dnsrecord_del fails when one of the record arguments is an empty list:
AttrValueNotFound("AAAA record does not contain 'None'",)
The problem is caused by the fact that LDAPEntry.__getitem__ returns None
for empty lists. The code in the plugin considers None as a single entry
and maps it to vals = [None].
The patch maps None to empty list.
Fixes: https://pagure.io/freeipa/issue/8196
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa-server no longer uses any files and features from the custodia
package. The python3-custodia package provides all Custodia features for
ipa-custodia.service.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When there are more external groups than the default limit, then
SSSD should fetch all groups.
Related : https://pagure.io/SSSD/sssd/issue/4058
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Due to https://pagure.io/SSSD/sssd/issue/4149 ipa-client-automount
fails to remove the ipa_automount_location entry from sssd.conf.
Test that autofs_provider and ipa_automount_location are removed.
Fixes: https://pagure.io/freeipa/issue/8190
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Call sssdconfig.save_domain(domain) after each configuration
change during ipa-client-automount --uninstall.
Previously, sssdconfig.save_domain(domain) was called only
outside of the domain detection loop which changed the domain
configuration. This introduced issues as this method's behavior
is only consistent when configuration items are removed in a
certain order: https://pagure.io/SSSD/sssd/issue/4149
Plus, it is more correct to save the configuration from within
the loop if ever we support multiple domains.
Fixes: https://pagure.io/freeipa/issue/8190
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Currently, such arguments are eaten by 'ipa-run-tests' script as they
are not quoted.
For example, running ipa-run-tests -k ''
results in an actual invocation like:
```
['/bin/sh',
'--norc',
'--noprofile',
'-c',
'--',
"/usr/bin/python3 -c 'import sys,pytest;sys.exit(pytest.main())' -o "
'cache_dir=/tmp/pytest-of-root/pytest-12/test_ipa_run_tests_empty_expression0/.pytest_cache '
'--confcutdir=/usr/lib64/python3/site-packages/ipatests -k ']
```
Note: expressions or marks could be empty as a result of the building
of command line args by more high-level tools, scripts, etc.
So, a short-term solution is the quoting of zero-length arguments.
Fixes: https://pagure.io/freeipa/issue/8173
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
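The zero-length argument problem from the commit message above, as an added example (not the ipa-run-tests code): it builds the `sh -c` command string with and without quoting, then splits it the way a POSIX shell would. The function names and the sample argument list are constructed for illustration.

```python
import shlex

# Constructed sample: arguments a wrapper forwards to pytest, where the
# expression after -k is deliberately empty.
SAMPLE_ARGS = ["--confcutdir=/usr/lib64/python3/site-packages/ipatests", "-k", ""]
PYTEST_CMD = "/usr/bin/python3 -c 'import sys,pytest;sys.exit(pytest.main())'"


def build_unquoted(args):
    """Join arguments verbatim: a zero-length argument leaves no token."""
    return " ".join([PYTEST_CMD] + list(args))


def build_quoted(args):
    """Quote every argument; shlex.quote('') returns two single quotes."""
    return " ".join([PYTEST_CMD] + [shlex.quote(a) for a in args])


def shell_view(command):
    """Tokens a POSIX shell would hand to pytest (interpreter prefix dropped)."""
    prefix_len = len(shlex.split(PYTEST_CMD))
    return shlex.split(command)[prefix_len:]


if __name__ == "__main__":
    print("unquoted:", shell_view(build_unquoted(SAMPLE_ARGS)))
    print("quoted:  ", shell_view(build_quoted(SAMPLE_ARGS)))
```

In the unquoted form `-k` arrives without its value, so the option parser sees a missing argument instead of an empty expression.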
We cannot gather information about required DNS records before "ADTrust
Controller" role is enabled on this server. As a result, we need to call
the step to add DNS records after the role was enabled.
Fixes: https://pagure.io/freeipa/issue/8192
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Added changes in topology for test_sssd.py,
as the test also needs a client.
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
If group contains @ in group name on AD,
then it should fetch successfully on ipa-client.
Related to: https://bugzilla.redhat.com/1746951
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
This is the first time running Pylint-2.4 over the whole IPA codebase.
```
Pylint on /usr/bin/python is running, please wait ...
internal error with sending report for module ['ipaserver/plugins/serverroles.py']
maximum recursion depth exceeded while calling a Python object
************* Module ipatests.test_integration.base
ipatests/test_integration/base.py:84: [W0125(using-constant-test), IntegrationTest.install] Using a conditional statement with a constant value)
************* Module ipaserver.install.ipa_cacert_manage
ipaserver/install/ipa_cacert_manage.py:522: [R1724(no-else-continue), CACertManage.delete] Unnecessary "elif" after "continue")
```
The latest Pylint (via the Tox task) checks only:
```
{envsitepackagesdir}/ipaclient \
{envsitepackagesdir}/ipalib \
{envsitepackagesdir}/ipapython
```
, while the distro-Pylint runs over the whole project, but it is not fresh.
That's why these warnings/errors weren't exposed before now.
Concerning `internal error`: a fix was accepted by upstream:
https://github.com/PyCQA/pylint/issues/3245, but hasn't been released yet.
Until that is done, Pylint just warns.
Related: https://pagure.io/freeipa/issue/8116
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
I added a comment in @d0b420f6d; later, when refactoring in
@c6769ad12, I forgot to remove it. So, it is just a cleanup.
Related: https://pagure.io/freeipa/issue/8116
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Pylint is a static analysis tool and therefore can't always
analyze dynamic stuff properly. Transformation plugins are a way
to teach Pylint how to handle such cases.
Particularly, with the help of FreeIPA's own plugin, it is possible
to tell Pylint about instance fields having a duck-typing nature.
A drawback exposed here is that a static view (Pylint's) of code
should be consistent with an actual one, otherwise, codebase will
be polluted with various skips of pylint checks.
* added missing fields to ipatests.test_integration.base.IntegrationTest
* an attempt is made to clear `no-member` skips for ipatests
* removed no longer needed `pytest` module transformation
Related: https://pagure.io/freeipa/issue/8116
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
With Astroid change [0] the inference for builtin containers
was improved. This means that all the elements of such containers
will be inferred if they are not Python constants (previously
ignored).
This change introduces several issues. One of them is a volatile
error exposed in multi-job Pylinting, but it can be reproduced
reliably in single-job mode as:
```
PYTHONPATH=. /usr/bin/python3 -m pylint --rcfile=./pylintrc \
--load-plugins pylint_plugins ipaserver/plugins/dns.py ipalib/request.py
ipalib/request.py:76: [E1101(no-member), destroy_context] Instance of 'bool' has no 'disconnect' member)
-----------------------------------
Your code has been rated at 9.97/10
```
Or even by adding 'context.some_attr = True' into ipalib/request.py.
It should be treated as no member of `context`'s attrs is a
`Connection` instance and has a `destroy_context` member.
To tell Pylint that there are such members the corresponding
transformation is added.
[0] https://github.com/PyCQA/astroid/commit/79d5a3a7
Related: https://pagure.io/freeipa/issue/8116
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
There is a race condition exposed in 'test_gpg_asymmetric'.
The teardown of 'tempdir' fixture and gpg-agent being called
from the teardown of 'gpgkey' fixture could simultaneously
remove the gnupg's socket files.
This results in an error like:
```
================= ERRORS ===================
_ ERROR at teardown of test_gpg_asymmetric __
...
> os.unlink(entry.name, dir_fd=topfd)
E FileNotFoundError: [Errno 2] No such file or directory: 'S.gpg-agent.extra'
/usr/lib64/python3.7/shutil.py:450: FileNotFoundError
```
The problem is that the agent is not terminated properly.
Instead, gpgconf could be used to kill daemonized gpg-agent.
Related: https://pagure.io/freeipa/issue/7989
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
nodejs:12 requires libicu-65.1 while gdb (not a direct dependency)
requires libicu-63.2. As a workaround gdb-minimal [0] could be used.
It's even better as it requires fewer packages to be downloaded
and then installed.
[0] https://fedoraproject.org/wiki/Changes/Minimal_GDB_in_buildroot
Co-authored-by: Stanislav Levin <slev@altlinux.org>
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This Pytest plugin is intended to issue warnings on collecting
tests, which employ unittest/nose frameworks or xunit style.
For example, this may look like:
"""
test_a/test_xunit.py:25
test_a/test_xunit.py:25: PytestDeprecationWarning: xunit style is deprecated
def test_foo_bar(self):
test_b/test_unittest.py:7
test_b/test_unittest.py:7: PytestDeprecationWarning: unittest is deprecated
def test_foo_bar(self):
"""
To treat these warnings as errors it's enough to run Pytest with:
-W error:'xunit style is deprecated':pytest.PytestDeprecationWarning
Related: https://pagure.io/freeipa/issue/7989
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Even though Pytest supports xunit style setups, unittest and nose
tests, this support is limited and may be dropped in the future
releases. Worst of all is that the mixing of various test
frameworks results in weird conflicts and of course, is not widely
tested.
This is a part of work to remove the mixing of test idioms in the
IPA's test suite:
1) replace unittest.TestCase subclasses
2) replace unittest test controls (SkipTest, fail, etc.)
3) replace unittest assertions
Related: https://pagure.io/freeipa/issue/7989
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Even though Pytest supports xunit style setups, unittest and nose
tests, this support is limited and may be dropped in the future
releases. Worst of all is that the mixing of various test
frameworks results in weird conflicts and of course, is not widely
tested.
This is a part of work to remove the mixing of test idioms in the
IPA's test suite:
1) replace xunit style
2) employ the fixtures' interdependencies
Related: https://pagure.io/freeipa/issue/7989
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
There is an ordering discrepancy because the base compat tree
configuration is in install/updates/80-schema_compat.update so it is run
after 50-externalmembers.update. And since at that point
cn=groups,cn=Schema ... does not exist yet, external members
configuration is not applied.
Move it around to make sure it is applied after Schema Compatibility
plugin configuration is created.
Fixes: https://pagure.io/freeipa/issue/8193
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The method modify_sssd_conf() is copying a remote sssd.conf file
to the test controller then uses sssd python API to modify the
config file.
When the test controller does not have sssd-common package installed,
SSSDConfig() call fails because the API needs sssd schema in order
to properly parse the config file, and the schema files are provided
by sssd-common pkg.
The fix also downloads the files representing sssd schema and calls
SSSDConfig() with those files. Using the schema from the test machine
is ensuring that config is consistent with the schema (if the sssd
version differs between controller and test machine for instance).
Note: we currently don't see any issue in the nightly tests because
the test controller is installed with sssd-common package but if you
run the tests as specified in https://www.freeipa.org/page/Testing
with a controller missing sssd-common, you will see the issue.
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
It checks if 'SSH public key fingerprint' is
not present in the output of the command
Related: https://pagure.io/freeipa/issue/8029
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The nightly tests for rawhide and updates_testing are expected
to set
update_packages: True
in all the job definitions to make sure that dnf/yum update is called
before starting the tests.
This tag was missing for some jobs, this commit fixes the issue.
Reviewed-By: Armando Neto <abiagion@redhat.com>
Add decorator to has_record method which repeats the check when an active facet is changed
(catch StaleElementReferenceException).
Ticket: https://pagure.io/freeipa/issue/8157
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
These new images have SELinux enabled in permissive mode. After
this all tests skipped because SELinux was disabled will be
executed again.
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Add a small timeout (up to 5 seconds) which prevents exceptions when
WebDriver attempts to click a button before it is rendered.
Ticket: https://pagure.io/freeipa/issue/8169
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
fedora-latest/temp_commit section was removed from
temp_commit.yaml file while working with PR4108, adding it back.
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Previously in order to enable the LDAP profile subsystem
the ca_enable_ldap_profile_subsystem() would check the
current value of the profile subsystem class parameter in
CS.cfg. If the parameter was still set to the default value
(i.e. ProfileSubsystem), the code would change it to
LDAPProfileSubsystem.
There is an effort in PKI to clean up the profile subsystem
classes which may require changing the default value for
this parameter. However, this improvement is blocked since
the ca_enable_ldap_profile_subsystem() is implicitly assuming
that the default value will always be ProfileSubsystem.
This patch modifies the code such that instead of checking
for a specific value that needs to be changed, it will check
whether it has the desired value already. This mechanism
will reduce potential conflicts with future PKI improvements.
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
When there is a directory mounted on the ipa-client,
then no "Unspecified GSS failure" should be in logs.
This is an integration test for :
https://bugzilla.redhat.com/show_bug.cgi?id=1759665
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Sumedh Sidhaye <ssidhaye@redhat.com>
No supported Linux distro packages a version of krb5 with this DAL, so
we don't lose anything by removing it.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Provide stubs for backward compatibility. DAL 8.0 was released with
krb5-1.18, which is part of Fedora 32+.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
In ac8865a22138ab0c657208c41be8fd6bc7968148 (between 1.17 and 1.18),
krb5 removed this flag, and always accepts aliases.
Related-to: https://pagure.io/freeipa/issue/7879
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Use a consistent way to label the tests. As a result, replace external_ca_1 with test_external_ca_TestExternalCA and external_ca_2 with test_external_ca_TestSelfExternalSelf to better reflect which subtest is executed.
Issue : freeipa/freeipa-pr-ci#336
Signed-off-by: Gaurav Talreja <gtalreja@redhat.com>
Reviewed-By: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Check that ipa-client-samba tool reports specific properties of domains:
name, netbios name, sid and id range
Related to https://pagure.io/freeipa/issue/8149
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Commit 49cf5ec64b fixed a bug that
prevented migration from externally-signed to self-signed IPA CA.
But it introduced a subtle new issue: certmonger-initiated renewal
renews an externally-signed IPA CA as a self-signed CA.
To resolve this issue, introduce the `--force-self-signed' flag for
the dogtag-ipa-ca-renew-agent script. Add another certmonger CA
definition that calls this script with the `--force-self-signed'
flag. Update dogtag-ipa-ca-renew-agent to only issue a self-signed
CA certificate if the existing certificate is self-signed or if
`--force-self-signed' was given. Update `ipa-cacert-manage renew'
to supply `--force-self-signed' when appropriate.
As a result of these changes, certmonger-initiated renewal of an
externally-signed IPA CA certificate will not issue a self-signed
certificate.
Fixes: https://pagure.io/freeipa/issue/8176
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This tests the following cases:
- deletion without nickname (expect fail)
- deletion with an unknown nickname (expect fail)
- deletion of IPA CA (expect fail)
- deletion of a root CA needed by a subCA (expect fail)
- deletion of a root CA needed by a subCA with --force (ok)
- deletion of a subca (ok)
As a side-effect this also tests install by installing the LE
root and a sub-ca. The sub-ca expires in 2021 but I tested in
the future the ipa-cacert-manage install doesn't do date
validation so for now this is ok.
https://pagure.io/freeipa/issue/8124
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This will allow for CA certificates to be dropped from the list
of certificates. It also allows for the trust flags to be
updated when an existing cert is dropped and re-added.
https://pagure.io/freeipa/issue/8124
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Before removing a CA re-verify all the other CAs to ensure that
the chain is not broken. Provide a force option to handle cases
where the CA is expired or verification fails for some other
reason, or you really just want them gone.
https://pagure.io/freeipa/issue/8124
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
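The chain re-verification described in the commit above, together with the deletion cases listed in the earlier test commit, as an added example (not the ipa-cacert-manage code). It is a simplified model that follows subject/issuer names only, with no signature or expiry checks; all names, the sample store and the rule that the IPA CA is refused even with force are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    nickname: str
    subject: str
    issuer: str


class DeleteRefused(Exception):
    pass


def chain_ok(cert, store):
    """True if cert reaches a self-signed root using only certs in store."""
    by_subject = {c.subject: c for c in store}
    seen, current = set(), cert
    while current.subject != current.issuer:
        if current.subject in seen:          # issuer loop, no root reached
            return False
        seen.add(current.subject)
        current = by_subject.get(current.issuer)
        if current is None:                  # issuer no longer in the store
            return False
    return True


def delete_ca(store, nickname, ipa_ca_nickname, force=False):
    """Return the store without `nickname`, or raise DeleteRefused."""
    if not nickname:
        raise DeleteRefused("a nickname is required")
    target = next((c for c in store if c.nickname == nickname), None)
    if target is None:
        raise DeleteRefused(f"unknown nickname: {nickname}")
    if nickname == ipa_ca_nickname:          # assumption: not overridable
        raise DeleteRefused("the IPA CA cannot be removed")
    remaining = [c for c in store if c is not target]
    # Re-verify every other CA against what would be left after removal.
    broken = [c.nickname for c in remaining if not chain_ok(c, remaining)]
    if broken and not force:
        raise DeleteRefused("removal breaks the chain of: " + ", ".join(broken))
    return remaining


def sample_store():
    """Constructed store: the IPA CA, an external root and its sub-CA."""
    return [
        Cert("IPA CA", "CN=IPA CA", "CN=IPA CA"),
        Cert("Example Root", "CN=Example Root", "CN=Example Root"),
        Cert("Example Sub CA", "CN=Example Sub CA", "CN=Example Root"),
    ]
```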
Rename job titles to match their test suites and how they are defined in nightly yamls.
Issue : https://github.com/freeipa/freeipa-pr-ci/issues/336
Signed-off-by: Gaurav Talreja <gtalreja@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Introduce a script that configures a local testing environment
with ipa default.conf, krb5.conf, and ca.crt from a server hostname.
The lite server configuration allows easy and convenient testing of
IPA server and client code. It uses an existing 389-DS and KRB5 KDC
server on another machine:
$ contrib/lite-setup.py master.ipa.example
$ source ~/.ipa/activate.sh
(ipaenv) $ kinit username
(ipaenv) $ make lite-server
IPA server UI is available on http://localhost:8888/ipa/
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The test suite test_winsyncmigrate was missing in nightly definitions
because CI was lacking configuration needed for establishing winsync
agreement: the Certificate Authority needs to be configured on
Windows AD instance. Now that PR-CI is updated to include said changes, we
can start executing this test suite. It is not reasonable to add it to
gating as this suite is time consuming just like other tests requiring
provisioning of AD instances.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The re.Pattern class was introduced in Python 3.7. Use duck-typing to
distinguish between str and re pattern object.
Fixes: https://pagure.io/freeipa/issue/8179
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
ipa_ldap_init(), ipa_tls_ssl_init(), and the bind operations of ipa-join
and ipa-getkeytab now print LDAP error string and LDAP diagnostic messages
to stderr.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
`vals` is often leaked during early exit. Refactor function to use a
single exit path to prevent this.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
`client` is not intended to be modified as a parameter of the AS check
function. Fixes an "incompatible pointer type" compiler warning.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>