Closed abompard closed 4 years ago
Maybe you can check it out @ryanlerch ?
@abompard it seems it was a regression that was introduced in this commit:
https://github.com/fedora-infra/noggin/commit/349c96757df1c01be21a4c4d20b6d19a1478f9c8
if i roll back to this commit, i don't see any agreements in a users' list. Although, i fixed that with this change when i was rebuilding the cassettes:
I'm a little perplexed on how this ever worked, as there hasnt been any changes (major) changes to freeipa-fas to cause a regression like this.
I'll poke at this a little.
Here's what I understand of commit 349c967:
user_settings_agreements()
queried all (enabled) agreements with their members and checked if the current username was in their list of users to indicate membership in the UI.User.agreements
which is mapped to memberof_agreements
on the IPA side.Unfortunately, memberof_agreements
doesn't seem to be included in the result from the user_or_404()
IPA query. Here's what I got when using the debugger to break at the end of test_ipa_client_fasagreement_add_user()
in noggin/tests/unit/security/test_ipa.py
:
ipdb> urec = user_or_404(ipa, "dummy")
ipdb> ppr.pprint(urec)
{'cn': ['Dummy User'],
'displayname': ['Dummy User'],
'dn': 'uid=dummy,cn=users,cn=accounts,dc=noggin,dc=test',
'fascreationtime': [{'__datetime__': '20200811101511Z'}],
'gecos': ['Dummy User'],
'gidnumber': ['113800236'],
'givenname': ['Dummy'],
'has_keytab': True,
'has_password': True,
'homedirectory': ['/home/dummy'],
'initials': ['DU'],
'ipauniqueid': ['8a98f82e-dbbb-11ea-88f6-5254007be86f'],
'krbcanonicalname': ['dummy@NOGGIN.TEST'],
'krblastpwdchange': [{'__datetime__': '20200811101512Z'}],
'krbpasswordexpiration': [{'__datetime__': '20201109101512Z'}],
'krbprincipalname': ['dummy@NOGGIN.TEST'],
'loginshell': ['/bin/bash'],
'mail': ['dummy@example.com'],
'memberof_group': ['ipausers'],
'nsaccountlock': False,
'objectclass': ['top',
'person',
'organizationalperson',
'inetorgperson',
'inetuser',
'posixaccount',
'krbprincipalaux',
'krbticketpolicyaux',
'ipaobject',
'ipasshuser',
'fasuser',
'ipaSshGroupOfPubKeys',
'mepOriginEntry'],
'preserved': False,
'sn': ['User'],
'uid': ['dummy'],
'uidnumber': ['113800236']}
ipdb>
At the moment I don't know what's needed to change in order that IPA returns the agreement memberships with the user, but I'll try to find out.
@nphilipp i think i may have figured out what has happened here.
It was around this time that @abompard changed all the default branch names from master to dev.
It appears that there are a handful of PRs that are not in dev, but were merged into master, and were lost:
https://github.com/fedora-infra/freeipa-fas/pulls?q=is%3Apr+is%3Aclosed
AFAICT, this includes this one, that makes freeipa return what was being expected here:
Okay, there is now the following PR ready to be merged, that puts back 4 commits that were lost, and should resolve this issue:
nphilipp moved this from To do to Done within Sprint in AAA 2 days ago ryanlerch moved this from Done within Sprint to Overall Done in AAA 6 hours ago
squints
Apparently the user dict that is returned from FreeIPA does not contain the
memberof_fasagreement
that the representation was relying on to list the agreements a user has signed. As a result the user's agreements are all shown as unsigned even if they actually are.