forked from freeipa/freeipa
Test external names
ipatests: check that external names are resolvable by IPA nameserver #38
Closed
ipa cert-show, ipa cert-revoke and ipa cert-remove-hold do not print meaningful info when called on a non-existent cert id: Certificate operation cannot be completed: Unable to communicate with CMS Propagate the reason from the HTTP message in order to print 'Certificate ID 0x.. not found' Fixes: https://pagure.io/freeipa/issue/8704 Signed-off-by: Florence Blanc-Renaud <flo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add tests for the ipa cert-remove-hold command. Scenario 1: add host entry, request cert, revoke cert with "hold" reason, remove hold Scenario 2: call ipa cert-move-hold with a non-existent cert ID and ensure that the exception mentions 'Certificate ID .. not found' Related: https://pagure.io/freeipa/issue/8704 Signed-off-by: Florence Blanc-Renaud <flo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
As part of the effort for reducing differences between upstream and downstream releases, product naming in WebUI About dialog is changed from FreeIPA to IPA. Related: https://pagure.io/freeipa/issue/8669 Signed-off-by: Antonio Torres <antorres@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add prune option to ipa-cacert-manage, allowing to remove all expired certificates from the certificate store. Related: https://pagure.io/freeipa/issue/7404 Signed-off-by: Antonio Torres <antorres@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add test for prune option of ipa-cacert-manage. After a certificate is installed, a jump in time is performed to a date where the certificate is expired, and then it is pruned. Related: https://pagure.io/freeipa/issue/7404 Signed-off-by: Antonio Torres <antorres@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
IPA server's AAAA records at embedded DNS mode depend on result of `get_server_ip_address` function (`ipaserver.install.installutils`), which in turn, relies on NSS. In case of Azure Pipelines, there are neither IPv6 records in '/etc/hosts' nor external DNS, which may provide such. This leads to the missing AAAA records for master and missing AAAA records for `ipa-ca` pointing to master in embedded DNS. In particular, tests `test_ipa_healthcheck_no_errors`, `test_ipa_dns_systemrecords_check` fail with:
```
[
  {
    "source": "ipahealthcheck.ipa.idns",
    "check": "IPADNSSystemRecordsCheck",
    "result": "WARNING",
    "uuid": "b979a88a-6373-4990-bc83-ce724e9730b4",
    "when": "20210120055054Z",
    "duration": "0.032740",
    "kw": {
      "msg": "Got {count} ipa-ca AAAA records, expected {expected}",
      "count": 1,
      "expected": 2
    }
  }
]
```
where `ipa-ca` record exists only for replica. Note: since most of the code in setup_containers was touched it has been reformatted. Fixes: https://pagure.io/freeipa/issue/8683 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This test assumes that the current environment has only IPv4, but for example, Azure Pipelines provides both IPv4 and IPv6. Fixes: https://pagure.io/freeipa/issue/8683 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
`update-crypto-policies` tool from RPM package `crypto-policies-scripts` is required for tests. Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ACME uses nonce values to prevent replay attacks. Since the ipa-ca name can go to any of the IPA servers in order to verify the nonce the servers need to know the value that was set which relies on replication. Sometimes the client is faster than replication so a request can fail. This change returns the baseURL to the client as the name of the ACME server during discovery which should pin all requests to this one IPA server and alleviate the replication issue. Signed-off-by: Rob Crittenden <rcritten@redhat.com> https://pagure.io/freeipa/issue/8712 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
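The race described in the ACME commit message above, as an added toy model that is not FreeIPA or Dogtag code. `AcmeServer`, `replicate`, `make_servers` and `run_client` are hypothetical names, and the round-robin iterator stands in for the shared `ipa-ca` name.

```python
import itertools
import secrets


class AcmeServer:
    """Toy IPA server: issues nonces and accepts each one at most once."""

    def __init__(self, name):
        self.name = name
        self.valid_nonces = set()
        self.pending = []  # nonces issued here but not yet replicated

    def new_nonce(self):
        nonce = secrets.token_urlsafe(16)
        self.valid_nonces.add(nonce)
        self.pending.append(nonce)
        return nonce

    def post(self, nonce):
        # Anti-replay: unknown nonces are rejected, known ones are consumed.
        if nonce not in self.valid_nonces:
            return "badNonce"
        self.valid_nonces.discard(nonce)
        return "ok"


def replicate(servers):
    """Deliver pending nonces to every peer (the step a fast client outruns)."""
    for src in servers:
        for dst in servers:
            if dst is not src:
                dst.valid_nonces.update(src.pending)
        src.pending.clear()


def make_servers():
    return [AcmeServer("ipa1"), AcmeServer("ipa2")]  # constructed sample hosts


def run_client(servers, pinned, replicate_first=False):
    """Return the result of one signed request and of a replay of its nonce."""
    rr = itertools.cycle(servers)  # shared name: any server may answer
    first = next(rr)               # server that answered discovery
    pick = (lambda: first) if pinned else (lambda: next(rr))
    nonce = pick().new_nonce()
    if replicate_first:
        replicate(servers)
    target = pick()
    return target.post(nonce), target.post(nonce)
```

Unpinned and ahead of replication, the request is rejected even though the client is honest; pinned to the server that answered discovery, it succeeds and the replay is still refused.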
Put the ACME config files under normal IPA versioning so we can more seamlessly do updates to them. Signed-off-by: Rob Crittenden <rcritten@redhat.com> https://pagure.io/freeipa/issue/8712 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
From the upgrade log it was not possible to see the current state of ACME which makes troubleshooting difficult. Signed-off-by: Rob Crittenden <rcritten@redhat.com> Related: https://pagure.io/freeipa/issue/8712 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Trailing dots aren't permitted in sudo commands, as enforced explicitly in `get_dn`. Performing this check before adding the command prevents the user from entering invalid commands, which would otherwise trigger errors when accessing them afterwards. RN: ipa sudocmd-* commands now validate SUDO command name to not end with a dot. RN: Previously a trailing dot was stripped away when addressing a SUDO command's LDAP object. RN: As a result, a SUDO command was created but it was not possible to refer to it in other IPA commands. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1925410 Signed-off-by: Antonio Torres <antorres@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Check that sudocmd-add fails when trying to add a command containing a trailing dot. Signed-off-by: Antonio Torres <antorres@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Update "previous" and "latest" templates with updated dependencies. Signed-off-by: Armando Neto <abiagion@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
With commit ec6698f, the error message has changed from Unable to communicate with CMS (503) to Request failed with status 503: Non-2xx response from CA REST API: 503. (503) Related: https://pagure.io/freeipa/issue/8704 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This option was inconsistent between invocations and there is no need to stop certmonger after stopping tracking. It was also apparently causing dbus timeout errors, probably due to the amount of work that certmonger does at startup. https://pagure.io/freeipa/issue/8506 https://pagure.io/freeipa/issue/8533 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
wladich force-pushed the test-external-names branch from 4562784 to f7be529 (February 16, 2021 12:21)
wladich force-pushed the test-external-names branch from f7be529 to d41e0eb (February 16, 2021 12:27)
Related to https://pagure.io/freeipa/issue/8710