Bug 1645708

Summary: authselect enable-features should error on unknown features
Product: [Fedora] Fedora Reporter: Orion Poplawski <orion>
Component: authselect Assignee: Pavel Březina <pbrezina>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 29 CC: awilliam, edewata, orion, pbrezina
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: authselect-1.0.2-1.fc29 authselect-1.0.2-1.fc28 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1651637 (view as bug list) Environment:
Last Closed: 2018-11-27 03:30:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1651637    

Description Orion Poplawski 2018-11-02 22:17:50 UTC
Description of problem:

# authselect current
Profile ID: sssd
Enabled features: None
# authselect enable-feature blah
# authselect current
Profile ID: sssd
Enabled features:
- blah

Version-Release number of selected component (if applicable):
authselect-1.0.1-2.fc29.x86_64

I get into trouble because to enable smartcard you enable "with-smartcard" instead of "with-smartcard".

Comment 1 Pavel Březina 2018-11-06 09:47:06 UTC
Thank you.

Upstream ticket:
https://github.com/pbrezina/authselect/issues/107

Comment 2 Pavel Březina 2018-11-20 12:55:48 UTC
Can you please try this scratch build?
https://koji.fedoraproject.org/koji/taskinfo?taskID=31016568

Calling `authselect select $profile unknown-feature` will result in an
error and it will suggest the most relevant feature in case it is
only a typo.

$ authselect select sssd with-smartcards
[error] Unknown profile feature [with-smartcards], did you mean [with-smartcard]?
[error] Unable to activate profile [sssd] [22]: Invalid argument
Unable to activate profile [22]: Invalid argument

If a feature is removed from a profile, calling `authselect apply-changes`
will disable this feature and report it as a warning. This of course should not be a common use case, as a profile should not drop a feature without a strong reason.

After manually removing the with-sudo feature for testing purposes:
$ sudo authselect apply-changes --warn 
[warn] Profile feature [with-sudo] is no longer supported, removing it...
Changes were successfully applied.

Comment 3 Orion Poplawski 2018-11-20 23:07:43 UTC
Thanks, that looks a lot better.  To be a little nit-picky - the errors seem a bit too verbose:

[error] Unknown profile feature [sudo], did you mean [with-sudo]?
[error] Unable to activate profile [sssd] [22]: Invalid argument
Unable to enable feature [22]: Invalid argument

Could it just be a single line like:

[error] Unknown profile feature [sudo] for profile [sssd], did you mean [with-sudo]?

But either way, this will help a lot.

Comment 4 Fedora Update System 2018-11-24 12:36:25 UTC
authselect-1.0.2-1.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-eef7934b44

Comment 5 Fedora Update System 2018-11-24 12:59:28 UTC
authselect-1.0.2-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-32941d1d45

Comment 6 Pavel Březina 2018-11-24 13:05:35 UTC
Thank you for testing. I kept the error reporting as is for now. I might improve it in the future across the whole code base.

Comment 7 Fedora Update System 2018-11-25 04:09:08 UTC
authselect-1.0.2-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-32941d1d45

Comment 8 Fedora Update System 2018-11-25 04:45:00 UTC
authselect-1.0.2-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-eef7934b44

Comment 9 Fedora Update System 2018-11-27 03:30:54 UTC
authselect-1.0.2-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Endi Sukma Dewata 2018-11-27 16:16:33 UTC
This seems to be breaking IPA uninstallation, which fails PKI CI. Could you take a look? Thanks.

Forcing removal of master.pki.test
------------------------------------
Deleted IPA server "master.pki.test"
------------------------------------
Shutting down all IPA services
Unconfiguring KRA
Unconfiguring CA
Unconfiguring named
Unconfiguring ipa-dnskeysyncd
Unconfiguring web server
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
Unconfiguring ipa-custodia
Unconfiguring ipa-otpd
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
WARNING: Unable to revert to the pre-installation state ('authconfig' tool has been deprecated in favor of 'authselect'). The default sssd profile will be used instead.
The authconfig arguments would have been: authconfig --disableldap --disablekrb5 --disablesssdauth --disablemkhomedir
Failed to remove krb5/LDAP configuration: CalledProcessError(Command ['/usr/bin/authselect', 'select', 'sssd', '', '--force'] returned non-zero exit status 1: '[error] Unknown profile feature []\n[error] Unable to activate profile [sssd] [22]: Invalid argument\nUnable to activate profile [22]: Invalid argument\n')
The ipa-client-install command failed. See /var/log/ipaclient-uninstall.log for more information
The ipa-server-install command failed. See /var/log/ipaserver-uninstall.log for more information
Removing IPA client configuration
Uninstall of client side components failed!

Comment 11 Fedora Update System 2018-11-27 17:12:51 UTC
authselect-1.0.2-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Adam Williamson 2018-11-28 00:53:07 UTC
Endi: I caught that too (unfortunately after the update went stable, as the Fedora critpath definition is not being properly updated so authselect is not considered to be critpath, so openQA didn't test the authselect update :<).

It's really a bug in FreeIPA, I'd say: I've sent a patch - https://github.com/freeipa/freeipa/pull/2610 . It was passing an entirely empty features arg to authselect, which is kinda a dumb thing to do. You can actually see this in the error message if you look carefully:

"Command ['/usr/bin/authselect', 'select', 'sssd', '', '--force'] returned non-zero exit status 1"

note the '' in that list. authselect *could* be smart enough to ignore the arg if it's just an empty string, I guess, but fixing FreeIPA to just not send an empty arg like that seems reasonable.

Comment 13 Pavel Březina 2018-11-28 11:42:26 UTC
Darn... it's always the simple things that are least expected. Next time, I will ping someone from ipa to test the new release.

In my opinion, calling a command with an empty parameter that is not supposed to be empty is a bug. But yes, authselect does not have any need to fail in such a situation. I opened an upstream ticket:
https://github.com/pbrezina/authselect/issues/122
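
A caller-side guard for the two failure modes in this thread, a mistyped feature name and an empty feature argument, so that neither reaches `authselect select`. This is an added example, not FreeIPA's or authselect's code: the `SUPPORTED` table and the function names are assumptions, and `difflib` stands in for whatever matching authselect itself uses.

```python
import difflib

AUTHSELECT = "/usr/bin/authselect"

# Constructed sample: features each profile is assumed to support.
SUPPORTED = {"sssd": ["with-mkhomedir", "with-smartcard", "with-sudo"]}


def clean_features(features):
    """Drop empty or whitespace-only entries; keep order, remove duplicates."""
    seen, out = set(), []
    for feature in features:
        feature = feature.strip()
        if feature and feature not in seen:
            seen.add(feature)
            out.append(feature)
    return out


def unknown_features(profile, features):
    """Return [(feature, suggestion or None)] for names the profile lacks."""
    known = SUPPORTED[profile]
    problems = []
    for feature in clean_features(features):
        if feature not in known:
            close = difflib.get_close_matches(feature, known, n=1, cutoff=0.6)
            problems.append((feature, close[0] if close else None))
    return problems


def build_select_argv(profile, features, force=False):
    """Build argv for `authselect select`, refusing unknown feature names."""
    problems = unknown_features(profile, features)
    if problems:
        details = ", ".join(
            f"[{name}]" + (f" (did you mean [{hint}]?)" if hint else "")
            for name, hint in problems
        )
        raise ValueError(f"unknown feature(s) for profile [{profile}]: {details}")
    argv = [AUTHSELECT, "select", profile, *clean_features(features)]
    if force:
        argv.append("--force")
    return argv


if __name__ == "__main__":
    # The argument list from comment 10, with the empty string filtered out.
    print(build_select_argv("sssd", [""], force=True))
```

Passing the list straight to `subprocess.run(argv, check=True)` keeps the non-zero exit status visible to the caller instead of leaving the PAM configuration in a state nobody checked.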

Comment 14 Adam Williamson 2018-11-30 17:41:33 UTC
Ideally, openQA tests would have run on the update while it was in updates-testing and caught the problem before it went stable. Unfortunately, because Bodhi doesn't think authselect is in the critpath and openQA is set to only run tests on critpath updates (we don't have enough resources to test all updates), that didn't happen :(

I've added authselect to the openQA scheduler's special packages-to-test whitelist now, so going forward, authselect updates will be tested. Look out for failures on the 'Automated Tests' tab of future updates; if you see any, and have any trouble understanding whether it's a real bug and what the problem is, just ping me. Thanks!

Comment 15 Fedora Update System 2018-12-04 20:42:22 UTC
dogtag-pki-10.6.8-1.fc29 freeipa-4.7.2-1.fc29 jss-4.5.1-1.fc29 nuxwdog-1.0.5-3.fc29 pki-core-10.6.8-3.fc29 tomcatjss-7.3.6-2.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-3241dd6a7f

Comment 17 Fedora Update System 2018-12-04 20:42:48 UTC
dogtag-pki-10.6.8-1.fc28 freeipa-4.7.2-1.fc28 jss-4.5.1-1.fc28 nuxwdog-1.0.5-3.fc28 pki-core-10.6.8-3.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-115068f60e

Comment 19 Fedora Update System 2018-12-05 03:06:29 UTC
dogtag-pki-10.6.8-3.fc28, freeipa-4.7.2-1.fc28, jss-4.5.1-1.fc28, nuxwdog-1.0.5-3.fc28, pki-core-10.6.8-3.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-115068f60e

Comment 20 Fedora Update System 2018-12-05 03:53:39 UTC
dogtag-pki-10.6.8-3.fc29, freeipa-4.7.2-1.fc29, jss-4.5.1-1.fc29, nuxwdog-1.0.5-3.fc29, pki-core-10.6.8-3.fc29, tomcatjss-7.3.6-2.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-3241dd6a7f

Comment 21 Fedora Update System 2018-12-13 02:15:49 UTC
dogtag-pki-10.6.8-3.fc29, freeipa-4.7.2-1.fc29, jss-4.5.1-1.fc29, nuxwdog-1.0.5-3.fc29, pki-core-10.6.8-3.fc29, tomcatjss-7.3.6-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 22 Fedora Update System 2018-12-13 02:47:01 UTC
dogtag-pki-10.6.8-3.fc28, freeipa-4.7.2-1.fc28, jss-4.5.1-1.fc28, nuxwdog-1.0.5-3.fc28, pki-core-10.6.8-3.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.