The AdminTool class purports to "call sys.exit() with the return
value" but most of the run implementations returned no value, or
the methods they called returned nothing so there was nothing to
return, so this was a no-op.
The fix is to capture and bubble up the return values which will
return 1 if any exceptions are caught.
This potentially affects other users in that when executing the
steps of an installer or uninstaller the highest return code
will be the exit value of that installer.
Don't use the Continuous class because it doesn't add any
value and makes catching the exceptions more difficult.
https://pagure.io/freeipa/issue/7330
Signed-off-by: Rob Crittenden rcritten@redhat.com
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Dogtag 10.6.0-0.2 contains SQL NSS DB fixes and full Python 3 support.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
DogtagInstance.backup_config uses shutil.copy to create a backup of the
config file. The function does not retain owner and group, so it creates a
backup as user and group root:root.
Closes: https://pagure.io/freeipa/issue/7426
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
Teach pylint more about the internals of API to fix various issues with
pylint 1.8.3.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Now WebUI unit tests are generating results in qunit format which
is not consumable well by Jenkins.
This patch adds NPM dependency for adding generation results in
JUnit XML format so it can be easily processed.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
On Travis CI, the DNS update in test case test_create_host_with_ip may fail
with different error messages. Relax the error message check and just
check that the test case is hitting a DNS update failure.
This fixes a flaky test case on CI.
Closes: https://pagure.io/freeipa/issue/7447
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Some fast tests depend on an api.env with realm, domain, and host. On
machines without ~/.ipa/default.conf, the settings are not available.
Provide dummy values to make tests pass.
Closes: https://pagure.io/freeipa/issue/7432
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Aleksei Slaikovskii <aslaikov@redhat.com>
This moves the ETag disabling so that it's specific to the /ipa
virtual server rather than being applied to all virtual servers on the machine.
This enables better co-existence with other virtual servers that want ETags.
Signed-off-by: Brian J. Murrell <brian@interlinx.bc.ca>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Installer now prints runtime of each step / part to install log.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The configure script now looks for Python 3.6 or newer, then falls back
to Python 2. All Makefile default to Python 3 if Python 3 is available.
See: pagure.io/freeipa/issue/7131
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Move logic for installing just the Python packages out of the spec file
and into our root Makefile. It removes code duplication to simplify a
spec file that supports building without Python 2.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
While trying to add idrange with untrusted domain name error
message is misleading.
Changing the error message to:
invalid 'ID Range setup':Specified trusted domain
name could not be found.
Resolves: https://pagure.io/freeipa/issue/5078
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
After commit bbe615e12c278f9cddaeb38e80b970bf14d9b32d, if the uninstall
process fails (in the test cleanup) the error is not hidden anymore.
That brought light to errors in the cleanup process on
TestReplicaInstall test, like this:
```
RUN ['ipa-server-install', '--uninstall', '-U']
ipapython.admintool: ERROR Server removal aborted:
Replication topology in suffix 'domain' is disconnected:
Topology does not allow server master.ipa.test to replicate with servers:
replica0.ipa.test.
ipapython.admintool: ERROR The ipa-server-install command failed
```
This commit changes the order of how a replica should be removed from
the topology.
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
While testing on RHEL we are getting IOError instead of OSError.
Add also IOError to except clause.
This is mostly for compatibility reasons however should not cause
any issue as IOError is alias for OSError on Python3.
https://pagure.io/freeipa/issue/7439
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
When ipa-restore is called, it needs to delete the file
nss.conf, otherwise httpd server will try to initialize
the NSS engine and access NSSCertificateDatabase.
This is a regression introduced with the switch from NSS
to SSL.
https://pagure.io/freeipa/issue/7440
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
test to verify that replica is able to sign a certificate with
new sub CA.
https://pagure.io/freeipa/issue/7387
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
ipa-server-install creates the kerberos container by calling
kdb5_util create -s -r $REALM -x ipa-setup-override-restrictions
but does not react on failure of this command. The installer fails later
when trying to create a ldap principal, and it is difficult to diagnose the
root cause.
The fix raises a RuntimeException when kdb5_util fails, to make sure
that the installer exits immediately with a proper error message.
Note: no test added because there is no easy reproducer. One would need to
stop dirsrv just before calling kdb5_util to simulate a failure.
https://pagure.io/freeipa/issue/7438
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
The previous default token key size would fail in FIPS mode for the sha384
and sha512 algorithms. With the updated key size, the default will work in
all cases.
https://pagure.io/freeipa/issue/7168
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
NSS doesn't allow keys to be loaded directly in FIPS mode. To work around
this, we encrypt the input key using an ephemeral key and then unwrap the
encrypted key.
https://pagure.io/freeipa/issue/7168
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Overide trust method test_establish_trust_with_posix_attributes to test_establish_trust.
Windows Server 2016 doesn't have support for MFU/NIS, so autodetection is not working
https://pagure.io/freeipa/issue/7313
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
when any file from FreeIPA tree has been deleted there was
a failure like:
pylint
------
************* Module ipaserver/install/ntpinstance.py
ipaserver/install/ntpinstance.py:1: [F0001(fatal), ] No module named ipaserver/install/ntpinstance.py)
Adding --diff-filter to fastlint will not list deleted files
in git diff --names-only output to not include not existing
files to checklist.
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The fix_trust_flags upgrade procedure pertains to the old Apache
mod_nss setup. With the move to mod_ssl, it now raises an
exception, so remove it.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
`data` is bytes but we were opening the "--out" file as
a text.
https://pagure.io/freeipa/issue/7430
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
After commits 8960141 and 97942a7 we do not need to run
ipa-certupdate command anymore when switching to ca-full.
This patch removes the above mentioned commands in order to
properly test the scenario.
https://pagure.io/freeipa/issue/7309
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
The freeipa-server package was shipping files that are only used by
freeipa-server-dns.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When ipa host-add --random is unable to add a reverse record (for instance
because the server does not manage any reverse zone), the command
adds the host but exits (return code=1) with an error without actually
outputing the random password generated.
With this fix, the behavior is modified. The commands succeeds (return code=0)
but prints a warning.
This commit also adds a unit test.
https://pagure.io/freeipa/issue/7374
Reviewed-By: Christian Heimes <cheimes@redhat.com>
NSS_STATUS_RETURN is an internal value but GCC doesn't know that.
ipa_extdom_common.c:103:5: warning: enumeration value ‘NSS_STATUS_RETURN’ not handled in switch [-Wswitch]
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The ipadb_free() and ipadb_alloc() functions are only used with
KRB5_KDB_DAL_MAJOR_VERSION 5.
ipa_kdb.c:639:13: warning: ‘ipadb_free’ defined but not used [-Wunused-function]
ipa_kdb.c:634:14: warning: ‘ipadb_alloc’ defined but not used [-Wunused-function]
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This will cause the command to continue with no password set
at all which is not what we want.
We want to loop forever until the passwords match or the
user gives up and types ^D or ^C.
https://pagure.io/freeipa/issue/7383
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The disable system trust feature is no longer used.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
CertDB no longer makes any assumptions about the default db type of a NSS
DB. Instead it let's certutil decide when dbtype is set to 'auto'. This
makes it much easier to support F27 and F28 from a single code base.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
- Refactor CertDB to look up values from its NSSDatabase.
- Add run_modutil() helpers to support sql format. modutil does not
auto-detect the NSSDB format.
- Add migration helpers to CertDB.
- Add explicit DB format to NSSCertificateDatabase stanza
- Restore SELinux context when migrating NSSDB.
- Add some debugging and sanity checks to httpinstance.
The actual database format is still dbm. Certmonger on Fedora 27 does
neither auto-detect DB format nor support SQL out of the box.
https://pagure.io/freeipa/issue/7354
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Add storage='NSSDB' to various places. It makes it a bit easier to track
down NSSDB usage.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The option has been deprecated since at least freeIPA release 4.3.0 when
the installer was changed to use LDAPI.
See: https://pagure.io/freeipa/issue/4933
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
"Include enabled" and "Include disabled" checkboxes on "Rules" tab
of HBAC Test Web UI page don't have any descriptions. It is not
clear what they do from only the labels.
This patch adds tooltips with metadata doc text of respected API
options. I.e. in practice it adds the same as CLI help when user
hovers over the checkbox label.
--enabled Include all enabled IPA rules into test [default]
--disabled Include all disabled IPA rules into test
Reviewed-By: Felipe Barreto <fbarreto@redhat.com>
This reverts commit db2222fee4.
Temp commit was acked by accident. It should have been removed after
ack of approach of PR 1596. But the PR should not have been ACKed.