[Pkg-freeipa-devel] [Git][freeipa-team/freeipa][upstream] 1670 commits: Changing IPA master back to git snapshots

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Thu Jun 17 12:12:13 BST 2021



Timo Aaltonen pushed to branch upstream at FreeIPA packaging / freeipa


Commits:
21a5938a by Alexander Bokovoy at 2019-07-03T09:32:41+03:00
Changing IPA master back to git snapshots

- - - - -
56b1b5ac by Alexander Bokovoy at 2019-07-03T09:40:11+03:00
Set git master to 4.9.0

- - - - -
d2c92927 by Christian Heimes at 2019-07-04T10:43:51+02:00
Use nis-domainname.service on all RH platforms

RHEL 8 and Fedora >= 29 use "nis-domainname.service" as service name for
domainname service. Remove special code in ipaplatform.rhel and for Fedora
< 28. Only Fedora 29+ is supported by IPA 4.8.

Fixes: https://pagure.io/freeipa/issue/8004
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
0d15eb78 by Sergey Orlov at 2019-07-04T15:46:59+02:00
ipatests: add test for sudo with runAsUser and domain resolution order.

Running commands with sudo as specific user should succeed
when sudo rule has ipasudorunas field defined with value of that user
and domain-resolution-order is defined in ipa config.

Relates to https://pagure.io/SSSD/sssd/issue/3957

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
47406552 by Sergey Orlov at 2019-07-04T15:46:59+02:00
ipatests: mark test_domain_resolution_order as expectedly failing

SSSD fix have not yet landed in Fedora 29 and below.
Relates to https://pagure.io/SSSD/sssd/issue/3957

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
be7f54d4 by François Cami at 2019-07-08T17:30:24+02:00
ipatests/azure: display actual dnf repo URLs

Display which dnf repositories were available at the
prepare-build step via metalink.
Also display the fastestmirror cache.

Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
ac1ea0ec by Stanislav Levin at 2019-07-15T14:41:23+03:00
Fix `test_webui.test_selinuxusermap`

A previous refactoring of SELinux tests has have a wrong
assumption about the user field separator within
ipaSELinuxUserMapOrder. That was '$$', but should be just '$'.

Actually, '.ldif' and '.update' files are passed through
Python template string substitution:

> $$ is an escape; it is replaced with a single $.
> $identifier names a substitution placeholder matching
> a mapping key of "identifier"

This means that the text to be substituted on should not be escaped.
The wrong ipaSELinuxUserMapOrder previously set will be replaced on
upgrade.

Fixes: https://pagure.io/freeipa/issue/7996
Fixes: https://pagure.io/freeipa/issue/8005
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
843f57ab by Sergey Orlov at 2019-07-15T14:35:51+02:00
ipatests: new test for trust with partially unreachable AD topology

Establishing trust with partially unavailable AD hosts require usage
of --server option. The new test checks that both commands trust-add
and trust-fetch-domains properly use this option and also that
trust-add correctly passes the server value when imlicitly invoking
trust-fetch-domains.

Relates to: https://pagure.io/freeipa/issue/7895.

Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
ef39e1b0 by Florence Blanc-Renaud at 2019-07-15T17:08:21+03:00
upgrade: remove ipaCert and key from /etc/httpd/alias

With ipa 4.5+, the RA cert is stored in files in
/var/lib/ipa/ra-agent.{key|pem}. The upgrade code handles
the move from /etc/httpd/alias to the files but does not remove
the private key from /etc/httpd/alias.

The fix calls certutil -F -n ipaCert to remove cert and key,
instead of -D -n ipaCert which removes only the cert.

Fixes: https://pagure.io/freeipa/issue/7329
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
2312b38a by Stanislav Levin at 2019-07-16T13:23:21+03:00
Simplify ipa-run-tests script

This is a sort of rollback to the pre #93c158b05 state with
several improvements.

For now, the nodeids calculation by ipa-run-tests is not stable,
since it depends on current working directory. Nodeids (tests
addresses) are utilized by the other plugins, for example.

Unfortunately, the `pytest_load_initial_conftests` hook doesn't
correctly work with pytest internal paths, since it is called
after the calculation of rootdir was performed, for example.

Eventually, it's simpler to follow the default convention for
Python test discovery.

There is at least one drawback of new "old" implementation.
The ignore rules don't support globs, because pytest 4.3.0+
has the same facility via `--ignore-glob`:

> Add the `--ignore-glob` parameter to exclude test-modules with
> Unix shell-style wildcards. Add the collect_ignore_glob for
> conftest.py to exclude test-modules with Unix shell-style
> wildcards.

Upon switching to pytest4 it will be possible to utilize this.
Anyway, tests for checking current basic facilities of
ipa-run-tests were added.

Fixes: https://pagure.io/freeipa/issue/8007
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a2d4e2a6 by Stanislav Levin at 2019-07-16T13:23:21+03:00
Make use of Azure Pipeline slicing

The unit tests execution time within Azure Pipelines(AP) is not
balanced. One test job(Base) takes ~13min, while another(XMLRPC)
~28min. Fortunately, AP supports slicing:

> An agent job can be used to run a suite of tests in parallel. For
example, you can run a large suite of 1000 tests on a single agent.
Or, you can use two agents and run 500 tests on each one in parallel.
To leverage slicing, the tasks in the job should be smart enough to
understand the slice they belong to.

>The step that runs the tests in a job needs to know which test slice
should be run. The variables System.JobPositionInPhase and
System.TotalJobsInPhase can be used for this purpose.

Thus, to support this pytest should know how to split the test suite
into groups(slices). For this, a new internal pytest plugin was added.

About plugin.
- Tests within a slice are grouped by test modules because not all of
the tests within the module are independent from each other.
- Slices are balanced by the number of tests within test module.
- To run some module within its own environment there is a dedicated
slice option (could help with extremely slow tests)

Examples.
- To split `test_cmdline` tests into 2 slices and run the first one:

ipa-run-tests --slices=2 --slice-num=1 test_cmdline

- To split tests into 2 slices, then to move one module out to its own slice
and run the second one:

ipa-run-tests --slices=2 --slice-dedicated=test_cmdline/test_cli.py \
    --slice-num=2 test_cmdline

Fixes: https://pagure.io/freeipa/issue/8008
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c7500220 by Stanislav Levin at 2019-07-16T13:23:21+03:00
Avoid use of '/tmp' for pip operations

`ipa-run-tests` is not an entry_point script, so
pip during an installation of ipatests package checks
if the file path is executable. If not - just don't set
the executable permission bits.

pip's working directory defaults to /tmp/xxx.
Thus, if /tmp is mounted with noexec such scripts lose
their executable ability after an installation into
virtualenv. This was found on Travis +
freeipa/freeipa-test-runner:master-latest docker image.

Build directory of pip could be changed via env variable
PIP_BUILD, for example.

Fixes: https://pagure.io/freeipa/issue/8009
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
5530911f by Alexander Bokovoy at 2019-07-17T13:10:34+03:00
Fix rpmlint errors for Rawhide

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
d55c9b6d by Alexander Bokovoy at 2019-07-17T13:10:34+03:00
Use any nodejs version instead of forcing a version before nodejs 11

Fedora nodejs builds were fixed, we don't need to limit ourselves
anymore.

Also, make sure python3-pyyaml is installed because pylint in Fedora 31
detects its use in contribs/

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
0187a746 by Alexander Bokovoy at 2019-07-17T13:10:34+03:00
Use stage and phase attempt counters when saving test artifacts

Azure Pipelines provide counters for running test jobs, these split into
System.StageAttempt and System.PhaseAttempt. Use them to make test
artifacts unique.

For XML test results we don't need to name them differently as they
aren't uploaded as artifacts but rather presented in a separate test
pane.

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
5a83eea2 by Alexander Bokovoy at 2019-07-17T17:50:07+03:00
Add altSecurityIdentities attribute from MS-WSPP schema definition

Active Directory schema includes altSecurityIdentities attribute
which presents alternative security identities for a bindable object in
Active Directory.

FreeIPA doesn't currently use this attribute. However, SSSD certmap
library may generate searches referencing the attribute if it is
specified in the certificate mapping rule. Such search might be
considered unindexed in 389-ds.

Define altSecurityIdentities attribute to allow specifying indexing
rules for it.

Fixes: https://pagure.io/freeipa/issue/7932
Related: https://pagure.io/freeipa/issue/7933
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
72589959 by Alexander Bokovoy at 2019-07-17T17:50:07+03:00
Create indexes for altSecurityIdentities and ipaCertmapData attributes

During an investigation into filter optimisation in 389DS it was
discovered that two attributes of the certmap query are unindexed.
Due to the nature of LDAP filters, if any member of an OR query is
unindexed, the entire OR becomes unindexed.

This is then basically a full-table scan, which applies the filter test
to the contained members.

Fixes: https://pagure.io/freeipa/issue/7932
Fixes: https://pagure.io/freeipa/issue/7933
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
41ca4d48 by Alexander Bokovoy at 2019-07-17T17:50:07+03:00
certmap rules: altSecurityIdentities should only be used for trusted domains

IPA LDAP has no altSecurityIdentities in use, it only should apply to
identities in trusted Active Directory domains.

Add checks to enforce proper certmap rule attribution for specific
Active Directory domains.

Related: https://pagure.io/freeipa/issue/7932
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
95c2b34c by Alexander Bokovoy at 2019-07-17T17:50:07+03:00
certmaprule: add negative test for altSecurityIdentities

Try to create a certmap rule that mentiones altSecurityIdentities in its
mapping rule but uses IPA domain to apply to. It should fail with
ValidationError.

Related: https://pagure.io/freeipa/issue/7932
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
130e1dc3 by Fraser Tweedale at 2019-07-17T17:58:58+03:00
move MSCSTemplate classes to ipalib

As we expand the integration tests for external CA functionality, it
is helpful (and avoids duplication) to use the MSCSTemplate*
classes.  These currently live in ipaserver.install.cainstance, but
ipatests is no longer permitted to import from ipaserver (see commit
81714976e5e13131654c78eb734746a20237c933).  So move these classes to
ipalib.

Part of: https://pagure.io/freeipa/issue/7548

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
21a9a710 by Fraser Tweedale at 2019-07-17T17:58:58+03:00
install: fix --external-ca-profile option

Commit dd47cfc75a69618f486abefb70f2649ebf8264e7 removed the ability
to set pki_req_ext_oid and pki_req_ext_data in the pkispawn config.
This results in the --external-ca-profile option never setting the
requested values in the CSR (the default V1 template type specifying
"SubCA" is always used).

Remove relevant fields from both ipaca_default.ini and
ipaca_customize.ini.  This allows the IPA framework to set the
values (i.e. when --external-ca-type=ms-cs and
--external-ca-profile=... demand it).  It also allows users to
override the pki_req_ext_* settings.

Part of: https://pagure.io/freeipa/issue/7548
Related: https://pagure.io/freeipa/issue/5608
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
7171142a by Fraser Tweedale at 2019-07-17T17:58:58+03:00
Fix use of incorrect variable

Part of: https://pagure.io/freeipa/issue/7548
Related: https://pagure.io/freeipa/issue/5608
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
b15bd50e by Fraser Tweedale at 2019-07-17T17:58:58+03:00
Add more tests for --external-ca-profile handling

Add tests for remaining untested scenarios of --external-ca-profile
handling in ipa-server-install.

ipa-ca-install and ipa-cacert-manage remain untested at present.

Fixes: https://pagure.io/freeipa/issue/7548
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
80e76f09 by Fraser Tweedale at 2019-07-17T17:58:58+03:00
Collapse --external-ca-profile tests into single class

To avoid having to spawn new CI hosts for each kind of
--external-ca-profile argument we are testing, collapse the three
separate test classes into one.  Uninstall the half-installed IPA
after each section of tests.

This change is in response to review comment
https://github.com/freeipa/freeipa/pull/2852#pullrequestreview-220442170.

Part of: https://pagure.io/freeipa/issue/7548

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
2c8352fe by Fraser Tweedale at 2019-07-17T17:58:58+03:00
ci: add --external-ca-profile tests to nightly

Part of: https://pagure.io/freeipa/issue/7548

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
33f39d88 by Fraser Tweedale at 2019-07-17T17:58:58+03:00
ci: add --external-ca-profile tests to gating

Part of: https://pagure.io/freeipa/issue/7548

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
e771fa59 by Rob Crittenden at 2019-07-19T13:13:34-04:00
Remove posixAccount from service_find search filter

This will allow cifs principals to be found. They were suppressed
because they include objectclass=posixAccount.

This is a bit of a historical anomaly. This was included in the
filter from the initial commit (though it was person, not
posixAccount). I believe it was a mistake from the beginning but
it wasn't noticed because it didn't cause any obvious issues.

https://pagure.io/freeipa/issue/8013

Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
3c388f5a by Fraser Tweedale at 2019-07-22T13:33:24+10:00
dogtaginstance: add profile to tracking requests

Enabling "fresh" renewals (c.f. "renewal"-based renewals that
reference the expired certificate and its associated request object)
will improve renewal robustness.

To use fresh renewals the tracking request must record the profile
to be used.  Make dogtaginstance record the profile when creating
tracking requests for both CA and KRA.

Note that 'Server-Cert cert-pki-ca' and the 'IPA RA' both use
profile 'caServerCert', which is the default (according to
dogtag-ipa-renew-agent which is part of Certmonger).  So we do not
need any special handling for those certificates.

This commit does not handle upgrade.  It will be handled in a
subsequent commit.

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
f6f6f83d by Fraser Tweedale at 2019-07-22T13:33:24+10:00
upgrade: add profile to Dogtag tracking requests

To use profile-based renewal (rather than "renewal existing cert"
renewal which is brittle against database corruption or deleted
certificate / request objects), Certmonger tracking requests for
Dogtag system certs must record the profile to be used.

Update the upgrade method that checks tracking requests to look for
the profile.  Tracking requests will be recreated if the expected
data are not found.  The code that actually adds the tracking
requests was updated in a previous commit.

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
858ef599 by Fraser Tweedale at 2019-07-22T13:33:24+10:00
certmonger: use long options when invoking dogtag-ipa-renew-agent

To aid reader comprehension, use long options instead of short
options when invoking dogtag-ipa-renew-agent.

  -N -> --force-new
  -O -> --approval-option

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
1fb6fda0 by Fraser Tweedale at 2019-07-22T13:33:24+10:00
dogtag-ipa-ca-renew-agent: always use profile-based renewal

Update the renewal helper to always request a new certificate
("enrollment request") instead of using "renewal request".  The
latter is brittle in the face of:

- missing certificate record in database

- missing original request record in database (pointed to by
  certificate record)

- "mismatched" certificate or request records (there have been many
  cases of this; it is suspected that request/serial range conflicts,
  or something similar, may be the cause)

The Dogtag tracking request must know what profile to use, except
where the certificate uses the default profile ("caServerCert" per
'dogtag-ipa-renew-agent' implementation in Certmonger itself).
This part of the puzzle was dealt with in previous commits.

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
588f1ddc by Fraser Tweedale at 2019-07-22T13:33:24+10:00
dogtaginstance: avoid special cases for Server-Cert

The Dogtag "Server-Cert cert-pki-ca" certificate is treated
specially, with its own track_servercert() method and other special
casing.  But there is no real need for this - the only (potential)
difference is the token name.  Account for the token name difference
with a lookup method and treat all Dogtag system certs equally
w.r.t. tracking request creation and removal.

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
4f4e2f96 by Fraser Tweedale at 2019-07-22T13:33:24+10:00
upgrade: always add profile to tracking requests

The profile for every Dogtag system cert tracking request is now
explicitly specified.  So remove the code that handled unspecified
profiles.

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
482866e4 by Fraser Tweedale at 2019-07-22T13:33:24+10:00
upgrade: update KRA tracking requests

The upgrade routine checks tracking requests for CA system
certificates, IPA RA and HTTP/LDAP/KDC service certificates.  If a
tracking request matching our expectations is not found, we stop
tracking all certificates, then create new tracking requests with
the correct configuration.

But the KRA was left out.  Add checks for KRA certificates, and
remove/recreate KRA tracking requests when appropriate.

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
2d22f568 by Fraser Tweedale at 2019-07-22T13:33:24+10:00
upgrade: log missing/misconfigured tracking requests

For better diagnostics during upgrade, log the Certmonger tracking
requests that were not found (either because they do not exist, or
do not have the expected configuration).

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
fa567558 by Fraser Tweedale at 2019-07-22T13:33:24+10:00
upgrade: fix spurious certmonger re-tracking

The search for the HTTP Certmonger tracking request uses an
incorrect parameter ('key-storage'), triggering removal and
recreation of tracking requests on every upgrade.  Replace
'key-storage' with the correct parameter, 'key-file'.

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
1bf008a6 by Fraser Tweedale at 2019-07-22T13:33:24+10:00
cainstance: add profile to IPA RA tracking request

Profile-based renewal means we should always explicitly specify the
profile in tracking requests that use the dogtag-ipa-ca-renew-agent
renewal helper.  This includes the IPA RA agent certificate.  Update
CAInstance.configure_agent_renewal() to add the profile to the
tracking request.  This also covers the upgrade scenario (because
the same method gets invoked).

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
bb779baa by Fraser Tweedale at 2019-07-22T13:33:24+10:00
Use RENEWAL_CA_NAME and RA_AGENT_PROFILE constants

Replace renewal CA and profile name literals with corresponding
symbols from ipalib.constants.

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
65d9a9be by Fraser Tweedale at 2019-07-22T13:33:24+10:00
ipatests: test ipa-server-upgrade in CA-less deployment

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
f5822e3a by Rob Crittenden at 2019-07-22T13:33:24+10:00
httpinstance: add pinfile when tracking certificate

When the HTTP certificate gets untracked then tracked again, it
loses its pin file.  Ensure we add the pin file when (re-)tracking
the HTTP certificate.

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
b7ad1157 by Fraser Tweedale at 2019-07-22T13:33:24+10:00
dsinstance: add proflie when tracking certificate

When the DS certificate gets untracked then tracked again (via
dsinstance.start_tracking_certificate()), it loses its profile
configuration.  Although it is the default profile, we want to
retain the explicit reference.  Ensure we add the profile when
re-tracking the DS certificate.

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
6316a006 by Serhii Tsymbaliuk at 2019-07-22T11:28:46+02:00
WebUI tests: Fix timeout issues for reset password tests

- Increase wait timeout after password reset
- Wait for server response after login in TestLoginScreen.test_reset_password_and_login_view

Ticket: https://pagure.io/freeipa/issue/8012

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
94b4af55 by Christian Heimes at 2019-07-25T15:16:33-04:00
Add PKCS#11 module name to p11helper errors

The p11helper module now includes the name of the PKCS#11 shared library
in error messages.

Fixes: https://pagure.io/freeipa/issue/8015
Co-Authored-By: Mikhail Novosyolov <m.novosyolov at rosalinux.ru>
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
b52d40b0 by Sumedh Sidhaye at 2019-07-25T15:21:39-04:00
Test: To check ipa replica-manage del <FQDN> does not fail

Problem:
If a replica installation fails before all the services have been enabled then
it could leave things in a bad state.

ipa-replica-manage del <replica> --cleanup --force
invalid 'PKINIT enabled server': all masters must have IPA master role enabled

Test Steps:
1. Setup server
2. Setup replica
3. modify the replica entry on Master:
   dn: cn=KDC,cn=<replica hostname>,cn=masters,cn=ipa,cn=etc,dc=<test>,dc=<realm>
   changetype: modify
   delete: ipaconfigstring
   ipaconfigstring: enabledService

   dn: cn=KDC,cn=<replica hostname>,cn=masters,cn=ipa,cn=etc,dc=<test>,dc=<realm>
   add: ipaconfigstring
   ipaconfigstring: configuredService
4. On master,
   run ipa-replica-manage del <replicaFQDN> --cleanup --force

Related Ticket: https://pagure.io/freeipa/issue/7929

Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
5e97e800 by Florence Blanc-Renaud at 2019-07-26T10:47:30+02:00
Azure pipeline: report failure in prepare-build step

The azure pipeline defines a "prepare build" step that
installs the FreeIPA development dependencies but the
step does not report failures of the dnf builddep command.

As a consequence, subsequent steps may fail (for instance
because of components not installed such as tox) but are
hard to diagnose.

The fix reports the command failure.

Fixes: https://pagure.io/freeipa/issue/8022
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
68b85703 by François Cami at 2019-07-26T10:49:54+02:00
ipatests: test multiple invocations of ipa-client-samba --uninstall

Related-to: https://pagure.io/freeipa/issue/8019
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
5b65551b by François Cami at 2019-07-26T10:49:54+02:00
ipa-client-samba: remove and restore smb.conf only on first uninstall

Fixes: https://pagure.io/freeipa/issue/8019
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
ed6ee90c by François Cami at 2019-07-26T10:49:54+02:00
ipatests: test ipa-client-samba after --uninstall

Related-to: https://pagure.io/freeipa/issue/8021
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
cd2cbaec by François Cami at 2019-07-26T10:49:54+02:00
ipa-client-samba: remove state on uninstall

The "domain_member" state was not removed at uninstall time.
Remove it so that future invocations of ipa-client-samba work.

Fixes: https://pagure.io/freeipa/issue/8021
Signed-off-by: François Cami <fcami at redhat.com>

https://pagure.io/freeipa/issue/8021

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
de1fa7cc by Sumedh Sidhaye at 2019-07-26T15:18:53+02:00
Test: Test to check whether ssh from ipa client to ipa master is successful after adding ldap_deref_threshold=0 in sssd.conf

Problem: After adding ldap_deref_threshold=0 setting for sssd on master for
performance enhancement ssh from ipa client was failing

Test Procedure:
1. setup a master
2. add ldap_deref_threshold=0 to sssd.conf on master
3. add an ipa user
4. ssh from controller to master using the user created in step 3

Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
6af723c0 by Serhii Tsymbaliuk at 2019-07-26T18:10:02+02:00
WebUI: Add PKINIT status field to 'Configuration' page

- Add 'Server Options' section to the page
- Add 'IPA master capable of PKINIT' field to the 'Server Options'

Ticket: https://pagure.io/freeipa/issue/7305

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
f16ea8e6 by Serhii Tsymbaliuk at 2019-07-29T17:38:45+02:00
WebUI tests: Fix request timeout for test_trust

Because of intergration with AD server response can take time more then 1 minute.
So request_timeout is increased to 120s.

Ticket: https://pagure.io/freeipa/issue/8024

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
11e40336 by Florence Blanc-Renaud at 2019-07-30T09:39:06+02:00
test_xmlrpc: fix TestAutomemberFindOrphans.test_find_orphan_automember_rules

Test scenario:
- create a hostgroup
- create a host
- create an automember rule for the hostgroup with a condition fulfilled
by the host
- delete the hostgroup
- call automember-rebuild (1)
- call automember-find-orphans to remove the orphan automember group
- call automember-rebuild(2)

The test was expecting the first rebuild command to fail but this
assumption is not true if the DS version is >= 1.4.0.22 because of the
fix for https://pagure.io/389-ds-base/issue/50077

Modify the test so that it expects failure only when DS is older.

Fixes: https://pagure.io/freeipa/issue/7902
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
402246a7 by François Cami at 2019-07-30T12:01:27+02:00
ipapython/admintool.py: use SERVER_NOT_CONFIGURED

Commit 9182917280a5c2590fa677729db54b38a9ac4d1f introduced
SUCCESS, SERVER_INSTALL_ERROR and SERVER_NOT_CONFIGURED to
deal with cases when server is not configured.
Actually use SERVER_NOT_CONFIGURED in log_failure instead of 2.

Related-to: https://pagure.io/freeipa/issue/6843
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a66124ba by François Cami at 2019-07-30T18:57:53+02:00
prci_definitions: add master_3client topology

Some tests would benefit from using a multi-client topology.
As PR-CI now supports master_3client, use it.

Fixes: https://pagure.io/freeipa/issue/8026
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
21cd9775 by François Cami at 2019-07-30T23:42:54+02:00
test_nfs.py: switch to tasks.config_replica_resolvconf_with_master_data()

Previously test_nfs.py would implement its own method to configure
resolv.conf leading to cleanup failures in some cases.
Use tasks.config_replica_resolvconf_with_master_data() instead.
Also simplify and fix client uninstall.

Fixes: https://pagure.io/freeipa/issue/7949
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
526b85a6 by François Cami at 2019-07-30T23:42:54+02:00
ipatests: rename config_replica_resolvconf_with_master_data()

config_replica_resolvconf_with_master_data() is not replica specific.
Rename to config_host_resolvconf_with_master_data() as it is not tied
to any role (master, replica, client).

Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
80561224 by François Cami at 2019-07-30T23:42:54+02:00
test_nfs.py: switch to master_3repl

test_nfs.py historically used master_2repl_1client.
Now that master_3client exists, switch to that as it allows removal
of custom install/cleanup steps.

Fixes: https://pagure.io/freeipa/issue/8027
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
27baf350 by Florence Blanc-Renaud at 2019-07-31T09:34:34+03:00
user-stage: transfer all attributes from preserved to stage user

The user-stage command is internally implemented as:
- user_show(all=True) in order to read the user attributes
- loop on the attributes defined as possible to add using stageuser-add and
transform them into new options for stageuser_add (for instance stageuser-add
provides the option --shell for the attribute loginshell, but there is no
option for the attribute businesscategory).
- call stageuser_add in order to create a new entry in the active users subtree
- user-del to remove the previous entry in the staged users subtree

The issue is in the 2nd step. Only the attributes with a stageuser-add option
are processed.
The logic of the code should be slightly modified, so that all the attributes
read in the first step are processed:
- if they correspond to an option of stageuser-add, process them like it's
currently done. For instance if the entry contains displayname, then it
should be processed as --displayName=value in the stageuser-add cmd
- if they do not correspond to an option of stageuser-add, add them with
--setattr=<attrname>=<attrvalue>

Note that some attributes may need to be filtered, for instance user-show
returns has_password or has_keytab, which do not correspond to attributes
in the LDAP entry.

Fixes: https://pagure.io/freeipa/issue/7597
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
8ebbb271 by Florence Blanc-Renaud at 2019-07-31T09:34:34+03:00
xmlrpc test: add test for preserved > stage user

When moving a preserved user to the stage area, check that the
custom attributes are not lost ( = the attr for which there is
no specific user_stage option).

Test scenario:
- add a stage user with --setattr "businesscategory=value"
- activate the user, check that businesscategory is still present
- delete (preserve) the user, check that attr is still present
- stage the user, check that attr is still present

Related: https://pagure.io/freeipa/issue/7597
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
44bcf099 by Tibor Dudlák at 2019-07-31T14:21:37+02:00
ipatests: Update test tasks for client to be interactive

Related: https://pagure.io/freeipa/issue/7908
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
2bc7fb7f by Tibor Dudlák at 2019-07-31T14:21:37+02:00
ipatests: Add tests for interactive chronyd config

Add interactive configuration tests for
ipa-server-install and ipa-client-install
FreeIPA server as it is now is unable to
configure NTP interactively for replica
installations.

Resolves: https://pagure.io/freeipa/issue/7908
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
d0efb9ea by Tibor Dudlák at 2019-07-31T14:21:37+02:00
ipatests: refactor TestNTPoptions

Move common and error messages to class scope to be reused again.

Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
8b7fae30 by Tibor Dudlák at 2019-07-31T14:21:37+02:00
Increase ntp_options test timeout

Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
70b96d76 by François Cami at 2019-08-02T20:15:04+02:00
azure-pipelines.yml: switch to Python 3.7

* switch to Python 3.7 (UsePythonVersion at 0 task)
* use "pip install --user"

Fixes: https://pagure.io/freeipa/issue/8030
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
adcf0425 by Theodor van Nahl at 2019-08-06T07:13:37+02:00
Fix UnboundLocalError in ipa-replica-manage on errors

If ipa-replica-manage is unable to retrieve e.g. due to certificate
validity problem. An UnboundLocalError is thrown for `type1`. This fixes
the issue with a clean exit.

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
69138c84 by Christian Heimes at 2019-08-06T12:39:46+02:00
Test external CA with DNS name constraints

Verify that FreeIPA can be installed with an external CA that has a name
constraints extension.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9a440ae8 by Christian Hermann at 2019-08-07T08:18:59+02:00
configure.ac: don't rely on bashisms

93fb037d8409d9d46606c31d8a240e3963b72651 introduced unportable shell
syntax, which led to erros like
./configure: 3179: ./configure: CFLAGS+= -D__STDC_WANT_LIB_EXT1__=1: not found
in case a posix shell is used.

Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
73c32dbf by Rob Crittenden at 2019-08-07T08:35:28+02:00
Don't return SSH keys with ipa host-find --pkey-only

This was introduced in 14ee02dcbd6cbb6c221ac7526e471a9fc58fcc82

https://pagure.io/freeipa/issue/8029

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
802a54bf by Alexander Bokovoy at 2019-08-08T09:46:10+02:00
Change RA agent certificate profile to caSubsystemCert

Currently, RA agent certificate is issued using caServerCert profile.
This has unfortunate side effect of asserting id-pk-serverAuth EKU which
is not really needed for RA agent. If IPA CA certificate adds SAN DNS
constraints into issued certificates, presence of id-pk-serverAuth EKU
forces NSS (and other crypto libraries) to validate CN value with
regards to SAN DNS constraints, due to historical use of CN bearing DNS
name.

Since RA agent certificate has 'CN=IPA RA', it is guaranteed to fail
the check.

Default IPA CA configuration does *not* add SAN DNS constraints into RA
agent certificate. However, it is better to be prepared to such
behavior.

Related: https://bugzilla.redhat.com/1670239
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
3c82585e by Christian Heimes at 2019-08-08T09:46:10+02:00
Update comments to explain caSubsystemCert switch

Related: https://bugzilla.redhat.com/1670239
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
8f969a59 by Alexander Bokovoy at 2019-08-09T11:31:14-04:00
Restore SELinux context for p11-kit config overrides

When 74e09087 started disabling softshm2 module in p11-kit-proxy,
we missed to restore SELinux context on the configuration override
creation.

We don't need an explicit restore_context() when removing the override
because restore_file() already calls restore_context().

Related: https://pagure.io/freeipa/issue/7810
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
0000fe05 by Timo Aaltonen at 2019-08-11T11:37:29+03:00
install: Add missing scripts to app_DATA.

Signed-off-by: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
17c2e31f by Christian Heimes at 2019-08-13T11:30:18+02:00
Don't move keys when key backup is disabled

The CA_BACKUP_KEYS_P12 file is not enabled when pki_backup_keys is
set to False. It's the case when FreeIPA is configured with HSM support.

Related: https://pagure.io/freeipa/issue/7677
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
a36556e1 by Christian Heimes at 2019-08-13T18:43:58+02:00
Allow insecure binds for migration

Commit 5be9341fbabaf7bcb396a2ce40f17e1ccfa54b77 disallowed simple bind
over an insecure connection. Password logins were only allowed over LDAPS
or LDAP+STARTTLS. The restriction broke 'ipa migrate-ds' in some cases.

This commit lifts the restriction and permits insecure binds over plain
LDAP. It also makes the migrate-ds plugin use STARTTLS when a CA
certificate is configured with a plain LDAP connection.

Fixes: https://pagure.io/freeipa/issue/8040
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>

- - - - -
c9938e3d by Alexander Bokovoy at 2019-08-13T16:45:53-04:00
Add Theodor van Nahl to the Contributors.txt

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
661804b7 by Alexander Bokovoy at 2019-08-14T14:18:17+03:00
Update translations

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
ef80a074 by Alexander Bokovoy at 2019-08-14T14:18:17+03:00
Update contributors

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
41e5d465 by Florence Blanc-Renaud at 2019-08-14T14:21:31+03:00
Nightly test definition: add missing tests

The following test was missing from all nightlies:
- test_integration/test_crlgen_manage.py

The following tests was missing from nightly_f29:
- test_integration/test_smb.py

The following test was missing from nightly_rawhide:
- test_integration/test_smb.py

Note: nightly_f28 not updated as we stopped testing on f28.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
076d955b by Christian Heimes at 2019-08-19T09:56:08+02:00
Store HSM token and state

The HSM state is stored in fstore, so that CA and KRA installer use the
correct token names for internal certificates. The default token is
"internal", meaning the keys are stored in a NSSDB as usual.

Related: https://pagure.io/freeipa/issue/5608
Co-authored-by: Magnus K Karlsson <magnus-ka.karlsson at polisen.se>
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
9fe984fe by Sumit Bose at 2019-08-19T11:20:57+03:00
extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT

A return code LDAP_NO_SUCH_OBJECT will tell SSSD on the IPA client to
remove the searched object from the cache. As a consequence
LDAP_NO_SUCH_OBJECT should only be returned if the object really does
not exists otherwise the data of existing objects might be removed form
the cache of the clients causing unexpected behaviour like
authentication errors.

Currently some code-paths use LDAP_NO_SUCH_OBJECT as default error code.
With this patch LDAP_NO_SUCH_OBJECT is only returned if the related
lookup functions return ENOENT. Timeout related error code will lead to
LDAP_TIMELIMIT_EXCEEDED and LDAP_OPERATIONS_ERROR is used as default
error code.

Fixes: https://pagure.io/freeipa/issue/8044
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c78cb940 by Alexander Bokovoy at 2019-08-19T11:20:57+03:00
ipa-extdom-extop: test timed out getgrgid_r

Simulate getgrgid_r() timeout when packing list of groups user is a
member of in pack_ber_user().

Related: https://pagure.io/freeipa/issue/8044
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c709f131 by François Cami at 2019-08-21T11:00:04+02:00
travis-ci: make dnf invocations more resilient

Travis-CI sometimes fails to download repository metadata or
packages. Change dnf configuration and invocation:
* activate dnf fastestmirror
* add more dnf retries
* invoke "dnf makecache" twice

Fixes: https://pagure.io/freeipa/issue/8048
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Scott Poore <spoore at redhat.com>

- - - - -
bebe09f3 by Christian Heimes at 2019-08-21T12:48:36+03:00
Fix ca_initialize_hsm_state

Fixup for commit eb2313920e20bb4a74fc0abc52c496ccf2822dab.
configparser's set() method does not convert boolean to string
automatically. Use string '"False"', which is then interpreted as
boolean 'False' by getboolean().

Related: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
481c5400 by Armando Neto at 2019-08-22T09:43:51-03:00
prci: update test definitions

Update boxes used in nightlies runs and add new ones.

Based on the changes made in freeipa/freeipa-pr-ci#304.

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
24c6ce27 by Alexander Bokovoy at 2019-08-22T09:43:51-03:00
Mark failing test as xfail for use of python-dns make_ds method

https://github.com/rthalley/dnspython/issues/343 documents broken use of
hashes in dns.dnssec.make_ds() and other python-dns methods. This is a
regression introduced with python-dns 1.16.

Mark the test as expecting to fail until python-dns is fixed in Fedora.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a71c59c7 by Michal Polovka at 2019-08-27T12:04:45+02:00
ipatests: Test for ipa-backup with ipa not configured

Added test class for executing tests without ipa server being
configured. This is achieved by not providing topology attribute in the
test class. Subsequently implemented test for PG6843 - ipa-backup does not create
log file at /var/log/ - by invoking ipa-backup command with ipa server
not configured and checking for expected error code presence of /var/log
in the error message.

https://pagure.io/freeipa/issue/6843

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Tibor Dudlák <tdudlak at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>

- - - - -
405dcc6b by François Cami at 2019-08-28T22:15:50-04:00
ipatests: check that ipa-client-automount restores nsswitch.conf at uninstall time

Check that using ipa-client-install, ipa-client-automount --no-ssd, then uninstalling
both properly restores nsswitch.conf sequentially.

Related-to:: https://pagure.io/freeipa/issue/8038
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
b27ad6e9 by François Cami at 2019-08-28T22:15:50-04:00
ipa-client-automount: always restore nsswitch.conf at uninstall time

ipa-client-automount used to only restore nsswitch.conf when sssd was not
used. However authselect's default profile is now sssd so always restore
nsswitch.conf's automount configuration to 'files sssd'.
Note that the behavior seen before commit:
a0e846f56c8de3b549d1d284087131da13135e34
would always restore nsswitch.conf to the previous state which in some cases
was wrong.

Fixes: https://pagure.io/freeipa/issue/8038
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
e5af8c19 by Rob Critenden at 2019-08-28T22:15:50-04:00
Move ipachangeconf from ipaclient.install to ipapython

This will let us call it from ipaplatform.

Mark the original location as deprecated.

Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
41ef8fba by Rob Critenden at 2019-08-28T22:15:50-04:00
Use tasks to configure automount nsswitch settings

authselect doesn't allow one to directly write to
/etc/nsswitch.conf. It will complain bitterly if it
detects it and will refuse to work until reset.

Instead it wants the user to write to
/etc/authselect/user-nsswitch.conf and then it will handle
merging in any differences.

To complicate matters some databases are not user configurable
like passwd, group and of course, automount. There are some
undocumented options to allow one to override these though so
we utilize that.

tasks are used so that authselect-based installations can still
write directly to /etc/nsswitch.conf and operate as it used to.

Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
b24359ca by sumenon at 2019-08-29T10:07:32+02:00
Added testcase to check capitalization fix while running ipa user-mod

1. This testcase checks that when ipa user-mod command is run with capital letters
there is no error shown in the console, instead the modifications for first and last
name of  the user is applied.

2. Adding tasks.kinit_admin since the test was being executed as different user
leading to permission issue.
ipa: ERROR: Insufficient access: Could not read UPG Definition originfilter. Check your permissions

Issue: https://pagure.io/freeipa/issue/5879
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
03a228aa by François Cami at 2019-08-29T17:34:27+02:00
ipatests: remove xfail in TestIpaClientAutomountFileRestore

Remove xfail in TestIpaClientAutomountFileRestore to check the
associated bugfix.

Related-to: https://pagure.io/freeipa/issue/8054
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>

- - - - -
73f049c7 by François Cami at 2019-08-29T17:34:27+02:00
authconfig.py: restore user-nsswitch.conf at uninstall time

Calling authselect at uninstall time before restoring user-nsswitch.conf
would result in a sudoers entry in nsswitch.conf which is not activated
in the default sssd authselect profile.
Make sure user-nsswitch.conf is restored before calling authselect.

Fixes: https://pagure.io/freeipa/issue/8054
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>

- - - - -
b20ae34b by Serhii Tsymbaliuk at 2019-08-29T20:16:43+02:00
WebUI tests: Fix login screen loading issue

test_webui/test_loginscreen fails because login screen is rendered with delays.
To solve the issue small pause added after login.

Ticket: https://pagure.io/freeipa/issue/8053

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
b48fe19f by Florence Blanc-Renaud at 2019-08-30T10:16:52+02:00
ipatests: fix wrong xfail in test_domain_resolution_order

The test is written for a SSSD fix delivered in 2.2.0, but has a xfail
based on fedora version < 30.
SSSD 2.2.0 was originally available only on fedora 30 but is now also
available on fedora 29, and recent runs on f29 started to succeed
(because the fix is now present) but with a strict xfail.

The fix completely removes the xfail as the current branch is supported on
fedora 29 and 30.

Fixes: https://pagure.io/freeipa/issue/8052
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
253779af by Michal Polovka at 2019-08-30T12:20:21+02:00
ipatests: fix topology for TestIpaNotConfigured in PR-CI nightly definitions

Topology for TestIpaNotConfigured is changed from ipaserver to
master_1repl in order to prevent aforementioned test suite runner from
configuring ipa-server, which is required by the test itself.

Resolves: https://pagure.io/freeipa/issue/8055
Related: https://pagure.io/freeipa/issue/6843

- - - - -
51836c05 by Christian Heimes at 2019-08-31T00:48:35+02:00
Replace %{_libdir} macro in BuildRequires

The %{_libdir} macro is architecture dependend and therefore does not
correctly work across different platforms. In the past the SRPM was
created on a platform with /usr/lib64. Recent SRPMs have /usr/lib, which
breaks dnf builddep.

Depend on krb5-server directly rather than a file in krb5-server
package:

$ rpm -qf /usr/lib64/krb5/plugins/kdb/db2.so
krb5-server-1.16.1-25.fc29.x86_64

Fixes: https://pagure.io/freeipa/issue/8056
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>

- - - - -
02262ac7 by François Cami at 2019-09-02T17:39:11+02:00
ipapython/ipachangeconf.py: change "is not 0" for "!= 0"

Python 3.8 introduced a warning to check for usage of "is not"
when comparing literals. Any such usage will output:
SyntaxWarning: "is not" with a literal. Did you mean "!="?
See: https://bugs.python.org/issue34850

Fixes: https://pagure.io/freeipa/issue/8057
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
4a437a3c by Florence Blanc-Renaud at 2019-09-04T08:28:14+02:00
config plugin: replace 'is 0' with '== 0'

Since python3.8, identity checks with literal produce syntax warnings.
Replace the check 'if .. is 0' with 'if .. == 0'

Related: https://pagure.io/freeipa/issue/8057
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
8d2125f6 by Christian Heimes at 2019-09-04T10:30:07+02:00
Enable literal-comparison linter again

The literal comparison linter checks for "value is 0" or "value is ''".

Related: https://pagure.io/freeipa/issue/8057
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
0fc4b8c2 by Christian Heimes at 2019-09-04T10:30:07+02:00
Fix wrong use of identity operation

Strings should not be compared with the identity operation 'is' or
'is not'.

Fixes: https://pagure.io/freeipa/issue/8057
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
0d7eb0a9 by Christian Heimes at 2019-09-04T10:30:07+02:00
Add new env vars to pylint plugin

The vars api.env.host_princ and smb_princ where introduced a while ago.
Sometimes parallel linting complain about the attributes. Add both to
the list of known members in pylint_plugins.py.

Related: https://pagure.io/freeipa/issue/3999
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
faf34fcd by Rob Crittenden at 2019-09-04T14:52:14+02:00
Replace replication_wait_timeout with certmonger_wait_timeout

The variable is intended to control the timeout for replication
events. If someone had significantly reduced it via configuration
then it could have caused certmogner requests to fail due to timeouts.

Add replication_wait_timeout, certmonger_wait_timeout and
http_timeout to the default.conf man page.

Related: https://pagure.io/freeipa/issue/7971
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
54035982 by Rob Crittenden at 2019-09-04T14:52:14+02:00
Log the replication wait timeout for debugging purposes

Related: https://pagure.io/freeipa/issue/7971
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
adf2eab2 by Rob Crittenden at 2019-09-04T14:52:14+02:00
Log dogtag auth timeout in install, provide hint to increase it

There is a loop which keeps trying to bind as the admin user
which will fail until it is replicated.

In the case where there is a lot to replicate the default
5 minute timeout may be insufficient. Provide a hint for
tuning.

Fixes: https://pagure.io/freeipa/issue/7971
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
5db48f15 by Rob Crittenden at 2019-09-05T09:15:23+02:00
Add missing timeout option to logging statement

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
9414b038 by Robbie Harwood at 2019-09-05T14:53:55-04:00
Log INFO message when LDAP connection fails on startup

Since krb5_klog_syslog() always needs parameters from syslog.h, move the
include into ipa_krb5.h.

Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
45b4f537 by Robbie Harwood at 2019-09-05T14:53:55-04:00
Fix NULL pointer dereference in maybe_require_preauth()

ipadb_get_global_config() is permitted to return NULL.

Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
c1af6aa2 by Florence Blanc-Renaud at 2019-09-06T09:05:52+02:00
ipatests: add nightly definition for DS integration tests

This commit is a first step in order to run nightly
integration tests with the 389-ds Directory Server.
It is updating the tests that should be run against
a nightly build of 389-ds.

The vagrant box freeipa/389ds-master-f30 version 0.0.1 has already
been created, available in vagrant cloud.
freeipa-pr-ci workspace also already contains the nightly scheduler
definition for this job (saturdays 00:10, using nightly_master_389ds.yaml)
but the cron job is not scheduled yet.

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
074bf285 by Sergey Orlov at 2019-09-06T12:11:04+02:00
ipatests: allow to pass additional options for clients installation

Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
3fa7865f by Sergey Orlov at 2019-09-06T12:11:04+02:00
ipatests: add utility functions related to using and managing user accounts

Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
1fe69f35 by Sergey Orlov at 2019-09-06T12:11:04+02:00
ipatests: modify run_command to allow specify successful return codes

Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
1d033b04 by Sergey Orlov at 2019-09-06T12:11:04+02:00
ipatests: refactor and extend tests for IPA-Samba integration

Add tests for following scenarios:
* running `ipa-client-samba --uninstall` without prior installation
* mount and access Samba share by IPA user
* mount and access Samba share by AD user
* mount samba share by one IPA user and access it by another one
* try mount samba share without kerberos authentication
* uninstall and reinstall ipa-client-samba

Relates: https://pagure.io/freeipa/issue/3999
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
0770254c by Rob Crittenden at 2019-09-06T10:29:43-04:00
Defer initializing the API in dogtag-ipa-ca-renew-agent-submit

Wait until we know a supported operation is being called
(SUBMIT and POLL) before initializing the API, which can be
an expensive operation.

https://bugzilla.redhat.com/show_bug.cgi?id=1656519

Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
65d38af9 by Rob Crittenden at 2019-09-06T10:29:43-04:00
Skip lock and fork in ipa-server-guard on unsupported ops

On startup certmonger performs a number of options on the
configured CA (IPA, not to be confused with the real dogtag CA)
and the tracking requests.

Break early for operations that are not supported by ipa-submit.
This will save both a fork and a lock call.

https://bugzilla.redhat.com/show_bug.cgi?id=1656519

Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
8ce0e6bf by Michal Polovka at 2019-09-09T12:12:39+02:00
ipatests: add tests for ipa host-add with non-default maxhostnamelength

Implement test for ticket 2018: Change hostname length limit to 64.
The fix provides a new configuration parameter (maxhostname) that can be modified through ipa config-mod, and governs the max hostname len allowed through ipa host-add.
Add new tests:

    - check that maxhostname cannot be changed to a value < 64
    - check that ipa host-add is refused if the hostname length is > maxhostname
    - check that ipa host-add is OK if the hostname length is <= maxhostname

Related: https://pagure.io/freeipa/issue/2018
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
80e4c18b by Alexander Bokovoy at 2019-09-10T12:25:07+03:00
adtrust: avoid using timestamp in klist output

When parsing a keytab to copy keys to a different keytab, we don't need
the timestamp, so don't ask klist to output it. In some locales (en_IN,
for example), the timestamp is output in a single field without a space
between date and time. In other locales it can be represented with date
and time separated by a space.

Fixes: https://pagure.io/freeipa/issue/8066
Reviewed-By: Thomas Woerner <twoerner at redhat.com>

- - - - -
9c0a35f1 by Changmin Teng at 2019-09-10T12:33:21+03:00
Add new authentication indicators in kdc.conf.template

As of release 1.17, KDC can be configured to apply authentication
indicator for SPAKE, PKINIT, and encrypted challenge preauth via
FAST channel, which are not configured in current version of freeIPA.

Note that even though the value of encrypted_challenge_indicator is
attached only when encrypted challenge preauth is performed along
a FAST channel, it's possible to perform FAST without encrypted
challenge by using SPAKE. Since there is no reason to force clients
not to use SPAKE while using FAST, we made a design choice to merge
SPAKE and FAST in a new option called "Hardened Password", which
requires user to use at least one of SPAKE or FAST channel. Hence
same value attaching to both spake_preauth_indicator and
encrypted_challenge_indicator.

Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>

- - - - -
d0570404 by Changmin Teng at 2019-09-10T12:33:21+03:00
Extend the list of supported pre-auth mechanisms in IPA server API

As new authentication indicators implemented, we also modified server
API to support those new values. Also, "krbprincipalauthind" attribute
is modified to use a pre-defined set of values instead of arbitrary
strings.

Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>

- - - - -
c7b938a1 by Robbie Harwood at 2019-09-10T12:33:21+03:00
Enable krb5 snippet updates on client update

Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>

- - - - -
39e3704a by Robbie Harwood at 2019-09-10T12:33:21+03:00
Move certauth configuration into a server krb5.conf template

Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>

- - - - -
179c8f40 by Robbie Harwood at 2019-09-10T12:33:21+03:00
Add a skeleton kdcpolicy plugin

Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>

- - - - -
15ff9c8f by Changmin Teng at 2019-09-10T12:33:21+03:00
Implement user pre-authentication control with kdcpolicy plugin

We created a Kerberos kdcpolicy plugin to enforce user
pre-authentication policy for newly added pkinit and hardened policy.

In the past version of freeIPA, password enforcement exists but was done
by removing key data for a principal while parsing LDAP entry for it.
This hack is also removed and is now also enforced by kdcpolicy plugin
instead.

Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>

- - - - -
b66e8a1e by Changmin Teng at 2019-09-10T12:33:21+03:00
Modify webUI to adhere to new IPA server API

Given the changes in IPA server API changes, whebUI is modified to
utilize new authentication indicators, and disabled custom indicators
for services' white list.

Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>

- - - - -
952dd2a5 by Changmin Teng at 2019-09-10T12:33:21+03:00
Add design document

This document details authentication indicaters and kerberos ticket
policies implemented in IPA.

Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>

- - - - -
2e0850e7 by Armando Neto at 2019-09-11T18:16:11+02:00
prci: fix typo on nightly test definitions

PR-CI breaks if the class to execute the tests doesn't exist.

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
123c93f9 by Serhii Tsymbaliuk at 2019-09-11T18:26:34+02:00
WebUI: Make 'Unlock' option is available only on locked user page

The implementation includes checking password policy for selected user.
'Unlock' option is available only in case user reached a limit of login failures.

Ticket: https://pagure.io/freeipa/issue/5062
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
e5f04258 by Tomas Halman at 2019-09-12T10:48:13+03:00
extdom: plugin doesn't allow @ in group name

Old implementation handles username and group names with
one common call. Character @ is used in the call to detect UPN.

Group name can legaly contain this character and therefore the
common approach doesn't work in such case.

Also the original call is less efficient because it tries to resolv
username allways then it fallback to group resolution.

Here we implement two new separate calls for resolving users and
groups.

Fixes: https://bugzilla.redhat.com/1746951
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
5f898c3c by Tomas Halman at 2019-09-12T10:48:13+03:00
extdom: plugin doesn't use timeout in blocking call

Expose nss timeout parameter. Use sss_nss_getorigbyname_timeout
instead of sss_nss_getorigbyname

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
84b6c0f5 by Tomas Halman at 2019-09-12T10:48:13+03:00
extdom: use sss_nss_*_timeout calls

Use nss calls with timeout in extdom plugin

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
bddf64b9 by Tomas Halman at 2019-09-12T10:48:13+03:00
extdom: add extdom protocol documentation

Add the description of extdom protocol and its versions

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
991d508a by Francisco Trivino at 2019-09-12T11:17:15+02:00
prci: increase gating tasks priority

Sometimes the gating tasks (build and jobs) are blocked because of nightly
regression remaining tasks are in progress. The reason is because nightly
regressions are not finished or they are re-triggered during day-time.
Gating tasks are blocked because they have same priority than nightly tasks.

This commit increases gating tasks priority so the testing of pull requests
will not be blocked anymore.

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
9aeb6bae by Alexander Bokovoy at 2019-09-12T17:17:53+03:00
add default access control when migrating trust objects

It looks like for some cases we do not have proper set up keytab
retrieval configuration in the old trusted domain object. This mostly
affects two-way trust cases. In such cases, create default configuration
as ipasam would have created when trust was established.

Resolves: https://pagure.io/freeipa/issue/8067

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
0be98884 by Alexander Bokovoy at 2019-09-12T17:17:53+03:00
adtrust: add default read_keys permission for TDO objects

If trusted domain object (TDO) is lacking ipaAllowedToPerform;read_keys
attribute values, it cannot be used by SSSD to retrieve TDO keys and the
whole communication with Active Directory domain controllers will not be
possible.

This seems to affect trusts which were created before
ipaAllowedToPerform;read_keys permission granting was introduced
(FreeIPA 4.2). Add back the default setting for the permissions which
grants access to trust agents and trust admins.

Resolves: https://pagure.io/freeipa/issue/8067

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
6064365a by ndehadra at 2019-09-13T14:46:46+02:00
Hidden Replica: Add a test for Automatic CRL configuration

Added test to check whether hidden replica can be configurred
as CRL generation master.

Related Tickets:
https://pagure.io/freeipa/issue/7307

Signed-off-by: ndehadra <ndehadra at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
f1e20b45 by Tibor Dudlák at 2019-09-16T09:44:52+02:00
Add container environment check to replicainstall

Inside the container environment master's IP address
does not resolve to its name.

Resolves: https://pagure.io/freeipa/issue/6210
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
75515431 by Serhii Tsymbaliuk at 2019-09-17T08:35:32+02:00
WebUI: Fix changing category on HBAC/Sudo/etc Rule pages

No object can be added to a rule when object category is 'all'.
So while editing rule there is needed to save actual category value
before adding related objects.

Ticket: https://pagure.io/freeipa/issue/7961

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
4dbc6926 by Serhii Tsymbaliuk at 2019-09-17T18:12:43-03:00
WebUI: Fix new test initialization on "HBAC Test" page

"New Test" action cleared only information about selected options but kept
radio buttons checked. It confused users and caused an error on validation step.

New behaviour is:
- tables forget all selected values after "New Test" click;
- first table record is checked initially in case the option is mandatory;
- all records is unchecked initially in case the option is not mandatory.

Ticket: https://pagure.io/freeipa/issue/8031

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
7dde3a42 by Sergey Orlov at 2019-09-19T10:26:58+02:00
ipatests: add new utilities for file management

Added utilities for working with remote hosts
* backup and restore files
* modify .ini files
* check if selinux is enabled

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
4ea9aead by Sergey Orlov at 2019-09-19T10:26:58+02:00
ipatests: refactoring: use library function to check if selinux is enabled

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
4ab2842b by Sergey Orlov at 2019-09-19T10:26:58+02:00
ipatests: add tests for cached_auth_timeout in sssd.conf

The tests check that auth cache
* is disabled by default
* is working when enabled
* expires after specified time
* is inherited by trusted domain

Related to: https://bugzilla.redhat.com/1685581

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
e5e0693a by Anuja More at 2019-09-19T15:52:51+02:00
Extdom plugin should not return error (32)/'No such object'

Regression test for https://pagure.io/freeipa/issue/8044

If there is a timeout during a request to SSSD the extdom plugin
should not return error 'No such object' and the existing
user should not be added to negative cache on the client.

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
48a3f4af by Rob Crittenden at 2019-09-19T10:11:52-04:00
Don't log host passwords when they are set/modified

The host password was defined as a Str type so would be
logged in cleartext in the Apache log.

A new class, HostPassword, was defined to only override
safe_value() so it always returns an obfuscated value.

The Password class cannot be used because it has special treatment
in the frontend to manage prompting and specifically doesn't
allow a value to be passed into it. This breaks backwards
compatibility with older clients. Since this class is derived
from Str old clients treat it as a plain string value.

This also removes the search option from passwords.

https://pagure.io/freeipa/issue/8017

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
ffb4b624 by Rob Crittenden at 2019-09-19T10:13:26-04:00
Re-order tasks.restore_pkcs11_modules() to run earlier

It was executed after restore_all_files() so PKCS11_MODULES was
already restored so that part was a no-op, but the redhat
restore_pkcs11_modules() also calls unlink() on each restored
file so basically the file would be restored, unlinked, then
since it was already restored, skipped.

By moving the call to restore_pkcs11_modules() earlier it can
do the expected restoration properly.

https://pagure.io/freeipa/issue/8034

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
a38a3843 by Alexandre Mulatinho at 2019-09-19T10:44:09-04:00
ipa-scripts: fix all ipa command line scripts to operate with -I

Replacing -E flag to -I on all ipa python scripts except tests.

Signed-off-by: Alexandre Mulatinho <alex at mulatinho.net>
Related: https://pagure.io/freeipa/issue/7987
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
78d27f82 by Armando Neto at 2019-09-20T08:12:21-03:00
Update definitions for nightly tests

Update nightly definitions used to test if FreeIPA works when repo
`updates-testing` is enabled.

These changes include all tests currently defined in `nightly_master.yaml`.

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
9c20641f by Rafael Guterres Jeffman at 2019-09-20T10:12:09-04:00
Re-add function façades removed by commit 2da9088.

ansible-freeipa breaks if this functions do not exist, so they will be
added back and marked as deprecated.

Related Tickets:
https://pagure.io/freeipa/issue/8062

Signed-off-by: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
5b28c458 by Rob Crittenden at 2019-09-20T10:16:57-04:00
Report if a certmonger CA is missing

If a certmonger CA is not defined but is referenced within
a request (so was removed sometime after a request was
created) then anything that pulls all certmonger requests would
fail with the cryptic error:

"Failed to get request: bus, object_path and dbus_interface
must not be None."

This was often seen during upgrades.

Catch this specific condition and report a more specific error
so the user will have some bread crumb to know how to address
the issue.

https://pagure.io/freeipa/issue/7870

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
a2313114 by Florence Blanc-Renaud at 2019-09-20T13:14:18-04:00
ipatests: enable 389-ds audit log and collect audit file

In test_integration, enable 389-ds audit log and auditfail log by setting
nsslapd-auditlog-logging-enabled: on
nsslapd-auditfaillog-logging-enabled: on

and collect the generated audit file. This will help troubleshoot failures
related to DS.

Fixes: https://pagure.io/freeipa/issue/8064
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c11fd328 by Robbie Harwood at 2019-09-22T20:27:25+03:00
Fix segfault in ipadb_parse_ldap_entry()

lcontext may be NULL here, probably due to a restarted 389ds.  Based on
a patch by Rob Crittenden.

Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
055ea253 by Florence Blanc-Renaud at 2019-09-22T20:29:41+03:00
ipa-backup: backup the PKCS module config files setup by IPA

ipa installer creates /etc/pkcs11/modules/softhsm2.module in order
to disable global p11-kit configuration for NSS.
This file was not included in the backups, and not restored.

The fix adds the file to the list of files to include in a backup.

Fixes: https://pagure.io/freeipa/issue/8073
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
29192377 by Florence Blanc-Renaud at 2019-09-22T20:29:41+03:00
ipatests: ensure that backup/restore restores pkcs 11 modules config file

In the test_backup_and_restore, add a new test:
- before backup, save the content of /etc/pkcs11/modules/softhsm2.module
- after restore, ensure the file is present with the same content.

Related: https://pagure.io/freeipa/issue/8073
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
802e54dd by Florence Blanc-Renaud at 2019-09-23T14:36:10+02:00
replica install: enforce --server arg

When the --server option is provided to ipa-replica-install (1-step
install), make sure that the server offers all the required roles
(CA, KRA). If it's not the case, refuse the installation.

Note that the --server option is ignored when promoting from client to
replica (2-step install with ipa-client-install and ipa-replica-install),
meaning that the existing behavior is not changed in this use case:
by default the host specified in default.conf as server is used for
enrollment, but if it does not provide a required role, another host can
be picked for CA or KRA setup.

Fixes: https://pagure.io/freeipa/issue/7566
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
8da0e2e9 by Rob Crittenden at 2019-09-23T09:27:28-04:00
ipa-restore: Restore ownership and perms on 389-ds log directory

Previously it would end up being owned by root:root mode 0755
instead of dirsrv:dirsrv mode 0770.

https://pagure.io/freeipa/issue/7725

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
98ee5f24 by Armando Neto at 2019-09-23T12:23:37-03:00
prci: update packages for pki and testing nightly runs

This forces PR-CI to update the packages instead of using the versions
already included in the vagrant image.

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
90f72324 by Christian Heimes at 2019-09-24T15:23:30+02:00
Don't create log files from help scripts

Helper scripts now use api.bootstrap(log=None) to avoid the creation of
log files. Helper scripts are typically executed from daemons which
perform their own logging. The helpers still log to stderr/stdout.

This also gets rid of some SELinux AVCs when the script tries to write
to /root/.ipa/.

Fixes: https://pagure.io/freeipa/issue/8075
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7e92e651 by Fraser Tweedale at 2019-09-25T12:42:06+10:00
IPASecStore: support extra key arguments

To support lightweight CA key replication using AES, while retaining
backwards compatibility with old servers, it is necessary to signal
support for AES.  Whereas we currently request a key with the path:

  /keys/ca_wrapped/<nickname>

and whereas paths with > 3 components are unsupported, add support
for handlers to signal that they support extra arguments (defaulting
to False), those arguments being conveyed as additional path
components, e.g.:

  # 2.16.840.1.101.3.4.1.2 = aes128-cbc
  /keys/ca_wrapped/<nickname>/2.16.840.1.101.3.4.1.2

This commit only adds the Custodia support for extra handler
arguments.  Work to support LWCA key replication with AES wrapping
will continue in subsequent commits.

Part of: https://pagure.io/freeipa/issue/8020

Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
8fbcc335 by Fraser Tweedale at 2019-09-25T12:42:06+10:00
NSSWrappedCertDB: accept optional symmetric algorithm

Add support for Custodia ca_wrapped clients to specify the desired
symmetric encryption algorithm for exporting the wrapped signing key
(this mechanism is used for LWCA key replication).  If not
specified, we must assume that the client has an older Dogtag
version that can only import keys wrapped with DES-EDE3-CBC
encryption.

The selected algorithm gets passed to the 'nsswrappedcert' handler,
which in turn passes it to the 'pki ca-authority-key-export' command
(which is part of Dogtag).

Client-side changes will occur in a subsequent commit.

Part of: https://pagure.io/freeipa/issue/8020

Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
bfead9ce by Fraser Tweedale at 2019-09-25T12:42:06+10:00
ipa-pki-retrieve-key: request AES encryption (with fallback)

Update the ipa-pki-retrieve-key client to issue a request that
specifies that AES encryption should be used.  If the server
responds 404, fall back to a request *without* an algorithm
parameter.  This handles both of the possible 404 scenarios:

a) It is an old server that does not support extra Custodia key
   parameters;

b) The server supports extra parameters but the key does not exist,
   in which case the fallback request will also fail with 404.

Fixes: https://pagure.io/freeipa/issue/8020
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
7c7a827c by Fraser Tweedale at 2019-09-25T12:42:06+10:00
Bump Dogtag min version to 10.7.3

Dogtag 10.7.3 adds AES support for key export, enabling lightweight
CA key replication to use AES.  Bump the Requires min version.

Fixes: https://pagure.io/freeipa/issue/8020
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
d0b420f6 by Stanislav Levin at 2019-09-25T20:14:06+10:00
Fixed errors newly exposed by pylint 2.4.0

Newest Pylint introduced additional checks [1]:

- import-outside-toplevel [2]

> This check warns when modules are imported from places other
than a module toplevel, e.g. inside a function or a class.

- no-else-continue [3]

> These checks highlight unnecessary else and elif blocks after
break and continue statements.

- unnecessary-comprehension [4]

> This check is emitted when pylint finds list-, set- or
dict-comprehensions, that are unnecessary and can be rewritten
with the list-, set- or dict-constructors.

[1] https://github.com/PyCQA/pylint/blob/pylint-2.4.0/doc/whatsnew/2.4.rst
[2] https://github.com/PyCQA/pylint/issues/3067
[3] https://github.com/PyCQA/pylint/issues/2327
[4] https://github.com/PyCQA/pylint/issues/2905

Fixes: https://pagure.io/freeipa/issue/8077
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
feae9de7 by Stanislav Levin at 2019-09-25T20:14:06+10:00
Setup DNS for AP Docker container

Docker utilizes its own way to provide DNS (hostname, hosts, NS).
By default, they are almost the same as the host's ones.
For instance, below is from AP container:
```
cat /etc/hosts

127.0.0.1	localhost
::1	localhost ip6-localhost ip6-loopback
fe00::0	ip6-localnet
ff00::0	ip6-mcastprefix
ff02::1	ip6-allnodes
ff02::2	ip6-allrouters
172.17.0.2	ipa.example.test ipa

cat /etc/resolv.conf
nameserver 168.63.129.16
search hqdv2iuiph0ufpcrhp4amkgzwf.fx.internal.cloudapp.net
```

As a result FreeIPA uses 168.63.129.16 (AP DNS NS [1]) as a DNS forwarder..
It's not desirable to rely on this.
Let's clear test environment.

[1] https://docs.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16

Related: https://pagure.io/freeipa/issue/8077
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
c8b0d1d6 by Rob Crittenden at 2019-09-25T11:38:31-04:00
Disable dogtag cert publishing

Dogtag had only one switch, ca.publish.enable, for both CRLs and certs.

Since cert publishing is not used in IPA it should be disabled to
avoid false positives in the logs.

https://pagure.io/freeipa/issue/7522

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
6127aa0e by Florence Blanc-Renaud at 2019-09-25T15:59:51-04:00
ipatests: fix fedora29 nightly definition

test_sssd is using a wrong dependency (fedora30 build instead
of fedora29 build). As a result, this test is not triggered
by PRCI because it's waiting forever for a dependency.
(See the status: fedora-30/test_sssd Pending — unassigned)

Fix the version in the fedora 29 nightly definition.

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
bc53544c by Rafael Guterres Jeffman at 2019-09-27T09:38:32+02:00
Removes rpmlint warning on freeipa.spec.

This patch removes a warning due to mixed usage of spaces and tabs
in freeipa.spec.in file.

Signed-off-by: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
c898be1d by Rafael Guterres Jeffman at 2019-09-27T09:38:32+02:00
Removes several pylint warnings.

This patche removes 93 pylint deprecation warnings due to invalid escape
sequences (mostly 'invalid escape sequence \d') on unicode strings.

Signed-off-by: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
51e0f564 by Rafael Guterres Jeffman at 2019-09-27T09:38:32+02:00
Removed unnecessary imports after code review.

Signed-off-by: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
d4fab336 by Rafael Guterres Jeffman at 2019-09-27T09:38:32+02:00
Removes several pylint warnings.

This patche removes 93 pylint deprecation warnings due to invalid escape
sequences (mostly 'invalid escape sequence \d') on unicode strings.

Signed-off-by: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
73529e06 by Rafael Guterres Jeffman at 2019-09-27T09:38:32+02:00
Removed unnecessary imports after code review.

Signed-off-by: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
883b4424 by Rafael Guterres Jeffman at 2019-09-27T09:38:32+02:00
Fixes pylint errors introduced by version 2.4.0.

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
b2a2d7f4 by Florence Blanc-Renaud at 2019-09-27T15:33:15+02:00
ipa user_add: do not check group if UPG is disabled

The UPG plugin is used to create a user private group when a new
IPA user is created, with the same name as the user. When this plugin
is enabled, the user creation must ensure that no group exists with
the same name.

When the UPG plugin is disabled, or when the user is created with the
--noprivate option, there is no need to perform this check as the
private group will not get created.

Currently, the --noprivate option correctly skips the test, but a
disabled UPG plugin does not skip the test. The fix ensures that
UPG plugin status is checked.

Fixes: https://pagure.io/freeipa/issue/4972
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
387ee6e6 by Florence Blanc-Renaud at 2019-09-27T15:33:15+02:00
ipatests: add XMLRPC test for user-add when UPG plugin is disabled

Add a new XMLRPC test in test_user_plugin:
- disable the UPG plugin
- create a user without the --gid parameter
  as the default group for new users is not POSIX (ipausers), the
  command is expected to fail
- create a user with the --gid parameter
  The provided gid is used and command is expected to succeed
- create a user with the same name as an existing group
  As the UPG plugin is disabled, the user creation will not trigger
  the creation of a group with the same name, and command is
  expected to succeed
- re-enable the UPG plugin for other tests

Related to: https://pagure.io/freeipa/issue/4972

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
121971a5 by Florence Blanc-Renaud at 2019-10-01T09:37:36+02:00
ipatests: fix test_replica_promotion.py::TestHiddenReplicaPromotion

The test test_replica_promotion.py::TestHiddenReplicaPromotion randomly
fails in nightly_f29.

The test is checking that a given IP address is not in the DNS records
for the domain. When we are unlucky, we may come up with the following
situation:
- IP address that is unexpected: 192.168.121.25
- IP address that is found for the DNS record: 192.168.121.254

As 192.168.121.25 is a substring of 192.168.121.254, the test wrongly considers that the unexpected address was found.
Extract of the log:
    for host in hosts_unexpected:
        value = host.hostname if rtype == 'SRV' else host.ip
>       assert value not in txt
E       AssertionError: assert '192.168.121.25' not in 'ipa-ca.ipa.test. 1 IN A 192.168.121.254'
E         '192.168.121.25' is contained here:
E           ipa-ca.ipa.test. 1 IN A 192.168.121.254
E         ?                         ++++++++++++++

This happens because the test is comparing the content of the output as a
string. The fix is extracting the exact hostname/IP address from the
record instead.

Fixes: https://pagure.io/freeipa/issue/8070
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7aec6f10 by Mohammad Rizwan Yusuf at 2019-10-01T08:17:55-04:00
Check file ownership and permission for dirsrv log instance

Check if file ownership and permission is set to dirsrv:dirsrv
and 770 on /var/log/dirsrv/slapd-<instance> after ipa-restore.

related ticket : https://pagure.io/freeipa/issue/7725

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
19d51683 by Alexander Bokovoy at 2019-10-01T10:38:00-04:00
Add local helpers to handle unixid structure

Samba did remove unixid_from_*() helpers in the upstream commit
c906153cc7af21abe508ddd30c447642327d6a5d (Samba 4.11). Since they are
very simple, make a local copy instead.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1757089
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
cf700637 by Cédric Jeanneret at 2019-10-02T15:29:08+02:00
Add new tip for dependencies

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
a4ca3426 by Armando Neto at 2019-10-03T09:01:16-03:00
prci: increase timeout for jobs that required AD

Vagrant retries to provision hosts if something happens, it was introduced
in PR-CI after https://github.com/freeipa/freeipa-pr-ci/commit/380c8b8c78a1ce277b7c1a327bda9d123c117c4d.

This takes time, some jobs are killed during test execution, so this
increases the time-out parameter from 1 hour and 20 minutes to 2 hours.

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
c2c1000e by Mohammad Rizwan Yusuf at 2019-10-07T08:08:35+02:00
Installation of replica against a specific server

Test to check replica install against specific server. It uses master and
replica1 without CA and having custodia service stopped. Then try to
install replica2 from replica1 and expect it to get fail as specified server
is not providing all the services.

related ticket: https://pagure.io/freeipa/issue/7566

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c77bbe78 by Mohammad Rizwan Yusuf at 2019-10-07T08:08:35+02:00
Add test to nightly yamls

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
0b8c81a5 by Christian Heimes at 2019-10-10T09:20:51+02:00
Don't install a preexec_fn by default

ipautil.run() now only installs a preexec_fn when it is actually needed.
This addresses a compatibility issue with mod_wsgi subinterpreters under
Python 3.8.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1759290
See: https://bugs.python.org/issue37951
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0d7f89c5 by Sergey Orlov at 2019-10-10T13:27:03+02:00
ipatests: fix DNS forwarders setup for AD trust tests with non-root domains

The tests are failing to establish trust with AD subdomain and tree domain
controllers. This happens because IPA server needs to contact root domain
controller to fetch domain-wide UPN suffixes but can not do it because we
setup DNS forwarding only for the domains with which we try to establish
trust.
To establish trust with AD subdomain we now setup forwarder for root AD
domain, and to establish trust with AD treedomain  -- two forwarders:
one for root domain and another one for treedomain.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1ac7169d by François Cami at 2019-10-14T11:01:40+02:00
ipa_client_automount.py: fix typo (idmap.conf => idmapd.conf)

660c49 introduced --idmap-domain which sets the Domain option in
idmapd.conf. However the help message for that knob mentioned
idmap.conf which is wrong. Fix that.
Reported by Marc Muehlfeld <mmuehlfe at redhat.com>.

Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
e6db4980 by François Cami at 2019-10-16T12:14:19+02:00
ipatests: temporarily remove test_smb from gating

test_smb is now failing in a repeatable way due to CI infrastructure
issues. Temporarily remove it until this is fixed.

Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
0fc8562b by Florence Blanc-Renaud at 2019-10-17T08:11:45+02:00
ipa-server-certinstall manpage: add missing options

Some options were not documented in the man page:
--version
-h, --help
-p DIRMAN_PASSWD (but the long name --dirman-password is in the man page)
-v, --verbose
-q, --quiet
--log-file=FILE

Fixes: https://pagure.io/freeipa/issue/8086
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
326d417d by Fraser Tweedale at 2019-10-17T08:17:46+02:00
krainstance: set correct issuer DN in uid=ipakra entry

If IPA CA has custom subject DN (not "CN=Certificate
Authority,{subject_base}"), the uid=ipakra people entry gets an
incorrect 'description' attribute.  The issuer DN in the
'description' attribute is based on the aforementioned pattern,
instead of the actual IPA CA subject DN.

Update KRAInstance.configure_instance() to require the CA subject DN
argument.  Update ipaserver.install.kra.install() to pass the CA
subject DN.

Fixes: https://pagure.io/freeipa/issue/8084
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
7ea50ff7 by Fraser Tweedale at 2019-10-17T08:17:46+02:00
upgrade: fix ipakra people entry 'description' attribute

Add an upgrade script to detect when ipakra people entry has
incorrect 'description' attribute and fix it.

Part of: https://pagure.io/freeipa/issue/8084

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
e767386e by Fraser Tweedale at 2019-10-17T08:17:46+02:00
test_integration: add tests for custom CA subject DN

Define integration test for custom CA subject DN and subject base
scenarios.  Add to nightly CI runs.

Part of: https://pagure.io/freeipa/issue/8084

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
16149831 by Stanislav Levin at 2019-10-17T08:29:06+02:00
Restore running of 'test_ipaserver' tests on Azure

`test_ipaserver` was lost on refactoring in #c8ef093e56.
Let's run that again.

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
1ed7dd4b by Stanislav Levin at 2019-10-17T08:29:06+02:00
Install language packs for tests

* 'fr_FR' locale is utilized in
test_ipaserver/test_i18n_messages.py::test_i18n_messages::test_i18n_consequence_receive

* 'en_US' is a commonly used locale
AP warns regularly:

```
/bin/bash: warning: setlocale: LC_ALL: cannot change locale
(en_US.utf8): No such file or directory
```

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
921f5002 by Florence Blanc-Renaud at 2019-10-17T08:36:54+02:00
ipa-backup: fix python2 issue with os.mkdir

Python2 and python3 have different interfaces for os.mkdir:
python2: os.mkdir(path[, mode])
python3: os.mkdir(path, mode=0o777, *, dir_fd=None)

ipa-backup is using the python3 format, which breaks deployments using
python2. The fix consists in using os.mkdir(path, 0o700) instead of
os.mkdir(path, mode=0o700).

Fixes: https://pagure.io/freeipa/issue/8099
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
3d8a444f by Armando Neto at 2019-10-18T11:27:09-03:00
prci: increase timeout argument for test_sssd.py

Follow-up for commit a4ca34261a55af96e3428822f08f8b2292e6234a.

Vagrant retries to provision hosts if something happens, it was introduced
in PR-CI after freeipa/freeipa-pr-ci at 380c8b8.

This takes time, some jobs are killed during test execution, so this
adds 20 minutes more to `test_sssd.py` test suite.

This also adds a missing but available topology to `temp_commit.yaml`.

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
f44b73b9 by François Cami at 2019-10-18T22:40:00+02:00
ipatests: nightly_f29: disable TestIpaClientAutomountFileRestore

The fixes for https://pagure.io/freeipa/issue/8054 and
https://pagure.io/freeipa/issue/8038 are intended for f30.
Given that the fixes will not be backported to f29, disable
that test.

Fixes: https://pagure.io/freeipa/issue/8063
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c6769ad1 by Stanislav Levin at 2019-10-21T18:01:32+11:00
Fix errors found by Pylint-2.4.3

New Pylint (2.4.3) catches several new 'true problems'. At the same
time, it warns about things that are massively and reasonably
employed in FreeIPA.

list of fixed:
- no-else-continue
- redeclared-assigned-name
- no-else-break
- unnecessary-comprehension
- using-constant-test (false positive)

list of ignored (responsibility of contributors and reviewers):
- import-outside-toplevel

Fixes: https://pagure.io/freeipa/issue/8102
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
73796c77 by Spencer E. Olson at 2019-11-01T13:46:14-04:00
Fixes debian path for IPA_CUSTODIA_HANDLER

Debian installs into a different directory for libexec files.  This patch
fixes the path to the custodia files for debian.

Signed-off-by: Spencer E. Olson <olsonse at umich.edu>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
14be2715 by Sergey Orlov at 2019-11-01T13:49:09-04:00
ipatests: add test to check that only TLS 1.2 is enabled in Apache

Related to: https://pagure.io/freeipa/issue/7995

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
09d5b938 by Rob Crittenden at 2019-11-04T09:45:07-05:00
Enable AES SHA 256 and 384-bit enctypes in Kerberos

https://pagure.io/freeipa/issue/8110

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
b10e43c3 by Sergey Orlov at 2019-11-05T17:24:24+01:00
ipatests: strip newline character when getting name of temp file

Function create_temp_file was returning unprocessed output of mktemp
command, which contains a trailing newline. Callers which tryed to write
to the temp file were creating a new one instead.

Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
f16c08b7 by Sergey Orlov at 2019-11-05T17:24:24+01:00
ipatests: in DNS zone file add A record for name server

Testcase test_server_option_with_unreachable_ad creates a zone file
for AD domain. This file had a hard-coded A record for host specified in
NS record. Some versions of BIND consider this zone invalid and refuse
to start with message:
```
zone ad.test/IN: NS 'root-dc.ad.test' has no address records (A or AAAA)
```

Fixed by replacing hard-coded value with short name of the AD instance.

Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
bc56642b by Christian Heimes at 2019-11-05T11:48:28-05:00
Block camellia in krbenctypes update in FIPS

Add FIPS conditional to updates to prevent updater from adding camellia
encsalttypes.

Fixes: https://pagure.io/freeipa/issue/8111
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
560acf37 by Christian Heimes at 2019-11-05T11:48:28-05:00
Skip commented lines after substitution

LDAP updater now ignores commented out lines after substitution.

Fixes: https://pagure.io/freeipa/issue/8111
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
3cb9444c by Robbie Harwood at 2019-11-06T15:39:51-05:00
Provide modern example enctypes in ipa-getkeytab(1)

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1e3de172 by Rob Crittenden at 2019-11-07T13:00:15-05:00
Add conditional restart (try-restart) capability to services

This will conditionally restart a service if it is active.

https://pagure.io/freeipa/issue/8105

Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Ade Lee <alee at redhat.com>

- - - - -
3593e536 by Rob Crittenden at 2019-11-07T13:00:15-05:00
Conditionally restart certmonger after client installation

If certmonger is running prior to client installation then its
IPA CA configuration will be incomplete and missing the CA chain.

If a certificate is subsequently requested with -F to store the
CA chain in a file or NSS db it may not be available yet. A
conditional restart of certmonger will pick up the new IPA
configuration and complete the IPA CA configuration in certmonger.

A pure restart and service activation is not done since certmonger
is not required unless --request-cert was passed ipa-client-install.

https://pagure.io/freeipa/issue/8105

Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Ade Lee <alee at redhat.com>

- - - - -
87c24ebd by Florence Blanc-Renaud at 2019-11-08T12:57:54+01:00
smartcard: make the ipa-advise script compatible with authselect/authconfig

"ipa-advise config-client-for-smart-card-auth" is run on a server and
creates a script that needs to be copied and executed on a client.
The client may be of a different version and use authconfig instead of
authselect. The generated script must be able to handle both cases
(client using authselect or client using authconfig).

The patch checks whether authselect is available and calls the proper
configuration command (authselect or authconfig) depending on its
availability on the client.

Fixes: https://pagure.io/freeipa/issue/8113
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
f0a1f084 by Christian Heimes at 2019-11-11T09:31:14+01:00
Add group membership management

A group membership manager is a user or a group that can add members to
a group or remove members from a group or host group.

Fixes: https://pagure.io/freeipa/issue/8114
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0f4c41ab by Christian Heimes at 2019-11-11T09:31:14+01:00
Add tests for member management

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
72540c42 by Sergey Orlov at 2019-11-11T15:09:23+01:00
ipatests: refactor FileBackup helper

* `cp` now preserves all attributes of original file, there is no reason
  to select only some of them
* backup is now restored with `mv` instead of `cp` to avoid leaving junk

Related to: https://pagure.io/freeipa/issue/8115

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c2b230ce by Sergey Orlov at 2019-11-11T15:09:23+01:00
ipatests: replace ad hoc backup with FileBackup helper

Test test_smb_mount_and_access_by_different_users was failing with message
```
kdestroy: Permission denied while initializing krb5
```

This happened because the previous test
`test_smb_access_for_ad_user_at_ipa_client` was calling the fixture
`enable_smb_client_dns_lookup_kdc` which was doing backup of krb5.conf
in a wrong way:
- mktemp (to create a temp file)
- cp /etc/krb5.conf to the temp file
- ...
- mv tempfile /etc/krb5.conf

This flow looses the file permissions, because mktemp creates a file
using the default umask, which results in -rw------- permissions.
The copy does not modify the permissions, and the mv keeps the
permissions from the source => /etc/krb5.conf now has -rw-------.

Fixes: https://pagure.io/freeipa/issue/8115
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f58fb573 by Sergey Orlov at 2019-11-11T15:09:23+01:00
ipatests: enable test_smb.py in gating.yaml

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
6c271044 by Cédric Jeanneret at 2019-11-12T10:49:49+02:00
Prevents DNS Amplification Attack and allow to customize named

While [1] did open recursion, it also opened widely a security flaw.

This patch intends to close it back, while allowing operators to easily
add their open configuration within Bind9.

In order to allow operators to still open Bind recursion, a new file is
introduced, "ipa-ext.conf" (path might change according to the OS). This
file is not managed by the installer, meaning changes to it won't be
overridden.
Since it's included at the very end of the main configuration file, it
also allows to override some defaults - of course, operators have to be
careful with that.

Related-Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1754530
Fixes: https://pagure.io/freeipa/issue/8079

[1] https://github.com/freeipa/freeipa/commit/5f4c75eb28b3d50a35fbf3a86a6d842bce8e72f9

Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
97a31e69 by Christian Heimes at 2019-11-12T12:26:49+01:00
Use default ssh host key algorithms

ipa-client-install no longer overrides SSH client settings for
HostKeyAlgorithms. It's no longer necessary to configure
HostKeyAlgorithms. The setting was disabling modern algorithms and
enabled a weak algorithm that is blocked in FIPS code.

The ipa-client package removes IPA's custom HostKeyAlgorithm from
/etc/ssh/ssh_config during package update. Non-IPA settings are not
touched.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1756432
Fixes: https://pagure.io/freeipa/issue/8082
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c62bd160 by Armando Neto at 2019-11-12T09:16:11-03:00
prci: rename definitions files and jobs to change how fedora releases are referenced

Replacing `fedora-30` with `fedora-latest` and `fedora-29` with `fedora-previous` will
reduce the changes required for new releases of Fedora.

Future changes would only require to update the name and version of the template used.

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
99d6845d by Armando Neto at 2019-11-12T09:16:11-03:00
prci: bump fedora release

Fedora 31 is the latest release, Fedora 30 is now the previous release.

New template boxes were built for current tests definitions with
updated dependencies.

Boxes were generated after https://github.com/freeipa/freeipa-pr-ci/pull/321

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
d317fd4d by Alexander Bokovoy at 2019-11-12T17:08:43+02:00
Update translations

Add Portuguese translation

Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
d243c188 by Alexander Bokovoy at 2019-11-12T20:49:18+02:00
Update contributors

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
cd887a48 by Francisco Trivino at 2019-11-14T13:09:24+01:00
prci: bump template version and fix test_smb gating definition

Template used: https://app.vagrantup.com/freeipa/boxes/ci-master-f31/versions/0.0.2
with installed packages updated.

This commit also replaces `fedora-30` with `fedora-latest` for test_smb gating definition

Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
8124b1bd by Christian Heimes at 2019-11-14T16:01:15+01:00
Test installation with (fake) userspace FIPS

Based on userspace FIPS mode by Ondrej Moris.

Userspace FIPS mode fakes a Kernel in FIPS enforcing mode. User space
programs behave like the Kernel was booted in FIPS enforcing mode. Kernel
space code still runs in standard mode.

Fixes: https://pagure.io/freeipa/issue/8118
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e5368244 by Armando Neto at 2019-11-14T12:03:36-03:00
prci: bump template version for temp_commit and nightly_latest

Commit cd887a48b510fe17ed181d61d4fc69eb978c771d did that for gating,
this commit bumps the version for the remaining definitions.

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
c0b0c6b4 by Serhii Tsymbaliuk at 2019-11-19T13:31:08+01:00
WebUI: Fix adding member manager for groups and host groups

- fix API method call for adding member manager
- fix regressions in host group associated tables

Ticket: https://pagure.io/freeipa/issue/8123

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
e08a6de6 by Florence Blanc-Renaud at 2019-11-20T11:15:28+01:00
DNParam: raise Exception when multiple values provided to a 1-val param

When ipa user-add-certmapdata is called with multiple --subject or
multiple --issuer, the DNParam's _convert_scalar method is called with
a tuple containing all the params and should raise an exception as the
--subject and --issuer are single-value params.

The DNParam _convert_scalar method internally calls the DN init method,
and the DN init method is able to create a DN from a tuple of RDNs.
As such, it won't raise exception if a tuple/list is provided.

Check that _convert_scalar is only provided a single element.

Fixes: https://pagure.io/freeipa/issue/8097
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ecdd7dae by Florence Blanc-Renaud at 2019-11-20T11:15:28+01:00
XMLRPCtest: add a test for add-certmapdata with multiple subject/issuer

ipa user-add-certmapdata defines --issuer and --subject as single valued.
Add a test checking that this is enforced.

Related: https://pagure.io/freeipa/issue/8097
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7893fb9c by Florence Blanc-Renaud at 2019-11-20T11:15:28+01:00
test_ipalib: add test for DNParam class

A single-valued DNParam parameter must not accept multivalues. Add test
checking the behavior for single valued and multivalued DNParam.

Related: https://pagure.io/freeipa/issue/8097
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ba466a80 by Alexander Bokovoy at 2019-11-20T16:19:00+01:00
Do not run trust upgrade code if master lacks Samba bindings

If a replica has no Samba bindings but there are trust agreements
configured on some trust controller, skip trust upgrade code on this
replica.

Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>

- - - - -
b216701d by Christian Heimes at 2019-11-20T17:08:40+01:00
Show group-add/remove-member-manager failures

Commands like ipa group-add-member-manager now show permission
errors on failed operations.

Fixes: https://pagure.io/freeipa/issue/8122
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ae256fa5 by Cédric Jeanneret at 2019-11-20T17:12:34-05:00
Update selinux-policy minimal requirement

Since 6c2710446718828e6840ac34ea6fc704ae6790db we need a new selinux
policy in order to ensure /etc/named directory content has the correct
selinux flags.

Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
7f6b1c99 by Serhii Tsymbaliuk at 2019-11-21T16:44:11+01:00
WebUI: Fix notification area layout

The fix prevents blocking elements in the right side near notification area.
Notification area now has fixed width and it isn't offset.
Also notification icon is aligned to notification text.

Ticket: https://pagure.io/freeipa/issue/8120

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
9db6f65a by Alexander Bokovoy at 2019-11-21T11:13:12-05:00
Allow presence of LDAP attribute options

LDAP attribute options aren't enforced in the LDAP schema. They
represent server- and client-side treatment of attribute values but the
schema definition knows nothing about them.

When we check attribute presence in the entry, we should strip options
before comparing attribute names with the schema.

Related: https://pagure.io/freeipa/issue/8001
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
c5f32165 by Alexander Bokovoy at 2019-11-21T11:13:12-05:00
Add Authentication Indicator Kerberos ticket policy options

For the authentication indicators 'otp', 'radius', 'pkinit', and
'hardened', allow specifying maximum ticket life and maximum renewable
age in Kerberos ticket policy.

The policy extensions are now loaded when a Kerberos principal data is
requested by the KDC and evaluated in AS_REQ KDC policy check. If one of
the authentication indicators mentioned above is present in the AS_REQ,
corresponding policy is applied to the ticket.

Related: https://pagure.io/freeipa/issue/8001

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
c02cc93c by Rob Crittenden at 2019-11-21T11:13:12-05:00
Add integration test for Kerberos ticket policy

This also exercises the Authentication Indicator Kerberos ticket
policy options by testing a specific indicator type.

Related: https://pagure.io/freeipa/issue/8001

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
438094f8 by François Cami at 2019-11-23T00:12:24+01:00
DSU: add Design for Disable Stale Users

Add disable-stale-users.md: feature document for the upcoming DSU feature..

Fixes: https://pagure.io/freeipa/issue/8104
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
04bb8ef2 by Timo Aaltonen at 2019-11-25T12:21:24+01:00
Debian: Fix font-awesome path.

Signed-off-by: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
094cf629 by Florence Blanc-Renaud at 2019-11-25T12:38:32+01:00
Nightly definition: use right template for krbtpolicy

The ipaserver template triggers the installation of IPA server
before the tests are launched and should not be used for
test_integration tests

Switch to master_1repl template.

Related: https://pagure.io/freeipa/issue/8001
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
e8735774 by Sergey Orlov at 2019-11-26T11:14:41+01:00
ipatests: add check that ipa-adtrust-install generates sane smb.conf

Related to: https://pagure.io/freeipa/issue/6951

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
4abd2f76 by Simo Sorce at 2019-11-26T11:33:48+01:00
Make sure to have storage space for tag

ber_scanf expects a pointer to a ber_tag_t to return the tag pointed at
by "t", if that is not provided the pointer will be store in whatever
memory location is pointed by the stack at that time causeing a crash.

Note that this is effectively unused code because in ipa-kdb the only
party that can write a key_data structure to be stored is te kdb_driver
itself and we never encode these s2kparam data.

But we need to handle this for future proofing.

Fixes #8071

Signed-off-by: Simo Sorce <simo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
02ce407f by Rob Crittenden at 2019-11-26T15:24:20+02:00
CVE-2019-10195: Don't log passwords embedded in commands in calls using batch

A raw batch request was fully logged which could expose parameters
we don't want logged, like passwords.

Override _repr_iter to use the individual commands to log the
values so that values are properly obscured.

In case of errors log the full value on when the server is in
debug mode.

Reported by Jamison Bennett from Cloudera

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-by:  Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
095d3f9b by Christian Heimes at 2019-11-28T16:09:07+01:00
Add test case for OTP login

Add integration tests to verify HOTP, TOTP, service with OTP auth
indicator, and OTP token sync.

Related: https://pagure.io/freeipa/issue/7804
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e8b98555 by Christian Heimes at 2019-11-28T16:09:07+01:00
Fix otptoken_sync plugin

The plugin had two bugs:

For one it did not work under Python 3 because urlencode() returns a string
but HTTPSHandler expects bytes as data argument.

The primary key field name is not available in client plugins. Just pass
the token name and let server code convert the name to DN.

Fixes: https://pagure.io/freeipa/issue/7804
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e3ad7853 by Alexander Bokovoy at 2019-11-29T11:14:18+01:00
covscan: free encryption types in case there is an error

Even when a number of translated encryption types is zero, the array
might still be allocated. Call free() in any case as free(NULL) does
nothing.

Fixes: https://pagure.io/freeipa/issue/8131
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
e9dd7577 by Alexander Bokovoy at 2019-11-29T11:14:18+01:00
covscan: free ucs2-encoded password copy when generating NTLM hash

On successful code path we leak internal copy of the ucs2-encoded
password.

Fixes: https://pagure.io/freeipa/issue/8131
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
7dfc6e00 by Florence Blanc-Renaud at 2019-11-29T11:17:13+01:00
ipatests: generic uninstall should call ipa server-del

At the end of any integration test, the method uninstall is called and
uninstalls master, replicas and clients.
Usually the master is the CA renewal master and DNSSec master, and
uninstallation may fail.
This commits modifies the uninstall method in order to:
- call 'ipa server-del replica' before running uninstall on a replica
- uninstall the replicas before uninstalling the master

Fixes: https://pagure.io/freeipa/issue/7985
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
8cf4271a by Florence Blanc-Renaud at 2019-11-29T11:17:13+01:00
ipatests: fix teardown

The uninstall method of some tests can be skipped as the cleanup is
already done before.

Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
b3d65037 by Florence Blanc-Renaud at 2019-11-29T11:17:13+01:00
ipatests: fix test_crlgen_manage

The goal of the last test in test_crlgen_manage is to ensure that
ipa-server-install --uninstall can proceed if the server is the last one
in the topology, even if it is the CRL generation master.

The current code is wrong because it tries to uninstall the master
(which has already been uninstalled in the prev test), It should rather
uninstall replicas[0].

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
20ef79c0 by Christian Heimes at 2019-11-29T17:02:16+01:00
Remove FIPS noise from SSHd

When a system is in FIPS mode, SSHd can prints some noise to stderr:

    FIPS mode initialized\r\n

This noise causes interference and breakage of some tests. Remove the
noise from stderr_bytes, which automatically fixes stderr_text, too.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
d1539579 by Christian Heimes at 2019-11-29T17:02:16+01:00
FIPS: server key has different name in FIPS mode

Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
6a17a916 by Christian Heimes at 2019-11-29T17:02:16+01:00
Skip paramiko tests in FIPS mode

Paramiko is not compatible with FIPS mode. It uses MD5 on the client
side and does not support rsa-sha2 connections for RSA auth.

See: https://pagure.io/freeipa/issue/8129
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
0451db9d by Christian Heimes at 2019-12-02T16:48:07+01:00
Enable TLS 1.3 support on the server

urllib3 now supports post-handshake authentication with TLS 1.3. Enable
TLS 1.3 support for Apache HTTPd.

The update depends on bug fixes for TLS 1.3 PHA support in urllib3 and
Apache HTTPd. New builds are available in freeipa-master COPR and in
F30/F31.

Overwrite crypto-policy on Fedora only. Fedora 31 and earlier have TLS
1.0 and 1.1 still enabled by default.

Fixes: https://pagure.io/freeipa/issue/8125
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>

- - - - -
0198eca7 by Christian Heimes at 2019-12-02T16:48:07+01:00
Update Apache HTTPd for RHBZ#1775146

Fedora 30 update FEDORA-2019-d54e892077 httpd-2.4.41-6.1.fc30
Fedora 31 update FEDORA-2019-ae1dd32c5f httpd-2.4.41-9.fc31
RHEL 8.2 RHEA-2019:47297-02 httpd-2.4.37-21

Fixes: https://pagure.io/freeipa/issue/8125
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>

- - - - -
639bb719 by Christian Heimes at 2019-12-02T16:48:07+01:00
Don't hard-code client's TLS versions and ciphers

Client connections no longer override TLS version range and ciphers by
default. Instead clients use the default settings from the system's
crypto policy.

Minimum TLS version is now TLS 1.2. The default crypto policy on
RHEL 8 sets TLS 1.2 as minimum version, while Fedora 31 sets TLS 1.0 as
minimum version. The minimum version is configured with OpenSSL 1.1.1
APIs. Python 3.6 lacks the setters to override the system policy.

The effective minimum version is always TLS 1.2, because FreeIPA
reconfigures Apache HTTPd on Fedora.

Fixes: https://pagure.io/freeipa/issue/8125
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>

- - - - -
2319b38c by Armando Neto at 2019-12-02T16:39:01-03:00
travis: Remove CI integration

Removing Travis CI in favour of Azure Pipelines.

All tests previously tested by Travis are also configured in Azure.

Repos [1] and [2] were used to build Docker images for Travis, thus
they are no longer required for branches master and ipa-4-8.

Branches ipa-4-7 and ipa-4-6 don't have Azure pipelines configured,
so Travis will continue to be used by them.

1 - https://github.com/freeipa/ipa-docker-test-runner
2 - https://github.com/freeipa/freeipa-builder

Related: https://pagure.io/freeipa/issue/7323

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
2c9b212c by Florence Blanc-Renaud at 2019-12-04T09:06:56+01:00
trust upgrade: ensure that host is member of adtrust agents

After an upgrade, the group cn=adtrust agents may be missing some members.
Each ad trust controller must appear twice as member:
- krbprincipalname=cifs/hostname at realm,cn=services,cn=accounts,basedn
- fqdn=hostname,cn=computers,cn=accounts,basedn

Add an upgrade plugin that builds a list of hostnames from the cifs
principals and adds if needed fqdn=hostname...

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1778777
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
28929897 by Christian Heimes at 2019-12-04T10:35:14+01:00
Don't run test_smb in gating tests

test_smb slows down gating and PR turnover. The test takes between 45 and
50 minutes to execute while the other gating tests finish in about or less
than half the time.

The Samba / AD integration tests are still executed in nightly tests.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
dcb33e44 by Christian Heimes at 2019-12-05T15:07:57+01:00
Optimize user-add by caching ldap2.has_upg()

The method has_upg returns if user private groups are enabled or
disabled. has_upg() is called three times by user-add. The setting is
now cached on the request local variable context to speed up batch
processing of user imports.

context is cleared after every request.

Related: https://pagure.io/freeipa/issue/8134
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
cf9f9bb3 by Christian Heimes at 2019-12-05T15:09:38+01:00
Fix logic of check_client_configuration

The helper function ipalib.util.check_client_configuration() now
considers a client configured when either:

* confdir is overridden (e.g. with IPA_CONFDIR) and the conf_default
  file exists.
* confdir is /etc/ipa, /etc/ipa/default.conf exists and client
  sysrestore state exists.

The check for sysrestore state is faster than checking for the presence
of the directory and presence of files in the directory. The sysrestore
state is always presence. sysrestore.index may be missing if no files
were backed up.

Fixes: https://pagure.io/freeipa/issue/8133
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c1272e48 by Florence Blanc-Renaud at 2019-12-05T17:48:42+01:00
ipatests: fix TestMigrateDNSSECMaster teardown

The test is installing master +DNSSEC, then replica and migrates the DNSSEC
to the replica.
During teardown, the replica is removed with ipa server-del. This operation
deletes the entries cn=DNS and cn=DNSSEC on the master, but if the
replication is stopped before the operations are replicated on the replica,
the replica may end up with a dangling cn=DNSSEC entry and no cn=DNS entry.
In this case ipa-server-install --uninstall on the replica will fail.

The fix: uninstall the DNSSec master as the last step of teardown

Related: https://pagure.io/freeipa/issue/7985
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
dbfb011d by Christian Heimes at 2019-12-06T10:23:15+01:00
Fix lite-server to work with GSS_NAME

The lite-server does no longer work correctly since rpcserver is also
using GSS_NAME. Set up GSS_NAME from ccache.

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
836b90f6 by Anuja More at 2019-12-06T15:41:09+01:00
ipatests : Login via ssh using private-key for ipa-user should work.

Added test for : https://pagure.io/SSSD/sssd/issue/3937

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
650db3b8 by MIZUTA Takeshi at 2019-12-10T16:20:24+01:00
Add config that maintains existing content to ipa-client-install manpage

If --no-ssh and --no-sshd are not specified in ipa-client-install,
/etc/ssh/{ssh, sshd}_config is updated and existing content is maintained..

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
44b3791b by Christian Heimes at 2019-12-10T16:22:11+01:00
Require idstart to be larger than UID_MAX

ipa-server-install fails if idstart is set to 0. There might be
additional issues when idstart overlaps with local users. Ensure that
idstart is larger than UID_MAX or GID_MAX from /etc/login.defs.

Fixes: https://pagure.io/freeipa/issue/8137
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
3cae7f4e by Christian Heimes at 2019-12-10T16:22:48+01:00
Fix service ldap_disable()

Fix comparison bug that prevents ldap_disable to actually disable a
service.

Fixes: https://pagure.io/freeipa/issue/8143
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d30dd529 by Christian Heimes at 2019-12-10T16:23:31+01:00
Check valid before/after of external certs

verify_server_cert_validity() and verify_ca_cert_validity() now check
the validity time range of external certificates. The check fails if the
certificate is not valid yet or will expire in less than an hour.

Fixes: https://pagure.io/freeipa/issue/8142
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d5dad53e by François Cami at 2019-12-11T16:57:03-05:00
adtrust.py: mention restarting sssd when adding trust agents

After adding a replica to AD trust agent, the warning
message does not mention that restarting sssd is mantatory
for the trust agent to work. Fix the string.

Fixes: https://pagure.io/freeipa/issue/8148
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c30a0c22 by Christian Heimes at 2019-12-12T09:58:16+01:00
Fix get_trusted_domain_object_from_sid()

DomainValidator.get_trusted_domain_object_from_sid() was using
escape_filter_chars() with bytes. The function only works with text.
This caused idview to fail under some circumstances. Reimplement
backslash hex quoting for bytes.

Fixes: https://pagure.io/freeipa/issue/7958
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
6462cc0f by François Cami at 2019-12-12T10:01:25+01:00
ipatests: fix pr-ci templates' indentation

temp_commit.yaml among others have wrong indentation:
expected 4 but found 3.
Fix indentation.

Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
dd7fdaa7 by Alexander Bokovoy at 2019-12-12T18:24:44+01:00
DNS install check: allow overlapping zone to be from the master itself

When re-running `ipa-server-install --setup-dns` on already installed
server, we do not get to the check of being already installed because
DNS zone overlap forces us to fail earlier.

Change exception returned for this case from check_zone_overlap() to
return structured information that allows to understand whether we are
finding a conflict with ourselves.

Use the returned information to only fail DNS check at this point if DNS
zone overlap is generated by a different name server than ourselves.

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
d070c595 by Thomas Woerner at 2019-12-12T18:24:44+01:00
Test repeated installation of the primary with DNS enabled and domain set

Test that a repeated installation of the primary with DNS enabled
will lead to a already installed message and not in "DNS zone X
already exists in DNS" in check_zone_overlap.

The error is only occuring if domain is set explicitly in the command
line installer as check_zone_overlap is used in the domain_name validator..

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
a2820bbb by Thomas Woerner at 2019-12-12T18:24:44+01:00
Enable TestInstallMasterDNSRepeatedly in prci_definitions

For fedora-latest, pki-fedora, fedora-previous and fedora-rawhide

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
f0d12b7f by Sumit Bose at 2019-12-13T03:49:47+02:00
ipa-kdb: Remove keys if password auth is disabled

With commit 15ff9c8 a check was removed and as a result Kerberos keys
are unconditionally added to the user entry struct if they are
available. As a result the password related pre-authentication methods
PA-ENC-TIMESTAMP and PA-ETYPE-INFO2 are advertised in the NEEDED_PREAUTH
reply to an AS_REQ.

With respect to the KDC policies this does not matter much because if
password authentication is disabled for the given principal the policy
will reject the AS_REQ if the user tries password authentication. This
is possible because with commit 15ff9c8 kinit will ask for a password if
called without any additional options (e.g. armor ticket or PKINIT
identity). Before 15ff9c8 was committed it just failed with 'kinit:
Pre-authentication failed: Invalid argument while getting initial
credentials' because no suitable pre-authentication method was
available. This is the same behavior as if no password was set for the
given principal.

But with this change SSSD fails to detect the available authentication
types for the given principal properly. As described in
https://docs.pagure.org/SSSD.sssd/design_pages/prompting_for_multiple_authentication_types.html
SSSD uses the MIT Kerberos responder interface to determine the
available authentication methods for the principal and does not check
the ipaUserAuthType LDAP attribute. As a result if a user has 2FA (otp)
authentication configured, which implies that a password is set as the
first factor, the responder interface will always indicate that password
authentication is available even if only opt is enabled for the user.

In this case SSSD will use a prompting which indicates that the second
factor might be optional. Additionally if prompting the user directly is
not possible (e.g. ssh with ChallengeResponseAuthentication /
KbdInteractiveAuthentication disabled) the single string entered by the
user will always be assumed as a password and not as a combination of
password and otp-token value. As a consequence authentication will
always fail because password authentication is disabled for the user and
since SSSD does not do try-and-error 2FA is not tried.

This patch add back the check so that if password authentication is not
available for the principal the Kerberos will not be added to the entry
struct and the KDC will not advertise PA-ENC-TIMESTAMP or
PA-ETYPE-INFO2. If you think this is wrong and the behavior added by
15ff9c8 should be preferred SSSD handing of the available authentication
types must be extended to read ipaUserAuthType as well to restore the
user experience with respect to 2FA prompting and ssh behavior.

Related to https://pagure.io/freeipa/issue/8001

Reviewed-By: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c8f1ed12 by François Cami at 2019-12-13T04:47:52+02:00
ipatests/test_nfs.py: wait before umount

umount calls including in cleanup do not wait.
The test failed once with:
"umount.nfs4: /home: device is busy"
which looks like a leftover open file descriptor.
Add wait periods before umount.

Fixes: https://pagure.io/freeipa/issue/8144
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
3d402b69 by Alexander Bokovoy at 2019-12-13T17:33:33+02:00
ipa-client-samba: map domain sid of trust domain properly for display

Trusted domain object in LDAP uses ipaNTTrustedDomainSID attribute to
store SID of the trusted domain while IPA domain itself uses
ipaNTSecurityIdentifier. When mapping the values for printing out a
summary table, use the right mapping according to the object.

Fixes: https://pagure.io/freeipa/issue/8149
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
8a522bed by Florence Blanc-Renaud at 2019-12-13T17:49:22+02:00
ipa-cacert-manage man page: fix indentation

Fix the indentation of the SYNPOSIS section

Fixes: https://pagure.io/freeipa/issue/8138
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
0926cb87 by Armando Neto at 2019-12-14T14:19:21+02:00
ipatests: Improve test_commands reliability

Sometimes ssh command gets stuck, running manually without passing a command
to be executed this is returned:

```
$ ssh -o PasswordAuthentication=no -o IdentitiesOnly=yes \
  -o StrictHostKeyChecking=no -l testsshuser \
  -i /tmp/tmp.rQIT3KYScX master.ipa.test
Could not chdir to home directory /home/testsshuser: No such file or directory
```

This commit forces the homedir creation and adds a timeout to ssh.

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
df59f09e by Dinesh Prasanth M K at 2019-12-14T14:20:34+02:00
Adding auto COPR builds

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f80a6548 by Thomas Woerner at 2019-12-16T18:02:22+01:00
DNS install check: Fix overlapping DNS zone from the master itself

The change to allow overlapping zone to be from the master itself has
introduced two issues: The check for the master itself should only executed
if options.force and options.allow_zone_overlap are both false and the
reverse zone check later on was still handling ValueError instead of
dnsutil.DNSZoneAlreadyExists.

Both issues have been fixed and the deployment with existing name servers
is properly working again.

Fixes: https://pagure.io/freeipa/issue/8150
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
ef1b8d0f by Armando Neto at 2019-12-16T17:17:37-03:00
ipatests: Skip test_sss_ssh_authorizedkeys method

Temporarily skipping test due to unknown time-outs happening regularly.

Issue: https://pagure.io/freeipa/issue/8151

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
0162f3aa by Anuja More at 2019-12-17T08:29:49+01:00
ipatests: filter_users should be applied correctly.

Added test which checks that no look up should
be added in data provider when users are added in
filter_users for doamin provider.

Related Ticket:
https://pagure.io/SSSD/sssd/issue/3978

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
aa9340cf by Fraser Tweedale at 2019-12-17T09:18:37+01:00
removed unused function export_pem_p12

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
3d779b49 by Fraser Tweedale at 2019-12-17T09:20:43+01:00
ipatests: assert_error: allow regexp match

Enhance the assert_error subroutine to provide regular expression
matching against the command's stderr output, in additional to
substring match.

Part of: https://pagure.io/freeipa/issue/8142

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
c4b0cf4d by Fraser Tweedale at 2019-12-17T09:20:43+01:00
Fix test regressions caused by certificate validation changes

Some integration tests (that were enabled in nightly CI but not
PR-CI) are failing due to changes in the error messages.  Update the
error message assertions to get these tests going again.

Part of: https://pagure.io/freeipa/issue/8142

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
775bbb91 by Gaurav Talreja at 2019-12-17T15:53:31-03:00
prci: bump template version for nightly_rawhide

New template is based on Fedora-Cloud-Base-Vagrant-Rawhide-20191201.n.0.x86_64.vagrant-libvirt.box

Template used : https://app.vagrantup.com/freeipa/boxes/ci-master-frawhide/versions/0.0.10

Tested at : https://github.com/freeipa-pr-ci2/freeipa/pull/94

Signed-off-by: Gaurav Talreja <gtalreja at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
2ed5eca7 by Alexander Bokovoy at 2019-12-18T14:16:33+01:00
Reset per-indicator Kerberos policy

When 'ipa krbtpolicy-reset' is called, we need to reset all policy
settings, including per-indicator ones. Per-indicator policy uses
subtyped attributes (foo;bar), the current krbtpolicy-reset code does
not deal with those.

Add support for per-indicator policy reset. It is a bit tricky, as we
need to drop the values to defaults but avoid adding non-per-indicator
variants of the same attributes.

Add test to check that policy has been resetted by observing a new
Kerberos TGT for the user after its policy reset.

Fixes: https://pagure.io/freeipa/issue/8153

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
d7b3aafc by Jayesh Garg at 2019-12-18T18:48:36+01:00
Test if ipactl starts services stopped by systemctl

This will first check if all services are running then it will stop
few service. After that it will restart all services and then check
the status and pid of services.It will also compare pid after ipactl
start and restart in case of start it will remain unchanged on the
other hand in case of restart it will change.

Signed-off-by: Jayesh Garg <jgarg at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
2a2cc961 by Fraser Tweedale at 2019-12-19T15:50:44+01:00
ipatests: add test for certinstall with notBefore in the future

Part of: https://pagure.io/freeipa/issue/8142

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
09a5192f by Jayesh at 2019-12-20T16:17:42+02:00
Test ipa-getkeytab quiet mode, encryptons

This will first check ipa-getkeytab quiet mode,
then it will check ipa-getkeytab server name,
then it will check different type of encryptions

Signed-off-by: Jayesh <jgarg at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
83ec9296 by Anuja More at 2019-12-20T16:29:30+02:00
Add integration test for otp kerberos ticket policy.

This also exercises the Authentication Indicator Kerberos ticket
policy options by testing a otp indicator type.

Related: https://pagure.io/freeipa/issue/8001

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
bfc998ea by Anuja More at 2019-12-23T10:21:25+01:00
Fix fedora version for xfail for sssd test

Test was failing in nightly_PR for ipa-4.7
As https://pagure.io/SSSD/sssd/issue/3978 is not available on
fedora-29

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
ad3bf504 by Jayesh at 2019-12-23T12:56:30+01:00
Test for ipa-ca-install on replica

Test on replica for ipa-ca-install with options
--no-host-dns,--skip-schema-check,done changes in
ipatests/pytest_ipa/integration/tasks.py because
wants to pass few arguments to install_ca method

Signed-off-by: Jayesh <jgarg at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
fb3c2c14 by Jayesh Garg at 2019-12-23T12:56:30+01:00
Nightly definations commit

Signed-off-by: Jayesh Garg <jgarg at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
a22e8734 by Armando Neto at 2020-01-03T09:43:40-03:00
prci: update packages for rawhide nightly runs

This forces PR-CI to update the packages instead of using the versions
already included in the vagrant image.

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
5b95d4cc by François Cami at 2020-01-06T09:42:21-05:00
ipaserver/plugins/dns.py: add "Dynamic Update" and "Bind update policy" to default dnszone* output

Displaying "Dynamic Update" and "Bind update policy" by default
when 'ipa dnszone-show/find' are used would make client dns update
failures easier to diagnose, so display them.

Fixes: https://pagure.io/freeipa/issue/7938
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
5fe8fc62 by François Cami at 2020-01-06T09:42:21-05:00
ipatests: expect "Dynamic Update" and "Bind update policy" in default dnszone* output

Fix XMLRPC tests so that "Dynamic Update" and "Bind update policy"
can be displayed by default in many DNS commands' output.

Related to: https://pagure.io/freeipa/issue/7938
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e2d69380 by Florence Blanc-Renaud at 2020-01-10T17:07:57+01:00
AD user without override receive InternalServerError with API

When ipa commands are used by an Active Directory user that
does not have any idoverride-user set, they return the
following error message which can be misleading:
$ kinit aduser at ADDOMAIN.COM
$ ipa ping
ipa: ERROR: cannot connect to 'https://master.ipa.com/ipa/json': Internal Server Error

The fix properly handles ACIError exception received when
creating the context, and now the following message can be seen:

$ kinit aduser at ADDOMAIN.COM
$ ipa ping
ipa: ERROR: cannot connect to 'https://master.ipa.com/ipa/json': Unauthorized

with the following log in /var/log/httpd/error_log:
ipa: INFO: 401 Unauthorized: Insufficient access:  Invalid credentials

Fixes: https://pagure.io/freeipa/issue/8163
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
f35738ef by Anuja More at 2020-01-13T13:05:47+01:00
Add xmlrpc test with input validation check for kerberos ticket policy.

This checks that valid/invalid inputs for subtypes of
authentication indicator kerberos ticket policy options.

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
b5b9efeb by Rob Crittenden at 2020-01-13T10:08:38-05:00
Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit

A "cookie" is used with certmonger to track the state of a
request across multiple requests to a CA (in ca-cookie). This
is used with the certmonger POLL operation to submit a request
to the CA for the status of a certificate request. This, along
with the profile, are passed to the certmonger CA helper
scripts via environment variables when a request is made. It is
cleared from the certmonger request once the certificate is
issued.

This CA helper can do a number of things:

- SUBMIT new certicate requests (including the CA)
- POLL for status of an existing certificate request
- For non renewal masters, POLL to see if an updated cert is in
  LDAP

A POLL operation requires a cookie so that the state about the
request can be passed to the CA. For the case of retrieving an
updated cert from LDAP there is no state to maintain. It just
checks LDAP and returns either a cert or WAIT_WITH_DELAY if one
is not yet available.

There are two kinds of cookies in operation here:
1. The CERTMONGER_CA_COOKIE environment variable passed via
   certmonger to this helper which is a JSON object.
2. The cookie value within the JSON object which contains the
   URL to be passed to dogtag.

For the purposes of clarity "cookie" here is the value within
the JSON.

The CERTMONGER_CA_COOKIE is deconstructed and reconstructed as
the request is processed, doing double duty. It initially comes
in as a JSON dict object with two keys: profile and cookie.
In call_handler the CERTMONGER_CA_COOKIE is decomposed into a
python object and the profile compared to the requested profile
(and request rejected if they don't match) and the cookie key
overrides the CERTMONGER_CA_COOKIE environment variable. This is
then reversed at the end of the request when it again becomes a
JSON object containing the profile and cookie.

This script was previously enforcing that a cookie be available on
all POLL requests, whether it is actually required or not. This
patch relaxes that requirement.

The first request of a non-renewal master for an updated certicate
from LDAP is a SUBMIT operation. This is significant because it
doesn't require a cookie: there is no state on a new request. If
there is no updated cert in LDAP then the tracking request goes
into the CA_WORKING state and certmonger will wait 8 hours (as
returned by this script) and try again.

Subsequent requests are done using POLL. This required a cookie
so all such requests would fail with the ca-error
Invalid cookie: u'' as it was empty (because there is no state).

There is no need to fail early on a missing cookie. Enforcement
will be done later if needed (and it isn't always needed). So
if CERTMONGER_CA_COOKIE is an empty string then generate a new
CERTMONGER_CA_COOKIE containing the requested profile and an empty
cookie. It still will fail if certmonger doesn't set a cookie at
all.

An example of a cookie when retrieving a new RA Agent certificate
is:

{"profile": "caServerCert", "cookie": "state=retrieve&requestId=20"}

This will result in this request to the CA:
[09/Jan/2020:14:29:54 -0500] "GET
/ca/ee/ca/displayCertFromRequest?requestId=20&importCert=true&xml=true
HTTP/1.1" 200 9857

For a renewal, the reconstructed cookie will consist of:

{"profile": "caServerCert", "cookie": ""}

https://pagure.io/freeipa/issue/8164

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
ae140ae4 by Florence Blanc-Renaud at 2020-01-14T16:27:50-05:00
ipatests: fix backup and restore

The tests for backup_and_restore check that the ipa-backup command
compresses the tar file AFTER restarting IPA services by reading the
output and looking for a pattern with "gzip" before "Starting IPA service."

As the tar file name is randomly created, it sometimes happen that the
name contains gzip and in this case the test wrongly assumes that
the gzip cmd was called.

The fix makes a stricter comparison, looking for /bin/gzip.

Fixes: https://pagure.io/freeipa/issue/8170
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
3ccf73bf by Robbie Harwood at 2020-01-15T10:00:08+01:00
Make the coding style explicit

Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ab4e910c by Robbie Harwood at 2020-01-15T10:00:08+01:00
Use separate variable for client fetch in kdcpolicy

`client` is not intended to be modified as a parameter of the AS check
function.  Fixes an "incompatible pointer type" compiler warning.

Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
df6a89be by Robbie Harwood at 2020-01-15T10:00:08+01:00
Fix several leaks in ipadb_find_principal

`vals` is often leaked during early exit.  Refactor function to use a
single exit path to prevent this.

Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e107b8e4 by Christian Heimes at 2020-01-17T15:47:00+01:00
Print LDAP diagnostic messages on error

ipa_ldap_init(), ipa_tls_ssl_init(), and the bind operations of ipa-join
and ipa-getkeytab now print LDAP error string and LDAP diagonstic messages
to stderr.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
10b62ad6 by Christian Heimes at 2020-01-22T13:15:19-05:00
Make assert_error compatible with Python 3.6

The re.Pattern class was introduced in Python 3.7. Use duck-typing to
distinguish between str and re pattern object.

Fixes: https://pagure.io/freeipa/issue/8179
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
0ad4f4c8 by Sergey Orlov at 2020-01-23T16:38:56+01:00
ipatests: add test_winsyncmigrate suite to nightly runs

The test suite test_winsyncmigrate was missing in nightly definitions
because CI was lacking configuration needed for establishing winsync
agreement: the Certificate Authority needs to be configured on
Windows AD instance. Now that PR-CI is updated to include said changes, we
can start executing this test suite. It is not reasonable to add it to
gating as this suite is time consuming just like other tests requiring
provisioning of AD instances.

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
0a55e82d by Christian Heimes at 2020-01-24T08:35:47-05:00
Add tracemalloc support to profile memory usage

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
e9ae7c4b by Christian Heimes at 2020-01-24T08:35:47-05:00
lite-setup: configure lite-server test env

Introduce a script that configures a local testing environment
with ipa default.conf, krb5.conf, and ca.crt from a server hostname.

The lite server configuration allows easy and convenient testing of
IPA server and client code. It uses an existing 389-DS and KRB5 KDC
server on another machine:

    $ contrib/lite-setup.py master.ipa.example
    $ source ~/.ipa/activate.sh
    (ipaenv) $ kinit username
    (ipaenv) $ make lite-server

IPA server UI is available on http://localhost:8888/ipa/

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
4a1f56ec by Gaurav Talreja at 2020-01-27T09:38:20-03:00
Normalize test definations titles

Rename job titles to match their test suites and how they are defined in nightly yamls.

Issue : https://github.com/freeipa/freeipa-pr-ci/issues/336

Signed-off-by: Gaurav Talreja <gtalreja at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
acfb6191 by Rob Crittenden at 2020-01-28T13:05:31-05:00
Add delete option to ipa-cacert-manage to remove CA certificates

Before removing a CA re-verify all the other CAs to ensure that
the chain is not broken. Provide a force option to handle cases
where the CA is expired or verification fails for some other
reason, or you really just want them gone.

https://pagure.io/freeipa/issue/8124

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
6cb4f4bd by Rob Crittenden at 2020-01-28T13:05:31-05:00
ipa-certupdate removes all CA certs from db before adding new ones

This will allow for CA certificates to be dropped from the list
of certificates. It also allows for the trust flags to be
updated when an existing cert is dropped and re-added.

https://pagure.io/freeipa/issue/8124

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
8e71605c by Rob Crittenden at 2020-01-28T13:05:31-05:00
Add tests for ipa-cacert-manage delete command

This tests the following cases:
- deletion without nickname (expect fail)
- deletion with an unknown nickname (expect fail)
- deletion of IPA CA (expect fail)
- deletion of a root CA needed by a subCA (expect fail)
- deletion of a root CA needed by a subCA with --force (ok)
- deletion of a subca (ok)

As a side-effect this also tests install by installing the LE
root and a sub-ca. The sub-ca expires in 2021 but I tested in
the future the ipa-cacert-manage install doesn't do date
validation so for now this is ok.

https://pagure.io/freeipa/issue/8124

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
769180c2 by Fraser Tweedale at 2020-01-29T21:47:14+11:00
Do not renew externally-signed CA as self-signed

Commit 49cf5ec64b1b7a7437ca285430353473c215540e fixed a bug that
prevented migration from externally-signed to self-signed IPA CA.
But it introduced a subtle new issue: certmonger-initiated renewal
renews an externally-signed IPA CA as a self-signed CA.

To resolve this issue, introduce the `--force-self-signed' flag for
the dogtag-ipa-ca-renew-agent script.  Add another certmonger CA
definition that calls this script with the `--force-self-signed'
flag.  Update dogtag-ipa-ca-renew-agent to only issue a self-signed
CA certificate if the existing certificate is self-signed or if
`--force-self-signed' was given.  Update `ipa-cacert-manage renew'
to supply `--force-self-signed' when appropriate.

As a result of these changes, certmonger-initiated renewal of an
externally-signed IPA CA certificate will not issue a self-signed
certificate.

Fixes: https://pagure.io/freeipa/issue/8176
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
15fd3661 by Sergey Orlov at 2020-01-30T11:47:54+01:00
ipatests: add check for output contents of ipa-client-samba

Check that ipa-client-samba  tool reports specific properties of domains:
name, netbios name, sid and id range

Related to https://pagure.io/freeipa/issue/8149

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7862e9be by Gaurav Talreja at 2020-01-30T11:53:20+01:00
Normalize title of test external_ca in prci-definition

Use a consistent way to label the tests. As a result, replace external_ca_1 with test_external_ca_TestExternalCA and external_ca_2 with test_external_ca_TestSelfExternalSelf to better reflect which subtest is executed.
Issue : freeipa/freeipa-pr-ci#336

Signed-off-by: Gaurav Talreja <gtalreja at redhat.com>
Reviewed-By: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
1c787cc3 by Robbie Harwood at 2020-01-31T14:36:31+01:00
Handle the removal of KRB5_KDB_FLAG_ALIAS_OK

In ac8865a22138ab0c657208c41be8fd6bc7968148 (between 1.17 and 1.18),
krb5 removed this flag, and always accepts aliases.

Related-to: https://pagure.io/freeipa/issue/7879
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ff10f3fa by Robbie Harwood at 2020-01-31T14:36:31+01:00
Support DAL version 8.0

Provide stubs for backward compatibility.  DAL 8.0 was released with
krb5-1.18, which is part of Fedora 32+.

Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
93e81cfd by Robbie Harwood at 2020-01-31T14:36:31+01:00
Drop support for DAL version 5.0

No supported Linux distro packages a version of krb5 with this DAL, so
we don't lose anything by removing it.

Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d92f21ae by Isaac Boukris at 2020-02-01T10:05:46+02:00
Fix DAL v8 support

Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c940f96b by Isaac Boukris at 2020-02-01T10:05:46+02:00
Fix legacy S4U2Proxy in DAL v8 support

Signed-off-by: Isaac Boukris <iboukris at gmail.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ab1999de by Anuja More at 2020-02-04T07:57:43+01:00
After mounting "Unspecified GSS failure" should not be in logs.

When there is directory mounted on the ipa-client
Then no "Unspecified GSS failure" should be in logs.

This is an integration test for :
https://bugzilla.redhat.com/show_bug.cgi?id=1759665

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Sumedh Sidhaye <ssidhaye at redhat.com>

- - - - -
edfe95b1 by Endi S. Dewata at 2020-02-04T19:34:26+11:00
Removed hard-coded default profile subsystem class name

Previously in order to enable the LDAP profile subsystem
the ca_enable_ldap_profile_subsystem() would check the
current value of the profile subsystem class parameter in
CS.cfg. If the parameter was still set to the default value
(i.e. ProfileSubsystem), the code would change it to
LDAPProfileSubsystem.

There is a effort in PKI to clean up the profile subsystem
classes which may require changing the default value for
this parameter. However, this improvement is blocked since
the ca_enable_ldap_profile_subsystem() is implicitly assuming
that the default value will always be ProfileSubsystem.

This patch modifies the code such that instead of checking
for a specific value that needs to be changed, it will check
whether it has the desired value already. This mechanism
will reduce potential conflicts with future PKI improvements.

Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
b5c8efa3 by sumenon at 2020-02-04T09:20:23-05:00
Tier-1 test for ipa-healthcheck tool

Signed-off-by: sumenon <sumenon at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
000703c8 by sumenon at 2020-02-04T09:20:23-05:00
Nightly definition for ipa-healthcheck tool

Signed-off-by: sumenon <sumenon at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
d7830d90 by sumenon at 2020-02-05T10:02:37+01:00
Adding back temp config definition removed

fedora-latest/temp_commit section was removed from
temp_commit.yaml file while working with PR4108, adding it back.

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
9418042e by Serhii Tsymbaliuk at 2020-02-05T12:04:50+01:00
WebUI tests: Fix 'Button is not displayed' exception

Add a small timeout (up to 5 seconds) which allows to prevent exceptions when
WebDriver attempts to click a button before it is rendered.

Ticket: https://pagure.io/freeipa/issue/8169

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
19f0142e by Armando Neto at 2020-02-05T14:48:34-03:00
prci: Bump version of all templates

These new images have SELinux enabled in permissive mode. After
this all tests skipped because SELinux was disabled will be
executed again.

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
a4634a59 by Serhii Tsymbaliuk at 2020-02-06T10:21:36+01:00
WebUI tests: Fix broken reference to parent facet in table record check

Add decorator to has_record method which repeats the check when an active facet is changed
(catch StaleElementReferenceException).

Ticket: https://pagure.io/freeipa/issue/8157

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
60f746d9 by Florence Blanc-Renaud at 2020-02-10T15:22:54+01:00
ipatests: update packages for rawhide and updates-testing nightlies

The nightly tests for rawhide and updates_testing are expected
to set
        update_packages: True
in all the job definitions to make sure that dnf/yum update is called
before starting the tests.

This tag was missing for some jobs, this commit fixes the issue.

Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
f0f2c264 by Sumedh Sidhaye at 2020-02-11T17:24:37+01:00
Added a test to check if ipa host-find --pkey-only does not return SSH public key

It checks if 'SSH public key fingerprint' is
not present in the output of the command

Related: https://pagure.io/freeipa/issue/8029

Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
cec1ddc3 by Florence Blanc-Renaud at 2020-02-11T17:28:19+01:00
ipatests: fix modify_sssd_conf()

The method modify_sssd_conf() is copying a remote sssd.conf file
to the test controller then uses sssd python API to modify the
config file.
When the test controller does not have sssd-common package installed,
SSSDConfig() call fails because the API needs sssd schema in order
to properly parse the config file, and the schema files are provided
by sssd-common pkg.
The fix also downloads the files representing sssd schema and calls
SSSDConfig() with those files. Using the schema from the test machine
is ensuring that config is consistent with the schema (if the sssd
version differs between controller and test machine for instance).

Note: we currently don't see any issue in the nightly tests because
the test controller is installed with sssd-common package but if you
run the tests as specified in https://www.freeipa.org/page/Testing
with a controller missing sssd-common, you will see the issue.

Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
ff547a27 by Alexander Bokovoy at 2020-02-12T11:45:39+01:00
install/updates: move external members past schema compat update

There is an ordering discrepancy because the base compat tree
configuration is in install/updates/80-schema_compat.update so it is ran
after 50-externalmembers.update. And since at that point
cn=groups,cn=Schema ... does not exist yet, external members
configuration is not applied.

Move it around to make sure it is applied after Schema Compatibility
plugin configuration is created.

Fixes: https://pagure.io/freeipa/issue/8193
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
292d686c by Stanislav Levin at 2020-02-12T18:08:32+02:00
pytest: Migrate xunit-style setups to Pytest fixtures

Even though Pytest supports xunit style setups, unittest and nose
tests, this support is limited and may be dropped in the future
releases. Worst of all is that the mixing of various test
frameworks results in weird conflicts and of course, is not widely
tested.

This is a part of work to remove the mixing of test idioms in the
IPA's test suite:
1) replace xunit style
2) employ the fixtures' interdependencies

Related: https://pagure.io/freeipa/issue/7989
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
fec66942 by Stanislav Levin at 2020-02-12T18:08:32+02:00
pytest: Migrate unittest/nose to Pytest fixtures

Even though Pytest supports xunit style setups, unittest and nose
tests, this support is limited and may be dropped in the future
releases. Worst of all is that the mixing of various test
frameworks results in weird conflicts and of course, is not widely
tested.

This is a part of work to remove the mixing of test idioms in the
IPA's test suite:
1) replace unittest.TestCase subclasses
2) replace unittest test controls (SkipTest, fail, etc.)
3) replace unittest assertions

Related: https://pagure.io/freeipa/issue/7989
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
8c7447fd by Stanislav Levin at 2020-02-12T18:08:32+02:00
pytest: Warn about unittest/nose/xunit tests

This Pytest plugin is intended to issue warnings on collecting
tests, which employ unittest/nose frameworks or xunit style.
For example, this may look like:
"""
test_a/test_xunit.py:25
  test_a/test_xunit.py:25: PytestDeprecationWarning: xunit style is deprecated

    def test_foo_bar(self):

test_b/test_unittest.py:7
  test_b/test_unittest.py:7: PytestDeprecationWarning: unittest is deprecated
    def test_foo_bar(self):
"""

To treat these warnings as errors it's enough to run Pytest with:
-W error:'xunit style is deprecated':pytest.PytestDeprecationWarning

Related: https://pagure.io/freeipa/issue/7989
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
43a97082 by Alexander Bokovoy at 2020-02-12T18:08:32+02:00
Update Azure Pipelines to use Fedora 31

nodejs:12 requires libicu-65.1 while gdb (not direct dependency)
libicu-63.2. As a workaround gdb-minimal [0] could be used.
It's even better as requires less packages to be downloaded
and then installed.

[0] https://fedoraproject.org/wiki/Changes/Minimal_GDB_in_buildroot

Co-authored-by: Stanislav Levin <slev at altlinux.org>
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
19462788 by Stanislav Levin at 2020-02-12T18:08:32+02:00
ipatests: Properly kill gpg-agent

There is a race condition exposed in 'test_gpg_asymmetric'.
The teardown of 'tempdir' fixture and gpg-agent being called
from the teardown of 'gpgkey' fixture could simultaneously
remove the gnugpg's socket files.

This results in an error like:
```

================= ERRORS ===================
_ ERROR at teardown of test_gpg_asymmetric __
...

>  os.unlink(entry.name, dir_fd=topfd)
E  FileNotFoundError: [Errno 2] No such file or directory: 'S.gpg-agent.extra'

/usr/lib64/python3.7/shutil.py:450: FileNotFoundError

```

The problem is that the agent is not terminated properly.
Instead, gpgconf could be used to kill daemonized gpg-agent.

Related: https://pagure.io/freeipa/issue/7989
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
92b440a0 by Stanislav Levin at 2020-02-12T18:08:32+02:00
pylint: Teach Pylint how to handle request.context

With Astroid change [0] a inference for builtin containers
was improved. This means that all the elements of such containers
will be inferred if they are not Python constants (previously
ignored).

This change introduces several issues, one of them is a volatile
error exposed at multi-job Pylinting, but could be guaranteed
produced at single-job mode as:

```
PYTHONPATH=. /usr/bin/python3 -m pylint --rcfile=./pylintrc \
    --load-plugins pylint_plugins ipaserver/plugins/dns.py ipalib/request.py

ipalib/request.py:76: [E1101(no-member), destroy_context] Instance of 'bool' has no 'disconnect' member)

-----------------------------------
Your code has been rated at 9.97/10
```

Or even adding 'context.some_attr = True' into ipalib/request.py.
It's should be treated as no one member of `context`'s attrs is a
`Connection` instance and has `destroy_context` member.

To tell Pylint that there are such members the corresponding
transformation is added.

[0] https://github.com/PyCQA/astroid/commit/79d5a3a7

Related: https://pagure.io/freeipa/issue/8116
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
e128e7d6 by Stanislav Levin at 2020-02-12T18:08:32+02:00
pylint: Synchronize pylint plugin to ipatests code

Pylint is a static analysis tool and therefore, couldn't always
analyze dynamic stuff properly. Transformation plugins is a way
to teach Pylint how to handle such cases.

Particularly, with the help of FreeIPA own plugin, it is possible
to tell Pylint about instance fields having a duck-typing nature.

A drawback exposed here is that a static view (Pylint's) of code
should be consistent with an actual one, otherwise, codebase will
be polluted with various skips of pylint checks.

* added missing fields to ipatests.test_integration.base.IntegrationTest
* an attempt is made to clear `no-member` skips for ipatests
* removed no longer needed `pytest` module transformation

Related: https://pagure.io/freeipa/issue/8116
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
a309de6c by Stanislav Levin at 2020-02-12T18:08:32+02:00
pylint: Clean up comment

I added a comment in @d0b420f6d, later, on refactoring in
@c6769ad12 I forgot to remove it. So, it is just a clean up.

Related: https://pagure.io/freeipa/issue/8116
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
ba12165e by Stanislav Levin at 2020-02-12T18:08:32+02:00
lint: Make Pylint-2.4 happy again

This is the first time running Pylint-2.4 over the whole IPA codebase.
```
Pylint on /usr/bin/python is running, please wait ...
internal error with sending report for module ['ipaserver/plugins/serverroles.py']
maximum recursion depth exceeded while calling a Python object
************* Module ipatests.test_integration.base
ipatests/test_integration/base.py:84: [W0125(using-constant-test), IntegrationTest.install] Using a conditional statement with a constant value)
************* Module ipaserver.install.ipa_cacert_manage
ipaserver/install/ipa_cacert_manage.py:522: [R1724(no-else-continue), CACertManage.delete] Unnecessary "elif" after "continue")
```

The latest Pylint (via the Tox task) checks only:
```
{envsitepackagesdir}/ipaclient \
{envsitepackagesdir}/ipalib \
{envsitepackagesdir}/ipapython
```

, while the distro-Pylint runs over all project but it is not fresh.
That's why these warnings/errors weren't exposed before now.

Concerning `internal error`: a fix was accepted by upstream:
https://github.com/PyCQA/pylint/issues/3245, but wasn't released yet.
Until that is done, Pylint just warns.

Related: https://pagure.io/freeipa/issue/8116
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
4f09416f by Anuja More at 2020-02-12T17:34:32+01:00
ipatests: Add test for ipa-extdom-extop plugin should allow @ in group name

If group contains @ in group name on AD,
then it should fetch successfully on ipa-client.

Related to: https://bugzilla.redhat.com/1746951

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
0a4bec2a by Anuja More at 2020-02-12T17:34:32+01:00
Update topology for test_integration/test_sssd.py

Added changes in topology for test_sssd.py
As in test it needs client also.

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
b3dbb368 by Alexander Bokovoy at 2020-02-13T21:20:13+02:00
adtrust: print DNS records for external DNS case after role is enabled

We cannot gather information about required DNS records before "ADTrust
Controller" role is enabled on this server. As result, we need to call
the step to add DNS records after the role was enabled.

Fixes: https://pagure.io/freeipa/issue/8192
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
902821e8 by Stanislav Levin at 2020-02-14T09:29:20+02:00
ipatests: Allow zero-length arguments

Currently, such arguments are eaten by 'ipa-run-tests' script as they
are not quoted.

For example, running ipa-run-tests -k ''
results in the actual invocation would be like as:
['/bin/sh',
 '--norc',
 '--noprofile',
 '-c',
 '--',
 "/usr/bin/python3 -c 'import sys,pytest;sys.exit(pytest.main())' -o "
 'cache_dir=/tmp/pytest-of-root/pytest-12/test_ipa_run_tests_empty_expression0/.pytest_cache '
 '--confcutdir=/usr/lib64/python3/site-packages/ipatests -k ']

Note: expressions or marks could be empty as a result of the building
of command line args by more high-level tools, scripts, etc.

So, a short-termed solution is the quotting of zero-length arguments.

Fixes: https://pagure.io/freeipa/issue/8173
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e1b6e3ba by François Cami at 2020-02-14T09:33:43+02:00
ipa-client-automount: call save_domain() for each change

Call sssdconfig.save_domain(domain) after each configuration
change during ipa-client-automount --uninstall.

Previously, sssdconfig.save_domain(domain) was called only
outside of the domain detection loop which changed the domain
configuration. This introduced issues as this method's behavior
is only consistent when configuration items are removed in a
certain order: https://pagure.io/SSSD/sssd/issue/4149
Plus, it is more correct to save the configuration from within
the loop if ever we support multiple domains.

Fixes: https://pagure.io/freeipa/issue/8190
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
5f9d5281 by François Cami at 2020-02-14T09:33:43+02:00
ipatests: make sure ipa-client-automount reverts sssd.conf

Due to https://pagure.io/SSSD/sssd/issue/4149 ipa-client-automount
fails to remove the ipa_automount_location entry from sssd.conf.
Test that autofs_provider and ipa_automount_location are removed.

Fixes: https://pagure.io/freeipa/issue/8190
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
87a1d34c by Anuja More at 2020-02-14T09:37:38+02:00
ipatests: SSSD should fetch external groups without any limit.

When there are more external groups than default limit, then
SSSD should fetch all groups.

Related : https://pagure.io/SSSD/sssd/issue/4058

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
209e0ac8 by Christian Heimes at 2020-02-14T09:40:40+02:00
Remove dependency on custodia package

ipa-server no longer use any files and features from the custodia
package. The python3-custodia package provides all Custodia features for
ipa-custodia.service.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
856fdbc1 by Christian Heimes at 2020-02-14T09:42:52+02:00
dnsrecord: Treat empty list arguments correctly

dnsrecord_del fails when one of the record arguments is an empty list:

    AttrValueNotFound("AAAA record does not contain 'None'",)

The problem is caused by the fact that LDAPEntry.__getitem__ returns None
for empty lists. The code in the plugin considers None as a single entry
and maps it to vals = [None].

The patch maps None to empty list.

Fixes: https://pagure.io/freeipa/issue/8196
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
273ff270 by Julian Gethmann at 2020-02-14T09:48:50+02:00
Fix typo in idrange.py docstring

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
001de6ee by Sergey Orlov at 2020-02-14T12:48:34+01:00
ipatests: add test_trust suite to nightly runs

The test suite test_trust was missing in nightly definitions
because PR-CI was not able to provision multi-AD topology.
Now that PR-CI is updated, we can start executing this test suite.
It is not reasonable to add it to gating as this suite is
time consuming like other tests requiring provisioning of AD instances.

Signed-off-by: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
e5291963 by Alexander Bokovoy at 2020-02-17T16:03:11+02:00
kdb: make sure audit_as_req callback signature change is preserved

audit_as_req() callback has changed its signature with MIT krb5 commit
20991d55efbe1f987c1dbc1065f2d58c8f34031b in 2017, we should preserve the
change for any newer DAL versions. Otherwise audit_as_req() callback
would reference wrong data and we might crash.

Fixes: https://pagure.io/freeipa/issue/8200
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
ba904672 by Alexander Bokovoy at 2020-02-17T16:03:11+02:00
Azure Pipelines: re-enable nodejs:12 stream for Fedora 31+

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
10e8e7af by Kaleemullah Siddiqui at 2020-02-17T17:02:32+01:00
Tests for backup-restore when pkg required is missing

Tests for ipa-restore behaviour when dns or adtrust
rpm is missing which is required during ipa-restore

https://pagure.io/freeipa/issue/7630

Signed-off-by: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e4966f9c by Rob Crittenden at 2020-02-18T09:15:57-05:00
Don't fully quality the FQDN in ssbrowser.html for Chrome

The trailing dot causes it to not function as expected, remove
it from the example.

https://pagure.io/freeipa/issue/8201

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
939ee59c by Kaleemullah Siddiqui at 2020-02-19T10:42:01+01:00
Fix for regression from PR#3962

There was a regression caused in nightly run of test
TestBackupReinstallRestoreWithDNS of test_backup_and_restore
test suite because of PR#3962.

Signed-off-by: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
b0d57d99 by Mohammad Rizwan Yusuf at 2020-02-20T08:40:54-05:00
Test AES SHA 256 and 384 Kerberos enctypes enabled

AES SHA 256 and 384-bit enctypes supported by MIT kerberos but
was not enabled in IPA. This test is to check if these types are
enabled.

related: https://pagure.io/freeipa/issue/8110

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
fe21094c by Mohammad Rizwan Yusuf at 2020-02-24T08:45:06-05:00
Test if certmonger reads the token in HSM

This is to ensure added HSM support for FreeIPA. This test adds
certificate with sofhsm token and checks if certmonger is tracking
it.

related : https://pagure.io/certmonger/issue/125

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
80679542 by Mohammad Rizwan Yusuf at 2020-02-24T08:45:06-05:00
Add certmonger wait_for_request that uses run_command

Add a little utility function to get the certmonger status
of a request id on a particular host and wait until it is either
failed on the CA or issued (or times out).

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
51fcca53 by Thomas Woerner at 2020-02-24T15:02:24+01:00
ipaserver/plugins/hbacrule: Add HBAC to memberservice_hbacsvc* labels

The labels for memberservice_hbacsvc and memberservice_hbacsvcgroup are
only "Services" and "Service Groups" but they should be "HBAC Services"
and "HBAC Service Groups".

Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
9eb1be87 by Florence Blanc-Renaud at 2020-02-24T15:06:04+01:00
Part2: Don't fully quality the FQDN in ssbrowser.html for Chrome

The web page ssbrowser.html is displayed when the browser doesn't
enable javascript. When js is enabled, the content is taken from
ipaserver/plugins/internal.py.

The commit e4966f9 fixed a string in ssbrowser.html but did not
fix the corresponding string in ipaserver/plugins/internal.py,
resulting in a different page depending on javascript enabled/not
enabled.
This commit makes both contents consistent.

Fixes: https://pagure.io/freeipa/issue/8201
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>

- - - - -
ecc398c4 by Stanislav Levin at 2020-02-25T18:02:12+02:00
Azure: Allow to not provide tests to be ignored

As for now, a list of tests which will be ignored by Pytest is
mandatory. But actually, a list of tests to run is explicitly set
in yaml config. And thus, 'ignore' list should be an optional field.

This simplifies tests definitions to drop extra stuff.

Fixes: https://pagure.io/freeipa/issue/8202

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
157fa59e by Stanislav Levin at 2020-02-25T18:02:12+02:00
Azure: Allow SSH for Docker environments

IPA integration tests utilize SSH as a transport to communicate
with IPA hosts. To run such tests Docker environments should
have configured SSH.

Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
879855ce by Stanislav Levin at 2020-02-25T18:02:12+02:00
Azure: Allow to run integration tests

Azure provides Microsoft-hosted agents having tasty resources [0].
For now (Feb 2020),
- (Linux only) Run steps in a cgroup that offers 6 GB of physical memory and
13 GB of total memory
- Provide at least 10 GB of storage for your source and build outputs.

This is enough to set up IPA environments consisted of not only master but also
replicas and clients and thus, run IPA integration tests.

New Azure IPA tests workflow:

+ 1) Azure generate jobs using Matrix strategy
  2) each job is run in parallel (up to 10) within its own VM (Ubuntu-18.04):
    a) downloads prepared Docker container image (artifact) from Azure cloud
       (built on Build Job) and loads the received image into local pool
  + b) docker-compose creates the Docker environment having a required number
       of replicas and/or clients
  + c) setup_containers.py script does the needed container's changes (DNS,
       SSH, etc.)
  + d) launch IPA tests on tests' controller
    e) publish tests results in JUnit format to provide a comprehensive test
       reporting and analytics experience via Azure WebUI [1]
    f) publish regular system logs as artifacts

[0] https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/hosted?view=azure-devops
[1] https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/test/publish-test-results?view=azure-devops&tabs=yaml

Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b8251556 by Stanislav Levin at 2020-02-25T18:02:12+02:00
Azure: Make it possible to configure distro-specific stuff

This allows to run IPA tests on Azure using any distro.

To achieve this, one has to do:
1) place a platform specific template on 'ipatests/azure/templates/'
and make a soft link from 'ipatests/azure/templates/variables.yml' to
the new template.
2) place a configuration templates on these paths
3) templates have to answer the questions such as:
  a) which Docker image to use to build IPA packages (rpm, deb, etc.)
  b) how to prepare Build environment
  c) how to build IPA packages
  d) how to prepare environment to run Tox tests
  e) how to prepare environment to run WebUI unittests
  f) which base Docker image to use to build the new image to run
     IPA tests within it

Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
fa104daf by Stanislav Levin at 2020-02-25T18:02:12+02:00
yamllint: Lint all the YAML files

For now, a list of YAML files' paths is hardcoded (even after
globbing) into Makefile.am. Moreover, Azure templates are not
checked at all until Azure triggered.

With this change, the list of YAMLs is populated automatically
on yamllinting.

Jinja templates are not parseable by a regular yaml module, to
skip such the YAML_TEMPLATE_FILES is utilized.

Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d3f1b9b4 by Stanislav Levin at 2020-02-25T18:02:12+02:00
Azure: Don't collect twice systemd_journal.log

This log file is collected by azure-run-tests.sh script and then by
Azure 'PublishPipelineArtifact' task. So, the same file gets into
logs artifact.

Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
31d05650 by Stanislav Levin at 2020-02-25T18:02:12+02:00
Azure: Add support for testing multi IPA environments

Currently, only one IPA environment is tested within Docker
containers. This is not efficient because Azure's agent gives
6 GB of physical memory and 13 GB of total memory (Feb 2020),
but limits CPU with 2 cores.

Next examples are for 'master-only' topologies.

Let's assume that only one member of github repo simultaneously
run CI. This allows to get the full strength of Azure.

Concurrency results for TestInstallMaster:
------------------------------------------
|    job concurrency      |  time/jobs   |
------------------------------------------
|             5           |     40/5     |
|             4           |     34/4     |
|             3           |     25/3     |
|             2           |     19/2     |
|             1           |     17/1     |
------------------------------------------
Results prove the limitation of 2 cores. So, in case of jobs'
number not exceeds the max capacity for parallel jobs(10) the
proposed method couldn't save time, but it reduces the used
jobs number up to 2 times. In other words, in this case CI
could pass 2 x tests.

But what if CI was triggered by several PRs? or jobs' number is
bigger than 10. For example, there are 20 tests to be run.

Concurrency results for TestInstallMaster and 20 input jobs:
------------------------------------------------------------------
|    job concurrency      |     time     | jobs used | jobs free |
------------------------------------------------------------------
|             5           |      40      |      4    |     6     |
|             4           |      34      |      5    |     5     |
|             3           |      25      |      7    |     3     |
|             2           |      19      |     10    |     0     |
|             1           |      34      |     20    |     0     |
------------------------------------------------------------------
So, in this case the optimal concurrency would be 4 since it
allows to run two CIs simultaneously (20 tasks on board) and get
results in 34 minutes for both. In other words, two people could
trigger CI from PR and don't wait for each other.

New Azure IPA tests workflow:

+ 1) generate-matrix.py script generates JSON from user's YAML [0]
  2) Azure generate jobs using Matrix strategy
  3) each job is run in parallel (up to 10) within its own VM (Ubuntu-18.04):
    a) downloads prepared Docker container image (artifact) from Azure cloud
       (built on Build Job) and loads the received image into local pool
  + b) GNU 'parallel' launch each IPA environment in parallel:
    + 1) docker-compose creates the Docker environment having a required number
         of replicas and/or clients
    + 2) setup_containers.py script does the needed container's changes (DNS,
         SSH, etc.)
    + 3) launch IPA tests on tests' controller
    c) publish tests results in JUnit format to provide a comprehensive test
       reporting and analytics experience via Azure WebUI [1]
    d) publish regular system logs as artifacts

[0]: https://docs.microsoft.com/en-us/azure/devops/pipelines/process/phases?view=azure-devops&tabs=yaml

Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e280a2f0 by Stanislav Levin at 2020-02-25T18:02:12+02:00
pylint: Run Pylint over Azure Python scripts

> Pylint is a tool that checks for errors in Python code, tries to enforce a
> coding standard and looks for code smells. It can also look for certain type
> errors, it can recommend suggestions about how particular blocks can be
> refactored and can offer you details about the code's complexity..

Fixes: https://pagure.io/freeipa/issue/8202
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
6daf4d2e by Stanislav Levin at 2020-02-25T18:02:12+02:00
Azure: Sync Gating definitions to current PR-CI

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1fa033c3 by Stanislav Levin at 2020-02-25T18:02:12+02:00
Azure: Preliminary check for provided limits

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e925148a by Stanislav Levin at 2020-02-25T18:02:12+02:00
Azure: Free Docker resources after usage

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9203404c by Stanislav Levin at 2020-02-25T18:02:12+02:00
Azure: Skip tests requiring external DNS

An external DNS is not supported yet, but it could be easily
implemented by adding another container with simple DNS server.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
38e0a9f4 by Stanislav Levin at 2020-02-25T18:02:12+02:00
Azure: Rebalance tests

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0a1e98cd by Stanislav Levin at 2020-02-25T18:02:12+02:00
Azure: Report elapsed time

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f589a895 by Rob Crittenden at 2020-02-26T13:42:10-05:00
Fix div-by-zero when svc weight is 0 for all masters in location

The relative service weight output tries to show the relative
chance that any given master in a locaiton will be picked. This
didn't account for all masters having a weight of 0 which would
result in a divide-by-zero error.

Implement the following rules:
1. If all masters have weight == 0 then all are equally
   weighted.
2. If any masters have weight == 0 then they have an
   extremely small chance of being chosen, percentage is
   0.1.
3. Otherwise it's percentage change is based on the sum of
   the weights of non-zero masters.

https://pagure.io/freeipa/issue/8135

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
132ef03a by Armando Neto at 2020-03-01T15:26:13-03:00
prci: bump version for latest and previous templates

Packages updated in the new templates.

Boxes:
* https://app.vagrantup.com/freeipa/boxes/ci-master-f31/versions/0.0.4
* https://app.vagrantup.com/freeipa/boxes/ci-master-f30/versions/0.0.7

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
8007cec8 by Anuja More at 2020-03-03T10:23:58+02:00
ipatests: Added test when 2FA prompting configurations is set.

Related : https://pagure.io/SSSD/sssd/issue/3264
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1556f3f7 by Mohammad Rizwan Yusuf at 2020-03-03T08:11:51-05:00
Test if server installer lock Bind9 recursion

This test is to check if recursion can be configured.
It checks if newly added file /etc/named/ipa-ext.conf
exists and /etc/named.conf should not have
'allow-recursion { any; };'. It also checks if ipa-backup
command backup the /etc/named/ipa-ext.conf file as well

related : https://pagure.io/freeipa/issue/8079

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
9ee8657c by Florence Blanc-Renaud at 2020-03-05T07:20:15+01:00
ipatests: fix TestSubCAkeyReplication

The test is using the output of openssl to compare the SubCA issuer name
with the expected value.
Depending on the version of openssl, the issuer can be displayed
differently (with/without space around the = character). On RHEL 7.x,
there is no space by default while on Fedora the space is used.
Calling openssl with -nameopt space_eq forces a consistent output, always
adding space around =.

Reviewed-By: Sudhir Menon <sumenon at redhat.com>

- - - - -
5b573bb9 by Vit Mojzis at 2020-03-05T09:57:00+01:00
Add freeipa-selinux subpackage

Add freeipa-selinux subpackage containing selinux policy for FreeIPA
server. This policy module will override the distribution policy.
Policy files where extracted from
https://github.com/fedora-selinux/selinux-policy

See Independent policy project guidelines for more details about
shipping custom SELinux policy.
https://fedoraproject.org/wiki/SELinux/IndependentPolicy

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
9288901f by Christian Heimes at 2020-03-05T09:57:00+01:00
Integrate SELinux policy into build system

Hook up the new policy to autoconf and automake.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
0c9949e8 by Vit Mojzis at 2020-03-05T09:57:00+01:00
selinux: move BUILD_SELINUX_POLICY definition

BUILD_SELINUX_POLICY needs to be defined outside of ENABLE_SERVER
conditional block.

Fixes:
\# ./configure --disable-server
...
configure: error: conditional "BUILD_SELINUX_POLICY" was never defined.
Usually this means the macro was only invoked conditionally.

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
473f9baf by Vit Mojzis at 2020-03-05T09:57:00+01:00
selinux: Remove obsolete memcached access

Drop memcached_stream_connect access since memcached is no longer used.

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
68c72e34 by Florence Blanc-Renaud at 2020-03-05T14:40:58+01:00
Privilege: add a helper checking if a principal has a given privilege

server_conncheck is ensuring that the caller has the expected privilege.
Move the code to a common place in ipaserver/plugins/privilege.py

Related: https://pagure.io/freeipa/issue/7600
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
911992b8 by Florence Blanc-Renaud at 2020-03-05T14:40:58+01:00
ipa-adtrust-install: run remote configuration for new agents

When ipa-adtrust-install is run, the tool detects masters that are
not enabled as trust agents and propose to configure them. With the
current code, the Schema Compat plugin is not enabled on these new
trust agents and a manual restart of LDAP server + SSSD is required.

With this commit, ipa-adtrust-install now calls remote code on the new
agents through JSON RPC api, in order to configure the missing parts.
On the remote agent, the command is using DBus and oddjob to launch
a new command,
/usr/libexec/ipa/oddjob/org.freeipa.server.trust-enable-agent [--enable-compat]
This command configures the Schema Compat plugin if --enable-compat is
provided, then restarts LDAP server and SSSD.

If the remote agent is an older version and does not support remote
enablement, or if the remote server is not responding, the tool
ipa-adtrust-install prints a WARNING explaining the steps that need
to be manually executed in order to complete the installation, and
exits successfully (keeping the current behavior).

Fixes: https://pagure.io/freeipa/issue/7600
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
fc4c3ac7 by Florence Blanc-Renaud at 2020-03-05T14:40:58+01:00
ipatests: add test for ipa-adtrust-install --add-agents

Add tests checking the behavior of ipa-adtrust-install when
adding trust agents:
- try calling the remote method trust_enable_agent with
a principal missing the required privilege.
- try adding a trust agent when the remote node is stopped.
The installer must detect that he's not able to run the remote
commands and print a WARNING.
- try adding a trust agent when the remote node is running.
The WARNING must not be printed as the remote configuration is done.
- try adding a trust agent with --enable-compat.
The WARNING must not be printed and the Schema Compatibility plugin
must be enabled (the entries
cn=users/groups,cn=Schema Compatibility,cn=plugins,cn=config
must contain a new attribute schema-compat-lookup-nsswitch
(=user/group).

Thanks to sorlov for the nightly test definitions and new test.

Related: https://pagure.io/freeipa/issue/7600
Co-authored-by: Sergey Orlov <sorlov at redhat.com>
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
888c7ba9 by Sergey Orlov at 2020-03-09T16:17:13+01:00
ipatests: update docstring to reflect changes in FileBackup.restore()

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9450aef7 by Sergey Orlov at 2020-03-09T16:17:13+01:00
ipatests: replace utility for editing sssd.conf

There are three patterns for editing sssd.conf in tests now:
1. using modify_sssd_conf() which allows to modify only domain sections
2. using remote_ini_file
3. direct file editing using `sed`

This patch introduces new utility function which combines advantages of
first two approaches:
* changes are verified against schema, so that mistakes can be spotted
  early
* has convenient interface for simple options modification,
  both in domain and service sections
* allows sophisticated modifications through SSSDConfig object

Fixes: https://pagure.io/freeipa/issue/8219
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
3dd679b3 by Sergey Orlov at 2020-03-09T16:17:13+01:00
ipatests: use remote_sssd_config to modify sssd.conf

Replace usage of remote_ini_file with remote_sssd_config.
The latter verifies changes against schema which helps to spot the mistakes.

Related to: https://pagure.io/freeipa/issue/8219

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e01e7fe6 by Sergey Orlov at 2020-03-09T16:17:13+01:00
ipatests: remove invalid parameter from sssd.conf

`use_fully_qualified_names` is not a valid parameter for `[sssd]` section
of sssd.conf, it can be specified only in domain section.
According to `man sssd.conf` it simply requires all requests to be fully
qualified, otherwise no result will be found. It is irrelevant to the
test scenario, so removing it.

Related to: https://pagure.io/freeipa/issue/8219

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
233a18b2 by Florence Blanc-Renaud at 2020-03-10T18:21:50+01:00
ipa-adtrust-install: remote command fails if ipa-server-trust-ad pkg missing

When the command ipa-adtrust-install --add-agents is run, it executes
remotely the command trust_enable_agent. This command does not require
the package ipa-server-trust-ad to be installed on the remote node, but
fails if it's not the case because dbus is not imported.
Need to move the "import dbus" outside of the try/except related to
dcerpc import.

Related: https://pagure.io/freeipa/issue/7600
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
1fbc4e01 by Florence Blanc-Renaud at 2020-03-10T18:21:50+01:00
selinux policy: add the right context for org.freeipa.server.trust-enable-agent

This commit sets the system_u:object_r:ipa_helper_exec_t:s0 context to the
oddjob script org.freeipa.server.trust-enable-agent.
Without this context, oddjob cannot launch the command
/usr/libexec/ipa/oddjob/org.freeipa.server.trust-enable-agent
when ipa-adtrust-install --add-agents is run with SElinux enforcing.

Related: https://pagure.io/freeipa/issue/7600
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
593fac1c by Alexander Bokovoy at 2020-03-11T17:41:17+01:00
Tighten permissions on PKI proxy configuration

As we need to store credentials for AJP protocol comminucation,
ensure only root can read the configuration file.

Related: https://pagure.io/freeipa/issue/8221

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ec73de96 by Alexander Bokovoy at 2020-03-11T17:41:17+01:00
Secure AJP connector between Dogtag and Apache proxy

AJP implementation in Tomcat is vulnerable to CVE-2020-1938 if used
without shared secret. Set up a shared secret between localhost
connector and Apache mod_proxy_ajp pass-through.

For existing secured AJP pass-through make sure the option used for
configuration on the tomcat side is up to date. Tomcat 9.0.31.0
deprecated 'requiredSecret' option name in favor of 'secret'. Details
can be found at https://tomcat.apache.org/migration-9.html#Upgrading_9.0.x

Fixes: https://pagure.io/freeipa/issue/8221

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
6739d872 by Mohammad Rizwan Yusuf at 2020-03-11T15:48:42-04:00
Move wait_for_request() method to tasks.py

Moved the method so that it can be used by other modules too

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
9bcc57d9 by Mohammad Rizwan Yusuf at 2020-03-11T15:48:42-04:00
Test if getcert creates cacert file with -F option

It took longer to create the cacert file in older version.
restarting the certmonger service creates the file at the location
specified by -F option. This fix is to check that cacert file
creates immediately after certificate goes into MONITORING state.

related: https://pagure.io/freeipa/issue/8105

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7c059c81 by Sergey Orlov at 2020-03-12T07:39:12+01:00
ipatests: provide docstrings instead of imporperly placed comments

Related to: https://bugzilla.redhat.com/show_bug.cgi?id=1685581

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
8dd663e0 by Sergey Orlov at 2020-03-12T07:39:12+01:00
ipatests: add test for SSSD updating expired cache items

New test checks that sssd updates expired cache values both for IPA
domain and trusted AD domain.

Related to: https://pagure.io/SSSD/sssd/issue/4012

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
b88562b2 by Christian Heimes at 2020-03-12T07:46:59+01:00
Cleanup SELinux policy

* Remove FC for /usr/libexec/ipa/com.redhat.idm.trust-fetch-domains. The
  file has been moved to oddjobs/ subdirectory a long time ago.
* Simplify FC for oddjob scripts. All com.redhat.idm.* and org.freeipa.*
  scripts are labeled as ipa_helper_exec_t.
* use miscfiles_read_generic_certs() instead of deprecated
  miscfiles_read_certs() to address the warning:

```
Warning: miscfiles_read_certs() has been deprecated, please use miscfiles_read_generic_certs() instead.
```

(Also add org.freeipa.server.trust-enable-agent to .gitignore)

Related: https://pagure.io/freeipa/issue/6891
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
7ae1352c by Florence Blanc-Renaud at 2020-03-12T21:48:25+01:00
Support opendnssec 2.1.6

The installation of IPA DNS server is using ods-ksmutil, but
openddnssec 2.1.6 does not ship any more /usr/bin/ods-ksmutil. The tool
is replaced by /usr/sbin/ods-enforcer and /usr/sbin/ods-enforcer-db-setup..

The master branch currently supports fedora 30+, but fedora 30 and 31 are
still shipping opendnssec 1.4 while fedora 32+ is shipping opendnssec 2.1.6.
Because of this, the code needs to check at run-time if the ods-ksmutil
command is available. If the file is missing, the code falls back to
the new ods-enforcer and ods-enforcer-db-setup commands.

This commit defines paths.ODS_ENFORCER and paths.ODS_ENFORCER_DB_SETUP
for all platforms, but the commands are used only if ods-ksmutil is not found.

Fixes: https://pagure.io/freeipa/issue/8214
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
c2e355ae by Florence Blanc-Renaud at 2020-03-12T21:48:25+01:00
Remove the <Interval> from opendnssec conf

In opendnssec 2.1.6, the <Interval> element is not supported in the
configuration file.

Related: https://pagure.io/freeipa/issue/8214
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
b8578281 by Florence Blanc-Renaud at 2020-03-12T21:48:25+01:00
With opendnssec 2, read the zone list from file

With OpenDNSSEC 1.4, the code was using the command
$ ods-ksmutil zonelist export
which printed the zonelist as XML in its output.
With OpenDNSSEC 2, the code is using the command
$ ods-enforcer zonelist export
which prints a message instead:
"Exported zonelist to /etc/opendnssec/zonelist.xml successfully"
The code needs to extract the zonelist file name and read the XML
from the file.

Related: https://pagure.io/freeipa/issue/8214
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
8080bf7b by Florence Blanc-Renaud at 2020-03-12T21:48:25+01:00
Support OpenDNSSEC 2.1: new ods-signer protocol

The communication between ods-signer and the socket-activated process
has changed with OpenDNSSEC 2.1. Adapt ipa-ods-exporter to support also
the new protocol.

The internal database was also modified. Add a wrapper calling the
right code (table names hab=ve changed, as well as table columns).

With OpenDNSSEC the policy also needs to be explicitely loaded after
ods-enforcer-db-setup has been run, with
ods-enforcer policy import

The command ods-ksmutil notify must be replace with ods-enforce flush.

Related: https://pagure.io/freeipa/issue/8214
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
b6865831 by Florence Blanc-Renaud at 2020-03-12T21:48:25+01:00
DnsSecMaster migration: move the call to zonelist export later

When migrating the DNSSec Master to a replica, the setup of
opendnssec is re-using the database and needs to call zonelist
export.
With opendnssec 1.4 this call is done with ods-ksmutil while
opendnssec 2.1 uses ods-enforcer that communicates with
odsenforcerd that is not started yet.
Move the call after ods-enforcerd is started.

Related: https://pagure.io/freeipa/issue/8214
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
682b59c8 by Florence Blanc-Renaud at 2020-03-12T21:48:25+01:00
opendnssec2.1 support: move all ods tasks to specific file

Move all the routines run_ods* from tasks to _ods14 or _ods21 module

Related: https://pagure.io/freeipa/issue/8214
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
4e3a2bd6 by sumenon at 2020-03-12T17:24:33-04:00
ipatests: check that ipa-healthcheck warns if no dna range is set

Added testcase to verify that ipa-healthcheck tool displays a
warning if no DNS range is set. It previously just reported at the
SUCCESS level that no range was set.

Issue: freeipa/freeipa-healthcheck#60
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
44e73428 by Rob Crittenden at 2020-03-12T17:24:33-04:00
Move execution of ipa-healthcheck to a separate function

This removes a lot of duplication and simplifies the test
code.

It returns the command returncode and the JSON data (if any)

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
1eb6a9bf by François Cami at 2020-03-13T15:30:09+01:00
ipa-restore: restart services at the end

When IPA was not installed on the restore target host, and
when httpd was already running, "ipactl stop" does not stop
httpd. "ipactl start" at the end of the restore tool will
therefore not restart httpd either.
Calling "ipactl restart" at the end of the restore fixes the
issue, and as an added bonus, makes sure IPA can restart itself
properly.

Fixes: https://pagure.io/freeipa/issue/8226
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
9c9c6a70 by Stanislav Levin at 2020-03-13T11:27:36-04:00
spec: Take the ownership over '/usr/libexec/ipa/custodia'

Ideally, an every file on system has to have an owner.

'/usr/libexec/ipa/custodia' directory was added recently, but:

```
[root at dc ~]# LANG=C rpm -qf /usr/libexec/ipa/custodia/ipa-custodia-dmldap
freeipa-server-4.8.4-2.fc31.x86_64
[root at dc ~]# LANG=C rpm -qf /usr/libexec/ipa/custodia
file /usr/libexec/ipa/custodia is not owned by any package
```

ALTLinux build system warns about files or directories which were
'created' during a package installation but haven't an owner. So,
after the resyncing spec file to upstream's one my build fails.

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
7a9ac1f5 by Christian Heimes at 2020-03-16T13:04:17+01:00
Allow hosts to read DNS records for IP SAN

For SAN IPAddress extension the cert plugin verifies that the IP address
matches the host entry. Certmonger uses the host principal to
authenticate and retrieve certificates. But the host principal did not
have permission to read DNS entries from LDAP.

Allow all hosts to read some entries from active DNS records.

Fixes: https://pagure.io/freeipa/issue/8098
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b2ab2863 by Anuja More at 2020-03-17T09:13:16+02:00
ipatests: User and group with same name should not break reading AD user data.

Regression test resolving trusted users and groups should be
successful when there is a user in IPA with the
same name as a group name.

Related: https://pagure.io/SSSD/sssd/issue/4073

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
6018ccaa by Anuja More at 2020-03-17T09:13:16+02:00
Mark test to skip sssd-2.2.2

Test test_ext_grp_with_ldap is marked as skip as
fix for https://pagure.io/SSSD/sssd/issue/4073
unavailable with sssd-2.2.2

Related: https://pagure.io/SSSD/sssd/issue/4073

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
14c9cf99 by Stanislav Levin at 2020-03-18T16:36:36+02:00
pki-proxy: Don't rely on running apache until it's configured

This partially restores the pre-ec73de969f state of `http_proxy`,
which fails to restart the apache service during master
installation. The failure happens because of apache is not
configured yet on 'pki-tomcatd' installation phase. The mentioned
code and proposed one relies on the installer which bootstraps the
master.

Fixes: https://pagure.io/freeipa/issue/8233
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e08f7a9e by Florence Blanc-Renaud at 2020-03-19T10:55:11+01:00
idviews: prevent applying to a master

Custom IDViews should not be applied to IPA master nodes. Add a
check enforcing this rule in idview_apply command.

Fixes: https://pagure.io/freeipa/issue/5662

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
20d601e9 by Florence Blanc-Renaud at 2020-03-19T10:55:11+01:00
xmlrpc tests: add a test for idview-apply on a master

Add a new XMLRPC test trying to apply an IDview:
- to a master
- to a hostgroup containing a master
The command must refuse to apply the IDview to a master node.

Related: https://pagure.io/freeipa/issue/5662

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
2997a74a by Alexander Bokovoy at 2020-03-19T13:27:30+01:00
Prevent adding IPA objects as external members of external groups

The purpose of external groups in FreeIPA is to be able to reference
objects only existing in trusted domains. These members get resolved
through SSSD interfaces but there is nothing that prevents SSSD from
resolving any IPA user or group if they have security identifiers
associated.

Enforce a check that a SID returned by SSSD does not belong to IPA
domain and raise a validation error if this is the case. This would
prevent adding IPA users or groups as external members of an external
group.

RN: Command 'ipa group-add-member' allowed to specify any user or group
RN: for '--external' option. A stricter check is added to verify that
RN: a group or user to be added as an external member does not come
RN: from IPA domain.

Fixes: https://pagure.io/freeipa/issue/8236
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
c77f4213 by sumenon at 2020-03-20T08:20:56+01:00
ipatests: Added testcase to check logrotate is added for healthcheck tool

Issue: freeipa/freeipa-healthcheck#35
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>

- - - - -
a55a7222 by Christian Heimes at 2020-03-20T15:18:30+01:00
Integrate ipa_custodia policy

ipa-custodia is an internal service for IPA. The upstream SELinux policy
has a separate module for ipa_custodia. Fold the current policy from
Fedora rawhide into ipa's SELinux policy.

Related: https://pagure.io/freeipa/issue/6891
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d2332243 by Christian Heimes at 2020-03-20T15:18:30+01:00
Move freeipa-selinux dependency to freeipa-common

The SELinux policy defines file contexts that are also used by clients,
e.g. /var/log/ipa/. Make freeipa-selinux a dependency of freeipa-common.

Related: https://pagure.io/freeipa/issue/6891
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
37538624 by Florence Blanc-Renaud at 2020-03-21T07:37:05+02:00
ipatests: wait for SSSD to become online in backup/restore tests

The backup/restore tests are calling 'id admin' after restore
to make sure that the user name can be resolved after a restore.
The test should wait for SSSD backend to become online before
doing any check, otherwise there is a risk that the call to
'id admin' fails.

Fixes: https://pagure.io/freeipa/issue/8228

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
080a5831 by Christian Heimes at 2020-03-21T07:40:33+02:00
Bootstrap Sphinx documentation

Run sphinx-quickstart and include sphinx dependencies.

Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
d267d434 by Christian Heimes at 2020-03-21T07:40:33+02:00
Introduce FreeIPA

Copied from https://www.freeipa.org/page/About

- - - - -
a4456b01 by Christian Heimes at 2020-03-21T07:40:33+02:00
Include design documentation

- - - - -
a4efb302 by Christian Heimes at 2020-03-21T07:40:33+02:00
Test documentation builds in Azure

- - - - -
f8638e96 by Fraser Tweedale at 2020-03-21T07:40:33+02:00
fix osdc2015 and lca2016 dates

- - - - -
71ec597c by Fraser Tweedale at 2020-03-21T07:40:33+02:00
osdc-freeipa-workshop: add initial workshop modules

- - - - -
64109d5a by Fraser Tweedale at 2020-03-21T07:40:33+02:00
osdc-freeipa-workshop: external authnz module (WIP); minor fixes

- - - - -
96f93687 by Fraser Tweedale at 2020-03-21T07:40:33+02:00
osdc-freeipa-workshop: add rpmfusion instructions

- - - - -
26f4be58 by Fraser Tweedale at 2020-03-21T07:40:33+02:00
sudo make me a sandwich

- - - - -
70ec83dd by Fraser Tweedale at 2020-03-21T07:40:33+02:00
osdc-freeipa-workshop: add mod_auth_gssapi section

- - - - -
ea16b853 by Fraser Tweedale at 2020-03-21T07:40:33+02:00
osdc-freeipa-workshop: add mod_lookup_identity and mod_authnz_pam sections

- - - - -
aafbbd9b by Fraser Tweedale at 2020-03-21T07:40:33+02:00
osdc-freeipa-workshop: selinux and other minor fixes

- - - - -
0417063d by Fraser Tweedale at 2020-03-21T07:40:33+02:00
osdc-freeipa-workshop: remove vagrant-hostmanager steps, add editing notes

- - - - -
c90fabd6 by Fraser Tweedale at 2020-03-21T07:40:33+02:00
osdc-freeipa-workshop: add Vagrantfile clone instructions and curriculum overview

- - - - -
4c5db754 by Fraser Tweedale at 2020-03-21T07:40:33+02:00
osdc-freeipa-workshop: add Windows prep details

- - - - -
1445311e by Fraser Tweedale at 2020-03-21T07:40:33+02:00
osdc-freeipa-workshop: update f22 installation steps

- - - - -
77cb86bc by Fraser Tweedale at 2020-03-21T07:40:33+02:00
osdc-freeipa-workshop: incorporate wibrown\'s feedback

- - - - -
e76d1726 by Fraser Tweedale at 2020-03-21T07:40:33+02:00
osdc-freeipa-workshop: update troubleshooting doc

- - - - -
514f4c29 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
osdc-freeipa-workshop: clarify prep goals and VirtualBox version

- - - - -
fe03beb0 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
osdc-freeipa-workshop: add missing dnf install vagrant

- - - - -
7a865b7f by Fraser Tweedale at 2020-03-21T07:40:34+02:00
osdc-freeipa-workshop: remove definition list of VMs

- - - - -
31676d7c by Fraser Tweedale at 2020-03-21T07:40:34+02:00
osdc-freeipa-workshop: typospotting

- - - - -
69b2fd6f by Fraser Tweedale at 2020-03-21T07:40:34+02:00
osdc-freeipa-workshop: presentation, minor curriculum edits

- - - - -
9c2072c6 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
osdc-freeipa-workshop: support vagrant-libvirt on Fedora

- - - - -
326011da by Fraser Tweedale at 2020-03-21T07:40:34+02:00
osdc-freeipa-workshop: add debian/ubuntu prep instructions

- - - - -
855556e0 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
osdc-freeipa-workshop: add OS X and update Debian/Ubuntu details

- - - - -
32b37185 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
osdc-freeipa-workshop: add certificate management module

- - - - -
a209cb9d by Fraser Tweedale at 2020-03-21T07:40:34+02:00
20151029-osdc-freeipa-workshop: add app.py

- - - - -
37b38ead by zdover at 2020-03-21T07:40:34+02:00
making a list's items agree with one another

- - - - -
dd22a3c2 by zdover at 2020-03-21T07:40:34+02:00
first tranche of edits

- - - - -
2012713c by zdover at 2020-03-21T07:40:34+02:00
thirty percent edited

- - - - -
e8c9efed by zdover at 2020-03-21T07:40:34+02:00
sixty percent edited

- - - - -
39d1715c by zdover at 2020-03-21T07:40:34+02:00
100 percent complete edit

- - - - -
df311568 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
merge (most of) zdover's edits

- - - - -
1723910a by Fraser Tweedale at 2020-03-21T07:40:34+02:00
freeipa-workshop: fix mod_authnz_pam link

- - - - -
fb5ab1d4 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
add copyright notice

- - - - -
73da5802 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
remove proposal

- - - - -
4a48fe31 by Abhijeet at 2020-03-21T07:40:34+02:00
Update workshop.rst

Correction in Windows hosts file path.
- - - - -
638d9862 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
initial commit

- - - - -
3ed5610f by Fraser Tweedale at 2020-03-21T07:40:34+02:00
typospotting

- - - - -
08a96bdf by Fraser Tweedale at 2020-03-21T07:40:34+02:00
enable and start httpd on client

- - - - -
17b87fbc by Fraser Tweedale at 2020-03-21T07:40:34+02:00
workshop: remove references to freeipa-workshop-vagrantfile repo

- - - - -
05ab50a1 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
add vagrant box building instructions

- - - - -
25e55198 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
update to f23

- - - - -
40f6a1b7 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
add replica installation module

- - - - -
73b1b05a by Fraser Tweedale at 2020-03-21T07:40:34+02:00
symlink README to workshop.rst

- - - - -
88b77080 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
add internal links to modules

- - - - -
1e1de65e by Fraser Tweedale at 2020-03-21T07:40:34+02:00
update clone url

- - - - -
73d8f7bb by Fraser Tweedale at 2020-03-21T07:40:34+02:00
update feedback url

- - - - -
f8d94388 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
bump libvirt vm mem to 1G; other fixes

- - - - -
ae56b9a2 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
building: note disk and memory requirements

- - - - -
9cf59656 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
add facilitator notes; remove feedback link

- - - - -
49c48aa9 by Thorsten Scherf at 2020-03-21T07:40:34+02:00
Added vagrant-libvirt-doc rpm and polkit rule

- - - - -
0db3a569 by Thorsten Scherf at 2020-03-21T07:40:34+02:00
Added --mkhomedir option for server and replica.

- - - - -
7f187146 by Thorsten Scherf at 2020-03-21T07:40:34+02:00
Added bash-completion rpm to build instructions.

- - - - -
18c0ef42 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
typospotting

- - - - -
681f8ae5 by Robert Collins at 2020-03-21T07:40:34+02:00
Note sss_cache -E.

- - - - -
2f9c9c87 by Ariel O. Barria at 2020-03-21T07:40:34+02:00
vagrant user does not have permission to write to /etc/resolv.conf
detect through DNS autodiscovery.

- - - - -
65489291 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
updates for FreeIPA 4.3

- - - - -
3be3ca97 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
certs: request SAN DNS name

- - - - -
44b6c2be by Fraser Tweedale at 2020-03-21T07:40:34+02:00
prep: updates for f24, box version 0.0.7

- - - - -
77eea677 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
Change workshop "Modules" to "Units"

Because the term "module" is used in various parts of the curriculum
in a technical context, for clarity refer to the sections of the
curriculum as "units" instead.

- - - - -
0f7a460f by Fraser Tweedale at 2020-03-21T07:40:34+02:00
minor editoral improvements

- - - - -
d14dc294 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
add sudorule unit

- - - - -
7a6b9147 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
add selinuxusermap unit

- - - - -
a097485e by Fraser Tweedale at 2020-03-21T07:40:34+02:00
add sudorule and selinux units to TOC

- - - - -
c14042dc by Thorsten Scherf at 2020-03-21T07:40:34+02:00
Module added about ssh pubkey management

- - - - -
33cd0bb6 by Armando Neto at 2020-03-21T07:40:34+02:00
Update instructions for Fedora 28 / FreeIPA 4.6.90

- - - - -
b6c50da0 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
split workshop into separate files

- - - - -
66ff3675 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
add inter-module links

- - - - -
bc1c5a84 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
add more prerequisites and fix some links

- - - - -
345850eb by Fraser Tweedale at 2020-03-21T07:40:34+02:00
Vagrantfile: set DNS configuration in network-scripts

The Vagrantfile puts the server's address in /etc/resolv.conf but
this configuration will not survive a reboot or network restart.
Add configuration to /etc/sysconfig/network-scripts/ to ensure the
correct resolver is always used.

- - - - -
0678ed56 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
rename certificates module

- - - - -
3a0f8a11 by Fraser Tweedale at 2020-03-21T07:40:34+02:00
lots of minor tweaks and updates

- - - - -
8e0d4bcc by Fraser Tweedale at 2020-03-21T07:40:34+02:00
suggest `ipa help topics`

- - - - -
a2f3088a by Fraser Tweedale at 2020-03-21T07:40:34+02:00
typospotting

- - - - -
8ff19cdb by Fraser Tweedale at 2020-03-21T07:40:34+02:00
add resources section

- - - - -
416d87b9 by Thorsten Scherf at 2020-03-21T07:40:34+02:00
Corrected some typos and added improvements to some setup instructions

- - - - -
3bd27cfe by François Cami at 2020-03-21T07:40:34+02:00
8-sudorule.rst: add sudo and su-l as services for bob's HBAC rule.

Add a note about the behavior change of passwordless sudo
in sudo 1.8.23 and newer.

- - - - -
265d064b by Sam Bristow at 2020-03-21T07:40:34+02:00
Workaround networking issues with Libvirt

Vagrant 2.2 on Fedora 30 enables QEMU Session by default [1] which causes
problems with setting up the private network.

Explicitly telling Vagrant not to use the QEMU session if we're running on
Libvirt is the suggested workaround for now.

[1] https://fedoraproject.org/wiki/Changes/Vagrant_2.2_with_QEMU_Session
- - - - -
acfe34e2 by Alexander Bokovoy at 2020-03-21T07:40:34+02:00
Add unit 11: Kerberos ticket policy

Kerberos ticket policy unit describes ways of control of Kerberos
tickets in FreeIPA with the help of ticket policies.

- - - - -
c4a55522 by Christian Heimes at 2020-03-21T07:40:34+02:00
Fix codestyle

- - - - -
145afd68 by Christian Heimes at 2020-03-21T07:40:34+02:00
Include workshop in sphinx build

- - - - -
a9a225d7 by Christian Heimes at 2020-03-21T07:40:34+02:00
Use m2r instead of recommonmark

recommonmark does not support markdown tables.

Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
9f2553c6 by Christian Heimes at 2020-03-21T07:42:20+02:00
Add explicit syntax language to code blocks

m2r converts code blocks into ReST code blocks with syntax highlighting.
Auto-detection of the language does not work correctly, though.
Explicitly set the language for console, ini, and Python blocks.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c6a379c4 by Alexander Bokovoy at 2020-03-21T07:57:06+02:00
Move workshop documents to doc/workshop

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
34b961dc by Alexander Bokovoy at 2020-03-21T08:04:45+02:00
Override master document for ReadTheDocs

ReadTheDocs.org engine assumes master document is 'contents.rst', we use
'index.rst'. Specify the master document explicitly.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
452ef8cc by Alexander Bokovoy at 2020-03-21T08:10:31+02:00
Do not force any particular sphinx theme

This allows ReadTheDocs to use own theme.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
4a3b7bae by Rob Crittenden at 2020-03-21T09:36:40+01:00
Test that ipa-healthcheck human output translates error strings

The code rather than the string was being displayed in human
output for non-SUCCESS messages. Verify that in case of an error
the right output will be present.

https://bugzilla.redhat.com/show_bug.cgi?id=1752849

Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
3aad16a7 by Vit Mojzis at 2020-03-24T10:17:14+02:00
selinux: disable ipa_custodia when installing custom policy

Since ipa_custodia got integrated into ipa policy package, the upstream policy
module needs to be disabled before ipa module installation (in order to be able
to make changes to the ipa_custodia policy definitions).
Upstream ipa module gets overridden automatically because of higher priority of
the custom module, but there is no mechanism to automatically disable
ipa_custodia.

Related: https://pagure.io/freeipa/issue/6891
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
99a62f29 by Serhii Tsymbaliuk at 2020-03-24T10:19:13+02:00
Web UI: Upgrade Bootstrap version 3.3.7 -> 3.4.1

Ticket: https://pagure.io/freeipa/issue/8239

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9e47799c by Sergey Orlov at 2020-03-24T10:20:39+02:00
ipatests: remove test_ordering

The test_integration/test_ordering.py is a test for pytest_sourceorder
plugin which is not part of freeipa project, it is not an integration test.

The up to date version of this test is available at project repository:
https://pagure.io/python-pytest-sourceorder/blob/master/f/test_sourceorder.py

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e8602b15 by Christian Heimes at 2020-03-24T10:22:18+02:00
Add pytest OpenSSH transport with password

The pytest_multihost transport does not provide password-based
authentication for OpenSSH transport. The OpenSSH command line tool has
no API to pass in a password securely.

The patch implements a custom transport that uses sshpass hack. It is
not recommended for production but good enough for testing.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
92e36258 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
Keep ipa.pot translation file in git for weblate

Weblate tool sends pull requests that update translations directly.
For this to work, we need to keep ipa.pot in the tree.

Fixes: https://pagure.io/freeipa/issue/8159
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
b4722f39 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
Update translation infrastructure

1. Build po/ipa.pot every time we update PO files (each build)

2. Drop any rebuilt PO changes if the only difference is in the
   translation file's header in a timestamp or timestamp+bug report
   link.

3. Only apply the logic for dropping the changes if we are operating on
   a git tree checkout because there is no otherwise an easy way to
   detect the changes.

4. Hook strip-po target to the cleanup target to allow dropping unneeded
   translation changes automatically.

5. Finally, strip ipaclient/remote_plugins/* locations from the ipa.pot
   template. This saves us around 23,000 lines from the ipa.pot file and
   reduces visual clutter in the translation files.

This approach allows to avoid unneccesary commits because even when
there are no changes to translation files, po/ipa.pot header would be
updated with a new translation update timestamp.

Fixes: https://pagure.io/freeipa/issue/8159
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
3fc932a2 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update ipa.pot template

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
0be22a6a by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Bengali translation timestamp

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
6cd244da by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Catalan translation timestamp

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
68cc0491 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Czech translation timestamp

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
117893f0 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update German translation

Several translated strings were splitted into smaller ones. The older
translation either is a duplicate of the new one or does not apply
anymore.

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
439c488f by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update English (United Kingdom) translation timestamp

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
2859216b by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Spanish translation

Several translated strings were splitted and old translations do not
apply directly anymore.

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
e6574914 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Basque translation timestamp

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
1a0232a6 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update French translation

Several translated strings were splitted and old translations do not
apply directly anymore.

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
35c1da83 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Hindi translation timestamp

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
f18a4f8d by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Hungarian translation timestamp

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
347d9c78 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Indonesian translation timestamp

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
60d69a87 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Japanese translation timestamp

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
1c30d186 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Kannada translation timestamp

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
0c9066e8 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Marathi translation timestamp

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
7f3cc11a by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Dutch translation timestamp

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
3e636959 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Punjabi translation timestamp

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
047c8cc5 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Polish translation

Several translated strings were splitted and old translations do not
apply directly anymore.

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
baf1a721 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Portuguese translation timestamp

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
45dede73 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Portuguese (Brazil) translation timestamp

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
ad3ef9de by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Russian translation

Several translated strings were splitted and old translations do not
apply directly anymore.

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
ed55c408 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Slovak translation timestamp

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
e50c2500 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Tajik translation timestamp

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
9fcae159 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Ukrainian translation

Several translated strings were splitted and old translations do not
apply directly anymore.

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
42e86692 by Alexander Bokovoy at 2020-03-24T13:40:06+01:00
po: update Chinese (China) translation

Several translated strings were splitted and old translations do not
apply directly anymore.

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
9120d65e by Mohammad Rizwan Yusuf at 2020-03-24T13:49:57+01:00
Test if schema-compat-entry-attribute is set

This is to ensure if said entry is set after installation with AD.

related: https://pagure.io/freeipa/issue/8193

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>

- - - - -
312d00df by Mohammad Rizwan Yusuf at 2020-03-24T13:49:57+01:00
Test if schema-compat-entry-attribute is set

This is to ensure if said entry is set after installation.
It also checks if compat tree is disable.

related: https://pagure.io/freeipa/issue/8193

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>

- - - - -
aae30eb7 by Sergey Orlov at 2020-03-24T18:26:03+01:00
ipatests: provide AD admin password when trying to establish trust

`ipa trust-add --password` command requires that user provides a password..

Related to: https://pagure.io/freeipa/issue/7895

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
0711c4a0 by Fraser Tweedale at 2020-03-25T11:13:03+11:00
certmonger: avoid mutable default argument

certmonger._get_requests has a mutable default argument.  Although
at the present time it is never modified, this is an antipattern to
be avoided.

In fact, we don't even need the default argument, because it is
always called with a dict() argument.  So just remove it.

Part of: https://pagure.io/freeipa/issue/8186

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
e0fb3816 by Fraser Tweedale at 2020-03-25T11:13:03+11:00
certmonger: move 'criteria' description to module docstring

The 'criteria' parameter is used by several subroutines in the
ipalib.install.certmonger module.  It has incomplete documentation
spread across several of these subroutines.  Move the documentation
to the module docstring and reference it where appropriate.

Part of: https://pagure.io/freeipa/issue/8186

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
18ebd111 by Fraser Tweedale at 2020-03-25T11:13:03+11:00
certmonger: support dnsname as request search criterion

We need to be able to filter Certmonger tracking requests by the DNS
names defined for the request.  The goal is to add the
'ipa-ca.$DOMAIN' alias to the HTTP certificate tracking requests, so
we will use that name as a search criterion.  Implement support for
this.

As a result of this commit it will be easy to add support for subset
match of other Certmonger request list properties.  Just add the
property name to the ARRAY_PROPERTIES list (and update the
'criteria' description in the module docstring!)

Part of: https://pagure.io/freeipa/issue/8186

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
4cf9c868 by Fraser Tweedale at 2020-03-25T11:13:03+11:00
httpinstance: add fqdn and ipa-ca alias to Certmonger request

BACKGROUND:

We are implementing ACME support in FreeIPA (umbrella ticket:
https://pagure.io/freeipa/issue/4751).  ACME is defined in RFC 8555.
HTTPS is REQUIRED (https://tools.ietf.org/html/rfc8555#section-6.1).
Therefore, every FreeIPA server that provides the ACME service
capability must be reachable by HTTPS.

RFC 8555 does not say anything about which port to use for ACME.
The default HTTPS port of 443 is implied.  Therefore, the FreeIPA
ACME service will be reached via the Apache httpd server, which will
be the TLS server endpoint.

As a usability affordance for ACME clients, and as a maintainability
consideration i.e. to allow the topology to change without having to
reconfigure ACME clients, there should be a a single DNS name used
to reach the IPA ACME service.

The question then, is which DNS name to use.

REQUIREMENTS:

Each FreeIPA server that is also an ACME server must:

1. Be reachable via a common DNS name

2. Have an HTTP service certificate with that DNS name as a SAN
   dNSName value

DESIGN CONSIDERATION - WHAT DNS NAME TO USE?:

Some unrelated FreeIPA ACME design decisions provide important
context for the DNS name decision:

- The ACME service will be automatically and unconditionally
  deployed (but not necessarily *enabled*) on all CA servers.

- Enabling or disabling the ACME service will have topology-wide
  effect, i.e. the ACME service is either enabled on all CA
  servers, or disabled on all CA servers.

In a CA-ful FreeIPA deployment there is already a DNS name that
resolves to all CA servers: ``ipa-ca.$DOMAIN``, e.g.
``ipa-ca.example.com``.  It is expected to point to all CA servers
in the deployment, and *only* to CA servers.  If internal DNS is
deployed, the DNS records for ``ipa-ca.$DOMAIN`` are created and
updated automatically.  If internal DNS is not deployed,
administrators are required to maintain these DNS records
themselves.

The ``ipa-ca.$DOMAIN`` alias is currently used for OCSP and CRL
access.  TLS is not required for these applications (and it can
actually be problematic for OCSP).  Enabling TLS for this name
presents some risk of confusion for operators.  For example, if they
see that TLS is available and alter the certificate profiles to
include an HTTPS OCSP URL in the Authority Information Access (AIA)
extension, OCSP-using clients may fail to validate such
certificates.  But it is possible for administrators to make such a
change to the profile, whether or not HTTPS is available.

One big advantage to using the ``ipa-ca.$DOMAIN`` DNS name is that
there are no new DNS records to manage, either in the FreeIPA
implementation or for administrators in external DNS systems.

The alternative approach is to define a new DNS name, e.g.
``ipa-acme.$DOMAIN``, that ACME clients would use.  For internal
DNS, this means the FreeIPA implementation must manage the DNS
records.  This is straightforward; whenever we add or remove an
``ipa-ca.$DOMAIN`` record, also add/remove the ``ipa-acme.$DOMAIN``
record.  But for CA-ful deployments using external DNS, it is
additional work for adminstrators and, unless automated, additional
room for error.

An advantage of using a different DNS name is ``ipa-ca.$DOMAIN`` can
remain inaccessible over HTTPS.  This possibly reduces the risk of
administrator confusion or creation of invalid AIA configuration in
certificate profiles.

Weighing up the advantages and disadvantages, I decided to use the
``ipa-ca.$DOMAIN`` DNS name.

DESIGN CONSIDERATION - CA SERVERS, OR ALL SERVERS?:

A separate decision from which name to use is whether to include it
on the HTTP service certificate for ACME servers (i.e. CA servers)
only, or on all IPA servers.

Combined with the assumption that the chosen DNS name points to CA
servers *only*, there does not seem to be any harm in adding it to
the certificates on all IPA servers.

The alternative is to only include the chosen DNS name on the HTTP
service certificates of CA servers.  This approach entails some
additional complexity:

- If a non-CA replica gets promoted to CA replica (i.e. via
  ``ipa-ca-install``), its HTTP certificate must be re-issued with
  the relevant name.

- ipa-server-upgrade code must consider whether the server is a CA
  replica when validating (and if necessary re-creating) Certmonger
  tracking requests

- IPA Health Check must be made aware of this factor when checking
  certificates and Certmonger tracking requests.

Weighing up the options, I decided to add the common DNS name to the
HTTP service certificate on all IPA servers.  This avoids the
implementation complexity discussed above.

CHANGES IN THIS COMMIT

When (re-)tracking the HTTP certificate, explicitly add the server
FQDN and ipa-ca.$DOMAIN DNS names to the Certmonger tracking request.

Related changes follow in subsequent commits.

Part of: https://pagure.io/freeipa/issue/8186

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
f7c45641 by Fraser Tweedale at 2020-03-25T11:13:03+11:00
cert-request: allow ipa-ca.$DOMAIN dNSName for IPA servers

For detailed discussion on the purpose of this change and the design
decisions made, see `git log -1 $THIS_COMMIT~1`.

ACME support requires TLS and we want ACME clients to access the
service via the ipa-ca.$DOMAIN DNS name.  So we need to add the
ipa-ca.$DOMAIN dNSName to IPA servers' HTTP certificates.  To
facilitiate this, add a special case to the cert-request command
processing.  The rule is:

- if the dnsName being validated is "ipa-ca.$DOMAIN"
- and the subject principal is an "HTTP/..." service
- and the subject principal's hostname is an IPA server

Then that name (i.e. "ipa-ca.$DOMAIN") is immediately allowed.
Otherwise continue with the usual dnsName validation.

Part of: https://pagure.io/freeipa/issue/8186

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
4d5b5a90 by Fraser Tweedale at 2020-03-25T11:13:03+11:00
httpinstance: add ipa-ca.$DOMAIN alias in initial request

For detailed discussion on the purpose of this change and the design
decisions made, see `git log -1 $THIS_COMMIT~2`.

For new server/replica installation, issue the HTTP server
certificate with the 'ipa-ca.$DOMAIN' SAN dNSName.  This is
accomplished by adding the name to the Certmonger tracking request.

Part of: https://pagure.io/freeipa/issue/8186

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
cf4c2c64 by Fraser Tweedale at 2020-03-25T11:13:03+11:00
upgrade: add ipa-ca.$DOMAIN alias to HTTP certificate

For detailed discussion on the purpose of this change and the design
decisions made, see `git log -1 $THIS_COMMIT~3`.

If the HTTP certificate does not have the ipa-ca.$DOMAIN dNSName,
resubmit the certificate request to add the name.  This action is
performed after the tracking request has already been updated.

Note: due to https://pagure.io/certmonger/issue/143, the resubmitted
request, if it does not immediately succeed (fairly likely during
ipa-server-upgrade) and if the notAfter date of the current cert is
still far off (also likely), then Certmonger will wait 7 days before
trying again (unless restarted).  There is not much we can do about
that in the middle of ipa-server-upgrade.

Part of: https://pagure.io/freeipa/issue/8186

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
45b5384b by Fraser Tweedale at 2020-03-25T11:13:03+11:00
ipatests: check HTTP certificate contains ipa-ca.$DOMAIN dnsname

Add integration test that confirms that on CA-ful installation, the
(non-3rd-party) HTTP certificate bears the ipa-ca.$DOMAIN DNS name.

For detailed discussion on the purpose of this change and the design
decisions made, see `git log -1 $THIS_COMMIT~4`.

Part of: https://pagure.io/freeipa/issue/8186

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c1c45df4 by Alexander Bokovoy at 2020-03-25T09:39:01+02:00
ipatests: always skip additional input for group-add-member --external

'ipa group-add-member groupname --external some-object' will attempt to
ask interactive questions about other optional parameters (users and
groups) if only external group member was specified. This leads to a
timeout in the tests as there is no input provided.

Do not wait for the entry that would never come by using 'ipa -n'..

Related: https://pagure.io/freeipa/issue/8236
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
e913fdc8 by Christian Heimes at 2020-03-25T09:52:59+02:00
SELinux: apache_manage_pid_files for F30

SELinux policy on F30 doesn't have the interface
apache_manage_pid_files(). Define the interface conditionally.

Fixes: https://pagure.io/freeipa/issue/8241
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
38204856 by Alexander Bokovoy at 2020-03-25T10:11:48+01:00
Fix indentation levels

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
8c191ddf by Alexander Bokovoy at 2020-03-25T10:11:48+01:00
ipatests: allow changing sysaccount passwords as cn=Directory Manager

Extend ldappasswd_sysaccount_change() helper to allow changing
passwords as a cn=Directory Manager.

Related to: https://pagure.io/freeipa/issue/7181
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
a620ac0f by Alexander Bokovoy at 2020-03-25T10:11:48+01:00
ipatests: test sysaccount password change with a password policy applied

ipa-pwd-extop plugin had a bug which prevented a cn=Directory Manager
to change a password to a value that is not allowed by an associated
password policy. Password policy checks should not apply to any
operations done as cn=Directory Manager.

The test creates a system account with associated policy that prevents
password reuse. It then goes to try to change a password three times:
 - as a user: must succeeed
 - as a cn=Directory Manager: must succeed even with a password re-use
 - as a user again: must fail due to password re-use

Related: https://pagure.io/freeipa/issue/7181
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
527f30be by Alexander Bokovoy at 2020-03-25T10:11:48+01:00
ipa-pwd-extop: use SLAPI_BIND_TARGET_SDN

SLAPI_BIND_TARGET_DN is deprecated since 2011 by 389-ds team,
see commit f6397113666f06848412bb12f754f04258cfa5fa in 389-ds:
https://pagure.io/389-ds-base/c/f6397113666f06848412bb12f754f04258cfa5fa?branch=master

Use SLAPI_BIND_TARGET_SDN instead and move internal ipa-pwd-extop
helpers to accept Slapi_DN references rather than strings.

Related: https://pagure.io/freeipa/issue/7181

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
d9c41df6 by Alexander Bokovoy at 2020-03-25T10:11:48+01:00
ipa-pwd-extop: don't check password policy for non-Kerberos account set by DM or a passsync manager

Password changes performed by cn=Directory Manager are excluded from
password policy checks according to [1]. This is correctly handled by
ipa-pwd-extop in case of a normal Kerberos principal in IPA. However,
non-kerberos accounts were not excluded from the check.

As result, password updates for PKI CA admin account in o=ipaca were
failing if a password policy does not allow a password reuse. We are
re-setting the password for PKI CA admin in ipa-replica-prepare in case
the original directory manager's password was updated since creation of
`cacert.p12`.

Do password policy check for non-Kerberos accounts only if it was set by
a regular user or admin. Changes performed by a cn=Directory Manager and
passsync managers should be excluded from the policy check.

Fixes: https://pagure.io/freeipa/issue/7181
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

[1] https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/user_account_management-managing_the_password_policy

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
132a0f87 by Rob Crittenden at 2020-03-25T10:11:48+01:00
Don't save password history on non-Kerberos accounts

While other password policies were properly ignored the password
history was always being saved if the global history size was
non-zero.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
ff6984e2 by Rob Crittenden at 2020-03-25T10:11:48+01:00
Add ability to change a user password as the Directory Manager

This is to confirm that the Directory Manager is not affected by
password policy.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
89066892 by Rob Crittenden at 2020-03-25T10:11:48+01:00
Test that pwpolicy only applied on Kerberos entries

Also test that a normal user has password history enforcement

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
ac5cb426 by Christian Heimes at 2020-03-25T14:44:52+01:00
po: fix LINGUAS to use whitespace separation

The po/LINGUAS file contains a list of all avilable translations.
According to the GNU gettext documentation it's is a whitespace
separated list. Our LINGUAS file used newline separated list with inline
comments. This conflicts with weblate automation.

Fixes: https://pagure.io/freeipa/issue/8159
See: https://www.gnu.org/software/gettext/manual/html_node/po_002fLINGUAS.html
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d07da417 by Mohammad Rizwan Yusuf at 2020-03-25T15:18:57+01:00
ipatests: Skip test using paramiko when FIPS is enabled

Test used paramiko to connect to the master from controller.
Hence skip if FIPS is enabled

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
f9804558 by François Cami at 2020-03-26T13:18:14+01:00
ipatests: test_replica_promotion.py: test KRA on Hidden Replica

The Hidden replica tests did not test what happened when KRA was
installed on a hidden replica and then other KRAs instantiated from
this original one. Add a test scenario that covers this.

Related: https://pagure.io/freeipa/issue/8240
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
77ed0918 by Alexander Bokovoy at 2020-03-28T19:55:10+01:00
Remove Fedora repository fastmirror selection

Fast mirror selection somehow stopped working. If disabled, the
difference is around 20 seconds for the 'Prepare build environment' step
(2:49 versus 3:09), so while we are saving, currently it is not a lot.

Also remove explicit nodejs stream choice, it seems to be not needed
anymore (again).

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
ee80d0db by François Cami at 2020-03-28T19:55:10+01:00
pr-ci templates: update test_fips timeouts

test_fips takes between 45 and ~80 mins to run.
The templates' timeout was 3600s which is too short for
successful execution. 7200s should do.

Fixes: https://pagure.io/freeipa/issue/8247
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
58ad7b74 by Sumedh Sidhaye at 2020-03-30T15:07:48-04:00
Test to check if Certmonger tracks certs in between reboots/interruptions and while in "CA_WORKING" state

When a resubmit request is submitted an "invalid cookie"
error message is no longer shown

Earlier an "invlaid cookie" error message was shown when getcert list was called.

The fix allows an empty cookie in dogtag-ipa-ca-renew-agent-submit

Pagure Issue: https://pagure.io/freeipa/issue/8164

Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>

Fixup for test to verify that POLL will not error out on cookie

Author:    Rob Crittenden <rcritten at redhat.com>
Date:      Tue Mar 24 15:30:38 2020 -0400

Fixed review comments

Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
01b207bc by Alexander Bokovoy at 2020-03-31T09:21:37+03:00
Add 'api' and 'aci' targets to make

'makeapi' and 'makeaci' has to be run in a particular environment that
forces IPA Python modules from the source tree used instead of what
might be installed system-wide.

Create 'make api' and 'make aci' targets to provide easy access to them.

Make sure we run Python interpreter with PYTHONPATH set to force use of
the source tree.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
6472a107 by Alexander Bokovoy at 2020-03-31T09:21:37+03:00
Allow rename of a host group

RN: host groups can now be renamed with IPA CLI:
RN: 'ipa hostgroup-mod group-name --rename new-name'.
RN: Protected hostgroups ('ipaservers') cannot be renamed.

Fixes: https://pagure.io/freeipa/issue/6783
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
fd9f1b3d by sumenon at 2020-03-31T11:52:42-04:00
Test for ipahealthcheck.ipa.idns check when integrated DNS is setup

This testcase compares the output of ipahealtcheck.ipa.dns check
with the SRV records displayed by 'ipa dns-update-system-records --dry-run'
command executed on IPA server with integrated DNS setup.

https://bugzilla.redhat.com/show_bug.cgi?id=1695125

Signed-off-by: sumenon <sumenon at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
3a9b66b5 by François Cami at 2020-04-01T12:09:16+02:00
ipatests: test ipa-backup with different role configurations.

ipa-backup should refuse to execute if the local IPA server does not
have all the roles used in the cluster.
A --disable-role-check knob should also be provided to bypass the
check.

Add an integration test for the new behavior and the knob.

Related: https://pagure.io/freeipa/issue/8217
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
9324bba6 by François Cami at 2020-04-01T12:09:16+02:00
test_backup_and_restore: add server role verification steps

Add calls to "ipa server-role" to check whether the server role
changes are applied before calling ipa-backup.

Related: https://pagure.io/freeipa/issue/8217
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
3665ba92 by François Cami at 2020-04-01T12:09:16+02:00
ipa-backup: Make sure all roles are installed on the current master.

ipa-backup does not check whether the IPA master it is running on has
all used roles installed. This can lead into situations where backups
are done on a CAless or KRAless host while these roles are used in the
IPA cluster. These backups cannot be used to restore a complete cluster.

With this change, ipa-backup refuses to execute if the roles installed
on the current host do not match the list of roles used in the cluster.
A --disable-role-check knob is provided to restore the previous behavior.

Fixes: https://pagure.io/freeipa/issue/8217
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
5e44fc80 by Sergey Orlov at 2020-04-01T14:34:40+02:00
ipatests: add test_fips to testing-fedora nightly run

test_integration/test_fips.py was missing in nightly_latest_testing.yaml
for no obvious reason.

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
e9273968 by Sergey Orlov at 2020-04-01T14:34:40+02:00
ipatests: add test_automember to "previous" nightly run

test_integration/test_smb.py was missing in nightly_previous.yaml
for no obvious reason.

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
a2dee05b by Sergey Orlov at 2020-04-01T14:34:40+02:00
ipatests: add AD DC as a DNS forwarder before establishing trust

"ipa trust-add" was not able to establish trust because it could not
find the AD domain controller.

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
98b6326a by Sergey Orlov at 2020-04-01T14:34:40+02:00
ipatests: explicitly save output of certutil

The test setup was failing because output redirection does not work in
run_command() when specifued as list element.

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
b8e1a7d5 by Sergey Orlov at 2020-04-01T14:34:40+02:00
ipatests: run all cases from test_integration/test_idviews.py in nightlies

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
99a322a4 by Sergey Orlov at 2020-04-01T14:34:40+02:00
ipatests: run test_integration/test_cert.py in PR-CI

Execute test_integration/test_cert.py test in gating and generic
nightly test runs

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
1c4aa66b by Sergey Orlov at 2020-04-01T14:34:40+02:00
ipatests: add missing classes from test_installation in nightly runs

The following test classes were missing in all nightly definitions:
* TestADTrustInstall
* TestADTrustInstallWithDNS_KRA_ADTrust
* TestKRAinstallAfterCertRenew

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
9b3c3202 by Sergey Orlov at 2020-04-01T14:34:40+02:00
ipatests: add missing classes from test_nfs in nightly_previous run

Test class test_integration/test_nfs.py::TestIpaClientAutomountFileRestore
was missing in nightly_previous.yaml

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
a02df530 by Mohammad Rizwan Yusuf at 2020-04-02T14:30:52+02:00
ipatests:Test if proper error thrown when AD user tries to run IPA commands

Before fix the error used to implies that the ipa setup is broken.
Fix is to throw the proper error. This test is to check that the
error with 'Invalid credentials' thrown when AD user tries to run
IPA commands.

related: https://pagure.io/freeipa/issue/8163

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0fb0d2f1 by François Cami at 2020-04-02T16:10:27+02:00
pr-ci templates: update test_fips timeouts

test_fips takes between 45 and ~80 mins to run.
The templates' timeout was 3600s which is too short for
successful execution. 7200s should do.

Fixes: https://pagure.io/freeipa/issue/8247
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
d8135b73 by Sergey Orlov at 2020-04-03T11:15:57+02:00
ipatests: add test for sssd behavior with disabled trustdomains

When a trusted subdomain is disabled in ipa, users from this domain
should not be able to access ipa resources.

Related to: https://pagure.io/SSSD/sssd/issue/4078

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
b238812b by Sergey Orlov at 2020-04-03T11:15:57+02:00
update prci definitions for test_sssd.py

The test now requires AD domain + subdomain

Related to: https://pagure.io/SSSD/sssd/issue/4078

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
3ae0d0d7 by Sergey Orlov at 2020-04-03T11:15:57+02:00
ipatests: add utility for getting sssd version on remote host

This function should be used to conditionally skip tests or
mark them xfail when installed version of sssd does not yet contain
patch for the tested issue.

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
84c94f73 by Sergey Orlov at 2020-04-03T11:15:57+02:00
ipatests: add context manager for declaring part of test as xfail

This function provides functionality similar to pytest.mark.xfail
but for a block of code instead of the whole test function. This has
two benefits:
1) you can mark single line as expectedly failing without suppressing
   all other errors in the test function
2) you can use conditions which can not be evaluated before the test start.

The check is always done in "strict" mode, i.e. if test is expected to
fail but succeeds then it will be marked as failing.

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
26233c88 by Sergey Orlov at 2020-04-03T11:15:57+02:00
ipatests: mark test_trustdomain_disable test as expectedly failing

The fix for issue https://pagure.io/SSSD/sssd/issue/4078 have not landed
Fedora 30 version yet.

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
f5f960ed by Michal Polovka at 2020-04-03T08:32:20-04:00
Test for output being indented by default value if not stated implicitly.

Test checks whether output json-line string is indented by default value
if this value is not stated implicitly. Test compares healthcheck
produced json-like string with manually indented one.

Automates: 02272ff39d76f1412483c5e3289564c93d196a03
Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a087fd92 by François Cami at 2020-04-06T16:53:31+02:00
ipatests: move ipa_backup to tasks

* tasks had an ipa_backup() method that was not used anywhere.
* test_backup_and_restore had a backup() method that used to return
  both the path to the backup and the whole result from run_command ;
  The path to the backup can be determined from the result.

Clean up:
* move test_backup_and_restore.backup to tasks.ipa_backup, replacing
  the unused method.
* add tasks.get_backup_dir(host) which runs ipa-backup on host and
  returns the path to the backup directory.
* adjust test_backup_and_restore and test_replica_promotion.

Related: https://pagure.io/freeipa/issue/8217
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
3022bb5f by Rob Crittenden at 2020-04-06T12:54:20-04:00
Perform baseline healthcheck

Run healthcheck on a default installation and ensure that there
are no failures. This test ensures that a fresh IPA installation
will pass healthcheck.

https://bugzilla.redhat.com/show_bug.cgi?id=1774032

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
aa5a3336 by Stanislav Levin at 2020-04-07T15:22:47-04:00
Azure: Allow distros to install Python they want

The platforms may have different Pythons.
But due to [0] the Python installed via the 'UsePythonVersion at 0'
task should be compatible with the container's 'libpythonxx.so'.
'AZURE_PYTHON_VERSION' platform variable is introduced to cover
this. So, if your distro has Python3.8, set the mentioned variable
to '3.8', later, this version will be installed by the
'UsePythonVersion at 0' Azure task for 'WebUI_Unit_Tests' and 'Tox'
jobs.

To allow tox to run any Python3 environment the 'py3' one is used..
'py3' is the well-known Tox's environment, which utilizes 'python3'
executable.

[0]: https://github.com/microsoft/azure-pipelines-tasks/issues/11070

Fixes: https://pagure.io/freeipa/issue/8254
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
d1b53ded by Stanislav Levin at 2020-04-08T11:27:45+03:00
Azure: Gather coredumps

Applications may crash.
If a crash happens on a remote system during CI run it's sometimes
very hard to understand the reason. The most important means to
analyze such is a stack trace. It's also very important to check
whether there was a core dump or not, even a test passed.

For Docker environment, the core dumps are collected by the host's
systemd-coredump, which knows nothing about such containers (for
now). To build an informative thread stack trace debuginfo packages
should be installed. But they can't be installed on the host OS
(ubuntu), That's why after all the tests completed an additional
container should be up and the host's core dumps and host's journal
should be passed into it.

Even if there weren't enough debuginfo packages at CI-runtime, the
core dump could be analyzed locally later.

Fixes: https://pagure.io/freeipa/issue/8251
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
3985183d by Sam Morris at 2020-04-08T14:17:31+03:00
Debian: write out only one CA certificate per file

ca-certificates populates /etc/ssl/certs with symlinks to its input
files and then runs 'openssl rehash' to create the symlinks that libssl
uses to look up a CA certificate to see if it is trused.

'openssl rehash' ignores any files that contain more than one
certificate: <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945274>.

With this change, we write out trusted CA certificates to
/usr/local/share/ca-certificates/ipa-ca, one certificate per file.

The logic that decides whether to reload the store is moved up into the
original `insert_ca_certs_into_systemwide_ca_store` and
`remove_ca_certs_from_systemwide_ca_store` methods. These methods now
also handle any exceptions that may be thrown while updating the store.

The functions that actually manipulate the store are factored out into
new `platform_{insert,remove}_ca_certs` methods, which implementations
must override.

These new methods also orchestrate the cleanup of deprecated files (such
as `/etc/pki/ca-trust/source/anchors/ipa-ca.crt`), rather than having
the cleanup code be included in the same method that creates
`/etc/pki/ca-trust/source/ipa.p11-kit`.

As well as creating `/usr/local/share/ca-certificates/ipa-ca`, Debian
systems will now also have
`/usr/local/share/ca-certificates/ipa.p11-kit` be created. Note that
`p11-kit` in Debian does not use this file.

Fixes: https://pagure.io/freeipa/issue/8106
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ba162b9b by Stanislav Levin at 2020-04-08T16:33:35+02:00
ipatests: Mark firewalld commands as no-op on non-firewalld distros

The FreeIPA integration tests strictly require Firewalld.
But not all the distros have such or any other high-level tool
for managing a firewall. Thus, to run integration tests on such systems
NoOpFirewall class has been added, which provides no-op firewalld
commands.

Fixes: https://pagure.io/freeipa/issue/8261
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>

- - - - -
8a793b7d by François Cami at 2020-04-09T09:08:57+03:00
ipatests: increase test_ipahealthcheck timeout

test_ipahealthcheck tends to take more than 3600s to run.
Increate timeout to 4800s.

Fixes: https://pagure.io/freeipa/issue/8262
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
dbf5df4a by Alexander Bokovoy at 2020-04-14T12:36:01+03:00
CVE-2020-1722: prevent use of too long passwords

NIST SP 800-63-3B sets a recommendation to have password length upper bound limited in A.2:

https://pages.nist.gov/800-63-3/sp800-63b.html#appA

	Users should be encouraged to make their passwords as lengthy as they
	want, within reason. Since the size of a hashed password is independent
	of its length, there is no reason not to permit the use of lengthy
	passwords (or pass phrases) if the user wishes. Extremely long passwords
	(perhaps megabytes in length) could conceivably require excessive
	processing time to hash, so it is reasonable to have some limit.

FreeIPA already applied 256 characters limit for non-random passwords
set through ipa-getkeytab tool. The limit was not, however, enforced in
other places.

MIT Kerberos limits the length of the password to 1024 characters in its
tools. However, these tools (kpasswd and 'cpw' command of kadmin) do not
differentiate between a password larger than 1024 and a password of 1024
characters. As a result, longer passwords are silently cut off.

To prevent silent cut off for user passwords, use limit of 1000
characters.

Thus, this patch enforces common limit of 1000 characters everywhere:
 - LDAP-based password changes
   - LDAP password change control
   - LDAP ADD and MOD operations on clear-text userPassword
   - Keytab setting with ipa-getkeytab
 - Kerberos password setting and changing

Fixes: https://pagure.io/freeipa/issue/8268

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-by: Simo Sorce <ssorce at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>

- - - - -
306adf6b by François Cami at 2020-04-14T14:11:11+02:00
ipatests: increase test_webui_server timeout

test_webui_server tends to take more than 3600s to run.
Increase timeout to 7200s.

Fixes: https://pagure.io/freeipa/issue/8266
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
bdf11371 by Christian Heimes at 2020-04-15T18:48:50+02:00
Use /run and /run/lock instead of /var

Also add runstatedir autoconf var. IPA requires autoconf 2.59. The
variable will be available with autoconf 2.70.

Fixes: https://pagure.io/freeipa/issue/8272
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
3e8c5192 by Stasiek Michalski at 2020-04-15T18:50:45+02:00
Support for SUSE/openSUSE ipaplatform

Co-authored-by: Howard Guo <hguo at suse.com>
Co-authored-by: Daniel Molkentin <dmolkentin at suse.com>
Co-authored-by: Marcus Rückert <darix at nordisch.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7ac60a87 by Florence Blanc-Renaud at 2020-04-16T14:01:03+02:00
Man pages: fix syntax issues

Fix the syntax in ipa-cacert-manage.1 and default.conf.5

Fixes: https://pagure.io/freeipa/issue/8273
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
3a64ac08 by Michal Polovka at 2020-04-17T08:54:13-04:00
Test for healthcheck being run on replica with stopped master

Test checks whether healthcheck  reports only that master is stopped
with no other false positives when services on IPA master are stopped.

Related: https://bugzilla.redhat.com/show_bug.cgi?id=1727900

Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
2c54609d by Mohammad Rizwan Yusuf at 2020-04-20T08:44:00-04:00
ipatests: Test to check password leak in apache error log

Host enrollment with OTP used to log the password in cleartext
to apache error log. This test ensures that the password should
not be log in cleartext.

related: https://pagure.io/freeipa/issue/8017

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ffb1db56 by Stanislav Levin at 2020-04-21T13:24:50+02:00
ipatests: Bump required Pytest

Ipatests utilize the 'timeout' arg for 'testdir.run()', which is
available since Pytest 3.9.1 [0]

[0]: https://github.com/pytest-dev/pytest/issues/4073
Fixes: https://pagure.io/freeipa/issue/8101

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
d67846fa by Stanislav Levin at 2020-04-21T13:24:50+02:00
ipatests: Remove deprecated yield_fixture

'yield_fixture' is deprecated since Pytest3 [0].
FreeIPA requires at least 3.9.1. So, it can be safely removed.

[0]: https://docs.pytest.org/en/latest/yieldfixture.html

Fixes: https://pagure.io/freeipa/issue/8101
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
be6ac7d4 by Stanislav Levin at 2020-04-21T13:24:50+02:00
ipatests: Remove no longer needed 'get_marker'

'get_marker' was a compat shim for Pytest < 3.6.
Since the requred Pytest is 3.9.1+, the workaround can be
removed.

Fixes: https://pagure.io/freeipa/issue/8101
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
f6b088ef by Stanislav Levin at 2020-04-21T13:24:50+02:00
ipatests: Remove no longer needed 'capture' compatibility

Since the required Pytest is 3.9.1+, old Pytest compat code can
be removed.

Fixes: https://pagure.io/freeipa/issue/8101
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
18500a3d by Stanislav Levin at 2020-04-21T13:24:50+02:00
ipatests: Remove no longer needed 'skip' compatibility

Since the required Pytest is 3.9.1+ the compat 'pytest.skip'
for Pytest < 3 can be removed.

Fixes: https://pagure.io/freeipa/issue/8101
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
6d8d1670 by Stanislav Levin at 2020-04-21T13:24:50+02:00
ipatests: Specify Pytest XML report schema

Pytest 5.2+ warns if tests XML report is generated but its format (schema)
is not explicitly specified:
```
/root/.local/lib/python3/site-packages/_pytest/junitxml.py:417
  /root/.local/lib/python3/site-packages/_pytest/junitxml.py:417: PytestDeprecationWarning: The 'junit_family' default value will change to 'xunit2' in pytest 6.0.
  Add 'junit_family=xunit1' to your pytest.ini file to keep the current format in future versions of pytest and silence this warning.
    _issue_warning_captured(deprecated.JUNIT_XML_DEFAULT_FAMILY, config.hook, 2)
```

For example, xunit2 is used by jenkins and Pytest strictly conforms its
schema [0]. Pytest's xunit1, in turn, allows to attach user fields to
report.

The only known client of IPA tests results is Azure. Azure supports
[1] JUnit, which is likely the same as Pytest's xunit1, while Azure's
xUnit2 is actually xUnit.net v2. This means that Azure supports (in
one form or another) Pytest's both xunit1 and xunit2 as JUnit.

[0]: https://github.com/jenkinsci/xunit-plugin/blob/xunit-2.3.2/src/main/resources/org/jenkinsci/plugins/xunit/types/model/xsd/junit-10.xsd
[1]: https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/test/publish-test-results?view=azure-devops&tabs=yaml

Fixes: https://pagure.io/freeipa/issue/8101
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
97439570 by Stanislav Levin at 2020-04-21T13:24:50+02:00
ipatests: Specify shell implementation

The shell command line options and parameters used there are bash-
specific. This results in an error on attempting of running
'ipa-run-tests' on systems where '/bin/sh' is pointing to another
shell, for example, dash on Ubuntu.

Fixes: https://pagure.io/freeipa/issue/8101
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
51d15176 by François Cami at 2020-04-21T14:59:02+02:00
Makefile.am: add doclint to fastcheck

Add doclint to fastcheck so that documentation syntax issues
are caught sooner (before they hit CI).

Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
7558e141 by François Cami at 2020-04-21T14:59:02+02:00
doc/Makefile: use sphinx-build -W by default

Use -W with sphinx-build by default to turn warnings into errors.

Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
10aaef03 by Serhii Tsymbaliuk at 2020-04-21T19:03:23+02:00
Web UI: Upgrade Dojo version 1.13.0 -> 1.16.2

- upgrade dojo.js bundle
- fix prepare-dojo.sh
- update Dojo version in package.json (reference purpose only)

Ticket: https://pagure.io/freeipa/issue/8222

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
e881e357 by Christian Heimes at 2020-04-21T21:37:06+02:00
Fix various OpenDNSSEC 2.1 issues

Require OpenDNSSEC 2.1.6-5 with fix for RHBZ#1825812 (DAC override AVC)

Allow ipa-dnskeysyncd to connect to enforcer.sock (ipa_dnskey_t write
opendnssec_var_run_t and connectto opendnssec_t). The
opendnssec_stream_connect interface is available since 2016.

Change the owner of the ipa-ods-exporter socket to ODS_USER:ODS_GROUP.
The ipa-ods-exporter service already runs as ODS_USER.

Fixes: https://pagure.io/freeipa/issue/8283
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
1717b5b0 by Christian Heimes at 2020-04-22T09:47:14+02:00
Improve Sphinx building and linting

Run sphinx-builder with -W (fail on error), --keep-going, and -j auto.
Auto-job scaling speeds up sphinx-builder a LOT.

Add make lint target to doc/Makefile. The -E and -a option ensure that
all files are always re-read and rewritten.

Add option to run sphinx-builder from a virtual env that mimics RTD
builds closer than Fedora packages.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>

- - - - -
29fd9602 by sumenon at 2020-04-23T10:29:33-04:00
ipatests: Test for ipahealthcheck.ds.ruv check

This test ensures that RUVCheck for ipahealthcheck.ds.ruv
source displays correct result

Signed-off-by: sumenon <sumenon at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
a0494bc3 by Serhii Tsymbaliuk at 2020-04-24T09:17:59+02:00
Web UI: Upgrade jQuery version 2.0.3 -> 3.4.1

Ticket: https://pagure.io/freeipa/issue/8284

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b6476f59 by Christian Heimes at 2020-04-27T10:15:58+02:00
servrole: takes_params must be a tuple

The definition of servrole.takes_params was missing a comma.

Related: https://pagure.io/freeipa/issue/8290
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
bba41dc8 by Kaleemullah Siddiqui at 2020-04-27T09:09:10-04:00
Test for check of HostKeyAlgorithms option in ssh_config

Test checks that HostKeyAlgorithms is not present in
/etc/ssh/ssh_config after client install with option
-ssh-trust-dns.

https://pagure.io/freeipa/issue/8082

Signed-off-by: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
ba213aa4 by sumenon at 2020-04-27T09:18:56-04:00
ipatests: Test for ipahealthcheck tool for IPADomainCheck.

This testcase checks that when trust isn't setup
between IPA server and Windows AD, IPADomainCheck
displays key value as domain-check and result is SUCCESS

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
49f909c9 by Christian Heimes at 2020-04-27T14:59:07-04:00
Fix APIVersion.__getnewargs__

``__getnewargs__()`` must return a tuple.

Fixes ``E0312(invalid-getnewargs-returned), APIVersion.__getnewargs__]
 __getnewargs__ does not return a tuple)``.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
24cc13db by Christian Heimes at 2020-04-27T14:59:07-04:00
Fix exception escape warning

W1661(exception-escape), RPCClient.forward]
Using an exception object that was bound by an except handler)

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
bb24641e by Christian Heimes at 2020-04-28T11:28:29+02:00
Use api.env.container_sysaccounts

Refactor code to use api.env.container_sysaccounts instead of
('cn', 'sysaccounts'), ('cn', 'etc')

Related: https://pagure.io/freeipa/issue/8276
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ca6d6781 by Christian Heimes at 2020-04-28T11:28:29+02:00
Define default password policy for sysaccounts

cn=sysaccounts,cn=etc now has a default password policy to permit system
accounts with krbPrincipalAux object class. This allows system accounts
to have a keytab that does not expire.

The "Default System Accounts Password Policy" has a minimum password
length in case the password is directly modified with LDAP.

Fixes: https://pagure.io/freeipa/issue/8276
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7d657c6f by Timo Aaltonen at 2020-04-28T14:39:42+02:00
Debian: Use enable/disable_ldap_automount() from base

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
7ed5374c by Timo Aaltonen at 2020-04-28T14:39:42+02:00
Debian: Use parse_ipa_version from redhat.

Needs librpm8 installed.

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
158257c4 by Timo Aaltonen at 2020-04-28T14:39:42+02:00
ipatests/test_commands: Check sssd version like on test_sssd

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
2e85b480 by Timo Aaltonen at 2020-04-28T14:39:42+02:00
ipatests/test_installation: Use knownservices to map the service name.

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
4d2272f9 by François Cami at 2020-04-28T09:32:19-04:00
IPA-EPN: Add design draft

The design draft lists the user stories, implementation choices,
implementation details, limitations, and changes for the new
Expired Password Notifications (EPN) feature.

Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c2608cfe by Christian Heimes at 2020-04-28T15:33:57+02:00
Add skip_if_platform marker

Make it easier to skip tests based on platform ID and platform LIKE_ID.

Skip some tests that are not working on Debian-like platforms

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
43ac2d9a by Stanislav Levin at 2020-04-28T17:50:10+02:00
ipatests: Cleanup 'collect_logs' decorator

The last usage of 'collect_logs' decorator has been removed
in 1d70ce850e9. So, it could be safely removed.

Fixes: https://pagure.io/freeipa/issue/8265
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
5da309ee by Stanislav Levin at 2020-04-28T17:50:10+02:00
ipatests: Pretty print multihost config

The printing of string representation of multihost config is useless.
For example,
```
<ipatests.pytest_ipa.integration.config.Config object at 0x7fe017d9dc70>
```

The dictionary representation of such looks better:
```
[ipatests.pytest_ipa.integration] {'ad_admin_name': 'Administrator',
 'ad_admin_password': 'Secret123',
 'admin_name': 'admin',
 'admin_password': 'Secret123',
 'dirman_dn': 'cn=Directory Manager',
 'dirman_password': 'Secret123',
 'dns_forwarder': '8.8.8.8',
 'domain_level': 1,
 'domains': [{'hosts': [{'external_hostname': 'master1.ipa.test',
                         'ip': '172.19.0.2',
                         'name': 'master1.ipa.test',
                         'role': 'master'},
                        {'external_hostname': 'replica1.ipa.test',
                         'ip': '172.19.0.3',
                         'name': 'replica1.ipa.test',
                         'role': 'replica'},
...
```

Fixes: https://pagure.io/freeipa/issue/8265
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
63747bc0 by Stanislav Levin at 2020-04-28T17:50:10+02:00
ipatests: Collect all logs on all Unix hosts

Each integration test entity sets up its own list of logfiles.
This is made by calling the callback of host's 'collect_log',
which knows nothing about the context of execution: whether it's
the test class scope or the test method one. Of course, in this
case one-time collection of test method log is not supported
because the logs tracker collects only test class logs.
    In the meantime, almost all the entities (except 'client')
collect identical logs. Besides, due to the IPA roles
transformation an each IPA host can become master, replica or
client, all of these, in turn, can have subroles. So, the
most common case is the collection of all the possible logs from
all the IPA (Unix) hosts. However, the customization of a logfiles
collection is possible.
    The collection is performed with the help of 'integration_logs'
fixture. For example, to add a logfile to list of logs on a test
completion one should add the dependency on this fixture and call
its 'collect_method_log' method.
    ```
    class TestFoo(IntegrationTest):
        def test_foo(self):
            pass

        def test_bar(self, integration_logs):
            integration_logs.collect_method_log(self.master, '/logfile')
    ```
    Collected logs:
    1) 'test_foo' - default logs
    2) 'test_bar' - default logs + /logfile
    3) 'TestFoo' - default logs

Fixes: https://pagure.io/freeipa/issue/8265
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
87408ee7 by Stanislav Levin at 2020-04-28T17:50:10+02:00
Azure: Increase memory limit

Azure host has 6 GB of physical memory + 7 GB of swap.
FreeIPA CI runs at least 5 masters on each Azure's host.
Thus, swap is intensively used.

Based on the available *physical* memory 389-ds performs db tweaks
and in future may fail to start in case of memory shortage.

Current memory limit for Azure Docker containers(master/replica):
- Physical
$ cat /sys/fs/cgroup/memory/memory.limit_in_bytes
1610612736
- Physical + swap:
$ cat /sys/fs/cgroup/memory/memory.memsw.limit_in_bytes
3221225472

In the meantime, installation of master + ca + kra + dnssec requires:
$ cat /sys/fs/cgroup/memory/memory.max_usage_in_bytes
1856929792

Some test environments require more memory.
For example, 'ipatests.test_integration.test_commands.TestIPACommand':
$ cat /sys/fs/cgroup/memory/memory.memsw.max_usage_in_bytes
2232246272
$ cat /sys/fs/cgroup/memory/memory.max_usage_in_bytes
2232246272

Fixes: https://pagure.io/freeipa/issue/8264
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
e00dc40f by Christian Heimes at 2020-04-28T20:03:21+02:00
Create ipasphinx package for Sphinx plugins

Sphinx is extensible with plugins that can add new syntax, roles,
directives, domains, and more.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d34db063 by Christian Heimes at 2020-04-28T20:04:27+02:00
Fix /doc/workshop subtree merge

Something went wrong with git subtree merge of the external
freeipa-workshop repository. A couple of files accidently ended up
in / instead of /doc/workshop/.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b7415c3d by Christian Heimes at 2020-04-29T12:36:34+02:00
Require Sphinx >2.1

RTD comes with Sphinx 1.8 that is missing some APIs.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9941c9ee by Christian Heimes at 2020-04-30T09:41:41+02:00
Address issues found by new pylint 2.5.0

* fix multiple exception-escape
* fix function signatures of DsInstance start/stop/restart
* silence f-string-without-interpolation
* fix too-many-function-args in host plugin

Fixes: https://pagure.io/freeipa/issue/8297
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
40b8174c by Armando Neto at 2020-04-30T12:05:35+02:00
prci: update templates for new Fedora release

"previous" updated to Fedora 31
"latest" updated to Fedora 32
"rawhide" based on Fedora 33

389ds, testing and pki definitions updated to Fedora 32

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1632827c by François Cami at 2020-04-30T12:06:58+02:00
tox.ini: switch from W503 to W504

PEP8 recently changed from W503 to W504.
Line breaks should therefore come before operators.
See: https://www.python.org/dev/peps/pep-0008/#should-a-line-break-before-or-after-a-binary-operator

Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
f4892d42 by Serhii Tsymbaliuk at 2020-04-30T15:03:49+02:00
WebUI tests: cover membership management with UI tests

Test cases:
- admin can add member manager for user/host group
- admin can add member manager group to user/host group
- member manager can add user to group
- member manager can remove user from group
- member manager can add host to host group
- member manager can remove host from host group

Ticket: https://pagure.io/freeipa/issue/8298

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
35e1ebb2 by Miro Hrončok at 2020-05-04T08:12:58+02:00
Fix a syntax typo

This worked for now, but is SyntaxError in Python 3.9.0a6:

  File "/usr/lib/python3.9/site-packages/ipapython/cookie.py", line 222
    return'/'
         ^
SyntaxError: invalid string prefix

(The Python change might actually be reverted before 3.9 final,
but this can be fixed anyway.)

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
273ed153 by Viktor Ashirov at 2020-05-04T20:49:23+02:00
Update ACIs with the correct syntax

The value of the first character in target* keywords
is expected to be a double quote.

Fixes: https://pagure.io/freeipa/issue/8301

Signed-off-by: Viktor Ashirov <vashirov at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
86d76efc by Christian Heimes at 2020-05-05T10:42:46+02:00
Fix E266 too many leading '#' for block comment

Related: https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
96618073 by Christian Heimes at 2020-05-05T10:42:46+02:00
Fix E711 comparison to None

Related: https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
690b5519 by Christian Heimes at 2020-05-05T10:42:46+02:00
Fix E712 comparison to True / False

Related: https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
d0818e18 by Christian Heimes at 2020-05-05T10:42:46+02:00
Fix E713 test for membership should be 'not in'

Related: https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
8c9bba8e by Christian Heimes at 2020-05-05T10:42:46+02:00
Fix E714 test for object identity should be 'is not'

Related: https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
31fa527e by Christian Heimes at 2020-05-05T10:42:46+02:00
Fix E721 do not compare types, use 'isinstance()'

Related: https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
186d739d by Christian Heimes at 2020-05-05T10:42:46+02:00
Fix E722 do not use bare 'except'

Related: https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
c544d18f by Christian Heimes at 2020-05-05T10:42:46+02:00
Silence W601 .has_key() is deprecated

Related: https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
6386c0cb by Christian Heimes at 2020-05-05T10:42:46+02:00
Manually reformat ipapython/version.py.in

Add whitespaces around assignment operator and use consistent double
quotes.

https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
f6be6612 by Christian Heimes at 2020-05-05T10:42:46+02:00
Reconfigure pycodestyle

Disable some warnings that are not PEP-8 compatible.

Disable warnings E731 and E741. IPA code uses ``l`` as variable names
and assignment of lambda expressions a lot.

Ignore auto-generated remote plugins and build directories.

Related: https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
490682ac by Christian Heimes at 2020-05-05T11:47:16+02:00
Make ipaplatform a regular top-level package

ipaplatform was made a namespace package so that 3rd party OS
distributors can easily define their own distribution subpackage. Since
major distributions have contributed to FreeIPA project and no 3rd party
ipaplatform subpackage was uploaded to PyPI, it doesn't make much sense
to keep ipaplatform a namespace package.

The ipaplatform-*-nspkg.pth file for namespace package definition is
causing trouble with local testing on developer boxes.

Fixes: https://pagure.io/freeipa/issue/8309
See: https://pagure.io/freeipa/issue/6474
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
fefd1153 by Christian Heimes at 2020-05-05T11:48:04+02:00
Make check_required_principal() case-insensitive

service-del deletes services by DN and LDAP DNs are compared
case-insensitive. Make check_required_principal() compare the
service name case insensitive.

Fixes: https://pagure.io/freeipa/issue/8308
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
19ea1b97 by Christian Heimes at 2020-05-05T11:49:10+02:00
Simplify pki proxy conf

``pkispawn`` is being modified to use PKI CLI for installation.

Add ``/pki/rest`` to proxied routes and simplify location matching with
a prefix regular expression.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
edcfba60 by Florence Blanc-Renaud at 2020-05-05T11:50:01+02:00
ipa-advise: fallback to /usr/libexec/platform-python if python3 not found

when ipa-advise generates a script to configure a client for smart card
auth, the script calls python3 to configure SSSD. The issue happens
if the server (when ipa-advise is run) and the client do not have
the same path for python3 command.

By default, try to use python3 but if the command is not found, fallback
to /usr/libexec/platform-python (which is the python3 path on RHEL8).

Fixes: https://pagure.io/freeipa/issue/8311
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
0cadf40f by Mohammad Rizwan Yusuf at 2020-05-05T15:56:03+02:00
Display principal name while del required principal

Fix is to display the proper principal in error message
while attempting to delete required principal.

related: https://pagure.io/freeipa/issue/7695

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
340a50b7 by Mohammad Rizwan Yusuf at 2020-05-05T15:56:03+02:00
ipatests: Test deletion of required principal throws proper error

ipa service-del <Principal name> did not display proper principal
name which is being deleted in error message.
This test check if it throws error having proper principal name.

related: https://pagure.io/freeipa/issue/7695

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c5c52bfe by Christian Heimes at 2020-05-06T09:13:32+02:00
Fix make devcheck

A new test case was not picking up ``ipa-run-tests`` script.

Fixes: https://pagure.io/freeipa/issue/8307
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a009b9e0 by Alexander Bokovoy at 2020-05-06T09:14:29+02:00
Add pytest.skip_if_container()

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
b8a1d130 by Alexander Bokovoy at 2020-05-06T09:14:29+02:00
Azure Pipelines: Override services known to not work in containers

Chrony daemon tries to use adjtimex() which doesn't work in the
container we run in Docker environment on Azure Pipelines.

nis-domainname also tries to modify kernel-specific parameter that
doesn't really work in runc-based containers.

Use systemd container detection to avoid starting these services in the
containers.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
f66ef848 by Alexander Bokovoy at 2020-05-06T09:14:29+02:00
Azure Pipelines: switch to Fedora 32

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
4b83c2a9 by Mohammad Rizwan Yusuf at 2020-05-06T12:02:51+02:00
webui: check if notification area doesn't intercept menu button

Notification used to intercept the click on page for some element.
This test ensures that element is clickable.

related: https://pagure.io/freeipa/issue/8120

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
0c029205 by Mohammad Rizwan Yusuf at 2020-05-06T12:02:51+02:00
WebUI tests: fix PEP8 issues in test_webui/test_user.py

PEP8 fix for teat_webui/test_user.py. Errors involved:
- line > 79 character
- 2 blank line needed before class
- single space was needed between # and comment

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
cf642957 by Christian Heimes at 2020-05-06T20:17:01+02:00
Let GH auto-notify and auto-close stale PRs

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>

- - - - -
2bfe5ff6 by Christian Heimes at 2020-05-07T11:00:55-04:00
Use httpd 2.4 syntax for access control

The httpd options Allow, Deny, Order, and Satisfy are deprecated in
Apache httpd 2.4. These options are provided by the mod_access_compat
module and should no longer be used.

Replace "Allow from all" with "Require all granted".

Removal of "Satisfy Any" needs more investigation.

See: httpd.apache.org/docs/2.4/upgrading.html
See: httpd.apache.org/docs/2.4/mod/mod_access_compat.html
Fixes: pagure.io/freeipa/issue/8305
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
1b923361 by Alexander Bokovoy at 2020-05-08T09:37:37+03:00
kdb: initialize flags in ipadb_delete_principal()

Related: https://pagure.io/freeipa/issue/8291

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>

- - - - -
999af8e2 by Alexander Bokovoy at 2020-05-08T09:37:37+03:00
kdb: fix memory handling in ipadb_find_principal

BER structure representing a string might not have termination '\0'
character, thus we should use length-bound functions to operate on it.

Memory handling of LDAP values was leaving previous vals over iteration.
Also, when freeing vals, we need to explicitly set it to NULL.

Fixes: https://pagure.io/freeipa/issue/8291

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Simo Sorce <ssorce at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>

- - - - -
6fc213d1 by Alexander Bokovoy at 2020-05-08T09:37:37+03:00
test_smb: test that we can auth as NetBIOS alias

cifs/... principal on SMB server side has NetBIOS name of the SMB server
as its alias. Test that we can actually initialize credentials using
this alias. We don't need to use it anywhere in Samba, just verify that
alias works.

Related: https://pagure.io/freeipa/issue/8291
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>

- - - - -
aa341020 by Christian Heimes at 2020-05-11T14:36:39+02:00
Disable password schema update on LDAP bind

389-DS 1.4.1+ attempts to update passwords to new schema on LDAP bind. IPA
blocks hashed password updates and requires password changes to go through
proper APIs. This option disables password hashing schema updates on bind..

See: https://pagure.io/freeipa/issue/8315
See: https://bugzilla.redhat.com/show_bug.cgi?id=1833266
See: https://pagure.io/389-ds-base/issue/49421
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d986e844 by Alexander Bokovoy at 2020-05-12T09:50:28+02:00
WebUI: use python3-rjsmin to minify JavaScript files

Fedora 33+ deprecated uglify-js. There are other alternatives which seem
to be fine for the minify task. Use python-rjsmin instead.

Fixes: https://pagure.io/freeipa/issue/8300
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
958e2458 by Stanislav Levin at 2020-05-12T09:51:50+02:00
Azure: Add custom seccomp profile

This allows to override the default seccomp profile.
Custom profile was generated from the default one [0] by adding one
allowed system call 'clock_adjtime'. This one is indirectly used by
chronyd with recent glibc2.31.

[0]: https://github.com/containers/libpod/blob/master/seccomp.json

Fixes: https://pagure.io/freeipa/issue/8316
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
8882fc49 by Stanislav Levin at 2020-05-12T09:51:50+02:00
Azure: Allow chronyd to sync time

Though time namespace support was added in Linux kernel 5.6, it
is not landed on Azure VM (Ubuntu) yet.

The syncing time stuff is required by IPA NTP tests. it's
acceptable for testing 1 IPA environment on 1 Azure VM for such
tests.

Fixes: https://pagure.io/freeipa/issue/8316
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b6fbee53 by Stanislav Levin at 2020-05-13T11:04:45+02:00
Azure: Always update apt cache

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
555f8a03 by sumenon at 2020-05-14T09:05:03+02:00
ipatests: Added testcase to check that ipa-adtrust-install command runs successfully with locale set as LANG=en_IN.UTF-8

Issue: https://pagure.io/freeipa/issue/8066
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
82ba4db1 by Christian Heimes at 2020-05-14T17:55:59+02:00
Make api.env.mode consistent

* use "developer" in Azure
* fix man page: "development" to "developer"
* list known modes in API bootstrap methods

Other values for mode are still supported to avoid breaking existing
installations.

Fixes: https://pagure.io/freeipa/issue/8313
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
13c3997b by Christian Heimes at 2020-05-14T18:16:20+02:00
Fix detection logic for api.env.in_tree

The logic to detect in-tree builds was broken and ipatests/conftest.py
had hard-coded in_tree=True.

IPA now considers an environment as in-tree when the parent directory of
the ``ipalib`` package contains ``ipasetup.py.in``. This file is only
present in source and never installed.

API bootstrap() does not use ```self.site_packages in site.getsitepackages()``
because the function call can be expensive and would require path
normalization, too. The function is also missing from venv site module.

Fixes: https://pagure.io/freeipa/issue/8312
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
0fa31ef1 by Christian Heimes at 2020-05-14T18:16:20+02:00
Hard-code in_tree=True for tests

Some integration tests use internal option ``force``. Re-add
``in_tree=True`` to make the tests pass until Pagure#8317 is fixed.

See: https://pagure.io/freeipa/issue/8317
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
1f82d281 by Alexander Bokovoy at 2020-05-14T21:47:17+03:00
service delegation: allow to add and remove host principals

Service delegation rules and targets deal with Kerberos principals.
As FreeIPA has separate service objects for hosts and Kerberos services,
it is not possible to specify host principal in the service delegation
rule or a target because the code assumes it always operates on Kerberos
service objects.

Simplify the code to add and remove members from delegation rules and
targets. New code looks up a name of the principal in cn=accounts,$BASEDN
as a krbPrincipalName attribute of an object with krbPrincipalAux object
class. This search path is optimized already for Kerberos KDC driver.

To support host principals, the specified principal name is checked to
have only one component (a host name). Service principals have more than
one component, typically service name and a host name, separated by '/'
sign. If the principal name has only one component, the name is
prepended with 'host/' to be able to find a host principal.

The logic described above allows to capture also aliases of both
Kerberos service and host principals. Additional check was added to
allow specifying single-component aliases ending with '$' sign. These
are typically used for Active Directory-related services like databases
or file services.

RN: service delegation rules and targets now allow to specify hosts as
RN: a rule or a target's member principal.

Fixes: https://pagure.io/freeipa/issue/8289
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
8de73c15 by Christian Heimes at 2020-05-15T14:24:00+02:00
Check for freeipa-server-dns package early

The ``--setup-dns`` knob and interactive installer now check for
presence of freeipa-server-dns early and stop the installer with an
error.

```
$ ipa-server-install
...
Do you want to configure integrated DNS (BIND)? [no]: yes
Integrated DNS requires 'freeipa-server-dns' package
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
```

```
$ ipa-server-install --setup-dns
Usage: ipa-server-install [options]

ipa-server-install: error: option setup-dns: Integrated DNS requires 'freeipa-server-dns' package
The ipa-server-install command failed.
```

Fixes: https://pagure.io/freeipa/issue/7577
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
33ca0745 by Serhii Tsymbaliuk at 2020-05-15T18:03:01+02:00
WebUI: Add confirmation dialog for changing default user/host group

Changing default group on automember rules page is too easy.
Add a confirmation dialog to avoid misclick in the case.

Ticket: https://pagure.io/freeipa/issue/8322

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
3645854c by Serhii Tsymbaliuk at 2020-05-15T18:03:01+02:00
WebUI tests: Add confirmation step after changing default group in automember tests

Ticket: https://pagure.io/freeipa/issue/8322

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
f3e11715 by Christian Heimes at 2020-05-18T14:45:31+02:00
Explain the effect of OPT_X_TLS_PROTOCOL_MIN

OpenLDAP 2.4 sets minimum version with SSL_CTX_set_options(). The
system-wide crypto-policies for TLS minimum version are applied
with SSL_CTX_set_min_proto_version(). The set_option() call cannot
not enable lower versions than allowed by crypto-policy, e.g.
openssl.cnf MinProtocol=TLS1.2 + OPT_X_TLS_PROTOCOL_MIN=TLS1.0
result in TLS 1.2 as minimum protocol version.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
47bddf4f by Sumedh Sidhaye at 2020-05-19T15:11:54+02:00
Test for removing a subgroup

Problem description:
Removing an IPA sub-group should NOT remove the members
from indirect parent that also belong to other subgroups

The test:
A user and three groups are created groupa,groupb,groupc
'groupc' should be a child of 'groupb' so that you have groupa->groupb->groupc

user is direct member of 'groupa' and as a result member of 'groupb'
and 'groupc'. Now when one adds a direct membership to 'groupb' nothing will
change.

If one removes the direct membership to 'groupb' again,
nothing should change as well

Pagure Link: https://pagure.io/SSSD/sssd/issue/3636

Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
32c6b02e by Alexander Bokovoy at 2020-05-19T11:58:56-04:00
baseldap: de-duplicate passed attributes when checking for limits

LDAP attribute options aren't enforced in the schema, thus we strip them
when checking attribute conformance with the schema. This, however, can
leave us with a situation when multiple base LDAP attribute names are
present in the list of attribute names to check.

Use set of attribute names to deduplicate the list.

Fixes: https://pagure.io/freeipa/issue/8328

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
3dd5053c by Florence Blanc-Renaud at 2020-05-20T09:23:11+02:00
ipatests: Check if user with 'User Administrator' role can delete group.

Test scenario:
- create a test user with the 'User Administrator' role
- as this test user, create a new group
- as this test user, delete the new group

Related: https://pagure.io/freeipa/issue/6884

Co-authored-by: Nikhil Dehadrai <ndehadra at redhat.com>
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
26f96595 by Stanislav Levin at 2020-05-22T21:12:03+03:00
Azure: Make dnf repos consistent

Build container(image registry.fedoraproject.org/f32/fedora-toolbox)
has two more dnf repos enabled compared to Tests container(image
fedora:32). This results in the packages built within the Build
container can have dependencies which are unresolvable(missing)
within Tests container.

This enables updates-testing and updates-testing-modular,
disables fedora-cisco-openh264 for Tests container.

Fixes: https://pagure.io/freeipa/issue/8330
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7bef36de by Serhii Tsymbaliuk at 2020-05-26T13:33:57+02:00
WebUI: Add authentication indicator specific fields to "Kerberos Ticket Policy" page

Ticket: https://pagure.io/freeipa/issue/8207

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
e668b61f by Serhii Tsymbaliuk at 2020-05-26T13:33:57+02:00
WebUI tests: Test all available fields on "Kerberos Ticket Policy" page

Ticket: https://pagure.io/freeipa/issue/8207

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
0317255b by Alexander Bokovoy at 2020-05-27T17:57:39+03:00
ipa-kdb: add UPN_DNS_INFO PAC structure

UPN_DNS_INFO structure contains the client's user principal name (UPN)
and a fully qualified domain name. It is used to provide the UPN and the
FQDN that corresponds to the client of the ticket.

The structure is defined in MS-PAC section 2.10. MS-KILE specification
says in the section 3.3.5.6.4.5 that KDCs should return this buffer. It
further clarifies in section 3.3.5.2 that if the user account object has no
userPrincipalName attribute, UPN_DNS_INFO should be constructed by
concatenating user name, the "@" symbol, and the DNS name of the domain.

IPA users don't really have userPrincipalName attribute. Instead, we
always construct their account names in LOGON Info3 structure by
unparsing the canonical principal name without realm, meaning that user
principal can be recovered by concatenating the account name and the
realm (domain).

Unless the account name and unparsed client principal name are different
or the primary Info3 gid (group RID) is the one for machine accounts,
mark the UPN as constructed.

Related: https://pagure.io/freeipa/issue/8319

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
23a49538 by Alexander Bokovoy at 2020-05-27T17:57:39+03:00
ipa-print-pac: acquire and print PAC record for a user

Helper utility to investigate PAC content of users in trusted
environments. Supports direct ticket acquisition and S4U2Self protocol
transition.

1. Direct ticket acquisition

In direct ticket acquisition mode the utility first does one of the
following actions:
 - obtain a TGT ticket for a user principal using supplied password
 - import existing TGT from a default credentials cache

Once a user TGT is available, the utility will attempt to acquire a service
ticket to a service which key is specified in a keytab (default or
passed with --keytab option) and simulate establishing context to the
service application.

If establishing context succeeds, MS-PAC content of the service ticket
will be printed out.

2. S4U2Self protocol transition

In protocol transition case a service application obtains own TGT using
a key from the keytab and then requests a service ticket to itself in
the name of the user principal, performing S4U2Self request.

If accepting this service ticket succeeds, MS-PAC content of the service
ticket will be printed out.

If KDC does not support or rejects issuing MS-PAC record for a user, an
error message 'KDC has no support for padata type' will be printed.

Related: https://pagure.io/freeipa/issue/8319

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Signed-off-by: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
0f881ca0 by Alexander Bokovoy at 2020-05-27T17:57:39+03:00
ipa-tests: add a test to make sure MS-PAC is produced by KDC

When ipa-adtrust-install is used, IPA KDC will be configured to issue
tickets with MS-PAC record in them for users and services that have
ipaNTSecurityIdentifier (SID) attribute in the LDAP record.

Test that a newly added user can kinit and obtain a ticket that has
a PAC structure.

Test that a service can impersonate a user and the resulting S4U2Self
requested service ticket also has PAC structure.

Related: https://pagure.io/freeipa/issue/8319

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
44a255d4 by Alexander Bokovoy at 2020-05-27T17:57:39+03:00
kdb: add minimal server referrals support for enterprise principals

Implement minimal server referrals support for enterprise principals as
defined in RFC 6806.

Use krb5_pac_verify_ext() and krb5_pac_sign_ext() to support cross-realm
S4U extensions. We have to verify/sign PAC and take the realm into
account for S4U in these cases.

The use of extended functions require krb5 1.17+.

For PAC verification, we have to filter existing PAC CLIENT-INFO
structure in cross-realm S4U case because otherwise old CLIENT-INFO
would change the PAC principal due to adding or ommiting the realm in
transition.  Since a new PAC CLIENT-INFO will be provided by
k5_insert_client_info() anyway, we can filter it in all cases.

Generate PAC only for the first S4U2Self request to the client realm
(client != NULL). Otherwise, use the PAC from the cross-realm ticket.
The latter PAC belongs to the impersonated user.

Foreign (inner) principal look up in non-AS request returns
KRB5_KDB_NOENTRY.

Finally, in PAC signing we have to take the realm into account as well
for S4U2Self cross-realm operation. This does not work when compiling
against krb5 1.17 at the moment because sign_authdata() callback does
not know whether we are dealing with an issuing referral or not. In 1.18
a KDC will set a special client flag to signify this when asking KDB
driver to sign a PAC record.

Fixes: https://pagure.io/freeipa/issue/8319

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Signed-off-by: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
015ae275 by Alexander Bokovoy at 2020-05-27T17:57:39+03:00
ipa-kdb: add asserted identity SIDs

Depending on whether identity of a principal was asserted by the KDC or
by a service doing protocol transition (S4U2Self), AD DCs add a
special extra SID to a PAC record:

 - S-1-18-1 is a SID for an Authentication Authority Asserted Identity
 - S-1-18-2 is a SID for a Service Asserted Identity

This behavior is governed by [MS-SFU] 3.2.5.1.2 "KDC replies with Service
Ticket".

In order to add an asserted identity SID, we need to pass down the
client flags as set by the KDC and check for a protocol transition bit.

Fixes: https://pagure.io/freeipa/issue/8319
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
3e20a96c by Alexander Bokovoy at 2020-05-27T17:57:39+03:00
ipa-kdb: Always allow services to get PAC if needed

Previously, FreeIPA only allowed to issue PAC record in a ticket
for the following principal types:
   - for IPA users
   - for a host principal of one of IPA masters
   - for a cifs/ or HTTP/ service on one of IPA masters

To allow S4U2Self operations over trust to AD, an impersonating service
must have PAC record in its TGT to be able to ask AD DCs for a S4U2Self
ticket. It means any IPA service performing S4U2Self would need to have
PAC record and the constraints above prevent it from doing so.

However, depending on whether the service or host principal belongs to
one of IPA masters, we need to set proper primary RID to 516 (domain
controllers) or 515 (domain computers).

Fixes: https://pagure.io/freeipa/issue/8319

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
3611fc50 by Alexander Bokovoy at 2020-05-27T17:57:39+03:00
ipa-kdb: add primary group to list of groups in MS-PAC

Somehow, we weren't adding primary group of the user to the list of
groups in the PAC Logon Info structure.

Related: https://pagure.io/freeipa/issue/8319

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
ef59cb84 by Alexander Bokovoy at 2020-05-27T17:57:39+03:00
ipa-kdb: cache local TGS in the driver context

For Kerberos principal lookup we always need to check whether principal
is from our realm. Keep the reference to our realm TGS handy to avoid
memory allocations on every lookup.

Related: https://pagure.io/freeipa/issue/8319

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
b5876f30 by Alexander Bokovoy at 2020-05-27T17:57:39+03:00
ipa-kdb: refactor principal lookup to support S4U2Self correctly

Restructure logic of ipadb_get_principal() to separate retrieval of a
principal by a name and by an alias. Separate enterprise principal name
type processing into a helper function to be able to reuse it for own
aliases.

Unify code in client referrals part to do the same and use krb5 API to
deal with principals rather than parsing strings. The end result is the
same but we follow common rules in MIT Kerberos to process principals.

An enterprise principal is typically "name at SOMEREALM@REALM", but any
principal might be parsed as enterprise principal, so we could get
"name at REALM" marked as such. When unparsing the enterprise principal,
re-parse it again with default realm values, to get our realm
normalization.

This behavior would fix situations when GSSAPI calls are operating on a
non-qualified principal name that was imported as a
GSS_KRB5_NT_ENTERPRISE_NAME when calling gss_import_name().

Related: https://pagure.io/freeipa/issue/8319

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Signed-off-by: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
52da0d6a by Alexander Bokovoy at 2020-05-27T17:57:39+03:00
test_smb: test S4U2Self operation by IPA service

Kerberos service might request a ticket to itself on behalf of a user
to perform protocol transition, so-called S4U2Self extension defined
in [MS-SFU] specification. Processing of this request by KDC differs for
in-realm and cross-realm configurations.

Use SMB service to test S4U2Self performed against AD and IPA users.

Fixes: https://pagure.io/freeipa/issue/8319
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
4ff972c2 by Alexander Bokovoy at 2020-05-27T17:57:39+03:00
azure: do not run test_commands due to failures in low memory cases

389-ds memory autotuning doesn't really work well in containerized
environment as it only looks into host-wide /proc/meminfo. It gets
fooled by 'missing' memory while there is still enough swap space..

This is in particular affects test_commands test suite where
ipa-adtrust-install cannot fully proceed and fails. We plan to rebalance
test containers' memory split but right now just disable test_commands
in Azure CI.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Isaac Boukris <iboukris at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
bc9f3e05 by Serhii Tsymbaliuk at 2020-05-28T13:20:52+02:00
WebUI: Apply jQuery patch to fix htmlPrefilter issue

Manually backport corresponding changes from jQuery 3.5.0:
https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77

A complete upgrade to jQuery 3.5 is impossible at the moment due incompatibility
with Bootstrap 3.4.1 which we currently use.

Ticket: https://pagure.io/freeipa/issue/8325

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
16061744 by Peter Keresztes Schmidt at 2020-06-02T09:39:42+02:00
Remove remains of unused config options

Options removed:
 * ca_ee_port
 * ca_agent_install_port
 * ca_ee_install_port

Closes: https://pagure.io/freeipa/issue/6708
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
6a7fa03f by sumenon at 2020-06-02T09:53:11-04:00
ipatests: Test for ipahealthcheck DogtagCertsConnectivityCheck

This test checks that when pki-tomcat service is stopped,
DogtagCertsConnectivityCheck displays the result as ERROR

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
ddd061c0 by sumenon at 2020-06-03T09:21:00+02:00
ipatests: Test for ipahealthcheck.ipa.files for TomcatFilecheck

This test checks that healthcheck tools reports correct information
when permissions of Tomcat config file are modified.

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
ad8e0af0 by Christian Heimes at 2020-06-03T09:25:12+02:00
Allow dnsrecord-add --force on clients

See: https://pagure.io/freeipa/issue/8317
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
7de1a93c by Peter Keresztes Schmidt at 2020-06-03T09:27:48+02:00
WebUI: Fix invalid RPC calls when link widget has no pkey passed

Fixes: https://pagure.io/freeipa/issue/8338
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
517c7ab2 by Peter Keresztes Schmidt at 2020-06-03T09:30:27+02:00
WebUI: Use data adapter to load facet header data

Fixes: https://pagure.io/freeipa/issue/8339
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
c1c6ee7d by Christian Heimes at 2020-06-04T14:29:59+02:00
Add ipa-print-pac to gitignore

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0d0dc73a by sumenon at 2020-06-04T09:01:07-04:00
ipatests: Test to check warning state for TomcatFileCheck in ipahealthcheck.ipa.files

This testcase changes the ownership of the tomcat config files
on an IPA Master and then checks if healthcheck tools
reports the status as WARNING

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
f5964b71 by Christian Heimes at 2020-06-05T09:23:57+02:00
Remove obsolete BIND named.conf options

``dnssec-enable`` is obsolete in 9.16 and raises a warning. The option
defaults to ``yes`` in all supported versions of bind. The option is
removed when set to ``yes`` and a warning is emitted when the value is
``no``.

DNSSEC lookaside validation has been deprecated by RFC 8749 and the
feature removed from Bind 9.16. The only available lookaside provider
dlv.isc.org no longer provides DLV information since 2017.

Fixes: https://pagure.io/freeipa/issue/8349
Fixes: https://pagure.io/freeipa/issue/8350
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d20cda21 by Christian Heimes at 2020-06-05T09:34:46+02:00
make: serialize strip-po / strip-pot

The strip-po target modifies files in place. This sometimes creates
conflicts with other make targets when make is run in parallel mode.

* split strip-po into strip-po and strip-pot
* move strip-po[t] from dependency to explicit, serial execution
* declare dependencies on POT/POFILES
* don't run strip on clean

Fixes: https://pagure.io/freeipa/issue/8323
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
4d2cd3a2 by Peter Keresztes Schmidt at 2020-06-07T10:08:19+03:00
WebUI: Refresh DNS record data correctly after mod operation

Fixes: https://pagure.io/freeipa/issue/8359
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
187968d4 by Peter Keresztes Schmidt at 2020-06-07T10:09:35+03:00
WebUI: Expose TTL of DNS records

Fixes: https://pagure.io/freeipa/issue/3827
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
5f239aeb by Peter Keresztes Schmidt at 2020-06-07T10:10:48+03:00
WebUI: Add units to some DNS zone and IPA config fields

Add also tooltips to ipasearchrecordslimit and ipasearchtimelimit
to clarify the special value 0/-1.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
373f8cdc by Peter Keresztes Schmidt at 2020-06-07T10:14:05+03:00
Specify min and max values for TTL of a DNS record

Fixes: https://pagure.io/freeipa/issue/8358
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9dda004f by Christian Heimes at 2020-06-07T10:18:03+03:00
Allow permissions with 'self' bindruletype

Make it possible to create a managed permission with
ipapermbindruletype="self". The ACI will have bind rule
'(userdn = "ldap:///self")'.

Example
-------

Allow users to modify their own fasTimezone and fasIRCNick attributes:

```
managed_permissions = {
    "System: Self-Modify FAS user attributes": {
        "ipapermright": {"write"},
        "ipapermtargetfilter": ["(objectclass=fasuser)"],
        "ipapermbindruletype": "self",
        "ipapermdefaultattr": ["fasTimezone", "fasIRCNick"],
    }
}
```

See: https://github.com/fedora-infra/freeipa-fas/pull/107
Fixes: https://pagure.io/freeipa/issue/8348
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
e6603648 by Peter Keresztes Schmidt at 2020-06-07T10:19:47+03:00
Use ipaldap exceptions rather than ldap error codes in LDAP updater

The code in ipaldap got changed with df4ed77 but ldapupdate was never updated.

Closes: https://pagure.io/freeipa/issue/7610
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0f232a30 by Peter Keresztes Schmidt at 2020-06-07T10:21:01+03:00
Remove unused support for dm_password arg from ldapupdate.connect

Related: https://pagure.io/freeipa/issue/7610
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
894b3f1d by Peter Keresztes Schmidt at 2020-06-07T10:29:00+03:00
po: remove zanata config since translation was moved to weblate

Related: https://pagure.io/freeipa/issue/8159
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d79a7a96 by Christian Heimes at 2020-06-07T10:33:15+03:00
Handle DatabaseError in RPC-Server connect()

DatabaseError exceptions with 'account inactivated' message are turned
into 401 Unauthorized errors. The problem occurs when a user is disabled
but has a valid cookie.

Other DatabaseErrors are turned into 503 Service Unavailable. They
usually occur when LDAP server is not available or broken.

Fixes: https://pagure.io/freeipa/issue/8352
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f2d85488 by Peter Keresztes Schmidt at 2020-06-08T12:54:19+03:00
util: add unit test for pw hashing

Related: https://pagure.io/freeipa/issue/6857
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
68af4f39 by Peter Keresztes Schmidt at 2020-06-08T12:54:19+03:00
util: replace NSS usage with OpenSSL

Fixes: https://pagure.io/freeipa/issue/6857
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
88d1dcc5 by Peter Keresztes Schmidt at 2020-06-08T14:23:56+02:00
lite-server: Fix werkzeug deprecation warnings

Fixes: https://pagure.io/freeipa/issue/8360
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
a5cbdb57 by Peter Keresztes Schmidt at 2020-06-08T15:53:40+03:00
Split named custom config to allow changes in options stanza

Upgrade path to add additional include to named.conf is not handled.

Remove bindkeys-file directive from named config
The ISC DVL service was shut down (https://www.isc.org/bind-keys/).
BIND versions since April 2017 (i.e. 9.9.10, 9.10.5, 9.11.1 and later)
include a hard-coded copy of the root KSK which gets updates automatically
according to RFC 5011.

Move dnssec-enable directive to custom named config

Move comment named config being managed by FreeIPA to the top

Move settings which could be changed by administrators to
ipa-options-ext.conf. Settings defined there are sole responsibility of the
administrator. We do not check if they might collide with our settings in
named.conf.

Fixes: https://pagure.io/freeipa/issue/8287
Co-authored-by: Peter Keresztes Schmidt <carbenium at outlook.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
6e5d40e2 by Christian Heimes at 2020-06-08T15:53:40+03:00
Include named config files in backup

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e071933e by Sergio Oliveira Campos at 2020-06-08T10:34:18-03:00
Add test for sssd ad trust lookup with dn in certmaprule

Related to https://pagure.io/SSSD/sssd/issue/3721

Signed-off-by: Sergio Oliveira Campos <seocam at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>

- - - - -
b9a60274 by Alexander Bokovoy at 2020-06-08T18:06:16+02:00
ipa-pwd-extop: use timegm() instead of mktime() to preserve timezone offset

"Kerberos principal expiration" is set in UTC and when server is in
different timezone, the time difference between timezone is respected by
the IPA server/client for Kerberos authentication.

The problem is due to mktime() assuming default time zone but since we
parse the time using Zulu (UTC+0) timezone, mktime() forces current time
zone offset added.

The method is using mktime() and comparing to the current time obtained
with time(NULL). According to its man page, mktime is considering the
time as local time:

   The mktime() function converts a broken-down time structure,  expressed
   as  local  time, to calendar time representation.

Instead mktime() we should use timegm(). The problem is that it is
non-standard GNU extension and it is recommended (in the man page for
timegm(3)) to avoid its use. An alternative is to set TZ=UTC, call
mktime(), unset TZ, but since we are running in a multi-threaded
environment this is problematic.

On the other hand, we already rely on GNU extensions and enable them
with -D_DEFAULT_SOURCE=1, so use of timegm() is enabled already.

The fix, therefore, is to use timegm() instead of mktime() in
daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c in two places where we
first do 'strptime()' with Zulu time zone (in ipapwd_pre_bind() and
ipapwd_write_krb_keys()).

Fixes: https://pagure.io/freeipa/issue/8362

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Simo Sorce <simo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
676774d3 by Alexander Bokovoy at 2020-06-08T12:39:34-04:00
kdb: handle enterprise principal lookup in AS_REQ

Refactoring of the get_principal() code in commit
b5876f30d4000424cc8122498c411f812b3a0959 broke handling of enterprise
principal lookup for AS request (kinit -E user at ipa.test@IPA.TEST).

Related: https://pagure.io/freeipa/issue/8319

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
28389fe8 by Alexander Bokovoy at 2020-06-08T12:39:34-04:00
Add design page for managing IPA resources as a user from a trusted Active Directory forest

Fixes: https://pagure.io/freeipa/issue/8357
Fixes: https://pagure.io/freeipa/issue/7816

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ecc0a96d by Alexander Bokovoy at 2020-06-08T12:39:34-04:00
support using trust-related operations in the server console

When using `ipa -e in_server=True console` on IPA master, the whole IPA
framework is loaded in the same process ('ipa console'). The context
defined for this configuration is 'cli'. Some trust-related operations
need to load Samba bindings and guard itself to 'lite' and 'server'
contexts.

Upon reviewing these cases I came to conclusion that these guards are
unnecessary. It is enough to require that the context is in the server
code.

Allow these operations if we are operating in server mode. This allows
to debug trust-related issued directly in the IPA console on IPA trust
controllers.

Signed-of-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
973e0c04 by Alexander Bokovoy at 2020-06-08T12:39:34-04:00
idviews: handle unqualified ID override lookups from Web UI

First part of the required changes to merge a plugin to manage IPA as
a trusted Active Directory user.

It is not possible to omit ID view in IPA API but a client might specify
empty ID view. Up right now the empty view was considered an error. This
prevented Web UI from resolving ID overrides in a group member adder
dialog.

Default to 'Default Trust View' if the ID view is None or empty string
(''). Do this only for user ID overrides, as we do not support adding
group ID overrides as group members in a plugin to manage IPA as a
trusted Active Directory user[1].

Being a group member means an object in LDAP must have an object class
that allows 'memberOf' attribute because 389-ds 'memberof' plugin will
attempt to link back to the object from the group. Allow use of
'nsMemberOf' object class in ID overrides.

Fixes: https://pagure.io/freeipa/issue/7255

[1] https://github.com/abbra/freeipa-adusers-admins

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
bee42040 by Alexander Bokovoy at 2020-06-08T12:39:34-04:00
Support adding user ID overrides as group and role members

Second part of adding support to manage IPA as a user from a trusted
Active Directory forest.

Treat user ID overrides as members of groups and roles.

For example, adding an Active Directory user ID override as a member of
'admins' group would make it equivalent to built-in FreeIPA 'admin'
user.

We already support self-service operations by Active Directory users if
their user ID override does exist. When Active Directory user
authenticates with GSSAPI against the FreeIPA LDAP server, its Kerberos
principal is automatically mapped to the user's ID override in the
Default Trust View. LDAP server's access control plugin uses membership
information of the corresponding LDAP entry to decide how access can be
allowed.

With the change, users from trusted Active Directory forests can
manage FreeIPA resources if the groups are part of appropriate roles or
their ID overrides are members of the roles themselves.

Fixes: https://pagure.io/freeipa/issue/7255

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
306304bb by Alexander Bokovoy at 2020-06-08T12:39:34-04:00
tests: account for ID overrides as members of groups and roles

Fixes: https://pagure.io/freeipa/issue/7255

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
0ba64b1a by Alexander Bokovoy at 2020-06-08T12:39:34-04:00
Web UI: allow users from trusted Active Directory forest manage IPA

Extend Web UI logic to decide whether default Web UI view should have a
full menu or should be confined to a self-service interface. Standard
logic in FreeIPA Web UI is to combine two facts:

 * for IPA users membership in `admins` group is used to indicate full
   menu should be shown

 * for AD users the fact that ID override object is presented by IPA
   `whoami` command is used to confine to a self-service interface

With the change to allow user ID overrides from a default trust view to
be members of groups and roles, we can unify the administrative
privileges checks for both IPA and AD users.

Fixed: https://pagure.io/freeipa/issue/8335
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
9248d23a by Alexander Bokovoy at 2020-06-08T12:39:34-04:00
ipatests: test that adding Active Directory user to a role makes it an administrator

Fixes: https://pagure.io/freeipa/issue/8357

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
be47ec97 by Christian Heimes at 2020-06-08T20:04:18+03:00
libotp: Replace NSS with OpenSSL HMAC

Use OpenSSL's HMAC API instead of NSS.

Fixes: Fixes: https://pagure.io/freeipa/issue/6857
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e7319f62 by François Cami at 2020-06-08T22:36:49+03:00
tasks.py: add krb5_trace to create_active_user and kinit_as_user

The test test_adtrust_install.py::TestIpaAdTrustInstall::test_add_agent_not_allowed
sometimes fails when resetting a user's password using kinit in create_active_user.
Add krb5_trace (default: False) to create_active_user and kinit_as_user.

Related-to: https://pagure.io/freeipa/issue/8353
Related-to: https://pagure.io/freeipa/issue/8271
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>

- - - - -
8f8c560f by François Cami at 2020-06-08T22:36:49+03:00
ipatests: add KRB5_TRACE to kinit in test_adtrust_install.py

The test test_adtrust_install.py::TestIpaAdTrustInstall::test_add_agent_not_allowed
sometimes fails at kinit in create_active_user:
```
kinit: Password has expired while getting initial credentials
```
Use krb5_trace to catch the required debug information.

Related-to: https://pagure.io/freeipa/issue/8353
Related-to: https://pagure.io/freeipa/issue/8271
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>

- - - - -
b8886c3e by François Cami at 2020-06-09T08:43:45+02:00
IPA-EPN: First version.

EPN stands for Expiring Password Notification. It is a standalone
tool designed to build a list of users whose password would expire
in the near future, and either display the list in a machine-readable
format, or send email notifications to these users.

EPN provides command-line options to display the list of affected users.
This provides data introspection and helps understand how many emails
would be sent for a given day, or a given date range.
The command-line options can also be used by a monitoring system to alert
whenever a number of emails over the SMTP quota would be sent.

EPN is meant to be launched once a day from an IPA client (preferred)
or replica from a systemd timer.

EPN does not keep state. The list of affected users is built at runtime
but never kept.

TLS/STARTTLS SMTP code is untested and unlikely to work as-is.

Parts of code contributed by Rob Crittenden.
Ideas and feedback contributed by Christian Heimes and Michal Polovka.

Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: François Cami <fcami at redhat.com>
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
3805eff4 by François Cami at 2020-06-09T08:43:45+02:00
IPA-EPN: Test suite.

Initial test suite for EPN.

Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: François Cami <fcami at redhat.com>
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
03caa7f9 by Rob Crittenden at 2020-06-09T08:43:45+02:00
Add a jinja2 e-mail template for EPN

Add options for character set (default utf8) and message
subtype (default plain). This will allow for more control
for users to do either HTML mail or use ascii for the character
set so the attachment is not base64-encoded to make it easier
for all mail clients.

Collect first and last name as well for each user in order to
provide more options for the template engine.

Make the From address configurable, defaulting to noreply at ipa_domain
Make Subject configurable too.

Don't rely on the MTA to set Message-Id: set it using the email
module.

Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
451cbae1 by Rob Crittenden at 2020-06-09T08:43:45+02:00
Add index for krbPasswordExpiration for EPN

Expiring Password Notifications search for expiring passwords
between dates. Add an equality index for this attribute.

https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
9d9012f6 by Fraser Tweedale at 2020-06-10T22:27:26+10:00
httpinstance: retry request without ipa-ca.$DOMAIN dnsName on failure

In the migration case of replica installation, if the CA server is
an older version it may not support the ipa-ca.$DOMAIN dnsName in
the HTTP cert (it is a special case in the cert_request command).
Therefore if the request fails, try it again without the
ipa-ca.$DOMAIN dnsName.

Part of: https://pagure.io/freeipa/issue/8186

Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
e6fda6f0 by Fraser Tweedale at 2020-06-10T22:27:26+10:00
upgrade: avoid stopping certmonger when fixing requests

During upgrade, if discrepancies are detected in Certmonger tracking
request configuration we remove and re-create tracking requests.
The default behaviour of the CAInstance and KRAInstance
stop_tracking_certificates() method is to stop certmonger after the
requests have been removed.  This behaviour results in an
unnecessary restart of certmonger and has also been observed to
cause problems.  For example, subsequent certmonger operations have
to start the certmonger process and can fail because certmonger is
not yet properly initialised (manifesting as D-Bus errors).

Suppress the unnecessary restart(s) of certmonger during tracking
request update.

Related: https://pagure.io/freeipa/issue/8186
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
379b560c by Christian Heimes at 2020-06-10T16:07:07+02:00
Fix named.conf update bug NAMED_DNSSEC_VALIDATION

Commit a5cbdb57e50cfc62f61affda19ce878b2abd33de introduced a bug when
updating IPA from 4.8.6 to 4.8.7. NAMED_DNSSEC_VALIDATION template
variable was not declared.

Fixes: https://pagure.io/freeipa/issue/8363
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
cddd07f6 by Christian Heimes at 2020-06-10T16:07:07+02:00
Remove named_validate_dnssec update step

The upgrade step used to add "dnssec-validation no" to named.conf IFF
named.conf did not contain "dnssec-validation" option at all. The
option has been moved to 'ipa-options-ext.conf' in IPA 4.8.7. The function
only removes the upgrade state.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
996a2209 by Christian Heimes at 2020-06-10T16:07:07+02:00
Fix named.conf named_conf_include_re

Actually match one or more characters

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
43dd1e8a by Christian Heimes at 2020-06-10T16:07:07+02:00
More upgrade tests

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f52a15b8 by Christian Heimes at 2020-06-10T16:07:07+02:00
Overhaul bind upgrade process

/etc/named.conf is now owned by IPA. The file is overwritten on
installation and all subsequent updates. All user modification will be
lost. Config file creation and update use the same code paths.

This simplifies upgrade process a lot. There is no errprone fiddling
with config settings any more.

During upgrade there is a one-time backup of named.conf to
named.conf.ipa-backup. It allows users to salvage their customization
and move them to one of two user config files which are included by
named.conf.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
cc844834 by Christian Heimes at 2020-06-10T16:16:13+02:00
Auto-generated ipa-epn files to gitignore

memcached has been removed a loooong time ago.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
c3cbaed9 by Rob Crittenden at 2020-06-10T11:22:58-04:00
IPA-EPN: Fixes to starttls mode, convert some log errors to exceptions

Tested security mode with none, starttls and ssl security.

Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
1760ad48 by Rob Crittenden at 2020-06-10T11:22:58-04:00
IPA-EPN: Add tests for sending real mail with auth and templates

Send e-mail using postfix on localhost and read the contents to
verify that the mail was delivered and that the template was
applied correctly.

Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
7e621cf8 by Rob Crittenden at 2020-06-10T11:22:58-04:00
IPA-EPN: Add test for starttls mode

Get a certificate for postfix and configure it to allow starttls
connections.

Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
41e3d58a by Rob Crittenden at 2020-06-10T11:22:58-04:00
IPA-EPN: test using SSL against port 465

Enable the postfix SSL listener on port 465. The certifiates
and other configuration is already in place.

Test that sending mail is successful.

Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
a2728c75 by Rob Crittenden at 2020-06-10T11:22:58-04:00
IPA-EPN: Add mail-test option for testing sending live email

To make testing easier for administrators the --mail-test option
can be used to send live e-mail from ipa-epn. It sends mail
to the smtp_admin user processing the template with dummy data.

https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
759ab312 by Rob Crittenden at 2020-06-10T11:22:58-04:00
IPA-EPN: Add tests for --mail-test option

Test sending a default template email to the smtp_admin user.

Test that --mail-test and --dry-run cannot be used together.

https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
3b266d39 by Rob Crittenden at 2020-06-10T11:22:58-04:00
IPA-EPN: add smtp_delay to limit the velocity of e-mails sent

Provide a knob so the mail queue doesn't get completely flooded
with new e-mails.

Default to no wait, value in milliseconds.

https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
cb205cc5 by Rob Crittenden at 2020-06-10T11:22:58-04:00
IPA-EPN: add test to validate smtp_delay value

Configuration test to ensure that smtp_delay validation is
properly enforced.

Also reset the epn configuration when the tests are run.

https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
ba7974bf by Rob Crittenden at 2020-06-10T11:22:58-04:00
IPA-EPN: Don't treat givenname differently

This was returning givenname as a list and not as a single
string which messed up the templating.

https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
81f7863b by Alexander Bokovoy at 2020-06-10T22:27:31+03:00
Update translation files

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
296ddcd3 by Alexander Bokovoy at 2020-06-10T22:28:56+03:00
update list of contributors

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
14876657 by Florence Blanc-Renaud at 2020-06-11T10:33:33+02:00
ipatests: fix the disable_dnssec_validation method

Bind configuration now includes 2 snippet config files, in
/etc/named/ipa-ext.conf and /etc/named/ipa-options-ext.conf

When a test needs to disable dnssec-validation, it needs to edit
the snippet ipa-options-ext.conf instead of /etc/named.conf.

This commit fixes the method tasks.disable_dnssec_validation so that it
correctly updates the snippet.

Fixes: https://pagure.io/freeipa/issue/8364
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
a18d406b by Christian Heimes at 2020-06-11T17:27:31+02:00
Move ipa-epn systemd files and run RPM hooks

The init/systemd directory is for server only and not part of
CLIENT_ONLY builds.

It's necesary to run pre/post installation hooks to make systemd aware
of new files.

Fixes: https://pagure.io/freeipa/issue/8367
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
51cb631d by Florence Blanc-Renaud at 2020-06-12T08:34:51+02:00
ipa-replica-install: --setup-ca and *-cert-file are mutually exclusive

ipa-replica-install currently accepts both --setup-ca and *-cert-file
even though the options should be mutually exclusive (either install
CA-less with *-cert-file options or with a CA).

Add a check enforcing the options are mutually exclusive.

Fixes: https://pagure.io/freeipa/issue/8366
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
98c1017c by Florence Blanc-Renaud at 2020-06-12T08:34:51+02:00
ipatests: add a test for ipa-replica-install --setup-ca --http-cert-file

The options *-cert-file are used for a CA-less replica installation and
are mutually exclusive with --setup-ca.
Add a test for this use case.

Related: https://pagure.io/freeipa/issue/8366
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c358f8db by Florence Blanc-Renaud at 2020-06-15T14:13:55+02:00
ipatests: Update the pki-master-f32 image version

There is a new Vagrant image for pki-master-f32, that contains
jss 4.7.0-0 instead of jss 4.7.0-1.
This change is required because the copr repo @pki/master initially
provided 4.7.0-1 but went backwards in the version number, and
critical fixes are available in 4.7.0-0.

Without this change, the vagrant image is using 4.7.0-1 and tries to
update (not downgrade), hence does not install the most recent version
with the fixes.

Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
e33ffab5 by Mohammad Rizwan at 2020-06-15T14:22:56+02:00
ipatests: Test ipa user login with wrong password

When ipa user login to machine using wrong password, it
should log proper message in /var/log/secure

related: SSSD/sssd#5139

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
32a5359e by Mohammad Rizwan at 2020-06-15T14:22:56+02:00
Xfail test for sssd < 2.3.0

This fix is available in sssd 2.3.0+. On older version
test will fail. Hence added xfail.

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
4911a3f0 by Christian Heimes at 2020-06-15T22:44:42+03:00
Prevent local account takeover

It was found that if an account was created with a name corresponding to
an account local to a system, such as 'root', was created via IPA, such
account could access any enrolled machine with that account, and the local
system privileges. This also bypass the absence of explicit HBAC rules.

root principal alias
-------------------

The principal "root at REALM" is now a Kerberos principal alias for
"admin". This prevent user with "User Administrator" role or
"System: Add User" privilege to create an account with "root" principal
name.

Modified user permissions
-------------------------

Several user permissions no longer apply to admin users and filter on
posixaccount object class. This prevents user managers from modifying admin
acounts.

- System: Manage User Certificates
- System: Manage User Principals
- System: Manage User SSH Public Keys
- System: Modify Users
- System: Remove Users
- System: Unlock user

``System: Unlock User`` is restricted because the permission also allow a
user manager to lock an admin account. ``System: Modify Users`` is restricted
to prevent user managers from changing login shell or notification channels
(mail, mobile) of admin accounts.

New user permission
-------------------

- System: Change Admin User password

The new permission allows manipulation of admin user password fields. By
default only the ``PassSync Service`` privilege is allowed to modify
admin user password fields.

Modified group permissions
--------------------------

Group permissions are now restricted as well. Group admins can no longer
modify the admins group and are limited to groups with object class
``ipausergroup``.

- System: Modify Groups
- System: Remove Groups

The permission ``System: Modify Group Membership`` was already limited.

Notes
-----

Admin users are mostly unaffected by the new restrictions, except for
the fact that admins can no longer change krbPrincipalAlias of another
admin or manipulate password fields directly. Commands like ``ipa passwd
otheradmin`` still work, though. The ACI ``Admin can manage any entry``
allows admins to modify other entries and most attributes.

Managed permissions don't install ``obj.permission_filter_objectclasses``
when ``ipapermtargetfilter`` is set. Group and user objects now have a
``permission_filter_objectclasses_string`` attribute that is used
by new target filters.

Misc changes
------------

Also add new exception AlreadyContainsValueError. BaseLDAPAddAttribute
was raising a generic base class for LDAP execution errors.

Fixes: https://pagure.io/freeipa/issue/8326
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1810160
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
f6707a71 by Petr Vobornik at 2020-06-16T11:39:55+03:00
webui: hide user attributes for SMB services section if empty

This section should be hidded if user object hasn't ipantuserattrs
object class. I.e. when trusts are not enabled.

Web UI framework already supports hidding of sections if the
section contains no visible field. So to achieve it we simply needs
to hide the fields. Given that attributelevelrights
contains rights only for attributes of current object classes, all
of these are regarded as not writable.

We can leverage feature of input_widget that it gets hidden
when the attribute is not writable and has no value and widget's
"hidden_if_empty" is set to true. Thus doing it here.

For this to work, it is also required to fix an issue with
"ipanthomedirectorydrive" which is optional (in API) but Web UI
doesn't offer "empty" ("") value. Adding it here.

fixes: https://pagure.io/freeipa/issue/8336

Signed-off-by: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>

- - - - -
19544d53 by Fraser Tweedale at 2020-06-16T15:37:08-04:00
fix cert-find errors in CA-less deployment

Under some search conditions (in particular, when user is
specified), the CA sub-search of cert-find command throws an error
on CA-less deployments.  Do not execute the CA sub-search on CA-less
deployments.

Fixes: https://pagure.io/freeipa/issue/8369
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
3912e8e6 by Petr Vobornik at 2020-06-16T19:06:02-04:00
baseuser: fix ipanthomedirectorydrive option name

It should be ipanthomedirectorydrive and not ipanthomedirectoryrive.

This fixes showing the field in Web UI and also should fix CLI as it
probably never worked.

Signed-off-by: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
04ce1a41 by Armando Neto at 2020-06-17T08:03:17+02:00
ipatests: bump prci templates

New images were necessary to include updated `selinux-policy` package.

Rawhide image based on `Fedora-Rawhide-20200607.n.0` compose.

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
5a3b5f3a by Christian Heimes at 2020-06-17T13:38:59+02:00
Build ipa-selinux package on RHEL 8

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
533ec754 by François Cami at 2020-06-17T15:40:47-04:00
.mailmap: add fcami

Add myself to .mailmap.

Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
6e3346f0 by Christian Heimes at 2020-06-19T08:40:15+02:00
Use old uglifyjs on RHEL 8

RHEL 8 buildroot does not have python3-rjsmin yet. Fall back to
uglifyjs.

See: https://pagure.io/freeipa/issue/8300
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c2ba333b by Serhii Tsymbaliuk at 2020-06-22T09:31:34+02:00
WebUI: Fix "IPA Error 3007: RequirmentError" while adding idoverrideuser association

Add builder for association adder dialog which allows to override behavior of the component.
Replace default implementation with a custom one for idoverrideuser.
Replace text filter with 'ID view' select box in the idoverrideuser dialog.

Ticket: https://pagure.io/freeipa/issue/8335

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
68ada5f2 by Fraser Tweedale at 2020-06-23T10:22:38+10:00
fix iPAddress cert issuance for >1 host/service

The 'cert_request' command accumulates DNS names from the CSR,
before checking that all IP addresses in the CSR are reachable from
those DNS names.  Before adding a DNS name to the set, we check that
that it corresponds to the FQDN of a known host/service principal
(including principal aliases).  When a DNS name maps to a
"alternative" principal (i.e.  not the one given via the 'principal'
argument), this check was not being performed correctly.
Specifically, we were looking for the 'krbprincipalname' field on
the RPC response object directly, instead of its 'result' field.

To resolve the issue, dereference the RPC response to its 'result'
field before invoking the '_dns_name_matches_principal' subroutine.

Fixes: https://pagure.io/freeipa/issue/8368
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c5e9bd61 by Alexander Scheel at 2020-06-23T09:20:24+02:00
Clarify AJP connector creation process

We do two things:

 1. Fix the xpath for AJP connector verification. An AJP connector is
    one which has protocol="AJP/1.3", NOT one that has port="8009". An
    AJP connector can exist on any port and port 8009 can have any
    protocol. Secrets only make sense on AJP connectors, so make the
    xpath match the existing comment.

 2. Add some background in-line documentation about AJP secret
    provisioning. This should help future developers understand why this
    was added to IPA and what limitations there are in what PKI or IPA
    can do. Most notably, explain why Dogtag can't upgrade the AJP
    connector to have a secret in the general case.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
3ecea780 by Alexander Scheel at 2020-06-23T09:20:24+02:00
Configure PKI AJP Secret with 256-bit secret

By default, PKI's AJP secret is generated as a 75-bit password. By
generating it in IPA, we can guarantee the strength of the AJP secret.
It makes sense to use a stronger AJP secret because it typically
isn't rotated; access to AJP allows an attacker to impersonate an admin
while talking to PKI.

Fixes: https://pagure.io/freeipa/issue/8372
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849146
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1845447
Related: https://github.com/dogtagpki/pki/pull/437

Signed-off-by: Alexander Scheel <ascheel at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
13b17782 by Peter Keresztes Schmidt at 2020-06-23T10:11:09+02:00
WebUI: move OTP to be the last field in the PW reset form

Since TOTPs have a limited validity, let the user enter
them as the last item in the form.
This reduces the chance of the TOTP getting invalid while
the user is still filling out other fields.

Related: https://pagure.io/freeipa/issue/5628
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
d63a91da by Peter Keresztes Schmidt at 2020-06-23T10:11:09+02:00
WebUI: reword OTP info message displayed during PW reset

The message displayed before is now limited to the OTP
sync form, for which it was written originally.
A new message is introduced for the PW reset form,
which clarifies the usage of the OTP field.

Fixes: https://pagure.io/freeipa/issue/5628
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
ea5c0a1f by Peter Keresztes Schmidt at 2020-06-23T10:11:09+02:00
Unify spelling of "One-Time Password"

Spelling is in accordance with the HOTP
RFC 4226 and TOTP RFC 6238.

Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
523f70ae by Christian Heimes at 2020-06-23T10:16:29+02:00
Terminology improvements: CA renewal

The term "CA renewal master" is a fixed term in FreeIPA and cannot
easily be replaced with an alternative term. At least we should use the
term consistently.

See: https://tools.ietf.org/id/draft-knodel-terminology-01.html
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
5c09dcdb by Christian Heimes at 2020-06-23T10:16:29+02:00
Grammar: whitespace is a word

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
3ce816ba by Christian Heimes at 2020-06-23T10:16:29+02:00
Terminology improvements: use allow list

See: https://tools.ietf.org/id/draft-knodel-terminology-01.html
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
3ec1b77f by Christian Heimes at 2020-06-23T10:16:29+02:00
Terminology improvements: use block list

Some places have to use the old name because it's part of the stable API
or stable LDAP attributes.

See: https://tools.ietf.org/id/draft-knodel-terminology-01.html
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c5e6fe05 by François Cami at 2020-06-23T10:38:24+02:00
ipatests: increase test_caless_TestReplicaInstall timeout

test_caless_TestReplicaInstall timeout seems too short.
Extend it.

Fixes: https://pagure.io/freeipa/issue/8377
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
3cf9979a by Florence Blanc-Renaud at 2020-06-23T11:11:46+02:00
ipa-client-install: use sshd drop-in configuration

sshd 8.2+ now supports the "Include" keyword in sshd_config and
ships by default /etc/ssh/sshd_config with
"Include /etc/ssh/sshd_config.d/*"

As fedora 32 provides a config file in that directory (05-redhat.conf) with
ChallengeResponseAuthentication no
that is conflicting with IPA client config, ipa-client-install now needs
to make its config changes in a drop-in file read before 05-redhat.conf
(the files are read in lexicographic order and the first setting wins).

There is no need to handle upgrades from sshd < 8.2: if openssh-server
detects a customisation in /etc/ssh/sshd_config, it will not update
the file but create /etc/ssh/sshd_config.rpmnew and ask the admin
to manually handle the config upgrade.

Fixes: https://pagure.io/freeipa/issue/8304
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
511f5194 by Florence Blanc-Renaud at 2020-06-23T11:11:46+02:00
client install: fix broken sshd config

If ipa client was installed with openssh-server >= 8.2, the
configuration parameters for sshd were put in /etc/ssh/sshd_config
instead of in a snippet in /etc/ssh/sshd_config.d.
Upgrade to this new ipa version fixes the sshd conf by
moving the params to the snippet.

Related: https://pagure.io/freeipa/issue/8304
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
769c87f5 by sumenon at 2020-06-24T10:23:26+02:00
ipatests: Tests to check ipahealthcheck tool with IPA-AD trust scenario

Tests for below checks are included
IPATrustDomainsCheck
IPATrustControllerConfCheck
IPAsidgenpluginCheck
IPATrustControllerServiceCheck
IPATrustAgentMemberCheck
IPATrustCatalogCheck

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
f1b2d7b6 by sumenon at 2020-06-24T10:23:26+02:00
Modified YAML to include healthcheck AD tests

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
1144da5d by Christian Heimes at 2020-06-24T13:49:14+02:00
RHEL 8.3 has KRB5 1.18 with KDB 8.0

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
dc11b98e by Florence Blanc-Renaud at 2020-06-24T14:55:27+02:00
Unify spelling of "One-Time Password" (take 2)

The previous fix for the spelling of "One-Time Password"
missed a few lines.

Fixes: https://pagure.io/freeipa/issue/8381
Related: https://pagure.io/freeipa/issue/5628
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
a3c648bd by Florence Blanc-Renaud at 2020-06-24T17:22:24-04:00
ipatests: fix the method adding ifp to sssd.conf

The test TestCertsInIDOverrides enables the ifp service in
sssd.conf by a sed command. If the service is already enabled,
the ifp service appears multiple times in the section
[sssd]
services = ..ifp...ifp
and sssd fails to start.

Use tasks.remote_sssd_config to properly configure the
services as this API properly handles the case when the
service is already configured.

Fixes: https://pagure.io/freeipa/issue/8371
Reviewed-By: Anuja More <amore at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
1f6ca418 by Alexander Bokovoy at 2020-06-25T09:18:02+03:00
handle Y2038 in timestamp to datetime conversions

According to datetime.utcfromtimestamp() method documentation[1],
this and similar methods fail for dates past 2038 and can be replaced by
the following expression on the POSIX compliant systems:

  datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=timestamp)

Make sure to use a method that at least allows to import the timestamps
properly to datetime objects on 32-bit platforms.

[1] https://docs.python.org/3/library/datetime.html#datetime.datetime.utcfromtimestamp

Fixes: https://pagure.io/freeipa/issue/8378

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
6efe9917 by François Cami at 2020-06-25T15:20:21+02:00
EPN: ship the configuration file.

Ship and install /etc/ipa/epn.conf.
Minor fixes to the associated man page.

Fixes: https://pagure.io/freeipa/issue/8374
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
1d7aeaeb by François Cami at 2020-06-25T15:20:21+02:00
man pages: fix epn.conf.5 and ipa-epn.1 formatting

Fix formatting issues found with mandoc.

Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
0d4f022b by François Cami at 2020-06-25T15:20:21+02:00
ipatests: check that EPN's configuration file is installed.

Fixes: https://pagure.io/freeipa/issue/8374
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
73c02f63 by François Cami at 2020-06-25T15:20:21+02:00
ipatests: ipa_epn: uninstall/reinstall ipa-client-epn

Due to https://github.com/freeipa/freeipa-pr-ci/issues/378
the installed version of freeipa-client-epn is not the built
one. Temporarily force uninstall/reinstall of this package
before running the test.

Fixes: https://pagure.io/freeipa/issue/8374
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
cc624fb1 by Armando Neto at 2020-06-26T16:47:54-03:00
ipatests: bump prci templates

Remove all freeipa-* packages from template:
https://github.com/freeipa/freeipa-pr-ci/commit/bdd98c3b9dba2ce563535d0c91dad38b532441e8

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
c7766ebb by Fraser Tweedale at 2020-06-29T12:03:16+10:00
Define errors_by_code in ipalib.errors

The errors_by_code mapping could be used in more places.  In
particular it will be useful in the Dogtag GSS-API authentication
effort.  Move to ipalib.errors.

Part of: https://pagure.io/freeipa/issue/5011

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
0cb0056f by Anuja More at 2020-06-30T09:09:13+02:00
ipatests: Test that trusted AD users should not lose their AD domains.

When AD user is added customized idview and UID, GID
is overriden. Then SSSD should not fail to retrieve
AD domain details.

Related: https://pagure.io/SSSD/sssd/issue/4173

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Varun Mylaraiah <mvarun at redhat.com>

- - - - -
d39786c0 by Anuja More at 2020-06-30T09:09:13+02:00
ipatests: xfail test with older versions of sssd

Related to: https://pagure.io/SSSD/sssd/issue/4173

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Varun Mylaraiah <mvarun at redhat.com>

- - - - -
0c0061ba by Fraser Tweedale at 2020-06-30T11:47:29+02:00
extract virtual operation access check subroutine

Outside of virtual commands themselves there is no way to evaluate
access to perform a virtual operation.  Such a capability will be
needed for Dogtag-based certificate request validation using
Kerberos proxy credentials.

Add the 'check_operation_access' method for explicit virtual
operation access checks.  Refactor 'VirtualCommand.check_access()'
to use it.

Part of: https://pagure.io/freeipa/issue/5011
Part of: https://pagure.io/freeipa/issue/6423

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
d7f3a0b2 by Fraser Tweedale at 2020-06-30T16:18:21+02:00
ra.get_certificate: use REST API

Update ra.get_certificate to use the Dogtag REST API.  This change
is being done as part of the Dogtag GSS-API authentication effort
because the servlet-based method expects an internal Dogtag user.
It is less intrusive to just change FreeIPA to call the REST API
instead (which is also part of an existing ticket).

Depends on https://pagure.io/dogtagpki/issue/2601 (which was merged
and released long ago).

Part of: https://pagure.io/freeipa/issue/3473
Part of: https://pagure.io/freeipa/issue/5011

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
2e75623e by Zdenek Pytela at 2020-07-01T08:14:17+02:00
Allow ipa-adtrust-install restart sssd and dirsrv services

Allow ipa_helper_t connect to init using /run/systemd/private socket.
Allow ipa_helper_t read init process state.
Allow ipa_helper_t manage sssd and dirsrv units.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1820298
See: https://github.com/fedora-selinux/selinux-policy-contrib/pull/241
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
b56fa015 by Christian Heimes at 2020-07-01T08:14:17+02:00
SELinux: Backport dirsrv_systemctl interface

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
9858e863 by Florence Blanc-Renaud at 2020-07-01T08:14:17+02:00
Bump requires for selinux-policy

Related: https://bugzilla.redhat.com/show_bug.cgi?id=1820298
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
0df4e881 by François Cami at 2020-07-01T12:05:14+02:00
ipatests: display SSSD kdcinfo in test_adtrust_install.py

The test test_adtrust_install.py::TestIpaAdTrustInstall::test_add_agent_not_allowed
sometimes fails at kinit in create_active_user:
```
kinit: Password has expired while getting initial credentials
```
krb5_strace shows that this happens when kinit changes servers
between password change and TGT requests.
Display SSSD's kdcinfo to see if kinit should be pinned to one
server.

Related-to: https://pagure.io/freeipa/issue/8353
Related-to: https://pagure.io/freeipa/issue/8271
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>

- - - - -
630c408f by François Cami at 2020-07-03T15:33:49+02:00
ipatests: remove dnf workaround from test_epn.py

73c02f635 introduced a workaround to make sure the latest version
of (free)ipa-client-epn was installed.
Since cc624fb17 this should not be needed anymore.

Fixes: https://pagure.io/freeipa/issue/8391
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
f6055e6c by Alexander Bokovoy at 2020-07-06T10:47:18+03:00
selinux: allow oddjobd to set up ipa_helper_t context for execution

On Fedora 32+ and RHEL 8.3.0+ execution of ipa_helper_t context requires
SELinux policy permission to use 'noatsecure'. This comes most likely
from execve() setup by glibc.

Add SELinux interface ipa_helper_noatsecure() that can be called by
oddjob's SELinux policy definition.

In addition, if ipa_helper_t runs ipa-getkeytab, libkrb5 will attempt to
access SELinux configuration and produce AVC for that. Allow reading
general userspace SELinux configuration.

Fixes: https://pagure.io/freeipa/issue/8395
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
91713f4f by Alexander Bokovoy at 2020-07-06T10:47:18+03:00
selinux: support running ipa-custodia with PrivateTmp=yes

Related: https://pagure.io/freeipa/issue/8395
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
a90eefaf by Christian Heimes at 2020-07-06T09:50:57+02:00
Run test_fips in DS and PKI nightly

Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
459bc6ba by Peter Keresztes Schmidt at 2020-07-06T14:38:58+03:00
WebUI: Fix rendering of boolean_status_formatter

With commit "WebUI: Apply jQuery patch to fix htmlPrefilter issue" (bc9f3e0557)
jQuery's handling of self-closing elements.

DOM before the above mentioned commit:
  <div name="nsaccountlock"><i class="fa fa-check"></i> Enabled</div>
and after:
  <div name="nsaccountlock"><i class="fa fa-check"> Enabled</i></div>

Explicitly closing the <i> element fixes the issue:
  <div name="nsaccountlock"><i class="fa fa-check"></i> Enabled</div>

Fixes: https://pagure.io/freeipa/issue/8396
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0dfb44c3 by Anuja More at 2020-07-06T15:33:53+02:00
ipatests : Test to verify override_gid works with subdomain.

When override_gid is set in sssd.conf in IPA domain section
Then it should also work for subdomain.

Related: https://pagure.io/SSSD/sssd/issue/4061

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
4247fb9c by Anuja More at 2020-07-06T15:33:53+02:00
ipatests: xfail test with older versions of sssd

Related to: https://pagure.io/SSSD/sssd/issue/4061

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
ea7b8d66 by Anuja More at 2020-07-06T15:33:53+02:00
ipatests: cleanup in test_subdomain_lookup_with_certmaprule_containing_dn

As tests was failing <= fedora31
Thus removed certmap-rule in cleanup as
subdomain lookup fails when certmaprule contains DN.

Related: https://pagure.io/SSSD/sssd/issue/3721

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
dcdcd1ce by Florence Blanc-Renaud at 2020-07-06T17:01:54+02:00
ipa cert-show: fix the code setting revocation reason

ipa cert-show wrongly displays all certs as Revoked.
The dogtag plugin code is checking if the JSON data received
from dogtag contains a RevocationReason with:
   if 'RevocationReason' in resp:
but the value can be None.
Replace the check with
   if 'RevocationReason' in resp and esp['RevocationReason'] is not None:
as this will execute the code only if there is a value
and it is not None.

Fixes: https://pagure.io/freeipa/issue/8394
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
51d5ec17 by Fraser Tweedale at 2020-07-06T19:13:00+03:00
cainstance.is_crlgen_enabled: handle missing ipa-pki-proxy.conf

A failed ipa-ca-install left my installation in an inconsistent
state.  Then, 'ipa-server-install --uninstall' also failed when
is_crlgen_enabled() tried to read ipa-pki-proxy.conf, which was
missing.

Update is_crlgen_enabled() to handle missing ipa-pki-proxy.conf, by
raising InconsistentCRLGenConfigException instead of RuntimeError.
As a result, missing ipa-pki-proxy.conf is handled gracefully
because the calling code already catches
InconsistentCRLGenConfigException.

Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
069f41a0 by Christian Heimes at 2020-07-07T12:36:10+02:00
Add __signature__ to plugins

Auto-generate inspect.Signature from plugin arguments and options. The
signature is used by (amongst others) pydoc / help.

```
$ ipa console
>>> help(api.Command.group_add)
Help on group_add in module ipaserver.plugins.group object:

class group_add(ipaserver.plugins.baseldap.LDAPCreate)
 |  group_add(cn: str, *, description: str = None, gidnumber: int = None, setattr: List[str] = None, addattr: List[str] = None, nonposix: bool, external: bool, all: bool, raw: bool, version: str = None, no_members: bool) -> Dict[str, Any]
```

Fixes: https://pagure.io/freeipa/issue/8388
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
80794f6b by Christian Heimes at 2020-07-07T12:36:10+02:00
Make tab completion in console more useful

tab completion and dir() now show registered plugins in API name spaces.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
5ab24ddf by Fraser Tweedale at 2020-07-07T10:07:48-04:00
ca-del: require CA to already be disabled

Currently ca-del disables the target CA before deleting it.
Conceptually, this involves two separate permissions: modify and
delete.  A user with delete permission does not necessarily have
modify permission.

As we head toward enforcing IPA permissions in Dogtag, it is
necessary to decouple disablement from deletion, otherwise the
disable operation shall fail if the user does not have modify
permission.  Although it introduces an additional step for
administrators, the process is consistent, required permissions map
1:1 to the operations, and the error messages make it clear what
needs to happen (i.e. disable first).

Part of: https://fedorahosted.org/freeipa/ticket/5011

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
6da63e3b by Fraser Tweedale at 2020-07-07T10:07:48-04:00
ca plugin: improve doc

Update 'ca' plugin doc to mention which permissions are required for
the various commands.  Also mention that CAs must first be disabled
before they can be deleted.

Part of: https://fedorahosted.org/freeipa/ticket/5011

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
6a0901f6 by Fraser Tweedale at 2020-07-07T10:07:48-04:00
tests: fix cleanup for CATracker

With ca-del now requiring disablement first, CATracker cleanup fails
because the CA is not yet disabled.  Implement auto disable before
delete in CATracker, with an option to suppress.  This suppress
option is used when testing the "disable first" option.

The patch also includes a tweak to EnableTracker cleanup.  In case
the CA already got deleted (and in the case of CATracker, also
disabled), this avoids an attempt to re-enable the already-deleted
object.

Part of: https://fedorahosted.org/freeipa/ticket/5011

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a087d82e by Alexander Scheel at 2020-07-08T11:50:37+02:00
Specify cert_paths when calling PKIConnection

PKIConnection now defaults to specifying verify=True. We've introduced
a new parameter, cert_paths, to specify additional paths (directories or
files) to load as certificates. Specify the IPA CA certificate file so
we can guarantee connections succeed and validate the peer's certificate.

Point to IPA CA certificate during pkispawn

Bump pki_version to 10.9.0-0.4 (aka -b2)

Fixes: https://pagure.io/freeipa/issue/8379
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849155
Related: https://github.com/dogtagpki/pki/pull/443
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1426572
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
17cf8edb by Florence Blanc-Renaud at 2020-07-08T15:14:47+02:00
Add test_dnssec to 389ds nightly tests

Rationale:
DNSSec relies on syncrepl plugin, provided by 389ds.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e4462a94 by Fraser Tweedale at 2020-07-09T10:22:50+10:00
certupdate: only add LWCA tracking requests on CA servers

ipa-certupdate throws an exception when executed on a non-CA server
in a CA-ful deployment with lightweight sub-CAs (LWCAs).  Check that
we are on a CA server before attempting to create Certmonger
tracking requests for LWCAs.

HOW TO TEST

1. Install first server (with CA)
2. Install replica without CA
3. Create sub-CA (`ipa ca-add`)
4. Run `ipa-certupdate` on replica.  Observe that no stack trace is
   produced.

Fixes: https://pagure.io/freeipa/issue/8399
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
797a64b3 by Florence Blanc-Renaud at 2020-07-09T14:00:29+03:00
sshd template must be part of client package

The sshd_ipa.conf.template must be shipped with the client pkgs
in /usr/share/ipa/client but is currently delivered in /usr/share/ipa.
Fix the file location.

Fixes: https://pagure.io/freeipa/issue/8400
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
67d4517f by Armando Neto at 2020-07-09T14:03:40+03:00
ipatests: bump pr-ci templates

New template images for ci-master-f32 and ci-master-f31 with updated
packages.

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
8f640f86 by Peter Keresztes Schmidt at 2020-07-09T14:12:24+03:00
Populate nshardwareplatform and nsosversion during join operation

Fixes: https://pagure.io/freeipa/issue/8370
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
6e414d22 by Alexandre Mulatinho at 2020-07-09T14:17:47+03:00
ipa-join: allowing call with jsonrpc into freeipa API

Adding JSON-C and LibCURL library into configure.ac and Makefile.am

Creating a API call with option '-j' or '--jsonrpc' to make host join
on FreeIPA with JSONRPC and libCURL.

Related: https://pagure.io/freeipa/issue/7966
Signed-off-by: Alexandre Mulatinho <alex at mulatinho.net>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
5e7e4f0e by Peter Keresztes Schmidt at 2020-07-09T14:17:47+03:00
ipa-join: don't set TLS related curl options for JSON-RPC

Related: https://pagure.io/freeipa/issue/7966
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c197918e by Peter Keresztes Schmidt at 2020-07-09T14:17:47+03:00
ipa-join: improve curl error handling in JSON-RPC code

Related: https://pagure.io/freeipa/issue/7966
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c905f94f by Peter Keresztes Schmidt at 2020-07-09T14:17:47+03:00
ipa-join: buffer curl response before parsing json

CURLOPT_WRITEFUNCTION is not guaranteed to be called only
once per request and receive all data at once.
Use a dynamic buffer to cope with that case.

Related: https://pagure.io/freeipa/issue/7966
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
25205f44 by Peter Keresztes Schmidt at 2020-07-09T14:17:47+03:00
ipa-join: switch to jansson for json handling

Additionally JSON-RPC should bail out if host is already joined.
Check HTTP status of JSON-RPC request and report 401 Unauthorized error explicitly.

Related: https://pagure.io/freeipa/issue/7966
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
677659c8 by Peter Keresztes Schmidt at 2020-07-09T14:17:47+03:00
ipa-join: extract unenrollment code common to JSON and XML-RPC to separate function

Also fix some some memleaks on the way.

Related: https://pagure.io/freeipa/issue/7966
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
62503e4f by Peter Keresztes Schmidt at 2020-07-09T14:17:47+03:00
ipa-join: implement JSON-RPC based unenrollment

Related: https://pagure.io/freeipa/issue/7966
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f6940772 by Peter Keresztes Schmidt at 2020-07-09T14:17:47+03:00
ipa-join: select {JSON,XML}-RPC at build time

Related: https://pagure.io/freeipa/issue/7966
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a1b117a2 by Peter Keresztes Schmidt at 2020-07-09T14:17:47+03:00
ipa-join: Use bool type where appropriate

Related: https://pagure.io/freeipa/issue/7966
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7cc977b9 by Peter Keresztes Schmidt at 2020-07-09T14:17:47+03:00
ipa-join: Generalize XML-RPC references in man page

The used RPC protocol (JSON or XML) is defined
at build time.

Related: https://pagure.io/freeipa/issue/7966
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
2b6faa36 by Fraser Tweedale at 2020-07-10T08:33:22-04:00
acme: ipa-pki-proxy: proxy /acme to Dogtag

Update ipa-pki-proxy.conf to proxy requests to the /acme resource
namespace to Dogtag.

Part of: https://pagure.io/freeipa/issue/4751

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
dd301a45 by Fraser Tweedale at 2020-07-10T08:33:22-04:00
acme: set up ACME service when configuring CA

When configuring the CA, create, configure and deploy the PKI ACME
service instance.  This includes creation (if necessary) of the LDAP
container object heirarchy in which ACME-related objects will be
stored.

Dogtag ACME RA account management will be added in a subsequent
commit, removing the use of the 'uid=admin' account (which as of
this commit just has a bogus password).

Part of: https://pagure.io/freeipa/issue/4751

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
5883cff0 by Fraser Tweedale at 2020-07-10T08:33:22-04:00
dogtaginstance: extract user creation to subroutine.

Extract the user and group membership creation behaviour from
DogtagInstance.setup_admin to its own method, 'create_user'.  The
ACME setup routine will use it to create ACME RA accounts.

The @staticmethod decorator documents that 'create_user' does not
use 'self' or 'cls'.  I preferred not to lift to a top-level def
because it is very much a "DogtagInstance" behaviour.

Part of: https://pagure.io/freeipa/issue/4751

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a21823da by Fraser Tweedale at 2020-07-10T08:33:22-04:00
dogtaginstance: add ensure_group method

Add a method for creating a group (if it does not exist).  This will
be used to create a group for ACME RA accounts.

Part of: https://pagure.io/freeipa/issue/4751

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
b3565290 by Fraser Tweedale at 2020-07-10T08:33:22-04:00
acme: create ACME RA account

The ACME certificate profile will require the (Dogtag) user
interacting with the CA to be a member of the (Dogtag) "ACME Agents"
group.  Therefore for each CA server, as part of the ACME setup
routine create a dedicated ACME agent account and make it a member
of this group.

Part of: https://pagure.io/freeipa/issue/4751

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c309d4a4 by Fraser Tweedale at 2020-07-10T08:33:22-04:00
acme: add Dogtag ACL to allow ACME agents to revoke certs

Add an ACL to allow ACME agents to revoke certificates.  Although
the operation "execute" sounds quite scary (as though it would have
a wide scope), in fact it only allows revocation (and unrevocation).
See CertResource.java and base/ca/shared/conf/acl.properties in the
Dogtag source.

Part of: https://pagure.io/freeipa/issue/4751

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
3c8352f9 by Fraser Tweedale at 2020-07-10T08:33:22-04:00
acme: add certificate profile

Add a default certificate profile to be used with the ACME service.

The profile requires the (Dogtag) user interacting with the CA to be
a member of the (Dogtag) "ACME Agents" group.  For each CA server we
create a dedicated ACME agent account, make it a member of this
group, and configure the ACME issuer component to use that account.

Part of: https://pagure.io/freeipa/issue/4751

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
d15000be by Fraser Tweedale at 2020-07-10T08:33:22-04:00
acme: configure ACME service on upgrade

Part of: https://pagure.io/freeipa/issue/4751

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
00a84464 by Fraser Tweedale at 2020-07-10T08:33:22-04:00
acme: configure engine.conf and disable by default

When deploying ACME set up configsources.conf to retrieve engine
configuration from engine.conf.  In the initial configuration, the
ACME service is disabled (i.e. it will refuse to service requests).

A subsequent commit will add command(s) for flipping the ACME
service on or off (on a per-server basis).  Later we will move to
LDAP configuration so that management of the ACME service is
deployment-wide.

The default configuration also disables issuance of wildcard
certificates.

Part of: https://pagure.io/freeipa/issue/4751

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
083c6aed by Fraser Tweedale at 2020-07-10T08:33:22-04:00
acme: add ipa-acme-manage command

Add the ipa-acme-manage command which can be used to enable or
disable the IPA ACME service.  It must be used on each server.  In
the future we will implement deployment-wide configuration
(including enable/disable) of the ACME service via IPA API, with
configuration stored in and replicated by LDAP.  But until then, we
need a simple command for administrators to use.

Part of: https://pagure.io/freeipa/issue/4751

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7b000357 by Fraser Tweedale at 2020-07-10T08:33:22-04:00
acme: add integration test

Add a preliminary integration test for the FreeIPA ACME service.  It
only tests Certbot and the http-01 challenge.  Testing of DNS
challenge could come later.

Part of: https://pagure.io/freeipa/issue/4751

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ab7226dc by Fraser Tweedale at 2020-07-10T08:33:22-04:00
acme: add integration test to nightly CI

Part of: https://pagure.io/freeipa/issue/4751

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
bb6d8490 by Fraser Tweedale at 2020-07-10T08:33:22-04:00
acme: add integration tests to gating

Because the FreeIPA ACME service is a new feature and may require
stabilisation, including it in gating CI.  This is done as a
separate commit so that it can be reverted more easily.

Part of: https://pagure.io/freeipa/issue/4751

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
85d02720 by Fraser Tweedale at 2020-07-10T08:33:22-04:00
acme: add mod_md integration test

Add a test that configures a client to use mod_md Apache httpd
module to acquire a certificate from FreeIPA ACME service.  This
test is currently skipped on Fedora because the package needs a fix
(see https://bugzilla.redhat.com/show_bug.cgi?id=1832841).

Part of: https://pagure.io/freeipa/issue/4751

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
f9f3b3b1 by Fraser Tweedale at 2020-07-10T08:33:22-04:00
acme: handle alternative schema ldif location

pki-server-10.9.0-0.3 relocates the ACME schema LDIF file.  Look for
the file in both the old and new locations to smooth the transition.

Part of: https://pagure.io/freeipa/issue/4751

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
e976dde8 by Fraser Tweedale at 2020-07-10T08:33:22-04:00
acme: add revocation test

Add an integration test that tests revocation via Certbot.

Part of: https://pagure.io/freeipa/issue/4751

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a83eaa8b by Fraser Tweedale at 2020-07-10T08:33:22-04:00
acme: add certbot dns script

Add a script to use as a certbot hook for satisfying the dns-01
challenge.  It will be used during testing, and may be useful or
instructive for users of FreeIPA.

It is installed as part of the freeipa-client package under
/usr/libexec/ipa/acme.  Future ACME-related scripts can be added in
the same place.

Part of: https://pagure.io/freeipa/issue/4751

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
678b8e68 by Fraser Tweedale at 2020-07-10T08:33:22-04:00
acme: add certbot dns-01 test

Add a test for the dns-01 challenge using Certbot.  This test uses
the new hook scripts distributed in the freeipa-client package.

Part of: https://pagure.io/freeipa/issue/4751

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
525b946b by Fraser Tweedale at 2020-07-10T08:33:22-04:00
acme: enable mod_md tests on Fedora

The Fedora mod_md package has received the required fixes
(see https://bugzilla.redhat.com/show_bug.cgi?id=1832841).
We can now enable the mod_md tests on Fedora.

Part of: https://pagure.io/freeipa/issue/4751

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
1f720560 by Fraser Tweedale at 2020-07-10T08:33:22-04:00
acme: delete ACME RA account on server uninstall

For each CA server, a Dogtag user account is created for the ACME
service to use to authenticate to the CA subsystem.  This commit
cleans up the Dogtag account upon server uninstallation.

The user deletion behaviour is extracted to a common method used for
both ACME RA account deletion (on uninstall) and removal of the
temporary admin account (during replica install).

Part of: https://pagure.io/freeipa/issue/4751

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7de20e8e by Armando Neto at 2020-07-13T15:11:44+02:00
ipatests: bump pr-ci templates

New template images for ci-master-f32 and ci-master-f31 to include
latest certmonger package (`certmonger-0.79.11-2`).

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
3c18f94b by Michal Polovka at 2020-07-14T13:04:32-04:00
ipatests: test_epn: Fix package installation

EPN functionality is provided as separate package
freeipa-client-epn, but it is not installed during setup. This resolves
this behaviour.

Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
12529d7e by Jeremy Frasier at 2020-07-14T13:05:56-04:00
replica: Ensure the ipaapi user is allowed to access ifp on replicas

ipa-server-install executes ipa-client-install with the --on-master
flag set, which causes the ipaclient.install.client.sssd_enable_ifp()
function to be called.  This function configures sssd so that the
ipaapi user is allowed to access ifp.  Any FreeIPA replica should also
have sssd configured like this, but in that case we cannot simply pass
the --on-master flag to ipa-client-install because it has other side
effects.  The solution is to call the
ipaclient.install.client.sssd_enable_ifp() function from inside the
ipaserver.install.server.replicainstall.promote_sssd() function.

https://pagure.io/freeipa/issue/8403

Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
2ff1d6b4 by Jeremy Frasier at 2020-07-14T13:05:56-04:00
replica: Add tests to ensure the ipaapi user is allowed access to ifp on replicas

https://pagure.io/freeipa/issue/8403

Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
8e05a8a8 by sumenon at 2020-07-15T10:23:45+02:00
ipatests: Tests to check profile is displayed for getcert request.

test_getcert_list_profile
This test checks that the cert request generated using
getcert utility which is placed in /var/lib/certmonger/requests
directory displays profile name and issuer fields

test_getcert_list_profile_using_subca
This test checks that the cert request generated with -X as
subca and -T <profilename> displays correct profilename

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>

- - - - -
69da03b4 by Christian Heimes at 2020-07-15T14:03:40+02:00
Add missing SELinux rule for ipa-custodia.sock

A SELinux rule for ipa_custodia_stream_connect(httpd_t) was not copied
from upstream rules. It breaks installations on systems that don't have
ipa_custodia_stream_connect in SELinux domain for apache, e.g. RHEL 8.3.

Fixes: https://pagure.io/freeipa/issue/8412
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>

- - - - -
4696644f by Peter Keresztes Schmidt at 2020-07-15T14:19:18+02:00
ipa-join: extract common JSON-RPC response parsing to common function

In preparation for handling JSON-RPC error codes.

Related: https://pagure.io/freeipa/issue/8408
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
6dfefc97 by Peter Keresztes Schmidt at 2020-07-15T14:19:18+02:00
ipa-join: handle JSON-RPC error codes

Error code 2100 (ACIError) is handled explicitly to match XML-RPC behaviour.

Fixes: https://pagure.io/freeipa/issue/8408
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
147b808f by Michal Polovka at 2020-07-15T14:47:12+02:00
ipatests: test_epn: test_EPN_config_file: Package name fix

Fix package name to respect different conventions in particular streams.

Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
2fcc260c by Fraser Tweedale at 2020-07-16T15:30:53+10:00
cainstance.update_ipa_conf: allow specifying ca_host

Enhance cainstance.update_ipa_conf() to allow specifying the
ca_host.  This will be used to update replica configurations when a
CA-less deployment gets promoted to CA-ful.

Part of: https://pagure.io/freeipa/issue/7188

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
a1b3b34b by Fraser Tweedale at 2020-07-16T15:30:53+10:00
cainstance: extract function import_ra_key

After upgrading a deployment from CA-less to CA-ful it is necessary
to install the RA Agent credential on non-CA servers.  To facilitate
this, extract this behaviour from CAInstance so that it is callable
from other code.

Several other methods became @staticmethod as a result of this
change.  This makes those methods callable without an instance of
CAInstance and also documents that those methods do not use 'self'.

Part of: https://pagure.io/freeipa/issue/7188

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
53d472b4 by Fraser Tweedale at 2020-07-16T15:30:53+10:00
certupdate: update config after deployment becomes CA-ful

When a deployment gets promoted from CA-less to CA-ful other
replicas still have enable_ra=False in default.conf, and do not have
the ra-agent key and certificate.  Enhance ipa-certupdate to detect
when the deployment has become CA-ful; retrieve the ra-agent
credential and update default.conf.

The rationale for adding this behaviour to ipa-certupdate is that it
is already necessary to use this command to update local trust
stores with the new CA certificate(s).  So by using ipa-certupdate
we avoid introducing additional steps for administrators.

It is necessary to choose a CA master to use as the ca_host.  We use
the first server returned by LDAP.  A better heuristic might be to
choose a master in the same location but this is just left as a
comment unless or until the need is proven.

Finally, defer the httpd service restart until after the possible
update of default.conf so that the IPA API executes with the new
configuration.

This change also addresses the case of a CA server being removed
from the topology, i.e. ipa-certupdate detects when non-CA replicas
are pointing at the removed server, and chooses a new ca_host.

HOW TO TEST:

1. Install a CA-less server (first server).

2. Install a CA-less replica.

3. Run 'ipa-ca-install' on first server, promoting deployment from
   CA-less to CA-ful.

4. Run 'ipa-certupdate' on second server.

5. Exceute 'ipa cert-show 5' on second server.  Should succeed,
   because ra-agent credential was retrieved and default.conf
   updated at step #4.

Fixes: https://pagure.io/freeipa/issue/7188
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
04d25dd2 by sumenon at 2020-07-17T16:46:01+02:00
ipatests: Increase timeout value in test_getcert_list_profile_using_subca

test_getcert_list_profile_using_subca test had a timeout value of 50
waiting for the cert to be in MONITORING state, this has now been
replaced with 300, since the certmonger request was in state SUBMITTING
instead of MONITORING causing the test to fail.

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
28caa22a by Rob Crittenden at 2020-07-17T14:49:41-04:00
Don't delegate the TGT in ipa-join

Pre 3.0.0 IPA delegated the TGT to enforce access control in
389-ds. At the point that S4U2Proxy support was added there
were still IPA 2.0.x servers in use so this delegation was
left in place in ipa-join so that enrollment would work.

Those days are long gone, remove that support in the XML and
JSON RPC requests.

https://pagure.io/freeipa/issue/8405

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
eff65495 by Christian Heimes at 2020-07-20T09:46:16+02:00
Teach pylint how dnspython 2.x works

pylint does not understand pylint's
globals().update(RdataType.__members__) trick.

Fixes: https://pagure.io/freeipa/issue/8419
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
6ff31dbf by sumenon at 2020-07-20T22:45:45-04:00
ipatests: Test for ipa-nis-manage CLI tool.

The testcases added check the various options of ipa-nis-manage CLI
tool as below

1. ipa-nis-mange enable
2. ipa-nis-manage disable
3. Enabling NIS pluging with invalid admin password

Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
27e9988f by François Cami at 2020-07-23T23:32:11+02:00
ipatests: xfail TestIpaClientAutomountFileRestore's final test

Due to a change in authselect, rolling back the installation
does not produce the same nsswitch.conf as on a clean install.
Mark the test xfail until ipa-client-install is enhanced to
use authselect profile backup/restore.

Related: https://pagure.io/freeipa/issue/8189
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
fcc99813 by sumenon at 2020-07-24T08:48:17-04:00
ipatests: Test to check IPACAChainExpirationCheck when IPA cacrt is renamed

This testcase checks that ERROR message is displayed
by IPACAChainExpirationCheck when ipa ca crt file is renamed.

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>

- - - - -
78acf0bc by Rob Crittenden at 2020-07-27T09:47:27-04:00
Add fips-mode-setup to ipaplatform.paths to determine FIPS status

This will be used by freeipa-healthcheck to report FIPS config
status. It is added here to avoid duplicating platform independence
in a sister project.

https://pagure.io/freeipa/issue/8429

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
1fc1947c by Florence Blanc-Renaud at 2020-07-27T15:58:15-04:00
ipatests: fix TestUnprivilegedUserPermissions

A new test has been added to TestUnprivilegedUserPermissions that
duplicates the steps done in the precedent test. As the tests
are usually run sequentially, no need to duplicate.

Fixes: https://pagure.io/freeipa/issue/8413
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
062e18c4 by Florence Blanc-Renaud at 2020-07-27T15:58:15-04:00
ipatests: Fix TestReplicaPromotionLevel1

A new test was added to TestReplicaPromotionLevel1 but was run
after the replica uninstallation. As the new test checks
the content of /etc/sssd/sssd.conf on the replica, merge it with the
previous test, when the replica is still installed.

Fixes: https://pagure.io/freeipa/issue/8414
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
3546fef0 by François Cami at 2020-07-28T19:33:11+02:00
ipatests: test_commands: test_login_wrong_password: look farther in time

Sometimes test_login_wrong_password fails because the log window the
string message is searched in is too narrow.
Broaden the window by looking at the past 10 seconds.

Fixes: https://pagure.io/freeipa/issue/8432
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
f7ed1597 by François Cami at 2020-07-29T09:00:26+02:00
ipatests: re-enable test_sss_ssh_authorizedkeys

Re-enable test_sss_ssh_authorizedkeys.

Related: https://pagure.io/freeipa/issue/8151
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
178d8096 by François Cami at 2020-07-29T09:00:26+02:00
ipatests: test_sss_ssh_authorizedkeys

Add debug information to the ssh invocation.

Related: https://pagure.io/freeipa/issue/8151
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
d5148c65 by François Cami at 2020-07-29T13:53:52+02:00
tasks: add run_ssh_cmd

Paramiko is not compatible with FIPS.
A replacement is needed, and since what clients use is "ssh",
create a shim over it so that tests can leverage it.

Fixes: https://pagure.io/freeipa/issue/8129
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
73ae4c77 by François Cami at 2020-07-29T13:53:52+02:00
ipatests: test_commands: test_ssh_key_connection: Paramiko=>OpenSSH

Paramiko is not compatible with FIPS.
Migrate test_ssh_key_connection to the OpenSSH CLI SSH(1).
Rationale: this is exactly what clients use.

Fixes: https://pagure.io/freeipa/issue/8129
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
5cc7a2b7 by François Cami at 2020-07-29T13:53:52+02:00
ipatests: test_user_permissions: test_selinux_user_optimized Paramiko=>OpenSSH

Paramiko is not compatible with FIPS.
Migrate test_selinux_user_optimized to the OpenSSH CLI SSH(1).
Rationale: this is exactly what clients use.

Fixes: https://pagure.io/freeipa/issue/8129
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
27ed8260 by François Cami at 2020-07-29T13:53:52+02:00
ipatests: test_commands: test_ssh_from_controller: refactor

test_ssh_from_controller does not use methods provided by tasks.py.
Refactor using those methods.

Related: https://pagure.io/freeipa/issue/8129
Signed-off-by: François Cami <fcami at redhat.com>

Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
112386f7 by François Cami at 2020-07-29T13:53:52+02:00
ipatests: test_commands: test_ssh_from_controller: Paramiko=>OpenSSH

Paramiko is not compatible with FIPS.
Migrate test_ssh_from_controller to the OpenSSH CLI SSH(1).
Rationale: this is exactly what clients use.

Fixes: https://pagure.io/freeipa/issue/8129
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
326e1334 by François Cami at 2020-07-29T13:53:52+02:00
ipatests: test_commands: test_login_wrong_password: Paramiko=>OpenSSH

Paramiko is not compatible with FIPS.
Migrate test_login_wrong_password to the OpenSSH CLI SSH(1).
Rationale: this is exactly what clients use.

Fixes: https://pagure.io/freeipa/issue/8129
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
a9f05578 by François Cami at 2020-07-29T13:53:52+02:00
ipatests: ui_driver: convert run_cmd_on_ui_host to tasks.py::run_ssh_cmd

Paramiko is not compatible with FIPS.
Migrate run_cmd_on_ui_host to the OpenSSH CLI SSH(1) using
tasks.py's run_ssh_cmd.
Rationale: this is exactly what clients use.

Fixes: https://pagure.io/freeipa/issue/8129
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
763d3b05 by François Cami at 2020-07-29T13:53:52+02:00
ipatests: test_otp: convert test_2fa_enable_single_prompt to run_ssh_cmd

Paramiko is not compatible with FIPS.
Migrate test_2fa_enable_single_prompt to the OpenSSH CLI SSH(1).
Rationale: this is exactly what clients use.
Also add a warning when test_2fa_disable_single_prompt is executed in FIPS mode.

Fixes: https://pagure.io/freeipa/issue/8129
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
b25bccc5 by Serhii Tsymbaliuk at 2020-07-29T14:06:55+02:00
WebUI: Fix issue with opening links in new tab/window

- fix table item links reference
- fix global menu links reference
- fix API browser side panel links
- fix tab links reference

Ticket: https://pagure.io/freeipa/issue/7137

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
d452e45f by Serhii Tsymbaliuk at 2020-07-29T14:06:55+02:00
WebUI tests: Change navigation tests to find menu items using data-name instead of href

Since menu pseudo-links was replaced with real one, navigation tests must be changed to not use href
for searching items.

Ticket: https://pagure.io/freeipa/issue/7137

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
55b7787e by Stanislav Levin at 2020-07-29T15:10:00-04:00
ipatests: Don't turn Pytest IPA deprecation warnings into errors

With new Pytest 6.0 [0]:

> PytestDeprecationWarning are now errors by default.
Following our plan to remove deprecated features with as little disruption as
possible, all warnings of type PytestDeprecationWarning now generate errors
instead of warning messages.

PytestWarnings are no longer marked as the part of public API, but as
internal warnings. It's unsafe to use bare PytestDeprecationWarning,
which is turned into the error on major releases.

[0]: https://github.com/pytest-dev/pytest/releases/tag/6.0.0

Fixes: https://pagure.io/freeipa/issue/8435
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
5dd56695 by Rob Crittenden at 2020-07-30T10:57:35+02:00
Replace SSLCertVerificationError with CertificateError for py36

This exception was added in python 3.7. Use CertificateError
instead which is an alias and will work with older python releases.

https://bugzilla.redhat.com/show_bug.cgi?id=1858318

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
eec5c9d8 by Christian Heimes at 2020-07-30T11:38:25+02:00
Allow to override ipaplatform with env var

The ipaplatform provider module can now be overriden by setting
IPAPLATFORM_OVERRIDE environment variable.

Fixes: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
02986ff4 by Christian Heimes at 2020-07-30T11:38:25+02:00
Add ipaplatform for Fedora and RHEL container

Container platforms for Fedora and RHEL simplify FreeIPA container
effort. Paths are based on patches from
https://github.com/freeipa/freeipa-container

Fixes: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
64b20aad by Christian Heimes at 2020-07-30T11:38:25+02:00
Write state dir to smb.conf

smb.conf now sets state and cache directory, then includes the registry.
This also allows us to write the final smb.conf before importing
remaining settings into the Samba registry.

Fixes: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
664007e0 by Christian Heimes at 2020-07-30T11:38:25+02:00
Explicitly pass keytab to ipa-join

ipa-join defaults to /etc/krb5.keytab. Use ``-k paths.KRB5_KEYTAB`` to
write the keytab to /data share in containers.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
8f6502db by Christian Heimes at 2020-07-30T11:38:25+02:00
Convert ipa-httpd-pwdreader into Python script

and use paths from ipaplatform.

Fixes: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
bb2dfbbf by sumenon at 2020-07-30T13:03:46+02:00
ipatests: Test IPACertNSSTrust check when trust attributes is modified for specific cert

This test modifies the trust attribute of Server-Cert
and checks that healthcheck tool reports correct status

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
550fbc0b by Rob Crittenden at 2020-07-30T13:08:18+02:00
ipatests: Test cases for healthcheck File checker(s)

These check for modified file ownership (user and group) and
too permissive and restrictive permissions across the three
types of files checked by the healthcheck FileCheck.

This replaces an existing test for TomcatFileCheck which adds
more functionality and consolidates all file checks together.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>

- - - - -
f12d3772 by Florence Blanc-Renaud at 2020-07-30T13:10:39+02:00
ipa-client-install: use the authselect backup during uninstall

When ipa-client-install is run on a system with no existing
authselect configuration (for instance a fedora 31 new install),
uninstallation is picking sssd profile but this may lead to
a configuration with differences compared to the pre-ipa-client
state.

Now that authselect provides an option to backup the existing
configuration prior to setting a profile, the client install
can save the backup name and uninstall is able to apply the
backup in order to go back to the pre-ipa-client state.

Fixes: https://pagure.io/freeipa/issue/8189
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
aac570bb by Florence Blanc-Renaud at 2020-07-30T13:10:39+02:00
ipatests: remove the xfail for test_nfs.py

Related: https://pagure.io/freeipa/issue/8189
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
143b23cb by Florence Blanc-Renaud at 2020-07-30T13:10:39+02:00
ipatests: fix test_authselect

Before the code fix, install/uninstall on a config without
any authselect profile was not able to restore the exact
state but configured sssd profile instead.

Now that the code is doing a pre-install backup, uninstall
restores the exact state and the test needs to be updated
accordingly.

Related: https://pagure.io/freeipa/issue/8189
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
5d9d6348 by Serhii Tsymbaliuk at 2020-07-30T14:24:26+03:00
WebUI: Fix error "unknown command 'idoverrideuser_add_member'"

There was wrong IPA.associator class used for 'Groups' -> 'User ID overrides' association,
as a result a wrong command was sent to the server.

Ticket: https://pagure.io/freeipa/issue/8416

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
bcae2094 by Serhii Tsymbaliuk at 2020-07-30T14:24:26+03:00
WebUI tests: Add test case to cover user ID override feature

The test case includes adding an user ID override to Default Trust View
and adding the ID override to some IPA group.

Ticket: https://pagure.io/freeipa/issue/8416

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c84b1db8 by Rob Crittenden at 2020-07-30T18:15:05+02:00
ipatests: Test that healthcheck detects and reports expiration

Set the date forward to while the certificates are still valid and
run healthcheck to confirm that an appropriate warning is made.

This validates two separate checks, one that relies on certmonger
to report expiration and one that relies on the data on disk to
determine expiration in case certmonger is out-of-date for some
reason (belt and suspenders).

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
07bc5e25 by Rob Crittenden at 2020-07-30T23:02:24+02:00
ipatests: Add healthcheck test for FileSystemSpaceCheck

Create a large file in one of the checked filesystems beyond
the allowed threshold and ensure that both the minimum space
and minimum percent errors are reported.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
e1027cc8 by Rob Crittenden at 2020-07-30T23:04:03+02:00
ipatests: verify that all services can be detected by healthcheck

Add fixture to handle restarting services so that if something
goes wrong in the test the service(s) will all be restarted
so that subsequent tests can pass. Services are restarted in
reverse order.

Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
d238fb4f by Rob Crittenden at 2020-07-31T12:47:00-04:00
ipatests: lib389 is now providing healthchecks, update naming

Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
61c71e4a by Rob Crittenden at 2020-07-31T12:47:00-04:00
ipatests: Use healthcheck namespacing in stopped server test

The test_run_with_stopped_master() test runs ipactl stop
and then verifies that all the errors relate to the services
not being available. The newly integrated PKI tests also
report errors in this case.

Use the namespacing introduced in freeipa-healthcheck-0.6
to limit the execution to the ipahealthcheck.meta checks
to avoid the spurious PKI errors.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
cf8ef6fd by Peter Keresztes Schmidt at 2020-07-31T17:38:39-04:00
ipa-backup/restore: remove remaining chdir calls

Closes: https://pagure.io/freeipa/issue/7416
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
0a3c98d2 by Florence Blanc-Renaud at 2020-08-03T19:16:32+02:00
ipatests: increase test_trust timeout

The integration test test_trust is often failing on timeout.
Add 30 minutes to increase the chances of completion.

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
9335bd92 by Florence Blanc-Renaud at 2020-08-03T18:00:08-04:00
CAless installation: set the perms on KDC cert file

In CA less installation, the KDC certificate file does not have
the expected 644 permissions. As a consequence, WebUI login
fails.

The fix makes sure that the KDC cert file is saved with 644 perms.

Fixes: https://pagure.io/freeipa/issue/8440
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a26e0ba5 by Florence Blanc-Renaud at 2020-08-03T18:00:08-04:00
ipatests: check KDC cert permissions in CA less install

The KDC certificate file must be stored with 644 permissions.
Add a test checking the file permissions on server + replica.

Related: https://pagure.io/freeipa/issue/8440
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
44259e8e by Mark Reynolds at 2020-08-04T10:54:57+03:00
Issue 8407 - Support changelog integration into main database

Description: Add support for both the old and new replication changelogs.
             First try to get and update the new entry, if it's not found
             then we know we need to update the old global changelog entry.

Fixes: https://pagure.io/freeipa/issue/8407

Signed-off-by: Mark Reynolds <mreynolds at redhat.com>

Fix missing self, and missing arg

Fix copy/paste error

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
3a42bc09 by Alexander Bokovoy at 2020-08-04T18:43:22+03:00
extdom-extop: refactor tests to use unshare+chroot to override nss_files configuration

Unit tests for ipa-extdom-extop plugin use nss_files.so.2 module to test the
functionality instead of relying on SSSD API or nss_sss.so.2 module. The latter
two cannot be used in build environment.

nss_files.so.2 always tries to open /etc/passwd and /etc/group. In past, we
overloaded 'fopen()' to change the path to opened file but this stops working
after glibc consolidate file opening in nss_files with the code starting at
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=299210c1fa67e2dfb564475986fce11cd33db9ad,
this method is not usable anymore and builds against glibc 2.31.9000+ fail in
cmocka unit test execution in Rawhide.

Apply an alternative approach that uses a new user namespace to unshare the
test from its parent and chroot to the test data where expected /etc/passwd and
/etc/group are provided. This method works only on Linux, thus only run the
unit test on Linux.

In case unshare() or chroot() fail, we have to skip tests that use
nss_files.so.2.

Fixes: https://pagure.io/freeipa/issue/8437
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
d55e339d by Florence Blanc-Renaud at 2020-08-04T13:34:56-04:00
ipatests: fix test_ipahealthcheck.py::TestIpaHealthCheck

test_ipa_healthcheck_expiring is assuming that it's executed
on a KRA-less installation, but the test is executed after
test_ipa_healthcheck_no_errors that configures the KRA.

With a KRA install, 12 certs are monitored instead of 9.

Fixes: https://pagure.io/freeipa/issue/8439
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c81cac70 by Stanislav Levin at 2020-08-04T13:47:28-04:00
pylint: Fix warning and error

- fixed W0612(unused-variable)
- added missing dependency on python-yaml

Fixes: https://pagure.io/freeipa/issue/8442
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
606f1abd by Florence Blanc-Renaud at 2020-08-05T14:02:37-04:00
ipatests: collect IPA_RENEWAL_LOCK file

In order to troubleshoot certmonger timeouts, collect the
file /run/ipa/renewal.lock that is used as cross-process lock
by ipa-server-guard.

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
61db3527 by Rob Crittenden at 2020-08-05T14:04:57-04:00
ipatests: Test healthcheck revocation checker

Revoke the Apache certificate and ensure that healthcheck properly
reports the problem.

Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
07341990 by Sergey Orlov at 2020-08-05T18:33:22-04:00
Fix password file permission

Invalid permission makes file unreadable by owner if he is not root.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ec367aa4 by Rob Crittenden at 2020-08-06T12:49:51+02:00
Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations

It was previously being set to 0444 which triggered a warning
in freeipa-healthcheck.

Even root needs DAC_OVERRIDE capability to write to a 0o444 file
which may not be available in some environments.

https://pagure.io/freeipa/issue/8441

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7e37b45e by Rob Crittenden at 2020-08-06T12:49:51+02:00
ipatests: Check permissions of /etc/ipa/ca.crt new installations

It should be 0644 root:root for both CA-ful and CA-less installs.

https://pagure.io/freeipa/issue/8441

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0fa86869 by Rob Crittenden at 2020-08-06T14:11:27+02:00
Simplify determining if an IPA server installation is complete

When asking the quesiton "is my IPA server configured?" right now
we look at whether the installation backed up any files and set
any state. This isn't exactly precise.

Instead set a new state, installation, to True as soon as IPA
is restarted at the end of the installer.

On upgrades existing installations will automatically get this
state.

This relies on the fact that get_state returns None if no state
at all is set. This indicates that this "new" option isn't available
and when upgrading an existing installation we can assume the
install at least partly works.

The value is forced to False at the beginning of a fresh install
so if it fails, or is in a transient state like with an external
CA, we know that the installation is not complete.

https://pagure.io/freeipa/issue/8384

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
4758db12 by Rob Crittenden at 2020-08-06T14:11:27+02:00
Simplify determining if IPA client configuration is complete

When asking the quesiton "is my IPA client configured?" right now
we look at whether the installation backed up any files and
/etc/ipa/default.conf exists.

Instead set a new state, installation, to True as soon as the
client installation finishes.

Unlike the server there is no upgrade process for clients so this
isn't going to be all that useful for quite some time unless that
changes because upgrading an existing install won't set this
to True.

https://pagure.io/freeipa/issue/8384

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
d7a4756d by Rob Crittenden at 2020-08-06T14:11:27+02:00
Create a common place to retrieve facts about an IPA installation

This is common to both client and server. Start with whether the
client or server is configured.

https://pagure.io/freeipa/issue/8384

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
5e027134 by Rob Crittenden at 2020-08-06T14:11:27+02:00
Don't use the has_files() to know if client/server is configured

Use the is_ipa_configure() and is_ipa_client_configured() utilities
instead which are much more robust.

https://pagure.io/freeipa/issue/8384

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
2c3a042c by Rob Crittenden at 2020-08-06T14:11:27+02:00
Update check_client_configuration to use new client fact

check_client_configuration differs from is_ipa_client_configured
in that it raises an exception if not configured so is a nice
convenience in AdminTool scripts. Port it to call to
is_ipa_client_configured() instead of determining the install
state on its own.

https://pagure.io/freeipa/issue/8384

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
99948590 by Christian Heimes at 2020-08-06T14:20:54+02:00
Don't configure authselect in containers

freeipa-container images come with authselect pre-configured. There is
no need to configure, migrate, or restore authselect. The --mkhomedir
option is not supported, too.

Related: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
06a344a5 by Stanislav Levin at 2020-08-06T10:13:52-04:00
ipatests: Add compatibility against python-cryptography 3.0

The recently released python-cryptography 3.0 has backward incompatible
changes. One of them [0] breaks FreeIPA self-tests.

Note: this requires python-cryptography 2.7+.

[0] https://github.com/pyca/cryptography/commit/3b2102af549c1095d5478bb1243ee4cf76b9762b

Fixes: https://pagure.io/freeipa/issue/8428
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
592f3fe6 by Kaleemullah Siddiqui at 2020-08-06T18:43:53+02:00
Tests for fake_mname parameter setup

fake_mname can be set through dnsserver-mod's --soa-mname-override
option which was not doable through same parameter setup in
/etc/named.conf

https://bugzilla.redhat.com/show_bug.cgi?id=1488732

Signed-off-by: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
df5526fb by Peter Keresztes Schmidt at 2020-08-07T12:42:50+02:00
WebUI: Make object_class_evaluator evaluator compatible with batch responses

Use data adapter in evaluator to be able to deal with batch
RPC responses.

Related: https://pagure.io/freeipa/issue/8336
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
2d87cd4a by Peter Keresztes Schmidt at 2020-08-07T12:42:50+02:00
WebUI: Unify adapter property definition for state evaluators

Move adapter property definition to IPA.state_evaluator since it
is used by all evaluators

Related: https://pagure.io/freeipa/issue/8336
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
e1750e2a by François Cami at 2020-08-07T12:50:25+02:00
ipatests: tasks.py: fix ipa-epn invocation

tasks.py::ipa_epn would previously fail to invoke ipa-epn with
from_nbdays=0.

Related: https://pagure.io/freeipa/issue/8449
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
41333b63 by François Cami at 2020-08-07T12:50:25+02:00
ipatests: test_epn: test_EPN_nbdays enhancements

Enhance test_EPN_nbdays so that it checks:
* that no emails get sent when using --dry-run
* that --from-nbdays implies --dry-run
* that --to-nbdays requires --from-nbdays
* illegal inputs for nbdays:
** from-nbdays > to-nbdays
** non-numerical input
** decimal input

Fixes: https://pagure.io/freeipa/issue/8449
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
2b85bfb0 by Stanislav Levin at 2020-08-07T17:49:31+03:00
Azure: Switch to dockerhub provider

`registry.fedoraproject.org/f32/fedora-toolbox` image is used to build
packages on Azure Pipelines.

registry.fedoraproject.org experiences an availability problem and makes
unstable FreeIPA CI.

Fedora also distributes its official images on https://hub.docker.com/_/fedora.
`fedora:32` is already used by FreeIPA CI to build the image for tests.

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
e5c09675 by Stanislav Levin at 2020-08-07T17:49:31+03:00
ipatests: Skip keyring tests on containerized platforms

The kernel keyrings are not namespaced yet.

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
e89b4007 by Christian Heimes at 2020-08-07T17:54:06+03:00
Treat container subplatforms like main platform

ipa-server-upgrade does not like platform mismatches. Upgrade from an
old container to recent container fails with error message:

```
  IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
  ("Unable to execute IPA upgrade: platform mismatch (expected 'fedora', current 'fedora_container')", 1)
```

Upgrade state now treats a container subplatform like its main platform.
``fedora_container`` is really a ``fedora`` platform with some paths
redirected to ``/data`` partition.

The patch also enhances debug logging for installer and upgrader.

Related: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0dc084a3 by Rob Crittenden at 2020-08-07T16:44:28-04:00
Address legacy pylint issues in sysrestore.py

These were triggered because of the movement of sysrestore.py in
the tree

https://pagure.io/freeipa/issue/8384

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
5fc526b1 by François Cami at 2020-08-07T17:14:24-04:00
IPA-EPN: Use a helper to retrieve LDAP attributes from an entry

Allow for empty attributes.

Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
3bd03ea9 by François Cami at 2020-08-07T17:14:24-04:00
IPA-EPN: fix configuration file typo

Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
a2bf5958 by Rob Crittenden at 2020-08-07T17:14:24-04:00
IPA-EPN: Test that users without givenname and/or mail are handled

The admin user does not have a givenname by default, allow for that.

Report errors for users without a default e-mail address.

Update the SHA256 hash with the typo fix.

Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
f2711321 by Florence Blanc-Renaud at 2020-08-10T12:04:41+02:00
ipatests: fix TestIpaHealthCheckWithoutDNS failure

TestIpaHealthCheckWithoutDNS is launched after
TestIpaHealthCheck::test_ipa_healthcheck_expiring that is playing with
the date. At the end of test_ipa_healthcheck_expiring, the date is
reset using systemctl start chronyd but the date may need time to adjust
and the subsequent tests may be launched with a system date set in the
future.

When this happens, dnf install fails because the certificate for
the package repo is seen as expired, and TestIpaHealthCheckWithoutDNS
fails.

In order to avoid this issue, reset the date to the value saved at the
beginning of the test.

Fixes: https://pagure.io/freeipa/issue/8447
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
6edf648d by François Cami at 2020-08-10T09:02:59-04:00
ipatests: test_epn: add test_EPN_connection_refused

Add a test for EPN behavior when the configured SMTP does not
accept connections.

Fixes: https://pagure.io/freeipa/issue/8445
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
22cf65b0 by François Cami at 2020-08-10T09:02:59-04:00
IPA-EPN: Fix SMTP connection error handling

Enhance error message when SMTP is down.

Fixes: https://pagure.io/freeipa/issue/8445
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c5853768 by Rob Crittenden at 2020-08-10T11:49:57-04:00
ipatests: CLI validation of ipa-healthcheck command

Test for illegal input values.

Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>

- - - - -
143dea18 by Rob Crittenden at 2020-08-10T11:49:57-04:00
Added negative test case for --list-sources option

Negative test test_append_arguments_to_list_sources added
to --list-sources

Signed-off-by: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>

- - - - -
97006786 by François Cami at 2020-08-12T09:02:08-04:00
IPA-EPN: enhance input validation

Enhance input validation:
* make sure --from-nbdays and --to-nbdays are integer
* make sure --from-nbdays < --to-nbdays

Fixes: https://pagure.io/freeipa/issue/8444
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
5452f020 by François Cami at 2020-08-12T09:02:08-04:00
ipatests: test_epn: update error messages

Update error messages in the test.

Fixes: https://pagure.io/freeipa/issue/8449
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
400ef3aa by sumenon at 2020-08-17T09:07:12+02:00
ipatests: Tests for ipahealthcheck tool with IPA external

This testsuite checks whether the healthcheck tool reports
correct status in a scenario when IPA server is setup with
external self-signed CA. Below are the checks covered

IPACRLManagerCheck
IPACertmongerCA
IPAOpenSSLChainValidation
IPANSSChainValidation
IPARAAgent

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>

- - - - -
7642ce35 by sumenon at 2020-08-17T09:07:12+02:00
Modified nightly YAML files to include ipa-healthcheck ExternalCA Tests

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>

- - - - -
777147e0 by Stanislav Levin at 2020-08-17T10:40:44+02:00
rpm-spec: Don't fail on missing /etc/ssh/ssh_config

openssh-clients is not a strict requirement of freeipa-client
package and if it's missing then this case should be handled in
post scriptlet of freeipa-client package. Otherwise, the remaining
part of that scriptlet will not be run at all.

Fixes: https://pagure.io/freeipa/issue/8459
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b9ae7c45 by Mark Reynolds at 2020-08-17T10:44:03+02:00
Issue 8456 - Add new aci's for the new replication changelog entries

Description:  We need a read and a write aci for the new changelog location,
              which was moved from cn=changelog5,cn=config to
              cn=changelog,cn=BACKEND,cn=ldbm database,cn=plguins,cn=config

              The read aci allows the replica hostgroup entry to find and
              read the changelog confguration, and the write allows the replica
              to update the changelog with a proper trimming settings.

Fixes: https://pagure.io/freeipa/issue/8456

Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
89d86dac by Stanislav Levin at 2020-08-17T10:46:23+02:00
uninstall: Don't fail on missing /var/lib/samba

On some distros freeipa-server package may not depend on
`/var/lib/samba` directory. In this case an uninstallation of
ipaserver fails.

Fixes: https://pagure.io/freeipa/issue/8461
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
5c1e4483 by Stanislav Levin at 2020-08-17T10:46:23+02:00
uninstall: Clean up no longer used flag

The `_server_trust_ad_installed` was added as a flag which
indicates that `freeipa-server-trust-ad` package is installed.
Later, `ipaserver/install/adtrustinstance.py` module was moved out
into `freeipa-server` package and the import became unconditionally
successful.

Fixes: https://pagure.io/freeipa/issue/8461
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
03a5e5f3 by Stanislav Levin at 2020-08-17T10:46:23+02:00
spec: Move ipa-cldap plugin out to freeipa-server-trust-ad package

This ns-slapd plugin is used as a CLDAP server which responses to
AD DCs with an information about IPA domain. So, logically it
belongs to freeipa-server-trust-ad package.

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f7a6c468 by Florence Blanc-Renaud at 2020-08-17T14:36:16-04:00
ipatests: remove xfail from test_dnssec

The nightly test test_dnssec.py::TestInstallDNSSECFirst::test_chain_of_trust
used to fail because of https://github.com/rthalley/dnspython/issues/343,
but the issue has been fixed upstream and does not happen any more since
PRCI is using python3-dns-1.16.0-7.

Remove the xfail.

Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>

- - - - -
af5138c2 by Rob Crittenden at 2020-08-18T11:06:04+02:00
IPA-EPN: Test that EPN can be install, uninstalled and re-installed

Verify that no cruft is left over that will prevent reinstallation
if it is uninstalled.

Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
a8d5e6bb by Rob Crittenden at 2020-08-18T11:11:26+02:00
Fall back to old server installation detection when needed

If there is no installation section the the install pre-dated
this new method of detecting a successful installation, fall back
to that.

https://pagure.io/freeipa/issue/8458

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
2bdb18d5 by Rob Crittenden at 2020-08-18T11:11:26+02:00
Use is_ipa_configured from ipalib.facts

A couple of places still used the deprecated installutils version.

https://pagure.io/freeipa/issue/8458

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
25e042d3 by Rob Crittenden at 2020-08-18T11:11:26+02:00
ipatests: Add test for is_ipa_configured

Validate that is_ipa_configured() returns True when using either
the original and the new configuration methods. This will allow
older installs to successfully upgrade.

https://pagure.io/freeipa/issue/8458

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
18a8a415 by Rob Crittenden at 2020-08-19T13:59:11-04:00
Improve performance of ipa-server-guard

* Drop support for python 2
* Only import traceback and syslog when needed
* Only import ipaserver.install.certs when the lock is needed
* Only import ipautil when run is needed

For the unsupported operations case this improves performance by
95%

For the supported operations that don't require a lock the
improvement is about 50%.

For the supported operations that require a lock the improvement
is about 20%

When configuring a CA certmonger calls its helper with the
following operations:

IDENTIFY
FETCH-ROOTS
GET-SUPPORTED-TEMPLATES
GET-DEFAULT-TEMPLATE
GET-NEW-REQUEST-REQUIREMENTS
GET-RENEW-REQUEST-REQUIREMENTS
FETCH-SCEP-CA-CAPS
FETCH-SCEP-CA-CERTS

Only IDENTIFY, FETCH-ROOTS and GET-NEW-REQUEST-REQUIREMENTS are
supported by ipa-submit, along with the request options SUBMIT and
POLL.

Which means every time the IPA CA in certmonger is updated
eight calls to ipa-server-guard are made so the savings are
cumulative.

The savings when executing these eight operations is a 73% decrease
(.7 sec vs 2.5 sec).

https://pagure.io/freeipa/issue/8425

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
454e023a by Rob Crittenden at 2020-08-19T14:01:01-04:00
ipatests: stop the CA during healthcheck expiration test

Time is moved during the test to ensure that ipa-healthcheck
finds expired certificates. It's possible that certmonger will also
wake up and renew the certificates before ipa-healthcheck can
execute so shut down the CA during the test.

https://pagure.io/freeipa/issue/8463

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>

- - - - -
c08c7e11 by Mark Reynolds at 2020-08-19T14:02:27-04:00
Increase replication changelog trimming to 30 days

A long time ago the DS team recommended that the changelog trimming interval be set to 7 days.  However, more recently we tend to see more time skews on certain platforms, and issues where it appears changes were trimmed too early (which can break replication).

It would be better to set the trimming interval to 30 days.  This still prevents the changelog from getting too large, and it should help with some of the other issues we are now seeing.

Fixes: https://pagure.io/freeipa/issue/8464

Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
abd0cbfc by Mohammad Rizwan at 2020-08-19T14:04:43-04:00
ipatests: Test certmonger rekey command works fine

Certmonger's rekey command was throwing an error as
unrecognized command. Test is to check if it is working fine.

related: https://bugzilla.redhat.com/show_bug.cgi?id=1249165

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
20ece52b by Alexander Bokovoy at 2020-08-20T13:01:49+03:00
master: update po/ipa.pot

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
4fdf69ad by Alexander Bokovoy at 2020-08-20T13:05:57+03:00
Add alternative email to the mailmap for myself

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
11a64478 by Alexander Bokovoy at 2020-08-20T13:09:14+03:00
Add new contributors

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
de105aa8 by Stanislav Levin at 2020-08-23T09:16:18+03:00
pylint: Teach pylint about more RRs types

There are many types of RRs which are provided by dnspython.
This is not all, but enough for now to fix linting errors
caused by new dnspython 2.0.

Fixes: https://pagure.io/freeipa/issue/8468
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
6e858725 by Stanislav Levin at 2020-08-23T09:16:18+03:00
pylint: Fix warning W0612(unused-variable)

New warnings were found by new pylint (2.5.3).

Fixes: https://pagure.io/freeipa/issue/8468
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ec6369ca by Stanislav Levin at 2020-08-23T09:16:18+03:00
pylint: Ignore `super-with-arguments`

Pylint 2.6.0 added new check:
> Add super-with-arguments check for flagging instances of Python 2
style super calls.

According to PEP 3135 this form of `super` is syntactic sugar and
is not mandatory. Right now there are 566 affected `super`s.

http://pylint.pycqa.org/en/latest/whatsnew/changelog.html#what-s-new-in-pylint-2-6-0
https://www.python.org/dev/peps/pep-3135/

Fixes: https://pagure.io/freeipa/issue/8468
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
8831b9b6 by Stanislav Levin at 2020-08-23T09:16:18+03:00
pylint: Ignore `raise-missing-from`

Pylint 2.6.0 introduces new check:
> Add raise-missing-from check for exceptions that should have a
cause.

According to PEP 3134 the implicit exception chaining is valid and
can be used.

http://pylint.pycqa.org/en/latest/whatsnew/changelog.html#what-s-new-in-pylint-2-6-0
https://www.python.org/dev/peps/pep-3134/

Fixes: https://pagure.io/freeipa/issue/8468
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b3d7a70e by Mohammad Rizwan at 2020-08-24T10:00:05+03:00
ipatests: Add PTR record for IP SAN

If PTR record is missing for an IP address then cert request
with SAN option throws an error. This fix is to add the PTR
record so that cert request doesn't throw an error.

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>

- - - - -
bddbfb79 by Mohammad Rizwan at 2020-08-24T10:00:05+03:00
ipatests: add --skip-overlap-check option to prepare_reverse_zone()

add --skip-overlap-check in case it overlap with an existing zone
or with dnszone outside of IPA.

Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>

- - - - -
1abeb85f by Mohammad Rizwan at 2020-08-24T10:00:05+03:00
PEP8 fixes

PEP8 fixes for visual indent, line > 79, blank line required etc

Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>

- - - - -
3f5f68e7 by Sumedh Sidhaye at 2020-08-24T10:22:02+02:00
test_cert.py is timing out due to newly added test test_cert.py::TestCertmongerRekey which needs more time to execute. Adding additional 30 mins to the timeout in order to complete the test run

Failing test run:
http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/249e30e4-e349-11ea-ac03-fa163e1ffcbd

Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
0a01f576 by Alexander Bokovoy at 2020-08-24T11:55:46+02:00
test_smb: make sure both smbserver and smbclient use IPA master for DNS

test_smb test suite sets up IPA master, AD forest, and two clients.
The clients are used as an SMB server and an SMB client and they need to
resolve and authenticate AD users with Kerberos.

Previously, the test only configured SMB client to use IPA master as its
DNS server. SMB server wasn't using IPA master and thus any attempt to
resolve SRV records from AD DNS zone was failing.

Make sure that both SMB client's and SMB server's DNS resolution is set
up in the same way.

Fixes: https://pagure.io/freeipa/issue/8344

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
b279b3a7 by Armando Neto at 2020-08-24T09:03:41-03:00
ipatests: Bump PR-CI templates

New template images for ci-master-f32 to include latest packages.

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
4a89da53 by Rob Crittenden at 2020-08-25T10:31:19-04:00
ipatests: Add option/arg parsing tests for the cli

A typo in passing in options would result in an exception.

For example -verbose was treated as: -v -e rbose

-v and -e are valid options. rbose on its own has no value in the
name-value pair so an exception would result.

https://pagure.io/freeipa/issue/6115

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
12dfb0fc by Rob Crittenden at 2020-08-25T10:31:19-04:00
cli: When parsing options require name/value pairs

If single-option values are combined together with invalid options
an exception would be raised.

For example -verbose was treated as -v -e rbose. Since rbose isn't
a name/value pair things would blow up. This is now caught and
a somewhat more reable error returned. The -v and -e are consumed,
not much we can do about that, but at least a more usable error is
returned.

https://pagure.io/freeipa/issue/6115

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
4420ae81 by Sergey Orlov at 2020-08-26T13:30:19-04:00
ipatests: refactor test for login using cifs alias principal

The test had two problems:
* if it was failing,  samba services were not started and all other
tests also failed
* Utility for copying keys obscured fatal problems i.e. if file does not
exist or can not be parsed.

Fixed by moving the check to separate test and raising exceptions in
KerberosKeyCopier on any unexpected problem.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
6da5cc32 by Sergey Orlov at 2020-08-26T13:30:19-04:00
ipatests: simplify fixture

Fixture enable_smb_client_dns_lookup_kdc had an unobvious structure
"contextmanage inside pytest fixture". Replaced with simple pytest
fixture.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ec67022a by Florence Blanc-Renaud at 2020-08-28T14:45:15+02:00
ipatests: run test_ipahealthcheck.py::TestIpaHealthCheck separately

The test is changing the date back and forth. Due to PRCI
infra issue, chronyd is not able to connect to the default
NTP servers from the fedora pool, and the date is not
synchronized any more after this test.

To avoid polluting other tests, run this one separately.

Fixes: https://pagure.io/freeipa/issue/8472
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>

- - - - -
2c15e996 by Florence Blanc-Renaud at 2020-08-28T14:45:15+02:00
ipatests: add missing healthcheck test in PRCI nightlies

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>

- - - - -
173cd9b9 by Stanislav Levin at 2020-08-31T09:42:31+03:00
spec: Require ldns-utils

drill util helps to get information about DNSSEC for testing.

Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
a9334ce5 by Stanislav Levin at 2020-08-31T09:42:31+03:00
named: Remove no longer used paths

Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
5c907e34 by Stanislav Levin at 2020-08-31T09:42:31+03:00
named: Allow using of a custom OpenSSL engine for BIND

For now Debian, Fedora, RHEL, etc. build BIND with 'native PKCS11'
support. Till recently, that was the strict requirement of DNSSEC.
The problem is that this restricts cross-platform features of FreeIPA.

With the help of libp11, which provides `pkcs11` engine plugin for
the OpenSSL library for accessing PKCS11 modules in a semi-
transparent way, FreeIPA could utilize OpenSSL version of BIND.

BIND in turn provides ability to specify the OpenSSL engine on the
command line of `named` and all the BIND `dnssec-*` tools by using
the `-E engine_name`.

Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
bed09b7f by Stanislav Levin at 2020-08-31T09:42:31+03:00
DNSKeySyncInstance: Populate named/ods uid/gid on instantiation

Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
85ed106d by Stanislav Levin at 2020-08-31T09:42:31+03:00
upgrade: Handle migration of BIND OpenSSL engine

Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
721435cf by Stanislav Levin at 2020-08-31T09:42:31+03:00
named: Make use of 'pkcs11' OpenSSL engine for BIND on Fedora31

Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
53b341f9 by Stanislav Levin at 2020-08-31T09:42:31+03:00
spec: Bump required openssl-pkcs11 and softhsm

Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
8716881f by Stanislav Levin at 2020-08-31T09:42:31+03:00
service: Allow service to clean up its state

Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
ecfaf897 by Stanislav Levin at 2020-08-31T09:42:31+03:00
named: Don't override custom command line options for named

Custom options can be supplied by a vendor via 'OPTIONS' env
variable(platform specific) and IPA installer will override them
in this case. Thus, at least, the base parsing of existing options
is required.

Current named command line options:
NS_MAIN_ARGS "46A:c:C:d:D:E:fFgi:lL:M:m:n:N:p:P:sS:t:T:U:u:vVx:X:"

If there are several same options the last passed wins.

Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
e2030b8c by Stanislav Levin at 2020-08-31T09:42:31+03:00
named: Include crypto policy in openssl config

On platforms which have system-wide crypto policy the latter has
to be included in openssl config.

Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
92157bc8 by Stanislav Levin at 2020-08-31T09:42:31+03:00
ipa-dnskeysyncd: Raise loglevel to DEBUG

Previously, the logging level of StreamHandler for ipa-dnskeysyncd
was restricted to INFO via `standard_logging_setup(verbose=False)`.
Thus, it was impossible to get messages having lower level.

This also sets the loglevel for ipa-dnskeysyncd to DEBUG for
troubleshooting.

Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
0d326a90 by Stanislav Levin at 2020-08-31T09:46:03+03:00
Azure: Add Rawhide definitions

- allow override variables template file with an externally
provided one. This allows to add new Azure Pipeline which will
point to a custom platform definition. Note: Azure's WebUI
variables are runtime variables and not available at parsing time,
that's why it's impossible to override template from WebUI in
this case.

- add Rawhide templates

- add Dockerfile for build Rawhie Docker image for tests phase
Note: 'fedora:rawhide' is too old, use for now
'registry.fedoraproject.org/fedora:rawhide'.
See, https://bugzilla.redhat.com/show_bug.cgi?id=1869612

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
60ff2841 by Stanislav Levin at 2020-08-31T09:46:03+03:00
Azure: Drop dependency on UsePythonVersion task

Python is provided by the Docker container image and it's no
longer needed to bind mount host's Python into container.

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a5b23287 by Stanislav Levin at 2020-08-31T09:46:03+03:00
Azure: base: Collect both install and uninstall logs

Some applications remove their logs on uninstallation.
As a result of this, Azure lost `install` logs.

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a102cfe5 by Stanislav Levin at 2020-08-31T09:46:03+03:00
nss: Raise exception earlier on unsupported DB type

For now FreeIPA handles explicit migration of NSS DB (dbm->sql).
But Mozilla's NSS can be built without the support of legacy database
(DBM). This implies that neither implicit nor explicit DB migration
to SQL will work. So, eventually, this support will be removed from
FreeIPA.

With this patch, the instantiation of NSS with legacy db(if not
supported by NSS) is forbidden.

Fixes: https://pagure.io/freeipa/issue/8474
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f3d10871 by Stanislav Levin at 2020-08-31T09:46:03+03:00
deps: Require `nss-tools` for make's fasttest target

Otherwise, tests fail with:
```
E               FileNotFoundError: [Errno 2] No such file or directory: '/usr/bin/certutil'
...
=================================== short test summary info ===================================
FAILED test_ipapython/test_certdb.py::test_dbm_tmp - FileNotFoundError: [Errno 2] No such fi...
FAILED test_ipapython/test_certdb.py::test_sql_tmp - FileNotFoundError: [Errno 2] No such fi...
FAILED test_ipapython/test_certdb.py::test_convert_db - FileNotFoundError: [Errno 2] No such...
FAILED test_ipapython/test_certdb.py::test_convert_db_nokey - FileNotFoundError: [Errno 2] N...
FAILED test_ipapython/test_certdb.py::test_auto_db - FileNotFoundError: [Errno 2] No such fi...
FAILED test_ipapython/test_certdb.py::test_delete_cert_and_key - FileNotFoundError: [Errno 2...
FAILED test_ipapython/test_certdb.py::test_check_validity - FileNotFoundError: [Errno 2] No ...
...
```

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
30cf59d0 by Stanislav Levin at 2020-08-31T09:46:03+03:00
Azure: Increase verbosity for Tox task

This allows to debug issues happened during packages installation:

> -v, --verbose     increase verbosity of reporting output.
-vv mode turns off output redirection for package installation,
above level two verbosity flags are passed through to pip (with two less
level) (default: 0)

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
fdb227e5 by Stanislav Levin at 2020-08-31T09:46:03+03:00
tox: Don't expand symlinks

`virtualenv` < 20.0.0 copies system python binary into virt
environment and then links `python` to it. While
`virtualenv` >= 20.0.0 directly links `python` to system python
binary (without copying).

`realpath` by default expands symlinks. Thereby, pip attempts to
install packages into the system's site-packages and
fails with 'Permission denied' (non-privileged user).

Fixes: https://pagure.io/freeipa/issue/8475
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
49e64378 by Stanislav Levin at 2020-08-31T09:46:03+03:00
dnspython: Add compatibility shim

`dnspython` 2.0.0 has many changes and several deprecations like:

```
> dns.resolver.resolve() has been added, allowing control of whether
search lists are used. dns.resolver.query() is retained for backwards
compatibility, but deprecated. The default for search list behavior can
be set at in the resolver object with the use_search_by_default
parameter. The default is False.

> dns.resolver.resolve_address() has been added, allowing easy
address-to-name lookups.
```

The new class `DNSResolver`:
- provides the compatibility layer
- defaults the previous behavior (the search list configured in the
  system's resolver configuration is used for relative names)
- defaults lifetime to 15sec (determines the number of seconds
  to spend trying to get an answer to the question)

Fixes: https://pagure.io/freeipa/issue/8383
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b450c9bd by Stanislav Levin at 2020-08-31T17:24:40+03:00
dns: Make use of `resolve_address` of a current resolver instead of the global one

For now, `resolve_address` for dnspython < 2.0.0 is actually
the instance method of the global DNSResolver object and is not
the instance method of the corresponding object from which it was
called. This can result in unexpected behavior.

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b54d9364 by Fraser Tweedale at 2020-09-03T13:56:45+02:00
delete unused subroutine get_host_name()

Commit a42a711394178a459bde006e6b49ed799a7cce1a, from September
2018, removed the only call site of installutils.get_host_name().
Delete the definition.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9094dfc2 by Fraser Tweedale at 2020-09-03T13:58:59+02:00
install: simplify host name verification

Perform a small refactor to the installer code that chooses and
verifies the hostname.  In particular:

- choice of hostname is separate from validation
- read_host_name no longer performs validation
- verify_fqdn is now called from one place
- if/else branches are now "balanced"

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
15f168c1 by Sudhir Menon at 2020-09-03T15:56:15+02:00
ipatests: Install healthcheck pkg for TestIpaHealthCheckWithADtrust

Tests for TestIpaHealthCheckWithADtrust are failing since
package is not installed, this patch installs
healthcheck pkg on the IPA Master.

Patch to install healthcheck package for TestIpaHealthCheckWithExternalCA

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
50fdc808 by Florence Blanc-Renaud at 2020-09-07T09:25:25+02:00
ipatests: fix bind service name

With the commit 721435cf7f2ed41fe807c34022fed31c792b4497
the service name for bind is now 'named' instead of
'named-pkcs11' on fedora. The ipa-healthcheck test was hardcoding
the service name but it should instead use the name stored in
knownservices.named.systemd_name as it varies depending on
the OS.

Fixes: https://pagure.io/freeipa/issue/8482
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
68328299 by François Cami at 2020-09-09T17:49:23-04:00
SELinux Policy: let custodia replicate keys

Enhance the SELinux policy so that custodia can replicate sub-CA keys
and certificates:
allow ipa_custodia_t self:tcp_socket { bind create };
allow ipa_custodia_t node_t:tcp_socket node_bind;
allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
allow ipa_custodia_t pki_tomcat_cert_t:file create;
allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
allow ipa_custodia_t self:process execmem;

Found by: test_replica_promotion::TestSubCAkeyReplication

Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
dbc7881e by Florence Blanc-Renaud at 2020-09-10T09:14:50+02:00
dnsforwardzone-add: support dnspython 2.0

The command dnsforwardzone-add is assuming that the dns.rrset.RRset
type stores "items" as a list. With dnspython 2.0 this is not true
as a dict is used instead.

As a consequence, in order to get the first record, it is not possible
to use items[0]. As dict and list are both iterables, next(iter(items))
can be used in order to be compatible with dnspython 1.16 and 2.0.

Fixes: https://pagure.io/freeipa/issue/8481
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
040d48fa by Rob Crittenden at 2020-09-10T09:21:25+02:00
ipatests: test ipa_server_certinstall with an IPA-issued cert

ipa-server-certinstall takes a slightly different code path if
the replacement certificate is IPA-issued so exercise that path.

This replaces the Apache cert with itself which is a bit of a no-op
but it still goes through the motions.

https://pagure.io/freeipa/issue/8204

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
f249c51b by Rob Crittenden at 2020-09-10T09:21:25+02:00
Set the certmonger subject with a string, not an object

ipa-server-certinstall goes through a slightly different code path
if the replacement certificate is issued by IPA. This was setting
the subject using cert.subject which is a Name object and not the
string representation of that object. This was failing in the
dbus call to certmonger.

https://pagure.io/freeipa/issue/8204

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
d00106b3 by Alexander Bokovoy at 2020-09-10T11:57:14-04:00
ipa-kdb: support getprincs request in kadmin.local

kadmin.local getprincs command results in passing '*' as a principal to
KDB driver function that looks up the principals.

The whole filter looks like this

 (&(|
    (objectclass=krbprincipalaux)
    (objectclass=krbprincipal)
    (objectclass=ipakrbprincipal))
   (|(ipakrbprincipalalias=*)
     (krbprincipalname:caseIgnoreIA5Match:=*)))

There are two parts of the LDAP filter we use to look up principals, the
part with 'krbprincipalname' uses extensible filter syntax of RFC 4515
section 3:

      extensible     = ( attr [dnattrs]
                           [matchingrule] COLON EQUALS assertionvalue )
                       / ( [dnattrs]
                            matchingrule COLON EQUALS assertionvalue )

In case we've got a principal name as '*' we have to follow RFC 4515
section 3 and reencode it using <valueencoding> rule from RFC 4511
section 4.1.6 but only to the part of the filter that does use assertion
value.

Fixes: https://pagure.io/freeipa/issue/8490

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ba1a7b97 by Alexander Bokovoy at 2020-09-10T11:57:14-04:00
ipa-kdb: test kadmin.local getprincs command

Fixes: https://pagure.io/freeipa/issue/8490
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
21186540 by Armando Neto at 2020-09-10T18:36:25+02:00
ipatests: Bump PR-CI templates

New templates with a previously working version of `geckodriver`.

Issue: https://pagure.io/freeipa/issue/8473

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
0a2b6ca6 by Christian Heimes at 2020-09-11T13:22:42-04:00
Only restart DS when duplicate cacrt was found

The update_fix_duplicate_cacrt_in_ldap plugin no longer restarts DS when
CA is disabled or no duplicate cacrt entry was dedected.

Related: https://pagure.io/freeipa/issue/7125
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
2265cb86 by Rob Crittenden at 2020-09-14T09:14:37+03:00
Don't allow both a zone name and --name-from-ip to be provided

--name-from-ip will generate a zone name so there is no point in
the user providing one. If one is provided and doesn't match the
generated name then a validation exception is raised.

https://pagure.io/freeipa/issue/8446

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>

- - - - -
e92a4ba4 by Rob Crittenden at 2020-09-14T09:14:37+03:00
ipatests: test that a zone name and name-from-ip will be rejected

If a zone name is provided then name-from-ip makes little sense,
don't allow it.

https://pagure.io/freeipa/issue/8446

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>

- - - - -
cdf830af by Rob Crittenden at 2020-09-14T09:15:59+03:00
De-duplicate ACI attributes and permissions

Ensure uniqueuess in attributes and permissions in the ACI class.

A set() is not used because it doesn't guarantee order which ends up
causing cascading and unpredictable test failures. Since all we
really need is de-duplication and not a true mathematical set iterating
through the list is sufficiently fast, particularly since the number
of elements will always be low.

https://pagure.io/freeipa/issue/8443

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
2656c468 by Rob Crittenden at 2020-09-14T09:15:59+03:00
Use ACI class set_permissions() method to set permissions

This will ensure uniqueuess and that the ACI has the right
datatype without the caller worrying about it.

https://pagure.io/freeipa/issue/8443

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
2e4431af by Rob Crittenden at 2020-09-14T09:15:59+03:00
ipatests: Add test for ACI attribute and permission uniqueness

https://pagure.io/freeipa/issue/8443

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
cfad7af3 by Rob Crittenden at 2020-09-14T09:17:33+03:00
Require at least 1.6Gb of available RAM to install the server

Verify that there is at least 1.6Gb of usable RAM on the system. Swap
is not considered. While swap would allow a user to minimally install
IPA it would not be a great experience.

Using any proc-based method to check for available RAM does not
work in containers unless /proc is re-mounted so use cgroups
instead. This also handles the case if the container has memory
constraints on it (-m).

There are envs which mount 'proc' with enabled hidepid option 1
so don't assume that is readable.

Add a switch to skip this memory test if the user is sure they
know what they are doing.

is_hidepid() contributed by Stanislav Levin <slev at altlinux.org>

https://pagure.io/freeipa/issue/8404

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
fc271a55 by Rob Crittenden at 2020-09-14T09:17:33+03:00
ipatests: Add tests for checking available memory

The tests always force container or no container so they should
run the same in any environment.

The following cases are handled:

- container, no cgroups
- container, insufficent RAM
- container, sufficient RAM for no CA
- container, insufficient RAM with CA
- non-container, sufficient RAM
- non-container, insufficient RAM

https://pagure.io/freeipa/issue/8404

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
20b55f40 by Rob Crittenden at 2020-09-14T09:19:01+03:00
Add index for more trust-related attributes

Add index for ipaNTTrustPartner, ipaNTSecurityIdentifier and
krbprincipalname

https://pagure.io/freeipa/issue/8491

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
31bc0df6 by Alexander Bokovoy at 2020-09-14T14:00:20+03:00
Specify memory limits as strings for docker compose

Fixes the following error in Azure Pipelines CI after upgrade of Docker
setup:

[2020-09-14 06:50:07] The Compose file './docker-compose.yml' is invalid because:
[2020-09-14 06:50:07] services.client.mem_limit contains an invalid type, it should be a string

Fixes: https://pagure.io/freeipa/issue/8494
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
05da1f7f by Christian Heimes at 2020-09-15T08:58:28+03:00
Add krbPrincipalName pres index correctly

See: 20b55f4017ab42113f1ced829a4b4afa17839b55
See: https://pagure.io/freeipa/issue/8491
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
26ae95f4 by Armando Neto at 2020-09-15T09:11:21-03:00
ipatests: Add nightly definitions for enforcing mode

Duplicates the scenario for nightly_latest.yaml and
nightly_latest_testing.yaml setting `selinux_enforcing` parameter
as True.

Indentation for all definitions have been fixed.

Issue: https://github.com/freeipa/freeipa-pr-ci/issues/391

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
c31bf3d4 by François Cami at 2020-09-17T15:59:00+02:00
ipatests: check that pkispawn log is not empty

Since commits:
https://github.com/dogtagpki/pki/commit/0102d836f4eac0fcea0adddb4c98d5ea05e4e8f6
https://github.com/dogtagpki/pki/commit/de217557a642d799b1c4c390efa55493707c738e
pkispawn will not honor the pki_log_level configuration item.
All 10.9 Dogtag versions have these commits.
This affects FreeIPA in that it makes debugging Dogtag installation issues next
to impossible.
Adding --debug to the pkispawn CLI is required to revert to the previous
behavior.
Therefore check that the log is not empty and contains DEBUG+INFO lines.

Fixes: https://pagure.io/freeipa/issue/8503
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
be7bf98b by François Cami at 2020-09-17T15:59:00+02:00
dogtaginstance.py: add --debug to pkispawn

Since commits:
https://github.com/dogtagpki/pki/commit/0102d836f4eac0fcea0adddb4c98d5ea05e4e8f6
https://github.com/dogtagpki/pki/commit/de217557a642d799b1c4c390efa55493707c738e
pkispawn will not honor the pki_log_level configuration item.
All 10.9 Dogtag versions have these commits.
This affects FreeIPA in that it makes debugging Dogtag installation issues next
to impossible.
Adding --debug to the pkispawn CLI is required to revert to the previous
behavior.

Fixes: https://pagure.io/freeipa/issue/8503
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c0461eb3 by Fraser Tweedale at 2020-09-18T14:17:03-04:00
spec: require pki-acme if pki-ca >= 10.10

We can use conditional dependencies (described at [1]) to require
the pki-acme package if pki-ca >= 10.10.0 (the version at which the
ACME service was separated to a subpackage).

[1] https://rpm.org/user_doc/boolean_dependencies.html

I have tested this with repos having only pki-10.9.x (and therefore
no pki-acme package), and dnf is happy.  I have also testing package
installation with pki-10.10 packages installed, but /without/
pki-acme installed. pki-acme was seen as a missing dependency and
installed alongside the freeipa packages.  This change seems to
satisfy all the scenarios.

Related: https://github.com/dogtagpki/pki/pull/513
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
b606fa6c by Christian Heimes at 2020-09-18T14:20:08-04:00
Duplicate CA CRT: ignore expected cert

When search for duplicate CA certs ignore the one expected entry.

Related: https://pagure.io/freeipa/issue/7125
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
8ba15027 by Florence Blanc-Renaud at 2020-09-21T18:12:03-04:00
test_smb: skip test_smb_service_s4u2self for fed31

The test test_integration/test_smb.py::TestSMB::test_smb_service_s4u2self
is expected to fail in Fedora <= 31 as it requires krb >= 1.18
that is shipped from fedora 32 only.

Skip the test depending on the fedora version.

Fixes: https://pagure.io/freeipa/issue/8505
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
3c86baf0 by Christian Heimes at 2020-09-21T18:13:51-04:00
Don't create DS SSCA and self-signed cert

Instruct lib389 to not create its self-signed CA and temporary
self-signed certificate. FreeIPA uses local connections and Unix socket
for bootstrapping.

Fixes: https://pagure.io/freeipa/issue/8502
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
87cf2a3c by Christian Heimes at 2020-09-22T09:21:00-04:00
Add ldap_update() helper to service class

The new _ldap_update() helper methods makes it easier to apply LDAP
update files from a service instance.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
99a40cbb by Christian Heimes at 2020-09-22T09:21:00-04:00
Simplify LDAPUpdater

- drop unused dm_password and ldapi arguments
- remove online feature that was never implemented
- allow passing of api object that is used to populate substitution
  dictionary
- simplify substitution dictionary updates
- remove unused instances vars

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
72fb4e60 by Christian Heimes at 2020-09-22T09:23:18-04:00
Add user and group wrappers

New classes for user and group names provide a convenient way to access
the uid and primary gid of a user / gid of a group. The classes also
provide chown() and chgrp() methods to simplify common operations.

The wrappers are subclasses of builtin str type and behave like ordinary
strings with additional features. The pwd and grp structs are retrieved
once and then cached.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
b19d20e2 by Christian Heimes at 2020-09-22T09:23:18-04:00
Use new classes for run_command and Service

User and Group now return unmodified instance when they are called with
an instance of themselves: User(user) is user.

run_command() and Service class accept either names or User object.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
bc128cae by Christian Heimes at 2020-09-22T09:23:18-04:00
Add User and Group to all ipaplatform.constants

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
dfeea164 by François Cami at 2020-09-22T18:05:38+02:00
ipatests: enhance TestSubCAkeyReplication

enhance the test suite so that it covers:
- deleting subCAs (disabling them first)
- checking what happens when creating a dozen+ subCAs at a time
- adding a subCA that already exists and expect failure

Related: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace at redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec at redhat.com>
Reviewed-By: Zdenek Pytela <zpytela at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>

- - - - -
7823da06 by François Cami at 2020-09-22T18:05:38+02:00
SELinux: Add dedicated policy for ipa-pki-retrieve-key

Add proper labeling, transition and policy for ipa-pki-retrieve-key.
Make sure tomcat_t can execute ipa-pki-retrieve-key.

Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace at redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec at redhat.com>
Reviewed-By: Zdenek Pytela <zpytela at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>

- - - - -
ea9db4a9 by François Cami at 2020-09-22T18:05:38+02:00
SELinux Policy: let custodia_t map custodia_tmp_t

This is used by the JVM perf counters.

Related: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace at redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec at redhat.com>
Reviewed-By: Zdenek Pytela <zpytela at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>

- - - - -
820beca4 by François Cami at 2020-09-22T18:05:38+02:00
SELinux Policy: ipa_pki_retrieve_key_exec_t => ipa_pki_retrieve_key_t

Grant pki_manage_tomcat_etc_rw to ipa_pki_retrieve_key_t instead of
ipa_pki_retrieve_key_exec_t.
As suggested by Ondrej Mosnáček.

Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace at redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec at redhat.com>
Reviewed-By: Zdenek Pytela <zpytela at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>

- - - - -
09816f4d by François Cami at 2020-09-22T18:05:38+02:00
SELinux Policy: ipa_custodia_pki_tomcat_exec_t => ipa_custodia_pki_tomcat_t

ipa_custodia_pki_tomcat_exec_t was granted java_exec by mistake ; replace by
ipa_custodia_pki_tomcat_t.
As suggested by Ondrej Mosnáček.

Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace at redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec at redhat.com>
Reviewed-By: Zdenek Pytela <zpytela at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>

- - - - -
4b3c4b84 by François Cami at 2020-09-22T18:05:38+02:00
SELinux Policy: flag ipa_pki_retrieve_key_exec_t as domain_type

Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace at redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec at redhat.com>
Reviewed-By: Zdenek Pytela <zpytela at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>

- - - - -
f774642b by François Cami at 2020-09-22T18:05:38+02:00
SELinux Policy: make interfaces for kernel modules non-optional

Interfaces for kernel modules do not need to be in an optional module.
Also make sure ipa_custodia_t can log.
Suggested by Lukas Vrabec.

Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace at redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec at redhat.com>
Reviewed-By: Zdenek Pytela <zpytela at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>

- - - - -
2f2bce43 by François Cami at 2020-09-22T18:05:38+02:00
SELinux Policy: Allow tomcat_t to read kerberos keytabs

This is required to fix:
avc: denied  { search } for  pid=1930 comm="ipa-pki-retriev" name="krb5" dev="dm-0" ino=8620822 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0

Macros suggested by: Ondrej Mosnacek

Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace at redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec at redhat.com>
Reviewed-By: Zdenek Pytela <zpytela at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>

- - - - -
84bbf687 by Rob Crittenden at 2020-09-22T19:30:03-04:00
Require a matching server package for the selinux subpackage

Ensure that the selinux subpackage is upgraded along with the
rest of IPA if it is built.

https://pagure.io/freeipa/issue/8511

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
36c6a2e7 by François Cami at 2020-09-23T14:47:06+02:00
SELinux: do not double-define node_t and pki_tomcat_cert_t

node_t and pki_tomcat_cert_t are defined in other modules.
Do not double-define them.

Fixes: https://pagure.io/freeipa/issue/8513
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
cc5d9a8c by Rob Crittenden at 2020-09-23T14:48:29+02:00
Clean up entire /run/ipa/ccaches directory not just files

If there are any sub-directories in the ccaches directory
then cleaning it up will fail.

Instead remove the whole directory and allow systemd-tmpfiles
to re-create it.

https://pagure.io/freeipa/issue/8248

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
9f9dcfe8 by Rob Crittenden at 2020-09-23T14:48:29+02:00
Test that ccaches are cleaned up during installation

Create a random file and directory in the ccaches directory
prior to installation then confirm that they were removed.

https://pagure.io/freeipa/issue/8248

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
80fca8d7 by Christian Heimes at 2020-09-23T14:49:15+02:00
Delay import of psutil to avoid AVC

Commit cfad7af35dd5a2cdd4081d1e9ac7c245f47f1dce added a check to ensure a
system has sufficient amount of memory. The feature uses psutil to get
available memory. On import psutil opens files in /proc which can result in
an SELinux violations and Python exception.

     PermissionError: [Errno 13] Permission denied: '/proc/stat'

Fixes: https://pagure.io/freeipa/issue/8512
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
644bd0e4 by Christian Heimes at 2020-09-23T14:49:56+02:00
Make git a build requirement

FreeIPA uses git in its build process. In the past git was automatically
pulled in. On Fedora 33 builds are failing because git is missing.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
7651d335 by Zdenek Pytela at 2020-09-23T15:23:28+02:00
Add ipa_pki_retrieve_key_exec() interface

The ipa_pki_retrieve_key_exec() interface is needed to allow other
domains execute ipa-pki-retrieve-key.

Related: https://pagure.io/freeipa/issue/8488
Signed-off-by: Zdenek Pytela <zpytela at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
96edff0b by Christian Heimes at 2020-09-23T16:44:26+02:00
Add helpers for resolve1 and nameservers

detect_resolve1_resolv_conf() detects if systemd-resolved is enabled and
manages /etc/resolv.conf.

get_resolve1_nameservers() gets upstream DNS servers from
systemd-resolved's D-Bus interface.

get_dnspython_nameservers() gets upstream DNS servers from
/etc/resolv.conf via dns.python.

get_nameservers() gets a list of unique, non-loopback DNS server IP
addresses.

Also fixes setup.py to include D-Bus for ipalib instead of ipapython.

See: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e64f27fd by Christian Heimes at 2020-09-23T16:44:26+02:00
Configure NetworkManager to use systemd-resolved

zzz-ipa.conf now enables NetworkManager's systemd-resolved plugin when
systemd-resolved is detected.

See: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
528c519c by Christian Heimes at 2020-09-23T16:44:26+02:00
Use new API for auto-forwarders

Auto-forwarders and manual configuration now use the new API to get a
list of DNS servers. Manual installer refuses loopback, too.

See: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d12f1b4b by Christian Heimes at 2020-09-23T16:44:26+02:00
Configure systemd-resolved to use IPA's BIND

IPA installer now instructs systemd-resolved to use IPA's BIND DNS
server as primary DNS server.

Fixes: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
79b9982b by Christian Heimes at 2020-09-23T16:44:26+02:00
Create systemd-resolved configuration on update

Create systemd-resolved drop-in and restart the service when the drop-in
config file is missing and /etc/resolv.conf points to stub resolver
config file.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b47ddb01 by Rob Crittenden at 2020-09-24T08:20:48+02:00
Reduce the memory requirement from 1.6 to 1.2 GB

We know from practical experience in PR-CI and Azure that 1.2
is the absolute minimum necessary for a base installation.

https://pagure.io/freeipa/issue/8404

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
29b41aef by Serhii Tsymbaliuk at 2020-09-24T16:21:04+02:00
WebUI: Fix jQuery DOM manipulation issues

The commit includes the following jQuery patches:
- Manipulation: Make jQuery.htmlPrefilter an identity function
  (https://github.com/jquery/jquery/pull/4642)
- Manipulation: Skip the select wrapper for <option> outside of IE 9
  (https://github.com/jquery/jquery/pull/4647)

In addition there is included a script that helps to patch and build
the new version of jQuery:

  $ install/ui/util/make-jquery.js 3.4.1

Ticket: https://pagure.io/freeipa/issue/8507

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
69ebe415 by Christian Heimes at 2020-09-24T17:03:00+02:00
Fix nsslapd-db-lock tuning of BDB backend

nsslapd-db-lock was moved from cn=config,cn=ldbm database,cn=plugins,cn=config
entry to cn=bdb subentry. Manual patching of dse.ldif was no longer
working. Installations with 389-DS 1.4.3 and newer are affected.

Low lock count can affect performance during high load, e.g. mass-import
of users or lots of concurrent connections.

Bump minimal DS version to 1.4.3. Fedora 32 and RHEL 8.3 have 1.4.3.

Fixes: https://pagure.io/freeipa/issue/8515
See: https://pagure.io/freeipa/issue/5914
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
54dff05c by Oğuz Ersen at 2020-09-26T10:25:19+03:00
Translated using Weblate (Turkish)

Currently translated at 7.6% (357 of 4654 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/tr/

Translated using Weblate (Turkish)

Currently translated at 7.3% (342 of 4654 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/tr/

Translated using Weblate (Turkish)

Currently translated at 4.6% (216 of 4654 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/tr/

Translated using Weblate (Turkish)

Currently translated at 0.7% (34 of 4654 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/tr/

Added translation using Weblate (Turkish)

Co-authored-by: Oğuz Ersen <oguzersen at protonmail.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a2f7e917 by Weblate at 2020-09-26T10:25:19+03:00
Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Co-authored-by: Weblate <noreply at weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/
Translation: freeipa/master
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1eaa5974 by Rafael Fontenelle at 2020-09-26T10:25:19+03:00
Translated using Weblate (Portuguese (Brazil))

Currently translated at 3.2% (153 of 4654 strings)

Co-authored-by: Rafael Fontenelle <rafaelff at gnome.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/pt_BR/
Translation: freeipa/master
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
89d85182 by Weblate at 2020-09-26T10:25:19+03:00
Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Co-authored-by: Weblate <noreply at weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/
Translation: freeipa/master
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a330adae by Yuri Chornoivan at 2020-09-26T10:25:19+03:00
Translated using Weblate (Ukrainian)

Currently translated at 100.0% (4654 of 4654 strings)

Translated using Weblate (Ukrainian)

Currently translated at 98.8% (4600 of 4654 strings)

Co-authored-by: Yuri Chornoivan <yurchor at ukr.net>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/uk/
Translation: freeipa/master
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
90c1a00f by Weblate at 2020-09-26T10:25:19+03:00
Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Co-authored-by: Weblate <noreply at weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/
Translation: freeipa/master
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
11828cf8 by Daniel Lara Souza at 2020-09-26T10:25:19+03:00
Translated using Weblate (Portuguese (Brazil))

Currently translated at 3.5% (167 of 4654 strings)

Co-authored-by: Daniel Lara Souza <daniellarasouza at yahoo.com.br>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/pt_BR/
Translation: freeipa/master
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
afa0f5d1 by Weblate at 2020-09-26T10:25:19+03:00
Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Co-authored-by: Weblate <noreply at weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/
Translation: freeipa/master
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
abc41640 by Yuri Chornoivan at 2020-09-26T10:25:19+03:00
Translated using Weblate (Ukrainian)

Currently translated at 100.0% (4676 of 4676 strings)

Translated using Weblate (Ukrainian)

Currently translated at 100.0% (4676 of 4676 strings)

Co-authored-by: Yuri Chornoivan <yurchor at ukr.net>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/uk/
Translation: freeipa/master
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0464a5ff by Oğuz Ersen at 2020-09-26T10:25:19+03:00
Translated using Weblate (Turkish)

Currently translated at 7.6% (358 of 4676 strings)

Co-authored-by: Oğuz Ersen <oguzersen at protonmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/tr/
Translation: freeipa/master
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
4cc9c942 by Emilio Herrera at 2020-09-26T10:25:19+03:00
Translated using Weblate (Spanish)

Currently translated at 60.8% (2845 of 4676 strings)

Translated using Weblate (Spanish)

Currently translated at 60.8% (2844 of 4676 strings)

Co-authored-by: Emilio Herrera <ehespinosa57 at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/es/
Translation: freeipa/master
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
4e30a48d by Christian Heimes at 2020-09-26T10:41:32+03:00
trust-add: Catch correct exception when chown SSSD

Commit 72fb4e6 introduced a regression. SSSD_USER.chown() raises
ValueError instead of KeyError when SSSD user does not exist.

Fixes: https://pagure.io/freeipa/issue/8516
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
6fde06ac by Christian Heimes at 2020-09-26T10:43:42+03:00
Fix compiler warning in ipa-pwd-extop

cast const error message to non-const char*. I tried to make errMesg a
const char* but it gets passed down to slapi_send_ldap_result() which
accepts a char*.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7de2c9bc by Christian Heimes at 2020-09-26T10:43:42+03:00
Fix compiler warnings in libotp

Remove unused variable declarations

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
6c52ef2b by Christian Heimes at 2020-09-26T10:43:42+03:00
Fix compiler warning in ipa-kdb

Make assertion_value a const char*

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
2c393c09 by Alexander Bokovoy at 2020-09-28T08:47:31+02:00
Pre-populate IP addresses for the name server upgrades

Setting up resolv.conf in BIND instance expects IP addresses of the
server to be provided. This is done wiht BindInstance.setup() method
call. However, when reusing resolver setup during upgrade BIND instance
has no IP addresses configured and fails with an assert in
tasks.configure_dns_resolver().

Pass through the server's IP addresses during upgrade.

Fixes: https://pagure.io/freeipa/issue/8518

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
34e47778 by Christian Heimes at 2020-09-28T14:33:15+02:00
Ensure that resolved.conf.d is accessible

systemd-resolved runs as user systemd-resolve. Ensure that
resolved.conf.d drop-in directory is accessible when installer runs with
restricted umask. Also ensure the file and directory has correct SELinux
context.

The parent directory /etc/systemd exists on all platforms.

Fixes: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ced1dcb1 by Christian Heimes at 2020-09-28T14:33:15+02:00
Also backup DNS config drop-ins

/etc/NetworkManager/conf.d and /etc/systemd/resolved.conf.d drop-in
files were not backed up.

Related: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e46c3792 by Christian Heimes at 2020-09-29T12:05:20+02:00
Use single update LDIF for indices

Index definitions were split across four files. indices.ldif contained
the initial subset of indices. Three update files partly duplicated the
indices and partly added new indices.

All indices are now defined in a single update file that is sorted
alphanumerically.

The changeset avoids two additional index tasks and reduces installation
time by 5 to 10 seconds.

Fixes: https://pagure.io/freeipa/issue/8493
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9f0ec27e by Christian Heimes at 2020-09-29T12:05:20+02:00
Add more indices

ipaCASubjectDN is used by lightweight sub CA feature.

ipaExternalMember is used by KRB driver to assemble MS-PAC records.

ipaNTSecurityIdentifier was only index for "pres" and was missing an
index on "eq". Samba and ipasam perform queries with SID string..

memberPrincipal is used by S4U2Proxy constrained delegation and by
ipa-custodia.

Also note that dnaHostname, ipServiceProtocol, ipaCertSubject, and
ipaKeyUsage are currently not index because an index would rarely used
or have a poor selectivity.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1684b0f2 by Christian Heimes at 2020-09-29T12:06:24+02:00
Add missing fedora_container platform members

The fedora_container platform was missing User and Group members.

Add test case to verify that all known platforms define correct module
API.

Fixes: https://pagure.io/freeipa/issue/8519
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
aa67177f by Christian Heimes at 2020-09-30T09:52:08+02:00
Add helper for poll/sleep loops with timeout

The Sleeper class is a helper that makes poll/sleep loops with timeout
easier to write. It takes care of edge cases and does not oversleep
timeout deadline.

Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
b79191f7 by Christian Heimes at 2020-09-30T09:52:08+02:00
Faster certmonger wait_for_request()

wait_for_request() now waits 0.5 instead of 5 seconds. This shoves off
15 to 20 seconds from ipa-server-install while marginally increased
load on the system.

request_and_wait_for_cert() now uses correct certmonger_wait_timeout
instead of http_timeout.

Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
1921d33d by Christian Heimes at 2020-09-30T09:52:08+02:00
Drop unused extended sleep feature from Sleeper

The extended sleep feature is not used at the moment.

Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
38d083e3 by Christian Heimes at 2020-09-30T09:56:04+02:00
configure_dns_resolver: call self.restore_context

Use the platform implementation of restore_context() instead of the base
implementation.

Fixes: https://pagure.io/freeipa/issue/8518
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
3ab3ed5f by Christian Heimes at 2020-09-30T17:01:01+02:00
Retry chronyc waitsync only once

It's unlikely that a third chrony synchronization attempt is going to
succeed after the the first two attempts have failed. Perform more
retries with smaller timeout.

This speed up installer by 11 seconds on systems without fully
configured chronyd or no chronyd (e.g. containers).

Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
a96b8938 by Piotr Drąg at 2020-09-30T11:18:37-04:00
Translated using Weblate (Polish)

Currently translated at 9.6% (451 of 4676 strings)

Co-authored-by: Piotr Drąg <piotrdrag at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/pl/
Translation: freeipa/master
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
fbb6484d by Christian Heimes at 2020-10-05T14:24:55+02:00
Check ca_wrapped in ipa-custodia-check

ca_wrapped uses Dogtag's pki tool (written in Java) to wrap key
material. Add checks to custodia to verify that key wrapping works.

Related: https://pagure.io/freeipa/issue/8488
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
9a9cd302 by Christian Heimes at 2020-10-05T14:24:55+02:00
Verify freeipa-selinux's ipa module is loaded

ipa-custodia tests will fail if the ipa.pp override module from
freeipa-selinux is not correctly installed, loaded, and enabled.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
37a0af6a by Christian Heimes at 2020-10-05T15:02:14+02:00
Remove root-autobind configuration

The new lib389-based installer configured 389-DS with LDAPI support and
autobind for root. nsslapd-ldapiautobind is enabled by lib389.

cn=root-autobind,cn=config entry is no longer needed.

nsslapd-ldapimaptoentries is kept enabled for future use.

Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
daec8049 by Christian Heimes at 2020-10-05T15:02:14+02:00
Remove magic sleep from create_index_task

11 years ago 5ad91a0781 added a magic sleep to work around a rare deadlock
bug in memberOf plugin. Thierry is not aware of any outstanding issues
with memberOf plugin that could lead to a deadlock.

Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
9eccaf62 by Christian Heimes at 2020-10-05T15:02:14+02:00
Skip offline dse.ldif patching by default

The installer now stop and patches dse.ldif only when the option
--dirsrv-config-file is used. LDBM nsslapd-db-locks are increased in a
new step.

This speeds up installer by 4 or more seconds on a fast system.

Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
8882680e by Christian Heimes at 2020-10-05T15:04:43+02:00
Dogtag: Remove set_audit_renewal step

The step set_audit_renewal modifies Dogtag's caSignedLogCert.cfg to bump
renewal to 2 years. The problem was fixed in Dogtag upstream in 2012 before
Dogtag 10.0 came out, see
https://github.com/dogtagpki/pki/commit/f5b8ea5b087f642a0208c228dce6f700cd7d91c1

The update step would also no longer work. Profiles have been migrated
to LDAP several FreeIPA releases ago. pkispawn populates LDAP with all
of Dogtag's default profiles. FreeIPA does not overwrite any existing
profiles.

Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
942fe07e by Christian Heimes at 2020-10-05T15:04:43+02:00
Spawn PKI: Execute more steps early

Move several steps to an earlier phase of CA spawn. RA and ACME agent
ACLs are now configured while the server is down. This avoids yet
another restart and saves between 11 and 50 seconds per installation.

Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
6860c637 by Christian Heimes at 2020-10-06T15:35:35+02:00
Use separate install logs for AD and DNS instance

ipa-dns-install and ipa-adtrust-install no longer overwrite
ipaserver-install.log. Instead they use a separate log file.

Add AD-Trust, DNS, KRA, and replica log files to backups.

Fixes: https://pagure.io/freeipa/issue/8528
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
4ed21bba by Christian Heimes at 2020-10-07T15:14:16+02:00
Replace sudo with runuser

runuser is in util-linux and does not require sudo package.

Related: https://pagure.io/freeipa/issue/8530
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
6ba5a6a4 by Christian Heimes at 2020-10-08T08:32:08+02:00
Require(post) systemd with resolved enabled on F33

FreeIPA's systemd-resolved integration for Fedora 33 depends on a
working and fully configured systemd-resolved service. Ensure that
systemd's post installation RPM hook runs before FreeIPA's post hook.

Note: Other systemd version numbers are current versions on Fedora 32 and
RHEL 8.2.0.

Related: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
814328ea by Christian Heimes at 2020-10-08T08:32:08+02:00
Don't add 127.0.0.1 to resolv.conf twice

On systems with multiple IP addresses the update code could add
::1 and 127.0.0.1 multiple times.

Related: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a3abae82 by Christian Heimes at 2020-10-08T08:32:08+02:00
Simplify update code

resolve_ip_addresses_nss(host) is equivalent to
get_server_ip_address(api.env.host, True, False, []). The function
get_server_ip_address() is designed to perform interactive checks that
should not be triggered in automatic upgrade code.

Related: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
01c6b8a8 by Sudhir Menon at 2020-10-09T08:48:12+02:00
ipatests: ipa-healthcheck test fixes running on RHEL

1. Added function in tasks.py to get healthcheck version.
2. Added if else condition to certain tests to
check healthcheck version and then assert the expected test output

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
a63eeaae by François Cami at 2020-10-09T08:51:02+02:00
ipatests: add check_if_sssd_is_online

Split wait_for_sssd_domain_status_online so that we can easily check
that SSSD considers the IPA domain online with check_if_sssd_is_online.

Related: https://pagure.io/freeipa/issue/8510
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
884e0d36 by François Cami at 2020-10-09T08:51:02+02:00
ipatests: add get_kdcinfo

get_kdcinfo(host) retrieves /var/lib/sss/pubconf/kdcinfo.$REALM on host.
It also logs whether SSSD considers the IPA domain as Online or not before
and after retrieving the file.

Related: https://pagure.io/freeipa/issue/8510
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
e0586f33 by François Cami at 2020-10-09T08:51:02+02:00
ipatests: create_active_user improvements

Use get_kdcinfo before and after kinit if krb5_trace in create_active_user.
This will help determine how SSSD was selecting which KRB5KDC to use.

Fixes: https://pagure.io/freeipa/issue/8510
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
5d95794e by François Cami at 2020-10-09T08:51:02+02:00
ipatests: kinit_as_user improvements

Use get_kdcinfo before and after kinit if krb5_trace in kinit_as_user.
This will help determine how SSSD was selecting which KRB5KDC to use.

Fixes: https://pagure.io/freeipa/issue/8510
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
731c5b21 by Christian Heimes at 2020-10-10T12:54:06+02:00
Lookup ipa-ca record with NSS

DNS data management now uses NSS's getaddrinfo() instead of direct DNS
queries to resolve the ipa-ca record. This fixes missing ipa-ca records
when the current hostname is not resolvable in DNS but has correct
records in /etc/hosts.

Reduce timeout to 15 seconds and tighten timeout loop.

The changeset can speed up installation by almost 60 seconds.
ipa-server-install without built-in DNS calls into DNS data management
twice with a timeout of 30 seconds for each call.

Fixes: https://pagure.io/freeipa/issue/8529
Related: https://pagure.io/freeipa/issue/8521
Related: https://pagure.io/freeipa/issue/8501
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
58d8af04 by Florence Blanc-Renaud at 2020-10-13T09:57:32+02:00
ipatests: add tests to 389ds regression

The following tests can be used to detect regressions with 389-ds:
- test_integration/test_replica_promotion.py::TestHiddenReplicaPromotion
- test_integration/test_dns_locations.py

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
fbd7d771 by Florence Blanc-Renaud at 2020-10-13T10:03:47+02:00
rpmspec: ensure ipa snippet for sshd is always included

Whn openssh-server > 8.2 is installed, ipa rpmspec moves its
configuration directives to /etc/ssh/sshd_config.d/04-ipa.conf
but doesn't check that the 04-ipa.conf is included from
/etc/ssh/sshd_config.

The fixes ensures that the snippet is always included, either
through the line Include /etc/ssh/sshd_config.d/*.conf or
directly with Include /etc/ssh/sshd_config.d/04-ipa.conf

Fixes: https://pagure.io/freeipa/issue/8535
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7bbb9971 by François Cami at 2020-10-13T10:07:45+02:00
ipatests: tasks: add user_del

Add an "ipa user-del" frontend to tasks.py.

Related: https://pagure.io/freeipa/issue/8536
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>

- - - - -
5de67028 by François Cami at 2020-10-13T10:07:45+02:00
ipatests: run freeipa-healthcheck on hidden replica

Run freeipa-healthcheck on a FreeIPA clusters with a
hidden replica to make sure a hidden replica is considered
fully healthy.

Fixes: https://pagure.io/freeipa/issue/8536
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>

- - - - -
cb7d0964 by Florence Blanc-Renaud at 2020-10-13T16:51:32+02:00
ipatests: properly handle journalctl return code

The test test_installation.py::TestInstallMaster::test_selinux_avcs
is failing when no AVCs are detected because it is calling
journalctl --full --grep=AVC--since=yesterday
and the command exits with return code 1.

Call the command with raiseonerr=False to support this case.

Fixes: https://pagure.io/freeipa/issue/8541
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
a9d34c8e by Christian Heimes at 2020-10-19T09:53:29+02:00
Speed up cainstance.migrate_profiles_to_ldap

The ra_certprofile API is slow. It takes ~200ms to migrate and enable a
profile even when the profile already available. The migration step
slows down the installer and upgrader by about 12 to 15 seconds.

Skip all profiles that have been imported by Dogtag already.

Related: https://pagure.io/freeipa/issue/8522
Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
fa580712 by Christian Heimes at 2020-10-19T09:53:29+02:00
Reuse main LDAP connection

cainstance and krainstance now reuse the main LDAP connection
api.Backend.ldap2 in all helper functions. Some functions used to create
and tear down their own LDAP connection. This was a remnant of the old
CA LDAP instance in FreeIPA 3.x.

Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
139d60d7 by Rob Crittenden at 2020-10-19T12:56:22-04:00
Don't restart certmonger after stopping tracking in uninstall

certmonger was later restarted to remove the custom CA entries
and the startup delay sometimes caused uninstallation to fail.

certmonger is stopped in cainstance.py::uninstall() so it will
still be stopped post-install.

https://pagure.io/freeipa/issue/8533

Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
41021c27 by Rob Crittenden at 2020-10-23T09:32:52-04:00
Add LDAP schema for new libpwquality attributes

Add new attributes for the maxrepeat, maxsequence, dictcheck and
usercheck features of libpwquality.

https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
6b452e54 by Rob Crittenden at 2020-10-23T09:32:52-04:00
Extend IPA pwquality plugin to include libpwquality support

Add options to support maxrepeat, maxsequence, dictcheck and
usercheck pwquality options.

https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
c03b4862 by Rob Crittenden at 2020-10-23T09:32:52-04:00
Add new pwpolicy objectclass to test_xmprpc/objectclasses.py

This defines the expected set of objectclasses in the XMLRPC
tests.

https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
3fc2eda4 by Rob Crittenden at 2020-10-23T09:32:52-04:00
Require libpwolicy and configure it in the build system

https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
c4cca53e by Rob Crittenden at 2020-10-23T09:32:52-04:00
Extend password policy to evaluate passwords using libpwpolicy

Enable checking:

maxrepeat - reject passwrods which contain more than N consecutive
            characters.
maxsequence - rejected passwords which contain character sequences
              (abcde).
dictcheck - check passwords using cracklib
usercheck - check whether the password contains the user name.

The class checking provided by libpwpolicy is not used because this
overlaps with the existing IPA checking. This includes the options
dcredit, ucredit, lcredit, ocredit, minclass and maxclassrepeat.

The pwquality min length is fixed at 6 so if there is a conflict between
the system policy and pwquality log that length is enforced at 6.

https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
46d00962 by Rob Crittenden at 2020-10-23T09:32:52-04:00
Add a unit test for libpwquality-based password policy

- with all policies disabled passwords are not evaluated
- the pwpolicy minimum overrides the existing IPA minimum
- max character repeats
- max character sequences (12345)
- palindrome
- dictionary check
- user name in the password check

https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
6da070e6 by Rob Crittenden at 2020-10-23T09:32:52-04:00
Pass the user to the password policy check in the kdb driver

If the entry contains a uid then pass that into the policy checker
for the usercheck policy check.

https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
be2efc12 by Rob Crittenden at 2020-10-23T09:32:52-04:00
Add a raiseonerr option to ldappasswd_user_change

This is so on tests for bad password one can catch the error
message.

https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
fe448359 by Rob Crittenden at 2020-10-23T09:32:52-04:00
ipatests: add test for password policies

Primarily testing integration of libpwpolicy but it also
exercises some of the existing policy.

https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
68aa7c05 by Rob Crittenden at 2020-10-23T09:32:52-04:00
Add SELinux policy so kadmind can read the crackdb dictionary

https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
f602da4b by Rob Crittenden at 2020-10-23T09:32:52-04:00
Requirements and design for libpwquality integration

https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
5155280b by Rob Crittenden at 2020-10-23T09:32:52-04:00
ipatests: Add test_pwpolicy to nightly runs

389ds testing is included since this exercises LDAP password
policy. pki testing is skipped since this is unrelated to
whether there is a CA or not.

https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
e28ec768 by Christian Heimes at 2020-10-26T17:11:19+11:00
Unify access to FQDN

FreeIPA's Python and C code used different approaches to get the FQDN of
the host. Some places assumed that gethostname() returns a FQDN. Other
code paths used glibc's resolver to resolve the current node name to a
FQDN.

Python code now uses the ipalib.constants.FQDN where a fully qualified
domain name is expected. The variable is initialized only once and avoids
potential DNS lookups.

C code uses a new helper function ipa_gethostfqdn() in util package. The
function implements similar logic as gethostfqdn() except it uses more
modern getaddrinfo(). The result is cached as well.

Fixes: https://pagure.io/freeipa/issue/8501
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
5d4ed65b by Christian Heimes at 2020-10-26T17:11:19+11:00
Replace nodename with ipa_gethostfqdn()

ipa_kdb and ipa-join now use ipa_gethostfqdn() instead of uname()'s nodename.

The code for hostname in ipa-join is simplified. Now the hostname is
auto-detected and verified in main(). All sub functions can now use the
hostname without additional checks. This removes a bunch of strdup(),
NULL checks, and free() calls.

Fixes: https://pagure.io/freeipa/issue/8501
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
b66b961f by Christian Heimes at 2020-10-26T17:11:19+11:00
Remove problematic optimization from gethostfqdn()

Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
3d796a7e by Christian Heimes at 2020-10-26T17:11:19+11:00
Update debug strings to reflect new calls

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
727a2ffb by Christian Heimes at 2020-10-26T17:11:19+11:00
Easier to use ipa_gethostfqdn()

ipa_gethostfqdn() now returns a pointer to a statically allocated buffer
or NULL in case of an error. The caller no longer has to supply a
correctly allocated buffer.

Rename IPA_HOST_HOST to_LEN IPA_HOST_FQDN_LEN and use IPA_HOST_FQDN_LEN
wherever code copies a hostname supplied from ipa_gethostfqdn().

Clarify that MAXHOSTNAMELEN and MAXHOSTFQDNLEN are different things.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
3f59118f by Fraser Tweedale at 2020-10-26T17:11:19+11:00
ipa_sam: do not modify static buffer holding fqdn

ipa_sam was modifying the buffer returned by ipa_gethostfqdn().
Subsequent calls to ipa_gethostfqdn() returned the corrupt data,
causing other operations to fail.

Update ipa_sam to copy the string and modify the copy.  Also
document this characteristic of ipa_gethostfqdn() and explain that
callers must not modify the returned data.

Part of: https://pagure.io/freeipa/issue/8501

Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
8b6d1ab8 by Alexander Bokovoy at 2020-10-26T15:55:02-04:00
ipa-kdb: support subordinate/superior UPN suffixes

[MS-ADTS] 6.1.6.9.3.2 requires msDS-TrustForestTrustInfo attribute of
trusted domain information in Active Directory to conform certain rules.
One side-effect of those rules is that list of UPN suffixes reported
through the netr_DsRGetForestTrustInformation function is dynamically
filtered to deduplicate subordinate suffixes.

It means that if list of UPN suffixes contains the following top level
names (TLNs):

  fabrikam.com
  sub.fabrikam.com

then netr_DsRGetForestTrustInformation would only return 'fabrikam.com'
as the TLN, fully filtering 'sub.fabrikam.com'.

IPA KDB driver used exact comparison of the UPN suffixes so any
subordinate had to be specified exactly.

Modify logic so that if exact check does not succeed, we validate a
realm to test being a subordinate of the known UPN suffixes. The
subordinate check is done by making sure UPN suffix is at the end of the
test realm and is immediately preceded with a dot.

Because the function to check suffixes potentially called for every
Kerberos principal, precalculate and cache length for each UPN suffix at
the time we retrieve the list of them.

Fixes: https://pagure.io/freeipa/issue/8554

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>

- - - - -
2f8eb73f by Rob Crittenden at 2020-10-27T15:50:19-04:00
Use a state to determine if a 389-ds upgrade is in progress

When applying update files to 389 the listeners are disabled.
There is a large try/except around this so that if a failure
happens then the configuration should be automatically
restored.

We've seen multiple cases where this doesn't occur. Best guess
is that users are killing or ^C breaking out of the script.

What happens in that case is that when the next upgrade is run
the configuration is backed up again overwriting the original
values. This leaves dirsrv with no listener on 389.

Add a new state, upgrade-in-progress, so that the backup of the
config information can be skipped when the upgrader is executed
again after a failure.

The idea behind using a new state value is that if additional
attributes are ever backed up we don't need to remember to update
the list of possible saved values to check to decide if the
upgrade is in progress.

https://pagure.io/freeipa/issue/7534

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9ba0494c by Alexander Bokovoy at 2020-10-30T12:48:22-04:00
pylint: remove unused variable

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
b8b46779 by Alexander Bokovoy at 2020-10-30T12:48:22-04:00
rpcserver: fallback to non-armored kinit in case of trusted domains

MIT Kerberos implements FAST negotiation as specified in RFC 6806
section 11. The implementation relies on the caller to provide a hint
whether FAST armoring must be used.

FAST armor can only be used when both client and KDC have a shared
secret. When KDC is from a trusted domain, there is no way to have a
shared secret between a generic Kerberos client and that KDC.

[MS-KILE] section 3.2.5.4 'Using FAST When the Realm Supports FAST'
allows KILE clients (Kerberos clients) to have local settings that
direct it to enforce use of FAST. This is equal to the current
implementation of 'kinit' utility in MIT Kerberos requiring to use FAST
if armor cache (option '-T') is provided.

[MS-KILE] section 3.3.5.7.4 defines a way for a computer from a
different realm to use compound identity TGS-REQ to create FAST TGS-REQ
explicitly armored with the computer's TGT. However, this method is not
available to IPA framework as we don't have access to the IPA server's
host key. In addition, 'kinit' utility does not support this method.

Active Directory has a policy to force use of FAST when client
advertizes its use. Since we cannot know in advance whether a principal
to obtain initial credentials for belongs to our realm or to a trusted
one due to enterprise principal canonicalization, we have to try to
kinit. Right now we fail unconditionally if FAST couldn't be used and
libkrb5 communication with a KDC from the user realm (e.g. from a
trusted forest) causes enforcement of a FAST.

In the latter case, as we cannot use FAST anyway, try to kinit again
without advertizing FAST. This works even in the situations when FAST
enforcement is enabled on Active Directory side: if client doesn't
advertize FAST capability, it is not required. Additionally, FAST cannot
be used for any practical need for a trusted domain's users yet.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
abefd6e1 by Sudhir Menon at 2020-10-30T12:50:22-04:00
ipatests: ipa-healthcheck fixes for tests running on RHEL

Below tests have been modified accordingly

TestIpaHealthCheckFileCheck::test_ipa_filecheck_bad_owner
TestIpaHealthCheckFileCheck::test_ipa_filecheck_bad_group
TestIpaHealthCheckFileCheck::test_ipa_filecheck_bad_too_restrictive
TestIpaHealthCheckFileCheck::test_ipa_filecheck_too_permissive
TestIpaHealthCheckFileCheck::test_nssdb_filecheck_bad_owner
TestIpaHealthCheckWithExternalCA::test_opensslchainvalidation_ipa_ca_cert
TestIpaHealthCheckWithExternalCA::test_nsschainvalidation_ipa_invalid_chain
TestIpaHealthCheckWithExternalCA::test_ipahealthcheck_iparaagent
TestIpaHealthCheckWithExternalCA::test_ipahealthcheck_iparaagent_bad_serial

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
9a41966a by Sudhir Menon at 2020-10-30T12:52:01-04:00
ipatests: ipa-healthcheck test for DS BackendsCheck

This testcase checks that the BackendsCheck reports
the CRITICAL status when dse.ldif present in the
DS instance directory is renamed/moved.

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
563d0a07 by Alexander Bokovoy at 2020-10-30T19:06:11+02:00
rpcserver: fix exception handling for FAST armor failure

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b8a2a0f3 by Sudhir Menon at 2020-10-30T15:24:03-04:00
ipatests: ipa-healthcheck test for EncryptionCheck

This testcase checks that EncryptionCheck reports ERROR status when DS tls version is
modified to TLS1.0

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
686414d2 by Sudhir Menon at 2020-11-02T11:24:12+01:00
ipatests: ipa-healthcheck test for DS RIPluginCheck

This testcase modifies the update value set on RI Plugin
to -1 as a result checks that RIPluginCheck reports warning message

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
2ef53196 by Rob Crittenden at 2020-11-02T10:43:57-05:00
Enable importing LDIF files not shipped by IPA

This is to be able to import ACME schema provided by dogtag.

https://pagure.io/freeipa/issue/8524

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>

- - - - -
e13d058a by Rob Crittenden at 2020-11-02T10:43:57-05:00
Let dogtag.py be imported if the api is not initialized

This allows non-plugin components to import the RestClient
classes.

Removed code that only imported pki if in_server was True. This
was legacy code from when the plugins were also loaded in the
client.

Left the ra_plugin stanza for now. This is part of the old
abstraction that allowed for different CA plugins.

https://pagure.io/freeipa/issue/8524

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>

- - - - -
c0d55ce6 by Rob Crittenden at 2020-11-02T10:43:57-05:00
Centralize enable/disable of the ACME service

The initial implementation of ACME in dogtag and IPA required
that ACME be manually enabled on each CA.

dogtag added a REST API that can be access directly or through
the `pki acme` CLI tool to enable or disable the service.

It also abstracted the database connection and introduced the
concept of a realm which defines the DIT for ACME users and
groups, the URL and the identity. This is configured in realm.conf.

A new group was created, Enterprise ACME Administrators, that
controls the users allowed to modify ACME configuration.

The IPA RA is added to this group for the ipa-acme-manage tool
to authenticate to the API to enable/disable ACME.

Related dogtag installation documentation:
https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configuring_ACME_Database.md
https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configuring_ACME_Realm.md
https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Installing_PKI_ACME_Responder.md

ACME REST API:
https://github.com/dogtagpki/pki/wiki/PKI-ACME-Enable-REST-API

https://pagure.io/freeipa/issue/8524

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>

- - - - -
92c3ea4e by Rob Crittenden at 2020-11-02T10:43:57-05:00
Don't install ACME if full support is not available

The initial ACME support required that each server individually
enable/disable the service. PKI 10.10.0 stores this state in LDAP
so global enable/disable is available and the IPA code relies on
this.

Parse the VERSION file shipped with PKI to determine the version.

https://pagure.io/freeipa/issue/8524

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>

- - - - -
69ae48c8 by Rob Crittenden at 2020-11-02T10:43:57-05:00
Add a status option to ipa-acme-manage

It's handy in general and good for testing to be able to
detect the current ACME status without having to revert
to using curl.

https://pagure.io/freeipa/issue/8524

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>

- - - - -
e7fd7915 by Mohammad Rizwan at 2020-11-02T10:43:57-05:00
ipatests: Check if ACME is enabled on all CA servers

Test if ACME service is enabled on replica if eabled on
server. This is to check the centralize enable/disable
from single host.

ipatests: Test if ACME is enabled on replica when converted from CA-less to CA-full

Deployment where one server is deployed as CA-less and acme is enabled, when converted
to CA full, should have ACME enabled by default.

ipatests: Test ACME with CA-less replica when converted to CA-full

Deployment have one ca-less replica and ACME is not enabled.
After converting ca-less replica to ca-full, ACME can be
enabled or disabled.

related:
https://pagure.io/freeipa/issue/8524

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>

- - - - -
d4ef64b2 by Rob Crittenden at 2020-11-02T10:43:57-05:00
ipatests: Collect the let's encrypt log

Collect the let's encrypt client log for any potential
debug purposes.

https://pagure.io/freeipa/issue/8524

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>

- - - - -
43ea80ae by Sudhir Menon at 2020-11-02T17:34:38+01:00
ipatests: Fix for test_ipahealthcheck_ds_encryption

Nightly test failure was seen for test_ipahealthcheck_ds_encryption
The test was failing since @pytest.fixture was not specified before
the function modify_tls

Ref: https://pagure.io/freeipa/issue/8560
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
9c4785f0 by Mark Reynolds at 2020-11-02T13:42:37-05:00
Reorder creation of the CA mapping tree and database backend

New validation efforts in 389-ds-base require that the backend entry for
a database be created before the mapping tree entry. This enforces that
the mapping tree entry (the suffix) actually belongs to an existing backend.

For IPA we simply need to reverse the order of the backend vs mapping tree
creation in cainstance.py -> __create_ds_db()

Fixes: https://pagure.io/freeipa/issue/8558
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
2768b0db by Rob Crittenden at 2020-11-02T14:01:05-05:00
Require an ipa-ca SAN on 3rd party certs if ACME is enabled

ACME requires an ipa-ca SAN to have a fixed URL to connect to.
If the Apache certificate is replaced by a 3rd party cert then
it must provide this SAN otherwise it will break ACME.

https://pagure.io/freeipa/issue/8498

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>

- - - - -
e0ff82c8 by Rob Crittenden at 2020-11-02T14:01:05-05:00
Change the return codes of ipa-acme-manage

Traditionally in IPA 0 = success, 1 = error and then
specific error messages follow from that. Shift the
ipa-acme-manage return codes for "not installed" and
"not a CA" up by one.

https://pagure.io/freeipa/issue/8498

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>

- - - - -
c8f13cd8 by Rob Crittenden at 2020-11-02T14:01:05-05:00
ipatests: Add tests for requiring ipa-ca SAN when ACME is enabled

Test that:

1. With ACME enabled, SAN is required
2. With ACME disabled, SAN is not required

Also verify the ipa-acme-manage status command.

https://pagure.io/freeipa/issue/8498

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>

- - - - -
c053b5e0 by Florence Blanc-Renaud at 2020-11-03T09:49:22+02:00
ipatests: curl outputs the cookie in stderr and not in sdtout

The integration test test_trust.py::TestTrust::test_password_login_as_aduser
is expecting curl to output the cookie obtained after password login
in stdout but should use stderr instead.

Fixes: https://pagure.io/freeipa/issue/8559
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
2b1230e5 by Sudhir Menon at 2020-11-04T09:23:41+01:00
ipatests: Fix for test_ipahealthcheck_ds_riplugincheck

Fix for Nightly test failure in
test_ipahealthcheck.py::TestIpaHealthCheck::test_ipahealthcheck_ds_riplugincheck

Pagure: https://pagure.io/freeipa/issue/8563

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
b60d2d97 by Rob Crittenden at 2020-11-06T16:29:41-05:00
Add ipwpwdpolicy objectclass to all policies on upgrade

ipapwdpolicy is the objectclass which defines the libpwquality
attributes. For older sytems it isn't strictly necessary (or
visible) but not having it included will result in policies
not being visible with pwpolicy-find.

https://pagure.io/freeipa/issue/8555

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
f86250a9 by Rob Crittenden at 2020-11-06T16:29:41-05:00
Test that ipapwpolicy objectclass is added on upgrade

Use ldapmodify to remove the objectclass from the default
global policy then run ipa-server-upgrade to confirm
that it is properly added.

https://pagure.io/freeipa/issue/8555

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
69b42f0c by Rob Crittenden at 2020-11-06T16:29:41-05:00
Catch EmptyResult exception in update_idranges

If no results are returned then find_entries will raise
EmptyResult and not NotFound. NotFound is returned if
the search base doesn't exist.

The test for not entries can be removed as well since this
is the EmptyResult case. In case of a NotFound this will
be handled by the ExecutionError clause.

Found with https://pagure.io/freeipa/issue/8555

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
81cbee4e by Alexander Bokovoy at 2020-11-06T16:32:42-05:00
ipa-kdb: fix crash in MS-PAC cache init code

When initializing UPN suffixes, we calculate their sizes and didn't use
the right variable to allocate their size. This affects us if there are
more than one UPN suffix available for a trust due to memory corruption
while filling in sizes.

Add unit test for multiple UPN suffixes.

Fixes: https://pagure.io/freeipa/issue/8566

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>

- - - - -
91706690 by Alexander Bokovoy at 2020-11-06T16:38:37-05:00
wgi/plugins.py: ignore empty plugin directories

Dynamic plugin registry returns as a plugin any folder within the
plugins directory. Web UI then attempts to load for each plugin 'foo' a
JavaScript file named 'foo/foo.js'. The problem is that if 'foo/foo.js'
does not exist, Web UI breaks and it is impossible to recover until the
empty folder is removed or 'foo/foo.js' (even empty) is created at the
server side.

Check that 'foo/foo.js' actual exists when including a plugin into the
registry.

Test the registry generator by creating fake plugins and removing them
during the test.

Fixes: https://pagure.io/freeipa/issue/8567

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
b7be1a24 by Sudhir Menon at 2020-11-09T09:06:11+01:00
ipatests: ipa-healthcheck tests for DS checks

1. test_ipahealthcheck_ds_configcheck
   checks ensures that warning message is displayed by ConfigCheck
   when high resolution timestamp is disabled

2. test_ipahealthcheck_ds_fschecks
   Test has been now moved under Class TestIpaHealthCheckFileCheck
   This testcase checks that when permission of pwdfile.txt is changed
   to other than 400, FSCheck returns CRITICAL status

3. test_ds_configcheck_passwordstorage
   This test checks that critical status is displayed by
   ConfigCheck when rootpwstoragescheme is set to MD5 instead
   of the required PBKDF2_SHA256

4. test_ipahealthcheck_topology_with_ipactl_stop
   This testcase ensures that ipahealthcheck.ipa.topology check
   doesnot display 'source not found' on a system when ipactl
   stop is run

5. Modified testcase name
   the testcase name and description have been modified to match
   the actual testcase executed

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
617f7824 by Sudhir Menon at 2020-11-09T09:06:11+01:00
Added nsslapd-logging-hr-timestamps-enabled attribute in _SINGLE_VALUE_OVERRIDE table

In ipa-healthcheck ds-related tests i.e
test_ipahealthcheck.py::TestIpaHealthCheck::test_ipahealthcheck_ds_configcheck
there exists a scenario of modifying the "nsslapd-logging-hr-timestamps-enabled" attribute to off

The tests are failing with the below error
"ipalib.errors.MidairCollision: change collided with another change"

The test audit log displays that the attribute is deleted first and then added.
changetype: modify
delete: nsslapd-logging-hr-timestamps-enabled
nsslapd-logging-hr-timestamps-enabled: on
-
add: nsslapd-logging-hr-timestamps-enabled
nsslapd-logging-hr-timestamps-enabled: off

Adding the nsslapd-logging-hr-timestamps-enabled attribute in _SINGLE_VALUE_OVERRIDE table
to check if we generate a replace instead of add and delete.

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
26b9a697 by Rob Crittenden at 2020-11-09T09:41:27-05:00
Wrap libpwquality PKG_CHECK_MODULES in ENABLE_SERVER test

libpwquality is only needed when building a server. Don't test
for it in a client build.

https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ab9ef13f by Florence Blanc-Renaud at 2020-11-09T16:05:43-05:00
ipatests: IPADNSSystemRecordsCheck also checks for AAAA records

With commit 02c3b27 that has been included in ipa-healthcheck 0.7,
IPADNSSystemRecordsCheck also checks the presence of an AAAA record
for ipa-ca.

The test needs to handle this case and expect an error message for
missing ipa-ca AAAA record.

Fixes: https://pagure.io/freeipa/issue/8573
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
3d2a4f25 by Florence Blanc-Renaud at 2020-11-09T16:06:40-05:00
ipatests: ipa-acme-manage status returns 3 on a CA-less server

test_acme.py::TestACMECALess::test_enable_caless_to_cafull_replica is
running ipa-acme-manage status on a CA-less server and wrongly
expects retcode =1. According to the man page, the command returns 3
when executed on a server where the CA is not installed.

Fixes: https://pagure.io/freeipa/issue/8572
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
59150318 by Andika Triwidada at 2020-11-11T10:20:47+02:00
Translated using Weblate (Indonesian)

Currently translated at 6.8% (321 of 4676 strings)

Translated using Weblate (Indonesian)

Currently translated at 2.9% (136 of 4676 strings)

Co-authored-by: Andika Triwidada <andika at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/id/
Translation: freeipa/master
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b153b23c by Fraser Tweedale at 2020-11-11T10:24:38+02:00
dns: allow PTR records in arbitrary zones

PTR records in zones other than in-addr.arpa and in6.arpa are legal,
e.g. DNS-SD [RFC6763] uses such records.  If in a reverse zone
proceed with the existing checks, otherwise just accept the record.

Fixes: https://pagure.io/freeipa/issue/5566
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
3ab3578b by Rob Crittenden at 2020-11-11T10:29:25+02:00
On password reset also set krbLastAdminUnlock to unlock account

This fixes the case where an account is locked on one or more servers
and the password is reset by an administrator. The account would
remain locked on those servers for the duration of the lockout.

This is done by setting krbLastAdminUnlock to the current date and
time. The lockout plugin will see this and unlock the account. Since
the value should be replicated along with the password any server
that has the new password will also be unlocked.

This does incur an additional attribute that must be replicated,
whether it is needed or not, but since lockout is computed
per-server this is the only guaranteed way to be sure that the
account will be unlocked everywhere.

My original thought was to grab password replication events and detect
whether the user was locked out and unlock them. On any given server
you can only know if the user is locked out on that server by
computing it. Doing this would require generalizing the lockout code
so it could be computed on password change. krbLastFailedAuth could
be wiped which would unlock the account on that master (the attribute
is not replicated by default).

So it is complexity vs additional replication. Assuming that admin
reset is relatively rare let's start with that. This doesn't lock
us into this solution for the future.

We could set this attribute on user-driven password changes as
well but the original ask and my thinking are that if you forgot
your password and got locked out, how can you change it yourself?
Upon reflection I guess a user could fat-finger it a bunch of times
against one IPA server then have a revelation and log in against a
different server. So they would still be locked out for the duration
on the first one. I'm not sure the extra replication is worth it for
user-generated password changes or that users would be saavy enough
to try another server for the change.

https://pagure.io/freeipa/issue/8551

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ca6fc689 by Rob Crittenden at 2020-11-11T10:29:25+02:00
ipatests: Test that password reset unlocks users too

The basic idea is:

* add a user with a password
* kinit with a bad password for the user until lockout
* on another server administratively reset the password
* wait for replication to finish
* kinit on the original server again and the user should
  be able to kinit again meaning the lockout was removed

https://pagure.io/freeipa/issue/8551

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
bbe99012 by Fraser Tweedale at 2020-11-11T14:08:35+02:00
mailmap: add ftweedal

I noticed from draft release notes that some commits with a
different email address slipped in.  Add myself to mailmap so that I
do not have doppelganger.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9dccf17a by Mohammad Rizwan at 2020-11-12T15:14:12-05:00
External-CA scenarios for ACME service

Inherited the TestACME class by overriding install()
to install the ipa master with external CA. It will
setup the External-CA and will call all the test
method from TestACME class.

related: https://pagure.io/freeipa/issue/4751

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
cbbfcd9b by Mohammad Rizwan at 2020-11-12T15:14:12-05:00
PEP8 fixes for test_acme.py

Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c4a6b0e5 by Mohammad Rizwan at 2020-11-12T15:14:12-05:00
Move acme client installation part to classmethod

Moved the acme client installation part to classmethod
so that it can be leveraged further.

Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
3722013d by Armando Neto at 2020-11-16T09:26:48-03:00
ipatests: Update PRCI Fedora 32 templates

Updating templates with upgraded packages installed.

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1512acc7 by Serhii Tsymbaliuk at 2020-11-16T16:04:40+01:00
WebUI: Fix topology graph navigation crash

Add get_navigation_options method to all facet variations to unify forming facet links.

Ticket: https://pagure.io/freeipa/issue/8523

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
69368fcc by Serhii Tsymbaliuk at 2020-11-16T16:04:40+01:00
WebUI tests: Add simple test to check topology graph page is available

Ticket: https://pagure.io/freeipa/issue/8523

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>

- - - - -
a33530f2 by Florence Blanc-Renaud at 2020-11-17T08:39:59+01:00
ipatests: temporarily remove test_dnssec.py::TestInstallDNSSECFirst from gating

The test test_dnssec.py::TestInstallDNSSECFirst is failing due to known
issue https://pagure.io/freeipa/issue/8496
currently under investigation by 389ds team.

In the meantime, remove the test from gating to avoid blocking the PRs.

Related: https://pagure.io/freeipa/issue/8496
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
be006ad6 by Stanislav Levin at 2020-11-17T14:25:39+02:00
ipatests: Respect platform's openssl dir

There are different build configurations of OpenSSL from one distro
to another. For example,

Debian: '--openssldir=/usr/lib/ssl',
Fedora: '--openssldir=/etc/pki/tls',
openSUSE: '--openssldir=/etc/ssl',
ALTLinux: '--openssldir=/var/lib/ssl'.
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
94adee3c by Stanislav Levin at 2020-11-17T14:25:39+02:00
EPN: Don't downgrade security

If an administrator requests `smtp_security=starttls`, but SMTP
server disables STARTTLS, then EPN downgrade security to `none`,
which means plain text. Administrator doesn't expect such behavior.

Fixes: https://pagure.io/freeipa/issue/8578
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
977063a5 by Stanislav Levin at 2020-11-17T14:25:39+02:00
test_epn: Standardize EPN configs for deduplication

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
32aa1540 by Stanislav Levin at 2020-11-17T14:25:39+02:00
EPN: Enable certificate validation and hostname checking

https://pagure.io/freeipa/issue/8579
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
17f430ef by Stanislav Levin at 2020-11-17T14:25:39+02:00
EPN: Allow authentication by SMTP client's certificate

SMTP server may ask or require client's certificate for verification.
To support this the underlying Python's functionality is used [0].

Added 3 new options(corresponds to `load_cert_chain`):
- smtp_client_cert - the path to a single file in PEM format containing the
  certificate.
- smtp_client_key - the path to a file containing the private key in.
- smtp_client_key_pass - the password for decrypting the private key.

[0]: https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_cert_chain

Fixes: https://pagure.io/freeipa/issue/8580
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
82e69008 by Stanislav Levin at 2020-11-17T14:25:39+02:00
ipatests: Collect EPN log for debugging

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
249097c6 by Robbie Harwood at 2020-11-17T14:27:28+02:00
Update kdcpolicy design doc for jitter implementation

Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0d67180f by Robbie Harwood at 2020-11-17T14:27:28+02:00
ipa-kdb: implement AS-REQ lifetime jitter

Jitter is always enabled, so there is no additional configuration.

An earlier version of this patch was authored by Becky Shanley.

Fixes: https://pagure.io/freeipa/issue/8010

Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f513a55d by Alexander Bokovoy at 2020-11-17T18:48:24+02:00
ipa-kdb: fix gcc complaints

In file included from /usr/include/string.h:519,
                 from /usr/include/lber.h:30,
                 from /usr/include/ldap.h:30,
                 from ipa_kdb.h:37,
                 from ipa_kdb_mspac.c:26:
In function 'strncpy',
    inlined from 'get_server_netbios_name' at ipa_kdb_mspac.c:2358:5,
    inlined from 'ipadb_reinit_mspac' at ipa_kdb_mspac.c:2813:39:
/usr/include/bits/string_fortified.h:91:10: warning: 'strncpy' specified bound 255 equals destination size [-Wstringop-truncation]
   91 |   return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Fixes: https://pagure.io/freeipa/issue/8585
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
fc11c565 by Alexander Bokovoy at 2020-11-17T18:48:24+02:00
ipa-kdb: fix gcc complaints in kdb tests

We use string_to_sid() from internal Samba libraries, so we have to link
to it properly.

In addition, size_t is (long unsigned int), just cast to (int) in
asprintf.

Fixes: https://pagure.io/freeipa/issue/8585
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
d99b7d0b by Alexander Bokovoy at 2020-11-17T18:48:24+02:00
ipa-sam: fix gcc complaints on Rawhide

 In file included from /usr/include/string.h:519,
                  from /usr/include/lber.h:30,
                  from /usr/include/ldap.h:30,
                  from ipa_sam.c:12:
 In function 'strncpy',
     inlined from 'save_sid_to_secret' at ipa_sam.c:4478:2,
     inlined from 'pdb_init_ipasam' at ipa_sam.c:4985:12:
 /usr/include/bits/string_fortified.h:91:10: warning: 'strncpy' specified bound 255 equals destination size [-Wstringop-truncation]
    91 |   return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
       |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Fixes: https://pagure.io/freeipa/issue/8585
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
b36f2248 by Alexander Bokovoy at 2020-11-17T18:48:24+02:00
ipa-otpd: fix gcc complaints in Rawhide

In file included from /usr/include/string.h:519,
                 from /usr/include/lber.h:30,
                 from /usr/include/ldap.h:30,
                 from internal.h:27,
                 from main.c:31:
In function 'strncpy',
    inlined from 'main' at main.c:237:5:
/usr/include/bits/string_fortified.h:91:10: warning: 'strncpy' specified bound 255 equals destination size [-Wstringop-truncation]
   91 |   return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Fixes: https://pagure.io/freeipa/issue/8585
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
935a4615 by Alexander Bokovoy at 2020-11-17T18:48:24+02:00
ipa-acme-manage: user a cookie created for the communication with dogtag REST endpoints

The cookie in ACME processing was supposed to be passed as a part of the
REST request but we did not pass those additional headers. Pylint on
Rawhide noticed that headers objects were left unused.

2020-11-13T11:26:46.1038078Z Please wait ...
2020-11-13T11:26:46.1038385Z
2020-11-13T11:28:02.8563776Z ************* Module ipaserver.install.ipa_acme_manage
2020-11-13T11:28:02.8565974Z ipaserver/install/ipa_acme_manage.py:50: [W0612(unused-variable), acme_state.__exit__] Unused variable 'headers')
2020-11-13T11:28:02.8567071Z ipaserver/install/ipa_acme_manage.py:57: [W0612(unused-variable), acme_state.enable] Unused variable 'headers')
2020-11-13T11:28:02.8568031Z ipaserver/install/ipa_acme_manage.py:63: [W0612(unused-variable), acme_state.disable] Unused variable 'headers')

Fixes: https://pagure.io/freeipa/issue/8584
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
6e1eaad8 by Alexander Bokovoy at 2020-11-17T18:48:24+02:00
Azure CI: use Ubuntu-20.04 image by default

Ubuntu 20.04 image is available in Azure Pipelines, migrate to it.
https://github.com/actions/virtual-environments/blob/main/images/linux/Ubuntu2004-README.md

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
1bf0d628 by Alexander Bokovoy at 2020-11-17T18:48:24+02:00
Azure CI: use PPA to provide newer libseccomp version

Linux 5.8 made faccessat2() system call available in August 2020. This
system call is used now by GNU libc to implement more precisely
faccessat() system call. GNU glibc does compile-time check for the
kernel version and uses faccessat2() unconditionally in case it is
available. If kernel responds with ENOSYS error code, GNU libc will
attempt to use older, less flexible, faccessat(() system call.

When running on a system where libseccomp does not know about the new
syscall, the default action in seccomp filters in Docker and other
container runtimes is to respond with EPERM error code. This breaks GNU
libc's implementation of the faccessat() function -- as well as other
newer syscall implementations (e.g. statx()).

libseccomp started to support faccessat2() in July 2020 with
https://github.com/seccomp/libseccomp/commit/5696c896409c1feb37eb502df33cf36efb2e8e01
(version 2.5.0: https://github.com/seccomp/libseccomp/releases/tag/v2.5.0)

With Ubuntu 20.04 as a host, use PPA abbra/freeipa-libseccomp which
provides libseccomp 2.5.0 rebuild from Debian Sid.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
2e382cdd by Robbie Harwood at 2020-11-17T18:48:24+02:00
Drop upper bound on krb5 version in freeipa.spec

This check is no longer needed now that krb5 exports the KDB version.

Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
39d0dd33 by Alexander Bokovoy at 2020-11-17T18:48:24+02:00
spec: use pkgconf to find out krb5 version

In Fedora 33 RPM migrated to use SQLITE as its database format. When
COPR builders run on Fedora 33 and build a package for older Fedora
version that uses RPM with BDB backend, RPM inside the build environment
will not be able to open its own database (SQLITE).

Replace use of RPM to discover krb5 version by use of pkgconf which
provides the same output but doesn't need to look into RPM database.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
f9776291 by Alexander Bokovoy at 2020-11-17T18:48:24+02:00
Azure CI: mask chronyd in the container

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ff79c0ce by Alexander Bokovoy at 2020-11-17T19:00:52+02:00
Add contributors from translations project at Weblate

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
038645d8 by Alexander Bokovoy at 2020-11-17T19:03:07+02:00
Translations: update translations template

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a1f3e3b8 by Alexander Bokovoy at 2020-11-17T19:07:03+02:00
Become FreeIPA 4.9.0 release candidate 1

- - - - -
25eebb21 by Mohammad Rizwan at 2020-11-18T11:44:18-05:00
ipatests: Test certmonger IPA responder switched to JSONRPC

This is to test if certmonger IPA responder swithed to JSONRPC
from XMLRPC

related: https://pagure.io/freeipa/issue/3299

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>

- - - - -
1a09ce9f by Rob Crittenden at 2020-11-18T12:40:32-05:00
Use host keytab to obtain credentials needed for ipa-certupdate

This command doesn't require any permissions that a host doesn't
already have and it simplifies overall credential handling.

It also corrects the case where the server API cache is out of
date and there are no credentials available to refresh it which
can lead to a confusing error message.

Also switch to MEMORY-based ccache rather than file to avoid
having to clean up the filesystem.

https://pagure.io/freeipa/issue/8531

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
4941d3d4 by Rob Crittenden at 2020-11-18T12:40:32-05:00
ipatests: Test that ipa-certupdate can run without credentials

https://pagure.io/freeipa/issue/8531

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
244704cc by Alexander Bokovoy at 2020-11-18T13:32:16-05:00
util: Fix client-only build

Commit 26b9a697844c3bb66bdf83dad3a9738b3cb65361 did not fully fix the
client-only build as util/ipa_pwd.c unconditionally includes
pwquality.h.

Make sure we define USE_PWQUALITY in the full server configuration and
if that one is defined, include libpwquality use.

Fixes: https://pagure.io/freeipa/issue/8587
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
46f114d9 by Sudhir Menon at 2020-11-20T15:19:24-05:00
ipatests: Tests for ipahealthcheck.ds.nss_ssl

test_nsscheck_cert_expiring is moved under test_ipa_healthcheck_expiring

This patch checks that the 'ipahealthcheck.ds.nss_ssl' check in
healthcheck tool reports the correct status for the "Server-Cert"
about to expire and already expired respectively.

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
a525b2eb by Rob Crittenden at 2020-11-24T11:14:42-05:00
Create IPA ssh client configuration and move ProxyCommand

The ProxyCommand is non-executable if the user does not have
a valid shell (like /sbin/nologin) so skip it in that case.

https://pagure.io/freeipa/issue/7676

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d89e3abf by Rob Crittenden at 2020-11-24T11:14:42-05:00
ipatests: Test that Match ProxyCommand masks on no shell exec

Accounts without a shell should not execute ProxyCommand
otherwise the authorization will fail.

https://pagure.io/freeipa/issue/7676

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
3cd6b81a by Rob Crittenden at 2020-11-25T20:42:49-03:00
ipatests: call the CALess install method to generate the CA

https://pagure.io/freeipa/issue/8581

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
de5baf85 by Rob Crittenden at 2020-11-25T20:42:49-03:00
ipatests: Configure a replica in TestACMEwithExternalCA

This subclasses TestACME which installs and configures a
replica in order to verify global enable/disable of ACME.

https://pagure.io/freeipa/issue/8581

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
5d286e79 by Rob Crittenden at 2020-11-25T20:42:49-03:00
ipatests: Clean up existing ACME registration and certs

The same base class is used for ACME setup and configuration.
Be sure to clean up any existing registraton prior to continuing
otherwise ACME register will complain.

https://pagure.io/freeipa/issue/8581

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
b474b263 by Rob Crittenden at 2020-11-25T20:42:49-03:00
ipatests: configure MDStoreDir for mod_md ACME test

This directory defines the location for ACME-related files
used by mod_md. Specify and create it rather than relying
on defaults to both fix a test failure and to make the
files accessable for debugging purposes.

https://pagure.io/freeipa/issue/8581

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
75ad5757 by Rob Crittenden at 2020-11-25T20:42:49-03:00
ipatests: honor class inheritance in TestACMEwithExternalCA

TestACMEwithExternalCA subclasses TestACME which subclasses
CALessBase.

CALessBase is necessary to generate the certificates for the
test_third_party_certs() test.

This means that the TestACME install classmethod needs to be
called by its subclasses. But the install actually does the
installation of the servers as well so needs to be aborted
at that point in the case of a subclass.

https://pagure.io/freeipa/issue/8581

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
17f293e9 by Rob Crittenden at 2020-11-25T20:42:49-03:00
ipatests: Increase timeout for ACME in gating.yaml

Increase to 7200 from 3600 to match other executions.

Related: https://pagure.io/freeipa/issue/8581

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
a3c5c719 by Armando Neto at 2020-11-25T20:42:49-03:00
ipatests: Bump PR-CI templates

Update box to force update dependencies on pki-* and
selinux-policy.

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
17a4198a by Robbie Harwood at 2020-11-26T14:09:50+01:00
Fix krbtpolicy tests

0d67180f7d2d0c6b5856db7061c44521f6a13c23 introduced the with_admin
fixture using class scope, which caused test failures as pytest
instantiated it before the multihost fixture.

It additionally failed to account for jitter - the issued ticket becomes
within a window of the expected lifetime, so we need to include the
ticket lifetime jitter into that calculation.

Finally, the PKINIT test could not have ever worked because PKINIT is
not set up as part of policy testing.

Related: https://pagure.io/freeipa/issue/8590

Also-authored-by: Rob Crittenden <rcritten at redhat.com>
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7e605e95 by Sudhir Menon at 2020-11-26T16:31:16+01:00
ipatests: support subordinate upn suffixes

This test adds new UPN Suffix on the AD side
within the ad.test subtree i.e new.ad.test and this
UPN is then assigned to aduser and then try to
kinit using aduser along with the UPN set, to ensure
that the kinit succeeds

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
381cc5e8 by Alexander Bokovoy at 2020-11-26T16:31:16+01:00
ad trust: accept subordinate domains of the forest trust root

Commit 8b6d1ab854387840f7526d6d59ddc7102231957f added support for
subordinate UPN suffixes but missed the case where subordinate UPN is a
subdomain of the forest root domain and not mentioned in the UPN
suffixes list.

Correct this situation by applying the same check to the trusted domain
name as well.

Fixes: https://pagure.io/freeipa/issue/8554
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
08bbd0a2 by Antonio Torres Moríñigo at 2020-11-27T08:41:55+01:00
ipa-client-install manpage: add ipa.p11-kit to list of files created

Add missing ipa.p11-kit file to list of files created in
ipa-client-install manpage.

https://pagure.io/freeipa/issue/8424

Signed-off-by: Antonio Torres Moríñigo <atorresm at protonmail.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
06a7db18 by Florence Blanc-Renaud at 2020-12-01T08:40:36+01:00
Always define the path DNSSEC_OPENSSL_CONF

The variable was None by default and set to /etc/ipa/dnssec/openssl.cnf
for fedora only because the code is specific to the support of pkcs11
engine for bind. As a consequence ipa-backup had a "None" value in the
list of files to backup and failed on Exception.

ipa-backup code is able to handle missing files, and the code using
the pkcs11 engine is called only when NAMED_OPENSSL_ENGINE is set
(only in fedora so far). It is safe to always define a value for
DNSSEC_OPENSSL_CONF even on os where it does not exist.

The fix also improves the method used to verify that a path exists.

Fixes: https://pagure.io/freeipa/issue/8597
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
826dccc9 by Mark Reynolds at 2020-12-01T11:34:37+01:00
Accept 389-ds JSON replication status messages

389-ds now stores a replication agreement status message in a JSON
string in a new attribute:

                  replicaLastInitStatusJSON
                  replicaLastUpdateStatusJSON

The original status attributes' values are not changing at this time,
but there are plans to do so eventually as the old status format is
confusing.

http://www.port389.org/docs/389ds/design/repl-agmt-status-design.html

Fixes: https://pagure.io/freeipa/issue/7975

Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a9e1c014 by Rob Crittenden at 2020-12-01T13:05:40-05:00
Change KRA profiles in certmonger tracking so they can renew

Internal profiles were assigned which prevented rewewals.

dogtag is providing a new profile for the audit signing cert,
caAuditSigningCert.

There are existing profiles for the transport (caTransportCert)
and storage (caStorageCert) certificates.

https://pagure.io/freeipa/issue/8545

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
bd4771d7 by Rob Crittenden at 2020-12-01T13:05:40-05:00
Test that the KRA profiles can renewal its three certificates

The KRA was previously configured with Internal CA profiles
which did not work with the IPA RA.

Use public, common profiles to manage renewal of the KRA
subsystem certificates.

https://pagure.io/freeipa/issue/8545

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
3e530e93 by Rob Crittenden at 2020-12-01T13:05:40-05:00
Require PKI 10.10+ for KRA profile and ACME support

https://pagure.io/freeipa/issue/8545
https://pagure.io/freeipa/issue/8524

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
0d6caf5d by Rob Crittenden at 2020-12-02T10:20:31-05:00
Remove test for minimum ACME support and rely on package deps

This method was added temporarily while the required packages
were still under development and not available in stable
repositories.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ea67962d by Rob Crittenden at 2020-12-02T10:20:31-05:00
Reorder when ACME is enabled to fix failure on upgrade

On upgrading a server without ACME to one with ACME
the RA Agent DN needs to be added as a member of the
ACME Enterprise Users group. This was previously
done as part of the creation of that entry.

So on upgrade the RA Agent wouldn't be a member so
ipa-acme-manage didn't have access to operate against
the CA REST API.

In order to add the RA Agent to this group during installation
the ACME provisioning has to come after that step so it is
moved from the middle of an installation to the end and
the group addition moved into the setup_acme() method.

https://pagure.io/freeipa/issue/8603

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
20055dda by Rob Crittenden at 2020-12-02T14:30:38-05:00
Move where the restore state is marked during IPA server upgrade

There is still some exposure to killing in a bad place. This was
reproduced by killing the process in the parser.parse() call within
__restore_config (line 230) so the values were restored from the
backup but the new dse.ldif never written or copied. But the values
had already been restored from the state file.

I'm not sure this can ever be 100% bullet-proof since it can be
externally killed but if rather than calling restore_state() on the
values in __restore_config we use get_state() which will peek at the
values in the state file without removing them. Then the last step
is to pop upgrade-in-progress and then the rest.

If the values have been restored and the new ldif written and copied
then it's only upgrade-in-progress that really matters. The rest will
be overwritten.

https://pagure.io/freeipa/issue/7534

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
4ba6a037 by Rob Crittenden at 2020-12-02T14:32:26-05:00
Allow Apache to answer to ipa-ca requests without a redirect

Any request other than the FQDN is redirected with a permanent
move (301). Allowing ipa-ca as a valid name saves a round-trip.

This is only allowed on /ca, /kra, /pki, /acme and /ipa/crl.

https://pagure.io/freeipa/issue/8595

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b478bf99 by Rob Crittenden at 2020-12-02T14:32:26-05:00
ipatests: Test that ipa-ca.$domain can retrieve CRLs without redirect

https://pagure.io/freeipa/issue/8595

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
bf1d652f by Florence Blanc-Renaud at 2020-12-03T10:31:45+02:00
ipatests: fix TestTrust::test_subordinate_suffix

The test test_subordinate_suffix is failing when configuring the DNS
for the trust, because the dnsforwardzone already exists. It was
configured during the previous test for nonposix trust.

At the end of the tests for nonposix trust, unconfigure the DNS
and the trust before calling the subordinate_suffix test, and add
a test cleaning up subordinate_suffix test.

Fixes: https://pagure.io/freeipa/issue/8601
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
4b56a4cb by Alexander Bokovoy at 2020-12-03T16:55:15-05:00
freeipa.spec.in: unify spec files across upstream RHEL, and Fedora

In order to reduce maintenance burden and to be able to use automatic
build tools, bring up the differences between RPM spec files in
upstream, RHEL, and Fedora to a minimum.

This gives us an opportunity to:

- start using proper conditional macros (%bcond_with/%bcond_without)
- remove old cruft where Fedora 31+ and RHEL8+ are already the same
- remove Group lines which already deprecated in Fedora packaging
  policy
- remove buildroot cleanup
- support release candidate designations: mostly affects downstreams but
  it is better to have macro support in the common spec file.

There is also a special handling of the %SOURCE1 (detached tarball
signature). In developer builds we wouldn't have the signature generated
but RPM needs all files mentioned as sources and patches to exist. The
solution is to filter out detached signature if the final component of
the IPA_VERSION starts with 'dev'. This should cover both in-source
builds (also used in Azure CI and COPR) and PR CI.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
2e1cbcb7 by Rob Crittenden at 2020-12-03T16:55:15-05:00
VERSION: back to git snapshots

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
848dffb5 by Rob Crittenden at 2020-12-03T19:46:43-05:00
Convert reset_to_default_policy into a pytest fixture

This ensures that the ticket policy will be reset even on
failure.

https://pagure.io/freeipa/issue/8589

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
51b186b6 by Rob Crittenden at 2020-12-03T19:46:43-05:00
Generate a unique cache for each connection

Rather than having a shared ccache per user, configure
mod_auth_gssapi to create a unique one. This requires cleanup
to remove expired caches. A new script is added,
ipa-ccache-sweeper to do this. It will be invoked by a
new service, ipa-ccache-sweep, which will be executed every
12 hours by an equally-named timer.

https://pagure.io/freeipa/issue/8589

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
22fa1a7e by Rob Crittenden at 2020-12-03T19:46:43-05:00
ipatests: test that stale caches are removed using the sweeper

- Force wipe all existing ccaches
- Set the ticket policy to a short value, 30 seconds.
- Do a series of kinit, ipa command, kdestroy to generate ccaches
- sleep(30)
- Run the sweeper
- Verify that all ccaches are gone

https://pagure.io/freeipa/issue/8589

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
068d0857 by Rob Crittenden at 2020-12-03T19:46:43-05:00
Enable the ccache sweep systemd timer

The associated service doesn't need to be enabled. Enabling the
timer is suffient for it to execute. It requires the timers
service so will be ready automatically to run on the configured
period.

https://pagure.io/freeipa/issue/8589

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
28ed75ca by Rob Crittenden at 2020-12-03T19:46:43-05:00
Increase timeout for krbtpolicy to 4800

The addition of test_ccache_sweep includes a number of sleeps
to force cache expiration.

https://pagure.io/freeipa/issue/8589

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
2d576d5b by Rob Crittenden at 2020-12-04T13:01:49+02:00
Skip the ACME mod_md test when the client is in enforcing mode

mod_md requires its own SELinux policy which is only available
in the upstream github. It is beyond the scope of this test to
maintain SELinux policy only for the scenario so skip it
if the client is in enforcing.

Note that no check needs to be done on OS because that is
already handled by the outer skipif for skip_mod_md_tests.

https://pagure.io/freeipa/issue/8514

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
5f36ee51 by Alexander Bokovoy at 2020-12-04T13:11:23+02:00
Update contributors

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e74d6409 by Alexander Bokovoy at 2020-12-04T13:12:54+02:00
Become FreeIPA 4.9.0rc2

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
77674077 by Alexander Bokovoy at 2020-12-04T13:14:29+02:00
Back to git snapshots

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0cb8f065 by Alexander Bokovoy at 2020-12-04T22:31:03+02:00
Correct SELinux policy requirements

freeipa-selinux subpackage is used by both client and server but
requires freeipa-server subpackage unconditionally. This needs to be
removed.

Originally, upstream spec file did not have this bug. It was brought
in with unification of the specfiles.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1883005

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f2bc3f1c by Florence Blanc-Renaud at 2020-12-10T13:44:57+02:00
xmlrpctests: remove harcoded expiration date from test_user_plugin

The test test_user_plugin is using a hardcoded date for
password expiration and started failed since we passed this date.
Replace the hardcoded date with now + 1 year.

Fixes: https://pagure.io/freeipa/issue/8616
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
7d1a6886 by Alexander Bokovoy at 2020-12-10T16:02:51+02:00
Allow mod_auth_gssapi to create and access ccaches in /run/ipa/ccaches

With commit c6644b8566f747fa80e2c1925b79bad9f8c92bd7 we default to
create unique credential caches in /run/ipa/ccaches for every client
that connects to IPA with a new session. On F34, mod_auth_gssapi process
running as 'apache' cannot create the ccache in /run/ipa/ccaches because
it has no access rights.

The core of the problem is that we have two different paths to obtaining
a ccache: one where 'apache' running httpd process creates it directly
and one where an internal redirect from 'ipaapi' running httpd process
is happening.

Use SUID and SGID to 'ipaapi'/'ipaapi' and allow 'apache' group to write
to '/run/ipa/ccaches'. This fixes the problem.

Note that we cannot completely remove 'GssapiDelegCcachePerms'. If we'd
do so, mod_auth_gssapi will do redirects and fail.

Fixes: https://pagure.io/freeipa/issue/8613

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
cc51feb1 by Alexander Bokovoy at 2020-12-10T16:02:51+02:00
upgrade: provide DOMAIN to the server upgrade dictionary

Rules in ipa-rewrite.conf use $DOMAIN variable but it is not available
in the dictionary. Regression was introduced with
e731b2725a3772cd037683ff2e08c514fd02019f.

Fixes: https://pagure.io/freeipa/issue/8615
Related: https://pagure.io/freeipa/issue/8595

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
184997e8 by Alexander Bokovoy at 2020-12-10T17:39:42+02:00
systemd: enforce en_US.UTF-8 locale in systemd units

Python code does detection of the system encoding based on the locale
settings. On RHEL 8.4 development images we somehow get LANG=en_US which
defaults to iso8859-1 _inside_ the systemd-started service, even though
the whole environment defaults to LANG=en_US.UTF-8.

When instrumented with ExecStartPre=/usr/bin/locale, the following
output can be seen:

locale[45481]: LANG=en_US
locale[45481]: LC_CTYPE="en_US"
locale[45481]: LC_NUMERIC="en_US"
locale[45481]: LC_TIME="en_US"
locale[45481]: LC_COLLATE="en_US"
locale[45481]: LC_MONETARY="en_US"
locale[45481]: LC_MESSAGES="en_US"
locale[45481]: LC_PAPER="en_US"
locale[45481]: LC_NAME="en_US"
locale[45481]: LC_ADDRESS="en_US"
locale[45481]: LC_TELEPHONE="en_US"
locale[45481]: LC_MEASUREMENT="en_US"
locale[45481]: LC_IDENTIFICATION="en_US"
locale[45481]: LC_ALL=
ipactl[45483]: Unexpected error
ipactl[45483]: SystemEncodingError: System encoding must be UTF-8, 'iso8859-1' is not supported. Set LC_ALL="C.UTF-8", or LC_ALL="" and LC_CTYPE="C.UTF-8".
systemd[1]: ipa.service: Main process exited, code=exited, status=1/FAILURE

Set the environment to explicit LC_ALL=C.UTF-8 to please the Python
code. FreeIPA server side only cares about actual encoding, not the
language itself. We already use LC_ALL=C.UTF-8 in httpd service snippet..

Fixes: https://pagure.io/freeipa/issue/8617
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>

- - - - -
cf30cc3f by Florence Blanc-Renaud at 2020-12-10T17:57:56+02:00
Improve PKI subsystem detection

The dogtaginstance.is_installed() method currently relies on
the presence of the directory /var/lib/pki/pki-tomcat/{ca|kra},
even if it is empty.
An unwanted consequence is ipa-server-upgrade wrongly assuming the KRA
is installed and crashing when trying to upgrade a not-installed
component.

The fix relies on the command "pki-server subsystem-show {ca|kra}" to
detect if a subsystem is installed. The command does not require PKI
to be running (hence can be called anytime) and is delivered by
the pki-server package which is already required by ipa server pkg.

Fixes: https://pagure.io/freeipa/issue/8596
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
24f6a36b by Florence Blanc-Renaud at 2020-12-10T17:57:56+02:00
ipatests: add test for PKI subsystem detection

Add a new upgrade test. Scenario:
- create an empty /var/lib/pki/pki-tomcat/kra directory
- call ipa-server-upgrade

With issue 8596, the upgrade fails because it assumes KRA is
installed. With the fix, ipa-server-upgrade completes successfully.

Related: https://pagure.io/freeipa/issue/8596
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
502d2910 by Alexander Bokovoy at 2020-12-10T18:05:00+02:00
Become FreeIPA 4.9.0rc3

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f5cd9d07 by Alexander Bokovoy at 2020-12-10T18:06:10+02:00
Back to git snapshots

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d41bfea4 by Sudhir Menon at 2020-12-17T11:47:13+01:00
ipatests: Test for IPATrustDomainsCheck with external trust to AD

This testcase checks that when external trust is configured
between IPA and AD subdomain, IPATrustDomainsCheck
doesnot display ERROR

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
184fa809 by Sudhir Menon at 2020-12-17T11:47:13+01:00
Modified YAML files

Currently the TestIpaHealthCheckWithADtrust trust required
only one root AD Domain for testing.
Replaced the existing topology with adroot_adchild_adtree_master_1client
so that trust tests can be run with child/tree root AD domains.

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
2efc44d0 by Alexander Scheel at 2020-12-17T14:32:37+01:00
Fix spelling mistake: filen ame -> filename

Signed-off-by: Alexander Scheel <ascheel at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
3c965a07 by François Cami at 2020-12-18T17:47:08+02:00
ipatests: make sure dns_lookup_kdc is always true

Previously, dns_lookup_kdc was only set to True if DNS
discovery worked or if the KDC was not specified on the
command-line.

Make sure dns_lookup_kdc is always set to true.

Fixes: https://pagure.io/freeipa/issue/6523
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
352f2bee by François Cami at 2020-12-18T17:47:08+02:00
ipa-client-install: unilaterally set dns_lookup_kdc to True

Previously, dns_lookup_kdc was only set to True if DNS
discovery worked or if the KDC was not specified on the
command-line.

Setting dns_lookup_kdc to False would result in a hardcoded
configuration which is less reliable in the long run.
For instance, adding a trust to an Active Directory forest
after clients are enrolled would result in clients not being
able to authenticate AD users. Recycling FreeIPA servers
could prove problematic if the original hostnames are not
reused too.

Change summary:
Always set dns_lookup_kdc to True on client enrollment.
With this change, DNS SRV search will always be performed
before looking into  /etc/krb5.conf realm entries.

Fixes: https://pagure.io/freeipa/issue/6523
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
2d1594c3 by Alexander Bokovoy at 2020-12-18T18:11:05+02:00
ipa-kdb: use predefined filters for a wild-card searches

In case we've got a principal name as '*', we don't need to specify
the principal itself, use pre-defined filter for a wild-card search.

Previously, we had to escape the '*' as specifying it with an explicit
matching rule would have violated RFC 4515 section 3. However, since we
don't really need to specify a different matching rule for a wild-card
search, we can remove this part completely.

Use this change as an opportunity to simplify the code and reduce
number of duplicated filter constants -- if extra filter is NULL, we can
simply pass "" and use _EXTRA filter constants to format the final
filter.

Fixes: https://pagure.io/freeipa/issue/8624

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
06fbb8b4 by Alexander Bokovoy at 2020-12-18T19:01:46+02:00
service: handle empty list of services to update their state

When there are no services in LDAP that have specified states, we don't
need to update their state.

Fixes: https://pagure.io/freeipa/issue/8623

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
59432e92 by Alexander Bokovoy at 2020-12-18T19:01:46+02:00
upgrade: do not overshadow service module in upgrade_configuration

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
56c8b174 by Alexander Bokovoy at 2020-12-18T19:01:46+02:00
upgrade: ensure service state is synchronized with the server state

Convert configuredService to either enabledService or hiddenService
depending on the state of the server role.  This is to fix situations
when deployment has happened before introduction of hidden replicas
as those services will stay as configuredService and will not get
started after upgrade, rendering the system non-functioning.

Fixes: https://pagure.io/freeipa/issue/8623

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
38cb763d by Timo Aaltonen at 2020-12-19T11:00:52+02:00
Debian: Fix paths and service names for bind 9.16

Got changed for 9.16 and up.

Signed-off-by: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
efe767c4 by Timo Aaltonen at 2020-12-19T11:00:52+02:00
Debian: Fix chrony service name

Signed-off-by: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b46fa4e4 by Timo Aaltonen at 2020-12-19T11:00:52+02:00
ipaplatform: Use gpg instead of gpg2

'gpg2' is a convenience symlink on Debian, provided by a package that
will go away eventually. 'gpg' is available everywhere.

Signed-off-by: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
18721cc8 by Slava Aseev at 2020-12-19T11:02:16+02:00
ipa-kdb: handle dates up to 2106-02-07 06:28:16

krb5 uses the negative part of krb5_timestamp to store time values
after 2038:
https://k5wiki.kerberos.org/wiki/Projects/Timestamps_after_2038
In other words, krb5 uses krb5_timestamp (signed int) with
unsigned arithmetic for expanding the timestamp's upper bound.

This commit:
  - adds some helper functions for working with krb5_timestamp as
    unsigned (actually copied from
    https://github.com/krb5/krb5/blob/master/src/include/k5-int.h)
  - replaces operations with krb5_timestamp's by these new functions

Fixes: https://pagure.io/freeipa/issue/8028
Signed-off-by: Slava Aseev <ptrnine at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>

- - - - -
f3a1b4af by Christian Heimes at 2020-12-19T14:49:13+02:00
Change mkdir logic in DNSSEC

- Create /var/named/dyndb-ldap/ipa/master/ early
- Assume that /var/named/dyndb-ldap/ipa/master/ exists in BINDMgr.sync()

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
8f6b4a07 by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/bn_IN translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
57b41e0d by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/ca translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
7b63b5b8 by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/cs translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
9c166cfc by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/de translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
09f97d2e by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/en_GB translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
03cf8ffe by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/es translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
0b02b051 by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/eu translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
33f4e658 by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/fr translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
fa4ac630 by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/hi translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
9d4d4d27 by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/hu translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
036c9675 by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/id translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
12de97fc by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/ja translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
162aa652 by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/kn translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
58d20171 by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/mr translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
5ea60482 by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/nl translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
4bf0a13a by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/pa translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
9ed9eb7c by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/pl translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
970c4050 by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/pt_BR translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
acd2f305 by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/pt translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
ad37d39e by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/ru translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
badd9551 by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/sk translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
1bf4b41f by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/tg translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
29f797d4 by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/tr translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
bdb759ac by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/uk translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
6c58f825 by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/zh_CN translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
4db85bed by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update IPA translation template before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
e2f9912b by Vit Mojzis at 2020-12-19T23:08:05+02:00
selinux: Fix/waive issues reported by SELint

- order permissions alphabeticaly
- do not use semicollon after interfaces
- gen_require should only be used in interfaces
-- to resolve this issue, corresponding changes have to be made in
distribution policy instead of ipa module - disabling check

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
0b3f8719 by François Cami at 2020-12-19T23:08:05+02:00
set SELinux to Enforcing in gating.xml

Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
2244a7a2 by Carl George at 2020-12-21T16:51:35+02:00
Use uglifyjs on CentOS too

Only checking for ID to equal "rhel" causes build failures on CentOS
Stream.  Instead check both ID and ID_LIKE.  This should also work later
on when rebuilds like CentOS Linux get this update.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
6f8e4886 by François Cami at 2020-12-21T22:33:54+02:00
set SELinux back to Permissive in gating.xml

Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d9bdd3e9 by Alexander Bokovoy at 2020-12-22T00:12:45+02:00
tests_webui: flip leading and trailing space password test

With commit 809d9cb80f5f4471f125823888f37875aa37809e we now allow
leading and trailing space in passwords. Fix Web UI tests to follow this
change.

Fixes: https://pagure.io/freeipa/issue/8629
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
7d13d704 by Alexander Bokovoy at 2020-12-22T00:12:45+02:00
tests_webui: fix wrong user name key for trail space case

User name for trail space key was using the name for lead space key.
As a result, when both tests were transformed, second one was
unsuccessful as the original user was already created.

Fix the user name data according to the test.

Fixes: https://pagure.io/freeipa/issue/8629
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
eb42b109 by Alexander Bokovoy at 2020-12-22T16:17:00+02:00
opendnssecinstance: use late binding for UID/GID resolution

Move actual resolution of UID/GID values for 'ods' and 'named' entities
to the code that needs them. This prevents failures when uninstalling
IPA server set up without DNS feature. In particular, 'named' group is
created when 'bind' package is installed and if 'bind' package is not
installed, uninstall fails in OpenDNSSEC instance constructor.

We use common pattern for all services during uninstall:

 svc = SVCClass(..)
 if svc.is_configured()
     svc.uninstall()

This requires that the class constructor should not rely on artifacts
that only exist when the service is configured.

Fixes: https://pagure.io/freeipa/issue/8630

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
eae9f0d8 by Alexander Bokovoy at 2020-12-22T16:17:00+02:00
dnskeysyncinstance: use late binding for UID/GID resolution

Move actual resolution of UID/GID values for 'ods' and 'named' entities
to the code that needs them. This prevents failures when uninstalling
IPA server set up without DNS feature. In particular, 'named' group is
created when 'bind' package is installed and if 'bind' package is not
installed, uninstall fails in OpenDNSSEC instance constructor.

We use common pattern for all services during uninstall:

 svc = SVCClass(..)
 if svc.is_configured()
     svc.uninstall()

This requires that the class constructor should not rely on artifacts
that only exist when the service is configured.

Fixes: https://pagure.io/freeipa/issue/8630

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
eca22818 by Alexander Bokovoy at 2020-12-22T16:17:00+02:00
odsexporterinstance: use late binding for UID/GID resolution

Move actual resolution of UID/GID values for 'ods' entities to the code
that needs them. This prevents failures when uninstalling IPA server set
up without DNS feature. In particular, 'ods' user and group are created
when 'opendnssec' package is installed and if 'opendnssec' package is
not installed, uninstall fails in OpenDNSSEC Exporter instance
constructor.

We use common pattern of checking the service during uninstall:

 svc = SVCClass()
 if svc.is_configured():
    svc.uninstall()

Thus, service class constructor must not do UID/GID resolution

Fixes: https://pagure.io/freeipa/issue/8630

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
a3058d52 by Alexander Bokovoy at 2020-12-23T16:10:26+02:00
Update list of contributors

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1354031d by Weblate at 2020-12-23T16:30:25+02:00
Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Co-authored-by: Weblate <noreply at weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/
Translation: freeipa/master

- - - - -
44914cf1 by Alexander Bokovoy at 2020-12-23T16:33:22+02:00
Become FreeIPA 4.9.0

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0fd4a893 by Alexander Bokovoy at 2020-12-23T16:35:08+02:00
Get back to git snapshots

Track 4.9.1 development

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
8c7d1fba by Alexander Bokovoy at 2020-12-23T20:22:34+01:00
ipaplatform: add constant for systemd-run binary

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
6fe573b3 by Alexander Bokovoy at 2020-12-23T20:22:34+01:00
ipatests: fix race condition in finalizer of encrypted backup test

When using a fixture, we get a temporary directory created and then
removed by pytest. Pytest uses `shutil.rmtree` call which collects all
files in the directory being removed and then removes them one by one.
At the point of removal of our GNUPGHOME directory, gpg daemon is being
shut down and there might still be an agent UNIX domain socket. The
removal actually overlaps in time with shut down of the gpg daemon, thus
causing `shutil.rmtree()` to fail when an agent UNIX domain socket is
removed by the daemon.

Change the way how we run the gpg agent to use a temporary systemd
service. Stop the service in the finalizer method so that systemd would
send SIGTERM signal and the gpg agent would clean itself up.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
8bc34186 by Florence Blanc-Renaud at 2020-12-23T20:25:21+01:00
ipatests: fix expected error message in test_commands

389ds does not return any more additional information
about a failing bind (to avoid leaking information).

As a consequence, when ipa-nis-manage is provided a
wrong password, the error message contains less info
as in the past and needs to be fixed.

Fixes: https://pagure.io/freeipa/issue/8631
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>

- - - - -
dd1b596b by Florence Blanc-Renaud at 2020-12-23T20:27:08+01:00
ipatests: remove test_acme from gating

test_acme is not stable and often needs to be
launched multiple times. Remove the test from gating
until the issue is fixed

Related: https://pagure.io/freeipa/issue/8602
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>

- - - - -
27cc011a by Sudhir Menon at 2021-01-06T16:36:26+01:00
ipatests: ipahealthcheck remove test skipped in pytest run

TestIpaHealthCLI::test_input_file test was skipped due to
bz1866558. Removed the below statement so that the test can
now run as the bug is fixed.

@pytest.mark.xfail(reason='BZ 1866558', strict=False)

Also changed the assert statement to search text in
stdout_text rather than sdterr_text

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
2035ba99 by Sudhir Menon at 2021-01-06T16:37:44+01:00
ipatests: Test for IPATrustControllerPrincipalCheck

This testcase checks when trust between IPA-AD is established
successfully, IPATrustControllerPrincipalCheck displays
result as SUCCESS

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
286d0680 by Florence Blanc-Renaud at 2021-01-07T09:52:05+01:00
ipatests: clear initgroups cache in clear_sssd_cache

The tasks module provides a method to clear sssd cache,
but the method does not remove the file /var/lib/sss/mc/initgroups.

Update the method to also remove this file.

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
10ba43ad by Rob Crittenden at 2021-01-07T16:10:22+01:00
Don't change the CA profile when modifying request in ipa_certupdate

The CA tracking request is modified (it calls renew but it doesn't
actually do a renewal) as part of ipa-certupdate and it dropped
the profile. ipa-healthcheck discovered this condition.

https://pagure.io/freeipa/issue/8644

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
ad1764a1 by Rob Crittenden at 2021-01-07T16:10:22+01:00
ipatests: test that no errors are reported after ipa-certupdate

The CA tracking request was modified to drop the profile which
was caught by ipa-healthcheck. Run ipa-certupdate then
ipa-healthcheck to confirm that no problems are introduced.

https://pagure.io/freeipa/issue/8644

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
8d7697af by Sergey Orlov at 2021-01-07T16:16:16+01:00
ipatests: do not set dns_lookup to true

dns_lookup was set to false during ipa client installation which prevented
searches for SRV records for Kerberos servers.
Since https://pagure.io/freeipa/issue/6523 is fixed, dns_lookup is always True
now and the fixture is not needed anymore.

Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
f36e518b by Florence Blanc-Renaud at 2021-01-08T09:47:08+01:00
ipatests: add a test for ipa-cert-fix

Add a new test for ipa-cert-fix issue 8618. When the CSR for one
of the certs to be renewed is missing from /etc/pki/pki-tomcat/{ca|kra}/CS.cfg
ipa-cert-fix fails to renew the certificates.

Test scenario:
move the date in the future to expire PKI system certificates (+3 years)
delete the directive ca.sslserver.certreq from CS.cfg
call ipa-cert-fix and ensure that the CSR was found

Related: https://pagure.io/freeipa/issue/8618

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
eb711f78 by Florence Blanc-Renaud at 2021-01-08T09:47:08+01:00
ipa-cert-fix: do not fail when CSR is missing from CS.cfg

When the CSR for an expired cert is not found in
/etc/pki/pki-tomcat/{ca|kra}/CS.cfg, ipa-cert-fix fails to
renew the certificate and repair the installation.

The CSR can be found using certmonger as it is stored in
/var/lib/certmonger/requests/<ID> in the "csr" attribute.
Prior to calling pki-server cert-fix, make sure that the
CSR is present in CS.cfg, or update CS.cfg with the content
found using certmonger.

Fixes: https://pagure.io/freeipa/issue/8618

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7f2be8a4 by Florence Blanc-Renaud at 2021-01-08T09:47:08+01:00
ipatests: add test_ipa_cert_fix to the nightly definitions

Add the new test test_integration/test_ipa_cert_fix.py to the
nightly definitions.

Related: https://pagure.io/freeipa/issue/8618
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
071b7129 by Rob Crittenden at 2021-01-09T18:09:39+01:00
Remove invalid test case for DNS SRV priority

Upstream dnspython 2.1.0 introduced additional error checking
on SRV values and now rejects invalid priorities.

Remove the sorting test for priority of -1.

https://pagure.io/freeipa/issue/8650

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
952b6bdc by Florence Blanc-Renaud at 2021-01-10T11:05:34+01:00
selinux: modify policy to allow one-way trust

In selinux enforcing mode, the command ipa trust-add fails
to establish a one-way trust, during the step fetching the remote
domains.

This step calls a script over DBus and oddjob, that is executed
with oddjob_t context. The policy must allow noatsecure.

Currently the optional_policy is defined in selinux-policy
repo but is ineffective as ipa_helper_noatsecure is not defined
in this repo. When the optional_policy is defined in our own
module, it is taken into account and ipa trust-add succeeds.

Fixes: https://pagure.io/freeipa/issue/8508
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
9ae74425 by Rob Crittenden at 2021-01-13T17:42:16+01:00
Remove virtual attributes before rolling back a permission

On a failed permission update if the generated ACI is
invalid then the updated permission is rolled back.

Add the virtual relationship attributes to list of attributes
to be ignored when rolling back the entry.

This relies on the current order in the LDAPObject
relationships field where member and memberof are the first
two values.

https://pagure.io/freeipa/issue/8646

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
bdc383a1 by Rob Crittenden at 2021-01-13T17:42:16+01:00
ipatests: test that modifying a permission attrs handles failure

Add a test to ensure that a change to a permission that will
result in an invalid ACI is rolled back.

https://pagure.io/freeipa/issue/8646

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
df411f00 by Robbie Harwood at 2021-01-14T10:01:46+01:00
Set client keytab location for 389ds

Handles behavior change in
https://github.com/389ds/389-ds-base/pull/4523

Fixes: https://pagure.io/freeipa/issue/8656
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
753246f4 by Alexander Bokovoy at 2021-01-14T10:05:12+01:00
ipaserver/dcerpc: use Samba-provided trust helper to establish trust

When establishing trust to Active Directory forest, RC4 is used to
encrypt trusted domain object credentials as an application-specific
material in a secure channel based on AES session key.

In FIPS mode it is not possible to use RC4 directly.

Samba 4.14 and backports to 4.13 in Fedora 33+ and RHEL 8.4+ now
provide a helper that wraps LSA RPC call CreateTrustedDomainEx2.
This helper ensures that in FIPS mode we first check that LSA session
key is AES before allowing RC4 use internally in Samba bindings. Thus,
it becomes possible to establish trust to Active Directory forest in
FIPS mode.

Adopt FreeIPA code to use the helper provided by Samba when it is
available. If neither the helper nor unprotected arcfour_encrypt utility
is available from Samba bindings, fail import of the ipaserver.dcerpc
module.

Fixes: https://pagure.io/freeipa/issue/8655
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
8ab9bf68 by Alexander Bokovoy at 2021-01-14T10:05:12+01:00
ipaserver/dcerpc.py: use Kerberos authentication for discovery

In FIPS mode we cannot rely on NTLMSSP at all, so we have ensure
Kerberos is used by Samba Python libraries. This is achieved by
requiring credentials objects to always use Kerberos authentication.

Additionally, we have to normalize the principal used to authenticate.
In case it was passed without realm, add forest root domain as a realm.
In case it was passed with NetBIOS domain name, remove it and replace
with a realm. Since we only know about the forest root domain as a
realm, require that for other domains' users a real Kerberos principal
is specified.

Fixes: https://pagure.io/freeipa/issue/8655
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
3fa07a10 by Alexander Bokovoy at 2021-01-14T10:05:12+01:00
ipaserver/dcerpc.py: enforce SMB encryption on LSA pipe if available

We want to always use SMB encryption if it is possible on LSA pipe as we
are going to pass what accounts to a plain-text content within
CreateTrustedDomainEx2 call.

The catch is that older Samba version might not have a way to enforce
this and we need fall back to work with existing connection then.

Fixes: https://pagure.io/freeipa/issue/8655
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ca9f8d1c by Rob Crittenden at 2021-01-14T11:08:49+01:00
ipatests: See if nologin supports -c before asserting message

Per the ssh_config(5) man page under ProxyCommand:

"The command string extends to the end of the line, and is
executed using the user's shell ‘exec’ directive to avoid a
lingering shell process."

<shell> -c <proxy command>

Some older versions of nologin (RHEL/CentOS) do not support
the -c option so will still fail but since nologin doesn't
actually execute properly it doesn't include the output
'This account is currently not available' so don't assert
in that case. The returncode of 1 is sufficient to know
that the login is denied.

https://pagure.io/freeipa/issue/7676

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0db28969 by Florence Blanc-Renaud at 2021-01-15T09:57:28+01:00
ipatest: fix test_upgrade.py::TestUpgrade::()::test_kra_detection

Modify the test scenario in order to be independant from PKI
behavior. The aim of the test is to ensure that the KRA
detection is not based on the presence of the directory
/var/lib/pki/pki-tomcat/kra/.
Previously the test was calling ipa-server-upgrade but this cmd
may fail even with the kra detection fix because of an issue in
pki (https://github.com/dogtagpki/pki/issues/3397).
Instead of exercising the whole ipa-server-upgrade command, the
test now checks the output of the API kra.is_installed() to validate
KRA detection mechanism.

Fixes: https://pagure.io/freeipa/issue/8653
Related: https://pagure.io/freeipa/issue/8596

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
3aeb9b8e by Rob Crittenden at 2021-01-15T14:01:45+01:00
Revert "Remove test for minimum ACME support and rely on package deps"

This reverts commit 81c97bb9928a88a595b3afe6fa70fcfb267b1440.

This is to make IPA installable again with older versions of dogtag
so it will install on CentOS 8 Stream.

ACME will not be deployed but on upgrade, if pki 10.10.x is available
then it will be.

https://pagure.io/freeipa/issue/8634

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ec4511ec by Rob Crittenden at 2021-01-15T14:04:10+01:00
Add missing break statement to password quality switch

Discovered by coverity.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f0de5570 by Rob Crittenden at 2021-01-15T14:04:10+01:00
ipa-kdb: Change mspac base RID logic from OR to AND

The purpose is to set a default if the RID doesn't match
expectations.

Discovered by coverity

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
93f8840e by Rob Crittenden at 2021-01-15T14:04:10+01:00
ipa-kdb: Fix logic to prevent NULL pointer dereference

Discovered by coverity

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
df0c2d7e by Rob Crittenden at 2021-01-15T14:04:10+01:00
ipa_kdb: Fix memory leak

ipadb_get_principal() allocates client_actual. Call
ipadb_free_principal to release it.

Rather than spreading the free() amongst the code introduce
done as a target to match behavior in similar functions.

Discovered by coverity.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f6cfbffc by Rob Crittenden at 2021-01-15T14:04:10+01:00
ipa_pwd: Remove unnecessary conditional

It is already confirmed that item_data is not NULL so there
is no need to check it again.

Discovered by coverity.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
06ffc7aa by Rob Crittenden at 2021-01-15T10:48:21-05:00
ipa-rmkeytab: convert numeric return values to #defines

This makes it clearer what the return value means.

Replace closing of keytab based on the numeric return value
and do it based on whether the keytab was opened at all.

https://pagure.io/freeipa/issue/8658

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7b380969 by Rob Crittenden at 2021-01-15T10:48:21-05:00
ipa-rmkeytab: Check return value of krb5_kt_(start|end)_seq_get

The return value of functions managing the cursor in the keytab
were not checked or reported in a consistent way. This should
assure a reasonable error message in case something goes wrong.

https://pagure.io/freeipa/issue/8658

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ccdecaa9 by Armando Neto at 2021-01-19T11:27:10+01:00
ipatests: Update PR-CI definitions for ipa-4-9

Adding PR-CI definitions for gating, "previous" and "latest" nightly runs.

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
bd3bad88 by Florence Blanc-Renaud at 2021-01-19T16:13:15+01:00
ipatests: fix expected errmsg in TestTrust::test_ipa_commands_run_as_aduser

389ds does not return any more additional information
about a failing bind (to avoid leaking information).

As a consequence, when ipa ping is executed with an AD user
the error message contains less info as in the past and needs to be fixed..

Fixes: https://pagure.io/freeipa/issue/8668
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
56b84973 by Christian Heimes at 2021-01-19T17:48:41+01:00
Add ccache sweeper files to gitignore

See: https://pagure.io/freeipa/issue/8589
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
41a9cc63 by Stanislav Levin at 2021-01-19T17:51:28+01:00
ipatests: Raise log level of 389-ds replication

- change log level for replication debugging
  According to the docs:
  ```
  default level of logging(16384) used for critical errors and other
  messages that are always written to the error log. Messages at this
  level are always included in the error log, regardless of the log
  level setting.
  ```

- always flush the access logs to filesystem
  During the testing access logs may be written with delay, this
  results in logs are not collected by this test node, but for example,
  the next one.

- as of now, the changes on `cn=config` are made after the installation
  of server or replica. If an error occurs during these stages, then the
  actual log level will be the default and not as expected.

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
2a86a93e by Antonio Torres at 2021-01-19T17:52:47+01:00
Test that IPA certs are removed on server uninstall

Test that IPA certs are removed after the server uninstall
process. This is needed since if these certs are not
removed from the system store, further installations
will fail.

Related: https://pagure.io/freeipa/issue/8614
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
2715fbd4 by Antonio Torres at 2021-01-19T17:52:47+01:00
Check that IPA cert is added to trust store after server install

Checking that IPA cert has been added to trust
store is needed to verify that installation
of the server is correct. This cert should also
be removed on uninstall to prevent failures
on further installations.

Related: https://pagure.io/freeipa/issue/8614
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
2a207918 by Florence Blanc-Renaud at 2021-01-20T15:56:29+01:00
ipatests: fix healthcheck test for ipahealthcheck.ds.encryption

389ds is combining the value set in dse.ldif and the current crypto
policy to evaluate the min TLS version that it will be using.
The test needs to change the crypto policy to LEGACY in order to allow
TLS 1.0, because the DEFAULT policy prevents TLS 1.0 on fc33+.

Fixes: https://pagure.io/freeipa/issue/8670

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>

- - - - -
1dd4501a by Rob Crittenden at 2021-01-21T13:43:11+01:00
Add support for cgroup v2 to the installer memory checker

Support both the case where there is a limit imposed on the
container and when there isn't.

https://pagure.io/freeipa/issue/8635

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
85d944ce by Rob Crittenden at 2021-01-21T13:43:11+01:00
ipatests: test the cgroup v2 memory restrictions

Also rename a few tests to hopefully make their purpose clearer.

https://pagure.io/freeipa/issue/8635

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
34add4a2 by François Cami at 2021-01-22T08:43:19+01:00
ipatests: test_ipahealthcheck: fix units

df uses 1024 bytes as its default display value, but this can be
tweaked by environment variables or a CLI knob.
Force the output unit to 1024 bytes using the CLI and parse it
accordingly.

Fixes: https://pagure.io/freeipa/issue/8674
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
f8bf3742 by Alexander Bokovoy at 2021-01-22T21:10:58-05:00
ipa-kdb: provide correct logon time in MS-PAC from authentication time

When MS-PAC structure is created, we get passed the time of
authentication from KDC. Use this to record logon time in MS-PAC
structure.

Set allow password change time to the last password change. We need to
refer to the actual password policy here in future.

Also use INT64_MAX to represent the resulting value for logoff
and kickoff times according to MS-PAC 2.6.

Fixes: https://pagure.io/freeipa/issue/8659
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
962052a0 by Alexander Bokovoy at 2021-01-22T21:10:58-05:00
ipasam: implement PASSDB getgrnam call

ipasam already implemented retrieval of groups for MS-SAMR calls.
However, it did not have implementation of a group retrieval for the
path of lookup_name() function in Samba. The lookup_name() is used in
many places in smbd and winbindd.

With this change it will be possible to resolve IPA groups in Windows UI
(Security tab) and console (net localgroup ...). When Global Catalog
service is enabled, it will be possible to search for those groups as
well.

In Active Directory, security groups can be domain, domain local, local
and so on. In IPA, only domain groups exposed through ipasam because
SID generation plugin only supports adding SIDs to POSIX groups and
users. Thus, non-POSIX groups are not going to have SIDs associated and
will not be visible in both UNIX and Windows environments.

Group retrieval in Samba is implemented as a mapping between NT and
POSIX groups. IPA doesn't have explicit mapping tables. Instead, any
POSIX group in IPA that has a SID associated with it is considered a
domain group for Samba.

Finally, additional ACI is required to ensure attributes looked up by
ipasam are always readable by the trust agents.

Fixes: https://pagure.io/freeipa/issue/8660
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
2e8eb0f5 by Alexander Bokovoy at 2021-01-22T21:10:58-05:00
ipasam: allow search of users by user principal name (UPN)

lookup_name() in Samba may call PASSDB API to search by a UPN (e.g.
username at suffix). Support this call by detecting '@' in the passed name
and setting up filter to be

  (&(objectClass=ipaNTUserAttrs)(objectClass=krbPrincipalAux)(krbPrincipalName:caseIgnoreIA5Match:=%s))

instead of

  (&(objectClass=ipaNTUserAttrs)(uid=%s))

The result of the search would still contain a proper user entry as we
always have krbPrincipalName in LDAP entries of IPA users. Note that the
match must be case-insensitive because otherwise krbPrincipalName is
matched with exact case in the schema. We use the same matching override
in KDB driver already.

Fixes: https://pagure.io/freeipa/issue/8661
Signed-of-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
e8f927db by Alexander Bokovoy at 2021-01-22T21:10:58-05:00
ipasam: free trusted domain context on failure

The context is hanging off a talloc memory context passed into the
function so it will eventually be freed. It is better, though, to free
it immediately when we exit from the fill_pdb_trusted_domain() function.

Related: https://pagure.io/freeipa/issue/8576
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
f1031729 by Alexander Bokovoy at 2021-01-22T21:10:58-05:00
ipasam: derive parent domain for subdomains automatically

[MS-ADTS] 6.1.6.7.13 defines 'trustPartner' attribute as containing a
FQDN of the trusted domain. In practice, for a subdomain of a forest, it
would be FQDN of the subdomain itself in the trusted domain entry in the
parent domain. This is reflected as ipaNTTrustPartner attribute in
FreeIPA.

Remove ipaNTTrustPartner from the searches that use NetBIOS name. We
match cn of that entry already.

Use RDN value of the entry to derive DNS domain name in case
ipaNTTrustPartner is missing.

For subdomains, set trust attributes to 0 and trust flags to mark them
as being within the forest. This will trigger winbindd to not ask for
credentials to reach those domain controllers directly.

Fixes: https://pagure.io/freeipa/issue/8576
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
3d706b6f by Alexander Bokovoy at 2021-01-22T21:10:58-05:00
ipaserver/dcerpc: store forest topology as a blob in ipasam

winbindd expects forest topology information blob to find out child
domains. We should store it in LDAP and let ipasam to retrieve it.
In fact, ipasam already supports updating and loading this information
but during 'ipa trust-fetch-domains' we didn't provide it.

Make sure the blob is preserved after it was retrieved and also updated
when we fetch forest topology information.

Fixes: https://pagure.io/freeipa/issue/8576
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
dc16c248 by Sergey Orlov at 2021-01-22T21:10:58-05:00
ipatests: use fully qualified name for AD admin when establishing trust

Changes in https://pagure.io/freeipa/issue/8655 made it impossible
to use AD admin name without domain part in "ipa trust-add" command to
establish external trust with an AD tree domain.
Also use fully qualified admin name by default in all trust related tests
to reduce abiguity

Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
b5359249 by JoeDrane at 2021-01-22T21:10:58-05:00
Update ipa_sam.c

fixed typo in debug message on line 4040.

Signed-off-by: JoeDrane <joe at drane.io>
Reviewed-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c842d4b5 by Alexander Bokovoy at 2021-01-22T21:10:58-05:00
trust-fetch-domains: use custom krb5.conf overlay for all trust operations

Operations in FIPS mode make impossible use of NTLMSSP when
authenticating to trusted Active Directory domain controllers because
RC4 cipher is not allowed. Instead, Kerberos authentication have to be
used. We switched to enforce Kerberos authentication when communicating
with trusted domains' domain controllers everywhere.

Kerberos library uses system wide configuration which in IPA defaults to
resolving location of KDCs via DNS SRV records. Once trust is
established, SSSD will populate a list of closest DCs and provide them
through the KDC locator plugin. But at the time the trust is established
performing DNS SRV-based discovery of Kerberos KDCs might fail due to
multiple reasons. It might also succeed but point to a DC that doesn't
know about the account we have to use to establish trust.

One edge case is when DNS SRV record points to an unreachable DC,
whether due to a firewall or a network topology limitations. In such
case an administrator would pass --server <server> option to
'ipa trust-add' or 'ipa trust-fetch-domains' commands.

'ipa trust-fetch-domains' runs a helper via oddjobd. This helper was
already modified to support --server option and generated custom
krb5.conf overlay to pin to a specific AD DC. However, this
configuration was removed as soon as we finished talking to AD DCs.

With switch to always use Kebreros to authenticate in retrieval of the
topology information, we have to use the overlay everywhere as well.

Convert the code that generated the overlay file into a context that
generates the overlay and sets environment. Reuse it in other
trust-related places where this matters.

Oddjob helper runs as root and can write to /run/ipa for the krb5.conf
overlay.

Server side of 'ipa trust-add' code calls into ipaserver/dcerpc.py and
runs under ipaapi so can only write to /tmp.  Since it is a part of the
Apache instance, it uses private /tmp mounted on tmpfs.

Fixes: https://pagure.io/freeipa/issue/8664
Related: https://pagure.io/freeipa/issue/8655
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
9f63afb4 by Alexander Bokovoy at 2021-01-22T21:10:58-05:00
use a constant instead of /var/lib/sss/keytabs

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
dc2a52ab by Florence Blanc-Renaud at 2021-01-22T21:13:23-05:00
ipatests: fix expected output for ipahealthcheck.ipa.files

With ipa-healthcheck 0.8, the test ipahealthcheck.ipa.files is able
to return a list of possible owners/groups as a comma-separated string
instead of a single owner/group (see commit 930ec5f).

The test output needs to be fixed accordingly.

Fixes: https://pagure.io/freeipa/issue/8662

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
89eba7d3 by Antonio Torres Moríñigo at 2021-01-26T12:53:36-05:00
Allow leading/trailing whitespaces in passwords

kwargs is redefined to set the `noextrawhitespace` parameter
from the Str class to `False`.

Fixes: https://pagure.io/freeipa/issue/7599

Signed-off-by: Antonio Torres Moríñigo <atorresm at protonmail.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
3f3762ef by Antonio Torres Moríñigo at 2021-01-26T12:53:36-05:00
ipatests: test that trailing/leading whitespaces in passwords are allowed

Add test to ensure that strings with trailing or leading
whitespaces are allowed as valid passwords.

Signed-off-by: Antonio Torres Moríñigo <atorresm at protonmail.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
16b30cbe by Alexander Bokovoy at 2021-01-26T16:31:25-05:00
Add design document for using AD users/groups in SUDO rules

Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
132d7fb0 by Alexander Bokovoy at 2021-01-26T16:31:25-05:00
baseldap: refactor validator support in add_external_pre_callback

baseldap.py:add_external_pre_callback() allows to redefine validators
used to validate member names. Originally this was done to allow
hostname validation and reused default validators associated with other
parameter types.

Provide extension of the validator callbacks to allow fine grained
validation strategy. This is helpful in case we want to apply an
alternative validation strategy in case default validator fails.

New validators can be added to 'member_validator' registry in a similar
way to how API objects are registered:

from .baseldap import member_validator

@member_validator(membertype='foo')
def my_new_validator(ldap, dn, keys, options, value):
    <validate value here>

Arguments passed to the validator are arguments passed to the
add_external_pre_callback() augmented with the value to validate.

Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Signed-off-by: Peter Keresztes Schmidt <carbenium at outlook.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
ffc2edf6 by Alexander Bokovoy at 2021-01-26T16:31:25-05:00
baseldap: when adding external objects, differentiate between them and failures

It was possible to add external members without any validation. Any
object that was not found in IPA LDAP was considered an external object
and a command such as sudorule could have added it to the list of values
for externalUser attribute.

With member validator support, real external members from trusted
domains can be differentiated from the objects that were not found in
IPA and in trusted domains.

Use information from the ID Views plugin to treat external objects
accordingly. Not found objects will be part of the error messaging
instead.

Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
a3563d1c by Alexander Bokovoy at 2021-01-26T16:31:25-05:00
idviews: add extended validator for users from trusted domains

Register extended validator for users from trusted domains to be called
through add_external_pre_callback() in sudorules and other plugins.

The callbacks allow to validate user names as following:

 - if user name passes basic user name validator it is accepted, otherwise
 - if user name can be resolved to any user in IPA or in a trusted
   domain, it is accepted
 - otherwise the name is rejected

Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
054a068f by Alexander Bokovoy at 2021-01-26T16:31:25-05:00
sudorule-add-user: allow to reference users and groups from trusted domains directly

Allow specifying AD users and groups from trusted Active Directory
forests in `ipa sudorule-add/remove-user` family of commands.

SSSD uses single attribute 'externalUser' for IPA to pull 'external'
objects referenced in SUDO rules. This means both users and groups are
represented within the same attribute, with groups prefixed with '%',
as described in sudoers(5) man page.

Add member type validators to 'ipa sudorule-add/remove-user' family
commands and rely on member type validators from 'idviews' plugin to
resolve trusted objects.

Referencing fully qualified names for users and groups from trusted
Active Directory domains in 'externalUser' attribute of SUDO rules is
supported in SSSD 2.4 or later.

RN: IPA now supports adding users and groups from trusted Active
RN: Directory domains in SUDO rules without an intermediate non-POSIX
RN: group membership

Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
78043bfb by Alexander Bokovoy at 2021-01-26T16:31:25-05:00
sudorule runAs: allow to add users and groups from trusted domains directly

Allow specifying AD users and groups from trusted Active Directory
forests in `ipa sudorule-add/remove-runasuser/runasgroup` family of
commands.

IPA provides 'ipasudorunasextuser' and 'ipasudorunasextusergroup' LDAP
attributes to record 'external' objects referenced in SUDO rules for
specifying the target user and group to run the commands allowed in the
SUDO rule.

Use member type validators to 'ipa sudorule-add/remove-runasuser/runasgroup'
family of commands and rely on member type validators from 'idviews'
plugin to resolve trusted objects.

Referencing fully qualified names for users and groups from trusted
Active Directory domains in IPA SUDOERs schema attributes is supported
in SSSD 2.4 or later.

RN: IPA now supports users and groups from trusted Active Directory
RN: domains in SUDO rules to specify runAsUser/runAsGroup properties
RN: without an intermediate non-POSIX group membership

Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
f4d3c91e by Alexander Bokovoy at 2021-01-26T16:31:25-05:00
ipatests: fix test_sudorule_plugin's wrong argument use

Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
a7c56fde by Alexander Bokovoy at 2021-01-26T16:31:25-05:00
test_trust: add tests for using AD users and groups in SUDO rules

Tests test_integration/test_trust.py::TestTrust::test_sudorules_ad_*
check that a user from a trusted AD domain can perform SUDO
authentication without a password for any command based on a direct user
reference or on indirect AD group reference. The test suite also ensures
an AD user and group can be used for runAsUser/runAsGroup settings.

Due to https://github.com/SSSD/sssd/issues/5475 anything added to
'ipaSudoRunAsExtUserGroup' attribute will be prefixed with '%' and thus
any relying on the value of this attribute displayed by 'sudo -l'
command will fail. The test only validates that a proper group name
appears in the 'sudo' output, so we handle both prefixes in the
corresponding test check. It is not possible to differ by the SSSD
version as a fix to the issue is only a patch on top of 2.4.0 in RHEL.

Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
64b70be6 by Alexander Bokovoy at 2021-01-26T16:31:25-05:00
ipatests: when talking to AD DCs, use FQDN credentials

Samba 4.13+ in Fedora 33+ and RHEL 8.4+ defaults to Kerberos
authentication. This means user name used for authentication must be
mapped to a target realm.

We have to remove trust on AD side first before removing it locally or
otherwise MIT Kerberos might not be able to locate DCs from AD as
removal of the trust information would cause SSSD to clear the details
for a KDC locator plugin as well.

For the test that modifies AD DNS zone on IPA side to inject unreachable
DCs addresses, the configuration has to be reverted first, to allow
plain 'kinit' during removal of trust to reach AD DCs directly.

Fixes: https://pagure.io/freeipa/issue/8678
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
51ca3877 by Alexander Bokovoy at 2021-01-26T16:31:25-05:00
baseldap: allow rejecting unknown objects instead of adding to an external attr

IPA traditionally allowed to add names not found in IPA LDAP to external
attributes. This is used to allow, for example, a local system user or
group be present in a SUDO rule.

With membership validator, we can actually check validity of the names
against both IPA users/groups and users/groups from trusted domains.
If in future we decide to reject a local system's objects, then all it
would take is to switch reject_failures to True.

Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
bb786934 by Florence Blanc-Renaud at 2021-01-27T09:44:17+02:00
ipatests: fix discrepancies in nightly defs

- Build is using a prio of 100 while tests use 50, use consistent
values
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
cbe7d225 by Stanislav Levin at 2021-01-27T09:46:06+02:00
ipatests: Don't assume sshd flush its logs immediately

sshd logs are not displayed immediately in journalctl, this results
in the tests checked the corresponding system logs are racy. I can't
find a way to flush ones. So, the best is the periodical reading of
the system log.

Related: https://pagure.io/freeipa/issue/8682
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
2ac8028e by Alexander Bokovoy at 2021-01-27T10:38:44+02:00
Update contributors list

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
6f6dd624 by Alexander Bokovoy at 2021-01-27T10:38:44+02:00
Force-update translation po/de.po

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a1c43ac3 by Alexander Bokovoy at 2021-01-27T10:38:44+02:00
Force-update translation po/hu.po

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
cb583ac1 by Alexander Bokovoy at 2021-01-27T10:38:50+02:00
Force-update translation po/ipa.pot

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a97967ff by Alexander Bokovoy at 2021-01-27T10:38:50+02:00
Force-update translation po/uk.po

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
aa58fad8 by Alexander Bokovoy at 2021-01-27T10:53:40+02:00
Become FreeIPA 4.9.1

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9690659d by Alexander Bokovoy at 2021-01-27T10:55:04+02:00
Back to git commits

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
5517aa69 by Sergey Orlov at 2021-01-27T16:26:47-05:00
fix collecting log files which are symlinks

One of the files that are collected after each test is /etc/resolv.conf.
In Fedora 33 this file is actually a symlink. `tar` does not follow
symlinks by default which results in either a broken link in test
artifacts or a symlink pointing to local file on the tests controller
machine.
Fixed by instructing `tar` to resolve the symlinks, so that actual file
pointed by symlink is stored in test artifacts.

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
0d9f988f by Sergey Orlov at 2021-01-29T22:32:46+01:00
ipatests: rewrite test for requests routing to subordinate suffixes

The original test had some issues:
* it was doing many actions not related to the tested issue which obscured
  actual test scenario
* subordinate suffix was hard coded in the test which prevented the test
  from checking original issue in case AD domain name did not match this
  hard coded value
* Invocation of commands on AD controller was failing in some environments

Other improvements:
* added docstring with test details
* added guard assertions for test preliminary conditions

Related to https://pagure.io/freeipa/issue/8554

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
2c48897e by Christian Heimes at 2021-01-31T14:57:59+01:00
Fix cert_request for KDC cert

ca_kdc_check() expects an API object, not an LDAP connection. Issue was
introduced in commit 8f4abf7bc1607fc44f528b8a443b69cb82269e69.

See: https://pagure.io/freeipa/issue/6739
Fixes: https://pagure.io/freeipa/issue/8686
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
5ab290a0 by Christian Heimes at 2021-01-31T15:02:48+01:00
Ensure that KDC cert has SAN DNS entry

The dns parameter of request_and_wait_for_cert() must be a string of
hostnames.

* Enforce list/tuple type so that API misuse no longer passes silently.
* Add commonNameToSANDefaultImpl to KDCs_PKINIT_Certs profile
* Explicitly pass hostname for service certs

Fixes: https://pagure.io/freeipa/issue/8685
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
b71c0c67 by Rob Crittenden at 2021-01-31T15:07:57+01:00
Report the NSS database directory if it cannot be opened

If the system lacks DBM support and an older database is
opened then an exception is raised. Include the directory in
the exception so it is clearer which database cannot be opened.

https://pagure.io/freeipa/issue/8675

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
348d4eef by Rob Crittenden at 2021-01-31T15:07:57+01:00
Ignore database errors when trying to extract ipaCert on upgrade

If NSSDatabase() throws a ValueError it means we can't open it
to look for an existing ipaCert to migrate. Chances are there is
no certificate to migrate at this point in Fedora so don't let
it blow up the entire installation/upgrade. Warn the user and let
them figure it out.

We have no real path forward on this and by proceeding it could
lead to more errors (like no RA) but it is extremely unlikely and
would require a user to upgrade from very old Fedora to very
new Fedora in one step.

https://pagure.io/freeipa/issue/8675

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
7f1849e7 by Rob Crittenden at 2021-01-31T15:07:57+01:00
ipatests: Update NSSDatabase DBM test on non-DBM-capable installs

The string was updated to include the directory the for the database
but this was not reflected in the test and not picked up because
the tests were executed on Fedora 32 which supports dbm so the
test wasn't executed.

https://pagure.io/freeipa/issue/8675

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
6eff5b95 by Rob Crittenden at 2021-02-01T14:33:05-05:00
Provide more detailed logging around memory detection

This should make it easier to troubleshoot low memory installation
failures from the logs.

https://pagure.io/freeipa/issue/8404

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
5fb0cc43 by Rob Crittenden at 2021-02-01T14:33:45-05:00
Only build the UI with uglifyjs on RHEL 8

The previous expression tested for RHEL or RHEL-like
systems to use uglifyjs. Tighten that up to only RHEL 8
so future RHEL can use rjsmin.

https://pagure.io/freeipa/issue/8669

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
8a4cf218 by Alexander Bokovoy at 2021-02-03T08:58:11+02:00
ipa-sam: return NetBIOS domain name instead of DNS one

[MS-NRPC] section 2.2.1.4.11 requires that the structure
NETLOGON_VALIDATION_SAM_INFO has the same values as defined in the
KERB_VALIDATION_INFO structure from [MS-PAC] section 2.5.

Samba's netr_SamBaseInfo.domain_name corresponds to
KERB_VALIDATION_INFO.LogonDomainName and must be a NetBIOS name of the
domain, not a DNS one.

Failure to provide NetBIOS name here actually breaks
netr_LogonSamLogonEx call issued by IPA-enrolled Samba domain member
which is confused by the returned value:

[2021/01/30 16:36:36.636010,  0, pid=1633, effective(0, 0), real(0, 0), class=winbind]
  ../../source3/winbindd/winbindd_util.c: 175(add_trusted_domain)
  add_trusted_domain: SID [S-1-5-21-3342930694-1632731913-1318603033]
  already used by domain [INTERNAL], expected [internal.example.test]
[2021/01/30 16:36:36.636050, 10, pid=1633, effective(0, 0), real(0, 0), class=winbind]
  ../../source3/winbindd/winbindd_util.c:362(add_trusted_domain_from_auth)
  add_trusted_domain_from_auth: Adding domain [internal.example.test]
  with sid [S-1-5-21-3342930694-1632731913-1318603033] failed
[2021/01/30 16:36:36.636060,  0, pid=1633, effective(0, 0), real(0, 0), class=winbind]
  ../../source3/winbindd/winbindd_pam_auth_crap.c:169(winbindd_pam_auth_crap_done)
  winbindd_pam_auth_crap_done: add_trusted_domain_from_auth failed
[2021/01/30 16:36:36.636079, 10, pid=1633, effective(0, 0), real(0, 0), class=winbind]
  ../../source3/winbindd/winbindd.c:814(process_request_done)
  process_request_done: [smbd(1650):PAM_AUTH_CRAP]: NT_STATUS_LOGON_FAILURE

Fixes: https://pagure.io/freeipa/issue/8636
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>

- - - - -
85674f16 by Mohammad Rizwan at 2021-02-03T09:02:39+02:00
ipatests: Test if server setup without dns uninstall properly

IPA server uninstall was failing if dns was not setup.
This test check if it uninstalls properly.

related: https://pagure.io/freeipa/issue/8630

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
29377901 by Sergey Orlov at 2021-02-03T17:41:31+01:00
ipatests: add a tests-oriented wrapper for pexpect module

The pexpect module can be used for controlling and testing interactive
command-line programs. The wrapper adds testing-oriented features like
logging and automatic process termination and default check for process
exit status.

Related to: https://pagure.io/freeipa/issue/8690

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1c15447e by Sergey Orlov at 2021-02-03T17:41:31+01:00
ipatests: use pexpect to invoke ktutil

`ktutil` is a REPL-style utility that can be controlled only interactively.
The common approach of sending commands to stdin does not work with it on
systems where `readline` library has version less then 8.0 due to a bug
in that version.
With `pexpect` we avoid this bug because it emulates the terminal
when interacting with spawned process instead of simply sending all input
to stdin.

Related to: https://pagure.io/freeipa/issue/8690

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
34d72d16 by Sergey Orlov at 2021-02-03T17:41:31+01:00
ipatests: use pexpect to control inetractive session of ipa-adtrust-install

During interactive session of `ipa-adtrust-install` the user needs to
answer several questions. This was done by sending all answers to
the processes stdin without analyzing the questions.

If the installation scenario changes at some point we can get on of the
following results:
* the test fails in the end and the root cause is not obvious
* if a new question was added
* test does not fail but answers are provided for wrong questions -
  in this case scope of test case changes without being noticed

If we use `pexpect` for controlling the session, the test will fail
immediately when it encounters unexpected question.

Related to: https://pagure.io/freeipa/issue/8690

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
5a1ad476 by Alexander Bokovoy at 2021-02-04T01:22:30+01:00
client: synchronize ignored return codes with ipa-rmkeytab

Refactoring ipa-rmkeytab with commit
f3f9672d527008dc741ac90aa465bac842eea08d led to new error code 7 when
MIT Kerberos fails to iterate through the keys. It appears now in places
where in past error code 3 was returned.

Related: https://pagure.io/freeipa/issue/8658
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b99bc2d8 by Rob Crittenden at 2021-02-04T14:14:51+01:00
Change CA profile migration message from info to debug

This is an informational message and clutters the installation
screen with no end-user benefit. Logging it as debug is
sufficient to know what is going on.

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
4d26ce50 by Rob Crittenden at 2021-02-04T14:14:51+01:00
Use the new API introduced in PKI 10.8

https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
ddb5414d by Rob Crittenden at 2021-02-04T14:14:51+01:00
ipactl: support script status 3, program is not running

Return status 3 if ipactl status can't start 389-ds or if
any of the expected services is not running.

https://pagure.io/freeipa/issue/8588

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
87ede26c by Rob Crittenden at 2021-02-04T14:14:51+01:00
Ensure IPA is running (ideally) before uninstalling the KRA

The KRA attempts to unregister itself from the security domain
which requires that IPA be running for this to succeed.

1. Move the KRA uninstall call prior to stopping all IPA
   services
2. Try to start IPA if it isn't running and a KRA is configured

It isn't mandatory that IPA be running for the KRA uninstall to
succeed but it will suppress a pretty scary backtrace and error
message.

https://pagure.io/freeipa/issue/8550

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
302f9377 by Rob Crittenden at 2021-02-04T14:14:51+01:00
Add exit status to the ipactl man page

The existing return codes were undocumented but basically
followed the LSB. Document those along with the new
options for status.

https://pagure.io/freeipa/issue/8550

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
00226ada by Rob Crittenden at 2021-02-04T14:14:51+01:00
ipatests: Handle non-zero return code in test_ipactl_scenario_check

https://pagure.io/freeipa/issue/8550

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
2b64a4e8 by Antonio Torres at 2021-02-04T14:29:32-05:00
Update samba configuration on IPA master to explicitly use 'server role' setting

The default for this setting is 'auto', which may affect
IPA Samba configuration on future Samba versions. By explicitly
setting this parameter in the template, future manual
intervention is prevented.

Fixes: https://pagure.io/freeipa/issue/8452
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
44762369 by Florence Blanc-Renaud at 2021-02-05T09:05:19+01:00
dnssec: fix the key type with OpenDNSSEC 2.1

The database storing the keys with OpenDNSSEC 2.1 has a
different schema from OpenDNSSEC 1.4, and the keytype
(ZSK, KSK) is stored in a different table column: "role"
instead of "keytype".

With OpenDNSSEC 1.4, keytype can be 256 (ZSK) or 257 (KSK), while
with OpenDNSSEC 2.1, role can be 1 (KSK) or 2 (ZSK).
The schema migration can be seen in opendnssec source code:
enforcer/utils/1.4-2.0_db_convert/sqlite_convert.sql

INSERT INTO hsmKey
SELECT DISTINCT REMOTE.keypairs.id, 1, REMOTE.keypairs.policy_id,
REMOTE.keypairs.HSMkey_id, 2, REMOTE.keypairs.size,
REMOTE.keypairs.algorithm,  (~(REMOTE.dnsseckeys.keytype)&1)+1,
CASE WHEN REMOTE.keypairs.generate IS NOT NULL THEN
	strftime('%s', REMOTE.keypairs.generate)
	ELSE strftime("%s", "now") END,
0,
1, --only RSA supported
 REMOTE.securitymodules.name,
0 --assume no backup
FROM REMOTE.keypairs
JOIN REMOTE.dnsseckeys
	ON REMOTE.keypairs.id = REMOTE.dnsseckeys.keypair_id
JOIN REMOTE.securitymodules
	ON REMOTE.securitymodules.id = REMOTE.keypairs.securitymodule_id;

and the schema for the table is defined in enforcer/src/db/kasp.sqlite:
CREATE TABLE HsmKey (
    locator VARCHAR(255) NOT NULL,
    candidate_for_sharing TINYINT UNSIGNED DEFAULT 0,
    bits INT UNSIGNED DEFAULT 2048,
    policy VARCHAR(255) DEFAULT 'default',
    algorithm INT UNSIGNED DEFAULT 1,
    role VARCHAR(3) DEFAULT 'ZSK',
    inception INT UNSIGNED,
    isrevoked TINYINT UNSIGNED DEFAULT 0,
    key_type VARCHAR(255),
    repository VARCHAR(255),
    backmeup TINYINT UNSIGNED DEFAULT 0,
    backedup TINYINT UNSIGNED DEFAULT 0,
    requirebackup TINYINT UNSIGNED DEFAULT 0,
    id INTEGER PRIMARY KEY AUTOINCREMENT
);

Fixes: https://pagure.io/freeipa/issue/8647
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
dd21d068 by Florence Blanc-Renaud at 2021-02-05T09:05:19+01:00
ipatests: add a test for ZSK/KSK keytype in DNSKEY record

When DNS is enabled for a zone, 2 DNSKEYs should be created:
one KSK and one ZSK.
Add a test ensuring that they can be queried on the master and
the replica.

Related: https://pagure.io/freeipa/issue/8647
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
2a51892a by Florence Blanc-Renaud at 2021-02-05T09:05:19+01:00
OpenDNSSEC: fix timezone in key creation date

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
b784e1f8 by Florence Blanc-Renaud at 2021-02-08T09:53:21+01:00
ipatests: fix ipahealthcheck fixture _modify_permission

The test is storing the initial file permissions obtained with 'stat',
then modifies them, calls ipa-healthcheck and reverts the permissions
to the original value.

When the file is a symlink, stat returns the permissions of the link,
not of the pointed-to file. But chmod modifies the permissions of the
pointed-to file, not of the link.
As a consequence, the fixture does not properly restore the original
file permissions.

The fix consists in calling 'stat -L' because the command follows
links.

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
8d306298 by Florence Blanc-Renaud at 2021-02-09T09:40:25+01:00
ipatests: ipactl status now exits with 3 when a service is stopped

Some tests are individually stopping a service and call
ipactl status to ensure it is stopped. They need to use
run_command with raiseonerr=False as ipactl status now
exits with 3 when one of the IPA services is down
(since commit 928ab51).

Related: https://pagure.io/freeipa/issue/8588
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
f05ee29d by Rob Crittenden at 2021-02-09T09:48:23-05:00
Change FreeIPA references to IPA and Identity Management

In order to simplify the build process between upstream FreeIPA
and downstream builds (such as CentOS Stream) we are changing
some file references from FreeIPA to IPA (and Identity Management).

https://pagure.io/freeipa/issue/8669

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e35bec9a by Rob Crittenden at 2021-02-09T09:48:23-05:00
Remove support for csrgen

This was never feature complete and currently has issues and
we lack the resources to maintain it.

Drop it for now. It can be revived from git history in the
future if we see the need.

https://pagure.io/freeipa/issue/8669

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1478db89 by Rob Crittenden at 2021-02-09T09:48:23-05:00
Remove references to rjsmin in UI compile.sh

It specifically referenced using Python rjsmin while the
actual script would pick the minimizer based on the underlying
distribution.

https://pagure.io/freeipa/issue/8669

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
de351021 by Christian Heimes at 2021-02-09T09:48:23-05:00
Don't install csrgen extra dependencies

See: https://pagure.io/freeipa/issue/8669
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7d00ad4b by Alexander Bokovoy at 2021-02-09T09:48:23-05:00
Force-update translation po/de.po

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d8398815 by Alexander Bokovoy at 2021-02-09T09:48:23-05:00
Force-update translation po/es.po

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
cf054fc1 by Alexander Bokovoy at 2021-02-09T09:48:23-05:00
Force-update translation po/fr.po

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e77d6890 by Alexander Bokovoy at 2021-02-09T09:48:23-05:00
Force-update translation po/id.po

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
12d92fe5 by Alexander Bokovoy at 2021-02-09T09:48:23-05:00
Force-update translation after FreeIPA to IPA change: po/es.po

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
fc965210 by Alexander Bokovoy at 2021-02-09T09:48:23-05:00
Force-update translation after FreeIPA to IPA change: po/fr.po

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
936f98e9 by Rob Crittenden at 2021-02-09T09:48:23-05:00
Force-update translation after FreeIPA to IPA change: po/ipa.pot

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
dffe6957 by Rob Crittenden at 2021-02-10T08:21:15+01:00
Add RHEL 9 UI branding patch reference

The UI in RHEL has a different set of logos and different
background colors. Some direct adjustments were made that
are not buildable so apply them as a patch.

https://pagure.io/freeipa/issue/8669

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
55180f6e by Christian Heimes at 2021-02-10T08:23:16+01:00
configure: ipaplatform falls back to ID_LIKE

The auto-detection code for IPAPLATFORM now falls back to ID_LIKE.

CentOS platform will now be treated as rhel-like, Ubuntu platforms as
debian-like automatically.

Fixes: https://pagure.io/freeipa/issue/8689
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7ca2797e by Alexander Bokovoy at 2021-02-11T12:45:33+01:00
test_installutils: run gpg-agent under a specific SELinux context

system_u:system_r:init_t:s0 cannot execute gpg=agent when SELinux is in
enforcing mode. Use SELinux context that allows this execution:
system_u:system_r:initrc_t:s0 and wrap the whole execution into a bash
run to make sure init_t -> initrc_t transition.

Fixes: https://pagure.io/freeipa/issue/8699
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
45d7d15c by Florence Blanc-Renaud at 2021-02-15T10:01:10+02:00
cert plugin: propagate the error for non-existent cert

ipa cert-show, ipa cert-revoke and ipa cert-remove-hold do not
print meaningful info when called on a non-existent cert id:
Certificate operation cannot be completed: Unable to communicate
with CMS

Propagate the reason from the HTTP message in order to print
'Certificate ID 0x.. not found'

Fixes: https://pagure.io/freeipa/issue/8704
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
55c7e212 by Florence Blanc-Renaud at 2021-02-15T10:01:10+02:00
xmlrpc tests: add a test for cert-remove-hold

Add tests for the ipa cert-remove-hold command.
Scenario 1:
add host entry, request cert, revoke cert with "hold" reason, remove hold

Scenario 2:
call ipa cert-move-hold with a non-existent cert ID and ensure that
the exception mentions 'Certificate ID .. not found'

Related: https://pagure.io/freeipa/issue/8704
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
4f63dc99 by Antonio Torres at 2021-02-15T10:02:58+02:00
WebUI: change FreeIPA naming to IPA in About dialog

As part of the effort for reducing differences between
upstream and downstream releases, product naming in WebUI
About dialog is changed from FreeIPA to IPA.

Related: https://pagure.io/freeipa/issue/8669
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a16dc594 by Rob Crittenden at 2021-02-15T13:11:56+02:00
Set the ACME baseURL in order to pin a client to a single IPA server

ACME uses nonce values to prevent replay attacks. Since the
ipa-ca name can go to any of the IPA servers in order to verify the
nonce the servers need to know the value that was set which
relies on replication. Sometimes the client is faster than
replication so a request can fail.

This change returns the baseURL to the client as the name of the
ACME server during discovery which should pin all requests to this
one IPA server and alleviate the replication issue.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

https://pagure.io/freeipa/issue/8712

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
31061c60 by Rob Crittenden at 2021-02-15T13:11:56+02:00
Add versions to the ACME config templates and update on upgrade

Put the ACME config files under normal IPA versioning so we
can more seamlessly do updates to them.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

https://pagure.io/freeipa/issue/8712

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
6526ab48 by Rob Crittenden at 2021-02-15T13:11:56+02:00
Add some logging around initial ACME deployment

>From the upgrade log it was not possible to see the current
state of ACME which makes troubleshooting difficult.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

Related: https://pagure.io/freeipa/issue/8712
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
63b14839 by Stanislav Levin at 2021-02-15T13:47:45+02:00
Azure: Populate containers with self-AAAA records

IPA server's AAAA records at embedded DNS mode depend on result of
`get_server_ip_address` function(`ipaserver.install.installutils`),
which in turn, relies on NSS.

In case of Azure Pipelines, there are neither IPv6 records in
'/etc/hosts' nor external DNS, which may provide such. This leads to
the missing AAAA records for master and missing AAAA records for `ipa-ca`
pointing to master in embedded DNS.

In particular, tests `test_ipa_healthcheck_no_errors`,
`test_ipa_dns_systemrecords_check` fail with:
```
[
  {
    "source": "ipahealthcheck.ipa.idns",
    "check": "IPADNSSystemRecordsCheck",
    "result": "WARNING",
    "uuid": "b979a88a-6373-4990-bc83-ce724e9730b4",
    "when": "20210120055054Z",
    "duration": "0.032740",
    "kw": {
      "msg": "Got {count} ipa-ca AAAA records, expected {expected}",
      "count": 1,
      "expected": 2
    }
  }
]
```
where `ipa-ca` record exists only for replica.

Note: since the most of the code in setup_containers was touched it has
been reformatted.

Fixes: https://pagure.io/freeipa/issue/8683
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
151fa504 by Stanislav Levin at 2021-02-15T13:47:45+02:00
ipatests: Handle AAAA records in test_ipa_dns_systemrecords_check

This test assumes that the current environment has only IPv4, but
for example, Azure Pipelines provides both IPv4 and IPv6.

Fixes: https://pagure.io/freeipa/issue/8683
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0b11a7ce by Stanislav Levin at 2021-02-15T13:47:45+02:00
rpm-spec: Require crypto-policies-scripts

`update-crypto-policies` tool from RPM package `crypto-policies-scripts`
is required for tests.

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
602a4fa3 by Antonio Torres at 2021-02-15T13:52:54+02:00
sudocmd: ensure command doesn't contain trailing dot before adding it

Trailing dots aren't permitted in sudo commands, as
enforced explicitly in `get_dn`. Performing this check
before adding the command prevents the user from
entering invalid commands, which would otherwise trigger
errors when accessing them afterwards.

RN: ipa sudocmd-* commands now validate SUDO command name to not end with a dot.
RN: Previously a trailing dot was stripped away in when addressing a SUDO command's LDAP object.
RN: As a result, a SUDO command was created but it was not possible to refer to it in other IPA commands.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1925410
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
029daa5f by Antonio Torres at 2021-02-15T13:52:54+02:00
ipatests: test addition of invalid sudo command

Check that sudocmd-add fails when trying to add
a command containing a trailing dot.

Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b290bc12 by Thorsten Scherf at 2021-02-15T14:24:42+02:00
man: fix ipa-client-samba.1 typos

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9872610f by Rob Crittenden at 2021-02-15T19:06:21+02:00
Remove the option stop_certmonger from stop_tracking_*

This option was inconsistent between invocations and there is
no need to stop certmonger after stopping tracking. It was also
apparently causing dbus timeout errors, probably due to the amount
of work that certmonger does at startup.

https://pagure.io/freeipa/issue/8506
https://pagure.io/freeipa/issue/8533

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9854c399 by Florence Blanc-Renaud at 2021-02-15T20:29:42+02:00
ipatests: update expected error message

With commit ec6698f , the error message has changed from
  Unable to communicate with CMS (503)
to
  Request failed with status 503: Non-2xx response from CA REST API: 503.  (503)

Related: https://pagure.io/freeipa/issue/8704
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d1313a59 by Alexander Bokovoy at 2021-02-15T20:35:53+02:00
po: update translations template

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
66ffc9a6 by Alexander Bokovoy at 2021-02-15T20:36:53+02:00
po: refresh translations to remove outdated strings

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
34600a0e by Alexander Bokovoy at 2021-02-15T20:38:54+02:00
Become IPA 4.9.2

- - - - -
811d130c by Alexander Bokovoy at 2021-02-15T20:40:10+02:00
Back to git commits

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b590dcef by François Cami at 2021-02-16T12:51:11-05:00
ipatests: add TestInstallWithoutSudo

Test IPA servers and clients behavior when sudo is not installed.

Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
0c2741af by François Cami at 2021-02-16T12:51:11-05:00
ipatests: tasks: handle uninstalling packages with nodeps

Handle package removal without taking dependencies into account.
E.g. add frontends for rpm -e --nodeps.

Related: ipatests/pytest_ipa/integration/tasks.py
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Armando Neto <