forked from freeipa/freeipa
[testing_master_testing_selinux] Nightly PR #1565
Closed
Pylint 2.10 introduced new checker `redundant-u-string-prefix`: > Used when we detect a string with a u prefix. These prefixes were necessary in Python 2 to indicate a string was Unicode, but since Python 3.0 strings are Unicode by default. There are ~31K emitted warnings right now. They can be fixed on refactorings without any rush. Fixes: https://pagure.io/freeipa/issue/9117 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Pylint 2.11 introduced new checker:

> Used when we detect a string that is being formatted with format() or % which could potentially be a f-string. The use of f-strings is preferred. Requires Python 3.6 and ``py-version >= 3.6``.

- f-strings are not mandatory
- format can be more readable
- there are ~5.5K spotted issues

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Pylint 2.10 introduced new checkers: > Emitted when using dict() to create an empty dictionary instead of the literal {}. The literal is faster as it avoids an additional function call. > Emitted when using list() to create an empty list instead of the literal []. The literal is faster as it avoids an additional function call. Too many unessential changes. Fixes: https://pagure.io/freeipa/issue/9117 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Pylint 2.10 introduced new checker:

> It is better to specify an encoding when opening documents. Using the system default implicitly can create problems on other operating systems. See https://www.python.org/dev/peps/pep-0597/

According to that PEP:

> open(filename) isn't explicit about which encoding is expected:
> - If ASCII is assumed, this isn't a bug, but may result in decreased performance on Windows, particularly with non-Latin-1 locale encodings
> - If UTF-8 is assumed, this may be a bug or a platform-specific script
> - If the locale encoding is assumed, the behavior is as expected (but could change if future versions of Python modify the default)

IPA requires UTF-8 environments.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Pylint 2.9.0 new checker: > Emitted when accessing only the first or last element of str.split(). The first and last element can be accessed by using str.split(sep, maxsplit=1)[0] or str.rsplit(sep, maxsplit=1)[-1] instead. Fixes: https://pagure.io/freeipa/issue/9117 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
__convert_to_gssapi_replication has been added in a0bfbec and then removed in ce2bb47 without clean up. Found by Pylint: ``` ipaserver/install/krbinstance.py:589: [W0238(unused-private-member), KrbInstance.__convert_to_gssapi_replication] Unused private member `KrbInstance.__convert_to_gssapi_replication(self)`) ``` Fixes: https://pagure.io/freeipa/issue/9117 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
__remove_lightweight_ca_key_retrieval_custodia has been added in 8700101, but it was never used. Caught by Pylint: ``` ipaserver/install/cainstance.py:1308: [W0238(unused-private-member), CAInstance.__remove_lightweight_ca_key_retrieval_custodia] Unused private member `CAInstance.__remove_lightweight_ca_key_retrieval_custodia(self)`) ``` Fixes: https://pagure.io/freeipa/issue/9117 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The private member `__finalized` has been added in 7db3aae, later removed in 6b8abb0, but `_API__finalized` (access via mangled attribute name) was not cleaned up and finally refactored back to `__finalized` in b1fc875. Found by Pylint: ``` ipalib/plugable.py:807: [W0238(unused-private-member), API.finalize] Unused private member `API.__finalized`) ``` Fixes: https://pagure.io/freeipa/issue/9117 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
See pylint-dev/pylint#4756 for details Fixes: https://pagure.io/freeipa/issue/9117 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
> This mangling is done without regard to the syntactic position of the identifier, as long as it occurs within the definition of a class. `__set_attr` is called for instance of the class within its classmethod. Fixes: https://pagure.io/freeipa/issue/9117 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Pylint 2.9.0 introduced new checker: > Emitted when a private member of a class is defined but not used Fixes: https://pagure.io/freeipa/issue/9117 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
`__home` has been added in 8ca44bc, later `tests.util` was refactored in fd43b39, but `__home` wasn't cleaned up. Fixes: https://pagure.io/freeipa/issue/9117 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
__convert_iter was added in 24b6cb8, but it was never used. Found by Pylint: ``` ipalib/frontend.py:696: [W0238(unused-private-member), Command.__convert_iter] Unused private member `Command.__convert_iter(self, kw)`) ``` Fixes: https://pagure.io/freeipa/issue/9117 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
There is no actual usage of deprecated classes for Python3. Pylint complains about such for Python2. Since Python2 is no longer supported these imports were removed. Fixes: https://pagure.io/freeipa/issue/9117 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Pylint 2.9 introduced new check:

> Emitted when iterating over the dictionary items (key-item pairs) and accessing the value by index lookup. The value can be accessed directly instead.

Note: in Python3 removing from dict during an iteration is not even possible. For example,

```
cat a.py
d = {"a": 1}
for k, v in d.items():
    if v is not None:
        del d[k]

python3 a.py
Traceback (most recent call last):
  File "/usr/src/RPM/BUILD/freeipa/a.py", line 3, in <module>
    for k, v in d.items():
RuntimeError: dictionary changed size during iteration
```

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Pylint 2.9 introduced new checker:

> The decorator is marked as deprecated and will be removed in the future.

- @abstractproperty has been deprecated since Python3.3 [0]
- @abstractclassmethod has been deprecated since Python3.3 [1]

[0]: https://docs.python.org/3/library/abc.html#abc.abstractproperty
[1]: https://docs.python.org/3/library/abc.html#abc.abstractclassmethod

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The type of value to be compared is class attribute. Today's Pylint doesn't support this. Fixes: https://pagure.io/freeipa/issue/9117 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Teach pylint or skip newly exposed no-members. Fixes: https://pagure.io/freeipa/issue/9117 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fixed newly exposed unused variables. Fixes: https://pagure.io/freeipa/issue/9117 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The klass property is referenced to class attribute. Today's Pylint doesn't support this. Fixes: https://pagure.io/freeipa/issue/9117 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Pylint 2.9 introduced new check: > New checker consider-using-dict-items. Emitted when iterating over dictionary keys and then indexing the same dictionary with the key within loop body. Fixes: https://pagure.io/freeipa/issue/9117 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
See pylint-dev/pylint#4772 for details. Fixes: https://pagure.io/freeipa/issue/9117 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
https://pylint.pycqa.org/en/latest/user_guide/message-control.html#detecting-useless-disables: > As pylint gets better and false positives are removed, disables that became useless can accumulate and clutter the code. In order to clean them you can enable the useless-suppression warning. This doesn't enforce useless-suppression warnings as errors. The idea is cleanup of these warnings on every Pylint's bump. Fixes: https://pagure.io/freeipa/issue/9117 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Pylint 2.12.0 introduced new checker:

> Used when Pylint detects that collection literal comparison is being used to check for emptiness; Use implicit booleaness instead of a collection classes; empty collections are considered as false

Comparison of variable to equality to collection:

> Lexicographical comparison between built-in collections works as follows: For two collections to compare equal, they must be of the same type, have the same length, and each pair of corresponding elements must compare equal (for example, [1,2] == (1,2) is false because the type is not the same). Collections that support order comparison are ordered the same as their first unequal elements (for example, [1,2,x] <= [1,2,y] has the same value as x <= y). If a corresponding element does not exist, the shorter collection is ordered first (for example, [1,2] < [1,2,3] is true).

So, `assert value == {}` is not the same as `assert not value`.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Pylint 2.9.0 introduced new checker which was a subset of arguments-differ: > Used when a method parameter has a different name than in the implemented interface or in an overridden method. Fixes: https://pagure.io/freeipa/issue/9117 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Pylint 2.11.0 extends consider-using-in check to work for attribute access. > To check if a variable is equal to one of many values, combine the values into a tuple and check if the variable is contained "in" it instead of checking for equality against each of the values. This is faster and less verbose. Fixes: https://pagure.io/freeipa/issue/9117 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Python3.7 switched to `X509_VERIFY_PARAM_set1_host`/`X509_VERIFY_PARAM_set1_ip` and deprecated `match_hostname` without replacement. Probably, on removal of `match_hostname`, similar functionality may be implemented on the IPA side. https://docs.python.org/3/library/ssl.html#ssl.match_hostname Fixes: https://pagure.io/freeipa/issue/9117 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
As of Python3 `currentThread`, `thread.getName` are aliases for `threading.current_thread()` and `threading.Thread.name` respectively. In Python3.10:

> bpo-43723: The following threading methods are now deprecated and should be replaced:
> - currentThread => threading.current_thread()
> - activeCount => threading.active_count()
> - Condition.notifyAll => threading.Condition.notify_all()
> - Event.isSet => threading.Event.is_set()
> - Thread.setName => threading.Thread.name
> - thread.getName => threading.Thread.name
> - Thread.isDaemon => threading.Thread.daemon
> - Thread.setDaemon => threading.Thread.daemon

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Pylint thinks that the values are None because it doesn't support flow analysis. Fixes: https://pagure.io/freeipa/issue/9117 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Found by new Pylint: > ipaclient/install/client.py:1926: [W1310(format-string-without-interpolation), get_ca_certs] Using formatting for a string that does not have any interpolated variables) Fixes: https://pagure.io/freeipa/issue/9117 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Clean up no longer used Pylint's disables where possible. Fixes: https://pagure.io/freeipa/issue/9117 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Pylint doesn't handle flow control and thus, doesn't understand that a key of type `str` is not reachable at this point: > ipalib/base.py:472: [E1126(invalid-sequence-index), NameSpace.__getitem__] Sequence index is not an int, slice, or instance with __index__) Note: I faced this error on Python3.9 and didn't see it using Python3.10. Fixes: https://pagure.io/freeipa/issue/9117 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fixes: https://pagure.io/freeipa/issue/9117 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
In some contexts, filesystem mounts may be owned by unmapped users (e.g. `emptyDir` mounts in Kubernetes / OpenShift when using user namespaces). This causes `systemd-tmpfiles(8)` to fail, as a consequence of systemd's path processing routines which reject this scenario. Therefore, in Fedora container context, if the `IPA_TMPFILES_PROG` environment value is set, use the program specified by its value instead of `/bin/systemd-tmpfiles`. Signed-off-by: Fraser Tweedale <ftweedal@redhat.com> Fixes: https://pagure.io/freeipa/issue/9126 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The subCA keys are loaded out-of-band after creation into the CA so they may have been replicated but not loaded. Give more time for them to appear in the remote CA. Use a loop for the checking instead of a raw sleep because most of the time this is very fast (< 15 seconds) but sometimes it requires just a bit more. Allow up to 60 seconds. To avoid output difference, strip the token name out of certutil output. We don't care about the token a certificate is stored in, the internal or the FIPS token. We just care that they exist on both servers and that the keys match. Apparently in some cases the token name is displayed and not in others so let's normalize the output to make comparisons more consistent. Fixes: https://pagure.io/freeipa/issue/9096 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> Reviewed-By: Stanislav Levin <slev@altlinux.org>
New calls, getorigbyusername() and getorigbygroupname(), are added to libsss_nss_idmap. They allow to query the AD specific attributes for a user or a group directly. Besides a minor performance benefit it helps to avoid issues if there are users and groups with the same name and the group is not a user-private group but a real group with members. Fixes: https://pagure.io/freeipa/issue/9127 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
KDC configuration in /var/kerberos/krb5kdc/kdc.conf is generated from the template in install/share/kdc.conf.template. Master key encryption type specified there is used to bootstrap the master key in LDAP database. Once it is done, actual deployment does not rely on the master_key_type value anymore. The actual master key(s) get loaded from LDAP database where they stored in a BER-encoded format, preserving all parameters, including encryption type. This means we can safely migrate to AES256-SHA2 as the default master key encryption type for new installations. Replicas will get their master key encryption type details from the server they were provisioned from. MIT Kerberos supports AES256-SHA2 since 1.15 (2015), meaning RHEL 7.4 is the earliest supported version as it provides krb5 1.15.1. Current supported RHEL 7 version is RHEL 7.9. Since RHEL 6 already cannot be used as a replica to IPA 4.5+ due to a domain level 1 upgrade, this change does not affect old releases. Migration from the previously deployed master key encryption type is described by MIT Kerberos upstream in http://web.mit.edu/kerberos/krb5-latest/doc/admin/advanced/retiring-des.html#the-database-master-key One would need to use '-x ipa-setup-override-restrictions' to allow the `kdb5_util` utility to modify the data over IPA KDB driver. Fixes: https://pagure.io/freeipa/issue/9119 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
paramiko cannot be used in FIPS mode. We have few tests that import generic methods from test_otp (add_token/del_token) and those tests fail in FIPS mode due to unconditional 'import paramiko'. Instead, move 'import paramiko' to the ssh_2f() helper which is not used in FIPS mode (the whole SSH 2FA test is skipped then). Related: https://pagure.io/freeipa/issue/9119 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
SPAKE is based on the crypto primitives which are not FIPS compliant yet. This means that in FIPS mode use of 'hardened' authentication indicator is not possible. Skip corresponding tests in FIPS mode. Related: https://pagure.io/freeipa/issue/9119 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
The vault plugin has used TripleDES (des-ede3-cbc) as default wrapping algorithm since the plugin was introduced. Allow use of AES-128-CBC as alternative wrapping algorithm for transport of secrets. Fixes: https://pagure.io/freeipa/issue/6524 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
This commit sets AES-128-CBC as default wrapping algorithm as TripleDES (des-ede3-cbc) is not supported anymore in C9S. Fixes: https://pagure.io/freeipa/issue/6524 Signed-off-by: Francisco Trivino <ftrivino@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
When minlife > maxlife is specified on the command line, it says: "ipa: ERROR: invalid 'maxlife': Maximum password life must be greater than minimum." But when minlife == maxlife is specified, it works. This test checks that the error message says exactly what it does. Related: https://pagure.io/freeipa/issue/9038 Signed-off-by: Mohammad Rizwan <myusuf@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
When an entry is loaded the incoming values are converted into python datatypes automatically based on the _SYNTAX_MAPPING value in ipaldap. When using delattr to remove a mapped value it will fail because the datatypes do not match up. For example date types are datetime.datetime structures and won't match a generalized time string. So try to map the value to delete using _SYNTAX_MAPPING before trying to remove the value. Fall back to trying to remove the raw value if the mapping fails. This won't work for some mapping types, DNs for example. Providing only the RDN value for a DN-type, manager for example, lacks the context to know how to construct the DN (RDN and container). Fixes: https://pagure.io/freeipa/issue/9004 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
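
The type mismatch described in the last commit message above, as an added example that is not FreeIPA code: a raw generalized time string never equals the loaded `datetime` value, so removal has to map the value first and fall back to the raw string. `SYNTAX_MAPPING`, `Entry`, the converters and the sample entry are hypothetical stand-ins constructed for this illustration.

```python
# Added illustration; SYNTAX_MAPPING and Entry are hypothetical stand-ins,
# not FreeIPA's ipaldap code.
from datetime import datetime, timezone


def parse_generalized_time(raw):
    """Convert an LDAP generalized time string to an aware datetime."""
    parsed = datetime.strptime(raw, "%Y%m%d%H%M%SZ")
    return parsed.replace(tzinfo=timezone.utc)


def parse_dn(raw):
    """A bare RDN value lacks the container, so no DN can be built from it."""
    if "=" not in raw:
        raise ValueError(f"cannot build a DN from {raw!r}")
    return tuple(part.strip().lower() for part in raw.split(","))


# attribute name -> converter applied when an entry is loaded (constructed)
SYNTAX_MAPPING = {
    "krbpasswordexpiration": parse_generalized_time,
    "uidnumber": int,
    "manager": parse_dn,
}


class Entry(dict):
    """Holds attribute values already converted to Python datatypes."""

    @classmethod
    def load(cls, raw_attrs):
        entry = cls()
        for attr, values in raw_attrs.items():
            convert = SYNTAX_MAPPING.get(attr, str)
            entry[attr] = [convert(v) for v in values]
        return entry

    def remove_naive(self, attr, raw):
        """Compare the raw string against typed values: mapped types never match."""
        if raw not in self[attr]:
            return False
        self[attr].remove(raw)
        return True

    def remove_value(self, attr, raw):
        """Map the value to delete first, then fall back to the raw value."""
        candidates = []
        try:
            candidates.append(SYNTAX_MAPPING.get(attr, str)(raw))
        except (ValueError, TypeError):
            pass  # mapping failed; only the raw value is left to try
        candidates.append(raw)
        for candidate in candidates:
            if candidate in self[attr]:
                self[attr].remove(candidate)
                return True
        return False


# Constructed sample entry, as raw strings before loading
RAW = {
    "krbpasswordexpiration": ["20220301120000Z"],
    "uidnumber": ["1001"],
    "manager": ["uid=alice,cn=users,cn=accounts,dc=example,dc=test"],
}
```

The `manager` case shows the limitation the commit message names: given only `alice`, neither the mapped nor the raw value matches the stored DN, so nothing is removed.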
No description provided.