The server installation in most cases returns response code 0 no matter what
happens, except for really severe errors. In this case, when we try to uninstall
the middle replica of a line topology, it fails, notifies us that we should use
'--ignore-topology-disconnect', but returns 0.
https://fedorahosted.org/freeipa/ticket/6300
Reviewed-By: Martin Basti <mbasti@redhat.com>
Fix a regression in recent change to request cert via Dogtag REST
API. 'ra.request_certificate' was no longer raising
CertificateOperationError when the cert request failed. Inspect the
request result to determine if the request completed, and raise if
it did not.
Fixes: https://fedorahosted.org/freeipa/ticket/6309
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Test ipatests/test_ipaserver/test_ldap::test_Backend fails claiming service
cannot be found. Fixing this by not using api with in_tree parameter.
https://fedorahosted.org/freeipa/ticket/6312
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Trust tests fail if they are executed after external trust tests. This is
caused by missing cleanup. Providing cleanup that enables correct
execution of the tests regardless of their order.
https://fedorahosted.org/freeipa/ticket/6306
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
In integration trust tests some values are checked using regular expressions.
Some of these expressions from recently added coverage have minor mistakes
which cause the comparisons to fail. Providing a fix for these regular
expressions.
https://fedorahosted.org/freeipa/ticket/6285
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
DNs for netgroup entries can contain either 'cn' or 'ipauniqueid' attribute in
their leaf RDN depending on their origin. Since 'cn' is the primary key, we
can return it in `get_primary_key_from_dn` right away and avoid any extraneous
LDAP search.
https://fedorahosted.org/freeipa/ticket/5855
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Also moving activate_action method several lines up - correcting logical order of methods.
https://fedorahosted.org/freeipa/ticket/5818
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
There is no reason (RFC) why we should prevent users from adding multicast
addresses to A/AAAA records.
https://fedorahosted.org/freeipa/ticket/5814
Reviewed-By: David Kupka <dkupka@redhat.com>
Currently environments may use prefix /31 on point-to-point connections, which
makes IPA validators fail. IPA should not care whether an IP address is a broadcast
address or not. In some cases (when the prefix is not specified) IPA cannot decide
properly whether a broadcast address is really a broadcast address.
This commit allows usage of broadcast addresses in:
* host plugin
* dns plugin
* server-installer
* client-installer
https://fedorahosted.org/freeipa/ticket/5814
Reviewed-By: David Kupka <dkupka@redhat.com>
Currently cloud environments heavily use prefix /32 (/128), which makes
IPA validators fail. IPA should not care whether an IP address is a network address or not.
This commit allows usage of network addresses in:
* host plugin
* dns plugin
* server-installer
* client-installer
https://fedorahosted.org/freeipa/ticket/5814
Reviewed-By: David Kupka <dkupka@redhat.com>
Revocation of host/service certs on host/service deletion or other
operations is broken when cert is issued by a lightweight (sub)CA,
causing the delete operation to be aborted. Look up the issuing CA
and pass it to 'cert_revoke' to fix the issue.
Fixes: https://fedorahosted.org/freeipa/ticket/6221
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Detect when cert-request returns HTTP 409, which indicates that the
target CA is disabled - a valid scenario - and raise
CertificateOperationError with a friendly message instead of
HTTPRequestError.
Fixes: https://fedorahosted.org/freeipa/ticket/6260
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The Dogtag REST API gives better response statuses than the RPC API
and properly reports failure due to a disabled CA (status 409). Make
'ra' extend 'RestClient' and refactor the 'request_certificate'
method to use Dogtag's REST API.
Part of: https://fedorahosted.org/freeipa/ticket/6260
Part of: https://fedorahosted.org/freeipa/ticket/3473
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Currently, HTTP requests that respond with status not in the 2xx
range raise RemoteRetrieveError. The exception includes no
information about the response status.
Add the 'HTTPRequestError' class which extends 'RemoteRequestError'
with an attribute for the response status, and update the Dogtag
RestClient to raise the new error.
Part of: https://fedorahosted.org/freeipa/ticket/6260
Part of: https://fedorahosted.org/freeipa/ticket/3473
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Currently the Dogtag RestClient '_ssldo' method requires a session
cookie unconditionally, however, not all REST methods require a
session: some do not require authentication at all, and some will
authenticate the agent on the fly.
To avoid unnecessary login/logout requests via the context manager,
add the 'use_session' keyword argument to '_ssldo'. It defaults to
'True' to preserve existing behaviour (session required), but a
caller can set it to 'False' to avoid the requirement.
Part of: https://fedorahosted.org/freeipa/ticket/6260
Part of: https://fedorahosted.org/freeipa/ticket/3473
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Always return the cert specified in --certificate in cert-find result, even
when the cert is not found in LDAP.
https://fedorahosted.org/freeipa/ticket/6304
Reviewed-By: David Kupka <dkupka@redhat.com>
We soon plan to revoke certificates upon lightweight CA deletion.
This makes it important to provide a way to prevent a CA from
issuing certificates whilst not deleting and revoking it, and
continuing to allow management of issued certs.
This commit adds the ca-disable and ca-enable commands.
Fixes: https://fedorahosted.org/freeipa/ticket/6257
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Also the same for removing certificate hold.
https://fedorahosted.org/freeipa/ticket/6216
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The cert-show command needs to be called with the cacn option. The cacn option is
passed using a URL attribute.
https://fedorahosted.org/freeipa/ticket/6238
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Sometimes the entity_show command must be called with options which are gathered
from the result of the entity_find command. These options need to be passed as
arguments in the URL which points to the details page.
This functionality is implemented in the table facet. There is a new property
'additional_navigation_arguments' which is prepared for an array of attributes
which will be passed to the URL.
Part of: https://fedorahosted.org/freeipa/ticket/6238
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
This patch adds the config file for Travis CI. The config file instructs the
CI to:
* check pep8 errors in the PR
* build RPMs in a pulled-in Fedora builder container
(docker.io/martbab/freeipa-fedora-builder)
These basic checks should eliminate basic errors that can break the build
itself (formatting errors, syntax errors/undeclared variables, missing
BuildRequires, broken API.txt, etc.). It does not run any of our
integration/unit tests.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Link-local addresses received from netifaces contain a '%suffix' that
causes a parse error in the IPNetwork class. We must remove the %suffix before
it is used in IPNetwork objects.
https://fedorahosted.org/freeipa/ticket/6296
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Cache CommandError answer to schema command to avoid sending the command
to pre-schema servers every time. This information expires after some
time (1 hour) in order to start using schema as soon as the server is
upgraded.
https://fedorahosted.org/freeipa/ticket/6095
Signed-off-by: Jan Cholasta <jcholast@redhat.com>
Signed-off-by: David Kupka <dkupka@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Add a client-side fallback of the dnsrecord_split_parts command for old
servers to avoid CommandError in dnsrecord_add and dnsrecord_mod CLI
interactive mode.
https://fedorahosted.org/freeipa/ticket/6203
Reviewed-By: Martin Basti <mbasti@redhat.com>
Fix the code which determines if a record part is required and thus should
be prompted not to wrongfully consider all record parts to be optional.
https://fedorahosted.org/freeipa/ticket/6203
Reviewed-By: Martin Basti <mbasti@redhat.com>
When dnsrecord_add is called without options in interactive mode, it
prompts the user to enter a record type. The record type is expected to be
upper case further in the code, which causes non-upper case values not to
work correctly.
Fix this issue by upper casing the value after it is read.
https://fedorahosted.org/freeipa/ticket/6203
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add Certmonger tracking requests for lightweight CAs on replica
installation. As part of this change, extract most of the
lightweight CA tracking code out of ipa-certupdate and into
cainstance.
Fixes: https://fedorahosted.org/freeipa/ticket/6019
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Use super for proper handling of exceptions. The msg property was added for
compatibility with the current code.
https://fedorahosted.org/freeipa/ticket/6294
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
jwcrypto's RSA1-5 (PKCS#1 v1.5) is vulnerable to padding oracle
side-channel attacks. OAEP (PKCS#1 v2.0) is a safe, more modern
alternative.
https://fedorahosted.org/freeipa/ticket/6278
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
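As an added example (not code from the FreeIPA commit or from jwcrypto), a stdlib-only check that reads the protected header of a JWE in compact serialization and rejects the RSA1_5 key-management alg, accepting only the OAEP variants the commit moves to; the sample tokens are constructed with placeholder body segments.

```python
import base64
import json

# JOSE "alg" values for RSA key management (RFC 7518). RSA1_5 is the PKCS#1 v1.5
# padding the commit above moves away from; the OAEP variants replace it.
WEAK_RSA_ALGS = {"RSA1_5"}
ACCEPTED_RSA_ALGS = {"RSA-OAEP", "RSA-OAEP-256"}


def _b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url, as used in JWE compact serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwe_protected_header(token: str) -> dict:
    """Return the protected header of a JWE in compact serialization
    (header.encrypted_key.iv.ciphertext.tag)."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError("not a JWE compact serialization (expected 5 segments)")
    return json.loads(_b64url_decode(parts[0]))


def check_key_wrapping_alg(token: str) -> str:
    """Return the JWE 'alg' if it is an accepted OAEP variant.

    Raises ValueError for RSA1_5 (padding-oracle prone) and for any alg outside
    the allowlist, so the check fails closed on unknown or missing values.
    """
    alg = jwe_protected_header(token).get("alg")
    if alg in WEAK_RSA_ALGS:
        raise ValueError(f"rejected JWE: alg {alg} uses PKCS#1 v1.5 padding")
    if alg not in ACCEPTED_RSA_ALGS:
        raise ValueError(f"rejected JWE: alg {alg!r} is not in the allowlist")
    return alg


def _make_token(header: dict) -> str:
    """Constructed sample: a JWE-shaped token with placeholder body segments."""
    hdr = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=")
    return ".".join([hdr.decode(), "ZW5jcnlwdGVka2V5", "aXY", "Y2lwaGVydGV4dA", "dGFn"])


# Constructed sample tokens (placeholder segments, not real ciphertext).
WEAK_TOKEN = _make_token({"alg": "RSA1_5", "enc": "A256CBC-HS512"})
OAEP_TOKEN = _make_token({"alg": "RSA-OAEP", "enc": "A256CBC-HS512"})
```

Running `check_key_wrapping_alg` on the two constructed tokens returns "RSA-OAEP" for the second and raises for the first; the same check can be applied to any compact JWE before handing it to a decryption routine.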
Fixes the CLI not to always call the default version of a command even when
the version was explicitly specified.
https://fedorahosted.org/freeipa/ticket/6279
Reviewed-By: Martin Basti <mbasti@redhat.com>
Prior to Windows Server 2012R2, the `netr_DsRGetForestTrustInformation` calls
performed against non-root forest domain DCs were automatically routed to
the root domain DCs to resolve trust topology information.
This is no longer the case, so the `com.redhat.idm.trust-fetch-domains` oddjob
helper used to establish one-way trust needs to explicitly contact root domain DCs
even in the case when an external trust to a non-root domain is requested.
https://fedorahosted.org/freeipa/ticket/6057
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This allows for re-use of this method in cases where the caller can not or
wishes not to instantiate local Samba domain to retrieve information about
remote ones.
https://fedorahosted.org/freeipa/ticket/6057
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Prior to Windows Server 2012R2, the `netr_DsRGetForestTrustInformation` calls
performed against non-root forest domain DCs were automatically routed to the
root domain DCs to resolve trust topology information.
This is no longer the case, so the `dcerpc.fetch_domains` function must
explicitly contact root domain DCs even in the case when an external two-way
trust to a non-root domain is requested.
https://fedorahosted.org/freeipa/ticket/6057
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Redirect bash error output to prevent displaying error
messages in bash completion for ipa command.
https://fedorahosted.org/freeipa/ticket/6273
Reviewed-By: David Kupka <dkupka@redhat.com>
When running test_install/test_updates and test_pkcs10/test_pkcs10 as
outoftree, these are skipped with reason 'Unable to find test update files'.
For outoftree tests, wrong paths are checked for these files.
Changing file locations to provide a proper test setup.
https://fedorahosted.org/freeipa/ticket/6284
Reviewed-By: Martin Basti <mbasti@redhat.com>
Fix an AttributeError in XML-RPC methodSignature and methodHelp commands
caused by incorrect mangled name usage.
https://fedorahosted.org/freeipa/ticket/6217
Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
Force reconnect to LDAP as DS might have been restarted after the
connection was opened, rendering the connection invalid.
This fixes a crash in ipa-replica-install with --setup-ca.
https://fedorahosted.org/freeipa/ticket/6207
Reviewed-By: Martin Basti <mbasti@redhat.com>
When `trust-add` is supplied an AD domain admin name without a realm component, the
code appends the uppercased AD forest root domain name to construct the full
principal. This can cause an authentication error, however, when an external trust
with a non-root domain is requested.
We should instead use the supplied DNS domain name (if valid) as a realm
component.
https://fedorahosted.org/freeipa/ticket/6277
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Several tests in test_xmlrpc/test_trust_plugin.py fail because some attributes
are not expected. Fixing the tests so that the extra attributes are recognized.
https://fedorahosted.org/freeipa/ticket/6276
Reviewed-By: Ganna Kaihorodova <gkaihoro@redhat.com>
When a command is called on the server over RPC without its version
specified, assume version 1 instead of the highest known version.
This ensures backward compatibility with old clients, which do not support
versioned commands and understand only the first version of any given
command.
https://fedorahosted.org/freeipa/ticket/6217
Reviewed-By: David Kupka <dkupka@redhat.com>