Commit Graph

12001 Commits

Author SHA1 Message Date
Pavel Vomacka
2dd7741075 Update tests
With newer QUnit the API has changed, therefor there are necesary changes
in tests. QUnit methods does not pollute global workspace they use global
QUnit object or assert object passed as argument to test method.

Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-14 18:57:37 +01:00
Pavel Vomacka
c47784dc9f Create symlink to qunit.js
Base path for all unit tests is install/ui/js. This path is also used
by PhantomJS when runnig unit tests from command line. PhantomJS then
tries to find qunit.js therefor symlink in install/ui/js is needed.

This might be automated in the future.

Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-14 18:57:37 +01:00
Pavel Vomacka
c50092c3b5 Update jsl to not warn about module in Gruntfile
Gruntfile uses module keyword which is not known by our JSLint.
Adding it into known keywords fix the warning.

Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-14 18:57:37 +01:00
Pavel Vomacka
c48ac2819b Add Gruntfile and package.json to ui directory
Those files are used when running WebUI unit tests from command line.

- Gruntfile specifies grunt task which can run the webui tests.
- symlink to src/freeipa/package.json where are specified npm packages
  which are required for running those test.
  There is only symlink to not duplicite package.json file

Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-14 18:57:37 +01:00
Pavel Vomacka
8b25ac88e1 Update QUnit CSS file to 2.4.1
Update QUnit CSS to correspond with QUnit JS library

Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-14 18:57:37 +01:00
Pavel Vomacka
68540856cf Update qunit.js to version 2.4.1
It provides more functions, bug fixes, but mainly better error handling
therefore it is easier to debug errors while tests are automatically
run.

Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-14 18:57:37 +01:00
Alexander Koksharov
fbb1889766 ensuring 389-ds plugins are enabled after install
To avoid problems caused by desabled plugins on 389-ds side
explicitly enable plugins required by IPA

https://pagure.io/freeipa/issue/7271

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-12-14 16:41:01 +01:00
Christian Heimes
929c77c784 Travis: Add workaround for missing IPv6 support
Latest Travis CI image lacks IPv6 address on localhost. Add some
diagnostics and skip IPv6 tests in ipa-server-install when TRAVIS is
detected.

The hack will be removed as soon as it is no longer required to pass
automated testing.

https://pagure.io/freeipa/issue/7323

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2017-12-14 14:04:19 +01:00
Christian Heimes
d7426ccbe7 Replace nose with unittest and pytest
* Replace raise nose.SkipTest with raise unittest.SkipTest
* Replace nose.tools.assert_equal(a, b) with assert a == b
* Replace nose.tools.raises with pytest.raises
* Convert @raises decorator to pytest.raises() but just for relevant
  lines.
* Remove nose dependency

I left the nose_compat pytest plugin in place. It can be removed in
another request in case it is no longer used.

https://pagure.io/freeipa/issue/7301

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-12-12 16:16:58 +01:00
Fraser Tweedale
6a8c84718d Don't use admin cert during KRA installation
KRA installation currently imports the admin cert.  FreeIPA does not
track this cert and it may be expired, causing installation to fail.
Do not import the existing admin cert, and discard the new admin
cert that gets created during KRA installation.

Part of: https://pagure.io/freeipa/issue/7287

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-12-12 16:07:11 +01:00
Fraser Tweedale
0e9ce73a52 Add uniqueness constraint on CA ACL name
It is possible to add caacl entries with same "name" (cn).  The
command is supposed to prevent this but direct LDAP operations allow
it and doing that will cause subsequent errors.

Enable the DS uniqueness constraint plugin for the cn attribute in
CA ACL entries.

Fixes: https://pagure.io/freeipa/issue/7304
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-12-12 14:36:44 +01:00
Pavel Vomacka
4d9d953663 Extend ui_driver to support geckodriver log_path
Geckodriver automatically logs into geckodriver.log file which
is placed in the same directory from which tests are run. In case
of running tests using ipa-run-tests the current working directory is
/usr/lib/python*/site-packages/ipatests where most of users cannot
write because of priviledges.

By adding "geckodriver_log_path" into test configuration we allow to
set path where user who run tests have priviledges to write.

Config file might be seen here:
https://www.freeipa.org/page/Web_UI_Integration_Tests#Running_tests

Fixes: https://pagure.io/freeipa/issue/7311
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-12 14:19:44 +01:00
Christian Heimes
f4001e1c53 Add safe DirectiveSetter context manager
installutils.set_directive() is both inefficient and potentially
dangerous. It does not ensure that the whole file is written and
properly synced to disk. In worst case it could lead to partially
written or destroyed config files.

The new DirectiveSetter context manager wraps everything under an easy
to use interface.

https://pagure.io/freeipa/issue/7312

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-12-12 14:13:54 +01:00
Fraser Tweedale
f688b5d8a7 Add tests for installutils.set_directive
Part of: https://pagure.io/freeipa/issue/7288

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-12-12 14:13:54 +01:00
Fraser Tweedale
c77f3a50d7 installutils: refactor set_directive
To separate concerns and make it easier to test set_directive,
extract function ``set_directive_lines`` to do the line-wise
search/replace, leaving ``set_directive`` to deal with the file
handling.

Part of: https://pagure.io/freeipa/issue/7288

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-12-12 14:13:54 +01:00
Fraser Tweedale
1b04718b3c pep8: reduce line lengths in CAInstance.__enable_crl_publish
Part of: https://pagure.io/freeipa/issue/7288

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-12-12 14:13:54 +01:00
Fraser Tweedale
2546ef6eb0 Prevent set_directive from clobbering other keys
`set_directive` only looks for a prefix of the line matching the
given directive (key).  If a directive is encountered for which the
given key is prefix, it will be vanquished.

This occurs in the case of `{ca,kra}.sslserver.cert[req]`; the
`cert` directive gets updated after certificate renewal, and the
`certreq` directive gets clobbered.  This can cause failures later
on during KRA installation, and possibly cloning.

Match the whole directive to avoid this issue.

Fixes: https://pagure.io/freeipa/issue/7288
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-12-12 14:13:54 +01:00
Christian Heimes
b32a4aef86 More log in verbs
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-12-12 12:53:21 +01:00
Christian Heimes
dca9f84961 Address more 'to login'
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-12-12 12:53:21 +01:00
Christian Heimes
ae3160fdd7 Fix grammar error: Log out
https://pagure.io/freeipa/issue/7258

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-12-12 12:53:21 +01:00
Christian Heimes
3756dbf964 Fix grammar in login screen
https://pagure.io/freeipa/issue/7263

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-12-12 12:53:21 +01:00
Rob Crittenden
d7aa7945e8 Run server upgrade in ipactl start/restart
During a distro upgrade, e.g. F-26 to F-27, networking may not
be available which will cause the upgrade to fail. Despite this
the IPA service can be subsequently restarted running new code
with old data.

This patch relies on the existing version-check cdoe to determine
when/if an upgrade is required and will do so during an ipactl
start or restart.

The upgrade is now run implicitly in the spec file and will
cause the server to be stopped after the package is installed
if the upgrade fails.

Fixes: https://pagure.io/freeipa/issue/6968

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-12-12 12:08:35 +01:00
Christian Heimes
7fbbf6689e Add make targets for fast linting and testing
Fast linting only needs modified files with pylint and diff with
pycodestyle. It's good enough to detect most code errors very fast. It
typically takes less than 10 seconds. A complete full pylint run uses
all CPU cores for several minutes. PEP 8 violations are typically
reported after 30 minutes to several hours on Travis CI.

Fast lintings uses git diff and git merge-base to find all modified
files in a branch or working tree. There is no easy way to find the
branch source. On Travis the information is provided by Travis. For
local development it's a new variable IPA_GIT_BRANCH in VERSION.m4.

Fast testing execute all unit tests that do not depend on ipalib.api.

In total it takes about 30-40 seconds (!) to execute linting, PEP 8 checks
and unittests for both Python 2 and 3.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-12-11 20:40:06 +01:00
Christian Heimes
b98f9b46de Add marker needs_ipaapi and option to skip tests
The new marker needs_ipaapi is used to mark tests that needs an
initialized API (ipalib.api) or some sort of other API services (running
LDAP server) to work. Some packages use api.Command or api.Backend on
module level. They are not marked but rather skipped entirely.

A new option ``skip-ipaapi`` is added to skip all API based tests. With
the option, only simple unit tests are executed. As of now, freeIPA
contains more than 500 unit tests that can be executed in about 5
seconds.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-12-11 20:40:06 +01:00
Christian Heimes
ec4620ecb2 Add python_requires to Python package metadata
freeIPA 4.6 and 4.7 requires Python 2.7 or >= 3.5.

https://pagure.io/freeipa/issue/7294

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-12-11 15:32:45 +01:00
Fraser Tweedale
34f73b4a94 install: report CA Subject DN and subject base to be used
Currently we do not report what Subject DN or subject base will be
used for the CA installation.  This leads to situations where the
administrator wants a different Subject DN later.  Display these
data as part of the "summary" prior to the final go/no-go prompt in
ipa-server-install and ipa-ca-install.

The go/no-go prompt in ipa-ca-install is new.  It is suppressed for
unattended installations.

Fixes: https://pagure.io/freeipa/issue/7246
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-11 12:06:28 +01:00
Michal Reznik
29d0f8673c test_x509: test very long OID
Active Directory creates OIDs long enough to trigger a failure.
This can cause e.g. ipa-server-install failure when installing
with an externally-signed CA.

https://pagure.io/freeipa/issue/7300

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-11 12:05:16 +01:00
Fraser Tweedale
39fdc2d250 ipa_certupdate: avoid classmethod and staticmethod
Because classmethod and staticmethod are just fancy ways of calling
plain old functions, turn the classmethods and staticmethods of
CertUpdate into plain old functions.

This improves readability by making it clear that the behaviour of
the routines cannot depend on instance or class variables.

Part of: https://pagure.io/freeipa/issue/6577

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-12-11 08:35:04 +01:00
Fraser Tweedale
97942a7c7a Run certupdate after promoting to CA-ful deployment
After installing a CA in a CA-less installations (using
ipa-ca-install), the new CA certificate is not installed in
/etc/httpd/alias. This causes communication failure between IPA
framework and Dogtag (it cannot verify the Dogtag server
certificate).

Perform a CertUpdate as the final step when promoting a CA-less
deployment to CA-ful.

Fixes: https://pagure.io/freeipa/issue/7230
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-12-11 08:35:04 +01:00
Fraser Tweedale
8960141adb ipa-ca-install: run certupdate as initial step
When installing a CA replica, perform a certupdate to ensure that
the relevant CA cert is present.  This is necessary if the admin has
just promoted the topology from CA-less to CA-ful but didn't
manually run ipa-certupdate afterwards.

Fixes: https://pagure.io/freeipa/issue/6577
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-12-11 08:35:04 +01:00
Fraser Tweedale
93d53e5cd0 CertUpdate: make it easy to invoke from other programs
The guts of ipa-certupdate are useful to execute as part of other
programs (e.g. as a first step of ipa-ca-install).  Refactor
ipa_certupdate.CertUpdate to make it easy to do that.  In
particular, make it possible to use an already-initialised API
object.

Part of: https://pagure.io/freeipa/issue/6577

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-12-11 08:35:04 +01:00
Mohammad Rizwan Yusuf
feee70d7bb ipatest: replica install with existing entry on master
replica install might fail because of existing entry for replica like
    `cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX` etc. The situation
    may arise due to incorrect uninstall of replica or ipa server-del is
    not executed on master.

    related bug : https://pagure.io/freeipa/issue/7174

Fixes: https://pagure.io/freeipa/issue/7276

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-11 08:32:39 +01:00
Alexander Bokovoy
c19eb49935 ipaserver/plugins/trust.py: pep8 compliance
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2017-12-07 21:18:51 +02:00
Alexander Bokovoy
a57f613314 trust: detect and error out when non-AD trust with IPA domain name exists
Quite often users choose wrong type of trust on Active Directory side
when setting up a trust to freeIPA. The trust type supported by freeIPA
is just a normal forest trust to another Active Directory. However,
some people follow old internet recipes that force using a trust to MIT
Kerberos realm.

This is a wrong type of trust. Unfortunately, when someone used MIT
Kerberos realm trust, there is no way to programmatically remote the
trust from freeIPA side. As result, we have to detect such situation and
report an error.

To do proper reporting, we need reuse some constants and trust type
names we use in IPA CLI/Web UI. These common components were moved to
a separate ipaserver/dcerpc_common.py module that is imported by both
ipaserver/plugins/trust.py and ipaserver/dcerpc.py.

Fixes https://pagure.io/freeipa/issue/7264

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2017-12-07 21:18:51 +02:00
Alexander Bokovoy
956e265fae ipaserver/plugins/trust.py; fix some indenting issues
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2017-12-07 21:18:51 +02:00
Fraser Tweedale
3eb3844353 renew_ra_cert: fix update of IPA RA user entry
The post-save hook for the RA Agent certificate invokes
cainstance.update_people_entry with the DER certificate instead of a
python-cryptograpy Certificate object.  Apply to correct type.

Fixes: https://pagure.io/freeipa/issue/7282
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-12-07 17:28:12 +01:00
Christian Heimes
8700101d98 Remove Custodia keys on uninstall
Keys are removed from disk and LDAP

https://pagure.io/freeipa/issue/7253

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-12-07 16:55:40 +01:00
Christian Heimes
1505922c2b NSSDB: use preferred convert command
After further testing, Kai Engert proposed to use -N with -f -@ to
convert a NSSDB from DBM to SQL format.

https://fedoraproject.org/wiki/Changes/NSSDefaultFileFormatSql#Upgrade.2Fcompatibility_impact

https://pagure.io/freeipa/issue/7049

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-12-07 16:46:10 +01:00
Florence Blanc-Renaud
891cced446 Improve help message for ipa trust-add --range-type
Add the correct procedure for re-running ipa trust-add with a different
range type.

Fixes:
https://pagure.io/freeipa/issue/7308

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-07 14:00:27 +01:00
Fraser Tweedale
ba411b0f6d Re-enable some KRA installation tests
Some KRA installation tests were disabled due to failures caused by
security domain session replication lag.  This problem has been
addressed in Dogtag by introducing a default 5 second sleep after
security domain login, to give more time for session data to be
replicated to other hosts.  There is still a possibility for this
kind of failure, but the delay minimises it.

FreeIPA depends on the version of Dogtag that contains this change,
so remove the failing-test annotations.

Fixes: https://pagure.io/freeipa/issue/7220
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-07 13:03:30 +01:00
Fraser Tweedale
c42c440de5 Use correct version of Python in RPM scripts
Fixes: https://pagure.io/freeipa/issue/7299
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-07 13:02:26 +01:00
Christian Heimes
be09823fd5 Skip test_rpcclient_context in client tests
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-12-06 16:54:04 +01:00
Christian Heimes
c1f275f9eb Update to python-ldap 3.0.0
Replace python3-pyldap with python3-ldap.

Remove some old code for compatibility with very old python-ldap.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-12-06 16:54:04 +01:00
Rob Crittenden
01bfe2247e If the cafile is not present or readable then raise an exception
This can happen on the API level if a user passes in None as
cafile or if the value passed in does not exist or is not
readable by the IPA framework user.

This will also catch situations where /etc/ipa/ca.crt has
incorrect permissions and will provide more useful information
than just [Errno 13] Permission denied.

https://pagure.io/freeipa/issue/7145

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-12-04 10:29:19 -05:00
Rob Crittenden
e8a26afb94 Add test to ensure that properties are being set in rpcclient
Upon a connection several values should be available within
the connextion context. Test that they are being set properly.

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-12-04 10:29:19 -05:00
Rob Crittenden
17bda0b1a5 Use the CA chain file from the RPC context
The value can be passed in the create_connection() call but
wasn't used outside that call. It already defaults to
api.env.tls_ca_cert so the context.ca_certfile should be used
instead so the caller can override the cert chain on a
per-connection basis. This may be handy in the future when
there is IPA-to-IPA trust, or for IPA-to-IPA migration.

https://pagure.io/freeipa/issue/7145

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-12-04 10:29:19 -05:00
Michal Reznik
1ec3d54d55 test_batch_plugin: fix py2/3 failing assertion
When running "test_batch_plugin" with Py2 against Py3 server we
got assertion error due to a command trying to run as bytes.

E.g.: unknown command 'b'ping''

https://pagure.io/freeipa/issue/7131

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-11-30 15:51:24 +01:00
Christian Heimes
f45d72af83 Update builddep command to install Python 3 and tox deps
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-11-30 13:47:54 +01:00
Alexander Bokovoy
78ad1cfe4f ipa-extdom-extop: refactor nsswitch operations
Refactor nsswitch operations in ipa-extdom-extop plugin to allow use
of timeout-enabled nsswitch calls provided by libsss_nss_idmap.

Standard POSIX nsswitch API has no way to cancel requests which may
cause ipa-extdom-extop requests to hang far too long and potentially
exhaust LDAP server workers. In addition, glibc nsswitch API iterates
through all nsswitch modules one by one and with multiple parallel
requests a lock up may happen in an unrelated nsswitch module like
nss_files.so.2.

A solution to the latter issue is to directly load nss_sss.so.2 plugin
and utilize it. This, however, does not solve a problem with lack of
cancellable API.

With SSSD 1.16.1, libsss_nss_idmap provides a timeout-enabled variant of
nsswitch API that is directly integrated with SSSD client side machinery
used by nss_sss.so.2. As result, this API can be used instead of loading
nss_sss.so.2 directly.

To support older SSSD version, both direct loading of nss_sss.so.2 and
new timeout-enabled API are supported by this changeset. An API to
abstract both is designed to be a mix between internal glibc nsswitch
API and external nsswitch API that libsss_nss_idmap mimics. API does not
expose per-call timeout. Instead, it allows to set a timeout per
nsswitch operation context to reduce requirements on information
a caller has to maintain.

A choice which API to use is made at configure time.

In order to test the API, a cmocka test is updated to explicitly load
nss_files.so.2 as a backend. Since use of nss_sss.so.2 would always
depend on availablility of SSSD, predictable testing would not be
possible without it otherwise. Also, cmocka test does not use
nss_wrapper anymore because nss_wrapper overrides higher level glibc
nsswitch API while we are loading an individual nsswitch module
directly.

As result, cmocka test overrides fopen() call used by nss_files.so.2 to
load /etc/passwd and /etc/group. An overridden version changes paths to
/etc/passwd and /etc/group to a local test_data/passwd and
test_data/group. This way we can continue testing a backend API for
ipa-extdom-extop with the same data as with nss_wrapper.

Fixes https://pagure.io/freeipa/issue/5464

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2017-11-30 11:38:03 +02:00
Alexander Bokovoy
64f4c71dd6 test_dns_plugin: cope with missing IPv6 in Travis
If IPv6 is not enabled, cope with the possibility to get incomplete
output back from the IPA CLI.

To do so, use lambda to analyze the result rather than explicit
comparison with the expected output.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-11-29 15:55:00 +02:00