Commit Graph

15973 Commits

Author SHA1 Message Date
Francisco Trivino
4cc6b9cd17 Vault: improve vault server archival/retrieval calls error handling
If a vault operation fails, the error message just says "InternalError". This commit
improves error handling of key archival and retrieval calls by catching the PKIException
error and raising it as an IPA error.

Related: https://pagure.io/freeipa/issue/9191

Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-01-30 10:18:02 -05:00
Francisco Trivino
2d0a088f93 Vault: add support for RSA-OAEP wrapping algo
None of the FIPS certified modules in RHEL support PKCS#1 v1.5 as FIPS
approved mechanism. This commit adds support for RSA-OAEP padding as a
fallback.

Fixes: https://pagure.io/freeipa/issue/9191

Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-01-30 10:18:02 -05:00
Alexander Bokovoy
d4ffc53b2a doc/designs/id-mapping.md: expand on ID range allocation details
Related: https://pagure.io/freeipa/issue/9477

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-01-30 10:11:47 -05:00
Julien Rische
75afdfea5d ipa-kdb: Fix memory leak during PAC verification
Commit 0022bd70d9 introduced a memory leak
during the copy of some PAC buffers, because of an unfreed memory
allocation context.

Fixes: https://pagure.io/freeipa/issue/9520

Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-01-30 07:50:19 +01:00
Stanislav Levin
9802e852cb ipapython: Propagate KRB5Error exceptions on iterating ccache
`ipapython.session_storage.get_data` iterates over
credentials in a credential cache till `krb5_cc_next_cred` returns
an error. This function doesn't expect any error on calling
other kerberos foreign functions during iteration. But that can
actually happen and KRB5Error exceptions stop an iteration while
they should be propagated.

With this change iteration will exactly stop on `krb5_cc_next_cred`
error as it was supposed to be.

Fixes: https://pagure.io/freeipa/issue/9519
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-01-30 07:43:57 +01:00
Stanislav Levin
6cd04875de ipapython: Correct return type of krb5_free_cred_contents
According to https://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/api/krb5_free_cred_contents.html

> krb5_free_cred_contents - Free the contents of a krb5_creds structure.
>
> void krb5_free_cred_contents(krb5_context context, krb5_creds * val)
> param:
> [in] context - Library context
>
> [in] val - Credential structure to free contents of
>
> This function frees the contents of val , but not the structure itself.

5b00197227/src/lib/krb5/krb/kfree.c (L166)

This leads to undefined behavior and `krb5_free_cred_contents` can
raise KRB5Error (because of garbage data) while actually its foreign
function doesn't.

Fixes: https://pagure.io/freeipa/issue/9519
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-01-30 07:43:57 +01:00
Stanislav Levin
d002a4d7c9 ipapython: Clean up krb5_error
`krb5_error` has different definition in MIT krb.
https://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/types/krb5_error.html

> Error message structure.
>
> Declaration:
> typedef struct _krb5_error krb5_error

While `krb5_error_code`
https://web.mit.edu/kerberos/www/krb5-latest/doc/appdev/refs/types/krb5_error_code.html#c.krb5_error_code

> krb5_error_code
> Used to convey an operation status.
>
> The value 0 indicates success; any other values are com_err codes. Use krb5_get_error_message() to obtain a string describing the error.
>
> Declaration
> typedef krb5_int32 krb5_error_code

And this is what was actually used.

To prevent confusion of types `krb5_error` was replaced with
`krb5_error_code`.

Fixes: https://pagure.io/freeipa/issue/9519
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-01-30 07:43:57 +01:00
Christian Heimes
22875ea2c6 test_acme: Use ipalib.x509
Use IPA's x509 module instead of `cryptography.x509`. This fixes a
regression which was introduced in commit a45a7a20.

Related: https://pagure.io/freeipa/issue/9518
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2024-01-25 18:07:20 +01:00
Christian Heimes
a45a7a20d9 Compatibility fix for PyCA cryptography 42.0.0
Cryptography 42.0.0 introduced two new abstract properties
`not_valid_before_utc` and `not_valid_after_utc`, which are non-naive UTC
variants of the `not_valid_before` and `not_valid_after` properties.

The old properties are deprecated. The changeset also modifies code and
tests to use the new `_utc` variants.

Fixes: https://pagure.io/freeipa/issue/9518
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-01-24 14:54:24 +01:00
Rob Crittenden
e6014a5c19 Server affinity: call ca.install() if there is a CA in the topology
This should not have been gated on options.setup_ca because we need
the RA agent on all servers if there is a CA in the topology otherwise
the non-CA servers won't be able to communicate with the CA.

Fixes: https://pagure.io/freeipa/issue/9510

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-01-23 16:32:58 +01:00
Alexander Bokovoy
5adc07ae55 doc/Makefile: run sphinx in serial mode
Unfortunately, using pydata_sphinx_theme extension generates warnings in
sphix processing. These warnings cause documentation build to be
considered a failure:

WARNING: the pydata_sphinx_theme extension is not safe for parallel writing
WARNING: doing serial write
....
build finished with problems, 2 warnings.
make: *** [Makefile:24: html] Error 1

Since the build is already doing a serial write, enforce it from start.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2024-01-23 13:19:37 +01:00
Alexander Bokovoy
e399232a78 ipasam: make krbtgt TDO principal canonical
For the trusted domain object for remote realm, we have to use
krbtgt/REMOTE-FLAT-NAME@OUR-REALM as a canonical name.

Fixes: https://pagure.io/freeipa/issue/9471

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2024-01-23 13:19:37 +01:00
Masahiro Matsuya
c740cb84ba ipatests: wait for replica update in test_dns_locations
test_ipa_ca_records and test_adtrust_system_records can fail with
NXDOMAIN, because it doesn't wait enough for the update on replica.
It can be resolved by waiting for the update with wait_for_replication.

Fixes: https://pagure.io/freeipa/issue/9504
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-01-23 07:57:56 +01:00
Rob Crittenden
3645543670 Server affinity: Don't rely just on [ca|kra]_enabled for installs
ca_enable and kra_enabled are intended to be used to identify that
a CA or KRA is available in the topology. It was also being used
to determine whether a CA or KRA service is desired on a replica
install, rather than options.setup_[ca|kra]

Fixes: https://pagure.io/freeipa/issue/9510

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-01-18 11:51:18 +01:00
Alexander Bokovoy
9b456101a3 adtrustinstance: make sure NetBIOS name defaults are set properly
Some tools may pass None as NetBIOS name if not put explicitly by a
user. This meant to use default NetBIOS name generator based on the
domain (realm) name. However, this wasn't done properly, so None is
passed later to python-ldap and it rejects such LDAP entry.

Fixes: https://pagure.io/freeipa/issue/9514

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-01-17 19:32:47 +01:00
Florence Blanc-Renaud
717ae87a75 Nightly tests: test on f38 and f39
Fedora 39 is now officically available. Update the test definitions:
- lastest now uses f39
- previous now uses f38

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2024-01-12 18:46:41 -05:00
Alexander Bokovoy
a5d38ca171 host: update System: Manage Host Keytab permission
Since commit 5c0e7a5fb4, a new extended
operation to get a keytab is supposed to be used. This keytab
setting/retrieval extended operation checks access rights of the bound
DN to write to a virtual attribute 'ipaProtectedOperation;write_keys'.

If the write isn't allowed, the operation is rejected and ipa-getkeytab
tool falls back to an older code that generates the keytab on the client
and forcibly sets to the LDAP entry. For the latter, a check is done to
make sure the bound DN is allowed to write to 'krbPrincipalKey' attribute.

This fallback should never happen for newer deployments. When enrollemnt
operation is delegated to non-administrative user with the help of 'Host
Enrollment' role, a host can be pre-created or created at enrollment
time, if this non-administrative user has 'Host Administrators' role. In
the latter case a system permission 'System: Manage Host Keytab' grants
write access to 'krbPrincipalKey' attribute but lacks any access to the
virtual attributes expected by the new extended operation.

There is a second virtual attribute, 'ipaProtectedOperation;read_keys',
that allows to retrieve existing keys for a host. However, during
initial enrollment we do not allow to retrieve and reuse existing
Kerberos key: while 'ipa-getkeytab -r' would give ability to retrieve
the existing key, 'ipa-join' has no way to trigger that operation.
Hence, permission 'System: Manage Host Keytab' will not grant the right
to read the Kerberos key via extended operation used by 'ipa-getkeytab
-r'. Such operation can be done later by utilizing 'ipa
service/host-allow-retrieve-keytab' commands.

Fix 'System: Manage Host Keytab' permission and extend a permission test
to see that we do not fallback to the old extended operation.

Fixes: https://pagure.io/freeipa/issue/9496

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-01-12 18:41:01 -05:00
Carla Martinez
2874823c12
ipatests: test new columns in group details
Test for checking the new columns 'givenname', 'sn' and 'nsaccountlock'.

Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Carla Martinez <carlmart@redhat.com>
2024-01-12 15:26:45 +01:00
007hacky007
49c090b976
webui: Unify user group members columns with users columns
Adds 'givenname', 'sn' and 'nsaccountlock' columns to the user group members
and makes columns in the users view and user group members unified.
i.e. Makes easy to see disabled users in the group.

Fixes: https://pagure.io/freeipa/issue/9390
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Carla Martinez <carlmart@redhat.com>
2024-01-12 15:26:45 +01:00
zoedong
2c0fe1dd92 ipaplatform: add opencloudos/tencentos support
Fixes:https://pagure.io/freeipa/issue/9501

Signed-off-by: zoedong <zoedong@tencent.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-01-12 08:36:20 -05:00
Rob Crittenden
e5a9e46138 get_directive: don't error out on substring mismatch
This function is designed to retrieve a value from an
ini-like file. In particular PKI CS.cfg.

In an attempt to be more efficient a substring search,
using startswith(), is used before calling a regular
expression match.

The problem is that if the requested directive is a
substring of a different one then it will pass the
startswith() and fail the regular expression match
with a ValueError, assuming it is malformed.

There is no need for this. The caller must be able to
handle None as a response anyway. So continue if
no match is found.

This was seen when PKI dropped storing certificate blobs
in CS.cfg. The CA certificate is stored in ca.signing.cert.
If it isn't present then ca.signing.certnickname will match
the substring but not the directive. This should not be
treated as an error.

Fixes: https://pagure.io/freeipa/issue/9506

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-01-11 17:19:47 +01:00
Rob Crittenden
2a95a05f9e Server affinity: Retain user-requested remote server
We want to avoid splitting a replica server installation between
two hosts where possible so if a CA or KRA is requested then
we only try to install against a remote server that also provides
those capabilities. This avoids race conditions.

If a CA or KRA is not requested and the user has provided a
server to install against then use that instead of overriding it.

Extend the logic of picking the remote Custodia mode
(KRA, CA, *MASTER*) to include considering whether the
CA and KRA services are requested. If the service(s) are
not requested the the associated hostname may not be
reliable.

Fixes: https://pagure.io/freeipa/issue/9491
Related: https://pagure.io/freeipa/issue/9289

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-01-11 17:15:53 +01:00
Rob Crittenden
54fb1173f9 ipa-client-automount: Don't use deprecated ipadiscovery.IPADiscovery
This class was moved to ipaclient/discovery.py in e6d560af66 to make
it available to PyPI.

Related: https://pagure.io/freeipa/issue/9487

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2024-01-11 17:13:35 +01:00
Rob Crittenden
ce811db6be ipatests: Test client install/uninstall with automount enabled
The automount installation was failing. Confirm that it is fixed.

The uninstall was not restoring all files/configuration. Verify
that the index and state files are gone which means that all state
and files were restored.

Fixes: https://pagure.io/freeipa/issue/9487

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2024-01-11 17:13:35 +01:00
Rob Crittenden
e4420624ff Fix ipa-client-automount install/uninstall with new install states
Issue 8384 introduced a new installation state for the statestore
to identify when client/server installation is completely finished
rather than relying on has_files().

The problem is that ipa-client-automount may be called during
ipa-client-install and since installation is not complete at that
point the automount install was failing with "IPA client not
configured".

Add a new state, 'automount', to designate that automount installation
is in process. If check_client_configuration() fails it checks to
see if [installation] automount is True. If so it continues with the
installation.

This also addresses an issue where the filestore and statestore are
shared between the client and automount installers but the client
wasn't refreshing state after automount completed. This resulted in
an incomplete state and index file of backed-up files which caused
files to not be restored on uninstall and the state file to be
orphaned.

Fixes: https://pagure.io/freeipa/issue/9487

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2024-01-11 17:13:35 +01:00
Sudhir Menon
8ef3d6ce5c ipatests: Skip ds_encryption tests on RHEL9 SUT.
test_ipahealthcheck_ds_encryption tests are failing
in RHEL9 SUT because in this test tls protocol version
is set to TLS1.0 using the below command, but its
reset to TLS1.2 causing the test to fail.

'dsconf', 'slapd-TESTREALM-TEST', 'security', 'set', '--tls-protocol-min=TLS1.0'

Hence the test is skipped to be run on RHEL9.0 SUT.

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-01-10 14:58:49 -05:00
Rob Crittenden
a44cb09713 ACME: Don't treat pki-server ca-config-show failures as fatal
Up to PKI 11.5.0 even when a pki-server call failed it had a
return value of 0. This was fixed in 11.5.0 which breaks
ipa-acme-manage pruning. If a configuration value is not set
then the call fails and the tool gives up with an error like:

ERROR: No such parameter: jobsScheduler.job.pruning.certRetentionUnit

In previous versions this resulted in an empty string so the tool
displayed the default value.

So now upon failure look in the stderr output for "No such parameter"
and return an empty string so the behavior is consistent between
both old and new PKI server versions.

Fixes: https://pagure.io/freeipa/issue/9503

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-01-10 13:35:51 -05:00
Rob Crittenden
86b073a7f0
Integration tests for verifying Referer header in the UI
Validate that the change_password and login_password endpoints
verify the HTTP Referer header. There is some overlap in the
tests: belt and suspenders.

All endpoints except session/login_x509 are covered, sometimes
having to rely on expected bad results (see the i18n endpoint).

session/login_x509 is not tested yet as it requires significant
additional setup in order to associate a user certificate with
a user entry, etc.

This can be manually verified by modifying /etc/httpd/conf.d/ipa.conf
and adding:

Satisfy Any
Require all granted

Then comment out Auth and SSLVerify, etc. and restart httpd.

With a valid Referer will fail with a 401 and log that there is no
KRB5CCNAME. This comes after the referer check.

With an invalid Referer it will fail with a 400 Bad Request as
expected.

CVE-2023-5455

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
2024-01-10 10:27:06 +01:00
Rob Crittenden
13778d88ca
Check the HTTP Referer header on all requests
The referer was only checked in WSGIExecutioner classes:

 - jsonserver
 - KerberosWSGIExecutioner
 - xmlserver
 - jsonserver_kerb

This left /i18n_messages, /session/login_kerberos,
/session/login_x509, /session/login_password,
/session/change_password and /session/sync_token unprotected
against CSRF attacks.

CVE-2023-5455

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
2024-01-10 10:26:51 +01:00
Rob Crittenden
11877d5903 Include supported migration scenarios in the ipa-to-ipa docs
Lay out the supported migration paths. Users are likely to get
creative with migration so we need to narrow the path for which
we can provide support.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-01-09 16:15:23 -05:00
Florence Blanc-Renaud
bf1110bda1 Tox: use sitepackages
Tox is creating a virtual environment before execution.
With python 3.12 the virtual env does not include any
more setuptools, so use setuptools from the globally
installed packages.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-01-09 08:40:47 +01:00
Florence Blanc-Renaud
8d7bd6c6ab pylint: fix errors
Fix the following errors:
I0021(useless-suppression)
R1710(inconsistent-return-statements)
E1101(no-member)

Ignore the following errors:
E0601(used-before-assignment)
The variable is imported when the code is run in_server.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-01-09 08:40:47 +01:00
Florence Blanc-Renaud
7f485ba7dc pylint: disable new checks
pylint 3.0 introduces new checks that raise too many errors:
    use-implicit-booleaness-not-comparison-to-string,
    use-implicit-booleaness-not-comparison-to-zero,
    broad-exception-raised,
Disable the new checks in pylintrc

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-01-09 08:40:47 +01:00
Florence Blanc-Renaud
020af153db pylint: updates related to deprecations
pylint 3.0 has deprectated a few functions:
- check_messages: Use utils.only_required_for_messages
- The config attribute of BaseChecker has been deprecated. You can
use checker.linter.config to access the global configuration object
instead of a checker-specific object
- Everything related to the __implements__ construct was removed.
- Checker should only inherit BaseChecker or any of the other checker
types from pylint.checkers.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-01-09 08:40:47 +01:00
Florence Blanc-Renaud
8981ede1a2 azure tests: move to fedora 39
Update python3 to ensure the fix for BZ 2252567 is pulled.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-01-09 08:40:47 +01:00
Alexander Bokovoy
c3bc938650
ipatests: make sure PKINIT enrollment works with a strict policy
Previously, for a global policy which does not include
'password', krb5kdc restart was failing. Now it should succeed.

We set admin user authentication type to PASSWORD to simplify
configuration in the test.

What matters here is that global policy does not include PKINIT and that
means a code in the ticket policy check will allow PKINIT implicitly
rather than explicitly.

Related: https://pagure.io/freeipa/issue/9485

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2023-12-22 10:34:19 +01:00
Alexander Bokovoy
62c44c9e69
ipa-kdb: clarify user auth table mapping use of _AUTH_PASSWORD
Related: https://pagure.io/freeipa/issue/9485

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2023-12-22 10:34:19 +01:00
Alexander Bokovoy
69ae9febfb
ipa-kdb: when applying ticket policy, do not deny PKINIT
PKINIT differs from other pre-authentication methods by the fact that it
can be matched indepedently of the user authentication types via certmap
plugin in KDC.

Since PKINIT is a strong authentication method, allow its authentication
indicator and only apply the ticket policy.

Fixes: https://pagure.io/freeipa/issue/9485

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2023-12-22 10:34:19 +01:00
Alexander Bokovoy
00f8ddbfd2
ipa-kdb: add better detection of allowed user auth type
If default user authentication type is set to a list that does not
include a password or a hardened credential, the resulting configuration
might be incorrect for special service principals, including a krbtgt/..
one.

Add detection of special principals to avoid these situations and always
allow password or hardened for services.

Special handling is needed for the following principals:

 - krbtgt/..       -- TGT service principals
 - K/M             -- master key principal
 - kadmin/changepw -- service for changing passwords
 - kadmin/kadmin   -- kadmin service principal
 - kadmin/history  -- key used to encrypt history

Additionally, implicitly allow password or hardened credential use for
IPA services and IPA hosts since applications typically use keytabs for
that purpose.

Fixes: https://pagure.io/freeipa/issue/9485

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2023-12-22 10:34:19 +01:00
Thorsten Scherf
821259f069 ipa-client: Check if IPA CA cert is empty
IPA CA file should not be used when file is empty.

Fixes: https://pagure.io/freeipa/issue/9499
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-12-19 16:24:19 +01:00
Florence Blanc-Renaud
a177121af6 ipatests: disable dnssec validation in tests using dnf
The 2 following tests rely on dnf install and use
mirrors.fedoraproject.org which has a broken trust chain.
Disable dnssec validation so that dnf succeeds.

Fixes: https://pagure.io/freeipa/issue/9498

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-12-19 14:59:42 +01:00
Rob Crittenden
d1e09c68af ipatests: Verify that hbactest will return messages
Limit the sizelimit of the hbactest request to confirm that
the output includes a SearchResultTruncated message.

Fixes: https://pagure.io/freeipa/issue/9486

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-12-19 12:58:50 +01:00
Rob Crittenden
48846e98e5 hbactest was not collecting or returning messages
hbactest does a number of internal searches, one of which
can exceed the configured sizelimit: hbacrule-find

Collect any messages returned from thsi call and display them
to the user on the cli.

Fixes: https://pagure.io/freeipa/issue/9486

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-12-19 12:58:50 +01:00
Endi S. Dewata
dc2ab91681 Remove unused pki_theme_* params
The pki_theme_enable and pki_theme_server_dir params are not
used by pkispawn so they can be removed.

Signed-off-by: Endi Sukma Dewata <edewata@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-12-19 12:51:46 +01:00
Mark Reynolds
6d3d191825 Issue 9497 - update debug logging in ipa_uuid
Fixes: https://pagure.io/freeipa/issue/9497

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-12-14 09:24:46 +01:00
Mark Reynolds
0007876f42 Issue 9497 - update debug logging in ipa-pwd-extop
Fixes: https://pagure.io/freeipa/issue/9497

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-12-14 09:24:46 +01:00
Mark Reynolds
6cd5a0847a Issue 9497 - update debug logging in ipa_otp_lasttoken
Fixes: https://pagure.io/freeipa/issue/9497

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-12-14 09:24:46 +01:00
Mark Reynolds
2a1d454c74 Issue 9497 - update debug logging in ipa_otp_counter
Fixes: https://pagure.io/freeipa/issue/9497

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-12-14 09:24:46 +01:00
Mark Reynolds
79b08556a4 Issue 9497 - update debug logging in ipa_modrdn
Fixes: https://pagure.io/freeipa/issue/9497

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-12-14 09:24:46 +01:00
Mark Reynolds
23ead1dc23 Issue 9497 - update debug logging in ipa_lockout
Fixes: https://pagure.io/freeipa/issue/9497

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-12-14 09:24:46 +01:00