Commit Graph

8475 Commits

Author SHA1 Message Date
Petr Viktorin
5435a8a32a Use absolute imports
In Python 3, implicit relative imports will not be supported.
Use fully-qualified imports everywhere.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-08-12 18:17:23 +02:00
Petr Viktorin
262faec70a Import 'reduce' from functools
The reduce function is no longer a built-in in Python 3.
Importing it from functools works on both py2 and py3.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-08-12 18:17:23 +02:00
Petr Viktorin
6a741b51da Replace dict.has_key with the 'in' operator
The deprecated has_key method will be removed from dicts in Python 3.

For custom dict-like classes, has_key() is kept on Python 2,
but disabled for Python 3.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-08-12 18:17:23 +02:00
Petr Viktorin
8b88caa110 Modernize function and method attribute names
Python 3 uses double-underscored names for internal function attributes.
In Python 2.7, these names exist as aliases to the old 'func_*' and
'im_*' names.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-08-12 18:17:23 +02:00
Petr Viktorin
27dabb4528 Modernize 'except' clauses
The 'as' syntax works from Python 2 on, and Python 3 will
drop the "comma" syntax.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-08-12 18:17:23 +02:00
Jan Cholasta
a651be3eec install: Fix server and replica install options
https://fedorahosted.org/freeipa/ticket/5184

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-08-12 16:42:01 +02:00
Martin Babinsky
55feea500b idranges: raise an error when local IPA ID range is being modified
also show the message about the way UID/GID ranges are managed in FreeIPA in
the idrange-mod's help message

https://fedorahosted.org/freeipa/ticket/4826

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-08-12 16:38:27 +02:00
Petr Vobornik
7d7ffb6252 validate mutually exclusive options in vault-add
https://fedorahosted.org/freeipa/ticket/5195

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-08-12 16:27:57 +02:00
Petr Vobornik
196ef09bd2 adjust search so that it works for non-admin users
Non-admin user can now search for:
- hosts
- hostgroups
- netgroups
- servers
- services

(Fixes ACI issue where search returns nothing when user does't have
read rights for an attribute in search_attributes.

https://fedorahosted.org/freeipa/ticket/5167

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-08-12 16:14:21 +02:00
Fraser Tweedale
ba7e5df194 Fix KRB5PrincipalName / UPN SAN comparison
Depending on how the target principal name is conveyed to the
command (i.e. with / without realm), the KRB5PrincipalName / UPN
subjectAltName validation could be comparing unequal strings and
erroneously rejecting a valid request.

Normalise both side of the comparison to ensure that the principal
names contain realm information.

Fixes: https://fedorahosted.org/freeipa/ticket/5191
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-08-11 17:31:25 +02:00
Fraser Tweedale
9bbc798741 Fix default CA ACL added during upgrade
The upgrade script is adding the default CA ACL with incorrect
attributes - usercategory=all instead of servicecategory=all.  Fix
it to create the correct object.

Fixes: https://fedorahosted.org/freeipa/ticket/5185
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-08-11 17:26:24 +02:00
Tomas Babej
1fc21e980b adtrust-install: Correctly determine 4.2 FreeIPA servers
We need to detect a list of FreeIPA 4.2 (and above) servers, since
only there is the required version of SSSD present.

Since the maximum domain level for 4.2 is 0 (and not 1), we can filter
for any value of ipaMaxDomainLevel / ipaMinDomainLevel attributes
to generate the list.

https://fedorahosted.org/freeipa/ticket/5199

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-08-11 16:59:22 +02:00
Fraser Tweedale
e92f25bd50 Work around python-nss bug on unrecognised OIDs
A bug in python-nss causes an error to be thrown when converting an
unrecognised OID to a string.  If cert-request receives a PKCS #10
CSR with an unknown extension, the error is thrown.

Work around this error by first checking if the OID is recognised
and, if it is not, using a different method to obtain its string
representation.

Once the python-nss bug is fixed, this workaround should be
reverted.  https://bugzilla.redhat.com/show_bug.cgi?id=1246729

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-08-11 15:28:28 +02:00
Fraser Tweedale
812ab600a3 Add profile for DNP3 / IEC 62351-8 certificates
The DNP3 smart-grid standard uses certificate with the IEC 62351-8
IECUserRoles extension.  Add a profile for DNP3 certificates which
copies the IECUserRoles extension from the CSR, if present.

Also update cert-request to accept CSRs containing this extension.

Fixes: https://fedorahosted.org/freeipa/ticket/4752
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-08-11 14:57:41 +02:00
Fraser Tweedale
aafc0e980b Allow SAN extension for cert-request self-service
Users cannot self-issue a certificate with a subjectAltName
extension (e.g. with rfc822Name altNames).  Suppress the
cert-request "request certificate with subjectaltname" permission
check when the bind principal is the target principal (i.e.
cert-request self-service).

Fixes: https://fedorahosted.org/freeipa/ticket/5190
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-08-11 12:25:51 +02:00
Fraser Tweedale
6f8b0ed4fa Give more info on virtual command access denial
The current error message upon a virutal command access denial does
not give any information about the virtual operation that was
prohibited.  Add more information to the ACIError message.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-08-11 12:25:51 +02:00
Martin Basti
d7be2fd1bd Fix upgrade of sidgen and extdom plugins
If configuration entries already exist, upgrade will not add them
again.

https://fedorahosted.org/freeipa/ticket/5151

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-08-10 15:03:54 +02:00
Petr Vobornik
ebc7ab1efe webui: add LDAP vs Kerberos behavior description to user auth types
https://fedorahosted.org/freeipa/ticket/4935

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-08-10 14:54:16 +02:00
Endi S. Dewata
c8882f7d1c Fixed missing KRA agent cert on replica.
The code that exports the KRA agent certificate has been moved
such that it will be executed both on master and replica.

https://fedorahosted.org/freeipa/ticket/5174

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-08-10 13:04:34 +02:00
Tomas Babej
c906784ded dcerpc: Simplify generation of LSA-RPC binding strings
https://fedorahosted.org/freeipa/ticket/5183

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-08-07 18:06:02 +02:00
Alexander Bokovoy
ee377a20cd Fix selector of protocol for LSA RPC binding string
For Windows Server 2012R2 and others which force SMB2 protocol use
we have to specify right DCE RPC binding options.

For using SMB1 protocol we have to omit specifying SMB2 protocol and
anything else or otherwise SMB1 would be considered a pipe to connect
to. This is by design of a binding string format.

https://fedorahosted.org/freeipa/ticket/5183

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-08-07 17:55:48 +02:00
Tomas Babej
7688bbcc33 Fix incorrect type comparison in trust-fetch-domains
Value needs to be unpacked from the list and converted before comparison.

https://fedorahosted.org/freeipa/ticket/5182

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-08-06 10:16:30 +02:00
Fraser Tweedale
e28a450720 Fix otptoken-remove-managedby command summary
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-08-05 12:27:48 +02:00
Michael Simacek
f0b4c4487e Port from python-kerberos to python-gssapi
kerberos library doesn't support Python 3 and probably never will.
python-gssapi library is Python 3 compatible.

https://fedorahosted.org/freeipa/ticket/5147

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-08-05 08:08:00 +02:00
Martin Babinsky
3257ac6b87 store certificates issued for user entries as userCertificate;binary
This patch forces the user management CLI command to store certificates as
userCertificate;binary attribute. The code to retrieve of user information was
modified to enable outputting of userCertificate;binary attribute to the
command line.

The modification also fixes https://fedorahosted.org/freeipa/ticket/5173

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-08-04 13:57:33 +02:00
Martin Babinsky
555229e33e test suite for user/host/service certificate management API commands
These tests excercise various scenarios when using new class of API commands
to add or remove certificates to user/service/host entries.

Part of http://www.freeipa.org/page/V4/User_Certificates

Reviewed-By: Milan Kubík <mkubik@redhat.com>
2015-08-03 14:40:12 +02:00
Fraser Tweedale
896783bae8 user-show: add --out option to save certificates to file
Add the --out option to user-show, bringing it into line with
host-show and service-show with the ability to save the user's
certificate(s) to a file.

https://fedorahosted.org/freeipa/ticket/5171

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-31 16:11:17 +02:00
Christian Heimes
a4ade199aa certprofile-import: do not require profileId in profile data
certprofile-import no longer requires profileId in profile data. Instead
the profile ID from the command line is taken and added to the profile
data internally.

If profileId is set in the profile, then it still has to match the CLI
option.

https://fedorahosted.org/freeipa/ticket/5090

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-31 16:00:57 +02:00
Milan Kubík
3f90aa0c18 tests: Allow Tracker.dn be an instance of Fuzzy
Some of the IPA LDAP entries are using ipaUniqueID as
the "primary key". To match this UUID based attribute
in assert_deepequal, an instance of Fuzzy class must
be used. This change adds the possibility to assign
the Fuzzy object as the DN for the tracked entry.

The user may need to override the rdn and name
properties for the class using the Fuzzy DN.

Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
2015-07-31 15:50:05 +02:00
Christian Heimes
8e28ddd8fa Validate vault's file parameters
A user can pass file names for password, public and private key files to
the vault plugin. The plugin attempts to read from these files. If any
file can't be, an internal error was raised. The patch wraps all reads
and turns any IOError and UnicodeError into a ValidationError.

https://fedorahosted.org/freeipa/ticket/5155

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-31 15:33:49 +02:00
Petr Viktorin
b8c46f2a32 Modernize number literals
Use Python-3 compatible syntax, without breaking compatibility with py 2.7

- Octals literals start with 0o to prevent confusion
- The "L" at the end of large int literals is not required as they use
  long on Python 2 automatically.
- Using 'int' instead of 'long' for small numbers is OK in all cases except
  strict type checking checking, e.g. type(0).

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-07-31 15:22:19 +02:00
Christian Heimes
a908be2785 Replace M2Crypto RC4 with python-cryptography ARC4
This patch removes the dependency on M2Crypto in favor for cryptography.
Cryptography is more strict about the key size and doesn't support
non-standard key sizes:

>>> from M2Crypto import RC4
>>> from ipaserver.dcerpc import arcfour_encrypt
>>> RC4.RC4(b'key').update(b'data')
'o\r@\x8c'
>>> arcfour_encrypt(b'key', b'data')
Traceback (most recent call last):
...
ValueError: Invalid key size (24) for RC4.

Standard key sizes 40, 56, 64, 80, 128, 192 and 256 are supported:

>>> arcfour_encrypt(b'key12', b'data')
'\xcd\xf80d'
>>> RC4.RC4(b'key12').update(b'data')
'\xcd\xf80d'

http://cryptography.readthedocs.org/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.ARC4
https://fedorahosted.org/freeipa/ticket/5148

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-07-31 13:33:02 +02:00
Christian Heimes
4e18a62dd5 Require Dogtag PKI >= 10.2.6
Dogtag 10.2.6 comes with two fixes for cloning from 9.x to 10.x
instances:

  https://fedorahosted.org/pki/ticket/1495
  https://fedorahosted.org/pki/ticket/1488

https://fedorahosted.org/freeipa/ticket/5140
https://fedorahosted.org/freeipa/ticket/5129

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-29 17:35:52 +02:00
Petr Vobornik
66bd2094f9 webui: fix regressions failed auth messages
1. after logout, krb auth no longer shows "session expired" but correct
"Authentication with Kerberos failed".

2. "The password or username you entered is incorrect." is showed on
failed forms-based auth.

https://fedorahosted.org/freeipa/ticket/5163

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-29 17:13:31 +02:00
Martin Basti
cea52ce186 ULC: Fix stageused-add --from-delete command
Nonexistent method was used to move deleted user to staged area.
Minor fixes added:
 * handle not found error
 * return new DN

https://fedorahosted.org/freeipa/ticket/5145

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-07-29 17:06:54 +02:00
Martin Basti
45c709112d Use 'mv -Z' in specfile to restore SELinux context
There might be AVC denial between moving file and restoring context.
Using 'mv -Z' will solve this issue.

https://fedorahosted.org/freeipa/ticket/4923

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-07-29 16:44:13 +02:00
Martin Babinsky
a2ba937307 ACI plugin: correctly parse bind rules enclosed in parentheses
Since bind rule such as `(userdn = "ldap:///anyone")` is also a valid
statement, the ipalib ACI parser was updated to handle this case.

https://fedorahosted.org/freeipa/ticket/5037

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-29 16:40:32 +02:00
Gabe
f7dbaa6382 Fix client ca.crt to match the server's cert
https://fedorahosted.org/freeipa/ticket/3809

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-27 18:04:53 +02:00
Niranjan Mallapadi
7d28230405 Use Exception class instead of StandardError
In except clause, use of "," is not recommended (PEP 3110)

Signed-off-by: Niranjan Mallapadi <mrniranjan@fedoraproject.org>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2015-07-27 18:01:34 +02:00
Christian Heimes
3c974c157f otptoken: use ipapython.nsslib instead of Python's ssl module
The otptoken plugin is the only module in FreeIPA that uses Python's ssl
module instead of NSS. The patch replaces ssl with NSSConnection. It
uses the default NSS database to lookup trust anchors. NSSConnection
uses NSS for hostname matching. The package
python-backports-ssl_match_hostname is no longer required.

https://fedorahosted.org/freeipa/ticket/5068

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-27 17:25:57 +02:00
Christian Heimes
2596adb312 certprofile-import: improve profile format documentation
The certprofile-import plugin expects a raw Dogtag config file. The XML
format is not supported. --help gives a hint about the correct file format.

https://fedorahosted.org/freeipa/ticket/5089

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2015-07-27 17:21:16 +02:00
Oleg Fayans
e5acd01ed2 Added test - topology plugin is listed among DS plugins
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-27 17:17:33 +02:00
Martin Basti
2427b2c242 Remove ico files from Makefile
Icons were removed in a4be844809 but still
persist in Makefile. This patch fixes Makefile.

https://fedorahosted.org/freeipa/ticket/823

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-07-27 16:19:49 +02:00
Petr Vobornik
a4be844809 webui: add Kerberos configuration instructions for Chrome
* IE section moved at the end
* Chrome section added
* FF and IE icons removed

https://fedorahosted.org/freeipa/ticket/823

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-27 13:50:49 +02:00
Tomas Babej
5df48d74a0 replication: Fix incorrect exception invocation
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-24 11:27:22 +02:00
Tomas Babej
aa066f31a5 idviews: Enforce objectclass check in idoverride*-del
Even with anchor to sid type checking, it would be still
possible to delete a user ID override by specifying a group
raw anchor and vice versa.

This patch introduces a objectclass check in idoverride*-del
commands to prevent that.

https://fedorahosted.org/freeipa/ticket/5029

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-07-23 15:37:01 +02:00
Tomas Babej
e0d3231f07 idviews: Restrict anchor to name and name to anchor conversions
When converting the ID override anchor from AD SID representation to
the object name, we need to properly restrict the type of the object
that is being resolved.

The same restriction applies for the opposite direction, when
converting the object name to it's SID.

https://fedorahosted.org/freeipa/ticket/5029

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-07-23 15:37:01 +02:00
Tomas Babej
970a5535c0 dcerpc: Add get_trusted_domain_object_type method
https://fedorahosted.org/freeipa/ticket/5029

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-07-23 15:37:01 +02:00
Martin Babinsky
7ceaa8e26c fix broken search for users by their manager
The patch fixes incorrect construction of search filter when using `ipa
user-find` with '--manager' option.

https://fedorahosted.org/freeipa/ticket/5146

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-23 11:43:05 +02:00
Tomas Babej
cf59981cc2 dcerpc: Fix UnboundLocalError for ccache_name
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-07-22 14:30:22 +02:00