Commit Graph

14368 Commits

Author SHA1 Message Date
Rob Crittenden
b691850cc9 Change KRA profiles in certmonger tracking so they can renew
Internal profiles were assigned which prevented rewewals.

dogtag is providing a new profile for the audit signing cert,
caAuditSigningCert.

There are existing profiles for the transport (caTransportCert)
and storage (caStorageCert) certificates.

https://pagure.io/freeipa/issue/8545

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-12-01 12:56:03 +01:00
Mark Reynolds
daddcf6ec6 Accept 389-ds JSON replication status messages
389-ds now stores a replication agreement status message in a JSON
string in a new attribute:

                  replicaLastInitStatusJSON
                  replicaLastUpdateStatusJSON

The original status attributes' values are not changing at this time,
but there are plans to do so eventually as the old status format is
confusing.

http://www.port389.org/docs/389ds/design/repl-agmt-status-design.html

Fixes: https://pagure.io/freeipa/issue/7975

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-12-01 08:45:07 +01:00
Florence Blanc-Renaud
3b007b7bba Always define the path DNSSEC_OPENSSL_CONF
The variable was None by default and set to /etc/ipa/dnssec/openssl.cnf
for fedora only because the code is specific to the support of pkcs11
engine for bind. As a consequence ipa-backup had a "None" value in the
list of files to backup and failed on Exception.

ipa-backup code is able to handle missing files, and the code using
the pkcs11 engine is called only when NAMED_OPENSSL_ENGINE is set
(only in fedora so far). It is safe to always define a value for
DNSSEC_OPENSSL_CONF even on os where it does not exist.

The fix also improves the method used to verify that a path exists.

Fixes: https://pagure.io/freeipa/issue/8597
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2020-11-30 15:52:19 +01:00
Antonio Torres Moríñigo
f777314e5c ipa-client-install manpage: add ipa.p11-kit to list of files created
Add missing ipa.p11-kit file to list of files created in
ipa-client-install manpage.

https://pagure.io/freeipa/issue/8424

Signed-off-by: Antonio Torres Moríñigo <atorresm@protonmail.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-26 14:12:16 +01:00
Alexander Bokovoy
0da6a57b40 ad trust: accept subordinate domains of the forest trust root
Commit 8b6d1ab854 added support for
subordinate UPN suffixes but missed the case where subordinate UPN is a
subdomain of the forest root domain and not mentioned in the UPN
suffixes list.

Correct this situation by applying the same check to the trusted domain
name as well.

Fixes: https://pagure.io/freeipa/issue/8554
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-26 12:00:57 +02:00
Sudhir Menon
442038c41a ipatests: support subordinate upn suffixes
This test adds new UPN Suffix on the AD side
within the ad.test subtree i.e new.ad.test and this
UPN is then assigned to aduser and then try to
kinit using aduser along with the UPN set, to ensure
that the kinit succeeds

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-26 12:00:57 +02:00
Robbie Harwood
9e0084ba98 Fix krbtpolicy tests
0d67180f7d introduced the with_admin
fixture using class scope, which caused test failures as pytest
instantiated it before the multihost fixture.

It additionally failed to account for jitter - the issued ticket becomes
within a window of the expected lifetime, so we need to include the
ticket lifetime jitter into that calculation.

Finally, the PKINIT test could not have ever worked because PKINIT is
not set up as part of policy testing.

Related: https://pagure.io/freeipa/issue/8590

Also-authored-by: Rob Crittenden <rcritten@redhat.com>
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-25 18:02:25 -05:00
Armando Neto
b6004cf88f ipatests: Bump PR-CI templates
Update box to force update dependencies on pki-* and
selinux-policy.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2020-11-25 16:16:12 -05:00
Rob Crittenden
75e3803b68 ipatests: Increase timeout for ACME in gating.yaml
Increase to 7200 from 3600 to match other executions.

Related: https://pagure.io/freeipa/issue/8581

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2020-11-25 16:16:12 -05:00
Rob Crittenden
e6489dcb8c ipatests: honor class inheritance in TestACMEwithExternalCA
TestACMEwithExternalCA subclasses TestACME which subclasses
CALessBase.

CALessBase is necessary to generate the certificates for the
test_third_party_certs() test.

This means that the TestACME install classmethod needs to be
called by its subclasses. But the install actually does the
installation of the servers as well so needs to be aborted
at that point in the case of a subclass.

https://pagure.io/freeipa/issue/8581

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2020-11-25 16:16:12 -05:00
Rob Crittenden
3a9fc01156 ipatests: configure MDStoreDir for mod_md ACME test
This directory defines the location for ACME-related files
used by mod_md. Specify and create it rather than relying
on defaults to both fix a test failure and to make the
files accessable for debugging purposes.

https://pagure.io/freeipa/issue/8581

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2020-11-25 16:16:12 -05:00
Rob Crittenden
70306515f7 ipatests: Clean up existing ACME registration and certs
The same base class is used for ACME setup and configuration.
Be sure to clean up any existing registraton prior to continuing
otherwise ACME register will complain.

https://pagure.io/freeipa/issue/8581

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2020-11-25 16:16:12 -05:00
Rob Crittenden
89fddb0750 ipatests: Configure a replica in TestACMEwithExternalCA
This subclasses TestACME which installs and configures a
replica in order to verify global enable/disable of ACME.

https://pagure.io/freeipa/issue/8581

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2020-11-25 16:16:12 -05:00
Rob Crittenden
790b765598 ipatests: call the CALess install method to generate the CA
https://pagure.io/freeipa/issue/8581

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2020-11-25 16:16:12 -05:00
Michal Polovka
89c846a1f6
WebUI: Test if links are opened in new tab correctly
Test for PF#7137: [RFE]: Able to browse different links
from IPA web gui in new tabs

Test verifies whether opening target link in new tab
navigates to target (desired behaviour) compared to creation of copy of
current state of page on new tab (old behaviour).

WebUI: Add method for opening link in a new tab

Add `navigate_to_row_record_in_new_tab`  method.
`navigate_to_row_record_in_new_tab` works as
`navigate_to_row_record` but opens link in new tab instead and focuses
on it.

Related: https://pagure.io/freeipa/issue/7137
Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2020-11-23 13:02:32 +01:00
Rob Crittenden
16616e576d ipatests: Test that Match ProxyCommand masks on no shell exec
Accounts without a shell should not execute ProxyCommand
otherwise the authorization will fail.

https://pagure.io/freeipa/issue/7676

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-23 09:04:27 +01:00
Rob Crittenden
15b30e15a4 Create IPA ssh client configuration and move ProxyCommand
The ProxyCommand is non-executable if the user does not have
a valid shell (like /sbin/nologin) so skip it in that case.

https://pagure.io/freeipa/issue/7676

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-23 09:04:27 +01:00
Sudhir Menon
cd9b4efa91 ipatests: Tests for ipahealthcheck.ds.nss_ssl
test_nsscheck_cert_expiring is moved under test_ipa_healthcheck_expiring

This patch checks that the 'ipahealthcheck.ds.nss_ssl' check in
healthcheck tool reports the correct status for the "Server-Cert"
about to expire and already expired respectively.

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-11-20 09:27:48 +01:00
Rob Crittenden
d30939ebfd ipatests: Test that ipa-certupdate can run without credentials
https://pagure.io/freeipa/issue/8531

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2020-11-18 16:27:12 +02:00
Rob Crittenden
d9b259dd58 Use host keytab to obtain credentials needed for ipa-certupdate
This command doesn't require any permissions that a host doesn't
already have and it simplifies overall credential handling.

It also corrects the case where the server API cache is out of
date and there are no credentials available to refresh it which
can lead to a confusing error message.

Also switch to MEMORY-based ccache rather than file to avoid
having to clean up the filesystem.

https://pagure.io/freeipa/issue/8531

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2020-11-18 16:27:12 +02:00
Alexander Bokovoy
d81df964c2 util: Fix client-only build
Commit 26b9a69784 did not fully fix the
client-only build as util/ipa_pwd.c unconditionally includes
pwquality.h.

Make sure we define USE_PWQUALITY in the full server configuration and
if that one is defined, include libpwquality use.

Fixes: https://pagure.io/freeipa/issue/8587
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-18 16:23:05 +02:00
Mohammad Rizwan
b84f5d87ee ipatests: Test certmonger IPA responder switched to JSONRPC
This is to test if certmonger IPA responder swithed to JSONRPC
from XMLRPC

related: https://pagure.io/freeipa/issue/3299

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
2020-11-18 08:16:58 -05:00
Alexander Bokovoy
2d2784dffc VERSION: back to git snapshots
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-17 19:12:50 +02:00
Alexander Bokovoy
a1f3e3b836 Become FreeIPA 4.9.0 release candidate 1 2020-11-17 19:07:03 +02:00
Alexander Bokovoy
038645d8c2 Translations: update translations template
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-17 19:03:07 +02:00
Alexander Bokovoy
ff79c0cea5 Add contributors from translations project at Weblate
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-17 19:00:52 +02:00
Alexander Bokovoy
f977629182 Azure CI: mask chronyd in the container
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-17 18:48:24 +02:00
Alexander Bokovoy
39d0dd332c spec: use pkgconf to find out krb5 version
In Fedora 33 RPM migrated to use SQLITE as its database format. When
COPR builders run on Fedora 33 and build a package for older Fedora
version that uses RPM with BDB backend, RPM inside the build environment
will not be able to open its own database (SQLITE).

Replace use of RPM to discover krb5 version by use of pkgconf which
provides the same output but doesn't need to look into RPM database.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-17 18:48:24 +02:00
Robbie Harwood
2e382cdd02 Drop upper bound on krb5 version in freeipa.spec
This check is no longer needed now that krb5 exports the KDB version.

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-17 18:48:24 +02:00
Alexander Bokovoy
1bf0d62828 Azure CI: use PPA to provide newer libseccomp version
Linux 5.8 made faccessat2() system call available in August 2020. This
system call is used now by GNU libc to implement more precisely
faccessat() system call. GNU glibc does compile-time check for the
kernel version and uses faccessat2() unconditionally in case it is
available. If kernel responds with ENOSYS error code, GNU libc will
attempt to use older, less flexible, faccessat(() system call.

When running on a system where libseccomp does not know about the new
syscall, the default action in seccomp filters in Docker and other
container runtimes is to respond with EPERM error code. This breaks GNU
libc's implementation of the faccessat() function -- as well as other
newer syscall implementations (e.g. statx()).

libseccomp started to support faccessat2() in July 2020 with
5696c89640
(version 2.5.0: https://github.com/seccomp/libseccomp/releases/tag/v2.5.0)

With Ubuntu 20.04 as a host, use PPA abbra/freeipa-libseccomp which
provides libseccomp 2.5.0 rebuild from Debian Sid.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-17 18:48:24 +02:00
Alexander Bokovoy
6e1eaad873 Azure CI: use Ubuntu-20.04 image by default
Ubuntu 20.04 image is available in Azure Pipelines, migrate to it.
https://github.com/actions/virtual-environments/blob/main/images/linux/Ubuntu2004-README.md

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-17 18:48:24 +02:00
Alexander Bokovoy
935a461582 ipa-acme-manage: user a cookie created for the communication with dogtag REST endpoints
The cookie in ACME processing was supposed to be passed as a part of the
REST request but we did not pass those additional headers. Pylint on
Rawhide noticed that headers objects were left unused.

2020-11-13T11:26:46.1038078Z Please wait ...
2020-11-13T11:26:46.1038385Z
2020-11-13T11:28:02.8563776Z ************* Module ipaserver.install.ipa_acme_manage
2020-11-13T11:28:02.8565974Z ipaserver/install/ipa_acme_manage.py:50: [W0612(unused-variable), acme_state.__exit__] Unused variable 'headers')
2020-11-13T11:28:02.8567071Z ipaserver/install/ipa_acme_manage.py:57: [W0612(unused-variable), acme_state.enable] Unused variable 'headers')
2020-11-13T11:28:02.8568031Z ipaserver/install/ipa_acme_manage.py:63: [W0612(unused-variable), acme_state.disable] Unused variable 'headers')

Fixes: https://pagure.io/freeipa/issue/8584
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-17 18:48:24 +02:00
Alexander Bokovoy
b36f224892 ipa-otpd: fix gcc complaints in Rawhide
In file included from /usr/include/string.h:519,
                 from /usr/include/lber.h:30,
                 from /usr/include/ldap.h:30,
                 from internal.h:27,
                 from main.c:31:
In function 'strncpy',
    inlined from 'main' at main.c:237:5:
/usr/include/bits/string_fortified.h:91:10: warning: 'strncpy' specified bound 255 equals destination size [-Wstringop-truncation]
   91 |   return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Fixes: https://pagure.io/freeipa/issue/8585
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-17 18:48:24 +02:00
Alexander Bokovoy
d99b7d0b01 ipa-sam: fix gcc complaints on Rawhide
In file included from /usr/include/string.h:519,
                  from /usr/include/lber.h:30,
                  from /usr/include/ldap.h:30,
                  from ipa_sam.c:12:
 In function 'strncpy',
     inlined from 'save_sid_to_secret' at ipa_sam.c:4478:2,
     inlined from 'pdb_init_ipasam' at ipa_sam.c:4985:12:
 /usr/include/bits/string_fortified.h:91:10: warning: 'strncpy' specified bound 255 equals destination size [-Wstringop-truncation]
    91 |   return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
       |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Fixes: https://pagure.io/freeipa/issue/8585
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-17 18:48:24 +02:00
Alexander Bokovoy
fc11c56544 ipa-kdb: fix gcc complaints in kdb tests
We use string_to_sid() from internal Samba libraries, so we have to link
to it properly.

In addition, size_t is (long unsigned int), just cast to (int) in
asprintf.

Fixes: https://pagure.io/freeipa/issue/8585
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-17 18:48:24 +02:00
Alexander Bokovoy
f513a55ded ipa-kdb: fix gcc complaints
In file included from /usr/include/string.h:519,
                 from /usr/include/lber.h:30,
                 from /usr/include/ldap.h:30,
                 from ipa_kdb.h:37,
                 from ipa_kdb_mspac.c:26:
In function 'strncpy',
    inlined from 'get_server_netbios_name' at ipa_kdb_mspac.c:2358:5,
    inlined from 'ipadb_reinit_mspac' at ipa_kdb_mspac.c:2813:39:
/usr/include/bits/string_fortified.h:91:10: warning: 'strncpy' specified bound 255 equals destination size [-Wstringop-truncation]
   91 |   return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Fixes: https://pagure.io/freeipa/issue/8585
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-17 18:48:24 +02:00
Robbie Harwood
0d67180f7d ipa-kdb: implement AS-REQ lifetime jitter
Jitter is always enabled, so there is no additional configuration.

An earlier version of this patch was authored by Becky Shanley.

Fixes: https://pagure.io/freeipa/issue/8010

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-17 14:27:28 +02:00
Robbie Harwood
249097c624 Update kdcpolicy design doc for jitter implementation
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-17 14:27:28 +02:00
Stanislav Levin
82e69008ad ipatests: Collect EPN log for debugging
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-17 14:25:39 +02:00
Stanislav Levin
17f430efc4 EPN: Allow authentication by SMTP client's certificate
SMTP server may ask or require client's certificate for verification.
To support this the underlying Python's functionality is used [0].

Added 3 new options(corresponds to `load_cert_chain`):
- smtp_client_cert - the path to a single file in PEM format containing the
  certificate.
- smtp_client_key - the path to a file containing the private key in.
- smtp_client_key_pass - the password for decrypting the private key.

[0]: https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_cert_chain

Fixes: https://pagure.io/freeipa/issue/8580
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-17 14:25:39 +02:00
Stanislav Levin
32aa1540f0 EPN: Enable certificate validation and hostname checking
https://pagure.io/freeipa/issue/8579
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-17 14:25:39 +02:00
Stanislav Levin
977063a56e test_epn: Standardize EPN configs for deduplication
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-17 14:25:39 +02:00
Stanislav Levin
94adee3c73 EPN: Don't downgrade security
If an administrator requests `smtp_security=starttls`, but SMTP
server disables STARTTLS, then EPN downgrade security to `none`,
which means plain text. Administrator doesn't expect such behavior.

Fixes: https://pagure.io/freeipa/issue/8578
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-17 14:25:39 +02:00
Stanislav Levin
be006ad6c4 ipatests: Respect platform's openssl dir
There are different build configurations of OpenSSL from one distro
to another. For example,

Debian: '--openssldir=/usr/lib/ssl',
Fedora: '--openssldir=/etc/pki/tls',
openSUSE: '--openssldir=/etc/ssl',
ALTLinux: '--openssldir=/var/lib/ssl'.
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-17 14:25:39 +02:00
Florence Blanc-Renaud
a33530f2f6 ipatests: temporarily remove test_dnssec.py::TestInstallDNSSECFirst from gating
The test test_dnssec.py::TestInstallDNSSECFirst is failing due to known
issue https://pagure.io/freeipa/issue/8496
currently under investigation by 389ds team.

In the meantime, remove the test from gating to avoid blocking the PRs.

Related: https://pagure.io/freeipa/issue/8496
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-17 08:39:59 +01:00
Serhii Tsymbaliuk
69368fccdb WebUI tests: Add simple test to check topology graph page is available
Ticket: https://pagure.io/freeipa/issue/8523

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2020-11-16 16:04:40 +01:00
Serhii Tsymbaliuk
1512acc7de WebUI: Fix topology graph navigation crash
Add get_navigation_options method to all facet variations to unify forming facet links.

Ticket: https://pagure.io/freeipa/issue/8523

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2020-11-16 16:04:40 +01:00
Armando Neto
3722013dcd
ipatests: Update PRCI Fedora 32 templates
Updating templates with upgraded packages installed.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-16 09:26:48 -03:00
Mohammad Rizwan
c4a6b0e566 Move acme client installation part to classmethod
Moved the acme client installation part to classmethod
so that it can be leveraged further.

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-12 15:14:12 -05:00
Mohammad Rizwan
cbbfcd9b1e PEP8 fixes for test_acme.py
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-12 15:14:12 -05:00