[Pkg-freeipa-devel] [Git][freeipa-team/freeipa][master] 199 commits: Remove Fedora repository fastmirror selection

Timo Aaltonen gitlab at salsa.debian.org
Tue Jul 28 17:27:59 BST 2020



Timo Aaltonen pushed to branch master at FreeIPA packaging / freeipa


Commits:
a4ae4562 by Alexander Bokovoy at 2020-03-28T20:12:24-03:00
Remove Fedora repository fastmirror selection

Fast mirror selection somehow stopped working. If disabled, the
difference is around 20 seconds for the 'Prepare build environment' step
(2:49 versus 3:09), so while we are saving, currently it is not a lot.

Also remove explicit nodejs stream choice, it seems to be not needed
anymore (again).

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
d847f123 by François Cami at 2020-03-28T20:12:24-03:00
pr-ci templates: update test_fips timeouts

test_fips takes between 45 and ~80 mins to run.
The templates' timeout was 3600s which is too short for
successful execution. 7200s should do.

Fixes: https://pagure.io/freeipa/issue/8247
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
77409e2b by Sumedh Sidhaye at 2020-03-31T11:29:01-04:00
Test to check if Certmonger tracks certs in between reboots/interruptions and while in "CA_WORKING" state

When a resubmit request is submitted an "invalid cookie"
error message is no longer shown

Earlier an "invalid cookie" error message was shown when getcert list was called.

The fix allows an empty cookie in dogtag-ipa-ca-renew-agent-submit

Pagure Issue: https://pagure.io/freeipa/issue/8164

Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>

Fixup for test to verify that POLL will not error out on cookie

Author:    Rob Crittenden <rcritten at redhat.com>
Date:      Tue Mar 24 15:30:38 2020 -0400

Fixed review comments

Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
38e02682 by Alexander Bokovoy at 2020-03-31T11:55:35-04:00
Add 'api' and 'aci' targets to make

'makeapi' and 'makeaci' have to be run in a particular environment that
forces the IPA Python modules from the source tree to be used instead of
what might be installed system-wide.

Create 'make api' and 'make aci' targets to provide easy access to them.

Make sure we run Python interpreter with PYTHONPATH set to force use of
the source tree.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
b4fdb833 by Alexander Bokovoy at 2020-03-31T11:55:35-04:00
Allow rename of a host group

RN: host groups can now be renamed with IPA CLI:
RN: 'ipa hostgroup-mod group-name --rename new-name'.
RN: Protected hostgroups ('ipaservers') cannot be renamed.

Fixes: https://pagure.io/freeipa/issue/6783
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
f6171fd6 by sumenon at 2020-03-31T13:47:58-04:00
Test for ipahealthcheck.ipa.idns check when integrated DNS is setup

This testcase compares the output of ipahealthcheck.ipa.dns check
with the SRV records displayed by 'ipa dns-update-system-records --dry-run'
command executed on IPA server with integrated DNS setup.

https://bugzilla.redhat.com/show_bug.cgi?id=1695125

Signed-off-by: sumenon <sumenon at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
b55bdd21 by Sergey Orlov at 2020-04-01T11:34:09+02:00
ipatests: run test_integration/test_cert.py in PR-CI

Execute test_integration/test_cert.py test in gating and generic
nightly test runs

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
d22d55df by Sergey Orlov at 2020-04-01T11:34:09+02:00
ipatests: add missing classes from test_installation in nightly runs

The following test classes were missing in all nightly definitions:
* TestADTrustInstall
* TestADTrustInstallWithDNS_KRA_ADTrust
* TestKRAinstallAfterCertRenew

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
cc16712c by Sergey Orlov at 2020-04-01T11:34:09+02:00
ipatests: add AD DC as a DNS forwarder before establishing trust

"ipa trust-add" was not able to establish trust because it could not
find the AD domain controller.

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
8e1d5244 by Sergey Orlov at 2020-04-01T11:34:09+02:00
ipatests: explicitly save output of certutil

The test setup was failing because output redirection does not work in
run_command() when specified as list element.

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
e86558d1 by Sergey Orlov at 2020-04-01T11:34:09+02:00
ipatests: run all cases from test_integration/test_idviews.py in nightlies

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
48be293e by François Cami at 2020-04-02T14:33:51+02:00
nightly_ipa-4-8_previous.yaml: fix typo

Fix typo in prci_definitions/nightly_ipa-4-8_previous.yaml.

Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
00e2a488 by François Cami at 2020-04-03T11:45:28+02:00
ipatests: test ipa-backup with different role configurations.

ipa-backup should refuse to execute if the local IPA server does not
have all the roles used in the cluster.
A --disable-role-check knob should also be provided to bypass the
check.

Add an integration test for the new behavior and the knob.

Related: https://pagure.io/freeipa/issue/8217
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
69a2b6d7 by François Cami at 2020-04-03T11:45:28+02:00
test_backup_and_restore: add server role verification steps

Add calls to "ipa server-role" to check whether the server role
changes are applied before calling ipa-backup.

Related: https://pagure.io/freeipa/issue/8217
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
37a60b25 by François Cami at 2020-04-03T11:45:28+02:00
ipa-backup: Make sure all roles are installed on the current master.

ipa-backup does not check whether the IPA master it is running on has
all used roles installed. This can lead into situations where backups
are done on a CAless or KRAless host while these roles are used in the
IPA cluster. These backups cannot be used to restore a complete cluster.

With this change, ipa-backup refuses to execute if the roles installed
on the current host do not match the list of roles used in the cluster.
A --disable-role-check knob is provided to restore the previous behavior.

Fixes: https://pagure.io/freeipa/issue/8217
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
90eef2f8 by Mohammad Rizwan Yusuf at 2020-04-03T11:49:05+02:00
ipatests:Test if proper error thrown when AD user tries to run IPA commands

Before the fix, the error used to imply that the ipa setup is broken.
Fix is to throw the proper error. This test is to check that the
error with 'Invalid credentials' is thrown when AD user tries to run
IPA commands.

related: https://pagure.io/freeipa/issue/8163

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
80fe55d7 by Michal Polovka at 2020-04-03T18:48:59+02:00
Test for output being indented by default value if not stated implicitly.

Test checks whether output json-line string is indented by default value
if this value is not stated implicitly. Test compares healthcheck
produced json-like string with manually indented one.

Automates: 02272ff39d76f1412483c5e3289564c93d196a03
Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
fed6ad20 by Sergey Orlov at 2020-04-03T18:59:23+02:00
ipatests: add test for sssd behavior with disabled trustdomains

When a trusted subdomain is disabled in ipa, users from this domain
should not be able to access ipa resources.

Related to: https://pagure.io/SSSD/sssd/issue/4078

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
edbb913f by Sergey Orlov at 2020-04-03T18:59:23+02:00
update prci definitions for test_sssd.py

The test now requires AD domain + subdomain

Related to: https://pagure.io/SSSD/sssd/issue/4078

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
3e81b0f3 by Sergey Orlov at 2020-04-03T18:59:23+02:00
ipatests: add utility for getting sssd version on remote host

This function should be used to conditionally skip tests or
mark them xfail when installed version of sssd does not yet contain
patch for the tested issue.

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
fc253fe4 by Sergey Orlov at 2020-04-03T18:59:23+02:00
ipatests: add context manager for declaring part of test as xfail

This function provides functionality similar to pytest.mark.xfail
but for a block of code instead of the whole test function. This has
two benefits:
1) you can mark single line as expectedly failing without suppressing
   all other errors in the test function
2) you can use conditions which can not be evaluated before the test start.

The check is always done in "strict" mode, i.e. if test is expected to
fail but succeeds then it will be marked as failing.

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
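
An added example, not the ipatests implementation, of what such a strict, block-scoped xfail looks like in Python; `xfail_context`, `run_block`, the two check functions and the sssd version tuples are constructed for illustration:

```python
import contextlib
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple, Type, Union


class XfailStrictError(AssertionError):
    """Raised when a block marked expected-to-fail finishes without raising."""


@dataclass
class XfailReport:
    """Outcome of one block: 'xfailed', 'unexpected-pass', 'failed' or 'not-applied'."""
    reason: str
    outcome: str = "pending"
    exc: Optional[BaseException] = None


ExcSpec = Union[Type[BaseException], Tuple[Type[BaseException], ...]]


@contextlib.contextmanager
def xfail_context(reason: str, condition: bool = True, raises: ExcSpec = AssertionError):
    """Mark only the enclosed block, not the whole test function, as expected to fail.

    condition is evaluated on entry, so it can use facts learned during the test
    (here: a package version read from a remote host). raises limits which
    exception types count as the expected failure; any other exception is a real
    error and propagates. Strict semantics throughout: if condition holds and the
    block succeeds anyway, XfailStrictError is raised so the test fails.
    """
    report = XfailReport(reason=reason)
    if not condition:
        report.outcome = "not-applied"
        yield report            # run as ordinary test code; failures propagate
        return
    try:
        yield report
    except raises as exc:
        report.outcome = "xfailed"
        report.exc = exc        # the expected failure: swallow it and carry on
    except Exception as exc:
        report.outcome = "failed"
        report.exc = exc
        raise                   # wrong exception type: a genuine failure
    else:
        report.outcome = "unexpected-pass"
        raise XfailStrictError(f"block marked xfail ({reason}) passed unexpectedly")


def run_block(block: Callable[[], None], condition: bool = True,
              reason: str = "constructed example") -> str:
    """Run block under xfail_context and return its outcome; a strict failure is
    reported as 'strict-failure' so callers can inspect it instead of crashing."""
    try:
        with xfail_context(reason, condition=condition) as report:
            block()
    except XfailStrictError:
        return "strict-failure"
    return report.outcome


def known_bug_check() -> None:
    """Constructed stand-in for a check that fails until the sssd fix lands:
    a user from a disabled trust subdomain must not be able to log in."""
    disabled_domain_user_can_login = True      # constructed: bug still present
    assert not disabled_domain_user_can_login, "user from disabled domain got access"


def fixed_check() -> None:
    """Constructed stand-in for a check that already passes."""
    assert 1 + 1 == 2


def demo() -> Dict[str, str]:
    """Tie the context manager to a runtime condition, as the commit describes."""
    remote_sssd_version = (2, 2, 3)    # constructed: what a remote host reports
    fix_landed_in = (2, 3, 0)          # constructed: version carrying the fix
    fix_missing = remote_sssd_version < fix_landed_in
    return {
        "bug_on_old_sssd": run_block(known_bug_check, condition=fix_missing),
        "passes_but_still_marked": run_block(fixed_check, condition=fix_missing),
        "not_marked_when_fixed": run_block(fixed_check, condition=not fix_missing),
    }
```

The second entry of `demo()` is the strict case: once the fix is present but the block is still marked, the test fails instead of silently passing.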

- - - - -
8c68b920 by Sergey Orlov at 2020-04-03T18:59:23+02:00
ipatests: mark test_trustdomain_disable test as expectedly failing

The fix for issue https://pagure.io/SSSD/sssd/issue/4078 has not landed
in the Fedora 30 version yet.

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
8691e5f8 by François Cami at 2020-04-06T18:17:34+02:00
ipatests: move ipa_backup to tasks

* tasks had an ipa_backup() method that was not used anywhere.
* test_backup_and_restore had a backup() method that used to return
  both the path to the backup and the whole result from run_command;
  The path to the backup can be determined from the result.

Clean up:
* move test_backup_and_restore.backup to tasks.ipa_backup, replacing
  the unused method.
* add tasks.get_backup_dir(host) which runs ipa-backup on host and
  returns the path to the backup directory.
* adjust test_backup_and_restore and test_replica_promotion.

Related: https://pagure.io/freeipa/issue/8217
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
435e2bee by Rob Crittenden at 2020-04-06T15:00:28-04:00
Perform baseline healthcheck

Run healthcheck on a default installation and ensure that there
are no failures. This test ensures that a fresh IPA installation
will pass healthcheck.

https://bugzilla.redhat.com/show_bug.cgi?id=1774032

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
60d6defe by Stanislav Levin at 2020-04-08T11:26:17+03:00
Azure: Allow distros to install Python they want

The platforms may have different Pythons.
But due to [0] the Python installed via the 'UsePythonVersion@0'
task should be compatible with the container's 'libpythonxx.so'.
'AZURE_PYTHON_VERSION' platform variable is introduced to cover
this. So, if your distro has Python3.8, set the mentioned variable
to '3.8', later, this version will be installed by the
'UsePythonVersion@0' Azure task for 'WebUI_Unit_Tests' and 'Tox'
jobs.

To allow tox to run any Python3 environment the 'py3' one is used.
'py3' is the well-known Tox's environment, which utilizes 'python3'
executable.

[0]: https://github.com/microsoft/azure-pipelines-tasks/issues/11070

Fixes: https://pagure.io/freeipa/issue/8254
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
5325c723 by Stanislav Levin at 2020-04-08T14:09:00+03:00
Azure: Gather coredumps

Applications may crash.
If a crash happens on a remote system during CI run it's sometimes
very hard to understand the reason. The most important means to
analyze such is a stack trace. It's also very important to check
whether there was a core dump or not, even if a test passed.

For Docker environment, the core dumps are collected by the host's
systemd-coredump, which knows nothing about such containers (for
now). To build an informative thread stack trace debuginfo packages
should be installed. But they can't be installed on the host OS
(ubuntu). That's why after all the tests completed an additional
container should be up and the host's core dumps and host's journal
should be passed into it.

Even if there weren't enough debuginfo packages at CI-runtime, the
core dump could be analyzed locally later.

Fixes: https://pagure.io/freeipa/issue/8251
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
6fcc78b8 by Sam Morris at 2020-04-09T09:05:56+03:00
Debian: write out only one CA certificate per file

ca-certificates populates /etc/ssl/certs with symlinks to its input
files and then runs 'openssl rehash' to create the symlinks that libssl
uses to look up a CA certificate to see if it is trusted.

'openssl rehash' ignores any files that contain more than one
certificate: <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945274>.

With this change, we write out trusted CA certificates to
/usr/local/share/ca-certificates/ipa-ca, one certificate per file.

The logic that decides whether to reload the store is moved up into the
original `insert_ca_certs_into_systemwide_ca_store` and
`remove_ca_certs_from_systemwide_ca_store` methods. These methods now
also handle any exceptions that may be thrown while updating the store.

The functions that actually manipulate the store are factored out into
new `platform_{insert,remove}_ca_certs` methods, which implementations
must override.

These new methods also orchestrate the cleanup of deprecated files (such
as `/etc/pki/ca-trust/source/anchors/ipa-ca.crt`), rather than having
the cleanup code be included in the same method that creates
`/etc/pki/ca-trust/source/ipa.p11-kit`.

As well as creating `/usr/local/share/ca-certificates/ipa-ca`, Debian
systems will now also have
`/usr/local/share/ca-certificates/ipa.p11-kit` be created. Note that
`p11-kit` in Debian does not use this file.

Fixes: https://pagure.io/freeipa/issue/8106
Reviewed-By: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
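
An added example, not the FreeIPA platform code, of the one-certificate-per-file layout the commit describes, together with a check for files that 'openssl rehash' would skip; the `ipa-ca-<n>.crt` naming, the stale-file cleanup and the sample bundle (placeholder base64, not real certificates) are constructed assumptions:

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# One PEM certificate block; DOTALL lets the base64 body span lines.
_PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

# Constructed sample bundle: two "certificates" whose bodies are placeholders.
# The second one is CRLF-wrapped, as happens when a bundle is pasted from Windows.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBQTCCAOSAMPLEROOTCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\r\n"
    "MIIBQTCCAOSAMPLESUBCABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB\r\n"
    "BBBBBBBB\r\n"
    "-----END CERTIFICATE-----\r\n"
)
# Constructed third certificate used only to show cleanup of stale files.
THIRD_CERT = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBQTCCAOSAMPLEOLDCACCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC\n"
    "-----END CERTIFICATE-----\n"
)


def split_pem_bundle(bundle: str) -> List[str]:
    """Split a PEM bundle into individual certificates, each re-wrapped at 64
    columns with LF line endings so the output is stable however the input was
    wrapped."""
    certs = []
    for match in _PEM_CERT_RE.finditer(bundle):
        body = "".join(match.group(1).split())   # drop every newline/space
        if not body:
            continue                              # empty armor block: skip
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        certs.append(f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n")
    return certs


def count_certs_in_file(path: Path) -> int:
    """Number of certificate blocks in one file; rehash needs exactly one."""
    return len(_PEM_CERT_RE.findall(path.read_text()))


def write_one_cert_per_file(bundle: str, target_dir: Path, prefix: str = "ipa-ca") -> List[Path]:
    """Write every certificate in bundle to target_dir/<prefix>-<n>.crt and
    remove older <prefix>-*.crt files that are not part of the new set, so a
    re-run after a CA change never leaves a stale trust anchor behind."""
    target_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for n, cert in enumerate(split_pem_bundle(bundle), start=1):
        path = target_dir / f"{prefix}-{n}.crt"
        path.write_text(cert)
        written.append(path)
    for stale in target_dir.glob(f"{prefix}-*.crt"):
        if stale not in written:
            stale.unlink()
    return written


def files_with_multiple_certs(target_dir: Path) -> List[Path]:
    """Files that 'openssl rehash' would ignore (zero or several certs)."""
    return sorted(p for p in target_dir.glob("*.crt") if count_certs_in_file(p) != 1)


def demo() -> Dict[str, List[str]]:
    """Run two writes (three certs, then two) in a scratch directory and report
    what a practitioner would verify afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "ipa-ca"
        first = write_one_cert_per_file(SAMPLE_BUNDLE + THIRD_CERT, target)
        written = write_one_cert_per_file(SAMPLE_BUNDLE, target)
        # A whole bundle in one file is exactly what rehash silently skips.
        (target / "bundle.crt").write_text(SAMPLE_BUNDLE)
        return {
            "first_run": [p.name for p in first],
            "written": [p.name for p in written],
            "remaining": sorted(p.name for p in target.glob("ipa-ca-*.crt")),
            "ignored_by_rehash": [p.name for p in files_with_multiple_certs(target)],
        }
```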

- - - - -
d3209978 by Stanislav Levin at 2020-04-09T09:07:14+03:00
ipatests: Mark firewalld commands as no-op on non-firewalld distros

The FreeIPA integration tests strictly require Firewalld.
But not all the distros have such or any other high-level tool
for managing a firewall. Thus, to run integration tests on such systems
NoOpFirewall class has been added, which provides no-op firewalld
commands.

Fixes: https://pagure.io/freeipa/issue/8261
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
fa395cec by François Cami at 2020-04-09T15:12:16-03:00
ipatests: increase test_ipahealthcheck timeout

test_ipahealthcheck tends to take more than 3600s to run.
Increase timeout to 4800s.

Fixes: https://pagure.io/freeipa/issue/8262
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
089a3935 by Alexander Bokovoy at 2020-04-14T18:45:46+03:00
CVE-2020-1722: prevent use of too long passwords

NIST SP 800-63-3B sets a recommendation to have password length upper bound limited in A.2:

https://pages.nist.gov/800-63-3/sp800-63b.html#appA

	Users should be encouraged to make their passwords as lengthy as they
	want, within reason. Since the size of a hashed password is independent
	of its length, there is no reason not to permit the use of lengthy
	passwords (or pass phrases) if the user wishes. Extremely long passwords
	(perhaps megabytes in length) could conceivably require excessive
	processing time to hash, so it is reasonable to have some limit.

FreeIPA already applied 256 characters limit for non-random passwords
set through ipa-getkeytab tool. The limit was not, however, enforced in
other places.

MIT Kerberos limits the length of the password to 1024 characters in its
tools. However, these tools (kpasswd and 'cpw' command of kadmin) do not
differentiate between a password larger than 1024 and a password of 1024
characters. As a result, longer passwords are silently cut off.

To prevent silent cut off for user passwords, use limit of 1000
characters.

Thus, this patch enforces common limit of 1000 characters everywhere:
 - LDAP-based password changes
   - LDAP password change control
   - LDAP ADD and MOD operations on clear-text userPassword
   - Keytab setting with ipa-getkeytab
 - Kerberos password setting and changing

Fixes: https://pagure.io/freeipa/issue/8268

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-by: Simo Sorce <ssorce at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>

- - - - -
589c7fd0 by François Cami at 2020-04-15T14:31:37+02:00
ipatests: increase test_webui_server timeout

test_webui_server tends to take more than 3600s to run.
Increase timeout to 7200s.

Fixes: https://pagure.io/freeipa/issue/8266
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
d22ce3d0 by Christian Heimes at 2020-04-15T17:47:12-03:00
Use /run and /run/lock instead of /var

Also add runstatedir autoconf var. IPA requires autoconf 2.59. The
variable will be available with autoconf 2.70.

Fixes: https://pagure.io/freeipa/issue/8272
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f0c6d1e1 by Stasiek Michalski at 2020-04-16T13:58:50+02:00
Support for SUSE/openSUSE ipaplatform

Co-authored-by: Howard Guo <hguo at suse.com>
Co-authored-by: Daniel Molkentin <dmolkentin at suse.com>
Co-authored-by: Marcus Rückert <darix at nordisch.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
98045dc4 by Florence Blanc-Renaud at 2020-04-16T18:12:26+02:00
Man pages: fix syntax issues

Fix the syntax in ipa-cacert-manage.1 and default.conf.5

Fixes: https://pagure.io/freeipa/issue/8273
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
b6b41b34 by Michal Polovka at 2020-04-17T11:57:34-04:00
Test for healthcheck being run on replica with stopped master

Test checks whether healthcheck reports only that master is stopped
with no other false positives when services on IPA master are stopped.

Related: https://bugzilla.redhat.com/show_bug.cgi?id=1727900

Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
5688dd2c by Timo Aaltonen at 2020-04-18T10:44:47+03:00
use-bind9.16.diff: Fix some paths to what's in bind9 9.16.

- - - - -
cd7dcb19 by Mohammad Rizwan Yusuf at 2020-04-20T13:19:37-04:00
ipatests: Test to check password leak in apache error log

Host enrollment with OTP used to log the password in cleartext
to apache error log. This test ensures that the password should
not be logged in cleartext.

related: https://pagure.io/freeipa/issue/8017

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
fa09cc29 by Serhii Tsymbaliuk at 2020-04-22T08:19:30+02:00
Web UI: Upgrade Dojo version 1.13.0 -> 1.16.2

- upgrade dojo.js bundle
- fix prepare-dojo.sh
- update Dojo version in package.json (reference purpose only)

Ticket: https://pagure.io/freeipa/issue/8222

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
c3f97a9a by Christian Heimes at 2020-04-22T08:24:09+02:00
Fix various OpenDNSSEC 2.1 issues

Require OpenDNSSEC 2.1.6-5 with fix for RHBZ#1825812 (DAC override AVC)

Allow ipa-dnskeysyncd to connect to enforcer.sock (ipa_dnskey_t write
opendnssec_var_run_t and connectto opendnssec_t). The
opendnssec_stream_connect interface is available since 2016.

Change the owner of the ipa-ods-exporter socket to ODS_USER:ODS_GROUP.
The ipa-ods-exporter service already runs as ODS_USER.

Fixes: https://pagure.io/freeipa/issue/8283
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
9d10bc8d by Stanislav Levin at 2020-04-22T10:01:25+02:00
ipatests: Bump required Pytest

Ipatests utilize the 'timeout' arg for 'testdir.run()', which is
available since Pytest 3.9.1 [0]

[0]: https://github.com/pytest-dev/pytest/issues/4073
Fixes: https://pagure.io/freeipa/issue/8101

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
8c0192ac by Stanislav Levin at 2020-04-22T10:01:25+02:00
ipatests: Remove deprecated yield_fixture

'yield_fixture' is deprecated since Pytest3 [0].
FreeIPA requires at least 3.9.1. So, it can be safely removed.

[0]: https://docs.pytest.org/en/latest/yieldfixture.html

Fixes: https://pagure.io/freeipa/issue/8101
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
6e14cfc4 by Stanislav Levin at 2020-04-22T10:01:25+02:00
ipatests: Remove no longer needed 'get_marker'

'get_marker' was a compat shim for Pytest < 3.6.
Since the required Pytest is 3.9.1+, the workaround can be
removed.

Fixes: https://pagure.io/freeipa/issue/8101
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
f97341c6 by Stanislav Levin at 2020-04-22T10:01:25+02:00
ipatests: Remove no longer needed 'capture' compatibility

Since the required Pytest is 3.9.1+, old Pytest compat code can
be removed.

Fixes: https://pagure.io/freeipa/issue/8101
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
46518b49 by Stanislav Levin at 2020-04-22T10:01:25+02:00
ipatests: Remove no longer needed 'skip' compatibility

Since the required Pytest is 3.9.1+ the compat 'pytest.skip'
for Pytest < 3 can be removed.

Fixes: https://pagure.io/freeipa/issue/8101
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
b62f59fd by Stanislav Levin at 2020-04-22T10:01:25+02:00
ipatests: Specify Pytest XML report schema

Pytest 5.2+ warns if tests XML report is generated but its format (schema)
is not explicitly specified:
```
/root/.local/lib/python3/site-packages/_pytest/junitxml.py:417
  /root/.local/lib/python3/site-packages/_pytest/junitxml.py:417: PytestDeprecationWarning: The 'junit_family' default value will change to 'xunit2' in pytest 6.0.
  Add 'junit_family=xunit1' to your pytest.ini file to keep the current format in future versions of pytest and silence this warning.
    _issue_warning_captured(deprecated.JUNIT_XML_DEFAULT_FAMILY, config.hook, 2)
```

For example, xunit2 is used by jenkins and Pytest strictly conforms to its
schema [0]. Pytest's xunit1, in turn, allows to attach user fields to
report.

The only known client of IPA tests results is Azure. Azure supports
[1] JUnit, which is likely the same as Pytest's xunit1, while Azure's
xUnit2 is actually xUnit.net v2. This means that Azure supports (in
one form or another) both Pytest's xunit1 and xunit2 as JUnit.

[0]: https://github.com/jenkinsci/xunit-plugin/blob/xunit-2.3.2/src/main/resources/org/jenkinsci/plugins/xunit/types/model/xsd/junit-10.xsd
[1]: https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/test/publish-test-results?view=azure-devops&tabs=yaml

Fixes: https://pagure.io/freeipa/issue/8101
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
9d06a4a2 by Stanislav Levin at 2020-04-22T10:01:25+02:00
ipatests: Specify shell implementation

The shell command line options and parameters used there are bash-
specific. This results in an error when attempting to run
'ipa-run-tests' on systems where '/bin/sh' is pointing to another
shell, for example, dash on Ubuntu.

Fixes: https://pagure.io/freeipa/issue/8101
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
3244e279 by sumenon at 2020-04-23T14:07:31-04:00
ipatests: Test for ipahealthcheck.ds.ruv check

This test ensures that RUVCheck for ipahealthcheck.ds.ruv
source displays correct result

Signed-off-by: sumenon <sumenon at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
46008f5e by Serhii Tsymbaliuk at 2020-04-24T13:04:03+02:00
Web UI: Upgrade jQuery version 2.0.3 -> 3.4.1

Ticket: https://pagure.io/freeipa/issue/8284

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1d2ec182 by Christian Heimes at 2020-04-27T11:55:42+02:00
servrole: takes_params must be a tuple

The definition of servrole.takes_params was missing a comma.

Related: https://pagure.io/freeipa/issue/8290
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f812e2cd by Christian Heimes at 2020-04-27T16:48:12-04:00
Fix APIVersion.__getnewargs__

``__getnewargs__()`` must return a tuple.

Fixes ``E0312(invalid-getnewargs-returned), APIVersion.__getnewargs__]
 __getnewargs__ does not return a tuple)``.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
26a9241c by Christian Heimes at 2020-04-27T16:48:12-04:00
Fix exception escape warning

W1661(exception-escape), RPCClient.forward]
Using an exception object that was bound by an except handler)

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7509f425 by Christian Heimes at 2020-04-28T13:13:19+02:00
Use api.env.container_sysaccounts

Refactor code to use api.env.container_sysaccounts instead of
('cn', 'sysaccounts'), ('cn', 'etc')

Related: https://pagure.io/freeipa/issue/8276
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e74cfcc9 by Christian Heimes at 2020-04-28T13:13:19+02:00
Define default password policy for sysaccounts

cn=sysaccounts,cn=etc now has a default password policy to permit system
accounts with krbPrincipalAux object class. This allows system accounts
to have a keytab that does not expire.

The "Default System Accounts Password Policy" has a minimum password
length in case the password is directly modified with LDAP.

Fixes: https://pagure.io/freeipa/issue/8276
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ac67dc9d by Kaleemullah Siddiqui at 2020-04-28T09:21:03-04:00
Test for check of HostKeyAlgorithms option in ssh_config

Test checks that HostKeyAlgorithms is not present in
/etc/ssh/ssh_config after client install with option
-ssh-trust-dns.

https://pagure.io/freeipa/issue/8082

Signed-off-by: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
1bec1702 by sumenon at 2020-04-28T09:23:54-04:00
ipatests: Test for ipahealthcheck tool for IPADomainCheck.

This testcase checks that when trust isn't setup
between IPA server and Windows AD, IPADomainCheck
displays key value as domain-check and result is SUCCESS

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c45d4c8b by Timo Aaltonen at 2020-04-28T16:10:44+02:00
Debian: Use enable/disable_ldap_automount() from base

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
fc2e8549 by Timo Aaltonen at 2020-04-28T16:10:44+02:00
Debian: Use parse_ipa_version from redhat.

Needs librpm8 installed.

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
af94aad8 by Timo Aaltonen at 2020-04-28T16:10:44+02:00
ipatests/test_commands: Check sssd version like on test_sssd

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
99f4cb01 by Timo Aaltonen at 2020-04-28T16:10:44+02:00
ipatests/test_installation: Use knownservices to map the service name.

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
c43f3a71 by Christian Heimes at 2020-04-28T19:05:31+02:00
Add skip_if_platform marker

Make it easier to skip tests based on platform ID and platform LIKE_ID.

Skip some tests that are not working on Debian-like platforms

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
e58ca6a4 by Serhii Tsymbaliuk at 2020-04-30T20:26:13+02:00
WebUI tests: cover membership management with UI tests

Test cases:
- admin can add member manager for user/host group
- admin can add member manager group to user/host group
- member manager can add user to group
- member manager can remove user from group
- member manager can add host to host group
- member manager can remove host from host group

Ticket: https://pagure.io/freeipa/issue/8298

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
66818710 by François Cami at 2020-05-04T09:59:07+02:00
tox.ini: switch from W503 to W504

PEP8 recently changed from W503 to W504.
Line breaks should therefore come before operators.
See: https://www.python.org/dev/peps/pep-0008/#should-a-line-break-before-or-after-a-binary-operator

Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
0392dca5 by Miro Hrončok at 2020-05-04T14:11:47+02:00
Fix a syntax typo

This worked for now, but is SyntaxError in Python 3.9.0a6:

  File "/usr/lib/python3.9/site-packages/ipapython/cookie.py", line 222
    return'/'
         ^
SyntaxError: invalid string prefix

(The Python change might actually be reverted before 3.9 final,
but this can be fixed anyway.)

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
ef2a7456 by Christian Heimes at 2020-05-04T15:02:25+02:00
Address issues found by new pylint 2.5.0

* fix multiple exception-escape
* fix function signatures of DsInstance start/stop/restart
* silence f-string-without-interpolation
* fix too-many-function-args in host plugin

Fixes: https://pagure.io/freeipa/issue/8297
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
f289771b by Francisco Trivino at 2020-05-04T20:50:49+02:00
prci_definitions: remove test_smb from ipa-4-8 gating workflow

test_smb is broken. The failing test is blocking gating and fedora32 changes.
This commit removes the test from gating workflow. It will be enabled back once
it is stable and works.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
218e6556 by Viktor Ashirov at 2020-05-05T09:33:20+02:00
Update ACIs with the correct syntax

The value of the first character in target* keywords
is expected to be a double quote.

Fixes: https://pagure.io/freeipa/issue/8301

Signed-off-by: Viktor Ashirov <vashirov at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

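An added check for the syntax rule described in this commit (example code, not FreeIPA's own): a small linter that scans ACI values for `target*` keywords whose value does not open with a double quote. The sample ACIs are constructed for the example and are not taken from FreeIPA's LDIF.

```python
import re
from typing import List, Tuple

# Constructed sample ACIs (not from FreeIPA): the first two follow the expected
# syntax, the last two start a target* value without a double quote.
SAMPLE_ACIS = [
    '(targetattr = "cn || sn || givenName")(version 3.0;acl "Read users";'
    ' allow (read, search, compare) userdn = "ldap:///anyone";)',
    '(targetfilter = "(objectclass=ipausergroup)")'
    '(target = "ldap:///cn=*,cn=groups,cn=accounts,dc=ipa,dc=test")'
    '(version 3.0;acl "Modify groups"; allow (write)'
    ' groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=ipa,dc=test";)',
    '(targetattr = cn)(version 3.0;acl "Bad attr"; allow (read)'
    ' userdn = "ldap:///self";)',
    '(targetfilter = (objectclass=person))(version 3.0;acl "Bad filter";'
    ' allow (read) userdn = "ldap:///self";)',
]

# A target* keyword (target, targetattr, targetfilter, targetscope, ...), its
# comparison operator ("=" or "!="), and the first non-blank character of the
# value that follows it.
TARGET_KEYWORD = re.compile(r'\(\s*(target\w*)\s*(!?=)\s*(\S)')


def check_target_quoting(aci: str) -> List[str]:
    """Describe every target* keyword whose value does not begin with a double
    quote; an empty list means the ACI passes this check."""
    problems = []
    for match in TARGET_KEYWORD.finditer(aci):
        keyword, _operator, first_char = match.groups()
        if first_char != '"':
            problems.append(
                f"{keyword} value must start with a double quote, "
                f"found {first_char!r}"
            )
    return problems


def lint_acis(acis: List[str]) -> List[Tuple[int, str]]:
    """Lint a list of ACI values; returns (index, problem) pairs."""
    findings = []
    for index, aci in enumerate(acis):
        for problem in check_target_quoting(aci):
            findings.append((index, problem))
    return findings
```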
- - - - -
b590a674 by Christian Heimes at 2020-05-05T12:24:53+02:00
Make check_required_principal() case-insensitive

service-del deletes services by DN and LDAP DNs are compared
case-insensitive. Make check_required_principal() compare the
service name case insensitive.

Fixes: https://pagure.io/freeipa/issue/8308
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e3f7d9be by Christian Heimes at 2020-05-05T15:55:18+02:00
Simplify pki proxy conf

``pkispawn`` is being modified to use PKI CLI for installation.

Add ``/pki/rest`` to proxied routes and simplify location matching with
a prefix regular expression.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
033f8dc6 by Christian Heimes at 2020-05-05T19:11:37+02:00
Fix E266 too many leading '#' for block comment

Related: https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
c136aab0 by Christian Heimes at 2020-05-05T19:11:37+02:00
Fix E711 comparison to None

Related: https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
01c1cf67 by Christian Heimes at 2020-05-05T19:11:37+02:00
Fix E712 comparison to True / False

Related: https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
ef068bd3 by Christian Heimes at 2020-05-05T19:11:37+02:00
Fix E713 test for membership should be 'not in'

Related: https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
70dc4482 by Christian Heimes at 2020-05-05T19:11:37+02:00
Fix E714 test for object identity should be 'is not'

Related: https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
7be2ffea by Christian Heimes at 2020-05-05T19:11:37+02:00
Fix E721 do not compare types, use 'isinstance()'

Related: https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
45ddb4f1 by Christian Heimes at 2020-05-05T19:11:37+02:00
Fix E722 do not use bare 'except'

Related: https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
d44a3925 by Christian Heimes at 2020-05-05T19:11:37+02:00
Silence W601 .has_key() is deprecated

Related: https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
9c3d00b1 by Christian Heimes at 2020-05-05T19:11:37+02:00
Manually reformat ipapython/version.py.in

Add whitespaces around assignment operator and use consistent double
quotes.

https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
d80b98b9 by Christian Heimes at 2020-05-05T19:11:37+02:00
Reconfigure pycodestyle

Disable some warnings that are not PEP-8 compatible.

Disable warnings E731 and E741. IPA code uses ``l`` as variable names
and assignment of lambda expressions a lot.

Ignore auto-generated remote plugins and build directories.

Related: https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
787ce455 by Florence Blanc-Renaud at 2020-05-05T19:12:19+02:00
ipa-advise: fallback to /usr/libexec/platform-python if python3 not found

When ipa-advise generates a script to configure a client for smart card
auth, the script calls python3 to configure SSSD. The issue happens
if the server (when ipa-advise is run) and the client do not have
the same path for the python3 command.

By default, try to use python3 but if the command is not found, fallback
to /usr/libexec/platform-python (which is the python3 path on RHEL8).

Fixes: https://pagure.io/freeipa/issue/8311
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
07da5abd by Christian Heimes at 2020-05-05T20:19:01+02:00
Make ipaplatform a regular top-level package

ipaplatform was made a namespace package so that 3rd party OS
distributors can easily define their own distribution subpackage. Since
major distributions have contributed to FreeIPA project and no 3rd party
ipaplatform subpackage was uploaded to PyPI, it doesn't make much sense
to keep ipaplatform a namespace package.

The ipaplatform-*-nspkg.pth file for namespace package definition is
causing trouble with local testing on developer boxes.

Fixes: https://pagure.io/freeipa/issue/8309
See: https://pagure.io/freeipa/issue/6474
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7b39e5fb by Florence Blanc-Renaud at 2020-05-06T08:55:28+02:00
ipatests: enable 389-ds audit log and collect audit file

In test_integration, enable 389-ds audit log and auditfail log by setting
nsslapd-auditlog-logging-enabled: on
nsslapd-auditfaillog-logging-enabled: on

and collect the generated audit file. This will help troubleshoot failures
related to DS.

Fixes: https://pagure.io/freeipa/issue/8064
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
295d2072 by Stanislav Levin at 2020-05-06T08:55:28+02:00
ipatests: Cleanup 'collect_logs' decorator

The last usage of 'collect_logs' decorator has been removed
in 1d70ce850e9. So, it could be safely removed.

Fixes: https://pagure.io/freeipa/issue/8265
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
5da643f1 by Stanislav Levin at 2020-05-06T08:55:28+02:00
ipatests: Pretty print multihost config

The printing of string representation of multihost config is useless.
For example,
```
<ipatests.pytest_ipa.integration.config.Config object at 0x7fe017d9dc70>
```

The dictionary representation of such looks better:
```
[ipatests.pytest_ipa.integration] {'ad_admin_name': 'Administrator',
 'ad_admin_password': 'Secret123',
 'admin_name': 'admin',
 'admin_password': 'Secret123',
 'dirman_dn': 'cn=Directory Manager',
 'dirman_password': 'Secret123',
 'dns_forwarder': '8.8.8.8',
 'domain_level': 1,
 'domains': [{'hosts': [{'external_hostname': 'master1.ipa.test',
                         'ip': '172.19.0.2',
                         'name': 'master1.ipa.test',
                         'role': 'master'},
                        {'external_hostname': 'replica1.ipa.test',
                         'ip': '172.19.0.3',
                         'name': 'replica1.ipa.test',
                         'role': 'replica'},
...
```

Fixes: https://pagure.io/freeipa/issue/8265
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
736b8ba5 by Stanislav Levin at 2020-05-06T08:55:28+02:00
ipatests: Collect all logs on all Unix hosts

Each integration test entity sets up its own list of logfiles.
This is made by calling the callback of host's 'collect_log',
which knows nothing about the context of execution: whether it's
the test class scope or the test method one. Of course, in this
case one-time collection of test method log is not supported
because the logs tracker collects only test class logs.
In the meantime, almost all the entities (except 'client')
collect identical logs. Besides, due to the IPA roles
transformation each IPA host can become master, replica or
client, and all of these, in turn, can have subroles. So, the
most common case is the collection of all the possible logs from
all the IPA (Unix) hosts. However, the customization of a logfiles
collection is possible.

The collection is performed with the help of the 'integration_logs'
fixture. For example, to add a logfile to the list of logs on a test
completion one should add the dependency on this fixture and call
its 'collect_method_log' method.
    ```
    class TestFoo(IntegrationTest):
        def test_foo(self):
            pass

        def test_bar(self, integration_logs):
            integration_logs.collect_method_log(self.master, '/logfile')
    ```
    Collected logs:
    1) 'test_foo' - default logs
    2) 'test_bar' - default logs + /logfile
    3) 'TestFoo' - default logs

Fixes: https://pagure.io/freeipa/issue/8265
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
97581ec6 by Stanislav Levin at 2020-05-06T08:55:28+02:00
Azure: Increase memory limit

Azure host has 6 GB of physical memory + 7 GB of swap.
FreeIPA CI runs at least 5 masters on each Azure's host.
Thus, swap is intensively used.

Based on the available *physical* memory 389-ds performs db tweaks
and in future may fail to start in case of memory shortage.

Current memory limit for Azure Docker containers(master/replica):
- Physical
$ cat /sys/fs/cgroup/memory/memory.limit_in_bytes
1610612736
- Physical + swap:
$ cat /sys/fs/cgroup/memory/memory.memsw.limit_in_bytes
3221225472

In the meantime, installation of master + ca + kra + dnssec requires:
$ cat /sys/fs/cgroup/memory/memory.max_usage_in_bytes
1856929792

Some test environments require more memory.
For example, 'ipatests.test_integration.test_commands.TestIPACommand':
$ cat /sys/fs/cgroup/memory/memory.memsw.max_usage_in_bytes
2232246272
$ cat /sys/fs/cgroup/memory/memory.max_usage_in_bytes
2232246272

Fixes: https://pagure.io/freeipa/issue/8264
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
d758b6a4 by Armando Neto at 2020-05-06T09:15:04+02:00
prci: update templates for new Fedora release

"previous" updated to Fedora 31
"latest" updated to Fedora 32

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c2893b84 by Christian Heimes at 2020-05-06T11:53:07+02:00
Fix make devcheck

A new test case was not picking up ``ipa-run-tests`` script.

Fixes: https://pagure.io/freeipa/issue/8307
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b68f98aa by Mohammad Rizwan Yusuf at 2020-05-07T10:38:59-04:00
webui: check if notification area doesn't intercept menu button

Notification used to intercept the click on page for some element.
This test ensures that element is clickable.

related: https://pagure.io/freeipa/issue/8120

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
b626a79e by Mohammad Rizwan Yusuf at 2020-05-07T10:38:59-04:00
WebUI tests: fix PEP8 issues in test_webui/test_user.py

PEP8 fix for test_webui/test_user.py. Errors involved:
- line > 79 character
- 2 blank line needed before class
- single space was needed between # and comment

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
89889167 by Alexander Bokovoy at 2020-05-08T09:35:01+03:00
Add pytest.skip_if_container()

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
e37b3d8c by Alexander Bokovoy at 2020-05-08T09:35:01+03:00
Azure Pipelines: Override services known to not work in containers

Chrony daemon tries to use adjtimex() which doesn't work in the
container we run in Docker environment on Azure Pipelines.

nis-domainname also tries to modify kernel-specific parameter that
doesn't really work in runc-based containers.

Use systemd container detection to avoid starting these services in the
containers.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
60ed4b09 by Alexander Bokovoy at 2020-05-08T09:35:01+03:00
Azure Pipelines: switch to Fedora 32

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
84d15da5 by Christian Heimes at 2020-05-08T10:48:44+03:00
Use httpd 2.4 syntax for access control

The httpd options Allow, Deny, Order, and Satisfy are deprecated in
Apache httpd 2.4. These options are provided by the mod_access_compat
module and should no longer be used.

Replace "Allow from all" with "Require all granted".

Removal of "Satisfy Any" needs more investigation.

See: httpd.apache.org/docs/2.4/upgrading.html
See: httpd.apache.org/docs/2.4/mod/mod_access_compat.html
Fixes: pagure.io/freeipa/issue/8305
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
27656669 by Christian Heimes at 2020-05-11T17:27:03+02:00
Disable password schema update on LDAP bind

389-DS 1.4.1+ attempts to update passwords to new schema on LDAP bind. IPA
blocks hashed password updates and requires password changes to go through
proper APIs. This option disables password hashing schema updates on bind.

See: https://pagure.io/freeipa/issue/8315
See: https://bugzilla.redhat.com/show_bug.cgi?id=1833266
See: https://pagure.io/389-ds-base/issue/49421
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
4de1586e by Alexander Bokovoy at 2020-05-12T09:53:17+02:00
kdb: initialize flags in ipadb_delete_principal()

Related: https://pagure.io/freeipa/issue/8291

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
5c62fbd2 by Alexander Bokovoy at 2020-05-12T09:53:17+02:00
kdb: fix memory handling in ipadb_find_principal

BER structure representing a string might not have termination '\0'
character, thus we should use length-bound functions to operate on it.

Memory handling of LDAP values was leaving previous vals over iteration.
Also, when freeing vals, we need to explicitly set it to NULL.

Fixes: https://pagure.io/freeipa/issue/8291

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Simo Sorce <ssorce at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
77c2e425 by Alexander Bokovoy at 2020-05-12T09:53:17+02:00
test_smb: test that we can auth as NetBIOS alias

cifs/... principal on SMB server side has NetBIOS name of the SMB server
as its alias. Test that we can actually initialize credentials using
this alias. We don't need to use it anywhere in Samba, just verify that
alias works.

Related: https://pagure.io/freeipa/issue/8291
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
831de842 by Alexander Bokovoy at 2020-05-13T11:06:26+02:00
WebUI: use python3-rjsmin to minify JavaScript files

Fedora 33+ deprecated uglify-js. There are other alternatives which seem
to be fine for the minify task. Use python-rjsmin instead.

Fixes: https://pagure.io/freeipa/issue/8300
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
fd58bac1 by Stanislav Levin at 2020-05-13T11:07:43+02:00
Azure: Add custom seccomp profile

This allows to override the default seccomp profile.
Custom profile was generated from the default one [0] by adding one
allowed system call 'clock_adjtime'. This one is indirectly used by
chronyd with recent glibc2.31.

[0]: https://github.com/containers/libpod/blob/master/seccomp.json

Fixes: https://pagure.io/freeipa/issue/8316
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

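An added example of deriving such a custom profile (not the project's own script): it loads a libpod-shaped seccomp profile, reports which syscalls are allowed unconditionally, and appends a plain allow rule for `clock_adjtime` without duplicating it. The base profile below is a constructed, cut-down stand-in, not the real default profile linked above.

```python
import copy
import json
from typing import Any, Dict, Iterable, Set

# Constructed, cut-down profile in the shape of libpod's seccomp.json
# (defaultAction plus a list of syscall rules). Not the real default profile.
BASE_PROFILE_JSON = """
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "archMap": [
    {"architecture": "SCMP_ARCH_X86_64",
     "subArchitectures": ["SCMP_ARCH_X86", "SCMP_ARCH_X32"]}
  ],
  "syscalls": [
    {"names": ["read", "write", "clock_gettime", "nanosleep"],
     "action": "SCMP_ACT_ALLOW", "args": [], "comment": "",
     "includes": {}, "excludes": {}},
    {"names": ["adjtimex", "clock_settime", "settimeofday"],
     "action": "SCMP_ACT_ALLOW", "args": [], "comment": "",
     "includes": {"caps": ["CAP_SYS_TIME"]}, "excludes": {}}
  ]
}
"""

Profile = Dict[str, Any]


def load_profile(text: str) -> Profile:
    return json.loads(text)


def dump_profile(profile: Profile) -> str:
    """Serialise the profile for writing to the file handed to the runtime."""
    return json.dumps(profile, indent=2)


def unconditionally_allowed(profile: Profile) -> Set[str]:
    """Syscalls allowed by a plain rule: no argument filter and no capability
    or architecture condition. Conditional allows (adjtimex above needs
    CAP_SYS_TIME) are deliberately not counted."""
    names: Set[str] = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        if rule.get("args") or rule.get("includes") or rule.get("excludes"):
            continue
        names.update(rule.get("names", []))
    return names


def add_allowed_syscall(profile: Profile, syscall: str,
                        comment: str = "") -> Profile:
    """Return a copy of the profile with `syscall` unconditionally allowed.
    Idempotent: an already allowed syscall does not get a second rule."""
    new_profile = copy.deepcopy(profile)
    if syscall in unconditionally_allowed(new_profile):
        return new_profile
    new_profile["syscalls"].append({
        "names": [syscall],
        "action": "SCMP_ACT_ALLOW",
        "args": [],
        "comment": comment,
        "includes": {},
        "excludes": {},
    })
    return new_profile


def build_custom_profile(base_json: str,
                         extra: Iterable[str] = ("clock_adjtime",)) -> Profile:
    """Derive the custom profile: the base profile plus the syscalls chronyd
    needs in the CI container (by default only clock_adjtime, as in the
    commit above)."""
    profile = load_profile(base_json)
    for name in extra:
        profile = add_allowed_syscall(profile, name,
                                      "used indirectly by chronyd with glibc 2.31")
    return profile
```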
- - - - -
9d01875d by Stanislav Levin at 2020-05-13T11:07:43+02:00
Azure: Allow chronyd to sync time

Though time namespace support was added in Linux kernel 5.6, it
is not landed on Azure VM (Ubuntu) yet.

The syncing time stuff is required by IPA NTP tests. It's
acceptable for testing 1 IPA environment on 1 Azure VM for such
tests.

Fixes: https://pagure.io/freeipa/issue/8316
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
273f580b by Stanislav Levin at 2020-05-14T09:02:22+02:00
Azure: Always update apt cache

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
c59106f0 by sumenon at 2020-05-14T16:19:24+02:00
ipatests: Added testcase to check that ipa-adtrust-install command runs successfully with locale set as LANG=en_IN.UTF-8

Issue: https://pagure.io/freeipa/issue/8066
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
32348923 by Christian Heimes at 2020-05-14T19:37:13+02:00
Make api.env.mode consistent

* use "developer" in Azure
* fix man page: "development" to "developer"
* list known modes in API bootstrap methods

Other values for mode are still supported to avoid breaking existing
installations.

Fixes: https://pagure.io/freeipa/issue/8313
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
6cd2d447 by Christian Heimes at 2020-05-14T19:39:17+02:00
Fix detection logic for api.env.in_tree

The logic to detect in-tree builds was broken and ipatests/conftest.py
had hard-coded in_tree=True.

IPA now considers an environment as in-tree when the parent directory of
the ``ipalib`` package contains ``ipasetup.py.in``. This file is only
present in source and never installed.

API bootstrap() does not use ``self.site_packages in site.getsitepackages()``
because the function call can be expensive and would require path
normalization, too. The function is also missing from venv site module.

Fixes: https://pagure.io/freeipa/issue/8312
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
834b04b9 by Christian Heimes at 2020-05-14T19:39:17+02:00
Hard-code in_tree=True for tests

Some integration tests use internal option ``force``. Re-add
``in_tree=True`` to make the tests pass until Pagure#8317 is fixed.

See: https://pagure.io/freeipa/issue/8317
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c8009e1c by Alexander Bokovoy at 2020-05-15T09:31:40+03:00
service delegation: allow to add and remove host principals

Service delegation rules and targets deal with Kerberos principals.
As FreeIPA has separate service objects for hosts and Kerberos services,
it is not possible to specify a host principal in the service delegation
rule or a target because the code assumes it always operates on Kerberos
service objects.

Simplify the code to add and remove members from delegation rules and
targets. New code looks up a name of the principal in cn=accounts,$BASEDN
as a krbPrincipalName attribute of an object with krbPrincipalAux object
class. This search path is optimized already for Kerberos KDC driver.

To support host principals, the specified principal name is checked to
have only one component (a host name). Service principals have more than
one component, typically service name and a host name, separated by '/'
sign. If the principal name has only one component, the name is
prepended with 'host/' to be able to find a host principal.

The logic described above allows to capture also aliases of both
Kerberos service and host principals. Additional check was added to
allow specifying single-component aliases ending with '$' sign. These
are typically used for Active Directory-related services like databases
or file services.

RN: service delegation rules and targets now allow to specify hosts as
RN: a rule or a target's member principal.

Fixes: https://pagure.io/freeipa/issue/8289
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

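An added example of the member lookup rule described above (example code, not FreeIPA's own plugin): a name with one component becomes `host/<name>`, a single-component alias ending in `$` and any multi-component service principal are searched as given, and the result is matched against krbPrincipalName values, aliases included. The in-memory entries and the appending of a default realm are assumptions of this example.

```python
from typing import Any, Dict, List, Optional

# Constructed stand-ins for entries under cn=accounts,$BASEDN that carry the
# krbPrincipalAux object class; FreeIPA runs an LDAP search instead.
ENTRIES: List[Dict[str, Any]] = [
    {"dn": "fqdn=client.ipa.test,cn=computers,cn=accounts,dc=ipa,dc=test",
     "krbPrincipalName": ["host/client.ipa.test@IPA.TEST",
                          "host/alias.ipa.test@IPA.TEST"]},
    {"dn": "krbprincipalname=HTTP/web.ipa.test@IPA.TEST,cn=services,"
           "cn=accounts,dc=ipa,dc=test",
     "krbPrincipalName": ["HTTP/web.ipa.test@IPA.TEST"]},
    {"dn": "krbprincipalname=cifs/smb.ipa.test@IPA.TEST,cn=services,"
           "cn=accounts,dc=ipa,dc=test",
     "krbPrincipalName": ["cifs/smb.ipa.test@IPA.TEST", "SMB$@IPA.TEST"]},
]


def normalize_member_principal(name: str, realm: str) -> str:
    """Turn a member name as typed into the krbPrincipalName to search for.

    - more than one '/'-separated component: a Kerberos service principal,
      searched as given;
    - one component ending in '$': an AD-style alias, searched as given;
    - one plain component: a host name, so 'host/' is prepended.
    Appending the default realm when none was given is an assumption of
    this example.
    """
    if not name:
        raise ValueError("empty principal name")
    local, _sep, given_realm = name.partition("@")
    components = local.split("/")
    if any(component == "" for component in components):
        raise ValueError(f"malformed principal name: {name!r}")
    if len(components) == 1 and not local.endswith("$"):
        local = f"host/{local}"
    return f"{local}@{given_realm or realm}"


def find_member_entry(name: str, realm: str,
                      entries: List[Dict[str, Any]] = ENTRIES) -> Optional[str]:
    """Return the DN whose krbPrincipalName values (canonical name or alias)
    contain the normalised member principal, or None when nothing matches."""
    wanted = normalize_member_principal(name, realm)
    for entry in entries:
        if wanted in entry["krbPrincipalName"]:
            return entry["dn"]
    return None
```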
- - - - -
f16a4b06 by Christian Heimes at 2020-05-15T17:13:45+02:00
Check for freeipa-server-dns package early

The ``--setup-dns`` knob and interactive installer now check for
presence of freeipa-server-dns early and stop the installer with an
error.

```
$ ipa-server-install
...
Do you want to configure integrated DNS (BIND)? [no]: yes
Integrated DNS requires 'freeipa-server-dns' package
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
```

```
$ ipa-server-install --setup-dns
Usage: ipa-server-install [options]

ipa-server-install: error: option setup-dns: Integrated DNS requires 'freeipa-server-dns' package
The ipa-server-install command failed.
```

Fixes: https://pagure.io/freeipa/issue/7577
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
5d3364a5 by Serhii Tsymbaliuk at 2020-05-18T09:05:02+02:00
WebUI: Add confirmation dialog for changing default user/host group

Changing default group on automember rules page is too easy.
Add a confirmation dialog to avoid misclick in the case.

Ticket: https://pagure.io/freeipa/issue/8322

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
d8c8ba7d by Serhii Tsymbaliuk at 2020-05-18T09:05:02+02:00
WebUI tests: Add confirmation step after changing default group in automember tests

Ticket: https://pagure.io/freeipa/issue/8322

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
87377493 by Mohammad Rizwan Yusuf at 2020-05-18T14:46:28+02:00
Display principal name while del required principal

Fix is to display the proper principal in error message
while attempting to delete required principal.

related: https://pagure.io/freeipa/issue/7695

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
f0ef4180 by Mohammad Rizwan Yusuf at 2020-05-18T14:46:28+02:00
ipatests: Test deletion of required principal throws proper error

ipa service-del <Principal name> did not display the proper principal
name which is being deleted in the error message.
This test checks if it throws an error having the proper principal name.

related: https://pagure.io/freeipa/issue/7695

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
363cb9fd by Alexander Bokovoy at 2020-05-20T09:16:47+02:00
baseldap: de-duplicate passed attributes when checking for limits

LDAP attribute options aren't enforced in the schema, thus we strip them
when checking attribute conformance with the schema. This, however, can
leave us with a situation when multiple base LDAP attribute names are
present in the list of attribute names to check.

Use set of attribute names to deduplicate the list.

Fixes: https://pagure.io/freeipa/issue/8328

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c39a2e2b by Sumedh Sidhaye at 2020-05-20T09:21:20+02:00
Test for removing a subgroup

Problem description:
Removing an IPA sub-group should NOT remove the members
from indirect parent that also belong to other subgroups

The test:
A user and three groups are created groupa,groupb,groupc
'groupc' should be a child of 'groupb' so that you have groupa->groupb->groupc

user is direct member of 'groupa' and as a result member of 'groupb'
and 'groupc'. Now when one adds a direct membership to 'groupb' nothing will
change.

If one removes the direct membership to 'groupb' again,
nothing should change as well

Pagure Link: https://pagure.io/SSSD/sssd/issue/3636

Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
a457b79d by Florence Blanc-Renaud at 2020-05-20T14:30:17+02:00
ipatests: Check if user with 'User Administrator' role can delete group.

Test scenario:
- create a test user with the 'User Administrator' role
- as this test user, create a new group
- as this test user, delete the new group

Related: https://pagure.io/freeipa/issue/6884

Co-authored-by: Nikhil Dehadrai <ndehadra at redhat.com>
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
7f2bfd9f by Stanislav Levin at 2020-05-23T13:05:18+03:00
Azure: Make dnf repos consistent

Build container (image registry.fedoraproject.org/f32/fedora-toolbox)
has two more dnf repos enabled compared to Tests container (image
fedora:32). This means that packages built within the Build
container can have dependencies which are unresolvable (missing)
within Tests container.

This enables updates-testing and updates-testing-modular,
disables fedora-cisco-openh264 for Tests container.

Fixes: https://pagure.io/freeipa/issue/8330
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
47231007 by Alexander Bokovoy at 2020-05-27T22:19:49+03:00
ipa-kdb: add UPN_DNS_INFO PAC structure

UPN_DNS_INFO structure contains the client's user principal name (UPN)
and a fully qualified domain name. It is used to provide the UPN and the
FQDN that corresponds to the client of the ticket.

The structure is defined in MS-PAC section 2.10. MS-KILE specification
says in the section 3.3.5.6.4.5 that KDCs should return this buffer. It
further clarifies in section 3.3.5.2 that if the user account object has no
userPrincipalName attribute, UPN_DNS_INFO should be constructed by
concatenating user name, the "@" symbol, and the DNS name of the domain.

IPA users don't really have userPrincipalName attribute. Instead, we
always construct their account names in LOGON Info3 structure by
unparsing the canonical principal name without realm, meaning that user
principal can be recovered by concatenating the account name and the
realm (domain).

Unless the account name and unparsed client principal name are different
or the primary Info3 gid (group RID) is the one for machine accounts,
mark the UPN as constructed.

Related: https://pagure.io/freeipa/issue/8319

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
1a01e46a by Alexander Bokovoy at 2020-05-27T22:19:49+03:00
ipa-print-pac: acquire and print PAC record for a user

Helper utility to investigate PAC content of users in trusted
environments. Supports direct ticket acquisition and S4U2Self protocol
transition.

1. Direct ticket acquisition

In direct ticket acquisition mode the utility first does one of the
following actions:
 - obtain a TGT ticket for a user principal using supplied password
 - import existing TGT from a default credentials cache

Once a user TGT is available, the utility will attempt to acquire a service
ticket to a service which key is specified in a keytab (default or
passed with --keytab option) and simulate establishing context to the
service application.

If establishing context succeeds, MS-PAC content of the service ticket
will be printed out.

2. S4U2Self protocol transition

In protocol transition case a service application obtains own TGT using
a key from the keytab and then requests a service ticket to itself in
the name of the user principal, performing S4U2Self request.

If accepting this service ticket succeeds, MS-PAC content of the service
ticket will be printed out.

If KDC does not support or rejects issuing MS-PAC record for a user, an
error message 'KDC has no support for padata type' will be printed.

Related: https://pagure.io/freeipa/issue/8319

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Signed-off-by: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
ca99bf2a by Alexander Bokovoy at 2020-05-27T22:19:49+03:00
ipa-tests: add a test to make sure MS-PAC is produced by KDC

When ipa-adtrust-install is used, IPA KDC will be configured to issue
tickets with MS-PAC record in them for users and services that have
ipaNTSecurityIdentifier (SID) attribute in the LDAP record.

Test that a newly added user can kinit and obtain a ticket that has
a PAC structure.

Test that a service can impersonate a user and the resulting S4U2Self
requested service ticket also has PAC structure.

Related: https://pagure.io/freeipa/issue/8319

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
1990e395 by Alexander Bokovoy at 2020-05-27T22:19:49+03:00
kdb: add minimal server referrals support for enterprise principals

Implement minimal server referrals support for enterprise principals as
defined in RFC 6806.

Use krb5_pac_verify_ext() and krb5_pac_sign_ext() to support cross-realm
S4U extensions. We have to verify/sign PAC and take the realm into
account for S4U in these cases.

The use of extended functions require krb5 1.17+.

For PAC verification, we have to filter existing PAC CLIENT-INFO
structure in cross-realm S4U case because otherwise old CLIENT-INFO
would change the PAC principal due to adding or omitting the realm in
transition.  Since a new PAC CLIENT-INFO will be provided by
k5_insert_client_info() anyway, we can filter it in all cases.

Generate PAC only for the first S4U2Self request to the client realm
(client != NULL). Otherwise, use the PAC from the cross-realm ticket.
The latter PAC belongs to the impersonated user.

Foreign (inner) principal lookup in a non-AS request returns
KRB5_KDB_NOENTRY.

Finally, in PAC signing we have to take the realm into account as well
for S4U2Self cross-realm operation. This does not work when compiling
against krb5 1.17 at the moment because sign_authdata() callback does
not know whether we are dealing with an issuing referral or not. In 1.18
a KDC will set a special client flag to signify this when asking KDB
driver to sign a PAC record.

Fixes: https://pagure.io/freeipa/issue/8319

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Signed-off-by: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
110812b4 by Alexander Bokovoy at 2020-05-27T22:19:49+03:00
ipa-kdb: add asserted identity SIDs

Depending on whether identity of a principal was asserted by the KDC or
by a service doing protocol transition (S4U2Self), AD DCs add a
special extra SID to a PAC record:

 - S-1-18-1 is a SID for an Authentication Authority Asserted Identity
 - S-1-18-2 is a SID for a Service Asserted Identity

This behavior is governed by [MS-SFU] 3.2.5.1.2 "KDC replies with Service
Ticket".

In order to add an asserted identity SID, we need to pass down the
client flags as set by the KDC and check for a protocol transition bit.

Fixes: https://pagure.io/freeipa/issue/8319
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
741f64f4 by Alexander Bokovoy at 2020-05-27T22:19:49+03:00
ipa-kdb: Always allow services to get PAC if needed

Previously, FreeIPA only allowed issuing a PAC record in a ticket
for the following principal types:
   - for IPA users
   - for a host principal of one of IPA masters
   - for a cifs/ or HTTP/ service on one of IPA masters

To allow S4U2Self operations over trust to AD, an impersonating service
must have PAC record in its TGT to be able to ask AD DCs for a S4U2Self
ticket. It means any IPA service performing S4U2Self would need to have
PAC record and the constraints above prevent it from doing so.

However, depending on whether the service or host principal belongs to
one of IPA masters, we need to set proper primary RID to 516 (domain
controllers) or 515 (domain computers).

Fixes: https://pagure.io/freeipa/issue/8319

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
6c844c70 by Alexander Bokovoy at 2020-05-27T22:19:49+03:00
ipa-kdb: add primary group to list of groups in MS-PAC

Somehow, we weren't adding the primary group of the user to the list of
groups in the PAC Logon Info structure.

Related: https://pagure.io/freeipa/issue/8319

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
68a0790b by Alexander Bokovoy at 2020-05-27T22:19:49+03:00
ipa-kdb: cache local TGS in the driver context

For Kerberos principal lookup we always need to check whether the principal
is from our realm. Keep the reference to our realm TGS handy to avoid
memory allocations on every lookup.

Related: https://pagure.io/freeipa/issue/8319

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
601151e7 by Alexander Bokovoy at 2020-05-27T22:19:49+03:00
ipa-kdb: refactor principal lookup to support S4U2Self correctly

Restructure logic of ipadb_get_principal() to separate retrieval of a
principal by a name and by an alias. Separate enterprise principal name
type processing into a helper function to be able to reuse it for own
aliases.

Unify code in client referrals part to do the same and use krb5 API to
deal with principals rather than parsing strings. The end result is the
same but we follow common rules in MIT Kerberos to process principals.

An enterprise principal is typically "name@SOMEREALM@REALM", but any
principal might be parsed as an enterprise principal, so we could get
"name@REALM" marked as such. When unparsing the enterprise principal,
re-parse it again with default realm values, to get our realm
normalization.

This behavior would fix situations when GSSAPI calls are operating on a
non-qualified principal name that was imported as a
GSS_KRB5_NT_ENTERPRISE_NAME when calling gss_import_name().

Related: https://pagure.io/freeipa/issue/8319

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Signed-off-by: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
eeb70047 by Alexander Bokovoy at 2020-05-27T22:19:49+03:00
test_smb: test S4U2Self operation by IPA service

A Kerberos service might request a ticket to itself on behalf of a user
to perform protocol transition, the so-called S4U2Self extension defined
in the [MS-SFU] specification. Processing of this request by the KDC
differs for in-realm and cross-realm configurations.

Use SMB service to test S4U2Self performed against AD and IPA users.

Fixes: https://pagure.io/freeipa/issue/8319
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
5f292b29 by Alexander Bokovoy at 2020-05-27T22:19:49+03:00
azure: do not run test_commands due to failures in low memory cases

389-ds memory autotuning doesn't really work well in a containerized
environment as it only looks into the host-wide /proc/meminfo. It gets
fooled by 'missing' memory while there is still enough swap space.

This in particular affects the test_commands test suite, where
ipa-adtrust-install cannot fully proceed and fails. We plan to rebalance
the test containers' memory split, but right now just disable test_commands
in Azure CI.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
06202299 by Serhii Tsymbaliuk at 2020-05-28T16:18:55+02:00
WebUI: Apply jQuery patch to fix htmlPrefilter issue

Manually backport corresponding changes from jQuery 3.5.0:
https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77

A complete upgrade to jQuery 3.5 is impossible at the moment due to
incompatibility with Bootstrap 3.4.1 which we currently use.

Ticket: https://pagure.io/freeipa/issue/8325

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
81f924f4 by sumenon at 2020-06-03T09:22:55+02:00
ipatests: Test for ipahealthcheck DogtagCertsConnectivityCheck

This test checks that when the pki-tomcat service is stopped,
DogtagCertsConnectivityCheck displays the result as ERROR.

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
c64075b1 by sumenon at 2020-06-03T11:38:59+02:00
ipatests: Test for ipahealthcheck.ipa.files for TomcatFilecheck

This test checks that the healthcheck tool reports correct information
when permissions of the Tomcat config file are modified.

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
7e7d0d83 by Peter Keresztes Schmidt at 2020-06-03T18:31:41+02:00
WebUI: Use data adapter to load facet header data

Fixes: https://pagure.io/freeipa/issue/8339
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
2af2373c by Peter Keresztes Schmidt at 2020-06-03T18:36:11+02:00
WebUI: Fix invalid RPC calls when link widget has no pkey passed

Fixes: https://pagure.io/freeipa/issue/8338
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
c261a6eb by Christian Heimes at 2020-06-04T09:20:42+02:00
Allow dnsrecord-add --force on clients

See: https://pagure.io/freeipa/issue/8317
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
5aa5f678 by Christian Heimes at 2020-06-04T11:04:53-04:00
Add ipa-print-pac to gitignore

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a5710433 by sumenon at 2020-06-04T17:55:57+02:00
ipatests: Test to check warning state for TomcatFileCheck in ipahealthcheck.ipa.files

This testcase changes the ownership of the Tomcat config files
on an IPA Master and then checks if the healthcheck tool
reports the status as WARNING.

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
91f94612 by Christian Heimes at 2020-06-05T10:46:07+02:00
Remove obsolete BIND named.conf options

``dnssec-enable`` is obsolete in 9.16 and raises a warning. The option
defaults to ``yes`` in all supported versions of bind. The option is
removed when set to ``yes`` and a warning is emitted when the value is
``no``.

DNSSEC lookaside validation has been deprecated by RFC 8749 and the
feature removed from Bind 9.16. The only available lookaside provider
dlv.isc.org no longer provides DLV information since 2017.

Fixes: https://pagure.io/freeipa/issue/8349
Fixes: https://pagure.io/freeipa/issue/8350
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

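As an added example that is not FreeIPA's upgrade code, here is a small rewriter that applies the two rules above to a constructed named.conf fragment; the regular expressions and the choice to keep a ``dnssec-enable no;`` line while warning about it are my assumptions.

```python
import logging
import re
from typing import List, Tuple

logger = logging.getLogger(__name__)

# 'dnssec-enable yes;' / 'dnssec-enable no;' (obsolete in BIND 9.16).
DNSSEC_ENABLE_RE = re.compile(r"^\s*dnssec-enable\s+(yes|no)\s*;", re.IGNORECASE)
# Any 'dnssec-lookaside ...;' directive (DLV deprecated by RFC 8749 and
# removed in BIND 9.16).
DNSSEC_LOOKASIDE_RE = re.compile(r"^\s*dnssec-lookaside\b.*;", re.IGNORECASE)


def strip_obsolete_dnssec_options(conf: str) -> Tuple[str, List[str]]:
    """Return (rewritten named.conf text, list of warnings).

    - 'dnssec-enable yes;' is dropped: yes is the default in every
      supported BIND version, so nothing changes.
    - 'dnssec-enable no;' is kept but flagged (assumption: the commit only
      says a warning is emitted), so an operator sees that BIND 9.16 will
      ignore the setting and validate anyway.
    - 'dnssec-lookaside ...;' is dropped: the only DLV provider is gone.
    """
    kept: List[str] = []
    warnings: List[str] = []
    for lineno, line in enumerate(conf.splitlines(), start=1):
        m = DNSSEC_ENABLE_RE.match(line)
        if m:
            if m.group(1).lower() == "yes":
                continue  # remove silently, behaviour is unchanged
            msg = (f"line {lineno}: 'dnssec-enable no;' is obsolete in "
                   "BIND 9.16; DNSSEC validation is enabled regardless")
            logger.warning(msg)
            warnings.append(msg)
            kept.append(line)
            continue
        if DNSSEC_LOOKASIDE_RE.match(line):
            continue  # remove DLV configuration entirely
        kept.append(line)
    return "\n".join(kept) + "\n", warnings


# Constructed sample fragment, not a real deployment's named.conf.
SAMPLE_NAMED_CONF = """\
options {
\tdirectory "/var/named";
\tdnssec-enable yes;
\tdnssec-validation yes;
\tdnssec-lookaside auto;
\trecursion yes;
};
"""
```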
- - - - -
8d759d38 by Christian Heimes at 2020-06-05T12:39:49+02:00
make: serialize strip-po / strip-pot

The strip-po target modifies files in place. This sometimes creates
conflicts with other make targets when make is run in parallel mode.

* split strip-po into strip-po and strip-pot
* move strip-po[t] from dependency to explicit, serial execution
* declare dependencies on POT/POFILES
* don't run strip on clean

Fixes: https://pagure.io/freeipa/issue/8323
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0e9b7773 by Fraser Tweedale at 2020-06-07T10:38:27+03:00
certmonger: avoid mutable default argument

certmonger._get_requests has a mutable default argument.  Although
at the present time it is never modified, this is an antipattern to
be avoided.

In fact, we don't even need the default argument, because it is
always called with a dict() argument.  So just remove it.

Part of: https://pagure.io/freeipa/issue/8186

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ff7d0661 by Fraser Tweedale at 2020-06-07T10:38:27+03:00
certmonger: move 'criteria' description to module docstring

The 'criteria' parameter is used by several subroutines in the
ipalib.install.certmonger module.  It has incomplete documentation
spread across several of these subroutines.  Move the documentation
to the module docstring and reference it where appropriate.

Part of: https://pagure.io/freeipa/issue/8186

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
b127bad8 by Fraser Tweedale at 2020-06-07T10:38:27+03:00
certmonger: support dnsname as request search criterion

We need to be able to filter Certmonger tracking requests by the DNS
names defined for the request.  The goal is to add the
'ipa-ca.$DOMAIN' alias to the HTTP certificate tracking requests, so
we will use that name as a search criterion.  Implement support for
this.

As a result of this commit it will be easy to add support for subset
match of other Certmonger request list properties.  Just add the
property name to the ARRAY_PROPERTIES list (and update the
'criteria' description in the module docstring!)

Part of: https://pagure.io/freeipa/issue/8186

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
52873581 by Fraser Tweedale at 2020-06-07T10:38:27+03:00
httpinstance: add fqdn and ipa-ca alias to Certmonger request

BACKGROUND:

We are implementing ACME support in FreeIPA (umbrella ticket:
https://pagure.io/freeipa/issue/4751).  ACME is defined in RFC 8555.
HTTPS is REQUIRED (https://tools.ietf.org/html/rfc8555#section-6.1).
Therefore, every FreeIPA server that provides the ACME service
capability must be reachable by HTTPS.

RFC 8555 does not say anything about which port to use for ACME.
The default HTTPS port of 443 is implied.  Therefore, the FreeIPA
ACME service will be reached via the Apache httpd server, which will
be the TLS server endpoint.

As a usability affordance for ACME clients, and as a maintainability
consideration, i.e. to allow the topology to change without having to
reconfigure ACME clients, there should be a single DNS name used
to reach the IPA ACME service.

The question, then, is which DNS name to use.

REQUIREMENTS:

Each FreeIPA server that is also an ACME server must:

1. Be reachable via a common DNS name

2. Have an HTTP service certificate with that DNS name as a SAN
   dNSName value

DESIGN CONSIDERATION - WHAT DNS NAME TO USE?:

Some unrelated FreeIPA ACME design decisions provide important
context for the DNS name decision:

- The ACME service will be automatically and unconditionally
  deployed (but not necessarily *enabled*) on all CA servers.

- Enabling or disabling the ACME service will have topology-wide
  effect, i.e. the ACME service is either enabled on all CA
  servers, or disabled on all CA servers.

In a CA-ful FreeIPA deployment there is already a DNS name that
resolves to all CA servers: ``ipa-ca.$DOMAIN``, e.g.
``ipa-ca.example.com``.  It is expected to point to all CA servers
in the deployment, and *only* to CA servers.  If internal DNS is
deployed, the DNS records for ``ipa-ca.$DOMAIN`` are created and
updated automatically.  If internal DNS is not deployed,
administrators are required to maintain these DNS records
themselves.

The ``ipa-ca.$DOMAIN`` alias is currently used for OCSP and CRL
access.  TLS is not required for these applications (and it can
actually be problematic for OCSP).  Enabling TLS for this name
presents some risk of confusion for operators.  For example, if they
see that TLS is available and alter the certificate profiles to
include an HTTPS OCSP URL in the Authority Information Access (AIA)
extension, OCSP-using clients may fail to validate such
certificates.  But it is possible for administrators to make such a
change to the profile, whether or not HTTPS is available.

One big advantage to using the ``ipa-ca.$DOMAIN`` DNS name is that
there are no new DNS records to manage, either in the FreeIPA
implementation or for administrators in external DNS systems.

The alternative approach is to define a new DNS name, e.g.
``ipa-acme.$DOMAIN``, that ACME clients would use.  For internal
DNS, this means the FreeIPA implementation must manage the DNS
records.  This is straightforward; whenever we add or remove an
``ipa-ca.$DOMAIN`` record, also add/remove the ``ipa-acme.$DOMAIN``
record.  But for CA-ful deployments using external DNS, it is
additional work for administrators and, unless automated, additional
room for error.

An advantage of using a different DNS name is ``ipa-ca.$DOMAIN`` can
remain inaccessible over HTTPS.  This possibly reduces the risk of
administrator confusion or creation of invalid AIA configuration in
certificate profiles.

Weighing up the advantages and disadvantages, I decided to use the
``ipa-ca.$DOMAIN`` DNS name.

DESIGN CONSIDERATION - CA SERVERS, OR ALL SERVERS?:

A separate decision from which name to use is whether to include it
on the HTTP service certificate for ACME servers (i.e. CA servers)
only, or on all IPA servers.

Combined with the assumption that the chosen DNS name points to CA
servers *only*, there does not seem to be any harm in adding it to
the certificates on all IPA servers.

The alternative is to only include the chosen DNS name on the HTTP
service certificates of CA servers.  This approach entails some
additional complexity:

- If a non-CA replica gets promoted to CA replica (i.e. via
  ``ipa-ca-install``), its HTTP certificate must be re-issued with
  the relevant name.

- ipa-server-upgrade code must consider whether the server is a CA
  replica when validating (and if necessary re-creating) Certmonger
  tracking requests

- IPA Health Check must be made aware of this factor when checking
  certificates and Certmonger tracking requests.

Weighing up the options, I decided to add the common DNS name to the
HTTP service certificate on all IPA servers.  This avoids the
implementation complexity discussed above.

CHANGES IN THIS COMMIT

When (re-)tracking the HTTP certificate, explicitly add the server
FQDN and ipa-ca.$DOMAIN DNS names to the Certmonger tracking request.

Related changes follow in subsequent commits.

Part of: https://pagure.io/freeipa/issue/8186

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
4b24129f by Fraser Tweedale at 2020-06-07T10:38:27+03:00
cert-request: allow ipa-ca.$DOMAIN dNSName for IPA servers

For detailed discussion on the purpose of this change and the design
decisions made, see `git log -1 $THIS_COMMIT~1`.

ACME support requires TLS and we want ACME clients to access the
service via the ipa-ca.$DOMAIN DNS name.  So we need to add the
ipa-ca.$DOMAIN dNSName to IPA servers' HTTP certificates.  To
facilitate this, add a special case to the cert-request command
processing.  The rule is:

- if the dnsName being validated is "ipa-ca.$DOMAIN"
- and the subject principal is an "HTTP/..." service
- and the subject principal's hostname is an IPA server

Then that name (i.e. "ipa-ca.$DOMAIN") is immediately allowed.
Otherwise continue with the usual dnsName validation.

Part of: https://pagure.io/freeipa/issue/8186

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

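The three-condition rule above, as an added example that is not FreeIPA's cert-request code: the domain, the server inventory and the fallback check (SAN must equal the principal's own hostname, standing in for the usual dnsName validation) are constructed assumptions.

```python
from typing import Set, Tuple

# Constructed deployment facts; the real command reads these from LDAP/config.
DOMAIN = "example.test"
IPA_SERVERS: Set[str] = {"server1.example.test", "replica1.example.test"}


def parse_service_principal(principal: str) -> Tuple[str, str]:
    """Split 'HTTP/host.example.test@EXAMPLE.TEST' into ('HTTP', host).

    The realm is taken from the last '@' so that a name with an embedded
    '@' in its first component does not confuse the split.
    """
    name, sep, realm = principal.rpartition("@")
    if not sep or not realm or "/" not in name:
        raise ValueError(f"not a service principal: {principal!r}")
    service, _, host = name.partition("/")
    if not service or not host:
        raise ValueError(f"not a service principal: {principal!r}")
    return service, host.rstrip(".").lower()


def is_ipa_ca_alias_allowed(dns_name: str, principal: str,
                            domain: str = DOMAIN,
                            ipa_servers: Set[str] = IPA_SERVERS) -> bool:
    """The special case from the commit: all three conditions must hold."""
    service, host = parse_service_principal(principal)
    return (
        dns_name.rstrip(".").lower() == f"ipa-ca.{domain}".lower()  # 1. the alias
        and service == "HTTP"                                        # 2. HTTP/ service
        and host in ipa_servers                                      # 3. on an IPA server
    )


def validate_dns_name(dns_name: str, principal: str,
                      domain: str = DOMAIN,
                      ipa_servers: Set[str] = IPA_SERVERS) -> bool:
    """Special case first, then the 'usual' validation.

    Assumed fallback: the requested dNSName must equal the hostname of the
    subject principal. Anything else is rejected.
    """
    if is_ipa_ca_alias_allowed(dns_name, principal, domain, ipa_servers):
        return True
    _, host = parse_service_principal(principal)
    return dns_name.rstrip(".").lower() == host
```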
- - - - -
5275342b by Fraser Tweedale at 2020-06-07T10:38:27+03:00
httpinstance: add ipa-ca.$DOMAIN alias in initial request

For detailed discussion on the purpose of this change and the design
decisions made, see `git log -1 $THIS_COMMIT~2`.

For new server/replica installation, issue the HTTP server
certificate with the 'ipa-ca.$DOMAIN' SAN dNSName.  This is
accomplished by adding the name to the Certmonger tracking request.

Part of: https://pagure.io/freeipa/issue/8186

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c445cefa by Fraser Tweedale at 2020-06-07T10:38:27+03:00
upgrade: add ipa-ca.$DOMAIN alias to HTTP certificate

For detailed discussion on the purpose of this change and the design
decisions made, see `git log -1 $THIS_COMMIT~3`.

If the HTTP certificate does not have the ipa-ca.$DOMAIN dNSName,
resubmit the certificate request to add the name.  This action is
performed after the tracking request has already been updated.

Note: due to https://pagure.io/certmonger/issue/143, the resubmitted
request, if it does not immediately succeed (fairly likely during
ipa-server-upgrade) and if the notAfter date of the current cert is
still far off (also likely), then Certmonger will wait 7 days before
trying again (unless restarted).  There is not much we can do about
that in the middle of ipa-server-upgrade.

Part of: https://pagure.io/freeipa/issue/8186

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
8e92190d by Fraser Tweedale at 2020-06-07T10:38:27+03:00
ipatests: check HTTP certificate contains ipa-ca.$DOMAIN dnsname

Add integration test that confirms that on CA-ful installation, the
(non-3rd-party) HTTP certificate bears the ipa-ca.$DOMAIN DNS name.

For detailed discussion on the purpose of this change and the design
decisions made, see `git log -1 $THIS_COMMIT~4`.

Part of: https://pagure.io/freeipa/issue/8186

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7dad4a59 by Peter Keresztes Schmidt at 2020-06-08T08:25:52+03:00
WebUI: Refresh DNS record data correctly after mod operation

Fixes: https://pagure.io/freeipa/issue/8359
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
df8bcc96 by Peter Keresztes Schmidt at 2020-06-08T08:27:46+03:00
WebUI: Expose TTL of DNS records

Fixes: https://pagure.io/freeipa/issue/3827
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ca4cc7ab by Peter Keresztes Schmidt at 2020-06-08T08:29:36+03:00
WebUI: Add units to some DNS zone and IPA config fields

Add also tooltips to ipasearchrecordslimit and ipasearchtimelimit
to clarify the special value 0/-1.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ac47599e by Peter Keresztes Schmidt at 2020-06-08T08:31:52+03:00
Specify min and max values for TTL of a DNS record

Fixes: https://pagure.io/freeipa/issue/8358
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f2caafb5 by Christian Heimes at 2020-06-08T08:33:42+03:00
Allow permissions with 'self' bindruletype

Make it possible to create a managed permission with
ipapermbindruletype="self". The ACI will have bind rule
'(userdn = "ldap:///self")'.

Example
-------

Allow users to modify their own fasTimezone and fasIRCNick attributes:

```
managed_permissions = {
    "System: Self-Modify FAS user attributes": {
        "ipapermright": {"write"},
        "ipapermtargetfilter": ["(objectclass=fasuser)"],
        "ipapermbindruletype": "self",
        "ipapermdefaultattr": ["fasTimezone", "fasIRCNick"],
    }
}
```

See: https://github.com/fedora-infra/freeipa-fas/pull/107
Fixes: https://pagure.io/freeipa/issue/8348
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

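As an added example, not FreeIPA's managed-permission machinery, here is a renderer that turns the dictionary above into a 389-ds ACI carrying the self bind rule the commit quotes; the surrounding ACI layout and the mapping for the other bind rule types are my approximations.

```python
from typing import Any, Dict

# Bind rules for the bind rule types modelled here. 'self' is the one the
# commit adds; the other two are the standard 389-ds forms FreeIPA uses for
# authenticated and anonymous binds. 'permission' (the default, bound to
# a groupdn of the permission entry) is deliberately not modelled.
BIND_RULES: Dict[str, str] = {
    "self": 'userdn = "ldap:///self"',
    "all": 'userdn = "ldap:///all"',
    "anonymous": 'userdn = "ldap:///anyone"',
}


def managed_permission_to_aci(name: str, spec: Dict[str, Any]) -> str:
    """Render one managed permission entry as a 389-ds ACI string."""
    bindtype = spec.get("ipapermbindruletype", "permission")
    if bindtype not in BIND_RULES:
        raise ValueError(f"unsupported ipapermbindruletype: {bindtype!r}")
    attrs = list(spec.get("ipapermdefaultattr", []))
    if not attrs:
        raise ValueError("ipapermdefaultattr must list at least one attribute")
    rights = ",".join(sorted(spec["ipapermright"]))
    # Each target filter becomes its own (targetfilter = "...") clause.
    targets = "".join(
        f'(targetfilter = "{f}")' for f in spec.get("ipapermtargetfilter", [])
    )
    return (
        f'(targetattr = "{" || ".join(attrs)}")'
        f"{targets}"
        f'(version 3.0;acl "permission:{name}";'
        f"allow ({rights}) {BIND_RULES[bindtype]};)"
    )


# The commit's own example, reused as input.
MANAGED_PERMISSIONS: Dict[str, Dict[str, Any]] = {
    "System: Self-Modify FAS user attributes": {
        "ipapermright": {"write"},
        "ipapermtargetfilter": ["(objectclass=fasuser)"],
        "ipapermbindruletype": "self",
        "ipapermdefaultattr": ["fasTimezone", "fasIRCNick"],
    }
}
```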
- - - - -
1062caaa by Christian Heimes at 2020-06-08T08:35:02+03:00
Handle DatabaseError in RPC-Server connect()

DatabaseError exceptions with 'account inactivated' message are turned
into 401 Unauthorized errors. The problem occurs when a user is disabled
but has a valid cookie.

Other DatabaseErrors are turned into 503 Service Unavailable. They
usually occur when the LDAP server is not available or broken.

Fixes: https://pagure.io/freeipa/issue/8352
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a29eec33 by Peter Keresztes Schmidt at 2020-06-08T08:36:37+03:00
po: remove zanata config since translation was moved to weblate

Related: https://pagure.io/freeipa/issue/8159
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0fe645ef by Peter Keresztes Schmidt at 2020-06-08T14:35:03+03:00
util: add unit test for pw hashing

Related: https://pagure.io/freeipa/issue/6857
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
41a20fef by Peter Keresztes Schmidt at 2020-06-08T14:35:03+03:00
util: replace NSS usage with OpenSSL

Fixes: https://pagure.io/freeipa/issue/6857
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
539d4691 by Peter Keresztes Schmidt at 2020-06-08T17:31:26+03:00
Split named custom config to allow changes in options stanza

The upgrade path to add an additional include to named.conf is not handled.

Remove bindkeys-file directive from named config
The ISC DLV service was shut down (https://www.isc.org/bind-keys/).
BIND versions since April 2017 (i.e. 9.9.10, 9.10.5, 9.11.1 and later)
include a hard-coded copy of the root KSK which gets updated automatically
according to RFC 5011.

Move dnssec-enable directive to custom named config

Move the comment about the named config being managed by FreeIPA to the top

Move settings which could be changed by administrators to
ipa-options-ext.conf. Settings defined there are the sole responsibility of the
administrator. We do not check if they might collide with our settings in
named.conf.

Fixes: https://pagure.io/freeipa/issue/8287
Co-authored-by: Peter Keresztes Schmidt <carbenium at outlook.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
782ee116 by Christian Heimes at 2020-06-08T17:31:26+03:00
Include named config files in backup

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1f22ae50 by Sergio Oliveira Campos at 2020-06-08T21:37:51+03:00
Add test for sssd ad trust lookup with dn in certmaprule

Related to https://pagure.io/SSSD/sssd/issue/3721

Signed-off-by: Sergio Oliveira Campos <seocam at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>

- - - - -
47adde99 by Christian Heimes at 2020-06-08T22:33:17+03:00
libotp: Replace NSS with OpenSSL HMAC

Use OpenSSL's HMAC API instead of NSS.

Fixes: https://pagure.io/freeipa/issue/6857
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
6abade3f by Alexander Bokovoy at 2020-06-08T15:58:26-04:00
kdb: handle enterprise principal lookup in AS_REQ

Refactoring of the get_principal() code in commit
b5876f30d4000424cc8122498c411f812b3a0959 broke handling of enterprise
principal lookup for an AS request (kinit -E user@ipa.test@IPA.TEST).

Related: https://pagure.io/freeipa/issue/8319

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
afe9191f by Alexander Bokovoy at 2020-06-08T15:58:26-04:00
support using trust-related operations in the server console

When using `ipa -e in_server=True console` on IPA master, the whole IPA
framework is loaded in the same process ('ipa console'). The context
defined for this configuration is 'cli'. Some trust-related operations
need to load Samba bindings and guard themselves to 'lite' and 'server'
contexts.

Upon reviewing these cases I came to the conclusion that these guards are
unnecessary. It is enough to require that the context is in the server
code.

Allow these operations if we are operating in server mode. This allows
debugging trust-related issues directly in the IPA console on IPA trust
controllers.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
2ffb4fd1 by Alexander Bokovoy at 2020-06-08T15:58:26-04:00
idviews: handle unqualified ID override lookups from Web UI

First part of the required changes to merge a plugin to manage IPA as
a trusted Active Directory user.

It is not possible to omit the ID view in the IPA API but a client might
specify an empty ID view. Until now the empty view was considered an error.
This prevented the Web UI from resolving ID overrides in a group member
adder dialog.

Default to 'Default Trust View' if the ID view is None or empty string
(''). Do this only for user ID overrides, as we do not support adding
group ID overrides as group members in a plugin to manage IPA as a
trusted Active Directory user[1].

Being a group member means an object in LDAP must have an object class
that allows 'memberOf' attribute because 389-ds 'memberof' plugin will
attempt to link back to the object from the group. Allow use of
'nsMemberOf' object class in ID overrides.

Fixes: https://pagure.io/freeipa/issue/7255

[1] https://github.com/abbra/freeipa-adusers-admins

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
8cce2bb3 by Alexander Bokovoy at 2020-06-08T15:58:26-04:00
Support adding user ID overrides as group and role members

Second part of adding support to manage IPA as a user from a trusted
Active Directory forest.

Treat user ID overrides as members of groups and roles.

For example, adding an Active Directory user ID override as a member of
'admins' group would make it equivalent to built-in FreeIPA 'admin'
user.

We already support self-service operations by Active Directory users if
their user ID override does exist. When an Active Directory user
authenticates with GSSAPI against the FreeIPA LDAP server, its Kerberos
principal is automatically mapped to the user's ID override in the
Default Trust View. The LDAP server's access control plugin uses membership
information of the corresponding LDAP entry to decide how access can be
allowed.

With the change, users from trusted Active Directory forests can
manage FreeIPA resources if the groups are part of appropriate roles or
their ID overrides are members of the roles themselves.

Fixes: https://pagure.io/freeipa/issue/7255

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
5e8df37e by Alexander Bokovoy at 2020-06-08T15:58:26-04:00
tests: account for ID overrides as members of groups and roles

Fixes: https://pagure.io/freeipa/issue/7255

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
99e613e4 by Alexander Bokovoy at 2020-06-08T15:58:26-04:00
Web UI: allow users from trusted Active Directory forest to manage IPA

Extend Web UI logic to decide whether default Web UI view should have a
full menu or should be confined to a self-service interface. Standard
logic in FreeIPA Web UI is to combine two facts:

 * for IPA users membership in `admins` group is used to indicate full
   menu should be shown

 * for AD users the fact that ID override object is presented by IPA
   `whoami` command is used to confine to a self-service interface

With the change to allow user ID overrides from a default trust view to
be members of groups and roles, we can unify the administrative
privileges checks for both IPA and AD users.

Fixes: https://pagure.io/freeipa/issue/8335
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
6b0f8f36 by Alexander Bokovoy at 2020-06-08T15:58:26-04:00
ipatests: test that adding Active Directory user to a role makes it an administrator

Fixes: https://pagure.io/freeipa/issue/8357

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ca0a62ea by Alexander Bokovoy at 2020-06-08T16:02:21-04:00
ipa-pwd-extop: use timegm() instead of mktime() to preserve timezone offset

"Kerberos principal expiration" is set in UTC and when the server is in a
different timezone, the time difference between timezones is respected by
the IPA server/client for Kerberos authentication.

The problem is due to mktime() assuming the default time zone: since we
parse the time using the Zulu (UTC+0) timezone, mktime() forces the
current time zone offset to be added.

The method is using mktime() and comparing to the current time obtained
with time(NULL). According to its man page, mktime considers the
time as local time:

   The mktime() function converts a broken-down time structure,  expressed
   as  local  time, to calendar time representation.

Instead of mktime() we should use timegm(). The problem is that it is a
non-standard GNU extension and it is recommended (in the man page for
timegm(3)) to avoid its use. An alternative is to set TZ=UTC, call
mktime(), unset TZ, but since we are running in a multi-threaded
environment this is problematic.

On the other hand, we already rely on GNU extensions and enable them
with -D_DEFAULT_SOURCE=1, so use of timegm() is enabled already.

The fix, therefore, is to use timegm() instead of mktime() in
daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c in two places where we
first do 'strptime()' with Zulu time zone (in ipapwd_pre_bind() and
ipapwd_write_krb_keys()).

Fixes: https://pagure.io/freeipa/issue/8362

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Simo Sorce <simo at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

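The skew the commit describes, as an added example that is not FreeIPA's own code: a GeneralizedTime value of the kind stored in krbPrincipalExpiration ("YYYYMMDDHHMMSSZ", always UTC) is converted once with mktime(), which treats the broken-down fields as local time, and once with timegm(), which treats them as UTC. The helper names, the sample expiration value and the POSIX TZ string are constructed for the illustration; the fields are parsed with sscanf() rather than strptime() so the example carries no locale dependency, but the layout is the same.

```c
/* Added example (not FreeIPA code): why mktime() is the wrong tool for a
 * UTC GeneralizedTime such as krbPrincipalExpiration. Helper names are
 * hypothetical. */
#define _DEFAULT_SOURCE 1   /* timegm() is a glibc/BSD extension, as the commit notes */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Parse "20200610220000Z" into a broken-down time. Returns 0 on success.
 * Same field layout as strptime("%Y%m%d%H%M%SZ"), without the feature-macro
 * and locale dependencies of strptime(). */
static int parse_zulu(const char *s, struct tm *tm)
{
    int y, mo, d, h, mi, sec;
    if (strlen(s) != 15 || s[14] != 'Z')
        return -1;
    if (sscanf(s, "%4d%2d%2d%2d%2d%2d", &y, &mo, &d, &h, &mi, &sec) != 6)
        return -1;
    memset(tm, 0, sizeof(*tm));
    tm->tm_year = y - 1900;
    tm->tm_mon = mo - 1;
    tm->tm_mday = d;
    tm->tm_hour = h;
    tm->tm_min = mi;
    tm->tm_sec = sec;
    tm->tm_isdst = 0;
    return 0;
}

/* Pre-fix behaviour: mktime() interprets the fields as *local* time, so the
 * result is shifted by the server's UTC offset. */
time_t expiration_via_mktime(const char *zulu)
{
    struct tm tm;
    if (parse_zulu(zulu, &tm) != 0)
        return (time_t)-1;
    return mktime(&tm);
}

/* Fixed behaviour: timegm() interprets the fields as UTC. */
time_t expiration_via_timegm(const char *zulu)
{
    struct tm tm;
    if (parse_zulu(zulu, &tm) != 0)
        return (time_t)-1;
    return timegm(&tm);
}

/* The comparison a bind-time check performs: is the principal expired at
 * `now`? A malformed value is treated as expired (fail closed). */
int principal_expired(const char *zulu, time_t now)
{
    time_t expiry = expiration_via_timegm(zulu);
    if (expiry == (time_t)-1)
        return 1;
    return now >= expiry;
}

int main(void)
{
    const char *expiry = "20200610220000Z";   /* constructed sample value */
    /* Pretend the server runs five hours west of UTC (fixed-offset POSIX TZ
     * string, so no tzdata is needed). */
    setenv("TZ", "EST5", 1);
    tzset();
    time_t wrong = expiration_via_mktime(expiry);
    time_t right = expiration_via_timegm(expiry);
    printf("timegm: %ld  mktime: %ld  skew: %ld s\n",
           (long)right, (long)wrong, (long)(wrong - right));
    /* Two hours after the real expiry the principal is still accepted by
     * the mktime path; east of UTC the skew is negative and valid
     * principals are rejected early instead. */
    time_t now = right + 2 * 3600;
    printf("expired (timegm path): %d  expired (mktime path): %d\n",
           principal_expired(expiry, now), now >= wrong);
    return 0;
}
```

With TZ=EST5 the program reports a skew of 18000 seconds: the mktime() path keeps honouring the principal for five hours after it has expired, which is the behaviour issue 8362 fixes.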
- - - - -
01f27e29 by François Cami at 2020-06-08T16:58:37-04:00
tasks.py: add krb5_trace to create_active_user and kinit_as_user

The test test_adtrust_install.py::TestIpaAdTrustInstall::test_add_agent_not_allowed
sometimes fails when resetting a user's password using kinit in create_active_user.
Add krb5_trace (default: False) to create_active_user and kinit_as_user.

Related-to: https://pagure.io/freeipa/issue/8353
Related-to: https://pagure.io/freeipa/issue/8271
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>

- - - - -
2032a619 by François Cami at 2020-06-08T16:58:37-04:00
ipatests: add KRB5_TRACE to kinit in test_adtrust_install.py

The test test_adtrust_install.py::TestIpaAdTrustInstall::test_add_agent_not_allowed
sometimes fails at kinit in create_active_user:
```
kinit: Password has expired while getting initial credentials
```
Use krb5_trace to catch the required debug information.

Related-to: https://pagure.io/freeipa/issue/8353
Related-to: https://pagure.io/freeipa/issue/8271
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>

- - - - -
98bb4e94 by François Cami at 2020-06-09T13:57:38+02:00
IPA-EPN: First version.

EPN stands for Expiring Password Notification. It is a standalone
tool designed to build a list of users whose password would expire
in the near future, and either display the list in a machine-readable
format, or send email notifications to these users.

EPN provides command-line options to display the list of affected users.
This provides data introspection and helps understand how many emails
would be sent for a given day, or a given date range.
The command-line options can also be used by a monitoring system to alert
whenever a number of emails over the SMTP quota would be sent.

EPN is meant to be launched once a day from an IPA client (preferred)
or replica from a systemd timer.

EPN does not keep state. The list of affected users is built at runtime
but never kept.

TLS/STARTTLS SMTP code is untested and unlikely to work as-is.

Parts of code contributed by Rob Crittenden.
Ideas and feedback contributed by Christian Heimes and Michal Polovka.

Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: François Cami <fcami at redhat.com>
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
3552185c by François Cami at 2020-06-09T13:57:38+02:00
IPA-EPN: Test suite.

Initial test suite for EPN.

Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: François Cami <fcami at redhat.com>
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
08697655 by Rob Crittenden at 2020-06-09T13:57:38+02:00
Add a jinja2 e-mail template for EPN

Add options for character set (default utf8) and message
subtype (default plain). This will allow for more control
for users to do either HTML mail or use ascii for the character
set so the attachment is not base64-encoded to make it easier
for all mail clients.

Collect first and last name as well for each user in order to
provide more options for the template engine.

Make the From address configurable, defaulting to noreply at ipa_domain
Make Subject configurable too.

Don't rely on the MTA to set Message-Id: set it using the email
module.

Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
ab444db0 by Rob Crittenden at 2020-06-09T13:57:38+02:00
Add index for krbPasswordExpiration for EPN

Expiring Password Notifications search for expiring passwords
between dates. Add an equality index for this attribute.

https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
ca1c374e by Rob Crittenden at 2020-06-10T14:35:38-04:00
IPA-EPN: Fixes to starttls mode, convert some log errors to exceptions

Tested security mode with none, starttls and ssl security.

Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
bbe33973 by Rob Crittenden at 2020-06-10T14:35:38-04:00
IPA-EPN: Add tests for sending real mail with auth and templates

Send e-mail using postfix on localhost and read the contents to
verify that the mail was delivered and that the template was
applied correctly.

Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
fc2b3aab by Rob Crittenden at 2020-06-10T14:35:38-04:00
IPA-EPN: Add test for starttls mode

Get a certificate for postfix and configure it to allow starttls
connections.

Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
6587edd4 by Rob Crittenden at 2020-06-10T14:35:38-04:00
IPA-EPN: test using SSL against port 465

Enable the postfix SSL listener on port 465. The certificates
and other configuration are already in place.

Test that sending mail is successful.

Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
dca3f116 by Rob Crittenden at 2020-06-10T14:35:38-04:00
IPA-EPN: Add mail-test option for testing sending live email

To make testing easier for administrators the --mail-test option
can be used to send live e-mail from ipa-epn. It sends mail
to the smtp_admin user processing the template with dummy data.

https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
672c9f55 by Rob Crittenden at 2020-06-10T14:35:38-04:00
IPA-EPN: Add tests for --mail-test option

Test sending a default template email to the smtp_admin user.

Test that --mail-test and --dry-run cannot be used together.

https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
37a4a79c by Rob Crittenden at 2020-06-10T14:35:38-04:00
IPA-EPN: add smtp_delay to limit the velocity of e-mails sent

Provide a knob so the mail queue doesn't get completely flooded
with new e-mails.

Default to no wait, value in milliseconds.

https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
4124bb6d by Rob Crittenden at 2020-06-10T14:35:38-04:00
IPA-EPN: add test to validate smtp_delay value

Configuration test to ensure that smtp_delay validation is
properly enforced.

Also reset the epn configuration when the tests are run.

https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
bf28d4c8 by Rob Crittenden at 2020-06-10T14:35:38-04:00
IPA-EPN: Don't treat givenname differently

This was returning givenname as a list and not as a single
string which messed up the templating.

https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
0fbd29d5 by Christian Heimes at 2020-06-10T14:38:16-04:00
Auto-generated ipa-epn files to gitignore

memcached has been removed a loooong time ago.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
00dd80b7 by Fraser Tweedale at 2020-06-10T14:40:03-04:00
httpinstance: retry request without ipa-ca.$DOMAIN dnsName on failure

In the migration case of replica installation, if the CA server is
an older version it may not support the ipa-ca.$DOMAIN dnsName in
the HTTP cert (it is a special case in the cert_request command).
Therefore if the request fails, try it again without the
ipa-ca.$DOMAIN dnsName.

Part of: https://pagure.io/freeipa/issue/8186

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f1564cd2 by Fraser Tweedale at 2020-06-10T14:40:03-04:00
upgrade: avoid stopping certmonger when fixing requests

During upgrade, if discrepancies are detected in Certmonger tracking
request configuration we remove and re-create tracking requests.
The default behaviour of the CAInstance and KRAInstance
stop_tracking_certificates() method is to stop certmonger after the
requests have been removed.  This behaviour results in an
unnecessary restart of certmonger and has also been observed to
cause problems.  For example, subsequent certmonger operations have
to start the certmonger process and can fail because certmonger is
not yet properly initialised (manifesting as D-Bus errors).

Suppress the unnecessary restart(s) of certmonger during tracking
request update.

Related: https://pagure.io/freeipa/issue/8186
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
aa2f9326 by Christian Heimes at 2020-06-10T22:14:36+03:00
Fix named.conf update bug NAMED_DNSSEC_VALIDATION

Commit a5cbdb57e50cfc62f61affda19ce878b2abd33de introduced a bug when
updating IPA from 4.8.6 to 4.8.7. NAMED_DNSSEC_VALIDATION template
variable was not declared.

Fixes: https://pagure.io/freeipa/issue/8363
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
6ddaead3 by Christian Heimes at 2020-06-10T22:14:36+03:00
More upgrade tests

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
03abb28a by Christian Heimes at 2020-06-10T22:14:36+03:00
Remove named_validate_dnssec update step

The upgrade step used to add "dnssec-validation no" to named.conf IFF
named.conf did not contain "dnssec-validation" option at all. The
option has been moved to 'ipa-options-ext.conf' in IPA 4.8.7. The function
only removes the upgrade state.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1d3649eb by Christian Heimes at 2020-06-10T22:14:36+03:00
Fix named.conf named_conf_include_re

Actually match one or more characters

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b2c3c040 by Christian Heimes at 2020-06-10T22:14:36+03:00
Overhaul bind upgrade process

/etc/named.conf is now owned by IPA. The file is overwritten on
installation and all subsequent updates. All user modifications will be
lost. Config file creation and update use the same code paths.

This simplifies the upgrade process a lot. There is no error-prone fiddling
with config settings any more.

During upgrade there is a one-time backup of named.conf to
named.conf.ipa-backup. It allows users to salvage their customizations
and move them to one of two user config files which are included by
named.conf.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
07139362 by Alexander Bokovoy at 2020-06-10T22:20:07+03:00
ipa-4-8: Update translation files before 4.8.7 release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
89d5907e by Alexander Bokovoy at 2020-06-10T22:21:52+03:00
ipa-4-8: update list of contributors

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9d1d3547 by Alexander Bokovoy at 2020-06-10T22:24:02+03:00
Become FreeIPA 4.8.7

- - - - -
65c2736b by Christian Heimes at 2020-06-15T22:19:31+03:00
Prevent local account takeover

It was found that if an account with a name corresponding to an account
local to a system, such as 'root', was created via IPA, such an account
could access any enrolled machine with that account, and with the local
system privileges. This also bypasses the absence of explicit HBAC rules.

root principal alias
--------------------

The principal "root at REALM" is now a Kerberos principal alias for
"admin". This prevents users with the "User Administrator" role or
"System: Add User" privilege from creating an account with the "root"
principal name.

Modified user permissions
-------------------------

Several user permissions no longer apply to admin users and filter on the
posixaccount object class. This prevents user managers from modifying admin
accounts.

- System: Manage User Certificates
- System: Manage User Principals
- System: Manage User SSH Public Keys
- System: Modify Users
- System: Remove Users
- System: Unlock user

``System: Unlock User`` is restricted because the permission also allows a
user manager to lock an admin account. ``System: Modify Users`` is restricted
to prevent user managers from changing the login shell or notification
channels (mail, mobile) of admin accounts.

New user permission
-------------------

- System: Change Admin User password

The new permission allows manipulation of admin user password fields. By
default only the ``PassSync Service`` privilege is allowed to modify
admin user password fields.

Modified group permissions
--------------------------

Group permissions are now restricted as well. Group admins can no longer
modify the admins group and are limited to groups with object class
``ipausergroup``.

- System: Modify Groups
- System: Remove Groups

The permission ``System: Modify Group Membership`` was already limited.

Notes
-----

Admin users are mostly unaffected by the new restrictions, except for
the fact that admins can no longer change krbPrincipalAlias of another
admin or manipulate password fields directly. Commands like ``ipa passwd
otheradmin`` still work, though. The ACI ``Admin can manage any entry``
allows admins to modify other entries and most attributes.

Managed permissions don't install ``obj.permission_filter_objectclasses``
when ``ipapermtargetfilter`` is set. Group and user objects now have a
``permission_filter_objectclasses_string`` attribute that is used
by new target filters.

Misc changes
------------

Also add new exception AlreadyContainsValueError. BaseLDAPAddAttribute
was raising a generic base class for LDAP execution errors.

Fixes: https://pagure.io/freeipa/issue/8326
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1810160
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
86ab7590 by Alexander Bokovoy at 2020-06-15T22:25:58+03:00
Become FreeIPA 4.8.8

- - - - -
428d215f by Timo Aaltonen at 2020-07-28T16:56:07+03:00
Merge branch 'upstream'

- - - - -
449cb579 by Timo Aaltonen at 2020-07-28T16:57:28+03:00
bump the version

- - - - -
ad2c3462 by Timo Aaltonen at 2020-07-28T17:28:39+03:00
write-out-only-one-cert-per-file.diff, tasks-fixes.diff: Dropped, upstream.

- - - - -
2bc4ad7d by Timo Aaltonen at 2020-07-28T18:52:12+03:00
control: Replace node-uglify build-dependency with python3-rjsmin.

- - - - -
2b6d7cc8 by Timo Aaltonen at 2020-07-28T19:27:15+03:00
control: Add freeipa-client-epn package.

- - - - -
d5faabcf by Timo Aaltonen at 2020-07-28T19:27:33+03:00
.install: Updated.

- - - - -


30 changed files:

- .gitignore
- .lgtm.yml
- ACI.txt
- API.txt
- Contributors.txt
- Makefile.am
- VERSION.m4
- client/Makefile.am
- + client/ipa-epn.in
- client/ipa-getkeytab.c
- client/man/Makefile.am
- client/man/default.conf.5
- + client/man/epn.conf.5
- + client/man/ipa-epn.1
- client/man/ipa-getkeytab.1
- configure.ac
- daemons/dnssec/Makefile.am
- daemons/dnssec/ipa-ods-exporter.service.in
- daemons/dnssec/ipa-ods-exporter.socket.in
- daemons/ipa-kdb/Makefile.am
- + daemons/ipa-kdb/ipa-print-pac.c
- daemons/ipa-kdb/ipa_kdb.c
- daemons/ipa-kdb/ipa_kdb.h
- daemons/ipa-kdb/ipa_kdb_mspac.c
- daemons/ipa-kdb/ipa_kdb_passwords.c
- daemons/ipa-kdb/ipa_kdb_principals.c
- daemons/ipa-otpd/Makefile.am
- daemons/ipa-sam/Makefile.am
- daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
- daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/-/compare/6dfca154aa2d267cce709d57af76d523fbde2c8a...d5faabcfc3f2f7526173558b3809d1ee3aa805f7
