Commit Graph

14602 Commits

Author SHA1 Message Date
Florence Blanc-Renaud
178dec8fc3 pylint: fix inconsistent-return-statements
pylint 2.7.0 now emits inconsistent-return-statements if one of
try/except statement is not returning explicitly while the other do.

Fixes: https://pagure.io/freeipa/issue/8720
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-22 16:18:11 -05:00
Sergey Orlov
4d87982b07
ipatests: skip tests for AD trust with shared secret in FIPS mode
Related to https://pagure.io/freeipa/issue/8715

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-19 13:31:28 +01:00
Rob Crittenden
c0e63429b3 Don't double-report any errors from pki-spawn failures
The output from pki-spawn is already displayed to the user
as well as a short traceback so re-displaying the CalledProcess
error provides no value and only provokes confusion,
particularly because it is condensed and includes embedded
newlines.

Re-raise the exception from None so that the traceback is
removed and while there is still an immense traceback from
the admintool class it is significantly shorter than before
and removes:

"During handling of the above exception, another exception occurred"

The handling is in fact expected.

This changes the user-facing installer output from:

  [1/28]: configuring certificate server instance
Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpr5x2l0gm', '--debug'] returned non-zero exit status 1: 'INFO: Connecting to LDAP server at ldap://ipa.example.test:389\nINFO: Connecting to LDAP server at ldap://ipa.example.test:389\nDEBUG: Installing Maven dependencies: False\nERROR: KeyError: \'CA\'\n  File "/usr/lib/python3.9/site-packages/pki/server/pkispawn.py", line 575, in main\n    raise KeyError(\'CA\')\n\n')
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

to

  [1/28]: configuring certificate server instance
Failed to configure CA instance
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

The output is similarly reduced in the installer log. There is no
reason to acknowledge that a CalledProcessError was raised since
the output is already available and it's just an intermediary.

Hopefully this will encourage users to focus on the logs rather than
the malformed traceback.

https://pagure.io/freeipa/issue/8565

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-02-18 16:52:05 +01:00
Rob Crittenden
ea58c75730 Suppress error message if the CRL directory doesn't exist
If the CA fails to deploy then the CRL directory will not exist
but will report an error that it has failed to be removed.
There is no need to try to navigate a directory if it doesn't exist.

Related: https://pagure.io/freeipa/issue/8565

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-02-18 16:52:05 +01:00
Kaleemullah Siddiqui
5e49910bcf ipatests: error message check in uninstall log for KRA
This test checks that there is no error message in uninstall
log for KRA instance when IPA was installed with KRA.

related: https://pagure.io/freeipa/issue/8550

Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-02-18 16:44:29 +01:00
Rob Crittenden
ab13cf52f2 Remove a remaining file used with csrgen
This file was missed in the first pass to remove support for
csrgen.

This was never feature complete and currently has issues and
we lack the resources to maintain it.

Drop it for now. It can be revived from git history in the
future if we see the need.

https://pagure.io/freeipa/issue/8669

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2021-02-18 16:43:04 +01:00
Rob Crittenden
dea2b8af9c Don't renew non-IPA issued certs in ipa-cert-fix
If the Apache, 389-ds or KDC certificate was issued by
a third party there is nothing we can do, regardless of
whether it is expired or not.

Report which certificates will not be renewed so the
admin can manually do do (likely in the event of a
third-party certificate).

https://pagure.io/freeipa/issue/8600

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-02-18 16:41:03 +01:00
Rob Crittenden
146db28e50 Set pki-core dependency to 10.3.3 for pki-server cert-fix bug
Related: https://github.com/dogtagpki/pki/issues/3387
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-02-18 16:41:03 +01:00
Rob Crittenden
be4195cfaf ipatests: test third-party 389-ds cert with ipa-cert-fix
ipa-cert-fix was hardcoded to use Server-Cert as the nickname
so would fail if a third-party certificate was installed for DS.

https://pagure.io/freeipa/issue/8600

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-02-18 16:41:03 +01:00
Rob Crittenden
7cfd44d395 ipa-cert-fix: Don't hardcode the NSS certificate nickname
The nickname of the 389-ds certificate was hardcoded as
Server-Cert which failed if the user had installed a
third-party certificate using ipa-server-certinstall.

Instead pull the nickname from the DS configuration and
retrieve it based on that.

https://pagure.io/freeipa/issue/8600

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-02-18 16:41:03 +01:00
Alexander Bokovoy
f2f8d46c7f po: update translations template
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-15 20:33:38 +02:00
Rob Crittenden
71047f68b5 Remove the option stop_certmonger from stop_tracking_*
This option was inconsistent between invocations and there is
no need to stop certmonger after stopping tracking. It was also
apparently causing dbus timeout errors, probably due to the amount
of work that certmonger does at startup.

https://pagure.io/freeipa/issue/8506
https://pagure.io/freeipa/issue/8533

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-15 17:13:53 +02:00
Florence Blanc-Renaud
137b39cf93 ipatests: update expected error message
With commit ec6698f , the error message has changed from
  Unable to communicate with CMS (503)
to
  Request failed with status 503: Non-2xx response from CA REST API: 503.  (503)

Related: https://pagure.io/freeipa/issue/8704
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-15 15:22:19 +02:00
Thorsten Scherf
84f52ea8fc man: fix ipa-client-samba.1 typos
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-15 10:04:55 +02:00
Armando Neto
7d691f07d6 ipatests: Update PR-CI templates
Update "previous" and "latest" templates with updated dependencies.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-15 10:04:23 +02:00
Antonio Torres
89135830cc ipatests: test addition of invalid sudo command
Check that sudocmd-add fails when trying to add
a command containing a trailing dot.

Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-15 09:59:41 +02:00
Antonio Torres
d6c5a92609 sudocmd: ensure command doesn't contain trailing dot before adding it
Trailing dots aren't permitted in sudo commands, as
enforced explicitly in `get_dn`. Performing this check
before adding the command prevents the user from
entering invalid commands, which would otherwise trigger
errors when accessing them afterwards.

RN: ipa sudocmd-* commands now validate SUDO command name to not end with a dot.
RN: Previously a trailing dot was stripped away in when addressing a SUDO command's LDAP object.
RN: As a result, a SUDO command was created but it was not possible to refer to it in other IPA commands.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1925410
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-15 09:59:41 +02:00
Rob Crittenden
3d2d06719f Add some logging around initial ACME deployment
From the upgrade log it was not possible to see the current
state of ACME which makes troubleshooting difficult.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

Related: https://pagure.io/freeipa/issue/8712
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-02-15 09:57:07 +02:00
Rob Crittenden
b1e72cb12e Add versions to the ACME config templates and update on upgrade
Put the ACME config files under normal IPA versioning so we
can more seamlessly do updates to them.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

https://pagure.io/freeipa/issue/8712

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-02-15 09:57:07 +02:00
Rob Crittenden
d2d487bccc Set the ACME baseURL in order to pin a client to a single IPA server
ACME uses nonce values to prevent replay attacks. Since the
ipa-ca name can go to any of the IPA servers in order to verify the
nonce the servers need to know the value that was set which
relies on replication. Sometimes the client is faster than
replication so a request can fail.

This change returns the baseURL to the client as the name of the
ACME server during discovery which should pin all requests to this
one IPA server and alleviate the replication issue.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

https://pagure.io/freeipa/issue/8712

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-02-15 09:57:07 +02:00
Stanislav Levin
778ef95916 rpm-spec: Require crypto-policies-scripts
`update-crypto-policies` tool from RPM package `crypto-policies-scripts`
is required for tests.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-15 09:54:51 +02:00
Stanislav Levin
596bb320be ipatests: Handle AAAA records in test_ipa_dns_systemrecords_check
This test assumes that the current environment has only IPv4, but
for example, Azure Pipelines provides both IPv4 and IPv6.

Fixes: https://pagure.io/freeipa/issue/8683
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-15 09:54:51 +02:00
Stanislav Levin
3e33e546c3 Azure: Populate containers with self-AAAA records
IPA server's AAAA records at embedded DNS mode depend on result of
`get_server_ip_address` function(`ipaserver.install.installutils`),
which in turn, relies on NSS.

In case of Azure Pipelines, there are neither IPv6 records in
'/etc/hosts' nor external DNS, which may provide such. This leads to
the missing AAAA records for master and missing AAAA records for `ipa-ca`
pointing to master in embedded DNS.

In particular, tests `test_ipa_healthcheck_no_errors`,
`test_ipa_dns_systemrecords_check` fail with:
```
[
  {
    "source": "ipahealthcheck.ipa.idns",
    "check": "IPADNSSystemRecordsCheck",
    "result": "WARNING",
    "uuid": "b979a88a-6373-4990-bc83-ce724e9730b4",
    "when": "20210120055054Z",
    "duration": "0.032740",
    "kw": {
      "msg": "Got {count} ipa-ca AAAA records, expected {expected}",
      "count": 1,
      "expected": 2
    }
  }
]
```
where `ipa-ca` record exists only for replica.

Note: since the most of the code in setup_containers was touched it has
been reformatted.

Fixes: https://pagure.io/freeipa/issue/8683
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-15 09:54:51 +02:00
Antonio Torres
8a2e6ec320 ipatests: add test for ipa-cacert-manage prune
Add test for prune option of ipa-cacert-manage.
After a certificate is installed, a jump in time
is performed to a date where the certificate is expired,
and then it is pruned.

Related: https://pagure.io/freeipa/issue/7404
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-02-12 14:08:11 -05:00
Antonio Torres
5d8cb1dd1f ipa-cacert-manage: add prune option
Add prune option to ipa-cacert-manage, allowing
to remove all expired certificates from the certificate store.

Related: https://pagure.io/freeipa/issue/7404
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-02-12 14:08:11 -05:00
Antonio Torres
9b8810c88b WebUI: change FreeIPA naming to IPA in About dialog
As part of the effort for reducing differences between
upstream and downstream releases, product naming in WebUI
About dialog is changed from FreeIPA to IPA.

Related: https://pagure.io/freeipa/issue/8669
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-02-12 12:50:08 -05:00
Florence Blanc-Renaud
4672d61cee xmlrpc tests: add a test for cert-remove-hold
Add tests for the ipa cert-remove-hold command.
Scenario 1:
add host entry, request cert, revoke cert with "hold" reason, remove hold

Scenario 2:
call ipa cert-move-hold with a non-existent cert ID and ensure that
the exception mentions 'Certificate ID .. not found'

Related: https://pagure.io/freeipa/issue/8704
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-12 17:49:02 +01:00
Florence Blanc-Renaud
ec6698f08a cert plugin: propagate the error for non-existent cert
ipa cert-show, ipa cert-revoke and ipa cert-remove-hold do not
print meaningful info when called on a non-existent cert id:
Certificate operation cannot be completed: Unable to communicate
with CMS

Propagate the reason from the HTTP message in order to print
'Certificate ID 0x.. not found'

Fixes: https://pagure.io/freeipa/issue/8704
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-12 17:49:02 +01:00
Alexander Bokovoy
46b0746fe9 test_installutils: run gpg-agent under a specific SELinux context
system_u:system_r:init_t:s0 cannot execute gpg=agent when SELinux is in
enforcing mode. Use SELinux context that allows this execution:
system_u:system_r:initrc_t:s0 and wrap the whole execution into a bash
run to make sure init_t -> initrc_t transition.

Fixes: https://pagure.io/freeipa/issue/8699
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-02-11 09:09:46 +01:00
Rob Crittenden
bf06579895 Add RHEL 9 UI branding patch reference
The UI in RHEL has a different set of logos and different
background colors. Some direct adjustments were made that
are not buildable so apply them as a patch.

https://pagure.io/freeipa/issue/8669

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-09 09:49:22 -05:00
Christian Heimes
5ca918943c configure: ipaplatform falls back to ID_LIKE
The auto-detection code for IPAPLATFORM now falls back to ID_LIKE.

CentOS platform will now be treated as rhel-like, Ubuntu platforms as
debian-like automatically.

Fixes: https://pagure.io/freeipa/issue/8689
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-09 09:47:00 -05:00
Florence Blanc-Renaud
610d542c0e ipatests: ipactl status now exits with 3 when a service is stopped
Some tests are individually stopping a service and call
ipactl status to ensure it is stopped. They need to use
run_command with raiseonerr=False as ipactl status now
exits with 3 when one of the IPA services is down
(since commit 928ab51).

Related: https://pagure.io/freeipa/issue/8588
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2021-02-08 09:55:01 +01:00
Florence Blanc-Renaud
27ae8a93f5 ipatests: fix ipahealthcheck fixture _modify_permission
The test is storing the initial file permissions obtained with 'stat',
then modifies them, calls ipa-healthcheck and reverts the permissions
to the original value.

When the file is a symlink, stat returns the permissions of the link,
not of the pointed-to file. But chmod modifies the permissions of the
pointed-to file, not of the link.
As a consequence, the fixture does not properly restore the original
file permissions.

The fix consists in calling 'stat -L' because the command follows
links.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-02-05 15:39:07 +01:00
François Cami
82216bfa3d ipatests: add TestInstallWithoutSudo
Test IPA servers and clients behavior when sudo is not installed.

Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2021-02-04 14:28:45 +01:00
François Cami
ed8a9e4e6a ipatests: tasks: handle uninstalling packages with nodeps
Handle package removal without taking dependencies into account.
E.g. add frontends for rpm -e --nodeps.

Related: ipatests/pytest_ipa/integration/tasks.py
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2021-02-04 14:28:45 +01:00
François Cami
a912bbbe0e ipa-client-install: output a warning if sudo is not present
Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2021-02-04 14:28:45 +01:00
François Cami
fcfefe0a26 freeipa.spec: client: depend on libsss_sudo and sudo
On 10.10+ releases of Dogtag, the PKI installer will not depend
on sudo anymore. This opens the possibility of creating IPA servers
without a properly configured sudo.
In fact, even IPA clients should have sudo and libsss_sudo installed
in most cases, so add a weak dependency on both of them to the client
subpackage.
Also make sure libsss_sudo is installed if sudo is present.

Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2021-02-04 14:28:45 +01:00
Florence Blanc-Renaud
ca17a81a30 OpenDNSSEC: fix timezone in key creation date
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-02-04 14:20:59 +01:00
Florence Blanc-Renaud
7902c78496 ipatests: add a test for ZSK/KSK keytype in DNSKEY record
When DNS is enabled for a zone, 2 DNSKEYs should be created:
one KSK and one ZSK.
Add a test ensuring that they can be queried on the master and
the replica.

Related: https://pagure.io/freeipa/issue/8647
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-02-04 14:20:59 +01:00
Florence Blanc-Renaud
cdfc86364e dnssec: fix the key type with OpenDNSSEC 2.1
The database storing the keys with OpenDNSSEC 2.1 has a
different schema from OpenDNSSEC 1.4, and the keytype
(ZSK, KSK) is stored in a different table column: "role"
instead of "keytype".

With OpenDNSSEC 1.4, keytype can be 256 (ZSK) or 257 (KSK), while
with OpenDNSSEC 2.1, role can be 1 (KSK) or 2 (ZSK).
The schema migration can be seen in opendnssec source code:
enforcer/utils/1.4-2.0_db_convert/sqlite_convert.sql

INSERT INTO hsmKey
SELECT DISTINCT REMOTE.keypairs.id, 1, REMOTE.keypairs.policy_id,
REMOTE.keypairs.HSMkey_id, 2, REMOTE.keypairs.size,
REMOTE.keypairs.algorithm,  (~(REMOTE.dnsseckeys.keytype)&1)+1,
CASE WHEN REMOTE.keypairs.generate IS NOT NULL THEN
	strftime('%s', REMOTE.keypairs.generate)
	ELSE strftime("%s", "now") END,
0,
1, --only RSA supported
 REMOTE.securitymodules.name,
0 --assume no backup
FROM REMOTE.keypairs
JOIN REMOTE.dnsseckeys
	ON REMOTE.keypairs.id = REMOTE.dnsseckeys.keypair_id
JOIN REMOTE.securitymodules
	ON REMOTE.securitymodules.id = REMOTE.keypairs.securitymodule_id;

and the schema for the table is defined in enforcer/src/db/kasp.sqlite:
CREATE TABLE HsmKey (
    locator VARCHAR(255) NOT NULL,
    candidate_for_sharing TINYINT UNSIGNED DEFAULT 0,
    bits INT UNSIGNED DEFAULT 2048,
    policy VARCHAR(255) DEFAULT 'default',
    algorithm INT UNSIGNED DEFAULT 1,
    role VARCHAR(3) DEFAULT 'ZSK',
    inception INT UNSIGNED,
    isrevoked TINYINT UNSIGNED DEFAULT 0,
    key_type VARCHAR(255),
    repository VARCHAR(255),
    backmeup TINYINT UNSIGNED DEFAULT 0,
    backedup TINYINT UNSIGNED DEFAULT 0,
    requirebackup TINYINT UNSIGNED DEFAULT 0,
    id INTEGER PRIMARY KEY AUTOINCREMENT
);

Fixes: https://pagure.io/freeipa/issue/8647
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-02-04 14:20:59 +01:00
Antonio Torres
d6ccb9b5b3 Update samba configuration on IPA master to explicitly use 'server role' setting
The default for this setting is 'auto', which may affect
IPA Samba configuration on future Samba versions. By explicitly
setting this parameter in the template, future manual
intervention is prevented.

Fixes: https://pagure.io/freeipa/issue/8452
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-04 14:19:16 +01:00
Michal Polovka
d0269f2367
test_webui: test_hostgroup: Wait for modal dialog to appear
Modal dialog transition is currently set to 300ms, we have to wait
for it to appear in order to interact with it. Double that time is a
safe value.

Resolves: https://pagure.io/freeipa/issue/8684

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2021-02-04 13:23:19 +01:00
Rob Crittenden
8082a2d9eb ipatests: Handle non-zero return code in test_ipactl_scenario_check
https://pagure.io/freeipa/issue/8550

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-02-04 01:29:53 +01:00
Rob Crittenden
ed21787190 Add exit status to the ipactl man page
The existing return codes were undocumented but basically
followed the LSB. Document those along with the new
options for status.

https://pagure.io/freeipa/issue/8550

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-02-04 01:29:53 +01:00
Rob Crittenden
1870c93354 Ensure IPA is running (ideally) before uninstalling the KRA
The KRA attempts to unregister itself from the security domain
which requires that IPA be running for this to succeed.

1. Move the KRA uninstall call prior to stopping all IPA
   services
2. Try to start IPA if it isn't running and a KRA is configured

It isn't mandatory that IPA be running for the KRA uninstall to
succeed but it will suppress a pretty scary backtrace and error
message.

https://pagure.io/freeipa/issue/8550

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-02-04 01:29:53 +01:00
Rob Crittenden
928ab51be6 ipactl: support script status 3, program is not running
Return status 3 if ipactl status can't start 389-ds or if
any of the expected services is not running.

https://pagure.io/freeipa/issue/8588

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-02-04 01:29:53 +01:00
Rob Crittenden
daf2ca3ead Use the new API introduced in PKI 10.8
https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-02-04 01:29:53 +01:00
Rob Crittenden
62521edcd1 Change CA profile migration message from info to debug
This is an informational message and clutters the installation
screen with no end-user benefit. Logging it as debug is
sufficient to know what is going on.

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-02-04 01:29:53 +01:00
Alexander Bokovoy
3231c6fc79 client: synchronize ignored return codes with ipa-rmkeytab
Refactoring ipa-rmkeytab with commit
f3f9672d52 led to new error code 7 when
MIT Kerberos fails to iterate through the keys. It appears now in places
where in past error code 3 was returned.

Related: https://pagure.io/freeipa/issue/8658
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-02-03 14:21:31 -05:00
Sergey Orlov
caeed7e2d1 ipatests: use pexpect to control inetractive session of ipa-adtrust-install
During interactive session of `ipa-adtrust-install` the user needs to
answer several questions. This was done by sending all answers to
the processes stdin without analyzing the questions.

If the installation scenario changes at some point we can get on of the
following results:
* the test fails in the end and the root cause is not obvious
* if a new question was added
* test does not fail but answers are provided for wrong questions -
  in this case scope of test case changes without being noticed

If we use `pexpect` for controlling the session, the test will fail
immediately when it encounters unexpected question.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-03 09:06:12 +02:00