Commit Graph

122 Commits

Author SHA1 Message Date
David Kreitschmann
f1c6a5d8de Use os.fsync instead of os.fdatasync because macOS doesn't support fdatasync
Signed-off-by: David Kreitschmann <david@kreitschmann.de>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-05-17 14:07:13 +02:00
David Kupka
e415da22f3 otptoken-add-yubikey: When --digits not provided use default value
Since Thin client was introduced default values for options are not populated
in client side plugins. When option has default value and is needed in client
plugin it must be handled explicitly.

https://pagure.io/freeipa/issue/6900

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-16 11:39:43 +02:00
Christian Heimes
bd5a5012d2 Slim down dependencies
* Make jinja2 an optional dependency and csrgen an optional plugin
* Make otptoken_yubikey an optional plugin

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-09 17:17:29 +02:00
Florence Blanc-Renaud
d5c41ed4ad vault: piped input for ipa vault-add fails
An exception is raised when using echo "Secret123\n" | ipa vault-add myvault

This happens because the code is using (string).decode(sys.stdin.encoding)
and sys.stdin.encoding is None when the input is read from a pipe.
The fix is using the prompt_password method defined by Backend.textui,
which gracefully handles this issue.

https://pagure.io/freeipa/issue/6907

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-04-28 13:19:51 +02:00
Ben Lipton
e7588ab2dc csrgen: Modify cert_get_requestdata to return a CertificationRequestInfo
Also modify cert_request to use this new format. Note, only PEM private
keys are supported for now. NSS databases are not.

https://pagure.io/freeipa/issue/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-03 07:46:30 +00:00
Ben Lipton
136c6c3e2a csrgen: Change to pure openssl config format (no script)
https://pagure.io/freeipa/issue/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-03 07:46:30 +00:00
Ben Lipton
5420e9cfbe csrgen: Remove helper abstraction
All requests now use the OpenSSL formatter. However, we keep Formatter
a separate class so that it can be changed out for tests.

https://pagure.io/freeipa/issue/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-03 07:46:30 +00:00
Christian Heimes
abefb64bea Simplify KRA transport cert cache
In-memory cache causes problems in forking servers. A file based cache is
good enough. It's easier to understand and avoids performance regression
and synchronization issues when cert becomes out-of-date.

https://pagure.io/freeipa/issue/6787
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-28 08:10:03 +00:00
Jan Cholasta
72de679eb4 csrgen: hide cert-get-requestdata in CLI
The CSR generation feature is supposed to be used from cert-request, hide
the internal cert-get-requestdata command in the CLI.

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-14 12:26:16 +00:00
Jan Cholasta
8ed891cb61 cert: include certificate chain in cert command output
Include the full certificate chain in the output of cert-request, cert-show
and cert-find if --chain or --all is specified.

If output file is specified in the CLI together with --chain, the full
certificate chain is written to the file.

https://pagure.io/freeipa/issue/6547

Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-14 12:58:45 +01:00
Jan Cholasta
c60d9c9744 cert: add output file option to cert-request
The certificate returned by cert-request can now be saved to a file in the
CLI using a new --certificate-out option.

Deprecate --out in cert-show in favor of --certificate-out.

https://pagure.io/freeipa/issue/6547

Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-14 12:58:45 +01:00
Jan Cholasta
98bb5397c5 vault: cache the transport certificate on client
Cache the KRA transport certificate on disk (in ~/.cache/ipa) as well as
in memory.

https://fedorahosted.org/freeipa/ticket/6652

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-03-13 16:02:16 +01:00
Jan Cholasta
0298ecf441 certmap: load certificate from file in certmap-match CLI
Load the certificate from a file specified in the first argument. Raw
certificate value can be specified using --certificate.

https://pagure.io/freeipa/issue/6646

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-03-13 08:03:53 +00:00
Jan Cholasta
1e912f5b83 dns: fix dnsrecord_add interactive mode
`dnsrecord_add` interactive mode might prompt for value of non-existent
arguments `a_part_create_reverse` and `aaaa_part_create_reverse`. This
happens because `dnsrecord_add` extra flags are incorrectly defined as
parts of the respective DNS records.

Remove extra flags from DNS record parts to fix the interactive mode on old
clients talking to new servers. Skip non-existent arguments in the
interactive mode to fix new clients talking to old servers.

https://fedorahosted.org/freeipa/ticket/6457

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-08 15:52:41 +01:00
Christian Heimes
ed7a03a1af Vault: port key wrapping to python-cryptography
https://fedorahosted.org/freeipa/ticket/6650

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-02 14:22:11 +01:00
Stanislav Laznicka
2a9d1fb7d9 Remove NSSConnection from otptoken plugin
Replace NSSConnection with httplib.HTTPSConnection to be able to remove
NSSConnection for good.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 09:43:41 +00:00
Ben Lipton
ada91c2058 csrgen: Support encrypted private keys
https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-28 09:02:49 +00:00
Ben Lipton
4350dcdea2 csrgen: Allow overriding the CSR generation profile
In case users want multiple CSR generation profiles that work with the
same dogtag profile, or in case the profiles are not named the same,
this flag allows specifying an alternative CSR generation profile.

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-28 09:02:49 +00:00
Ben Lipton
39a5d9c5aa csrgen: Automate full cert request flow
Allows the `ipa cert-request` command to generate its own CSR. It no
longer requires a CSR passed on the command line, instead it creates a
config (bash script) with `cert-get-requestdata`, then runs it to build
a CSR, and submits that CSR.

Example usage (NSS database):
$ ipa cert-request --principal host/test.example.com --profile-id caIPAserviceCert --database /tmp/certs

Example usage (PEM private key file):
$ ipa cert-request --principal host/test.example.com --profile-id caIPAserviceCert --private-key /tmp/key.pem

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-28 09:02:49 +00:00
Martin Basti
7eb2ef6190 DNS: dns-update-system-record can create nsupdate file
Added option --out <path> creates a file with IPA DNS data in nsupdate
format.

https://fedorahosted.org/freeipa/ticket/6585

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 12:20:55 +01:00
Ben Lipton
a26cf0d791 tests: Add tests for CSR autogeneration
This patch also contains some code changes to make the code easier to
test and to make the tests pass.

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-31 10:20:28 +01:00
Ben Lipton
10ef594786 csrgen: Add code to generate scripts that generate CSRs
Adds a library that uses jinja2 to format a script that, when run, will
build a CSR. Also adds a CLI command, 'cert-get-requestdata', that uses
this library and builds the script for a given principal. The rules are
read from json files in /usr/share/ipa/csr, but the rule provider is a
separate class so that it can be replaced easily.

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-31 10:20:28 +01:00
Martin Basti
18337bf7f7 py3: decode bytes for json.loads()
In py 3.5 json.loads requires a string as input, all bytes must be
decoded.

Note: python 3.6 supports bytes for json.loads()

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
David Kupka
d841a79dc1 ipaclient.plugins: Use api_version from internally called commands
In client plugins make sure the api_version is 'inherited' from server command
that is internally called. Otherwise the api_version is obtained from client
API instance. When calling server command from client command 'version' is
passed in options and it overrides the right one. Server then refuses to handle
such call.

https://fedorahosted.org/freeipa/ticket/6539

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-12-14 11:50:35 +01:00
Fraser Tweedale
32b1743e5f Add options to write lightweight CA cert or chain to file
Administrators need a way to retrieve the certificate or certificate
chain of an IPA-managed lightweight CA.  Add params to the `ca'
object for carrying the CA certificate and chain (as multiple DER
values).  Add the `--chain' flag for including the chain in the
result (chain is also included with `--all').  Add the
`--certificate-out' option for writing the certificate to a file (or
the chain, if `--chain' was given).

Fixes: https://fedorahosted.org/freeipa/ticket/6178
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-12-12 13:03:15 +01:00
Martin Babinsky
0ae7bebb76 Make env and plugins commands local again
During thin client refactoring, LocalOrRemote class implementation of `run`
method was overridden by default Command implementation during instantiation of
client plugins from schema. This caused these commands to always forward this
request to IPA master.

This patch restores the original behavior: unless `--server` option was
specified, the commands will always print out local config.

https://fedorahosted.org/freeipa/ticket/6490

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-12-02 13:00:06 +01:00
Christian Heimes
a22a5dd676 Use api.env.nss_dir instead of paths.IPA_NSSDB_DIR
ipaclient plugins are now using nss_dir from api.env instead of
hard-coded paths.IPA_NSSDB_DIR.

Closes: https://fedorahosted.org/freeipa/ticket/6386
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-11-14 13:57:26 +01:00
Martin Basti
4628522c53 Pylint: fix the rest of unused local variables
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-10-11 16:50:32 +02:00
Martin Basti
45e3aee352 Pylint: enable check for unused-variables
Unused variables may:
* make code less readable
* create dead code
* potentially hide issues/errors

Enabled check should prevent leaving unused variables in code

Check is locally disabled for modules where the fix is not clear or easy, or which have too many occurrences of
unused variables

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-27 13:35:58 +02:00
Martin Basti
0f88f8fe88 Remove unused variables in the code
This commit removes unused variables or rename variables as "expected to
be unused" by using "_" prefix.

This covers only cases where fix was easy or only one unused variable
was in a module

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-27 13:35:58 +02:00
Tomas Krizek
ef9c718e3a Prompt for forwarder in dnsforwardzone-add
When the command ipa dnsforwardzone-add is invoked without
specifying the forwarder as an argument and the forward
policy is not set to none, prompt for DNS forwarder.

https://fedorahosted.org/freeipa/ticket/6169

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-09-26 18:45:49 +02:00
Jan Cholasta
38a51fa984 dns: fix crash in interactive mode against old servers
Add a client-side fallback of the dnsrecord_split_parts command for old
servers to avoid CommandError in dnsrecord_add and dnsrecord_mod CLI
interactive mode.

https://fedorahosted.org/freeipa/ticket/6203

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-09-06 12:54:38 +02:00
Jan Cholasta
dce95a1459 dns: prompt for missing record parts in CLI
Fix the code which determines if a record part is required and thus should
be prompted not to wrongfully consider all record parts to be optional.

https://fedorahosted.org/freeipa/ticket/6203

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-09-06 12:54:38 +02:00
Jan Cholasta
afea961631 dns: normalize record type read interactively in dnsrecord_add
When dnsrecord_add is called without options in interactive mode, it
prompts the user to enter a record type. The record type is expected to be
upper case further in the code, which causes non-upper case values not to
work correctly.

Fix this issue by upper casing the value after it is read.

https://fedorahosted.org/freeipa/ticket/6203

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-09-06 12:54:38 +02:00
Abhijeet Kasurde
95a594af4c Handled empty hostname in server-del command
Fixes: https://fedorahosted.org/freeipa/ticket/6248

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-08-24 15:50:25 +02:00
Petr Spacek
0f4df2f03d migrate-ds: Mention --enable-migration in error message about migration mode
https://fedorahosted.org/freeipa/ticket/6234

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-22 17:59:38 +02:00
David Kupka
1b79ac67d7 client: Do not create instance just to check isinstance
Checking that classes are identical gives the same result and
avoids unnecessary instantiation.

https://fedorahosted.org/freeipa/ticket/6048

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-17 14:16:04 +02:00
Jan Cholasta
20ee4a73e7 client: add missing output params to client-side commands
Add output params for the otptoken-add-yubikey, vault-add, vault-mod,
vault-archive and vault-retrieve commands.

This fixes the commands not having any output in CLI.

https://fedorahosted.org/freeipa/ticket/6182

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2016-08-10 10:27:00 +02:00
Florence Blanc-Renaud
cad6a551d6 Fix ipa hbactest output
ipa hbactest command produces a Traceback (TypeError: cannot concatenate
'str' and 'bool' objects)
This happens because hbactest overrides output_for_cli but does not
properly handle the output for 'value' field. 'value' contains a boolean
but it should not be displayed (refer to ipalib/frontend.py,
Command.output_for_cli()).

Note that the issue did not appear before because the 'value' field
had a flag no_display.

https://fedorahosted.org/freeipa/ticket/6157

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-04 17:13:16 +02:00
Jan Cholasta
1a73477e15 vault: add missing salt option to vault_mod
The option was accidentally removed in commit
4b119e21a2.

https://fedorahosted.org/freeipa/ticket/6154

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-04 14:20:06 +02:00
David Kupka
29f7f822ab frontend: Change doc, summary, topic and NO_CLI to class properties
Avoid need to instantiate all commands just to get information for
displaying help.

https://fedorahosted.org/freeipa/ticket/6048

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-03 16:32:39 +02:00
David Kupka
8ab0ad5b9e vault: Catch correct exception in decrypt
ValueError is raised when decryption fails.

https://fedorahosted.org/freeipa/ticket/6160

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-08-03 13:40:34 +02:00
Jan Cholasta
f563d982f2 client: fix hiding of commands which lack server support
Rather than checking the server counterpart's NO_CLI, which may be False
even for commands supported on the server, check whether the server
counterpart is a command defined on the server or a local placeholder.

https://fedorahosted.org/freeipa/ticket/6089

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2016-07-28 10:24:45 +02:00
Jan Cholasta
ea62f2745d Revert "Enable vault-* commands on client"
This reverts commit 9feeaca9fb.

https://fedorahosted.org/freeipa/ticket/6089

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2016-07-28 10:24:45 +02:00
Martin Babinsky
a1a7ecdc7b vault-add: set the default vault type on the client side if none was given
`vault-add` command does much processing depending on the vault type even
before the request is forwarded to remote server. Since default values for
parameters are now filled only on server side, the client-side logic would
fail if the vault type was not explicitly given. In this case we have to
retrieve and use the default vault type from schema.

https://fedorahosted.org/freeipa/ticket/6047

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-07-13 18:46:31 +02:00
Stanislav Laznicka
6c74bd2bcc Removed unused method parameter from migrate-ds
An extra parameter on client side command override of migrate-ds output
was causing errors.

https://fedorahosted.org/freeipa/ticket/6034

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-07-13 18:40:22 +02:00
Martin Basti
9feeaca9fb Enable vault-* commands on client
Client plugins for vault commands were disabled by NO_CLI=True,
inherited from vault_add_internal, that is always NO_CLI=True.
Introduced by this commit 8278da6967

Removed NO_CLI=True from client side plugins for vault.

https://fedorahosted.org/freeipa/ticket/6035

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-07-12 16:03:07 +02:00
Jan Cholasta
8278da6967 client: add placeholders for required remote plugins
Add placeholders for remote plugins which are required by client-side
commands. They are used when the remote plugins are not available.

This fixes API initialization error when the remote server does not have
the plugins.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-30 16:32:20 +02:00
Jan Cholasta
c1d8c710e7 client: ignore override errors in command overrides
This fixes API initialization errors when the remote server does not have
the overridden command.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-30 16:32:20 +02:00
Jan Cholasta
1a03bd322d cert: fix CLI output of cert_remove_hold
cert_remove_hold uses output params instead of exceptions to convey
unsuccessful result. Move the output params to the client side before
the command is fixed to use exceptions.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-30 16:32:20 +02:00
Jan Cholasta
894be1bd50 dns: fix dns_update_system_records to work with thin client
https://fedorahosted.org/freeipa/ticket/2008
https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-21 13:03:14 +02:00
Jan Cholasta
b00dbca98f cert: allow search by certificate
Allow search by certificate data or file in cert-find.

https://fedorahosted.org/freeipa/ticket/5381

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-06-21 09:45:20 +02:00
Jan Cholasta
d44ffdad42 cert: add object plugin
Implement cert as an object with methods rather than a bunch of loosely
related commands.

https://fedorahosted.org/freeipa/ticket/5381

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-06-21 09:45:20 +02:00
Jan Cholasta
91faf3ecd7 schema: remove output_params
Since output params are copied from object plugins, remove them from
command schema and include object name instead.

One exception to this are the output params used for failed members in
member add/remove commands. Move these to the client side, as they will
be replaced by warnings.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-20 16:39:12 +02:00
Jan Cholasta
3ec7a52aea permission: handle ipapermright deprecated CLI alias on the client
https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-20 16:39:12 +02:00
Jan Cholasta
71de8878bd passwd: handle sort order of passwd argument on the client
https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-20 16:39:12 +02:00
Jan Cholasta
5382864909 misc: skip count and total output in env.output_for_cli
Do not include the `count` and `total` output values in CLI output in
env.output_for_cli by default.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-20 16:39:12 +02:00
Jan Cholasta
234270dc75 dns: do not rely on custom param fields in record attributes
Obtain the information provided by the `hint` kwarg and `dnsrecord_part`
and `dnsrecord_extra` flags by other means.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-20 16:39:12 +02:00
Jan Cholasta
f554078291 frontend: don't copy command arguments to output params
Use only object params and params defined in has_output_params as output
params. This removes unnecessary duplication of params defined both in
object plugins and as command arguments.

This requires all command output params to be properly defined in either
the object plugins or the command's has_output_params. Fix the plugins
where this wasn't true.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-20 16:39:12 +02:00
Martin Babinsky
a6eb87bd68 server-del: perform full master removal in managed topology
This patch implements most of the del_master_managed() functionality as a part
of `server-del` command.

`server-del` now performs these actions:
  * check topology connectivity
  * check that at least one CA/DNS server and DNSSec masters are left
    after removal
  * cleanup all LDAP entries/attributes exposing information about the master
  * cleanup master DNS records
  * remove master and service principals
  * remove master entry from LDAP
  * check that all segments pointing to the master were removed

  `server-del` now accepts the following options:
  * `--force`: force master removal even if it doesn't exist
  * `--ignore-topology-disconnect`: ignore errors arising from disconnected
    topology before and after master removal
  * `--ignore-last-of-role`: remove master even if it is last DNS server,
    and DNSSec key master. The last CA will *not* be removed regardless of
    this option.

https://fedorahosted.org/freeipa/ticket/5588

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-17 18:55:19 +02:00
Martin Basti
e23159596e DNS Locations: command dns-update-system-records
command dns-update-system-records updates/fixes DNS records for IPA
services:
* updating A, AAAA records for CA
* updating SRV records for LDAP, kerberos and AD trust
* updating TXT record in _kerberos with proper realm
* updating dns locations if used

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Abhijeet Kasurde
6873ac5b03 Added missing translation to automount.py method
Fixes: https://fedorahosted.org/freeipa/ticket/5920

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-16 08:57:55 +02:00
Jan Cholasta
365d973763 misc: fix empty CLI output of env and plugins commands
https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-15 14:03:51 +02:00
Alexander Bokovoy
29d669fec1 otptoken: support Python 3 for the qr code
When IPA client is using Python 3, there is no str.decode() method
anymore.

ipa: ERROR: AttributeError: 'str' object has no attribute 'decode'
Traceback (most recent call last):
 File "/usr/lib/python3.5/site-packages/ipalib/cli.py", line 1345, in run
   sys.exit(api.Backend.cli.run(argv))
 File "/usr/lib/python3.5/site-packages/ipalib/cli.py", line 1110, in run
   rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, **options)
 File "/usr/lib/python3.5/site-packages/ipaclient/plugins/otptoken.py", line 103, in output_for_cli
   qr = self._get_qrcode(output, uri, options['version'])
 File "/usr/lib/python3.5/site-packages/ipaclient/plugins/otptoken.py", line 61, in _get_qrcode
   qr_code = qr_output.getvalue().decode(encoding)
AttributeError: 'str' object has no attribute 'decode'
ipa: ERROR: an internal error has occurred

Fixes https://fedorahosted.org/freeipa/ticket/5938

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-09 08:09:33 +02:00
Martin Basti
79544aa51a DNS Location: location-show: return list of servers in location
location-show returns list of servers currently assigned to the location

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-03 15:58:21 +02:00
Yuri Chornoivan
fd4386d5c9 Fix minor typo
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-03 15:25:15 +02:00
Jan Cholasta
ec841e5d7a ipaclient: implement thin client
Dynamically create plugin package for the remote server with modules and
commands based on the API schema when client API is finalized. For in-tree
API instances, use ipalib.plugins directly.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00
Jan Cholasta
2f7df393fd ipalib: move File command arguments to ipaclient
File arguments are relevant only on the client, on the server they are the
same as Str. Specify the arguments as Str in ipalib.plugins and override
them with File in ipaclient.plugins.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00
Jan Cholasta
4c7be74526 ipalib: split off client-side plugin code into ipaclient
Provide client-side overrides for command plugins which implement any of
the client-side `interactive_prompt_callback`, `forward` or
`output_for_cli` methods and move the methods from the original plugins to
the overrides.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00
Jan Cholasta
cd5ecdbaee help, makeapi: specify module topic by name
Specify module topic by name rather than by name and summary. A topic
module of the topic name must exist. Summary is extracted from the
docstring of the topic module.

This change makes topic handling more generic and consistent between
modules and commands.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00
Jan Cholasta
327d95296a ipalib: move client-side plugins to ipaclient
Move the rpcclient backend and commands which are executed on the client
to ipaclient.plugins.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00
Jan Cholasta
f1ad3e67ae ipaclient: introduce ipaclient.plugins
Load plugins from ipaclient.plugins in client API instances.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00