Commit Graph

11554 Commits

Author SHA1 Message Date
Tomas Krizek
f32784f4cb build: checkout *.po files at the end of makerpms.sh
*.po are re-generated during build. These changes shouldn't be
comitted to git unless translation have been updated (during
release).

Fixes https://pagure.io/freeipa/issue/6605

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-08-17 10:01:03 +02:00
Stanislav Laznicka
31a5cf588e conncheck: fix progression on failure
traceback.format_exc() does not take exception object as an argument.
This made Python 3 get stuck amid ipa-replica-conncheck, probably
because it was waiting for a thread to finish.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2017-08-17 09:56:01 +02:00
Stanislav Laznicka
dbeb41efd6 kerberos: fix sorting Principal objects
When service-find was issued under Python 3, the command fails
because it tried to sort a list of Principal objects which was not
possible.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2017-08-17 09:56:01 +02:00
Fraser Tweedale
7995518921 Restore old version of caIPAserviceCert for upgrade only
The latest version of caIPAserviceCert profile includes a feature
that is not available before Dogtag 10.4, and this version of the
profile is intended for new installs only (otherwise, problems will
arise in topologies containing CA replicas at an earlier version).
But IPA versions before v4.2 did not use LDAP-based profiles, so the
new version of the profile gets imported when upgrading from
pre-v4.2 to v4.5 or later.

We do not yet have a proper version- and topology-aware profile
update mechanism, so to resolve this issue, ship the older version
of the profile alongside the newer version, and make sure we use the
older version when importing the profile in an upgrade context.

https://pagure.io/freeipa/issue/7097

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-14 19:25:59 +02:00
Felipe Volpone
cac3475a04
Changing how commands handles error when it can't connect to IPA server
Creating a method to check if ipa client is configured. Also,
changing scripts to use it instead of duplicating the check.

https://pagure.io/freeipa/issue/6261

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-11 13:55:39 +02:00
Michal Reznik
a3c99367bf
test_caless: add SAN dNSName extensions for wildcard tests
It may happen that FQDN does not match with the domain mapped to
the host. In this case we add wildcard for both domains.

https://pagure.io/freeipa/issue/7100

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-08-11 13:53:44 +02:00
Tibor Dudlák
76357283ec
otptoken_yubikey.py: Removed traceback when package missing.
IPA should suggest user to install dependent packages instead
of throwing traceback. To work with IPA and Yubikey, packages
libyubikey(not in official RHEL repo) and libusb are required.

Resolves: https://pagure.io/freeipa/issue/6979
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-11 13:51:04 +02:00
Christian Heimes
5f03329051
Misc Python 3 fixes for ipaserver.secrets
bytes/str fixes for LDAP data, JSON encoding and temp files.

Require jwcrpyto 0.4.2 with fix for RHBZ #1476150

https://pagure.io/freeipa/issue/4985

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-08-11 13:47:35 +02:00
Petr Vobornik
038d192065
log progress of wait_for_open_ports
To know what to focus on when some check fail. E.g. to detect that
IPv6 address or its resolution for localhost is misconfigured.

https://pagure.io/freeipa/issue/7083

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-08-11 13:40:38 +02:00
Petr Vobornik
cc72db67e2
control logging of host_port_open from caller
host_port_open copied logging behavior of ipa-replica-conncheck utility
which doesn't make it much reusable.

Now log level can be controlled from caller so other callers might use
other logging level without host_port_open guessing what was the
intention.

https://pagure.io/freeipa/issue/7083

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-08-11 13:40:38 +02:00
Abhijeet Kasurde
8d3924dc98
Vault testcase improvement
* Collect logs for install KRA

Related: https://pagure.io/freeipa/issue/7098

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-08-11 12:13:21 +02:00
Stanislav Laznicka
7d217c8c9b
host, service: fix adding host/svc with a cert
ipaldap.LDAPEntry expects that entry attributes, if multi-valued,
are lists.

The recent cert refactoring made it possible to pass certificate
values from options directly to LDAPEntry. This should now be
handled in appropriate general way in baseldap.LDAPCreate
since if options.get() is called, it returns tuple instead
of list which confuses ipaldap.

https://pagure.io/freeipa/issue/7077

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-11 12:09:44 +02:00
Michal Reznik
1ff356241c
test_caless: add replica ca-less to ca-full test (master caless)
Add replica ca-less to ca-full test when master stays caless. Cover
Pagure issue: https://pagure.io/freeipa/issue/6226

https://pagure.io/freeipa/issue/7086

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-08-11 12:04:32 +02:00
Michal Reznik
7a5b1cc140
test_caless: add server_replica ca-less to ca-full test
Add server_replica ca-less to ca-full test as we are currently missing
one. Cover Pagure issue: https://pagure.io/freeipa/issue/6207

https://pagure.io/freeipa/issue/7086

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-08-11 12:04:32 +02:00
Michal Reznik
4caabb140e
tests: fix external_ca test suite failing due to missing SKI
external_ca test suite is failing during installation due to
missing SKI extension.

https://pagure.io/freeipa/issue/7099

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-08-11 10:54:05 +02:00
Stanislav Laznicka
d147948fcc server plugin: pass bytes to ldap.modify_s
The server-del command passes str instance instead of bytes to
ldap.modify_s which results in the target server not being
removed properly.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2017-08-03 13:50:10 +02:00
Stanislav Laznicka
76904ba84d replica: fix SetuptoolsVersion comparison
Python 3 does not allow comparing SetuptoolsVersion and str
instances.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-08-03 13:48:12 +02:00
Stanislav Laznicka
1124eee2ff replica-prepare: run the script in py3 by default
https://pagure.io/freeipa/issue/4985

Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2017-08-02 16:15:13 +02:00
Stanislav Laznicka
9fc2cab972 certs: write and read bytes as such
There were several cases in ipaserver.install.certs where bytes
would be read/written as normal strings, this commit fixes that.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2017-08-02 16:15:13 +02:00
Stanislav Laznicka
6f8d90d97a client: make ipa-client-install py3 compatible
This commit enables ipa-client-install to be installable in
Python 3 and makes it run in Python 3 by default.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2017-08-02 16:13:18 +02:00
Tomas Krizek
8f92a9bdc1 freeipa-pr-ci: enable pull-request CI
This config file defines jobs to be executed as a part of the
pull-request CI. For more information, see:

https://github.com/freeipa/freeipa-pr-ci
https://www.freeipa.org/page/V4/Pull-Request_CI

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-07-31 08:52:38 +02:00
Stanislav Laznicka
c95617e714 cainstance: read cert file as bytes
https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-07-27 16:55:21 +02:00
Stanislav Laznicka
0c848b791d ca: TypeError fix
We were trying to load a certificate as a string even though it
was an object already.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 16:53:00 +02:00
Stanislav Laznicka
276bef101b krainstance: fix writing str to file
https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-07-27 16:51:09 +02:00
Felipe Volpone
75d26e1f01 py3: fixing zonemgr_callback
Since OptionParser behaves differently in Python 2/3,
zonemgr_callback now handles value as str in both version.

https://pagure.io/freeipa/issue/5990

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-07-27 16:48:49 +02:00
Stanislav Laznicka
06fbf4b312 replica-conncheck: log when failed to RPC connect
It's nearly impossible to find out what happened when doing
replica connection check and it fails during the RPC phase.
The error is now logged.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:33:58 +02:00
Tomas Krizek
fc7e2565bd ipactl: log check_version exception
When version is mismatched and ipa-server-upgrade is required,
log the version mismatch properly in journal.

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:32:07 +02:00
Stanislav Laznicka
e1f88c844e Fixup of not-so-good PEM certs
certmonger returns PEM certificates with an additional newline
after the base64 encoded cert, remove it

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Stanislav Laznicka
1521296297 x509,certdb: handle certificates as bytes
Certificates, both in PEM and DER format, should be handled as bytes
in Python 3.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Stanislav Laznicka
5a44ca6383 Create a Certificate parameter
Up until now, Bytes parameter was used for certificate parameters
throughout the framework. However, the Bytes parameter does nothing
special for certificates, like validation, so this had to be done
for each of the parameters which were supposed to represent a
certificate.

This commit introduces a special Certificate parameter which takes
care of certificate validation so this does not have to be done
separately. It also makes sure that the certificates represented by
this parameter are always converted to DER format so that we can work
with them in a unified manner throughout the framework.

This commit also makes it possible to pass bytes directly during
instantiation of the Certificate parameter and they are still
represented correctly after their conversion in the _convert_scalar()
method.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Stanislav Laznicka
5ff1de8490 parameters: relax type checks
Previously, the type check of the Param class did only allow
the parameters to only have a value that's of a direct type.
However, that's nonsensically restrictive. For example, if
there's an interface implemented as an `ABCMeta` class then
the check for type fails since the interface's type is
`ABCMeta` instead of directly a `type`. Among others,
this is the case for cryptography.x509.Certificate.

Being a type is a transitive property of a Python object and we
should respect that in our framework.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Stanislav Laznicka
bf4dae70e0 tests: fix failing HTTPS connection
Recent certificate refactoring probably unclogged some failure
in handling certificates which causes test_changepw to correctly
fail since it is trying to connect using an HTTPS connection
without the CA certificate. This patch adds the CA cert to the
connection.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Stanislav Laznicka
43c74d3333 Introduce load_unknown_x509_certificate()
load_unknown_x509_certificate() serves for the cases where we
can't be sure what the format of its input certificate is. This
is the case for installers, it should not be used anywhere else.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Stanislav Laznicka
b5732efda6 x509: Make certificates represented as objects
https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Stanislav Laznicka
4375ef860f Split x509.load_certificate() into PEM/DER functions
Splitting the load_certificate() function into two separate helps
us word the requirements for the input explicitly. It also makes
our backend similar to the one of python-cryptography so eventually
we can swap python-cryptography for IPA x509 module.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Michal Reznik
284658e08e test_caless: remove xfail in wildcard certificate tests
As we are now generating proper wildcard certificates, remove xfail
in wildcard certificate tests.

https://pagure.io/freeipa/issue/5603

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-07-26 16:02:18 +02:00
Tomas Krizek
ba5f7afedc logging: make sure logging level is set to proper value
During py.test initialization, the value 'debug' is passed instead
of logging.DEBUG.

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2017-07-26 15:57:56 +02:00
Pavel Vomacka
0b8d460191 WebUI: fix jslint error
jslint warned about parsing string to integer without explicit radix.
This error was introduced in commit 3cac851 .

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-24 14:20:36 +02:00
Lewis Eason
bcfa6b533d Correct typo estabilish->establish in the install scripts
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-07-24 13:41:16 +02:00
David Kupka
d6787eea48 install: replica: Show message about key synchronization
https://pagure.io/freeipa/issue/6940

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-24 13:38:31 +02:00
Thierry Bordaz
0f0423cf53 NULL LDAP context in call to ldap_search_ext_s during search
KDC crashes on quite random interval while trying to reach LDAP
    https://pagure.io/freeipa/issue/7017

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-24 13:34:06 +02:00
Michal Reznik
64375ba65b
test_caless: introduce new python makepki + fix SKI extension issue
Change makepki.sh for new makepki.py which should be more
readable, maintainable and extendable than the old script.
In this test we use it as a module and import create_pki().

The new makepki adds SKI and AKI extensions for correct
cert validation.

Other minor changes needed as we do not use NSS to store our
certificates on the test controller.

https://pagure.io/freeipa/issue/7030

Signed-off-by: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-07-21 09:49:18 +02:00
Stanislav Laznicka
62f19fc082
README: Fix trailing whitespace
be2fba0 introduced a trailing whitespace in our README.md, this
patch removes it

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-07-21 09:47:36 +02:00
Pavel Vomacka
cfa157c1e5 WebUI: change validator of page size settings
Previously, this configuration field was validated by integer_validator
which only checks that the input is number.
Now new positive_integer_validator can also check that
the inputed number positive.

https://pagure.io/freeipa/issue/6980

Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
2017-07-19 09:26:40 +02:00
Pavel Vomacka
3cac851498 WebUI: Add positive number validator
Add new validator which inherits from integer validator
and checks whether the integer is positive.

https://pagure.io/freeipa/issue/6980

Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
2017-07-19 09:26:40 +02:00
Jan Cholasta
7f10a5145c pylint: enable logging checks
Enable the logging-not-lazy and logging-format-interpolation checks.

🕯

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
07229c8ff6 logging: do not use ipa_log_manager to create module-level loggers
Replace all `ipa_log_manager.log_mgr.get_logger` calls to create
module-level loggers with `logging.getLogger` calls and deprecate
`ipa_log_manager.log_mgr.get_logger`.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
7a482b7c72 logging: do not log into the root logger
Deprecate `ipa_log_manager.root_logger` and replace all calls to it with
module-level logger calls.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
ab9d1e75fc logging: do not reference loggers in arguments and attributes
Remove logger arguments in all functions and logger attributes in all
objects, with the exception of API object logger, which is now deprecated.
Replace affected logger calls with module-level logger calls.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
bccb243b05 doc: sync guide.org with cli.py
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00