- Handle name / alt name for Fedora and RHEL. On Fedora, the packages
are named "freeipa-*" with alternative names "ipa-*". On RHEL it is
the other way around.
- Don't build ipatests on RHEL.
- Use latest versions of KRB5 on RHEL
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
It's no longer necessary to specify "with_python3" to get Python 3
dependencies.
python3-tox pulls in Python 2.6, 3.3, 3.4, 3.5, and pypy as weak
dependency. Use --setopt=install_weak_deps=False to make a build
environment leaner.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
%{python_sitelib} has been deprecated in favor of %{python2_sitelib}.
F29 rawhide no longer defines %{python_sitelib}.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Mark failing DL0 TestReplicaManageDel tests as xfail until
issue 7622 is fixed.
https://pagure.io/freeipa/issue/7622
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Globally disabling the following violations:
- `assignment-from-no-return` (E1111):
Assigning to function call which doesn't return. Used when an
assignment is done on a function call but the inferred function
doesn't return anything.
- `keyword-arg-before-vararg` (W1113):
Keyword argument before variable positional arguments list in the
definition of %s function When defining a keyword argument before
variable positional arguments, one can end up in having multiple
values passed for the aforementioned parameter in case the method is
called with keyword arguments.
Locally disabling the following:
- `subprocess-popen-preexec-fn` (W1509):
Using preexec_fn keyword which may be unsafe in the presence of
threads The preexec_fn parameter is not safe to use in the presence
of threads in your application. The child process could deadlock
before exec is called. If you must use it, keep it trivial! Minimize
the number of libraries you call into.
https://docs.python.org/3/library/subprocess.html#popen-constructor
Fixed violations:
- `bad-mcs-classmethod-argument` (C0204):
Metaclass class method %s should have %s as first argument Used when
a metaclass class method has a first argument named differently than
the value specified in valid-metaclass-classmethod-first-arg option
(default to "mcs"), recommended to easily differentiate them from
regular instance methods.
- Note: Actually `cls` is the default first arg for `__new__`.
- `consider-using-get` (R1715):
Consider using dict.get for getting values from a dict if a key is
present or a default if not Using the builtin dict.get for getting a
value from a dictionary if a key is present or a default if not, is
simpler and considered more idiomatic, although sometimes a bit slower
Issue: https://pagure.io/freeipa/issue/7614
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Some Python 2 dependencies such as python2-pki are no longer available
on Fedora 29. The pki package is a required dependency of
python2-ipaserver. It's not yet feasible to remove all Python 2
packages, since fleetcommander is not fully ported to Python 3 yet.
On Fedora 29, python2-ipaserver and python2-ipatests are no longer
built. The Python 3 packages replace the Python 2 packages.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Fix the following violations aiming to support Pylint 2.0
- `unneeded-not` (C0113):
Consider changing "not item in items" to "item not in items" used
when a boolean expression contains an unneeded negation.
- `useless-import-alias` (C0414):
Import alias does not rename original package Used when an import
alias is same as original package.e.g using import numpy as numpy
instead of import numpy as np
- `raising-format-tuple` (W0715):
Exception arguments suggest string formatting might be intended Used
when passing multiple arguments to an exception constructor, the
first of them a string literal containing what appears to be
placeholders intended for formatting
- `bad-continuation` (C0330):
This was already included on the disable list, although with current
version of pylint (2.0.0.dev2) violations at the end of the files
are not being ignored.
See: https://github.com/PyCQA/pylint/issues/2278
- `try-except-raise` (E0705):
The except handler raises immediately Used when an except handler
uses raise as its first or only operator. This is useless because it
raises back the exception immediately. Remove the raise operator or
the entire try-except-raise block!
- `consider-using-set-comprehension` (R1718):
Consider using a set comprehension Although there is nothing
syntactically wrong with this code, it is hard to read and can be
simplified to a set comprehension.Also it is faster since you don't
need to create another transient list
- `dict-keys-not-iterating` (W1655):
dict.keys referenced when not iterating Used when dict.keys is
referenced in a non-iterating context (returns an iterator in
Python 3)
- `comprehension-escape` (W1662):
Using a variable that was bound inside a comprehension Emitted when
using a variable, that was bound in a comprehension handler, outside
of the comprehension itself. On Python 3 these variables will be
deleted outside of the comprehension.
Issue: https://pagure.io/freeipa/issue/7614
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
pylinti 2 is having a hard time to handle name mangled, magic attributes
correctly. Double under attributes like __d are internally renamed to
_Env__d. After multiple failed attempts, it was easier to just add more
pylint disable to the implementation.
pylint 2 also thinkgs that Env.server is defined much later or the env
doesn't have that member at all. Ignore the false warnings, too.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
pylint 2.0 is more strict and complains about several aspects of
ipalib.api. It turns out that AstroidBuilder.string_build() can be used
to easily teach pylint about object attributes and attribute values.
Although the assignment wouldn't work with the actual implementation,
the string builder assignments shows pylint the names and values of
members. It works without additional transformation.
See: https://pagure.io/freeipa/issue/7614
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
THe ipa console command takes an optional filename argument. The
filename argument was broken, because the implementation passed a file
object to exec() instead of a string or compiled object.
ipa console now uses compile() to compile the code with print_function
__future__ feature.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
upload_temp_contents() generates a temporary file on the remote side and
uploads content to that temporary file. The file name is returned.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa console is a useful tool to use FreeIPA's API in an interactive
Python console. The patch adds readline tab completion and history
support.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This is a result of the previous commits. Building the Dojo builder
was bit more complex as it was:
1. patched Dojo sources
2. built from Dojo builder sources.
3. moved to it's location in FreeIPA project
4. built by util/make-builder.sh (does minimazation and replaces
itself)
Then Dojo layer is built by just:
1. util/make-dojo.sh
This process was documented some time ago at:
https://www.freeipa.org/page/V3/WebUI_build
Reviewed-By: Armando Neto <abiagion@redhat.com>
Rhino is no longer mainstream, nor is Nashorn. In addition it is quite
slow (about 10x) in comparison to NodeJS. Over the years NodeJS became
common part of OSes, thus one of the original reasons why use Rhino
went away.
The change in 01-Make-dojo-builder-buildable-by-itself.patch fixes
an incorrect change of the patch (it was not processing input options
well).
Removing configRhino.js and adding configNode.js are prerequisites
for Dojo Builder. These files are copied from Dojo project. Without
them it doesn̈́'t run. In long run, it would be good to replace Dojo
builder with something else but that is outside of this commit/PR.
Last changes are preparation for update to latest stable version of
Dojo 1. The updated Dojo and Dojo builder are in subsequent commit.
Reviewed-By: Armando Neto <abiagion@redhat.com>
UgligyJS is packaged in Fedora and other OSes it is no longer required
to carry our own version. This will lower the maintanance burden - the
code doesn't need to be updated and it is less code to have in repo.
On some configuration usage of the budled UglifyJS 1 produces
"JavaScript throw: java.lang.StackOverflowError" exception. Usage of more
recent version should fix it.
Reviewed-By: Armando Neto <abiagion@redhat.com>
When multiple replicas are installed in parallel, two replicas may try
to create the cn=replica entry at the same time. This leads to a
conflict on one of the replicas. replica_config() and
ensure_replication_managers() now handle conflicts.
ipaldap now maps TYPE_OR_VALUE_EXISTS to DuplicateEntry(). The type or
value exists exception is raised, when an attribute value or type is
already set.
Fixes: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
In order to support pylint 2.0 the following violations must be fixed:
- `chained-comparison` (R1716):
Simplify chained comparison between the operands This message is
emitted when pylint encounters boolean operation like
"a < b and b < c", suggesting instead to refactor it to "a < b < c".
- `consider-using-in` (R1714):
Consider merging these comparisons with "in" to %r To check if a
variable is equal to one of many values,combine the values into a
tuple and check if the variable is contained "in" it instead of
checking for equality against each of the values.This is faster
and less verbose.
Issue: https://pagure.io/freeipa/issue/7614
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Several test cases in test_installation pass, but are marked as xfail().
Only mark the actual failing tests as failed.
See: https://pagure.io/freeipa/issue/7613
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
With strict=True, xfail() fails when the test case passes unexpectably.
This allows us to spot passing tests that are expected to fail.
Fixes: https://pagure.io/freeipa/issue/7613
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
Aiming to support pylint 2.0 some functions and methods must have their
return statements updated in order to fix two new violations:
- `useless-return` (R1711):
Useless return at end of function or method Emitted when a single
"return" or "return None" statement is found at the end of function
or method definition. This statement can safely be removed because
Python will implicitly return None
- `inconsistent-return-statements` (R1710):
Either all return statements in a function should return an
expression, or none of them should. According to PEP8, if any return
statement returns an expression, any return statements where no value
is returned should explicitly state this as return None, and an
explicit return statement should be present at the end of the
function (if reachable)
Issue: https://pagure.io/freeipa/issue/7614
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
7284097eed introduced a regression in
DNSSEC master installation. For standalone and replica installation,
services have to be enabled before checking bind config.
Fixes: https://pagure.io/freeipa/issue/7635
See: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
ipa-client-install --request-cert now waits until certmonger has
provided a host certificate. In case of an error, ipa-client-install no
longer pretents to success but fails with an error code.
The --request-cert option also ensures that certmonger is enabled and
running.
See: Fixes: https://pagure.io/freeipa/issue/7623
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
During parallel replica installation, a request sometimes fails with
CA_REJECTED or CA_UNREACHABLE. The error occur when the master is
either busy or some information haven't been replicated yet. Even
a stuck request can be recovered, e.g. when permission and group
information have been replicated.
A new function request_and_retry_cert() automatically resubmits failing
requests until it times out.
Fixes: https://pagure.io/freeipa/issue/7623
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
There is a mismatch between 'i18n' krb_auth_msg and 'LoginScreen'
widget kerberos_msg. The former links to "unauthorized.html", but the latter
to "ssbrowser.html". Both should link to "ssbrowser.html" page.
Fixes: https://pagure.io/freeipa/issue/7624
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Tune 389-DS replication settings to improve performance and avoid
timeouts. During installation of a replica, the value of
nsDS5ReplicaBindDnGroupCheckInterval is reduced to 2 seconds. At the end
of the installation, the value is increased sensible production
settings. This avoids long delays during replication.
See: https://pagure.io/freeipa/issue/7617
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
The method IPASystemRecords.get_locations_records() has a race condition.
The IPASystemRecords object creates a mapping of server names to server
data. get_locations_records() uses server_find() again to get a list of
servers, but then operates on the cached dict of server names.
In parallel replication case, the second server_find() call in
get_locations_records() can return additional servers. Since the rest of
the code operates on the cached data, the method then fails with a KeyError.
server_data is now an OrderedDict to keep same sorting as with
server_find().
Fixes: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Calls to `os.fsync(f.fileno())` need to be accompained by `f.flush()`.
Commit 8bbeedc93f introduces the helper
`ipapython.ipautil.flush_sync()`, which handles all calls in the right
order.
However, `flush_sync()` takes as parameter a file object with fileno
and name, where name must be a path to the file, this isn't possible
in some cases where file descriptors are used.
Issue: https://pagure.io/freeipa/issue/7251
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Extend fix 0f31564b35 to also move
the DS SSL setup so that the xmlrpc_uri is configured to point
to the remote master we are configuring against.
https://pagure.io/freeipa/issue/7566
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Commit 7284097eed kept
find_providing_servers('CA') call before enable_services(). Therefore the
list of known CA servers did not contain the current replica.
ipa-replica-install on the first replica with --setup-ca still printed
the CA topology warning.
See: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When ipa client was installed with the --hostname= option, it stores
[network]
hostname = (current hostname)
in /var/lib/ipa-client/sysrestore/sysrestore.state and changes the hostname
from (current hostname) to the value provided in --hostname.
During uninstall, the previous hostname is restored but the entry does
not get removed from sysrestore.state. As the uninstaller checks if all
entries from sysrestore.state have been restored, it warns that some
state has not been restored.
The fix calls statestore.restore_state() instead of statestore.get_state()
as this method also clears the entry.
https://pagure.io/freeipa/issue/7620
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Service entries in cn=FQDN,cn=masters,cn=ipa,cn=etc are no longer
created as enabled. Instead they are flagged as configuredService. At
the very end of the installer, the service entries are switched from
configured to enabled service.
- SRV records are created at the very end of the installer.
- Dogtag installer only picks fully installed servers
- Certmonger ignores all configured but not yet enabled servers.
Fixes: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
When installing multiple replicas in parallel, one replica may create
SRV entries for other replicas, although the replicas aren't fully
installed yet. This may cause some services to connect to a server, that
isn't ready to serve requests.
The DNS IPASystemRecords framework now skips all servers that aren't
ready IPA masters.
See: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
server_find and server_role plugin were hiding IPA master role
information. It's now possible to fetch IPA master role information and
to filter by IPA master role, e.g. to ignore servers that have some
services configured but not (yet) enabled.
See: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Fix `ERROR 'str' object has no attribute 'decode'` when --zonemgr is
passed to ipa-server-install.
Solution copied from commit 75d26e1f01,
function `ipaserver.install.bindinstance.zonemgr_callback` duplicates
the behavior of the method affected by this patch.
Issue: https://pagure.io/freeipa/issue/7612
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
- Add missing executable bits to all scripts
- Remove executable bits from all files that are not scripts,
e.g. js, html, and Python libraries.
- Remove Python shebang from all Python library files.
It's frown upon to have executable library files in site-packages.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Python 3 has moved all collection abstract base classes to
collections.abc. Python 3.7 started to deprecate the old aliases.
The whole import block needs to be protected with import-error and
no-name-in-module, because Python 2 doesn't have collections.abc module and
collections.abc.Mapping, while Python 3 doesn't have collections.Mapping.
Fixes: https://pagure.io/freeipa/issue/7609
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Due to how 'openldap-client' parses its configuration files this patch
changes how comments are added, moving them to the line above instead
of appending to the same line.
IPA doesn't want to break existing configuration, if a value already
exists it adds a comment to the modified setting and a note about that
on the line above.
New settings will be added without any note.
Issue: https://pagure.io/freeipa/issue/5202
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
TestOldReplicaWorksAfterDomainUpgrade is getting stuck while
running "ipa-replica-prepare" as it is asking for user input:
"Do you want to search for missing reverse zones?". Adding
"--auto-reverse" in order to continue.
https://pagure.io/freeipa/issue/7615
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This patch aims to fix the following tests which seems to be quite
unstable recently:
test_user::test_actions - closing notification and moving to element
to have screenshot of current place.
test_user::certificates - add wait() / close_notification
Also adds missing @screenshot decorator to test_user_misc method.
Reviewed-By: Pavel Picka <ppicka@redhat.com>
Test more scenarios like replication replica -> master. Verify that master
and replica have all expected certs with correct trust flags and all keys.
See: https://pagure.io/freeipa/issue/7590
See: https://pagure.io/freeipa/issue/7589
Fixes: https://pagure.io/freeipa/issue/7611
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The test checks that custodia keys are properly
replicated from the source and are successfully
distributed amongst peer system upon successful
replica installation.
Fixes: https://pagure.io/freeipa/issue/7518
Signed-off-by: Nikhil Dehadrai <ndehadra@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Skip the existing reverse zone overlap check during DNS installation
when both --auto-reverse and --allow-zone-overlap arguments are
provided.
https://pagure.io/freeipa/issue/7239
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Allow callers to pass abitrary extra arguments to the installer.
This is useful when using a CALess installation in order to
speed up tests that require a full install but do not require
a full PKI.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
nodes.Class has been removed from pylint and astroid 2.0. The new names
have been available for a while.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipaldap's LDAPClient client turns INVALID_CREDENTIAL error into
ACIError. Catch the ACIError and wait until the user has been
replicated.
Apparently no manual or automated test ran into the timeout during
testing.
Fixes: Fixes: https://pagure.io/freeipa/issue/7593
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
