Commit Graph

2530 Commits

Author SHA1 Message Date
Alexander Bokovoy
6c5f2bcb30 ipaldap: fix conversion from boolean OID to Python
In IPA framework we don't properly convert to Python bool type and just
return a string (TRUE or FALSE). This can be seen with many boolean
attributes, like

        Bool('idnsallowdynupdate?',
            cli_name='dynamic_update',
            label=_('Dynamic update'),
            doc=_('Allow dynamic updates.'),
            attribute=True,
            default=False,
            autofill=True
        ),

in 'ipa dnszone-show':

> > > api.Command.dnszone_show('ipa.test')['result']['idnsallowdynupdate']
['TRUE']

This is because we don't have the reverse (from LDAP to Python) mapping
for the LDAP boolean OID 1.3.6.1.4.1.1466.115.121.1.7.

When Web UI asks for the entry, it gets back JSON output that contains
this 'TRUE' value:

            "idnsallowdynupdate": [
                "TRUE"
            ],

Add proper mapping from LDAP to Python bool type. With this, a simple
'checkbox' type can be used in Web UI instead of a complex radio-box
setup.

Note that when IPA API is asked to return raw values, 'TRUE' and 'FALSE'
still returned. These are the actual LDAP boolean attribute values. Care
needs to be done in tests:

 - if output is from a command with --raw option, 'TRUE' or 'FALSE'
   should be expected

 - if output if from a normal (non-raw) command, True or False would be
   returned

Fixes: https://pagure.io/freeipa/issue/9171

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-06-10 09:25:27 +02:00
Rob Crittenden
d241d7405f Add tests for Random Serial Number v3 support
Extend existing tests and enabled random serial numbers
during installation. A subset of tests was identified that
exercise the code sufficiently to ensure proper operation.

Update the xml-rpc test to allow the new RSN version number
attribute.

Update some certificate tests where a specifc serial number
is expected.

Fixes: https://pagure.io/freeipa/issue/2016

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-06-09 08:35:15 +02:00
Rob Crittenden
83be923ac5 Add a new parameter type, SerialNumber, as a subclass of Str
Transmitting a big integer like a random serial number over
either xmlrpc or JSON is problematic because they only support
32-bit integers at best. A random serial number can be as big
as 128 bits (theoretically 160 but dogtag limits it).

Treat as a string instead. Internally the value can be treated
as an Integer to conversions to/from hex as needed but for
transmission purposes handle it as a string.

Fixes: https://pagure.io/freeipa/issue/2016

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-06-09 08:35:15 +02:00
Rob Crittenden
aedb73a90d Don't duplicate the LDAP gracelimit set in the previous test
Remove a duplicated policy change which sets the gracelimit
to 3.

We don't typically run tests individually but as a whole. If
we ever need to call this one test directly we can ignore
failures.

Fixes: https://pagure.io/freeipa/issue/9167

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-06-03 09:57:52 +02:00
Rob Crittenden
773d3cb45d Configure and enable the graceperiod plugin on upgrades
The graceperiod plugin was only being enabled on new
installations. Enable also on upgrade.

Loading a new plugin requires a restart. Do so if a
new one is configured.

Fixes: https://pagure.io/freeipa/issue/1539

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-06-02 15:24:22 -04:00
Rob Crittenden
e9d0208cac healthcheck: add tests for setting cli options in config file
Fixes: https://pagure.io/freeipa/issue/9136

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-06-02 11:12:18 +02:00
Michal Polovka
94dd9ef1d6
ipatests: tasks: add ipactl start, stop and restart
Include functions to manage IdM service using ipactl, in particular
starting, stopping and restarting the service.

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-06-02 10:04:37 +02:00
Michal Polovka
ce50d2255f
ipatests: RFE: Improve ipa-replica-install error message
Test for RFE: Improve error message with more detail for
ipa-replica-install command. If the replication agreement already
exists, check if the error message contains
a particular command needed to delete it.

Related: https://pagure.io/freeipa/issue/9162

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-06-02 10:04:37 +02:00
Michal Polovka
c18caaa7aa
ipatests: test_subids: test subid-match shows UID of the owner
ipa subid-match should show UID of the owner instead of DN.

Related: https://pagure.io/freeipa/issue/8977

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
2022-06-01 13:53:23 +02:00
Rob Crittenden
f347c3f230 Implement LDAP bind grace period 389-ds plugin
Add support for bind grace limiting per
https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-06

389-ds provides for alternative naming than the draft, using those
instead: passwordGraceUserTime for pwdGraceUserTime and
passwordGraceLimit for pwdGraceLoginLimit.

passwordGraceLimit is a policy variable that an administrator
sets to determine the maximum number of LDAP binds allowed when
a password is marked as expired. This is suported for both the
global and per-group password policies.

passwordGraceUserTime is a count per-user of the number of binds.

When the passwordGraceUserTime exceeds the passwordGraceLimit then
all subsequent binds will be denied and an administrator will need
to reset the user password.

If passwordGraceLimit is less than 0 then grace limiting is disabled
and unlimited binds are allowed.

Grace login limitations only apply to entries with the objectclass
posixAccount or simplesecurityobject in order to limit this to
IPA users and system accounts.

Some basic support for the LDAP ppolicy control is enabled such that
if the ppolicy control is in the bind request then the number of
remaining grace binds will be returned with the request.

The passwordGraceUserTime attribute is reset to 0 upon a password
reset.

user-status has been extended to display the number of grace binds
which is stored centrally and not per-server.

Note that passwordGraceUserTime is an operational attribute.

https://pagure.io/freeipa/issue/1539

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-05-30 17:24:22 +03:00
Armando Neto
1101b22b58 ipatests: update definitions for custom COPR nightlies
Vagrant templates for `pki-`, `389ds-` and `testing-` are no longer
needed after feature added by https://github.com/freeipa/freeipa-pr-ci/pull/463.

This updates the test definitions to use PR-CI's custom arguments with
standard `ci-master-f36` vagrant box.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-05-25 22:38:11 +02:00
Alexander Bokovoy
ee07c1542a Ignore dnssec-enable-related named-checkonf errors in test
Check and skip dnssec-enable-related issues in 9.18+ where dnssec-enable
option was removed completely.

Fixes: https://pagure.io/freeipa/issue/9157

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2022-05-25 20:05:42 +02:00
Florence Blanc-Renaud
952a77caef ipatests: add new test with --subid installer option
Add a new test for ipa-client-install --subid
Add a new test for ipa-server-install --subid

Related: https://pagure.io/freeipa/issue/9159
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-05-25 08:11:39 +03:00
Anuja More
9cc703fd0e ipatests: Add integration tests for External IdP support
Tests for [RFE]: Added integration tests for external IdP
authentication with keycloak-17 as identity provider.

Related : https://pagure.io/freeipa/issue/8805
Related: https://pagure.io/freeipa/issue/8803
Related: https://pagure.io/freeipa/issue/8804

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2022-05-23 08:38:40 +03:00
Anuja More
5ca4e8ee33 pr-ci definitions: add external idp related jobs.
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2022-05-23 08:38:40 +03:00
Francisco Trivino
49a1c1caaa
ipatests: Bump PR-CI latest templates to Fedora 36
Moving 'latest' to Fedora 36 and 'previous' to Fedora 35.
Update Rawhide template.

The following templates are updated:

- gating
- nightly_latest
- nightlñy_latest_selinux
- nightly_previous
- nightly_rawhide
- temp_commit

These are not updated as they will receive a new update after
"custom COPR" feature in PR-CI is merged:

- nightly_latest_389ds
- nightly_latest_pki
- nightly_latest_testing

Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2022-05-19 12:40:37 -03:00
Alexander Bokovoy
03a905eed9 external-idp: add XMLRPC tests for External IdP objects and idp indicator
Fixes: https://pagure.io/freeipa/issue/8804
Fixes: https://pagure.io/freeipa/issue/8803

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Sumit Bose <sbose@redhat.com>
2022-05-10 15:52:41 +03:00
Florence Blanc-Renaud
73daf6b50b ipatests: --no-dnssec-validation requires --setup-dns
The test test_ipahealthcheck.py::TestIpaHealthCheckWithoutDNS
is installing the server without DNS but calls the installer
with --no-dnssec-validation option.

Remove the --no-dnssec-validation option as it is incompatible
with a non-DNS setup.

Fixes: https://pagure.io/freeipa/issue/9152
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-05-08 09:32:02 +02:00
Sudhir Menon
92d8077304 ipatests: Adding --no-dnssec-validation option for healthcheck
healthcheck related tests are failing because of the below issue
"client @0x7f8ee47c4d48 : servfail cache hit (CD=0)"
and as a result healthcheck related packages are not downloaded on test
system.
Hence adding the --no-dnssec-validation option to install_master
and install_replica function

https://pagure.io/freeipa/issue/9151

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-05-06 09:09:09 -04:00
Alexander Bokovoy
862340a3a1 js tests: use latest grunt
Allow npm to install and use latest grunt that is compatible with newer
OpenSSL.

This, in turn, requires ATK interfaces to be present for the chromium
installed by puppeteer.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-05-05 15:04:28 +03:00
Alexander Bokovoy
53d9dafe2f Azure CI: don't force non-existing OpenSSL configuration anymore
Newer grunt will pull a PhantomJS that is compatible with newer OpenSSL
so the workaround is not needed anymore.

Additionally, OpenSSL 3.0 is more strict and does not tolerate
non-existing default configuration file.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-05-05 15:04:28 +03:00
Alexander Bokovoy
6a086eb220 Azure CI: temporarily add libldap_r.so symlink for python-ldap PIP use
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-05-05 15:04:28 +03:00
Alexander Bokovoy
64bbf31fd8 Switch Azure CI to Fedora 36 pre-release
Use fedora-toolbox:36 image as it is prepared to work with systemd and
sudo

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-05-05 15:04:28 +03:00
Alexander Bokovoy
46dc1c76ef web ui: do not provide Remove button in subid page
subid range management does not allow to delete ranges

If subid range was allocated, it cannot be removed because there might
be file objects associated with it on one of IPA clients.

In Web UI a button to remove the range should not be shown.

Remove corresponding test from the Web UI test for subid as the button
to remove the subid range is not present anymore.

Fixes: https://pagure.io/freeipa/issue/9150

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2022-05-05 10:08:45 +03:00
Florence Blanc-Renaud
3edd09a8d9 ipatests: remove test_rekey_keytype_DSA
The test is calling getcert rekey -G DSA in order to rekey
a certificate with a DSA key, but DSA support has been disabled
in the default crypto policy, and certmonger does not support it
any more (see the BZ
https://bugzilla.redhat.com/show_bug.cgi?id=2066439)

Remove the test as it's not relevant anymore. The rekey
operation is tested anyway in other tests:
- test_certmonger_rekey_keysize
- test_rekey_keytype_RSA
- test_rekey_request_id

Fixes: https://pagure.io/freeipa/issue/9140
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-05-04 13:45:02 -04:00
Alexander Bokovoy
4a7cc3467c docs: add plantuml and use virtual environment to generate docs
Documentation generator can be run inside Python virtual environment.
This allows to isolate from the system-wide changes and add Sphinx
extensions that aren't packaged in a distribution.

The only exception right now is plantuml package. We rely on plantuml to
generate diagrams and since it is written in Java, it cannot be
installed directly into the Python venv through 'pip' tool.

Fixes: https://pagure.io/freeipa/issue/9148

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2022-05-04 09:36:40 +03:00
Florence Blanc-Renaud
a10a48e1ec ipatests: update the expected sha256sum of epn.conf file
The file epn.conf has been updated when fixing issue 9145
and the test test_epn.py::TestEPN::test_EPN_config_file
is comparing its sha256sum with the checksum of the
shipped file from the package ipa-client-epn.

The expected checksum needs to be updated.

Fixes: https://pagure.io/freeipa/issue/9146
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-05-02 16:11:04 -04:00
Florence Blanc-Renaud
fbfd64fc2b ipatests: fix wrong condition in xfail_context for auto private grp
The tests
TestNonPosixAutoPrivateGroup::test_idoverride_with_auto_private_group
and
TestPosixAutoPrivateGroup::test_gidnumber_not_corresponding_existing_group
are expected to fail until SSSD fixes issues 5988 and 5989.
They currently define an xfail_context with a condition based on
sssd version but that condition is wrong (as of today, no version
of sssd provides the fix).

Remove the wrong condition so that the test is always expected to fail.

Fixes: https://pagure.io/freeipa/issue/9141
Reviewed-By: Anuja More <amore@redhat.com>
2022-04-25 09:04:17 +02:00
Armando Neto
c780504d47
ipatests: bump PR-CI rawhide template
Based on compose `20220413.n.0`.

Issue: https://github.com/freeipa/freeipa-pr-ci/issues/457

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-04-24 21:13:26 -03:00
Alexander Bokovoy
599792e863 ipatests: collect samba logs when setting up trust to AD
In many cases it is impossible to investigate test failures of
environments where a trust to Active Directory is establishe without
Samba logs.

Collect Samba logs by default and make sure Samba is configured with
higher log levels if we are going to configure IPA to setup trust to
Active Directory.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-04-13 18:37:12 +02:00
Mohammad Rizwan
10046ffb33 ipatests: extend find_segment with suffix param
topologysegment name can be different depending on suffix.
This patch determines and supply the name of topologysgement
as per the suffix

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-04-07 14:19:28 +02:00
Mohammad Rizwan
4514e8090a ipatests: fix the topologysegment-reinitialize command
There is no guarantee for the topologysegement name, it could be
master-to-replica or replica-to-master. If it is master-to-replica
then --right should be used with the command else --left.

Fixes: https://pagure.io/freeipa/issue/9137

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-04-07 14:19:28 +02:00
Alexander Bokovoy
27ab21658b ipatests: fix check for AD topology being present
Fixes: https://pagure.io/freeipa/issue/9133

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-03-28 16:34:04 +03:00
Alexander Bokovoy
5a42ab115e tests: ensure AD-SUPPORT subpolicy is active in more cases
Continuation of the commit 2eee5931d7:

    Use AD-SUPPORT subpolicy when testing trust to Active Directory in FIPS
    mode. This is required in FIPS mode due to AD not supporting Kerberos
    AES-bases encryption types using FIPS-compliant PBKDF2 and KDF, as
    defined in RFC 8009.

Fixes: https://pagure.io/freeipa/issue/9119

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
2022-03-25 10:23:38 +01:00
Sudhir Menon
67488d2342 ipatests: Test for pki.server.healthcheck.clones.connectivity_and_data
This test checks that when
'pki.server.healthcheck.clones.connectivity_and_data' check is run
'Source 'pki.server.healthcheck.clones.connectivity_and_data' not found'
is not displayed.

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2041995

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-03-22 08:37:51 +01:00
Florence Blanc-Renaud
e32bfd44ee ipatests: Fix a call to run_command with wildcard
The test is calling run_command with a list of arguments:
run_command(['rm', '-f', paths.CERTMONGER_REQUESTS_DIR + '/*'])
but this format does not support shell expansion.

Replace with a str parameter:
run_command('rm -fv' + paths.CERTMONGER_REQUESTS_DIR + '/*')

to make sure all the files in the directory are actually removed.

Fixes: https://pagure.io/freeipa/issue/8506
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-19 11:20:50 +01:00
Florence Blanc-Renaud
52ec9cc027 ipatests: remove certmonger tracking before uninstall
test_ipahealthcheck_expiring is moving the date in the future
in order to check that certmonger properly warns about expiring
certificates, then uninstalls the master.

The uninstallation randomly fails with a DBus error communicating
with certmonger because of a contention between certmonger being
waken up by the call to stop tracking certs and the certmonger
helpers trying to renew the certs.

The test is stopping PKI server, then moves the date in the future.
At this point, certmonger is still running (we are testing that
getcert list properly warns about near expiration). This means that
chances are high that certmonger has enough time to launch the CA helper
for renewal, that takes the lock. But since PKI is down, the helper
remains running for a while and does not release the lock. Then
certmonger is stopped, the tracking files are removed, certmonger is
restarted.

To avoid the contention, manually remove the tracking before
calling uninstall and remove the renewal lock file.

Fixes: https://pagure.io/freeipa/issue/9123
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-19 11:20:50 +01:00
Rob Crittenden
a283735fbf Remove the --no-sssd option from ipa-client-automount
This makes automount configurable only using sssd and not LDAP.
The reason is that authselect 1.3 no longer supports
user-nsswitch.conf which is where we made direct changes to the
nss configuration on Fedora/RHEL.

The equivalent option was removed from ipa-client-install in
https://pagure.io/freeipa/issue/7671

Fixes: https://pagure.io/freeipa/issue/9084

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-03-18 09:40:37 +01:00
Rob Crittenden
fe9be8c4a1 Convert values using _SYNTAX_MAPPING with --delattr
When an entry is loaded the incoming values are converted
into python datatypes automatically based on the _SYNTAX_MAPPING
value in ipaldap.

When using delattr to remove a mapped value it will fail because
the datatypes do not match up. For example date types are
datetime.datetime structions and won't match a generalized time
string.

So try to map the value to delete using _SYNTAX_MAPPING before
trying to remove the value. Fall back to trying to remove the
raw value if the mapping fails.

This won't work for some mapping types, DNs for example. Providing
only the RDN value for a DN-type, manager for example, lacks the
context to know how to construct the DN (RDN and contaner).

Fixes: https://pagure.io/freeipa/issue/9004

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-03-16 12:18:35 +02:00
Mohammad Rizwan
5a909cff8d ipatests: Check maxlife error message where minlife > maxlife specified
When minlife > maxlife specified on commandline, it says:
"ipa: ERROR: invalid 'maxlife': Maximum password life must be
greater than minimum."

But when minlife == maxlife specfied, It works.
This test check that error message says what exactly it does

related: https://pagure.io/freeipa/issue/9038

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-03-16 12:17:08 +02:00
Alexander Bokovoy
517ae594e1 test_krbtpolicy: skip SPAKE-related tests in FIPS mode
SPAKE is based on the crypto primitives which are not FIPS compliant
yet. This means that in FIPS mode use of 'hardened' authentication
indicator is not possible. Skip corresponding tests in FIPS mode.

Related: https://pagure.io/freeipa/issue/9119

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2022-03-16 11:14:35 +02:00
Alexander Bokovoy
621af275c3 test_otp: do not use paramiko unless it is really needed
paramiko cannot be used in FIPS mode. We have few tests that import
generic methods from test_otp (add_token/del_token) and those tests fail
in FIPS mode due to unconditional 'import paramiko'.

Instead, move 'import paramiko' to the ssh_2f() helper which is not used
in FIPS mode (the whole SSH 2FA test is skipped then).

Related: https://pagure.io/freeipa/issue/9119

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2022-03-16 11:14:35 +02:00
Rob Crittenden
9ac88216a0 ipatests: Give the subCA more time to be loaded by the CA
The subCA keys are loaded out-of-band after creation into the
CA so they may have been replicated but not loaded. Give more
time for them to appear in the remote CA.

Use a loop for the checking instead of a raw sleep because most
of the time this is very fast (< 15 seconds) but sometimes it
requires just a bit more. Allow up to 60 seconds.

To avoid output difference, strip the token name out of certutil
output. We don't care about the token a certificate is stored
in, the internal or the FIPS token. We just care that they exist
on both servers and that the keys match.

Apparently in some cases the token name is displayed and not in
others so lets normalize the output to make comparisons more
consistent.

Fixes: https://pagure.io/freeipa/issue/9096

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2022-03-15 08:36:18 +01:00
Stanislav Levin
5a00882eab pylint: Fix useless-suppression
Cleanup up no longer used Pylint's disables where possible.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
feab723c59 pylint: Fix deprecated-method for threading
As of Python3 `currentThread`, `thread.getName` are aliases for
`threading.current_thread()` and `threading.Thread.name`
respectively.

In Python3.10:
> bpo-43723: The following threading methods are now deprecated and
  should be replaced:
  currentThread => threading.current_thread()
  activeCount => threading.active_count()
  Condition.notifyAll => threading.Condition.notify_all()
  Event.isSet => threading.Event.is_set()
  Thread.setName => threading.Thread.name
  thread.getName => threading.Thread.name
  Thread.isDaemon => threading.Thread.daemon
  Thread.setDaemon => threading.Thread.daemon

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
851f6d48ac pylint: Fix consider-using-dict-items
Pylint 2.9 introduced new check:
> New checker consider-using-dict-items. Emitted when iterating over
dictionary keys and then indexing the same dictionary with the key
within loop body.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
f9d0fc8a8c pylint: Skip not-callable
The klass property is referenced to class attribute.
Today's Pylint doesn't support this.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
a1f0f2743d pylint: Fix no-member
Teach pylint or skip newly exposed no-members.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
e096478752 pylint: Skip isinstance-second-argument-not-valid-type
The type of value to be compared is class attribute.
Today's Pylint doesn't support this.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
31a9eb3783 pylint: Fix deprecated-decorator
Pylint 2.9 introduced new checker:
> The decorator is marked as deprecated and will be removed in the
  future.

- @abstractproperty has been deprecated since Python3.3 [0]
- @abstractclassmethod has been deprecated since Python3.3 [1]

[0]: https://docs.python.org/3/library/abc.html#abc.abstractproperty
[1]: https://docs.python.org/3/library/abc.html#abc.abstractclassmethod

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00