Allow hosts to delete services they own. This is an ACL that complements
existing one that allows to create services on the same host.
Add a test that creates a host and then attempts to create and delete a
service using its own host keytab.
Fixes: https://pagure.io/freeipa/issue/7486
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Update the certprofile tests to cover the various scenarios
concerning the profileId property in the profile configuration.
The scenarios now explicitly tested are:
- profileId not specified (should succeed)
- mismatched profileId property (should fail)
- multiple profileId properties (should fail)
- one profileId property, matching given ID (should succeed)
https://pagure.io/freeipa/issue/7503
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
In certprofile-import if the config file contains two profileId
directives with different values, with the first matching the
profile ID CLI argument and the second differing, the profile gets
imported under the second ID. This leads to:
- failure to enable the profile
- failure to add the IPA "tracking" certprofile object
- inability to delete the misnamed profile from Dogtag (via ipa CLI)
To avert this scenario, detect and reject profile configurations
where profileId is specified multiple times (whether or not the
values differ).
https://pagure.io/freeipa/issue/7503
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
1) Extended webui group automation test with below scenarios
Scenarios
*Add user group with invalid names
*Add multiple groups records at one shot
*Select and delete multiple records
*Find and delete records etc...
2) Improved add_record method to support additional use cases:
*confirm by additional buttons: 'Add', 'Add and add another', 'Add and Edit,' 'Cancel'
*add multiple records in one call (uses 'Add and add another' behavior)
https://pagure.io/freeipa/issue/7485
Signed-off-by: Varun Mylaraiah <mvarun@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
Details facet for user, hosts, service, user override entities require
complex reload as they gather information from multiple sources - e.g.
all of them do cert-find. On update only $entity-mod is execute and its
result doesn't have all information required for refresh of the page
therefore some fields are missing or empty.
This patch modifies the facets to do full refresh instead of default
load and thus the pages will have all required info.
https://pagure.io/freeipa/issue/5776
Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
Delete code related to NTP checks.
As we migrated to chronyd and IPA server is not NTP server anymore
https://pagure.io/freeipa/issue/7499
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
We already validate that --setup-dns is specified when any of
DNS-related options provided by a user. Do the same for --setup-adtrust
case.
Fixes: https://pagure.io/freeipa/issue/7410
Reviewed-By: Christian Heimes <cheimes@redhat.com>
389-ds 1.3.5 changed the error message format for
nsds5ReplicaLastUpdateStatus value. Now it produces
"Error (%d) %s" instead of "%d %s".
Change the check_repl_update() to handle both formats.
Fixes: https://pagure.io/freeipa/issue/7442
Reviewed-By: Christian Heimes <cheimes@redhat.com>
When we attempt to update an entry during upgrade, it may have already
contain the data in question between the check and the update. Ignore
the change in this case and record it in the log.
Fixes: https://pagure.io/freeipa/issue/7450
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Commit afc0d4b62d added an upgrade
step that add an attribute to a replica config entry. The entry
only exists after a replica has been added, so upgrade was broken
for standalone server. Catch and suppress the NotFound error.
Related to: https://pagure.io/freeipa/issue/7488
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Commit 6b145bf3e6 should not be pushed,
because it was not the intention to add a new test to .freeipa-pr-ci.
This commits reverts its change.
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The nsds5ReplicaReleaseTimeout setting prevents the monopolization of
replicas during initial or busy master-master replication. 389-DS
documentation suggets a timeout of 60 seconds to improve convergence of
replicas.
See: http://directory.fedoraproject.org/docs/389ds/design/repl-conv-design.html
Fixes: https://pagure.io/freeipa/issue/7488
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Fix typo in dependencies and require release of python-ldap.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
test_ipap11helper no longer changes directory for the entire test suite.
The fix revealed a bug in another test suite. test_secrets now uses a
proper temporary directory.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
According to a comment, certutil may create files in the current working
directory. Rather than changing the cwd of the current process,
FreeIPA's certutil wrapper now changes cwd for the subprocess only.
See: https://pagure.io/freeipa/issue/7416
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
In replica DL1 installation, the --ip-address option was not passed
down to the ipa-client-install script (when not promoting client).
This resulted in creating DNS records for all of the host's interface
IP adresses instead of just those specified.
This patch passes all the --ip-address options down to the client
installation script.
https://pagure.io/freeipa/issue/7405
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Without ldap_uri, IPAKEMKeys parses /etc/ipa/default.conf. During
uninstallation, the file may no longer contain ldap_uri. This workaround
is required for test case
test_replica_promotion.py::TestReplicaPromotionLevel0::test_promotion_disabled
Fixes: https://pagure.io/freeipa/issue/7474
Co-authored-by: Felipe Barreto <fbarreto@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
The modules ipaclient.csrgen and ipaclient.csrgen_ffi are expensive to load,
but rarely used. On demand loading speeds up ipa CLI by about 200ms.
Fixes: https://pagure.io/freeipa/issue/7484
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
When there was no ntp-server option specified configuration
of chrony was skipped even in case that there was ntp-pool
option passed to the installation of client/server.
Moved duplicates of prints from client to server.
Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Moves chrony enablement and sync attempt to new method
so chrony will be enabled even when not configured.
Add logger info about skipping configuration to client's
installation when not on master and -N is used.
Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
FreeIPA will always force chrony service and disable any
other conflicting time synchronization daemon.
Add --ntp-server option to server manpage and note to NTP pool option.
Addresses: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Remove NTP server role from config.py.
Remove uneccesary variables and replaced untrack_file with restore_file.
Update typo in manpages and messages printed while installing.
Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Removing ntpd configuration files and entry from LDAP.
Add parameter and rename method for restoring forced time
services. Addressing some requests for change too.
Remove unused path for chrony-helper.
Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
FreeIPA Server and Client now support option for chrony
configuration --ntp-pool.
This option may be used with option --ntp-server.
Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This will change behaviour that FreeIPA server will be no more
ntpd server and time service is no longer part of FreeIPA topology.
As dependency for ntpd was completely removed, and there is only
dependency for chrony, FreeIPA will configure every host to
became chronyd service's clients.
FreeIPA have not supported --ntp-server option now it must to
support client configuration of chrony.
Configuration of chrony is moved to client-install therefore
NTP related options are now passed to the ipa-client-install
script method sync_time which now handles configuration of chrony.
Server installation has to configure chrony before handling
certificates so there is call to configure chrony outside of
using server's statestore and filestore.
Removed behavior that there is always --no-ntp option set.
Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Completely remove ipaserver/install/ntpinstance.py
This is no longer needed as chrony client configuration
is now handled in ipa-client-install.
Part of ipclient/install/client.py related to ntp configuration
has been refactored a bit to not lookup for srv records
and/or run chrony if not necessary.
Addresses: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
These tests are all skipped if there is no YAML configuration
file passed but the teardown method is always called and since
there is a reference to the Config object this blows up if just
ipa-run-tests is executed.
Look at the config and break out if no domains are set.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
AD related tests, which aren't require all set of AD machines
were skipped with error msg: Not enough resources configured.
Changed hard coded number of AD machines to use.
Reviewed-By: Aleksei Slaikovskii <aslaikov@redhat.com>
On CPUs with AVX-512 instruction set, ntpd sometimes segfaults because
PTHREAD_STACK_MIN is too small. The bug has been fixed in
glibc-2.26-24.fc27.x86_64 or later.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1564527
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
Add close_all_dialogs(),change assert_last_dialog_details() method
to assert_last_error_dialog() to make it more generic and tweak
add_record() method to skip asserts so we can assert later.
We are also changing assert_record_value() to accept list of values
and adding select_multiple_records().
https://pagure.io/freeipa/issue/7463
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
test_topology_updated_on_replica_install_remove from the beginning used
invalid sequence of commands for removing a replica.
Proper order is:
master$ ipa server-del $REPLICA
replica$ ipa-server-install --uninstall
Alternatively usage of `ipa-replica-manage del $replica` instead of
`ipa server-del $replica` is possible. In essence ipa-replica-manage
calls the server-del command.
At some point there was a plan to achieve uninstalation only through
`ipa-server-install --uninstall` but that was never achieved to this
date.
This change also removes the ugly wrapper which makes test collection
fail if no environment config is provided (i.e. replicas cannot be
indexed).
$ pytest --collect-test ipatests/test_integration
https://pagure.io/freeipa/issue/6250
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ctypes.util.find_library() is costly and slows down startup of ipa CLI.
ipaplatform.redhat.tasks now defers loading of librpm until its needed.
CFFI has been replaced with ctypes, too.
See: https://pagure.io/freeipa/issue/6851
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
test_ipauser_authentication is failing with error: "Confidentiality required"
Password operation must be performed over a secure connection
To start TLS encryption added -ZZ option, in order to be connection successful
https://pagure.io/freeipa/issue/7470
Reviewed-By: Aleksei Slaikovskii <aslaikov@redhat.com>
The installer now checks that port 8080 is available and not in use by
any other application.
The port checker has been rewritten to use bind() rather than just
checking if a server responds on localhost. It's much more reliable and
detects more problems.
Original patch by m3gat0nn4ge.
Co-authored-by: Mega Tonnage <m3gat0nn4ge@gmail.com>
Fixes: https://pagure.io/freeipa/issue/7415
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The pki debug log has its name in this format: debug.<date>.log. This commit
changes the code to use this format, fixing the test.
Unfortunately, it's not possible to use some kind of regex (like debug.*.log)
to get the file, because python multihost gets the path and tries to open
(using the "open" python function) the file with that.
https://pagure.io/freeipa/issue/7095
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
When installing ipa in interactive mode, it's necessary to provide the
hostname. This will make the test pass.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The authconfig command from authselect-compat-0.3.2-1 does not support
backup and restore at all. Temporarily disable backup and restore of
auth config to fix broken ipa-backup.
Fixes: https://pagure.io/freeipa/issue/7478
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
test_host.py::test_host::test_crud fails in nightly tests in delete record
step.
It started to fail probably after commit 4295df17a4
which changed host-add behavior into showing a warning message about DNS resolution
instead of raising an error. This warning notification stays displayed for some
time, as all longer, notifications. By being open it takes some area on the page.
Given that webui tests proceeds quicker than a user, the notification can
cover some elements.
The test fails because web driver cannot click on an element which is covered
by the notification. In this case, it cannot open a deleter dialog.
So the fix is to close the notification(s). This is OK since a user would do
it as well if it was in a way.
This kind of issue is harder to reproduce when testing locally because
most people uses screen resolution 1920x1200 or full HD. PR-CI uses
1400x1200 for web ui testing.
/usr/bin/Xvfb $DISPLAY -ac -noreset -screen 0 1400x1200x8
So alternative fix would be to change resolution used by the PR-CI. Combination
of both could be the best.
https://pagure.io/freeipa/issue/7468
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
Due to optimizations in 389-ds performed as result of
https://pagure.io/389-ds-base/issue/49372, LDAP search filter
is rewritten to include parentID information. It implies that parentID
has to be readable for a bound identity performing the search. This is
what 389-ds expects right now but FreeIPA DS instance does not allow it.
As result, searches with a one-level scope fail to return results that
otherwise are matched in a sub scope search.
While 389-ds developers are working on the fix for issue
https://pagure.io/389-ds-base/issue/49617, we can fix it by adding an
explicit ACI to allow reading parentID attribute at the suffix level.
Fixes: https://pagure.io/freeipa/issue/7466
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
