Commit Graph

12149 Commits

Author SHA1 Message Date
amitkuma
951e5db10c Correcting detect typo in server.m4
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-04-05 11:25:01 +02:00
amitkuma
5a4e358b00 Correction of management spelling.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-04-04 10:23:18 +02:00
Christian Heimes
6aca027ecc Fix installer CA port check for port 8080
The installer now checks that port 8080 is available and not in use by
any other application.

The port checker has been rewritten to use bind() rather than just
checking if a server responds on localhost. It's much more reliable and
detects more problems.

Original patch by m3gat0nn4ge.

Co-authored-by: Mega Tonnage <m3gat0nn4ge@gmail.com>
Fixes: https://pagure.io/freeipa/issue/7415
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-04 08:58:48 +02:00
Felipe Barreto
a947695ab0 Fix TestSubCAkeyReplication providing the right path to pki log
The pki debug log has its name in this format: debug.<date>.log. This commit
changes the code to use this format, fixing the test.

Unfortunately, it's not possible to use some kind of regex (like debug.*.log)
to get the file, because python multihost gets the path and tries to open
(using the "open" python function) the file with that.

https://pagure.io/freeipa/issue/7095

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-04-03 14:20:18 +02:00
Felipe Barreto
6b145bf3e6 temp commit: adding test to PR CI run
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-03 08:10:01 +02:00
Felipe Barreto
e7c4f77d0d Adding right parameters to install IPA in TestInstallMasterReservedIPasForwarder
When installing ipa in interactive mode, it's necessary to provide the
hostname. This will make the test pass.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-03 08:10:01 +02:00
Christian Heimes
d705320ec1 Temporarily disable authconfig backup and restore
The authconfig command from authselect-compat-0.3.2-1 does not support
backup and restore at all. Temporarily disable backup and restore of
auth config to fix broken ipa-backup.

Fixes: https://pagure.io/freeipa/issue/7478
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-03 08:07:46 +02:00
Christian Heimes
64438f8619 Cleanup and remove more files on uninstall
* /etc/nsswitch.conf.ipabkp
* /etc/openldap/ldap.conf.ipabkp
* /var/lib/ipa/sysrestore/*
* /var/named/dyndb-ldap/ipa/
* /var/lib/dirsrv/scripts-%s/

See: https://pagure.io/freeipa/issue/2694
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-03-28 21:18:48 +02:00
Petr Vobornik
70c6da9c54 webui tests: fix test_host:test_crud failure
test_host.py::test_host::test_crud fails in nightly tests in delete record
step.

It started to fail probably after commit 4295df17a4
which changed host-add behavior into showing a warning message about DNS resolution
instead of raising an error. This warning notification stays displayed for some
time, as all longer, notifications. By being open it takes some area on the page.
Given that webui tests proceeds quicker than a user, the notification can
cover some elements.

The test fails because web driver cannot click on an element which is covered
by the notification. In this case, it cannot open a deleter dialog.

So the fix is to close the notification(s). This is OK since a user would do
it as well if it was in a way.

This kind of issue is harder to reproduce when testing locally because
most people uses screen resolution 1920x1200 or full HD. PR-CI uses
1400x1200 for web ui testing.
  /usr/bin/Xvfb $DISPLAY -ac -noreset -screen 0 1400x1200x8

So alternative fix would be to change resolution used by the PR-CI. Combination
of both could be the best.

https://pagure.io/freeipa/issue/7468

Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2018-03-28 15:31:27 +02:00
Alexander Bokovoy
34d06b2be7 Allow anonymous access to parentID attribute
Due to optimizations in 389-ds performed as result of
https://pagure.io/389-ds-base/issue/49372, LDAP search filter
is rewritten to include parentID information. It implies that parentID
has to be readable for a bound identity performing the search. This is
what 389-ds expects right now but FreeIPA DS instance does not allow it.

As result, searches with a one-level scope fail to return results that
otherwise are matched in a sub scope search.

While 389-ds developers are working on the fix for issue
https://pagure.io/389-ds-base/issue/49617, we can fix it by adding an
explicit ACI to allow reading parentID attribute at the suffix level.

Fixes: https://pagure.io/freeipa/issue/7466
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-03-28 15:29:00 +02:00
Fraser Tweedale
0176e1a68a Add commentary about PKI admin password
Add a note in cainstance.configure_instance that "admin_password" is
the password to be used for the PKI admin account, NOT the IPA admin
password.  In fact, it is set to the Directory Manager password.

This comment would have saved me some time during recent
investigation of a replica installation issue.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-03-28 12:42:11 +02:00
Fraser Tweedale
421fc376cc Fix upgrade when named.conf does not exist
Commit aee0d2180c adds an upgrade step
that adds system crypto policy include to named.conf.  This step
omitted the named.conf existence check; upgrade fails when it does
not exist.  Add the existence check.

Also update the test to add the IPA-related part of the named.conf
config, because the "existence check" actually does more than just
check that the file exists - it also check that it contains the IPA
bind-dyndb-ldap configuration section.

Part of: https://pagure.io/freeipa/issue/4853

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-03-28 12:30:31 +02:00
amitkuma
b0d8c6c211 clear sssd cache when uninstalling client
The SSSD cache is not cleared when uninstalling an IPA client. For tidiness we should wipe the cache. This can be done with sssctl.
Note that this tool is in sssd-tools which is not currently a dependency.

Resolves: https://pagure.io/freeipa/issue/7376
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-03-26 15:16:54 +02:00
amitkuma
ccec8c6c41 clear sssd cache when uninstalling client
The SSSD cache is not cleared when uninstalling an IPA client. For tidiness we should wipe the cache. This can be done with sssctl.
Note that this tool is in sssd-tools which is not currently a dependency.

Resolves: https://pagure.io/freeipa/issue/7376
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-03-26 15:16:54 +02:00
Pavel Picka
1fe795b75b WebUI Hostgroups tests cases added
Added test for negative (invalid) names
Added test for add/add another/add and edit/cancel buttons
Added test for duplicate records

https://pagure.io/freeipa/issue/7458

Signed-off-by: Pavel Picka <ppicka@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-03-26 13:00:39 +02:00
Felipe Barreto
30ab8c4743 Changing Django's CoC to reflect FreeIPA CoC
Also including sections "Scope" and "Enforcement" from Contributor
Covenant [1]

[1] https://www.contributor-covenant.org/

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-03-26 09:51:25 +02:00
Felipe Barreto
7580da414d Adding Django's Code of Conduct
We will use the Django's Code of Conduct to develop the FreeIPA CoC

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-03-26 09:51:25 +02:00
Stanislav Laznicka
e707d974a3 ipa_backup: Backup the password to HTTPD priv key
https://pagure.io/freeipa/issue/7421

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-03-26 09:42:07 +02:00
Stanislav Laznicka
47cf159f11 Fix upgrading of FreeIPA HTTPD
With the recent encryption of the HTTPD keys, it's also necessary
to count with this scenario during upgrade and create the password
for the HTTPD private key along the cert/key pair.

This commit also moves the HTTPD_PASSWD_FILE_FMT from ipalib.constants
to ipaplatform.paths as it proved to be too hard to be used that way.

https://pagure.io/freeipa/issue/7421

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-03-26 09:42:07 +02:00
Fraser Tweedale
5afbe1d261 replica-install: warn when there is only one CA in topology
For redundancy and security against catastrophic failure of a CA
master, there must be more than one CA master in a topology.
Replica installation is a good time to warn about this situation.
Print a warning at the end of ipa-replica-install, if there is only
one CA replica in the topology.

Fixes: https://pagure.io/freeipa/issue/7459
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-03-26 09:39:17 +02:00
Michal Reznik
5f87b9c3e5 ui_tests: run ipa-get/rmkeytab command on UI host
Run ipa-get/rmkeytab command on UI host in order to test whether
we have the key un/provisioned.

https://pagure.io/freeipa/issue/7441

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-03-24 14:23:47 +01:00
Michal Reznik
bf1f2d1c3f ui_tests: select_combobox() fixes
Move strict "search_btn" element finding to later so we
do not fail when using combobox without search button.
Also switch open_btn.click() before fill_textbox() as it
is used to close the selection.

https://pagure.io/freeipa/issue/7441

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-03-24 14:23:47 +01:00
Michal Reznik
16083eb9b5 ui_tests: test cancel and delete without button
Add "confirm_btn" to cancel dialog and if "None" return
for confirmation with "Enter" key.

https://pagure.io/freeipa/issue/7441

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-03-24 14:23:47 +01:00
Michal Reznik
553183944a ui_tests: make associations cancelable
Adjust associations functions to simulate "cancel"
action.

https://pagure.io/freeipa/issue/7441

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-03-24 14:23:47 +01:00
Michal Reznik
18e8c964f5 ui_tests: add function to run cmd on UI host
Run shell command on the UI system using "admin"
user's passwd from conf.

https://pagure.io/freeipa/issue/7441

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-03-24 14:23:47 +01:00
Michal Reznik
95de6f061c ui_tests: add funcs to add/remove users public SSH key
Add funcs to add/remove users public SSH key.

https://pagure.io/freeipa/issue/7441

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-03-24 14:23:47 +01:00
Michal Reznik
7fb4f755e9 ui_tests: add assert_field_required()
Add assert_field_required() to check whether we
got 'Required field' error message.

https://pagure.io/freeipa/issue/7441

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-03-24 14:23:47 +01:00
Michal Reznik
01fa54117d ui_tests: add assert_notification()
Add assert_notification() function to check whether
we have a notification of particular type/

https://pagure.io/freeipa/issue/7441

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-03-24 14:23:47 +01:00
Michal Reznik
cd86fd21c5 ui_tests: add more test cases
Add more test cases to test_services. Details in the ticket.

https://pagure.io/freeipa/issue/7441

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-03-24 14:23:47 +01:00
Michal Reznik
735d48d820 ui_tests: add more test cases to test_certification
Add cases for:
"cancel_cert_request", "cancel_hold_cert", "cancel_remove_hold",
"cancel_revoke_cert" and "revoke_cert"

https://pagure.io/freeipa/issue/7441

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-03-24 14:23:47 +01:00
Michal Reznik
0f5084b9c4 ui_tests: add_service() support func in test_service
Add add_service() support func into test_service.

https://pagure.io/freeipa/issue/7441

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-03-24 14:23:47 +01:00
Michal Reznik
62a131aba0 ui_tests: add_host() support func in test_service
Add add_host() support func into test_service to
create temp hosts.

https://pagure.io/freeipa/issue/7441

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-03-24 14:23:47 +01:00
Michal Reznik
d8cbd5d3ac ui_tests: change get_http_pkey() function
change get_http_pkey() function to more generic one in
order to get pkey for different services

https://pagure.io/freeipa/issue/7441

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-03-24 14:23:47 +01:00
Stanislav Laznicka
830b608d67 Remove py35 env from tox testing
Ever since fa94ef04, only Python3 versions >=3.6 are supported.
Removing py35 env from tox tests.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-03-24 14:18:23 +01:00
Alexander Bokovoy
a678336b8b upgrade: Run configuration upgrade under empty ccache collection
Use temporary empty DIR-based ccache collection to prevent upgrade
failures in case KCM: or KEYRING: ccache type is used by default in
krb5.conf and is not available. We don't need any user credentials
during upgrade procedure but kadmin.local would attempt to resolve
default ccache and if that's not available, kadmin.local will fail.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1558818
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-03-23 15:31:48 +01:00
Christian Heimes
48fb6d2c87 Fix compatibility with latest pytest
pytest removed copy() method from its Namespace class. Use the copy
module to make a copy of early options.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-03-23 13:08:39 +01:00
Stanislav Laznicka
7cbd9bd429 Encrypt httpd key stored on disk
This commit adds configuration for HTTPD to encrypt/decrypt its
key which we currently store in clear on the disc.

A password-reading script is added for mod_ssl. This script is
extensible for the future use of directory server with the
expectation that key encryption/decription will be handled
similarly by its configuration.

https://pagure.io/freeipa/issue/7421

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-03-23 12:48:46 +01:00
Stanislav Laznicka
e7e06f6d78
Dogtag configs: rename deprecated options
ipa-{server,kra}-install logs have been showing warnings about
deprecation of some Dogtag configuration options. Follow
the warnings' advice and rename these options to their newer
form.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
2018-03-22 16:17:29 +01:00
Alexander Bokovoy
b47d6a3654 use LDAP Whoami command when creating an OTP token
ipa user-find --whoami is used by ipa otptoken-add to populate
ipaTokenOwner and managedBy attributes. These attributes, in turn are
checked by the self-service ACI which allows to create OTP tokens
assigned to the creator.

With 389-ds-base 1.4.0.6-2.fc28 in Fedora 28 beta there is a bug in
searches with scope 'one' that result in ipa user-find --whoami
returning 0 results.

Because ipa user-find --whoami does not work, non-admin user cannot
create a token. This is a regression that can be fixed by using LDAP
Whoami command.

LDAP Whoami command returns a string 'dn: <DN of the bind>', so we have
to strip first four characters to get actual DN.

Fixes: https://pagure.io/freeipa/issue/7456
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-03-22 11:33:17 +01:00
Alexander Bokovoy
2da9a4ca6a
Update template directory with new variables when upgrading ipa.conf.template
With e6c707b168 we changed httpd
configuration to use abstracted out variables in the template.
However, during upgrade we haven't resolved these variables so an
upgrade from pre-e6c707b168067ebb3705c21efc377acd29b23fff install will
fail.

Add all missing variables to the upgrade code.

Fixes https://pagure.io/freeipa/issue/7454
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-03-21 22:22:35 +01:00
Alexander Bokovoy
48acb7d865
Processing of server roles should ignore errors.EmptyResult
When non-admin user issues a command that utilizes
api.Object.config.show_servroles_attributes(), some server roles might
return errors.EmptyResult, indicating that a role is not visible to this
identity.

Most of the callers to api.Object.config.show_servroles_attributes() do
not process errors.EmptyResult so it goes up to an API caller. In case
of Web UI it breaks retrieval of the initial configuration due to ipa
config-show failing completely rather than avoiding to show available
server roles.

Fixes: https://pagure.io/freeipa/issue/7452
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-03-21 22:22:35 +01:00
Petr Vobornik
b43e73143d
realm domains: improve doc text
It is quite unclear how realm domains behave without reading source
code. New doc text describes its purpose and how it is managed.

https://pagure.io/freeipa/issue/7424

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-03-21 15:29:50 +01:00
Florence Blanc-Renaud
0f31564b35 ipa-replica-install: make sure that certmonger picks the right master
During ipa-replica-install, http installation first creates a service
principal for http/hostname (locally on the soon-to-be-replica), then
waits for this entry to be replicated on the master picked for the
install.
In a later step, the installer requests a certificate for HTTPd. The local
certmonger first tries the master defined in xmlrpc_uri (which is
pointing to the soon-to-be-replica), but fails because the service is not
up yet. Then certmonger tries to find a master by using the DNS and looking
for a ldap service. This step can pick a different master, where the
principal entry has not always be replicated yet.
As the certificate request adds the principal if it does not exist, we can
end by re-creating the principal and have a replication conflict.

The replication conflict later causes kerberos issues, preventing
from installing a new replica.

The proposed fix forces xmlrpc_uri to point to the same master as the one
picked for the installation, in order to make sure that the master already
contains the principal entry.

https://pagure.io/freeipa/issue/7041

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-03-21 09:35:56 +01:00
Takeshi MIZUTA
ce0b87e9a6
Fix some typos in man page
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-03-21 08:41:34 +01:00
Alexey Slaykovsky
b947296fe9 Make tox tests to generate results in JUnit XML
As our tox runs pytest it's great to have their results in JUnit
format for later processing.

Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
2018-03-20 14:42:49 +01:00
Ganna Kaihorodova
518e3578d1 Fix for test TestInstallMasterReservedIPasForwarder
Second check in test is failing, because it accepts default installer's values of domain, which is already used for lab machines.
IPA DNS domain must not exist before the installation, fix is to provide domain name derived from vm name.

Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
2018-03-20 10:44:22 +01:00
Fraser Tweedale
83c173cf9d install: configure dogtag status request timeout
Configure the status request timeout, i.e. the connect/data timeout
on the HTTP request to get the status of Dogtag.

This configuration is needed in "multiple IP address" scenarios
where this server's hostname has multiple IP addresses but the HTTP
server is only listening on one of them.  Without a timeout, if a
"wrong" IP address is tried first, it will take a long time to
timeout, exceeding the overall timeout hence the request will not be
re-tried.  Setting a shorter timeout allows the request to be
re-tried.

Note that HSMs cause different behaviour so this value might not be
suitable for when we implement HSM support.  It is known that a
value of 5s is too short in HSM environment.

This fix requires pki-core >= 10.6.0, which is already required by
the spec file.

Fixes: https://pagure.io/freeipa/issue/7425
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-03-20 10:28:05 +01:00
Christian Heimes
a6e6e7f5e4 More cleanup after uninstall
Remove more files during ipaserver uninstallation:

* /etc/gssproxy/10-ipa.conf
* /etc/httpd/alias/*.ipasave
* /etc/httpd/conf/password.conf
* /etc/ipa/dnssec/softhsm2.conf
* /etc/systemd/system/httpd.service.d/
* /var/lib/ipa/dnssec/tokens

Fixes: https://pagure.io/freeipa/issue/7183
See: https://pagure.io/freeipa/issue/2694
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
2018-03-20 10:15:28 +01:00
Rob Crittenden
64fca87a52 Remove the Continuous installer class, it is unused
https://pagure.io/freeipa/issue/7330

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-03-19 17:38:41 +01:00
Rob Crittenden
68c7b03689 Return a value if exceptions are raised in server uninstall
The AdminTool class purports to "call sys.exit() with the return
value" but most of the run implementations returned no value, or
the methods they called returned nothing so there was nothing to
return, so this was a no-op.

The fix is to capture and bubble up the return values which will
return 1 if any exceptions are caught.

This potentially affects other users in that when executing the
steps of an installer or uninstaller the highest return code
will be the exit value of that installer.

Don't use the Continuous class because it doesn't add any
value and makes catching the exceptions more difficult.

https://pagure.io/freeipa/issue/7330

Signed-off-by: Rob Crittenden rcritten@redhat.com
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-03-19 17:38:41 +01:00