Commit Graph

12028 Commits

Author SHA1 Message Date
Christian Heimes
6f65abfd11 DNSSEC code cleanup
Replace assert with proper check and exception.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-07 17:27:11 +01:00
Christian Heimes
f39d855af4 DNSSEC: Reformat lines to address PEP8 violations
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-07 17:27:11 +01:00
Christian Heimes
6a54146bc0 Decode ODS commands
ODS commands are ASCII strings, but socket.recv() returns bytes and
socket.send() expects bytes. Encode/decode values properly.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-07 17:27:11 +01:00
Christian Heimes
7670dcb853 Run DNSSEC under Python 3
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-07 17:27:11 +01:00
Christian Heimes
575e513b15 More DNSSEC house keeping
Related: https://pagure.io/freeipa/issue/4985
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-07 17:27:11 +01:00
Tomas Krizek
efded2264f py3 dnssec: convert hexlify to str
hexlify returns bytes and needs to be cast to a string before
printing it out.

Related: https://pagure.io/freeipa/issue/4985

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-07 17:27:11 +01:00
Tomas Krizek
005d85ff68 py3: bindmgr: fix bytes issues
LDAP client returns values as bytes, thus bindmgr must work with
bytes properly.

https://pagure.io/freeipa/issue/4985

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-07 17:27:11 +01:00
Martin Basti
53f202bdcc py3: bindmgr: fix iteration over bytes
In py3 iteration over bytes returns integers, in py2 iteration over
bytes returns strings.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-07 17:27:11 +01:00
Martin Basti
84a10ee372 py3: ipa-dnskeysyncd: fix bytes issues
LDAP client returns values as bytes, thus ipa-dnskeysyncd must work with
bytes properly.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-07 17:27:11 +01:00
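The four Python 3 commits above (6a54146bc0, efded2264f, 005d85ff68 and 53f202bdcc) all fix the same family of bytes/str mistakes. The block below is an added illustration, not FreeIPA code: it shows the three pitfalls in isolation, with the function names and the socketpair stand-in for the ODS socket being assumptions made for the example.

```python
"""Added example, not FreeIPA code: the three Python 3 bytes/str pitfalls
the DNSSEC commits above describe. Function names are assumptions made
for this illustration."""
import binascii
import socket


def byte_values(raw):
    """Return the integer value of each byte in raw.

    On Python 3 iterating over bytes yields ints; on Python 2 it yields
    1-character strings. Branching on the element type keeps the helper
    correct on both, instead of calling ord() on something that is already
    an int (the class of bug fixed in bindmgr).
    """
    return [b if isinstance(b, int) else ord(b) for b in raw]


def key_id_to_hex(key_id):
    """Return the hexadecimal form of a raw key identifier as str.

    binascii.hexlify() returns bytes on Python 3, so printing its result
    directly shows b'...'. Decoding as ASCII (hex digits are always ASCII)
    gives the plain text that log or CLI output expects.
    """
    return binascii.hexlify(key_id).decode("ascii")


def ods_roundtrip(command):
    """Send an ASCII command over a socketpair (constructed stand-in for the
    ODS socket) and return (what the server decoded, the client's reply).

    socket.send()/sendall() require bytes and socket.recv() returns bytes,
    so the str command is encoded before sending and decoded after
    receiving. 'ascii' is deliberate: a non-ASCII command raises
    UnicodeEncodeError rather than being silently altered on the wire.
    """
    client, server = socket.socketpair()
    try:
        client.sendall(command.encode("ascii") + b"\n")
        request = server.recv(4096)                 # bytes, not str
        text = request.decode("ascii").rstrip("\n")
        server.sendall(("ack " + text).encode("ascii"))
        reply = client.recv(4096).decode("ascii")
    finally:
        client.close()
        server.close()
    return text, reply


if __name__ == "__main__":
    print(byte_values(b"\x01\xff"))          # [1, 255]
    print(key_id_to_hex(b"\x00\xab\xcd"))    # 00abcd
    print(ods_roundtrip("zone list"))        # ('zone list', 'ack zone list')
```

Running it under both interpreters is the quickest check: `byte_values` is the only helper whose input type differs between Python 2 and 3, and the explicit `isinstance` test is what keeps the other two honest once the data really is bytes.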
Felipe Barreto
d945583cc7 Make IntegrationTest fail if an error happened during uninstall
Before this change, if the uninstall process failed, the test would not fail, due
to raiseonerr=False.

It's necessary to remove the uninstall call in CALessBase because in
TestIntegration there is another uninstall call. So, without the
raiseonerr=False, it would make the uninstall process fail, since the master is
already uninstalled.

https://pagure.io/freeipa/issue/7357

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-02-07 13:24:46 +01:00
amitkuma
6c81a2cb50 ipa-advise for smartcards updated
......
authconfig --enablesmartcard --smartcardmodule=sssd --updateall

Advice is updated to:
authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd
--smartcardaction=1 --updateall

Resolves: https://pagure.io/freeipa/issue/7358
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-02-07 12:56:41 +01:00
Felipe Barreto
7b7edd57cd IntegrationTests now collects logs from all test methods
logs_dict should not be cleared. It's filled once per class and it
should not be cleared after running the first test.

https://pagure.io/freeipa/issue/7310
https://pagure.io/freeipa/issue/7335

Reviewed-By: Michal Reznik <mreznik@redhat.com>
2018-02-06 15:53:08 +01:00
Alexander Koksharov
156f912104 Fix replica_promotion-domlevel0 test failures
Integration test is failing due to wrong message being
displayed by ipa. This issue was most probably introduced
by PR:
f51869bf52
Error messages for domain level 0 and >=1 cases were basically
swapped. This PR is swapping them back.

Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-02-06 12:25:08 +01:00
Mohammad Rizwan Yusuf
1ad27076a5 Updated the TestExternalCA with the functions introduced for the steps of external CA installation.
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-06 12:16:14 +01:00
Mohammad Rizwan Yusuf
f1f180985f When the dirsrv service, which gets started during the first ipa-server-install --external-ca phase, is not running when the second phase is run with --external-cert-file options, the ipa-server-install command fails.
This test checks if the second phase installs successfully when dirsrv
is stopped.

related ticket: https://pagure.io/freeipa/issue/6611

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-06 12:16:14 +01:00
Fraser Tweedale
01c534c229 cert-request: avoid internal error when cert malformed
When executing cert-request, if Dogtag successfully issues a
certificate but python-cryptography cannot parse the certificate, an
unhandled exception occurs.  Handle the exception by notifying about
the malformed certificate in the response messages.

Fixes: https://pagure.io/freeipa/issue/7390
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-02-06 11:42:34 +01:00
Fraser Tweedale
fa5394cc62 Improve warning message for malformed certificates
The 'CertificateInvalid' message is used for malformed certificates.
The user error messages says "Invalid certificate...", but in X.509
"validity" has a specific meaning that does not encompass
well-formedness.  For clarity, change the user-visible message to
say "Malformed".

Part of: https://pagure.io/freeipa/issue/7390

Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-02-06 11:42:34 +01:00
Rob Crittenden
aaf2eaabee Move Requires: pythonX-sssdconfig into conditional
https://pagure.io/freeipa/issue/5638

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-02-06 11:41:03 +01:00
Mohammad Rizwan Yusuf
9c208ea14d
IANA reserved IP address can not be used as a forwarder. This test checks if ipa server installation throws an error when 0.0.0.0 is specified as forwarder IP address.
related ticket: https://pagure.io/freeipa/issue/6894

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-01-31 16:13:50 +01:00
Aleksei Slaikovskii
6c5a7464b2
Fixing translation problems
ipa rpc server did set the LANG environment variable on each
request and it was not thread safe which led to unpredictable
mixed languages output. Also, there were mistakes regarding
setting the Accept-Language HTTP header.

Now on each request we're setting the "languages" property
in the context thread local variable and client is setting
the Accept-Language HTTP header correctly.

Also, as the server is caching the schema and the schema can
be generated for several languages it's good to store different
schema fingerprint for each language separately.

pagure: https://pagure.io/freeipa/issue/7238
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-01-31 16:03:19 +01:00
Alexander Koksharov
1235f5958d preventing ldap principal from being deleted
ipa-server-install --uninstall command is calling server-del to
delete replica. This scenario does not work since server-del
is also deleting all principals from ldap, breaking ldap
replication. As a result, only part of the deletions are propagated
to the other replicas leaving a lot of orphaned data there.

https://pagure.io/freeipa/issue/7371

This patch won't fully fix the issue with left-over data
but more data is cleaned up and only ldap principal is left
thus ending in a better state.
Issue will be fully fixed only when topology plugin is patched
as well. The following pagure ticket is created to track
topology plugin change:
https://pagure.io/freeipa/issue/7359

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-01-31 12:35:03 +01:00
Christian Heimes
1c059fbf5c Remove unused PyOpenSSL from spec file
https://pagure.io/freeipa/issue/7381

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-01-29 14:49:16 +01:00
Florence Blanc-Renaud
86a78ca244 test_integration: backup custodia conf and keys
Add an integration test for issue 7247 (ipa-backup does not backup
Custodia keys and files)
The test performs backup / uninstall / check custodia files were removed /
restore and check that the custodia conf and keys files are restored.

related ticket https://pagure.io/freeipa/issue/7247

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-01-29 11:19:56 +01:00
Felipe Barreto
c8ba9eb0e6 Fixing vault-add-member to be compatible with py3
Changing from iteritems() to values() in order to be compatible with
python3.

https://pagure.io/freeipa/issue/7373

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-01-24 19:09:03 +01:00
Christian Heimes
e1e3218270 Give ODS socket a bit of time
ipa-ods-exporter uses systemd socket activation. The script uses
select() to check if the socket is readable. A timeout of 0 is a bit too
aggressive. Sometimes select() doesn't consider the systemd socket as
readable. This causes ODS to fail silently.

A timeout of one second seems to remove the problem. A proper error code
also signals that something went wrong.

Closes: https://pagure.io/freeipa/issue/7378
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-01-23 21:54:04 +01:00
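The commit above describes the failure mode (a zero select() timeout that misses a socket handed over by systemd) and the two-part remedy: a short positive timeout plus a non-zero exit status. The following block is an added example, not FreeIPA's ipa-ods-exporter; the helper names and the socketpair used in place of the activated socket are assumptions for the illustration.

```python
"""Added example, not FreeIPA code: waiting for a socket to become readable
with a short select() timeout and reporting failure through the exit
status, as the ODS socket commit above describes. Names are assumptions."""
import select
import socket
import sys


def wait_readable(sock, timeout):
    """Return True if sock has data to read within timeout seconds.

    With timeout 0, select() only polls once; a socket handed over by
    systemd socket activation may not yet be reported readable at that
    instant, so the daemon would wrongly conclude there is nothing to do.
    A small positive timeout lets the kernel wake us when data arrives.
    """
    readable, _, _ = select.select([sock], [], [], timeout)
    return sock in readable


def read_command(sock, timeout=1.0):
    """Return (exit_code, command).

    A non-zero exit code makes a timeout or a closed peer visible to the
    caller (and to the journal, via the unit's exit status) instead of
    failing silently.
    """
    if not wait_readable(sock, timeout):
        return 1, None
    data = sock.recv(4096)
    if not data:                      # peer closed without sending
        return 1, None
    return 0, data.decode("ascii").rstrip("\n")


def demo():
    """Constructed run over a socketpair standing in for the activated
    socket: first poll an idle socket with timeout 0, then wait up to one
    second after the peer has written a command."""
    client, server = socket.socketpair()
    try:
        idle = read_command(server, timeout=0)
        client.sendall(b"status\n")
        ready = read_command(server, timeout=1.0)
    finally:
        client.close()
        server.close()
    return idle, ready


if __name__ == "__main__":
    idle, ready = demo()
    print(idle, ready)                # (1, None) (0, 'status')
    sys.exit(ready[0])
```

The one-second figure is the value the commit settled on; the important property is that the timeout is positive and that the failure path returns a distinct exit status rather than quietly doing nothing.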
Christian Heimes
e0c976ac32 Require dbus-python on F27
Partly revert b03d5155. python2-dbus is not available on F27. The
package only provides dbus-python:

$ dnf install python2-dbus dbus-python
Last metadata expiration check: 0:18:39 ago on 2018-01-23T18:59:22 CET.
No match for argument: python2-dbus
Package dbus-python-1.2.4-8.fc27.x86_64 is already installed, skipping.
Error: Unable to find a match

Part of: https://pagure.io/freeipa/issue/7131
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-01-23 21:02:49 +01:00
Christian Heimes
7924dae6ae Fix pylint error in ipapython/dn.py
ipapython/dn.py:1324: [R1710(inconsistent-return-statements), DN.__contains__]
Either all return statements in a function should return an expression, or none of them should.)

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-01-23 17:10:16 +01:00
amitkuma
fc8c130b97 Custom ca-subject logging
Present Situation:
Logging is a bit incomplete when using a custom CA subject passed in via --ca-subject.
If there is a problem finding the IPA CA certificate then the installer will log:
ERROR IPA CA certificate not found in /tmp/servercert.pem, /tmp/cacert.pem

After the Fix this sort of log is seen:
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): DEBUG    The ipa-server-install command failed, exception: ScriptError: IPA CA certificate with subject 'CN=Certificate Authority,O=GSSLAB.PNQ2.REDHAT.COM' was not found in /root/ipa.cert, /root/rootCA.crt.

Resolves: https://pagure.io/freeipa/issue/7245
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-01-23 10:09:12 +01:00
Christian Heimes
c1f7c61762 Lower python-ldap requirement for F27
For DNSSEC daemons on Python 3, python-ldap requirement was bumped to
python-ldap 3.0. But python-ldap 3.0 hasn't been released yet and is
only available as beta4 on rawhide. The DNSSEC fix hasn't landed either.

Lower requirements to python2-ldap 2.4.15 and python3-pyldap 2.4.35.1-2
until the DNSSEC fix has landed.

See https://pagure.io/freeipa/issue/7257

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-01-23 10:06:56 +01:00
Felipe Barreto
cd660d1922
Fixing test_backup_and_restore assert not to rely on the order
Since we cannot assume that LDAP will return data in any ordered way,
the test should be changed not to rely on that.

Instead of just comparing the output of the show-user command, this change
first orders the groups returned in the 'Member of Group' field before
comparing them.

https://pagure.io/freeipa/issue/7339

Reviewed-By: Aleksei Slaikovskii <aslaikov@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-01-17 16:01:13 +01:00
Michal Reznik
e55969f7e0 test_caless: add SAN extension to other certs
Currently when testing we are using SAN extension only in
KDC, wildcard certs and not in the other certs.
During replica installation we then see a warning about certs
having no `subjectAltName`.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-01-17 12:52:16 +01:00
Stanislav Laznicka
cd83afcd4b
replica_prepare: Remove the correct NSS DB files
Mistake in recent fixes made the ipa-replica-prepare include
some extra files in the info file should the legacy format of
NSS databases be used.

https://pagure.io/freeipa/issue/7049

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-01-16 16:36:10 +01:00
Stanislav Laznicka
f0c0a14ec1
Add a helpful comment to ca.py:install_check()
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-01-16 14:15:58 +01:00
amitkuma
5c361f5450 Documenting kinit_lifetime in /etc/ipa/default.conf
Describing the parameter kinit_lifetime that allows limiting the lifetime of tickets obtained by users authenticating to the WebGUI using login/password. Removing session_auth_duration and session_duration_type since these parameters are not relevant anymore.

Resolves: https://pagure.io/freeipa/issue/7333
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2018-01-12 20:33:20 +01:00
Christian Heimes
0cab090f4d
ipa-run-tests: make --ignore absolute, too
ipa-run-tests now applies the same logic to --ignore as to included
paths.

https://pagure.io/freeipa/issue/7355

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
2018-01-12 13:47:06 +01:00
Christian Heimes
dc4109c1a4 Sort external schema files
get_all_external_schema_files() now returns schema files sorted.

Fixes: https://pagure.io/freeipa/issue/7338

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-01-10 09:39:57 +01:00
Michal Reznik
099856e184 prci: run full external_ca test suite
Before this patch there was just one test in external_ca suite,
now we add one new test class thus deleting the specific class
in external_ca PRCI section.

https://pagure.io/freeipa/issue/7302

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-01-09 10:17:01 +01:00
Michal Reznik
3bdac1a84d tests: move CA related modules to pytest_plugins
Till now both create_caless_pki.py and create_external_ca.py were
stored in the test_integration folder. However when trying to import
e.g. "from create_external_ca import ExternalCA" from tasks.py,
where all other integration tests' support functions live, we get
"AttributeError: module 'pytest' has no attribute 'config'" as pytest
was not completely initialized at the moment of the import.

https://pagure.io/freeipa/issue/7302

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-01-09 10:17:01 +01:00
Michal Reznik
ad996d79c6 test_external_ca: selfsigned->ext_ca->selfsigned
Add selfsigned > external_ca > selfsigned test case.

Covers Pagure issue #7106

https://pagure.io/freeipa/issue/7302

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-01-09 10:17:01 +01:00
Michal Reznik
efe21a1bda test_tasks: add sign_ca_and_transport() function
Add sign_ca_and_transport() function which will sign provided csr
and transport root CA and signed IPA CA to the host.

https://pagure.io/freeipa/issue/7302

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-01-09 10:17:01 +01:00
Michal Reznik
0cef510763 paths: add IPA_CACERT_MANAGE and IPA_CERTUPDATE constants
Add IPA_CACERT_MANAGE and IPA_CERTUPDATE constants which will be
used in test_external_ca test suite.

https://pagure.io/freeipa/issue/7302

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-01-09 10:17:01 +01:00
Michal Reznik
434d7d423c test_caless: test PKINIT install and anchor update
Add test case for installing PKINIT and anchor update when using
3rd party CA after caless installation. Related to #6831 issue.

https://pagure.io/freeipa/issue/7233

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-01-09 09:37:24 +01:00
Michal Reznik
dbb7784b90 test_renewal_master: add ipa csreplica-manage test
Add test case for setting renewal master using command
ipa-csreplica-manage.

Automation related to upstream ticket #7120. Testing using
config-mod already covered.

https://pagure.io/freeipa/issue/7321

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-01-09 09:36:33 +01:00
Felipe Barreto
f5c01c5e86 Fixing test_testconfig with proper asserts
When the cls in env_config.py is a WinHost, the __init__ receives different
parameters. Now, it's adapted to all different kinds of hosts.

Also, it's necessary to add the host_type field to most of domains created
in the test classes, because the field is returned by pytest_multihost.Config
in pytest_plugins/integration/config.py::Config::to_dict

https://pagure.io/freeipa/issue/7346

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-01-09 08:03:49 +01:00
Aleksei Slaikovskii
a70dcb1e18 test_backup_and_restore.py AssertionError fix
prefix in the backup function expects output to have
'ipa.ipaserver.install.ipa_backup.Backup:' and it's wrong. The right
one is 'ipaserver.install.ipa_backup:'.

https://pagure.io/freeipa/issue/7339

Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2018-01-09 08:02:29 +01:00
Florence Blanc-Renaud
830866d68a Idviews: fix objectclass violation on idview-add
When the option --domain-resolution-order is used with the command
ipa idview-add, the resulting LDAP object stores the value in
ipadomainresolutionorder attribute.
The issue is that the add command does not add the needed object
class (ipaNameResolutionData) because it is part of
possible_objectclasses but not of object_class.

The fix makes sure to add the objectclass when the option
--domain-resolution-order is used, and adds a non-regression test.

Note that idview-mod does not have any issue as it correctly handles
the addition of missing possible objectclasses.

Fixes:
https://pagure.io/freeipa/issue/7350

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-01-09 07:58:52 +01:00
Christian Heimes
beb6d74b81 LGTM: unnecessary else in for loop
for/else only makes sense when the for loop uses break, too. If the for
loop simply returns on success, then else is not necessary.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-01-09 07:53:28 +01:00
Christian Heimes
5d02c6aaeb LGTM: Use explicit string concatenation
Implicit string concatenation is technically correct, too. But when
combined in a list, it's confusing for both the human eye and static code
analysis.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-01-09 07:53:28 +01:00
Christian Heimes
f60b2c5906 LGTM: raise handle_not_found()
Turn calls "handle_not_found()" into "raise handle_not_found()" to
indicate the control flow change. It makes the code easier to understand,
the control flow more obvious and helps static analyzers.

It's OK to raise here because handle_not_found() always raises an
exception.

https://pagure.io/freeipa/issue/7344

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-01-09 07:53:28 +01:00
Christian Heimes
73ee9ff40e LGTM: Fix multiple use before assignment
- Move assignment before try/finally block
- Add raise to indicate control flow change
- Add default value

https://pagure.io/freeipa/issue/7344

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-01-09 07:53:28 +01:00