freeipa.git/ipatests/test_cmdline, branch fix_ber_scanf FreeIPA patches Fix wrong use of identity operation 2019-09-04T08:30:07+00:00 Christian Heimes cheimes@redhat.com 2019-09-03T11:55:27+00:00 0fc4b8c25cb4f1ee49cbf9b47610168b24a9ee56 Strings should not be compared with the identity operation 'is' or 'is not'. Fixes: https://pagure.io/freeipa/issue/8057 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> 
Strings should not be compared with the identity operation 'is' or
'is not'.

Fixes: https://pagure.io/freeipa/issue/8057
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Fix expected return code in tests when server is uninstalled 2019-06-07T09:24:45+00:00 Rob Crittenden rcritten@redhat.com 2019-06-06T14:29:38+00:00 cef4edd384baeda913e309ebcc9a9dd8753dc744 It is likely that these were fixed by the original change b96906156be37a7b29ee74423b82f04070c84e22 but was uncaught because these tests are not executed in CI because the server is configured. https://pagure.io/freeipa/issue/7836 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> 
It is likely that these were fixed by the original change
b96906156be37a7b29ee74423b82f04070c84e22 but was uncaught because
these tests are not executed in CI because the server is configured.

https://pagure.io/freeipa/issue/7836

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
ipa-pwd-extop: do not remove MagicRegen mod, replace it 2019-05-28T06:55:51+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-05-16T10:12:38+00:00 a9bcf531a69b8a39ee2df86b4eb783023b33928e In 2012, ldbm backend in 389-ds started checking entry modification after running betxnpreop plugins by comparing a number of modifications before and after. If that number didn't change, it is considered that plugins didn't modify the list. ipa-pwd-extop actually removed and re-added modification to ipaNTHash if it contained 'MagicRegen' value. This did not work since commit https://pagure.io/389-ds-base/c/6c17ec56076d34540929acbcf2f3e65534060a43 but we were lucky nothing in FreeIPA code actually relied on that except some code paths in ipasam Samba passdb driver. However, Samba didn't reach the point where the code was triggered -- until now. With support to run Samba as a domain member in IPA domain, that code path is triggered for Kerberos service principals of domain members (cifs/client.example.test, ...) and NT hash extraction from Kerberos keys does not work. Fix ipa-pwd-extop to follow recommendations in https://pagure.io/389-ds-base/issue/387#comment-120145 and https://pagure.io/389-ds-base/issue/50369#comment-570696 Fixes: https://pagure.io/freeipa/issue/7953 Reviewed-By: Christian Heimes <cheimes@redhat.com> 
In 2012, ldbm backend in 389-ds started checking entry modification
after running betxnpreop plugins by comparing a number of modifications
before and after. If that number didn't change, it is considered that
plugins didn't modify the list.

ipa-pwd-extop actually removed and re-added modification to ipaNTHash if
it contained 'MagicRegen' value. This did not work since commit
https://pagure.io/389-ds-base/c/6c17ec56076d34540929acbcf2f3e65534060a43
but we were lucky nothing in FreeIPA code actually relied on that except
some code paths in ipasam Samba passdb driver. However, Samba didn't
reach the point where the code was triggered -- until now.

With support to run Samba as a domain member in IPA domain, that code
path is triggered for Kerberos service principals of domain members
(cifs/client.example.test, ...) and NT hash extraction from Kerberos
keys does not work.

Fix ipa-pwd-extop to follow recommendations in
https://pagure.io/389-ds-base/issue/387#comment-120145 and
https://pagure.io/389-ds-base/issue/50369#comment-570696

Fixes: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes@redhat.com>
test_ipagetkeytab: test retrieval of explicit encryption types 2019-05-28T06:55:51+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-05-17T11:27:46+00:00 46234f0cb91ad892b7420eb061e758e26c64e3c7 In order to test a fix for https://pagure.io/freeipa/issue/7953, we need to create a keytab with a particular encryption type (arcfour-hmac) and attempt to request generation of ipaNTHash attribute from Kerberos keys in LDAP. Add a test case that performs this operation. Related: https://pagure.io/freeipa/issue/7953 Reviewed-By: Christian Heimes <cheimes@redhat.com> 
In order to test a fix for https://pagure.io/freeipa/issue/7953,
we need to create a keytab with a particular encryption type
(arcfour-hmac) and attempt to request generation of ipaNTHash attribute
from Kerberos keys in LDAP.

Add a test case that performs this operation.

Related: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes@redhat.com>
test_ipagetkeytab: factor out DM password reader 2019-05-28T06:55:51+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-05-17T11:50:03+00:00 0f891c6a3fef7b75cb4b0a125e26e6e80b0bdcf3 Related: https://pagure.io/freeipa/issue/7953 Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Related: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes@redhat.com>
test_ipagetkeytab: allow testing LDAP connection beyond bind operation 2019-05-28T06:55:51+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-05-17T11:25:25+00:00 6163cbc16658930f49794ebecd5a6ac14ba8cfd4 Convert use_keytab() function into a context manager to allow additional operations to be done as part of the test. Also pass proper credentials cache file to the backend while connecting to LDAP so that right creds are in use. This is required to perform actual tests for use of the retrieved keys. Related: https://pagure.io/freeipa/issue/7953 Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Convert use_keytab() function into a context manager to allow additional
operations to be done as part of the test. Also pass proper credentials
cache file to the backend while connecting to LDAP so that right creds
are in use.

This is required to perform actual tests for use of the retrieved keys.

Related: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Test: add new tests for ipa-crlgen-manage 2019-03-14T08:39:55+00:00 Florence Blanc-Renaud flo@redhat.com 2019-02-22T16:24:45+00:00 4e3a64f70316c98a18e403486f6f8afcec5e24e4 Add new integration tests for the new command ipa-crlgen-manage, and test_cmdline tests. Related to: https://pagure.io/freeipa/issue/5803 Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Francois Cami <fcami@redhat.com> 
Add new integration tests for the new command ipa-crlgen-manage,
and test_cmdline tests.

Related to: https://pagure.io/freeipa/issue/5803

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
ipa-getkeytab: resolve symlink 2019-01-30T07:06:02+00:00 Christian Heimes cheimes@redhat.com 2018-12-12T15:41:01+00:00 53e0b2255d92c9c21c19306cf37cc8de0476dc9c Resolve one level of symbolic links to support a dangling symlink as keytab target. To prevent symlink attacks, only resolve symlink when the symlink is owned by the current effective user and group, or by root. Fixes: https://pagure.io/freeipa/issue/4607 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Resolve one level of symbolic links to support a dangling symlink as
keytab target. To prevent symlink attacks, only resolve symlink when the
symlink is owned by the current effective user and group, or by root.

Fixes: https://pagure.io/freeipa/issue/4607
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Address inconsistent-return-statements 2018-11-13T12:37:58+00:00 Christian Heimes cheimes@redhat.com 2018-11-09T10:13:38+00:00 85286beb5b4da390e24ee35b9c3cd4c2455a1961 Pylint warns about inconsistent return statements when some paths of a function return None implicitly. Make all implicit returns either explicit or raise a proper exception. See: https://pagure.io/freeipa/issue/7758 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Pylint warns about inconsistent return statements when some paths of a
function return None implicitly. Make all implicit returns either
explicit or raise a proper exception.

See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Fix test_cli_fsencoding on Python 3.7, take 2 2018-11-08T15:03:21+00:00 Christian Heimes cheimes@redhat.com 2018-11-07T16:52:03+00:00 e569afb04eddc7eb0b287d9046de05ed8de4772d 0a5a7bdef7c300cb8f8a8128ce6cf5b115683cbe introduced another problem. The test is now failing on systems without a full IPA client or server installation. Use IPA_CONFDIR env var to override location of default.conf, so that the command always fails. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com> 
0a5a7bdef7c300cb8f8a8128ce6cf5b115683cbe introduced another problem. The
test is now failing on systems without a full IPA client or server
installation. Use IPA_CONFDIR env var to override location of
default.conf, so that the command always fails.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>