With ca-del now requiring disablement first, CATracker cleanup fails
because the CA is not yet disabled. Implement auto disable before
delete in CATracker, with an option to suppress. This suppress
option is used when testing the "disable first" option.
The patch also includes a tweak to EnableTracker cleanup. In case
the CA already got deleted (and in the case of CATracker, also
disabled), this avoids an attempt to re-enable the already-deleted
object.
Part of: https://fedorahosted.org/freeipa/ticket/5011
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Currently ca-del disables the target CA before deleting it.
Conceptually, this involves two separate permissions: modify and
delete. A user with delete permission does not necessarily have
modify permission.
As we head toward enforcing IPA permissions in Dogtag, it is
necessary to decouple disablement from deletion, otherwise the
disable operation shall fail if the user does not have modify
permission. Although it introduces an additional step for
administrators, the process is consistent, required permissions map
1:1 to the operations, and the error messages make it clear what
needs to happen (i.e. disable first).
Part of: https://fedorahosted.org/freeipa/ticket/5011
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Even though Pytest supports xunit style setups, unittest and nose
tests, this support is limited and may be dropped in the future
releases. Worst of all is that the mixing of various test
frameworks results in weird conflicts and of course, is not widely
tested.
This is a part of work to remove the mixing of test idioms in the
IPA's test suite:
1) replace xunit style
2) employ the fixtures' interdependencies
Related: https://pagure.io/freeipa/issue/7989
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Commands `ipa ca-show` and `ipa cert-show` share the same code,
this commit updates the former, closing the gap between them.
Reflecting the changes done in 5a44ca6383.
https://pagure.io/freeipa/issue/7628
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
If the Subject DN is syntactically valid but contains unrecognised
name attributes, FreeIPA accepts it but Dogtag rejects it, returning
status 400 and causing the framework to raise RemoteRetrieveError.
Update the ca-add command to perform some additional validation on
the user-supplied Subject DN, making sure that we recognise all the
attributes.
Fixes: https://pagure.io/freeipa/issue/6987
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
The patch implements Tracker subclass for CA plugin
and the basic CRUD tests for the plugin entries.
https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
