Commit Graph

573 Commits

Author SHA1 Message Date
Stanislav Laznicka
1e8db4b5c7 Add message about last KRA to WebUI Topology view
https://pagure.io/freeipa/issue/6538

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-03-13 16:10:28 +01:00
Stanislav Laznicka
670f8fb1db Add check to prevent removal of last KRA
https://pagure.io/freeipa/issue/6538

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-03-13 16:10:28 +01:00
Jan Cholasta
8fdd7a9ffc backend plugins: fix crashes in development mode
Do not set or delete attributes directly on KerberosWSGIExecutioner, ldap2
and ra_lightweight_ca instances, as that raises an AttributeError in
development mode because of ReadOnly locking.

Use the usual workaround of `object.__setattr__` and `object.__delattr__`
to fix the issue.

https://pagure.io/freeipa/issue/6625

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-13 16:06:22 +01:00
Alexander Bokovoy
381c1c7a8f add whoami command
Whoami command allows to query details about currently
authenticated identity. The command returns following information:

  * object class name
  * function to call to get actual details about the object
  * arguments to pass to the function

There are five types of objects that could bind to IPA using their
credentials. `ipa whoami` call expects one of the following:

  * users
  * staged users
  * hosts
  * Kerberos services
  * ID user override from the default trust view

The latter category of objects is automatically mapped by SASL GSSAPI
mapping rule in 389-ds for users from trusted Active Directory forests.

The command is expected to be used by Web UI to define proper view for
the authenticated identity. It is not visible in the command line
interface is `ipa` command.

Below is an example of how communication looks like for a host
principal:

   # kinit -k
   # ipa console
   (Custom IPA interactive Python console)
   >>> api.Command.whoami()
   {u'command': u'host_show/1', u'object': u'host', u'arguments': (u'ipa.example.com',)}
   >>>

Fixes https://pagure.io/freeipa/issue/6643

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-09 14:10:02 +01:00
Pavel Vomacka
61cd4372e1 WebUI: Add cermapmatch module
Add module which can show users which are mapped to the provided certificate.
Additionaly, the certificate is parsed and parsed information are
also displayed.

https://pagure.io/freeipa/issue/6601

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-03-08 16:22:01 +01:00
Jan Cholasta
1e912f5b83 dns: fix dnsrecord_add interactive mode
`dnsrecord_add` interactive mode might prompt for value of non-existent
arguments `a_part_create_reverse` and `aaaa_part_create_reverse`. This
happens because `dnsrecord_add` extra flags are incorrectly defined as
parts of the respective DNS records.

Remove extra flags from DNS record parts to fix the interactive mode on old
clients talking to new servers. Skip non-existent arguments in the
interactive mode to fix new clients talking to old servers.

https://fedorahosted.org/freeipa/ticket/6457

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-08 15:52:41 +01:00
Florence Blanc-Renaud
ea34e17a46 IdM Server: list all Employees with matching Smart Card
Implement a new IPA command allowing to retrieve the list of users matching
the provided certificate.
The command is using SSSD Dbus interface, thus including users from IPA
domain and from trusted domains. This requires sssd-dbus package to be
installed on IPA server.

https://fedorahosted.org/freeipa/ticket/6646

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-08 15:08:41 +01:00
Pavel Vomacka
e1dfc51e48 Add support for custom table pagination size
New customization button opens dialog with field for setting the number of lines
in tables. After saving the new value there is new topic which starts refreshing
current table facet (if shown) and set all other facets expired. Therefore all
tables are immediately regenerated.

https://fedorahosted.org/freeipa/ticket/5742

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-03-08 14:54:56 +01:00
Pavel Vomacka
19426f32ff
WebUI: Add certmap module
Add facets for certmaprule and certmapconfigure entities.

https://fedorahosted.org/freeipa/ticket/6601

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-03-08 10:14:21 +01:00
Pavel Vomacka
070bc48dd6
WebUI: Change structure of Identity submenu
Previously there were 'User Groups', 'Host Groups' and 'Netgroups'
separately, now these three items are grouped into one named 'Groups'
which has sidebar with three items mentioned above.

This change allows us to move ID views into Identity submenu.

https://pagure.io/freeipa/issue/6717

Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-03-07 20:04:01 +01:00
Tomas Krizek
a06c71b126
Add SHA256 fingerprints for certs
https://fedorahosted.org/freeipa/ticket/6701

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-07 19:52:43 +01:00
Fraser Tweedale
3ba0375c83
rabase.get_certificate: make serial number arg mandatory
In rabase.get_certificate it does not make sense for the
serial_number argument to be optional.  Make it a mandatory
positional argument.

Part of: https://pagure.io/freeipa/issue/3473
Part of: https://pagure.io/freeipa/issue/5011

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-07 13:24:16 +01:00
Fraser Tweedale
11c9df2577
Extract method to map principal to princpal type
Part of: https://pagure.io/freeipa/issue/5011

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-03 12:09:57 +01:00
Fraser Tweedale
2066a80be2
Remove redundant principal_type argument
Minor refactor to remove the redundant 'principal_type' argument
from 'caacl_check' and associated functions.

Part of: https://pagure.io/freeipa/issue/5011

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-03 12:09:57 +01:00
Florence Blanc-Renaud
9e24918c89 Support for Certificate Identity Mapping
See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping

https://fedorahosted.org/freeipa/ticket/6542

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-02 15:09:42 +01:00
Fraser Tweedale
49f87f34be dogtag: remove redundant property definition
The dogtag `ra' backend defines a `ca_host' property, which is also
defined (identically) by the `RestClient' class, which recently
became a superclass of `ra'.  Remove the redundant property
definition.

Part of: https://pagure.io/freeipa/issue/3473

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-03-01 13:53:18 +01:00
Stanislav Laznicka
5ab85b365a Moving ipaCert from HTTPD_ALIAS_DIR
The "ipaCert" nicknamed certificate is not required to be
in /var/lib/ipa/radb NSSDB anymore as we were keeping a copy
of this file in a separate file anyway. Remove it from there
and track only the file. Remove the IPA_RADB_DIR as well as
it is not required anymore.

https://fedorahosted.org/freeipa/ticket/5695
https://fedorahosted.org/freeipa/ticket/6680

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 09:43:41 +00:00
Stanislav Laznicka
0a54fac02c Remove NSSConnection from Dogtag
Replaced NSSConnection with Python's httplib.HTTPSConnection.
This class is OpenSSL-based.

A client certificate with a private key is required to authenticate
against the certificate server. We facilitate the RA_AGENT_PEM which
already exists.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 09:43:41 +00:00
Stanislav Laznicka
2a1494c9ae Move RA agent certificate file export to a different location
HTTPS connection to certificate server requires client authentication
so we need a file with client certificate and private key prior to
its first occurence which happens during migration of certificate
profiles to LDAP.

https://fedorahosted.org/freeipa/ticket/5695
https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 09:43:41 +00:00
Fraser Tweedale
b81ac59640 ca: correctly authorise ca-del, ca-enable and ca-disable
CAs consist of a FreeIPA and a corresponding Dogtag object.  When
executing ca-del, ca-enable and ca-disable, changes are made to the
Dogtag object.  In the case of ca-del, the corresponding FreeIPA
object is deleted after the Dogtag CA is deleted.

These operations were not correctly authorised; the FreeIPA
permissions are not checked before the Dogtag operations are
executed.  This allows any user to delete, enable or disable a
lightweight CA (except the main IPA CA, for which there are
additional check to prevent deletion or disablement).

Add the proper authorisation checks to the ca-del, ca-enable and
ca-disable commands.

https://pagure.io/freeipa/issue/6713

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-28 14:30:23 +00:00
Stanislav Laznicka
e2d1b21c50 Remove md5_fingerprints from IPA
MD5 is a grandpa and FIPS does not like it at all.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-02-23 18:59:01 +01:00
Simo Sorce
908d2eaba4 Fix session logout
There were 2 issues with session logouts, one is that the logout_cookie
was checked and acted on in the wrong place, the other is that the wrong
value was set in the IPASESSION header.

Fixes https://fedorahosted.org/freeipa/ticket/6685

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-02-22 10:15:50 +01:00
Simo Sorce
b895f4a34b Change session logout to kill only the cookie
Removing the ccache goes too far as it will cause unrelated sessions to
fail as well, this is a problem for accounts used to do unattended
operations and that may operate in parallel.

Fixes https://fedorahosted.org/freeipa/ticket/6682

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-02-17 09:57:23 +01:00
Simo Sorce
d124e307f3 Separate RA cert store from the HTTP cert store
This is in preparation for separating out the user under which the
ipa api framework runs as.

This commit also removes certs.NSS_DIR to avoid confusion and replaces
it where appropriate with the correct NSS DB directory, either the old
HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is
removed altogether as it was simply not necessary.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Simo Sorce
b6741d81e1 Use Anonymous user to obtain FAST armor ccache
The anonymous user allows the framework to obtain an armor ccache without
relying on usable credentials, either via a keytab or a pkinit and
public certificates. This will be needed once the HTTP keytab is moved away
for privilege separation.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Simo Sorce
b109f5d850 Drop use of kinit_as_http from trust code
The framework will not have direct access to the keytab anymore.
This function was used in two places, to fetch the domain list and to
re-initialize the PAC when enabling or disabling a domain trust.
The domian list is normally fetched via oddjob anyway so this use is
not necesary anymore, and the MS-PAC re-initialization can be moved
later to oddjob if needed.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Simo Sorce
c894ebefc5 Change session handling
Stop using memcache, use mod_auth_gssapi filesystem based ccaches.
Remove custom session handling, use mod_auth_gssapi and mod_session to
establish and keep a session cookie.
Add loopback to mod_auth_gssapi to do form absed auth and pass back a
valid session cookie.
And now that we do not remove ccaches files to move them to the
memcache, we can avoid the risk of pollutting the filesystem by keeping
a common ccache file for all instances of the same user.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Gabe
a930ec824d Allow nsaccountlock to be searched in user-find command
This patch provides the ability to search and find users who are
enabled/disabled in `ipa user-find` command without breaking API compatibility.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-14 17:09:45 +01:00
Christian Heimes
3d9bec2e87 cryptography has deprecated serial in favor of serial_number
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-02-10 16:16:44 +01:00
Martin Basti
6bb5af7bea py3: get_memberofindirect: fix ByteWarnings
DN must be converted to bytes as other variables adn lists contain bytes

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-02-08 15:41:39 +01:00
Martin Basti
a584758cfb py3: _convert_to_idna: fix bytes/unicode mistmatch
ToASCII() returns bytes, it must be decoded to unicode

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-08 08:32:44 +01:00
Martin Basti
03d0a55e8a py3: DNS: get_record_entry_attrs: do not modify dict during iteration
In py3 keys() doesn't return list but iterator so it must be transformed
to tuple otherwise iterator will be broken.

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-08 08:32:44 +01:00
Martin Basti
a3d3b0ad25 py3: _ptrrecord_precallaback: use bytes with labels
DNS labels are bytes so bytes must be used for comparison

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-08 08:32:44 +01:00
Martin Basti
a93b2bea5c py3: remove_entry_from_group: attribute name must be string
Do not encode attribute names

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-08 08:32:44 +01:00
Martin Basti
caa560ca79 py3: base64 encoding/decoding returns always bytes don't mix it
Using unicode(bytes) call causes undesired side effect that is inserting
`b` character to result. This obviously causes issues with binary base64 data

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-08 08:32:44 +01:00
David Kupka
7e2d185ba0 stageuser: Add stageuser-{add,remove}-principal
https://fedorahosted.org/freeipa/ticket/6623

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-02-07 13:58:48 +01:00
David Kupka
9c0e86530e stageuser: Add stageuser-{add,remove}-cert
Move {add,remove}-cert implementation from user to baseuser and inherit
{,stage}user-{add,remove}-cert from it.

https://fedorahosted.org/freeipa/ticket/6623

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-02-07 13:58:48 +01:00
Martin Basti
d5ab0637fe py3: fix CSR encoding inside framework
csr must be in string because framework excpects only strings, so we
have to decode it back

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-01-31 18:33:27 +01:00
Martin Basti
b37d18288d py3: can_read: attributelevelrights is already string
Remove decode() as it causes error in py3 because the attribute is
already string not bytes

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-01-31 18:33:27 +01:00
Martin Basti
49333058c8 py3: get_effective_rights: values passed to ldap must be bytes
Values passed to LDAP must be bytes

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-01-31 18:33:27 +01:00
Jan Cholasta
85834abad6 cert: fix search limit handling in cert-find
If search limits are not specified in cert-find, use the configured limits.
This applies to the certificate search in the CA as well.

Detect and report if size limit was exceeded in the certificate search in
the CA.

Do not apply limits to the internal ca-find call.

https://fedorahosted.org/freeipa/ticket/6564

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-01-24 13:53:07 +01:00
Jan Cholasta
d84edc43e5 dogtag: search past the first 100 certificates
Dogtag requires a size limit to be specified when searching for
certificates. When no limit is specified in the dogtag plugin, a limit of
100 entries is assumed. As a result, an unlimited certificate search
returns data only for a maximum of 100 certificates.

Raise the "unlimited" limit to the maximum value Dogtag accepts.

https://fedorahosted.org/freeipa/ticket/6564

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-01-24 13:53:07 +01:00
Martin Basti
18337bf7f7 py3: decode bytes for json.loads()
In py 3.5 json.loads requires to have string as input, all bytes must be
decoded.

Note: python 3.6 supports bytes for json.loads()

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Martin Basti
0eb5a0e0ec dogtag.py: fix exception logging of JSON data
'read_ca' and 'create_ca' have no logging when exception happened and it
masks real reason why it failed.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Martin Basti
1e0f98a146 py3: convert_attribute_members: don't use bytes as parameter for DN
due perfomance improvement in e4930b3235
we have to decode value before it can be used in DN() constructor.

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Martin Basti
0a1d7f2e01 py3: add_entry_to_group: attribute name must be string not bytes
With bytes as attribute name pyldap raises type error

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Tomas Krizek
49855ca9de Fix coverity issue
A code path exists, where principal_obj is None. Add check
principal_obj is not None to avoid dereferencing it.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-01-16 14:44:54 +01:00
Fraser Tweedale
09a65df684 Reuse self.api when executing ca_enabled_check
The ca_enabled_check function is a wrapper around
api.Command.ca_is_enabled.  When using remote_api (e.g. during
installer), ca_enabled_check invokes the *global* api instead of the
remote_api.

Update ca_enabled_check to explicitly receive an api object from the
caller and invoke Command.ca_is_enabled through it.

Part of: https://fedorahosted.org/freeipa/ticket/2614

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-11 15:26:20 +01:00
Petr Spacek
fb7c111ac1 ipa_generate_password algorithm change
A change to the algorithm that generates random passwords
for multiple purposes throught IPA. This spells out the need
to assess password strength by the entropy it contains rather
than its length.

This new password generation should also be compatible with the
NSS implementation of password requirements in FIPS environment
so that newly created databases won't fail with wrong authentication.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2017-01-06 09:26:56 +01:00
Pavel Vomacka
be7865bf4f Change activity text while loading metadata
After log in into webui there was 'Authenticating' sign even during loading metadata.
Now while data are loading there is 'Loading data' text. This change requires new global
topic 'set-activity' of activity widget. So for now there is possibility to change
every activity string during running phase just by publishing 'set-activity' topic
and setting new text as first parameter.

Part of: https://fedorahosted.org/freeipa/ticket/6144

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-01-05 19:13:37 +01:00