If ipa-pki-retrieve-key fails for some reason (which may be a
"legitimate" reason, e.g. the server it is attempting to contact
being offline), the program terminates with an uncaught exception,
resulting in crash report.
Catch all exceptions; if an exception gets raised, report the
traceback and exit with nonzero status.
Fixes: https://pagure.io/freeipa/issue/7115
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
threading.Lock() in ipa-replica-conncheck is an alias to
thread.allocate_lock() which creates a LockType object.
This object is an actual context manager but the alias
seems to confuse pylint a bit.
https://pagure.io/freeipa/issue/6874
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When calling reset password the whoami command is not called in batch
command, therefore the result is different then in calling
during reset password operation. That needs to be handled to properly
set entity_show method which needs to be called after to gather
data about logged in entity.
https://pagure.io/freeipa/issue/7143
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The batch param is not used anywhere therefore we can remove it.
https://pagure.io/freeipa/issue/7143
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When first installation of IPA has been done when whoami
plugin was not enabled in DS by default and then IPA was
upgraded to newer versions, then after upgrade to IPA 4.5
WebUI stops working. This is caused by new requirement on
whoami DS plugin which is used to obtain information about
logged in entity.
This fix adds the whoami plugin during update in case that the plugin
is not enabled.
https://pagure.io/freeipa/issue/7126
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
When running ``ipa-cacert-manage renew --external-ca`` with an IPA
CA having a subject DN that does not correspond to ``CN=Certificate
Authority, {subject-base}``, the CSR for submission to the external
CA does not generated. dogtag-ipa-ca-renew-agent-submit is wrongly
assuming the default form of the CA subject DN.
Update dogtag-ipa-ca-renew-agent-submit to look up the actual
subject DN.
Fixes: https://pagure.io/freeipa/issue/7123
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
In case that there are no actions specified in spec object, the concatenation
of arrays causes that 'undefined' item is added into the array.
https://pagure.io/freeipa/issue/7052
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
There was a bug that when user switch between two facets where is
required field and in one of them is writable and in second one
is not writable, then the asterisk which marks required field is
not shown. i.e. admin vs. user details page or global_passwd_policy
vs. other_passwd_policy details page.
That was caused by incorrect evaluation of required state of field.
Evaluation works that way: evaluate old required state, then evaluate
current required state and if states has changed then emit change event.
The evaluation depends on writable and read_only state of field.
Those two states are set before evaluation of required state, but
their old values (for evaluating previous required stated) were
not stored anywhere.
This commit adds two attributes which stores old writable
and read_only states. The required asterisk is then shown correctly.
https://pagure.io/freeipa/issue/6849
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Update link to our FreeIPA wiki page where unit tests are described.
The description of how to run those test was also updated.
https://pagure.io/freeipa/issue/6974
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Adds missing import which extends jquery's element with alert method.
Also fixes setting of breadcrumb and tabs in details spec - the code changes
behavior.
https://pagure.io/freeipa/issue/6974
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Link widget creates only one <label> and one <a> element not more as before.
Test changed accordingly.
https://pagure.io/freeipa/issue/6974
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Aci_widget doesn't use table elements anymore. Whole widget is created from
list element. Change in tests needed.
https://pagure.io/freeipa/issue/6974
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Register also details module to provide all objects from that module.
https://pagure.io/freeipa/issue/6974
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Basically add API version into the API request. The API version was not
required before.
https://pagure.io/freeipa/issue/6974
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
All files are up to date and there are only files which are needed for unit tests.
https://pagure.io/freeipa/issue/6974
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
The plugins symlink points to non-existing directory and is currently
not used. It also causes errors in freeipa-pr-ci during creating
tarball.
https://pagure.io/freeipa/issue/6447
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
This reverts commit 24525fd086.
The reverted commit removed symlinks which allowed unit tests to
access FreeIPA code.
https://pagure.io/freeipa/issues/6447
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Since ipaapi user is now created during RPM install and not in runtime,
we may switch back to shipping tmpfiles.d configuration directly in RPMs
and not create it in runtime, which is a preferred way to handle drop-in
configuration anyway.
This also means that the drop-in config will be shipped in /usr/lib
instead of /etc according to Fedora packaging guidelines.
This partially reverts commit 38c66896de.
https://pagure.io/freeipa/issue/7053
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Fix certificate renewal scripts that use IPACertificate object:
- renew_ca_cert adds the C flag to the trust flags and needs to
be adapted to IPACertificate object
- ipa-cacert-manage: fix python3 encoding issue
https://pagure.io/freeipa/issue/7106
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
During recent refactoring, a workaround was added to make it
possible for OpenSSL backend of python-cryptography to read PEM
certificates returned by dogtag-ipa-renew-agent-submit. This was
fixed in latest certmonger version.
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
ipa-server-upgrade fails when running the ipaload_cacrt plugin. The plugin
finds all CA certificates in /etc/httpd/alias and uploads them in LDAP
below cn=certificates,cn=ipa,cn=etc,$BASEDN.
The issue happens because there is already an entry in LDAP for IPA CA, but
with a different DN. The nickname in /etc/httpd/alias can differ from
$DOMAIN IPA CA.
To avoid the issue:
1/ during upgrade, run a new plugin that removes duplicates and restarts ldap
(to make sure that uniqueness attr plugin is working after the new plugin)
2/ modify upload_cacert plugin so that it is using $DOMAIN IPA CA instead of
cn=$nickname,cn=ipa,cn=etc,$BASEDN when uploading IPA CA.
https://pagure.io/freeipa/issue/7125
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
This commit fixes requesting certificates via certmonger in Python 3.
This includes dogtag-ipa-ca-renew-agent-submit script and scripts
used during the scripts restarting.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
If CERTMONGER_CERTIFICATE is not set in certain scenario, the
code would fail since None cannot be passed to loading certificates.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The recent certificate refactoring assures that ipaldap operations
are able to work with IPACertificate values when communication with
the LDAP server. Use these capabilities and prevent possible bugs.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This was a forgotten part from previous certificate refactoring which
would cause issues since the second part of results throughout the
dogtag-ipa-ca-renew-agent-submit is expected to be a string.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Previously all columns was shown as links, that was caused by setting
link attribute of each column to true. This true value was there because
of possibility to turn off links in whole table on self-service pages.
Now only column which is primary key is set to be shown as link.
https://pagure.io/freeipa/issue/7066
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
traceback.format_exc() does not take exception object as an argument.
This made Python 3 get stuck amid ipa-replica-conncheck, probably
because it was waiting for a thread to finish.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
The latest version of caIPAserviceCert profile includes a feature
that is not available before Dogtag 10.4, and this version of the
profile is intended for new installs only (otherwise, problems will
arise in topologies containing CA replicas at an earlier version).
But IPA versions before v4.2 did not use LDAP-based profiles, so the
new version of the profile gets imported when upgrading from
pre-v4.2 to v4.5 or later.
We do not yet have a proper version- and topology-aware profile
update mechanism, so to resolve this issue, ship the older version
of the profile alongside the newer version, and make sure we use the
older version when importing the profile in an upgrade context.
https://pagure.io/freeipa/issue/7097
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
host_port_open copied logging behavior of ipa-replica-conncheck utility
which doesn't make it much reusable.
Now log level can be controlled from caller so other callers might use
other logging level without host_port_open guessing what was the
intention.
https://pagure.io/freeipa/issue/7083
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
It's nearly impossible to find out what happened when doing
replica connection check and it fails during the RPC phase.
The error is now logged.
Reviewed-By: Martin Basti <mbasti@redhat.com>
When version is mismatched and ipa-server-upgrade is required,
log the version mismatch properly in journal.
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
certmonger returns PEM certificates with an additional newline
after the base64 encoded cert, remove it
https://pagure.io/freeipa/issue/4985
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
jslint warned about parsing string to integer without explicit radix.
This error was introduced in commit 3cac851 .
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Previously, this configuration field was validated by integer_validator
which only checks that the input is number.
Now new positive_integer_validator can also check that
the inputed number positive.
https://pagure.io/freeipa/issue/6980
Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
Add new validator which inherits from integer validator
and checks whether the integer is positive.
https://pagure.io/freeipa/issue/6980
Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
Remove logger arguments in all functions and logger attributes in all
objects, with the exception of API object logger, which is now deprecated.
Replace affected logger calls with module-level logger calls.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Do not use custom Env instance to determine the debug level to use for the
IPA API object - the IPA API object can properly determine the configured
debug level on its own.
Reviewed-By: Martin Basti <mbasti@redhat.com>
IPA installation with large number of host entries gets timeout
when invoking ipaserver.plugins.host.get_dn() method.
Resolves: https://pagure.io/freeipa/issue/6939
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add `includedir /etc/krb5.conf.d` to /etc/krb5.conf only if
/etc/krb5.conf.d exists.
Do not rely on /etc/krb5.conf.d to enable the certauth plugin.
This fixes install on platforms which do not have /etc/krb5.conf.d.
https://pagure.io/freeipa/issue/6589
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
python3-mod_wsgi expects that the application() method returns
bytes otherwise it breaks.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
The CommonNameToSANDefault component was added to Dogtag 10.4. When
a profile is configured to use it, this profile copies the CN in the
certificate to the Subject Alternative Name extension as a dNSName
(if and only if it does look like a DNS name).
It is desirable that the default service profile use this component.
Add it to the default profile, for new installations only. For
existing installations, until a proper profile update mechanism is
implemented, administrators who wish to use it must configure it via
the 'certprofile-mod' command.
Fixes: https://pagure.io/freeipa/issue/7007
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The cert-find command now uses the proxy to reach Dogtag, instead of using
the port 8080. In order to accomplish that, it's necessary to change the
proxy configuration including the URL called.
https://pagure.io/freeipa/issue/6966
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
There have been several instances of people using the profile
configuration template files as actual profile configurations,
resulting in failures and support load. Add a README to the profile
template directory to explain that these files should not be used
and advise of the recommend procedure.
Fixes: https://pagure.io/freeipa/issue/7014
Reviewed-By: Martin Basti <mbasti@redhat.com>
