We should backup mod_ssl configuration when migrating from nss
otherwise the uninstall would later leave the machine with
IPA-specific settings.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This moves the HTTPD certificates from their default location
to IPA-specific one. This should be especially helpful from
the container perspective.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Adjust the HTTPInstance.__publish_ca_cert() method so that it only
exports the lowest intermediate CA certificate that signed the
HTTP certificate.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Verify the certificate issued during an installation belongs
to its private key.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Backup mod_nss configuration in case IPA is uninstalled once
and there's applications that require it. We too required it
in previous versions, after all.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The import_ca_certs_{file,nssdb} methods were actually exporting
CA certificates from LDAP to different formats. The new names should
better reflect what these methods are actually doing.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fixes ipa-server-upgrade when upgrading from a pre-mod_ssl
version where the appropriate "Include" statement needs to
be added to ssl.conf settings so that WebUI functions properly.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This refactors the way certificate files are replaced during
ipa-server-certinstall and uses that approach on KDC and
HTTPD certificate cert-key pairs.
https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Since mod_ssl is using the /etc/ipa/ca.crt for its source
of the CA chain, we don't need to update the HTTPD NSS
database anymore (since it does not really exist).
https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Part of the mod_nss -> mod_ssl move. This patch allows loading
necessary certificates for Apache to function from PKCS#12 files.
This should fix CA-less and domain level 0 installations.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fix the upload_cacrt.py plugin to use the DS NSS database to
upload the CA certificate from (which is the original behavior).
This is possibly required for the upgrade path from some very
old IPA versions that did not use the certificates storage in
LDAP.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When setting a value using set_directive() look for a commented-out
version of the directive and add the new value immediately after
that to keep the proper context.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This is because if backed up it may contain IPA-specific entries
like an import of ipa-rewrite.conf that on uninstall won't exist
and this will keep Apache from restarting.
We already have a backup of nss.conf from pre-install. Stick with
that.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The existing private/public keys are migrated to PEM files
via a PKCS#12 temporary file. This should work for both
IPA-generated and user-provided server certificates.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This was useful during initial development and as a simple
in-tree unit test but it isn't needed anymore.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Change some built-in assumptions that Apache has an NSS certificate
database.
Configure mod_ssl instead of mod_nss. This is mostly just changing
the directives used with some slight syntactical differences.
Drop mod_nss-specific methods and functions.
There is some mention of upgrades here but this is mostly a
side-effect of removing things necessary for the initial install.
TODO:
- backup and restore
- use user-provided PKCS#12 file for the certificate and key
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Mocked tests require the mock package for Python 2.7. Python 3 has
unittest.mock in the standard library.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Realm domains commands produce big fat warnings about DNS state/checks.
Given the length of these warnings, they stay displayed for longer time.
As Web UI automated tests progresses quickly more of the warnings can
be displayed at the same time and thus taking a lot of space and thus
covering UI needed for next test step.
By closing the notifications before next action we make sure that test
won't fail because notification covered the required UI.
Reviewed-By: Petr Cech <pcech@redhat.com>
Try adding and deleting with "Check DNS" (in html 'ok' button)
DNS check expects that the added domain will have DNS record:
TXT _kerberos.$domain "$REALM"
When a new domain is added using dnszone-add it automatically adds
this TXT record and adds a realm domain. So in order to test without
external DNS we must get into state where realm domain is not added
(in order to add it) but DNS domain with the TXT record exists.
Reviewed-By: Petr Cech <pcech@redhat.com>
In case of an error, ipapython.ipautil.run() now raises an exception that
contains the error message of the failed command. Before the exception
only contained the command and error code.
The command is no longer collapsed into one string. The error message
and logging output contains the actual command and arguments with intact
quoting.
Example:
CalledProcessError(Command ['/usr/bin/python3', '-c', 'import sys; sys.exit(" ".join(("error", "XXXXXXXX")))'] returned non-zero exit status 1: 'error XXXXXXXX\n')
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Fixes a regression in 4.5.0 where special character set was limited.
Special characters in the OTP has caused issues in unattended
installations where the OTP is not properly quoted or escaped.
Expansion of the special character set in 4.5.0 release may cause
existing user installation scripts to fail where they wouldn't
otherwise.
https://pagure.io/freeipa/issue/7380
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The ACI needed for staged users and deleted users were granted
only to the uid=admin user. They should rather be granted to
cn=admins group, to make sure that all members of the admins
group are able to call the command ipa user-del --preserve.
This commit also adds integration test for non-regression.
https://pagure.io/freeipa/issue/7342
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
`git diff` shows also context lines by default. When passed to pycodestyle
it can produce errors unrelated to changed lines. It prevents running of
subsequent checks.
Limiting context to 0 lines by `git diff -U0` enables to test only the
modified lines and allows to run subsequent checks.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
FileStore.backup_file() docstring claimed not to store a
copy of the same file but the behavior of the method did not
match this description.
This commit makes the backed-up file filename derivation
deterministic by hashing its content by SHA-256, thus it
should not back up two files with the same filename and content.
Reviewed-By: Aleksei Slaikovskii <aslaikov@redhat.com>
The approach ActionChains.move_to_element no longer works as said here [1],
so, it's necessary to change it to the new one. This means, running a
javascript script to move the page to where the element is.
There are more details in the link [1], but in summary the w3c spec is
not obvious if a click should scroll the page to the element or not.
In one hand Chrome and Edge does that, but Firefox don't. As we use
Firefox to run the tests, we need the workaround.
[1] https://github.com/mozilla/geckodriver/issues/776
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
When filling the combo box (the gidnumber) in the dialog to create a new
user, the Add button was also clicked; closing the dialog. The wait
makes it to not click.
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Instead of always entering the address on the address bar and reloading the
application, now the code checks if that is necessary.
With the change, the logout process is done correctly and we do not keep any
AJAX call left behind. Which could cause the user not being logout properly and
breaking the tests.
More about the logout problem described in:
https://github.com/freeipa/freeipa/pull/1479
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
As described in the commit [1] and ticket [2], it should not be possible to
change the range of a local IPA domain.
The basic_crud was changed to make it flexible to do not run the mod operation
if needed.
[1] 55feea500b
[2] https://pagure.io/freeipa/issue/4826
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
The "rcue-login-screen" element does not exist anymore. Changing the
code to use the ".login-pf" instead.
With the change, it's also necessary to check if the login screen is still
visible when trying to fill the fields of new password, otherwise a
StaleElementReferenceException exception will be raised.
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
The Python 3 refactoring effort is finishing, it should be safe
to turn all scripts to run in Python 3 by default.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Replace all ldap.initialize() calls with a helper function
ldap_initialize(). It handles cacert and cert validation correctly. It
also provides a unique place to handle python-ldap 3.0 bytes warnings in
the future.
Fixes: https://pagure.io/freeipa/issue/7411
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add a xmlrpc test checking that a user cannot delete his last
OTP token.
Related to
https://pagure.io/freeipa/issue/7012
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
The 389-ds plugin for OTP last token is performing data initialization
in its ipa_otp_lasttoken_init method, which is wrong according to
the Plug-in Guide:
> For example, the init function should not attempt to perform an
> internal search or other internal operation, because the all of
> the subsystems are not up and running during the init phase.
This init method fills a structure containing the configuration of
allowed authentication types. As the method is called too early, the
method does not find any suffix and leaves the structure empty.
Subsequent calls find an empty structure and take the default values
(for authentication methods, the default is 1 = password).
Because of that, the code consider that the global configuration defines
password authentication method, and in this case it is allowed to delete
a user's last otp token.
The fix implements a SLAPI_PLUGIN_START_FN method that will be called
when 389-ds is ready to initialize the plugin data, ensuring that the
structure is properly initialized.
Fixes:
https://pagure.io/freeipa/issue/7012
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
"ipa-server-install --uninstall" no longer fails with error message
"'Env' object has no attribute 'basedn'" when executed on a system that
has no freeIPA server installation.
Fixes: https://pagure.io/freeipa/issue/7063
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
Python 3's regular expression default to full range of unicode
characters. Restrict \w matches to ASCII and drop \b suffix check to fix
a problem with validation the Chinese translation zh_CN.
Co-Authored-By: Stanislav Laznicka <slaznick@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>