Commit Graph

36 Commits

Author SHA1 Message Date
Petr Viktorin
3bf91eab25 Use Python3-compatible dict method names
Python 2 has keys()/values()/items(), which return lists,
iterkeys()/itervalues()/iteritems(), which return iterators,
and viewkeys()/viewvalues()/viewitems() which return views.

Python 3 has only keys()/values()/items(), which return views.
To get iterators, one can use iter() or a for loop/comprehension;
for lists there's the list() constructor.

When iterating through the entire dict, without modifying the dict,
 the difference between Python 2's items() and iteritems() is
negligible, especially on small dicts (the main overhead is
extra memory, not CPU time). In the interest of simpler code,
this patch changes many instances of iteritems() to items(),
iterkeys() to keys() etc.

In other cases, helpers like six.itervalues are used.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-09-01 11:42:01 +02:00
Fraser Tweedale
27988f1b83 Prohibit deletion of predefined profiles
Deletion of predefined profiles, including the default profile,
should not be allowed.  Detect this case and raise an error.

Also update the predefined profiles collection to use namedtuple,
making it easier to access the various components.

Fixes: https://fedorahosted.org/freeipa/ticket/5198
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-08-18 19:44:43 +02:00
Petr Viktorin
27dabb4528 Modernize 'except' clauses
The 'as' syntax works from Python 2 on, and Python 3 will
drop the "comma" syntax.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-08-12 18:17:23 +02:00
Fraser Tweedale
812ab600a3 Add profile for DNP3 / IEC 62351-8 certificates
The DNP3 smart-grid standard uses certificate with the IEC 62351-8
IECUserRoles extension.  Add a profile for DNP3 certificates which
copies the IECUserRoles extension from the CSR, if present.

Also update cert-request to accept CSRs containing this extension.

Fixes: https://fedorahosted.org/freeipa/ticket/4752
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-08-11 14:57:41 +02:00
Fraser Tweedale
4cf2bfcaa6 Add profile_id parameter to 'request_certificate'
Add the profile_id parameter to the 'request_certificate' function
and update call sites.

Also remove multiple occurrences of the default profile ID
'caIPAserviceCert'.

Part of: https://fedorahosted.org/freeipa/ticket/57

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-04 08:27:33 +00:00
Fraser Tweedale
b24fe0eb73 Import included profiles during install or upgrade
Add a default service profile template as part of FreeIPA and format
and import it as part of installation or upgrade process.

Also remove the code that modifies the old (file-based)
`caIPAserviceCert' profile.

Fixes https://fedorahosted.org/freeipa/ticket/4002

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-04 08:27:33 +00:00
Fraser Tweedale
300b74fc7f Add certprofile plugin
Add the 'certprofile' plugin which defines the commands for managing
certificate profiles and associated permissions.

Also update Dogtag network code in 'ipapython.dogtag' to support
headers and arbitrary request bodies, to facilitate use of the
Dogtag profiles REST API.

Part of: https://fedorahosted.org/freeipa/ticket/57

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-04 08:27:33 +00:00
Martin Babinsky
a1f91247cc point the users to PKI-related logs when CA configuration fails
This patch adds an error handler which prints out the paths to logs related to
configuration and installation of Dogtag/CA in the case of failure.

https://fedorahosted.org/freeipa/ticket/4900

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-04-29 05:19:29 +00:00
Martin Basti
337faf5064 Using wget to get status of CA
This is just workaround

Ticket: https://fedorahosted.org/freeipa/ticket/4676
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-12-10 16:59:56 +00:00
Rob Crittenden
5c0ad221e8 Use NSS protocol range API to set available TLS protocols
Protocols are configured as an inclusive range from SSLv3 through
TLSv1.2. The allowed values in the range are ssl3, tls1.0,
tls1.1 and tls1.2.

This is overridable per client by setting tls_version_min and/or
tls_version_max.

https://fedorahosted.org/freeipa/ticket/4653

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-24 13:09:44 +00:00
Ade Lee
a25fe00c62 Add a KRA to IPA
This patch adds the capability of installing a Dogtag KRA
to an IPA instance.  With this patch,  a KRA is NOT configured
by default when ipa-server-install is run.  Rather, the command
ipa-kra-install must be executed on an instance on which a Dogtag
CA has already been configured.

The KRA shares the same tomcat instance and DS instance as the
Dogtag CA.  Moreover, the same admin user/agent (and agent cert) can
be used for both subsystems.  Certmonger is also confgured to
monitor the new subsystem certificates.

To create a clone KRA, simply execute ipa-kra-install <replica_file>
on a replica on which a Dogtag CA has already been replicated.
ipa-kra-install will use the security domain to detect whether the
system being installed is a replica, and will error out if a needed
replica file is not provided.

The install scripts have been refactored somewhat to minimize
duplication of code.  A new base class dogtagintance.py has
been introduced containing code that is common to KRA and CA
installs.  This will become very useful when we add more PKI
subsystems.

The KRA will install its database as a subtree of o=ipaca,
specifically o=ipakra,o=ipaca.  This means that replication
agreements created to replicate CA data will also replicate KRA
data.  No new replication agreements are required.

Added dogtag plugin for KRA.  This is an initial commit providing
the basic vault functionality needed for vault.  This plugin will
likely be modified as we create the code to call some of these
functions.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3872

The uninstallation option in ipa-kra-install is temporarily disabled.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-08-22 09:59:31 +02:00
Jan Cholasta
044c5c833a Enable NSS PKIX certificate path discovery and validation for Dogtag.
Part of https://fedorahosted.org/freeipa/ticket/3737

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Tomas Babej
4d2ef43f28 ipaplatform: Move all filesystem paths to ipaplatform.paths module
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:20 +02:00
Jan Cholasta
911f5e9eb7 PKI service restart after CA renewal failed
Fix both the service restart procedure and registration of old
pki-cad well known service name.

This patch was adapted from original patch of Jan Cholasta 178 to
fix ticket 4092.

https://fedorahosted.org/freeipa/ticket/4092
2014-01-08 09:47:23 +01:00
Martin Kosek
dd3295ac32 Installer should always wait until CA starts up
Patch for ticket 3964 changed the installer so that it does not
always wait for CA if the proxy is not configured. However,
it was found out that it may freeze an installation when
a step subsequent after CA restart call the CA and receives no
reply.

Change the wait so that it always waits for CA to start up. If
HTTP proxy is already configured, it should wait on port 443.
If not, it should wait on local PKI port 8443.

https://fedorahosted.org/freeipa/ticket/3973
2013-10-17 12:07:52 +02:00
Petr Viktorin
9b7930b93d Make ipapython.dogtag log requests at debug level, not info 2013-02-01 13:45:03 -05:00
Petr Viktorin
d157413675 Use correct Dogtag configuration in get_pin and get_ca_certchain
Some install utilities used Dogtag configuration before Dogtag
was configured. Fix by passing the relevant dogtag_constants
where they're needed.
2012-11-23 12:19:19 +01:00
Ade Lee
18a210996d Changes to use a single database for dogtag and IPA
New servers that are installed with dogtag 10 instances will use
a single database instance for dogtag and IPA, albeit with different
suffixes.  Dogtag will communicate with the instance through a
database user with permissions to modify the dogtag  suffix only.
This user will authenticate using client auth using the subsystem cert
for the instance.

This patch includes changes to allow the creation of masters and clones
with single ds instances.
2012-11-23 12:19:19 +01:00
Petr Viktorin
d6fbbd530e Make sure the CA is running when starting services
- Provide a function for determinig the CA status using Dogtag 10's new
  getStatus endpoint.
  This must be done over HTTPS, but since our client certificate may not be set
  up yet, we need HTTPS without client authentication.
  Rather than copying from the existing http_request and https_request
  function, shared code is factored out to a common helper.
- Call the new function when restarting the CA service. Since our Service
  can only be extended in platform-specific code, do this for Fedora only.
  Also, the status is only checked with Dogtag 10+.
- When a restart call in cainstance failed, users were refered to the
  installation log, but no info was actually logged. Log the exception.

https://fedorahosted.org/freeipa/ticket/3084
2012-10-23 22:02:21 -04:00
Martin Kosek
fff56ee1c8 Fix CA CRL migration crash in ipa-upgradeconfig
CRL migrate procedure did not check if a CA was actually configured
on an updated master/replica. This caused ipa-upgradeconfig to
crash on replicas without a CA.

Make sure that CRL migrate procedure is not run when CA is not
configured on given master. Also add few try..except clauses to
make the procedure more robust. There is also a small refactoring of
"<service> is not configured" log messages, so that they have matching
log level and message.

dogtag.py constants were updated to have a correct path to new CRL
directory on Fedora 18 (dogtag 10).

https://fedorahosted.org/freeipa/ticket/3159
2012-10-10 14:15:46 +02:00
Martin Kosek
74ebd0fd75 Move CRL publish directory to IPA owned directory
Currently, CRL files are being exported to /var/lib/pki-ca
sub-directory, which is then served by httpd to clients. However,
this approach has several disadvantages:
 * We depend on pki-ca directory structure and relevant permissions.
   If pki-ca changes directory structure or permissions on upgrade,
   IPA may break. This is also a root cause of the latest error, where
   the pki-ca directory does not have X permission for others and CRL
   publishing by httpd breaks.
 * Since the directory is not static and is generated during
   ipa-server-install, RPM upgrade of IPA packages report errors when
   defining SELinux policy for these directories.

Move CRL publish directory to /var/lib/ipa/pki-ca/publish (common for
both dogtag 9 and 10) which is created on RPM upgrade, i.e. SELinux policy
configuration does not report any error. The new CRL publish directory
is used for both new IPA installs and upgrades, where contents of
the directory (CRLs) is first migrated to the new location and then the
actual configuration change is made.

https://fedorahosted.org/freeipa/ticket/3144
2012-10-09 16:00:01 +02:00
Petr Viktorin
4f76c143d2 Use Dogtag 10 only when it is available
Put the changes from Ade's dogtag 10 patch into namespaced constants in
dogtag.py, which are then referenced in the code.

Make ipaserver.install.CAInstance use the service name specified in the
configuration. Uninstallation, where config is removed before CA uninstall,
also uses the (previously) configured value.

This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
2012-09-17 18:43:59 -04:00
Petr Viktorin
a95eaeac8e Internationalization for public errors
Currently, we throw many public exceptions without proper i18n.
Wrap natural-language error messages in _() so they can be translated.

In the service plugin, raise NotFound errors using handle_not_found helper
so the error message contains the offending service.

Use ScriptError instead of NotFoundError in bindinstance install.

https://fedorahosted.org/freeipa/ticket/1953
2012-09-03 18:16:12 +02:00
Rob Crittenden
b9e3685534 Add the -v option to sslget to provide more verbose errors
I noticed a couple of bad references in ipapython/dogtag.py and
fixed those as well. We used to call sslget for all our SSL client
needs before python-nss was written.

https://fedorahosted.org/freeipa/ticket/2391
2012-02-23 11:26:06 +01:00
John Dennis
56401c1abe ticket 2022 - modify codebase to utilize IPALogManager, obsoletes logging
change default_logger_level to debug in configure_standard_logging

add new ipa_log_manager module, move log_mgr there, also export
root_logger from log_mgr.

change all log_manager imports to ipa_log_manager and change
log_manager.root_logger to root_logger.

add missing import for parse_log_level()
2011-11-23 09:36:18 +01:00
Jan Cholasta
12bfed37d4 Add a function for formatting network locations of the form host:port for use in URLs.
If the host part is a literal IPv6 address, it must be enclosed in square
brackets (RFC 2732).

ticket 1869
2011-10-05 10:58:25 +02:00
Adam Young
5ee93349f6 enable proxy for dogtag
Dogtag is going to be proxied through httpd.  To make this work, it has to support renegotiation of the SSL
connection.  This patch enables renegotiate in the nss configuration file during during apache configuration,
as well as modifies libnss to set the appropriate optins on the ssl connection in order to  renegotiate.

The IPA install uses the internal ports instead of proxying through
httpd since  httpd is not set up yet.

IPA needs to Request the certificate through a port that uses authentication.  On the Dogtag side, they provide an additional mapping for this:   /ca/eeca/ca as opposed tp /ca/ee/ca  just for this purpose.

https://fedorahosted.org/freeipa/ticket/1334

add flag to pkicreate in order to enable using proxy.

add the proxy file in  /etc/http/conf.d/

Signed-off-by: Simo Sorce <ssorce@redhat.com>
2011-08-29 17:54:49 -04:00
Rob Crittenden
6ad7deb7ac Set the client auth callback after creating the SSL connection.
If we set the callback before calling connect() then if the connection
tries a network family type and fails, it will try other family types.
If this happens then the callback set on the first socket will be lost
when a new socket is created. There is no way to query for the callback
in an existing socket.

https://fedorahosted.org/freeipa/ticket/1349
2011-07-01 21:01:22 -04:00
Jakub Hrozek
7493d781df Change FreeIPA license to GPLv3+
The changes include:
 * Change license blobs in source files to mention GPLv3+ not GPLv2 only
 * Add GPLv3+ license text
 * Package COPYING not LICENSE as the license blobs (even the old ones)
   mention COPYING specifically, it is also more common, I think

 https://fedorahosted.org/freeipa/ticket/239
2010-12-20 17:19:53 -05:00
Rob Crittenden
0ad0f4ba6c Catch when we fail to get a cert chain from the CA during installation
Also don't free the XML document if it was never created.

ticket 404
2010-11-24 08:39:00 -05:00
John Dennis
31027c6183 use NSS for SSL operations 2010-06-15 15:03:36 -04:00
Pavel Zuna
9dd082eb33 Fix http(s)_request in dogtag. Was blowing up because of unicode strings. 2010-03-30 15:11:56 -04:00
Rob Crittenden
8a4ab2a0e5 Move the HTTP/S request code to a common library
This moves code that does HTTP and HTTPS requests into a common library
that can be used by both the installer and the dogtag plugin.

These functions are not generic HTTP/S clients, they are designed
specifically to talk to dogtag, so use accordingly.
2010-02-09 03:26:01 -07:00
Rob Crittenden
8d164569d0 Allow replicas of an IPA server using an internal dogtag server as the CA
This involves creating a new CA instance on the replica and using pkisilent
to create a clone of the master CA.

Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of
changes to ports and configuration have been done recently.
2009-07-15 09:00:01 -04:00
Rob Crittenden
13696ae18b Raise an exception if the certificate chain is not returned from the CA 2009-05-21 17:34:00 -04:00
Rob Crittenden
d5290a60f9 Utilities for dealing with dogtag 2009-04-24 16:22:38 -04:00