[Freeipa-devel] [freeipa PR#5008][opened] EPN: handle empty attributes
URL: https://github.com/freeipa/freeipa/pull/5008 Author: rcritten Title: #5008: EPN: handle empty attributes Action: opened PR body: """ The admin user doesn't have a givenname and mail is empty by default. Handle those in a general way. Add test for this case. Based on https://github.com/freeipa/freeipa/pull/5006/ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5008/head:pr5008 git checkout pr5008 From 24ba3df7e66a681acf3d4938b5191dd929459bee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Thu, 6 Aug 2020 17:07:36 +0200 Subject: [PATCH 1/4] IPA-EPN: Use a helper to retrieve LDAP attributes from an entry Allow for empty attributes. --- ipaclient/install/ipa_epn.py | 22 +++--- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/ipaclient/install/ipa_epn.py b/ipaclient/install/ipa_epn.py index 65f9f3d47f..0d1ae2addf 100644 --- a/ipaclient/install/ipa_epn.py +++ b/ipaclient/install/ipa_epn.py 
@@ -122,22 +122,30 @@ def __len__(self): """Return len(self).""" return len(self._expiring_password_user_dq) +def get_ldap_attr(self, entry, attr): +"""Get a single value from a multi-valued attr in a safe way""" +return str(entry.get(attr, [""]).pop(0)) + def add(self, entry): """Parses and appends an LDAP user entry with the uid, cn, givenname, sn, krbpasswordexpiration and mail attributes. """ try: self._sorted = False +if entry.get("mail") is None: +logger.error("IPA-EPN: No mail address defined for: %s", + entry.dn) +return self._expiring_password_user_dq.append( dict( -uid=str(entry["uid"].pop(0)), -cn=str(entry["cn"].pop(0)), -givenname=str(entry["givenname"].pop(0)), -sn=str(entry["sn"].pop(0)), -krbpasswordexpiration=str( -entry["krbpasswordexpiration"].pop(0) +uid=self.get_ldap_attr(entry, "uid"), +cn=self.get_ldap_attr(entry, "cn"), +givenname=self.get_ldap_attr(entry, "givenname"), +sn=self.get_ldap_attr(entry, "sn"), +krbpasswordexpiration=( +self.get_ldap_attr(entry,"krbpasswordexpiration") ), -mail=str(entry["mail"]), +mail=str(entry.get("mail")), ) ) except IndexError as e: From 9d6bbb0244c2388906ce273bc40bae7bcb7377db Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Thu, 6 Aug 2020 17:13:19 +0200 Subject: [PATCH 2/4] IPA-EPN: fix configuration file typo MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: François Cami --- client/share/epn.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/share/epn.conf b/client/share/epn.conf index 0e590dfc3b..e3645801cb 100644 --- a/client/share/epn.conf +++ b/client/share/epn.conf @@ -23,7 +23,7 @@ smtp_port = 25 # Default None (empty value). # smtp_password = -# pecifies the number of seconds to wait for SMTP to respond. +# Specifies the number of seconds to wait for SMTP to respond. smtp_timeout = 60 # Specifies the type of secure connection to make. Options are: none, 
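Review bot: `get_ldap_attr` still calls `.pop(0)` on the attribute's value list, so it mutates the entry in place and raises IndexError when the attribute is present but holds an empty list — the `[""]` default only covers the missing-key case. Reading instead of popping avoids both: `values = entry.get(attr) or [""]` / `return str(values[0])`. The new `mail` guard in `add()` has the same gap: `entry.get("mail") is None` lets an empty list through and the user is appended with `mail="[]"`; `if not entry.get("mail"):` covers both shapes (whether the LDAP layer ever returns an empty list rather than omitting the attribute I can't tell from here). `add()` continues past the end of the hunk.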
From 8e157ce02595c115c36983fd90110189d0e0bf07 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Thu, 6 Aug 2020 18:57:10 -0400 Subject: [PATCH 3/4] IPA-EPN: Test that users without givenname and/or mail are handled The admin user does not have a givenname by default, allow for that. Report errors for users without a default e-mail address. Update the SHA256 hash with the typo fix. --- ipatests/test_integration/test_epn.py | 22 +- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py index f4c123c6d8..946e8e602a 100644 --- a/ipatests/test_integration/test_epn.py +++ b/ipatests/test_integration/test_epn.py @@ -231,7 +231,7 @@ def test_EPN_config_file(self): assert epn_conf in cmd1.stdout_text assert epn_template in cmd1.stdout_text cmd2 = self.master.run_command(["sha256sum", epn_conf]) -ck = "4c207b5c9c760c36db0d3b2b93da50ea49edcc4002d6d1e7383601f0ec30b957" +ck = "192481b52fb591112afd7b55b12a44c6618fdbc7e05a3b1866fd67ec579c51df" assert cmd2.stdout_text.find(ck) == 0 def test_EPN_smoketest_1(self): @@ -487,3 +487,23 @@ def test_EPN_delay_config(self, cleanupmail): self.master.put_file_contents('/etc/ipa/epn.conf', epn_conf) result = tasks.ipa_epn(self.master, raiseonerr=False) assert "smtp_delay cannot be less than zero"
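Review bot: `test_EPN_config_file` pins the exact SHA-256 of the shipped `epn.conf`, so every edit to that file — including this PR's one-character comment fix — breaks the test and the hash has to be regenerated by hand with nothing a reader can verify it against. Asserting on the content the test actually cares about (the documented `smtp_*` keys being present), or comparing the installed file against the in-tree copy, would survive cosmetic edits while still catching a mangled install. The second hunk in this file (`test_EPN_delay_config` and what follows) is cut off at the end of the message, so it is not reviewed here.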
[Freeipa-devel] [freeipa PR#5006][closed] IPA-EPN: use entry.get() to retrieve attributes
URL: https://github.com/freeipa/freeipa/pull/5006 Author: fcami Title: #5006: IPA-EPN: use entry.get() to retrieve attributes Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5006/head:pr5006 git checkout pr5006 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#5007][opened] ipatests: fix TestIpaHealthCheckWithoutDNS failure
URL: https://github.com/freeipa/freeipa/pull/5007 Author: flo-renaud Title: #5007: ipatests: fix TestIpaHealthCheckWithoutDNS failure Action: opened PR body: """ TestIpaHealthCheckWithoutDNS is launched after TestIpaHealthCheck::test_ipa_healthcheck_expiring that is playing with the date. At the end of test_ipa_healthcheck_expiring, the date is reset using systemctl start chronyd but the date may need time to adjust and the subsequent tests may be launched with a system date set in the future. When this happens, dnf install fails because the certificate for the package repo is seen as expired, and TestIpaHealthCheckWithoutDNS fails. In order to avoid this issue, call chronyc waitsync to make sure the date was adjusted back. Fixes: https://pagure.io/freeipa/issue/8447 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5007/head:pr5007 git checkout pr5007 From f49bc2ece03a4ec21c124903a8f12c05cd03414f Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Thu, 6 Aug 2020 18:53:35 +0200 Subject: [PATCH 1/2] ipatests: fix TestIpaHealthCheckWithoutDNS failure TestIpaHealthCheckWithoutDNS is launched after TestIpaHealthCheck::test_ipa_healthcheck_expiring that is playing with the date. At the end of test_ipa_healthcheck_expiring, the date is reset using systemctl start chronyd but the date may need time to adjust and the subsequent tests may be launched with a system date set in the future. When this happens, dnf install fails because the certificate for the package repo is seen as expired, and TestIpaHealthCheckWithoutDNS fails. In order to avoid this issue, call chronyc waitsync to make sure the date was adjusted back. Fixes: https://pagure.io/freeipa/issue/8447 --- ipatests/test_integration/test_ipahealthcheck.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py index cf406f56c0..773af9c3d6 100644 
--- a/ipatests/test_integration/test_ipahealthcheck.py +++ b/ipatests/test_integration/test_ipahealthcheck.py @@ -876,6 +876,9 @@ def execute_expiring_check(check): execute_expiring_check(check) self.master.run_command(['systemctl', 'start', 'chronyd']) +# After restarting chronyd, the date may need some time to get synced +# Use chronyc waitsync to make sure we are back to current date +self.master.run_command([paths.CHRONYC, 'waitsync', '3']) def test_ipa_healthcheck_remove(self): """ From 36d856b718bbc2b6f9462bf5bd188702542cc7ff Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Thu, 6 Aug 2020 19:00:02 +0200 Subject: [PATCH 2/2] Temp commit --- .freeipa-pr-ci.yaml| 2 +- ipatests/prci_definitions/temp_commit.yaml | 8 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml index abcf8c5b63..8065669008 12 --- a/.freeipa-pr-ci.yaml +++ b/.freeipa-pr-ci.yaml @@ -1 +1 @@ -ipatests/prci_definitions/gating.yaml \ No newline at end of file +ipatests/prci_definitions/temp_commit.yaml \ No newline at end of file diff --git a/ipatests/prci_definitions/temp_commit.yaml b/ipatests/prci_definitions/temp_commit.yaml index e337068145..9c98b0d5c3 100644 --- a/ipatests/prci_definitions/temp_commit.yaml +++ b/ipatests/prci_definitions/temp_commit.yaml 
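Review bot: `chronyc waitsync 3` gives up after three polls (about 10 s apart per the chronyc docs) and exits non-zero, at which point `run_command` raises and `test_ipa_healthcheck_expiring` itself fails for a timing reason unrelated to what it tests — and the later tests still start on a skewed clock. Consider `raiseonerr=False` with a logged warning, or a larger try count, plus a comment stating what the argument means: `# waitsync <max-tries>: poll until chronyd reports the clock synced`. Whether chronyd steps a large backwards offset quickly enough for three tries depends on its makestep configuration, which this diff does not show. The enclosing test method starts before the hunk.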
@@ -61,14 +61,14 @@ jobs: timeout: 1800 topology: *build - fedora-latest/temp_commit: + fedora-latest/test_ipahealthcheck: requires: [fedora-latest/build] priority: 50 job: class: RunPytest args: build_url: '{fedora-latest/build_url}' -test_suite: test_integration/test_REPLACEME.py +test_suite: test_integration/test_ipahealthcheck.py::TestIpaHealthCheck test_integration/test_ipahealthcheck.py::TestIpaHealthCheckWithoutDNS template: *ci-master-latest -timeout: 3600 -topology: *master_1repl_1client +timeout: 4800 +topology: *master_1repl ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#5005][closed] [Backport][ipa-4-8] ipatests: Add compatibility against python-cryptography 3.0
URL: https://github.com/freeipa/freeipa/pull/5005 Author: rcritten Title: #5005: [Backport][ipa-4-8] ipatests: Add compatibility against python-cryptography 3.0 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5005/head:pr5005 git checkout pr5005 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#5003][closed] [Backport][ipa-4-8] Don't configure authselect in containers
URL: https://github.com/freeipa/freeipa/pull/5003 Author: tiran Title: #5003: [Backport][ipa-4-8] Don't configure authselect in containers Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5003/head:pr5003 git checkout pr5003 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#4983][closed] Tests for fake_mname parameter setup
URL: https://github.com/freeipa/freeipa/pull/4983 Author: kaleemsiddiqu Title: #4983: Tests for fake_mname parameter setup Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4983/head:pr4983 git checkout pr4983 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#5006][opened] IPA-EPN: use entry.get() to retrieve attributes
URL: https://github.com/freeipa/freeipa/pull/5006 Author: fcami Title: #5006: IPA-EPN: use entry.get() to retrieve attributes Action: opened PR body: """ Use entry.get() to retrieve attributes to avoid tripping on missing attrs. Fixes: TBD Signed-off-by: François Cami """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5006/head:pr5006 git checkout pr5006 From b3c69af0013378a96b956a1f995aec266beb3d34 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Thu, 6 Aug 2020 17:07:36 +0200 Subject: [PATCH] IPA-EPN: use entry.get() to retrieve attributes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Use entry.get() to retrieve attributes to avoid tripping on missing attrs. Fixes: TBD Signed-off-by: François Cami --- ipaclient/install/ipa_epn.py | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/ipaclient/install/ipa_epn.py b/ipaclient/install/ipa_epn.py index 6e1b001464..c7ce58fdba 100644 --- a/ipaclient/install/ipa_epn.py +++ b/ipaclient/install/ipa_epn.py 
@@ -131,14 +131,14 @@ def add(self, entry):
 self._sorted = False
 self._expiring_password_user_dq.append(
 dict(
-uid=str(entry["uid"].pop(0)),
-cn=str(entry["cn"].pop(0)),
-givenname=str(entry["givenname"].pop(0)),
-sn=str(entry["sn"].pop(0)),
+uid=str(entry.get("uid")),
+cn=str(entry.get("cn")),
+givenname=str(entry.get("givenname")),
+sn=str(entry.get("sn")),
 krbpasswordexpiration=str(
-entry["krbpasswordexpiration"].pop(0)
+entry.get("krbpasswordexpiration")
 ),
-mail=str(entry["mail"]),
+mail=str(entry.get("mail")),
 )
 )
 except IndexError as e:
___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
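Review bot: `entry.get("uid")` returns the attribute's value list, not a scalar, so `str(entry.get("uid"))` produces a string like `"['admin']"` (and the literal `"None"` when the attribute is absent) instead of the first value the old `.pop(0)` extracted — every field in the dict changes shape, and the `except IndexError` at the bottom of the hunk can no longer fire. Keep a single-value extraction that tolerates a missing attribute, e.g. `uid=str((entry.get("uid") or [""])[0])`, or route all five fields through one small helper that does this. `mail` was already stringified as a whole list before this change, so that field at least is unchanged.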
[Freeipa-devel] [freeipa PR#4936][closed] ipatests: Add compatibility against python-cryptography 3.0
URL: https://github.com/freeipa/freeipa/pull/4936 Author: stanislavlevin Title: #4936: ipatests: Add compatibility against python-cryptography 3.0 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4936/head:pr4936 git checkout pr4936 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#5005][opened] [Backport][ipa-4-8] ipatests: Add compatibility against python-cryptography 3.0
URL: https://github.com/freeipa/freeipa/pull/5005 Author: rcritten Title: #5005: [Backport][ipa-4-8] ipatests: Add compatibility against python-cryptography 3.0 Action: opened PR body: """ This PR was opened automatically because PR #4936 was pushed to master and backport to ipa-4-8 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5005/head:pr5005 git checkout pr5005 From 2cdda9869df14eee00c8a91a249bf68b29327603 Mon Sep 17 00:00:00 2001 From: Stanislav Levin Date: Thu, 23 Jul 2020 15:04:49 +0300 Subject: [PATCH] ipatests: Add compatibility against python-cryptography 3.0 The recently released python-cryptography 3.0 has backward incompatible changes. One of them [0] breaks FreeIPA self-tests. Note: this requires python-cryptography 2.7+. [0] https://github.com/pyca/cryptography/commit/3b2102af549c1095d5478bb1243ee4cf76b9762b Fixes: https://pagure.io/freeipa/issue/8428 Signed-off-by: Stanislav Levin --- .../integration/create_caless_pki.py | 23 ++- 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/ipatests/pytest_ipa/integration/create_caless_pki.py b/ipatests/pytest_ipa/integration/create_caless_pki.py index f2a98f5a78..930661b5cd 100644 --- a/ipatests/pytest_ipa/integration/create_caless_pki.py +++ b/ipatests/pytest_ipa/integration/create_caless_pki.py @@ -20,11 +20,13 @@ import os.path import six +from cryptography import __version__ as cryptography_version from cryptography import x509 from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import rsa from cryptography.x509.oid import NameOID +from pkg_resources import parse_version from pyasn1.type import univ, char, namedtype, tag from pyasn1.codec.der import encoder as der_encoder from pyasn1.codec.native import decoder as native_decoder 
@@ -150,13 +152,22 @@ def profile_ca(builder, ca_nick, ca): critical=False, ) else: -ski = ca.cert.extensions.get_extension_for_class( -x509.SubjectKeyIdentifier) -builder = builder.add_extension( -x509.AuthorityKeyIdentifier -.from_issuer_subject_key_identifier(ski), -critical=False, +ski_ext = ca.cert.extensions.get_extension_for_class( +x509.SubjectKeyIdentifier ) +auth_keyidentifier = (x509.AuthorityKeyIdentifier + .from_issuer_subject_key_identifier) +''' +cryptography < 2.7 accepts only Extension object. +Remove this workaround when all supported platforms update +python-cryptography. +''' +if (parse_version(cryptography_version) >= parse_version('2.7')): +extension = auth_keyidentifier(ski_ext.value) +else: +extension = auth_keyidentifier(ski_ext) + +builder = builder.add_extension(extension, critical=False) return builder ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
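Review bot: the triple-quoted block inside `profile_ca` explaining the cryptography < 2.7 workaround is an expression statement, not a comment — it is a string literal built and discarded at runtime; make it `#` comments, e.g. `# cryptography < 2.7 accepts only an Extension object here.` / `# Drop this once all supported platforms ship python-cryptography >= 2.7.` The parenthesised `if (parse_version(...) >= parse_version('2.7')):` is also un-Pythonic; `if parse_version(cryptography_version) >= parse_version('2.7'):` reads better. Separately, `pkg_resources.parse_version` imports setuptools at module load and is deprecated upstream; `packaging.version.Version` would do if `packaging` is already a test dependency, which this diff does not show.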
[Freeipa-devel] [freeipa PR#5000][closed] [Backport][ipa-4-8] Set permissions of /etc/ipa/ca.crt to 0644 in CA-less installs
URL: https://github.com/freeipa/freeipa/pull/5000 Author: flo-renaud Title: #5000: [Backport][ipa-4-8] Set permissions of /etc/ipa/ca.crt to 0644 in CA-less installs Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5000/head:pr5000 git checkout pr5000 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#5004][opened] [Backport][ipa-4-8] Simplify and make more reliable the server and client installation checks
URL: https://github.com/freeipa/freeipa/pull/5004 Author: rcritten Title: #5004: [Backport][ipa-4-8] Simplify and make more reliable the server and client installation checks Action: opened PR body: """ This PR was opened manually because PR #4895 was pushed to master and backport to ipa-4-8 is required. The merge conflict was due to 53d472b490ac7a14fc78516b448d4aa312b79b7f being only in master. Fixing this was straightforward. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5004/head:pr5004 git checkout pr5004 From 753d110a1541b337ff4c0cae407ed89e06ffc929 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Tue, 7 Jul 2020 16:24:35 -0400 Subject: [PATCH 1/5] Simplify determining if an IPA server installation is complete When asking the question "is my IPA server configured?" right now we look at whether the installation backed up any files and set any state. This isn't exactly precise. Instead set a new state, installation, to True as soon as IPA is restarted at the end of the installer. On upgrades existing installations will automatically get this state. This relies on the fact that get_state returns None if no state at all is set. This indicates that this "new" option isn't available and when upgrading an existing installation we can assume the install at least partly works. The value is forced to False at the beginning of a fresh install so if it fails, or is in a transient state like with an external CA, we know that the installation is not complete. https://pagure.io/freeipa/issue/8384 Signed-off-by: Rob Crittenden Reviewed-By: Alexander Bokovoy Reviewed-By: Francois Cami --- ipaserver/install/installutils.py | 22 ++ ipaserver/install/server/install.py| 6 ++ ipaserver/install/server/replicainstall.py | 6 ++ ipaserver/install/server/upgrade.py| 4 4 files changed, 18 insertions(+), 20 deletions(-) 
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index ba98e8bed3..f19f64fbe8 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py @@ -700,28 +700,10 @@ def rmtree(path): def is_ipa_configured(): """ -Using the state and index install files determine if IPA is already -configured. +Use the state to determine if IPA has been configured. """ -installed = False - sstore = sysrestore.StateFile(paths.SYSRESTORE) -fstore = sysrestore.FileStore(paths.SYSRESTORE) - -for module in IPA_MODULES: -if sstore.has_state(module): -logger.debug('%s is configured', module) -installed = True -else: -logger.debug('%s is not configured', module) - -if fstore.has_files(): -logger.debug('filestore has files') -installed = True -else: -logger.debug('filestore is tracking no files') - -return installed +return sstore.get_state('installation', 'complete') def run_script(main_function, operation_name, log_file_name=None, diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index b53c58e2a6..4822c222ce 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -795,6 +795,9 @@ def install(installer): # failure to enable root cause investigation installer._installation_cleanup = False +# Be clear that the installation process is beginning but not done +sstore.backup_state('installation', 'complete', False) + if installer.interactive: print("") print("The following operations may take some minutes to complete.") @@ -998,6 +1001,8 @@ def install(installer): bind.create_file_with_system_records() # Everything installed properly, activate ipa service. +sstore.delete_state('installation', 'complete') +sstore.backup_state('installation', 'complete', True) services.knownservices.ipa.enable() print("===" 
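Review bot: `is_ipa_configured()` now returns whatever `sstore.get_state('installation', 'complete')` yields, so on an existing install that has not yet passed through the upgrade path the result is `None` rather than a bool, and the rewritten docstring does not say so. Since the commit message deliberately relies on that tri-state ("None means the marker does not exist yet, assume installed"), either document it — `Returns True/False, or None when the state file predates the 'installation' marker` — or resolve it here with `state = sstore.get_state('installation', 'complete')` / `return True if state is None else bool(state)` so callers that only test truthiness do not treat a legacy install as unconfigured. The `upgrade.py` side of this change is in the diffstat but not shown, so this is hedged on what it does.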
@@ -1201,6 +1206,7 @@ def uninstall(installer): if fstore.has_files(): logger.error('Some files have not been restored, see ' '%s/sysrestore.index', SYSRESTORE_DIR_PATH) +sstore.delete_state('installation', 'complete') has_state = False for module in IPA_MODULES: # from installutils if sstore.has_state(module): diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 7d6c4108c0..b8e896ac7c 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -1205,6 +1205,7 @@ def install(installer): ca_enabled = installer._ca_enabled kra_enabled = installer._kra_enabled fstore = installer._fstore +sstore = installer._sstore config = installer._config cafile = installer._ca_file dirsrv_pkcs12_info =
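Review bot: the `sstore.delete_state('installation', 'complete')` added to `uninstall()` removes the marker outright, which collapses "explicitly not configured" into "marker predates this version" — after a partial or failed uninstall, `get_state` returns `None` again, the value the install path treats as "legacy install, assume configured". Writing `sstore.backup_state('installation', 'complete', False)` keeps the explicit negative; the key can be dropped only when the whole sysrestore state is cleared at the end. The `replicainstall.py` hunk that follows is cut off at the end of the message and is not reviewed here; `uninstall()` itself starts before the hunk.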
[Freeipa-devel] [freeipa PR#5001][closed] ipatests: Test certmonger rekey command works fine
URL: https://github.com/freeipa/freeipa/pull/5001 Author: mrizwan93 Title: #5001: ipatests: Test certmonger rekey command works fine Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5001/head:pr5001 git checkout pr5001 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#5001][opened] ipatests: Test certmonger rekey command works fine
URL: https://github.com/freeipa/freeipa/pull/5001 Author: mrizwan93 Title: #5001: ipatests: Test certmonger rekey command works fine Action: opened PR body: """ Certmonger's rekey command was throwing an error as unrecognized command. Test is to check if it is working fine. related: https://bugzilla.redhat.com/show_bug.cgi?id=1249165 Signed-off-by: Mohammad Rizwan """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5001/head:pr5001 git checkout pr5001 From 3aea605e4bc500c59770183e64e6faee317605d9 Mon Sep 17 00:00:00 2001 From: Sergey Orlov Date: Wed, 5 Aug 2020 16:37:05 +0200 Subject: [PATCH 1/2] Fix password file permission Invalid permission makes file unreadable by owner if he is not root. Reviewed-By: Alexander Bokovoy --- ipatests/test_integration/test_cert.py | 40 ++ 1 file changed, 40 insertions(+) diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py index 865578941c..0bdec34c46 100644 --- a/ipatests/test_integration/test_cert.py +++ b/ipatests/test_integration/test_cert.py @@ -9,6 +9,7 @@ import ipaddress import pytest import re +import time from ipaplatform.paths import paths from cryptography import x509 
@@ -216,6 +217,45 @@ def test_getcert_list_profile_using_subca(self, test_subca_certs): raise AssertionError("certmonger request is " "in state {}". format(status)) +def test_certmonger_rekey_option(self): +"""Test certmonger rekey command works fine + +Certmonger's rekey command was throwing an error as +unrecognized command. Test is to check if it is working fine. + +related: https://bugzilla.redhat.com/show_bug.cgi?id=1249165 +""" +result = self.master.run_command([ +'ipa-getcert', 'request', +'-f', '/etc/pki/tls/certs/test_rekey.pem', +'-k', '/etc/pki/tls/private/test.key', +'-K', 'test/{}'.format(self.master.hostname)]) +request_id = re.findall(r'\d+', result.stdout_text) +certdata = self.master.get_file_contents( +'/etc/pki/tls/certs/test_rekey.pem' +) +cert = x509.load_pem_x509_certificate( +certdata, default_backend() +) +assert cert.public_key().key_size == 2048 + +# rekey with key size 3072 +self.master.run_command(['getcert', 'rekey', + '-i', request_id[0], + '-g', '3072']) +time.sleep(60) +certdata = self.master.get_file_contents( +'/etc/pki/tls/certs/test_rekey.pem' +) +cert = x509.load_pem_x509_certificate( +certdata, default_backend() +) +# check if rekey command updated the key size +assert cert.public_key().key_size == 3072 + +self.master.run_command(['getcert', 'stop-tracking' + '-i', request_id[0]]) + class TestCertmongerInterruption(IntegrationTest): num_replicas = 1 From 72d24dac1f72334f6d8534b68378725dc3426990 Mon Sep 17 00:00:00 2001 From: Mohammad Rizwan Date: Thu, 6 Aug 2020 16:56:45 +0530 Subject: [PATCH 2/2] ipatests: Test certmonger rekey command works fine Certmonger's rekey command was throwing an error as unrecognized command. Test is to check if it is working fine. related: https://bugzilla.redhat.com/show_bug.cgi?id=1249165 Signed-off-by: Mohammad Rizwan --- ipatests/test_integration/test_cert.py | 10 -- 1 file changed, 8 insertions(+), 2 deletions(-) 
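Review bot: `'stop-tracking' '-i'` in the final `run_command` call of `test_certmonger_rekey_option` is missing a comma, so Python concatenates the adjacent literals into the single argument `stop-tracking-i`, `getcert` rejects it, and the request stays tracked after the test. Add the comma: `self.master.run_command(['getcert', 'stop-tracking', '-i', request_id[0]])`. Separately, patch 1/2 is titled "Fix password file permission" with a different author and a Reviewed-By trailer, but its body only adds this test — the commit message appears carried over from an unrelated change and should be rewritten before merge.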
diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py index 0bdec34c46..fd478116ab 100644 --- a/ipatests/test_integration/test_cert.py +++ b/ipatests/test_integration/test_cert.py @@ -9,7 +9,6 @@ import ipaddress import pytest import re -import time from ipaplatform.paths import paths from cryptography import x509 @@ -231,6 +230,10 @@ def test_certmonger_rekey_option(self): '-k', '/etc/pki/tls/private/test.key', '-K', 'test/{}'.format(self.master.hostname)]) request_id = re.findall(r'\d+', result.stdout_text) + +status = tasks.wait_for_request(self.master, request_id[0], 50) +assert status == "MONITORING" + certdata = self.master.get_file_contents( '/etc/pki/tls/certs/test_rekey.pem' ) @@ -243,7 +246,10 @@ def test_certmonger_rekey_option(self): self.master.run_command(['getcert', 'rekey', '-i', request_id[0], '-g', '3072']) -time.sleep(60) + +status = tasks.wait_for_request(self.master, request_id[0], 50) +assert status == "MONITORING" + certdata = self.master.get_file_contents( '/etc/pki/tls/certs/test_rekey.pem' ) ___
[Freeipa-devel] [freeipa PR#5002][opened] ipatests: Test certmonger rekey command works fine
URL: https://github.com/freeipa/freeipa/pull/5002 Author: mrizwan93 Title: #5002: ipatests: Test certmonger rekey command works fine Action: opened PR body: """ Certmonger's rekey command was throwing an error as unrecognized command. Test is to check if it is working fine. related: https://bugzilla.redhat.com/show_bug.cgi?id=1249165 Signed-off-by: Mohammad Rizwan """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5002/head:pr5002 git checkout pr5002 From 2534890332571cb77f8177c6a5195d45d51ef60b Mon Sep 17 00:00:00 2001 From: Mohammad Rizwan Date: Thu, 6 Aug 2020 17:06:21 +0530 Subject: [PATCH] ipatests: Test certmonger rekey command works fine Certmonger's rekey command was throwing an error as unrecognized command. Test is to check if it is working fine. related: https://bugzilla.redhat.com/show_bug.cgi?id=1249165 Signed-off-by: Mohammad Rizwan --- ipatests/test_integration/test_cert.py | 46 ++ 1 file changed, 46 insertions(+) diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py index 865578941c..fd478116ab 100644 --- a/ipatests/test_integration/test_cert.py +++ b/ipatests/test_integration/test_cert.py 
@@ -216,6 +216,52 @@ def test_getcert_list_profile_using_subca(self, test_subca_certs):
raise AssertionError("certmonger request is "
"in state {}".
format(status))

+def test_certmonger_rekey_option(self):
+"""Test certmonger rekey command works fine
+
+Certmonger's rekey command was throwing an error as
+unrecognized command. Test is to check if it is working fine.
+
+related: https://bugzilla.redhat.com/show_bug.cgi?id=1249165
+"""
+result = self.master.run_command([
+'ipa-getcert', 'request',
+'-f', '/etc/pki/tls/certs/test_rekey.pem',
+'-k', '/etc/pki/tls/private/test.key',
+'-K', 'test/{}'.format(self.master.hostname)])
+request_id = re.findall(r'\d+', result.stdout_text)
+
+status = tasks.wait_for_request(self.master, request_id[0], 50)
+assert status == "MONITORING"
+
+certdata = self.master.get_file_contents(
+'/etc/pki/tls/certs/test_rekey.pem'
+)
+cert = x509.load_pem_x509_certificate(
+certdata, default_backend()
+)
+assert cert.public_key().key_size == 2048
+
+# rekey with key size 3072
+self.master.run_command(['getcert', 'rekey',
+ '-i', request_id[0],
+ '-g', '3072'])
+
+status = tasks.wait_for_request(self.master, request_id[0], 50)
+assert status == "MONITORING"
+
+certdata = self.master.get_file_contents(
+'/etc/pki/tls/certs/test_rekey.pem'
+)
+cert = x509.load_pem_x509_certificate(
+certdata, default_backend()
+)
+# check if rekey command updated the key size
+assert cert.public_key().key_size == 3072
+
+self.master.run_command(['getcert', 'stop-tracking'
+ '-i', request_id[0]])
+
class TestCertmongerInterruption(IntegrationTest):
num_replicas = 1
___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
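Review bot: The final `stop-tracking` call at the end of the hunk is missing a comma between `'stop-tracking'` and `'-i'`, so adjacent-string concatenation passes the single argument `stop-tracking-i`; getcert rejects it, `run_command` raises with its default raiseonerr, the test fails after all its real assertions passed, and the request stays tracked with its private key left in /etc/pki/tls/private/test.key. Change it to `self.master.run_command(['getcert', 'stop-tracking', '-i', request_id[0]])`. It would also be worth asserting `request_id` is non-empty before indexing it (an empty findall gives an unhelpful IndexError) and removing test_rekey.pem and test.key at the end so a test private key does not outlive the test on the master.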
[Freeipa-devel] [freeipa PR#4895][closed] Simplify and make more reliable the server and client installation checks
URL: https://github.com/freeipa/freeipa/pull/4895 Author: rcritten Title: #4895: Simplify and make more reliable the server and client installation checks Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4895/head:pr4895 git checkout pr4895 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#4999][closed] Don't configure authselect in containers
URL: https://github.com/freeipa/freeipa/pull/4999 Author: tiran Title: #4999: Don't configure authselect in containers Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4999/head:pr4999 git checkout pr4999 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#5003][opened] [Backport][ipa-4-8] Don't configure authselect in containers
URL: https://github.com/freeipa/freeipa/pull/5003 Author: tiran Title: #5003: [Backport][ipa-4-8] Don't configure authselect in containers Action: opened PR body: """ This PR was opened automatically because PR #4999 was pushed to master and backport to ipa-4-8 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5003/head:pr5003 git checkout pr5003 From b9f758945591f193480d3a641d8c8c6050f493a0 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Thu, 6 Aug 2020 12:44:32 +0200 Subject: [PATCH] Don't configure authselect in containers freeipa-container images come with authselect pre-configured. There is no need to configure, migrate, or restore authselect. The --mkhomedir option is not supported, too. Related: https://pagure.io/freeipa/issue/8401 Signed-off-by: Christian Heimes --- ipaclient/install/client.py | 8 ipaplatform/README.md| 50 ipaplatform/base/tasks.py| 5 +++ ipaplatform/fedora_container/__init__.py | 2 +- ipaplatform/fedora_container/tasks.py| 23 ++- ipaplatform/rhel_container/__init__.py | 2 +- ipaplatform/rhel_container/tasks.py | 23 ++- 7 files changed, 109 insertions(+), 4 deletions(-) create mode 100644 ipaplatform/README.md diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py index ad03c81fd1..3df2cf9dcd 100644 --- a/ipaclient/install/client.py +++ b/ipaclient/install/client.py @@ -2160,6 +2160,14 @@ def install_check(options): "authentication resources", rval=CLIENT_INSTALL_ERROR) +# --mkhomedir is not supported by fedora_container and rhel_container +if not tasks.is_mkhomedir_supported() and options.mkhomedir: +raise ScriptError( +"Option '--mkhomedir' is incompatible with the 'authselect' tool " +"provided by this distribution for configuring system " +"authentication resources", +rval=CLIENT_INSTALL_ERROR) + # when installing with '--no-sssd' option, check whether nss-ldap is # installed if not options.sssd: 
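Review bot: The message raised by the new `--mkhomedir` check in the client.py hunk says the option is incompatible with authselect, but the commit message gives a different reason — the container images ship a pre-configured authselect profile that the installer deliberately does not modify — so an admin reading it will go looking at authselect rather than at the container platform. A message that names the real constraint is more actionable, e.g. `"Option '--mkhomedir' is not supported on this platform: the image ships a fixed authselect profile that ipa-client-install does not modify"`. Testing the cheap option first, `if options.mkhomedir and not tasks.is_mkhomedir_supported():`, also avoids a platform call on every install that did not pass the flag. `install_check` continues outside the hunk.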
diff --git a/ipaplatform/README.md b/ipaplatform/README.md new file mode 100644 index 00..a1aff58069 --- /dev/null +++ b/ipaplatform/README.md 
@@ -0,0 +1,50 @@ +# IPA platform abstraction + +The ``ipaplatform`` package provides an abstraction layer for +supported Linux distributions and flavors. The package contains +constants, paths to commands and config files, services, and tasks. + +* **base** abstract base platform +* **debian** Debian- and Ubuntu-like +* **redhat** abstract base for Red Hat platforms +* **fedora** Fedora +* **fedora_container** freeipa-container on Fedora +* **rhel** RHEL and CentOS +* **rhel_container** freeipa-container on RHEL and CentOS +* **suse** OpenSUSE and SLES + +``` +[base] + ├─ debian + ├─[redhat] + │ ├─ fedora + │ │ └─ fedora_container + │ └─ rhel + │ └─ rhel_container + └─ suse +``` +(Note: Debian and SUSE use some definitions from Red Hat namespace.) + + +## freeipa-container platform + +The **fedora_container** and **rhel_container** platforms are flavors +of the **fedora** and **rhel** platforms. These platform definitions +are specifically designed for +[freeipa-container](https://github.com/freeipa/freeipa-container). +The FreeIPA server container implements a read-only container. Paths +like ``/etc``, ``/usr``, and ``/var`` are mounted read-only and cannot +be modified. The image uses symlinks to store all variable data like +config files and LDAP database in ``/data``. + +* Some commands don't write through dangling symlinks. The IPA + platforms for containers prefix some paths with ``/data``. +* ``ipa-server-upgrade`` verifies that the platform does not change + between versions. To allow upgrades of old containers, sysupgrade + maps ``$distro_container`` to ``$distro`` platform. +* The container images come with authselect pre-configured with + ``sssd with-sudo`` option. The tasks ``modify_nsswitch_pam_stack`` + and ``migrate_auth_configuration`` are no-ops. ``ipa-restore`` + does not restore authselect settings. ``ipa-backup`` still stores + authselect settings in backup data. +* The ``--mkhomedir`` option is not supported. 
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py index 2e35dfd424..ad1e90d398 100644 --- a/ipaplatform/base/tasks.py +++ b/ipaplatform/base/tasks.py @@ -208,7 +208,12 @@ def is_nosssd_supported(self): """ Check if the flag --no-sssd is supported for client install. """ +return True +def is_mkhomedir_supported(self): +""" +Check if the flag --mkhomedir is supported for client install. +""" return True def backup_auth_configuration(self, path): diff --git a/ipaplatform/fedora_container/__init__.py b/ipaplatform/fedora_container/__init__.py index
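Review bot: The docstring of the new `is_mkhomedir_supported` only restates its name; the base implementation unconditionally returns True and, per the diffstat and commit message, the container platform tasks presumably override it, but neither that contract nor its consumer (`install_check`) is stated, so a new platform author has no hint to override it. Suggest replacing the three-line docstring with one that says: returns True when ipa-client-install may honour --mkhomedir on this platform; platforms whose authentication stack is fixed (the container flavors) override it to return False, and install_check refuses the option when it is False. The method is complete within the hunk; `backup_auth_configuration` continues outside it.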
[Freeipa-devel] [freeipa PR#4998][closed] ipatests: Test certmonger rekey command works fine
URL: https://github.com/freeipa/freeipa/pull/4998 Author: mrizwan93 Title: #4998: ipatests: Test certmonger rekey command works fine Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4998/head:pr4998 git checkout pr4998 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#5000][opened] [Backport][ipa-4-8] Set permissions of /etc/ipa/ca.crt to 0644 in CA-less installs
URL: https://github.com/freeipa/freeipa/pull/5000 Author: flo-renaud Title: #5000: [Backport][ipa-4-8] Set permissions of /etc/ipa/ca.crt to 0644 in CA-less installs Action: opened PR body: """ This PR was opened automatically because PR #4989 was pushed to master and backport to ipa-4-8 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5000/head:pr5000 git checkout pr5000 From 80792c240fd2e2f184977589e1f9a9b27e22f906 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Tue, 4 Aug 2020 15:09:56 -0400 Subject: [PATCH 1/2] Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations It was previously being set to 0444 which triggered a warning in freeipa-healthcheck. Even root needs DAC_OVERRIDE capability to write to a 0o444 file which may not be available in some environments. https://pagure.io/freeipa/issue/8441 --- ipaserver/install/certs.py | 2 +- ipaserver/install/server/install.py | 5 ++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index 22ee79bd1d..51d9f92219 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -329,7 +329,7 @@ def export_ca_cert(self, nickname, create_pkcs12=False): ipautil.backup_file(cacert_fname) root_nicknames = self.find_root_cert(nickname)[:-1] with open(cacert_fname, "w") as f: -os.fchmod(f.fileno(), stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH) +os.fchmod(f.fileno(), 0o644) for root in root_nicknames: result = self.run_certutil(["-L", "-n", root, "-a"], capture_output=True) diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index b53c58e2a6..6a593602fc 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py 
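Review bot: In the certs.py hunk the literal `0o644` replaces the symbolic `stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH` that the removed line used; `stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH` keeps the file's existing style and makes the newly granted owner-write bit explicit rather than implicit in a number. The property that matters for a trust anchor — no group or world write — is preserved either way, and world-read is intended since clients fetch this CA certificate. Because the file is created by `open(..., "w")` before `fchmod` runs, its initial mode comes from the umask; that is harmless here (fchmod precedes the write and the content is public) but deserves a comment such as `# created with umask mode, then fixed to 0644 before content is written`. `export_ca_cert` continues outside the hunk.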
@@ -891,9 +891,8 @@ def install(installer):
ca.install_step_0(False, None, options, custodia=custodia)
else:
-# Put the CA cert where other instances expect it
-x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT)
-os.chmod(paths.IPA_CA_CRT, 0o444)
+# /etc/ipa/ca.crt is created as a side-effect of
+# dsinstance::enable_ssl() via export_ca_cert()
if not options.no_pkinit:
x509.write_certificate(http_ca_cert, paths.KDC_CA_BUNDLE_PEM)
From 83ddfbfd6db62a45852959af8440d9c35532813a Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Tue, 4 Aug 2020 15:12:20 -0400 Subject: [PATCH 2/2] ipatests: Check permissions of /etc/ipa/ca.crt new installations It should be 0644 root:root for both CA-ful and CA-less installs. https://pagure.io/freeipa/issue/8441
--- ipatests/test_integration/test_caless.py | 8 ipatests/test_integration/test_installation.py | 10 ++ 2 files changed, 18 insertions(+)
diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index 1ea7d9896f..16dfbb320b 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -394,6 +394,14 @@ def verify_installation(self):
host, cert_from_ldap.public_bytes(x509.Encoding.PEM))
assert cert_from_ldap == expected_cacrt
+result = host.run_command(
+["/usr/bin/stat", "-c", "%U:%G:%a", paths.IPA_CA_CRT]
+)
+(owner, group, mode) = result.stdout_text.strip().split(':')
+assert owner == "root"
+assert group == "root"
+assert mode == "644"
+
# Verify certmonger was not started
result = host.run_command(['getcert', 'list'], raiseonerr=False)
assert result.returncode == 0
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index 100a5a7666..fb19900838 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
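Review bot: The new comment in the install.py hunk records a dependency on a side effect in another module (`dsinstance.enable_ssl()` calling `export_ca_cert()`) without anything enforcing it; if that call order ever changes, a CA-less install would proceed without /etc/ipa/ca.crt and the pkinit bundle written just below would be the only copy of the trust anchor on disk. A cheap guard after the `else:` is to check the file exists and raise the installer's error type otherwise, e.g. `if not os.path.exists(paths.IPA_CA_CRT): raise RuntimeError("%s was not created by enable_ssl()" % paths.IPA_CA_CRT)` (use whatever error class install.py already raises). The comment itself should state the ordering requirement: `# /etc/ipa/ca.crt (0644) was already written by dsinstance.enable_ssl() -> export_ca_cert(); that must run before this point`. `install()` starts and ends outside the hunk.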
@@ -346,6 +346,16 @@ def test_certmonger_reads_token_HSM(self):
status = tasks.wait_for_request(self.master, request_id[0], 300)
assert status == "MONITORING"
+def test_ipa_ca_crt_permissions(self):
+"""Verify that /etc/ipa/ca.cert is mode 0644 root:root"""
+result = self.master.run_command(
+["/usr/bin/stat", "-c", "%U:%G:%a", paths.IPA_CA_CRT]
+)
+out = str(result.stdout_text.strip())
+(owner, group, mode) = out.split(':')
+assert mode == "644"
+assert owner == "root"
+assert group == "root"
class TestInstallWithCA_KRA1(InstallTestBase1):
___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct:
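Review bot: The docstring of `test_ipa_ca_crt_permissions` names the file `/etc/ipa/ca.cert` while the code checks `paths.IPA_CA_CRT`, which the commit title calls /etc/ipa/ca.crt; change it to `"""Verify that /etc/ipa/ca.crt is mode 0644 root:root"""`. The `str(...)` around `result.stdout_text.strip()` is redundant (the sibling check in test_caless.py splits `stdout_text` directly), so `owner, group, mode = result.stdout_text.strip().split(':')` matches that version. The same stat/split/assert sequence now exists in two test files; a small helper in tasks would keep CA-ful and CA-less installs checked the same way if the expected mode changes again.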
[Freeipa-devel] [freeipa PR#4989][closed] Set permissions of /etc/ipa/ca.crt to 0644 in CA-less installs
URL: https://github.com/freeipa/freeipa/pull/4989 Author: rcritten Title: #4989: Set permissions of /etc/ipa/ca.crt to 0644 in CA-less installs Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4989/head:pr4989 git checkout pr4989 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#4999][opened] Don't configure authselect in containers
URL: https://github.com/freeipa/freeipa/pull/4999 Author: tiran Title: #4999: Don't configure authselect in containers Action: opened PR body: """ freeipa-container images come with authselect pre-configured. There is no need to configure, migrate, or restore authselect. The --mkhomedir option is not supported, too. Related: https://pagure.io/freeipa/issue/8401 Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4999/head:pr4999 git checkout pr4999 From 48c127d259eaed90bb1abc6b59e07c569481215a Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Thu, 6 Aug 2020 12:44:32 +0200 Subject: [PATCH] Don't configure authselect in containers freeipa-container images come with authselect pre-configured. There is no need to configure, migrate, or restore authselect. The --mkhomedir option is not supported, too. Related: https://pagure.io/freeipa/issue/8401 Signed-off-by: Christian Heimes --- ipaclient/install/client.py | 8 ipaplatform/README.md| 50 ipaplatform/base/tasks.py| 5 +++ ipaplatform/fedora_container/__init__.py | 2 +- ipaplatform/fedora_container/tasks.py| 23 ++- ipaplatform/rhel_container/__init__.py | 2 +- ipaplatform/rhel_container/tasks.py | 23 ++- 7 files changed, 109 insertions(+), 4 deletions(-) create mode 100644 ipaplatform/README.md diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py index ad03c81fd1..3df2cf9dcd 100644 --- a/ipaclient/install/client.py +++ b/ipaclient/install/client.py 
@@ -2160,6 +2160,14 @@ def install_check(options): "authentication resources", rval=CLIENT_INSTALL_ERROR) +# --mkhomedir is not supported by fedora_container and rhel_container +if not tasks.is_mkhomedir_supported() and options.mkhomedir: +raise ScriptError( +"Option '--mkhomedir' is incompatible with the 'authselect' tool " +"provided by this distribution for configuring system " +"authentication resources", +rval=CLIENT_INSTALL_ERROR) + # when installing with '--no-sssd' option, check whether nss-ldap is # installed if not options.sssd: diff --git a/ipaplatform/README.md b/ipaplatform/README.md new file mode 100644 index 00..a1aff58069 --- /dev/null +++ b/ipaplatform/README.md 
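Review bot: The error string in the new `--mkhomedir` guard blames the distribution's authselect tool, which is the wording copied from the neighbouring --no-sssd check, but the constraint this commit introduces is that the container image ships a fixed authselect profile the installer will not touch; the message should say that so the admin does not debug authselect on the host. Suggested text: `"Option '--mkhomedir' is not supported on this platform: the image ships a fixed authselect profile that ipa-client-install does not modify"`. Reordering the condition to `if options.mkhomedir and not tasks.is_mkhomedir_supported():` short-circuits on the common case where the flag was not given. `install_check` continues outside the hunk.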
@@ -0,0 +1,50 @@ +# IPA platform abstraction + +The ``ipaplatform`` package provides an abstraction layer for +supported Linux distributions and flavors. The package contains +constants, paths to commands and config files, services, and tasks. + +* **base** abstract base platform +* **debian** Debian- and Ubuntu-like +* **redhat** abstract base for Red Hat platforms +* **fedora** Fedora +* **fedora_container** freeipa-container on Fedora +* **rhel** RHEL and CentOS +* **rhel_container** freeipa-container on RHEL and CentOS +* **suse** OpenSUSE and SLES + +``` +[base] + ├─ debian + ├─[redhat] + │ ├─ fedora + │ │ └─ fedora_container + │ └─ rhel + │ └─ rhel_container + └─ suse +``` +(Note: Debian and SUSE use some definitions from Red Hat namespace.) + + +## freeipa-container platform + +The **fedora_container** and **rhel_container** platforms are flavors +of the **fedora** and **rhel** platforms. These platform definitions +are specifically designed for +[freeipa-container](https://github.com/freeipa/freeipa-container). +The FreeIPA server container implements a read-only container. Paths +like ``/etc``, ``/usr``, and ``/var`` are mounted read-only and cannot +be modified. The image uses symlinks to store all variable data like +config files and LDAP database in ``/data``. + +* Some commands don't write through dangling symlinks. The IPA + platforms for containers prefix some paths with ``/data``. +* ``ipa-server-upgrade`` verifies that the platform does not change + between versions. To allow upgrades of old containers, sysupgrade + maps ``$distro_container`` to ``$distro`` platform. +* The container images come with authselect pre-configured with + ``sssd with-sudo`` option. The tasks ``modify_nsswitch_pam_stack`` + and ``migrate_auth_configuration`` are no-ops. ``ipa-restore`` + does not restore authselect settings. ``ipa-backup`` still stores + authselect settings in backup data. +* The ``--mkhomedir`` option is not supported. 
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py index 2e35dfd424..ad1e90d398 100644 --- a/ipaplatform/base/tasks.py +++ b/ipaplatform/base/tasks.py @@ -208,7 +208,12 @@ def is_nosssd_supported(self): """ Check if the flag --no-sssd is supported for client install. """ +return True +def is_mkhomedir_supported(self): +""" +Check if the flag --mkhomedir is supported for client install. +""" return True def
[Freeipa-devel] preparing FreeIPA 4.8.9 release
Hi, it is time for another FreeIPA 4.8 release. My plan is to do a release either tomorrow, Friday, August 7th, or early next week, depending how fast the following pull requests would be acked and backported to ipa-4-8: PyCryptography 2.7+ compatibility: https://github.com/freeipa/freeipa/pull/4936 CA cert permissions in CA-less setup: https://github.com/freeipa/freeipa/pull/4989 Figuring out translations' updates: https://github.com/freeipa/freeipa/pull/4981 and off-band research. I might push the changes manually directly to Pagure to shortcut the process as these are robot-produced ones and initial commit will be huge. Container platforms support: https://github.com/freeipa/freeipa/pull/4992 Reliable client and server installation checks: https://github.com/freeipa/freeipa/pull/4895 Web UI fixes for object class evaluator of user details facet: https://github.com/freeipa/freeipa/pull/4720 We also have a breakage in Fedora Rawhide right now where Dogtag was rebuilt against Java 11 and currently does not work due to missing dependencies: https://bugzilla.redhat.com/show_bug.cgi?id=1866570 This one is being investigated by the Dogtag team, hopefully will be fixed before the release. Current draft of the release notes for ipa-4-8 branch are available at https://vda.li/drafts/freeipa-4.8.9-release-notes.html As usual, you can add release notes by modifying a 'changelog' field of the corresponding Pagure ticket. For changes known in advance please add them directly in the commit messages with RN: prefix. If you know changes that warrant to do a release note but don't have time to add the changelog entries yourself, please respond to this thread with your comments and I'll incorporate them myself. The list is generated using a slightly modified version of a release notes tool from freeipa-tools. The changes are mostly around providing bugzilla references from 'rhbz' field in Pagure ticket. 
I'll push my changes soon but if you are interested in the run arguments for the release notes tool, they are python3 release/release-notes.py \ 4.8.9 2020-08-07 4.8.8 4.8 release-4-8-8..origin/ipa-4-8 "FreeIPA 4.8" \ --links --token-file ~/.ipa/pagure.token --repo ~/src/freeipa-clean \ --nomilestones > ~/todo/freeipa-4.8.9-release-notes.txt -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#4998][opened] ipatests: Test certmonger rekey command works fine
URL: https://github.com/freeipa/freeipa/pull/4998 Author: mrizwan93 Title: #4998: ipatests: Test certmonger rekey command works fine Action: opened PR body: """ Certmonger's rekey command was throwing an error as unrecognized command. Test is to check if it is working fine. related: https://bugzilla.redhat.com/show_bug.cgi?id=1249165 Signed-off-by: Mohammad Rizwan """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4998/head:pr4998 git checkout pr4998 From 7a3cba77bdad8ad7cf628b8df8e99b2c8f449702 Mon Sep 17 00:00:00 2001 From: Mohammad Rizwan Date: Thu, 6 Aug 2020 14:16:31 +0530 Subject: [PATCH] ipatests: Test certmonger rekey command works fine Certmonger's rekey command was throwing an error as unrecognized command. Test is to check if it is working fine. related: https://bugzilla.redhat.com/show_bug.cgi?id=1249165 Signed-off-by: Mohammad Rizwan --- ipatests/test_integration/test_cert.py | 40 ++ 1 file changed, 40 insertions(+) diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py index 865578941c..747c16ec3c 100644 --- a/ipatests/test_integration/test_cert.py +++ b/ipatests/test_integration/test_cert.py @@ -9,6 +9,7 @@ import ipaddress import pytest import re +import time from ipaplatform.paths import paths from cryptography import x509 
@@ -216,6 +217,45 @@ def test_getcert_list_profile_using_subca(self, test_subca_certs):
raise AssertionError("certmonger request is "
"in state {}".
format(status))

+def test_certmonger_rekey_option(self):
+"""Test certmonger rekey command works fine
+
+Certmonger's rekey command was throwing an error as
+unrecognized command. Test is to check if it is working fine.
+
+related: https://bugzilla.redhat.com/show_bug.cgi?id=1249165
+"""
+result = self.master.run_command([
+'ipa-getcert', 'request',
+'-f', '/etc/pki/tls/certs/test.pem',
+'-k', '/etc/pki/tls/private/test.key',
+'-K', 'test/{}'.format(self.master.hostname)])
+request_id = get_certmonger_fs_id(result.stdout_text)
+certdata = self.master.get_file_contents(
+'/etc/pki/tls/certs/test.pem'
+)
+cert = x509.load_pem_x509_certificate(
+certdata, default_backend()
+)
+assert cert.public_key().key_size == 2048
+
+# rekey with key size 3072
+self.master.run_command(['getcert', 'rekey',
+ '-i', request_id,
+ '-g', '3072'])
+time.sleep(60)
+certdata = self.master.get_file_contents(
+'/etc/pki/tls/certs/test.pem'
+)
+cert = x509.load_pem_x509_certificate(
+certdata, default_backend()
+)
+# check if rekey command updated the key size
+assert cert.public_key().key_size == 3072
+
+self.master.run_command(['getcert', 'stop-tracking'
+ '-i', request_id])
+
class TestCertmongerInterruption(IntegrationTest):
num_replicas = 1
___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
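Review bot: `['getcert', 'stop-tracking' '-i', request_id]` near the end of the hunk has no comma after `'stop-tracking'`, so Python concatenates the two literals into the single argument `stop-tracking-i`; getcert rejects it, `run_command` raises, and the request stays tracked with its private key left at /etc/pki/tls/private/test.key after the test. Fix: `self.master.run_command(['getcert', 'stop-tracking', '-i', request_id])`. Separately, test.pem is read immediately after `ipa-getcert request` returns, but issuance is asynchronous, so `get_file_contents` may run before the PEM exists; waiting for the request to reach MONITORING before the first read, and using the same state wait instead of the fixed `time.sleep(60)` after the rekey, would make the test deterministic rather than timing-dependent.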