Pylint warns about inconsistent return statements when some paths of a
function return None implicitly. Make all implicit returns either
explicit or raise a proper exception.
See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The test test_http_intermediate_ca was expecting success when
it should expect a failure. Scenario:
- install IPA ca-less with certs signed by rootCA
- call ipa-server-certinstall with a cert signed by a subCA
to replace http cert.
In this case, the command should refust changing the cert
(otherwise the clients won't be able any more to use
ipa * commands as the subca is not installed in /etc/ipa/nssdb
or in /etc/ipa/ca.crt).
The commit fixes the test expectation and marks the test as
xfail (see ticket 7759).
The test test_ds_intermediate_ca was expecting success when
it should expect a failure. Same scenario as above, but for
the ldap server cert.
The commit fixes the test expectation and removes the xfail
(ticket 6959 was closed as invalid).
Note:
The behavior differs for ldap and http cert because LDAP server
is using a NSSDB and http server is using openssl, hence
ipa-server-certinstall follows 2 different code paths when
changing the server cert.
Related to https://pagure.io/freeipa/issue/7759
Related to https://pagure.io/freeipa/issue/6959
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Two tests were missing from nightly definition:
- test_caless.py::TestReplicaCALessToCAFull
- test_caless.py::TestServerCALessToExternalCA
Related to https://pagure.io/freeipa/issue/7743
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add a new integration test for the following scenario:
- create a user with the "User Administrator" role
- as this user, create a user with a --radius=<radius_proxy_server>
This scenario was previously failing because ipa user-add --radius
requires read access to the radius server entries, and there was no
permission granting this access.
Related to https://pagure.io/freeipa/issue/7570
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add a xmlrpc test for ipa user-add/user-mod --radius-username
The command were previously failing because the objectclass
ipatokenradiusproxyuser was not automatically added when the
attribute ipatokenRadiusUserName was added to the entry.
The test ensures that the command is now succeeding.
Related to https://pagure.io/freeipa/issue/7569
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The test TestServerInstall::test_ca_2_certs has a
wrong expectation. Scenario:
install a CA-less master with
ipa-server-install --ca-cert-file root.pem
where root.pem contains the CA that signed the http and ldap
certificates + an additional (unneeded) CA cert.
The test was expecting a failure, but this scenario is not
problematic as long as the unneeded CA cert is not added.
Related to https://pagure.io/freeipa/issue/6289 which has been
closed as won't fix
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Some basic tests like re-loading a certificate, loading a
PKCS#7 cert and bad cert handling.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
https://pagure.io/freeipa/issue/7579
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
It is a standard SELinux user role included in RHEL (like
user_r, staff_r, guest_r) and used quite often.
Fixes: https://pagure.io/freeipa/issue/7658
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reuse master instance when installing replica with custom DS config.
This avoids one extra ipa-server-install and also tests replica
installation from a master with custom DS config.
See: https://pagure.io/freeipa/issue/7743
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Run test_customized_ds_config_install and test_dns_locations in nightly
runs.
See: https://pagure.io/freeipa/issue/7743
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
0a5a7bdef7 introduced another problem. The
test is now failing on systems without a full IPA client or server
installation. Use IPA_CONFDIR env var to override location of
default.conf, so that the command always fails.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Address a bug in the code block for attributeLevelRights for old clients.
The backward compatibility code for deprecated options was not triggered,
because the new name was checked against wrong dict.
Coverity Scan issue 323649, Copy-paste error
The copied code will not have its intended effect.
In postprocess_result: A copied piece of code is inconsistent with the
original (CWE-398)
See: Fixes: https://pagure.io/freeipa/issue/7753
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Fix Coverity finding CID 323644: logically dead code path
The code to determine whether NetBIOS name was already set or need to be
set after deriving it from a domain or asking a user for an interactive
input, was refactored at some point to avoid retrieving the whole LDAP
entry. Instead, it was provided with the actual NetBIOS name retrieved.
As result, a part of the code got neglected and was never executed.
Fix this code and provide a test that tries to test predefined,
interactively provided and automatically derived NetBIOS name depending
on how the installer is being run.
We mock up the actual execution so that no access to LDAP or Samba is
needed.
Fixes: https://pagure.io/freeipa/issue/7753
Reviewed-By: Christian Heimes <cheimes@redhat.com>
For smart card authentication, ipaapi must be able to access to sss-ifp.
During installation and upgrade, the ipaapi user is now added to
[ifp]allowed_uids.
The commit also fixes two related issues:
* The server upgrade code now enables ifp service in sssd.conf. The
existing code modified sssd.conf but never wrote the changes to disk.
* sssd_enable_service() no longer fails after it has detected an
unrecognized service.
Fixes: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Test that
1) sudo is not enabled for members of admins group by default
2) sudo is enabled for them after execution of script provided
by ipa-advise enable_admins_sudo
Related to https://pagure.io/freeipa/issue/7538
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
https://pagure.io/freeipa/issue/7721
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
https://pagure.io/freeipa/issue/7721
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
https://pagure.io/freeipa/issue/7721
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
https://pagure.io/freeipa/issue/7721
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
https://pagure.io/freeipa/issue/7721
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
https://pagure.io/freeipa/issue/7721
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
This Dogtag issue that caused KRA clone installation failure in some
scenarios has been fixed (https://pagure.io/dogtagpki/issue/3055).
This reverts commit 2488813260 and
bumps the pki-core dependency.
Fixes: https://pagure.io/freeipa/issue/7654
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The install_master() function performs additional steps besides just
installing a server. It also sets up log collection and performs
additional tests.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The test ensures that ipa-backup compresses the files after the
IPA services are restarted.
Related to: https://pagure.io/freeipa/issue/7632
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When running the integration tests capture the uninstallation
logs as well as the installation logs.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Some incorrect errors are possible if a client installation
fails and a configuration rollback is required.
These include:
1. Unconfigured automount client failed: CalledProcessError(Command
['/usr/sbin/ipa-client-automount', '--uninstall', '--debug']
returned non-zero exit status 1: '')
Caused by check_client_configuration() not returning the correct
return value (2).
2. WARNING: Unable to revert to the pre-installation state ('authconfig'
tool has been deprecated in favor of 'authselect'). The default sssd
profile will be used instead.
The authconfig arguments would have been: authconfig --disableldap
--disablekrb5 --disablesssdauth --disablemkhomedir
If installation fails before SSSD is configured there is no state
to roll back to. Detect this condition.
3. An error occurred while removing SSSD's cache.Please remove the
cache manually by executing sssctl cache-remove -o.
Again, if SSSD is not configured yet then there is no cache to
remove. Also correct the missing space after the period.
https://pagure.io/freeipa/issue/7729
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
On a plain uninstall there should not be a bunch of confusing
warning/error messages.
Related to https://pagure.io/freeipa/issue/7729
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The test is putting server.p12 / replica.p12 in the test_dir directory,
and the error message is printing the file name with its full path.
Related to https://pagure.io/freeipa/issue/5378
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
The KRA installation code explicity quits if trying to
install a KRA during a replica installation if there is not
already a KRA in the topology.
A KRA can be added afterward.
https://pagure.io/freeipa/issue/7651
Reviewed-By: Christian Heimes <cheimes@redhat.com>