Commit Graph

1700 Commits

Author SHA1 Message Date
Petr Vobornik
196ef09bd2 adjust search so that it works for non-admin users
Non-admin user can now search for:
- hosts
- hostgroups
- netgroups
- servers
- services

(Fixes ACI issue where search returns nothing when user does't have
read rights for an attribute in search_attributes.

https://fedorahosted.org/freeipa/ticket/5167

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-08-12 16:14:21 +02:00
Fraser Tweedale
ba7e5df194 Fix KRB5PrincipalName / UPN SAN comparison
Depending on how the target principal name is conveyed to the
command (i.e. with / without realm), the KRB5PrincipalName / UPN
subjectAltName validation could be comparing unequal strings and
erroneously rejecting a valid request.

Normalise both side of the comparison to ensure that the principal
names contain realm information.

Fixes: https://fedorahosted.org/freeipa/ticket/5191
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-08-11 17:31:25 +02:00
Fraser Tweedale
812ab600a3 Add profile for DNP3 / IEC 62351-8 certificates
The DNP3 smart-grid standard uses certificate with the IEC 62351-8
IECUserRoles extension.  Add a profile for DNP3 certificates which
copies the IECUserRoles extension from the CSR, if present.

Also update cert-request to accept CSRs containing this extension.

Fixes: https://fedorahosted.org/freeipa/ticket/4752
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-08-11 14:57:41 +02:00
Fraser Tweedale
aafc0e980b Allow SAN extension for cert-request self-service
Users cannot self-issue a certificate with a subjectAltName
extension (e.g. with rfc822Name altNames).  Suppress the
cert-request "request certificate with subjectaltname" permission
check when the bind principal is the target principal (i.e.
cert-request self-service).

Fixes: https://fedorahosted.org/freeipa/ticket/5190
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-08-11 12:25:51 +02:00
Fraser Tweedale
6f8b0ed4fa Give more info on virtual command access denial
The current error message upon a virutal command access denial does
not give any information about the virtual operation that was
prohibited.  Add more information to the ACIError message.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-08-11 12:25:51 +02:00
Petr Vobornik
ebc7ab1efe webui: add LDAP vs Kerberos behavior description to user auth types
https://fedorahosted.org/freeipa/ticket/4935

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-08-10 14:54:16 +02:00
Tomas Babej
7688bbcc33 Fix incorrect type comparison in trust-fetch-domains
Value needs to be unpacked from the list and converted before comparison.

https://fedorahosted.org/freeipa/ticket/5182

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-08-06 10:16:30 +02:00
Fraser Tweedale
e28a450720 Fix otptoken-remove-managedby command summary
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-08-05 12:27:48 +02:00
Martin Babinsky
3257ac6b87 store certificates issued for user entries as userCertificate;binary
This patch forces the user management CLI command to store certificates as
userCertificate;binary attribute. The code to retrieve of user information was
modified to enable outputting of userCertificate;binary attribute to the
command line.

The modification also fixes https://fedorahosted.org/freeipa/ticket/5173

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-08-04 13:57:33 +02:00
Fraser Tweedale
896783bae8 user-show: add --out option to save certificates to file
Add the --out option to user-show, bringing it into line with
host-show and service-show with the ability to save the user's
certificate(s) to a file.

https://fedorahosted.org/freeipa/ticket/5171

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-31 16:11:17 +02:00
Christian Heimes
a4ade199aa certprofile-import: do not require profileId in profile data
certprofile-import no longer requires profileId in profile data. Instead
the profile ID from the command line is taken and added to the profile
data internally.

If profileId is set in the profile, then it still has to match the CLI
option.

https://fedorahosted.org/freeipa/ticket/5090

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-31 16:00:57 +02:00
Christian Heimes
8e28ddd8fa Validate vault's file parameters
A user can pass file names for password, public and private key files to
the vault plugin. The plugin attempts to read from these files. If any
file can't be, an internal error was raised. The patch wraps all reads
and turns any IOError and UnicodeError into a ValidationError.

https://fedorahosted.org/freeipa/ticket/5155

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-31 15:33:49 +02:00
Petr Viktorin
b8c46f2a32 Modernize number literals
Use Python-3 compatible syntax, without breaking compatibility with py 2.7

- Octals literals start with 0o to prevent confusion
- The "L" at the end of large int literals is not required as they use
  long on Python 2 automatically.
- Using 'int' instead of 'long' for small numbers is OK in all cases except
  strict type checking checking, e.g. type(0).

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-07-31 15:22:19 +02:00
Martin Basti
cea52ce186 ULC: Fix stageused-add --from-delete command
Nonexistent method was used to move deleted user to staged area.
Minor fixes added:
 * handle not found error
 * return new DN

https://fedorahosted.org/freeipa/ticket/5145

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-07-29 17:06:54 +02:00
Christian Heimes
3c974c157f otptoken: use ipapython.nsslib instead of Python's ssl module
The otptoken plugin is the only module in FreeIPA that uses Python's ssl
module instead of NSS. The patch replaces ssl with NSSConnection. It
uses the default NSS database to lookup trust anchors. NSSConnection
uses NSS for hostname matching. The package
python-backports-ssl_match_hostname is no longer required.

https://fedorahosted.org/freeipa/ticket/5068

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-27 17:25:57 +02:00
Christian Heimes
2596adb312 certprofile-import: improve profile format documentation
The certprofile-import plugin expects a raw Dogtag config file. The XML
format is not supported. --help gives a hint about the correct file format.

https://fedorahosted.org/freeipa/ticket/5089

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2015-07-27 17:21:16 +02:00
Tomas Babej
aa066f31a5 idviews: Enforce objectclass check in idoverride*-del
Even with anchor to sid type checking, it would be still
possible to delete a user ID override by specifying a group
raw anchor and vice versa.

This patch introduces a objectclass check in idoverride*-del
commands to prevent that.

https://fedorahosted.org/freeipa/ticket/5029

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-07-23 15:37:01 +02:00
Tomas Babej
e0d3231f07 idviews: Restrict anchor to name and name to anchor conversions
When converting the ID override anchor from AD SID representation to
the object name, we need to properly restrict the type of the object
that is being resolved.

The same restriction applies for the opposite direction, when
converting the object name to it's SID.

https://fedorahosted.org/freeipa/ticket/5029

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-07-23 15:37:01 +02:00
Martin Babinsky
7ceaa8e26c fix broken search for users by their manager
The patch fixes incorrect construction of search filter when using `ipa
user-find` with '--manager' option.

https://fedorahosted.org/freeipa/ticket/5146

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-23 11:43:05 +02:00
Tomas Babej
a76c92ccd4 idviews: Check for the Default Trust View only if applying the view
Currently, the code wrongly validates the idview-unapply command. Move
check for the forbidden application of the Default Trust View into
the correct logical branch.

https://fedorahosted.org/freeipa/ticket/4969

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-22 11:06:41 +02:00
Martin Basti
5ea41abe98 DNS: Consolidate DNS RR types in API and schema
* Remove NSEC3, DNSKEY, TSIG, TKEY, TA records from API:
    These records never worked, they dont have attributes in schema.
    TSIG and TKEY are meta-RR should not be in LDAP
    TA is not supported by BIND
    NSEC3, DNSKEY are DNSSEC records generated by BIND, should not be
    in LDAP.
    *! SIG, NSEC are already defined in schema, must stay in API.

* Add HINFO, MINFO, MD, NXT records to API as unsupported records
    These records are already defined in LDAP schema

* Add schema for RP, APL, IPSEC, DHCID, HIP, SPF records
    These records were defined in IPA API as unsupported, but schema definition was
    missing. This causes that ACI cannot be created for these records
    and dnszone-find failed. (#5055)

https://fedorahosted.org/freeipa/ticket/4934
https://fedorahosted.org/freeipa/ticket/5055

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-07-21 17:18:29 +02:00
Tomas Babej
37b1af9a7c domainlevel: Fix incorrect initializations of InvalidDomainLevelError exceptions
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-20 13:53:21 +02:00
Tomas Babej
45958d6219 trusts: Check for AD root domain among our trusted domains
Check for the presence of the forest root DNS domain of the AD realm
among the IPA realm domains prior to esablishing the trust.

This prevents creation of a failing setup, as trusts would not work
properly in this case.

https://fedorahosted.org/freeipa/ticket/4799

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-07-17 17:04:17 +02:00
Yuri Chornoivan
75fde43491 Fix minor typos
<ame> -> <name>
overriden -> overridden
ablity -> ability
enties -> entries
the the -> the

https://fedorahosted.org/freeipa/ticket/5109

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2015-07-17 14:33:30 +02:00
Martin Basti
a619a1e211 Validate adding privilege to a permission
Adding priviledge to a permission via webUI allowed to avoid check and to add permission
with improper type.

https://fedorahosted.org/freeipa/ticket/5075

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-07-17 04:57:54 +00:00
Martin Basti
a0ce9e6b09 fix selinuxusermap search for non-admin users
Remove nonexistent attribute 'hostmembergroup' that is not in ACI nor schema.

Related to https://fedorahosted.org/freeipa/ticket/5130

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-07-16 15:38:47 +02:00
Petr Vobornik
2e80645ef2 fix hbac rule search for non-admin users
hbacrule has it default attributes (which are used in search) attribute
'memberhostgroup'. This attr is not in ACI nor in schema. If the search
contains an attribute which can't be read then the search won't return
anything.

Therefore all searches with filter set fail.

https://fedorahosted.org/freeipa/ticket/5130

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-16 15:37:24 +02:00
Petr Vobornik
9d69ad2428 do not import memcache on client
Fixes regression caused by cd3ca94ff2.

Which caused:
* client installation failure (missing memcache)
* invalid warning in CLI on server

https://fedorahosted.org/freeipa/ticket/5133

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-16 11:23:40 +02:00
Martin Basti
c144ea6fef Stageusedr-activate: show username instead of DN
If activate user already exists, show name of this user in error message
instead of user DN.
Error message reworder to keep the same format as stageuser-add,
user-add.

https://fedorahosted.org/freeipa/ticket/5038

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-07-15 07:08:02 +00:00
Christian Heimes
4677ea29be Remove tuple unpacking from except clause ipalib/plugins/hbactest.py
Python 3 doesn't support tuple unpacking in except clauses. All implicit
tuple unpackings have been replaced with explicit unpacking of e.args.

https://fedorahosted.org/freeipa/ticket/5120

Reviewed-By: Tomas Babej <tbabej@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-07-14 13:43:50 +02:00
Tomas Babej
5106421961 Revert "Hide topology and domainlevel features"
This reverts commit 62e8002bc4.

Hiding of the topology and domainlevel features was necessary
for the 4.2 branch only.

Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-07-10 15:26:50 +02:00
Martin Basti
67b2b34085 Prevent to rename certprofile profile id
https://fedorahosted.org/freeipa/ticket/5074

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-07-10 09:01:05 +00:00
Petr Vobornik
f0e88e9b13 fix error message when certificate CN is invalid
The error message was probably copied from mail address check below.

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-07-09 11:58:30 +02:00
Petr Vobornik
cf8b56cc75 webui: show multiple cert
New certificate widget which replaced certificate status widget.

It can display multiple certs. Drawback is that it cannot display
if the certificate was revoked. Web UI does not have the information.

part of: https://fedorahosted.org/freeipa/ticket/5045

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-09 10:58:40 +02:00
Petr Vobornik
7c481b1e90 webui: cert-request improvements
Certificate request action and dialog now supports 'profile_id',
'add' and 'principal' options. 'add' and 'principal' are disaplayed
only if certificate is added from certificate search facet.

Certificate search facet allows to add a certificate.

User details facet allows to add a certificate.

part of
https://fedorahosted.org/freeipa/ticket/5046

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-09 10:58:40 +02:00
Petr Vobornik
cd3ca94ff2 move session_logout command to ipalib/plugins directory
API refactoring caused that session_logout command was not registered.

Commands in ipalib/plugins directory are automatically registered.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-08 17:16:54 +02:00
Fraser Tweedale
ec7e5e0cac cert-request: enforce caacl for principals in SAN
cert-request currently does not enforce caacls for principals
included in the subjectAltName requestExtension.  Enforce for any
dNSName values recognised as hosts/services known to FreeIPA.

Fixes: https://fedorahosted.org/freeipa/ticket/5096
Reviewed-By: David Kupka <dkupka@redhat.com>
2015-07-08 17:13:25 +02:00
Fraser Tweedale
e3c225317b caacl: fix incorrect construction of HbacRequest for hosts
The _acl_make_request function is using the 'host/' prefix itself
instead of the hostname after it.  Use split_any_principal to do the
splitting correctly, also taking realm into account.

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-07-08 17:13:25 +02:00
Petr Vobornik
927391125c webui: caacl
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-08 17:12:29 +02:00
Endi S. Dewata
bf6df3df9b Added vault access control.
New LDAP ACIs have been added to allow vault owners to manage the
vaults and to allow members to access the vaults. New CLIs have
been added to manage the owner and member list. The LDAP schema
has been updated as well.

https://fedorahosted.org/freeipa/ticket/3872

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-07-08 06:30:23 +00:00
Alexander Bokovoy
2dd5b46d25 trust: support retrieving POSIX IDs with one-way trust during trust-add
With one-way trust we cannot rely on cross-realm TGT as there will be none.
Thus, if we have AD administrator credentials we should reuse them.
Additionally, such use should be done over Kerberos.

Fixes:
 https://fedorahosted.org/freeipa/ticket/4960
 https://fedorahosted.org/freeipa/ticket/4959

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Alexander Bokovoy
d5aa1ee04e trusts: add support for one-way trust and switch to it by default
One-way trust is the default now, use 'trust add --two-way ' to
force bidirectional trust

https://fedorahosted.org/freeipa/ticket/4959

In case of one-way trust we cannot authenticate using cross-realm TGT
against an AD DC. We have to use trusted domain object from within AD
domain and access to this object is limited to avoid compromising the whole
trust configuration.

Instead, IPA framework can call out to oddjob daemon and ask it to
run the script which can have access to the TDO object. This script
(com.redhat.idm.trust-fetch-domains) is using cifs/ipa.master principal
to retrieve TDO object credentials from IPA LDAP if needed and then
authenticate against AD DCs using the TDO object credentials.

The script pulls the trust topology out of AD DCs and updates IPA LDAP
store. Then IPA framework can pick the updated data from the IPA LDAP
under normal access conditions.

Part of https://fedorahosted.org/freeipa/ticket/4546

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Alexander Bokovoy
47e1de7604 trusts: pass AD DC hostname if specified explicitly
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1222047

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Alexander Bokovoy
03c2d76186 ipa-adtrust-install: add IPA master host principal to adtrust agents
Fixes https://fedorahosted.org/freeipa/ticket/4951

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Fraser Tweedale
462e0b9eb1 certprofile: add ability to update profile config in Dogtag
Add the `--file=FILENAME' option to `certprofile-mod' which, when
given, will update the profile configuration in Dogtag to the
contents of the file.

Fixes: https://fedorahosted.org/freeipa/ticket/5093
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-08 00:25:46 +02:00
Fraser Tweedale
bed6f402e2 certprofile: add option to export profile config
Add the `--out=FILENAME' option to `certprofile-show'.  When given,
it exports the profile configuration from Dogtag and writes it to
the named file.

Fixes: https://fedorahosted.org/freeipa/ticket/5091
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-08 00:25:46 +02:00
Tomas Babej
62e8002bc4 Hide topology and domainlevel features
* Hide topology and domainlevel commands in the CLI
* Hide topology and domainlevel in the WebUI
* Set maximum allowed domain level to 0
* Do not configure and enable the topology plugin

https://fedorahosted.org/freeipa/ticket/5097

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-08 00:09:09 +02:00
Endi S. Dewata
475ade4bec Added ipaVaultPublicKey attribute.
A new attribute ipaVaultPublicKey has been added to replace the
existing ipaPublicKey used to store the vault public key.

https://fedorahosted.org/freeipa/ticket/3872

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-07-07 07:44:56 +00:00
Endi S. Dewata
fc5c614950 Added symmetric and asymmetric vaults.
The vault plugin has been modified to support symmetric and asymmetric
vaults to provide additional security over the standard vault by
encrypting the data before it's sent to the server. The encryption
functionality is implemented using the python-cryptography library.

https://fedorahosted.org/freeipa/ticket/3872

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-07-07 07:44:56 +00:00
Petr Vobornik
ba0a1c6b33 include more information in metadata
added to commands: doc, proper args, NO_CLI

added to options: default_from, cli_name, cli_short_name and others

https://fedorahosted.org/freeipa/ticket/3129

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-03 10:42:16 +02:00