Recent certificate refactoring probably unclogged some failure
in handling certificates which causes test_changepw to correctly
fail since it is trying to connect using an HTTPS connection
without the CA certificate. This patch adds the CA cert to the
connection.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
load_unknown_x509_certificate() serves for the cases where we
can't be sure what the format of its input certificate is. This
is the case for installers, it should not be used anywhere else.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Splitting the load_certificate() function into two separate helps
us word the requirements for the input explicitly. It also makes
our backend similar to the one of python-cryptography so eventually
we can swap python-cryptography for IPA x509 module.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
As we are now generating proper wildcard certificates, remove xfail
in wildcard certificate tests.
https://pagure.io/freeipa/issue/5603
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
During py.test initialization, the value 'debug' is passed instead
of logging.DEBUG.
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
jslint warned about parsing string to integer without explicit radix.
This error was introduced in commit 3cac851 .
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
KDC crashes on quite random interval while trying to reach LDAP
https://pagure.io/freeipa/issue/7017
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Change makepki.sh for new makepki.py which should be more
readable, maintainable and extendable than the old script.
In this test we use it as a module and import create_pki().
The new makepki adds SKI and AKI extensions for correct
cert validation.
Other minor changes needed as we do not use NSS to store our
certificates on the test controller.
https://pagure.io/freeipa/issue/7030
Signed-off-by: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Previously, this configuration field was validated by integer_validator
which only checks that the input is number.
Now new positive_integer_validator can also check that
the inputed number positive.
https://pagure.io/freeipa/issue/6980
Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
Add new validator which inherits from integer validator
and checks whether the integer is positive.
https://pagure.io/freeipa/issue/6980
Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
Replace all `ipa_log_manager.log_mgr.get_logger` calls to create
module-level loggers with `logging.getLogger` calls and deprecate
`ipa_log_manager.log_mgr.get_logger`.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Remove logger arguments in all functions and logger attributes in all
objects, with the exception of API object logger, which is now deprecated.
Replace affected logger calls with module-level logger calls.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Remove all object-specific loggers, with the exception of `Plugin.log`,
which is now deprecated. Replace affected logger calls with module-level
logger calls.
Deprecate object-specific loggers in `ipa_log_manager.get_logger`.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Use the actual root logger (`logging.getLogger()`) rather than the `ipa`
logger (or the `root` logger in case of ipa-ods-exporter) as the root
logger.
Always configure logging on the root logger.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Use the standard `logging` module to configure logging instead of the
in-house `ipapython.log_manager` module and remove `ipapython.log_manager`.
Disable the logging-not-lazy and logging-format-interpolation pylint
checks.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Do not configure stderr handler by default and let the application do the
configuration.
Fix ipa-dnskeysync-replica and ipa-dnskeysyncd not to add stderr handler
twice.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Do not use custom Env instance to determine the debug level to use for the
IPA API object - the IPA API object can properly determine the configured
debug level on its own.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Currently the cert-request execution is complicated and cannot
handle aliases in the --principal argument.
Implement the following simplifications:
- Search all user/host/service accounts at once, by krbPrincipalName
(error if no account found). Use principal canonical name to
determine the type of the principal.
- Update subject principals userCertificate attribute uniformly,
instead of dispatching to user/host/service-mod based on type of
principal.
Fixes: https://fedorahosted.org/freeipa/ticket/6531
Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
IPA will not print error message header when maximum
number of agreements per replica exceeded in topology.
Resolves: https://pagure.io/freeipa/issue/6533
Reviewed-By: David Kupka <dkupka@redhat.com>
Fedora system upgrades don't necessary require the network to be up.
However, we do, so we have to make sure the network is online before
performing an upgrade.
https://pagure.io/freeipa/issue/7039
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Changed deletion of edges in remove_vertex method because there's no
need to store redundant variable in memory.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Hi!
I've just read the code and I saw that graph bfs uses not optimal
for Python solution. So I've edited it with more optimal one.
https://pagure.io/freeipa/issue/7051
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Pytest can be executed from a machine that doesn't have IPA configured.
In this case, api can't be finalized because values such as basedn are
unknown and missing.
Fixes https://pagure.io/freeipa/issue/7046
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
When pulling the DM password we may have the same issues reported in
ticket #6838 for CA keys.
This commit makes sure we always check the peer has keys before any
client operation.
Ticket #6838
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
Tests for whoami command with user,
host, and service principal's tgt.
Resolves: https://pagure.io/freeipa/issue/6745
Reviewed-By: Milan Kubik <mkubik@redhat.com>
To prevent regressions in py3, all ported scripts should be run by py3
by default.
This is temporary and will be removed once porting to py3 is done
https://pagure.io/freeipa/issue/4985
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
We are slowly migrating python scripts to py3 and setting py3 as default
for them. Thus we need to depend on both py2 and py3 packages until
everything is migrated.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Samba 4.7 tightens up smbldap API by making 'struct smbldap_state' an
opaque. This means ipa-sam module cannot anymore directly set its
LDAP bind callback.
Use new smbldap API to set the LDAP bind callback.
Fixes https://pagure.io/freeipa/issue/6877
Reviewed-By: Martin Basti <mbasti@redhat.com>
With Samba 4.7 access to ldapsam internal structures will not be
available for external applications. FreeIPA's ipasam module was using
those for own needs. Now it needs to migrate to proper own private
structure.
Given that we anyway need to implement many missing functions like
pdb_update_sam_account() callback with FreeIPA-specific logic,
piggybacking on ldapsam structures is not needed anymore.
Fixes https://pagure.io/freeipa/issue/6877
Reviewed-By: Martin Basti <mbasti@redhat.com>
While test run the TypeError occured in whoami.validate_output().
There should be 'tuple' type in output too.
Fixes: https://pagure.io/freeipa/issue/7050
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
If the setting of server attribute fails (e.g. due to master not having
the associated role enabled) the error would pop up *after* the old
values were cleared from LDAP. Fix this behavior so that all checks are
performed before manipulating any data.
https://pagure.io/freeipa/issue/7029
Reviewed-By: Martin Basti <mbasti@redhat.com>
If the role or attribute is empty (i.e. no server provides the role or
the caller has no read access to the required information) do not
return empty attributes. This is consistent with other behavior
displayed by optional multivalued Params.
https://pagure.io/freeipa/issue/7029
Reviewed-By: Martin Basti <mbasti@redhat.com>
IPA installation with large number of host entries gets timeout
when invoking ipaserver.plugins.host.get_dn() method.
Resolves: https://pagure.io/freeipa/issue/6939
Reviewed-By: Martin Basti <mbasti@redhat.com>
Derive the default value of `xmlrpc_uri` and `ldap_uri` from `server`.
Derive the default value of `basedn` from `domain`.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Domain, realm, basedn, xmlrpc_uri, ldap_uri do not have any reasonable default.
This patch removes hardcoded default so the so the code which depends
on these values blows up early and does not do crazy stuff
with default values instead of real ones.
This should help to uncover issues caused by improper ipalib
initialization.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
LDAPClient should be used for ad-hoc connections, so the argument is not
necessary, and currently also unused.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Use the default LDAP URI from api.env.ldap_uri instead of specifying a
custom URI in the argument. The default URI might be ldapi://, so make sure
autobind is not attempted where the custom URI was ldap://.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Use the default LDAP URI from api.env.ldap_uri instead of specifying a
custom URI in the argument, as the custom URI is always the same as the
default URI.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Use LDAPClient instead of ldap2 for ad-hoc remote LDAP connections in the
user_status and migrate-ds plugins.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
