File httpd.service was created by RPM, what causes that httpd service may
fail due IPA specific configuration even if IPA wasn't installed or was
uninstalled (without erasing RPMs).
With this patch httpd service is configured by httpd.d/ipa.conf during
IPA installation and this config is removed by uninstaller, so no
residual http configuration related to IPA should stay there.
https://fedorahosted.org/freeipa/ticket/5681
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The context manager was leaving API object disconnected when
an exception was raised inside of it. This led to resource leak
in the tests.
https://fedorahosted.org/freeipa/ticket/5733
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The caacl HBAC request is correct when just the username is given,
but the full 'user@REALM' form was not handled correctly.
Fixes: https://fedorahosted.org/freeipa/ticket/5733
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Fixed a false negative related to replication taking some time: added
wait_for_replication call before checking for new object in replicas.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
ipa-replica-prepare could crash during addition of replica's PTR records if
there was no reverse zone managed by IPA and 'bindinstance.find_reverse_zone'
returns an unhandled None. The code will now issue a warning and skip the PTR
record addition in this case.
https://fedorahosted.org/freeipa/ticket/5740
Reviewed-By: Martin Basti <mbasti@redhat.com>
- User is now notified about "Kerberos Principal expiration" message instead of
"Wrong username or password" message.
- User is also notified about "Invalid password" message instead of
generic error message.
https://fedorahosted.org/freeipa/ticket/5077
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
These two options allow preventing clickjacking attacks. They don't allow
open FreeIPA in frame, iframe or object element.
https://fedorahosted.org/freeipa/ticket/4631
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Netifaces allows to get addresses from local interfaces of the host in
safer way than parsing output of the ip command.
https://fedorahosted.org/freeipa/ticket/5591
Reviewed-By: David Kupka <dkupka@redhat.com>
API commands inheriting from LDAPSearch should mention which limit was
exceeded in the warning message sent with truncated results.
https://fedorahosted.org/freeipa/ticket/5677
Reviewed-By: Petr Spacek <pspacek@redhat.com>
When LDAP search fails on exceeded limits, we should raise an specific
exception for the type of limit raised (size, time, administrative) so that
the consumer can distinguish between e.g. searches returning too many entries
and those timing out.
https://fedorahosted.org/freeipa/ticket/5677
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Clarify that dns removes only A, AAAA, PTR, SSHFP records of the host(s) managed by IPA DNS.
https://fedorahosted.org/freeipa/ticket/5675
Reviewed-By: Petr Spacek <pspacek@redhat.com>
only A, AAAA, SSHPF and PTR records are managed by IPA. The other
records should be removed by user.
https://fedorahosted.org/freeipa/ticket/5675
Reviewed-By: Petr Spacek <pspacek@redhat.com>
This command has no effect in that block of code, dnsrecord_show is
enough for detection if records exists.
https://fedorahosted.org/freeipa/ticket/5675
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Due the configuration of dnsrecord_find, it works as dnsrecord-show,
thus it can be replaced.
https://fedorahosted.org/freeipa/ticket/5675
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Originally only the first A/AAAA record is removed, and one other record. This commit fixes it
and all records are removed.
https://fedorahosted.org/freeipa/ticket/5675
Reviewed-By: Petr Spacek <pspacek@redhat.com>
This pre_callback contains method to preprocessing usercertificate that
was not called during stageuser-add. This commit adds missing
pre_common_callback call to stageuser_add.
https://fedorahosted.org/freeipa/ticket/5759
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The following testcases were automated:
1. Test one command replica installation
2. Test csreplica-manage-(del, connect, disconnect) are disabled in domain
level 1
3. Client enrollment and replica promotion by an unprivileged user are
prohibited
4. Replica uninstallation is prohibited if it disconnects a part of existing
topology (is possible only with --ignore-topology-disconnect option)
https://fedorahosted.org/freeipa/ticket/5723
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The python-qrcode print_ascii() method does not work in terminals with
non-UTF-8 encoding. When this is the case do not render QR code but print a
warning instead. Also print a warning when the QR code size is greater that
terminal width if the output is a tty.
https://fedorahosted.org/freeipa/ticket/5700
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Some integration tests expect the members of topology to have the testfolder.
The testfolder however was created during master and client installations. In
case the client is not intalled from the very beginning of the test execution,
the test would complain about missing testfolder.
https://fedorahosted.org/freeipa/ticket/5723
Reviewed-By: Martin Basti <mbasti@redhat.com>
Those values differ among distributions and there is no guarantee that they're
reserved. It's better to look them up based on HTTPD_USER's name.
https://fedorahosted.org/freeipa/ticket/5712
Reviewed-By: Martin Basti <mbasti@redhat.com>
Trying to install the package depending on python-polib breaks
when the system has newer (and renamed) version python2-polib.
*This patch is an workaround* for the issue described in [1].
If a renamed package's provides is equal to an older package's
name, dnf tries to install the older package.
When the newer package is in the system, this leads to a conflict.
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1096506
Reviewed-By: Martin Basti <mbasti@redhat.com>
Use ipaplatform.constants in every corner instead of importing other bits or calling
some platform specific things, and remove most of the remaining hardcoded uid's.
https://fedorahosted.org/freeipa/ticket/5343
Reviewed-By: David Kupka <dkupka@redhat.com>
teardown_method is a standard pytest method used to put any code to be executed
after each test method is executed. While treated correctly by our integration
tests, this method is misinterpreted by in-tree tests in the following way:
in-tree tests try to execute it even if all the test methods are skipped due to
test resources being not configured. This causes the tests, that otherwise would
have been skipped, to fail
https://fedorahosted.org/freeipa/ticket/5723
Reviewed-By: Martin Basti <mbasti@redhat.com>
The size of svg element is calculated when the topology graph facet is load
and then every time when the window is resized. The resize event listener
is removed after the topology graph facet emits hide event.
https://fedorahosted.org/freeipa/ticket/5647
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Regression caused by commit 491447cc5a,
ValueErrori and AttributeError are too much specific for these cases, multiple types of
exception can be raised.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>