Commit Graph

15290 Commits

Author SHA1 Message Date
Alexander Bokovoy
10b4e131a1 doc: migrate to m2r2 and newer sphinx, add plantuml to venv
m2r project was forked to m2r2 which is actively developed.
m2r2 works with new Sphinx versions.

Update our list of documentation requirements and add support for
plantuml to be able to integrate diagrams.

Fixes: https://pagure.io/freeipa/issue/9148

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2022-05-04 09:36:40 +03:00
Florence Blanc-Renaud
a10a48e1ec ipatests: update the expected sha256sum of epn.conf file
The file epn.conf has been updated when fixing issue 9145
and the test test_epn.py::TestEPN::test_EPN_config_file
is comparing its sha256sum with the checksum of the
shipped file from the package ipa-client-epn.

The expected checksum needs to be updated.

Fixes: https://pagure.io/freeipa/issue/9146
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-05-02 16:11:04 -04:00
Florence Blanc-Renaud
300f62f72b EPN: document missing option msg_subject
In /etc/ipa/epn.conf it is possible to customize the
e-mail subject by setting msg_subject=<value> but this
setting is not documented in the man page.

Add the options in epn.conf man page and in the template.

Fixes: https://pagure.io/freeipa/issue/9145
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-04-29 13:56:19 -04:00
Antonio Torres
9d88a2fde7
Update list of contributors
Signed-off-by: Antonio Torres <antorres@redhat.com>
2022-04-26 16:45:30 +02:00
Antonio Torres
73dbda47e8
Update translations to FreeIPA master state
Signed-off-by: Antonio Torres <antorres@redhat.com>
2022-04-26 16:33:58 +02:00
Florence Blanc-Renaud
fbfd64fc2b ipatests: fix wrong condition in xfail_context for auto private grp
The tests
TestNonPosixAutoPrivateGroup::test_idoverride_with_auto_private_group
and
TestPosixAutoPrivateGroup::test_gidnumber_not_corresponding_existing_group
are expected to fail until SSSD fixes issues 5988 and 5989.
They currently define an xfail_context with a condition based on
sssd version but that condition is wrong (as of today, no version
of sssd provides the fix).

Remove the wrong condition so that the test is always expected to fail.

Fixes: https://pagure.io/freeipa/issue/9141
Reviewed-By: Anuja More <amore@redhat.com>
2022-04-25 09:04:17 +02:00
Armando Neto
c780504d47
ipatests: bump PR-CI rawhide template
Based on compose `20220413.n.0`.

Issue: https://github.com/freeipa/freeipa-pr-ci/issues/457

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-04-24 21:13:26 -03:00
Alexander Bokovoy
599792e863 ipatests: collect samba logs when setting up trust to AD
In many cases it is impossible to investigate test failures of
environments where a trust to Active Directory is establishe without
Samba logs.

Collect Samba logs by default and make sure Samba is configured with
higher log levels if we are going to configure IPA to setup trust to
Active Directory.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-04-13 18:37:12 +02:00
Alexander Bokovoy
4a95661686 ipa-sam: retrieve trusted domain account credential from the TDO itself
When NRPC netr_ServerAuthenticate3 call is performed, a trusted AD DC
would use trusted domain account to authenticate to Samba. This means
that Samba would do internally samr_QueryUserInfo2 request with level 16
(UserControlInformation), coming to PDB module via pdb_getsampwsid()
call.

For normal user or workstation accounts we expect to have Kerberos keys
available and may be able to extract NTLM hash data from them. However,
trusted domain account is not a normal Kebreros principal. It stores TDO
credential in a different way. Since we never processed it through the
pdb_getsampwsid() call, it was not possible to retrieve the NTLM hash
for TDO account at all, hence netr_ServerAuthenticate3 call was failing.

NTLM hash is used internally in Samba. An external communication with AD
DC will use an AES-based session key that is derived from the TDO
credential. The credential itself can  be treated as a plaintext here.

Fix it by adding a recognition of the trusted domain object account and
retrieve the NTLM hash from the correct attribute of the TDO.

Fixes: https://pagure.io/freeipa/issue/9134

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-04-13 18:37:12 +02:00
Alexander Bokovoy
5638bdcb85 ipa-pwd-extop: allow ipasam to request RC4-HMAC in Kerberos keys for trusted domain objects
This is a problem since we added commit b5fbbd1 in 2019. Its logic
allowed to add RC4-HMAC keys for cifs/.. service principal but it didn't
account for the case when cifs/.. principal initiates the request.

Since ipasam only uses GETKEYTAB control, provide this extension only
here and don't allow the same for SETKEYTAB. At the point of check for
the bind DN, we already have verified that the DN is allowed to write to
the krbPrincipalKey attribute so there is no leap of faith to 'any
cifs/... principal' here.

A principal must be member of cn=adtrust
agents,cn=sysaccounts,cn=etc,$SUFFIX to allow perform this operation

Fixes: https://pagure.io/freeipa/issue/9134

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-04-13 18:37:12 +02:00
Mohammad Rizwan
10046ffb33 ipatests: extend find_segment with suffix param
topologysegment name can be different depending on suffix.
This patch determines and supply the name of topologysgement
as per the suffix

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-04-07 14:19:28 +02:00
Mohammad Rizwan
4514e8090a ipatests: fix the topologysegment-reinitialize command
There is no guarantee for the topologysegement name, it could be
master-to-replica or replica-to-master. If it is master-to-replica
then --right should be used with the command else --left.

Fixes: https://pagure.io/freeipa/issue/9137

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-04-07 14:19:28 +02:00
Sumit Bose
f91e9d3fd4 ipa-kdb: fix make check
The recent refactoring split out code into two new files which are
needed for the test binary as well.

Related: https://pagure.io/freeipa/issue/9083
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-03-29 14:01:29 -04:00
Alexander Bokovoy
27ab21658b ipatests: fix check for AD topology being present
Fixes: https://pagure.io/freeipa/issue/9133

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-03-28 16:34:04 +03:00
Alexander Bokovoy
5a42ab115e tests: ensure AD-SUPPORT subpolicy is active in more cases
Continuation of the commit 2eee5931d7:

    Use AD-SUPPORT subpolicy when testing trust to Active Directory in FIPS
    mode. This is required in FIPS mode due to AD not supporting Kerberos
    AES-bases encryption types using FIPS-compliant PBKDF2 and KDF, as
    defined in RFC 8009.

Fixes: https://pagure.io/freeipa/issue/9119

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
2022-03-25 10:23:38 +01:00
Sudhir Menon
67488d2342 ipatests: Test for pki.server.healthcheck.clones.connectivity_and_data
This test checks that when
'pki.server.healthcheck.clones.connectivity_and_data' check is run
'Source 'pki.server.healthcheck.clones.connectivity_and_data' not found'
is not displayed.

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2041995

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-03-22 08:37:51 +01:00
Florence Blanc-Renaud
e32bfd44ee ipatests: Fix a call to run_command with wildcard
The test is calling run_command with a list of arguments:
run_command(['rm', '-f', paths.CERTMONGER_REQUESTS_DIR + '/*'])
but this format does not support shell expansion.

Replace with a str parameter:
run_command('rm -fv' + paths.CERTMONGER_REQUESTS_DIR + '/*')

to make sure all the files in the directory are actually removed.

Fixes: https://pagure.io/freeipa/issue/8506
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-19 11:20:50 +01:00
Florence Blanc-Renaud
52ec9cc027 ipatests: remove certmonger tracking before uninstall
test_ipahealthcheck_expiring is moving the date in the future
in order to check that certmonger properly warns about expiring
certificates, then uninstalls the master.

The uninstallation randomly fails with a DBus error communicating
with certmonger because of a contention between certmonger being
waken up by the call to stop tracking certs and the certmonger
helpers trying to renew the certs.

The test is stopping PKI server, then moves the date in the future.
At this point, certmonger is still running (we are testing that
getcert list properly warns about near expiration). This means that
chances are high that certmonger has enough time to launch the CA helper
for renewal, that takes the lock. But since PKI is down, the helper
remains running for a while and does not release the lock. Then
certmonger is stopped, the tracking files are removed, certmonger is
restarted.

To avoid the contention, manually remove the tracking before
calling uninstall and remove the renewal lock file.

Fixes: https://pagure.io/freeipa/issue/9123
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-19 11:20:50 +01:00
Rob Crittenden
a283735fbf Remove the --no-sssd option from ipa-client-automount
This makes automount configurable only using sssd and not LDAP.
The reason is that authselect 1.3 no longer supports
user-nsswitch.conf which is where we made direct changes to the
nss configuration on Fedora/RHEL.

The equivalent option was removed from ipa-client-install in
https://pagure.io/freeipa/issue/7671

Fixes: https://pagure.io/freeipa/issue/9084

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-03-18 09:40:37 +01:00
Alexander Bokovoy
d237c40b2c ipalib/util.py: switch to ssl.PROTOCOL_TLS_CLIENT by default
Python 3.10 deprecated ssl.PROTOCOL_TLS and ssl.PROTOCOL_SSLv23
constants which were aliases to each other. Use of them now causes a
warning to be displayed:

/usr/lib/python3.10/site-packages/ipalib/util.py:347: DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
  ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

Use ssl.PROTOCOL_TLS_CLIENT instead, this constant is available since
Python 3.6.

Fixes: https://pagure.io/freeipa/issue/9129

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-17 11:49:57 -04:00
Rob Crittenden
fe9be8c4a1 Convert values using _SYNTAX_MAPPING with --delattr
When an entry is loaded the incoming values are converted
into python datatypes automatically based on the _SYNTAX_MAPPING
value in ipaldap.

When using delattr to remove a mapped value it will fail because
the datatypes do not match up. For example date types are
datetime.datetime structions and won't match a generalized time
string.

So try to map the value to delete using _SYNTAX_MAPPING before
trying to remove the value. Fall back to trying to remove the
raw value if the mapping fails.

This won't work for some mapping types, DNs for example. Providing
only the RDN value for a DN-type, manager for example, lacks the
context to know how to construct the DN (RDN and contaner).

Fixes: https://pagure.io/freeipa/issue/9004

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-03-16 12:18:35 +02:00
Mohammad Rizwan
5a909cff8d ipatests: Check maxlife error message where minlife > maxlife specified
When minlife > maxlife specified on commandline, it says:
"ipa: ERROR: invalid 'maxlife': Maximum password life must be
greater than minimum."

But when minlife == maxlife specfied, It works.
This test check that error message says what exactly it does

related: https://pagure.io/freeipa/issue/9038

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-03-16 12:17:08 +02:00
Francisco Trivino
b8f45fc689 Set AES as default for KRA archival wrapping
This commit sets AES-128-CBC as default wrapping algorithm as
TripleDES (des-ede3-cbc) is not supported anymore in C9S.

Fixes: https://pagure.io/freeipa/issue/6524

Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2022-03-16 12:07:01 +02:00
Christian Heimes
40c362e1ee Support AES for KRA archival wrapping
The vault plugin has used TripleDES (des-ede3-cbc) as default wrapping
algorithm since the plugin was introduced. Allow use of AES-128-CBC as
alternative wrapping algorithm for transport of secrets.

Fixes: https://pagure.io/freeipa/issue/6524

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2022-03-16 12:07:01 +02:00
Alexander Bokovoy
517ae594e1 test_krbtpolicy: skip SPAKE-related tests in FIPS mode
SPAKE is based on the crypto primitives which are not FIPS compliant
yet. This means that in FIPS mode use of 'hardened' authentication
indicator is not possible. Skip corresponding tests in FIPS mode.

Related: https://pagure.io/freeipa/issue/9119

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2022-03-16 11:14:35 +02:00
Alexander Bokovoy
621af275c3 test_otp: do not use paramiko unless it is really needed
paramiko cannot be used in FIPS mode. We have few tests that import
generic methods from test_otp (add_token/del_token) and those tests fail
in FIPS mode due to unconditional 'import paramiko'.

Instead, move 'import paramiko' to the ssh_2f() helper which is not used
in FIPS mode (the whole SSH 2FA test is skipped then).

Related: https://pagure.io/freeipa/issue/9119

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2022-03-16 11:14:35 +02:00
Alexander Bokovoy
a6030f5f53 Kerberos instance: default to AES256-SHA2 for master key encryption
KDC configuration in /var/kerberos/krb5kdc/kdc.conf is generated from
the template in install/share/kdc.conf.template. Master key encryption
type specified there is used to bootstrap the master key in LDAP
database. Once it is done, actual deployment does not rely on the
master_key_type value anymore. The actual master key(s) get loaded from
LDAP database where they stored in a BER-encoded format, preserving all
parameters, including encryption type.

This means we can safely migrate to AES256-SHA2 as the default master
key encryption type for new installations. Replicas will get their
master key encryption type details from the server they were provisioned
from.

MIT Kerberos supports AES256-SHA2 since 1.15 (2015), meaning RHEL 7.4 is
the earliest supported version as it provides krb5 1.15.1. Current
supported RHEL 7 version is RHEL 7.9. Since RHEL 6 already cannot be
used as a replica to IPA 4.5+ due to a domain level 1 upgrade, this
change does not affect old releases.

Migration from the previously deployed master key encryption type is
described by MIT Kerberos upstream in
http://web.mit.edu/kerberos/krb5-latest/doc/admin/advanced/retiring-des.html#the-database-master-key

One would need to use '-x ipa-setup-override-restrictions' to allow
the `kdb5_util` utility to modify the data over IPA KDB driver.

Fixes: https://pagure.io/freeipa/issue/9119

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2022-03-16 11:14:35 +02:00
Sumit Bose
c37a033b8a extdom: user getorigby{user|group}name if available
New calls, getorigbyusername() and getorigbygroupname(), are added to
libsss_nss_idmap. They allow to query the AD specific attributes for a
user or a group directly. Besides a minor performance benefit it helps
to avoid issues if there are users and groups with the same name and the
group is not a user-private group but a real group with members.

Fixes: https://pagure.io/freeipa/issue/9127
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-03-16 11:08:39 +02:00
Rob Crittenden
9ac88216a0 ipatests: Give the subCA more time to be loaded by the CA
The subCA keys are loaded out-of-band after creation into the
CA so they may have been replicated but not loaded. Give more
time for them to appear in the remote CA.

Use a loop for the checking instead of a raw sleep because most
of the time this is very fast (< 15 seconds) but sometimes it
requires just a bit more. Allow up to 60 seconds.

To avoid output difference, strip the token name out of certutil
output. We don't care about the token a certificate is stored
in, the internal or the FIPS token. We just care that they exist
on both servers and that the keys match.

Apparently in some cases the token name is displayed and not in
others so lets normalize the output to make comparisons more
consistent.

Fixes: https://pagure.io/freeipa/issue/9096

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2022-03-15 08:36:18 +01:00
Fraser Tweedale
4bdecd55e3 allow overriding systemd-tmpfiles program
In some contexts, filesystem mounts may be owned by unmapped users
(e.g. `emptyDir` mounts in Kubernetes / OpenShift when using user
namespaces).  This causes `systemd-tmpfiles(8)` to fail, as a
consequence of systemd's path processing routines which reject this
scenario.  Therefore, in Fedora container context, if the
`IPA_TMPFILES_PROG` environment value is set, use the program
specified by its value instead of `/bin/systemd-tmpfiles`.

Signed-off-by: Fraser Tweedale <ftweedal@redhat.com>
Fixes: https://pagure.io/freeipa/issue/9126
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-14 13:06:17 -04:00
Stanislav Levin
575b3a2115 azure: Bump supported Pylint
Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
bcc6361c48 pylint: Skip false-positive invalid-sequence-index
Pylint doesn't handle flow control and thus, doesn't understand
that a key of type `str` is not reachable at this point:

> ipalib/base.py:472: [E1126(invalid-sequence-index),
  NameSpace.__getitem__] Sequence index is not an int, slice, or instance
  with __index__)

Note: I faced this error on Python3.9 and didn't see it using
Python3.10.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
5a00882eab pylint: Fix useless-suppression
Cleanup up no longer used Pylint's disables where possible.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
ac6fe016c6 pylint: Fix format-string-without-interpolation
Found by new Pylint:
> ipaclient/install/client.py:1926:
[W1310(format-string-without-interpolation), get_ca_certs] Using
formatting for a string that does not have any interpolated variables)

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
f416abe559 pylint: Skip unsupported-assignment-operation
Pylint thinks that the values are None because doesn't support
flow analysis.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
feab723c59 pylint: Fix deprecated-method for threading
As of Python3 `currentThread`, `thread.getName` are aliases for
`threading.current_thread()` and `threading.Thread.name`
respectively.

In Python3.10:
> bpo-43723: The following threading methods are now deprecated and
  should be replaced:
  currentThread => threading.current_thread()
  activeCount => threading.active_count()
  Condition.notifyAll => threading.Condition.notify_all()
  Event.isSet => threading.Event.is_set()
  Thread.setName => threading.Thread.name
  thread.getName => threading.Thread.name
  Thread.isDaemon => threading.Thread.daemon
  Thread.setDaemon => threading.Thread.daemon

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
adc7b7cc0b pylint: Skip deprecated-method for match_hostname
Python3.7 switched to
`X509_VERIFY_PARAM_set1_host`/`X509_VERIFY_PARAM_set1_ip`
and deprecated `match_hostname` without replacement. Probably,
on removal `match_hostname` the similar functionality may be
implemented on IPA side.

https://docs.python.org/3/library/ssl.html#ssl.match_hostname

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
42ff1e0fc2 pylint: Fix consider-using-in
Pylint 2.11.0 extends consider-using-in check to work for
attribute access.

> To check if a variable is equal to one of many values,combine the
  values into a tuple and check if the variable is contained "in" it
  instead of checking for equality against each of the values.This
  is faster and less verbose.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
baf68ef37c pylint: Fix arguments-renamed
Pylint 2.9.0 introduced new checker which was a subset of
arguments-differ:

> Used when a method parameter has a different name than in the
  implemented interface or in an overridden method.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
8383e60b2f pylint: Skip use-implicit-booleaness-not-comparison
Pylint 2.12.0 introduced new checker:
> Used when Pylint detects that collection literal comparison is being
  used to check for emptiness; Use implicit booleaness insteadof a
  collection classes; empty collections are considered as false

Comparison of variable to equality to collection:
> Lexicographical comparison between built-in collections works as follows:
  For two collections to compare equal, they must be of the same type,
  have the same length, and each pair of corresponding elements must
  compare equal (for example, [1,2] == (1,2) is false because the type is
  not the same).
  Collections that support order comparison are ordered the same as their
  first unequal elements (for example, [1,2,x] <= [1,2,y] has the same
  value as x <= y). If a corresponding element does not exist, the shorter
  collection is ordered first (for example, [1,2] < [1,2,3] is true).

So, `assert value == {}` is not the same as `assert not value`.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
57ee7d38e9 pylint: Enable useless-suppression
https://pylint.pycqa.org/en/latest/user_guide/message-control.html#detecting-useless-disables:

> As pylint gets better and false positives are removed, disables that
  became useless can accumulate and clutter the code. In order to clean
  them you can enable the useless-suppression warning.

This doesn't enforce useless-suppression warnings as errors. The idea is
cleanup of these warings on every Pylint's bump.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
df3c40fd34 pylint: Skip raising-bad-type
See https://github.com/PyCQA/pylint/issues/4772 for details.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
851f6d48ac pylint: Fix consider-using-dict-items
Pylint 2.9 introduced new check:
> New checker consider-using-dict-items. Emitted when iterating over
dictionary keys and then indexing the same dictionary with the key
within loop body.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
f9d0fc8a8c pylint: Skip not-callable
The klass property is referenced to class attribute.
Today's Pylint doesn't support this.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
ba95a377b0 pylint: Fix unused-variable
Fixed newly exposed unused variables.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
a1f0f2743d pylint: Fix no-member
Teach pylint or skip newly exposed no-members.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
e096478752 pylint: Skip isinstance-second-argument-not-valid-type
The type of value to be compared is class attribute.
Today's Pylint doesn't support this.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
31a9eb3783 pylint: Fix deprecated-decorator
Pylint 2.9 introduced new checker:
> The decorator is marked as deprecated and will be removed in the
  future.

- @abstractproperty has been deprecated since Python3.3 [0]
- @abstractclassmethod has been deprecated since Python3.3 [1]

[0]: https://docs.python.org/3/library/abc.html#abc.abstractproperty
[1]: https://docs.python.org/3/library/abc.html#abc.abstractclassmethod

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
516adf40f8 pylint: Fix unnecessary-dict-index-lookup
Pylint 2.9 introduced new check:
> Emitted when iterating over the dictionary items (key-item pairs) and
accessing the value by index lookup. The value can be accessed directly
instead.

Note: in Python3 removing from dict during an iteration is not
possible even. For example,
```
cat a.py
d = {"a": 1}

for k, v in d.items():
    if v is not None:
        del d[k]

python3 a.py
Traceback (most recent call last):
  File "/usr/src/RPM/BUILD/freeipa/a.py", line 3, in <module>
    for k, v in d.items():
RuntimeError: dictionary changed size during iteration
```

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
139f6b63b1 pylint: Fix deprecated-class
There is no actual usage of deprecated classes for Python3.
Pylint complains about such for Python2. Since Python2 is no
longer supported these imports were removed.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00