Commit Graph

150 Commits

Author SHA1 Message Date
Christian Heimes
e1bd827bbf Require UTF-8 fs encoding
http://blog.dscpl.com.au/2014/09/setting-lang-and-lcall-when-using.html

https://pagure.io/freeipa/issue/5887

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-11-21 16:13:28 +01:00
Stanislav Laznicka
af1b8513ab Remove the message attribute from exceptions
This is causing python2 tests print ugly warnings about the
deprecation of the `message` attribute in python2.6.

https://pagure.io/freeipa/issue/7131

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-06 09:19:46 +02:00
Ben Lipton
10ef594786 csrgen: Add code to generate scripts that generate CSRs
Adds a library that uses jinja2 to format a script that, when run, will
build a CSR. Also adds a CLI command, 'cert-get-requestdata', that uses
this library and builds the script for a given principal. The rules are
read from json files in /usr/share/ipa/csr, but the rule provider is a
separate class so that it can be replaced easily.

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-31 10:20:28 +01:00
Petr Vobornik
c2934aaa7e Raise errors.EnvironmentError if IPA_CONFDIR var is incorrectly used
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-12-02 15:05:33 +01:00
Jan Cholasta
d43b57d2ce ipalib: remove hard dependency on ipapython
Hard-code the path to /bin/false in SubprocessError doc string.

Remove ipaplatform dependency from ipalib's setup.py and add it as optional
installer dependency to ipalib's and ipaclient's setup.py.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Fraser Tweedale
c5cbc8de89 Add HTTPRequestError class
Currently, HTTP requests that respond with status not in the 2xx
range raise RemoteRetrieveError.  The exception includes no
information about the response status.

Add the 'HTTPRequestError' class which extends 'RemoteRequestError'
with an attribute for the response status, and update the Dogtag
RestClient to raise the new error.

Part of: https://fedorahosted.org/freeipa/ticket/6260
Part of: https://fedorahosted.org/freeipa/ticket/3473

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-09-07 12:49:28 +02:00
Alexander Bokovoy
6332cb3125 trust: automatically resolve DNS trust conflicts for triangle trusts
For configuration where:
  - AD example.com trusts IPA at ipa.example.com
  - AD example.org trusts AD example.com
  - a trust is tried to be established between ipa.example.com and
    example.org,

there will be a trust topology conflict detected by example.org domain
controller because ipa.example.com DNS namespace overlaps with
example.com DNS namespace.

This type of trust topology conflict is documented in MS-ADTS 6.1.6.9.3.2
"Building Well-Formed msDS-TrustForestTrustInfo Message". A similar
conflict can arise for SID and NetBIOS namespaces. However, unlike SID
and NetBIOS namespaces, we can solve DNS namespace conflict
automatically if there are administrative credentials for example.org
available.

A manual sequence to solve the DNS namespace conflict is described in
https://msdn.microsoft.com/it-it/library/cc786254%28v=ws.10%29.aspx.
This sequence boils down to the following steps:

   1. As an administrator of the example.org, you need to add an
exclusion entry for ipa.example.com in the properties of the trust to
example.com
   2. Establish trust between ipa.example.com and example.org

It is important to add the exclusion entry before step 4 or there will
be conflict recorded which cannot be cleared easily right now due to a
combination of bugs in both IPA and Active Directory.

This patchset implements automated solution for the case when we have
access to the example.org's administrator credentials:

   1. Attempt to establish trust and update trust topology information.
   2. If trust topology conflict is detected as result of (1):
   2.1. Fetch trust topology infromation for the conflicting forest
        trust
   2.2. Add exclusion entry to our domain to the trust topology obtained
        in (2.1)
   2.3. Update trust topology for the conflicting forest trust
   3. Re-establish trust between ipa.example.com and example.org

We cannot do the same for shared secret trust and for external trust,
though:

   1. For shared secret trust we don't have administrative credentials
      in the forest reporting the conflict

   2. For the external trust we cannot set topology information due to
      MS-LSAD 3.1.4.7.16 because external trust is non-transitive by
      definition and thus setting topology information will fail.

To test this logic one can use two Samba AD forests with FreeIPA
using a sub-domain of one of them.

Fixes: https://fedorahosted.org/freeipa/ticket/6076
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-08-22 13:31:47 +02:00
Fraser Tweedale
3fab1b6350 cert-request: better error msg when 'add' not supported
cert-request supports adding service principals that don't exist.
If add is requested for other principal types, the error message
just says "the principal doesn't exist".

Add a new error type with better error message to explain that 'add'
is not supported for host or user principals.

Fixes: https://fedorahosted.org/freeipa/ticket/5991
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-06-30 15:42:06 +02:00
David Kupka
4b97cabb52 schema: Add known_fingerprints option to schema command
When client requests schema it can list fingerprints of cached schemas
and server responds with SchemaUpToDate exception specifying fingeprint
of schema to use.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-21 15:11:19 +02:00
Yuri Chornoivan
a95e0777ac Fix minor typos
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-20 13:49:32 +02:00
Martin Babinsky
a6eb87bd68 server-del: perform full master removal in managed topology
This patch implements most of the del_master_managed() functionality as a part
of `server-del` command.

`server-del` nows performs these actions:
  * check topology connectivity
  * check that at least one CA/DNS server and DNSSec masters are left
    after removal
  * cleanup all LDAP entries/attributes exposing information about the master
  * cleanup master DNS records
  * remove master and service principals
  * remove master entry from LDAP
  * check that all segments pointing to the master were removed

  `server-del` now accepts the following options:
  * `--force`: force master removal even if it doesn't exist
  * `--ignore-topology-disconnect`: ignore errors arising from disconnected
    topology before and after master removal
  * `--ignore-last-of-role`: remove master even if it is last DNS server,
    and DNSSec key master. The last CA will *not* be removed regardless of
    this option.

https://fedorahosted.org/freeipa/ticket/5588

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-17 18:55:19 +02:00
Petr Spacek
70794c7b1d Turn verify_host_resolvable() into a wrapper around ipapython.dnsutil
The code was duplicate and less generic anyway.
As a side-effect I had to re-wrap dns.exception.DNSException into a
PublicError so it can be displayed to the user.

DNSError is now a super class for other DNS-related errors. Errors from
DNS resolver are re-raised as DNSResolverError.

https://fedorahosted.org/freeipa/ticket/5710

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-05-30 20:14:32 +02:00
Jan Cholasta
a30bc8a351 plugable: switch API to Registry-based plugin discovery
Merge Registrar into Registry. Use the Registry instance of each plugin
module to discover plugins in the module instead of the global Registrar
instance.

This removes the side-effect of all plugins in a module being re-registered
every time the module is imported.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-05-25 16:06:26 +02:00
Abhijeet Kasurde
3d07c889ce Added fix for notifying user about locked user account in WebUI
User in now notified about "Locked User account" message instead of
"The password or username you entered is incorrect" or any generic error
message

Fixes : https://fedorahosted.org/freeipa/ticket/5076

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-04-28 17:04:37 +02:00
Abhijeet Kasurde
2a20c74633 Added fix for notifying user about Kerberos principal expiration in WebUI
- User is now notified about "Kerberos Principal expiration" message instead of
  "Wrong username or password" message.
- User is also notified about "Invalid password" message instead of
  generic error message.

https://fedorahosted.org/freeipa/ticket/5077

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-04-15 17:58:04 +02:00
Martin Babinsky
1f0959735f differentiate between limit types when LDAP search exceeds configured limits
When LDAP search fails on exceeded limits, we should raise an specific
exception for the type of limit raised (size, time, administrative) so that
the consumer can distinguish between e.g. searches returning too many entries
and those timing out.

https://fedorahosted.org/freeipa/ticket/5677

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-04-13 17:52:22 +02:00
Martin Basti
e4075b1fe2 Remove unused imports
This patch removes unused imports, alse pylint has been configured to
check unused imports.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-12-23 07:59:22 +01:00
Petr Viktorin
b71fd2d3c9 Add message property to IPA's errors and warnings under Python 3
Python 3 removes the "message" attribute from exceptions, in favor
of just calling str().
Add it back for IPA's own exception types.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-10-13 14:16:32 +02:00
Robert Kuska
01da4a8de3 Replace StandardError with Exception
StandardError was removed in Python3 and instead
Exception should be used.

Signed-off-by: Robert Kuska <rkuska@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-09-30 10:51:36 +02:00
Petr Viktorin
3bf91eab25 Use Python3-compatible dict method names
Python 2 has keys()/values()/items(), which return lists,
iterkeys()/itervalues()/iteritems(), which return iterators,
and viewkeys()/viewvalues()/viewitems() which return views.

Python 3 has only keys()/values()/items(), which return views.
To get iterators, one can use iter() or a for loop/comprehension;
for lists there's the list() constructor.

When iterating through the entire dict, without modifying the dict,
 the difference between Python 2's items() and iteritems() is
negligible, especially on small dicts (the main overhead is
extra memory, not CPU time). In the interest of simpler code,
this patch changes many instances of iteritems() to items(),
iterkeys() to keys() etc.

In other cases, helpers like six.itervalues are used.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-09-01 11:42:01 +02:00
Petr Viktorin
5435a8a32a Use absolute imports
In Python 3, implicit relative imports will not be supported.
Use fully-qualified imports everywhere.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-08-12 18:17:23 +02:00
Tomas Babej
8a4e79c9e6 ipalib: Fix missing format for InvalidDomainLevelError
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-10 15:01:22 +02:00
Tomas Babej
f3010498af Add Domain Level feature
https://fedorahosted.org/freeipa/ticket/5018

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-05-26 11:59:47 +00:00
Tomas Babej
e11e8235ac baseldap: Handle missing parent objects properly in *-find commands
The find_entries function in ipaldap does not differentiate between
a LDAP search that returns error code 32 (No such object) and LDAP
search returning error code 0 (Success), but returning no results.

In both cases errors.NotFound is raised. In turn, LDAPSearch
commands interpret NotFound exception as no results.

To differentiate between the cases, a new error EmptyResult
was added, which inherits from NotFound to preserve the compatibility
with the new code.

This error is raised by ipaldap.find_entries in case it is performing
a search with and the target dn does not exist.

https://fedorahosted.org/freeipa/ticket/4659

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-01-13 16:16:14 +00:00
Alexander Bokovoy
90227f817e ipaserver/dcerpc.py: Make sure trust is established only to forest root domain
Part of https://fedorahosted.org/freeipa/ticket/4463

Reviewed-By: Sumit Bose <sbose@redhat.com>
2014-09-01 08:42:52 +02:00
Martin Basti
ca001814ab Allow to add host if AAAA record exists
http://fedorahosted.org/freeipa/ticket/4164

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-08-11 16:01:38 +02:00
Nathaniel McCallum
e477130281 Fix login password expiration detection with OTP
The preexisting code would execute two steps. First, it would perform a kinit.
If the kinit failed, it would attempt to bind using the same credentials to
determine if the password were expired. While this method is fairly ugly, it
mostly worked in the past.

However, with OTP this breaks. This is because the OTP code is consumed by
the kinit step. But because the password is expired, the kinit step fails.
When the bind is executed, the OTP token is already consumed, so bind fails.
This causes all password expirations to be reported as invalid credentials.

After discussion with MIT, the best way to handle this case with the standard
tools is to set LC_ALL=C and check the output from the command. This
eliminates the bind step altogether. The end result is that OTP works and
all password failures are more performant.

https://fedorahosted.org/freeipa/ticket/4412

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-07-21 16:36:28 +02:00
Tomas Babej
4d2ef43f28 ipaplatform: Move all filesystem paths to ipaplatform.paths module
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:20 +02:00
Petr Viktorin
22f0feba28 ipalib.errors: Fix TaskTimeout doctest
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
2014-04-09 15:24:35 +02:00
Adam Misnyovszki
8b91d9a6e8 automember rebuild nowait feature added
automember-rebuild uses asynchronous 389 task, and returned
success even if the task didn't run. this patch fixes this
issue adding a --nowait parameter to 'ipa automember-rebuild',
defaulting to False, thus when the script runs without it,
it waits for the 'nstaskexitcode' attribute, which means
the task has finished. Old usage can be enabled using --nowait,
and returns the DN of the task for further polling.
New tests added also.

https://fedorahosted.org/freeipa/ticket/4239

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-04-09 13:45:32 +02:00
Petr Spacek
34fc447c00 Add wait_for_dns option to default.conf.
This option makes record changes in DNS tree synchronous.
IPA calls will wait until new data are visible over DNS protocol
or until timeout.

It is intended only for testing. It should prevent tests from
failing if there is bigger delay between changes in LDAP and DNS.

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-04-04 11:56:34 +02:00
Ana Krivokapic
b8b573a966 Deprecate HBAC source hosts from CLI
Hide the commands and options listed below from the CLI,
but keep them in the API. When called directly from the API,
raise appropriate exceptions informing the user that the
functionality has been deprecated.

Affected commands: hbacrule_add_sourcehost, hbacrule_remove_sourcehost.
Affected options: sourcehostcategory, sourcehost_host and
sourcehost_hostgroup (hbacrule); sourcehost (hbactest).

https://fedorahosted.org/freeipa/ticket/3528
2013-04-12 14:07:55 -04:00
Petr Viktorin
664248d5b8 Use IPAdmin rather than raw python-ldap in migration.py and ipadiscovery.py
These used ipautil.get_ipa_basedn. Convert that to use the new wrappers.

Beef up the error handling in ipaldap to accomodate the errors we catch
in the server discovery.
Add a DatabaseTimeout exception to errors.py.

These were the last uses of ipautil.convert_ldap_error, remove that.

https://fedorahosted.org/freeipa/ticket/3487
https://fedorahosted.org/freeipa/ticket/3446
2013-03-13 12:36:33 +01:00
Petr Viktorin
8af5369cba Add ipalib.messages
The messages module contains message classes that can be added
to a RPC response to provide additional information or warnings.

This patch adds only the module with a single public message,
VersionMissing, and unit tests.
Since message classes are very similar to public errors, some
functionality and unit tests were shared.

Design page: http://freeipa.org/page/V3/Messages
Ticket: https://fedorahosted.org/freeipa/ticket/2732
2013-02-21 16:26:09 +01:00
John Dennis
a1991aeac1 Use secure method to acquire IPA CA certificate
Major changes ipa-client-install:

* Use GSSAPI connection to LDAP server to download CA cert (now
  the default method)

* Add --ca-cert-file option to load the CA cert from a disk file.
  Validate the file. If this option is used the supplied CA cert
  is considered definitive.

* The insecure HTTP retrieval method is still supported but it must be
  explicitly forced and a warning will be emitted.

* Remain backward compatible with unattended case (except for aberrant
  condition when preexisting /etc/ipa/ca.crt differs from securely
  obtained CA cert, see below)

* If /etc/ipa/ca.crt CA cert preexists the validate it matches the
  securely acquired CA cert, if not:

  - If --unattended and not --force abort with error

  - If interactive query user to accept new CA cert, if not abort

  In either case warn user.

* If interactive and LDAP retrieval fails prompt user if they want to
  proceed with insecure HTTP method

* If not interactive and LDAP retrieval fails abort unless --force

* Backup preexisting /etc/ipa/ca.crt in FileStore prior to execution,
  if ipa-client-install fails it will be restored.

Other changes:

* Add new exception class CertificateInvalidError

* Add utility convert_ldap_error() to ipalib.ipautil

* Replace all hardcoded instances of /etc/ipa/ca.crt in
  ipa-client-install with CACERT constant (matches existing practice
  elsewhere).

* ipadiscovery no longer retrieves CA cert via HTTP.

* Handle LDAP minssf failures during discovery, treat failure to check
  ldap server as a warninbg in absebce of a provided CA certificate via
  --ca-cert-file or though existing /etc/ipa/ca.crt file.

Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
2013-01-23 14:26:42 -05:00
Lynn Root
173ee4d141 Switch %r specifiers to '%s' in Public errors
This switch drops the preceding 'u' from strings within Public error messages.

This patch also addresses the related unfriendly 'u' from re-raising errors from netaddr.IPAddress by passing a bytestring through the function.

Also switched ValidationError to TypeError in validate_scalar per jcholast@redhat.com.

Ticket: https://fedorahosted.org/freeipa/ticket/3121
Ticket: https://fedorahosted.org/freeipa/ticket/2588
2012-12-11 10:52:06 +01:00
Alexander Bokovoy
88262a75ff Add instructions support to PublicError
When long additional text should follow the error message, one can
supply instructions parameter to a class derived from PublicError.

This will cause following text added to the error message:

    Additional instructions:
    <additional text>

`instructions' optional parameter could be a list or anything that coerces
into unicode(). List entries will be joined with '\n'.

https://fedorahosted.org/freeipa/ticket/3167
2012-10-11 16:30:58 -04:00
Alexander Bokovoy
6f45de10d7 support multi-line error messages in exceptions 2012-10-09 10:18:40 +02:00
Tomas Babej
682edbf215 Restrict admins group modifications
Group-mod command no longer allows --rename and/or --external
changes made to the admins group. In such cases, ProtectedEntryError
is being raised.

https://fedorahosted.org/freeipa/ticket/3098
2012-10-03 13:22:46 +02:00
Martin Kosek
941d1e8701 Do not produce unindexed search on every DEL command
Every <plugin>-del command executes an "(objectclass=*)" search
to find out if a deleted node has any child nodes which would need
to be deleted first. This produces an unindexed search for every del
command which biases access log audits and may affect performance too.

Since most of the *-del commands delete just a single object (user,
group, RBAC objects, SUDO or HBAC objects, ...) and not a tree
(automount location, dns zone, ...) run a single entry delete first
and only revert to subtree search&delete when that fails.
2012-10-01 22:37:59 -04:00
Yuri Chornoivan
8bbb42b410 Fix various typos.
https://fedorahosted.org/freeipa/ticket/3089
2012-09-18 08:45:28 +02:00
Petr Viktorin
a95eaeac8e Internationalization for public errors
Currently, we throw many public exceptions without proper i18n.
Wrap natural-language error messages in _() so they can be translated.

In the service plugin, raise NotFound errors using handle_not_found helper
so the error message contains the offending service.

Use ScriptError instead of NotFoundError in bindinstance install.

https://fedorahosted.org/freeipa/ticket/1953
2012-09-03 18:16:12 +02:00
John Dennis
4f03aed5e6 prevent last admin from being disabled
We prevent the last member of the admin group from being deleted. The
same check needs to be performed when disabling a user.

* Moved the code in del_user to the common subroutine
  check_protected_member() and call it from both user_del and
  user_disable. Note, unlike user_del user_disable does not have a
  'pre' callback therefore the check function is called in
  user_disable's execute routine.

* Make check_protected_member() aware of disabled members. It's not
  sufficient to check which members of the protected group are
  present, one must only consider those members which are enabled.

* Add tests to test_user_plugin.py.

  - verify you cannot delete nor disable the last member of the admin
    group

  - verify when the admin group contains disabled users in addition to
    enabled users only the enabled users are considered when
    determining if the last admin is about to be disabled or deleted.

* Replace duplicated hardcoded values in the tests with variables or
  subroutines, this makes the individual tests a bit more succinct and
  easier to copy/modify.

* Update error msg to reflect either deleting or disabling is an error.

https://fedorahosted.org/freeipa/ticket/2979
2012-09-03 18:11:49 +02:00
Alexander Bokovoy
a6ff85f425 Add support for external group members
When using ipaExternalGroup/ipaExternalMember attributes it is
possible to add group members which don't exist in IPA database.
This is primarily is required for AD trusts support and therefore
validation is accepting only secure identifier (SID) format.

https://fedorahosted.org/freeipa/ticket/2664
2012-06-28 16:53:33 +02:00
Petr Viktorin
f8e7b516d9 Prevent deletion of the last admin
Raise an error when trying to delete the last user in the
'admins' group, or remove the last member from the group,
or delete the group itself.

https://fedorahosted.org/freeipa/ticket/2564
2012-06-06 21:57:12 -04:00
John Dennis
ee780df13c Implement password based session login
* Adjust URL's
  - rename /ipa/login -> /ipa/session/login_kerberos
  - add /ipa/session/login_password

* Adjust Kerberos protection on URL's in ipa.conf

* Bump VERSION in httpd ipa.conf to pick up session changes.

* Adjust login URL in ipa.js

* Add InvalidSessionPassword to errors.py

* Rename krblogin class to login_kerberos for consistency with
  new login_password class

* Implement login_password.kinit() method which invokes
  /usr/bin/kinit as a subprocess

* Add login_password class for WSGI dispatch, accepts POST
  application/x-www-form-urlencoded user & password
  parameters. We form the Kerberos principal from the server's
  realm.

* Add function  krb5_unparse_ccache()

* Refactor code to share common code

* Clean up use of ccache names, be consistent

* Replace read_krbccache_file(), store_krbccache_file(), delete_krbccache_file()
  with load_ccache_data(), bind_ipa_ccache(), release_ipa_ccache().
  bind_ipa_ccache() now sets environment KRB5CCNAME variable.
  release_ipa_ccache() now clears environment KRB5CCNAME variable.

* ccache names should now support any ccache storage scheme,
  not just FILE based ccaches

* Add utilies to return HTTP status from wsgi handlers,
  use constants for HTTP status code for consistency.
  Use utilies for returning from wsgi handlers rather than
  duplicated code.

* Add KerberosSession.finalize_kerberos_acquisition() method
  so different login handlers can share common code.

* add Requires: krb5-workstation to server (server now calls kinit)

* Fix test_rpcserver.py to use new dispatch inside route() method

https://fedorahosted.org/freeipa/ticket/2095
2012-02-27 05:57:43 -05:00
Petr Viktorin
efb37739ab Add common helper for interactive prompts
This patch adds a common method, textui.prompt_helper, that handles
encoding, decoding and error handling for interactive prompts.
On EOFError (Ctrl+D) or  KeyboardInterrupt (Ctrl+C), it raises
a new InvocationError, PromptFailed.

The helper is used in prompt, prompt_yesno, and prompt_password,
each of which originally only handled one of Ctrl+C and Ctrl+D.
This fixes https://fedorahosted.org/freeipa/ticket/2345
And it means prompt_yesno will no longer return None on error.

A minor fix restores errors.py's ability print out the list of
errors when run as a script.
2012-02-19 20:23:20 -05:00
John Dennis
bba4ccb3a0 add session manager and cache krb auth
This patch adds a session manager and support for caching
authentication in the session. Major elements of the patch are:

* Add a session manager to support cookie based sessions which
  stores session data in a memcached entry.

* Add ipalib/krb_utils.py which contains functions to parse ccache
  names, format principals, format KRB timestamps, and a KRB_CCache
  class which reads ccache entry and allows one to extract information
  such as the principal, credentials, credential timestamps, etc.

* Move krb constants defined in ipalib/rpc.py to ipa_krb_utils.py so
  that all kerberos items are co-located.

* Modify javascript in ipa.js so that the IPA.command() RPC call
  checks for authentication needed error response and if it receives
  it sends a GET request to /ipa/login URL to refresh credentials.

* Add session_auth_duration config item to constants.py, used to
  configure how long a session remains valid.

* Add parse_time_duration utility to ipalib/util.py. Used to parse the
  session_auth_duration config item.

* Update the default.conf.5 man page to document session_auth_duration
  config item (also added documentation for log_manager config items
  which had been inadvertantly omitted from a previous commit).

* Add SessionError object to ipalib/errors.py

* Move Kerberos protection in Apache config from /ipa to /ipa/xml and
  /ipa/login

* Add SessionCCache class to session.py to manage temporary Kerberos
  ccache file in effect for the duration of an RPC command.

* Adds a krblogin plugin used to implement the /ipa/login
  handler. login handler sets the session expiration time, currently
  60 minutes or the expiration of the TGT, whichever is shorter. It
  also copies the ccache provied by mod_auth_kerb into the session
  data.  The json handler will later extract and validate the ccache
  belonging to the session.

* Refactored the WSGI handlers so that json and xlmrpc could have
  independent behavior, this also moves where create and destroy
  context occurs, now done in the individual handler rather than the
  parent class.

* The json handler now looks up the session data, validates the ccache
  bound to the session, if it's expired replies with authenicated
  needed error.

* Add documentation to session.py. Fully documents the entire process,
  got questions, read the doc.

* Add exclusions to make-lint as needed.
2012-02-09 13:20:45 -06:00
Jan Cholasta
9beb467d98 Fix attempted write to attribute of read-only object.
Add new class "cachedproperty" for creating property-like attributes
that cache the return value of a method call.

Also fix few issues in the unit tests to enable them to succeed.

ticket 1959
2012-01-02 11:51:26 +03:00
Rob Crittenden
2d6eeb205e Require an HTTP Referer header in the server. Send one in ipa tools.
This is to prevent a Cross-Site Request Forgery (CSRF) attack where
a rogue server tricks a user who was logged into the FreeIPA
management interface into visiting a specially-crafted URL where
the attacker could perform FreeIPA oonfiguration changes with the
privileges of the logged-in user.

https://bugzilla.redhat.com/show_bug.cgi?id=747710
2011-12-12 17:36:45 -05:00