[Freeipa-devel] [freeipa PR#2852][opened] Add more tests for --external-ca-profile handling

2019-02-19 Thread frasertweedale via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/2852
Author: frasertweedale
 Title: #2852: Add more tests for --external-ca-profile handling
Action: opened

PR body:
"""
Add tests for remaining untested scenarios of --external-ca-profile
handling in ipa-server-install.

ipa-ca-install and ipa-cacert-manage remain untested at present.

Fixes: https://pagure.io/freeipa/issue/7548
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2852/head:pr2852
git checkout pr2852
From 094152cdb5cce2fca25a4fa9bbf1066934d33bc7 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Wed, 20 Feb 2019 18:34:33 +1100
Subject: [PATCH] Add more tests for --external-ca-profile handling

Add tests for remaining untested scenarios of --external-ca-profile
handling in ipa-server-install.

ipa-ca-install and ipa-cacert-manage remain untested at present.

Fixes: https://pagure.io/freeipa/issue/7548
---
 ipatests/test_integration/test_external_ca.py | 163 +-
 1 file changed, 162 insertions(+), 1 deletion(-)

diff --git a/ipatests/test_integration/test_external_ca.py b/ipatests/test_integration/test_external_ca.py
index 5e099ebbcc..dfaad673f6 100644
--- a/ipatests/test_integration/test_external_ca.py
+++ b/ipatests/test_integration/test_external_ca.py
@@ -31,7 +31,7 @@
 
 from itertools import chain, repeat
 from ipatests.create_external_ca import ExternalCA, ISSUER_CN
-from ipaserver.install.cainstance import MSCSTemplateV1
+from ipaserver.install.cainstance import MSCSTemplateV1, MSCSTemplateV2
 
 IPA_CA = 'ipa_ca.crt'
 ROOT_CA = 'root_ca.crt'
@@ -411,3 +411,164 @@ def test_master_install_ca2(self):
 'certutil', '-L', '-d', paths.PKI_TOMCAT_ALIAS_DIR,
 '-n', cert_nick])
 assert "CN=RootCA2" in result.stdout_text
+
+
+class TestExternalCAProfileV1(IntegrationTest):
+"""
+Test that --external-ca-profile=Foo gets propagated to the CSR.
+
+The default template extension when --external-ca-type=ms-cs,
+a V1 extension with value "SubCA", already gets tested by the
+``TestExternalCA`` class.
+
+We only need to do Step 1 of installation, then check the CSR.
+
+"""
+def test_invalid_v1_template(self):
+result = install_server_external_ca_step1(
+self.master,
+extra_args=[
+'--external-ca-type=ms-cs',
+'--external-ca-profile=NotAnOid:1',
+]
+)
+assert result.returncode != 0
+assert '--external-ca-profile' in result.stderr_text
+
+def test_valid_v1_template(self):
+template_name = 'TemplateOfAwesome'
+
+result = install_server_external_ca_step1(
+self.master,
+extra_args=[
+'--external-ca-type=ms-cs',
+f'--external-ca-profile={template_name}',
+]
+)
+assert result.returncode == 0
+
+ipa_csr = self.master.get_file_contents(paths.ROOT_IPA_CSR)
+check_mscs_extension(ipa_csr, MSCSTemplateV1(template_name))
+
+
+class TestExternalCAProfileV2MajorOnly(IntegrationTest):
+"""
+Test that V2 template specifiers without minor version get
+propagated to CSR.  This class also tests all error modes in
+specifying a V2 template, those being:
+
+- no major version specified
+- too many parts specified (i.e. major, minor, and then some more)
+- major version is not an int
+- major version is negative
+- minor version is not an int
+- minor version is negative
+
+We only need to do Step 1 of installation, then check the CSR.
+
+"""
+def test_v2_template_too_few_parts(self):
+result = install_server_external_ca_step1(
+self.master,
+extra_args=[
+'--external-ca-type=ms-cs',
+'--external-ca-profile=1.2.3.4',
+]
+)
+assert result.returncode != 0
+assert '--external-ca-profile' in result.stderr_text
+
+def test_v2_template_too_many_parts(self):
+result = install_server_external_ca_step1(
+self.master,
+extra_args=[
+'--external-ca-type=ms-cs',
+'--external-ca-profile=1.2.3.4:100:200:300',
+]
+)
+assert result.returncode != 0
+assert '--external-ca-profile' in result.stderr_text
+
+def test_v2_template_major_version_not_int(self):
+result = install_server_external_ca_step1(
+self.master,
+extra_args=[
+'--external-ca-type=ms-cs',
+'--external-ca-profile=1.2.3.4:wat:200',
+]
+)
+assert result.returncode != 0
+assert '--external-ca-profile' in result.stderr_text
+
+def test_v2_template_major_version_negative(self):
+result = install_server_external_ca_step1(
+self.master,
+extra_args=[
+

[Freeipa-devel] [freeipa PR#2851][opened] [testing_f28] Nightly PR

2019-02-19 Thread freeipa-pr-ci via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/2851
Author: freeipa-pr-ci
 Title: #2851: [testing_f28] Nightly PR
Action: opened

PR body:
"""
None
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2851/head:pr2851
git checkout pr2851
From 62b80eb4abf208fc3c3a236cd26e1929a2b53cdc Mon Sep 17 00:00:00 2001
From: root 
Date: Tue, 19 Feb 2019 23:00:11 +
Subject: [PATCH] automated commit

---
 .freeipa-pr-ci.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml
index abcf8c5b63..9b34383159 12
--- a/.freeipa-pr-ci.yaml
+++ b/.freeipa-pr-ci.yaml
@@ -1 +1 @@
-ipatests/prci_definitions/gating.yaml
\ No newline at end of file
+ipatests/prci_definitions/nightly_f28.yaml
\ No newline at end of file


[Freeipa-devel] [freeipa PR#2840][closed] [testing_f28] Nightly PR

2019-02-19 Thread freeipa-pr-ci via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/2840
Author: freeipa-pr-ci
 Title: #2840: [testing_f28] Nightly PR
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2840/head:pr2840
git checkout pr2840


[Freeipa-devel] [freeipa PR#2849][closed] [Backport][ipa-4-7] tests: fix failure in test_topology_TestTopologyOptions:test_add_remove_segment

2019-02-19 Thread flo-renaud via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/2849
Author: fcami
 Title: #2849: [Backport][ipa-4-7] tests: fix failure in 
test_topology_TestTopologyOptions:test_add_remove_segment
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2849/head:pr2849
git checkout pr2849


[Freeipa-devel] [freeipa PR#2848][closed] [Backport][ipa-4-6] tests: fix failure in test_topology_TestTopologyOptions:test_add_remove_segment

2019-02-19 Thread flo-renaud via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/2848
Author: fcami
 Title: #2848: [Backport][ipa-4-6] tests: fix failure in 
test_topology_TestTopologyOptions:test_add_remove_segment
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2848/head:pr2848
git checkout pr2848


[Freeipa-devel] [freeipa PR#2850][opened] [Backport][ipa-4-7] Web UI: Increase timeouts for UI tests in Nightly PR configuration

2019-02-19 Thread serg-cymbaluk via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/2850
Author: serg-cymbaluk
 Title: #2850: [Backport][ipa-4-7] Web UI: Increase timeouts for UI tests in 
Nightly PR configuration
Action: opened

PR body:
"""
Manual backport of #2838 

Some WebUI test suites in the Nightly PR configuration have timeouts with no
margin, so these tests fail randomly.

Timeout values for these tests were increased to {real duration} + ~30%

https://pagure.io/freeipa/issue/7864
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2850/head:pr2850
git checkout pr2850
From b3a509716bcbdcbd8eb7d711bf3de178a286392e Mon Sep 17 00:00:00 2001
From: Serhii Tsymbaliuk 
Date: Thu, 14 Feb 2019 10:48:15 +0100
Subject: [PATCH] Web UI: Increase timeouts for UI tests in Nightly PR
 configuration

Some WebUI test suites in the Nightly PR configuration have timeouts with no margin,
so these tests fail randomly.

Timeout values for these tests were increased to {real duration} + ~30%

https://pagure.io/freeipa/issue/7864
---
 ipatests/prci_definitions/nightly_f28.yaml | 6 +++---
 ipatests/prci_definitions/nightly_master.yaml  | 6 +++---
 ipatests/prci_definitions/nightly_rawhide.yaml | 6 +++---
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/ipatests/prci_definitions/nightly_f28.yaml b/ipatests/prci_definitions/nightly_f28.yaml
index 29872c5f98..ae2d8b9def 100644
--- a/ipatests/prci_definitions/nightly_f28.yaml
+++ b/ipatests/prci_definitions/nightly_f28.yaml
@@ -661,7 +661,7 @@ jobs:
 build_url: '{fedora-28/build_url}'
 test_suite: test_webui/test_cert.py
 template: *ci-master-f28
-timeout: 1800
+timeout: 2400
 topology: *ipaserver
 
   fedora-28/test_webui_general:
@@ -792,7 +792,7 @@ jobs:
 build_url: '{fedora-28/build_url}'
 test_suite: test_webui/test_service.py
 template: *ci-master-f28
-timeout: 1800
+timeout: 2400
 topology: *ipaserver
 
   fedora-28/test_webui_users:
@@ -806,7 +806,7 @@ jobs:
   test_webui/test_group.py
   test_webui/test_user.py
 template: *ci-master-f28
-timeout: 3600
+timeout: 4800
 topology: *ipaserver
 
   fedora-28/test_pkinit_manage:
diff --git a/ipatests/prci_definitions/nightly_master.yaml b/ipatests/prci_definitions/nightly_master.yaml
index 5f7a86dfa0..090b37d9c7 100644
--- a/ipatests/prci_definitions/nightly_master.yaml
+++ b/ipatests/prci_definitions/nightly_master.yaml
@@ -661,7 +661,7 @@ jobs:
 build_url: '{fedora-29/build_url}'
 test_suite: test_webui/test_cert.py
 template: *ci-master-f29
-timeout: 1800
+timeout: 2400
 topology: *ipaserver
 
   fedora-29/test_webui_general:
@@ -792,7 +792,7 @@ jobs:
 build_url: '{fedora-29/build_url}'
 test_suite: test_webui/test_service.py
 template: *ci-master-f29
-timeout: 1800
+timeout: 2400
 topology: *ipaserver
 
   fedora-29/test_webui_users:
@@ -806,7 +806,7 @@ jobs:
   test_webui/test_group.py
   test_webui/test_user.py
 template: *ci-master-f29
-timeout: 3600
+timeout: 4800
 topology: *ipaserver
 
   fedora-29/test_pkinit_manage:
diff --git a/ipatests/prci_definitions/nightly_rawhide.yaml b/ipatests/prci_definitions/nightly_rawhide.yaml
index 2f5c3ef640..b3854610a3 100644
--- a/ipatests/prci_definitions/nightly_rawhide.yaml
+++ b/ipatests/prci_definitions/nightly_rawhide.yaml
@@ -649,7 +649,7 @@ jobs:
 build_url: '{fedora-rawhide/build_url}'
 test_suite: test_webui/test_cert.py
 template: *ci-master-frawhide
-timeout: 1800
+timeout: 2400
 topology: *ipaserver
 
   fedora-rawhide/test_webui_general:
@@ -780,7 +780,7 @@ jobs:
 build_url: '{fedora-rawhide/build_url}'
 test_suite: test_webui/test_service.py
 template: *ci-master-frawhide
-timeout: 1800
+timeout: 2400
 topology: *ipaserver
 
   fedora-rawhide/test_webui_users:
@@ -794,7 +794,7 @@ jobs:
   test_webui/test_group.py
   test_webui/test_user.py
 template: *ci-master-frawhide
-timeout: 3600
+timeout: 4800
 topology: *ipaserver
 
   fedora-rawhide/test_pkinit_manage:


[Freeipa-devel] [freeipa PR#2846][closed] ipa_sam: remove dependency to talloc_strackframe.h

2019-02-19 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/2846
Author: sumit-bose
 Title: #2846: ipa_sam: remove dependency to talloc_strackframe.h
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2846/head:pr2846
git checkout pr2846


[Freeipa-devel] [freeipa PR#2849][opened] [Backport][ipa-4-7] tests: fix failure in test_topology_TestTopologyOptions:test_add_remove_segment

2019-02-19 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/2849
Author: fcami
 Title: #2849: [Backport][ipa-4-7] tests: fix failure in 
test_topology_TestTopologyOptions:test_add_remove_segment
Action: opened

PR body:
"""
This PR was opened automatically because PR #2841 was pushed to master and 
backport to ipa-4-7 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2849/head:pr2849
git checkout pr2849
From b2d9ac838a8d11a79de0b3c6c3186c4793a2c8fd Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Fri, 15 Feb 2019 16:19:08 +0100
Subject: [PATCH] tests: fix failure in
 test_topology_TestTopologyOptions:test_add_remove_segment

The test is performing topology changes on the master, then
waits for replication to replicate the changes and checks
the expected outcome on replica1.

The issue is that wait_for_replication was called on replica1,
but should be called on the master. This method is reliable only
if it is executed on the host where the modification was done.

Fixes https://pagure.io/freeipa/issue/7865
---
 ipatests/test_integration/test_topology.py | 7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/ipatests/test_integration/test_topology.py b/ipatests/test_integration/test_topology.py
index fed82d11b0..bc0aabca2c 100644
--- a/ipatests/test_integration/test_topology.py
+++ b/ipatests/test_integration/test_topology.py
@@ -140,8 +140,8 @@ def test_add_remove_segment(self):
 assert returncode == 0, error
 # Wait till replication ends and make sure replica1 does not have
 # segment that was deleted on master
-replica1_ldap = self.replicas[0].ldap_connect()
-tasks.wait_for_replication(replica1_ldap)
+master_ldap = self.master.ldap_connect()
+tasks.wait_for_replication(master_ldap)
 result3 = self.replicas[0].run_command(['ipa', 'topologysegment-find',
DOMAIN_SUFFIX_NAME]).stdout_text
 assert(deleteme not in result3), "%s: segment still exists" % deleteme
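Review bot: The comment above the new `master_ldap = self.master.ldap_connect()` line still only says to wait for replication; it does not record why the wait now runs against the master. Per the commit message, wait_for_replication is reliable only on the host where the modification was made, so I would add `# wait on the master: wait_for_replication is only reliable on the host where the change was made`. That keeps a later edit from moving the call back to a replica. The next hunk reuses `master_ldap` after `user-add`, and the same reasoning applies there. test_add_remove_segment starts and ends outside both hunks.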
@@ -150,8 +150,7 @@ def test_add_remove_segment(self):
 self.master.run_command(['ipa', 'user-add', 'someuser',
  '--first', 'test',
  '--last', 'user'])
-dest_ldap = self.replicas[1].ldap_connect()
-tasks.wait_for_replication(dest_ldap)
+tasks.wait_for_replication(master_ldap)
 result4 = self.replicas[1].run_command(['ipa', 'user-find'])
 assert('someuser' in result4.stdout_text), 'User not found: someuser'
 # We end up having a line topology: master <-> replica1 <-> replica2


[Freeipa-devel] [freeipa PR#2848][opened] [Backport][ipa-4-6] tests: fix failure in test_topology_TestTopologyOptions:test_add_remove_segment

2019-02-19 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/2848
Author: fcami
 Title: #2848: [Backport][ipa-4-6] tests: fix failure in 
test_topology_TestTopologyOptions:test_add_remove_segment
Action: opened

PR body:
"""
This PR was opened automatically because PR #2841 was pushed to master and 
backport to ipa-4-6 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2848/head:pr2848
git checkout pr2848
From 5b7d4636087083cd0045d6a7af83249e0a225ce3 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Fri, 15 Feb 2019 16:19:08 +0100
Subject: [PATCH] tests: fix failure in
 test_topology_TestTopologyOptions:test_add_remove_segment

The test is performing topology changes on the master, then
waits for replication to replicate the changes and checks
the expected outcome on replica1.

The issue is that wait_for_replication was called on replica1,
but should be called on the master. This method is reliable only
if it is executed on the host where the modification was done.

Fixes https://pagure.io/freeipa/issue/7865
---
 ipatests/test_integration/test_topology.py | 7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/ipatests/test_integration/test_topology.py b/ipatests/test_integration/test_topology.py
index abc9dc7d95..a84de6b321 100644
--- a/ipatests/test_integration/test_topology.py
+++ b/ipatests/test_integration/test_topology.py
@@ -160,8 +160,8 @@ def test_add_remove_segment(self):
 assert returncode == 0, error
 # Wait till replication ends and make sure replica1 does not have
 # segment that was deleted on master
-replica1_ldap = self.replicas[0].ldap_connect()
-tasks.wait_for_replication(replica1_ldap)
+master_ldap = self.master.ldap_connect()
+tasks.wait_for_replication(master_ldap)
 result3 = self.replicas[0].run_command(['ipa', 'topologysegment-find',
DOMAIN_SUFFIX_NAME]).stdout_text
 assert(deleteme not in result3), "%s: segment still exists" % deleteme
@@ -170,8 +170,7 @@ def test_add_remove_segment(self):
 self.master.run_command(['ipa', 'user-add', 'someuser',
  '--first', 'test',
  '--last', 'user'])
-dest_ldap = self.replicas[1].ldap_connect()
-tasks.wait_for_replication(dest_ldap)
+tasks.wait_for_replication(master_ldap)
 result4 = self.replicas[1].run_command(['ipa', 'user-find'])
 assert('someuser' in result4.stdout_text), 'User not found: someuser'
 # We end up having a line topology: master <-> replica1 <-> replica2


[Freeipa-devel] [freeipa PR#2841][closed] tests: fix failure in test_topology_TestTopologyOptions:test_add_remove_segment

2019-02-19 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/2841
Author: flo-renaud
 Title: #2841: tests: fix failure in 
test_topology_TestTopologyOptions:test_add_remove_segment
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2841/head:pr2841
git checkout pr2841


[Freeipa-devel] [freeipa PR#2847][opened] pkinit setup: fix regression on master install

2019-02-19 Thread flo-renaud via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/2847
Author: flo-renaud
 Title: #2847: pkinit setup: fix regression on master install
Action: opened

PR body:
"""
## pkinit setup: fix regression on master install
The commit 7785210 intended to fix ipa-pkinit-manage enable on a replica 
without any CA but introduced a regression: ipa-server-install fails to 
configure pkinit with the fix.

This commit provides a proper fix without the regression: pkinit needs to 
contact Dogtag directly only in case there is no CA instance yet (for ex. 
because we are installing the first master).

Fixes: https://pagure.io/freeipa/issue/7795

## test: add non-reg test checking pkinit after server install
Add a test with the following scenario:
ipa-server-install (with ca and pkinit enabled)
check that pkinit is properly enabled:
ipa-pkinit-manage status must return "enabled"
the KDC cert must be signed by IPA CA

Related to: https://pagure.io/freeipa/issue/7795

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2847/head:pr2847
git checkout pr2847
From de6bc315eff939d843f8250292ab5cfad16fef20 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Tue, 19 Feb 2019 09:25:24 +0100
Subject: [PATCH 1/2] pkinit setup: fix regression on master install

The commit 7785210 intended to fix ipa-pkinit-manage enable
on a replica without any CA but introduced a regression:
ipa-server-install fails to configure pkinit with the fix.

This commit provides a proper fix without the regression:
pkinit needs to contact Dogtag directly only in case there is
no CA instance yet (for ex. because we are installing the
first master).

Fixes: https://pagure.io/freeipa/issue/7795
---
 ipaserver/install/krbinstance.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 4ed94ddf7e..247d1d1364 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -429,13 +429,14 @@ def _call_certmonger(self, certmonger_ca='IPA'):
 prev_helper = None
 # on the first CA-ful master without '--no-pkinit', we issue the
 # certificate by contacting Dogtag directly
-localhost_has_ca = self.fqdn in find_providing_servers(
+ca_instances = find_providing_servers(
 'CA', conn=self.api.Backend.ldap2, api=self.api)
+
 use_dogtag_submit = all(
 [self.master_fqdn is None,
  self.pkcs12_info is None,
  self.config_pkinit,
- localhost_has_ca])
+ len(ca_instances) == 0])
 
 if use_dogtag_submit:
 ca_args = [
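Review bot: The comment above `ca_instances = find_providing_servers(` still reads "on the first CA-ful master", but the new condition is that no server provides the CA role at all. The comment should say so, for example `# no CA instance is registered yet (first master): request the KDC cert from Dogtag directly`. Assuming find_providing_servers returns a list, `len(ca_instances) == 0` reads more idiomatically as `not ca_instances`. _call_certmonger starts and ends outside the hunk, so how `use_dogtag_submit` is consumed beyond `ca_args` is not visible here.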

From d3a1d693fae0b667bcea3dc59f5602600fbe88eb Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Tue, 19 Feb 2019 13:30:20 +0100
Subject: [PATCH 2/2] test: add non-reg test checking pkinit after server
 install

Add a test with the following scenario:
ipa-server-install (with ca and pkinit enabled)
check that pkinit is properly enabled:
ipa-pkinit-manage status must return "enabled"
the KDC cert must be signed by IPA CA

Related to: https://pagure.io/freeipa/issue/7795
---
 ipatests/test_integration/test_pkinit_manage.py | 17 +
 1 file changed, 17 insertions(+)

diff --git a/ipatests/test_integration/test_pkinit_manage.py b/ipatests/test_integration/test_pkinit_manage.py
index e74ad43559..3371d86f88 100644
--- a/ipatests/test_integration/test_pkinit_manage.py
+++ b/ipatests/test_integration/test_pkinit_manage.py
@@ -126,3 +126,20 @@ def test_pkinit_on_replica(self):
 
 self.replicas[0].run_command(['ipa-pkinit-manage', 'enable'])
 check_pkinit(self.replicas[0], enabled=True)
+
+
+class TestPkinitInstall(IntegrationTest):
+"""Tests that ipa-server-install properly configures pkinit.
+
+Non-regression test for issue 7795.
+"""
+num_replicas = 0
+
+@classmethod
+def install(cls, mh):
+# Install the master
+tasks.install_master(cls.master)
+
+def test_pkinit(self):
+# Ensure that pkinit is properly configured
+check_pkinit(self.master, enabled=True)
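Review bot: `test_pkinit` has no docstring and delegates everything to `check_pkinit`, whose body is outside the hunk. A reader therefore cannot tell from here that both conditions in the commit message are asserted: status reports "enabled", and the KDC certificate is signed by the IPA CA. I would add a docstring such as `"""pkinit must be enabled and the KDC cert issued by the IPA CA after ipa-server-install."""`. Please also confirm that check_pkinit verifies the certificate issuer and not only the status output, since the regression being guarded is about which CA path issues the KDC certificate.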


[Freeipa-devel] [freeipa PR#2846][opened] ipa_sam: remove dependency to talloc_strackframe.h

2019-02-19 Thread sumit-bose via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/2846
Author: sumit-bose
 Title: #2846: ipa_sam: remove dependency to talloc_strackframe.h
Action: opened

PR body:
"""
Recent Samba versions removed some header files which did include
non-public APIs. As a result talloc_strackframe.h and memory.h (for
SAFE_FREE) are not available anymore. This patch replaces the use of the
non-public APIs with public ones.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2846/head:pr2846
git checkout pr2846
From dcc855ee5745ba0e265bf355d76b6941ce2cc439 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Tue, 19 Feb 2019 12:30:40 +0100
Subject: [PATCH] ipa_sam: remove dependency to talloc_strackframe.h

Recent Samba versions removed some header files which did include
non-public APIs. As a result talloc_strackframe.h and memory.h (for
SAFE_FREE) are not available anymore. This patch replaces the use of the
non-public APIs with public ones.
---
 daemons/ipa-sam/ipa_sam.c | 16 
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index b1e0294e34..ac0aa48f18 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -19,7 +19,6 @@
 #include 
 #include 
 #include 
-#include 
 
 #ifndef _SAMBA_UTIL_H_
 bool trim_string(char *s, const char *front, const char *back);
@@ -880,9 +879,13 @@ static bool ipasam_uid_to_sid(struct pdb_methods *methods, uid_t uid,
 	struct dom_sid *user_sid = NULL;
 	int rc;
 	enum idmap_error_code err;
-	TALLOC_CTX *tmp_ctx = talloc_stackframe();
 	struct unixid id;
 
+	TALLOC_CTX *tmp_ctx = talloc_new(NULL);
+	if (tmp_ctx == NULL) {
+		goto done;
+	}
+
 	/* Fast fail if we get a request for uidNumber=0 because it currently
 	 * will never exist in the directory
 	 * Saves an expensive LDAP call of which failure will never be cached
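Review bot: The new `goto done` taken when `tmp_ctx == NULL` depends on state the hunk does not show. The function's return variable must already be initialised to false at that point, and the cleanup at `done:` must tolerate a NULL `tmp_ctx`; both lie outside the hunk and should be confirmed. A context from `talloc_new(NULL)` has no parent, so it is released only by an explicit free, and every exit path has to reach `done:`. A short comment at the allocation, e.g. `/* parentless context: freed at done: on every exit path */`, would make that contract explicit. The identical change in ipasam_gid_to_sid in the next hunk needs the same check.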
@@ -967,9 +970,13 @@ static bool ipasam_gid_to_sid(struct pdb_methods *methods, gid_t gid,
 	size_t c;
 	int rc;
 	enum idmap_error_code err;
-	TALLOC_CTX *tmp_ctx = talloc_stackframe();
 	struct unixid id;
 
+	TALLOC_CTX *tmp_ctx = talloc_new(NULL);
+	if (tmp_ctx == NULL) {
+		goto done;
+	}
+
 	filter = talloc_asprintf(tmp_ctx,
  "(|(&(gidNumber=%u)"
  "(objectClass=%s))"
@@ -3620,7 +3627,8 @@ static void ipasam_free_private_data(void **vp)
 		(*ipasam_state)->result = NULL;
 	}
 	if ((*ipasam_state)->domain_dn != NULL) {
-		SAFE_FREE((*ipasam_state)->domain_dn);
+		free((*ipasam_state)->domain_dn);
+		(*ipasam_state)->domain_dn = NULL;
 	}
 
 	*ipasam_state = NULL;
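Review bot: The `if ((*ipasam_state)->domain_dn != NULL)` guard around the new `free()` is redundant, because free(NULL) is a no-op. The two added lines can stand on their own as `free((*ipasam_state)->domain_dn);` and `(*ipasam_state)->domain_dn = NULL;`. Keeping the NULL assignment is right, since it preserves the no-dangling-pointer behaviour the removed macro provided. This assumes domain_dn comes from a malloc-family allocation rather than talloc, which the hunk does not show. ipasam_free_private_data starts outside the hunk.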