Sometimes the entity_show command must be called with options which are gathered
from the result of the entity_find command. These options need to be passed as
arguments in the URL which points to the details page.
This functionality is implemented in the table facet. There is a new property
'additional_navigation_arguments' which is prepared for an array of attributes
which will be passed to the URL.
Part of: https://fedorahosted.org/freeipa/ticket/6238
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
This patch adds the config file for Travis CI. The config file instructs the
CI to:
* check pep8 errors in PR
* build RPMs in pulled in Fedora builder container
(docker.io/martbab/freeipa-fedora-builder)
These basic checks should eliminate basic errors that can break the build
itself (formatting errors, Syntax errors/undeclared variables, missing
BuildRequires, broken API.txt, etc.). It does not run any of our
integration/unit tests.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Link-local addresses received from netifaces contain a '%suffix' that
causes a parse error in the IPNetwork class. We must remove the %suffix before
it is used in IPNetwork objects.
https://fedorahosted.org/freeipa/ticket/6296
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Cache CommandError answer to schema command to avoid sending the command
to pre-schema servers every time. This information expires after some
time (1 hour) in order to start using schema as soon as the server is
upgraded.
https://fedorahosted.org/freeipa/ticket/6095
Signed-off-by: Jan Cholasta <jcholast@redhat.com>
Signed-off-by: David Kupka <dkupka@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Add a client-side fallback of the dnsrecord_split_parts command for old
servers to avoid CommandError in dnsrecord_add and dnsrecord_mod CLI
interactive mode.
https://fedorahosted.org/freeipa/ticket/6203
Reviewed-By: Martin Basti <mbasti@redhat.com>
Fix the code which determines if a record part is required and thus should
be prompted not to wrongfully consider all record parts to be optional.
https://fedorahosted.org/freeipa/ticket/6203
Reviewed-By: Martin Basti <mbasti@redhat.com>
When dnsrecord_add is called without options in interactive mode, it
prompts the user to enter a record type. The record type is expected to be
upper case further in the code, which causes non-upper case values not to
work correctly.
Fix this issue by upper casing the value after it is read.
https://fedorahosted.org/freeipa/ticket/6203
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add Certmonger tracking requests for lightweight CAs on replica
installation. As part of this change, extract most of the
lightweight CA tracking code out of ipa-certupdate and into
cainstance.
Fixes: https://fedorahosted.org/freeipa/ticket/6019
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Use super for proper handling of exceptions. The msg property was added due
to compatibility with the current code.
https://fedorahosted.org/freeipa/ticket/6294
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
jwcrypto's RSA1-5 (PKCS#1 v1.5) is vulnerable to padding oracle
side-channel attacks. OAEP (PKCS#1 v2.0) is a safe, more modern
alternative.
https://fedorahosted.org/freeipa/ticket/6278
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Fixes the CLI not to always call the default version of a command even when
the version was explicitly specified.
https://fedorahosted.org/freeipa/ticket/6279
Reviewed-By: Martin Basti <mbasti@redhat.com>
Prior to Windows Server 2012R2, the `netr_DsRGetForestTrustInformation` calls
performed against non-root forest domain DCs were automatically routed to
the root domain DCs to resolve trust topology information.
This is no longer the case, so the `com.redhat.idm.trust-fetch-domains` oddjob
helper used to establish one-way needs to explicitly contact root domain DCs
even in the case when an external trust to non-root domain is requested.
https://fedorahosted.org/freeipa/ticket/6057
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This allows for re-use of this method in cases where the caller can not or
wishes not to instantiate local Samba domain to retrieve information about
remote ones.
https://fedorahosted.org/freeipa/ticket/6057
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Prior to Windows Server 2012R2, the `netr_DsRGetForestTrustInformation` calls
performed against non-root forest domain DCs were automatically routed to the
root domain DCs to resolve trust topology information.
This is no longer the case, so the `dcerpc.fetch_domains` function must
explicitly contact root domain DCs even in the case when an external two-way
trust to non-root domain is requested.
https://fedorahosted.org/freeipa/ticket/6057
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Redirect bash error output to prevent displaying error
messages in bash completion for ipa command.
https://fedorahosted.org/freeipa/ticket/6273
Reviewed-By: David Kupka <dkupka@redhat.com>
When running test_install/test_updates and test_pkcs10/test_pkcs10 as
outoftree, these are skipped with reason 'Unable to find test update files'.
For outoftree tests wrong paths are checked for these files.
Changing file localization to provide proper test setup.
https://fedorahosted.org/freeipa/ticket/6284
Reviewed-By: Martin Basti <mbasti@redhat.com>
Fix an AttributeError in XML-RPC methodSignature and methodHelp commands
caused by incorrect mangled name usage.
https://fedorahosted.org/freeipa/ticket/6217
Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
Force reconnect to LDAP as DS might have been restarted after the
connection was opened, rendering the connection invalid.
This fixes a crash in ipa-replica-install with --setup-ca.
https://fedorahosted.org/freeipa/ticket/6207
Reviewed-By: Martin Basti <mbasti@redhat.com>
When `trust-add` is supplied AD domain admin name without realm component, the
code appends the uppercased AD forest root domain name to construct the full
principal. This can cause authentication error, however, when external trust
with non-root domain is requested.
We should instead use the supplied DNS domain name (if valid) as a realm
component.
https://fedorahosted.org/freeipa/ticket/6277
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Several tests in test_xmlrpc/test_trust_plugin.py fail because some attributes
are not expected. Fixing the tests so that the extra attributes are recognized.
https://fedorahosted.org/freeipa/ticket/6276
Reviewed-By: Ganna Kaihorodova <gkaihoro@redhat.com>
When a command is called on the server over RPC without its version
specified, assume version 1 instead of the highest known version.
This ensures backward compatibility with old clients, which do not support
versioned commands and understand only the first version of any given
command.
https://fedorahosted.org/freeipa/ticket/6217
Reviewed-By: David Kupka <dkupka@redhat.com>
Changing negative test case that verified that a certificate with different
than expected issuer cannot be added to a service to a positive one that
verifies that this operation now proceeds successfully. Corresponds to changes
made in scope of https://fedorahosted.org/freeipa/ticket/4559 implementation.
https://fedorahosted.org/freeipa/ticket/6258
Reviewed-By: Ganna Kaihorodova <gkaihoro@redhat.com>
During an extend op password update, there is a test whether the
user changing the password is himself. It uses local Slapi_SDN
variables that are not freed.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The code is supposed to check that the SAN name is also authorized to be used
with the specified profile id.
The original principal has already been checked.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
When running ipa-adtrust-install, a netbios-name option must be specified.
Currently if an invalid netbios name in form of empty string is specified, the
installation proceeds, but changes the invalid value to a netbios name
determined from domain name without any notification.
Fixing this so that any attempt to supply empty string as netbios name fails
with error in case of unattended installation, or to request input of valid
netbios name from command line during normal installation.
https://fedorahosted.org/freeipa/ticket/6120
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
domainlevel method is called upon each master uninstallation. Sometimes the
master uninstallation is called from within teardown method of some tests when
the master was not in fact installed, in which case the kinit_admin would
always raise an error.
https://fedorahosted.org/freeipa/ticket/6254
Reviewed-By: Martin Basti <mbasti@redhat.com>
Include name of the CA that issued a certificate in cert-request, cert-show
and cert-find.
This allows the caller to call further commands on the cert without having
to call ca-find to find the name of the CA.
https://fedorahosted.org/freeipa/ticket/6151
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add back `serial_number_hex` and `revoked` param values to cert-find output
accidentally removed in commit c718ef0588.
https://fedorahosted.org/freeipa/ticket/6269
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Class test_forward_zones in ipatests/test_xmlrpc/test_dns_plugin
was using DNS zone 'fwzone2.test.' and expected to get warning
'Forwarding policy conflicts with some automatic empty zones.'
(aka 'DNSForwardPolicyConflictWithEmptyZone').
This does not make sense because 'test.' zone is not listed in IANA registry
'Locally-Served DNS Zones':
http://www.iana.org/assignments/locally-served-dns-zones/locally-served-dns-zones.xhtml
To fix this I simply removed the warning from set of expected results.
https://fedorahosted.org/freeipa/ticket/6213
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Class test_forward_zones in ipatests/test_xmlrpc/test_dns_plugin
had server IP and zone name interchanged in "expected" dictionary.
I do not understand how this happened.
https://fedorahosted.org/freeipa/ticket/6213
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
There is no notable package size cost, as all the libraries and
packages are already in the freeipa-client package and
freeipa-admintools only contained a short shim calling this code.
Move /bin/ipa to freeipa-client, along with a man page and bash
completion.
Resolves: https://fedorahosted.org/freeipa/ticket/5934
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
We do not have the right to write to users delete_container. In case that
user already exists in that container and we tried to add entry, we
receive ACIError. This must be checked and DuplicationEntry error must
be raised before.
https://fedorahosted.org/freeipa/ticket/6199
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
With CA-less master and CA-less replica, attempting to install CA on replica
would fail. LDAPS has to be enabled during replica promotion, because it is
required by Dogtag.
https://fedorahosted.org/freeipa/ticket/6226
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Plugins are being imported in the test_ldap/test_Backend test, which is no
longer valid due to changes made during thin client implementation. Plugins are
imported automatically and explicit imports make tests fail because of the
duplicity.
https://fedorahosted.org/freeipa/ticket/6194
Reviewed-By: Martin Basti <mbasti@redhat.com>
Due to thin client implementation a part of the original test is no longer
valid and causes test to fail.
https://fedorahosted.org/freeipa/ticket/6192
Reviewed-By: Martin Basti <mbasti@redhat.com>
Force client to send the value of ipatokenotpkey and ipapermlocation as
entered by user.
https://fedorahosted.org/freeipa/ticket/6247
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Due to race conditions the test sometimes catches 2 one-way segments instead of
one bidirectional. We need to give the master time to merge the one-way
segments before we test the output.
https://fedorahosted.org/freeipa/ticket/6265
Reviewed-By: Martin Basti <mbasti@redhat.com>