Commit Graph

15981 Commits

Author SHA1 Message Date
Rob Crittenden
48846e98e5 hbactest was not collecting or returning messages
hbactest does a number of internal searches, one of which
can exceed the configured sizelimit: hbacrule-find

Collect any messages returned from this call and display them
to the user on the cli.

Fixes: https://pagure.io/freeipa/issue/9486

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-12-19 12:58:50 +01:00
Endi S. Dewata
dc2ab91681 Remove unused pki_theme_* params
The pki_theme_enable and pki_theme_server_dir params are not
used by pkispawn so they can be removed.

Signed-off-by: Endi Sukma Dewata <edewata@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-12-19 12:51:46 +01:00
Mark Reynolds
6d3d191825 Issue 9497 - update debug logging in ipa_uuid
Fixes: https://pagure.io/freeipa/issue/9497

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-12-14 09:24:46 +01:00
Mark Reynolds
0007876f42 Issue 9497 - update debug logging in ipa-pwd-extop
Fixes: https://pagure.io/freeipa/issue/9497

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-12-14 09:24:46 +01:00
Mark Reynolds
6cd5a0847a Issue 9497 - update debug logging in ipa_otp_lasttoken
Fixes: https://pagure.io/freeipa/issue/9497

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-12-14 09:24:46 +01:00
Mark Reynolds
2a1d454c74 Issue 9497 - update debug logging in ipa_otp_counter
Fixes: https://pagure.io/freeipa/issue/9497

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-12-14 09:24:46 +01:00
Mark Reynolds
79b08556a4 Issue 9497 - update debug logging in ipa_modrdn
Fixes: https://pagure.io/freeipa/issue/9497

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-12-14 09:24:46 +01:00
Mark Reynolds
23ead1dc23 Issue 9497 - update debug logging in ipa_lockout
Fixes: https://pagure.io/freeipa/issue/9497

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-12-14 09:24:46 +01:00
Mark Reynolds
8a6361dc75 Issue 9497 - update debug logging in ipa_graceperiod
Fixes: https://pagure.io/freeipa/issue/9497

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-12-14 09:24:46 +01:00
Mark Reynolds
1a16130a9a Issue 9497 - Update logging in ipa_enrollment
Fixes: https://pagure.io/freeipa/issue/9497

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-12-14 09:24:46 +01:00
Mark Reynolds
3fd5d57ed6 Issue 9497 - Add new password policy logging function
Fixes: https://pagure.io/freeipa/issue/9497

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-12-14 09:24:46 +01:00
Florence Blanc-Renaud
25b58e6dea Webui: use service options to init Firefox driver
With selenium driver 4.10 and above, the API for Firefox driver
initialization has changed and does not use any more the
log_path argument.

The log path is now provided through a FirefoxService option
in the webdriver initialization.

Fixes: https://pagure.io/freeipa/issue/9492
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2023-12-11 11:51:43 +01:00
Florence Blanc-Renaud
9abb50eb1e test_install: restart services after date change
The test TestKRAinstallAfterCertRenew is moving the
date in the future in order to reach the grace period where
certmonger detects some certificates need to be renewed.
Restart the services after the date change.

Fixes: https://pagure.io/freeipa/issue/9405

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2023-12-11 09:55:20 +01:00
Florence Blanc-Renaud
53951ca860 test_external_idp: update code for selenium 4.10
The integration test is using selenium web driver to simulate a
user authentication with an external IdP. The user performs kinit
and is provided with a URL where he needs to authenticate.

The test was written for selenium API 4.9 and must be adapted to
the changes introduced in 4.10:
- the headless method has been deprecated
- executable_path argument has been deprecated

Fixes: https://pagure.io/freeipa/issue/9493
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2023-12-11 09:52:05 +01:00
Florence Blanc-Renaud
d61d1b059c Make test_external_ca.py compatible with crypto 41.0.0
The integration test test_external_ca.py is not compatible with
python-cryptography 41.0.0+.

The test is installing ipa server with an externally-signed CA cert
using a Microsoft Certificate Service profile:
ipa-server-install --external-ca --external-ca-type ms-cs
                    --external-ca-profile "1.2.3.4:10:200"
The command generates a CSR in /root/ipa.csr. The test reads the CSR,
extracts the extensions and compares with the requested extension
for the Microsoft Template.
With python-cryptography 41.0.0+, the extension can be decoded as
cryptography.x509.MSCertificateTemplate while with older version
the extension is decoded as cryptography.x509.UnrecognizedExtension.

Handle both cases properly.

Fixes: https://pagure.io/freeipa/issue/9490

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2023-12-11 09:49:47 +01:00
Florence Blanc-Renaud
5028b391f1 Integration tests: disable test_sso
Changes in ipa-tuura project are breaking the test
(removal of a script required for test preparation).
Disable the test until a solution is found in ipa-tuura.

Related: https://pagure.io/freeipa/issue/9476

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2023-12-04 15:58:07 +01:00
Christian Heimes
5deeee31c0 Add 'cache_dir' option to api.env
`api.env` now has a `cache_dir` option, which defaults to
`os.path.join(USER_CACHE_PATH, 'ipa')`. Schema cache, server info, and
KRA key cache use `api.env.cache_dir` as base directory. The option
allows application to set a custom cache directory.

Related: https://pagure.io/freeipa/issue/9438
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1513934
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-12-01 09:46:31 +01:00
Mark Reynolds
5c8614157d Issue 3656 - Extend schema function to return MAY or MUST attrs
Add new parameters to get_allowed_attributes() to return just MAY or MUST
attributes

Related: https://pagure.io/freeipa/issue/3656

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2023-11-28 17:09:32 +01:00
Alexander Bokovoy
7ee2d7d359 doc/designs: add description of identity mapping in IPA
Fixes: https://pagure.io/freeipa/issue/9477

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-11-28 17:02:47 +01:00
Alexander Bokovoy
6bc9e9d06e Remove upgrade test from Azure CI
It is already running in PR CI for all kinds of targets:

ipatests/prci_definitions/gating.yaml:        test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_latest.yaml:        test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_latest_389ds.yaml:        test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_latest_pki.yaml:        test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_latest_selinux.yaml:        test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_latest_testing.yaml:        test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_latest_testing_selinux.yaml:        test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_previous.yaml:        test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_rawhide.yaml:        test_suite: test_integration/test_upgrade.py

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-11-28 17:02:47 +01:00
Rafael Guterres Jeffman
60fe752da4 ipaserver/dcerpc: avoid logging stack trace in retrieve_anonymously
If an error occurred when searching for a DC a stack trace was logged,
and execution was aborted.

This patch allows execution to continue and log the error message that
caused the 'finddc' to fail.

Fixes: https://pagure.io/freeipa/issue/9484
Related: https://issues.redhat.com/browse/RHEL-12149

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-11-27 18:17:34 +01:00
Alexander Bokovoy
5e17c134aa Remove ipaserver.custodia.__init__.py
Use native Python namespaces instead.

Related: https://pagure.io/freeipa/issue/9467

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2023-11-27 18:15:44 +01:00
Antonio Torres
519685823b Update translations to FreeIPA master state
Signed-off-by: Antonio Torres <antorres@redhat.com>
2023-11-20 14:44:56 +01:00
Christian Heimes
d97d62dead docs: Mention that Keycloak requires openid scope
See: https://www.keycloak.org/docs/latest/upgrading/index.html#userinfo-endpoint-changes
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-11-17 11:56:19 -05:00
Rob Crittenden
f00b52ce6d ipatests: fix expected output for ipahealthcheck.ipa.host
ipa-healthcheck commit e69589d5 changed the output when a service
keytab is missing to not report the GSSAPI error but to report
that the keytab doesn't exist at all. This distinguishes from real
Kerberos issues like kvno.

Fixes: https://pagure.io/freeipa/issue/9482

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2023-11-16 15:51:03 -05:00
Rob Crittenden
d659d21b43 ipatests: ignore nsslapd-accesslog-logbuffering WARN in healthcheck
Log buffering is disabled in the integration tests so we can have all
the logs at the end. This is causing a warning to show in the 389-ds
checks and causing tests to fail that expect all SUCCESS.

Add an exclude for this specific key so tests will pass again.

We may eventually want a more sophisticated mechanism to handle
excludes, or updating the config in general, but this is fine for now.

Fixes: https://pagure.io/freeipa/issue/9400

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2023-11-16 15:51:03 -05:00
Jeremy Frasier
c63fe925fb Fixes: Python SyntaxWarnings about invalid escape sequences
Otherwise we get some SyntaxWarnings about invalid escape sequences
such as '\d' and '\{', e.g.:
  /usr/sbin/ipa-replica-manage:393: SyntaxWarning: invalid escape sequence '\{'
    data = re.match('\{replica (\d+) (ldap://.*:\d+)\}(\s+\w+\s+\w*){0,1}', ruv)
  /usr/sbin/ipa-replica-manage:721: SyntaxWarning: invalid escape sequence '\d'
    (re.sub(':\d+', '', x), y)
  /usr/sbin/ipa-replica-manage:726: SyntaxWarning: invalid escape sequence '\d'
    (re.sub(':\d+', '', x), y)

Fixes: https://pagure.io/freeipa/issue/9483

Signed-off-by: Jeremy Frasier <jeremy.frasier@gwe.cisa.dhs.gov>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2023-11-16 15:06:26 -05:00
Florence Blanc-Renaud
07e5637269 ipatests: fix expected output for ipahealthcheck.meta.services
ipa-healthcheck commit 31be12b introduced a change in the output
message when pki-tomcatd is not running.
With versions <= 0.12, the service name is displayed as
pki_tomcatd (with an underscore), but with 0.13+ it is
pki-tomcatd (with a dash).

Fixes: https://pagure.io/freeipa/issue/9460

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-11-13 16:39:52 -05:00
Rob Crittenden
caccd6c693 WIP: Get the PKI version from the remote to determine the argument
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2023-11-02 14:47:50 +01:00
Rob Crittenden
56a2bc5775 The PKI JSON API the revocation reason key may be case-sensitive
PKI 11.4.0 changed the reason keyword in the REST API from lower-case
to camel-case in https://github.com/dogtagpki/pki/commit/926eb221ce6

Use Reason instead of reason as the keyword for revocations
for PKI 11.4.0+

Related: https://pagure.io/freeipa/issue/9345

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2023-11-02 14:47:50 +01:00
Florence Blanc-Renaud
ed6fa6029d Handle samba changes in samba.security.dom_sid()
samba.security.dom_sid() in 4.19 now raises ValueError instead of
TypeError. Fix the expected exception.

Related: https://pagure.io/freeipa/issue/9466

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-10-23 13:35:01 +02:00
Florence Blanc-Renaud
d50624dce9 group-add-member fails with an external member
The command ipa group-add-member --external aduser@addomain.test
fails with an internal error when used with samba 4.19.

The command internally calls samba.security.dom_sid(sid) which
used to raise a TypeError but now raises a ValueError
(commit 9abdd67 on https://github.com/samba-team/samba).

IPA source code needs to handle properly both exception types.

Fixes: https://pagure.io/freeipa/issue/9466

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-10-19 13:57:40 -04:00
Sudhir Menon
9d49f403c2 ipatests: Skip the test failing due to FIPS policy
1. test_certmonger_reads_token_HSM test in test_installaton.py
is failing in FIPS/STIG mode with the below error.

SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY: Unable to import.
Error attempting to import private key in STIG mode

2. Adding the postfix config change, because there was a crash
seen in smtpd in FIPS mode.

ie. postconf -e smtpd_tls_fingerprint_digest=sha256

KCS: https://access.redhat.com/solutions/6958957

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-10-19 12:27:01 +02:00
Endi S. Dewata
1202d0149b Replace subsystem.select with CAInstance.is_crlgen_enabled()
The subsystem.select is not a reliable indicator to determine
whether the CA is a renewal master since there is no process in
PKI to update the param when the role of the instance changes
(from master to clone and vice versa) so the param has been
removed in PKI 11.5.

Instead, it's better to use CAInstance.is_crlgen_enabled() since
CRL generation is only enabled in a renewal master.

Signed-off-by: Endi Sukma Dewata <edewata@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-10-19 07:44:27 +02:00
Endi S. Dewata
44349cfa76 Remove unused hierarchy.select
The hierarchy.select param has been removed in PKI 11.5 so
it doesn't need to be updated in renew_ca_cert.in.

Signed-off-by: Endi Sukma Dewata <edewata@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-10-19 07:44:27 +02:00
Endi S. Dewata
5270d58a04 Enable LWCA monitor explicitly
Currently LWCA is only supported in IPA since the key
replication depends on Custodia, so LWCA is not actually
supported in regular PKI installation. However, currently
the AuthorityMonitor is enabled by default and it executes
a persistent search to monitor LWCA replication so it is
wasting resources in non-IPA environment.

To reduce unnecessary resource consumption the LWCA monitor
will be disabled by default in PKI, so IPA will need to
enable it explicitly for new and existing installations.

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-10-19 07:42:28 +02:00
Rob Crittenden
a8a923033b ipa-client: correct directory location by using constants instead
If something in the client sysrestore.state wasn't removed by
the installer a warning message was printed with an incorrect
location. Fix this by using constants instead.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-10-19 07:40:47 +02:00
Florence Blanc-Renaud
b6af3a43c7 ipalib: fix the IPACertificate validity dates
The class IPACertificate builds objects from x509 Certificate
objects and creates the not_valid_before and not_valid_after values
by converting to a timestamp + applying timezone delta to UTC + reading
from the timestamp. This results in applying twice the delta.

Use a simpler method that replaces the timezone info with UTC in the
datetime object.

Fixes: https://pagure.io/freeipa/issue/9462

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-10-16 14:46:45 -04:00
Rob Crittenden
62454574a1 Allow password policy minlength to be removed like other values
This is a side-effect of adding the libpwquality options. It
imposes its own hardcoded minimum password length so some care
was needed to ensure that it isn't set too low.

So if there are no libpwquality options used then it's fine to
have no minlength in the policy.

Fixes: https://pagure.io/freeipa/issue/9297

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2023-10-16 13:23:20 -04:00
Viktor Ashirov
fe005dd388 WebUI: update favicon.ico
I noticed that FreeIPA favicon is a bit squished. I would like to unsquish it.
And resize it to 32x32 pixels as it would look a bit better on HiDPI screens.

Fixes: https://pagure.io/freeipa/issue/9449

Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Carla Martinez <carlmart@redhat.com>
2023-10-05 07:38:05 +02:00
Florence Blanc-Renaud
430054db41 ipatests: fix test_ipactl_scenario_check
The test is comparing the PID of services before and after
calling ipactl start, expecting to have the same value.
It should not compare the pid for ipa-dnskeysyncd as this service
is automatically restarted upon failure.

Fixes: https://pagure.io/freeipa/issue/9415

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-10-04 09:20:44 -04:00
Florence Blanc-Renaud
e459e5b8bc ipatests: fix healthcheck test for --indent option
ipa-healthcheck --indent option expects an integer. The error
message changed with ipa-healthcheck 0.13.
Recent versions also check that the value is in the range 0-32.

The test must be compatible with old and new versions.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-10-04 09:17:52 -04:00
Florence Blanc-Renaud
f9075f9f77 ipatests: fix healthcheck test without DNS
ipa-healthcheck has added a new check for ipa-ca record
missing. The test needs to be adapted to handle the new check.

Fixes: https://pagure.io/freeipa/issue/9459

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-10-04 09:15:29 -04:00
Alexander Bokovoy
b22605ee54 Azure CI: increase memory for forced reenrollment test
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-10-04 08:37:28 -04:00
Alexander Bokovoy
48cfe6848c Increase memory usage for Azure CI upgrade test
The test often fails when running in parallel to other tests as very
little memory is left. 389-ds memory autotuning causes database backend
to refuse working in such cases. 389-ds team suggested more memory has
to be made available.

Increase RAM for this test to 2.5GB instead of 2.2GB.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-10-04 08:37:28 -04:00
Antonio Torres
fe223cde95 Update list of contributors
Signed-off-by: Antonio Torres <antorres@redhat.com>
2023-10-03 14:57:20 +02:00
Antonio Torres
843f4a7458 Update translations to FreeIPA master state
Signed-off-by: Antonio Torres <antorres@redhat.com>
2023-10-03 14:56:42 +02:00
Alexander Bokovoy
1a2cd7f408 Use datetime.timezone.utc instead of newer datetime.UTC alias
datetime.UTC alias was added in Python 3.11:
https://docs.python.org/3/library/datetime.html#datetime.UTC

datetime.timezone.utc was present since Python 3.2.

Since RHEL 9 is using Python 3.9, use more compatible variant.

Fixes: https://pagure.io/freeipa/issue/9454

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-09-29 15:06:33 -04:00
Christian Heimes
6aebfe74fb Add context manager to ipalib.API
`ipalib.API` instances like `ipalib.api` now provide a context manager
that connects and disconnects the API object. Users no longer have to
deal with different types of backends or finalize the API correctly.

```python
import ipalib

with ipalib.api as api:
    api.Commands.ping()
```

See: https://pagure.io/freeipa/issue/9443
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-09-29 12:57:06 +02:00
Florence Blanc-Renaud
8b70ee1ea8 Covscan issues: deadcode and Use after free
Covscan detected an unused value in ipa_kdb_principals.c
and a use-after-free in ipa-print-pac.c.

Fixes: https://pagure.io/freeipa/issue/9431

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-09-29 12:05:48 +02:00