[Pkg-freeipa-devel] [Git][freeipa-team/freeipa][upstream] 129 commits: ipatests: Improve test_commands reliability
Timo Aaltonen
gitlab at salsa.debian.org
Tue Mar 17 22:17:14 GMT 2020
Timo Aaltonen pushed to branch upstream at FreeIPA packaging / freeipa
Commits:
5431dd97 by Armando Neto at 2019-12-14T11:52:38-03:00
ipatests: Improve test_commands reliability
Sometimes ssh command gets stuck, running manually without passing a command
to be executed this is returned:
```
$ ssh -o PasswordAuthentication=no -o IdentitiesOnly=yes \
-o StrictHostKeyChecking=no -l testsshuser \
-i /tmp/tmp.rQIT3KYScX master.ipa.test
Could not chdir to home directory /home/testsshuser: No such file or directory
```
This commit forces the homedir creation and adds a timeout to ssh.
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
21fb038c by Dinesh Prasanth M K at 2019-12-15T13:27:22+02:00
Adding auto COPR builds
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2c2cef70 by Thomas Woerner at 2019-12-16T21:37:17+01:00
DNS install check: Fix overlapping DNS zone from the master itself
The change to allow overlapping zone to be from the master itself has
introduced two issues: The check for the master itself should only executed
if options.force and options.allow_zone_overlap are both false and the
reverse zone check later on was still handling ValueError instead of
dnsutil.DNSZoneAlreadyExists.
Both issues have been fixed and the deployment with existing name servers
is properly working again.
Fixes: https://pagure.io/freeipa/issue/8150
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
01173427 by Armando Neto at 2019-12-16T18:31:03-03:00
ipatests: Skip test_sss_ssh_authorizedkeys method
Temporarily skipping test due to unknown time-outs happening regularly.
Issue: https://pagure.io/freeipa/issue/8151
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
44fca092 by Fraser Tweedale at 2019-12-17T14:37:20+01:00
ipatests: assert_error: allow regexp match
Enhance the assert_error subroutine to provide regular expression
matching against the command's stderr output, in additional to
substring match.
Part of: https://pagure.io/freeipa/issue/8142
- - - - -
d833b5ba by Fraser Tweedale at 2019-12-17T14:37:20+01:00
Fix test regressions caused by certificate validation changes
Some integration tests (that were enabled in nightly CI but not
PR-CI) are failing due to changes in the error messages. Update the
error message assertions to get these tests going again.
Part of: https://pagure.io/freeipa/issue/8142
- - - - -
71a4d574 by Anuja More at 2019-12-17T15:19:05+01:00
ipatests: filter_users should be applied correctly.
Added test which checks that no look up should
be added in data provider when users are added in
filter_users for doamin provider.
Related Ticket:
https://pagure.io/SSSD/sssd/issue/3978
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
a8b52eaf by Alexander Bokovoy at 2019-12-18T18:44:30+01:00
Reset per-indicator Kerberos policy
When 'ipa krbtpolicy-reset' is called, we need to reset all policy
settings, including per-indicator ones. Per-indicator policy uses
subtyped attributes (foo;bar), the current krbtpolicy-reset code does
not deal with those.
Add support for per-indicator policy reset. It is a bit tricky, as we
need to drop the values to defaults but avoid adding non-per-indicator
variants of the same attributes.
Add test to check that policy has been resetted by observing a new
Kerberos TGT for the user after its policy reset.
Fixes: https://pagure.io/freeipa/issue/8153
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
acbd90d9 by Jayesh Garg at 2019-12-19T14:47:16+01:00
Test if ipactl starts services stopped by systemctl
This will first check if all services are running then it will stop
few service. After that it will restart all services and then check
the status and pid of services.It will also compare pid after ipactl
start and restart in case of start it will remain unchanged on the
other hand in case of restart it will change.
Signed-off-by: Jayesh Garg <jgarg at redhat.com>
- - - - -
25310105 by Fraser Tweedale at 2019-12-20T14:47:54+11:00
ipatests: add test for certinstall with notBefore in the future
Part of: https://pagure.io/freeipa/issue/8142
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
27a6920d by Anuja More at 2019-12-20T18:47:55+02:00
Add integration test for otp kerberos ticket policy.
This also exercises the Authentication Indicator Kerberos ticket
policy options by testing a otp indicator type.
Related: https://pagure.io/freeipa/issue/8001
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
631054a1 by Jayesh at 2019-12-21T21:39:28+02:00
Test ipa-getkeytab quiet mode, encryptons
This will first check ipa-getkeytab quiet mode,
then it will check ipa-getkeytab server name,
then it will check different type of encryptions
Signed-off-by: Jayesh <jgarg at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2b19749a by Anuja More at 2019-12-23T13:08:31+01:00
Fix fedora version for xfail for sssd test
Test was failing in nightly_PR for ipa-4.7
As https://pagure.io/SSSD/sssd/issue/3978 is not available on
fedora-29
Signed-off-by: Anuja More <amore at redhat.com>
- - - - -
e3cff5d1 by François Cami at 2020-01-06T10:58:27-05:00
ipaserver/plugins/dns.py: add "Dynamic Update" and "Bind update policy" to default dnszone* output
Displaying "Dynamic Update" and "Bind update policy" by default
when 'ipa dnszone-show/find' are used would make client dns update
failures easier to diagnose, so display them.
Fixes: https://pagure.io/freeipa/issue/7938
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
578bdce2 by François Cami at 2020-01-06T10:58:27-05:00
ipatests: expect "Dynamic Update" and "Bind update policy" in default dnszone* output
Fix XMLRPC tests so that "Dynamic Update" and "Bind update policy"
can be displayed by default in many DNS commands' output.
Related to: https://pagure.io/freeipa/issue/7938
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e1ff95fc by Jayesh at 2020-01-07T11:58:29+01:00
Test for ipa-ca-install on replica
Test on replica for ipa-ca-install with options
--no-host-dns,--skip-schema-check,done changes in
ipatests/pytest_ipa/integration/tasks.py because
wants to pass few arguments to install_ca method
Signed-off-by: Jayesh <jgarg at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
4db18be5 by Florence Blanc-Renaud at 2020-01-13T13:08:19+01:00
AD user without override receive InternalServerError with API
When ipa commands are used by an Active Directory user that
does not have any idoverride-user set, they return the
following error message which can be misleading:
$ kinit aduser at ADDOMAIN.COM
$ ipa ping
ipa: ERROR: cannot connect to 'https://master.ipa.com/ipa/json': Internal Server Error
The fix properly handles ACIError exception received when
creating the context, and now the following message can be seen:
$ kinit aduser at ADDOMAIN.COM
$ ipa ping
ipa: ERROR: cannot connect to 'https://master.ipa.com/ipa/json': Unauthorized
with the following log in /var/log/httpd/error_log:
ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials
Fixes: https://pagure.io/freeipa/issue/8163
- - - - -
acbbc529 by Anuja More at 2020-01-13T16:39:42+01:00
Add xmlrpc test with input validation check for kerberos ticket policy.
This checks that valid/invalid inputs for subtypes of
authentication indicator kerberos ticket policy options.
Signed-off-by: Anuja More <amore at redhat.com>
- - - - -
3d7d58d8 by Rob Crittenden at 2020-01-13T13:41:53-05:00
Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit
A "cookie" is used with certmonger to track the state of a
request across multiple requests to a CA (in ca-cookie). This
is used with the certmonger POLL operation to submit a request
to the CA for the status of a certificate request. This, along
with the profile, are passed to the certmonger CA helper
scripts via environment variables when a request is made. It is
cleared from the certmonger request once the certificate is
issued.
This CA helper can do a number of things:
- SUBMIT new certicate requests (including the CA)
- POLL for status of an existing certificate request
- For non renewal masters, POLL to see if an updated cert is in
LDAP
A POLL operation requires a cookie so that the state about the
request can be passed to the CA. For the case of retrieving an
updated cert from LDAP there is no state to maintain. It just
checks LDAP and returns either a cert or WAIT_WITH_DELAY if one
is not yet available.
There are two kinds of cookies in operation here:
1. The CERTMONGER_CA_COOKIE environment variable passed via
certmonger to this helper which is a JSON object.
2. The cookie value within the JSON object which contains the
URL to be passed to dogtag.
For the purposes of clarity "cookie" here is the value within
the JSON.
The CERTMONGER_CA_COOKIE is deconstructed and reconstructed as
the request is processed, doing double duty. It initially comes
in as a JSON dict object with two keys: profile and cookie.
In call_handler the CERTMONGER_CA_COOKIE is decomposed into a
python object and the profile compared to the requested profile
(and request rejected if they don't match) and the cookie key
overrides the CERTMONGER_CA_COOKIE environment variable. This is
then reversed at the end of the request when it again becomes a
JSON object containing the profile and cookie.
This script was previously enforcing that a cookie be available on
all POLL requests, whether it is actually required or not. This
patch relaxes that requirement.
The first request of a non-renewal master for an updated certicate
from LDAP is a SUBMIT operation. This is significant because it
doesn't require a cookie: there is no state on a new request. If
there is no updated cert in LDAP then the tracking request goes
into the CA_WORKING state and certmonger will wait 8 hours (as
returned by this script) and try again.
Subsequent requests are done using POLL. This required a cookie
so all such requests would fail with the ca-error
Invalid cookie: u'' as it was empty (because there is no state).
There is no need to fail early on a missing cookie. Enforcement
will be done later if needed (and it isn't always needed). So
if CERTMONGER_CA_COOKIE is an empty string then generate a new
CERTMONGER_CA_COOKIE containing the requested profile and an empty
cookie. It still will fail if certmonger doesn't set a cookie at
all.
An example of a cookie when retrieving a new RA Agent certificate
is:
{"profile": "caServerCert", "cookie": "state=retrieve&requestId=20"}
This will result in this request to the CA:
[09/Jan/2020:14:29:54 -0500] "GET
/ca/ee/ca/displayCertFromRequest?requestId=20&importCert=true&xml=true
HTTP/1.1" 200 9857
For a renewal, the reconstructed cookie will consist of:
{"profile": "caServerCert", "cookie": ""}
https://pagure.io/freeipa/issue/8164
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
1b7cf51e by Florence Blanc-Renaud at 2020-01-15T09:54:13+01:00
ipatests: fix backup and restore
The tests for backup_and_restore check that the ipa-backup command
compresses the tar file AFTER restarting IPA services by reading the
output and looking for a pattern with "gzip" before "Starting IPA service."
As the tar file name is randomly created, it sometimes happen that the
name contains gzip and in this case the test wrongly assumes that
the gzip cmd was called.
The fix makes a stricter comparison, looking for /bin/gzip.
Fixes: https://pagure.io/freeipa/issue/8170
- - - - -
86a8d948 by Robbie Harwood at 2020-01-16T08:46:28+01:00
Make the coding style explicit
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
01c1b270 by Robbie Harwood at 2020-01-16T08:46:28+01:00
Use separate variable for client fetch in kdcpolicy
`client` is not intended to be modified as a parameter of the AS check
function. Fixes an "incompatible pointer type" compiler warning.
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6bdd6b3d by Robbie Harwood at 2020-01-16T08:46:28+01:00
Fix several leaks in ipadb_find_principal
`vals` is often leaked during early exit. Refactor function to use a
single exit path to prevent this.
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4fe1f770 by Christian Heimes at 2020-01-17T17:21:22+01:00
Print LDAP diagnostic messages on error
ipa_ldap_init(), ipa_tls_ssl_init(), and the bind operations of ipa-join
and ipa-getkeytab now print LDAP error string and LDAP diagonstic messages
to stderr.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e9ed8e78 by Christian Heimes at 2020-01-23T09:06:07-05:00
Make assert_error compatible with Python 3.6
The re.Pattern class was introduced in Python 3.7. Use duck-typing to
distinguish between str and re pattern object.
Fixes: https://pagure.io/freeipa/issue/8179
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
72e1b135 by Sergey Orlov at 2020-01-24T16:36:32+01:00
ipatests: add test_winsyncmigrate suite to nightly runs
The test suite test_winsyncmigrate was missing in nightly definitions
because CI was lacking configuration needed for establishing winsync
agreement: the Certificate Authority needs to be configured on
Windows AD instance. Now that PR-CI is updated to include said changes, we
can start executing this test suite. It is not reasonable to add it to
gating as this suite is time consuming just like other tests requiring
provisioning of AD instances.
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
37f81cc5 by Rob Crittenden at 2020-01-28T14:45:54-05:00
Add delete option to ipa-cacert-manage to remove CA certificates
Before removing a CA re-verify all the other CAs to ensure that
the chain is not broken. Provide a force option to handle cases
where the CA is expired or verification fails for some other
reason, or you really just want them gone.
https://pagure.io/freeipa/issue/8124
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
7d81a345 by Rob Crittenden at 2020-01-28T14:45:54-05:00
ipa-certupdate removes all CA certs from db before adding new ones
This will allow for CA certificates to be dropped from the list
of certificates. It also allows for the trust flags to be
updated when an existing cert is dropped and re-added.
https://pagure.io/freeipa/issue/8124
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
78827db1 by Rob Crittenden at 2020-01-28T14:45:54-05:00
Add tests for ipa-cacert-manage delete command
This tests the following cases:
- deletion without nickname (expect fail)
- deletion with an unknown nickname (expect fail)
- deletion of IPA CA (expect fail)
- deletion of a root CA needed by a subCA (expect fail)
- deletion of a root CA needed by a subCA with --force (ok)
- deletion of a subca (ok)
As a side-effect this also tests install by installing the LE
root and a sub-ca. The sub-ca expires in 2021 but I tested in
the future the ipa-cacert-manage install doesn't do date
validation so for now this is ok.
https://pagure.io/freeipa/issue/8124
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
4b551366 by Fraser Tweedale at 2020-01-30T20:04:44+11:00
Do not renew externally-signed CA as self-signed
Commit 49cf5ec64b1b7a7437ca285430353473c215540e fixed a bug that
prevented migration from externally-signed to self-signed IPA CA.
But it introduced a subtle new issue: certmonger-initiated renewal
renews an externally-signed IPA CA as a self-signed CA.
To resolve this issue, introduce the `--force-self-signed' flag for
the dogtag-ipa-ca-renew-agent script. Add another certmonger CA
definition that calls this script with the `--force-self-signed'
flag. Update dogtag-ipa-ca-renew-agent to only issue a self-signed
CA certificate if the existing certificate is self-signed or if
`--force-self-signed' was given. Update `ipa-cacert-manage renew'
to supply `--force-self-signed' when appropriate.
As a result of these changes, certmonger-initiated renewal of an
externally-signed IPA CA certificate will not issue a self-signed
certificate.
Fixes: https://pagure.io/freeipa/issue/8176
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
577dd1e4 by Sergey Orlov at 2020-01-30T16:08:49+01:00
ipatests: add check for output contents of ipa-client-samba
Check that ipa-client-samba tool reports specific properties of domains:
name, netbios name, sid and id range
Related to https://pagure.io/freeipa/issue/8149
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
875769c7 by Gaurav Talreja at 2020-01-31T14:34:00+01:00
Normalize test definations titles
Rename job titles to match their test suites and how they are defined in nightly yamls.
Issue : freeipa/freeipa-pr-ci#336
Signed-off-by: Gaurav Talreja <gtalreja at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
d97cfd72 by Robbie Harwood at 2020-02-01T10:09:48+02:00
Handle the removal of KRB5_KDB_FLAG_ALIAS_OK
In ac8865a22138ab0c657208c41be8fd6bc7968148 (between 1.17 and 1.18),
krb5 removed this flag, and always accepts aliases.
Related-to: https://pagure.io/freeipa/issue/7879
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
089c47e2 by Robbie Harwood at 2020-02-01T10:09:48+02:00
Support DAL version 8.0
Provide stubs for backward compatibility. DAL 8.0 was released with
krb5-1.18, which is part of Fedora 32+.
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
19635044 by Robbie Harwood at 2020-02-01T10:09:48+02:00
Drop support for DAL version 5.0
No supported Linux distro packages a version of krb5 with this DAL, so
we don't lose anything by removing it.
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
99a920cb by Isaac Boukris at 2020-02-02T09:10:48+02:00
Fix DAL v8 support
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
0806c158 by Isaac Boukris at 2020-02-02T09:10:48+02:00
Fix legacy S4U2Proxy in DAL v8 support
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4d7eac93 by Anuja More at 2020-02-04T10:46:05+01:00
After mounting "Unspecified GSS failure" should not be in logs.
When there is directory mounted on the ipa-client
Then no "Unspecified GSS failure" should be in logs.
This is an integration test for :
https://bugzilla.redhat.com/show_bug.cgi?id=1759665
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Sumedh Sidhaye <ssidhaye at redhat.com>
- - - - -
a6dae484 by sumenon at 2020-02-05T10:06:00+01:00
Tier-1 test for ipa-healthcheck tool
Signed-off-by: sumenon <sumenon at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Sudhir Menon <sumenon at redhat.com>
- - - - -
7a45cd17 by sumenon at 2020-02-05T10:06:00+01:00
Nightly definition for ipa-healthcheck tool
Signed-off-by: sumenon <sumenon at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Sudhir Menon <sumenon at redhat.com>
- - - - -
664eed7d by Serhii Tsymbaliuk at 2020-02-05T14:19:59+01:00
WebUI tests: Fix 'Button is not displayed' exception
Add a small timeout (up to 5 seconds) which allows to prevent exceptions when
WebDriver attempts to click a button before it is rendered.
Ticket: https://pagure.io/freeipa/issue/8169
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
59593194 by Armando Neto at 2020-02-05T14:49:39-03:00
prci: Bump template version
This new image has SELinux enabled in permissive mode. After
this all tests skipped because SELinux was disabled will be
executed again.
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
4e1d27c2 by Serhii Tsymbaliuk at 2020-02-06T14:12:45+01:00
WebUI tests: Fix broken reference to parent facet in table record check
Add decorator to has_record method which repeats the check when an active facet is changed
(catch StaleElementReferenceException).
Ticket: https://pagure.io/freeipa/issue/8157
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
8e527507 by Florence Blanc-Renaud at 2020-02-12T09:41:42+01:00
ipatests: fix modify_sssd_conf()
The method modify_sssd_conf() is copying a remote sssd.conf file
to the test controller then uses sssd python API to modify the
config file.
When the test controller does not have sssd-common package installed,
SSSDConfig() call fails because the API needs sssd schema in order
to properly parse the config file, and the schema files are provided
by sssd-common pkg.
The fix also downloads the files representing sssd schema and calls
SSSDConfig() with those files. Using the schema from the test machine
is ensuring that config is consistent with the schema (if the sssd
version differs between controller and test machine for instance).
Note: we currently don't see any issue in the nightly tests because
the test controller is installed with sssd-common package but if you
run the tests as specified in https://www.freeipa.org/page/Testing
with a controller missing sssd-common, you will see the issue.
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
14dbf041 by Alexander Bokovoy at 2020-02-12T15:16:42+01:00
install/updates: move external members past schema compat update
There is an ordering discrepancy because the base compat tree
configuration is in install/updates/80-schema_compat.update so it is ran
after 50-externalmembers.update. And since at that point
cn=groups,cn=Schema ... does not exist yet, external members
configuration is not applied.
Move it around to make sure it is applied after Schema Compatibility
plugin configuration is created.
Fixes: https://pagure.io/freeipa/issue/8193
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
2cd67d5a by Sumedh Sidhaye at 2020-02-13T09:12:08-03:00
Added a test to check if ipa host-find --pkey-only does not return SSH public key
It checks if 'SSH public key fingerprint' is
not present in the output of the command
Related: https://pagure.io/freeipa/issue/8029
Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
87bc3146 by Stanislav Levin at 2020-02-13T15:39:34-03:00
pytest: Migrate xunit-style setups to Pytest fixtures
Even though Pytest supports xunit style setups, unittest and nose
tests, this support is limited and may be dropped in the future
releases. Worst of all is that the mixing of various test
frameworks results in weird conflicts and of course, is not widely
tested.
This is a part of work to remove the mixing of test idioms in the
IPA's test suite:
1) replace xunit style
2) employ the fixtures' interdependencies
Related: https://pagure.io/freeipa/issue/7989
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
356f907f by Stanislav Levin at 2020-02-13T15:39:34-03:00
pytest: Migrate unittest/nose to Pytest fixtures
Even though Pytest supports xunit style setups, unittest and nose
tests, this support is limited and may be dropped in the future
releases. Worst of all is that the mixing of various test
frameworks results in weird conflicts and of course, is not widely
tested.
This is a part of work to remove the mixing of test idioms in the
IPA's test suite:
1) replace unittest.TestCase subclasses
2) replace unittest test controls (SkipTest, fail, etc.)
3) replace unittest assertions
Related: https://pagure.io/freeipa/issue/7989
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
3659b46d by Stanislav Levin at 2020-02-13T15:39:34-03:00
pytest: Warn about unittest/nose/xunit tests
This Pytest plugin is intended to issue warnings on collecting
tests, which employ unittest/nose frameworks or xunit style.
For example, this may look like:
"""
test_a/test_xunit.py:25
test_a/test_xunit.py:25: PytestDeprecationWarning: xunit style is deprecated
def test_foo_bar(self):
test_b/test_unittest.py:7
test_b/test_unittest.py:7: PytestDeprecationWarning: unittest is deprecated
def test_foo_bar(self):
"""
To treat these warnings as errors it's enough to run Pytest with:
-W error:'xunit style is deprecated':pytest.PytestDeprecationWarning
Related: https://pagure.io/freeipa/issue/7989
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
f4e2acd1 by Alexander Bokovoy at 2020-02-13T15:39:34-03:00
Update Azure Pipelines to use Fedora 31
nodejs:12 requires libicu-65.1 while gdb (not direct dependency)
libicu-63.2. As a workaround gdb-minimal [0] could be used.
It's even better as requires less packages to be downloaded
and then installed.
[0] https://fedoraproject.org/wiki/Changes/Minimal_GDB_in_buildroot
Co-authored-by: Stanislav Levin <slev at altlinux.org>
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
294694ad by Stanislav Levin at 2020-02-13T15:39:34-03:00
ipatests: Properly kill gpg-agent
There is a race condition exposed in 'test_gpg_asymmetric'.
The teardown of 'tempdir' fixture and gpg-agent being called
from the teardown of 'gpgkey' fixture could simultaneously
remove the gnugpg's socket files.
This results in an error like:
```
================= ERRORS ===================
_ ERROR at teardown of test_gpg_asymmetric __
...
> os.unlink(entry.name, dir_fd=topfd)
E FileNotFoundError: [Errno 2] No such file or directory: 'S.gpg-agent.extra'
/usr/lib64/python3.7/shutil.py:450: FileNotFoundError
```
The problem is that the agent is not terminated properly.
Instead, gpgconf could be used to kill daemonized gpg-agent.
Related: https://pagure.io/freeipa/issue/7989
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
5939c907 by Stanislav Levin at 2020-02-13T15:39:34-03:00
pylint: Teach Pylint how to handle request.context
With Astroid change [0] a inference for builtin containers
was improved. This means that all the elements of such containers
will be inferred if they are not Python constants (previously
ignored).
This change introduces several issues, one of them is a volatile
error exposed at multi-job Pylinting, but could be guaranteed
produced at single-job mode as:
```
PYTHONPATH=. /usr/bin/python3 -m pylint --rcfile=./pylintrc \
--load-plugins pylint_plugins ipaserver/plugins/dns.py ipalib/request.py
ipalib/request.py:76: [E1101(no-member), destroy_context] Instance of 'bool' has no 'disconnect' member)
-----------------------------------
Your code has been rated at 9.97/10
```
Or even adding 'context.some_attr = True' into ipalib/request.py.
It's should be treated as no one member of `context`'s attrs is a
`Connection` instance and has `destroy_context` member.
To tell Pylint that there are such members the corresponding
transformation is added.
[0] https://github.com/PyCQA/astroid/commit/79d5a3a7
Related: https://pagure.io/freeipa/issue/8116
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
3460db4e by Stanislav Levin at 2020-02-13T15:39:34-03:00
pylint: Synchronize pylint plugin to ipatests code
Pylint is a static analysis tool and therefore, couldn't always
analyze dynamic stuff properly. Transformation plugins is a way
to teach Pylint how to handle such cases.
Particularly, with the help of FreeIPA own plugin, it is possible
to tell Pylint about instance fields having a duck-typing nature.
A drawback exposed here is that a static view (Pylint's) of code
should be consistent with an actual one, otherwise, codebase will
be polluted with various skips of pylint checks.
* added missing fields to ipatests.test_integration.base.IntegrationTest
* an attempt is made to clear `no-member` skips for ipatests
* removed no longer needed `pytest` module transformation
Related: https://pagure.io/freeipa/issue/8116
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
6f488485 by Stanislav Levin at 2020-02-13T15:39:34-03:00
pylint: Clean up comment
I added a comment in @d0b420f6d, later, on refactoring in
@c6769ad12 I forgot to remove it. So, it is just a clean up.
Related: https://pagure.io/freeipa/issue/8116
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
44a59ff3 by Stanislav Levin at 2020-02-13T15:39:34-03:00
lint: Make Pylint-2.4 happy again
This is the first time running Pylint-2.4 over the whole IPA codebase.
```
Pylint on /usr/bin/python is running, please wait ...
internal error with sending report for module ['ipaserver/plugins/serverroles.py']
maximum recursion depth exceeded while calling a Python object
************* Module ipatests.test_integration.base
ipatests/test_integration/base.py:84: [W0125(using-constant-test), IntegrationTest.install] Using a conditional statement with a constant value)
************* Module ipaserver.install.ipa_cacert_manage
ipaserver/install/ipa_cacert_manage.py:522: [R1724(no-else-continue), CACertManage.delete] Unnecessary "elif" after "continue")
```
The latest Pylint (via the Tox task) checks only:
```
{envsitepackagesdir}/ipaclient \
{envsitepackagesdir}/ipalib \
{envsitepackagesdir}/ipapython
```
, while the distro-Pylint runs over all project but it is not fresh.
That's why these warnings/errors weren't exposed before now.
Concerning `internal error`: a fix was accepted by upstream:
https://github.com/PyCQA/pylint/issues/3245, but wasn't released yet.
Until that is done, Pylint just warns.
Related: https://pagure.io/freeipa/issue/8116
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
936e27f7 by Alexander Bokovoy at 2020-02-14T09:24:58+02:00
adtrust: print DNS records for external DNS case after role is enabled
We cannot gather information about required DNS records before "ADTrust
Controller" role is enabled on this server. As result, we need to call
the step to add DNS records after the role was enabled.
Fixes: https://pagure.io/freeipa/issue/8192
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
0ff0ab85 by Sergey Orlov at 2020-02-14T09:27:40+02:00
ipatests: add test_trust suite to nightly runs
The test suite test_trust was missing in nightly definitions
because PR-CI was not able to provision multi-AD topology.
Now that PR-CI is updated, we can start executing this test suite.
It is not reasonable to add it to gating as this suite is
time consuming like other tests requiring provisioning of AD instances.
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
6332aed9 by François Cami at 2020-02-14T17:38:19+01:00
ipa-client-automount: call save_domain() for each change
Call sssdconfig.save_domain(domain) after each configuration
change during ipa-client-automount --uninstall.
Previously, sssdconfig.save_domain(domain) was called only
outside of the domain detection loop which changed the domain
configuration. This introduced issues as this method's behavior
is only consistent when configuration items are removed in a
certain order: https://pagure.io/SSSD/sssd/issue/4149
Plus, it is more correct to save the configuration from within
the loop if ever we support multiple domains.
Fixes: https://pagure.io/freeipa/issue/8190
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
7ae804c7 by François Cami at 2020-02-14T17:38:19+01:00
ipatests: make sure ipa-client-automount reverts sssd.conf
Due to https://pagure.io/SSSD/sssd/issue/4149 ipa-client-automount
fails to remove the ipa_automount_location entry from sssd.conf.
Test that autofs_provider and ipa_automount_location are removed.
Fixes: https://pagure.io/freeipa/issue/8190
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c35c066a by Stanislav Levin at 2020-02-16T12:13:10+02:00
ipatests: Allow zero-length arguments
Currently, such arguments are eaten by 'ipa-run-tests' script as they
are not quoted.
For example, running ipa-run-tests -k ''
results in the actual invocation would be like as:
['/bin/sh',
'--norc',
'--noprofile',
'-c',
'--',
"/usr/bin/python3 -c 'import sys,pytest;sys.exit(pytest.main())' -o "
'cache_dir=/tmp/pytest-of-root/pytest-12/test_ipa_run_tests_empty_expression0/.pytest_cache '
'--confcutdir=/usr/lib64/python3/site-packages/ipatests -k ']
Note: expressions or marks could be empty as a result of the building
of command line args by more high-level tools, scripts, etc.
So, a short-termed solution is the quotting of zero-length arguments.
Fixes: https://pagure.io/freeipa/issue/8173
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
b240b54b by Christian Heimes at 2020-02-16T12:15:52+02:00
Remove dependency on custodia package
ipa-server no longer use any files and features from the custodia
package. The python3-custodia package provides all Custodia features for
ipa-custodia.service.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2ade60ac by Christian Heimes at 2020-02-16T12:17:45+02:00
dnsrecord: Treat empty list arguments correctly
dnsrecord_del fails when one of the record arguments is an empty list:
AttrValueNotFound("AAAA record does not contain 'None'",)
The problem is caused by the fact that LDAPEntry.__getitem__ returns None
for empty lists. The code in the plugin considers None as a single entry
and maps it to vals = [None].
The patch maps None to empty list.
Fixes: https://pagure.io/freeipa/issue/8196
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
30b8c8b9 by Alexander Bokovoy at 2020-02-17T16:40:16+01:00
kdb: make sure audit_as_req callback signature change is preserved
audit_as_req() callback has changed its signature with MIT krb5 commit
20991d55efbe1f987c1dbc1065f2d58c8f34031b in 2017, we should preserve the
change for any newer DAL versions. Otherwise audit_as_req() callback
would reference wrong data and we might crash.
Fixes: https://pagure.io/freeipa/issue/8200
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
4eb48492 by Alexander Bokovoy at 2020-02-17T16:40:16+01:00
Azure Pipelines: re-enable nodejs:12 stream for Fedora 31+
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
2d0da2f9 by Anuja More at 2020-02-17T16:49:50+01:00
Update topology for test_integration/test_sssd.py
Added changes in topology for test_sssd.py
As in test it needs client also.
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
985c99fc by Anuja More at 2020-02-17T16:49:50+01:00
ipatests: Add test for ipa-extdom-extop plugin should allow @ in group name
If group contains @ in group name on AD,
then it should fetch successfully on ipa-client.
Related to: https://bugzilla.redhat.com/1746951
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
f356d573 by Rob Crittenden at 2020-02-18T22:30:55-05:00
Don't fully quality the FQDN in ssbrowser.html for Chrome
The trailing dot causes it to not function as expected, remove
it from the example.
https://pagure.io/freeipa/issue/8201
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
d4b8081e by Anuja More at 2020-02-19T17:49:05+01:00
ipatests: SSSD should fetch external groups without any limit.
When there are more external groups than default limit, then
SSSD should fetch all groups.
Related : https://pagure.io/SSSD/sssd/issue/4058
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
3ced5532 by Kaleemullah Siddiqui at 2020-02-19T17:52:47+01:00
Tests for backup-restore when pkg required is missing
Tests for ipa-restore behaviour when dns or adtrust
rpm is missing which is required during ipa-restore
https://pagure.io/freeipa/issue/7630
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
61577c85 by Mohammad Rizwan Yusuf at 2020-02-20T10:50:18-05:00
Test AES SHA 256 and 384 Kerberos enctypes enabled
AES SHA 256 and 384-bit enctypes supported by MIT kerberos but
was not enabled in IPA. This test is to check if these types are
enabled.
related: https://pagure.io/freeipa/issue/8110
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
eaf9e79c by Mohammad Rizwan Yusuf at 2020-02-24T15:50:42-05:00
Test if certmonger reads the token in HSM
This is to ensure added HSM support for FreeIPA. This test adds
certificate with sofhsm token and checks if certmonger is tracking
it.
related : https://pagure.io/certmonger/issue/125
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
84ae778c by Mohammad Rizwan Yusuf at 2020-02-24T15:50:42-05:00
Add certmonger wait_for_request that uses run_command
Add a little utility function to get the certmonger status
of a request id on a particular host and wait until it is either
failed on the CA or issued (or times out).
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
8b5dc6a2 by Thomas Woerner at 2020-02-25T15:34:32-05:00
ipaserver/plugins/hbacrule: Add HBAC to memberservice_hbacsvc* labels
The labels for memberservice_hbacsvc and memberservice_hbacsvcgroup are
only "Services" and "Service Groups" but they should be "HBAC Services"
and "HBAC Service Groups".
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
8a5bfaba by Florence Blanc-Renaud at 2020-02-26T08:01:52+01:00
Part2: Don't fully quality the FQDN in ssbrowser.html for Chrome
The web page ssbrowser.html is displayed when the browser doesn't
enable javascript. When js is enabled, the content is taken from
ipaserver/plugins/internal.py.
The commit e4966f9 fixed a string in ssbrowser.html but did not
fix the corresponding string in ipaserver/plugins/internal.py,
resulting in a different page depending on javascript enabled/not
enabled.
This commit makes both contents consistent.
Fixes: https://pagure.io/freeipa/issue/8201
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
- - - - -
11d14530 by Stanislav Levin at 2020-02-26T13:07:55+02:00
Azure: Allow to not provide tests to be ignored
As for now, a list of tests which will be ignored by Pytest is
mandatory. But actually, a list of tests to run is explicitly set
in yaml config. And thus, 'ignore' list should be an optional field.
This simplifies tests definitions to drop extra stuff.
Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6a6e3f23 by Stanislav Levin at 2020-02-26T13:07:55+02:00
Azure: Allow SSH for Docker environments
IPA integration tests utilize SSH as a transport to communicate
with IPA hosts. To run such tests Docker environments should
have configured SSH.
Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d33b7d61 by Stanislav Levin at 2020-02-26T13:07:55+02:00
Azure: Allow to run integration tests
Azure provides Microsoft-hosted agents having tasty resources [0].
For now (Feb 2020),
- (Linux only) Run steps in a cgroup that offers 6 GB of physical memory and
13 GB of total memory
- Provide at least 10 GB of storage for your source and build outputs.
This is enough to set up IPA environments consisted of not only master but also
replicas and clients and thus, run IPA integration tests.
New Azure IPA tests workflow:
+ 1) Azure generate jobs using Matrix strategy
2) each job is run in parallel (up to 10) within its own VM (Ubuntu-18.04):
a) downloads prepared Docker container image (artifact) from Azure cloud
(built on Build Job) and loads the received image into local pool
+ b) docker-compose creates the Docker environment having a required number
of replicas and/or clients
+ c) setup_containers.py script does the needed container's changes (DNS,
SSH, etc.)
+ d) launch IPA tests on tests' controller
e) publish tests results in JUnit format to provide a comprehensive test
reporting and analytics experience via Azure WebUI [1]
f) publish regular system logs as artifacts
[0] https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/hosted?view=azure-devops
[1] https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/test/publish-test-results?view=azure-devops&tabs=yaml
Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
198cd506 by Stanislav Levin at 2020-02-26T13:07:55+02:00
Azure: Make it possible to configure distro-specific stuff
This allows to run IPA tests on Azure using any distro.
To achieve this, one has to do:
1) place a platform specific template on 'ipatests/azure/templates/'
and make a soft link from 'ipatests/azure/templates/variables.yml' to
the new template.
2) place a configuration templates on these paths
3) templates have to answer the questions such as:
a) which Docker image to use to build IPA packages (rpm, deb, etc.)
b) how to prepare Build environment
c) how to build IPA packages
d) how to prepare environment to run Tox tests
e) how to prepare environment to run WebUI unittests
f) which base Docker image to use to build the new image to run
IPA tests within it
Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2988f5f3 by Stanislav Levin at 2020-02-26T13:07:55+02:00
yamllint: Lint all the YAML files
For now, a list of YAML files' paths is hardcoded (even after
globbing) into Makefile.am. Moreover, Azure templates are not
checked at all until Azure triggered.
With this change, the list of YAMLs is populated automatically
on yamllinting.
Jinja templates are not parseable by a regular yaml module, to
skip such the YAML_TEMPLATE_FILES is utilized.
Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
685d902c by Stanislav Levin at 2020-02-26T13:07:55+02:00
Azure: Don't collect twice systemd_journal.log
This log file is collected by azure-run-tests.sh script and then by
Azure 'PublishPipelineArtifact' task. So, the same file gets into
logs artifact.
Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
245a9dc9 by Stanislav Levin at 2020-02-26T13:07:55+02:00
Azure: Add support for testing multi IPA environments
Currently, only one IPA environment is tested within Docker
containers. This is not efficient because Azure's agent gives
6 GB of physical memory and 13 GB of total memory (Feb 2020),
but limits CPU with 2 cores.
Next examples are for 'master-only' topologies.
Let's assume that only one member of github repo simultaneously
run CI. This allows to get the full strength of Azure.
Concurrency results for TestInstallMaster:
------------------------------------------
| job concurrency | time/jobs |
------------------------------------------
| 5 | 40/5 |
| 4 | 34/4 |
| 3 | 25/3 |
| 2 | 19/2 |
| 1 | 17/1 |
------------------------------------------
Results prove the limitation of 2 cores. So, in case of jobs'
number not exceeds the max capacity for parallel jobs(10) the
proposed method couldn't save time, but it reduces the used
jobs number up to 2 times. In other words, in this case CI
could pass 2 x tests.
But what if CI was triggered by several PRs? or jobs' number is
bigger than 10. For example, there are 20 tests to be run.
Concurrency results for TestInstallMaster and 20 input jobs:
------------------------------------------------------------------
| job concurrency | time | jobs used | jobs free |
------------------------------------------------------------------
| 5 | 40 | 4 | 6 |
| 4 | 34 | 5 | 5 |
| 3 | 25 | 7 | 3 |
| 2 | 19 | 10 | 0 |
| 1 | 34 | 20 | 0 |
------------------------------------------------------------------
So, in this case the optimal concurrency would be 4 since it
allows to run two CIs simultaneously (20 tasks on board) and get
results in 34 minutes for both. In other words, two people could
trigger CI from PR and don't wait for each other.
New Azure IPA tests workflow:
+ 1) generate-matrix.py script generates JSON from user's YAML [0]
2) Azure generate jobs using Matrix strategy
3) each job is run in parallel (up to 10) within its own VM (Ubuntu-18.04):
a) downloads prepared Docker container image (artifact) from Azure cloud
(built on Build Job) and loads the received image into local pool
+ b) GNU 'parallel' launch each IPA environment in parallel:
+ 1) docker-compose creates the Docker environment having a required number
of replicas and/or clients
+ 2) setup_containers.py script does the needed container's changes (DNS,
SSH, etc.)
+ 3) launch IPA tests on tests' controller
c) publish tests results in JUnit format to provide a comprehensive test
reporting and analytics experience via Azure WebUI [1]
d) publish regular system logs as artifacts
[0]: https://docs.microsoft.com/en-us/azure/devops/pipelines/process/phases?view=azure-devops&tabs=yaml
Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3fff8675 by Stanislav Levin at 2020-02-26T13:07:55+02:00
pylint: Run Pylint over Azure Python scripts
> Pylint is a tool that checks for errors in Python code, tries to enforce a
> coding standard and looks for code smells. It can also look for certain type
> errors, it can recommend suggestions about how particular blocks can be
> refactored and can offer you details about the code's complexity..
Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
0fbdb135 by Stanislav Levin at 2020-02-26T13:07:55+02:00
Azure: Sync Gating definitions to current PR-CI
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4e6e0c88 by Stanislav Levin at 2020-02-26T13:07:55+02:00
Azure: Preliminary check for provided limits
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4b2cdeef by Stanislav Levin at 2020-02-26T13:07:55+02:00
Azure: Free Docker resources after usage
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ec21ecc5 by Stanislav Levin at 2020-02-26T13:07:55+02:00
Azure: Skip tests requiring external DNS
An external DNS is not supported yet, but it could be easily
implemented by adding another container with simple DNS server.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
1fe5c04c by Stanislav Levin at 2020-02-26T13:07:55+02:00
Azure: Rebalance tests
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
8fd1eacf by Stanislav Levin at 2020-02-26T13:07:55+02:00
Azure: Report elapsed time
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
12d6864b by Rob Crittenden at 2020-02-26T15:34:34-05:00
Fix div-by-zero when svc weight is 0 for all masters in location
The relative service weight output tries to show the relative
chance that any given master in a locaiton will be picked. This
didn't account for all masters having a weight of 0 which would
result in a divide-by-zero error.
Implement the following rules:
1. If all masters have weight == 0 then all are equally
weighted.
2. If any masters have weight == 0 then they have an
extremely small chance of being chosen, percentage is
0.1.
3. Otherwise it's percentage change is based on the sum of
the weights of non-zero masters.
https://pagure.io/freeipa/issue/8135
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c1660a4c by Armando Neto at 2020-03-01T15:24:43-03:00
prci: update fedora used for testing ipa-4-8
* Add nightly definitions to test with latest and previous versions of
Fedora (30 and 31)
* Update gating and temp_commit to use the latest Fedora (31)
* Update templates used to include updated packages
Boxes used:
* https://app.vagrantup.com/freeipa/boxes/ci-ipa-4-8-f31/versions/0.0.3
* https://app.vagrantup.com/freeipa/boxes/ci-ipa-4-8-f30/versions/0.0.4
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3fbbd02b by Mohammad Rizwan Yusuf at 2020-03-03T13:59:17-05:00
Test if server installer lock Bind9 recursion
This test is to check if recursion can be configured.
It checks if newly added file /etc/named/ipa-ext.conf
exists and /etc/named.conf should not have
'allow-recursion { any; };'. It also checks if ipa-backup
command backup the /etc/named/ipa-ext.conf file as well
related : https://pagure.io/freeipa/issue/8079
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
dcdcbe37 by Anuja More at 2020-03-04T13:11:26+02:00
ipatests: Added test when 2FA prompting configurations is set.
Related : https://pagure.io/SSSD/sssd/issue/3264
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
66154f8b by Florence Blanc-Renaud at 2020-03-06T08:34:10+02:00
Privilege: add a helper checking if a principal has a given privilege
server_conncheck is ensuring that the caller has the expected privilege.
Move the code to a common place in ipaserver/plugins/privilege.py
Related: https://pagure.io/freeipa/issue/7600
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
5edc674e by Florence Blanc-Renaud at 2020-03-06T08:34:10+02:00
ipa-adtrust-install: run remote configuration for new agents
When ipa-adtrust-install is run, the tool detects masters that are
not enabled as trust agents and propose to configure them. With the
current code, the Schema Compat plugin is not enabled on these new
trust agents and a manual restart of LDAP server + SSSD is required.
With this commit, ipa-adtrust-install now calls remote code on the new
agents through JSON RPC api, in order to configure the missing parts.
On the remote agent, the command is using DBus and oddjob to launch
a new command,
/usr/libexec/ipa/oddjob/org.freeipa.server.trust-enable-agent [--enable-compat]
This command configures the Schema Compat plugin if --enable-compat is
provided, then restarts LDAP server and SSSD.
If the remote agent is an older version and does not support remote
enablement, or if the remote server is not responding, the tool
ipa-adtrust-install prints a WARNING explaining the steps that need
to be manually executed in order to complete the installation, and
exits successfully (keeping the current behavior).
Fixes: https://pagure.io/freeipa/issue/7600
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
4afd6e5e by Florence Blanc-Renaud at 2020-03-06T08:34:10+02:00
ipatests: add test for ipa-adtrust-install --add-agents
Add tests checking the behavior of ipa-adtrust-install when
adding trust agents:
- try calling the remote method trust_enable_agent with
a principal missing the required privilege.
- try adding a trust agent when the remote node is stopped.
The installer must detect that he's not able to run the remote
commands and print a WARNING.
- try adding a trust agent when the remote node is running.
The WARNING must not be printed as the remote configuration is done.
- try adding a trust agent with --enable-compat.
The WARNING must not be printed and the Schema Compatibility plugin
must be enabled (the entries
cn=users/groups,cn=Schema Compatibility,cn=plugins,cn=config
must contain a new attribute schema-compat-lookup-nsswitch
(=user/group).
Thanks to sorlov for the nightly test definitions and new test.
Related: https://pagure.io/freeipa/issue/7600
Co-authored-by: Sergey Orlov <sorlov at redhat.com>
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
4ca10099 by Vit Mojzis at 2020-03-06T08:35:33+02:00
Add freeipa-selinux subpackage
Add freeipa-selinux subpackage containing selinux policy for FreeIPA
server. This policy module will override the distribution policy.
Policy files where extracted from
https://github.com/fedora-selinux/selinux-policy
See Independent policy project guidelines for more details about
shipping custom SELinux policy.
https://fedoraproject.org/wiki/SELinux/IndependentPolicy
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
18ce2033 by Christian Heimes at 2020-03-06T08:35:33+02:00
Integrate SELinux policy into build system
Hook up the new policy to autoconf and automake.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
bb6a5a5d by Vit Mojzis at 2020-03-06T08:35:33+02:00
selinux: move BUILD_SELINUX_POLICY definition
BUILD_SELINUX_POLICY needs to be defined outside of ENABLE_SERVER
conditional block.
Fixes:
\# ./configure --disable-server
...
configure: error: conditional "BUILD_SELINUX_POLICY" was never defined.
Usually this means the macro was only invoked conditionally.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
96565414 by Vit Mojzis at 2020-03-06T08:35:33+02:00
selinux: Remove obsolete memcached access
Drop memcached_stream_connect access since memcached is no longer used.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
c444f7a3 by Florence Blanc-Renaud at 2020-03-06T08:37:32+02:00
ipatests: fix TestSubCAkeyReplication
The test is using the output of openssl to compare the SubCA issuer name
with the expected value.
Depending on the version of openssl, the issuer can be displayed
differently (with/without space around the = character). On RHEL 7.x,
there is no space by default while on Fedora the space is used.
Calling openssl with -nameopt space_eq forces a consistent output, always
adding space around =.
Reviewed-By: Sudhir Menon <sumenon at redhat.com>
- - - - -
9cb89841 by Sergey Orlov at 2020-03-10T17:41:38+01:00
ipatests: update docstring to reflect changes in FileBackup.restore()
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
5ff9b6e2 by Sergey Orlov at 2020-03-10T17:41:38+01:00
ipatests: replace utility for editing sssd.conf
There are three patterns for editing sssd.conf in tests now:
1. using modify_sssd_conf() which allows to modify only domain sections
2. using remote_ini_file
3. direct file editing using `sed`
This patch introduces new utility function which combines advantages of
first two approaches:
* changes are verified against schema, so that mistakes can be spotted
early
* has convenient interface for simple options modification,
both in domain and service sections
* allows sophisticated modifications through SSSDConfig object
Fixes: https://pagure.io/freeipa/issue/8219
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
32584ed3 by Sergey Orlov at 2020-03-10T17:41:38+01:00
ipatests: use remote_sssd_config to modify sssd.conf
Replace usage of remote_ini_file with remote_sssd_config.
The latter verifies changes against schema which helps to spot the mistakes.
Related to: https://pagure.io/freeipa/issue/8219
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a1695722 by Sergey Orlov at 2020-03-10T17:41:38+01:00
ipatests: remove invalid parameter from sssd.conf
`use_fully_qualified_names` is not a valid parameter for `[sssd]` section
of sssd.conf, it can be specified only in domain section.
According to `man sssd.conf` it simply requires all requests to be fully
qualified, otherwise no result will be found. It is irrelevant to the
test scenario, so removing it.
Related to: https://pagure.io/freeipa/issue/8219
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
21c923c4 by Florence Blanc-Renaud at 2020-03-11T09:36:15+01:00
ipa-adtrust-install: remote command fails if ipa-server-trust-ad pkg missing
When the command ipa-adtrust-install --add-agents is run, it executes
remotely the command trust_enable_agent. This command does not require
the package ipa-server-trust-ad to be installed on the remote node, but
fails if it's not the case because dbus is not imported.
Need to move the "import dbus" outside of the try/except related to
dcerpc import.
Related: https://pagure.io/freeipa/issue/7600
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
df0df14b by Florence Blanc-Renaud at 2020-03-11T09:36:15+01:00
selinux policy: add the right context for org.freeipa.server.trust-enable-agent
This commit sets the system_u:object_r:ipa_helper_exec_t:s0 context to the
oddjob script org.freeipa.server.trust-enable-agent.
Without this context, oddjob cannot launch the command
/usr/libexec/ipa/oddjob/org.freeipa.server.trust-enable-agent
when ipa-adtrust-install --add-agents is run with SElinux enforcing.
Related: https://pagure.io/freeipa/issue/7600
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
1deb1010 by Alexander Bokovoy at 2020-03-12T07:50:13+01:00
Tighten permissions on PKI proxy configuration
As we need to store credentials for AJP protocol comminucation,
ensure only root can read the configuration file.
Related: https://pagure.io/freeipa/issue/8221
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d4d8b98c by Alexander Bokovoy at 2020-03-12T07:50:13+01:00
Secure AJP connector between Dogtag and Apache proxy
AJP implementation in Tomcat is vulnerable to CVE-2020-1938 if used
without shared secret. Set up a shared secret between localhost
connector and Apache mod_proxy_ajp pass-through.
For existing secured AJP pass-through make sure the option used for
configuration on the tomcat side is up to date. Tomcat 9.0.31.0
deprecated 'requiredSecret' option name in favor of 'secret'. Details
can be found at https://tomcat.apache.org/migration-9.html#Upgrading_9.0.x
Fixes: https://pagure.io/freeipa/issue/8221
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
5d8d9198 by Mohammad Rizwan Yusuf at 2020-03-12T07:56:42+01:00
Move wait_for_request() method to tasks.py
Moved the method so that it can be used by other modules too
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
937fb1d9 by Mohammad Rizwan Yusuf at 2020-03-12T07:56:42+01:00
Test if getcert creates cacert file with -F option
It took longer to create the cacert file in older version.
restarting the certmonger service creates the file at the location
specified by -F option. This fix is to check that cacert file
creates immediately after certificate goes into MONITORING state.
related: https://pagure.io/freeipa/issue/8105
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
87e0d82d by Christian Heimes at 2020-03-12T10:00:35+01:00
Cleanup SELinux policy
* Remove FC for /usr/libexec/ipa/com.redhat.idm.trust-fetch-domains. The
file has been moved to oddjobs/ subdirectory a long time ago.
* Simplify FC for oddjob scripts. All com.redhat.idm.* and org.freeipa.*
scripts are labeled as ipa_helper_exec_t.
* use miscfiles_read_generic_certs() instead of deprecated
miscfiles_read_certs() to address the warning:
```
Warning: miscfiles_read_certs() has been deprecated, please use miscfiles_read_generic_certs() instead.
```
(Also add org.freeipa.server.trust-enable-agent to .gitignore)
Related: https://pagure.io/freeipa/issue/6891
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
59bd2fec by sumenon at 2020-03-12T23:17:33-04:00
ipatests: check that ipa-healthcheck warns if no dna range is set
Added testcase to verify that ipa-healthcheck tool displays a
warning if no DNS range is set. It previously just reported at the
SUCCESS level that no range was set.
Issue: freeipa/freeipa-healthcheck#60
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
f36b8697 by Rob Crittenden at 2020-03-12T23:17:33-04:00
Move execution of ipa-healthcheck to a separate function
This removes a lot of duplication and simplifies the test
code.
It returns the command returncode and the JSON data (if any)
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
23993f58 by Florence Blanc-Renaud at 2020-03-13T07:42:51+01:00
Support opendnssec 2.1.6
The installation of IPA DNS server is using ods-ksmutil, but
openddnssec 2.1.6 does not ship any more /usr/bin/ods-ksmutil. The tool
is replaced by /usr/sbin/ods-enforcer and /usr/sbin/ods-enforcer-db-setup..
The master branch currently supports fedora 30+, but fedora 30 and 31 are
still shipping opendnssec 1.4 while fedora 32+ is shipping opendnssec 2.1.6.
Because of this, the code needs to check at run-time if the ods-ksmutil
command is available. If the file is missing, the code falls back to
the new ods-enforcer and ods-enforcer-db-setup commands.
This commit defines paths.ODS_ENFORCER and paths.ODS_ENFORCER_DB_SETUP
for all platforms, but the commands are used only if ods-ksmutil is not found.
Fixes: https://pagure.io/freeipa/issue/8214
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
5716c3b7 by Florence Blanc-Renaud at 2020-03-13T07:42:51+01:00
Remove the <Interval> from opendnssec conf
In opendnssec 2.1.6, the <Interval> element is not supported in the
configuration file.
Related: https://pagure.io/freeipa/issue/8214
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6cb3b11a by Florence Blanc-Renaud at 2020-03-13T07:42:51+01:00
With opendnssec 2, read the zone list from file
With OpenDNSSEC 1.4, the code was using the command
$ ods-ksmutil zonelist export
which printed the zonelist as XML in its output.
With OpenDNSSEC 2, the code is using the command
$ ods-enforcer zonelist export
which prints a message instead:
"Exported zonelist to /etc/opendnssec/zonelist.xml successfully"
The code needs to extract the zonelist file name and read the XML
from the file.
Related: https://pagure.io/freeipa/issue/8214
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
fc4ccfa5 by Florence Blanc-Renaud at 2020-03-13T07:42:51+01:00
Support OpenDNSSEC 2.1: new ods-signer protocol
The communication between ods-signer and the socket-activated process
has changed with OpenDNSSEC 2.1. Adapt ipa-ods-exporter to support also
the new protocol.
The internal database was also modified. Add a wrapper calling the
right code (table names hab=ve changed, as well as table columns).
With OpenDNSSEC the policy also needs to be explicitely loaded after
ods-enforcer-db-setup has been run, with
ods-enforcer policy import
The command ods-ksmutil notify must be replace with ods-enforce flush.
Related: https://pagure.io/freeipa/issue/8214
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
598c55cc by Florence Blanc-Renaud at 2020-03-13T07:42:51+01:00
DnsSecMaster migration: move the call to zonelist export later
When migrating the DNSSec Master to a replica, the setup of
opendnssec is re-using the database and needs to call zonelist
export.
With opendnssec 1.4 this call is done with ods-ksmutil while
opendnssec 2.1 uses ods-enforcer that communicates with
odsenforcerd that is not started yet.
Move the call after ods-enforcerd is started.
Related: https://pagure.io/freeipa/issue/8214
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
799ebc8b by Florence Blanc-Renaud at 2020-03-13T07:42:51+01:00
opendnssec2.1 support: move all ods tasks to specific file
Move all the routines run_ods* from tasks to _ods14 or _ods21 module
Related: https://pagure.io/freeipa/issue/8214
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
1d416a5a by Sergey Orlov at 2020-03-13T11:22:26+01:00
ipatests: provide docstrings instead of imporperly placed comments
Related to: https://bugzilla.redhat.com/show_bug.cgi?id=1685581
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
40fd96f2 by Sergey Orlov at 2020-03-13T11:22:26+01:00
ipatests: add test for SSSD updating expired cache items
New test checks that sssd updates expired cache values both for IPA
domain and trusted AD domain.
Related to: https://pagure.io/SSSD/sssd/issue/4012
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
8d6a609d by François Cami at 2020-03-16T09:29:45+01:00
ipa-restore: restart services at the end
When IPA was not installed on the restore target host, and
when httpd was already running, "ipactl stop" does not stop
httpd. "ipactl start" at the end of the restore tool will
therefore not restart httpd either.
Calling "ipactl restart" at the end of the restore fixes the
issue, and as an added bonus, makes sure IPA can restart itself
properly.
Fixes: https://pagure.io/freeipa/issue/8226
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
5df2f5d8 by Stanislav Levin at 2020-03-16T13:27:13+01:00
spec: Take the ownership over '/usr/libexec/ipa/custodia'
Ideally, an every file on system has to have an owner.
'/usr/libexec/ipa/custodia' directory was added recently, but:
```
[root at dc ~]# LANG=C rpm -qf /usr/libexec/ipa/custodia/ipa-custodia-dmldap
freeipa-server-4.8.4-2.fc31.x86_64
[root at dc ~]# LANG=C rpm -qf /usr/libexec/ipa/custodia
file /usr/libexec/ipa/custodia is not owned by any package
```
ALTLinux build system warns about files or directories which were
'created' during a package installation but haven't an owner. So,
after the resyncing spec file to upstream's one my build fails.
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e4a611ae by Christian Heimes at 2020-03-17T08:48:52+01:00
Allow hosts to read DNS records for IP SAN
For SAN IPAddress extension the cert plugin verifies that the IP address
matches the host entry. Certmonger uses the host principal to
authenticate and retrieve certificates. But the host principal did not
have permission to read DNS entries from LDAP.
Allow all hosts to read some entries from active DNS records.
Fixes: https://pagure.io/freeipa/issue/8098
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c3053e28 by Anuja More at 2020-03-17T10:58:24+02:00
ipatests: User and group with same name should not break reading AD user data.
Regression test resolving trusted users and groups should be
successful when there is a user in IPA with the
same name as a group name.
Related: https://pagure.io/SSSD/sssd/issue/4073
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
a9922639 by Anuja More at 2020-03-17T10:58:24+02:00
Mark test to skip sssd-2.2.2
Test test_ext_grp_with_ldap is marked as skip as
fix for https://pagure.io/SSSD/sssd/issue/4073
unavailable with sssd-2.2.2
Related: https://pagure.io/SSSD/sssd/issue/4073
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
b5989825 by Alexander Bokovoy at 2020-03-17T11:00:38+02:00
Add more contributor emails to the mailmap
- - - - -
1af95368 by Alexander Bokovoy at 2020-03-17T11:00:38+02:00
Add new contributors to the list
- - - - -
5f49e6d1 by Alexander Bokovoy at 2020-03-17T11:00:38+02:00
Become FreeIPA 4.8.5
- - - - -
30 changed files:
- + .copr/Makefile
- .gitignore
- .mailmap
- API.txt
- Contributors.txt
- Makefile.am
- VERSION.m4
- client/ipa-getkeytab.c
- client/ipa-join.c
- configure.ac
- daemons/dnssec/ipa-ods-exporter.in
- daemons/ipa-kdb/README
- daemons/ipa-kdb/ipa_kdb.c
- daemons/ipa-kdb/ipa_kdb.h
- daemons/ipa-kdb/ipa_kdb_audit_as.c
- daemons/ipa-kdb/ipa_kdb_certauth.c
- daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
- daemons/ipa-kdb/ipa_kdb_principals.c
- freeipa.spec.in
- install/certmonger/dogtag-ipa-ca-renew-agent-submit.in
- install/html/ssbrowser.html
- install/oddjob/Makefile.am
- install/oddjob/etc/oddjobd.conf.d/ipa-server.conf.in
- + install/oddjob/org.freeipa.server.trust-enable-agent.in
- install/share/dns.ldif
- install/share/ipa-pki-proxy.conf.template
- install/share/opendnssec_conf.template
- install/tools/ipa-adtrust-install.in
- install/tools/man/ipa-cacert-manage.1
- install/updates/40-dns.update
The diff was not included because it is too large.
View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/-/compare/83db8ab1754b52cd6143e0f01e520bbc9e9ff454...5f49e6d1aaab56f8dd72e991f16ff575b7f4c9ee
--
View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/-/compare/83db8ab1754b52cd6143e0f01e520bbc9e9ff454...5f49e6d1aaab56f8dd72e991f16ff575b7f4c9ee
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeipa-devel/attachments/20200317/e2c00b3b/attachment-0001.html>
More information about the Pkg-freeipa-devel
mailing list