Some DNS servers behaves oddly and instead sending result without RRSIG records
don't reply at all when DNSSEC flag is enabled (timeout). Instead of
hard error IPA should this handle as DNSSEC error and continue with
installation/adding forwarders.
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
User repr() instead of str() for bytes, it has the same effect, but it
is proper way how to print bytes
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
DS changed a format of replication status attribute. Now it is with
prefix "Error (x)" where x is the error code.
Both formats were kept to allow tests run on older and new
versions of DS.
Reviewed-By: Milan Kubik <mkubik@redhat.com>
for Decimal only from client to server direction uses __base64__
notation. Server replies with pure string for Decimal data, and also
server is able to parse string and create decimal values where needed.
without this we need ugly py3 code:
- return {'__base64__': base64.b64encode(str(val))}
+ return {'__base64__': base64.b64encode(
+ str(val).encode('ascii')).decode('ascii')}
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The encode method of LDAPClient didn't return DNSName as bytes but
string in py3. In py2 it returns non-unicode string so it can be encoded
safely by ascii as to_text() method returns only ascii characters.
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In py3 keys() doesn't return list but iterator so it must be transformed
to tuple otherwise iterator will be broken.
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Using unicode(bytes) call causes undesired side effect that is inserting
`b` character to result. This obviously causes issues with binary base64 data
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Requesting certificates for test purposes is not necessary as we allow to
upload arbitrary certificate to the user, host or service. Also requesting
certificate from dogtag takes some time and the test is slower for no good
reason.
More it's not posible to request certificate for stageuser even though it's
possible to upload certificates to stageusers now.
https://fedorahosted.org/freeipa/ticket/6623
Reviewed-By: Martin Basti <mbasti@redhat.com>
Move {add,remove}-cert implementation from user to baseuser and inherit
{,stage}user-{add,remove}-cert from it.
https://fedorahosted.org/freeipa/ticket/6623
Reviewed-By: Martin Basti <mbasti@redhat.com>
Do not log the value of the --password option of ipa-client-install when it
is run from ipa-replica-install before replica promotion.
https://fedorahosted.org/freeipa/ticket/6633
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
pki-base provides pki-base-python2, but we should depend directly on
pki-base-python2 because in future pki-base may provide pki-base-python3
instead.
Source: cheimes@redhat.comhttps://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
FreeIPA server modules requires pki module
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Adds a test case for issue in SSSD that manifested in
an inability to resolve nested membership in netgroups
The test case tests for direct and indirect membership.
https://fedorahosted.org/freeipa/ticket/6439
Reviewed-By: Martin Basti <mbasti@redhat.com>
In 'store_session_cookie', if the server does not set the session
cookie for some reason, the 'session_cookie' variable does not get
assigned, resulting in UnboundLocalError. Set an initial value of
'None'.
Fixes: https://fedorahosted.org/freeipa/ticket/6636
Reviewed-By: Martin Basti <mbasti@redhat.com>
ipa-kra-install creates an admin cert file in
/root/.dogtag/pki-tomcat/ca_admin.cert but does not check that the
parent directory exists. This situation can happen when uninstall + restore
has been run.
The fix creates the directory if not present.
https://fedorahosted.org/freeipa/ticket/6606
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Calling str() on bytes causes undesired side effect: it adds prefix "b"
to the result of conversion. The method decode() should be used instead.
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
When using private_ccache, yield 'path' from the context manager.
This is cleaner than inspecting 'os.environ['KRB5CCNAME']' within
the context.
Part of: https://fedorahosted.org/freeipa/ticket/5011
Reviewed-By: Martin Basti <mbasti@redhat.com>
csr must be in string because framework excpects only strings, so we
have to decode it back
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Bytes are unsupported and we should raise a TypeError from Principal
__init__ method otherwise we get hard to debug result
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Remove decode() as it causes error in py3 because the attribute is
already string not bytes
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Update encoding/decoding accordingly to work under Py3
Removing functions that were used only once in code and give no real
improvements
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
variable 'e' is valid only in except block in py3, so it must be
assigned to different variable for further usage
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
WSGI prints TypeError into error log when IPA doesn't return bytes in
list as result
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This fix is temporal because Memcache will be removed soon, so it is
more workaround than fix
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Using the whole entry is not needed as parameter because only DN is used
and it prevents easier usage of this function
https://fedorahosted.org/freeipa/ticket/6588
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This patch also contains some code changes to make the code easier to
test and to make the tests pass.
https://fedorahosted.org/freeipa/ticket/4899
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This removes the ipa.syntaxrule and ipa.datarule macros in favor of
simple 'if' statements based on the data referenced in the rules. The
'if' statement for a syntax rule is generated based on the data rules it
contains.
The Subject DN should not be generated unless all data rules are in
place, so the ability to override the logical operator that combines
data_sources (from 'or' to 'and') is added.
https://fedorahosted.org/freeipa/ticket/4899
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
