+02:00
authselect: harden uninstallation of ipa client
When ipa client is uninstalled, the content of sysrestore.state
is read to restore the previous authselect profile and features.
The code should properly handle the case where sysrestore.state
contains the header for the authselect section, but the key=value
for profile and features are missing.
Fixes https://pagure.io/freeipa/issue/7657
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1a7e4b0e by Florence Blanc-Renaud at 2018-09-19T10:18:45+02:00
tests: add test for uninstall with incomplete sysrestore.state
Add a test that performs client uninstallation when sysrestore.state
contains the header for the [authselect] section but does not
contain a value for profile and features.
Related to https://pagure.io/freeipa/issue/7657
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
2b3fd701 by Serhii Tsymbaliuk at 2018-09-19T13:32:51+02:00
Fix hardcoded CSR in test_webui/test_cert.py
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
95928f62 by Serhii Tsymbaliuk at 2018-09-19T13:32:51+02:00
Use random IPs and domains in test_webui/test_host.py
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
1212402a by Serhii Tsymbaliuk at 2018-09-19T13:32:51+02:00
Increase request timeout for WebUI tests
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
d582484b by Serhii Tsymbaliuk at 2018-09-19T13:32:51+02:00
Fix test_realmdomains::test_add_single_labeled_domain (Web UI test)
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
1f04c481 by Serhii Tsymbaliuk at 2018-09-19T13:32:51+02:00
Use random realmdomains in test_webui/test_realmdomains.py
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
685cef55 by Serhii Tsymbaliuk at 2018-09-19T13:32:51+02:00
Fix test_user::test_login_without_username (Web UI test)
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
41258d81 by Serhii Tsymbaliuk at 2018-09-19T13:32:51+02:00
Fix unpermitted user session in test_selfservice (Web UI test)
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
2b739701 by Serhii Tsymbaliuk at 2018-09-19T13:32:51+02:00
Add SAN extension for CSR generation in test_cert (Web UI tests)
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
b58bc750 by Serhii Tsymbaliuk at 2018-09-19T13:32:51+02:00
Generate CSR for test_host::test_certificates (Web UI test)
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
93eafaec by Serhii Tsymbaliuk at 2018-09-19T13:32:51+02:00
Add cookies clearing for all Web UI tests
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
970af640 by Serhii Tsymbaliuk at 2018-09-19T13:32:51+02:00
Remove unnecessary session clearing in some Web UI tests
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
1affddaa by Serhii Tsymbaliuk at 2018-09-19T13:32:51+02:00
Increase some timeouts in Web UI tests
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
46eb9a38 by Serhii Tsymbaliuk at 2018-09-19T13:32:51+02:00
Fix UI_driver.has_class exception. Handle situation when element has no class attribute
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
d020fc49 by Serhii Tsymbaliuk at 2018-09-19T13:32:51+02:00
Change Web UI tests setup flow
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
e3820682 by Rob Crittenden at 2018-09-19T11:42:49-04:00
Try to resolve the name passed into the password reader to a file
Rather than comparing the value passed in by Apache to a
hostname value just see if there is a file of that name in
/var/lib/ipa/passwds.
Use realpath to see if path information was passed in as one of
the options so that someone can't try to return random files from
the filesystem.
https://pagure.io/freeipa/issue/7528
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2064c72b by Rob Crittenden at 2018-09-21T10:21:14+02:00
Fix uninstallation test, use different method to stop dirsrv
The API may not be initialized so using ds.is_running() may fail.
Call systemctl directly to ensure the dirsrv instance is stopped.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Michal Reznik <mreznik at redhat.com>
- - - - -
11b3cdff by Rob Crittenden at 2018-09-21T10:21:14+02:00
Add uninstallation tests to night master and rawhide
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Michal Reznik <mreznik at redhat.com>
- - - - -
24888132 by Florence Blanc-Renaud at 2018-09-24T08:42:40+02:00
ipatests: mark known failures as xfail
The tests in test_integration/test_installation.py
that inherit from InstallTestBase2 all fail in
test_replica2_ipa_kra_install because of ticket
7654: ipa-kra-install fails on DL1
This is an issue linked to dogtag (see
https://pagure.io/dogtagpki/issue/3055), where the
installation of a KRA clone creates a range depletion
when multiple clones are created from the same master.
Marking the tests as known failure, waiting for dogtag's
fix.
Related to https://pagure.io/freeipa/issue/7654
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
288fe328 by Florence Blanc-Renaud at 2018-09-24T12:55:48+02:00
Tests: remove dl0 tests from nightly definition
Commit fca1167af48651c3454c33c77ef28ec333220040 removed the following tests
from ipatests/test_integration/test_replica_promotion.py:
TestReplicaPromotionLevel0
TestKRAInstall
TestCAInstall
TestReplicaManageCommands
TestOldReplicaWorksAfterDomainUpgrade
but the nightly definition was not updated accordingly.
The fix removes the unexisting tests from nightly.
Related to https://pagure.io/freeipa/issue/7689
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
ca68848e by Stanislav Levin at 2018-09-25T15:16:05+02:00
Drop concatenated title of remove dialog
As for now the default title of remove dialogs, which are
initialized from 'association' facet, is set to something like
'Remove ${other_entity} from ${entity} ${primary_key}', where
'other_entity' and 'entity' are also translatable texts.
This construction is used via method 'show_remove_dialog'
of 'association' facet for the all 'Delete' actions within details
of entities.
Such concatenation leads to a bad quality translation and
should be changed to an entire sentence.
>From now a mentioned title is taken from a spec and should be
specified explicitly.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
35fa528c by Stanislav Levin at 2018-09-25T15:16:05+02:00
Add a title to 'remove' dialog for details of 'Users' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
d97ff69e by Stanislav Levin at 2018-09-25T15:16:05+02:00
Add a title to 'remove' dialog for details of 'Hosts' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
c4729e11 by Stanislav Levin at 2018-09-25T15:16:05+02:00
Add a title to 'remove' dialog for details of 'Services' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
6e839f91 by Stanislav Levin at 2018-09-25T15:16:05+02:00
Add a title to 'remove' dialog for details of 'Groups' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
ea0e6a36 by Stanislav Levin at 2018-09-25T15:16:05+02:00
Add a title to 'remove' dialog for details of 'HBAC' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
db6462b8 by Stanislav Levin at 2018-09-25T15:16:05+02:00
Add a title to 'remove' dialog for details of 'Sudo' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
f741c62f by Stanislav Levin at 2018-09-25T15:16:05+02:00
Add a title to 'remove' dialog for details of 'OTP Tokens' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
71594466 by Stanislav Levin at 2018-09-25T15:16:05+02:00
Add a title to 'remove' dialog for details of 'RBAC' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
9cbf16a7 by Stanislav Levin at 2018-09-25T15:16:05+02:00
Add a title to 'remove' dialog for details of 'Trusts' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
70349753 by Alexander Bokovoy at 2018-09-26T11:40:19+02:00
Support Samba 4.9
Samba 4.9 became a bit more strict about creating a local NT token and a
failure to resolve or create BUILTIN\Guests group will cause a rejection
of the connection for a successfully authenticated one.
Add a default mapping of the nobody group to BUILTIN\Guests.
BUILTIN\Guests is a special group SID that is added to the NT token for
authenticated users.
For real guests there is 'guest account' option in smb.conf which
defaults to 'nobody' user.
This was implicit behavior before as 'guest account = nobody' by
default would pick up 'nobody' group as well.
Fixes: https://pagure.io/freeipa/issue/7705
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
0659ed35 by Florence Blanc-Renaud at 2018-09-26T11:44:21+02:00
ipa-server-upgrade: fix inconsistency in setup_lightweight_ca_key_retrieval
The method setup_lightweight_ca_key_retrieval is called on
server upgrade and checks first if it needs to be executed or if
a previous upgrade already did the required steps.
The issue is that it looks for setup_lwca_key_retrieval in sysupgrade.state
but writes setup_lwca_key_retieval (with a missing r).
The fix consistently uses setup_lwca_key_retieval (as older installations
may already contain this key in sysupgrade.state).
Fixes https://pagure.io/freeipa/issue/7688
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
4460cc5e by Rob Crittenden at 2018-09-26T13:26:42+02:00
Fix identifier typo in UI
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
f658a3d1 by Stanislav Levin at 2018-09-26T13:50:11+02:00
Fix loading 'freeipa/text' at production mode
As for now 'ssbrowser.html' and 'unauthorized.html' pages are
loaded without JS error at development mode only.
There is no standalone 'freeipa/text' module as source at
production mode. Thus 'core' one have to be loaded first and
then 'text'.
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
43d9eda9 by Stanislav Levin at 2018-09-26T13:56:53+02:00
Drop concatenated title of remove dialog
As for now the default title of remove dialogs, which are
initialized from 'association_table' facet, is set to something
like 'Remove ${other_entity} from ${entity} ${primary_key}',
where 'other_entity' and 'entity' are also translatable texts.
This construction is used via method 'show_remove_dialog'
of 'association_table' widget for the all 'Delete' actions within
details of entities.
Such concatenation leads to a bad quality translation and
should be changed to an entire sentence.
>From now a mentioned title is taken from a spec and should be
specified explicitly.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
4b8509f9 by Stanislav Levin at 2018-09-26T13:56:53+02:00
Add title to 'remove' dialog for 'association_table' widget of 'Hosts' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
0825170a by Stanislav Levin at 2018-09-26T13:56:53+02:00
Add title to 'remove' dialog for 'association_table' widget of 'Services' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
79aa5920 by Stanislav Levin at 2018-09-26T13:56:53+02:00
Add title to 'remove' dialog for 'association_table' widget of 'Groups' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
c2e6e010 by Stanislav Levin at 2018-09-26T13:56:53+02:00
Allow having a custom title of 'Remove' dialog for 'attribute_table' widget
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
8657b57a by Stanislav Levin at 2018-09-26T13:56:53+02:00
Add title to 'Remove' dialog for 'association_table' widget of 'Automember' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
1fd6817b by Stanislav Levin at 2018-09-26T13:56:53+02:00
Add title to 'Remove' dialog for 'association_table' widget of 'HBAC' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
c2eebee3 by Stanislav Levin at 2018-09-26T13:56:53+02:00
Add title to 'Remove' dialog for 'association_table' widget of 'Sudo' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
c115efd1 by Stanislav Levin at 2018-09-26T13:56:53+02:00
Add title to 'Remove' dialog for 'association_table' widget of 'SELinux' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
ea115bf8 by Stanislav Levin at 2018-09-26T13:56:53+02:00
Add title to 'Remove' dialog for 'association_table' widget of 'CA' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
6eed6776 by Stanislav Levin at 2018-09-26T13:56:53+02:00
Add title to 'Remove' dialog for 'association_table' widget of 'Topology' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
57e65a5c by Stanislav Levin at 2018-09-26T13:56:53+02:00
Add title to 'Remove' dialog for 'association_table' widget of 'Vault' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
6b27c203 by Stanislav Levin at 2018-09-26T13:56:53+02:00
Add title to 'unprovision' dialog
To improve translation quality the title of 'unprovision' dialog
should be specified explicitly in the spec and should be an entire
sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
5052641a by Stanislav Levin at 2018-09-26T13:56:53+02:00
Add title to remove dialog of 'DNS' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
e1a30d3c by Christian Heimes at 2018-09-27T06:55:34+02:00
Workaround for pyasn1 0.4
pyasn1 0.4 changed handling of ANY containers in a backwards
incompatible way. For 0.3.x, keep explicit wrap and unwrap in octet
strings for ANY container members. For >= 0.4, let pyasn1 do the job..
This patch also makes sorting of extended_key_usage_bytes() stable and
adds tests.
Tested with pyasn1 0.3.7 and 0.4.4.
Fixes: https://pagure.io/freeipa/issue/7685
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
4a58adf7 by Christian Heimes at 2018-09-27T10:23:03+02:00
Sprinkle raw strings across the code base
tox / pytest is complaining about lots and lots of invalid escape
sequences in our code base. Sprinkle raw strings or backslash escapes
across the code base to fix most occurences of:
DeprecationWarning: invalid escape sequence
There is still one warning that keeps repeating, though:
source:264: DeprecationWarning: invalid escape sequence \d
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
b431e9b6 by Christian Heimes at 2018-09-27T11:49:04+02:00
Py3: Remove subclassing from object
Python 2 had old style and new style classes. Python 3 has only new
style classes. There is no point to subclass from object any more.
See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
78c722d4 by Christian Heimes at 2018-09-27T15:35:35+02:00
Require sssd-ipa instead of sssd meta pkg
The sssd meta package pulls in additional dependencies that are not
required by IPA clients. Only depend on sssd-ipa.
Also update SSSD to 1.16.3-2 with fixes with support for One-Way Trust
authenticated by trust secret.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1345975
See: https://pagure.io/freeipa/issue/7710
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
964a9bdc by Christian Heimes at 2018-09-27T16:11:18+02:00
Py3: Replace six.string_types with str
In Python 3, six.string_types is just an alias for str.
See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
ea396528 by Christian Heimes at 2018-09-27T16:11:18+02:00
Py3: Replace six.integer_types with int
In Python 3, six.integer_types is (int,). In most places, the alias can
be simply replaced with int. In other places, it was possible to
simplify the code by unpacking the tuple.
See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
61156b0a by Christian Heimes at 2018-09-27T16:11:18+02:00
Py3: Replace six.text_type with str
On Python 3, six.text_type (singular) is an alias for str.
See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
ed967ec2 by Christian Heimes at 2018-09-27T16:11:18+02:00
Py3: Replace six.bytes_type with bytes
See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
54765474 by Stanislav Levin at 2018-09-27T16:33:25+02:00
Fix javascript 'errors' found by jslint
There are several JavaScript errors, which have come with PRs:
2362, 2371, 2372.
JavaScript code have to follow jsl requires.
Fixes: https://pagure.io/freeipa/issue/7717
Fixes: https://pagure.io/freeipa/issue/7718
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
54a0e9e9 by Stanislav Levin at 2018-09-27T16:33:25+02:00
Add jslint check to PR CI tests
For now, from all possible lint checks, pylint applies only.
jslint can prevent JavaScript errors at WebUI.
Fixes: https://pagure.io/freeipa/issue/7717
Fixes: https://pagure.io/freeipa/issue/7718
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
5dbcc1a9 by Florence Blanc-Renaud at 2018-09-28T10:27:18+02:00
ipatests: mark known failure for installation_TestInstallWithCA2
The test TestInstallWithCA2 and TestInstallWithCA_DNS2 fail in
test_replica0_with_ca_kra_dns_install because they both try to
install a (first instance of) KRA.
This is a known issue, thus marking as xfail.
Related to https://pagure.io/freeipa/issue/7651
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
4b60bc38 by Christian Heimes at 2018-10-01T08:30:10+02:00
Lint yaml and RPM spec
Let's catch broken YAML files (Travis, PR-CI) and spec file early.
- Use rpmlint to detect syntax errors in spec file early
- Attempt to parse all YAML files with PyYAML
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
234c71ca by Stanislav Levin at 2018-10-01T10:28:14+02:00
Drop concatenated title of 'add' dialog
As for now the default title of 'add' dialog is set to something
like 'Add ${entity}', where 'entity' is also translatable text.
Such construction is used via method 'adder_dialog' of Entity
for the all 'Add' actions.
This leads to a bad quality translation and should be changed to
an entire sentence.
>From now a mentioned title is taken from a spec and should be
specified explicitly.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
c6221a51 by Stanislav Levin at 2018-10-01T10:28:14+02:00
Add title to 'add' dialog for 'Users' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
70cb5ba0 by Stanislav Levin at 2018-10-01T10:28:14+02:00
Add title to 'add' dialog for 'OTP' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
6881bf8d by Stanislav Levin at 2018-10-01T10:28:14+02:00
Add title to 'add' dialog for 'Host' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
8a834cda by Stanislav Levin at 2018-10-01T10:28:14+02:00
Add title to 'add' dialog for 'Service' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
794a51ea by Stanislav Levin at 2018-10-01T10:28:14+02:00
Add title to 'add' dialog for 'Groups' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
348e813b by Stanislav Levin at 2018-10-01T10:28:14+02:00
Add title to 'add' dialog for 'ID Views' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
bf49664d by Stanislav Levin at 2018-10-01T10:28:14+02:00
Drop concatenated title of 'add' dialog for 'attribute_table' widget
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
e363fb3e by Stanislav Levin at 2018-10-01T10:28:14+02:00
Add title to 'add' dialog for 'Automember' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
fd732aaa by Stanislav Levin at 2018-10-01T10:28:14+02:00
Add title to 'add' dialog for 'HBAC' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
8655c9be by Stanislav Levin at 2018-10-01T10:28:14+02:00
Add title to 'add' dialog for 'Sudo' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
e506f266 by Stanislav Levin at 2018-10-01T10:28:14+02:00
Add title to 'add' dialog for 'SELinux' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
4bd03e47 by Stanislav Levin at 2018-10-01T10:28:14+02:00
Add title to 'add' dialog for 'Password Policies' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
c38aab10 by Stanislav Levin at 2018-10-01T10:28:14+02:00
Add title to 'add' dialog for 'Certificates' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
38ea2dae by Stanislav Levin at 2018-10-01T10:28:14+02:00
Add title to 'add' dialog for 'RADIUS' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
98c290e4 by Stanislav Levin at 2018-10-01T10:28:14+02:00
Add title to 'add' dialog for 'Certificate Identity' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
bafa0d5f by Stanislav Levin at 2018-10-01T10:28:14+02:00
Add title to 'add' dialog for 'Automount' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
8dddc003 by Stanislav Levin at 2018-10-01T10:28:14+02:00
Add title to 'add' dialog for 'DNS' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
f3584661 by Stanislav Levin at 2018-10-01T10:28:14+02:00
Add title to 'add' dialog for 'Vault' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
16fed6e9 by Stanislav Levin at 2018-10-01T10:28:14+02:00
Add title to 'add' dialog for 'RBAC' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
f349479f by Stanislav Levin at 2018-10-01T10:28:14+02:00
Add title to 'add' dialog for 'ID Ranges' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
e3c0c4d7 by Stanislav Levin at 2018-10-01T10:28:14+02:00
Add title to 'add' dialog for 'Trusts' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
e89493e2 by Stanislav Levin at 2018-10-01T10:28:14+02:00
Add title to 'add' dialog for 'Topology' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
a2ad4174 by Fraser Tweedale at 2018-10-02T10:18:32+02:00
Fix writing certificate chain to file
An client-side error occurs when cert commands are instructed to
write the certificate chain (--chain option) to a file
(--certificate-out option). This regression was introduced in the
'cert' plugin in commit 5a44ca638310913ab6b0c239374f4b0ddeeedeb3,
and reflected in the 'ca' plugin in commit
c7064494e5801d5fd4670e6aab1e07c65d7a0731.
The server behaviour did not change; rather the client did not
correctly handle the DER-encoded certificates in the
'certificate_chain' response field. Fix the issue by treating the
'certificate' field as base-64 encoded DER, and the
'certificate_chain' field as an array of raw DER certificates.
Add tests for checking that the relevant commands succeed and write
PEM data to the file (both with and without --chain).
Fixes: https://pagure.io/freeipa/issue/7700
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
ef57be61 by Alexander Bokovoy at 2018-10-02T12:10:21+02:00
When stripping PO files, sort the output
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
6f6cac04 by Alexander Bokovoy at 2018-10-02T12:10:21+02:00
Re-sort the translations before importing new ones from Zanata
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
60cb8979 by Alexander Bokovoy at 2018-10-02T12:10:21+02:00
Import updated translations from Zanata
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
a502fa93 by Stanislav Levin at 2018-10-02T16:37:17+02:00
Drop concatenated title of 'Add' dialog for details of entity
As for now the 'Add' dialog title, which is initialized within
details of the entity, contains translated concatenated texts,
like:
'Add ${other_entity} into ${entity} ${primary_key}',
where 'other_entity' and 'entity' are also translatable texts.
This construction is used via method 'show_add_dialog' of
association_facet for the all 'Add' actions within details
of entities.
The concatenation leads to a bad quality translation and
should be changed to an entire sentence.
>From now a mentioned title is taken from a spec and should be
specified explicitly.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
dda488ef by Stanislav Levin at 2018-10-02T16:37:17+02:00
Add title to 'add' dialog for details of 'Certificate' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
d588d3e9 by Stanislav Levin at 2018-10-02T16:37:17+02:00
Add title to 'add' dialog for details of 'Users' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
dc9e5c57 by Stanislav Levin at 2018-10-02T16:37:17+02:00
Add title to 'add' dialog for details of 'Hosts' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
ac52faca by Stanislav Levin at 2018-10-02T16:37:17+02:00
Add title to 'add' dialog for details of 'Services' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
9e4de506 by Stanislav Levin at 2018-10-02T16:37:17+02:00
Add title to 'add' dialog for details of 'Groups' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
01eba53c by Stanislav Levin at 2018-10-02T16:37:17+02:00
Add title to 'add' dialog for details of 'ID Views' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
30094d82 by Stanislav Levin at 2018-10-02T16:37:17+02:00
Add title to 'add' dialog for details of 'HBAC' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
35b1b65a by Stanislav Levin at 2018-10-02T16:37:17+02:00
Add title to 'add' dialog for details of 'Sudo' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
958b1057 by Stanislav Levin at 2018-10-02T16:37:17+02:00
Add title to 'add' dialog for details of 'OTP Tokens' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
b3ac2304 by Stanislav Levin at 2018-10-02T16:37:17+02:00
Add title to 'add' dialog for details of 'RBAC' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
171c6a01 by Stanislav Levin at 2018-10-02T16:37:17+02:00
Drop concatenated title of add dialog for association_table widget
As for now the default title of add dialogs, which are
initialized from 'association_table' widget, is set to something
like 'Add ${other_entity} into ${entity} ${primary_key}',
where 'other_entity' and 'entity' are also translatable texts.
This construction is used via method 'create_add_dialog' of
'association_table' widget for the all 'Add' actions within
details of entities.
Such concatenation leads to a bad quality translation and
should be changed to an entire sentence.
>From now a mentioned title is taken from a spec and should be
specified explicitly.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
3c81e170 by Stanislav Levin at 2018-10-02T16:37:17+02:00
Add title to 'add' dialog for 'association_table' widget of Hosts entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
20688f0f by Stanislav Levin at 2018-10-02T16:37:17+02:00
Add title to 'add' dialog for 'association_table' widget of Services entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
c14ef573 by Stanislav Levin at 2018-10-02T16:37:17+02:00
Add title to 'add' dialog for 'association_table' widget of Groups entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
1ccafd48 by Stanislav Levin at 2018-10-02T16:37:17+02:00
Add title to 'add' dialog for 'association_table' widget of HBAC entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
2ea8f088 by Stanislav Levin at 2018-10-02T16:37:17+02:00
Add title to 'add' dialog for 'association_table' widget of Sudo entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
0e1accda by Stanislav Levin at 2018-10-02T16:37:17+02:00
Add title to 'add' dialog for 'association_table' widget of SELinux User Maps entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
073eac08 by Stanislav Levin at 2018-10-02T16:37:17+02:00
Add title to 'add' dialog for 'association_table' widget of Certificates entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
29ca7bf3 by Stanislav Levin at 2018-10-02T16:37:17+02:00
Add title to 'add' dialog for 'association_table' widget of Vaults entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
0f30fd83 by Stanislav Levin at 2018-10-02T16:37:17+02:00
Add title to 'add' dialog for 'association_table' widget of Topology entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
c0c8e7f5 by Rob Crittenden at 2018-10-05T12:00:41+02:00
Add entry for Serhii to mailmap
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
75326406 by Alexander Bokovoy at 2018-10-05T12:02:39+02:00
Update list of contributors
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
15d5e44e by Christian Heimes at 2018-10-05T12:06:19+02:00
Py3: Replace six.moves imports
Replace six.moves and six.StringIO/BytesIO imports with cannonical
Python 3 packages.
Note: six.moves.input behaves differently than builtin input function.
Therefore I left six.moves.input for now.
See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
4f04e91b by Florence Blanc-Renaud at 2018-10-05T08:59:34-04:00
ipatests: remove TestReplicaManageDel (dl0)
TestReplicaManageDel is a test using domain level 0
but we do not support it any more. Remove the test.
Related to https://pagure.io/freeipa/issue/7689
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
341a1205 by Christian Heimes at 2018-10-05T09:04:15-04:00
Fix zonemgr encoding issue
The zonemgr validator and handler performs additional encodings for IDNA
support. In Python 3, the extra steps are no longer necessary because
arguments are already proper text and stderr can handle text correctly.
This also fixes 'b' prefix in error messages like:
option zonemgr: b'empty DNS label'
Fixes: https://pagure.io/freeipa/issue/7711
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
9e1c26c7 by Florence Blanc-Renaud at 2018-10-09T14:53:56+02:00
certdb: provide meaningful err msg for wrong PIN
ipa-server-install or ipa-replica-install do not provide
a meaningful error message in CA-less mode when the install
fails because of a wrong PIN.
Update the err msg so that it provides a hint to the user.
Fixes https://pagure.io/freeipa/issue/5378
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
6650d1b5 by Florence Blanc-Renaud at 2018-10-09T14:53:56+02:00
ipa tests: CA less
Remove the annotation pytest.mark.xfail as issue 5378 has been fixed.
Related to https://pagure.io/freeipa/issue/5378
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
7f507519 by Thomas Woerner at 2018-10-10T09:56:40+02:00
Find orphan automember rules
If groups or hostgroups have been removed after automember rules have been
created using them, then automember-rebuild, automember-add, host-add and
more commands could fail.
A new command has been added to the ipa tool:
ipa automember-find-orphans --type={hostgroup,group} [--remove]
This command retuns the list of orphan automember rules in the same way as
automember-find. With the --remove option the orphan rules are also removed.
The IPA API version has been increased and a test case has been added.
Using ideas from a patch by: Rob Crittenden <rcritten at redhat.com>
See: https://pagure.io/freeipa/issue/6476
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
f6793043 by Florence Blanc-Renaud at 2018-10-10T11:32:26+02:00
ipatests: mark known failures as xfail
Commit 5dbcc1a9d30cdb0bc1c4f8476be37a3ef781f9be marked
the base class method test_replica0_with_ca_kra_dns_install
as known failure, but this does not work with inherited
classes. The child class methods need to be marked
themselves as known failures with @pytest.mark.xfail
Furthermore, TestInstallWithCA_KRA2 and TestInstallWithCA_KRA_DNS2
tests should succeed because the master is installed with KRA
(issue 7651 is related to replica install with --setup-kra
when it is the first KRA instance).
Related to https://pagure.io/freeipa/issue/7651
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1ef0fe8b by Alexander Bokovoy at 2018-10-10T11:36:00+02:00
adtrust: define Guests mapping after creating cifs/ principal
All Samba utilities load passdb modules from the configuration file. As
result, 'net groupmap' call would try to initialize ipasam passdb module
and that one would try to connect to LDAP using Kerberos authentication.
We should be running it after cifs/ principal is actually created in
ipa-adtrust-install or otherwise setting up group mapping will fail.
This only affects new installations. For older ones 'net groupmap' would
work just fine because adtrust is already configured and all principals
exist already.
A re-run of 'ipa-server-upgrade' is a workaround too but better to fix
the initial setup.
Related: https://pagure.io/freeipa/issue/7705
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1e76f100 by Rob Crittenden at 2018-10-12T16:55:52-04:00
Enable LDAP debug output in client to display TLS errors in join
If ipa-join fails due to a TLS connection error when doing an
LDAP-based enroll then nothing is logged by default except an
Invalid Password error which is misleading (because the failure
occurs during the bind).
The only way that debugging would have been sufficient is if
the user passed --debug to ipa-client-install which is not great.
This log level is otherwise very quiet and only logs one or two
lines on errors which is perfect.
https://pagure.io/freeipa/issue/7728
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
531eca43 by Stanislav Levin at 2018-10-15T10:04:33+02:00
Move ipa's systemd tmpfiles from /var/run to /run
systemd 239 complains about the legacy of ipa's tmpfiles which
are located on /var/run.
Fixes: https://pagure.io/freeipa/issue/7732
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
3eac88a4 by Florence Blanc-Renaud at 2018-10-15T10:20:25+02:00
Bump requires 389-ds-base
ipa-replica-install sometimes fails with
--
[28/41]: setting up initial replication
Starting replication, please wait until this has completed.
[ldap://master.ipa.test:389] reports: Replica Busy! Status: [Error (1) Replication error acquiring replica: replica busy]
[error] RuntimeError: Failed to start replication
--
which is caused by a 389-ds issue
(https://pagure.io/389-ds-base/issue/49818)
Bump requires to include the fix.
Fixes: https://pagure.io/freeipa/issue/7642
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
e55d17d6 by Serhii Tsymbaliuk at 2018-10-15T14:11:42+02:00
UI tests for "ID Range": check range name and base ID duplication
https://pagure.io/freeipa/issue/7709
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
369fb23e by Serhii Tsymbaliuk at 2018-10-15T14:11:42+02:00
UI tests for "ID Range": check adding range without primary and secondary RID bases
https://pagure.io/freeipa/issue/7709
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
b180991a by Serhii Tsymbaliuk at 2018-10-15T14:11:42+02:00
UI tests for "ID Range": check primary RID base duplication
https://pagure.io/freeipa/issue/7709
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
dde4d19f by Serhii Tsymbaliuk at 2018-10-15T14:11:42+02:00
UI tests for "ID Range": check adding range with overlapping of existing local range
https://pagure.io/freeipa/issue/7709
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
70f51c0d by Serhii Tsymbaliuk at 2018-10-15T14:11:42+02:00
UI tests for "ID Range": check modifying ID range with invalid or missing values
https://pagure.io/freeipa/issue/7709
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
dd590e7e by Serhii Tsymbaliuk at 2018-10-15T14:11:42+02:00
UI tests for "ID Range": - check creating ID range with special characters in name - check modifying ID range with existing secondary RID base
https://pagure.io/freeipa/issue/7709
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
6595949e by Serhii Tsymbaliuk at 2018-10-15T14:11:42+02:00
UI tests for "ID Range": check creating ID Range with overlapping of primary and secondary RID base
https://pagure.io/freeipa/issue/7709
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
2d845cc7 by Serhii Tsymbaliuk at 2018-10-15T14:11:42+02:00
UI tests for "ID Range": check deleting primary local range
https://pagure.io/freeipa/issue/7709
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
4c3f0104 by Serhii Tsymbaliuk at 2018-10-16T09:09:02+02:00
UI tests for "ID Range": Clean unnecessary Python2 compatible code constructions
https://pagure.io/freeipa/issue/7709
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
5466eca0 by Rob Crittenden at 2018-10-16T11:16:41+02:00
Remove tests which install KRA on replica w/o KRA on master
The KRA installation code explicity quits if trying to
install a KRA during a replica installation if there is not
already a KRA in the topology.
A KRA can be added afterward.
https://pagure.io/freeipa/issue/7651
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
fbcb79af by Florence Blanc-Renaud at 2018-10-17T15:51:10+02:00
ipatests: fix path in expected error message
The test is putting server.p12 / replica.p12 in the test_dir directory,
and the error message is printing the file name with its full path.
Related to https://pagure.io/freeipa/issue/5378
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
2fba5acc by Rob Crittenden at 2018-10-19T11:53:32-04:00
Handle NTP configuration in a replica server installation
There were two separate issues:
1. If not enrolling on a pre-configured client then the ntp-server and
ntp-pool options are not being passed down to the client installer
invocation.
2. If the client is already enrolled then the ntp options are ignored
altogether.
In the first case simply pass down the options to the client
installer invocation.
If the client is pre-enrolled and NTP options are provided then
raise an exception.
https://pagure.io/freeipa/issue/7723
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
0e22314c by Petr Vobornik at 2018-10-23T10:23:16+02:00
ipa-advise: update url of cacerdir_rehash tool
On legacy systems which don't have cacerdir_rehash tool (provided by authconfig)
the generated advise script downloads this tool from project page and uses it.
After decommision of Fedorahosted and move of authconfig project to Pagure,
this url was not updated in FreeIPA project.
This patch updates the url.
https://pagure.io/freeipa/issue/7731
Signed-off-by: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
5c0885d2 by Thomas Woerner at 2018-10-23T15:55:36+02:00
Update annobin to fix continuous-integration/travis-ci/pr issues
gcc is updated with the dnf builddep line, but annobin is not. Therefore
configure fails with "C compiler cannot create executables".
This is related to https://bugzilla.redhat.com/show_bug.cgi?id=1574478
See: https://pagure.io/freeipa/issue/7740
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
389c17c5 by Thomas Woerner at 2018-10-23T16:45:22+02:00
Fix ressource leak in client/config.c get_config_entry
The leak happens due to using strndup to create a temporary string without
freeing it afterwards.
See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
8e98c72e by Thomas Woerner at 2018-10-23T16:45:22+02:00
Fix ressource leak in daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c ipa_cldap_netlogon
The leak happens due to using strndup in a for loop to create a temporary
string without freeing it in all cases.
See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
3b79deae by Alexander Bokovoy at 2018-10-23T16:50:43+02:00
net groupmap: force using empty config when mapping Guests
When we define a group mapping for BUILTIN\Guests to 'nobody' group in
we run 'net groupmap add ...' with a default /etc/samba/smb.conf which
is now configured to use ipasam passdb module. We authenticate to LDAP
with GSSAPI in ipasam passdb module initialization.
If GSSAPI authentication failed (KDC is offline, for example, during
server upgrade), 'net groupmap add' crashes after ~10 attempts to
re-authenticate. This is intended behavior in smbd/winbindd as they
cannot work anymore. However, for the command line tools there are
plenty of operations where passdb module is not needed.
Additionally, GSSAPI authentication uses the default ccache in the
environment and a key from /etc/samba/samba.keytab keytab. This means
that if you'd run 'net *' as root, it will replace whatever Kerberos
tickets you have with a TGT for cifs/`hostname` and a service ticket to
ldap/`hostname` of IPA master.
Apply a simple solution to avoid using /etc/samba/smb.conf when we
set up the group mapping by specifying '-s /dev/null' in 'net groupmap'
call.
For upgrade code this is enough as in
a678336b8b36cdbea2512e79c09e475fdc249569 we enforce use of empty
credentials cache during upgrade to prevent tripping on individual
ccaches from KEYRING: or KCM: cache collections.
Related: https://pagure.io/freeipa/issue/7705
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
23e33443 by Christian Heimes at 2018-10-24T10:49:12+02:00
Add lgtm.yml to analyzse C code with LGTM
See https://lgtm.com/help/lgtm/customizing-file-classification
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4600e62b by Florence Blanc-Renaud at 2018-10-24T14:20:29+02:00
ipa-replica-install --setup-adtrust: check for package ipa-server-trust-ad
When adding the option --setup-adtrust to ipa-replica-install,
we need to check that the package freeipa-server-trust-ad is
installed.
To avoid relying on OS-specific commands like yum, the check is instead
ensuring that the file /usr/share/ipa/smb.conf.empty is present
(this file is delivered by the package).
When the check is unsuccessful, ipa-replica-install exits with an error
message.
Fixes: https://pagure.io/freeipa/issue/7602
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
836e2959 by Christian Heimes at 2018-10-24T16:11:55+02:00
Fix ipadb_multires resource handling
* ipadb_get_pwd_policy() initializes struct ipadb_multires *res to NULL.
* ipadb_multires_free() supports NULL as no-op.
* ipadb_multibase_search() consistently frees and NULLs
struct ipadb_multires **res on error.
See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
5fe3198d by Christian Heimes at 2018-10-24T16:11:55+02:00
Don't abuse strncpy() length limitation
On two occasions C code abused strncpy()'s length limitation to copy a
string of known length without the trailing NULL byte. Recent GCC is
raising the compiler warning:
warning: ‘strncpy’ output truncated before terminating nul copying as
many bytes from a string as its length [-Wstringop-truncation]
Use memcpy() instead if strncpy() to copy data of known size.
See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4de97f49 by Christian Heimes at 2018-10-24T17:44:20+02:00
Replace hard-coded interpreter with sys.executable
Instead of hard-coding python3, the smart card advise script now uses
the current executable path from sys.executable as interpreter.
Fixes: https://pagure.io/freeipa/issue/7741
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a42ca499 by Christian Heimes at 2018-10-24T18:28:23+02:00
Add Coverity Scan target
Add "make cov-scan" to automate Coverity scan builds. cov-build requires
extra quirks to work with recent versions of GCC on Fedora.
The make target requires a token and Coverity's build chain. Both are
available for privileged project owners on
https://scan.coverity.com/projects/freeipa-freeipa .
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
235b5bd6 by Rob Crittenden at 2018-10-26T08:11:03+02:00
Remove the authselect profile warning if sssd was not configured.
On a plain uninstall there should not be a bunch of confusing
warning/error messages.
Related to https://pagure.io/freeipa/issue/7729
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
e59ee609 by Rob Crittenden at 2018-10-26T08:11:03+02:00
Fix misleading errors during client install rollback
Some incorrect errors are possible if a client installation
fails and a configuration rollback is required.
These include:
1. Unconfigured automount client failed: CalledProcessError(Command
['/usr/sbin/ipa-client-automount', '--uninstall', '--debug']
returned non-zero exit status 1: '')
Caused by check_client_configuration() not returning the correct
return value (2).
2. WARNING: Unable to revert to the pre-installation state ('authconfig'
tool has been deprecated in favor of 'authselect'). The default sssd
profile will be used instead.
The authconfig arguments would have been: authconfig --disableldap
--disablekrb5 --disablesssdauth --disablemkhomedir
If installation fails before SSSD is configured there is no state
to roll back to. Detect this condition.
3. An error occurred while removing SSSD's cache.Please remove the
cache manually by executing sssctl cache-remove -o.
Again, if SSSD is not configured yet then there is no cache to
remove. Also correct the missing space after the period.
https://pagure.io/freeipa/issue/7729
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
55277729 by Rob Crittenden at 2018-10-26T08:11:03+02:00
Collect the client and server uninstall logs in tests
When running the integration tests capture the uninstallation
logs as well as the installation logs.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
4de5ea09 by Florence Blanc-Renaud at 2018-10-26T17:21:07+02:00
ipa-backup: restart services before compressing the backup
ipa-backup gathers all the files needed for the backup, then compresses
the file and finally restarts the IPA services. When the backup is a
large file, the compression may take time and widen the unavailabity
window.
This fix restarts the services as soon as all the required files are
gathered, and compresses after services are restarted.
Fixes: https://pagure.io/freeipa/issue/7632
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
fa559808 by Florence Blanc-Renaud at 2018-10-26T17:21:07+02:00
ipatest: add functional test for ipa-backup
The test ensures that ipa-backup compresses the files after the
IPA services are restarted.
Related to: https://pagure.io/freeipa/issue/7632
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
2e7f3d1d by Christian Heimes at 2018-10-26T18:04:23+02:00
Improve Python configuration for LGTM
LGTM is no longer able to analyse all Python code without importing it.
Define OS and Python package dependencies and build the project for
Python, too.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ec54fa77 by Christian Heimes at 2018-10-26T20:10:23+02:00
Keep Dogtag's client db in external CA step 1
Don't remove /root/.dogtag/pki-tomcat when performing step 1 of external
CA installation process. Dogtag 10.6.7 changed behavior and no longer
re-creates the client database in step 2.
Fixes: https://pagure.io/freeipa/issue/7742
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
204353e4 by Christian Heimes at 2018-10-26T20:10:23+02:00
Use tasks.install_master() in external_ca tests
The install_master() function performs additional steps besides just
installing a server. It also sets up log collection and performs
additional tests.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
4b920df4 by Fraser Tweedale at 2018-10-26T21:37:39+02:00
Restore KRA clone installation integration test
This Dogtag issue that caused KRA clone installation failure in some
scenarios has been fixed (https://pagure.io/dogtagpki/issue/3055).
This reverts commit 2488813260a407477c7516b33ce4238b69c8dd8d and
bumps the pki-core dependency.
Fixes: https://pagure.io/freeipa/issue/7654
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ec208e97 by Christian Heimes at 2018-10-26T21:37:39+02:00
Require Dogtag 10.6.7-3
10.6.7-3 fixes a problem with ipa-ca-install and ipa-kra-install on
replicas.
See: https://pagure.io/dogtagpki/issue/3073
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
49df1ab1 by Serhii Tsymbaliuk at 2018-10-30T16:26:29+01:00
UI tests for "Automember": check search filter
https://pagure.io/freeipa/issue/7721
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Petr Cech <pcech at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
63cbf629 by Serhii Tsymbaliuk at 2018-10-30T16:26:29+01:00
UI tests for "Automember": check creating and deleting of multiple rules
https://pagure.io/freeipa/issue/7721
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Petr Cech <pcech at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
a68035dc by Serhii Tsymbaliuk at 2018-10-30T16:26:29+01:00
UI tests for "Automember": check creating and deleting of automember rule conditions
https://pagure.io/freeipa/issue/7721
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Petr Cech <pcech at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
33a74fb2 by Serhii Tsymbaliuk at 2018-10-30T16:26:29+01:00
UI tests for "Automember": check setting default user/host group
https://pagure.io/freeipa/issue/7721
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Petr Cech <pcech at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
cd795257 by Serhii Tsymbaliuk at 2018-10-30T16:26:29+01:00
UI tests for "Automember": Negative cases
https://pagure.io/freeipa/issue/7721
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Petr Cech <pcech at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
8949aa64 by Serhii Tsymbaliuk at 2018-10-30T16:26:29+01:00
UI tests for "Automember": Extend search cases
https://pagure.io/freeipa/issue/7721
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Petr Cech <pcech at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
1d4b43ef by Serhii Tsymbaliuk at 2018-10-31T11:55:35+01:00
UI tests for "Automount": check "Add Automount..." dialogs
https://pagure.io/freeipa/issue/7735
Reviewed-By: Petr Cech <pcech at redhat.com>
- - - - -
e957e0ae by Serhii Tsymbaliuk at 2018-10-31T11:55:35+01:00
UI tests for "Automount": check modifying map and key settings
https://pagure.io/freeipa/issue/7735
Reviewed-By: Petr Cech <pcech at redhat.com>
- - - - -
97f158ae by Serhii Tsymbaliuk at 2018-10-31T11:55:35+01:00
UI tests for "Automount": Fix item deleting
https://pagure.io/freeipa/issue/7735
Reviewed-By: Petr Cech <pcech at redhat.com>
- - - - -
de06bf27 by Serhii Tsymbaliuk at 2018-10-31T11:55:35+01:00
UI tests for "Automount": check creating indirect automount map without some fields
https://pagure.io/freeipa/issue/7735
Reviewed-By: Petr Cech <pcech at redhat.com>
- - - - -
b7a149fe by Serhii Tsymbaliuk at 2018-10-31T11:55:35+01:00
UI tests for "Automount": check creating automount key without some fields
https://pagure.io/freeipa/issue/7735
Reviewed-By: Petr Cech <pcech at redhat.com>
- - - - -
ba40590e by Serhii Tsymbaliuk at 2018-10-31T11:55:35+01:00
UI tests for "Automount": check indirect map duplication
https://pagure.io/freeipa/issue/7735
Reviewed-By: Petr Cech <pcech at redhat.com>
- - - - -
6444808f by Serhii Tsymbaliuk at 2018-10-31T11:55:35+01:00
UI tests for "Automount": check some negative cases
https://pagure.io/freeipa/issue/7735
Reviewed-By: Petr Cech <pcech at redhat.com>
- - - - -
8f2a75cb by Serhii Tsymbaliuk at 2018-10-31T11:55:35+01:00
UI tests for "Automount": check dialog confirmation using ENTER
https://pagure.io/freeipa/issue/7735
Reviewed-By: Petr Cech <pcech at redhat.com>
- - - - -
89545210 by Serhii Tsymbaliuk at 2018-10-31T11:55:35+01:00
WebUI tests: Make possible to use kwargs with @screenshot decorator
Reviewed-By: Petr Cech <pcech at redhat.com>
- - - - -
9b7a152e by Rob Crittenden at 2018-11-01T13:08:58+01:00
Pass a list of values into add_master_dns_records
During replica installation the local IP addresses should be
added to DNS but will fail because a string is being passed
to an argument expecting a list. Convert to a list before
passing in individual IPs.
Discovered when fixing https://pagure.io/freeipa/issue/7408
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
4cde696d by Rob Crittenden at 2018-11-01T13:08:58+01:00
Demote log message in custodia _wait_keys to debug
This was previously suppressed because of the log level in
an installation was set to error so it was never displayed
Keeping consistency and demoting it to debug since the
log level is increased to info.
Related: https://pagure.io/freeipa/issue/7408
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
f4e37385 by Rob Crittenden at 2018-11-01T13:08:58+01:00
Enable replica install info logging to match ipa-server-install
Increase log level to info by setting verbose=True and adding
a console format.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
https://pagure.io/freeipa/issue/7408
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
aa261ba5 by Christian Heimes at 2018-11-01T13:56:31+01:00
has_krbprincipalkey: avoid double free
Set keys to NULL after free rder to avoid potential double free.
See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
800e448a by Christian Heimes at 2018-11-01T13:56:31+01:00
ipadb_mspac_get_trusted_domains: NULL ptr deref
Fix potential NULL pointer deref in ipadb_mspac_get_trusted_domains().
In theory, dn could be empty and rdn NULL. The man page for ldap_str2dn()
does not guarantee that it returns a non-empty result.
See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
da2078bc by Christian Heimes at 2018-11-01T13:56:31+01:00
ipapwd_pre_mod: NULL ptr deref
In ipapwd_pre_mod, check userpw for NULL before dereferencing its first
element.
See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4cd26fcb by Fraser Tweedale at 2018-11-06T10:59:06+01:00
ipaldap: avoid invalid modlist when attribute encoding differs
ipaldap does not take into account the possibility of the attribute
encoding returned by python-ldap differing from the attribute
encoding produced by FreeIPA. In particular this can occur with DNs
with special characters that require escaping. For example,
python-ldap (or the underlying LDAP library) escapes special
characters using hex encoding:
CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\2C Inc.,L=Brisbane,C=AU
Whereas FreeIPA, when encoding the DN, escapes the character
directly:
CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\, Inc.,L=Brisbane,C=AU
Therefore it is possible to generate an invalid modlist. For
example, during external CA certificate renewal, if the issuer DN
includes a comma in one of the attribute values (as above), an
invalid modlist will be generated:
[ (ldap.MOD_ADD, 'ipacaissuerdn',
[b'CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\, Inc.,L=Brisbane,C=AU'])
, (ldap.MOD_DELETE, 'ipacaissuerdn',
[b'CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\2C Inc.,L=Brisbane,C=AU'])
]
Although encoded differently, these are the same value. If this
modification is applied to the object, attributeOrValueExists (error
20) occurs.
To avoid the issue, put deletes before adds in the modlist. If a
value is present (with different encodings) as both an addition and
a deletion, it must be because the original object contained the
value with a different encoding. Therefore it is safe to delete it,
then add it back.
Note that the modlist is not optimal. In the simplest case (like
above example), there should be no modification to perform. It is
considerably more complex (and more computation) to implement this
because the raw attribute values must be decoded before comparison.
Fixes: https://pagure.io/freeipa/issue/7750
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
b8007e14 by Fraser Tweedale at 2018-11-07T08:39:42+01:00
rpc: always read response
If the server responds 401 and the response body is empty, the
client raises ResponseNotReady. This occurs because:
1. For a non-200 response, the response read only if the
Content-Length header occurs.
2. The response must be read before another request (e.g. the
follow-up request with WWW-Authenticate header set), and this
condition was not met. For details see
https://github.com/python/cpython/blob/v3.6.7/Lib/http/client.py#L1305-L1321.
This situation should not arise in regular use, because the client
either has a session cookie, or, knowing the details of the server
it is contacting, it establishes the GSS-API context and includes
the WWW-Authenticate header in the initial request.
Nevertheless, this problem has been observed in the wild. I do not
know its ordinary cause(s), but one can force the issue by removing
an authenticated user's session cache from /run/ipa/ccaches, then
performing a request.
Resolve the issue by always reading the response. It is safe to
call response.read() regardless of whether the Content-Length header
appears, or whether the body is empty.
Fixes: https://pagure.io/freeipa/issue/7752
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
0a5a7bde by Christian Heimes at 2018-11-07T13:11:48+01:00
Fix test_cli_fsencoding on Python 3.7
Starting with Python 3.7, PEP 538 addresses the locale issue. Python now
supports UTF-8 file system encoding with non-UTF-8 C locale.
See: https://docs.python.org/3/whatsnew/3.7.html#whatsnew37-pep538
See: https://pagure.io/freeipa/issue/5887
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
324da5c3 by Sergey Orlov at 2018-11-07T13:48:54+01:00
ipatests: add test for ipa-advise for enabling sudo for admins group
Test that
1) sudo is not enabled for members of admins group by default
2) sudo is enabled for them after execution of script provided
by ipa-advise enable_admins_sudo
Related to https://pagure.io/freeipa/issue/7538
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
8b0f3595 by Christian Heimes at 2018-11-07T16:28:35+01:00
Allow ipaapi user to access SSSD's info pipe
For smart card authentication, ipaapi must be able to access to sss-ifp.
During installation and upgrade, the ipaapi user is now added to
[ifp]allowed_uids.
The commit also fixes two related issues:
* The server upgrade code now enables ifp service in sssd.conf. The
existing code modified sssd.conf but never wrote the changes to disk.
* sssd_enable_service() no longer fails after it has detected an
unrecognized service.
Fixes: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
82af0340 by Alexander Bokovoy at 2018-11-07T16:37:18+01:00
ipaserver.install.adtrust: fix CID 323644
Fix Coverity finding CID 323644: logically dead code path
The code to determine whether NetBIOS name was already set or need to be
set after deriving it from a domain or asking a user for an interactive
input, was refactored at some point to avoid retrieving the whole LDAP
entry. Instead, it was provided with the actual NetBIOS name retrieved.
As result, a part of the code got neglected and was never executed.
Fix this code and provide a test that tries to test predefined,
interactively provided and automatically derived NetBIOS name depending
on how the installer is being run.
We mock up the actual execution so that no access to LDAP or Samba is
needed.
Fixes: https://pagure.io/freeipa/issue/7753
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
da70f397 by Serhii Tsymbaliuk at 2018-11-08T08:34:13+01:00
Increase memory size for ipaserver topology (nightly-master.yaml)
Fix "Cannot allocate memory" error for Web UI tests
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
816783a1 by Christian Heimes at 2018-11-08T13:16:26+01:00
Copy-paste error in permssions plugin, CID 323649
Address a bug in the code block for attributeLevelRights for old clients.
The backward compatibility code for deprecated options was not triggered,
because the new name was checked against wrong dict.
Coverity Scan issue 323649, Copy-paste error
The copied code will not have its intended effect.
In postprocess_result: A copied piece of code is inconsistent with the
original (CWE-398)
See: Fixes: https://pagure.io/freeipa/issue/7753
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e569afb0 by Christian Heimes at 2018-11-08T16:03:21+01:00
Fix test_cli_fsencoding on Python 3.7, take 2
0a5a7bdef7c300cb8f8a8128ce6cf5b115683cbe introduced another problem. The
test is now failing on systems without a full IPA client or server
installation. Use IPA_CONFDIR env var to override location of
default.conf, so that the command always fails.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
41247438 by Christian Heimes at 2018-11-08T17:44:45+01:00
Replace messagebus with modern name dbus
"messagebus" is an old, archaic name for dbus. Upstream dbus has started
to move away from the old name. Let's use the modern term in FreeIPA,
too.
Fixes: https://pagure.io/freeipa/issue/7754
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
e64ae1d0 by Christian Heimes at 2018-11-08T17:46:38+01:00
Add missing tests to nighly runs
Run test_customized_ds_config_install and test_dns_locations in nightly
runs.
See: https://pagure.io/freeipa/issue/7743
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
4cede866 by Christian Heimes at 2018-11-08T17:46:38+01:00
Speed up test_customized_ds_config_install
Reuse master instance when installing replica with custom DS config.
This avoids one extra ipa-server-install and also tests replica
installation from a master with custom DS config.
See: https://pagure.io/freeipa/issue/7743
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
60a31d3f by Florence Blanc-Renaud at 2018-11-09T15:58:10+01:00
Nightly tests: add test_user_permissions.py
Run the above test in the nightly test suites
Related to https://pagure.io/freeipa/issue/7743
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
044ffe0d by François Cami at 2018-11-09T17:16:19-05:00
Add sysadm_r to default SELinux user map order
It is a standard SELinux user role included in RHEL (like
user_r, staff_r, guest_r) and used quite often.
Fixes: https://pagure.io/freeipa/issue/7658
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d731f6fd by Fraser Tweedale at 2018-11-12T11:23:16+01:00
certdb: ensure non-empty Subject Key Identifier
Installation or IPA CA renewal with externally-signed CA accepts an
IPA CA certificate with empty Subject Key Identifier. This is
technically legal in X.509, but is an operational issue.
Furthermore, due to an extant bug in Dogtag
(https://pagure.io/dogtagpki/issue/3079) it will cause Dogtag
startup failure.
Reject CA certificates with empty Subject Key Identifier.
Fixes: https://pagure.io/freeipa/issue/7762
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
87474cc1 by Serhii Tsymbaliuk at 2018-11-12T12:04:27+01:00
Split Web UI test suite in nightly PR CI configuration
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
3e8f550c by Rob Crittenden at 2018-11-13T10:44:14+01:00
Add tests for ipa-cacert-manage install
Some basic tests like re-loading a certificate, loading a
PKCS#7 cert and bad cert handling.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
https://pagure.io/freeipa/issue/7579
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
35d1d345 by Rob Crittenden at 2018-11-13T10:44:14+01:00
Add support for multiple certificates/formats to ipa-cacert-manage
Only a single cert in DER or PEM format would be loaded from the
provided file. Extend this to include PKCS#7 format and load all
certificates found in the file.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
https://pagure.io/freeipa/issue/7579
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
1e6a77a6 by Florence Blanc-Renaud at 2018-11-13T10:51:07+01:00
ipatests: fix CA less expectations
The test TestServerInstall::test_ca_2_certs has a
wrong expectation. Scenario:
install a CA-less master with
ipa-server-install --ca-cert-file root.pem
where root.pem contains the CA that signed the http and ldap
certificates + an additional (unneeded) CA cert.
The test was expecting a failure, but this scenario is not
problematic as long as the unneeded CA cert is not added.
Related to https://pagure.io/freeipa/issue/6289 which has been
closed as won't fix
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
f7511edb by William Brown at 2018-11-13T12:07:27+01:00
Support the 1.4.x python installer tools in 389-ds
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
8f9b0fc1 by Stanislav Laznicka at 2018-11-13T12:07:27+01:00
Remove some basic pystyle and pylint errors
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
383311a1 by Stanislav Laznicka at 2018-11-13T12:07:27+01:00
Don't try legacy installs
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ed955d14 by Stanislav Laznicka at 2018-11-13T12:07:27+01:00
Move lib389 imports to module scope
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
56f8e200 by Stanislav Laznicka at 2018-11-13T12:07:27+01:00
DS uninstall: fix serverid missing in state restore
During uninstallation, we're using serverid which we get from
sysrestore.state. This was not set in the newer install,
return it back.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
104ef413 by Stanislav Laznicka at 2018-11-13T12:07:27+01:00
DS install: fix DS asking for NSS pin during install
DS now comes with nsslapd-security turned on and its own CA
cert in its NSS database. We're re-setting the NSS database
and setting our own CA cert to it, the DS pin file therefore
needs to be updated with the new password after this reset.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e8342d41 by Stanislav Laznicka at 2018-11-13T12:07:27+01:00
DS install: don't fail if SSL already configured
DS now comes with certain SSL capabilities turned on after
installation. Previously, we did not expect this and were
blindly forcing everything on without checking, whether it
needs turning on. This would result in failures if the
config entries are already set the way we want. Relax this
configuration.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
8fb63966 by Stanislav Laznicka at 2018-11-13T12:07:27+01:00
Use the newer way of removing the DS instance
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a606b44f by Christian Heimes at 2018-11-13T12:07:27+01:00
Drop dependency on 389-ds-base-legacy-tools
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d39bb65a by Christian Heimes at 2018-11-13T12:07:27+01:00
Remove DS perl paths from debian platform
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
19cd9603 by Florence Blanc-Renaud at 2018-11-13T12:40:44+01:00
ipa user-add: add optional objectclass for radius-username
The command "ipa user-add --radius-username" fails with
ipa: ERROR: attribute "ipatokenRadiusUserName" not allowed
because it does not add the objectclass ipatokenradiusproxyuser
that is required by the attribute ipatokenradiususername.
The issue happens with ipa user-add / stageuser-add / user-mod / stageuser-mod.
The fix adds the objectclass when needed in the pre_common_callback method
of baseuser_add and baseuser_mod (ensuring that user and stageuser commands
are fixed).
Fixes https://pagure.io/freeipa/issue/7569
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
1c2c2ee6 by Florence Blanc-Renaud at 2018-11-13T12:40:44+01:00
tests: add xmlrpc test for ipa user-add --radius-username
Add a xmlrpc test for ipa user-add/user-mod --radius-username
The command were previously failing because the objectclass
ipatokenradiusproxyuser was not automatically added when the
attribute ipatokenRadiusUserName was added to the entry.
The test ensures that the command is now succeeding.
Related to https://pagure.io/freeipa/issue/7569
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
5d603fce by Florence Blanc-Renaud at 2018-11-13T12:40:44+01:00
radiusproxy: add permission for reading radius proxy servers
A non-admin user which has the "User Administrator" role cannot
add a user with ipa user-add --radius=<proxy> because the
call needs to read the radius proxy server entries.
The fix adds a System permission for reading radius proxy server
entries (all attributes except the ipatokenradiussecret). This
permission is added to the already existing privileges "User
Administrators" and "Stage User Administrators", so that the role
"User Administrator" can call ipa [stage]user-add|mod --radius=<proxy>
Fixes: https://pagure.io/freeipa/issue/7570
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
da4c12c3 by Florence Blanc-Renaud at 2018-11-13T12:40:44+01:00
ipatests: add integration test for "Read radius servers" perm
Add a new integration test for the following scenario:
- create a user with the "User Administrator" role
- as this user, create a user with a --radius=<radius_proxy_server>
This scenario was previously failing because ipa user-add --radius
requires read access to the radius server entries, and there was no
permission granting this access.
Related to https://pagure.io/freeipa/issue/7570
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
1be415cd by Florence Blanc-Renaud at 2018-11-13T12:42:38+01:00
ipatests: add missing tests for test_caless
Two tests were missing from nightly definition:
- test_caless.py::TestReplicaCALessToCAFull
- test_caless.py::TestServerCALessToExternalCA
Related to https://pagure.io/freeipa/issue/7743
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
8b7e17aa by Florence Blanc-Renaud at 2018-11-13T13:04:19+01:00
ipatests: update tests for ipa-server-certinstall
The test test_http_intermediate_ca was expecting success when
it should expect a failure. Scenario:
- install IPA ca-less with certs signed by rootCA
- call ipa-server-certinstall with a cert signed by a subCA
to replace http cert.
In this case, the command should refust changing the cert
(otherwise the clients won't be able any more to use
ipa * commands as the subca is not installed in /etc/ipa/nssdb
or in /etc/ipa/ca.crt).
The commit fixes the test expectation and marks the test as
xfail (see ticket 7759).
The test test_ds_intermediate_ca was expecting success when
it should expect a failure. Same scenario as above, but for
the ldap server cert.
The commit fixes the test expectation and removes the xfail
(ticket 6959 was closed as invalid).
Note:
The behavior differs for ldap and http cert because LDAP server
is using a NSSDB and http server is using openssl, hence
ipa-server-certinstall follows 2 different code paths when
changing the server cert.
Related to https://pagure.io/freeipa/issue/7759
Related to https://pagure.io/freeipa/issue/6959
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
5483f9f6 by Florence Blanc-Renaud at 2018-11-13T13:04:19+01:00
temp commit: run test_integration/test_caless.py::TestCertInstall
Please remove before pushing
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
1dd98d25 by Florence Blanc-Renaud at 2018-11-13T13:22:54+01:00
Revert "temp commit: run test_integration/test_caless.py::TestCertInstall"
This reverts commit 5483f9f6bb268f42b70eef227e268f8e28922f01.
- - - - -
e6d7f200 by Christian Heimes at 2018-11-13T13:37:58+01:00
Ignore W504 code style like in travis config
pycodestyle both complains about "W504 line break after binary operator"
and "W503 line break before binary operator" when all warnings are
enabled. FreeIPA already ignores W504 in travis config. Let's ignore it
in fastcheck, too.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
8944458d by Christian Heimes at 2018-11-13T13:37:58+01:00
Address pylint violations in lite-server
Teach pylint that env instance has lite_* members
See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
85286beb by Christian Heimes at 2018-11-13T13:37:58+01:00
Address inconsistent-return-statements
Pylint warns about inconsistent return statements when some paths of a
function return None implicitly. Make all implicit returns either
explicit or raise a proper exception.
See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
7bdc9bad by Christian Heimes at 2018-11-13T13:37:58+01:00
Ignore consider-using-enumerate for now
Ignore new consider-using-enumerate warning for now and clean up code
later.
See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
496d1756 by Christian Heimes at 2018-11-13T13:37:58+01:00
Address consider-using-in
Replace multiple comparisons with 'in' operation.
See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
83cdd27f by Christian Heimes at 2018-11-13T13:37:58+01:00
Fix comparison-with-callable
Pylint warns about comparing callable. Replace equality with identity
test.
See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
71360776 by Christian Heimes at 2018-11-13T13:37:58+01:00
Fix useless-import-alias
See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
1e569c4f by Christian Heimes at 2018-11-13T13:37:58+01:00
Fix Module 'pytest' has no 'config' member
pytest.config is created dynamically.
See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c00dd211 by Christian Heimes at 2018-11-13T13:37:58+01:00
Fix various dict related pylint warnings
* dict-keys-not-iterating
* dict-values-not-iterating
* dict-items-not-iterating
* dict-iter-method
See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
dc2c71bf by Christian Heimes at 2018-11-13T13:37:58+01:00
Fix raising-format-tuple
See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ec61f5de by Christian Heimes at 2018-11-13T13:37:58+01:00
Silence comparison-with-itself in tests
Test code performs comparison to itself in order to verify __eq__ and
__ne__ implementations.
See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3abfaa57 by Christian Heimes at 2018-11-13T13:37:58+01:00
Require pylint 2.1.1-2
pylint 2.1.1-2 contains a backport of pylint's fix for RHBZ#1648299:
is_subclass_of fails with AttributeError: 'NoneType' object has no
attribute 'name'
pylint 2.1.1-2 is in @freeipa/freeipa-master COPR.
See: https://github.com/PyCQA/pylint/pull/2429
See: https://bugzilla.redhat.com/show_bug.cgi?id=1648299
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a2a293ed by Fraser Tweedale at 2018-11-13T14:19:18+01:00
Print correct subject on CA cert verification failure
In load_external_cert(), if verification fails for a certificate in
the trust chain, the error message contains the last subject name
from a previous iteration of the trust chain, instead of the subject
name of the current certificate.
To report the correct subject, look it up using the current
nickname.
Part of: https://pagure.io/freeipa/issue/7761
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
61e1d7a8 by Fraser Tweedale at 2018-11-13T14:19:18+01:00
certdb: validate certificate signatures
When verifying a CA certificate, validate its signature. This
causes FreeIPA to reject certificate chains with bad signatures,
signatures using unacceptable algorithms, or certificates with
unacceptable key sizes. The '-e' option to 'certutil -V' was the
missing ingredient.
An an example of a problem prevented by this change, a certifiate
signed by a 1024-bit intermediate CA, would previously have been
imported by ipa-cacert-manage, but would cause Dogtag startup
failure due to failing self-test. With this change,
ipa-cacert-manage will reject the certificate:
# ipa-cacert-manage renew --external-cert-file /tmp/ipa.p7
Importing the renewed CA certificate, please wait
CA certificate CN=Certificate Authority,O=IPA.LOCAL 201809261455
in /tmp/ipa.p7 is not valid: certutil: certificate is invalid: The
certificate was signed using a signature algorithm that is
disabled because it is not secure.
Fixes: https://pagure.io/freeipa/issue/7761
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
14ad844b by Florence Blanc-Renaud at 2018-11-13T15:16:35+01:00
ipatests: add missing tests in test_backup_and_restore.py
3 tests were missing from this test file in the nightly tests:
- TestBackupAndRestoreWithReplica
- TestBackupAndRestoreDMPassword
- TestReplicaInstallAfterRestore
one test was having the wrong name in nightly_rawhide:
TestUserRootFilesOwnershipPermission
Related to https://pagure.io/freeipa/issue/7743
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
ee52ceb9 by Alexander Bokovoy at 2018-11-13T17:43:28+01:00
Update translations from Zanata
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
13917ddc by Christian Heimes at 2018-11-14T07:57:13+01:00
certdb: validate server cert signature
PR https://github.com/freeipa/freeipa/pull/2554 added the '-e' option for CA
cert validation. Let's also verify signature, key size, and signing algorithm
of server certs. With the '-e' option, the installer and other
tools will catch weak certs early.
Fixes: pagure.io/freeipa/issue/7761
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
1e2c4d5b by Christian Heimes at 2018-11-15T15:02:13+01:00
Fix pytest deprecation warning
conftest uses the Function attribute of a pytest.Function object. Latest
pytest has deprecated the attribute:
_pytest.warning_types.RemovedInPytest4Warning: usage of Function.Function
is deprecated, please use pytest.Function instead
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
0c0a392d by sudharsanomprakash at 2018-11-15T17:52:10-05:00
Don't use deprecated Apache Access options.
httpd-2.4+ has deprecated the Order, Allow and Deny directives. Use the Require directive instead.
Signed-off-by: Sudharsan Omprakash <sudharsan.omprakash at yahoo.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1ec404fa by Florence Blanc-Renaud at 2018-11-16T09:22:48+01:00
freeipa.spec.in: add BuildRequires for python3-lib389
freeipa.spec.in is missing BuildRequires for python3-lib389. The
consequence is that make fasttest is failing.
Fixes https://pagure.io/freeipa/issue/7767
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
6dc8b0c6 by Serhii Tsymbaliuk at 2018-11-16T10:55:56+01:00
Fix nightly PR CI configuration for Web UI tests
Add strip operator for test_suite definitions (in nightly_*.yaml) to prevent inserting line breaks.
https://pagure.io/freeipa/issue/7756
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
122f968c by Alexander Bokovoy at 2018-11-16T16:54:38-05:00
ipa-kdb: reduce LDAP operations timeout to 30 seconds
Since LDAP operations used by ipa-kdb driver are synchronous, the
timeout specified here is blocking entire KDC. It is worth reducing the
timeout and since AS REQ processing timeout in KDC is 1 minute, reducing
the timeout for LDAP operations down to 30 seconds allows KDC to
respond promptly in worst case scenario as well.
Fixes: https://pagure.io/freeipa/issue/7217
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
- - - - -
7434a329 by Christian Heimes at 2018-11-20T09:31:32+01:00
PR-CI: Restart rpcbind when it blocks kadmin port
Every now and then, a PR-CI job fails because rpcbind blocks the kadmin
port 749/UDP and kadmin.service fails to start. When NFS secure port is
configured, rpcbind reserves a random low port.
A new workaround detects the blocked port and restarts rpcbind.service.
See: https://pagure.io/freeipa/issue/7769
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
55c0a932 by Florence Blanc-Renaud at 2018-11-20T13:34:07+01:00
ipatests: fix test_replica_uninstall_deletes_ruvs
test_topology.py is failing because of a wrong scenario.
Currently, test_replica_uninstall_deletes_ruvs does:
- install master + replica with CA
- ipa-replica-manage list-ruv to check that the repl is
propery setup
- ipa-replica-manage del $replica
- (on replica) ipa-server-install --uninstall -U
- ipa-replica-manage list-ruv to check that replica
does not appear any more in the RUV list
When ipa-replica-manage del is run, the topology plugin
creates 2 tasks cleanallruvs (one for the domain, one for the ca)
and they are run asynchronously. This means that the ruvs may
still be present when the test moves forward and calls list-ruv.
The test should wait for the cleanallruvs tasks to finish before
checking that list-ruv does not display replica anymore.
Fixes https://pagure.io/freeipa/issue/7545
Reviewed-By: Thierry Bordaz <tbordaz at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
23306a28 by Florence Blanc-Renaud at 2018-11-20T15:12:25+01:00
ipa-replica-install: password and admin-password options mutually exclusive
Currently it is possible to run ipa-replica-install in one step,
and provide --password and --admin-password simultaneously.
This is confusing as --password is intended for one-time pwd
when the ipa-replica-install command is delegated to a user
who doesn't know the admin password.
The fix makes --password and --admin-password options
mutually exclusive.
Fixes https://pagure.io/freeipa/issue/6353
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
26e35dca by Florence Blanc-Renaud at 2018-11-20T15:12:25+01:00
ipatests: add test for ipa-replica-install options
Add a test checking that --password and --admin-password
options are mutually exclusive.
Related to https://pagure.io/freeipa/issue/6353
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
1e7be6fb by Florence Blanc-Renaud at 2018-11-21T07:36:01+01:00
ipatests: add missing tests for test_external_ca.py
Some tests were missing from nightly definition:
test_external_ca.py::TestExternalCAdirsrvStop
test_external_ca.py::TestExternalCAInvalidCert
test_external_ca.py::TestMultipleExternalCA
Related to https://pagure.io/freeipa/issue/7743
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
19211257 by Florence Blanc-Renaud at 2018-11-21T07:36:01+01:00
ipatests: add missing tests for test_installation.py
Some tests were missing in the nightly:
- test_installation.py::TestInstallWithCA_DNS3
- test_installation.py::TestInstallWithCA_DNS4
Relates to https://pagure.io/freeipa/issue/7743
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
d18b0d55 by Florence Blanc-Renaud at 2018-11-21T07:36:01+01:00
ipatests: add missing tests for test_replica_promotion.py
The following test was missing from nightly:
test_replica_promotion.py::TestReplicaInstallCustodia
Related to https://pagure.io/freeipa/issue/7743
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
8decef33 by Christian Heimes at 2018-11-21T08:57:08+01:00
Unify and simplify LDAP service discovery
Move LDAP service discovery and service definitions from
ipaserver.install to ipaserver. Simplify and unify different
implementations in favor of a single implementation.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
8182ebc6 by Sergey Orlov at 2018-11-21T10:29:51+01:00
ipatests: add test for ipa-restore in multi-master configuration
Test ensures that after ipa-restore on the master, the replica can be
re-synchronized and a new replica can be created.
https://pagure.io/freeipa/issue/7455
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
a709da67 by François Cami at 2018-11-21T15:41:00+01:00
Add a shared-vault-retrieve test
Add a shared-vault-retrieve test when:
* master has KRA installed
* replica has no KRA
This currently fails because of issue#7691
Related-to: https://pagure.io/freeipa/issue/7691
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
dd0490e1 by François Cami at 2018-11-21T15:41:00+01:00
Add a "Find enabled services" ACI in 20-aci.update so that all users can find IPA servers and services. ACI suggested by Christian Heimes.
Fixes: https://pagure.io/freeipa/issue/7691
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
42fb0cc6 by Varun Mylaraiah at 2018-11-23T10:42:44+01:00
Added test for ipa-client-install with a non-standard ldap.conf file Ticket: https://pagure.io/freeipa/issue/7418
Signed-off-by: Varun Mylaraiah <mvarun at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
58053b27 by Christian Heimes at 2018-11-23T10:44:09+01:00
TestBackupAndRestoreWithReplica needs 2 replicas
The test case TestBackupAndRestoreWithReplica needs two replicas but
PR-CI just had topology: *master_1repl.
Fixes: https://pagure.io/freeipa/issue/7691
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
533a5b26 by Christian Heimes at 2018-11-26T16:54:43+01:00
pylint 2.2: Fix unnecessary pass statement
pylint 2.2.0 has a new checker for unnecessary pass statements. There is
no need to have a pass statement in functions or classes with a doc
string.
Fixes: https://pagure.io/freeipa/issue/7772
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
f800d8f8 by Christian Heimes at 2018-11-26T16:54:43+01:00
pylint: Fix duplicate-string-formatting-argument
pylint 2.2 has a checker for duplicate string formatting argument.
Instead of passing the same argument multiple times, reference the
argument by position.
See: https://pagure.io/freeipa/issue/7772
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
d8791f8f by Christian Heimes at 2018-11-26T16:54:43+01:00
pylint: also verify scripts
Build all scripts in install/tools/ to check them with pylint, so that
``make pylint`` always checks all scripts. The script files are
generated by make.
Please note that fastlint does not check script files.
See: https://pagure.io/freeipa/issue/7772
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
bb4b5581 by Christian Heimes at 2018-11-26T16:54:43+01:00
Address misc pylint issues in CLI scripts
The CLI script files have additional pylint issues that were not noticed
before. The violations include using dict.keys() without directly
iterating of the result, inconsistent return statements and set([])
instead of set literals.
* dict-keys-not-iterating
* inconsistent-return-statements
* onsider-using-set-comprehensio
See: https://pagure.io/freeipa/issue/7772
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
07c163ca by Serhii Tsymbaliuk at 2018-11-27T14:20:34+01:00
Fix "ID views" tests fail after running "Automember" tests
Clear default user/host group before deleting.
https://pagure.io/freeipa/issue/7771
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
3243498f by Christian Heimes at 2018-11-27T14:43:20+01:00
Increase debugging for blocked port 749 and 464
kadmin.service is still failing to start sometimes. List and check both
source and destination ports of listening and non-listening TCP and UDP
sockets.
See: https://pagure.io/freeipa/issue/7769
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
372c2fc9 by Florence Blanc-Renaud at 2018-11-27T17:20:35-05:00
ipaldap.py: fix method creating a ldap filter for IPACertificate
ipa user-find --certificate and ipa host-find --certificate
fail to return matching entries, because the method transforming
the attribute into a LDAP filter does not properly handle
IPACertificate objects.
Directory Server logs show a filter with
(usercertificate=ipalib.x509.IPACertificate object at 0x7fc0a5575b90>)
When the attribute contains a cryptography.x509.Certificate,
the method needs to extract the public bytes instead of calling str(value).
Fixes https://pagure.io/freeipa/issue/7770
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
d2fa2ecb by Florence Blanc-Renaud at 2018-11-27T17:20:35-05:00
ipatests: add xmlrpc test for user|host-find --certificate
There were no xmlrpc tests for ipa user-find --certificate
or ipa host-find --certificate.
The commit adds tests for these commands.
Related to https://pagure.io/freeipa/issue/7770
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
8c650add by Francisco Trivino at 2018-11-28T20:35:31+01:00
prci_definitions: update vagrant memory topology requirements
Memory requirements for master and replica have been increased
due to OOM issues. This PR updates prci_definitions accordingly.
This PR also roll-back ipaserver mem reqs to the previous value
since the WebUI tests were split into different blocks.
Fixes https://pagure.io/freeipa/issue/7777
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
7aceca2d by Adam Williamson at 2018-11-29T16:57:33+01:00
Fix authselect invocations to work with 1.0.2
Since authselect 1.0.2, invoking an authselect command sequence
like this:
['authselect', 'sssd', '', '--force']
does not work: authselect barfs on the empty string arg and
errors out. We must only pass a features arg if we actually have
some text to go in it.
This broke uninstallation.
In all cases, features are now passed as separate arguments instead of one
argument separated by space.
Fixes: https://pagure.io/freeipa/issue/7776
Signed-off-by: Adam Williamson <awilliam at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
25cfeea7 by Diogo Nunes at 2018-11-30T10:03:29+01:00
PR-CI: Move to Fedora 29 template, version 0.2.0
Enable testing (gating and nightly) to use the new F29 template.
Fixes: https://pagure.io/freeipa/issue/7779
Signed-off-by: Diogo Nunes <dnunes at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
800f2690 by Florence Blanc-Renaud at 2018-11-30T11:05:17+01:00
ipa upgrade: handle double-encoded certificates
Issue is linked to the ticket
#3477 LDAP upload CA cert sometimes double-encodes the value
In old FreeIPA releases (< 3.2), the upgrade plugin was encoding twice
the value of the certificate in cn=cacert,cn=ipa,cn=etc,$BASEDN.
The fix for 3477 is only partial as it prevents double-encoding when a
new cert is uploaded but does not fix wrong values already present in LDAP.
With this commit, the code first tries to read a der cert. If it fails,
it logs a debug message and re-writes the value caCertificate;binary
to repair the entry.
Fixes https://pagure.io/freeipa/issue/7775
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
93e3fc4d by Florence Blanc-Renaud at 2018-11-30T11:05:17+01:00
ipatests: add upgrade test for double-encoded cacert
Create a test for upgrade with the following scenario:
- install master
- write a double-encoded cert in the entry
cn=cacert,,cn=ipa,cn=etc,$basedn
to simulate bug 7775
- call ipa-server-upgrade
- check that the upgrade fixed the value
The upgrade should finish successfully and repair
the double-encoded cert.
Related to https://pagure.io/freeipa/issue/7775
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
2616795b by Christian Heimes at 2018-11-30T13:13:52+01:00
Update temp commit template to F29
The temp_commit.yaml template now uses F29 as well. It also contains all
topology configurations from the nightly jobs.
Fixes: https://pagure.io/freeipa/issue/7779
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
8a835daf by Fraser Tweedale at 2018-12-03T10:32:36+01:00
certupdate: add commentary about certmonger behaviour
It is not obvious why we "renew" (reuse only) the IPA CA certificate
in ipa-certupdate. Add some commentary to explain this behaviour.
Related: https://pagure.io/freeipa/issue/7751
See also: https://github.com/freeipa/freeipa/pull/2576#issuecomment-442220840
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
fc70c78e by Thomas Woerner at 2018-12-03T11:26:08+01:00
New firewall support class in ipatests/pytest_ipa/integration/firewall
The new Firewall class provides methods to enable and disable a service,
service lists and also methods to apply a passthrough rule, also to add,
prepend and also remove a list of passthrough rules:
class Firewall
__init__(host)
Initialize with host where firewall changes should be applied
Unmasks, enables and starts firewalld
enable_service(service)
Enable firewall service in firewalld runtime and permanent
environment
disable_service(service)
Disable firewall service in firewalld runtime and permanent
environment
enable_services(services)
Enable list of firewall services in firewalld runtime and
permanent environment
disable_services(services)
Disable list of firewall services in firewalld runtime and
permanent environment
passthrough_rule(rule, ipv=None)
Generic method to get direct passthrough rules to firewalld
rule is an ip[6]tables rule without using the ip[6]tables command..
The rule will per default be added to the IPv4 and IPv6 firewall.
If there are IP version specific parts in the rule, please make
sure that ipv is set properly.
The rule is added to the direct sub chain of the chain that is
used in the rule
add_passthrough_rules(rules, ipv=None)
Add passthough rules to the end of the chain
rules is a list of ip[6]tables rules, where the first entry of each
rule is the chain. No --append/-A, --delete/-D should be added
before the chain name, beacuse these are added by the method.
If there are IP version specific parts in the rule, please make
sure that ipv is set to either ipv4 or ipv6.
prepend_passthrough_rules(rules, ipv=None)
Insert passthough rules starting at position 1 as a block
rules is a list of ip[6]tables rules, where the first entry of each
rule is the chain. No --append/-A, --delete/-D should be added
before the chain name, beacuse these are added by the method.
If there are IP version specific parts in the rule, please make
sure that ipv is set to either ipv4 or ipv6.
remove_passthrough_rules(rules, ipv=None)
Remove passthrough rules
rules is a list of ip[6]tables rules, where the first entry of each
rule is the chain. No --append/-A, --delete/-D should be added
before the chain name, beacuse these are added by the method.
If there are IP version specific parts in the rule, please make
sure that ipv is set to either ipv4 or ipv6.
See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
e3d134e6 by Thomas Woerner at 2018-12-03T11:26:08+01:00
ipatests/pytest_ipa/integration/tasks.py: Configure firewall
install_master: Enable firewall services freeipa-ldap and freeipa-ldaps by
default, enable dns if setup_dns is set and enable freeipa-trust if
setup_adtrust is set. The services are enabled after the master has been
successfully installed.
install_replica: Enable firewall services freeipa-ldap and freeipa-ldaps
by default, enable dns if setup_dns is set and enable freeipa-trust if
setup_adtrust is set. The services are enabled before the replica gets
installed and disabled if the installation failed.
install_adtrust: Enable firewall service freeipa-trust after
ipa-adtrust-install has been called.
uninstall_master: Disable services freeipa-ldap, freeipa-ldaps,
freeipa-trust and dns after ipa-server-install --uninstall -U has been
called.
install_dns: Enable firewall service dns after ipa-dns-install has been
called.
See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
d427e4b2 by Thomas Woerner at 2018-12-03T11:26:08+01:00
ipatests/test_integration/test_forced_client_reenrollment.py: Use unshare
Instead of using iptables command, use "unshare --net" for uninstalling
client in the restore_client method.
The uninstall_client method has been extended with the additional argument
unshare (bool) which defaults to False. With unshare set, the call for
"ipa-client-install --uninstall -U" will be used with "unshare --net". The
uninstall command will not have network access.
See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
5a740144 by Thomas Woerner at 2018-12-03T11:26:08+01:00
ipatests/test_integration/test_http_kdc_proxy.py: Use new firewall import
Instead of using ip[6]tables commands, use new firewall class to deny
access to TCP and UDP port 88 on external machines using the OUTPUT chain..
The iptables calls in the install method are replaced by a
prepend_passthrough_rules call with the rules defined in the class.
The firewall rules are defined in the class as fw_rules without
--append/-A, --delete/-D, .. First entry of each rule is the chain name,
the argument to add or delete the rule will be added by the used Firewall
method. See firewall.py for more information.
The "iptables -F" call (IPv4 only) in the uninstall method is replaced by
a remove_passthrough_rules call with the rules defined in the class.
See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
3ac830c7 by Thomas Woerner at 2018-12-03T11:26:08+01:00
ipatests/test_integration/test_dnssec.py: Enable dns firewall service
The dns firewall service needs to be enabled for the servers and replicas
where dns support has not been enabled at install time. Also it is needed
to enable the dns firewall service on the replica for migrating the dns
server to the replica.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
3a7153c7 by Thomas Woerner at 2018-12-03T11:26:08+01:00
ipatests/test_integration/test_replica_promotion.py: Configure firewall
The tests in this file are calling ipa-[server,replica]-install directly
instead of using methods from tasks. Therefore it is required to enable
or disable the needed firewall services also.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
dde2aa4b by Varun Mylaraiah at 2018-12-03T13:58:19+01:00
ipatests: add tests for NTP options usage on server, replica, and client
The following tests are added in test_ntp_options.py :: TestNTPoptions
- test_server_and_client_install_without_option_n
- test_server_and_client_install_with_option_n
- test_server_and_client_install_with_multiple_ntp_server
- test_server_replica_and_client_install_with_ntp_pool_and_ntp_server
- test_server_and_client_install_with_mixed_options
- test_two_step_replica_install_using_ntp_options
- test_two_step_replica_install_without_ntp_options
Details in the ticket: https://pagure.io/freeipa/issue/7719
and https://pagure.io/freeipa/issue/7723
Signed-off-by: Varun Mylaraiah <mvarun at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
715d1223 by Varun Mylaraiah at 2018-12-03T13:58:19+01:00
nightly_master.yaml Added test_integration/test_ntp_options.py
Signed-off-by: Varun Mylaraiah <mavrun at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
83487c49 by Varun Mylaraiah at 2018-12-03T13:58:19+01:00
nightly_rawhide.yaml Added test_integration/test_ntp_options.py
Signed-off-by: Varun Mylaraiah <mvarun at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
b7ae9f7a by Mohammad Rizwan Yusuf at 2018-12-05T11:00:52+01:00
Test KRA installtion after ca agent cert renewal
KRA installtion was failing after ca-agent cert gets renewed.
This test check if the syptoms no longer exists.
related ticket: https://pagure.io/freeipa/issue/7288
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Petr Cech <pcech at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
7debb4de by Alexander Bokovoy at 2018-12-05T11:03:10+01:00
Update translations from Zanata
Following translations were updated:
- Spanish
- Ukranian
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
52c3c908 by Florence Blanc-Renaud at 2018-12-05T11:06:21+01:00
ipatest: add test for ipa-pkinit-manage enable|disable
Add a test for ipa-pkinit-manage with the following scenario:
- install master with option --no-pkinit
- call ipa-pkinit-manage enable
- call ipa-pkinit-manage disable
- call ipa-pkinit-manage enable
At each step, check that the PKINIT cert is consistent with the
expectations: when pkinit is enabled, the cert is signed by IPA
CA and tracked by 'IPA' ca helper, but when pkinit is disabled,
the cert is self-signed and tracked by 'SelfSign' CA helper.
The new test is added in the nightly definitons.
Related to https://pagure.io/freeipa/issue/7200
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a2301538 by Florence Blanc-Renaud at 2018-12-05T11:06:21+01:00
PKINIT: fix ipa-pkinit-manage enable|disable
The command ipa-pkinit-manage enable|disable is reporting
success even though the PKINIT cert is not re-issued.
The command triggers the request of a new certificate
(signed by IPA CA when state=enable, selfsigned when disabled),
but as the cert file is still present, certmonger does not create
a new request and the existing certificate is kept.
The fix consists in deleting the cert and key file before calling
certmonger to request a new cert.
There was also an issue in the is_pkinit_enabled() function:
if no tracking request was found for the PKINIT cert,
is_pkinit_enabled() was returning True while it should not.
Fixes https://pagure.io/freeipa/issue/7200
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4a938adc by Florence Blanc-Renaud at 2018-12-05T11:09:23+01:00
ipatests: fix TestUpgrade::test_double_encoded_cacert
The test is using a stale ldap connection to the master
(obtained before calling upgrade, and the upgrade stops
and starts 389-ds, breaking the connection).
The fix re-connects before using the ldap handle.
Related to https://pagure.io/freeipa/issue/7775
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
07e6d514 by Christian Heimes at 2018-12-05T11:35:45+01:00
Require Dogtag PKI 10.6.8-3
pki-core 10.6.7 was unpushed and never landed in Fedora stable. The
latest release is 10.6.8-3 with additional fixes. The new versions are
in testing and FreeIPA's master COPR.
Also remove dependency on JSS. The dependency was originally added as a
workaround. The pki-core package already requires a newer version of JSS.
Fixes: https://pagure.io/freeipa/issue/7654
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e7581cc0 by Mohammad Rizwan Yusuf at 2018-12-06T14:33:14+01:00
Test error when yubikey hardware not present
In order to work with IPA and Yubikey, libyubikey is required.
Before the fix, if yubikey added without having packages, it used to
result in traceback. Now it the exception is handeled properly.
It needs Yubikey hardware to make command successfull. This test
just check of proper error thrown when hardware is not attached.
related ticket : https://pagure.io/freeipa/issue/6979
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
97e9e009 by Christian Heimes at 2018-12-07T11:39:23+01:00
Resolve user/group names in idoverride*-find
ipa idoverrideuser-find and ...group-find have an --anchor argument. The
anchor argument used to support only anchor UUIDs like
':IPA:domain:UUID' or ':SID:S-sid'. The find commands now detect regular
user or group names and translate them to anchors.
Fixes: https://pagure.io/freeipa/issue/6594
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
5a2a7151 by Christian Heimes at 2018-12-07T11:39:23+01:00
Add integration tests for idviews
Add several tests to verify new anchor override and general idview
override functionality.
Fixes: https://pagure.io/freeipa/issue/6594
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
f52e0e31 by Christian Heimes at 2018-12-07T11:39:23+01:00
Run idviews integration tests in nightly
See: https://pagure.io/freeipa/issue/6594
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
03edd82d by Diogo Nunes at 2018-12-07T09:44:34-02:00
PR-CI: Add gating tests to nightly_[master, f28, rawhide]
The objective of this change is to address the problem mentioned in this
thread: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org/message/FIOWT53LJMAZQYHOTT4BEAJX5Q6422LB/
Since the concept of nightly is being a superset of gating, the gating
tests are incorporated in nightly in this commit.
Fixes: https://pagure.io/freeipa/issue/7788
Signed-off-by: Diogo Nunes <dnunes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
a0e09526 by Oleg Kozlov at 2018-12-07T14:06:29+01:00
Check pager's executable before subprocess.Popen
Get the value of `PAGER` environment variable in case it's defined, check the executable, if it exists - use a pager, otherwise - print function.
Fixes: https://pagure.io/freeipa/issue/7746
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
228d1c81 by Thomas Woerner at 2018-12-07T17:29:59+01:00
ipatests integration/tasks.py: Honor clean for firewall in uninstall_master
This fix will make sure that the firewall services are only cleaned up if
the clean flag is True for example for backup and restore tests where the
clean flag is set to False for the server uninstall.
See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
8e25ee64 by Thomas Woerner at 2018-12-07T17:29:59+01:00
ipatests/test_integration/test_backup_and_restore.py: No clean master uninstall
test_replica_install_after_restore is calling tasks.uninstall_master which
is disabling the firewall services for freeipa. The following ipa-restore
call is not reapplying the firewall settings. Calling tasks.uninstall_master
with clean=False will disable the firewall cleanup.
See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
f86b410f by Thomas Woerner at 2018-12-07T17:29:59+01:00
ipatests/test_integration/test_replica_promotion.py: Fix firewall config
The firewall needs to be configured before installing replicas.
See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
a6862bd7 by Thomas Woerner at 2018-12-07T17:29:59+01:00
ipatests/test_integration/test_server_del.py: Enable dns in fw for dnssec
test_install_dns_on_replica1_and_dnssec_on_master now also enables the
dns servive in the firewall of the master.
See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
cdfbcd40 by Diogo Nunes at 2018-12-07T17:44:05+01:00
Fix f52e0e31f7c76a3cd6b9b51aeba120c4ba3f38c9 typo in tests label definition.
Signed-off-by: Diogo Nunes <dnunes at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
a81ea9af by Florence Blanc-Renaud at 2018-12-10T17:04:56+01:00
ipatests: fix test_full_backup_and_restore
The test is failing when calling (on the replica)
ipa-replica-manage re-initialize --from <master>
because the tool needs to resolve master.
The test does not set /etc/resolv.conf on the replica, as a
consequence it relies on whatever DNS server is configured in
your test environment prior to launching the test, and makes
the test unreliable.
In PR-CI env, /etc/resolv.conf points to the machine hosting
the replica vm, which is unable to resolve master.ipa.test.
The fix is modifying the replica's /etc/resolv.conf to use the
master as DNS.
Fixes https://pagure.io/freeipa/issue/7778
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
c09927d1 by Christian Heimes at 2018-12-11T12:14:32+01:00
Handle service_del with bad service name
The command 'ipa service-del badservice' used to fail with an internal
server error, because check_required_principal() could not handle a
principal that is not a service principal. All del commands have less
strict error checking of primary keys so they can reference any stored
key, even illegal ones.
check_required_principal() skips required principal check if the
principal is not a service principal. A non-service principal can never
be a required principal.
Fixes: https://pagure.io/freeipa/issue/7793
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
39eaf2fa by Christian Heimes at 2018-12-11T12:16:00+01:00
Add index and container for RFC 2307 IP services
IPA doesn't officially support RFC 2307 IP services. However SSSD has a
nsswitch plugin to provide service lookups. The subtree search for
(&(ipserviceport=$PORT)(ipserviceprotocol=$SRV)(objectclass=ipservice)) in
cn=accounts,$SUFFIX has caused performance issues on large
installations.
This patch introduced a dedicated container
cn=ipservices,cn=accounts,$SUFFIX for IP services for future use or 3rd
party extensions. SSSD will be change its search base in an upcoming
release, too.
A new ipServicePort index is added to optimize searches for an IP
service by port. There is no index on ipServiceProtocol because the index
would have poor selectivity. An ipService entry has either 'tcp' or 'udp'
as protocol.
Fixes: https://pagure.io/freeipa/issue/7797
See: https://pagure.io/freeipa/issue/7786
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d6fd2ad4 by Christian Heimes at 2018-12-11T13:46:52+01:00
Remove dead code
set_sssd_domain_option() is no longer used. Changes are handled by
sssd_update().
See: https://pagure.io/freeipa/issue/7751
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
917d81b8 by Christian Heimes at 2018-12-11T13:46:52+01:00
Allow HTTPd user to access SSSD IFP
For smart card and certificate authentication, Apache's
mod_lookup_identity module must be able to acess SSSD IFP. The module
accesses IFP as Apache user, not as ipaapi user.
Apache is not allowed to use IFP by default. The update code uses the
service's ok-to-auth-as-delegate flag to detect smart card / cert auth.
See: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
0a2222ea by Christian Heimes at 2018-12-11T13:46:52+01:00
Smart card auth advise: Allow Apache user
Modify the smard card auth advise script to use sssd_enable_ifp() in
order to allow Apache to access SSSD IFP.
See: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a86abd37 by Christian Heimes at 2018-12-11T13:46:52+01:00
Log stderr in run_command
pytest_multihost's run_command() does not log stderr when a command
fails. Wrap the function call to log stderr so it's easier to debug
failing tests.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f0e11dac by Christian Heimes at 2018-12-11T13:46:52+01:00
Test smart card advise scripts
Create and execute the server and client smart card advise scripts.
See: See: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f330c59d by Christian Heimes at 2018-12-11T13:46:52+01:00
Add install/remove package helpers to advise
The smart card advise scripts assume that yum is installed. However
Fedora has dnf and the yum wrapper is not installed by default.
Installation and removal of packages is now provided by two helper
methods that detect the package manager.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a9f34c76 by Christian Heimes at 2018-12-13T14:53:38+01:00
Disable nss-p11-kit crypto policy for tests
NSS 3.40 and 3.41 enable p11-kit proxy. The PKCS#11 proxy loads all
PKCS#11 providers including the default SoftHSM2 token. On Fedora 28
OpenLDAP is patched to use Mozilla NSS. Because the SoftHSM2 token is
protected, the OpenLDAP function tlsmc_extract_cacerts() blocks because
it is waiting for PIN.
Delete the p11-kit policy and regenerate crypto policy.
OpenLDAP debug output:
ldap_url_parse_ext(ldap://master.ipa.test:389/)
TLSMC: MozNSS compatibility interception begins.
tlsmc_intercept_initialization: INFO: entry options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/etc/dirsrv/slapd-IPA-TEST'
tlsmc_intercept_initialization: INFO: certfile = `(null)'
tlsmc_intercept_initialization: INFO: keyfile = `(null)'
tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `/etc/dirsrv/slapd-IPA-TEST'.
tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `/etc/dirsrv/slapd-IPA-TEST` prefix ``.
tlsmc_open_nssdb: INFO: initialized MozNSS context.
tlsmc_convert: INFO: trying with PEM dir = `/tmp/openldap-tlsmc-slapd-IPA-TEST--CFD75CD2496FD947611EE486C199DB7DE06AF86D5CD28715BAD24414827D1987'.
tlsmc_convert: WARN: will try to create PEM dir.
tlsmc_prepare_dir: INFO: preparing PEM directory `/tmp/openldap-tlsmc-slapd-IPA-TEST--CFD75CD2496FD947611EE486C199DB7DE06AF86D5CD28715BAD24414827D1987'.
tlsmc_prepare_dir: INFO: creating a subdirectory `cacerts'.
tlsmc_prepare_dir: INFO: successfully created PEM directory structure.
***NSS 3.40 BLOCKS HERE***
tlsmc_extract_cacerts: INFO: found cert nick=`Server-Cert', _not_ a trusted CA, skipping.
tlsmc_extract_cacerts: INFO: found cert nick=`Self-Signed-CA', a trusted CA.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
18f610ca by Christian Heimes at 2018-12-13T16:55:41+01:00
Always collect test logs
mh.install() is the default multi host installer. Most integration test
classes use it to install master, replicas, and clients. In case of a
failed installation, the test collector step is skipped.
Guard log collection with a try/finally block so logs are always
collected.
Also collect journald output for mh.install() steps. The journal output
was missing from installation logs and were only available in each test
step.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
0fb87bfe by Christian Heimes at 2018-12-13T17:04:00+01:00
LDAPUpdate: Batch index tasks
The LDAPUpdate framework now keeps record of all changed/added indices
and batches all changed attribute in a single index task. It makes
updates much faster when multiple indices are added or modified.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ed436e4b by Christian Heimes at 2018-12-13T17:04:00+01:00
Add more LDAP indices
An index is used to optimize an LDAP operation. Without an index, 389-DS
has to perform a partial or even full table scan. A full database scan can
easily take 10 seconds or more in a large installation.
* automountMapKey: eq, pres (was: eq)
* autoMountMapName: eq
* ipaConfigString: eq
* ipaEnabledFlag: eq
* ipaKrbAuthzData: eq, sub
* accessRuleType: eq
* hostCategory: eq
automountMapKey and autoMountMapName filters are used for automount.
Installation and service discovery (CA, KRA) use ipaConfigString to find
active services and CA renewal master.
SSSD filters with ipaEnabledFlag, accessRuleType, and hostCategory to
find and cache HBAC rules for each host.
ipaKrbAuthzData is used by ipa host-del. The framework performs a
'*arg*' query, therefore a sub index is required, too.
Partly fixes: https://pagure.io/freeipa/issue/7786
Fixes: https://pagure.io/freeipa/issue/7787
Fixes: https://pagure.io/freeipa/issue/7790
Fixes: https://pagure.io/freeipa/issue/7792
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a34d92d2 by Christian Heimes at 2018-12-13T17:04:00+01:00
Create reindex task for ipaca DB
pkispawn sometimes does not run its indextasks. This leads to slow
unindexed filters on attributes such as description, which is used
to log in with a certificate. Explicitly reindex attribute that
should have been reindexed by CA's indextasks.ldif.
See: https://pagure.io/dogtagpki/issue/3083
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
faa122a8 by Florence Blanc-Renaud at 2018-12-13T20:29:41+01:00
replication: check remote ds version before editing attributes
When the remote server has an old DS version, update of the
replication attributes nsds5ReplicaReleaseTimeout nsds5ReplicaBackoffMax
and nsDS5ReplicaBindDnGroupCheckInterval fails even if the remote
schema has been updated.
Check first the remote server version and update the attributes only if
the version is high enough.
A previous fix was already performing this check (commit 02f4a7a),
but not in all the cases. This fix also handles when the remote server
already has a cn=replica entry (for instance because it has already
established replication with another host).
Fixes https://pagure.io/freeipa/issue/7796
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
18cac460 by Serhii Tsymbaliuk at 2018-12-13T21:14:57+01:00
WebUI: Temporary fix for UnexpectedAlertPresentException
It is regression in Firefox 55
Fixed in Firefox 65:
https://bugzilla.mozilla.org/show_bug.cgi?id=1503015
https://pagure.io/freeipa/issue/7809
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
f28a8177 by Oleg Kozlov at 2018-12-14T09:15:42+01:00
Replace nss.conf with zero-length file instead of removing
Empty nss.conf avoids recreation of nss.conf in case `mod_nss` package is reinstalled. It is needed because by default (e.g. recreated) nss.conf has `Listen 8443` while this port is used by dogtag.
Fixes: https://pagure.io/freeipa/issue/7745
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
97f87513 by François Cami at 2018-12-14T10:15:04+01:00
Fix NFS unit names
NFS unit names were renamed.
Compatibility was maintained with older unit names
through symlinks. When these symlinks are removed
only new unit names work, so changing to using non-
symlink unit names is required.
Fixes: https://pagure.io/freeipa/issue/7783
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6a56aa6d by François Cami at 2018-12-14T10:15:04+01:00
ipa-client-automount: use nfs-utils unit
- remove nfs-idmapd from units we enable & start as:
- it is not used on NFS clients anymore
- it is a static unit
- remove rpc-gssd as well as it is a static unit
- restart nfs-utils and rpc-gssd
- manage systemctl-related exceptions during uninstall
Fixes: https://pagure.io/freeipa/issue/7780
Fixes: https://pagure.io/freeipa/issue/7781
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
7c0b0f34 by François Cami at 2018-12-14T10:15:04+01:00
ipatests: add a test for ipa-client-automount
Add an automount location then configure a client
to use it. Only runs nightly.
Related-to: https://pagure.io/freeipa/issue/7780
Related-to: https://pagure.io/freeipa/issue/7781
Related to: https://pagure.io/freeipa/issue/7783
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
caffe2e8 by Christian Heimes at 2018-12-14T13:44:28+01:00
Fix test_advise in nightly runs
test_advise now needs one client, too.
See: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
e62eb000 by Alexander Bokovoy at 2018-12-14T14:04:02+01:00
ipa-sidgen: make internal fetch_attr helper really internal
With 389-ds landing a change for
https://pagure.io/389-ds-base/issue/49950, fetch_attr() helper function
is exposed in slapi-plugin.h. However, in order to be able to build
FreeIPA plugins against older 389-ds versions, prefer using a local
variant of it.
Rename fetch_attr() to ipa_sidgen_fetch_attr() so that it doesn't
conflict at all.
Fixes: https://pagure.io/freeipa/issue/7811
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
d7107342 by Christian Heimes at 2018-12-17T13:35:13+01:00
Require 3.41.0-3 on Fedora 28
nss-3.41.0-3.fc28 fixes an issue with p11-kit crypto policy that caused
OpenLDAP to fail when SoftHSM2 is installed. The build is available in
Fedora updates-testing and @freeipa/freeipa-master COPR.
nss-3.41.0-1.fc29 is available in F29 stable.
See: https://pagure.io/freeipa/issue/7810
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
c0fd5e39 by Florence Blanc-Renaud at 2018-12-19T14:19:46+01:00
replica install: set the same master as preferred source for domain and CA
During ipa-replica-install, the installer creates a ReplicaConfig
object that contains a config.ca_host_name attribute, built from
api.env.ca_host.
This attribute is used as preferred source when asking the DNS for a CA
master from which to initialize the CA instance
(see commit 8decef33 for master selection and preferred host).
In most of the cases, /etc/ipa/default.conf does not contain any
definition for ca_host. In this case, api.env.ca_host is set to
the local hostname.
As a consequence, replica install is trying to use the local host
as preferred source (which does not have any CA yet), and the method
to find the CA source randomly picks the CA in the DNS.
With the fix, the master picked for domain replication is also used as
preferred source for CA/KRA.
Fixes: https://pagure.io/freeipa/issue/7744
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
0e5a8fbb by Oleg Kozlov at 2018-12-21T15:54:00+01:00
Remove stale kdc requests info files when upgrading IPA server
Added removing of stale /var/lib/sss/pubconf/kdcinfo.* and /var/lib/sss/pubconf/kpasswdinfo.* files generated by SSSD during IPA server upgrade.
Fixes: https://pagure.io/freeipa/issue/7578
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
7688808d by Christian Heimes at 2019-01-03T12:44:10+01:00
Add index on idnsName
The data structures for the internal DNS server use the attribute idnsName
instead of cn in the DN. It's also used to search for entries when entries
are added, modified, or removed.
The new index speeds up dnsrecord and dnszone related commands as well
as commands like host-add and host-del --updatedns.
Fixes: https://pagure.io/freeipa/issue/7803
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
670bcc01 by Christian Heimes at 2019-01-08T17:25:56+01:00
Require 389-DS = 1.4.0.16
CI is failing with 389-DS 1.4.0.20-1. Pin dependency to 1.4.0.16 for
now.
Note: RPM/DNF don't like a pin with dash. Therefore I had to change
ds_version from 1.4.0.16-1 to 1.4.0.16.
Fixes: https://github.com/freeipa/freeipa/pull/2731
See: https://pagure.io/389-ds-base/pull-request/50121
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
e5be4092 by Christian Heimes at 2019-01-08T17:25:56+01:00
Make conftest compatible with pytest 4.x
pytest 3.6 has deprecated get_marker in 3.6. The method was removed in 4.x
and replaced with get_closest_marker.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
77852105 by Florence Blanc-Renaud at 2019-01-09T09:51:31+01:00
pkinit enable: use local dogtag only if host has CA
ipa-pkinit-manage enable is failing if called on a master
that does not have a CA instance, because it is trying to
contact dogtag on the localhost.
The command should rather use certmonger in this case, and
let certmonger contact the right master to request the KDC
certificate.
Fixes: https://pagure.io/freeipa/issue/7795
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
64be3141 by Florence Blanc-Renaud at 2019-01-09T09:51:31+01:00
ipatests: add integration test for pkinit enable on replica
ipa-pkinit-manage enable was failing when run on a replica
without a CA instance.
Add a test with the following scenario:
- install a replica with --no-pkinit
- check that the KDC cert is self signed
- call ipa-pkinit-manage enable
- check that the KDC cert is signed by IPA CA
Related to https://pagure.io/freeipa/issue/7795
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
3bed3d4d by Christian Heimes at 2019-01-09T11:15:35+01:00
Use debug logger in ntpd_cleanup()
ipa-server-update shows spurious warnings when updating a server, e.g.
No such file name in the index
Warning: NTP service entry was not found in LDAP.
Lower all log levels in ntpd_cleanup() to debug to not confuse the user.
Fixes: https://pagure.io/freeipa/issue/7829
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3c38aea6 by Alexander Bokovoy at 2019-01-10T11:24:08+01:00
ipaserver/dcerpc: fix exclusion entry with a forest trust domain info returned
When looking through the topology of a trusted forest, we should support
all types of forest trust records. Since Samba Python bindings parse the
data into a typed structure, a type of the record has to be taken into
account or there will be type mismatch when accessing elements of the
union:
typedef [switch_type(lsa_ForestTrustRecordType)] union {
[case(LSA_FOREST_TRUST_TOP_LEVEL_NAME)] lsa_StringLarge top_level_name;
[case(LSA_FOREST_TRUST_TOP_LEVEL_NAME_EX)] lsa_StringLarge top_level_name_ex;
[case(LSA_FOREST_TRUST_DOMAIN_INFO)] lsa_ForestTrustDomainInfo domain_info;
[default] lsa_ForestTrustBinaryData data;
} lsa_ForestTrustData;
typedef struct {
lsa_ForestTrustRecordFlags flags;
lsa_ForestTrustRecordType type;
NTTIME_hyper time;
[switch_is(type)] lsa_ForestTrustData forest_trust_data;
} lsa_ForestTrustRecord;
typedef [public] struct {
[range(0,4000)] uint32 count;
[size_is(count)] lsa_ForestTrustRecord **entries;
} lsa_ForestTrustInformation;
Each entry in the lsa_ForestTrustInformation has forest_trust_data
member but its content depends on the value of a type member
(forest_trust_data is a union of all possible structures).
Previously we assumed only TLN or TLN exclusion record which were
of the same type (lsa_StringLarge). Access to forest_trust_data.string
fails when forest_trust_data's type is lsa_ForestTrustDomainInfo as it
has no string member.
Fix the code by properly accessing the dns_domain_name from the
lsa_ForestTrustDomainInfo structure.
Fixes: https://pagure.io/freeipa/issue/7828
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
2aa24eed by Alexander Bokovoy at 2019-01-10T11:24:08+01:00
make sure IPA_CONFDIR is used to check that client is configured
Fixes a test ipatests/test_cmdline/test_cli.py:test_cli_fs_encoding()
which sets IPA_CONFDIR and attempts to interpret the resulting error
message. However, if the test is run on an enrolled machine (a
developer's laptop, for example), check_client_configuration() will
succeed because it ignores IPA_CONFDIR and, as result, api.finalize()
will fail later with a stacktrace.
Pass an environment object and test an overridden config file existence
in this case to fail with a proper and expected message.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
8276caf8 by Christian Heimes at 2019-01-10T12:57:14+01:00
Don't use Python dependency generator yet
Fedora 30 started to have python_enable_dependency_generator by default.
Some packages like python3-dbus don't have the new dist names yet. This
fix enables testing on rawhide.
https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c26cb5af by Christian Heimes at 2019-01-11T12:00:31+01:00
Require krb5 with fix for CVE-2018-20217
A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5
(aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using
an older encryption type (single-DES, triple-DES, or RC4), the attacker
can crash the KDC by making an S4U2Self request.
1.16.1-24 comes without Fix-bugs-with-concurrent-use-of-MEMORY-ccaches,
which caused a regression with IPA.
See: https://nvd.nist.gov/vuln/detail/CVE-2018-20217
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2ef6e14c by Christian Heimes at 2019-01-11T16:45:05+01:00
Create systemd-user HBAC service and rule
authselect changed pam_systemd session from optional to required. When
the HBAC rule allow_all is disabled and replaced with more fine grained
rules, loginsi now to fail, because systemd's user at .service is able to
create a systemd session.
Add systemd-user HBAC service and a HBAC rule that allows systemd-user
to run on all hosts for all users by default. ipa-server-upgrade creates
the service and rule, too. In case the service already exists, no
attempt is made to create the rule. This allows admins to delete the
rule permanently.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1643928
Fixes: https://pagure.io/freeipa/issue/7831
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
5ee68740 by Thomas Woerner at 2019-01-11T20:01:54+01:00
Enable firewall in the tests for PR CI
The firewall has not been enabled in the tests for PR CI so far. With these
steps this is done now:
install_packages: Install firewalld, enable and start firewalld service.
install_server: Enable firewalld services freeipa-ldap freeipa-ldaps and
dns after server installation.
run_tests: Disable firewalld services freeipa-ldap freeipa-ldaps and dns
after server uninstallation.
Related-to: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
ef7a9037 by Serhii Tsymbaliuk at 2019-01-14T10:16:58+01:00
Fix "Configured size limit exceeded" warning on Web UI
Suppress size limit warning in 'refresh' command.
Ticket: https://pagure.io/freeipa/issue/7603
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
9b90ebf4 by Rob Crittenden at 2019-01-15T09:41:22+01:00
Remove 389-ds templates now that lib389 is used for installs
The templates created the inf files for calling the 389-ds
installer setup-ds.pl. Now that lib389 is being used for installation
these are no longer necessary.
Related: https://pagure.io/freeipa/issue/4491
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
96518136 by Christian Heimes at 2019-01-15T14:29:22-05:00
Fix systemd-user HBAC rule
2ef6e14c5a87724a3b37dd5f0817af48c4411e03 added an invalid HBAC rule that
encoded the service wrongly.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1643928
Fixes: https://pagure.io/freeipa/issue/7831
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e3f37960 by Stanislav Levin at 2019-01-16T08:57:51+01:00
Don't use cross-origin request
'Origin' for IPA login page is 'httpS://xxx'. But 'configured' link
has URL like 'http://xxx/ssbrowser.html'.
Since IPA web server doesn't use any kind of Access-Control-Allow-Origin
rules Mozilla Firefox blocks Cross-Origin request due to the Same Origin
policy violation.
So, just follow the Same Origin policy.
Fixes: https://pagure.io/freeipa/issue/7832
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
256f2982 by Christian Heimes at 2019-01-17T14:29:34+01:00
Mark failing NTP test as expected failure
See: https://pagure.io/freeipa/issue/7719
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
49cc72d5 by Sergey Orlov at 2019-01-17T14:36:27+01:00
Remove unused tests
Two tests in test_intgration/test_authselect.py were marked as
skipped in c5cdd5a5f0 due to removing of --no-sssd and --no-ac options.
Tests are not needed any more.
Fixes: https://pagure.io/freeipa/issue/7841
Signed-off-by: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
165a9411 by Christian Heimes at 2019-01-18T11:33:11+01:00
Don't configure KEYRING ccache in containers
Kernel keyrings are not namespaced yet. Keyrings can leak into other
containers. Therefore keyrings should not be used in containerized
environment.
Don't configure Kerberos to use KEYRING ccache backen when a container
environment is detected by systemd-detect-virt --container.
Fixes: https://pagure.io/freeipa/issue/7807
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
63fa87a3 by Florence Blanc-Renaud at 2019-01-22T16:38:59+01:00
replica installation: add master record only if in managed zone
Scenario: install a replica with DNS, whose IP address is part of a
forward zone.
Currently, the replica installation fails because the installer is
trying to add a A/AAAA record for the replica in the zone
when setting up the bind instance, and addition of records in a
forward zone is forbidden.
The bind installer should check if the IP address is in a master zone
(i.e. a DNS zone managed by IdM, not a forward zone), and avoid
creating the record if it's not the case.
During uninstallation, perform the same check before removing the
DNS record (if in a forward zone, no need to call dnsrecord-del).
Fixes: https://pagure.io/freeipa/issue/7369
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
a91e645a by Florence Blanc-Renaud at 2019-01-22T16:38:59+01:00
ipatests: add test for replica in forward zone
Scenario:
install a replica with DNS, with the replica part of a forward zone.
The replica installation should proceed successfully and avoid
trying to add a DNS record for the replica in the forward zone,
as the forward zone is not managed by IPA DNS.
Test added to nightly definitions.
Related to https://pagure.io/freeipa/issue/7369
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
19b1eb1f by Christian Heimes at 2019-01-29T12:44:19+01:00
Use expanduser instead of HOME env var
The HOME directory may not be available in containers. It's also the
wrong variable on some platforms. Use os.path.expanduser() instead of
HOME.
Fixes: https://pagure.io/freeipa/issue/7837
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2ba969da by Christian Heimes at 2019-01-29T12:44:19+01:00
Add workaround for lib389 HOME bug
lib389 <= 1.4.0.20 needs HOME env var. Temporary set env var until
lib389 is fixed.
See: https://pagure.io/389-ds-base/issue/50152
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ae74d348 by Christian Heimes at 2019-01-29T12:47:15+01:00
Add workaround for slow host/service del
host-del and service-del are slow because cert revokation is implemented
inefficiently. The internal cert_find() call retrieves all certificates
from Dogtag.
The workaround special cases service and host find without additional RA
search options. A search for service and host certs limits the scope to
certificate with matching subject common name.
See: https://pagure.io/freeipa/issue/7835
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6cd37542 by Christian Heimes at 2019-01-29T12:47:15+01:00
Optimize cert remove case
The cert_remove and mod subcommands for service and host now pass in the
name to cert_find() to benefit from special cases.
See: https://pagure.io/freeipa/issue/7835
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
76437dc8 by Serhii Tsymbaliuk at 2019-01-29T16:19:02+01:00
Split test_webui_hosts PRCI tests
Web UI test_host is too heavy and causes timeout errors during night runs,
so it is moved to separate configuration.
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
13f20854 by Sergey Orlov at 2019-01-29T14:42:13-05:00
Remove obsolete tests from test_caless.py
Related issue #4270 is closed as "won't fix" after 4 years.
The tests are obsolete now.
See: https://pagure.io/freeipa/issue/4271
See: https://pagure.io/freeipa/issue/4270
Signed-off-by: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
53e0b225 by Christian Heimes at 2019-01-30T08:06:02+01:00
ipa-getkeytab: resolve symlink
Resolve one level of symbolic links to support a dangling symlink as
keytab target. To prevent symlink attacks, only resolve symlink when the
symlink is owned by the current effective user and group, or by root.
Fixes: https://pagure.io/freeipa/issue/4607
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
20d8286b by Sergey Orlov at 2019-01-30T08:16:55+01:00
ipatests: fix ldap server url
master.external_hostname was used to construct ldap url
which caused ldappasswd utility to exit with error due to host name
mismatch in client certificate. master.hostname should be used instead
as this name is used to generate certificate.
Fixes https://pagure.io/freeipa/issue/7844
Signed-off-by: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
146168d4 by Mohammad Rizwan Yusuf at 2019-02-01T13:27:10+01:00
Check if issuer DN is updated after external-ca > self-signed
This test checks if issuer DN is updated properly after CA is
renewed back from external-ca to self-signed
related ticket : https://pagure.io/freeipa/issue/7762
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
fd4b84d6 by Rob Crittenden at 2019-02-01T13:54:49-05:00
tests: Don't provide explicit hostname to ldapmodify
Manual revert of bbac233b5ee487ab0e035cf0b861144769a0b738
The assumption was that ldap.conf was hosed and it couldn't
tell what hostname to use so one was hardcoded. This code
doesn't explicitly test that ldap.conf is sane but it is
a nice side-effect I suppose.
https://pagure.io/freeipa/issue/5880
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
ed74b898 by Rob Crittenden at 2019-02-04T09:12:29+01:00
Update mod_nss cipher list so there is overlap with a 4.x master
dogtag updated its cipher list, disabling a lot of ciphers, which
causes an overlap problem with a RHEL 6.x IPA master.
This update script adds the two available ciphers to the nss.conf
so that creating a CA replica is possible.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
88795fb9 by Serhii Tsymbaliuk at 2019-02-04T14:14:26+01:00
Fix certificate revocation tests for Web UI
- correct revocation date before search
- increase timeouts
https://pagure.io/freeipa/issue/7834
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
0b17ae90 by Christian Heimes at 2019-02-04T14:24:15-05:00
Require 389-ds 1.4.0.21
1.4.0.21 fixes a problem with create_suffix_entry and uses
os.path.expanduser() instead of getenv('HOME').
See: https://pagure.io/389-ds-base/pull-request/50121
See: https://pagure.io/389-ds-base/issue/49984
See: https://pagure.io/389-ds-base/issue/50152
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
dc33be73 by Christian Heimes at 2019-02-04T14:24:15-05:00
Mark two failing automember tests as xfail
Two automember tests of the XML-RPC test suite have started to fail with
389-DS 1.4.0.21 update. The test failure seems to be related to a change of
389-DS' automember plugin,
https://www.port389.org/docs/389ds/design/automember-postop-modify-design.html.
See: https://pagure.io/freeipa/issue/7855
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d5d9233b by Christian Heimes at 2019-02-05T08:39:13-05:00
Move realm_to_serverid/ldap_uri to ipaldap
The helper function realm_to_serverid() and realm_to_ldap_uri() are
useful outside the server installation framework. They are now in
ipapython.ipaldap along other helpers for LDAP handling in FreeIPA.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
5be9341f by Christian Heimes at 2019-02-05T08:39:13-05:00
Add constructors to ldap client
Add LDAPClient.from_realm(), LDAPClient.from_hostname_secure(), and
LDAPClient.from_hostname_plain() constructors.
The simple_bind() method now also refuses to transmit a password over a
plain, unencrypted line.
LDAPClient.from_hostname_secure() uses start_tls and FreeIPA's CA cert
by default. The constructor also automatically disables start_tls for
ldaps and ldapi connections.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
a3934a21 by Christian Heimes at 2019-02-05T08:39:13-05:00
Use new LDAPClient constructors
Replace get_ldap_uri() + LDAPClient() with new LDAPClient constructors
like LDAPClient.from_realm().
Some places now use LDAPI with external bind instead of LDAP with simple
bind. Although the FQDN *should* resolve to 127.0.0.1 / [::1], there is
no hard guarantee. The draft
https://tools.ietf.org/html/draft-west-let-localhost-be-localhost-04#section-5.1
specifies that applications must verify that the resulting IP is a
loopback API. LDAPI is always local and a bit more efficient, too.
The simple_bind() method also prevents the caller from sending a
password over an insecure line.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1a2ceb15 by Christian Heimes at 2019-02-05T08:39:13-05:00
Use secure LDAP connection in tests
Integration tests are now using StartTLS with IPA's CA cert instead of
plain text connections.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e4fff900 by Christian Heimes at 2019-02-05T08:39:13-05:00
Use LDAPS when installing CA on replica
On a replica, 389-DS is already configured for secure connections when
the CA is installed.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d87a3b01 by Christian Heimes at 2019-02-05T08:39:13-05:00
Let 389-DS configure LDAPI for us
The new lib389 installer configures LDAPI with correct socket path by
default. Use LDAPI to boot strap the IPA domain and autobind.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
73bc11a2 by Christian Heimes at 2019-02-05T08:39:13-05:00
Add ldapmodify/search helper functions
Move common LDAP commands to ldapmodify_dm() and ldapsearch_dm() helper
functions.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
bf1875a0 by Serhii Tsymbaliuk at 2019-02-06T18:11:56+01:00
Web UI tests: Get rid of *_cert_path and *_csr_path config variables
Web UI tests now don't require additional configuration to test certificates.
Self-signed certificates and CSR are generated on fly.
Next variables from ~/.ipa/ui_test.conf for now are deprecated:
- arbitrary_cert_path
- service_csr_path
- user_csr_path
Ticket: https://pagure.io/freeipa/issue/7843
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
b763bc79 by Serhii Tsymbaliuk at 2019-02-06T18:11:56+01:00
Fix test_arbitrary_certificates for Web UI
- fix selector for "Add" button in the certificate dialog
- specify selector for the certificate dialog
Ticket: https://pagure.io/freeipa/issue/7843
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
0376d704 by Florence Blanc-Renaud at 2019-02-06T13:13:46-05:00
Tests: fix option name for dsctl
389-ds-base has modified one option name in dsctl, and our test
test_uninstallation.py::TestUninstallBase::()::test_failed_uninstall
is still using the old option (--doit) instead of the new one
(--do-it).
Fixes: https://pagure.io/freeipa/issue/7856
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
93fb037d by Christian Heimes at 2019-02-07T12:33:45+01:00
Compile IPA modules with C11 extensions
- define __STDC_WANT_LIB_EXT1__ to get C11 extensions like memset_s() for
Samba's ZERO_STRUCT() macro, see
https://en.cppreference.com/w/c/string/byte/memset
- _DEFAULT_SOURCE enables features like htole16() from endian.h, see
http://man7.org/linux/man-pages/man3/endian.3.html
- _POSIX_C_SOURCE >= 200809 enables features like strndup() from string.h,
see http://man7.org/linux/man-pages/man3/strndup.3.html
- time_t is no longer implicitly defined, include time.h
- typeof() is only available as GNU extension. Use explicit types
instead of generic __typeof__().
Fixes: https://pagure.io/freeipa/issue/7858
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d4d0b8a0 by Christian Heimes at 2019-02-07T13:21:18+01:00
Update build requirements on twine
On Fedora >= 29 the command 'twine' is provied by the twine package. On
F28 it's in python3-twine. F30 no longer has python3-twine.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
272837f1 by Christian Heimes at 2019-02-07T13:38:34+01:00
Remove ZERO_STRUCT() call
ipa_sam uses Samba's macro ZERO_STRUCT() to safely zero out a block in
memory. On F30 ZERO_STRUCT() is currently broken, because it uses the
undefined C11 function memset_s().
During investigation of the bug, it turned out that
ZERO_STRUCT(td->security_identifier) is not needed. The whole td struct
is allocated with talloc_zero(), so td->security_identifier is already
zeroed.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1672231
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
5c8c00a4 by Christian Heimes at 2019-02-11T18:06:25+01:00
Test --external-ca-type=ms-cs
Verify that ipa-server-install with external CA and CA type ms-cs adds
the correct extension to the CSR.
Fixes: https://pagure.io/freeipa/issue/7548
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
425dff1e by Sergey Orlov at 2019-02-12T11:07:19+01:00
ipatests: add test for correct modlist when value encoding differs
See: https://pagure.io/freeipa/issue/7750
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3ec29a7f by Christian Heimes at 2019-02-12T11:14:06+01:00
Disable dependency on dogtag-pki PyPI package
The dependency on 'dogtag-pki' PyPI package causes problems.
For one it's not the full pki package. It only provides the client part,
but ipaserver also needs the pki.server subpackage with pkispawn command.
The Fedora package dependency generator turns the requirement into a
package requirement, but python3-pki does not provide the package name
python3.7dist(dogtag-pki).
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
144a9c74 by Mohammad Rizwan Yusuf at 2019-02-12T12:00:29+01:00
ipatests: check if username are not optimized out in semanage context
ipa users having default semanage context were optimized out.
This test checks if those users are listed.
related ticket : https://pagure.io/SSSD/sssd/issue/3819
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
1dc2287a by Francisco Trivino at 2019-02-12T12:03:55+01:00
prci_definitions: Add nightly flow for pki dep testing
This commit adds PKI nightly flow definition. It executes relevant
freeipa tests in order to catch PKI regressions.
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
e63c6b20 by Florence Blanc-Renaud at 2019-02-15T18:21:47+01:00
tests: mark xfail for test_selinux_user_optimized on fed<=28
The test TestUserPermissions::test_selinux_user_optimized is
testing the fix for SSSD issue 3819, but the fix is not
available in fedora 28. Hence mark the test as xfail when
executed on fedora <=28 (our nightly tests also run on fed 28).
For full ref: fixed in sssd 1.16.4, Fedora 28 provides
1.16.3-2.fc28 only, while Fedora 29 provides 2.0.0-3.fc29.
related ticket : https://pagure.io/SSSD/sssd/issue/3819
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
5e7f82db by Serhii Tsymbaliuk at 2019-02-18T14:53:06+01:00
Web UI: Increase timeouts for UI tests in Nightly PR configuration
Some test suites for WebUI in Nightly PR configuration have timeouts without any reserve.
So these tests fails randomly.
Timeout values for these test was increased to {real duration} + ~30%
https://pagure.io/freeipa/issue/7864
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
55253228 by François Cami at 2019-02-19T01:16:34+01:00
ipa-server-install: fix ca setup when fs.protected_regular=1
/tmp is a sticky directory. When the OS is configured with
fs.protected_regular=1, this means that O_CREATE open is forbidden
for files in /tmp if the calling user is not owner of the file,
except if the file is owned by the owner of the directory.
The installer (executed as root) currently creates a file in /tmp,
then modifies its owner to pkiuser and finally writes the pki config
in the file. With fs.protected_regular=1, the write is denied because
root is not owner of the file at this point.
The fix performs the ownership change after the file has been written.
Fedora bug: https://bugzilla.redhat.com/show_bug.cgi?id=1677027
Fixes: https://pagure.io/freeipa/issue/7866
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
cb14883a by Florence Blanc-Renaud at 2019-02-19T14:51:56+01:00
tests: fix failure in test_topology_TestTopologyOptions:test_add_remove_segment
The test is performing topology changes on the master, then
waits for replication to replicate the changes and checks
the expected outcome on replica1.
The issue is that wait_for_replication was called on replica1,
but should be called on the master. This method is reliable only
if it is executed on the host where the modification was done.
Fixes https://pagure.io/freeipa/issue/7865
Reviewed-By: François Cami <fcami at redhat.com>
- - - - -
d1f5ed64 by Sumit Bose at 2019-02-19T15:36:55+01:00
ipa_sam: remove dependency to talloc_strackframe.h
Recent Samba versions removed some header files which did include
non-public APIs. As a result talloc_strackframe.h and memory.h (for
SAFE_FREE) are not available anymore. This patch replaces the use of the
non-public APIs with public ones.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>
- - - - -
65898379 by Florence Blanc-Renaud at 2019-02-20T09:18:38+01:00
pkinit setup: fix regression on master install
The commit 7785210 intended to fix ipa-pkinit-manage enable
on a replica without any CA but introduced a regression:
ipa-server-install fails to configure pkinit with the fix.
This commit provides a proper fix without the regression:
pkinit needs to contact Dogtag directly only in case there is
no CA instance yet (for ex. because we are installing the
first master).
Fixes: https://pagure.io/freeipa/issue/7795
Reviewed-By: François Cami <fcami at redhat.com>
- - - - -
a25de958 by Florence Blanc-Renaud at 2019-02-20T09:18:38+01:00
test: add non-reg test checking pkinit after server install
Add a test with the following scenario:
ipa-server-install (with ca and pkinit enabled)
check that pkinit is properly enabled:
ipa-pkinit-manage status must return "enabled"
the KDC cert must be signed by IPA CA
Related to: https://pagure.io/freeipa/issue/7795
Reviewed-By: François Cami <fcami at redhat.com>
- - - - -
c69875c8 by François Cami at 2019-02-27T21:42:39+01:00
ipa-client-automount: handle NFS configuration file changes
nfs-utils in Fedora 30 and later switched its configuration
file from /etc/sysconfig/nfs to /etc/nfs.conf, providing a
conversion service (nfs-convert.service) for upgrades.
However, for new installs the original configuration file
is missing. This change:
* adds a tuple-based osinfo.version_number method to handle
more kinds of OS versioning schemes
* detects RHEL and Fedora versions with the the new nfs-utils
behavior
* avoids backing up the new NFS configuration file as we do
not have to modify it.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1676981
Fixes: https://pagure.io/freeipa/issue/7868
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
4fd4cf68 by François Cami at 2019-02-28T18:27:58+01:00
pylintrc: ignore R1720 no-else-raise errors
Newer pylint trips on unnecessary else/elif after raise.
Ignore that error for now as it breaks our build.
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
40dd0979 by François Cami at 2019-03-01T08:38:11+01:00
ipatests: remove all occurrences of osinfo.version_id
The fix for https://pagure.io/freeipa/issue/7868 introduced
a tuple-based OS version management method (osinfo.version_number)
by Christian Heimes.
Convert all occurrences of osinfo.version_id in ipatests to
osinfo.version_number then remove osinfo.version_id.
Related to: https://pagure.io/freeipa/issue/7873
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
e6d560af by Christian Heimes at 2019-03-01T11:44:27+01:00
Make IPADiscovery available in PyPI packages
The ipaclient PyPI package does not ship the ipaclient.install
subpackage. The ipaclient.install.ipadiscovery module with IPADiscovery
is now available as ipaclient.discovery, so it can be used by consumers
of PyPI packages.
The module ipaclient.install.ipadiscovery provides a backwards
compatibility shim with deprecation warning.
Fixes: https://pagure.io/freeipa/issue/7861
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
b5f1d33f by Christian Heimes at 2019-03-01T11:44:27+01:00
Reformat and PEP8 ipaclient.discovery
Since the moved code is detected as new/modified code, make fastlint is
complaining about PEP 8 violations.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
dccb2e0e by Ian Pilcher at 2019-03-04T19:35:49+01:00
Allow issuing certificates with IP addresses in subjectAltName
Allow issuing certificates with IP addresses in the subject
alternative name (SAN), if all of the following are true.
* One of the DNS names in the SAN resolves to the IP address
(possibly through a CNAME).
* All of the DNS entries in the resolution chain are managed by
this IPA instance.
* The IP address has a (correct) reverse DNS entry that is managed
by this IPA instance
https://pagure.io/freeipa/issue/7451
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
8ec4868a by Fraser Tweedale at 2019-03-04T19:35:49+01:00
cert-request: restrict IPAddress SAN to host/service principals
Part of: https://pagure.io/freeipa/issue/7451
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
eb70e64c by Fraser Tweedale at 2019-03-04T19:35:49+01:00
cert-request: collect only qualified DNS names for IPAddress validation
Collect only qualified DNS names for IPAddress validation. This is
necessary because it is undecidable whether the name 'ninja' refers
to 'ninja.my.domain.' or 'ninja.' (assuming both exist). Remember
that even a TLD can have A records.
Now that we are only checking qualified names for the purpose of
IPAddressName validation, remove the name length hack from
_san_dnsname_ips().
Part of: https://pagure.io/freeipa/issue/7451
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
9c750f07 by Fraser Tweedale at 2019-03-04T19:35:49+01:00
cert-request: generalise _san_dnsname_ips for arbitrary cname depth
Generalise _san_dnsname_ips to allow arbitrary cname depths. This
also clarifies the code and avoids boolean blindness. Update the
call site to maintain the existing behvaiour (one cname allowed).
Part of: https://pagure.io/freeipa/issue/7451
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
e37c025d by Fraser Tweedale at 2019-03-04T19:35:49+01:00
cert-request: report all unmatched SAN IP addresses
During SAN validation, it is possible that more than one
iPAddressName does not match a known IP address for the DNS names in
the SAN. But only one unmatched IP address is reported. Update the
error message to mention all unmatched iPAddressName values.
Part of: https://pagure.io/freeipa/issue/7451
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
474a2e69 by Fraser Tweedale at 2019-03-04T19:35:49+01:00
Add tests for cert-request IP address SAN support
Part of: https://pagure.io/freeipa/issue/7451
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
a65c12d0 by Fraser Tweedale at 2019-03-04T19:35:49+01:00
cert-request: more specific errors in IP address validation
Update the IP address validation to raise different error messages
for:
- inability to reach IP address from a DNS name
- missing PTR records for IP address
- asymmetric PTR / forward records
If multiple scenarios apply, indicate the first error (from list
above).
The code should now be a bit easier to follow. We first build dicts
of forward and reverse DNS relationships, keyed by IP address. Then
we check that entries for each iPAddressName are present in both
dicts. Finally we check for PTR-A/AAAA symmetry.
Update the tests to check that raised ValidationErrors indicate the
expected error.
Part of: https://pagure.io/freeipa/issue/7451
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
24c77bc4 by Sergey Orlov at 2019-03-05T09:25:25+01:00
ipatests: fix host name for ssh connection from controller to master
Use master.external_hostname instead of master.hostname for ssh connection
from controller machine to master. If hostname and external_hostname in
test_config.yml do no match then trying to establish ssh connection
was failing with "[Errno -2] Name or service not known".
Fixes https://pagure.io/freeipa/issue/7874
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
f6489117 by François Cami at 2019-03-07T15:19:37+01:00
ipa-client-automount: fix PEP8 issues
Commit 6a56aa6d4987bc4856997351a413c014e14abdd6 introduced
C0303, W1201 and R1710 errors in ipa-client-automount.in.
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
8327e11b by Fraser Tweedale at 2019-03-08T18:17:36+11:00
cert-request: handle missing zone
SAN IP address validation, while determining the zone for a DNS name
or IP address, does not handle missing zones. The resulting
dns.resolver.NoNameservers exception is not caught. As a result,
InternalError is returned to client.
Update cert-request IP address name validation to handle this case.
Part of: https://pagure.io/freeipa/issue/7451
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f2e7c3f6 by François Cami at 2019-03-13T16:09:24+01:00
ipatests: add too-restritive mask tests
If the mask used during the installation is "too restrictive", ie.0027,
installing FreeIPA results in a broken server or replica.
Add two tests that expect an error message at install time to catch
too restrictive masks.
Related to: https://pagure.io/freeipa/issue/7193
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
f90a4b95 by François Cami at 2019-03-13T16:09:24+01:00
ipa-{server,replica}-install: add too-restritive mask detection
If the mask used during the installation is "too restrictive", ie.0027,
installing FreeIPA results in a broken server or replica.
Check for too-restrictive mask at install time and error out.
Fixes: https://pagure.io/freeipa/issue/7193
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
0d23fa92 by Florence Blanc-Renaud at 2019-03-14T09:39:55+01:00
CRL generation master: new utility to enable|disable
Implement a new command ipa-clrgen-manage to enable, disable, or check
the status of CRL generation on the localhost.
The command automates the manual steps described in the wiki
https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
Fixes: https://pagure.io/freeipa/issue/5803
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
4e3a64f7 by Florence Blanc-Renaud at 2019-03-14T09:39:55+01:00
Test: add new tests for ipa-crlgen-manage
Add new integration tests for the new command ipa-crlgen-manage,
and test_cmdline tests.
Related to: https://pagure.io/freeipa/issue/5803
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
2e73c964 by Florence Blanc-Renaud at 2019-03-14T09:39:55+01:00
ipa server: prevent uninstallation if the server is CRL master
If ipa-server-install --uninstall is called on a server that
is CRL generation master, refuse uninstallation unless
--ignore-last-of-role is specified or (in interactive mode)
the admin is OK to force uninstallation.
Related to https://pagure.io/freeipa/issue/5803
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
33af8c75 by Sumit Bose at 2019-03-14T09:42:35-04:00
ipa-extdom-exop: add instance counter and limit
The user and group lookups done by the extdom plugin might need some
time depending on the state of the service (typically SSSD) handling the
requests.
To avoid that all worker threads are busy waiting on a connect or a
reply from SSSD and no other request can be handled this patch adds an
instance counter and an instance limit for the extdom plugin.
By default the limit will be around 80% of the number of worker threads.
It can be tuned further with the plugin option ipaExtdomMaxInstances
which must in set in ipaextdommaxinstances and should have an integer
value larger than 0 and lesser than the number of worker threads.
If the instance limit is reached the extdom plugin will return LDAP_BUSY
for every new request until the number of instance is again below the
limit.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6defe320 by Rob Crittenden at 2019-03-19T11:00:43-04:00
Send only the path and not the full URI to httplib.request
Sending the full uri was causing httplib to send requests as:
POST http://ipa.example.com/ca/admin/ca/getStatus HTTP/1.1
>From what I can tell tomcat changed its URL handling due to a CVE
(BZ 1552375). This has been wrong in freeipa since the CA status
checking was added, d6fbbd5 , but tomcat handled it fine so we
didn't notice.
https://pagure.io/freeipa/issue/7883
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
e12e3e84 by Serhii Tsymbaliuk at 2019-03-20T11:33:50+01:00
WebUI test: Fix automember tests according to new behavior
After deleting user/host from group "rebuild" task is triggered,
so the entity returns to the group. And we check if it exists.
Also the order of cleaning test resources are changed:
groups are being deleted only after corresponding rules.
New automembership design description:
https://www.port389.org/docs/389ds/design/automember-postop-modify-design.html
Ticket: https://pagure.io/freeipa/issue/7881
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
55004225 by Peter Keresztes Schmidt at 2019-03-20T17:32:43+01:00
README: Update link to freeipa-devel archive
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
33378403 by Florence Blanc-Renaud at 2019-03-20T17:45:00+01:00
XML RPC test: fix test_automember_plugin
With 389-DS 1.4.0.21, automember plugin also gets triggered on modify ops
by default. This means that a member manually removed gets automatically
re-added by the plugin.
This behavior can be disabled by setting autoMemberProcessModifyOps=off in
the entry cn=Auto Membership Plugin,cn=plugins,cn=config.
Before 389-DS 1.4.0.21, it was possible to remove a member and the member
did not get re-added (unless automember-rebuild was called). This former
behavior can be forced by setting autoMemberProcessModifyOps=off.
This commit fixes the test and checks the behavior when
autoMemberProcessModifyOps=off and when autoMemberProcessModifyOps=on..
Fixes: https://pagure.io/freeipa/issue/7855
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
3ae38973 by Florence Blanc-Renaud at 2019-03-21T15:18:56+01:00
Coverity: fix issue in ipa_extdom_extop.c
Coverity found the following issue:
Error: BAD_COMPARE (CWE-697): [#def1]
freeipa-4.6.5/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c:121: null_misuse: Comparing pointer "threadnumber" against "NULL" using anything besides "==" or "!=" is likely to be incorrect.
The comparison is using the pointer while it should use the pointed value..
Fixes: https://pagure.io/freeipa/issue/7884
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
133b199f by Serhii Tsymbaliuk at 2019-03-21T16:01:11+01:00
Web UI (topology graph): Show FQDN for nodes if they have no common DNS zone
It allows to avoid confusion with identical short hostnames.
There are two cases implemented:
- no common DNS zone: graph shows FQDN for all nodes
- all nodes have one common DNS zone: graph shows DN relatively to the common zone
https://pagure.io/freeipa/issue/7206
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
0a7c2726 by Christian Heimes at 2019-03-22T15:50:51+01:00
GIT: ignore ipa-crlgen-manage
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
6e8d38ca by Florence Blanc-Renaud at 2019-03-25T09:46:36+01:00
ipa-replica-manage: fix force-sync
ipa-replica-manage force-sync --from <server> is performing a wrong check
that may result in the tool looping on "No status yet".
force-sync is adding a nsds5replicaupdateschedule attribute to the
replication agreement in order to force replication to wake up. Note that
this is not a re-initialization (re init drops the current db and reloads
the entire db).
In a second step, force-sync is checking the replication agreement by reading
nsds5BeginReplicaRefresh, nsds5ReplicaLastInitStatus,
nsds5ReplicaLastInitStart and nsds5ReplicaLastInitEnd. This is a wrong
test as force-sync is not an init operation and does not touch these
attributes.
The tool should call wait_for_repl_update rather than wait_for_repl_init.
This way, the check is done on the replication agreement attributes
nsds5replicaUpdateInProgress, nsds5ReplicaLastUpdateStatus,
nsds5ReplicaLastUpdateStart and nsds5ReplicaLastUpdateEnd.
Fixes: https://pagure.io/freeipa/issue/7886
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
b9dc9757 by Alexander Bokovoy at 2019-03-25T09:48:31+01:00
domainlevel-get: fix various issues when running as non-admin
Use proper filter that is caught up by the ACI for 'permission:System:
Read Domain Level' to allow any authenticated user to see the domain
level.
If the server doesn't have domain level set, callers in replica
installer expect errors.NotFound but never get it.
Return the right exception here and change the other caller to follow
the same convention.
Inability to retrieve ipaDomainLevel attribute due to a filter mismatch
casues ipa-replica-install to fail if run as a replica host principal.
Use DOMAIN_LEVEL_0 constant instead of 0 as used by the rest of the code.
Fixes: https://pagure.io/freeipa/issue/7876
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
e5244fbe by Stanislav Levin at 2019-03-25T09:49:45+01:00
Completely drop /var/cache/ipa/sessions
This directory has been already dropped in @6d66e826c,
but not entirely.
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
885af7fe by Christian Heimes at 2019-03-25T14:30:37+01:00
Fix assign instead of compare
Commit 53e0b2255d92c9c21c19306cf37cc8de0476dc9c introduced a minor bug.
Instead of comparing errno to ENOENT, the check assigned ENOENT to
errno.
Coverity: CID 337082
See: https://pagure.io/freeipa/issue/4607
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
52e5ef81 by Christian Heimes at 2019-03-27T15:09:30+01:00
replica install: acknowledge ca_host override
Fixup for commit c0fd5e39c726ef4dc12e87a2f9c08ebb32ed27fe. Only set
ca_host to source master hostname if ca_host points to the local host.
This permits users to override ca_host in /etc/ipa/default.conf when
installing a replica.
Related: https://pagure.io/freeipa/issue/7744
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
d76dccc0 by Christian Heimes at 2019-03-28T00:21:00+01:00
Use api.env.container_masters
Replace occurences of ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc')
with api.env.container_masters.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e9fd8adf by Christian Heimes at 2019-03-28T00:21:00+01:00
Consolidate container_masters queries
Replace manual queries of container_masters with new APIs get_masters()
and is_service_enabled().
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2a8176ee by Alexander Bokovoy at 2019-03-28T14:08:19+01:00
Add design page for one-way trust to AD with shared secret
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
120bab0d by Alexander Bokovoy at 2019-03-28T14:08:19+01:00
trust: allow trust agents to read POSIX identities of trust
SSSD and Samba on IPA masters need to be able to look up POSIX
attributes of trusted domain objects in order to allow Active Directory
domain controllers from trusted forests to connect to LSA and NETLOGON
pipes.
We only have access to read POSIX attributes in cn=accounts,$SUFFIX
subtree rather than whole $SUFFIX. Thus, add an ACI to trusts subtree.
Fixes: https://pagure.io/freeipa/issue/6077
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
dc8f074c by Alexander Bokovoy at 2019-03-28T14:08:19+01:00
trusts: add support for one-way shared secret trust
Refactor ipa-sam code to generate principals with additional POSIX
information so that FreeIPA is capable to establish trust when using a
shared secret from Active Directory domain controller side.
Trust verification process from Samba AD DC or Microsoft Windows AD DC
side requires us to have a working local TDO object with POSIX
attributes so that smbd would be able to map incoming authenticated
Kerberos principal for the TDO to a local POSIX account.
Note that FreeIPA stores TDO objects in a subtree of cn=trusts,$SUFFIX
and thus SSSD is not able to see these POSIX accounts unless
specifically instructed to do so via multiple search bases. The support
for automatically enabling cn=trusts,$SUFFIX search base in IPA server
mode was added to SSSD 1.16.3 and 2.1.0 with the commit
https://pagure.io/SSSD/sssd/c/14faec9cd9437ef116ae054412d25ec2e820e409
Fixes: https://pagure.io/freeipa/issue/6077
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
18cb30d4 by Alexander Bokovoy at 2019-03-28T14:08:19+01:00
upgrade: upgrade existing trust agreements to new layout
Existing trust agreements will lack required Kerberos principals and
POSIX attributes expected to allow Active Directory domain controllers
to query IPA master over LSA and NETLOGON RPC pipes.
Upgrade code is split into two parts:
- upgrade trusted domain object to have proper POSIX attributes
- generate required Kerberos principals for AD DC communication
Fixes: https://pagure.io/freeipa/issue/6077
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
dca901c0 by Alexander Bokovoy at 2019-03-28T14:08:19+01:00
upgrade: add trust upgrade to actual upgrade code
Fixes: https://pagure.io/freeipa/issue/6077
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
025facb8 by Christian Heimes at 2019-03-28T17:57:58+01:00
Add hidden replica feature
A hidden replica is a replica that does not advertise its services via
DNS SRV records, ipa-ca DNS entry, or LDAP. Clients do not auto-select a
hidden replica, but are still free to explicitly connect to it.
Fixes: https://pagure.io/freeipa/issue/7892
Co-authored-by: Francois Cami <fcami at redhat.com>:
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
0770d8a0 by François Cami at 2019-03-28T17:57:58+01:00
ipatests: Exercise hidden replica feature
A hidden replica is a replica that does not advertise its services via
DNS SRV records, ipa-ca DNS entry, or LDAP. Clients do not auto-select a
hidden replica, but are still free to explicitly connect to it.
Fixes: https://pagure.io/freeipa/issue/7892
Co-authored-by: Francois Cami <fcami at redhat.com>
Signed-off-by: Francois Cami <fcami at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
99133eb1 by Christian Heimes at 2019-03-28T17:57:58+01:00
Simplify and improve tests
Move tests for DNS and roles into helper methods to make them reusable.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
94b86354 by Christian Heimes at 2019-03-28T17:57:58+01:00
Implement server-state --state=enabled/hidden
server-state modified the hidden / enabled flags of all configured
services of a server. Since the command does not directly modify the
server LDAP entry, the command has to be implemented as a dedicated plugin.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
d810e1ff by Christian Heimes at 2019-03-28T17:57:58+01:00
Consider hidden servers as role provider
Hidden services are now considered as associated role providers, too. This
fixes the issue of:
invalid 'PKINIT enabled server': all masters must have IPA
master role enabled
and similar issues with CA and DNS.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
56d97f94 by Christian Heimes at 2019-03-28T17:57:58+01:00
Improve config-show to show hidden servers
config-show only used to show enabled servers. Now also show hidden
servers on separate lines. Additionally include information about
KRA and DNS servers.
The augmented config-show output makes it easier to diagnose a cluster
and simplifies sanity checks.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
f839d3c9 by Christian Heimes at 2019-03-28T17:57:58+01:00
More test fixes
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
e7e0f190 by Christian Heimes at 2019-03-28T17:57:58+01:00
Don't allow to hide last server for a role
DNSSec key master and CA renewal master can't be hidden. There must be
at least one enabled server available for each role, too.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
8b1bb211 by Christian Heimes at 2019-03-28T17:57:58+01:00
Synchronize hidden state from IPA master role
ipa-{adtrust|ca|dns|kra}-install on a hidden replica also installs the
new service as hidden service.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
e04dc9a8 by Christian Heimes at 2019-03-28T17:57:58+01:00
Test replica installation from hidden replica
Exercise ipa-replica-install with a hidden replica as source server and
creation of replication agreements between a hidden and an enabled
replica.
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
d727321c by Christian Heimes at 2019-03-28T17:57:58+01:00
Add design draft
The design draft explains implementation details, limitations, and API
changes for the new feature.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
713c9b0c by Christian Heimes at 2019-03-28T17:57:58+01:00
Don't fail if config-show does not return servers
When uninstalling a cluster and only hidden servers are left,
config-show can return a result set without ipa_master_server entry.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
19db292e by Thomas Woerner at 2019-03-29T09:59:55+01:00
Extend test for orphan automember rules (issue/6476)
The test was not executing ipa automember-rebuild --type hostgroup.
The test has been extended to execute it twice: Once when it needs to fail
because there is an orphan automember rule. Also after this orphan
automember rule has been removed. Here the test needs to succeed.
Fixes: https://pagure.io/freeipa/issue/7891
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
98b7fbec by Fraser Tweedale at 2019-03-29T10:23:32+01:00
Fix installation when CA subject DN has escapes
There were several bugs across several projects preventing
installation when the CA subject DN contains characters that need
escaping in the string representation, e.g.
CN=Certificate Authority,O=Acme\, Inc.,ST=Massachusetts,C=US
The package versions containing relevant fixes are:
- 389-ds-base 1.4.0.20 (we already require >= 1.4.0.21)
- pki-core 10.5.5 (we already require >= 10.6.8)
- certmonger 0.79.7 (this commit bumps the dependency)
With this change, installation will now work. Integration tests are
left for a subsequent commit.
Fixes: https://pagure.io/freeipa/issue/7347
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
a376b613 by Christian Heimes at 2019-03-29T11:35:26+01:00
Add test case for configure_openldap_conf
IPAChangeConf doesn't handle lines with mixed assignment values
correctly.
See: https://pagure.io/freeipa/issue/7838
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
5b337a54 by Oleg Kozlov at 2019-03-29T14:04:04+01:00
Show a notification that sssd needs restarting after idrange-mod
If the `ipa idrange-mod` command has been used show a notification that sssd.service needs restarting. It's needed for applying changes. E.g. after setup AD trust with a domain with more than 200000 objects (the highest RID > idm's default value, 200000) users with RIDs > 200000 are not able to login, the size needs to be increased via idrange-mod, but it makes an effect only after sssd restarting.
Implementation:
Notification was implemented via passing `ipalib.messages.ServiceRestartRequired` to `add_message` method in `ipaserver.plugins.idrange.idrange_mod.post_callback`.
Tests:
Added `messages` with sssd restart required (`ipalib.messages.ServiceRestartRequired`) to cases with idrange_mod where output is expected in `ipatests.test_xmlrpc.test_range_plugin.test_range'.
Fixes: https://pagure.io/freeipa/issue/7708
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
692cbc5d by Tibor Dudlák at 2019-03-29T18:56:40+01:00
Fix test_ntp_options to use tasks' methods
Use methods:
- tasks.replica_install()
- tasks.client_install()
instead of custom methods.
Move ntp_pool/server to class scope.
Using teardown_method for cleanup.
Edit tasks.client_install to return result of installation.
Refactor install_replica task:
Add promote parameter to install_replica task.
Add ntp_args to install_client call and remove from
replica installation from tasks.install_replica while promoting.
Use case while not promoting has to have user allowed to enroll
a replica and server to contact in case autodiscovery does not work.
Related: https://pagure.io/freeipa/issue/7719
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ffcbb835 by Alexander Bokovoy at 2019-04-01T12:08:12+02:00
ipasam: use SID formatting calls to libsss_idmap
Samba 4.10 moved away to private libraries two functions we used to
convert a binary SID structre to strings:
- sid_talloc_string()
- sid_string_dbg()
We already used libsss_idmap to convert textual representation of SIDs
to a binary one, use the reverse function too.
libsss_idmap code operates on talloc structures, so we need to adopt a
bit a place where sid_string_dbg() was used because it assumed a static
buffer was provided by sid_string_dbg().
Finally, sid_talloc_string()'s replacement moves allocated memory to the
right context so that a memory will be freed earlier. Our SSSD idmap
context is a long-living one while in all cases where we were using
sid_talloc_string() we free the context much earlier.
Resolves: https://pagure.io/freeipa/issue/7893
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
d60122f9 by Florence Blanc-Renaud at 2019-04-01T12:35:42+02:00
ipa-server-upgrade: fix add_systemd_user_hbac
During upgrade, the method add_systemd_user_hbac is creating
a hbacsvc and a hbacrule, but fails in python2 because of
unicode conversion errors.
The arguments should be defined as u'value'.
Fixes: https://pagure.io/freeipa/issue/7896
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
23ae171d by Florence Blanc-Renaud at 2019-04-01T12:55:46+02:00
ipa-setup-kra: fix python2 parameter
ipa-setup-kra is failing in python2 with
invalid 'role_servrole': must be Unicode text
because of a unicode conversion error.
The method api.Command.server_role_find is called with the parameter
role_servrole='IPA master' but it should rather be
role_servrole=u'IPA master'
Fixes: https://pagure.io/freeipa/issue/7897
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
de4a9875 by Alexander Bokovoy at 2019-04-01T13:27:41+02:00
oddjob: allow to pass options to trust-fetch-domains
Refactor com.redhat.idm.trust-fetch.domains oddjob helper to allow
passing administrative credentials and a domain controller to talk to.
This approach allows to avoid rediscovering a domain controller in case
a user actually specified the domain controller when establishing trust.
It also allows to pass through admin credentials if user decides to do
so. The latter will be used later to allow updating trust topology in a
similar oddjob helper.
Resolves: https://pagure.io/freeipa/issue/7895
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
c3fc551c by Christian Heimes at 2019-04-01T16:10:59+02:00
Disable flaky hidden replica backup test
The test case for hidden replica restore is flaky and sometimes fails.
The general issues is covered by upstream bug 7894.
See: https://pagure.io/freeipa/issue/7894
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>
- - - - -
cc1fb2fa by Sergey Orlov at 2019-04-01T10:24:46-04:00
Revert "Tests: Remove DNS configuration from trust tests"
This reverts commit 1d9e1521c59a5b43c2322892ce5cbe8cceff2790.
The reverted commit message states:
"Since DNS configuration is no longer needed for running trust tests,
this method's contents are removed."
In fact tests can run without DNS configuration only in case if test setup
has a DNS server with DNSSEC support and there are A records for Windows
machines and SRV records Windows AD services and this DNS server is used
as forwarder by bind. If one of these in not true
then tests fail when trying to establish trust (ipa trust-add) as --server
option is not used and ipa can not find the AD machine. If we specify
--server option and add Windows hosts to /etc/hosts, then trust will be
established, but then sssd will fail to find the host to talk for getting users
from AD. So for general case we should setup DNS forwarders prior to
establishing trust, as stated in
https://www.freeipa.org/page/Active_Directory_trust_setup
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3e01d261 by Sergey Orlov at 2019-04-01T10:24:46-04:00
ipatests: in test_trust.py fix prameters in invocation of tasks.configure_dns_for_trust
It was changed in f487233df002bf73dd48d5c87a146b90542bd034
for unknown reason. It did not influence test runs as
configure_dns_for_trust was made no-op in previous commit
1d9e1521c59a5b43c2322892ce5cbe8cceff2790. As now this commit is reverted,
configure_dns_for_trust is restored, invocation parameters also need to
be changed to initial values.
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
14f27d29 by Sergey Orlov at 2019-04-01T10:24:46-04:00
ipatests: disable bind dns validation when preparing to establish AD trust
Before establishing trust with AD it is recommended in documentation
(and for many setups necessary) to create add DNS forwarder for AD domain..
Bind config supplied by ipa server has dnssec validation enabled.
If Windows server DNS does not have DNSSEC enabled with valid certificate,
then bind will not be able to use it as forwarder and trust will not be
established.
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
1d0a612a by Sergey Orlov at 2019-04-01T10:24:46-04:00
ipatests: in test_trust.py fix parent class
TestExternalTrustWithRootDomain was inherited from ADTrustSubdomainBase
This caused that external trust was checked two times with subdomain
and was not checked with root domain.
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e8955cc7 by Sergey Orlov at 2019-04-01T10:24:46-04:00
ipatests: fix expectations of `ipa trust-find` output for trust with root domain
Test was expecting that when trust is established with forest root, than all
three AD domains should be found when quering trust-find for that domain.
Actually only root domain and its subdomain should be returned, without
the tree domain.
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
03e2693a by Sergey Orlov at 2019-04-01T10:24:46-04:00
ipatests: relax requirements for time server quality
When synchronizing time with windows server using chronyd I often see
error "No suitable source for synchronisation". This happens because chronyd
with default options refuses to use time servers with big jitter and delay.
For some reasons Windows time server does have big jitter. In some test setups
delay also can be rathe big.
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
35a4642a by Sergey Orlov at 2019-04-01T10:24:46-04:00
ipatests: allow AD hosts to be placed in separate domain config objects
Tests for AD trust can use three types (roles) of AD machines:
forest root, subdomain and tree domain.
All those machines were placed in one domain object of multihost configuration,
though they all have different domain names.
This is bad as we can not use domain attributes provided by multihost plugin
like host.domain.name and host.domain.basedn and others and need to reimplement
them, evaluating domain name from host.hostname.
And if we accidently used those properties it would lead to difficult to locate
errors (we would use same domain name for all AD hosts).
I modified multihost fixture function mh() to allow creating several AD domains.
As multihost plugin does not support requesting multiple domains with the same type,
I had to introduce new domain types: AD_SUBDOMAIN and AD_TREEDOMAIN.
Also there was a error in mh() which forced user to provide all three AD
machines when only one was needed (value from test class property num_ad_domains
was applied to subdomains and treedomains requirement).
I changed this behavior and now additional AD machines are specified with
properties num_ad_subdomains and num_ad_treedomains.
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
94a6cb11 by Sergey Orlov at 2019-04-01T10:24:46-04:00
ipatests: adapt test_trust.py for changes in multihost fixture
AD hosts can now be extracted from list in respective class attributes and host
domain names -- from properties provided by multihost plugin (host.domain.name).
Also removed conditional skips of tests when test configuration contains only
part of required AD machines as this feature never worked:
multihost plugin removes all machines from config which are not explicitly
requested.
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c8197165 by Sergey Orlov at 2019-04-01T10:24:46-04:00
ipatests: refactor test_trust.py
Tests in test_trust.py were organized in ten classes, one for each trust type,
requiring ten cycles of ipaserver installation/uninstallation and the full test
run lasted for about 5500 seconds.
There is no need in reinstallation of ipaserver between establishing different
types of trust.
I moved all tests to sinle class, preserving test logic.
Additional changes:
* TestEnforcedPosixADTrust was totally removed as it was duplicate of
TestPosixADTrust
* code of repeated checks was moved to methods
* A task was cretated for cleaning up DNS configuration changes made for
establishing trust
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3cb1ccb3 by Christian Heimes at 2019-04-02T19:35:38+02:00
Add option to remove lines from a file
config_replace_variables() can now also remove lines from a file.
Related: https://pagure.io/freeipa/issue/7860
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e4621f12 by Christian Heimes at 2019-04-02T19:35:38+02:00
Add tasks.systemd_daemon_reload()
systemd daemon must be reloaded after a config file is added, changed,
or removed. Provide a common API endpoint in ipaplatform.tasks.
Related: https://pagure.io/freeipa/issue/7860
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
1dfac4f5 by Christian Heimes at 2019-04-02T19:35:38+02:00
Move DS's Kerberos env vars to unit file
The IPA specific env vars KRB5_KTNAME and KRB5CCNAME are now defined in
a instance specific ipa-env.conf unit file.
Fixes: https://pagure.io/freeipa/issue/7860
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
35095458 by Christian Heimes at 2019-04-03T15:16:21+02:00
Require a minimum SASL security factor of 56
SSF_MINX 56 level ensures data integrity and confidentiality for SASL
GSSAPI and SASL GSS SPNEGO connections.
Although at least AES128 is enforced pretty much everywhere, 56 is required
for backwards compatibility with systems that announce wrong SSF.
Related: https://pagure.io/freeipa/issue/7140
Related: https://pagure.io/freeipa/issue/4580
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
3c354e74 by Christian Heimes at 2019-04-04T10:05:10+02:00
Verify external CA's basic constraint pathlen
IPA no verifies that intermediate certs of external CAs have a basic
constraint path len of at least 1 and increasing.
Fixes: https://pagure.io/freeipa/issue/7877
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
0c50cc39 by Alexander Bokovoy at 2019-04-07T12:26:09+02:00
Remove DsInstance.request_service_keytab as it is not needed anymore
DsInstance.request_service_keytab() used to configure
/etc/sysconfig/dirsrv which is not needed anymore with 389-ds-base
1.4.1.2. Thus, the method became indistinguishable from the parent and
can be removed completely.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
a241a81b by Rob Crittenden at 2019-04-08T10:22:45+02:00
Add interactive prompt for the LDAP bind password to ipa-getkeytab
This provides a mechanism to bind over LDAP without exposing
the password on the command-line.
https://pagure.io/freeipa/issue/631
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
3fdbf48f by Christian Heimes at 2019-04-08T14:53:35+02:00
Skip orphan automember rule test
389-DS 1.4.0.22 was pushed to Fedora over the weekend. The new versin
breaks test_find_orphan_automember_rules. Skip the test case for now
until we have more time to investigate the issue.
Related: https://pagure.io/freeipa/issue/7902
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
cb0f24bf by Alexander Bokovoy at 2019-04-08T17:51:38+02:00
Bypass D-BUS interface definition deficiences for trust-fetch-domains
In oddjobd it is possible to pass arguments as command line or on the
stdin. We use command line to pass them but the way oddjobd registers
the D-BUS method signatures is by specifying all arguments as mandatory.
Internally, oddjobd simply ignores if you passed less arguments than
specified in the D-BUS defition. Unfortunately, it is not possible to
specify less than maximum due to D-BUS seeing all arguments in the
list (30 is defined for the trust-fetch-domains).
To pass options, have to pad a list of arguments to maximum with empty
strings and then filter out unneeded ones in the script. Option parser
already removes all options from the list of arguments so all we need to
do is to take our actual arguments. In case of trust-fetch-domains, it
is the name of the domain so we can only care about args[0].
Fixes: https://pagure.io/freeipa/issue/7903
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
8a5dc1b3 by Christian Heimes at 2019-04-09T09:13:27+02:00
Adapt cert-find performance workaround for users
ipa cert-find --users=NAME was slow on system with lots of certificates..
User certificates have CN=$username, therefore the performance tweak
from ticket 7835 also works for user certificates.
Related: https://pagure.io/freeipa/issue/7835
Fixes: https://pagure.io/freeipa/issue/7901
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
a5213140 by Christian Heimes at 2019-04-09T11:28:37+02:00
Make netifaces optional
netifaces is a binary Python extension. Outside of the installer, it's
only used by CheckedIPAddress.get_matching_interface, which is only
called from installer code.
Make the import of netifaces optional to reduce the amount of
dependencies for PyPI package use case. Binary extensions are especially
annoying, because they depend on shared libraries, compiler, and header
files to be present.
Related: https://pagure.io/freeipa/issue/6468
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Oleg Kozlov <okozlov at redhat.com>
- - - - -
6fed1700 by Christian Heimes at 2019-04-09T11:48:22+02:00
automount: rmtree temp directory
ipa-client-automount uses the host keytab to acquire a TGT. The script
sets up a temporary directory for its ccache. At the end of the script
it removes the ccache and temp directory again.
In case of a failed kinit, the ccache is not created and the removal of
the ccache causes an exception. The automount installer now uses
shutil.rmtree() to remove the temporary directory and all its content.
Fixes: https://pagure.io/freeipa/issue/7862
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>
- - - - -
fdc3554d by Christian Heimes at 2019-04-09T13:38:28+02:00
Gating: remove vault and kdcproxy tests
Vault and KDC proxy are neither critical subsystems nor are they likely to
fail. They have been pretty stable and don't see any major development.
It's sufficient to run them in nightly tests only.
The removal speed up gating a bit. Especially vault tests are slow and
usually take more than 30 minutes to complete
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
66873e2b by Christian Heimes at 2019-04-10T11:21:25+02:00
Improve error handling in DNSSEC helpers
* ipa-dnskeysyncd now handles CONNECT_ERROR during bind
* ipa-dnskeysyncd no longer logs full traceback on connection error.
* ipa-dnskeysync-replica now handles SERVER_DOWN/CONNECT_ERROR
exceptions and turns them into pretty error messages.
Fixes: https://pagure.io/freeipa/issue/7905
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Oleg Kozlov <okozlov at redhat.com>
- - - - -
8c4d75fd by Christian Heimes at 2019-04-10T13:43:23+02:00
Add current default.cfg from Dogtag
base/server/etc/default.cfg from commit
https://github.com/dogtagpki/pki/commit/b93183406c0be6ce233eb4ed4c116aa858635cdf
Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
0a2b02fc by Christian Heimes at 2019-04-10T13:43:23+02:00
Simplify and slim down ipaca_default.ini
* Remove internal stuff from DEFAULT section
* Remove all non-user modifiable paths
* Remove OCSP, RA, TKS, TPS sections
* Remove deprecated options and replace them with current options
Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
70beccad by Christian Heimes at 2019-04-10T13:43:23+02:00
Add IPA specific vars to ipaca_default.ini
Common settings like "pki_*_signing_key_algorithm" now use an IPA
specific template variable. The approach makes it easier to change all
signing parameters to use a different algorithm.
Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f847d775 by Christian Heimes at 2019-04-10T13:43:23+02:00
Use new pki_ipaca.ini to spawn instances
Note: Some configuration stanzas are deprecated and have been replaced
with new stanzas, e.g. pki_cert_chain_path instead of
pki_external_ca_cert_chain_path.
Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
dd47cfc7 by Christian Heimes at 2019-04-10T13:43:23+02:00
Add pki.ini override option
Allow to specify a pki.ini overlay file on the command line. The override
file can be used to override pkispawn settings.
Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
94937424 by Christian Heimes at 2019-04-10T13:43:23+02:00
Simplify and consolidate ipaca.ini
Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
dba89712 by Christian Heimes at 2019-04-10T13:43:23+02:00
Verify pki ini override early
ipa-server-install now verifies the pki ini override file earlier
Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
42efdc7b by Christian Heimes at 2019-04-10T13:43:23+02:00
Add test case for pki config override
Install CA with 4096bit RSA key and SHA-384 signature.
Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2b2c5d6c by Christian Heimes at 2019-04-10T13:43:23+02:00
Add --pki-config-override to man pages
Mention the new option in the man pages for CA, KRA, replica, and server
installation. The documentation must be improved once we have figured
out which options are going to be supported.
Fixes: pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f2826da2 by Florence Blanc-Renaud at 2019-04-10T14:54:43-04:00
ipa-client-install: autodiscovery must refuse single-label domains
Since commit 905ab93, ipa-server-install refuses single-label domains,
but older IPA server versions could be installed with a single-label
domain/realm.
ipa-client-install is already refusing single-label domain/realm when
provided to the CLI with --domain / --realm but does not perform the same
check when the domain is discovered.
This commit adds a check to domain names automatically discovered and skips
single-label domains. Same check for realm names.
Fixes: https://pagure.io/freeipa/issue/7598
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
cf42dc1f by François Cami at 2019-04-11T10:04:00+02:00
ipaserver/install/krainstance.py: chown after write
When fs.protected_regular=1 root cannot open temp files that
are owned by other users read-write.
So move os.chown after write.
Refactoring suggested by Christian Heimes.
Fixes: https://pagure.io/freeipa/issue/7906
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
536e7da6 by Tibor Dudlák at 2019-04-11T10:19:32+02:00
Support interactive prompt for ntp options
As the FreeIPA server is no longer a NTP service
providing instance its clients and replicas
configuration of time service can not be handled
as it was before change to chrony. Configuration
using master FQDN or autodiscovery for DNS record
would make no difference because every FreeIPA
instance is only chrony client now and does not
update DNS _ntp._udp record.
FreeIPA now asks user for NTP source server
or pool address in interactive mode if there is
no server nor pool specified and autodiscovery
has not found any NTP source in DNS records.
Resolves: https://pagure.io/freeipa/issue/7747
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d68fe6b9 by François Cami at 2019-04-11T13:56:15+02:00
ipaserver/install/cainstance.py: unlink before creating new file in /tmp
When fs.protected_regular=1 root cannot open temp files that
are owned by other users read-write.
So unlink temporary file before shutil.copy to it.
Fixes: https://pagure.io/freeipa/issue/7907
Signed-off-by: François Cami fcami at redhat.com
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
b79ea6a6 by Florence Blanc-Renaud at 2019-04-15T12:05:22+02:00
Fix wrong evaluation of attributes in check_repl_update
The method check_repl_update in ipaserver/install/replication.py badly
handles the attributes nsds5ReplicaLastUpdateStart and
nsds5ReplicaLastUpdateEnd as it expects them to contain an int.
These attributes are defined as GeneralizedTime
(OID 1.3.6.1.4.1.1466.115.121.1.24, for instance
nsds5ReplicaLastUpdateEnd='20190412122523Z') but older versions of 389-ds can
also return the value 0 for uninitialized values (see 389-ds ticket 47836).
The code must be able to handle the generalized time format or the 0 value.
The fix removes the 'Z' from the GeneralizedTime and converts to an int,
or assigns 0.
Fixes: https://pagure.io/freeipa/issue/7909
Reviewed-By: François Cami <fcami at redhat.com>
- - - - -
80928ba6 by Christian Heimes at 2019-04-16T10:45:59+02:00
Use Network Manager to configure resolv.conf
IPA used to write a custom /etc/resolv.conf. On Fedora and RHEL,
NetworkManager is typically maintaining resolv.conf. On reboot or
restart of the service, NM overwrites the custom settings.
On systems with NM enabled, the DNS server installer now drops a config
file into NM's global config directory and delegates resolv.conf to NM.
On systems without NM, fall back to create /etc/resolv.conf directly.
Fixes: https://pagure.io/freeipa/issue/7900
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
45b8cc1d by Christian Heimes at 2019-04-16T16:51:40+02:00
Increase default key size for CA to 3072 bits
The signing key for IPA's CA certificate now uses a 3072 bit RSA key by
default.
According to https://www.keylength.com/, NIST 800-57 Part 1 Rev. 4
recommends 3072 bit RSA keys for keys that are used beyond 2030 for 128 bit
strength.
Fixes: https://pagure.io/freeipa/issue/6790
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
00a7868f by Christian Heimes at 2019-04-16T16:51:40+02:00
Reuse key type and size in certmonger resubmit
Certmonger has hard-coded defaults for key size and key type. In case a
request does not contain these values, certmonger uses 2048 RSA keys.
Since the CA now has 3072, it will also rekey the CA to 2048 instead of
resubmitting with the existing 2048 bit key.
Use key-size and key-type from the existing request when resubmitting.
Related: https://pagure.io/freeipa/issue/6790
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2bad9fd0 by Christian Heimes at 2019-04-16T16:51:40+02:00
Explain why tests still use 2048bit external CA
The test case verifies that IPA supports external CAs with weaker keys.
Related: Related: https://pagure.io/freeipa/issue/6790
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
0ba25c7e by François Cami at 2019-04-16T16:58:54+02:00
ipatests: add nfs tests
With the latest NFS changes:
* systemd NFS-related unit files
* configuration from /etc/sysconfig/nfs to /etc/nfs.conf
testing NFS client {manual, ipa-client-automount} configuration
has become paramount.
This extends the existing automount location test and must be
run nightly.
Fixes: https://pagure.io/freeipa/issue/7805
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Peter Cech <pcech at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
5ecede78 by Robbie Harwood at 2019-04-17T13:56:05+02:00
Fix unnecessary usrmerge assumptions
On non-usrmerge systems (e.g., Debian), bash, mv, cp, cat, tail,
keyctl, and gzip live in /bin, not /usr/bin.
On usrmerge systems, /bin is a symlink to /usr/bin (or vice versa), so
this has no effect.
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
36c65c4a by Christian Heimes at 2019-04-23T12:55:35+02:00
Remove deprecated object logger
The object logger methods been deprecated for about two years since release
4.6.0. The log manager used to moneky-patch additional log methods like
info(), warning(), and error() into API plugin objects. The methods have
been replaced by calls to module logger objects in 4.6.0.
Remove monkey-patch logger methods, log manager, and its root logger from
ipapython.ipa_log_manager.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
921d803d by Stanislav Levin at 2019-04-24T08:10:45+02:00
Add missing deps for `make pylint`
The make target `pylint` hasn't a full list of its dependencies.
This leads to problems like:
- different build results
- PR tests just do not run pylint over some Python scripts.
The new build target (`python_scripts`) was implemented.
It's intended for building all Python scripts (files, containing
@PYTHONSHEBANG@ as a shebang placeholder).
The make `pylint` should require it.
Fixes: https://pagure.io/freeipa/issue/7921
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
edd53d8c by Stanislav Levin at 2019-04-24T08:10:45+02:00
Fix `inconsistent-return-statements` in ipa-dnskeysync-replica
This problem was discovered by pylint.
Fixes: https://pagure.io/freeipa/issue/7921
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
3f9e23f1 by Christian Heimes at 2019-04-24T09:09:28+02:00
Add ExecStartPost hook to wait for Dogtag PKI
Dogtag PKI typically takes around 10 seconds to start and respond to
requests. Dogtag uses a simple systemd service, which means systemd is
unable to detect when Dogtag is ready. Commands like ``systemctl start``
and ``systemctl restart`` don't block and wait until the CA is up. There
have been various workarounds in Dogtag and IPA.
Systemd has an ExecStartPost hook to run programs after the main service
is started. The post hook blocks systemctl start and restart until all
post hooks report ready, too. The new ipa-pki-wait-running script polls
on port 8080 and waits until the CA subsystem returns ``running``.
Related: https://pagure.io/freeipa/issue/7916
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
5452eb6e by Christian Heimes at 2019-04-24T09:09:28+02:00
Reduce startup_timeout to 120sec as documented
man(5) default.conf says that startup_timeout has a default value of 120
seconds. Even 120 seconds are not effective unless systemd is also
reconfigured to have a larger DefaultTimeoutStartSec.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6c361d74 by Alexander Bokovoy at 2019-04-24T09:47:31+02:00
Update translations from Zanata
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
e05008d1 by Alexander Bokovoy at 2019-04-24T09:47:31+02:00
Update mailmap
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
993fd4d7 by Alexander Bokovoy at 2019-04-24T09:47:31+02:00
Update list of contributors and sort them alphabetically
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
d796c37f by Christian Heimes at 2019-04-24T14:08:20+02:00
Debian: use -m lesscpy instead of hard-coded name
python3 -m lesscpy now works correctly. The make-css.sh script is
replaced with a simpler make call and ipa.css now depends on all less
files.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ff41a09e by Christian Heimes at 2019-04-24T14:08:20+02:00
Debian doesn't have authselect
Skip authselect configuration and migration on Debian/Ubuntu.
Co-authored-by: Timo Aaltonen <tjaalton at debian.org>
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
da2cf1c5 by Christian Heimes at 2019-04-24T14:08:20+02:00
Debian: Add paths for open-sans and font-awesome
Debian has different paths and path suffix for font-awesome. Let's have
explicit paths for all our fonts.
Co-authored-by: Timo Aaltonen <tjaalton at debian.org>
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
750e658d by Christian Heimes at 2019-04-24T14:08:20+02:00
Debian: Add fixes for OpenDNSSEC 2.0
Debian/Ubuntu use OpenDNSSEC 2.0, which has different commands to manage
zones and keys.
Co-authored-by: Timo Aaltonen <tjaalton at debian.org>
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
8592603e by Christian Heimes at 2019-04-24T14:08:20+02:00
Debian: Use different paths for KDC cert and key
Co-authored-by: Timo Aaltonen <tjaalton at debian.org>
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
edaea886 by Christian Heimes at 2019-04-24T14:08:20+02:00
Add ODS manager abstraction to ipaplatform
OpenDNSSEC 1.4 and 2.x use different commands to initialize kasp.db and
manage zones. ipaplatform.tasks abstracts the commands.
Note: I added the logic to the base task instead of having different
implementations for Red Hat and Debian platforms. Eventually Fedora is
going to move to OpenDNSSEC 2.x, too. The design will make it easier to
support OpenDNSSEC 2.x on Fedora.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d703f3db by Christian Heimes at 2019-04-24T14:08:20+02:00
Debian: Fix replicatio of light weight sub CAs
The path to ipa-pki-retrieve-key was hard-coded, which broke replication
of light weight sub CA keys.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
81d0108a by Christian Heimes at 2019-04-24T14:08:20+02:00
Debian: auto-generate config files for oddjobd
The oddjobd config files are now auto-generated with automake to have
correct path to libexec on all platforms.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
0fa692a5 by Christian Heimes at 2019-04-24T14:08:20+02:00
Debian: Use RedHatCAService for pki-tomcatd
The RedHatCAService service class contains extra logic to wait for CA
service to be up and running. Debian now correctly waits for Dogtag before
proceeding with the installation process.
Fixes: https://pagure.io/freeipa/issue/7916
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
411e6c37 by Christian Heimes at 2019-04-24T16:23:17+02:00
Deprecate ipa-client-install --request-cert
Mark the --request-cert option for ipa-client-install as deprecated.
Users are encouraged to request a PEM certificate with certmonger
instead. The option and /etc/ipa/nssdb will be removed in a future
version.
Related: https://pagure.io/freeipa/issue/7492
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
dd58a705 by Christian Heimes at 2019-04-24T17:08:24+02:00
Fix and extend pki config override test
* override ipa_ca_key_size
* test with SHA512withRSA
Related: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4ba88869 by Alexander Bokovoy at 2019-04-24T15:47:19-04:00
Set idmap config for Samba to follow IPA ranges and use SSSD
Implicit idmap configuration in Samba was changed in Samba 4.7 to always
require range definition. A default ('*') idmap configuration lacks any
range and thus is marked by testparm utility as invalid one.
Since we do not expect Samba allocating any IDs, idmap configuration
needs to be set in a such way that it is correct from Samba side and is
effectively disabling any allocation on those domains that we don't need
to handle.
Note that 'idmap config <domain> : range' parameter accepts range in a
special format with spaces 'begin - end', so we have to keep the
formatting of the range exact.
Related: https://pagure.io/freeipa/issue/6951
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
b2c5691e by Alexander Bokovoy at 2019-04-24T15:47:19-04:00
Enforce SMBLoris attack protection in default Samba configuration
See https://access.redhat.com/security/vulnerabilities/smbloris for
details.
There is no recommended value but for IPA DC we can limit with 1000
concurrent connections from unrelated clients.
Related: https://pagure.io/freeipa/issue/6951
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
8686cd3b by Christian Heimes at 2019-04-25T08:57:58+02:00
Pass token_name to certmonger
For HSM support, IPA has to pass the token name for CA and subsystem
certificates to certmonger. For now, only the default 'internal' token is
supported.
Related: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
74e09087 by Christian Heimes at 2019-04-25T12:53:08+02:00
Globally disable softhsm2 in p11-kit-proxy
The p11-kit configuration injects p11-kit-proxy into all NSS databases.
Amongst other p11-kit loads SoftHSM2 PKCS#11 provider. This interferes
with 389-DS, certmonger, Dogtag and other services. For example certmonger
tries to open OpenDNSSEC's SoftHSM2 token, although it doesn't use it at
all. It also breaks Dogtag HSM support testing with SoftHSM2.
IPA server does neither need nor use SoftHSM2 proxied by p11-kit.
Related: https://pagure.io/freeipa/issue/7810
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f5912d00 by Sergey Orlov at 2019-04-25T14:46:11+02:00
ipatests: new tests for ipa-winsync-migrate utility
Fixes https://pagure.io/freeipa/issue/7857
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
23d5c052 by Oleg Kozlov at 2019-04-25T14:47:09+02:00
Check have packages for extra features been installed before restoring backup
`iparestore --full` should check that packages for extra features such as dns and adtrust are installed in the system before restoring a backup in case the backup includes content for these features. If the packages are not installed full backup should be refused and an error message with suggestions should be showed.
If corresponding packages for these features are not installed before the backup restoring, it may cause a situation when the packages are going to be installed after the restoring. In that case configuration files restored by `ipa-restore` will be replaced by default configuration files if the files are tracked by `rpm`. E.g. if `freeipa-server-trust-ad` is not installed before `ipa-restore --full` running, when the package will be installed it also will bring `samba` package according to the dependencies. At `samba` installation step exist correct `/etc/samba/smb.conf` is going to be replaced by the default one from the `samba` package.
Fixes: https://pagure.io/freeipa/issue/7630
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
dcd488b3 by Christian Heimes at 2019-04-26T09:50:23+02:00
Refactor tasks to include is_selinux_enabled()
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d7e17655 by Christian Heimes at 2019-04-26T09:50:23+02:00
Check for SELinux AVCs after installation
Look for SELinux violation after installing a master with CA, KRA, and
DNS with DNSSEC. The test does not fail yet, because there are known
SELinux violations.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a22b4a35 by Christian Heimes at 2019-04-26T09:56:44+02:00
chmod SYSTEMD_PKI_TOMCAT_IPA_CONF
Change the permission of the new config file
/etc/systemd/system/pki-tomcatd at pki-tomcat.service.d/ipa.conf to 644.
This fixes the systemd warning
Configuration file /etc/systemd/system/pki-tomcatd at pki-tomcat.service.d/ipa.conf is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d2c5ce1a by François Cami at 2019-04-26T10:25:00+02:00
ipaplatform: add more services
Healthcheck needs to check more services than currently defined
in ipaplatform. Add these services.
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
beffa7bc by Christian Heimes at 2019-04-26T12:09:22+02:00
Move Custodia secrets handler to scripts
Implement the import and export handlers for Custodia keys as external
scripts. It's a prerequisite to drop DAC override permission and proper
SELinux rules for ipa-custodia.
Except for DMLDAP, handlers no longer run as root but as handler
specific users with reduced privileges. The Dogtag-related handlers run
as pkiuser, which also help with HSM support.
The export and import handles are designed to be executed by sudo, too.
In the future, ipa-custodia could be executed as an unprivileged process
that runs the minimal helper scripts with higher privileges.
Fixes: https://pagure.io/freeipa/issue/6888
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4f3c4f87 by Christian Heimes at 2019-04-26T12:47:51+02:00
Guard dbus.start() with dbus.is_running()
Some platforms like Debian protect the dbus.service with
RefuseManualStart=True. "systemctl start dbus" fails with operation
refused (it is configured to refuse manual start/stop). On Fedora
"systemctl start dbus" is a no-op when dbus is already running.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
5d4a8017 by Christian Heimes at 2019-04-26T12:47:51+02:00
Add helper to look for missing binaries
Fedora has merged /usr/bin and /bin while Debian uses distinct
directories for /usr/bin and /bin. Debian also uses different directory
for libexec files.
A new paths.check_paths() helper makes it easier to detect missing or
wrong paths.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c3144111 by Christian Heimes at 2019-04-26T12:47:51+02:00
Correct path to systemd-detect-virt
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2a459ce0 by Christian Heimes at 2019-04-26T12:53:23+02:00
Make python-ldap optional for PyPI packages
python-ldap is a Python package with heavy C extensions. In order to
build python-ldap, not only OpenLDAP development headers are necessary,
but also OpenSSL, Cyrus SASL, and MIT KRB5 development headers.
A fully functional ipaclient doesn't need an LDAP driver. It talks JSON
RPC over HTTPS to a server. python-ldap is only used by ipapython.dn.DN
to convert a string to a DN with ldap_str2dn(). The function is simple
and can be wrapped with ctypes in a bunch of lines.
Related: https://pagure.io/freeipa/issue/6468
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d59f155e by Christian Heimes at 2019-04-26T12:53:23+02:00
Make IPADiscovery work without ldap
ipaclient.discover.IPADiscovery skips LDAP discovery when python-ldap is
not present.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
bdce9164 by Christian Heimes at 2019-04-26T12:53:23+02:00
Make ipaclient.discovery usable from command line
For debugging and testing make it possible to run a simple domain
discovery from the command line
```
$ python3 -m ipaclient.discovery demo1.freeipa.org
realm DEMO1.FREEIPA.ORG (Discovered from LDAP DNS records in ipa.demo1.freeipa.org)
domain demo1.freeipa.org (Discovered LDAP SRV records from demo1.freeipa.org)
basedn dc=demo1,dc=freeipa,dc=org (From IPA server ldap://ipa.demo1.freeipa.org:389)
server ipa.demo1.freeipa.org (Discovered from LDAP DNS records in ipa.demo1.freeipa.org)
servers ['ipa.demo1.freeipa.org']
Success
$ python3 -m ipaclient.discovery freeipa.org
realm None
domain None
basedn None
server None
servers []
NO_LDAP_SERVER
```
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
161008d5 by Florence Blanc-Renaud at 2019-04-26T17:26:00+02:00
ipactl restart: fix wrong logic when checking service list
ipactl is building a list of currently running services from
the content of /var/run/ipa/services.list, and a list of expected services
from the services configured in LDAP.
Because CA and KRA both correspond to the same pki-tomcatd service, the
lists may contain duplicates. The code handling these duplicates is called
at the wrong place, and may result in a wrong list of services to
stop / restart / start.
The fix removes the duplicates before returning the lists, hence making sure
that there is no error when building the list of services to stop / restart
/ start.
Fixes: https://pagure.io/freeipa/issue/7927
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
3c981879 by Christian Heimes at 2019-04-29T16:51:40+02:00
Consider configured servers as valid
Under some conditions, ipa config-show and several other commands were
failing with error message:
ERROR: invalid 'PKINIT enabled server': all masters must have IPA master role enabled
Amongst others the issue can be caused by a broken installation, when
some services are left in state 'configuredServices'. The problem even
block uninstallation or removal of replicas. Now configured servers are
also consider valid providers for associated roles.
A new test verifies that config-show works with hidden and configured HTTP
service.
Remark: The original intent of the sanity check is no longer clear to me. I
think it was used to very that all services can be started by ipactl.
Since ipactl starts hidden, configured, and enabled services, the new
logic reflect the fact, too.
Fixes: https://pagure.io/freeipa/issue/7929
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
628ec088 by Alexander Bokovoy at 2019-04-29T17:55:04+03:00
Become FreeIPA 4.7.90.pre1
- - - - -
dc113a0a by Alexander Bokovoy at 2019-04-29T17:58:14+03:00
Turn master branch back after pre-release tagging
- - - - -
e73fdcf8 by Christian Heimes at 2019-04-30T10:32:43-04:00
Import urllib submodules
otpclient only imported the urllib parent package, not urllib.request
and urllib.parse subpackages. This may or may not work depending on the
import order of other plugins.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
294aa3a3 by Alexander Bokovoy at 2019-05-02T11:39:23+02:00
Revert "Require a minimum SASL security factor of 56"
This reverts commit 350954589774499d99bf87cb5631c664bb0707c4.
We cannot force increase in minimum SASL security factor until our
consumers are ready to deal with it. Unfortunately, realmd uses
anonymous connection for discovery and validation of IPA LDAP server.
The way it is done is fragile (it doesn't take into account an
advertised IPA version, only checks that 'IPA' string exists in the info
field) but since bumping of minimum SSF prevents reading IPA info field
using anonymous connection, client enrollment fails.
We should get back to bumping minimum SSF after realmd and other
potential consumers are fixed.
Reviewed-By: François Cami <fcami at redhat.com>
- - - - -
78652a52 by Adam Williamson at 2019-05-02T09:36:54-04:00
Correct default fontawesome path (broken by da2cf1c5)
On Fedora/RHEL, it does not have a dash in it. The changes in
da2cf1c5 inadvertently added a dash to the path in the 'base'
paths definition (used on Fedora/RHEL), so the font wasn't found.
Signed-off-by: Adam Williamson <awilliam at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
660c4984 by François Cami at 2019-05-06T17:46:19+02:00
ipa-client-automount: add knob to configure NFSv4 Domain (idmapd.conf)
ipa-client-automount assumes the NFS domain to be the same as the IPA domain.
This is not always the case.
This commit adds a --idmap-domain knob with the following behavior:
- if not present, default to IDM domain (current behavior)
- if equal to DNS (magic value), set nothing and let idmapd autodetect domain
- otherwise set Domain in idmap.conf to the value passed by this parameter
Fixes: https://pagure.io/freeipa/issue/7918
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d76737e4 by François Cami at 2019-05-06T17:46:19+02:00
ipatests: add tests for the new NFSv4 domain option of ipa-client-automount
This commit tests the--idmap-domain knob with the following behavior:
- if not present, default to IDM domain (current behavior)
- if equal to DNS (magic value), set nothing and let idmapd autodetect domain
- otherwise set Domain in idmap.conf to the value passed by this parameter
Related to: https://pagure.io/freeipa/issue/7918
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e6415ec3 by François Cami at 2019-05-07T09:00:42+02:00
ipa-backup: better error message if ENOSPC
When the destination directory cannot store the complete backup
ipa-backup fails but does not explain why.
This commit adds error-checking to db2ldif(), db2bak() and
finalize_backup() and enhances the error message.
Fixes: https://pagure.io/freeipa/issue/7647
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Tibor Dudlák <tdudlak at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
5331510e by François Cami at 2019-05-07T09:08:40+02:00
ipa_backup.py: replace /var/lib/ipa/backup with paths.IPA_BACKUP_DIR
/var/lib/ipa/backup is defined in ipaplatform.paths as paths.IPA_BACKUP_DIR
Remove all instances of /var/lib/ipa/backup/ in ipa_backup.py.
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
98b4c710 by Alexander Bokovoy at 2019-05-11T21:15:37+02:00
upgrade: adtrust - catch empty result when retrieving list of trusts
Upgrade failure when ipa-server-upgrade is being run on a system with no
trust established but trust configured
Fixes: https://pagure.io/freeipa/issue/7939
Reviewed-By: François Cami <fcami at redhat.com>
- - - - -
ac6568dc by Stanislav Levin at 2019-05-12T23:49:07+02:00
Fix `build_requestinfo` in OpenSSL1.1.0+ environments
Since OpenSSL 1.1.0 the `req_info` field of X509_REQ structure is
no longer a pointer to X509_REQ_INFO. This results in a crash of
`build_requestinfo` in environments having OpenSSL1.1.0+ (libcrypto).
With this patch, the X509_REQ definition becomes the version dependent.
Both OpenSSL1.0.x and OpenSSL1.1.x are supported.
Fixes: https://pagure.io/freeipa/issue/7937
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
64dc92cc by Christian Heimes at 2019-05-14T12:27:55+02:00
Load libldap_r-*.so.2
libldap_r.so is only available in the OpenLDAP development packages. The
openldap package provides libldap_r-*.so.2.
Fixes: https://pagure.io/freeipa/issue/7941
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
7b8a2af2 by Stanislav Levin at 2019-05-14T15:58:40+02:00
Fix `build_requestinfo` in LibreSSL environments
`build_requestinfo` was broken in @ac6568dcf.
In this case LibreSSL behavior is the same as OpenSSL < 1.1.x.
Thus, an additional check for SSL implementation was added.
Fixes: https://pagure.io/freeipa/issue/7937
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
2042b5a0 by Christian Heimes at 2019-05-14T17:11:54+02:00
Use PKCS#8 instead of traditional privkey format
The modern PKCS#8 private key format supports better encryption standard
and is preferable over traditional, weak PKCS#1 key format.
Fixes: https://pagure.io/freeipa/issue/7943
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Oleg Kozlov <okozlov at redhat.com>
- - - - -
ecc08e39 by Rob Crittenden at 2019-05-14T12:46:56-04:00
Use AES-128-CBC for PKCS#12 encryption when creating files (FIPS)
A PKCS#12 file is generated from a set of input files in various
formats. This file is then used to provide the public and private
keys and certificate chain fro importing into an NSS database.
In order to work in FIPS mode stronger encryption is required.
The default OpenSSL certificate algo is 40-bit RC2 which is not
allowed in FIPS mode. The default private key algo is 3DES.
Use AES-128 instead for both.
Fixes: https://pagure.io/freeipa/issue/7948
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
b7533d9c by Alexander Bokovoy at 2019-05-14T14:52:29-04:00
Use nodejs 1.10 to avoid current issues with nodejs 1.11 in Fedora 30
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
58fe6fac by Alexander Bokovoy at 2019-05-14T14:52:29-04:00
Set up CI with Azure Pipelines
Sets up a pipeline to run FreeIPA build and tests in Azure Pipelines.
Azure Pipelines provides 10 parallel free runners for open source projects.
Use them to run following jobs:
- Build: build RPMs and Fedora 30 container with them
- Lint: run linting of the source code
- Tox: run py36,pypi,pylint tests using Tox
- Web UI unit tests: run Web UI unit tests with Grunt/QUnit/PhantomJS
- XMLRPC tests: install FreeIPA server and run XMLRPC tests against it
All jobs are running in Fedora 30 containers. Build, Lint, Tox, and Web
UI unit tests run inside f30/fedora-toolbox container. Build job
generates a container with pre-installed FreeIPA packages using official
fedora:30 container. All containers are picked up from
registry.fedoraproject.org.
Artifacts from the build job are pushed to a pipeline storage and reused
in the XMLRPC tests. They also are accessible in the 'Summary' tab to
download.
XUnit and QUnit outputs from the tests that produce it are reported in
the 'Tests' tab.
Logs from individual steps from each job are available for review in
the 'Logs' tab. They also can be downloaded.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
9cb6817b by Alexander Bokovoy at 2019-05-16T09:51:45+03:00
azure-run-tests: handle single unexpanded parameter too
If TESTS_TO_RUN contains a single parameter that cannot be expanded,
bash will not perform brace elimination. Remove braces manually.
For example, TESTS_TO_RUN='test_xmlrpc/test_*.py' will not expand
outside of ipatests and the script would generate
tests_to_run=-k{test_xmlrpc/test_*.py}
Braces then will prevent actual ipa-run-tests execution from matching
any of XMLRPC tests.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c41b3ae9 by Alexander Bokovoy at 2019-05-16T09:51:45+03:00
fix selenium imports in automount web UI test
Fixes: https://pagure.io/freeipa/issue/7942
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
245a8bcd by Alexander Bokovoy at 2019-05-16T09:51:45+03:00
test_legacy_clients: fix class inheritance
Fixes: https://pagure.io/freeipa/issue/7940
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
74f3ca5d by Alexander Bokovoy at 2019-05-16T09:51:45+03:00
i18n_messages: get back a locale needed for testing
Commit f49fac7bda8150aee2086be9afdbe4eb81c3f18a added a special
workaround to get fr-fr locale translations installed when running
tests in Travis CI.
Get it back to Azure Pipelines.
Fixes: https://pagure.io/freeipa/issue/7951
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
289f9c7e by Christian Heimes at 2019-05-16T13:20:38+02:00
Delay import of SSSDConfig
SSSDConfig is not available on PyPI.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4b7e81fb by Christian Heimes at 2019-05-16T13:20:38+02:00
Replace imports from ipaserver
The ipatests/test_integration/ package only uses ipaserver in a few
places. Copy some simple constants to decouple the packages.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
8bd469c5 by Christian Heimes at 2019-05-16T13:20:38+02:00
Don't import ipaserver in conf.py
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
984a44a4 by Christian Heimes at 2019-05-16T13:20:38+02:00
integration plugins import ldif
Make ipatests depend on python-ldap.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2d22fdaf by Christian Heimes at 2019-05-16T13:20:38+02:00
Forbid imports of ipaserver and install packages
ipatests' plugin and integration tests must no longer import ipaserver
or ipa*.install packages.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a4254489 by Florence Blanc-Renaud at 2019-05-16T14:28:00+02:00
Fix expected file permissions for ghost files
File permissions from the rpm freeipa-server-common and
freeipa-client-common do not match the runtime permissions. This results
in mode failures on rpm -Va.
Fix the expected file permissions on rpm spec file for
/var/lib/ipa/pki-ca/publish
/var/named/dyndb-ldap/ipa
/etc/ipa/pwdfile.txt
/etc/pki/ca-trust/source/ipa.p11-kit
(new format SQLite)
/etc/ipa/nssdb/cert9.db
/etc/ipa/nssdb/key4.db
/etc/ipa/pkcs11.txt
(old format DBM)
/etc/ipa/cert8.db
/etc/ipa/key3.db
/etc/ipa/secmod.db
The commit also fixes the file permissions for
/etc/httpd/conf.d/ipa-pki-proxy.conf (644)
during server installation, and the group ownership.
Fixes: https://pagure.io/freeipa/issue/7934
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
7fe10d99 by Florence Blanc-Renaud at 2019-05-16T14:28:00+02:00
ipatests: add integration test checking the files mode
The test runs rpm -V in order to check that the file
permissions are consistent with the expectations set
in the spec file. The file mode, owner and group are
checked.
Related to https://pagure.io/freeipa/issue/7934
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
6662e99e by Rob Crittenden at 2019-05-16T14:38:43-04:00
Add knob to limit hostname length
On Linux systems the length limit for hostnames is hardcoded
at 64 in MAXHOSTNAMELEN
Solaris, for example, allows 255 characters, and DNS allows the
total length to be up to 255 (with each label < 64).
Add a knob to allow configuring the maximum hostname length (FQDN)
The same validators are used between hosts and DNS to apply
the knob only when dealing with a FQDN as a hostname.
The maxlen option is included so installers can limit the length
of allowed hostnames when the --hostname option is used.
https://pagure.io/freeipa/issue/2018
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
6a9c20a8 by Serhii Tsymbaliuk at 2019-05-21T14:45:27+02:00
Fix occasional 'whoami.data is undefined' error in FreeIPA web UI
'Metadata' phase (Web UI initialization flow) doesn't wait "whoami" response.
It causes the error when on the next phase "whoami" data is undefined.
To avoid this "whoami" request now has flag async = false,
so init_metadata waits until it will be completed.
Ticket: https://pagure.io/freeipa/issue/7917
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
5263c36c by Stanislav Levin at 2019-05-21T13:07:45-04:00
Respect TMPDIR, TEMP or TMP environment variables during testing
The FreeIPA uses its own classes for managing temp files and
directories for tests. One of its underlying low-level functions
is `mkdtemp`.
According to documentation for `mkdtemp`:
```
If dir is not None, the file will be created in that directory; otherwise, a
default directory is used. The default directory is chosen from a
platform-dependent list, but the user of the application can control the
directory location by setting the TMPDIR, TEMP or TMP environment variables.
```
It's actually the truth,
/usr/lib64/python3.7/tempfile.py:
```
def _candidate_tempdir_list():
"""Generate a list of candidate temporary directories which
_get_default_tempdir will try."""
dirlist = []
# First, try the environment.
for envname in 'TMPDIR', 'TEMP', 'TMP':
dirname = _os.getenv(envname)
if dirname: dirlist.append(dirname)
# Failing that, try OS-specific locations.
if _os.name == 'nt':
dirlist.extend([ _os.path.expanduser(r'~\AppData\Local\Temp'),
_os.path.expandvars(r'%SYSTEMROOT%\Temp'),
r'c:\temp', r'c:\tmp', r'\temp', r'\tmp' ])
else:
dirlist.extend([ '/tmp', '/var/tmp', '/usr/tmp' ])
```
For now, there is a hardcoded assertion of a temp directory (`/tmp`) in
IPA tests. But some systems use the mentioned environment variables
(for example, pam_mktemp https://www.openhub.net/p/pam_mktemp).
It's easy to check an actual temp dir via `gettempdir`.
Fixes: https://pagure.io/freeipa/issue/7956
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
9cd88587 by Florence Blanc-Renaud at 2019-05-22T17:53:13+02:00
CA: set ipaconfigstring:compatCA in cn=DOMAIN IPA CA
Commit fa50068 introduced a regression. Previously, the
upgrade plugin upload_cacrt was setting the attribute
ipaconfigstring: compatCA in the entry
cn=DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,BASEDN
After commit fa50068, the value is not set any more. As a
consequence, the LDAP entry is not identified as the CA and
CA renewal does not update the entry
cn=CAcert,cn=certificates,cn=ipa,cn=etc,BASEDN.
RHEL 6 client rely on this entry to retrieve the CA and
client install fails because cn=CAcert is out-of-date.
The fix makes sure that upload_cacrt plugin properly sets
ipaconfigstring: compatCA in the entry
cn=DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,BASEDN
Fixed: https://pagure.io/freeipa/issue/7928
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
48041033 by Florence Blanc-Renaud at 2019-05-22T17:53:13+02:00
ipatests: CA renewal must refresh cn=CAcert
Add a test checking that the entry cn=CAcert,cn=ipa,cn=etc,BASEDN
is properly updated when the CA is renewed
The test also checks that the entry
cn=DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,BASEDN properly
contains ipaconfigstring: compatCA
ipaconfigstring: ipaCA
Related to https://pagure.io/freeipa/issue/7928
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e3f35843 by Tibor Dudlák at 2019-05-22T18:20:22+02:00
Moving prompt for NTP options to install_check
In a interactive installation of freeipa server a promt asks for NTP related
options after install_check has been called. As it may cause confusion to users
moving to install_check methods where the prompt for other options is being done.
Refactored sync_time() method to use passed parameters ntp_servers and ntp_pool.
Resolves: https://pagure.io/freeipa/issue/7930
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Oleg Kozlov <okozlov at redhat.com>
- - - - -
be39d3a9 by Tibor Dudlák at 2019-05-22T18:20:22+02:00
ipatests: Add Unattended option to external ca task
After resolving https://pagure.io/freeipa/issue/7930
an unattended option alongsede with -r 'REALM' option
needs to be passed to tasks which lacks ntp options.
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Oleg Kozlov <okozlov at redhat.com>
- - - - -
c9c8b3e0 by Kaleemullah Siddiqui at 2019-05-23T09:58:18+02:00
Order of master and replica corrected in logger.info
Order of master/replica was incorect which has been
corrected
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
67490acb by Thierry Bordaz at 2019-05-24T12:42:51+02:00
Switch nsslapd-unhashed-pw-switch to nolog
389-ds will change the default value of nsslapd-unhashed-pw-switch from 'on' to 'off'
For new or upgraded IPA instance, in case of winsync deployment the attribute is set
to 'on' and a warning is displayed. Else the attribute is set to 'nolog'
https://pagure.io/freeipa/issue/4812
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
64d187e5 by Florence Blanc-Renaud at 2019-05-24T17:18:56-04:00
NSSDatabase: fix get_trust_chain
In the get_trust_chain method, use certutil -O with the option
--simple-self-signed to make sure that self-signed certs properly
get processed.
Note: this option has been introduced in nss 3.38 and our spec file
already requires nss >= 3.41.
Scenario: when IPA CA is switched from self-signed to externally-signed,
then back to self-signed, the same nickname can be used in
/etc/pki/pki-tomcat/alias for the initial cert and the renewed certs. If
the original and renewed certs are present in the NSS db, running
$ certutil -O -n <IPA CA alias>
produces a complex output like the following (this command is used to find
the trust chain):
"CN=Cert Auth,O=ExtAuth" [CN=Cert Auth,O=ExtAuth]
"caSigningCert cert-pki-ca" [CN=Certificate Authority,O=DOMAIN.COM]
"caSigningCert cert-pki-ca" [CN=Certificate Authority,O=DOMAIN.COM]
The renewal code is disturbed by this output.
If, on the contrary, certutil -O --simple-self-signed -n <IPA CA alias> is
used to extract the trust chain, the output is as expected for a self-signed
cert:
"caSigningCert cert-pki-ca" [CN=Certificate Authority,O=DOMAIN.COM]
As a result, the scenario self-signed > externally signed > self-signed
works.
Fixes: https://pagure.io/freeipa/issue/7926
Reviewed-By: Oleg Kozlov <okozlov at redhat.com>
- - - - -
6a2c356d by Alexander Bokovoy at 2019-05-28T09:55:51+03:00
ipa-run-tests: add support of globs for test targets and ignores
ipa-run-tests expands arguments passed with their full paths. However,
it doesn't support expanding globs, so targets like 'test_ipa*' cannot
be specified.
Expand the code that replaces '--ignore foo' and 'foo' positional
arguments with support for '--ignore foo*' and 'foo*'.
This allows to reduce a number of additional steps in the CI pipeline
preparation.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
c8ef093e by Alexander Bokovoy at 2019-05-28T09:55:51+03:00
Azure Pipelines: simplify test job definitions
Rewrite templates to make test job declarations simpler and easier to
work with.
A test job template can be instantiated this way:
- template: templates/test-jobs.yml
parameters:
jobName: Base
jobTitle: Base tests
testsToRun:
- test_cmdline
- test_install
- test_ipaclient
- test_ipalib
- test_ipaplatform
- test_ipapython
testsToIgnore:
- test_integration
- test_webui
- test_ipapython/test_keyring.py
taskToRun: run-tests
Both 'testsToRun' and 'testsToIgnore' accept arrays of test matches.
Wildcards also supported:
....
testsToRun:
- test_xmlrpc/test_hbac*
....
'taskToRun' specifies a script ipatests/azure/azure-${taskToRun}.sh that
will be executed in the test environment to actually start tests.
Parameters 'testsToRun' and 'testsToIgnore' define TESTS_TO_{RUN,IGNORE}
variables that will be set in the environment of the test script. These
variables will have entries from the parameters separated by a space.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
5230e2a1 by Alexander Bokovoy at 2019-05-28T09:55:51+03:00
Azure Pipelines: run fast linter in case of a pull request build
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
53a0fa91 by Alexander Bokovoy at 2019-05-28T09:55:51+03:00
LDAPCreate: allow callers to override objectclasses
LDAPCreate class explicitly allows use of --setattr/--addattr options to
pass-in additional configuration or override some of the framework
decisions. However, changes to objectclasses are ignored.
We have a number of plugins where additional attributes and their values
are generated at creation time. For example, ipa-sidgen plugin generates
ipaNTSecurityIdentifier value on LDAP ADD operation when objectclasses
include a specific object class and some other attributes (uidNumber,
gidNumber) do present in the LDAP mods.
Allow to override object-specific LDAP objectclasses by the
--setattr/--addattr option values.
Related: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
ef67dece by Alexander Bokovoy at 2019-05-28T09:55:51+03:00
ldap2.can_read: fix py3 compatibility
As with commit b37d18288d, can_read() method does not need to decode
a string in Python 3. can_read() wasn't used anywhere in the code,
apparently.
Related: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
6163cbc1 by Alexander Bokovoy at 2019-05-28T09:55:51+03:00
test_ipagetkeytab: allow testing LDAP connection beyond bind operation
Convert use_keytab() function into a context manager to allow additional
operations to be done as part of the test. Also pass proper credentials
cache file to the backend while connecting to LDAP so that right creds
are in use.
This is required to perform actual tests for use of the retrieved keys.
Related: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
0f891c6a by Alexander Bokovoy at 2019-05-28T09:55:51+03:00
test_ipagetkeytab: factor out DM password reader
Related: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
b5fbbd19 by Alexander Bokovoy at 2019-05-28T09:55:51+03:00
Keytab retrieval: allow requesting arcfour-hmac for SMB services
With system-wide crypto policy in use, arcfour-hmac encryption type
might be removed from the list of permitted encryption types in the MIT
Kerberos library. Applications aren't prevented to use the arcfour-hmac
enctype if they operate on it directly.
Since FreeIPA supported and default encryption types stored in LDAP, on
the server side we don't directly use a set of permitted encryption
types provided by the MIT Kerberos library. However, this set will be
trimmed to disallow arcfour-hmac and other weaker types by default.
While the arcfour-hmac key can be generated and retrieved, MIT Kerberos
library will still not allow its use in Kerberos protocol if it is not
on the list of permitted encryption types. We only need this workaround
to allow setting up arcfour-hmac key for SMB services where arcfour-hmac
key is used to validate communication between a domain member and its
domain controller. Without this fix it will not be possible to request
setting up a machine account credential from the domain member side. The
latter is needed for Samba running on IPA client.
Thus, extend filtering facilities in ipa-pwd-extop plugin to explicitly
allow arcfour-hmac encryption type for SMB services (Kerberos principal
name starts with cifs/).
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
46234f0c by Alexander Bokovoy at 2019-05-28T09:55:51+03:00
test_ipagetkeytab: test retrieval of explicit encryption types
In order to test a fix for https://pagure.io/freeipa/issue/7953,
we need to create a keytab with a particular encryption type
(arcfour-hmac) and attempt to request generation of ipaNTHash attribute
from Kerberos keys in LDAP.
Add a test case that performs this operation.
Related: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
a9bcf531 by Alexander Bokovoy at 2019-05-28T09:55:51+03:00
ipa-pwd-extop: do not remove MagicRegen mod, replace it
In 2012, ldbm backend in 389-ds started checking entry modification
after running betxnpreop plugins by comparing a number of modifications
before and after. If that number didn't change, it is considered that
plugins didn't modify the list.
ipa-pwd-extop actually removed and re-added modification to ipaNTHash if
it contained 'MagicRegen' value. This did not work since commit
https://pagure.io/389-ds-base/c/6c17ec56076d34540929acbcf2f3e65534060a43
but we were lucky nothing in FreeIPA code actually relied on that except
some code paths in ipasam Samba passdb driver. However, Samba didn't
reach the point where the code was triggered -- until now.
With support to run Samba as a domain member in IPA domain, that code
path is triggered for Kerberos service principals of domain members
(cifs/client.example.test, ...) and NT hash extraction from Kerberos
keys does not work.
Fix ipa-pwd-extop to follow recommendations in
https://pagure.io/389-ds-base/issue/387#comment-120145 and
https://pagure.io/389-ds-base/issue/50369#comment-570696
Fixes: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
3f33ac88 by Stanislav Levin at 2019-05-28T10:01:23+03:00
Make `pycodestyle` results identical
Currently, pycodestyle is running on:
- make fastlint:
`$(PYTHON) -m pycodestyle --diff`
According to docs:
```
The project options are read from the [pycodestyle] section of the
tox.ini file or the setup.cfg file located in any parent folder of the
path(s) being processed.
```
So, pycodestyle respects tox.ini:
```
[pycodestyle]
# E402 module level import not at top of file
# W504 line break after binary operator
ignore = E402, W504
```
- PR Travis `lint`:
`pycodestyle --ignore=W504 --diff &> $PEP8_ERROR_LOG ||:`
According to docs:
```
Please note that if the option –ignore=errors is used, the
default configuration will be overridden and ignore only the
check(s) you skip.
```
So, pycodestyle doesn't respect tox.ini.
For now, fastlint ignores E402, W504, while Travis lint ignores only W504..
This issue is exposed by Azure Pipelines, which employs fastlint.
Fixes: https://pagure.io/freeipa/issue/7962
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
891d54e4 by Fraser Tweedale at 2019-05-28T10:03:00+03:00
dn: handle multi-valued RDNs in Name conversion
When applying DN to a cryptography.x509.Name, multi-valued RDNs get
"flattened" into separate RDNs. Update the constructor to correctly
handle Name values with multi-valued RDNs.
Fixes: https://pagure.io/freeipa/issue/7963
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f9b22283 by Fraser Tweedale at 2019-05-28T10:04:30+03:00
add test for external CA key size sanity check
We recently added validation of externally-signed CA certificate to
ensure certificates signed by external CAs with too-small keys
(according to system crypto policy) are rejected.
Add an integration test that attempts to renew with a 1024-bit
external CA, and asserts failure.
Part of: https://pagure.io/freeipa/issue/7761
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
581b7148 by Mohammad Rizwan Yusuf at 2019-05-28T09:43:40+02:00
Test if ipactl restart restarts the pki-tomcatd
Wrong logic was triggering the start instead of restart
for pki-tomcatd. This test validates that restart
called on pki-tomcat properly.
related ticket : https://pagure.io/freeipa/issue/7927
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
ef324a7f by German Parente at 2019-05-28T09:47:55+02:00
ipa-replica-manage: remove "last init status" if it's None.
we remove the "last init status" section in the output of
ipa-replica-manage to avoid confusion and show epoch date
when status is None
Fixes: https://pagure.io/freeipa/issue/7716
Signed-off-by: German Parente <gparente at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
0b21e2ab by Florence Blanc-Renaud at 2019-05-28T15:02:49-04:00
ipatests: add integration test for ipa-replica-manage list
The command
ipa-replica-manage list -v <node>
can display:
last init ended: 1970-01-01 00:00:00+00:00
last init status: None
when called on a node that never had total update.
The fix for 7716 modifies the command so that it doesn't print
those lines when there is no last init status.
This commit adds a new test checking the output of
ipa-replica-manage list -v <node>.
Related to: https://pagure.io/freeipa/issue/7716
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
a2a006c7 by Fraser Tweedale at 2019-05-29T12:49:27+10:00
Extract ca_renewal cert update subroutine
When the CA renewal master renews certificates that are shared
across CA replicas, it puts them in LDAP for the other CA replicas
to see. The code to create/update these entries lives in the
dogtag-ipa-ca-renew-agent renewal helper, but it will be useful for
the ipa-cert-fix program too. Extract it to a subroutine in the
cainstance module.
Part of: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
c28a42e2 by Fraser Tweedale at 2019-05-29T12:49:27+10:00
cainstance: add function to determine ca_renewal nickname
The ipa-cert-fix program needs to know where to put shared
certificates. Extract the logic that computes the nickname from
dogtag-ipa-ca-renew-agent to new subroutine
cainstance.get_ca_renewal_nickname().
Part of: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
a3becc76 by Fraser Tweedale at 2019-05-29T12:49:27+10:00
constants: add ca_renewal container
Part of: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
09aa3d1f by Fraser Tweedale at 2019-05-29T12:49:27+10:00
Add ipa-cert-fix tool
The ipa-cert-fix tool wraps `pki-server cert-fix`, performing
additional certificate requests for non-Dogtag IPA certificates and
performing additional actions. In particular:
- Run cert-fix with arguments particular to the IPA deployment.
- Update IPA RA certificate in the ipara user entry (if renewed).
- Add shared certificates (if renewed) to the ca_renewal LDAP
container for replication.
- Become the CA renewal master if shared certificates were renewed.
This ensures other CA replicas, including the previous CA renewal
master if not the current host, pick up those new certificates
when Certmonger attempts to renew them.
Fixes: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
a9f09fee by Fraser Tweedale at 2019-05-29T12:49:27+10:00
ipa-cert-fix: add man page
Part of: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
e41b7457 by Fraser Tweedale at 2019-05-29T12:49:27+10:00
ipa-cert-fix: use customary exit statuses
It is customary to return 2 when IPA is not configured, and 1 when
other required bits are not installed or configured. Update
ipa-cert-fix exit statuses accordingly.
Part of: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
72027226 by Fraser Tweedale at 2019-05-29T12:49:27+10:00
require Dogtag 10.7.0-1
Dogtag 10.7 includes the 'pki-server cert-fix' enhancements required
by ipa-cert-fix. Bump the dep min bound.
Part of: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
582cc7da by Fraser Tweedale at 2019-05-29T12:49:27+10:00
ipa-cert-fix: handle 'pki-server cert-fix' failure
When DS cert is expired, 'pki-server cert-fix' will fail at the
final step (restart). When this case arises, ignore the
CalledProcessError and continue.
We can't know for sure if the error was due to failure of final
restart, or something going wrong earlier. But if it was a more
serious failure, the next step (installing the renewed IPA-specific
certificates) will fail.
Part of: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
162dce1c by Fraser Tweedale at 2019-05-29T12:49:27+10:00
ipa-cert-fix: fix spurious renewal master change
We only want to become the renewal master if we actually renewed a
shared certificate. But there is a bug in the logic; even if the
only Dogtag certificate to be renewed is the 'sslserver' (a
non-shared certificate), the renewal master will be reset. Fix the
bug.
A static type system would have excluded this bug.
Part of: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
f30f040d by Fraser Tweedale at 2019-05-29T12:49:27+10:00
avoid realm_to_serverid deprecation warning
ipaserver.installutils.realm_to_serverid was deprecated. Use
ipapython.ipaldap.realm_to_serverid instead.
Part of: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
3f02fc94 by Sergey Orlov at 2019-05-29T10:44:41+03:00
ipatests: new tests for establishing one-way AD trust with shared secret
Tests added for two scenarios:
1) adding one-way external trust, trust on Windows side is created using
netdom utility.
2) adding one-way forest trust, trust on Windows side is created using
powershell bindings to .Net functions
Tests verify that specified trusts can be established, trust domains can
be fetched and AD user data can be queried by IPA client.
Relates: https://pagure.io/freeipa/issue/6077
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
- - - - -
c0d40880 by Armando Neto at 2019-06-04T09:42:41-03:00
Bump PR-CI template version
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
8f4ca395 by Alexander Bokovoy at 2019-06-05T10:47:40+03:00
azure tests: make sure /etc/docker folder exists
Azure tests fail because we couldn't configure docker for IPv6 anymore.
This happened because we weren't able to copy our configuration file to
/etc/docker -- looks like the docker directory does not exist.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
cd2b2443 by Sergey Orlov at 2019-06-05T14:45:57+02:00
ipatests: allow to relax security of LDAP connection from controller to IPA host
The Host.ldap_connect() method uses LDAPClient from ipapython package.
In a3934a21 we started to use secure connection from tests controller to
ipa server. And also 5be9341f changed the LDAPClient.simple_bind method
to forbid password based authentiction over insecure connection.
This makes it imposible to establish ldap connection in some test
configurations where hostnames known to ipa server do not match ones known
to tests controller (i.e. when host.hostname != host.external_hostname)
because TLS certificate is issued for host.hostname and test controller
tries to verify it against host.external_hostname.
A sublass of LDAPClient is provided which allows to skip certificate check.
Fixes: https://pagure.io/freeipa/issue/7960
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
f606d820 by Rob Crittenden at 2019-06-05T13:18:45-04:00
Stop using 389-ds legacy backup and restoration utilities
Use dsctl instead, the modern replacement for ldif2db, db2ldif,
bak2db and db2bak.
https://pagure.io/freeipa/issue/7965
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
21777e4b by Rob Crittenden at 2019-06-05T15:28:57-04:00
When reading SSH pub key don't assume last character is newline
The code was attempting to strip off any trailing newline and then
calling lstrip() on the rest.
This assumes that the key has a trailing newline. At best this
can cause the last character of the comment to be lost. If there
is no comment it will fail to load the key because it is invalid.
Patch by Félix-Antoine Fortin <felix-antoine.fortin at calculquebec.ca>
https://pagure.io/freeipa/issue/7959
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
1d03afc9 by Kaleemullah Siddiqui at 2019-06-06T16:51:55+02:00
Tests for autounmembership feature
New feature of autounmembership added in 389-ds-base
https://pagure.io/389-ds-base/issue/50077
Tests for autounmembership feature has been added in
this PR
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
1284bf15 by Rob Crittenden at 2019-06-07T11:24:45+02:00
Drop list of return values to be ignored in AdminTool
This was an attempt to suppress client uninstallation failure
messages in the server uninstallation script. This method
inadvertently also suppressed client uninstallation messages and
was generally confusing.
This reverts part of b96906156be37a7b29ee74423b82f04070c84e22
https://pagure.io/freeipa/issue/7836
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
c1c50650 by Rob Crittenden at 2019-06-07T11:24:45+02:00
Return 0 on uninstall when on_master for case of not installed
This is to suppress the spurious error message:
The ipa-client-install command failed.
when the client is not configured.
This is managed by allowing a ScriptError to return SUCCESS (0)
and have this ignored in log_failure().
https://pagure.io/freeipa/issue/7836
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
cef4edd3 by Rob Crittenden at 2019-06-07T11:24:45+02:00
Fix expected return code in tests when server is uninstalled
It is likely that these were fixed by the original change
b96906156be37a7b29ee74423b82f04070c84e22 but was uncaught because
these tests are not executed in CI because the server is configured.
https://pagure.io/freeipa/issue/7836
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
07f7e3ea by Florence Blanc-Renaud at 2019-06-10T12:02:17+02:00
ipatests: fix test_caless.py
Commit e3f3584 introduced an additional prompt in ipa-server-install
"Do you want to configure chrony with NTP server or pool address?".
The test is building a string passed to stdin in interactive mode
but this string has not been updated with the additional answer for
this new question.
This commit answers 'no' to the question and allows to proceed with
the ipa server installation.
Fixes: https://pagure.io/freeipa/issue/7969
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
df99680e by Fraser Tweedale at 2019-06-11T15:52:06+10:00
.gitignore: add ipa-cert-fix program
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
ad747297 by Fraser Tweedale at 2019-06-11T16:14:44+10:00
dn: sort AVAs when converting from x509.Name
Equal DNs with multi-valued RDNs can compare inequal if one (or
both) is constructed from a cryptography.x509.Name, because the AVAs
in the multi-valued RDNs are not being sorted.
Sort the AVAs when constructing from Name and add test cases for
equality checks on multi-valued RDNs constructed from inputs with
permuted AVA order.
Part of: https://pagure.io/freeipa/issue/7963
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
7ec0976c by Rob Crittenden at 2019-06-11T09:25:31-04:00
tests: Wait for automember rebuild --no-wait tasks to finish
The behavior of automember changed with the design
https://www.port389.org/docs/389ds/design/automember-postop-modify-design.html
such that members are "cleaned up" first then re-added. This has
the effect of removing members that no longer apply to a rule.
This was breaking the automember rebuild tests because sometimes
the tests were faster than 389-ds causing memberships to be missed.
This does a client-side wait for the task to finish up so still
exercises the rebuild code.
https://pagure.io/freeipa/issue/7972
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
10b721d1 by Rob Crittenden at 2019-06-11T19:42:50+02:00
admintool: don't display log file on errors unless logging is setup
The admintool will display the message when something goes wrong:
See %s for more information" % self.log_file_name
This is handy except when finally logging setup is not done
yet so the log file doesn't actually get written to.
This can happen if validation catches and raises an exception.
Fixes: https://pagure.io/freeipa/issue/7952
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
6ec3c84c by Florence Blanc-Renaud at 2019-06-11T15:40:58-04:00
ipatests: fix test_backup_and_restore.py::TestBackupAndRestore
The test test_backup_and_restore.py::TestBackupAndRestore
test_full_backup_and_restore_with_selinux_booleans_off
requires SELinux to be enabled because it's using
getsebool command.
Skip the test if SELinux is disabled.
Fixes: https://pagure.io/freeipa/issue/7970
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c191c257 by François Cami at 2019-06-13T23:13:43+02:00
Hidden replica documentation: fix typo
The hidden replica documentation mentioned using
$ ipa server-state <hostname> --state=enable
whereas the right command is
$ ipa server-state <hostname> --state=enabled
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
910ff25b by Florence Blanc-Renaud at 2019-06-13T23:24:01+02:00
ipatests: fix TestUserPermissions::test_selinux_user_optimized
This test requires SELinux and fails if selinux is disabled
(because it's calling semanage login -l).
The vagrant images currently in use in the nightly tests
are configured with selinux disabled. Add skipif marker when
selinux is disabled.
Fixes: https://pagure.io/freeipa/issue/7974
Reviewed-By: François Cami <fcami at redhat.com>
- - - - -
77bfd5f9 by Stanislav Levin at 2019-06-16T20:32:31+03:00
Resolve tox substitutions to absolute paths
Since tox-3.8.0 the substituted virtualenv-paths of tox
(like {envpython} or {envsitepackagesdir}) have become relative.
The documentation says nothing about this. Thus, these paths
should always be resolved as absolute.
https://github.com/tox-dev/tox/issues/1339
Fixes: https://pagure.io/freeipa/issue/7977
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
02d6fc74 by Christian Heimes at 2019-06-17T14:31:12+10:00
Bump release number to 4.7.91
rpm sorts pre1 release after dev releases. To have dev releases override
pre releases in upstream, the patch level must be bumped after every pre
release.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
854d3053 by Fraser Tweedale at 2019-06-18T10:36:24+10:00
Handle missing LWCA certificate or chain
If lightweight CA key replication has not completed, requests for
the certificate or chain will return 404**. This can occur in
normal operation, and should be a temporary condition. Detect this
case and handle it by simply omitting the 'certificate' and/or
'certificate_out' fields in the response, and add a warning message
to the response.
Also update the client-side plugin that handles the
--certificate-out option. Because the CLI will automatically print
the warning message, if the expected field is missing from the
response, just ignore it and continue processing.
** after the Dogtag NullPointerException gets fixed!
Part of: https://pagure.io/freeipa/issue/7964
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
c027b933 by Christian Heimes at 2019-06-18T10:36:24+10:00
Fix CustodiaClient ccache handling
A CustodiaClient object has to the process environment a bit, e.g. set
up GSSAPI credentials. To reuse the credentials in libldap connections,
it is also necessary to set up a custom ccache store and to set the
environment variable KRBCCNAME temporarily.
Fixes: https://pagure.io/freeipa/issue/7964
Co-Authored-By: Fraser Tweedale <ftweedal at redhat.com>
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
e08a340a by Armando Neto at 2019-06-18T14:15:15+10:00
Add Fedora 30 test definitions and bump template version
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
3a233a90 by François Cami at 2019-06-19T11:09:53+10:00
nfs.py: fix user creation
nfs.py calls "ipa user-add" without inputting the password twice
leading to a timeout. Input password twice then.
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
d16dd2fd by Stanislav Levin at 2019-06-19T19:20:14+10:00
Fix Pytest4.1+ warnings about pytest.config
pytest.config global is deprecated since Pytest4.1:
https://docs.pytest.org/en/latest/deprecations.html#pytest-config-global
https://github.com/pytest-dev/pytest/issues/3050
Fixes: https://pagure.io/freeipa/issue/7981
Co-authored-by: Christian Heimes <cheimes at redhat.com>
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
9836511a by Stanislav Levin at 2019-06-19T19:20:14+10:00
Fix Pytest4.x warning about `message`
"message" parameter of pytest.raises is deprecated since Pytest4.1:
```
It is a common mistake to think this parameter will match the
exception message, while in fact it only serves to provide a custom
message in case the pytest.raises check fails.
```
That was the truth for test_unrecognised_attr_type_raises, which has
wrongly checked an exception message.
Fixes: https://pagure.io/freeipa/issue/7981
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
d86b57c0 by Stanislav Levin at 2019-06-19T11:39:51+02:00
Make use of the single configuration point for the default shells
For now all the default shells of users and admin are hardcoded in
different parts of the project. This makes it impossible to run the
test suite against the setup, which has the default shell differed
from '/bin/sh'.
The single configuration point for the shell of users and admin is
added to overcome this limitation.
Fixes: https://pagure.io/freeipa/issue/7978
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
6d02eddd by Christian Heimes at 2019-06-24T09:35:57+02:00
Replace PYTHONSHEBANG with valid shebang
Replace the @PYTHONSHEBANG@ substitution with a valid #!/usr/bin/python3
shebang. This turns Python .in files into valid Python files. The files
can now be checked with pylint and IDEs recognize the files as Python
files.
The shebang is still replaced with "#!$(PYTHON) -E" to support
platform-python.
Related: https://pagure.io/freeipa/issue/7984
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
ac86707d by Christian Heimes at 2019-06-24T10:00:37+02:00
Increase default debug level of certmonger
By default certmonger does not log operations. With debug level 2,
certmonger logs errors and operations to journald. An increased debug
level makes it easier to investigate problems.
Fixes: https://pagure.io/freeipa/issue/7986
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
0184e967 by Rob Crittenden at 2019-06-24T14:04:03+02:00
Log the raised message when DNS check_zone_overlap fails
The check can fail for a lot of other reasons than there is
overlap so the error should be logged.
This causes confusion when --auto-reverse is requested and
some lookup fails causing the reverse to not be created.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
8f7d3335 by Stanislav Levin at 2019-06-25T09:33:06-04:00
Make use of `named` well-known service
The systemd unit name of `named`(which is actually used) is platform-dependent:
debian - bind9-pkcs11.service
fedora - named-pkcs11.service
redhat - named-pkcs11.service
Other systems may have their own name of `bind` service.
But the default one (`named-pkcs11`) is assumed in many tests.
Of course, these tests fail on such platforms.
This can be easily fixed.
All platforms define well-knownservice `named`, which is linked to
the actually utilized one.
Fixes: https://pagure.io/freeipa/issue/7990
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e9c4dcdb by Florence Blanc-Renaud at 2019-06-25T11:02:59-04:00
stageuser-find: fix search with non-posix user
ipa stageuser-find fails to return a staged user if it does not
contain the posixaccount objectclass.
The code is replacing the search filter (objectclass=posixaccount)
with (|(objectclass=posixaccount)(objectclass=inetorgperson)) so it
should work in theory.
The issue is that on python2 the filter has been hexlified before
reaching the stageuser plugin, hence filter.replace does not recognize
the pattern (objectclass=posixaccount).
The fix consists in creating the filter with a call to
ldap.make_filter_from_attr()
that will hexlify too, if needed.
Fixes: https://pagure.io/freeipa/issue/7983
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
0294ad21 by Florence Blanc-Renaud at 2019-06-25T11:02:59-04:00
ipatests: add a test for stageuser-find with non-posix account
Add a new XMLRPC test with the following scenario:
- ldapadd a user without the posixaccount objectclass
- call ipa stageuser-find <user>
- check that 1 entry is returned
Related: https://pagure.io/freeipa/issue/7983
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
34bfffd1 by Alexander Bokovoy at 2019-06-26T10:50:45+02:00
adtrust upgrade: fix wrong primary principal name
Upgrade code had Kerberos principal names mixed up: instead of creating
krbtgt/LOCAL-FLAT at REMOTE and marking LOCAL-FLAT$@REMOTE as an alias to
it, it created LOCAL-FLAT$@REMOTE Kerberos principal and marked
krbtgt/LOCAL-FLAT at REMOTE as an alias.
This differs from what Active Directory expects and what is created by
ipasam plugin when trust is established. When upgrading such deployment,
an upgrade code then unexpectedly failed.
Resolves: https://pagure.io/freeipa/issue/7992
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
cc348b99 by François Cami at 2019-06-26T12:55:06+02:00
ipa-client-automount: fix '--idmap-domain DNS' logic
Previously '--idmap-domain DNS' would assume the Domain
parameter of idmapd.conf was already absent. With this
fix, the Domain parameter is always removed and the
configuration file is always backuped.
Related-to: https://pagure.io/freeipa/issue/7918
Fixes: https://pagure.io/freeipa/issue/7988
Signed-off-by: François Cami fcami at redhat.com
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
694c3667 by François Cami at 2019-06-26T12:55:06+02:00
ipatests: add proper timeouts to nfs.py
When tests for https://pagure.io/freeipa/issue/7918 were
written no sleep interval was provided between calls to
ipa-client-automount leading to random test failures.
Add sleep intervals.
Related-to: https://pagure.io/freeipa/issue/7918
Related-to: https://pagure.io/freeipa/issue/7988
Signed-off-by: François Cami fcami at redhat.com
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
b5bb436e by Stanislav Levin at 2019-06-26T20:47:58+03:00
Exit on fail in azure multiline script
By default, the `last` exit code returned from Azure script will be
checked and, if non-zero, treated as a step failure. Luckily,
for Linux script is a shortcut for Bash. Hence errexit/e option
could be applied. But Azure pipelines doesn't set it by default:
https://github.com/microsoft/azure-pipelines-agent/issues/1803
For multiline script this is a problem, unless otherwise designed.
Some of benefits of checking the result of each subcommand:
- preventing subsequent issues (broken packages, container images, etc.)
- time saving (next steps will not run)
- good diagnostics (tells which part of script fails)
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
881ec5a3 by Serhii Tsymbaliuk at 2019-06-27T10:10:40+02:00
WebUI: Fix 'user not found' traceback on user ID override details page
Disable link to user page from user ID override in case it is in 'Default Trust View'
Ticket: https://pagure.io/freeipa/issue/7139
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
7af4c7d4 by Alexander Bokovoy at 2019-06-27T16:50:15+03:00
adtrust upgrade: fix wrong primary principal name, part 2
Second part of the trust principals upgrade
For existing LOCAL-FLAT$@REMOTE object, convert it to
krbtgt/LOCAL-FLAT at REMOTE and add LOCAL-FLAT$@REMOTE as an alias. To do
so we need to modify an entry content a bit so it is better to remove
the old entry and create a new one instead of renaming.
Resolves: https://pagure.io/freeipa/issue/7992
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
54836bce by François Cami at 2019-06-27T19:49:50+02:00
test_nfs.py: change pr-ci configuration to run on master_2repl_1client
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
c0cf65c4 by François Cami at 2019-06-28T10:53:07+02:00
Move ipa-client-automount.in and ipactl into modules
Fixes: https://pagure.io/freeipa/issue/7984
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
b49c627a by François Cami at 2019-06-28T10:53:07+02:00
ipa_client_automount.py and ipactl.py: fix codestyle
Updating ipa_client_automount.py and ipactl.py's codestyle is
mandatory to make pylint pass as these are considered new files.
Fixes: https://pagure.io/freeipa/issue/7984
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
37ab150c by François Cami at 2019-06-28T10:53:07+02:00
Introduce minimal ipa-client-automount.in and ipactl.in
Now that ipa-client-automount and ipactl main logic has been
moved into modules, introduce minimal executables.
Fixes: https://pagure.io/freeipa/issue/7984
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
6c9fcccf by Alexander Bokovoy at 2019-06-28T13:30:59+02:00
trust-fetch-domains: make sure we use right KDC when --server is specified
Since we are authenticating against AD DC before talking to it (by using
trusted domain object's credentials), we need to override krb5.conf
configuration in case --server option is specified.
The context is a helper which is launched out of process with the help
of oddjobd. The helper takes existing trusted domain object, uses its
credentials to authenticate and then runs LSA RPC calls against that
trusted domain's domain controller. Previous code directed Samba
bindings to use the correct domain controller. However, if a DC visible
to MIT Kerberos is not reachable, we would not be able to obtain TGT and
the whole process will fail.
trust_add.execute() was calling out to the D-Bus helper without passing
the options (e.g. --server) so there was no chance to get that option
visible by the oddjob helper.
Also we need to make errors in the oddjob helper more visible to
error_log. Thus, move error reporting for a normal communication up from
the exception catching.
Resolves: https://pagure.io/freeipa/issue/7895
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
986e16da by Anuja More at 2019-06-28T14:26:20+02:00
ipatests: POSIX attributes are no longer overwritten or missing
Added test which validates that POSIX attributes, such
as shell or home directory, are no longer overwritten or missing.
Related Ticket : https://pagure.io/SSSD/sssd/issue/2474
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
84201e1d by Alexander Bokovoy at 2019-06-29T11:00:28+03:00
adtrust: add design document for Samba domain member on IPA client
Document general design for Samba file server running on IPA client as a
domain member in IPA domain.
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
cdb94e0f by Alexander Bokovoy at 2019-06-29T11:00:28+03:00
ipaserver.install.installutils: move commonly used utils to ipapython.ipautil
When creating ipa-client-samba tool, few common routines from the server
installer code became useful for the client code as well.
Move them to ipapython.ipautil and update references as well.
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
d85e0550 by Alexander Bokovoy at 2019-06-29T11:00:28+03:00
ipapython.ipautil.run: allow skipping stdout/stderr logging
There are cases when output from a utility run contains sensitive
content that is better to avoid logging. For example, klist can be told
to show actual encryption keys with -K option. Redacting them out with
nolog option to ipapython.ipautil.run() is not possible because
replacement routine expects exact matches.
Introduce two boolean options that allow to skip printing output from
the utility being run:
-- nolog_output: skip printing captured stdout
-- nolog_error: skip printing captured stderr
These options default to False (thus, stdout/stderr content will
continue to be printed). In case they were set to True, corresponding
line will contain
stdout=<REDACTED>
or
stderr=<REDACTED>
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
a4235262 by Alexander Bokovoy at 2019-06-29T11:00:28+03:00
ipasam: add lookup of an account by SID
Samba may ask for an account based on a SID value. Implement a callback
to return a result of such lookup since we should have SID for every
domain account that is supposed to be usable through SMB protocol.
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
91abd1f6 by Alexander Bokovoy at 2019-06-29T11:00:28+03:00
ipasam: add handling of machine accounts
Domain member is represented for SMB as a machine account with
NetBIOS name ending with '$', e.g. 'FILESERVER$'. Such name will need to
be resolved as a POSIX account by smbd at some point but first we need
to make sure it is returned as a machine account through PASSDB layer.
In addition to that, machine accounts are normal Kerberos services,
named as 'cifs/<hostname>@REALM'. This name also will need to be
resolved as a POSIX account by smbd on the domain controller.
These two factors mean that LDAP entry for SMB kerberos service has to
have multiple 'uid' values. This is allowed by the LDAP schema and we
need to support it in ipasam.
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
653f7207 by Alexander Bokovoy at 2019-06-29T11:00:28+03:00
kdb: support SMB services on IPA domain members
SMB service on IPA domain member will have both ipaIDOjbect and ipaUser
object classes. Such service will have to be treated as a user in order
to issue MS-PAC record for it.
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
d631e008 by Alexander Bokovoy at 2019-06-29T11:00:28+03:00
adtrust: update Samba domain controller keytab with host keys
When DCERPC clients use Kerberos authentication, they use a service
ticket to host/domain.controller because in Active Directory any
service on the host is an alias to the machine account object.
In FreeIPA each Kerberos service has own keys so host/.. and cifs/..
do not share the same keys. It means Samba suite needs to have access to
host/.. keytab entries to validate incoming DCERPC requests.
Unfortunately, MIT Kerberos has no means to operate on multiple keytabs
at the same time and Samba doesn't implement this either. We cannot use
GSS-Proxy as well because Samba daemons are running under root.
As a workaround, copy missing aes256 and aes128 keys from the host
keytab. SMB protocol doesn't use other encryption types and we don't
have rc4-hmac for the host either.
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
afb8305a by Alexander Bokovoy at 2019-06-29T11:00:28+03:00
ipaserver.plugins.service: add service-add-smb to set up an SMB service
SMB service has a number of predefined properties that must be set at a
creation time. Thus, we provide a special command that handles all the
needed changes. In addition, since SMB principal name is predefined, it
is generated automatically based on the machine hostname.
Since we generate the service's object primary key, its argument/option
should be removed from the list of the command's arguments and options.
We also remove those options that make no sense in the context of SMB
service.
Most controversial would probably be a lack of the authentication
indicator that could be associated with the service. However, this is
intended: SMB service on the domain member is used by both humans and
other SMB services in the domain. Thus, it is not possible to require a
specific authentication indicator to be present: automated acquisition
of the credentials by a domain controller or other domain member machine
accounts is based on a single factor creds and cannot be changed.
Access to SMB service should be regulated on the SMB protocol level,
with access controls in share ACLs.
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
814592cf by Alexander Bokovoy at 2019-06-29T11:00:28+03:00
ipa-client-samba: a tool to configure Samba domain member on IPA client
Introduces new utility to configure Samba on an IPA domain member.
The tool sets up Samba configuration and internal databases, creates
cifs/... Kerberos service and makes sure that a keytab for this service
contains the key with the same randomly generated password that is set
in the internal Samba databases.
Samba configuration is created by querying an IPA master about details
of trust to Active Directory configuration. All known identity ranges
added to the configuration to allow Samba to properly handle them
(read-only) via idmap_sss.
Resulting configuration allows connection with both NTLMSSP and Kerberos
authentication for IPA users. Access controls for the shared content
should be set by utilizing POSIX ACLs on the file system under a
specific share.
The utility is packaged as freeipa-client-samba package to allow pulling
in all required dependencies for Samba and cifs.ko (smb3.ko) kernel
module. This allows an IPA client to become both an SMB server and an
SMB client.
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
e25392e9 by Alexander Bokovoy at 2019-06-29T11:00:28+03:00
prci: add test_integration/test_smb to the gating set
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
6b2efdfa by François Cami at 2019-06-29T12:29:46+03:00
Makefile.am: add .in files to fastlint target
Previously fastlint would only process .py files.
Detect which .in files are in fact Python files and add
them to the list of files to process during the fastlint
Makefile target.
Original change suggested by Alexander Bokovoy.
Fixes: https://pagure.io/freeipa/issue/7984
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
93dc2d56 by Serhii Tsymbaliuk at 2019-07-01T09:05:07+02:00
WebUI: Disable 'Unlock' action for users with no password
Administrator should reset user password to make the unlock option available.
Ticket: https://pagure.io/freeipa/issue/5062
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
dd7198ac by Serhii Tsymbaliuk at 2019-07-01T09:10:01+02:00
WebUI: Fix automount maps pagination
Apply pagination filter for cases when all table data is already loaded.
Ticket: https://pagure.io/freeipa/issue/6627
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
bb91fcab by Florence Blanc-Renaud at 2019-07-01T09:16:21+02:00
dnsrecord-mod: allow to modify ttl without passing the record
The command
ipa dnsrecord-mod <zone> <record> --ttl
requires to provide at least one record to modify. When none
is specified, it prompts by proposing each of the existing records,
for instance:
ipa dnsrecord-mod ZZZZZ.org ns11 --ttl=86400
No option to modify specific record provided.
Current DNS record contents:
A record: xxx.xxx.xxx.xxx
AAAA record: xxxx:xx
Modify A record 'xxxx.xxxx.xxxx.xxxx'? Yes/No (default No):
Modify AAAA record 'xxxx:xx'? Yes/No (default No):
ipa: ERROR: No options to modify a specific record provided.
The admin should be able to modify the TTL value without
re-entering the record information. The issue happens because of an
internal check that forgot to consider 'dnsttl' as a valid standalone
modification.
Fixes: https://pagure.io/freeipa/issue/7982
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f25a7c2e by Florence Blanc-Renaud at 2019-07-01T09:16:21+02:00
XMLRPC tests: add new test for ipa dsnrecord-mod $ZONE $RECORD --ttl
The test suite did not have any test for modification of the TTL
of an existing DNS record.
Related: https://pagure.io/freeipa/issue/7982
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
339771b0 by Tibor Dudlák at 2019-07-01T13:21:21+02:00
Remove unreachable code
Removing same elsif from install_check method.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
c18ee9b6 by Tibor Dudlák at 2019-07-01T13:21:21+02:00
Add SMB attributes for users
SMB attributes are used by Samba domain controller when reporting
details about IPA users via LSA DCE RPC calls.
Based on the initial work from the external plugin:
https://github.com/abbra/freeipa-user-trust-attributes
Related: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Signed-off-by: Tibor Dudlák <tdudlak at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
215e8f76 by Stanislav Levin at 2019-07-01T14:44:57+03:00
Fix a typo in `replace` rule of 50-ipaconfig.update
According to ipaserver/install/ldapupdate.py, the format of `replace`
action (during a parsing of update files) should be `old::new`.
By now, the value to be replaced on is 'ipaSELinuxUserMapOrder: guest_u$$...',
while it should be 'guest_u$$...'.
Fixes: https://pagure.io/freeipa/issue/7996
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
b2acd650 by Stanislav Levin at 2019-07-01T14:44:57+03:00
Make use of single configuration point for SELinux
For now, FreeIPA supports SELinux things as they are in RedHat/Fedora.
But different distributions may have their own SELinux customizations.
This moves SELinux configuration out to platform constants:
- SELINUX_MCS_MAX
- SELINUX_MCS_REGEX
- SELINUX_MLS_MAX
- SELINUX_MLS_REGEX
- SELINUX_USER_REGEX
- SELINUX_USERMAP_DEFAULT
- SELINUX_USERMAP_ORDER
and applies corresponding changes to the test code.
Fixes: https://pagure.io/freeipa/issue/7996
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c484d79e by Rob Crittenden at 2019-07-01T14:55:29+02:00
For Fedora and RHEL use system-wide crypto policy for mod_ssl
Drop the SSLProtocol directive for Fedora and RHEL systems. mod_ssl
will use crypto policies for the set of protocols.
For Debian systems configure a similar set of protocols for what
was previously configured, but do it in a different way. Rather than
iterating the allowed protocols just include the ones not allowed.
Fixes: https://pagure.io/freeipa/issue/7667
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
b57c818f by Christian Heimes at 2019-07-01T14:55:29+02:00
Use only TLS 1.2 by default
TLS 1.3 is causing some trouble with client cert authentication.
Conditional client cert authentication requires post-handshake
authentication extension on TLS 1.3. The new feature is not fully
implemented yet.
TLS 1.0 and 1.1 are no longer state of the art and now disabled by
default.
TLS 1.2 works everywhere and supports PFS.
Related: https://pagure.io/freeipa/issue/7667
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
a43100ba by Rob Crittenden at 2019-07-02T10:35:00+03:00
Don't configure disabled krb5 enctypes in FIPS mode
The only permitted ciphers are the AES family (called aes, which
is the combination of: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and
aes128-cts-hmac-sha256-128).
DES, RC4, and Camellia are not permitted in FIPS mode. While 3DES
is permitted, the KDF used for it in krb5 is not, and Microsoft
doesn't implement 3DES anyway.
This is only applied on new installations because we don't
allow converting a non-FIPS install into a FIPS one.
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
dd9fd097 by Rob Crittenden at 2019-07-02T10:35:00+03:00
Remove DES3 and RC4 enctypes from Kerberos
These are already marked as deprecated by the KDC.
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
258cacb1 by Rob Crittenden at 2019-07-02T10:35:00+03:00
Add test_smb to night Fedora 30 test suite
This exercises the removal of 3DES and RC4 via Samba.
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e6b28947 by Alexander Bokovoy at 2019-07-02T10:36:28+03:00
translations: update from Zanata Spanish and Ukrainian translations
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
71884176 by Florence Blanc-Renaud at 2019-07-02T10:41:25+03:00
ipatests: fix ipatests/test_xmlrpc/test_dns_plugin.py
The test is calling dnsrecord-mod --ttl and should expect a unicode
value in order to be python2/python3 compatible.
Related: https://pagure.io/freeipa/issue/7982
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
672d808e by Armando Neto at 2019-07-02T12:16:24+02:00
prci: bump ci-master-f30 template
No major changes, dependencies updated.
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
b5534488 by Christian Heimes at 2019-07-02T16:38:00+02:00
Use system-wide crypto policy for TLS ciphers
IPA now uses the system-wide crypto policy for TLS ciphers on RHEL. It's
also now possible to keep the default policy by setting TLS_HIGH_CIPHERS
to None.
Fixes: https://pagure.io/freeipa/issue/7998
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f6b07c19 by Armando Neto at 2019-07-03T08:07:32+02:00
prci: fix nightly_master test definitions
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
7027f791 by François Cami at 2019-07-03T08:13:39+02:00
Make dnf more robust and faster
Sometimes the prepare-build step of azure pipelines fails
with download errors:
"configure: error: Package requirements (nspr) were not met:"
This can be due to fastestmirror not being used to check
mirror availability and sometimes speed. Combined with a
too-low default number of retries, and a high timeout this
can lead to download failures that could be avoided.
Activate fastestmirror, add more download workers, and tune
timeout/retries to make dnf more reliable.
Fixes: https://pagure.io/freeipa/issue/7999
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
15db8785 by Alexander Bokovoy at 2019-07-03T09:29:22+03:00
Become IPA 4.8.0
- - - - -
21a5938a by Alexander Bokovoy at 2019-07-03T09:32:41+03:00
Changing IPA master back to git snapshots
- - - - -
56b1b5ac by Alexander Bokovoy at 2019-07-03T09:40:11+03:00
Set git master to 4.9.0
- - - - -
d2c92927 by Christian Heimes at 2019-07-04T10:43:51+02:00
Use nis-domainname.service on all RH platforms
RHEL 8 and Fedora >= 29 use "nis-domainname.service" as service name for
domainname service. Remove special code in ipaplatform.rhel and for Fedora
< 28. Only Fedora 29+ is supported by IPA 4.8.
Fixes: https://pagure.io/freeipa/issue/8004
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
0d15eb78 by Sergey Orlov at 2019-07-04T15:46:59+02:00
ipatests: add test for sudo with runAsUser and domain resolution order.
Running commands with sudo as specific user should succeed
when sudo rule has ipasudorunas field defined with value of that user
and domain-resolution-order is defined in ipa config.
Relates to https://pagure.io/SSSD/sssd/issue/3957
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
47406552 by Sergey Orlov at 2019-07-04T15:46:59+02:00
ipatests: mark test_domain_resolution_order as expectedly failing
SSSD fix have not yet landed in Fedora 29 and below.
Relates to https://pagure.io/SSSD/sssd/issue/3957
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
be7f54d4 by François Cami at 2019-07-08T17:30:24+02:00
ipatests/azure: display actual dnf repo URLs
Display which dnf repositories were available at the
prepare-build step via metalink.
Also display the fastestmirror cache.
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
ac1ea0ec by Stanislav Levin at 2019-07-15T14:41:23+03:00
Fix `test_webui.test_selinuxusermap`
A previous refactoring of SELinux tests has have a wrong
assumption about the user field separator within
ipaSELinuxUserMapOrder. That was '$$', but should be just '$'.
Actually, '.ldif' and '.update' files are passed through
Python template string substitution:
> $$ is an escape; it is replaced with a single $.
> $identifier names a substitution placeholder matching
> a mapping key of "identifier"
This means that the text to be substituted on should not be escaped.
The wrong ipaSELinuxUserMapOrder previously set will be replaced on
upgrade.
Fixes: https://pagure.io/freeipa/issue/7996
Fixes: https://pagure.io/freeipa/issue/8005
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
843f57ab by Sergey Orlov at 2019-07-15T14:35:51+02:00
ipatests: new test for trust with partially unreachable AD topology
Establishing trust with partially unavailable AD hosts require usage
of --server option. The new test checks that both commands trust-add
and trust-fetch-domains properly use this option and also that
trust-add correctly passes the server value when imlicitly invoking
trust-fetch-domains.
Relates to: https://pagure.io/freeipa/issue/7895.
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
ef39e1b0 by Florence Blanc-Renaud at 2019-07-15T17:08:21+03:00
upgrade: remove ipaCert and key from /etc/httpd/alias
With ipa 4.5+, the RA cert is stored in files in
/var/lib/ipa/ra-agent.{key|pem}. The upgrade code handles
the move from /etc/httpd/alias to the files but does not remove
the private key from /etc/httpd/alias.
The fix calls certutil -F -n ipaCert to remove cert and key,
instead of -D -n ipaCert which removes only the cert.
Fixes: https://pagure.io/freeipa/issue/7329
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
2312b38a by Stanislav Levin at 2019-07-16T13:23:21+03:00
Simplify ipa-run-tests script
This is a sort of rollback to the pre #93c158b05 state with
several improvements.
For now, the nodeids calculation by ipa-run-tests is not stable,
since it depends on current working directory. Nodeids (tests
addresses) are utilized by the other plugins, for example.
Unfortunately, the `pytest_load_initial_conftests` hook doesn't
correctly work with pytest internal paths, since it is called
after the calculation of rootdir was performed, for example.
Eventually, it's simpler to follow the default convention for
Python test discovery.
There is at least one drawback of new "old" implementation.
The ignore rules don't support globs, because pytest 4.3.0+
has the same facility via `--ignore-glob`:
> Add the `--ignore-glob` parameter to exclude test-modules with
> Unix shell-style wildcards. Add the collect_ignore_glob for
> conftest.py to exclude test-modules with Unix shell-style
> wildcards.
Upon switching to pytest4 it will be possible to utilize this.
Anyway, tests for checking current basic facilities of
ipa-run-tests were added.
Fixes: https://pagure.io/freeipa/issue/8007
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a2d4e2a6 by Stanislav Levin at 2019-07-16T13:23:21+03:00
Make use of Azure Pipeline slicing
The unit tests execution time within Azure Pipelines(AP) is not
balanced. One test job(Base) takes ~13min, while another(XMLRPC)
~28min. Fortunately, AP supports slicing:
> An agent job can be used to run a suite of tests in parallel. For
example, you can run a large suite of 1000 tests on a single agent.
Or, you can use two agents and run 500 tests on each one in parallel.
To leverage slicing, the tasks in the job should be smart enough to
understand the slice they belong to.
>The step that runs the tests in a job needs to know which test slice
should be run. The variables System.JobPositionInPhase and
System.TotalJobsInPhase can be used for this purpose.
Thus, to support this pytest should know how to split the test suite
into groups(slices). For this, a new internal pytest plugin was added.
About plugin.
- Tests within a slice are grouped by test modules because not all of
the tests within the module are independent from each other.
- Slices are balanced by the number of tests within test module.
- To run some module within its own environment there is a dedicated
slice option (could help with extremely slow tests)
Examples.
- To split `test_cmdline` tests into 2 slices and run the first one:
ipa-run-tests --slices=2 --slice-num=1 test_cmdline
- To split tests into 2 slices, then to move one module out to its own slice
and run the second one:
ipa-run-tests --slices=2 --slice-dedicated=test_cmdline/test_cli.py \
--slice-num=2 test_cmdline
Fixes: https://pagure.io/freeipa/issue/8008
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c7500220 by Stanislav Levin at 2019-07-16T13:23:21+03:00
Avoid use of '/tmp' for pip operations
`ipa-run-tests` is not an entry_point script, so
pip during an installation of ipatests package checks
if the file path is executable. If not - just don't set
the executable permission bits.
pip's working directory defaults to /tmp/xxx.
Thus, if /tmp is mounted with noexec such scripts lose
their executable ability after an installation into
virtualenv. This was found on Travis +
freeipa/freeipa-test-runner:master-latest docker image.
Build directory of pip could be changed via env variable
PIP_BUILD, for example.
Fixes: https://pagure.io/freeipa/issue/8009
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
5530911f by Alexander Bokovoy at 2019-07-17T13:10:34+03:00
Fix rpmlint errors for Rawhide
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
- - - - -
d55c9b6d by Alexander Bokovoy at 2019-07-17T13:10:34+03:00
Use any nodejs version instead of forcing a version before nodejs 11
Fedora nodejs builds were fixed, we don't need to limit ourselves
anymore.
Also, make sure python3-pyyaml is installed because pylint in Fedora 31
detects its use in contribs/
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
- - - - -
0187a746 by Alexander Bokovoy at 2019-07-17T13:10:34+03:00
Use stage and phase attempt counters when saving test artifacts
Azure Pipelines provide counters for running test jobs, these split into
System.StageAttempt and System.PhaseAttempt. Use them to make test
artifacts unique.
For XML test results we don't need to name them differently as they
aren't uploaded as artifacts but rather presented in a separate test
pane.
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
- - - - -
5a83eea2 by Alexander Bokovoy at 2019-07-17T17:50:07+03:00
Add altSecurityIdentities attribute from MS-WSPP schema definition
Active Directory schema includes altSecurityIdentities attribute
which presents alternative security identities for a bindable object in
Active Directory.
FreeIPA doesn't currently use this attribute. However, SSSD certmap
library may generate searches referencing the attribute if it is
specified in the certificate mapping rule. Such search might be
considered unindexed in 389-ds.
Define altSecurityIdentities attribute to allow specifying indexing
rules for it.
Fixes: https://pagure.io/freeipa/issue/7932
Related: https://pagure.io/freeipa/issue/7933
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
72589959 by Alexander Bokovoy at 2019-07-17T17:50:07+03:00
Create indexes for altSecurityIdentities and ipaCertmapData attributes
During an investigation into filter optimisation in 389DS it was
discovered that two attributes of the certmap query are unindexed.
Due to the nature of LDAP filters, if any member of an OR query is
unindexed, the entire OR becomes unindexed.
This is then basically a full-table scan, which applies the filter test
to the contained members.
Fixes: https://pagure.io/freeipa/issue/7932
Fixes: https://pagure.io/freeipa/issue/7933
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
41ca4d48 by Alexander Bokovoy at 2019-07-17T17:50:07+03:00
certmap rules: altSecurityIdentities should only be used for trusted domains
IPA LDAP has no altSecurityIdentities in use, it only should apply to
identities in trusted Active Directory domains.
Add checks to enforce proper certmap rule attribution for specific
Active Directory domains.
Related: https://pagure.io/freeipa/issue/7932
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
95c2b34c by Alexander Bokovoy at 2019-07-17T17:50:07+03:00
certmaprule: add negative test for altSecurityIdentities
Try to create a certmap rule that mentiones altSecurityIdentities in its
mapping rule but uses IPA domain to apply to. It should fail with
ValidationError.
Related: https://pagure.io/freeipa/issue/7932
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
130e1dc3 by Fraser Tweedale at 2019-07-17T17:58:58+03:00
move MSCSTemplate classes to ipalib
As we expand the integration tests for external CA functionality, it
is helpful (and avoids duplication) to use the MSCSTemplate*
classes. These currently live in ipaserver.install.cainstance, but
ipatests is no longer permitted to import from ipaserver (see commit
81714976e5e13131654c78eb734746a20237c933). So move these classes to
ipalib.
Part of: https://pagure.io/freeipa/issue/7548
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
21a9a710 by Fraser Tweedale at 2019-07-17T17:58:58+03:00
install: fix --external-ca-profile option
Commit dd47cfc75a69618f486abefb70f2649ebf8264e7 removed the ability
to set pki_req_ext_oid and pki_req_ext_data in the pkispawn config.
This results in the --external-ca-profile option never setting the
requested values in the CSR (the default V1 template type specifying
"SubCA" is always used).
Remove relevant fields from both ipaca_default.ini and
ipaca_customize.ini. This allows the IPA framework to set the
values (i.e. when --external-ca-type=ms-cs and
--external-ca-profile=... demand it). It also allows users to
override the pki_req_ext_* settings.
Part of: https://pagure.io/freeipa/issue/7548
Related: https://pagure.io/freeipa/issue/5608
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
7171142a by Fraser Tweedale at 2019-07-17T17:58:58+03:00
Fix use of incorrect variable
Part of: https://pagure.io/freeipa/issue/7548
Related: https://pagure.io/freeipa/issue/5608
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
b15bd50e by Fraser Tweedale at 2019-07-17T17:58:58+03:00
Add more tests for --external-ca-profile handling
Add tests for remaining untested scenarios of --external-ca-profile
handling in ipa-server-install.
ipa-ca-install and ipa-cacert-manage remain untested at present.
Fixes: https://pagure.io/freeipa/issue/7548
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
80e76f09 by Fraser Tweedale at 2019-07-17T17:58:58+03:00
Collapse --external-ca-profile tests into single class
To avoid having to spawn new CI hosts for each kind of
--external-ca-profile argument we are testing, collapse the three
separate test classes into one. Uninstall the half-installed IPA
after each section of tests.
This change is in response to review comment
https://github.com/freeipa/freeipa/pull/2852#pullrequestreview-220442170.
Part of: https://pagure.io/freeipa/issue/7548
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
2c8352fe by Fraser Tweedale at 2019-07-17T17:58:58+03:00
ci: add --external-ca-profile tests to nightly
Part of: https://pagure.io/freeipa/issue/7548
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
33f39d88 by Fraser Tweedale at 2019-07-17T17:58:58+03:00
ci: add --external-ca-profile tests to gating
Part of: https://pagure.io/freeipa/issue/7548
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
e771fa59 by Rob Crittenden at 2019-07-19T13:13:34-04:00
Remove posixAccount from service_find search filter
This will allow cifs principals to be found. They were suppressed
because they include objectclass=posixAccount.
This is a bit of a historical anomaly. This was included in the
filter from the initial commit (though it was person, not
posixAccount). I believe it was a mistake from the beginning but
it wasn't noticed because it didn't cause any obvious issues.
https://pagure.io/freeipa/issue/8013
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
3c388f5a by Fraser Tweedale at 2019-07-22T13:33:24+10:00
dogtaginstance: add profile to tracking requests
Enabling "fresh" renewals (c.f. "renewal"-based renewals that
reference the expired certificate and its associated request object)
will improve renewal robustness.
To use fresh renewals the tracking request must record the profile
to be used. Make dogtaginstance record the profile when creating
tracking requests for both CA and KRA.
Note that 'Server-Cert cert-pki-ca' and the 'IPA RA' both use
profile 'caServerCert', which is the default (according to
dogtag-ipa-renew-agent which is part of Certmonger). So we do not
need any special handling for those certificates.
This commit does not handle upgrade. It will be handled in a
subsequent commit.
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
f6f6f83d by Fraser Tweedale at 2019-07-22T13:33:24+10:00
upgrade: add profile to Dogtag tracking requests
To use profile-based renewal (rather than "renewal existing cert"
renewal which is brittle against database corruption or deleted
certificate / request objects), Certmonger tracking requests for
Dogtag system certs must record the profile to be used.
Update the upgrade method that checks tracking requests to look for
the profile. Tracking requests will be recreated if the expected
data are not found. The code that actually adds the tracking
requests was updated in a previous commit.
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
858ef599 by Fraser Tweedale at 2019-07-22T13:33:24+10:00
certmonger: use long options when invoking dogtag-ipa-renew-agent
To aid reader comprehension, use long options instead of short
options when invoking dogtag-ipa-renew-agent.
-N -> --force-new
-O -> --approval-option
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1fb6fda0 by Fraser Tweedale at 2019-07-22T13:33:24+10:00
dogtag-ipa-ca-renew-agent: always use profile-based renewal
Update the renewal helper to always request a new certificate
("enrollment request") instead of using "renewal request". The
latter is brittle in the face of:
- missing certificate record in database
- missing original request record in database (pointed to by
certificate record)
- "mismatched" certificate or request records (there have been many
cases of this; it is suspected that request/serial range conflicts,
or something similar, may be the cause)
The Dogtag tracking request must know what profile to use, except
where the certificate uses the default profile ("caServerCert" per
'dogtag-ipa-renew-agent' implementation in Certmonger itself).
This part of the puzzle was dealt with in previous commits.
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
588f1ddc by Fraser Tweedale at 2019-07-22T13:33:24+10:00
dogtaginstance: avoid special cases for Server-Cert
The Dogtag "Server-Cert cert-pki-ca" certificate is treated
specially, with its own track_servercert() method and other special
casing. But there is no real need for this - the only (potential)
difference is the token name. Account for the token name difference
with a lookup method and treat all Dogtag system certs equally
w.r.t. tracking request creation and removal.
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
4f4e2f96 by Fraser Tweedale at 2019-07-22T13:33:24+10:00
upgrade: always add profile to tracking requests
The profile for every Dogtag system cert tracking request is now
explicitly specified. So remove the code that handled unspecified
profiles.
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
482866e4 by Fraser Tweedale at 2019-07-22T13:33:24+10:00
upgrade: update KRA tracking requests
The upgrade routine checks tracking requests for CA system
certificates, IPA RA and HTTP/LDAP/KDC service certificates. If a
tracking request matching our expectations is not found, we stop
tracking all certificates, then create new tracking requests with
the correct configuration.
But the KRA was left out. Add checks for KRA certificates, and
remove/recreate KRA tracking requests when appropriate.
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
2d22f568 by Fraser Tweedale at 2019-07-22T13:33:24+10:00
upgrade: log missing/misconfigured tracking requests
For better diagnostics during upgrade, log the Certmonger tracking
requests that were not found (either because they do not exist, or
do not have the expected configuration).
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
fa567558 by Fraser Tweedale at 2019-07-22T13:33:24+10:00
upgrade: fix spurious certmonger re-tracking
The search for the HTTP Certmonger tracking request uses an
incorrect parameter ('key-storage'), triggering removal and
recreation of tracking requests on every upgrade. Replace
'key-storage' with the correct parameter, 'key-file'.
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1bf008a6 by Fraser Tweedale at 2019-07-22T13:33:24+10:00
cainstance: add profile to IPA RA tracking request
Profile-based renewal means we should always explicitly specify the
profile in tracking requests that use the dogtag-ipa-ca-renew-agent
renewal helper. This includes the IPA RA agent certificate. Update
CAInstance.configure_agent_renewal() to add the profile to the
tracking request. This also covers the upgrade scenario (because
the same method gets invoked).
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
bb779baa by Fraser Tweedale at 2019-07-22T13:33:24+10:00
Use RENEWAL_CA_NAME and RA_AGENT_PROFILE constants
Replace renewal CA and profile name literals with corresponding
symbols from ipalib.constants.
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
65d9a9be by Fraser Tweedale at 2019-07-22T13:33:24+10:00
ipatests: test ipa-server-upgrade in CA-less deployment
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
f5822e3a by Rob Crittenden at 2019-07-22T13:33:24+10:00
httpinstance: add pinfile when tracking certificate
When the HTTP certificate gets untracked then tracked again, it
loses its pin file. Ensure we add the pin file when (re-)tracking
the HTTP certificate.
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
b7ad1157 by Fraser Tweedale at 2019-07-22T13:33:24+10:00
dsinstance: add proflie when tracking certificate
When the DS certificate gets untracked then tracked again (via
dsinstance.start_tracking_certificate()), it loses its profile
configuration. Although it is the default profile, we want to
retain the explicit reference. Ensure we add the profile when
re-tracking the DS certificate.
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
6316a006 by Serhii Tsymbaliuk at 2019-07-22T11:28:46+02:00
WebUI tests: Fix timeout issues for reset password tests
- Increase wait timeout after password reset
- Wait for server response after login in TestLoginScreen.test_reset_password_and_login_view
Ticket: https://pagure.io/freeipa/issue/8012
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
94b4af55 by Christian Heimes at 2019-07-25T15:16:33-04:00
Add PKCS#11 module name to p11helper errors
The p11helper module now includes the name of the PKCS#11 shared library
in error messages.
Fixes: https://pagure.io/freeipa/issue/8015
Co-Authored-By: Mikhail Novosyolov <m.novosyolov at rosalinux.ru>
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
b52d40b0 by Sumedh Sidhaye at 2019-07-25T15:21:39-04:00
Test: To check ipa replica-manage del <FQDN> does not fail
Problem:
If a replica installation fails before all the services have been enabled then
it could leave things in a bad state.
ipa-replica-manage del <replica> --cleanup --force
invalid 'PKINIT enabled server': all masters must have IPA master role enabled
Test Steps:
1. Setup server
2. Setup replica
3. modify the replica entry on Master:
dn: cn=KDC,cn=<replica hostname>,cn=masters,cn=ipa,cn=etc,dc=<test>,dc=<realm>
changetype: modify
delete: ipaconfigstring
ipaconfigstring: enabledService
dn: cn=KDC,cn=<replica hostname>,cn=masters,cn=ipa,cn=etc,dc=<test>,dc=<realm>
add: ipaconfigstring
ipaconfigstring: configuredService
4. On master,
run ipa-replica-manage del <replicaFQDN> --cleanup --force
Related Ticket: https://pagure.io/freeipa/issue/7929
Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
5e97e800 by Florence Blanc-Renaud at 2019-07-26T10:47:30+02:00
Azure pipeline: report failure in prepare-build step
The azure pipeline defines a "prepare build" step that
installs the FreeIPA development dependencies but the
step does not report failures of the dnf builddep command.
As a consequence, subsequent steps may fail (for instance
because of components not installed such as tox) but are
hard to diagnose.
The fix reports the command failure.
Fixes: https://pagure.io/freeipa/issue/8022
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
68b85703 by François Cami at 2019-07-26T10:49:54+02:00
ipatests: test multiple invocations of ipa-client-samba --uninstall
Related-to: https://pagure.io/freeipa/issue/8019
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
5b65551b by François Cami at 2019-07-26T10:49:54+02:00
ipa-client-samba: remove and restore smb.conf only on first uninstall
Fixes: https://pagure.io/freeipa/issue/8019
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
ed6ee90c by François Cami at 2019-07-26T10:49:54+02:00
ipatests: test ipa-client-samba after --uninstall
Related-to: https://pagure.io/freeipa/issue/8021
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
cd2cbaec by François Cami at 2019-07-26T10:49:54+02:00
ipa-client-samba: remove state on uninstall
The "domain_member" state was not removed at uninstall time.
Remove it so that future invocations of ipa-client-samba work.
Fixes: https://pagure.io/freeipa/issue/8021
Signed-off-by: François Cami <fcami at redhat.com>
https://pagure.io/freeipa/issue/8021
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
de1fa7cc by Sumedh Sidhaye at 2019-07-26T15:18:53+02:00
Test: Test to check whether ssh from ipa client to ipa master is successful after adding ldap_deref_threshold=0 in sssd.conf
Problem: After adding ldap_deref_threshold=0 setting for sssd on master for
performance enhancement ssh from ipa client was failing
Test Procedure:
1. setup a master
2. add ldap_deref_threshold=0 to sssd.conf on master
3. add an ipa user
4. ssh from controller to master using the user created in step 3
Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
6af723c0 by Serhii Tsymbaliuk at 2019-07-26T18:10:02+02:00
WebUI: Add PKINIT status field to 'Configuration' page
- Add 'Server Options' section to the page
- Add 'IPA master capable of PKINIT' field to the 'Server Options'
Ticket: https://pagure.io/freeipa/issue/7305
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
f16ea8e6 by Serhii Tsymbaliuk at 2019-07-29T17:38:45+02:00
WebUI tests: Fix request timeout for test_trust
Because of intergration with AD server response can take time more then 1 minute.
So request_timeout is increased to 120s.
Ticket: https://pagure.io/freeipa/issue/8024
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
11e40336 by Florence Blanc-Renaud at 2019-07-30T09:39:06+02:00
test_xmlrpc: fix TestAutomemberFindOrphans.test_find_orphan_automember_rules
Test scenario:
- create a hostgroup
- create a host
- create an automember rule for the hostgroup with a condition fulfilled
by the host
- delete the hostgroup
- call automember-rebuild (1)
- call automember-find-orphans to remove the orphan automember group
- call automember-rebuild(2)
The test was expecting the first rebuild command to fail but this
assumption is not true if the DS version is >= 1.4.0.22 because of the
fix for https://pagure.io/389-ds-base/issue/50077
Modify the test so that it expects failure only when DS is older.
Fixes: https://pagure.io/freeipa/issue/7902
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
402246a7 by François Cami at 2019-07-30T12:01:27+02:00
ipapython/admintool.py: use SERVER_NOT_CONFIGURED
Commit 9182917280a5c2590fa677729db54b38a9ac4d1f introduced
SUCCESS, SERVER_INSTALL_ERROR and SERVER_NOT_CONFIGURED to
deal with cases when server is not configured.
Actually use SERVER_NOT_CONFIGURED in log_failure instead of 2.
Related-to: https://pagure.io/freeipa/issue/6843
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
a66124ba by François Cami at 2019-07-30T18:57:53+02:00
prci_definitions: add master_3client topology
Some tests would benefit from using a multi-client topology.
As PR-CI now supports master_3client, use it.
Fixes: https://pagure.io/freeipa/issue/8026
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
21cd9775 by François Cami at 2019-07-30T23:42:54+02:00
test_nfs.py: switch to tasks.config_replica_resolvconf_with_master_data()
Previously test_nfs.py would implement its own method to configure
resolv.conf leading to cleanup failures in some cases.
Use tasks.config_replica_resolvconf_with_master_data() instead.
Also simplify and fix client uninstall.
Fixes: https://pagure.io/freeipa/issue/7949
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
526b85a6 by François Cami at 2019-07-30T23:42:54+02:00
ipatests: rename config_replica_resolvconf_with_master_data()
config_replica_resolvconf_with_master_data() is not replica specific.
Rename to config_host_resolvconf_with_master_data() as it is not tied
to any role (master, replica, client).
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
80561224 by François Cami at 2019-07-30T23:42:54+02:00
test_nfs.py: switch to master_3repl
test_nfs.py historically used master_2repl_1client.
Now that master_3client exists, switch to that as it allows removal
of custom install/cleanup steps.
Fixes: https://pagure.io/freeipa/issue/8027
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
27baf350 by Florence Blanc-Renaud at 2019-07-31T09:34:34+03:00
user-stage: transfer all attributes from preserved to stage user
The user-stage command is internally implemented as:
- user_show(all=True) in order to read the user attributes
- loop on the attributes defined as possible to add using stageuser-add and
transform them into new options for stageuser_add (for instance stageuser-add
provides the option --shell for the attribute loginshell, but there is no
option for the attribute businesscategory).
- call stageuser_add in order to create a new entry in the active users subtree
- user-del to remove the previous entry in the staged users subtree
The issue is in the 2nd step. Only the attributes with a stageuser-add option
are processed.
The logic of the code should be slightly modified, so that all the attributes
read in the first step are processed:
- if they correspond to an option of stageuser-add, process them like it's
currently done. For instance if the entry contains displayname, then it
should be processed as --displayName=value in the stageuser-add cmd
- if they do not correspond to an option of stageuser-add, add them with
--setattr=<attrname>=<attrvalue>
Note that some attributes may need to be filtered, for instance user-show
returns has_password or has_keytab, which do not correspond to attributes
in the LDAP entry.
Fixes: https://pagure.io/freeipa/issue/7597
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
8ebbb271 by Florence Blanc-Renaud at 2019-07-31T09:34:34+03:00
xmlrpc test: add test for preserved > stage user
When moving a preserved user to the stage area, check that the
custom attributes are not lost ( = the attr for which there is
no specific user_stage option).
Test scenario:
- add a stage user with --setattr "businesscategory=value"
- activate the user, check that businesscategory is still present
- delete (preserve) the user, check that attr is still present
- stage the user, check that attr is still present
Related: https://pagure.io/freeipa/issue/7597
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
44bcf099 by Tibor Dudlák at 2019-07-31T14:21:37+02:00
ipatests: Update test tasks for client to be interactive
Related: https://pagure.io/freeipa/issue/7908
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
2bc7fb7f by Tibor Dudlák at 2019-07-31T14:21:37+02:00
ipatests: Add tests for interactive chronyd config
Add interactive configuration tests for
ipa-server-install and ipa-client-install
FreeIPA server as it is now is unable to
configure NTP interactively for replica
installations.
Resolves: https://pagure.io/freeipa/issue/7908
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d0efb9ea by Tibor Dudlák at 2019-07-31T14:21:37+02:00
ipatests: refactor TestNTPoptions
Move common and error messages to class scope to be reused again.
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
8b7fae30 by Tibor Dudlák at 2019-07-31T14:21:37+02:00
Increase ntp_options test timeout
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
70b96d76 by François Cami at 2019-08-02T20:15:04+02:00
azure-pipelines.yml: switch to Python 3.7
* switch to Python 3.7 (UsePythonVersion at 0 task)
* use "pip install --user"
Fixes: https://pagure.io/freeipa/issue/8030
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
adcf0425 by Theodor van Nahl at 2019-08-06T07:13:37+02:00
Fix UnboundLocalError in ipa-replica-manage on errors
If ipa-replica-manage is unable to retrieve e.g. due to certificate
validity problem. An UnboundLocalError is thrown for `type1`. This fixes
the issue with a clean exit.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
69138c84 by Christian Heimes at 2019-08-06T12:39:46+02:00
Test external CA with DNS name constraints
Verify that FreeIPA can be installed with an external CA that has a name
constraints extension.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
9a440ae8 by Christian Hermann at 2019-08-07T08:18:59+02:00
configure.ac: don't rely on bashisms
93fb037d8409d9d46606c31d8a240e3963b72651 introduced unportable shell
syntax, which led to erros like
./configure: 3179: ./configure: CFLAGS+= -D__STDC_WANT_LIB_EXT1__=1: not found
in case a posix shell is used.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
73c32dbf by Rob Crittenden at 2019-08-07T08:35:28+02:00
Don't return SSH keys with ipa host-find --pkey-only
This was introduced in 14ee02dcbd6cbb6c221ac7526e471a9fc58fcc82
https://pagure.io/freeipa/issue/8029
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
802a54bf by Alexander Bokovoy at 2019-08-08T09:46:10+02:00
Change RA agent certificate profile to caSubsystemCert
Currently, RA agent certificate is issued using caServerCert profile.
This has unfortunate side effect of asserting id-pk-serverAuth EKU which
is not really needed for RA agent. If IPA CA certificate adds SAN DNS
constraints into issued certificates, presence of id-pk-serverAuth EKU
forces NSS (and other crypto libraries) to validate CN value with
regards to SAN DNS constraints, due to historical use of CN bearing DNS
name.
Since RA agent certificate has 'CN=IPA RA', it is guaranteed to fail
the check.
Default IPA CA configuration does *not* add SAN DNS constraints into RA
agent certificate. However, it is better to be prepared to such
behavior.
Related: https://bugzilla.redhat.com/1670239
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
3c82585e by Christian Heimes at 2019-08-08T09:46:10+02:00
Update comments to explain caSubsystemCert switch
Related: https://bugzilla.redhat.com/1670239
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
8f969a59 by Alexander Bokovoy at 2019-08-09T11:31:14-04:00
Restore SELinux context for p11-kit config overrides
When 74e09087 started disabling softshm2 module in p11-kit-proxy,
we missed to restore SELinux context on the configuration override
creation.
We don't need an explicit restore_context() when removing the override
because restore_file() already calls restore_context().
Related: https://pagure.io/freeipa/issue/7810
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
0000fe05 by Timo Aaltonen at 2019-08-11T11:37:29+03:00
install: Add missing scripts to app_DATA.
Signed-off-by: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
17c2e31f by Christian Heimes at 2019-08-13T11:30:18+02:00
Don't move keys when key backup is disabled
The CA_BACKUP_KEYS_P12 file is not enabled when pki_backup_keys is
set to False. It's the case when FreeIPA is configured with HSM support.
Related: https://pagure.io/freeipa/issue/7677
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
a36556e1 by Christian Heimes at 2019-08-13T18:43:58+02:00
Allow insecure binds for migration
Commit 5be9341fbabaf7bcb396a2ce40f17e1ccfa54b77 disallowed simple bind
over an insecure connection. Password logins were only allowed over LDAPS
or LDAP+STARTTLS. The restriction broke 'ipa migrate-ds' in some cases.
This commit lifts the restriction and permits insecure binds over plain
LDAP. It also makes the migrate-ds plugin use STARTTLS when a CA
certificate is configured with a plain LDAP connection.
Fixes: https://pagure.io/freeipa/issue/8040
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
c9938e3d by Alexander Bokovoy at 2019-08-13T16:45:53-04:00
Add Theodor van Nahl to the Contributors.txt
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
661804b7 by Alexander Bokovoy at 2019-08-14T14:18:17+03:00
Update translations
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
ef80a074 by Alexander Bokovoy at 2019-08-14T14:18:17+03:00
Update contributors
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
41e5d465 by Florence Blanc-Renaud at 2019-08-14T14:21:31+03:00
Nightly test definition: add missing tests
The following test was missing from all nightlies:
- test_integration/test_crlgen_manage.py
The following tests was missing from nightly_f29:
- test_integration/test_smb.py
The following test was missing from nightly_rawhide:
- test_integration/test_smb.py
Note: nightly_f28 not updated as we stopped testing on f28.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
076d955b by Christian Heimes at 2019-08-19T09:56:08+02:00
Store HSM token and state
The HSM state is stored in fstore, so that CA and KRA installer use the
correct token names for internal certificates. The default token is
"internal", meaning the keys are stored in a NSSDB as usual.
Related: https://pagure.io/freeipa/issue/5608
Co-authored-by: Magnus K Karlsson <magnus-ka.karlsson at polisen.se>
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
9fe984fe by Sumit Bose at 2019-08-19T11:20:57+03:00
extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT
A return code LDAP_NO_SUCH_OBJECT will tell SSSD on the IPA client to
remove the searched object from the cache. As a consequence
LDAP_NO_SUCH_OBJECT should only be returned if the object really does
not exists otherwise the data of existing objects might be removed form
the cache of the clients causing unexpected behaviour like
authentication errors.
Currently some code-paths use LDAP_NO_SUCH_OBJECT as default error code.
With this patch LDAP_NO_SUCH_OBJECT is only returned if the related
lookup functions return ENOENT. Timeout related error code will lead to
LDAP_TIMELIMIT_EXCEEDED and LDAP_OPERATIONS_ERROR is used as default
error code.
Fixes: https://pagure.io/freeipa/issue/8044
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c78cb940 by Alexander Bokovoy at 2019-08-19T11:20:57+03:00
ipa-extdom-extop: test timed out getgrgid_r
Simulate getgrgid_r() timeout when packing list of groups user is a
member of in pack_ber_user().
Related: https://pagure.io/freeipa/issue/8044
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c709f131 by François Cami at 2019-08-21T11:00:04+02:00
travis-ci: make dnf invocations more resilient
Travis-CI sometimes fails to download repository metadata or
packages. Change dnf configuration and invocation:
* activate dnf fastestmirror
* add more dnf retries
* invoke "dnf makecache" twice
Fixes: https://pagure.io/freeipa/issue/8048
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Scott Poore <spoore at redhat.com>
- - - - -
bebe09f3 by Christian Heimes at 2019-08-21T12:48:36+03:00
Fix ca_initialize_hsm_state
Fixup for commit eb2313920e20bb4a74fc0abc52c496ccf2822dab.
configparser's set() method does not convert boolean to string
automatically. Use string '"False"', which is then interpreted as
boolean 'False' by getboolean().
Related: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
481c5400 by Armando Neto at 2019-08-22T09:43:51-03:00
prci: update test definitions
Update boxes used in nightlies runs and add new ones.
Based on the changes made in freeipa/freeipa-pr-ci#304.
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
24c6ce27 by Alexander Bokovoy at 2019-08-22T09:43:51-03:00
Mark failing test as xfail for use of python-dns make_ds method
https://github.com/rthalley/dnspython/issues/343 documents broken use of
hashes in dns.dnssec.make_ds() and other python-dns methods. This is a
regression introduced with python-dns 1.16.
Mark the test as expecting to fail until python-dns is fixed in Fedora.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a71c59c7 by Michal Polovka at 2019-08-27T12:04:45+02:00
ipatests: Test for ipa-backup with ipa not configured
Added test class for executing tests without ipa server being
configured. This is achieved by not providing topology attribute in the
test class. Subsequently implemented test for PG6843 - ipa-backup does not create
log file at /var/log/ - by invoking ipa-backup command with ipa server
not configured and checking for expected error code presence of /var/log
in the error message.
https://pagure.io/freeipa/issue/6843
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Tibor Dudlák <tdudlak at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>
- - - - -
405dcc6b by François Cami at 2019-08-28T22:15:50-04:00
ipatests: check that ipa-client-automount restores nsswitch.conf at uninstall time
Check that using ipa-client-install, ipa-client-automount --no-ssd, then uninstalling
both properly restores nsswitch.conf sequentially.
Related-to:: https://pagure.io/freeipa/issue/8038
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
b27ad6e9 by François Cami at 2019-08-28T22:15:50-04:00
ipa-client-automount: always restore nsswitch.conf at uninstall time
ipa-client-automount used to only restore nsswitch.conf when sssd was not
used. However authselect's default profile is now sssd so always restore
nsswitch.conf's automount configuration to 'files sssd'.
Note that the behavior seen before commit:
a0e846f56c8de3b549d1d284087131da13135e34
would always restore nsswitch.conf to the previous state which in some cases
was wrong.
Fixes: https://pagure.io/freeipa/issue/8038
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e5af8c19 by Rob Critenden at 2019-08-28T22:15:50-04:00
Move ipachangeconf from ipaclient.install to ipapython
This will let us call it from ipaplatform.
Mark the original location as deprecated.
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
41ef8fba by Rob Critenden at 2019-08-28T22:15:50-04:00
Use tasks to configure automount nsswitch settings
authselect doesn't allow one to directly write to
/etc/nsswitch.conf. It will complain bitterly if it
detects it and will refuse to work until reset.
Instead it wants the user to write to
/etc/authselect/user-nsswitch.conf and then it will handle
merging in any differences.
To complicate matters some databases are not user configurable
like passwd, group and of course, automount. There are some
undocumented options to allow one to override these though so
we utilize that.
tasks are used so that authselect-based installations can still
write directly to /etc/nsswitch.conf and operate as it used to.
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
b24359ca by sumenon at 2019-08-29T10:07:32+02:00
Added testcase to check capitalization fix while running ipa user-mod
1. This testcase checks that when ipa user-mod command is run with capital letters
there is no error shown in the console, instead the modifications for first and last
name of the user is applied.
2. Adding tasks.kinit_admin since the test was being executed as different user
leading to permission issue.
ipa: ERROR: Insufficient access: Could not read UPG Definition originfilter. Check your permissions
Issue: https://pagure.io/freeipa/issue/5879
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
03a228aa by François Cami at 2019-08-29T17:34:27+02:00
ipatests: remove xfail in TestIpaClientAutomountFileRestore
Remove xfail in TestIpaClientAutomountFileRestore to check the
associated bugfix.
Related-to: https://pagure.io/freeipa/issue/8054
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
73f049c7 by François Cami at 2019-08-29T17:34:27+02:00
authconfig.py: restore user-nsswitch.conf at uninstall time
Calling authselect at uninstall time before restoring user-nsswitch.conf
would result in a sudoers entry in nsswitch.conf which is not activated
in the default sssd authselect profile.
Make sure user-nsswitch.conf is restored before calling authselect.
Fixes: https://pagure.io/freeipa/issue/8054
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
b20ae34b by Serhii Tsymbaliuk at 2019-08-29T20:16:43+02:00
WebUI tests: Fix login screen loading issue
test_webui/test_loginscreen fails because login screen is rendered with delays.
To solve the issue small pause added after login.
Ticket: https://pagure.io/freeipa/issue/8053
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
b48fe19f by Florence Blanc-Renaud at 2019-08-30T10:16:52+02:00
ipatests: fix wrong xfail in test_domain_resolution_order
The test is written for a SSSD fix delivered in 2.2.0, but has a xfail
based on fedora version < 30.
SSSD 2.2.0 was originally available only on fedora 30 but is now also
available on fedora 29, and recent runs on f29 started to succeed
(because the fix is now present) but with a strict xfail.
The fix completely removes the xfail as the current branch is supported on
fedora 29 and 30.
Fixes: https://pagure.io/freeipa/issue/8052
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
253779af by Michal Polovka at 2019-08-30T12:20:21+02:00
ipatests: fix topology for TestIpaNotConfigured in PR-CI nightly definitions
Topology for TestIpaNotConfigured is changed from ipaserver to
master_1repl in order to prevent aforementioned test suite runner from
configuring ipa-server, which is required by the test itself.
Resolves: https://pagure.io/freeipa/issue/8055
Related: https://pagure.io/freeipa/issue/6843
- - - - -
51836c05 by Christian Heimes at 2019-08-31T00:48:35+02:00
Replace %{_libdir} macro in BuildRequires
The %{_libdir} macro is architecture dependend and therefore does not
correctly work across different platforms. In the past the SRPM was
created on a platform with /usr/lib64. Recent SRPMs have /usr/lib, which
breaks dnf builddep.
Depend on krb5-server directly rather than a file in krb5-server
package:
$ rpm -qf /usr/lib64/krb5/plugins/kdb/db2.so
krb5-server-1.16.1-25.fc29.x86_64
Fixes: https://pagure.io/freeipa/issue/8056
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
- - - - -
02262ac7 by François Cami at 2019-09-02T17:39:11+02:00
ipapython/ipachangeconf.py: change "is not 0" for "!= 0"
Python 3.8 introduced a warning to check for usage of "is not"
when comparing literals. Any such usage will output:
SyntaxWarning: "is not" with a literal. Did you mean "!="?
See: https://bugs.python.org/issue34850
Fixes: https://pagure.io/freeipa/issue/8057
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
4a437a3c by Florence Blanc-Renaud at 2019-09-04T08:28:14+02:00
config plugin: replace 'is 0' with '== 0'
Since python3.8, identity checks with literal produce syntax warnings.
Replace the check 'if .. is 0' with 'if .. == 0'
Related: https://pagure.io/freeipa/issue/8057
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
8d2125f6 by Christian Heimes at 2019-09-04T10:30:07+02:00
Enable literal-comparison linter again
The literal comparison linter checks for "value is 0" or "value is ''".
Related: https://pagure.io/freeipa/issue/8057
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
0fc4b8c2 by Christian Heimes at 2019-09-04T10:30:07+02:00
Fix wrong use of identity operation
Strings should not be compared with the identity operation 'is' or
'is not'.
Fixes: https://pagure.io/freeipa/issue/8057
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
0d7eb0a9 by Christian Heimes at 2019-09-04T10:30:07+02:00
Add new env vars to pylint plugin
The vars api.env.host_princ and smb_princ where introduced a while ago.
Sometimes parallel linting complain about the attributes. Add both to
the list of known members in pylint_plugins.py.
Related: https://pagure.io/freeipa/issue/3999
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
faf34fcd by Rob Crittenden at 2019-09-04T14:52:14+02:00
Replace replication_wait_timeout with certmonger_wait_timeout
The variable is intended to control the timeout for replication
events. If someone had significantly reduced it via configuration
then it could have caused certmogner requests to fail due to timeouts.
Add replication_wait_timeout, certmonger_wait_timeout and
http_timeout to the default.conf man page.
Related: https://pagure.io/freeipa/issue/7971
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
54035982 by Rob Crittenden at 2019-09-04T14:52:14+02:00
Log the replication wait timeout for debugging purposes
Related: https://pagure.io/freeipa/issue/7971
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
adf2eab2 by Rob Crittenden at 2019-09-04T14:52:14+02:00
Log dogtag auth timeout in install, provide hint to increase it
There is a loop which keeps trying to bind as the admin user
which will fail until it is replicated.
In the case where there is a lot to replicate the default
5 minute timeout may be insufficient. Provide a hint for
tuning.
Fixes: https://pagure.io/freeipa/issue/7971
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
5db48f15 by Rob Crittenden at 2019-09-05T09:15:23+02:00
Add missing timeout option to logging statement
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
9414b038 by Robbie Harwood at 2019-09-05T14:53:55-04:00
Log INFO message when LDAP connection fails on startup
Since krb5_klog_syslog() always needs parameters from syslog.h, move the
include into ipa_krb5.h.
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
45b4f537 by Robbie Harwood at 2019-09-05T14:53:55-04:00
Fix NULL pointer dereference in maybe_require_preauth()
ipadb_get_global_config() is permitted to return NULL.
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
c1af6aa2 by Florence Blanc-Renaud at 2019-09-06T09:05:52+02:00
ipatests: add nightly definition for DS integration tests
This commit is a first step in order to run nightly
integration tests with the 389-ds Directory Server.
It is updating the tests that should be run against
a nightly build of 389-ds.
The vagrant box freeipa/389ds-master-f30 version 0.0.1 has already
been created, available in vagrant cloud.
freeipa-pr-ci workspace also already contains the nightly scheduler
definition for this job (saturdays 00:10, using nightly_master_389ds.yaml)
but the cron job is not scheduled yet.
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
074bf285 by Sergey Orlov at 2019-09-06T12:11:04+02:00
ipatests: allow to pass additional options for clients installation
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
3fa7865f by Sergey Orlov at 2019-09-06T12:11:04+02:00
ipatests: add utility functions related to using and managing user accounts
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
1fe69f35 by Sergey Orlov at 2019-09-06T12:11:04+02:00
ipatests: modify run_command to allow specify successful return codes
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
1d033b04 by Sergey Orlov at 2019-09-06T12:11:04+02:00
ipatests: refactor and extend tests for IPA-Samba integration
Add tests for following scenarios:
* running `ipa-client-samba --uninstall` without prior installation
* mount and access Samba share by IPA user
* mount and access Samba share by AD user
* mount samba share by one IPA user and access it by another one
* try mount samba share without kerberos authentication
* uninstall and reinstall ipa-client-samba
Relates: https://pagure.io/freeipa/issue/3999
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
0770254c by Rob Crittenden at 2019-09-06T10:29:43-04:00
Defer initializing the API in dogtag-ipa-ca-renew-agent-submit
Wait until we know a supported operation is being called
(SUBMIT and POLL) before initializing the API, which can be
an expensive operation.
https://bugzilla.redhat.com/show_bug.cgi?id=1656519
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
65d38af9 by Rob Crittenden at 2019-09-06T10:29:43-04:00
Skip lock and fork in ipa-server-guard on unsupported ops
On startup certmonger performs a number of options on the
configured CA (IPA, not to be confused with the real dogtag CA)
and the tracking requests.
Break early for operations that are not supported by ipa-submit.
This will save both a fork and a lock call.
https://bugzilla.redhat.com/show_bug.cgi?id=1656519
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
8ce0e6bf by Michal Polovka at 2019-09-09T12:12:39+02:00
ipatests: add tests for ipa host-add with non-default maxhostnamelength
Implement test for ticket 2018: Change hostname length limit to 64.
The fix provides a new configuration parameter (maxhostname) that can be modified through ipa config-mod, and governs the max hostname len allowed through ipa host-add.
Add new tests:
- check that maxhostname cannot be changed to a value < 64
- check that ipa host-add is refused if the hostname length is > maxhostname
- check that ipa host-add is OK if the hostname length is <= maxhostname
Related: https://pagure.io/freeipa/issue/2018
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
80e4c18b by Alexander Bokovoy at 2019-09-10T12:25:07+03:00
adtrust: avoid using timestamp in klist output
When parsing a keytab to copy keys to a different keytab, we don't need
the timestamp, so don't ask klist to output it. In some locales (en_IN,
for example), the timestamp is output in a single field without a space
between date and time. In other locales it can be represented with date
and time separated by a space.
Fixes: https://pagure.io/freeipa/issue/8066
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
9c0a35f1 by Changmin Teng at 2019-09-10T12:33:21+03:00
Add new authentication indicators in kdc.conf.template
As of release 1.17, KDC can be configured to apply authentication
indicator for SPAKE, PKINIT, and encrypted challenge preauth via
FAST channel, which are not configured in current version of freeIPA.
Note that even though the value of encrypted_challenge_indicator is
attached only when encrypted challenge preauth is performed along
a FAST channel, it's possible to perform FAST without encrypted
challenge by using SPAKE. Since there is no reason to force clients
not to use SPAKE while using FAST, we made a design choice to merge
SPAKE and FAST in a new option called "Hardened Password", which
requires user to use at least one of SPAKE or FAST channel. Hence
same value attaching to both spake_preauth_indicator and
encrypted_challenge_indicator.
Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
- - - - -
d0570404 by Changmin Teng at 2019-09-10T12:33:21+03:00
Extend the list of supported pre-auth mechanisms in IPA server API
As new authentication indicators implemented, we also modified server
API to support those new values. Also, "krbprincipalauthind" attribute
is modified to use a pre-defined set of values instead of arbitrary
strings.
Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
- - - - -
c7b938a1 by Robbie Harwood at 2019-09-10T12:33:21+03:00
Enable krb5 snippet updates on client update
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
- - - - -
39e3704a by Robbie Harwood at 2019-09-10T12:33:21+03:00
Move certauth configuration into a server krb5.conf template
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
- - - - -
179c8f40 by Robbie Harwood at 2019-09-10T12:33:21+03:00
Add a skeleton kdcpolicy plugin
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
- - - - -
15ff9c8f by Changmin Teng at 2019-09-10T12:33:21+03:00
Implement user pre-authentication control with kdcpolicy plugin
We created a Kerberos kdcpolicy plugin to enforce user
pre-authentication policy for newly added pkinit and hardened policy.
In the past version of freeIPA, password enforcement exists but was done
by removing key data for a principal while parsing LDAP entry for it.
This hack is also removed and is now also enforced by kdcpolicy plugin
instead.
Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
- - - - -
b66e8a1e by Changmin Teng at 2019-09-10T12:33:21+03:00
Modify webUI to adhere to new IPA server API
Given the changes in IPA server API changes, whebUI is modified to
utilize new authentication indicators, and disabled custom indicators
for services' white list.
Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
- - - - -
952dd2a5 by Changmin Teng at 2019-09-10T12:33:21+03:00
Add design document
This document details authentication indicaters and kerberos ticket
policies implemented in IPA.
Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
- - - - -
2e0850e7 by Armando Neto at 2019-09-11T18:16:11+02:00
prci: fix typo on nightly test definitions
PR-CI breaks if the class to execute the tests doesn't exist.
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
123c93f9 by Serhii Tsymbaliuk at 2019-09-11T18:26:34+02:00
WebUI: Make 'Unlock' option is available only on locked user page
The implementation includes checking password policy for selected user.
'Unlock' option is available only in case user reached a limit of login failures.
Ticket: https://pagure.io/freeipa/issue/5062
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
e5f04258 by Tomas Halman at 2019-09-12T10:48:13+03:00
extdom: plugin doesn't allow @ in group name
Old implementation handles username and group names with
one common call. Character @ is used in the call to detect UPN.
Group name can legaly contain this character and therefore the
common approach doesn't work in such case.
Also the original call is less efficient because it tries to resolv
username allways then it fallback to group resolution.
Here we implement two new separate calls for resolving users and
groups.
Fixes: https://bugzilla.redhat.com/1746951
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
5f898c3c by Tomas Halman at 2019-09-12T10:48:13+03:00
extdom: plugin doesn't use timeout in blocking call
Expose nss timeout parameter. Use sss_nss_getorigbyname_timeout
instead of sss_nss_getorigbyname
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
84b6c0f5 by Tomas Halman at 2019-09-12T10:48:13+03:00
extdom: use sss_nss_*_timeout calls
Use nss calls with timeout in extdom plugin
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
bddf64b9 by Tomas Halman at 2019-09-12T10:48:13+03:00
extdom: add extdom protocol documentation
Add the description of extdom protocol and its versions
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
991d508a by Francisco Trivino at 2019-09-12T11:17:15+02:00
prci: increase gating tasks priority
Sometimes the gating tasks (build and jobs) are blocked because of nightly
regression remaining tasks are in progress. The reason is because nightly
regressions are not finished or they are re-triggered during day-time.
Gating tasks are blocked because they have same priority than nightly tasks.
This commit increases gating tasks priority so the testing of pull requests
will not be blocked anymore.
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
9aeb6bae by Alexander Bokovoy at 2019-09-12T17:17:53+03:00
add default access control when migrating trust objects
It looks like for some cases we do not have proper set up keytab
retrieval configuration in the old trusted domain object. This mostly
affects two-way trust cases. In such cases, create default configuration
as ipasam would have created when trust was established.
Resolves: https://pagure.io/freeipa/issue/8067
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
0be98884 by Alexander Bokovoy at 2019-09-12T17:17:53+03:00
adtrust: add default read_keys permission for TDO objects
If trusted domain object (TDO) is lacking ipaAllowedToPerform;read_keys
attribute values, it cannot be used by SSSD to retrieve TDO keys and the
whole communication with Active Directory domain controllers will not be
possible.
This seems to affect trusts which were created before
ipaAllowedToPerform;read_keys permission granting was introduced
(FreeIPA 4.2). Add back the default setting for the permissions which
grants access to trust agents and trust admins.
Resolves: https://pagure.io/freeipa/issue/8067
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
6064365a by ndehadra at 2019-09-13T14:46:46+02:00
Hidden Replica: Add a test for Automatic CRL configuration
Added test to check whether hidden replica can be configurred
as CRL generation master.
Related Tickets:
https://pagure.io/freeipa/issue/7307
Signed-off-by: ndehadra <ndehadra at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
f1e20b45 by Tibor Dudlák at 2019-09-16T09:44:52+02:00
Add container environment check to replicainstall
Inside the container environment master's IP address
does not resolve to its name.
Resolves: https://pagure.io/freeipa/issue/6210
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
75515431 by Serhii Tsymbaliuk at 2019-09-17T08:35:32+02:00
WebUI: Fix changing category on HBAC/Sudo/etc Rule pages
No object can be added to a rule when object category is 'all'.
So while editing rule there is needed to save actual category value
before adding related objects.
Ticket: https://pagure.io/freeipa/issue/7961
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
4dbc6926 by Serhii Tsymbaliuk at 2019-09-17T18:12:43-03:00
WebUI: Fix new test initialization on "HBAC Test" page
"New Test" action cleared only information about selected options but kept
radio buttons checked. It confused users and caused an error on validation step.
New behaviour is:
- tables forget all selected values after "New Test" click;
- first table record is checked initially in case the option is mandatory;
- all records is unchecked initially in case the option is not mandatory.
Ticket: https://pagure.io/freeipa/issue/8031
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
7dde3a42 by Sergey Orlov at 2019-09-19T10:26:58+02:00
ipatests: add new utilities for file management
Added utilities for working with remote hosts
* backup and restore files
* modify .ini files
* check if selinux is enabled
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
4ea9aead by Sergey Orlov at 2019-09-19T10:26:58+02:00
ipatests: refactoring: use library function to check if selinux is enabled
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
4ab2842b by Sergey Orlov at 2019-09-19T10:26:58+02:00
ipatests: add tests for cached_auth_timeout in sssd.conf
The tests check that auth cache
* is disabled by default
* is working when enabled
* expires after specified time
* is inherited by trusted domain
Related to: https://bugzilla.redhat.com/1685581
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
e5e0693a by Anuja More at 2019-09-19T15:52:51+02:00
Extdom plugin should not return error (32)/'No such object'
Regression test for https://pagure.io/freeipa/issue/8044
If there is a timeout during a request to SSSD the extdom plugin
should not return error 'No such object' and the existing
user should not be added to negative cache on the client.
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
48a3f4af by Rob Crittenden at 2019-09-19T10:11:52-04:00
Don't log host passwords when they are set/modified
The host password was defined as a Str type so would be
logged in cleartext in the Apache log.
A new class, HostPassword, was defined to only override
safe_value() so it always returns an obfuscated value.
The Password class cannot be used because it has special treatment
in the frontend to manage prompting and specifically doesn't
allow a value to be passed into it. This breaks backwards
compatibility with older clients. Since this class is derived
from Str old clients treat it as a plain string value.
This also removes the search option from passwords.
https://pagure.io/freeipa/issue/8017
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
ffb4b624 by Rob Crittenden at 2019-09-19T10:13:26-04:00
Re-order tasks.restore_pkcs11_modules() to run earlier
It was executed after restore_all_files() so PKCS11_MODULES was
already restored so that part was a no-op, but the redhat
restore_pkcs11_modules() also calls unlink() on each restored
file so basically the file would be restored, unlinked, then
since it was already restored, skipped.
By moving the call to restore_pkcs11_modules() earlier it can
do the expected restoration properly.
https://pagure.io/freeipa/issue/8034
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
a38a3843 by Alexandre Mulatinho at 2019-09-19T10:44:09-04:00
ipa-scripts: fix all ipa command line scripts to operate with -I
Replacing -E flag to -I on all ipa python scripts except tests.
Signed-off-by: Alexandre Mulatinho <alex at mulatinho.net>
Related: https://pagure.io/freeipa/issue/7987
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
78d27f82 by Armando Neto at 2019-09-20T08:12:21-03:00
Update definitions for nightly tests
Update nightly definitions used to test if FreeIPA works when repo
`updates-testing` is enabled.
These changes include all tests currently defined in `nightly_master.yaml`.
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
9c20641f by Rafael Guterres Jeffman at 2019-09-20T10:12:09-04:00
Re-add function façades removed by commit 2da9088.
ansible-freeipa breaks if this functions do not exist, so they will be
added back and marked as deprecated.
Related Tickets:
https://pagure.io/freeipa/issue/8062
Signed-off-by: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
5b28c458 by Rob Crittenden at 2019-09-20T10:16:57-04:00
Report if a certmonger CA is missing
If a certmonger CA is not defined but is referenced within
a request (so was removed sometime after a request was
created) then anything that pulls all certmonger requests would
fail with the cryptic error:
"Failed to get request: bus, object_path and dbus_interface
must not be None."
This was often seen during upgrades.
Catch this specific condition and report a more specific error
so the user will have some bread crumb to know how to address
the issue.
https://pagure.io/freeipa/issue/7870
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
a2313114 by Florence Blanc-Renaud at 2019-09-20T13:14:18-04:00
ipatests: enable 389-ds audit log and collect audit file
In test_integration, enable 389-ds audit log and auditfail log by setting
nsslapd-auditlog-logging-enabled: on
nsslapd-auditfaillog-logging-enabled: on
and collect the generated audit file. This will help troubleshoot failures
related to DS.
Fixes: https://pagure.io/freeipa/issue/8064
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c11fd328 by Robbie Harwood at 2019-09-22T20:27:25+03:00
Fix segfault in ipadb_parse_ldap_entry()
lcontext may be NULL here, probably due to a restarted 389ds. Based on
a patch by Rob Crittenden.
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
055ea253 by Florence Blanc-Renaud at 2019-09-22T20:29:41+03:00
ipa-backup: backup the PKCS module config files setup by IPA
ipa installer creates /etc/pkcs11/modules/softhsm2.module in order
to disable global p11-kit configuration for NSS.
This file was not included in the backups, and not restored.
The fix adds the file to the list of files to include in a backup.
Fixes: https://pagure.io/freeipa/issue/8073
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
29192377 by Florence Blanc-Renaud at 2019-09-22T20:29:41+03:00
ipatests: ensure that backup/restore restores pkcs 11 modules config file
In the test_backup_and_restore, add a new test:
- before backup, save the content of /etc/pkcs11/modules/softhsm2.module
- after restore, ensure the file is present with the same content.
Related: https://pagure.io/freeipa/issue/8073
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
802e54dd by Florence Blanc-Renaud at 2019-09-23T14:36:10+02:00
replica install: enforce --server arg
When the --server option is provided to ipa-replica-install (1-step
install), make sure that the server offers all the required roles
(CA, KRA). If it's not the case, refuse the installation.
Note that the --server option is ignored when promoting from client to
replica (2-step install with ipa-client-install and ipa-replica-install),
meaning that the existing behavior is not changed in this use case:
by default the host specified in default.conf as server is used for
enrollment, but if it does not provide a required role, another host can
be picked for CA or KRA setup.
Fixes: https://pagure.io/freeipa/issue/7566
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
8da0e2e9 by Rob Crittenden at 2019-09-23T09:27:28-04:00
ipa-restore: Restore ownership and perms on 389-ds log directory
Previously it would end up being owned by root:root mode 0755
instead of dirsrv:dirsrv mode 0770.
https://pagure.io/freeipa/issue/7725
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
98ee5f24 by Armando Neto at 2019-09-23T12:23:37-03:00
prci: update packages for pki and testing nightly runs
This forces PR-CI to update the packages instead of using the versions
already included in the vagrant image.
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
90f72324 by Christian Heimes at 2019-09-24T15:23:30+02:00
Don't create log files from help scripts
Helper scripts now use api.bootstrap(log=None) to avoid the creation of
log files. Helper scripts are typically executed from daemons which
perform their own logging. The helpers still log to stderr/stdout.
This also gets rid of some SELinux AVCs when the script tries to write
to /root/.ipa/.
Fixes: https://pagure.io/freeipa/issue/8075
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
7e92e651 by Fraser Tweedale at 2019-09-25T12:42:06+10:00
IPASecStore: support extra key arguments
To support lightweight CA key replication using AES, while retaining
backwards compatibility with old servers, it is necessary to signal
support for AES. Whereas we currently request a key with the path:
/keys/ca_wrapped/<nickname>
and whereas paths with > 3 components are unsupported, add support
for handlers to signal that they support extra arguments (defaulting
to False), those arguments being conveyed as additional path
components, e.g.:
# 2.16.840.1.101.3.4.1.2 = aes128-cbc
/keys/ca_wrapped/<nickname>/2.16.840.1.101.3.4.1.2
This commit only adds the Custodia support for extra handler
arguments. Work to support LWCA key replication with AES wrapping
will continue in subsequent commits.
Part of: https://pagure.io/freeipa/issue/8020
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
8fbcc335 by Fraser Tweedale at 2019-09-25T12:42:06+10:00
NSSWrappedCertDB: accept optional symmetric algorithm
Add support for Custodia ca_wrapped clients to specify the desired
symmetric encryption algorithm for exporting the wrapped signing key
(this mechanism is used for LWCA key replication). If not
specified, we must assume that the client has an older Dogtag
version that can only import keys wrapped with DES-EDE3-CBC
encryption.
The selected algorithm gets passed to the 'nsswrappedcert' handler,
which in turn passes it to the 'pki ca-authority-key-export' command
(which is part of Dogtag).
Client-side changes will occur in a subsequent commit.
Part of: https://pagure.io/freeipa/issue/8020
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
bfead9ce by Fraser Tweedale at 2019-09-25T12:42:06+10:00
ipa-pki-retrieve-key: request AES encryption (with fallback)
Update the ipa-pki-retrieve-key client to issue a request that
specifies that AES encryption should be used. If the server
responds 404, fall back to a request *without* an algorithm
parameter. This handles both of the possible 404 scenarios:
a) It is an old server that does not support extra Custodia key
parameters;
b) The server supports extra parameters but the key does not exist,
in which case the fallback request will also fail with 404.
Fixes: https://pagure.io/freeipa/issue/8020
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
7c7a827c by Fraser Tweedale at 2019-09-25T12:42:06+10:00
Bump Dogtag min version to 10.7.3
Dogtag 10.7.3 adds AES support for key export, enabling lightweight
CA key replication to use AES. Bump the Requires min version.
Fixes: https://pagure.io/freeipa/issue/8020
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
d0b420f6 by Stanislav Levin at 2019-09-25T20:14:06+10:00
Fixed errors newly exposed by pylint 2.4.0
Newest Pylint introduced additional checks [1]:
- import-outside-toplevel [2]
> This check warns when modules are imported from places other
than a module toplevel, e.g. inside a function or a class.
- no-else-continue [3]
> These checks highlight unnecessary else and elif blocks after
break and continue statements.
- unnecessary-comprehension [4]
> This check is emitted when pylint finds list-, set- or
dict-comprehensions, that are unnecessary and can be rewritten
with the list-, set- or dict-constructors.
[1] https://github.com/PyCQA/pylint/blob/pylint-2.4.0/doc/whatsnew/2.4.rst
[2] https://github.com/PyCQA/pylint/issues/3067
[3] https://github.com/PyCQA/pylint/issues/2327
[4] https://github.com/PyCQA/pylint/issues/2905
Fixes: https://pagure.io/freeipa/issue/8077
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
feae9de7 by Stanislav Levin at 2019-09-25T20:14:06+10:00
Setup DNS for AP Docker container
Docker utilizes its own way to provide DNS (hostname, hosts, NS).
By default, they are almost the same as the host's ones.
For instance, below is from AP container:
```
cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.2 ipa.example.test ipa
cat /etc/resolv.conf
nameserver 168.63.129.16
search hqdv2iuiph0ufpcrhp4amkgzwf.fx.internal.cloudapp.net
```
As a result FreeIPA uses 168.63.129.16 (AP DNS NS [1]) as a DNS forwarder..
It's not desirable to rely on this.
Let's clear test environment.
[1] https://docs.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16
Related: https://pagure.io/freeipa/issue/8077
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
c8b0d1d6 by Rob Crittenden at 2019-09-25T11:38:31-04:00
Disable dogtag cert publishing
Dogtag had only one switch, ca.publish.enable, for both CRLs and certs.
Since cert publishing is not used in IPA it should be disabled to
avoid false positives in the logs.
https://pagure.io/freeipa/issue/7522
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6127aa0e by Florence Blanc-Renaud at 2019-09-25T15:59:51-04:00
ipatests: fix fedora29 nightly definition
test_sssd is using a wrong dependency (fedora30 build instead
of fedora29 build). As a result, this test is not triggered
by PRCI because it's waiting forever for a dependency.
(See the status: fedora-30/test_sssd Pending — unassigned)
Fix the version in the fedora 29 nightly definition.
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
bc53544c by Rafael Guterres Jeffman at 2019-09-27T09:38:32+02:00
Removes rpmlint warning on freeipa.spec.
This patch removes a warning due to mixed usage of spaces and tabs
in freeipa.spec.in file.
Signed-off-by: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
c898be1d by Rafael Guterres Jeffman at 2019-09-27T09:38:32+02:00
Removes several pylint warnings.
This patche removes 93 pylint deprecation warnings due to invalid escape
sequences (mostly 'invalid escape sequence \d') on unicode strings.
Signed-off-by: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
51e0f564 by Rafael Guterres Jeffman at 2019-09-27T09:38:32+02:00
Removed unnecessary imports after code review.
Signed-off-by: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
d4fab336 by Rafael Guterres Jeffman at 2019-09-27T09:38:32+02:00
Removes several pylint warnings.
This patche removes 93 pylint deprecation warnings due to invalid escape
sequences (mostly 'invalid escape sequence \d') on unicode strings.
Signed-off-by: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
73529e06 by Rafael Guterres Jeffman at 2019-09-27T09:38:32+02:00
Removed unnecessary imports after code review.
Signed-off-by: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
883b4424 by Rafael Guterres Jeffman at 2019-09-27T09:38:32+02:00
Fixes pylint errors introduced by version 2.4.0.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
b2a2d7f4 by Florence Blanc-Renaud at 2019-09-27T15:33:15+02:00
ipa user_add: do not check group if UPG is disabled
The UPG plugin is used to create a user private group when a new
IPA user is created, with the same name as the user. When this plugin
is enabled, the user creation must ensure that no group exists with
the same name.
When the UPG plugin is disabled, or when the user is created with the
--noprivate option, there is no need to perform this check as the
private group will not get created.
Currently, the --noprivate option correctly skips the test, but a
disabled UPG plugin does not skip the test. The fix ensures that
UPG plugin status is checked.
Fixes: https://pagure.io/freeipa/issue/4972
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
387ee6e6 by Florence Blanc-Renaud at 2019-09-27T15:33:15+02:00
ipatests: add XMLRPC test for user-add when UPG plugin is disabled
Add a new XMLRPC test in test_user_plugin:
- disable the UPG plugin
- create a user without the --gid parameter
as the default group for new users is not POSIX (ipausers), the
command is expected to fail
- create a user with the --gid parameter
The provided gid is used and command is expected to succeed
- create a user with the same name as an existing group
As the UPG plugin is disabled, the user creation will not trigger
the creation of a group with the same name, and command is
expected to succeed
- re-enable the UPG plugin for other tests
Related to: https://pagure.io/freeipa/issue/4972
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
121971a5 by Florence Blanc-Renaud at 2019-10-01T09:37:36+02:00
ipatests: fix test_replica_promotion.py::TestHiddenReplicaPromotion
The test test_replica_promotion.py::TestHiddenReplicaPromotion randomly
fails in nightly_f29.
The test is checking that a given IP address is not in the DNS records
for the domain. When we are unlucky, we may come up with the following
situation:
- IP address that is unexpected: 192.168.121.25
- IP address that is found for the DNS record: 192.168.121.254
As 192.168.121.25 is a substring of 192.168.121.254, the test wrongly considers that the unexpected address was found.
Extract of the log:
for host in hosts_unexpected:
value = host.hostname if rtype == 'SRV' else host.ip
> assert value not in txt
E AssertionError: assert '192.168.121.25' not in 'ipa-ca.ipa.test. 1 IN A 192.168.121.254'
E '192.168.121.25' is contained here:
E ipa-ca.ipa.test. 1 IN A 192.168.121.254
E ? ++++++++++++++
This happens because the test is comparing the content of the output as a
string. The fix is extracting the exact hostname/IP address from the
record instead.
Fixes: https://pagure.io/freeipa/issue/8070
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
7aec6f10 by Mohammad Rizwan Yusuf at 2019-10-01T08:17:55-04:00
Check file ownership and permission for dirsrv log instance
Check if file ownership and permission is set to dirsrv:dirsrv
and 770 on /var/log/dirsrv/slapd-<instance> after ipa-restore.
related ticket : https://pagure.io/freeipa/issue/7725
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
19d51683 by Alexander Bokovoy at 2019-10-01T10:38:00-04:00
Add local helpers to handle unixid structure
Samba did remove unixid_from_*() helpers in the upstream commit
c906153cc7af21abe508ddd30c447642327d6a5d (Samba 4.11). Since they are
very simple, make a local copy instead.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1757089
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
cf700637 by Cédric Jeanneret at 2019-10-02T15:29:08+02:00
Add new tip for dependencies
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
a4ca3426 by Armando Neto at 2019-10-03T09:01:16-03:00
prci: increase timeout for jobs that required AD
Vagrant retries to provision hosts if something happens, it was introduced
in PR-CI after https://github.com/freeipa/freeipa-pr-ci/commit/380c8b8c78a1ce277b7c1a327bda9d123c117c4d.
This takes time, some jobs are killed during test execution, so this
increases the time-out parameter from 1 hour and 20 minutes to 2 hours.
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
c2c1000e by Mohammad Rizwan Yusuf at 2019-10-07T08:08:35+02:00
Installation of replica against a specific server
Test to check replica install against specific server. It uses master and
replica1 without CA and having custodia service stopped. Then try to
install replica2 from replica1 and expect it to get fail as specified server
is not providing all the services.
related ticket: https://pagure.io/freeipa/issue/7566
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c77bbe78 by Mohammad Rizwan Yusuf at 2019-10-07T08:08:35+02:00
Add test to nightly yamls
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
0b8c81a5 by Christian Heimes at 2019-10-10T09:20:51+02:00
Don't install a preexec_fn by default
ipautil.run() now only installs a preexec_fn when it is actually needed.
This addresses a compatibility issue with mod_wsgi subinterpreters under
Python 3.8.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1759290
See: https://bugs.python.org/issue37951
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
0d7f89c5 by Sergey Orlov at 2019-10-10T13:27:03+02:00
ipatests: fix DNS forwarders setup for AD trust tests with non-root domains
The tests are failing to establish trust with AD subdomain and tree domain
controllers. This happens because IPA server needs to contact root domain
controller to fetch domain-wide UPN suffixes but can not do it because we
setup DNS forwarding only for the domains with which we try to establish
trust.
To establish trust with AD subdomain we now setup forwarder for root AD
domain, and to establish trust with AD treedomain -- two forwarders:
one for root domain and another one for treedomain.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
1ac7169d by François Cami at 2019-10-14T11:01:40+02:00
ipa_client_automount.py: fix typo (idmap.conf => idmapd.conf)
660c49 introduced --idmap-domain which sets the Domain option in
idmapd.conf. However the help message for that knob mentioned
idmap.conf which is wrong. Fix that.
Reported by Marc Muehlfeld <mmuehlfe at redhat.com>.
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
e6db4980 by François Cami at 2019-10-16T12:14:19+02:00
ipatests: temporarily remove test_smb from gating
test_smb is now failing in a repeatable way due to CI infrastructure
issues. Temporarily remove it until this is fixed.
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
0fc8562b by Florence Blanc-Renaud at 2019-10-17T08:11:45+02:00
ipa-server-certinstall manpage: add missing options
Some options were not documented in the man page:
--version
-h, --help
-p DIRMAN_PASSWD (but the long name --dirman-password is in the man page)
-v, --verbose
-q, --quiet
--log-file=FILE
Fixes: https://pagure.io/freeipa/issue/8086
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
326d417d by Fraser Tweedale at 2019-10-17T08:17:46+02:00
krainstance: set correct issuer DN in uid=ipakra entry
If IPA CA has custom subject DN (not "CN=Certificate
Authority,{subject_base}"), the uid=ipakra people entry gets an
incorrect 'description' attribute. The issuer DN in the
'description' attribute is based on the aforementioned pattern,
instead of the actual IPA CA subject DN.
Update KRAInstance.configure_instance() to require the CA subject DN
argument. Update ipaserver.install.kra.install() to pass the CA
subject DN.
Fixes: https://pagure.io/freeipa/issue/8084
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
7ea50ff7 by Fraser Tweedale at 2019-10-17T08:17:46+02:00
upgrade: fix ipakra people entry 'description' attribute
Add an upgrade script to detect when ipakra people entry has
incorrect 'description' attribute and fix it.
Part of: https://pagure.io/freeipa/issue/8084
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
e767386e by Fraser Tweedale at 2019-10-17T08:17:46+02:00
test_integration: add tests for custom CA subject DN
Define integration test for custom CA subject DN and subject base
scenarios. Add to nightly CI runs.
Part of: https://pagure.io/freeipa/issue/8084
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
16149831 by Stanislav Levin at 2019-10-17T08:29:06+02:00
Restore running of 'test_ipaserver' tests on Azure
`test_ipaserver` was lost on refactoring in #c8ef093e56.
Let's run that again.
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
1ed7dd4b by Stanislav Levin at 2019-10-17T08:29:06+02:00
Install language packs for tests
* 'fr_FR' locale is utilized in
test_ipaserver/test_i18n_messages.py::test_i18n_messages::test_i18n_consequence_receive
* 'en_US' is a commonly used locale
AP warns regularly:
```
/bin/bash: warning: setlocale: LC_ALL: cannot change locale
(en_US.utf8): No such file or directory
```
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
921f5002 by Florence Blanc-Renaud at 2019-10-17T08:36:54+02:00
ipa-backup: fix python2 issue with os.mkdir
Python2 and python3 have different interfaces for os.mkdir:
python2: os.mkdir(path[, mode])
python3: os.mkdir(path, mode=0o777, *, dir_fd=None)
ipa-backup is using the python3 format, which breaks deployments using
python2. The fix consists in using os.mkdir(path, 0o700) instead of
os.mkdir(path, mode=0o700).
Fixes: https://pagure.io/freeipa/issue/8099
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
3d8a444f by Armando Neto at 2019-10-18T11:27:09-03:00
prci: increase timeout argument for test_sssd.py
Follow-up for commit a4ca34261a55af96e3428822f08f8b2292e6234a.
Vagrant retries to provision hosts if something happens, it was introduced
in PR-CI after freeipa/freeipa-pr-ci at 380c8b8.
This takes time, some jobs are killed during test execution, so this
adds 20 minutes more to `test_sssd.py` test suite.
This also adds a missing but available topology to `temp_commit.yaml`.
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
f44b73b9 by François Cami at 2019-10-18T22:40:00+02:00
ipatests: nightly_f29: disable TestIpaClientAutomountFileRestore
The fixes for https://pagure.io/freeipa/issue/8054 and
https://pagure.io/freeipa/issue/8038 are intended for f30.
Given that the fixes will not be backported to f29, disable
that test.
Fixes: https://pagure.io/freeipa/issue/8063
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c6769ad1 by Stanislav Levin at 2019-10-21T18:01:32+11:00
Fix errors found by Pylint-2.4.3
New Pylint (2.4.3) catches several new 'true problems'. At the same
time, it warns about things that are massively and reasonably
employed in FreeIPA.
list of fixed:
- no-else-continue
- redeclared-assigned-name
- no-else-break
- unnecessary-comprehension
- using-constant-test (false positive)
list of ignored (responsibility of contributors and reviewers):
- import-outside-toplevel
Fixes: https://pagure.io/freeipa/issue/8102
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
73796c77 by Spencer E. Olson at 2019-11-01T13:46:14-04:00
Fixes debian path for IPA_CUSTODIA_HANDLER
Debian installs into a different directory for libexec files. This patch
fixes the path to the custodia files for debian.
Signed-off-by: Spencer E. Olson <olsonse at umich.edu>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
14be2715 by Sergey Orlov at 2019-11-01T13:49:09-04:00
ipatests: add test to check that only TLS 1.2 is enabled in Apache
Related to: https://pagure.io/freeipa/issue/7995
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
09d5b938 by Rob Crittenden at 2019-11-04T09:45:07-05:00
Enable AES SHA 256 and 384-bit enctypes in Kerberos
https://pagure.io/freeipa/issue/8110
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
b10e43c3 by Sergey Orlov at 2019-11-05T17:24:24+01:00
ipatests: strip newline character when getting name of temp file
Function create_temp_file was returning unprocessed output of mktemp
command, which contains a trailing newline. Callers which tryed to write
to the temp file were creating a new one instead.
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
f16c08b7 by Sergey Orlov at 2019-11-05T17:24:24+01:00
ipatests: in DNS zone file add A record for name server
Testcase test_server_option_with_unreachable_ad creates a zone file
for AD domain. This file had a hard-coded A record for host specified in
NS record. Some versions of BIND consider this zone invalid and refuse
to start with message:
```
zone ad.test/IN: NS 'root-dc.ad.test' has no address records (A or AAAA)
```
Fixed by replacing hard-coded value with short name of the AD instance.
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
bc56642b by Christian Heimes at 2019-11-05T11:48:28-05:00
Block camellia in krbenctypes update in FIPS
Add FIPS conditional to updates to prevent updater from adding camellia
encsalttypes.
Fixes: https://pagure.io/freeipa/issue/8111
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
560acf37 by Christian Heimes at 2019-11-05T11:48:28-05:00
Skip commented lines after substitution
LDAP updater now ignores commented out lines after substitution.
Fixes: https://pagure.io/freeipa/issue/8111
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
3cb9444c by Robbie Harwood at 2019-11-06T15:39:51-05:00
Provide modern example enctypes in ipa-getkeytab(1)
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
1e3de172 by Rob Crittenden at 2019-11-07T13:00:15-05:00
Add conditional restart (try-restart) capability to services
This will conditionally restart a service if it is active.
https://pagure.io/freeipa/issue/8105
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Ade Lee <alee at redhat.com>
- - - - -
3593e536 by Rob Crittenden at 2019-11-07T13:00:15-05:00
Conditionally restart certmonger after client installation
If certmonger is running prior to client installation then its
IPA CA configuration will be incomplete and missing the CA chain.
If a certificate is subsequently requested with -F to store the
CA chain in a file or NSS db it may not be available yet. A
conditional restart of certmonger will pick up the new IPA
configuration and complete the IPA CA configuration in certmonger.
A pure restart and service activation is not done since certmonger
is not required unless --request-cert was passed ipa-client-install.
https://pagure.io/freeipa/issue/8105
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Ade Lee <alee at redhat.com>
- - - - -
87c24ebd by Florence Blanc-Renaud at 2019-11-08T12:57:54+01:00
smartcard: make the ipa-advise script compatible with authselect/authconfig
"ipa-advise config-client-for-smart-card-auth" is run on a server and
creates a script that needs to be copied and executed on a client.
The client may be of a different version and use authconfig instead of
authselect. The generated script must be able to handle both cases
(client using authselect or client using authconfig).
The patch checks whether authselect is available and calls the proper
configuration command (authselect or authconfig) depending on its
availability on the client.
Fixes: https://pagure.io/freeipa/issue/8113
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
f0a1f084 by Christian Heimes at 2019-11-11T09:31:14+01:00
Add group membership management
A group membership manager is a user or a group that can add members to
a group or remove members from a group or host group.
Fixes: https://pagure.io/freeipa/issue/8114
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
0f4c41ab by Christian Heimes at 2019-11-11T09:31:14+01:00
Add tests for member management
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
72540c42 by Sergey Orlov at 2019-11-11T15:09:23+01:00
ipatests: refactor FileBackup helper
* `cp` now preserves all attributes of original file, there is no reason
to select only some of them
* backup is now restored with `mv` instead of `cp` to avoid leaving junk
Related to: https://pagure.io/freeipa/issue/8115
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c2b230ce by Sergey Orlov at 2019-11-11T15:09:23+01:00
ipatests: replace ad hoc backup with FileBackup helper
Test test_smb_mount_and_access_by_different_users was failing with message
```
kdestroy: Permission denied while initializing krb5
```
This happened because the previous test
`test_smb_access_for_ad_user_at_ipa_client` was calling the fixture
`enable_smb_client_dns_lookup_kdc` which was doing backup of krb5.conf
in a wrong way:
- mktemp (to create a temp file)
- cp /etc/krb5.conf to the temp file
- ...
- mv tempfile /etc/krb5.conf
This flow looses the file permissions, because mktemp creates a file
using the default umask, which results in -rw------- permissions.
The copy does not modify the permissions, and the mv keeps the
permissions from the source => /etc/krb5.conf now has -rw-------.
Fixes: https://pagure.io/freeipa/issue/8115
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f58fb573 by Sergey Orlov at 2019-11-11T15:09:23+01:00
ipatests: enable test_smb.py in gating.yaml
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6c271044 by Cédric Jeanneret at 2019-11-12T10:49:49+02:00
Prevents DNS Amplification Attack and allow to customize named
While [1] did open recursion, it also opened widely a security flaw.
This patch intends to close it back, while allowing operators to easily
add their open configuration within Bind9.
In order to allow operators to still open Bind recursion, a new file is
introduced, "ipa-ext.conf" (path might change according to the OS). This
file is not managed by the installer, meaning changes to it won't be
overridden.
Since it's included at the very end of the main configuration file, it
also allows to override some defaults - of course, operators have to be
careful with that.
Related-Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1754530
Fixes: https://pagure.io/freeipa/issue/8079
[1] https://github.com/freeipa/freeipa/commit/5f4c75eb28b3d50a35fbf3a86a6d842bce8e72f9
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
- - - - -
97a31e69 by Christian Heimes at 2019-11-12T12:26:49+01:00
Use default ssh host key algorithms
ipa-client-install no longer overrides SSH client settings for
HostKeyAlgorithms. It's no longer necessary to configure
HostKeyAlgorithms. The setting was disabling modern algorithms and
enabled a weak algorithm that is blocked in FIPS code.
The ipa-client package removes IPA's custom HostKeyAlgorithm from
/etc/ssh/ssh_config during package update. Non-IPA settings are not
touched.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1756432
Fixes: https://pagure.io/freeipa/issue/8082
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c62bd160 by Armando Neto at 2019-11-12T09:16:11-03:00
prci: rename definitions files and jobs to change how fedora releases are referenced
Replacing `fedora-30` with `fedora-latest` and `fedora-29` with `fedora-previous` will
reduce the changes required for new releases of Fedora.
Future changes would only require to update the name and version of the template used.
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
99d6845d by Armando Neto at 2019-11-12T09:16:11-03:00
prci: bump fedora release
Fedora 31 is the latest release, Fedora 30 is now the previous release.
New template boxes were built for current tests definitions with
updated dependencies.
Boxes were generated after https://github.com/freeipa/freeipa-pr-ci/pull/321
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
d317fd4d by Alexander Bokovoy at 2019-11-12T17:08:43+02:00
Update translations
Add Portuguese translation
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
d243c188 by Alexander Bokovoy at 2019-11-12T20:49:18+02:00
Update contributors
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
cd887a48 by Francisco Trivino at 2019-11-14T13:09:24+01:00
prci: bump template version and fix test_smb gating definition
Template used: https://app.vagrantup.com/freeipa/boxes/ci-master-f31/versions/0.0.2
with installed packages updated.
This commit also replaces `fedora-30` with `fedora-latest` for test_smb gating definition
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
8124b1bd by Christian Heimes at 2019-11-14T16:01:15+01:00
Test installation with (fake) userspace FIPS
Based on userspace FIPS mode by Ondrej Moris.
Userspace FIPS mode fakes a Kernel in FIPS enforcing mode. User space
programs behave like the Kernel was booted in FIPS enforcing mode. Kernel
space code still runs in standard mode.
Fixes: https://pagure.io/freeipa/issue/8118
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e5368244 by Armando Neto at 2019-11-14T12:03:36-03:00
prci: bump template version for temp_commit and nightly_latest
Commit cd887a48b510fe17ed181d61d4fc69eb978c771d did that for gating,
this commit bumps the version for the remaining definitions.
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
c0b0c6b4 by Serhii Tsymbaliuk at 2019-11-19T13:31:08+01:00
WebUI: Fix adding member manager for groups and host groups
- fix API method call for adding member manager
- fix regressions in host group associated tables
Ticket: https://pagure.io/freeipa/issue/8123
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
e08a6de6 by Florence Blanc-Renaud at 2019-11-20T11:15:28+01:00
DNParam: raise Exception when multiple values provided to a 1-val param
When ipa user-add-certmapdata is called with multiple --subject or
multiple --issuer, the DNParam's _convert_scalar method is called with
a tuple containing all the params and should raise an exception as the
--subject and --issuer are single-value params.
The DNParam _convert_scalar method internally calls the DN init method,
and the DN init method is able to create a DN from a tuple of RDNs.
As such, it won't raise exception if a tuple/list is provided.
Check that _convert_scalar is only provided a single element.
Fixes: https://pagure.io/freeipa/issue/8097
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ecdd7dae by Florence Blanc-Renaud at 2019-11-20T11:15:28+01:00
XMLRPCtest: add a test for add-certmapdata with multiple subject/issuer
ipa user-add-certmapdata defines --issuer and --subject as single valued.
Add a test checking that this is enforced.
Related: https://pagure.io/freeipa/issue/8097
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
7893fb9c by Florence Blanc-Renaud at 2019-11-20T11:15:28+01:00
test_ipalib: add test for DNParam class
A single-valued DNParam parameter must not accept multivalues. Add test
checking the behavior for single valued and multivalued DNParam.
Related: https://pagure.io/freeipa/issue/8097
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ba466a80 by Alexander Bokovoy at 2019-11-20T16:19:00+01:00
Do not run trust upgrade code if master lacks Samba bindings
If a replica has no Samba bindings but there are trust agreements
configured on some trust controller, skip trust upgrade code on this
replica.
Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
b216701d by Christian Heimes at 2019-11-20T17:08:40+01:00
Show group-add/remove-member-manager failures
Commands like ipa group-add-member-manager now show permission
errors on failed operations.
Fixes: https://pagure.io/freeipa/issue/8122
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ae256fa5 by Cédric Jeanneret at 2019-11-20T17:12:34-05:00
Update selinux-policy minimal requirement
Since 6c2710446718828e6840ac34ea6fc704ae6790db we need a new selinux
policy in order to ensure /etc/named directory content has the correct
selinux flags.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
7f6b1c99 by Serhii Tsymbaliuk at 2019-11-21T16:44:11+01:00
WebUI: Fix notification area layout
The fix prevents blocking elements in the right side near notification area.
Notification area now has fixed width and it isn't offset.
Also notification icon is aligned to notification text.
Ticket: https://pagure.io/freeipa/issue/8120
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
9db6f65a by Alexander Bokovoy at 2019-11-21T11:13:12-05:00
Allow presence of LDAP attribute options
LDAP attribute options aren't enforced in the LDAP schema. They
represent server- and client-side treatment of attribute values but the
schema definition knows nothing about them.
When we check attribute presence in the entry, we should strip options
before comparing attribute names with the schema.
Related: https://pagure.io/freeipa/issue/8001
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
c5f32165 by Alexander Bokovoy at 2019-11-21T11:13:12-05:00
Add Authentication Indicator Kerberos ticket policy options
For the authentication indicators 'otp', 'radius', 'pkinit', and
'hardened', allow specifying maximum ticket life and maximum renewable
age in Kerberos ticket policy.
The policy extensions are now loaded when a Kerberos principal data is
requested by the KDC and evaluated in AS_REQ KDC policy check. If one of
the authentication indicators mentioned above is present in the AS_REQ,
corresponding policy is applied to the ticket.
Related: https://pagure.io/freeipa/issue/8001
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
c02cc93c by Rob Crittenden at 2019-11-21T11:13:12-05:00
Add integration test for Kerberos ticket policy
This also exercises the Authentication Indicator Kerberos ticket
policy options by testing a specific indicator type.
Related: https://pagure.io/freeipa/issue/8001
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
438094f8 by François Cami at 2019-11-23T00:12:24+01:00
DSU: add Design for Disable Stale Users
Add disable-stale-users.md: feature document for the upcoming DSU feature..
Fixes: https://pagure.io/freeipa/issue/8104
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
04bb8ef2 by Timo Aaltonen at 2019-11-25T12:21:24+01:00
Debian: Fix font-awesome path.
Signed-off-by: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
094cf629 by Florence Blanc-Renaud at 2019-11-25T12:38:32+01:00
Nightly definition: use right template for krbtpolicy
The ipaserver template triggers the installation of IPA server
before the tests are launched and should not be used for
test_integration tests
Switch to master_1repl template.
Related: https://pagure.io/freeipa/issue/8001
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
e8735774 by Sergey Orlov at 2019-11-26T11:14:41+01:00
ipatests: add check that ipa-adtrust-install generates sane smb.conf
Related to: https://pagure.io/freeipa/issue/6951
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
4abd2f76 by Simo Sorce at 2019-11-26T11:33:48+01:00
Make sure to have storage space for tag
ber_scanf expects a pointer to a ber_tag_t to return the tag pointed at
by "t", if that is not provided the pointer will be store in whatever
memory location is pointed by the stack at that time causeing a crash.
Note that this is effectively unused code because in ipa-kdb the only
party that can write a key_data structure to be stored is te kdb_driver
itself and we never encode these s2kparam data.
But we need to handle this for future proofing.
Fixes #8071
Signed-off-by: Simo Sorce <simo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
02ce407f by Rob Crittenden at 2019-11-26T15:24:20+02:00
CVE-2019-10195: Don't log passwords embedded in commands in calls using batch
A raw batch request was fully logged which could expose parameters
we don't want logged, like passwords.
Override _repr_iter to use the individual commands to log the
values so that values are properly obscured.
In case of errors log the full value on when the server is in
debug mode.
Reported by Jamison Bennett from Cloudera
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-by: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
095d3f9b by Christian Heimes at 2019-11-28T16:09:07+01:00
Add test case for OTP login
Add integration tests to verify HOTP, TOTP, service with OTP auth
indicator, and OTP token sync.
Related: https://pagure.io/freeipa/issue/7804
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e8b98555 by Christian Heimes at 2019-11-28T16:09:07+01:00
Fix otptoken_sync plugin
The plugin had two bugs:
For one it did not work under Python 3 because urlencode() returns a string
but HTTPSHandler expects bytes as data argument.
The primary key field name is not available in client plugins. Just pass
the token name and let server code convert the name to DN.
Fixes: https://pagure.io/freeipa/issue/7804
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e3ad7853 by Alexander Bokovoy at 2019-11-29T11:14:18+01:00
covscan: free encryption types in case there is an error
Even when a number of translated encryption types is zero, the array
might still be allocated. Call free() in any case as free(NULL) does
nothing.
Fixes: https://pagure.io/freeipa/issue/8131
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
e9dd7577 by Alexander Bokovoy at 2019-11-29T11:14:18+01:00
covscan: free ucs2-encoded password copy when generating NTLM hash
On successful code path we leak internal copy of the ucs2-encoded
password.
Fixes: https://pagure.io/freeipa/issue/8131
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
7dfc6e00 by Florence Blanc-Renaud at 2019-11-29T11:17:13+01:00
ipatests: generic uninstall should call ipa server-del
At the end of any integration test, the method uninstall is called and
uninstalls master, replicas and clients.
Usually the master is the CA renewal master and DNSSec master, and
uninstallation may fail.
This commits modifies the uninstall method in order to:
- call 'ipa server-del replica' before running uninstall on a replica
- uninstall the replicas before uninstalling the master
Fixes: https://pagure.io/freeipa/issue/7985
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
8cf4271a by Florence Blanc-Renaud at 2019-11-29T11:17:13+01:00
ipatests: fix teardown
The uninstall method of some tests can be skipped as the cleanup is
already done before.
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
b3d65037 by Florence Blanc-Renaud at 2019-11-29T11:17:13+01:00
ipatests: fix test_crlgen_manage
The goal of the last test in test_crlgen_manage is to ensure that
ipa-server-install --uninstall can proceed if the server is the last one
in the topology, even if it is the CRL generation master.
The current code is wrong because it tries to uninstall the master
(which has already been uninstalled in the prev test), It should rather
uninstall replicas[0].
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
20ef79c0 by Christian Heimes at 2019-11-29T17:02:16+01:00
Remove FIPS noise from SSHd
When a system is in FIPS mode, SSHd can prints some noise to stderr:
FIPS mode initialized\r\n
This noise causes interference and breakage of some tests. Remove the
noise from stderr_bytes, which automatically fixes stderr_text, too.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
d1539579 by Christian Heimes at 2019-11-29T17:02:16+01:00
FIPS: server key has different name in FIPS mode
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
6a17a916 by Christian Heimes at 2019-11-29T17:02:16+01:00
Skip paramiko tests in FIPS mode
Paramiko is not compatible with FIPS mode. It uses MD5 on the client
side and does not support rsa-sha2 connections for RSA auth.
See: https://pagure.io/freeipa/issue/8129
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
0451db9d by Christian Heimes at 2019-12-02T16:48:07+01:00
Enable TLS 1.3 support on the server
urllib3 now supports post-handshake authentication with TLS 1.3. Enable
TLS 1.3 support for Apache HTTPd.
The update depends on bug fixes for TLS 1.3 PHA support in urllib3 and
Apache HTTPd. New builds are available in freeipa-master COPR and in
F30/F31.
Overwrite crypto-policy on Fedora only. Fedora 31 and earlier have TLS
1.0 and 1.1 still enabled by default.
Fixes: https://pagure.io/freeipa/issue/8125
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
0198eca7 by Christian Heimes at 2019-12-02T16:48:07+01:00
Update Apache HTTPd for RHBZ#1775146
Fedora 30 update FEDORA-2019-d54e892077 httpd-2.4.41-6.1.fc30
Fedora 31 update FEDORA-2019-ae1dd32c5f httpd-2.4.41-9.fc31
RHEL 8.2 RHEA-2019:47297-02 httpd-2.4.37-21
Fixes: https://pagure.io/freeipa/issue/8125
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
639bb719 by Christian Heimes at 2019-12-02T16:48:07+01:00
Don't hard-code client's TLS versions and ciphers
Client connections no longer override TLS version range and ciphers by
default. Instead clients use the default settings from the system's
crypto policy.
Minimum TLS version is now TLS 1.2. The default crypto policy on
RHEL 8 sets TLS 1.2 as minimum version, while Fedora 31 sets TLS 1.0 as
minimum version. The minimum version is configured with OpenSSL 1.1.1
APIs. Python 3.6 lacks the setters to override the system policy.
The effective minimum version is always TLS 1.2, because FreeIPA
reconfigures Apache HTTPd on Fedora.
Fixes: https://pagure.io/freeipa/issue/8125
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
2319b38c by Armando Neto at 2019-12-02T16:39:01-03:00
travis: Remove CI integration
Removing Travis CI in favour of Azure Pipelines.
All tests previously tested by Travis are also configured in Azure.
Repos [1] and [2] were used to build Docker images for Travis, thus
they are no longer required for branches master and ipa-4-8.
Branches ipa-4-7 and ipa-4-6 don't have Azure pipelines configured,
so Travis will continue to be used by them.
1 - https://github.com/freeipa/ipa-docker-test-runner
2 - https://github.com/freeipa/freeipa-builder
Related: https://pagure.io/freeipa/issue/7323
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
2c9b212c by Florence Blanc-Renaud at 2019-12-04T09:06:56+01:00
trust upgrade: ensure that host is member of adtrust agents
After an upgrade, the group cn=adtrust agents may be missing some members.
Each ad trust controller must appear twice as member:
- krbprincipalname=cifs/hostname at realm,cn=services,cn=accounts,basedn
- fqdn=hostname,cn=computers,cn=accounts,basedn
Add an upgrade plugin that builds a list of hostnames from the cifs
principals and adds if needed fqdn=hostname...
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1778777
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
28929897 by Christian Heimes at 2019-12-04T10:35:14+01:00
Don't run test_smb in gating tests
test_smb slows down gating and PR turnover. The test takes between 45 and
50 minutes to execute while the other gating tests finish in about or less
than half the time.
The Samba / AD integration tests are still executed in nightly tests.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
dcb33e44 by Christian Heimes at 2019-12-05T15:07:57+01:00
Optimize user-add by caching ldap2.has_upg()
The method has_upg returns if user private groups are enabled or
disabled. has_upg() is called three times by user-add. The setting is
now cached on the request local variable context to speed up batch
processing of user imports.
context is cleared after every request.
Related: https://pagure.io/freeipa/issue/8134
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
cf9f9bb3 by Christian Heimes at 2019-12-05T15:09:38+01:00
Fix logic of check_client_configuration
The helper function ipalib.util.check_client_configuration() now
considers a client configured when either:
* confdir is overridden (e.g. with IPA_CONFDIR) and the conf_default
file exists.
* confdir is /etc/ipa, /etc/ipa/default.conf exists and client
sysrestore state exists.
The check for sysrestore state is faster than checking for the presence
of the directory and presence of files in the directory. The sysrestore
state is always presence. sysrestore.index may be missing if no files
were backed up.
Fixes: https://pagure.io/freeipa/issue/8133
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c1272e48 by Florence Blanc-Renaud at 2019-12-05T17:48:42+01:00
ipatests: fix TestMigrateDNSSECMaster teardown
The test is installing master +DNSSEC, then replica and migrates the DNSSEC
to the replica.
During teardown, the replica is removed with ipa server-del. This operation
deletes the entries cn=DNS and cn=DNSSEC on the master, but if the
replication is stopped before the operations are replicated on the replica,
the replica may end up with a dangling cn=DNSSEC entry and no cn=DNS entry.
In this case ipa-server-install --uninstall on the replica will fail.
The fix: uninstall the DNSSec master as the last step of teardown
Related: https://pagure.io/freeipa/issue/7985
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
dbfb011d by Christian Heimes at 2019-12-06T10:23:15+01:00
Fix lite-server to work with GSS_NAME
The lite-server does no longer work correctly since rpcserver is also
using GSS_NAME. Set up GSS_NAME from ccache.
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
836b90f6 by Anuja More at 2019-12-06T15:41:09+01:00
ipatests : Login via ssh using private-key for ipa-user should work.
Added test for : https://pagure.io/SSSD/sssd/issue/3937
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
650db3b8 by MIZUTA Takeshi at 2019-12-10T16:20:24+01:00
Add config that maintains existing content to ipa-client-install manpage
If --no-ssh and --no-sshd are not specified in ipa-client-install,
/etc/ssh/{ssh, sshd}_config is updated and existing content is maintained..
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
44b3791b by Christian Heimes at 2019-12-10T16:22:11+01:00
Require idstart to be larger than UID_MAX
ipa-server-install fails if idstart is set to 0. There might be
additional issues when idstart overlaps with local users. Ensure that
idstart is larger than UID_MAX or GID_MAX from /etc/login.defs.
Fixes: https://pagure.io/freeipa/issue/8137
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3cae7f4e by Christian Heimes at 2019-12-10T16:22:48+01:00
Fix service ldap_disable()
Fix comparison bug that prevents ldap_disable to actually disable a
service.
Fixes: https://pagure.io/freeipa/issue/8143
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d30dd529 by Christian Heimes at 2019-12-10T16:23:31+01:00
Check valid before/after of external certs
verify_server_cert_validity() and verify_ca_cert_validity() now check
the validity time range of external certificates. The check fails if the
certificate is not valid yet or will expire in less than an hour.
Fixes: https://pagure.io/freeipa/issue/8142
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d5dad53e by François Cami at 2019-12-11T16:57:03-05:00
adtrust.py: mention restarting sssd when adding trust agents
After adding a replica to AD trust agent, the warning
message does not mention that restarting sssd is mantatory
for the trust agent to work. Fix the string.
Fixes: https://pagure.io/freeipa/issue/8148
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c30a0c22 by Christian Heimes at 2019-12-12T09:58:16+01:00
Fix get_trusted_domain_object_from_sid()
DomainValidator.get_trusted_domain_object_from_sid() was using
escape_filter_chars() with bytes. The function only works with text.
This caused idview to fail under some circumstances. Reimplement
backslash hex quoting for bytes.
Fixes: https://pagure.io/freeipa/issue/7958
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6462cc0f by François Cami at 2019-12-12T10:01:25+01:00
ipatests: fix pr-ci templates' indentation
temp_commit.yaml among others have wrong indentation:
expected 4 but found 3.
Fix indentation.
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
dd7fdaa7 by Alexander Bokovoy at 2019-12-12T18:24:44+01:00
DNS install check: allow overlapping zone to be from the master itself
When re-running `ipa-server-install --setup-dns` on already installed
server, we do not get to the check of being already installed because
DNS zone overlap forces us to fail earlier.
Change exception returned for this case from check_zone_overlap() to
return structured information that allows to understand whether we are
finding a conflict with ourselves.
Use the returned information to only fail DNS check at this point if DNS
zone overlap is generated by a different name server than ourselves.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
d070c595 by Thomas Woerner at 2019-12-12T18:24:44+01:00
Test repeated installation of the primary with DNS enabled and domain set
Test that a repeated installation of the primary with DNS enabled
will lead to a already installed message and not in "DNS zone X
already exists in DNS" in check_zone_overlap.
The error is only occuring if domain is set explicitly in the command
line installer as check_zone_overlap is used in the domain_name validator..
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
a2820bbb by Thomas Woerner at 2019-12-12T18:24:44+01:00
Enable TestInstallMasterDNSRepeatedly in prci_definitions
For fedora-latest, pki-fedora, fedora-previous and fedora-rawhide
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
f0d12b7f by Sumit Bose at 2019-12-13T03:49:47+02:00
ipa-kdb: Remove keys if password auth is disabled
With commit 15ff9c8 a check was removed and as a result Kerberos keys
are unconditionally added to the user entry struct if they are
available. As a result the password related pre-authentication methods
PA-ENC-TIMESTAMP and PA-ETYPE-INFO2 are advertised in the NEEDED_PREAUTH
reply to an AS_REQ.
With respect to the KDC policies this does not matter much because if
password authentication is disabled for the given principal the policy
will reject the AS_REQ if the user tries password authentication. This
is possible because with commit 15ff9c8 kinit will ask for a password if
called without any additional options (e.g. armor ticket or PKINIT
identity). Before 15ff9c8 was committed it just failed with 'kinit:
Pre-authentication failed: Invalid argument while getting initial
credentials' because no suitable pre-authentication method was
available. This is the same behavior as if no password was set for the
given principal.
But with this change SSSD fails to detect the available authentication
types for the given principal properly. As described in
https://docs.pagure.org/SSSD.sssd/design_pages/prompting_for_multiple_authentication_types.html
SSSD uses the MIT Kerberos responder interface to determine the
available authentication methods for the principal and does not check
the ipaUserAuthType LDAP attribute. As a result if a user has 2FA (otp)
authentication configured, which implies that a password is set as the
first factor, the responder interface will always indicate that password
authentication is available even if only opt is enabled for the user.
In this case SSSD will use a prompting which indicates that the second
factor might be optional. Additionally if prompting the user directly is
not possible (e.g. ssh with ChallengeResponseAuthentication /
KbdInteractiveAuthentication disabled) the single string entered by the
user will always be assumed as a password and not as a combination of
password and otp-token value. As a consequence authentication will
always fail because password authentication is disabled for the user and
since SSSD does not do try-and-error 2FA is not tried.
This patch add back the check so that if password authentication is not
available for the principal the Kerberos will not be added to the entry
struct and the KDC will not advertise PA-ENC-TIMESTAMP or
PA-ETYPE-INFO2. If you think this is wrong and the behavior added by
15ff9c8 should be preferred SSSD handing of the available authentication
types must be extended to read ipaUserAuthType as well to restore the
user experience with respect to 2FA prompting and ssh behavior.
Related to https://pagure.io/freeipa/issue/8001
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c8f1ed12 by François Cami at 2019-12-13T04:47:52+02:00
ipatests/test_nfs.py: wait before umount
umount calls including in cleanup do not wait.
The test failed once with:
"umount.nfs4: /home: device is busy"
which looks like a leftover open file descriptor.
Add wait periods before umount.
Fixes: https://pagure.io/freeipa/issue/8144
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3d402b69 by Alexander Bokovoy at 2019-12-13T17:33:33+02:00
ipa-client-samba: map domain sid of trust domain properly for display
Trusted domain object in LDAP uses ipaNTTrustedDomainSID attribute to
store SID of the trusted domain while IPA domain itself uses
ipaNTSecurityIdentifier. When mapping the values for printing out a
summary table, use the right mapping according to the object.
Fixes: https://pagure.io/freeipa/issue/8149
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
8a522bed by Florence Blanc-Renaud at 2019-12-13T17:49:22+02:00
ipa-cacert-manage man page: fix indentation
Fix the indentation of the SYNPOSIS section
Fixes: https://pagure.io/freeipa/issue/8138
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
0926cb87 by Armando Neto at 2019-12-14T14:19:21+02:00
ipatests: Improve test_commands reliability
Sometimes ssh command gets stuck, running manually without passing a command
to be executed this is returned:
```
$ ssh -o PasswordAuthentication=no -o IdentitiesOnly=yes \
-o StrictHostKeyChecking=no -l testsshuser \
-i /tmp/tmp.rQIT3KYScX master.ipa.test
Could not chdir to home directory /home/testsshuser: No such file or directory
```
This commit forces the homedir creation and adds a timeout to ssh.
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
df59f09e by Dinesh Prasanth M K at 2019-12-14T14:20:34+02:00
Adding auto COPR builds
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f80a6548 by Thomas Woerner at 2019-12-16T18:02:22+01:00
DNS install check: Fix overlapping DNS zone from the master itself
The change to allow overlapping zone to be from the master itself has
introduced two issues: The check for the master itself should only executed
if options.force and options.allow_zone_overlap are both false and the
reverse zone check later on was still handling ValueError instead of
dnsutil.DNSZoneAlreadyExists.
Both issues have been fixed and the deployment with existing name servers
is properly working again.
Fixes: https://pagure.io/freeipa/issue/8150
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
ef1b8d0f by Armando Neto at 2019-12-16T17:17:37-03:00
ipatests: Skip test_sss_ssh_authorizedkeys method
Temporarily skipping test due to unknown time-outs happening regularly.
Issue: https://pagure.io/freeipa/issue/8151
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
0162f3aa by Anuja More at 2019-12-17T08:29:49+01:00
ipatests: filter_users should be applied correctly.
Added test which checks that no look up should
be added in data provider when users are added in
filter_users for doamin provider.
Related Ticket:
https://pagure.io/SSSD/sssd/issue/3978
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
aa9340cf by Fraser Tweedale at 2019-12-17T09:18:37+01:00
removed unused function export_pem_p12
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
3d779b49 by Fraser Tweedale at 2019-12-17T09:20:43+01:00
ipatests: assert_error: allow regexp match
Enhance the assert_error subroutine to provide regular expression
matching against the command's stderr output, in additional to
substring match.
Part of: https://pagure.io/freeipa/issue/8142
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
c4b0cf4d by Fraser Tweedale at 2019-12-17T09:20:43+01:00
Fix test regressions caused by certificate validation changes
Some integration tests (that were enabled in nightly CI but not
PR-CI) are failing due to changes in the error messages. Update the
error message assertions to get these tests going again.
Part of: https://pagure.io/freeipa/issue/8142
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
775bbb91 by Gaurav Talreja at 2019-12-17T15:53:31-03:00
prci: bump template version for nightly_rawhide
New template is based on Fedora-Cloud-Base-Vagrant-Rawhide-20191201.n.0.x86_64.vagrant-libvirt.box
Template used : https://app.vagrantup.com/freeipa/boxes/ci-master-frawhide/versions/0.0.10
Tested at : https://github.com/freeipa-pr-ci2/freeipa/pull/94
Signed-off-by: Gaurav Talreja <gtalreja at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
2ed5eca7 by Alexander Bokovoy at 2019-12-18T14:16:33+01:00
Reset per-indicator Kerberos policy
When 'ipa krbtpolicy-reset' is called, we need to reset all policy
settings, including per-indicator ones. Per-indicator policy uses
subtyped attributes (foo;bar), the current krbtpolicy-reset code does
not deal with those.
Add support for per-indicator policy reset. It is a bit tricky, as we
need to drop the values to defaults but avoid adding non-per-indicator
variants of the same attributes.
Add test to check that policy has been resetted by observing a new
Kerberos TGT for the user after its policy reset.
Fixes: https://pagure.io/freeipa/issue/8153
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
d7b3aafc by Jayesh Garg at 2019-12-18T18:48:36+01:00
Test if ipactl starts services stopped by systemctl
This will first check if all services are running then it will stop
few service. After that it will restart all services and then check
the status and pid of services.It will also compare pid after ipactl
start and restart in case of start it will remain unchanged on the
other hand in case of restart it will change.
Signed-off-by: Jayesh Garg <jgarg at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
2a2cc961 by Fraser Tweedale at 2019-12-19T15:50:44+01:00
ipatests: add test for certinstall with notBefore in the future
Part of: https://pagure.io/freeipa/issue/8142
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
09a5192f by Jayesh at 2019-12-20T16:17:42+02:00
Test ipa-getkeytab quiet mode, encryptons
This will first check ipa-getkeytab quiet mode,
then it will check ipa-getkeytab server name,
then it will check different type of encryptions
Signed-off-by: Jayesh <jgarg at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
83ec9296 by Anuja More at 2019-12-20T16:29:30+02:00
Add integration test for otp kerberos ticket policy.
This also exercises the Authentication Indicator Kerberos ticket
policy options by testing a otp indicator type.
Related: https://pagure.io/freeipa/issue/8001
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
bfc998ea by Anuja More at 2019-12-23T10:21:25+01:00
Fix fedora version for xfail for sssd test
Test was failing in nightly_PR for ipa-4.7
As https://pagure.io/SSSD/sssd/issue/3978 is not available on
fedora-29
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
ad3bf504 by Jayesh at 2019-12-23T12:56:30+01:00
Test for ipa-ca-install on replica
Test on replica for ipa-ca-install with options
--no-host-dns,--skip-schema-check,done changes in
ipatests/pytest_ipa/integration/tasks.py because
wants to pass few arguments to install_ca method
Signed-off-by: Jayesh <jgarg at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
fb3c2c14 by Jayesh Garg at 2019-12-23T12:56:30+01:00
Nightly definations commit
Signed-off-by: Jayesh Garg <jgarg at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
a22e8734 by Armando Neto at 2020-01-03T09:43:40-03:00
prci: update packages for rawhide nightly runs
This forces PR-CI to update the packages instead of using the versions
already included in the vagrant image.
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
5b95d4cc by François Cami at 2020-01-06T09:42:21-05:00
ipaserver/plugins/dns.py: add "Dynamic Update" and "Bind update policy" to default dnszone* output
Displaying "Dynamic Update" and "Bind update policy" by default
when 'ipa dnszone-show/find' are used would make client dns update
failures easier to diagnose, so display them.
Fixes: https://pagure.io/freeipa/issue/7938
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
5fe8fc62 by François Cami at 2020-01-06T09:42:21-05:00
ipatests: expect "Dynamic Update" and "Bind update policy" in default dnszone* output
Fix XMLRPC tests so that "Dynamic Update" and "Bind update policy"
can be displayed by default in many DNS commands' output.
Related to: https://pagure.io/freeipa/issue/7938
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e2d69380 by Florence Blanc-Renaud at 2020-01-10T17:07:57+01:00
AD user without override receive InternalServerError with API
When ipa commands are used by an Active Directory user that
does not have any idoverride-user set, they return the
following error message which can be misleading:
$ kinit aduser at ADDOMAIN.COM
$ ipa ping
ipa: ERROR: cannot connect to 'https://master.ipa.com/ipa/json': Internal Server Error
The fix properly handles ACIError exception received when
creating the context, and now the following message can be seen:
$ kinit aduser at ADDOMAIN.COM
$ ipa ping
ipa: ERROR: cannot connect to 'https://master.ipa.com/ipa/json': Unauthorized
with the following log in /var/log/httpd/error_log:
ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials
Fixes: https://pagure.io/freeipa/issue/8163
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
f35738ef by Anuja More at 2020-01-13T13:05:47+01:00
Add xmlrpc test with input validation check for kerberos ticket policy.
This checks that valid/invalid inputs for subtypes of
authentication indicator kerberos ticket policy options.
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
b5b9efeb by Rob Crittenden at 2020-01-13T10:08:38-05:00
Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit
A "cookie" is used with certmonger to track the state of a
request across multiple requests to a CA (in ca-cookie). This
is used with the certmonger POLL operation to submit a request
to the CA for the status of a certificate request. This, along
with the profile, are passed to the certmonger CA helper
scripts via environment variables when a request is made. It is
cleared from the certmonger request once the certificate is
issued.
This CA helper can do a number of things:
- SUBMIT new certicate requests (including the CA)
- POLL for status of an existing certificate request
- For non renewal masters, POLL to see if an updated cert is in
LDAP
A POLL operation requires a cookie so that the state about the
request can be passed to the CA. For the case of retrieving an
updated cert from LDAP there is no state to maintain. It just
checks LDAP and returns either a cert or WAIT_WITH_DELAY if one
is not yet available.
There are two kinds of cookies in operation here:
1. The CERTMONGER_CA_COOKIE environment variable passed via
certmonger to this helper which is a JSON object.
2. The cookie value within the JSON object which contains the
URL to be passed to dogtag.
For the purposes of clarity "cookie" here is the value within
the JSON.
The CERTMONGER_CA_COOKIE is deconstructed and reconstructed as
the request is processed, doing double duty. It initially comes
in as a JSON dict object with two keys: profile and cookie.
In call_handler the CERTMONGER_CA_COOKIE is decomposed into a
python object and the profile compared to the requested profile
(and request rejected if they don't match) and the cookie key
overrides the CERTMONGER_CA_COOKIE environment variable. This is
then reversed at the end of the request when it again becomes a
JSON object containing the profile and cookie.
This script was previously enforcing that a cookie be available on
all POLL requests, whether it is actually required or not. This
patch relaxes that requirement.
The first request of a non-renewal master for an updated certicate
from LDAP is a SUBMIT operation. This is significant because it
doesn't require a cookie: there is no state on a new request. If
there is no updated cert in LDAP then the tracking request goes
into the CA_WORKING state and certmonger will wait 8 hours (as
returned by this script) and try again.
Subsequent requests are done using POLL. This required a cookie
so all such requests would fail with the ca-error
Invalid cookie: u'' as it was empty (because there is no state).
There is no need to fail early on a missing cookie. Enforcement
will be done later if needed (and it isn't always needed). So
if CERTMONGER_CA_COOKIE is an empty string then generate a new
CERTMONGER_CA_COOKIE containing the requested profile and an empty
cookie. It still will fail if certmonger doesn't set a cookie at
all.
An example of a cookie when retrieving a new RA Agent certificate
is:
{"profile": "caServerCert", "cookie": "state=retrieve&requestId=20"}
This will result in this request to the CA:
[09/Jan/2020:14:29:54 -0500] "GET
/ca/ee/ca/displayCertFromRequest?requestId=20&importCert=true&xml=true
HTTP/1.1" 200 9857
For a renewal, the reconstructed cookie will consist of:
{"profile": "caServerCert", "cookie": ""}
https://pagure.io/freeipa/issue/8164
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
ae140ae4 by Florence Blanc-Renaud at 2020-01-14T16:27:50-05:00
ipatests: fix backup and restore
The tests for backup_and_restore check that the ipa-backup command
compresses the tar file AFTER restarting IPA services by reading the
output and looking for a pattern with "gzip" before "Starting IPA service."
As the tar file name is randomly created, it sometimes happen that the
name contains gzip and in this case the test wrongly assumes that
the gzip cmd was called.
The fix makes a stricter comparison, looking for /bin/gzip.
Fixes: https://pagure.io/freeipa/issue/8170
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
3ccf73bf by Robbie Harwood at 2020-01-15T10:00:08+01:00
Make the coding style explicit
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ab4e910c by Robbie Harwood at 2020-01-15T10:00:08+01:00
Use separate variable for client fetch in kdcpolicy
`client` is not intended to be modified as a parameter of the AS check
function. Fixes an "incompatible pointer type" compiler warning.
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
df6a89be by Robbie Harwood at 2020-01-15T10:00:08+01:00
Fix several leaks in ipadb_find_principal
`vals` is often leaked during early exit. Refactor function to use a
single exit path to prevent this.
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e107b8e4 by Christian Heimes at 2020-01-17T15:47:00+01:00
Print LDAP diagnostic messages on error
ipa_ldap_init(), ipa_tls_ssl_init(), and the bind operations of ipa-join
and ipa-getkeytab now print LDAP error string and LDAP diagonstic messages
to stderr.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
10b62ad6 by Christian Heimes at 2020-01-22T13:15:19-05:00
Make assert_error compatible with Python 3.6
The re.Pattern class was introduced in Python 3.7. Use duck-typing to
distinguish between str and re pattern object.
Fixes: https://pagure.io/freeipa/issue/8179
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
0ad4f4c8 by Sergey Orlov at 2020-01-23T16:38:56+01:00
ipatests: add test_winsyncmigrate suite to nightly runs
The test suite test_winsyncmigrate was missing in nightly definitions
because CI was lacking configuration needed for establishing winsync
agreement: the Certificate Authority needs to be configured on
Windows AD instance. Now that PR-CI is updated to include said changes, we
can start executing this test suite. It is not reasonable to add it to
gating as this suite is time consuming just like other tests requiring
provisioning of AD instances.
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
0a55e82d by Christian Heimes at 2020-01-24T08:35:47-05:00
Add tracemalloc support to profile memory usage
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e9ae7c4b by Christian Heimes at 2020-01-24T08:35:47-05:00
lite-setup: configure lite-server test env
Introduce a script that configures a local testing environment
with ipa default.conf, krb5.conf, and ca.crt from a server hostname.
The lite server configuration allows easy and convenient testing of
IPA server and client code. It uses an existing 389-DS and KRB5 KDC
server on another machine:
$ contrib/lite-setup.py master.ipa.example
$ source ~/.ipa/activate.sh
(ipaenv) $ kinit username
(ipaenv) $ make lite-server
IPA server UI is available on http://localhost:8888/ipa/
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
4a1f56ec by Gaurav Talreja at 2020-01-27T09:38:20-03:00
Normalize test definations titles
Rename job titles to match their test suites and how they are defined in nightly yamls.
Issue : https://github.com/freeipa/freeipa-pr-ci/issues/336
Signed-off-by: Gaurav Talreja <gtalreja at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
acfb6191 by Rob Crittenden at 2020-01-28T13:05:31-05:00
Add delete option to ipa-cacert-manage to remove CA certificates
Before removing a CA re-verify all the other CAs to ensure that
the chain is not broken. Provide a force option to handle cases
where the CA is expired or verification fails for some other
reason, or you really just want them gone.
https://pagure.io/freeipa/issue/8124
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
6cb4f4bd by Rob Crittenden at 2020-01-28T13:05:31-05:00
ipa-certupdate removes all CA certs from db before adding new ones
This will allow for CA certificates to be dropped from the list
of certificates. It also allows for the trust flags to be
updated when an existing cert is dropped and re-added.
https://pagure.io/freeipa/issue/8124
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
8e71605c by Rob Crittenden at 2020-01-28T13:05:31-05:00
Add tests for ipa-cacert-manage delete command
This tests the following cases:
- deletion without nickname (expect fail)
- deletion with an unknown nickname (expect fail)
- deletion of IPA CA (expect fail)
- deletion of a root CA needed by a subCA (expect fail)
- deletion of a root CA needed by a subCA with --force (ok)
- deletion of a subca (ok)
As a side-effect this also tests install by installing the LE
root and a sub-ca. The sub-ca expires in 2021 but I tested in
the future the ipa-cacert-manage install doesn't do date
validation so for now this is ok.
https://pagure.io/freeipa/issue/8124
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
769180c2 by Fraser Tweedale at 2020-01-29T21:47:14+11:00
Do not renew externally-signed CA as self-signed
Commit 49cf5ec64b1b7a7437ca285430353473c215540e fixed a bug that
prevented migration from externally-signed to self-signed IPA CA.
But it introduced a subtle new issue: certmonger-initiated renewal
renews an externally-signed IPA CA as a self-signed CA.
To resolve this issue, introduce the `--force-self-signed' flag for
the dogtag-ipa-ca-renew-agent script. Add another certmonger CA
definition that calls this script with the `--force-self-signed'
flag. Update dogtag-ipa-ca-renew-agent to only issue a self-signed
CA certificate if the existing certificate is self-signed or if
`--force-self-signed' was given. Update `ipa-cacert-manage renew'
to supply `--force-self-signed' when appropriate.
As a result of these changes, certmonger-initiated renewal of an
externally-signed IPA CA certificate will not issue a self-signed
certificate.
Fixes: https://pagure.io/freeipa/issue/8176
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
15fd3661 by Sergey Orlov at 2020-01-30T11:47:54+01:00
ipatests: add check for output contents of ipa-client-samba
Check that ipa-client-samba tool reports specific properties of domains:
name, netbios name, sid and id range
Related to https://pagure.io/freeipa/issue/8149
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
7862e9be by Gaurav Talreja at 2020-01-30T11:53:20+01:00
Normalize title of test external_ca in prci-definition
Use a consistent way to label the tests. As a result, replace external_ca_1 with test_external_ca_TestExternalCA and external_ca_2 with test_external_ca_TestSelfExternalSelf to better reflect which subtest is executed.
Issue : freeipa/freeipa-pr-ci#336
Signed-off-by: Gaurav Talreja <gtalreja at redhat.com>
Reviewed-By: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
1c787cc3 by Robbie Harwood at 2020-01-31T14:36:31+01:00
Handle the removal of KRB5_KDB_FLAG_ALIAS_OK
In ac8865a22138ab0c657208c41be8fd6bc7968148 (between 1.17 and 1.18),
krb5 removed this flag, and always accepts aliases.
Related-to: https://pagure.io/freeipa/issue/7879
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ff10f3fa by Robbie Harwood at 2020-01-31T14:36:31+01:00
Support DAL version 8.0
Provide stubs for backward compatibility. DAL 8.0 was released with
krb5-1.18, which is part of Fedora 32+.
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
93e81cfd by Robbie Harwood at 2020-01-31T14:36:31+01:00
Drop support for DAL version 5.0
No supported Linux distro packages a version of krb5 with this DAL, so
we don't lose anything by removing it.
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d92f21ae by Isaac Boukris at 2020-02-01T10:05:46+02:00
Fix DAL v8 support
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c940f96b by Isaac Boukris at 2020-02-01T10:05:46+02:00
Fix legacy S4U2Proxy in DAL v8 support
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ab1999de by Anuja More at 2020-02-04T07:57:43+01:00
After mounting "Unspecified GSS failure" should not be in logs.
When there is directory mounted on the ipa-client
Then no "Unspecified GSS failure" should be in logs.
This is an integration test for :
https://bugzilla.redhat.com/show_bug.cgi?id=1759665
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Sumedh Sidhaye <ssidhaye at redhat.com>
- - - - -
edfe95b1 by Endi S. Dewata at 2020-02-04T19:34:26+11:00
Removed hard-coded default profile subsystem class name
Previously in order to enable the LDAP profile subsystem
the ca_enable_ldap_profile_subsystem() would check the
current value of the profile subsystem class parameter in
CS.cfg. If the parameter was still set to the default value
(i.e. ProfileSubsystem), the code would change it to
LDAPProfileSubsystem.
There is a effort in PKI to clean up the profile subsystem
classes which may require changing the default value for
this parameter. However, this improvement is blocked since
the ca_enable_ldap_profile_subsystem() is implicitly assuming
that the default value will always be ProfileSubsystem.
This patch modifies the code such that instead of checking
for a specific value that needs to be changed, it will check
whether it has the desired value already. This mechanism
will reduce potential conflicts with future PKI improvements.
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
b5c8efa3 by sumenon at 2020-02-04T09:20:23-05:00
Tier-1 test for ipa-healthcheck tool
Signed-off-by: sumenon <sumenon at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
000703c8 by sumenon at 2020-02-04T09:20:23-05:00
Nightly definition for ipa-healthcheck tool
Signed-off-by: sumenon <sumenon at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
d7830d90 by sumenon at 2020-02-05T10:02:37+01:00
Adding back temp config definition removed
fedora-latest/temp_commit section was removed from
temp_commit.yaml file while working with PR4108, adding it back.
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
9418042e by Serhii Tsymbaliuk at 2020-02-05T12:04:50+01:00
WebUI tests: Fix 'Button is not displayed' exception
Add a small timeout (up to 5 seconds) which allows to prevent exceptions when
WebDriver attempts to click a button before it is rendered.
Ticket: https://pagure.io/freeipa/issue/8169
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
19f0142e by Armando Neto at 2020-02-05T14:48:34-03:00
prci: Bump version of all templates
These new images have SELinux enabled in permissive mode. After
this all tests skipped because SELinux was disabled will be
executed again.
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
a4634a59 by Serhii Tsymbaliuk at 2020-02-06T10:21:36+01:00
WebUI tests: Fix broken reference to parent facet in table record check
Add decorator to has_record method which repeats the check when an active facet is changed
(catch StaleElementReferenceException).
Ticket: https://pagure.io/freeipa/issue/8157
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
60f746d9 by Florence Blanc-Renaud at 2020-02-10T15:22:54+01:00
ipatests: update packages for rawhide and updates-testing nightlies
The nightly tests for rawhide and updates_testing are expected
to set
update_packages: True
in all the job definitions to make sure that dnf/yum update is called
before starting the tests.
This tag was missing for some jobs, this commit fixes the issue.
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
f0f2c264 by Sumedh Sidhaye at 2020-02-11T17:24:37+01:00
Added a test to check if ipa host-find --pkey-only does not return SSH public key
It checks if 'SSH public key fingerprint' is
not present in the output of the command
Related: https://pagure.io/freeipa/issue/8029
Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
cec1ddc3 by Florence Blanc-Renaud at 2020-02-11T17:28:19+01:00
ipatests: fix modify_sssd_conf()
The method modify_sssd_conf() is copying a remote sssd.conf file
to the test controller then uses sssd python API to modify the
config file.
When the test controller does not have sssd-common package installed,
SSSDConfig() call fails because the API needs sssd schema in order
to properly parse the config file, and the schema files are provided
by sssd-common pkg.
The fix also downloads the files representing sssd schema and calls
SSSDConfig() with those files. Using the schema from the test machine
is ensuring that config is consistent with the schema (if the sssd
version differs between controller and test machine for instance).
Note: we currently don't see any issue in the nightly tests because
the test controller is installed with sssd-common package but if you
run the tests as specified in https://www.freeipa.org/page/Testing
with a controller missing sssd-common, you will see the issue.
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
ff547a27 by Alexander Bokovoy at 2020-02-12T11:45:39+01:00
install/updates: move external members past schema compat update
There is an ordering discrepancy because the base compat tree
configuration is in install/updates/80-schema_compat.update so it is ran
after 50-externalmembers.update. And since at that point
cn=groups,cn=Schema ... does not exist yet, external members
configuration is not applied.
Move it around to make sure it is applied after Schema Compatibility
plugin configuration is created.
Fixes: https://pagure.io/freeipa/issue/8193
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
292d686c by Stanislav Levin at 2020-02-12T18:08:32+02:00
pytest: Migrate xunit-style setups to Pytest fixtures
Even though Pytest supports xunit style setups, unittest and nose
tests, this support is limited and may be dropped in the future
releases. Worst of all is that the mixing of various test
frameworks results in weird conflicts and of course, is not widely
tested.
This is a part of work to remove the mixing of test idioms in the
IPA's test suite:
1) replace xunit style
2) employ the fixtures' interdependencies
Related: https://pagure.io/freeipa/issue/7989
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
fec66942 by Stanislav Levin at 2020-02-12T18:08:32+02:00
pytest: Migrate unittest/nose to Pytest fixtures
Even though Pytest supports xunit style setups, unittest and nose
tests, this support is limited and may be dropped in the future
releases. Worst of all is that the mixing of various test
frameworks results in weird conflicts and of course, is not widely
tested.
This is a part of work to remove the mixing of test idioms in the
IPA's test suite:
1) replace unittest.TestCase subclasses
2) replace unittest test controls (SkipTest, fail, etc.)
3) replace unittest assertions
Related: https://pagure.io/freeipa/issue/7989
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
8c7447fd by Stanislav Levin at 2020-02-12T18:08:32+02:00
pytest: Warn about unittest/nose/xunit tests
This Pytest plugin is intended to issue warnings on collecting
tests, which employ unittest/nose frameworks or xunit style.
For example, this may look like:
"""
test_a/test_xunit.py:25
test_a/test_xunit.py:25: PytestDeprecationWarning: xunit style is deprecated
def test_foo_bar(self):
test_b/test_unittest.py:7
test_b/test_unittest.py:7: PytestDeprecationWarning: unittest is deprecated
def test_foo_bar(self):
"""
To treat these warnings as errors it's enough to run Pytest with:
-W error:'xunit style is deprecated':pytest.PytestDeprecationWarning
Related: https://pagure.io/freeipa/issue/7989
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
43a97082 by Alexander Bokovoy at 2020-02-12T18:08:32+02:00
Update Azure Pipelines to use Fedora 31
nodejs:12 requires libicu-65.1 while gdb (not direct dependency)
libicu-63.2. As a workaround gdb-minimal [0] could be used.
It's even better as requires less packages to be downloaded
and then installed.
[0] https://fedoraproject.org/wiki/Changes/Minimal_GDB_in_buildroot
Co-authored-by: Stanislav Levin <slev at altlinux.org>
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
19462788 by Stanislav Levin at 2020-02-12T18:08:32+02:00
ipatests: Properly kill gpg-agent
There is a race condition exposed in 'test_gpg_asymmetric'.
The teardown of 'tempdir' fixture and gpg-agent being called
from the teardown of 'gpgkey' fixture could simultaneously
remove the gnugpg's socket files.
This results in an error like:
```
================= ERRORS ===================
_ ERROR at teardown of test_gpg_asymmetric __
...
> os.unlink(entry.name, dir_fd=topfd)
E FileNotFoundError: [Errno 2] No such file or directory: 'S.gpg-agent.extra'
/usr/lib64/python3.7/shutil.py:450: FileNotFoundError
```
The problem is that the agent is not terminated properly.
Instead, gpgconf could be used to kill daemonized gpg-agent.
Related: https://pagure.io/freeipa/issue/7989
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
92b440a0 by Stanislav Levin at 2020-02-12T18:08:32+02:00
pylint: Teach Pylint how to handle request.context
With Astroid change [0] a inference for builtin containers
was improved. This means that all the elements of such containers
will be inferred if they are not Python constants (previously
ignored).
This change introduces several issues, one of them is a volatile
error exposed at multi-job Pylinting, but could be guaranteed
produced at single-job mode as:
```
PYTHONPATH=. /usr/bin/python3 -m pylint --rcfile=./pylintrc \
--load-plugins pylint_plugins ipaserver/plugins/dns.py ipalib/request.py
ipalib/request.py:76: [E1101(no-member), destroy_context] Instance of 'bool' has no 'disconnect' member)
-----------------------------------
Your code has been rated at 9.97/10
```
Or even adding 'context.some_attr = True' into ipalib/request.py.
It's should be treated as no one member of `context`'s attrs is a
`Connection` instance and has `destroy_context` member.
To tell Pylint that there are such members the corresponding
transformation is added.
[0] https://github.com/PyCQA/astroid/commit/79d5a3a7
Related: https://pagure.io/freeipa/issue/8116
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
e128e7d6 by Stanislav Levin at 2020-02-12T18:08:32+02:00
pylint: Synchronize pylint plugin to ipatests code
Pylint is a static analysis tool and therefore, couldn't always
analyze dynamic stuff properly. Transformation plugins is a way
to teach Pylint how to handle such cases.
Particularly, with the help of FreeIPA own plugin, it is possible
to tell Pylint about instance fields having a duck-typing nature.
A drawback exposed here is that a static view (Pylint's) of code
should be consistent with an actual one, otherwise, codebase will
be polluted with various skips of pylint checks.
* added missing fields to ipatests.test_integration.base.IntegrationTest
* an attempt is made to clear `no-member` skips for ipatests
* removed no longer needed `pytest` module transformation
Related: https://pagure.io/freeipa/issue/8116
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
a309de6c by Stanislav Levin at 2020-02-12T18:08:32+02:00
pylint: Clean up comment
I added a comment in @d0b420f6d, later, on refactoring in
@c6769ad12 I forgot to remove it. So, it is just a clean up.
Related: https://pagure.io/freeipa/issue/8116
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
ba12165e by Stanislav Levin at 2020-02-12T18:08:32+02:00
lint: Make Pylint-2.4 happy again
This is the first time running Pylint-2.4 over the whole IPA codebase.
```
Pylint on /usr/bin/python is running, please wait ...
internal error with sending report for module ['ipaserver/plugins/serverroles.py']
maximum recursion depth exceeded while calling a Python object
************* Module ipatests.test_integration.base
ipatests/test_integration/base.py:84: [W0125(using-constant-test), IntegrationTest.install] Using a conditional statement with a constant value)
************* Module ipaserver.install.ipa_cacert_manage
ipaserver/install/ipa_cacert_manage.py:522: [R1724(no-else-continue), CACertManage.delete] Unnecessary "elif" after "continue")
```
The latest Pylint (via the Tox task) checks only:
```
{envsitepackagesdir}/ipaclient \
{envsitepackagesdir}/ipalib \
{envsitepackagesdir}/ipapython
```
, while the distro-Pylint runs over all project but it is not fresh.
That's why these warnings/errors weren't exposed before now.
Concerning `internal error`: a fix was accepted by upstream:
https://github.com/PyCQA/pylint/issues/3245, but wasn't released yet.
Until that is done, Pylint just warns.
Related: https://pagure.io/freeipa/issue/8116
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
4f09416f by Anuja More at 2020-02-12T17:34:32+01:00
ipatests: Add test for ipa-extdom-extop plugin should allow @ in group name
If group contains @ in group name on AD,
then it should fetch successfully on ipa-client.
Related to: https://bugzilla.redhat.com/1746951
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
0a4bec2a by Anuja More at 2020-02-12T17:34:32+01:00
Update topology for test_integration/test_sssd.py
Added changes in topology for test_sssd.py
As in test it needs client also.
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
b3dbb368 by Alexander Bokovoy at 2020-02-13T21:20:13+02:00
adtrust: print DNS records for external DNS case after role is enabled
We cannot gather information about required DNS records before "ADTrust
Controller" role is enabled on this server. As result, we need to call
the step to add DNS records after the role was enabled.
Fixes: https://pagure.io/freeipa/issue/8192
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
902821e8 by Stanislav Levin at 2020-02-14T09:29:20+02:00
ipatests: Allow zero-length arguments
Currently, such arguments are eaten by 'ipa-run-tests' script as they
are not quoted.
For example, running ipa-run-tests -k ''
results in the actual invocation would be like as:
['/bin/sh',
'--norc',
'--noprofile',
'-c',
'--',
"/usr/bin/python3 -c 'import sys,pytest;sys.exit(pytest.main())' -o "
'cache_dir=/tmp/pytest-of-root/pytest-12/test_ipa_run_tests_empty_expression0/.pytest_cache '
'--confcutdir=/usr/lib64/python3/site-packages/ipatests -k ']
Note: expressions or marks could be empty as a result of the building
of command line args by more high-level tools, scripts, etc.
So, a short-termed solution is the quotting of zero-length arguments.
Fixes: https://pagure.io/freeipa/issue/8173
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e1b6e3ba by François Cami at 2020-02-14T09:33:43+02:00
ipa-client-automount: call save_domain() for each change
Call sssdconfig.save_domain(domain) after each configuration
change during ipa-client-automount --uninstall.
Previously, sssdconfig.save_domain(domain) was called only
outside of the domain detection loop which changed the domain
configuration. This introduced issues as this method's behavior
is only consistent when configuration items are removed in a
certain order: https://pagure.io/SSSD/sssd/issue/4149
Plus, it is more correct to save the configuration from within
the loop if ever we support multiple domains.
Fixes: https://pagure.io/freeipa/issue/8190
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
5f9d5281 by François Cami at 2020-02-14T09:33:43+02:00
ipatests: make sure ipa-client-automount reverts sssd.conf
Due to https://pagure.io/SSSD/sssd/issue/4149 ipa-client-automount
fails to remove the ipa_automount_location entry from sssd.conf.
Test that autofs_provider and ipa_automount_location are removed.
Fixes: https://pagure.io/freeipa/issue/8190
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
87a1d34c by Anuja More at 2020-02-14T09:37:38+02:00
ipatests: SSSD should fetch external groups without any limit.
When there are more external groups than default limit, then
SSSD should fetch all groups.
Related : https://pagure.io/SSSD/sssd/issue/4058
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
209e0ac8 by Christian Heimes at 2020-02-14T09:40:40+02:00
Remove dependency on custodia package
ipa-server no longer use any files and features from the custodia
package. The python3-custodia package provides all Custodia features for
ipa-custodia.service.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
856fdbc1 by Christian Heimes at 2020-02-14T09:42:52+02:00
dnsrecord: Treat empty list arguments correctly
dnsrecord_del fails when one of the record arguments is an empty list:
AttrValueNotFound("AAAA record does not contain 'None'",)
The problem is caused by the fact that LDAPEntry.__getitem__ returns None
for empty lists. The code in the plugin considers None as a single entry
and maps it to vals = [None].
The patch maps None to empty list.
Fixes: https://pagure.io/freeipa/issue/8196
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
273ff270 by Julian Gethmann at 2020-02-14T09:48:50+02:00
Fix typo in idrange.py docstring
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
001de6ee by Sergey Orlov at 2020-02-14T12:48:34+01:00
ipatests: add test_trust suite to nightly runs
The test suite test_trust was missing in nightly definitions
because PR-CI was not able to provision multi-AD topology.
Now that PR-CI is updated, we can start executing this test suite.
It is not reasonable to add it to gating as this suite is
time consuming like other tests requiring provisioning of AD instances.
Signed-off-by: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
e5291963 by Alexander Bokovoy at 2020-02-17T16:03:11+02:00
kdb: make sure audit_as_req callback signature change is preserved
audit_as_req() callback has changed its signature with MIT krb5 commit
20991d55efbe1f987c1dbc1065f2d58c8f34031b in 2017, we should preserve the
change for any newer DAL versions. Otherwise audit_as_req() callback
would reference wrong data and we might crash.
Fixes: https://pagure.io/freeipa/issue/8200
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
ba904672 by Alexander Bokovoy at 2020-02-17T16:03:11+02:00
Azure Pipelines: re-enable nodejs:12 stream for Fedora 31+
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
10e8e7af by Kaleemullah Siddiqui at 2020-02-17T17:02:32+01:00
Tests for backup-restore when pkg required is missing
Tests for ipa-restore behaviour when dns or adtrust
rpm is missing which is required during ipa-restore
https://pagure.io/freeipa/issue/7630
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e4966f9c by Rob Crittenden at 2020-02-18T09:15:57-05:00
Don't fully quality the FQDN in ssbrowser.html for Chrome
The trailing dot causes it to not function as expected, remove
it from the example.
https://pagure.io/freeipa/issue/8201
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
939ee59c by Kaleemullah Siddiqui at 2020-02-19T10:42:01+01:00
Fix for regression from PR#3962
There was a regression caused in nightly run of test
TestBackupReinstallRestoreWithDNS of test_backup_and_restore
test suite because of PR#3962.
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
b0d57d99 by Mohammad Rizwan Yusuf at 2020-02-20T08:40:54-05:00
Test AES SHA 256 and 384 Kerberos enctypes enabled
AES SHA 256 and 384-bit enctypes supported by MIT kerberos but
was not enabled in IPA. This test is to check if these types are
enabled.
related: https://pagure.io/freeipa/issue/8110
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
fe21094c by Mohammad Rizwan Yusuf at 2020-02-24T08:45:06-05:00
Test if certmonger reads the token in HSM
This is to ensure added HSM support for FreeIPA. This test adds
certificate with sofhsm token and checks if certmonger is tracking
it.
related : https://pagure.io/certmonger/issue/125
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
80679542 by Mohammad Rizwan Yusuf at 2020-02-24T08:45:06-05:00
Add certmonger wait_for_request that uses run_command
Add a little utility function to get the certmonger status
of a request id on a particular host and wait until it is either
failed on the CA or issued (or times out).
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
51fcca53 by Thomas Woerner at 2020-02-24T15:02:24+01:00
ipaserver/plugins/hbacrule: Add HBAC to memberservice_hbacsvc* labels
The labels for memberservice_hbacsvc and memberservice_hbacsvcgroup are
only "Services" and "Service Groups" but they should be "HBAC Services"
and "HBAC Service Groups".
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
9eb1be87 by Florence Blanc-Renaud at 2020-02-24T15:06:04+01:00
Part2: Don't fully quality the FQDN in ssbrowser.html for Chrome
The web page ssbrowser.html is displayed when the browser doesn't
enable javascript. When js is enabled, the content is taken from
ipaserver/plugins/internal.py.
The commit e4966f9 fixed a string in ssbrowser.html but did not
fix the corresponding string in ipaserver/plugins/internal.py,
resulting in a different page depending on javascript enabled/not
enabled.
This commit makes both contents consistent.
Fixes: https://pagure.io/freeipa/issue/8201
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
- - - - -
ecc398c4 by Stanislav Levin at 2020-02-25T18:02:12+02:00
Azure: Allow to not provide tests to be ignored
As for now, a list of tests which will be ignored by Pytest is
mandatory. But actually, a list of tests to run is explicitly set
in yaml config. And thus, 'ignore' list should be an optional field.
This simplifies tests definitions to drop extra stuff.
Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
157fa59e by Stanislav Levin at 2020-02-25T18:02:12+02:00
Azure: Allow SSH for Docker environments
IPA integration tests utilize SSH as a transport to communicate
with IPA hosts. To run such tests Docker environments should
have configured SSH.
Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
879855ce by Stanislav Levin at 2020-02-25T18:02:12+02:00
Azure: Allow to run integration tests
Azure provides Microsoft-hosted agents having tasty resources [0].
For now (Feb 2020),
- (Linux only) Run steps in a cgroup that offers 6 GB of physical memory and
13 GB of total memory
- Provide at least 10 GB of storage for your source and build outputs.
This is enough to set up IPA environments consisted of not only master but also
replicas and clients and thus, run IPA integration tests.
New Azure IPA tests workflow:
+ 1) Azure generate jobs using Matrix strategy
2) each job is run in parallel (up to 10) within its own VM (Ubuntu-18.04):
a) downloads prepared Docker container image (artifact) from Azure cloud
(built on Build Job) and loads the received image into local pool
+ b) docker-compose creates the Docker environment having a required number
of replicas and/or clients
+ c) setup_containers.py script does the needed container's changes (DNS,
SSH, etc.)
+ d) launch IPA tests on tests' controller
e) publish tests results in JUnit format to provide a comprehensive test
reporting and analytics experience via Azure WebUI [1]
f) publish regular system logs as artifacts
[0] https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/hosted?view=azure-devops
[1] https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/test/publish-test-results?view=azure-devops&tabs=yaml
Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
b8251556 by Stanislav Levin at 2020-02-25T18:02:12+02:00
Azure: Make it possible to configure distro-specific stuff
This allows to run IPA tests on Azure using any distro.
To achieve this, one has to do:
1) place a platform specific template on 'ipatests/azure/templates/'
and make a soft link from 'ipatests/azure/templates/variables.yml' to
the new template.
2) place a configuration templates on these paths
3) templates have to answer the questions such as:
a) which Docker image to use to build IPA packages (rpm, deb, etc.)
b) how to prepare Build environment
c) how to build IPA packages
d) how to prepare environment to run Tox tests
e) how to prepare environment to run WebUI unittests
f) which base Docker image to use to build the new image to run
IPA tests within it
Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
fa104daf by Stanislav Levin at 2020-02-25T18:02:12+02:00
yamllint: Lint all the YAML files
For now, a list of YAML files' paths is hardcoded (even after
globbing) into Makefile.am. Moreover, Azure templates are not
checked at all until Azure triggered.
With this change, the list of YAMLs is populated automatically
on yamllinting.
Jinja templates are not parseable by a regular yaml module, to
skip such the YAML_TEMPLATE_FILES is utilized.
Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d3f1b9b4 by Stanislav Levin at 2020-02-25T18:02:12+02:00
Azure: Don't collect twice systemd_journal.log
This log file is collected by azure-run-tests.sh script and then by
Azure 'PublishPipelineArtifact' task. So, the same file gets into
logs artifact.
Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
31d05650 by Stanislav Levin at 2020-02-25T18:02:12+02:00
Azure: Add support for testing multi IPA environments
Currently, only one IPA environment is tested within Docker
containers. This is not efficient because Azure's agent gives
6 GB of physical memory and 13 GB of total memory (Feb 2020),
but limits CPU with 2 cores.
Next examples are for 'master-only' topologies.
Let's assume that only one member of github repo simultaneously
run CI. This allows to get the full strength of Azure.
Concurrency results for TestInstallMaster:
------------------------------------------
| job concurrency | time/jobs |
------------------------------------------
| 5 | 40/5 |
| 4 | 34/4 |
| 3 | 25/3 |
| 2 | 19/2 |
| 1 | 17/1 |
------------------------------------------
Results prove the limitation of 2 cores. So, in case of jobs'
number not exceeds the max capacity for parallel jobs(10) the
proposed method couldn't save time, but it reduces the used
jobs number up to 2 times. In other words, in this case CI
could pass 2 x tests.
But what if CI was triggered by several PRs? or jobs' number is
bigger than 10. For example, there are 20 tests to be run.
Concurrency results for TestInstallMaster and 20 input jobs:
------------------------------------------------------------------
| job concurrency | time | jobs used | jobs free |
------------------------------------------------------------------
| 5 | 40 | 4 | 6 |
| 4 | 34 | 5 | 5 |
| 3 | 25 | 7 | 3 |
| 2 | 19 | 10 | 0 |
| 1 | 34 | 20 | 0 |
------------------------------------------------------------------
So, in this case the optimal concurrency would be 4 since it
allows to run two CIs simultaneously (20 tasks on board) and get
results in 34 minutes for both. In other words, two people could
trigger CI from PR and don't wait for each other.
New Azure IPA tests workflow:
+ 1) generate-matrix.py script generates JSON from user's YAML [0]
2) Azure generate jobs using Matrix strategy
3) each job is run in parallel (up to 10) within its own VM (Ubuntu-18.04):
a) downloads prepared Docker container image (artifact) from Azure cloud
(built on Build Job) and loads the received image into local pool
+ b) GNU 'parallel' launch each IPA environment in parallel:
+ 1) docker-compose creates the Docker environment having a required number
of replicas and/or clients
+ 2) setup_containers.py script does the needed container's changes (DNS,
SSH, etc.)
+ 3) launch IPA tests on tests' controller
c) publish tests results in JUnit format to provide a comprehensive test
reporting and analytics experience via Azure WebUI [1]
d) publish regular system logs as artifacts
[0]: https://docs.microsoft.com/en-us/azure/devops/pipelines/process/phases?view=azure-devops&tabs=yaml
Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e280a2f0 by Stanislav Levin at 2020-02-25T18:02:12+02:00
pylint: Run Pylint over Azure Python scripts
> Pylint is a tool that checks for errors in Python code, tries to enforce a
> coding standard and looks for code smells. It can also look for certain type
> errors, it can recommend suggestions about how particular blocks can be
> refactored and can offer you details about the code's complexity..
Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6daf4d2e by Stanislav Levin at 2020-02-25T18:02:12+02:00
Azure: Sync Gating definitions to current PR-CI
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
1fa033c3 by Stanislav Levin at 2020-02-25T18:02:12+02:00
Azure: Preliminary check for provided limits
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e925148a by Stanislav Levin at 2020-02-25T18:02:12+02:00
Azure: Free Docker resources after usage
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
9203404c by Stanislav Levin at 2020-02-25T18:02:12+02:00
Azure: Skip tests requiring external DNS
An external DNS is not supported yet, but it could be easily
implemented by adding another container with simple DNS server.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
38e0a9f4 by Stanislav Levin at 2020-02-25T18:02:12+02:00
Azure: Rebalance tests
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
0a1e98cd by Stanislav Levin at 2020-02-25T18:02:12+02:00
Azure: Report elapsed time
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f589a895 by Rob Crittenden at 2020-02-26T13:42:10-05:00
Fix div-by-zero when svc weight is 0 for all masters in location
The relative service weight output tries to show the relative
chance that any given master in a locaiton will be picked. This
didn't account for all masters having a weight of 0 which would
result in a divide-by-zero error.
Implement the following rules:
1. If all masters have weight == 0 then all are equally
weighted.
2. If any masters have weight == 0 then they have an
extremely small chance of being chosen, percentage is
0.1.
3. Otherwise it's percentage change is based on the sum of
the weights of non-zero masters.
https://pagure.io/freeipa/issue/8135
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
132ef03a by Armando Neto at 2020-03-01T15:26:13-03:00
prci: bump version for latest and previous templates
Packages updated in the new templates.
Boxes:
* https://app.vagrantup.com/freeipa/boxes/ci-master-f31/versions/0.0.4
* https://app.vagrantup.com/freeipa/boxes/ci-master-f30/versions/0.0.7
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
8007cec8 by Anuja More at 2020-03-03T10:23:58+02:00
ipatests: Added test when 2FA prompting configurations is set.
Related : https://pagure.io/SSSD/sssd/issue/3264
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
1556f3f7 by Mohammad Rizwan Yusuf at 2020-03-03T08:11:51-05:00
Test if server installer lock Bind9 recursion
This test is to check if recursion can be configured.
It checks if newly added file /etc/named/ipa-ext.conf
exists and /etc/named.conf should not have
'allow-recursion { any; };'. It also checks if ipa-backup
command backup the /etc/named/ipa-ext.conf file as well
related : https://pagure.io/freeipa/issue/8079
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
9ee8657c by Florence Blanc-Renaud at 2020-03-05T07:20:15+01:00
ipatests: fix TestSubCAkeyReplication
The test is using the output of openssl to compare the SubCA issuer name
with the expected value.
Depending on the version of openssl, the issuer can be displayed
differently (with/without space around the = character). On RHEL 7.x,
there is no space by default while on Fedora the space is used.
Calling openssl with -nameopt space_eq forces a consistent output, always
adding space around =.
Reviewed-By: Sudhir Menon <sumenon at redhat.com>
- - - - -
5b573bb9 by Vit Mojzis at 2020-03-05T09:57:00+01:00
Add freeipa-selinux subpackage
Add freeipa-selinux subpackage containing selinux policy for FreeIPA
server. This policy module will override the distribution policy.
Policy files where extracted from
https://github.com/fedora-selinux/selinux-policy
See Independent policy project guidelines for more details about
shipping custom SELinux policy.
https://fedoraproject.org/wiki/SELinux/IndependentPolicy
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
9288901f by Christian Heimes at 2020-03-05T09:57:00+01:00
Integrate SELinux policy into build system
Hook up the new policy to autoconf and automake.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
0c9949e8 by Vit Mojzis at 2020-03-05T09:57:00+01:00
selinux: move BUILD_SELINUX_POLICY definition
BUILD_SELINUX_POLICY needs to be defined outside of ENABLE_SERVER
conditional block.
Fixes:
\# ./configure --disable-server
...
configure: error: conditional "BUILD_SELINUX_POLICY" was never defined.
Usually this means the macro was only invoked conditionally.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
473f9baf by Vit Mojzis at 2020-03-05T09:57:00+01:00
selinux: Remove obsolete memcached access
Drop memcached_stream_connect access since memcached is no longer used.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
68c72e34 by Florence Blanc-Renaud at 2020-03-05T14:40:58+01:00
Privilege: add a helper checking if a principal has a given privilege
server_conncheck is ensuring that the caller has the expected privilege.
Move the code to a common place in ipaserver/plugins/privilege.py
Related: https://pagure.io/freeipa/issue/7600
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
911992b8 by Florence Blanc-Renaud at 2020-03-05T14:40:58+01:00
ipa-adtrust-install: run remote configuration for new agents
When ipa-adtrust-install is run, the tool detects masters that are
not enabled as trust agents and propose to configure them. With the
current code, the Schema Compat plugin is not enabled on these new
trust agents and a manual restart of LDAP server + SSSD is required.
With this commit, ipa-adtrust-install now calls remote code on the new
agents through JSON RPC api, in order to configure the missing parts.
On the remote agent, the command is using DBus and oddjob to launch
a new command,
/usr/libexec/ipa/oddjob/org.freeipa.server.trust-enable-agent [--enable-compat]
This command configures the Schema Compat plugin if --enable-compat is
provided, then restarts LDAP server and SSSD.
If the remote agent is an older version and does not support remote
enablement, or if the remote server is not responding, the tool
ipa-adtrust-install prints a WARNING explaining the steps that need
to be manually executed in order to complete the installation, and
exits successfully (keeping the current behavior).
Fixes: https://pagure.io/freeipa/issue/7600
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
fc4c3ac7 by Florence Blanc-Renaud at 2020-03-05T14:40:58+01:00
ipatests: add test for ipa-adtrust-install --add-agents
Add tests checking the behavior of ipa-adtrust-install when
adding trust agents:
- try calling the remote method trust_enable_agent with
a principal missing the required privilege.
- try adding a trust agent when the remote node is stopped.
The installer must detect that he's not able to run the remote
commands and print a WARNING.
- try adding a trust agent when the remote node is running.
The WARNING must not be printed as the remote configuration is done.
- try adding a trust agent with --enable-compat.
The WARNING must not be printed and the Schema Compatibility plugin
must be enabled (the entries
cn=users/groups,cn=Schema Compatibility,cn=plugins,cn=config
must contain a new attribute schema-compat-lookup-nsswitch
(=user/group).
Thanks to sorlov for the nightly test definitions and new test.
Related: https://pagure.io/freeipa/issue/7600
Co-authored-by: Sergey Orlov <sorlov at redhat.com>
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
888c7ba9 by Sergey Orlov at 2020-03-09T16:17:13+01:00
ipatests: update docstring to reflect changes in FileBackup.restore()
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
9450aef7 by Sergey Orlov at 2020-03-09T16:17:13+01:00
ipatests: replace utility for editing sssd.conf
There are three patterns for editing sssd.conf in tests now:
1. using modify_sssd_conf() which allows to modify only domain sections
2. using remote_ini_file
3. direct file editing using `sed`
This patch introduces new utility function which combines advantages of
first two approaches:
* changes are verified against schema, so that mistakes can be spotted
early
* has convenient interface for simple options modification,
both in domain and service sections
* allows sophisticated modifications through SSSDConfig object
Fixes: https://pagure.io/freeipa/issue/8219
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3dd679b3 by Sergey Orlov at 2020-03-09T16:17:13+01:00
ipatests: use remote_sssd_config to modify sssd.conf
Replace usage of remote_ini_file with remote_sssd_config.
The latter verifies changes against schema which helps to spot the mistakes.
Related to: https://pagure.io/freeipa/issue/8219
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e01e7fe6 by Sergey Orlov at 2020-03-09T16:17:13+01:00
ipatests: remove invalid parameter from sssd.conf
`use_fully_qualified_names` is not a valid parameter for `[sssd]` section
of sssd.conf, it can be specified only in domain section.
According to `man sssd.conf` it simply requires all requests to be fully
qualified, otherwise no result will be found. It is irrelevant to the
test scenario, so removing it.
Related to: https://pagure.io/freeipa/issue/8219
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
233a18b2 by Florence Blanc-Renaud at 2020-03-10T18:21:50+01:00
ipa-adtrust-install: remote command fails if ipa-server-trust-ad pkg missing
When the command ipa-adtrust-install --add-agents is run, it executes
remotely the command trust_enable_agent. This command does not require
the package ipa-server-trust-ad to be installed on the remote node, but
fails if it's not the case because dbus is not imported.
Need to move the "import dbus" outside of the try/except related to
dcerpc import.
Related: https://pagure.io/freeipa/issue/7600
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
1fbc4e01 by Florence Blanc-Renaud at 2020-03-10T18:21:50+01:00
selinux policy: add the right context for org.freeipa.server.trust-enable-agent
This commit sets the system_u:object_r:ipa_helper_exec_t:s0 context to the
oddjob script org.freeipa.server.trust-enable-agent.
Without this context, oddjob cannot launch the command
/usr/libexec/ipa/oddjob/org.freeipa.server.trust-enable-agent
when ipa-adtrust-install --add-agents is run with SElinux enforcing.
Related: https://pagure.io/freeipa/issue/7600
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
593fac1c by Alexander Bokovoy at 2020-03-11T17:41:17+01:00
Tighten permissions on PKI proxy configuration
As we need to store credentials for AJP protocol comminucation,
ensure only root can read the configuration file.
Related: https://pagure.io/freeipa/issue/8221
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ec73de96 by Alexander Bokovoy at 2020-03-11T17:41:17+01:00
Secure AJP connector between Dogtag and Apache proxy
AJP implementation in Tomcat is vulnerable to CVE-2020-1938 if used
without shared secret. Set up a shared secret between localhost
connector and Apache mod_proxy_ajp pass-through.
For existing secured AJP pass-through make sure the option used for
configuration on the tomcat side is up to date. Tomcat 9.0.31.0
deprecated 'requiredSecret' option name in favor of 'secret'. Details
can be found at https://tomcat.apache.org/migration-9.html#Upgrading_9.0.x
Fixes: https://pagure.io/freeipa/issue/8221
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
6739d872 by Mohammad Rizwan Yusuf at 2020-03-11T15:48:42-04:00
Move wait_for_request() method to tasks.py
Moved the method so that it can be used by other modules too
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
9bcc57d9 by Mohammad Rizwan Yusuf at 2020-03-11T15:48:42-04:00
Test if getcert creates cacert file with -F option
It took longer to create the cacert file in older version.
restarting the certmonger service creates the file at the location
specified by -F option. This fix is to check that cacert file
creates immediately after certificate goes into MONITORING state.
related: https://pagure.io/freeipa/issue/8105
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
7c059c81 by Sergey Orlov at 2020-03-12T07:39:12+01:00
ipatests: provide docstrings instead of imporperly placed comments
Related to: https://bugzilla.redhat.com/show_bug.cgi?id=1685581
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
8dd663e0 by Sergey Orlov at 2020-03-12T07:39:12+01:00
ipatests: add test for SSSD updating expired cache items
New test checks that sssd updates expired cache values both for IPA
domain and trusted AD domain.
Related to: https://pagure.io/SSSD/sssd/issue/4012
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
b88562b2 by Christian Heimes at 2020-03-12T07:46:59+01:00
Cleanup SELinux policy
* Remove FC for /usr/libexec/ipa/com.redhat.idm.trust-fetch-domains. The
file has been moved to oddjobs/ subdirectory a long time ago.
* Simplify FC for oddjob scripts. All com.redhat.idm.* and org.freeipa.*
scripts are labeled as ipa_helper_exec_t.
* use miscfiles_read_generic_certs() instead of deprecated
miscfiles_read_certs() to address the warning:
```
Warning: miscfiles_read_certs() has been deprecated, please use miscfiles_read_generic_certs() instead.
```
(Also add org.freeipa.server.trust-enable-agent to .gitignore)
Related: https://pagure.io/freeipa/issue/6891
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
7ae1352c by Florence Blanc-Renaud at 2020-03-12T21:48:25+01:00
Support opendnssec 2.1.6
The installation of IPA DNS server is using ods-ksmutil, but
openddnssec 2.1.6 does not ship any more /usr/bin/ods-ksmutil. The tool
is replaced by /usr/sbin/ods-enforcer and /usr/sbin/ods-enforcer-db-setup..
The master branch currently supports fedora 30+, but fedora 30 and 31 are
still shipping opendnssec 1.4 while fedora 32+ is shipping opendnssec 2.1.6.
Because of this, the code needs to check at run-time if the ods-ksmutil
command is available. If the file is missing, the code falls back to
the new ods-enforcer and ods-enforcer-db-setup commands.
This commit defines paths.ODS_ENFORCER and paths.ODS_ENFORCER_DB_SETUP
for all platforms, but the commands are used only if ods-ksmutil is not found.
Fixes: https://pagure.io/freeipa/issue/8214
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
c2e355ae by Florence Blanc-Renaud at 2020-03-12T21:48:25+01:00
Remove the <Interval> from opendnssec conf
In opendnssec 2.1.6, the <Interval> element is not supported in the
configuration file.
Related: https://pagure.io/freeipa/issue/8214
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
b8578281 by Florence Blanc-Renaud at 2020-03-12T21:48:25+01:00
With opendnssec 2, read the zone list from file
With OpenDNSSEC 1.4, the code was using the command
$ ods-ksmutil zonelist export
which printed the zonelist as XML in its output.
With OpenDNSSEC 2, the code is using the command
$ ods-enforcer zonelist export
which prints a message instead:
"Exported zonelist to /etc/opendnssec/zonelist.xml successfully"
The code needs to extract the zonelist file name and read the XML
from the file.
Related: https://pagure.io/freeipa/issue/8214
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
8080bf7b by Florence Blanc-Renaud at 2020-03-12T21:48:25+01:00
Support OpenDNSSEC 2.1: new ods-signer protocol
The communication between ods-signer and the socket-activated process
has changed with OpenDNSSEC 2.1. Adapt ipa-ods-exporter to support also
the new protocol.
The internal database was also modified. Add a wrapper calling the
right code (table names hab=ve changed, as well as table columns).
With OpenDNSSEC the policy also needs to be explicitely loaded after
ods-enforcer-db-setup has been run, with
ods-enforcer policy import
The command ods-ksmutil notify must be replace with ods-enforce flush.
Related: https://pagure.io/freeipa/issue/8214
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
b6865831 by Florence Blanc-Renaud at 2020-03-12T21:48:25+01:00
DnsSecMaster migration: move the call to zonelist export later
When migrating the DNSSec Master to a replica, the setup of
opendnssec is re-using the database and needs to call zonelist
export.
With opendnssec 1.4 this call is done with ods-ksmutil while
opendnssec 2.1 uses ods-enforcer that communicates with
odsenforcerd that is not started yet.
Move the call after ods-enforcerd is started.
Related: https://pagure.io/freeipa/issue/8214
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
682b59c8 by Florence Blanc-Renaud at 2020-03-12T21:48:25+01:00
opendnssec2.1 support: move all ods tasks to specific file
Move all the routines run_ods* from tasks to _ods14 or _ods21 module
Related: https://pagure.io/freeipa/issue/8214
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
4e3a2bd6 by sumenon at 2020-03-12T17:24:33-04:00
ipatests: check that ipa-healthcheck warns if no dna range is set
Added testcase to verify that ipa-healthcheck tool displays a
warning if no DNS range is set. It previously just reported at the
SUCCESS level that no range was set.
Issue: freeipa/freeipa-healthcheck#60
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
44e73428 by Rob Crittenden at 2020-03-12T17:24:33-04:00
Move execution of ipa-healthcheck to a separate function
This removes a lot of duplication and simplifies the test
code.
It returns the command returncode and the JSON data (if any)
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
1eb6a9bf by François Cami at 2020-03-13T15:30:09+01:00
ipa-restore: restart services at the end
When IPA was not installed on the restore target host, and
when httpd was already running, "ipactl stop" does not stop
httpd. "ipactl start" at the end of the restore tool will
therefore not restart httpd either.
Calling "ipactl restart" at the end of the restore fixes the
issue, and as an added bonus, makes sure IPA can restart itself
properly.
Fixes: https://pagure.io/freeipa/issue/8226
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
9c9c6a70 by Stanislav Levin at 2020-03-13T11:27:36-04:00
spec: Take the ownership over '/usr/libexec/ipa/custodia'
Ideally, an every file on system has to have an owner.
'/usr/libexec/ipa/custodia' directory was added recently, but:
```
[root at dc ~]# LANG=C rpm -qf /usr/libexec/ipa/custodia/ipa-custodia-dmldap
freeipa-server-4.8.4-2.fc31.x86_64
[root at dc ~]# LANG=C rpm -qf /usr/libexec/ipa/custodia
file /usr/libexec/ipa/custodia is not owned by any package
```
ALTLinux build system warns about files or directories which were
'created' during a package installation but haven't an owner. So,
after the resyncing spec file to upstream's one my build fails.
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
7a9ac1f5 by Christian Heimes at 2020-03-16T13:04:17+01:00
Allow hosts to read DNS records for IP SAN
For SAN IPAddress extension the cert plugin verifies that the IP address
matches the host entry. Certmonger uses the host principal to
authenticate and retrieve certificates. But the host principal did not
have permission to read DNS entries from LDAP.
Allow all hosts to read some entries from active DNS records.
Fixes: https://pagure.io/freeipa/issue/8098
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
b2ab2863 by Anuja More at 2020-03-17T09:13:16+02:00
ipatests: User and group with same name should not break reading AD user data.
Regression test resolving trusted users and groups should be
successful when there is a user in IPA with the
same name as a group name.
Related: https://pagure.io/SSSD/sssd/issue/4073
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
6018ccaa by Anuja More at 2020-03-17T09:13:16+02:00
Mark test to skip sssd-2.2.2
Test test_ext_grp_with_ldap is marked as skip as
fix for https://pagure.io/SSSD/sssd/issue/4073
unavailable with sssd-2.2.2
Related: https://pagure.io/SSSD/sssd/issue/4073
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
14c9cf99 by Stanislav Levin at 2020-03-18T16:36:36+02:00
pki-proxy: Don't rely on running apache until it's configured
This partially restores the pre-ec73de969f state of `http_proxy`,
which fails to restart the apache service during master
installation. The failure happens because of apache is not
configured yet on 'pki-tomcatd' installation phase. The mentioned
code and proposed one relies on the installer which bootstraps the
master.
Fixes: https://pagure.io/freeipa/issue/8233
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e08f7a9e by Florence Blanc-Renaud at 2020-03-19T10:55:11+01:00
idviews: prevent applying to a master
Custom IDViews should not be applied to IPA master nodes. Add a
check enforcing this rule in idview_apply command.
Fixes: https://pagure.io/freeipa/issue/5662
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
20d601e9 by Florence Blanc-Renaud at 2020-03-19T10:55:11+01:00
xmlrpc tests: add a test for idview-apply on a master
Add a new XMLRPC test trying to apply an IDview:
- to a master
- to a hostgroup containing a master
The command must refuse to apply the IDview to a master node.
Related: https://pagure.io/freeipa/issue/5662
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
2997a74a by Alexander Bokovoy at 2020-03-19T13:27:30+01:00
Prevent adding IPA objects as external members of external groups
The purpose of external groups in FreeIPA is to be able to reference
objects only existing in trusted domains. These members get resolved
through SSSD interfaces but there is nothing that prevents SSSD from
resolving any IPA user or group if they have security identifiers
associated.
Enforce a check that a SID returned by SSSD does not belong to IPA
domain and raise a validation error if this is the case. This would
prevent adding IPA users or groups as external members of an external
group.
RN: Command 'ipa group-add-member' allowed to specify any user or group
RN: for '--external' option. A stricter check is added to verify that
RN: a group or user to be added as an external member does not come
RN: from IPA domain.
Fixes: https://pagure.io/freeipa/issue/8236
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
c77f4213 by sumenon at 2020-03-20T08:20:56+01:00
ipatests: Added testcase to check logrotate is added for healthcheck tool
Issue: freeipa/freeipa-healthcheck#35
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
- - - - -
a55a7222 by Christian Heimes at 2020-03-20T15:18:30+01:00
Integrate ipa_custodia policy
ipa-custodia is an internal service for IPA. The upstream SELinux policy
has a separate module for ipa_custodia. Fold the current policy from
Fedora rawhide into ipa's SELinux policy.
Related: https://pagure.io/freeipa/issue/6891
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d2332243 by Christian Heimes at 2020-03-20T15:18:30+01:00
Move freeipa-selinux dependency to freeipa-common
The SELinux policy defines file contexts that are also used by clients,
e.g. /var/log/ipa/. Make freeipa-selinux a dependency of freeipa-common.
Related: https://pagure.io/freeipa/issue/6891
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
37538624 by Florence Blanc-Renaud at 2020-03-21T07:37:05+02:00
ipatests: wait for SSSD to become online in backup/restore tests
The backup/restore tests are calling 'id admin' after restore
to make sure that the user name can be resolved after a restore.
The test should wait for SSSD backend to become online before
doing any check, otherwise there is a risk that the call to
'id admin' fails.
Fixes: https://pagure.io/freeipa/issue/8228
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
080a5831 by Christian Heimes at 2020-03-21T07:40:33+02:00
Bootstrap Sphinx documentation
Run sphinx-quickstart and include sphinx dependencies.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
- - - - -
d267d434 by Christian Heimes at 2020-03-21T07:40:33+02:00
Introduce FreeIPA
Copied from https://www.freeipa.org/page/About
- - - - -
a4456b01 by Christian Heimes at 2020-03-21T07:40:33+02:00
Include design documentation
- - - - -
a4efb302 by Christian Heimes at 2020-03-21T07:40:33+02:00
Test documentation builds in Azure
- - - - -
f8638e96 by Fraser Tweedale at 2020-03-21T07:40:33+02:00
fix osdc2015 and lca2016 dates
- - - - -
71ec597c by Fraser Tweedale at 2020-03-21T07:40:33+02:00
osdc-freeipa-workshop: add initial workshop modules
- - - - -
64109d5a by Fraser Tweedale at 2020-03-21T07:40:33+02:00
osdc-freeipa-workshop: external authnz module (WIP); minor fixes
- - - - -
96f93687 by Fraser Tweedale at 2020-03-21T07:40:33+02:00
osdc-freeipa-workshop: add rpmfusion instructions
- - - - -
26f4be58 by Fraser Tweedale at 2020-03-21T07:40:33+02:00
sudo make me a sandwich
- - - - -
70ec83dd by Fraser Tweedale at 2020-03-21T07:40:33+02:00
osdc-freeipa-workshop: add mod_auth_gssapi section
- - - - -
ea16b853 by Fraser Tweedale at 2020-03-21T07:40:33+02:00
osdc-freeipa-workshop: add mod_lookup_identity and mod_authnz_pam sections
- - - - -
aafbbd9b by Fraser Tweedale at 2020-03-21T07:40:33+02:00
osdc-freeipa-workshop: selinux and other minor fixes
- - - - -
0417063d by Fraser Tweedale at 2020-03-21T07:40:33+02:00
osdc-freeipa-workshop: remove vagrant-hostmanager steps, add editing notes
- - - - -
c90fabd6 by Fraser Tweedale at 2020-03-21T07:40:33+02:00
osdc-freeipa-workshop: add Vagrantfile clone instructions and curriculum overview
- - - - -
4c5db754 by Fraser Tweedale at 2020-03-21T07:40:33+02:00
osdc-freeipa-workshop: add Windows prep details
- - - - -
1445311e by Fraser Tweedale at 2020-03-21T07:40:33+02:00
osdc-freeipa-workshop: update f22 installation steps
- - - - -
77cb86bc by Fraser Tweedale at 2020-03-21T07:40:33+02:00
osdc-freeipa-workshop: incorporate wibrown\'s feedback
- - - - -
e76d1726 by Fraser Tweedale at 2020-03-21T07:40:33+02:00
osdc-freeipa-workshop: update troubleshooting doc
- - - - -
514f4c29 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
osdc-freeipa-workshop: clarify prep goals and VirtualBox version
- - - - -
fe03beb0 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
osdc-freeipa-workshop: add missing dnf install vagrant
- - - - -
7a865b7f by Fraser Tweedale at 2020-03-21T07:40:34+02:00
osdc-freeipa-workshop: remove definition list of VMs
- - - - -
31676d7c by Fraser Tweedale at 2020-03-21T07:40:34+02:00
osdc-freeipa-workshop: typospotting
- - - - -
69b2fd6f by Fraser Tweedale at 2020-03-21T07:40:34+02:00
osdc-freeipa-workshop: presentation, minor curriculum edits
- - - - -
9c2072c6 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
osdc-freeipa-workshop: support vagrant-libvirt on Fedora
- - - - -
326011da by Fraser Tweedale at 2020-03-21T07:40:34+02:00
osdc-freeipa-workshop: add debian/ubuntu prep instructions
- - - - -
855556e0 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
osdc-freeipa-workshop: add OS X and update Debian/Ubuntu details
- - - - -
32b37185 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
osdc-freeipa-workshop: add certificate management module
- - - - -
a209cb9d by Fraser Tweedale at 2020-03-21T07:40:34+02:00
20151029-osdc-freeipa-workshop: add app.py
- - - - -
37b38ead by zdover at 2020-03-21T07:40:34+02:00
making a list's items agree with one another
- - - - -
dd22a3c2 by zdover at 2020-03-21T07:40:34+02:00
first tranche of edits
- - - - -
2012713c by zdover at 2020-03-21T07:40:34+02:00
thirty percent edited
- - - - -
e8c9efed by zdover at 2020-03-21T07:40:34+02:00
sixty percent edited
- - - - -
39d1715c by zdover at 2020-03-21T07:40:34+02:00
100 percent complete edit
- - - - -
df311568 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
merge (most of) zdover's edits
- - - - -
1723910a by Fraser Tweedale at 2020-03-21T07:40:34+02:00
freeipa-workshop: fix mod_authnz_pam link
- - - - -
fb5ab1d4 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
add copyright notice
- - - - -
73da5802 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
remove proposal
- - - - -
4a48fe31 by Abhijeet at 2020-03-21T07:40:34+02:00
Update workshop.rst
Correction in Windows hosts file path.
- - - - -
638d9862 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
initial commit
- - - - -
3ed5610f by Fraser Tweedale at 2020-03-21T07:40:34+02:00
typospotting
- - - - -
08a96bdf by Fraser Tweedale at 2020-03-21T07:40:34+02:00
enable and start httpd on client
- - - - -
17b87fbc by Fraser Tweedale at 2020-03-21T07:40:34+02:00
workshop: remove references to freeipa-workshop-vagrantfile repo
- - - - -
05ab50a1 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
add vagrant box building instructions
- - - - -
25e55198 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
update to f23
- - - - -
40f6a1b7 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
add replica installation module
- - - - -
73b1b05a by Fraser Tweedale at 2020-03-21T07:40:34+02:00
symlink README to workshop.rst
- - - - -
88b77080 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
add internal links to modules
- - - - -
1e1de65e by Fraser Tweedale at 2020-03-21T07:40:34+02:00
update clone url
- - - - -
73d8f7bb by Fraser Tweedale at 2020-03-21T07:40:34+02:00
update feedback url
- - - - -
f8d94388 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
bump libvirt vm mem to 1G; other fixes
- - - - -
ae56b9a2 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
building: note disk and memory requirements
- - - - -
9cf59656 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
add facilitator notes; remove feedback link
- - - - -
49c48aa9 by Thorsten Scherf at 2020-03-21T07:40:34+02:00
Added vagrant-libvirt-doc rpm and polkit rule
- - - - -
0db3a569 by Thorsten Scherf at 2020-03-21T07:40:34+02:00
Added --mkhomedir option for server and replica.
- - - - -
7f187146 by Thorsten Scherf at 2020-03-21T07:40:34+02:00
Added bash-completion rpm to build instructions.
- - - - -
18c0ef42 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
typospotting
- - - - -
681f8ae5 by Robert Collins at 2020-03-21T07:40:34+02:00
Note sss_cache -E.
- - - - -
2f9c9c87 by Ariel O. Barria at 2020-03-21T07:40:34+02:00
vagrant user does not have permission to write to /etc/resolv.conf
detect through DNS autodiscovery.
- - - - -
65489291 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
updates for FreeIPA 4.3
- - - - -
3be3ca97 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
certs: request SAN DNS name
- - - - -
44b6c2be by Fraser Tweedale at 2020-03-21T07:40:34+02:00
prep: updates for f24, box version 0.0.7
- - - - -
77eea677 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
Change workshop "Modules" to "Units"
Because the term "module" is used in various parts of the curriculum
in a technical context, for clarity refer to the sections of the
curriculum as "units" instead.
- - - - -
0f7a460f by Fraser Tweedale at 2020-03-21T07:40:34+02:00
minor editoral improvements
- - - - -
d14dc294 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
add sudorule unit
- - - - -
7a6b9147 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
add selinuxusermap unit
- - - - -
a097485e by Fraser Tweedale at 2020-03-21T07:40:34+02:00
add sudorule and selinux units to TOC
- - - - -
c14042dc by Thorsten Scherf at 2020-03-21T07:40:34+02:00
Module added about ssh pubkey management
- - - - -
33cd0bb6 by Armando Neto at 2020-03-21T07:40:34+02:00
Update instructions for Fedora 28 / FreeIPA 4.6.90
- - - - -
b6c50da0 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
split workshop into separate files
- - - - -
66ff3675 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
add inter-module links
- - - - -
bc1c5a84 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
add more prerequisites and fix some links
- - - - -
345850eb by Fraser Tweedale at 2020-03-21T07:40:34+02:00
Vagrantfile: set DNS configuration in network-scripts
The Vagrantfile puts the server's address in /etc/resolv.conf but
this configuration will not survive a reboot or network restart.
Add configuration to /etc/sysconfig/network-scripts/ to ensure the
correct resolver is always used.
- - - - -
0678ed56 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
rename certificates module
- - - - -
3a0f8a11 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
lots of minor tweaks and updates
- - - - -
8e0d4bcc by Fraser Tweedale at 2020-03-21T07:40:34+02:00
suggest `ipa help topics`
- - - - -
a2f3088a by Fraser Tweedale at 2020-03-21T07:40:34+02:00
typospotting
- - - - -
8ff19cdb by Fraser Tweedale at 2020-03-21T07:40:34+02:00
add resources section
- - - - -
416d87b9 by Thorsten Scherf at 2020-03-21T07:40:34+02:00
Corrected some typos and added improvements to some setup instructions
- - - - -
3bd27cfe by François Cami at 2020-03-21T07:40:34+02:00
8-sudorule.rst: add sudo and su-l as services for bob's HBAC rule.
Add a note about the behavior change of passwordless sudo
in sudo 1.8.23 and newer.
- - - - -
265d064b by Sam Bristow at 2020-03-21T07:40:34+02:00
Workaround networking issues with Libvirt
Vagrant 2.2 on Fedora 30 enables QEMU Session by default [1] which causes
problems with setting up the private network.
Explicitly telling Vagrant not to use the QEMU session if we're running on
Libvirt is the suggested workaround for now.
[1] https://fedoraproject.org/wiki/Changes/Vagrant_2.2_with_QEMU_Session
- - - - -
acfe34e2 by Alexander Bokovoy at 2020-03-21T07:40:34+02:00
Add unit 11: Kerberos ticket policy
Kerberos ticket policy unit describes ways of control of Kerberos
tickets in FreeIPA with the help of ticket policies.
- - - - -
c4a55522 by Christian Heimes at 2020-03-21T07:40:34+02:00
Fix codestyle
- - - - -
145afd68 by Christian Heimes at 2020-03-21T07:40:34+02:00
Include workshop in sphinx build
- - - - -
a9a225d7 by Christian Heimes at 2020-03-21T07:40:34+02:00
Use m2r instead of recommonmark
recommonmark does not support markdown tables.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
- - - - -
9f2553c6 by Christian Heimes at 2020-03-21T07:42:20+02:00
Add explicit syntax language to code blocks
m2r converts code blocks into ReST code blocks with syntax highlighting.
Auto-detection of the language does not work correctly, though.
Explicitly set the language for console, ini, and Python blocks.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c6a379c4 by Alexander Bokovoy at 2020-03-21T07:57:06+02:00
Move workshop documents to doc/workshop
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
34b961dc by Alexander Bokovoy at 2020-03-21T08:04:45+02:00
Override master document for ReadTheDocs
ReadTheDocs.org engine assumes master document is 'contents.rst', we use
'index.rst'. Specify the master document explicitly.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
452ef8cc by Alexander Bokovoy at 2020-03-21T08:10:31+02:00
Do not force any particular sphinx theme
This allows ReadTheDocs to use own theme.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4a3b7bae by Rob Crittenden at 2020-03-21T09:36:40+01:00
Test that ipa-healthcheck human output translates error strings
The code rather than the string was being displayed in human
output for non-SUCCESS messages. Verify that in case of an error
the right output will be present.
https://bugzilla.redhat.com/show_bug.cgi?id=1752849
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
3aad16a7 by Vit Mojzis at 2020-03-24T10:17:14+02:00
selinux: disable ipa_custodia when installing custom policy
Since ipa_custodia got integrated into ipa policy package, the upstream policy
module needs to be disabled before ipa module installation (in order to be able
to make changes to the ipa_custodia policy definitions).
Upstream ipa module gets overridden automatically because of higher priority of
the custom module, but there is no mechanism to automatically disable
ipa_custodia.
Related: https://pagure.io/freeipa/issue/6891
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
99a62f29 by Serhii Tsymbaliuk at 2020-03-24T10:19:13+02:00
Web UI: Upgrade Bootstrap version 3.3.7 -> 3.4.1
Ticket: https://pagure.io/freeipa/issue/8239
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
9e47799c by Sergey Orlov at 2020-03-24T10:20:39+02:00
ipatests: remove test_ordering
The test_integration/test_ordering.py is a test for pytest_sourceorder
plugin which is not part of freeipa project, it is not an integration test.
The up to date version of this test is available at project repository:
https://pagure.io/python-pytest-sourceorder/blob/master/f/test_sourceorder.py
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e8602b15 by Christian Heimes at 2020-03-24T10:22:18+02:00
Add pytest OpenSSH transport with password
The pytest_multihost transport does not provide password-based
authentication for OpenSSH transport. The OpenSSH command line tool has
no API to pass in a password securely.
The patch implements a custom transport that uses sshpass hack. It is
not recommended for production but good enough for testing.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
92e36258 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
Keep ipa.pot translation file in git for weblate
Weblate tool sends pull requests that update translations directly.
For this to work, we need to keep ipa.pot in the tree.
Fixes: https://pagure.io/freeipa/issue/8159
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
b4722f39 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
Update translation infrastructure
1. Build po/ipa.pot every time we update PO files (each build)
2. Drop any rebuilt PO changes if the only difference is in the
translation file's header in a timestamp or timestamp+bug report
link.
3. Only apply the logic for dropping the changes if we are operating on
a git tree checkout because there is no otherwise an easy way to
detect the changes.
4. Hook strip-po target to the cleanup target to allow dropping unneeded
translation changes automatically.
5. Finally, strip ipaclient/remote_plugins/* locations from the ipa.pot
template. This saves us around 23,000 lines from the ipa.pot file and
reduces visual clutter in the translation files.
This approach allows to avoid unneccesary commits because even when
there are no changes to translation files, po/ipa.pot header would be
updated with a new translation update timestamp.
Fixes: https://pagure.io/freeipa/issue/8159
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
3fc932a2 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update ipa.pot template
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
0be22a6a by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Bengali translation timestamp
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
6cd244da by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Catalan translation timestamp
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
68cc0491 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Czech translation timestamp
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
117893f0 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update German translation
Several translated strings were splitted into smaller ones. The older
translation either is a duplicate of the new one or does not apply
anymore.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
439c488f by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update English (United Kingdom) translation timestamp
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
2859216b by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Spanish translation
Several translated strings were splitted and old translations do not
apply directly anymore.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
e6574914 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Basque translation timestamp
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
1a0232a6 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update French translation
Several translated strings were splitted and old translations do not
apply directly anymore.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
35c1da83 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Hindi translation timestamp
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
f18a4f8d by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Hungarian translation timestamp
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
347d9c78 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Indonesian translation timestamp
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
60d69a87 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Japanese translation timestamp
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
1c30d186 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Kannada translation timestamp
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
0c9066e8 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Marathi translation timestamp
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
7f3cc11a by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Dutch translation timestamp
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
3e636959 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Punjabi translation timestamp
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
047c8cc5 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Polish translation
Several translated strings were splitted and old translations do not
apply directly anymore.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
baf1a721 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Portuguese translation timestamp
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
45dede73 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Portuguese (Brazil) translation timestamp
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
ad3ef9de by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Russian translation
Several translated strings were splitted and old translations do not
apply directly anymore.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
ed55c408 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Slovak translation timestamp
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
e50c2500 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Tajik translation timestamp
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
9fcae159 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Ukrainian translation
Several translated strings were splitted and old translations do not
apply directly anymore.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
42e86692 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Chinese (China) translation
Several translated strings were splitted and old translations do not
apply directly anymore.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
9120d65e by Mohammad Rizwan Yusuf at 2020-03-24T13:49:57+01:00
Test if schema-compat-entry-attribute is set
This is to ensure if said entry is set after installation with AD.
related: https://pagure.io/freeipa/issue/8193
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
- - - - -
312d00df by Mohammad Rizwan Yusuf at 2020-03-24T13:49:57+01:00
Test if schema-compat-entry-attribute is set
This is to ensure if said entry is set after installation.
It also checks if compat tree is disable.
related: https://pagure.io/freeipa/issue/8193
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
- - - - -
aae30eb7 by Sergey Orlov at 2020-03-24T18:26:03+01:00
ipatests: provide AD admin password when trying to establish trust
`ipa trust-add --password` command requires that user provides a password..
Related to: https://pagure.io/freeipa/issue/7895
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
0711c4a0 by Fraser Tweedale at 2020-03-25T11:13:03+11:00
certmonger: avoid mutable default argument
certmonger._get_requests has a mutable default argument. Although
at the present time it is never modified, this is an antipattern to
be avoided.
In fact, we don't even need the default argument, because it is
always called with a dict() argument. So just remove it.
Part of: https://pagure.io/freeipa/issue/8186
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e0fb3816 by Fraser Tweedale at 2020-03-25T11:13:03+11:00
certmonger: move 'criteria' description to module docstring
The 'criteria' parameter is used by several subroutines in the
ipalib.install.certmonger module. It has incomplete documentation
spread across several of these subroutines. Move the documentation
to the module docstring and reference it where appropriate.
Part of: https://pagure.io/freeipa/issue/8186
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
18ebd111 by Fraser Tweedale at 2020-03-25T11:13:03+11:00
certmonger: support dnsname as request search criterion
We need to be able to filter Certmonger tracking requests by the DNS
names defined for the request. The goal is to add the
'ipa-ca.$DOMAIN' alias to the HTTP certificate tracking requests, so
we will use that name as a search criterion. Implement support for
this.
As a result of this commit it will be easy to add support for subset
match of other Certmonger request list properties. Just add the
property name to the ARRAY_PROPERTIES list (and update the
'criteria' description in the module docstring!)
Part of: https://pagure.io/freeipa/issue/8186
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
4cf9c868 by Fraser Tweedale at 2020-03-25T11:13:03+11:00
httpinstance: add fqdn and ipa-ca alias to Certmonger request
BACKGROUND:
We are implementing ACME support in FreeIPA (umbrella ticket:
https://pagure.io/freeipa/issue/4751). ACME is defined in RFC 8555.
HTTPS is REQUIRED (https://tools.ietf.org/html/rfc8555#section-6.1).
Therefore, every FreeIPA server that provides the ACME service
capability must be reachable by HTTPS.
RFC 8555 does not say anything about which port to use for ACME.
The default HTTPS port of 443 is implied. Therefore, the FreeIPA
ACME service will be reached via the Apache httpd server, which will
be the TLS server endpoint.
As a usability affordance for ACME clients, and as a maintainability
consideration i.e. to allow the topology to change without having to
reconfigure ACME clients, there should be a a single DNS name used
to reach the IPA ACME service.
The question then, is which DNS name to use.
REQUIREMENTS:
Each FreeIPA server that is also an ACME server must:
1. Be reachable via a common DNS name
2. Have an HTTP service certificate with that DNS name as a SAN
dNSName value
DESIGN CONSIDERATION - WHAT DNS NAME TO USE?:
Some unrelated FreeIPA ACME design decisions provide important
context for the DNS name decision:
- The ACME service will be automatically and unconditionally
deployed (but not necessarily *enabled*) on all CA servers.
- Enabling or disabling the ACME service will have topology-wide
effect, i.e. the ACME service is either enabled on all CA
servers, or disabled on all CA servers.
In a CA-ful FreeIPA deployment there is already a DNS name that
resolves to all CA servers: ``ipa-ca.$DOMAIN``, e.g.
``ipa-ca.example.com``. It is expected to point to all CA servers
in the deployment, and *only* to CA servers. If internal DNS is
deployed, the DNS records for ``ipa-ca.$DOMAIN`` are created and
updated automatically. If internal DNS is not deployed,
administrators are required to maintain these DNS records
themselves.
The ``ipa-ca.$DOMAIN`` alias is currently used for OCSP and CRL
access. TLS is not required for these applications (and it can
actually be problematic for OCSP). Enabling TLS for this name
presents some risk of confusion for operators. For example, if they
see that TLS is available and alter the certificate profiles to
include an HTTPS OCSP URL in the Authority Information Access (AIA)
extension, OCSP-using clients may fail to validate such
certificates. But it is possible for administrators to make such a
change to the profile, whether or not HTTPS is available.
One big advantage to using the ``ipa-ca.$DOMAIN`` DNS name is that
there are no new DNS records to manage, either in the FreeIPA
implementation or for administrators in external DNS systems.
The alternative approach is to define a new DNS name, e.g.
``ipa-acme.$DOMAIN``, that ACME clients would use. For internal
DNS, this means the FreeIPA implementation must manage the DNS
records. This is straightforward; whenever we add or remove an
``ipa-ca.$DOMAIN`` record, also add/remove the ``ipa-acme.$DOMAIN``
record. But for CA-ful deployments using external DNS, it is
additional work for adminstrators and, unless automated, additional
room for error.
An advantage of using a different DNS name is ``ipa-ca.$DOMAIN`` can
remain inaccessible over HTTPS. This possibly reduces the risk of
administrator confusion or creation of invalid AIA configuration in
certificate profiles.
Weighing up the advantages and disadvantages, I decided to use the
``ipa-ca.$DOMAIN`` DNS name.
DESIGN CONSIDERATION - CA SERVERS, OR ALL SERVERS?:
A separate decision from which name to use is whether to include it
on the HTTP service certificate for ACME servers (i.e. CA servers)
only, or on all IPA servers.
Combined with the assumption that the chosen DNS name points to CA
servers *only*, there does not seem to be any harm in adding it to
the certificates on all IPA servers.
The alternative is to only include the chosen DNS name on the HTTP
service certificates of CA servers. This approach entails some
additional complexity:
- If a non-CA replica gets promoted to CA replica (i.e. via
``ipa-ca-install``), its HTTP certificate must be re-issued with
the relevant name.
- ipa-server-upgrade code must consider whether the server is a CA
replica when validating (and if necessary re-creating) Certmonger
tracking requests
- IPA Health Check must be made aware of this factor when checking
certificates and Certmonger tracking requests.
Weighing up the options, I decided to add the common DNS name to the
HTTP service certificate on all IPA servers. This avoids the
implementation complexity discussed above.
CHANGES IN THIS COMMIT
When (re-)tracking the HTTP certificate, explicitly add the server
FQDN and ipa-ca.$DOMAIN DNS names to the Certmonger tracking request.
Related changes follow in subsequent commits.
Part of: https://pagure.io/freeipa/issue/8186
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
f7c45641 by Fraser Tweedale at 2020-03-25T11:13:03+11:00
cert-request: allow ipa-ca.$DOMAIN dNSName for IPA servers
For detailed discussion on the purpose of this change and the design
decisions made, see `git log -1 $THIS_COMMIT~1`.
ACME support requires TLS and we want ACME clients to access the
service via the ipa-ca.$DOMAIN DNS name. So we need to add the
ipa-ca.$DOMAIN dNSName to IPA servers' HTTP certificates. To
facilitiate this, add a special case to the cert-request command
processing. The rule is:
- if the dnsName being validated is "ipa-ca.$DOMAIN"
- and the subject principal is an "HTTP/..." service
- and the subject principal's hostname is an IPA server
Then that name (i.e. "ipa-ca.$DOMAIN") is immediately allowed.
Otherwise continue with the usual dnsName validation.
Part of: https://pagure.io/freeipa/issue/8186
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
4d5b5a90 by Fraser Tweedale at 2020-03-25T11:13:03+11:00
httpinstance: add ipa-ca.$DOMAIN alias in initial request
For detailed discussion on the purpose of this change and the design
decisions made, see `git log -1 $THIS_COMMIT~2`.
For new server/replica installation, issue the HTTP server
certificate with the 'ipa-ca.$DOMAIN' SAN dNSName. This is
accomplished by adding the name to the Certmonger tracking request.
Part of: https://pagure.io/freeipa/issue/8186
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
cf4c2c64 by Fraser Tweedale at 2020-03-25T11:13:03+11:00
upgrade: add ipa-ca.$DOMAIN alias to HTTP certificate
For detailed discussion on the purpose of this change and the design
decisions made, see `git log -1 $THIS_COMMIT~3`.
If the HTTP certificate does not have the ipa-ca.$DOMAIN dNSName,
resubmit the certificate request to add the name. This action is
performed after the tracking request has already been updated.
Note: due to https://pagure.io/certmonger/issue/143, the resubmitted
request, if it does not immediately succeed (fairly likely during
ipa-server-upgrade) and if the notAfter date of the current cert is
still far off (also likely), then Certmonger will wait 7 days before
trying again (unless restarted). There is not much we can do about
that in the middle of ipa-server-upgrade.
Part of: https://pagure.io/freeipa/issue/8186
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
45b5384b by Fraser Tweedale at 2020-03-25T11:13:03+11:00
ipatests: check HTTP certificate contains ipa-ca.$DOMAIN dnsname
Add integration test that confirms that on CA-ful installation, the
(non-3rd-party) HTTP certificate bears the ipa-ca.$DOMAIN DNS name.
For detailed discussion on the purpose of this change and the design
decisions made, see `git log -1 $THIS_COMMIT~4`.
Part of: https://pagure.io/freeipa/issue/8186
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c1c45df4 by Alexander Bokovoy at 2020-03-25T09:39:01+02:00
ipatests: always skip additional input for group-add-member --external
'ipa group-add-member groupname --external some-object' will attempt to
ask interactive questions about other optional parameters (users and
groups) if only external group member was specified. This leads to a
timeout in the tests as there is no input provided.
Do not wait for the entry that would never come by using 'ipa -n'..
Related: https://pagure.io/freeipa/issue/8236
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
e913fdc8 by Christian Heimes at 2020-03-25T09:52:59+02:00
SELinux: apache_manage_pid_files for F30
SELinux policy on F30 doesn't have the interface
apache_manage_pid_files(). Define the interface conditionally.
Fixes: https://pagure.io/freeipa/issue/8241
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
38204856 by Alexander Bokovoy at 2020-03-25T10:11:48+01:00
Fix indentation levels
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
8c191ddf by Alexander Bokovoy at 2020-03-25T10:11:48+01:00
ipatests: allow changing sysaccount passwords as cn=Directory Manager
Extend ldappasswd_sysaccount_change() helper to allow changing
passwords as a cn=Directory Manager.
Related to: https://pagure.io/freeipa/issue/7181
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
a620ac0f by Alexander Bokovoy at 2020-03-25T10:11:48+01:00
ipatests: test sysaccount password change with a password policy applied
ipa-pwd-extop plugin had a bug which prevented a cn=Directory Manager
to change a password to a value that is not allowed by an associated
password policy. Password policy checks should not apply to any
operations done as cn=Directory Manager.
The test creates a system account with associated policy that prevents
password reuse. It then goes to try to change a password three times:
- as a user: must succeeed
- as a cn=Directory Manager: must succeed even with a password re-use
- as a user again: must fail due to password re-use
Related: https://pagure.io/freeipa/issue/7181
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
527f30be by Alexander Bokovoy at 2020-03-25T10:11:48+01:00
ipa-pwd-extop: use SLAPI_BIND_TARGET_SDN
SLAPI_BIND_TARGET_DN is deprecated since 2011 by 389-ds team,
see commit f6397113666f06848412bb12f754f04258cfa5fa in 389-ds:
https://pagure.io/389-ds-base/c/f6397113666f06848412bb12f754f04258cfa5fa?branch=master
Use SLAPI_BIND_TARGET_SDN instead and move internal ipa-pwd-extop
helpers to accept Slapi_DN references rather than strings.
Related: https://pagure.io/freeipa/issue/7181
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
d9c41df6 by Alexander Bokovoy at 2020-03-25T10:11:48+01:00
ipa-pwd-extop: don't check password policy for non-Kerberos account set by DM or a passsync manager
Password changes performed by cn=Directory Manager are excluded from
password policy checks according to [1]. This is correctly handled by
ipa-pwd-extop in case of a normal Kerberos principal in IPA. However,
non-kerberos accounts were not excluded from the check.
As result, password updates for PKI CA admin account in o=ipaca were
failing if a password policy does not allow a password reuse. We are
re-setting the password for PKI CA admin in ipa-replica-prepare in case
the original directory manager's password was updated since creation of
`cacert.p12`.
Do password policy check for non-Kerberos accounts only if it was set by
a regular user or admin. Changes performed by a cn=Directory Manager and
passsync managers should be excluded from the policy check.
Fixes: https://pagure.io/freeipa/issue/7181
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
[1] https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/user_account_management-managing_the_password_policy
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
132a0f87 by Rob Crittenden at 2020-03-25T10:11:48+01:00
Don't save password history on non-Kerberos accounts
While other password policies were properly ignored the password
history was always being saved if the global history size was
non-zero.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
ff6984e2 by Rob Crittenden at 2020-03-25T10:11:48+01:00
Add ability to change a user password as the Directory Manager
This is to confirm that the Directory Manager is not affected by
password policy.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
89066892 by Rob Crittenden at 2020-03-25T10:11:48+01:00
Test that pwpolicy only applied on Kerberos entries
Also test that a normal user has password history enforcement
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
ac5cb426 by Christian Heimes at 2020-03-25T14:44:52+01:00
po: fix LINGUAS to use whitespace separation
The po/LINGUAS file contains a list of all avilable translations.
According to the GNU gettext documentation it's is a whitespace
separated list. Our LINGUAS file used newline separated list with inline
comments. This conflicts with weblate automation.
Fixes: https://pagure.io/freeipa/issue/8159
See: https://www.gnu.org/software/gettext/manual/html_node/po_002fLINGUAS.html
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d07da417 by Mohammad Rizwan Yusuf at 2020-03-25T15:18:57+01:00
ipatests: Skip test using paramiko when FIPS is enabled
Test used paramiko to connect to the master from controller.
Hence skip if FIPS is enabled
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
f9804558 by François Cami at 2020-03-26T13:18:14+01:00
ipatests: test_replica_promotion.py: test KRA on Hidden Replica
The Hidden replica tests did not test what happened when KRA was
installed on a hidden replica and then other KRAs instantiated from
this original one. Add a test scenario that covers this.
Related: https://pagure.io/freeipa/issue/8240
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
77ed0918 by Alexander Bokovoy at 2020-03-28T19:55:10+01:00
Remove Fedora repository fastmirror selection
Fast mirror selection somehow stopped working. If disabled, the
difference is around 20 seconds for the 'Prepare build environment' step
(2:49 versus 3:09), so while we are saving, currently it is not a lot.
Also remove explicit nodejs stream choice, it seems to be not needed
anymore (again).
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
ee80d0db by François Cami at 2020-03-28T19:55:10+01:00
pr-ci templates: update test_fips timeouts
test_fips takes between 45 and ~80 mins to run.
The templates' timeout was 3600s which is too short for
successful execution. 7200s should do.
Fixes: https://pagure.io/freeipa/issue/8247
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
58ad7b74 by Sumedh Sidhaye at 2020-03-30T15:07:48-04:00
Test to check if Certmonger tracks certs in between reboots/interruptions and while in "CA_WORKING" state
When a resubmit request is submitted an "invalid cookie"
error message is no longer shown
Earlier an "invlaid cookie" error message was shown when getcert list was called.
The fix allows an empty cookie in dogtag-ipa-ca-renew-agent-submit
Pagure Issue: https://pagure.io/freeipa/issue/8164
Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>
Fixup for test to verify that POLL will not error out on cookie
Author: Rob Crittenden <rcritten at redhat.com>
Date: Tue Mar 24 15:30:38 2020 -0400
Fixed review comments
Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
01b207bc by Alexander Bokovoy at 2020-03-31T09:21:37+03:00
Add 'api' and 'aci' targets to make
'makeapi' and 'makeaci' has to be run in a particular environment that
forces IPA Python modules from the source tree used instead of what
might be installed system-wide.
Create 'make api' and 'make aci' targets to provide easy access to them.
Make sure we run Python interpreter with PYTHONPATH set to force use of
the source tree.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
6472a107 by Alexander Bokovoy at 2020-03-31T09:21:37+03:00
Allow rename of a host group
RN: host groups can now be renamed with IPA CLI:
RN: 'ipa hostgroup-mod group-name --rename new-name'.
RN: Protected hostgroups ('ipaservers') cannot be renamed.
Fixes: https://pagure.io/freeipa/issue/6783
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
fd9f1b3d by sumenon at 2020-03-31T11:52:42-04:00
Test for ipahealthcheck.ipa.idns check when integrated DNS is setup
This testcase compares the output of ipahealtcheck.ipa.dns check
with the SRV records displayed by 'ipa dns-update-system-records --dry-run'
command executed on IPA server with integrated DNS setup.
https://bugzilla.redhat.com/show_bug.cgi?id=1695125
Signed-off-by: sumenon <sumenon at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
3a9b66b5 by François Cami at 2020-04-01T12:09:16+02:00
ipatests: test ipa-backup with different role configurations.
ipa-backup should refuse to execute if the local IPA server does not
have all the roles used in the cluster.
A --disable-role-check knob should also be provided to bypass the
check.
Add an integration test for the new behavior and the knob.
Related: https://pagure.io/freeipa/issue/8217
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
9324bba6 by François Cami at 2020-04-01T12:09:16+02:00
test_backup_and_restore: add server role verification steps
Add calls to "ipa server-role" to check whether the server role
changes are applied before calling ipa-backup.
Related: https://pagure.io/freeipa/issue/8217
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
3665ba92 by François Cami at 2020-04-01T12:09:16+02:00
ipa-backup: Make sure all roles are installed on the current master.
ipa-backup does not check whether the IPA master it is running on has
all used roles installed. This can lead into situations where backups
are done on a CAless or KRAless host while these roles are used in the
IPA cluster. These backups cannot be used to restore a complete cluster.
With this change, ipa-backup refuses to execute if the roles installed
on the current host do not match the list of roles used in the cluster.
A --disable-role-check knob is provided to restore the previous behavior.
Fixes: https://pagure.io/freeipa/issue/8217
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
5e44fc80 by Sergey Orlov at 2020-04-01T14:34:40+02:00
ipatests: add test_fips to testing-fedora nightly run
test_integration/test_fips.py was missing in nightly_latest_testing.yaml
for no obvious reason.
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
e9273968 by Sergey Orlov at 2020-04-01T14:34:40+02:00
ipatests: add test_automember to "previous" nightly run
test_integration/test_smb.py was missing in nightly_previous.yaml
for no obvious reason.
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
a2dee05b by Sergey Orlov at 2020-04-01T14:34:40+02:00
ipatests: add AD DC as a DNS forwarder before establishing trust
"ipa trust-add" was not able to establish trust because it could not
find the AD domain controller.
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
98b6326a by Sergey Orlov at 2020-04-01T14:34:40+02:00
ipatests: explicitly save output of certutil
The test setup was failing because output redirection does not work in
run_command() when specifued as list element.
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
b8e1a7d5 by Sergey Orlov at 2020-04-01T14:34:40+02:00
ipatests: run all cases from test_integration/test_idviews.py in nightlies
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
99a322a4 by Sergey Orlov at 2020-04-01T14:34:40+02:00
ipatests: run test_integration/test_cert.py in PR-CI
Execute test_integration/test_cert.py test in gating and generic
nightly test runs
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
1c4aa66b by Sergey Orlov at 2020-04-01T14:34:40+02:00
ipatests: add missing classes from test_installation in nightly runs
The following test classes were missing in all nightly definitions:
* TestADTrustInstall
* TestADTrustInstallWithDNS_KRA_ADTrust
* TestKRAinstallAfterCertRenew
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
9b3c3202 by Sergey Orlov at 2020-04-01T14:34:40+02:00
ipatests: add missing classes from test_nfs in nightly_previous run
Test class test_integration/test_nfs.py::TestIpaClientAutomountFileRestore
was missing in nightly_previous.yaml
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
a02df530 by Mohammad Rizwan Yusuf at 2020-04-02T14:30:52+02:00
ipatests:Test if proper error thrown when AD user tries to run IPA commands
Before fix the error used to implies that the ipa setup is broken.
Fix is to throw the proper error. This test is to check that the
error with 'Invalid credentials' thrown when AD user tries to run
IPA commands.
related: https://pagure.io/freeipa/issue/8163
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
0fb0d2f1 by François Cami at 2020-04-02T16:10:27+02:00
pr-ci templates: update test_fips timeouts
test_fips takes between 45 and ~80 mins to run.
The templates' timeout was 3600s which is too short for
successful execution. 7200s should do.
Fixes: https://pagure.io/freeipa/issue/8247
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
d8135b73 by Sergey Orlov at 2020-04-03T11:15:57+02:00
ipatests: add test for sssd behavior with disabled trustdomains
When a trusted subdomain is disabled in ipa, users from this domain
should not be able to access ipa resources.
Related to: https://pagure.io/SSSD/sssd/issue/4078
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
b238812b by Sergey Orlov at 2020-04-03T11:15:57+02:00
update prci definitions for test_sssd.py
The test now requires AD domain + subdomain
Related to: https://pagure.io/SSSD/sssd/issue/4078
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
3ae0d0d7 by Sergey Orlov at 2020-04-03T11:15:57+02:00
ipatests: add utility for getting sssd version on remote host
This function should be used to conditionally skip tests or
mark them xfail when installed version of sssd does not yet contain
patch for the tested issue.
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
84c94f73 by Sergey Orlov at 2020-04-03T11:15:57+02:00
ipatests: add context manager for declaring part of test as xfail
This function provides functionality similar to pytest.mark.xfail
but for a block of code instead of the whole test function. This has
two benefits:
1) you can mark single line as expectedly failing without suppressing
all other errors in the test function
2) you can use conditions which can not be evaluated before the test start.
The check is always done in "strict" mode, i.e. if test is expected to
fail but succeeds then it will be marked as failing.
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
26233c88 by Sergey Orlov at 2020-04-03T11:15:57+02:00
ipatests: mark test_trustdomain_disable test as expectedly failing
The fix for issue https://pagure.io/SSSD/sssd/issue/4078 have not landed
Fedora 30 version yet.
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
f5f960ed by Michal Polovka at 2020-04-03T08:32:20-04:00
Test for output being indented by default value if not stated implicitly.
Test checks whether output json-line string is indented by default value
if this value is not stated implicitly. Test compares healthcheck
produced json-like string with manually indented one.
Automates: 02272ff39d76f1412483c5e3289564c93d196a03
Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
a087fd92 by François Cami at 2020-04-06T16:53:31+02:00
ipatests: move ipa_backup to tasks
* tasks had an ipa_backup() method that was not used anywhere.
* test_backup_and_restore had a backup() method that used to return
both the path to the backup and the whole result from run_command ;
The path to the backup can be determined from the result.
Clean up:
* move test_backup_and_restore.backup to tasks.ipa_backup, replacing
the unused method.
* add tasks.get_backup_dir(host) which runs ipa-backup on host and
returns the path to the backup directory.
* adjust test_backup_and_restore and test_replica_promotion.
Related: https://pagure.io/freeipa/issue/8217
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
3022bb5f by Rob Crittenden at 2020-04-06T12:54:20-04:00
Perform baseline healthcheck
Run healthcheck on a default installation and ensure that there
are no failures. This test ensures that a fresh IPA installation
will pass healthcheck.
https://bugzilla.redhat.com/show_bug.cgi?id=1774032
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
aa5a3336 by Stanislav Levin at 2020-04-07T15:22:47-04:00
Azure: Allow distros to install Python they want
The platforms may have different Pythons.
But due to [0] the Python installed via the 'UsePythonVersion at 0'
task should be compatible with the container's 'libpythonxx.so'.
'AZURE_PYTHON_VERSION' platform variable is introduced to cover
this. So, if your distro has Python3.8, set the mentioned variable
to '3.8', later, this version will be installed by the
'UsePythonVersion at 0' Azure task for 'WebUI_Unit_Tests' and 'Tox'
jobs.
To allow tox to run any Python3 environment the 'py3' one is used..
'py3' is the well-known Tox's environment, which utilizes 'python3'
executable.
[0]: https://github.com/microsoft/azure-pipelines-tasks/issues/11070
Fixes: https://pagure.io/freeipa/issue/8254
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
d1b53ded by Stanislav Levin at 2020-04-08T11:27:45+03:00
Azure: Gather coredumps
Applications may crash.
If a crash happens on a remote system during CI run it's sometimes
very hard to understand the reason. The most important means to
analyze such is a stack trace. It's also very important to check
whether there was a core dump or not, even a test passed.
For Docker environment, the core dumps are collected by the host's
systemd-coredump, which knows nothing about such containers (for
now). To build an informative thread stack trace debuginfo packages
should be installed. But they can't be installed on the host OS
(ubuntu), That's why after all the tests completed an additional
container should be up and the host's core dumps and host's journal
should be passed into it.
Even if there weren't enough debuginfo packages at CI-runtime, the
core dump could be analyzed locally later.
Fixes: https://pagure.io/freeipa/issue/8251
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
3985183d by Sam Morris at 2020-04-08T14:17:31+03:00
Debian: write out only one CA certificate per file
ca-certificates populates /etc/ssl/certs with symlinks to its input
files and then runs 'openssl rehash' to create the symlinks that libssl
uses to look up a CA certificate to see if it is trused.
'openssl rehash' ignores any files that contain more than one
certificate: <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945274>.
With this change, we write out trusted CA certificates to
/usr/local/share/ca-certificates/ipa-ca, one certificate per file.
The logic that decides whether to reload the store is moved up into the
original `insert_ca_certs_into_systemwide_ca_store` and
`remove_ca_certs_from_systemwide_ca_store` methods. These methods now
also handle any exceptions that may be thrown while updating the store.
The functions that actually manipulate the store are factored out into
new `platform_{insert,remove}_ca_certs` methods, which implementations
must override.
These new methods also orchestrate the cleanup of deprecated files (such
as `/etc/pki/ca-trust/source/anchors/ipa-ca.crt`), rather than having
the cleanup code be included in the same method that creates
`/etc/pki/ca-trust/source/ipa.p11-kit`.
As well as creating `/usr/local/share/ca-certificates/ipa-ca`, Debian
systems will now also have
`/usr/local/share/ca-certificates/ipa.p11-kit` be created. Note that
`p11-kit` in Debian does not use this file.
Fixes: https://pagure.io/freeipa/issue/8106
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ba162b9b by Stanislav Levin at 2020-04-08T16:33:35+02:00
ipatests: Mark firewalld commands as no-op on non-firewalld distros
The FreeIPA integration tests strictly require Firewalld.
But not all the distros have such or any other high-level tool
for managing a firewall. Thus, to run integration tests on such systems
NoOpFirewall class has been added, which provides no-op firewalld
commands.
Fixes: https://pagure.io/freeipa/issue/8261
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>
- - - - -
8a793b7d by François Cami at 2020-04-09T09:08:57+03:00
ipatests: increase test_ipahealthcheck timeout
test_ipahealthcheck tends to take more than 3600s to run.
Increate timeout to 4800s.
Fixes: https://pagure.io/freeipa/issue/8262
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
dbf5df4a by Alexander Bokovoy at 2020-04-14T12:36:01+03:00
CVE-2020-1722: prevent use of too long passwords
NIST SP 800-63-3B sets a recommendation to have password length upper bound limited in A.2:
https://pages.nist.gov/800-63-3/sp800-63b.html#appA
Users should be encouraged to make their passwords as lengthy as they
want, within reason. Since the size of a hashed password is independent
of its length, there is no reason not to permit the use of lengthy
passwords (or pass phrases) if the user wishes. Extremely long passwords
(perhaps megabytes in length) could conceivably require excessive
processing time to hash, so it is reasonable to have some limit.
FreeIPA already applied 256 characters limit for non-random passwords
set through ipa-getkeytab tool. The limit was not, however, enforced in
other places.
MIT Kerberos limits the length of the password to 1024 characters in its
tools. However, these tools (kpasswd and 'cpw' command of kadmin) do not
differentiate between a password larger than 1024 and a password of 1024
characters. As a result, longer passwords are silently cut off.
To prevent silent cut off for user passwords, use limit of 1000
characters.
Thus, this patch enforces common limit of 1000 characters everywhere:
- LDAP-based password changes
- LDAP password change control
- LDAP ADD and MOD operations on clear-text userPassword
- Keytab setting with ipa-getkeytab
- Kerberos password setting and changing
Fixes: https://pagure.io/freeipa/issue/8268
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-by: Simo Sorce <ssorce at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>
- - - - -
306adf6b by François Cami at 2020-04-14T14:11:11+02:00
ipatests: increase test_webui_server timeout
test_webui_server tends to take more than 3600s to run.
Increase timeout to 7200s.
Fixes: https://pagure.io/freeipa/issue/8266
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
bdf11371 by Christian Heimes at 2020-04-15T18:48:50+02:00
Use /run and /run/lock instead of /var
Also add runstatedir autoconf var. IPA requires autoconf 2.59. The
variable will be available with autoconf 2.70.
Fixes: https://pagure.io/freeipa/issue/8272
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3e8c5192 by Stasiek Michalski at 2020-04-15T18:50:45+02:00
Support for SUSE/openSUSE ipaplatform
Co-authored-by: Howard Guo <hguo at suse.com>
Co-authored-by: Daniel Molkentin <dmolkentin at suse.com>
Co-authored-by: Marcus Rückert <darix at nordisch.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
7ac60a87 by Florence Blanc-Renaud at 2020-04-16T14:01:03+02:00
Man pages: fix syntax issues
Fix the syntax in ipa-cacert-manage.1 and default.conf.5
Fixes: https://pagure.io/freeipa/issue/8273
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
3a64ac08 by Michal Polovka at 2020-04-17T08:54:13-04:00
Test for healthcheck being run on replica with stopped master
Test checks whether healthcheck reports only that master is stopped
with no other false positives when services on IPA master are stopped.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1727900
Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
2c54609d by Mohammad Rizwan Yusuf at 2020-04-20T08:44:00-04:00
ipatests: Test to check password leak in apache error log
Host enrollment with OTP used to log the password in cleartext
to apache error log. This test ensures that the password should
not be log in cleartext.
related: https://pagure.io/freeipa/issue/8017
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ffb1db56 by Stanislav Levin at 2020-04-21T13:24:50+02:00
ipatests: Bump required Pytest
Ipatests utilize the 'timeout' arg for 'testdir.run()', which is
available since Pytest 3.9.1 [0]
[0]: https://github.com/pytest-dev/pytest/issues/4073
Fixes: https://pagure.io/freeipa/issue/8101
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
d67846fa by Stanislav Levin at 2020-04-21T13:24:50+02:00
ipatests: Remove deprecated yield_fixture
'yield_fixture' is deprecated since Pytest3 [0].
FreeIPA requires at least 3.9.1. So, it can be safely removed.
[0]: https://docs.pytest.org/en/latest/yieldfixture.html
Fixes: https://pagure.io/freeipa/issue/8101
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
be6ac7d4 by Stanislav Levin at 2020-04-21T13:24:50+02:00
ipatests: Remove no longer needed 'get_marker'
'get_marker' was a compat shim for Pytest < 3.6.
Since the requred Pytest is 3.9.1+, the workaround can be
removed.
Fixes: https://pagure.io/freeipa/issue/8101
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
f6b088ef by Stanislav Levin at 2020-04-21T13:24:50+02:00
ipatests: Remove no longer needed 'capture' compatibility
Since the required Pytest is 3.9.1+, old Pytest compat code can
be removed.
Fixes: https://pagure.io/freeipa/issue/8101
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
18500a3d by Stanislav Levin at 2020-04-21T13:24:50+02:00
ipatests: Remove no longer needed 'skip' compatibility
Since the required Pytest is 3.9.1+ the compat 'pytest.skip'
for Pytest < 3 can be removed.
Fixes: https://pagure.io/freeipa/issue/8101
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
6d8d1670 by Stanislav Levin at 2020-04-21T13:24:50+02:00
ipatests: Specify Pytest XML report schema
Pytest 5.2+ warns if tests XML report is generated but its format (schema)
is not explicitly specified:
```
/root/.local/lib/python3/site-packages/_pytest/junitxml.py:417
/root/.local/lib/python3/site-packages/_pytest/junitxml.py:417: PytestDeprecationWarning: The 'junit_family' default value will change to 'xunit2' in pytest 6.0.
Add 'junit_family=xunit1' to your pytest.ini file to keep the current format in future versions of pytest and silence this warning.
_issue_warning_captured(deprecated.JUNIT_XML_DEFAULT_FAMILY, config.hook, 2)
```
For example, xunit2 is used by jenkins and Pytest strictly conforms its
schema [0]. Pytest's xunit1, in turn, allows to attach user fields to
report.
The only known client of IPA tests results is Azure. Azure supports
[1] JUnit, which is likely the same as Pytest's xunit1, while Azure's
xUnit2 is actually xUnit.net v2. This means that Azure supports (in
one form or another) Pytest's both xunit1 and xunit2 as JUnit.
[0]: https://github.com/jenkinsci/xunit-plugin/blob/xunit-2.3.2/src/main/resources/org/jenkinsci/plugins/xunit/types/model/xsd/junit-10.xsd
[1]: https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/test/publish-test-results?view=azure-devops&tabs=yaml
Fixes: https://pagure.io/freeipa/issue/8101
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
97439570 by Stanislav Levin at 2020-04-21T13:24:50+02:00
ipatests: Specify shell implementation
The shell command line options and parameters used there are bash-
specific. This results in an error on attempting of running
'ipa-run-tests' on systems where '/bin/sh' is pointing to another
shell, for example, dash on Ubuntu.
Fixes: https://pagure.io/freeipa/issue/8101
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
51d15176 by François Cami at 2020-04-21T14:59:02+02:00
Makefile.am: add doclint to fastcheck
Add doclint to fastcheck so that documentation syntax issues
are caught sooner (before they hit CI).
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
7558e141 by François Cami at 2020-04-21T14:59:02+02:00
doc/Makefile: use sphinx-build -W by default
Use -W with sphinx-build by default to turn warnings into errors.
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
10aaef03 by Serhii Tsymbaliuk at 2020-04-21T19:03:23+02:00
Web UI: Upgrade Dojo version 1.13.0 -> 1.16.2
- upgrade dojo.js bundle
- fix prepare-dojo.sh
- update Dojo version in package.json (reference purpose only)
Ticket: https://pagure.io/freeipa/issue/8222
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
e881e357 by Christian Heimes at 2020-04-21T21:37:06+02:00
Fix various OpenDNSSEC 2.1 issues
Require OpenDNSSEC 2.1.6-5 with fix for RHBZ#1825812 (DAC override AVC)
Allow ipa-dnskeysyncd to connect to enforcer.sock (ipa_dnskey_t write
opendnssec_var_run_t and connectto opendnssec_t). The
opendnssec_stream_connect interface is available since 2016.
Change the owner of the ipa-ods-exporter socket to ODS_USER:ODS_GROUP.
The ipa-ods-exporter service already runs as ODS_USER.
Fixes: https://pagure.io/freeipa/issue/8283
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
1717b5b0 by Christian Heimes at 2020-04-22T09:47:14+02:00
Improve Sphinx building and linting
Run sphinx-builder with -W (fail on error), --keep-going, and -j auto.
Auto-job scaling speeds up sphinx-builder a LOT.
Add make lint target to doc/Makefile. The -E and -a option ensure that
all files are always re-read and rewritten.
Add option to run sphinx-builder from a virtual env that mimics RTD
builds closer than Fedora packages.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>
- - - - -
29fd9602 by sumenon at 2020-04-23T10:29:33-04:00
ipatests: Test for ipahealthcheck.ds.ruv check
This test ensures that RUVCheck for ipahealthcheck.ds.ruv
source displays correct result
Signed-off-by: sumenon <sumenon at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
a0494bc3 by Serhii Tsymbaliuk at 2020-04-24T09:17:59+02:00
Web UI: Upgrade jQuery version 2.0.3 -> 3.4.1
Ticket: https://pagure.io/freeipa/issue/8284
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
b6476f59 by Christian Heimes at 2020-04-27T10:15:58+02:00
servrole: takes_params must be a tuple
The definition of servrole.takes_params was missing a comma.
Related: https://pagure.io/freeipa/issue/8290
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
bba41dc8 by Kaleemullah Siddiqui at 2020-04-27T09:09:10-04:00
Test for check of HostKeyAlgorithms option in ssh_config
Test checks that HostKeyAlgorithms is not present in
/etc/ssh/ssh_config after client install with option
-ssh-trust-dns.
https://pagure.io/freeipa/issue/8082
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
ba213aa4 by sumenon at 2020-04-27T09:18:56-04:00
ipatests: Test for ipahealthcheck tool for IPADomainCheck.
This testcase checks that when trust isn't setup
between IPA server and Windows AD, IPADomainCheck
displays key value as domain-check and result is SUCCESS
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
49f909c9 by Christian Heimes at 2020-04-27T14:59:07-04:00
Fix APIVersion.__getnewargs__
``__getnewargs__()`` must return a tuple.
Fixes ``E0312(invalid-getnewargs-returned), APIVersion.__getnewargs__]
__getnewargs__ does not return a tuple)``.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
24cc13db by Christian Heimes at 2020-04-27T14:59:07-04:00
Fix exception escape warning
W1661(exception-escape), RPCClient.forward]
Using an exception object that was bound by an except handler)
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
bb24641e by Christian Heimes at 2020-04-28T11:28:29+02:00
Use api.env.container_sysaccounts
Refactor code to use api.env.container_sysaccounts instead of
('cn', 'sysaccounts'), ('cn', 'etc')
Related: https://pagure.io/freeipa/issue/8276
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ca6d6781 by Christian Heimes at 2020-04-28T11:28:29+02:00
Define default password policy for sysaccounts
cn=sysaccounts,cn=etc now has a default password policy to permit system
accounts with krbPrincipalAux object class. This allows system accounts
to have a keytab that does not expire.
The "Default System Accounts Password Policy" has a minimum password
length in case the password is directly modified with LDAP.
Fixes: https://pagure.io/freeipa/issue/8276
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
7d657c6f by Timo Aaltonen at 2020-04-28T14:39:42+02:00
Debian: Use enable/disable_ldap_automount() from base
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
7ed5374c by Timo Aaltonen at 2020-04-28T14:39:42+02:00
Debian: Use parse_ipa_version from redhat.
Needs librpm8 installed.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
158257c4 by Timo Aaltonen at 2020-04-28T14:39:42+02:00
ipatests/test_commands: Check sssd version like on test_sssd
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
2e85b480 by Timo Aaltonen at 2020-04-28T14:39:42+02:00
ipatests/test_installation: Use knownservices to map the service name.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
4d2272f9 by François Cami at 2020-04-28T09:32:19-04:00
IPA-EPN: Add design draft
The design draft lists the user stories, implementation choices,
implementation details, limitations, and changes for the new
Expired Password Notifications (EPN) feature.
Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c2608cfe by Christian Heimes at 2020-04-28T15:33:57+02:00
Add skip_if_platform marker
Make it easier to skip tests based on platform ID and platform LIKE_ID.
Skip some tests that are not working on Debian-like platforms
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
- - - - -
43ac2d9a by Stanislav Levin at 2020-04-28T17:50:10+02:00
ipatests: Cleanup 'collect_logs' decorator
The last usage of 'collect_logs' decorator has been removed
in 1d70ce850e9. So, it could be safely removed.
Fixes: https://pagure.io/freeipa/issue/8265
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
5da309ee by Stanislav Levin at 2020-04-28T17:50:10+02:00
ipatests: Pretty print multihost config
The printing of string representation of multihost config is useless.
For example,
```
<ipatests.pytest_ipa.integration.config.Config object at 0x7fe017d9dc70>
```
The dictionary representation of such looks better:
```
[ipatests.pytest_ipa.integration] {'ad_admin_name': 'Administrator',
'ad_admin_password': 'Secret123',
'admin_name': 'admin',
'admin_password': 'Secret123',
'dirman_dn': 'cn=Directory Manager',
'dirman_password': 'Secret123',
'dns_forwarder': '8.8.8.8',
'domain_level': 1,
'domains': [{'hosts': [{'external_hostname': 'master1.ipa.test',
'ip': '172.19.0.2',
'name': 'master1.ipa.test',
'role': 'master'},
{'external_hostname': 'replica1.ipa.test',
'ip': '172.19.0.3',
'name': 'replica1.ipa.test',
'role': 'replica'},
...
```
Fixes: https://pagure.io/freeipa/issue/8265
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
63747bc0 by Stanislav Levin at 2020-04-28T17:50:10+02:00
ipatests: Collect all logs on all Unix hosts
Each integration test entity sets up its own list of logfiles.
This is made by calling the callback of host's 'collect_log',
which knows nothing about the context of execution: whether it's
the test class scope or the test method one. Of course, in this
case one-time collection of test method log is not supported
because the logs tracker collects only test class logs.
In the meantime, almost all the entities (except 'client')
collect identical logs. Besides, due to the IPA roles
transformation an each IPA host can become master, replica or
client, all of these, in turn, can have subroles. So, the
most common case is the collection of all the possible logs from
all the IPA (Unix) hosts. However, the customization of a logfiles
collection is possible.
The collection is performed with the help of 'integration_logs'
fixture. For example, to add a logfile to list of logs on a test
completion one should add the dependency on this fixture and call
its 'collect_method_log' method.
```
class TestFoo(IntegrationTest):
def test_foo(self):
pass
def test_bar(self, integration_logs):
integration_logs.collect_method_log(self.master, '/logfile')
```
Collected logs:
1) 'test_foo' - default logs
2) 'test_bar' - default logs + /logfile
3) 'TestFoo' - default logs
Fixes: https://pagure.io/freeipa/issue/8265
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
87408ee7 by Stanislav Levin at 2020-04-28T17:50:10+02:00
Azure: Increase memory limit
Azure host has 6 GB of physical memory + 7 GB of swap.
FreeIPA CI runs at least 5 masters on each Azure's host.
Thus, swap is intensively used.
Based on the available *physical* memory 389-ds performs db tweaks
and in future may fail to start in case of memory shortage.
Current memory limit for Azure Docker containers(master/replica):
- Physical
$ cat /sys/fs/cgroup/memory/memory.limit_in_bytes
1610612736
- Physical + swap:
$ cat /sys/fs/cgroup/memory/memory.memsw.limit_in_bytes
3221225472
In the meantime, installation of master + ca + kra + dnssec requires:
$ cat /sys/fs/cgroup/memory/memory.max_usage_in_bytes
1856929792
Some test environments require more memory.
For example, 'ipatests.test_integration.test_commands.TestIPACommand':
$ cat /sys/fs/cgroup/memory/memory.memsw.max_usage_in_bytes
2232246272
$ cat /sys/fs/cgroup/memory/memory.max_usage_in_bytes
2232246272
Fixes: https://pagure.io/freeipa/issue/8264
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e00dc40f by Christian Heimes at 2020-04-28T20:03:21+02:00
Create ipasphinx package for Sphinx plugins
Sphinx is extensible with plugins that can add new syntax, roles,
directives, domains, and more.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d34db063 by Christian Heimes at 2020-04-28T20:04:27+02:00
Fix /doc/workshop subtree merge
Something went wrong with git subtree merge of the external
freeipa-workshop repository. A couple of files accidently ended up
in / instead of /doc/workshop/.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
b7415c3d by Christian Heimes at 2020-04-29T12:36:34+02:00
Require Sphinx >2.1
RTD comes with Sphinx 1.8 that is missing some APIs.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
9941c9ee by Christian Heimes at 2020-04-30T09:41:41+02:00
Address issues found by new pylint 2.5.0
* fix multiple exception-escape
* fix function signatures of DsInstance start/stop/restart
* silence f-string-without-interpolation
* fix too-many-function-args in host plugin
Fixes: https://pagure.io/freeipa/issue/8297
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
- - - - -
40b8174c by Armando Neto at 2020-04-30T12:05:35+02:00
prci: update templates for new Fedora release
"previous" updated to Fedora 31
"latest" updated to Fedora 32
"rawhide" based on Fedora 33
389ds, testing and pki definitions updated to Fedora 32
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
1632827c by François Cami at 2020-04-30T12:06:58+02:00
tox.ini: switch from W503 to W504
PEP8 recently changed from W503 to W504.
Line breaks should therefore come before operators.
See: https://www.python.org/dev/peps/pep-0008/#should-a-line-break-before-or-after-a-binary-operator
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
f4892d42 by Serhii Tsymbaliuk at 2020-04-30T15:03:49+02:00
WebUI tests: cover membership management with UI tests
Test cases:
- admin can add member manager for user/host group
- admin can add member manager group to user/host group
- member manager can add user to group
- member manager can remove user from group
- member manager can add host to host group
- member manager can remove host from host group
Ticket: https://pagure.io/freeipa/issue/8298
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
35e1ebb2 by Miro Hrončok at 2020-05-04T08:12:58+02:00
Fix a syntax typo
This worked for now, but is SyntaxError in Python 3.9.0a6:
File "/usr/lib/python3.9/site-packages/ipapython/cookie.py", line 222
return'/'
^
SyntaxError: invalid string prefix
(The Python change might actually be reverted before 3.9 final,
but this can be fixed anyway.)
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
273ed153 by Viktor Ashirov at 2020-05-04T20:49:23+02:00
Update ACIs with the correct syntax
The value of the first character in target* keywords
is expected to be a double quote.
Fixes: https://pagure.io/freeipa/issue/8301
Signed-off-by: Viktor Ashirov <vashirov at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
86d76efc by Christian Heimes at 2020-05-05T10:42:46+02:00
Fix E266 too many leading '#' for block comment
Related: https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
96618073 by Christian Heimes at 2020-05-05T10:42:46+02:00
Fix E711 comparison to None
Related: https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
690b5519 by Christian Heimes at 2020-05-05T10:42:46+02:00
Fix E712 comparison to True / False
Related: https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
d0818e18 by Christian Heimes at 2020-05-05T10:42:46+02:00
Fix E713 test for membership should be 'not in'
Related: https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
8c9bba8e by Christian Heimes at 2020-05-05T10:42:46+02:00
Fix E714 test for object identity should be 'is not'
Related: https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
31fa527e by Christian Heimes at 2020-05-05T10:42:46+02:00
Fix E721 do not compare types, use 'isinstance()'
Related: https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
186d739d by Christian Heimes at 2020-05-05T10:42:46+02:00
Fix E722 do not use bare 'except'
Related: https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
c544d18f by Christian Heimes at 2020-05-05T10:42:46+02:00
Silence W601 .has_key() is deprecated
Related: https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
6386c0cb by Christian Heimes at 2020-05-05T10:42:46+02:00
Manually reformat ipapython/version.py.in
Add whitespaces around assignment operator and use consistent double
quotes.
https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
f6be6612 by Christian Heimes at 2020-05-05T10:42:46+02:00
Reconfigure pycodestyle
Disable some warnings that are not PEP-8 compatible.
Disable warnings E731 and E741. IPA code uses ``l`` as variable names
and assignment of lambda expressions a lot.
Ignore auto-generated remote plugins and build directories.
Related: https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
490682ac by Christian Heimes at 2020-05-05T11:47:16+02:00
Make ipaplatform a regular top-level package
ipaplatform was made a namespace package so that 3rd party OS
distributors can easily define their own distribution subpackage. Since
major distributions have contributed to FreeIPA project and no 3rd party
ipaplatform subpackage was uploaded to PyPI, it doesn't make much sense
to keep ipaplatform a namespace package.
The ipaplatform-*-nspkg.pth file for namespace package definition is
causing trouble with local testing on developer boxes.
Fixes: https://pagure.io/freeipa/issue/8309
See: https://pagure.io/freeipa/issue/6474
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
fefd1153 by Christian Heimes at 2020-05-05T11:48:04+02:00
Make check_required_principal() case-insensitive
service-del deletes services by DN and LDAP DNs are compared
case-insensitive. Make check_required_principal() compare the
service name case insensitive.
Fixes: https://pagure.io/freeipa/issue/8308
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
19ea1b97 by Christian Heimes at 2020-05-05T11:49:10+02:00
Simplify pki proxy conf
``pkispawn`` is being modified to use PKI CLI for installation.
Add ``/pki/rest`` to proxied routes and simplify location matching with
a prefix regular expression.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
edcfba60 by Florence Blanc-Renaud at 2020-05-05T11:50:01+02:00
ipa-advise: fallback to /usr/libexec/platform-python if python3 not found
when ipa-advise generates a script to configure a client for smart card
auth, the script calls python3 to configure SSSD. The issue happens
if the server (when ipa-advise is run) and the client do not have
the same path for python3 command.
By default, try to use python3 but if the command is not found, fallback
to /usr/libexec/platform-python (which is the python3 path on RHEL8).
Fixes: https://pagure.io/freeipa/issue/8311
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
0cadf40f by Mohammad Rizwan Yusuf at 2020-05-05T15:56:03+02:00
Display principal name while del required principal
Fix is to display the proper principal in error message
while attempting to delete required principal.
related: https://pagure.io/freeipa/issue/7695
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
340a50b7 by Mohammad Rizwan Yusuf at 2020-05-05T15:56:03+02:00
ipatests: Test deletion of required principal throws proper error
ipa service-del <Principal name> did not display proper principal
name which is being deleted in error message.
This test check if it throws error having proper principal name.
related: https://pagure.io/freeipa/issue/7695
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c5c52bfe by Christian Heimes at 2020-05-06T09:13:32+02:00
Fix make devcheck
A new test case was not picking up ``ipa-run-tests`` script.
Fixes: https://pagure.io/freeipa/issue/8307
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a009b9e0 by Alexander Bokovoy at 2020-05-06T09:14:29+02:00
Add pytest.skip_if_container()
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
b8a1d130 by Alexander Bokovoy at 2020-05-06T09:14:29+02:00
Azure Pipelines: Override services known to not work in containers
Chrony daemon tries to use adjtimex() which doesn't work in the
container we run in Docker environment on Azure Pipelines.
nis-domainname also tries to modify kernel-specific parameter that
doesn't really work in runc-based containers.
Use systemd container detection to avoid starting these services in the
containers.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
f66ef848 by Alexander Bokovoy at 2020-05-06T09:14:29+02:00
Azure Pipelines: switch to Fedora 32
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
4b83c2a9 by Mohammad Rizwan Yusuf at 2020-05-06T12:02:51+02:00
webui: check if notification area doesn't intercept menu button
Notification used to intercept the click on page for some element.
This test ensures that element is clickable.
related: https://pagure.io/freeipa/issue/8120
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
0c029205 by Mohammad Rizwan Yusuf at 2020-05-06T12:02:51+02:00
WebUI tests: fix PEP8 issues in test_webui/test_user.py
PEP8 fix for teat_webui/test_user.py. Errors involved:
- line > 79 character
- 2 blank line needed before class
- single space was needed between # and comment
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
cf642957 by Christian Heimes at 2020-05-06T20:17:01+02:00
Let GH auto-notify and auto-close stale PRs
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
2bfe5ff6 by Christian Heimes at 2020-05-07T11:00:55-04:00
Use httpd 2.4 syntax for access control
The httpd options Allow, Deny, Order, and Satisfy are deprecated in
Apache httpd 2.4. These options are provided by the mod_access_compat
module and should no longer be used.
Replace "Allow from all" with "Require all granted".
Removal of "Satisfy Any" needs more investigation.
See: httpd.apache.org/docs/2.4/upgrading.html
See: httpd.apache.org/docs/2.4/mod/mod_access_compat.html
Fixes: pagure.io/freeipa/issue/8305
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1b923361 by Alexander Bokovoy at 2020-05-08T09:37:37+03:00
kdb: initialize flags in ipadb_delete_principal()
Related: https://pagure.io/freeipa/issue/8291
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>
- - - - -
999af8e2 by Alexander Bokovoy at 2020-05-08T09:37:37+03:00
kdb: fix memory handling in ipadb_find_principal
BER structure representing a string might not have termination '\0'
character, thus we should use length-bound functions to operate on it.
Memory handling of LDAP values was leaving previous vals over iteration.
Also, when freeing vals, we need to explicitly set it to NULL.
Fixes: https://pagure.io/freeipa/issue/8291
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Simo Sorce <ssorce at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>
- - - - -
6fc213d1 by Alexander Bokovoy at 2020-05-08T09:37:37+03:00
test_smb: test that we can auth as NetBIOS alias
cifs/... principal on SMB server side has NetBIOS name of the SMB server
as its alias. Test that we can actually initialize credentials using
this alias. We don't need to use it anywhere in Samba, just verify that
alias works.
Related: https://pagure.io/freeipa/issue/8291
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>
- - - - -
aa341020 by Christian Heimes at 2020-05-11T14:36:39+02:00
Disable password schema update on LDAP bind
389-DS 1.4.1+ attempts to update passwords to new schema on LDAP bind. IPA
blocks hashed password updates and requires password changes to go through
proper APIs. This option disables password hashing schema updates on bind..
See: https://pagure.io/freeipa/issue/8315
See: https://bugzilla.redhat.com/show_bug.cgi?id=1833266
See: https://pagure.io/389-ds-base/issue/49421
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d986e844 by Alexander Bokovoy at 2020-05-12T09:50:28+02:00
WebUI: use python3-rjsmin to minify JavaScript files
Fedora 33+ deprecated uglify-js. There are other alternatives which seem
to be fine for the minify task. Use python-rjsmin instead.
Fixes: https://pagure.io/freeipa/issue/8300
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
958e2458 by Stanislav Levin at 2020-05-12T09:51:50+02:00
Azure: Add custom seccomp profile
This allows to override the default seccomp profile.
Custom profile was generated from the default one [0] by adding one
allowed system call 'clock_adjtime'. This one is indirectly used by
chronyd with recent glibc2.31.
[0]: https://github.com/containers/libpod/blob/master/seccomp.json
Fixes: https://pagure.io/freeipa/issue/8316
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
8882fc49 by Stanislav Levin at 2020-05-12T09:51:50+02:00
Azure: Allow chronyd to sync time
Though time namespace support was added in Linux kernel 5.6, it
is not landed on Azure VM (Ubuntu) yet.
The syncing time stuff is required by IPA NTP tests. it's
acceptable for testing 1 IPA environment on 1 Azure VM for such
tests.
Fixes: https://pagure.io/freeipa/issue/8316
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
b6fbee53 by Stanislav Levin at 2020-05-13T11:04:45+02:00
Azure: Always update apt cache
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
555f8a03 by sumenon at 2020-05-14T09:05:03+02:00
ipatests: Added testcase to check that ipa-adtrust-install command runs successfully with locale set as LANG=en_IN.UTF-8
Issue: https://pagure.io/freeipa/issue/8066
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
82ba4db1 by Christian Heimes at 2020-05-14T17:55:59+02:00
Make api.env.mode consistent
* use "developer" in Azure
* fix man page: "development" to "developer"
* list known modes in API bootstrap methods
Other values for mode are still supported to avoid breaking existing
installations.
Fixes: https://pagure.io/freeipa/issue/8313
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
13c3997b by Christian Heimes at 2020-05-14T18:16:20+02:00
Fix detection logic for api.env.in_tree
The logic to detect in-tree builds was broken and ipatests/conftest.py
had hard-coded in_tree=True.
IPA now considers an environment as in-tree when the parent directory of
the ``ipalib`` package contains ``ipasetup.py.in``. This file is only
present in source and never installed.
API bootstrap() does not use ```self.site_packages in site.getsitepackages()``
because the function call can be expensive and would require path
normalization, too. The function is also missing from venv site module.
Fixes: https://pagure.io/freeipa/issue/8312
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
0fa31ef1 by Christian Heimes at 2020-05-14T18:16:20+02:00
Hard-code in_tree=True for tests
Some integration tests use internal option ``force``. Re-add
``in_tree=True`` to make the tests pass until Pagure#8317 is fixed.
See: https://pagure.io/freeipa/issue/8317
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1f82d281 by Alexander Bokovoy at 2020-05-14T21:47:17+03:00
service delegation: allow to add and remove host principals
Service delegation rules and targets deal with Kerberos principals.
As FreeIPA has separate service objects for hosts and Kerberos services,
it is not possible to specify host principal in the service delegation
rule or a target because the code assumes it always operates on Kerberos
service objects.
Simplify the code to add and remove members from delegation rules and
targets. New code looks up a name of the principal in cn=accounts,$BASEDN
as a krbPrincipalName attribute of an object with krbPrincipalAux object
class. This search path is optimized already for Kerberos KDC driver.
To support host principals, the specified principal name is checked to
have only one component (a host name). Service principals have more than
one component, typically service name and a host name, separated by '/'
sign. If the principal name has only one component, the name is
prepended with 'host/' to be able to find a host principal.
The logic described above allows to capture also aliases of both
Kerberos service and host principals. Additional check was added to
allow specifying single-component aliases ending with '$' sign. These
are typically used for Active Directory-related services like databases
or file services.
RN: service delegation rules and targets now allow to specify hosts as
RN: a rule or a target's member principal.
Fixes: https://pagure.io/freeipa/issue/8289
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
8de73c15 by Christian Heimes at 2020-05-15T14:24:00+02:00
Check for freeipa-server-dns package early
The ``--setup-dns`` knob and interactive installer now check for
presence of freeipa-server-dns early and stop the installer with an
error.
```
$ ipa-server-install
...
Do you want to configure integrated DNS (BIND)? [no]: yes
Integrated DNS requires 'freeipa-server-dns' package
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
```
```
$ ipa-server-install --setup-dns
Usage: ipa-server-install [options]
ipa-server-install: error: option setup-dns: Integrated DNS requires 'freeipa-server-dns' package
The ipa-server-install command failed.
```
Fixes: https://pagure.io/freeipa/issue/7577
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
33ca0745 by Serhii Tsymbaliuk at 2020-05-15T18:03:01+02:00
WebUI: Add confirmation dialog for changing default user/host group
Changing default group on automember rules page is too easy.
Add a confirmation dialog to avoid misclick in the case.
Ticket: https://pagure.io/freeipa/issue/8322
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
3645854c by Serhii Tsymbaliuk at 2020-05-15T18:03:01+02:00
WebUI tests: Add confirmation step after changing default group in automember tests
Ticket: https://pagure.io/freeipa/issue/8322
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
f3e11715 by Christian Heimes at 2020-05-18T14:45:31+02:00
Explain the effect of OPT_X_TLS_PROTOCOL_MIN
OpenLDAP 2.4 sets minimum version with SSL_CTX_set_options(). The
system-wide crypto-policies for TLS minimum version are applied
with SSL_CTX_set_min_proto_version(). The set_option() call cannot
not enable lower versions than allowed by crypto-policy, e.g.
openssl.cnf MinProtocol=TLS1.2 + OPT_X_TLS_PROTOCOL_MIN=TLS1.0
result in TLS 1.2 as minimum protocol version.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
47bddf4f by Sumedh Sidhaye at 2020-05-19T15:11:54+02:00
Test for removing a subgroup
Problem description:
Removing an IPA sub-group should NOT remove the members
from indirect parent that also belong to other subgroups
The test:
A user and three groups are created groupa,groupb,groupc
'groupc' should be a child of 'groupb' so that you have groupa->groupb->groupc
user is direct member of 'groupa' and as a result member of 'groupb'
and 'groupc'. Now when one adds a direct membership to 'groupb' nothing will
change.
If one removes the direct membership to 'groupb' again,
nothing should change as well
Pagure Link: https://pagure.io/SSSD/sssd/issue/3636
Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
32c6b02e by Alexander Bokovoy at 2020-05-19T11:58:56-04:00
baseldap: de-duplicate passed attributes when checking for limits
LDAP attribute options aren't enforced in the schema, thus we strip them
when checking attribute conformance with the schema. This, however, can
leave us with a situation when multiple base LDAP attribute names are
present in the list of attribute names to check.
Use set of attribute names to deduplicate the list.
Fixes: https://pagure.io/freeipa/issue/8328
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
3dd5053c by Florence Blanc-Renaud at 2020-05-20T09:23:11+02:00
ipatests: Check if user with 'User Administrator' role can delete group.
Test scenario:
- create a test user with the 'User Administrator' role
- as this test user, create a new group
- as this test user, delete the new group
Related: https://pagure.io/freeipa/issue/6884
Co-authored-by: Nikhil Dehadrai <ndehadra at redhat.com>
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
26f96595 by Stanislav Levin at 2020-05-22T21:12:03+03:00
Azure: Make dnf repos consistent
Build container(image registry.fedoraproject.org/f32/fedora-toolbox)
has two more dnf repos enabled compared to Tests container(image
fedora:32). This results in the packages built within the Build
container can have dependencies which are unresolvable(missing)
within Tests container.
This enables updates-testing and updates-testing-modular,
disables fedora-cisco-openh264 for Tests container.
Fixes: https://pagure.io/freeipa/issue/8330
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
7bef36de by Serhii Tsymbaliuk at 2020-05-26T13:33:57+02:00
WebUI: Add authentication indicator specific fields to "Kerberos Ticket Policy" page
Ticket: https://pagure.io/freeipa/issue/8207
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
e668b61f by Serhii Tsymbaliuk at 2020-05-26T13:33:57+02:00
WebUI tests: Test all available fields on "Kerberos Ticket Policy" page
Ticket: https://pagure.io/freeipa/issue/8207
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
0317255b by Alexander Bokovoy at 2020-05-27T17:57:39+03:00
ipa-kdb: add UPN_DNS_INFO PAC structure
UPN_DNS_INFO structure contains the client's user principal name (UPN)
and a fully qualified domain name. It is used to provide the UPN and the
FQDN that corresponds to the client of the ticket.
The structure is defined in MS-PAC section 2.10. MS-KILE specification
says in the section 3.3.5.6.4.5 that KDCs should return this buffer. It
further clarifies in section 3.3.5.2 that if the user account object has no
userPrincipalName attribute, UPN_DNS_INFO should be constructed by
concatenating user name, the "@" symbol, and the DNS name of the domain.
IPA users don't really have userPrincipalName attribute. Instead, we
always construct their account names in LOGON Info3 structure by
unparsing the canonical principal name without realm, meaning that user
principal can be recovered by concatenating the account name and the
realm (domain).
Unless the account name and unparsed client principal name are different
or the primary Info3 gid (group RID) is the one for machine accounts,
mark the UPN as constructed.
Related: https://pagure.io/freeipa/issue/8319
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
23a49538 by Alexander Bokovoy at 2020-05-27T17:57:39+03:00
ipa-print-pac: acquire and print PAC record for a user
Helper utility to investigate PAC content of users in trusted
environments. Supports direct ticket acquisition and S4U2Self protocol
transition.
1. Direct ticket acquisition
In direct ticket acquisition mode the utility first does one of the
following actions:
- obtain a TGT ticket for a user principal using supplied password
- import existing TGT from a default credentials cache
Once a user TGT is available, the utility will attempt to acquire a service
ticket to a service which key is specified in a keytab (default or
passed with --keytab option) and simulate establishing context to the
service application.
If establishing context succeeds, MS-PAC content of the service ticket
will be printed out.
2. S4U2Self protocol transition
In protocol transition case a service application obtains own TGT using
a key from the keytab and then requests a service ticket to itself in
the name of the user principal, performing S4U2Self request.
If accepting this service ticket succeeds, MS-PAC content of the service
ticket will be printed out.
If KDC does not support or rejects issuing MS-PAC record for a user, an
error message 'KDC has no support for padata type' will be printed.
Related: https://pagure.io/freeipa/issue/8319
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Signed-off-by: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
0f881ca0 by Alexander Bokovoy at 2020-05-27T17:57:39+03:00
ipa-tests: add a test to make sure MS-PAC is produced by KDC
When ipa-adtrust-install is used, IPA KDC will be configured to issue
tickets with MS-PAC record in them for users and services that have
ipaNTSecurityIdentifier (SID) attribute in the LDAP record.
Test that a newly added user can kinit and obtain a ticket that has
a PAC structure.
Test that a service can impersonate a user and the resulting S4U2Self
requested service ticket also has PAC structure.
Related: https://pagure.io/freeipa/issue/8319
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
44a255d4 by Alexander Bokovoy at 2020-05-27T17:57:39+03:00
kdb: add minimal server referrals support for enterprise principals
Implement minimal server referrals support for enterprise principals as
defined in RFC 6806.
Use krb5_pac_verify_ext() and krb5_pac_sign_ext() to support cross-realm
S4U extensions. We have to verify/sign PAC and take the realm into
account for S4U in these cases.
The use of extended functions require krb5 1.17+.
For PAC verification, we have to filter existing PAC CLIENT-INFO
structure in cross-realm S4U case because otherwise old CLIENT-INFO
would change the PAC principal due to adding or ommiting the realm in
transition. Since a new PAC CLIENT-INFO will be provided by
k5_insert_client_info() anyway, we can filter it in all cases.
Generate PAC only for the first S4U2Self request to the client realm
(client != NULL). Otherwise, use the PAC from the cross-realm ticket.
The latter PAC belongs to the impersonated user.
Foreign (inner) principal look up in non-AS request returns
KRB5_KDB_NOENTRY.
Finally, in PAC signing we have to take the realm into account as well
for S4U2Self cross-realm operation. This does not work when compiling
against krb5 1.17 at the moment because sign_authdata() callback does
not know whether we are dealing with an issuing referral or not. In 1.18
a KDC will set a special client flag to signify this when asking KDB
driver to sign a PAC record.
Fixes: https://pagure.io/freeipa/issue/8319
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Signed-off-by: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
015ae275 by Alexander Bokovoy at 2020-05-27T17:57:39+03:00
ipa-kdb: add asserted identity SIDs
Depending on whether identity of a principal was asserted by the KDC or
by a service doing protocol transition (S4U2Self), AD DCs add a
special extra SID to a PAC record:
- S-1-18-1 is a SID for an Authentication Authority Asserted Identity
- S-1-18-2 is a SID for a Service Asserted Identity
This behavior is governed by [MS-SFU] 3.2.5.1.2 "KDC replies with Service
Ticket".
In order to add an asserted identity SID, we need to pass down the
client flags as set by the KDC and check for a protocol transition bit.
Fixes: https://pagure.io/freeipa/issue/8319
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
3e20a96c by Alexander Bokovoy at 2020-05-27T17:57:39+03:00
ipa-kdb: Always allow services to get PAC if needed
Previously, FreeIPA only allowed to issue PAC record in a ticket
for the following principal types:
- for IPA users
- for a host principal of one of IPA masters
- for a cifs/ or HTTP/ service on one of IPA masters
To allow S4U2Self operations over trust to AD, an impersonating service
must have PAC record in its TGT to be able to ask AD DCs for a S4U2Self
ticket. It means any IPA service performing S4U2Self would need to have
PAC record and the constraints above prevent it from doing so.
However, depending on whether the service or host principal belongs to
one of IPA masters, we need to set proper primary RID to 516 (domain
controllers) or 515 (domain computers).
Fixes: https://pagure.io/freeipa/issue/8319
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
3611fc50 by Alexander Bokovoy at 2020-05-27T17:57:39+03:00
ipa-kdb: add primary group to list of groups in MS-PAC
Somehow, we weren't adding primary group of the user to the list of
groups in the PAC Logon Info structure.
Related: https://pagure.io/freeipa/issue/8319
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
ef59cb84 by Alexander Bokovoy at 2020-05-27T17:57:39+03:00
ipa-kdb: cache local TGS in the driver context
For Kerberos principal lookup we always need to check whether principal
is from our realm. Keep the reference to our realm TGS handy to avoid
memory allocations on every lookup.
Related: https://pagure.io/freeipa/issue/8319
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
b5876f30 by Alexander Bokovoy at 2020-05-27T17:57:39+03:00
ipa-kdb: refactor principal lookup to support S4U2Self correctly
Restructure logic of ipadb_get_principal() to separate retrieval of a
principal by a name and by an alias. Separate enterprise principal name
type processing into a helper function to be able to reuse it for own
aliases.
Unify code in client referrals part to do the same and use krb5 API to
deal with principals rather than parsing strings. The end result is the
same but we follow common rules in MIT Kerberos to process principals.
An enterprise principal is typically "name at SOMEREALM@REALM", but any
principal might be parsed as enterprise principal, so we could get
"name at REALM" marked as such. When unparsing the enterprise principal,
re-parse it again with default realm values, to get our realm
normalization.
This behavior would fix situations when GSSAPI calls are operating on a
non-qualified principal name that was imported as a
GSS_KRB5_NT_ENTERPRISE_NAME when calling gss_import_name().
Related: https://pagure.io/freeipa/issue/8319
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Signed-off-by: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
52da0d6a by Alexander Bokovoy at 2020-05-27T17:57:39+03:00
test_smb: test S4U2Self operation by IPA service
Kerberos service might request a ticket to itself on behalf of a user
to perform protocol transition, so-called S4U2Self extension defined
in [MS-SFU] specification. Processing of this request by KDC differs for
in-realm and cross-realm configurations.
Use SMB service to test S4U2Self performed against AD and IPA users.
Fixes: https://pagure.io/freeipa/issue/8319
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
4ff972c2 by Alexander Bokovoy at 2020-05-27T17:57:39+03:00
azure: do not run test_commands due to failures in low memory cases
389-ds memory autotuning doesn't really work well in containerized
environment as it only looks into host-wide /proc/meminfo. It gets
fooled by 'missing' memory while there is still enough swap space..
This is in particular affects test_commands test suite where
ipa-adtrust-install cannot fully proceed and fails. We plan to rebalance
test containers' memory split but right now just disable test_commands
in Azure CI.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
bc9f3e05 by Serhii Tsymbaliuk at 2020-05-28T13:20:52+02:00
WebUI: Apply jQuery patch to fix htmlPrefilter issue
Manually backport corresponding changes from jQuery 3.5.0:
https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77
A complete upgrade to jQuery 3.5 is impossible at the moment due incompatibility
with Bootstrap 3.4.1 which we currently use.
Ticket: https://pagure.io/freeipa/issue/8325
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
16061744 by Peter Keresztes Schmidt at 2020-06-02T09:39:42+02:00
Remove remains of unused config options
Options removed:
* ca_ee_port
* ca_agent_install_port
* ca_ee_install_port
Closes: https://pagure.io/freeipa/issue/6708
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
6a7fa03f by sumenon at 2020-06-02T09:53:11-04:00
ipatests: Test for ipahealthcheck DogtagCertsConnectivityCheck
This test checks that when pki-tomcat service is stopped,
DogtagCertsConnectivityCheck displays the result as ERROR
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
ddd061c0 by sumenon at 2020-06-03T09:21:00+02:00
ipatests: Test for ipahealthcheck.ipa.files for TomcatFilecheck
This test checks that healthcheck tools reports correct information
when permissions of Tomcat config file are modified.
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
ad8e0af0 by Christian Heimes at 2020-06-03T09:25:12+02:00
Allow dnsrecord-add --force on clients
See: https://pagure.io/freeipa/issue/8317
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
7de1a93c by Peter Keresztes Schmidt at 2020-06-03T09:27:48+02:00
WebUI: Fix invalid RPC calls when link widget has no pkey passed
Fixes: https://pagure.io/freeipa/issue/8338
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
517c7ab2 by Peter Keresztes Schmidt at 2020-06-03T09:30:27+02:00
WebUI: Use data adapter to load facet header data
Fixes: https://pagure.io/freeipa/issue/8339
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
c1c6ee7d by Christian Heimes at 2020-06-04T14:29:59+02:00
Add ipa-print-pac to gitignore
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
0d0dc73a by sumenon at 2020-06-04T09:01:07-04:00
ipatests: Test to check warning state for TomcatFileCheck in ipahealthcheck.ipa.files
This testcase changes the ownership of the tomcat config files
on an IPA Master and then checks if healthcheck tools
reports the status as WARNING
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
f5964b71 by Christian Heimes at 2020-06-05T09:23:57+02:00
Remove obsolete BIND named.conf options
``dnssec-enable`` is obsolete in 9.16 and raises a warning. The option
defaults to ``yes`` in all supported versions of bind. The option is
removed when set to ``yes`` and a warning is emitted when the value is
``no``.
DNSSEC lookaside validation has been deprecated by RFC 8749 and the
feature removed from Bind 9.16. The only available lookaside provider
dlv.isc.org no longer provides DLV information since 2017.
Fixes: https://pagure.io/freeipa/issue/8349
Fixes: https://pagure.io/freeipa/issue/8350
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d20cda21 by Christian Heimes at 2020-06-05T09:34:46+02:00
make: serialize strip-po / strip-pot
The strip-po target modifies files in place. This sometimes creates
conflicts with other make targets when make is run in parallel mode.
* split strip-po into strip-po and strip-pot
* move strip-po[t] from dependency to explicit, serial execution
* declare dependencies on POT/POFILES
* don't run strip on clean
Fixes: https://pagure.io/freeipa/issue/8323
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4d2cd3a2 by Peter Keresztes Schmidt at 2020-06-07T10:08:19+03:00
WebUI: Refresh DNS record data correctly after mod operation
Fixes: https://pagure.io/freeipa/issue/8359
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
187968d4 by Peter Keresztes Schmidt at 2020-06-07T10:09:35+03:00
WebUI: Expose TTL of DNS records
Fixes: https://pagure.io/freeipa/issue/3827
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
5f239aeb by Peter Keresztes Schmidt at 2020-06-07T10:10:48+03:00
WebUI: Add units to some DNS zone and IPA config fields
Add also tooltips to ipasearchrecordslimit and ipasearchtimelimit
to clarify the special value 0/-1.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
373f8cdc by Peter Keresztes Schmidt at 2020-06-07T10:14:05+03:00
Specify min and max values for TTL of a DNS record
Fixes: https://pagure.io/freeipa/issue/8358
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
9dda004f by Christian Heimes at 2020-06-07T10:18:03+03:00
Allow permissions with 'self' bindruletype
Make it possible to create a managed permission with
ipapermbindruletype="self". The ACI will have bind rule
'(userdn = "ldap:///self")'.
Example
-------
Allow users to modify their own fasTimezone and fasIRCNick attributes:
```
managed_permissions = {
"System: Self-Modify FAS user attributes": {
"ipapermright": {"write"},
"ipapermtargetfilter": ["(objectclass=fasuser)"],
"ipapermbindruletype": "self",
"ipapermdefaultattr": ["fasTimezone", "fasIRCNick"],
}
}
```
See: https://github.com/fedora-infra/freeipa-fas/pull/107
Fixes: https://pagure.io/freeipa/issue/8348
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e6603648 by Peter Keresztes Schmidt at 2020-06-07T10:19:47+03:00
Use ipaldap exceptions rather than ldap error codes in LDAP updater
The code in ipaldap got changed with df4ed77 but ldapupdate was never updated.
Closes: https://pagure.io/freeipa/issue/7610
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
0f232a30 by Peter Keresztes Schmidt at 2020-06-07T10:21:01+03:00
Remove unused support for dm_password arg from ldapupdate.connect
Related: https://pagure.io/freeipa/issue/7610
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
894b3f1d by Peter Keresztes Schmidt at 2020-06-07T10:29:00+03:00
po: remove zanata config since translation was moved to weblate
Related: https://pagure.io/freeipa/issue/8159
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d79a7a96 by Christian Heimes at 2020-06-07T10:33:15+03:00
Handle DatabaseError in RPC-Server connect()
DatabaseError exceptions with 'account inactivated' message are turned
into 401 Unauthorized errors. The problem occurs when a user is disabled
but has a valid cookie.
Other DatabaseErrors are turned into 503 Service Unavailable. They
usually occur when LDAP server is not available or broken.
Fixes: https://pagure.io/freeipa/issue/8352
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f2d85488 by Peter Keresztes Schmidt at 2020-06-08T12:54:19+03:00
util: add unit test for pw hashing
Related: https://pagure.io/freeipa/issue/6857
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
68af4f39 by Peter Keresztes Schmidt at 2020-06-08T12:54:19+03:00
util: replace NSS usage with OpenSSL
Fixes: https://pagure.io/freeipa/issue/6857
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
88d1dcc5 by Peter Keresztes Schmidt at 2020-06-08T14:23:56+02:00
lite-server: Fix werkzeug deprecation warnings
Fixes: https://pagure.io/freeipa/issue/8360
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
a5cbdb57 by Peter Keresztes Schmidt at 2020-06-08T15:53:40+03:00
Split named custom config to allow changes in options stanza
Upgrade path to add additional include to named.conf is not handled.
Remove bindkeys-file directive from named config
The ISC DVL service was shut down (https://www.isc.org/bind-keys/).
BIND versions since April 2017 (i.e. 9.9.10, 9.10.5, 9.11.1 and later)
include a hard-coded copy of the root KSK which gets updates automatically
according to RFC 5011.
Move dnssec-enable directive to custom named config
Move comment named config being managed by FreeIPA to the top
Move settings which could be changed by administrators to
ipa-options-ext.conf. Settings defined there are sole responsibility of the
administrator. We do not check if they might collide with our settings in
named.conf.
Fixes: https://pagure.io/freeipa/issue/8287
Co-authored-by: Peter Keresztes Schmidt <carbenium at outlook.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6e5d40e2 by Christian Heimes at 2020-06-08T15:53:40+03:00
Include named config files in backup
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e071933e by Sergio Oliveira Campos at 2020-06-08T10:34:18-03:00
Add test for sssd ad trust lookup with dn in certmaprule
Related to https://pagure.io/SSSD/sssd/issue/3721
Signed-off-by: Sergio Oliveira Campos <seocam at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>
- - - - -
b9a60274 by Alexander Bokovoy at 2020-06-08T18:06:16+02:00
ipa-pwd-extop: use timegm() instead of mktime() to preserve timezone offset
"Kerberos principal expiration" is set in UTC and when server is in
different timezone, the time difference between timezone is respected by
the IPA server/client for Kerberos authentication.
The problem is due to mktime() assuming default time zone but since we
parse the time using Zulu (UTC+0) timezone, mktime() forces current time
zone offset added.
The method is using mktime() and comparing to the current time obtained
with time(NULL). According to its man page, mktime is considering the
time as local time:
The mktime() function converts a broken-down time structure, expressed
as local time, to calendar time representation.
Instead mktime() we should use timegm(). The problem is that it is
non-standard GNU extension and it is recommended (in the man page for
timegm(3)) to avoid its use. An alternative is to set TZ=UTC, call
mktime(), unset TZ, but since we are running in a multi-threaded
environment this is problematic.
On the other hand, we already rely on GNU extensions and enable them
with -D_DEFAULT_SOURCE=1, so use of timegm() is enabled already.
The fix, therefore, is to use timegm() instead of mktime() in
daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c in two places where we
first do 'strptime()' with Zulu time zone (in ipapwd_pre_bind() and
ipapwd_write_krb_keys()).
Fixes: https://pagure.io/freeipa/issue/8362
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Simo Sorce <simo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
676774d3 by Alexander Bokovoy at 2020-06-08T12:39:34-04:00
kdb: handle enterprise principal lookup in AS_REQ
Refactoring of the get_principal() code in commit
b5876f30d4000424cc8122498c411f812b3a0959 broke handling of enterprise
principal lookup for AS request (kinit -E user at ipa.test@IPA.TEST).
Related: https://pagure.io/freeipa/issue/8319
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
28389fe8 by Alexander Bokovoy at 2020-06-08T12:39:34-04:00
Add design page for managing IPA resources as a user from a trusted Active Directory forest
Fixes: https://pagure.io/freeipa/issue/8357
Fixes: https://pagure.io/freeipa/issue/7816
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ecc0a96d by Alexander Bokovoy at 2020-06-08T12:39:34-04:00
support using trust-related operations in the server console
When using `ipa -e in_server=True console` on IPA master, the whole IPA
framework is loaded in the same process ('ipa console'). The context
defined for this configuration is 'cli'. Some trust-related operations
need to load Samba bindings and guard itself to 'lite' and 'server'
contexts.
Upon reviewing these cases I came to conclusion that these guards are
unnecessary. It is enough to require that the context is in the server
code.
Allow these operations if we are operating in server mode. This allows
to debug trust-related issued directly in the IPA console on IPA trust
controllers.
Signed-of-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
973e0c04 by Alexander Bokovoy at 2020-06-08T12:39:34-04:00
idviews: handle unqualified ID override lookups from Web UI
First part of the required changes to merge a plugin to manage IPA as
a trusted Active Directory user.
It is not possible to omit ID view in IPA API but a client might specify
empty ID view. Up right now the empty view was considered an error. This
prevented Web UI from resolving ID overrides in a group member adder
dialog.
Default to 'Default Trust View' if the ID view is None or empty string
(''). Do this only for user ID overrides, as we do not support adding
group ID overrides as group members in a plugin to manage IPA as a
trusted Active Directory user[1].
Being a group member means an object in LDAP must have an object class
that allows 'memberOf' attribute because 389-ds 'memberof' plugin will
attempt to link back to the object from the group. Allow use of
'nsMemberOf' object class in ID overrides.
Fixes: https://pagure.io/freeipa/issue/7255
[1] https://github.com/abbra/freeipa-adusers-admins
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
bee42040 by Alexander Bokovoy at 2020-06-08T12:39:34-04:00
Support adding user ID overrides as group and role members
Second part of adding support to manage IPA as a user from a trusted
Active Directory forest.
Treat user ID overrides as members of groups and roles.
For example, adding an Active Directory user ID override as a member of
'admins' group would make it equivalent to built-in FreeIPA 'admin'
user.
We already support self-service operations by Active Directory users if
their user ID override does exist. When Active Directory user
authenticates with GSSAPI against the FreeIPA LDAP server, its Kerberos
principal is automatically mapped to the user's ID override in the
Default Trust View. LDAP server's access control plugin uses membership
information of the corresponding LDAP entry to decide how access can be
allowed.
With the change, users from trusted Active Directory forests can
manage FreeIPA resources if the groups are part of appropriate roles or
their ID overrides are members of the roles themselves.
Fixes: https://pagure.io/freeipa/issue/7255
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
306304bb by Alexander Bokovoy at 2020-06-08T12:39:34-04:00
tests: account for ID overrides as members of groups and roles
Fixes: https://pagure.io/freeipa/issue/7255
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
0ba64b1a by Alexander Bokovoy at 2020-06-08T12:39:34-04:00
Web UI: allow users from trusted Active Directory forest manage IPA
Extend Web UI logic to decide whether default Web UI view should have a
full menu or should be confined to a self-service interface. Standard
logic in FreeIPA Web UI is to combine two facts:
* for IPA users membership in `admins` group is used to indicate full
menu should be shown
* for AD users the fact that ID override object is presented by IPA
`whoami` command is used to confine to a self-service interface
With the change to allow user ID overrides from a default trust view to
be members of groups and roles, we can unify the administrative
privileges checks for both IPA and AD users.
Fixed: https://pagure.io/freeipa/issue/8335
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
9248d23a by Alexander Bokovoy at 2020-06-08T12:39:34-04:00
ipatests: test that adding Active Directory user to a role makes it an administrator
Fixes: https://pagure.io/freeipa/issue/8357
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
be47ec97 by Christian Heimes at 2020-06-08T20:04:18+03:00
libotp: Replace NSS with OpenSSL HMAC
Use OpenSSL's HMAC API instead of NSS.
Fixes: Fixes: https://pagure.io/freeipa/issue/6857
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e7319f62 by François Cami at 2020-06-08T22:36:49+03:00
tasks.py: add krb5_trace to create_active_user and kinit_as_user
The test test_adtrust_install.py::TestIpaAdTrustInstall::test_add_agent_not_allowed
sometimes fails when resetting a user's password using kinit in create_active_user.
Add krb5_trace (default: False) to create_active_user and kinit_as_user.
Related-to: https://pagure.io/freeipa/issue/8353
Related-to: https://pagure.io/freeipa/issue/8271
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
- - - - -
8f8c560f by François Cami at 2020-06-08T22:36:49+03:00
ipatests: add KRB5_TRACE to kinit in test_adtrust_install.py
The test test_adtrust_install.py::TestIpaAdTrustInstall::test_add_agent_not_allowed
sometimes fails at kinit in create_active_user:
```
kinit: Password has expired while getting initial credentials
```
Use krb5_trace to catch the required debug information.
Related-to: https://pagure.io/freeipa/issue/8353
Related-to: https://pagure.io/freeipa/issue/8271
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
- - - - -
b8886c3e by François Cami at 2020-06-09T08:43:45+02:00
IPA-EPN: First version.
EPN stands for Expiring Password Notification. It is a standalone
tool designed to build a list of users whose password would expire
in the near future, and either display the list in a machine-readable
format, or send email notifications to these users.
EPN provides command-line options to display the list of affected users.
This provides data introspection and helps understand how many emails
would be sent for a given day, or a given date range.
The command-line options can also be used by a monitoring system to alert
whenever a number of emails over the SMTP quota would be sent.
EPN is meant to be launched once a day from an IPA client (preferred)
or replica from a systemd timer.
EPN does not keep state. The list of affected users is built at runtime
but never kept.
TLS/STARTTLS SMTP code is untested and unlikely to work as-is.
Parts of code contributed by Rob Crittenden.
Ideas and feedback contributed by Christian Heimes and Michal Polovka.
Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: François Cami <fcami at redhat.com>
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
3805eff4 by François Cami at 2020-06-09T08:43:45+02:00
IPA-EPN: Test suite.
Initial test suite for EPN.
Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: François Cami <fcami at redhat.com>
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
03caa7f9 by Rob Crittenden at 2020-06-09T08:43:45+02:00
Add a jinja2 e-mail template for EPN
Add options for character set (default utf8) and message
subtype (default plain). This will allow for more control
for users to do either HTML mail or use ascii for the character
set so the attachment is not base64-encoded to make it easier
for all mail clients.
Collect first and last name as well for each user in order to
provide more options for the template engine.
Make the From address configurable, defaulting to noreply at ipa_domain
Make Subject configurable too.
Don't rely on the MTA to set Message-Id: set it using the email
module.
Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
451cbae1 by Rob Crittenden at 2020-06-09T08:43:45+02:00
Add index for krbPasswordExpiration for EPN
Expiring Password Notifications search for expiring passwords
between dates. Add an equality index for this attribute.
https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
9d9012f6 by Fraser Tweedale at 2020-06-10T22:27:26+10:00
httpinstance: retry request without ipa-ca.$DOMAIN dnsName on failure
In the migration case of replica installation, if the CA server is
an older version it may not support the ipa-ca.$DOMAIN dnsName in
the HTTP cert (it is a special case in the cert_request command).
Therefore if the request fails, try it again without the
ipa-ca.$DOMAIN dnsName.
Part of: https://pagure.io/freeipa/issue/8186
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
e6fda6f0 by Fraser Tweedale at 2020-06-10T22:27:26+10:00
upgrade: avoid stopping certmonger when fixing requests
During upgrade, if discrepancies are detected in Certmonger tracking
request configuration we remove and re-create tracking requests.
The default behaviour of the CAInstance and KRAInstance
stop_tracking_certificates() method is to stop certmonger after the
requests have been removed. This behaviour results in an
unnecessary restart of certmonger and has also been observed to
cause problems. For example, subsequent certmonger operations have
to start the certmonger process and can fail because certmonger is
not yet properly initialised (manifesting as D-Bus errors).
Suppress the unnecessary restart(s) of certmonger during tracking
request update.
Related: https://pagure.io/freeipa/issue/8186
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
379b560c by Christian Heimes at 2020-06-10T16:07:07+02:00
Fix named.conf update bug NAMED_DNSSEC_VALIDATION
Commit a5cbdb57e50cfc62f61affda19ce878b2abd33de introduced a bug when
updating IPA from 4.8.6 to 4.8.7. NAMED_DNSSEC_VALIDATION template
variable was not declared.
Fixes: https://pagure.io/freeipa/issue/8363
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
cddd07f6 by Christian Heimes at 2020-06-10T16:07:07+02:00
Remove named_validate_dnssec update step
The upgrade step used to add "dnssec-validation no" to named.conf IFF
named.conf did not contain "dnssec-validation" option at all. The
option has been moved to 'ipa-options-ext.conf' in IPA 4.8.7. The function
only removes the upgrade state.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
996a2209 by Christian Heimes at 2020-06-10T16:07:07+02:00
Fix named.conf named_conf_include_re
Actually match one or more characters
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
43dd1e8a by Christian Heimes at 2020-06-10T16:07:07+02:00
More upgrade tests
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f52a15b8 by Christian Heimes at 2020-06-10T16:07:07+02:00
Overhaul bind upgrade process
/etc/named.conf is now owned by IPA. The file is overwritten on
installation and all subsequent updates. All user modification will be
lost. Config file creation and update use the same code paths.
This simplifies upgrade process a lot. There is no errprone fiddling
with config settings any more.
During upgrade there is a one-time backup of named.conf to
named.conf.ipa-backup. It allows users to salvage their customization
and move them to one of two user config files which are included by
named.conf.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
cc844834 by Christian Heimes at 2020-06-10T16:16:13+02:00
Auto-generated ipa-epn files to gitignore
memcached has been removed a loooong time ago.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
c3cbaed9 by Rob Crittenden at 2020-06-10T11:22:58-04:00
IPA-EPN: Fixes to starttls mode, convert some log errors to exceptions
Tested security mode with none, starttls and ssl security.
Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
1760ad48 by Rob Crittenden at 2020-06-10T11:22:58-04:00
IPA-EPN: Add tests for sending real mail with auth and templates
Send e-mail using postfix on localhost and read the contents to
verify that the mail was delivered and that the template was
applied correctly.
Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
7e621cf8 by Rob Crittenden at 2020-06-10T11:22:58-04:00
IPA-EPN: Add test for starttls mode
Get a certificate for postfix and configure it to allow starttls
connections.
Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
41e3d58a by Rob Crittenden at 2020-06-10T11:22:58-04:00
IPA-EPN: test using SSL against port 465
Enable the postfix SSL listener on port 465. The certifiates
and other configuration is already in place.
Test that sending mail is successful.
Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
a2728c75 by Rob Crittenden at 2020-06-10T11:22:58-04:00
IPA-EPN: Add mail-test option for testing sending live email
To make testing easier for administrators the --mail-test option
can be used to send live e-mail from ipa-epn. It sends mail
to the smtp_admin user processing the template with dummy data.
https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
759ab312 by Rob Crittenden at 2020-06-10T11:22:58-04:00
IPA-EPN: Add tests for --mail-test option
Test sending a default template email to the smtp_admin user.
Test that --mail-test and --dry-run cannot be used together.
https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
3b266d39 by Rob Crittenden at 2020-06-10T11:22:58-04:00
IPA-EPN: add smtp_delay to limit the velocity of e-mails sent
Provide a knob so the mail queue doesn't get completely flooded
with new e-mails.
Default to no wait, value in milliseconds.
https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
cb205cc5 by Rob Crittenden at 2020-06-10T11:22:58-04:00
IPA-EPN: add test to validate smtp_delay value
Configuration test to ensure that smtp_delay validation is
properly enforced.
Also reset the epn configuration when the tests are run.
https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
ba7974bf by Rob Crittenden at 2020-06-10T11:22:58-04:00
IPA-EPN: Don't treat givenname differently
This was returning givenname as a list and not as a single
string which messed up the templating.
https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
81f7863b by Alexander Bokovoy at 2020-06-10T22:27:31+03:00
Update translation files
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
296ddcd3 by Alexander Bokovoy at 2020-06-10T22:28:56+03:00
update list of contributors
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
14876657 by Florence Blanc-Renaud at 2020-06-11T10:33:33+02:00
ipatests: fix the disable_dnssec_validation method
Bind configuration now includes 2 snippet config files, in
/etc/named/ipa-ext.conf and /etc/named/ipa-options-ext.conf
When a test needs to disable dnssec-validation, it needs to edit
the snippet ipa-options-ext.conf instead of /etc/named.conf.
This commit fixes the method tasks.disable_dnssec_validation so that it
correctly updates the snippet.
Fixes: https://pagure.io/freeipa/issue/8364
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
a18d406b by Christian Heimes at 2020-06-11T17:27:31+02:00
Move ipa-epn systemd files and run RPM hooks
The init/systemd directory is for server only and not part of
CLIENT_ONLY builds.
It's necesary to run pre/post installation hooks to make systemd aware
of new files.
Fixes: https://pagure.io/freeipa/issue/8367
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
51cb631d by Florence Blanc-Renaud at 2020-06-12T08:34:51+02:00
ipa-replica-install: --setup-ca and *-cert-file are mutually exclusive
ipa-replica-install currently accepts both --setup-ca and *-cert-file
even though the options should be mutually exclusive (either install
CA-less with *-cert-file options or with a CA).
Add a check enforcing the options are mutually exclusive.
Fixes: https://pagure.io/freeipa/issue/8366
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
98c1017c by Florence Blanc-Renaud at 2020-06-12T08:34:51+02:00
ipatests: add a test for ipa-replica-install --setup-ca --http-cert-file
The options *-cert-file are used for a CA-less replica installation and
are mutually exclusive with --setup-ca.
Add a test for this use case.
Related: https://pagure.io/freeipa/issue/8366
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c358f8db by Florence Blanc-Renaud at 2020-06-15T14:13:55+02:00
ipatests: Update the pki-master-f32 image version
There is a new Vagrant image for pki-master-f32, that contains
jss 4.7.0-0 instead of jss 4.7.0-1.
This change is required because the copr repo @pki/master initially
provided 4.7.0-1 but went backwards in the version number, and
critical fixes are available in 4.7.0-0.
Without this change, the vagrant image is using 4.7.0-1 and tries to
update (not downgrade), hence does not install the most recent version
with the fixes.
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
e33ffab5 by Mohammad Rizwan at 2020-06-15T14:22:56+02:00
ipatests: Test ipa user login with wrong password
When ipa user login to machine using wrong password, it
should log proper message in /var/log/secure
related: SSSD/sssd#5139
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
32a5359e by Mohammad Rizwan at 2020-06-15T14:22:56+02:00
Xfail test for sssd < 2.3.0
This fix is available in sssd 2.3.0+. On older version
test will fail. Hence added xfail.
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
4911a3f0 by Christian Heimes at 2020-06-15T22:44:42+03:00
Prevent local account takeover
It was found that if an account was created with a name corresponding to
an account local to a system, such as 'root', was created via IPA, such
account could access any enrolled machine with that account, and the local
system privileges. This also bypass the absence of explicit HBAC rules.
root principal alias
-------------------
The principal "root at REALM" is now a Kerberos principal alias for
"admin". This prevent user with "User Administrator" role or
"System: Add User" privilege to create an account with "root" principal
name.
Modified user permissions
-------------------------
Several user permissions no longer apply to admin users and filter on
posixaccount object class. This prevents user managers from modifying admin
acounts.
- System: Manage User Certificates
- System: Manage User Principals
- System: Manage User SSH Public Keys
- System: Modify Users
- System: Remove Users
- System: Unlock user
``System: Unlock User`` is restricted because the permission also allow a
user manager to lock an admin account. ``System: Modify Users`` is restricted
to prevent user managers from changing login shell or notification channels
(mail, mobile) of admin accounts.
New user permission
-------------------
- System: Change Admin User password
The new permission allows manipulation of admin user password fields. By
default only the ``PassSync Service`` privilege is allowed to modify
admin user password fields.
Modified group permissions
--------------------------
Group permissions are now restricted as well. Group admins can no longer
modify the admins group and are limited to groups with object class
``ipausergroup``.
- System: Modify Groups
- System: Remove Groups
The permission ``System: Modify Group Membership`` was already limited.
Notes
-----
Admin users are mostly unaffected by the new restrictions, except for
the fact that admins can no longer change krbPrincipalAlias of another
admin or manipulate password fields directly. Commands like ``ipa passwd
otheradmin`` still work, though. The ACI ``Admin can manage any entry``
allows admins to modify other entries and most attributes.
Managed permissions don't install ``obj.permission_filter_objectclasses``
when ``ipapermtargetfilter`` is set. Group and user objects now have a
``permission_filter_objectclasses_string`` attribute that is used
by new target filters.
Misc changes
------------
Also add new exception AlreadyContainsValueError. BaseLDAPAddAttribute
was raising a generic base class for LDAP execution errors.
Fixes: https://pagure.io/freeipa/issue/8326
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1810160
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
f6707a71 by Petr Vobornik at 2020-06-16T11:39:55+03:00
webui: hide user attributes for SMB services section if empty
This section should be hidded if user object hasn't ipantuserattrs
object class. I.e. when trusts are not enabled.
Web UI framework already supports hidding of sections if the
section contains no visible field. So to achieve it we simply needs
to hide the fields. Given that attributelevelrights
contains rights only for attributes of current object classes, all
of these are regarded as not writable.
We can leverage feature of input_widget that it gets hidden
when the attribute is not writable and has no value and widget's
"hidden_if_empty" is set to true. Thus doing it here.
For this to work, it is also required to fix an issue with
"ipanthomedirectorydrive" which is optional (in API) but Web UI
doesn't offer "empty" ("") value. Adding it here.
fixes: https://pagure.io/freeipa/issue/8336
Signed-off-by: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
19544d53 by Fraser Tweedale at 2020-06-16T15:37:08-04:00
fix cert-find errors in CA-less deployment
Under some search conditions (in particular, when user is
specified), the CA sub-search of cert-find command throws an error
on CA-less deployments. Do not execute the CA sub-search on CA-less
deployments.
Fixes: https://pagure.io/freeipa/issue/8369
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
3912e8e6 by Petr Vobornik at 2020-06-16T19:06:02-04:00
baseuser: fix ipanthomedirectorydrive option name
It should be ipanthomedirectorydrive and not ipanthomedirectoryrive.
This fixes showing the field in Web UI and also should fix CLI as it
probably never worked.
Signed-off-by: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
04ce1a41 by Armando Neto at 2020-06-17T08:03:17+02:00
ipatests: bump prci templates
New images were necessary to include updated `selinux-policy` package.
Rawhide image based on `Fedora-Rawhide-20200607.n.0` compose.
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
5a3b5f3a by Christian Heimes at 2020-06-17T13:38:59+02:00
Build ipa-selinux package on RHEL 8
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
533ec754 by François Cami at 2020-06-17T15:40:47-04:00
.mailmap: add fcami
Add myself to .mailmap.
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
6e3346f0 by Christian Heimes at 2020-06-19T08:40:15+02:00
Use old uglifyjs on RHEL 8
RHEL 8 buildroot does not have python3-rjsmin yet. Fall back to
uglifyjs.
See: https://pagure.io/freeipa/issue/8300
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c2ba333b by Serhii Tsymbaliuk at 2020-06-22T09:31:34+02:00
WebUI: Fix "IPA Error 3007: RequirmentError" while adding idoverrideuser association
Add builder for association adder dialog which allows to override behavior of the component.
Replace default implementation with a custom one for idoverrideuser.
Replace text filter with 'ID view' select box in the idoverrideuser dialog.
Ticket: https://pagure.io/freeipa/issue/8335
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
68ada5f2 by Fraser Tweedale at 2020-06-23T10:22:38+10:00
fix iPAddress cert issuance for >1 host/service
The 'cert_request' command accumulates DNS names from the CSR,
before checking that all IP addresses in the CSR are reachable from
those DNS names. Before adding a DNS name to the set, we check that
that it corresponds to the FQDN of a known host/service principal
(including principal aliases). When a DNS name maps to a
"alternative" principal (i.e. not the one given via the 'principal'
argument), this check was not being performed correctly.
Specifically, we were looking for the 'krbprincipalname' field on
the RPC response object directly, instead of its 'result' field.
To resolve the issue, dereference the RPC response to its 'result'
field before invoking the '_dns_name_matches_principal' subroutine.
Fixes: https://pagure.io/freeipa/issue/8368
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c5e9bd61 by Alexander Scheel at 2020-06-23T09:20:24+02:00
Clarify AJP connector creation process
We do two things:
1. Fix the xpath for AJP connector verification. An AJP connector is
one which has protocol="AJP/1.3", NOT one that has port="8009". An
AJP connector can exist on any port and port 8009 can have any
protocol. Secrets only make sense on AJP connectors, so make the
xpath match the existing comment.
2. Add some background in-line documentation about AJP secret
provisioning. This should help future developers understand why this
was added to IPA and what limitations there are in what PKI or IPA
can do. Most notably, explain why Dogtag can't upgrade the AJP
connector to have a secret in the general case.
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3ecea780 by Alexander Scheel at 2020-06-23T09:20:24+02:00
Configure PKI AJP Secret with 256-bit secret
By default, PKI's AJP secret is generated as a 75-bit password. By
generating it in IPA, we can guarantee the strength of the AJP secret.
It makes sense to use a stronger AJP secret because it typically
isn't rotated; access to AJP allows an attacker to impersonate an admin
while talking to PKI.
Fixes: https://pagure.io/freeipa/issue/8372
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849146
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1845447
Related: https://github.com/dogtagpki/pki/pull/437
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
13b17782 by Peter Keresztes Schmidt at 2020-06-23T10:11:09+02:00
WebUI: move OTP to be the last field in the PW reset form
Since TOTPs have a limited validity, let the user enter
them as the last item in the form.
This reduces the chance of the TOTP getting invalid while
the user is still filling out other fields.
Related: https://pagure.io/freeipa/issue/5628
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
d63a91da by Peter Keresztes Schmidt at 2020-06-23T10:11:09+02:00
WebUI: reword OTP info message displayed during PW reset
The message displayed before is now limited to the OTP
sync form, for which it was written originally.
A new message is introduced for the PW reset form,
which clarifies the usage of the OTP field.
Fixes: https://pagure.io/freeipa/issue/5628
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
ea5c0a1f by Peter Keresztes Schmidt at 2020-06-23T10:11:09+02:00
Unify spelling of "One-Time Password"
Spelling is in accordance with the HOTP
RFC 4226 and TOTP RFC 6238.
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
523f70ae by Christian Heimes at 2020-06-23T10:16:29+02:00
Terminology improvements: CA renewal
The term "CA renewal master" is a fixed term in FreeIPA and cannot
easily be replaced with an alternative term. At least we should use the
term consistently.
See: https://tools.ietf.org/id/draft-knodel-terminology-01.html
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
5c09dcdb by Christian Heimes at 2020-06-23T10:16:29+02:00
Grammar: whitespace is a word
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
3ce816ba by Christian Heimes at 2020-06-23T10:16:29+02:00
Terminology improvements: use allow list
See: https://tools.ietf.org/id/draft-knodel-terminology-01.html
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
3ec1b77f by Christian Heimes at 2020-06-23T10:16:29+02:00
Terminology improvements: use block list
Some places have to use the old name because it's part of the stable API
or stable LDAP attributes.
See: https://tools.ietf.org/id/draft-knodel-terminology-01.html
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c5e6fe05 by François Cami at 2020-06-23T10:38:24+02:00
ipatests: increase test_caless_TestReplicaInstall timeout
test_caless_TestReplicaInstall timeout seems too short.
Extend it.
Fixes: https://pagure.io/freeipa/issue/8377
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
3cf9979a by Florence Blanc-Renaud at 2020-06-23T11:11:46+02:00
ipa-client-install: use sshd drop-in configuration
sshd 8.2+ now supports the "Include" keyword in sshd_config and
ships by default /etc/ssh/sshd_config with
"Include /etc/ssh/sshd_config.d/*"
As fedora 32 provides a config file in that directory (05-redhat.conf) with
ChallengeResponseAuthentication no
that is conflicting with IPA client config, ipa-client-install now needs
to make its config changes in a drop-in file read before 05-redhat.conf
(the files are read in lexicographic order and the first setting wins).
There is no need to handle upgrades from sshd < 8.2: if openssh-server
detects a customisation in /etc/ssh/sshd_config, it will not update
the file but create /etc/ssh/sshd_config.rpmnew and ask the admin
to manually handle the config upgrade.
Fixes: https://pagure.io/freeipa/issue/8304
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
511f5194 by Florence Blanc-Renaud at 2020-06-23T11:11:46+02:00
client install: fix broken sshd config
If ipa client was installed with openssh-server >= 8.2, the
configuration parameters for sshd were put in /etc/ssh/sshd_config
instead of in a snippet in /etc/ssh/sshd_config.d.
Upgrade to this new ipa version fixes the sshd conf by
moving the params to the snippet.
Related: https://pagure.io/freeipa/issue/8304
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
769c87f5 by sumenon at 2020-06-24T10:23:26+02:00
ipatests: Tests to check ipahealthcheck tool with IPA-AD trust scenario
Tests for below checks are included
IPATrustDomainsCheck
IPATrustControllerConfCheck
IPAsidgenpluginCheck
IPATrustControllerServiceCheck
IPATrustAgentMemberCheck
IPATrustCatalogCheck
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
f1b2d7b6 by sumenon at 2020-06-24T10:23:26+02:00
Modified YAML to include healthcheck AD tests
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1144da5d by Christian Heimes at 2020-06-24T13:49:14+02:00
RHEL 8.3 has KRB5 1.18 with KDB 8.0
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
dc11b98e by Florence Blanc-Renaud at 2020-06-24T14:55:27+02:00
Unify spelling of "One-Time Password" (take 2)
The previous fix for the spelling of "One-Time Password"
missed a few lines.
Fixes: https://pagure.io/freeipa/issue/8381
Related: https://pagure.io/freeipa/issue/5628
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
a3c648bd by Florence Blanc-Renaud at 2020-06-24T17:22:24-04:00
ipatests: fix the method adding ifp to sssd.conf
The test TestCertsInIDOverrides enables the ifp service in
sssd.conf by a sed command. If the service is already enabled,
the ifp service appears multiple times in the section
[sssd]
services = ..ifp...ifp
and sssd fails to start.
Use tasks.remote_sssd_config to properly configure the
services as this API properly handles the case when the
service is already configured.
Fixes: https://pagure.io/freeipa/issue/8371
Reviewed-By: Anuja More <amore at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1f6ca418 by Alexander Bokovoy at 2020-06-25T09:18:02+03:00
handle Y2038 in timestamp to datetime conversions
According to datetime.utcfromtimestamp() method documentation[1],
this and similar methods fail for dates past 2038 and can be replaced by
the following expression on the POSIX compliant systems:
datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=timestamp)
Make sure to use a method that at least allows to import the timestamps
properly to datetime objects on 32-bit platforms.
[1] https://docs.python.org/3/library/datetime.html#datetime.datetime.utcfromtimestamp
Fixes: https://pagure.io/freeipa/issue/8378
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
6efe9917 by François Cami at 2020-06-25T15:20:21+02:00
EPN: ship the configuration file.
Ship and install /etc/ipa/epn.conf.
Minor fixes to the associated man page.
Fixes: https://pagure.io/freeipa/issue/8374
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1d7aeaeb by François Cami at 2020-06-25T15:20:21+02:00
man pages: fix epn.conf.5 and ipa-epn.1 formatting
Fix formatting issues found with mandoc.
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
0d4f022b by François Cami at 2020-06-25T15:20:21+02:00
ipatests: check that EPN's configuration file is installed.
Fixes: https://pagure.io/freeipa/issue/8374
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
73c02f63 by François Cami at 2020-06-25T15:20:21+02:00
ipatests: ipa_epn: uninstall/reinstall ipa-client-epn
Due to https://github.com/freeipa/freeipa-pr-ci/issues/378
the installed version of freeipa-client-epn is not the built
one. Temporarily force uninstall/reinstall of this package
before running the test.
Fixes: https://pagure.io/freeipa/issue/8374
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
cc624fb1 by Armando Neto at 2020-06-26T16:47:54-03:00
ipatests: bump prci templates
Remove all freeipa-* packages from template:
https://github.com/freeipa/freeipa-pr-ci/commit/bdd98c3b9dba2ce563535d0c91dad38b532441e8
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
c7766ebb by Fraser Tweedale at 2020-06-29T12:03:16+10:00
Define errors_by_code in ipalib.errors
The errors_by_code mapping could be used in more places. In
particular it will be useful in the Dogtag GSS-API authentication
effort. Move to ipalib.errors.
Part of: https://pagure.io/freeipa/issue/5011
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
0cb0056f by Anuja More at 2020-06-30T09:09:13+02:00
ipatests: Test that trusted AD users should not lose their AD domains.
When AD user is added customized idview and UID, GID
is overriden. Then SSSD should not fail to retrieve
AD domain details.
Related: https://pagure.io/SSSD/sssd/issue/4173
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Varun Mylaraiah <mvarun at redhat.com>
- - - - -
d39786c0 by Anuja More at 2020-06-30T09:09:13+02:00
ipatests: xfail test with older versions of sssd
Related to: https://pagure.io/SSSD/sssd/issue/4173
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Varun Mylaraiah <mvarun at redhat.com>
- - - - -
0c0061ba by Fraser Tweedale at 2020-06-30T11:47:29+02:00
extract virtual operation access check subroutine
Outside of virtual commands themselves there is no way to evaluate
access to perform a virtual operation. Such a capability will be
needed for Dogtag-based certificate request validation using
Kerberos proxy credentials.
Add the 'check_operation_access' method for explicit virtual
operation access checks. Refactor 'VirtualCommand.check_access()'
to use it.
Part of: https://pagure.io/freeipa/issue/5011
Part of: https://pagure.io/freeipa/issue/6423
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
d7f3a0b2 by Fraser Tweedale at 2020-06-30T16:18:21+02:00
ra.get_certificate: use REST API
Update ra.get_certificate to use the Dogtag REST API. This change
is being done as part of the Dogtag GSS-API authentication effort
because the servlet-based method expects an internal Dogtag user.
It is less intrusive to just change FreeIPA to call the REST API
instead (which is also part of an existing ticket).
Depends on https://pagure.io/dogtagpki/issue/2601 (which was merged
and released long ago).
Part of: https://pagure.io/freeipa/issue/3473
Part of: https://pagure.io/freeipa/issue/5011
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
2e75623e by Zdenek Pytela at 2020-07-01T08:14:17+02:00
Allow ipa-adtrust-install restart sssd and dirsrv services
Allow ipa_helper_t connect to init using /run/systemd/private socket.
Allow ipa_helper_t read init process state.
Allow ipa_helper_t manage sssd and dirsrv units.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1820298
See: https://github.com/fedora-selinux/selinux-policy-contrib/pull/241
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
b56fa015 by Christian Heimes at 2020-07-01T08:14:17+02:00
SELinux: Backport dirsrv_systemctl interface
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
9858e863 by Florence Blanc-Renaud at 2020-07-01T08:14:17+02:00
Bump requires for selinux-policy
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1820298
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
0df4e881 by François Cami at 2020-07-01T12:05:14+02:00
ipatests: display SSSD kdcinfo in test_adtrust_install.py
The test test_adtrust_install.py::TestIpaAdTrustInstall::test_add_agent_not_allowed
sometimes fails at kinit in create_active_user:
```
kinit: Password has expired while getting initial credentials
```
krb5_strace shows that this happens when kinit changes servers
between password change and TGT requests.
Display SSSD's kdcinfo to see if kinit should be pinned to one
server.
Related-to: https://pagure.io/freeipa/issue/8353
Related-to: https://pagure.io/freeipa/issue/8271
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
- - - - -
630c408f by François Cami at 2020-07-03T15:33:49+02:00
ipatests: remove dnf workaround from test_epn.py
73c02f635 introduced a workaround to make sure the latest version
of (free)ipa-client-epn was installed.
Since cc624fb17 this should not be needed anymore.
Fixes: https://pagure.io/freeipa/issue/8391
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
f6055e6c by Alexander Bokovoy at 2020-07-06T10:47:18+03:00
selinux: allow oddjobd to set up ipa_helper_t context for execution
On Fedora 32+ and RHEL 8.3.0+ execution of ipa_helper_t context requires
SELinux policy permission to use 'noatsecure'. This comes most likely
from execve() setup by glibc.
Add SELinux interface ipa_helper_noatsecure() that can be called by
oddjob's SELinux policy definition.
In addition, if ipa_helper_t runs ipa-getkeytab, libkrb5 will attempt to
access SELinux configuration and produce AVC for that. Allow reading
general userspace SELinux configuration.
Fixes: https://pagure.io/freeipa/issue/8395
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
91713f4f by Alexander Bokovoy at 2020-07-06T10:47:18+03:00
selinux: support running ipa-custodia with PrivateTmp=yes
Related: https://pagure.io/freeipa/issue/8395
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
a90eefaf by Christian Heimes at 2020-07-06T09:50:57+02:00
Run test_fips in DS and PKI nightly
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
459bc6ba by Peter Keresztes Schmidt at 2020-07-06T14:38:58+03:00
WebUI: Fix rendering of boolean_status_formatter
With commit "WebUI: Apply jQuery patch to fix htmlPrefilter issue" (bc9f3e0557)
jQuery's handling of self-closing elements.
DOM before the above mentioned commit:
<div name="nsaccountlock"><i class="fa fa-check"></i> Enabled</div>
and after:
<div name="nsaccountlock"><i class="fa fa-check"> Enabled</i></div>
Explicitly closing the <i> element fixes the issue:
<div name="nsaccountlock"><i class="fa fa-check"></i> Enabled</div>
Fixes: https://pagure.io/freeipa/issue/8396
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
0dfb44c3 by Anuja More at 2020-07-06T15:33:53+02:00
ipatests : Test to verify override_gid works with subdomain.
When override_gid is set in sssd.conf in IPA domain section
Then it should also work for subdomain.
Related: https://pagure.io/SSSD/sssd/issue/4061
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
4247fb9c by Anuja More at 2020-07-06T15:33:53+02:00
ipatests: xfail test with older versions of sssd
Related to: https://pagure.io/SSSD/sssd/issue/4061
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
ea7b8d66 by Anuja More at 2020-07-06T15:33:53+02:00
ipatests: cleanup in test_subdomain_lookup_with_certmaprule_containing_dn
As tests was failing <= fedora31
Thus removed certmap-rule in cleanup as
subdomain lookup fails when certmaprule contains DN.
Related: https://pagure.io/SSSD/sssd/issue/3721
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
dcdcd1ce by Florence Blanc-Renaud at 2020-07-06T17:01:54+02:00
ipa cert-show: fix the code setting revocation reason
ipa cert-show wrongly displays all certs as Revoked.
The dogtag plugin code is checking if the JSON data received
from dogtag contains a RevocationReason with:
if 'RevocationReason' in resp:
but the value can be None.
Replace the check with
if 'RevocationReason' in resp and esp['RevocationReason'] is not None:
as this will execute the code only if there is a value
and it is not None.
Fixes: https://pagure.io/freeipa/issue/8394
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
51d5ec17 by Fraser Tweedale at 2020-07-06T19:13:00+03:00
cainstance.is_crlgen_enabled: handle missing ipa-pki-proxy.conf
A failed ipa-ca-install left my installation in an inconsistent
state. Then, 'ipa-server-install --uninstall' also failed when
is_crlgen_enabled() tried to read ipa-pki-proxy.conf, which was
missing.
Update is_crlgen_enabled() to handle missing ipa-pki-proxy.conf, by
raising InconsistentCRLGenConfigException instead of RuntimeError.
As a result, missing ipa-pki-proxy.conf is handled gracefully
because the calling code already catches
InconsistentCRLGenConfigException.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
069f41a0 by Christian Heimes at 2020-07-07T12:36:10+02:00
Add __signature__ to plugins
Auto-generate inspect.Signature from plugin arguments and options. The
signature is used by (amongst others) pydoc / help.
```
$ ipa console
>>> help(api.Command.group_add)
Help on group_add in module ipaserver.plugins.group object:
class group_add(ipaserver.plugins.baseldap.LDAPCreate)
| group_add(cn: str, *, description: str = None, gidnumber: int = None, setattr: List[str] = None, addattr: List[str] = None, nonposix: bool, external: bool, all: bool, raw: bool, version: str = None, no_members: bool) -> Dict[str, Any]
```
Fixes: https://pagure.io/freeipa/issue/8388
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
80794f6b by Christian Heimes at 2020-07-07T12:36:10+02:00
Make tab completion in console more useful
tab completion and dir() now show registered plugins in API name spaces.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
5ab24ddf by Fraser Tweedale at 2020-07-07T10:07:48-04:00
ca-del: require CA to already be disabled
Currently ca-del disables the target CA before deleting it.
Conceptually, this involves two separate permissions: modify and
delete. A user with delete permission does not necessarily have
modify permission.
As we head toward enforcing IPA permissions in Dogtag, it is
necessary to decouple disablement from deletion, otherwise the
disable operation shall fail if the user does not have modify
permission. Although it introduces an additional step for
administrators, the process is consistent, required permissions map
1:1 to the operations, and the error messages make it clear what
needs to happen (i.e. disable first).
Part of: https://fedorahosted.org/freeipa/ticket/5011
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
6da63e3b by Fraser Tweedale at 2020-07-07T10:07:48-04:00
ca plugin: improve doc
Update 'ca' plugin doc to mention which permissions are required for
the various commands. Also mention that CAs must first be disabled
before they can be deleted.
Part of: https://fedorahosted.org/freeipa/ticket/5011
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
6a0901f6 by Fraser Tweedale at 2020-07-07T10:07:48-04:00
tests: fix cleanup for CATracker
With ca-del now requiring disablement first, CATracker cleanup fails
because the CA is not yet disabled. Implement auto disable before
delete in CATracker, with an option to suppress. This suppress
option is used when testing the "disable first" option.
The patch also includes a tweak to EnableTracker cleanup. In case
the CA already got deleted (and in the case of CATracker, also
disabled), this avoids an attempt to re-enable the already-deleted
object.
Part of: https://fedorahosted.org/freeipa/ticket/5011
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
a087d82e by Alexander Scheel at 2020-07-08T11:50:37+02:00
Specify cert_paths when calling PKIConnection
PKIConnection now defaults to specifying verify=True. We've introduced
a new parameter, cert_paths, to specify additional paths (directories or
files) to load as certificates. Specify the IPA CA certificate file so
we can guarantee connections succeed and validate the peer's certificate.
Point to IPA CA certificate during pkispawn
Bump pki_version to 10.9.0-0.4 (aka -b2)
Fixes: https://pagure.io/freeipa/issue/8379
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849155
Related: https://github.com/dogtagpki/pki/pull/443
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1426572
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
17cf8edb by Florence Blanc-Renaud at 2020-07-08T15:14:47+02:00
Add test_dnssec to 389ds nightly tests
Rationale:
DNSSec relies on syncrepl plugin, provided by 389ds.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e4462a94 by Fraser Tweedale at 2020-07-09T10:22:50+10:00
certupdate: only add LWCA tracking requests on CA servers
ipa-certupdate throws an exception when executed on a non-CA server
in a CA-ful deployment with lightweight sub-CAs (LWCAs). Check that
we are on a CA server before attempting to create Certmonger
tracking requests for LWCAs.
HOW TO TEST
1. Install first server (with CA)
2. Install replica without CA
3. Create sub-CA (`ipa ca-add`)
4. Run `ipa-certupdate` on replica. Observe that no stack trace is
produced.
Fixes: https://pagure.io/freeipa/issue/8399
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
797a64b3 by Florence Blanc-Renaud at 2020-07-09T14:00:29+03:00
sshd template must be part of client package
The sshd_ipa.conf.template must be shipped with the client pkgs
in /usr/share/ipa/client but is currently delivered in /usr/share/ipa.
Fix the file location.
Fixes: https://pagure.io/freeipa/issue/8400
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
67d4517f by Armando Neto at 2020-07-09T14:03:40+03:00
ipatests: bump pr-ci templates
New template images for ci-master-f32 and ci-master-f31 with updated
packages.
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
8f640f86 by Peter Keresztes Schmidt at 2020-07-09T14:12:24+03:00
Populate nshardwareplatform and nsosversion during join operation
Fixes: https://pagure.io/freeipa/issue/8370
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
6e414d22 by Alexandre Mulatinho at 2020-07-09T14:17:47+03:00
ipa-join: allowing call with jsonrpc into freeipa API
Adding JSON-C and LibCURL library into configure.ac and Makefile.am
Creating a API call with option '-j' or '--jsonrpc' to make host join
on FreeIPA with JSONRPC and libCURL.
Related: https://pagure.io/freeipa/issue/7966
Signed-off-by: Alexandre Mulatinho <alex at mulatinho.net>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
5e7e4f0e by Peter Keresztes Schmidt at 2020-07-09T14:17:47+03:00
ipa-join: don't set TLS related curl options for JSON-RPC
Related: https://pagure.io/freeipa/issue/7966
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c197918e by Peter Keresztes Schmidt at 2020-07-09T14:17:47+03:00
ipa-join: improve curl error handling in JSON-RPC code
Related: https://pagure.io/freeipa/issue/7966
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c905f94f by Peter Keresztes Schmidt at 2020-07-09T14:17:47+03:00
ipa-join: buffer curl response before parsing json
CURLOPT_WRITEFUNCTION is not guaranteed to be called only
once per request and receive all data at once.
Use a dynamic buffer to cope with that case.
Related: https://pagure.io/freeipa/issue/7966
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
25205f44 by Peter Keresztes Schmidt at 2020-07-09T14:17:47+03:00
ipa-join: switch to jansson for json handling
Additionally JSON-RPC should bail out if host is already joined.
Check HTTP status of JSON-RPC request and report 401 Unauthorized error explicitly.
Related: https://pagure.io/freeipa/issue/7966
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
677659c8 by Peter Keresztes Schmidt at 2020-07-09T14:17:47+03:00
ipa-join: extract unenrollment code common to JSON and XML-RPC to separate function
Also fix some some memleaks on the way.
Related: https://pagure.io/freeipa/issue/7966
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
62503e4f by Peter Keresztes Schmidt at 2020-07-09T14:17:47+03:00
ipa-join: implement JSON-RPC based unenrollment
Related: https://pagure.io/freeipa/issue/7966
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f6940772 by Peter Keresztes Schmidt at 2020-07-09T14:17:47+03:00
ipa-join: select {JSON,XML}-RPC at build time
Related: https://pagure.io/freeipa/issue/7966
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a1b117a2 by Peter Keresztes Schmidt at 2020-07-09T14:17:47+03:00
ipa-join: Use bool type where appropriate
Related: https://pagure.io/freeipa/issue/7966
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
7cc977b9 by Peter Keresztes Schmidt at 2020-07-09T14:17:47+03:00
ipa-join: Generalize XML-RPC references in man page
The used RPC protocol (JSON or XML) is defined
at build time.
Related: https://pagure.io/freeipa/issue/7966
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2b6faa36 by Fraser Tweedale at 2020-07-10T08:33:22-04:00
acme: ipa-pki-proxy: proxy /acme to Dogtag
Update ipa-pki-proxy.conf to proxy requests to the /acme resource
namespace to Dogtag.
Part of: https://pagure.io/freeipa/issue/4751
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
dd301a45 by Fraser Tweedale at 2020-07-10T08:33:22-04:00
acme: set up ACME service when configuring CA
When configuring the CA, create, configure and deploy the PKI ACME
service instance. This includes creation (if necessary) of the LDAP
container object heirarchy in which ACME-related objects will be
stored.
Dogtag ACME RA account management will be added in a subsequent
commit, removing the use of the 'uid=admin' account (which as of
this commit just has a bogus password).
Part of: https://pagure.io/freeipa/issue/4751
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
5883cff0 by Fraser Tweedale at 2020-07-10T08:33:22-04:00
dogtaginstance: extract user creation to subroutine.
Extract the user and group membership creation behaviour from
DogtagInstance.setup_admin to its own method, 'create_user'. The
ACME setup routine will use it to create ACME RA accounts.
The @staticmethod decorator documents that 'create_user' does not
use 'self' or 'cls'. I preferred not to lift to a top-level def
because it is very much a "DogtagInstance" behaviour.
Part of: https://pagure.io/freeipa/issue/4751
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
a21823da by Fraser Tweedale at 2020-07-10T08:33:22-04:00
dogtaginstance: add ensure_group method
Add a method for creating a group (if it does not exist). This will
be used to create a group for ACME RA accounts.
Part of: https://pagure.io/freeipa/issue/4751
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
b3565290 by Fraser Tweedale at 2020-07-10T08:33:22-04:00
acme: create ACME RA account
The ACME certificate profile will require the (Dogtag) user
interacting with the CA to be a member of the (Dogtag) "ACME Agents"
group. Therefore for each CA server, as part of the ACME setup
routine create a dedicated ACME agent account and make it a member
of this group.
Part of: https://pagure.io/freeipa/issue/4751
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c309d4a4 by Fraser Tweedale at 2020-07-10T08:33:22-04:00
acme: add Dogtag ACL to allow ACME agents to revoke certs
Add an ACL to allow ACME agents to revoke certificates. Although
the operation "execute" sounds quite scary (as though it would have
a wide scope), in fact it only allows revocation (and unrevocation).
See CertResource.java and base/ca/shared/conf/acl.properties in the
Dogtag source.
Part of: https://pagure.io/freeipa/issue/4751
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
3c8352f9 by Fraser Tweedale at 2020-07-10T08:33:22-04:00
acme: add certificate profile
Add a default certificate profile to be used with the ACME service.
The profile requires the (Dogtag) user interacting with the CA to be
a member of the (Dogtag) "ACME Agents" group. For each CA server we
create a dedicated ACME agent account, make it a member of this
group, and configure the ACME issuer component to use that account.
Part of: https://pagure.io/freeipa/issue/4751
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d15000be by Fraser Tweedale at 2020-07-10T08:33:22-04:00
acme: configure ACME service on upgrade
Part of: https://pagure.io/freeipa/issue/4751
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
00a84464 by Fraser Tweedale at 2020-07-10T08:33:22-04:00
acme: configure engine.conf and disable by default
When deploying ACME set up configsources.conf to retrieve engine
configuration from engine.conf. In the initial configuration, the
ACME service is disabled (i.e. it will refuse to service requests).
A subsequent commit will add command(s) for flipping the ACME
service on or off (on a per-server basis). Later we will move to
LDAP configuration so that management of the ACME service is
deployment-wide.
The default configuration also disables issuance of wildcard
certificates.
Part of: https://pagure.io/freeipa/issue/4751
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
083c6aed by Fraser Tweedale at 2020-07-10T08:33:22-04:00
acme: add ipa-acme-manage command
Add the ipa-acme-manage command which can be used to enable or
disable the IPA ACME service. It must be used on each server. In
the future we will implement deployment-wide configuration
(including enable/disable) of the ACME service via IPA API, with
configuration stored in and replicated by LDAP. But until then, we
need a simple command for administrators to use.
Part of: https://pagure.io/freeipa/issue/4751
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
7b000357 by Fraser Tweedale at 2020-07-10T08:33:22-04:00
acme: add integration test
Add a preliminary integration test for the FreeIPA ACME service. It
only tests Certbot and the http-01 challenge. Testing of DNS
challenge could come later.
Part of: https://pagure.io/freeipa/issue/4751
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ab7226dc by Fraser Tweedale at 2020-07-10T08:33:22-04:00
acme: add integration test to nightly CI
Part of: https://pagure.io/freeipa/issue/4751
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
bb6d8490 by Fraser Tweedale at 2020-07-10T08:33:22-04:00
acme: add integration tests to gating
Because the FreeIPA ACME service is a new feature and may require
stabilisation, including it in gating CI. This is done as a
separate commit so that it can be reverted more easily.
Part of: https://pagure.io/freeipa/issue/4751
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
85d02720 by Fraser Tweedale at 2020-07-10T08:33:22-04:00
acme: add mod_md integration test
Add a test that configures a client to use mod_md Apache httpd
module to acquire a certificate from FreeIPA ACME service. This
test is currently skipped on Fedora because the package needs a fix
(see https://bugzilla.redhat.com/show_bug.cgi?id=1832841).
Part of: https://pagure.io/freeipa/issue/4751
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
f9f3b3b1 by Fraser Tweedale at 2020-07-10T08:33:22-04:00
acme: handle alternative schema ldif location
pki-server-10.9.0-0.3 relocates the ACME schema LDIF file. Look for
the file in both the old and new locations to smooth the transition.
Part of: https://pagure.io/freeipa/issue/4751
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e976dde8 by Fraser Tweedale at 2020-07-10T08:33:22-04:00
acme: add revocation test
Add an integration test that tests revocation via Certbot.
Part of: https://pagure.io/freeipa/issue/4751
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
a83eaa8b by Fraser Tweedale at 2020-07-10T08:33:22-04:00
acme: add certbot dns script
Add a script to use as a certbot hook for satisfying the dns-01
challenge. It will be used during testing, and may be useful or
instructive for users of FreeIPA.
It is installed as part of the freeipa-client package under
/usr/libexec/ipa/acme. Future ACME-related scripts can be added in
the same place.
Part of: https://pagure.io/freeipa/issue/4751
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
678b8e68 by Fraser Tweedale at 2020-07-10T08:33:22-04:00
acme: add certbot dns-01 test
Add a test for the dns-01 challenge using Certbot. This test uses
the new hook scripts distributed in the freeipa-client package.
Part of: https://pagure.io/freeipa/issue/4751
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
525b946b by Fraser Tweedale at 2020-07-10T08:33:22-04:00
acme: enable mod_md tests on Fedora
The Fedora mod_md package has received the required fixes
(see https://bugzilla.redhat.com/show_bug.cgi?id=1832841).
We can now enable the mod_md tests on Fedora.
Part of: https://pagure.io/freeipa/issue/4751
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1f720560 by Fraser Tweedale at 2020-07-10T08:33:22-04:00
acme: delete ACME RA account on server uninstall
For each CA server, a Dogtag user account is created for the ACME
service to use to authenticate to the CA subsystem. This commit
cleans up the Dogtag account upon server uninstallation.
The user deletion behaviour is extracted to a common method used for
both ACME RA account deletion (on uninstall) and removal of the
temporary admin account (during replica install).
Part of: https://pagure.io/freeipa/issue/4751
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
7de20e8e by Armando Neto at 2020-07-13T15:11:44+02:00
ipatests: bump pr-ci templates
New template images for ci-master-f32 and ci-master-f31 to include
latest certmonger package (`certmonger-0.79.11-2`).
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
3c18f94b by Michal Polovka at 2020-07-14T13:04:32-04:00
ipatests: test_epn: Fix package installation
EPN functionality is provided as separate package
freeipa-client-epn, but it is not installed during setup. This resolves
this behaviour.
Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
12529d7e by Jeremy Frasier at 2020-07-14T13:05:56-04:00
replica: Ensure the ipaapi user is allowed to access ifp on replicas
ipa-server-install executes ipa-client-install with the --on-master
flag set, which causes the ipaclient.install.client.sssd_enable_ifp()
function to be called. This function configures sssd so that the
ipaapi user is allowed to access ifp. Any FreeIPA replica should also
have sssd configured like this, but in that case we cannot simply pass
the --on-master flag to ipa-client-install because it has other side
effects. The solution is to call the
ipaclient.install.client.sssd_enable_ifp() function from inside the
ipaserver.install.server.replicainstall.promote_sssd() function.
https://pagure.io/freeipa/issue/8403
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
2ff1d6b4 by Jeremy Frasier at 2020-07-14T13:05:56-04:00
replica: Add tests to ensure the ipaapi user is allowed access to ifp on replicas
https://pagure.io/freeipa/issue/8403
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
8e05a8a8 by sumenon at 2020-07-15T10:23:45+02:00
ipatests: Tests to check profile is displayed for getcert request.
test_getcert_list_profile
This test checks that the cert request generated using
getcert utility which is placed in /var/lib/certmonger/requests
directory displays profile name and issuer fields
test_getcert_list_profile_using_subca
This test checks that the cert request generated with -X as
subca and -T <profilename> displays correct profilename
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
- - - - -
69da03b4 by Christian Heimes at 2020-07-15T14:03:40+02:00
Add missing SELinux rule for ipa-custodia.sock
A SELinux rule for ipa_custodia_stream_connect(httpd_t) was not copied
from upstream rules. It breaks installations on systems that don't have
ipa_custodia_stream_connect in SELinux domain for apache, e.g. RHEL 8.3.
Fixes: https://pagure.io/freeipa/issue/8412
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
4696644f by Peter Keresztes Schmidt at 2020-07-15T14:19:18+02:00
ipa-join: extract common JSON-RPC response parsing to common function
In preparation for handling JSON-RPC error codes.
Related: https://pagure.io/freeipa/issue/8408
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
6dfefc97 by Peter Keresztes Schmidt at 2020-07-15T14:19:18+02:00
ipa-join: handle JSON-RPC error codes
Error code 2100 (ACIError) is handled explicitly to match XML-RPC behaviour.
Fixes: https://pagure.io/freeipa/issue/8408
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
147b808f by Michal Polovka at 2020-07-15T14:47:12+02:00
ipatests: test_epn: test_EPN_config_file: Package name fix
Fix package name to respect different conventions in particular streams.
Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
2fcc260c by Fraser Tweedale at 2020-07-16T15:30:53+10:00
cainstance.update_ipa_conf: allow specifying ca_host
Enhance cainstance.update_ipa_conf() to allow specifying the
ca_host. This will be used to update replica configurations when a
CA-less deployment gets promoted to CA-ful.
Part of: https://pagure.io/freeipa/issue/7188
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
a1b3b34b by Fraser Tweedale at 2020-07-16T15:30:53+10:00
cainstance: extract function import_ra_key
After upgrading a deployment from CA-less to CA-ful it is necessary
to install the RA Agent credential on non-CA servers. To facilitate
this, extract this behaviour from CAInstance so that it is callable
from other code.
Several other methods became @staticmethod as a result of this
change. This makes those methods callable without an instance of
CAInstance and also documents that those methods do not use 'self'.
Part of: https://pagure.io/freeipa/issue/7188
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
53d472b4 by Fraser Tweedale at 2020-07-16T15:30:53+10:00
certupdate: update config after deployment becomes CA-ful
When a deployment gets promoted from CA-less to CA-ful other
replicas still have enable_ra=False in default.conf, and do not have
the ra-agent key and certificate. Enhance ipa-certupdate to detect
when the deployment has become CA-ful; retrieve the ra-agent
credential and update default.conf.
The rationale for adding this behaviour to ipa-certupdate is that it
is already necessary to use this command to update local trust
stores with the new CA certificate(s). So by using ipa-certupdate
we avoid introducing additional steps for administrators.
It is necessary to choose a CA master to use as the ca_host. We use
the first server returned by LDAP. A better heuristic might be to
choose a master in the same location but this is just left as a
comment unless or until the need is proven.
Finally, defer the httpd service restart until after the possible
update of default.conf so that the IPA API executes with the new
configuration.
This change also addresses the case of a CA server being removed
from the topology, i.e. ipa-certupdate detects when non-CA replicas
are pointing at the removed server, and chooses a new ca_host.
HOW TO TEST:
1. Install a CA-less server (first server).
2. Install a CA-less replica.
3. Run 'ipa-ca-install' on first server, promoting deployment from
CA-less to CA-ful.
4. Run 'ipa-certupdate' on second server.
5. Exceute 'ipa cert-show 5' on second server. Should succeed,
because ra-agent credential was retrieved and default.conf
updated at step #4.
Fixes: https://pagure.io/freeipa/issue/7188
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
04d25dd2 by sumenon at 2020-07-17T16:46:01+02:00
ipatests: Increase timeout value in test_getcert_list_profile_using_subca
test_getcert_list_profile_using_subca test had a timeout value of 50
waiting for the cert to be in MONITORING state, this has now been
replaced with 300, since the certmonger request was in state SUBMITTING
instead of MONITORING causing the test to fail.
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
28caa22a by Rob Crittenden at 2020-07-17T14:49:41-04:00
Don't delegate the TGT in ipa-join
Pre 3.0.0 IPA delegated the TGT to enforce access control in
389-ds. At the point that S4U2Proxy support was added there
were still IPA 2.0.x servers in use so this delegation was
left in place in ipa-join so that enrollment would work.
Those days are long gone, remove that support in the XML and
JSON RPC requests.
https://pagure.io/freeipa/issue/8405
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
eff65495 by Christian Heimes at 2020-07-20T09:46:16+02:00
Teach pylint how dnspython 2.x works
pylint does not understand pylint's
globals().update(RdataType.__members__) trick.
Fixes: https://pagure.io/freeipa/issue/8419
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
6ff31dbf by sumenon at 2020-07-20T22:45:45-04:00
ipatests: Test for ipa-nis-manage CLI tool.
The testcases added check the various options of ipa-nis-manage CLI
tool as below
1. ipa-nis-mange enable
2. ipa-nis-manage disable
3. Enabling NIS pluging with invalid admin password
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
27e9988f by François Cami at 2020-07-23T23:32:11+02:00
ipatests: xfail TestIpaClientAutomountFileRestore's final test
Due to a change in authselect, rolling back the installation
does not produce the same nsswitch.conf as on a clean install.
Mark the test xfail until ipa-client-install is enhanced to
use authselect profile backup/restore.
Related: https://pagure.io/freeipa/issue/8189
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
fcc99813 by sumenon at 2020-07-24T08:48:17-04:00
ipatests: Test to check IPACAChainExpirationCheck when IPA cacrt is renamed
This testcase checks that ERROR message is displayed
by IPACAChainExpirationCheck when ipa ca crt file is renamed.
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
- - - - -
78acf0bc by Rob Crittenden at 2020-07-27T09:47:27-04:00
Add fips-mode-setup to ipaplatform.paths to determine FIPS status
This will be used by freeipa-healthcheck to report FIPS config
status. It is added here to avoid duplicating platform independence
in a sister project.
https://pagure.io/freeipa/issue/8429
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
1fc1947c by Florence Blanc-Renaud at 2020-07-27T15:58:15-04:00
ipatests: fix TestUnprivilegedUserPermissions
A new test has been added to TestUnprivilegedUserPermissions that
duplicates the steps done in the precedent test. As the tests
are usually run sequentially, no need to duplicate.
Fixes: https://pagure.io/freeipa/issue/8413
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
062e18c4 by Florence Blanc-Renaud at 2020-07-27T15:58:15-04:00
ipatests: Fix TestReplicaPromotionLevel1
A new test was added to TestReplicaPromotionLevel1 but was run
after the replica uninstallation. As the new test checks
the content of /etc/sssd/sssd.conf on the replica, merge it with the
previous test, when the replica is still installed.
Fixes: https://pagure.io/freeipa/issue/8414
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
3546fef0 by François Cami at 2020-07-28T19:33:11+02:00
ipatests: test_commands: test_login_wrong_password: look farther in time
Sometimes test_login_wrong_password fails because the log window the
string message is searched in is too narrow.
Broaden the window by looking at the past 10 seconds.
Fixes: https://pagure.io/freeipa/issue/8432
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
f7ed1597 by François Cami at 2020-07-29T09:00:26+02:00
ipatests: re-enable test_sss_ssh_authorizedkeys
Re-enable test_sss_ssh_authorizedkeys.
Related: https://pagure.io/freeipa/issue/8151
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
178d8096 by François Cami at 2020-07-29T09:00:26+02:00
ipatests: test_sss_ssh_authorizedkeys
Add debug information to the ssh invocation.
Related: https://pagure.io/freeipa/issue/8151
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
d5148c65 by François Cami at 2020-07-29T13:53:52+02:00
tasks: add run_ssh_cmd
Paramiko is not compatible with FIPS.
A replacement is needed, and since what clients use is "ssh",
create a shim over it so that tests can leverage it.
Fixes: https://pagure.io/freeipa/issue/8129
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
73ae4c77 by François Cami at 2020-07-29T13:53:52+02:00
ipatests: test_commands: test_ssh_key_connection: Paramiko=>OpenSSH
Paramiko is not compatible with FIPS.
Migrate test_ssh_key_connection to the OpenSSH CLI SSH(1).
Rationale: this is exactly what clients use.
Fixes: https://pagure.io/freeipa/issue/8129
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
5cc7a2b7 by François Cami at 2020-07-29T13:53:52+02:00
ipatests: test_user_permissions: test_selinux_user_optimized Paramiko=>OpenSSH
Paramiko is not compatible with FIPS.
Migrate test_selinux_user_optimized to the OpenSSH CLI SSH(1).
Rationale: this is exactly what clients use.
Fixes: https://pagure.io/freeipa/issue/8129
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
27ed8260 by François Cami at 2020-07-29T13:53:52+02:00
ipatests: test_commands: test_ssh_from_controller: refactor
test_ssh_from_controller does not use methods provided by tasks.py.
Refactor using those methods.
Related: https://pagure.io/freeipa/issue/8129
Signed-off-by: François Cami <fcami at redhat.com>
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
112386f7 by François Cami at 2020-07-29T13:53:52+02:00
ipatests: test_commands: test_ssh_from_controller: Paramiko=>OpenSSH
Paramiko is not compatible with FIPS.
Migrate test_ssh_from_controller to the OpenSSH CLI SSH(1).
Rationale: this is exactly what clients use.
Fixes: https://pagure.io/freeipa/issue/8129
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
326e1334 by François Cami at 2020-07-29T13:53:52+02:00
ipatests: test_commands: test_login_wrong_password: Paramiko=>OpenSSH
Paramiko is not compatible with FIPS.
Migrate test_login_wrong_password to the OpenSSH CLI SSH(1).
Rationale: this is exactly what clients use.
Fixes: https://pagure.io/freeipa/issue/8129
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
a9f05578 by François Cami at 2020-07-29T13:53:52+02:00
ipatests: ui_driver: convert run_cmd_on_ui_host to tasks.py::run_ssh_cmd
Paramiko is not compatible with FIPS.
Migrate run_cmd_on_ui_host to the OpenSSH CLI SSH(1) using
tasks.py's run_ssh_cmd.
Rationale: this is exactly what clients use.
Fixes: https://pagure.io/freeipa/issue/8129
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
763d3b05 by François Cami at 2020-07-29T13:53:52+02:00
ipatests: test_otp: convert test_2fa_enable_single_prompt to run_ssh_cmd
Paramiko is not compatible with FIPS.
Migrate test_2fa_enable_single_prompt to the OpenSSH CLI SSH(1).
Rationale: this is exactly what clients use.
Also add a warning when test_2fa_disable_single_prompt is executed in FIPS mode.
Fixes: https://pagure.io/freeipa/issue/8129
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
b25bccc5 by Serhii Tsymbaliuk at 2020-07-29T14:06:55+02:00
WebUI: Fix issue with opening links in new tab/window
- fix table item links reference
- fix global menu links reference
- fix API browser side panel links
- fix tab links reference
Ticket: https://pagure.io/freeipa/issue/7137
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
d452e45f by Serhii Tsymbaliuk at 2020-07-29T14:06:55+02:00
WebUI tests: Change navigation tests to find menu items using data-name instead of href
Since menu pseudo-links was replaced with real one, navigation tests must be changed to not use href
for searching items.
Ticket: https://pagure.io/freeipa/issue/7137
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
55b7787e by Stanislav Levin at 2020-07-29T15:10:00-04:00
ipatests: Don't turn Pytest IPA deprecation warnings into errors
With new Pytest 6.0 [0]:
> PytestDeprecationWarning are now errors by default.
Following our plan to remove deprecated features with as little disruption as
possible, all warnings of type PytestDeprecationWarning now generate errors
instead of warning messages.
PytestWarnings are no longer marked as the part of public API, but as
internal warnings. It's unsafe to use bare PytestDeprecationWarning,
which is turned into the error on major releases.
[0]: https://github.com/pytest-dev/pytest/releases/tag/6.0.0
Fixes: https://pagure.io/freeipa/issue/8435
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
5dd56695 by Rob Crittenden at 2020-07-30T10:57:35+02:00
Replace SSLCertVerificationError with CertificateError for py36
This exception was added in python 3.7. Use CertificateError
instead which is an alias and will work with older python releases.
https://bugzilla.redhat.com/show_bug.cgi?id=1858318
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
eec5c9d8 by Christian Heimes at 2020-07-30T11:38:25+02:00
Allow to override ipaplatform with env var
The ipaplatform provider module can now be overriden by setting
IPAPLATFORM_OVERRIDE environment variable.
Fixes: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
02986ff4 by Christian Heimes at 2020-07-30T11:38:25+02:00
Add ipaplatform for Fedora and RHEL container
Container platforms for Fedora and RHEL simplify FreeIPA container
effort. Paths are based on patches from
https://github.com/freeipa/freeipa-container
Fixes: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
64b20aad by Christian Heimes at 2020-07-30T11:38:25+02:00
Write state dir to smb.conf
smb.conf now sets state and cache directory, then includes the registry.
This also allows us to write the final smb.conf before importing
remaining settings into the Samba registry.
Fixes: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
664007e0 by Christian Heimes at 2020-07-30T11:38:25+02:00
Explicitly pass keytab to ipa-join
ipa-join defaults to /etc/krb5.keytab. Use ``-k paths.KRB5_KEYTAB`` to
write the keytab to /data share in containers.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
8f6502db by Christian Heimes at 2020-07-30T11:38:25+02:00
Convert ipa-httpd-pwdreader into Python script
and use paths from ipaplatform.
Fixes: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
bb2dfbbf by sumenon at 2020-07-30T13:03:46+02:00
ipatests: Test IPACertNSSTrust check when trust attributes is modified for specific cert
This test modifies the trust attribute of Server-Cert
and checks that healthcheck tool reports correct status
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
550fbc0b by Rob Crittenden at 2020-07-30T13:08:18+02:00
ipatests: Test cases for healthcheck File checker(s)
These check for modified file ownership (user and group) and
too permissive and restrictive permissions across the three
types of files checked by the healthcheck FileCheck.
This replaces an existing test for TomcatFileCheck which adds
more functionality and consolidates all file checks together.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
- - - - -
f12d3772 by Florence Blanc-Renaud at 2020-07-30T13:10:39+02:00
ipa-client-install: use the authselect backup during uninstall
When ipa-client-install is run on a system with no existing
authselect configuration (for instance a fedora 31 new install),
uninstallation is picking sssd profile but this may lead to
a configuration with differences compared to the pre-ipa-client
state.
Now that authselect provides an option to backup the existing
configuration prior to setting a profile, the client install
can save the backup name and uninstall is able to apply the
backup in order to go back to the pre-ipa-client state.
Fixes: https://pagure.io/freeipa/issue/8189
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
aac570bb by Florence Blanc-Renaud at 2020-07-30T13:10:39+02:00
ipatests: remove the xfail for test_nfs.py
Related: https://pagure.io/freeipa/issue/8189
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
143b23cb by Florence Blanc-Renaud at 2020-07-30T13:10:39+02:00
ipatests: fix test_authselect
Before the code fix, install/uninstall on a config without
any authselect profile was not able to restore the exact
state but configured sssd profile instead.
Now that the code is doing a pre-install backup, uninstall
restores the exact state and the test needs to be updated
accordingly.
Related: https://pagure.io/freeipa/issue/8189
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
5d9d6348 by Serhii Tsymbaliuk at 2020-07-30T14:24:26+03:00
WebUI: Fix error "unknown command 'idoverrideuser_add_member'"
There was wrong IPA.associator class used for 'Groups' -> 'User ID overrides' association,
as a result a wrong command was sent to the server.
Ticket: https://pagure.io/freeipa/issue/8416
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
bcae2094 by Serhii Tsymbaliuk at 2020-07-30T14:24:26+03:00
WebUI tests: Add test case to cover user ID override feature
The test case includes adding an user ID override to Default Trust View
and adding the ID override to some IPA group.
Ticket: https://pagure.io/freeipa/issue/8416
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c84b1db8 by Rob Crittenden at 2020-07-30T18:15:05+02:00
ipatests: Test that healthcheck detects and reports expiration
Set the date forward to while the certificates are still valid and
run healthcheck to confirm that an appropriate warning is made.
This validates two separate checks, one that relies on certmonger
to report expiration and one that relies on the data on disk to
determine expiration in case certmonger is out-of-date for some
reason (belt and suspenders).
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
07bc5e25 by Rob Crittenden at 2020-07-30T23:02:24+02:00
ipatests: Add healthcheck test for FileSystemSpaceCheck
Create a large file in one of the checked filesystems beyond
the allowed threshold and ensure that both the minimum space
and minimum percent errors are reported.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
e1027cc8 by Rob Crittenden at 2020-07-30T23:04:03+02:00
ipatests: verify that all services can be detected by healthcheck
Add fixture to handle restarting services so that if something
goes wrong in the test the service(s) will all be restarted
so that subsequent tests can pass. Services are restarted in
reverse order.
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
d238fb4f by Rob Crittenden at 2020-07-31T12:47:00-04:00
ipatests: lib389 is now providing healthchecks, update naming
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
61c71e4a by Rob Crittenden at 2020-07-31T12:47:00-04:00
ipatests: Use healthcheck namespacing in stopped server test
The test_run_with_stopped_master() test runs ipactl stop
and then verifies that all the errors relate to the services
not being available. The newly integrated PKI tests also
report errors in this case.
Use the namespacing introduced in freeipa-healthcheck-0.6
to limit the execution to the ipahealthcheck.meta checks
to avoid the spurious PKI errors.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
cf8ef6fd by Peter Keresztes Schmidt at 2020-07-31T17:38:39-04:00
ipa-backup/restore: remove remaining chdir calls
Closes: https://pagure.io/freeipa/issue/7416
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
0a3c98d2 by Florence Blanc-Renaud at 2020-08-03T19:16:32+02:00
ipatests: increase test_trust timeout
The integration test test_trust is often failing on timeout.
Add 30 minutes to increase the chances of completion.
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
9335bd92 by Florence Blanc-Renaud at 2020-08-03T18:00:08-04:00
CAless installation: set the perms on KDC cert file
In CA less installation, the KDC certificate file does not have
the expected 644 permissions. As a consequence, WebUI login
fails.
The fix makes sure that the KDC cert file is saved with 644 perms.
Fixes: https://pagure.io/freeipa/issue/8440
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
a26e0ba5 by Florence Blanc-Renaud at 2020-08-03T18:00:08-04:00
ipatests: check KDC cert permissions in CA less install
The KDC certificate file must be stored with 644 permissions.
Add a test checking the file permissions on server + replica.
Related: https://pagure.io/freeipa/issue/8440
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
44259e8e by Mark Reynolds at 2020-08-04T10:54:57+03:00
Issue 8407 - Support changelog integration into main database
Description: Add support for both the old and new replication changelogs.
First try to get and update the new entry, if it's not found
then we know we need to update the old global changelog entry.
Fixes: https://pagure.io/freeipa/issue/8407
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Fix missing self, and missing arg
Fix copy/paste error
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3a42bc09 by Alexander Bokovoy at 2020-08-04T18:43:22+03:00
extdom-extop: refactor tests to use unshare+chroot to override nss_files configuration
Unit tests for ipa-extdom-extop plugin use nss_files.so.2 module to test the
functionality instead of relying on SSSD API or nss_sss.so.2 module. The latter
two cannot be used in build environment.
nss_files.so.2 always tries to open /etc/passwd and /etc/group. In past, we
overloaded 'fopen()' to change the path to opened file but this stops working
after glibc consolidate file opening in nss_files with the code starting at
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=299210c1fa67e2dfb564475986fce11cd33db9ad,
this method is not usable anymore and builds against glibc 2.31.9000+ fail in
cmocka unit test execution in Rawhide.
Apply an alternative approach that uses a new user namespace to unshare the
test from its parent and chroot to the test data where expected /etc/passwd and
/etc/group are provided. This method works only on Linux, thus only run the
unit test on Linux.
In case unshare() or chroot() fail, we have to skip tests that use
nss_files.so.2.
Fixes: https://pagure.io/freeipa/issue/8437
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d55e339d by Florence Blanc-Renaud at 2020-08-04T13:34:56-04:00
ipatests: fix test_ipahealthcheck.py::TestIpaHealthCheck
test_ipa_healthcheck_expiring is assuming that it's executed
on a KRA-less installation, but the test is executed after
test_ipa_healthcheck_no_errors that configures the KRA.
With a KRA install, 12 certs are monitored instead of 9.
Fixes: https://pagure.io/freeipa/issue/8439
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c81cac70 by Stanislav Levin at 2020-08-04T13:47:28-04:00
pylint: Fix warning and error
- fixed W0612(unused-variable)
- added missing dependency on python-yaml
Fixes: https://pagure.io/freeipa/issue/8442
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
606f1abd by Florence Blanc-Renaud at 2020-08-05T14:02:37-04:00
ipatests: collect IPA_RENEWAL_LOCK file
In order to troubleshoot certmonger timeouts, collect the
file /run/ipa/renewal.lock that is used as cross-process lock
by ipa-server-guard.
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
61db3527 by Rob Crittenden at 2020-08-05T14:04:57-04:00
ipatests: Test healthcheck revocation checker
Revoke the Apache certificate and ensure that healthcheck properly
reports the problem.
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
07341990 by Sergey Orlov at 2020-08-05T18:33:22-04:00
Fix password file permission
Invalid permission makes file unreadable by owner if he is not root.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ec367aa4 by Rob Crittenden at 2020-08-06T12:49:51+02:00
Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations
It was previously being set to 0444 which triggered a warning
in freeipa-healthcheck.
Even root needs DAC_OVERRIDE capability to write to a 0o444 file
which may not be available in some environments.
https://pagure.io/freeipa/issue/8441
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
7e37b45e by Rob Crittenden at 2020-08-06T12:49:51+02:00
ipatests: Check permissions of /etc/ipa/ca.crt new installations
It should be 0644 root:root for both CA-ful and CA-less installs.
https://pagure.io/freeipa/issue/8441
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
0fa86869 by Rob Crittenden at 2020-08-06T14:11:27+02:00
Simplify determining if an IPA server installation is complete
When asking the quesiton "is my IPA server configured?" right now
we look at whether the installation backed up any files and set
any state. This isn't exactly precise.
Instead set a new state, installation, to True as soon as IPA
is restarted at the end of the installer.
On upgrades existing installations will automatically get this
state.
This relies on the fact that get_state returns None if no state
at all is set. This indicates that this "new" option isn't available
and when upgrading an existing installation we can assume the
install at least partly works.
The value is forced to False at the beginning of a fresh install
so if it fails, or is in a transient state like with an external
CA, we know that the installation is not complete.
https://pagure.io/freeipa/issue/8384
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
4758db12 by Rob Crittenden at 2020-08-06T14:11:27+02:00
Simplify determining if IPA client configuration is complete
When asking the quesiton "is my IPA client configured?" right now
we look at whether the installation backed up any files and
/etc/ipa/default.conf exists.
Instead set a new state, installation, to True as soon as the
client installation finishes.
Unlike the server there is no upgrade process for clients so this
isn't going to be all that useful for quite some time unless that
changes because upgrading an existing install won't set this
to True.
https://pagure.io/freeipa/issue/8384
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
d7a4756d by Rob Crittenden at 2020-08-06T14:11:27+02:00
Create a common place to retrieve facts about an IPA installation
This is common to both client and server. Start with whether the
client or server is configured.
https://pagure.io/freeipa/issue/8384
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
5e027134 by Rob Crittenden at 2020-08-06T14:11:27+02:00
Don't use the has_files() to know if client/server is configured
Use the is_ipa_configure() and is_ipa_client_configured() utilities
instead which are much more robust.
https://pagure.io/freeipa/issue/8384
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
2c3a042c by Rob Crittenden at 2020-08-06T14:11:27+02:00
Update check_client_configuration to use new client fact
check_client_configuration differs from is_ipa_client_configured
in that it raises an exception if not configured so is a nice
convenience in AdminTool scripts. Port it to call to
is_ipa_client_configured() instead of determining the install
state on its own.
https://pagure.io/freeipa/issue/8384
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
99948590 by Christian Heimes at 2020-08-06T14:20:54+02:00
Don't configure authselect in containers
freeipa-container images come with authselect pre-configured. There is
no need to configure, migrate, or restore authselect. The --mkhomedir
option is not supported, too.
Related: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
06a344a5 by Stanislav Levin at 2020-08-06T10:13:52-04:00
ipatests: Add compatibility against python-cryptography 3.0
The recently released python-cryptography 3.0 has backward incompatible
changes. One of them [0] breaks FreeIPA self-tests.
Note: this requires python-cryptography 2.7+.
[0] https://github.com/pyca/cryptography/commit/3b2102af549c1095d5478bb1243ee4cf76b9762b
Fixes: https://pagure.io/freeipa/issue/8428
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
592f3fe6 by Kaleemullah Siddiqui at 2020-08-06T18:43:53+02:00
Tests for fake_mname parameter setup
fake_mname can be set through dnsserver-mod's --soa-mname-override
option which was not doable through same parameter setup in
/etc/named.conf
https://bugzilla.redhat.com/show_bug.cgi?id=1488732
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
df5526fb by Peter Keresztes Schmidt at 2020-08-07T12:42:50+02:00
WebUI: Make object_class_evaluator evaluator compatible with batch responses
Use data adapter in evaluator to be able to deal with batch
RPC responses.
Related: https://pagure.io/freeipa/issue/8336
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
2d87cd4a by Peter Keresztes Schmidt at 2020-08-07T12:42:50+02:00
WebUI: Unify adapter property definition for state evaluators
Move adapter property definition to IPA.state_evaluator since it
is used by all evaluators
Related: https://pagure.io/freeipa/issue/8336
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
e1750e2a by François Cami at 2020-08-07T12:50:25+02:00
ipatests: tasks.py: fix ipa-epn invocation
tasks.py::ipa_epn would previously fail to invoke ipa-epn with
from_nbdays=0.
Related: https://pagure.io/freeipa/issue/8449
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
41333b63 by François Cami at 2020-08-07T12:50:25+02:00
ipatests: test_epn: test_EPN_nbdays enhancements
Enhance test_EPN_nbdays so that it checks:
* that no emails get sent when using --dry-run
* that --from-nbdays implies --dry-run
* that --to-nbdays requires --from-nbdays
* illegal inputs for nbdays:
** from-nbdays > to-nbdays
** non-numerical input
** decimal input
Fixes: https://pagure.io/freeipa/issue/8449
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
2b85bfb0 by Stanislav Levin at 2020-08-07T17:49:31+03:00
Azure: Switch to dockerhub provider
`registry.fedoraproject.org/f32/fedora-toolbox` image is used to build
packages on Azure Pipelines.
registry.fedoraproject.org experiences an availability problem and makes
unstable FreeIPA CI.
Fedora also distributes its official images on https://hub.docker.com/_/fedora.
`fedora:32` is already used by FreeIPA CI to build the image for tests.
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
e5c09675 by Stanislav Levin at 2020-08-07T17:49:31+03:00
ipatests: Skip keyring tests on containerized platforms
The kernel keyrings are not namespaced yet.
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
e89b4007 by Christian Heimes at 2020-08-07T17:54:06+03:00
Treat container subplatforms like main platform
ipa-server-upgrade does not like platform mismatches. Upgrade from an
old container to recent container fails with error message:
```
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
("Unable to execute IPA upgrade: platform mismatch (expected 'fedora', current 'fedora_container')", 1)
```
Upgrade state now treats a container subplatform like its main platform.
``fedora_container`` is really a ``fedora`` platform with some paths
redirected to ``/data`` partition.
The patch also enhances debug logging for installer and upgrader.
Related: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
0dc084a3 by Rob Crittenden at 2020-08-07T16:44:28-04:00
Address legacy pylint issues in sysrestore.py
These were triggered because of the movement of sysrestore.py in
the tree
https://pagure.io/freeipa/issue/8384
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
5fc526b1 by François Cami at 2020-08-07T17:14:24-04:00
IPA-EPN: Use a helper to retrieve LDAP attributes from an entry
Allow for empty attributes.
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
3bd03ea9 by François Cami at 2020-08-07T17:14:24-04:00
IPA-EPN: fix configuration file typo
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
a2bf5958 by Rob Crittenden at 2020-08-07T17:14:24-04:00
IPA-EPN: Test that users without givenname and/or mail are handled
The admin user does not have a givenname by default, allow for that.
Report errors for users without a default e-mail address.
Update the SHA256 hash with the typo fix.
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
f2711321 by Florence Blanc-Renaud at 2020-08-10T12:04:41+02:00
ipatests: fix TestIpaHealthCheckWithoutDNS failure
TestIpaHealthCheckWithoutDNS is launched after
TestIpaHealthCheck::test_ipa_healthcheck_expiring that is playing with
the date. At the end of test_ipa_healthcheck_expiring, the date is
reset using systemctl start chronyd but the date may need time to adjust
and the subsequent tests may be launched with a system date set in the
future.
When this happens, dnf install fails because the certificate for
the package repo is seen as expired, and TestIpaHealthCheckWithoutDNS
fails.
In order to avoid this issue, reset the date to the value saved at the
beginning of the test.
Fixes: https://pagure.io/freeipa/issue/8447
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
6edf648d by François Cami at 2020-08-10T09:02:59-04:00
ipatests: test_epn: add test_EPN_connection_refused
Add a test for EPN behavior when the configured SMTP does not
accept connections.
Fixes: https://pagure.io/freeipa/issue/8445
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
22cf65b0 by François Cami at 2020-08-10T09:02:59-04:00
IPA-EPN: Fix SMTP connection error handling
Enhance error message when SMTP is down.
Fixes: https://pagure.io/freeipa/issue/8445
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c5853768 by Rob Crittenden at 2020-08-10T11:49:57-04:00
ipatests: CLI validation of ipa-healthcheck command
Test for illegal input values.
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
- - - - -
143dea18 by Rob Crittenden at 2020-08-10T11:49:57-04:00
Added negative test case for --list-sources option
Negative test test_append_arguments_to_list_sources added
to --list-sources
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
- - - - -
97006786 by François Cami at 2020-08-12T09:02:08-04:00
IPA-EPN: enhance input validation
Enhance input validation:
* make sure --from-nbdays and --to-nbdays are integer
* make sure --from-nbdays < --to-nbdays
Fixes: https://pagure.io/freeipa/issue/8444
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
5452f020 by François Cami at 2020-08-12T09:02:08-04:00
ipatests: test_epn: update error messages
Update error messages in the test.
Fixes: https://pagure.io/freeipa/issue/8449
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
400ef3aa by sumenon at 2020-08-17T09:07:12+02:00
ipatests: Tests for ipahealthcheck tool with IPA external
This testsuite checks whether the healthcheck tool reports
correct status in a scenario when IPA server is setup with
external self-signed CA. Below are the checks covered
IPACRLManagerCheck
IPACertmongerCA
IPAOpenSSLChainValidation
IPANSSChainValidation
IPARAAgent
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
- - - - -
7642ce35 by sumenon at 2020-08-17T09:07:12+02:00
Modified nightly YAML files to include ipa-healthcheck ExternalCA Tests
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
- - - - -
777147e0 by Stanislav Levin at 2020-08-17T10:40:44+02:00
rpm-spec: Don't fail on missing /etc/ssh/ssh_config
openssh-clients is not a strict requirement of freeipa-client
package and if it's missing then this case should be handled in
post scriptlet of freeipa-client package. Otherwise, the remaining
part of that scriptlet will not be run at all.
Fixes: https://pagure.io/freeipa/issue/8459
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
b9ae7c45 by Mark Reynolds at 2020-08-17T10:44:03+02:00
Issue 8456 - Add new aci's for the new replication changelog entries
Description: We need a read and a write aci for the new changelog location,
which was moved from cn=changelog5,cn=config to
cn=changelog,cn=BACKEND,cn=ldbm database,cn=plguins,cn=config
The read aci allows the replica hostgroup entry to find and
read the changelog confguration, and the write allows the replica
to update the changelog with a proper trimming settings.
Fixes: https://pagure.io/freeipa/issue/8456
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
89d86dac by Stanislav Levin at 2020-08-17T10:46:23+02:00
uninstall: Don't fail on missing /var/lib/samba
On some distros freeipa-server package may not depend on
`/var/lib/samba` directory. In this case an uninstallation of
ipaserver fails.
Fixes: https://pagure.io/freeipa/issue/8461
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
5c1e4483 by Stanislav Levin at 2020-08-17T10:46:23+02:00
uninstall: Clean up no longer used flag
The `_server_trust_ad_installed` was added as a flag which
indicates that `freeipa-server-trust-ad` package is installed.
Later, `ipaserver/install/adtrustinstance.py` module was moved out
into `freeipa-server` package and the import became unconditionally
successful.
Fixes: https://pagure.io/freeipa/issue/8461
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
03a5e5f3 by Stanislav Levin at 2020-08-17T10:46:23+02:00
spec: Move ipa-cldap plugin out to freeipa-server-trust-ad package
This ns-slapd plugin is used as a CLDAP server which responses to
AD DCs with an information about IPA domain. So, logically it
belongs to freeipa-server-trust-ad package.
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f7a6c468 by Florence Blanc-Renaud at 2020-08-17T14:36:16-04:00
ipatests: remove xfail from test_dnssec
The nightly test test_dnssec.py::TestInstallDNSSECFirst::test_chain_of_trust
used to fail because of https://github.com/rthalley/dnspython/issues/343,
but the issue has been fixed upstream and does not happen any more since
PRCI is using python3-dns-1.16.0-7.
Remove the xfail.
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
- - - - -
af5138c2 by Rob Crittenden at 2020-08-18T11:06:04+02:00
IPA-EPN: Test that EPN can be install, uninstalled and re-installed
Verify that no cruft is left over that will prevent reinstallation
if it is uninstalled.
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
a8d5e6bb by Rob Crittenden at 2020-08-18T11:11:26+02:00
Fall back to old server installation detection when needed
If there is no installation section the the install pre-dated
this new method of detecting a successful installation, fall back
to that.
https://pagure.io/freeipa/issue/8458
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
2bdb18d5 by Rob Crittenden at 2020-08-18T11:11:26+02:00
Use is_ipa_configured from ipalib.facts
A couple of places still used the deprecated installutils version.
https://pagure.io/freeipa/issue/8458
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
25e042d3 by Rob Crittenden at 2020-08-18T11:11:26+02:00
ipatests: Add test for is_ipa_configured
Validate that is_ipa_configured() returns True when using either
the original and the new configuration methods. This will allow
older installs to successfully upgrade.
https://pagure.io/freeipa/issue/8458
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
18a8a415 by Rob Crittenden at 2020-08-19T13:59:11-04:00
Improve performance of ipa-server-guard
* Drop support for python 2
* Only import traceback and syslog when needed
* Only import ipaserver.install.certs when the lock is needed
* Only import ipautil when run is needed
For the unsupported operations case this improves performance by
95%
For the supported operations that don't require a lock the
improvement is about 50%.
For the supported operations that require a lock the improvement
is about 20%
When configuring a CA certmonger calls its helper with the
following operations:
IDENTIFY
FETCH-ROOTS
GET-SUPPORTED-TEMPLATES
GET-DEFAULT-TEMPLATE
GET-NEW-REQUEST-REQUIREMENTS
GET-RENEW-REQUEST-REQUIREMENTS
FETCH-SCEP-CA-CAPS
FETCH-SCEP-CA-CERTS
Only IDENTIFY, FETCH-ROOTS and GET-NEW-REQUEST-REQUIREMENTS are
supported by ipa-submit, along with the request options SUBMIT and
POLL.
Which means every time the IPA CA in certmonger is updated
eight calls to ipa-server-guard are made so the savings are
cumulative.
The savings when executing these eight operations is a 73% decrease
(.7 sec vs 2.5 sec).
https://pagure.io/freeipa/issue/8425
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
454e023a by Rob Crittenden at 2020-08-19T14:01:01-04:00
ipatests: stop the CA during healthcheck expiration test
Time is moved during the test to ensure that ipa-healthcheck
finds expired certificates. It's possible that certmonger will also
wake up and renew the certificates before ipa-healthcheck can
execute so shut down the CA during the test.
https://pagure.io/freeipa/issue/8463
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
- - - - -
c08c7e11 by Mark Reynolds at 2020-08-19T14:02:27-04:00
Increase replication changelog trimming to 30 days
A long time ago the DS team recommended that the changelog trimming interval be set to 7 days. However, more recently we tend to see more time skews on certain platforms, and issues where it appears changes were trimmed too early (which can break replication).
It would be better to set the trimming interval to 30 days. This still prevents the changelog from getting too large, and it should help with some of the other issues we are now seeing.
Fixes: https://pagure.io/freeipa/issue/8464
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
abd0cbfc by Mohammad Rizwan at 2020-08-19T14:04:43-04:00
ipatests: Test certmonger rekey command works fine
Certmonger's rekey command was throwing an error as
unrecognized command. Test is to check if it is working fine.
related: https://bugzilla.redhat.com/show_bug.cgi?id=1249165
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
20ece52b by Alexander Bokovoy at 2020-08-20T13:01:49+03:00
master: update po/ipa.pot
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4fdf69ad by Alexander Bokovoy at 2020-08-20T13:05:57+03:00
Add alternative email to the mailmap for myself
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
11a64478 by Alexander Bokovoy at 2020-08-20T13:09:14+03:00
Add new contributors
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
de105aa8 by Stanislav Levin at 2020-08-23T09:16:18+03:00
pylint: Teach pylint about more RRs types
There are many types of RRs which are provided by dnspython.
This is not all, but enough for now to fix linting errors
caused by new dnspython 2.0.
Fixes: https://pagure.io/freeipa/issue/8468
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6e858725 by Stanislav Levin at 2020-08-23T09:16:18+03:00
pylint: Fix warning W0612(unused-variable)
New warnings were found by new pylint (2.5.3).
Fixes: https://pagure.io/freeipa/issue/8468
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ec6369ca by Stanislav Levin at 2020-08-23T09:16:18+03:00
pylint: Ignore `super-with-arguments`
Pylint 2.6.0 added new check:
> Add super-with-arguments check for flagging instances of Python 2
style super calls.
According to PEP 3135 this form of `super` is syntactic sugar and
is not mandatory. Right now there are 566 affected `super`s.
http://pylint.pycqa.org/en/latest/whatsnew/changelog.html#what-s-new-in-pylint-2-6-0
https://www.python.org/dev/peps/pep-3135/
Fixes: https://pagure.io/freeipa/issue/8468
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
8831b9b6 by Stanislav Levin at 2020-08-23T09:16:18+03:00
pylint: Ignore `raise-missing-from`
Pylint 2.6.0 introduces new check:
> Add raise-missing-from check for exceptions that should have a
cause.
According to PEP 3134 the implicit exception chaining is valid and
can be used.
http://pylint.pycqa.org/en/latest/whatsnew/changelog.html#what-s-new-in-pylint-2-6-0
https://www.python.org/dev/peps/pep-3134/
Fixes: https://pagure.io/freeipa/issue/8468
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
b3d7a70e by Mohammad Rizwan at 2020-08-24T10:00:05+03:00
ipatests: Add PTR record for IP SAN
If PTR record is missing for an IP address then cert request
with SAN option throws an error. This fix is to add the PTR
record so that cert request doesn't throw an error.
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
- - - - -
bddbfb79 by Mohammad Rizwan at 2020-08-24T10:00:05+03:00
ipatests: add --skip-overlap-check option to prepare_reverse_zone()
add --skip-overlap-check in case it overlap with an existing zone
or with dnszone outside of IPA.
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
- - - - -
1abeb85f by Mohammad Rizwan at 2020-08-24T10:00:05+03:00
PEP8 fixes
PEP8 fixes for visual indent, line > 79, blank line required etc
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
- - - - -
3f5f68e7 by Sumedh Sidhaye at 2020-08-24T10:22:02+02:00
test_cert.py is timing out due to newly added test test_cert.py::TestCertmongerRekey which needs more time to execute. Adding additional 30 mins to the timeout in order to complete the test run
Failing test run:
http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/249e30e4-e349-11ea-ac03-fa163e1ffcbd
Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
0a01f576 by Alexander Bokovoy at 2020-08-24T11:55:46+02:00
test_smb: make sure both smbserver and smbclient use IPA master for DNS
test_smb test suite sets up IPA master, AD forest, and two clients.
The clients are used as an SMB server and an SMB client and they need to
resolve and authenticate AD users with Kerberos.
Previously, the test only configured SMB client to use IPA master as its
DNS server. SMB server wasn't using IPA master and thus any attempt to
resolve SRV records from AD DNS zone was failing.
Make sure that both SMB client's and SMB server's DNS resolution is set
up in the same way.
Fixes: https://pagure.io/freeipa/issue/8344
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
b279b3a7 by Armando Neto at 2020-08-24T09:03:41-03:00
ipatests: Bump PR-CI templates
New template images for ci-master-f32 to include latest packages.
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
4a89da53 by Rob Crittenden at 2020-08-25T10:31:19-04:00
ipatests: Add option/arg parsing tests for the cli
A typo in passing in options would result in an exception.
For example -verbose was treated as: -v -e rbose
-v and -e are valid options. rbose on its own has no value in the
name-value pair so an exception would result.
https://pagure.io/freeipa/issue/6115
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
12dfb0fc by Rob Crittenden at 2020-08-25T10:31:19-04:00
cli: When parsing options require name/value pairs
If single-option values are combined together with invalid options
an exception would be raised.
For example -verbose was treated as -v -e rbose. Since rbose isn't
a name/value pair things would blow up. This is now caught and
a somewhat more reable error returned. The -v and -e are consumed,
not much we can do about that, but at least a more usable error is
returned.
https://pagure.io/freeipa/issue/6115
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4420ae81 by Sergey Orlov at 2020-08-26T13:30:19-04:00
ipatests: refactor test for login using cifs alias principal
The test had two problems:
* if it was failing, samba services were not started and all other
tests also failed
* Utility for copying keys obscured fatal problems i.e. if file does not
exist or can not be parsed.
Fixed by moving the check to separate test and raising exceptions in
KerberosKeyCopier on any unexpected problem.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6da5cc32 by Sergey Orlov at 2020-08-26T13:30:19-04:00
ipatests: simplify fixture
Fixture enable_smb_client_dns_lookup_kdc had an unobvious structure
"contextmanage inside pytest fixture". Replaced with simple pytest
fixture.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ec67022a by Florence Blanc-Renaud at 2020-08-28T14:45:15+02:00
ipatests: run test_ipahealthcheck.py::TestIpaHealthCheck separately
The test is changing the date back and forth. Due to PRCI
infra issue, chronyd is not able to connect to the default
NTP servers from the fedora pool, and the date is not
synchronized any more after this test.
To avoid polluting other tests, run this one separately.
Fixes: https://pagure.io/freeipa/issue/8472
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
- - - - -
2c15e996 by Florence Blanc-Renaud at 2020-08-28T14:45:15+02:00
ipatests: add missing healthcheck test in PRCI nightlies
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
- - - - -
173cd9b9 by Stanislav Levin at 2020-08-31T09:42:31+03:00
spec: Require ldns-utils
drill util helps to get information about DNSSEC for testing.
Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
a9334ce5 by Stanislav Levin at 2020-08-31T09:42:31+03:00
named: Remove no longer used paths
Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
5c907e34 by Stanislav Levin at 2020-08-31T09:42:31+03:00
named: Allow using of a custom OpenSSL engine for BIND
For now Debian, Fedora, RHEL, etc. build BIND with 'native PKCS11'
support. Till recently, that was the strict requirement of DNSSEC.
The problem is that this restricts cross-platform features of FreeIPA.
With the help of libp11, which provides `pkcs11` engine plugin for
the OpenSSL library for accessing PKCS11 modules in a semi-
transparent way, FreeIPA could utilize OpenSSL version of BIND.
BIND in turn provides ability to specify the OpenSSL engine on the
command line of `named` and all the BIND `dnssec-*` tools by using
the `-E engine_name`.
Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
bed09b7f by Stanislav Levin at 2020-08-31T09:42:31+03:00
DNSKeySyncInstance: Populate named/ods uid/gid on instantiation
Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
85ed106d by Stanislav Levin at 2020-08-31T09:42:31+03:00
upgrade: Handle migration of BIND OpenSSL engine
Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
721435cf by Stanislav Levin at 2020-08-31T09:42:31+03:00
named: Make use of 'pkcs11' OpenSSL engine for BIND on Fedora31
Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
53b341f9 by Stanislav Levin at 2020-08-31T09:42:31+03:00
spec: Bump required openssl-pkcs11 and softhsm
Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
8716881f by Stanislav Levin at 2020-08-31T09:42:31+03:00
service: Allow service to clean up its state
Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
ecfaf897 by Stanislav Levin at 2020-08-31T09:42:31+03:00
named: Don't override custom command line options for named
Custom options can be supplied by a vendor via 'OPTIONS' env
variable(platform specific) and IPA installer will override them
in this case. Thus, at least, the base parsing of existing options
is required.
Current named command line options:
NS_MAIN_ARGS "46A:c:C:d:D:E:fFgi:lL:M:m:n:N:p:P:sS:t:T:U:u:vVx:X:"
If there are several same options the last passed wins.
Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
e2030b8c by Stanislav Levin at 2020-08-31T09:42:31+03:00
named: Include crypto policy in openssl config
On platforms which have system-wide crypto policy the latter has
to be included in openssl config.
Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
92157bc8 by Stanislav Levin at 2020-08-31T09:42:31+03:00
ipa-dnskeysyncd: Raise loglevel to DEBUG
Previously, the logging level of StreamHandler for ipa-dnskeysyncd
was restricted to INFO via `standard_logging_setup(verbose=False)`.
Thus, it was impossible to get messages having lower level.
This also sets the loglevel for ipa-dnskeysyncd to DEBUG for
troubleshooting.
Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
0d326a90 by Stanislav Levin at 2020-08-31T09:46:03+03:00
Azure: Add Rawhide definitions
- allow override variables template file with an externally
provided one. This allows to add new Azure Pipeline which will
point to a custom platform definition. Note: Azure's WebUI
variables are runtime variables and not available at parsing time,
that's why it's impossible to override template from WebUI in
this case.
- add Rawhide templates
- add Dockerfile for build Rawhie Docker image for tests phase
Note: 'fedora:rawhide' is too old, use for now
'registry.fedoraproject.org/fedora:rawhide'.
See, https://bugzilla.redhat.com/show_bug.cgi?id=1869612
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
60ff2841 by Stanislav Levin at 2020-08-31T09:46:03+03:00
Azure: Drop dependency on UsePythonVersion task
Python is provided by the Docker container image and it's no
longer needed to bind mount host's Python into container.
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a5b23287 by Stanislav Levin at 2020-08-31T09:46:03+03:00
Azure: base: Collect both install and uninstall logs
Some applications remove their logs on uninstallation.
As a result of this, Azure lost `install` logs.
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a102cfe5 by Stanislav Levin at 2020-08-31T09:46:03+03:00
nss: Raise exception earlier on unsupported DB type
For now FreeIPA handles explicit migration of NSS DB (dbm->sql).
But Mozilla's NSS can be built without the support of legacy database
(DBM). This implies that neither implicit nor explicit DB migration
to SQL will work. So, eventually, this support will be removed from
FreeIPA.
With this patch, the instantiation of NSS with legacy db(if not
supported by NSS) is forbidden.
Fixes: https://pagure.io/freeipa/issue/8474
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f3d10871 by Stanislav Levin at 2020-08-31T09:46:03+03:00
deps: Require `nss-tools` for make's fasttest target
Otherwise, tests fail with:
```
E FileNotFoundError: [Errno 2] No such file or directory: '/usr/bin/certutil'
...
=================================== short test summary info ===================================
FAILED test_ipapython/test_certdb.py::test_dbm_tmp - FileNotFoundError: [Errno 2] No such fi...
FAILED test_ipapython/test_certdb.py::test_sql_tmp - FileNotFoundError: [Errno 2] No such fi...
FAILED test_ipapython/test_certdb.py::test_convert_db - FileNotFoundError: [Errno 2] No such...
FAILED test_ipapython/test_certdb.py::test_convert_db_nokey - FileNotFoundError: [Errno 2] N...
FAILED test_ipapython/test_certdb.py::test_auto_db - FileNotFoundError: [Errno 2] No such fi...
FAILED test_ipapython/test_certdb.py::test_delete_cert_and_key - FileNotFoundError: [Errno 2...
FAILED test_ipapython/test_certdb.py::test_check_validity - FileNotFoundError: [Errno 2] No ...
...
```
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
30cf59d0 by Stanislav Levin at 2020-08-31T09:46:03+03:00
Azure: Increase verbosity for Tox task
This allows to debug issues happened during packages installation:
> -v, --verbose increase verbosity of reporting output.
-vv mode turns off output redirection for package installation,
above level two verbosity flags are passed through to pip (with two less
level) (default: 0)
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
fdb227e5 by Stanislav Levin at 2020-08-31T09:46:03+03:00
tox: Don't expand symlinks
`virtualenv` < 20.0.0 copies system python binary into virt
environment and then links `python` to it. While
`virtualenv` >= 20.0.0 directly links `python` to system python
binary (without copying).
`realpath` by default expands symlinks. Thereby, pip attempts to
install packages into the system's site-packages and
fails with 'Permission denied' (non-privileged user).
Fixes: https://pagure.io/freeipa/issue/8475
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
49e64378 by Stanislav Levin at 2020-08-31T09:46:03+03:00
dnspython: Add compatibility shim
`dnspython` 2.0.0 has many changes and several deprecations like:
```
> dns.resolver.resolve() has been added, allowing control of whether
search lists are used. dns.resolver.query() is retained for backwards
compatibility, but deprecated. The default for search list behavior can
be set at in the resolver object with the use_search_by_default
parameter. The default is False.
> dns.resolver.resolve_address() has been added, allowing easy
address-to-name lookups.
```
The new class `DNSResolver`:
- provides the compatibility layer
- defaults the previous behavior (the search list configured in the
system's resolver configuration is used for relative names)
- defaults lifetime to 15sec (determines the number of seconds
to spend trying to get an answer to the question)
Fixes: https://pagure.io/freeipa/issue/8383
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
b450c9bd by Stanislav Levin at 2020-08-31T17:24:40+03:00
dns: Make use of `resolve_address` of a current resolver instead of the global one
For now, `resolve_address` for dnspython < 2.0.0 is actually
the instance method of the global DNSResolver object and is not
the instance method of the corresponding object from which it was
called. This can result in unexpected behavior.
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
b54d9364 by Fraser Tweedale at 2020-09-03T13:56:45+02:00
delete unused subroutine get_host_name()
Commit a42a711394178a459bde006e6b49ed799a7cce1a, from September
2018, removed the only call site of installutils.get_host_name().
Delete the definition.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
9094dfc2 by Fraser Tweedale at 2020-09-03T13:58:59+02:00
install: simplify host name verification
Perform a small refactor to the installer code that chooses and
verifies the hostname. In particular:
- choice of hostname is separate from validation
- read_host_name no longer performs validation
- verify_fqdn is now called from one place
- if/else branches are now "balanced"
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
15f168c1 by Sudhir Menon at 2020-09-03T15:56:15+02:00
ipatests: Install healthcheck pkg for TestIpaHealthCheckWithADtrust
Tests for TestIpaHealthCheckWithADtrust are failing since
package is not installed, this patch installs
healthcheck pkg on the IPA Master.
Patch to install healthcheck package for TestIpaHealthCheckWithExternalCA
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
50fdc808 by Florence Blanc-Renaud at 2020-09-07T09:25:25+02:00
ipatests: fix bind service name
With the commit 721435cf7f2ed41fe807c34022fed31c792b4497
the service name for bind is now 'named' instead of
'named-pkcs11' on fedora. The ipa-healthcheck test was hardcoding
the service name but it should instead use the name stored in
knownservices.named.systemd_name as it varies depending on
the OS.
Fixes: https://pagure.io/freeipa/issue/8482
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
68328299 by François Cami at 2020-09-09T17:49:23-04:00
SELinux Policy: let custodia replicate keys
Enhance the SELinux policy so that custodia can replicate sub-CA keys
and certificates:
allow ipa_custodia_t self:tcp_socket { bind create };
allow ipa_custodia_t node_t:tcp_socket node_bind;
allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
allow ipa_custodia_t pki_tomcat_cert_t:file create;
allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
allow ipa_custodia_t self:process execmem;
Found by: test_replica_promotion::TestSubCAkeyReplication
Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
dbc7881e by Florence Blanc-Renaud at 2020-09-10T09:14:50+02:00
dnsforwardzone-add: support dnspython 2.0
The command dnsforwardzone-add is assuming that the dns.rrset.RRset
type stores "items" as a list. With dnspython 2.0 this is not true
as a dict is used instead.
As a consequence, in order to get the first record, it is not possible
to use items[0]. As dict and list are both iterables, next(iter(items))
can be used in order to be compatible with dnspython 1.16 and 2.0.
Fixes: https://pagure.io/freeipa/issue/8481
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
040d48fa by Rob Crittenden at 2020-09-10T09:21:25+02:00
ipatests: test ipa_server_certinstall with an IPA-issued cert
ipa-server-certinstall takes a slightly different code path if
the replacement certificate is IPA-issued so exercise that path.
This replaces the Apache cert with itself which is a bit of a no-op
but it still goes through the motions.
https://pagure.io/freeipa/issue/8204
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
f249c51b by Rob Crittenden at 2020-09-10T09:21:25+02:00
Set the certmonger subject with a string, not an object
ipa-server-certinstall goes through a slightly different code path
if the replacement certificate is issued by IPA. This was setting
the subject using cert.subject which is a Name object and not the
string representation of that object. This was failing in the
dbus call to certmonger.
https://pagure.io/freeipa/issue/8204
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
d00106b3 by Alexander Bokovoy at 2020-09-10T11:57:14-04:00
ipa-kdb: support getprincs request in kadmin.local
kadmin.local getprincs command results in passing '*' as a principal to
KDB driver function that looks up the principals.
The whole filter looks like this
(&(|
(objectclass=krbprincipalaux)
(objectclass=krbprincipal)
(objectclass=ipakrbprincipal))
(|(ipakrbprincipalalias=*)
(krbprincipalname:caseIgnoreIA5Match:=*)))
There are two parts of the LDAP filter we use to look up principals, the
part with 'krbprincipalname' uses extensible filter syntax of RFC 4515
section 3:
extensible = ( attr [dnattrs]
[matchingrule] COLON EQUALS assertionvalue )
/ ( [dnattrs]
matchingrule COLON EQUALS assertionvalue )
In case we've got a principal name as '*' we have to follow RFC 4515
section 3 and reencode it using <valueencoding> rule from RFC 4511
section 4.1.6 but only to the part of the filter that does use assertion
value.
Fixes: https://pagure.io/freeipa/issue/8490
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ba1a7b97 by Alexander Bokovoy at 2020-09-10T11:57:14-04:00
ipa-kdb: test kadmin.local getprincs command
Fixes: https://pagure.io/freeipa/issue/8490
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
21186540 by Armando Neto at 2020-09-10T18:36:25+02:00
ipatests: Bump PR-CI templates
New templates with a previously working version of `geckodriver`.
Issue: https://pagure.io/freeipa/issue/8473
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
0a2b6ca6 by Christian Heimes at 2020-09-11T13:22:42-04:00
Only restart DS when duplicate cacrt was found
The update_fix_duplicate_cacrt_in_ldap plugin no longer restarts DS when
CA is disabled or no duplicate cacrt entry was dedected.
Related: https://pagure.io/freeipa/issue/7125
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
2265cb86 by Rob Crittenden at 2020-09-14T09:14:37+03:00
Don't allow both a zone name and --name-from-ip to be provided
--name-from-ip will generate a zone name so there is no point in
the user providing one. If one is provided and doesn't match the
generated name then a validation exception is raised.
https://pagure.io/freeipa/issue/8446
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
e92a4ba4 by Rob Crittenden at 2020-09-14T09:14:37+03:00
ipatests: test that a zone name and name-from-ip will be rejected
If a zone name is provided then name-from-ip makes little sense,
don't allow it.
https://pagure.io/freeipa/issue/8446
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
cdf830af by Rob Crittenden at 2020-09-14T09:15:59+03:00
De-duplicate ACI attributes and permissions
Ensure uniqueuess in attributes and permissions in the ACI class.
A set() is not used because it doesn't guarantee order which ends up
causing cascading and unpredictable test failures. Since all we
really need is de-duplication and not a true mathematical set iterating
through the list is sufficiently fast, particularly since the number
of elements will always be low.
https://pagure.io/freeipa/issue/8443
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2656c468 by Rob Crittenden at 2020-09-14T09:15:59+03:00
Use ACI class set_permissions() method to set permissions
This will ensure uniqueuess and that the ACI has the right
datatype without the caller worrying about it.
https://pagure.io/freeipa/issue/8443
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2e4431af by Rob Crittenden at 2020-09-14T09:15:59+03:00
ipatests: Add test for ACI attribute and permission uniqueness
https://pagure.io/freeipa/issue/8443
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
cfad7af3 by Rob Crittenden at 2020-09-14T09:17:33+03:00
Require at least 1.6Gb of available RAM to install the server
Verify that there is at least 1.6Gb of usable RAM on the system. Swap
is not considered. While swap would allow a user to minimally install
IPA it would not be a great experience.
Using any proc-based method to check for available RAM does not
work in containers unless /proc is re-mounted so use cgroups
instead. This also handles the case if the container has memory
constraints on it (-m).
There are envs which mount 'proc' with enabled hidepid option 1
so don't assume that is readable.
Add a switch to skip this memory test if the user is sure they
know what they are doing.
is_hidepid() contributed by Stanislav Levin <slev at altlinux.org>
https://pagure.io/freeipa/issue/8404
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
- - - - -
fc271a55 by Rob Crittenden at 2020-09-14T09:17:33+03:00
ipatests: Add tests for checking available memory
The tests always force container or no container so they should
run the same in any environment.
The following cases are handled:
- container, no cgroups
- container, insufficent RAM
- container, sufficient RAM for no CA
- container, insufficient RAM with CA
- non-container, sufficient RAM
- non-container, insufficient RAM
https://pagure.io/freeipa/issue/8404
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
- - - - -
20b55f40 by Rob Crittenden at 2020-09-14T09:19:01+03:00
Add index for more trust-related attributes
Add index for ipaNTTrustPartner, ipaNTSecurityIdentifier and
krbprincipalname
https://pagure.io/freeipa/issue/8491
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
31bc0df6 by Alexander Bokovoy at 2020-09-14T14:00:20+03:00
Specify memory limits as strings for docker compose
Fixes the following error in Azure Pipelines CI after upgrade of Docker
setup:
[2020-09-14 06:50:07] The Compose file './docker-compose.yml' is invalid because:
[2020-09-14 06:50:07] services.client.mem_limit contains an invalid type, it should be a string
Fixes: https://pagure.io/freeipa/issue/8494
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
05da1f7f by Christian Heimes at 2020-09-15T08:58:28+03:00
Add krbPrincipalName pres index correctly
See: 20b55f4017ab42113f1ced829a4b4afa17839b55
See: https://pagure.io/freeipa/issue/8491
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
26ae95f4 by Armando Neto at 2020-09-15T09:11:21-03:00
ipatests: Add nightly definitions for enforcing mode
Duplicates the scenario for nightly_latest.yaml and
nightly_latest_testing.yaml setting `selinux_enforcing` parameter
as True.
Indentation for all definitions have been fixed.
Issue: https://github.com/freeipa/freeipa-pr-ci/issues/391
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
c31bf3d4 by François Cami at 2020-09-17T15:59:00+02:00
ipatests: check that pkispawn log is not empty
Since commits:
https://github.com/dogtagpki/pki/commit/0102d836f4eac0fcea0adddb4c98d5ea05e4e8f6
https://github.com/dogtagpki/pki/commit/de217557a642d799b1c4c390efa55493707c738e
pkispawn will not honor the pki_log_level configuration item.
All 10.9 Dogtag versions have these commits.
This affects FreeIPA in that it makes debugging Dogtag installation issues next
to impossible.
Adding --debug to the pkispawn CLI is required to revert to the previous
behavior.
Therefore check that the log is not empty and contains DEBUG+INFO lines.
Fixes: https://pagure.io/freeipa/issue/8503
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
be7bf98b by François Cami at 2020-09-17T15:59:00+02:00
dogtaginstance.py: add --debug to pkispawn
Since commits:
https://github.com/dogtagpki/pki/commit/0102d836f4eac0fcea0adddb4c98d5ea05e4e8f6
https://github.com/dogtagpki/pki/commit/de217557a642d799b1c4c390efa55493707c738e
pkispawn will not honor the pki_log_level configuration item.
All 10.9 Dogtag versions have these commits.
This affects FreeIPA in that it makes debugging Dogtag installation issues next
to impossible.
Adding --debug to the pkispawn CLI is required to revert to the previous
behavior.
Fixes: https://pagure.io/freeipa/issue/8503
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c0461eb3 by Fraser Tweedale at 2020-09-18T14:17:03-04:00
spec: require pki-acme if pki-ca >= 10.10
We can use conditional dependencies (described at [1]) to require
the pki-acme package if pki-ca >= 10.10.0 (the version at which the
ACME service was separated to a subpackage).
[1] https://rpm.org/user_doc/boolean_dependencies.html
I have tested this with repos having only pki-10.9.x (and therefore
no pki-acme package), and dnf is happy. I have also testing package
installation with pki-10.10 packages installed, but /without/
pki-acme installed. pki-acme was seen as a missing dependency and
installed alongside the freeipa packages. This change seems to
satisfy all the scenarios.
Related: https://github.com/dogtagpki/pki/pull/513
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
b606fa6c by Christian Heimes at 2020-09-18T14:20:08-04:00
Duplicate CA CRT: ignore expected cert
When search for duplicate CA certs ignore the one expected entry.
Related: https://pagure.io/freeipa/issue/7125
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
8ba15027 by Florence Blanc-Renaud at 2020-09-21T18:12:03-04:00
test_smb: skip test_smb_service_s4u2self for fed31
The test test_integration/test_smb.py::TestSMB::test_smb_service_s4u2self
is expected to fail in Fedora <= 31 as it requires krb >= 1.18
that is shipped from fedora 32 only.
Skip the test depending on the fedora version.
Fixes: https://pagure.io/freeipa/issue/8505
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
3c86baf0 by Christian Heimes at 2020-09-21T18:13:51-04:00
Don't create DS SSCA and self-signed cert
Instruct lib389 to not create its self-signed CA and temporary
self-signed certificate. FreeIPA uses local connections and Unix socket
for bootstrapping.
Fixes: https://pagure.io/freeipa/issue/8502
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
87cf2a3c by Christian Heimes at 2020-09-22T09:21:00-04:00
Add ldap_update() helper to service class
The new _ldap_update() helper methods makes it easier to apply LDAP
update files from a service instance.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
99a40cbb by Christian Heimes at 2020-09-22T09:21:00-04:00
Simplify LDAPUpdater
- drop unused dm_password and ldapi arguments
- remove online feature that was never implemented
- allow passing of api object that is used to populate substitution
dictionary
- simplify substitution dictionary updates
- remove unused instances vars
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
72fb4e60 by Christian Heimes at 2020-09-22T09:23:18-04:00
Add user and group wrappers
New classes for user and group names provide a convenient way to access
the uid and primary gid of a user / gid of a group. The classes also
provide chown() and chgrp() methods to simplify common operations.
The wrappers are subclasses of builtin str type and behave like ordinary
strings with additional features. The pwd and grp structs are retrieved
once and then cached.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
b19d20e2 by Christian Heimes at 2020-09-22T09:23:18-04:00
Use new classes for run_command and Service
User and Group now return unmodified instance when they are called with
an instance of themselves: User(user) is user.
run_command() and Service class accept either names or User object.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
bc128cae by Christian Heimes at 2020-09-22T09:23:18-04:00
Add User and Group to all ipaplatform.constants
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
dfeea164 by François Cami at 2020-09-22T18:05:38+02:00
ipatests: enhance TestSubCAkeyReplication
enhance the test suite so that it covers:
- deleting subCAs (disabling them first)
- checking what happens when creating a dozen+ subCAs at a time
- adding a subCA that already exists and expect failure
Related: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace at redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec at redhat.com>
Reviewed-By: Zdenek Pytela <zpytela at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
7823da06 by François Cami at 2020-09-22T18:05:38+02:00
SELinux: Add dedicated policy for ipa-pki-retrieve-key
Add proper labeling, transition and policy for ipa-pki-retrieve-key.
Make sure tomcat_t can execute ipa-pki-retrieve-key.
Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace at redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec at redhat.com>
Reviewed-By: Zdenek Pytela <zpytela at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
ea9db4a9 by François Cami at 2020-09-22T18:05:38+02:00
SELinux Policy: let custodia_t map custodia_tmp_t
This is used by the JVM perf counters.
Related: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace at redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec at redhat.com>
Reviewed-By: Zdenek Pytela <zpytela at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
820beca4 by François Cami at 2020-09-22T18:05:38+02:00
SELinux Policy: ipa_pki_retrieve_key_exec_t => ipa_pki_retrieve_key_t
Grant pki_manage_tomcat_etc_rw to ipa_pki_retrieve_key_t instead of
ipa_pki_retrieve_key_exec_t.
As suggested by Ondrej Mosnáček.
Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace at redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec at redhat.com>
Reviewed-By: Zdenek Pytela <zpytela at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
09816f4d by François Cami at 2020-09-22T18:05:38+02:00
SELinux Policy: ipa_custodia_pki_tomcat_exec_t => ipa_custodia_pki_tomcat_t
ipa_custodia_pki_tomcat_exec_t was granted java_exec by mistake ; replace by
ipa_custodia_pki_tomcat_t.
As suggested by Ondrej Mosnáček.
Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace at redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec at redhat.com>
Reviewed-By: Zdenek Pytela <zpytela at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
4b3c4b84 by François Cami at 2020-09-22T18:05:38+02:00
SELinux Policy: flag ipa_pki_retrieve_key_exec_t as domain_type
Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace at redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec at redhat.com>
Reviewed-By: Zdenek Pytela <zpytela at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
f774642b by François Cami at 2020-09-22T18:05:38+02:00
SELinux Policy: make interfaces for kernel modules non-optional
Interfaces for kernel modules do not need to be in an optional module.
Also make sure ipa_custodia_t can log.
Suggested by Lukas Vrabec.
Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace at redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec at redhat.com>
Reviewed-By: Zdenek Pytela <zpytela at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
2f2bce43 by François Cami at 2020-09-22T18:05:38+02:00
SELinux Policy: Allow tomcat_t to read kerberos keytabs
This is required to fix:
avc: denied { search } for pid=1930 comm="ipa-pki-retriev" name="krb5" dev="dm-0" ino=8620822 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
Macros suggested by: Ondrej Mosnacek
Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace at redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec at redhat.com>
Reviewed-By: Zdenek Pytela <zpytela at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
84bbf687 by Rob Crittenden at 2020-09-22T19:30:03-04:00
Require a matching server package for the selinux subpackage
Ensure that the selinux subpackage is upgraded along with the
rest of IPA if it is built.
https://pagure.io/freeipa/issue/8511
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
36c6a2e7 by François Cami at 2020-09-23T14:47:06+02:00
SELinux: do not double-define node_t and pki_tomcat_cert_t
node_t and pki_tomcat_cert_t are defined in other modules.
Do not double-define them.
Fixes: https://pagure.io/freeipa/issue/8513
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
cc5d9a8c by Rob Crittenden at 2020-09-23T14:48:29+02:00
Clean up entire /run/ipa/ccaches directory not just files
If there are any sub-directories in the ccaches directory
then cleaning it up will fail.
Instead remove the whole directory and allow systemd-tmpfiles
to re-create it.
https://pagure.io/freeipa/issue/8248
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
9f9dcfe8 by Rob Crittenden at 2020-09-23T14:48:29+02:00
Test that ccaches are cleaned up during installation
Create a random file and directory in the ccaches directory
prior to installation then confirm that they were removed.
https://pagure.io/freeipa/issue/8248
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
80fca8d7 by Christian Heimes at 2020-09-23T14:49:15+02:00
Delay import of psutil to avoid AVC
Commit cfad7af35dd5a2cdd4081d1e9ac7c245f47f1dce added a check to ensure a
system has sufficient amount of memory. The feature uses psutil to get
available memory. On import psutil opens files in /proc which can result in
an SELinux violations and Python exception.
PermissionError: [Errno 13] Permission denied: '/proc/stat'
Fixes: https://pagure.io/freeipa/issue/8512
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
644bd0e4 by Christian Heimes at 2020-09-23T14:49:56+02:00
Make git a build requirement
FreeIPA uses git in its build process. In the past git was automatically
pulled in. On Fedora 33 builds are failing because git is missing.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
7651d335 by Zdenek Pytela at 2020-09-23T15:23:28+02:00
Add ipa_pki_retrieve_key_exec() interface
The ipa_pki_retrieve_key_exec() interface is needed to allow other
domains execute ipa-pki-retrieve-key.
Related: https://pagure.io/freeipa/issue/8488
Signed-off-by: Zdenek Pytela <zpytela at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
96edff0b by Christian Heimes at 2020-09-23T16:44:26+02:00
Add helpers for resolve1 and nameservers
detect_resolve1_resolv_conf() detects if systemd-resolved is enabled and
manages /etc/resolv.conf.
get_resolve1_nameservers() gets upstream DNS servers from
systemd-resolved's D-Bus interface.
get_dnspython_nameservers() gets upstream DNS servers from
/etc/resolv.conf via dns.python.
get_nameservers() gets a list of unique, non-loopback DNS server IP
addresses.
Also fixes setup.py to include D-Bus for ipalib instead of ipapython.
See: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e64f27fd by Christian Heimes at 2020-09-23T16:44:26+02:00
Configure NetworkManager to use systemd-resolved
zzz-ipa.conf now enables NetworkManager's systemd-resolved plugin when
systemd-resolved is detected.
See: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
528c519c by Christian Heimes at 2020-09-23T16:44:26+02:00
Use new API for auto-forwarders
Auto-forwarders and manual configuration now use the new API to get a
list of DNS servers. Manual installer refuses loopback, too.
See: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d12f1b4b by Christian Heimes at 2020-09-23T16:44:26+02:00
Configure systemd-resolved to use IPA's BIND
IPA installer now instructs systemd-resolved to use IPA's BIND DNS
server as primary DNS server.
Fixes: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
79b9982b by Christian Heimes at 2020-09-23T16:44:26+02:00
Create systemd-resolved configuration on update
Create systemd-resolved drop-in and restart the service when the drop-in
config file is missing and /etc/resolv.conf points to stub resolver
config file.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
b47ddb01 by Rob Crittenden at 2020-09-24T08:20:48+02:00
Reduce the memory requirement from 1.6 to 1.2 GB
We know from practical experience in PR-CI and Azure that 1.2
is the absolute minimum necessary for a base installation.
https://pagure.io/freeipa/issue/8404
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
29b41aef by Serhii Tsymbaliuk at 2020-09-24T16:21:04+02:00
WebUI: Fix jQuery DOM manipulation issues
The commit includes the following jQuery patches:
- Manipulation: Make jQuery.htmlPrefilter an identity function
(https://github.com/jquery/jquery/pull/4642)
- Manipulation: Skip the select wrapper for <option> outside of IE 9
(https://github.com/jquery/jquery/pull/4647)
In addition there is included a script that helps to patch and build
the new version of jQuery:
$ install/ui/util/make-jquery.js 3.4.1
Ticket: https://pagure.io/freeipa/issue/8507
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
69ebe415 by Christian Heimes at 2020-09-24T17:03:00+02:00
Fix nsslapd-db-lock tuning of BDB backend
nsslapd-db-lock was moved from cn=config,cn=ldbm database,cn=plugins,cn=config
entry to cn=bdb subentry. Manual patching of dse.ldif was no longer
working. Installations with 389-DS 1.4.3 and newer are affected.
Low lock count can affect performance during high load, e.g. mass-import
of users or lots of concurrent connections.
Bump minimal DS version to 1.4.3. Fedora 32 and RHEL 8.3 have 1.4.3.
Fixes: https://pagure.io/freeipa/issue/8515
See: https://pagure.io/freeipa/issue/5914
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
54dff05c by Oğuz Ersen at 2020-09-26T10:25:19+03:00
Translated using Weblate (Turkish)
Currently translated at 7.6% (357 of 4654 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/tr/
Translated using Weblate (Turkish)
Currently translated at 7.3% (342 of 4654 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/tr/
Translated using Weblate (Turkish)
Currently translated at 4.6% (216 of 4654 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/tr/
Translated using Weblate (Turkish)
Currently translated at 0.7% (34 of 4654 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/tr/
Added translation using Weblate (Turkish)
Co-authored-by: Oğuz Ersen <oguzersen at protonmail.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a2f7e917 by Weblate at 2020-09-26T10:25:19+03:00
Update translation files
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
Update translation files
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
Co-authored-by: Weblate <noreply at weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/
Translation: freeipa/master
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
1eaa5974 by Rafael Fontenelle at 2020-09-26T10:25:19+03:00
Translated using Weblate (Portuguese (Brazil))
Currently translated at 3.2% (153 of 4654 strings)
Co-authored-by: Rafael Fontenelle <rafaelff at gnome.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/pt_BR/
Translation: freeipa/master
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
89d85182 by Weblate at 2020-09-26T10:25:19+03:00
Update translation files
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
Update translation files
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
Co-authored-by: Weblate <noreply at weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/
Translation: freeipa/master
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a330adae by Yuri Chornoivan at 2020-09-26T10:25:19+03:00
Translated using Weblate (Ukrainian)
Currently translated at 100.0% (4654 of 4654 strings)
Translated using Weblate (Ukrainian)
Currently translated at 98.8% (4600 of 4654 strings)
Co-authored-by: Yuri Chornoivan <yurchor at ukr.net>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/uk/
Translation: freeipa/master
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
90c1a00f by Weblate at 2020-09-26T10:25:19+03:00
Update translation files
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
Co-authored-by: Weblate <noreply at weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/
Translation: freeipa/master
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
11828cf8 by Daniel Lara Souza at 2020-09-26T10:25:19+03:00
Translated using Weblate (Portuguese (Brazil))
Currently translated at 3.5% (167 of 4654 strings)
Co-authored-by: Daniel Lara Souza <daniellarasouza at yahoo.com.br>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/pt_BR/
Translation: freeipa/master
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
afa0f5d1 by Weblate at 2020-09-26T10:25:19+03:00
Update translation files
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
Co-authored-by: Weblate <noreply at weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/
Translation: freeipa/master
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
abc41640 by Yuri Chornoivan at 2020-09-26T10:25:19+03:00
Translated using Weblate (Ukrainian)
Currently translated at 100.0% (4676 of 4676 strings)
Translated using Weblate (Ukrainian)
Currently translated at 100.0% (4676 of 4676 strings)
Co-authored-by: Yuri Chornoivan <yurchor at ukr.net>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/uk/
Translation: freeipa/master
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
0464a5ff by Oğuz Ersen at 2020-09-26T10:25:19+03:00
Translated using Weblate (Turkish)
Currently translated at 7.6% (358 of 4676 strings)
Co-authored-by: Oğuz Ersen <oguzersen at protonmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/tr/
Translation: freeipa/master
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4cc9c942 by Emilio Herrera at 2020-09-26T10:25:19+03:00
Translated using Weblate (Spanish)
Currently translated at 60.8% (2845 of 4676 strings)
Translated using Weblate (Spanish)
Currently translated at 60.8% (2844 of 4676 strings)
Co-authored-by: Emilio Herrera <ehespinosa57 at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/es/
Translation: freeipa/master
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4e30a48d by Christian Heimes at 2020-09-26T10:41:32+03:00
trust-add: Catch correct exception when chown SSSD
Commit 72fb4e6 introduced a regression. SSSD_USER.chown() raises
ValueError instead of KeyError when SSSD user does not exist.
Fixes: https://pagure.io/freeipa/issue/8516
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
6fde06ac by Christian Heimes at 2020-09-26T10:43:42+03:00
Fix compiler warning in ipa-pwd-extop
cast const error message to non-const char*. I tried to make errMesg a
const char* but it gets passed down to slapi_send_ldap_result() which
accepts a char*.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
7de2c9bc by Christian Heimes at 2020-09-26T10:43:42+03:00
Fix compiler warnings in libotp
Remove unused variable declarations
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6c52ef2b by Christian Heimes at 2020-09-26T10:43:42+03:00
Fix compiler warning in ipa-kdb
Make assertion_value a const char*
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2c393c09 by Alexander Bokovoy at 2020-09-28T08:47:31+02:00
Pre-populate IP addresses for the name server upgrades
Setting up resolv.conf in BIND instance expects IP addresses of the
server to be provided. This is done wiht BindInstance.setup() method
call. However, when reusing resolver setup during upgrade BIND instance
has no IP addresses configured and fails with an assert in
tasks.configure_dns_resolver().
Pass through the server's IP addresses during upgrade.
Fixes: https://pagure.io/freeipa/issue/8518
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
34e47778 by Christian Heimes at 2020-09-28T14:33:15+02:00
Ensure that resolved.conf.d is accessible
systemd-resolved runs as user systemd-resolve. Ensure that
resolved.conf.d drop-in directory is accessible when installer runs with
restricted umask. Also ensure the file and directory has correct SELinux
context.
The parent directory /etc/systemd exists on all platforms.
Fixes: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ced1dcb1 by Christian Heimes at 2020-09-28T14:33:15+02:00
Also backup DNS config drop-ins
/etc/NetworkManager/conf.d and /etc/systemd/resolved.conf.d drop-in
files were not backed up.
Related: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e46c3792 by Christian Heimes at 2020-09-29T12:05:20+02:00
Use single update LDIF for indices
Index definitions were split across four files. indices.ldif contained
the initial subset of indices. Three update files partly duplicated the
indices and partly added new indices.
All indices are now defined in a single update file that is sorted
alphanumerically.
The changeset avoids two additional index tasks and reduces installation
time by 5 to 10 seconds.
Fixes: https://pagure.io/freeipa/issue/8493
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
9f0ec27e by Christian Heimes at 2020-09-29T12:05:20+02:00
Add more indices
ipaCASubjectDN is used by lightweight sub CA feature.
ipaExternalMember is used by KRB driver to assemble MS-PAC records.
ipaNTSecurityIdentifier was only index for "pres" and was missing an
index on "eq". Samba and ipasam perform queries with SID string..
memberPrincipal is used by S4U2Proxy constrained delegation and by
ipa-custodia.
Also note that dnaHostname, ipServiceProtocol, ipaCertSubject, and
ipaKeyUsage are currently not index because an index would rarely used
or have a poor selectivity.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
1684b0f2 by Christian Heimes at 2020-09-29T12:06:24+02:00
Add missing fedora_container platform members
The fedora_container platform was missing User and Group members.
Add test case to verify that all known platforms define correct module
API.
Fixes: https://pagure.io/freeipa/issue/8519
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
aa67177f by Christian Heimes at 2020-09-30T09:52:08+02:00
Add helper for poll/sleep loops with timeout
The Sleeper class is a helper that makes poll/sleep loops with timeout
easier to write. It takes care of edge cases and does not oversleep
timeout deadline.
Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
b79191f7 by Christian Heimes at 2020-09-30T09:52:08+02:00
Faster certmonger wait_for_request()
wait_for_request() now waits 0.5 instead of 5 seconds. This shoves off
15 to 20 seconds from ipa-server-install while marginally increased
load on the system.
request_and_wait_for_cert() now uses correct certmonger_wait_timeout
instead of http_timeout.
Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1921d33d by Christian Heimes at 2020-09-30T09:52:08+02:00
Drop unused extended sleep feature from Sleeper
The extended sleep feature is not used at the moment.
Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
38d083e3 by Christian Heimes at 2020-09-30T09:56:04+02:00
configure_dns_resolver: call self.restore_context
Use the platform implementation of restore_context() instead of the base
implementation.
Fixes: https://pagure.io/freeipa/issue/8518
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3ab3ed5f by Christian Heimes at 2020-09-30T17:01:01+02:00
Retry chronyc waitsync only once
It's unlikely that a third chrony synchronization attempt is going to
succeed after the the first two attempts have failed. Perform more
retries with smaller timeout.
This speed up installer by 11 seconds on systems without fully
configured chronyd or no chronyd (e.g. containers).
Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
a96b8938 by Piotr Drąg at 2020-09-30T11:18:37-04:00
Translated using Weblate (Polish)
Currently translated at 9.6% (451 of 4676 strings)
Co-authored-by: Piotr Drąg <piotrdrag at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/pl/
Translation: freeipa/master
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
fbb6484d by Christian Heimes at 2020-10-05T14:24:55+02:00
Check ca_wrapped in ipa-custodia-check
ca_wrapped uses Dogtag's pki tool (written in Java) to wrap key
material. Add checks to custodia to verify that key wrapping works.
Related: https://pagure.io/freeipa/issue/8488
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
9a9cd302 by Christian Heimes at 2020-10-05T14:24:55+02:00
Verify freeipa-selinux's ipa module is loaded
ipa-custodia tests will fail if the ipa.pp override module from
freeipa-selinux is not correctly installed, loaded, and enabled.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
37a0af6a by Christian Heimes at 2020-10-05T15:02:14+02:00
Remove root-autobind configuration
The new lib389-based installer configured 389-DS with LDAPI support and
autobind for root. nsslapd-ldapiautobind is enabled by lib389.
cn=root-autobind,cn=config entry is no longer needed.
nsslapd-ldapimaptoentries is kept enabled for future use.
Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
daec8049 by Christian Heimes at 2020-10-05T15:02:14+02:00
Remove magic sleep from create_index_task
11 years ago 5ad91a0781 added a magic sleep to work around a rare deadlock
bug in memberOf plugin. Thierry is not aware of any outstanding issues
with memberOf plugin that could lead to a deadlock.
Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
9eccaf62 by Christian Heimes at 2020-10-05T15:02:14+02:00
Skip offline dse.ldif patching by default
The installer now stop and patches dse.ldif only when the option
--dirsrv-config-file is used. LDBM nsslapd-db-locks are increased in a
new step.
This speeds up installer by 4 or more seconds on a fast system.
Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
8882680e by Christian Heimes at 2020-10-05T15:04:43+02:00
Dogtag: Remove set_audit_renewal step
The step set_audit_renewal modifies Dogtag's caSignedLogCert.cfg to bump
renewal to 2 years. The problem was fixed in Dogtag upstream in 2012 before
Dogtag 10.0 came out, see
https://github.com/dogtagpki/pki/commit/f5b8ea5b087f642a0208c228dce6f700cd7d91c1
The update step would also no longer work. Profiles have been migrated
to LDAP several FreeIPA releases ago. pkispawn populates LDAP with all
of Dogtag's default profiles. FreeIPA does not overwrite any existing
profiles.
Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
942fe07e by Christian Heimes at 2020-10-05T15:04:43+02:00
Spawn PKI: Execute more steps early
Move several steps to an earlier phase of CA spawn. RA and ACME agent
ACLs are now configured while the server is down. This avoids yet
another restart and saves between 11 and 50 seconds per installation.
Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
6860c637 by Christian Heimes at 2020-10-06T15:35:35+02:00
Use separate install logs for AD and DNS instance
ipa-dns-install and ipa-adtrust-install no longer overwrite
ipaserver-install.log. Instead they use a separate log file.
Add AD-Trust, DNS, KRA, and replica log files to backups.
Fixes: https://pagure.io/freeipa/issue/8528
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
4ed21bba by Christian Heimes at 2020-10-07T15:14:16+02:00
Replace sudo with runuser
runuser is in util-linux and does not require sudo package.
Related: https://pagure.io/freeipa/issue/8530
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6ba5a6a4 by Christian Heimes at 2020-10-08T08:32:08+02:00
Require(post) systemd with resolved enabled on F33
FreeIPA's systemd-resolved integration for Fedora 33 depends on a
working and fully configured systemd-resolved service. Ensure that
systemd's post installation RPM hook runs before FreeIPA's post hook.
Note: Other systemd version numbers are current versions on Fedora 32 and
RHEL 8.2.0.
Related: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
814328ea by Christian Heimes at 2020-10-08T08:32:08+02:00
Don't add 127.0.0.1 to resolv.conf twice
On systems with multiple IP addresses the update code could add
::1 and 127.0.0.1 multiple times.
Related: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a3abae82 by Christian Heimes at 2020-10-08T08:32:08+02:00
Simplify update code
resolve_ip_addresses_nss(host) is equivalent to
get_server_ip_address(api.env.host, True, False, []). The function
get_server_ip_address() is designed to perform interactive checks that
should not be triggered in automatic upgrade code.
Related: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
01c6b8a8 by Sudhir Menon at 2020-10-09T08:48:12+02:00
ipatests: ipa-healthcheck test fixes running on RHEL
1. Added function in tasks.py to get healthcheck version.
2. Added if else condition to certain tests to
check healthcheck version and then assert the expected test output
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
a63eeaae by François Cami at 2020-10-09T08:51:02+02:00
ipatests: add check_if_sssd_is_online
Split wait_for_sssd_domain_status_online so that we can easily check
that SSSD considers the IPA domain online with check_if_sssd_is_online.
Related: https://pagure.io/freeipa/issue/8510
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
884e0d36 by François Cami at 2020-10-09T08:51:02+02:00
ipatests: add get_kdcinfo
get_kdcinfo(host) retrieves /var/lib/sss/pubconf/kdcinfo.$REALM on host.
It also logs whether SSSD considers the IPA domain as Online or not before
and after retrieving the file.
Related: https://pagure.io/freeipa/issue/8510
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
e0586f33 by François Cami at 2020-10-09T08:51:02+02:00
ipatests: create_active_user improvements
Use get_kdcinfo before and after kinit if krb5_trace in create_active_user.
This will help determine how SSSD was selecting which KRB5KDC to use.
Fixes: https://pagure.io/freeipa/issue/8510
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
5d95794e by François Cami at 2020-10-09T08:51:02+02:00
ipatests: kinit_as_user improvements
Use get_kdcinfo before and after kinit if krb5_trace in kinit_as_user.
This will help determine how SSSD was selecting which KRB5KDC to use.
Fixes: https://pagure.io/freeipa/issue/8510
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
731c5b21 by Christian Heimes at 2020-10-10T12:54:06+02:00
Lookup ipa-ca record with NSS
DNS data management now uses NSS's getaddrinfo() instead of direct DNS
queries to resolve the ipa-ca record. This fixes missing ipa-ca records
when the current hostname is not resolvable in DNS but has correct
records in /etc/hosts.
Reduce timeout to 15 seconds and tighten timeout loop.
The changeset can speed up installation by almost 60 seconds.
ipa-server-install without built-in DNS calls into DNS data management
twice with a timeout of 30 seconds for each call.
Fixes: https://pagure.io/freeipa/issue/8529
Related: https://pagure.io/freeipa/issue/8521
Related: https://pagure.io/freeipa/issue/8501
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
58d8af04 by Florence Blanc-Renaud at 2020-10-13T09:57:32+02:00
ipatests: add tests to 389ds regression
The following tests can be used to detect regressions with 389-ds:
- test_integration/test_replica_promotion.py::TestHiddenReplicaPromotion
- test_integration/test_dns_locations.py
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
fbd7d771 by Florence Blanc-Renaud at 2020-10-13T10:03:47+02:00
rpmspec: ensure ipa snippet for sshd is always included
Whn openssh-server > 8.2 is installed, ipa rpmspec moves its
configuration directives to /etc/ssh/sshd_config.d/04-ipa.conf
but doesn't check that the 04-ipa.conf is included from
/etc/ssh/sshd_config.
The fixes ensures that the snippet is always included, either
through the line Include /etc/ssh/sshd_config.d/*.conf or
directly with Include /etc/ssh/sshd_config.d/04-ipa.conf
Fixes: https://pagure.io/freeipa/issue/8535
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
7bbb9971 by François Cami at 2020-10-13T10:07:45+02:00
ipatests: tasks: add user_del
Add an "ipa user-del" frontend to tasks.py.
Related: https://pagure.io/freeipa/issue/8536
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
- - - - -
5de67028 by François Cami at 2020-10-13T10:07:45+02:00
ipatests: run freeipa-healthcheck on hidden replica
Run freeipa-healthcheck on a FreeIPA clusters with a
hidden replica to make sure a hidden replica is considered
fully healthy.
Fixes: https://pagure.io/freeipa/issue/8536
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
- - - - -
cb7d0964 by Florence Blanc-Renaud at 2020-10-13T16:51:32+02:00
ipatests: properly handle journalctl return code
The test test_installation.py::TestInstallMaster::test_selinux_avcs
is failing when no AVCs are detected because it is calling
journalctl --full --grep=AVC--since=yesterday
and the command exits with return code 1.
Call the command with raiseonerr=False to support this case.
Fixes: https://pagure.io/freeipa/issue/8541
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
a9d34c8e by Christian Heimes at 2020-10-19T09:53:29+02:00
Speed up cainstance.migrate_profiles_to_ldap
The ra_certprofile API is slow. It takes ~200ms to migrate and enable a
profile even when the profile already available. The migration step
slows down the installer and upgrader by about 12 to 15 seconds.
Skip all profiles that have been imported by Dogtag already.
Related: https://pagure.io/freeipa/issue/8522
Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
fa580712 by Christian Heimes at 2020-10-19T09:53:29+02:00
Reuse main LDAP connection
cainstance and krainstance now reuse the main LDAP connection
api.Backend.ldap2 in all helper functions. Some functions used to create
and tear down their own LDAP connection. This was a remnant of the old
CA LDAP instance in FreeIPA 3.x.
Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
139d60d7 by Rob Crittenden at 2020-10-19T12:56:22-04:00
Don't restart certmonger after stopping tracking in uninstall
certmonger was later restarted to remove the custom CA entries
and the startup delay sometimes caused uninstallation to fail.
certmonger is stopped in cainstance.py::uninstall() so it will
still be stopped post-install.
https://pagure.io/freeipa/issue/8533
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
41021c27 by Rob Crittenden at 2020-10-23T09:32:52-04:00
Add LDAP schema for new libpwquality attributes
Add new attributes for the maxrepeat, maxsequence, dictcheck and
usercheck features of libpwquality.
https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
6b452e54 by Rob Crittenden at 2020-10-23T09:32:52-04:00
Extend IPA pwquality plugin to include libpwquality support
Add options to support maxrepeat, maxsequence, dictcheck and
usercheck pwquality options.
https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
c03b4862 by Rob Crittenden at 2020-10-23T09:32:52-04:00
Add new pwpolicy objectclass to test_xmprpc/objectclasses.py
This defines the expected set of objectclasses in the XMLRPC
tests.
https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
3fc2eda4 by Rob Crittenden at 2020-10-23T09:32:52-04:00
Require libpwolicy and configure it in the build system
https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
c4cca53e by Rob Crittenden at 2020-10-23T09:32:52-04:00
Extend password policy to evaluate passwords using libpwpolicy
Enable checking:
maxrepeat - reject passwrods which contain more than N consecutive
characters.
maxsequence - rejected passwords which contain character sequences
(abcde).
dictcheck - check passwords using cracklib
usercheck - check whether the password contains the user name.
The class checking provided by libpwpolicy is not used because this
overlaps with the existing IPA checking. This includes the options
dcredit, ucredit, lcredit, ocredit, minclass and maxclassrepeat.
The pwquality min length is fixed at 6 so if there is a conflict between
the system policy and pwquality log that length is enforced at 6.
https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
46d00962 by Rob Crittenden at 2020-10-23T09:32:52-04:00
Add a unit test for libpwquality-based password policy
- with all policies disabled passwords are not evaluated
- the pwpolicy minimum overrides the existing IPA minimum
- max character repeats
- max character sequences (12345)
- palindrome
- dictionary check
- user name in the password check
https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
6da070e6 by Rob Crittenden at 2020-10-23T09:32:52-04:00
Pass the user to the password policy check in the kdb driver
If the entry contains a uid then pass that into the policy checker
for the usercheck policy check.
https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
be2efc12 by Rob Crittenden at 2020-10-23T09:32:52-04:00
Add a raiseonerr option to ldappasswd_user_change
This is so on tests for bad password one can catch the error
message.
https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
fe448359 by Rob Crittenden at 2020-10-23T09:32:52-04:00
ipatests: add test for password policies
Primarily testing integration of libpwpolicy but it also
exercises some of the existing policy.
https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
68aa7c05 by Rob Crittenden at 2020-10-23T09:32:52-04:00
Add SELinux policy so kadmind can read the crackdb dictionary
https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
f602da4b by Rob Crittenden at 2020-10-23T09:32:52-04:00
Requirements and design for libpwquality integration
https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
5155280b by Rob Crittenden at 2020-10-23T09:32:52-04:00
ipatests: Add test_pwpolicy to nightly runs
389ds testing is included since this exercises LDAP password
policy. pki testing is skipped since this is unrelated to
whether there is a CA or not.
https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
e28ec768 by Christian Heimes at 2020-10-26T17:11:19+11:00
Unify access to FQDN
FreeIPA's Python and C code used different approaches to get the FQDN of
the host. Some places assumed that gethostname() returns a FQDN. Other
code paths used glibc's resolver to resolve the current node name to a
FQDN.
Python code now uses the ipalib.constants.FQDN where a fully qualified
domain name is expected. The variable is initialized only once and avoids
potential DNS lookups.
C code uses a new helper function ipa_gethostfqdn() in util package. The
function implements similar logic as gethostfqdn() except it uses more
modern getaddrinfo(). The result is cached as well.
Fixes: https://pagure.io/freeipa/issue/8501
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
5d4ed65b by Christian Heimes at 2020-10-26T17:11:19+11:00
Replace nodename with ipa_gethostfqdn()
ipa_kdb and ipa-join now use ipa_gethostfqdn() instead of uname()'s nodename.
The code for hostname in ipa-join is simplified. Now the hostname is
auto-detected and verified in main(). All sub functions can now use the
hostname without additional checks. This removes a bunch of strdup(),
NULL checks, and free() calls.
Fixes: https://pagure.io/freeipa/issue/8501
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
b66b961f by Christian Heimes at 2020-10-26T17:11:19+11:00
Remove problematic optimization from gethostfqdn()
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
3d796a7e by Christian Heimes at 2020-10-26T17:11:19+11:00
Update debug strings to reflect new calls
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
727a2ffb by Christian Heimes at 2020-10-26T17:11:19+11:00
Easier to use ipa_gethostfqdn()
ipa_gethostfqdn() now returns a pointer to a statically allocated buffer
or NULL in case of an error. The caller no longer has to supply a
correctly allocated buffer.
Rename IPA_HOST_HOST to_LEN IPA_HOST_FQDN_LEN and use IPA_HOST_FQDN_LEN
wherever code copies a hostname supplied from ipa_gethostfqdn().
Clarify that MAXHOSTNAMELEN and MAXHOSTFQDNLEN are different things.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
3f59118f by Fraser Tweedale at 2020-10-26T17:11:19+11:00
ipa_sam: do not modify static buffer holding fqdn
ipa_sam was modifying the buffer returned by ipa_gethostfqdn().
Subsequent calls to ipa_gethostfqdn() returned the corrupt data,
causing other operations to fail.
Update ipa_sam to copy the string and modify the copy. Also
document this characteristic of ipa_gethostfqdn() and explain that
callers must not modify the returned data.
Part of: https://pagure.io/freeipa/issue/8501
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
8b6d1ab8 by Alexander Bokovoy at 2020-10-26T15:55:02-04:00
ipa-kdb: support subordinate/superior UPN suffixes
[MS-ADTS] 6.1.6.9.3.2 requires msDS-TrustForestTrustInfo attribute of
trusted domain information in Active Directory to conform certain rules.
One side-effect of those rules is that list of UPN suffixes reported
through the netr_DsRGetForestTrustInformation function is dynamically
filtered to deduplicate subordinate suffixes.
It means that if list of UPN suffixes contains the following top level
names (TLNs):
fabrikam.com
sub.fabrikam.com
then netr_DsRGetForestTrustInformation would only return 'fabrikam.com'
as the TLN, fully filtering 'sub.fabrikam.com'.
IPA KDB driver used exact comparison of the UPN suffixes so any
subordinate had to be specified exactly.
Modify logic so that if exact check does not succeed, we validate a
realm to test being a subordinate of the known UPN suffixes. The
subordinate check is done by making sure UPN suffix is at the end of the
test realm and is immediately preceded with a dot.
Because the function to check suffixes potentially called for every
Kerberos principal, precalculate and cache length for each UPN suffix at
the time we retrieve the list of them.
Fixes: https://pagure.io/freeipa/issue/8554
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
- - - - -
2f8eb73f by Rob Crittenden at 2020-10-27T15:50:19-04:00
Use a state to determine if a 389-ds upgrade is in progress
When applying update files to 389 the listeners are disabled.
There is a large try/except around this so that if a failure
happens then the configuration should be automatically
restored.
We've seen multiple cases where this doesn't occur. Best guess
is that users are killing or ^C breaking out of the script.
What happens in that case is that when the next upgrade is run
the configuration is backed up again overwriting the original
values. This leaves dirsrv with no listener on 389.
Add a new state, upgrade-in-progress, so that the backup of the
config information can be skipped when the upgrader is executed
again after a failure.
The idea behind using a new state value is that if additional
attributes are ever backed up we don't need to remember to update
the list of possible saved values to check to decide if the
upgrade is in progress.
https://pagure.io/freeipa/issue/7534
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
9ba0494c by Alexander Bokovoy at 2020-10-30T12:48:22-04:00
pylint: remove unused variable
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
b8b46779 by Alexander Bokovoy at 2020-10-30T12:48:22-04:00
rpcserver: fallback to non-armored kinit in case of trusted domains
MIT Kerberos implements FAST negotiation as specified in RFC 6806
section 11. The implementation relies on the caller to provide a hint
whether FAST armoring must be used.
FAST armor can only be used when both client and KDC have a shared
secret. When KDC is from a trusted domain, there is no way to have a
shared secret between a generic Kerberos client and that KDC.
[MS-KILE] section 3.2.5.4 'Using FAST When the Realm Supports FAST'
allows KILE clients (Kerberos clients) to have local settings that
direct it to enforce use of FAST. This is equal to the current
implementation of 'kinit' utility in MIT Kerberos requiring to use FAST
if armor cache (option '-T') is provided.
[MS-KILE] section 3.3.5.7.4 defines a way for a computer from a
different realm to use compound identity TGS-REQ to create FAST TGS-REQ
explicitly armored with the computer's TGT. However, this method is not
available to IPA framework as we don't have access to the IPA server's
host key. In addition, 'kinit' utility does not support this method.
Active Directory has a policy to force use of FAST when client
advertizes its use. Since we cannot know in advance whether a principal
to obtain initial credentials for belongs to our realm or to a trusted
one due to enterprise principal canonicalization, we have to try to
kinit. Right now we fail unconditionally if FAST couldn't be used and
libkrb5 communication with a KDC from the user realm (e.g. from a
trusted forest) causes enforcement of a FAST.
In the latter case, as we cannot use FAST anyway, try to kinit again
without advertizing FAST. This works even in the situations when FAST
enforcement is enabled on Active Directory side: if client doesn't
advertize FAST capability, it is not required. Additionally, FAST cannot
be used for any practical need for a trusted domain's users yet.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
abefd6e1 by Sudhir Menon at 2020-10-30T12:50:22-04:00
ipatests: ipa-healthcheck fixes for tests running on RHEL
Below tests have been modified accordingly
TestIpaHealthCheckFileCheck::test_ipa_filecheck_bad_owner
TestIpaHealthCheckFileCheck::test_ipa_filecheck_bad_group
TestIpaHealthCheckFileCheck::test_ipa_filecheck_bad_too_restrictive
TestIpaHealthCheckFileCheck::test_ipa_filecheck_too_permissive
TestIpaHealthCheckFileCheck::test_nssdb_filecheck_bad_owner
TestIpaHealthCheckWithExternalCA::test_opensslchainvalidation_ipa_ca_cert
TestIpaHealthCheckWithExternalCA::test_nsschainvalidation_ipa_invalid_chain
TestIpaHealthCheckWithExternalCA::test_ipahealthcheck_iparaagent
TestIpaHealthCheckWithExternalCA::test_ipahealthcheck_iparaagent_bad_serial
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
9a41966a by Sudhir Menon at 2020-10-30T12:52:01-04:00
ipatests: ipa-healthcheck test for DS BackendsCheck
This testcase checks that the BackendsCheck reports
the CRITICAL status when dse.ldif present in the
DS instance directory is renamed/moved.
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
563d0a07 by Alexander Bokovoy at 2020-10-30T19:06:11+02:00
rpcserver: fix exception handling for FAST armor failure
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
b8a2a0f3 by Sudhir Menon at 2020-10-30T15:24:03-04:00
ipatests: ipa-healthcheck test for EncryptionCheck
This testcase checks that EncryptionCheck reports ERROR status when DS tls version is
modified to TLS1.0
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
686414d2 by Sudhir Menon at 2020-11-02T11:24:12+01:00
ipatests: ipa-healthcheck test for DS RIPluginCheck
This testcase modifies the update value set on RI Plugin
to -1 as a result checks that RIPluginCheck reports warning message
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
2ef53196 by Rob Crittenden at 2020-11-02T10:43:57-05:00
Enable importing LDIF files not shipped by IPA
This is to be able to import ACME schema provided by dogtag.
https://pagure.io/freeipa/issue/8524
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
- - - - -
e13d058a by Rob Crittenden at 2020-11-02T10:43:57-05:00
Let dogtag.py be imported if the api is not initialized
This allows non-plugin components to import the RestClient
classes.
Removed code that only imported pki if in_server was True. This
was legacy code from when the plugins were also loaded in the
client.
Left the ra_plugin stanza for now. This is part of the old
abstraction that allowed for different CA plugins.
https://pagure.io/freeipa/issue/8524
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
- - - - -
c0d55ce6 by Rob Crittenden at 2020-11-02T10:43:57-05:00
Centralize enable/disable of the ACME service
The initial implementation of ACME in dogtag and IPA required
that ACME be manually enabled on each CA.
dogtag added a REST API that can be access directly or through
the `pki acme` CLI tool to enable or disable the service.
It also abstracted the database connection and introduced the
concept of a realm which defines the DIT for ACME users and
groups, the URL and the identity. This is configured in realm.conf.
A new group was created, Enterprise ACME Administrators, that
controls the users allowed to modify ACME configuration.
The IPA RA is added to this group for the ipa-acme-manage tool
to authenticate to the API to enable/disable ACME.
Related dogtag installation documentation:
https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configuring_ACME_Database.md
https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configuring_ACME_Realm.md
https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Installing_PKI_ACME_Responder.md
ACME REST API:
https://github.com/dogtagpki/pki/wiki/PKI-ACME-Enable-REST-API
https://pagure.io/freeipa/issue/8524
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
- - - - -
92c3ea4e by Rob Crittenden at 2020-11-02T10:43:57-05:00
Don't install ACME if full support is not available
The initial ACME support required that each server individually
enable/disable the service. PKI 10.10.0 stores this state in LDAP
so global enable/disable is available and the IPA code relies on
this.
Parse the VERSION file shipped with PKI to determine the version.
https://pagure.io/freeipa/issue/8524
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
- - - - -
69ae48c8 by Rob Crittenden at 2020-11-02T10:43:57-05:00
Add a status option to ipa-acme-manage
It's handy in general and good for testing to be able to
detect the current ACME status without having to revert
to using curl.
https://pagure.io/freeipa/issue/8524
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
- - - - -
e7fd7915 by Mohammad Rizwan at 2020-11-02T10:43:57-05:00
ipatests: Check if ACME is enabled on all CA servers
Test if ACME service is enabled on replica if eabled on
server. This is to check the centralize enable/disable
from single host.
ipatests: Test if ACME is enabled on replica when converted from CA-less to CA-full
Deployment where one server is deployed as CA-less and acme is enabled, when converted
to CA full, should have ACME enabled by default.
ipatests: Test ACME with CA-less replica when converted to CA-full
Deployment have one ca-less replica and ACME is not enabled.
After converting ca-less replica to ca-full, ACME can be
enabled or disabled.
related:
https://pagure.io/freeipa/issue/8524
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
- - - - -
d4ef64b2 by Rob Crittenden at 2020-11-02T10:43:57-05:00
ipatests: Collect the let's encrypt log
Collect the let's encrypt client log for any potential
debug purposes.
https://pagure.io/freeipa/issue/8524
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
- - - - -
43ea80ae by Sudhir Menon at 2020-11-02T17:34:38+01:00
ipatests: Fix for test_ipahealthcheck_ds_encryption
Nightly test failure was seen for test_ipahealthcheck_ds_encryption
The test was failing since @pytest.fixture was not specified before
the function modify_tls
Ref: https://pagure.io/freeipa/issue/8560
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
9c4785f0 by Mark Reynolds at 2020-11-02T13:42:37-05:00
Reorder creation of the CA mapping tree and database backend
New validation efforts in 389-ds-base require that the backend entry for
a database be created before the mapping tree entry. This enforces that
the mapping tree entry (the suffix) actually belongs to an existing backend.
For IPA we simply need to reverse the order of the backend vs mapping tree
creation in cainstance.py -> __create_ds_db()
Fixes: https://pagure.io/freeipa/issue/8558
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
2768b0db by Rob Crittenden at 2020-11-02T14:01:05-05:00
Require an ipa-ca SAN on 3rd party certs if ACME is enabled
ACME requires an ipa-ca SAN to have a fixed URL to connect to.
If the Apache certificate is replaced by a 3rd party cert then
it must provide this SAN otherwise it will break ACME.
https://pagure.io/freeipa/issue/8498
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
- - - - -
e0ff82c8 by Rob Crittenden at 2020-11-02T14:01:05-05:00
Change the return codes of ipa-acme-manage
Traditionally in IPA 0 = success, 1 = error and then
specific error messages follow from that. Shift the
ipa-acme-manage return codes for "not installed" and
"not a CA" up by one.
https://pagure.io/freeipa/issue/8498
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
- - - - -
c8f13cd8 by Rob Crittenden at 2020-11-02T14:01:05-05:00
ipatests: Add tests for requiring ipa-ca SAN when ACME is enabled
Test that:
1. With ACME enabled, SAN is required
2. With ACME disabled, SAN is not required
Also verify the ipa-acme-manage status command.
https://pagure.io/freeipa/issue/8498
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
- - - - -
c053b5e0 by Florence Blanc-Renaud at 2020-11-03T09:49:22+02:00
ipatests: curl outputs the cookie in stderr and not in sdtout
The integration test test_trust.py::TestTrust::test_password_login_as_aduser
is expecting curl to output the cookie obtained after password login
in stdout but should use stderr instead.
Fixes: https://pagure.io/freeipa/issue/8559
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
2b1230e5 by Sudhir Menon at 2020-11-04T09:23:41+01:00
ipatests: Fix for test_ipahealthcheck_ds_riplugincheck
Fix for Nightly test failure in
test_ipahealthcheck.py::TestIpaHealthCheck::test_ipahealthcheck_ds_riplugincheck
Pagure: https://pagure.io/freeipa/issue/8563
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
b60d2d97 by Rob Crittenden at 2020-11-06T16:29:41-05:00
Add ipwpwdpolicy objectclass to all policies on upgrade
ipapwdpolicy is the objectclass which defines the libpwquality
attributes. For older sytems it isn't strictly necessary (or
visible) but not having it included will result in policies
not being visible with pwpolicy-find.
https://pagure.io/freeipa/issue/8555
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
f86250a9 by Rob Crittenden at 2020-11-06T16:29:41-05:00
Test that ipapwpolicy objectclass is added on upgrade
Use ldapmodify to remove the objectclass from the default
global policy then run ipa-server-upgrade to confirm
that it is properly added.
https://pagure.io/freeipa/issue/8555
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
69b42f0c by Rob Crittenden at 2020-11-06T16:29:41-05:00
Catch EmptyResult exception in update_idranges
If no results are returned then find_entries will raise
EmptyResult and not NotFound. NotFound is returned if
the search base doesn't exist.
The test for not entries can be removed as well since this
is the EmptyResult case. In case of a NotFound this will
be handled by the ExecutionError clause.
Found with https://pagure.io/freeipa/issue/8555
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
81cbee4e by Alexander Bokovoy at 2020-11-06T16:32:42-05:00
ipa-kdb: fix crash in MS-PAC cache init code
When initializing UPN suffixes, we calculate their sizes and didn't use
the right variable to allocate their size. This affects us if there are
more than one UPN suffix available for a trust due to memory corruption
while filling in sizes.
Add unit test for multiple UPN suffixes.
Fixes: https://pagure.io/freeipa/issue/8566
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
- - - - -
91706690 by Alexander Bokovoy at 2020-11-06T16:38:37-05:00
wgi/plugins.py: ignore empty plugin directories
Dynamic plugin registry returns as a plugin any folder within the
plugins directory. Web UI then attempts to load for each plugin 'foo' a
JavaScript file named 'foo/foo.js'. The problem is that if 'foo/foo.js'
does not exist, Web UI breaks and it is impossible to recover until the
empty folder is removed or 'foo/foo.js' (even empty) is created at the
server side.
Check that 'foo/foo.js' actual exists when including a plugin into the
registry.
Test the registry generator by creating fake plugins and removing them
during the test.
Fixes: https://pagure.io/freeipa/issue/8567
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
b7be1a24 by Sudhir Menon at 2020-11-09T09:06:11+01:00
ipatests: ipa-healthcheck tests for DS checks
1. test_ipahealthcheck_ds_configcheck
checks ensures that warning message is displayed by ConfigCheck
when high resolution timestamp is disabled
2. test_ipahealthcheck_ds_fschecks
Test has been now moved under Class TestIpaHealthCheckFileCheck
This testcase checks that when permission of pwdfile.txt is changed
to other than 400, FSCheck returns CRITICAL status
3. test_ds_configcheck_passwordstorage
This test checks that critical status is displayed by
ConfigCheck when rootpwstoragescheme is set to MD5 instead
of the required PBKDF2_SHA256
4. test_ipahealthcheck_topology_with_ipactl_stop
This testcase ensures that ipahealthcheck.ipa.topology check
doesnot display 'source not found' on a system when ipactl
stop is run
5. Modified testcase name
the testcase name and description have been modified to match
the actual testcase executed
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
617f7824 by Sudhir Menon at 2020-11-09T09:06:11+01:00
Added nsslapd-logging-hr-timestamps-enabled attribute in _SINGLE_VALUE_OVERRIDE table
In ipa-healthcheck ds-related tests i.e
test_ipahealthcheck.py::TestIpaHealthCheck::test_ipahealthcheck_ds_configcheck
there exists a scenario of modifying the "nsslapd-logging-hr-timestamps-enabled" attribute to off
The tests are failing with the below error
"ipalib.errors.MidairCollision: change collided with another change"
The test audit log displays that the attribute is deleted first and then added.
changetype: modify
delete: nsslapd-logging-hr-timestamps-enabled
nsslapd-logging-hr-timestamps-enabled: on
-
add: nsslapd-logging-hr-timestamps-enabled
nsslapd-logging-hr-timestamps-enabled: off
Adding the nsslapd-logging-hr-timestamps-enabled attribute in _SINGLE_VALUE_OVERRIDE table
to check if we generate a replace instead of add and delete.
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
26b9a697 by Rob Crittenden at 2020-11-09T09:41:27-05:00
Wrap libpwquality PKG_CHECK_MODULES in ENABLE_SERVER test
libpwquality is only needed when building a server. Don't test
for it in a client build.
https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ab9ef13f by Florence Blanc-Renaud at 2020-11-09T16:05:43-05:00
ipatests: IPADNSSystemRecordsCheck also checks for AAAA records
With commit 02c3b27 that has been included in ipa-healthcheck 0.7,
IPADNSSystemRecordsCheck also checks the presence of an AAAA record
for ipa-ca.
The test needs to handle this case and expect an error message for
missing ipa-ca AAAA record.
Fixes: https://pagure.io/freeipa/issue/8573
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
3d2a4f25 by Florence Blanc-Renaud at 2020-11-09T16:06:40-05:00
ipatests: ipa-acme-manage status returns 3 on a CA-less server
test_acme.py::TestACMECALess::test_enable_caless_to_cafull_replica is
running ipa-acme-manage status on a CA-less server and wrongly
expects retcode =1. According to the man page, the command returns 3
when executed on a server where the CA is not installed.
Fixes: https://pagure.io/freeipa/issue/8572
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
59150318 by Andika Triwidada at 2020-11-11T10:20:47+02:00
Translated using Weblate (Indonesian)
Currently translated at 6.8% (321 of 4676 strings)
Translated using Weblate (Indonesian)
Currently translated at 2.9% (136 of 4676 strings)
Co-authored-by: Andika Triwidada <andika at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/id/
Translation: freeipa/master
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
b153b23c by Fraser Tweedale at 2020-11-11T10:24:38+02:00
dns: allow PTR records in arbitrary zones
PTR records in zones other than in-addr.arpa and in6.arpa are legal,
e.g. DNS-SD [RFC6763] uses such records. If in a reverse zone
proceed with the existing checks, otherwise just accept the record.
Fixes: https://pagure.io/freeipa/issue/5566
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3ab3578b by Rob Crittenden at 2020-11-11T10:29:25+02:00
On password reset also set krbLastAdminUnlock to unlock account
This fixes the case where an account is locked on one or more servers
and the password is reset by an administrator. The account would
remain locked on those servers for the duration of the lockout.
This is done by setting krbLastAdminUnlock to the current date and
time. The lockout plugin will see this and unlock the account. Since
the value should be replicated along with the password any server
that has the new password will also be unlocked.
This does incur an additional attribute that must be replicated,
whether it is needed or not, but since lockout is computed
per-server this is the only guaranteed way to be sure that the
account will be unlocked everywhere.
My original thought was to grab password replication events and detect
whether the user was locked out and unlock them. On any given server
you can only know if the user is locked out on that server by
computing it. Doing this would require generalizing the lockout code
so it could be computed on password change. krbLastFailedAuth could
be wiped which would unlock the account on that master (the attribute
is not replicated by default).
So it is complexity vs additional replication. Assuming that admin
reset is relatively rare let's start with that. This doesn't lock
us into this solution for the future.
We could set this attribute on user-driven password changes as
well but the original ask and my thinking are that if you forgot
your password and got locked out, how can you change it yourself?
Upon reflection I guess a user could fat-finger it a bunch of times
against one IPA server then have a revelation and log in against a
different server. So they would still be locked out for the duration
on the first one. I'm not sure the extra replication is worth it for
user-generated password changes or that users would be saavy enough
to try another server for the change.
https://pagure.io/freeipa/issue/8551
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ca6fc689 by Rob Crittenden at 2020-11-11T10:29:25+02:00
ipatests: Test that password reset unlocks users too
The basic idea is:
* add a user with a password
* kinit with a bad password for the user until lockout
* on another server administratively reset the password
* wait for replication to finish
* kinit on the original server again and the user should
be able to kinit again meaning the lockout was removed
https://pagure.io/freeipa/issue/8551
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
bbe99012 by Fraser Tweedale at 2020-11-11T14:08:35+02:00
mailmap: add ftweedal
I noticed from draft release notes that some commits with a
different email address slipped in. Add myself to mailmap so that I
do not have doppelganger.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
9dccf17a by Mohammad Rizwan at 2020-11-12T15:14:12-05:00
External-CA scenarios for ACME service
Inherited the TestACME class by overriding install()
to install the ipa master with external CA. It will
setup the External-CA and will call all the test
method from TestACME class.
related: https://pagure.io/freeipa/issue/4751
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
cbbfcd9b by Mohammad Rizwan at 2020-11-12T15:14:12-05:00
PEP8 fixes for test_acme.py
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c4a6b0e5 by Mohammad Rizwan at 2020-11-12T15:14:12-05:00
Move acme client installation part to classmethod
Moved the acme client installation part to classmethod
so that it can be leveraged further.
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
3722013d by Armando Neto at 2020-11-16T09:26:48-03:00
ipatests: Update PRCI Fedora 32 templates
Updating templates with upgraded packages installed.
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
1512acc7 by Serhii Tsymbaliuk at 2020-11-16T16:04:40+01:00
WebUI: Fix topology graph navigation crash
Add get_navigation_options method to all facet variations to unify forming facet links.
Ticket: https://pagure.io/freeipa/issue/8523
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
69368fcc by Serhii Tsymbaliuk at 2020-11-16T16:04:40+01:00
WebUI tests: Add simple test to check topology graph page is available
Ticket: https://pagure.io/freeipa/issue/8523
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
a33530f2 by Florence Blanc-Renaud at 2020-11-17T08:39:59+01:00
ipatests: temporarily remove test_dnssec.py::TestInstallDNSSECFirst from gating
The test test_dnssec.py::TestInstallDNSSECFirst is failing due to known
issue https://pagure.io/freeipa/issue/8496
currently under investigation by 389ds team.
In the meantime, remove the test from gating to avoid blocking the PRs.
Related: https://pagure.io/freeipa/issue/8496
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
be006ad6 by Stanislav Levin at 2020-11-17T14:25:39+02:00
ipatests: Respect platform's openssl dir
There are different build configurations of OpenSSL from one distro
to another. For example,
Debian: '--openssldir=/usr/lib/ssl',
Fedora: '--openssldir=/etc/pki/tls',
openSUSE: '--openssldir=/etc/ssl',
ALTLinux: '--openssldir=/var/lib/ssl'.
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
94adee3c by Stanislav Levin at 2020-11-17T14:25:39+02:00
EPN: Don't downgrade security
If an administrator requests `smtp_security=starttls`, but SMTP
server disables STARTTLS, then EPN downgrade security to `none`,
which means plain text. Administrator doesn't expect such behavior.
Fixes: https://pagure.io/freeipa/issue/8578
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
977063a5 by Stanislav Levin at 2020-11-17T14:25:39+02:00
test_epn: Standardize EPN configs for deduplication
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
32aa1540 by Stanislav Levin at 2020-11-17T14:25:39+02:00
EPN: Enable certificate validation and hostname checking
https://pagure.io/freeipa/issue/8579
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
17f430ef by Stanislav Levin at 2020-11-17T14:25:39+02:00
EPN: Allow authentication by SMTP client's certificate
SMTP server may ask or require client's certificate for verification.
To support this the underlying Python's functionality is used [0].
Added 3 new options(corresponds to `load_cert_chain`):
- smtp_client_cert - the path to a single file in PEM format containing the
certificate.
- smtp_client_key - the path to a file containing the private key in.
- smtp_client_key_pass - the password for decrypting the private key.
[0]: https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_cert_chain
Fixes: https://pagure.io/freeipa/issue/8580
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
82e69008 by Stanislav Levin at 2020-11-17T14:25:39+02:00
ipatests: Collect EPN log for debugging
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
249097c6 by Robbie Harwood at 2020-11-17T14:27:28+02:00
Update kdcpolicy design doc for jitter implementation
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
0d67180f by Robbie Harwood at 2020-11-17T14:27:28+02:00
ipa-kdb: implement AS-REQ lifetime jitter
Jitter is always enabled, so there is no additional configuration.
An earlier version of this patch was authored by Becky Shanley.
Fixes: https://pagure.io/freeipa/issue/8010
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f513a55d by Alexander Bokovoy at 2020-11-17T18:48:24+02:00
ipa-kdb: fix gcc complaints
In file included from /usr/include/string.h:519,
from /usr/include/lber.h:30,
from /usr/include/ldap.h:30,
from ipa_kdb.h:37,
from ipa_kdb_mspac.c:26:
In function 'strncpy',
inlined from 'get_server_netbios_name' at ipa_kdb_mspac.c:2358:5,
inlined from 'ipadb_reinit_mspac' at ipa_kdb_mspac.c:2813:39:
/usr/include/bits/string_fortified.h:91:10: warning: 'strncpy' specified bound 255 equals destination size [-Wstringop-truncation]
91 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fixes: https://pagure.io/freeipa/issue/8585
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
fc11c565 by Alexander Bokovoy at 2020-11-17T18:48:24+02:00
ipa-kdb: fix gcc complaints in kdb tests
We use string_to_sid() from internal Samba libraries, so we have to link
to it properly.
In addition, size_t is (long unsigned int), just cast to (int) in
asprintf.
Fixes: https://pagure.io/freeipa/issue/8585
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d99b7d0b by Alexander Bokovoy at 2020-11-17T18:48:24+02:00
ipa-sam: fix gcc complaints on Rawhide
In file included from /usr/include/string.h:519,
from /usr/include/lber.h:30,
from /usr/include/ldap.h:30,
from ipa_sam.c:12:
In function 'strncpy',
inlined from 'save_sid_to_secret' at ipa_sam.c:4478:2,
inlined from 'pdb_init_ipasam' at ipa_sam.c:4985:12:
/usr/include/bits/string_fortified.h:91:10: warning: 'strncpy' specified bound 255 equals destination size [-Wstringop-truncation]
91 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fixes: https://pagure.io/freeipa/issue/8585
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
b36f2248 by Alexander Bokovoy at 2020-11-17T18:48:24+02:00
ipa-otpd: fix gcc complaints in Rawhide
In file included from /usr/include/string.h:519,
from /usr/include/lber.h:30,
from /usr/include/ldap.h:30,
from internal.h:27,
from main.c:31:
In function 'strncpy',
inlined from 'main' at main.c:237:5:
/usr/include/bits/string_fortified.h:91:10: warning: 'strncpy' specified bound 255 equals destination size [-Wstringop-truncation]
91 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fixes: https://pagure.io/freeipa/issue/8585
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
935a4615 by Alexander Bokovoy at 2020-11-17T18:48:24+02:00
ipa-acme-manage: user a cookie created for the communication with dogtag REST endpoints
The cookie in ACME processing was supposed to be passed as a part of the
REST request but we did not pass those additional headers. Pylint on
Rawhide noticed that headers objects were left unused.
2020-11-13T11:26:46.1038078Z Please wait ...
2020-11-13T11:26:46.1038385Z
2020-11-13T11:28:02.8563776Z ************* Module ipaserver.install.ipa_acme_manage
2020-11-13T11:28:02.8565974Z ipaserver/install/ipa_acme_manage.py:50: [W0612(unused-variable), acme_state.__exit__] Unused variable 'headers')
2020-11-13T11:28:02.8567071Z ipaserver/install/ipa_acme_manage.py:57: [W0612(unused-variable), acme_state.enable] Unused variable 'headers')
2020-11-13T11:28:02.8568031Z ipaserver/install/ipa_acme_manage.py:63: [W0612(unused-variable), acme_state.disable] Unused variable 'headers')
Fixes: https://pagure.io/freeipa/issue/8584
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
6e1eaad8 by Alexander Bokovoy at 2020-11-17T18:48:24+02:00
Azure CI: use Ubuntu-20.04 image by default
Ubuntu 20.04 image is available in Azure Pipelines, migrate to it.
https://github.com/actions/virtual-environments/blob/main/images/linux/Ubuntu2004-README.md
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1bf0d628 by Alexander Bokovoy at 2020-11-17T18:48:24+02:00
Azure CI: use PPA to provide newer libseccomp version
Linux 5.8 made faccessat2() system call available in August 2020. This
system call is used now by GNU libc to implement more precisely
faccessat() system call. GNU glibc does compile-time check for the
kernel version and uses faccessat2() unconditionally in case it is
available. If kernel responds with ENOSYS error code, GNU libc will
attempt to use older, less flexible, faccessat(() system call.
When running on a system where libseccomp does not know about the new
syscall, the default action in seccomp filters in Docker and other
container runtimes is to respond with EPERM error code. This breaks GNU
libc's implementation of the faccessat() function -- as well as other
newer syscall implementations (e.g. statx()).
libseccomp started to support faccessat2() in July 2020 with
https://github.com/seccomp/libseccomp/commit/5696c896409c1feb37eb502df33cf36efb2e8e01
(version 2.5.0: https://github.com/seccomp/libseccomp/releases/tag/v2.5.0)
With Ubuntu 20.04 as a host, use PPA abbra/freeipa-libseccomp which
provides libseccomp 2.5.0 rebuild from Debian Sid.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
2e382cdd by Robbie Harwood at 2020-11-17T18:48:24+02:00
Drop upper bound on krb5 version in freeipa.spec
This check is no longer needed now that krb5 exports the KDB version.
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
39d0dd33 by Alexander Bokovoy at 2020-11-17T18:48:24+02:00
spec: use pkgconf to find out krb5 version
In Fedora 33 RPM migrated to use SQLITE as its database format. When
COPR builders run on Fedora 33 and build a package for older Fedora
version that uses RPM with BDB backend, RPM inside the build environment
will not be able to open its own database (SQLITE).
Replace use of RPM to discover krb5 version by use of pkgconf which
provides the same output but doesn't need to look into RPM database.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
f9776291 by Alexander Bokovoy at 2020-11-17T18:48:24+02:00
Azure CI: mask chronyd in the container
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ff79c0ce by Alexander Bokovoy at 2020-11-17T19:00:52+02:00
Add contributors from translations project at Weblate
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
038645d8 by Alexander Bokovoy at 2020-11-17T19:03:07+02:00
Translations: update translations template
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a1f3e3b8 by Alexander Bokovoy at 2020-11-17T19:07:03+02:00
Become FreeIPA 4.9.0 release candidate 1
- - - - -
25eebb21 by Mohammad Rizwan at 2020-11-18T11:44:18-05:00
ipatests: Test certmonger IPA responder switched to JSONRPC
This is to test if certmonger IPA responder swithed to JSONRPC
from XMLRPC
related: https://pagure.io/freeipa/issue/3299
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
- - - - -
1a09ce9f by Rob Crittenden at 2020-11-18T12:40:32-05:00
Use host keytab to obtain credentials needed for ipa-certupdate
This command doesn't require any permissions that a host doesn't
already have and it simplifies overall credential handling.
It also corrects the case where the server API cache is out of
date and there are no credentials available to refresh it which
can lead to a confusing error message.
Also switch to MEMORY-based ccache rather than file to avoid
having to clean up the filesystem.
https://pagure.io/freeipa/issue/8531
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
4941d3d4 by Rob Crittenden at 2020-11-18T12:40:32-05:00
ipatests: Test that ipa-certupdate can run without credentials
https://pagure.io/freeipa/issue/8531
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
244704cc by Alexander Bokovoy at 2020-11-18T13:32:16-05:00
util: Fix client-only build
Commit 26b9a697844c3bb66bdf83dad3a9738b3cb65361 did not fully fix the
client-only build as util/ipa_pwd.c unconditionally includes
pwquality.h.
Make sure we define USE_PWQUALITY in the full server configuration and
if that one is defined, include libpwquality use.
Fixes: https://pagure.io/freeipa/issue/8587
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
46f114d9 by Sudhir Menon at 2020-11-20T15:19:24-05:00
ipatests: Tests for ipahealthcheck.ds.nss_ssl
test_nsscheck_cert_expiring is moved under test_ipa_healthcheck_expiring
This patch checks that the 'ipahealthcheck.ds.nss_ssl' check in
healthcheck tool reports the correct status for the "Server-Cert"
about to expire and already expired respectively.
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
a525b2eb by Rob Crittenden at 2020-11-24T11:14:42-05:00
Create IPA ssh client configuration and move ProxyCommand
The ProxyCommand is non-executable if the user does not have
a valid shell (like /sbin/nologin) so skip it in that case.
https://pagure.io/freeipa/issue/7676
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d89e3abf by Rob Crittenden at 2020-11-24T11:14:42-05:00
ipatests: Test that Match ProxyCommand masks on no shell exec
Accounts without a shell should not execute ProxyCommand
otherwise the authorization will fail.
https://pagure.io/freeipa/issue/7676
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3cd6b81a by Rob Crittenden at 2020-11-25T20:42:49-03:00
ipatests: call the CALess install method to generate the CA
https://pagure.io/freeipa/issue/8581
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
de5baf85 by Rob Crittenden at 2020-11-25T20:42:49-03:00
ipatests: Configure a replica in TestACMEwithExternalCA
This subclasses TestACME which installs and configures a
replica in order to verify global enable/disable of ACME.
https://pagure.io/freeipa/issue/8581
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
5d286e79 by Rob Crittenden at 2020-11-25T20:42:49-03:00
ipatests: Clean up existing ACME registration and certs
The same base class is used for ACME setup and configuration.
Be sure to clean up any existing registraton prior to continuing
otherwise ACME register will complain.
https://pagure.io/freeipa/issue/8581
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
b474b263 by Rob Crittenden at 2020-11-25T20:42:49-03:00
ipatests: configure MDStoreDir for mod_md ACME test
This directory defines the location for ACME-related files
used by mod_md. Specify and create it rather than relying
on defaults to both fix a test failure and to make the
files accessable for debugging purposes.
https://pagure.io/freeipa/issue/8581
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
75ad5757 by Rob Crittenden at 2020-11-25T20:42:49-03:00
ipatests: honor class inheritance in TestACMEwithExternalCA
TestACMEwithExternalCA subclasses TestACME which subclasses
CALessBase.
CALessBase is necessary to generate the certificates for the
test_third_party_certs() test.
This means that the TestACME install classmethod needs to be
called by its subclasses. But the install actually does the
installation of the servers as well so needs to be aborted
at that point in the case of a subclass.
https://pagure.io/freeipa/issue/8581
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
17f293e9 by Rob Crittenden at 2020-11-25T20:42:49-03:00
ipatests: Increase timeout for ACME in gating.yaml
Increase to 7200 from 3600 to match other executions.
Related: https://pagure.io/freeipa/issue/8581
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
a3c5c719 by Armando Neto at 2020-11-25T20:42:49-03:00
ipatests: Bump PR-CI templates
Update box to force update dependencies on pki-* and
selinux-policy.
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
17a4198a by Robbie Harwood at 2020-11-26T14:09:50+01:00
Fix krbtpolicy tests
0d67180f7d2d0c6b5856db7061c44521f6a13c23 introduced the with_admin
fixture using class scope, which caused test failures as pytest
instantiated it before the multihost fixture.
It additionally failed to account for jitter - the issued ticket becomes
within a window of the expected lifetime, so we need to include the
ticket lifetime jitter into that calculation.
Finally, the PKINIT test could not have ever worked because PKINIT is
not set up as part of policy testing.
Related: https://pagure.io/freeipa/issue/8590
Also-authored-by: Rob Crittenden <rcritten at redhat.com>
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
7e605e95 by Sudhir Menon at 2020-11-26T16:31:16+01:00
ipatests: support subordinate upn suffixes
This test adds new UPN Suffix on the AD side
within the ad.test subtree i.e new.ad.test and this
UPN is then assigned to aduser and then try to
kinit using aduser along with the UPN set, to ensure
that the kinit succeeds
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
381cc5e8 by Alexander Bokovoy at 2020-11-26T16:31:16+01:00
ad trust: accept subordinate domains of the forest trust root
Commit 8b6d1ab854387840f7526d6d59ddc7102231957f added support for
subordinate UPN suffixes but missed the case where subordinate UPN is a
subdomain of the forest root domain and not mentioned in the UPN
suffixes list.
Correct this situation by applying the same check to the trusted domain
name as well.
Fixes: https://pagure.io/freeipa/issue/8554
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
08bbd0a2 by Antonio Torres Moríñigo at 2020-11-27T08:41:55+01:00
ipa-client-install manpage: add ipa.p11-kit to list of files created
Add missing ipa.p11-kit file to list of files created in
ipa-client-install manpage.
https://pagure.io/freeipa/issue/8424
Signed-off-by: Antonio Torres Moríñigo <atorresm at protonmail.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
06a7db18 by Florence Blanc-Renaud at 2020-12-01T08:40:36+01:00
Always define the path DNSSEC_OPENSSL_CONF
The variable was None by default and set to /etc/ipa/dnssec/openssl.cnf
for fedora only because the code is specific to the support of pkcs11
engine for bind. As a consequence ipa-backup had a "None" value in the
list of files to backup and failed on Exception.
ipa-backup code is able to handle missing files, and the code using
the pkcs11 engine is called only when NAMED_OPENSSL_ENGINE is set
(only in fedora so far). It is safe to always define a value for
DNSSEC_OPENSSL_CONF even on os where it does not exist.
The fix also improves the method used to verify that a path exists.
Fixes: https://pagure.io/freeipa/issue/8597
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
826dccc9 by Mark Reynolds at 2020-12-01T11:34:37+01:00
Accept 389-ds JSON replication status messages
389-ds now stores a replication agreement status message in a JSON
string in a new attribute:
replicaLastInitStatusJSON
replicaLastUpdateStatusJSON
The original status attributes' values are not changing at this time,
but there are plans to do so eventually as the old status format is
confusing.
http://www.port389.org/docs/389ds/design/repl-agmt-status-design.html
Fixes: https://pagure.io/freeipa/issue/7975
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
a9e1c014 by Rob Crittenden at 2020-12-01T13:05:40-05:00
Change KRA profiles in certmonger tracking so they can renew
Internal profiles were assigned which prevented rewewals.
dogtag is providing a new profile for the audit signing cert,
caAuditSigningCert.
There are existing profiles for the transport (caTransportCert)
and storage (caStorageCert) certificates.
https://pagure.io/freeipa/issue/8545
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
bd4771d7 by Rob Crittenden at 2020-12-01T13:05:40-05:00
Test that the KRA profiles can renewal its three certificates
The KRA was previously configured with Internal CA profiles
which did not work with the IPA RA.
Use public, common profiles to manage renewal of the KRA
subsystem certificates.
https://pagure.io/freeipa/issue/8545
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
3e530e93 by Rob Crittenden at 2020-12-01T13:05:40-05:00
Require PKI 10.10+ for KRA profile and ACME support
https://pagure.io/freeipa/issue/8545
https://pagure.io/freeipa/issue/8524
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
0d6caf5d by Rob Crittenden at 2020-12-02T10:20:31-05:00
Remove test for minimum ACME support and rely on package deps
This method was added temporarily while the required packages
were still under development and not available in stable
repositories.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ea67962d by Rob Crittenden at 2020-12-02T10:20:31-05:00
Reorder when ACME is enabled to fix failure on upgrade
On upgrading a server without ACME to one with ACME
the RA Agent DN needs to be added as a member of the
ACME Enterprise Users group. This was previously
done as part of the creation of that entry.
So on upgrade the RA Agent wouldn't be a member so
ipa-acme-manage didn't have access to operate against
the CA REST API.
In order to add the RA Agent to this group during installation
the ACME provisioning has to come after that step so it is
moved from the middle of an installation to the end and
the group addition moved into the setup_acme() method.
https://pagure.io/freeipa/issue/8603
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
20055dda by Rob Crittenden at 2020-12-02T14:30:38-05:00
Move where the restore state is marked during IPA server upgrade
There is still some exposure to killing in a bad place. This was
reproduced by killing the process in the parser.parse() call within
__restore_config (line 230) so the values were restored from the
backup but the new dse.ldif never written or copied. But the values
had already been restored from the state file.
I'm not sure this can ever be 100% bullet-proof since it can be
externally killed but if rather than calling restore_state() on the
values in __restore_config we use get_state() which will peek at the
values in the state file without removing them. Then the last step
is to pop upgrade-in-progress and then the rest.
If the values have been restored and the new ldif written and copied
then it's only upgrade-in-progress that really matters. The rest will
be overwritten.
https://pagure.io/freeipa/issue/7534
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4ba6a037 by Rob Crittenden at 2020-12-02T14:32:26-05:00
Allow Apache to answer to ipa-ca requests without a redirect
Any request other than the FQDN is redirected with a permanent
move (301). Allowing ipa-ca as a valid name saves a round-trip.
This is only allowed on /ca, /kra, /pki, /acme and /ipa/crl.
https://pagure.io/freeipa/issue/8595
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
b478bf99 by Rob Crittenden at 2020-12-02T14:32:26-05:00
ipatests: Test that ipa-ca.$domain can retrieve CRLs without redirect
https://pagure.io/freeipa/issue/8595
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
bf1d652f by Florence Blanc-Renaud at 2020-12-03T10:31:45+02:00
ipatests: fix TestTrust::test_subordinate_suffix
The test test_subordinate_suffix is failing when configuring the DNS
for the trust, because the dnsforwardzone already exists. It was
configured during the previous test for nonposix trust.
At the end of the tests for nonposix trust, unconfigure the DNS
and the trust before calling the subordinate_suffix test, and add
a test cleaning up subordinate_suffix test.
Fixes: https://pagure.io/freeipa/issue/8601
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4b56a4cb by Alexander Bokovoy at 2020-12-03T16:55:15-05:00
freeipa.spec.in: unify spec files across upstream RHEL, and Fedora
In order to reduce maintenance burden and to be able to use automatic
build tools, bring up the differences between RPM spec files in
upstream, RHEL, and Fedora to a minimum.
This gives us an opportunity to:
- start using proper conditional macros (%bcond_with/%bcond_without)
- remove old cruft where Fedora 31+ and RHEL8+ are already the same
- remove Group lines which already deprecated in Fedora packaging
policy
- remove buildroot cleanup
- support release candidate designations: mostly affects downstreams but
it is better to have macro support in the common spec file.
There is also a special handling of the %SOURCE1 (detached tarball
signature). In developer builds we wouldn't have the signature generated
but RPM needs all files mentioned as sources and patches to exist. The
solution is to filter out detached signature if the final component of
the IPA_VERSION starts with 'dev'. This should cover both in-source
builds (also used in Azure CI and COPR) and PR CI.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
2e1cbcb7 by Rob Crittenden at 2020-12-03T16:55:15-05:00
VERSION: back to git snapshots
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
848dffb5 by Rob Crittenden at 2020-12-03T19:46:43-05:00
Convert reset_to_default_policy into a pytest fixture
This ensures that the ticket policy will be reset even on
failure.
https://pagure.io/freeipa/issue/8589
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
51b186b6 by Rob Crittenden at 2020-12-03T19:46:43-05:00
Generate a unique cache for each connection
Rather than having a shared ccache per user, configure
mod_auth_gssapi to create a unique one. This requires cleanup
to remove expired caches. A new script is added,
ipa-ccache-sweeper to do this. It will be invoked by a
new service, ipa-ccache-sweep, which will be executed every
12 hours by an equally-named timer.
https://pagure.io/freeipa/issue/8589
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
22fa1a7e by Rob Crittenden at 2020-12-03T19:46:43-05:00
ipatests: test that stale caches are removed using the sweeper
- Force wipe all existing ccaches
- Set the ticket policy to a short value, 30 seconds.
- Do a series of kinit, ipa command, kdestroy to generate ccaches
- sleep(30)
- Run the sweeper
- Verify that all ccaches are gone
https://pagure.io/freeipa/issue/8589
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
068d0857 by Rob Crittenden at 2020-12-03T19:46:43-05:00
Enable the ccache sweep systemd timer
The associated service doesn't need to be enabled. Enabling the
timer is suffient for it to execute. It requires the timers
service so will be ready automatically to run on the configured
period.
https://pagure.io/freeipa/issue/8589
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
28ed75ca by Rob Crittenden at 2020-12-03T19:46:43-05:00
Increase timeout for krbtpolicy to 4800
The addition of test_ccache_sweep includes a number of sleeps
to force cache expiration.
https://pagure.io/freeipa/issue/8589
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
2d576d5b by Rob Crittenden at 2020-12-04T13:01:49+02:00
Skip the ACME mod_md test when the client is in enforcing mode
mod_md requires its own SELinux policy which is only available
in the upstream github. It is beyond the scope of this test to
maintain SELinux policy only for the scenario so skip it
if the client is in enforcing.
Note that no check needs to be done on OS because that is
already handled by the outer skipif for skip_mod_md_tests.
https://pagure.io/freeipa/issue/8514
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
5f36ee51 by Alexander Bokovoy at 2020-12-04T13:11:23+02:00
Update contributors
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e74d6409 by Alexander Bokovoy at 2020-12-04T13:12:54+02:00
Become FreeIPA 4.9.0rc2
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
30 changed files:
- + .copr/Makefile
- − .freeipa-pr-ci.yaml
- + .freeipa-pr-ci.yaml
- + .github/stale.yml
- .gitignore
- + .lgtm.yml
- .mailmap
- − .test_runner_config.yaml
- − .test_runner_config_py3_temp.yaml
- .tox-install.sh
- − .travis.yml
- − .travis_run_task.sh
- ACI.txt
- API.txt
- BUILD.txt
- Contributors.txt
- Makefile.am
- + Makefile.pythonscripts.am
- README.md
- VERSION.m4
- client/Makefile.am
- + client/certbot-dns-ipa.in
- client/config.c
- client/ipa-certupdate → client/ipa-certupdate.in
- + client/ipa-client-automount.in
- client/ipa-client-common.h
- client/ipa-client-install → client/ipa-client-install.in
- + client/ipa-client-samba.in
- install/tools/ipa-replica-prepare → client/ipa-epn.in
- client/ipa-getkeytab.c
The diff was not included because it is too large.
View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/-/compare/f84b3f39edb880183722f4814acc56ae1f8edba7...e74d6409902b83fb81a0aec251280375a90d6f07
--
View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/-/compare/f84b3f39edb880183722f4814acc56ae1f8edba7...e74d6409902b83fb81a0aec251280375a90d6f07
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeipa-devel/attachments/20201207/37f2eee9/attachment-0001.html>
More information about the Pkg-freeipa-devel
mailing list