Commit Graph

14748 Commits

Author SHA1 Message Date
Alexander Bokovoy
35ab6567af ipatests: fix race condition in finalizer of encrypted backup test
When using a fixture, we get a temporary directory created and then
removed by pytest. Pytest uses `shutil.rmtree` call which collects all
files in the directory being removed and then removes them one by one.
At the point of removal of our GNUPGHOME directory, gpg daemon is being
shut down and there might still be an agent UNIX domain socket. The
removal actually overlaps in time with shut down of the gpg daemon, thus
causing `shutil.rmtree()` to fail when an agent UNIX domain socket is
removed by the daemon.

Change the way we run the gpg agent to use a temporary systemd
service. Stop the service in the finalizer method so that systemd would
send SIGTERM signal and the gpg agent would clean itself up.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2020-12-23 15:37:10 +02:00
Alexander Bokovoy
38823e9091 ipaplatform: add constant for systemd-run binary
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2020-12-23 15:37:10 +02:00
Florence Blanc-Renaud
e7949e2a0f ipatests: fix expected error message in test_commands
389ds does not return any more additional information
about a failing bind (to avoid leaking information).

As a consequence, when ipa-nis-manage is provided a
wrong password, the error message contains less info
than in the past and needs to be fixed.

Fixes: https://pagure.io/freeipa/issue/8631
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
2020-12-23 14:01:43 +01:00
Florence Blanc-Renaud
d0a1606e77 ipatests: remove test_acme from gating
test_acme is not stable and often needs to be
launched multiple times. Remove the test from gating
until the issue is fixed.

Related: https://pagure.io/freeipa/issue/8602
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
2020-12-23 13:59:29 +01:00
Alexander Bokovoy
4c4f16fc9c odsexporterinstance: use late binding for UID/GID resolution
Move actual resolution of UID/GID values for 'ods' entities to the code
that needs them. This prevents failures when uninstalling IPA server set
up without DNS feature. In particular, 'ods' user and group are created
when 'opendnssec' package is installed and if 'opendnssec' package is
not installed, uninstall fails in OpenDNSSEC Exporter instance
constructor.

We use common pattern of checking the service during uninstall:

 svc = SVCClass()
 if svc.is_configured():
    svc.uninstall()

Thus, service class constructor must not do UID/GID resolution.

Fixes: https://pagure.io/freeipa/issue/8630

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2020-12-22 14:05:13 +02:00
Alexander Bokovoy
b6a645338c dnskeysyncinstance: use late binding for UID/GID resolution
Move actual resolution of UID/GID values for 'ods' and 'named' entities
to the code that needs them. This prevents failures when uninstalling
IPA server set up without DNS feature. In particular, 'named' group is
created when 'bind' package is installed and if 'bind' package is not
installed, uninstall fails in OpenDNSSEC instance constructor.

We use common pattern for all services during uninstall:

 svc = SVCClass(..)
 if svc.is_configured():
     svc.uninstall()

This requires that the class constructor should not rely on artifacts
that only exist when the service is configured.

Fixes: https://pagure.io/freeipa/issue/8630

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2020-12-22 14:05:13 +02:00
Alexander Bokovoy
8e16a1d169 opendnssecinstance: use late binding for UID/GID resolution
Move actual resolution of UID/GID values for 'ods' and 'named' entities
to the code that needs them. This prevents failures when uninstalling
IPA server set up without DNS feature. In particular, 'named' group is
created when 'bind' package is installed and if 'bind' package is not
installed, uninstall fails in OpenDNSSEC instance constructor.

We use common pattern for all services during uninstall:

 svc = SVCClass(..)
 if svc.is_configured():
     svc.uninstall()

This requires that the class constructor should not rely on artifacts
that only exist when the service is configured.

Fixes: https://pagure.io/freeipa/issue/8630

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2020-12-22 14:05:13 +02:00
Alexander Bokovoy
705f564eb6 tests_webui: fix wrong user name key for trail space case
User name for trail space key was using the name for lead space key.
As a result, when both tests were transformed, second one was
unsuccessful as the original user was already created.

Fix the user name data according to the test.

Fixes: https://pagure.io/freeipa/issue/8629
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-12-21 22:32:39 +02:00
Alexander Bokovoy
2c98105cf2 tests_webui: flip leading and trailing space password test
With commit 809d9cb80f we now allow
leading and trailing space in passwords. Fix Web UI tests to follow this
change.

Fixes: https://pagure.io/freeipa/issue/8629
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-12-21 22:32:39 +02:00
François Cami
9ce2fe4474 set SELinux back to Permissive in gating.xml
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-12-19 23:11:42 +02:00
Carl George
6ae1a05ee1 Use uglifyjs on CentOS too
Only checking for ID to equal "rhel" causes build failures on CentOS
Stream.  Instead check both ID and ID_LIKE.  This should also work later
on when rebuilds like CentOS Linux get this update.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-12-19 14:51:58 +02:00
Alexander Bokovoy
8c681a494a Update IPA translation template before release
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-19 11:04:21 +02:00
Alexander Bokovoy
1376da66b3 Update po/zh_CN translation before release
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-19 11:04:21 +02:00
Alexander Bokovoy
447924bbe7 Update po/uk translation before release
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-19 11:04:21 +02:00
Alexander Bokovoy
8e8ea95259 Update po/tr translation before release
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-19 11:04:21 +02:00
Alexander Bokovoy
89b1f944ae Update po/tg translation before release
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-19 11:04:21 +02:00
Alexander Bokovoy
68adc9fda8 Update po/sk translation before release
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-19 11:04:21 +02:00
Alexander Bokovoy
da128de17a Update po/ru translation before release
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-19 11:04:21 +02:00
Alexander Bokovoy
137dc3cea2 Update po/pt translation before release
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-19 11:04:21 +02:00
Alexander Bokovoy
27ca65c0f4 Update po/pt_BR translation before release
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-19 11:04:21 +02:00
Alexander Bokovoy
de3f22ad2d Update po/pl translation before release
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-19 11:04:21 +02:00
Alexander Bokovoy
762cab3075 Update po/pa translation before release
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-19 11:04:21 +02:00
Alexander Bokovoy
e382dcb483 Update po/nl translation before release
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-19 11:04:21 +02:00
Alexander Bokovoy
4567f3d86a Update po/mr translation before release
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-19 11:04:21 +02:00
Alexander Bokovoy
30d783ca4b Update po/kn translation before release
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-19 11:04:21 +02:00
Alexander Bokovoy
6a372914b7 Update po/ja translation before release
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-19 11:04:21 +02:00
Alexander Bokovoy
ebebb9fa8a Update po/id translation before release
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-19 11:04:21 +02:00
Alexander Bokovoy
eeeb69105a Update po/hu translation before release
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-19 11:04:21 +02:00
Alexander Bokovoy
1c591f7df1 Update po/hi translation before release
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-19 11:04:21 +02:00
Alexander Bokovoy
ffd21b0185 Update po/fr translation before release
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-19 11:04:21 +02:00
Alexander Bokovoy
db5c16656d Update po/eu translation before release
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-19 11:04:21 +02:00
Alexander Bokovoy
e5bdda2416 Update po/es translation before release
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-19 11:04:21 +02:00
Alexander Bokovoy
dbfaf9b1d4 Update po/en_GB translation before release
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-19 11:04:21 +02:00
Alexander Bokovoy
daaa8bbea2 Update po/de translation before release
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-19 11:04:21 +02:00
Alexander Bokovoy
68062f277c Update po/cs translation before release
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-19 11:04:21 +02:00
Alexander Bokovoy
76bd7715bb Update po/ca translation before release
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-19 11:04:21 +02:00
Alexander Bokovoy
ef1a7009b8 Update po/bn_IN translation before release
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-19 11:04:21 +02:00
Christian Heimes
a297097bc2 Change mkdir logic in DNSSEC
- Create /var/named/dyndb-ldap/ipa/master/ early
- Assume that /var/named/dyndb-ldap/ipa/master/ exists in BINDMgr.sync()

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-12-18 20:40:36 +02:00
Slava Aseev
4c0398433e ipa-kdb: handle dates up to 2106-02-07 06:28:16
krb5 uses the negative part of krb5_timestamp to store time values
after 2038:
https://k5wiki.kerberos.org/wiki/Projects/Timestamps_after_2038
In other words, krb5 uses krb5_timestamp (signed int) with
unsigned arithmetic for expanding the timestamp's upper bound.

This commit:
  - adds some helper functions for working with krb5_timestamp as
    unsigned (actually copied from
    https://github.com/krb5/krb5/blob/master/src/include/k5-int.h)
  - replaces operations with krb5_timestamp's by these new functions

Fixes: https://pagure.io/freeipa/issue/8028
Signed-off-by: Slava Aseev <ptrnine@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2020-12-18 20:38:40 +02:00
Timo Aaltonen
5783a8822c ipaplatform: Use gpg instead of gpg2
'gpg2' is a convenience symlink on Debian, provided by a package that
will go away eventually. 'gpg' is available everywhere.

Signed-off-by: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-12-18 20:37:10 +02:00
Timo Aaltonen
483315868b Debian: Fix chrony service name
Signed-off-by: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-12-18 20:37:10 +02:00
Timo Aaltonen
7dbe6e4fe3 Debian: Fix paths and service names for bind 9.16
Got changed for 9.16 and up.

Signed-off-by: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-12-18 20:37:10 +02:00
François Cami
f83195f5c1 set SELinux to Enforcing in gating.xml
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-18 20:35:15 +02:00
Vit Mojzis
b9d3860c8a selinux: Fix/waive issues reported by SELint
- order permissions alphabetically
- do not use semicolon after interfaces
- gen_require should only be used in interfaces
-- to resolve this issue, corresponding changes have to be made in
distribution policy instead of ipa module - disabling check

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-18 20:35:15 +02:00
Antonio Torres Moríñigo
57ec5f4cc2 ipatests: test that trailing/leading whitespaces in passwords are allowed
Add test to ensure that strings with trailing or leading
whitespaces are allowed as valid passwords.

Signed-off-by: Antonio Torres Moríñigo <atorresm@protonmail.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-12-18 16:47:59 +02:00
Antonio Torres Moríñigo
809d9cb80f Allow leading/trailing whitespaces in passwords
kwargs is redefined to set the `noextrawhitespace` parameter
from the Str class to `False`.

Fixes: https://pagure.io/freeipa/issue/7599

Signed-off-by: Antonio Torres Moríñigo <atorresm@protonmail.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-12-18 16:47:59 +02:00
François Cami
e7827a6f0c ipa-client-install: unilaterally set dns_lookup_kdc to True
Previously, dns_lookup_kdc was only set to True if DNS
discovery worked or if the KDC was not specified on the
command-line.

Setting dns_lookup_kdc to False would result in a hardcoded
configuration which is less reliable in the long run.
For instance, adding a trust to an Active Directory forest
after clients are enrolled would result in clients not being
able to authenticate AD users. Recycling FreeIPA servers
could prove problematic if the original hostnames are not
reused too.

Change summary:
Always set dns_lookup_kdc to True on client enrollment.
With this change, DNS SRV search will always be performed
before looking into /etc/krb5.conf realm entries.

Fixes: https://pagure.io/freeipa/issue/6523
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-12-18 13:35:06 +02:00
François Cami
18a1e7ee5c ipatests: make sure dns_lookup_kdc is always true
Previously, dns_lookup_kdc was only set to True if DNS
discovery worked or if the KDC was not specified on the
command-line.

Make sure dns_lookup_kdc is always set to true.

Fixes: https://pagure.io/freeipa/issue/6523
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-12-18 13:35:06 +02:00
Alexander Bokovoy
f841ccb352 upgrade: ensure service state is synchronized with the server state
Convert configuredService to either enabledService or hiddenService
depending on the state of the server role.  This is to fix situations
when deployment has happened before introduction of hidden replicas
as those services will stay as configuredService and will not get
started after upgrade, rendering the system non-functioning.

Fixes: https://pagure.io/freeipa/issue/8623

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-12-18 13:33:44 +02:00
Alexander Bokovoy
fccceaa2d9 upgrade: do not overshadow service module in upgrade_configuration
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-12-18 13:33:44 +02:00