Previous test to test_ssh_key_connection is calling ipa-server-upgrade command,
which restarts all the associated services.
Especially on slower machine, SSSD is not yet online when the SSH connection is attempted.
This results to only cached users being available.
Wait for SSSD to become available before the SSH connection is attempted.
Fixes: https://pagure.io/freeipa/issue/9377
Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Fedora 38 is now available, move the testing pipelines to
- fedora 38 for the _latest definitions
- fedora 37 for the _previous definitions
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The command ipa idview-show NAME has a post callback
method that replaces the ID override anchor with the corresponding
user name.
For instance the anchor
ipaanchoruuid=:SID:S-1-5-21-3951964782-819614989-3867706637-1114
is replaced with the name of the ad user aduser@ad.test.
The method loops on all the anchors and for each one performs the
resolution, which can be a costly operation if the anchor is for
a trusted user. Instead of doing a search for each anchor, it is
possible to read the 'ipaOriginalUid' value from the ID override
entry.
Fixes: https://pagure.io/freeipa/issue/9372
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
On fedora < 39, nodejs 20 is not the default version. As
a consequence, the installation of nodejs20 adds the command
/usr/bin/node-20 instead of /usr/bin/node.
FreeIPA build is using the node command and fails if the
command is missing.
Force nodejs < 20 on fedora < 39 to make sure the node
command is installed.
Fixes: https://pagure.io/freeipa/issue/9374
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The test test_ipahealthcheck.py::TestIpaHealthcheck frequently
hits its 90min timeout. Extend by 15min to allow completion.
Fixes: https://pagure.io/freeipa/issue/9362
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Pylint reports false-negative result for Sphinx 6.1.0+:
```
************* Module ipasphinx.ipabase
ipasphinx/ipabase.py:10: [E0611(no-name-in-module), ] No name 'progress_message' in module 'sphinx.util')
```
Actually `sphinx.util.progress_message` is still available in Sphinx 6.1
but it's deprecated and will be removed in 8.0:
https://www.sphinx-doc.org/en/master/extdev/deprecated.html#deprecated-apis
Related change:
8c5e7013ea
Fixes: https://pagure.io/freeipa/issue/9361
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When ipa cert-find --all is called, the function prints the
certificate public bytes. The code recently switched to OpenSSL.crypto
and the objects OpenSSL.crypto.X509 do not have the method
public_bytes(). Use to_cryptography() to transform into a
cryptography.x509.Certificate before calling public_bytes().
Related: https://pagure.io/freeipa/issue/9331
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fix Covscan-discovered DEADCODE block when searching for PAC info,
caused by a wrong condition being evaluated when entry is a trusted
domain object.
Fixes: https://pagure.io/freeipa/issue/9368
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
SSSD already provides a config snippet which includes
SSSD_PUBCONF_KRB5_INCLUDE_D_DIR, and having both breaks Java.
Add also a dependency on sssd-krb5 for freeipa-client.
https://pagure.io/freeipa/issue/9267
Signed-off-by: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
cert-find is a rather complex beast because it not only
looks for certificates in the optional CA but within the
IPA LDAP database as well. It has a process to deduplicate
the certificates since any PKI issued certificates will
also be associated with an IPA record.
In order to obtain the data to deduplicate the certificates
the cert from LDAP must be parser for issuer and serial number.
ipaldap has automation to determine the datatype of an
attribute and will use the python-cryptography engine to
decode a certificate automatically if you access
entry['usercertificate'].
The downside is that this is comparatively slow. Here is the
parse time in microseconds:
OpenSSL.crypto 175
pyasn1 1010
python-cryptography 3136
The python-cryptography time is fine if you're parsing one
certificate but if the LDAP search returns a lot of certificates,
say in the thousands, then those microseconds add up quickly.
In testing it took ~17 seconds to parse 5k certificates.
It's hard to overstate just how much better the cryptography
Python interface is. In the case of OpenSSL really the only
certificate fields easily available are serial number, subject
and issuer. And the subject/issuer are in the OpenSSL reverse
format which doesn't compare nicely to the cryptography format.
The DN module can correct this.
Fortunately for cert-find we only need serial number and issuer,
so the OpenSSL module fine. It takes ~2 seconds.
pyasn1 is also relatively faster but switch to it would require
subtantially more effort for less payback.
cert-find when there are a lot of certificates has been
historically slow. It isn't related to the CA which returns
large sets (well, 5k anyway) in a second or two. It was the
LDAP comparision adding tens of seconds to the runtime.
CLI times from before and after:
original:
-------------------------------
Number of entries returned 5011
-------------------------------
real 0m21.155s
user 0m0.835s
sys 0m0.159s
using OpenSSL:
real 0m5.747s
user 0m0.864s
sys 0m0.148s
OpenSSL is forcibly lazy-loaded so it doesn't conflict with
python-requests. See ipaserver/wsgi.py for the gory details.
Fixes: https://pagure.io/freeipa/issue/9331
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
The sizelimit option was not being passed into the dogtag
ra_find() command so it always returned all available certificates.
A value of 0 will retain old behavior and return all certificates.
The default value is the LDAP searchsizelimit.
Related: https://pagure.io/freeipa/issue/9331
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
Use admin password obtained from local config instead of hardcoded
value, as the password may differ in different testing environments.
https://pagure.io/freeipa/issue/9226
Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Erik Belko <ebelko@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Send stderr of pkgconf to /dev/null rather than printing the following
error text while parsing the spec file:
Package krb5 was not found in the pkg-config search path.
Perhaps you should add the directory containing `krb5.pc'
to the PKG_CONFIG_PATH environment variable
Package 'krb5', required by 'virtual:world', not found
`BuildRequires: pkgconfig(krb5)` ensures this won't happen when running
a real build. It simply avoids 4 lines of needless error output when
running something like `fedpkg prep`.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Per the Fedora packaging guidelines¹.
The GPG key was generated using details found on the wiki². The
following commands can be used to fetch the signing key via fingerprint
and extract it:
fpr=0E63D716D76AC080A4A33513F40800B6298EB963
gpg --keyserver keys.openpgp.org --receive-keys $fpr
gpg --armor --export-options export-minimal --export $fpr >gpgkey-$fpr.asc
¹ https://docs.fedoraproject.org/en-US/packaging-guidelines/#_verifying_signatures
² https://www.freeipa.org/page/Verify_Release_Signature
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
DS does not enable plugins unless nsslapd-dynamic-plugins is enabled or
DS is restarted. The DNA plugin creates its configuration entries with
some delay after the plugin is enabled.
DS is now restarted after the DNA plugin is enabled so it can create the
entries while Dogtag and the rest of the system is installing. The
updater `update_dna_shared_config` no longer blocks and waits for two
times 60 seconds for `posix-ids` and `subordinate-ids`.
Fixes: https://pagure.io/freeipa/issue/9358
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Two tests have known issues in test_trust.py with sssd 2.8.2+:
- TestNonPosixAutoPrivateGroup::test_idoverride_with_auto_private_group
(when called with the "hybrid" parameter)
- TestPosixAutoPrivateGroup::test_only_uid_number_auto_private_group_default
(when called with the "true" parameter)
Related: https://pagure.io/freeipa/issue/9295
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
1 : Test to verify that groups have correct userclass when
external is set to true or false with group-add.
2 : After creating a nonposix group verify that all
following group_add calls to add posix groups calls are
not failing with missing attribute.
Related: https://pagure.io/freeipa/issue/9349
Signed-off-by: mbhalodi <mbhalodi@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
This includes:
* Section about command/param info in usage guide
* Section about metadata retrieval in usage guide
* Guide about differences between CLI and API
* Access control guide (management of roles, privileges and
permissions).
* Guide about API contexts
* JSON-RPC usage guide and JSON-to-Python conversion
* Notes about types in API Reference
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add a test that uses IPA API to allow delegation of RBCD configuration
to a host and then use it to set up RBCD rule for a service.
Run RBCD check when the rule exists and when the rule is removed.
Since we only provide RBCD support on KDC side with Kerberos 1.20, skip
the test on Fedora versions prior to Fedora 38 and on RHEL versions
prior to RHEL 9.2.
Fixes: https://pagure.io/freeipa/issue/9354
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Resource-based constrained delegation (RBCD) is implemented with a new
callback used by the KDC. This callback is called when a server asks for
S4U2Proxy TGS request and passes a ticket that contains RBCD PAC
options.
The callback is supposed to take a client and a server principals, a PAC and a target
service database entry. Using the target service database entry it then
needs to decide whether a server principal is allowed to delegate the
client credentials to the target service.
The callback can also cross-check whether the client principal can be
limited in delegating own tickets but this is not implemented in the
current version.
Fixes: https://pagure.io/freeipa/issue/9354
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
IPA API commands to manage RBCD access controls.
Fixes: https://pagure.io/freeipa/issue/9354
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
FreeIPA Kerberos implementation already supports delegation of
credentails, both unconstrained and constrained. Constrained delegation
is an extension developed by Microsoft and documented in MS-SFU
specification. MS-SFU specification also includes resource-based
constrained delegation (RBCD) which FreeIPA did not support.
Microsoft has decided to force use of RBCD for forest trust. This means
that certain use-cases will not be possible anymore.
This design document outlines approaches used by FreeIPA for constrained
delegation implementation, including RBCD.
Fixes: https://pagure.io/freeipa/issue/9354
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Confine search for S4U2Proxy access control lists to the subtree where
they created. This will allow to use a similar method to describe RBCD
access controls.
Related: https://pagure.io/freeipa/issue/5444
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Another change in automember plugin messaging that breaks FreeIPA tests.
Use common substring to match.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Constrained delegation target may already be configured by default.
Related: https://pagure.io/freeipa/issue/9354
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Revisit the bash tests and port the valid
tests to upstream.
Related: https://pagure.io/freeipa/issue/9332
Signed-off-by: mbhalodi <mbhalodi@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
bind-dyndb-ldap on Debian installs ldap.so in a subdirectory of
/usr/lib to prevent unintentional usage of an unversioned .so.
The default settings for FreeIPA on Debian used an incomplete
path, resulting in a failure to find ldap.so when bind attempts to
start with bind-dyndb-ldap configured.
This fixes the default path to use the appropriate location in its
multiarch-qualified path.
Signed-off-by: Jarl Gullberg <jarl.gullberg@gmail.com>
Reviewed-By: Timo Aaltonen <tjaalton@ubuntu.com>
bind-dyndb-ldap uses the krb5_keytab directive to set the path to
the keytab to use. This directive was not being used in the
configuration template, resulting in a failure to start named if
the keytab path differed from the defaults.
This issue was discovered when packaging FreeIPA for Debian,
which is one of the platforms where the path is customized.
Signed-off-by: Jarl Gullberg <jarl.gullberg@gmail.com>
Fixes: https://pagure.io/freeipa/issue/9344
Reviewed-By: Timo Aaltonen <tjaalton@ubuntu.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The notes that Param pages will contain after #6733 are added manually,
and because of it we need to add markers to differentiate between
automated and manual content, equal to what we do for class pages.
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Added in Python Cryptography 40.0
Thanks to @tiran for the code
Fixes: https://pagure.io/freeipa/issue/9355
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
`printf` ignores excessive arguments unused in formatting.
This resulted in only the first file from two file lists was
linted/ stylechecked if both Python template files and Python
modules were changed.
Make use of formatting instead:
> The format is reused as necessary to consume all of the arguments
Fixes: https://pagure.io/freeipa/issue/9318
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The timeout for test_trust is too short (6000s) and
the nightly tests often fail. Increase to 7200s.
Fixes: https://pagure.io/freeipa/issue/9326
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
We need to deepcopy the list of default objectlasses from IPA config
before assigning it to an entry, in order to avoid further modifications of the
entry affect the cached IPA config.
Fixes: https://pagure.io/freeipa/issue/9349
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Fixes: https://pagure.io/freeipa/issue/9347
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Fixes: https://pagure.io/freeipa/issue/9347
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
With fix for https://pagure.io/freeipa/issue/7951 we started to modify
RPM macros in Azure CI environment. Don't fail if the file does not
exist anymore like it happens now in Fedora.
Fixes: https://pagure.io/freeipa/issue/9347
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Testing if manager whose rights defined by the group membership
is able to add group members, after upgrade of ipa server.
Using ACI modification to demonstrate unability before upgrading
ipa server.
Related: https://pagure.io/freeipa/issue/9286
Also added some generally helpful functions to tasks.py
Signed-off-by: Erik Belko <ebelko@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
The ipa-advise command should not fail
with error in command.
Related: https://pagure.io/freeipa/issue/6044
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Sudhir Menon <sumenon@redhat.com>
The automembership fixup task now needs to be called
with --cleanup argument when the user expects automember
to remove user/hosts from automember groups.
Update the test to call create a cleanup task equivalent to
dsconf plugin automember fixup --cleanup
when it is needed.
Fixes: https://pagure.io/freeipa/issue/9313
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When you run "ipa idp-show <idp reference>" the IdP reference is shown
as "Identity Provider server name". This is confusing as we are pointing
to the earlier created IdP reference rather than a server. Other files
are updated as well to reflect this change.
Additionally some typos are fixed with this patch too.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The doc string located in the 'Authentication
indicators' ('Services' settings page) was
missing the usage explanation for the 'ipd'
checkbox option.
Fixes: https://pagure.io/freeipa/issue/9338
Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
`nameservers` was transformed into the property in dnspython 2:
bbf0cfd239
This causes
> AttributeError: type object 'Resolver' has no attribute 'nameservers'
on the previous dnspython 1.1x.
Fixes: https://pagure.io/freeipa/issue/9339
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
According to [1] all Fedora packages need to be updated to use a SPDX
expression. This patch updates the freeipa spec template to comply with
this change.
[1] https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_1
Fixes: https://pagure.io/freeipa/issue/9342
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
