A bunch of certplugin tests were testing number of revoked certificates with
various revocation reasons. Since existence of revoked certificates often
depends on other parts of IdM than IPA, it is not really valid to check their
presence unless creation of revoked certificate is intentionally tested.
https://fedorahosted.org/freeipa/ticket/6349
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
When the admin runs ipa-cacert-manage install, he should also run
ipa-certupdate on master/replicas/clients in order to update the
certificates databases.
The man page should mention this requirement, and also clarify that
"install" command does not replace IPA CA but rather installs an
additional trusted CA.
https://fedorahosted.org/freeipa/ticket/6381
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Parameters test fails because of KeyError caused by improper manipulation with
kwargs in Param.__init__ method. During initialization, if kwargs['required']
or kwargs['multivalue'] is None, it is delete from dictionary and hence the
missing key. Small change of the condition prevents this from happening.
Partially fixes https://fedorahosted.org/freeipa/ticket/6292
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Add commentary to 'ca' plugin documentation to explain what happens
when a CA gets deleted - namely, that its signing cert gets revoked
and its private key deleted.
Also break the docstring up into smaller chunks to aid translation.
Fixes: https://fedorahosted.org/freeipa/ticket/6256
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add a parser check to verify config file supplied to the ipa
command exists. Previously, invalid file paths would not results
in any error and would just silently proceed with default config.
https://fedorahosted.org/freeipa/ticket/6114
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
In at least one case, when an LDAP socket closes, a read event is fired
rather than an error event. Without this patch, ipa-otpd silently
ignores this event and enters a state where all bind auths fail.
To remedy this problem, we pass error events along the same path as read
events. Should the actual read fail, we exit.
https://bugzilla.redhat.com/show_bug.cgi?id=1377858https://fedorahosted.org/freeipa/ticket/6368
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This is to prevent situations when installer prints
CRITICAL Failed to load ....ldif
and continues just to crash later on because of non-existing LDAP container
or so on.
Reviewed-By: Martin Basti <mbasti@redhat.com>
The code which handles configuration of mod_nss module must be more robust
when handling NSS nicknames generated from subject names containing quoted RDN
values.
https://fedorahosted.org/freeipa/ticket/5809
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Functions `escape_seq` and `unescape_seq` have a generic use-case so it makes
sense to move them from `kerberos` to ipautil module so that other modules can
reuse them more readily.
https://fedorahosted.org/freeipa/ticket/5809
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
When user is logged in and opens details page of another user there should not
be visible button for adding new certificate and also the option in action menu
for deleting certificate should be grayed out.
This is achieved by adding custom field for certificates widget, which is able to
read ACLs from result of user-show and not from cert-find result.
https://fedorahosted.org/freeipa/ticket/6341
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Unused variables may:
* make code less readable
* create dead code
* potentialy hide issues/errors
Enabled check should prevent to leave unused variable in code
Check is locally disabled for modules that fix is not clear or easy or have too many occurences of
unused variables
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This commit removes or marks unused variables as "expected to be unused"
by using '_' prefix.
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This commit removes unused variables or rename variables as "expected to
be unused" by using "_" prefix.
This covers only cases where fix was easy or only one unused variable
was in a module
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
When the command ipa dnsforwardzone-add is invoked without
specifying the forwarder as an argument and the forward
policy is not set to none, prompt for DNS forwarder.
https://fedorahosted.org/freeipa/ticket/6169
Reviewed-By: Petr Spacek <pspacek@redhat.com>
`common.Continuous` class is a basis for uninstallers, which should execute
all the steps regardless of occuring errors. However, we would like the
installer to raise exceptions and return non-zero exit code during validation
phase when some preconditions are not met.
Add a separate exception handler which catches exceptions and logs them as
errors during execution phase only.
https://fedorahosted.org/freeipa/ticket/5725
Reviewed-By: Petr Spacek <pspacek@redhat.com>
It is not obvious how to add SELinux type and role transitions to a
Sudo rule. Update the 'sudorule' plugin documentation with examples
of how to do this.
Fixes: https://fedorahosted.org/freeipa/ticket/3461
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
the global keyword should be used only when variable from outside is
assigned inside, otherwise it has no effect and just confuses developers
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
It looks that pylint stopped printing false positive errors for
cyclic-import check, thus check can be enabled.
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
When removing all host/service certificates via host/service-mod
--certificate=, the removed certificates should be revoked, but they
are not. Examine whether the --certificate option was provided to
determine whether certs should be revoked, instead of looking for a
cert list in the options (which in this case is empty).
Fixes: https://fedorahosted.org/freeipa/ticket/6305
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
