Commit Graph

13376 Commits

François Cami
438094f868 DSU: add Design for Disable Stale Users
Add disable-stale-users.md: feature document for the upcoming DSU feature.

Fixes: https://pagure.io/freeipa/issue/8104
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-11-23 00:12:24 +01:00
Rob Crittenden
c02cc93c14 Add integration test for Kerberos ticket policy
This also exercises the Authentication Indicator Kerberos ticket
policy options by testing a specific indicator type.

Related: https://pagure.io/freeipa/issue/8001

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-11-21 11:13:12 -05:00
Alexander Bokovoy
c5f32165d6 Add Authentication Indicator Kerberos ticket policy options
For the authentication indicators 'otp', 'radius', 'pkinit', and
'hardened', allow specifying maximum ticket life and maximum renewable
age in Kerberos ticket policy.

The policy extensions are now loaded when Kerberos principal data is
requested by the KDC and evaluated in the AS_REQ KDC policy check. If one of
the authentication indicators mentioned above is present in the AS_REQ, the
corresponding policy is applied to the ticket.

Related: https://pagure.io/freeipa/issue/8001

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-11-21 11:13:12 -05:00
Alexander Bokovoy
9db6f65a85 Allow presence of LDAP attribute options
LDAP attribute options aren't enforced in the LDAP schema. They
represent server- and client-side treatment of attribute values but the
schema definition knows nothing about them.

When we check attribute presence in the entry, we should strip options
before comparing attribute names with the schema.

Related: https://pagure.io/freeipa/issue/8001
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-11-21 11:13:12 -05:00
Serhii Tsymbaliuk
7f6b1c99f0 WebUI: Fix notification area layout
The fix prevents blocking elements on the right side near the notification area.
The notification area now has a fixed width and isn't offset.
Also, the notification icon is aligned to the notification text.

Ticket: https://pagure.io/freeipa/issue/8120

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2019-11-21 16:44:11 +01:00
Cédric Jeanneret
ae256fa524 Update selinux-policy minimal requirement
Since 6c27104467 we need a new selinux
policy in order to ensure /etc/named directory content has the correct
selinux flags.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2019-11-20 17:12:34 -05:00
Christian Heimes
b216701d9a Show group-add/remove-member-manager failures
Commands like ipa group-add-member-manager now show permission
errors on failed operations.

Fixes: https://pagure.io/freeipa/issue/8122
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-11-20 17:08:40 +01:00
Alexander Bokovoy
ba466a8021 Do not run trust upgrade code if master lacks Samba bindings
If a replica has no Samba bindings but there are trust agreements
configured on some trust controller, skip trust upgrade code on this
replica.

Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-11-20 16:19:00 +01:00
Florence Blanc-Renaud
7893fb9cb1 test_ipalib: add test for DNParam class
A single-valued DNParam parameter must not accept multiple values. Add a test
checking the behavior for single-valued and multivalued DNParam.

Related: https://pagure.io/freeipa/issue/8097
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-11-20 11:15:28 +01:00
Florence Blanc-Renaud
ecdd7dae19 XMLRPCtest: add a test for add-certmapdata with multiple subject/issuer
ipa user-add-certmapdata defines --issuer and --subject as single valued.
Add a test checking that this is enforced.

Related: https://pagure.io/freeipa/issue/8097
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-11-20 11:15:28 +01:00
Florence Blanc-Renaud
e08a6de6af DNParam: raise Exception when multiple values provided to a 1-val param
When ipa user-add-certmapdata is called with multiple --subject or
multiple --issuer, the DNParam's _convert_scalar method is called with
a tuple containing all the params and should raise an exception as the
--subject and --issuer are single-value params.

The DNParam _convert_scalar method internally calls the DN init method,
and the DN init method is able to create a DN from a tuple of RDNs.
As such, it won't raise an exception if a tuple/list is provided.

Check that _convert_scalar is only provided a single element.

Fixes: https://pagure.io/freeipa/issue/8097
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-11-20 11:15:28 +01:00
Serhii Tsymbaliuk
c0b0c6b4b5 WebUI: Fix adding member manager for groups and host groups
- fix API method call for adding member manager
- fix regressions in host group associated tables

Ticket: https://pagure.io/freeipa/issue/8123

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-11-19 13:31:08 +01:00
Armando Neto
e536824425 prci: bump template version for temp_commit and nightly_latest
Commit cd887a48b5 did that for gating; this commit bumps the version for
the remaining definitions.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-11-14 12:03:36 -03:00
Christian Heimes
8124b1bd4c Test installation with (fake) userspace FIPS
Based on userspace FIPS mode by Ondrej Moris.

Userspace FIPS mode fakes a kernel in FIPS enforcing mode. User space
programs behave as if the kernel had been booted in FIPS enforcing mode. Kernel
space code still runs in standard mode.

Fixes: https://pagure.io/freeipa/issue/8118
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-11-14 16:01:15 +01:00
Francisco Trivino
cd887a48b5 prci: bump template version and fix test_smb gating definition
Template used: https://app.vagrantup.com/freeipa/boxes/ci-master-f31/versions/0.0.2
with installed packages updated.

This commit also replaces `fedora-30` with `fedora-latest` for the test_smb gating definition.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2019-11-14 13:09:24 +01:00
Alexander Bokovoy
d243c188f2 Update contributors
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
2019-11-12 20:49:18 +02:00
Alexander Bokovoy
d317fd4de7 Update translations
Add Portuguese translation

Reviewed-By: Armando Neto <abiagion@redhat.com>
2019-11-12 17:08:43 +02:00
Armando Neto
99d6845dbe prci: bump fedora release
Fedora 31 is the latest release, Fedora 30 is now the previous release.

New template boxes were built for the current test definitions with
updated dependencies.

Boxes were generated after https://github.com/freeipa/freeipa-pr-ci/pull/321

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-11-12 09:16:11 -03:00
Armando Neto
c62bd1608e prci: rename definitions files and jobs to change how fedora releases are referenced
Replacing `fedora-30` with `fedora-latest` and `fedora-29` with `fedora-previous` will
reduce the changes required for new releases of Fedora.

Future changes would only require updating the name and version of the template used.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-11-12 09:16:11 -03:00
Christian Heimes
97a31e69e8 Use default ssh host key algorithms
ipa-client-install no longer overrides SSH client settings for
HostKeyAlgorithms. It's no longer necessary to configure
HostKeyAlgorithms. The setting was disabling modern algorithms and
enabled a weak algorithm that is blocked in FIPS code.

The ipa-client package removes IPA's custom HostKeyAlgorithm from
/etc/ssh/ssh_config during package update. Non-IPA settings are not
touched.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1756432
Fixes: https://pagure.io/freeipa/issue/8082
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-11-12 12:26:49 +01:00
Cédric Jeanneret
6c27104467 Prevent DNS amplification attacks and allow customizing named
While [1] did open recursion, it also opened a wide security flaw.

This patch intends to close it back, while allowing operators to easily
add their open configuration within Bind9.

In order to allow operators to still open Bind recursion, a new file is
introduced, "ipa-ext.conf" (path might change according to the OS). This
file is not managed by the installer, meaning changes to it won't be
overridden.
Since it's included at the very end of the main configuration file, it
also allows overriding some defaults - of course, operators have to be
careful with that.

Related-Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1754530
Fixes: https://pagure.io/freeipa/issue/8079

[1] 5f4c75eb28

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2019-11-12 10:49:49 +02:00
Sergey Orlov
f58fb573d1 ipatests: enable test_smb.py in gating.yaml
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-11-11 15:09:23 +01:00
Sergey Orlov
c2b230ce64 ipatests: replace ad hoc backup with FileBackup helper
Test test_smb_mount_and_access_by_different_users was failing with the message
```
kdestroy: Permission denied while initializing krb5
```

This happened because the previous test
`test_smb_access_for_ad_user_at_ipa_client` was calling the fixture
`enable_smb_client_dns_lookup_kdc`, which was backing up krb5.conf
in the wrong way:
- mktemp (to create a temp file)
- cp /etc/krb5.conf to the temp file
- ...
- mv tempfile /etc/krb5.conf

This flow loses the file permissions, because mktemp creates a file
using the default umask, which results in -rw------- permissions.
The copy does not modify the permissions, and the mv keeps the
permissions from the source => /etc/krb5.conf now has -rw-------.

Fixes: https://pagure.io/freeipa/issue/8115
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-11-11 15:09:23 +01:00
Sergey Orlov
72540c4233 ipatests: refactor FileBackup helper
* `cp` now preserves all attributes of original file, there is no reason
  to select only some of them
* backup is now restored with `mv` instead of `cp` to avoid leaving junk

Related to: https://pagure.io/freeipa/issue/8115

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-11-11 15:09:23 +01:00
Christian Heimes
0f4c41ab26 Add tests for member management
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-11-11 09:31:14 +01:00
Christian Heimes
f0a1f084b6 Add group membership management
A group membership manager is a user or a group that can add members to
a group or remove members from a group or host group.

Fixes: https://pagure.io/freeipa/issue/8114
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-11-11 09:31:14 +01:00
Florence Blanc-Renaud
87c24ebd34 smartcard: make the ipa-advise script compatible with authselect/authconfig
"ipa-advise config-client-for-smart-card-auth" is run on a server and
creates a script that needs to be copied and executed on a client.
The client may be of a different version and use authconfig instead of
authselect. The generated script must be able to handle both cases
(client using authselect or client using authconfig).

The patch checks whether authselect is available and calls the proper
configuration command (authselect or authconfig) depending on its
availability on the client.

Fixes: https://pagure.io/freeipa/issue/8113
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-11-08 12:57:54 +01:00
Rob Crittenden
3593e53622 Conditionally restart certmonger after client installation
If certmonger is running prior to client installation then its
IPA CA configuration will be incomplete and missing the CA chain.

If a certificate is subsequently requested with -F to store the
CA chain in a file or NSS db it may not be available yet. A
conditional restart of certmonger will pick up the new IPA
configuration and complete the IPA CA configuration in certmonger.

A pure restart and service activation is not done since certmonger
is not required unless --request-cert was passed to ipa-client-install.

https://pagure.io/freeipa/issue/8105

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Ade Lee <alee@redhat.com>
2019-11-07 13:00:15 -05:00
Rob Crittenden
1e3de17269 Add conditional restart (try-restart) capability to services
This will conditionally restart a service if it is active.

https://pagure.io/freeipa/issue/8105

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Ade Lee <alee@redhat.com>
2019-11-07 13:00:15 -05:00
Robbie Harwood
3cb9444c4c Provide modern example enctypes in ipa-getkeytab(1)
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-11-06 15:39:51 -05:00
Christian Heimes
560acf3748 Skip commented lines after substitution
LDAP updater now ignores commented out lines after substitution.

Fixes: https://pagure.io/freeipa/issue/8111
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-11-05 11:48:28 -05:00
Christian Heimes
bc56642bf9 Block camellia in krbenctypes update in FIPS
Add FIPS conditional to updates to prevent updater from adding camellia
encsalttypes.

Fixes: https://pagure.io/freeipa/issue/8111
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-11-05 11:48:28 -05:00
Sergey Orlov
f16c08b7d6 ipatests: in DNS zone file add A record for name server
Testcase test_server_option_with_unreachable_ad creates a zone file
for the AD domain. This file had a hard-coded A record for the host specified in
the NS record. Some versions of BIND consider this zone invalid and refuse
to start with the message:
```
zone ad.test/IN: NS 'root-dc.ad.test' has no address records (A or AAAA)
```

Fixed by replacing the hard-coded value with the short name of the AD instance.

Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2019-11-05 17:24:24 +01:00
Sergey Orlov
b10e43c3ea ipatests: strip newline character when getting name of temp file
Function create_temp_file was returning the unprocessed output of the mktemp
command, which contains a trailing newline. Callers which tried to write
to the temp file were creating a new one instead.

Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2019-11-05 17:24:24 +01:00
Rob Crittenden
09d5b938c1 Enable AES SHA 256 and 384-bit enctypes in Kerberos
https://pagure.io/freeipa/issue/8110

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-11-04 09:45:07 -05:00
Sergey Orlov
14be271533 ipatests: add test to check that only TLS 1.2 is enabled in Apache
Related to: https://pagure.io/freeipa/issue/7995

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-11-01 13:49:09 -04:00
Spencer E. Olson
73796c7797 Fixes debian path for IPA_CUSTODIA_HANDLER
Debian installs into a different directory for libexec files.  This patch
fixes the path to the custodia files for debian.

Signed-off-by: Spencer E. Olson <olsonse@umich.edu>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-11-01 13:46:14 -04:00
Stanislav Levin
c6769ad12f Fix errors found by Pylint-2.4.3
New Pylint (2.4.3) catches several new 'true problems'. At the same
time, it warns about things that are massively and reasonably
employed in FreeIPA.

list of fixed:
- no-else-continue
- redeclared-assigned-name
- no-else-break
- unnecessary-comprehension
- using-constant-test (false positive)

list of ignored (responsibility of contributors and reviewers):
- import-outside-toplevel

Fixes: https://pagure.io/freeipa/issue/8102
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2019-10-21 18:01:32 +11:00
François Cami
f44b73b97c ipatests: nightly_f29: disable TestIpaClientAutomountFileRestore
The fixes for https://pagure.io/freeipa/issue/8054 and
https://pagure.io/freeipa/issue/8038 are intended for f30.
Given that the fixes will not be backported to f29, disable
that test.

Fixes: https://pagure.io/freeipa/issue/8063
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-10-18 22:40:00 +02:00
Armando Neto
3d8a444f62 prci: increase timeout argument for test_sssd.py
Follow-up for commit a4ca34261a.

Vagrant retries provisioning hosts if something happens; this was introduced
in PR-CI after freeipa/freeipa-pr-ci@380c8b8.

This takes time, some jobs are killed during test execution, so this
adds 20 minutes more to `test_sssd.py` test suite.

This also adds a missing but available topology to `temp_commit.yaml`.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2019-10-18 11:27:09 -03:00
Florence Blanc-Renaud
921f500240 ipa-backup: fix python2 issue with os.mkdir
Python2 and python3 have different interfaces for os.mkdir:
python2: os.mkdir(path[, mode])
python3: os.mkdir(path, mode=0o777, *, dir_fd=None)

ipa-backup is using the python3 format, which breaks deployments using
python2. The fix consists of using os.mkdir(path, 0o700) instead of
os.mkdir(path, mode=0o700).

Fixes: https://pagure.io/freeipa/issue/8099
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2019-10-17 08:36:54 +02:00
Stanislav Levin
1ed7dd4bf1 Install language packs for tests
* 'fr_FR' locale is utilized in
test_ipaserver/test_i18n_messages.py::test_i18n_messages::test_i18n_consequence_receive

* 'en_US' is a commonly used locale
AP warns regularly:

```
/bin/bash: warning: setlocale: LC_ALL: cannot change locale
(en_US.utf8): No such file or directory
```

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-10-17 08:29:06 +02:00
Stanislav Levin
16149831da Restore running of 'test_ipaserver' tests on Azure
`test_ipaserver` was lost on refactoring in #c8ef093e56.
Let's run that again.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-10-17 08:29:06 +02:00
Fraser Tweedale
e767386e71 test_integration: add tests for custom CA subject DN
Define integration test for custom CA subject DN and subject base
scenarios.  Add to nightly CI runs.

Part of: https://pagure.io/freeipa/issue/8084

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-10-17 08:17:46 +02:00
Fraser Tweedale
7ea50ff76d upgrade: fix ipakra people entry 'description' attribute
Add an upgrade script to detect when the ipakra people entry has an
incorrect 'description' attribute and fix it.

Part of: https://pagure.io/freeipa/issue/8084

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-10-17 08:17:46 +02:00
Fraser Tweedale
326d417d98 krainstance: set correct issuer DN in uid=ipakra entry
If IPA CA has custom subject DN (not "CN=Certificate
Authority,{subject_base}"), the uid=ipakra people entry gets an
incorrect 'description' attribute.  The issuer DN in the
'description' attribute is based on the aforementioned pattern,
instead of the actual IPA CA subject DN.

Update KRAInstance.configure_instance() to require the CA subject DN
argument.  Update ipaserver.install.kra.install() to pass the CA
subject DN.

Fixes: https://pagure.io/freeipa/issue/8084
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-10-17 08:17:46 +02:00
Florence Blanc-Renaud
0fc8562b24 ipa-server-certinstall manpage: add missing options
Some options were not documented in the man page:
--version
-h, --help
-p DIRMAN_PASSWD (but the long name --dirman-password is in the man page)
-v, --verbose
-q, --quiet
--log-file=FILE

Fixes: https://pagure.io/freeipa/issue/8086
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-10-17 08:11:45 +02:00
François Cami
e6db4980d8 ipatests: temporarily remove test_smb from gating
test_smb is now failing in a repeatable way due to CI infrastructure
issues. Temporarily remove it until this is fixed.

Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-10-16 12:14:19 +02:00
François Cami
1ac7169de2 ipa_client_automount.py: fix typo (idmap.conf => idmapd.conf)
660c49 introduced --idmap-domain which sets the Domain option in
idmapd.conf. However, the help message for that knob mentioned
idmap.conf, which is wrong. Fix that.
Reported by Marc Muehlfeld <mmuehlfe@redhat.com>.

Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2019-10-14 11:01:40 +02:00
Sergey Orlov
0d7f89c5a0 ipatests: fix DNS forwarders setup for AD trust tests with non-root domains
The tests are failing to establish trust with AD subdomain and tree domain
controllers. This happens because the IPA server needs to contact the root domain
controller to fetch domain-wide UPN suffixes but cannot do it because we
set up DNS forwarding only for the domains with which we try to establish
trust.
To establish trust with an AD subdomain we now set up a forwarder for the root AD
domain, and to establish trust with an AD treedomain -- two forwarders:
one for the root domain and another one for the treedomain.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-10-10 13:27:03 +02:00