Commit Graph

10182 Commits

Author SHA1 Message Date
Lenka Doudova
44a2bdd8ea Tests: Fix failing tests in test_ipalib/test_frontend
Some tests in ipatests/test_ipalib/test_frontend.py are failing due to changes
related to thin client implementation. Providing fix for:
  ipa.test_ipalib.test_frontend.test_Attribute.test_init
  ipa.test_ipalib.test_frontend.test_LocalOrRemote.test_run

https://fedorahosted.org/freeipa/ticket/6188

Reviewed-By: Milan Kubik <mkubik@redhat.com>
2016-08-17 17:41:08 +02:00
Lenka Doudova
380ffcc052 Tests: Fix failing tests in test_ipalib/test_parameters
Some of the tests are failing due to changes introduced because of thin client feature.

https://fedorahosted.org/freeipa/ticket/6187
https://fedorahosted.org/freeipa/ticket/6224

Reviewed-By: Milan Kubik <mkubik@redhat.com>
2016-08-17 17:39:08 +02:00
Tiboris
d25a0725c0 Added new authentication method
Addressing ticket https://fedorahosted.org/freeipa/ticket/5764

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-08-17 16:55:49 +02:00
Pavel Vomacka
c36d721a01 Add 'trusted to auth as user' checkbox
Add new checkbox to host and service details page

Prerequisite for: https://fedorahosted.org/freeipa/ticket/5764

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-08-17 16:41:38 +02:00
Alexander Bokovoy
1c73ac91a4 service: add flag to allow S4U2Self
Prerequisite for: https://fedorahosted.org/freeipa/ticket/5764

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-08-17 16:41:38 +02:00
Jan Cholasta
4ee426a68e server install: do not prompt for cert file PIN repeatedly
Prompt for PIN only once in interactive mode.

This fixes ipa-server-install, ipa-server-certinstall and
ipa-replica-prepare prompting over and over when the PIN is empty.

https://fedorahosted.org/freeipa/ticket/6032

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-08-17 15:11:55 +02:00
Stanislav Laznicka
fea56fefff Fail on topology disconnect/last role removal
Disconnecting topology/removing last-role-host during server
uninstallation should raise error rather than just being logged
if the appropriate ignore settings are not present.

https://fedorahosted.org/freeipa/ticket/6168

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-08-17 14:58:11 +02:00
David Kupka
6e6cbda036 compat: Fix ping command call
Remove extra argument from client.forward call.

https://fedorahosted.org/freeipa/ticket/6095

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-17 14:16:04 +02:00
David Kupka
4b43558b1c schema check: Check current client language against cached one
https://fedorahosted.org/freeipa/ticket/6204

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-17 14:16:04 +02:00
David Kupka
f2c26119f5 schema cache: Read schema instead of rewriting it when SchemaUpToDate
https://fedorahosted.org/freeipa/ticket/6048

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-17 14:16:04 +02:00
David Kupka
1b79ac67d7 client: Do not create instance just to check isinstance
Checking that classes are idenical gives the same result and
avoids unnecessary instantiation.

https://fedorahosted.org/freeipa/ticket/6048

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-17 14:16:04 +02:00
David Kupka
87a6f746bc schema cache: Store API schema cache in memory
Read whole cache into memory and keep it there for lifetime of api
object. This removes the need to repetitively open/close the cache and
speeds up every access to it.

https://fedorahosted.org/freeipa/ticket/6048

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-17 14:16:04 +02:00
David Kupka
6716aaedc8 schema cache: Read server info only once
Do not open/close the file with every access to plugins. Extensive
access to filesystem may cause significant slowdown.

https://fedorahosted.org/freeipa/ticket/6048

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-17 14:16:04 +02:00
David Kupka
83b46238e7 frontent: Add summary class property to CommandOverride
Avoid creating instance of overriden command to get its summary.

https://fedorahosted.org/freeipa/ticket/6048

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-17 14:16:04 +02:00
David Kupka
e45e29f337 Access data for help separately
To avoid the need to read all data for a plugin from cache and actualy
use the separately stored help data it must be requested and returned
separately.

https://fedorahosted.org/freeipa/ticket/6048

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-17 14:16:04 +02:00
David Kupka
134fd235a2 schema cache: Do not read fingerprint and format from cache
Fingerprint can be obtained from schema filename of from ServerInfo
instance. Use FORMAT in path to avoid openening schema just to read its
format.

https://fedorahosted.org/freeipa/ticket/6048

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-17 14:16:04 +02:00
David Kupka
ba16d99f37 schema cache: Do not reset ServerInfo dirty flag
Once dirty flag is set to True it must not be set back to False.
Otherwise changes are not written back to file.

https://fedorahosted.org/freeipa/ticket/6048

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-17 14:16:04 +02:00
Pavel Vomacka
ff51e43a3e Set servers list as default facet in topology facet group
Since there is a new warning about only one CA server, the default facet
of topology facet group is set to servers list where the warning is.
So the warning will be shown right after clicking on Topology section.

Part of: https://fedorahosted.org/freeipa/ticket/5828

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-08-17 13:54:57 +02:00
Pavel Vomacka
d45b0efe5d Add warning about only one existing CA server
It is not safe to have only one CA server in topology. Therefore there is a check
and in case that there is only one CA server a warning is shown. The warning is
shown after each refreshing of servers facet.

https://fedorahosted.org/freeipa/ticket/5828

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-08-17 13:54:57 +02:00
Jan Cholasta
8ad03259fe cert: do not crash on invalid data in cert-find
https://fedorahosted.org/freeipa/ticket/6150

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-08-17 13:45:50 +02:00
Jan Cholasta
c718ef0588 cert: speed up cert-find
Use issuer+serial rather than raw DER blob to identify certificates in
cert-find's intermediate result.

Restructure the code to make it (hopefully) easier to follow.

https://fedorahosted.org/freeipa/ticket/6098

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-08-17 13:45:50 +02:00
Petr Spacek
b73ef3d7f9 DNS: allow to add forward zone to already broken sub-domain
Errors during DNS resolution might indicate that forwarder is the
necessary configuration which is missing. Now we disallow adding a
forwarder only if the zone is normally resolvable without the forwarder.

https://fedorahosted.org/freeipa/ticket/6062

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-17 12:28:56 +02:00
Stanislav Laznicka
5776f1e900 Remove sys.exit from install modules and scripts
sys.exit() calls sometimes make it hard to find bugs and mask code that
does not always work properly.

https://fedorahosted.org/freeipa/ticket/5750

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-16 18:22:44 +02:00
Petr Spacek
d461f42f95 server upgrade: do not start BIND if it was not running before the upgrade
https://fedorahosted.org/freeipa/ticket/6206

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-16 14:33:17 +02:00
Petr Spacek
f2fe357219 DNS server upgrade: do not fail when DNS server did not respond
Previously, update_dnsforward_emptyzones failed with an exeception if
DNS query failed for some reason. Now the error is logged and upgrade
continues.

I assume that this is okay because the DNS query is used as heuristics
of last resort in the upgrade logic and failure to do so should not have
catastrophics consequences: In the worst case, the admin needs to
manually change forwarding policy from 'first' to 'only'.

In the end I have decided not to auto-start BIND because BIND depends on
GSSAPI for authentication, which in turn depends on KDC ... Alternative
like reconfiguring BIND to use LDAPI+EXTERNAL and reconfiguring DS to
accept LDAP external bind from named user are too complicated.

https://fedorahosted.org/freeipa/ticket/6205

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-16 14:23:30 +02:00
Ganna Kaihorodova
64c5340329 Fix for integration tests replication layouts
Domain level 0 doesn't allow to create replica file on CA-less master, testcases were skipped with Domain level 0

[https://fedorahosted.org/freeipa/ticket/6134]

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-08-16 12:55:40 +02:00
Simo Sorce
cf0816f415 Additional coverity fixes.
This are manual fixes for patches submitted upstream, and should be
picked up once a new asn1c is available.
They will be overridden if the code is regenerated before then.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-16 12:33:27 +02:00
Simo Sorce
512aa90bec Regenerate asn1 code
Regenerate the code with asn1c 0.9.27, this allows us to pick up a few
fixes for problems identified by coverity as well as other general bugfixes.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-16 12:33:27 +02:00
Ben Lipton
58d28b7410 Silence sshd messages during install
Fix for accidentally pushed commit c15ba1f9e8

During install we call sshd with no config file, sometimes leading to it
complaining about missing files or bad config options. Since we're just
looking for the return code to see if the options are correct, we can
discard these error messages.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-16 12:17:05 +02:00
Milan Kubík
b92b1d7d7f ipatests: Fix wrong fixture in kerberos principal alias test
https://fedorahosted.org/freeipa/ticket/6197

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-16 12:13:30 +02:00
Lenka Doudova
425291dc19 Fix malformed or missing docstrings in ipalib/messages
Some of the docstrings in ipalib/messages.py are malformed or missing
entirely. This causes test_ipalib/test_messages to fail due to non-matching
regex.

https://fedorahosted.org/freeipa/ticket/6215

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-16 11:59:35 +02:00
Lenka Doudova
f75735b16a Tests: test_ipalib/test_output fails due to change of Output behaviour
https://fedorahosted.org/freeipa/ticket/6189

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-16 11:56:49 +02:00
Lenka Doudova
71d0bc7c10 Tests: Add data attribute to messages
Tests test_ipalib/test_messages.py are failing because messages now contain
also 'data' attribute, which is not yet reflected in tests.

https://fedorahosted.org/freeipa/ticket/6185

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-16 11:56:49 +02:00
Stanislav Laznicka
0745c5d0f9 Don't show --force-ntpd option in replica install
Always run the client installation script with --no-ntp
option so that it does not show the message about --force-ntpd
option that does not exist in ipa-replica-install. The time
synchronization is done elsewhere anyway.

https://fedorahosted.org/freeipa/ticket/6046

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-11 15:33:35 +02:00
Peter Lacko
019f3611c2 Test URIs in certificate.
Test that CRL URI and OCSP URI are present and correct in generated certificate.

https://fedorahosted.org/freeipa/ticket/5881

Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-11 15:07:46 +02:00
Petr Vobornik
6217d680da ca-less tests: fix getting cert in pem format from nssdb
usage of ipautil.run in  get_pem methond of ca-less tests was not
refactored when the ipautil.run was refactored in
099cf98307

This results in failure of all CA-less test.

https://fedorahosted.org/freeipa/ticket/6177

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-10 16:53:33 +02:00
Stanislav Laznicka
9f26e395e5 Removed objectclass from LDAP*ReverseMember based tests
Some tests were broken because of the recent changes in baseldap (#5892)
as they were wrongly expecting an objectclass attribute.

https://fedorahosted.org/freeipa/ticket/6198

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-10 13:53:55 +02:00
Petr Spacek
80e544e7a9 install: Call hostnamectl set-hostname only if --hostname option is used
This commit also splits hostname backup and configuration into two separate
functions. This allows us to backup hostname without setting it at the
same time.

https://fedorahosted.org/freeipa/ticket/6071

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-10 10:48:05 +02:00
Petr Spacek
a83523e37e server-install: Fix --hostname option to always override api.env values
Attempts to compare local hostname with user-provided values are error
prone as we found out in #5794. This patch removes comparison and makes
the env values deterministic.

https://fedorahosted.org/freeipa/ticket/6071

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-10 10:48:05 +02:00
Jan Cholasta
20ee4a73e7 client: add missing output params to client-side commands
Add output params for the otptoken-add-yubikey, vault-add, vault-mod,
vault-archive and vault-retrieve commands.

This fixes the commands not having any output in CLI.

https://fedorahosted.org/freeipa/ticket/6182

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2016-08-10 10:27:00 +02:00
Jan Cholasta
e9c1d21b9f parameters: move the confirm kwarg to Param
Whether a parameter is treated like password is determined by the
`password` class attribute defined in the Param class. Whether the CLI will
asks for confirmation of a password parameter depends on the value of the
`confirm` kwarg of the Password class.

Move the `confirm` kwarg from the Password class to the Param class, so
that it can be used by any Param subclass which has the `password` class
attribute set to True.

This fixes confirmation of the --key option of otptoken-add, which is a
Bytes subclass with `password` set to True.

https://fedorahosted.org/freeipa/ticket/6174

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2016-08-10 08:51:39 +02:00
Petr Spacek
771dea5c6b client: RPM require initscripts to get *-domainname.service
https://fedorahosted.org/freeipa/ticket/4831

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-10 07:39:13 +02:00
Martin Basti
148e021ac1 ipa-backup: backup /etc/tmpfiles.d/dirsrv-<instance>.conf
This file allows daemon tmpfiles.d to re-create the dirs in volatile
directories like /var/run or /var/lock. Without this file Dirsrv will
not start.

https://fedorahosted.org/freeipa/ticket/6165

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-08-09 18:29:21 +02:00
Pavel Vomacka
0fdbad1e1a Fix unicode characters in ca and domain adders
Topology graph didn't show plus icons correctly.

There is a problem with uglifying of javascript code. It does not leave unicode character
written in hexadecimal format unchanged. Therefore this workaround which inserts
needed character using Javascript function and uglifiyng does not affect it.

https://fedorahosted.org/freeipa/ticket/6175

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-09 16:27:51 +02:00
Tomas Krizek
af4ebaca62 Fix ipa-caalc-add-service error message
When service is not found in ipa-caalc-add-service command, return the
entire principal name of the service instead of the first character.

https://fedorahosted.org/freeipa/ticket/6171

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-08-09 16:24:39 +02:00
Jan Cholasta
96db47cfa5 Revert "spec: add conflict with bind-chroot to freeipa-server-dns"
Remove the conflict, as bind-chroot caused issue only on systems with older
bind and bind-chroot - e.g. RHEL 6.

This reverts commit 3ab63fa6ba.

https://fedorahosted.org/freeipa/ticket/5696

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-08-09 16:20:32 +02:00
Stanislav Laznicka
bf6adfe69d Improvements for the ipa-cacert-manage man and help
The man page for ipa-cacert-manage didn't mention that some
options are only applicable to the install some to the renew
subcommand.

Also fixed a few missing articles.

https://fedorahosted.org/freeipa/ticket/6013

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-08-09 16:09:08 +02:00
Lukas Slebodnik
5fece5ff17 ipa-kdb: Fix unit test after packaging changes in krb5
Resolves:
https://fedorahosted.org/freeipa/ticket/6173

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-08-09 14:37:49 +02:00
Lukas Slebodnik
e7480bed27 ipa-kdb: Allow to build with samba 4.5
daemons/ipa-kdb/ipa_kdb_mspac.c: In function 'filter_logon_info':
daemons/ipa-kdb/ipa_kdb_mspac.c:1536:19: error: 'struct PAC_LOGON_INFO'
  has no member named 'res_group_dom_sid'
     if (info->info->res_group_dom_sid != NULL &&
                   ^~
daemons/ipa-kdb/ipa_kdb_mspac.c:1537:19: error: 'struct PAC_LOGON_INFO'
  has no member named 'res_groups'; did you mean 'resource_groups'?
         info->info->res_groups.count != 0) {
                   ^~
mv -f .deps/ipa_kdb_delegation.Tpo .deps/ipa_kdb_delegation.Plo
Makefile:806: recipe for target 'ipa_kdb_mspac.lo' failed
make[3]: *** [ipa_kdb_mspac.lo] Error 1
make[3]: *** Waiting for unfinished jobs....

Related change in samba
4406cf792a

Resolves:
https://fedorahosted.org/freeipa/ticket/6173

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-08-09 14:37:49 +02:00
Pavel Vomacka
58da5fb4b9 Add jslint into Makefile
Also put jsl into dependencies.

The patch also split lint target into more smaller targets.
The purpose of this change is to add possibility to run only
fast jslint by using make jslint and don't waste time with pylint,
which can take a lot of time.

https://fedorahosted.org/freeipa/ticket/6161

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-09 12:59:54 +02:00