This patche removes 93 pylint deprecation warnings due to invalid escape
sequences (mostly 'invalid escape sequence \d') on unicode strings.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This patch removes a warning due to mixed usage of spaces and tabs
in freeipa.spec.in file.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add a new XMLRPC test in test_user_plugin:
- disable the UPG plugin
- create a user without the --gid parameter
as the default group for new users is not POSIX (ipausers), the
command is expected to fail
- create a user with the --gid parameter
The provided gid is used and command is expected to succeed
- create a user with the same name as an existing group
As the UPG plugin is disabled, the user creation will not trigger
the creation of a group with the same name, and command is
expected to succeed
- re-enable the UPG plugin for other tests
Related to: https://pagure.io/freeipa/issue/4972
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The UPG plugin is used to create a user private group when a new
IPA user is created, with the same name as the user. When this plugin
is enabled, the user creation must ensure that no group exists with
the same name.
When the UPG plugin is disabled, or when the user is created with the
--noprivate option, there is no need to perform this check as the
private group will not get created.
Currently, the --noprivate option correctly skips the test, but a
disabled UPG plugin does not skip the test. The fix ensures that
UPG plugin status is checked.
Fixes: https://pagure.io/freeipa/issue/4972
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Dogtag 10.7.3 adds AES support for key export, enabling lightweight
CA key replication to use AES. Bump the Requires min version.
Fixes: https://pagure.io/freeipa/issue/8020
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Update the ipa-pki-retrieve-key client to issue a request that
specifies that AES encryption should be used. If the server
responds 404, fall back to a request *without* an algorithm
parameter. This handles both of the possible 404 scenarios:
a) It is an old server that does not support extra Custodia key
parameters;
b) The server supports extra parameters but the key does not exist,
in which case the fallback request will also fail with 404.
Fixes: https://pagure.io/freeipa/issue/8020
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add support for Custodia ca_wrapped clients to specify the desired
symmetric encryption algorithm for exporting the wrapped signing key
(this mechanism is used for LWCA key replication). If not
specified, we must assume that the client has an older Dogtag
version that can only import keys wrapped with DES-EDE3-CBC
encryption.
The selected algorithm gets passed to the 'nsswrappedcert' handler,
which in turn passes it to the 'pki ca-authority-key-export' command
(which is part of Dogtag).
Client-side changes will occur in a subsequent commit.
Part of: https://pagure.io/freeipa/issue/8020
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
To support lightweight CA key replication using AES, while retaining
backwards compatibility with old servers, it is necessary to signal
support for AES. Whereas we currently request a key with the path:
/keys/ca_wrapped/<nickname>
and whereas paths with > 3 components are unsupported, add support
for handlers to signal that they support extra arguments (defaulting
to False), those arguments being conveyed as additional path
components, e.g.:
# 2.16.840.1.101.3.4.1.2 = aes128-cbc
/keys/ca_wrapped/<nickname>/2.16.840.1.101.3.4.1.2
This commit only adds the Custodia support for extra handler
arguments. Work to support LWCA key replication with AES wrapping
will continue in subsequent commits.
Part of: https://pagure.io/freeipa/issue/8020
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Helper scripts now use api.bootstrap(log=None) to avoid the creation of
log files. Helper scripts are typically executed from daemons which
perform their own logging. The helpers still log to stderr/stdout.
This also gets rid of some SELinux AVCs when the script tries to write
to /root/.ipa/.
Fixes: https://pagure.io/freeipa/issue/8075
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Docker utilizes its own way to provide DNS (hostname, hosts, NS).
By default, they are almost the same as the host's ones.
For instance, below is from AP container:
```
cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.2 ipa.example.test ipa
cat /etc/resolv.conf
nameserver 168.63.129.16
search hqdv2iuiph0ufpcrhp4amkgzwf.fx.internal.cloudapp.net
```
As a result FreeIPA uses 168.63.129.16 (AP DNS NS [1]) as a DNS forwarder.
It's not desirable to rely on this.
Let's clear test environment.
[1] https://docs.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16
Related: https://pagure.io/freeipa/issue/8077
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
When the --server option is provided to ipa-replica-install (1-step
install), make sure that the server offers all the required roles
(CA, KRA). If it's not the case, refuse the installation.
Note that the --server option is ignored when promoting from client to
replica (2-step install with ipa-client-install and ipa-replica-install),
meaning that the existing behavior is not changed in this use case:
by default the host specified in default.conf as server is used for
enrollment, but if it does not provide a required role, another host can
be picked for CA or KRA setup.
Fixes: https://pagure.io/freeipa/issue/7566
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
In the test_backup_and_restore, add a new test:
- before backup, save the content of /etc/pkcs11/modules/softhsm2.module
- after restore, ensure the file is present with the same content.
Related: https://pagure.io/freeipa/issue/8073
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ipa installer creates /etc/pkcs11/modules/softhsm2.module in order
to disable global p11-kit configuration for NSS.
This file was not included in the backups, and not restored.
The fix adds the file to the list of files to include in a backup.
Fixes: https://pagure.io/freeipa/issue/8073
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
lcontext may be NULL here, probably due to a restarted 389ds. Based on
a patch by Rob Crittenden.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
If a certmonger CA is not defined but is referenced within
a request (so was removed sometime after a request was
created) then anything that pulls all certmonger requests would
fail with the cryptic error:
"Failed to get request: bus, object_path and dbus_interface
must not be None."
This was often seen during upgrades.
Catch this specific condition and report a more specific error
so the user will have some bread crumb to know how to address
the issue.
https://pagure.io/freeipa/issue/7870
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Regression test for https://pagure.io/freeipa/issue/8044
If there is a timeout during a request to SSSD the extdom plugin
should not return error 'No such object' and the existing
user should not be added to negative cache on the client.
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
It was executed after restore_all_files() so PKCS11_MODULES was
already restored so that part was a no-op, but the redhat
restore_pkcs11_modules() also calls unlink() on each restored
file so basically the file would be restored, unlinked, then
since it was already restored, skipped.
By moving the call to restore_pkcs11_modules() earlier it can
do the expected restoration properly.
https://pagure.io/freeipa/issue/8034
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The host password was defined as a Str type so would be
logged in cleartext in the Apache log.
A new class, HostPassword, was defined to only override
safe_value() so it always returns an obfuscated value.
The Password class cannot be used because it has special treatment
in the frontend to manage prompting and specifically doesn't
allow a value to be passed into it. This breaks backwards
compatibility with older clients. Since this class is derived
from Str old clients treat it as a plain string value.
This also removes the search option from passwords.
https://pagure.io/freeipa/issue/8017
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The tests check that auth cache
* is disabled by default
* is working when enabled
* expires after specified time
* is inherited by trusted domain
Related to: https://bugzilla.redhat.com/1685581
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Added utilities for working with remote hosts
* backup and restore files
* modify .ini files
* check if selinux is enabled
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
"New Test" action cleared only information about selected options but kept
radio buttons checked. It confused users and caused an error on validation step.
New behaviour is:
- tables forget all selected values after "New Test" click;
- first table record is checked initially in case the option is mandatory;
- all records is unchecked initially in case the option is not mandatory.
Ticket: https://pagure.io/freeipa/issue/8031
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
No object can be added to a rule when object category is 'all'.
So while editing rule there is needed to save actual category value
before adding related objects.
Ticket: https://pagure.io/freeipa/issue/7961
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
If trusted domain object (TDO) is lacking ipaAllowedToPerform;read_keys
attribute values, it cannot be used by SSSD to retrieve TDO keys and the
whole communication with Active Directory domain controllers will not be
possible.
This seems to affect trusts which were created before
ipaAllowedToPerform;read_keys permission granting was introduced
(FreeIPA 4.2). Add back the default setting for the permissions which
grants access to trust agents and trust admins.
Resolves: https://pagure.io/freeipa/issue/8067
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
It looks like for some cases we do not have proper set up keytab
retrieval configuration in the old trusted domain object. This mostly
affects two-way trust cases. In such cases, create default configuration
as ipasam would have created when trust was established.
Resolves: https://pagure.io/freeipa/issue/8067
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Sometimes the gating tasks (build and jobs) are blocked because of nightly
regression remaining tasks are in progress. The reason is because nightly
regressions are not finished or they are re-triggered during day-time.
Gating tasks are blocked because they have same priority than nightly tasks.
This commit increases gating tasks priority so the testing of pull requests
will not be blocked anymore.
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Old implementation handles username and group names with
one common call. Character @ is used in the call to detect UPN.
Group name can legaly contain this character and therefore the
common approach doesn't work in such case.
Also the original call is less efficient because it tries to resolv
username allways then it fallback to group resolution.
Here we implement two new separate calls for resolving users and
groups.
Fixes: https://bugzilla.redhat.com/1746951
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The implementation includes checking password policy for selected user.
'Unlock' option is available only in case user reached a limit of login failures.
Ticket: https://pagure.io/freeipa/issue/5062
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Fixup for commit eb2313920e.
configparser's set() method does not convert boolean to string
automatically. Use string '"False"', which is then interpreted as
boolean 'False' by getboolean().
Related: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
We created a Kerberos kdcpolicy plugin to enforce user
pre-authentication policy for newly added pkinit and hardened policy.
In the past version of freeIPA, password enforcement exists but was done
by removing key data for a principal while parsing LDAP entry for it.
This hack is also removed and is now also enforced by kdcpolicy plugin
instead.
Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
As new authentication indicators implemented, we also modified server
API to support those new values. Also, "krbprincipalauthind" attribute
is modified to use a pre-defined set of values instead of arbitrary
strings.
Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
As of release 1.17, KDC can be configured to apply authentication
indicator for SPAKE, PKINIT, and encrypted challenge preauth via
FAST channel, which are not configured in current version of freeIPA.
Note that even though the value of encrypted_challenge_indicator is
attached only when encrypted challenge preauth is performed along
a FAST channel, it's possible to perform FAST without encrypted
challenge by using SPAKE. Since there is no reason to force clients
not to use SPAKE while using FAST, we made a design choice to merge
SPAKE and FAST in a new option called "Hardened Password", which
requires user to use at least one of SPAKE or FAST channel. Hence
same value attaching to both spake_preauth_indicator and
encrypted_challenge_indicator.
Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
When parsing a keytab to copy keys to a different keytab, we don't need
the timestamp, so don't ask klist to output it. In some locales (en_IN,
for example), the timestamp is output in a single field without a space
between date and time. In other locales it can be represented with date
and time separated by a space.
Fixes: https://pagure.io/freeipa/issue/8066
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
