Commit Graph

286 Commits

Author SHA1 Message Date
Florence Blanc-Renaud
1df1786b06 Migration from authconfig to authselect
The authconfig tool is deprecated and replaced by authselect. Migrate
FreeIPA in order to use the new tool as described in the design page
https://www.freeipa.org/page/V4/Authselect_migration

Fixes:
https://pagure.io/freeipa/issue/7377

Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-04-27 14:01:33 +02:00
Fraser Tweedale
852618fd65 csrgen: fix when attribute shortname is lower case
OpenSSL requires attribute short names ("CN", "O", etc) to be in
upper case, otherwise it fails to add the attribute.  This can be
triggered when FreeIPA has been installed with --subject-base
containing a lower-case attribute shortname (e.g.
--subject-base="o=Red Hat").

Explicitly convert the attribute type string to an OID
(ASN1_OBJECT *).  If that fails, upper-case the type string and try
again.

Add some tests for the required behaviour.

Fixes: https://pagure.io/freeipa/issue/7496
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-04-25 14:41:12 +02:00
Fraser Tweedale
0ac1d3ea62 csrgen: drive-by docstring
Part of: https://pagure.io/freeipa/issue/7496

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-04-25 14:41:12 +02:00
Fraser Tweedale
7633d62d85 csrgen: support initialising OpenSSL adaptor with key object
As a convenience for using it with the test suite, update the csrgen
OpenSSLAdaptor class to support initialisation with a
python-cryptography key object, rather than reading the key from a
file.

Part of: https://pagure.io/freeipa/issue/7496

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-04-25 14:41:12 +02:00
Fraser Tweedale
53f87ee5cd py3: fix csrgen error handling
csrgen error handling marshalls an error string from libcrypto.
This is not handled correctly under python3.  Fix the error
handling.

Part of: https://pagure.io/freeipa/issue/7496

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-04-25 14:41:12 +02:00
amitkuma
07be3306c1 RFE: ipa client should setup openldap for GSSAPI
The IPA client installer currently edits /etc/openldap/ldap.conf, setting up
the client to consume LDAP data from IPA.  It currently sets:
URI
BASE
TLS_CACERT

This PR makes ipa-client to add this AV pair:
SASL_MECH GSSAPI

Resolves: https://pagure.io/freeipa/issue/7366
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-04-25 12:06:09 +02:00
Stanislav Laznicka
b5bdd07bc5
Add absolute_import future imports
Add absolute_import from __future__ so that pylint
does not fail and to achieve python3 behavior in
python2.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-04-20 09:43:37 +02:00
Christian Heimes
395a68d208 Defer import of ipaclient.csrgen
The modules ipaclient.csrgen and ipaclient.csrgen_ffi are expensive to load,
but rarely used. On demand loading speeds up ipa CLI by about 200ms.

Fixes: https://pagure.io/freeipa/issue/7484
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-04-10 07:58:52 +02:00
Tibor Dudlák
e279d891fe Configure chrony with pool when server not set
When there was no ntp-server option specified configuration
of chrony was skipped even in case that there was ntp-pool
option passed to the installation of client/server.
Moved duplicates of prints from client to server.

Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-09 11:00:02 -04:00
Tibor Dudlák
878cbaa232 Add enabling chrony daemon when not configured
Moves chrony enablement and sync attempt to new method
so chrony will be enabled even when not configured.

Add logger info about skipping configuration to client's
installation when not on master and -N is used.

Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-09 11:00:02 -04:00
Tibor Dudlák
74c2b46cde Remove unnecessary option --force-chrony
FreeIPA will always force chrony service and disable any
other conflicting time synchronization daemon.
Add --ntp-server option to server manpage and note to NTP pool option.

Addresses: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-09 11:00:02 -04:00
Tibor Dudlák
dba87a47a7 Remove NTP server role while upgrading
Remove NTP server role from config.py.
Remove uneccesary variables and replaced untrack_file with restore_file.
Update typo in manpages and messages printed while installing.

Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-09 11:00:02 -04:00
Tibor Dudlák
5d9c749e83 Adding method to ipa-server-upgrade to cleanup ntpd
Removing ntpd configuration files and entry from LDAP.

Add parameter and rename method for restoring forced time
services. Addressing some requests for change too.

Remove unused path for chrony-helper.

Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-09 11:00:02 -04:00
Tibor Dudlák
194518f11f Add --ntp-pool option to installers
FreeIPA Server and Client now support option for chrony
configuration --ntp-pool.
This option may be used with option --ntp-server.

Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-09 11:00:02 -04:00
Tibor Dudlák
fb28dfff93 FreeIPA server is time synchronization client only
This will change behaviour that FreeIPA server will be no more
ntpd server and time service is no longer part of FreeIPA topology.

As dependency for ntpd was completely removed, and there is only
dependency for chrony, FreeIPA will configure every host to
became chronyd service's clients.

FreeIPA have not supported --ntp-server option now it must to
support client configuration of chrony.

Configuration of chrony is moved to client-install therefore
NTP related options are now passed to the ipa-client-install
script method sync_time which now handles configuration of chrony.

Server installation has to configure chrony before handling
certificates so there is call to configure chrony outside of
using server's statestore and filestore.

Removed behavior that there is always --no-ntp option set.

Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-09 11:00:02 -04:00
Tibor Dudlák
ca9c4d70a0 Replace ntpd with chronyd in installation
Completely remove ipaserver/install/ntpinstance.py

This is no longer needed as chrony client configuration
is now handled in ipa-client-install.

Part of ipclient/install/client.py related to ntp configuration
has been refactored a bit to not lookup for srv records
and/or run chrony if not necessary.

Addresses: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-09 11:00:02 -04:00
Tibor Dudlák
bfb544adfd Removes ntp from dependencies and behave as there is always -N option
Addresses: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-09 11:00:02 -04:00
Christian Heimes
64438f8619 Cleanup and remove more files on uninstall
* /etc/nsswitch.conf.ipabkp
* /etc/openldap/ldap.conf.ipabkp
* /var/lib/ipa/sysrestore/*
* /var/named/dyndb-ldap/ipa/
* /var/lib/dirsrv/scripts-%s/

See: https://pagure.io/freeipa/issue/2694
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-03-28 21:18:48 +02:00
amitkuma
ccec8c6c41 clear sssd cache when uninstalling client
The SSSD cache is not cleared when uninstalling an IPA client. For tidiness we should wipe the cache. This can be done with sssctl.
Note that this tool is in sssd-tools which is not currently a dependency.

Resolves: https://pagure.io/freeipa/issue/7376
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-03-26 15:16:54 +02:00
Stanislav Laznicka
c9c41d2d90
vault: fix vault-retrieve to a file
`data` is bytes but we were opening the "--out" file as
a text.

https://pagure.io/freeipa/issue/7430

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-03-06 13:00:23 +01:00
Christian Heimes
a8555d42a4 Update /etc/ipa/nssdb in client scripts
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-23 11:04:10 +01:00
Christian Heimes
88fd3f9435 certmonger: Use explicit storage format
Add storage='NSSDB' to various places. It makes it a bit easier to track
down NSSDB usage.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-23 11:04:10 +01:00
Stanislav Laznicka
c85bf376f0
certupdate: don't update HTTPD NSS db
Since mod_ssl is using the /etc/ipa/ca.crt for its source
of the CA chain, we don't need to update the HTTPD NSS
database anymore (since it does not really exist).

https://pagure.io/freeipa/issue/3757

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Stanislav Laznicka
f31797c70a Have all the scripts run in python 3 by default
The Python 3 refactoring effort is finishing, it should be safe
to turn all scripts to run in Python 3 by default.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-02-15 18:43:12 +01:00
Christian Heimes
2391c75e3d Replace hard-coded paths with path constants
Several run() calls used hard-coded paths rather than pre-defined paths
from ipaplatform.paths. The patch fixes all places that I was able to
find with a simple search.

The fix simplifies Darix's port of freeIPA on openSuSE.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-08 09:32:12 +01:00
Aleksei Slaikovskii
6c5a7464b2
Fixing translation problems
ipa rpc server did set the LANG environment variable on each
request and it was not thread safe which led to unpredictable
mixed languages output. Also, there were mistakes regarding
setting the Accept-Language HTTP header.

Now on each request we're setting the "languages" property
in the context thread local variable and client is setting
the Accept-Language HTTP header correctly.

Also, as the server is caching the schema and the schema can
be generated for several languages it's good to store different
schema fingerprint for each language separately.

pagure: https://pagure.io/freeipa/issue/7238
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-01-31 16:03:19 +01:00
Christian Heimes
beb6d74b81 LGTM: unnecessary else in for loop
for/else makes only sense when the for loop uses break, too. If the for
loop simply returns on success, then else is not necessary.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-01-09 07:53:28 +01:00
Christian Heimes
73ee9ff40e LGTM: Fix multiple use before assignment
- Move assignment before try/finally block
- Add raise to indicate control flow change
- Add default value

https://pagure.io/freeipa/issue/7344

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-01-09 07:53:28 +01:00
Rob Crittenden
79432cbdc6 Log contents of files created or modified by IPAChangeConf
This will show the status of the files during an installation.
This is particularly important during a replica install where
default.conf gets written several times.

Fixes: https://pagure.io/freeipa/issue/7218

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-01-04 16:34:37 +01:00
Christian Heimes
1c9f0a4b19 Vault: Add argument checks to encrypt/decrypt
Vault's encrypt and decrypt helper function take either symmetric or
public/private key. Raise an exception if either both or none of them
are passed down.

See https://pagure.io/freeipa/issue/7326

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2017-12-19 13:26:39 +01:00
Christian Heimes
8cb756a229 Fix pylint warnings inconsistent-return-statements
Add consistent return to all functions and methods that are covered by
tox -e pylint[23]. I haven't checked if return None is always a good
idea or if we should rather raise an error.

See: https://pagure.io/freeipa/issue/7326
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-12-18 11:51:14 +01:00
Fraser Tweedale
39fdc2d250 ipa_certupdate: avoid classmethod and staticmethod
Because classmethod and staticmethod are just fancy ways of calling
plain old functions, turn the classmethods and staticmethods of
CertUpdate into plain old functions.

This improves readability by making it clear that the behaviour of
the routines cannot depend on instance or class variables.

Part of: https://pagure.io/freeipa/issue/6577

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-12-11 08:35:04 +01:00
Fraser Tweedale
93d53e5cd0 CertUpdate: make it easy to invoke from other programs
The guts of ipa-certupdate are useful to execute as part of other
programs (e.g. as a first step of ipa-ca-install).  Refactor
ipa_certupdate.CertUpdate to make it easy to do that.  In
particular, make it possible to use an already-initialised API
object.

Part of: https://pagure.io/freeipa/issue/6577

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-12-11 08:35:04 +01:00
Christian Heimes
0071744929 Support sqlite NSSDB
Prepare CertDB and NSSDatabase to support sqlite DB format. NSSDatabase
will automatically detect and use either old DBM or new SQL format. Old
databases are not migrated yet.

https://pagure.io/freeipa/issue/7049

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-16 12:17:01 +01:00
Stanislav Laznicka
c9265a7b05 x509: remove the strip_header() function
We don't need the strip_header() function, to load an unknown
x509 certificate, load_unknown_x509_certificate() should be used.

Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-01 07:55:04 +01:00
Stanislav Laznicka
03786ad9f3 csrgen_ffi: cast the DN value to unsigned char *
cffi throws warnings during the implicit cast from char * to
unsigned char * since the support of these casts is nearing
its end of life.

https://pagure.io/freeipa/issue/7131
2017-10-25 09:46:41 +02:00
Stanislav Laznicka
61605d28d8 parameters: introduce CertificateSigningRequest
Previously, CSRs were handled as a Str parameter which brought
trouble to Python 3 because of its more strict type requirements.
We introduce a CertificateSigningRequest parameter which allows to
use python-cryptography x509.CertificateSigningRequest to represent
CSRs in the framework.

https://pagure.io/freeipa/issue/7131
2017-10-25 09:44:37 +02:00
Stanislav Laznicka
c9d710a446 csrgen: update docstring for py3
https://pagure.io/freeipa/issue/7131
2017-10-25 09:44:37 +02:00
Stanislav Laznicka
2b90c8a20e csrgen: accept public key info as Bytes
cert_get_requestdata() method is meant for internal use only and
is never passed a file. Make its parameter public_key_info Bytes
to better represent what's actually being passed to it.

https://pagure.io/freeipa/issue/7131
2017-10-25 09:44:37 +02:00
Stanislav Laznicka
61dde27f70 csrgen_ffi: pass bytes where "char *" is required
In Python 3, "char *" corresponds to bytes rather than string.

https://pagure.io/freeipa/issue/7131
2017-10-25 09:44:37 +02:00
Florence Blanc-Renaud
3de30177f7 py3: fix ipa cert-request --database ...
Fix bytes vs str issues in ipa cert-request

https://pagure.io/freeipa/issue/7148
2017-10-25 09:44:37 +02:00
Christian Heimes
b29db07c3b Use os.path.isfile() and isdir()
Replace custom file_exists() and dir_exists() functions with proper
functions from Python's stdlib.

The change also gets rid of pylint's invalid bad-python3-import error,
https://github.com/PyCQA/pylint/issues/1565

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-10-20 12:27:19 +02:00
Aleksei Slaikovskii
fad88b358b ipaclient.plugins.dns: Cast DNS name to unicode
cmd.api.Command.dnsrecord_split_parts expects name to be unicode
string and instead gets ascii. It leads to an error:
ipa: ERROR: invalid 'name': must be Unicode text

This commit's change is casting name's type to unicode so
'ipa dnsrecord-mod' will not fail with error above.

https://pagure.io/freeipa/issue/7185

Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-10-20 10:55:49 +02:00
Stanislav Laznicka
c4505f0804 client: fix retrieving certs from HTTP
We're applying bytes regex on the result of a command but were
using decoded stdout instead of raw.

https://pagure.io/freeipa/issue/7131

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-09-13 10:38:08 +02:00
Stanislav Laznicka
be9da19de3 uninstall: remove deprecation warning
RawConfigParser.readfp() method is deprecated and throws
DeprecationWarning in python 3 during uninstall.

https://pagure.io/freeipa/issue/7131

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-09-12 17:43:23 +02:00
Stanislav Laznicka
b57f87c9a0 pylint: fix no-member in schema plugin
The `module.register` member is added just a few lines
before pylint warns there's none such thing.

https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-09-08 15:42:07 +02:00
Stanislav Laznicka
806784dbd9 csrgen: fix incorrect codec for pyasn BitString
https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-09-08 15:42:07 +02:00
Stanislav Laznicka
c14aa6cdac
Remove unused variable
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2017-09-01 10:48:34 +02:00
Alexander Bokovoy
79378c9051
csrgen: support openssl 1.0 and 1.1
Support both openssl 1.0 and 1.1 APIs where sk_* functions got prefixed
with OPENSSL_ in the latter version.

Since referencing a symbol from a dynamically loaded library generates
exception, use the AttributeError exception to catch it and fall back to
the older method.

Fixes https://pagure.io/freeipa/issue/7110

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-08-31 13:46:00 +02:00
Fraser Tweedale
947ac4bc1f py3: handle bytes in schema response
If a server is running under py2 it could return a bytes value for
the 'topic_topic' field in the schema response.  A py3 client fails
to handle this (in one place it applies 'str' to it, which raises
BytesWarning; in other places it tries to serialise the schema to
JSON which fails because of the bytes value).

Handle the case where 'topic_topic' is not unicode, and handle bytes
values when serialising the schema to JSON.

Fixes: https://pagure.io/freeipa/issue/6809
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-08-29 13:05:20 +02:00