`--hosts` and `--hostgroup` options added to:
* service-allow-create-keytab
* service-allow-retrieve-keytab
* service-disallow-create-keytab
* service-disallow-retrieve-keytab
* host-allow-create-keytab
* host-allow-retrieve-keytab
* host-disallow-create-keytab
* host-disallow-retrieve-keytab
in order to allow hosts to retrieve keytab of their services or related hosts as described on http://www.freeipa.org/page/V4/Keytab_Retrieval design page
https://fedorahosted.org/freeipa/ticket/4777
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This enables plugins to share authentication configuration cache code.
Additionally, update the caching mechanism to be declarative and faster.
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
There are no major changes in this commit other than changing filenames
and symbols to have consistent namespaces. This prepares for larger
changes to come in subsequent commits.
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
For CA certificates that are not certificates of IPA CA, we incorrectly
set the trust flags to ",,", regardless what the actual trust_flags
parameter was passed.
Make the load_cacert method respect trust_flags and make it a required
argument.
https://fedorahosted.org/freeipa/ticket/4779
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Pytest imports all modules when running doctests.
The setup.py runs code on import, and raises an exception,
depending on globa connand-line arguments, so it needs to be ignored.
Also, pytest dislikes multiple top-level modules with the same name
("setup" in this case). Again ignoring is the way to go.
OTP token tests do not properly reinitialize the NSS db, thus
making subsequent xmlrpc tests fail on SSL cert validation.
Make sure NSS db is re-initalized in the teardown method.
https://fedorahosted.org/freeipa/ticket/4748
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Trust validation requires AD DC to contact IPA server to verify that trust account
actually works. It can fail due to DNS or firewall issue or if AD DC was able to
resolve IPA master(s) via SRV records, it still may contact a replica that has
no trust data replicated yet.
In case AD DC still returns 'access denied', wait 5 seconds and try validation again.
Repeat validation until we hit a limit of 10 attempts, at which point raise
exception telling what's happening.
https://fedorahosted.org/freeipa/ticket/4764
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Protocols are configured as an inclusive range from SSLv3 through
TLSv1.2. The allowed values in the range are ssl3, tls1.0,
tls1.1 and tls1.2.
This is overridable per client by setting tls_version_min and/or
tls_version_max.
https://fedorahosted.org/freeipa/ticket/4653
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Move the IPA-specific log collection out of the Beakerlib plugin.
Add the --logfile-dir option to tests and ipa-test-task, so that logs
can be collected even if BeakerLib is not used.
https://fedorahosted.org/freeipa/ticket/4610
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The --with-xunit option ihas the same behavior as in nosetests:
it's an alias for pytest's --junitxml=nosetests.py
The --logging-level option enables direct IPA logging to stdout.
https://fedorahosted.org/freeipa/ticket/4610
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The unused capability to run on multiple Python versions is removed,
and needed arguments are now listed in pytest.ini,
leaving just a simple call to the actual test runner.
https://fedorahosted.org/freeipa/ticket/4610
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The pytest.ini file needs to be in or above the directory py.test is called in.
When in IPA project root, this invocation will find ./ipatests/pytest.ini:
py.test ipatests/
but these will not (they're equivalent):
py.test .
py.test
So pytest.ini must be in the project root.
However, setupttols can't include files outside package directories,
so we also need this file to be under ipatests/
Solve the problem by symlinking ./pytest.ini to ipatests/pytest.ini.
https://fedorahosted.org/freeipa/ticket/4610
Reviewed-By: Tomas Babej <tbabej@redhat.com>
