pytest 3.x does no longer support plain pytest.skip() on module level.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add tests for searching disabled/enabled users.
XFAIL: newly created users has no 'nsaccountlock' attribute set and
user-find doesn't return them as active users. This should be fixed.
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This is in preparation for separating out the user under which the
ipa api framework runs as.
This commit also removes certs.NSS_DIR to avoid confusion and replaces
it where appropriate with the correct NSS DB directory, either the old
HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is
removed altogether as it was simply not necessary.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Requesting certificates for test purposes is not necessary as we allow to
upload arbitrary certificate to the user, host or service. Also requesting
certificate from dogtag takes some time and the test is slower for no good
reason.
More it's not posible to request certificate for stageuser even though it's
possible to upload certificates to stageusers now.
https://fedorahosted.org/freeipa/ticket/6623
Reviewed-By: Martin Basti <mbasti@redhat.com>
Fix provide possibility to create user-add test with minimal values,
where uid is not specified, to provide better coverage. Also provide
check for non-empty unicode string for attributes required in init method
https://fedorahosted.org/freeipa/ticket/6126
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
subjectAltName is required or relevant in most certificate use cases
(esp. TLS, where carrying DNS name in Subject DN CN attribute is
deprecated). Therefore it does not really make sense to have a
special permission for this, over and above "request certificate"
permission.
Furthermore, we already do rigorously validate SAN contents again
the subject principal, and the permission is waived for self-service
requests or if the operator is a host principal.
So remove the permission, the associated virtual operation, and the
associated code in cert_request.
Fixes: https://fedorahosted.org/freeipa/ticket/6526
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Administrators need a way to retrieve the certificate or certificate
chain of an IPA-managed lightweight CA. Add params to the `ca'
object for carrying the CA certificate and chain (as multiple DER
values). Add the `--chain' flag for including the chain in the
result (chain is also included with `--all'). Add the
`--certificate-out' option for writing the certificate to a file (or
the chain, if `--chain' was given).
Fixes: https://fedorahosted.org/freeipa/ticket/6178
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Currently we do not check Kerberos principal aliases when validating
a CSR. Enhance cert-request to accept the following scenarios:
- for hosts and services: CN and SAN dnsNames match a principal
alias (realm and service name must be same as nominated principal)
- for all principal types: UPN or KRB5PrincipalName othername match
any principal alias.
Fixes: https://fedorahosted.org/freeipa/ticket/6295
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
In Python 3 exception instances no longer have a message attribute.
For most exceptions, str(e) or string formatting give the same result.
Fix some renamed modules, module members and functions.
https://fedorahosted.org/freeipa/ticket/4985
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
In tracker, 'self.attrs' variable is created and filled in track_create method.
Some objects are not created but still require access to this variable.
Created 'self.attrs' variable in init
https://fedorahosted.org/freeipa/ticket/6125
Reviewed-By: Milan Kubik <mkubik@redhat.com>
A bunch of certplugin tests were testing number of revoked certificates with
various revocation reasons. Since existence of revoked certificates often
depends on other parts of IdM than IPA, it is not really valid to check their
presence unless creation of revoked certificate is intentionally tested.
https://fedorahosted.org/freeipa/ticket/6349
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Unused variables may:
* make code less readable
* create dead code
* potentialy hide issues/errors
Enabled check should prevent to leave unused variable in code
Check is locally disabled for modules that fix is not clear or easy or have too many occurences of
unused variables
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This commit removes or marks unused variables as "expected to be unused"
by using '_' prefix.
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
the global keyword should be used only when variable from outside is
assigned inside, otherwise it has no effect and just confuses developers
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Removing --force option from tracker base class so it would not be required to
be implemented in every specific tracker, even though it's not necessary.
Modifying existing trackers to reflect this change.
https://fedorahosted.org/freeipa/ticket/6124
Reviewed-By: Martin Basti <mbasti@redhat.com>
Several tests in test_xmlrpc/test_trust_plugin.py fail because some attributes
are not expected. Fixing the tests so that the extra attributes are recognized.
https://fedorahosted.org/freeipa/ticket/6276
Reviewed-By: Ganna Kaihorodova <gkaihoro@redhat.com>
