Sphinx is extensible with plugins that can add new syntax, roles,
directives, domains, and more.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Azure host has 6 GB of physical memory + 7 GB of swap.
FreeIPA CI runs at least 5 masters on each Azure's host.
Thus, swap is intensively used.
Based on the available *physical* memory 389-ds performs db tweaks
and in future may fail to start in case of memory shortage.
Current memory limit for Azure Docker containers(master/replica):
- Physical
$ cat /sys/fs/cgroup/memory/memory.limit_in_bytes
1610612736
- Physical + swap:
$ cat /sys/fs/cgroup/memory/memory.memsw.limit_in_bytes
3221225472
In the meantime, installation of master + ca + kra + dnssec requires:
$ cat /sys/fs/cgroup/memory/memory.max_usage_in_bytes
1856929792
Some test environments require more memory.
For example, 'ipatests.test_integration.test_commands.TestIPACommand':
$ cat /sys/fs/cgroup/memory/memory.memsw.max_usage_in_bytes
2232246272
$ cat /sys/fs/cgroup/memory/memory.max_usage_in_bytes
2232246272
Fixes: https://pagure.io/freeipa/issue/8264
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Each integration test entity sets up its own list of logfiles.
This is made by calling the callback of host's 'collect_log',
which knows nothing about the context of execution: whether it's
the test class scope or the test method one. Of course, in this
case one-time collection of test method log is not supported
because the logs tracker collects only test class logs.
In the meantime, almost all the entities (except 'client')
collect identical logs. Besides, due to the IPA roles
transformation an each IPA host can become master, replica or
client, all of these, in turn, can have subroles. So, the
most common case is the collection of all the possible logs from
all the IPA (Unix) hosts. However, the customization of a logfiles
collection is possible.
The collection is performed with the help of 'integration_logs'
fixture. For example, to add a logfile to list of logs on a test
completion one should add the dependency on this fixture and call
its 'collect_method_log' method.
```
class TestFoo(IntegrationTest):
def test_foo(self):
pass
def test_bar(self, integration_logs):
integration_logs.collect_method_log(self.master, '/logfile')
```
Collected logs:
1) 'test_foo' - default logs
2) 'test_bar' - default logs + /logfile
3) 'TestFoo' - default logs
Fixes: https://pagure.io/freeipa/issue/8265
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The last usage of 'collect_logs' decorator has been removed
in 1d70ce850e. So, it could be safely removed.
Fixes: https://pagure.io/freeipa/issue/8265
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Make it easier to skip tests based on platform ID and platform LIKE_ID.
Skip some tests that are not working on Debian-like platforms
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
The design draft lists the user stories, implementation choices,
implementation details, limitations, and changes for the new
Expired Password Notifications (EPN) feature.
Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
cn=sysaccounts,cn=etc now has a default password policy to permit system
accounts with krbPrincipalAux object class. This allows system accounts
to have a keytab that does not expire.
The "Default System Accounts Password Policy" has a minimum password
length in case the password is directly modified with LDAP.
Fixes: https://pagure.io/freeipa/issue/8276
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Refactor code to use api.env.container_sysaccounts instead of
('cn', 'sysaccounts'), ('cn', 'etc')
Related: https://pagure.io/freeipa/issue/8276
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
W1661(exception-escape), RPCClient.forward]
Using an exception object that was bound by an except handler)
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
``__getnewargs__()`` must return a tuple.
Fixes ``E0312(invalid-getnewargs-returned), APIVersion.__getnewargs__]
__getnewargs__ does not return a tuple)``.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This testcase checks that when trust isn't setup
between IPA server and Windows AD, IPADomainCheck
displays key value as domain-check and result is SUCCESS
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Test checks that HostKeyAlgorithms is not present in
/etc/ssh/ssh_config after client install with option
-ssh-trust-dns.
https://pagure.io/freeipa/issue/8082
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
The definition of servrole.takes_params was missing a comma.
Related: https://pagure.io/freeipa/issue/8290
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This test ensures that RUVCheck for ipahealthcheck.ds.ruv
source displays correct result
Signed-off-by: sumenon <sumenon@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Run sphinx-builder with -W (fail on error), --keep-going, and -j auto.
Auto-job scaling speeds up sphinx-builder a LOT.
Add make lint target to doc/Makefile. The -E and -a option ensure that
all files are always re-read and rewritten.
Add option to run sphinx-builder from a virtual env that mimics RTD
builds closer than Fedora packages.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: François Cami <fcami@redhat.com>
Require OpenDNSSEC 2.1.6-5 with fix for RHBZ#1825812 (DAC override AVC)
Allow ipa-dnskeysyncd to connect to enforcer.sock (ipa_dnskey_t write
opendnssec_var_run_t and connectto opendnssec_t). The
opendnssec_stream_connect interface is available since 2016.
Change the owner of the ipa-ods-exporter socket to ODS_USER:ODS_GROUP.
The ipa-ods-exporter service already runs as ODS_USER.
Fixes: https://pagure.io/freeipa/issue/8283
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Use -W with sphinx-build by default to turn warnings into errors.
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add doclint to fastcheck so that documentation syntax issues
are caught sooner (before they hit CI).
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The shell command line options and parameters used there are bash-
specific. This results in an error on attempting of running
'ipa-run-tests' on systems where '/bin/sh' is pointing to another
shell, for example, dash on Ubuntu.
Fixes: https://pagure.io/freeipa/issue/8101
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Pytest 5.2+ warns if tests XML report is generated but its format (schema)
is not explicitly specified:
```
/root/.local/lib/python3/site-packages/_pytest/junitxml.py:417
/root/.local/lib/python3/site-packages/_pytest/junitxml.py:417: PytestDeprecationWarning: The 'junit_family' default value will change to 'xunit2' in pytest 6.0.
Add 'junit_family=xunit1' to your pytest.ini file to keep the current format in future versions of pytest and silence this warning.
_issue_warning_captured(deprecated.JUNIT_XML_DEFAULT_FAMILY, config.hook, 2)
```
For example, xunit2 is used by jenkins and Pytest strictly conforms its
schema [0]. Pytest's xunit1, in turn, allows to attach user fields to
report.
The only known client of IPA tests results is Azure. Azure supports
[1] JUnit, which is likely the same as Pytest's xunit1, while Azure's
xUnit2 is actually xUnit.net v2. This means that Azure supports (in
one form or another) Pytest's both xunit1 and xunit2 as JUnit.
[0]: https://github.com/jenkinsci/xunit-plugin/blob/xunit-2.3.2/src/main/resources/org/jenkinsci/plugins/xunit/types/model/xsd/junit-10.xsd
[1]: https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/test/publish-test-results?view=azure-devops&tabs=yaml
Fixes: https://pagure.io/freeipa/issue/8101
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Since the required Pytest is 3.9.1+ the compat 'pytest.skip'
for Pytest < 3 can be removed.
Fixes: https://pagure.io/freeipa/issue/8101
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Since the required Pytest is 3.9.1+, old Pytest compat code can
be removed.
Fixes: https://pagure.io/freeipa/issue/8101
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
'get_marker' was a compat shim for Pytest < 3.6.
Since the requred Pytest is 3.9.1+, the workaround can be
removed.
Fixes: https://pagure.io/freeipa/issue/8101
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Host enrollment with OTP used to log the password in cleartext
to apache error log. This test ensures that the password should
not be log in cleartext.
related: https://pagure.io/freeipa/issue/8017
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Test checks whether healthcheck reports only that master is stopped
with no other false positives when services on IPA master are stopped.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1727900
Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fix the syntax in ipa-cacert-manage.1 and default.conf.5
Fixes: https://pagure.io/freeipa/issue/8273
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Co-authored-by: Howard Guo <hguo@suse.com>
Co-authored-by: Daniel Molkentin <dmolkentin@suse.com>
Co-authored-by: Marcus Rückert <darix@nordisch.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Also add runstatedir autoconf var. IPA requires autoconf 2.59. The
variable will be available with autoconf 2.70.
Fixes: https://pagure.io/freeipa/issue/8272
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
test_webui_server tends to take more than 3600s to run.
Increase timeout to 7200s.
Fixes: https://pagure.io/freeipa/issue/8266
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
NIST SP 800-63-3B sets a recommendation to have password length upper bound limited in A.2:
https://pages.nist.gov/800-63-3/sp800-63b.html#appA
Users should be encouraged to make their passwords as lengthy as they
want, within reason. Since the size of a hashed password is independent
of its length, there is no reason not to permit the use of lengthy
passwords (or pass phrases) if the user wishes. Extremely long passwords
(perhaps megabytes in length) could conceivably require excessive
processing time to hash, so it is reasonable to have some limit.
FreeIPA already applied 256 characters limit for non-random passwords
set through ipa-getkeytab tool. The limit was not, however, enforced in
other places.
MIT Kerberos limits the length of the password to 1024 characters in its
tools. However, these tools (kpasswd and 'cpw' command of kadmin) do not
differentiate between a password larger than 1024 and a password of 1024
characters. As a result, longer passwords are silently cut off.
To prevent silent cut off for user passwords, use limit of 1000
characters.
Thus, this patch enforces common limit of 1000 characters everywhere:
- LDAP-based password changes
- LDAP password change control
- LDAP ADD and MOD operations on clear-text userPassword
- Keytab setting with ipa-getkeytab
- Kerberos password setting and changing
Fixes: https://pagure.io/freeipa/issue/8268
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
test_ipahealthcheck tends to take more than 3600s to run.
Increate timeout to 4800s.
Fixes: https://pagure.io/freeipa/issue/8262
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
The FreeIPA integration tests strictly require Firewalld.
But not all the distros have such or any other high-level tool
for managing a firewall. Thus, to run integration tests on such systems
NoOpFirewall class has been added, which provides no-op firewalld
commands.
Fixes: https://pagure.io/freeipa/issue/8261
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: François Cami <fcami@redhat.com>
ca-certificates populates /etc/ssl/certs with symlinks to its input
files and then runs 'openssl rehash' to create the symlinks that libssl
uses to look up a CA certificate to see if it is trused.
'openssl rehash' ignores any files that contain more than one
certificate: <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945274>.
With this change, we write out trusted CA certificates to
/usr/local/share/ca-certificates/ipa-ca, one certificate per file.
The logic that decides whether to reload the store is moved up into the
original `insert_ca_certs_into_systemwide_ca_store` and
`remove_ca_certs_from_systemwide_ca_store` methods. These methods now
also handle any exceptions that may be thrown while updating the store.
The functions that actually manipulate the store are factored out into
new `platform_{insert,remove}_ca_certs` methods, which implementations
must override.
These new methods also orchestrate the cleanup of deprecated files (such
as `/etc/pki/ca-trust/source/anchors/ipa-ca.crt`), rather than having
the cleanup code be included in the same method that creates
`/etc/pki/ca-trust/source/ipa.p11-kit`.
As well as creating `/usr/local/share/ca-certificates/ipa-ca`, Debian
systems will now also have
`/usr/local/share/ca-certificates/ipa.p11-kit` be created. Note that
`p11-kit` in Debian does not use this file.
Fixes: https://pagure.io/freeipa/issue/8106
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Applications may crash.
If a crash happens on a remote system during CI run it's sometimes
very hard to understand the reason. The most important means to
analyze such is a stack trace. It's also very important to check
whether there was a core dump or not, even a test passed.
For Docker environment, the core dumps are collected by the host's
systemd-coredump, which knows nothing about such containers (for
now). To build an informative thread stack trace debuginfo packages
should be installed. But they can't be installed on the host OS
(ubuntu), That's why after all the tests completed an additional
container should be up and the host's core dumps and host's journal
should be passed into it.
Even if there weren't enough debuginfo packages at CI-runtime, the
core dump could be analyzed locally later.
Fixes: https://pagure.io/freeipa/issue/8251
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The platforms may have different Pythons.
But due to [0] the Python installed via the 'UsePythonVersion@0'
task should be compatible with the container's 'libpythonxx.so'.
'AZURE_PYTHON_VERSION' platform variable is introduced to cover
this. So, if your distro has Python3.8, set the mentioned variable
to '3.8', later, this version will be installed by the
'UsePythonVersion@0' Azure task for 'WebUI_Unit_Tests' and 'Tox'
jobs.
To allow tox to run any Python3 environment the 'py3' one is used.
'py3' is the well-known Tox's environment, which utilizes 'python3'
executable.
[0]: https://github.com/microsoft/azure-pipelines-tasks/issues/11070
Fixes: https://pagure.io/freeipa/issue/8254
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Run healthcheck on a default installation and ensure that there
are no failures. This test ensures that a fresh IPA installation
will pass healthcheck.
https://bugzilla.redhat.com/show_bug.cgi?id=1774032
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* tasks had an ipa_backup() method that was not used anywhere.
* test_backup_and_restore had a backup() method that used to return
both the path to the backup and the whole result from run_command ;
The path to the backup can be determined from the result.
Clean up:
* move test_backup_and_restore.backup to tasks.ipa_backup, replacing
the unused method.
* add tasks.get_backup_dir(host) which runs ipa-backup on host and
returns the path to the backup directory.
* adjust test_backup_and_restore and test_replica_promotion.
Related: https://pagure.io/freeipa/issue/8217
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Test checks whether output json-line string is indented by default value
if this value is not stated implicitly. Test compares healthcheck
produced json-like string with manually indented one.
Automates: 02272ff39d76f1412483c5e3289564c93d196a03
Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This function provides functionality similar to pytest.mark.xfail
but for a block of code instead of the whole test function. This has
two benefits:
1) you can mark single line as expectedly failing without suppressing
all other errors in the test function
2) you can use conditions which can not be evaluated before the test start.
The check is always done in "strict" mode, i.e. if test is expected to
fail but succeeds then it will be marked as failing.
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
This function should be used to conditionally skip tests or
mark them xfail when installed version of sssd does not yet contain
patch for the tested issue.
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
