Commit Graph

15690 Commits

Author SHA1 Message Date
Florence Blanc-Renaud
e459e5b8bc ipatests: fix healthcheck test for --indent option
ipa-healthcheck --indent option expects an integer. The error
message changed with ipa-healthcheck 0.13.
Recent versions also check that the value is in the range 0-32.

The test must be compatible with old and new versions.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-10-04 09:17:52 -04:00
Florence Blanc-Renaud
f9075f9f77 ipatests: fix healthcheck test without DNS
ipa-healthcheck has added a new check for ipa-ca record
missing. The test needs to be adapted to handle the new check.

Fixes: https://pagure.io/freeipa/issue/9459

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-10-04 09:15:29 -04:00
Alexander Bokovoy
b22605ee54 Azure CI: increase memory for forced reenrollment test
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-10-04 08:37:28 -04:00
Alexander Bokovoy
48cfe6848c Increase memory usage for Azure CI upgrade test
The test often fails when running in parallel to other tests as very
little memory is left. 389-ds memory autotuning causes database backend
to refuse working in such cases. 389-ds team suggested more memory has
to be made available.

Increate RAM for this test to 2.5GB instead of 2.2GB.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-10-04 08:37:28 -04:00
Antonio Torres
fe223cde95
Update list of contributors
Signed-off-by: Antonio Torres <antorres@redhat.com>
2023-10-03 14:57:20 +02:00
Antonio Torres
843f4a7458
Update translations to FreeIPA master state
Signed-off-by: Antonio Torres <antorres@redhat.com>
2023-10-03 14:56:42 +02:00
Alexander Bokovoy
1a2cd7f408 Use datetime.timezone.utc instead of newer datetime.UTC alias
datetime.UTC alias was added in Python 3.11:
https://docs.python.org/3/library/datetime.html#datetime.UTC

datetime.timezone.utc was present since Python 3.2.

Since RHEL 9 is using Python 3.9, use more compatible variant.

Fixes: https://pagure.io/freeipa/issue/9454

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-09-29 15:06:33 -04:00
Christian Heimes
6aebfe74fb Add context manager to ipalib.API
`ipalib.API` instances like `ipalib.api` now provide a context manager
that connects and disconnects the API object. Users no longer have to
deal with different types of backends or finalize the API correctly.

```python
import ipalib

with ipalib.api as api:
    api.Commands.ping()
```

See: https://pagure.io/freeipa/issue/9443
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-09-29 12:57:06 +02:00
Florence Blanc-Renaud
8b70ee1ea8 Covscan issues: deadcode and Use after free
Covscan detected an unused value in ipa_kdb_principals.c
and a use-after-free in ipa-print-pac.c.

Fixes: https://pagure.io/freeipa/issue/9431

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-09-29 12:05:48 +02:00
Francisco Trivino
4af05dde48 Workshop: fix broken Sphinx cross-references.
Many of the workshop pages links are directing to URLs that end with
".rst" instead of ".html", as a result, these links are broken.

This commit introduces explicit targets and references to ensure that
the pages are correctly linked.

Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-09-26 11:30:33 +02:00
Mohammad Rizwan
496e3ace85 ipatests: restart ipa services after moving date
When system date is moved into future, it have unprecedented
behavior i.e CA becomes irresponsive or unexpected certificcate
state. Hence restart the ipa service after moving the date to
gracefully serve the request.

Fixes: https://pagure.io/freeipa/issue/9379

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-09-18 17:51:30 +02:00
Christian Heimes
7ddf7711f3 Use find_spec() in meta importer
The `find_module()` method of meta importers has been deprecated for a
long time. Python 3.12 no longer falls back to `find_module()`.

See: https://docs.python.org/3.12/whatsnew/3.12.html#removed
Related: https://pagure.io/freeipa/issue/9437
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2023-09-18 17:46:24 +02:00
Alexander Bokovoy
32721c4132 Allow ipa-otpd to access USB devices for passkeys
Main SELinux policy will allow transition of passkey_child (SSSD) to
ipa_otpd_t context to perform FIDO2 operations with USB devices.
This means ipa-otpd will need to be able to read data from sysfs and
connect to USB devices.

Add required permissions to IPA subpolicy as well. See rhbz#2238224 for
discussion.

Related: https://pagure.io/freeipa/issue/9434

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-09-18 17:36:40 +02:00
Rob Crittenden
f248b22ef4 Don't assume KRB5CCNAME is in the environment in replica install
The replica install was unilaterally removing KRB5CCNAME from
os.environ in some cases. Instead check first to see if it is
present and only remove in that case.

Fixes: https://pagure.io/freeipa/issue/9446

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-09-14 07:59:44 +02:00
Alexandra Nikandrova
dade02d5bb doc: typo in basic_usage.md
Reviewed-By: Antonio Torres <antorres@redhat.com>
2023-09-12 21:41:57 +02:00
Alexander Bokovoy
6aa3c3b628 Restore selinux states if they exist at uninstall time
Related: https://pagure.io/freeipa/issue/9434

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2023-09-12 14:32:00 -04:00
Alexander Bokovoy
f123b01d81 updates: add ACIs for RBCD self-management
Fixes: https://pagure.io/freeipa/issue/9354

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
2023-09-11 09:51:51 +02:00
Alexander Bokovoy
d355761f23 ipa-client-install: enable SELinux for SSSD
For passkeys (FIDO2) support, SSSD uses libfido2 library which needs
access to USB devices. Add SELinux booleans handling to ipa-client-install
so that correct SELinux booleans can be enabled and disabled during
install and uninstall. Ignore and record a warning when SELinux policy
does not support the boolean.

Fixes: https://pagure.io/freeipa/issue/9434

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-09-11 09:24:31 +02:00
Antonio Torres
2bc247d831 ipatests: rename 'ipatuura' directory to 'scim' in bridge tests
A recent commit [1] in ipa-tuura project renamed the 'ipatuura' django app
to 'scim'. Change it in IPA side as well to fix tests.

[1]: f12592cea4

Fixes: https://pagure.io/freeipa/issue/9447

Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2023-09-11 09:12:51 +02:00
Viktor Ashirov
953c7cc076 BDB tuning should be applied only when BDB backend is used
389DS supports BDB and LMDB backends. FreeIPA installation fails with
LMDB backend since it tries to apply tuning for BDB backend.

Instead, tuning for BDB should be applied only when 389DS uses BDB
backend.

Fixes: https://pagure.io/freeipa/issue/9435

Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-09-01 13:16:15 -04:00
Rob Crittenden
45fa43540f Configure affinity during server installation
Write a new krb5.conf in case any values changed finding the
right server to configure against (e.g. for CA, KRA) and
ensure the API connection is to the remote server that
will be installed against.

When finding a CA or KRA during initial replica installation
set the remote master as well. The order is:

 - existing server value in /etc/ipa/default.conf
 - the chosen CA host if the server doesn't provide one
 - the chosen KRA host if the server doesn't provide one

This is more or less heirarchical. If a server is provided
then that is considered first. If it provides all the
optional services needed (CA and/or KRA) then it will
be used. Otherwise it will fall back to a server that provides
all the required services.

In short, providing --server either at client install or
with ipa-replica-install is no guarantee that it will
define all topology. This may be unexpected behavior.

For the case of adding a CA or KRA things are effectively
unchanged. This type of install does not appear to be
impacted by affinity issues.

Fixes: https://pagure.io/freeipa/issue/9289

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-09-01 13:13:02 -04:00
Christian Heimes
8f25b2a74a Refactor CA file handling in replica installer
Clean up and remove obsolete code from ipa-replica-install. For several
versions replica installer first ensures that a host is an IPA client,
then promotes the client to a replica. The client installer code sets up
CA stores like IPA_CA_CRT already.

Related: https://pagure.io/freeipa/issue/9272
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2023-08-30 09:18:17 -04:00
Florence Blanc-Renaud
0654fb3737 idp: add the ipaidpuser objectclass when needed
The ipaidpuser objectclass is required for the attribute ipaidpsub.
When a user is created or modified with --idp-user-id, the operation
must ensure that the objectclass is added if missing.

Add a test for user creation and user modification with --idp-user-id.
Fixes: https://pagure.io/freeipa/issue/9433

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-08-30 09:13:23 -04:00
Rob Crittenden
317e7061d0 Adjust test to handle revocation reason REMOVE_FROM_CRL
The dogtag REST API has a change of behavior regarding
revocation reason 8, REMOVE_FROM_CRL. The XML interface
accepts it blindly and marks the certifiate as revoked.

This is complicated within RFC 5280 but the jist is that
it only affects a certificate on hold and only for delta
CRLs.

So this modifies the behavior of revocation 8 so that
the certificate is put on hold (6) first.

Fixes: https://pagure.io/freeipa/issue/9345

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2023-08-28 10:21:48 -04:00
Rob Crittenden
ed52142c40 Use the PKI REST API wherever possible instead of XML
The XML API is already deprecated and will be removed in some
future release.

All but the updateCRL API has an equivalent in REST. The upstream
dogtag project documents most of the API at
https://github.com/dogtagpki/pki/wiki/REST-API . I say most
because not every API includes sample input/output. The
pki ca-cert command is a good substitute for seeing how the API
is used by their own tooling.

This changes no pre-existing conventions. All serial numbers are
converted to decimal prior to transmission and are treated as
strings to avoid previous limitations with sizing (which would
have been exacerbated by random serial numbers).

Fixes: https://pagure.io/freeipa/issue/9345

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2023-08-28 10:21:48 -04:00
Mohammad Rizwan
8d081ce894 ipatests: accommodate DST in ACME cert expiry
There is one hour time difference between expiry of ACME cert if
the certificate is issued while daylight saving is start and
expires after DST ends. For 2023 daylight saving time start at
Sunday 12 March and ends at Sunday 5 November. Every certificate
which is expiring after November 5th will have 1 hour difference in
expiry.

Fix is to use 90days+2hours to expire the cert.

Fixes: https://pagure.io/freeipa/issue/9428

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-08-23 13:10:02 -04:00
Antonio Torres
1251c15fae
Bump to IPA 4.12
Signed-off-by: Antonio Torres <antorres@redhat.com>
2023-08-21 16:39:16 +02:00
Alexander Bokovoy
ef955c9015
support more DateTime attributes in LDAP searches in IPA API
LDAPSearch class constructs a filter from a set of attributes and their
values passed in by the command. During this construction process a
limited set of attributes gets converted to a special form, the rest is
simply taken as a string and escaped according to LDAP rules.

This means DateTime class would simply be converted to string using
str(DateTime) and that uses default formatting method. For LDAP we need
to apply a specific formatting method instead.

Following LDAP attributes now handled as datetime.datetime:

 ( 1.3.6.1.4.1.5322.21.2.5 NAME 'krbLastAdminUnlock' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
 ( 2.16.840.1.113719.1.301.4.6.1 NAME 'krbPrincipalExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
 ( 2.16.840.1.113719.1.301.4.37.1 NAME 'krbPasswordExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
 ( 2.16.840.1.113719.1.301.4.45.1 NAME 'krbLastPwdChange' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
 ( 2.16.840.1.113719.1.301.4.48.1 NAME 'krbLastSuccessfulAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
 ( 2.16.840.1.113719.1.301.4.49.1 NAME 'krbLastFailedAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
 ( 2.16.840.1.113730.3.8.16.1.3  NAME 'ipatokenNotBefore' DESC 'Token validity date' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA OTP')
 ( 2.16.840.1.113730.3.8.16.1.4  NAME 'ipatokenNotAfter' DESC 'Token expiration date' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA OTP')

Fixes: https://pagure.io/freeipa/issue/9395

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
2023-08-21 16:28:04 +02:00
Antonio Torres
d5ae5e1884
Update list of contributors
Signed-off-by: Antonio Torres <antorres@redhat.com>
2023-08-21 14:57:34 +02:00
Antonio Torres
73c8aa4dc4
Update translations to FreeIPA master state
Signed-off-by: Antonio Torres <antorres@redhat.com>
2023-08-21 14:55:59 +02:00
Rob Crittenden
d98d5e4751 Remove all references to deleted indirect map from parent map
An attempt to do this was already coded but the wrong
argument was used. It was passing in the location name and
not the map name so the map wouldn't be completely removed.

Include a test to verify that the map is gone after removing
it by calling automountlocation-tofiles which will fail if the
map wasn't properly removed.

Fixes: https://pagure.io/freeipa/issue/9397

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-08-21 10:49:06 +02:00
Rafael Guterres Jeffman
82b129fe76 Fix typo in "Subordinate ID Selfservice User" role
The description of "Subordinate ID Selfservice User" role had
'subordiante' instead of 'subordinate'.

This patch corrects the default value and adds a replace to fix
existing deployments.

Related: https://pagure.io/freeipa/issue/9418

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-08-21 10:41:57 +02:00
Florence Blanc-Renaud
33549183ef ipa-server-guard: make the lock timezone aware
ipa-server-guard reads a lock file in order to
check if the lock is still taken by comparing
the stored value, for instance:
expire = 20230810155452589311
with the current datetime.

The expire value needs to be timezone-aware in
order to be compared with "now" which is also tz aware.

Related: https://pagure.io/freeipa/issue/9425

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-08-17 14:28:26 +02:00
Florence Blanc-Renaud
0f16b72bcb ipa-cert-fix: use timezone-aware datetime
ipa-cert-fix compares the current datetime with the
value obtained from a cert.not_valid_after.
With the fix for #9425, not_valid_after is timezone
aware and cannot be compared to a naive datetime.

Make the datetime "now" timezone aware.
Related: https://pagure.io/freeipa/issue/9425

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-08-17 14:28:26 +02:00
Florence Blanc-Renaud
59e68f79e4 ipa-epn: include timezone info
ipa-epn is using timezone-aware timestamps for "now"
but converts krbpasswordexpiration attribute into
a naive datetime object that is missing the tzinfo.

It is not possible to substract timezone aware and
naive values. Convert krbpasswordexpiration attribute
into an UTC value before doing the substration.

Related: https://pagure.io/freeipa/issue/9425

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-08-17 14:28:26 +02:00
Florence Blanc-Renaud
7796b7b958 Installer: activate nss and pam services in sssd.conf
If there is already a sssd.conf file before the installer is
executed, the nss and pam services may not be enabled by the
installer. This happens for instance if the machine is hardened
for STIG and sssd.conf does not define services=... in the
[sssd] section.

The consequence is that trust cannot be established with an AD
domain.

The installer must enable nss and pam services even if there is
a pre-existing sssd.conf file.

Fixes: https://pagure.io/freeipa/issue/9427

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-08-16 14:43:55 +02:00
Florence Blanc-Renaud
a6f01115cf ipatests: fixture can produce IndexError
The fixture issue_and_expire_acme_cert returns a function
that fills the hosts array. If the function is not called in
the test (for instance because a test is skipped, as in
TestACMEPrune::test_prune_cert_search_size_limit), hosts = []
and hosts[0] raises an IndexError.

Fix the fixture to check first that hosts is not empty.

Related: https://pagure.io/freeipa/issue/9348

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2023-08-16 11:33:32 +02:00
Endi S. Dewata
33c2740d82 Remove default values for pki_ca_signing_*_path
In the future pkispawn will validate all path params so the
default values for pki_ca_signing_csr_path and
pki_ca_signing_cert_path need to be removed since they point
to non-existent files. When the params are actually used for
installing an external CA, CAInstance.__spawn_instance()
will initialize them with the correct paths.

Signed-off-by: Endi Sukma Dewata <edewata@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-08-15 12:00:09 -04:00
Florence Blanc-Renaud
6f5fe80de0 ipatests: fix test_topology
The test TestTopologyOptions::test_add_remove_segment is
randomly failing downstream. Test scenario:
- create a line topology master <-> repl1 <-> repl2
- create user on master
- wait for repl success on master
- check that the user is seen on repl2

The test waits for replication to complete on the master but
it should also wait for the replication to complete on repl1
before checking the user presence on repl2.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
2023-08-14 09:58:05 +02:00
Sudhir Menon
8e142bc1d4 ipatests: idm api related tests.
IDM API related tests are automated in the
above PR
Ref: https://freeipa.readthedocs.io/en/latest/api/basic_usage.html

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-08-14 09:55:42 +02:00
Endi S. Dewata
a9ee2adec3 Remove non-existent default pki_cert_chain_path
In the future pkispawn will validate all path params so the
default value for pki_cert_chain_path needs to be removed
since it points to a non-existent file. When the param is
actually used (e.g. for installing with an external CA)
CAInstance.__spawn_instance() will configure the param to
point to the actual cert chain.

Signed-off-by: Endi Sukma Dewata <edewata@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-08-11 09:58:17 +02:00
Endi S. Dewata
7233944e74 Add pki_share_dbuser_dn for CA
In the future the default value for pki_share_dbuser_dn might
change. To ensure that CA and KRA in IPA will use the same
database user, the pki_share_dbuser_dn needs to be defined
for CA to match the same param for KRA.

Signed-off-by: Endi Sukma Dewata <edewata@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-08-11 09:57:31 +02:00
Endi S. Dewata
cfc4f47a10 Remove unused subsystem.count
The subsystem.count param has actually been removed since
PKI 10.10 so it doesn't need to be set in renew_ca_cert.in.

Signed-off-by: Endi Sukma Dewata <edewata@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-08-11 09:56:33 +02:00
Alexander Bokovoy
8173e5df2d ipa-epn: don't use too general exception
When modifying ipa-epn code, a warning was issued:

--------------
Python 3.11.4 (main, Jun  7 2023, 00:00:00) [GCC 13.1.1 20230511 (Red Hat 13.1.1-2)]
************* Module ipaclient.install.ipa_epn
ipaclient/install/ipa_epn.py:89: [W0719(broad-exception-raised), drop_privileges] Raising too general exception: Exception)
--------------

Use 'RequiresRoot' exception class and clarify the message:
    ipalib.errors.RequiresRoot: Cannot drop privileges!

Related: https://pagure.io/freeipa/issue/9425

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-08-09 18:31:03 +02:00
Alexander Bokovoy
09497d2df0 python 3.12: utcnow function is deprecated
The following warning is displayed on a system running with Python 3.12:
-------------------
/usr/lib/python3.12/site-packages/ipalib/rpc.py:925: DeprecationWarning:
datetime.utcnow() is deprecated and scheduled for removal in a future
version. Use timezone-aware objects to represent datetimes in UTC:
datetime.now(datetime.UTC).

  timestamp=datetime.datetime.utcnow())
-------------------

Fixes: https://pagure.io/freeipa/issue/9425
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-08-09 18:31:03 +02:00
Mohammad Rizwan
bbb53a1271 ipatests: remove fixture call and wait to get things settle
system date moved in order to expire the certs. Sometime it
is observed that subsequent operation fails with 500 error for CA,
hence restart the services after moving date and wait for sometime
to get things settle.

Also the tests was calling fixture which is not required for it, hence
removed it as well.

Fixes: https://pagure.io/freeipa/issue/9348

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-08-09 18:28:52 +02:00
Florence Blanc-Renaud
e49ec1048d ipatests: update expected webui msg for admin deletion
The deletion of the admin is now forbidden (even if it is
not the last member of the admins group) and the error
message has changed from "admin cannot be deleted or
disabled because it is the last member of group admins"
to " user admin cannot be deleted/modified: privileged user".

Update the expected message in the webui test.

Related: https://pagure.io/freeipa/issue/8878

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-08-08 12:53:09 +02:00
Rob Crittenden
dea35922cd Prevent the admin user from being deleted
admin is required for trust operations

Note that testing for removing the last member is now
irrelevant because admin must always exist so the test
for it was removed, but the code check remains. It is done
after the protected member check.

Fixes: https://pagure.io/freeipa/issue/8878

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-08-01 13:47:56 +02:00
Alexander Bokovoy
69e4397421 idp: when adding an IdP allow to override IdP options
Use of 'ipa idp-add --provider' was supposed to allow override scope and
other IdP options. The defaults are provided by the IdP template and
were actually not overridden. Fix this.

Fixes: https://pagure.io/freeipa/issue/9421
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-08-01 13:41:59 +02:00
Julien Rische
c84c59c66f ipa-kdb: fix error handling of is_master_host()
Adding proper error handling to the is_master_host() function to allow
it to make the difference between the absence of a master host object
and a connection failure. This will keep the krb5kdc daemon from
continuing to run with a NULL LDAP context.

Fixes: https://pagure.io/freeipa/issue/9422

Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-08-01 13:31:09 +02:00