ipaconfig: Validate emaildomain

When setting the default email domain, there was no validation on the
provide value. Using ipapython.validate.Email applies the same
validation method as implemented in IPA.

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>

.pre-commit-config.yaml

@@ -26,7 +26,7 @@ repos:
   - id: yamllint
     files: \.(yaml|yml)$
 - repo: https://github.com/pycqa/flake8
-  rev: 7.2.0
+  rev: 7.0.0
   hooks:
   - id: flake8
 - repo: https://github.com/pycqa/pylint

infra/azure/azure-pipelines.yml

@@ -3,7 +3,7 @@ trigger:
 - master
 
 pool:
-  vmImage: 'ubuntu-24.04'
+  vmImage: 'ubuntu-20.04'
 
 variables:
   ansible_version: "-core >=2.16,<2.17"

infra/azure/nightly.yml

@@ -10,7 +10,7 @@ schedules:
 trigger: none
 
 pool:
-  vmImage: 'ubuntu-24.04'
+  vmImage: 'ubuntu-20.04'
 
 variables:
   # We need to have two sets, as c8s is not supported by all ansible versions

infra/azure/pr-pipeline.yml

@@ -3,7 +3,7 @@ trigger:
 - master
 
 pool:
-  vmImage: 'ubuntu-24.04'
+  vmImage: 'ubuntu-20.04'
 
 variables:
   distros: "fedora-latest,c10s,c9s,c8s,fedora-rawhide"

infra/image/shcontainer

@@ -4,20 +4,13 @@
 SCRIPTDIR="$(dirname -- "$(readlink -f "${BASH_SOURCE[0]}")")"
 TOPDIR="$(readlink -f "${SCRIPTDIR}/../..")"
 
-# shellcheck disable=SC1091
-. "${SCRIPTDIR}/shdefaults"
-
-# shellcheck disable=SC1091
 . "${TOPDIR}/utils/shfun"
 
 container_create() {
     local name=${1}
     local image=${2}
     shift 2
-    declare -a extra_opts
+    declare -a extra_opts=()
-    readarray -t extra_opts < \
-        <(sed -e "s/-/--cap-drop=/g" -e "s/+/--cap-add=/g" \
-        <<< "$(printf '%s\n' "${CAP_DEFAULTS[@]}")")
     for opt in "$@"
     do
         [ -z "${opt}" ] && continue
@@ -26,7 +19,6 @@ container_create() {
             cpus=*) extra_opts+=("--${opt}") ;;
             memory=*) extra_opts+=("--${opt}") ;;
             capabilities=*) extra_opts+=("--cap-add=${opt##*=}") ;;
-            volume=*) extra_opts+=("--volume=${opt##*=}") ;;
             *) log error "container_create: Invalid option: ${opt}" ;;
         esac
     done
@@ -55,8 +47,6 @@ container_start() {
 
     log info "= Starting ${name} ="
     podman start "${name}"
-    # Ensure /etc/shadow is readable
-    podman exec "${name}" bash -c "chmod u+r /etc/shadow"
     echo
 }
 
@@ -205,15 +195,3 @@ container_fetch() {
     podman cp "${name}:${source}" "${destination}"
     echo
 }
-
-container_tee() {
-    local name=${1}
-    local destination=${2}
-    tmpfile=$(mktemp /tmp/container-temp.XXXXXX)
-
-    log info "= Creating ${name}:${destination} from stdin ="
-    cat - > "${tmpfile}"
-    podman cp "${tmpfile}" "${name}:${destination}"
-    rm "${tmpfile}"
-    echo
-}

infra/image/shdefaults

@@ -1,9 +0,0 @@
-#!/bin/bash -eu
-# This file is meant to be source'd by other scripts
-
-# Set default capabilities options for freeipa containers.
-# Use +CAP to add the capability and -CAP to drop the capability.
-CAP_DEFAULTS=(
-    "+DAC_READ_SEARCH"  # Required for SSSD
-    "+SYS_PTRACE"       # Required for debugging
-)

plugins/module_utils/ansible_freeipa_module.py

@@ -33,7 +33,7 @@ __all__ = ["DEBUG_COMMAND_ALL", "DEBUG_COMMAND_LIST",
            "paths", "tasks", "get_credentials_if_valid", "Encoding",
            "DNSName", "getargspec", "certificate_loader",
            "write_certificate_list", "boolean", "template_str",
-           "urlparse", "normalize_sshpubkey"]
+           "urlparse", "normalize_sshpubkey", "Email"]
 
 DEBUG_COMMAND_ALL = 0b1111
 # Print the while command list:
@@ -116,6 +116,7 @@ try:
     from ipalib.krb_utils import get_credentials_if_valid
     from ipapython.dnsutil import DNSName
     from ipapython import kerberos
+    from ipapython.ipavalidate import Email
 
     try:
         from ipalib.x509 import Encoding

plugins/modules/ipaconfig.py

@@ -344,7 +344,7 @@ config:
 
 
 from ansible.module_utils.ansible_freeipa_module import \
-    IPAAnsibleModule, compare_args_ipa, ipalib_errors
+    IPAAnsibleModule, compare_args_ipa, ipalib_errors, Email
 
 
 def config_show(module):
@@ -515,6 +515,13 @@ def main():
                 msg="Argument '%s' must be between %d and %d."
                     % (arg, minimum, maximum))
 
+    # verify email domain
+    emaildomain = params.get("ipadefaultemaildomain", None)
+    if emaildomain:
+        if not Email("test@{0}".format(emaildomain)):
+            ansible_module.fail_json(
+                msg="Invalid 'emaildomain' value: %s" % emaildomain)
+
     changed = False
     exit_args = {}
 

requirements-dev.txt

@@ -1,7 +1,7 @@
 -r requirements-tests.txt
 ipdb==0.13.4
 pre-commit==2.20.0
-flake8
+flake8==7.0.0
 flake8-bugbear
 pylint>=3.2
 wrapt==1.14.1

roles/ipaclient/library/ipaclient_setup_nss.py

@@ -279,7 +279,6 @@ def main():
     options.no_sssd = False
     options.sssd = not options.no_sssd
     options.no_ac = False
-    options.dns_over_tls = False
     nosssd_files = module.params.get('nosssd_files')
     selinux_works = module.params.get('selinux_works')
     krb_name = module.params.get('krb_name')
@@ -340,19 +339,17 @@ def main():
                                                       ca_subject)
         ca_certs_trust = [(c, n,
                            certstore.key_policy_to_trust_flags(t, True, u))
-                          for (c, n, t, u) in [x[0:4] for x in ca_certs]]
+                          for (c, n, t, u) in ca_certs]
 
         if hasattr(paths, "KDC_CA_BUNDLE_PEM"):
             x509.write_certificate_list(
-                [c for c, n, t, u in [x[0:4] for x in ca_certs]
+                [c for c, n, t, u in ca_certs if t is not False],
-                    if t is not False],
                 paths.KDC_CA_BUNDLE_PEM,
                 # mode=0o644
             )
         if hasattr(paths, "CA_BUNDLE_PEM"):
             x509.write_certificate_list(
-                [c for c, n, t, u in [x[0:4] for x in ca_certs]
+                [c for c, n, t, u in ca_certs if t is not False],
-                    if t is not False],
                 paths.CA_BUNDLE_PEM,
                 # mode=0o644
             )
@@ -379,12 +376,7 @@ def main():
             ssh_config_dir = paths.SSH_CONFIG_DIR
         else:
             ssh_config_dir = services.knownservices.sshd.get_config_dir()
-        argspec_update_ssh_keys = getargspec(update_ssh_keys)
+        update_ssh_keys(hostname, ssh_config_dir, options.create_sshfp)
-        # Hotfix for https://github.com/freeipa/freeipa/pull/7343
-        if "options" in argspec_update_ssh_keys.args:
-            update_ssh_keys(hostname, ssh_config_dir, options, cli_server[0])
-        else:
-            update_ssh_keys(hostname, ssh_config_dir, options.create_sshfp)
 
         try:
             os.remove(CCACHE_FILE)

roles/ipaclient/module_utils/ansible_ipa_client.py

@@ -231,6 +231,8 @@ try:
                         cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
                         filename, client_domain, client_hostname, force=False,
                         configure_sssd=True):
+                    # pylint: disable=global-variable-not-assigned
+                    global options
                     options.force = force
                     options.sssd = configure_sssd
                     return ipa_client_install.configure_krb5_conf(

roles/ipareplica/module_utils/ansible_ipa_replica.py

@@ -80,13 +80,6 @@ except ImportError:
 try:
     from contextlib import contextmanager as contextlib_contextmanager
     from ipapython.version import NUM_VERSION, VERSION
-    try:
-        from ipapython.version import parse_version
-    except ImportError:
-        # In IPA we either need pkg_resources or packaging Version
-        # class to compare versions with check_remote_version, so
-        # we let an exception to be raised if neither is available.
-        from pkg_resources import parse_version
 
     if NUM_VERSION < 30201:
         # See ipapython/version.py
@@ -106,6 +99,8 @@ try:
         import dns.resolver as dnsresolver
         import dns.reversename as dnsreversename
 
+        from pkg_resources import parse_version
+
         from ipaclient.install.ipachangeconf import IPAChangeConf
         from ipalib.install import certstore, sysrestore
         from ipapython.ipautil import ipa_generate_password
@@ -336,13 +331,6 @@ options.add_agents = False
 # ServerReplicaInstall
 options.subject_base = None
 options.ca_subject = None
-
-# Hotfix for https://github.com/freeipa/freeipa/pull/7343
-options.dns_over_tls = False
-options.dns_over_tls_key = None
-options.dns_over_tls_cert = None
-options.dot_forwarders = None
-options.dns_policy = None
 # pylint: enable=attribute-defined-outside-init
 
 

roles/ipaserver/module_utils/ansible_ipa_server.py

@@ -354,13 +354,6 @@ options.add_agents = False
 # no_msdcs is deprecated
 options.no_msdcs = False
 
-# Hotfix for https://github.com/freeipa/freeipa/pull/7343
-options.dns_over_tls = False
-options.dns_over_tls_key = None
-options.dns_over_tls_cert = None
-options.dot_forwarders = None
-options.dns_policy = None
-
 # For pylint
 options.external_cert_files = None
 options.dirsrv_cert_files = None

tests/config/test_config.yml

@@ -34,6 +34,16 @@
           ipaapi_context: "{{ ipa_context | default(omit) }}"
           emaildomain: ipa.test
 
+      - name: Ensure the default e-mail domain cannot be set to an invalid email domain.
+        ipaconfig:
+          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
+          emaildomain: invalid@emaildomain
+        register: invalid_emaildomain
+        failed_when:
+          invalid_emaildomain.changed
+          or not (invalid_emaildomain.failed and "Invalid 'emaildomain' value:" in invalid_emaildomain.msg)
+
       - name: Set default shell to '/bin/sh'
         ipaconfig:
           ipaadmin_password: SomeADMINpassword

utils/setup_test_container.sh

@@ -79,20 +79,6 @@ shift
 prepare_container "${scenario}" "${IMAGE_TAG}"
 start_container "${scenario}"
 
-log info "Wait till systemd-journald is running"
-max=20
-wait=2
-count=0
-while ! podman exec "${scenario}" ps -x | grep -q "systemd-journald"
-do
-    if [ $count -ge $max ]; then
-        die "Timeout: systemd-journald is not starting up"
-    fi
-    count=$((count+1))
-    log none "Waiting ${wait} seconds .."
-    sleep ${wait}
-done
-
 # wait for FreeIPA services to be available (usually ~45 seconds)
 log info "Wait for container to be initialized."
 wait=15