Signed-off-by: David Kreitschmann <david@kreitschmann.de>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Since Thin client was introduced default values for options are not populated
in client side plugins. When option has default value and is needed in client
plugin it must be handled by explicitly.
https://pagure.io/freeipa/issue/6900
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Make jinja2 an optional dependency and csrgen an optional plugin
* Make otptoken_yubikey an optional plugin
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
An exception is raised when using echo "Secret123\n" | ipa vault-add myvault
This happens because the code is using (string).decode(sys.stdin.encoding)
and sys.stdin.encoding is None when the input is read from a pipe.
The fix is using the prompt_password method defined by Backend.textui,
which gracefully handles this issue.
https://pagure.io/freeipa/issue/6907
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Also modify cert_request to use this new format. Note, only PEM private
keys are supported for now. NSS databases are not.
https://pagure.io/freeipa/issue/4899
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
All requests now use the OpenSSL formatter. However, we keep Formatter
a separate class so that it can be changed out for tests.
https://pagure.io/freeipa/issue/4899
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In-memory cache causes problem in forking servers. A file based cache is
good enough. It's easier to understand and avoids performance regression
and synchronization issues when cert becomes out-of-date.
https://pagure.io/freeipa/issue/6787
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The CSR generation feature is supposed to be used from cert-request, hide
the internal cert-get-requestdata command in the CLI.
https://fedorahosted.org/freeipa/ticket/4899
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Include the full certificate chain in the output of cert-request, cert-show
and cert-find if --chain or --all is specified.
If output file is specified in the CLI together with --chain, the full
certificate chain is written to the file.
https://pagure.io/freeipa/issue/6547
Reviewed-By: David Kupka <dkupka@redhat.com>
The certificate returned by cert-request can now be saved to a file in the
CLI using a new --certificate-out option.
Deprecate --out in cert-show in favor of --certificate-out.
https://pagure.io/freeipa/issue/6547
Reviewed-By: David Kupka <dkupka@redhat.com>
Cache the KRA transport certificate on disk (in ~/.cache/ipa) as well as
in memory.
https://fedorahosted.org/freeipa/ticket/6652
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Load the certificate from a file specified in the first argument. Raw
certificate value can be specified using --certificate.
https://pagure.io/freeipa/issue/6646
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
`dnsrecord_add` interactive mode might prompt for value of non-existent
arguments `a_part_create_reverse` and `aaaa_part_create_reverse`. This
happens because `dnsrecord_add` extra flags are incorrectly defined as
parts of the respective DNS records.
Remove extra flags from DNS record parts to fix the interactive mode on old
clients talking to new servers. Skip non-existent arguments in the
interactive mode to fix new clients talking to old servers.
https://fedorahosted.org/freeipa/ticket/6457
Reviewed-By: Martin Basti <mbasti@redhat.com>
Replace NSSConnection with httplib.HTTPSConenction to be able to remove
NSSConnection for good.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In case users want multiple CSR generation profiles that work with the
same dogtag profile, or in case the profiles are not named the same,
this flag allows specifying an alternative CSR generation profile.
https://fedorahosted.org/freeipa/ticket/4899
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Allows the `ipa cert-request` command to generate its own CSR. It no
longer requires a CSR passed on the command line, instead it creates a
config (bash script) with `cert-get-requestdata`, then runs it to build
a CSR, and submits that CSR.
Example usage (NSS database):
$ ipa cert-request --principal host/test.example.com --profile-id caIPAserviceCert --database /tmp/certs
Example usage (PEM private key file):
$ ipa cert-request --principal host/test.example.com --profile-id caIPAserviceCert --private-key /tmp/key.pem
https://fedorahosted.org/freeipa/ticket/4899
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Added option --out <path> creates a file with IPA DNS data in nsupdate
format.
https://fedorahosted.org/freeipa/ticket/6585
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This patch also contains some code changes to make the code easier to
test and to make the tests pass.
https://fedorahosted.org/freeipa/ticket/4899
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Adds a library that uses jinja2 to format a script that, when run, will
build a CSR. Also adds a CLI command, 'cert-get-requestdata', that uses
this library and builds the script for a given principal. The rules are
read from json files in /usr/share/ipa/csr, but the rule provider is a
separate class so that it can be replaced easily.
https://fedorahosted.org/freeipa/ticket/4899
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In py 3.5 json.loads requires to have string as input, all bytes must be
decoded.
Note: python 3.6 supports bytes for json.loads()
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In client plugins make sure the api_version is 'inherited' from server command
that is internally called. Otherwise the api_version is obtained from client
API instance. When calling server command from client command 'version' is
passed in options and it overrides the right one. Server then refuses to handle
such call.
https://fedorahosted.org/freeipa/ticket/6539
Reviewed-By: Martin Basti <mbasti@redhat.com>
Administrators need a way to retrieve the certificate or certificate
chain of an IPA-managed lightweight CA. Add params to the `ca'
object for carrying the CA certificate and chain (as multiple DER
values). Add the `--chain' flag for including the chain in the
result (chain is also included with `--all'). Add the
`--certificate-out' option for writing the certificate to a file (or
the chain, if `--chain' was given).
Fixes: https://fedorahosted.org/freeipa/ticket/6178
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
During thin client refactoring, LocalOrRemote class implementation of `run`
method was overriden by default Command implementation during instantiation of
client plugins from schema. This caused these commands to always forward this
request to IPA master.
This patch restores the original behavior: unless `--server` option was
specified, the commands will always print out local config.
https://fedorahosted.org/freeipa/ticket/6490
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
ipaclient plugins are now using nss_dir from api.env instead of
hard-coded paths.IPA_NSSDB_DIR.
Closes: https://fedorahosted.org/freeipa/ticket/6386
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Unused variables may:
* make code less readable
* create dead code
* potentialy hide issues/errors
Enabled check should prevent to leave unused variable in code
Check is locally disabled for modules that fix is not clear or easy or have too many occurences of
unused variables
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This commit removes unused variables or rename variables as "expected to
be unused" by using "_" prefix.
This covers only cases where fix was easy or only one unused variable
was in a module
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
When the command ipa dnsforwardzone-add is invoked without
specifying the forwarder as an argument and the forward
policy is not set to none, prompt for DNS forwarder.
https://fedorahosted.org/freeipa/ticket/6169
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Add a client-side fallback of the dnsrecord_split_parts command for old
servers to avoid CommandError in dnsrecord_add and dnsrecord_mod CLI
interactive mode.
https://fedorahosted.org/freeipa/ticket/6203
Reviewed-By: Martin Basti <mbasti@redhat.com>
Fix the code which determines if a record part is required and thus should
be prompted not to wrongfully consider all record parts to be optional.
https://fedorahosted.org/freeipa/ticket/6203
Reviewed-By: Martin Basti <mbasti@redhat.com>
When dnsrecord_add is called without options in interactive mode, it
prompts the user to enter a record type. The record type is expected to be
upper case further in the code, which causes non-upper case values not to
work correctly.
Fix this issue by upper casing the value after it is read.
https://fedorahosted.org/freeipa/ticket/6203
Reviewed-By: Martin Basti <mbasti@redhat.com>
Checking that classes are idenical gives the same result and
avoids unnecessary instantiation.
https://fedorahosted.org/freeipa/ticket/6048
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Add output params for the otptoken-add-yubikey, vault-add, vault-mod,
vault-archive and vault-retrieve commands.
This fixes the commands not having any output in CLI.
https://fedorahosted.org/freeipa/ticket/6182
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
ipa hbactest command produces a Traceback (TypeError: cannot concatenate
'str' and 'bool' objects)
This happens because hbactest overrides output_for_cli but does not
properly handle the output for 'value' field. 'value' contains a boolean
but it should not be displayed (refer to ipalib/frontend.py,
Command.output_for_cli()).
Note that the issue did not appear before because the 'value' field
had a flag no_display.
https://fedorahosted.org/freeipa/ticket/6157
Reviewed-By: Martin Basti <mbasti@redhat.com>
Avoid need to instantiate all commands just to get information for
displaying help.
https://fedorahosted.org/freeipa/ticket/6048
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Rather than checking the server counterpart's NO_CLI, which may be False
even for commands supported on the server, check wheter the server
counterpart is a command defined on the server or a local placeholder.
https://fedorahosted.org/freeipa/ticket/6089
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
`vault-add` commands does much processing depending on the vault type even
before the request is forwarded to remote server. Since default values for
parameters are now filled only on server side, the client-side logic would
fail if the vault type was not explicitly given. In this case we have to
retrieve and use the default vault type from schema.
https://fedorahosted.org/freeipa/ticket/6047
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
An extra parameter on client side command override of migrate-ds output
was causing errors.
https://fedorahosted.org/freeipa/ticket/6034
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Client plugins fot vault commands were disabled by NO_CLI=True,
inherited from vault_add_interal, that is always NO_CLI=True.
Introduced by this commit 8278da6967
Removed NO_CLI=True from client side plugins for vault.
https://fedorahosted.org/freeipa/ticket/6035
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add placeholders for remote plugins which are required by client-side
commands. They are used when the remote plugins are not available.
This fixes API initialization error when the remote server does not have
the plugins.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
This fixes API initialization errors when the remote server does not have
the overriden command.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
cert_remove_hold uses output params instead of exceptions to convey
unsuccessful result. Move the output params to the client side before
the command is fixed to use exceptions.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Allow search by certificate data or file in cert-find.
https://fedorahosted.org/freeipa/ticket/5381
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Implement cert as an object with methods rather than a bunch of loosely
related commands.
https://fedorahosted.org/freeipa/ticket/5381
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Since output params are copied from object plugins, remove them from
command schema and include object name instead.
One exception to this are the output params used for failed members in
member add/remove commands. Move these to the client side, as they will
be replaced by warnings.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Do not include the `count` and `total` output values in CLI output in
env.output_for_cli by default.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Obtain the information provided by the `hint` kwarg and `dnsrecord_part`
and `dnsrecord_extra` flags by other means.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Use only object params and params defined in has_output_params as output
params. This removes unnecessary duplication of params defined both in
object plugins and as command arguments.
This requires all command output params to be properly defined in either
the object plugins or the command's has_output_params. Fix the plugins
where this wasn't true.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
This patch implements most of the del_master_managed() functionality as a part
of `server-del` command.
`server-del` nows performs these actions:
* check topology connectivity
* check that at least one CA/DNS server and DNSSec masters are left
after removal
* cleanup all LDAP entries/attributes exposing information about the master
* cleanup master DNS records
* remove master and service principals
* remove master entry from LDAP
* check that all segments pointing to the master were removed
`server-del` now accepts the following options:
* `--force`: force master removal even if it doesn't exist
* `--ignore-topology-disconnect`: ignore errors arising from disconnected
topology before and after master removal
* `--ignore-last-of-role`: remove master even if it is last DNS server,
and DNSSec key master. The last CA will *not* be removed regardless of
this option.
https://fedorahosted.org/freeipa/ticket/5588
Reviewed-By: Martin Basti <mbasti@redhat.com>
command dns-update-system-records updates/fixes DNS records for IPA
services:
* updating A, AAAA records for CA
* updating SRV records for LDAP, kerberos and AD trust
* updating TXT record in _kerberos with proper realm
* updating dns locations if used
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
When IPA client is using Python 3, there is no str.decode() method
anymore.
ipa: ERROR: AttributeError: 'str' object has no attribute 'decode'
Traceback (most recent call last):
File "/usr/lib/python3.5/site-packages/ipalib/cli.py", line 1345, in run
sys.exit(api.Backend.cli.run(argv))
File "/usr/lib/python3.5/site-packages/ipalib/cli.py", line 1110, in run
rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, **options)
File "/usr/lib/python3.5/site-packages/ipaclient/plugins/otptoken.py", line 103, in output_for_cli
qr = self._get_qrcode(output, uri, options['version'])
File "/usr/lib/python3.5/site-packages/ipaclient/plugins/otptoken.py", line 61, in _get_qrcode
qr_code = qr_output.getvalue().decode(encoding)
AttributeError: 'str' object has no attribute 'decode' ipa: ERROR: an internal error has occurred
Fixes https://fedorahosted.org/freeipa/ticket/5938
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
location-show returns list of servers curently assigned to the location
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Dynamically create plugin package for the remote server with modules and
commands based on the API schema when client API is finalizes. For in-tree
API instances, use ipalib.plugins directly.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
File arguments are relevant only on the client, on the server they are the
same as Str. Specify the arguments as Str in ipalib.plugins and override
them with File in ipaclient.plugins.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Provide client-side overrides for command plugins which implement any of
the client-side `interactive_prompt_callback`, `forward` or
`output_for_cli` methods and move the methods from the original plugins to
the overrides.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Specify module topic by name rather than by name and summary. A topic
module of the topic name must exist. Summary is extracted from the
docstring of the topic module.
This changes makes topic handling more generic and consistent between
modules and commands.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Move the rpcclient backend and commands which are executed on the client
to ipaclient.plugins.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>