Commit Graph

3097 Commits

Author SHA1 Message Date
Simo Sorce
4fd89833ee Add a new user to run the framework code
Add the apache user the ipawebui group.
Make the ccaches directory owned by the ipawebui group and make
mod_auth_gssapi write the ccache files as r/w by the apache user and
the ipawebui group.
Fix tmpfiles creation ownership and permissions to allow the user to
access ccaches files.
The webui framework now works as a separate user than apache, so the certs
used to access the dogtag instance need to be usable by this new user as well.
Both apache and the webui user are in the ipawebui group, so use that.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Simo Sorce
b6741d81e1 Use Anonymous user to obtain FAST armor ccache
The anonymous user allows the framework to obtain an armor ccache without
relying on usable credentials, either via a keytab or a pkinit and
public certificates. This will be needed once the HTTP keytab is moved away
for privilege separation.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Simo Sorce
c894ebefc5 Change session handling
Stop using memcache, use mod_auth_gssapi filesystem based ccaches.
Remove custom session handling, use mod_auth_gssapi and mod_session to
establish and keep a session cookie.
Add loopback to mod_auth_gssapi to do form absed auth and pass back a
valid session cookie.
And now that we do not remove ccaches files to move them to the
memcache, we can avoid the risk of pollutting the filesystem by keeping
a common ccache file for all instances of the same user.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Christian Heimes
8d3bea8acc Ditch version_info and use version number from ipapython.version
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-02-10 16:16:44 +01:00
Christian Heimes
e6129a76e7 Stable _is_null check
Avoid comparison of bytes with int in _is_null() check. b'' == 0
triggers a BytesWarning.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-02-10 16:16:44 +01:00
Christian Heimes
3d9bec2e87 cryptography has deprecated serial in favor of serial_number
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-02-10 16:16:44 +01:00
Christian Heimes
a33b25dea9 Enable additional warnings (BytesWarning, DeprecationWarning)
Closes: https://fedorahosted.org/freeipa/ticket/6631
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-02-10 16:16:44 +01:00
Martin Basti
387a1513bb DNSSEC: forwarders validation improvement
Some DNS servers behaves oddly and instead sending result without RRSIG records
don't reply at all when DNSSEC flag is enabled (timeout). Instead of
hard error IPA should this handle as DNSSEC error and continue with
installation/adding forwarders.

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-02-08 15:59:41 +01:00
Martin Basti
4c84341b8b py3: send Decimal number as string instead of base64 encoded value
for Decimal only from client to server direction uses __base64__
notation. Server replies with pure string for Decimal data, and also
server is able to parse string and create decimal values where needed.

without this we need ugly py3 code:
-        return {'__base64__': base64.b64encode(str(val))}
+        return {'__base64__': base64.b64encode(
+            str(val).encode('ascii')).decode('ascii')}

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-08 08:32:44 +01:00
David Kupka
308c790ee9 ipalib.x509: Handle missing SAN gracefully
When extension is not present None is returned instead of empty iterable
or exception thrown.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-02-07 13:58:48 +01:00
Martin Basti
91ab650ac4 py3: x509.py: return principal as unicode string
X509 return principal as unicode string

https://fedorahosted.org/freeipa/ticket/4985
https://fedorahosted.org/freeipa/ticket/6640

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-02-07 11:36:38 +01:00
Fraser Tweedale
924794f62b Fix reference before assignment
In 'store_session_cookie', if the server does not set the session
cookie for some reason, the 'session_cookie' variable does not get
assigned, resulting in UnboundLocalError.  Set an initial value of
'None'.

Fixes: https://fedorahosted.org/freeipa/ticket/6636
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-02-06 17:28:39 +01:00
Martin Basti
980c8a5f9e py3: normalize_certificate: support both bytes and unicode
https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-01-31 18:33:27 +01:00
Martin Basti
b8d6524d43 py3: strip_header: support both bytes and unicode
Various method passed various bytes or unicode as parameter

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-01-31 18:33:27 +01:00
Ben Lipton
10ef594786 csrgen: Add code to generate scripts that generate CSRs
Adds a library that uses jinja2 to format a script that, when run, will
build a CSR. Also adds a CLI command, 'cert-get-requestdata', that uses
this library and builds the script for a given principal. The rules are
read from json files in /usr/share/ipa/csr, but the rule provider is a
separate class so that it can be replaced easily.

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-31 10:20:28 +01:00
Martin Basti
18337bf7f7 py3: decode bytes for json.loads()
In py 3.5 json.loads requires to have string as input, all bytes must be
decoded.

Note: python 3.6 supports bytes for json.loads()

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Martin Basti
ccea23138b _resolve_records: fix assert, nameserver_ip can be none
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-01-24 09:58:06 +01:00
Stanislav Laznicka
721105c53d Generate sha256 ssh pubkey fingerprints for hosts
Replace md5 with sha256 for host ssh pubkey fingerprints

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-01-12 11:09:46 +01:00
Christian Heimes
1e06a5195b Use pytest conftest.py and drop pytest.ini
Let's replace some ugly hacks with proper pytest conftest.py hooks.
Test initialization of ipalib.api is now handled in
pytest_cmdline_main(). Pytest plugins, markers and ignores are also
moved into conftest.py. Additional guards make it possible to run tests
without ipaserver installed.

I added confcutdir to ensure that pytest does not leave our project
space. Pytest used pytest.ini or setup.py before but pytest.ini is gone.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2017-01-05 17:37:02 +01:00
Christian Heimes
987d24f784 Silence pylint import errors of ipaserver in ipalib and ipaclient
In client-only installations the ipaserver package is not available.
Additional guards prevent pylint to complain about missing ipaserver
package.

https://fedorahosted.org/freeipa/ticket/6468

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-01-05 09:50:28 +01:00
Stanislav Laznicka
25a6ddcce8 Clarify meaning of --domain and --realm in installers
Man pages need bigger overhaul. Take this as hot-fix for FAQ.

https://fedorahosted.org/freeipa/ticket/6574

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-01-05 09:47:25 +01:00
Jan Cholasta
556fc21482 x509: use PyASN1 to parse PKCS#7
Use PyASN1 with the PKCS#7 definitions from `pyasn1_modules` to parse
PKCS#7 in `pkcs7_to_pems()` instead of calling `openssl pkcs7` in a
subprocess.

https://fedorahosted.org/freeipa/ticket/6550

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2016-12-22 10:22:31 +01:00
Simo Sorce
397f2be9df Add compatibility code to retrieve headers
Python3 removed the getheaders() function and replaced it with a
get_all() one. Add compat code.

https://fedorahosted.org/freeipa/ticket/6558

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-12-14 17:54:11 +01:00
Martin Basti
0663faf258 fix: regression in API version comparison
Commint 2cbaf15604 introduced a regression
in API version comparison. In case that newer client is trying to call
older server an error is returned, but it should work. This commit fixes
it.

https://fedorahosted.org/freeipa/ticket/6468

Reviewed-By: Simo Sorce <ssorce@redhat.com>
2016-12-13 13:53:27 +01:00
Simo Sorce
ca4e6c1fdf Configure Anonymous PKINIT on server install
Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-12-12 13:39:44 +01:00
Fraser Tweedale
c7ea56c049 Add function for extracting PEM certs from PKCS #7
Add a single function for extracting X.509 certs in PEM format from
a PKCS #7 object.  Refactor sites that execute ``openssl pkcs7`` to
use the new function.

Part of: https://fedorahosted.org/freeipa/ticket/6178

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-12-12 13:03:15 +01:00
Jan Cholasta
4fff09978e server install: fix external CA install
Replace the dual definitions of domain_name, dm_password and admin_password
knobs in server install with single definitions using the original names
without the 'new_' prefix.

This fixes the options read from the installer option cache in step 2 of
external CA install to use the correct knob names.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-12-08 12:08:49 +01:00
Simo Sorce
f167869371 Properly handle multiple cookies in rpc lib.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-12-08 12:03:12 +01:00
Simo Sorce
560ab9e317 Properly handle multiple cookies in rpcclient
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-12-08 12:03:12 +01:00
Florence Blanc-Renaud
9e3c17c6de Increase the timeout waiting for certificate issuance in installer
During the server installation, the installer requests certificates
through certmonger. The current timeout is 60s and is too low.
Increase this timeout to api.env.startup_timeout as done in
ipa_cacert_manage or ipa_certupdate.py
(the code checks the status each 5s up to the timeout value).

https://fedorahosted.org/freeipa/ticket/6433

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-12-07 16:53:27 +01:00
Martin Babinsky
1300381d45 Add 'env_confdir' to constants
Env confdir is always populated so it should be listed among variables
set during a call to `Env._bootstrap()`.

https://fedorahosted.org/freeipa/ticket/6389

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-12-05 16:30:41 +01:00
Petr Vobornik
c2934aaa7e Raise errors.EnvironmentError if IPA_CONFDIR var is incorrectly used
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-12-02 15:05:33 +01:00
Christian Heimes
d4916254e9 Use env var IPA_CONFDIR to get confdir
The environment variable IPA_CONFDIR overrides the default confdir path.
The value of the environment variable must be an absolute path to an existing
directory. The new variable makes it much simpler to use the 'ipa'
command and ipalib with a local configuration directory.

Some scripts (e.g. servers, installers, and upgrades) set the confdir
explicitly and do not support the env var.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-12-02 15:05:33 +01:00
Martin Babinsky
64a4be26fe Fix pep-8 transgressions in ipalib/misc.py
Make the code moved from `ipaserver/plugins` pep-8 conformant.

https://fedorahosted.org/freeipa/ticket/6490

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-12-02 13:00:06 +01:00
Martin Babinsky
0ae7bebb76 Make env and plugins commands local again
During thin client refactoring, LocalOrRemote class implementation of `run`
method was overriden by default Command implementation during instantiation of
client plugins from schema. This caused these commands to always forward this
request to IPA master.

This patch restores the original behavior: unless `--server` option was
specified, the commands will always print out local config.

https://fedorahosted.org/freeipa/ticket/6490

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-12-02 13:00:06 +01:00
Martin Babinsky
42307ae2dc Revert "Add 'ipa localenv' subcommand"
This reverts commit 1166fbc494. The proper fix
is to restore pre-thin client behavior of commands inheriting from
LocalOrRemote class.

https://fedorahosted.org/freeipa/ticket/6490

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-12-02 13:00:06 +01:00
Pavel Vomacka
7f301b00ce Adjustments for setup requirements v2
Remove setup requirement on wheel since it triggers download.

https://fedorahosted.org/freeipa/ticket/6468

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-12-02 09:45:14 +01:00
Christian Heimes
235f685247 Wheel bundles fixes
* make wheel_bundle no longer bundles ipaplatform
* ipaclient and ipalib use a consistent extra tag for the install
  subpackage. `pip install ipalib[ipalib.install]` looks a bit silly.

https://fedorahosted.org/freeipa/ticket/6474

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-11-30 16:44:38 +01:00
Florence Blanc-Renaud
dbb98765d7 Check the result of cert request in replica installer
When running ipa-replica-install in domain-level 1, the installer
requests the LDAP and HTTP certificates using certmonger but does
not check the return code. The installer goes on and fails when
restarting dirsrv.

Fix: when certmonger was not able to request the certificate, raise an
exception and exit from the installer:

  [28/45]: retrieving DS Certificate
  [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    Certificate issuance failed (CA_UNREACHABLE)
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

https://fedorahosted.org/freeipa/ticket/6514

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-11-30 16:33:54 +01:00
Christian Heimes
ed9645b2ac Adjustments for setup requirements
* Fix some typos, missing or surplus dependencies.
* Remove setup requirement on wheel since it triggers download.

ipatests is now installable. Tests need further changes to be runable.

https://fedorahosted.org/freeipa/ticket/6468

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-30 13:32:30 +01:00
Jan Cholasta
d43b57d2ce ipalib: remove hard dependency on ipapython
Hard-code the path to /bin/false in SubprocessError doc string.

Remove ipaplatform dependency from ipalib's setup.py and add it as optional
installer dependency to ipalib's and ipaclient's setup.py.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
977050c66b constants: remove CACERT
CACERT depends on ipaplatform.

Replace all uses of CACERT with paths.IPA_CA_CRT and remove CACERT.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
a2c5888973 ipalib: move certstore to the install subpackage
The certstore module depends on ipaplatform.

Move it to ipalib.install, as it is used only from installers.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
7d5c680ace ipautil: move kinit functions to ipalib.install
kinit_password() depends on ipaplatform.

Move kinit_password() as well as kinit_keytab() to a new
ipalib.install.kinit module, as they are used only from installers.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
26c46a447f ipapython: move certmonger and sysrestore to ipalib.install
The certmonger and sysrestore modules depend on ipaplatform.

Move them to ipalib.install as they are used only from installers.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Christian Heimes
7fef9cbec7 Fix Python 3 bugs discovered by pylint
In Python 3 exception instances no longer have a message attribute.
For most exceptions, str(e) or string formatting give the same result.

Fix some renamed modules, module members and functions.

https://fedorahosted.org/freeipa/ticket/4985

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-25 16:18:22 +01:00
Christian Heimes
38e8719f72 Python3 pylint fixes
Sprinkle 'pylint disable' comments over the code base to silence a bunch
of pylint warnings on Python 3. All silenced warnings are harmless and
not bugs.

https://fedorahosted.org/freeipa/ticket/4985

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-25 16:18:22 +01:00
Christian Heimes
2cbaf15604 Replace LooseVersion
pylint is having a hard time with distutils.version in tox's virtual
envs. virtualenv uses some tricks to provide a virtual distutils
package, pylint can't cope with.

https://github.com/PyCQA/pylint/issues/73 suggests to use pkg_resources
instead. pkg_resources' version parser has some more benefits, e.g. PEP
440 conformity. But pkg_resources.parse_version() is a heavy weight solution
with reduced functionality, e.g. no access to major version.

For API_VERSION and plugin version we can use a much simpler and faster
approach.

https://fedorahosted.org/freeipa/ticket/6468

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-11-24 15:46:40 +01:00
Christian Heimes
1166fbc494 Add 'ipa localenv' subcommand
ipa local-env simply dumps all values from api.env as sorted key="value"
pairs. It's a convenient helper for debugging and to write tests for
e.g. PR #182.

https://fedorahosted.org/freeipa/ticket/6490

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-11-18 14:48:48 +01:00
Martin Babinsky
9d7943f3da Turn replication manager group into ReplicationManager class member
https://fedorahosted.org/freeipa/ticket/6406

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-17 00:39:17 +01:00