Commit Graph

11044 Commits

Author SHA1 Message Date
Martin Babinsky
069948466e Make wait_for_entry raise exceptions
Instead of only logging errors when timeout is reached or query for the
entry fails for other reasons, `wait_for_entry` should raise exceptions
so that we can handle them in caller or let them propagate and fail
early.

https://pagure.io/freeipa/issue/6739

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-03-15 16:39:39 +01:00
Martin Babinsky
bd18b5f91e Move PKINIT configuration to a later stage of server/replica install
This is to ensure that we can request PKINIT certs once all the
following requirements are in place:

    * CA is configured or PKCS#12 file is provided
    * LDAP, KDC and Apache are configured and the master role is thus
      completed and enabled

https://pagure.io/freeipa/issue/6739

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-03-15 16:39:39 +01:00
Martin Babinsky
b5b23e073e Request PKINIT cert directly from Dogtag API on first master
On the first master the framework may not be fully functional to server
certificate requests. It is safer to configure helper that contacts
Dogtag REST API directly.

https://pagure.io/freeipa/issue/6739

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-03-15 16:39:39 +01:00
Martin Babinsky
95768de06f Make PKINIT certificate request logic consistent with other installers
The certmonger request handling code during pkinit setup actually never
correctly handled situations when certificate request was rejected by
the CA or CA was unreachable. This led to subtle errors caused by broken
anonymous pkinit (e.g. failing WebUI logins) which are hard to debug.

The code should behave as other service installers, e. g. use
`request_and_wait_for_cert` method which raises hard error when request
times out or is not granted by CA. On master contact Dogtag CA endpoint
directly as is done in DS installation.

https://pagure.io/freeipa/issue/6739

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-03-15 16:39:39 +01:00
Stanislav Laznicka
46d4d534c0 Remove pkinit from ipa-replica-prepare
The PKINIT feature is not available on domain level 0 so any
options about pkinit are false.

https://pagure.io/freeipa/issue/6759

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-03-15 16:23:21 +01:00
Lukas Slebodnik
2a4f7f2cfa CONFIGURE: Improve detection of xmlrpc_c flags
The pkg-config files for xmlrpc_c libraries are shipped just
in fedora/rhel due to downstream patch. Debian does not have
pkg-config files for xmlrpc_c. Therefore we need to fallback to older
method of detection XMLRPC_*FLAGS which was reverted
by the commit 1e0143c159

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-03-15 16:13:00 +01:00
Jan Cholasta
990ce9eef3 spec file: always provide python package aliases
Provide python-ipa* aliases for python2-ipa* subpackages when the
python_provide RPM macro is not available.

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-03-15 14:35:23 +00:00
Jan Cholasta
417f1926c4 spec file: support client-only build
nspr-devel, nss-devel and openssl-devel are required for client-only build,
move their respective BuildRequires from the server-specific BuildRequires
section to the main BuildRequires section.

Pass --enable-server or --disable-server to ./configure based on the value
of %{ONLY_CLIENT}.

Remove the `make client-check` call from %check, as the client-check target
does not exist anymore. Always call `make check` instead.

Do not package the /usr/share/ipa directory in freeipa-client-common, as it
is not created in client-only build.

https://pagure.io/freeipa/issue/6517

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-03-15 13:42:16 +00:00
Jan Cholasta
e42a846506 spec file: support build without ipatests
Build ipatests only if %with_ipatests RPM macro is specified.

By default the macro is specified if ONLY_CLIENT is not specified.

https://pagure.io/freeipa/issue/6517

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-03-15 13:39:47 +00:00
Christian Heimes
b280c7bb01 Add PYTHON_INSTALL_EXTRA_OPTIONS and --install-layout=deb
Debian packages should be installed under dist-packages, not
site-packages. Debian has patched distutils and setuptools to add a new
flag '--install-layout'. For --with-ipaplatform=debian,
PYTHON_INSTALL_EXTRA_OPTIONS is set to '--install-layout=deb'.

https://pagure.io/freeipa/issue/6764

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-15 13:48:23 +01:00
Christian Heimes
f1f63506ca Make pylint and jsl optional
./configure no longer fails when pylint or jsl are not available. The
make targets for pylint and jsl are no longer defined without the tools.

Rational:
pylint and jsl are not required to build FreeIPA. Both are useful
developer tools. It's more user friendly to make both components
optionally with default config arguments. There is no reason to
fail building on a build system without development tools.

It's still possible to enforce dependency checks with --with-jslint and
--enable-pylint.

https://fedorahosted.org/freeipa/ticket/6604

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-15 12:42:36 +00:00
David Kupka
70889d4d5e rpcserver: x509_login: Handle unsuccessful certificate login gracefully
When mod_lookup_identity is unable to match user by certificate (and username)
it unsets http request's user. mod_auth_gssapi is then unable to get Kerberos
ticket and doesn't set KRB5CCNAME environment variable.
x509_login.__call__ now returns 401 in such case to indicate that request was
not authenticated.

https://pagure.io/freeipa/issue/6225

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-03-15 10:34:44 +01:00
Timo Aaltonen
e20ad9c251 ipaplatform/debian/paths: Add some missing values.
Rename KRA_AGENT_PEM -> OLD_KRA_AGENT_PEM, add CERTMONGER_DOGTAG_SUBMIT.

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-15 09:53:08 +01:00
Lukas Slebodnik
4fe9166ac9 CONFIGURE: Properly detect libpopt on el7
libpopt added pkg-config file in 1.16 but there are still distributions
which has older version of library (el6, el7). And new features from
libpopt are not used anywhere. Configure should try to detect as much as
possible and users should not use workarounds with explicitely enabled
variables as parameters e.g.
   ./configure POPT_LIBS="-lpopt "

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-03-15 08:55:44 +00:00
Jan Cholasta
b7329e31f5 slapi plugins: fix CFLAGS
Add explicit NSPR_CFLAGS and NSS_CFLAGS where NSPR_LIBS and NSS_LIBS is
used.

Use DIRSRV_CFLAGS rather than hardcode -I/usr/include/dirsrv.

Append NSPR_CFLAGS to DIRSRV_CFLAGS in ./configure as slapi-plugin.h
includes nspr.h.

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-03-15 08:55:12 +00:00
Martin Babinsky
1cdd5dee00 idviews: correctly handle modification of non-existent view
the pre-callback in `idview-mod` did not correctly handle non-existent
object during objectclass check. It will now correctly report that the
object was not found instead on generic 'no such entry'.

https://pagure.io/freeipa/issue/6372

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-15 09:48:12 +01:00
Jan Cholasta
7ef4e9eb81 spec file: add unconditional python-setuptools BuildRequires
python-setuptools is required not only for lint, but to make the build
possible at all.

Move the python-setuptools BuildRequires from the lint section to the main
section.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-03-15 07:44:35 +00:00
Christian Heimes
a30d31b0c6 Ignore ipapython/.DEFAULT_PLUGINS
https://pagure.io/freeipa/issue/6597

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-15 06:19:00 +00:00
Pavel Vomacka
f4cd61f301 Remove allow_constrained_delegation from gssproxy.conf
The Apache process must not allowed to use constrained delegation to
contact services because it is already allowed to impersonate
users to itself. Allowing it to perform constrained delegation would
let it impersonate any user against the LDAP service without authentication.

https://pagure.io/freeipa/issue/6225

Reviewed-By: Simo Sorce <ssorce@redhat.com>
2017-03-14 18:56:03 +01:00
Pavel Vomacka
2c194d793c WebUI: Add support for management of user short name resolution
Added field into idview details page and into server config where
the order of domains used while searching for user. Domains can
be separated by ':' character.

https://pagure.io/freeipa/issue/6372

Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-03-14 18:45:29 +01:00
Martin Babinsky
4e5e3eebb2 Re-use trust domain retrieval code in certmap validators
https://pagure.io/freeipa/issue/6372

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-14 18:37:10 +01:00
Martin Babinsky
544d66b710 idview: add domain_resolution_order attribute
`idview-add` and `idview-mod` can now set and validate the attribute.
The required objectclass is added on-demand after modification

https://pagure.io/freeipa/issue/6372

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-14 18:37:10 +01:00
Martin Babinsky
1b5f56d154 ipaconfig: add the ability to manipulate domain resolution order
optional attribute was added to config object along with validator that
check for valid domain names and also checks whether the specified
domains exist in FreeIPA or in trusted forests and, in case of trusted
domains, are not disabled.

Part of http://www.freeipa.org/page/V4/AD_User_Short_Names

https://pagure.io/freeipa/issue/6372

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-14 18:37:10 +01:00
Martin Babinsky
594c87daf8 Short name resolution: introduce the required schema
Add ipaDomainResolutionOrder and ipaNameResolutionData to IPAv3 schema.
Extend ipaConfig object with ipaNameResolutionData objectclass during
update.

https://pagure.io/freeipa/issue/6372

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-14 18:37:10 +01:00
Christian Heimes
08fc9d7a68 Run test_ipaclient test suite
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-14 17:14:26 +01:00
Jan Cholasta
f037bfa483 httpinstance: disable system trust module in /etc/httpd/alias
Currently the NSS database in /etc/httpd/alias is installed with the system
trust module enabled. This is problematic for a number of reasons:

* IPA has its own trust store, which is effectively bypassed when the
  system trust module is enabled in the database. This may cause IPA
  unrelated CAs to be trusted by httpd, or even IPA related CAs not to be
  trusted by httpd.

* On client install, the IPA trust configuration is copied to the system
  trust store for third parties. When this configuration is removed, it may
  cause loss of trust information in /etc/httpd/alias
  (https://bugzilla.redhat.com/show_bug.cgi?id=1427897).

* When a CA certificate provided by the user in CA-less install conflicts
  with a CA certificate in the system trust store, the latter may be used
  by httpd, leading to broken https
  (https://www.redhat.com/archives/freeipa-users/2016-July/msg00360.html).

Disable the system trust module on install and upgrade to prevent the
system trust store to be used in /etc/httpd/alias and fix all of the above
issues.

https://pagure.io/freeipa/issue/6132

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-03-14 17:12:19 +01:00
Stanislav Laznicka
ee6d031a6a Backup KDC certificate pair
KDC certificate pair was added but is not included in backup which
might cause issues when restoring the IPA service.

https://pagure.io/freeipa/issue/6748

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-14 17:09:47 +01:00
Timo Aaltonen
c194f74b12 ipaplatform/debian/paths: Rename IPA_KEYTAB to OLD_IPA_KEYTAB.
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-14 17:09:10 +01:00
Timo Aaltonen
71db8c264e ipaplatform/debian/paths: Add IPA_HTTPD_KDCPROXY.
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-14 17:09:10 +01:00
Timo Aaltonen
1a47fcd3ee ipaplatform/debian/services: Fix is_running arguments.
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-14 17:09:10 +01:00
Martin Basti
ca5b53adcc Add copy-schema-to-ca for RHEL6 to contrib/
Fixed version that works on RHEL6. Adding it to contrib to avoid loosing it.

https://pagure.io/freeipa/issue/6540

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-14 15:16:20 +01:00
Martin Basti
f4c7f1dd8a Remove copy-schema-to-ca.py from master branch
This script is used only for IPA <3.1, so it must be compatible with
ipa-3-0 branch, so it should be placed there

https://pagure.io/freeipa/issue/6540

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-14 15:16:20 +01:00
Pavel Vomacka
585547ee94 WebUI: add link to login page which for login using certificate
Also add error message when login failed.

https://pagure.io/freeipa/issue/6225

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-14 15:13:43 +01:00
Pavel Vomacka
75c592d3b9 Support certificate login after installation and upgrade
Add necessary steps which set SSSD and set SELinux boolean during
installation or upgrade. Also create new endpoint in apache for
login using certificates.

https://pagure.io/freeipa/issue/6225

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-14 15:13:43 +01:00
Stanislav Laznicka
8980f4098e Don't fail more if cert req/cert creation failed
This should help debugging issues that could happen during server
certificate creation.

https://pagure.io/freeipa/issue/6755

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-14 15:02:42 +01:00
Stanislav Laznicka
992e6ecd1f Fix ipa-replica-prepare server-cert creation
Fixes an issue introduced in 0a54fac0, we need to specify the current
master's hostname so that we know to which CA we need to connect to
create the other's server Server-Cert.

https://pagure.io/freeipa/issue/6755

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-14 15:02:42 +01:00
Jan Cholasta
72de679eb4 csrgen: hide cert-get-requestdata in CLI
The CSR generation feature is supposed to be used from cert-request, hide
the internal cert-get-requestdata command in the CLI.

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-14 12:26:16 +00:00
Jan Cholasta
8ed891cb61 cert: include certificate chain in cert command output
Include the full certificate chain in the output of cert-request, cert-show
and cert-find if --chain or --all is specified.

If output file is specified in the CLI together with --chain, the full
certificate chain is written to the file.

https://pagure.io/freeipa/issue/6547

Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-14 12:58:45 +01:00
Jan Cholasta
c60d9c9744 cert: add output file option to cert-request
The certificate returned by cert-request can now be saved to a file in the
CLI using a new --certificate-out option.

Deprecate --out in cert-show in favor of --certificate-out.

https://pagure.io/freeipa/issue/6547

Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-14 12:58:45 +01:00
Pavel Vomacka
f952757484 TESTS WebUI: Vaults management
Bunch of tests for WebUI Vault Management.

Covers:
Adding vaults
Modifying vaults
Adding members and owners to all types of vaults

https://fedorahosted.org/freeipa/ticket/5426

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-03-14 10:40:10 +01:00
Pavel Vomacka
0808504ba1 TESTS: Add support for sidebar with facets
Part of: https://fedorahosted.org/freeipa/ticket/5426

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-03-14 10:40:10 +01:00
Pavel Vomacka
ab8c69f4c6 TESTS: Add support for KRA in ui_driver
https://fedorahosted.org/freeipa/ticket/5426

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-03-14 10:40:10 +01:00
Pavel Vomacka
39d7ef3de4 WebUI: add vault management
Add vault management into WebUI, there are some constraints:
- There is no crypto library so Symmetric and Assymetric vaults
  are not supported in WebUI. Also retrieving or archiving data
  is not supported.
- There aren't any container support right now

Supported is:
- Browsing vaults
- Adding Standard vaults (users, service, shared)
- Removing vaults
- Adding and removing owners
- Adding and removing members

https://fedorahosted.org/freeipa/ticket/5426

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-03-14 10:40:10 +01:00
Pavel Vomacka
587b7324fb WebUI: allow to show rows with same pkey in tables
Allows to show rows which have the same primary key. Used in Vault.

https://fedorahosted.org/freeipa/ticket/5426

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-03-14 10:40:10 +01:00
Pavel Vomacka
de4d4a51b5 WebUI: search facet's default actions might be overriden
While defining search facet and adding custom actions with the same name
as default actions in search facet. Custom actions will be used and their
definition will override default actions.

Part of:https://fedorahosted.org/freeipa/ticket/5426

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-03-14 10:40:10 +01:00
Pavel Vomacka
8dfe692251 Add possibility to hide only one tab in sidebar
Removes item selected by name attribute from sidebar

Part of: https://fedorahosted.org/freeipa/ticket/5426

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-03-14 10:40:10 +01:00
Pavel Vomacka
039a6f7b4f Possibility to set list of table attributes which will be added to _del command
'additional_table_attrs' can contain array of names of columns. Value from each
column with its name will be added to the batch _del command. in case that
the column with set name does not exists - the name is skipped.

Part of: https://fedorahosted.org/freeipa/ticket/5426

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-03-14 10:40:10 +01:00
Pavel Vomacka
2e6e069886 Extend _show command after _find command in table facets
Allow pagination to table facets which needs to call _show on all rows
with additional parameter. 'show_command_additional_attr' can be set to any
attribute from result of _find command. This attribute is taken with its value
and added to options of _each command for each row.

Part of: https://fedorahosted.org/freeipa/ticket/5426

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-03-14 10:40:10 +01:00
Pavel Vomacka
042e113db9 Add possibility to pass url parameter to update command of details page
'update_attribute' can contain a name of field in details page. In that case the value
of the field with field name will be appended to the update command options.

Part of: https://fedorahosted.org/freeipa/ticket/5426

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-03-14 10:40:10 +01:00
Pavel Vomacka
bbca1d9219 Add property which allows refresh command to use url value
'refresh_attribute' can be set to the name of url parameter name. This parameter with
its value is then passed to refresh command of the details facet.

Part of: https://fedorahosted.org/freeipa/ticket/5426

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-03-14 10:40:10 +01:00