When the admin runs ipa-cacert-manage install, he should also run
ipa-certupdate on master/replicas/clients in order to update the
certificates databases.
The man page should mention this requirement, and also clarify that
"install" command does not replace IPA CA but rather installs an
additional trusted CA.
https://fedorahosted.org/freeipa/ticket/6381
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Parameters test fails because of KeyError caused by improper manipulation with
kwargs in Param.__init__ method. During initialization, if kwargs['required']
or kwargs['multivalue'] is None, it is delete from dictionary and hence the
missing key. Small change of the condition prevents this from happening.
Partially fixes https://fedorahosted.org/freeipa/ticket/6292
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Add commentary to 'ca' plugin documentation to explain what happens
when a CA gets deleted - namely, that its signing cert gets revoked
and its private key deleted.
Also break the docstring up into smaller chunks to aid translation.
Fixes: https://fedorahosted.org/freeipa/ticket/6256
Reviewed-By: Martin Basti <mbasti@redhat.com>
Require Dogtag 10.3.5-6, which is the first release that implements
revocation of lightweight CA signing certificates upon deletion.
Part of: https://fedorahosted.org/freeipa/ticket/6256
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add a parser check to verify config file supplied to the ipa
command exists. Previously, invalid file paths would not results
in any error and would just silently proceed with default config.
https://fedorahosted.org/freeipa/ticket/6114
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Remove unnecessary check for absolute file paths for config file.
https://fedorahosted.org/freeipa/ticket/6114
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
In the future Custodia is going to make CSStore.span an abstract method.
Closes: https://fedorahosted.org/freeipa/ticket/6365
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
In at least one case, when an LDAP socket closes, a read event is fired
rather than an error event. Without this patch, ipa-otpd silently
ignores this event and enters a state where all bind auths fail.
To remedy this problem, we pass error events along the same path as read
events. Should the actual read fail, we exit.
https://bugzilla.redhat.com/show_bug.cgi?id=1377858https://fedorahosted.org/freeipa/ticket/6368
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
cainstance.__spawn_instance() exits in rather weird manner on
successful external CA install. This masks the weird implementation
from the user. :-&
https://fedorahosted.org/freeipa/ticket/6230
Reviewed-By: David Kupka <dkupka@redhat.com>
The patch implements several test cases testing the enforcement
of CA ACLs on certificate requests with subject alternative names.
https://fedorahosted.org/freeipa/ticket/6366
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This is to prevent situations when installer prints
CRITICAL Failed to load ....ldif
and continues just to crash later on because of non-existing LDAP container
or so on.
Reviewed-By: Martin Basti <mbasti@redhat.com>
The test would be failing because recent pretty-print changes
that caused the inner members of a dictionary to be printed
in a different order.
https://fedorahosted.org/freeipa/ticket/6373
Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
The code which handles configuration of mod_nss module must be more robust
when handling NSS nicknames generated from subject names containing quoted RDN
values.
https://fedorahosted.org/freeipa/ticket/5809
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Functions `escape_seq` and `unescape_seq` have a generic use-case so it makes
sense to move them from `kerberos` to ipautil module so that other modules can
reuse them more readily.
https://fedorahosted.org/freeipa/ticket/5809
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
By default, ipa-run-tests will now pretty-print structures
compared in the assert_deepequal function. This behaviour
can be turned off by the --no-pretty-print option.
https://fedorahosted.org/freeipa/ticket/6212
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
When user is logged in and opens details page of another user there should not
be visible button for adding new certificate and also the option in action menu
for deleting certificate should be grayed out.
This is achieved by adding custom field for certificates widget, which is able to
read ACLs from result of user-show and not from cert-find result.
https://fedorahosted.org/freeipa/ticket/6341
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Unused variables may:
* make code less readable
* create dead code
* potentialy hide issues/errors
Enabled check should prevent to leave unused variable in code
Check is locally disabled for modules that fix is not clear or easy or have too many occurences of
unused variables
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This commit removes or marks unused variables as "expected to be unused"
by using '_' prefix.
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This commit removes unused variables or rename variables as "expected to
be unused" by using "_" prefix.
This covers only cases where fix was easy or only one unused variable
was in a module
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Input data should be packaged into freeipa-test module to be able run
test from RPM (outoftree)
https://fedorahosted.org/freeipa/ticket/6333
Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
When the command ipa dnsforwardzone-add is invoked without
specifying the forwarder as an argument and the forward
policy is not set to none, prompt for DNS forwarder.
https://fedorahosted.org/freeipa/ticket/6169
Reviewed-By: Petr Spacek <pspacek@redhat.com>
`common.Continuous` class is a basis for uninstallers, which should execute
all the steps regardless of occuring errors. However, we would like the
installer to raise exceptions and return non-zero exit code during validation
phase when some preconditions are not met.
Add a separate exception handler which catches exceptions and logs them as
errors during execution phase only.
https://fedorahosted.org/freeipa/ticket/5725
Reviewed-By: Petr Spacek <pspacek@redhat.com>
installer framework has been modified to allow for different error handling
during validation and execution phases.
https://fedorahosted.org/freeipa/ticket/5725
Reviewed-By: Petr Spacek <pspacek@redhat.com>
The --server option now specifically mentions that
it expects the FQDN of the IPA server.
https://fedorahosted.org/freeipa/ticket/6202
Reviewed-By: Petr Spacek <pspacek@redhat.com>
It is not obvious how to add SELinux type and role transitions to a
Sudo rule. Update the 'sudorule' plugin documentation with examples
of how to do this.
Fixes: https://fedorahosted.org/freeipa/ticket/3461
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
the global keyword should be used only when variable from outside is
assigned inside, otherwise it has no effect and just confuses developers
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
It looks that pylint stopped printing false positive errors for
cyclic-import check, thus check can be enabled.
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
When removing all host/service certificates via host/service-mod
--certificate=, the removed certificates should be revoked, but they
are not. Examine whether the --certificate option was provided to
determine whether certs should be revoked, instead of looking for a
cert list in the options (which in this case is empty).
Fixes: https://fedorahosted.org/freeipa/ticket/6305
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
