Commit Graph

12828 Commits

Author SHA1 Message Date
Florence Blanc-Renaud
a81ea9af19 ipatests: fix test_full_backup_and_restore
The test is failing when calling (on the replica)
    ipa-replica-manage re-initialize --from <master>
because the tool needs to resolve master.
The test does not set /etc/resolv.conf on the replica, as a
consequence it relies on whatever DNS server is configured in
your test environment prior to launching the test, and makes
the test unreliable.
In PR-CI env, /etc/resolv.conf points to the machine hosting
the replica vm, which is unable to resolve master.ipa.test.

The fix is modifying the replica's /etc/resolv.conf to use the
master as DNS.

Fixes https://pagure.io/freeipa/issue/7778

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-12-10 17:04:56 +01:00
Diogo Nunes
cdfbcd409f Fix f52e0e31f7 typo in tests label definition.
Signed-off-by: Diogo Nunes <dnunes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2018-12-07 17:44:05 +01:00
Thomas Woerner
a6862bd7af ipatests/test_integration/test_server_del.py: Enable dns in fw for dnssec
test_install_dns_on_replica1_and_dnssec_on_master now also enables the
dns servive in the firewall of the master.

See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-12-07 17:29:59 +01:00
Thomas Woerner
f86b410ff5 ipatests/test_integration/test_replica_promotion.py: Fix firewall config
The firewall needs to be configured before installing replicas.

See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-12-07 17:29:59 +01:00
Thomas Woerner
8e25ee64c8 ipatests/test_integration/test_backup_and_restore.py: No clean master uninstall
test_replica_install_after_restore is calling tasks.uninstall_master which
is disabling the firewall services for freeipa. The following ipa-restore
call is not reapplying the firewall settings. Calling tasks.uninstall_master
with clean=False will disable the firewall cleanup.

See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-12-07 17:29:59 +01:00
Thomas Woerner
228d1c81c0 ipatests integration/tasks.py: Honor clean for firewall in uninstall_master
This fix will make sure that the firewall services are only cleaned up if
the clean flag is True for example for backup and restore tests where the
clean flag is set to False for the server uninstall.

See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-12-07 17:29:59 +01:00
Oleg Kozlov
a0e09526b3 Check pager's executable before subprocess.Popen
Get the value of `PAGER` environment variable in case it's defined, check the executable, if it exists - use a pager, otherwise - print function.

Fixes: https://pagure.io/freeipa/issue/7746
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-12-07 14:06:29 +01:00
Diogo Nunes
03edd82d1a
PR-CI: Add gating tests to nightly_[master, f28, rawhide]
The objective of this change is to address the problem mentioned in this
thread: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org/message/FIOWT53LJMAZQYHOTT4BEAJX5Q6422LB/

Since the concept of nightly is being a superset of gating, the gating
tests are incorporated in nightly in this commit.

Fixes: https://pagure.io/freeipa/issue/7788

Signed-off-by: Diogo Nunes <dnunes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2018-12-07 09:44:34 -02:00
Christian Heimes
f52e0e31f7 Run idviews integration tests in nightly
See: https://pagure.io/freeipa/issue/6594
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-12-07 11:39:23 +01:00
Christian Heimes
5a2a7151d5 Add integration tests for idviews
Add several tests to verify new anchor override and general idview
override functionality.

Fixes: https://pagure.io/freeipa/issue/6594
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-12-07 11:39:23 +01:00
Christian Heimes
97e9e009bf Resolve user/group names in idoverride*-find
ipa idoverrideuser-find and ...group-find have an --anchor argument. The
anchor argument used to support only anchor UUIDs like
':IPA:domain:UUID' or ':SID:S-sid'. The find commands now detect regular
user or group names and translate them to anchors.

Fixes: https://pagure.io/freeipa/issue/6594
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-12-07 11:39:23 +01:00
Mohammad Rizwan Yusuf
e7581cc0d8
Test error when yubikey hardware not present
In order to work with IPA and Yubikey, libyubikey is required.
Before the fix, if yubikey added without having packages, it used to
result in traceback. Now it the exception is handeled properly.
It needs Yubikey hardware to make command successfull. This test
just check of proper error thrown when hardware is not attached.

related ticket : https://pagure.io/freeipa/issue/6979

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-06 14:33:14 +01:00
Christian Heimes
07e6d5148e Require Dogtag PKI 10.6.8-3
pki-core 10.6.7 was unpushed and never landed in Fedora stable. The
latest release is 10.6.8-3 with additional fixes. The new versions are
in testing and FreeIPA's master COPR.

Also remove dependency on JSS. The dependency was originally added as a
workaround. The pki-core package already requires a newer version of JSS.

Fixes: https://pagure.io/freeipa/issue/7654
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-05 11:35:45 +01:00
Florence Blanc-Renaud
4a938adca2 ipatests: fix TestUpgrade::test_double_encoded_cacert
The test is using a stale ldap connection to the master
(obtained before calling upgrade, and the upgrade stops
and starts 389-ds, breaking the connection).

The fix re-connects before using the ldap handle.

Related to https://pagure.io/freeipa/issue/7775

Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2018-12-05 11:09:23 +01:00
Florence Blanc-Renaud
a230153837 PKINIT: fix ipa-pkinit-manage enable|disable
The command ipa-pkinit-manage enable|disable is reporting
success even though the PKINIT cert is not re-issued.
The command triggers the request of a new certificate
(signed by IPA CA when state=enable, selfsigned when disabled),
but as the cert file is still present, certmonger does not create
a new request and the existing certificate is kept.

The fix consists in deleting the cert and key file before calling
certmonger to request a new cert.

There was also an issue in the is_pkinit_enabled() function:
if no tracking request was found for the PKINIT cert,
is_pkinit_enabled() was returning True while it should not.

Fixes https://pagure.io/freeipa/issue/7200

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-05 11:06:21 +01:00
Florence Blanc-Renaud
52c3c90875 ipatest: add test for ipa-pkinit-manage enable|disable
Add a test for ipa-pkinit-manage with the following scenario:
- install master with option --no-pkinit
- call ipa-pkinit-manage enable
- call ipa-pkinit-manage disable
- call ipa-pkinit-manage enable

At each step, check that the PKINIT cert is consistent with the
expectations: when pkinit is enabled, the cert is signed by IPA
CA and tracked by 'IPA' ca helper, but when pkinit is disabled,
the cert is self-signed and tracked by 'SelfSign' CA helper.

The new test is added in the nightly definitons.

Related to https://pagure.io/freeipa/issue/7200

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-05 11:06:21 +01:00
Alexander Bokovoy
7debb4deed Update translations from Zanata
Following translations were updated:
 - Spanish
 - Ukranian

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2018-12-05 11:03:10 +01:00
Mohammad Rizwan Yusuf
b7ae9f7a3f Test KRA installtion after ca agent cert renewal
KRA installtion was failing after ca-agent cert gets renewed.
This test check if the syptoms no longer exists.

related ticket: https://pagure.io/freeipa/issue/7288

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-05 11:00:52 +01:00
Varun Mylaraiah
83487c49f6
nightly_rawhide.yaml Added test_integration/test_ntp_options.py
Signed-off-by: Varun Mylaraiah <mvarun@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-12-03 13:58:19 +01:00
Varun Mylaraiah
715d1223dd
nightly_master.yaml Added test_integration/test_ntp_options.py
Signed-off-by: Varun Mylaraiah <mavrun@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-12-03 13:58:19 +01:00
Varun Mylaraiah
dde2aa4b16
ipatests: add tests for NTP options usage on server, replica, and client
The following tests are added in test_ntp_options.py :: TestNTPoptions
  - test_server_and_client_install_without_option_n
  - test_server_and_client_install_with_option_n
  - test_server_and_client_install_with_multiple_ntp_server
  - test_server_replica_and_client_install_with_ntp_pool_and_ntp_server
  - test_server_and_client_install_with_mixed_options
  - test_two_step_replica_install_using_ntp_options
  - test_two_step_replica_install_without_ntp_options

Details in the ticket: https://pagure.io/freeipa/issue/7719
and https://pagure.io/freeipa/issue/7723

Signed-off-by: Varun Mylaraiah <mvarun@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-12-03 13:58:19 +01:00
Thomas Woerner
3a7153c75c ipatests/test_integration/test_replica_promotion.py: Configure firewall
The tests in this file are calling ipa-[server,replica]-install directly
instead of using methods from tasks. Therefore it is required to enable
or disable the needed firewall services also.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2018-12-03 11:26:08 +01:00
Thomas Woerner
3ac830c7b4 ipatests/test_integration/test_dnssec.py: Enable dns firewall service
The dns firewall service needs to be enabled for the servers and replicas
where dns support has not been enabled at install time. Also it is needed
to enable the dns firewall service on the replica for migrating the dns
server to the replica.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2018-12-03 11:26:08 +01:00
Thomas Woerner
5a740144e0 ipatests/test_integration/test_http_kdc_proxy.py: Use new firewall import
Instead of using ip[6]tables commands, use new firewall class to deny
access to TCP and UDP port 88 on external machines using the OUTPUT chain.
The iptables calls in the install method are replaced by a
prepend_passthrough_rules call with the rules defined in the class.

The firewall rules are defined in the class as fw_rules without
--append/-A, --delete/-D, .. First entry of each rule is the chain name,
the argument to add or delete the rule will be added by the used Firewall
method. See firewall.py for more information.

The "iptables -F" call (IPv4 only) in the uninstall method is replaced by
a remove_passthrough_rules call with the rules defined in the class.

See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2018-12-03 11:26:08 +01:00
Thomas Woerner
d427e4b2ba ipatests/test_integration/test_forced_client_reenrollment.py: Use unshare
Instead of using iptables command, use "unshare --net" for uninstalling
client in the restore_client method.

The uninstall_client method has been extended with the additional argument
unshare (bool) which defaults to False. With unshare set, the call for
"ipa-client-install --uninstall -U" will be used with "unshare --net". The
uninstall command will not have network access.

See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2018-12-03 11:26:08 +01:00
Thomas Woerner
e3d134e66f ipatests/pytest_ipa/integration/tasks.py: Configure firewall
install_master: Enable firewall services freeipa-ldap and freeipa-ldaps by
default, enable dns if setup_dns is set and enable freeipa-trust if
setup_adtrust is set. The services are enabled after the master has been
successfully installed.

install_replica: Enable firewall services freeipa-ldap and freeipa-ldaps
by default, enable dns if setup_dns is set and enable freeipa-trust if
setup_adtrust is set. The services are enabled before the replica gets
installed and disabled if the installation failed.

install_adtrust: Enable firewall service freeipa-trust after
ipa-adtrust-install has been called.

uninstall_master: Disable services freeipa-ldap, freeipa-ldaps,
freeipa-trust and dns after ipa-server-install --uninstall -U has been
called.

install_dns: Enable firewall service dns after ipa-dns-install has been
called.

See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2018-12-03 11:26:08 +01:00
Thomas Woerner
fc70c78e45 New firewall support class in ipatests/pytest_ipa/integration/firewall
The new Firewall class provides methods to enable and disable a service,
service lists and also methods to apply a passthrough rule, also to add,
prepend and also remove a list of passthrough rules:

class Firewall
    __init__(host)
        Initialize with host where firewall changes should be applied
        Unmasks, enables and starts firewalld

    enable_service(service)
        Enable firewall service in firewalld runtime and permanent
        environment

    disable_service(service)
        Disable firewall service in firewalld runtime and permanent
        environment

    enable_services(services)
        Enable list of firewall services in firewalld runtime and
        permanent environment

    disable_services(services)
        Disable list of firewall services in firewalld runtime and
        permanent environment

    passthrough_rule(rule, ipv=None)
        Generic method to get direct passthrough rules to firewalld
        rule is an ip[6]tables rule without using the ip[6]tables command.
        The rule will per default be added to the IPv4 and IPv6 firewall.
        If there are IP version specific parts in the rule, please make
        sure that ipv is set properly.
        The rule is added to the direct sub chain of the chain that is
        used in the rule

    add_passthrough_rules(rules, ipv=None)
        Add passthough rules to the end of the chain
        rules is a list of ip[6]tables rules, where the first entry of each
        rule is the chain. No --append/-A, --delete/-D should be added
        before the chain name, beacuse these are added by the method.
        If there are IP version specific parts in the rule, please make
        sure that ipv is set to either ipv4 or ipv6.

    prepend_passthrough_rules(rules, ipv=None)
        Insert passthough rules starting at position 1 as a block
        rules is a list of ip[6]tables rules, where the first entry of each
        rule is the chain. No --append/-A, --delete/-D should be added
        before the chain name, beacuse these are added by the method.
        If there are IP version specific parts in the rule, please make
        sure that ipv is set to either ipv4 or ipv6.

    remove_passthrough_rules(rules, ipv=None)
        Remove passthrough rules
        rules is a list of ip[6]tables rules, where the first entry of each
        rule is the chain. No --append/-A, --delete/-D should be added
        before the chain name, beacuse these are added by the method.
        If there are IP version specific parts in the rule, please make
        sure that ipv is set to either ipv4 or ipv6.

See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2018-12-03 11:26:08 +01:00
Fraser Tweedale
8a835daf47 certupdate: add commentary about certmonger behaviour
It is not obvious why we "renew" (reuse only) the IPA CA certificate
in ipa-certupdate.  Add some commentary to explain this behaviour.

Related: https://pagure.io/freeipa/issue/7751
See also: https://github.com/freeipa/freeipa/pull/2576#issuecomment-442220840

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-03 10:32:36 +01:00
Christian Heimes
2616795b3b Update temp commit template to F29
The temp_commit.yaml template now uses F29 as well. It also contains all
topology configurations from the nightly jobs.

Fixes: https://pagure.io/freeipa/issue/7779
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2018-11-30 13:13:52 +01:00
Florence Blanc-Renaud
93e3fc4d89 ipatests: add upgrade test for double-encoded cacert
Create a test for upgrade with the following scenario:
- install master
- write a double-encoded cert in the entry
cn=cacert,,cn=ipa,cn=etc,$basedn
to simulate bug 7775
- call ipa-server-upgrade
- check that the upgrade fixed the value

The upgrade should finish successfully and repair
the double-encoded cert.

Related to https://pagure.io/freeipa/issue/7775

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-30 11:05:17 +01:00
Florence Blanc-Renaud
800f2690f5 ipa upgrade: handle double-encoded certificates
Issue is linked to the ticket
 #3477 LDAP upload CA cert sometimes double-encodes the value
In old FreeIPA releases (< 3.2), the upgrade plugin was encoding twice
the value of the certificate in cn=cacert,cn=ipa,cn=etc,$BASEDN.

The fix for 3477 is only partial as it prevents double-encoding when a
new cert is uploaded but does not fix wrong values already present in LDAP.

With this commit, the code first tries to read a der cert. If it fails,
it logs a debug message and re-writes the value caCertificate;binary
to repair the entry.

Fixes https://pagure.io/freeipa/issue/7775
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-30 11:05:17 +01:00
Diogo Nunes
25cfeea769 PR-CI: Move to Fedora 29 template, version 0.2.0
Enable testing (gating and nightly) to use the new F29 template.

Fixes: https://pagure.io/freeipa/issue/7779

Signed-off-by: Diogo Nunes <dnunes@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2018-11-30 10:03:29 +01:00
Adam Williamson
7aceca2da4 Fix authselect invocations to work with 1.0.2
Since authselect 1.0.2, invoking an authselect command sequence
like this:

['authselect', 'sssd', '', '--force']

does not work: authselect barfs on the empty string arg and
errors out. We must only pass a features arg if we actually have
some text to go in it.

This broke uninstallation.

In all cases, features are now passed as separate arguments instead of one
argument separated by space.

Fixes: https://pagure.io/freeipa/issue/7776
Signed-off-by: Adam Williamson <awilliam@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-29 16:57:33 +01:00
Francisco Trivino
8c650add34 prci_definitions: update vagrant memory topology requirements
Memory requirements for master and replica have been increased
due to OOM issues. This PR updates prci_definitions accordingly.

This PR also roll-back ipaserver mem reqs to the previous value
since the WebUI tests were split into different blocks.

Fixes https://pagure.io/freeipa/issue/7777

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2018-11-28 20:35:31 +01:00
Florence Blanc-Renaud
d2fa2ecb4b ipatests: add xmlrpc test for user|host-find --certificate
There were no xmlrpc tests for ipa user-find --certificate
or ipa host-find --certificate.
The commit adds tests for these commands.

Related to https://pagure.io/freeipa/issue/7770

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-27 17:20:35 -05:00
Florence Blanc-Renaud
372c2fc990 ipaldap.py: fix method creating a ldap filter for IPACertificate
ipa user-find --certificate and ipa host-find --certificate
fail to return matching entries, because the method transforming
the attribute into a LDAP filter does not properly handle
IPACertificate objects.
Directory Server logs show a filter with
(usercertificate=ipalib.x509.IPACertificate object at 0x7fc0a5575b90>)

When the attribute contains a cryptography.x509.Certificate,
the method needs to extract the public bytes instead of calling str(value).

Fixes https://pagure.io/freeipa/issue/7770

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-27 17:20:35 -05:00
Christian Heimes
3243498faa Increase debugging for blocked port 749 and 464
kadmin.service is still failing to start sometimes. List and check both
source and destination ports of listening and non-listening TCP and UDP
sockets.

See: https://pagure.io/freeipa/issue/7769
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2018-11-27 14:43:20 +01:00
Serhii Tsymbaliuk
07c163ca92
Fix "ID views" tests fail after running "Automember" tests
Clear default user/host group before deleting.

https://pagure.io/freeipa/issue/7771

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-27 14:20:34 +01:00
Christian Heimes
bb4b558164 Address misc pylint issues in CLI scripts
The CLI script files have additional pylint issues that were not noticed
before. The violations include using dict.keys() without directly
iterating of the result, inconsistent return statements and set([])
instead of set literals.

* dict-keys-not-iterating
* inconsistent-return-statements
* onsider-using-set-comprehensio

See: https://pagure.io/freeipa/issue/7772
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2018-11-26 16:54:43 +01:00
Christian Heimes
d8791f8f9b pylint: also verify scripts
Build all scripts in install/tools/ to check them with pylint, so that
``make pylint`` always checks all scripts. The script files are
generated by make.

Please note that fastlint does not check script files.

See: https://pagure.io/freeipa/issue/7772
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2018-11-26 16:54:43 +01:00
Christian Heimes
f800d8f8ca pylint: Fix duplicate-string-formatting-argument
pylint 2.2 has a checker for duplicate string formatting argument.
Instead of passing the same argument multiple times, reference the
argument by position.

See: https://pagure.io/freeipa/issue/7772
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2018-11-26 16:54:43 +01:00
Christian Heimes
533a5b2633 pylint 2.2: Fix unnecessary pass statement
pylint 2.2.0 has a new checker for unnecessary pass statements. There is
no need to have a pass statement in functions or classes with a doc
string.

Fixes: https://pagure.io/freeipa/issue/7772
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2018-11-26 16:54:43 +01:00
Christian Heimes
58053b2747 TestBackupAndRestoreWithReplica needs 2 replicas
The test case TestBackupAndRestoreWithReplica needs two replicas but
PR-CI just had topology: *master_1repl.

Fixes: https://pagure.io/freeipa/issue/7691
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-11-23 10:44:09 +01:00
Varun Mylaraiah
42fb0cc6a7 Added test for ipa-client-install with a non-standard ldap.conf file Ticket: https://pagure.io/freeipa/issue/7418
Signed-off-by: Varun Mylaraiah <mvarun@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2018-11-23 10:42:44 +01:00
François Cami
dd0490e1d8 Add a "Find enabled services" ACI in 20-aci.update so that all users can find IPA servers and services. ACI suggested by Christian Heimes.
Fixes: https://pagure.io/freeipa/issue/7691
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-21 15:41:00 +01:00
François Cami
a709da6748 Add a shared-vault-retrieve test
Add a shared-vault-retrieve test when:
* master has KRA installed
* replica has no KRA
This currently fails because of issue#7691

Related-to: https://pagure.io/freeipa/issue/7691
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-21 15:41:00 +01:00
Sergey Orlov
8182ebc6c3
ipatests: add test for ipa-restore in multi-master configuration
Test ensures that after ipa-restore on the master, the replica can be
re-synchronized and a new replica can be created.

https://pagure.io/freeipa/issue/7455

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-11-21 10:29:51 +01:00
Christian Heimes
8decef33d3 Unify and simplify LDAP service discovery
Move LDAP service discovery and service definitions from
ipaserver.install to ipaserver. Simplify and unify different
implementations in favor of a single implementation.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-11-21 08:57:08 +01:00
Florence Blanc-Renaud
d18b0d558b ipatests: add missing tests for test_replica_promotion.py
The following test was missing from nightly:
test_replica_promotion.py::TestReplicaInstallCustodia

Related to https://pagure.io/freeipa/issue/7743

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-21 07:36:01 +01:00
Florence Blanc-Renaud
19211257c6 ipatests: add missing tests for test_installation.py
Some tests were missing in the nightly:
- test_installation.py::TestInstallWithCA_DNS3
- test_installation.py::TestInstallWithCA_DNS4

Relates to https://pagure.io/freeipa/issue/7743

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-21 07:36:01 +01:00