Commit Graph

7 Commits

Author SHA1 Message Date
Christian Heimes
186d739d7f Fix E722 do not use bare 'except'
Related: https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-05-05 10:42:46 +02:00
Christian Heimes
4a58adf79e Sprinkle raw strings across the code base
tox / pytest is complaining about lots and lots of invalid escape
sequences in our code base. Sprinkle raw strings or backslash escapes
across the code base to fix most occurences of:

  DeprecationWarning: invalid escape sequence

There is still one warning that keeps repeating, though:

  source:264: DeprecationWarning: invalid escape sequence \d

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-09-27 10:23:03 +02:00
Fraser Tweedale
a7b18372ed certprofile: reject config with multiple profileIds
In certprofile-import if the config file contains two profileId
directives with different values, with the first matching the
profile ID CLI argument and the second differing, the profile gets
imported under the second ID.  This leads to:

- failure to enable the profile
- failure to add the IPA "tracking" certprofile object
- inability to delete the misnamed profile from Dogtag (via ipa CLI)

To avert this scenario, detect and reject profile configurations
where profileId is specified multiple times (whether or not the
values differ).

https://pagure.io/freeipa/issue/7503

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-19 08:57:53 -04:00
Fraser Tweedale
09a65df684 Reuse self.api when executing ca_enabled_check
The ca_enabled_check function is a wrapper around
api.Command.ca_is_enabled.  When using remote_api (e.g. during
installer), ca_enabled_check invokes the *global* api instead of the
remote_api.

Update ca_enabled_check to explicitly receive an api object from the
caller and invoke Command.ca_is_enabled through it.

Part of: https://fedorahosted.org/freeipa/ticket/2614

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-11 15:26:20 +01:00
Fraser Tweedale
fec4c32ff1 certprofile-mod: correctly authorise config update
Certificate profiles consist of an FreeIPA object, and a
corresponding Dogtag configuration object.  When updating profile
configuration, changes to the Dogtag configuration are not properly
authorised, allowing unprivileged operators to modify (but not
create or delete) profiles.  This could result in issuance of
certificates with fraudulent subject naming information, improper
key usage, or other badness.

Update certprofile-mod to ensure that the operator has permission to
modify FreeIPA certprofile objects before modifying the Dogtag
configuration.

https://fedorahosted.org/freeipa/ticket/6560

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-12-14 18:08:33 +01:00
Jan Cholasta
ae5f11b4de server: define missing virtual attributes
Move virtual attributes defined in output params of methods into params of
the related object.

This fixes the virtual attributes being ommited in CLI output.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-30 16:32:20 +02:00
Jan Cholasta
6e44557b60 ipalib: move server-side plugins to ipaserver
Move the remaining plugin code from ipalib.plugins to ipaserver.plugins.

Remove the now unused ipalib.plugins package.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00