Do not set or delete attributes directly on KerberosWSGIExecutioner, ldap2
and ra_lightweight_ca instances, as that raises an AttributeError in
development mode because of ReadOnly locking.
Use the usual workaround of `object.__setattr__` and `object.__delattr__`
to fix the issue.
https://pagure.io/freeipa/issue/6625
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Whoami command allows to query details about currently
authenticated identity. The command returns following information:
* object class name
* function to call to get actual details about the object
* arguments to pass to the function
There are five types of objects that could bind to IPA using their
credentials. `ipa whoami` call expects one of the following:
* users
* staged users
* hosts
* Kerberos services
* ID user override from the default trust view
The latter category of objects is automatically mapped by SASL GSSAPI
mapping rule in 389-ds for users from trusted Active Directory forests.
The command is expected to be used by Web UI to define proper view for
the authenticated identity. It is not visible in the command line
interface is `ipa` command.
Below is an example of how communication looks like for a host
principal:
# kinit -k
# ipa console
(Custom IPA interactive Python console)
>>> api.Command.whoami()
{u'command': u'host_show/1', u'object': u'host', u'arguments': (u'ipa.example.com',)}
>>>
Fixes https://pagure.io/freeipa/issue/6643
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Add module which can show users which are mapped to the provided certificate.
Additionaly, the certificate is parsed and parsed information are
also displayed.
https://pagure.io/freeipa/issue/6601
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
`dnsrecord_add` interactive mode might prompt for value of non-existent
arguments `a_part_create_reverse` and `aaaa_part_create_reverse`. This
happens because `dnsrecord_add` extra flags are incorrectly defined as
parts of the respective DNS records.
Remove extra flags from DNS record parts to fix the interactive mode on old
clients talking to new servers. Skip non-existent arguments in the
interactive mode to fix new clients talking to old servers.
https://fedorahosted.org/freeipa/ticket/6457
Reviewed-By: Martin Basti <mbasti@redhat.com>
Implement a new IPA command allowing to retrieve the list of users matching
the provided certificate.
The command is using SSSD Dbus interface, thus including users from IPA
domain and from trusted domains. This requires sssd-dbus package to be
installed on IPA server.
https://fedorahosted.org/freeipa/ticket/6646
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
New customization button opens dialog with field for setting the number of lines
in tables. After saving the new value there is new topic which starts refreshing
current table facet (if shown) and set all other facets expired. Therefore all
tables are immediately regenerated.
https://fedorahosted.org/freeipa/ticket/5742
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Previously there were 'User Groups', 'Host Groups' and 'Netgroups'
separately, now these three items are grouped into one named 'Groups'
which has sidebar with three items mentioned above.
This change allows us to move ID views into Identity submenu.
https://pagure.io/freeipa/issue/6717
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Minor refactor to remove the redundant 'principal_type' argument
from 'caacl_check' and associated functions.
Part of: https://pagure.io/freeipa/issue/5011
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
The dogtag `ra' backend defines a `ca_host' property, which is also
defined (identically) by the `RestClient' class, which recently
became a superclass of `ra'. Remove the redundant property
definition.
Part of: https://pagure.io/freeipa/issue/3473
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The "ipaCert" nicknamed certificate is not required to be
in /var/lib/ipa/radb NSSDB anymore as we were keeping a copy
of this file in a separate file anyway. Remove it from there
and track only the file. Remove the IPA_RADB_DIR as well as
it is not required anymore.
https://fedorahosted.org/freeipa/ticket/5695https://fedorahosted.org/freeipa/ticket/6680
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Replaced NSSConnection with Python's httplib.HTTPSConnection.
This class is OpenSSL-based.
A client certificate with a private key is required to authenticate
against the certificate server. We facilitate the RA_AGENT_PEM which
already exists.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
HTTPS connection to certificate server requires client authentication
so we need a file with client certificate and private key prior to
its first occurence which happens during migration of certificate
profiles to LDAP.
https://fedorahosted.org/freeipa/ticket/5695https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
CAs consist of a FreeIPA and a corresponding Dogtag object. When
executing ca-del, ca-enable and ca-disable, changes are made to the
Dogtag object. In the case of ca-del, the corresponding FreeIPA
object is deleted after the Dogtag CA is deleted.
These operations were not correctly authorised; the FreeIPA
permissions are not checked before the Dogtag operations are
executed. This allows any user to delete, enable or disable a
lightweight CA (except the main IPA CA, for which there are
additional check to prevent deletion or disablement).
Add the proper authorisation checks to the ca-del, ca-enable and
ca-disable commands.
https://pagure.io/freeipa/issue/6713
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
MD5 is a grandpa and FIPS does not like it at all.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
There were 2 issues with session logouts, one is that the logout_cookie
was checked and acted on in the wrong place, the other is that the wrong
value was set in the IPASESSION header.
Fixes https://fedorahosted.org/freeipa/ticket/6685
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Removing the ccache goes too far as it will cause unrelated sessions to
fail as well, this is a problem for accounts used to do unattended
operations and that may operate in parallel.
Fixes https://fedorahosted.org/freeipa/ticket/6682
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This is in preparation for separating out the user under which the
ipa api framework runs as.
This commit also removes certs.NSS_DIR to avoid confusion and replaces
it where appropriate with the correct NSS DB directory, either the old
HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is
removed altogether as it was simply not necessary.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The anonymous user allows the framework to obtain an armor ccache without
relying on usable credentials, either via a keytab or a pkinit and
public certificates. This will be needed once the HTTP keytab is moved away
for privilege separation.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The framework will not have direct access to the keytab anymore.
This function was used in two places, to fetch the domain list and to
re-initialize the PAC when enabling or disabling a domain trust.
The domian list is normally fetched via oddjob anyway so this use is
not necesary anymore, and the MS-PAC re-initialization can be moved
later to oddjob if needed.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Stop using memcache, use mod_auth_gssapi filesystem based ccaches.
Remove custom session handling, use mod_auth_gssapi and mod_session to
establish and keep a session cookie.
Add loopback to mod_auth_gssapi to do form absed auth and pass back a
valid session cookie.
And now that we do not remove ccaches files to move them to the
memcache, we can avoid the risk of pollutting the filesystem by keeping
a common ccache file for all instances of the same user.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This patch provides the ability to search and find users who are
enabled/disabled in `ipa user-find` command without breaking API compatibility.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
In py3 keys() doesn't return list but iterator so it must be transformed
to tuple otherwise iterator will be broken.
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Using unicode(bytes) call causes undesired side effect that is inserting
`b` character to result. This obviously causes issues with binary base64 data
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Move {add,remove}-cert implementation from user to baseuser and inherit
{,stage}user-{add,remove}-cert from it.
https://fedorahosted.org/freeipa/ticket/6623
Reviewed-By: Martin Basti <mbasti@redhat.com>
csr must be in string because framework excpects only strings, so we
have to decode it back
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Remove decode() as it causes error in py3 because the attribute is
already string not bytes
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
If search limits are not specified in cert-find, use the configured limits.
This applies to the certificate search in the CA as well.
Detect and report if size limit was exceeded in the certificate search in
the CA.
Do not apply limits to the internal ca-find call.
https://fedorahosted.org/freeipa/ticket/6564
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Dogtag requires a size limit to be specified when searching for
certificates. When no limit is specified in the dogtag plugin, a limit of
100 entries is assumed. As a result, an unlimited certificate search
returns data only for a maximum of 100 certificates.
Raise the "unlimited" limit to the maximum value Dogtag accepts.
https://fedorahosted.org/freeipa/ticket/6564
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
In py 3.5 json.loads requires to have string as input, all bytes must be
decoded.
Note: python 3.6 supports bytes for json.loads()
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
'read_ca' and 'create_ca' have no logging when exception happened and it
masks real reason why it failed.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
due perfomance improvement in e4930b3235
we have to decode value before it can be used in DN() constructor.
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
With bytes as attribute name pyldap raises type error
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
A code path exists, where principal_obj is None. Add check
principal_obj is not None to avoid dereferencing it.
Reviewed-By: Martin Basti <mbasti@redhat.com>
The ca_enabled_check function is a wrapper around
api.Command.ca_is_enabled. When using remote_api (e.g. during
installer), ca_enabled_check invokes the *global* api instead of the
remote_api.
Update ca_enabled_check to explicitly receive an api object from the
caller and invoke Command.ca_is_enabled through it.
Part of: https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
A change to the algorithm that generates random passwords
for multiple purposes throught IPA. This spells out the need
to assess password strength by the entropy it contains rather
than its length.
This new password generation should also be compatible with the
NSS implementation of password requirements in FIPS environment
so that newly created databases won't fail with wrong authentication.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
After log in into webui there was 'Authenticating' sign even during loading metadata.
Now while data are loading there is 'Loading data' text. This change requires new global
topic 'set-activity' of activity widget. So for now there is possibility to change
every activity string during running phase just by publishing 'set-activity' topic
and setting new text as first parameter.
Part of: https://fedorahosted.org/freeipa/ticket/6144
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>