Commit Graph

9918 Commits

Author SHA1 Message Date
David Kupka
e45e29f337 Access data for help separately
To avoid the need to read all data for a plugin from cache and actualy
use the separately stored help data it must be requested and returned
separately.

https://fedorahosted.org/freeipa/ticket/6048

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-17 14:16:04 +02:00
David Kupka
134fd235a2 schema cache: Do not read fingerprint and format from cache
Fingerprint can be obtained from schema filename of from ServerInfo
instance. Use FORMAT in path to avoid openening schema just to read its
format.

https://fedorahosted.org/freeipa/ticket/6048

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-17 14:16:04 +02:00
David Kupka
ba16d99f37 schema cache: Do not reset ServerInfo dirty flag
Once dirty flag is set to True it must not be set back to False.
Otherwise changes are not written back to file.

https://fedorahosted.org/freeipa/ticket/6048

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-17 14:16:04 +02:00
Pavel Vomacka
ff51e43a3e Set servers list as default facet in topology facet group
Since there is a new warning about only one CA server, the default facet
of topology facet group is set to servers list where the warning is.
So the warning will be shown right after clicking on Topology section.

Part of: https://fedorahosted.org/freeipa/ticket/5828

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-08-17 13:54:57 +02:00
Pavel Vomacka
d45b0efe5d Add warning about only one existing CA server
It is not safe to have only one CA server in topology. Therefore there is a check
and in case that there is only one CA server a warning is shown. The warning is
shown after each refreshing of servers facet.

https://fedorahosted.org/freeipa/ticket/5828

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-08-17 13:54:57 +02:00
Jan Cholasta
8ad03259fe cert: do not crash on invalid data in cert-find
https://fedorahosted.org/freeipa/ticket/6150

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-08-17 13:45:50 +02:00
Jan Cholasta
c718ef0588 cert: speed up cert-find
Use issuer+serial rather than raw DER blob to identify certificates in
cert-find's intermediate result.

Restructure the code to make it (hopefully) easier to follow.

https://fedorahosted.org/freeipa/ticket/6098

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-08-17 13:45:50 +02:00
Petr Spacek
b73ef3d7f9 DNS: allow to add forward zone to already broken sub-domain
Errors during DNS resolution might indicate that forwarder is the
necessary configuration which is missing. Now we disallow adding a
forwarder only if the zone is normally resolvable without the forwarder.

https://fedorahosted.org/freeipa/ticket/6062

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-17 12:28:56 +02:00
Stanislav Laznicka
5776f1e900 Remove sys.exit from install modules and scripts
sys.exit() calls sometimes make it hard to find bugs and mask code that
does not always work properly.

https://fedorahosted.org/freeipa/ticket/5750

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-16 18:22:44 +02:00
Petr Spacek
d461f42f95 server upgrade: do not start BIND if it was not running before the upgrade
https://fedorahosted.org/freeipa/ticket/6206

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-16 14:33:17 +02:00
Petr Spacek
f2fe357219 DNS server upgrade: do not fail when DNS server did not respond
Previously, update_dnsforward_emptyzones failed with an exeception if
DNS query failed for some reason. Now the error is logged and upgrade
continues.

I assume that this is okay because the DNS query is used as heuristics
of last resort in the upgrade logic and failure to do so should not have
catastrophics consequences: In the worst case, the admin needs to
manually change forwarding policy from 'first' to 'only'.

In the end I have decided not to auto-start BIND because BIND depends on
GSSAPI for authentication, which in turn depends on KDC ... Alternative
like reconfiguring BIND to use LDAPI+EXTERNAL and reconfiguring DS to
accept LDAP external bind from named user are too complicated.

https://fedorahosted.org/freeipa/ticket/6205

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-16 14:23:30 +02:00
Ganna Kaihorodova
64c5340329 Fix for integration tests replication layouts
Domain level 0 doesn't allow to create replica file on CA-less master, testcases were skipped with Domain level 0

[https://fedorahosted.org/freeipa/ticket/6134]

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-08-16 12:55:40 +02:00
Simo Sorce
cf0816f415 Additional coverity fixes.
This are manual fixes for patches submitted upstream, and should be
picked up once a new asn1c is available.
They will be overridden if the code is regenerated before then.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-16 12:33:27 +02:00
Simo Sorce
512aa90bec Regenerate asn1 code
Regenerate the code with asn1c 0.9.27, this allows us to pick up a few
fixes for problems identified by coverity as well as other general bugfixes.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-16 12:33:27 +02:00
Ben Lipton
58d28b7410 Silence sshd messages during install
Fix for accidentally pushed commit c15ba1f9e8

During install we call sshd with no config file, sometimes leading to it
complaining about missing files or bad config options. Since we're just
looking for the return code to see if the options are correct, we can
discard these error messages.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-16 12:17:05 +02:00
Milan Kubík
b92b1d7d7f ipatests: Fix wrong fixture in kerberos principal alias test
https://fedorahosted.org/freeipa/ticket/6197

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-16 12:13:30 +02:00
Lenka Doudova
425291dc19 Fix malformed or missing docstrings in ipalib/messages
Some of the docstrings in ipalib/messages.py are malformed or missing
entirely. This causes test_ipalib/test_messages to fail due to non-matching
regex.

https://fedorahosted.org/freeipa/ticket/6215

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-16 11:59:35 +02:00
Lenka Doudova
f75735b16a Tests: test_ipalib/test_output fails due to change of Output behaviour
https://fedorahosted.org/freeipa/ticket/6189

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-16 11:56:49 +02:00
Lenka Doudova
71d0bc7c10 Tests: Add data attribute to messages
Tests test_ipalib/test_messages.py are failing because messages now contain
also 'data' attribute, which is not yet reflected in tests.

https://fedorahosted.org/freeipa/ticket/6185

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-16 11:56:49 +02:00
Stanislav Laznicka
0745c5d0f9 Don't show --force-ntpd option in replica install
Always run the client installation script with --no-ntp
option so that it does not show the message about --force-ntpd
option that does not exist in ipa-replica-install. The time
synchronization is done elsewhere anyway.

https://fedorahosted.org/freeipa/ticket/6046

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-11 15:33:35 +02:00
Peter Lacko
019f3611c2 Test URIs in certificate.
Test that CRL URI and OCSP URI are present and correct in generated certificate.

https://fedorahosted.org/freeipa/ticket/5881

Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-11 15:07:46 +02:00
Petr Vobornik
6217d680da ca-less tests: fix getting cert in pem format from nssdb
usage of ipautil.run in  get_pem methond of ca-less tests was not
refactored when the ipautil.run was refactored in
099cf98307

This results in failure of all CA-less test.

https://fedorahosted.org/freeipa/ticket/6177

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-10 16:53:33 +02:00
Stanislav Laznicka
9f26e395e5 Removed objectclass from LDAP*ReverseMember based tests
Some tests were broken because of the recent changes in baseldap (#5892)
as they were wrongly expecting an objectclass attribute.

https://fedorahosted.org/freeipa/ticket/6198

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-10 13:53:55 +02:00
Petr Spacek
80e544e7a9 install: Call hostnamectl set-hostname only if --hostname option is used
This commit also splits hostname backup and configuration into two separate
functions. This allows us to backup hostname without setting it at the
same time.

https://fedorahosted.org/freeipa/ticket/6071

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-10 10:48:05 +02:00
Petr Spacek
a83523e37e server-install: Fix --hostname option to always override api.env values
Attempts to compare local hostname with user-provided values are error
prone as we found out in #5794. This patch removes comparison and makes
the env values deterministic.

https://fedorahosted.org/freeipa/ticket/6071

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-10 10:48:05 +02:00
Jan Cholasta
20ee4a73e7 client: add missing output params to client-side commands
Add output params for the otptoken-add-yubikey, vault-add, vault-mod,
vault-archive and vault-retrieve commands.

This fixes the commands not having any output in CLI.

https://fedorahosted.org/freeipa/ticket/6182

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2016-08-10 10:27:00 +02:00
Jan Cholasta
e9c1d21b9f parameters: move the confirm kwarg to Param
Whether a parameter is treated like password is determined by the
`password` class attribute defined in the Param class. Whether the CLI will
asks for confirmation of a password parameter depends on the value of the
`confirm` kwarg of the Password class.

Move the `confirm` kwarg from the Password class to the Param class, so
that it can be used by any Param subclass which has the `password` class
attribute set to True.

This fixes confirmation of the --key option of otptoken-add, which is a
Bytes subclass with `password` set to True.

https://fedorahosted.org/freeipa/ticket/6174

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2016-08-10 08:51:39 +02:00
Petr Spacek
771dea5c6b client: RPM require initscripts to get *-domainname.service
https://fedorahosted.org/freeipa/ticket/4831

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-10 07:39:13 +02:00
Martin Basti
148e021ac1 ipa-backup: backup /etc/tmpfiles.d/dirsrv-<instance>.conf
This file allows daemon tmpfiles.d to re-create the dirs in volatile
directories like /var/run or /var/lock. Without this file Dirsrv will
not start.

https://fedorahosted.org/freeipa/ticket/6165

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-08-09 18:29:21 +02:00
Pavel Vomacka
0fdbad1e1a Fix unicode characters in ca and domain adders
Topology graph didn't show plus icons correctly.

There is a problem with uglifying of javascript code. It does not leave unicode character
written in hexadecimal format unchanged. Therefore this workaround which inserts
needed character using Javascript function and uglifiyng does not affect it.

https://fedorahosted.org/freeipa/ticket/6175

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-09 16:27:51 +02:00
Tomas Krizek
af4ebaca62 Fix ipa-caalc-add-service error message
When service is not found in ipa-caalc-add-service command, return the
entire principal name of the service instead of the first character.

https://fedorahosted.org/freeipa/ticket/6171

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-08-09 16:24:39 +02:00
Jan Cholasta
96db47cfa5 Revert "spec: add conflict with bind-chroot to freeipa-server-dns"
Remove the conflict, as bind-chroot caused issue only on systems with older
bind and bind-chroot - e.g. RHEL 6.

This reverts commit 3ab63fa6ba.

https://fedorahosted.org/freeipa/ticket/5696

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-08-09 16:20:32 +02:00
Stanislav Laznicka
bf6adfe69d Improvements for the ipa-cacert-manage man and help
The man page for ipa-cacert-manage didn't mention that some
options are only applicable to the install some to the renew
subcommand.

Also fixed a few missing articles.

https://fedorahosted.org/freeipa/ticket/6013

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-08-09 16:09:08 +02:00
Lukas Slebodnik
5fece5ff17 ipa-kdb: Fix unit test after packaging changes in krb5
Resolves:
https://fedorahosted.org/freeipa/ticket/6173

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-08-09 14:37:49 +02:00
Lukas Slebodnik
e7480bed27 ipa-kdb: Allow to build with samba 4.5
daemons/ipa-kdb/ipa_kdb_mspac.c: In function 'filter_logon_info':
daemons/ipa-kdb/ipa_kdb_mspac.c:1536:19: error: 'struct PAC_LOGON_INFO'
  has no member named 'res_group_dom_sid'
     if (info->info->res_group_dom_sid != NULL &&
                   ^~
daemons/ipa-kdb/ipa_kdb_mspac.c:1537:19: error: 'struct PAC_LOGON_INFO'
  has no member named 'res_groups'; did you mean 'resource_groups'?
         info->info->res_groups.count != 0) {
                   ^~
mv -f .deps/ipa_kdb_delegation.Tpo .deps/ipa_kdb_delegation.Plo
Makefile:806: recipe for target 'ipa_kdb_mspac.lo' failed
make[3]: *** [ipa_kdb_mspac.lo] Error 1
make[3]: *** Waiting for unfinished jobs....

Related change in samba
4406cf792a

Resolves:
https://fedorahosted.org/freeipa/ticket/6173

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-08-09 14:37:49 +02:00
Pavel Vomacka
58da5fb4b9 Add jslint into Makefile
Also put jsl into dependencies.

The patch also split lint target into more smaller targets.
The purpose of this change is to add possibility to run only
fast jslint by using make jslint and don't waste time with pylint,
which can take a lot of time.

https://fedorahosted.org/freeipa/ticket/6161

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-09 12:59:54 +02:00
Lukas Slebodnik
50c53395de ipa-pwd-extop: Fix warning assignment discards ‘const’ qualifier from pointer
ipa_pwd_extop.c: In function ‘ipapwd_chpwop’:
ipa_pwd_extop.c:337:13: warning: assignment discards ‘const’ qualifier
  from pointer target type [-Wdiscarded-qualifiers]
   target_dn = slapi_sdn_get_ndn(target_sdn);
             ^

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2016-08-08 14:35:11 +02:00
Lukas Slebodnik
7e1898bd01 ipa_pwd_extop: Fix warning declaration shadows previous local
ipa_pwd_extop.c:397:19: warning: declaration of ‘target_sdn’
  shadows a previous local [-Wshadow]
         Slapi_DN *target_sdn;
                   ^~~~~~~~~~
ipa_pwd_extop.c:212:16: note: shadowed declaration is here
  Slapi_DN     *target_sdn = NULL;
                ^~~~~~~~~~

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2016-08-08 14:33:39 +02:00
Ben Lipton
c15ba1f9e8 Use existing HostKey config to test sshd
Prevents sshd from producing warning messages on package upgrade because
not all of the default host key files (/etc/ssh/ssh_host_dsa_key,
/etc/ssh/ssh_host_ecdsa_key, /etc/ssh/ssh_host_ed25519_key and
/etc/ssh/ssh_host_rsa_key) are present.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-08-08 14:24:23 +02:00
Oleg Fayans
bd5746c538 Fixed incorrect domainlevel determination in tests
https://fedorahosted.org/freeipa/ticket/6167

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-05 13:16:29 +02:00
Tomas Krizek
d8fe5863d2 Update ipa-replica-install documentation
Update the ipa-replica-install man page and help to reflect that replica_file
is optional instead of mandatory.

https://fedorahosted.org/freeipa/ticket/6164

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-05 12:08:09 +02:00
Fraser Tweedale
9dac0a13f1 caacl: fix regression in rule instantiation
The Principal refactor causes service collections
('memberservice_service' attribute) to return Principal objects
where previously it returned strings, but the HBAC machinery used
for CA ACL enforcement only handles strings.  Update the code to
stringify service Principal objects when adding them to HBAC rules.

Fixes: https://fedorahosted.org/freeipa/ticket/6146
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-05 11:51:43 +02:00
Petr Spacek
503d096ebc Fix ipa-replica-prepare's error message about missing local CA instance
ipa-replica-prepare must be run on a replica with CA or all the certs
needs to be provided (for CA-less case).

The old messages were utterly confusing because they mixed errors about
missing certs and missing local CA instance into one text.

https://fedorahosted.org/freeipa/ticket/6134

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Ben Lipton <blipton@redhat.com>
2016-08-05 11:49:39 +02:00
Florence Blanc-Renaud
cad6a551d6 Fix ipa hbactest output
ipa hbactest command produces a Traceback (TypeError: cannot concatenate
'str' and 'bool' objects)
This happens because hbactest overrides output_for_cli but does not
properly handle the output for 'value' field. 'value' contains a boolean
but it should not be displayed (refer to ipalib/frontend.py,
Command.output_for_cli()).

Note that the issue did not appear before because the 'value' field
had a flag no_display.

https://fedorahosted.org/freeipa/ticket/6157

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-04 17:13:16 +02:00
Oleg Fayans
2df047b8c5 Fixed incorrect return code assert
The assert checked that the returncode of the replica uninstallation is zero
where in fact the uninstallation was expected to fail with the certain error
message

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-04 15:11:42 +02:00
Jan Cholasta
1a73477e15 vault: add missing salt option to vault_mod
The option was accidentally removed in commit
4b119e21a2.

https://fedorahosted.org/freeipa/ticket/6154

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-04 14:20:06 +02:00
Jan Cholasta
a42b456b91 install: fix external CA cert validation
The code which loads the external CA cert chain was never executed because
of an incorrect usage of an iterator (iterating over it twice).

https://fedorahosted.org/freeipa/ticket/6166

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-04 10:44:59 +02:00
Christian Heimes
1de92b1326 RedHatCAService should wait for local Dogtag instance
RedHatCAService.wait_until_running() uses dogtag.ca_status() to make a
HTTP(s) request to Dogtag in order to check if /ca/admin/ca/getStatus
returns OK. The ca_status() function defaults to api.env.ca_host as
host.

On a replica without CA ca_host is a remote host (e.g. master's
FQDN). ipa-ca-install waits for master:8080 instead of replica:8080,
which might be blocked by a firewall.

https://fedorahosted.org/freeipa/ticket/6016

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-03 19:20:42 +02:00
David Kupka
229e2a1ed9 compat: Save server's API version in for pre-schema servers
When client comunicates with server that doesn't support 'schema'
command it needs to determine its api version to be able to use the
right compat code. Storing information about server version reduces the
need to call 'env' or 'ping' command only to first time the server is
contacted.

https://fedorahosted.org/freeipa/ticket/6069

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-03 16:32:39 +02:00
David Kupka
e76b0bbbcc help: Do not create instances to get information about commands and topics
Creating instance requires that complete schema for the command is
read from schema cache and passed to constructor. This operation takes
a lot of time. Utilizing class properties and pregenerated help bits
allows to get the necessary information directly from classes reducing
time it takes significantly.

https://fedorahosted.org/freeipa/ticket/6048

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-03 16:32:39 +02:00