Replace python3-pyldap with python3-ldap.
Remove some old code for compatibility with very old python-ldap.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Upon a connection several values should be available within
the connextion context. Test that they are being set properly.
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
When running "test_batch_plugin" with Py2 against Py3 server we
got assertion error due to a command trying to run as bytes.
E.g.: unknown command 'b'ping''
https://pagure.io/freeipa/issue/7131
Reviewed-By: Christian Heimes <cheimes@redhat.com>
If IPv6 is not enabled, cope with the possibility to get incomplete
output back from the IPA CLI.
To do so, use lambda to analyze the result rather than explicit
comparison with the expected output.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
pytest is setting an env var PYTEST_CURRENT_TEST to the test name + test
parameters. If parameters happen to contain NULL bytes, the putenv()
call fails with "ValueError: embedded null byte". The workaround uses
repr() of test parameters as parameter id.
See https://github.com/pytest-dev/pytest/issues/2957
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Some tests from installation suite fail.
The issues are:
* ipa-replica-install --setup-kra if first KRA in topology fails
https://pagure.io/freeipa/issue/7008
* Third KRA installation in topology fails
https://pagure.io/freeipa/issue/7220
This patch marks those tests as failing.
Signed-off-by: Petr Čech <pcech@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
"RuntimeError: dictionary changed size during iteration" in
ipaserver/plugins/dns.py", line 3209, in postprocess_record
https://pagure.io/freeipa/issue/7275
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Fixes failing "ipa vault-retrieve" on replica due to a vault
not yet replicated. Increase from 30 to 45 seems to be enough.
https://pagure.io/freeipa/issue/7265
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Prepare CertDB and NSSDatabase to support sqlite DB format. NSSDatabase
will automatically detect and use either old DBM or new SQL format. Old
databases are not migrated yet.
https://pagure.io/freeipa/issue/7049
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Bump PKI to 10.5.1-2, which fixes an issue with KRA under Python 3
* Correct encoding of secret
https://pagure.io/freeipa/issue/7033
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
In "test_invalid_ds_cn" test case an old invalid http.p12 cert
is used as a leftover after previous "test_invalid_http_cn" test.
Get new valid http.p12 cert using create_pkcs12().
Also use server-badname cert instead of cert for replica.
This explicitly ensures a non-matching hostname/SAN rather than
implicitly by using a certificate for the replica.
https://pagure.io/freeipa/issue/7254
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fixes an error where we were getting domain_level None and after
switching to Py3 we hit TypeError because of comparing None and int.
https://pagure.io/freeipa/issue/7254
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Instead of symlinks and build-time configuration the ipaplatform module
is now able to auto-detect platforms on import time. The meta importer
uses the platform 'ID' from /etc/os-releases. It falls back to 'ID_LIKE'
on platforms like CentOS, which has ID=centos and ID_LIKE="rhel fedora".
The meta importer is able to handle namespace packages and the
ipaplatform package has been turned into a namespace package in order to
support external platform specifications.
https://fedorahosted.org/freeipa/ticket/6474
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
https://pagure.io/freeipa/issue/7247
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Move collect_logs function from util to avoid a circular import.
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
pytest_multihost does not support binary stdout stream yet,
https://pagure.io/python-pytest-multihost/issue/7 . Write logs to
temporary file and use host.get_file_content() to fetch them.
https://pagure.io/freeipa/issue/7131
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This fix adds additional prompt which was missing previously
in test_interactive_missing_ds_pkcs_password and
test_interactive_missing_http_pkcs_password under CA-less integration
testsuite.
Fixes: https://pagure.io/freeipa/issue/7182
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
Adds validation to prevent user to install ipa with single label
domain.
https://pagure.io/freeipa/issue/7207
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Bytes would cause the logger to throw up while interpolating the
string.
Reviewed-By: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
CA-less tests debug logging uses representation of a variable
containing the certificate object, which does not help very much.
Use the actual DER representation of the certificate on such places.
Reviewed-By: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add NTP, ipa-ca and ADTrust system records tests. Also test if
changes are being reflected when uninstalling a host.
The test cases are added as extension into test_dns_locations suite.
https://pagure.io/freeipa/issue/6091
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
When running test_caless suite in py3 we need to open CA cert in
binary mode so we can provide bytes later for python-cryptography.
https://pagure.io/freeipa/issue/7131
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Decode get_file_contents() in order to not get bytes when running py3
https://pagure.io/freeipa/issue/7131
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The pytests_plugins/integration/config.py::Config class
provides the get_logger method in order to customize the
default log of the plugin.
Previously, before commit 07229c8ff6,
the code was using ipa_log_manager, a custom log solution. After
moving to use the default python way, the log is not configured anymore.
This PR address it changing the level to DEBUG in order to capture
the output of pytest_multihosts commands.
As an example, when running `ipa-server-install`, you will be able
to see an output like this:
```
[[...].Host.master.cmd2] Checking DNS domain ipa.test, please wait ...
[[...].Host.master.cmd2]
[[...].Host.master.cmd2] The log file for this installation can be found in /var/log/ipaserver-install.log
[[...].Host.master.cmd2] ==============================================================================
[[...].Host.master.cmd2] This program will set up the FreeIPA Server.
[[...].Host.master.cmd2]
[[...].Host.master.cmd2] This includes:
[[...].Host.master.cmd2] * Configure a stand-alone CA (dogtag) for certificate management
[[...].Host.master.cmd2] * Configure the Network Time Daemon (ntpd)
[[...].Host.master.cmd2] * Create and configure an instance of Directory Server
[[...].Host.master.cmd2] * Create and configure a Kerberos Key Distribution Center (KDC)
```
Fixes: https://pagure.io/freeipa/issue/7186
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Since test_external_ca isn't using the multihost framework,
logs collection has to be set up explicitly.
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Felipe Barreto <fbarreto@redhat.com>
The x509.subject_base() function is only used in tests. During
the recent certificate refactoring, we had to get rid of the
ipalib.x509 import from the module scope so that there were no
circular dependecies and add it exactly to this funcion which
is not used in the production code.
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
We don't need the strip_header() function, to load an unknown
x509 certificate, load_unknown_x509_certificate() should be used.
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
LDIFWriter.unparse() expects the scalar values of the attributes
of the entries to be bytes as it applies a byte regular expression
to check whether to base64-encode the values or not. Previously,
we were passing the scalar attribute values as strings which
was breaking the LDIFWriter.unparse() exectution.
https://pagure.io/freeipa/issue/7131
Reviewed-By: Felipe Barreto <fbarreto@redhat.com>
During integration tests, the log level of 8192 (replication debugging)
was excessive and made reading 389-ds logs very hard without providing
any useful information.
Part of: https://pagure.io/freeipa/issue/7162
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fixing import errors introduced by commits
icac3475a0454b730d6e5b2093c2e63d395acd387 and
0b7d9c5.
https://pagure.io/freeipa/issue/7132
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Replace custom file_exists() and dir_exists() functions with proper
functions from Python's stdlib.
The change also gets rid of pylint's invalid bad-python3-import error,
https://github.com/PyCQA/pylint/issues/1565
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
If the function `install_kra` or `install_ca` fails
on call `host.run_command(command, raiseonerr=raiseonerr)`
then the logs are not collected.
This situation is not optimal because we need to see what happend
during the debbuging the tests.
So, this patch solves this situation and it adds try--finally
construction.
https://pagure.io/freeipa/issue/7214
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
This fix adds correct usage of host.hostname in logger.
Fixes: https://pagure.io/freeipa/issue/7190
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Now, the criteria option is working for both commands
and the commands are able to handle with wrong input values.
https://pagure.io/freeipa/issue/7134
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Tests should always rely on api.env.* values when possible.
Without this running the tests remotely can result in errors such
as ldap{search,modify,passwd} attempting to connect to the
wrong URI and failing.
https://fedorahosted.org/freeipa/ticket/6622
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This patch is mainly for test_forced_client_reenrolment suite
where when we are not in control of our client DNS we create an
overlap zone in order to get the host records updated. This also
sets resolv.conf before every ipa-client-install to the ipa master.
https://pagure.io/freeipa/issue/7124
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
When running tests in python3 we get bytes object instead of
bytestring from get_file_contents() and when passing it to
run_command() we later fail on concatenation in shell_quote().
https://pagure.io/freeipa/issue/7131
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This is causing python2 tests print ugly warnings about the
deprecation of the `message` attribute in python2.6.
https://pagure.io/freeipa/issue/7131
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Add caless to external CA test as the suite is currently
missing one.
https://pagure.io/freeipa/issue/7155
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Switch external CA generation from certutil to python-cryptography
as this way of handling the certificates should be more readable,
maintainable and extendable (e.g. extensions handling).
Also as external CA is now a separate module we can import it and
use elsewhere.
https://pagure.io/freeipa/issue/7154
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Refactor convertHashName() method to accept hash names prefixed with
HMAC- or any other prefix. Extending the method should be easier in
future.
Add tests proposed by Rob Crittenden to make sure we don't regress
with expected behavior of convertHashName().
Fixes https://pagure.io/freeipa/issue/7146
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
`bytes` instances have no `.format()`, we can simply base64 decode
the certificate and load it as DER instead.
https://pagure.io/freeipa/issue/7131
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
pylint requires all classes implementing __eq__ to also implement
__hash__. We disable hashing for the classes that miss the ability,
should they ever be required to use it, it can be implemented then.
https://pagure.io/freeipa/issue/6874
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
unsupported-assignment-operation is useful at times, make it only
local, not global.
https://pagure.io/freeipa/issue/6874
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
commit bddb90f38a added the support for
multivalued server attributes (for pkinit_server_server), but this
introduced an API change where the setter and getter of ServerAttribute
are expecting list of values.
When a SingleValuedServerAttribute is used, we need to convert one elem
into a list containing this elem and vice-versa, so that the ipa config-mod
and ipa config_show APIs are not modified.
https://pagure.io/freeipa/issue/7120
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
For some unknown reason, when I wrote the ipa-otptoken-import script
I used bad input data which had the PBKDF2 parameters in the wrong
XML namespace. I have corrected this input data to match RFC 6030.
https://pagure.io/freeipa/issue/7035
Signed-off-by: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Make sure logs are collected after calling ipa-ca-install command.
Related: https://pagure.io/freeipa/issue/7060
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
There are multiple types of entries and objects accessible in API and not all
of them have the same set methods. Spliting Tracker into multiple trackers
should reflect this better.
https://pagure.io/freeipa/issue/7105
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
It may happen that FQDN does not match with the domain mapped to
the host. In this case we add wildcard for both domains.
https://pagure.io/freeipa/issue/7100
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
external_ca test suite is failing during installation due to
missing SKI extension.
https://pagure.io/freeipa/issue/7099
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Up until now, Bytes parameter was used for certificate parameters
throughout the framework. However, the Bytes parameter does nothing
special for certificates, like validation, so this had to be done
for each of the parameters which were supposed to represent a
certificate.
This commit introduces a special Certificate parameter which takes
care of certificate validation so this does not have to be done
separately. It also makes sure that the certificates represented by
this parameter are always converted to DER format so that we can work
with them in a unified manner throughout the framework.
This commit also makes it possible to pass bytes directly during
instantiation of the Certificate parameter and they are still
represented correctly after their conversion in the _convert_scalar()
method.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Recent certificate refactoring probably unclogged some failure
in handling certificates which causes test_changepw to correctly
fail since it is trying to connect using an HTTPS connection
without the CA certificate. This patch adds the CA cert to the
connection.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Splitting the load_certificate() function into two separate helps
us word the requirements for the input explicitly. It also makes
our backend similar to the one of python-cryptography so eventually
we can swap python-cryptography for IPA x509 module.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
As we are now generating proper wildcard certificates, remove xfail
in wildcard certificate tests.
https://pagure.io/freeipa/issue/5603
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
During py.test initialization, the value 'debug' is passed instead
of logging.DEBUG.
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
Change makepki.sh for new makepki.py which should be more
readable, maintainable and extendable than the old script.
In this test we use it as a module and import create_pki().
The new makepki adds SKI and AKI extensions for correct
cert validation.
Other minor changes needed as we do not use NSS to store our
certificates on the test controller.
https://pagure.io/freeipa/issue/7030
Signed-off-by: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Replace all `ipa_log_manager.log_mgr.get_logger` calls to create
module-level loggers with `logging.getLogger` calls and deprecate
`ipa_log_manager.log_mgr.get_logger`.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Remove all object-specific loggers, with the exception of `Plugin.log`,
which is now deprecated. Replace affected logger calls with module-level
logger calls.
Deprecate object-specific loggers in `ipa_log_manager.get_logger`.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Use the standard `logging` module to configure logging instead of the
in-house `ipapython.log_manager` module and remove `ipapython.log_manager`.
Disable the logging-not-lazy and logging-format-interpolation pylint
checks.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Pytest can be executed from a machine that doesn't have IPA configured.
In this case, api can't be finalized because values such as basedn are
unknown and missing.
Fixes https://pagure.io/freeipa/issue/7046
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Tests for whoami command with user,
host, and service principal's tgt.
Resolves: https://pagure.io/freeipa/issue/6745
Reviewed-By: Milan Kubik <mkubik@redhat.com>
Use the default LDAP URI from api.env.ldap_uri instead of specifying a
custom URI in the argument. The default URI might be ldapi://, so make sure
autobind is not attempted where the custom URI was ldap://.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
We have only one debug log level and it causes issues with py3.
...
File "/usr/lib/python3.5/site-packages/ipaserver/rpcserver.py", line 490, in marshal
response, version, pretty_print=self.api.env.debug >= 2
TypeError: unorderable types: str() >= int()
https://pagure.io/freeipa/issue/4985
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
In py3 dict.items() doesn't return list so we must create a list to
avoid changing dictionary over iteration.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
In py3 the variable is valid only in the block where it is defined. We
must move test definition to global scope.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This parameter is unused in code. We are no longer testing if IP address
matches an interface in constructor.
https://pagure.io/freeipa/issue/4317
Reviewed-By: David Kupka <dkupka@redhat.com>
Previous attempt to improve error messages during certificate
validation would only work in English locale so we're keeping
the whole NSS messages for all cases.
https://pagure.io/freeipa/issue/6945
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
If logs aren't collected to logfile_dir, skip collection of systemd
journal.
Related https://pagure.io/freeipa/issue/6971
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Some messages are only logged in journal. Collection of journal
makes debugging failed tests from logs easier.
Fixes: https://pagure.io/freeipa/issue/6971
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Remove brackets from the paths in naming pattern of directories
for multihost logs. Brackets in filenames require special handling
in markdown URLs, bash paths etc.
Related: https://pagure.io/freeipa/issue/6971
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
If the Subject DN is syntactically valid but contains unrecognised
name attributes, FreeIPA accepts it but Dogtag rejects it, returning
status 400 and causing the framework to raise RemoteRetrieveError.
Update the ca-add command to perform some additional validation on
the user-supplied Subject DN, making sure that we recognise all the
attributes.
Fixes: https://pagure.io/freeipa/issue/6987
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
Since the creation of DS and PKI users is now handled by RPMs and not at
runtime in FreeIPA 4.5.x, we should no longer remove them during
backup/restore tests.
https://pagure.io/freeipa/issue/6956
Reviewed-By: Martin Basti <mbasti@redhat.com>
Since FreeIPA 4.5.1 now sets 'Disable last successful auth' option by
default (see https://pagure.io/freeipa/issue/5313), the
'KrbLastSuccessfulAuth' may not always be present on the user entry. The
restored entry checker in backup/restore suite should consider this.
https://pagure.io/freeipa/issue/6956
Reviewed-By: Martin Basti <mbasti@redhat.com>
The test fixture haphazardly intermixed MockLDAP and ldap2 calls in
setup and teardown code, greatly hampering extension of the code and
also porting efforts to Python 3. Get rid of MockLDAP and use ldap2 for
all LDAP operations.
https://pagure.io/freeipa/issue/6937
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
A new multi-valued server attribute `pkinit_server` was added which
reports IPA masters that have PKINIT configuration usable by clients.
The existing tests were modified to allow for testing the new attribute.
https://pagure.io/freeipa/issue/6937
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
In order to achieve the task, the following changes were required:
* vectorize the base class for server attributes
* add a child class that enforces single-value attributes. It still
accepts/returns single-value lists in order to not break Liskov
substitution principle
* Existing attributes inherit from the child class
https://pagure.io/freeipa/issue/6937
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
mark TestCertinstall intermediate CA tests (http, ds) as xfail
until #6959 is solved
https://pagure.io/freeipa/issue/6959
Signed-off-by: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
When the certificate validation was replaced, some error messages
were omitted (like "Peer's certificate expired."). Bring these back.
https://pagure.io/freeipa/issue/6945
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Now, the cert-request command compares the domain part of the
email case-insensitively.
https://pagure.io/freeipa/issue/5919
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
- Update get_attr_filter in LDAPSearch to handle nsaccountlock by setting the default value for
nsaccountlock to false as well as update the filter to check for the default value
- Remove pytest xfail for test_find_enabled_user
https://pagure.io/freeipa/issue/6896
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
KRB5KDC_LOG = '/var/log/krb5kdc.log' added to paths
host.collect_log(paths.KRB5KDC_LOG) added to tasks.py
Signed-off-by: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Add tox infrastructure to test client wheel packages workflow:
* build client packages
* install client packages
* ipa-run-tests --ipaclient-unittests under Python 2 and 3
* pylint of client packages under Python 2 and 3
* placeholder packages work as expected
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Slots in HSM are not assigned statically, we have to chose proper
slot from token label.
Softhsm i2.2.0 changed this behavior and now slots can change over
time (it is allowed by pkcs11 standard).
Changelog:
* created method get_slot() that returns slot number from
used label
* replaces usage of slot in __init__ method of P11_Helper
with label
* slot is dynamically detected from token label before
session is opened
* pkcs11-util --init-token now uses '--free' instead '--slot'
which uses first free slot (we don't care about slot numbers
anymore)
https://pagure.io/freeipa/issue/6692
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Add non regression test for issue 6404: when idrange-add is called with
empty dom-name, the command returns
ipa: ERROR: an internal error has occurred
https://pagure.io/freeipa/issue/6404
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
All requests now use the OpenSSL formatter. However, we keep Formatter
a separate class so that it can be changed out for tests.
https://pagure.io/freeipa/issue/4899
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The test class depends on a working Kerberos configuration and session.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Ticket 6604 makes pylint and jsl optional dependencies. The change
is controversal, because some developers prefer that pylint and jsl
should be required unless explicitly disabled.
`make devcheck` is my answer to address the concerns. It's a superior
solution to `make lint` as pre-commit check. It combines several
additional checks under a single, easy rememberable and convenient make
target:
* build all
* acilint, apiclient, jslint, polint
* make check
* pylint under Python 2 and 3
* subset of unit test suite
https://fedorahosted.org/freeipa/ticket/6604
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Doctests of ipatests.util fail under Python 3.
The old test scenario does no longer work on Python 3 since u'how are you'
and 'how are you' have identical type, but u'how are you' != b'how are you'.
It works with int / float on all Python versions.
Python 2 has <type 'int'> while Python 3 uses <class 'int'>.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
The recent changes allow the sudorule objects to be renamed.
https://pagure.io/freeipa/issue/2466
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
The recent changes allow HBAC rule objects to be renamed.
https://pagure.io/freeipa/issue/6784
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
pytest 3.x does no longer support plain pytest.skip() on module level.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
The changes made to ipa-run-tests script in fd1b4f6 broke the
ipa-test-config and ipa-test-task scripts which are not executed
via pytest.
To fix the issue, all helper code and dependencies of the integration
plugin are moved out of ipatests.test_integration and into the
integration plugin. As first step ipatests.pytest_plugins.integration
is turned into a package.
https://pagure.io/freeipa/issue/6798
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
************* Module ipaserver.install.ipa_kra_install
ipaserver/install/ipa_kra_install.py:25: [W0402(deprecated-module), ] Uses of a deprecated module 'optparse')
************* Module ipapython.install.core
ipapython/install/core.py:163: [E1101(no-member), _knob] Module 'types' has no 'TypeType' member)
************* Module ipatests.test_ipapython.test_dn
ipatests/test_ipapython/test_dn.py:1205: [W1505(deprecated-method), TestDN.test_x500_text] Using deprecated method assertEquals())
************* Module ipa-ca-install
install/tools/ipa-ca-install:228: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member)
install/tools/ipa-ca-install:232: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member)
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Bunch of tests for WebUI Vault Management.
Covers:
Adding vaults
Modifying vaults
Adding members and owners to all types of vaults
https://fedorahosted.org/freeipa/ticket/5426
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
KRA uninstallation is very likely to break the user's setup. Don't
allow it at least till we can be safely sure we are able to remove
it in a standalone manner without breaking anything.
https://pagure.io/freeipa/issue/6538
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Instead of using the kernel keyring, store the session cookie within the
ccache. This way kdestroy will really wipe away all credentials.
Ticket: https://pagure.io/freeipa/issue/6661
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This will allow to test --setup-kra option together with
ipa-server-install in install tests
Separate installation using ipa-kra-install is already covered.
https://pagure.io/freeipa/issue/6731
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Commit ada91c2 introduced changes in "csrgen/templates/openssl_base.tmpl"
which broke the following 2 tests:
test_CSRGenerator.test_userCert_OpenSSL
test_CSRGenerator.test_caIPAserviceCert_OpenSSL
The tests use files caIPAserviceCert_openssl.sh and userCert_openssl.sh
as expected scripts in order to compare scripts generated by CSRGenerator.
E.g. as other parameter was introduced we are now not checking with
"if [[ $# -ne 2 ]]" but rather with if "[[ $# -lt 2 ]]".
https://pagure.io/freeipa/issue/6724
Reviewed-By: Milan Kubik <mkubik@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
A couple of tests were added to server/replica install integration
suite to test AD trust install w/ various combinations of other optional
components.
https://fedorahosted.org/freeipa/ticket/6630
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
test_ldap just imported nss.nss to call nss_init_nodb(). It should be
safe to remove the call. Let's see what CI has to say.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Setting fips_mode to object would fail if ipaplatform.tasks module
wasn't present.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Christian Heimes <cheimes@redhat.com>
* add missing default_backend
* unpad encrypted data
* use cryptography's hashes and HMAC construct
* remove hard dependency on python-nss from setup.py
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The "ipaCert" nicknamed certificate is not required to be
in /var/lib/ipa/radb NSSDB anymore as we were keeping a copy
of this file in a separate file anyway. Remove it from there
and track only the file. Remove the IPA_RADB_DIR as well as
it is not required anymore.
https://fedorahosted.org/freeipa/ticket/5695https://fedorahosted.org/freeipa/ticket/6680
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
MD5 is a grandpa and FIPS does not like it at all.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Commit 1e6a204b43 added explicit confdir
setting to api.bootstrap() calls of a randomly selected portion of
server-side scripts and tests. This commit adds it to the rest of
server-side code for consistency.
https://fedorahosted.org/freeipa/ticket/6389
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
