
[pull] master from freeipa:master#1096

Open
pull[bot] wants to merge 22 commits into Rachelmorrell:master from freeipa:master

Conversation


@pull pull bot commented Mar 3, 2026

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.4)


- Convert Bugzilla regression tests (BZ 772106, 772675, 747730, 747741, 747720, 747722) from bash to Python and add them to the existing selfservice test file as the TestSelfserviceMisc Declarative class.
- Tests verify that --raw output, empty permissions/attrs, and invalid attrs do not cause internal errors or accidental ACI deletion.
- Use a single selfservice rule (selfservice1) across all BZ tests instead of creating and deleting a separate rule per test case, reducing churn and keeping the tests fast.
- Drop BZ 747693 (selfservice-find --raw) as it is already covered by the existing "Search for 'testself' with --raw" test in the main test_selfservice CRUD class (test 0011).

Signed-off-by: Jay Gondaliya <jgondali@redhat.com>
Fixes: https://pagure.io/freeipa/issue/9945
Assisted-by: Claude <noreply@anthropic.com>

Continuation of PR #8190

Fixes made:
- Fixed lambda expected checkers — replaced defensive .get("result", {}) chains with direct output["result"] key access.
- Removed redundant delete test case — dropped explicit selfservice_del test, relying solely on cleanup_commands.
- Renamed class TestSelfserviceMisc → test_selfservice_misc.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: David Hanina <dhanina@redhat.com>
@pull pull bot locked and limited conversation to collaborators Mar 3, 2026
@pull pull bot added ⤵️ pull merge-conflict Resolve conflicts manually labels Mar 3, 2026
hrnciar and others added 21 commits March 5, 2026 11:28
…he standard library

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The tool gitleaks reports a potential data leak in
test_dns.py as it believes KEY_SECRET should not be exposed.

This is a test value that can be ignored. Mark as such with the
comment # notsecret

Same for other tests with passwords.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: David Hanina <dhanina@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
We should allow 32-bit groups; setting maxvalue allows that.

Fixes: https://pagure.io/freeipa/issue/9953
Signed-off-by: David Hanina <dhanina@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The freeipa-client package needs to create directories in /var:
/var/lib/ipa-client
/var/lib/ipa-client/pki
/var/lib/ipa-client/sysrestore

Use tmpfiles.d to create the dirs in order to be compatible
with bootc images where /var is not updated when
bootc switch is called.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Sudhir Menon <sumenon@redhat.com>
This allows an installation along with an ML-DSA
CA to complete an IPA installation where the IPA RA,
Apache and 389-ds keys are ML-DSA as requested on the
CLI.

PKINIT doesn't currently support PQC so that certificate
is forced to be RSA-2048.

This does not yet pass the key type into the CA
installer so an override is still necessary.

There are two very simple routines for determining
the profile to use which is fine for this limited use
case but will need to be replaced or the functions
enhanced, or both.

This uses the caMLDSAServerCert profile for the IPA
certificates. In the future we plan to try to update the
caIPAserverCert to support both RSA and ML-DSA.

Using a ML-DSA CA is not necessary to use ML-DSA for
the IPA certificates. If an ML-DSA CA is desired then
a pki-override file needs to be provided to the
installer.

X-Feature: PQC

Related: https://pagure.io/freeipa/issue/9883

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
The test was failing in environments where IPv6 is disabled at the
kernel level because it attempted to add a temporary IPv6 address
without first checking if IPv6 is enabled on the interface.

This fix restructures the test to:
- Check if IPv6 is disabled via sysctl before attempting IPv6 setup
- Always run IPv4 allow-query and allow-transfer tests
- Only run IPv6-related tests when IPv6 is available

This ensures the test passes in IPv4-only environments while still
providing full coverage when IPv6 is enabled.

Fixes: https://pagure.io/freeipa/issue/9944
Signed-off-by: Pranav Thube <pthube@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: David Hanina <dhanina@redhat.com>
Tomcat in Fedora previously used some different locations
for scripts than upstream tomcat. In Fedora 45 these
customizations are being dropped.

Instead of being able to call /usr/sbin/tomcat directly the
scripts are split between /usr/libexec and /usr/share/tomcat/bin.

We used to call /usr/sbin/tomcat to get the version number for
backwards compatibility. We can use the script version.sh
instead of calling tomcat/catalina.sh directly.

Fixes: https://pagure.io/freeipa/issue/9832

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Convert self-service users tests from bash to Python and add them to the existing selfservice test file.

Tests verify that users can modify their own allowed attributes under default and custom selfservice rules,
that disallowed attributes are rejected with ACIError, and that cross-user modification is blocked.
Also covers atomic failure on mixed permissions, self-password-change, and user-find by phone, fax, and manager
(BZ 1188195, 781208, 985016, 967509, 985013).

Signed-off-by: Jay Gondaliya <jgondali@redhat.com>
Fixes: https://pagure.io/freeipa/issue/9945
Assisted-by: Claude <noreply@anthropic.com>
Reviewed-By: PRANAV THUBE <pthube@redhat.com>
Reviewed-By: David Hanina <dhanina@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
IPA locations should be migrated if we're migrating DNS entries,
functionality and test coverage added.

Fixes: https://pagure.io/freeipa/issue/9955
Signed-off-by: Aleksandr Sharov <asharov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mark Reynolds <mreynolds@redhat.com>
Allows ipa-migrate to ignore replication conflict entries if the
server we are migrating from has some. Added test with a mockup
conflict entry.

Fixes: https://pagure.io/freeipa/issue/9954
Signed-off-by: Aleksandr Sharov <asharov@redhat.com>
Reviewed-By: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: David Hanina <dhanina@redhat.com>
When ipa_otpd_t executes sssd MFA helper binaries (oidc_child,
passkey_child) labeled sssd_mfa_exec_t, use domtrans_pattern to
transition into sssd_mfa_t rather than running them in the ipa_otpd_t
domain. sssd_mfa_t already carries the correct network and device
permissions for those helpers.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
…ction

Four bare gen_require+allow blocks in the ipa_dnskey_t local policy
referenced external types (ndc_t, systemd_tmpfiles_t, fs_t, named_t)
outside of optional_policy, causing hard compilation failures if those
types are absent from the loaded policy. Wrap each block in
optional_policy to match the convention used throughout the rest of
the module.

Related: https://pagure.io/freeipa/issue/9948

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
sssd_mfa_t runs oidc_child and passkey_child. Add permissions needed
for their runtime operation:

- auth_use_nsswitch: NSS lookups (nsswitch.conf traversal)
- files_read_usr_files: OpenSSL crypto-policies config in /usr/share
- miscfiles_read_localization: timezone data
- kernel_read_crypto_sysctls: /proc/sys/crypto/fips_enabled check
- selinux_getattr_fs: SELinux status probe (is_selinux_enabled)
- dontaudit net_admin: suppress capability probe that is not required
- dontaudit init_t:unix_stream_socket: suppress noise from RADIUS
  socket leaked to child (should be close-on-exec in ipa-otpd)
- ps_process_pattern(syslogd_t): allow systemd-journal to read
  sssd_mfa_t process entries in /proc for structured log entries

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Add a new Declarative test class `test_selfservice_cli_add_del` covering CLI-level behaviour of the selfservice-add and selfservice-del commands:

- add_1002: bad attrs with valid permissions rejects with InvalidSyntax
- add_1003: valid attrs with invalid permissions rejects with ValidationError
- add_1004: valid attrs and permissions with --all --raw succeeds and
  returns the raw ACI string (BZ 772106)
- add_1005: bad attrs only rejects with InvalidSyntax
- add_1006: valid attrs only succeeds with default write permission
- del_1001: deleting an existing selfservice rule succeeds
- del_1002: deleting a non-existent rule raises NotFound

Signed-off-by: Jay Gondaliya <jgondali@redhat.com>
Fixes: https://pagure.io/freeipa/issue/9945
Assisted-by: Claude <noreply@anthropic.com>
Reviewed-By: David Hanina <dhanina@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Add tests for internationalization support in user plugin:
- User creation/deletion with i18n givenname and sn
- Lastname modification with Swedish/European names (13 values)
- Firstname modification with European accented names (4 values)
- Firstname modification with single i18n characters (67 values)

Test data includes characters like Çándide, Örjan, Éric, ß, ü, etc.

Related: https://pagure.io/freeipa/issue/9959
Signed-off-by: Pranav Thube <pthube@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: David Hanina <dhanina@redhat.com>
Reviewed-By: Carla Martinez <carlmart@redhat.com>
The integration test test_sudo.py::TestSudo_Functional is unstable
in Azure CI, randomly fails and blocks the gating.

I had a look at the failures for PR #8218 and checked why
the test failed in azure:
 run 1 TestSudo_Functional.test_007_sudorule_offline_caching_option_command
 run 2 TestSudo_Functional.test_007_sudorule_offline_caching_option_command
 run 3 Insufficient access: SASL(-1) in ipa-server-install
 run 4 timeout
 run 5 timeout
 run 6 timeout
 run 7 Insufficient access: SASL(-1) in ipa-server-install
 run 8 TestSudo_Functional.test_007_sudorule_offline_caching_option_command
 run 9 TestSudo_Functional.test_007_sudorule_offline_caching_option_command
 run 10 Insufficient access: SASL(-1) in ipa-server-install
 run 11 TestSudo_Functional.test_007_sudorule_offline_caching_option_command

The majority of failures are related to a flaky test, which is executed
anyway in PRCI gating.

As this test is also executed in the PRCI gating, we can remove it
from azure CI and keep it in PRCI gating only.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: David Hanina <dhanina@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Sudhir Menon <sumenon@redhat.com>
The tests below are added:

1. Create ipauser with 32bit id.
2. Create ipagroup with 32Bit id.
3. Create ipauser with 32Bit groupid range.
4. Test ssh login with 32Bit id user.
5. Test that ipauser with 32Bit is replicated.
6. Test that 32Bit idrange is created in IPA-AD trust environment.

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: David Hanina <dhanina@redhat.com>
During server deployment, before SIDs are generated, ipactx->mspac is
NULL.  ipadb_enforce_pac() already handles this correctly: it logs a
warning and returns 0 so the TGT check passes.  However, if a
PAC-containing evidence ticket arrives at a KDC worker that has mspac
NULL (e.g. issued by another worker after a transient reinit, or the
reinit interval has since expired), the PAC verification path failed
with KRB5_KDB_DBNOTINITED ("Database has not been initialized"):

  check_logon_info_consistent()        ipa_kdb_mspac.c:1724
    if (!ipactx || !ipactx->mspac)
        return KRB5_KDB_DBNOTINITED;  /* hard fail */

  ipadb_check_logon_info()             ipa_kdb_mspac.c:2093
    if (!ipactx || !ipactx->mspac)
        return KRB5_KDB_DBNOTINITED;  /* hard fail */

This propagated up through ipadb_common_verify_pac() ->
ipadb_verify_pac()/ipadb_v9_issue_pac() -> handle_authdata, causing
the S4U2Proxy TGS_REQ to be denied.

ipadb_get_pac() already uses the correct pattern: return ENOENT when
mspac is NULL, letting callers treat the situation as "no PAC
available" rather than a database error.  ipadb_v9_issue_pac() already
catches ENOENT from ipadb_common_verify_pac() and converts it to 0.

Fix:
- Split the !ipactx and !ipactx->mspac guards in both locations.
  Keep KRB5_KDB_DBNOTINITED only for the truly fatal !ipactx case.
  Return ENOENT for !ipactx->mspac, matching ipadb_get_pac().
- In ipadb_sign_authdata() (DAL v6 path), add an ENOENT check after
  ipadb_verify_pac() so the v6 path handles it the same way as the
  v9 path already does at ipadb_v9_issue_pac():138.

Fixes: https://pagure.io/freeipa/issue/9962

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
…itialized

When the MS-PAC generator is not initialized:
- DAL v6: Both PAC creation and verification proceed without PAC
- DAL v9: PAC verification works, but PAC creation fails with
  KRB5_PLUGIN_OP_NOTSUPP

This caused AS-REQ and S4U2Self requests to fail on DAL v9 when the
MS-PAC generator wasn't initialized, while the same requests succeeded
on DAL v6.

The issue was a redundant check in ipadb_v9_issue_pac() that returned
KRB5_PLUGIN_OP_NOTSUPP before ipadb_get_pac() could return ENOENT.
Remove this redundant check and add ENOENT handling after calling
ipadb_get_pac() and ipadb_common_verify_pac(), matching DAL v6
behavior.

DAL v6 and v9 now have consistent behavior: all operations proceed
without PAC when the MS-PAC generator is not initialized.

Related: https://pagure.io/freeipa/issue/9962

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
When the MS-PAC generator is not initialized and a ticket is created
or verified without a PAC, log a warning message. This helps identify
deployments vulnerable to CVE-2025-7493.

A new warn_mspac_unavailable() helper function is introduced to avoid
code duplication. It takes a boolean parameter to distinguish between
ticket creation and verification contexts.

The warning is now consistently logged in all scenarios where tickets
proceed without PAC:
- DAL v6 and v9: PAC creation failures (AS-REQ, S4U2Self, S4U2Proxy)
- DAL v6 and v9: PAC verification failures
- KDC policy plugin: PAC enforcement check for local TGTs

Related: https://pagure.io/freeipa/issue/9962

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
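The guard split, the ENOENT-to-0 conversion and the shared warning helper described in the three preceding commit messages, written out as an added C illustration; this is not FreeIPA's code, and the context struct, the numeric value of KRB5_KDB_DBNOTINITED and the warning text are constructed stand-ins.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define KRB5_KDB_DBNOTINITED 1001  /* constructed stand-in; the real value lives in krb5's kdb.h */

/* Stand-in for ipadb's context: mspac stays NULL until the MS-PAC generator is initialized. */
struct ipadb_context { void *mspac; };
int mspac_warnings_logged;         /* how many "proceeding without PAC" warnings were emitted */

/* Same role as the commit's warn_mspac_unavailable(): one helper, a flag for create vs verify. */
static void warn_mspac_unavailable(bool creating)
{
    mspac_warnings_logged++;
    fprintf(stderr, "MS-PAC generator not initialized, %s ticket without PAC\n", creating ? "issuing" : "verifying");
}

/* Before the fix: a combined guard turns a missing generator into a database error. */
int check_logon_info_before(const struct ipadb_context *ipactx)
{
    if (!ipactx || !ipactx->mspac)
        return KRB5_KDB_DBNOTINITED;   /* hard fail even when only mspac is NULL */
    return 0;
}

/* After the fix: split guards (matching ipadb_get_pac()). Only a NULL context is fatal. */
int check_logon_info_after(const struct ipadb_context *ipactx)
{
    if (!ipactx)
        return KRB5_KDB_DBNOTINITED;
    if (!ipactx->mspac)
        return ENOENT;                 /* "no PAC available", not a database error */
    return 0;
}

/* Caller pattern (ipadb_v9_issue_pac()/ipadb_sign_authdata()): ENOENT -> warn, proceed without PAC. */
int verify_pac_caller(const struct ipadb_context *ipactx, int (*check)(const struct ipadb_context *))
{
    int ret = check(ipactx);
    if (ret != ENOENT)
        return ret;                    /* 0, or a real error such as KRB5_KDB_DBNOTINITED */
    warn_mspac_unavailable(false);
    return 0;                          /* ticket proceeds without PAC, warning logged */
}

/* Run one scenario end to end and return the caller's final result. */
int pac_check_result(bool use_fix, bool have_ctx, bool have_mspac)
{
    static int generator;              /* stands in for an initialized MS-PAC generator */
    struct ipadb_context ctx = { have_mspac ? &generator : NULL };
    return verify_pac_caller(have_ctx ? &ctx : NULL, use_fix ? check_logon_info_after : check_logon_info_before);
}
```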
The patch for 9954 builds the list of objectclass values
before the call to normalize_attr. This results in an entry
with a non-normalized key for objectClass and the list of
values may be empty.

Normalize before building the list of values.

Fixes: https://pagure.io/freeipa/issue/9954
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: David Hanina <dhanina@redhat.com>