Commit Graph

541 Commits

Author SHA1 Message Date
Rob Crittenden
6b0f6ff19e Allow the admin user to be disabled
A previous change made it not possible to remove the admin
user. This also included disabling the admin user. The user can
be disabled, just not deleted because it is required.

Move the test test_ipa_cacert_manage_prune to the end of the
class because it changes time which can break replication.

Fixes: https://pagure.io/freeipa/issue/9489

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-04-10 09:26:47 +02:00
Erik Belko
fc7c2cb624 xmlrpc tests: Create user with manager option set using user-add
Related: https://pagure.io/freeipa/issue/9515

Signed-off-by: Erik Belko <ebelko@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2024-04-04 15:56:25 +01:00
Rob Crittenden
5d3c6b761b Return 2 when certificates are not found during requests
The ipa tool has nearly since epoch returned 2 for the case of
entry not found.

The certificate processing raises a separate error,
CertificateOperationsError, when something goes wrong.
This returns 1.

With the introduction of the JSON API most requests will get
a proper HTTP return code representing what went wrong. In this
case we can use 404 to determine if the request resulted in
a NotFound therefore can eventually return a 2 and be
consistent in return values.

Related: https://pagure.io/freeipa/issue/9562

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-04-02 23:06:43 +02:00
Florence Blanc-Renaud
6cc668ffeb xmlrpc: adapt range plugin test
A warning is added in ipa idrange-add/mod/del for
local ranges. Adapt the test expectation.

Related: https://pagure.io/freeipa/issue/9558
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-03-27 18:04:26 +01:00
Alexander Bokovoy
a57b665be0 idrange: only issue warning to restart services for a local range
SIDGEN plugin only uses local ID ranges and thus a restart is really
needed only when a local range is added, modified or removed.

Also fix the SSSD warning because removal of any range requires restart
everywhere, not just on a specific server.

Fixes: https://pagure.io/freeipa/issue/9558
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-03-27 18:04:26 +01:00
Florence Blanc-Renaud
64861a0cf9 idrange-add: add a warning because 389ds restart is required
After the addition of a new idrange, the sidgen plugin is not
immediately aware of the new idrange and a restart of 389ds is
required. Otherwise the creation of new user/group with a uid/gid
inside the new range fails to grant a SID to the user/group.

Fixes: https://pagure.io/freeipa/issue/9558

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-03-20 13:59:21 +01:00
Florence Blanc-Renaud
8d7bd6c6ab pylint: fix errors
Fix the following errors:
I0021(useless-suppression)
R1710(inconsistent-return-statements)
E1101(no-member)

Ignore the following errors:
E0601(used-before-assignment)
The variable is imported when the code is run in_server.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-01-09 08:40:47 +01:00
Rob Crittenden
d1e09c68af ipatests: Verify that hbactest will return messages
Limit the sizelimit of the hbactest request to confirm that
the output includes a SearchResultTruncated message.

Fixes: https://pagure.io/freeipa/issue/9486

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-12-19 12:58:50 +01:00
Florence Blanc-Renaud
0654fb3737 idp: add the ipaidpuser objectclass when needed
The ipaidpuser objectclass is required for the attribute ipaidpsub.
When a user is created or modified with --idp-user-id, the operation
must ensure that the objectclass is added if missing.

Add a test for user creation and user modification with --idp-user-id.
Fixes: https://pagure.io/freeipa/issue/9433

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-08-30 09:13:23 -04:00
Rob Crittenden
317e7061d0 Adjust test to handle revocation reason REMOVE_FROM_CRL
The dogtag REST API has a change of behavior regarding
revocation reason 8, REMOVE_FROM_CRL. The XML interface
accepts it blindly and marks the certifiate as revoked.

This is complicated within RFC 5280 but the jist is that
it only affects a certificate on hold and only for delta
CRLs.

So this modifies the behavior of revocation 8 so that
the certificate is put on hold (6) first.

Fixes: https://pagure.io/freeipa/issue/9345

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2023-08-28 10:21:48 -04:00
Rob Crittenden
d98d5e4751 Remove all references to deleted indirect map from parent map
An attempt to do this was already coded but the wrong
argument was used. It was passing in the location name and
not the map name so the map wouldn't be completely removed.

Include a test to verify that the map is gone after removing
it by calling automountlocation-tofiles which will fail if the
map wasn't properly removed.

Fixes: https://pagure.io/freeipa/issue/9397

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-08-21 10:49:06 +02:00
Rob Crittenden
dea35922cd Prevent the admin user from being deleted
admin is required for trust operations

Note that testing for removing the last member is now
irrelevant because admin must always exist so the test
for it was removed, but the code check remains. It is done
after the protected member check.

Fixes: https://pagure.io/freeipa/issue/8878

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-08-01 13:47:56 +02:00
Florence Blanc-Renaud
7517e2ce21 xmlrpc tests: add a test for user plugin with non-existing idp
Add new tests checking the error returned for
ipa user-add ... --idp nonexistingidp
ipa user-mod ... --idp nonexistingidp
ipa stageuser-add ... --idp nonexistingidp
ipa stageuser-mod ... --idp nonexistingidp

The expected error message is:
ipa: ERROR: External IdP configuration nonexistingidp not found

Related: https://pagure.io/freeipa/issue/9416

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-07-19 16:59:25 -04:00
Erik Belko
4a3e3efb84
test: add tests for descriptive error message in ipa user-add
Add tests for renaming existing user and group with invalid name or only numeric name,
add numeric-only stage user, rename some functions and fix indentation
Related: https://pagure.io/freeipa/issue/9378

Signed-off-by: Erik Belko <ebelko@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2023-07-04 15:49:04 +02:00
Florence Blanc-Renaud
ae6549ffae xmlrpc tests: add test renaming user or group with setattr
Add a new test renaming user or group using --setattr.
The new name must be validated and invalid names must be
refused.

Related: https://pagure.io/freeipa/issue/9396

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-06-16 15:19:10 -04:00
Rob Crittenden
fa3a69f91f Use the python-cryptography parser directly in cert-find
cert-find is a rather complex beast because it not only
looks for certificates in the optional CA but within the
IPA LDAP database as well. It has a process to deduplicate
the certificates since any PKI issued certificates will
also be associated with an IPA record.

In order to obtain the data to deduplicate the certificates
the cert from LDAP must be parser for issuer and serial number.
ipaldap has automation to determine the datatype of an
attribute and will use the ipalib.x509 IPACertificate class to
decode a certificate automatically if you access
entry['usercertificate'].

The downside is that this is comparatively slow. Here is the
parse time in microseconds:

cryptography 0.0081
OpenSSL.crypto 0.2271
ipalib.x509 2.6814

Since only issuer and subject are required there is no need to
make the expensive IPACertificate call.

The IPACertificate parsing time is fine if you're parsing one
certificate but if the LDAP search returns a lot of certificates,
say in the thousands, then those microseconds add up quickly.
In testing it took ~17 seconds to parse 5k certificates (excluding
transmission overhead, etc).

cert-find when there are a lot of certificates has been
historically slow. It isn't related to the CA which returns
large sets (well, 5k anyway) in a second or two. It was the
LDAP comparision adding tens of seconds to the runtime.

When searching with the default sizelimit of 100 the time is
~10s without this patch. With it the time is 1.5s.

CLI times from before and after searching for all certs:

original:

-------------------------------
Number of entries returned 5038
-------------------------------
real    0m15.507s
user    0m0.828s
sys     0m0.241s

using cryptography:

real    0m4.037s
user    0m0.816s
sys     0m0.193s

Fixes: https://pagure.io/freeipa/issue/9331

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2023-06-16 11:15:48 -04:00
Florence Blanc-Renaud
0075c8b8f6 passkeyconfig: require-user-verification is a boolean
ipa passkeyconfig-mod now accepts Boolean values for
--require-user-verification

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Florence Blanc-Renaud
6f0da62f5a Passkey: add support for discoverable credentials
Apart from server-side credentials passkey should also register
discoverable credentials.
ipa user-add-passkey --register now supports an additional option,
--cred-type server-side|discoverable
that is propagated to passkey_child command.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Florence Blanc-Renaud
a7d90c1ef5 XMLRPC tests: add new tests for passkey auth type
Add tests for the new passkey authentication type
(ipa user-*, ipa config-mod)
Add tests for the new passkey authentication indicator
(ipa service-*, ipa host-*)
Add tests for the new krbtpolicy parameters
(ipa krbtpolicy-mod --passkey-maxlife=INT --passkeymaxrenew=INT)

Related: ipatests/test_xmlrpc/test_user_plugin.py
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Florence Blanc-Renaud
ae3c281a64 XMLRPC tests: test new passkey commands
Add tests for:
 ipa passkeyconfig-show
 ipa passkeyconfig-mod
 ipa user-add-passkey LOGIN PASSKEY
 ipa user-remove-passkey LOGIN PASSKEY
 ipa stageuser-add-passkey LOGIN PASSKEY
 ipa stageuser-remove-passkey LOGIN PASSKEY

Related: https://pagure.io/freeipa/issue/9261
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Rob Crittenden
a213253bb1 Don't allow a group to be converted to POSIX and external
This condition was checked in group-add but not in group-mod.
This evaluation is done later in the pre_callback so that all
the other machinations about posix are already done to make
it easier to tell whether this condition is true or not.

Fixes: https://pagure.io/freeipa/issue/8990

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-05-31 09:24:55 +02:00
Florence Blanc-Renaud
7b0ad59fea user or group name: explain the supported format
The commands ipa user-add or ipa group-add validate the
format of the user/group name and display the following
message when it does not conform to the expectations:
invalid 'login': may only include letters, numbers, _, -, . and $

The format is more complex, for instance '1234567' is an invalid
user name but the failure is inconsistent with the error message.
Modify the error message to point to ipa help user/group and add
more details in the help message.

Same change for idoverrideuser and idoverridegroup:
The user/group name must follow these rules:
- cannot contain only numbers
- must start with a letter, a number, _ or .
- may contain letters, numbers, _, ., or -
- may end with a letter, a number, _, ., - or $

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2150217

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-05-22 20:22:59 +02:00
mbhalodi
ef0ae496b7 ipatests: add remove automember condition tests
Related: https://pagure.io/freeipa/issue/9332

Signed-off-by: mbhalodi <mbhalodi@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-05-02 20:40:01 +02:00
Alexander Bokovoy
9b777390fb test_xmlrpc: adopt to automember plugin message changes in 389-ds
Another change in automember plugin messaging that breaks FreeIPA tests.
Use common substring to match.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-04-05 14:55:22 -04:00
mbhalodi
4119e4e799 ipatests: add missing automember-cli tests
Revisit the bash tests and port the valid
tests to upstream.

Related: https://pagure.io/freeipa/issue/9332

Signed-off-by: mbhalodi <mbhalodi@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2023-04-04 16:11:32 +02:00
Thorsten Scherf
2aeb963fc9 external-idp: change idp server name to reference name
When you  run "ipa idp-show <idp reference>" the IdP reference is shown
as "Identity Provider server name". This is confusing as we are pointing
to the earlier created IdP reference rather than a server.  Other files
are updated as well to reflect this change.

Additionally some typos are fixed with this patch too.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-03-03 05:08:02 +01:00
Stanislav Levin
c523e85835 pylint: Fix unhashable-member
https://pylint.pycqa.org/en/latest/user_guide/messages/error/unhashable-member.html:
> Emitted when a dict key or set member is not hashable (i.e. doesn't
define __hash__ method).

https://docs.python.org/3/library/stdtypes.html#dict.update:
> Update the dictionary with the key/value pairs from other, overwriting
existing keys. Return None.
update() accepts either another dictionary object or an iterable of
key/value pairs (as tuples or other iterables of length two). If keyword
arguments are specified, the dictionary is then updated with those
key/value pairs: d.update(red=1, blue=2).

Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2023-01-10 08:30:58 +01:00
Stanislav Levin
0e03315299 pylint: Fix used-before-assignment
> Emitted when a local variable is accessed before its assignment took
place. Assignments in try blocks are assumed not to have occurred when
evaluating associated except/finally blocks. Assignments in except
blocks are assumed not to have occurred when evaluating statements
outside the block, except when the associated try block contains a
return statement.

Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2023-01-10 08:30:58 +01:00
Florence Blanc-Renaud
79153655d7 pylint: disable unhashable-member
Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2023-01-10 08:30:58 +01:00
Florence Blanc-Renaud
8e7e48dc78 pylint: fix duplicate-value
Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2023-01-10 08:30:58 +01:00
Florence Blanc-Renaud
8cd9ddfdeb pylint: remove arguments-renamed warnings
Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2023-01-10 08:30:58 +01:00
Florence Blanc-Renaud
2011d1a36a pylint: disable used-before-assignment
Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2023-01-10 08:30:58 +01:00
Carla Martinez
b326b4afae ipatest: Remove warning message for 'idnssoaserial'
The tests must be updated to not expect the
deprecation warning messages for the 'idnssoaserial'
parameter. Those should (successfully) fail when
'dnszone_add' and 'dnszone_mod' commands are
executed with the SOA serial parameter provided.

Also, due to this SOA serial deprecation, an
expected-to-fail test should be defined when a
DNS zone is added (dnszone_add) and the SOA serial
is passed as a parameter.

Fixes: https://pagure.io/freeipa/issue/9249
Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2022-09-29 14:23:44 +02:00
Rob Crittenden
36591995ac Fix upper bound of password policy grace limit
It was defined as an unsigned value (2**32) because it
originally was. During the review an additional setting of
disabled (-1) was added so the value needed to be signed.
The upper bound needs to be 2**31 which is provided by
the xmlrpc client MAXINT import.

Fixes: https://pagure.io/freeipa/issue/9243

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2022-09-20 14:51:56 -04:00
Rob Crittenden
c8955a4d0a Set default gracelimit on group password policies to -1
This will retain previous behavior of unlimited LDAP BIND
post-expiration.

Fixes: https://pagure.io/freeipa/issue/9212

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-08-18 17:51:20 -04:00
Florence Blanc-Renaud
54d32fcd76 ipatests: Fix expected object classes
Because the sidgen plugin is a postop plugin, it is not
always triggered before the result of an ADD is returned
and the objectclasses of the user may / may not contain
ipantuserattrs.
Fix the expected object classes.

Related: https://pagure.io/freeipa/issue/9062
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-08-16 13:07:03 +02:00
Rob Crittenden
dc73813b8a Warn for permissions with read/write/search/compare and no attrs
An ACI with rights of read, write, search and/or compare without
attributes to apply the rights to is effectively a no-op. Allow
the ACI to be created but include a warning. Ignore the add
and delete rights. While they make no sense in the context of
the other rights we should still warn that they are a no-op
with no attributes.

Use the existing make_aci() object method to create the
message and update the add/mod callers to capture and add the
message to the result if one is provided.

When updating an existing ACI the effective attributes will
not be included so fall back to the attributes in the resulting
permission.

Prior to checking for rights and attributes convert any deprecated
names for older clients into the newer values needed by make_aci

This is exercised by existing xmlrpc permission tests that
create such permissions without attributes.

https://pagure.io/freeipa/issue/9188

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-07-15 16:59:15 +02:00
Florence Blanc-Renaud
3732349bc2 xmlrpc tests: updated expected output for preserved user
Update the expected summary for the command
ipa user-del --preserve

The command now displays: Preserved user: user1
instead of                Deleted user: user1

Related: https://pagure.io/freeipa/issue/9187

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-06-22 20:53:29 +02:00
Alexander Bokovoy
6c5f2bcb30 ipaldap: fix conversion from boolean OID to Python
In IPA framework we don't properly convert to Python bool type and just
return a string (TRUE or FALSE). This can be seen with many boolean
attributes, like

        Bool('idnsallowdynupdate?',
            cli_name='dynamic_update',
            label=_('Dynamic update'),
            doc=_('Allow dynamic updates.'),
            attribute=True,
            default=False,
            autofill=True
        ),

in 'ipa dnszone-show':

> > > api.Command.dnszone_show('ipa.test')['result']['idnsallowdynupdate']
['TRUE']

This is because we don't have the reverse (from LDAP to Python) mapping
for the LDAP boolean OID 1.3.6.1.4.1.1466.115.121.1.7.

When Web UI asks for the entry, it gets back JSON output that contains
this 'TRUE' value:

            "idnsallowdynupdate": [
                "TRUE"
            ],

Add proper mapping from LDAP to Python bool type. With this, a simple
'checkbox' type can be used in Web UI instead of a complex radio-box
setup.

Note that when IPA API is asked to return raw values, 'TRUE' and 'FALSE'
still returned. These are the actual LDAP boolean attribute values. Care
needs to be done in tests:

 - if output is from a command with --raw option, 'TRUE' or 'FALSE'
   should be expected

 - if output if from a normal (non-raw) command, True or False would be
   returned

Fixes: https://pagure.io/freeipa/issue/9171

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-06-10 09:25:27 +02:00
Rob Crittenden
d241d7405f Add tests for Random Serial Number v3 support
Extend existing tests and enabled random serial numbers
during installation. A subset of tests was identified that
exercise the code sufficiently to ensure proper operation.

Update the xml-rpc test to allow the new RSN version number
attribute.

Update some certificate tests where a specifc serial number
is expected.

Fixes: https://pagure.io/freeipa/issue/2016

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-06-09 08:35:15 +02:00
Rob Crittenden
f347c3f230 Implement LDAP bind grace period 389-ds plugin
Add support for bind grace limiting per
https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-06

389-ds provides for alternative naming than the draft, using those
instead: passwordGraceUserTime for pwdGraceUserTime and
passwordGraceLimit for pwdGraceLoginLimit.

passwordGraceLimit is a policy variable that an administrator
sets to determine the maximum number of LDAP binds allowed when
a password is marked as expired. This is suported for both the
global and per-group password policies.

passwordGraceUserTime is a count per-user of the number of binds.

When the passwordGraceUserTime exceeds the passwordGraceLimit then
all subsequent binds will be denied and an administrator will need
to reset the user password.

If passwordGraceLimit is less than 0 then grace limiting is disabled
and unlimited binds are allowed.

Grace login limitations only apply to entries with the objectclass
posixAccount or simplesecurityobject in order to limit this to
IPA users and system accounts.

Some basic support for the LDAP ppolicy control is enabled such that
if the ppolicy control is in the bind request then the number of
remaining grace binds will be returned with the request.

The passwordGraceUserTime attribute is reset to 0 upon a password
reset.

user-status has been extended to display the number of grace binds
which is stored centrally and not per-server.

Note that passwordGraceUserTime is an operational attribute.

https://pagure.io/freeipa/issue/1539

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-05-30 17:24:22 +03:00
Alexander Bokovoy
03a905eed9 external-idp: add XMLRPC tests for External IdP objects and idp indicator
Fixes: https://pagure.io/freeipa/issue/8804
Fixes: https://pagure.io/freeipa/issue/8803

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Sumit Bose <sbose@redhat.com>
2022-05-10 15:52:41 +03:00
Rob Crittenden
fe9be8c4a1 Convert values using _SYNTAX_MAPPING with --delattr
When an entry is loaded the incoming values are converted
into python datatypes automatically based on the _SYNTAX_MAPPING
value in ipaldap.

When using delattr to remove a mapped value it will fail because
the datatypes do not match up. For example date types are
datetime.datetime structions and won't match a generalized time
string.

So try to map the value to delete using _SYNTAX_MAPPING before
trying to remove the value. Fall back to trying to remove the
raw value if the mapping fails.

This won't work for some mapping types, DNs for example. Providing
only the RDN value for a DN-type, manager for example, lacks the
context to know how to construct the DN (RDN and contaner).

Fixes: https://pagure.io/freeipa/issue/9004

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-03-16 12:18:35 +02:00
Mohammad Rizwan
5a909cff8d ipatests: Check maxlife error message where minlife > maxlife specified
When minlife > maxlife specified on commandline, it says:
"ipa: ERROR: invalid 'maxlife': Maximum password life must be
greater than minimum."

But when minlife == maxlife specfied, It works.
This test check that error message says what exactly it does

related: https://pagure.io/freeipa/issue/9038

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-03-16 12:17:08 +02:00
Stanislav Levin
5a00882eab pylint: Fix useless-suppression
Cleanup up no longer used Pylint's disables where possible.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
851f6d48ac pylint: Fix consider-using-dict-items
Pylint 2.9 introduced new check:
> New checker consider-using-dict-items. Emitted when iterating over
dictionary keys and then indexing the same dictionary with the key
within loop body.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
516adf40f8 pylint: Fix unnecessary-dict-index-lookup
Pylint 2.9 introduced new check:
> Emitted when iterating over the dictionary items (key-item pairs) and
accessing the value by index lookup. The value can be accessed directly
instead.

Note: in Python3 removing from dict during an iteration is not
possible even. For example,
```
cat a.py
d = {"a": 1}

for k, v in d.items():
    if v is not None:
        del d[k]

python3 a.py
Traceback (most recent call last):
  File "/usr/src/RPM/BUILD/freeipa/a.py", line 3, in <module>
    for k, v in d.items():
RuntimeError: dictionary changed size during iteration
```

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
139f6b63b1 pylint: Fix deprecated-class
There is no actual usage of deprecated classes for Python3.
Pylint complains about such for Python2. Since Python2 is no
longer supported these imports were removed.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
017b73e7f6 pylint: Fix use-maxsplit-arg
Pylint 2.9.0 new checker:
> Emitted when accessing only the first or last element of str.split().
  The first and last element can be accessed by using str.split(sep,
  maxsplit=1)[0] or str.rsplit(sep, maxsplit=1)[-1] instead.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Florence Blanc-Renaud
325415bb66 config plugin: add a test ensuring EmptyModlist is returned
Add a test to test_config_plugin, that calls ipa config-mod
with the same value as already present in LDAP.
The call must return EmptyModlist.

Related: https://pagure.io/freeipa/issue/9063
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-01-13 14:20:59 -05:00