Commit Graph

632 Commits

Author SHA1 Message Date
Christian Heimes
390251d3dd
Always build Python 3 packages
Remove with_python3 checks and always build Python 3 packages.

Co-authored-by: Stanislav Laznicka <slaznick@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-11 08:44:18 +02:00
Christian Heimes
ed52baba0d
Make Python 2 build dependency optional
The specfile now uses three variables to determinate how to handle
Python support.

with_python2: build python2-ipa* packages
with_python3: build python3-ipa* packages
with_default_python: use Python 3 or 2 for commands and packages

"with_default_python=3" is the default build flavor. "with_python3=0"
implies "with_default_python=2". Python 2 packages are still built on
Fedora by default.

The patch also cleans up and fixes additional issues:

* makeapi/makeaci require Python 3
* remove checks for unsupported distros like F27
* sort dependencies and remove duplicates
* remove python3-memcached dependency
* remove svrcore-devel dependency
* don't assume that gcc, make, and pkgconfig are provided by default
* fix packaging bug with ipa-test-* commands. Unversioned ipa-run-test
  were packages with Python 2 RPMs although they had a Python 3 shebang.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1565263
Fixes: https://pagure.io/freeipa/issue/7500
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-11 08:44:18 +02:00
Christian Heimes
992a5f4823 Move client templates to separate directory
PR https://github.com/freeipa/freeipa/pull/1747 added the first template
for FreeIPA client package. The template file was added to server
templates, which broke client-only builds.

The template is now part of a new subdirectory for client package shared
data.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-05 16:34:27 -04:00
Christian Heimes
fb16bc933c Require JSS 4.4.4 with fix for sub CA replication
The SQL backend of NSS behaves differently than the DBM backend.
Specifically PK11_UnwrapPrivateKey generates a different CKA_ID. JSS 4.4.4
contains a workaround for broken sub CA replication.

Note: FreeIPA doesn't depend on JSS directly. The version requirement
was added to update JSS to a working version

See: https://bugzilla.redhat.com/show_bug.cgi?id=1583140
Fixes: https://pagure.io/freeipa/issue/7536
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-05-30 08:18:40 +02:00
Christian Heimes
8e165480ac Use GnuPG 2 for backup/restore
ipa-backup and ipa-restore now use GnuPG 2 for asymmetric encryption, too.
The gpg2 command behaves a bit different and requires a gpg2 compatible
config directory. Therefore the --keyring option has been deprecated.

The backup and restore tools now use root's GPG keyring by default.
Custom configuration and keyring can be used by setting GNUPGHOME
environment variables.

Fixes: https://pagure.io/freeipa/issue/7560
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-27 16:05:50 +02:00
Christian Heimes
dbc3788405 Use GnuPG 2 for symmentric encryption
The /usr/bin/gpg command is old, legacy GnuPG 1.4 version. The
recommended version is GnuPG 2 provided by /usr/bin/gpg2. For simple
symmentric encryption, gpg2 is a drop-in replacement for gpg.

Fixes: https://pagure.io/freeipa/issue/7560
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-27 16:05:50 +02:00
Christian Heimes
59ea580046 Require python-ldap >= 3.1.0
python-ldap 3.1.0 fixes a segfault caused by a reference counting bug.

See: https://pagure.io/freeipa/issue/7324
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-25 20:44:01 +02:00
Christian Heimes
c17ba11cba Require Dogtag 10.6.1
Dogtag 10.6.1 contains fixes for external CA support.

See: http://pagure.io/dogtagpki/issue/3005
See: http://pagure.io/dogtagpki/issue/3007
See: http://pagure.io/dogtagpki/issue/3008
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1573094
Fixes: https://pagure.io/freeipa/issue/7516
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-07 16:21:10 +02:00
Christian Heimes
880d9b4134 Require nss with fix for nickname bug
nss 3.36.1-1.1 addresses a bug in the shared SQL database layer. A nicknames
of certificates are no longer changed when a certificate is imported
multiple times under different name.

Partly revert commit ad2eb3d09b with fix
for https://pagure.io/freeipa/issue/7498. The root cause for the bug has
been addressed by the NSS release.

See: https://pagure.io/freeipa/issue/7516
See: https://pagure.io/freeipa/issue/7498
See: https://bugzilla.redhat.com/show_bug.cgi?id=1568271
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-05-04 12:03:43 +02:00
Christian Heimes
1c1089c44d ipa-client package needs sssd-tool
Commit ccec8c6c41 add a call to sssctl but
the providing package sssd-tools was not added to ipa-client package.
The tool is not need to build packages.

See: https://pagure.io/freeipa/issue/7376
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-05-03 14:25:36 +02:00
Robbie Harwood
ce3819c3b7 Move krb5 snippet into freeipa-client-common
Also move /usr/share/ipa into freeipa-common by necessity.

https://pagure.io/freeipa/issue/7524

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-05-03 10:18:29 +02:00
Florence Blanc-Renaud
1df1786b06 Migration from authconfig to authselect
The authconfig tool is deprecated and replaced by authselect. Migrate
FreeIPA in order to use the new tool as described in the design page
https://www.freeipa.org/page/V4/Authselect_migration

Fixes:
https://pagure.io/freeipa/issue/7377

Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-04-27 14:01:33 +02:00
Christian Heimes
13b9608d5c Add augeas dependency to client package
Commit 5d9c749e83 add dependency on augeas
Python package, but freeipa.spec was not updated. The python[23]-ipaclient
packages now correctly depend on python[23]-augeas.

Fixes: https://pagure.io/freeipa/issue/7512
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-04-25 14:02:29 +02:00
Christian Heimes
236fa61eeb Create users in server-common pre hook
The ipaapi user was created in the server package but referenced by a
config file in the server-common package. The server-common package can
be installed without the server package. This caused an error

   Unknown user 'ipaapi'

with systemd-tmpfiles --create. The users are now created in the
server-common package.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
2018-04-25 13:58:11 +02:00
Christian Heimes
04e1ae7bf1 Require 389-ds-base >= 1.4.0.8-1
1.4.0.8-1 contains a bug fix for an error in SASL connection handling.

See: https://pagure.io/389-ds-base/issue/49639
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-04-25 12:14:23 +02:00
Christian Heimes
ad2eb3d09b CA replica PKCS12 workaround for SQL NSSDB
CA replica installation fails, because 'caSigningCert cert-pki-ca' is
imported a second time under a different name. The issue is caused
by the fact, that SQL NSS DB handles duplicated certificates differently
than DBM format.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1561730
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-04-25 12:14:23 +02:00
Tibor Dudlák
0090a90ba2 Add dependency and paths for chrony
Addresses: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-09 11:00:02 -04:00
Tibor Dudlák
bfb544adfd Removes ntp from dependencies and behave as there is always -N option
Addresses: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-09 11:00:02 -04:00
Christian Heimes
888d9861f8 Require more recent glibc on F27
On CPUs with AVX-512 instruction set, ntpd sometimes segfaults because
PTHREAD_STACK_MIN is too small. The bug has been fixed in
glibc-2.26-24.fc27.x86_64 or later.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1564527
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
2018-04-09 11:42:05 +02:00
amitkuma
ccec8c6c41 clear sssd cache when uninstalling client
The SSSD cache is not cleared when uninstalling an IPA client. For tidiness we should wipe the cache. This can be done with sssctl.
Note that this tool is in sssd-tools which is not currently a dependency.

Resolves: https://pagure.io/freeipa/issue/7376
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-03-26 15:16:54 +02:00
Stanislav Laznicka
7cbd9bd429 Encrypt httpd key stored on disk
This commit adds configuration for HTTPD to encrypt/decrypt its
key which we currently store in clear on the disc.

A password-reading script is added for mod_ssl. This script is
extensible for the future use of directory server with the
expectation that key encryption/decription will be handled
similarly by its configuration.

https://pagure.io/freeipa/issue/7421

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-03-23 12:48:46 +01:00
Christian Heimes
2b47f8994f Require Dogtag PKI >= 10.6
Dogtag 10.6.0-0.2 contains SQL NSS DB fixes and full Python 3 support.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-03-19 15:48:46 +01:00
Christian Heimes
fd9ede5296 Simplify Python package installation
Move logic for installing just the Python packages out of the spec file
and into our root Makefile. It removes code duplication to simplify a
spec file that supports building without Python 2.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-03-15 12:57:00 +01:00
Christian Heimes
cfe4150b22 Move DNS related files to server-dns package
The freeipa-server package was shipping files that are only used by
freeipa-server-dns.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-26 10:03:00 +01:00
Stanislav Laznicka
b21941360c
Move HTTPD cert/key pair to /var/lib/ipa/certs
This moves the HTTPD certificates from their default location
to IPA-specific one. This should be especially helpful from
the container perspective.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Rob Crittenden
805aea2443
Use mod_ssl instead of mod_nss for Apache TLS for new installs
Change some built-in assumptions that Apache has an NSS certificate
database.

Configure mod_ssl instead of mod_nss. This is mostly just changing
the directives used with some slight syntactical differences.

Drop mod_nss-specific methods and functions.

There is some mention of upgrades here but this is mostly a
side-effect of removing things necessary for the initial install.

TODO:
 - backup and restore
 - use user-provided PKCS#12 file for the certificate and key

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Christian Heimes
68caeb8b19 Add mocked test for named crypto policy update
Mocked tests require the mock package for Python 2.7. Python 3 has
unittest.mock in the standard library.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-20 17:01:52 +01:00
Christian Heimes
631d3152fe freeipa-server no longer supports i686 arch on F28
389-ds-base 1.4 is going to drop 32bit i686 arch support in Fedora 28,
https://bugzilla.redhat.com/show_bug.cgi?id=1530832 . Skip server
related packages (freeipa-server, python[23]-ipaserver,
freeipa-server-common, freeipa-server-dns, freeipa-server-trust-ad).

RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1544386
Fixes: https://pagure.io/freeipa/issue/7400
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-16 15:55:32 +01:00
Stanislav Laznicka
f31797c70a Have all the scripts run in python 3 by default
The Python 3 refactoring effort is finishing, it should be safe
to turn all scripts to run in Python 3 by default.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-02-15 18:43:12 +01:00
Timo Aaltonen
1adb3edea9 Move config templates from install/conf to install/share
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-09 09:14:22 +01:00
Fraser Tweedale
b466172d68 ldap2: fix implementation of can_add
ldap2.can_add checks for add permission of a given entry.
It did not work properly due to a defect in 389 DS.  Now that the
defect has been fixed, we also need to update can_add to work with
the mechanism 389 DS provides for checking add permission for
entries where ACIs are in effect.

Update the ldap2.can_add implementation to perform the add
permission check properly.  Also update call sites accordingly.

Update the spec file to require 389-ds-base-1.3.7.9-1 which is the
first release containing the fix.  This version of 389-ds-base also
resolves a couple of other issues related to replication and
connection management.

Fixes: https://pagure.io/freeipa/issue/6609
Fixes: https://pagure.io/freeipa/issue/7165
Fixes: https://pagure.io/freeipa/issue/7228
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-02-09 08:57:41 +01:00
Christian Heimes
1785a3e17b Replace wsgi package conflict with config file
Instead of a package conflict, freeIPA now uses an Apache config file to
enforce the correct wsgi module. The workaround only applies to Fedora
since it is the only platform that permits parallel installation of
Python 2 and Python 3 mod_wsgi modules. RHEL 7 has only Python 2 and
Debian doesn't permit installation of both variants.

See: https://pagure.io/freeipa/issue/7161
Fixes: https://pagure.io/freeipa/issue/7394
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-09 08:28:11 +01:00
Christian Heimes
7619fa4154 Bump python-ldap version to fix syncrepl bug
python-ldap had a bug in syncrepl caused by incompatible changes in
pyasn1. The bug has been fixed in 2.4.25-9.

Fixes: https://pagure.io/freeipa/issue/7240
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-02-08 09:30:29 +01:00
Christian Heimes
df0e6696d8 Bump SELinux policy for DNSSEC
selinux-policy-3.13.1-283.24 fixes an AVC with OpenDNSSEC ods-signer.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1537971
See: https://pagure.io/freeipa/issue/7378
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-02-08 08:24:54 +01:00
Christian Heimes
7670dcb853 Run DNSSEC under Python 3
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-07 17:27:11 +01:00
Rob Crittenden
aaf2eaabee Move Requires: pythonX-sssdconfig into conditional
https://pagure.io/freeipa/issue/5638

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-02-06 11:41:03 +01:00
Christian Heimes
1c059fbf5c Remove unused PyOpenSSL from spec file
https://pagure.io/freeipa/issue/7381

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-01-29 14:49:16 +01:00
Christian Heimes
e0c976ac32 Require dbus-python on F27
Partly revert b03d5155. python2-dbus is not available on F27. The
package only provides dbus-python:

$ dnf install python2-dbus dbus-python
Last metadata expiration check: 0:18:39 ago on 2018-01-23T18:59:22 CET.
No match for argument: python2-dbus
Package dbus-python-1.2.4-8.fc27.x86_64 is already installed, skipping.
Error: Unable to find a match

Part of: https://pagure.io/freeipa/issue/7131
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-01-23 21:02:49 +01:00
Christian Heimes
c1f7c61762 Lower python-ldap requirement for F27
For DNSSEC daemons on Python 3, python-ldap requirement was bumped to
python-ldap 3.0. But python-ldap 3.0 hasn't been released yet and is
only available as beta4 on rawhide. The DNSSEC fix hasn't landed either.

Lower requirements to python2-ldap 2.4.15 and python3-pyldap 2.4.35.1-2
until the DNSSEC fix has landed.

See https://pagure.io/freeipa/issue/7257

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-01-23 10:06:56 +01:00
Christian Heimes
3c59cf5728 Require python-ldap 3.0.0b2
Use new LDAPBytesWarning to ignore python-ldap's bytes warnings. New
build is available in @freeipa/freeipa-master.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2017-12-19 14:05:29 +01:00
Christian Heimes
d7426ccbe7 Replace nose with unittest and pytest
* Replace raise nose.SkipTest with raise unittest.SkipTest
* Replace nose.tools.assert_equal(a, b) with assert a == b
* Replace nose.tools.raises with pytest.raises
* Convert @raises decorator to pytest.raises() but just for relevant
  lines.
* Remove nose dependency

I left the nose_compat pytest plugin in place. It can be removed in
another request in case it is no longer used.

https://pagure.io/freeipa/issue/7301

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-12-12 16:16:58 +01:00
Rob Crittenden
d7aa7945e8 Run server upgrade in ipactl start/restart
During a distro upgrade, e.g. F-26 to F-27, networking may not
be available which will cause the upgrade to fail. Despite this
the IPA service can be subsequently restarted running new code
with old data.

This patch relies on the existing version-check cdoe to determine
when/if an upgrade is required and will do so during an ipactl
start or restart.

The upgrade is now run implicitly in the spec file and will
cause the server to be stopped after the package is installed
if the upgrade fails.

Fixes: https://pagure.io/freeipa/issue/6968

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-12-12 12:08:35 +01:00
Christian Heimes
7fbbf6689e Add make targets for fast linting and testing
Fast linting only needs modified files with pylint and diff with
pycodestyle. It's good enough to detect most code errors very fast. It
typically takes less than 10 seconds. A complete full pylint run uses
all CPU cores for several minutes. PEP 8 violations are typically
reported after 30 minutes to several hours on Travis CI.

Fast lintings uses git diff and git merge-base to find all modified
files in a branch or working tree. There is no easy way to find the
branch source. On Travis the information is provided by Travis. For
local development it's a new variable IPA_GIT_BRANCH in VERSION.m4.

Fast testing execute all unit tests that do not depend on ipalib.api.

In total it takes about 30-40 seconds (!) to execute linting, PEP 8 checks
and unittests for both Python 2 and 3.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-12-11 20:40:06 +01:00
Fraser Tweedale
c42c440de5 Use correct version of Python in RPM scripts
Fixes: https://pagure.io/freeipa/issue/7299
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-07 13:02:26 +01:00
Christian Heimes
c1f275f9eb Update to python-ldap 3.0.0
Replace python3-pyldap with python3-ldap.

Remove some old code for compatibility with very old python-ldap.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-12-06 16:54:04 +01:00
Alexander Bokovoy
78ad1cfe4f ipa-extdom-extop: refactor nsswitch operations
Refactor nsswitch operations in ipa-extdom-extop plugin to allow use
of timeout-enabled nsswitch calls provided by libsss_nss_idmap.

Standard POSIX nsswitch API has no way to cancel requests which may
cause ipa-extdom-extop requests to hang far too long and potentially
exhaust LDAP server workers. In addition, glibc nsswitch API iterates
through all nsswitch modules one by one and with multiple parallel
requests a lock up may happen in an unrelated nsswitch module like
nss_files.so.2.

A solution to the latter issue is to directly load nss_sss.so.2 plugin
and utilize it. This, however, does not solve a problem with lack of
cancellable API.

With SSSD 1.16.1, libsss_nss_idmap provides a timeout-enabled variant of
nsswitch API that is directly integrated with SSSD client side machinery
used by nss_sss.so.2. As result, this API can be used instead of loading
nss_sss.so.2 directly.

To support older SSSD version, both direct loading of nss_sss.so.2 and
new timeout-enabled API are supported by this changeset. An API to
abstract both is designed to be a mix between internal glibc nsswitch
API and external nsswitch API that libsss_nss_idmap mimics. API does not
expose per-call timeout. Instead, it allows to set a timeout per
nsswitch operation context to reduce requirements on information
a caller has to maintain.

A choice which API to use is made at configure time.

In order to test the API, a cmocka test is updated to explicitly load
nss_files.so.2 as a backend. Since use of nss_sss.so.2 would always
depend on availablility of SSSD, predictable testing would not be
possible without it otherwise. Also, cmocka test does not use
nss_wrapper anymore because nss_wrapper overrides higher level glibc
nsswitch API while we are loading an individual nsswitch module
directly.

As result, cmocka test overrides fopen() call used by nss_files.so.2 to
load /etc/passwd and /etc/group. An overridden version changes paths to
/etc/passwd and /etc/group to a local test_data/passwd and
test_data/group. This way we can continue testing a backend API for
ipa-extdom-extop with the same data as with nss_wrapper.

Fixes https://pagure.io/freeipa/issue/5464

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2017-11-30 11:38:03 +02:00
Christian Heimes
57787f647e Prevent installation of Py2 and Py3 mod_wsgi
FreeIPA is either compatible with Python 2 mod_wsgi or Python 3
mod_wsgi. mod_wsgi can not coexist in the same Apache process as
mod_wsgi_python3. When both mod_wsgi and python3-mod_wsgi are installed,
the first loaded module wins and the other one is never loaded.

Add conflict on the other module to prevent installation of both
modules.

https://pagure.io/freeipa/issue/7161

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-11-22 09:51:56 +01:00
Christian Heimes
0071744929 Support sqlite NSSDB
Prepare CertDB and NSSDatabase to support sqlite DB format. NSSDatabase
will automatically detect and use either old DBM or new SQL format. Old
databases are not migrated yet.

https://pagure.io/freeipa/issue/7049

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-16 12:17:01 +01:00
Christian Heimes
64a88d597c Py3: Fix vault tests
* Bump PKI to 10.5.1-2, which fixes an issue with KRA under Python 3
* Correct encoding of secret

https://pagure.io/freeipa/issue/7033

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-16 08:50:58 +01:00
Christian Heimes
38b17e1c79 Test script for ipa-custodia
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-16 08:49:34 +01:00