Implement the import and export handlers for Custodia keys as external
scripts. It's a prerequisite to drop DAC override permission and proper
SELinux rules for ipa-custodia.
Except for DMLDAP, handlers no longer run as root but as handler-specific
users with reduced privileges. The Dogtag-related handlers run
as pkiuser, which also helps with HSM support.
The export and import handlers are designed to be executed by sudo, too.
In the future, ipa-custodia could be executed as an unprivileged process
that runs the minimal helper scripts with higher privileges.
Fixes: https://pagure.io/freeipa/issue/6888
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Remove Python 2 related code and configuration from spec file, autoconf
and CI infrastructure. From now on, FreeIPA 4.8 requires at least Python
3.6. Python 2 packages like python2-ipaserver or python2-ipaclient are
no longer available. PR-CI, lint, and tox aren't testing Python 2
compatibility either.
See: https://fedoraproject.org/wiki/Changes/FreeIPA_Python_2_Removal
Fixes: https://pagure.io/freeipa/issue/7568
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
A platform Python interpreter is a special variant of the interpreter
that is only used for system software. It's located at
/usr/libexec/platform-python.
Fixes: https://pagure.io/freeipa/issue/7680
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
PR https://github.com/freeipa/freeipa/pull/1747 added the first template
for FreeIPA client package. The template file was added to server
templates, which broke client-only builds.
The template is now part of a new subdirectory for client package shared
data.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The configure script now looks for Python 3.6 or newer, then falls back
to Python 2. All Makefiles default to Python 3 if Python 3 is available.
See: pagure.io/freeipa/issue/7131
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Fast linting only needs modified files with pylint and diff with
pycodestyle. It's good enough to detect most code errors very fast. It
typically takes less than 10 seconds. A complete full pylint run uses
all CPU cores for several minutes. PEP 8 violations are typically
reported after 30 minutes to several hours on Travis CI.
Fast linting uses git diff and git merge-base to find all modified
files in a branch or working tree. There is no easy way to find the
branch source. On Travis the information is provided by Travis. For
local development it's a new variable IPA_GIT_BRANCH in VERSION.m4.
Fast testing executes all unit tests that do not depend on ipalib.api.
In total it takes about 30-40 seconds (!) to execute linting, PEP 8 checks
and unittests for both Python 2 and 3.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Refactor nsswitch operations in ipa-extdom-extop plugin to allow use
of timeout-enabled nsswitch calls provided by libsss_nss_idmap.
Standard POSIX nsswitch API has no way to cancel requests which may
cause ipa-extdom-extop requests to hang far too long and potentially
exhaust LDAP server workers. In addition, glibc nsswitch API iterates
through all nsswitch modules one by one and with multiple parallel
requests a lock up may happen in an unrelated nsswitch module like
nss_files.so.2.
A solution to the latter issue is to directly load nss_sss.so.2 plugin
and utilize it. This, however, does not solve a problem with lack of
cancellable API.
With SSSD 1.16.1, libsss_nss_idmap provides a timeout-enabled variant of
the nsswitch API that is directly integrated with the SSSD client side
machinery used by nss_sss.so.2. As a result, this API can be used instead
of loading nss_sss.so.2 directly.
To support older SSSD versions, both direct loading of nss_sss.so.2 and
the new timeout-enabled API are supported by this changeset. An API to
abstract both is designed to be a mix between the internal glibc nsswitch
API and the external nsswitch API that libsss_nss_idmap mimics. The API
does not expose a per-call timeout. Instead, it allows setting a timeout
per nsswitch operation context to reduce the amount of information
a caller has to maintain.
The choice of which API to use is made at configure time.
In order to test the API, the cmocka test is updated to explicitly load
nss_files.so.2 as a backend. Since use of nss_sss.so.2 would always
depend on availability of SSSD, predictable testing would not be
possible otherwise. Also, the cmocka test does not use
nss_wrapper anymore because nss_wrapper overrides the higher level glibc
nsswitch API while we are loading an individual nsswitch module
directly.
As a result, the cmocka test overrides the fopen() call used by
nss_files.so.2 to load /etc/passwd and /etc/group. The overridden version
changes the paths /etc/passwd and /etc/group to a local test_data/passwd and
test_data/group. This way we can continue testing the backend API for
ipa-extdom-extop with the same data as with nss_wrapper.
Fixes https://pagure.io/freeipa/issue/5464
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Instead of symlinks and build-time configuration, the ipaplatform module
is now able to auto-detect platforms at import time. The meta importer
uses the platform 'ID' from /etc/os-release. It falls back to 'ID_LIKE'
on platforms like CentOS, which has ID=centos and ID_LIKE="rhel fedora".
The meta importer is able to handle namespace packages and the
ipaplatform package has been turned into a namespace package in order to
support external platform specifications.
https://fedorahosted.org/freeipa/ticket/6474
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
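The ID / ID_LIKE fallback described in the commit above, as an added example written for this page rather than ipaplatform's own importer. The os-release contents and the set of known platform names are constructed for the example.

```python
import shlex

# Constructed os-release contents (not real files). CentOS reports an ID that
# is not itself a platform module, but its ID_LIKE names supported ones.
CENTOS_OS_RELEASE = """\
NAME="CentOS Linux"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
"""
FEDORA_OS_RELEASE = "NAME=Fedora\nID=fedora\nVERSION_ID=28\n"
UNKNOWN_OS_RELEASE = "ID=alpine\n"

# Hypothetical set of platform modules available to the importer.
KNOWN_PLATFORMS = frozenset({"fedora", "rhel", "debian"})


def parse_os_release(text):
    """Parse os-release KEY=VALUE lines; values may be shell-quoted."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, raw = line.partition("=")
        parts = shlex.split(raw)  # strips the surrounding quotes, if any
        values[key.strip()] = parts[0] if parts else ""
    return values


def detect_platform(text, known=KNOWN_PLATFORMS):
    """Return ID if it is a known platform, else the first known ID_LIKE entry.

    ID is preferred over ID_LIKE so that a platform with its own module
    (e.g. fedora) is never mapped to a more generic one it is "like".
    """
    info = parse_os_release(text)
    candidates = [info.get("ID", "")] + info.get("ID_LIKE", "").split()
    for candidate in candidates:
        if candidate in known:
            return candidate
    raise ValueError("unsupported platform: ID=%r ID_LIKE=%r"
                     % (info.get("ID"), info.get("ID_LIKE")))
```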
Since the ipaapi user is now created during RPM install and not at runtime,
we may switch back to shipping tmpfiles.d configuration directly in RPMs
and not create it at runtime, which is the preferred way to handle drop-in
configuration anyway.
This also means that the drop-in config will be shipped in /usr/lib
instead of /etc according to Fedora packaging guidelines.
This partially reverts commit 38c66896de.
https://pagure.io/freeipa/issue/7053
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Replace empty string with a single space in the third argument of
`AC_CHECK_LIB` (`action-if-found`) where applicable.
An empty string in the argument causes `AC_CHECK_LIB` to use the default
action when a library is found, which includes adding the library to `LIBS`,
which specifies libraries to be linked into every binary and library in the
project.
This fixes libkrad, liblber, libldap_r and libsss_nss_idmap being linked to
every binary and library in IPA, even where unused.
https://pagure.io/freeipa/issue/6846
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Add tox infrastructure to test client wheel packages workflow:
* build client packages
* install client packages
* ipa-run-tests --ipaclient-unittests under Python 2 and 3
* pylint of client packages under Python 2 and 3
* placeholder packages work as expected
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
To create a wheel bundle with ipaserver and its dependencies:
make wheel_bundle IPA_SERVER_WHEELS=1
To include additional dependencies:
make wheel_bundle IPA_EXTRA_WHEELS=ipatests[webui]
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Ticket 6604 makes pylint and jsl optional dependencies. The change
is controversial, because some developers prefer that pylint and jsl
should be required unless explicitly disabled.
`make devcheck` is my answer to address the concerns. It's a superior
solution to `make lint` as a pre-commit check. It combines several
additional checks under a single, easy to remember and convenient make
target:
* build all
* acilint, apiclient, jslint, polint
* make check
* pylint under Python 2 and 3
* subset of unit test suite
https://fedorahosted.org/freeipa/ticket/6604
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
These are platform specific, add values for Debian and default values
for Fedora/RHEL.
Also, use prettier output when checking the extra python install options.
Reviewed-By: Martin Basti <mbasti@redhat.com>
The pkg-config files for xmlrpc_c libraries are shipped just
in fedora/rhel due to a downstream patch. Debian does not have
pkg-config files for xmlrpc_c. Therefore we need to fall back to the older
method of detecting XMLRPC_*FLAGS, which was reverted
by the commit 1e0143c159.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Debian packages should be installed under dist-packages, not
site-packages. Debian has patched distutils and setuptools to add a new
flag '--install-layout'. For --with-ipaplatform=debian,
PYTHON_INSTALL_EXTRA_OPTIONS is set to '--install-layout=deb'.
https://pagure.io/freeipa/issue/6764
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Martin Basti <mbasti@redhat.com>
./configure no longer fails when pylint or jsl are not available. The
make targets for pylint and jsl are no longer defined without the tools.
Rationale:
pylint and jsl are not required to build FreeIPA. Both are useful
developer tools. It's more user friendly to make both components
optional with default configure arguments. There is no reason to
fail building on a build system without development tools.
It's still possible to enforce dependency checks with --with-jslint and
--enable-pylint.
https://fedorahosted.org/freeipa/ticket/6604
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
libpopt added a pkg-config file in 1.16 but there are still distributions
which have an older version of the library (el6, el7). And new features from
libpopt are not used anywhere. Configure should try to detect as much as
possible and users should not use workarounds with explicitly enabled
variables as parameters, e.g.
./configure POPT_LIBS="-lpopt "
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
csrgen broke packaging of ipaclient for PyPI. All csrgen related
resources are now package data of ipaclient package. Package data is
accessed with Jinja's PackageLoader() or through pkg_resources.
https://pagure.io/freeipa/issue/6714
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Ben Lipton <blipton@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
I also renamed the base directory to pypi and added a new build target
pypi_packages.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
The ipa and freeipa packages are placeholders to prevent PyPI squashing
attacks and reserve the names for future use. `pip install ipa` installs
ipaclient.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Fix "implicit declaration of function ‘strlen’" in ipa_pwd_ntlm.c,
credits to Lukas.
Add -Werror=implicit-function-declaration to CFLAGS to point developers
to missing includes. It causes compilation to fail when a developer
forgets to add a required include. The problem is no longer hidden in a
massive wall of text from make.
Silence a harmless error from 389-DS slapi.h until the bug is fixed in
downstream, https://pagure.io/389-ds-base/issue/48979
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
--without-ipatests skips building and installation of the ipatests
package. By default the ipatests package is always built and installed
by make install.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
DAL version 6.0 removed support for a callback to free the principal.
This broke KDB drivers which had a complex e_data structure within
the principal structure. As a result, the FreeIPA KDB driver was leaking
memory with DAL version 6.0 (krb5 1.15).
DAL version 6.1 added a special callback for freeing the e_data structure.
See details at krb5/krb5#596
Restructure the KDB driver code to provide this callback in case
we are built against a DAL version that supports it. For DAL versions
prior to 6.0 use this callback in the free_principal callback to
tidy the code.
Use an explicit KDB version dependency in Fedora 26+ via BuildRequires.
With a new DAL version, the freeipa package will fail to build and
we'll have to add support for the new DAL version explicitly.
https://fedorahosted.org/freeipa/ticket/6619
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
We do not want to generate runtime directories just because the packages
are installed, but only if the server is actually set up and run. Also this
will be needed later because we will create a user at install time and some
tmpfiles will need to be owned by this user.
As we are changing this code also rationalize the directory structure and
move it from the http rundir to the ipa specific rundir.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Adds a library that uses jinja2 to format a script that, when run, will
build a CSR. Also adds a CLI command, 'cert-get-requestdata', that uses
this library and builds the script for a given principal. The rules are
read from json files in /usr/share/ipa/csr, but the rule provider is a
separate class so that it can be replaced easily.
https://fedorahosted.org/freeipa/ticket/4899
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
If the configure script was executed with --enable-pylint then
it behaved the same as --disable-pylint. It does not make
any sense.
Resolves:
https://fedorahosted.org/freeipa/ticket/6604
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
This is necessary to be able to successfully build archives in
environments controlled by an IPA domain which may have large uidNumbers
for user accounts.
tar-ustar allows UID/GID numbers only up to 2 million and by default a
new IPA installation can assign UIDs in the billion range.
https://fedorahosted.org/freeipa/ticket/6418
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
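The ustar limit described above, shown as an added example that is not part of the commit: Python's tarfile module writes the same 7-digit octal uid/gid field, so a member owned by a billion-range UID cannot be stored in ustar format but can in pax format (the choice of pax as the replacement format is an assumption of this example; the archive contents are constructed).

```python
import io
import tarfile

# Constructed sample: a UID in the billion range, as a default IPA
# installation may assign to user accounts.
BIG_UID = 1_234_567_890
# Largest value a 7-digit octal ustar field can hold (about 2 million).
USTAR_MAX_ID = 8 ** 7 - 1  # 2097151


def build_archive(fmt, uid):
    """Write a one-file tarball in the given tarfile format.

    Returns the archive bytes, or None when the format cannot represent
    the uid (tarfile raises ValueError "overflow in number field").
    """
    data = b"constructed file content\n"
    buf = io.BytesIO()
    try:
        with tarfile.open(fileobj=buf, mode="w", format=fmt) as tar:
            info = tarfile.TarInfo("freeipa-4.x/README")
            info.size = len(data)
            info.uid = info.gid = uid
            tar.addfile(info, io.BytesIO(data))
    except ValueError:
        return None
    return buf.getvalue()


def stored_uid(blob):
    """Read the archive back and report the uid recorded for its member."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        return tar.getmembers()[0].uid


def ustar_fits(uid):
    """True when the uid is representable in the ustar header field."""
    return 0 <= uid <= USTAR_MAX_ID
```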
Spaces are causing problems in libtool, makefiles, autoconf itself, gettextize
framework etc. so this issue cannot be easily fixed.
Return on investment is too small to invest into this. Let's detect the
whitespace early and error out with descriptive error message.
https://fedorahosted.org/freeipa/ticket/6537
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
configure option --with/without-pylint was replaced by
--enable/disable-pylint. Pylint is always called as $(PYTHON) -m python.
If you need to override Pylint version, use command "make pylint PYTHON=xxx".
https://fedorahosted.org/freeipa/ticket/157
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The lower version is needed while building on RHEL.
Also po/Rules-quot file is deleted and added to .gitignore.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Let's relax the check for .git from "is a directory" to "exists" in order to
support freeipa in a git submodule. Submodules have a .git file with
content like
gitdir: ../.git/modules/freeipa
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
AC_CONFIG_FILES in configure.ac works well only with Makefiles.
Other files have to be handled by Makefile.am so dependencies
are tracked properly.
There is a problem that Python sub-directories depend on ipasetup.py
which is one level above the sub-directory. This means that dependencies
are the other way around than expected. This is being worked around
using a hack from
http://lists.gnu.org/archive/html/automake/2009-03/msg00011.html
https://fedorahosted.org/freeipa/ticket/6498
Reviewed-By: Martin Basti <mbasti@redhat.com>
AC_CONFIG_FILES in configure.ac works well only with Makefiles.
Other files have to be handled by Makefile.am so dependencies
are tracked properly.
https://fedorahosted.org/freeipa/ticket/6498
Reviewed-By: Martin Basti <mbasti@redhat.com>
configure is the easiest option for automatically generating POTFILES.in.
Attempts to add it to po/Makefile* have big potential to create cyclic
dependencies and cause other trouble.
Given how rare operation adding a source file is, I think it is sufficient
to document that configure needs to be run again after adding a source file
with translatable strings.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
The target was added to top-level Makefile.am as well so the maintainer
does not need to jump between directories when doing Zanata pull/push
and strip-po.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
We now use the standard framework generated by the "gettextize" utility.
It has two limitations which I do not consider sufficiently important
to invest into a hand-made solution:
1. It can automatically gather strings only from files which have some
file extension like .c or .py. Right now we do not have any
translatable strings in Python files without extensions. Given that these
files will be removed from the source tree and replaced with entry points
from setuptools I do not see a reason to invest into supporting this.
2. It does not automatically strip untranslated strings from po files.
This is a manual step in the maintainer's workflow anyway so I will
add a separate Makefile target for it later on.
This commit contains gettextize infrastructure + filled-in files
Makevars and POTFILES.in.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Setuptools will print only warnings. The option has to be used before
setuptools command specification, otherwise it will not apply to sub-commands.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This is a huge hack. The rpms target will touch the VERSION.m4 file. This change
is then detected by automake Makefiles which subsequently re-execute configure
and make.
We have to work around the fact that variables in new make targets
(executed after the new configure) are different than the original ones.
Also, we have to 'bake in' the precise snapshot version from Git into
VERSION.m4 inside of the RPM tarball so the RPM does not depend on git
anymore.
All this magic slows the build down a bit.
Do not enable IPA_VERSION_IS_GIT_SNAPSHOT if you want fastest possible builds.
The option IPA_VERSION_IS_GIT_SNAPSHOT is now enabled by default as it
was before we started the build system refactoring effort.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>