ipa-server-install --uninstall command is calling server-del to
delete replica. This scenario does not work since server-del
is also deleting all principals from and ldap breaking ldap
replication. As a result, only part of deletions are propagated
to the other replicals leaving a lot of orphaned data there.
https://pagure.io/freeipa/issue/7371
This patch won't fully fix the issue with left-over data
but more data is cleaned up and only ldap principal is left
thus ending in a better state.
Issue will be fully fixed only when topology plugin is patched
as well. The following pagure ticket is created to track
topology plugin change:
https://pagure.io/freeipa/issue/7359
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add an integration test for issue 7247 (ipa-backup does not backup
Custodia keys and files)
The test performs backup / uninstall / check custodia files were removed /
restore and check that the custodia conf and keys files are restored.
related ticket https://pagure.io/freeipa/issue/7247
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Changing from iteritems() to values() in order to be compatible with
python3.
https://pagure.io/freeipa/issue/7373
Reviewed-By: Christian Heimes <cheimes@redhat.com>
ipa-ods-exporter uses systemd socket activation. The script uses
select() to check if the socket is readable. A timeout of 0 is a bit too
aggressive. Sometimes select() doesn't consider the systemd socket as
readable. This causes ODS to fail silently
A timeout of one second seems to remove the problem. A proper error code
also signals that something went wrong.
Closes: https://pagure.io/freeipa/issue/7378
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Partly revert b03d5155. python2-dbus is not available on F27. The
package only provides dbus-python:
$ dnf install python2-dbus dbus-python
Last metadata expiration check: 0:18:39 ago on 2018-01-23T18:59:22 CET.
No match for argument: python2-dbus
Package dbus-python-1.2.4-8.fc27.x86_64 is already installed, skipping.
Error: Unable to find a match
Part of: https://pagure.io/freeipa/issue/7131
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ipapython/dn.py:1324: [R1710(inconsistent-return-statements), DN.__contains__]
Either all return statements in a function should return an expression, or none of them should.)
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Present Situation:
Logging is a bit incomplete when using a custom CA subject passed in via --ca-subject.
If there is a problem finding the IPA CA certificate then the installer will log:
ERROR IPA CA certificate not found in /tmp/servercert.pem, /tmp/cacert.pem
After the Fix this sort of log is seen:
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): DEBUG The ipa-server-install command failed, exception: ScriptError: IPA CA certificate with subject 'CN=Certificate Authority,O=GSSLAB.PNQ2.REDHAT.COM' was not found in /root/ipa.cert, /root/rootCA.crt.
Resolves: https://pagure.io/freeipa/issue/7245
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
For DNSSEC daemons on Python 3, python-ldap requirement was bumped to
python-ldap 3.0. But python-ldap 3.0 hasn't been released yet and is
only available as beta4 on rawhide. The DNSSEC fix hasn't landed either.
Lower requirements to python2-ldap 2.4.15 and python3-pyldap 2.4.35.1-2
until the DNSSEC fix has landed.
See https://pagure.io/freeipa/issue/7257
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Since we cannot assume that LDAP will return data in any ordered way,
the test should be changed to do not rely on that.
Instead of just comparing the output of the show-user command, this change
first order the groups returned in the 'Member of Group' field before
compare them.
https://pagure.io/freeipa/issue/7339
Reviewed-By: Aleksei Slaikovskii <aslaikov@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Currently when testing we are using SAN extension only in
KDC, wildcard certs and not in the other certs.
During replica installation we then see a warning about certs
having no `subjectAltName`.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Mistake in recent fixes made the ipa-replica-prepare include
some extra files in the info file should the legacy format of
NSS databases be used.
https://pagure.io/freeipa/issue/7049
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Describing the parameter kinit_lifetime that allows to limit the lifetime of ticket obtained by users authenticating to the WebGUI using login/password. Removing session_auth_duration and session_duration_type since these parameters are not relevant anymore.
Resolves: https://pagure.io/freeipa/issue/7333
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
ipa-run-tests now applies the same logic to --ignore then to included
paths.
https://pagure.io/freeipa/issue/7355
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
Before this patch there was just one test in external_ca suite,
now we add one new test class thus deleting the specific class
in external_ca PRCI section.
https://pagure.io/freeipa/issue/7302
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Till now both create_caless_pki.py and create_external_ca.py were
stored in test_integration folder. However when trying to import
e.g. "from create_external_ca import ExternalCA" from tasks.py
where all other integration test`s support functions lives we get
"AttributeError: module 'pytest' has no attribute 'config' as pytest
was not completely initialized at the moment of the import.
https://pagure.io/freeipa/issue/7302
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Add sign_ca_and_transport() function which will sign provided csr
and transport root CA and signed IPA CA to the host.
https://pagure.io/freeipa/issue/7302
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Add IPA_CACERT_MANAGE and IPA_CERTUPDATE constants which will be
used in test_external_ca test suite.
https://pagure.io/freeipa/issue/7302
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Add test case for installing PKINIT and anchor update when using
3rd party CA after caless installation. Related to #6831 issue.
https://pagure.io/freeipa/issue/7233
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add test case for setting renewal master using command
ipa-csreplica-manage.
Automation related to upstream ticket #7120. Testing using
config-mod already covered.
https://pagure.io/freeipa/issue/7321
Reviewed-By: Christian Heimes <cheimes@redhat.com>
When the cls in env_config.py is a WinHost, the __init__ receives different
parameters. Now, it's adapted to all different kinds of hosts.
Also, it's necessary to add the host_type field to most of domains created
in the test classes, because the field is returned by pytest_multihost.Config
in pytest_plugins/integration/config.py::Config::to_dict
https://pagure.io/freeipa/issue/7346
Reviewed-By: Christian Heimes <cheimes@redhat.com>
prefix in the backup function expects output to have
'ipa.ipaserver.install.ipa_backup.Backup:' and it's wrong. The right
one is 'ipaserver.install.ipa_backup:'.
https://pagure.io/freeipa/issue/7339
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
When the option --domain-resolution-order is used with the command
ipa idview-add, the resulting LDAP object stores the value in
ipadomainresolutionorder attribute.
The issue is that the add command does not add the needed object
class (ipaNameResolutionData) because it is part of
possible_objectclasses but not of object_class.
The fix makes sure to add the objectclass when the option
--domain-resolution-order is used, and adds a non-regression test.
Note that idview-mod does not have any issue as it correctly handles
the addition of missing possible objectclasses.
Fixes:
https://pagure.io/freeipa/issue/7350
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
for/else makes only sense when the for loop uses break, too. If the for
loop simply returns on success, then else is not necessary.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Implicit string concatenation is technically correct, too. But when
combined in list, it's confusing for both human eye and static code
analysis.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Turn calls "handle_not_found()" into "raise handle_not_found()" to
indicate control flow chance. It makes the code easier to understand,
the control flow more obvious and helps static analyzers.
It's OK to raise here because handle_not_found() always raises an
exception.
https://pagure.io/freeipa/issue/7344
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Instantiating an exception, but not raising it, has no effect.
https://pagure.io/freeipa/issue/7344
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Silence false positive by using isinstance(value, dict).
Also clean up and optimize most common cases.
https://pagure.io/freeipa/issue/7344
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
For loop variable '_nothing' is not used in the loop body. The name
'unused' is used to indicate that a variable is unused.
https://pagure.io/freeipa/issue/7344
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Replace exit() with sys.exit(). exit() or quit() may fail if the interpreter
is run with the -S option.
https://pagure.io/freeipa/issue/7344
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
- Check pycodestyle before pylint. pycodestyle takes seconds while
pylint can easily take half a minute or more.
- Fix exit, needs two $
- Add some newlines to make output more readable
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
The ipa-run-tests command used os.chdir() to change into the ipatests/
directory. The approach works for simple cases but breaks some pytest
features. For example it makes it impossible to selects tests by their
fully qualified test name.
Further more, coverage statistics break because path and module names
get messed up by chdir.
A name plugin takes care of adjusting paths relative to ipatests and to
add ipatests as base. It's now possible to run tests with qualified test
names, e.g.
ipa-run-tests ipatests/test_ipalib/test_base.py::test_ReadOnly::test_lock
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
The patch addresses:
https://bugzilla.redhat.com/show_bug.cgi?id=1527020
"nsslapd-sasl-max-buffer-size is hardcoded to '2097152' during
install even if another value was provided in an LDIF
( --dirsrv-config-file )"
Fixes: https://pagure.io/freeipa/issue/7341
Tested against RHEL 7.4, the nsslapd-sasl-max-buffer-size parameter
is still 2097152 after this change and the change allows overriding
its value using --dirsrv-config-file properly.
Fix suggested by Florence Blanc-Renaud.
Signed-off-by: François Cami <fcami@fedoraproject.org>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This will show the status of the files during an installation.
This is particularly important during a replica install where
default.conf gets written several times.
Fixes: https://pagure.io/freeipa/issue/7218
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
There is no object class before adding the first item into tables,
therefore there are no ACI and WebUI is not able to figure out
whether table is writable or not. Adding flag 'w_if_no_aci'
tells "make it writable even if we have not ACIs and try to do
the API call.
https://pagure.io/freeipa/issue/7111
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
The Custodia instance is removed when LDAP is already shut down. Don't
fail and only remove the key files from disk. The server_del command
takes care of all Custodia keys in LDAP.
https://pagure.io/freeipa/issue/7318
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Use new LDAPBytesWarning to ignore python-ldap's bytes warnings. New
build is available in @freeipa/freeipa-master.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
This test case addresses upsteam ticket #6999, where "ipa help"
does not work if called when no schema is cached.
https://pagure.io/freeipa/issue/7325
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Vault's encrypt and decrypt helper function take either symmetric or
public/private key. Raise an exception if either both or none of them
are passed down.
See https://pagure.io/freeipa/issue/7326
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
Add consistent return to all functions and methods that are covered by
tox -e pylint[23]. I haven't checked if return None is always a good
idea or if we should rather raise an error.
See: https://pagure.io/freeipa/issue/7326
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
