Commit Graph

10379 Commits

Author SHA1 Message Date
Pavel Vomacka
7be585dbb2 Coverity - true branch can't be executed
The 'data' variable is always false because of previous condition.
Therefore there is direct assignment.

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-11-10 18:58:38 +01:00
Pavel Vomacka
ed74e14ab4 Coverity - removed dead code
There cannot be string value because of previous checks.

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-11-10 18:58:38 +01:00
Pavel Vomacka
4b63ce26eb Coverity - Accesing attribute of null
There is a possibility that widget is null and then there could be an error.
Therefore there is new check of widget variable.

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-11-10 18:58:38 +01:00
Pavel Vomacka
de8cb7585b Coverity - identical code for different branches
In both cases when the condition is true or false ut is set the same value.
Changed to assign the value directly.

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-11-10 18:58:38 +01:00
Pavel Vomacka
fa3982c7c8 Coverity - not initialized variable
The variable hasn't been initialized, now it is set to null by default.

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-11-10 18:58:38 +01:00
Pavel Vomacka
d4ad0ca04c Coverity - null pointer exception
Variable 'row' could be null in some cases. And set css to variable which is pointing to null
causes error. Therefore there is new check.

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-11-10 18:58:38 +01:00
Pavel Vomacka
a2525ff645 Coverity - null pointer exception
Variable 'option' can be null and there will be error of reading property of null.

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-11-10 18:58:38 +01:00
Tomas Krizek
a68c95d116 ipaldap: remove do_bind from LDAPClient
Remove do_bind() method that was a relict used in IPAdmin. Replace
its uses with simple / external binds.

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-10 17:40:49 +01:00
Florence Blanc-Renaud
808b1436b4 Refactor installer code requesting certificates
- Temporary modify certmonger dogtag-ipa-ca-renew helper to request the IPA RA
agent cert, using the temp cert created during pkispawn. The cert request
is now processed through certmonger, and the helper arguments are restored
once the agent cert is obtained.

- Modify the installer code creating HTTP and LDAP certificates to use
certmonger's IPA helper with temporary parameters (calling dogtag-submit
instead of ipa-submit)

- Clean-up for the integration tests: sometimes ipa renewal.lock is not
released during ipa-server-uninstall. Make sure that the file is removed
to allow future installations.

https://fedorahosted.org/freeipa/ticket/6433

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2016-11-10 14:15:57 +01:00
Florence Blanc-Renaud
7462adec13 Use autobind instead of host keytab authentication in dogtag-ipa-ca-renew-agent
This commit makes sure that dogtag-ipa-ca-renew-agent CA helper can be used
before Kerberos is configured.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2016-11-10 14:15:57 +01:00
Simo Sorce
2775042787 Support DAL version 5 and version 6
https://fedorahosted.org/freeipa/ticket/6466

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2016-11-10 13:25:51 +01:00
Petr Spacek
d20f6a5ef2 Build: fix make clean to remove build artifacts from top-level directory
make lint and make dist were generating files which were not removed by
make clean.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-10 12:37:58 +01:00
Oleg Fayans
dc58f8f2a1 Automated ipa-replica-manage del tests
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2016-11-10 12:07:24 +01:00
Oleg Fayans
6d812a0d52 tests: Automated clean-ruv subcommand tests
https://fedorahosted.org/freeipa/ticket/6451

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2016-11-10 12:07:24 +01:00
Fraser Tweedale
b0430b67dc Remove __main__ code from ipalib.x509 and ipalib.pkcs10
This code was presumably once used for testing, but has been
subsumed by the actual test suite.

Part of: https://fedorahosted.org/freeipa/ticket/6398

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-11-10 10:21:47 +01:00
Fraser Tweedale
db116f73fe x509: use python-cryptography to process certs
Update x509.load_certificate and related functions to return
python-cryptography ``Certificate`` objects.  Update the call sites
accordingly, including removal of NSS initialisation code.

Also update GeneralName parsing code to return python-cryptography
GeneralName values, for consistency with other code that processes
GeneralNames.  The new function, `get_san_general_names`, and
associated helper functions, can be removed when python-cryptography
provides a way to deal with unrecognised critical extensions.

Part of: https://fedorahosted.org/freeipa/ticket/6398

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-11-10 10:21:47 +01:00
Fraser Tweedale
c57dc890b2 x509: use pyasn1-modules X.509 specs
Remove our hand-rolled pyasn1 specifications for X.509 in favour of
those provided by the pyasn1-modules library.

This also avoids a bug in our _Extension spec wherein parsing fails
if the 'critical' field is absent.

Part of: https://fedorahosted.org/freeipa/ticket/6398

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-11-10 10:21:47 +01:00
Fraser Tweedale
44c2d685f0 x509: avoid use of nss.data_to_hex
Avoid use of the nss.data_to_hex function for formatting certificate
fingerprints.  Add our own helper functions to format the
fingerprints as hex (with colons).

Part of: https://fedorahosted.org/freeipa/ticket/6398

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-11-10 10:21:47 +01:00
Fraser Tweedale
85487281cd pkcs10: remove pyasn1 PKCS #10 spec
In the dogtag-ipa-ca-renew-agent-submit certmonger renewal helper,
we currently use our hand-rolled PKCS #10 pyasn1 specification to
parse the friendlyName out of CSRs generated by certmonger (it
contains the NSSDB nickname of the cert).

Use other information from the renewal helper process environment to
determine the nickname and remove our PKCS #10 pyasn1 spec.

Part of: https://fedorahosted.org/freeipa/ticket/6398

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-11-10 10:21:47 +01:00
Fraser Tweedale
66637f766d pkcs10: use python-cryptography for CSR processing
Update ``ipalib.pkcs10`` module to use python-cryptography for CSR
processing instead of NSS.

Part of: https://fedorahosted.org/freeipa/ticket/6398

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-11-10 10:21:47 +01:00
Fraser Tweedale
9522970bfa dn: support conversion from python-cryptography Name
The upcoming change to using python-cryptography for certificate
process will require a way to convert
``cryptography.x509.name.Name`` values to ``ipapython.dn.DN``.
Update the ``DN`` constructor to accept a ``Name``.

Part of: https://fedorahosted.org/freeipa/ticket/6398

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-11-10 10:21:47 +01:00
Tomas Krizek
9bb6d8643f gitignore: ignore tar ball
Add tar ball generated by build to gitignore.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-11-10 09:33:01 +01:00
Martin Babinsky
3ecda74d14 test_ipagetkeytab: use system-wide IPA CA cert location in tests
Since /etc/ipa/ca.crt should be always present on the test runner, we should
use it in bind method tests and not rely on its presence in user conf dir.

https://fedorahosted.org/freeipa/ticket/6409

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-11-09 16:39:39 +01:00
Tomas Krizek
33f7b8dc32 libexec scripts: ldap conn management
Certificate renewal scripts require connection to LDAP. Properly
handle connects and disconnects from LDAP.

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-11-09 15:32:45 +01:00
Petr Spacek
c0674e89d1 Build: fix make clean for web UI
https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
4498998f17 Build: add polint target for i18n tests
https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
e3b537af18 Build: add makeapi lint target
https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
b54e9e86df Build: add makeaci lint target
https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
f31a489d24 Build: add JS lint target
https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
14c1c8dfd0 Build: add Python lint target
https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
2df9877255 Build: remove obsolete instructions about BuildRequires from BUILD.txt
https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
fee9bbd85a Build: add make rpms target and convenience script makerpms.sh
make rpms and ./makerpms.sh will produce the same RPM packages. The
advantage of makerpms.sh is that it will take care of initial
autoreconf & configure phases as needed.

rpm-build-4.13.0-1.fc24.x86_64 broke parallel build of RPMs.
If you get error
  INTERNAL: Exiting with 1 jobserver tokens available; should be 8!
undefine the MAKEFLAGS variable and do not specify neither -j nor -l.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
75a944e980 Build: fix KDC proxy installation and remove unused kdcproxy.conf
The only useful file is /etc/ipa/kdcproxy/kdcproxy.conf so I've removed
the other copy of the file in /usr.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
4ce3aa3b12 Build: remove unused dirs /var/cache/ipa/{sysupgrade,sysrestore} from SPEC
These directories were not used at all.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
dc5699a8a4 Build: do not compress manual pages at install time
At the time of this writting
https://fedoraproject.org/wiki/Packaging:Guidelines#Manpages
says this:
  When installing man pages, note that they should be installed uncompressed
  as the build system will compress them as needed. The compression method
  may change, so it is important to reference the pages in the %files section
  with a pattern that takes this into account:
  %{_mandir}/man1/foo.1*

Removing the compression also allows to remove several install-data-hook
targets from Makefile.am files.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
cc6382550f Build: distribute doc directory
Makefile in doc subdirectory should be integrated into the main build
system but I do not have time to do it now. For now it is enough
to distribute everything.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
6cb0271509 Build: create /var/run directories at install time
Directory creating was moved from SPEC file to install-data-hook.
At the same time, it is using systemd-tmpfiles to create the directories
so we do not risk any inconsistency between SPEC file and tmpfilesd
configuration.

systemd-tmpfiles call is non-critical on purpose: The build would fail
when run under unprivileged user because systemd-tmpfiles tries to
change ownership. Luckily it creates all the files and just do not
change ownership so it works even under unprivileged user.

Interestingly, systemd-tmpfiles continues if user does not have
sufficient permissions to change ownership but fails if target username
does not exist at all. For this reason there is BuildRequires on httpd.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
288d624336 Build: integrate init and init/systemd into build system
At the same time, I've renamed tmpfilesd config file to static name
"ipa.conf" instead of using package-specific name. It had no purpose
and just complicated build and packaging.

Variable substitution into configuration has to be done in Makefile
and not in Autoconf as documented in:
Autoconf v2.69 manual chapter 4.8.2 Installation Directory Variables:
  ... Most of these variables have values that rely on prefix or
  exec_prefix. ... Similarly, you should not rely on AC_CONFIG_FILES
  to replace bindir and friends in your shell scripts and other files;
  instead, let make manage their replacement.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
a027bf7398 Build: remove init/SystemV directory
FreeIPA has hard dependency on systemd for a long time already.
SystemV directory was just polluting the tarball (while being useless).

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
d3cab75d7e Build: integrate contrib directory into build system
BASH completion is now installed by make install.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
8ffd3bdf14 Build: remove ancient checks/check-ra.py
The functionality is covered by test_cert_plugin.py and the unused
checks directory was just polluting the tarball (and never executed).

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
312e780041 Build: integrate daemons/dnssec into build system
https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
f229bb56b7 Build: fix distribution of daemons/ipa-slapi-plugins/topology files
All the headers are now listed in _SOURCES variable.
It seems weird but this is what GNU Automake manual suggests in section
9.2 Header files:
  Headers used by programs or convenience libraries are not installed.
  The noinst_HEADERS variable can be used for such headers.
  However when the header actually belongs to a single convenience library
  or program, we recommend listing it in the program’s or library’s
  _SOURCES variable (see Program Sources) instead of in noinst_HEADERS.
  This is clearer for the Makefile.am reader.
  noinst_HEADERS would be the right variable to use in a directory containing
  only headers and no associated library or program.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
39b17ef2ab Build: fix distribution of daemons/ipa-slapi-plugins/ipa-winsync files
All the headers are now listed in _SOURCES variable.
It seems weird but this is what GNU Automake manual suggests in section
9.2 Header files:
  Headers used by programs or convenience libraries are not installed.
  The noinst_HEADERS variable can be used for such headers.
  However when the header actually belongs to a single convenience library
  or program, we recommend listing it in the program’s or library’s
  _SOURCES variable (see Program Sources) instead of in noinst_HEADERS.
  This is clearer for the Makefile.am reader.
  noinst_HEADERS would be the right variable to use in a directory containing
  only headers and no associated library or program.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
74820fe3d8 Build: fix distribution of daemons/ipa-slapi-plugins/ipa-sidgen files
https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
53cd71a63c Build: fix distribution of daemons/ipa-slapi-plugins/ipa-pwd-extop files
All the headers are now listed in _SOURCES variable.
It seems weird but this is what GNU Automake manual suggests in section
9.2 Header files:
  Headers used by programs or convenience libraries are not installed.
  The noinst_HEADERS variable can be used for such headers.
  However when the header actually belongs to a single convenience library
  or program, we recommend listing it in the program’s or library’s
  _SOURCES variable (see Program Sources) instead of in noinst_HEADERS.
  This is clearer for the Makefile.am reader.
  noinst_HEADERS would be the right variable to use in a directory containing
  only headers and no associated library or program.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
278cda7ede Build: fix distribution of daemons/ipa-slapi-plugins/ipa-otp-lasttoken files
https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
c1652f92af Build: fix distribution of daemons/ipa-slapi-plugins/ipa-otp-counter files
https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
14bce67cf0 Build: fix distribution of daemons/ipa-slapi-plugins/ipa-exdom-extop files
All the headers are now listed in _SOURCES variable.
It seems weird but this is what GNU Automake manual suggests in section
9.2 Header files:
  Headers used by programs or convenience libraries are not installed.
  The noinst_HEADERS variable can be used for such headers.
  However when the header actually belongs to a single convenience library
  or program, we recommend listing it in the program’s or library’s
  _SOURCES variable (see Program Sources) instead of in noinst_HEADERS.
  This is clearer for the Makefile.am reader.
  noinst_HEADERS would be the right variable to use in a directory containing
  only headers and no associated library or program.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
4fb2f535ca Build: fix distribution of daemons/ipa-slapi-plugins/ipa-cldap files
All the headers are now listed in _SOURCES variable.
It seems weird but this is what GNU Automake manual suggests in section
9.2 Header files:
  Headers used by programs or convenience libraries are not installed.
  The noinst_HEADERS variable can be used for such headers.
  However when the header actually belongs to a single convenience library
  or program, we recommend listing it in the program’s or library’s
  _SOURCES variable (see Program Sources) instead of in noinst_HEADERS.
  This is clearer for the Makefile.am reader.
  noinst_HEADERS would be the right variable to use in a directory containing
  only headers and no associated library or program.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00