Commit Graph

12001 Commits

Author SHA1 Message Date
Stanislav Laznicka
75845733f8
Backup ssl.conf when migrating from mod_nss
We should backup mod_ssl configuration when migrating from nss
otherwise the uninstall would later leave the machine with
IPA-specific settings.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Stanislav Laznicka
b21941360c
Move HTTPD cert/key pair to /var/lib/ipa/certs
This moves the HTTPD certificates from their default location
to IPA-specific one. This should be especially helpful from
the container perspective.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Stanislav Laznicka
1ca68ea730
httpinstance fixup: remove commented-out lines
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Stanislav Laznicka
ee49947b6c
httpinstance: fix publishing of CA cert
Adjust the HTTPInstance.__publish_ca_cert() method so that it only
exports the lowest intermediate CA certificate that signed the
HTTP certificate.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Stanislav Laznicka
8ea04ab3e3
httpinstance: verify priv key belongs to certificate
Verify the certificate issued during an installation belongs
to its private key.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Stanislav Laznicka
dde62ff883
httpinstance: backup mod_nss conf instead of just removing it
Backup mod_nss configuration in case IPA is uninstalled once
and there's applications that require it. We too required it
in previous versions, after all.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Stanislav Laznicka
0c388d1e8f
service: rename import_ca_certs_* to export_*
The import_ca_certs_{file,nssdb} methods were actually exporting
CA certificates from LDAP to different formats. The new names should
better reflect what these methods are actually doing.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Stanislav Laznicka
92d91ed58b
fixup: add ipa-rewrite.conf to ssl.conf on upgrade
Fixes ipa-server-upgrade when upgrading from a pre-mod_ssl
version where the appropriate "Include" statement needs to
be added to ssl.conf settings so that WebUI functions properly.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Stanislav Laznicka
9a7c315984
Make ipa-server-certinstall store HTTPD cert in a file
This refactors the way certificate files are replaced during
ipa-server-certinstall and uses that approach on KDC and
HTTPD certificate cert-key pairs.

https://pagure.io/freeipa/issue/3757

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Stanislav Laznicka
c85bf376f0
certupdate: don't update HTTPD NSS db
Since mod_ssl is using the /etc/ipa/ca.crt for its source
of the CA chain, we don't need to update the HTTPD NSS
database anymore (since it does not really exist).

https://pagure.io/freeipa/issue/3757

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Stanislav Laznicka
60aa2c3b38
x509: Fix docstring of write_certificate()
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Stanislav Laznicka
8789afa18a
x509: Remove unused argument of load_certificate_from_file()
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Stanislav Laznicka
205675239a
httpinstance: handle supplied PKCS#12 files in installation
Part of the mod_nss -> mod_ssl move. This patch allows loading
necessary certificates for Apache to function from PKCS#12 files.
This should fix CA-less and domain level 0 installations.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Stanislav Laznicka
7dc923cc4c
mod_ssl migration: fix upload_cacrt.py plugin
Fix the upload_cacrt.py plugin to use the DS NSS database to
upload the CA certificate from (which is the original behavior).
This is possibly required for the upgrade path from some very
old IPA versions that did not use the certificates storage in
LDAP.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Rob Crittenden
fa135e6ef1
Update smart_card_auth advise script for mod_ssl
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Rob Crittenden
4d2c7a4a75
Add value in set_directive after a commented-out version
When setting a value using set_directive() look for a commented-out
version of the directive and add the new value immediately after
that to keep the proper context.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Rob Crittenden
5531c9f26b
Don't backup nss.conf on upgrade with the switch to mod_ssl
This is because if backed up it may contain IPA-specific entries
like an import of ipa-rewrite.conf that on uninstall won't exist
and this will keep Apache from restarting.

We already have a backup of nss.conf from pre-install. Stick with
that.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Rob Crittenden
4596674481
Enable upgrades from a mod_nss-installed master to mod_ssl
The existing private/public keys are migrated to PEM files
via a PKCS#12 temporary file. This should work for both
IPA-generated and user-provided server certificates.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Rob Crittenden
5c64e28512
Convert ipa-pki-proxy.conf to use mod_ssl directives
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Rob Crittenden
a0407f75f9
Remove main function from the certmonger library
This was useful during initial development and as a simple
in-tree unit test but it isn't needed anymore.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Rob Crittenden
805aea2443
Use mod_ssl instead of mod_nss for Apache TLS for new installs
Change some built-in assumptions that Apache has an NSS certificate
database.

Configure mod_ssl instead of mod_nss. This is mostly just changing
the directives used with some slight syntactical differences.

Drop mod_nss-specific methods and functions.

There is some mention of upgrades here but this is mostly a
side-effect of removing things necessary for the initial install.

TODO:
 - backup and restore
 - use user-provided PKCS#12 file for the certificate and key

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Christian Heimes
68caeb8b19 Add mocked test for named crypto policy update
Mocked tests require the mock package for Python 2.7. Python 3 has
unittest.mock in the standard library.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-20 17:01:52 +01:00
Christian Heimes
aee0d2180c Upgrade named.conf to include crypto policy
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-20 17:01:52 +01:00
Christian Heimes
90a75f0d43 Use system-wide crypto-policies on Fedora
HTTPS connections from IPA framework and bind named instance now use
system-wide crypto-policies on Fedora.

For HTTPS the 'DEFAULT' crypto policy also includes unnecessary ciphers
for PSK, SRP, aDSS and 3DES. Since these ciphers are not used by freeIPA,
they are explicitly excluded.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1179925
See: https://bugzilla.redhat.com/show_bug.cgi?id=1179220
Fixes: https://pagure.io/freeipa/issue/4853
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-20 17:01:52 +01:00
Petr Vobornik
db2222fee4 temp commit to run the affected tests
Reviewed-By: Petr Cech <pcech@redhat.com>
2018-02-20 15:17:13 +01:00
Petr Vobornik
6b214512b3 webui:tests: close big notifications in realm domains tests
Realm domains commands produce big fat warnings about DNS state/checks.
Given the length of these warnings, they stay displayed for longer time.
As Web UI automated tests progresses quickly more of the warnings can
be displayed at the same time and thus taking a lot of space and thus
covering UI needed for next test step.

By closing the notifications before next action we make sure that test
won't fail because notification covered the required UI.

Reviewed-By: Petr Cech <pcech@redhat.com>
2018-02-20 15:17:13 +01:00
Petr Vobornik
d73d49f3f6 webui:tests: realm domain add with DNS check
Try adding and deleting with "Check DNS" (in html 'ok' button)

DNS check expects that the added domain will have DNS record:
    TXT _kerberos.$domain "$REALM"

When a new domain is added using dnszone-add it automatically adds
this TXT record and adds a realm domain. So in order to test without
external DNS we must get into state where realm domain is not added
(in order to add it) but DNS domain with the TXT record exists.

Reviewed-By: Petr Cech <pcech@redhat.com>
2018-02-20 15:17:13 +01:00
Petr Vobornik
d7d13bc950 webui:tests: move DNS test data to separate file
So that the data can be used in other test without running
the DNS tests.

Reviewed-By: Petr Cech <pcech@redhat.com>
2018-02-20 15:17:13 +01:00
Christian Heimes
9c2c3df0ab Add better CalledProcessError and run() logging
In case of an error, ipapython.ipautil.run() now raises an exception that
contains the error message of the failed command. Before the exception
only contained the command and error code.

The command is no longer collapsed into one string. The error message
and logging output contains the actual command and arguments with intact
quoting.

Example:
CalledProcessError(Command ['/usr/bin/python3', '-c', 'import sys; sys.exit(" ".join(("error", "XXXXXXXX")))'] returned non-zero exit status 1: 'error XXXXXXXX\n')

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-02-20 13:03:01 +01:00
John L
eaa5be3eec Remove special characters in host_add random OTP generation
Fixes a regression in 4.5.0 where special character set was limited.

Special characters in the OTP has caused issues in unattended
installations where the OTP is not properly quoted or escaped.

Expansion of the special character set in 4.5.0 release may cause
existing user installation scripts to fail where they wouldn't
otherwise.

https://pagure.io/freeipa/issue/7380

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-19 14:52:40 -05:00
Florence Blanc-Renaud
d647072642
ACI: grant access to admins group instead of admin user
The ACI needed for staged users and deleted users were granted
only to the uid=admin user. They should rather be granted to
cn=admins group, to make sure that all members of the admins
group are able to call the command ipa user-del --preserve.

This commit also adds integration test for non-regression.

https://pagure.io/freeipa/issue/7342

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-19 15:51:44 +01:00
Petr Vobornik
f316eb83dd
fastcheck: do not test context in pycodestyle
`git diff` shows also context lines by default. When passed to pycodestyle
it can produce errors unrelated to changed lines. It prevents running of
subsequent checks.

Limiting context to 0 lines by `git diff -U0` enables to test only the
modified lines and allows to run subsequent checks.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-02-19 14:21:26 +01:00
Stanislav Laznicka
364ffd5a0f
Fix FileStore.backup_file() not to backup same file
FileStore.backup_file() docstring claimed not to store a
copy of the same file but the behavior of the method did not
match this description.

This commit makes the backed-up file filename derivation
deterministic by hashing its content by SHA-256, thus it
should not back up two files with the same filename and content.

Reviewed-By: Aleksei Slaikovskii <aslaikov@redhat.com>
2018-02-19 14:16:51 +01:00
Christian Heimes
631d3152fe freeipa-server no longer supports i686 arch on F28
389-ds-base 1.4 is going to drop 32bit i686 arch support in Fedora 28,
https://bugzilla.redhat.com/show_bug.cgi?id=1530832 . Skip server
related packages (freeipa-server, python[23]-ipaserver,
freeipa-server-common, freeipa-server-dns, freeipa-server-trust-ad).

RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1544386
Fixes: https://pagure.io/freeipa/issue/7400
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-16 15:55:32 +01:00
Felipe Barreto
a5bd7bf766 WebUI Tests: changing the ActionsChains.move_to_element to a new approach
The approach ActionChains.move_to_element no longer works as said here [1],
so, it's necessary to change it to the new one. This means, running a
javascript script to move the page to where the element is.

There are more details in the link [1], but in summary the w3c spec is
not obvious if a click should scroll the page to the element or not.
In one hand Chrome and Edge does that, but Firefox don't. As we use
Firefox to run the tests, we need the workaround.

[1] https://github.com/mozilla/geckodriver/issues/776

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-02-16 09:57:07 +01:00
Felipe Barreto
81fb7e5a32 WebUI Tests: fixing test_user.py::test_test_noprivate_posix
When filling the combo box (the gidnumber) in the dialog to create a new
user, the Add button was also clicked; closing the dialog. The wait
makes it to not click.

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-02-16 09:57:07 +01:00
Felipe Barreto
a072fe9718 WebUI Tests: Changing how the initial load process is done
Instead of always entering the address on the address bar and reloading the
application, now the code checks if that is necessary.

With the change, the logout process is done correctly and we do not keep any
AJAX call left behind. Which could cause the user not being logout properly and
breaking the tests.

More about the logout problem described in:
https://github.com/freeipa/freeipa/pull/1479

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-02-16 09:57:07 +01:00
Felipe Barreto
12da43c54f WebUI Tests: fixing test_range test case
As described in the commit [1] and ticket [2], it should not be possible to
change the range of a local IPA domain.

The basic_crud was changed to make it flexible to do not run the mod operation
if needed.

[1] 55feea500b
[2] https://pagure.io/freeipa/issue/4826

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-02-16 09:57:07 +01:00
Felipe Barreto
49a17e98b0 WebUI Tests: changing how the login screen is detected
The "rcue-login-screen" element does not exist anymore. Changing the
code to use the ".login-pf" instead.

With the change, it's also necessary to check if the login screen is still
visible when trying to fill the fields of new password, otherwise a
StaleElementReferenceException exception will be raised.

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-02-16 09:57:07 +01:00
Felipe Barreto
7c3f9b79eb WebUI Tests: refactoring login method to be more readable
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-02-16 09:57:07 +01:00
Felipe Barreto
3fa4378bc4 WebUI Tests: fixing test_navigation
Removing old menu options, including idview and navigation on the
side bar

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-02-16 09:57:07 +01:00
Felipe Barreto
dae5bac39b WebUI Tests: fixing test_group
Removing old data that is not needed anymore.

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-02-16 09:57:07 +01:00
Felipe Barreto
83ed8d2792 WebUI Tests: fixing test_hbac
Adding more wait_for_request between navigation and small
code refactor.

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-02-16 09:57:07 +01:00
Christian Heimes
a349629fba ipa-custodia-checker now uses python3 shebang
https://pagure.io/freeipa/issue/4985

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-16 08:31:20 +01:00
Stanislav Laznicka
f31797c70a Have all the scripts run in python 3 by default
The Python 3 refactoring effort is finishing, it should be safe
to turn all scripts to run in Python 3 by default.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-02-15 18:43:12 +01:00
Christian Heimes
1b0c55a3b3 Unified ldap_initialize() function
Replace all ldap.initialize() calls with a helper function
ldap_initialize(). It handles cacert and cert validation correctly. It
also provides a unique place to handle python-ldap 3.0 bytes warnings in
the future.

Fixes: https://pagure.io/freeipa/issue/7411
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-02-15 18:32:17 +01:00
Florence Blanc-Renaud
c701cd21d3 389-ds OTP lasttoken plugin: Add unit test
Add a xmlrpc test checking that a user cannot delete his last
OTP token.

Related to
https://pagure.io/freeipa/issue/7012

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
2018-02-15 14:10:48 +01:00
Florence Blanc-Renaud
8b6506a5f1 User must not be able to delete his last active otp token
The 389-ds plugin for OTP last token is performing data initialization
in its ipa_otp_lasttoken_init method, which is wrong according to
the Plug-in Guide:
> For example, the init function should not attempt to perform an
> internal search or other internal operation, because the all of
> the subsystems are not up and running during the init phase.

This init method fills a structure containing the configuration of
allowed authentication types. As the method is called too early, the
method does not find any suffix and leaves the structure empty.
Subsequent calls find an empty structure and take the default values
(for authentication methods, the default is 1 = password).

Because of that, the code consider that the global configuration defines
password authentication method, and in this case it is allowed to delete
a user's last otp token.

The fix implements a SLAPI_PLUGIN_START_FN method that will be called
when 389-ds is ready to initialize the plugin data, ensuring that the
structure is properly initialized.

Fixes:
https://pagure.io/freeipa/issue/7012

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
2018-02-15 14:10:48 +01:00
Christian Heimes
0cc2a6cae0 Fix multiple uninstallation of server
"ipa-server-install --uninstall" no longer fails with error message
"'Env' object has no attribute 'basedn'" when executed on a system that
has no freeIPA server installation.

Fixes: https://pagure.io/freeipa/issue/7063
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2018-02-15 14:02:03 +01:00
Christian Heimes
0ee3a26711 Fix i18n test for Chinese translation
Python 3's regular expression default to full range of unicode
characters. Restrict \w matches to ASCII and drop \b suffix check to fix
a problem with validation the Chinese translation zh_CN.

Co-Authored-By: Stanislav Laznicka <slaznick@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-15 11:45:31 +01:00