We were previousily taking the provided ca cert and creating a temporary
file from it. This was incorrect and caused the secure connection to
fail. Instead just use the file path provided.
Fixes: https://pagure.io/freeipa/issue/9619
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The versioning in ipa-migrate was removed, but the "-V" option to display the version was not removed.
Fixes: https://pagure.io/freeipa/issue/9620
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Specifying the --v option results in an error.
The --v option is incorrect and should be -v.
Fixes: https://pagure.io/freeipa/issue/9617
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The domain and ca objects were unreadable which caused
the conneciton lines between nodes in the UI to not be
visible.
Also add a manual ACI to allow reading the min/max
domain level.
Fixes: https://pagure.io/freeipa/issue/9594
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
The behavior of ipa-replica-manage list-ruv was modified with
the commit 544652a and now displays host short names instead
of FQDN:port.
Fix the regular expression in order to return the FQDN:port again.
Fixes: https://pagure.io/freeipa/issue/9598
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
jwcrypto has turned JWK object into a dict-like structure in 2020 and
marked data wrappers as deprecated. The only exception for direct
foo['bar'] access is a key ID -- some keys might have no 'kid' property,
thus it is best to use jwk.get('kid') instead for those.
Fixes: https://pagure.io/freeipa/issue/9597
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Sometimes RUV's are missing the LDAP Url and max/min csns. This prevents
cleanallruv task from running. However, cleanallruv doesn't need to
know the LDAP URL or min/max csns. Added a new paramter to get_run()
called "strict", and when set to False it will still process and
include incomplete RUVs.
Fixes: https://pagure.io/freeipa/issue/9591
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
hsm_validator was validating that the token was available but
not that the provided password worked. Add that capability.
Also call it early in the CA and KRA installation cycle so that
it errors out early. This is particularly important for the KRA
because there is no uninstaller.
Bump the minimum PKI release to 11.5.0 as that contains important
fixes for the HSM.
Remove an unused arguments to hsm_version and hsm_validator.
Related: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
On a non-HSM, non-renewal-server replica we look in LDAP for
an updated certificate. If the certificates don't match then we
have a new one and write it out. If they match the assumption is
that it hasn't been renewed yet so go into CA_WORKING.
The problem is that for networked HSMs the cert will already be
visible in the database so certmonger will always be in CA_WORKING.
In this case we can assume that if the certs are the same then
that's just fine.
Related: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The PKI audit certificates require that trusted peer (P) be
set on the certificate. This is done already for the CA audit
certificate. Also set this on the KRA audit certificate on
renewal.
https://pagure.io/freeipa/issue/9353
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This script deletes all CA certificates so a new chain
can be loaded. It identified CA certs by those that did
not have private keys. This change adds the ca_flags test
in as well. It is probably sufficient on its own but it
is left for compatibility.
An HSM-based NSS database when not accessing it with the
token will not contain the private keys so removing all
certificates without a private key will remove certificates
that it shouldn't. The NSS softoken stores the certifcate
trust so the certificates will be visible but they lack
private keys because those reside in the HSM. Therefore
deleting any certificate without a private key removed
nearly everything.
Preserve the nickname 'caSigningCert cert-pki-ca'. The
certstore uses the nickame format '{REALM} IPA CA' and
will replace the PKI-named key if we don't act to
preserve it.
Fixes: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The certificates live on the token so need to be retrieved
from there with the token name. The certificates are visible
in NSS softoken but operations need to be done on the HSM
version. The right password is necessary so retrieve it from
the PKI password store.
Fixes: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The bulk of the installer effort to enable HSM support without
having to provide an override file.
This pulls the HSM configuration from a remote server when installing
a replica so that the token name and library don't need to be
passed with every installation.
Fixes: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This will be used so that when a replica is created it can
configure the HSM without relying on the user to pass in
the same token, library name, etc.
Fixes: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Tool for migrating one remote IPA server to a local IPA server.
This should still be considered the beta version as it has not gone
through any QE yet
Fixes: https://pagure.io/freeipa/issue/3656
signed-off: Mark Reynolds (mreynolds@redhat.com)
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Vault uses PKCS1v15 as default padding wrapping algo, which is not an approved
FIPS algorithm. This commit ensures that KRA is installed with RSA-OAEP if FIPS
is enabled. It also handles upgrade path.
Fixes: https://pagure.io/freeipa/issue/9191
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Adds 'givenname', 'sn' and 'nsaccountlock' columns to the user group members
and makes columns in the users view and user group members unified.
i.e. Makes easy to see disabled users in the group.
Fixes: https://pagure.io/freeipa/issue/9390
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Carla Martinez <carlmart@redhat.com>
The pki_theme_enable and pki_theme_server_dir params are not
used by pkispawn so they can be removed.
Signed-off-by: Endi Sukma Dewata <edewata@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The hierarchy.select param has been removed in PKI 11.5 so
it doesn't need to be updated in renew_ca_cert.in.
Signed-off-by: Endi Sukma Dewata <edewata@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
I noticed that FreeIPA favicon is a bit squished. I would like to unsquish it.
And resize it to 32x32 pixels as it would look a bit better on HiDPI screens.
Fixes: https://pagure.io/freeipa/issue/9449
Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Carla Martinez <carlmart@redhat.com>
The description of "Subordinate ID Selfservice User" role had
'subordiante' instead of 'subordinate'.
This patch corrects the default value and adds a replace to fix
existing deployments.
Related: https://pagure.io/freeipa/issue/9418
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
In the future pkispawn will validate all path params so the
default values for pki_ca_signing_csr_path and
pki_ca_signing_cert_path need to be removed since they point
to non-existent files. When the params are actually used for
installing an external CA, CAInstance.__spawn_instance()
will initialize them with the correct paths.
Signed-off-by: Endi Sukma Dewata <edewata@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
In the future pkispawn will validate all path params so the
default value for pki_cert_chain_path needs to be removed
since it points to a non-existent file. When the param is
actually used (e.g. for installing with an external CA)
CAInstance.__spawn_instance() will configure the param to
point to the actual cert chain.
Signed-off-by: Endi Sukma Dewata <edewata@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
In the future the default value for pki_share_dbuser_dn might
change. To ensure that CA and KRA in IPA will use the same
database user, the pki_share_dbuser_dn needs to be defined
for CA to match the same param for KRA.
Signed-off-by: Endi Sukma Dewata <edewata@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The subsystem.count param has actually been removed since
PKI 10.10 so it doesn't need to be set in renew_ca_cert.in.
Signed-off-by: Endi Sukma Dewata <edewata@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add a "Passkey configuration" subtab in the "Policy" tab,
showing the settings for passkeyconfig.
Related: https://pagure.io/freeipa/issue/9261
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The passkey is a long string and not user-friendly.
Instead of showing the whole passkey in the webui, only show
the id part and a string for discoverable or server-side passkey.
Related: https://pagure.io/freeipa/issue/9261
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Display the passkey value for user or stageuser
in the user details page
Allow addition/removal of a passkey
Related: https://pagure.io/freeipa/issue/9261
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add new checkbox value "Passkey" for authentication type
(user page, config page)
Add new checkbox value "Passkey" for authentication indicator
(service page, host page)
Add new fields for Passkey krbptpolicy (max life, max renew)
Related: https://pagure.io/freeipa/issue/9262
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Currently supports a single parameter:
--require-user-verification [ 'on', 'off', 'default']
Related: https://pagure.io/freeipa/issue/9261
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Only three remaining scripts used this form, two of which are
for developers only and not shipped.
The shebang in ipa-ccache-sweeper will be converted to
"#!$(PYTHON) -I" in the build process.
Fixes: https://pagure.io/freeipa/issue/8941
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
SSSD already provides a config snippet which includes
SSSD_PUBCONF_KRB5_INCLUDE_D_DIR, and having both breaks Java.
Add also a dependency on sssd-krb5 for freeipa-client.
https://pagure.io/freeipa/issue/9267
Signed-off-by: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
IPA API commands to manage RBCD access controls.
Fixes: https://pagure.io/freeipa/issue/9354
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
bind-dyndb-ldap uses the krb5_keytab directive to set the path to
the keytab to use. This directive was not being used in the
configuration template, resulting in a failure to start named if
the keytab path differed from the defaults.
This issue was discovered when packaging FreeIPA for Debian,
which is one of the platforms where the path is customized.
Signed-off-by: Jarl Gullberg <jarl.gullberg@gmail.com>
Fixes: https://pagure.io/freeipa/issue/9344
Reviewed-By: Timo Aaltonen <tjaalton@ubuntu.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fixes: https://pagure.io/freeipa/issue/9347
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
webui unit tests fail with grunt-contrib-qunit:
```
Testing test/all_tests.html
>> Error: Error: QUnit has already been defined.
>> at exportQUnit (file:///home/test/freeipa/install/ui/js/qunit.js:2475:12)
>> at file:///home/test/freeipa/install/ui/js/qunit.js:2946:3
>> at file:///home/test/freeipa/install/ui/js/qunit.js:5061:2
>> Error: TypeError: Cannot set properties of undefined (setting 'reorder')
>> at <anonymous>:175:24
>> at runFactory (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:17157)
>> at execModule (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:19541)
>> at file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:20002
>> at guardCheckComplete (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:19707)
>> at checkComplete (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:19854)
>> at onLoadCallback (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:22296)
>> at HTMLScriptElement.onLoad (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:26209)
```
Load `qunit` with `dojo.require` that among other useful things helps
> Preventing loading Dojo packages twice.
dojo.require will simply return if the package is already loaded.
See also https://github.com/gruntjs/grunt-contrib-qunit#loading-qunit-with-amd
Related: https://pagure.io/freeipa/issue/9329
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
https://peter.sh/experiments/chromium-command-line-switches/#allow-file-access-from-files
> By default, file:// URIs cannot read other file:// URIs. This is an
override for developers who need the old behavior for testing.
Fixes webui tests on CI:
```
Testing test/all_tests.html
Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user's experience. For more help, check https://xhr.spec.whatwg.org/.
Access to XMLHttpRequest at 'file:///__w/freeipa/freeipa/install/ui/test/qunit.js' from origin 'null' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-untrusted, https.
Failed to load resource: net::ERR_FAILED
Access to XMLHttpRequest at 'file:///__w/freeipa/freeipa/install/ui/test/data/i18n_messages.json' from origin 'null' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-untrusted, https.
Failed to load resource: net::ERR_FAILED
>> Error: Error: Couldn't receive translations
```
Related: https://pagure.io/freeipa/issue/9329
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Replace comparisons of "if value" with "if value is not None"
in order to handle 0.
Add a short reference to the man page to indicat that a cert
or request retention time of 0 means remove at the next
execution.
Also indicate that the search time limit is in seconds.
Fixes: https://pagure.io/freeipa/issue/9325
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Configures PKI to remove expired certificates and non-resolved
requests on a schedule.
This is geared towards ACME which can generate a lot of certificates
over a short period of time but is general purpose. It lives in
ipa-acme-manage because that is the primary reason for including it.
Random Serial Numbers v3 must be enabled for this to work.
Enabling pruning enables the job scheduler within CS and sets the
job user as the IPA RA user which has full rights to certificates
and requests.
Disabling pruning does not disable the job scheduler because the
tool is stateless. Having the scheduler enabled should not be a
problem.
A restart of PKI is required to apply any changes. This tool forks
out to pki-server which does direct writes to CS.cfg. It might
be easier to use our own tooling for this but this makes the
integration tighter so we pick up any improvements in PKI.
The "cron" setting is quite limited, taking only integer values
and *. It does not accept ranges, either - or /.
No error checking is done in PKI when setting a value, only when
attempting to use it, so some rudimentary validation is done.
Fixes: https://pagure.io/freeipa/issue/9294
Signed-off-by: Rob Crittenden rcritten@redhat.com
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The automember-rebuild task may require high CPU usage
if many users/hosts/groups are processed.
Add a note in the ipa automember-rebuild CLI output
and in the WebUI confirmation message.
Fixes: https://pagure.io/freeipa/issue/9320
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>