[Freeipa-devel] [freeipa PR#5008][opened] EPN: handle empty attributes

2020-08-06 Thread rcritten via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5008
Author: rcritten
 Title: #5008: EPN: handle empty attributes
Action: opened

PR body:
"""
The admin user doesn't have a givenname and mail is empty by default. Handle 
those in a general way.

Add test for this case.

Based on https://github.com/freeipa/freeipa/pull/5006/
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5008/head:pr5008
git checkout pr5008
From 24ba3df7e66a681acf3d4938b5191dd929459bee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Thu, 6 Aug 2020 17:07:36 +0200
Subject: [PATCH 1/4] IPA-EPN: Use a helper to retrieve LDAP attributes from an
 entry

Allow for empty attributes.
---
 ipaclient/install/ipa_epn.py | 22 +++---
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/ipaclient/install/ipa_epn.py b/ipaclient/install/ipa_epn.py
index 65f9f3d47f..0d1ae2addf 100644
--- a/ipaclient/install/ipa_epn.py
+++ b/ipaclient/install/ipa_epn.py
@@ -122,22 +122,30 @@ def __len__(self):
 """Return len(self)."""
 return len(self._expiring_password_user_dq)
 
+def get_ldap_attr(self, entry, attr):
+"""Get a single value from a multi-valued attr in a safe way"""
+return str(entry.get(attr, [""]).pop(0))
+
 def add(self, entry):
 """Parses and appends an LDAP user entry with the uid, cn,
givenname, sn, krbpasswordexpiration and mail attributes.
 """
 try:
 self._sorted = False
+if entry.get("mail") is None:
+logger.error("IPA-EPN: No mail address defined for: %s",
+ entry.dn)
+return
 self._expiring_password_user_dq.append(
 dict(
-uid=str(entry["uid"].pop(0)),
-cn=str(entry["cn"].pop(0)),
-givenname=str(entry["givenname"].pop(0)),
-sn=str(entry["sn"].pop(0)),
-krbpasswordexpiration=str(
-entry["krbpasswordexpiration"].pop(0)
+uid=self.get_ldap_attr(entry, "uid"),
+cn=self.get_ldap_attr(entry, "cn"),
+givenname=self.get_ldap_attr(entry, "givenname"),
+sn=self.get_ldap_attr(entry, "sn"),
+krbpasswordexpiration=(
+self.get_ldap_attr(entry,"krbpasswordexpiration")
 ),
-mail=str(entry["mail"]),
+mail=str(entry.get("mail")),
 )
 )
 except IndexError as e:
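Review bot: `get_ldap_attr` at the top of the hunk is not as safe as its docstring claims: `entry.get(attr, [""]).pop(0)` still raises IndexError when the attribute is present but holds an empty list, and `pop` mutates the entry's value list as a side effect of what reads like a lookup. A non-mutating form covers both cases: `values = entry.get(attr) or [""]` followed by `return str(values[0])`. Separately, `mail=str(entry.get("mail"))` stringifies the whole value list rather than a single address (as the pre-change line also did), which is presumably not what the mail template expects — worth confirming against how `mail` is consumed. `self.get_ldap_attr(entry,"krbpasswordexpiration")` is also missing the space after the comma; `add` continues past the end of the hunk.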

From 9d6bbb0244c2388906ce273bc40bae7bcb7377db Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Thu, 6 Aug 2020 17:13:19 +0200
Subject: [PATCH 2/4] IPA-EPN: fix configuration file typo
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: François Cami 
---
 client/share/epn.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/client/share/epn.conf b/client/share/epn.conf
index 0e590dfc3b..e3645801cb 100644
--- a/client/share/epn.conf
+++ b/client/share/epn.conf
@@ -23,7 +23,7 @@ smtp_port = 25
 # Default None (empty value).
 # smtp_password =
 
-# pecifies the number of seconds to wait for SMTP to respond.
+# Specifies the number of seconds to wait for SMTP to respond.
 smtp_timeout = 60
 
 # Specifies the type of secure connection to make. Options are: none,

From 8e157ce02595c115c36983fd90110189d0e0bf07 Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Thu, 6 Aug 2020 18:57:10 -0400
Subject: [PATCH 3/4] IPA-EPN: Test that users without givenname and/or mail
 are handled

The admin user does not have a givenname by default; allow for that.

Report errors for users without a default e-mail address.

Update the SHA256 hash with the typo fix.
---
 ipatests/test_integration/test_epn.py | 22 +-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
index f4c123c6d8..946e8e602a 100644
--- a/ipatests/test_integration/test_epn.py
+++ b/ipatests/test_integration/test_epn.py
@@ -231,7 +231,7 @@ def test_EPN_config_file(self):
 assert epn_conf in cmd1.stdout_text
 assert epn_template in cmd1.stdout_text
 cmd2 = self.master.run_command(["sha256sum", epn_conf])
-ck = "4c207b5c9c760c36db0d3b2b93da50ea49edcc4002d6d1e7383601f0ec30b957"
+ck = "192481b52fb591112afd7b55b12a44c6618fdbc7e05a3b1866fd67ec579c51df"
 assert cmd2.stdout_text.find(ck) == 0
 
 def test_EPN_smoketest_1(self):
@@ -487,3 +487,23 @@ def test_EPN_delay_config(self, cleanupmail):
 self.master.put_file_contents('/etc/ipa/epn.conf', epn_conf)
 result = tasks.ipa_epn(self.master, raiseonerr=False)
 assert "smtp_delay cannot be less than zero" 

[Freeipa-devel] [freeipa PR#5006][closed] IPA-EPN: use entry.get() to retrieve attributes

2020-08-06 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5006
Author: fcami
 Title: #5006: IPA-EPN: use entry.get() to retrieve attributes
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5006/head:pr5006
git checkout pr5006


[Freeipa-devel] [freeipa PR#5007][opened] ipatests: fix TestIpaHealthCheckWithoutDNS failure

2020-08-06 Thread flo-renaud via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5007
Author: flo-renaud
 Title: #5007: ipatests: fix TestIpaHealthCheckWithoutDNS failure
Action: opened

PR body:
"""
TestIpaHealthCheckWithoutDNS is launched after
TestIpaHealthCheck::test_ipa_healthcheck_expiring that is playing with
the date. At the end of test_ipa_healthcheck_expiring, the date is
reset using systemctl start chronyd but the date may need time to adjust
and the subsequent tests may be launched with a system date set in the
future.

When this happens, dnf install fails because the certificate for
the package repo is seen as expired, and TestIpaHealthCheckWithoutDNS
fails.

In order to avoid this issue, call chronyc waitsync to make sure the
date was adjusted back.

Fixes: https://pagure.io/freeipa/issue/8447
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5007/head:pr5007
git checkout pr5007
From f49bc2ece03a4ec21c124903a8f12c05cd03414f Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Thu, 6 Aug 2020 18:53:35 +0200
Subject: [PATCH 1/2] ipatests: fix TestIpaHealthCheckWithoutDNS failure

TestIpaHealthCheckWithoutDNS is launched after
TestIpaHealthCheck::test_ipa_healthcheck_expiring that is playing with
the date. At the end of test_ipa_healthcheck_expiring, the date is
reset using systemctl start chronyd but the date may need time to adjust
and the subsequent tests may be launched with a system date set in the
future.

When this happens, dnf install fails because the certificate for
the package repo is seen as expired, and TestIpaHealthCheckWithoutDNS
fails.

In order to avoid this issue, call chronyc waitsync to make sure the
date was adjusted back.

Fixes: https://pagure.io/freeipa/issue/8447
---
 ipatests/test_integration/test_ipahealthcheck.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index cf406f56c0..773af9c3d6 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -876,6 +876,9 @@ def execute_expiring_check(check):
 execute_expiring_check(check)
 
 self.master.run_command(['systemctl', 'start', 'chronyd'])
+# After restarting chronyd, the date may need some time to get synced
+# Use chronyc waitsync to make sure we are back to current date
+self.master.run_command([paths.CHRONYC, 'waitsync', '3'])
 
 def test_ipa_healthcheck_remove(self):
 """
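Review bot: The `'3'` passed to `waitsync` is an unexplained magic number; the comment above the call should say what it bounds, e.g. `# waitsync 3: give up after three sync polls instead of blocking the suite indefinitely`. If the clock has still not been corrected after those tries, chronyc exits non-zero and — assuming `run_command` raises on a non-zero exit, which I cannot see here — the test errors out at this line rather than later in `dnf install`; that makes the root cause visible, and the comment should state that this is intended. The enclosing test method starts before the hunk.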

From 36d856b718bbc2b6f9462bf5bd188702542cc7ff Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Thu, 6 Aug 2020 19:00:02 +0200
Subject: [PATCH 2/2] Temp commit

---
 .freeipa-pr-ci.yaml| 2 +-
 ipatests/prci_definitions/temp_commit.yaml | 8 
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml
index abcf8c5b63..8065669008 12
--- a/.freeipa-pr-ci.yaml
+++ b/.freeipa-pr-ci.yaml
@@ -1 +1 @@
-ipatests/prci_definitions/gating.yaml
\ No newline at end of file
+ipatests/prci_definitions/temp_commit.yaml
\ No newline at end of file
diff --git a/ipatests/prci_definitions/temp_commit.yaml b/ipatests/prci_definitions/temp_commit.yaml
index e337068145..9c98b0d5c3 100644
--- a/ipatests/prci_definitions/temp_commit.yaml
+++ b/ipatests/prci_definitions/temp_commit.yaml
@@ -61,14 +61,14 @@ jobs:
 timeout: 1800
 topology: *build
 
-  fedora-latest/temp_commit:
+  fedora-latest/test_ipahealthcheck:
 requires: [fedora-latest/build]
 priority: 50
 job:
   class: RunPytest
   args:
 build_url: '{fedora-latest/build_url}'
-test_suite: test_integration/test_REPLACEME.py
+test_suite: test_integration/test_ipahealthcheck.py::TestIpaHealthCheck test_integration/test_ipahealthcheck.py::TestIpaHealthCheckWithoutDNS
 template: *ci-master-latest
-timeout: 3600
-topology: *master_1repl_1client
+timeout: 4800
+topology: *master_1repl
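Review bot: This is a `Temp commit` that repoints `.freeipa-pr-ci.yaml` at `temp_commit.yaml` and has to be dropped before merge, which neither the commit message nor the PR description states. The job is renamed `fedora-latest/test_ipahealthcheck` yet stays defined in `temp_commit.yaml`, so a reader can mistake it for a gating job. A one-line comment next to the job, `# temporary: runs only the healthcheck suites for this PR's CI, not gating`, would make the intent explicit.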


[Freeipa-devel] [freeipa PR#5005][closed] [Backport][ipa-4-8] ipatests: Add compatibility against python-cryptography 3.0

2020-08-06 Thread flo-renaud via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5005
Author: rcritten
 Title: #5005: [Backport][ipa-4-8] ipatests: Add compatibility against 
python-cryptography 3.0
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5005/head:pr5005
git checkout pr5005


[Freeipa-devel] [freeipa PR#5003][closed] [Backport][ipa-4-8] Don't configure authselect in containers

2020-08-06 Thread flo-renaud via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5003
Author: tiran
 Title: #5003: [Backport][ipa-4-8] Don't configure authselect in containers
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5003/head:pr5003
git checkout pr5003


[Freeipa-devel] [freeipa PR#4983][closed] Tests for fake_mname parameter setup

2020-08-06 Thread flo-renaud via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/4983
Author: kaleemsiddiqu
 Title: #4983: Tests for fake_mname parameter setup
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4983/head:pr4983
git checkout pr4983


[Freeipa-devel] [freeipa PR#5006][opened] IPA-EPN: use entry.get() to retrieve attributes

2020-08-06 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5006
Author: fcami
 Title: #5006: IPA-EPN: use entry.get() to retrieve attributes
Action: opened

PR body:
"""
Use entry.get() to retrieve attributes to avoid tripping on missing attrs.

Fixes: TBD
Signed-off-by: François Cami 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5006/head:pr5006
git checkout pr5006
From b3c69af0013378a96b956a1f995aec266beb3d34 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Thu, 6 Aug 2020 17:07:36 +0200
Subject: [PATCH] IPA-EPN: use entry.get() to retrieve attributes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Use entry.get() to retrieve attributes to avoid tripping on missing attrs.

Fixes: TBD
Signed-off-by: François Cami 
---
 ipaclient/install/ipa_epn.py | 12 ++--
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/ipaclient/install/ipa_epn.py b/ipaclient/install/ipa_epn.py
index 6e1b001464..c7ce58fdba 100644
--- a/ipaclient/install/ipa_epn.py
+++ b/ipaclient/install/ipa_epn.py
@@ -131,14 +131,14 @@ def add(self, entry):
 self._sorted = False
 self._expiring_password_user_dq.append(
 dict(
-uid=str(entry["uid"].pop(0)),
-cn=str(entry["cn"].pop(0)),
-givenname=str(entry["givenname"].pop(0)),
-sn=str(entry["sn"].pop(0)),
+uid=str(entry.get("uid")),
+cn=str(entry.get("cn")),
+givenname=str(entry.get("givenname")),
+sn=str(entry.get("sn")),
 krbpasswordexpiration=str(
-entry["krbpasswordexpiration"].pop(0)
+entry.get("krbpasswordexpiration")
 ),
-mail=str(entry["mail"]),
+mail=str(entry.get("mail")),
 )
 )
 except IndexError as e:
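Review bot: `str(entry.get("uid"))` and its sibling lines change the produced values, not only the lookup: the removed code took the first value via `pop(0)`, so `uid` became `admin`, whereas `str()` of the value list yields `['admin']`, and a missing attribute now yields the string `None` instead of an empty string. To keep the previous output while tolerating missing attributes, index a defaulted list, e.g. `uid=str(entry.get("uid", [""])[0])`, and let the existing `except IndexError` handle a present-but-empty attribute. The same applies to `cn`, `givenname`, `sn` and `krbpasswordexpiration` in this hunk; `add` continues past the end of the hunk.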


[Freeipa-devel] [freeipa PR#4936][closed] ipatests: Add compatibility against python-cryptography 3.0

2020-08-06 Thread rcritten via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/4936
Author: stanislavlevin
 Title: #4936: ipatests: Add compatibility against python-cryptography 3.0
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4936/head:pr4936
git checkout pr4936


[Freeipa-devel] [freeipa PR#5005][opened] [Backport][ipa-4-8] ipatests: Add compatibility against python-cryptography 3.0

2020-08-06 Thread rcritten via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5005
Author: rcritten
 Title: #5005: [Backport][ipa-4-8] ipatests: Add compatibility against 
python-cryptography 3.0
Action: opened

PR body:
"""
This PR was opened automatically because PR #4936 was pushed to master and 
backport to ipa-4-8 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5005/head:pr5005
git checkout pr5005
From 2cdda9869df14eee00c8a91a249bf68b29327603 Mon Sep 17 00:00:00 2001
From: Stanislav Levin 
Date: Thu, 23 Jul 2020 15:04:49 +0300
Subject: [PATCH] ipatests: Add compatibility against python-cryptography 3.0

The recently released python-cryptography 3.0 has backward incompatible
changes. One of them [0] breaks FreeIPA self-tests.

Note: this requires python-cryptography 2.7+.

[0] https://github.com/pyca/cryptography/commit/3b2102af549c1095d5478bb1243ee4cf76b9762b

Fixes: https://pagure.io/freeipa/issue/8428
Signed-off-by: Stanislav Levin 
---
 .../integration/create_caless_pki.py  | 23 ++-
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/ipatests/pytest_ipa/integration/create_caless_pki.py b/ipatests/pytest_ipa/integration/create_caless_pki.py
index f2a98f5a78..930661b5cd 100644
--- a/ipatests/pytest_ipa/integration/create_caless_pki.py
+++ b/ipatests/pytest_ipa/integration/create_caless_pki.py
@@ -20,11 +20,13 @@
 import os.path
 import six
 
+from cryptography import __version__ as cryptography_version
 from cryptography import x509
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.x509.oid import NameOID
+from pkg_resources import parse_version
 from pyasn1.type import univ, char, namedtype, tag
 from pyasn1.codec.der import encoder as der_encoder
 from pyasn1.codec.native import decoder as native_decoder
@@ -150,13 +152,22 @@ def profile_ca(builder, ca_nick, ca):
 critical=False,
 )
 else:
-ski = ca.cert.extensions.get_extension_for_class(
-x509.SubjectKeyIdentifier)
-builder = builder.add_extension(
-x509.AuthorityKeyIdentifier
-.from_issuer_subject_key_identifier(ski),
-critical=False,
+ski_ext = ca.cert.extensions.get_extension_for_class(
+x509.SubjectKeyIdentifier
 )
+auth_keyidentifier = (x509.AuthorityKeyIdentifier
+  .from_issuer_subject_key_identifier)
+'''
+cryptography < 2.7 accepts only Extension object.
+Remove this workaround when all supported platforms update
+python-cryptography.
+'''
+if (parse_version(cryptography_version) >= parse_version('2.7')):
+extension = auth_keyidentifier(ski_ext.value)
+else:
+extension = auth_keyidentifier(ski_ext)
+
+builder = builder.add_extension(extension, critical=False)
 return builder
 
 
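Review bot: The triple-quoted block describing the cryptography < 2.7 workaround is a string expression statement, not a comment: it is built and discarded every time this `else` branch runs and linters flag it, so it should be `#` comment lines. The comparison `parse_version(cryptography_version) >= parse_version('2.7')` is likewise recomputed on every `profile_ca` call although the installed version cannot change at runtime; a module-level boolean next to the imports in the preceding hunk would reduce this branch to a single `if`. The parentheses around the `if` condition are redundant. The commit message says 2.7+ is now required, yet the fallback for older versions is kept — one of the two should be updated. `profile_ca` starts before the hunk.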


[Freeipa-devel] [freeipa PR#5000][closed] [Backport][ipa-4-8] Set permissions of /etc/ipa/ca.crt to 0644 in CA-less installs

2020-08-06 Thread rcritten via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5000
Author: flo-renaud
 Title: #5000: [Backport][ipa-4-8] Set permissions of /etc/ipa/ca.crt to 0644 
in CA-less installs
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5000/head:pr5000
git checkout pr5000


[Freeipa-devel] [freeipa PR#5004][opened] [Backport][ipa-4-8] Simplify and make more reliable the server and client installation checks

2020-08-06 Thread rcritten via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5004
Author: rcritten
 Title: #5004: [Backport][ipa-4-8] Simplify and make more reliable the server 
and client installation checks
Action: opened

PR body:
"""
This PR was opened manually because PR #4895 was pushed to master and backport 
to ipa-4-8 is required.

The merge conflict was due to 53d472b490ac7a14fc78516b448d4aa312b79b7f being 
only in master. Fixing this was straightforward.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5004/head:pr5004
git checkout pr5004
From 753d110a1541b337ff4c0cae407ed89e06ffc929 Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Tue, 7 Jul 2020 16:24:35 -0400
Subject: [PATCH 1/5] Simplify determining if an IPA server installation is
 complete

When asking the question "is my IPA server configured?" right now
we look at whether the installation backed up any files and set
any state. This isn't exactly precise.

Instead set a new state, installation, to True as soon as IPA
is restarted at the end of the installer.

On upgrades existing installations will automatically get this
state.

This relies on the fact that get_state returns None if no state
at all is set. This indicates that this "new" option isn't available
and when upgrading an existing installation we can assume the
install at least partly works.

The value is forced to False at the beginning of a fresh install
so if it fails, or is in a transient state like with an external
CA, we know that the installation is not complete.

https://pagure.io/freeipa/issue/8384

Signed-off-by: Rob Crittenden 
Reviewed-By: Alexander Bokovoy 
Reviewed-By: Francois Cami 
---
 ipaserver/install/installutils.py  | 22 ++
 ipaserver/install/server/install.py|  6 ++
 ipaserver/install/server/replicainstall.py |  6 ++
 ipaserver/install/server/upgrade.py|  4 
 4 files changed, 18 insertions(+), 20 deletions(-)

diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index ba98e8bed3..f19f64fbe8 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -700,28 +700,10 @@ def rmtree(path):
 
 def is_ipa_configured():
 """
-Using the state and index install files determine if IPA is already
-configured.
+Use the state to determine if IPA has been configured.
 """
-installed = False
-
 sstore = sysrestore.StateFile(paths.SYSRESTORE)
-fstore = sysrestore.FileStore(paths.SYSRESTORE)
-
-for module in IPA_MODULES:
-if sstore.has_state(module):
-logger.debug('%s is configured', module)
-installed = True
-else:
-logger.debug('%s is not configured', module)
-
-if fstore.has_files():
-logger.debug('filestore has files')
-installed = True
-else:
-logger.debug('filestore is tracking no files')
-
-return installed
+return sstore.get_state('installation', 'complete')
 
 
 def run_script(main_function, operation_name, log_file_name=None,
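Review bot: The rewritten `is_ipa_configured` returns whatever `sstore.get_state` yields, which the commit message says is `None` when no state is recorded at all, so callers now get a three-valued result (`True`/`False`/`None`) where the old body always returned a bool; the docstring should say so, e.g. `Returns True when the installer marked the installation complete, False when an install started but did not finish, and None when no state is recorded (installation predating this flag, or never installed).` Any caller that tests `is False` or compares with `==` will treat a not-yet-upgraded installation as unconfigured — worth a grep across the tree. The per-module debug logging of the old body is gone; if it was used for troubleshooting, one `logger.debug` with the returned value would preserve that.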
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index b53c58e2a6..4822c222ce 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -795,6 +795,9 @@ def install(installer):
 # failure to enable root cause investigation
 installer._installation_cleanup = False
 
+# Be clear that the installation process is beginning but not done
+sstore.backup_state('installation', 'complete', False)
+
 if installer.interactive:
 print("")
 print("The following operations may take some minutes to complete.")
@@ -998,6 +1001,8 @@ def install(installer):
 bind.create_file_with_system_records()
 
 # Everything installed properly, activate ipa service.
+sstore.delete_state('installation', 'complete')
+sstore.backup_state('installation', 'complete', True)
 services.knownservices.ipa.enable()
 
 print("==="
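Review bot: The `delete_state` immediately followed by `backup_state('installation', 'complete', True)` needs a why-comment: the pairing suggests `backup_state` keeps the first value written and would otherwise leave the `False` recorded at install start in place — if that is the reason, say so: `# backup_state keeps an existing value, so drop the False recorded at install start first`. If `backup_state` does overwrite, the delete is redundant and the unconditional `backup_state(..., False)` in the first hunk should be checked for the same stale-value concern. `install` starts before the hunk.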
@@ -1201,6 +1206,7 @@ def uninstall(installer):
 if fstore.has_files():
 logger.error('Some files have not been restored, see '
  '%s/sysrestore.index', SYSRESTORE_DIR_PATH)
+sstore.delete_state('installation', 'complete')
 has_state = False
 for module in IPA_MODULES:  # from installutils
 if sstore.has_state(module):
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 7d6c4108c0..b8e896ac7c 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1205,6 +1205,7 @@ def install(installer):
 ca_enabled = installer._ca_enabled
 kra_enabled = installer._kra_enabled
 fstore = installer._fstore
+sstore = installer._sstore
 config = installer._config
 cafile = installer._ca_file
 dirsrv_pkcs12_info = 

[Freeipa-devel] [freeipa PR#5001][closed] ipatests: Test certmonger rekey command works fine

2020-08-06 Thread mrizwan93 via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5001
Author: mrizwan93
 Title: #5001: ipatests: Test certmonger rekey command works fine
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5001/head:pr5001
git checkout pr5001


[Freeipa-devel] [freeipa PR#5001][opened] ipatests: Test certmonger rekey command works fine

2020-08-06 Thread mrizwan93 via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5001
Author: mrizwan93
 Title: #5001: ipatests: Test certmonger rekey command works fine
Action: opened

PR body:
"""
Certmonger's rekey command was throwing an error as
unrecognized command. Test is to check if it is working fine.

related: https://bugzilla.redhat.com/show_bug.cgi?id=1249165

Signed-off-by: Mohammad Rizwan 

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5001/head:pr5001
git checkout pr5001
From 3aea605e4bc500c59770183e64e6faee317605d9 Mon Sep 17 00:00:00 2001
From: Sergey Orlov 
Date: Wed, 5 Aug 2020 16:37:05 +0200
Subject: [PATCH 1/2] Fix password file permission

Invalid permissions make the file unreadable by its owner if the owner is not root.

Reviewed-By: Alexander Bokovoy 
---
 ipatests/test_integration/test_cert.py | 40 ++
 1 file changed, 40 insertions(+)

diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
index 865578941c..0bdec34c46 100644
--- a/ipatests/test_integration/test_cert.py
+++ b/ipatests/test_integration/test_cert.py
@@ -9,6 +9,7 @@
 import ipaddress
 import pytest
 import re
+import time
 
 from ipaplatform.paths import paths
 from cryptography import x509
@@ -216,6 +217,45 @@ def test_getcert_list_profile_using_subca(self, test_subca_certs):
 raise AssertionError("certmonger request is "
  "in state {}". format(status))
 
+def test_certmonger_rekey_option(self):
+"""Test certmonger rekey command works fine
+
+Certmonger's rekey command was throwing an error as
+unrecognized command. Test is to check if it is working fine.
+
+related: https://bugzilla.redhat.com/show_bug.cgi?id=1249165
+"""
+result = self.master.run_command([
+'ipa-getcert', 'request',
+'-f', '/etc/pki/tls/certs/test_rekey.pem',
+'-k', '/etc/pki/tls/private/test.key',
+'-K', 'test/{}'.format(self.master.hostname)])
+request_id = re.findall(r'\d+', result.stdout_text)
+certdata = self.master.get_file_contents(
+'/etc/pki/tls/certs/test_rekey.pem'
+)
+cert = x509.load_pem_x509_certificate(
+certdata, default_backend()
+)
+assert cert.public_key().key_size == 2048
+
+# rekey with key size 3072
+self.master.run_command(['getcert', 'rekey',
+ '-i', request_id[0],
+ '-g', '3072'])
+time.sleep(60)
+certdata = self.master.get_file_contents(
+'/etc/pki/tls/certs/test_rekey.pem'
+)
+cert = x509.load_pem_x509_certificate(
+certdata, default_backend()
+)
+# check if rekey command updated the key size
+assert cert.public_key().key_size == 3072
+
+self.master.run_command(['getcert', 'stop-tracking'
+ '-i', request_id[0]])
+
 
 class TestCertmongerInterruption(IntegrationTest):
 num_replicas = 1
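Review bot: `['getcert', 'stop-tracking' '-i', request_id[0]]` near the end of the new test is missing a comma, so implicit string concatenation passes `stop-tracking-i` as the subcommand and the request is never untracked; the identical line appears in the hunk of PR#5002 further down. The fix is `['getcert', 'stop-tracking', '-i', request_id[0]]`. That cleanup also only runs when every assert passes; a `try/finally` or a fixture would keep a failed run from leaving the certmonger request and the files under `/etc/pki/tls/` behind on the master. `request_id[0]` raises an unhelpful IndexError if the request output contains no digits; `assert request_id, result.stdout_text` before its first use pinpoints that. The commit subject (`Fix password file permission`) does not describe this diff, which only adds the rekey test.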

From 72d24dac1f72334f6d8534b68378725dc3426990 Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan 
Date: Thu, 6 Aug 2020 16:56:45 +0530
Subject: [PATCH 2/2] ipatests: Test certmonger rekey command works fine

Certmonger's rekey command was throwing an error as
unrecognized command. Test is to check if it is working fine.

related: https://bugzilla.redhat.com/show_bug.cgi?id=1249165

Signed-off-by: Mohammad Rizwan 
---
 ipatests/test_integration/test_cert.py | 10 --
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
index 0bdec34c46..fd478116ab 100644
--- a/ipatests/test_integration/test_cert.py
+++ b/ipatests/test_integration/test_cert.py
@@ -9,7 +9,6 @@
 import ipaddress
 import pytest
 import re
-import time
 
 from ipaplatform.paths import paths
 from cryptography import x509
@@ -231,6 +230,10 @@ def test_certmonger_rekey_option(self):
 '-k', '/etc/pki/tls/private/test.key',
 '-K', 'test/{}'.format(self.master.hostname)])
 request_id = re.findall(r'\d+', result.stdout_text)
+
+status = tasks.wait_for_request(self.master, request_id[0], 50)
+assert status == "MONITORING"
+
 certdata = self.master.get_file_contents(
 '/etc/pki/tls/certs/test_rekey.pem'
 )
@@ -243,7 +246,10 @@ def test_certmonger_rekey_option(self):
 self.master.run_command(['getcert', 'rekey',
  '-i', request_id[0],
  '-g', '3072'])
-time.sleep(60)
+
+status = tasks.wait_for_request(self.master, request_id[0], 50)
+assert status == "MONITORING"
+
 certdata = self.master.get_file_contents(
 '/etc/pki/tls/certs/test_rekey.pem'
 )
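Review bot: Waiting for `MONITORING` right after `getcert rekey` may return before the rekey has done anything: the request was already in `MONITORING` from the earlier wait, so if `tasks.wait_for_request` returns as soon as it observes that state, the subsequent key-size assertion races the actual key regeneration. Polling until the key size changes, or first waiting for the request to leave `MONITORING`, would make the test deterministic; `wait_for_request` is not visible here, so this depends on its semantics. `test_certmonger_rekey_option` starts before the hunk.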

[Freeipa-devel] [freeipa PR#5002][opened] ipatests: Test certmonger rekey command works fine

2020-08-06 Thread mrizwan93 via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5002
Author: mrizwan93
 Title: #5002: ipatests: Test certmonger rekey command works fine
Action: opened

PR body:
"""
Certmonger's rekey command was throwing an error as
unrecognized command. Test is to check if it is working fine.

related: https://bugzilla.redhat.com/show_bug.cgi?id=1249165

Signed-off-by: Mohammad Rizwan 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5002/head:pr5002
git checkout pr5002
From 2534890332571cb77f8177c6a5195d45d51ef60b Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan 
Date: Thu, 6 Aug 2020 17:06:21 +0530
Subject: [PATCH] ipatests: Test certmonger rekey command works fine

Certmonger's rekey command was throwing an error as
unrecognized command. Test is to check if it is working fine.

related: https://bugzilla.redhat.com/show_bug.cgi?id=1249165

Signed-off-by: Mohammad Rizwan 
---
 ipatests/test_integration/test_cert.py | 46 ++
 1 file changed, 46 insertions(+)

diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
index 865578941c..fd478116ab 100644
--- a/ipatests/test_integration/test_cert.py
+++ b/ipatests/test_integration/test_cert.py
@@ -216,6 +216,52 @@ def test_getcert_list_profile_using_subca(self, test_subca_certs):
 raise AssertionError("certmonger request is "
  "in state {}". format(status))
 
+def test_certmonger_rekey_option(self):
+"""Test certmonger rekey command works fine
+
+Certmonger's rekey command was throwing an error as
+unrecognized command. Test is to check if it is working fine.
+
+related: https://bugzilla.redhat.com/show_bug.cgi?id=1249165
+"""
+result = self.master.run_command([
+'ipa-getcert', 'request',
+'-f', '/etc/pki/tls/certs/test_rekey.pem',
+'-k', '/etc/pki/tls/private/test.key',
+'-K', 'test/{}'.format(self.master.hostname)])
+request_id = re.findall(r'\d+', result.stdout_text)
+
+status = tasks.wait_for_request(self.master, request_id[0], 50)
+assert status == "MONITORING"
+
+certdata = self.master.get_file_contents(
+'/etc/pki/tls/certs/test_rekey.pem'
+)
+cert = x509.load_pem_x509_certificate(
+certdata, default_backend()
+)
+assert cert.public_key().key_size == 2048
+
+# rekey with key size 3072
+self.master.run_command(['getcert', 'rekey',
+ '-i', request_id[0],
+ '-g', '3072'])
+
+status = tasks.wait_for_request(self.master, request_id[0], 50)
+assert status == "MONITORING"
+
+certdata = self.master.get_file_contents(
+'/etc/pki/tls/certs/test_rekey.pem'
+)
+cert = x509.load_pem_x509_certificate(
+certdata, default_backend()
+)
+# check if rekey command updated the key size
+assert cert.public_key().key_size == 3072
+
+self.master.run_command(['getcert', 'stop-tracking'
+ '-i', request_id[0]])
+
 
 class TestCertmongerInterruption(IntegrationTest):
 num_replicas = 1
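Review bot: The cleanup call at the end of test_certmonger_rekey_option is missing a comma: `['getcert', 'stop-tracking' '-i', request_id[0]]` concatenates the two literals into `'stop-tracking-i'`, so the stop-tracking step runs a non-existent subcommand and, if run_command raises on a non-zero exit as it appears to elsewhere, the test fails after its assertions passed; it should be `['getcert', 'stop-tracking', '-i', request_id[0]]`. The same defect is in the `@@ -216,6 +217,45 @@` hunk of the PR#4998 patch further down. Because stop-tracking is only reached on success, an assertion failure leaves the request tracked and the test key/cert files on the master, which may affect later tests; a `try`/`finally` or a fixture-based cleanup would make the test self-contained. Also, `re.findall(r'\d+', result.stdout_text)[0]` takes the first digit run from the command output, which presumably is the request id today but is fragile if the output format changes.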


[Freeipa-devel] [freeipa PR#4895][closed] Simplify and make more reliable the server and client installation checks

2020-08-06 Thread flo-renaud via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/4895
Author: rcritten
 Title: #4895: Simplify and make more reliable the server and client 
installation checks
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4895/head:pr4895
git checkout pr4895


[Freeipa-devel] [freeipa PR#4999][closed] Don't configure authselect in containers

2020-08-06 Thread tiran via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/4999
Author: tiran
 Title: #4999: Don't configure authselect in containers
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4999/head:pr4999
git checkout pr4999


[Freeipa-devel] [freeipa PR#5003][opened] [Backport][ipa-4-8] Don't configure authselect in containers

2020-08-06 Thread tiran via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5003
Author: tiran
 Title: #5003: [Backport][ipa-4-8] Don't configure authselect in containers
Action: opened

PR body:
"""
This PR was opened automatically because PR #4999 was pushed to master and 
backport to ipa-4-8 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5003/head:pr5003
git checkout pr5003
From b9f758945591f193480d3a641d8c8c6050f493a0 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Thu, 6 Aug 2020 12:44:32 +0200
Subject: [PATCH] Don't configure authselect in containers

freeipa-container images come with authselect pre-configured. There is
no need to configure, migrate, or restore authselect. The --mkhomedir
option is not supported, too.

Related: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes 
---
 ipaclient/install/client.py  |  8 
 ipaplatform/README.md| 50 
 ipaplatform/base/tasks.py|  5 +++
 ipaplatform/fedora_container/__init__.py |  2 +-
 ipaplatform/fedora_container/tasks.py| 23 ++-
 ipaplatform/rhel_container/__init__.py   |  2 +-
 ipaplatform/rhel_container/tasks.py  | 23 ++-
 7 files changed, 109 insertions(+), 4 deletions(-)
 create mode 100644 ipaplatform/README.md

diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index ad03c81fd1..3df2cf9dcd 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2160,6 +2160,14 @@ def install_check(options):
 "authentication resources",
 rval=CLIENT_INSTALL_ERROR)
 
+# --mkhomedir is not supported by fedora_container and rhel_container
+if not tasks.is_mkhomedir_supported() and options.mkhomedir:
+raise ScriptError(
+"Option '--mkhomedir' is incompatible with the 'authselect' tool "
+"provided by this distribution for configuring system "
+"authentication resources",
+rval=CLIENT_INSTALL_ERROR)
+
 # when installing with '--no-sssd' option, check whether nss-ldap is
 # installed
 if not options.sssd:
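Review bot: The new condition calls the platform first and checks the option second; `if options.mkhomedir and not tasks.is_mkhomedir_supported():` reads as "the user asked for something the platform cannot do" and skips the platform call when the option is not set. The error text is a near copy of the preceding `--no-sssd` message, but per the commit message the container platforms reject `--mkhomedir` because authselect is pre-configured in the image, so a message stating that the option is not supported on this platform would point the user at the actual cause. The same hunk appears again in the PR#4999 copy of this patch below; install_check continues outside this hunk.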
diff --git a/ipaplatform/README.md b/ipaplatform/README.md
new file mode 100644
index 00..a1aff58069
--- /dev/null
+++ b/ipaplatform/README.md
@@ -0,0 +1,50 @@
+# IPA platform abstraction
+
+The ``ipaplatform`` package provides an abstraction layer for
+supported Linux distributions and flavors. The package contains
+constants, paths to commands and config files, services, and tasks.
+
+* **base** abstract base platform
+* **debian** Debian- and Ubuntu-like
+* **redhat** abstract base for Red Hat platforms
+* **fedora** Fedora
+* **fedora_container** freeipa-container on Fedora
+* **rhel** RHEL and CentOS
+* **rhel_container** freeipa-container on RHEL and CentOS
+* **suse** OpenSUSE and SLES
+
+```
+[base]
+  ├─ debian
+  ├─[redhat]
+  │   ├─ fedora
+  │   │   └─ fedora_container
+  │   └─ rhel
+  │   └─ rhel_container
+  └─ suse
+```
+(Note: Debian and SUSE use some definitions from Red Hat namespace.)
+
+
+## freeipa-container platform
+
+The **fedora_container** and **rhel_container** platforms are flavors
+of the **fedora** and **rhel** platforms. These platform definitions
+are specifically designed for
+[freeipa-container](https://github.com/freeipa/freeipa-container).
+The FreeIPA server container implements a read-only container. Paths
+like ``/etc``, ``/usr``, and ``/var`` are mounted read-only and cannot
+be modified. The image uses symlinks to store all variable data like
+config files and LDAP database in ``/data``.
+
+* Some commands don't write through dangling symlinks. The IPA
+  platforms for containers prefix some paths with ``/data``.
+* ``ipa-server-upgrade`` verifies that the platform does not change
+  between versions. To allow upgrades of old containers, sysupgrade
+  maps ``$distro_container`` to ``$distro`` platform.
+* The container images come with authselect pre-configured with
+  ``sssd with-sudo`` option. The tasks ``modify_nsswitch_pam_stack``
+  and ``migrate_auth_configuration`` are no-ops. ``ipa-restore``
+  does not restore authselect settings. ``ipa-backup`` still stores
+  authselect settings in backup data.
+* The ``--mkhomedir`` option is not supported.
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index 2e35dfd424..ad1e90d398 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -208,7 +208,12 @@ def is_nosssd_supported(self):
 """
 Check if the flag --no-sssd is supported for client install.
 """
+return True
 
+def is_mkhomedir_supported(self):
+"""
+Check if the flag --mkhomedir is supported for client install.
+"""
 return True
 
 def backup_auth_configuration(self, path):
diff --git a/ipaplatform/fedora_container/__init__.py b/ipaplatform/fedora_container/__init__.py
index 

[Freeipa-devel] [freeipa PR#4998][closed] ipatests: Test certmonger rekey command works fine

2020-08-06 Thread mrizwan93 via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/4998
Author: mrizwan93
 Title: #4998: ipatests: Test certmonger rekey command works fine
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4998/head:pr4998
git checkout pr4998


[Freeipa-devel] [freeipa PR#5000][opened] [Backport][ipa-4-8] Set permissions of /etc/ipa/ca.crt to 0644 in CA-less installs

2020-08-06 Thread flo-renaud via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5000
Author: flo-renaud
 Title: #5000: [Backport][ipa-4-8] Set permissions of /etc/ipa/ca.crt to 0644 
in CA-less installs
Action: opened

PR body:
"""
This PR was opened automatically because PR #4989 was pushed to master and 
backport to ipa-4-8 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5000/head:pr5000
git checkout pr5000
From 80792c240fd2e2f184977589e1f9a9b27e22f906 Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Tue, 4 Aug 2020 15:09:56 -0400
Subject: [PATCH 1/2] Set mode of /etc/ipa/ca.crt to 0644 in CA-less
 installations

It was previously being set to 0444 which triggered a warning
in freeipa-healthcheck.

Even root needs DAC_OVERRIDE capability to write to a 0o444 file
which may not be available in some environments.

https://pagure.io/freeipa/issue/8441
---
 ipaserver/install/certs.py  | 2 +-
 ipaserver/install/server/install.py | 5 ++---
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 22ee79bd1d..51d9f92219 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -329,7 +329,7 @@ def export_ca_cert(self, nickname, create_pkcs12=False):
 ipautil.backup_file(cacert_fname)
 root_nicknames = self.find_root_cert(nickname)[:-1]
 with open(cacert_fname, "w") as f:
-os.fchmod(f.fileno(), stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
+os.fchmod(f.fileno(), 0o644)
 for root in root_nicknames:
 result = self.run_certutil(["-L", "-n", root, "-a"],
capture_output=True)
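Review bot: A short why-comment on the new mode literal would keep the reasoning from the commit message next to the code, e.g. `# The CA cert is public data; 0644 lets root rewrite it without DAC_OVERRIDE` above `os.fchmod(f.fileno(), 0o644)`. If this was the only use of `stat` in certs.py, that import is now unused and lint will flag it; the diff does not show the import block so this needs checking. Existing installations that already have a 0444 file are presumably only corrected when export_ca_cert runs again, so the healthcheck warning may persist on upgraded systems until then. export_ca_cert continues outside this hunk.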
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index b53c58e2a6..6a593602fc 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -891,9 +891,8 @@ def install(installer):
 
 ca.install_step_0(False, None, options, custodia=custodia)
 else:
-# Put the CA cert where other instances expect it
-x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT)
-os.chmod(paths.IPA_CA_CRT, 0o444)
+# /etc/ipa/ca.crt is created as a side-effect of
+# dsinstance::enable_ssl() via export_ca_cert()
 
 if not options.no_pkinit:
 x509.write_certificate(http_ca_cert, paths.KDC_CA_BUNDLE_PEM)
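Review bot: After the removal, the `else:` branch visible here holds only the two comment lines; indentation is lost in this archive rendering, so if the following `if not options.no_pkinit:` is not nested inside that `else:` the branch is empty and will not parse, which is worth confirming against the file. The comment `dsinstance::enable_ssl()` uses C++-style scope syntax in a Python file; the dotted Python name of the method would be easier to search for. Since the file is now produced as a side effect of a call elsewhere, the comment could also say that this branch intentionally relies on that ordering so a future refactor does not reintroduce an explicit write. install continues outside this hunk.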

From 83ddfbfd6db62a45852959af8440d9c35532813a Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Tue, 4 Aug 2020 15:12:20 -0400
Subject: [PATCH 2/2] ipatests: Check permissions of /etc/ipa/ca.crt new
 installations

It should be 0644 root:root for both CA-ful and CA-less installs.

https://pagure.io/freeipa/issue/8441
---
 ipatests/test_integration/test_caless.py   |  8 
 ipatests/test_integration/test_installation.py | 10 ++
 2 files changed, 18 insertions(+)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index 1ea7d9896f..16dfbb320b 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -394,6 +394,14 @@ def verify_installation(self):
  host, cert_from_ldap.public_bytes(x509.Encoding.PEM))
 assert cert_from_ldap == expected_cacrt
 
+result = host.run_command(
+["/usr/bin/stat", "-c", "%U:%G:%a", paths.IPA_CA_CRT]
+)
+(owner, group, mode) = result.stdout_text.strip().split(':')
+assert owner == "root"
+assert group == "root"
+assert mode == "644"
+
 # Verify certmonger was not started
 result = host.run_command(['getcert', 'list'], raiseonerr=False)
 assert result.returncode == 0
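Review bot: The stat-and-parse sequence added here is repeated almost verbatim in the `@@ -346,6 +346,16 @@` hunk of test_installation.py in the same patch; a small helper in the shared tasks module returning `(owner, group, mode)` for a path would keep both tests in sync if the check is ever extended to other files. The `%a` format yields the octal mode without a leading zero, so comparing against `"644"` is correct. verify_installation continues outside this hunk.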
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index 100a5a7666..fb19900838 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -346,6 +346,16 @@ def test_certmonger_reads_token_HSM(self):
 status = tasks.wait_for_request(self.master, request_id[0], 300)
 assert status == "MONITORING"
 
+def test_ipa_ca_crt_permissions(self):
+"""Verify that /etc/ipa/ca.cert is mode 0644 root:root"""
+result = self.master.run_command(
+["/usr/bin/stat", "-c", "%U:%G:%a", paths.IPA_CA_CRT]
+)
+out = str(result.stdout_text.strip())
+(owner, group, mode) = out.split(':')
+assert mode == "644"
+assert owner == "root"
+assert group == "root"
 
 class TestInstallWithCA_KRA1(InstallTestBase1):
 
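Review bot: The docstring names the wrong file: `"""Verify that /etc/ipa/ca.cert is mode 0644 root:root"""` should read `/etc/ipa/ca.crt`, which is the path `paths.IPA_CA_CRT` resolves to according to the commit message. `str(result.stdout_text.strip())` appears redundant if stdout_text is already a str, as its use without conversion in test_caless.py suggests. The assertion order (mode, owner, group) differs from the owner/group/mode order used in the test_caless.py hunk of the same patch; matching them is a small consistency win.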

[Freeipa-devel] [freeipa PR#4989][closed] Set permissions of /etc/ipa/ca.crt to 0644 in CA-less installs

2020-08-06 Thread flo-renaud via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/4989
Author: rcritten
 Title: #4989: Set permissions of /etc/ipa/ca.crt to 0644 in CA-less installs
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4989/head:pr4989
git checkout pr4989


[Freeipa-devel] [freeipa PR#4999][opened] Don't configure authselect in containers

2020-08-06 Thread tiran via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/4999
Author: tiran
 Title: #4999: Don't configure authselect in containers
Action: opened

PR body:
"""
freeipa-container images come with authselect pre-configured. There is
no need to configure, migrate, or restore authselect. The --mkhomedir
option is not supported, too.

Related: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4999/head:pr4999
git checkout pr4999
From 48c127d259eaed90bb1abc6b59e07c569481215a Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Thu, 6 Aug 2020 12:44:32 +0200
Subject: [PATCH] Don't configure authselect in containers

freeipa-container images come with authselect pre-configured. There is
no need to configure, migrate, or restore authselect. The --mkhomedir
option is not supported, too.

Related: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes 
---
 ipaclient/install/client.py  |  8 
 ipaplatform/README.md| 50 
 ipaplatform/base/tasks.py|  5 +++
 ipaplatform/fedora_container/__init__.py |  2 +-
 ipaplatform/fedora_container/tasks.py| 23 ++-
 ipaplatform/rhel_container/__init__.py   |  2 +-
 ipaplatform/rhel_container/tasks.py  | 23 ++-
 7 files changed, 109 insertions(+), 4 deletions(-)
 create mode 100644 ipaplatform/README.md

diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index ad03c81fd1..3df2cf9dcd 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2160,6 +2160,14 @@ def install_check(options):
 "authentication resources",
 rval=CLIENT_INSTALL_ERROR)
 
+# --mkhomedir is not supported by fedora_container and rhel_container
+if not tasks.is_mkhomedir_supported() and options.mkhomedir:
+raise ScriptError(
+"Option '--mkhomedir' is incompatible with the 'authselect' tool "
+"provided by this distribution for configuring system "
+"authentication resources",
+rval=CLIENT_INSTALL_ERROR)
+
 # when installing with '--no-sssd' option, check whether nss-ldap is
 # installed
 if not options.sssd:
diff --git a/ipaplatform/README.md b/ipaplatform/README.md
new file mode 100644
index 00..a1aff58069
--- /dev/null
+++ b/ipaplatform/README.md
@@ -0,0 +1,50 @@
+# IPA platform abstraction
+
+The ``ipaplatform`` package provides an abstraction layer for
+supported Linux distributions and flavors. The package contains
+constants, paths to commands and config files, services, and tasks.
+
+* **base** abstract base platform
+* **debian** Debian- and Ubuntu-like
+* **redhat** abstract base for Red Hat platforms
+* **fedora** Fedora
+* **fedora_container** freeipa-container on Fedora
+* **rhel** RHEL and CentOS
+* **rhel_container** freeipa-container on RHEL and CentOS
+* **suse** OpenSUSE and SLES
+
+```
+[base]
+  ├─ debian
+  ├─[redhat]
+  │   ├─ fedora
+  │   │   └─ fedora_container
+  │   └─ rhel
+  │   └─ rhel_container
+  └─ suse
+```
+(Note: Debian and SUSE use some definitions from Red Hat namespace.)
+
+
+## freeipa-container platform
+
+The **fedora_container** and **rhel_container** platforms are flavors
+of the **fedora** and **rhel** platforms. These platform definitions
+are specifically designed for
+[freeipa-container](https://github.com/freeipa/freeipa-container).
+The FreeIPA server container implements a read-only container. Paths
+like ``/etc``, ``/usr``, and ``/var`` are mounted read-only and cannot
+be modified. The image uses symlinks to store all variable data like
+config files and LDAP database in ``/data``.
+
+* Some commands don't write through dangling symlinks. The IPA
+  platforms for containers prefix some paths with ``/data``.
+* ``ipa-server-upgrade`` verifies that the platform does not change
+  between versions. To allow upgrades of old containers, sysupgrade
+  maps ``$distro_container`` to ``$distro`` platform.
+* The container images come with authselect pre-configured with
+  ``sssd with-sudo`` option. The tasks ``modify_nsswitch_pam_stack``
+  and ``migrate_auth_configuration`` are no-ops. ``ipa-restore``
+  does not restore authselect settings. ``ipa-backup`` still stores
+  authselect settings in backup data.
+* The ``--mkhomedir`` option is not supported.
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index 2e35dfd424..ad1e90d398 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -208,7 +208,12 @@ def is_nosssd_supported(self):
 """
 Check if the flag --no-sssd is supported for client install.
 """
+return True
 
+def is_mkhomedir_supported(self):
+"""
+Check if the flag --mkhomedir is supported for client install.
+"""
 return True
 
 def 

[Freeipa-devel] preparing FreeIPA 4.8.9 release

2020-08-06 Thread Alexander Bokovoy via FreeIPA-devel

Hi,

it is time for another FreeIPA 4.8 release. My plan is to do a release
either tomorrow, Friday, August 7th, or early next week, depending on how
fast the following pull requests are acked and backported to ipa-4-8:

PyCryptography 2.7+ compatibility:
https://github.com/freeipa/freeipa/pull/4936

CA cert permissions in CA-less setup:
https://github.com/freeipa/freeipa/pull/4989

Figuring out translations' updates:
https://github.com/freeipa/freeipa/pull/4981 and off-band research. I
might push the changes manually directly to Pagure to shortcut the
process as these are robot-produced ones and initial commit will be
huge.

Container platforms support:
https://github.com/freeipa/freeipa/pull/4992

Reliable client and server installation checks:
https://github.com/freeipa/freeipa/pull/4895

Web UI fixes for object class evaluator of user details facet:
https://github.com/freeipa/freeipa/pull/4720

We also have a breakage in Fedora Rawhide right now where Dogtag was
rebuilt against Java 11 and currently does not work due to missing
dependencies: https://bugzilla.redhat.com/show_bug.cgi?id=1866570
This one is being investigated by the Dogtag team, hopefully will be
fixed before the release.


Current draft of the release notes for ipa-4-8 branch are available at
https://vda.li/drafts/freeipa-4.8.9-release-notes.html

As usual, you can add release notes by modifying a 'changelog' field of
the corresponding Pagure ticket. For changes known in advance please add
them directly in the commit messages with RN: prefix. If you know
changes that warrant a release note but don't have time to add the
changelog entries yourself, please respond to this thread with your
comments and I'll incorporate them myself.

The list is generated using a slightly modified version of a release
notes tool from freeipa-tools. The changes are mostly around providing
bugzilla references from 'rhbz' field in Pagure ticket. 


I'll push my changes soon but if you are interested in the run
arguments for the release notes tool, they are

python3 release/release-notes.py \
4.8.9 2020-08-07 4.8.8 4.8 release-4-8-8..origin/ipa-4-8 "FreeIPA 4.8" \
--links --token-file ~/.ipa/pagure.token --repo ~/src/freeipa-clean  \
--nomilestones > ~/todo/freeipa-4.8.9-release-notes.txt


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-devel] [freeipa PR#4998][opened] ipatests: Test certmonger rekey command works fine

2020-08-06 Thread mrizwan93 via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/4998
Author: mrizwan93
 Title: #4998: ipatests: Test certmonger rekey command works fine
Action: opened

PR body:
"""
Certmonger's rekey command was throwing an error as
unrecognized command. Test is to check if it is working fine.

related: https://bugzilla.redhat.com/show_bug.cgi?id=1249165

Signed-off-by: Mohammad Rizwan 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4998/head:pr4998
git checkout pr4998
From 7a3cba77bdad8ad7cf628b8df8e99b2c8f449702 Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan 
Date: Thu, 6 Aug 2020 14:16:31 +0530
Subject: [PATCH] ipatests: Test certmonger rekey command works fine

Certmonger's rekey command was throwing an error as
unrecognized command. Test is to check if it is working fine.

related: https://bugzilla.redhat.com/show_bug.cgi?id=1249165

Signed-off-by: Mohammad Rizwan 
---
 ipatests/test_integration/test_cert.py | 40 ++
 1 file changed, 40 insertions(+)

diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
index 865578941c..747c16ec3c 100644
--- a/ipatests/test_integration/test_cert.py
+++ b/ipatests/test_integration/test_cert.py
@@ -9,6 +9,7 @@
 import ipaddress
 import pytest
 import re
+import time
 
 from ipaplatform.paths import paths
 from cryptography import x509
@@ -216,6 +217,45 @@ def test_getcert_list_profile_using_subca(self, test_subca_certs):
 raise AssertionError("certmonger request is "
  "in state {}". format(status))
 
+def test_certmonger_rekey_option(self):
+"""Test certmonger rekey command works fine
+
+Certmonger's rekey command was throwing an error as
+unrecognized command. Test is to check if it is working fine.
+
+related: https://bugzilla.redhat.com/show_bug.cgi?id=1249165
+"""
+result = self.master.run_command([
+'ipa-getcert', 'request',
+'-f', '/etc/pki/tls/certs/test.pem',
+'-k', '/etc/pki/tls/private/test.key',
+'-K', 'test/{}'.format(self.master.hostname)])
+request_id =  get_certmonger_fs_id(result.stdout_text)
+certdata = self.master.get_file_contents(
+'/etc/pki/tls/certs/test.pem'
+)
+cert = x509.load_pem_x509_certificate(
+certdata, default_backend()
+)
+assert cert.public_key().key_size == 2048
+
+# rekey with key size 3072
+self.master.run_command(['getcert', 'rekey',
+ '-i', request_id,
+ '-g', '3072'])
+time.sleep(60)
+certdata = self.master.get_file_contents(
+'/etc/pki/tls/certs/test.pem'
+)
+cert = x509.load_pem_x509_certificate(
+certdata, default_backend()
+)
+# check if rekey command updated the key size
+assert cert.public_key().key_size == 3072
+
+self.master.run_command(['getcert', 'stop-tracking'
+ '-i', request_id])
+
 
 class TestCertmongerInterruption(IntegrationTest):
 num_replicas = 1
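Review bot: `time.sleep(60)` after `getcert rekey` is a fixed delay rather than a check of the request state, so the test is either slow or flaky depending on how long certmonger takes to regenerate and re-enroll; polling the request until it is back in MONITORING (the `tasks.wait_for_request` helper used in test_installation.py elsewhere on this page looks suited) would be both faster and more reliable. `get_certmonger_fs_id` is not imported or defined in this patch, so it must already be in scope in test_cert.py; worth confirming. `request_id =  get_certmonger_fs_id(...)` has a double space after `=`. The missing comma in the stop-tracking call is the same defect noted on the PR#5002 hunk above.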