Commit Graph

89 Commits

Author SHA1 Message Date
Christian Heimes
395a68d208 Defer import of ipaclient.csrgen
The modules ipaclient.csrgen and ipaclient.csrgen_ffi are expensive to load,
but rarely used. On demand loading speeds up ipa CLI by about 200ms.

Fixes: https://pagure.io/freeipa/issue/7484
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-04-10 07:58:52 +02:00
Stanislav Laznicka
c9c41d2d90
vault: fix vault-retrieve to a file
`data` is bytes but we were opening the "--out" file as
a text.

https://pagure.io/freeipa/issue/7430

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-03-06 13:00:23 +01:00
Christian Heimes
1c9f0a4b19 Vault: Add argument checks to encrypt/decrypt
Vault's encrypt and decrypt helper function take either symmetric or
public/private key. Raise an exception if either both or none of them
are passed down.

See https://pagure.io/freeipa/issue/7326

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2017-12-19 13:26:39 +01:00
Christian Heimes
8cb756a229 Fix pylint warnings inconsistent-return-statements
Add consistent return to all functions and methods that are covered by
tox -e pylint[23]. I haven't checked if return None is always a good
idea or if we should rather raise an error.

See: https://pagure.io/freeipa/issue/7326
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-12-18 11:51:14 +01:00
Stanislav Laznicka
c9265a7b05 x509: remove the strip_header() function
We don't need the strip_header() function, to load an unknown
x509 certificate, load_unknown_x509_certificate() should be used.

Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-01 07:55:04 +01:00
Stanislav Laznicka
61605d28d8 parameters: introduce CertificateSigningRequest
Previously, CSRs were handled as a Str parameter which brought
trouble to Python 3 because of its more strict type requirements.
We introduce a CertificateSigningRequest parameter which allows to
use python-cryptography x509.CertificateSigningRequest to represent
CSRs in the framework.

https://pagure.io/freeipa/issue/7131
2017-10-25 09:44:37 +02:00
Stanislav Laznicka
2b90c8a20e csrgen: accept public key info as Bytes
cert_get_requestdata() method is meant for internal use only and
is never passed a file. Make its parameter public_key_info Bytes
to better represent what's actually being passed to it.

https://pagure.io/freeipa/issue/7131
2017-10-25 09:44:37 +02:00
Aleksei Slaikovskii
fad88b358b ipaclient.plugins.dns: Cast DNS name to unicode
cmd.api.Command.dnsrecord_split_parts expects name to be unicode
string and instead gets ascii. It leads to an error:
ipa: ERROR: invalid 'name': must be Unicode text

This commit's change is casting name's type to unicode so
'ipa dnsrecord-mod' will not fail with error above.

https://pagure.io/freeipa/issue/7185

Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-10-20 10:55:49 +02:00
Fraser Tweedale
9cead4da2e py3: fix vault public key decoding
Part of: https://pagure.io/freeipa/issue/7033

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-08-29 13:03:25 +02:00
Tibor Dudlák
76357283ec
otptoken_yubikey.py: Removed traceback when package missing.
IPA should suggest user to install dependent packages instead
of throwing traceback. To work with IPA and Yubikey, packages
libyubikey(not in official RHEL repo) and libusb are required.

Resolves: https://pagure.io/freeipa/issue/6979
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-11 13:51:04 +02:00
Stanislav Laznicka
5a44ca6383 Create a Certificate parameter
Up until now, Bytes parameter was used for certificate parameters
throughout the framework. However, the Bytes parameter does nothing
special for certificates, like validation, so this had to be done
for each of the parameters which were supposed to represent a
certificate.

This commit introduces a special Certificate parameter which takes
care of certificate validation so this does not have to be done
separately. It also makes sure that the certificates represented by
this parameter are always converted to DER format so that we can work
with them in a unified manner throughout the framework.

This commit also makes it possible to pass bytes directly during
instantiation of the Certificate parameter and they are still
represented correctly after their conversion in the _convert_scalar()
method.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Stanislav Laznicka
b5732efda6 x509: Make certificates represented as objects
https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Stanislav Laznicka
4375ef860f Split x509.load_certificate() into PEM/DER functions
Splitting the load_certificate() function into two separate helps
us word the requirements for the input explicitly. It also makes
our backend similar to the one of python-cryptography so eventually
we can swap python-cryptography for IPA x509 module.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Jan Cholasta
07229c8ff6 logging: do not use ipa_log_manager to create module-level loggers
Replace all `ipa_log_manager.log_mgr.get_logger` calls to create
module-level loggers with `logging.getLogger` calls and deprecate
`ipa_log_manager.log_mgr.get_logger`.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Tibor Dudlák
69d05b86b7
topology.py: Removes error message from dictionary.
IPA will not print error message header when maximum
number of agreements per replica exceeded in topology.

Resolves: https://pagure.io/freeipa/issue/6533
Reviewed-By: David Kupka <dkupka@redhat.com>
2017-07-14 09:23:17 +02:00
Martin Basti
3f59721c55 py3: vault: data must be bytes
Use bytes for vault data

https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-23 14:45:05 +02:00
Stanislav Laznicka
1ed1717e99 ca/cert-show: check certificate_out in options
If --certificate-out was specified on the command line, it will appear
among the options. If it was empty, it will be None.

This check was done properly in the ca plugin. Lets' just unify how this
is handled and improve user experience by announcing which option causes
the failure.

https://pagure.io/freeipa/issue/6885

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-05-24 13:33:09 +00:00
David Kreitschmann
f1c6a5d8de Use os.fsync instead of os.fdatasync because macOS doesn't support fdatasync
Signed-off-by: David Kreitschmann <david@kreitschmann.de>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-05-17 14:07:13 +02:00
David Kupka
e415da22f3 otptoken-add-yubikey: When --digits not provided use default value
Since Thin client was introduced default values for options are not populated
in client side plugins. When option has default value and is needed in client
plugin it must be handled by explicitly.

https://pagure.io/freeipa/issue/6900

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-16 11:39:43 +02:00
Christian Heimes
bd5a5012d2 Slim down dependencies
* Make jinja2 an optional dependency and csrgen an optional plugin
* Make otptoken_yubikey an optional plugin

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-09 17:17:29 +02:00
Florence Blanc-Renaud
d5c41ed4ad vault: piped input for ipa vault-add fails
An exception is raised when using echo "Secret123\n" | ipa vault-add myvault

This happens because the code is using (string).decode(sys.stdin.encoding)
and sys.stdin.encoding is None when the input is read from a pipe.
The fix is using the prompt_password method defined by Backend.textui,
which gracefully handles this issue.

https://pagure.io/freeipa/issue/6907

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-04-28 13:19:51 +02:00
Ben Lipton
e7588ab2dc csrgen: Modify cert_get_requestdata to return a CertificationRequestInfo
Also modify cert_request to use this new format. Note, only PEM private
keys are supported for now. NSS databases are not.

https://pagure.io/freeipa/issue/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-03 07:46:30 +00:00
Ben Lipton
136c6c3e2a csrgen: Change to pure openssl config format (no script)
https://pagure.io/freeipa/issue/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-03 07:46:30 +00:00
Ben Lipton
5420e9cfbe csrgen: Remove helper abstraction
All requests now use the OpenSSL formatter. However, we keep Formatter
a separate class so that it can be changed out for tests.

https://pagure.io/freeipa/issue/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-03 07:46:30 +00:00
Christian Heimes
abefb64bea Simplify KRA transport cert cache
In-memory cache causes problem in forking servers. A file based cache is
good enough. It's easier to understand and avoids performance regression
and synchronization issues when cert becomes out-of-date.

https://pagure.io/freeipa/issue/6787
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-28 08:10:03 +00:00
Jan Cholasta
72de679eb4 csrgen: hide cert-get-requestdata in CLI
The CSR generation feature is supposed to be used from cert-request, hide
the internal cert-get-requestdata command in the CLI.

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-14 12:26:16 +00:00
Jan Cholasta
8ed891cb61 cert: include certificate chain in cert command output
Include the full certificate chain in the output of cert-request, cert-show
and cert-find if --chain or --all is specified.

If output file is specified in the CLI together with --chain, the full
certificate chain is written to the file.

https://pagure.io/freeipa/issue/6547

Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-14 12:58:45 +01:00
Jan Cholasta
c60d9c9744 cert: add output file option to cert-request
The certificate returned by cert-request can now be saved to a file in the
CLI using a new --certificate-out option.

Deprecate --out in cert-show in favor of --certificate-out.

https://pagure.io/freeipa/issue/6547

Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-14 12:58:45 +01:00
Jan Cholasta
98bb5397c5 vault: cache the transport certificate on client
Cache the KRA transport certificate on disk (in ~/.cache/ipa) as well as
in memory.

https://fedorahosted.org/freeipa/ticket/6652

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-03-13 16:02:16 +01:00
Jan Cholasta
0298ecf441 certmap: load certificate from file in certmap-match CLI
Load the certificate from a file specified in the first argument. Raw
certificate value can be specified using --certificate.

https://pagure.io/freeipa/issue/6646

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-03-13 08:03:53 +00:00
Jan Cholasta
1e912f5b83 dns: fix dnsrecord_add interactive mode
`dnsrecord_add` interactive mode might prompt for value of non-existent
arguments `a_part_create_reverse` and `aaaa_part_create_reverse`. This
happens because `dnsrecord_add` extra flags are incorrectly defined as
parts of the respective DNS records.

Remove extra flags from DNS record parts to fix the interactive mode on old
clients talking to new servers. Skip non-existent arguments in the
interactive mode to fix new clients talking to old servers.

https://fedorahosted.org/freeipa/ticket/6457

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-08 15:52:41 +01:00
Christian Heimes
ed7a03a1af Vault: port key wrapping to python-cryptography
https://fedorahosted.org/freeipa/ticket/6650

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-02 14:22:11 +01:00
Stanislav Laznicka
2a9d1fb7d9 Remove NSSConnection from otptoken plugin
Replace NSSConnection with httplib.HTTPSConenction to be able to remove
NSSConnection for good.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 09:43:41 +00:00
Ben Lipton
ada91c2058 csrgen: Support encrypted private keys
https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-28 09:02:49 +00:00
Ben Lipton
4350dcdea2 csrgen: Allow overriding the CSR generation profile
In case users want multiple CSR generation profiles that work with the
same dogtag profile, or in case the profiles are not named the same,
this flag allows specifying an alternative CSR generation profile.

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-28 09:02:49 +00:00
Ben Lipton
39a5d9c5aa csrgen: Automate full cert request flow
Allows the `ipa cert-request` command to generate its own CSR. It no
longer requires a CSR passed on the command line, instead it creates a
config (bash script) with `cert-get-requestdata`, then runs it to build
a CSR, and submits that CSR.

Example usage (NSS database):
$ ipa cert-request --principal host/test.example.com --profile-id caIPAserviceCert --database /tmp/certs

Example usage (PEM private key file):
$ ipa cert-request --principal host/test.example.com --profile-id caIPAserviceCert --private-key /tmp/key.pem

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-28 09:02:49 +00:00
Martin Basti
7eb2ef6190 DNS: dns-update-system-record can create nsupdate file
Added option --out <path> creates a file with IPA DNS data in nsupdate
format.

https://fedorahosted.org/freeipa/ticket/6585

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 12:20:55 +01:00
Ben Lipton
a26cf0d791 tests: Add tests for CSR autogeneration
This patch also contains some code changes to make the code easier to
test and to make the tests pass.

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-31 10:20:28 +01:00
Ben Lipton
10ef594786 csrgen: Add code to generate scripts that generate CSRs
Adds a library that uses jinja2 to format a script that, when run, will
build a CSR. Also adds a CLI command, 'cert-get-requestdata', that uses
this library and builds the script for a given principal. The rules are
read from json files in /usr/share/ipa/csr, but the rule provider is a
separate class so that it can be replaced easily.

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-31 10:20:28 +01:00
Martin Basti
18337bf7f7 py3: decode bytes for json.loads()
In py 3.5 json.loads requires to have string as input, all bytes must be
decoded.

Note: python 3.6 supports bytes for json.loads()

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
David Kupka
d841a79dc1 ipaclient.plugins: Use api_version from internally called commands
In client plugins make sure the api_version is 'inherited' from server command
that is internally called. Otherwise the api_version is obtained from client
API instance. When calling server command from client command 'version' is
passed in options and it overrides the right one. Server then refuses to handle
such call.

https://fedorahosted.org/freeipa/ticket/6539

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-12-14 11:50:35 +01:00
Fraser Tweedale
32b1743e5f Add options to write lightweight CA cert or chain to file
Administrators need a way to retrieve the certificate or certificate
chain of an IPA-managed lightweight CA.  Add params to the `ca'
object for carrying the CA certificate and chain (as multiple DER
values).  Add the `--chain' flag for including the chain in the
result (chain is also included with `--all').  Add the
`--certificate-out' option for writing the certificate to a file (or
the chain, if `--chain' was given).

Fixes: https://fedorahosted.org/freeipa/ticket/6178
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-12-12 13:03:15 +01:00
Martin Babinsky
0ae7bebb76 Make env and plugins commands local again
During thin client refactoring, LocalOrRemote class implementation of `run`
method was overriden by default Command implementation during instantiation of
client plugins from schema. This caused these commands to always forward this
request to IPA master.

This patch restores the original behavior: unless `--server` option was
specified, the commands will always print out local config.

https://fedorahosted.org/freeipa/ticket/6490

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-12-02 13:00:06 +01:00
Christian Heimes
a22a5dd676 Use api.env.nss_dir instead of paths.IPA_NSSDB_DIR
ipaclient plugins are now using nss_dir from api.env instead of
hard-coded paths.IPA_NSSDB_DIR.

Closes: https://fedorahosted.org/freeipa/ticket/6386
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-11-14 13:57:26 +01:00
Martin Basti
4628522c53 Pylint: fix the rest of unused local variables
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-10-11 16:50:32 +02:00
Martin Basti
45e3aee352 Pylint: enable check for unused-variables
Unused variables may:
* make code less readable
* create dead code
* potentialy hide issues/errors

Enabled check should prevent to leave unused variable in code

Check is locally disabled for modules that fix is not clear or easy or have too many occurences of
unused variables

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-27 13:35:58 +02:00
Martin Basti
0f88f8fe88 Remove unused variables in the code
This commit removes unused variables or rename variables as "expected to
be unused" by using "_" prefix.

This covers only cases where fix was easy or only one unused variable
was in a module

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-27 13:35:58 +02:00
Tomas Krizek
ef9c718e3a Prompt for forwarder in dnsforwardzone-add
When the command ipa dnsforwardzone-add is invoked without
specifying the forwarder as an argument and the forward
policy is not set to none, prompt for DNS forwarder.

https://fedorahosted.org/freeipa/ticket/6169

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-09-26 18:45:49 +02:00
Jan Cholasta
38a51fa984 dns: fix crash in interactive mode against old servers
Add a client-side fallback of the dnsrecord_split_parts command for old
servers to avoid CommandError in dnsrecord_add and dnsrecord_mod CLI
interactive mode.

https://fedorahosted.org/freeipa/ticket/6203

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-09-06 12:54:38 +02:00
Jan Cholasta
dce95a1459 dns: prompt for missing record parts in CLI
Fix the code which determines if a record part is required and thus should
be prompted not to wrongfully consider all record parts to be optional.

https://fedorahosted.org/freeipa/ticket/6203

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-09-06 12:54:38 +02:00