Commit Graph

12001 Commits

Author SHA1 Message Date
Rob Crittenden
64fca87a52 Remove the Continuous installer class, it is unused
https://pagure.io/freeipa/issue/7330

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-03-19 17:38:41 +01:00
Rob Crittenden
68c7b03689 Return a value if exceptions are raised in server uninstall
The AdminTool class purports to "call sys.exit() with the return
value" but most of the run implementations returned no value, or
the methods they called returned nothing so there was nothing to
return, so this was a no-op.

The fix is to capture and bubble up the return values which will
return 1 if any exceptions are caught.

This potentially affects other users in that when executing the
steps of an installer or uninstaller the highest return code
will be the exit value of that installer.

Don't use the Continuous class because it doesn't add any
value and makes catching the exceptions more difficult.

https://pagure.io/freeipa/issue/7330

Signed-off-by: Rob Crittenden rcritten@redhat.com
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-03-19 17:38:41 +01:00
Christian Heimes
2b47f8994f Require Dogtag PKI >= 10.6
Dogtag 10.6.0-0.2 contains SQL NSS DB fixes and full Python 3 support.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-03-19 15:48:46 +01:00
Christian Heimes
3871fe6de5 Keep owner when backing up CA.cfg
DogtagInstance.backup_config uses shutil.copy to create a backup of the
config file. The function does not retain owner and group, so it creates a
backup as user and group root:root.

Closes: https://pagure.io/freeipa/issue/7426
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
2018-03-19 15:46:56 +01:00
Christian Heimes
ce8ec5028a Pylint 1.8.3 fixes
Teach pylint more about the internals of API to fix various issues with
pylint 1.8.3.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-03-19 10:58:48 +01:00
Rob Crittenden
3bb3e7555d VERSION.m4: Set back to git snapshot 2018-03-16 14:20:33 -04:00
Rob Crittenden
8946bf2654 Become IPA 4.6.90.pre1 2018-03-16 12:44:32 -04:00
Rob Crittenden
d646861590 Update Contributors.txt
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
2018-03-16 11:35:10 -04:00
Alexey Slaykovsky
c450e2dc8f Make WebUI unit tests to generate results as JUnit
Now WebUI unit tests are generating results in qunit format which
is not consumable well by Jenkins.

This patch adds NPM dependency for adding generation results in
JUnit XML format so it can be easily processed.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-03-16 14:26:48 +01:00
Christian Heimes
69599560c1 Relax message check in test_create_host_with_ip
On Travis CI, the DNS update in test case test_create_host_with_ip may fail
with different error messages. Relax the error message check and just
check that the test case is hitting a DNS update failure.

This fixes a flaky test case on CI.

Closes: https://pagure.io/freeipa/issue/7447
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-03-16 14:25:37 +01:00
Christian Heimes
75f7b7b5e6 Make fasttest pass without ~/.ipa/default.conf
Some fast tests depend on an api.env with realm, domain, and host. On
machines without ~/.ipa/default.conf, the settings are not available.
Provide dummy values to make tests pass.

Closes: https://pagure.io/freeipa/issue/7432
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Aleksei Slaikovskii <aslaikov@redhat.com>
2018-03-16 11:50:41 +01:00
Brian J. Murrell
d7c23a3ba6 Move ETag disabling to /ipa virtual server
This moves the ETag disabling so that it's specific to the /ipa
virtual server rather than being applied to all virtual servers on the machine.

This enables better co-existence with other virtual servers that want ETags.

Signed-off-by: Brian J. Murrell <brian@interlinx.bc.ca>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-03-16 08:01:53 +01:00
Rob Crittenden
bfd1170118 Redirect CRL requests to the http port, not the https port
https://pagure.io/freeipa/issue/7433

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-03-16 07:42:07 +01:00
Christian Heimes
7a03a4e9a4 Instrument installer to profile steps
Installer now prints runtime of each step / part to install log.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-03-16 07:33:58 +01:00
Christian Heimes
fa94ef0412 autoconf prefers Python 3 over 2
The configure script now looks for Python 3.6 or newer, then falls back
to Python 2. All Makefile default to Python 3 if Python 3 is available.

See: pagure.io/freeipa/issue/7131
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-03-15 12:57:00 +01:00
Christian Heimes
fd9ede5296 Simplify Python package installation
Move logic for installing just the Python packages out of the spec file
and into our root Makefile. It removes code duplication to simplify a
spec file that supports building without Python 2.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-03-15 12:57:00 +01:00
Felipe Barreto
9a6a90bbdf prci: Bump ci-master-f27 template to 1.0.3
This enable us to run WebUI tests

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-03-15 09:26:56 +01:00
Felipe Barreto
5ef49ffcbc Adding more tests to PR CI
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-03-15 09:26:56 +01:00
amitkuma
a3060b5238 Error message while adding idrange with untrusted domain
While trying to add idrange with untrusted domain name error
message is misleading.

Changing the error message to:
invalid 'ID Range setup':Specified trusted domain
name could not be found.

Resolves: https://pagure.io/freeipa/issue/5078
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
2018-03-15 07:31:37 +01:00
Robbie Harwood
bffcef6bbd Log errors from NSS during FIPS OTP key import
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-03-14 13:05:17 -04:00
Felipe Barreto
2c05e42af6 Fixing cleanup process in test_caless
After commit bbe615e12c278f9cddaeb38e80b970bf14d9b32d, if the uninstall
process fails (in the test cleanup) the error is not hidden anymore.

That brought light to errors in the cleanup process on
TestReplicaInstall test, like this:
```
RUN ['ipa-server-install', '--uninstall', '-U']
ipapython.admintool: ERROR    Server removal aborted:
Replication topology in suffix 'domain' is disconnected:
Topology does not allow server master.ipa.test to replicate with servers:
    replica0.ipa.test.
ipapython.admintool: ERROR    The ipa-server-install command failed
```

This commit changes the order of how a replica should be removed from
the topology.

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-03-14 12:28:16 +01:00
Michal Reznik
5a04936f47 test_caless: adjust try/except to capture also IOError
While testing on RHEL we are getting IOError instead of OSError.
Add also IOError to except clause.

This is mostly for compatibility reasons however should not cause
any issue as IOError is alias for OSError on Python3.

https://pagure.io/freeipa/issue/7439

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-03-14 12:26:42 +01:00
Florence Blanc-Renaud
105e774914 ipa-restore: remove /etc/httpd/conf.d/nss.conf
When ipa-restore is called, it needs to delete the file
nss.conf, otherwise httpd server will try to initialize
the NSS engine and access NSSCertificateDatabase.
This is a regression introduced with the switch from NSS
to SSL.

https://pagure.io/freeipa/issue/7440

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-03-14 12:25:04 +01:00
Stanislav Laznicka
7960352f1c Backup HTTPD's mod_ssl config and cert-key pair
https://pagure.io/freeipa/issue/3757

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-03-13 10:52:41 +01:00
Michal Reznik
317c20e9dc
ipa_tests: test signing request with subca on replica
test to verify that replica is able to sign a certificate with
new sub CA.

https://pagure.io/freeipa/issue/7387

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-03-13 10:37:30 +01:00
Florence Blanc-Renaud
54ea4aade6 ipa-server-install: handle error when calling kdb5_util create
ipa-server-install creates the kerberos container by calling
kdb5_util create -s -r $REALM -x ipa-setup-override-restrictions

but does not react on failure of this command. The installer fails later
when trying to create a ldap principal, and it is difficult to diagnose the
root cause.

The fix raises a RuntimeException when kdb5_util fails, to make sure
that the installer exits immediately with a proper error message.

Note: no test added because there is no easy reproducer. One would need to
stop dirsrv just before calling kdb5_util to simulate a failure.

https://pagure.io/freeipa/issue/7438

Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2018-03-13 10:09:13 +01:00
Nathaniel McCallum
d498d7272d Revert "Don't allow OTP or RADIUS in FIPS mode"
This reverts commit 16a952a0a4.

OTP now works in FIPS mode. RADIUS can be made to be compliant by wrapping
traffic in a VPN.

https://pagure.io/freeipa/issue/7168
https://pagure.io/freeipa/issue/7243

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-03-12 13:29:19 -04:00
Nathaniel McCallum
a01a24ce5a Increase the default token key size
The previous default token key size would fail in FIPS mode for the sha384
and sha512 algorithms. With the updated key size, the default will work in
all cases.

https://pagure.io/freeipa/issue/7168

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-03-12 13:29:19 -04:00
Nathaniel McCallum
c9c58f2d35 Fix OTP validation in FIPS mode
NSS doesn't allow keys to be loaded directly in FIPS mode. To work around
this, we encrypt the input key using an ephemeral key and then unwrap the
encrypted key.

https://pagure.io/freeipa/issue/7168

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-03-12 13:29:19 -04:00
Ganna Kaihorodova
9797309ef9
Overide trust methods for integration tests
Overide trust method test_establish_trust_with_posix_attributes to test_establish_trust.
Windows Server 2016 doesn't have support for MFU/NIS, so autodetection is not working

https://pagure.io/freeipa/issue/7313

Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
2018-03-08 09:05:01 +01:00
Tibor Dudlák
2b17a086d0
Do not check deleted files with make fastlint
when any file from FreeIPA tree has been deleted there was
a failure like:
 pylint
 ------
 ************* Module ipaserver/install/ntpinstance.py
 ipaserver/install/ntpinstance.py:1: [F0001(fatal), ] No module named ipaserver/install/ntpinstance.py)
Adding --diff-filter to fastlint will not list deleted files
in git diff --names-only output to not include not existing
files to checklist.

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-03-08 08:57:55 +01:00
Fraser Tweedale
3650e3b955 upgrade: remove fix_trust_flags procedure
The fix_trust_flags upgrade procedure pertains to the old Apache
mod_nss setup.  With the move to mod_ssl, it now raises an
exception, so remove it.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-03-07 12:31:04 +01:00
Rob Crittenden
95a45a2b09 Don't try to backup CS.cfg during upgrade if CA is not configured
https://pagure.io/freeipa/issue/7409

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-03-06 14:17:16 -05:00
Stanislav Laznicka
c9c41d2d90
vault: fix vault-retrieve to a file
`data` is bytes but we were opening the "--out" file as
a text.

https://pagure.io/freeipa/issue/7430

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-03-06 13:00:23 +01:00
amitkuma
e6ca3b0c73 Removing extra spaces present in man ipa-server-install
There are extras space present in man page. PR removes
identified extra spaces.

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-03-06 10:11:52 +01:00
Michal Reznik
2a50a7daf0 tests: ca-less to ca-full - remove certupdate
After commits 8960141 and 97942a7 we do not need to run
ipa-certupdate command anymore when switching to ca-full.

This patch removes the above mentioned commands in order to
properly test the scenario.

https://pagure.io/freeipa/issue/7309

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-02-26 10:11:33 +01:00
Christian Heimes
cfe4150b22 Move DNS related files to server-dns package
The freeipa-server package was shipping files that are only used by
freeipa-server-dns.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-26 10:03:00 +01:00
Florence Blanc-Renaud
4295df17a4 ipa host-add: do not raise exception when reverse record not added
When ipa host-add --random is unable to add a reverse record (for instance
because the server does not manage any reverse zone), the command
adds the host but exits (return code=1) with an error without actually
outputing the random password generated.
With this fix, the behavior is modified. The commands succeeds (return code=0)
but prints a warning.

This commit also adds a unit test.

https://pagure.io/freeipa/issue/7374

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-02-23 14:39:34 +01:00
Christian Heimes
642712f9c4 Silence GCC warning in ipa_extdom
NSS_STATUS_RETURN is an internal value but GCC doesn't know that.

ipa_extdom_common.c:103:5: warning: enumeration value ‘NSS_STATUS_RETURN’ not handled in switch [-Wswitch]

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-02-23 14:38:20 +01:00
Christian Heimes
d749723a14 Silence GCC warning in ipa-kdb
The ipadb_free() and ipadb_alloc() functions are only used with
KRB5_KDB_DAL_MAJOR_VERSION 5.

ipa_kdb.c:639:13: warning: ‘ipadb_free’ defined but not used [-Wunused-function]
ipa_kdb.c:634:14: warning: ‘ipadb_alloc’ defined but not used [-Wunused-function]

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-02-23 14:38:20 +01:00
Rob Crittenden
0aaee0a97f Don't return None on mismatched interactive passwords
This will cause the command to continue with no password set
at all which is not what we want.

We want to loop forever until the passwords match or the
user gives up and types ^D or ^C.

https://pagure.io/freeipa/issue/7383

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-02-23 14:22:40 +01:00
Christian Heimes
df99af4a68 Remove unused modutils wrappers from NSS/CertDB
The disable system trust feature is no longer used.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-23 11:04:10 +01:00
Christian Heimes
a8555d42a4 Update /etc/ipa/nssdb in client scripts
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-23 11:04:10 +01:00
Christian Heimes
66a32d8931 NSS: Force restore of SELinux context
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-23 11:04:10 +01:00
Christian Heimes
492e3c9b1e NSSDB: Let certutil decide its default db type
CertDB no longer makes any assumptions about the default db type of a NSS
DB. Instead it let's certutil decide when dbtype is set to 'auto'. This
makes it much easier to support F27 and F28 from a single code base.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-23 11:04:10 +01:00
Christian Heimes
c5fb6c8502 Prepare migration of mod_nss NSSDB to sql format
- Refactor CertDB to look up values from its NSSDatabase.
- Add run_modutil() helpers to support sql format. modutil does not
  auto-detect the NSSDB format.
- Add migration helpers to CertDB.
- Add explicit DB format to NSSCertificateDatabase stanza
- Restore SELinux context when migrating NSSDB.
- Add some debugging and sanity checks to httpinstance.

The actual database format is still dbm. Certmonger on Fedora 27 does
neither auto-detect DB format nor support SQL out of the box.

https://pagure.io/freeipa/issue/7354

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-23 11:04:10 +01:00
Christian Heimes
88fd3f9435 certmonger: Use explicit storage format
Add storage='NSSDB' to various places. It makes it a bit easier to track
down NSSDB usage.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-23 11:04:10 +01:00
Christian Heimes
2d8d5ad8d9 Remove deprecated -p option from ipa-dns-install
The option has been deprecated since at least freeIPA release 4.3.0 when
the installer was changed to use LDAPI.

See: https://pagure.io/freeipa/issue/4933
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-23 09:29:43 +01:00
Petr Vobornik
f7b2342426 webui: hbactest: add tooltips to 'enabled' and 'disabled' checkboxes
"Include enabled" and "Include disabled" checkboxes on "Rules" tab
of HBAC Test Web UI page don't have any descriptions. It is not
clear what they do from only the labels.

This patch adds tooltips with metadata doc text of respected API
options. I.e. in practice it adds the same as CLI help when user
hovers over the checkbox label.

  --enabled        Include all enabled IPA rules into test [default]
  --disabled       Include all disabled IPA rules into test

Reviewed-By: Felipe Barreto <fbarreto@redhat.com>
2018-02-22 16:27:11 -03:00
Petr Vobornik
efaa48e455 Revert "temp commit to run the affected tests"
This reverts commit db2222fee4.

Temp commit was acked by accident. It should have been removed after
ack of approach of PR 1596. But the PR should not have been ACKed.
2018-02-21 09:50:59 +01:00