Commit Graph

12223 Commits

Author SHA1 Message Date
Anuja More
4f4835a724
Test for ipa-replica-install fails with PIN error for CA-less env.
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Aleksei Slaikovskii <aslaikov@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-06-18 14:53:32 +02:00
Christian Heimes
f1d5ab3a03 Increase WSGI process count to 5 on 64bit
Increase the WSGI daemon worker process count from 2 processes to 5
processes. This allows IPA RPC to handle more parallel requests. The
additional processes increase memory consumption by approximante 250 MB
in total.

Since memory is scarce on 32bit platforms, only 64bit platforms are
bumped to 5 workers.

Fixes: https://pagure.io/freeipa/issue/7587
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-06-15 13:02:53 +02:00
Christian Heimes
907e164958 Fedora 29 renamed fedora-domainname.service
In Fedora 29, the fedora-domainname.service has been renamed to
nis-domainname.service like on RHEL. The ipaplatform service module for
Fedora now only renames the service, when it detects the presence of
fedora-domainname.service.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1588192
Fixes: https://pagure.io/freeipa/issue/7582
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-15 08:30:55 +02:00
Christian Heimes
7d12bbb99b Use python3-lesscpy 0.13.0
Require python-lesscpy 0.13. with Python 3 fix and use py3-lesscpy to
compile ipa.css.

python2-lesscpy was the last Python 2 dependency.

Fixes: https://pagure.io/freeipa/issue/7585
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-14 09:04:06 +02:00
Kaleemullah Siddiqui
114e46b7c9 Test coverage for multiservers for radius proxy
Test checks that no multiservers can be added for
radius proxy

Pagure: https://pagure.io/freeipa/issue/7542
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-13 16:23:18 -04:00
Stanislav Levin
f5a04da95d Fix translation of commands description in API Browser
The command description is taken from python docstring. Thus
commands should have them and should include the callings of
gettext to be translated.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-06-12 08:38:56 +02:00
Christian Heimes
c74f65ef23 Split external_ca PR-CI into two jobs
The external_ca job takes about 38 minutes of testing. Split the tests
into TestExternalCA (~17 minutes) and TestSelfExternalSelf +
TestExternalCAInstall (~20 minutes).

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-06-11 18:02:55 +02:00
Rob Crittenden
fe70a9e62b Suppress missing cn=schema compat on installation
The schema compat plugin is disabled on upgrades but it is
possible that it is not configured at all and this will
produce a rather nasty looking error message.

Check to see if it is configured at all before trying to
disable it.

https://pagure.io/freeipa/issue/6610

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-06-11 12:20:48 +02:00
Aleksei Slaikovskii
283987c1df Revert "Fixing TestBackupAndRestore::test_full_backup_and_restore_with_removed_users"
This reverts commit 415578a199.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-06-11 10:48:40 +02:00
Aleksei Slaikovskii
ec9ea73b63 Uninstall fix for named-pkcs11
Sometimes named-pkcs11 is not being stopped or reloaded during
uninstall and it causes a lot of problems while testing, for example,
backup and restore tests are failing because of ipa-server-install
fails on checking DNS step.

Fixes backup/restore tests runs. Maybe something else.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-06-11 10:48:40 +02:00
Christian Heimes
390251d3dd
Always build Python 3 packages
Remove with_python3 checks and always build Python 3 packages.

Co-authored-by: Stanislav Laznicka <slaznick@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-11 08:44:18 +02:00
Christian Heimes
ed52baba0d
Make Python 2 build dependency optional
The specfile now uses three variables to determinate how to handle
Python support.

with_python2: build python2-ipa* packages
with_python3: build python3-ipa* packages
with_default_python: use Python 3 or 2 for commands and packages

"with_default_python=3" is the default build flavor. "with_python3=0"
implies "with_default_python=2". Python 2 packages are still built on
Fedora by default.

The patch also cleans up and fixes additional issues:

* makeapi/makeaci require Python 3
* remove checks for unsupported distros like F27
* sort dependencies and remove duplicates
* remove python3-memcached dependency
* remove svrcore-devel dependency
* don't assume that gcc, make, and pkgconfig are provided by default
* fix packaging bug with ipa-test-* commands. Unversioned ipa-run-test
  were packages with Python 2 RPMs although they had a Python 3 shebang.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1565263
Fixes: https://pagure.io/freeipa/issue/7500
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-11 08:44:18 +02:00
Christian Heimes
533307382a Use one Custodia peer to retrieve all secrets
Fix 994f71ac8a was incomplete. Under some
circumstancs the DM hash and CA keys were still retrieved from two different
machines.

Custodia client now uses a single remote to upload keys and download all
secrets.

Fixes: https://pagure.io/freeipa/issue/7518
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2018-06-10 18:33:38 +02:00
Michal Reznik
b1f368c682 ui_tests: fixes for issues with sending key and focus on element
Fixes 2 issues in WebUI tests. One issue is that we are unable to
confirm a dialog by "Enter" keyboard - "actions.click()" helps
here to get focus on the page.

Second issue is probbaly related to screen resolution as we cannot
click to some of the action buttons (buttons which are having issue
varies).

https://pagure.io/freeipa/issue/7583

Reviewed-By: Pavel Picka <ppicka@redhat.com>
2018-06-08 14:03:30 +02:00
Rob Crittenden
f976f6cfd8 Use replace instead of add to set new default ipaSELinuxUserMapOrder
The add was in effect replacing whatever data was already there
causing any custom order to be lost on each run of
ipa-server-upgrade.

https://pagure.io/freeipa/issue/6610

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-06-08 10:49:18 +02:00
Rob Crittenden
2b3eb5c567 Disable Schema Compat plugin during server upgrade
If this is enabled it can cause a deadlock with SSSD trying
to look up entries and it trying to get data on AD users
from SSSD.

When reading the entry from LDIF try to get the camel-case
nsslapd-pluginEnabled and fall back to the all lower-case
nsslapd-pluginenabled if that is not found. It would be nice
if the fetch function was case sensitive but this is likely
overkill as it is, but better safe than blowing up.

Upon restoring it will always write the camel-case version.

https://pagure.io/freeipa/issue/6721

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-06-07 12:55:01 -04:00
Felipe Barreto
f03df5fe41
Adding xfail to failing tests
The tests listed below are failing and we do not have time to debug them
and understand why. Adding xfail to keep it green.

TestInstallDNSSECLast::test_disable_reenable_signing_master
TestInstallDNSSECLast::test_disable_reenable_signing_replica
TestInstallDNSSECFirst::test_chain_of_trust

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-06-07 17:27:38 +02:00
Christian Heimes
992a5f4823 Move client templates to separate directory
PR https://github.com/freeipa/freeipa/pull/1747 added the first template
for FreeIPA client package. The template file was added to server
templates, which broke client-only builds.

The template is now part of a new subdirectory for client package shared
data.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-05 16:34:27 -04:00
amitkuma
326fd6a70d Match Common Name attribute in Subject
ipa cert_find command has an option called --subject.
The option is documented as --subject=STR Subject.
It is expected that a --subject option searches by X.509 subject field but it does not do so.
It searches for CN not cert subject. Hence changing content of --subject help option.

Resolves: https://pagure.io/freeipa/issue/7322
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-05 14:01:11 -04:00
Mohammad Rizwan Yusuf
3927b0e7b1 Extended UI test for selfservice permission.
Follwoing scenario added:
 - test_add_all_attr
 - test_add_and_add_another
 - test_add_and_edit
 - test_add_and_cancel
 - test_add_permission_undo
 - test_add_permission_reset
 - test_permission_negative
 - test_del_multiple_permission
 - test_permission_using_enter_key
 - test_reset_sshkey_permsission

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-06-01 09:42:32 -04:00
Fraser Tweedale
816daf9355 Add missing space in error string
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-01 09:40:33 -04:00
Christian Heimes
cf25823e99 Print version string in installer
The server, replica, and client installer now print the current version
number on the console, before the actual installer starts. It makes it
easier to debug problems with failed installations. Users typically post
the console output in a ticket.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-31 14:12:49 -04:00
Robbie Harwood
a2e8d989a3 Fix elements not being removed in otpd_queue_pop_msgid()
If the element being removed were not the queue head,
otpd_queue_pop_msgid() would not actually remove the element, leading
to potential double frees and request replays.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-05-31 11:53:25 -04:00
Pavel Picka
3e4b9cd969 Adding WebUI Host test cases
Added test cases due to downstream test cases
- negative input
- ssh keys
- csr
- otp
- filter
- buttons

https://pagure.io/freeipa/issue/7550

Signed-off-by: Pavel Picka <ppicka@redhat.com>
Reviewed-By: Varun Mylaraiah <mvarun@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-05-31 13:05:05 +02:00
Mohammad Rizwan Yusuf
4274b361fe Test to check second replica installation after master restore
When master is restored from backup and replica1 is re-initialize,
second replica installation was failing. The issue was with ipa-backup
tool which was not backing up the /etc/ipa/custodia/custodia.conf and
/etc/ipa/custodia/server.keys.

    related ticket: https://pagure.io/freeipa/issue/7247

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-05-31 12:18:34 +02:00
Christian Heimes
0a87de5ed5 Backport gzip.decompress for Python 2
Python 2 doesn't have gzip.decompress(data: bytes) -> bytes function.
Backport the two line function from Python 3.6.

Fixes: https://pagure.io/freeipa/issue/7563
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-05-30 15:09:55 +02:00
Fraser Tweedale
1da3eddf56 Handle compressed responses from Dogtag
We currently accept compressed responses for some Dogtag resources,
via an 'Accept: gzip, deflate' header.  But we don't decompress the
received data.  Inspect the response Content-Encoding header and
decompress the response body according to its value.

The `gzip.decompress` function is only available on Python 3.2 or
later.  In earlier versions, it is necessary to use StringIO and
treat the compressed data as a file.  This commit avoids this
complexity.  Therefore it should only be included in Python 3 based
releases.

Fixes: https://pagure.io/freeipa/issue/7563
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-05-30 15:09:55 +02:00
Rob Crittenden
59b3eb0433 Add tests for ipa-restore with DM password validation check
ipa-restore should validate the DM password before executing
the restoration. This adds two test cases:

1. Restore with a bad DM password
2. Restore with dirsrv down so password cannot be checked

Related: https://pagure.io/freeipa/issue/7136

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-05-30 08:53:12 +02:00
Rob Crittenden
2256f9ef6a Validate the Directory Manager password before starting restore
The password was only indirectly validated when trying to
disable replication agreements for the restoration.

Only validate the password if the IPA configuration is available
and dirsrv is running.

https://pagure.io/freeipa/issue/7136
https://pagure.io/freeipa/issue/7535

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-05-30 08:53:12 +02:00
Christian Heimes
fb16bc933c Require JSS 4.4.4 with fix for sub CA replication
The SQL backend of NSS behaves differently than the DBM backend.
Specifically PK11_UnwrapPrivateKey generates a different CKA_ID. JSS 4.4.4
contains a workaround for broken sub CA replication.

Note: FreeIPA doesn't depend on JSS directly. The version requirement
was added to update JSS to a working version

See: https://bugzilla.redhat.com/show_bug.cgi?id=1583140
Fixes: https://pagure.io/freeipa/issue/7536
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-05-30 08:18:40 +02:00
Stanislav Laznicka
f47d86c719 Move config directives handling code
Move config directives handling code:
        ipaserver.install.installutils -> ipapython.directivesetter

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-05-29 17:03:56 +02:00
Timo Aaltonen
8c0d7bb92f Fix HTTPD SSL configuration for Debian.
The site and module configs are split on Debian, server setup needs
to match that.

Fixes: https://pagure.io/freeipa/issue/7554
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-05-29 17:03:56 +02:00
Timo Aaltonen
ffdb20aeb3 ldapupdate: Add support for Debian multiarch
And since Fedora 28 dropped support for non-64bit, hardcode default LIBARCH as 64.

Fixes: https://pagure.io/freeipa/issue/7555
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-05-29 17:03:56 +02:00
Timo Aaltonen
c5ee8ae529 named.conf: Disable duplicate zone on debian, and modify data dir
zone already imported via default zones.

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-05-29 17:03:56 +02:00
Timo Aaltonen
86ef31d760 Add mkhomedir support for Debian
Fixes: https://pagure.io/freeipa/issue/7556
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-05-29 17:03:56 +02:00
Timo Aaltonen
a3a3d6da5b paths: Fix some path definitions for Debian.
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-05-29 17:03:56 +02:00
Timo Aaltonen
7a27651a0a constants: Fix HTTPD_GROUP for Debian
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-05-29 17:03:56 +02:00
Timo Aaltonen
0030118ddc Create kadm5.acl if it doesn't exist
kadmind doesn't start without it, and Debian doesn't ship it by default.

Fixes: https://pagure.io/freeipa/issue/7553
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-05-29 17:03:56 +02:00
Christian Heimes
172df673dd Refuse PORT, HOST in /etc/openldap/ldap.conf
OpenLDAP has deprecated PORT and HOST stanzes in ldap.conf. The presence
of either option causes FreeIPA installation to fail. Refuse
installation when a deprecated and unsupported option is present.

Fixes: https://pagure.io/freeipa/issue/7418
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-05-29 15:30:37 +02:00
Christian Heimes
829998b19b Apply sane LDAP settings to C code
Common LDAP code from ipa-getkeytab and ipa-join are moved to libutil.a.
The common ipa_ldap_init() and ipa_tls_ssl_init() set the same options
as ldap_initialize()

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-05-29 15:30:37 +02:00
Christian Heimes
9a9c8ced30 Use sane default settings for ldap connections
LDAP connections no longer depend on sane settings in global ldap.conf
and use good default settings for cert validation, CA, and SASL canonization.

https://pagure.io/freeipa/issue/7418

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-05-29 15:30:37 +02:00
Christian Heimes
9b8bb85eca Add test case for allow-create-keytab
A ref counting bug in python-ldap caused create and retrieve keytab
feature to fail. Additional tests verify, that
ipaallowedtoperform;write_keys attribute is handled correctly.

See: https://pagure.io/freeipa/issue/7324
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-05-29 08:51:10 +02:00
Florence Blanc-Renaud
1d70ce850e Test for 7526
Add a test for issue 7526: install a client with a bulk enrollment
password, enrolling to an externally-signed CA master.
Without the fix, the master does not publish the whole cert chain
in /usr/share/ipa/html/ca.crt. As the client installer downloads the
cert from this location, client installation fails.
With the fix, the whole cert chain is available and client installation
succeeds.
The test_external_ca.py::TestExternalCA now requires 1 replica and 1
client, updated .freeipa-pr-ci.yaml accordingly.

Also removed the annotation @tasks.collect_logs from test_external_ca
as it messes with test ordering (and the test collects logs even
without this annotation).

Related to:
https://pagure.io/freeipa/issue/7526

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-28 21:25:47 +02:00
Florence Blanc-Renaud
af99032d90 ipa-server-install: publish complete cert chain in /usr/share/ipa/html/ca.crt
When IPA is installed with an externally signed CA, the master installer
does not publish the whole cert chain in /usr/share/ipa/html/ca.crt (but
/etc/ipa/ca.crt contains the full chain).

If a client is installed with a One-Time Password and without the
--ca-cert-file option, the client installer downloads the cert chain
from http://master.example.com/ipa/config/ca.crt, which is in fact
/usr/share/ipa/html/ca.crt. The client installation then fails.
Note that when the client is installed by providing admin/password,
installation succeeds because the cert chain is read from the LDAP server.

https://pagure.io/freeipa/issue/7526

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-28 21:25:47 +02:00
Rob Crittenden
7c5ecb8d08 Rename test class for testing simple commands, add test
The concensus in the review was that the name test_commands was
more generic than test_ipa_cli.

Add a test to change the password for sysaccount users using
using ldappasswd to confirm that a segfault fix does not regress.

https://pagure.io/freeipa/issue/7561

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-27 16:08:21 +02:00
Rob Crittenden
45d776a7bf Don't try to set Kerberos extradata when there is no principal
This was causing ns-slapd to segfault in the password plugin.

https://pagure.io/freeipa/issue/7561

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-27 16:08:21 +02:00
Christian Heimes
8e165480ac Use GnuPG 2 for backup/restore
ipa-backup and ipa-restore now use GnuPG 2 for asymmetric encryption, too.
The gpg2 command behaves a bit different and requires a gpg2 compatible
config directory. Therefore the --keyring option has been deprecated.

The backup and restore tools now use root's GPG keyring by default.
Custom configuration and keyring can be used by setting GNUPGHOME
environment variables.

Fixes: https://pagure.io/freeipa/issue/7560
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-27 16:05:50 +02:00
Christian Heimes
dbc3788405 Use GnuPG 2 for symmentric encryption
The /usr/bin/gpg command is old, legacy GnuPG 1.4 version. The
recommended version is GnuPG 2 provided by /usr/bin/gpg2. For simple
symmentric encryption, gpg2 is a drop-in replacement for gpg.

Fixes: https://pagure.io/freeipa/issue/7560
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-27 16:05:50 +02:00
Christian Heimes
59ea580046 Require python-ldap >= 3.1.0
python-ldap 3.1.0 fixes a segfault caused by a reference counting bug.

See: https://pagure.io/freeipa/issue/7324
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-25 20:44:01 +02:00
Christian Heimes
1e5c3d7c6a Reproducer for issue 5923 (bytes in error response)
Error response used to contain bytes instead of text, which triggered an
exception.

See: https://pagure.io/freeipa/issue/5923
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-05-25 16:26:14 +02:00