- Temporary modify certmonger dogtag-ipa-ca-renew helper to request the IPA RA
agent cert, using the temp cert created during pkispawn. The cert request
is now processed through certmonger, and the helper arguments are restored
once the agent cert is obtained.
- Modify the installer code creating HTTP and LDAP certificates to use
certmonger's IPA helper with temporary parameters (calling dogtag-submit
instead of ipa-submit)
- Clean-up for the integration tests: sometimes ipa renewal.lock is not
released during ipa-server-uninstall. Make sure that the file is removed
to allow future installations.
https://fedorahosted.org/freeipa/ticket/6433
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Update x509.load_certificate and related functions to return
python-cryptography ``Certificate`` objects. Update the call sites
accordingly, including removal of NSS initialisation code.
Also update GeneralName parsing code to return python-cryptography
GeneralName values, for consistency with other code that processes
GeneralNames. The new function, `get_san_general_names`, and
associated helper functions, can be removed when python-cryptography
provides a way to deal with unrecognised critical extensions.
Part of: https://fedorahosted.org/freeipa/ticket/6398
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The upcoming change to using python-cryptography for certificate
process will require a way to convert
``cryptography.x509.name.Name`` values to ``ipapython.dn.DN``.
Update the ``DN`` constructor to accept a ``Name``.
Part of: https://fedorahosted.org/freeipa/ticket/6398
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This version builds only one version of Python packages. If you want to
build for Python 2 & 3 call configure twice using different --with-python
or specify PYTHON variable when calling make.
dist-hook is using SOURCES.txt file from egg-info.
According to Petr Viktorin this should be enough for our purposes
and avoids need to create plugins for setuptools.
Currently VPATH builds do not work for various reasons.
This should be fixed later on.
Most credit goes to these guys:
Christian Heimes <cheimes@redhat.com>
Petr Viktorin <pviktori@redhat.com>
Kevin Brown <kevin@kevin-brown.com>
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Version information is now in VERSION.m4 instead of VERSION.
Makefile target version-update was minimized and configure can be run
before make. Makefile temporarily contains hardcoded version which has
to match the one specified in VERSION.m4.
This is preparatory step which will allow us to replace hand-made
Makefile with one generated by Automake.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
* move IPAdmin methods to LDAPClient
* add extra arguments (cacert, sasl_nocanon) to LDAPClient.__init__()
* add host, port, _protocol to LDAPClient (parsed from ldap_uri)
* create get_ldap_uri() method to create ldap_uri from former
IPAdmin.__init__() arguments
* replace IPAdmin with LDAPClient + get_ldap_uri()
* remove ununsed function argument hostname from
enable_replication_version_checking()
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
All setup.py files are now using setuptools through a common file
ipasetup.py. The file is auto-generated and contain all common
settings.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Functions `escape_seq` and `unescape_seq` have a generic use-case so it makes
sense to move them from `kerberos` to ipautil module so that other modules can
reuse them more readily.
https://fedorahosted.org/freeipa/ticket/5809
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Unused variables may:
* make code less readable
* create dead code
* potentialy hide issues/errors
Enabled check should prevent to leave unused variable in code
Check is locally disabled for modules that fix is not clear or easy or have too many occurences of
unused variables
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This commit removes unused variables or rename variables as "expected to
be unused" by using "_" prefix.
This covers only cases where fix was easy or only one unused variable
was in a module
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
`common.Continuous` class is a basis for uninstallers, which should execute
all the steps regardless of occuring errors. However, we would like the
installer to raise exceptions and return non-zero exit code during validation
phase when some preconditions are not met.
Add a separate exception handler which catches exceptions and logs them as
errors during execution phase only.
https://fedorahosted.org/freeipa/ticket/5725
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Currently environments may use prefix /31 on point-to-point connections what
makes IPA validators to fail. IPA should not care if IP address is broadcast
or not. In some cases (when prefix is not specified) IPA cannot decide
properly if broadcast address is really broadcast.
This commit allows usage of broadcast addresses in:
* host plugin
* dns plugin
* server-installer
* client-installer
https://fedorahosted.org/freeipa/ticket/5814
Reviewed-By: David Kupka <dkupka@redhat.com>
Currently cloud environments uses heavily prefix /32 (/128) what makes
IPA validators to fail. IPA should not care if IP address is network or not.
This commit allows usage of network addresses in:
* host plugin
* dns plugin
* server-installer
* client-installer
https://fedorahosted.org/freeipa/ticket/5814
Reviewed-By: David Kupka <dkupka@redhat.com>
Link-local addresses received from netifaces contains '%suffix' that
causes parse error in IPNetwork class. We must remove %suffix before
it us used in IPNetwork objects.
https://fedorahosted.org/freeipa/ticket/6296
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
These debug prints were forgotten there and should be removed, because
str(DN) is often operation and we may save time with handling exceptions
and printing unwanted debug
Reviewed-By: David Kupka <dkupka@redhat.com>
Installer/IPA generates passwords for warious purpose:
* KRA
* kerberos master key
* NSSDB password
* temporary passwords during installation
Length of passwords should be increased to 22, ~128bits of entropy, to
be safe nowadays.
https://fedorahosted.org/freeipa/ticket/6116
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
In order to authenticate with a principal alias it is necessary
to request canonicalization of the principal. This patch extends
the kinit_password with this option.
The option to indicate enterprise principal has been added as well.
https://fedorahosted.org/freeipa/ticket/6142
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The CLI was not using session cookies for communication with IPA API.
The kernel_keyring code was expecting the keyname to be a string, but
in python 2 a unicode was supplied (the key is built using
ipa_session_cookie:%principal and principal is a unicode).
The patch fixes the assertions, allowing to store and retrieve the cookie.
It also adds a test with unicode key name.
https://fedorahosted.org/freeipa/ticket/5984
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Currently server (HTTP / LDAP) certs are created without a Subject
Alternative Name extension during server install, replica prepare
and host enrolment, a potentially problematic violation of RFC 2818.
Add the hostname as a SAN dNSName when these certs are created.
(Certmonger adds an appropriate request extension when renewing the
certificate, so nothing needs to be done for renewal).
Fixes: https://fedorahosted.org/freeipa/ticket/4970
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Previously resolver was returning CheckedIPAddress objects. This
internal server error in cases where DNS actually returned reserved IP
addresses.
Now the resolver is returning UnsafeIPAddress objects which do syntactic
checks but do not filter IP addresses.
From now on we can decide if some IP address should be accepted as-is or
if it needs to be contrained to some subset of IP addresses using
CheckedIPAddress class.
This regression was caused by changes for
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
All these were unused so I'm removing them to keep the code clean and
easier to read. At this point it is clear that only difference between
netaddr.IPAddress and CheckedIPAddress is prefixlen attribute.
Reviewed-By: Martin Basti <mbasti@redhat.com>
This module implements a shared codebase to handle various types of Kerberos
principal names encountered during management of users, hosts nad services.
Common codebase aims to replace various ad-hoc functions and routines
scattered along the management framework.
https://fedorahosted.org/freeipa/ticket/3864
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
