The test is calling dnsrecord-mod --ttl and should expect a unicode
value in order to be python2/python3 compatible.
Related: https://pagure.io/freeipa/issue/7982
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
For now, FreeIPA supports SELinux things as they are in RedHat/Fedora.
But different distributions may have their own SELinux customizations.
This moves SELinux configuration out to platform constants:
- SELINUX_MCS_MAX
- SELINUX_MCS_REGEX
- SELINUX_MLS_MAX
- SELINUX_MLS_REGEX
- SELINUX_USER_REGEX
- SELINUX_USERMAP_DEFAULT
- SELINUX_USERMAP_ORDER
and applies corresponding changes to the test code.
Fixes: https://pagure.io/freeipa/issue/7996
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The test suite did not have any test for modification of the TTL
of an existing DNS record.
Related: https://pagure.io/freeipa/issue/7982
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add a new XMLRPC test with the following scenario:
- ldapadd a user without the posixaccount objectclass
- call ipa stageuser-find <user>
- check that 1 entry is returned
Related: https://pagure.io/freeipa/issue/7983
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The systemd unit name of `named`(which is actually used) is platform-dependent:
debian - bind9-pkcs11.service
fedora - named-pkcs11.service
redhat - named-pkcs11.service
Other systems may have their own name of `bind` service.
But the default one (`named-pkcs11`) is assumed in many tests.
Of course, these tests fail on such platforms.
This can be easily fixed.
All platforms define well-knownservice `named`, which is linked to
the actually utilized one.
Fixes: https://pagure.io/freeipa/issue/7990
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
For now all the default shells of users and admin are hardcoded in
different parts of the project. This makes it impossible to run the
test suite against the setup, which has the default shell differed
from '/bin/sh'.
The single configuration point for the shell of users and admin is
added to overcome this limitation.
Fixes: https://pagure.io/freeipa/issue/7978
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The behavior of automember changed with the design
https://www.port389.org/docs/389ds/design/automember-postop-modify-design.html
such that members are "cleaned up" first then re-added. This has
the effect of removing members that no longer apply to a rule.
This was breaking the automember rebuild tests because sometimes
the tests were faster than 389-ds causing memberships to be missed.
This does a client-side wait for the task to finish up so still
exercises the rebuild code.
https://pagure.io/freeipa/issue/7972
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
389-DS 1.4.0.22 was pushed to Fedora over the weekend. The new versin
breaks test_find_orphan_automember_rules. Skip the test case for now
until we have more time to investigate the issue.
Related: https://pagure.io/freeipa/issue/7902
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
If the `ipa idrange-mod` command has been used show a notification that sssd.service needs restarting. It's needed for applying changes. E.g. after setup AD trust with a domain with more than 200000 objects (the highest RID > idm's default value, 200000) users with RIDs > 200000 are not able to login, the size needs to be increased via idrange-mod, but it makes an effect only after sssd restarting.
Implementation:
Notification was implemented via passing `ipalib.messages.ServiceRestartRequired` to `add_message` method in `ipaserver.plugins.idrange.idrange_mod.post_callback`.
Tests:
Added `messages` with sssd restart required (`ipalib.messages.ServiceRestartRequired`) to cases with idrange_mod where output is expected in `ipatests.test_xmlrpc.test_range_plugin.test_range'.
Fixes: https://pagure.io/freeipa/issue/7708
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The test was not executing ipa automember-rebuild --type hostgroup.
The test has been extended to execute it twice: Once when it needs to fail
because there is an orphan automember rule. Also after this orphan
automember rule has been removed. Here the test needs to succeed.
Fixes: https://pagure.io/freeipa/issue/7891
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
With 389-DS 1.4.0.21, automember plugin also gets triggered on modify ops
by default. This means that a member manually removed gets automatically
re-added by the plugin.
This behavior can be disabled by setting autoMemberProcessModifyOps=off in
the entry cn=Auto Membership Plugin,cn=plugins,cn=config.
Before 389-DS 1.4.0.21, it was possible to remove a member and the member
did not get re-added (unless automember-rebuild was called). This former
behavior can be forced by setting autoMemberProcessModifyOps=off.
This commit fixes the test and checks the behavior when
autoMemberProcessModifyOps=off and when autoMemberProcessModifyOps=on.
Fixes: https://pagure.io/freeipa/issue/7855
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Update the IP address validation to raise different error messages
for:
- inability to reach IP address from a DNS name
- missing PTR records for IP address
- asymmetric PTR / forward records
If multiple scenarios apply, indicate the first error (from list
above).
The code should now be a bit easier to follow. We first build dicts
of forward and reverse DNS relationships, keyed by IP address. Then
we check that entries for each iPAddressName are present in both
dicts. Finally we check for PTR-A/AAAA symmetry.
Update the tests to check that raised ValidationErrors indicate the
expected error.
Part of: https://pagure.io/freeipa/issue/7451
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Integration tests are now using StartTLS with IPA's CA cert instead of
plain text connections.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The command 'ipa service-del badservice' used to fail with an internal
server error, because check_required_principal() could not handle a
principal that is not a service principal. All del commands have less
strict error checking of primary keys so they can reference any stored
key, even illegal ones.
check_required_principal() skips required principal check if the
principal is not a service principal. A non-service principal can never
be a required principal.
Fixes: https://pagure.io/freeipa/issue/7793
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
There were no xmlrpc tests for ipa user-find --certificate
or ipa host-find --certificate.
The commit adds tests for these commands.
Related to https://pagure.io/freeipa/issue/7770
Reviewed-By: Christian Heimes <cheimes@redhat.com>
pylint 2.2.0 has a new checker for unnecessary pass statements. There is
no need to have a pass statement in functions or classes with a doc
string.
Fixes: https://pagure.io/freeipa/issue/7772
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Pylint warns about inconsistent return statements when some paths of a
function return None implicitly. Make all implicit returns either
explicit or raise a proper exception.
See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add a xmlrpc test for ipa user-add/user-mod --radius-username
The command were previously failing because the objectclass
ipatokenradiusproxyuser was not automatically added when the
attribute ipatokenRadiusUserName was added to the entry.
The test ensures that the command is now succeeding.
Related to https://pagure.io/freeipa/issue/7569
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
It is a standard SELinux user role included in RHEL (like
user_r, staff_r, guest_r) and used quite often.
Fixes: https://pagure.io/freeipa/issue/7658
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Address a bug in the code block for attributeLevelRights for old clients.
The backward compatibility code for deprecated options was not triggered,
because the new name was checked against wrong dict.
Coverity Scan issue 323649, Copy-paste error
The copied code will not have its intended effect.
In postprocess_result: A copied piece of code is inconsistent with the
original (CWE-398)
See: Fixes: https://pagure.io/freeipa/issue/7753
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
If groups or hostgroups have been removed after automember rules have been
created using them, then automember-rebuild, automember-add, host-add and
more commands could fail.
A new command has been added to the ipa tool:
ipa automember-find-orphans --type={hostgroup,group} [--remove]
This command retuns the list of orphan automember rules in the same way as
automember-find. With the --remove option the orphan rules are also removed.
The IPA API version has been increased and a test case has been added.
Using ideas from a patch by: Rob Crittenden <rcritten@redhat.com>
See: https://pagure.io/freeipa/issue/6476
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
In Python 3, six.string_types is just an alias for str.
See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Python 2 had old style and new style classes. Python 3 has only new
style classes. There is no point to subclass from object any more.
See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
tox / pytest is complaining about lots and lots of invalid escape
sequences in our code base. Sprinkle raw strings or backslash escapes
across the code base to fix most occurences of:
DeprecationWarning: invalid escape sequence
There is still one warning that keeps repeating, though:
source:264: DeprecationWarning: invalid escape sequence \d
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Commands `ipa ca-show` and `ipa cert-show` share the same code,
this commit updates the former, closing the gap between them.
Reflecting the changes done in 5a44ca6383.
https://pagure.io/freeipa/issue/7628
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The indirect members need to be calculated and the member
attributes converted. This is normally done in
baseldap::LDAPRetrieve but these methods provide their
own execute() in order to handle the option values.
Update sudorule_add|remove_option tests to include check
that converted user/group exists in the proper format.
https://pagure.io/freeipa/issue/7649
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
The hard coded mindomainlevel needs to be increased to 1.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Python 3 has moved all collection abstract base classes to
collections.abc. Python 3.7 started to deprecate the old aliases.
The whole import block needs to be protected with import-error and
no-name-in-module, because Python 2 doesn't have collections.abc module and
collections.abc.Mapping, while Python 3 doesn't have collections.Mapping.
Fixes: https://pagure.io/freeipa/issue/7609
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Update regular expression validator to prevent user and group creation.
Fixes: https://pagure.io/freeipa/issue/7572
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Check if the given search records value is greater than an arbitrary number that is not so close to zero.
https://pagure.io/freeipa/issue/6617
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Test checks that no multiservers can be added for
radius proxy
Pagure: https://pagure.io/freeipa/issue/7542
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
A ref counting bug in python-ldap caused create and retrieve keytab
feature to fail. Additional tests verify, that
ipaallowedtoperform;write_keys attribute is handled correctly.
See: https://pagure.io/freeipa/issue/7324
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Allow services to be members of the groups, like users and other groups
can already be.
This is required for use cases where such services aren't associated
with a particular host (and thus, the host object cannot be used to
retrieve the keytabs) but represent purely client Kerberos principals to
use in a dynamically generated environment such as Kubernetes.
Fixes: https://pagure.io/freeipa/issue/7513
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add --skip-host-check option to ipa service-add command to allow
creating services without corresponding host object. This is needed to
cover use cases where Kerberos services created to handle client
authentication in a dynamically generated environment like Kubernetes.
Fixes: https://pagure.io/freeipa/issue/7514
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Both of these are legal: unconfined_u and unconfined.u
https://pagure.io/freeipa/issue/7510
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add absolute_import from __future__ so that pylint
does not fail and to achieve python3 behavior in
python2.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Allow hosts to delete services they own. This is an ACL that complements
existing one that allows to create services on the same host.
Add a test that creates a host and then attempts to create and delete a
service using its own host keytab.
Fixes: https://pagure.io/freeipa/issue/7486
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Update the certprofile tests to cover the various scenarios
concerning the profileId property in the profile configuration.
The scenarios now explicitly tested are:
- profileId not specified (should succeed)
- mismatched profileId property (should fail)
- multiple profileId properties (should fail)
- one profileId property, matching given ID (should succeed)
https://pagure.io/freeipa/issue/7503
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
On Travis CI, the DNS update in test case test_create_host_with_ip may fail
with different error messages. Relax the error message check and just
check that the test case is hitting a DNS update failure.
This fixes a flaky test case on CI.
Closes: https://pagure.io/freeipa/issue/7447
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
When ipa host-add --random is unable to add a reverse record (for instance
because the server does not manage any reverse zone), the command
adds the host but exits (return code=1) with an error without actually
outputing the random password generated.
With this fix, the behavior is modified. The commands succeeds (return code=0)
but prints a warning.
This commit also adds a unit test.
https://pagure.io/freeipa/issue/7374
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Replace all ldap.initialize() calls with a helper function
ldap_initialize(). It handles cacert and cert validation correctly. It
also provides a unique place to handle python-ldap 3.0 bytes warnings in
the future.
Fixes: https://pagure.io/freeipa/issue/7411
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add a xmlrpc test checking that a user cannot delete his last
OTP token.
Related to
https://pagure.io/freeipa/issue/7012
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
When ipa host-add --ip-address is called but no DNS server is able to answer
for the reverse zone, get_reverse_zone raises a NoNameservers exception.
The exception is not managed by add_records_for_host_validation, and this
leads to the command exiting on failure with an InternalError:
$ ipa host-add testhost.ipadomain.com --ip-address 172.16.30.22
ipa: ERROR: an internal error has occurred
A traceback is also logged in httpd error_log.
This commit properly handles the exception, and adds a test.
https://pagure.io/freeipa/issue/7397
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Several run() calls used hard-coded paths rather than pre-defined paths
from ipaplatform.paths. The patch fixes all places that I was able to
find with a simple search.
The fix simplifies Darix's port of freeIPA on openSuSE.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When the option --domain-resolution-order is used with the command
ipa idview-add, the resulting LDAP object stores the value in
ipadomainresolutionorder attribute.
The issue is that the add command does not add the needed object
class (ipaNameResolutionData) because it is part of
possible_objectclasses but not of object_class.
The fix makes sure to add the objectclass when the option
--domain-resolution-order is used, and adds a non-regression test.
Note that idview-mod does not have any issue as it correctly handles
the addition of missing possible objectclasses.
Fixes:
https://pagure.io/freeipa/issue/7350
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>