While processing enterprise principals the information about trusted domains
might not be up-to-date. With this patch ipadb_reinit_mspac() is called if an
unknown domain is part of the enterprise principal.
Resolves https://pagure.io/freeipa/issue/7172
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This patch is mainly for test_forced_client_reenrolment suite
where when we are not in control of our client DNS we create an
overlap zone in order to get the host records updated. This also
sets resolv.conf before every ipa-client-install to the ipa master.
https://pagure.io/freeipa/issue/7124
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
When running tests in python3 we get bytes object instead of
bytestring from get_file_contents() and when passing it to
run_command() we later fail on concatenation in shell_quote().
https://pagure.io/freeipa/issue/7131
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This is causing python2 tests print ugly warnings about the
deprecation of the `message` attribute in python2.6.
https://pagure.io/freeipa/issue/7131
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
If the # of group memberships exceeded the search size limit
then SizeLimitExceeded was raised. Being in too many groups
should not cause a *_show to fail.
https://pagure.io/freeipa/issue/7112
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Add caless to external CA test as the suite is currently
missing one.
https://pagure.io/freeipa/issue/7155
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
For an externally-signed CA, if an earlier run of ipa-cacert-manage
was interrupted, the CA name in the IPA CA tracking request may have
been left as "dogtag-ipa-ca-renew-agent-reuse" (it gets reverted to
"dogtag-ipa-ca-renew-agent" at the end of the CSR generation
procedure). `ipa-cacert-manage renew` currently only looks for a
tracking request with the "dogtag-ipa-ca-renew-agent" CA, so in this
scenario the program fails with message "CA certificate is not
tracked by certmonger".
To handle this scenario, if the IPA CA tracking request is not
found, try once again but with the "dogtag-ipa-ca-renew-agent-renew"
CA name.
Part of: https://pagure.io/freeipa/issue/6858
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Update ipa-cacert-manage to support the MS V2 certificate template
extension.
Part of: https://pagure.io/freeipa/issue/6858
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Update certmonger.resubmit_request() and .modify() to support
specifying the Microsoft V2 certificate template extension.
This feature was introduced in certmonger-0.79.5 so bump the minimum
version in the spec file.
Part of: https://pagure.io/freeipa/issue/6858
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
certmonger.resubmit_request() and .modify() contain a redundant if
statement that means more lines of code must be changed when adding
or removing a function argument. Perform a small refactor to
improve these functions.
Part of: https://pagure.io/freeipa/issue/6858
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Allow the MS/AD-CS target certificate template to be specified by
name or OID, via the new option --external-ca-profile.
Part of: https://pagure.io/freeipa/issue/6858
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Add the 'constructor' type to IPAOption to allow parsing arbitrary
types.
When using this type, supply the 'constructor' attribute with the
constructor of the type. The checker for the 'constructor' type
attempts to construct the data, returning if successful else raising
OptionValueError.
The 'knob' interface remains unchanged but now accepts arbitrary
constructors.
This feature subsumes the '_option_callback' mechanism, which has
been refactored away.
This feature also subsumes the "dn" type in IPAOption, but this
refactor is deferred.
Part of: https://pagure.io/freeipa/issue/6858
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Switch external CA generation from certutil to python-cryptography
as this way of handling the certificates should be more readable,
maintainable and extendable (e.g. extensions handling).
Also as external CA is now a separate module we can import it and
use elsewhere.
https://pagure.io/freeipa/issue/7154
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Firefox extension which served for configuring Kerberos auth in Firefox
until version which banned self-signed extensions was removed in commit
6c53765ac1.
Given that configure.jar, even older Firefox config tool, was removed
sometime before that, there is no use for signtool tool. It is good
because it is removed from Fedora 27 anyway. So removing last unused
function which calls it.
The removal of FF extension was not exactly clean so removing also
browserconfig.html which only purpose was to use the extension. Therefore
also related JS files are removed. This removal requires unauthorized.html
to be updated so that it doesn't point to non-existing page. And given that
it now points only to single config page, we can change link in UI login page
to this page (ssbrowser.html). While at it, improving buttons in ssbrowser.html.
Btw, commit 6c53765ac1 removed also generation of
krb.js. It had one perk - with that info ssbrowser.html could display real
Kerberos domain instead of only 'example.com'. I don't have time to revert this
change so removing traces of krb.js as well.
https://pagure.io/freeipa/issue/7135
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
In cases when IPA is installed in two steps (external CA), it's
necessary to check (in the second step) if Dir. Server is
running before continue with the installation. If it's not,
start Directory Server.
https://pagure.io/freeipa/issue/6611
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
- Add check for IPv6 stack to upgrade process
- Change IPv6 checker to also check that localhost resolves to ::1
Part of fixes https://pagure.io/freeipa/issue/7083
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
The new python-pyasn1 fixes an issue that occurred during ca-less
installation.
Fixes: https://pagure.io/freeipa/issue/7157
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
b5732efd introduced a regression because it tries to write EKU
that's actually in the CA cert instead of using the LDAP information.
However, when no EKU is available,
IPACertificate.extended_key_usage_bytes still returned at least
EKU_PLACEHOLDER OID to keep the behavior the same as in previous
versions. This caused the EKU_PLACEHOLDER to be written in the
ipa.p11-kit file which made Firefox report FreeIPA Web UI as
improperly configured.
https://pagure.io/freeipa/issue/7119
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
ipa-server-upgrade fails with Server-Cert not found, when trying to
track httpd/ldap server certificates. There are 2 issues in the upgrade:
- the certificates should be tracked only if they were issued by IPA CA
(it is possible to have CA configured but 3rd part certs)
- the certificate nickname can be different from Server-Cert
The fix provides methods to find the server crt nickname for http and ldap,
and a method to check if the server certs are issued by IPA and need to be
tracked by certmonger.
https://pagure.io/freeipa/issue/7141
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
installutils.is_ipa_configured() previously required root
privileges to see whether there were sysrestore or filestore
files. The directory was mode 0700 so this function always returned
False for non-root users.
Relaxing permissions is is needed to run the tests as the jenkins user.
Backed-up files retain their original FS permissions so this
shouldn't disclose any previously unreadable backed-up configuration.
https://pagure.io/freeipa/issue/7157
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The goal is to avoid using HTTP where possible and use TLS everywhere.
This provides not only privacy protection but also integrity protection.
We should consider any network except localhost as untrusted.
Switch from using urllib.request to dogtag.https_request.
https://pagure.io/freeipa/issue/7027
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
requests.packages contains but a weird backward compatibility fix
for its presumed urllib3 submodule but pylint does not approve.
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Refactor convertHashName() method to accept hash names prefixed with
HMAC- or any other prefix. Extending the method should be easier in
future.
Add tests proposed by Rob Crittenden to make sure we don't regress
with expected behavior of convertHashName().
Fixes https://pagure.io/freeipa/issue/7146
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When configuring a winsync replication agreement, the tool performs a search
on AD for defaultNamingContext. The entry contains the value as a bytes, it
needs to be decoded otherwise subsequent calls to
DN(WIN_USER_CONTAINER, self.ad_suffix) will fail.
https://pagure.io/freeipa/issue/7131
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
We missed running some tests in python3
https://pagure.io/freeipa/issue/7131
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
`bytes` instances have no `.format()`, we can simply base64 decode
the certificate and load it as DER instead.
https://pagure.io/freeipa/issue/7131
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This was causing issues when adding/removing a CA in the
CA plugin.
https://pagure.io/freeipa/issue/7131
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
If ipa-pki-retrieve-key fails for some reason (which may be a
"legitimate" reason, e.g. the server it is attempting to contact
being offline), the program terminates with an uncaught exception,
resulting in crash report.
Catch all exceptions; if an exception gets raised, report the
traceback and exit with nonzero status.
Fixes: https://pagure.io/freeipa/issue/7115
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
We're applying bytes regex on the result of a command but were
using decoded stdout instead of raw.
https://pagure.io/freeipa/issue/7131
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This is import to avoid problems when migrating from olders
versions of IPA and using idoverrideuser-* commands.
https://pagure.io/freeipa/issue/7074
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
RawConfigParser.readfp() method is deprecated and throws
DeprecationWarning in python 3 during uninstall.
https://pagure.io/freeipa/issue/7131
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
ldif.LDIFRecordList handles all attribute names as utf-8 strings
and all attribute values as bytes. If we take the attribute value
and try to search for it in the entry (= dictionary), if it contains
the attribute name as a key (which is a string), their hashes match.
However, even if hashes match, Python needs to make sure those two
are the same in case of a hash collision, so it tries to compare them.
This causes BytesWarning exception when running in strict mode
because `bytes` and `str` instances cannot be compared. KeyError
would be thrown in a non-strict mode.
Also, when later passing the attr to replace_value(), we need for it
to be `str` otherwise the modifications handler fails because it
tries to sort the attributes it's modifying but that's a bit less
poetic issue than the first one.
https://pagure.io/freeipa/issue/7129
Reviewed-By: Michal Reznik <mreznik@redhat.com>
If we issue pkinit-status after an upgrade from a pre-4.5 ipa
version, it would have failed with KeyError since the
pkinit_server_server of IPA config was never initialized.
https://pagure.io/freeipa/issue/7144
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
When promoting a client to a replica we have to change sssd.conf,
deleting _srv_ part from 'ipa_server' property and setting
'ipa_server_mode' to true.
Previously, the wrong domain could be updated since the ipa_domain
variable was not being used properly.
https://pagure.io/freeipa/issue/7127
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Switch PR CI testing of master branch to Fedora 26.
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
dnf makecache does not support the "fast" keyword in its
makecache subcommand in Fedora 26.
https://pagure.io/freeipa/issue/6874
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
