Use package config instead of checking headers.
Package config is faster because it does not invoke compiler
and guarantees proper linking flags because these are provided
by package maintainer instead of hardcoded into build system.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Use package config instead of checking headers.
Package config is faster because it does not invoke compiler
and guarantees proper linking flags because these are provided
by package maintainer instead of hardcoded into build system.
libkrad does not have package config file so we keep the old way here.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
It was working accidentally because krb5 libs are part of OPENLDAP_LIBS.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
setuptools does not support data_files any more. The ipa(1) man page is
now handled like the remaining man pages.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
In commit c718ef0588 some param values were
accidentally removed from cert-find output.
In commit 22d5f579bb `serial_number_hex` and
`revoked` were added back.
Add back `revocation_reason` as well. Also, do not include `revoked` with
--raw, as it's a virtual attribute.
https://fedorahosted.org/freeipa/ticket/6269
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
In domain level 0 ipa-replica-prepare fails because dogtag is not ready
so soon after final restart during installation (tests are too fast).
Wait 30 seconds before ipa-replica-prepare is executed, to make sure
that dogtag is ready. Remove this workaround when ticket is fixed.
https://fedorahosted.org/freeipa/ticket/6274
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Providing tests for certificate revocation to replace deleted tests from
test_cert_find.
https://fedorahosted.org/freeipa/ticket/6349
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
A bunch of certplugin tests were testing number of revoked certificates with
various revocation reasons. Since existence of revoked certificates often
depends on other parts of IdM than IPA, it is not really valid to check their
presence unless creation of revoked certificate is intentionally tested.
https://fedorahosted.org/freeipa/ticket/6349
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Missing attributes in instance created by pickle.load cause AttributeError in
second part of ipa-server-install --external-ca.
https://fedorahosted.org/freeipa/ticket/6385
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
pylint-1.6.4-1.fc26.noarch reports "C0201(consider-iterating-dictionary)" when
building FreeIPA, we have to fix these errors
https://fedorahosted.org/freeipa/ticket/6391
Reviewed-By: Martin Basti <mbasti@redhat.com>
pylint-1.6.4-1.fc26.noarch reports these, hence they should be fixed in order
to build FreeIPA with this version
https://fedorahosted.org/freeipa/ticket/6391
Reviewed-By: Martin Basti <mbasti@redhat.com>
The label of API Browser is now in translatable strings and it has
uppercase B at the beginnig of second word.
https://fedorahosted.org/freeipa/ticket/6384
Reviewed-By: Martin Basti <mbasti@redhat.com>
When the admin runs ipa-cacert-manage install, he should also run
ipa-certupdate on master/replicas/clients in order to update the
certificates databases.
The man page should mention this requirement, and also clarify that
"install" command does not replace IPA CA but rather installs an
additional trusted CA.
https://fedorahosted.org/freeipa/ticket/6381
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Parameters test fails because of KeyError caused by improper manipulation with
kwargs in Param.__init__ method. During initialization, if kwargs['required']
or kwargs['multivalue'] is None, it is delete from dictionary and hence the
missing key. Small change of the condition prevents this from happening.
Partially fixes https://fedorahosted.org/freeipa/ticket/6292
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Add commentary to 'ca' plugin documentation to explain what happens
when a CA gets deleted - namely, that its signing cert gets revoked
and its private key deleted.
Also break the docstring up into smaller chunks to aid translation.
Fixes: https://fedorahosted.org/freeipa/ticket/6256
Reviewed-By: Martin Basti <mbasti@redhat.com>
Require Dogtag 10.3.5-6, which is the first release that implements
revocation of lightweight CA signing certificates upon deletion.
Part of: https://fedorahosted.org/freeipa/ticket/6256
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add a parser check to verify config file supplied to the ipa
command exists. Previously, invalid file paths would not results
in any error and would just silently proceed with default config.
https://fedorahosted.org/freeipa/ticket/6114
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Remove unnecessary check for absolute file paths for config file.
https://fedorahosted.org/freeipa/ticket/6114
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
In the future Custodia is going to make CSStore.span an abstract method.
Closes: https://fedorahosted.org/freeipa/ticket/6365
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
In at least one case, when an LDAP socket closes, a read event is fired
rather than an error event. Without this patch, ipa-otpd silently
ignores this event and enters a state where all bind auths fail.
To remedy this problem, we pass error events along the same path as read
events. Should the actual read fail, we exit.
https://bugzilla.redhat.com/show_bug.cgi?id=1377858https://fedorahosted.org/freeipa/ticket/6368
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
cainstance.__spawn_instance() exits in rather weird manner on
successful external CA install. This masks the weird implementation
from the user. :-&
https://fedorahosted.org/freeipa/ticket/6230
Reviewed-By: David Kupka <dkupka@redhat.com>
The patch implements several test cases testing the enforcement
of CA ACLs on certificate requests with subject alternative names.
https://fedorahosted.org/freeipa/ticket/6366
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This is to prevent situations when installer prints
CRITICAL Failed to load ....ldif
and continues just to crash later on because of non-existing LDAP container
or so on.
Reviewed-By: Martin Basti <mbasti@redhat.com>
The test would be failing because recent pretty-print changes
that caused the inner members of a dictionary to be printed
in a different order.
https://fedorahosted.org/freeipa/ticket/6373
Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
The code which handles configuration of mod_nss module must be more robust
when handling NSS nicknames generated from subject names containing quoted RDN
values.
https://fedorahosted.org/freeipa/ticket/5809
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Functions `escape_seq` and `unescape_seq` have a generic use-case so it makes
sense to move them from `kerberos` to ipautil module so that other modules can
reuse them more readily.
https://fedorahosted.org/freeipa/ticket/5809
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
By default, ipa-run-tests will now pretty-print structures
compared in the assert_deepequal function. This behaviour
can be turned off by the --no-pretty-print option.
https://fedorahosted.org/freeipa/ticket/6212
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
When user is logged in and opens details page of another user there should not
be visible button for adding new certificate and also the option in action menu
for deleting certificate should be grayed out.
This is achieved by adding custom field for certificates widget, which is able to
read ACLs from result of user-show and not from cert-find result.
https://fedorahosted.org/freeipa/ticket/6341
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Unused variables may:
* make code less readable
* create dead code
* potentialy hide issues/errors
Enabled check should prevent to leave unused variable in code
Check is locally disabled for modules that fix is not clear or easy or have too many occurences of
unused variables
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This commit removes or marks unused variables as "expected to be unused"
by using '_' prefix.
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This commit removes unused variables or rename variables as "expected to
be unused" by using "_" prefix.
This covers only cases where fix was easy or only one unused variable
was in a module
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Input data should be packaged into freeipa-test module to be able run
test from RPM (outoftree)
https://fedorahosted.org/freeipa/ticket/6333
Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
When the command ipa dnsforwardzone-add is invoked without
specifying the forwarder as an argument and the forward
policy is not set to none, prompt for DNS forwarder.
https://fedorahosted.org/freeipa/ticket/6169
Reviewed-By: Petr Spacek <pspacek@redhat.com>
`common.Continuous` class is a basis for uninstallers, which should execute
all the steps regardless of occuring errors. However, we would like the
installer to raise exceptions and return non-zero exit code during validation
phase when some preconditions are not met.
Add a separate exception handler which catches exceptions and logs them as
errors during execution phase only.
https://fedorahosted.org/freeipa/ticket/5725
Reviewed-By: Petr Spacek <pspacek@redhat.com>
