[Pkg-freeipa-devel] [Git][freeipa-team/freeipa][master] 65 commits: pki-proxy: Don't rely on running apache until it's configured

Tue Mar 31 05:24:34 BST 2020

Timo Aaltonen pushed to branch master at FreeIPA packaging / freeipa

Commits:
24c6ea3c by Stanislav Levin at 2020-03-19T12:48:28+02:00
pki-proxy: Don't rely on running apache until it's configured

This partially restores the pre-ec73de969f state of `http_proxy`,
which fails to restart the apache service during master
installation. The failure happens because of apache is not
configured yet on 'pki-tomcatd' installation phase. The mentioned
code and proposed one relies on the installer which bootstraps the
master.

Fixes: https://pagure.io/freeipa/issue/8233
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
79058913 by Florence Blanc-Renaud at 2020-03-19T16:31:30+01:00
idviews: prevent applying to a master

Custom IDViews should not be applied to IPA master nodes. Add a
check enforcing this rule in idview_apply command.

Fixes: https://pagure.io/freeipa/issue/5662

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
c37a8462 by Florence Blanc-Renaud at 2020-03-19T16:31:30+01:00
xmlrpc tests: add a test for idview-apply on a master

Add a new XMLRPC test trying to apply an IDview:
- to a master
- to a hostgroup containing a master
The command must refuse to apply the IDview to a master node.

Related: https://pagure.io/freeipa/issue/5662

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
7d468792 by sumenon at 2020-03-20T11:05:23+01:00
ipatests: Added testcase to check logrotate is added for healthcheck tool

Issue: freeipa/freeipa-healthcheck#35

- - - - -
04cc0450 by Christian Heimes at 2020-03-21T07:31:22+02:00
Integrate ipa_custodia policy

ipa-custodia is an internal service for IPA. The upstream SELinux policy
has a separate module for ipa_custodia. Fold the current policy from
Fedora rawhide into ipa's SELinux policy.

Related: https://pagure.io/freeipa/issue/6891
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7d525ab4 by Christian Heimes at 2020-03-21T07:31:22+02:00
Move freeipa-selinux dependency to freeipa-common

The SELinux policy defines file contexts that are also used by clients,
e.g. /var/log/ipa/. Make freeipa-selinux a dependency of freeipa-common.

Related: https://pagure.io/freeipa/issue/6891
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
127b8d9c by Alexander Bokovoy at 2020-03-21T07:32:52+02:00
Prevent adding IPA objects as external members of external groups

The purpose of external groups in FreeIPA is to be able to reference
objects only existing in trusted domains. These members get resolved
through SSSD interfaces but there is nothing that prevents SSSD from
resolving any IPA user or group if they have security identifiers
associated.

Enforce a check that a SID returned by SSSD does not belong to IPA
domain and raise a validation error if this is the case. This would
prevent adding IPA users or groups as external members of an external
group.

RN: Command 'ipa group-add-member' allowed to specify any user or group
RN: for '--external' option. A stricter check is added to verify that
RN: a group or user to be added as an external member does not come
RN: from IPA domain.

Fixes: https://pagure.io/freeipa/issue/8236
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
ebb3c22d by Florence Blanc-Renaud at 2020-03-21T12:20:55+02:00
ipatests: wait for SSSD to become online in backup/restore tests

The backup/restore tests are calling 'id admin' after restore
to make sure that the user name can be resolved after a restore.
The test should wait for SSSD backend to become online before
doing any check, otherwise there is a risk that the call to
'id admin' fails.

Fixes: https://pagure.io/freeipa/issue/8228

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
7974ac9f by Rob Crittenden at 2020-03-23T09:17:06+01:00
Test that ipa-healthcheck human output translates error strings

The code rather than the string was being displayed in human
output for non-SUCCESS messages. Verify that in case of an error
the right output will be present.

https://bugzilla.redhat.com/show_bug.cgi?id=1752849

Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
0e9b020d by Sergey Orlov at 2020-03-24T12:25:01+01:00
ipatests: remove test_ordering

The test_integration/test_ordering.py is a test for pytest_sourceorder
plugin which is not part of freeipa project, it is not an integration test.

The up to date version of this test is available at project repository:
https://pagure.io/python-pytest-sourceorder/blob/master/f/test_sourceorder.py

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f99cfa14 by Vit Mojzis at 2020-03-24T13:33:08+01:00
selinux: disable ipa_custodia when installing custom policy

Since ipa_custodia got integrated into ipa policy package, the upstream policy
module needs to be disabled before ipa module installation (in order to be able
to make changes to the ipa_custodia policy definitions).
Upstream ipa module gets overridden automatically because of higher priority of
the custom module, but there is no mechanism to automatically disable
ipa_custodia.

Related: https://pagure.io/freeipa/issue/6891
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
42aa86fa by Christian Heimes at 2020-03-24T14:02:20+01:00
Add pytest OpenSSH transport with password

The pytest_multihost transport does not provide password-based
authentication for OpenSSH transport. The OpenSSH command line tool has
no API to pass in a password securely.

The patch implements a custom transport that uses sshpass hack. It is
not recommended for production but good enough for testing.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f1855dd5 by Serhii Tsymbaliuk at 2020-03-24T14:13:42+01:00
Web UI: Upgrade Bootstrap version 3.3.7 -> 3.4.1

Ticket: https://pagure.io/freeipa/issue/8239

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
210619a9 by Mohammad Rizwan Yusuf at 2020-03-24T15:44:54+01:00
Test if schema-compat-entry-attribute is set

This is to ensure if said entry is set after installation with AD.

related: https://pagure.io/freeipa/issue/8193

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>

- - - - -
3f3fa403 by Mohammad Rizwan Yusuf at 2020-03-24T15:44:54+01:00
Test if schema-compat-entry-attribute is set

This is to ensure if said entry is set after installation.
It also checks if compat tree is disable.

related: https://pagure.io/freeipa/issue/8193

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>

- - - - -
814b47e8 by Sergey Orlov at 2020-03-25T09:45:55+02:00
ipatests: provide AD admin password when trying to establish trust

`ipa trust-add --password` command requires that user provides a password..

Related to: https://pagure.io/freeipa/issue/7895

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
9ff7b4a4 by Alexander Bokovoy at 2020-03-25T09:49:28+02:00
Keep ipa.pot translation file in git for weblate

Weblate tool sends pull requests that update translations directly.
For this to work, we need to keep ipa.pot in the tree.

Fixes: https://pagure.io/freeipa/issue/8159
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
(cherry picked from commit 92e36258cee838a378729d06fc4134b5c4428f87)

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
831f4dd3 by Alexander Bokovoy at 2020-03-25T09:49:28+02:00
Update translation infrastructure

1. Build po/ipa.pot every time we update PO files (each build)

2. Drop any rebuilt PO changes if the only difference is in the
   translation file's header in a timestamp or timestamp+bug report
   link.

3. Only apply the logic for dropping the changes if we are operating on
   a git tree checkout because there is no otherwise an easy way to
   detect the changes.

4. Hook strip-po target to the cleanup target to allow dropping unneeded
   translation changes automatically.

5. Finally, strip ipaclient/remote_plugins/* locations from the ipa.pot
   template. This saves us around 23,000 lines from the ipa.pot file and
   reduces visual clutter in the translation files.

This approach allows to avoid unneccesary commits because even when
there are no changes to translation files, po/ipa.pot header would be
updated with a new translation update timestamp.

Fixes: https://pagure.io/freeipa/issue/8159
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
(cherry picked from commit b4722f3917d6c2a6849931e9c68896f83a0cc09b)

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
e23ba779 by Alexander Bokovoy at 2020-03-25T09:49:28+02:00
po: update ipa.pot template

Reviewed-By: Christian Heimes <cheimes at redhat.com>
(cherry picked from commit 3fc932a2a859898d718d850fbcd558a1e960e91f)

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
16d9556c by Alexander Bokovoy at 2020-03-25T09:49:28+02:00
po: update Bengali translation timestamp

Reviewed-By: Christian Heimes <cheimes at redhat.com>
(cherry picked from commit 0be22a6ae71a3261c9e9333a01dc028f55554924)

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
29e3ade0 by Alexander Bokovoy at 2020-03-25T09:49:28+02:00
po: update Catalan translation timestamp

Reviewed-By: Christian Heimes <cheimes at redhat.com>
(cherry picked from commit 6cd244da6be890e577bf381c6303363e2a6f237f)

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
c8ba436c by Alexander Bokovoy at 2020-03-25T09:49:28+02:00
po: update Czech translation timestamp

Reviewed-By: Christian Heimes <cheimes at redhat.com>
(cherry picked from commit 68cc049124f2acf66b4fdd4588e1fb25d50a9364)

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
0d053d8b by Alexander Bokovoy at 2020-03-25T09:49:28+02:00
po: update German translation

Several translated strings were splitted into smaller ones. The older
translation either is a duplicate of the new one or does not apply
anymore.

Reviewed-By: Christian Heimes <cheimes at redhat.com>
(cherry picked from commit 117893f03e4f26044e7b15053e336b8d42b4f180)

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
37a1e927 by Alexander Bokovoy at 2020-03-25T09:49:28+02:00
po: update English (United Kingdom) translation timestamp

Reviewed-By: Christian Heimes <cheimes at redhat.com>
(cherry picked from commit 439c488f04b857cfb83f779e450c34b93f7c38bb)

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
7af52df7 by Alexander Bokovoy at 2020-03-25T09:49:28+02:00
po: update Spanish translation