Commit Graph

411 Commits

Author SHA1 Message Date
Christian Heimes
c09927d16a Handle service_del with bad service name
The command 'ipa service-del badservice' used to fail with an internal
server error, because check_required_principal() could not handle a
principal that is not a service principal. All del commands have less
strict error checking of primary keys so they can reference any stored
key, even illegal ones.

check_required_principal() skips required principal check if the
principal is not a service principal. A non-service principal can never
be a required principal.

Fixes: https://pagure.io/freeipa/issue/7793
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-11 12:14:32 +01:00
Florence Blanc-Renaud
d2fa2ecb4b ipatests: add xmlrpc test for user|host-find --certificate
There were no xmlrpc tests for ipa user-find --certificate
or ipa host-find --certificate.
The commit adds tests for these commands.

Related to https://pagure.io/freeipa/issue/7770

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-27 17:20:35 -05:00
Christian Heimes
533a5b2633 pylint 2.2: Fix unnecessary pass statement
pylint 2.2.0 has a new checker for unnecessary pass statements. There is
no need to have a pass statement in functions or classes with a doc
string.

Fixes: https://pagure.io/freeipa/issue/7772
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2018-11-26 16:54:43 +01:00
Christian Heimes
c00dd21106 Fix various dict related pylint warnings
* dict-keys-not-iterating
* dict-values-not-iterating
* dict-items-not-iterating
* dict-iter-method

See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 13:37:58 +01:00
Christian Heimes
496d1756c9 Address consider-using-in
Replace multiple comparisons with 'in' operation.

See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 13:37:58 +01:00
Christian Heimes
85286beb5b Address inconsistent-return-statements
Pylint warns about inconsistent return statements when some paths of a
function return None implicitly. Make all implicit returns either
explicit or raise a proper exception.

See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 13:37:58 +01:00
Florence Blanc-Renaud
1c2c2ee6f8 tests: add xmlrpc test for ipa user-add --radius-username
Add a xmlrpc test for ipa user-add/user-mod --radius-username
The command were previously failing because the objectclass
ipatokenradiusproxyuser was not automatically added when the
attribute ipatokenRadiusUserName was added to the entry.

The test ensures that the command is now succeeding.

Related to https://pagure.io/freeipa/issue/7569

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-13 12:40:44 +01:00
François Cami
044ffe0dd0 Add sysadm_r to default SELinux user map order
It is a standard SELinux user role included in RHEL (like
user_r, staff_r, guest_r) and used quite often.

Fixes: https://pagure.io/freeipa/issue/7658
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-11-09 17:16:19 -05:00
Christian Heimes
816783a1b9 Copy-paste error in permssions plugin, CID 323649
Address a bug in the code block for attributeLevelRights for old clients.
The backward compatibility code for deprecated options was not triggered,
because the new name was checked against wrong dict.

Coverity Scan issue 323649, Copy-paste error

   The copied code will not have its intended effect.
   In postprocess_result: A copied piece of code is inconsistent with the
   original (CWE-398)

See: Fixes: https://pagure.io/freeipa/issue/7753
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-08 13:16:26 +01:00
Thomas Woerner
7f507519d4 Find orphan automember rules
If groups or hostgroups have been removed after automember rules have been
created using them, then automember-rebuild, automember-add, host-add and
more commands could fail.

A new command has been added to the ipa tool:

  ipa automember-find-orphans --type={hostgroup,group} [--remove]

This command retuns the list of orphan automember rules in the same way as
automember-find. With the --remove option the orphan rules are also removed.

The IPA API version has been increased and a test case has been added.

Using ideas from a patch by: Rob Crittenden <rcritten@redhat.com>

See: https://pagure.io/freeipa/issue/6476
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2018-10-10 09:56:40 +02:00
Christian Heimes
964a9bdcec Py3: Replace six.string_types with str
In Python 3, six.string_types is just an alias for str.

See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-09-27 16:11:18 +02:00
Christian Heimes
b431e9b684 Py3: Remove subclassing from object
Python 2 had old style and new style classes. Python 3 has only new
style classes. There is no point to subclass from object any more.

See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-09-27 11:49:04 +02:00
Christian Heimes
4a58adf79e Sprinkle raw strings across the code base
tox / pytest is complaining about lots and lots of invalid escape
sequences in our code base. Sprinkle raw strings or backslash escapes
across the code base to fix most occurences of:

  DeprecationWarning: invalid escape sequence

There is still one warning that keeps repeating, though:

  source:264: DeprecationWarning: invalid escape sequence \d

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-09-27 10:23:03 +02:00
Armando Neto
c7064494e5 Fix certificate type error when exporting to file
Commands `ipa ca-show` and `ipa cert-show` share the same code,
this commit updates the former, closing the gap between them.

Reflecting the changes done in 5a44ca6383.

https://pagure.io/freeipa/issue/7628

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-09-06 14:36:15 +02:00
Rob Crittenden
f68dca24be Convert members into types in sudorule-*-option
The indirect members need to be calculated and the member
attributes converted. This is normally done in
baseldap::LDAPRetrieve but these methods provide their
own execute() in order to handle the option values.

Update sudorule_add|remove_option tests to include check
that converted user/group exists in the proper format.

https://pagure.io/freeipa/issue/7649

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-08-15 12:52:52 +02:00
Thomas Woerner
94159bbe13 ipatests/test_xmlrpc/tracker/server_plugin.py: Increase hard coded mindomainlevel
The hard coded mindomainlevel needs to be increased to 1.

See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-08-13 12:35:06 +02:00
Christian Heimes
198a2c6112 Import ABCs from collections.abc
Python 3 has moved all collection abstract base classes to
collections.abc. Python 3.7 started to deprecate the old aliases.

The whole import block needs to be protected with import-error and
no-name-in-module, because Python 2 doesn't have collections.abc module and
collections.abc.Mapping, while Python 3 doesn't have collections.Mapping.

Fixes: https://pagure.io/freeipa/issue/7609
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-07-05 19:45:10 +02:00
Armando Neto
d622be295a Prevent the creation on users and groups with numeric characters only
Update regular expression validator to prevent user and group creation.

Fixes: https://pagure.io/freeipa/issue/7572

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-27 15:25:39 -03:00
Armando Neto
de8d308196 ipaserver config plugin: Increase search records minimum limit
Check if the given search records value is greater than an arbitrary number that is not so close to zero.

https://pagure.io/freeipa/issue/6617

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-21 14:42:15 -04:00
Kaleemullah Siddiqui
114e46b7c9 Test coverage for multiservers for radius proxy
Test checks that no multiservers can be added for
radius proxy

Pagure: https://pagure.io/freeipa/issue/7542
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-13 16:23:18 -04:00
Christian Heimes
9b8bb85eca Add test case for allow-create-keytab
A ref counting bug in python-ldap caused create and retrieve keytab
feature to fail. Additional tests verify, that
ipaallowedtoperform;write_keys attribute is handled correctly.

See: https://pagure.io/freeipa/issue/7324
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-05-29 08:51:10 +02:00
Alexander Bokovoy
e642865717 group: allow services as members of groups
Allow services to be members of the groups, like users and other groups
can already be.

This is required for use cases where such services aren't associated
with a particular host (and thus, the host object cannot be used to
retrieve the keytabs) but represent purely client Kerberos principals to
use in a dynamically generated environment such as Kubernetes.

Fixes: https://pagure.io/freeipa/issue/7513
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-08 16:39:22 -04:00
Alexander Bokovoy
9e8fb94e87 service: allow creating services without a host to manage them
Add --skip-host-check option to ipa service-add command to allow
creating services without corresponding host object. This is needed to
cover use cases where Kerberos services created to handle client
authentication in a dynamically generated environment like Kubernetes.

Fixes: https://pagure.io/freeipa/issue/7514
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-08 16:39:22 -04:00
Rob Crittenden
9d73e4a0f1 Allow dot as a valid character in an selinux identity name
Both of these are legal: unconfined_u and unconfined.u

https://pagure.io/freeipa/issue/7510

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-04-25 08:23:47 +02:00
Stanislav Laznicka
b5bdd07bc5
Add absolute_import future imports
Add absolute_import from __future__ so that pylint
does not fail and to achieve python3 behavior in
python2.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-04-20 09:43:37 +02:00
Alexander Bokovoy
2de1aa27f9 ACL: Allow hosts to remove services they manage
Allow hosts to delete services they own. This is an ACL that complements
existing one that allows to create services on the same host.

Add a test that creates a host and then attempts to create and delete a
service using its own host keytab.

Fixes: https://pagure.io/freeipa/issue/7486
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-19 08:59:45 -04:00
Fraser Tweedale
0f8593354d certprofile: add tests for config profileId scenarios
Update the certprofile tests to cover the various scenarios
concerning the profileId property in the profile configuration.
The scenarios now explicitly tested are:

- profileId not specified (should succeed)
- mismatched profileId property (should fail)
- multiple profileId properties (should fail)
- one profileId property, matching given ID (should succeed)

https://pagure.io/freeipa/issue/7503

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-19 08:57:53 -04:00
Christian Heimes
69599560c1 Relax message check in test_create_host_with_ip
On Travis CI, the DNS update in test case test_create_host_with_ip may fail
with different error messages. Relax the error message check and just
check that the test case is hitting a DNS update failure.

This fixes a flaky test case on CI.

Closes: https://pagure.io/freeipa/issue/7447
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-03-16 14:25:37 +01:00
Florence Blanc-Renaud
4295df17a4 ipa host-add: do not raise exception when reverse record not added
When ipa host-add --random is unable to add a reverse record (for instance
because the server does not manage any reverse zone), the command
adds the host but exits (return code=1) with an error without actually
outputing the random password generated.
With this fix, the behavior is modified. The commands succeeds (return code=0)
but prints a warning.

This commit also adds a unit test.

https://pagure.io/freeipa/issue/7374

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-02-23 14:39:34 +01:00
Christian Heimes
1b0c55a3b3 Unified ldap_initialize() function
Replace all ldap.initialize() calls with a helper function
ldap_initialize(). It handles cacert and cert validation correctly. It
also provides a unique place to handle python-ldap 3.0 bytes warnings in
the future.

Fixes: https://pagure.io/freeipa/issue/7411
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-02-15 18:32:17 +01:00
Florence Blanc-Renaud
c701cd21d3 389-ds OTP lasttoken plugin: Add unit test
Add a xmlrpc test checking that a user cannot delete his last
OTP token.

Related to
https://pagure.io/freeipa/issue/7012

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
2018-02-15 14:10:48 +01:00
Florence Blanc-Renaud
7364c268eb ipa host-add --ip-address: properly handle NoNameservers
When ipa host-add --ip-address is called but no DNS server is able to answer
for the reverse zone, get_reverse_zone raises a NoNameservers exception.
The exception is not managed by add_records_for_host_validation, and this
leads to the command exiting on failure with an InternalError:
    $ ipa host-add testhost.ipadomain.com --ip-address 172.16.30.22
    ipa: ERROR: an internal error has occurred
A traceback is also logged in httpd error_log.

This commit properly handles the exception, and adds a test.

https://pagure.io/freeipa/issue/7397

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-02-12 17:30:52 +01:00
Christian Heimes
2391c75e3d Replace hard-coded paths with path constants
Several run() calls used hard-coded paths rather than pre-defined paths
from ipaplatform.paths. The patch fixes all places that I was able to
find with a simple search.

The fix simplifies Darix's port of freeIPA on openSuSE.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-08 09:32:12 +01:00
Florence Blanc-Renaud
830866d68a Idviews: fix objectclass violation on idview-add
When the option --domain-resolution-order is used with the command
ipa idview-add, the resulting LDAP object stores the value in
ipadomainresolutionorder attribute.
The issue is that the add command does not add the needed object
class (ipaNameResolutionData) because it is part of
possible_objectclasses but not of object_class.

The fix makes sure to add the objectclass when the option
--domain-resolution-order is used, and adds a non-regression test.

Note that idview-mod does not have any issue as it correctly handles
the addition of missing possible objectclasses.

Fixes:
https://pagure.io/freeipa/issue/7350

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-01-09 07:58:52 +01:00
Michal Reznik
65c592334a test_cert_plugin: check if SAN is added with default profile
https://pagure.io/freeipa/issue/7334

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-01-04 16:28:14 +01:00
Christian Heimes
d7426ccbe7 Replace nose with unittest and pytest
* Replace raise nose.SkipTest with raise unittest.SkipTest
* Replace nose.tools.assert_equal(a, b) with assert a == b
* Replace nose.tools.raises with pytest.raises
* Convert @raises decorator to pytest.raises() but just for relevant
  lines.
* Remove nose dependency

I left the nose_compat pytest plugin in place. It can be removed in
another request in case it is no longer used.

https://pagure.io/freeipa/issue/7301

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-12-12 16:16:58 +01:00
Christian Heimes
b98f9b46de Add marker needs_ipaapi and option to skip tests
The new marker needs_ipaapi is used to mark tests that needs an
initialized API (ipalib.api) or some sort of other API services (running
LDAP server) to work. Some packages use api.Command or api.Backend on
module level. They are not marked but rather skipped entirely.

A new option ``skip-ipaapi`` is added to skip all API based tests. With
the option, only simple unit tests are executed. As of now, freeIPA
contains more than 500 unit tests that can be executed in about 5
seconds.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-12-11 20:40:06 +01:00
Michal Reznik
1ec3d54d55 test_batch_plugin: fix py2/3 failing assertion
When running "test_batch_plugin" with Py2 against Py3 server we
got assertion error due to a command trying to run as bytes.

E.g.: unknown command 'b'ping''

https://pagure.io/freeipa/issue/7131

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-11-30 15:51:24 +01:00
Alexander Bokovoy
64f4c71dd6 test_dns_plugin: cope with missing IPv6 in Travis
If IPv6 is not enabled, cope with the possibility to get incomplete
output back from the IPA CLI.

To do so, use lambda to analyze the result rather than explicit
comparison with the expected output.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-11-29 15:55:00 +02:00
Christian Heimes
191605efd6 Reproducer for bug in structured dnsrecord_show
"RuntimeError: dictionary changed size during iteration" in
ipaserver/plugins/dns.py", line 3209, in postprocess_record

https://pagure.io/freeipa/issue/7275

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-11-27 11:46:54 +01:00
Christian Heimes
0071744929 Support sqlite NSSDB
Prepare CertDB and NSSDatabase to support sqlite DB format. NSSDatabase
will automatically detect and use either old DBM or new SQL format. Old
databases are not migrated yet.

https://pagure.io/freeipa/issue/7049

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-16 12:17:01 +01:00
Christian Heimes
64a88d597c Py3: Fix vault tests
* Bump PKI to 10.5.1-2, which fixes an issue with KRA under Python 3
* Correct encoding of secret

https://pagure.io/freeipa/issue/7033

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-16 08:50:58 +01:00
Aleksei Slaikovskii
905ab93c95 Prevent installation with single label domains
Adds validation to prevent user to install ipa with single label
domain.

https://pagure.io/freeipa/issue/7207

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-11-09 11:32:31 +01:00
Stanislav Laznicka
4cc9451271 x509: remove subject_base() function
The x509.subject_base() function is only used in tests. During
the recent certificate refactoring, we had to get rid of the
ipalib.x509 import from the module scope so that there were no
circular dependecies and add it exactly to this funcion which
is not used in the production code.

Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-01 07:55:04 +01:00
Stanislav Laznicka
c9265a7b05 x509: remove the strip_header() function
We don't need the strip_header() function, to load an unknown
x509 certificate, load_unknown_x509_certificate() should be used.

Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-01 07:55:04 +01:00
Christian Heimes
b29db07c3b Use os.path.isfile() and isdir()
Replace custom file_exists() and dir_exists() functions with proper
functions from Python's stdlib.

The change also gets rid of pylint's invalid bad-python3-import error,
https://github.com/PyCQA/pylint/issues/1565

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-10-20 12:27:19 +02:00
Felipe Barreto
3822120077 Fixing param-{find,show} and output-{find,show} commands
Now, the criteria option is working for both commands
and the commands are able to handle with wrong input values.

https://pagure.io/freeipa/issue/7134

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-10-17 13:42:11 +02:00
Stanislav Laznicka
af1b8513ab Remove the message attribute from exceptions
This is causing python2 tests print ugly warnings about the
deprecation of the `message` attribute in python2.6.

https://pagure.io/freeipa/issue/7131

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-06 09:19:46 +02:00
Stanislav Laznicka
c8161fc40c certmap testing: fix wrong cert construction
`bytes` instances have no `.format()`, we can simply base64 decode
the certificate and load it as DER instead.

https://pagure.io/freeipa/issue/7131

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-09-14 14:06:09 +02:00
David Kupka
bda3dd722b
tests: certmap: Add test for user-{add,remove}-certmap
https://pagure.io/freeipa/issue/7105

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-18 11:40:21 +02:00