Commit Graph

12737 Commits

Author SHA1 Message Date
Christian Heimes
533a5b2633 pylint 2.2: Fix unnecessary pass statement
pylint 2.2.0 has a new checker for unnecessary pass statements. There is
no need to have a pass statement in functions or classes with a doc
string.

Fixes: https://pagure.io/freeipa/issue/7772
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2018-11-26 16:54:43 +01:00
Christian Heimes
58053b2747 TestBackupAndRestoreWithReplica needs 2 replicas
The test case TestBackupAndRestoreWithReplica needs two replicas but
PR-CI just had topology: *master_1repl.

Fixes: https://pagure.io/freeipa/issue/7691
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-11-23 10:44:09 +01:00
Varun Mylaraiah
42fb0cc6a7 Added test for ipa-client-install with a non-standard ldap.conf file Ticket: https://pagure.io/freeipa/issue/7418
Signed-off-by: Varun Mylaraiah <mvarun@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2018-11-23 10:42:44 +01:00
François Cami
dd0490e1d8 Add a "Find enabled services" ACI in 20-aci.update so that all users can find IPA servers and services. ACI suggested by Christian Heimes.
Fixes: https://pagure.io/freeipa/issue/7691
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-21 15:41:00 +01:00
François Cami
a709da6748 Add a shared-vault-retrieve test
Add a shared-vault-retrieve test when:
* master has KRA installed
* replica has no KRA
This currently fails because of issue#7691

Related-to: https://pagure.io/freeipa/issue/7691
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-21 15:41:00 +01:00
Sergey Orlov
8182ebc6c3
ipatests: add test for ipa-restore in multi-master configuration
Test ensures that after ipa-restore on the master, the replica can be
re-synchronized and a new replica can be created.

https://pagure.io/freeipa/issue/7455

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-11-21 10:29:51 +01:00
Christian Heimes
8decef33d3 Unify and simplify LDAP service discovery
Move LDAP service discovery and service definitions from
ipaserver.install to ipaserver. Simplify and unify different
implementations in favor of a single implementation.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-11-21 08:57:08 +01:00
Florence Blanc-Renaud
d18b0d558b ipatests: add missing tests for test_replica_promotion.py
The following test was missing from nightly:
test_replica_promotion.py::TestReplicaInstallCustodia

Related to https://pagure.io/freeipa/issue/7743

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-21 07:36:01 +01:00
Florence Blanc-Renaud
19211257c6 ipatests: add missing tests for test_installation.py
Some tests were missing in the nightly:
- test_installation.py::TestInstallWithCA_DNS3
- test_installation.py::TestInstallWithCA_DNS4

Relates to https://pagure.io/freeipa/issue/7743

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-21 07:36:01 +01:00
Florence Blanc-Renaud
1e7be6fb3d ipatests: add missing tests for test_external_ca.py
Some tests were missing from nightly definition:
test_external_ca.py::TestExternalCAdirsrvStop
test_external_ca.py::TestExternalCAInvalidCert
test_external_ca.py::TestMultipleExternalCA

Related to https://pagure.io/freeipa/issue/7743

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-21 07:36:01 +01:00
Florence Blanc-Renaud
26e35dca41
ipatests: add test for ipa-replica-install options
Add a test checking that --password and --admin-password
options are mutually exclusive.

Related to https://pagure.io/freeipa/issue/6353

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-20 15:12:25 +01:00
Florence Blanc-Renaud
23306a28c9
ipa-replica-install: password and admin-password options mutually exclusive
Currently it is possible to run ipa-replica-install in one step,
and provide --password and --admin-password simultaneously.
This is confusing as --password is intended for one-time pwd
when the ipa-replica-install command is delegated to a user
who doesn't know the admin password.

The fix makes --password and --admin-password options
mutually exclusive.

Fixes https://pagure.io/freeipa/issue/6353

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-20 15:12:25 +01:00
Florence Blanc-Renaud
55c0a93271 ipatests: fix test_replica_uninstall_deletes_ruvs
test_topology.py is failing because of a wrong scenario.
Currently, test_replica_uninstall_deletes_ruvs does:
- install master + replica with CA
- ipa-replica-manage list-ruv to check that the repl is
propery setup
- ipa-replica-manage del $replica
- (on replica) ipa-server-install --uninstall -U
- ipa-replica-manage list-ruv to check that replica
does not appear any more in the RUV list

When ipa-replica-manage del is run, the topology plugin
creates 2 tasks cleanallruvs (one for the domain, one for the ca)
and they are run asynchronously. This means that the ruvs may
still be present when the test moves forward and calls list-ruv.

The test should wait for the cleanallruvs tasks to finish before
checking that list-ruv does not display replica anymore.

Fixes https://pagure.io/freeipa/issue/7545

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-11-20 13:34:07 +01:00
Christian Heimes
7434a3299d PR-CI: Restart rpcbind when it blocks kadmin port
Every now and then, a PR-CI job fails because rpcbind blocks the kadmin
port 749/UDP and kadmin.service fails to start. When NFS secure port is
configured, rpcbind reserves a random low port.

A new workaround detects the blocked port and restarts rpcbind.service.

See: https://pagure.io/freeipa/issue/7769
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2018-11-20 09:31:32 +01:00
Alexander Bokovoy
122f968cee ipa-kdb: reduce LDAP operations timeout to 30 seconds
Since LDAP operations used by ipa-kdb driver are synchronous, the
timeout specified here is blocking entire KDC. It is worth reducing the
timeout and since AS REQ processing timeout in KDC is 1 minute, reducing
the timeout for LDAP operations down to 30 seconds allows KDC to
respond promptly in worst case scenario as well.

Fixes: https://pagure.io/freeipa/issue/7217
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2018-11-16 16:54:38 -05:00
Serhii Tsymbaliuk
6dc8b0c6a7
Fix nightly PR CI configuration for Web UI tests
Add strip operator for test_suite definitions (in nightly_*.yaml) to prevent inserting line breaks.

https://pagure.io/freeipa/issue/7756

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-16 10:55:56 +01:00
Florence Blanc-Renaud
1ec404fafe freeipa.spec.in: add BuildRequires for python3-lib389
freeipa.spec.in is missing BuildRequires for python3-lib389. The
consequence is that make fasttest is failing.

Fixes https://pagure.io/freeipa/issue/7767

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-16 09:22:48 +01:00
sudharsanomprakash
0c0a392dd0 Don't use deprecated Apache Access options.
httpd-2.4+ has deprecated the Order, Allow and Deny directives. Use the Require directive instead.

Signed-off-by: Sudharsan Omprakash <sudharsan.omprakash@yahoo.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-11-15 17:52:10 -05:00
Christian Heimes
1e2c4d5bd1 Fix pytest deprecation warning
conftest uses the Function attribute of a pytest.Function object. Latest
pytest has deprecated the attribute:

  _pytest.warning_types.RemovedInPytest4Warning: usage of Function.Function
   is deprecated, please use pytest.Function instead

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-11-15 15:02:13 +01:00
Christian Heimes
13917ddc55 certdb: validate server cert signature
PR https://github.com/freeipa/freeipa/pull/2554 added the '-e' option for CA
cert validation. Let's also verify signature, key size, and signing algorithm
of server certs. With the '-e' option, the installer and other
tools will catch weak certs early.

Fixes: pagure.io/freeipa/issue/7761
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-11-14 07:57:13 +01:00
Alexander Bokovoy
ee52ceb98c Update translations from Zanata
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-13 17:43:28 +01:00
Florence Blanc-Renaud
14ad844bb1 ipatests: add missing tests in test_backup_and_restore.py
3 tests were missing from this test file in the nightly tests:
- TestBackupAndRestoreWithReplica
- TestBackupAndRestoreDMPassword
- TestReplicaInstallAfterRestore

one test was having the wrong name in nightly_rawhide:
TestUserRootFilesOwnershipPermission

Related to https://pagure.io/freeipa/issue/7743

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-13 15:16:35 +01:00
Fraser Tweedale
61e1d7a83b certdb: validate certificate signatures
When verifying a CA certificate, validate its signature.  This
causes FreeIPA to reject certificate chains with bad signatures,
signatures using unacceptable algorithms, or certificates with
unacceptable key sizes.  The '-e' option to 'certutil -V' was the
missing ingredient.

An an example of a problem prevented by this change, a certifiate
signed by a 1024-bit intermediate CA, would previously have been
imported by ipa-cacert-manage, but would cause Dogtag startup
failure due to failing self-test.  With this change,
ipa-cacert-manage will reject the certificate:

  # ipa-cacert-manage renew --external-cert-file /tmp/ipa.p7
  Importing the renewed CA certificate, please wait
  CA certificate CN=Certificate Authority,O=IPA.LOCAL 201809261455
  in /tmp/ipa.p7 is not valid: certutil: certificate is invalid: The
  certificate was signed using a signature algorithm that is
  disabled because it is not secure.

Fixes: https://pagure.io/freeipa/issue/7761
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-13 14:19:18 +01:00
Fraser Tweedale
a2a293ed2f Print correct subject on CA cert verification failure
In load_external_cert(), if verification fails for a certificate in
the trust chain, the error message contains the last subject name
from a previous iteration of the trust chain, instead of the subject
name of the current certificate.

To report the correct subject, look it up using the current
nickname.

Part of: https://pagure.io/freeipa/issue/7761

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-13 14:19:18 +01:00
Christian Heimes
3abfaa5754 Require pylint 2.1.1-2
pylint 2.1.1-2 contains a backport of pylint's fix for RHBZ#1648299:

  is_subclass_of fails with AttributeError: 'NoneType' object has no
  attribute 'name'

pylint 2.1.1-2 is in @freeipa/freeipa-master COPR.

See: https://github.com/PyCQA/pylint/pull/2429
See: https://bugzilla.redhat.com/show_bug.cgi?id=1648299
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 13:37:58 +01:00
Christian Heimes
ec61f5de3c Silence comparison-with-itself in tests
Test code performs comparison to itself in order to verify __eq__ and
__ne__ implementations.

See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 13:37:58 +01:00
Christian Heimes
dc2c71bff8 Fix raising-format-tuple
See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 13:37:58 +01:00
Christian Heimes
c00dd21106 Fix various dict related pylint warnings
* dict-keys-not-iterating
* dict-values-not-iterating
* dict-items-not-iterating
* dict-iter-method

See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 13:37:58 +01:00
Christian Heimes
1e569c4f46 Fix Module 'pytest' has no 'config' member
pytest.config is created dynamically.

See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 13:37:58 +01:00
Christian Heimes
713607769e Fix useless-import-alias
See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 13:37:58 +01:00
Christian Heimes
83cdd27f97 Fix comparison-with-callable
Pylint warns about comparing callable. Replace equality with identity
test.

See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 13:37:58 +01:00
Christian Heimes
496d1756c9 Address consider-using-in
Replace multiple comparisons with 'in' operation.

See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 13:37:58 +01:00
Christian Heimes
7bdc9badfd Ignore consider-using-enumerate for now
Ignore new consider-using-enumerate warning for now and clean up code
later.

See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 13:37:58 +01:00
Christian Heimes
85286beb5b Address inconsistent-return-statements
Pylint warns about inconsistent return statements when some paths of a
function return None implicitly. Make all implicit returns either
explicit or raise a proper exception.

See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 13:37:58 +01:00
Christian Heimes
8944458d3c Address pylint violations in lite-server
Teach pylint that env instance has lite_* members

See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 13:37:58 +01:00
Christian Heimes
e6d7f20039 Ignore W504 code style like in travis config
pycodestyle both complains about "W504 line break after binary operator"
and "W503 line break before binary operator" when all warnings are
enabled. FreeIPA already ignores W504 in travis config. Let's ignore it
in fastcheck, too.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 13:37:58 +01:00
Florence Blanc-Renaud
1dd98d2517 Revert "temp commit: run test_integration/test_caless.py::TestCertInstall"
This reverts commit 5483f9f6bb.
2018-11-13 13:22:54 +01:00
Florence Blanc-Renaud
5483f9f6bb temp commit: run test_integration/test_caless.py::TestCertInstall
Please remove before pushing

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 13:04:19 +01:00
Florence Blanc-Renaud
8b7e17aa16 ipatests: update tests for ipa-server-certinstall
The test test_http_intermediate_ca was expecting success when
it should expect a failure. Scenario:
- install IPA ca-less with certs signed by rootCA
- call ipa-server-certinstall with a cert signed by a subCA
to replace http cert.
In this case, the command should refust changing the cert
(otherwise the clients won't be able any more to use
ipa * commands as the subca is not installed in /etc/ipa/nssdb
or in /etc/ipa/ca.crt).

The commit fixes the test expectation and marks the test as
xfail (see ticket 7759).

The test test_ds_intermediate_ca was expecting success when
it should expect a failure. Same scenario as above, but for
the ldap server cert.

The commit fixes the test expectation and removes the xfail
(ticket 6959 was closed as invalid).

Note:
The behavior differs for ldap and http cert because LDAP server
is using a NSSDB and http server is using openssl, hence
ipa-server-certinstall follows 2 different code paths when
changing the server cert.

Related to https://pagure.io/freeipa/issue/7759
Related to https://pagure.io/freeipa/issue/6959

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 13:04:19 +01:00
Florence Blanc-Renaud
1be415cd04 ipatests: add missing tests for test_caless
Two tests were missing from nightly definition:
- test_caless.py::TestReplicaCALessToCAFull
- test_caless.py::TestServerCALessToExternalCA

Related to https://pagure.io/freeipa/issue/7743

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-13 12:42:38 +01:00
Florence Blanc-Renaud
da4c12c3e6 ipatests: add integration test for "Read radius servers" perm
Add a new integration test for the following scenario:
- create a user with the "User Administrator" role
- as this user, create a user with a --radius=<radius_proxy_server>

This scenario was previously failing because ipa user-add --radius
requires read access to the radius server entries, and there was no
permission granting this access.

Related to https://pagure.io/freeipa/issue/7570

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-13 12:40:44 +01:00
Florence Blanc-Renaud
5d603fce5d radiusproxy: add permission for reading radius proxy servers
A non-admin user which has the "User Administrator" role cannot
add a user with ipa user-add --radius=<proxy> because the
call needs to read the radius proxy server entries.

The fix adds a System permission for reading radius proxy server
entries (all attributes except the ipatokenradiussecret). This
permission is added to the already existing privileges "User
Administrators" and "Stage User Administrators", so that the role
"User Administrator" can call ipa [stage]user-add|mod --radius=<proxy>

Fixes: https://pagure.io/freeipa/issue/7570
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-13 12:40:44 +01:00
Florence Blanc-Renaud
1c2c2ee6f8 tests: add xmlrpc test for ipa user-add --radius-username
Add a xmlrpc test for ipa user-add/user-mod --radius-username
The command were previously failing because the objectclass
ipatokenradiusproxyuser was not automatically added when the
attribute ipatokenRadiusUserName was added to the entry.

The test ensures that the command is now succeeding.

Related to https://pagure.io/freeipa/issue/7569

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-13 12:40:44 +01:00
Florence Blanc-Renaud
19cd960387 ipa user-add: add optional objectclass for radius-username
The command "ipa user-add --radius-username" fails with
ipa: ERROR: attribute "ipatokenRadiusUserName" not allowed
because it does not add the objectclass ipatokenradiusproxyuser
that is required by the attribute ipatokenradiususername.

The issue happens with ipa user-add / stageuser-add / user-mod / stageuser-mod.

The fix adds the objectclass when needed in the pre_common_callback method
of baseuser_add and baseuser_mod (ensuring that user and stageuser commands
are fixed).

Fixes https://pagure.io/freeipa/issue/7569

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-13 12:40:44 +01:00
Christian Heimes
d39bb65a2f Remove DS perl paths from debian platform
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 12:07:27 +01:00
Christian Heimes
a606b44f3a Drop dependency on 389-ds-base-legacy-tools
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 12:07:27 +01:00
Stanislav Laznicka
8fb63966cd Use the newer way of removing the DS instance
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 12:07:27 +01:00
Stanislav Laznicka
e8342d414d DS install: don't fail if SSL already configured
DS now comes with certain SSL capabilities turned on after
installation. Previously, we did not expect this and were
blindly forcing everything on without checking, whether it
needs turning on. This would result in failures if the
config entries are already set the way we want. Relax this
configuration.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 12:07:27 +01:00
Stanislav Laznicka
104ef413ed DS install: fix DS asking for NSS pin during install
DS now comes with nsslapd-security turned on and its own CA
cert in its NSS database. We're re-setting the NSS database
and setting our own CA cert to it, the DS pin file therefore
needs to be updated with the new password after this reset.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 12:07:27 +01:00
Stanislav Laznicka
56f8e20013 DS uninstall: fix serverid missing in state restore
During uninstallation, we're using serverid which we get from
sysrestore.state. This was not set in the newer install,
return it back.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 12:07:27 +01:00