Add a test for ipautil.run() method called with runas parameter.
The test is using ipautil.run() to execute /usr/bin/id and
checks that the uid/gid are consistent with the runas parameter.
Note that the test needs to be launched by the root user
(non-privileged user may not have the rights to execute ipautil.run()
with runas parameter).
Related to: https://pagure.io/freeipa/issue/7681
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
- Add missing executable bits to all scripts
- Remove executable bits from all files that are not scripts,
e.g. js, html, and Python libraries.
- Remove Python shebang from all Python library files.
It's frown upon to have executable library files in site-packages.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
On multiple occasions, SRV query answers were not properly sorted by
priority. Records with same priority weren't randomized and shuffled.
This caused FreeIPA to contact the same remote peer instead of
distributing the load across all available servers.
Two new helper functions now take care of SRV queries. sort_prio_weight()
sorts SRV and URI records. query_srv() combines SRV lookup with
sort_prio_weight().
Fixes: https://pagure.io/freeipa/issue/7475
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add absolute_import from __future__ so that pylint
does not fail and to achieve python3 behavior in
python2.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The installer now checks that port 8080 is available and not in use by
any other application.
The port checker has been rewritten to use bind() rather than just
checking if a server responds on localhost. It's much more reliable and
detects more problems.
Original patch by m3gat0nn4ge.
Co-authored-by: Mega Tonnage <m3gat0nn4ge@gmail.com>
Fixes: https://pagure.io/freeipa/issue/7415
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
CertDB no longer makes any assumptions about the default db type of a NSS
DB. Instead it let's certutil decide when dbtype is set to 'auto'. This
makes it much easier to support F27 and F28 from a single code base.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
- Refactor CertDB to look up values from its NSSDatabase.
- Add run_modutil() helpers to support sql format. modutil does not
auto-detect the NSSDB format.
- Add migration helpers to CertDB.
- Add explicit DB format to NSSCertificateDatabase stanza
- Restore SELinux context when migrating NSSDB.
- Add some debugging and sanity checks to httpinstance.
The actual database format is still dbm. Certmonger on Fedora 27 does
neither auto-detect DB format nor support SQL out of the box.
https://pagure.io/freeipa/issue/7354
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
In case of an error, ipapython.ipautil.run() now raises an exception that
contains the error message of the failed command. Before the exception
only contained the command and error code.
The command is no longer collapsed into one string. The error message
and logging output contains the actual command and arguments with intact
quoting.
Example:
CalledProcessError(Command ['/usr/bin/python3', '-c', 'import sys; sys.exit(" ".join(("error", "XXXXXXXX")))'] returned non-zero exit status 1: 'error XXXXXXXX\n')
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
The Python 3 refactoring effort is finishing, it should be safe
to turn all scripts to run in Python 3 by default.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Several run() calls used hard-coded paths rather than pre-defined paths
from ipaplatform.paths. The patch fixes all places that I was able to
find with a simple search.
The fix simplifies Darix's port of freeIPA on openSuSE.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Replace raise nose.SkipTest with raise unittest.SkipTest
* Replace nose.tools.assert_equal(a, b) with assert a == b
* Replace nose.tools.raises with pytest.raises
* Convert @raises decorator to pytest.raises() but just for relevant
lines.
* Remove nose dependency
I left the nose_compat pytest plugin in place. It can be removed in
another request in case it is no longer used.
https://pagure.io/freeipa/issue/7301
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The new marker needs_ipaapi is used to mark tests that needs an
initialized API (ipalib.api) or some sort of other API services (running
LDAP server) to work. Some packages use api.Command or api.Backend on
module level. They are not marked but rather skipped entirely.
A new option ``skip-ipaapi`` is added to skip all API based tests. With
the option, only simple unit tests are executed. As of now, freeIPA
contains more than 500 unit tests that can be executed in about 5
seconds.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
pytest is setting an env var PYTEST_CURRENT_TEST to the test name + test
parameters. If parameters happen to contain NULL bytes, the putenv()
call fails with "ValueError: embedded null byte". The workaround uses
repr() of test parameters as parameter id.
See https://github.com/pytest-dev/pytest/issues/2957
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Prepare CertDB and NSSDatabase to support sqlite DB format. NSSDatabase
will automatically detect and use either old DBM or new SQL format. Old
databases are not migrated yet.
https://pagure.io/freeipa/issue/7049
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
https://pagure.io/freeipa/issue/7247
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
unsupported-assignment-operation is useful at times, make it only
local, not global.
https://pagure.io/freeipa/issue/6874
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
We have only one debug log level and it causes issues with py3.
...
File "/usr/lib/python3.5/site-packages/ipaserver/rpcserver.py", line 490, in marshal
response, version, pretty_print=self.api.env.debug >= 2
TypeError: unorderable types: str() >= int()
https://pagure.io/freeipa/issue/4985
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This parameter is unused in code. We are no longer testing if IP address
matches an interface in constructor.
https://pagure.io/freeipa/issue/4317
Reviewed-By: David Kupka <dkupka@redhat.com>
The test class depends on a working Kerberos configuration and session.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Ticket 6604 makes pylint and jsl optional dependencies. The change
is controversal, because some developers prefer that pylint and jsl
should be required unless explicitly disabled.
`make devcheck` is my answer to address the concerns. It's a superior
solution to `make lint` as pre-commit check. It combines several
additional checks under a single, easy rememberable and convenient make
target:
* build all
* acilint, apiclient, jslint, polint
* make check
* pylint under Python 2 and 3
* subset of unit test suite
https://fedorahosted.org/freeipa/ticket/6604
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
************* Module ipaserver.install.ipa_kra_install
ipaserver/install/ipa_kra_install.py:25: [W0402(deprecated-module), ] Uses of a deprecated module 'optparse')
************* Module ipapython.install.core
ipapython/install/core.py:163: [E1101(no-member), _knob] Module 'types' has no 'TypeType' member)
************* Module ipatests.test_ipapython.test_dn
ipatests/test_ipapython/test_dn.py:1205: [W1505(deprecated-method), TestDN.test_x500_text] Using deprecated method assertEquals())
************* Module ipa-ca-install
install/tools/ipa-ca-install:228: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member)
install/tools/ipa-ca-install:232: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member)
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Instead of using the kernel keyring, store the session cookie within the
ccache. This way kdestroy will really wipe away all credentials.
Ticket: https://pagure.io/freeipa/issue/6661
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
`__repr__` now returns more descriptive string containing the actual principal
name while keeping the ability to reconstruct the object from it.
This makes principal names visible in debug logs, easing troubleshooting a
bit.
https://fedorahosted.org/freeipa/ticket/6505
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The dnssec and secrets subpackages and the p11helper module depend on
ipaplatform.
Move them to ipaserver as they are used only on the server.
https://fedorahosted.org/freeipa/ticket/6474
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The module ipapython.dnssec.odsmgr is the only module in ipalib,
ipaclient, ipapython and ipaplatform that uses lxml.etree.
https://fedorahosted.org/freeipa/ticket/6469
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
The upcoming change to using python-cryptography for certificate
process will require a way to convert
``cryptography.x509.name.Name`` values to ``ipapython.dn.DN``.
Update the ``DN`` constructor to accept a ``Name``.
Part of: https://fedorahosted.org/freeipa/ticket/6398
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This commit removes or marks unused variables as "expected to be unused"
by using '_' prefix.
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Currently environments may use prefix /31 on point-to-point connections what
makes IPA validators to fail. IPA should not care if IP address is broadcast
or not. In some cases (when prefix is not specified) IPA cannot decide
properly if broadcast address is really broadcast.
This commit allows usage of broadcast addresses in:
* host plugin
* dns plugin
* server-installer
* client-installer
https://fedorahosted.org/freeipa/ticket/5814
Reviewed-By: David Kupka <dkupka@redhat.com>
Currently cloud environments uses heavily prefix /32 (/128) what makes
IPA validators to fail. IPA should not care if IP address is network or not.
This commit allows usage of network addresses in:
* host plugin
* dns plugin
* server-installer
* client-installer
https://fedorahosted.org/freeipa/ticket/5814
Reviewed-By: David Kupka <dkupka@redhat.com>
The CLI was not using session cookies for communication with IPA API.
The kernel_keyring code was expecting the keyname to be a string, but
in python 2 a unicode was supplied (the key is built using
ipa_session_cookie:%principal and principal is a unicode).
The patch fixes the assertions, allowing to store and retrieve the cookie.
It also adds a test with unicode key name.
https://fedorahosted.org/freeipa/ticket/5984
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Low-level unittests checking the correctness principal parsing.
https://fedorahosted.org/freeipa/ticket/3864
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Fixes current reimports and enables pylint check for them
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Our custom implementation of pylint checker is often broken by
incompatible change on pylint side. Using supported solutions (config
file, pylint plugins) should avoid this issue.
The plugin adds missing (dynamic) member to classes in abstract syntax
tree generated for pylint, instead of just ignoring missing members and
all sub-members. This should improve pylint detection of typos and
missing members in api. env and test config.
make-lint python script has been removed, to run pylint execute 'make
lint'
https://fedorahosted.org/freeipa/ticket/5615
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Wildcard imports should not be used.
Check for wildcard imports has been enabled in pylint.
Pylint note: options 'wildcard-import' causes too much false positive
results, so instead it I used 'unused-wildcard-import' option which has almost
the same effect.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The ipautil.run function now returns an object with returncode and
output are accessible as attributes.
The stdout and stderr of all commands are logged (unless skip_output is given).
The stdout/stderr contents must be explicitly requested with a keyword
argument, otherwise they are None.
This is because in Python 3, the output needs to be decoded, and that can
fail if it's not decodable (human-readable) text.
The raw (bytes) output is always available from the result object,
as is "leniently" decoded output suitable for logging.
All calls are changed to reflect this.
A use of Popen in cainstance is changed to ipautil.run.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Web UI tests were marked as tier1 tests.
The tier system is intended to be used together with CI system
to make sure the more complicated tests are being run only
when all of the basic functionality is working.
The system is using pytest's marker system. E.g. an invocation of
all tier1 tests with listing will look like:
$ py.test -v -m tier1 ipatests
or in case of out of tree tests:
$ ipa-run-tests -m tier1
Reviewed-By: Ales 'alich' Marecek <amarecek@redhat.com>
StringIO was renamed in Python 3. The import was was unused,
so remove it.
Files need to be opened in binary mode if bytes are written to them.
(For Python 2: on Linux, there's no practical difference between
text and binary mode)
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Add a customized Custodia daemon and enable it after installation.
Generates server keys and loads them in LDAP autonomously on install
or update.
Provides client code classes too.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In Python 3, different types are generally not comparable (except for equality),
and None can't be compared to None.
Fix cases of these comparisons.
In ipatest.util, give up on sorting lists if the sorting raises a TypeError.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Sort out the accepted types.
Handle Python 3's stricter separation between bytes and unicode.
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>