Commit Graph

12648 Commits

Author SHA1 Message Date
Serhii Tsymbaliuk
cd795257cc
UI tests for "Automember": Negative cases
https://pagure.io/freeipa/issue/7721

Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-10-30 16:26:29 +01:00
Serhii Tsymbaliuk
33a74fb2c4
UI tests for "Automember": check setting default user/host group
https://pagure.io/freeipa/issue/7721

Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-10-30 16:26:29 +01:00
Serhii Tsymbaliuk
a68035dcae
UI tests for "Automember": check creating and deleting of automember rule conditions
https://pagure.io/freeipa/issue/7721

Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-10-30 16:26:29 +01:00
Serhii Tsymbaliuk
63cbf6294e
UI tests for "Automember": check creating and deleting of multiple rules
https://pagure.io/freeipa/issue/7721

Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-10-30 16:26:29 +01:00
Serhii Tsymbaliuk
49df1ab1c8
UI tests for "Automember": check search filter
https://pagure.io/freeipa/issue/7721

Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-10-30 16:26:29 +01:00
Christian Heimes
ec208e9719 Require Dogtag 10.6.7-3
10.6.7-3 fixes a problem with ipa-ca-install and ipa-kra-install on
replicas.

See: https://pagure.io/dogtagpki/issue/3073
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-10-26 21:37:39 +02:00
Fraser Tweedale
4b920df483 Restore KRA clone installation integration test
This Dogtag issue that caused KRA clone installation failure in some
scenarios has been fixed (https://pagure.io/dogtagpki/issue/3055).
This reverts commit 2488813260 and
bumps the pki-core dependency.

Fixes: https://pagure.io/freeipa/issue/7654
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-10-26 21:37:39 +02:00
Christian Heimes
204353e4dc Use tasks.install_master() in external_ca tests
The install_master() function performs additional steps besides just
installing a server. It also sets up log collection and performs
additional tests.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-10-26 20:10:23 +02:00
Christian Heimes
ec54fa7712 Keep Dogtag's client db in external CA step 1
Don't remove /root/.dogtag/pki-tomcat when performing step 1 of external
CA installation process. Dogtag 10.6.7 changed behavior and no longer
re-creates the client database in step 2.

Fixes: https://pagure.io/freeipa/issue/7742
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-10-26 20:10:23 +02:00
Christian Heimes
2e7f3d1d0d Improve Python configuration for LGTM
LGTM is no longer able to analyse all Python code without importing it.
Define OS and Python package dependencies and build the project for
Python, too.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-10-26 18:04:23 +02:00
Florence Blanc-Renaud
fa559808d7 ipatest: add functional test for ipa-backup
The test ensures that ipa-backup compresses the files after the
IPA services are restarted.

Related to: https://pagure.io/freeipa/issue/7632

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-10-26 17:21:07 +02:00
Florence Blanc-Renaud
4de5ea0930 ipa-backup: restart services before compressing the backup
ipa-backup gathers all the files needed for the backup, then compresses
the file and finally restarts the IPA services. When the backup is a
large file, the compression may take time and widen the unavailabity
window.

This fix restarts the services as soon as all the required files are
gathered, and compresses after services are restarted.

Fixes: https://pagure.io/freeipa/issue/7632
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-10-26 17:21:07 +02:00
Rob Crittenden
552777293d Collect the client and server uninstall logs in tests
When running the integration tests capture the uninstallation
logs as well as the installation logs.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-10-26 08:11:03 +02:00
Rob Crittenden
e59ee6099f Fix misleading errors during client install rollback
Some incorrect errors are possible if a client installation
fails and a configuration rollback is required.

These include:

1. Unconfigured automount client failed: CalledProcessError(Command
['/usr/sbin/ipa-client-automount', '--uninstall', '--debug']
returned non-zero exit status 1: '')

Caused by check_client_configuration() not returning the correct
return value (2).

2. WARNING: Unable to revert to the pre-installation state ('authconfig'
tool has been deprecated in favor of 'authselect'). The default sssd
profile will be used instead.
The authconfig arguments would have been: authconfig --disableldap
--disablekrb5 --disablesssdauth --disablemkhomedir

If installation fails before SSSD is configured there is no state
to roll back to. Detect this condition.

3. An error occurred while removing SSSD's cache.Please remove the
cache manually by executing sssctl cache-remove -o.

Again, if SSSD is not configured yet then there is no cache to
remove. Also correct the missing space after the period.

https://pagure.io/freeipa/issue/7729

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-10-26 08:11:03 +02:00
Rob Crittenden
235b5bd643 Remove the authselect profile warning if sssd was not configured.
On a plain uninstall there should not be a bunch of confusing
warning/error messages.

Related to https://pagure.io/freeipa/issue/7729

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-10-26 08:11:03 +02:00
Christian Heimes
a42ca499a6 Add Coverity Scan target
Add "make cov-scan" to automate Coverity scan builds. cov-build requires
extra quirks to work with recent versions of GCC on Fedora.

The make target requires a token and Coverity's build chain. Both are
available for privileged project owners on
https://scan.coverity.com/projects/freeipa-freeipa .

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-10-24 18:28:23 +02:00
Christian Heimes
4de97f496d Replace hard-coded interpreter with sys.executable
Instead of hard-coding python3, the smart card advise script now uses
the current executable path from sys.executable as interpreter.

Fixes: https://pagure.io/freeipa/issue/7741
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-10-24 17:44:20 +02:00
Christian Heimes
5fe3198d80 Don't abuse strncpy() length limitation
On two occasions C code abused strncpy()'s length limitation to copy a
string of known length without the trailing NULL byte. Recent GCC is
raising the compiler warning:

  warning: ‘strncpy’ output truncated before terminating nul copying as
  many bytes from a string as its length [-Wstringop-truncation]

Use memcpy() instead if strncpy() to copy data of known size.

See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-10-24 16:11:55 +02:00
Christian Heimes
836e29591c Fix ipadb_multires resource handling
* ipadb_get_pwd_policy() initializes struct ipadb_multires *res to NULL.
* ipadb_multires_free() supports NULL as no-op.
* ipadb_multibase_search() consistently frees and NULLs
  struct ipadb_multires **res on error.

See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-10-24 16:11:55 +02:00
Florence Blanc-Renaud
4600e62b6b ipa-replica-install --setup-adtrust: check for package ipa-server-trust-ad
When adding the option --setup-adtrust to ipa-replica-install,
we need to check that the package freeipa-server-trust-ad is
installed.
To avoid relying on OS-specific commands like yum, the check is instead
ensuring that the file /usr/share/ipa/smb.conf.empty is present
(this file is delivered by the package).
When the check is unsuccessful, ipa-replica-install exits with an error
message.

Fixes: https://pagure.io/freeipa/issue/7602
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-10-24 14:20:29 +02:00
Christian Heimes
23e33443c9 Add lgtm.yml to analyzse C code with LGTM
See https://lgtm.com/help/lgtm/customizing-file-classification

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-10-24 10:49:12 +02:00
Alexander Bokovoy
3b79deae53 net groupmap: force using empty config when mapping Guests
When we define a group mapping for BUILTIN\Guests to 'nobody' group in
we run 'net groupmap add ...' with a default /etc/samba/smb.conf which
is now configured to use ipasam passdb module. We authenticate to LDAP
with GSSAPI in ipasam passdb module initialization.

If GSSAPI authentication failed (KDC is offline, for example, during
server upgrade), 'net groupmap add' crashes after ~10 attempts to
re-authenticate. This is intended behavior in smbd/winbindd as they
cannot work anymore. However, for the command line tools there are
plenty of operations where passdb module is not needed.

Additionally, GSSAPI authentication uses the default ccache in the
environment and a key from /etc/samba/samba.keytab keytab. This means
that if you'd run 'net *' as root, it will replace whatever Kerberos
tickets you have with a TGT for cifs/`hostname` and a service ticket to
ldap/`hostname` of IPA master.

Apply a simple solution to avoid using /etc/samba/smb.conf when we
set up the group mapping by specifying '-s /dev/null' in 'net groupmap'
call.

For upgrade code this is enough as in
a678336b8b we enforce use of empty
credentials cache during upgrade to prevent tripping on individual
ccaches from KEYRING: or KCM: cache collections.

Related: https://pagure.io/freeipa/issue/7705
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-10-23 16:50:43 +02:00
Thomas Woerner
8e98c72e51 Fix ressource leak in daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c ipa_cldap_netlogon
The leak happens due to using strndup in a for loop to create a temporary
string without freeing it in all cases.

See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-10-23 16:45:22 +02:00
Thomas Woerner
389c17c5c6 Fix ressource leak in client/config.c get_config_entry
The leak happens due to using strndup to create a temporary string without
freeing it afterwards.

See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-10-23 16:45:22 +02:00
Thomas Woerner
5c0885d266 Update annobin to fix continuous-integration/travis-ci/pr issues
gcc is updated with the dnf builddep line, but annobin is not. Therefore
configure fails with "C compiler cannot create executables".

This is related to https://bugzilla.redhat.com/show_bug.cgi?id=1574478

See: https://pagure.io/freeipa/issue/7740
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-10-23 15:55:36 +02:00
Petr Vobornik
0e22314c9b ipa-advise: update url of cacerdir_rehash tool
On legacy systems which don't have cacerdir_rehash tool (provided by authconfig)
the generated advise script downloads this tool from project page and uses it.

After decommision of Fedorahosted and move of authconfig project to Pagure,
this url was not updated in FreeIPA project.

This patch updates the url.

https://pagure.io/freeipa/issue/7731

Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-10-23 10:23:16 +02:00
Rob Crittenden
2fba5acc52 Handle NTP configuration in a replica server installation
There were two separate issues:

1. If not enrolling on a pre-configured client then the ntp-server and
   ntp-pool options are not being passed down to the client installer
   invocation.
2. If the client is already enrolled then the ntp options are ignored
   altogether.

In the first case simply pass down the options to the client
installer invocation.

If the client is pre-enrolled and NTP options are provided then
raise an exception.

https://pagure.io/freeipa/issue/7723

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-10-19 11:53:32 -04:00
Florence Blanc-Renaud
fbcb79af13 ipatests: fix path in expected error message
The test is putting server.p12 / replica.p12 in the test_dir directory,
and the error message is printing the file name with its full path.

Related to https://pagure.io/freeipa/issue/5378

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-10-17 15:51:10 +02:00
Rob Crittenden
5466eca048 Remove tests which install KRA on replica w/o KRA on master
The KRA installation code explicity quits if trying to
install a KRA during a replica installation if there is not
already a KRA in the topology.

A KRA can be added afterward.

https://pagure.io/freeipa/issue/7651

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-10-16 11:16:41 +02:00
Serhii Tsymbaliuk
4c3f010461 UI tests for "ID Range": Clean unnecessary Python2 compatible code constructions
https://pagure.io/freeipa/issue/7709

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-10-16 09:09:02 +02:00
Serhii Tsymbaliuk
2d845cc70a UI tests for "ID Range": check deleting primary local range
https://pagure.io/freeipa/issue/7709

Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-10-15 14:11:42 +02:00
Serhii Tsymbaliuk
6595949e1d UI tests for "ID Range": check creating ID Range with overlapping of primary and secondary RID base
https://pagure.io/freeipa/issue/7709

Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-10-15 14:11:42 +02:00
Serhii Tsymbaliuk
dd590e7ea7 UI tests for "ID Range": - check creating ID range with special characters in name - check modifying ID range with existing secondary RID base
https://pagure.io/freeipa/issue/7709

Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-10-15 14:11:42 +02:00
Serhii Tsymbaliuk
70f51c0db2 UI tests for "ID Range": check modifying ID range with invalid or missing values
https://pagure.io/freeipa/issue/7709

Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-10-15 14:11:42 +02:00
Serhii Tsymbaliuk
dde4d19f7b UI tests for "ID Range": check adding range with overlapping of existing local range
https://pagure.io/freeipa/issue/7709

Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-10-15 14:11:42 +02:00
Serhii Tsymbaliuk
b180991aca UI tests for "ID Range": check primary RID base duplication
https://pagure.io/freeipa/issue/7709

Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-10-15 14:11:42 +02:00
Serhii Tsymbaliuk
369fb23ed9 UI tests for "ID Range": check adding range without primary and secondary RID bases
https://pagure.io/freeipa/issue/7709

Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-10-15 14:11:42 +02:00
Serhii Tsymbaliuk
e55d17d609 UI tests for "ID Range": check range name and base ID duplication
https://pagure.io/freeipa/issue/7709

Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-10-15 14:11:42 +02:00
Florence Blanc-Renaud
3eac88a433 Bump requires 389-ds-base
ipa-replica-install sometimes fails with
--
[28/41]: setting up initial replication
Starting replication, please wait until this has completed.
[ldap://master.ipa.test:389] reports: Replica Busy! Status: [Error (1) Replication error acquiring replica: replica busy]
 [error] RuntimeError: Failed to start replication
--
which is caused by a 389-ds issue
(https://pagure.io/389-ds-base/issue/49818)
Bump requires to include the fix.

Fixes: https://pagure.io/freeipa/issue/7642
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-10-15 10:20:25 +02:00
Stanislav Levin
531eca4308 Move ipa's systemd tmpfiles from /var/run to /run
systemd 239 complains about the legacy of ipa's tmpfiles which
are located on /var/run.

Fixes: https://pagure.io/freeipa/issue/7732
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-10-15 10:04:33 +02:00
Rob Crittenden
1e76f100a5 Enable LDAP debug output in client to display TLS errors in join
If ipa-join fails due to a TLS connection error when doing an
LDAP-based enroll then nothing is logged by default except an
Invalid Password error which is misleading (because the failure
occurs during the bind).

The only way that debugging would have been sufficient is if
the user passed --debug to ipa-client-install which is not great.

This log level is otherwise very quiet and only logs one or two
lines on errors which is perfect.

https://pagure.io/freeipa/issue/7728

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-10-12 16:55:52 -04:00
Alexander Bokovoy
1ef0fe8bb8 adtrust: define Guests mapping after creating cifs/ principal
All Samba utilities load passdb modules from the configuration file. As
result, 'net groupmap' call would try to initialize ipasam passdb module
and that one would try to connect to LDAP using Kerberos authentication.

We should be running it after cifs/ principal is actually created in
ipa-adtrust-install or otherwise setting up group mapping will fail.

This only affects new installations. For older ones 'net groupmap' would
work just fine because adtrust is already configured and all principals
exist already.

A re-run of 'ipa-server-upgrade' is a workaround too but better to fix
the initial setup.

Related: https://pagure.io/freeipa/issue/7705
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-10-10 11:36:00 +02:00
Florence Blanc-Renaud
f6793043ec ipatests: mark known failures as xfail
Commit 5dbcc1a9d3 marked
the base class method test_replica0_with_ca_kra_dns_install
as known failure, but this does not work with inherited
classes. The child class methods need to be marked
themselves as known failures with @pytest.mark.xfail

Furthermore, TestInstallWithCA_KRA2 and TestInstallWithCA_KRA_DNS2
tests should succeed because the master is installed with KRA
(issue 7651 is related to replica install with --setup-kra
when it is the first KRA instance).

Related to https://pagure.io/freeipa/issue/7651

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-10-10 11:32:26 +02:00
Thomas Woerner
7f507519d4 Find orphan automember rules
If groups or hostgroups have been removed after automember rules have been
created using them, then automember-rebuild, automember-add, host-add and
more commands could fail.

A new command has been added to the ipa tool:

  ipa automember-find-orphans --type={hostgroup,group} [--remove]

This command retuns the list of orphan automember rules in the same way as
automember-find. With the --remove option the orphan rules are also removed.

The IPA API version has been increased and a test case has been added.

Using ideas from a patch by: Rob Crittenden <rcritten@redhat.com>

See: https://pagure.io/freeipa/issue/6476
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2018-10-10 09:56:40 +02:00
Florence Blanc-Renaud
6650d1b563 ipa tests: CA less
Remove the annotation pytest.mark.xfail as issue 5378 has been fixed.

Related to https://pagure.io/freeipa/issue/5378

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-10-09 14:53:56 +02:00
Florence Blanc-Renaud
9e1c26c755 certdb: provide meaningful err msg for wrong PIN
ipa-server-install or ipa-replica-install do not provide
a meaningful error message in CA-less mode when the install
fails because of a wrong PIN.

Update the err msg so that it provides a hint to the user.

Fixes https://pagure.io/freeipa/issue/5378

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-10-09 14:53:56 +02:00
Christian Heimes
341a12054a Fix zonemgr encoding issue
The zonemgr validator and handler performs additional encodings for IDNA
support. In Python 3, the extra steps are no longer necessary because
arguments are already proper text and stderr can handle text correctly.

This also fixes 'b' prefix in error messages like:

    option zonemgr: b'empty DNS label'

Fixes: https://pagure.io/freeipa/issue/7711
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-10-05 09:04:15 -04:00
Florence Blanc-Renaud
4f04e91be2 ipatests: remove TestReplicaManageDel (dl0)
TestReplicaManageDel is a test using domain level 0
but we do not support it any more. Remove the test.

Related to https://pagure.io/freeipa/issue/7689

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-10-05 08:59:34 -04:00
Christian Heimes
15d5e44ee8 Py3: Replace six.moves imports
Replace six.moves and six.StringIO/BytesIO imports with cannonical
Python 3 packages.

Note: six.moves.input behaves differently than builtin input function.
Therefore I left six.moves.input for now.

See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-10-05 12:06:19 +02:00
Alexander Bokovoy
753264069f Update list of contributors
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-10-05 12:02:39 +02:00