For backward compatibility, the values are converted to unicode, unless the
attribute is binary or the conversion fails.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Also return list of primary keys instead of a single unicode CSV value from
LDAPDelete-based commands.
This introduces a new capability 'primary_key_types' for backward
compatibility with old clients.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
In legacy client integration test, the test cases that query information
from subdomain about subdomain users and group expected subdomain
users and groups to have the UIDs/GIDs as users and groups in the root
domain.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
When creating a BaseHost instance, the machine's hostname was
reconfigured to have the same shortname prepended the domain name
of the domain where it was defined.
However, it makes sense in certain use cases to define hosts
that have hostnames other than belonging directly in the domain
they were defined in.
Treat input hostnames with trailing dots as static FQDNs that
will not be changed by the name of the domain they were defined in.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Unlike other objects, the ticket policy is stored in different
subtrees: global policy in cn=kerberos and per-user policy in
cn=users,cn=accounts.
Add two permissions, one for each location.
Also, modify tests so that adding new permissions in cn=users
doesn't cause failures.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Since realmdomains is only one entry, _show with --all will return
the ACI on it. Add it to expected output.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
When serial numbers were generated with $RANDOM, there
could be collisions.
Use sequential numbers instead.
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
automember-rebuild uses asynchronous 389 task, and returned
success even if the task didn't run. this patch fixes this
issue adding a --nowait parameter to 'ipa automember-rebuild',
defaulting to False, thus when the script runs without it,
it waits for the 'nstaskexitcode' attribute, which means
the task has finished. Old usage can be enabled using --nowait,
and returns the DN of the task for further polling.
New tests added also.
https://fedorahosted.org/freeipa/ticket/4239
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Replace all IPA.command, IPA.batch_command and IPA.concurrent_command usages
by equivalents from rpc module.
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
In test_trust.py, several tests did case sensitive search on the output of
the ipa idrange-show command. This could cause false negatives.
Part of: https://fedorahosted.org/freeipa/ticket/4267
Reviewed-By: Martin Kosek <mkosek@redhat.com>
The ":" character will be reserved for default permissions, so that
users cannot create a permission with a name that will later be
added as a default.
Allow the ":" character modifying/deleting permissions*, but not
when creating them. Also do not allow the new name to contain ":"
when renaming.
(* modify/delete have unrelated restrictions on managed permissions)
Reviewed-By: Martin Kosek <mkosek@redhat.com>
The test that searches with a limit of 1 assumes a specific order
LDAP returns entries in. Future patches will change this order.
Do not check the specific entry returned.
The test that searched for --bindtype assumed that no anonymous
permissions exist in a clean install. Again, this will be changed
in future patches.
Add a name to the bindtype test, and add a negatitive test to
verify the filtering works.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This allows code like:
from ipalib.plugins.dns import dnszone_mod
api.Command[dnszone_mod]
This form should be preferred when getting specific objects
because it ensures that the appropriate plugin is imported.
https://fedorahosted.org/freeipa/ticket/4185
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Host adder dialog differs on installations with and without DNS.
Previous test used values for adding hosts which were suitable only for IPA servers installed with DNS.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Information from the AD about the home directories is not leveraged at
all, but is generated from the username and domain. Fix the assumptions
in the tests.
Also changes 'Subdomain Test User' to 'Subdomaintest User' to be more
consistent.
https://fedorahosted.org/freeipa/ticket/4184
Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
If the test backup directory was never created (for example if
there was an early failure, or install was never run),
we don't want the test to fail.
Do not restore if the backup dir is not there.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
checkboxes and radio buttons:
- do not change color on hover when disabled
- are focusable and checkable be keyboard again. This uses a little
trick where the real checkbox is hidden under the artificial
checkbox. That way it has the same position and therefore it
works even in containers with overflow set.
https://fedorahosted.org/freeipa/ticket/4217
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
Previously, setting/deleting the "--type" virtual attribute removed
all (objectclass=...) target filters.
Change so that only the filter associated with --type is removed.
The same change applies to --memberof: only filters associated
with the option are removed when --memberof is (un-)set.
Follow-up to https://fedorahosted.org/freeipa/ticket/4216
Reviewed-By: Martin Kosek <mkosek@redhat.com>
The extratargetfilter behaves exactly like targetfilter, so that e.g.
ipa permission-find --filter=(objectclass=ipausergroup)
finds all permissions with that filter in the ACI.
Part of the work for https://fedorahosted.org/freeipa/ticket/4216
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Since extratargetfilter is shown by default, change it to also have
the "default" (i.e. shorter) option name.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
The --filter, --type, and --memberof options interact in a way that's
difficult to recreate in the UI: type and memberof are "views" on the
filter, they affect it and are affected by it
Add a "extratagretfilter" view that only contains the filters
not linked to type or memberof.
Show extra target filter, and not the full target filter, by default;
show both with --all, and full filter only with --raw.
Write support will be added in a subsequent patch.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4216
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Use basic math rather than timezone conversion to get
minutes and seconds.
Break out the message generation into a small tested function.
https://fedorahosted.org/freeipa/ticket/4242
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
this patch implements:
- output_formatter in field. It should be used in par with formatter. Formatter serves for datasource->widget conversion, output_formatter for widget->datasource format conversion.
- datetime module which parses/format strings in subset of ISO 8601 and LDAP generalized time format to Date.
- utc formatter replaced with new datetime formatter
- datetime_validator introduced
- new datetime field, extension of text field, which by default uses datetime formatter and validator
Dojo was regenerated to include dojo/string module
https://fedorahosted.org/freeipa/ticket/4194
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
Using the in-tree binary makes testing outside the source tree
impossible.
Use ipa-getkeytab from $PATH, and add the directory to $PATH when
running the in-tree tests.
Part of the work for https://fedorahosted.org/freeipa/ticket/3654
Reviewed-By: Martin Kosek <mkosek@redhat.com>
LDAPUpdate adds the display-only 'attributelevelrights' attribute,
which doesn't exist in LDAP. Remove it before reverting entry.
https://fedorahosted.org/freeipa/ticket/4212
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Replace the make-testcert command with a module that creates
the certificate when it is first needed.
As a result the tests are more self-contained, and can be run from
a read-only location (such as installed from a system package).
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Using the input environment saved in self._session_env
outside of the config loading meant that methods of
configuration other than environment variables wouldn't
be possible.
Restructure the roles/extra_roles to not depend on _session_env.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3938
Reviewed-By: Tomas Babej <tbabej@redhat.com>
In the parameters system, we have been checking for a positive list of values
which get converted to None. The problem is that this method can in some
cases throw warnings when type coercion doesn't work (particularly, string
to unicode). Instead, any values that evaluate to False that are neither
numeric nor boolean should be converted to None.
Reviewed-By: Jan Pazdziora <jpazdziora@redhat.com>
When restoring files from backup, we do use an incorrect order of
operations - we first restore SELinux context and then copy the
files from backup, when we need to do the exact opposite.
https://fedorahosted.org/freeipa/ticket/4133
Reviewed-By: Jan Pazdziora <jpazdziora@redhat.com>
This class was built into the framework from its early days but it's
not used anywhere.
Remove it along with its tests
https://fedorahosted.org/freeipa/ticket/3460
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Change the target filter to be multivalued.
Make the `type` option on permissions set location and an
(objectclass=...) targetfilter, instead of location and target.
Make changing or unsetting `type` remove existing
(objectclass=...) targetfilters only, and similarly,
changing/unsetting `memberof` to remove (memberof=...) only.
Update tests
Part of the work for: https://fedorahosted.org/freeipa/ticket/4074
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Older versions of dnspython have problems with implicit values for
size and h/v precision so our tests use explicit value.
See https://github.com/rthalley/dnspython/issues/47
This change is necessary because we want to test if data visible
over DNS protocol matches data visible over LDAP.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
This adds support for managed permissions. The attribute list
of these is computed from the "default" (modifiable only internally),
"allowed", and "excluded" lists. This makes it possible to cleanly
merge updated IPA defaults and user changes on upgrades.
The default managed permissions are to be added in a future patch.
For now they can only be created manually (see test_managed_permissions).
Tests included.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4033
Design: http://www.freeipa.org/page/V3/Managed_Read_permissions
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Sometimes, we will want to do more than just call IPA commands and
check the output. This patch makes it possible to add arbitrary
functions to Declarative tests. They will be called as part of
the sequence of tests.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
In the non-posix tests on the legacy clients, the testuser does not
belong to the testgroup (since this is represented by the NIS
group membership).
Relax the regular expression check for the output of the id testuser.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The hardcoded values for the home directories for the AD users did
not properly scale up from the POSIX attrs only test scanario.
When using POSIX attrs, the home dir is returned as whatever is set
in the AD (/home/username by default). Without using POSIX attributes,
the /home/domain/username form is taken by default.
Refactor the tests to take this behaviour into account.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Adds test cases for:
* getent subdomain user on legacy client
* getent subdomain group on legacy client
* getent id subdomain user on legacy client
* ssh into legacy client with subdomain user
* ssh into legacy client with disabled subdomain user
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
In the integration tests, we do not stop the sssd service
before deleting the cache, but rather start it. We need
to stop sssd before deleting the cache.
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
When we add the disabledipauser during the setup class part of the
BaseTestLegacyClient, we need to make sure that we re-kinit admin
since we do ntpsync with the AD just before that, which can render
the previous ticket invalid.
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
When the host is down, the preparation of the host fails. This
produces misleading errors, since the test framework reports that
the actual command being executed failed, when in fact (in case
of SSHTransport), the cause of failure was unability to establish
a SSH session.
https://fedorahosted.org/freeipa/ticket/4132
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Adds test cases for legacy client support with IPA that has estabilish
trust with AD that does not leverage POSIX attributes defined on AD.
https://fedorahosted.org/freeipa/ticket/4134
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Restoring backup files and restoring their context were two separate commands,
what means that in case we use SSHTrasport, which creates a separate SSH
session for each command, we try to restore the SELinux context of the
changed files in a new session.
This causes problems, if the access to files themselves are necessary
for the creation of the new SSH session.
https://fedorahosted.org/freeipa/ticket/4133
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
All the hosts in the domain have IPA master set as their only
nameserver. However, the IPA master does not create records for
these machines by default. This is not an big issue for clients
or replicas, since those records do get created in other ways,
but external hosts using their internal hostnames will not resolve.
Adds an A record for each host in master's domain.
https://fedorahosted.org/freeipa/ticket/4130
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
The integration test for legacy clients used incorrectly "test group"
instead of "testgroup" as group used on AD for test purposes. This
is inconsistent with the usage of "testuser".
https://fedorahosted.org/freeipa/ticket/4131
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
When legacy client tests fail during IPA installation, the legacy
client test produces an additional misleading error
(the real cause is reported as well). This happens due the fact
that we try to cleanup host that was not yet defined. We need to
check for this attribute being defined before unapplying fixes there.
https://fedorahosted.org/freeipa/ticket/4124
Sudo calls are not necessary since we log in as a root. Additionally,
sudo requires tty in default configuration, which is not acquired
when using OpenSSH transport.
https://fedorahosted.org/freeipa/ticket/4125
Both the password plugin and the kdb driver code automatically fall
back to the default password policy.
so stop adding an explicit reference to user objects and instead rely on the
fallback.
This way users created via the framework and users created via winsync plugin
behave the same way wrt password policies and no surprises will happen.
Also in case we need to change the default password policy DN this will allow
just code changes instead of having to change each user entry created, and
distinguish between the default policy and explicit admin changes.
Related: https://fedorahosted.org/freeipa/ticket/4085
When creating a host with a password we don't set a Kerberos
principal or add the Kerberos objectclasses. Those get added when the
host is enrolled. If one passed in --password= (so no password) then
we incorrectly thought the user was in fact setting a password, so the
principal and objectclasses weren't updated.
https://fedorahosted.org/freeipa/ticket/4102
To double-check the ACIs are correct, this uses different code
than the new permission plugin: the aci_show command.
A new option, location, is added to the command to support
these checks.
The driver only checked if the corresponding value was in the config, so
no_dns: False
had the same effect as
no_dns: True
Change the check to take the value into consideration.
This makes false-y values like False (from YAML) and empty string
(from environment) work as if the value was not specified.
The framework had a concept of external hostnames,
which the controller uses to contact the test machines,
but they were not loaded from configuration.
Load external names from configuration.
This makes tests pass in setups where internal and external
hostnames are different, and the internal hostnames are not
initially resolvable from the controller.
Modify ipalib.rpc to support JSON-RPC in addition to XML-RPC.
This is done by subclassing and extending xmlrpclib, because
our existing code relies on xmlrpclib internals.
The URI to use is given in the new jsonrpc_uri env variable. When
it is not given, it is generated from xmlrpc_uri by replacing
/xml with /json.
The rpc_json_uri env variable existed before, but was unused,
undocumented and not set the install scripts.
This patch removes it in favor of jsonrpc_uri (for consistency
with xmlrpc_uri).
Add the rpc_protocol env variable to control the protocol
IPA uses. rpc_protocol defaults to 'jsonrpc', but may be changed
to 'xmlrpc'.
Make backend.Executioner and tests use the backend specified by
rpc_protocol.
For compatibility with unwrap_xml, decoding JSON now gives tuples
instead of lists.
Design: http://freeipa.org/page/V3/JSON-RPC
Ticket: https://fedorahosted.org/freeipa/ticket/3299
This object will allow splitting large translatable strings into more
pieces, so translators don't have to re-translate the entire text
when a small part changes.
https://fedorahosted.org/freeipa/ticket/3587
This is achieved by storing both decoded and encoded attribute values in
LDAPEntry and synchronizing changes between them whenever an attribute is
accessed.
Added a new property "raw" to LDAPEntry. It provides a dictionary-like
object which can be used to directly access encoded attribute values.
https://fedorahosted.org/freeipa/ticket/3521
Adds support for host definition by a environment variables of the
following form:
ROLE_<keyword>_envX, where X is the number of the environment
for which host referenced by a role <keyword> should be defined.
Adds a required_extra_roles attribute to the IntegrationTest class,
which can test developer use to specify the extra roles that this
particular test requires. If not all required extra roles are
available, the test will be skipped.
All extra (and static) roles are accessible to the IntegrationTests
via the host_by_role method, which returns a host of given role.
Part of: https://fedorahosted.org/freeipa/ticket/3833
The rename tests use names that were not being cleaned up when the
tests fail. Add cleanup steps for them.
Also, use --force so system permissions are removed as well.
The integration tests must wait for replication to happen before checking
results. In some cases, the tests have failed because the checks that
detect completed replication were insufficient.
This fixes the code to:
- Wait for replication to be completed on both servers
- In the case of an error, continue waiting -- it might be the case that
the DS is temporarily unreachable
When trying to create a new ordered test case by inheriting
from already defined test case, by overriding few of its methods,
the execution order of the tests is as follows:
- first all non-overriden test methods from the parent test class
- then all overriden tests methods
This patch makes sure that methods are executed in the logical order,
that is, the order defined in the parent class.
