Commit Graph

11448 Commits

Author SHA1 Message Date
Martin Basti
6637980af6 Only warn when specified server IP addresses don't match intf
In containers local addresses differ from public addresses and we need
a way to provide only public address to installers.

https://pagure.io/freeipa/issue/2715
https://pagure.io/freeipa/issue/4317

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-06-06 18:10:33 +02:00
Pavel Vomacka
566361e63d Turn off OCSP check
The OCSP check was previously turned on but it introduced several
issues. Therefore the check will be turned off by default.

For turning on should be used ipa advise command with correct recipe.
The solution is tracked here: https://pagure.io/freeipa/issue/6982

Fixes: https://pagure.io/freeipa/issue/6981
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-06 13:33:54 +02:00
Jan Cholasta
0772ef20b3 server upgrade: do not enable PKINIT by default
Enabling PKINIT often fails during server upgrade when requesting the KDC
certificate.

Now that PKINIT can be enabled post-install using ipa-pkinit-manage, avoid
the upgrade failure by not enabling PKINIT by default.

https://pagure.io/freeipa/issue/7000

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-06 13:27:44 +02:00
Jan Cholasta
92276c1e88 pkinit manage: introduce ipa-pkinit-manage
Add the ipa-pkinit-manage tool to allow enabling / disabling PKINIT after
the initial server install.

https://pagure.io/freeipa/issue/7000

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-06 13:27:44 +02:00
Jan Cholasta
e131905f3e server certinstall: update KDC master entry
After the KDC certificate is installed, add the PKINIT enabled flag to the
KDC master entry.

https://pagure.io/freeipa/issue/7000

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-06 13:27:44 +02:00
Martin Babinsky
8ef4888af7 fix incorrect suffix handling in topology checks
When trying to delete a partially removed master entry lacking
'iparepltopomanagedsuffix' attribute, the code that tries to retrieve
tha value for further computations passes None and causes unhandled
internal errors.

If the attribute is empty or not present, we should return empty list
instead as to not break calling cod attribute, the code that tries to
retrieve tha value for further computations passes None and causes
unhandled internal errors. We should return empty list instead.

https://pagure.io/freeipa/issue/6965

Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
2017-06-05 18:37:37 +02:00
Alexander Bokovoy
e8a7e2e38a ipa-kdb: add pkinit authentication indicator in case of a successful certauth
We automatically add 'otp' and 'radius' authentication indicators when
pre-authentication with OTP or RADIUS did succeed. Do the same for
certauth-based pre-authentication (PKINIT).

A default PKINIT configuration does not add any authentication
indicators unless 'pkinit_indicator = pkinit' is set in kdc.conf.
Unfortunately, modifying kdc.conf automatically is a bit more
complicated than modifying krb5.conf. Given that we have 'otp' and
'radius' authentication indicators also defined in the code not in the
kdc.conf, this change is following an established trend.

SSSD certauth interface does not provide additional information about
which rule(s) succeeded in matching the incoming certificate. Thus,
there is not much information we can automatically provide in the
indicator. It would be good to generate indicators that include some
information from the certmapping rules in future but for now a single
'pkinit' indicator is enough.

Fixes https://pagure.io/freeipa/issue/6736

Reviewed-By: Simo Sorce <ssorce@redhat.com>
2017-06-05 18:35:27 +02:00
Felipe Volpone
44bd5e358b Changing cert-find to do not use only primary key to search in LDAP.
In service.py the primary key is krbCanonicalName, which we
don't want to use to do searchs. Now, cert-find uses primary
key or a specified attribute to do searches in LDAP, instead
of using only a primary key.

https://pagure.io/freeipa/issue/6948

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-06-02 16:45:43 +02:00
Stanislav Laznicka
e1f8684e85 rpc: avoid possible recursion in create_connection
There was a recursion in RPCClient.create_connection() which under rare
circumstances would not have an ending condition. This commit removes
it and cleans up the code a bit as well.

https://pagure.io/freeipa/issue/6796

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-06-02 16:43:02 +02:00
Stanislav Laznicka
79d1752577 rpc: preparations for recursion fix
Made several improvements to coding style:
 - same use of KerberosError throughout the module
 - removed some unused variables
 - moved code from try-except blocks if it didn't have to be there
 - preparations for putting most of RPCClient.create_connection()
   to loop

https://pagure.io/freeipa/issue/6796

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-06-02 16:43:02 +02:00
Stanislav Laznicka
81a808caeb Avoid possible endless recursion in RPC call
This commit removes recursion in RPCClient.forward() which may lack
end condition.

https://pagure.io/freeipa/issue/6796

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-06-02 16:43:02 +02:00
Sumit Bose
e8aed25248 ipa-kdb: reload certificate mapping rules periodically
With this patch the certificate mapping rules are reloaded every 5
minutes.

Resolves https://pagure.io/freeipa/issue/6963

Reviewed-By: David Kupka <dkupka@redhat.com>
2017-06-02 16:40:24 +02:00
Fraser Tweedale
89eb162fcd py3: fix regression in schemaupdate
The python-ldap classes that process schema definitions require a
unicode string, not a byte string.  A recent py3 compatibility fix
(d89de4219d) changed the constructor
argument to a unicode string to dispel a warning, but this broke
schema update.  Change it back to a bytestring.

Part of: https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-02 09:55:13 +02:00
Tomas Krizek
48b7e83511 ipatests: add systemd journal collection for multihost tests
Some messages are only logged in journal. Collection of journal
makes debugging failed tests from logs easier.

Fixes: https://pagure.io/freeipa/issue/6971

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-01 11:50:44 +02:00
Tomas Krizek
906c4c9459 ipatests: change logdir naming pattern for multihost tests
Remove brackets from the paths in naming pattern of directories
for multihost logs. Brackets in filenames require special handling
in markdown URLs, bash paths etc.

Related: https://pagure.io/freeipa/issue/6971

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-01 11:50:44 +02:00
Martin Basti
be1415b6cc pylint: explicitly depends on python2-pylint
F26 defaults to python3 with pylint package, we have to explicitly ask
for python2 version of pylint

https://pagure.io/freeipa/issue/6986

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-01 09:51:52 +02:00
Fraser Tweedale
5f0e13ce9c ca-add: validate Subject DN name attributes
If the Subject DN is syntactically valid but contains unrecognised
name attributes, FreeIPA accepts it but Dogtag rejects it, returning
status 400 and causing the framework to raise RemoteRetrieveError.

Update the ca-add command to perform some additional validation on
the user-supplied Subject DN, making sure that we recognise all the
attributes.

Fixes: https://pagure.io/freeipa/issue/6987
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
2017-06-01 09:28:36 +02:00
Martin Basti
99771ceb9f py3: update_mod_nss_cipher_suite: ordering doesn't work with None
Py3 doesn't support ordering with None value

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-01 09:24:24 +02:00
Martin Basti
c6a57d8091 py3: urlfetch: use "file://" prefix with filenames
with py3 urlopen used internally with pyldap doesn't work with raw
filepaths without specifying "file://" prefix. This works on both
py2/py3

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-01 09:24:24 +02:00
Martin Basti
b09a941f34 py3: cainstance: fix BytesWarning
https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-01 09:24:24 +02:00
Martin Basti
d89de4219d py3: schemaupdate: fix BytesWarning
str() was called on bytes

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-01 09:24:24 +02:00
Martin Basti
bc9addac30 py3: LDAP updates: use only bytes/raw values
Functions mix unicode and bytes, use only bytes.

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-01 09:24:24 +02:00
Martin Basti
d7a9e81fbd py3: softhsm key_id must be bytes
softhsm works with bytes, so key_id must be byte otherwise we get errors
from bytes and string comparison

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-01 09:24:24 +02:00
Martin Basti
27f8f9f03d py3: ipaldap: encode Boolean as bytes
Python LDAP requires bytes

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-01 09:24:24 +02:00
Martin Basti
6e7071d6ad py3: ConfigParser: replace deprecated readfd with read
ConfigParser.readfd() is deprecated in py3, we can use .read() which is
compatible with py2

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-01 09:24:24 +02:00
Martin Basti
2e63ec42d0 py3: use ConfigParser instead of SafeConfigParser
DeprecationWarning: The SafeConfigParser class has been renamed
to ConfigParser in Python 3.2. This alias will be removed in
future versions. Use ConfigParser directly instead.

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-01 09:24:24 +02:00
Stanislav Laznicka
3b6892783e kdc.key should not be visible to all
While the world certainly is interested in our privates, we
should not just go ahead and show it to them.

https://pagure.io/freeipa/issue/6973

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-05-31 18:18:47 +02:00
Martin Basti
71adc8cd3f Add remote_plugins subdirectories to RPM
Subdirectories of remote plugins were forgotten in previous fix
d22ac59828cc4339d509804ddb3e2e1da9cfaa20 .

https://pagure.io/freeipa/issue/6927

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-05-31 10:32:57 +02:00
Martin Basti
a90a113b66 custodia dep: require explictly python2 version
python-custodia matches python3-custodia, but for py2 installations we
need python2-custodia explicitly

https://pagure.io/freeipa/issue/6962

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-05-31 10:28:06 +02:00
Martin Babinsky
1e5f55e791 Do not delete DS and PKI users during backup/restore tests
Since the creation of DS and PKI users is now handled by RPMs and not at
runtime in FreeIPA 4.5.x, we should no longer remove them during
backup/restore tests.

https://pagure.io/freeipa/issue/6956

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-30 13:31:28 +02:00
Martin Babinsky
2624cf2e4c test_backup_restore: do not fail on missing KrbLastSuccessfulAuth
Since FreeIPA 4.5.1 now sets 'Disable last successful auth' option by
default (see https://pagure.io/freeipa/issue/5313), the
'KrbLastSuccessfulAuth' may not always be present on the user entry. The
restored entry checker in backup/restore suite should consider this.

https://pagure.io/freeipa/issue/6956

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-30 13:31:28 +02:00
Jan Cholasta
ab71cd5a16 httpinstance: wait until the service entry is replicated
Wait until the local HTTP service entry is replicated to the remote master
before requesting the server certificate.

This prevents a replication conflict between the service entry added
locally and service entry added remotely when requesting the certificate.

https://pagure.io/freeipa/issue/6867

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-30 12:53:27 +02:00
Fraser Tweedale
bc6d499514 Add Subject Key Identifier to CA cert validity check
CA certificates MUST have the Subject Key Identifier extension to
facilitiate certification path construction.  Not having this
extension on the IPA CA certificate will cause failures in Dogtag
during signing; it tries to copy the CA's Subject Key Identifier to
the new certificate's Authority Key Identifier extension, which
fails.

When installing an externally-signed CA, check that the Subject Key
Identifier extension is present in the CA certificate.

Fixes: https://pagure.io/freeipa/issue/6976
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-30 12:39:15 +02:00
Tibor Dudlák
d73ec06cb3 user.py: replace user_mod with ldap.update_entry()
Refactoring user_add class to use 'ldap.update_entry()' call
instead of api call 'user_mod' when --noprivate option is used.

https://pagure.io/freeipa/issue/5788

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-30 12:35:41 +02:00
Alexander Bokovoy
49ce395b90 Fix index definition for ipaAnchorUUID
Fixes https://pagure.io/freeipa/issue/6975

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-30 12:32:34 +02:00
Christian Heimes
090eadbe4e Reimplement yield tests are parametrized tests
https://pagure.io/freeipa/issue/6591

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-30 12:28:51 +02:00
Christian Heimes
af140b0bc1 Silence pytest.yield_fixture deprecation warning
pytest >= 2.10 supports yield based fixtures with pytest.fixture. In
pytest < 2.10 pytest.yield_fixture is required. But that function
also raises a deprecation warning in pytest >= 3.0. FreeIPA has to stay
compatible with pytest < 2.10 for RHEL 7 testing.

https://docs.pytest.org/en/latest/fixture.html#fixture-finalization-executing-teardown-code

https://pagure.io/freeipa/issue/6591

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-30 12:28:51 +02:00
Florence Blanc-Renaud
f960450820 ipa-replica-conncheck: handle ssh not installed
When ipa-replica-conncheck is run but ssh is not installed, the tool exits
with a stack trace. Properly handle the error by raising an Exception in the
SshExec constructor, and catch the exception in order to ignore the error and
skip ssh test.

The tool will exit with the following output:
[...]
Check RPC connection to remote master
trying https://master.domain.com/ipa/session/json
Forwarding 'schema' to json server 'https://master.domain.com/ipa/session/json'
Retrying using SSH...
WARNING: ssh not installed, skipping ssh test

https://pagure.io/freeipa/issue/6935

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-30 12:02:13 +02:00
Martin Basti
7eb02a49ed pylint: ignore new checks added in 1.7
New checks will be temporarily disabled until fixed.

https://pagure.io/freeipa/issue/6874

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-29 18:37:41 +02:00
Martin Basti
5f640de76e Pylint: fix ipa_forbidden_import checker
Pylint 1.7 changed internals, so we have update our custom checker

https://pagure.io/freeipa/issue/6874

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-29 18:37:41 +02:00
Tibor Dudlák
a2f4a94925 Add 'TIP' to enable copr repo.
Copr repo @freeipa/freeipa-master provides dependencies
for freeipa/master branch.

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-29 14:46:09 +02:00
Martin Basti
cba678d846 travis: fix pylint execution with py3
Python version was placed at wrong position, py3 hasn't been tested at
all in travis.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-29 14:44:29 +02:00
Martin Basti
6e67978356 py3: add missing py3 pylint depedencies
https://pagure.io/freeipa/issue/6874
https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-29 14:44:29 +02:00
Stanislav Laznicka
35675ca2bb Change ConfigParser to RawConfigParser
In case ipa_generate_password() generates a sequence containing
'%', ConfigParser.set() will fail because it would think it is a
string that should be interpolated.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-26 17:04:11 +02:00
Martin Babinsky
8b6f8ed7d4 only stop/disable simple service if it is installed
The SimpleServiceInstance uninstaller assument that the service to
uninstall was always present on the system. This may not be valid in
some cases (e.g. containerized deployments) and thus we need to change
the service state only when we know that the unit file exists.

https://pagure.io/freeipa/issue/6977

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-26 16:15:53 +02:00
Martin Babinsky
58fd229a1d test_serverroles: Get rid of MockLDAP and use ldap2 instead
The test fixture haphazardly intermixed MockLDAP and ldap2 calls in
setup and teardown code, greatly hampering extension of the code and
also porting efforts to Python 3. Get rid of MockLDAP and use ldap2 for
all LDAP operations.

https://pagure.io/freeipa/issue/6937

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-26 16:11:40 +02:00
Martin Babinsky
99352731b4 Add pkinit-status command
This command is a more streamlined reporting tool for PKINIT feature
status in the FreeIPA topology. It prints out whether PKINIT is enabled
or disabled on individual masters in a topology. If a`--server` is
specified, it reports status for an individual server. If `--status` is
specified, it searches for all servers that have PKINIT enabled or
disabled.

https://pagure.io/freeipa/issue/6937

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-26 16:11:40 +02:00
Martin Babinsky
f80553208e Add the list of PKINIT servers as a virtual attribute to global config
https://pagure.io/freeipa/issue/6937

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-26 16:11:40 +02:00
Martin Babinsky
d8bb23ac38 Add an attribute reporting client PKINIT-capable servers
A new multi-valued server attribute `pkinit_server` was added which
reports IPA masters that have PKINIT configuration usable by clients.

The existing tests were modified to allow for testing the new attribute.

https://pagure.io/freeipa/issue/6937

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-26 16:11:40 +02:00
Martin Babinsky
cac7e49daa Refactor the role/attribute member reporting code
The `config` object now hosts a generic method for updating the config
entry for desired server role configuration (if not empty). The
duplicated code in dns/trust/vaultconfig commands was replaced by a call
to a common method.

https://pagure.io/freeipa/issue/6937

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-26 16:11:40 +02:00