Commit Graph

9406 Commits

Author SHA1 Message Date
Petr Spacek
8fefd63152 p11helper: clarify error message
https://fedorahosted.org/freeipa/ticket/4657

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-03-06 10:58:10 +01:00
Petr Spacek
40f56e5f38 p11helper: use sizeof() instead of magic constants
https://fedorahosted.org/freeipa/ticket/4657

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-03-06 10:58:10 +01:00
Petr Spacek
a6d7e8df60 p11helper: standardize indentation and other visual aspects of the code
https://fedorahosted.org/freeipa/ticket/4657

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-03-06 10:58:10 +01:00
Martin Basti
4e2ddfb553 Remove unused method from ipap11pkcs helper module
Ticket: https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-03-06 10:54:21 +01:00
Martin Basti
508ad92b71 Fix memory leaks in ipap11helper
Ticket: https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-03-06 10:54:21 +01:00
Martin Basti
c411d6a908 DNSSEC add support for CKM_RSA_PKCS_OAEP mechanism
Ticket: https://fedorahosted.org/freeipa/ticket/4657#comment:13
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-03-06 10:54:21 +01:00
Timo Aaltonen
43f0418d63 sort freeipa-tests deps 2015-03-05 15:50:32 +02:00
Timo Aaltonen
d275653d61 control: Fix freeipa-tests depends. 2015-03-05 15:49:14 +02:00
root
5c3611481a Limit deadlocks between DS plugin DNA and slapi-nis
Deadlock can occur if DNA plugin (shared) config and Schema-compat plugin config
are updated at the same time.
Schema-compat should ignore update on DNA config.

https://fedorahosted.org/freeipa/ticket/4927

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-03-05 13:34:25 +00:00
Timo Aaltonen
2a677a5a05 add a TODO file 2015-03-05 15:27:03 +02:00
David Kupka
253f9adae7 Restore default.conf and use it to build API.
When restoring ipa after uninstallation we need to extract and load
configuration of the restored environment.

https://fedorahosted.org/freeipa/ticket/4896

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-03-05 12:18:00 +00:00
David Kupka
0344f246c2 Use IPA CA certificate when available and ignore NO_TLS_LDAP when not.
ipa-client-automount is run after ipa-client-install so the CA certificate
should be available. If the certificate is not available and ipadiscovery.ipacheckldap
returns NO_TLS_LDAP warn user and try to continue.

https://fedorahosted.org/freeipa/ticket/4902

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2015-03-05 10:59:01 +01:00
Timo Aaltonen
4c24e667e7 Merge branch 'master' into master-next 2015-03-05 00:33:32 +02:00
Timo Aaltonen
5983241bea Merge branch 'upstream' into master-next 2015-03-05 00:33:22 +02:00
Timo Aaltonen
997da94cd0 releasing package freeipa version 4.0.5-3 2015-03-04 14:52:46 +02:00
Timo Aaltonen
122e36a6b4 fix stack size env typo 2015-03-04 14:35:20 +02:00
Timo Aaltonen
a935b07a70 freeipa-client.postinst: Fix bashism with echo. (Closes: #772242) 2015-03-04 12:27:33 +02:00
Timo Aaltonen
d80f5e3046 freeipa-client.postrm: Remove nssdb files on purge. (Closes: #775387) 2015-03-04 12:17:56 +02:00
Timo Aaltonen
d6095cbb02 rules: Set JAVA_STACK_SIZE to hopefully avoid FTBFS on exotic archs. 2015-03-04 12:11:27 +02:00
Gabe
ddd7fb6a68 ipatests: Add tests for valid and invalid ipa-advise
- Add test for invalid run of the ipa-advise command
- Add tests for valid runs of the ipa-advise command

https://fedorahosted.org/freeipa/ticket/4029

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-02-26 20:57:49 +01:00
Gabe
3ab7f551f8 ipa-replica-prepare should document ipv6 options
https://fedorahosted.org/freeipa/ticket/4877

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-02-26 00:55:30 +01:00
Sumit Bose
e8b3ed3596 ipa-range-check: do not treat missing objects as error
Currently the range check plugin will return a 'Range Check error'
message if an ldapmodify operation tries to change a non-existing object.
Since the range check plugin does not need to care about non-existing
objects we can just return 0 indicating that the range check plugin has
done its work.

Resolves https://fedorahosted.org/freeipa/ticket/4924

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-02-24 22:47:36 +01:00
Tomas Babej
96624f2189 idviews: Use case-insensitive detection of Default Trust View
The usage of lowercased version of 'Default Trust View' can no
longer be used to bypass the validation.

https://fedorahosted.org/freeipa/ticket/4915

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-02-23 17:51:21 +01:00
Simo Sorce
840903c497 Stop including the DES algorithm from openssl.
Since we dropped support for LANMAN hashes we do not need DES from OpenSSL
anymore. Stop including and testing for it.
Test for the MD4 algorithm instead, which is still used for the NT Hashes.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2015-02-23 16:27:22 +01:00
Simo Sorce
ecbef04692 Add a clear OpenSSL exception.
We are linking with OpenSSL in 2 files, so make it clear we intentionally
add a GPLv3 exception to allow that linking by third parties.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2015-02-23 16:25:54 +01:00
Martin Kosek
4ddcca6435 Remove references to GPL v2.0 license
All FreeIPA original code should be licensed to GPL v3+ license,
update the respective files:

- daemons/ipa-slapi-plugins/ipa-dns/ipa_dns.c

Remove GPL v2.0 license files from LDIFs or template to keep
consistency.

Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-02-20 15:40:42 +01:00
Tomas Babej
73f6d69adf ipalib: Make sure correct attribute name is referenced for fax
Fixes the invalid attribute name reference in the
'System: Read User Addressbook Attributes' permission.

https://fedorahosted.org/freeipa/ticket/4883

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-02-19 18:36:16 +01:00
Tomas Babej
6667701315 ipatests: Add coverage for adding and removing sshpubkeys in ID overrides
Adds xmlrpc tests for:
  - Adding a user ID override with sshpubkey
  - Modifying a user ID override to contain sshpubkey
  - Removing a sshpubkey value from a user ID override

https://fedorahosted.org/freeipa/ticket/4868

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2015-02-19 17:03:06 +01:00
Petr Vobornik
bfef4d2496 ipatests: add missing ssh object classes to idoverrideuser
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2015-02-19 17:03:06 +01:00
Petr Vobornik
7f560c5da1 Become IPA 4.1.3 2015-02-18 14:18:54 +01:00
Martin Babinsky
c985de1ee6 Changing the token owner changes also the manager
This works if the change is made to a token which is owned and managed by the
same person. The new owner then automatically becomes token's manager unless
the attribute 'managedBy' is explicitly set otherwise.

https://fedorahosted.org/freeipa/ticket/4681

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2015-02-18 13:55:27 +01:00
Martin Kosek
2dd54c9f33 group-detach does not add correct objectclasses
https://fedorahosted.org/freeipa/ticket/4874

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-02-18 13:18:31 +01:00
Petr Vobornik
f1abbbca45 Fix TOTP Synchronization Window label
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2015-02-17 08:26:42 +01:00
Gabe
0ffe759d09 permission-add does not prompt for ipapermright in interactive mode
- Add flag "ask_create" to ipalib/plugins/permission.py
- Bump API version

https://fedorahosted.org/freeipa/ticket/4872

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-02-16 16:39:37 +01:00
Martin Babinsky
f7e6102ebf migrate-ds: exit with error message if no users/groups to migrate are found
'ipa migrate-ds' will now exit with error message if no suitable users/groups
are found on LDAP server during migration.

https://fedorahosted.org/freeipa/ticket/4846

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-02-16 16:33:46 +01:00
Alexander Bokovoy
6d6e924b1f ipa-kdb: reject principals from disabled domains as a KDC policy
Fixes https://fedorahosted.org/freeipa/ticket/4788

Reviewed-By: Sumit Bose <sbose@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-02-16 16:30:57 +01:00
Alexander Bokovoy
0d3b4cd3ec ipa-kdb: when processing transitions, hand over unknown ones to KDC
When processing cross-realm trust transitions, let the KDC handle
those we don't know about. Admins might define the transitions as
explicit [capaths] in krb5.conf.

https://fedorahosted.org/freeipa/ticket/4791

Reviewed-By: Sumit Bose <sbose@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-02-16 16:29:59 +01:00
Simo Sorce
6162426999 Handle DAL ABI change in MIT 1.13
In this new MIT version the DAL interface changes slightly but
KRB5_KDB_DAL_MAJOR_VERSION was not changed.

Luckily KRB5_KDB_API_VERSION did change and that's enough to know
what to compile in.

Resolves: https://fedorahosted.org/freeipa/ticket/4861

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-02-13 08:54:34 +01:00
Jan Cholasta
caf70a11b2 Bump 389-ds-base and pki-ca dependencies for POODLE fixes
https://fedorahosted.org/freeipa/ticket/4653

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-02-10 15:37:41 +00:00
Martin Basti
2f4ed3cb32 Fix reference counting in pkcs11 extension
* removed unneeded reference increment
* added increment of Py_None

Part of ticket: https://fedorahosted.org/freeipa/ticket/4657

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-02-10 15:30:38 +00:00
Martin Babinsky
919f0db93f ipa-client-install: put eol character after the last line of altered config file(s)
https://fedorahosted.org/freeipa/ticket/4864

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-02-10 12:54:29 +01:00
Gabe
d251e5219e Typos in ipa-rmkeytab options help and man page
https://fedorahosted.org/freeipa/ticket/4890

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2015-02-10 08:30:46 +01:00
Martin Babinsky
5bad375656 OTP: emit a log message when LDAP entry for config record is not found
This patch proposes a fix to the following defect found by covscan of FreeIPA
master code:

"""
Error: CHECKED_RETURN (CWE-252):
/daemons/ipa-slapi-plugins/libotp/otp_config.c:239: check_return: Calling
"slapi_search_internal_get_entry" without checking return value (as is done
elsewhere 14 out of 16 times).
/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c:402:
example_checked: Example 1: "slapi_search_internal_get_entry(sdn, NULL,
&config_entry, ipaenrollment_plugin_id)" has its value checked in "(rc =
slapi_search_internal_get_entry(sdn, NULL, &config_entry,
ipaenrollment_plugin_id)) != 0".
/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c:207: example_assign:
Example 2: Assigning: "ret" = return value from
"slapi_search_internal_get_entry(sdn, NULL, &config_entry, getPluginID())".
/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c:212: example_checked:
Example 2 (cont.): "ret" has its value checked in "ret".
/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c:651: example_assign: Example
3: Assigning: "search_result" = return value from
"slapi_search_internal_get_entry(sdn, attrlist, e2, ipapwd_plugin_id)".
/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c:653: example_checked:
Example 3 (cont.): "search_result" has its value checked in "search_result !=
0".
/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:1035: example_assign:
Example 4: Assigning: "ret" = return value from
"slapi_search_internal_get_entry(tmp_dn, NULL, &pwdop->pwdata.target,
ipapwd_plugin_id)".
/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:1039:
example_checked: Example 4 (cont.): "ret" has its value checked in "ret != 0".
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:817: example_assign: Example 5:
Assigning: "ret" = return value from "slapi_search_internal_get_entry(tmp_dn,
NULL, &e, getPluginID())".
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:820: example_checked: Example 5
(cont.): "ret" has its value checked in "ret == 10".
"""

The patch is a part of series related to
https://fedorahosted.org/freeipa/ticket/4795

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-01-30 11:02:16 +01:00
Martin Babinsky
f28facb3f9 ipa-uuid: emit a message when unexpected mod type is encountered
This patch is related to the following defect reported by covscan of FreeIPA
master code:

"""
Error: DEADCODE (CWE-561): /daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:796:
cond_const: Condition "modtype != 1", taking false branch. Now the value of
"modtype" is equal to 1.
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:796:
cond_const: Condition "modtype != 4", taking false branch. Now the value of
"modtype" is equal to 4.
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:941:
equality_cond: Jumping to case "1".
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:957: equality_cond: Jumping to
case "4".
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:940: intervals: When
switching on "modtype", the value of "modtype" must be in one of the following
intervals: {[1,1], [4,4]}.
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:940: dead_error_condition: The
switch value "modtype" cannot reach the default case.
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:1031: dead_error_begin:
Execution cannot reach this statement: "default:".
"""

The patch is a part of series related to
https://fedorahosted.org/freeipa/ticket/4795

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-01-30 11:02:16 +01:00
Martin Babinsky
b5d29c7774 ipa-pwd-extop: added an informational comment about intentional fallthrough
This patch is related to this defect reported by covscan in FreeIPA code:

"""
Error: MISSING_BREAK (CWE-484):
/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:631: unterminated_case: The
case for value "2" is not terminated by a 'break' statement.
/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:638: fallthrough: The above
case falls through to this one.
"""

Added a comment informing about intentional fallthrough in this place, so that
future generations reading the code don't get confused.

The patch is the part of a series related to
https://fedorahosted.org/freeipa/ticket/4795

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-01-30 11:02:16 +01:00
Martin Babinsky
8242660cba OTP: failed search for the user of last token emits an error message
This patch fixes the following defect reported by covscan:

"""
Error: CHECKED_RETURN (CWE-252):
/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c:119:
check_return: Calling "slapi_search_internal_get_entry" without checking
return value (as is done elsewhere 14 out of 16 times).
/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c:402:
example_checked: Example 1: "slapi_search_internal_get_entry(sdn, NULL,
&config_entry, ipaenrollment_plugin_id)" has its value checked in "(rc =
slapi_search_internal_get_entry(sdn, NULL, &config_entry,
ipaenrollment_plugin_id)) != 0".
/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c:207:
example_assign: Example 2: Assigning: "ret" = return value from
"slapi_search_internal_get_entry(sdn, NULL, &config_entry, getPluginID())".
/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c:212:
example_checked: Example 2 (cont.): "ret" has its value checked in "ret".
/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c:651:
example_assign: Example 3: Assigning: "search_result" = return value from
"slapi_search_internal_get_entry(sdn, attrlist, e2, ipapwd_plugin_id)".
/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c:653:
example_checked: Example 3 (cont.): "search_result" has its value checked in
"search_result != 0".
/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:1035:
example_assign: Example 4: Assigning: "ret" = return value from
"slapi_search_internal_get_entry(tmp_dn, NULL, &pwdop->pwdata.target,
ipapwd_plugin_id)".
/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:1039:
example_checked: Example 4 (cont.): "ret" has its value checked in "ret != 0".
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:817:
example_assign: Example 5: Assigning: "ret" = return value from
"slapi_search_internal_get_entry(tmp_dn, NULL, &e, getPluginID())".
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:820:
example_checked: Example 5 (cont.): "ret" has its value checked in "ret ==
10".
"""

This patch is a part of a series related to
https://fedorahosted.org/freeipa/ticket/4795

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-01-30 11:02:16 +01:00
Martin Babinsky
b0a8623a8f ipa-kdb: more robust handling of principal addition/editing
The patch addresses the following defect reported by covscan in FreeIPA
master:

"""
Error: FORWARD_NULL (CWE-476):
/daemons/ipa-kdb/ipa_kdb_principals.c:1886: assign_zero: Assigning:
"principal" = "NULL".
/daemons/ipa-kdb/ipa_kdb_principals.c:1929:
var_deref_model: Passing null pointer "principal" to "ipadb_entry_to_mods",
which dereferences it.
/daemons/ipa-kdb/ipa_kdb_principals.c:1491:9:
deref_parm_in_call: Function "ipadb_get_ldap_mod_str" dereferences
"principal".
/daemons/ipa-kdb/ipa_kdb_principals.c:1174:5:
deref_parm_in_call: Function "strdup" dereferences "value"
"""

This is a part of series of patches related to
https://fedorahosted.org/freeipa/ticket/4795

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-01-30 11:02:16 +01:00
Martin Babinsky
8e56f49c29 always get PAC for client principal if AS_REQ is true
This patch proposes a fix for the following defect reported by covscan in
FreeIPA master code:

"""
Error: DEADCODE (CWE-561):
/daemons/ipa-kdb/ipa_kdb_mspac.c:2013: assignment: Assigning: "client_entry" =
"NULL".
/daemons/ipa-kdb/ipa_kdb_mspac.c:2077: null: At condition
"client_entry", the value of "client_entry" must be "NULL".
/daemons/ipa-kdb/ipa_kdb_mspac.c:2077: dead_error_condition: The condition
"client_entry" cannot be true.
/daemons/ipa-kdb/ipa_kdb_mspac.c:2077:
dead_error_line: Execution cannot reach the expression "client_entry" inside
this statement: "kerr = ipadb_get_pac(contex...".
"""

This is a part of a series of patches related to
https://fedorahosted.org/freeipa/ticket/4795

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-01-30 11:02:16 +01:00
Martin Babinsky
e38c13e37a ipa-kdb: unexpected error code in 'ipa_kdb_audit_as_req' triggers a message
This patch is related to this defect reported by covscan on FreeIPA master:

"""
Error: DEADCODE (CWE-561):
/daemons/ipa-kdb/ipa_kdb_audit_as.c:42: cond_const: Condition "error_code !=
-1765328353L", taking false branch. Now the value of "error_code" is equal to
-1765328353.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:42: cond_const: Condition
"error_code != -1765328360L", taking false branch. Now the value of
"error_code" is equal to -1765328360.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:42:
cond_const: Condition "error_code != 0", taking false branch. Now the value of
"error_code" is equal to 0.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:71:
intervals: When switching on "error_code", the value of "error_code" must be
in one of the following intervals: {[-1765328360,-1765328360],
[-1765328353,-1765328353], [0,0]}.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:71:
dead_error_condition: The switch value "error_code" cannot reach the default
case.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:123: dead_error_begin: Execution
cannot reach this statement: "default:".
"""

This patch is a part of series related to
https://fedorahosted.org/freeipa/ticket/4795.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-01-30 11:02:16 +01:00
Martin Basti
031bdca030 Use dyndns_update instead of deprecated sssd option
ipa_dyndns_update is deprecated in SSSD, dyndns_update should be used
instead.

https://fedorahosted.org/freeipa/ticket/4849

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-01-28 14:28:33 +01:00