The reason why the test started to fail is probably commit be3ad1e where the checks
were reordered. TestLastServices relies on execution of tests in a specific order.
So it fails given that checks were changed but tests weren't.
Given that master is installed with DNS and CA and replica with anything and given
that checks in server-del command are in order: DNS, DNSSec, CA, KRA then the test
should be something like:
* install master (with DNS, CA)
* install replica
* test test_removal_of_master_raises_error_about_last_dns
* test_install_dns_on_replica1_and_dnssec_on_master (installing DNS and
DNSSec will allow DNSSec check)
* test_removal_of_master_raises_error_about_dnssec
* test_disable_dnssec_on_master (will allow CA check)
* test_removal_of_master_raises_error_about_last_ca
* test_forced_removal_of_master
https://pagure.io/freeipa/issue/7517
Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Early return prevented adding last warning message in the method:
"Ignoring these warnings and proceeding with removal"
And thus `check_master_removal` in `test_server_del` did not work.
https://pagure.io/freeipa/issue/7517
Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Often when trying to check e.g. required field we pass the
method another element as parent in order to narrow down a scope
for validation. This way we can just pass "field" name to make the
process easier.
https://pagure.io/freeipa/issue/7546
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
We check a box with clicking on label by default however sometimes
when a label is too short (1-2 letters) we are hitting an issue
that the checkbox obscures the label.
https://pagure.io/freeipa/issue/7547
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
This commit fixes the tests on class TestReplicaManageDel:
- test_replica_managed_del_domlevel1
- test_clean_dangling_ruv_multi_ca
- test_replica_managed_del_domlevel0
Given that domain level 0 doest not have autodiscovery, we need to
configure /etc/resolv.conf with the master data (search <domain> and
nameserver <master_ip>) in order to ipa-replica-install succeed.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This test will setup a master and a replica, uninstall replica and check
for the replica RUVs on the master. It was missing the step of running
ipa-replica-manage del <replica hostname> to properly remove the RUVs.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
mod_ssl's limiting of client cert verification depth was causing
the replica installs to fail when master had been installed with
external CA since the SSLCACertificateFile was pointing to a file
with more than one certificate. This is caused by the default
SSLVerifyDepth value of 1. We set it to 5 as that should be
just about enough even for possible sub-CAs.
https://pagure.io/freeipa/issue/7530
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Allow services to be members of the groups, like users and other groups
can already be.
This is required for use cases where such services aren't associated
with a particular host (and thus, the host object cannot be used to
retrieve the keytabs) but represent purely client Kerberos principals to
use in a dynamically generated environment such as Kubernetes.
Fixes: https://pagure.io/freeipa/issue/7513
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add --skip-host-check option to ipa service-add command to allow
creating services without corresponding host object. This is needed to
cover use cases where Kerberos services created to handle client
authentication in a dynamically generated environment like Kubernetes.
Fixes: https://pagure.io/freeipa/issue/7514
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The director /etc/httpd/alias was created by mod_nss. Since FreeIPA no
longer depends on mod_nss, the directory is no longer created on fresh
systems.
Note: At first I wanted to move the file to /var/lib/ipa/private/ or
/var/lib/httpd/. SELinux prevents write of httpd_t to ipa_var_lib_t. I'm
going to move the file after a new SELinux policy is available.
See: https://pagure.io/freeipa/issue/7529
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
All tests are taking over an hour to execute, which is too long for
PR-CI.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The NSSDatabase object doesn't know the format of an NSS database
until the database is created so an explcit call to nssdb.create_db.
https://pagure.io/freeipa/issue/7469
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Introduce server installation constants similar to the client
but only tie in SERVER_NOT_CONFIGURED right now.
For the case of not configured don't spit out the "See <some log>
for more information" because no logging was actually done.
In the case of ipa-backup this could also be confusing if the
--log-file option was also passed in because it would not be
used.
https://pagure.io/freeipa/issue/6843
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
When a user with sufficient permissions creates a group using ipa
group-add and then deletes it again with group-del ipa gives an
Insufficient access error, but still deletes the group.
This is due to a need to remove an associaed password policy for the
group. However, a password policy might be inaccessible to the user
(created by a more powerful admin) and there is no way to check that it
exists with current privileges other than trying to remove it.
Seeing a Python exceptions in the Apache log without explanation is
confusing to many users, so add a warning message that explains what
happens here.
Fixes: https://pagure.io/freeipa/issue/6884
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The code currently parses the output of "authselect current" in order
to extract the current profile and options. Example:
$ authselect current
Profile ID: sssd
Enabled features:
- with-mkhomedir
It is easier to use the output of "authselect current --raw". Example:
$ authselect current --raw
sssd with-mkhomedir
Related to
https://pagure.io/freeipa/issue/7377
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Currently, the test is skipped if the platform is fedora-like. The
decision to skip should rather be based on authselect command
availability (i.e. when ipaplatform.paths.paths.AUTHSELECT is None).
Related to
https://pagure.io/freeipa/issue/7377
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Commit ccec8c6c41 add a call to sssctl but
the providing package sssd-tools was not added to ipa-client package.
The tool is not need to build packages.
See: https://pagure.io/freeipa/issue/7376
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Also move /usr/share/ipa into freeipa-common by necessity.
https://pagure.io/freeipa/issue/7524
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The test helper create_external_ca is useful to create an external root
CA and sign ipa.csr for external CA testing. I also moved the file into
ipatests top package to make the import shorter and to avoid an import
warning.
Usage:
ipa-server-install --external-ca ...
python3 -m ipatests.create_external_ca
ipa-server-install --external-cert-file=/tmp/rootca.pem \
--external-cert-file=/tmp/ipaca.pem
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
chrony is causing an SELinux denial because of chronyd
was not spawned using systemd and the command creates
a pidfile for unconfined proccess in /var/run with SELinux label:
unconfined_u:object_r:var_run_t:s0
Following chronyd daemon enablement with systemd will fail
due to mismatched SELinux labels on chronyd pidfile.
chronyd pidfile should be labeled with the following label:
system_u:object_r:chronyd_var_run_t:s0
This also changes bindcmdaddress to not touch /var/run/chrony.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This will allow for whitespace around the separator and changes the
default space separator into white space (space + tabs) to be more
generic and work better on Ubuntu which uses tabs in its Apache
configuration.
https://pagure.io/freeipa/issue/7490
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
We added the separator to the regex in set_directive_lines to avoid
grabbing just a prefix. This doesn't allow for whitespace around
the separator.
For the Apache case we expected that the separator would be just
spaces but it can also use tabs (like Ubuntu 18). Add a special
case so that passing in a space separator is treated as whitespace
(tab or space).
https://pagure.io/freeipa/issue/7490
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The password was only indirectly validated when trying to
disable replication agreements for the restoration.
https://pagure.io/freeipa/issue/7136
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The installer reports the CA configuration that will be used,
including whether the CA is self-signed or externally-signed.
Installation with external CA takes two steps. The first step
correctly reports the externally signed configuration (like the
above), but the second step reports a self-signed configuration.
The CA *is* externally signed, but the configuration gets reported
incorrectly at step 2. This could confuse the administrator. Fix
the message.
Fixes: https://pagure.io/freeipa/issue/7523
Reviewed-By: Christian Heimes <cheimes@redhat.com>
In Python 3, cryptography requires certificate data to be binary. Even
PEM encoded files are treated as binary content.
certmap-match and cert-find were loading certificates as text files. A
new BinaryFile type loads files as binary content.
Fixes: https://pagure.io/freeipa/issue/7520
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The directory contained a script to generate mod_nss configuration
snippet. Since FreeIPA moved to mod_ssl, it is no longer of use.
Fixes: https://pagure.io/freeipa/issue/5673
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The nose_compat plugin uses internal pytest APIs to suspend and resume
the capture manager. In pytest 3.4, the internal APIs have changed and a
public API was added.
The fix is required to run integration tests under Fedora 28.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Because krb5 silently ignores unrecognized options, this is safe on
all versions. It lands upstream in krb5-1.17; in Fedora, it was added
in krb5-1.6-17.
Upstream documentation can be found in-tree at
https://github.com/krb5/krb5/blob/master/doc/admin/spake.rst
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
It wasn't apparent in the logs if a service stop or restart
was complete so in the case of a hang it wasn't obvious which
service was responsible. Including start here for completeness.
https://pagure.io/freeipa/issue/7436
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Point mailing list to lists.fedorahosted.org
Use HTTPS for all URLs
Drop Solaris and Unix from platforms
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
CLI already allows to pass public SSH key when creating an ID override
for a user. Web UI allows to add public SSH keys after the ID override
was created.
Add SSH key field to allow passing public SSH key in one go when
creating an ID override for a user.
Fixes: https://pagure.io/freeipa/issue/7519
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Scenario1: Setup external CA1 and install ipa-server with CA1.
Setup exteranal CA2 and renew ipa-server with CA2.
Get information to compare CA change for ca1 and CA2
it should show different Issuer between install
and renewal.
Scenario2: Renew CA Cert on Replica using ipa-cacert-manage
verify that replica is caRenewalMaster
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
By this commit we introduce new test_misc cases file to
test various miscellaneous cases that do not fit to other suites.
In this cases that "version" is present in profile`s "about".
https://pagure.io/freeipa/issue/7507
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Varun Mylaraiah <mvarun@redhat.com>
In this patch we tune login() in order to test login without
username.
Then we add edit_multivalued and undo_multivalued to test "undo"
and "reset" buttons.
Also there is a new boolean "negative" in mod_record() to switch
button assertion.
Later ssh_key methods were fine-tuned a little to add more keys,
delete all of them and to extend their usage to hosts and id views.
Lastly new method assert_value_checked() was introduced to assert
whether a particular record is checked.
https://pagure.io/freeipa/issue/7507
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Varun Mylaraiah <mvarun@redhat.com>
Extend WebUI test_user suite with the following test cases:
test_add_user_special
test_user_misc
test_ssh_keys
test_add_delete_undo_reset
test_disable_delete_admin
test_login_without_username
https://pagure.io/freeipa/issue/7507
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Varun Mylaraiah <mvarun@redhat.com>
Extended webui group automation test with below scenarios
Scenarios
*add netgroup with invalid names
*add and delete records in various scenarios
*verify button's action in various scenarios.
https://pagure.io/freeipa/issue/7505
Signed-off-by: Varun Mylaraiah <mvarun@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
ipa-advise config-client-for-smart-card-auth was producing a shell script
calling authconfig.
With the migration from authconfig to authselect, the script needs to
be updated and call authselect enable-feature with-smartcard instead.
Related to
https://pagure.io/freeipa/issue/7377
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Commit d705320 was temporarily disabling authconfig backup and restore
because of issue 7478.
With the migration to authselect this is not needed any more
Related to
https://pagure.io/freeipa/issue/7377
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add new test for client and server installation when authselect tool
is used instead of authconfig
Related to
https://pagure.io/freeipa/issue/7377
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The authconfig tool is deprecated and replaced by authselect. Migrate
FreeIPA in order to use the new tool as described in the design page
https://www.freeipa.org/page/V4/Authselect_migration
Fixes:
https://pagure.io/freeipa/issue/7377
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
When a segment is deleted, the underlying replica agreement is also deleted.
An exception to this is if the status of the deleted segment is "obsolete" (i.e. merged segments)
The status should contain only one value, but to be protected against potential
bugs (like https://pagure.io/389-ds-base/issue/49619) this fix checks if
"obsolete" is in the status values.
https://pagure.io/freeipa/issue/7461
Reviewed-By: Christian Heimes <cheimes@redhat.com>
