Also had to recalculate entropy of the passwords as originally,
probability of generating each character was 1/256, however the
default probability of each character in the ipa_generate_password
is 1/95 (1/94 for first and last character).
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
After log in into webui there was 'Authenticating' sign even during loading metadata.
Now while data are loading there is 'Loading data' text. This change requires new global
topic 'set-activity' of activity widget. So for now there is possibility to change
every activity string during running phase just by publishing 'set-activity' topic
and setting new text as first parameter.
Part of: https://fedorahosted.org/freeipa/ticket/6144
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
The rpc module is now separated from display layer.
There are two new global topics:
- 'rpc-start' for showing the widget which indicates execution of rpc calls
- 'rpc-end' for hiding the widget which indicates execution of rpc calls.
These two global topics replace the original methods IPA.display_activity_icon() and
IPA.hide_activity_icon().
There is also new property of a command (notify_globally), which allows to turn off the widget
which indicates network activity. Instead of classic activity indicator there can be
called custom function at the beginning and at the end of network activity.
There are also changes in internal communication in rpc.js module. There are four new
events, two for calling on_success and on_error methods and two for calling custom functions
at the beginning and at the end of network activity.
https://fedorahosted.org/freeipa/ticket/6144
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Since commit 32b1743e5f, ca-find will fail
with internal error if --pkey-only is specified, because the code to
look up the CA certificate and certificate chain assumes that the ipaCAId
attribute is always present in the result.
Fix this by not attempting to lookup the certificate / chain at all when
--pkey-only is specified.
https://fedorahosted.org/freeipa/ticket/6178
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Let's replace some ugly hacks with proper pytest conftest.py hooks.
Test initialization of ipalib.api is now handled in
pytest_cmdline_main(). Pytest plugins, markers and ignores are also
moved into conftest.py. Additional guards make it possible to run tests
without ipaserver installed.
I added confcutdir to ensure that pytest does not leave our project
space. Pytest used pytest.ini or setup.py before but pytest.ini is gone.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
If we get to the `run-tests` phase, we no longer care about messages
from previous steps so we can truncate the log output to only show
pytest failures/errors, reducing log size.
As a fallback, the previous behaviour to print last 5000 log lines was
kept in the case the CI tests fail during setup.
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
This is a preparatory work for the future requirement of running
Python2/3 jobs simultaneously.
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
In order to speed our Travis CI gating even further, the lint step has
been split to a separate job that can be run in parallel with the test
runs. The test runs are in turn launched in developer mode to speed them
up.
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
this script is intended only for use in Travis CI and contains
configuration of the test run requested:
* it can run linter step separately by specifying TASK_TO_RUN="lint"
environment variable in .travis.yml. In this case it also runs
pep8 checker on the commits in PR.
* other steps are run in developer mode in order to skip pylint run
and speed up the task
* in all cases the CI result log is populated and can be displayed
if the job fails
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
This prevents Travis log collector to add separate expansion marks to
the echo output and the actuall log output.
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Distribution packaged ntpd has servers preconfigured in ntp.conf so
there's no point in trying to add them again during FreeIPA server
installation.
Also fix the code to always put fudge line right after the local server
line as required by ntpd.
https://fedorahosted.org/freeipa/ticket/6486
Reviewed-By: Petr Spacek <pspacek@redhat.com>
In client-only installations the ipaserver package is not available.
Additional guards prevent pylint to complain about missing ipaserver
package.
https://fedorahosted.org/freeipa/ticket/6468
Reviewed-By: Martin Basti <mbasti@redhat.com>
Fix adds enumerated list of available options in IPA server
installer and IPA CA installer help options
Fixes https://fedorahosted.org/freeipa/ticket/5435
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Revert from the current Release tag value `upstream` to the previously used
`0%{?dist}`, because:
* `0` sorts before `1`, which is usually used as the initial release number
in downstream packages,
* the information provided by `%{?dist}` is useful, as packages built on
one OS are not always installable on another OS.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Use PyASN1 with the PKCS#7 definitions from `pyasn1_modules` to parse
PKCS#7 in `pkcs7_to_pems()` instead of calling `openssl pkcs7` in a
subprocess.
https://fedorahosted.org/freeipa/ticket/6550
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
subjectAltName is required or relevant in most certificate use cases
(esp. TLS, where carrying DNS name in Subject DN CN attribute is
deprecated). Therefore it does not really make sense to have a
special permission for this, over and above "request certificate"
permission.
Furthermore, we already do rigorously validate SAN contents again
the subject principal, and the permission is waived for self-service
requests or if the operator is a host principal.
So remove the permission, the associated virtual operation, and the
associated code in cert_request.
Fixes: https://fedorahosted.org/freeipa/ticket/6526
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This is necessary to be able to successfully build archives in
environments controlled by an IPA domain which may have large uidNumbers
for user accounts.
tar-ustar allows UID/GID numbers only up to 2 million and by default a
new IPA installation can assigne UIDs in the billion range.
https://fedorahosted.org/freeipa/ticket/6418
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
In commit 822e1bc82a the call to create the
KRA agent PEM file was accidentally removed from the server installer.
Call into the KRA installer from the server installer to create the file
again.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Commit dbb98765d7 changed certmonger
requests for DS and HTTP certificates during installation to raise
on error (https://fedorahosted.org/freeipa/ticket/6514).
This introduced a regression in DL1 replica installation in CA-less
topology. A certificate was requested, but prior to the
aforementioned commit this would fail silently and installation
continued, whereas now installation fails.
Guard the certificate request with a check that the topology is
CA-ful.
Fixes: https://fedorahosted.org/freeipa/ticket/6573
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
RPM expands macros even inside comments in spec files, so the with_lint
macro is unintentionally always defined.
Escape the percent sign in '%global' in the comment to prevent this.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
As far as I can tell the tests are passing for some time in Jenkins so
maybe a bug in some underlying component was fixed. Let's remove
workarounds to make tests actually test real setups.
https://fedorahosted.org/freeipa/ticket/5348
Reviewed-By: Martin Basti <mbasti@redhat.com>
This small integration suite tests some basic operations using
kadmin.local interface on services in both kerberos and services
subtree.
https://fedorahosted.org/freeipa/ticket/6561
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
This allows for diagnose the output and error code of these operations.
Otherwise there is no way to infer their success or failure apart from
inspecting logs post-mortem.
https://fedorahosted.org/freeipa/ticket/6561
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
With the CoS templates now used to create additional password policies
per object type that are placed under the object subtrees, DAL driver
needs to search for the policies in the whole tree.
Individual policies referenced by the krbPwdPolicyReference attribute
are always searched by their full DN and with the base scope. However,
when KDC asks a DAL driver to return a password policy by name, we don't
have any specific base to search. The original code did search by the
realm subtree.
Fixes https://fedorahosted.org/freeipa/ticket/6561
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Certificate profiles consist of an FreeIPA object, and a
corresponding Dogtag configuration object. When updating profile
configuration, changes to the Dogtag configuration are not properly
authorised, allowing unprivileged operators to modify (but not
create or delete) profiles. This could result in issuance of
certificates with fraudulent subject naming information, improper
key usage, or other badness.
Update certprofile-mod to ensure that the operator has permission to
modify FreeIPA certprofile objects before modifying the Dogtag
configuration.
https://fedorahosted.org/freeipa/ticket/6560
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Python3 removed the getheaders() function and replaced it with a
get_all() one. Add compat code.
https://fedorahosted.org/freeipa/ticket/6558
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Result of {host,service}-{find,show} commands with option '--all' always contains
krbpwpolicyreference attributes.
https://fedorahosted.org/freeipa/ticket/6561
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Set explicitly krbPwdPolicyReference attribute to all hosts (entries in
cn=computers,cn=accounts), services (entries in cn=services,cn=accounts) and
Kerberos services (entries in cn=$REALM,cn=kerberos). This is done using DS's
CoS so no attributes are really added.
The default policies effectively disable any enforcement or lockout for hosts
and services. Since hosts and services use keytabs passwords enforcements
doesn't make much sense. Also the lockout policy could be used for easy and
cheap DoS.
https://fedorahosted.org/freeipa/ticket/6561
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
In client plugins make sure the api_version is 'inherited' from server command
that is internally called. Otherwise the api_version is obtained from client
API instance. When calling server command from client command 'version' is
passed in options and it overrides the right one. Server then refuses to handle
such call.
https://fedorahosted.org/freeipa/ticket/6539
Reviewed-By: Martin Basti <mbasti@redhat.com>
Spaces are causing problems in libtool, makefiles, autoconf itself, gettextize
framework etc. so this issue cannot be easily fixed.
Return on investment is too small to invest into this. Let's detect the
whitespace early and error out with descriptive error message.
https://fedorahosted.org/freeipa/ticket/6537
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
32b1743e5f introduced a regression in
test_serverroles.py, caused by ca_find attempting to log into the
Dogtag REST API. (ca_find is called by cert_find which is called by
server_del during cleanup).
Avoid logging into Dogtag in cert_find unless something actually
needs to be retrieved.
Fixes: https://fedorahosted.org/freeipa/ticket/6178
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
configure option --with/without-pylint was replaced by
--enable/disable-pylint. Pylint is always called as $(PYTHON) -m python.
If you need to override Pylint version, use command "make pylint PYTHON=xxx".
https://fedorahosted.org/freeipa/ticket/157
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
python3-samba is intentionally ommited because it is not in Fedora repos.
Pylint somehow magically ignores this missing package.
Keep in mind that server will not work until this this solved.
https://fedorahosted.org/freeipa/ticket/157
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Petr Viktorin recommended me to copy the whole build directory and run
configure twice, with different values for PYTHON variable.
After thinking a bit about that, it seems as cleanest approach.
Building for two versions of Python at the same time should be
temporary state so I decided not to complicate Autotools build system
with conditional spagetti for two versions of Python.
For proper Python2/3 distiction in the two separate builds, I added
find/grep/sed combo which replaces shebangs with system-wide Python
interpreter as necessary. This is workaround for the fact that FreeIPA
does not use setuptools properly. Honza told me that proper use of
setuptools is not trivial so we decided to go with this for now.
https://fedorahosted.org/freeipa/ticket/157
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Commint 2cbaf15604 introduced a regression
in API version comparison. In case that newer client is trying to call
older server an error is returned, but it should work. This commit fixes
it.
https://fedorahosted.org/freeipa/ticket/6468
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Checking of conflicts is not only done in topology container as
tests showed it can occurs elsewhere
https://fedorahosted.org/freeipa/ticket/6534
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
There was missing default value for evaluator adapter.
In that case the adapter variable could be undefined and
it crashes on building adapter. Therefore it did not
evaluate all evaluators. That is the reason why 'Delete'
and 'Add' buttons were incorrectly shown.
Default value is now set to empty object.
https://fedorahosted.org/freeipa/ticket/6546
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Samba 4.5 does not allow to specify access mode for the keytab (FILE: or
WRFILE:) from external sources. Thus, change the defaults to a path
(implies FILE: prefix) while Samba Team fixes the code to allow the
access mode prefix for keytabs.
On upgrade we need to replace 'dedicated keytab file' value with the
path to the Samba keytab that FreeIPA maintains. Since the configuration
is stored in the Samba registry, we use net utility to manipulate the
configuration:
net conf setparm global 'dedicated keytab file' /etc/samba/samba.keytab
Fixes https://fedorahosted.org/freeipa/ticket/6551
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
