Create a test for upgrade with the following scenario:
- install master
- write a double-encoded cert in the entry
cn=cacert,,cn=ipa,cn=etc,$basedn
to simulate bug 7775
- call ipa-server-upgrade
- check that the upgrade fixed the value
The upgrade should finish successfully and repair
the double-encoded cert.
Related to https://pagure.io/freeipa/issue/7775
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Issue is linked to the ticket
#3477 LDAP upload CA cert sometimes double-encodes the value
In old FreeIPA releases (< 3.2), the upgrade plugin was encoding twice
the value of the certificate in cn=cacert,cn=ipa,cn=etc,$BASEDN.
The fix for 3477 is only partial as it prevents double-encoding when a
new cert is uploaded but does not fix wrong values already present in LDAP.
With this commit, the code first tries to read a der cert. If it fails,
it logs a debug message and re-writes the value caCertificate;binary
to repair the entry.
Fixes https://pagure.io/freeipa/issue/7775
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Enable testing (gating and nightly) to use the new F29 template.
Fixes: https://pagure.io/freeipa/issue/7779
Signed-off-by: Diogo Nunes <dnunes@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Since authselect 1.0.2, invoking an authselect command sequence
like this:
['authselect', 'sssd', '', '--force']
does not work: authselect barfs on the empty string arg and
errors out. We must only pass a features arg if we actually have
some text to go in it.
This broke uninstallation.
In all cases, features are now passed as separate arguments instead of one
argument separated by space.
Fixes: https://pagure.io/freeipa/issue/7776
Signed-off-by: Adam Williamson <awilliam@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Memory requirements for master and replica have been increased
due to OOM issues. This PR updates prci_definitions accordingly.
This PR also roll-back ipaserver mem reqs to the previous value
since the WebUI tests were split into different blocks.
Fixes https://pagure.io/freeipa/issue/7777
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
There were no xmlrpc tests for ipa user-find --certificate
or ipa host-find --certificate.
The commit adds tests for these commands.
Related to https://pagure.io/freeipa/issue/7770
Reviewed-By: Christian Heimes <cheimes@redhat.com>
ipa user-find --certificate and ipa host-find --certificate
fail to return matching entries, because the method transforming
the attribute into a LDAP filter does not properly handle
IPACertificate objects.
Directory Server logs show a filter with
(usercertificate=ipalib.x509.IPACertificate object at 0x7fc0a5575b90>)
When the attribute contains a cryptography.x509.Certificate,
the method needs to extract the public bytes instead of calling str(value).
Fixes https://pagure.io/freeipa/issue/7770
Reviewed-By: Christian Heimes <cheimes@redhat.com>
kadmin.service is still failing to start sometimes. List and check both
source and destination ports of listening and non-listening TCP and UDP
sockets.
See: https://pagure.io/freeipa/issue/7769
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
The CLI script files have additional pylint issues that were not noticed
before. The violations include using dict.keys() without directly
iterating of the result, inconsistent return statements and set([])
instead of set literals.
* dict-keys-not-iterating
* inconsistent-return-statements
* onsider-using-set-comprehensio
See: https://pagure.io/freeipa/issue/7772
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Build all scripts in install/tools/ to check them with pylint, so that
``make pylint`` always checks all scripts. The script files are
generated by make.
Please note that fastlint does not check script files.
See: https://pagure.io/freeipa/issue/7772
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
pylint 2.2 has a checker for duplicate string formatting argument.
Instead of passing the same argument multiple times, reference the
argument by position.
See: https://pagure.io/freeipa/issue/7772
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
pylint 2.2.0 has a new checker for unnecessary pass statements. There is
no need to have a pass statement in functions or classes with a doc
string.
Fixes: https://pagure.io/freeipa/issue/7772
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
The test case TestBackupAndRestoreWithReplica needs two replicas but
PR-CI just had topology: *master_1repl.
Fixes: https://pagure.io/freeipa/issue/7691
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Add a shared-vault-retrieve test when:
* master has KRA installed
* replica has no KRA
This currently fails because of issue#7691
Related-to: https://pagure.io/freeipa/issue/7691
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Test ensures that after ipa-restore on the master, the replica can be
re-synchronized and a new replica can be created.
https://pagure.io/freeipa/issue/7455
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Move LDAP service discovery and service definitions from
ipaserver.install to ipaserver. Simplify and unify different
implementations in favor of a single implementation.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The following test was missing from nightly:
test_replica_promotion.py::TestReplicaInstallCustodia
Related to https://pagure.io/freeipa/issue/7743
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Some tests were missing in the nightly:
- test_installation.py::TestInstallWithCA_DNS3
- test_installation.py::TestInstallWithCA_DNS4
Relates to https://pagure.io/freeipa/issue/7743
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Some tests were missing from nightly definition:
test_external_ca.py::TestExternalCAdirsrvStop
test_external_ca.py::TestExternalCAInvalidCert
test_external_ca.py::TestMultipleExternalCA
Related to https://pagure.io/freeipa/issue/7743
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add a test checking that --password and --admin-password
options are mutually exclusive.
Related to https://pagure.io/freeipa/issue/6353
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Currently it is possible to run ipa-replica-install in one step,
and provide --password and --admin-password simultaneously.
This is confusing as --password is intended for one-time pwd
when the ipa-replica-install command is delegated to a user
who doesn't know the admin password.
The fix makes --password and --admin-password options
mutually exclusive.
Fixes https://pagure.io/freeipa/issue/6353
Reviewed-By: Christian Heimes <cheimes@redhat.com>
test_topology.py is failing because of a wrong scenario.
Currently, test_replica_uninstall_deletes_ruvs does:
- install master + replica with CA
- ipa-replica-manage list-ruv to check that the repl is
propery setup
- ipa-replica-manage del $replica
- (on replica) ipa-server-install --uninstall -U
- ipa-replica-manage list-ruv to check that replica
does not appear any more in the RUV list
When ipa-replica-manage del is run, the topology plugin
creates 2 tasks cleanallruvs (one for the domain, one for the ca)
and they are run asynchronously. This means that the ruvs may
still be present when the test moves forward and calls list-ruv.
The test should wait for the cleanallruvs tasks to finish before
checking that list-ruv does not display replica anymore.
Fixes https://pagure.io/freeipa/issue/7545
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Every now and then, a PR-CI job fails because rpcbind blocks the kadmin
port 749/UDP and kadmin.service fails to start. When NFS secure port is
configured, rpcbind reserves a random low port.
A new workaround detects the blocked port and restarts rpcbind.service.
See: https://pagure.io/freeipa/issue/7769
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Since LDAP operations used by ipa-kdb driver are synchronous, the
timeout specified here is blocking entire KDC. It is worth reducing the
timeout and since AS REQ processing timeout in KDC is 1 minute, reducing
the timeout for LDAP operations down to 30 seconds allows KDC to
respond promptly in worst case scenario as well.
Fixes: https://pagure.io/freeipa/issue/7217
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Add strip operator for test_suite definitions (in nightly_*.yaml) to prevent inserting line breaks.
https://pagure.io/freeipa/issue/7756
Reviewed-By: Christian Heimes <cheimes@redhat.com>
freeipa.spec.in is missing BuildRequires for python3-lib389. The
consequence is that make fasttest is failing.
Fixes https://pagure.io/freeipa/issue/7767
Reviewed-By: Christian Heimes <cheimes@redhat.com>
httpd-2.4+ has deprecated the Order, Allow and Deny directives. Use the Require directive instead.
Signed-off-by: Sudharsan Omprakash <sudharsan.omprakash@yahoo.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
conftest uses the Function attribute of a pytest.Function object. Latest
pytest has deprecated the attribute:
_pytest.warning_types.RemovedInPytest4Warning: usage of Function.Function
is deprecated, please use pytest.Function instead
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
PR https://github.com/freeipa/freeipa/pull/2554 added the '-e' option for CA
cert validation. Let's also verify signature, key size, and signing algorithm
of server certs. With the '-e' option, the installer and other
tools will catch weak certs early.
Fixes: pagure.io/freeipa/issue/7761
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
3 tests were missing from this test file in the nightly tests:
- TestBackupAndRestoreWithReplica
- TestBackupAndRestoreDMPassword
- TestReplicaInstallAfterRestore
one test was having the wrong name in nightly_rawhide:
TestUserRootFilesOwnershipPermission
Related to https://pagure.io/freeipa/issue/7743
Reviewed-By: Christian Heimes <cheimes@redhat.com>
When verifying a CA certificate, validate its signature. This
causes FreeIPA to reject certificate chains with bad signatures,
signatures using unacceptable algorithms, or certificates with
unacceptable key sizes. The '-e' option to 'certutil -V' was the
missing ingredient.
An an example of a problem prevented by this change, a certifiate
signed by a 1024-bit intermediate CA, would previously have been
imported by ipa-cacert-manage, but would cause Dogtag startup
failure due to failing self-test. With this change,
ipa-cacert-manage will reject the certificate:
# ipa-cacert-manage renew --external-cert-file /tmp/ipa.p7
Importing the renewed CA certificate, please wait
CA certificate CN=Certificate Authority,O=IPA.LOCAL 201809261455
in /tmp/ipa.p7 is not valid: certutil: certificate is invalid: The
certificate was signed using a signature algorithm that is
disabled because it is not secure.
Fixes: https://pagure.io/freeipa/issue/7761
Reviewed-By: Christian Heimes <cheimes@redhat.com>
In load_external_cert(), if verification fails for a certificate in
the trust chain, the error message contains the last subject name
from a previous iteration of the trust chain, instead of the subject
name of the current certificate.
To report the correct subject, look it up using the current
nickname.
Part of: https://pagure.io/freeipa/issue/7761
Reviewed-By: Christian Heimes <cheimes@redhat.com>
pylint 2.1.1-2 contains a backport of pylint's fix for RHBZ#1648299:
is_subclass_of fails with AttributeError: 'NoneType' object has no
attribute 'name'
pylint 2.1.1-2 is in @freeipa/freeipa-master COPR.
See: https://github.com/PyCQA/pylint/pull/2429
See: https://bugzilla.redhat.com/show_bug.cgi?id=1648299
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Test code performs comparison to itself in order to verify __eq__ and
__ne__ implementations.
See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
pytest.config is created dynamically.
See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Pylint warns about comparing callable. Replace equality with identity
test.
See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Ignore new consider-using-enumerate warning for now and clean up code
later.
See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Pylint warns about inconsistent return statements when some paths of a
function return None implicitly. Make all implicit returns either
explicit or raise a proper exception.
See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Teach pylint that env instance has lite_* members
See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
pycodestyle both complains about "W504 line break after binary operator"
and "W503 line break before binary operator" when all warnings are
enabled. FreeIPA already ignores W504 in travis config. Let's ignore it
in fastcheck, too.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
