The -s option no longer exists, so remove it from the command usage.
Also, due to this fix, E128 occurred in pycodestyle, so the coding style was changed.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
In order to call import_included_profiles the dogtag RA plugin
needs to have been loaded. Modify the requirements to also allow
the installer context along with the ra_plugin value.
This lets us add missing profiles during a replica installation.
This is needed for ACME when installing a new replica in a
cluster of older servers that don't have support for ACME.
https://pagure.io/freeipa/issue/8738
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
update_dna_shared_config plugin now waits for presence of both
``dnaHostname=fqdn+dnaPortNum=0`` and
``dnaHostname=fqdn+dnaPortNum=389`` entries before it updates the
entries.
The commit also refactors the code of update_dna_shared_config for
subordinate id support.
Fixes: https://pagure.io/freeipa/issue/8831
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Insert a class before LDAPClient to cache the return value
of get_entry() and certain exceptions (NotFound and
EmptyResult). The cache uses an OrderedDict for the cases
where a large cache might result an LRU model can be used.
The cache be enabled (default) or disabled using
ldap_cache=True/False.
This cache is per-request so is not expected to grow
particularly large except in the case of a large batch
command.
The key to the cache entry is the dn of the object
being requested.
Any write to or referencing a cached dn is evicted from
the cache.
The set of attributes is somewhat taken into consideration.
"*" does not always match everything being asked for by
a plugin so unless the requested set of attributes is a
direct subset of what is cached it will be re-fetched. Err
on the side of safety.
Despite this rather conserative approach to caching 29%
of queries are saved with ipatests/xmlrpc_tests/*
https://pagure.io/freeipa/issue/8798
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
For add/remove member and remove_principal the LDAP connection
was being used directly, bypassing the LDAPClient overlay.
Related: https://pagure.io/freeipa/issue/8798
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
This can happen on upgrades from older deployments that lack
an ACME installation and don't meet the minimum requirements
to deploy one automatically.
Also don't consider missing ACME schema a total failure, just
log and skip it.
https://pagure.io/freeipa/issue/8832
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The `hbacrule` module performs a call to `selinuxusermap-find`
during entry deletion. This can be optimized by passing pkey_only=True
to the search, skipping the post-callback function. Passing the full
DN of the hbacrule and detecting it in the selinuxusermap find
also saves one call to hbacrule-show, further reducing the searches.
Related: https://pagure.io/freeipa/issue/8784
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This is the experimental fix to workaround the issue with
PKI on Azure Pipelines. PKI is the most sensitive to slow
systems(at least, appropriate delays and timeouts should be
adjusted for such).
Somehow Azure's test envs became slower then they were earlier
(for example, CA subsystem start changed
~(20-30)sec -> ~(45-60)sec). This triggered various issues with
subsystems of PKI in CI.
PKI honors `PKISPAWN_STARTUP_TIMEOUT_SECONDS` env variable (if
not set the timeout is 60sec) for pkispawn tool. The default
timeout is inconsistent with IPA's one (startup_timeout=120sec), which in
particular, is used in ipa-pki-wait-running tool).
Related: https://pagure.io/freeipa/issue/8830
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Francois Cami <fcami@redhat.com>
The Dogtag KRA backend now uses CryptographyCryptoProvider instead of
NSSCryptoProvider for KRAClient connections. The
CryptographyCryptoProvider uses PyCA cryptography to provide wrapping
and unwrapping. The change will allow Dogtag to remove the
NSSCryptoProvider and drop python-nss as a dependency.
The code in ipaserver.plugins.dogtag creates a Certificate object to
work around a bug in Dogtag. Dogtag supports paths but passes the wrong
type to PyCA cryptography.
Fixes: https://pagure.io/freeipa/issue/8814
See: https://github.com/dogtagpki/pki/issues/3499
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This utilizes the new status option so that we only retrieve
VALID certificates when revoking certificates issued for a
specific host or service.
ae74d348c3 made a special case
in cert_find when searching for hosts and services so that if only
one host/service was searched on do a subject search. It only
works when there is exactly one option requested.
Since we want to restrict to only VALID certificates, pass
the hostname as subject directly when revoking certs when deleting
an entry to limit the number of certificates to consider.
https://pagure.io/freeipa/issue/7835
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
This can be used to narrow the candidate list of
certificates when deleting objects like hosts and
service.
Related: https://pagure.io/freeipa/issue/7835
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Add a new option --auto-private-groups to the command
ipa idrange-add / ipa idrange-mod.
The option can take true/false/hybrid values.
Fixes: https://pagure.io/freeipa/issue/8807
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This saves at least one search per user-mod because the current
set of objectclasses are verified to ensure they are complete
on each update.
So always retrieve them in get_either_dn(). They are used by
every call but there is negligible overhead in retrieving
this from LDAP.
https://pagure.io/freeipa/issue/8801
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The pkey of services is krbprincipalname. The host plugin passes
this full value to service_del and service_disable if the service
hostname matches the requested host.
This limits the amount of data and post-processing done
when host_del and host_disable call service_find. It also saves
a presence query for keytab in each service found.
https://pagure.io/freeipa/issue/8787
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This may be called multiple times in a request and should
be impossible to change.
https://pagure.io/freeipa/issue/8797
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* move WSGI app code to main code base so it can be used with other
WSGI servers that expect a Python package.
* populate LDAP schema early to speed up first request by ~200ms
* gc.collect() and gc.freeze() to improve memory handling and GC
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Combining the existence check with the sudoorder handling
allows to reduce the number of searches during a sudorule
modification by removing a call to sudorule-show.
Related: https://pagure.io/freeipa/issue/8780
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The `nsaccountlock` attribute was being returned as a
list of string ("TRUE"/"FALSE") instead of a boolean.
Use the convert function used in `user-find` and `user-mod`
for consistency, since these commands return the parameter as a boolean.
Fixes: https://pagure.io/freeipa/issue/8743
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Enhance error message when adding non-posix group
with a GID so the user knows that a GID should not
be passed when adding a group with the --nonposix option.
Fixes: https://pagure.io/freeipa/issue/8155
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Update help for the `--otp` option in `ipa passwd`
to actually explain its usage.
Fixes: https://pagure.io/freeipa/issue/8244
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This is needed so we can mock the DogtagInstance class
and have control over the version of tomcat.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
In this patch, we ensure we upgrade all AJP adapters with the same
secret value if any are missing. This ensures that both IPv4 and IPv6
adapters have the same secret value, so whichever httpd connects to
will be in sync. This is consistent with what Dogtag does when
provisioning them.
Notably missing from this patch is handling of multiple unrelated AJP
adapters. In an IPA scenario (and default PKI scenario) this shouldn't
be necessary. However, with external load balancing, this might happen.
This patch benefits IPA in the scenario when:
1. pkispawn runs on an older PKI version (pre-AJP secret, so ~8.2?)
2. pki gets upgraded to 10.10.1 before IPA can provision a secret,
resulting in split IPv4/IPv6 adapters -- this would only happen
on a direct migration from 8.2 -> 8.4
3. ipa upgrade script then runs to provision an AJP secret value for
use with both Dogtag and IPA.
Without this patch, only the first (IPv4) adapter would have a secret
value provisioned in the above scenario.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Adding execution time in logs provides useful information
for identifying API operations that impact IPA performance.
Related: https://pagure.io/freeipa/issue/8759
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
`HTTP_CCACHE` path was introduced in [0], but hasn't been set as
gssproxy's cred_store option(`ccache`) and nowhere is really
used besides the removing of this not existed path. It is safe to
drop all referencies for `HTTP_CCACHE`.
As of 0.8.0[1] gssproxy uses `MEMORY` credentials type for cred_store
as default.
[0]: d2f5fc304f
[1]: 0e1b4a0c84
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
'pki-server cert-fix' has a known and expected failure when the DS
certificate is expired. 'ipa-cert-fix' handles this by
optimistically ignoring the CalledProcessError and continuing when
the DS certificate was up for renewal.
This heuristic is a bit too optimistic. If 'pki-server cert-fix'
fails due and returns nonzero due to some other, more serious error
(as has been seen in the wild[1]), 'ipa-cert-fix' continues then
fails later with a more confusing error, for example:
[Errno 2] No such file or directory:
'/etc/pki/pki-tomcat/certs/27-renewed.crt'
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1930586
Improve the heuristic by also checking whether output files
corresponding ot all of the "extra" certificate that we asked
'ipa-cert-fix' to renew, do indeed exist and are X.509 certificates.
Fixes: https://pagure.io/freeipa/issue/8721
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Fix zonemgr option in ipaserver install being
ignored because of an incorrect condition.
Fixes: https://pagure.io/freeipa/issue/8718
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The output from pki-spawn is already displayed to the user
as well as a short traceback so re-displaying the CalledProcess
error provides no value and only provokes confusion,
particularly because it is condensed and includes embedded
newlines.
Re-raise the exception from None so that the traceback is
removed and while there is still an immense traceback from
the admintool class it is significantly shorter than before
and removes:
"During handling of the above exception, another exception occurred"
The handling is in fact expected.
This changes the user-facing installer output from:
[1/28]: configuring certificate server instance
Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpr5x2l0gm', '--debug'] returned non-zero exit status 1: 'INFO: Connecting to LDAP server at ldap://ipa.example.test:389\nINFO: Connecting to LDAP server at ldap://ipa.example.test:389\nDEBUG: Installing Maven dependencies: False\nERROR: KeyError: \'CA\'\n File "/usr/lib/python3.9/site-packages/pki/server/pkispawn.py", line 575, in main\n raise KeyError(\'CA\')\n\n')
See the installation logs and the following files/directories for more information:
/var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
to
[1/28]: configuring certificate server instance
Failed to configure CA instance
See the installation logs and the following files/directories for more information:
/var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
The output is similarly reduced in the installer log. There is no
reason to acknowledge that a CalledProcessError was raised since
the output is already available and it's just an intermediary.
Hopefully this will encourage users to focus on the logs rather than
the malformed traceback.
https://pagure.io/freeipa/issue/8565
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
If the CA fails to deploy then the CRL directory will not exist
but will report an error that it has failed to be removed.
There is no need to try to navigate a directory if it doesn't exist.
Related: https://pagure.io/freeipa/issue/8565
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
If the Apache, 389-ds or KDC certificate was issued by
a third party there is nothing we can do, regardless of
whether it is expired or not.
Report which certificates will not be renewed so the
admin can manually do do (likely in the event of a
third-party certificate).
https://pagure.io/freeipa/issue/8600
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The nickname of the 389-ds certificate was hardcoded as
Server-Cert which failed if the user had installed a
third-party certificate using ipa-server-certinstall.
Instead pull the nickname from the DS configuration and
retrieve it based on that.
https://pagure.io/freeipa/issue/8600
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
This option was inconsistent between invocations and there is
no need to stop certmonger after stopping tracking. It was also
apparently causing dbus timeout errors, probably due to the amount
of work that certmonger does at startup.
https://pagure.io/freeipa/issue/8506https://pagure.io/freeipa/issue/8533
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Trailing dots aren't permitted in sudo commands, as
enforced explicitly in `get_dn`. Performing this check
before adding the command prevents the user from
entering invalid commands, which would otherwise trigger
errors when accessing them afterwards.
RN: ipa sudocmd-* commands now validate SUDO command name to not end with a dot.
RN: Previously a trailing dot was stripped away in when addressing a SUDO command's LDAP object.
RN: As a result, a SUDO command was created but it was not possible to refer to it in other IPA commands.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1925410
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
From the upgrade log it was not possible to see the current
state of ACME which makes troubleshooting difficult.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Related: https://pagure.io/freeipa/issue/8712
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Put the ACME config files under normal IPA versioning so we
can more seamlessly do updates to them.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
https://pagure.io/freeipa/issue/8712
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Add prune option to ipa-cacert-manage, allowing
to remove all expired certificates from the certificate store.
Related: https://pagure.io/freeipa/issue/7404
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ipa cert-show, ipa cert-revoke and ipa cert-remove-hold do not
print meaningful info when called on a non-existent cert id:
Certificate operation cannot be completed: Unable to communicate
with CMS
Propagate the reason from the HTTP message in order to print
'Certificate ID 0x.. not found'
Fixes: https://pagure.io/freeipa/issue/8704
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The database storing the keys with OpenDNSSEC 2.1 has a
different schema from OpenDNSSEC 1.4, and the keytype
(ZSK, KSK) is stored in a different table column: "role"
instead of "keytype".
With OpenDNSSEC 1.4, keytype can be 256 (ZSK) or 257 (KSK), while
with OpenDNSSEC 2.1, role can be 1 (KSK) or 2 (ZSK).
The schema migration can be seen in opendnssec source code:
enforcer/utils/1.4-2.0_db_convert/sqlite_convert.sql
INSERT INTO hsmKey
SELECT DISTINCT REMOTE.keypairs.id, 1, REMOTE.keypairs.policy_id,
REMOTE.keypairs.HSMkey_id, 2, REMOTE.keypairs.size,
REMOTE.keypairs.algorithm, (~(REMOTE.dnsseckeys.keytype)&1)+1,
CASE WHEN REMOTE.keypairs.generate IS NOT NULL THEN
strftime('%s', REMOTE.keypairs.generate)
ELSE strftime("%s", "now") END,
0,
1, --only RSA supported
REMOTE.securitymodules.name,
0 --assume no backup
FROM REMOTE.keypairs
JOIN REMOTE.dnsseckeys
ON REMOTE.keypairs.id = REMOTE.dnsseckeys.keypair_id
JOIN REMOTE.securitymodules
ON REMOTE.securitymodules.id = REMOTE.keypairs.securitymodule_id;
and the schema for the table is defined in enforcer/src/db/kasp.sqlite:
CREATE TABLE HsmKey (
locator VARCHAR(255) NOT NULL,
candidate_for_sharing TINYINT UNSIGNED DEFAULT 0,
bits INT UNSIGNED DEFAULT 2048,
policy VARCHAR(255) DEFAULT 'default',
algorithm INT UNSIGNED DEFAULT 1,
role VARCHAR(3) DEFAULT 'ZSK',
inception INT UNSIGNED,
isrevoked TINYINT UNSIGNED DEFAULT 0,
key_type VARCHAR(255),
repository VARCHAR(255),
backmeup TINYINT UNSIGNED DEFAULT 0,
backedup TINYINT UNSIGNED DEFAULT 0,
requirebackup TINYINT UNSIGNED DEFAULT 0,
id INTEGER PRIMARY KEY AUTOINCREMENT
);
Fixes: https://pagure.io/freeipa/issue/8647
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The KRA attempts to unregister itself from the security domain
which requires that IPA be running for this to succeed.
1. Move the KRA uninstall call prior to stopping all IPA
services
2. Try to start IPA if it isn't running and a KRA is configured
It isn't mandatory that IPA be running for the KRA uninstall to
succeed but it will suppress a pretty scary backtrace and error
message.
https://pagure.io/freeipa/issue/8550
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Return status 3 if ipactl status can't start 389-ds or if
any of the expected services is not running.
https://pagure.io/freeipa/issue/8588
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
This is an informational message and clutters the installation
screen with no end-user benefit. Logging it as debug is
sufficient to know what is going on.
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
This should make it easier to troubleshoot low memory installation
failures from the logs.
https://pagure.io/freeipa/issue/8404
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The dns parameter of request_and_wait_for_cert() must be a string of
hostnames.
* Enforce list/tuple type so that API misuse no longer passes silently.
* Add commonNameToSANDefaultImpl to KDCs_PKINIT_Certs profile
* Explicitly pass hostname for service certs
Fixes: https://pagure.io/freeipa/issue/8685
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
If NSSDatabase() throws a ValueError it means we can't open it
to look for an existing ipaCert to migrate. Chances are there is
no certificate to migrate at this point in Fedora so don't let
it blow up the entire installation/upgrade. Warn the user and let
them figure it out.
We have no real path forward on this and by proceeding it could
lead to more errors (like no RA) but it is extremely unlikely and
would require a user to upgrade from very old Fedora to very
new Fedora in one step.
https://pagure.io/freeipa/issue/8675
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
IPA traditionally allowed to add names not found in IPA LDAP to external
attributes. This is used to allow, for example, a local system user or
group be present in a SUDO rule.
With membership validator, we can actually check validity of the names
against both IPA users/groups and users/groups from trusted domains.
If in future we decide to reject a local system's objects, then all it
would take is to switch reject_failures to True.
Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
