Commit Graph

11470 Commits

Author SHA1 Message Date
Stanislav Laznicka
4375ef860f Split x509.load_certificate() into PEM/DER functions
Splitting the load_certificate() function into two separate helps
us word the requirements for the input explicitly. It also makes
our backend similar to the one of python-cryptography so eventually
we can swap python-cryptography for IPA x509 module.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Michal Reznik
284658e08e test_caless: remove xfail in wildcard certificate tests
As we are now generating proper wildcard certificates, remove xfail
in wildcard certificate tests.

https://pagure.io/freeipa/issue/5603

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-07-26 16:02:18 +02:00
Tomas Krizek
ba5f7afedc logging: make sure logging level is set to proper value
During py.test initialization, the value 'debug' is passed instead
of logging.DEBUG.

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2017-07-26 15:57:56 +02:00
Pavel Vomacka
0b8d460191 WebUI: fix jslint error
jslint warned about parsing string to integer without explicit radix.
This error was introduced in commit 3cac851 .

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-24 14:20:36 +02:00
Lewis Eason
bcfa6b533d Correct typo estabilish->establish in the install scripts
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-07-24 13:41:16 +02:00
David Kupka
d6787eea48 install: replica: Show message about key synchronization
https://pagure.io/freeipa/issue/6940

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-24 13:38:31 +02:00
Thierry Bordaz
0f0423cf53 NULL LDAP context in call to ldap_search_ext_s during search
KDC crashes on quite random interval while trying to reach LDAP
    https://pagure.io/freeipa/issue/7017

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-24 13:34:06 +02:00
Michal Reznik
64375ba65b
test_caless: introduce new python makepki + fix SKI extension issue
Change makepki.sh for new makepki.py which should be more
readable, maintainable and extendable than the old script.
In this test we use it as a module and import create_pki().

The new makepki adds SKI and AKI extensions for correct
cert validation.

Other minor changes needed as we do not use NSS to store our
certificates on the test controller.

https://pagure.io/freeipa/issue/7030

Signed-off-by: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-07-21 09:49:18 +02:00
Stanislav Laznicka
62f19fc082
README: Fix trailing whitespace
be2fba0 introduced a trailing whitespace in our README.md, this
patch removes it

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-07-21 09:47:36 +02:00
Pavel Vomacka
cfa157c1e5 WebUI: change validator of page size settings
Previously, this configuration field was validated by integer_validator
which only checks that the input is number.
Now new positive_integer_validator can also check that
the inputed number positive.

https://pagure.io/freeipa/issue/6980

Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
2017-07-19 09:26:40 +02:00
Pavel Vomacka
3cac851498 WebUI: Add positive number validator
Add new validator which inherits from integer validator
and checks whether the integer is positive.

https://pagure.io/freeipa/issue/6980

Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
2017-07-19 09:26:40 +02:00
Jan Cholasta
7f10a5145c pylint: enable logging checks
Enable the logging-not-lazy and logging-format-interpolation checks.

🕯

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
07229c8ff6 logging: do not use ipa_log_manager to create module-level loggers
Replace all `ipa_log_manager.log_mgr.get_logger` calls to create
module-level loggers with `logging.getLogger` calls and deprecate
`ipa_log_manager.log_mgr.get_logger`.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
7a482b7c72 logging: do not log into the root logger
Deprecate `ipa_log_manager.root_logger` and replace all calls to it with
module-level logger calls.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
ab9d1e75fc logging: do not reference loggers in arguments and attributes
Remove logger arguments in all functions and logger attributes in all
objects, with the exception of API object logger, which is now deprecated.
Replace affected logger calls with module-level logger calls.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
bccb243b05 doc: sync guide.org with cli.py
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
ffadcb0414 logging: remove object-specific loggers
Remove all object-specific loggers, with the exception of `Plugin.log`,
which is now deprecated. Replace affected logger calls with module-level
logger calls.

Deprecate object-specific loggers in `ipa_log_manager.get_logger`.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
9d19654cbd logging: use the actual root logger as the root logger
Use the actual root logger (`logging.getLogger()`) rather than the `ipa`
logger (or the `root` logger in case of ipa-ods-exporter) as the root
logger.

Always configure logging on the root logger.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
f62a0fdb90 logging: port to standard Python logging
Use the standard `logging` module to configure logging instead of the
in-house `ipapython.log_manager` module and remove `ipapython.log_manager`.

Disable the logging-not-lazy and logging-format-interpolation pylint
checks.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
464516489f logging: do not configure any handlers by default
Do not configure stderr handler by default and let the application do the
configuration.

Fix ipa-dnskeysync-replica and ipa-dnskeysyncd not to add stderr handler
twice.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
0562359f31 wsgi, oddjob: remove needless uses of Env
Do not use custom Env instance to determine the debug level to use for the
IPA API object - the IPA API object can properly determine the configured
debug level on its own.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Fraser Tweedale
227cf8d4e9
cert-request: simplify request processing
Currently the cert-request execution is complicated and cannot
handle aliases in the --principal argument.

Implement the following simplifications:

- Search all user/host/service accounts at once, by krbPrincipalName
  (error if no account found).  Use principal canonical name to
  determine the type of the principal.

- Update subject principals userCertificate attribute uniformly,
  instead of dispatching to user/host/service-mod based on type of
  principal.

Fixes: https://fedorahosted.org/freeipa/ticket/6531
Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
2017-07-14 09:24:20 +02:00
Tibor Dudlák
69d05b86b7
topology.py: Removes error message from dictionary.
IPA will not print error message header when maximum
number of agreements per replica exceeded in topology.

Resolves: https://pagure.io/freeipa/issue/6533
Reviewed-By: David Kupka <dkupka@redhat.com>
2017-07-14 09:23:17 +02:00
Stanislav Laznicka
a36f2aed63
Ensure network is online prior to an upgrade
Fedora system upgrades don't necessary require the network to be up.
However, we do, so we have to make sure the network is online before
performing an upgrade.

https://pagure.io/freeipa/issue/7039

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-07-14 09:20:40 +02:00
Martin Basti
041982f073
baseldap: fix format string
Fixes missing type specification in format string.

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-07-14 09:19:11 +02:00
Aleksei Slaikovskii
c39da523ad
ipapython/graph.py redundant variable fix
Changed deletion of edges in remove_vertex method because there's no
need to store redundant variable in memory.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 09:16:13 +02:00
Aleksei Slaikovskii
fe913b9c9f
ipapython/graph.py String formatting
Changed string formatting for Value Errors raise.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 09:16:13 +02:00
Aleksei Slaikovskii
52a435978b
ipapython/graph.py complexity optimization
Hi!

I've just read the code and I saw that graph bfs uses not optimal
for Python solution. So I've edited it with more optimal one.

https://pagure.io/freeipa/issue/7051

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 09:16:13 +02:00
Martin Basti
f18ce01355
IPAOptionParser: fix dict comprehension
The statement can be simplified and be more resources friendly

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-07-14 09:15:00 +02:00
Tomas Krizek
7f8d79f637
ipatests: do not finalize api when IPA is not configured
Pytest can be executed from a machine that doesn't have IPA configured.
In this case, api can't be finalized because values such as basedn are
unknown and missing.

Fixes https://pagure.io/freeipa/issue/7046

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 09:12:36 +02:00
Simo Sorce
c565fa1781 Always check peer has keys before connecting
When pulling the DM password we may have the same issues reported in
ticket #6838 for CA keys.
This commit makes sure we always check the peer has keys before any
client operation.

Ticket #6838

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
2017-07-13 10:04:11 +02:00
Felipe Volpone
be2fba08ce Adding section "Building FreeIPA from source" on README
https://pagure.io/freeipa/issue/6725

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-07-12 16:56:37 +02:00
Tibor Dudlák
19f3eda790 Add test: test_xmlrpc/test_whoami_plugin.py
Tests for whoami command with user,
host, and service principal's tgt.

Resolves: https://pagure.io/freeipa/issue/6745
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2017-07-12 15:54:55 +02:00
Martin Basti
aa1c0cf3e8 py3: run already ported scripts under py3 by default
To prevent regressions in py3, all ported scripts should be run by py3
by default.

This is temporary and will be removed once porting to py3 is done

https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-07-12 15:41:04 +02:00
Martin Basti
17103e53cb py3: temporary set dependencies to both py2 and py3 packages
We are slowly migrating python scripts to py3 and setting py3 as default
for them. Thus we need to depend on both py2 and py3 packages until
everything is migrated.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-07-12 15:41:04 +02:00
Alexander Bokovoy
3ab6a68e91 ipa-sam: use smbldap_set_bind_callback for Samba 4.7 or later
Samba 4.7 tightens up smbldap API by making 'struct smbldap_state' an
opaque. This means ipa-sam module cannot anymore directly set its
LDAP bind callback.

Use new smbldap API to set the LDAP bind callback.

Fixes https://pagure.io/freeipa/issue/6877

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-11 15:21:35 +02:00
Alexander Bokovoy
11d43a1603 ipa-sam: use own private structure, not ldapsam_privates
With Samba 4.7 access to ldapsam internal structures will not be
available for external applications. FreeIPA's ipasam module was using
those for own needs. Now it needs to migrate to proper own private
structure.

Given that we anyway need to implement many missing functions like
pdb_update_sam_account() callback with FreeIPA-specific logic,
piggybacking on ldapsam structures is not needed anymore.

Fixes https://pagure.io/freeipa/issue/6877

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-11 15:21:35 +02:00
Tibor Dudlák
17f03a7952 whoami.py: Type error when running tests
While test run the TypeError occured in whoami.validate_output().
There should be 'tuple' type in output too.

Fixes: https://pagure.io/freeipa/issue/7050
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-07 14:44:42 +02:00
Martin Babinsky
e2e380e83b Do not remove the old masters when setting the attribute fails
If the setting of server attribute fails (e.g. due to master not having
the associated role enabled) the error would pop up *after* the old
values were cleared from LDAP. Fix this behavior so that all checks are
performed before manipulating any data.

https://pagure.io/freeipa/issue/7029

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-04 14:42:43 +02:00
Martin Babinsky
f4d77533f5 *config-show: Do not show empty roles/attributes
If the role or attribute is empty (i.e. no server provides the role or
the caller has no read access to  the required information) do not
return empty attributes. This is consistent with other behavior
displayed by optional multivalued Params.

https://pagure.io/freeipa/issue/7029

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-04 14:42:43 +02:00
Tibor Dudlák
22b0ae440a Create indexes for 'serverhostname' attribute
IPA installation with large number of host entries gets timeout
when invoking ipaserver.plugins.host.get_dn() method.

Resolves: https://pagure.io/freeipa/issue/6939
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-04 14:40:52 +02:00
Jan Cholasta
ba3963b4dc config: provide defaults for xmlrpc_uri, ldap_uri and basedn
Derive the default value of `xmlrpc_uri` and `ldap_uri` from `server`.
Derive the default value of `basedn` from `domain`.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-07-04 12:06:33 +02:00
Petr Spacek
3f6411a49c ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri, ldap_uri
Domain, realm, basedn, xmlrpc_uri, ldap_uri do not have any reasonable default.
This patch removes hardcoded default so the so the code which depends
on these values blows up early and does not do crazy stuff
with default values instead of real ones.

This should help to uncover issues caused by improper ipalib
initialization.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-07-04 12:06:33 +02:00
Jan Cholasta
4736fef6bb ldap2: remove URI argument from ldap2 constructor
LDAPClient should be used for ad-hoc connections, so the argument is not
necessary, and currently also unused.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-07-04 12:06:33 +02:00
Jan Cholasta
8f849a77f5 test_ldap: drop redundant URI argument
Use the default LDAP URI from api.env.ldap_uri instead of specifying a
custom URI in the argument. The default URI might be ldapi://, so make sure
autobind is not attempted where the custom URI was ldap://.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-07-04 12:06:33 +02:00
Jan Cholasta
935fcaea2e {ca,kra}instance: drop redundant URI argument from ad-hoc ldap2 connections
Use the default LDAP URI from api.env.ldap_uri instead of specifying a
custom URI in the argument, as the custom URI is always the same as the
default URI.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-07-04 12:06:33 +02:00
Jan Cholasta
e9cb74fd27 user, migration: use LDAPClient for ad-hoc LDAP connections
Use LDAPClient instead of ldap2 for ad-hoc remote LDAP connections in the
user_status and migrate-ds plugins.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-07-04 12:06:33 +02:00
Martin Babinsky
53c5c0ad7b smart-card-advises: ensure that krb5-pkinit is installed on client
This library is a prerequisite for successful Smart Card authentication
on the client. The client-side advise should make sure this dependency
is present.

https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-04 09:48:04 +02:00
Martin Babinsky
e0cf7090f3 smart card advise: use password when changing trust flags on HTTP cert
This is to prevent NSS asking for database password when operating in
FIPS 140 mode.

https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-04 09:48:04 +02:00
Martin Babinsky
4d57aef7a5 smart card advises: use a wrapper around Bash for loops
Replace the raw `command` calls constructing the for loops in some
methods by a wrapper hiding this detail.

https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-04 09:48:04 +02:00