[Pkg-freeipa-devel] [Git][freeipa-team/freeipa][master] 167 commits: VERSION: back to git snapshots
Timo Aaltonen
gitlab at salsa.debian.org
Fri Sep 25 08:12:55 BST 2020
Timo Aaltonen pushed to branch master at FreeIPA packaging / freeipa
Commits:
57034ce2 by Alexander Bokovoy at 2020-06-10T22:30:07+03:00
VERSION: back to git snapshots
- - - - -
7f19fda0 by Florence Blanc-Renaud at 2020-06-11T21:18:09+02:00
ipatests: fix the disable_dnssec_validation method
Bind configuration now includes 2 snippet config files, in
/etc/named/ipa-ext.conf and /etc/named/ipa-options-ext.conf
When a test needs to disable dnssec-validation, it needs to edit
the snippet ipa-options-ext.conf instead of /etc/named.conf.
This commit fixes the method tasks.disable_dnssec_validation so that it
correctly updates the snippet.
Fixes: https://pagure.io/freeipa/issue/8364
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
77fae8c4 by Christian Heimes at 2020-06-11T21:03:47-04:00
Move ipa-epn systemd files and run RPM hooks
The init/systemd directory is for server only and not part of
CLIENT_ONLY builds.
It's necessary to run pre/post installation hooks to make systemd aware
of new files.
Fixes: https://pagure.io/freeipa/issue/8367
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
32c4df70 by Florence Blanc-Renaud at 2020-06-13T13:27:48+02:00
ipa-replica-install: --setup-ca and *-cert-file are mutually exclusive
ipa-replica-install currently accepts both --setup-ca and *-cert-file
even though the options should be mutually exclusive (either install
CA-less with *-cert-file options or with a CA).
Add a check enforcing the options are mutually exclusive.
Fixes: https://pagure.io/freeipa/issue/8366
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
0e325bd0 by Florence Blanc-Renaud at 2020-06-13T13:27:48+02:00
ipatests: add a test for ipa-replica-install --setup-ca --http-cert-file
The options *-cert-file are used for a CA-less replica installation and
are mutually exclusive with --setup-ca.
Add a test for this use case.
Related: https://pagure.io/freeipa/issue/8366
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
930f4b3d by Christian Heimes at 2020-06-15T22:15:13+03:00
Prevent local account takeover
It was found that if an account with a name corresponding to
an account local to a system, such as 'root', was created via IPA, such
account could access any enrolled machine with that account, and the local
system privileges. This also bypasses the absence of explicit HBAC rules.
root principal alias
-------------------
The principal "root at REALM" is now a Kerberos principal alias for
"admin". This prevents users with "User Administrator" role or
"System: Add User" privilege from creating an account with "root" principal
name.
Modified user permissions
-------------------------
Several user permissions no longer apply to admin users and filter on
posixaccount object class. This prevents user managers from modifying admin
accounts.
- System: Manage User Certificates
- System: Manage User Principals
- System: Manage User SSH Public Keys
- System: Modify Users
- System: Remove Users
- System: Unlock user
``System: Unlock User`` is restricted because the permission also allows a
user manager to lock an admin account. ``System: Modify Users`` is restricted
to prevent user managers from changing login shell or notification channels
(mail, mobile) of admin accounts.
New user permission
-------------------
- System: Change Admin User password
The new permission allows manipulation of admin user password fields. By
default only the ``PassSync Service`` privilege is allowed to modify
admin user password fields.
Modified group permissions
--------------------------
Group permissions are now restricted as well. Group admins can no longer
modify the admins group and are limited to groups with object class
``ipausergroup``.
- System: Modify Groups
- System: Remove Groups
The permission ``System: Modify Group Membership`` was already limited.
Notes
-----
Admin users are mostly unaffected by the new restrictions, except for
the fact that admins can no longer change krbPrincipalAlias of another
admin or manipulate password fields directly. Commands like ``ipa passwd
otheradmin`` still work, though. The ACI ``Admin can manage any entry``
allows admins to modify other entries and most attributes.
Managed permissions don't install ``obj.permission_filter_objectclasses``
when ``ipapermtargetfilter`` is set. Group and user objects now have a
``permission_filter_objectclasses_string`` attribute that is used
by new target filters.
Misc changes
------------
Also add new exception AlreadyContainsValueError. BaseLDAPAddAttribute
was raising a generic base class for LDAP execution errors.
Fixes: https://pagure.io/freeipa/issue/8326
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1810160
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
71b8ecde by Alexander Bokovoy at 2020-06-15T22:27:40+03:00
Become FreeIPA 4.8.8
- - - - -
7ca6129f by Alexander Bokovoy at 2020-06-15T22:28:02+03:00
Get back to git snapshots
- - - - -
691b3cdd by Petr Vobornik at 2020-06-16T19:02:31-04:00
webui: hide user attributes for SMB services section if empty
This section should be hidden if user object hasn't ipantuserattrs
object class. I.e. when trusts are not enabled.
Web UI framework already supports hiding of sections if the
section contains no visible field. So to achieve it we simply need
to hide the fields. Given that attributelevelrights
contains rights only for attributes of current object classes, all
of these are regarded as not writable.
We can leverage feature of input_widget that it gets hidden
when the attribute is not writable and has no value and widget's
"hidden_if_empty" is set to true. Thus doing it here.
For this to work, it is also required to fix an issue with
"ipanthomedirectorydrive" which is optional (in API) but Web UI
doesn't offer "empty" ("") value. Adding it here.
fixes: https://pagure.io/freeipa/issue/8336
Signed-off-by: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
34b4d9bc by Mohammad Rizwan at 2020-06-16T19:03:49-04:00
ipatests: Test ipa user login with wrong password
When an ipa user logs in to a machine using a wrong password, it
should log a proper message in /var/log/secure
related: SSSD/sssd#5139
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
40804b5e by Mohammad Rizwan at 2020-06-16T19:03:49-04:00
Xfail test for sssd < 2.3.0
This fix is available in sssd 2.3.0+. On older version
test will fail. Hence added xfail.
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
3f89bd2c by Armando Neto at 2020-06-17T07:58:58+02:00
ipatests: bump prci templates
New images were necessary to include updated `selinux-policy` package.
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
60a58eac by Fraser Tweedale at 2020-06-17T10:08:54+02:00
fix cert-find errors in CA-less deployment
Under some search conditions (in particular, when user is
specified), the CA sub-search of cert-find command throws an error
on CA-less deployments. Do not execute the CA sub-search on CA-less
deployments.
Fixes: https://pagure.io/freeipa/issue/8369
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
a090b429 by Petr Vobornik at 2020-06-17T10:10:52+02:00
baseuser: fix ipanthomedirectorydrive option name
It should be ipanthomedirectorydrive and not ipanthomedirectoryrive.
This fixes showing the field in Web UI and also should fix CLI as it
probably never worked.
Signed-off-by: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
351f3061 by Christian Heimes at 2020-06-18T14:41:23+02:00
Build ipa-selinux package on RHEL 8
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
6de941ce by François Cami at 2020-06-19T08:37:48+02:00
.mailmap: add fcami
Add myself to .mailmap.
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
12850019 by Fraser Tweedale at 2020-06-23T11:21:27+10:00
fix iPAddress cert issuance for >1 host/service
The 'cert_request' command accumulates DNS names from the CSR,
before checking that all IP addresses in the CSR are reachable from
those DNS names. Before adding a DNS name to the set, we check that
it corresponds to the FQDN of a known host/service principal
(including principal aliases). When a DNS name maps to an
"alternative" principal (i.e. not the one given via the 'principal'
argument), this check was not being performed correctly.
Specifically, we were looking for the 'krbprincipalname' field on
the RPC response object directly, instead of its 'result' field.
To resolve the issue, dereference the RPC response to its 'result'
field before invoking the '_dns_name_matches_principal' subroutine.
Fixes: https://pagure.io/freeipa/issue/8368
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
5cefc6df by Christian Heimes at 2020-06-23T10:18:57+02:00
Use old uglifyjs on RHEL 8
RHEL 8 buildroot does not have python3-rjsmin yet. Fall back to
uglifyjs.
See: https://pagure.io/freeipa/issue/8300
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
be489835 by Alexander Scheel at 2020-06-23T10:21:37+02:00
Clarify AJP connector creation process
We do two things:
1. Fix the xpath for AJP connector verification. An AJP connector is
one which has protocol="AJP/1.3", NOT one that has port="8009". An
AJP connector can exist on any port and port 8009 can have any
protocol. Secrets only make sense on AJP connectors, so make the
xpath match the existing comment.
2. Add some background in-line documentation about AJP secret
provisioning. This should help future developers understand why this
was added to IPA and what limitations there are in what PKI or IPA
can do. Most notably, explain why Dogtag can't upgrade the AJP
connector to have a secret in the general case.
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
1e804bf1 by Alexander Scheel at 2020-06-23T10:21:37+02:00
Configure PKI AJP Secret with 256-bit secret
By default, PKI's AJP secret is generated as a 75-bit password. By
generating it in IPA, we can guarantee the strength of the AJP secret.
It makes sense to use a stronger AJP secret because it typically
isn't rotated; access to AJP allows an attacker to impersonate an admin
while talking to PKI.
Fixes: https://pagure.io/freeipa/issue/8372
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849146
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1845447
Related: https://github.com/dogtagpki/pki/pull/437
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
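
The two AJP commits above (be489835 and 1e804bf1) can be illustrated as follows. This is an added example, not code from FreeIPA or Dogtag: it selects AJP connectors by protocol rather than by port and gives any connector without a secret a 256-bit random value. The sample server.xml, the function names and the constructed secret value are assumptions; `secret` and `requiredSecret` are Tomcat's connector attributes.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed sample: port 8009 is deliberately NOT an AJP connector,
# and the AJP connectors live on other ports.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="HTTP/1.1"/>
    <Connector port="8019" protocol="AJP/1.3" address="localhost"/>
    <Connector port="8029" protocol="AJP/1.3" address="localhost"
               requiredSecret="constructed-existing-secret"/>
  </Service>
</Server>
"""

# Selecting by port finds whatever listens on 8009, AJP or not.
PORT_XPATH = ".//Connector[@port='8009']"
# Selecting by protocol finds every AJP connector, on any port.
AJP_XPATH = ".//Connector[@protocol='AJP/1.3']"

# Tomcat reads the AJP secret from `secret` (newer releases) or
# `requiredSecret` (older releases).
SECRET_ATTRS = ("secret", "requiredSecret")


def select_ports(xml_text, xpath):
    """Return the ports of the connectors matched by xpath."""
    root = ET.fromstring(xml_text)
    return [conn.get("port") for conn in root.findall(xpath)]


def new_ajp_secret():
    """32 random bytes from the OS CSPRNG = 256 bits, hex-encoded."""
    return secrets.token_hex(32)


def provision_ajp_secrets(xml_text, secret=None):
    """Set a secret on each AJP connector that has none.

    Connectors that already carry a secret are left untouched.
    Returns (updated_xml, ports_changed, secret_used).
    """
    root = ET.fromstring(xml_text)
    secret = secret or new_ajp_secret()
    changed = []
    for conn in root.findall(AJP_XPATH):
        if any(conn.get(attr) for attr in SECRET_ATTRS):
            continue
        conn.set("secret", secret)
        changed.append(conn.get("port"))
    return ET.tostring(root, encoding="unicode"), changed, secret


if __name__ == "__main__":
    print("by port    :", select_ports(SAMPLE_SERVER_XML, PORT_XPATH))
    print("by protocol:", select_ports(SAMPLE_SERVER_XML, AJP_XPATH))
    _, changed, secret = provision_ajp_secrets(SAMPLE_SERVER_XML)
    print("secret set on ports:", changed, "length:", len(secret))
```
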
- - - - -
b317222d by Florence Blanc-Renaud at 2020-06-23T14:52:22+02:00
ipa-client-install: use sshd drop-in configuration
sshd 8.2+ now supports the "Include" keyword in sshd_config and
ships by default /etc/ssh/sshd_config with
"Include /etc/ssh/sshd_config.d/*"
As fedora 32 provides a config file in that directory (05-redhat.conf) with
ChallengeResponseAuthentication no
that is conflicting with IPA client config, ipa-client-install now needs
to make its config changes in a drop-in file read before 05-redhat.conf
(the files are read in lexicographic order and the first setting wins).
There is no need to handle upgrades from sshd < 8.2: if openssh-server
detects a customisation in /etc/ssh/sshd_config, it will not update
the file but create /etc/ssh/sshd_config.rpmnew and ask the admin
to manually handle the config upgrade.
Fixes: https://pagure.io/freeipa/issue/8304
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3ea611c9 by Florence Blanc-Renaud at 2020-06-23T14:52:22+02:00
client install: fix broken sshd config
If ipa client was installed with openssh-server >= 8.2, the
configuration parameters for sshd were put in /etc/ssh/sshd_config
instead of in a snippet in /etc/ssh/sshd_config.d.
Upgrade to this new ipa version fixes the sshd conf by
moving the params to the snippet.
Related: https://pagure.io/freeipa/issue/8304
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
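
The ordering rule behind the two sshd commits above (b317222d and 3ea611c9), as an added example that is not FreeIPA's code: a small model of how sshd resolves a keyword when the main file includes a drop-in directory, with files read in lexicographic order and the first value winning. The drop-in names `04-example-ipa.conf` and `06-example-ipa.conf`, the IPA-side value `yes`, and the position of the Include line at the top of the main file are assumptions; `Match` blocks are not modelled.

```python
import fnmatch

MAIN = "/etc/ssh/sshd_config"
DROPIN_DIR = "/etc/ssh/sshd_config.d"

# Constructed file contents for the model.
MAIN_TEXT = "Include /etc/ssh/sshd_config.d/*\nUsePAM yes\n"
REDHAT_TEXT = "ChallengeResponseAuthentication no\n"
IPA_TEXT = "ChallengeResponseAuthentication yes\n"  # assumed IPA-side value


def effective_sshd_settings(main_path, files):
    """Resolve settings the way the commit message describes.

    files maps absolute path -> file text. Returns a dict of
    lower-cased keyword -> (value, path of the file that set it).
    """
    settings = {}

    def parse(path):
        for raw in files[path].splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            keyword = parts[0].lower()
            value = parts[1] if len(parts) > 1 else ""
            if keyword == "include":
                # Globbed files are processed in lexicographic order.
                for pattern in value.split():
                    for match in sorted(fnmatch.filter(files, pattern)):
                        parse(match)
            else:
                # First obtained value wins; later ones are ignored.
                settings.setdefault(keyword, (value, path))

    parse(main_path)
    return settings


def challenge_response(layout):
    """Return (value, source file) for three constructed layouts."""
    files = {MAIN: MAIN_TEXT, DROPIN_DIR + "/05-redhat.conf": REDHAT_TEXT}
    if layout == "dropin-before":
        files[DROPIN_DIR + "/04-example-ipa.conf"] = IPA_TEXT
    elif layout == "dropin-after":
        files[DROPIN_DIR + "/06-example-ipa.conf"] = IPA_TEXT
    elif layout == "main-file":
        # Settings appended to the main file, after the Include line.
        files[MAIN] = MAIN_TEXT + IPA_TEXT
    else:
        raise ValueError(layout)
    return effective_sshd_settings(MAIN, files)["challengeresponseauthentication"]


if __name__ == "__main__":
    for layout in ("dropin-before", "dropin-after", "main-file"):
        print(layout, "->", challenge_response(layout))
```

On a real host, `sshd -T` prints the effective configuration and is the way to confirm which value actually won.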
- - - - -
2c3bf183 by Peter Keresztes Schmidt at 2020-06-23T15:06:57+02:00
WebUI: move OTP to be the last field in the PW reset form
Since TOTPs have a limited validity, let the user enter
them as the last item in the form.
This reduces the chance of the TOTP getting invalid while
the user is still filling out other fields.
Related: https://pagure.io/freeipa/issue/5628
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
82475aab by Peter Keresztes Schmidt at 2020-06-23T15:06:57+02:00
WebUI: reword OTP info message displayed during PW reset
The message displayed before is now limited to the OTP
sync form, for which it was written originally.
A new message is introduced for the PW reset form,
which clarifies the usage of the OTP field.
Fixes: https://pagure.io/freeipa/issue/5628
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
0320de78 by Peter Keresztes Schmidt at 2020-06-23T15:06:57+02:00
Unify spelling of "One-Time Password"
Spelling is in accordance with the HOTP
RFC 4226 and TOTP RFC 6238.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
7473bd11 by Christian Heimes at 2020-06-24T18:28:17+02:00
RHEL 8.3 has KRB5 1.18 with KDB 8.0
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
73df4e1b by sumenon at 2020-06-24T18:31:08+02:00
ipatests: Tests to check ipahealthcheck tool with IPA-AD trust scenario
Tests for below checks are included
IPATrustDomainsCheck
IPATrustControllerConfCheck
IPAsidgenpluginCheck
IPATrustControllerServiceCheck
IPATrustAgentMemberCheck
IPATrustCatalogCheck
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
2e8cd60b by sumenon at 2020-06-24T18:31:08+02:00
Modified YAML to include healthcheck IPA-AD trust scenario
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
8c7f54d1 by Florence Blanc-Renaud at 2020-06-24T18:34:15+02:00
Unify spelling of "One-Time Password" (take 2)
The previous fix for the spelling of "One-Time Password"
missed a few lines.
Fixes: https://pagure.io/freeipa/issue/8381
Related: https://pagure.io/freeipa/issue/5628
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
437fc606 by Florence Blanc-Renaud at 2020-06-25T10:42:42+02:00
ipatests: fix the method adding ifp to sssd.conf
The test TestCertsInIDOverrides enables the ifp service in
sssd.conf by a sed command. If the service is already enabled,
the ifp service appears multiple times in the section
[sssd]
services = ..ifp...ifp
and sssd fails to start.
Use tasks.remote_sssd_config to properly configure the
services as this API properly handles the case when the
service is already configured.
Fixes: https://pagure.io/freeipa/issue/8371
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
- - - - -
23e2935e by François Cami at 2020-06-25T17:53:22+02:00
EPN: ship the configuration file.
Ship and install /etc/ipa/epn.conf.
Minor fixes to the associated man page.
Fixes: https://pagure.io/freeipa/issue/8374
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
3b43950d by François Cami at 2020-06-25T17:53:22+02:00
man pages: fix epn.conf.5 and ipa-epn.1 formatting
Fix formatting issues found with mandoc.
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
2648c218 by François Cami at 2020-06-25T17:53:22+02:00
ipatests: check that EPN's configuration file is installed.
Fixes: https://pagure.io/freeipa/issue/8374
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
06accac8 by François Cami at 2020-06-25T17:53:22+02:00
ipatests: ipa_epn: uninstall/reinstall ipa-client-epn
Due to https://github.com/freeipa/freeipa-pr-ci/issues/378
the installed version of freeipa-client-epn is not the built
one. Temporarily force uninstall/reinstall of this package
before running the test.
Fixes: https://pagure.io/freeipa/issue/8374
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
5820573d by Armando Neto at 2020-06-26T16:48:36-03:00
ipatests: bump prci templates
Remove all freeipa-* packages from template:
https://github.com/freeipa/freeipa-pr-ci/commit/bdd98c3b9dba2ce563535d0c91dad38b532441e8
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
ffe7f7b3 by Serhii Tsymbaliuk at 2020-06-29T12:12:07+03:00
WebUI: Fix "IPA Error 3007: RequirmentError" while adding idoverrideuser association
Add builder for association adder dialog which allows to override behavior of the component.
Replace default implementation with a custom one for idoverrideuser.
Replace text filter with 'ID view' select box in the idoverrideuser dialog.
Ticket: https://pagure.io/freeipa/issue/8335
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
7bfe6b26 by Fraser Tweedale at 2020-06-30T13:41:36+10:00
Define errors_by_code in ipalib.errors
The errors_by_code mapping could be used in more places. In
particular it will be useful in the Dogtag GSS-API authentication
effort. Move to ipalib.errors.
Part of: https://pagure.io/freeipa/issue/5011
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
494838e8 by Anuja More at 2020-06-30T11:49:09+02:00
ipatests: Test that trusted AD users should not lose their AD domains.
When AD user is added customized idview and UID, GID
is overridden. Then SSSD should not fail to retrieve
AD domain details.
Related: https://pagure.io/SSSD/sssd/issue/4173
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
- - - - -
022cd49e by Anuja More at 2020-06-30T11:49:09+02:00
ipatests: xfail test with older versions of sssd
Related to: https://pagure.io/SSSD/sssd/issue/4173
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
- - - - -
766a80c1 by François Cami at 2020-07-01T14:57:45+02:00
ipatests: increase test_caless_TestReplicaInstall timeout
test_caless_TestReplicaInstall timeout seems too short.
Extend it.
Fixes: https://pagure.io/freeipa/issue/8377
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
- - - - -
f76c56c6 by Zdenek Pytela at 2020-07-03T14:17:58+02:00
Allow ipa-adtrust-install restart sssd and dirsrv services
Allow ipa_helper_t connect to init using /run/systemd/private socket.
Allow ipa_helper_t read init process state.
Allow ipa_helper_t manage sssd and dirsrv units.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1820298
See: https://github.com/fedora-selinux/selinux-policy-contrib/pull/241
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
c72ef1ed by Christian Heimes at 2020-07-03T14:17:58+02:00
SELinux: Backport dirsrv_systemctl interface
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
388e793d by Florence Blanc-Renaud at 2020-07-03T14:17:58+02:00
Bump requires for selinux-policy
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1820298
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
c5abea23 by François Cami at 2020-07-03T14:26:59+02:00
ipatests: display SSSD kdcinfo in test_adtrust_install.py
The test test_adtrust_install.py::TestIpaAdTrustInstall::test_add_agent_not_allowed
sometimes fails at kinit in create_active_user:
```
kinit: Password has expired while getting initial credentials
```
krb5_strace shows that this happens when kinit changes servers
between password change and TGT requests.
Display SSSD's kdcinfo to see if kinit should be pinned to one
server.
Related-to: https://pagure.io/freeipa/issue/8353
Related-to: https://pagure.io/freeipa/issue/8271
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
42dd1628 by Alexander Bokovoy at 2020-07-06T12:32:13+03:00
selinux: allow oddjobd to set up ipa_helper_t context for execution
On Fedora 32+ and RHEL 8.3.0+ execution of ipa_helper_t context requires
SELinux policy permission to use 'noatsecure'. This comes most likely
from execve() setup by glibc.
Add SELinux interface ipa_helper_noatsecure() that can be called by
oddjob's SELinux policy definition.
In addition, if ipa_helper_t runs ipa-getkeytab, libkrb5 will attempt to
access SELinux configuration and produce AVC for that. Allow reading
general userspace SELinux configuration.
Fixes: https://pagure.io/freeipa/issue/8395
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
0d70addb by Alexander Bokovoy at 2020-07-06T12:32:13+03:00
selinux: support running ipa-custodia with PrivateTmp=yes
Related: https://pagure.io/freeipa/issue/8395
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
2afe21b8 by François Cami at 2020-07-06T16:56:02+02:00
ipatests: remove dnf workaround from test_epn.py
73c02f635 introduced a workaround to make sure the latest version
of (free)ipa-client-epn was installed.
Since cc624fb17 this should not be needed anymore.
Fixes: https://pagure.io/freeipa/issue/8391
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
42ad338c by Peter Keresztes Schmidt at 2020-07-06T19:09:13+03:00
WebUI: Fix rendering of boolean_status_formatter
With commit "WebUI: Apply jQuery patch to fix htmlPrefilter issue" (bc9f3e0557)
jQuery's handling of self-closing elements.
DOM before the above mentioned commit:
<div name="nsaccountlock"><i class="fa fa-check"></i> Enabled</div>
and after:
<div name="nsaccountlock"><i class="fa fa-check"> Enabled</i></div>
Explicitly closing the <i> element fixes the issue:
<div name="nsaccountlock"><i class="fa fa-check"></i> Enabled</div>
Fixes: https://pagure.io/freeipa/issue/8396
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d13a33da by Fraser Tweedale at 2020-07-07T12:11:08+10:00
cainstance.is_crlgen_enabled: handle missing ipa-pki-proxy.conf
A failed ipa-ca-install left my installation in an inconsistent
state. Then, 'ipa-server-install --uninstall' also failed when
is_crlgen_enabled() tried to read ipa-pki-proxy.conf, which was
missing.
Update is_crlgen_enabled() to handle missing ipa-pki-proxy.conf, by
raising InconsistentCRLGenConfigException instead of RuntimeError.
As a result, missing ipa-pki-proxy.conf is handled gracefully
because the calling code already catches
InconsistentCRLGenConfigException.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
cb5c094b by Anuja More at 2020-07-07T14:12:14+02:00
ipatests : Test to verify override_gid works with subdomain.
When override_gid is set in sssd.conf in IPA domain section
Then it should also work for subdomain.
Related: https://pagure.io/SSSD/sssd/issue/4061
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
460fea3c by Anuja More at 2020-07-07T14:12:14+02:00
ipatests: xfail test with older versions of sssd
Related to: https://pagure.io/SSSD/sssd/issue/4061
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
068646f0 by Anuja More at 2020-07-07T14:12:14+02:00
ipatests: cleanup in test_subdomain_lookup_with_certmaprule_containing_dn
As tests were failing <= fedora31
Thus removed certmap-rule in cleanup as
subdomain lookup fails when certmaprule contains DN.
Related: https://pagure.io/SSSD/sssd/issue/3721
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e334415f by Christian Heimes at 2020-07-07T10:10:53-04:00
Add __signature__ to plugins
Auto-generate inspect.Signature from plugin arguments and options. The
signature is used by (amongst others) pydoc / help.
```
$ ipa console
>>> help(api.Command.group_add)
Help on group_add in module ipaserver.plugins.group object:
class group_add(ipaserver.plugins.baseldap.LDAPCreate)
| group_add(cn: str, *, description: str = None, gidnumber: int = None, setattr: List[str] = None, addattr: List[str] = None, nonposix: bool, external: bool, all: bool, raw: bool, version: str = None, no_members: bool) -> Dict[str, Any]
```
Fixes: https://pagure.io/freeipa/issue/8388
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c21d3cf0 by Christian Heimes at 2020-07-07T10:10:53-04:00
Make tab completion in console more useful
tab completion and dir() now show registered plugins in API name spaces.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
9ded9e25 by Alexander Scheel at 2020-07-08T12:49:32+02:00
Specify cert_paths when calling PKIConnection
PKIConnection now defaults to specifying verify=True. We've introduced
a new parameter, cert_paths, to specify additional paths (directories or
files) to load as certificates. Specify the IPA CA certificate file so
we can guarantee connections succeed and validate the peer's certificate.
Point to IPA CA certificate during pkispawn
Bump pki_version to 10.9.0-0.4 (aka -b2)
Fixes: https://pagure.io/freeipa/issue/8379
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849155
Related: https://github.com/dogtagpki/pki/pull/443
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1426572
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
72d70fa2 by Fraser Tweedale at 2020-07-09T14:02:01+03:00
certupdate: only add LWCA tracking requests on CA servers
ipa-certupdate throws an exception when executed on a non-CA server
in a CA-ful deployment with lightweight sub-CAs (LWCAs). Check that
we are on a CA server before attempting to create Certmonger
tracking requests for LWCAs.
HOW TO TEST
1. Install first server (with CA)
2. Install replica without CA
3. Create sub-CA (`ipa ca-add`)
4. Run `ipa-certupdate` on replica. Observe that no stack trace is
produced.
Fixes: https://pagure.io/freeipa/issue/8399
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
668fdc63 by Florence Blanc-Renaud at 2020-07-09T15:51:21+02:00
sshd template must be part of client package
The sshd_ipa.conf.template must be shipped with the client pkgs
in /usr/share/ipa/client but is currently delivered in /usr/share/ipa.
Fix the file location.
Fixes: https://pagure.io/freeipa/issue/8400
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
92ef9d17 by Peter Keresztes Schmidt at 2020-07-09T14:23:54-04:00
Populate nshardwareplatform and nsosversion during join operation
Fixes: https://pagure.io/freeipa/issue/8370
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
5c44e233 by Armando Neto at 2020-07-10T10:11:02+02:00
ipatests: bump pr-ci templates
New template images for ci-ipa-4-8-f32 and ci-ipa-4-8-f31 with updated
packages.
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
aa54002c by Armando Neto at 2020-07-13T15:12:34+02:00
ipatests: bump pr-ci templates
New template images for ci-ipa-4-8-f32 and ci-ipa-4-8-f31 to include
latest certmonger package (`certmonger-0.79.11-2`).
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
4b8da1b7 by Jeremy Frasier at 2020-07-14T17:14:12-04:00
replica: Ensure the ipaapi user is allowed to access ifp on replicas
ipa-server-install executes ipa-client-install with the --on-master
flag set, which causes the ipaclient.install.client.sssd_enable_ifp()
function to be called. This function configures sssd so that the
ipaapi user is allowed to access ifp. Any FreeIPA replica should also
have sssd configured like this, but in that case we cannot simply pass
the --on-master flag to ipa-client-install because it has other side
effects. The solution is to call the
ipaclient.install.client.sssd_enable_ifp() function from inside the
ipaserver.install.server.replicainstall.promote_sssd() function.
https://pagure.io/freeipa/issue/8403
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
6de4b0fb by Jeremy Frasier at 2020-07-14T17:14:12-04:00
replica: Add tests to ensure the ipaapi user is allowed access to ifp on replicas
https://pagure.io/freeipa/issue/8403
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d83b760d by Christian Heimes at 2020-07-15T16:54:24+02:00
Add missing SELinux rule for ipa-custodia.sock
A SELinux rule for ipa_custodia_stream_connect(httpd_t) was not copied
from upstream rules. It breaks installations on systems that don't have
ipa_custodia_stream_connect in SELinux domain for apache, e.g. RHEL 8.3.
Fixes: https://pagure.io/freeipa/issue/8412
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
07d1b9d3 by sumenon at 2020-07-15T13:37:09-04:00
ipatests: Tests to check profile is displayed for getcert request.
test_getcert_list_profile
This test checks that the cert request generated using
getcert utility which is placed in /var/lib/certmonger/requests
directory displays profile name and issuer fields
test_getcert_list_profile_using_subca
This test checks that the cert request generated with -X as
subca and -T <profilename> displays correct profilename
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
- - - - -
9281133c by Michal Polovka at 2020-07-15T13:38:03-04:00
ipatests: test_epn: Fix package installation
EPN functionality is provided as a separate package
freeipa-client-epn, but it is not installed during setup. This resolves
this behaviour.
Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
8318b2b3 by Michal Polovka at 2020-07-15T13:44:40-04:00
ipatests: test_epn: test_EPN_config_file: Package name fix
Fix package name to respect different conventions in particular streams.
Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
abfe4bfe by Christian Heimes at 2020-07-20T08:33:40-04:00
Teach pylint how dnspython 2.x works
pylint does not understand pylint's
globals().update(RdataType.__members__) trick.
Fixes: https://pagure.io/freeipa/issue/8419
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ab36d79a by sumenon at 2020-07-21T14:39:38-04:00
ipatests: Test for ipa-nis-manage CLI tool.
The testcases added check the various options of ipa-nis-manage CLI
tool as below
1. ipa-nis-manage enable
2. ipa-nis-manage disable
3. Enabling NIS plugin with invalid admin password
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
7f205b89 by sumenon at 2020-07-21T14:41:16-04:00
ipatests: Increase timeout value in test_getcert_list_profile_using_subca
test_getcert_list_profile_using_subca test had a timeout value of 50
waiting for the cert to be in MONITORING state, this has now been
replaced with 300, since the certmonger request was in state SUBMITTING
instead of MONITORING causing the test to fail.
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
a52aa06e by sumenon at 2020-07-24T14:10:06-04:00
ipatests: Test to check IPACAChainExpirationCheck when IPA cacrt is renamed
This testcase checks that ERROR message is displayed
by IPACAChainExpirationCheck when ipa ca crt file is renamed.
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
- - - - -
02090533 by François Cami at 2020-07-24T14:11:04-04:00
ipatests: xfail TestIpaClientAutomountFileRestore's final test
Due to a change in authselect, rolling back the installation
does not produce the same nsswitch.conf as on a clean install.
Mark the test xfail until ipa-client-install is enhanced to
use authselect profile backup/restore.
Related: https://pagure.io/freeipa/issue/8189
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
819bcacb by Florence Blanc-Renaud at 2020-07-28T09:00:46+02:00
ipatests: fix TestUnprivilegedUserPermissions
A new test has been added to TestUnprivilegedUserPermissions that
duplicates the steps done in the precedent test. As the tests
are usually run sequentially, no need to duplicate.
Fixes: https://pagure.io/freeipa/issue/8413
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
- - - - -
3c53c703 by Florence Blanc-Renaud at 2020-07-28T09:00:46+02:00
ipatests: Fix TestReplicaPromotionLevel1
A new test was added to TestReplicaPromotionLevel1 but was run
after the replica uninstallation. As the new test checks
the content of /etc/sssd/sssd.conf on the replica, merge it with the
previous test, when the replica is still installed.
Fixes: https://pagure.io/freeipa/issue/8414
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
- - - - -
cc063619 by Rob Crittenden at 2020-07-29T06:09:36+02:00
Add fips-mode-setup to ipaplatform.paths to determine FIPS status
This will be used by freeipa-healthcheck to report FIPS config
status. It is added here to avoid duplicating platform independence
in a sister project.
https://pagure.io/freeipa/issue/8429
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
1502cb47 by Serhii Tsymbaliuk at 2020-07-29T17:11:10+02:00
WebUI: Fix issue with opening links in new tab/window
- fix table item links reference
- fix global menu links reference
- fix API browser side panel links
- fix tab links reference
Ticket: https://pagure.io/freeipa/issue/7137
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
a9e3e40f by Serhii Tsymbaliuk at 2020-07-29T17:11:10+02:00
WebUI tests: Change navigation tests to find menu items using data-name instead of href
Since menu pseudo-links were replaced with real ones, navigation tests must be changed to not use href
for searching items.
Ticket: https://pagure.io/freeipa/issue/7137
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
59ad3ae4 by François Cami at 2020-07-29T17:17:15+02:00
ipatests: re-enable test_sss_ssh_authorizedkeys
Re-enable test_sss_ssh_authorizedkeys.
Related: https://pagure.io/freeipa/issue/8151
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
cf6877a4 by François Cami at 2020-07-29T17:17:15+02:00
ipatests: test_sss_ssh_authorizedkeys
Add debug information to the ssh invocation.
Related: https://pagure.io/freeipa/issue/8151
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
64ef1a8e by François Cami at 2020-07-29T17:22:32+02:00
ipatests: test_commands: test_login_wrong_password: look farther in time
Sometimes test_login_wrong_password fails because the log window the
string message is searched in is too narrow.
Broaden the window by looking at the past 10 seconds.
Fixes: https://pagure.io/freeipa/issue/8432
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
66216e90 by Stanislav Levin at 2020-07-30T10:52:57+02:00
ipatests: Don't turn Pytest IPA deprecation warnings into errors
With new Pytest 6.0 [0]:
> PytestDeprecationWarning are now errors by default.
Following our plan to remove deprecated features with as little disruption as
possible, all warnings of type PytestDeprecationWarning now generate errors
instead of warning messages.
PytestWarnings are no longer marked as the part of public API, but as
internal warnings. It's unsafe to use bare PytestDeprecationWarning,
which is turned into the error on major releases.
[0]: https://github.com/pytest-dev/pytest/releases/tag/6.0.0
Fixes: https://pagure.io/freeipa/issue/8435
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
66a5a0ef by Rob Crittenden at 2020-07-30T13:00:52+02:00
Replace SSLCertVerificationError with CertificateError for py36
This exception was added in python 3.7. Use CertificateError
instead which is an alias and will work with older python releases.
https://bugzilla.redhat.com/show_bug.cgi?id=1858318
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
90ae22b8 by Christian Heimes at 2020-07-30T13:06:01+02:00
Allow to override ipaplatform with env var
The ipaplatform provider module can now be overridden by setting
IPAPLATFORM_OVERRIDE environment variable.
Fixes: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
61807788 by Christian Heimes at 2020-07-30T13:06:01+02:00
Add ipaplatform for Fedora and RHEL container
Container platforms for Fedora and RHEL simplify FreeIPA container
effort. Paths are based on patches from
https://github.com/freeipa/freeipa-container
Fixes: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
c3bf50b1 by Christian Heimes at 2020-07-30T13:06:01+02:00
Write state dir to smb.conf
smb.conf now sets state and cache directory, then includes the registry.
This also allows us to write the final smb.conf before importing
remaining settings into the Samba registry.
Fixes: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
305deb45 by Christian Heimes at 2020-07-30T13:06:01+02:00
Explicitly pass keytab to ipa-join
ipa-join defaults to /etc/krb5.keytab. Use ``-k paths.KRB5_KEYTAB`` to
write the keytab to /data share in containers.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
c68d14b6 by Christian Heimes at 2020-07-30T13:06:01+02:00
Convert ipa-httpd-pwdreader into Python script
and use paths from ipaplatform.
Fixes: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
06b33007 by sumenon at 2020-07-30T15:53:04+02:00
ipatests: Test IPACertNSSTrust check when trust attributes is modified for specific cert
This test modifies the trust attribute of Server-Cert
and checks that healthcheck tool reports correct status
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ca880cfb by Florence Blanc-Renaud at 2020-07-30T15:54:48+02:00
ipa-client-install: use the authselect backup during uninstall
When ipa-client-install is run on a system with no existing
authselect configuration (for instance a fedora 31 new install),
uninstallation is picking sssd profile but this may lead to
a configuration with differences compared to the pre-ipa-client
state.
Now that authselect provides an option to backup the existing
configuration prior to setting a profile, the client install
can save the backup name and uninstall is able to apply the
backup in order to go back to the pre-ipa-client state.
Fixes: https://pagure.io/freeipa/issue/8189
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
3eaab97e by Florence Blanc-Renaud at 2020-07-30T15:54:48+02:00
ipatests: remove the xfail for test_nfs.py
Related: https://pagure.io/freeipa/issue/8189
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
4baf6b29 by Florence Blanc-Renaud at 2020-07-30T15:54:48+02:00
ipatests: fix test_authselect
Before the code fix, install/uninstall on a config without
any authselect profile was not able to restore the exact
state but configured sssd profile instead.
Now that the code is doing a pre-install backup, uninstall
restores the exact state and the test needs to be updated
accordingly.
Related: https://pagure.io/freeipa/issue/8189
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
034526a4 by François Cami at 2020-07-30T18:02:19+02:00
tasks: add run_ssh_cmd
Paramiko is not compatible with FIPS.
A replacement is needed, and since what clients use is "ssh",
create a shim over it so that tests can leverage it.
Fixes: https://pagure.io/freeipa/issue/8129
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
326ddff2 by François Cami at 2020-07-30T18:02:19+02:00
ipatests: test_commands: test_ssh_key_connection: Paramiko=>OpenSSH
Paramiko is not compatible with FIPS.
Migrate test_ssh_key_connection to the OpenSSH CLI SSH(1).
Rationale: this is exactly what clients use.
Fixes: https://pagure.io/freeipa/issue/8129
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
26e58031 by François Cami at 2020-07-30T18:02:19+02:00
ipatests: test_user_permissions: test_selinux_user_optimized Paramiko=>OpenSSH
Paramiko is not compatible with FIPS.
Migrate test_selinux_user_optimized to the OpenSSH CLI SSH(1).
Rationale: this is exactly what clients use.
Fixes: https://pagure.io/freeipa/issue/8129
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
262a7121 by François Cami at 2020-07-30T18:02:19+02:00
ipatests: test_commands: test_ssh_from_controller: refactor
test_ssh_from_controller does not use methods provided by tasks.py.
Refactor using those methods.
Related: https://pagure.io/freeipa/issue/8129
Signed-off-by: François Cami <fcami at redhat.com>
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
ee57dd23 by François Cami at 2020-07-30T18:02:19+02:00
ipatests: test_commands: test_ssh_from_controller: Paramiko=>OpenSSH
Paramiko is not compatible with FIPS.
Migrate test_ssh_from_controller to the OpenSSH CLI SSH(1).
Rationale: this is exactly what clients use.
Fixes: https://pagure.io/freeipa/issue/8129
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
17759ec7 by François Cami at 2020-07-30T18:02:19+02:00
ipatests: test_commands: test_login_wrong_password: Paramiko=>OpenSSH
Paramiko is not compatible with FIPS.
Migrate test_login_wrong_password to the OpenSSH CLI SSH(1).
Rationale: this is exactly what clients use.
Fixes: https://pagure.io/freeipa/issue/8129
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
027d0bbe by François Cami at 2020-07-30T18:02:19+02:00
ipatests: ui_driver: convert run_cmd_on_ui_host to tasks.py::run_ssh_cmd
Paramiko is not compatible with FIPS.
Migrate run_cmd_on_ui_host to the OpenSSH CLI SSH(1) using
tasks.py's run_ssh_cmd.
Rationale: this is exactly what clients use.
Fixes: https://pagure.io/freeipa/issue/8129
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
b0d4db54 by François Cami at 2020-07-30T18:02:19+02:00
ipatests: test_otp: convert test_2fa_enable_single_prompt to run_ssh_cmd
Paramiko is not compatible with FIPS.
Migrate test_2fa_enable_single_prompt to the OpenSSH CLI SSH(1).
Rationale: this is exactly what clients use.
Also add a warning when test_2fa_disable_single_prompt is executed in FIPS mode.
Fixes: https://pagure.io/freeipa/issue/8129
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
3d3e8a4e by Rob Crittenden at 2020-07-30T18:09:12+02:00
ipatests: Test cases for healthcheck File checker(s)
These check for modified file ownership (user and group) and
too permissive and restrictive permissions across the three
types of files checked by the healthcheck FileCheck.
This replaces an existing test for TomcatFileCheck which adds
more functionality and consolidates all file checks together.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
- - - - -
f6c460ae by Serhii Tsymbaliuk at 2020-07-30T18:10:31+02:00
WebUI: Fix error "unknown command 'idoverrideuser_add_member'"
The wrong IPA.associator class was used for the 'Groups' -> 'User ID overrides' association;
as a result, a wrong command was sent to the server.
Ticket: https://pagure.io/freeipa/issue/8416
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e35739b7 by Serhii Tsymbaliuk at 2020-07-30T18:10:31+02:00
WebUI tests: Add test case to cover user ID override feature
The test case includes adding a user ID override to Default Trust View
and adding the ID override to some IPA group.
Ticket: https://pagure.io/freeipa/issue/8416
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
40fe3542 by Rob Crittenden at 2020-07-30T17:24:49-04:00
ipatests: Test that healthcheck detects and reports expiration
Set the date forward to while the certificates are still valid and
run healthcheck to confirm that an appropriate warning is made.
This validates two separate checks, one that relies on certmonger
to report expiration and one that relies on the data on disk to
determine expiration in case certmonger is out-of-date for some
reason (belt and suspenders).
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
bdd0c4a7 by Rob Crittenden at 2020-07-31T09:11:28+02:00
ipatests: verify that all services can be detected by healthcheck
Add fixture to handle restarting services so that if something
goes wrong in the test the service(s) will all be restarted
so that subsequent tests can pass. Services are restarted in
reverse order.
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
81949c2d by Rob Crittenden at 2020-07-31T09:13:08+02:00
ipatests: Add healthcheck test for FileSystemSpaceCheck
Create a large file in one of the checked filesystems beyond
the allowed threshold and ensure that both the minimum space
and minimum percent errors are reported.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
d0cdae48 by Rob Crittenden at 2020-07-31T17:40:22-04:00
ipatests: lib389 is now providing healthchecks, update naming
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
e91c7bcd by Rob Crittenden at 2020-07-31T17:40:22-04:00
ipatests: Use healthcheck namespacing in stopped server test
The test_run_with_stopped_master() test runs ipactl stop
and then verifies that all the errors relate to the services
not being available. The newly integrated PKI tests also
report errors in this case.
Use the namespacing introduced in freeipa-healthcheck-0.6
to limit the execution to the ipahealthcheck.meta checks
to avoid the spurious PKI errors.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
81c955e5 by Florence Blanc-Renaud at 2020-08-04T09:56:19+02:00
CAless installation: set the perms on KDC cert file
In CA less installation, the KDC certificate file does not have
the expected 644 permissions. As a consequence, WebUI login
fails.
The fix makes sure that the KDC cert file is saved with 644 perms.
Fixes: https://pagure.io/freeipa/issue/8440
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
295dd423 by Florence Blanc-Renaud at 2020-08-04T09:56:19+02:00
ipatests: check KDC cert permissions in CA less install
The KDC certificate file must be stored with 644 permissions.
Add a test checking the file permissions on server + replica.
Related: https://pagure.io/freeipa/issue/8440
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
55144ab6 by Florence Blanc-Renaud at 2020-08-04T10:06:01+02:00
ipatests: increase test_trust timeout
The integration test test_trust is often failing on timeout.
Add 30 minutes to increase the chances of completion.
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
0a83d820 by Mark Reynolds at 2020-08-04T14:39:54+03:00
Issue 8407 - Support changelog integration into main database
Description: Add support for both the old and new replication changelogs.
First try to get and update the new entry, if it's not found
then we know we need to update the old global changelog entry.
Fixes: https://pagure.io/freeipa/issue/8407
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Fix missing self, and missing arg
Fix copy/paste error
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2fa03c5f by Florence Blanc-Renaud at 2020-08-04T15:52:28-04:00
ipatests: fix test_ipahealthcheck.py::TestIpaHealthCheck
test_ipa_healthcheck_expiring is assuming that it's executed
on a KRA-less installation, but the test is executed after
test_ipa_healthcheck_no_errors that configures the KRA.
With a KRA install, 12 certs are monitored instead of 9.
Fixes: https://pagure.io/freeipa/issue/8439
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
96aa09b9 by Alexander Bokovoy at 2020-08-04T15:53:12-04:00
extdom-extop: refactor tests to use unshare+chroot to override nss_files configuration
Unit tests for ipa-extdom-extop plugin use nss_files.so.2 module to test the
functionality instead of relying on SSSD API or nss_sss.so.2 module. The latter
two cannot be used in build environment.
nss_files.so.2 always tries to open /etc/passwd and /etc/group. In the past, we
overloaded 'fopen()' to change the path to the opened file but this stops working
after glibc consolidated file opening in nss_files with the code starting at
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=299210c1fa67e2dfb564475986fce11cd33db9ad,
this method is not usable anymore and builds against glibc 2.31.9000+ fail in
cmocka unit test execution in Rawhide.
Apply an alternative approach that uses a new user namespace to unshare the
test from its parent and chroot to the test data where expected /etc/passwd and
/etc/group are provided. This method works only on Linux, thus only run the
unit test on Linux.
In case unshare() or chroot() fail, we have to skip tests that use
nss_files.so.2.
Fixes: https://pagure.io/freeipa/issue/8437
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e4c753dc by Stanislav Levin at 2020-08-05T11:33:42+03:00
pylint: Fix warning and error
- fixed W0612(unused-variable)
- added missing dependency on python-yaml
Fixes: https://pagure.io/freeipa/issue/8442
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ea288b01 by Rob Crittenden at 2020-08-05T18:31:38-04:00
ipatests: Test healthcheck revocation checker
Revoke the Apache certificate and ensure that healthcheck properly
reports the problem.
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ec2b1462 by Sergey Orlov at 2020-08-05T21:39:32-04:00
Fix password file permission
Invalid permission makes file unreadable by owner if he is not root.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4a97145c by Rob Crittenden at 2020-08-06T10:10:50-04:00
Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations
It was previously being set to 0444 which triggered a warning
in freeipa-healthcheck.
Even root needs DAC_OVERRIDE capability to write to a 0o444 file
which may not be available in some environments.
https://pagure.io/freeipa/issue/8441
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
da2079ce by Rob Crittenden at 2020-08-06T10:10:50-04:00
ipatests: Check permissions of /etc/ipa/ca.crt new installations
It should be 0644 root:root for both CA-ful and CA-less installs.
https://pagure.io/freeipa/issue/8441
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6926131f by Christian Heimes at 2020-08-06T18:46:38+02:00
Don't configure authselect in containers
freeipa-container images come with authselect pre-configured. There is
no need to configure, migrate, or restore authselect. The --mkhomedir
option is not supported, too.
Related: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a55ccdb1 by Stanislav Levin at 2020-08-06T18:49:09+02:00
ipatests: Add compatibility against python-cryptography 3.0
The recently released python-cryptography 3.0 has backward incompatible
changes. One of them [0] breaks FreeIPA self-tests.
Note: this requires python-cryptography 2.7+.
[0] https://github.com/pyca/cryptography/commit/3b2102af549c1095d5478bb1243ee4cf76b9762b
Fixes: https://pagure.io/freeipa/issue/8428
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
1a477484 by Rob Crittenden at 2020-08-07T11:12:43+02:00
Simplify determining if an IPA server installation is complete
When asking the question "is my IPA server configured?" right now
we look at whether the installation backed up any files and set
any state. This isn't exactly precise.
Instead set a new state, installation, to True as soon as IPA
is restarted at the end of the installer.
On upgrades existing installations will automatically get this
state.
This relies on the fact that get_state returns None if no state
at all is set. This indicates that this "new" option isn't available
and when upgrading an existing installation we can assume the
install at least partly works.
The value is forced to False at the beginning of a fresh install
so if it fails, or is in a transient state like with an external
CA, we know that the installation is not complete.
https://pagure.io/freeipa/issue/8384
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
80a7e346 by Rob Crittenden at 2020-08-07T11:12:43+02:00
Simplify determining if IPA client configuration is complete
When asking the question "is my IPA client configured?" right now
we look at whether the installation backed up any files and
/etc/ipa/default.conf exists.
Instead set a new state, installation, to True as soon as the
client installation finishes.
Unlike the server there is no upgrade process for clients so this
isn't going to be all that useful for quite some time unless that
changes because upgrading an existing install won't set this
to True.
https://pagure.io/freeipa/issue/8384
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
ee755a58 by Rob Crittenden at 2020-08-07T11:12:43+02:00
Create a common place to retrieve facts about an IPA installation
This is common to both client and server. Start with whether the
client or server is configured.
https://pagure.io/freeipa/issue/8384
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
cb6c48b2 by Rob Crittenden at 2020-08-07T11:12:43+02:00
Don't use the has_files() to know if client/server is configured
Use the is_ipa_configure() and is_ipa_client_configured() utilities
instead which are much more robust.
https://pagure.io/freeipa/issue/8384
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
b9e4c686 by Rob Crittenden at 2020-08-07T11:12:43+02:00
Update check_client_configuration to use new client fact
check_client_configuration differs from is_ipa_client_configured
in that it raises an exception if not configured so is a nice
convenience in AdminTool scripts. Port it to call to
is_ipa_client_configured() instead of determining the install
state on its own.
https://pagure.io/freeipa/issue/8384
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
4454af4b by Rob Crittenden at 2020-08-07T11:12:43+02:00
Address legacy pylint issues in sysrestore.py
These were triggered because of the movement of sysrestore.py in
the tree
https://pagure.io/freeipa/issue/8384
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
b93f2a70 by Kaleemullah Siddiqui at 2020-08-07T12:40:23+02:00
Tests for fake_mname parameter setup
fake_mname can be set through dnsserver-mod's --soa-mname-override
option which was not doable through same parameter setup in
/etc/named.conf
https://bugzilla.redhat.com/show_bug.cgi?id=1488732
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
c89718a6 by Stanislav Levin at 2020-08-07T14:23:07-04:00
Azure: Switch to dockerhub provider
`registry.fedoraproject.org/f32/fedora-toolbox` image is used to build
packages on Azure Pipelines.
registry.fedoraproject.org experiences an availability problem and makes
FreeIPA CI unstable.
Fedora also distributes its official images on https://hub.docker.com/_/fedora.
`fedora:32` is already used by FreeIPA CI to build the image for tests.
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
50cf90f0 by Stanislav Levin at 2020-08-07T14:23:07-04:00
ipatests: Skip keyring tests on containerized platforms
The kernel keyrings are not namespaced yet.
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
9479a393 by François Cami at 2020-08-07T14:24:22-04:00
ipatests: tasks.py: fix ipa-epn invocation
tasks.py::ipa_epn would previously fail to invoke ipa-epn with
from_nbdays=0.
Related: https://pagure.io/freeipa/issue/8449
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
3b8fdd87 by François Cami at 2020-08-07T14:24:22-04:00
ipatests: test_epn: test_EPN_nbdays enhancements
Enhance test_EPN_nbdays so that it checks:
* that no emails get sent when using --dry-run
* that --from-nbdays implies --dry-run
* that --to-nbdays requires --from-nbdays
* illegal inputs for nbdays:
** from-nbdays > to-nbdays
** non-numerical input
** decimal input
Fixes: https://pagure.io/freeipa/issue/8449
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
508c5e5d by Christian Heimes at 2020-08-07T16:45:39-04:00
Treat container subplatforms like main platform
ipa-server-upgrade does not like platform mismatches. Upgrade from an
old container to recent container fails with error message:
```
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
("Unable to execute IPA upgrade: platform mismatch (expected 'fedora', current 'fedora_container')", 1)
```
Upgrade state now treats a container subplatform like its main platform.
``fedora_container`` is really a ``fedora`` platform with some paths
redirected to ``/data`` partition.
The patch also enhances debug logging for installer and upgrader.
Related: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a0518f7f by Peter Keresztes Schmidt at 2020-08-07T16:48:06-04:00
WebUI: Make object_class_evaluator evaluator compatible with batch responses
Use data adapter in evaluator to be able to deal with batch
RPC responses.
Related: https://pagure.io/freeipa/issue/8336
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
6f9c20ba by Peter Keresztes Schmidt at 2020-08-07T16:48:06-04:00
WebUI: Unify adapter property definition for state evaluators
Move adapter property definition to IPA.state_evaluator since it
is used by all evaluators
Related: https://pagure.io/freeipa/issue/8336
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
b95817e3 by François Cami at 2020-08-10T12:06:59+02:00
IPA-EPN: Use a helper to retrieve LDAP attributes from an entry
Allow for empty attributes.
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
8e810d8c by François Cami at 2020-08-10T12:06:59+02:00
IPA-EPN: fix configuration file typo
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
1b1dbcbe by Rob Crittenden at 2020-08-10T12:06:59+02:00
IPA-EPN: Test that users without givenname and/or mail are handled
The admin user does not have a givenname by default, allow for that.
Report errors for users without a default e-mail address.
Update the SHA256 hash with the typo fix.
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
c4bd1f17 by Florence Blanc-Renaud at 2020-08-10T13:41:27+02:00
ipatests: fix TestIpaHealthCheckWithoutDNS failure
TestIpaHealthCheckWithoutDNS is launched after
TestIpaHealthCheck::test_ipa_healthcheck_expiring that is playing with
the date. At the end of test_ipa_healthcheck_expiring, the date is
reset using systemctl start chronyd but the date may need time to adjust
and the subsequent tests may be launched with a system date set in the
future.
When this happens, dnf install fails because the certificate for
the package repo is seen as expired, and TestIpaHealthCheckWithoutDNS
fails.
In order to avoid this issue, reset the date to the value saved at the
beginning of the test.
Fixes: https://pagure.io/freeipa/issue/8447
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
3cf7fb10 by François Cami at 2020-08-10T11:52:07-04:00
ipatests: test_epn: add test_EPN_connection_refused
Add a test for EPN behavior when the configured SMTP does not
accept connections.
Fixes: https://pagure.io/freeipa/issue/8445
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
53f330b0 by François Cami at 2020-08-10T11:52:07-04:00
IPA-EPN: Fix SMTP connection error handling
Enhance error message when SMTP is down.
Fixes: https://pagure.io/freeipa/issue/8445
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
8e460c68 by Rob Crittenden at 2020-08-10T15:36:47-04:00
ipatests: CLI validation of ipa-healthcheck command
Test for illegal input values.
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
- - - - -
d6c42561 by Rob Crittenden at 2020-08-10T15:36:47-04:00
Added negative test case for --list-sources option
Negative test test_append_arguments_to_list_sources added
to --list-sources
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
- - - - -
b4266023 by François Cami at 2020-08-16T16:11:06-04:00
ipatests: test_epn: update error messages
Update error messages in the test.
Fixes: https://pagure.io/freeipa/issue/8449
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
2809084a by François Cami at 2020-08-16T16:11:06-04:00
IPA-EPN: enhance input validation
Enhance input validation:
* make sure --from-nbdays and --to-nbdays are integer
* make sure --from-nbdays < --to-nbdays
Fixes: https://pagure.io/freeipa/issue/8444
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
8f19233d by sumenon at 2020-08-17T09:59:24-04:00
ipatests: Tests for ipahealthcheck tool with IPA external
This testsuite checks whether the healthcheck tool reports
correct status in a scenario when IPA server is setup with
external self-signed CA. Below are the checks covered
IPACRLManagerCheck
IPACertmongerCA
IPAOpenSSLChainValidation
IPANSSChainValidation
IPARAAgent
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
- - - - -
4da4dd8d by sumenon at 2020-08-17T09:59:24-04:00
Modified YAML files to include healthcheck externalCA tests
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
- - - - -
dbf1d858 by Stanislav Levin at 2020-08-17T14:32:53-04:00
rpm-spec: Don't fail on missing /etc/ssh/ssh_config
openssh-clients is not a strict requirement of freeipa-client
package and if it's missing then this case should be handled in
post scriptlet of freeipa-client package. Otherwise, the remaining
part of that scriptlet will not be run at all.
Fixes: https://pagure.io/freeipa/issue/8459
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c2f8c84a by Mark Reynolds at 2020-08-17T14:35:05-04:00
Issue 8456 - Add new aci's for the new replication changelog entries
Description: We need a read and a write aci for the new changelog location,
which was moved from cn=changelog5,cn=config to
cn=changelog,cn=BACKEND,cn=ldbm database,cn=plugins,cn=config
The read aci allows the replica hostgroup entry to find and
read the changelog configuration, and the write allows the replica
to update the changelog with proper trimming settings.
Fixes: https://pagure.io/freeipa/issue/8456
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3919c9c8 by Florence Blanc-Renaud at 2020-08-18T11:18:38+02:00
ipatests: remove xfail from test_dnssec
The nightly test test_dnssec.py::TestInstallDNSSECFirst::test_chain_of_trust
used to fail because of https://github.com/rthalley/dnspython/issues/343,
but the issue has been fixed upstream and does not happen any more since
PRCI is using python3-dns-1.16.0-7.
Remove the xfail.
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
6f09f977 by Rob Crittenden at 2020-08-18T10:01:54-04:00
IPA-EPN: Test that EPN can be installed, uninstalled and re-installed
Verify that no cruft is left over that will prevent reinstallation
if it is uninstalled.
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
602f3f31 by Stanislav Levin at 2020-08-20T11:50:35+03:00
uninstall: Don't fail on missing /var/lib/samba
On some distros freeipa-server package may not depend on
`/var/lib/samba` directory. In this case an uninstallation of
ipaserver fails.
Fixes: https://pagure.io/freeipa/issue/8461
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
bba69960 by Stanislav Levin at 2020-08-20T11:50:35+03:00
uninstall: Clean up no longer used flag
The `_server_trust_ad_installed` was added as a flag which
indicates that `freeipa-server-trust-ad` package is installed.
Later, `ipaserver/install/adtrustinstance.py` module was moved out
into `freeipa-server` package and the import became unconditionally
successful.
Fixes: https://pagure.io/freeipa/issue/8461
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3084930e by Stanislav Levin at 2020-08-20T11:50:35+03:00
spec: Move ipa-cldap plugin out to freeipa-server-trust-ad package
This ns-slapd plugin is used as a CLDAP server which responds to
AD DCs with information about the IPA domain. So, logically it
belongs to freeipa-server-trust-ad package.
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
aac71798 by Rob Crittenden at 2020-08-20T11:52:34+03:00
Improve performance of ipa-server-guard
* Drop support for python 2
* Only import traceback and syslog when needed
* Only import ipaserver.install.certs when the lock is needed
* Only import ipautil when run is needed
For the unsupported operations case this improves performance by
95%
For the supported operations that don't require a lock the
improvement is about 50%.
For the supported operations that require a lock the improvement
is about 20%
When configuring a CA certmonger calls its helper with the
following operations:
IDENTIFY
FETCH-ROOTS
GET-SUPPORTED-TEMPLATES
GET-DEFAULT-TEMPLATE
GET-NEW-REQUEST-REQUIREMENTS
GET-RENEW-REQUEST-REQUIREMENTS
FETCH-SCEP-CA-CAPS
FETCH-SCEP-CA-CERTS
Only IDENTIFY, FETCH-ROOTS and GET-NEW-REQUEST-REQUIREMENTS are
supported by ipa-submit, along with the request options SUBMIT and
POLL.
Which means every time the IPA CA in certmonger is updated
eight calls to ipa-server-guard are made so the savings are
cumulative.
The savings when executing these eight operations is a 73% decrease
(.7 sec vs 2.5 sec).
https://pagure.io/freeipa/issue/8425
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
715ec234 by Rob Crittenden at 2020-08-20T11:53:56+03:00
ipatests: stop the CA during healthcheck expiration test
Time is moved during the test to ensure that ipa-healthcheck
finds expired certificates. It's possible that certmonger will also
wake up and renew the certificates before ipa-healthcheck can
execute so shut down the CA during the test.
https://pagure.io/freeipa/issue/8463
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
- - - - -
14f27d28 by Mark Reynolds at 2020-08-20T11:54:41+03:00
Increase replication changelog trimming to 30 days
A long time ago the DS team recommended that the changelog trimming interval be set to 7 days. However, more recently we tend to see more time skews on certain platforms, and issues where it appears changes were trimmed too early (which can break replication).
It would be better to set the trimming interval to 30 days. This still prevents the changelog from getting too large, and it should help with some of the other issues we are now seeing.
Fixes: https://pagure.io/freeipa/issue/8464
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
9b52ba60 by Mohammad Rizwan at 2020-08-20T11:56:01+03:00
ipatests: Test certmonger rekey command works fine
Certmonger's rekey command was throwing an error as
unrecognized command. Test is to check if it is working fine.
related: https://bugzilla.redhat.com/show_bug.cgi?id=1249165
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
8492ba16 by Alexander Bokovoy at 2020-08-20T13:10:25+03:00
Add alternative email to the mailmap for myself
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2c1fb997 by Alexander Bokovoy at 2020-08-20T13:10:25+03:00
ipa-4-8: update po/ipa.pot
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
26d82672 by Alexander Bokovoy at 2020-08-20T13:10:25+03:00
ipa-4-8: Add new contributors
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c409fc65 by Alexander Bokovoy at 2020-08-20T13:10:25+03:00
Become FreeIPA 4.8.9
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
530af23a by Timo Aaltonen at 2020-09-02T09:47:13+03:00
copyright: Fix duplicate-globbing-patterns lintian error.
- - - - -
b0fa9953 by Timo Aaltonen at 2020-09-02T11:06:01+03:00
releasing package freeipa version 4.8.8-2
- - - - -
9bb734a8 by Timo Aaltonen at 2020-09-14T14:40:04+03:00
control: Build freeipa-client-epn only where nodejs is available. (Closes: #970230)
- - - - -
54e61a22 by Timo Aaltonen at 2020-09-14T15:11:07+03:00
install: ipa-print-pac belongs to the server instead of -client-epn.
- - - - -
97c3d017 by Timo Aaltonen at 2020-09-17T12:23:43+03:00
Merge tag 'release-4-8-8' into m
Tagging FreeIPA 4.8.8
- - - - -
b84efa82 by Timo Aaltonen at 2020-09-17T12:23:49+03:00
Merge branch 'master' into m
- - - - -
0610bcd0 by Timo Aaltonen at 2020-09-17T12:24:48+03:00
bump the version
- - - - -
30 changed files:
- .gitignore
- .mailmap
- ACI.txt
- API.txt
- Contributors.txt
- VERSION.m4
- client/Makefile.am
- client/man/epn.conf.5
- client/man/ipa-epn.1
- client/share/Makefile.am
- + client/share/epn.conf
- install/share/expire_msg.template → client/share/expire_msg.template
- + client/share/sshd_ipa.conf.template
- + client/systemd/Makefile.am
- init/systemd/ipa-epn.service.in → client/systemd/ipa-epn.service.in
- init/systemd/ipa-epn.timer.in → client/systemd/ipa-epn.timer.in
- configure.ac
- daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
- daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c
- daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/group → daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/etc/group
- daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/passwd → daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/etc/passwd
- debian/changelog
- debian/control
- debian/control.common
- debian/copyright
- debian/freeipa-client-epn.install
- debian/freeipa-server.install
- freeipa.spec.in
- init/systemd/Makefile.am
- install/certmonger/ipa-server-guard.in
The diff was not included because it is too large.
View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/-/compare/30ec6c8e393697f97857a8dca0eb4a1dd11533c0...0610bcd0f3d3abccd2524ec9b659133d3ad698a4