Commit Graph

2083 Commits

Author SHA1 Message Date
Christian Heimes
fbb6484dbe Check ca_wrapped in ipa-custodia-check
ca_wrapped uses Dogtag's pki tool (written in Java) to wrap key
material. Add checks to custodia to verify that key wrapping works.

Related: https://pagure.io/freeipa/issue/8488
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-10-05 14:24:55 +02:00
Christian Heimes
aa67177f4c Add helper for poll/sleep loops with timeout
The Sleeper class is a helper that makes poll/sleep loops with timeout
easier to write. It takes care of edge cases and does not oversleep
timeout deadline.

Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-09-30 09:52:08 +02:00
Christian Heimes
1684b0f2c3 Add missing fedora_container platform members
The fedora_container platform was missing User and Group members.

Add test case to verify that all known platforms define correct module
API.

Fixes: https://pagure.io/freeipa/issue/8519
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-09-29 12:06:24 +02:00
Christian Heimes
69ebe41525 Fix nsslapd-db-lock tuning of BDB backend
nsslapd-db-lock was moved from cn=config,cn=ldbm database,cn=plugins,cn=config
entry to cn=bdb subentry. Manual patching of dse.ldif was no longer
working. Installations with 389-DS 1.4.3 and newer are affected.

Low lock count can affect performance during high load, e.g. mass-import
of users or lots of concurrent connections.

Bump minimal DS version to 1.4.3. Fedora 32 and RHEL 8.3 have 1.4.3.

Fixes: https://pagure.io/freeipa/issue/8515
See: https://pagure.io/freeipa/issue/5914
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-09-24 17:03:00 +02:00
Christian Heimes
644bd0e46b Make git a build requirement
FreeIPA uses git in its build process. In the past git was automatically
pulled in. On Fedora 33 builds are failing because git is missing.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-09-23 14:49:56 +02:00
Rob Crittenden
9f9dcfe88a Test that ccaches are cleaned up during installation
Create a random file and directory in the ccaches directory
prior to installation then confirm that they were removed.

https://pagure.io/freeipa/issue/8248

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-09-23 14:48:29 +02:00
François Cami
dfeea1644a ipatests: enhance TestSubCAkeyReplication
enhance the test suite so that it covers:
- deleting subCAs (disabling them first)
- checking what happens when creating a dozen+ subCAs at a time
- adding a subCA that already exists and expect failure

Related: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2020-09-22 18:05:38 +02:00
Christian Heimes
b19d20e2db Use new classes for run_command and Service
User and Group now return unmodified instance when they are called with
an instance of themselves: User(user) is user.

run_command() and Service class accept either names or User object.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-09-22 09:23:18 -04:00
Christian Heimes
72fb4e60c8 Add user and group wrappers
New classes for user and group names provide a convenient way to access
the uid and primary gid of a user / gid of a group. The classes also
provide chown() and chgrp() methods to simplify common operations.

The wrappers are subclasses of builtin str type and behave like ordinary
strings with additional features. The pwd and grp structs are retrieved
once and then cached.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-09-22 09:23:18 -04:00
Christian Heimes
99a40cbbe9 Simplify LDAPUpdater
- drop unused dm_password and ldapi arguments
- remove online feature that was never implemented
- allow passing of api object that is used to populate substitution
  dictionary
- simplify substitution dictionary updates
- remove unused instances vars

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-09-22 09:21:00 -04:00
Christian Heimes
3c86baf0ad Don't create DS SSCA and self-signed cert
Instruct lib389 to not create its self-signed CA and temporary
self-signed certificate. FreeIPA uses local connections and Unix socket
for bootstrapping.

Fixes: https://pagure.io/freeipa/issue/8502
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-09-21 18:13:51 -04:00
Florence Blanc-Renaud
8ba15027d4 test_smb: skip test_smb_service_s4u2self for fed31
The test test_integration/test_smb.py::TestSMB::test_smb_service_s4u2self
is expected to fail in Fedora <= 31 as it requires krb >= 1.18
that is shipped from fedora 32 only.

Skip the test depending on the fedora version.

Fixes: https://pagure.io/freeipa/issue/8505
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-09-21 18:12:03 -04:00
François Cami
c31bf3d430 ipatests: check that pkispawn log is not empty
Since commits:
0102d836f4
de217557a6
pkispawn will not honor the pki_log_level configuration item.
All 10.9 Dogtag versions have these commits.
This affects FreeIPA in that it makes debugging Dogtag installation issues next
to impossible.
Adding --debug to the pkispawn CLI is required to revert to the previous
behavior.
Therefore check that the log is not empty and contains DEBUG+INFO lines.

Fixes: https://pagure.io/freeipa/issue/8503
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-09-17 15:59:00 +02:00
Armando Neto
26ae95f4b4
ipatests: Add nightly definitions for enforcing mode
Duplicates the scenario for nightly_latest.yaml and
nightly_latest_testing.yaml setting `selinux_enforcing` parameter
as True.

Indentation for all definitions have been fixed.

Issue: https://github.com/freeipa/freeipa-pr-ci/issues/391

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-09-15 09:11:21 -03:00
Alexander Bokovoy
31bc0df6a2 Specify memory limits as strings for docker compose
Fixes the following error in Azure Pipelines CI after upgrade of Docker
setup:

[2020-09-14 06:50:07] The Compose file './docker-compose.yml' is invalid because:
[2020-09-14 06:50:07] services.client.mem_limit contains an invalid type, it should be a string

Fixes: https://pagure.io/freeipa/issue/8494
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-09-14 14:00:20 +03:00
Rob Crittenden
fc271a55bb ipatests: Add tests for checking available memory
The tests always force container or no container so they should
run the same in any environment.

The following cases are handled:

- container, no cgroups
- container, insufficent RAM
- container, sufficient RAM for no CA
- container, insufficient RAM with CA
- non-container, sufficient RAM
- non-container, insufficient RAM

https://pagure.io/freeipa/issue/8404

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2020-09-14 09:17:33 +03:00
Rob Crittenden
2e4431af70 ipatests: Add test for ACI attribute and permission uniqueness
https://pagure.io/freeipa/issue/8443

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-09-14 09:15:59 +03:00
Rob Crittenden
e92a4ba4ae ipatests: test that a zone name and name-from-ip will be rejected
If a zone name is provided then name-from-ip makes little sense,
don't allow it.

https://pagure.io/freeipa/issue/8446

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2020-09-14 09:14:37 +03:00
Armando Neto
21186540f0 ipatests: Bump PR-CI templates
New templates with a previously working version of `geckodriver`.

Issue: https://pagure.io/freeipa/issue/8473

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-09-10 18:36:25 +02:00
Alexander Bokovoy
ba1a7b97c1 ipa-kdb: test kadmin.local getprincs command
Fixes: https://pagure.io/freeipa/issue/8490
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-09-10 11:57:14 -04:00
Rob Crittenden
040d48fa61 ipatests: test ipa_server_certinstall with an IPA-issued cert
ipa-server-certinstall takes a slightly different code path if
the replacement certificate is IPA-issued so exercise that path.

This replaces the Apache cert with itself which is a bit of a no-op
but it still goes through the motions.

https://pagure.io/freeipa/issue/8204

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2020-09-10 09:21:25 +02:00
Florence Blanc-Renaud
50fdc8089a ipatests: fix bind service name
With the commit 721435cf7f
the service name for bind is now 'named' instead of
'named-pkcs11' on fedora. The ipa-healthcheck test was hardcoding
the service name but it should instead use the name stored in
knownservices.named.systemd_name as it varies depending on
the OS.

Fixes: https://pagure.io/freeipa/issue/8482
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-09-07 09:25:25 +02:00
Sudhir Menon
15f168c103 ipatests: Install healthcheck pkg for TestIpaHealthCheckWithADtrust
Tests for TestIpaHealthCheckWithADtrust are failing since
package is not installed, this patch installs
healthcheck pkg on the IPA Master.

Patch to install healthcheck package for TestIpaHealthCheckWithExternalCA

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-09-03 15:56:15 +02:00
Stanislav Levin
49e643783d dnspython: Add compatibility shim
`dnspython` 2.0.0 has many changes and several deprecations like:

```
> dns.resolver.resolve() has been added, allowing control of whether
search lists are used. dns.resolver.query() is retained for backwards
compatibility, but deprecated. The default for search list behavior can
be set at in the resolver object with the use_search_by_default
parameter. The default is False.

> dns.resolver.resolve_address() has been added, allowing easy
address-to-name lookups.
```

The new class `DNSResolver`:
- provides the compatibility layer
- defaults the previous behavior (the search list configured in the
  system's resolver configuration is used for relative names)
- defaults lifetime to 15sec (determines the number of seconds
  to spend trying to get an answer to the question)

Fixes: https://pagure.io/freeipa/issue/8383
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-31 09:46:03 +03:00
Stanislav Levin
30cf59d0ae Azure: Increase verbosity for Tox task
This allows to debug issues happened during packages installation:

> -v, --verbose     increase verbosity of reporting output.
-vv mode turns off output redirection for package installation,
above level two verbosity flags are passed through to pip (with two less
level) (default: 0)

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-31 09:46:03 +03:00
Stanislav Levin
a102cfe5fa nss: Raise exception earlier on unsupported DB type
For now FreeIPA handles explicit migration of NSS DB (dbm->sql).
But Mozilla's NSS can be built without the support of legacy database
(DBM). This implies that neither implicit nor explicit DB migration
to SQL will work. So, eventually, this support will be removed from
FreeIPA.

With this patch, the instantiation of NSS with legacy db(if not
supported by NSS) is forbidden.

Fixes: https://pagure.io/freeipa/issue/8474
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-31 09:46:03 +03:00
Stanislav Levin
a5b23287ae Azure: base: Collect both install and uninstall logs
Some applications remove their logs on uninstallation.
As a result of this, Azure lost `install` logs.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-31 09:46:03 +03:00
Stanislav Levin
60ff2841cd Azure: Drop dependency on UsePythonVersion task
Python is provided by the Docker container image and it's no
longer needed to bind mount host's Python into container.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-31 09:46:03 +03:00
Stanislav Levin
0d326a9097 Azure: Add Rawhide definitions
- allow override variables template file with an externally
provided one. This allows to add new Azure Pipeline which will
point to a custom platform definition. Note: Azure's WebUI
variables are runtime variables and not available at parsing time,
that's why it's impossible to override template from WebUI in
this case.

- add Rawhide templates

- add Dockerfile for build Rawhie Docker image for tests phase
Note: 'fedora:rawhide' is too old, use for now
'registry.fedoraproject.org/fedora:rawhide'.
See, https://bugzilla.redhat.com/show_bug.cgi?id=1869612

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-31 09:46:03 +03:00
Stanislav Levin
e2030b8cad named: Include crypto policy in openssl config
On platforms which have system-wide crypto policy the latter has
to be included in openssl config.

Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-08-31 09:42:31 +03:00
Florence Blanc-Renaud
2c15e99694 ipatests: add missing healthcheck test in PRCI nightlies
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
2020-08-28 14:45:15 +02:00
Florence Blanc-Renaud
ec67022af2 ipatests: run test_ipahealthcheck.py::TestIpaHealthCheck separately
The test is changing the date back and forth. Due to PRCI
infra issue, chronyd is not able to connect to the default
NTP servers from the fedora pool, and the date is not
synchronized any more after this test.

To avoid polluting other tests, run this one separately.

Fixes: https://pagure.io/freeipa/issue/8472
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
2020-08-28 14:45:15 +02:00
Sergey Orlov
6da5cc32d7 ipatests: simplify fixture
Fixture enable_smb_client_dns_lookup_kdc had an unobvious structure
"contextmanage inside pytest fixture". Replaced with simple pytest
fixture.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-26 13:30:19 -04:00
Sergey Orlov
4420ae81ae ipatests: refactor test for login using cifs alias principal
The test had two problems:
* if it was failing,  samba services were not started and all other
tests also failed
* Utility for copying keys obscured fatal problems i.e. if file does not
exist or can not be parsed.

Fixed by moving the check to separate test and raising exceptions in
KerberosKeyCopier on any unexpected problem.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-26 13:30:19 -04:00
Rob Crittenden
4a89da5352 ipatests: Add option/arg parsing tests for the cli
A typo in passing in options would result in an exception.

For example -verbose was treated as: -v -e rbose

-v and -e are valid options. rbose on its own has no value in the
name-value pair so an exception would result.

https://pagure.io/freeipa/issue/6115

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-25 10:31:19 -04:00
Armando Neto
b279b3a7c9
ipatests: Bump PR-CI templates
New template images for ci-master-f32 to include latest packages.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2020-08-24 09:03:41 -03:00
Alexander Bokovoy
0a01f576e0
test_smb: make sure both smbserver and smbclient use IPA master for DNS
test_smb test suite sets up IPA master, AD forest, and two clients.
The clients are used as an SMB server and an SMB client and they need to
resolve and authenticate AD users with Kerberos.

Previously, the test only configured SMB client to use IPA master as its
DNS server. SMB server wasn't using IPA master and thus any attempt to
resolve SRV records from AD DNS zone was failing.

Make sure that both SMB client's and SMB server's DNS resolution is set
up in the same way.

Fixes: https://pagure.io/freeipa/issue/8344

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2020-08-24 11:55:46 +02:00
Sumedh Sidhaye
3f5f68e770 test_cert.py is timing out due to newly added test test_cert.py::TestCertmongerRekey which needs more time to execute. Adding additional 30 mins to the timeout in order to complete the test run
Failing test run:
http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/249e30e4-e349-11ea-ac03-fa163e1ffcbd

Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-08-24 10:22:02 +02:00
Mohammad Rizwan
1abeb85fba PEP8 fixes
PEP8 fixes for visual indent, line > 79, blank line required etc

Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
2020-08-24 10:00:05 +03:00
Mohammad Rizwan
bddbfb79e4 ipatests: add --skip-overlap-check option to prepare_reverse_zone()
add --skip-overlap-check in case it overlap with an existing zone
or with dnszone outside of IPA.

Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
2020-08-24 10:00:05 +03:00
Mohammad Rizwan
b3d7a70ee0 ipatests: Add PTR record for IP SAN
If PTR record is missing for an IP address then cert request
with SAN option throws an error. This fix is to add the PTR
record so that cert request doesn't throw an error.

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
2020-08-24 10:00:05 +03:00
Mohammad Rizwan
abd0cbfcfd ipatests: Test certmonger rekey command works fine
Certmonger's rekey command was throwing an error as
unrecognized command. Test is to check if it is working fine.

related: https://bugzilla.redhat.com/show_bug.cgi?id=1249165

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-08-19 14:04:43 -04:00
Rob Crittenden
454e023ad8 ipatests: stop the CA during healthcheck expiration test
Time is moved during the test to ensure that ipa-healthcheck
finds expired certificates. It's possible that certmonger will also
wake up and renew the certificates before ipa-healthcheck can
execute so shut down the CA during the test.

https://pagure.io/freeipa/issue/8463

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
2020-08-19 14:01:01 -04:00
Rob Crittenden
25e042d3d1 ipatests: Add test for is_ipa_configured
Validate that is_ipa_configured() returns True when using either
the original and the new configuration methods. This will allow
older installs to successfully upgrade.

https://pagure.io/freeipa/issue/8458

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2020-08-18 11:11:26 +02:00
Rob Crittenden
af5138c2aa IPA-EPN: Test that EPN can be install, uninstalled and re-installed
Verify that no cruft is left over that will prevent reinstallation
if it is uninstalled.

Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2020-08-18 11:06:04 +02:00
Florence Blanc-Renaud
f7a6c468ca ipatests: remove xfail from test_dnssec
The nightly test test_dnssec.py::TestInstallDNSSECFirst::test_chain_of_trust
used to fail because of https://github.com/rthalley/dnspython/issues/343,
but the issue has been fixed upstream and does not happen any more since
PRCI is using python3-dns-1.16.0-7.

Remove the xfail.

Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2020-08-17 14:36:16 -04:00
sumenon
7642ce3582 Modified nightly YAML files to include ipa-healthcheck ExternalCA Tests
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2020-08-17 09:07:12 +02:00
sumenon
400ef3aa2c ipatests: Tests for ipahealthcheck tool with IPA external
This testsuite checks whether the healthcheck tool reports
correct status in a scenario when IPA server is setup with
external self-signed CA. Below are the checks covered

IPACRLManagerCheck
IPACertmongerCA
IPAOpenSSLChainValidation
IPANSSChainValidation
IPARAAgent

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2020-08-17 09:07:12 +02:00
François Cami
5452f020f9 ipatests: test_epn: update error messages
Update error messages in the test.

Fixes: https://pagure.io/freeipa/issue/8449
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-08-12 09:02:08 -04:00
François Cami
97006786df IPA-EPN: enhance input validation
Enhance input validation:
* make sure --from-nbdays and --to-nbdays are integer
* make sure --from-nbdays < --to-nbdays

Fixes: https://pagure.io/freeipa/issue/8444
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-08-12 09:02:08 -04:00