Commit Graph

15296 Commits

Author SHA1 Message Date
Stanislav Levin
e9b232fcf4 ap: Constrain supported docutils
New Sphinx 5.1.0 (Released: Jul 24, 2022) bumped supported docutils
to 0.19:
https://github.com/sphinx-doc/sphinx/pull/10656

But m2r2 doesn't support it yet:
https://github.com/CrossNox/m2r2/issues/52

Thereby, docutils must be constrained to < 0.19.

This should be fixed by m2r2 and after they do it the restriction
can be removed.

Fixes: https://pagure.io/freeipa/issue/9208
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-07-26 12:36:41 -04:00
Stanislav Levin
8542fd3012 ap: Rearrange overloaded jobs
With some recent changes the Azure Agent has decreased performance.
For example, `InstallDNSSECFirst_1_to_5` (5 subjobs) job took ~33min
and now it takes ~40min. In the same time there are jobs having only
1 or 2 subjobs and they should be used more.

Fixes: https://pagure.io/freeipa/issue/9207
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-07-26 12:36:41 -04:00
Stanislav Levin
dd094e3889 ap: Disable azure's security daemon
This daemon run clamav which is resource aggressive.
No point to run Windows virus scanner on Ubuntu in Linux-only
environment.

Fixes: https://pagure.io/freeipa/issue/9207
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-07-26 12:36:41 -04:00
Stanislav Levin
0e8bde3175 ap: Raise dbus timeout
With some recent changes on Azure Agent the default DBus call
timeout is not good enough. For example, in case of
`InstallDNSSECFirst_1_to_5` job hostnamectl received reply in ~20sec,
but later it increased to ~30sec (more subjobs - more time to reply).
It's good to raise this timeout to be more protected against minimum
performance times.

https://www.freedesktop.org/software/systemd/man/sd_bus_set_method_call_timeout.html#Description

Fixes: https://pagure.io/freeipa/issue/9207
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-07-26 12:36:41 -04:00
David Pascual
3237ade3d2 ipatests: Checker script for prci definitions
This script allows developers to check if prci definition jobs have the correct format,
which is defined in prci_jobs_spec.yaml
Useful when adding new jobs to the definitions.

Signed-off-by: David Pascual <davherna@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2022-07-15 17:09:17 +02:00
Rob Crittenden
dc73813b8a Warn for permissions with read/write/search/compare and no attrs
An ACI with rights of read, write, search and/or compare without
attributes to apply the rights to is effectively a no-op. Allow
the ACI to be created but include a warning. Ignore the add
and delete rights. While they make no sense in the context of
the other rights we should still warn that they are a no-op
with no attributes.

Use the existing make_aci() object method to create the
message and update the add/mod callers to capture and add the
message to the result if one is provided.

When updating an existing ACI the effective attributes will
not be included so fall back to the attributes in the resulting
permission.

Prior to checking for rights and attributes convert any deprecated
names for older clients into the newer values needed by make_aci

This is exercised by existing xmlrpc permission tests that
create such permissions without attributes.

https://pagure.io/freeipa/issue/9188

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-07-15 16:59:15 +02:00
Armando Neto
436c9d85ee
webui: Do not allow empty pagination size
Pagination size must be required, the current validators are triggered after
form is submitted, thus the only way for check if data is not empty is by making
the field required.

Fixes: https://pagure.io/freeipa/issue/9192

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-07-12 11:38:17 -03:00
Florence Blanc-Renaud
e8d34361c7 ipatests: fix SSSD nightly definition
The nightly test test_external_idp requires a topology
with 2 replicas. Fix the definition in nightly_latest_sssd.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-07-12 10:15:21 +02:00
Fraser Tweedale
f8da5bfbea install: suggest --skip-mem-check when mem check fails
In the memory check failure message, add a hint to the administrator
that they can use the --skip-mem-check flag to skip the check.

Related: https://pagure.io/freeipa/issue/8404

Signed-off-by: Fraser Tweedale <frase@frase.id.au>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-07-05 14:29:27 +02:00
Fraser Tweedale
cb0ce1bd8b man: add --skip-mem-check to man pages
Document the --skip-mem-check flag in the ipa-server-install(1) and
ipa-replica-install(1) man pages.

Related: https://pagure.io/freeipa/issue/8404

Signed-off-by: Fraser Tweedale <frase@frase.id.au>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-07-05 14:29:27 +02:00
Fraser Tweedale
7a40948d6e BUILD.txt: remove redundant dnf-builddep option
-b and --best are the same option (see dnf(8)).  Remove -b and keep
--best, because --best is more descriptive.

Signed-off-by: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-07-05 14:26:52 +02:00
Iker Pedrosa
03e9139504 ipatests: definitions for SSSD COPR nightly
Defined the tests that will be executed for SSSD's COPR nightly.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-07-05 09:46:17 +02:00
Sumedh Sidhaye
2e11247cde Added a check while removing 'cert_dir'. The teardown method is called even if all the tests are skipped since the required PKI version is not present. The teardown is trying to remove a non-existent directory.
Currently the cert_dir attribute is only present if IPA installation was
done. If IPA was not installed the attribute does not exist.
In order that the uninstall code finds the attribute a class attribute
is added.

Pagure Issue: https://pagure.io/freeipa/issue/9179

Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-07-02 18:34:16 +02:00
Rob Crittenden
22d1392a8a Only calculate LDAP password grace when the password is expired
The user's pwd expiration was retrieved but inadvertently was never
compared to current time. So any LDAP bind, including from the
IPA API, counted against the grace period. There is no need to go
through the graceperiod code for non-expired passwords.

https://pagure.io/freeipa/issue/1539

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-06-30 08:34:28 -04:00
Armando Neto
52782b55f5
ipatests: update rawhide template
Python packages updated to include latest `pytest-html`.

Issue: https://github.com/freeipa/freeipa-pr-ci/issues/467

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-06-29 21:24:04 -03:00
Antonio Torres
9819058d73
Bump to IPA 4.11
Signed-off-by: Antonio Torres <antorres@redhat.com>
2022-06-29 17:07:59 +02:00
Antonio Torres
494aac95e1
Update FreeIPA translations to FreeIPA master state
Signed-off-by: Antonio Torres <antorres@redhat.com>
2022-06-29 16:28:57 +02:00
Rob Crittenden
9a97f9b40c Fix test_secure_ajp_connector.py failing with Python 3.6.8
Some of the test data are not expected to cause a rewrite in
the upgrade code. Those that do will set the rewrite flag.

In that case there is a new server.xml to be read. This is
handled with mock_open(). The contents can be retrieved via
mocked_file().write.call_args but the repr() of it is:

call(b'<Server port="1234" shutdown="SHUTDOWN">\n  ...')

In at least Python 3.10 one can use write.call_args.args to get
just the raw data. This does not work with Python 3.6.8 and
returns the string 'args' instead results in a TypeError.

TypeError: a bytes-like object is required, not 'str'

Instead drop the args and use the data directly.

For the case of x = mocked_file().write.call_args:

   x[0] is a tuple with the first element being the data
   x[0][0] is the raw data

So use x[0][0] to get at the data instead of x.args[0]

Fixes: https://pagure.io/freeipa/issue/9190

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-06-23 17:46:57 -04:00
Matthew Davis
6d6b135ffb Add missing parameter to Suse modify_nsswitch_pam_stack
Add missing subid parameter for Suse.

Fixes: https://pagure.io/freeipa/issue/9185
Signed-off-by: Matthew Davis <github@virtual.drop.net>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-06-23 13:06:02 -04:00
Anuja More
ef091c99f8 ipatests: Fix install_master for test_idp.py
For install_master added --no-dnssec-validation.

Fixes: https://pagure.io/freeipa/issue/9189

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-06-23 13:04:05 -04:00
Timo Aaltonen
808ac46ba5 ipaplatform/debian: Drop the path for ldap.so
Named is able to find plugins if they are installed in the plugindir,
so drop the hardcoded path from named.conf.

Signed-off-by: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-06-23 13:02:46 -04:00
Timo Aaltonen
92d718dbf8 ipaplatform/debian: Use multiarch path for libsofthsm2.so
The library moved there some years ago, and the compat symlink might go
away at some point. Better prepare for it.

Signed-off-by: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-06-23 13:02:46 -04:00
Michal Polovka
d3c11f7627 ipatests: Healthcheck use subject base from IPA not REALM
Test if healthcheck uses cert subject base from IPA and not from
REALM. This prevents false-positive errors when the subject base is
customized.

Related: https://github.com/freeipa/freeipa-healthcheck/issues/253

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-06-23 13:01:36 -04:00
Anuja More
bd57ff3566 Add end to end integration tests for external IdP
Added tests for HBAC and SUDO rule and other
test scenarios.

Related : https://pagure.io/freeipa/issue/8805
Related: https://pagure.io/freeipa/issue/8803
Related: https://pagure.io/freeipa/issue/8804

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-06-22 20:57:22 +02:00
Anuja More
a80a981948 ipatests: update prci definitions for test_idp.py
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-06-22 20:57:22 +02:00
Florence Blanc-Renaud
3732349bc2 xmlrpc tests: updated expected output for preserved user
Update the expected summary for the command
ipa user-del --preserve

The command now displays: Preserved user: user1
instead of                Deleted user: user1

Related: https://pagure.io/freeipa/issue/9187

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-06-22 20:53:29 +02:00
Florence Blanc-Renaud
cbc18ff8c7 Preserve user: fix the confusing summary
When ipa user-del --preserve is called, the command output
prints a summary with:
    Deleted user: user1
although the user was preserved.
Replace the summary with
    Preserved user: user1
to reflect what was actually done.

Fixes: https://pagure.io/freeipa/issue/9187
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-06-22 20:53:29 +02:00
Armando Neto
b3085b8302
ipatests: update prci template
New box contains the fixed mock configuration needed when
`enable_testing_repo` is True.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-06-20 09:09:37 -03:00
Michal Polovka
40b3c11bd0
ipatests: Increase expect timeout for interactive mode
Increase the default timeout for expect function when testing
interactive mode to mitigate an issue when the tests are failing
on the slow systems.

Fixes: https://pagure.io/freeipa/issue/9183

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2022-06-17 12:18:42 +02:00
Michal Polovka
b2bbf81659
ipatests: Healthcheck should ignore pki errors when CA is not configured
Test if ipa-healthcheck complains about pki.server.healthcheck errors
when CA is not configured on the replica.

Related: https://github.com/freeipa/freeipa-healthcheck/issues/201

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-06-16 10:47:37 +02:00
Antonio Torres
ca95acc7f8
Update list of contributors
Signed-off-by: Antonio Torres <antorres@redhat.com>
2022-06-15 16:26:55 +02:00
Antonio Torres
27b60cdd45
Update translations to FreeIPA master state
Signed-off-by: Antonio Torres <antorres@redhat.com>
2022-06-15 16:25:58 +02:00
Michal Polovka
e46dd73a9a
ipatests: xfail for test_ipahealthcheck_hidden_replica to respect pki version
Change xfail for test_replica_promotion.py/TestHiddenReplicaPromotion/test_ipahealthcheck_hidden_replica
to respect platform and pki version as the related issue is fixed.

Implement tasks/get_platform_version which returns a platform version
number(s) of a provided host in a form of a tuple.

Related: https://pagure.io/freeipa/issue/8582

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-06-15 10:03:00 +02:00
Matthew Davis
86acb96e38 Suse compatibility fix
Removes authselect requirement for Suse
    Use Suse 'pam-config' to configure PAM
    Configures nsswitch.conf
    Removes domainname service since it does not exist on Suse

Fixes: https://pagure.io/freeipa/issue/9174
Signed-off-by: Matthew Davis github@virtual.drop.net
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-06-14 14:21:59 -04:00
Matthew Davis
5fb9653f4b Create missing SSSD_PUBCONF_KRB5_INCLUDE_D_DIR
One some distributions, namely Suse, the SSSD_PUBCONF_KRB5_INCLUDE_D_DIR
does not exist by default. Ipa-client-install will fail to initialize
the kerberos ticket and error when this directory does not exist.

This patch simply creates the directory if it does not exist before
adding the include statement into /etc/krb5.conf

Fixes: https://pagure.io/freeipa/issue/9174
Signed-off-by: Matthew Davis github@virtual.drop.net
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-06-14 13:17:37 -04:00
Alexander Bokovoy
e06f0cc9b4 idviews: use cached ipaOriginalUid value when resolving ID override anchor
For ID overrides 'ipaOriginalUid' value should be the human-readable
version of the ID override anchor. Since we would have it already set in
the ID override entry, prefer using it instead of looking up the
override anchor.

This should speed up significantly operations which list all ID
overrides in the view, like Web UI views.

Fixes: https://pagure.io/freeipa/issue/9178
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-06-14 15:58:55 +03:00
Rob Crittenden
05d96e16dc Add switch for LDAP cache debug output
The LDAP cache log is rather chatty and a bit overwhelming when
looking for error messages. Disable it by default but allow it
to be enabled when a new config option, ldap_cache_debug, is
enabled.

Fixes: https://pagure.io/freeipa/issue/9180

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-06-14 15:56:21 +03:00
Rob Crittenden
7572174175 Remove extraneous AJP secret from server.xml on upgrades
PKI 10.10 unconditionally added an upgrade script for the AJP
connector which replaced the AJP secret regardless of tomcat
version.  It replaced requiredSecret with secret. IPA expects
the attribute by version so this could make the secrets out of
date and/or have connectors with both secrets and different
values.

PKI commit e70373ab131aba810f318c1d917896392b49ff4b has since
been reverted but there may be servers with both secrets still.
On next IPA upgrade clean them up.

Also allow re-writing ipa-pki-proxy.conf in case the secret
changes to ensure they remain in sync.

Fixes: https://pagure.io/freeipa/issue/9176

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-06-14 15:54:50 +03:00
Florence Blanc-Renaud
ae193a22a7 ACI: define "Read DNS entries from a zone" aci during install
The ACI "Read DNS entries from a zone" is defined when
ipa-server-upgrade is run but not for new installations.
In order to have consistent ACI (same set for new install
and for install + upgrade), define this ACI in
install/share/dns.ldif instead of "Allow read access".

Fixes: https://pagure.io/freeipa/issue/9173
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-06-13 14:34:30 -04:00
Armando Neto
93a06d8295 ipatests: bump pr-ci templates
Packages updated to include `freeipa-healthcheck-0.11-2`.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-06-13 12:56:04 +02:00
Florence Blanc-Renaud
8f785482df ipatests: update expected output for boolean attribute
Now that IPA API properly maps LDAP boolean attributes to the
python bool type, they are displayed as True/False instead
of TRUE/FALSE in the ipa *-show outputs.

Update the expected output for DNS Active Zone.

Related: https://pagure.io/freeipa/issue/9171
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-06-13 09:07:38 +02:00
Florence Blanc-Renaud
8a4ad65936 ipa-replica-install: nsds5replicaUpdateInProgress is a Boolean
nsds5replicaUpdateInProgress is defined in LDAP schema as a boolean.
Now that IPA API is able to properly map booleans to the python
bool type, this attribute is not a string any more and
comparisons can be done directly based on its real type.

The code in ipa-replica-install was reading nsds5replicaUpdateInProgress
and calling value.tolower() == 'true' but should now use
value == True instead.

Related: https://pagure.io/freeipa/issue/9171
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-06-13 09:07:38 +02:00
Francisco Trivino
60d092f002 Update subordinate design doc
This commit updates the subordinate design document to reflect the current state
and remove "outdated" message.

Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-06-10 14:50:07 +02:00
Sudhir Menon
aa1105b64d ipatests: ipahealthcheck tests to check change in permission of ipaserver log files
This testscase checks that when permission of
ipaserver-upgrade.log
file is changed healtcheck tool reports the correct warning message.

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-06-10 12:16:55 +02:00
Florence Blanc-Renaud
d5e4e572ff ipatest: update expected out for ipa-healthcheck's DogtagCertsConnectivityCheck
Pre ipa-healthcheck 0.11, failures detected by DogtagCertsConnectivityCheck
were reported as:
"msg": "Request for certificate failed, <error>"
but the output is now the following:
"msg": "Request for certificate failed: {error}"
"error": <error>

Update the expected output to be compatible with both versions.

Fixes: https://pagure.io/freeipa/issue/9175
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-06-10 09:30:38 +02:00
Alexander Bokovoy
6c5f2bcb30 ipaldap: fix conversion from boolean OID to Python
In IPA framework we don't properly convert to Python bool type and just
return a string (TRUE or FALSE). This can be seen with many boolean
attributes, like

        Bool('idnsallowdynupdate?',
            cli_name='dynamic_update',
            label=_('Dynamic update'),
            doc=_('Allow dynamic updates.'),
            attribute=True,
            default=False,
            autofill=True
        ),

in 'ipa dnszone-show':

> > > api.Command.dnszone_show('ipa.test')['result']['idnsallowdynupdate']
['TRUE']

This is because we don't have the reverse (from LDAP to Python) mapping
for the LDAP boolean OID 1.3.6.1.4.1.1466.115.121.1.7.

When Web UI asks for the entry, it gets back JSON output that contains
this 'TRUE' value:

            "idnsallowdynupdate": [
                "TRUE"
            ],

Add proper mapping from LDAP to Python bool type. With this, a simple
'checkbox' type can be used in Web UI instead of a complex radio-box
setup.

Note that when IPA API is asked to return raw values, 'TRUE' and 'FALSE'
still returned. These are the actual LDAP boolean attribute values. Care
needs to be done in tests:

 - if output is from a command with --raw option, 'TRUE' or 'FALSE'
   should be expected

 - if output if from a normal (non-raw) command, True or False would be
   returned

Fixes: https://pagure.io/freeipa/issue/9171

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-06-10 09:25:27 +02:00
Rob Crittenden
d241d7405f Add tests for Random Serial Number v3 support
Extend existing tests and enabled random serial numbers
during installation. A subset of tests was identified that
exercise the code sufficiently to ensure proper operation.

Update the xml-rpc test to allow the new RSN version number
attribute.

Update some certificate tests where a specifc serial number
is expected.

Fixes: https://pagure.io/freeipa/issue/2016

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-06-09 08:35:15 +02:00
Rob Crittenden
beaa0562dc Add support for Random Serial Numbers v3
Dogtag has implemented a new random serial number scheme
they are calling RSNv3.

https://github.com/dogtagpki/pki/wiki/Random-Certificate-Serial-Numbers-v3

Given the known issues reported this will be supported in IPA for
new installations only.

There is no mixing of random servers and non-random servers
allowed.

Instructions for installing a CA:
https://github.com/dogtagpki/pki/blob/master/docs/installation/ca/Installing-CA-with-Random-Serial-Numbers-v3.adoc

Instructions for installing a KRA:
https://github.com/dogtagpki/pki/blob/master/docs/installation/kra/Installig-KRA-with-Random-Serial-Numbers-v3.adoc

The version of random serial numbers is stored within the CA entry
of the server. It is stored as a version to allow for future upgrades.

If a CA has RSN enabled then any KRA installed will also have it
enabled for its identifiers.

A new attribute, ipaCaRandomSerialNumberVersion, is added to the IPA CA
entry to track the version number in case PKI has future major
revisions. This can also be used to determine if RSN is enabled or not.

Fixes: https://pagure.io/freeipa/issue/2016

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-06-09 08:35:15 +02:00
Rob Crittenden
83be923ac5 Add a new parameter type, SerialNumber, as a subclass of Str
Transmitting a big integer like a random serial number over
either xmlrpc or JSON is problematic because they only support
32-bit integers at best. A random serial number can be as big
as 128 bits (theoretically 160 but dogtag limits it).

Treat as a string instead. Internally the value can be treated
as an Integer to conversions to/from hex as needed but for
transmission purposes handle it as a string.

Fixes: https://pagure.io/freeipa/issue/2016

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-06-09 08:35:15 +02:00
Rob Crittenden
d3481449ee doc/designs: add Random Serial Numbers v3 support
Related: https://pagure.io/freeipa/issue/2016

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-06-09 08:35:15 +02:00