Commit Graph

48 Commits

Author SHA1 Message Date
Petr Viktorin
f19218f7d8 Remove duplicate and unused utility code
IPA has some unused code from abandoned features (Radius, ipa 1.x user
input, commant-line tab completion), as well as some duplicate utilities.
This patch cleans up the utility modules.

Duplicate code consolidated into ipapython.ipautil:
    {ipalib.util,ipaserver.ipautil,ipapython.ipautil}.realm_to_suffix
    {ipaserver,ipapython}.ipautil.CIDict
            (with style improvements from the ipaserver version)
    {ipapython.entity,ipaserver.ipautil}.utf8_encode_value
    {ipapython.entity,ipaserver.ipautil}.utf8_encode_values

ipalib.util.get_fqdn was removed in favor of the same function in
ipaserver.install.installutils

Removed unused code:
    ipalib.util:
        load_plugins_in_dir
        import_plugins_subpackage
        make_repr (was imported but unused; also removed from tests)

    ipapython.ipautil:
        format_list
        parse_key_value_pairs
        read_pairs_file
        read_items_file
        user_input_plain
        AttributeValueCompleter
        ItemCompleter

    ipaserver.ipautil:
        get_gsserror (a different version exists in ipapython.ipautil)

ipaserver.ipautil ended up empty and is removed entirely.

https://fedorahosted.org/freeipa/ticket/2650
2012-05-09 11:54:20 +02:00
Martin Kosek
caf36e1f24 Improve error message in zonemgr validator
This patch consolidates zonemgr function to move the most of the
checks to common functions in order to provide consistent output.
The error messages produced by the validator should now be more
helpful when identifying the source of error.

https://fedorahosted.org/freeipa/ticket/1966
2012-04-29 19:38:19 -04:00
John Dennis
d317c2a0d1 Validate DN & RDN parameters for migrate command
Ticket #2555

We were generating a traceback (server error) if a malformed RDN was
passed as a parameter to the migrate command.

* add parameter validation functions validate_dn_param() and
  validate_rdn_param() to ipalib.util. Those functions simply invoke
  the DN or RDN constructor from our dn module passing it the string
  representation. If the constructor does not throw an error it's
  valid.

* Add the parameter validation function pointers to the Param objects
  in the migrate command.

* Make the usercontainer and groupcontainer parameters required.
  passing --usercontainer= on the command line will produce

  ipa: ERROR: 'user_container' is required

* Fix _get_search_bases() so if a container dn is empty it it just
  uses the base dn alone instead of faulting (currently
  bullet-proofing because now the containers are required).

* Update the doc for usercontainer and groupcontainer to reflect the
  fact they are DN's not RDN's. A RDN can only be one level and it
  should be possible to have a container more than one RDN removed
  from the base.
2012-04-16 08:35:03 +02:00
Ondrej Hamada
5cfee2338d Netgroup nisdomain and hosts validation
nisdomain validation:
Added pattern to the 'nisdomain' parameter to validate the specified
nisdomain name. According to most common use cases the same pattern as
for netgroup should fit. Unit-tests added.

https://fedorahosted.org/freeipa/ticket/2448

'add_external_pre_callback' function was created to allow validation of
all external members. Validation is based on usage of objects primary
key parameter. The 'add_external_pre_callback' fucntion has to be called
directly from in the 'pre_callback' function. This change affects
netgroup, hbacrule and sudorule commands.

For hostname, the validator allows non-fqdn and underscore characters.
validate_hostname function in ipalib.util was modified and contains
additional option that allows hostname to contain underscore characters.
This option is disabled by default.

Unit-tests added.

https://fedorahosted.org/freeipa/ticket/2447
2012-03-28 16:23:37 +02:00
Martin Kosek
7db1da1d65 Improve hostname and domain name validation
DNS plugin did not check DNS zone and DNS record validity and
user was thus able to create domains like "foo bar" or other
invalid DNS labels which would really confuse both user and
bind-dyndb-ldap plugin.

This patch at first consolidates hostname/domain name validators
so that they use common functions and we don't have regular
expressions and other checks defined in several places. These
new cleaned validators are then used for zone/record name
validation.

https://fedorahosted.org/freeipa/ticket/2384
2012-02-29 18:52:58 +01:00
Martin Kosek
7fe63f8233 Add SSHFP update policy for existing zones
SSH public key support includes a feature to automatically add/update
client SSH fingerprints in SSHFP records. However, the update won't
work for zones created before this support was added as they don't
allow clients to update SSHFP records in their update policies.

This patch lets dns upgrade module extend the original policy
to allow the SSHFP dynamic updates. It updates only original
policy, we don't want it to overwrite custom user policies.

https://fedorahosted.org/freeipa/ticket/2394
2012-02-27 18:04:19 +01:00
Martin Kosek
e10af0b764 Ease zonemgr restrictions
Admin e-mail validator currently requires an email to be in
a second-level domain (hostmaster@example.com). This is too
restrictive. Top level domain e-mails (hostmaster@testrelm)
should also be allowed.

This patch also fixes default zonemgr value in help texts and man
pages.

https://fedorahosted.org/freeipa/ticket/2272
2012-02-20 15:34:45 +01:00
Jan Cholasta
3c2b0fc28a Add support for SSH public keys to user and host objects.
This patch adds a new multivalue param "sshpubkey" for specifying SSH public
keys to both user and host objects. The accepted value is base64-encoded
public key blob as specified in RFC4253, section 6.6.

Additionaly, host commands automatically update DNS SSHFP records when
requested by user.

https://fedorahosted.org/freeipa/ticket/754
2012-02-13 22:21:27 -05:00
John Dennis
bba4ccb3a0 add session manager and cache krb auth
This patch adds a session manager and support for caching
authentication in the session. Major elements of the patch are:

* Add a session manager to support cookie based sessions which
  stores session data in a memcached entry.

* Add ipalib/krb_utils.py which contains functions to parse ccache
  names, format principals, format KRB timestamps, and a KRB_CCache
  class which reads ccache entry and allows one to extract information
  such as the principal, credentials, credential timestamps, etc.

* Move krb constants defined in ipalib/rpc.py to ipa_krb_utils.py so
  that all kerberos items are co-located.

* Modify javascript in ipa.js so that the IPA.command() RPC call
  checks for authentication needed error response and if it receives
  it sends a GET request to /ipa/login URL to refresh credentials.

* Add session_auth_duration config item to constants.py, used to
  configure how long a session remains valid.

* Add parse_time_duration utility to ipalib/util.py. Used to parse the
  session_auth_duration config item.

* Update the default.conf.5 man page to document session_auth_duration
  config item (also added documentation for log_manager config items
  which had been inadvertantly omitted from a previous commit).

* Add SessionError object to ipalib/errors.py

* Move Kerberos protection in Apache config from /ipa to /ipa/xml and
  /ipa/login

* Add SessionCCache class to session.py to manage temporary Kerberos
  ccache file in effect for the duration of an RPC command.

* Adds a krblogin plugin used to implement the /ipa/login
  handler. login handler sets the session expiration time, currently
  60 minutes or the expiration of the TGT, whichever is shorter. It
  also copies the ccache provied by mod_auth_kerb into the session
  data.  The json handler will later extract and validate the ccache
  belonging to the session.

* Refactored the WSGI handlers so that json and xlmrpc could have
  independent behavior, this also moves where create and destroy
  context occurs, now done in the individual handler rather than the
  parent class.

* The json handler now looks up the session data, validates the ccache
  bound to the session, if it's expired replies with authenicated
  needed error.

* Add documentation to session.py. Fully documents the entire process,
  got questions, read the doc.

* Add exclusions to make-lint as needed.
2012-02-09 13:20:45 -06:00
Martin Kosek
52ea3a6b29 Refactor dnsrecord processing
Current DNS record processing architecture has many flaws,
including custom execute() methods which does not take advantage
of base LDAP commands or nonstandard and confusing DNS record
option processing.

This patch refactors DNS record processing with the following
improvements:
 * Every DNS record has now own Parameter type. Each DNS record
   consists from one or more "parts" which are also Parameters.
   This architecture will enable much easier implementation of
   future per-DNS-type API.
 * Validation is now not written as a separate function for
   every parameter but is delegated to DNS record parts.
 * Normalization is also delegated to DNS record parts.
 * Since standard LDAP base commands execute method is now used,
   dnsrecord-add and dnsrecord-mod correctly supports --setattr
   and --addattr options.
 * In order to prevent confusion unsupported DNS record types
   are now hidden. They are still present in the plugin so that
   old clients receive proper validation error.

The patch also contains several fixes:
 * Fix domain-name validation and normalization- allow domain
   names that are not fully qualified. For example --cname-rec=bar
   is a valid domain-name for bind which will translate it then
   as bar.<owning-domain>. This change implies, that fully qualified
   domain names must end with '.'.
 * Do not let user accidentally remove entire zone with command
   "ipa dnsrecord-del @ --del-all".
 * Fix --ttl and --class option processing in dnsrecord-add and
   dnsrecord-mod.

All API changes are compatible with clients without this patch.

https://fedorahosted.org/freeipa/ticket/2082
2012-01-12 09:43:05 +01:00
Jan Cholasta
9beb467d98 Fix attempted write to attribute of read-only object.
Add new class "cachedproperty" for creating property-like attributes
that cache the return value of a method call.

Also fix few issues in the unit tests to enable them to succeed.

ticket 1959
2012-01-02 11:51:26 +03:00
Martin Kosek
3f0eb1417c Improve zonemgr validator and normalizer
The validator has been improved to support better both SOA format
(e-mail address in a domain name format, without '@') and standard
e-mail format. Allow '\.' character in a SOA format encoding the
standard '.' in the local-part of an e-mail. Normalization code
has been moved to one common function.

https://fedorahosted.org/freeipa/ticket/2053
2011-11-29 17:14:28 +01:00
John Dennis
56401c1abe ticket 2022 - modify codebase to utilize IPALogManager, obsoletes logging
change default_logger_level to debug in configure_standard_logging

add new ipa_log_manager module, move log_mgr there, also export
root_logger from log_mgr.

change all log_manager imports to ipa_log_manager and change
log_manager.root_logger to root_logger.

add missing import for parse_log_level()
2011-11-23 09:36:18 +01:00
Martin Kosek
efc3e2c1f7 Improve DNS record data validation
Implement missing validators for DNS RR types so that we can capture
at least basic user errors. Additionally, a normalizer creating
a fully-qualified domain name has been implemented for several RRs
where name server may mis-interpret the domain name otherwise.

Unit tests exercising these new validators for the most common
RR types have been added. This patch also consolidates hard-coded
values in DNS test to one place.

https://fedorahosted.org/freeipa/ticket/1106
2011-11-10 18:48:41 -05:00
Martin Kosek
b26d0dcc04 Add --zonemgr/--admin-mail validator
Do at least a basic validation of DNS zone manager mail address.

Do not require '@' to be in the mail address as the SOA record
stores this value without it and people may be used to configure
it that way. '@' is always removed by the installer/dns plugin before
the DNS zone is created.

https://fedorahosted.org/freeipa/ticket/1966
2011-10-26 08:52:50 +02:00
Rob Crittenden
dd69c7dbe6 Make data type of certificates more obvious/predictable internally.
For the most part certificates will be treated as being in DER format.
When we load a certificate we will generally accept it in any format but
will convert it to DER before proceeding in normalize_certificate().

This also re-arranges a bit of code to pull some certificate-specific
functions out of ipalib/plugins/service.py into ipalib/x509.py.

This also tries to use variable names to indicate what format the certificate
is in at any given point:

dercert: DER
cert: PEM
nsscert: a python-nss Certificate object
rawcert: unknown format

ticket 32
2011-06-21 19:09:50 -04:00
Jakub Hrozek
7493d781df Change FreeIPA license to GPLv3+
The changes include:
 * Change license blobs in source files to mention GPLv3+ not GPLv2 only
 * Add GPLv3+ license text
 * Package COPYING not LICENSE as the license blobs (even the old ones)
   mention COPYING specifically, it is also more common, I think

 https://fedorahosted.org/freeipa/ticket/239
2010-12-20 17:19:53 -05:00
Rob Crittenden
6d51a48af8 Add ability to add/remove DNS records when adding/removing a host entry.
A host in DNS must have an IP address so a valid IP address is required
when adding a host. The --force flag will be needed too since you are
adding a host that isn't in DNS.

For IPv4 it will create an A and a PTR DNS record.

IPv6 isn't quite supported yet. Some basic work in the DNS installer
is needed to get this working. Once the get_reverse_zone() returns the
right value then this should start working and create an AAAA record and
the appropriate reverse entry.

When deleting a host with the --updatedns flag it will try to remove all
records it can find in the zone for this host.

ticket 238
2010-11-23 18:23:29 -05:00
Rob Crittenden
d2a9ccf407 Accept an incoming certificate as either DER or base64 in the service plugin.
The plugin required a base64-encoded certificate and always decoded it
before processing. This doesn't work with the UI because the json module
decodes binary values already.

Try to detect if the incoming value is base64-encoded and decode if
necessary. Finally, try to pull the cert apart to validate it. This will
tell us for sure that the data is a certificate, regardless of the format
it came in as.

ticket 348
2010-10-08 13:15:03 -04:00
Rob Crittenden
67a4549519 Remove some additional instances of krbV from ipa-client
Make two krbV imports conditional. These aren't used during a client
install so should cause no problems.

Also fix the client installer to use the new env option in ipautil.run.
We weren't getting the krb5 configuration set in the environment because
we were overriding the environment to set the PATH.

ticket 136
2010-09-10 17:04:01 -04:00
Pavel Zuna
f15758dbea Improve serialization to JSON.
- Make it recursive.
- Make Param classes serializable.
- Take python native data types into account.
2010-08-12 09:06:22 -04:00
Pavel Zuna
5797c8167a Make LDAPObject classes JSON serializable. 2010-08-12 09:01:56 -04:00
Rob Crittenden
d885339f1c Require that hosts be resolvable in DNS. Use --force to ignore warnings.
This also requires a resolvable hostname on services as well. I want
people to think long and hard about adding things that aren't resolvable.

The cert plugin can automatically create services on the user's behalf when
issuing a cert. It will always set the force flag to True.

We use a lot of made-up host names in the test system, all of which require
the force flag now.

ticket #25
2010-08-06 15:31:57 -04:00
Jason Gerard DeRose
5c9437b9e6 Removed util.add_global_options() and frontend.Application 2009-10-14 15:07:17 -06:00
Pavel Zuna
7d0bd4b895 Rename errors2.py to errors.py. Modify all affected files. 2009-04-23 10:29:14 -04:00
Rob Crittenden
64fa3dd4c3 Finish work replacing the errors module with errors2
Once this is committed we can start the process of renaming errors2 as errors.
I thought that combinig this into one commit would be more difficult to
review.
2009-04-20 13:58:26 -04:00
Rob Crittenden
1a8ec58602 Utility function to get the local hostname 2009-02-19 10:09:24 -05:00
Jason Gerard DeRose
4ab133c3cb Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this 2009-02-17 16:03:10 -05:00
Jason Gerard DeRose
18cecdc515 Removed depreciated xmlrpc_marshal() and xmlrpc_unmarshal() functions 2009-02-17 16:03:08 -05:00
Rob Crittenden
6b34f07720 Remove some duplicated code that was moved to ipaserver and use it Remove some unused files 2009-02-06 15:04:42 -05:00
Jason Gerard DeRose
db0168f7af Started reworking CLI class into cli plugin 2009-02-03 15:29:03 -05:00
Jason Gerard DeRose
4591057203 Removed depreciated rpc code from ipalib.util; removed corresponding unit tests in test_util 2008-12-08 15:15:50 -07:00
Jason Gerard DeRose
75bdea29be Added test_util.test_round_trip() test that tests use of xmlrpc_wrap() and xmlrpc_unwrap() with dumps(), loads(); fixed a bug in xmlrpc_unwrap() 2008-11-20 12:41:06 -07:00
Jason Gerard DeRose
cfe4ec2175 Added util.xmlrpc_wrap(), util.xmlrpc_unwrap() functions an corresponding unit tests 2008-11-19 16:11:23 -07:00
Jason Gerard DeRose
8ad5502354 Added util.make_repr() function; added corresponding unit tests 2008-11-13 21:07:47 -07:00
Jason Gerard DeRose
09161e399a Command.get_default() will now fill-in None for all missing non-required params 2008-11-12 01:47:37 -07:00
Jason Gerard DeRose
242a8183a7 Added custom log formatter util.LogFormatter that makes the human-readable time stamp in UTC 2008-10-31 20:25:33 -06:00
Jason Gerard DeRose
5269d1396c Logging formats are now env variables; added log_format_stderr_debug format used when env.debug is True 2008-10-31 18:55:32 -06:00
Jason Gerard DeRose
a23d41a57f Reoganized global option functionality to it is easy for any script to use the environment-related global options; lite-xmlrpc.py now uses same global options 2008-10-31 18:17:08 -06:00
Jason Gerard DeRose
cdfb7bfd5e Logging is now configured in API.bootstrap(); removed depreciated util.configure_logging() function 2008-10-31 13:27:42 -06:00
Jason Gerard DeRose
fbcb55bd11 lite-xmlrpc.py now uses api.bootstrap() property, logs to api.logger 2008-10-28 02:10:56 -06:00
Jason Gerard DeRose
a9f1c74a7f util.configure_logging() now only configures file logging if it can create the log_dir 2008-10-28 01:45:02 -06:00
Jason Gerard DeRose
316bd855d5 Added util.configure_logging() function; API.bootstrap() now calls util.configure_logging() 2008-10-28 01:39:02 -06:00
Jason Gerard DeRose
03accc5fb3 Copied plugin loading function from load_plugins.py to util.py; API.load_plugins() method now calls functions in util 2008-10-27 00:23:43 -06:00
Rob Crittenden
1daf319a19 Implement the host commands
In order for this to work against a v1 database the update host.update needs to
be applied
2008-10-22 17:54:04 -04:00
Jason Gerard DeRose
d84e27f0d4 Added ipalib/util.py with xmlrpc_marshal() and xmlrpc_unmarshal() functions; added corresponding unit tests 2008-10-02 19:09:13 -06:00
Jason Gerard DeRose
66bbe8bf2f 132: Removed test util.py file 2008-08-13 01:20:01 +00:00
Jason Gerard DeRose
d5b0bc1b54 125: Added some generic auto-import stuff 2008-08-13 00:40:13 +00:00