rpms/ipa
7
0
Fork 0
Code Issues Pull Requests Releases Activity

ipa-4.9.6-5

Browse Source 
- Resolves: rhbz#1988383 Do SRV discovery in ipa-getkeytab if -s and -H aren't provided
- Resolves: rhbz#1986329 ipa-server install failure without DNS
- Resolves: rhbz#1980734 Remove python3-pexpect as dependency for ipatests pkg
- Resolves: rhbz#1992538 Backport recent test fixes in python3-ipatests
This commit is contained in:
Florence Blanc-Renaud 2021-08-17 10:34:03 +02:00
parent 6e57c7ade0
commit 6ff3da92fc
24 changed files with 1928 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
0021-ipatests-use-whole-date-when-calling-journalctl-sinc.patch Normal file
View File

@ -0,0 +1,35 @@
From b2e6292337c6f7f68ac383db8aa54a1abfa3f6b4 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Sun, 11 Jul 2021 16:29:16 +0200
Subject: [PATCH] ipatests: use whole date when calling journalctl --since
The test TestSelfExternalSelf::test_switch_back_to_self_signed
is checking the content of the journal using journalctl --since ...
but provides only the time, not the whole date with year-month-day.
As a consequence, if the test is executed around midnight it may
find nothing in the journal because it's looking for logs after 11:50PM,
which is a date in the future.
Fixes: https://pagure.io/freeipa/issue/8918
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
---
ipatests/test_integration/test_external_ca.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_external_ca.py b/ipatests/test_integration/test_external_ca.py
index 72aa57a0b..d48d73deb 100644
--- a/ipatests/test_integration/test_external_ca.py
+++ b/ipatests/test_integration/test_external_ca.py
@@ -301,7 +301,7 @@ class TestSelfExternalSelf(IntegrationTest):
def test_switch_back_to_self_signed(self):
# for journalctl --since
- switch_time = time.strftime('%H:%M:%S')
+ switch_time = time.strftime('%Y-%m-%d %H:%M:%S')
# switch back to self-signed CA
result = self.master.run_command([paths.IPA_CACERT_MANAGE, 'renew',
'--self-signed'])
--
2.31.1

43
0022-ipatests-Fix-for-test_source_ipahealthcheck_ipa_host.patch Normal file
View File

@ -0,0 +1,43 @@
From 26be7ffdba87e0e6294ea035ab3dc9bd933fba43 Mon Sep 17 00:00:00 2001
From: Sudhir Menon <sumenon@redhat.com>
Date: Fri, 9 Jul 2021 13:44:12 +0530
Subject: [PATCH] ipatests: Fix for
test_source_ipahealthcheck_ipa_host_check_ipahostkeytab
Expected error message has been modified for
test_source_ipahealthcheck_ipa_host_check_ipahostkeytab
Related: https://pagure.io/freeipa/issue/8889
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_integration/test_ipahealthcheck.py | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 305d7b945..f6a3043f1 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -499,9 +499,6 @@ class TestIpaHealthCheck(IntegrationTest):
from host's keytab.
"""
msg = (
- "Failed to obtain host TGT: Major (458752): "
- "No credentials were "
- "supplied, or the credentials were unavailable or inaccessible, "
"Minor (2529639107): No credentials cache found"
)
@@ -514,7 +511,7 @@ class TestIpaHealthCheck(IntegrationTest):
)
assert returncode == 1
assert data[0]["result"] == "ERROR"
- assert data[0]["kw"]["msg"] == msg
+ assert msg in data[0]["kw"]["msg"]
def test_source_ipahealthcheck_topology_IPATopologyDomainCheck(self):
"""
--
2.31.1

52
0023-ipatests-test_ipahealthcheck-print-a-message-if-a-sy.patch Normal file
View File

@ -0,0 +1,52 @@
From 7f910eb2dda8595da435b4aed6e759a2916df813 Mon Sep 17 00:00:00 2001
From: Michal Polovka <mpolovka@redhat.com>
Date: Wed, 23 Jun 2021 14:53:49 +0200
Subject: [PATCH] ipatests: test_ipahealthcheck: print a message if a system is
healthy
Test if when the system is completely healthy, informative message is
returned and not only empty output (list or json).
Related: https://pagure.io/freeipa/issue/8892
Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_ipahealthcheck.py | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index f6a3043f1..36fe72be7 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -286,7 +286,7 @@ class TestIpaHealthCheck(IntegrationTest):
for source in sources_avail:
assert source in result.stdout_text
- def test_human_output(self, restart_service):
+ def test_human_severity(self, restart_service):
"""
Test that in human output the severity value is correct
@@ -306,6 +306,18 @@ class TestIpaHealthCheck(IntegrationTest):
assert output == \
"ERROR: ipahealthcheck.meta.services.sssd: sssd: not running"
+ def test_human_output(self):
+ """
+ Test if in case no failures were found, informative string is printed
+ in human output.
+
+ https://pagure.io/freeipa/issue/8892
+ """
+ returncode, output = run_healthcheck(self.master, output_type="human",
+ failures_only=True)
+ assert returncode == 0
+ assert output == "No issues found."
+
def test_ipa_healthcheck_after_certupdate(self):
"""
Verify that ipa-certupdate hasn't messed up tracking
--
2.31.1

104
0024-ipatests-test_installation-move-tracking_reqs-depend.patch Normal file
View File

@ -0,0 +1,104 @@
From e5df4dc4884f1a66ccbca79b9a0d83874c996d1d Mon Sep 17 00:00:00 2001
From: Michal Polovka <mpolovka@redhat.com>
Date: Mon, 31 May 2021 14:43:28 +0200
Subject: [PATCH] ipatests: test_installation: move tracking_reqs dependency to
ipalib constants ipaserver: krainstance: utilize moved tracking_reqs
dependency
KRA instance import depends on lib389 package, which is not always
installed and that results in failure. Furthermore, test_installation
utilizes krainstance import. This fix moves relevant parts from
krainstance to ipalib constants where those are subsequently imported
from.
Related: https://pagure.io/freeipa/issue/8795
Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipalib/constants.py | 8 ++++++++
ipaserver/install/krainstance.py | 7 ++-----
ipatests/test_integration/test_installation.py | 7 +++----
3 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/ipalib/constants.py b/ipalib/constants.py
index bff899ba6..2aeafac7a 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -360,3 +360,11 @@ SUBID_RANGE_MAX = (2 ** 32) - (2 * SUBID_COUNT)
SUBID_RANGE_SIZE = SUBID_RANGE_MAX - SUBID_RANGE_START
# threshold before DNA plugin requests a new range
SUBID_DNA_THRESHOLD = 500
+
+# moved from ipaserver/install/krainstance.py::KRAInstance to avoid duplication
+# as per https://pagure.io/freeipa/issue/8795
+KRA_TRACKING_REQS = {
+ 'auditSigningCert cert-pki-kra': 'caAuditSigningCert',
+ 'transportCert cert-pki-kra': 'caTransportCert',
+ 'storageCert cert-pki-kra': 'caStorageCert',
+}
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index e63db3fef..13cb2dcaa 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -27,6 +27,7 @@ import base64
from ipalib import api
from ipalib import x509
+from ipalib.constants import KRA_TRACKING_REQS
from ipaplatform.paths import paths
from ipapython import directivesetter
from ipapython import ipautil
@@ -64,11 +65,7 @@ class KRAInstance(DogtagInstance):
# Mapping of nicknames for tracking requests, and the profile to
# use for that certificate. 'configure_renewal()' reads this
# dict. The profile MUST be specified.
- tracking_reqs = {
- 'auditSigningCert cert-pki-kra': 'caAuditSigningCert',
- 'transportCert cert-pki-kra': 'caTransportCert',
- 'storageCert cert-pki-kra': 'caStorageCert',
- }
+ tracking_reqs = KRA_TRACKING_REQS
def __init__(self, realm):
super(KRAInstance, self).__init__(
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index 0c96536f0..27f15dbe5 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -20,7 +20,7 @@ from cryptography.hazmat.primitives import hashes
from cryptography import x509 as crypto_x509
from ipalib import x509
-from ipalib.constants import DOMAIN_LEVEL_0
+from ipalib.constants import DOMAIN_LEVEL_0, KRA_TRACKING_REQS
from ipalib.constants import IPA_CA_RECORD
from ipalib.sysrestore import SYSRESTORE_STATEFILE, SYSRESTORE_INDEXFILE
from ipapython.dn import DN
@@ -34,7 +34,7 @@ from ipatests.pytest_ipa.integration.env_config import get_global_config
from ipatests.test_integration.base import IntegrationTest
from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
from ipaplatform import services
-from ipaserver.install import krainstance
+
config = get_global_config()
@@ -1282,8 +1282,7 @@ class TestInstallMasterKRA(IntegrationTest):
"""
Test that the KRA subsystem certificates renew properly
"""
- kra = krainstance.KRAInstance(self.master.domain.realm)
- for nickname in kra.tracking_reqs:
+ for nickname in KRA_TRACKING_REQS:
cert = tasks.certutil_fetch_cert(
self.master,
paths.PKI_TOMCAT_ALIAS_DIR,
--
2.31.1

31
0025-webui-tests-close-notification-when-revoking-cert.patch Normal file
View File

@ -0,0 +1,31 @@
From 40e4ccf1ea943aba4d10e8126ffa49feddd2e683 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue, 13 Jul 2021 18:38:22 +0200
Subject: [PATCH] webui tests: close notification when revoking cert
When a cert is revoked, a notification is displayed
and may obscure the buttons. Make sure to close the
notification before moving to the next step.
Fixes: https://pagure.io/freeipa/issue/8911
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
---
ipatests/test_webui/test_cert.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/ipatests/test_webui/test_cert.py b/ipatests/test_webui/test_cert.py
index 53dc76faa..7a8ffde91 100644
--- a/ipatests/test_webui/test_cert.py
+++ b/ipatests/test_webui/test_cert.py
@@ -107,6 +107,7 @@ class test_cert(UI_driver):
self.action_list_action('revoke_cert', False)
self.select('select[name=revocation_reason]', reason)
self.dialog_button_click('ok')
+ self.close_notifications()
self.navigate_to_entity(ENTITY)
return cert
--
2.31.1

153
0026-ipatests-Test-ipa-cert-fix-warns-when-startup-direct.patch Normal file
View File

@ -0,0 +1,153 @@
From 02c0da3ef74948579106aab4b669f6e64dd60b24 Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Thu, 24 Jun 2021 13:10:00 +0530
Subject: [PATCH] ipatests: Test ipa-cert-fix warns when startup directive is
missing from CS.cfg
Earlier it used to fail when startup directive missing from CS.cfg.
With https://github.com/dogtagpki/pki/pull/3466, it changed to display
a warning than failing.
related: https://pagure.io/freeipa/issue/8890
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
.../test_integration/test_ipa_cert_fix.py | 92 ++++++++++++++++++-
1 file changed, 90 insertions(+), 2 deletions(-)
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
index b2e92d4dc..394e85603 100644
--- a/ipatests/test_integration/test_ipa_cert_fix.py
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
@@ -48,6 +48,16 @@ def check_status(host, cert_count, state, timeout=600):
return count
+def move_date(host, chrony_state, date_str):
+ """Helper method to move the date on given host
+ :param host: The host on which date is to be moved
+ :param chrony_state: State to which chrony service to be moved
+ :param date_str: date string to move the date i.e 2years1month1days
+ """
+ host.run_command(['systemctl', chrony_state, 'chronyd'])
+ host.run_command(['date', '-s', date_str])
+
+
@pytest.fixture
def expire_cert_critical():
"""
@@ -82,6 +92,17 @@ class TestIpaCertFix(IntegrationTest):
# the fixture
pass
+ @pytest.fixture
+ def expire_ca_cert(self):
+ tasks.install_master(self.master, setup_dns=False,
+ extra_args=['--no-ntp'])
+ move_date(self.master, 'stop', '+20Years+1day')
+
+ yield
+
+ tasks.uninstall_master(self.master)
+ move_date(self.master, 'start', '-20Years-1day')
+
def test_missing_csr(self, expire_cert_critical):
"""
Test that ipa-cert-fix succeeds when CSR is missing from CS.cfg
@@ -122,7 +143,8 @@ class TestIpaCertFix(IntegrationTest):
# Because of BZ 1897120, pki-cert-fix fails on pki-core 10.10.0
# https://bugzilla.redhat.com/show_bug.cgi?id=1897120
- if tasks.get_pki_version(self.master) != tasks.parse_version('10.10.0'):
+ if (tasks.get_pki_version(self.master)
+ != tasks.parse_version('10.10.0')):
assert result.returncode == 0
# get the number of certs track by certmonger
@@ -180,6 +202,72 @@ class TestIpaCertFix(IntegrationTest):
raiseonerr=False)
assert result.returncode == 2
+ def test_missing_startup(self, expire_cert_critical):
+ """
+ Test ipa-cert-fix fails/warns when startup directive is missing
+
+ This test checks that if 'selftests.container.order.startup' directive
+ is missing from CS.cfg, ipa-cert-fix fails and throw proper error
+ message. It also checks that underlying command 'pki-server cert-fix'
+ should fail to renew the cert.
+
+ related: https://pagure.io/freeipa/issue/8721
+
+ With https://github.com/dogtagpki/pki/pull/3466, it changed to display
+ a warning than failing.
+
+ This test also checks that if 'selftests.container.order.startup'
+ directive is missing from CS.cfg, ipa-cert-fix dsplay proper warning
+ (depending on pki version)
+
+ related: https://pagure.io/freeipa/issue/8890
+ """
+ expire_cert_critical(self.master)
+ # pki must be stopped in order to edit CS.cfg
+ self.master.run_command(['ipactl', 'stop'])
+ self.master.run_command([
+ 'sed', '-i', r'/selftests\.container\.order\.startup/d',
+ paths.CA_CS_CFG_PATH
+ ])
+ # dirsrv needs to be up in order to run ipa-cert-fix
+ self.master.run_command(['ipactl', 'start',
+ '--ignore-service-failures'])
+
+ result = self.master.run_command(['ipa-cert-fix', '-v'],
+ stdin_text='yes\n',
+ raiseonerr=False)
+
+ err_msg1 = "ERROR: 'selftests.container.order.startup'"
+ # check that pki-server cert-fix command fails
+ err_msg2 = ("ERROR: CalledProcessError(Command "
+ "['pki-server', 'cert-fix'")
+ warn_msg = ("WARNING: No selftests configured in "
+ f"{paths.CA_CS_CFG_PATH} "
+ "(selftests.container.order.startup)")
+
+ if (tasks.get_pki_version(self.master)
+ < tasks.parse_version('10.11.0')):
+ assert (err_msg1 in result.stderr_text
+ and err_msg2 in result.stderr_text)
+ else:
+ assert warn_msg in result.stdout_text
+
+ def test_expired_CA_cert(self, expire_ca_cert):
+ """Test to check ipa-cert-fix when CA certificate is expired
+
+ In order to fix expired certs using ipa-cert-fix, CA cert should be
+ valid. If CA cert expired, ipa-cert-fix won't work.
+
+ related: https://pagure.io/freeipa/issue/8721
+ """
+ result = self.master.run_command(['ipa-cert-fix', '-v'],
+ stdin_text='yes\n',
+ raiseonerr=False)
+ # check that pki-server cert-fix command fails
+ err_msg = ("ERROR: CalledProcessError(Command "
+ "['pki-server', 'cert-fix'")
+ assert err_msg in result.stderr_text
+
class TestIpaCertFixThirdParty(CALessBase):
"""
@@ -219,7 +307,7 @@ class TestIpaCertFixThirdParty(CALessBase):
'--pin', self.master.config.admin_password,
'-d', 'server.p12']
self.master.run_command(args)
- self.master.run_command(['ipactl', 'restart',])
+ self.master.run_command(['ipactl', 'restart'])
# Run ipa-cert-fix. This is basically a no-op but tests that
# the DS nickname is used and not a hardcoded value.
--
2.31.1

40
0027-webui-tests-fix-algo-for-finding-available-idrange.patch Normal file
View File

@ -0,0 +1,40 @@
From f7997ed0b7d5b915c0184bf8e8864ff935cd6232 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Fri, 16 Jul 2021 15:21:48 +0200
Subject: [PATCH] webui tests: fix algo for finding available idrange
The webui tests for ID range evaluate a potentially free id range
by looking for existing ranges and picking a range = max value
+ 1 million.
With the addition of subuid range this algorithm produces values
over the limit because the subuid range goes from
2,147,483,648 to 4,294,836,224 and the max base id is 4,294,967,295.
Ignore the subuid range when picking a potential range.
Fixes: https://pagure.io/freeipa/issue/8919
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_webui/task_range.py | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/ipatests/test_webui/task_range.py b/ipatests/test_webui/task_range.py
index db34f6f11..f0664d35a 100644
--- a/ipatests/test_webui/task_range.py
+++ b/ipatests/test_webui/task_range.py
@@ -64,6 +64,12 @@ class range_tasks(UI_driver):
max_rid = 0
for idrange in idranges:
+ # IPA.TEST_subid_range is automatically created near the end
+ # of the allowed ids, taking from 2,147,483,648 to 4,294,836,224
+ # Ignore this range when looking for available ids otherwise
+ # we won't find any value < max baseid 4,294,967,295
+ if idrange['cn'][0].endswith("_subid_range"):
+ continue
size = int(idrange['ipaidrangesize'][0])
base_id = int(idrange['ipabaseid'][0])
--
2.31.1

61
0028-ipatests-smbclient-k-use-kerberos-desired.patch Normal file
View File

@ -0,0 +1,61 @@
From 161d5844eb1214e60c636bdb73713c6a43f1e75c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Mon, 19 Jul 2021 15:59:01 +0200
Subject: [PATCH] ipatests: smbclient "-k" => "--use-kerberos=desired"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Change documentation:
https://download.samba.org/pub/samba/rc/samba-4.15.0rc1.WHATSNEW.txt
As of Samba 4.15rc1, smbclient does not accept "-k" anymore.
The "-k|--kerberos" option ("Try to authenticate with kerberos.")
has been replaced with "--use-kerberos=required|desired|off".
Fixes: https://pagure.io/freeipa/issue/8926
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
---
ipatests/test_integration/test_smb.py | 23 +++++++++++++++++++++--
1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/ipatests/test_integration/test_smb.py b/ipatests/test_integration/test_smb.py
index 399ad6209..b2b7ce2e4 100644
--- a/ipatests/test_integration/test_smb.py
+++ b/ipatests/test_integration/test_smb.py
@@ -166,9 +166,28 @@ class TestSMB(IntegrationTest):
encoding='utf-8')
assert file_contents_at_server == test_string
- # check access using smbclient utility
+ # Detect whether smbclient uses -k or --use-kerberos=required
+ # https://pagure.io/freeipa/issue/8926
+ # then check access using smbclient.
res = run_smb_client(
- ['smbclient', '-k', share['unc'], '-c', 'dir'])
+ [
+ "smbclient",
+ "-h",
+ ], raiseonerr=False
+ )
+ if "[-k|--kerberos]" in res.stderr_text:
+ smbclient_krb5_knob = "-k"
+ else:
+ smbclient_krb5_knob = "--use-kerberos=desired"
+ res = run_smb_client(
+ [
+ "smbclient",
+ smbclient_krb5_knob,
+ share["unc"],
+ "-c",
+ "dir",
+ ]
+ )
assert test_dir in res.stdout_text
# check file and dir removal from client side
--
2.31.1

81
0029-test_acme-refactor-with-tasks.patch Normal file
View File

@ -0,0 +1,81 @@
From 86869364a30f071ee79974b301ff68e80c0950ba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Tue, 20 Jul 2021 20:19:16 +0200
Subject: [PATCH] test_acme: refactor with tasks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
---
ipatests/pytest_ipa/integration/tasks.py | 11 +++++++++++
ipatests/test_integration/test_acme.py | 19 ++++---------------
2 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 22c7ba782..c2e548617 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -2800,3 +2800,14 @@ def is_package_installed(host, pkg):
'is_package_installed: unknown platform %s' % platform
)
return result.returncode == 0
+
+
+def move_date(host, chrony_cmd, date_str):
+ """Helper method to move system date
+ :param host: host on which date is to be manipulated
+ :param chrony_cmd: systemctl command to apply to
+ chrony service, for instance 'start', 'stop'
+ :param date_str: date string to change the date i.e '3years2months1day1'
+ """
+ host.run_command(['systemctl', chrony_cmd, 'chronyd'])
+ host.run_command(['date', '-s', date_str])
diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py
index d90f1ff7d..b4aa1b351 100644
--- a/ipatests/test_integration/test_acme.py
+++ b/ipatests/test_integration/test_acme.py
@@ -35,17 +35,6 @@ skip_mod_md_tests = osinfo.id not in ['rhel', 'fedora', ]
CERTBOT_DNS_IPA_SCRIPT = '/usr/libexec/ipa/acme/certbot-dns-ipa'
-def move_date(host, chrony_cmd, date_str):
- """Helper method to move system date
- :param host: host on which date is to be manipulated
- :param chrony_cmd: systemctl command to apply to
- chrony service, for instance 'start', 'stop'
- :param date_str: date string to change the date i.e '3years2months1day1'
- """
- host.run_command(['systemctl', chrony_cmd, 'chronyd'])
- host.run_command(['date', '-s', date_str])
-
-
def check_acme_status(host, exp_status, timeout=60):
"""Helper method to check the status of acme server"""
for _i in range(0, timeout, 5):
@@ -598,8 +587,8 @@ class TestACMERenew(IntegrationTest):
)
# move system date to expire acme cert
for host in self.clients[0], self.master:
- host.run_command(['kdestroy', '-A'])
- move_date(host, 'stop', '+90days')
+ tasks.kdestroy_all(host)
+ tasks.move_date(host, 'stop', '+90days')
self.clients[0].run_command(
['kinit', 'admin'],
stdin_text=cmd_input.format(
@@ -611,8 +600,8 @@ class TestACMERenew(IntegrationTest):
# move back date
for host in self.clients[0], self.master:
- host.run_command(['kdestroy', '-A'])
- move_date(host, 'start', '-90days')
+ tasks.kdestroy_all(host)
+ tasks.move_date(host, 'start', '-90days')
tasks.kinit_admin(host)
@pytest.mark.skipif(skip_certbot_tests, reason='certbot not available')
--
2.31.1

66
0030-test_acme-make-password-renewal-more-robust.patch Normal file
View File

@ -0,0 +1,66 @@
From 701adb9185c77194ba1ad0c5fd2f13484417ef6f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Tue, 20 Jul 2021 20:22:23 +0200
Subject: [PATCH] test_acme: make password renewal more robust
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
A kinit immediately following a password change can fail.
Setting KRB5_TRACE and retrieving kdcinfo will help to understand
the cause of failure.
Fixes: https://pagure.io/freeipa/issue/8929
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
---
ipatests/test_integration/test_acme.py | 28 +++++++++++++-------------
1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py
index b4aa1b351..10195a95f 100644
--- a/ipatests/test_integration/test_acme.py
+++ b/ipatests/test_integration/test_acme.py
@@ -576,25 +576,25 @@ class TestACMERenew(IntegrationTest):
# request a standalone acme cert
certbot_standalone_cert(self.clients[0], self.acme_server)
- cmd_input = (
- # Password for admin@{REALM}:
- "{pwd}\n"
- # Password expired. You must change it now.
- # Enter new password:
- "{pwd}\n"
- # Enter it again:
- "{pwd}\n"
- )
# move system date to expire acme cert
for host in self.clients[0], self.master:
tasks.kdestroy_all(host)
tasks.move_date(host, 'stop', '+90days')
- self.clients[0].run_command(
- ['kinit', 'admin'],
- stdin_text=cmd_input.format(
- pwd=self.clients[0].config.admin_password
- )
+
+ tasks.get_kdcinfo(host)
+ # Note raiseonerr=False:
+ # the assert is located after kdcinfo retrieval.
+ result = host.run_command(
+ "KRB5_TRACE=/dev/stdout kinit %s" % 'admin',
+ stdin_text='{0}\n{0}\n{0}\n'.format(
+ self.clients[0].config.admin_password
+ ),
+ raiseonerr=False
)
+ # Retrieve kdc.$REALM after the password change, just in case SSSD
+ # domain status flipped to online during the password change.
+ tasks.get_kdcinfo(host)
+ assert result.returncode == 0
yield
--
2.31.1

58
0031-tasks.py-fix-flake8-reported-issues.patch Normal file
View File

@ -0,0 +1,58 @@
From 5b826ab3582566b15a618f57cb2e002a9c16ef64 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Tue, 20 Jul 2021 20:29:00 +0200
Subject: [PATCH] tasks.py: fix flake8-reported issues
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes: https://pagure.io/freeipa/issue/8931
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
---
ipatests/pytest_ipa/integration/tasks.py | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index c2e548617..075c05cde 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -597,7 +597,9 @@ def install_adtrust(host):
dig_command = ['dig', 'SRV', '+short', '@localhost',
'_ldap._tcp.%s' % host.domain.name]
dig_output = '0 100 389 %s.' % host.hostname
- dig_test = lambda x: re.search(re.escape(dig_output), x)
+
+ def dig_test(x):
+ return re.search(re.escape(dig_output), x)
run_repeatedly(host, dig_command, test=dig_test)
@@ -2122,8 +2124,8 @@ def create_active_user(host, login, password, first='test', last='user',
result = host.run_command(
"KRB5_TRACE=/dev/stdout kinit %s" % login,
stdin_text='{0}\n{1}\n{1}\n'.format(
- temp_password, password, raiseonerr=False
- )
+ temp_password, password
+ ), raiseonerr=False
)
# Retrieve kdc.$REALM after the password change, just in case SSSD
# domain status flipped to online during the password change.
@@ -2264,10 +2266,10 @@ class KerberosKeyCopier:
[paths.KLIST, "-eK", "-k", keytab], log_stdout=False)
keys_to_sync = []
- for l in result.stdout_text.splitlines():
- if (princ in l and any(e in l for e in self.valid_etypes)):
+ for line in result.stdout_text.splitlines():
+ if (princ in line and any(e in line for e in self.valid_etypes)):
- els = l.split()
+ els = line.split()
els[-2] = els[-2].strip('()')
els[-1] = els[-1].strip('()')
keys_to_sync.append(KeyEntry._make(els))
--
2.31.1

142
0032-Fix-ldapupdate.get_sub_dict-for-missing-named-user.patch Normal file
View File

@ -0,0 +1,142 @@
From a1eb13cdbc109da8c028bb886a1207ea2cc23cee Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Tue, 27 Jul 2021 11:54:20 +0200
Subject: [PATCH] Fix ldapupdate.get_sub_dict() for missing named user
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The named user may not be present when ipa-server-dns and bind are not
installed. NAMED_UID and NAMED_GID constants are only used with local
DNS support.
Fixes: https://pagure.io/freeipa/issue/8936
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Co-authored-by: François Cami <fcami@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/install/ldapupdate.py | 14 +++++++---
.../nightly_ipa-4-9_latest.yaml | 12 +++++++++
.../nightly_ipa-4-9_previous.yaml | 12 +++++++++
.../test_integration/test_installation.py | 27 +++++++++++++++++++
4 files changed, 62 insertions(+), 3 deletions(-)
diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
index 06cb78e0b..f0e7d6162 100644
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -64,6 +64,15 @@ def get_sub_dict(realm, domain, suffix, fqdn, idstart=None, idmax=None):
idrange_size = idmax - idstart + 1
subid_base_rid = constants.SUBID_RANGE_START - idrange_size
+ # uid / gid for autobind
+ # user is only defined when ipa-server-dns and bind are installed
+ try:
+ named_uid = platformconstants.NAMED_USER.uid
+ named_gid = platformconstants.NAMED_GROUP.gid
+ except ValueError:
+ named_uid = None
+ named_gid = None
+
return dict(
REALM=realm,
DOMAIN=domain,
@@ -99,9 +108,8 @@ def get_sub_dict(realm, domain, suffix, fqdn, idstart=None, idmax=None):
DEFAULT_ADMIN_SHELL=platformconstants.DEFAULT_ADMIN_SHELL,
SELINUX_USERMAP_DEFAULT=platformconstants.SELINUX_USERMAP_DEFAULT,
SELINUX_USERMAP_ORDER=platformconstants.SELINUX_USERMAP_ORDER,
- # uid / gid for autobind
- NAMED_UID=platformconstants.NAMED_USER.uid,
- NAMED_GID=platformconstants.NAMED_GROUP.gid,
+ NAMED_UID=named_uid,
+ NAMED_GID=named_gid,
)
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
index 939ee2b7d..1c8c5ddfc 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
@@ -547,6 +547,18 @@ jobs:
timeout: 4800
topology: *master_1repl_1client
+ fedora-latest-ipa-4-9/test_installation_TestInstallWithoutNamed:
+ requires: [fedora-latest-ipa-4-9/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-latest-ipa-4-9/build_url}'
+ test_suite: test_integration/test_installation.py::TestInstallWithoutNamed
+ template: *ci-ipa-4-9-latest
+ timeout: 4800
+ topology: *master_1repl
+
fedora-latest-ipa-4-9/test_idviews:
requires: [fedora-latest-ipa-4-9/build]
priority: 50
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
index 03658a934..6d121d59f 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
@@ -547,6 +547,18 @@ jobs:
timeout: 4800
topology: *master_1repl_1client
+ fedora-previous-ipa-4-9/test_installation_TestInstallWithoutNamed:
+ requires: [fedora-previous-ipa-4-9/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-previous-ipa-4-9/build_url}'
+ test_suite: test_integration/test_installation.py::TestInstallWithoutNamed
+ template: *ci-ipa-4-9-previous
+ timeout: 4800
+ topology: *master_1repl
+
fedora-previous-ipa-4-9/test_idviews:
requires: [fedora-previous-ipa-4-9/build]
priority: 50
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index e76fd0efe..e3c41eaa1 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -1853,3 +1853,30 @@ class TestInstallWithoutSudo(IntegrationTest):
result = tasks.install_client(self.master, self.clients[0])
assert self.no_sudo_str not in result.stderr_text
assert self.sudo_version_str not in result.stdout_text
+
+
+class TestInstallWithoutNamed(IntegrationTest):
+ num_replicas = 1
+
+ @classmethod
+ def remove_named(cls, host):
+ # remove the bind package and make sure the named user does not exist.
+ # https://pagure.io/freeipa/issue/8936
+ result = host.run_command(['id', 'named'], raiseonerr=False)
+ if result.returncode == 0:
+ tasks.uninstall_packages(host, ['bind'])
+ host.run_command(['userdel', constants.NAMED_USER])
+ assert host.run_command(
+ ['id', 'named'], raiseonerr=False
+ ).returncode == 1
+
+ @classmethod
+ def install(cls, mh):
+ for tgt in (cls.master, cls.replicas[0]):
+ cls.remove_named(tgt)
+ tasks.install_master(cls.master, setup_dns=False)
+
+ def test_replica0_install(self):
+ tasks.install_replica(
+ self.master, self.replicas[0], setup_ca=False, setup_dns=False
+ )
--
2.31.1

68
0033-freeipa.spec.in-remove-python3-pexpect-from-Requires.patch Normal file
View File

@ -0,0 +1,68 @@
From e0e1d6f94dd16c8066be8ce3c75ef306890a3e2b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Wed, 28 Jul 2021 18:47:02 +0200
Subject: [PATCH] freeipa.spec.in: remove python3-pexpect from Requires
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
python3-pexpect will be removed in RHEL9.
Update BuildRequires/Requires accordingly.
Fixes: https://pagure.io/freeipa/issue/8938
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
---
freeipa.spec.in | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index c33d2e216..9440f3602 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -328,11 +328,18 @@ BuildRequires: python3-m2r
# Build dependencies for lint and fastcheck
#
%if %{with lint}
-BuildRequires: git
-%if 0%{?fedora} < 34
+
+# python3-pexpect might not be available in RHEL9
+%if 0%{?fedora} || 0%{?rhel} < 9
+BuildRequires: python3-pexpect
+%endif
+
# jsl is orphaned in Fedora 34+
+%if 0%{?fedora} < 34
BuildRequires: jsl
%endif
+
+BuildRequires: git
BuildRequires: nss-tools
BuildRequires: rpmlint
BuildRequires: softhsm
@@ -357,7 +364,6 @@ BuildRequires: python3-lxml
BuildRequires: python3-netaddr >= %{python_netaddr_version}
BuildRequires: python3-netifaces
BuildRequires: python3-paste
-BuildRequires: python3-pexpect
BuildRequires: python3-pki >= %{pki_version}
BuildRequires: python3-polib
BuildRequires: python3-pyasn1
@@ -878,11 +884,11 @@ Requires: python3-ipaclient = %{version}-%{release}
Requires: python3-ipaserver = %{version}-%{release}
Requires: iptables
Requires: python3-cryptography >= 1.6
-Requires: python3-pexpect
%if 0%{?fedora}
# These packages do not exist on RHEL and for ipatests use
# they are installed on the controller through other means
Requires: ldns-utils
+Requires: python3-pexpect
# update-crypto-policies
Requires: crypto-policies-scripts
Requires: python3-polib
--
2.31.1

365
0034-ipa-getkeytab-add-option-to-discover-servers-using-D.patch Normal file
View File

@ -0,0 +1,365 @@
From 42206df69adc9c1eefa3ee576891b2ae3ac269e0 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 15 Jul 2021 15:11:28 -0400
Subject: [PATCH] ipa-getkeytab: add option to discover servers using DNS SRV
The basic flow is:
- If server is provided by the user then use it
- If server the magic value '_srv', check for _ldap._tcp SRV records for
the domain in /etc/ipa/default.conf
- If no servers are found use the server from default.conf
https://pagure.io/freeipa/issue/8478
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
client/Makefile.am | 1 +
client/ipa-getkeytab.c | 221 +++++++++++++++++++++++++++++++++++++
client/man/ipa-getkeytab.1 | 5 +-
configure.ac | 10 ++
4 files changed, 236 insertions(+), 1 deletion(-)
diff --git a/client/Makefile.am b/client/Makefile.am
index 0031c04a5..72f4cb3dc 100644
--- a/client/Makefile.am
+++ b/client/Makefile.am
@@ -66,6 +66,7 @@ ipa_getkeytab_LDADD = \
$(SASL_LIBS) \
$(POPT_LIBS) \
$(LIBINTL_LIBS) \
+ $(RESOLV_LIBS) \
$(INI_LIBS) \
$(NULL)
diff --git a/client/ipa-getkeytab.c b/client/ipa-getkeytab.c
index 04786be9e..d3673eb05 100644
--- a/client/ipa-getkeytab.c
+++ b/client/ipa-getkeytab.c
@@ -34,9 +34,11 @@
#include <time.h>
#include <krb5.h>
#include <ldap.h>
+#include <resolv.h>
#include <sasl/sasl.h>
#include <popt.h>
#include <ini_configobj.h>
+#include <openssl/rand.h>
#include "config.h"
@@ -46,6 +48,174 @@
#include "ipa_ldap.h"
+struct srvrec {
+ char *host;
+ uint16_t port;
+ int priority, weight;
+ struct srvrec *next;
+};
+
+static int
+srvrec_priority_sort(const void *a, const void *b)
+{
+ const struct srvrec *sa, *sb;
+
+ sa = a;
+ sb = b;
+ return sa->priority - sb->priority;
+}
+
+static int
+srvrec_sort_weight(const void *a, const void *b)
+{
+ const struct srvrec *sa, *sb;
+
+ sa = a;
+ sb = b;
+ return sa->weight - sb->weight;
+}
+
+/* Return a uniform random number between 0 and range */
+static double
+rand_inclusive(double range)
+{
+ long long r;
+
+ if (range == 0) {
+ return 0;
+ }
+
+ if (RAND_bytes((unsigned char *) &r, sizeof(r)) == -1) {
+ return 0;
+ }
+ if (r < 0) {
+ r = -r;
+ }
+ return ((double)r / (double)LLONG_MAX) * range;
+}
+
+static void
+sort_prio_weight(struct srvrec *res, int len)
+{
+ int i, j;
+ double tweight;
+ struct srvrec tmp;
+ double r;
+
+ qsort(res, len, sizeof(res[0]), srvrec_sort_weight);
+ for (i = 0; i < len - 1; i++) {
+ tweight = 0;
+ for (j = i; j < len; j++) {
+ /* Give records with 0 weight a small chance */
+ tweight += res[j].weight ? res[j].weight : 0.01;
+ }
+ r = rand_inclusive(tweight);
+ tweight = 0;
+ for (j = i; j < len; j++) {
+ tweight += res[j].weight ? res[j].weight : 0.01;
+ if (tweight >= r) {
+ break;
+ }
+ }
+ if (j >= len) {
+ continue;
+ }
+ memcpy(&tmp, &res[i], sizeof(tmp));
+ memcpy(&res[i], &res[j], sizeof(tmp));
+ memcpy(&res[j], &tmp, sizeof(tmp));
+ }
+}
+
+/* The caller is responsible for freeing the results */
+static int
+query_srv(const char *name, const char *domain, struct srvrec **results)
+{
+ int i, j, len;
+ unsigned char *answer = NULL;
+ size_t answer_len = NS_MAXMSG;
+ struct srvrec *res = NULL;
+ ns_msg msg;
+ ns_rr rr;
+ int rv = -1;
+
+ *results = NULL;
+ if ((name == NULL) || (strlen(name) == 0) ||
+ (domain == NULL) || (strlen(domain) == 0)) {
+ return -1;
+ }
+
+ res_init();
+ answer = malloc(answer_len + 1);
+ if (answer == NULL) {
+ return -1;
+ }
+ memset(answer, 0, answer_len + 1);
+ i = res_querydomain(name, domain, C_IN, T_SRV, answer, answer_len);
+ if (i == -1) {
+ goto error;
+ }
+ answer_len = i;
+ memset(&msg, 0, sizeof(msg));
+ if (ns_initparse(answer, answer_len, &msg) != 0) {
+ goto error;
+ }
+ memset(&rr, 0, sizeof(rr));
+ for (i = 0; ns_parserr(&msg, ns_s_an, i, &rr) == 0; i++) {
+ continue;
+ }
+ if (i == 0) {
+ goto error;
+ }
+ len = i;
+ res = malloc(sizeof(*res) * i);
+ if (res == NULL) {
+ goto error;
+ }
+ memset(res, 0, sizeof(*res) * i);
+ for (i = 0, j = 0; i < len; i++) {
+ if (ns_parserr(&msg, ns_s_an, i, &rr) != 0) {
+ continue;
+ }
+ if (rr.rdlength < 6) {
+ continue;
+ }
+ res[j].host = malloc(rr.rdlength - 6 + 1);
+ if (res[j].host == NULL) {
+ goto error;
+ }
+ res[j].priority = ntohs(*(uint16_t *)rr.rdata);
+ res[j].weight = ntohs(*(uint16_t *)(rr.rdata + 2));
+ res[j].port = ntohs(*(uint16_t *)(rr.rdata + 4));
+ memcpy(res[j].host, rr.rdata + 6, rr.rdlength - 6);
+ if (ns_name_ntop(rr.rdata + 6, res[j].host, rr.rdlength - 6) == -1) {
+ continue;
+ }
+ res[j].host[rr.rdlength - 6] = '\0';
+ j++;
+ }
+ len = j;
+ qsort(res, len, sizeof(res[0]), srvrec_priority_sort);
+ i = 0;
+ while (i < len) {
+ j = i + 1;
+ while (j < len && (res[j].priority == res[i].priority)) {
+ j++;
+ }
+ sort_prio_weight(res + i, j - i);
+ i = j;
+ }
+ /* Fixup the linked-list pointers */
+ for (i = 0; i < len - 1; i++) {
+ res[i].next = &res[i + 1];
+ }
+ *results = res;
+ rv = 0;
+
+error:
+ free(answer);
+ return rv;
+}
+
static int check_sasl_mech(const char *mech)
{
int i;
@@ -619,6 +789,7 @@ static char *ask_password(krb5_context krbctx, char *prompt1, char *prompt2,
struct ipa_config {
const char *server_name;
+ const char *domain;
};
static int config_from_file(struct ini_cfgobj *cfgctx)
@@ -688,6 +859,11 @@ int read_ipa_config(struct ipa_config **ipacfg)
if (ret == 0 && obj != NULL) {
(*ipacfg)->server_name = ini_get_string_config_value(obj, &ret);
}
+ ret = ini_get_config_valueobj("global", "domain", cfgctx,
+ INI_GET_LAST_VALUE, &obj);
+ if (ret == 0 && obj != NULL) {
+ (*ipacfg)->domain = ini_get_string_config_value(obj, &ret);
+ }
return 0;
}
@@ -754,6 +930,7 @@ int main(int argc, const char *argv[])
static const char *sasl_mech = NULL;
static const char *ca_cert_file = NULL;
int quiet = 0;
+ int verbose = 0;
int askpass = 0;
int askbindpw = 0;
int permitted_enctypes = 0;
@@ -761,6 +938,8 @@ int main(int argc, const char *argv[])
struct poptOption options[] = {
{ "quiet", 'q', POPT_ARG_NONE, &quiet, 0,
_("Print as little as possible"), _("Output only on errors")},
+ { "verbose", 'v', POPT_ARG_NONE, &verbose, 0,
+ _("Print debugging information"), _("Output debug info")},
{ "server", 's', POPT_ARG_STRING, &server, 0,
_("Contact this specific KDC Server"),
_("Server Name") },
@@ -906,6 +1085,41 @@ int main(int argc, const char *argv[])
exit(2);
}
+ if (server && (strcasecmp(server, "_srv_") == 0)) {
+ struct srvrec *srvrecs, *srv;
+ struct ipa_config *ipacfg = NULL;
+
+ ret = read_ipa_config(&ipacfg);
+ if (ret == 0 && ipacfg->domain && verbose) {
+ fprintf(stderr, _("DNS discovery for domain %s\n"), ipacfg->domain);
+ }
+ if (query_srv("_ldap._tcp", ipacfg->domain, &srvrecs) == 0) {
+ for (srv = srvrecs; (srv != NULL); srv = srv->next) {
+ if (verbose) {
+ fprintf(stderr, _("Discovered server %s\n"), srv->host);
+ }
+ }
+ for (srv = srvrecs; (srv != NULL); srv = srv->next) {
+ server = strdup(srv->host);
+ if (verbose) {
+ fprintf(stderr, _("Using discovered server %s\n"), server);
+ }
+ break;
+ }
+ for (srv = srvrecs; (srv != NULL); srv = srv->next) {
+ free(srv->host);
+ }
+ } else {
+ if (verbose) {
+ fprintf(stderr, _("DNS Discovery failed\n"));
+ }
+ }
+ if (strcasecmp(server, "_srv_") == 0) {
+ /* Discovery failed, fall through to option methods */
+ server = NULL;
+ }
+ }
+
if (!server && !ldap_uri) {
struct ipa_config *ipacfg = NULL;
@@ -915,10 +1129,17 @@ int main(int argc, const char *argv[])
ipacfg->server_name = NULL;
}
free(ipacfg);
+ if (verbose && server) {
+ fprintf(stderr, _("Using server from config %s\n"), server);
+ }
if (!server) {
fprintf(stderr, _("Server name not provided and unavailable\n"));
exit(2);
}
+ } else {
+ if (verbose) {
+ fprintf(stderr, _("Using provided server %s\n"), server);
+ }
}
if (server) {
ret = ipa_server_to_uri(server, sasl_mech, &ldap_uri);
diff --git a/client/man/ipa-getkeytab.1 b/client/man/ipa-getkeytab.1
index b57c5489c..07d2d73b3 100644
--- a/client/man/ipa-getkeytab.1
+++ b/client/man/ipa-getkeytab.1
@@ -78,7 +78,10 @@ arcfour\-hmac
\fB\-s ipaserver\fR
The IPA server to retrieve the keytab from (FQDN). If this option is not
provided the server name is read from the IPA configuration file
-(/etc/ipa/default.conf). Cannot be used together with \fB\-H\fR.
+(/etc/ipa/default.conf). Cannot be used together with \fB\-H\fR. If the
+value is _srv_ then DNS discovery will be used to determine a server.
+If this discovery fails then it will fall back to using the configuration
+file.
.TP
\fB\-q\fR
Quiet mode. Only errors are displayed.
diff --git a/configure.ac b/configure.ac
index dc79d5dce..9d7a33825 100644
--- a/configure.ac
+++ b/configure.ac
@@ -108,6 +108,16 @@ LDAP_CFLAGS=""
AC_SUBST(LDAP_LIBS)
AC_SUBST(LDAP_CFLAGS)
+dnl ---------------------------------------------------------------------------
+dnl - Check for resolv library
+dnl ---------------------------------------------------------------------------
+
+SAVE_CPPFLAGS=$CPPFLAGS
+CPPFLAGS="$NSPR_CFLAGS $NSS_CFLAGS"
+AC_CHECK_LIB(resolv,main,RESOLV_LIBS=-lresolv)
+AC_CHECK_HEADERS(resolv.h)
+AC_SUBST(RESOLV_LIBS)
+
dnl ---------------------------------------------------------------------------
dnl - Check for OpenSSL Crypto library
dnl ---------------------------------------------------------------------------
--
2.31.1

55
0035-ipa-getkeytab-fix-compiler-warnings.patch Normal file
View File

@ -0,0 +1,55 @@
From 0114d24ea160676b784ef7010c19bbacc67ceea0 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 15 Jul 2021 17:52:54 -0400
Subject: [PATCH] ipa-getkeytab: fix compiler warnings
Make read_ipa_config and filter_keys static to avoid
"no previous prototype" warnings.
Use correct datatype of return value for ber_scanf to
correct different signedness comparision.
Fixed while working on https://pagure.io/freeipa/issue/8478
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
client/ipa-getkeytab.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/client/ipa-getkeytab.c b/client/ipa-getkeytab.c
index d3673eb05..309b3c704 100644
--- a/client/ipa-getkeytab.c
+++ b/client/ipa-getkeytab.c
@@ -291,7 +291,7 @@ static int ldap_sasl_interact(LDAP *ld, unsigned flags, void *priv_data, void *s
return ret;
}
-int filter_keys(krb5_context krbctx, struct keys_container *keys,
+static int filter_keys(krb5_context krbctx, struct keys_container *keys,
ber_int_t *enctypes)
{
struct krb_key_salt *ksdata;
@@ -507,7 +507,7 @@ static int ldap_set_keytab(krb5_context krbctx,
BerElement *sctrl = NULL;
struct berval *control = NULL;
LDAPControl **srvctrl = NULL;
- int ret;
+ ber_tag_t ret;
int kvno, i;
ber_tag_t rtag;
ber_int_t *encs = NULL;
@@ -826,7 +826,7 @@ static int config_from_file(struct ini_cfgobj *cfgctx)
return 0;
}
-int read_ipa_config(struct ipa_config **ipacfg)
+static int read_ipa_config(struct ipa_config **ipacfg)
{
struct ini_cfgobj *cfgctx = NULL;
struct value_obj *obj = NULL;
--
2.31.1

92
0036-ipatests-test-ipa-getkeytab-server-option.patch Normal file
View File

@ -0,0 +1,92 @@
From 7a13200fd8b92dd90ebc4b6416ef25659df8aa71 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 16 Jul 2021 12:59:47 -0400
Subject: [PATCH] ipatests: test ipa-getkeytab server option
Test various usages of the -s/--server option:
* -s is defined, use it as the server
* no -s, use the host value from /etc/ipa/default.conf
* -s is '_srv_', do DNS discovery
https://pagure.io/freeipa/issue/8478
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_integration/test_commands.py | 58 ++++++++++++++++++++++
1 file changed, 58 insertions(+)
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index d64519eb7..2035ced56 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -1467,6 +1467,64 @@ class TestIPACommand(IntegrationTest):
assert 'This account is currently not available' in \
result.stdout_text
+ def test_ipa_getkeytab_server(self):
+ """
+ Exercise the ipa-getkeytab server options
+
+ This relies on the behavior that without a TGT
+ ipa-getkeytab will quit and not do much of anything.
+
+ A bogus keytab and principal are passed in to satisfy the
+ minimum requirements.
+ """
+ tasks.kdestroy_all(self.master)
+
+ # Pass in a server name to use
+ result = self.master.run_command(
+ [
+ paths.IPA_GETKEYTAB,
+ "-k",
+ "/tmp/keytab",
+ "-p",
+ "foo",
+ "-s",
+ self.master.hostname,
+ "-v",
+ ], raiseonerr=False).stderr_text
+
+ assert 'Using provided server %s' % self.master.hostname in result
+
+ # Don't pass in a name, should use /etc/ipa/default.conf
+ result = self.master.run_command(
+ [
+ paths.IPA_GETKEYTAB,
+ "-k",
+ "/tmp/keytab",
+ "-p",
+ "foo",
+ "-v",
+ ], raiseonerr=False).stderr_text
+
+ assert (
+ 'Using server from config %s' % self.master.hostname
+ in result
+ )
+
+ # Use DNS SRV lookup
+ result = self.master.run_command(
+ [
+ paths.IPA_GETKEYTAB,
+ "-k",
+ "/tmp/keytab",
+ "-p",
+ "foo",
+ "-s",
+ "_srv_",
+ "-v",
+ ], raiseonerr=False).stderr_text
+
+ assert 'Discovered server %s' % self.master.hostname in result
+
class TestIPACommandWithoutReplica(IntegrationTest):
"""
--
2.31.1

91
0037-ipatests-Test-for-OTP-when-the-LDAP-connection-timed.patch Normal file
View File

@ -0,0 +1,91 @@
From 25a4acf3ad5964eacddbcb83ddf9f84432968918 Mon Sep 17 00:00:00 2001
From: Anuja More <amore@redhat.com>
Date: Thu, 22 Jul 2021 14:55:50 +0530
Subject: [PATCH] ipatests: Test for OTP when the LDAP connection timed out.
Test to verify that when the idle timeout is exceeded (30s idle,
60s sleep) then the ipa-otpd process should exit without error.
Related : https://pagure.io/freeipa/issue/6587
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_otp.py | 56 +++++++++++++++++++++++++++
1 file changed, 56 insertions(+)
diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py
index b2e65af1b..fd55898ca 100644
--- a/ipatests/test_integration/test_otp.py
+++ b/ipatests/test_integration/test_otp.py
@@ -20,6 +20,7 @@ from cryptography.hazmat.primitives.twofactor.totp import TOTP
from ipatests.test_integration.base import IntegrationTest
from ipaplatform.paths import paths
from ipatests.pytest_ipa.integration import tasks
+from ipapython.dn import DN
PASSWORD = "DummyPassword123"
@@ -309,3 +310,58 @@ class TestOTPToken(IntegrationTest):
master.run_command(['ipa', 'user-del', USER2])
self.master.run_command(['semanage', 'login', '-D'])
sssd_conf_backup.restore()
+
+ @pytest.fixture
+ def setup_otp_nsslapd(self):
+ # setting nsslapd-idletimeout
+ new_limit = 30
+ conn = self.master.ldap_connect()
+ dn = DN(('cn', 'config'))
+ entry = conn.get_entry(dn) # pylint: disable=no-member
+ orig_limit = entry.single_value.get('nsslapd-idletimeout')
+ ldap_query = textwrap.dedent("""
+ dn: cn=config
+ changetype: modify
+ replace: nsslapd-idletimeout
+ nsslapd-idletimeout: {limit}
+ """)
+ tasks.ldapmodify_dm(self.master, ldap_query.format(limit=new_limit))
+ # Be sure no services are running and failed units
+ self.master.run_command(['killall', 'ipa-otpd'], raiseonerr=False)
+ check_services = self.master.run_command(
+ ['systemctl', 'list-units', '--state=failed']
+ )
+ assert "0 loaded units listed" in check_services.stdout_text
+ assert "ipa-otpd" not in check_services.stdout_text
+ yield
+ # cleanup
+ tasks.ldapmodify_dm(self.master, ldap_query.format(limit=orig_limit))
+
+ def test_check_otpd_after_idle_timeout(self, setup_otp_nsslapd):
+ """Test for OTP when the LDAP connection timed out.
+
+ Test for : https://pagure.io/freeipa/issue/6587
+
+ ipa-otpd was exiting with failure when LDAP connection timed out.
+ Test to verify that when the nsslapd-idletimeout is exceeded (30s idle,
+ 60s sleep) then the ipa-otpd process should exit without error.
+ """
+ since = time.strftime('%H:%M:%S')
+ tasks.kinit_admin(self.master)
+ otpuid, totp = add_otptoken(self.master, USER, otptype="totp")
+ try:
+ # kinit with OTP auth
+ otpvalue = totp.generate(int(time.time())).decode("ascii")
+ kinit_otp(self.master, USER, password=PASSWORD, otp=otpvalue)
+ time.sleep(60)
+ failed_services = self.master.run_command(
+ ['systemctl', 'list-units', '--state=failed']
+ )
+ assert "ipa-otpd" not in failed_services.stdout_text
+ cmd_jornalctl = self.master.run_command(
+ ['journalctl', '--since={}'.format(since)]
+ )
+ regex = r".*ipa-otpd@.*\sSucceeded"
+ assert re.search(regex, cmd_jornalctl.stdout_text)
+ finally:
+ del_otptoken(self.master, otpuid)
--
2.31.1

51
0038-ipatests-verify-that-getcert-output-includes-the-iss.patch Normal file
View File

@ -0,0 +1,51 @@
From 826b5825bd644fc69a9bee17626d71fe03cc0190 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 26 Jul 2021 16:14:19 -0400
Subject: [PATCH] ipatests: verify that getcert output includes the issued date
certmonger 0.79.14 included a new feature that provides the
NotBefore (or issued) date to the certificate list output.
Verify that it is present in the output.
https://bugzilla.redhat.com/show_bug.cgi?id=1940261
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipatests/test_integration/test_cert.py | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
index b6bb2f08a..9a90db5e2 100644
--- a/ipatests/test_integration/test_cert.py
+++ b/ipatests/test_integration/test_cert.py
@@ -19,6 +19,7 @@ from ipaplatform.paths import paths
from cryptography import x509
from cryptography.x509.oid import ExtensionOID
from cryptography.hazmat.backends import default_backend
+from pkg_resources import parse_version
from ipatests.pytest_ipa.integration import tasks
from ipatests.test_integration.base import IntegrationTest
@@ -257,6 +258,16 @@ class TestInstallMasterClient(IntegrationTest):
raise AssertionError("certmonger request is "
"in state {}". format(status))
+ def test_getcert_notafter_output(self):
+ """Test that currrent certmonger includes NotBefore in output"""
+ result = self.master.run_command(["certmonger", "-v"]).stdout_text
+ if parse_version(result.split()[1]) < parse_version('0.79.14'):
+ raise pytest.skip("not_before not provided in this version")
+ result = self.master.run_command(
+ ["getcert", "list", "-f", paths.HTTPD_CERT_FILE]
+ ).stdout_text
+ assert 'issued:' in result
+
class TestCertmongerRekey(IntegrationTest):
--
2.31.1

43
0039-ipatests-Look-for-warning-into-stderr-instead-of-std.patch Normal file
View File

@ -0,0 +1,43 @@
From 96dd8ac1cd2e7fb8177d83e7ba5c6d79f4216ea3 Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Mon, 2 Aug 2021 19:26:28 +0530
Subject: [PATCH] ipatests: Look for warning into stderr instead of stdout
In https://github.com/freeipa/freeipa/pull/5855 was looking
into stdout_text for warning instead of stderr_text, hence
was failing for pki version > 10.11.0.
related: https://pagure.io/freeipa/issue/8890
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_integration/test_ipa_cert_fix.py | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
index 394e85603..f3cf59afc 100644
--- a/ipatests/test_integration/test_ipa_cert_fix.py
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
@@ -241,16 +241,14 @@ class TestIpaCertFix(IntegrationTest):
# check that pki-server cert-fix command fails
err_msg2 = ("ERROR: CalledProcessError(Command "
"['pki-server', 'cert-fix'")
- warn_msg = ("WARNING: No selftests configured in "
- f"{paths.CA_CS_CFG_PATH} "
- "(selftests.container.order.startup)")
+ warn_msg = "WARNING: No selftests configured in"
if (tasks.get_pki_version(self.master)
< tasks.parse_version('10.11.0')):
assert (err_msg1 in result.stderr_text
and err_msg2 in result.stderr_text)
else:
- assert warn_msg in result.stdout_text
+ assert warn_msg in result.stderr_text
def test_expired_CA_cert(self, expire_ca_cert):
"""Test to check ipa-cert-fix when CA certificate is expired
--
2.31.1

56
0040-ipatests-use-krb5_trace-in-TestIpaAdTrustInstall.patch Normal file
View File

@ -0,0 +1,56 @@
From 9ae23e1257478bfee04b08b54f36dda7f5850348 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Thu, 5 Aug 2021 11:37:35 +0200
Subject: [PATCH] ipatests: use krb5_trace in TestIpaAdTrustInstall
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
tasks.create_active_user can fail in a subtle way when there
are two IPA servers due to replication delays.
Using the debug-enabled version of create_active_user helps
determine whether there is another underlying issue and, in
general, prevents the above problem.
Fixes: https://pagure.io/freeipa/issue/8944
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
---
ipatests/test_integration/test_adtrust_install.py | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/ipatests/test_integration/test_adtrust_install.py b/ipatests/test_integration/test_adtrust_install.py
index bbbb385a5..f23221186 100644
--- a/ipatests/test_integration/test_adtrust_install.py
+++ b/ipatests/test_integration/test_adtrust_install.py
@@ -257,8 +257,11 @@ class TestIpaAdTrustInstall(IntegrationTest):
user_princ = '@'.join([user, self.master.domain.realm])
passwd = 'Secret123'
# Create a user with a password
- tasks.create_active_user(self.master, user, passwd, extra_args=[
- '--homedir', '/home/{}'.format(user)])
+ tasks.create_active_user(
+ self.master, user, passwd,
+ extra_args=["--homedir", "/home/{}".format(user)],
+ krb5_trace=True
+ )
try:
# Defaults: host/... principal for service
# keytab in /etc/krb5.keytab
@@ -282,8 +285,11 @@ class TestIpaAdTrustInstall(IntegrationTest):
user_princ = '@'.join([user, self.master.domain.realm])
passwd = 'Secret123'
# Create a user with a password
- tasks.create_active_user(self.master, user, passwd, extra_args=[
- '--homedir', '/home/{}'.format(user)])
+ tasks.create_active_user(
+ self.master, user, passwd,
+ extra_args=["--homedir", "/home/{}".format(user)],
+ krb5_trace=True
+ )
try:
# Defaults: host/... principal for service
# keytab in /etc/krb5.keytab
--
2.31.1

45
0041-ipatests-Test-ldapsearch-with-base-scope-works-with-.patch Normal file
View File

@ -0,0 +1,45 @@
From a3d71eb72a6125a80a9d7b698f34dcb95dc25184 Mon Sep 17 00:00:00 2001
From: Anuja More <amore@redhat.com>
Date: Thu, 5 Aug 2021 20:03:21 +0530
Subject: [PATCH] ipatests: Test ldapsearch with base scope works with compat
tree.
Added test to verify that ldapsearch for compat tree
with scope base and sub is not failing.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipatests/test_integration/test_commands.py | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index 2035ced56..e3a0d867e 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -1558,6 +1558,19 @@ class TestIPACommandWithoutReplica(IntegrationTest):
# Run the command again after cache is removed
self.master.run_command(['ipa', 'user-show', 'ipauser1'])
+ def test_basesearch_compat_tree(self):
+ """Test ldapsearch against compat tree is working
+
+ This to ensure that ldapsearch with base scope is not failing.
+
+ related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909
+ """
+ tasks.kinit_admin(self.master)
+ base_dn = str(self.master.domain.basedn)
+ base = "cn=admins,cn=groups,cn=compat,{basedn}".format(basedn=base_dn)
+ tasks.ldapsearch_dm(self.master, base, ldap_args=[], scope='sub')
+ tasks.ldapsearch_dm(self.master, base, ldap_args=[], scope='base')
+
class TestIPAautomount(IntegrationTest):
@classmethod
--
2.31.1

44
0042-ipatests-skip-test_basesearch_compat_tree-on-fedora.patch Normal file
View File

@ -0,0 +1,44 @@
From d4062e407d242a72b9d4e32f4fdd6aed086ce005 Mon Sep 17 00:00:00 2001
From: Anuja More <amore@redhat.com>
Date: Thu, 5 Aug 2021 20:23:15 +0530
Subject: [PATCH] ipatests: skip test_basesearch_compat_tree on fedora.
slapi-nis with fix is not part of fedora yet.
test requires with fix:
https://pagure.io/slapi-nis/c/61ea8f6a104da25329e301a8f56944f860de8177?
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipatests/test_integration/test_commands.py | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index e3a0d867e..4d9a81652 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -38,6 +38,7 @@ from ipatests.create_external_ca import ExternalCA
from ipatests.test_ipalib.test_x509 import good_pkcs7, badcert
from ipapython.ipautil import realm_to_suffix, ipa_generate_password
from ipaserver.install.installutils import realm_to_serverid
+from pkg_resources import parse_version
logger = logging.getLogger(__name__)
@@ -1565,6 +1566,12 @@ class TestIPACommandWithoutReplica(IntegrationTest):
related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909
"""
+ version = self.master.run_command(
+ ["rpm", "-qa", "--qf", "%{VERSION}", "slapi-nis"]
+ )
+ if tasks.get_platform(self.master) == "fedora" and parse_version(
+ version.stdout_text) <= parse_version("0.56.7"):
+ pytest.skip("Test requires slapi-nis with fix on fedora")
tasks.kinit_admin(self.master)
base_dn = str(self.master.domain.basedn)
base = "cn=admins,cn=groups,cn=compat,{basedn}".format(basedn=base_dn)
--
2.31.1

89
0043-ipatests-Refactor-test_check_otpd_after_idle_timeout.patch Normal file
View File

@ -0,0 +1,89 @@
From eac03d6828d0bac1925c897090fc77e250eaee04 Mon Sep 17 00:00:00 2001
From: Anuja More <amore@redhat.com>
Date: Thu, 5 Aug 2021 12:27:38 +0530
Subject: [PATCH] ipatests: Refactor test_check_otpd_after_idle_timeout
Use whole date when calling journalctl --since
ipa-otpd don't flush its logs to syslog immediately,
so check with run_repeatedly.
Also list failed units when ldap connection is
timed out.
Related: https://pagure.io/freeipa/issue/6587
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_otp.py | 31 ++++++++++++++++-----------
1 file changed, 18 insertions(+), 13 deletions(-)
diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py
index fd55898ca..353470897 100644
--- a/ipatests/test_integration/test_otp.py
+++ b/ipatests/test_integration/test_otp.py
@@ -313,6 +313,13 @@ class TestOTPToken(IntegrationTest):
@pytest.fixture
def setup_otp_nsslapd(self):
+ check_services = self.master.run_command(
+ ['systemctl', 'list-units', '--state=failed']
+ )
+ assert "0 loaded units listed" in check_services.stdout_text
+ assert "ipa-otpd" not in check_services.stdout_text
+ # Be sure no services are running and failed units
+ self.master.run_command(['killall', 'ipa-otpd'], raiseonerr=False)
# setting nsslapd-idletimeout
new_limit = 30
conn = self.master.ldap_connect()
@@ -326,13 +333,6 @@ class TestOTPToken(IntegrationTest):
nsslapd-idletimeout: {limit}
""")
tasks.ldapmodify_dm(self.master, ldap_query.format(limit=new_limit))
- # Be sure no services are running and failed units
- self.master.run_command(['killall', 'ipa-otpd'], raiseonerr=False)
- check_services = self.master.run_command(
- ['systemctl', 'list-units', '--state=failed']
- )
- assert "0 loaded units listed" in check_services.stdout_text
- assert "ipa-otpd" not in check_services.stdout_text
yield
# cleanup
tasks.ldapmodify_dm(self.master, ldap_query.format(limit=orig_limit))
@@ -346,7 +346,7 @@ class TestOTPToken(IntegrationTest):
Test to verify that when the nsslapd-idletimeout is exceeded (30s idle,
60s sleep) then the ipa-otpd process should exit without error.
"""
- since = time.strftime('%H:%M:%S')
+ since = time.strftime('%Y-%m-%d %H:%M:%S')
tasks.kinit_admin(self.master)
otpuid, totp = add_otptoken(self.master, USER, otptype="totp")
try:
@@ -354,14 +354,19 @@ class TestOTPToken(IntegrationTest):
otpvalue = totp.generate(int(time.time())).decode("ascii")
kinit_otp(self.master, USER, password=PASSWORD, otp=otpvalue)
time.sleep(60)
+
+ def test_cb(cmd_jornalctl):
+ # check if LDAP connection is timed out
+ expected_msg = "Can't contact LDAP server"
+ return expected_msg in cmd_jornalctl
+
+ # ipa-otpd don't flush its logs to syslog immediately
+ cmd = ['journalctl', '--since={}'.format(since)]
+ tasks.run_repeatedly(
+ self.master, command=cmd, test=test_cb, timeout=90)
failed_services = self.master.run_command(
['systemctl', 'list-units', '--state=failed']
)
assert "ipa-otpd" not in failed_services.stdout_text
- cmd_jornalctl = self.master.run_command(
- ['journalctl', '--since={}'.format(since)]
- )
- regex = r".*ipa-otpd@.*\sSucceeded"
- assert re.search(regex, cmd_jornalctl.stdout_text)
finally:
del_otptoken(self.master, otpuid)
--
2.31.1

68
freeipa.spec
View File

@ -196,7 +196,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 4%{?rc_version:.%rc_version}%{?dist}.1
Release: 5%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPLv3+
@ -236,6 +236,29 @@ Patch0017: 0017-Use-new-method-in-check-to-prevent-removal-of-last-K.patch
Patch0018: 0018-ipatests-test-removing-last-KRA-when-it-is-not-runni.patch
Patch0019: 0019-rhel-platform-add-a-named-crypto-policy-support.patch
Patch0020: 0020-Index-Fix-definition-for-memberOf.patch
Patch0021: 0021-ipatests-use-whole-date-when-calling-journalctl-sinc.patch
Patch0022: 0022-ipatests-Fix-for-test_source_ipahealthcheck_ipa_host.patch
Patch0023: 0023-ipatests-test_ipahealthcheck-print-a-message-if-a-sy.patch
Patch0024: 0024-ipatests-test_installation-move-tracking_reqs-depend.patch
Patch0025: 0025-webui-tests-close-notification-when-revoking-cert.patch
Patch0026: 0026-ipatests-Test-ipa-cert-fix-warns-when-startup-direct.patch
Patch0027: 0027-webui-tests-fix-algo-for-finding-available-idrange.patch
Patch0028: 0028-ipatests-smbclient-k-use-kerberos-desired.patch
Patch0029: 0029-test_acme-refactor-with-tasks.patch
Patch0030: 0030-test_acme-make-password-renewal-more-robust.patch
Patch0031: 0031-tasks.py-fix-flake8-reported-issues.patch
Patch0032: 0032-Fix-ldapupdate.get_sub_dict-for-missing-named-user.patch
Patch0033: 0033-freeipa.spec.in-remove-python3-pexpect-from-Requires.patch
Patch0034: 0034-ipa-getkeytab-add-option-to-discover-servers-using-D.patch
Patch0035: 0035-ipa-getkeytab-fix-compiler-warnings.patch
Patch0036: 0036-ipatests-test-ipa-getkeytab-server-option.patch
Patch0037: 0037-ipatests-Test-for-OTP-when-the-LDAP-connection-timed.patch
Patch0038: 0038-ipatests-verify-that-getcert-output-includes-the-iss.patch
Patch0039: 0039-ipatests-Look-for-warning-into-stderr-instead-of-std.patch
Patch0040: 0040-ipatests-use-krb5_trace-in-TestIpaAdTrustInstall.patch
Patch0041: 0041-ipatests-Test-ldapsearch-with-base-scope-works-with-.patch
Patch0042: 0042-ipatests-skip-test_basesearch_compat_tree-on-fedora.patch
Patch0043: 0043-ipatests-Refactor-test_check_otpd_after_idle_timeout.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif
@ -344,11 +367,18 @@ BuildRequires: python3-m2r
# Build dependencies for lint and fastcheck
#
%if %{with lint}
BuildRequires: git
%if 0%{?fedora} < 34
# python3-pexpect might not be available in RHEL9
%if 0%{?fedora} || 0%{?rhel} < 9
BuildRequires: python3-pexpect
%endif
# jsl is orphaned in Fedora 34+
%if 0%{?fedora} < 34
BuildRequires: jsl
%endif
BuildRequires: git
BuildRequires: nss-tools
BuildRequires: rpmlint
BuildRequires: softhsm
@ -373,7 +403,6 @@ BuildRequires: python3-lxml
BuildRequires: python3-netaddr >= %{python_netaddr_version}
BuildRequires: python3-netifaces
BuildRequires: python3-paste
BuildRequires: python3-pexpect
BuildRequires: python3-pki >= %{pki_version}
BuildRequires: python3-polib
BuildRequires: python3-pyasn1
@ -894,11 +923,11 @@ Requires: python3-ipaclient = %{version}-%{release}
Requires: python3-ipaserver = %{version}-%{release}
Requires: iptables
Requires: python3-cryptography >= 1.6
Requires: python3-pexpect
%if 0%{?fedora}
# These packages do not exist on RHEL and for ipatests use
# they are installed on the controller through other means
Requires: ldns-utils
Requires: python3-pexpect
# update-crypto-policies
Requires: crypto-policies-scripts
Requires: python3-polib
@ -1717,6 +1746,35 @@ fi
%endif
%changelog
* Tue Aug 17 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-5
- Resolves: rhbz#1988383 Do SRV discovery in ipa-getkeytab if -s and -H aren't provided
- ipa-getkeytab: add option to discover servers using DNS SRV
- ipa-getkeytab: fix compiler warnings
- ipatests: test ipa-getkeytab server option
- Resolves: rhbz#1986329 ipa-server install failure without DNS
- Fix ldapupdate.get_sub_dict() for missing named user
- Resolves: rhbz#1980734 Remove python3-pexpect as dependency for ipatests pkg
- freeipa.spec.in: remove python3-pexpect from Requires
- Resolves: rhbz#1992538 Backport recent test fixes in python3-ipatests
- ipatests: use whole date when calling journalctl --since
- ipatests: Fix for test_source_ipahealthcheck_ipa_host_check_ipahostkeytab
- ipatests: test_ipahealthcheck: print a message if a system is healthy
- ipatests: test_installation: move tracking_reqs dependency to ipalib constants ipaserver: krainstance: utilize moved tracking_reqs dependency
- webui tests: close notification when revoking cert
- ipatests: Test ipa-cert-fix warns when startup directive is missing from CS.cfg
- webui tests: fix algo for finding available idrange
- ipatests: smbclient "-k" => "--use-kerberos=desired"
- test_acme: refactor with tasks
- test_acme: make password renewal more robust
- tasks.py: fix flake8-reported issues
- ipatests: Test for OTP when the LDAP connection timed out.
- ipatests: verify that getcert output includes the issued date
- ipatests: Look for warning into stderr instead of stdout
- ipatests: use krb5_trace in TestIpaAdTrustInstall
- ipatests: Test ldapsearch with base scope works with compat tree.
- ipatests: skip test_basesearch_compat_tree on fedora.
- ipatests: Refactor test_check_otpd_after_idle_timeout
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 4.9.6-4.1
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688