Commit Graph

643 Commits

Author SHA1 Message Date
Stanislav Laznicka
33f13b6df9 sudocmd: fix unsupported assignment
sudocmd.get_dn() was trying to assign in an item of a tuple
which is not possible.

https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-09-08 15:42:07 +02:00
Stanislav Laznicka
353d4934af pylint: Iterate through dictionaries
The consider-iterating-dictionary check disable never worked before
(notice the missing comma in pylintrc). Fix the rest of the dict
iteration.

https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-09-08 15:42:07 +02:00
Florence Blanc-Renaud
a077c705fe
Fix ipa config-mod --ca-renewal-master
commit bddb90f38a added the support for
multivalued server attributes (for pkinit_server_server), but this
introduced an API change where the setter and getter of ServerAttribute
are expecting list of values.

When a SingleValuedServerAttribute is used, we need to convert one elem
into a list containing this elem and vice-versa, so that the ipa config-mod
and ipa config_show APIs are not modified.

https://pagure.io/freeipa/issue/7120

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-09-05 14:13:46 +02:00
Stanislav Laznicka
1b78f79283 cert: fix wrong assumption of cert-show result type
cert-show returns a base64 encoded certificate yet the assumption
here was for a PEM bytes instance.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2017-08-30 12:44:46 +02:00
Fraser Tweedale
cac7357ebd cert: fix application of 'str' to bytes when formatting otherName
Part of: https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-08-29 13:01:31 +02:00
Fraser Tweedale
b1e1109679 py3: fix schema response for py2 server with py3 client
The schema RPC response can include a bytes value for the
'topic_topic' field (when the server is running in Python 2).
In this case, a Python 3 client fails to initialise the API
when a schema fetch is required, because it cannot serialise
the bytes values in the schema object to JSON.

Ensure the 'topic_topic' value is unicode.

Part of: https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-08-29 12:57:02 +02:00
Stanislav Laznicka
2bc5b7f044 py3: remove relative import
https://pagure.io/freeipa/issue/4985
https://pagure.io/freeipa/issue/6874

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-08-29 12:55:25 +02:00
Stanislav Laznicka
e6a9de8a2e py3: remove Exception.message appearances
Exception.message is removed in Python3

https://pagure.io/freeipa/issue/4985
https://pagure.io/freeipa/issue/6874

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-08-29 12:55:25 +02:00
Stanislav Laznicka
6ca8787cc7 Uninstall: fix BytesWarning exception
When uninstalling, if server does not have all roles, exception
is thrown as the role is not found. `member_principal` variable
has to be string here, otherwise we're using str on bytes.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-08-25 09:42:51 +02:00
Stanislav Laznicka
31142ead83 Unify storing certificates in LDAP
Recent certificate refactoring left the system in a state where
the certificates are somewhere converted to DER format, somewhere
directly sent to ipaldap as IPACertificate objects. The latter
is the desirable way, make sure it's the one commonly used.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-08-25 09:40:15 +02:00
Pavel Vomacka
2a73b5d739 WebUI: Add hyphenate versions of Host(Role) Based strings
The hyphenated forms are less ambiguous and easier to read.
(For more grammar background, see for example
"Hyphenate Complex Adjectives" in http://stylepedia.net/
Grammar-Hyphenation )

https://pagure.io/freeipa/issue/6582

Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2017-08-22 10:38:10 +02:00
Stanislav Laznicka
7d217c8c9b
host, service: fix adding host/svc with a cert
ipaldap.LDAPEntry expects that entry attributes, if multi-valued,
are lists.

The recent cert refactoring made it possible to pass certificate
values from options directly to LDAPEntry. This should now be
handled in appropriate general way in baseldap.LDAPCreate
since if options.get() is called, it returns tuple instead
of list which confuses ipaldap.

https://pagure.io/freeipa/issue/7077

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-11 12:09:44 +02:00
Stanislav Laznicka
d147948fcc server plugin: pass bytes to ldap.modify_s
The server-del command passes str instance instead of bytes to
ldap.modify_s which results in the target server not being
removed properly.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2017-08-03 13:50:10 +02:00
Stanislav Laznicka
5a44ca6383 Create a Certificate parameter
Up until now, Bytes parameter was used for certificate parameters
throughout the framework. However, the Bytes parameter does nothing
special for certificates, like validation, so this had to be done
for each of the parameters which were supposed to represent a
certificate.

This commit introduces a special Certificate parameter which takes
care of certificate validation so this does not have to be done
separately. It also makes sure that the certificates represented by
this parameter are always converted to DER format so that we can work
with them in a unified manner throughout the framework.

This commit also makes it possible to pass bytes directly during
instantiation of the Certificate parameter and they are still
represented correctly after their conversion in the _convert_scalar()
method.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Stanislav Laznicka
b5732efda6 x509: Make certificates represented as objects
https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Stanislav Laznicka
4375ef860f Split x509.load_certificate() into PEM/DER functions
Splitting the load_certificate() function into two separate helps
us word the requirements for the input explicitly. It also makes
our backend similar to the one of python-cryptography so eventually
we can swap python-cryptography for IPA x509 module.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Pavel Vomacka
3cac851498 WebUI: Add positive number validator
Add new validator which inherits from integer validator
and checks whether the integer is positive.

https://pagure.io/freeipa/issue/6980

Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
2017-07-19 09:26:40 +02:00
Jan Cholasta
7a482b7c72 logging: do not log into the root logger
Deprecate `ipa_log_manager.root_logger` and replace all calls to it with
module-level logger calls.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
ab9d1e75fc logging: do not reference loggers in arguments and attributes
Remove logger arguments in all functions and logger attributes in all
objects, with the exception of API object logger, which is now deprecated.
Replace affected logger calls with module-level logger calls.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
ffadcb0414 logging: remove object-specific loggers
Remove all object-specific loggers, with the exception of `Plugin.log`,
which is now deprecated. Replace affected logger calls with module-level
logger calls.

Deprecate object-specific loggers in `ipa_log_manager.get_logger`.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Fraser Tweedale
227cf8d4e9
cert-request: simplify request processing
Currently the cert-request execution is complicated and cannot
handle aliases in the --principal argument.

Implement the following simplifications:

- Search all user/host/service accounts at once, by krbPrincipalName
  (error if no account found).  Use principal canonical name to
  determine the type of the principal.

- Update subject principals userCertificate attribute uniformly,
  instead of dispatching to user/host/service-mod based on type of
  principal.

Fixes: https://fedorahosted.org/freeipa/ticket/6531
Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
2017-07-14 09:24:20 +02:00
Martin Basti
041982f073
baseldap: fix format string
Fixes missing type specification in format string.

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-07-14 09:19:11 +02:00
Tibor Dudlák
17f03a7952 whoami.py: Type error when running tests
While test run the TypeError occured in whoami.validate_output().
There should be 'tuple' type in output too.

Fixes: https://pagure.io/freeipa/issue/7050
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-07 14:44:42 +02:00
Martin Babinsky
f4d77533f5 *config-show: Do not show empty roles/attributes
If the role or attribute is empty (i.e. no server provides the role or
the caller has no read access to  the required information) do not
return empty attributes. This is consistent with other behavior
displayed by optional multivalued Params.

https://pagure.io/freeipa/issue/7029

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-04 14:42:43 +02:00
Jan Cholasta
4736fef6bb ldap2: remove URI argument from ldap2 constructor
LDAPClient should be used for ad-hoc connections, so the argument is not
necessary, and currently also unused.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-07-04 12:06:33 +02:00
Jan Cholasta
e9cb74fd27 user, migration: use LDAPClient for ad-hoc LDAP connections
Use LDAPClient instead of ldap2 for ad-hoc remote LDAP connections in the
user_status and migrate-ds plugins.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-07-04 12:06:33 +02:00
Martin Basti
c422206cc7 py3: dogtag.py: fix bytes warnings
/usr/lib/python3.5/site-packages/ipaserver/plugins/dogtag.py:1438: BytesWarning: str() on a bytes instance
   "parse_result:\\n%s" % (parse_func.__name__, xml_text, result))

https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-23 14:45:05 +02:00
Martin Basti
6024165101 CheckedIPAddress: remove match_local param
This parameter is unused in code. We are no longer testing if IP address
matches an interface in constructor.

https://pagure.io/freeipa/issue/4317

Reviewed-By: David Kupka <dkupka@redhat.com>
2017-06-20 11:29:41 +02:00
Felipe Volpone
36532031cf
Changing cert-find to go through the proxy instead of using the port 8080
The cert-find command now uses the proxy to reach Dogtag, instead of using
the port 8080. In order to accomplish that, it's necessary to change the
proxy configuration including the URL called.

https://pagure.io/freeipa/issue/6966

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-06-16 08:56:53 +02:00
Tibor Dudlák
74d36a8af6 dnsserver.py: dnsserver-find no longer returns internal server error
Invocation of the ipa dnsserver-find command failed with
internal server error when there is no DNS server in topology.

Fixes: https://pagure.io/freeipa/issue/6571
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-15 13:51:06 +02:00
Alexander Bokovoy
abb6384875 trust-mod: allow modifying list of UPNs of a trusted forest
There are two ways for maintaining user principal names (UPNs) in Active
Directory:
 - associate UPN suffixes with the forest root and then allow for each
   user account to choose UPN suffix for logon
 - directly modify userPrincipalName attribute in LDAP

Both approaches lead to the same result: AD DC accepts user@UPN-Suffix
as a proper principal in AS-REQ and TGS-REQ.

The latter (directly modify userPrincipalName) case has a consequence
that this UPN suffix is not visible via netr_DsRGetForestTrustInformation
DCE RPC call. As result, FreeIPA KDC will not know that a particular UPN
suffix does belong to a trusted Active Directory forest. As result, SSSD
will not be able to authenticate and validate this user from a trusted
Active Directory forest.

This is especially true for one-word UPNs which otherwise wouldn't work
properly on Kerberos level for both FreeIPA and Active Directory.

Administrators are responsible for amending the list of UPNs associated
with the forest in this case. With this commit, an option is added to
'ipa trust-mod' that allows specifying arbitrary UPN suffixes to a
trusted forest root.

As with all '-mod' commands, the change replaces existing UPNs when
applied, so administrators are responsible to specify all of them:

  ipa trust-mod ad.test --upn-suffixes={existing.upn,another_upn,new}

Fixes: https://pagure.io/freeipa/issue/7015
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-14 16:38:12 +02:00
Tibor Dudlák
063211d665 server.py: Removes dns-server configuration from ldap
After invocation of the ipa server-del <hostname>
command there was still record in ldap if DNS
was installed on the <hostname> server.

Fixes: https://pagure.io/freeipa/issue/6572
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-08 16:54:04 +02:00
Felipe Volpone
44bd5e358b Changing cert-find to do not use only primary key to search in LDAP.
In service.py the primary key is krbCanonicalName, which we
don't want to use to do searchs. Now, cert-find uses primary
key or a specified attribute to do searches in LDAP, instead
of using only a primary key.

https://pagure.io/freeipa/issue/6948

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-06-02 16:45:43 +02:00
Fraser Tweedale
5f0e13ce9c ca-add: validate Subject DN name attributes
If the Subject DN is syntactically valid but contains unrecognised
name attributes, FreeIPA accepts it but Dogtag rejects it, returning
status 400 and causing the framework to raise RemoteRetrieveError.

Update the ca-add command to perform some additional validation on
the user-supplied Subject DN, making sure that we recognise all the
attributes.

Fixes: https://pagure.io/freeipa/issue/6987
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
2017-06-01 09:28:36 +02:00
Tibor Dudlák
d73ec06cb3 user.py: replace user_mod with ldap.update_entry()
Refactoring user_add class to use 'ldap.update_entry()' call
instead of api call 'user_mod' when --noprivate option is used.

https://pagure.io/freeipa/issue/5788

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-30 12:35:41 +02:00
Martin Babinsky
99352731b4 Add pkinit-status command
This command is a more streamlined reporting tool for PKINIT feature
status in the FreeIPA topology. It prints out whether PKINIT is enabled
or disabled on individual masters in a topology. If a`--server` is
specified, it reports status for an individual server. If `--status` is
specified, it searches for all servers that have PKINIT enabled or
disabled.

https://pagure.io/freeipa/issue/6937

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-26 16:11:40 +02:00
Martin Babinsky
f80553208e Add the list of PKINIT servers as a virtual attribute to global config
https://pagure.io/freeipa/issue/6937

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-26 16:11:40 +02:00
Martin Babinsky
cac7e49daa Refactor the role/attribute member reporting code
The `config` object now hosts a generic method for updating the config
entry for desired server role configuration (if not empty). The
duplicated code in dns/trust/vaultconfig commands was replaced by a call
to a common method.

https://pagure.io/freeipa/issue/6937

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-26 16:11:40 +02:00
Martin Babinsky
bddb90f38a Allow for multivalued server attributes
In order to achieve the task, the following changes were required:

* vectorize the base class for server attributes
* add a child class that enforces single-value attributes. It still
  accepts/returns single-value lists in order to not break Liskov
  substitution principle
* Existing attributes inherit from the child class

https://pagure.io/freeipa/issue/6937

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-26 16:11:40 +02:00
Stanislav Laznicka
24099d0f80 Remove pkinit-anonymous command
Ever since from v4.5, FreeIPA expects at least some kind of
anonymous PKINIT to work. The pkinit-anonymous command was supposed
to enable/disable anonymous pkinit by locking/unlocking the
anonymous principal. We can't allow this for FreeIPA to work
so we are removing the command as it was never supported anyway.

https://pagure.io/freeipa/issue/6936

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-05-23 18:05:22 +02:00
Florence Blanc-Renaud
a02a0a95f2 server-del: update defaultServerList in cn=default,ou=profile,$BASE
ipa server-del should remove the server from the entry
cn=default,ou=profile,$BASE
The entry contains an attribute
defaultServerList: srv1.domain.com srv2.domain.com srv3.domain.com

The code calls srvlist = ret.single_value.get('defaultServerList') which means
that srvlist contains a single value (string) containing all the servers
separated by a space, and not a list of attribute values. Because of that,
srvlist[0] corresponds to the first character of the value.
The fix splits srvlist and not srvlist[0].

https://pagure.io/freeipa/issue/6943

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 18:45:52 +02:00
René Genz
a0566ed9ce fix minor spelling mistakes
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-19 09:52:46 +02:00
Felipe Volpone
d51af28bdb Fixing adding authenticator indicators to host
The check for krbprincipalaux in the entries is now made
case-insensitively.

https://pagure.io/freeipa/issue/6911

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-05-16 10:29:00 +02:00
Felipe Volpone
d973168e89 Fixing the cert-request comparing whole email address case-sensitively.
Now, the cert-request command compares the domain part of the
email case-insensitively.

https://pagure.io/freeipa/issue/5919

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-05-16 09:50:22 +02:00
Stanislav Laznicka
0d406fcb78 Refresh Dogtag RestClient.ca_host property
Refresh the ca_host property of the Dogtag's RestClient class when
it's requested as a context manager.

This solves the problem which would occur on DL0 when installing
CA which needs to perform a set of steps against itself accessing
8443 port. This port should however only be available locally so
trying to connect to remote master would fail. We need to make
sure the right CA host is accessed.

https://pagure.io/freeipa/issue/6878

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-05-02 17:33:25 +02:00
Christian Heimes
5197422ef6 Vault: Explicitly default to 3DES CBC
The server-side plugin for IPA Vault relied on the fact that the default
oid for encryption algorithm is 3DES in CBC mode (DES-EDE3-CBC). Dogtag
10.4 has changed the default from 3DES to AES. Pass the correct
algorithm OID to KeyClient.archive_encrypted_data().

Closes: https://pagure.io/freeipa/issue/6899
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-04-28 08:25:03 +02:00
Gabe
38276d3473 Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
- Update get_attr_filter in LDAPSearch to handle nsaccountlock by setting the default value for
  nsaccountlock to false as well as update the filter to check for the default value
- Remove pytest xfail for test_find_enabled_user

https://pagure.io/freeipa/issue/6896

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-26 10:20:42 +00:00
Jan Cholasta
eb6d4c3037 cert: defer cert-find result post-processing
Rather than post-processing the results of each internal search,
post-process the combined result.

This avoids expensive per-certificate searches when cert-find is executed
with the --all option on certificates which won't even be included in the
combined result.

https://pagure.io/freeipa/issue/6808

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-04-19 11:28:27 +00:00
Alexander Bokovoy
e560899cce trust: always use oddjobd helper for fetching trust information
Since introduction of privilege separation in IPA framework none of the
operations that require direct access to the framework's credentials can
be done. All authentication has to be performed with GSSAPI.

As result, we cannot obtain TGT for HTTP/.. principal with kinit
anymore, so it is better to re-route all types of trust to oddjobd
helper and get rid of casing out two-way trust.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1438366

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-04-11 14:16:39 +02:00
Florence Blanc-Renaud
70743c8c48
idrange-add: properly handle empty --dom-name option
When idrange-add is called with --dom-name=, the CLI exits with
ipa: ERROR: an internal error has occurred
This happens because the code checks if the option is provided but does not
check if the value is None.

We need to handle empty dom-name as if the option was not specified.

https://pagure.io/freeipa/issue/6404

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-04-05 10:15:51 +02:00