Commit Graph

1990 Commits

Author SHA1 Message Date
Martin Basti
135047d03c Pylint: remove unused variables in ipaserver package
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-10-06 10:43:36 +02:00
Martin Basti
d937588146 Pylint: remove unused variables from installers and scripts
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-10-06 10:43:36 +02:00
Stanislav Laznicka
889f0863b8 Make installer quit more nicely on external CA installation
cainstance.__spawn_instance() exits in rather weird manner on
successful external CA install. This masks the weird implementation
from the user. :-&

https://fedorahosted.org/freeipa/ticket/6230

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-10-06 07:06:38 +02:00
Petr Spacek
c56256e2a2 Raise errors from service.py:_ldap_mod() by default
This is to prevent situations when installer prints
CRITICAL Failed to load ....ldif
and continues just to crash later on because of non-existing LDAP container
or so on.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-04 14:14:30 +02:00
Martin Babinsky
ee96384c3e mod_nss: use more robust quoting of NSSNickname directive
The code which handles configuration of mod_nss module must be more robust
when handling NSS nicknames generated from subject names containing quoted RDN
values.

https://fedorahosted.org/freeipa/ticket/5809

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-10-03 13:42:34 +02:00
Martin Basti
45e3aee352 Pylint: enable check for unused-variables
Unused variables may:
* make code less readable
* create dead code
* potentialy hide issues/errors

Enabled check should prevent to leave unused variable in code

Check is locally disabled for modules that fix is not clear or easy or have too many occurences of
unused variables

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-27 13:35:58 +02:00
Martin Basti
0f88f8fe88 Remove unused variables in the code
This commit removes unused variables or rename variables as "expected to
be unused" by using "_" prefix.

This covers only cases where fix was easy or only one unused variable
was in a module

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-27 13:35:58 +02:00
Fraser Tweedale
ff490b6c40 sudorule: add SELinux transition examples to plugin doc
It is not obvious how to add SELinux type and role transitions to a
Sudo rule.  Update the 'sudorule' plugin documentation with examples
of how to do this.

Fixes: https://fedorahosted.org/freeipa/ticket/3461
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-09-23 14:59:43 +02:00
Martin Basti
9b68d2a1f8 Pylint: enable global-variable-not-assigned check
the global keyword should be used only when variable from outside is
assigned inside, otherwise it has no effect and just confuses developers

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-09-23 09:23:41 +02:00
Fraser Tweedale
97d4ffc2dc Fix cert revocation when removing all certs via host/service-mod
When removing all host/service certificates via host/service-mod
--certificate=, the removed certificates should be revoked, but they
are not.  Examine whether the --certificate option was provided to
determine whether certs should be revoked, instead of looking for a
cert list in the options (which in this case is empty).

Fixes: https://fedorahosted.org/freeipa/ticket/6305
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-09-23 08:10:11 +02:00
Jan Barta
9bc57a01e1 pylint: fix old-style-class
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-09-22 16:52:57 +02:00
Jan Barta
568f9da331 pylint: fix redefine-in-handler
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-09-22 16:52:57 +02:00
Jan Barta
275e85d076 pylint: fix unneeded-not
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-09-22 16:52:57 +02:00
Jan Barta
36484e8672 pylint: fix simplifiable-if-statement warnings
fix inefficient if statements, enable pylint check

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-09-22 16:52:57 +02:00
Stanislav Laznicka
330a3ca931 Remove update_from_dict() method
update_from_dict() method is not used anywhere in the project,
it only makes the tests fail. Removed it and its tests.

https://fedorahosted.org/freeipa/ticket/6311

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-09-22 13:02:57 +02:00
Pavel Vomacka
0e6d6e4032 WebUI: Change group name from 'normal' to 'Non-POSIX'
It will correspond with CLI and will be more self-explanatory.

https://fedorahosted.org/freeipa/ticket/6334

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-21 13:20:21 +02:00
Tomas Krizek
75f77e0f2a Add help info about certificate revocation reasons
Inform the user where to find additional information
about certificate revocation reasons.

https://fedorahosted.org/freeipa/ticket/6327

Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-21 13:05:13 +02:00
Martin Basti
8f8e3d008f Use constant for user and group patterns
User and groups regexp are the same and constant should be used to avoid
any future misconfigurations.

https://fedorahosted.org/freeipa/ticket/5822

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-09-20 17:35:28 +02:00
Martin Basti
3720080611 Fix regexp patterns in parameters to not enforce length
Regexp should not enforce lenght of string, we have different checks for
that. Secondly regexp with length specified produces an incorrect error
message.

https://fedorahosted.org/freeipa/ticket/5822

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-09-20 17:35:28 +02:00
Tomas Krizek
2bc70a5d5f Keep NSS trust flags of existing certificates
Backup and restore trust flags of existing certificates during CA
installation. This prevents marking a previously trusted certificate
as untrusted, as was the case when CA-less was converted to CA-full
with external CA when using the same certificate.

https://fedorahosted.org/freeipa/ticket/5791

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-09-19 17:57:05 +02:00
Jan Cholasta
e5f7a612fb dns: re-introduce --raw in dnsrecord-del
The flag was removed in commit ff52c25ae2
because it is unused. Add it back for compatibility with old clients.

https://fedorahosted.org/freeipa/ticket/5644

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-09-19 17:36:20 +02:00
Florence Blanc-Renaud
0c4a91348a Add cert checks in ipa-server-certinstall
When ipa-server-certinstall is called to install a new server certificate,
the prerequisite is that the certificate issuer must be already known by IPA.
This fix adds new checks to make sure that the tool exits before
modifying the target NSS database if it is not the case.
The fix consists in creating a temp NSS database with the CA certs from the
target NSS database + the new server cert and checking the new server cert
validity.

https://fedorahosted.org/freeipa/ticket/6263

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-09-19 07:58:44 +02:00
Martin Basti
d13a4c2f39 Add check for IP addresses into DNS installer
https://fedorahosted.org/freeipa/ticket/5814

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-09-14 15:30:55 +02:00
Martin Basti
cd2c10d7ca Fix missing config.ips in promote_check
When replica is installed with --setup-dns config.ips is not defined.

https://fedorahosted.org/freeipa/ticket/5814

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-09-14 15:30:55 +02:00
Martin Basti
1c96ff7a6c Abstract procedures for IP address warnings
Originaly there should be only two occurencees of this warning, one for
server, one for client. But obviously is not possible with current
installers to achive this goal, so I have to extract code to not mess
with 5 times copy and paste.

https://fedorahosted.org/freeipa/ticket/5814

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-09-14 15:30:55 +02:00
Martin Basti
271a4f0982 Catch DNS exceptions during emptyzones named.conf upgrade
For some reasons named may not be runnig and this cause fail of this
upgrade step. This step is not critical so only ERROR message with
recommendation is shown.

https://fedorahosted.org/freeipa/ticket/6205

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-09-14 14:57:07 +02:00
Martin Basti
22fd6f0209 Start named during configuration upgrade.
Some upgrade steps require bind running, to be succesfull. Upgrader
makes sure that bind starts.

https://fedorahosted.org/freeipa/ticket/6205

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-09-14 14:57:07 +02:00
Martin Babinsky
f3f9087ee8 ipa passwd: use correct normalizer for user principals
Commit c2af032c03 introduced a regression in the
handling of user principals supplied to the`ipa passwd` command. This patch
restores the original behavior which lowercases the username portion of the
principal.

https://fedorahosted.org/freeipa/ticket/6329

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-09-14 13:08:53 +02:00
Martin Babinsky
b0d40b80e8 trust-fetch-domains: contact forest DCs when fetching trust domain info
The code should always contact forest root DCs when requesting trust domain
info. In the case of one-way or external trusts
`com.redhat.idm.trust-fetch-domains` helper is leveraged, otherwise forest
root domain is contacted directly through Samba using the credentials of HTTP
principal.

https://fedorahosted.org/freeipa/ticket/6328

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-09-14 10:38:07 +02:00
Fraser Tweedale
1f1c93d2b5 cert-request: raise error when request fails
Fix a regression in recent change to request cert via Dogtag REST
API.  'ra.request_certificate' was no longer raising
CertificateOperationError when the cert request failed.  Inspect the
request result to determine if the request completed, and raise if
it did not.

Fixes: https://fedorahosted.org/freeipa/ticket/6309
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-09-13 17:22:34 +02:00
Martin Babinsky
003b364c5a netgroup: avoid extraneous LDAP search when retrieving primary key from DN
DNs for netgroup entries can contain either 'cn' or 'ipauniqueid' attribute in
their leaf RDN depending on their origin. Since 'cn' is the primary key, we
can return it in `get_primary_key_from_dn` right away and avoid any extraneous
LDAP search.

https://fedorahosted.org/freeipa/ticket/5855

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-09 16:27:53 +02:00
Martin Babinsky
5b9516753c advise: Use name instead of __name__ to get plugin names
This change will allow ipa-advise to correctly handle advise plugins with
custom names.

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-08 17:28:24 +02:00
Pavel Vomacka
c3374c6e16 Add 'Restore' option to action dropdown menu
Also moving activate_action method several lines up - correcting logical order of methods.

https://fedorahosted.org/freeipa/ticket/5818

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-08 09:44:20 +02:00
Martin Basti
b232ad463c Show warning when net/broadcast IP address is used in installer
https://fedorahosted.org/freeipa/ticket/5814

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-09-07 16:22:03 +02:00
Martin Basti
f3d379071a Allow multicast addresses in A/AAAA records
There is no reason (RFC) why we should prevent users to add multicast
addresses to A/AAAA records

https://fedorahosted.org/freeipa/ticket/5814

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-09-07 16:22:03 +02:00
Martin Basti
81d64d530c Allow network ip addresses
Currently cloud environments uses heavily prefix /32 (/128) what makes
IPA validators to fail. IPA should not care if IP address is network or not.
This commit allows usage of network addresses in:
* host plugin
* dns plugin
* server-installer
* client-installer

https://fedorahosted.org/freeipa/ticket/5814

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-09-07 16:22:03 +02:00
Fraser Tweedale
daeaf2a823 Make host/service cert revocation aware of lightweight CAs
Revocation of host/service certs on host/service deletion or other
operations is broken when cert is issued by a lightweight (sub)CA,
causing the delete operation to be aborted.  Look up the issuing CA
and pass it to 'cert_revoke' to fix the issue.

Fixes: https://fedorahosted.org/freeipa/ticket/6221
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-09-07 13:21:29 +02:00
Fraser Tweedale
520ad7d865 cert-request: raise CertificateOperationError if CA disabled
Detect when cert-request returns HTTP 409, which indicates that the
target CA is disabled - a valid scenario - and raise
CertificateOperationError with a friendly message instead of
HTTPRequestError.

Fixes: https://fedorahosted.org/freeipa/ticket/6260
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-09-07 12:49:28 +02:00
Fraser Tweedale
4c35afccf3 Use Dogtag REST API for certificate requests
The Dogtag REST API gives better responses statuses than the RPC API
and properly reports failure due to disabled CA (status 409).  Make
'ra' extend 'RestClient' and refactor the 'request_certificate'
method to use Dogtag's REST API.

Part of: https://fedorahosted.org/freeipa/ticket/6260
Part of: https://fedorahosted.org/freeipa/ticket/3473

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-09-07 12:49:28 +02:00
Fraser Tweedale
c5cbc8de89 Add HTTPRequestError class
Currently, HTTP requests that respond with status not in the 2xx
range raise RemoteRetrieveError.  The exception includes no
information about the response status.

Add the 'HTTPRequestError' class which extends 'RemoteRequestError'
with an attribute for the response status, and update the Dogtag
RestClient to raise the new error.

Part of: https://fedorahosted.org/freeipa/ticket/6260
Part of: https://fedorahosted.org/freeipa/ticket/3473

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-09-07 12:49:28 +02:00
Fraser Tweedale
2a42a7e90e Allow Dogtag RestClient to perform requests without logging in
Currently the Dogtag RestClient '_ssldo' method requires a session
cookie unconditionally, however, not all REST methods require a
session: some do not require authentication at all, and some will
authenticate the agent on the fly.

To avoid unnecessary login/logout requests via the context manager,
add the 'use_session' keyword argument to '_ssldo'.  It defaults to
'True' to preserve existing behaviour (session required) but a
caller can set to 'False' to avoid the requirement.

Part of: https://fedorahosted.org/freeipa/ticket/6260
Part of: https://fedorahosted.org/freeipa/ticket/3473

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-09-07 12:49:28 +02:00
Jan Cholasta
b7b6faf14a cert: fix cert-find --certificate when the cert is not in LDAP
Always return the cert specified in --certificate in cert-find result, even
when the cert is not found in LDAP.

https://fedorahosted.org/freeipa/ticket/6304

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-09-07 12:46:35 +02:00
Fraser Tweedale
c7e0dbc4e1 Add ca-disable and ca-enable commands
We soon plan to revoke certificates upon lightweight CA deletion.
This makes it important to provide a way to prevent a CA from
issuing certificates whilst not deleting and revoking it, and
continuing to allow management of issued certs.

This commit adds the ca-disable and ca-enable commands.

Fixes: https://fedorahosted.org/freeipa/ticket/6257
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-09-07 12:37:48 +02:00
Martin Babinsky
415600fe45 ldapupdate: Use proper inheritance in BadSyntax exception
https://fedorahosted.org/freeipa/ticket/6294

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-09-06 13:06:39 +02:00
Jan Cholasta
dce95a1459 dns: prompt for missing record parts in CLI
Fix the code which determines if a record part is required and thus should
be prompted not to wrongfully consider all record parts to be optional.

https://fedorahosted.org/freeipa/ticket/6203

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-09-06 12:54:38 +02:00
Fraser Tweedale
08b7683130 Track lightweight CAs on replica installation
Add Certmonger tracking requests for lightweight CAs on replica
installation.  As part of this change, extract most of the
lightweight CA tracking code out of ipa-certupdate and into
cainstance.

Fixes: https://fedorahosted.org/freeipa/ticket/6019
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-09-06 12:11:53 +02:00
Martin Babinsky
c789b17b2e factor out populate_remote_domain method into module-level function
This allows for re-use of this method in cases where the caller can not or
wishes not to instantiate local Samba domain to retrieve information about
remote ones.

https://fedorahosted.org/freeipa/ticket/6057

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-09-05 09:20:55 +02:00
Martin Babinsky
33f8685513 Always fetch forest info from root DCs when establishing two-way trust
Prior To Windows Server 2012R2, the `netr_DsRGetForestTrustInformation` calls
performed against non-root forest domain DCs were automatically routed to the
root domain DCs to resolve trust topology information.

This is no longer the case, so the `dcerpc.fetch_domains` function must
explicitly contact root domain DCs even in the case when an external two-way
trust to non-root domain is requested.

https://fedorahosted.org/freeipa/ticket/6057

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-09-05 09:20:55 +02:00
Jan Cholasta
afcb3bd3c3 rpcserver: fix crash in XML-RPC system commands
Fix an AttributeError in XML-RPC methodSignature and methodHelp commands
caused by incorrect mangled name usage.

https://fedorahosted.org/freeipa/ticket/6217

Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2016-09-01 13:20:14 +02:00
Jan Cholasta
17ea4ae6b9 custodia: force reconnect before retrieving CA certs from LDAP
Force reconnect to LDAP as DS might have been restarted after the
connection was opened, rendering the connection invalid.

This fixes a crash in ipa-replica-install with --setup-ca.

https://fedorahosted.org/freeipa/ticket/6207

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-09-01 13:11:09 +02:00