Commit Graph

4021 Commits

Author SHA1 Message Date
Julien Rische
9f88188204 Remove RC4 and 3DES default encryption types on update
Fixes: https://pagure.io/freeipa/issue/9633

Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-07-19 08:44:49 -04:00
Julien Rische
d1a485a435 Unconditionally add MS-PAC to global config on update
Fixes: https://pagure.io/freeipa/issue/9632

Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-07-19 08:44:49 -04:00
Mark Reynolds
eeade50933 ipa-migrate - starttls does not work
We were previousily taking the provided ca cert and creating a temporary
file from it. This was incorrect and caused the secure connection to
fail.  Instead just use the file path provided.

Fixes: https://pagure.io/freeipa/issue/9619

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-07-15 17:22:19 -04:00
Rob Crittenden
6c53a22a2c Include token password options in ipa-kra-install man page
Related: https://pagure.io/freeipa/issue/9603

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-07-15 10:26:54 -04:00
Mark Reynolds
efa5719363 ipa-migrate - remove -V option
The versioning in ipa-migrate was removed, but the "-V" option to display the version was not removed.

Fixes: https://pagure.io/freeipa/issue/9620

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-07-11 13:59:16 +02:00
TAKAHASHI Masatsuna
52ea4ad46e ipa-advise ipa-backup ipa-restore: Fix --v option of the manual.
Specifying the --v option results in an error.
The --v option is incorrect and should be -v.

Fixes: https://pagure.io/freeipa/issue/9617
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-07-04 17:48:04 +02:00
Rob Crittenden
ebccaac3cf Add iparepltopoconf objectclass to topology permissions
The domain and ca objects were unreadable which caused
the conneciton lines between nodes in the UI to not be
visible.

Also add a manual ACI to allow reading the min/max
domain level.

Fixes: https://pagure.io/freeipa/issue/9594

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2024-06-12 16:43:25 -04:00
Florence Blanc-Renaud
69c6a817ce ipa-replica-manage list-ruvs: display FQDN in the output
The behavior of ipa-replica-manage list-ruv was modified with
the commit 544652a and now displays host short names instead
of FQDN:port.
Fix the regular expression in order to return the FQDN:port again.

Fixes: https://pagure.io/freeipa/issue/9598

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2024-05-28 14:39:33 +02:00
Alexander Bokovoy
5368120805 custodia: do not use deprecated jwcrypto wrappers
jwcrypto has turned JWK object into a dict-like structure in 2020 and
marked data wrappers as deprecated. The only exception for direct
foo['bar'] access is a key ID -- some keys might have no 'kid' property,
thus it is best to use jwk.get('kid') instead for those.

Fixes: https://pagure.io/freeipa/issue/9597

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-05-23 15:12:27 -04:00
Mark Reynolds
544652aae4 Issue 9591 - Allow get_ruv() to handle incomplete RUV elements
Sometimes RUV's are missing the LDAP Url and max/min csns. This prevents
cleanallruv task from running.  However, cleanallruv doesn't need to
know the LDAP URL or min/max csns. Added a new paramter to get_run()
called "strict", and when set to False it will still process and
include incomplete RUVs.

Fixes: https://pagure.io/freeipa/issue/9591

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-05-20 14:52:12 -04:00
Rob Crittenden
6b6c1879c5 Call hsm_validator on KRA installs and validate the HSM password
hsm_validator was validating that the token was available but
not that the provided password worked. Add that capability.

Also call it early in the CA and KRA installation cycle so that
it errors out early. This is particularly important for the KRA
because there is no uninstaller.

Bump the minimum PKI release to 11.5.0 as that contains important
fixes for the HSM.

Remove an unused arguments to hsm_version and hsm_validator.

Related: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rob Crittenden
c6f2d0212b dogtag-ipa-ca-renew-agent-submit: expect certs to be on HSMs
On a non-HSM, non-renewal-server replica we look in LDAP for
an updated certificate. If the certificates don't match then we
have a new one and write it out. If they match the assumption is
that it hasn't been renewed yet so go into CA_WORKING.

The problem is that for networked HSMs the cert will already be
visible in the database so certmonger will always be in CA_WORKING.
In this case we can assume that if the certs are the same then
that's just fine.

Related: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rob Crittenden
b89aa91977 renew_ca_cert: set peer trust on the KRA audit certificate
The PKI audit certificates require that trusted peer (P) be
set on the certificate. This is done already for the CA audit
certificate. Also set this on the KRA audit certificate on
renewal.

https://pagure.io/freeipa/issue/9353

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rob Crittenden
0708f603e2 renew_ca_cert: skip removing non-CA certs, fix nickname
This script deletes all CA certificates so a new chain
can be loaded. It identified CA certs by those that did
not have private keys. This change adds the  ca_flags test
in as well. It is probably sufficient on its own but it
is left for compatibility.

An HSM-based NSS database when not accessing it with the
token will not contain the private keys so removing all
certificates without a private key will remove certificates
that it shouldn't. The NSS softoken stores the certifcate
trust so the certificates will be visible but they lack
private keys because those reside in the HSM. Therefore
deleting any certificate without a private key removed
nearly everything.

Preserve the nickname 'caSigningCert cert-pki-ca'. The
certstore uses the nickame format '{REALM} IPA CA' and
will replace the PKI-named key if we don't act to
preserve it.

Fixes: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rob Crittenden
93622005ba Add token support to the renew_ca_cert certmonger helper
The certificates live on the token so need to be retrieved
from there with the token name. The certificates are visible
in NSS softoken but operations need to be done on the HSM
version. The right password is necessary so retrieve it from
the PKI password store.

Fixes: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rob Crittenden
82c0b19acc Add HSM configuration options to installer scripts
The bulk of the installer effort to enable HSM support without
having to provide an override file.

This pulls the HSM configuration from a remote server when installing
a replica so that the token name and library don't need to be
passed with every installation.

Fixes: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rob Crittenden
d9efa728c5 Add LDAP attribute ipaCaHSMConfiguration to store HSM state
This will be used so that when a replica is created it can
configure the HSM without relying on the user to pass in
the same token, library name, etc.

Fixes: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Mark Reynolds
cbe1873591 IPA-to-IPA migration tool (beta)
Tool for migrating one remote IPA server to a local IPA server.
This should still be considered the beta version as it has not gone
through any QE yet

Fixes: https://pagure.io/freeipa/issue/3656

signed-off: Mark Reynolds (mreynolds@redhat.com)
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-04-04 15:49:42 -04:00
Francisco Trivino
305fcc25b4 kra: set RSA-OAEP as default wrapping algo when FIPS is enabled
Vault uses PKCS1v15 as default padding wrapping algo, which is not an approved
FIPS algorithm. This commit ensures that KRA is installed with RSA-OAEP if FIPS
is enabled. It also handles upgrade path.

Fixes: https://pagure.io/freeipa/issue/9191

Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-01-30 10:18:02 -05:00
007hacky007
49c090b976
webui: Unify user group members columns with users columns
Adds 'givenname', 'sn' and 'nsaccountlock' columns to the user group members
and makes columns in the users view and user group members unified.
i.e. Makes easy to see disabled users in the group.

Fixes: https://pagure.io/freeipa/issue/9390
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Carla Martinez <carlmart@redhat.com>
2024-01-12 15:26:45 +01:00
Endi S. Dewata
dc2ab91681 Remove unused pki_theme_* params
The pki_theme_enable and pki_theme_server_dir params are not
used by pkispawn so they can be removed.

Signed-off-by: Endi Sukma Dewata <edewata@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-12-19 12:51:46 +01:00
Jeremy Frasier
c63fe925fb Fixes: Python SyntaxWarnings about invalid escape sequences
Otherwise we get some SyntaxWarnings about invalid escape sequences
such as '\d' and '\{', e.g.:
  /usr/sbin/ipa-replica-manage:393: SyntaxWarning: invalid escape sequence '\{'
    data = re.match('\{replica (\d+) (ldap://.*:\d+)\}(\s+\w+\s+\w*){0,1}', ruv)
  /usr/sbin/ipa-replica-manage:721: SyntaxWarning: invalid escape sequence '\d'
    (re.sub(':\d+', '', x), y)
  /usr/sbin/ipa-replica-manage:726: SyntaxWarning: invalid escape sequence '\d'
    (re.sub(':\d+', '', x), y)

Fixes: https://pagure.io/freeipa/issue/9483

Signed-off-by: Jeremy Frasier <jeremy.frasier@gwe.cisa.dhs.gov>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2023-11-16 15:06:26 -05:00
Endi S. Dewata
44349cfa76 Remove unused hierarchy.select
The hierarchy.select param has been removed in PKI 11.5 so
it doesn't need to be updated in renew_ca_cert.in.

Signed-off-by: Endi Sukma Dewata <edewata@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-10-19 07:44:27 +02:00
Viktor Ashirov
fe005dd388 WebUI: update favicon.ico
I noticed that FreeIPA favicon is a bit squished. I would like to unsquish it.
And resize it to 32x32 pixels as it would look a bit better on HiDPI screens.

Fixes: https://pagure.io/freeipa/issue/9449

Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Carla Martinez <carlmart@redhat.com>
2023-10-05 07:38:05 +02:00
Alexander Bokovoy
f123b01d81 updates: add ACIs for RBCD self-management
Fixes: https://pagure.io/freeipa/issue/9354

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
2023-09-11 09:51:51 +02:00
Rafael Guterres Jeffman
82b129fe76 Fix typo in "Subordinate ID Selfservice User" role
The description of "Subordinate ID Selfservice User" role had
'subordiante' instead of 'subordinate'.

This patch corrects the default value and adds a replace to fix
existing deployments.

Related: https://pagure.io/freeipa/issue/9418

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-08-21 10:41:57 +02:00
Endi S. Dewata
33c2740d82 Remove default values for pki_ca_signing_*_path
In the future pkispawn will validate all path params so the
default values for pki_ca_signing_csr_path and
pki_ca_signing_cert_path need to be removed since they point
to non-existent files. When the params are actually used for
installing an external CA, CAInstance.__spawn_instance()
will initialize them with the correct paths.

Signed-off-by: Endi Sukma Dewata <edewata@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-08-15 12:00:09 -04:00
Endi S. Dewata
a9ee2adec3 Remove non-existent default pki_cert_chain_path
In the future pkispawn will validate all path params so the
default value for pki_cert_chain_path needs to be removed
since it points to a non-existent file. When the param is
actually used (e.g. for installing with an external CA)
CAInstance.__spawn_instance() will configure the param to
point to the actual cert chain.

Signed-off-by: Endi Sukma Dewata <edewata@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-08-11 09:58:17 +02:00
Endi S. Dewata
7233944e74 Add pki_share_dbuser_dn for CA
In the future the default value for pki_share_dbuser_dn might
change. To ensure that CA and KRA in IPA will use the same
database user, the pki_share_dbuser_dn needs to be defined
for CA to match the same param for KRA.

Signed-off-by: Endi Sukma Dewata <edewata@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-08-11 09:57:31 +02:00
Endi S. Dewata
cfc4f47a10 Remove unused subsystem.count
The subsystem.count param has actually been removed since
PKI 10.10 so it doesn't need to be set in renew_ca_cert.in.

Signed-off-by: Endi Sukma Dewata <edewata@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-08-11 09:56:33 +02:00
Florence Blanc-Renaud
14526c50bb Webui tests: fix test failure
Fix translation issues in webui unit tests

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Florence Blanc-Renaud
0075c8b8f6 passkeyconfig: require-user-verification is a boolean
ipa passkeyconfig-mod now accepts Boolean values for
--require-user-verification

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Florence Blanc-Renaud
c016e271b2 Passkey: add "passkey configuration" to webui
Add a "Passkey configuration" subtab in the "Policy" tab,
showing the settings for passkeyconfig.

Related: https://pagure.io/freeipa/issue/9261

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Florence Blanc-Renaud
510f806a9f WebUI: improve passkey display
The passkey is a long string and not user-friendly.
Instead of showing the whole passkey in the webui, only show
the id part and a string for discoverable or server-side passkey.

Related: https://pagure.io/freeipa/issue/9261
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Florence Blanc-Renaud
c58e483095 Passkey support: show the passkey in webui
Display the passkey value for user or stageuser
in the user details page
Allow addition/removal of a passkey

Related: https://pagure.io/freeipa/issue/9261
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Florence Blanc-Renaud
f8580cae4b WebUI: add support for passkey auth type and auth indicator
Add new checkbox value "Passkey" for authentication type
(user page, config page)
Add new checkbox value "Passkey" for authentication indicator
(service page, host page)
Add new fields for Passkey krbptpolicy (max life, max renew)

Related: https://pagure.io/freeipa/issue/9262
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Florence Blanc-Renaud
a21214cb9e API: add new commands for passkey mappings
- ipa user-add-passkey
- ipa user-remove-passkey
- ipa stageuser-add-passkey
- ipa stageuser-remove-passkey

Fixes: https://pagure.io/freeipa/issue/9261
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Florence Blanc-Renaud
4bd1be9e90 API: add new commands for ipa passkeyconfig-show | mod
Currently supports a single parameter:
--require-user-verification [ 'on', 'off', 'default']

Related: https://pagure.io/freeipa/issue/9261
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Florence Blanc-Renaud
af569508c1 New schema for Passkey mappings
Add attributetypes and objectclasses for Passkey config object
and Passkey mappings.

Related: https://pagure.io/freeipa/issue/9261
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Rob Crittenden
a1ed0ff77e Replace usage of #!/usr/bin/env python3 with #!/usr/bin/python3
Only three remaining scripts used this form, two of which are
for developers only and not shipped.

The shebang in ipa-ccache-sweeper will be converted to
"#!$(PYTHON) -I" in the build process.

Fixes: https://pagure.io/freeipa/issue/8941

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2023-05-31 09:21:48 +02:00
Timo Aaltonen
a83ae63578 Drop duplicate includedir from krb5.conf
SSSD already provides a config snippet which includes
SSSD_PUBCONF_KRB5_INCLUDE_D_DIR, and having both breaks Java.

Add also a dependency on sssd-krb5 for freeipa-client.

https://pagure.io/freeipa/issue/9267

Signed-off-by: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-04-27 08:52:51 +02:00
Alexander Bokovoy
4239b77a6d IPA API changes to support RBCD
IPA API commands to manage RBCD access controls.

Fixes: https://pagure.io/freeipa/issue/9354

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-04-05 14:55:22 -04:00
Jarl Gullberg
a59f6e00d9 install: Fix missing dyndb keytab directive
bind-dyndb-ldap uses the krb5_keytab directive to set the path to
the keytab to use. This directive was not being used in the
configuration template, resulting in a failure to start named if
the keytab path differed from the defaults.

This issue was discovered when packaging FreeIPA for Debian,
which is one of the platforms where the path is customized.

Signed-off-by: Jarl Gullberg <jarl.gullberg@gmail.com>
Fixes: https://pagure.io/freeipa/issue/9344
Reviewed-By: Timo Aaltonen <tjaalton@ubuntu.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-04-03 16:58:27 -04:00
Alexander Bokovoy
ebac8f6f9b Use system-wide chromium for webui tests
Fixes: https://pagure.io/freeipa/issue/9347

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2023-03-21 16:54:28 +01:00
Stanislav Levin
64fa6b7241 tests: webui: Update vendored qunit
Updated qunit to latest supported version from
https://code.jquery.com/qunit.

See https://qunitjs.com/intro/#release-channels for details.

Related: https://pagure.io/freeipa/issue/9329
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-02-17 09:44:53 +01:00
Stanislav Levin
a7e13f9719 tests: webui: Load qunit only once
webui unit tests fail with grunt-contrib-qunit:
```
Testing test/all_tests.html

>> Error: Error: QUnit has already been defined.
>>     at exportQUnit (file:///home/test/freeipa/install/ui/js/qunit.js:2475:12)
>>     at file:///home/test/freeipa/install/ui/js/qunit.js:2946:3
>>     at file:///home/test/freeipa/install/ui/js/qunit.js:5061:2

>> Error: TypeError: Cannot set properties of undefined (setting 'reorder')
>>     at <anonymous>:175:24
>>     at runFactory (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:17157)
>>     at execModule (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:19541)
>>     at file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:20002
>>     at guardCheckComplete (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:19707)
>>     at checkComplete (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:19854)
>>     at onLoadCallback (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:22296)
>>     at HTMLScriptElement.onLoad (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:26209)
```

Load `qunit` with `dojo.require` that among other useful things helps
> Preventing loading Dojo packages twice.
  dojo.require will simply return if the package is already loaded.

See also https://github.com/gruntjs/grunt-contrib-qunit#loading-qunit-with-amd

Related: https://pagure.io/freeipa/issue/9329
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-02-17 09:44:53 +01:00
Stanislav Levin
5c35405e78 tests: webui: Allow file access from files in tests
https://peter.sh/experiments/chromium-command-line-switches/#allow-file-access-from-files
> By default, file:// URIs cannot read other file:// URIs. This is an
  override for developers who need the old behavior for testing.

Fixes webui tests on CI:
```
Testing test/all_tests.html
Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user's experience. For more help, check https://xhr.spec.whatwg.org/.
Access to XMLHttpRequest at 'file:///__w/freeipa/freeipa/install/ui/test/qunit.js' from origin 'null' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-untrusted, https.
Failed to load resource: net::ERR_FAILED
Access to XMLHttpRequest at 'file:///__w/freeipa/freeipa/install/ui/test/data/i18n_messages.json' from origin 'null' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-untrusted, https.
Failed to load resource: net::ERR_FAILED
>> Error: Error: Couldn't receive translations
```

Related: https://pagure.io/freeipa/issue/9329
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-02-17 09:44:53 +01:00
Rob Crittenden
724c8314b5 Fix setting values of 0 in ACME pruning
Replace comparisons of "if value" with "if value is not None"
in order to handle 0.

Add a short reference to the man page to indicat that a cert
or request retention time of 0 means remove at the next
execution.

Also indicate that the search time limit is in seconds.

Fixes: https://pagure.io/freeipa/issue/9325

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2023-02-09 13:28:23 -05:00
Rob Crittenden
78298fd4e1 ipa-acme-manage: add certificate/request pruning management
Configures PKI to remove expired certificates and non-resolved
requests on a schedule.

This is geared towards ACME which can generate a lot of certificates
over a short period of time but is general purpose. It lives in
ipa-acme-manage because that is the primary reason for including it.

Random Serial Numbers v3 must be enabled for this to work.

Enabling pruning enables the job scheduler within CS and sets the
job user as the IPA RA user which has full rights to certificates
and requests.

Disabling pruning does not disable the job scheduler because the
tool is stateless. Having the scheduler enabled should not be a
problem.

A restart of PKI is required to apply any changes. This tool forks
out to pki-server which does direct writes to CS.cfg. It might
be easier to use our own tooling for this but this makes the
integration tighter so we pick up any improvements in PKI.

The "cron" setting is quite limited, taking only integer values
and *. It does not accept ranges, either - or /.

No error checking is done in PKI when setting a value, only when
attempting to use it, so some rudimentary validation is done.

Fixes: https://pagure.io/freeipa/issue/9294

Signed-off-by: Rob Crittenden rcritten@redhat.com
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-02-02 07:36:16 +01:00
Florence Blanc-Renaud
5154f8e639 automember-rebuild: add a notice about high CPU usage
The automember-rebuild task may require high CPU usage
if many users/hosts/groups are processed.
Add a note in the ipa automember-rebuild CLI output
and in the WebUI confirmation message.

Fixes: https://pagure.io/freeipa/issue/9320
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2023-02-02 07:33:36 +01:00