Commit Graph

11554 Commits

Author SHA1 Message Date
Pavel Vomacka
0ee7db75e4 WebUI: Remove plugins symlink as it is unused
The plugins symlink points to non-existing directory and is currently
not used. It also causes errors in freeipa-pr-ci during creating
tarball.

https://pagure.io/freeipa/issue/6447

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-08-30 16:15:57 +02:00
Pavel Vomacka
41a18bbbc8 Remove all old JSON files
JSON files were used as source of information for offline WebUI.

https://pagure.io/freeipa/issue/6447

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-08-30 16:15:57 +02:00
Pavel Vomacka
6ad92d3a4f Revert "Web UI: Remove offline version of Web UI"
This reverts commit 24525fd086.
The reverted commit removed symlinks which allowed unit tests to
access FreeIPA code.

https://pagure.io/freeipa/issues/6447

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-08-30 16:15:57 +02:00
Tomas Krizek
661e611d14
dnssec: fix localhsm.py utility script
See e6b2ed6b68 for details.

Fixes https://pagure.io/freeipa/issue/7116

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-08-30 16:00:23 +02:00
Felipe Volpone
0b7d9c5a7b
Removing part of circular dependency of ipalib in ipaplaform
After commit cac3475, ipa-backup is broken due to circular
dependencies. This fixes it, removing circular dependency
of ipalib. The ipalib.constants.IPAAPI_USER is now passed
as parameter to the function that use it.

https://pagure.io/freeipa/issue/7108

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-08-30 15:51:39 +02:00
Martin Babinsky
a2de6a17c5 Move tmpfiles.d configuration handling back to spec file
Since ipaapi user is now created during RPM install and not in runtime,
we may switch back to shipping tmpfiles.d configuration directly in RPMs
and not create it in runtime, which is a preferred way to handle drop-in
configuration anyway.

This also means that the drop-in config will be shipped in /usr/lib
instead of /etc according to Fedora packaging guidelines.

This partially reverts commit 38c66896de.

https://pagure.io/freeipa/issue/7053

Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2017-08-30 13:05:23 +02:00
Martin Basti
dffddbd2c0 DNS update: reduce timeout for CA records
Timeout 120 seconds is quite long and it makes uninstallation too long
for. Given that this is non critical operation and may be executed
manually later, waiting 120 seconds is too much. Usually waiting longer
will not help at all to resolve missing record.

30 seconds is long enough 🕯

https://pagure.io/freeipa/issue/6176

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-08-30 13:02:59 +02:00
Florence Blanc-Renaud
ee5345ac05 Fix Certificate renewal (with ext ca)
Fix certificate renewal scripts that use IPACertificate object:
- renew_ca_cert adds the C flag to the trust flags and needs to
be adapted to IPACertificate object
- ipa-cacert-manage: fix python3 encoding issue

https://pagure.io/freeipa/issue/7106

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-08-30 12:58:58 +02:00
Stanislav Laznicka
170f7a778b certmonger: remove temporary workaround
During recent refactoring, a workaround was added to make it
possible for OpenSSL backend of python-cryptography to read PEM
certificates returned by dogtag-ipa-renew-agent-submit. This was
fixed in latest certmonger version.

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-08-30 12:55:59 +02:00
Tomas Krizek
3091938c0b prci: add caless tests
Add TestServerReplicaCALessToCAFull to PR CI test suite.

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-08-30 12:53:53 +02:00
Florence Blanc-Renaud
69bda6b440 Fix ipa-server-upgrade: This entry already exists
ipa-server-upgrade fails when running the ipaload_cacrt plugin. The plugin
finds all CA certificates in /etc/httpd/alias and uploads them in LDAP
below cn=certificates,cn=ipa,cn=etc,$BASEDN.
The issue happens because there is already an entry in LDAP for IPA CA, but
with a different DN. The nickname in /etc/httpd/alias can differ from
$DOMAIN IPA CA.

To avoid the issue:
1/ during upgrade, run a new plugin that removes duplicates and restarts ldap
(to make sure that uniqueness attr plugin is working after the new plugin)
2/ modify upload_cacert plugin so that it is using $DOMAIN IPA CA instead of
cn=$nickname,cn=ipa,cn=etc,$BASEDN when uploading IPA CA.

https://pagure.io/freeipa/issue/7125

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-08-30 12:47:53 +02:00
Stanislav Laznicka
1b78f79283 cert: fix wrong assumption of cert-show result type
cert-show returns a base64 encoded certificate yet the assumption
here was for a PEM bytes instance.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2017-08-30 12:44:46 +02:00
Stanislav Laznicka
e09b6c2602 rpc: don't encode bytes
bytes.encode() appeared in rpc.py by a mistake, should have been
bytes.decode()

https://pagure.io/freeipa/issue/4985

Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2017-08-30 12:44:46 +02:00
Fraser Tweedale
947ac4bc1f py3: handle bytes in schema response
If a server is running under py2 it could return a bytes value for
the 'topic_topic' field in the schema response.  A py3 client fails
to handle this (in one place it applies 'str' to it, which raises
BytesWarning; in other places it tries to serialise the schema to
JSON which fails because of the bytes value).

Handle the case where 'topic_topic' is not unicode, and handle bytes
values when serialising the schema to JSON.

Fixes: https://pagure.io/freeipa/issue/6809
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-08-29 13:05:20 +02:00
Fraser Tweedale
9cead4da2e py3: fix vault public key decoding
Part of: https://pagure.io/freeipa/issue/7033

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-08-29 13:03:25 +02:00
Fraser Tweedale
cac7357ebd cert: fix application of 'str' to bytes when formatting otherName
Part of: https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-08-29 13:01:31 +02:00
Stanislav Laznicka
0be9a17211 py3: Fix searching for yubikeys
Bumping the requirements for the python-yubikey package. This is
unfortunately most probably fixed only in Fedora because there was no
upstream release for about a year and a half now. That also means
bumping the version in ipasetup.py.in would be pointless.

https://pagure.io/freeipa/issue/7121

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-08-29 12:59:23 +02:00
Fraser Tweedale
b1e1109679 py3: fix schema response for py2 server with py3 client
The schema RPC response can include a bytes value for the
'topic_topic' field (when the server is running in Python 2).
In this case, a Python 3 client fails to initialise the API
when a schema fetch is required, because it cannot serialise
the bytes values in the schema object to JSON.

Ensure the 'topic_topic' value is unicode.

Part of: https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-08-29 12:57:02 +02:00
Stanislav Laznicka
2bc5b7f044 py3: remove relative import
https://pagure.io/freeipa/issue/4985
https://pagure.io/freeipa/issue/6874

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-08-29 12:55:25 +02:00
Stanislav Laznicka
e6a9de8a2e py3: remove Exception.message appearances
Exception.message is removed in Python3

https://pagure.io/freeipa/issue/4985
https://pagure.io/freeipa/issue/6874

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-08-29 12:55:25 +02:00
Stanislav Laznicka
7a86ff5d9b Fix cert file creation during CA-less installation
When writing extracted certs and keys to the file, we opened the
same file at a different spot but the original file position
indicator would not be moved when the certificate is written there.
The result is that the certificate gets rewritten by the private
key.  This commit fixes it.

Fixes: https://pagure.io/freeipa/issue/7118
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-08-25 09:48:02 +02:00
Fraser Tweedale
477b3dca80 Fix incorrect 'with' statement in CA-less installation
Part of: https://pagure.io/freeipa/issue/7118

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-08-25 09:48:02 +02:00
Stanislav Laznicka
6ca8787cc7 Uninstall: fix BytesWarning exception
When uninstalling, if server does not have all roles, exception
is thrown as the role is not found. `member_principal` variable
has to be string here, otherwise we're using str on bytes.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-08-25 09:42:51 +02:00
Stanislav Laznicka
31142ead83 Unify storing certificates in LDAP
Recent certificate refactoring left the system in a state where
the certificates are somewhere converted to DER format, somewhere
directly sent to ipaldap as IPACertificate objects. The latter
is the desirable way, make sure it's the one commonly used.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-08-25 09:40:15 +02:00
Stanislav Laznicka
2151ab02c1 py3: fix caless to CA promotion on replica
https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-08-25 09:25:19 +02:00
Alexander Bokovoy
928374ca7d dcerpc: support Python 3
Make 'ipa trust-add' work under Python 3. One needs patches from
https://lists.samba.org/archive/samba-technical/2017-July/121746.html
to Samba too.

Since we haven't switched whole ipa server environment to Python 3 yet,
following packages need to be installed to make trust code working under
Python 3:

 - python3-libsss_nss_idmap
 - python3-sss
 - python3-samba
 - python3-mod_wsgi

Fixes: https://pagure.io/freeipa/issue/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-08-23 09:03:12 +02:00
Stanislav Laznicka
6fc7a96e11 cacert_manage: fix CA cert renewal
Since IPACertificate object is passed to CAInstance's
update_people_entry() and update_authority_entry(),
these are not be able to load this object as a certificate again and
thus would fail. This commit fixes that.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-23 08:59:54 +02:00
Rob Crittenden
a37e90530f Include the CA basic constraint in CSRs when renewing a CA
The CSR generated by `ipa-cacert-manage renew --external-ca` did
not include the CA basic constraint:

  X509v3 Basic Constraints: critical
      CA:TRUE

Add a flag to certmonger::resubmit_request to specify that a
CA is being requested.

Note that this also sets pathlen to -1 which means an unlimited
pathlen. Leave it up to the issuing CA to set this.

https://pagure.io/freeipa/issue/7088

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-22 11:05:37 +02:00
Stanislav Laznicka
7ef6de931b python3: port certmonger requests script
This commit fixes requesting certificates via certmonger in Python 3.
This includes dogtag-ipa-ca-renew-agent-submit script and scripts
used during the scripts restarting.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-22 10:53:39 +02:00
Stanislav Laznicka
a3c11b01af crtmgr: fix bug if CERTMONGER_CERTIFICATE not set
If CERTMONGER_CERTIFICATE is not set in certain scenario, the
code would fail since None cannot be passed to loading certificates.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-22 10:53:39 +02:00
Stanislav Laznicka
0412625a2b certmonger: finish refactoring for request script
The recent certificate refactoring assures that ipaldap operations
are able to work with IPACertificate values when communication with
the LDAP server. Use these capabilities and prevent possible bugs.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-22 10:53:39 +02:00
Stanislav Laznicka
32be3ef622 certmonger: fix storing retrieved certificates
This was a forgotten part from previous certificate refactoring which
would cause issues since the second part of results throughout the
dogtag-ipa-ca-renew-agent-submit is expected to be a string.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-22 10:53:39 +02:00
Pavel Vomacka
2a73b5d739 WebUI: Add hyphenate versions of Host(Role) Based strings
The hyphenated forms are less ambiguous and easier to read.
(For more grammar background, see for example
"Hyphenate Complex Adjectives" in http://stylepedia.net/
Grammar-Hyphenation )

https://pagure.io/freeipa/issue/6582

Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2017-08-22 10:38:10 +02:00
Stanislav Laznicka
9869d52bab
Make the IPA server run under Python 3 by default
Set python3-mod_wsgi as a requirement for FreeIPA in the spec file
if with_python3 is specified so that httpd runs IPA server under
Python 3.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-08-21 15:47:33 +02:00
Stanislav Laznicka
5965e27b30
Turn IPA scripts to python3 -bb for testing
This is a commit which expands current scripts being run under
python3 by default. We set the -bb option so that any Bytes/Str
error breaks execution.

This commit shall be reverted before reaching production.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-08-21 15:47:33 +02:00
Stanislav Laznicka
7bf6eb7e19
py3: Depend on newer pyldap for server-upgrade
https://pagure.io/freeipa/issue/4985

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-08-21 11:29:07 +02:00
Stanislav Laznicka
b1fbdbefdb
ipautil: port host_port_open() to python 3
socket.send() expects `Bytes` instance, not string

https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-08-18 11:48:51 +02:00
Tomas Krizek
f7d1a10f22
makerpms.sh: make git checkout optional
In case someone is using the script from tarball, outside of git,
the git checkout command shouldn't fail the script.

Related https://pagure.io/freeipa/issue/6605

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-08-18 11:46:13 +02:00
David Kupka
bda3dd722b
tests: certmap: Add test for user-{add,remove}-certmap
https://pagure.io/freeipa/issue/7105

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-18 11:40:21 +02:00
David Kupka
7bce62d5d4
tests: tracker: Add CertmapdataMixin tracker
https://pagure.io/freeipa/issue/7105

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-18 11:40:21 +02:00
David Kupka
e574f5d65e
tests: certmap: Add test for certmapconfig-{mod,show}
https://pagure.io/freeipa/issue/7105

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-18 11:40:21 +02:00
David Kupka
0ccde44501
tests: tracker: Add CertmapconfigTracker to tests certmapconfig-* commands
https://pagure.io/freeipa/issue/7105

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-18 11:40:21 +02:00
David Kupka
eabd397154
tests: certmap: Test permissions for certmap
https://pagure.io/freeipa/issue/7105

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-18 11:40:21 +02:00
David Kupka
c6a43ffcad
tests: certmap: Add basic tests for certmaprule commands
https://pagure.io/freeipa/issue/7105

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-18 11:40:21 +02:00
David Kupka
aee200816e
tests: tracker: Add CertmapTracker for testing certmap-* commands
https://pagure.io/freeipa/issue/7105

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-18 11:40:21 +02:00
David Kupka
3113bfb0cf
tests: tracker: Add ConfigurationTracker to test *config-{mod,show} commands
https://pagure.io/freeipa/issue/7105

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-18 11:40:21 +02:00
David Kupka
7b015a2e76
tests: tracker: Add EnableTracker to test *-{enable,disable} commands
https://pagure.io/freeipa/issue/7105

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-18 11:40:21 +02:00
David Kupka
ac7712c93e
tests: tracker: Split Tracker into one-purpose Trackers
There are multiple types of entries and objects accessible in API and not all
of them have the same set methods. Spliting Tracker into multiple trackers
should reflect this better.

https://pagure.io/freeipa/issue/7105

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-18 11:40:21 +02:00
Rob Crittenden
9c1ab3ca50
Pass ipa-ca-agent credentials as PEM files
In Fedora 27 curl is proposing to switch to using OpenSSL as
the crypto backend instead of NSS. This requires a new set of
arguments to certmonger to bootstrap fetching the IPA RA cert.

https://pagure.io/freeipa/issue/7076

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-08-18 11:32:34 +02:00
Pavel Vomacka
ed7de96648 WebUI: fix incorrectly shown links in association tables
Previously all columns was shown as links, that was caused by setting
link attribute of each column to true. This true value was there because
of possibility to turn off links in whole table on self-service pages.

Now only column which is primary key is set to be shown as link.

https://pagure.io/freeipa/issue/7066

Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2017-08-17 10:10:21 +02:00