Commit Graph

2748 Commits

Author SHA1 Message Date
Rob Crittenden
6294b93e14 ipatests: Ignore spacing in OpenSSL validation error message
The error message format changed between releases of OpenSSL.
The updated version has dropped spaces around equal signs
between RDN elements in the subject.

e.g. In 3.1.1 it reports O = EXAMPLE.TEST, CN = IPA RA
and in 3.2.1 reports O=EXAMPLE.TEST, CN=IPA RA

So ignore all spacing in the error message so it works on all
versions.

I saw this in openssl-3.1.1-4.fc39.x86_64 vs
openssl-3.2.1-3.fc41.x86_64

Fixes: https://pagure.io/freeipa/issue/9567

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-04-04 16:30:09 -04:00
Stanislav Levin
1df2abbd5f ap: Migrate to docker compose V2
Azure Pipelines started to roll 20240401.4 Ubuntu image that doesn't
include docker-compose v1:

https://github.com/actions/runner-images/blob/ubuntu20/20240401.4/images/ubuntu/Ubuntu2004-Readme.md

See https://github.com/actions/runner-images/issues/9557

Compose V1 to V2 migration guide:

https://docs.docker.com/compose/migrate/

Fixes: https://pagure.io/freeipa/issue/9566
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-04-04 11:42:24 -04:00
Erik Belko
fc7c2cb624 xmlrpc tests: Create user with manager option set using user-add
Related: https://pagure.io/freeipa/issue/9515

Signed-off-by: Erik Belko <ebelko@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2024-04-04 15:56:25 +01:00
Rob Crittenden
5d3c6b761b Return 2 when certificates are not found during requests
The ipa tool has nearly since epoch returned 2 for the case of
entry not found.

The certificate processing raises a separate error,
CertificateOperationsError, when something goes wrong.
This returns 1.

With the introduction of the JSON API most requests will get
a proper HTTP return code representing what went wrong. In this
case we can use 404 to determine if the request resulted in
a NotFound therefore can eventually return a 2 and be
consistent in return values.

Related: https://pagure.io/freeipa/issue/9562

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-04-02 23:06:43 +02:00
Rob Crittenden
a9bb811296 Check for file permissions after the ca/cert-show is complete
The commands ca-show and cert-show provide the ability to direct
the certificate output to a file. If the requested object was
not present then this resulted in a zero-length file.

This is because the check to determine if the file was writable,
by opening it, was done prior to the operation to retrieve
the entry.

So move the check after the data retrieval.

Also convert cert-show to be more consistent with ca-show.

I considered cleaning up the empty file afterward but IMHO we
shouldn't touch the file until we're ready to write. This
costs an API roundtrip but its a small price to pay for
potentially protecting existing data.

Fixes: https://pagure.io/freeipa/issue/9562

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-04-02 23:06:43 +02:00
Christian Heimes
38d0e74b6d Move ipalib.install.kinit to ipalib
- kinit helpers are now in `ipalib.kinit`.
- helpers can now use default ccache locations like many other similar
  helpers
- helpers return the result from `run` for debugging
- constants are now in `krb_utils`
- helpers pass `KRB5*` and `GSS*` env vars along, so `KRB5_TRACE` works
- document how to kinit for `ipalib.api`

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-03-27 18:07:17 +01:00
Florence Blanc-Renaud
6cc668ffeb xmlrpc: adapt range plugin test
A warning is added in ipa idrange-add/mod/del for
local ranges. Adapt the test expectation.

Related: https://pagure.io/freeipa/issue/9558
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-03-27 18:04:26 +01:00
Alexander Bokovoy
a57b665be0 idrange: only issue warning to restart services for a local range
SIDGEN plugin only uses local ID ranges and thus a restart is really
needed only when a local range is added, modified or removed.

Also fix the SSSD warning because removal of any range requires restart
everywhere, not just on a specific server.

Fixes: https://pagure.io/freeipa/issue/9558
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-03-27 18:04:26 +01:00
Sudhir Menon
adf95dcf86 ipatests: Fixes for test_ipahealthcheck_ipansschainvalidation testcases.
Currently the test is using IPA_NSSDB_PWDFILE_TXT which is /etc/ipa/nssdb/pwdfile.txt
which causes error in STIG mode.

[root@master slapd-TESTRELM-TEST]# certutil -M -n 'TESTRELM.TEST IPA CA' -t ',,' -d . -f /etc/ipa/nssdb/pwdfile.txt
Incorrect password/PIN entered.

Hence modified the test to include paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE/pwd.txt.

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-03-25 12:27:43 +01:00
Florence Blanc-Renaud
64861a0cf9 idrange-add: add a warning because 389ds restart is required
After the addition of a new idrange, the sidgen plugin is not
immediately aware of the new idrange and a restart of 389ds is
required. Otherwise the creation of new user/group with a uid/gid
inside the new range fails to grant a SID to the user/group.

Fixes: https://pagure.io/freeipa/issue/9558

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-03-20 13:59:21 +01:00
Alexander Bokovoy
1d2897e3d7 ipa-pwd-extop: allow enforcing 2FA-only over LDAP bind
When authentication indicators were introduced in 2016, ipa-pwd-extop
plugin gained ability to reject LDAP BIND when an LDAP client insists
the authentication must use an OTP token. This is used by ipa-otpd to
ensure Kerberos authentication using OTP method is done with at least
two factors (the token and the password).

This enfrocement is only possible when an LDAP client sends the LDAP
control. There are cases when LDAP clients cannot be configured to send
a custom LDAP control during BIND operation. For these clients an LDAP
BIND against an account that only has password and no valid token would
succeed even if admins intend it to fail.

Ability to do LDAP BIND without a token was added to allow users to add
their own OTP tokens securely. If administrators require full
enforcement over LDAP BIND, it is cannot be achieved with LDAP without
sending the LDAP control to do so.

Add IPA configuration string, EnforceLDAPOTP, to allow administrators to
prevent LDAP BIND with a password only if user is required to have OTP
tokens. With this configuration enabled, it will be not possible for
users to add OTP token if one is missing, thus ensuring no user can
authenticate without OTP and admins will have to add initial OTP tokens
to users explicitly.

Fixes: https://pagure.io/freeipa/issue/5169

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-03-12 13:53:11 +01:00
Florence Blanc-Renaud
558a7de8b7 ipatests: some tests are date-sensitive and fail Feb 29
A few tests are changing the date back and forth using for
instance date -s +3Years+1day and date -s -3Years-1day.
This method does not bring the system back to the current date
if executed around Feb 28 or 29 on a leap year, and may result
in de-synchronized server and client.

Add a note in the test to warn about potential future failures.

Related: https://pagure.io/freeipa/issue/9548

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-03-01 11:53:48 +01:00
Rob Crittenden
3766fb9863 ipa-restore: adapt for 389-ds switch to LMDB
ipa-restore is relying on the presence of specific directories,
e.g. /var/lib/dirsrv/slapd-/db/ipaca, to detect
which backends are in use (userRoot or ipaca).

With the switch to LMDB, these directories do not exist and the
restore fails finding the ipaca backend.

Use lib389.cli_ctl.dblib.run_dbscan utility instead to
check which backends are present.

This method was been introduced in 389ds 2.1.0 and works with
Berkeley DB and LMDB.

Add a --data option to the ipa-backup and ipa-restore tasks to do
only an LDIF backup and restore. Also add the ability to restore by
backend.

Add new tests to do a data-only backup and restore.

Fixes: https://pagure.io/freeipa/issue/9526

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-02-23 14:11:25 +01:00
Rob Crittenden
33af154b7f validate_principal: Don't try to verify that the realm is known
The actual value is less important than whether it matches the
regular expression. A number of legal but difficult to know in
context realms could be passed in here (trust for example).

This fixes CVE-2024-1481

Fixes: https://pagure.io/freeipa/issue/9541

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-02-22 14:35:59 -05:00
Alexander Bokovoy
404fe1018e rpcserver: validate Kerberos principal name before running kinit
Do minimal validation of the Kerberos principal name when passing it to
kinit command line tool. Also pass it as the final argument to prevent
option injection.

Accepted Kerberos principals are:
 - user names, using the following regexp
   (username with optional @realm, no spaces or slashes in the name):
   "(?!^[0-9]+$)^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?@?[a-zA-Z0-9.-]*$"

 - service names (with slash in the name but no spaces). Validation of
   the hostname is done. There is no validation of the service name.

The regular expression above also covers cases where a principal name
starts with '-'. This prevents option injection as well.

This fixes CVE-2024-1481

Fixes: https://pagure.io/freeipa/issue/9541

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-02-21 17:07:33 -05:00
Florence Blanc-Renaud
e5bb0f392a ipatests: fix tasks.wait_for_replication method
With the fix for https://pagure.io/freeipa/issue/9171, the
method entry.single_value['nsds5replicaupdateinprogress'] now
returns a Boolean instead of a string "TRUE"/"FALSE".

The method tasks.wait_for_replication needs to be fixed so that
it properly detects when replication is not done.

Fixes: https://pagure.io/freeipa/issue/9530

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-02-14 09:26:00 +01:00
Florence Blanc-Renaud
908ef6a179 ipatests: add xfail for autoprivate group test with override
Because of SSSD issue 7169, secondary groups are not
retrieved when autoprivate group is set and an idoverride
replaces the user's primary group.
Mark the known issues as xfail.

Related: https://github.com/SSSD/sssd/issues/7169

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
2024-02-12 08:32:20 +01:00
Florence Blanc-Renaud
dfb5099e7f ipatests: remove xfail thanks to sssd 2.9.4
SSSD 2.9.4 fixes some issues related to auto-private-group

Related: https://pagure.io/freeipa/issue/9295
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
2024-02-12 08:32:20 +01:00
Sudhir Menon
7f849956df ipatests: Skip tests for ipahealtcheck tests for specific pki version
CADogtagCertsConfigCheck is no more available on RHEL9, hence the
respective tests are skipped.

Check 'CADogtagCertsConfigCheck' not found in Source 'pki.server.healthcheck.meta.csconfig'

Ref: https://issues.redhat.com/browse/RHEL-21367

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-02-02 11:03:00 +01:00
Florence Blanc-Renaud
9c470d10a5 ipatests: test_idp fails calling yum list wget
On rawhide, the package wget has been replaced with wget2
(more info in https://bugzilla.redhat.com/show_bug.cgi?id=2254790).

The test test_idp is checking that the sudo command is working
for a keycloak user, by creating a sudo rule for the yum command
and calling sudo yum list wget.
As the wget package does not exist any more on Rawhide, the command
returns an error:
Error: No matching Packages to list
and the test fails.

Replace the call "sudo yum list wget" with a call to "sudo yum list yum"
as the yum package is always present.

Fixes: https://pagure.io/freeipa/issue/9522

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-01-30 18:27:12 +01:00
Christian Heimes
22875ea2c6 test_acme: Use ipalib.x509
Use IPA's x509 module instead of `cryptography.x509`. This fixes a
regression which was introduced in commit a45a7a20.

Related: https://pagure.io/freeipa/issue/9518
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2024-01-25 18:07:20 +01:00
Christian Heimes
a45a7a20d9 Compatibility fix for PyCA cryptography 42.0.0
Cryptography 42.0.0 introduced two new abstract properties
`not_valid_before_utc` and `not_valid_after_utc`, which are non-naive UTC
variants of the `not_valid_before` and `not_valid_after` properties.

The old properties are deprecated. The changeset also modifies code and
tests to use the new `_utc` variants.

Fixes: https://pagure.io/freeipa/issue/9518
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-01-24 14:54:24 +01:00
Masahiro Matsuya
c740cb84ba ipatests: wait for replica update in test_dns_locations
test_ipa_ca_records and test_adtrust_system_records can fail with
NXDOMAIN, because it doesn't wait enough for the update on replica.
It can be resolved by waiting for the update with wait_for_replication.

Fixes: https://pagure.io/freeipa/issue/9504
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-01-23 07:57:56 +01:00
Florence Blanc-Renaud
717ae87a75 Nightly tests: test on f38 and f39
Fedora 39 is now officically available. Update the test definitions:
- lastest now uses f39
- previous now uses f38

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2024-01-12 18:46:41 -05:00
Alexander Bokovoy
a5d38ca171 host: update System: Manage Host Keytab permission
Since commit 5c0e7a5fb4, a new extended
operation to get a keytab is supposed to be used. This keytab
setting/retrieval extended operation checks access rights of the bound
DN to write to a virtual attribute 'ipaProtectedOperation;write_keys'.

If the write isn't allowed, the operation is rejected and ipa-getkeytab
tool falls back to an older code that generates the keytab on the client
and forcibly sets to the LDAP entry. For the latter, a check is done to
make sure the bound DN is allowed to write to 'krbPrincipalKey' attribute.

This fallback should never happen for newer deployments. When enrollemnt
operation is delegated to non-administrative user with the help of 'Host
Enrollment' role, a host can be pre-created or created at enrollment
time, if this non-administrative user has 'Host Administrators' role. In
the latter case a system permission 'System: Manage Host Keytab' grants
write access to 'krbPrincipalKey' attribute but lacks any access to the
virtual attributes expected by the new extended operation.

There is a second virtual attribute, 'ipaProtectedOperation;read_keys',
that allows to retrieve existing keys for a host. However, during
initial enrollment we do not allow to retrieve and reuse existing
Kerberos key: while 'ipa-getkeytab -r' would give ability to retrieve
the existing key, 'ipa-join' has no way to trigger that operation.
Hence, permission 'System: Manage Host Keytab' will not grant the right
to read the Kerberos key via extended operation used by 'ipa-getkeytab
-r'. Such operation can be done later by utilizing 'ipa
service/host-allow-retrieve-keytab' commands.

Fix 'System: Manage Host Keytab' permission and extend a permission test
to see that we do not fallback to the old extended operation.

Fixes: https://pagure.io/freeipa/issue/9496

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-01-12 18:41:01 -05:00
Carla Martinez
2874823c12
ipatests: test new columns in group details
Test for checking the new columns 'givenname', 'sn' and 'nsaccountlock'.

Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Carla Martinez <carlmart@redhat.com>
2024-01-12 15:26:45 +01:00
Rob Crittenden
e5a9e46138 get_directive: don't error out on substring mismatch
This function is designed to retrieve a value from an
ini-like file. In particular PKI CS.cfg.

In an attempt to be more efficient a substring search,
using startswith(), is used before calling a regular
expression match.

The problem is that if the requested directive is a
substring of a different one then it will pass the
startswith() and fail the regular expression match
with a ValueError, assuming it is malformed.

There is no need for this. The caller must be able to
handle None as a response anyway. So continue if
no match is found.

This was seen when PKI dropped storing certificate blobs
in CS.cfg. The CA certificate is stored in ca.signing.cert.
If it isn't present then ca.signing.certnickname will match
the substring but not the directive. This should not be
treated as an error.

Fixes: https://pagure.io/freeipa/issue/9506

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-01-11 17:19:47 +01:00
Rob Crittenden
ce811db6be ipatests: Test client install/uninstall with automount enabled
The automount installation was failing. Confirm that it is fixed.

The uninstall was not restoring all files/configuration. Verify
that the index and state files are gone which means that all state
and files were restored.

Fixes: https://pagure.io/freeipa/issue/9487

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2024-01-11 17:13:35 +01:00
Sudhir Menon
8ef3d6ce5c ipatests: Skip ds_encryption tests on RHEL9 SUT.
test_ipahealthcheck_ds_encryption tests are failing
in RHEL9 SUT because in this test tls protocol version
is set to TLS1.0 using the below command, but its
reset to TLS1.2 causing the test to fail.

'dsconf', 'slapd-TESTREALM-TEST', 'security', 'set', '--tls-protocol-min=TLS1.0'

Hence the test is skipped to be run on RHEL9.0 SUT.

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-01-10 14:58:49 -05:00
Rob Crittenden
86b073a7f0
Integration tests for verifying Referer header in the UI
Validate that the change_password and login_password endpoints
verify the HTTP Referer header. There is some overlap in the
tests: belt and suspenders.

All endpoints except session/login_x509 are covered, sometimes
having to rely on expected bad results (see the i18n endpoint).

session/login_x509 is not tested yet as it requires significant
additional setup in order to associate a user certificate with
a user entry, etc.

This can be manually verified by modifying /etc/httpd/conf.d/ipa.conf
and adding:

Satisfy Any
Require all granted

Then comment out Auth and SSLVerify, etc. and restart httpd.

With a valid Referer will fail with a 401 and log that there is no
KRB5CCNAME. This comes after the referer check.

With an invalid Referer it will fail with a 400 Bad Request as
expected.

CVE-2023-5455

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
2024-01-10 10:27:06 +01:00
Florence Blanc-Renaud
8d7bd6c6ab pylint: fix errors
Fix the following errors:
I0021(useless-suppression)
R1710(inconsistent-return-statements)
E1101(no-member)

Ignore the following errors:
E0601(used-before-assignment)
The variable is imported when the code is run in_server.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-01-09 08:40:47 +01:00
Florence Blanc-Renaud
8981ede1a2 azure tests: move to fedora 39
Update python3 to ensure the fix for BZ 2252567 is pulled.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-01-09 08:40:47 +01:00
Alexander Bokovoy
c3bc938650
ipatests: make sure PKINIT enrollment works with a strict policy
Previously, for a global policy which does not include
'password', krb5kdc restart was failing. Now it should succeed.

We set admin user authentication type to PASSWORD to simplify
configuration in the test.

What matters here is that global policy does not include PKINIT and that
means a code in the ticket policy check will allow PKINIT implicitly
rather than explicitly.

Related: https://pagure.io/freeipa/issue/9485

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2023-12-22 10:34:19 +01:00
Florence Blanc-Renaud
a177121af6 ipatests: disable dnssec validation in tests using dnf
The 2 following tests rely on dnf install and use
mirrors.fedoraproject.org which has a broken trust chain.
Disable dnssec validation so that dnf succeeds.

Fixes: https://pagure.io/freeipa/issue/9498

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-12-19 14:59:42 +01:00
Rob Crittenden
d1e09c68af ipatests: Verify that hbactest will return messages
Limit the sizelimit of the hbactest request to confirm that
the output includes a SearchResultTruncated message.

Fixes: https://pagure.io/freeipa/issue/9486

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-12-19 12:58:50 +01:00
Florence Blanc-Renaud
25b58e6dea Webui: use service options to init Firefox driver
With selenium driver 4.10 and above, the API for Firefox driver
initialization has changed and does not use any more the
log_path argument.

The log path is now provided through a FirefoxService option
in the webdriver initialization.

Fixes: https://pagure.io/freeipa/issue/9492
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2023-12-11 11:51:43 +01:00
Florence Blanc-Renaud
9abb50eb1e test_install: restart services after date change
The test TestKRAinstallAfterCertRenew is moving the
date in the future in order to reach the grace period where
certmonger detects some certificates need to be renewed.
Restart the services after the date change.

Fixes: https://pagure.io/freeipa/issue/9405

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2023-12-11 09:55:20 +01:00
Florence Blanc-Renaud
53951ca860 test_external_idp: update code for selenium 4.10
The integration test is using selenium web driver to simulate a
user authentication with an external IdP. The user performs kinit
and is provided with a URL where he needs to authenticate.

The test was written for selenium API 4.9 and must be adapted to
the changes introduced in 4.10:
- the headless method has been deprecated
- executable_path argument has been deprecated

Fixes: https://pagure.io/freeipa/issue/9493
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2023-12-11 09:52:05 +01:00
Florence Blanc-Renaud
d61d1b059c Make test_external_ca.py compatible with crypto 41.0.0
The integration test test_external_ca.py is not compatible with
python-cryptography 41.0.0+.

The test is installing ipa server with an externally-signed CA cert
using a Microsoft Certificate Service profile:
ipa-server-install --external-ca --external-ca-type ms-cs
                    --external-ca-profile "1.2.3.4:10:200"
The command generates a CSR in /root/ipa.csr. The test reads the CSR,
extracts the extensions and compares with the requested extension
for the Microsoft Template.
With python-cryptography 41.0.0+, the extension can be decoded as
cryptography.x509.MSCertificateTemplate while with older version
the extension is decoded as cryptography.x509.UnrecognizedExtension.

Handle both cases properly.

Fixes: https://pagure.io/freeipa/issue/9490

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2023-12-11 09:49:47 +01:00
Florence Blanc-Renaud
5028b391f1 Integration tests: disable test_sso
Changes in ipa-tuura project are breaking the test
(removal of a script required for test preparation).
Disable the test until a solution is found in ipa-tuura.

Related: https://pagure.io/freeipa/issue/9476

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2023-12-04 15:58:07 +01:00
Alexander Bokovoy
6bc9e9d06e Remove upgrade test from Azure CI
It is already running in PR CI for all kinds of targets:

ipatests/prci_definitions/gating.yaml:        test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_latest.yaml:        test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_latest_389ds.yaml:        test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_latest_pki.yaml:        test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_latest_selinux.yaml:        test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_latest_testing.yaml:        test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_latest_testing_selinux.yaml:        test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_previous.yaml:        test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_rawhide.yaml:        test_suite: test_integration/test_upgrade.py

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-11-28 17:02:47 +01:00
Rob Crittenden
f00b52ce6d ipatests: fix expected output for ipahealthcheck.ipa.host
ipa-healthcheck commit e69589d5 changed the output when a service
keytab is missing to not report the GSSAPI error but to report
that the keytab doesn't exist at all. This distinguishes from real
Kerberos issues like kvno.

Fixes: https://pagure.io/freeipa/issue/9482

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2023-11-16 15:51:03 -05:00
Rob Crittenden
d659d21b43 ipatests: ignore nsslapd-accesslog-logbuffering WARN in healthcheck
Log buffering is disabled in the integration tests so we can have all
the logs at the end. This is causing a warning to show in the 389-ds
checks and causing tests to fail that expect all SUCCESS.

Add an exclude for this specific key so tests will pass again.

We may eventually want a more sophisiticated mechanism to handle
excludes, or updating the config in general, but this is fine for now.

Fixes: https://pagure.io/freeipa/issue/9400

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2023-11-16 15:51:03 -05:00
Florence Blanc-Renaud
07e5637269 ipatests: fix expected output for ipahealthcheck.meta.services
ipa-healthcheck commit 31be12b introduced a change in the output
message when pki-tomcatd is not running.
With versions <= 0.12, the service name is displayed as
pki_tomcatd (with an underscore), but with 0.13+ it is
pki-tomcatd (with a dash).

Fixes: https://pagure.io/freeipa/issue/9460

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-11-13 16:39:52 -05:00
Sudhir Menon
9d49f403c2 ipatests: Skip the test failing due to FIPS policy
1. test_certmonger_reads_token_HSM test in test_installaton.py
is failing in FIPS/STIG mode with the below error.

SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY: Unable to import.
Error attempting to import private key in STIG mode

2. Adding the posfix config change, because there was a crash
seen in smtpd in FIPS mode.

ie. postconf -e smtpd_tls_fingerprint_digest=sha256

KCS: https://access.redhat.com/solutions/6958957

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-10-19 12:27:01 +02:00
Florence Blanc-Renaud
b6af3a43c7 ipalib: fix the IPACertificate validity dates
The class IPACertificate builds objects from x509 Certificate
objects and creates the not_valid_before and not_valid_after values
by converting to a timestamp + applying timezone delta to UTC + reading
from the timestamp. This results in applying twice the delta.

Use a simpler method that replaces the timezone info with UTC in the
datetime object.

Fixes: https://pagure.io/freeipa/issue/9462

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-10-16 14:46:45 -04:00
Rob Crittenden
62454574a1 Allow password policy minlength to be removed like other values
This is a side-effect of adding the libpwquality options. It
imposes its own hardcoded minimum password length so some care
was needed to ensure that it isn't set too low.

So if there are no libpwquality options used then it's fine to
have no minlength in the policy.

Fixes: https://pagure.io/freeipa/issue/9297

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2023-10-16 13:23:20 -04:00
Florence Blanc-Renaud
430054db41 ipatests: fix test_ipactl_scenario_check
The test is comparing the PID of services before and after
calling ipactl start, expecting to have the same value.
It should not compare the pid for ipa-dnskeysyncd as this service
is automatically restarted upon failure.

Fixes: https://pagure.io/freeipa/issue/9415

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-10-04 09:20:44 -04:00
Florence Blanc-Renaud
e459e5b8bc ipatests: fix healthcheck test for --indent option
ipa-healthcheck --indent option expects an integer. The error
message changed with ipa-healthcheck 0.13.
Recent versions also check that the value is in the range 0-32.

The test must be compatible with old and new versions.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-10-04 09:17:52 -04:00
Florence Blanc-Renaud
f9075f9f77 ipatests: fix healthcheck test without DNS
ipa-healthcheck has added a new check for ipa-ca record
missing. The test needs to be adapted to handle the new check.

Fixes: https://pagure.io/freeipa/issue/9459

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-10-04 09:15:29 -04:00