Commit Graph

10140 Commits

Author SHA1 Message Date
Oleg Fayans
22b0e8a9eb Removed incorrect check for returncode
The server installation in most cases returns response code 0 no matter what
happens except for really severe errors. In this case when we try to uninstall
the middle replica of a line topology, it fails, notifies us that we should use
'--ignore-topology-disconnect', but returns 0

https://fedorahosted.org/freeipa/ticket/6300

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-09-14 09:46:22 +02:00
Fraser Tweedale
1f1c93d2b5 cert-request: raise error when request fails
Fix a regression in recent change to request cert via Dogtag REST
API.  'ra.request_certificate' was no longer raising
CertificateOperationError when the cert request failed.  Inspect the
request result to determine if the request completed, and raise if
it did not.

Fixes: https://fedorahosted.org/freeipa/ticket/6309
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-09-13 17:22:34 +02:00
Lenka Doudova
8c6f677a16 Tests: Fix failing ldap.backend test
Test ipatests/test_ipaserver/test_ldap::test_Backend fails claiming service
cannot be found. Fixing this by not using api with in_tree parameter.

https://fedorahosted.org/freeipa/ticket/6312

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-09-13 15:37:52 +02:00
Lenka Doudova
b824013386 Tests: Add cleanup to integration trust tests
Trust tests fail if they are executed after external trust tests. This is
caused my missing cleanup. Providing cleanup that would enable correct
execution of the tests regardless of their order.

https://fedorahosted.org/freeipa/ticket/6306

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-09-13 15:35:43 +02:00
Lenka Doudova
fc5a99274c Tests: Fix regex errors in integration trust tests
In integration trust tests some values are checked using regular expressions.
Some of these expressions from recently added coverage have minor mistakes
which causes the comparisons to fail. Providing fix for these regular
expressions.

https://fedorahosted.org/freeipa/ticket/6285

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-09-09 16:54:05 +02:00
Martin Babinsky
003b364c5a netgroup: avoid extraneous LDAP search when retrieving primary key from DN
DNs for netgroup entries can contain either 'cn' or 'ipauniqueid' attribute in
their leaf RDN depending on their origin. Since 'cn' is the primary key, we
can return it in `get_primary_key_from_dn` right away and avoid any extraneous
LDAP search.

https://fedorahosted.org/freeipa/ticket/5855

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-09 16:27:53 +02:00
Florence Blanc-Renaud
cd75eb3b25 Fix regression introduced in ipa-certupdate
The fix for 6288 was overwritten by commit 08b7683130.

https://fedorahosted.org/freeipa/ticket/6288

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-09-09 16:21:09 +02:00
Martin Basti
866e59bdce Tests: extend DNS cmdline tests with lowercased record type
https://fedorahosted.org/freeipa/ticket/6203

Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
2016-09-08 17:30:29 +02:00
Martin Babinsky
5b9516753c advise: Use name instead of __name__ to get plugin names
This change will allow ipa-advise to correctly handle advise plugins with
custom names.

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-08 17:28:24 +02:00
Pavel Vomacka
c3374c6e16 Add 'Restore' option to action dropdown menu
Also moving activate_action method several lines up - correcting logical order of methods.

https://fedorahosted.org/freeipa/ticket/5818

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-08 09:44:20 +02:00
Martin Basti
b232ad463c Show warning when net/broadcast IP address is used in installer
https://fedorahosted.org/freeipa/ticket/5814

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-09-07 16:22:03 +02:00
Martin Basti
f3d379071a Allow multicast addresses in A/AAAA records
There is no reason (RFC) why we should prevent users to add multicast
addresses to A/AAAA records

https://fedorahosted.org/freeipa/ticket/5814

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-09-07 16:22:03 +02:00
Martin Basti
71ad8d4fc9 Allow broadcast ip addresses
Currently environments may use prefix /31 on point-to-point connections what
makes IPA validators to fail. IPA should not care if IP address is broadcast
or not. In some cases (when prefix is not specified) IPA cannot decide
properly if broadcast address is really broadcast.

This commit allows usage of broadcast addresses in:
* host plugin
* dns plugin
* server-installer
* client-installer

https://fedorahosted.org/freeipa/ticket/5814

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-09-07 16:22:03 +02:00
Martin Basti
81d64d530c Allow network ip addresses
Currently cloud environments uses heavily prefix /32 (/128) what makes
IPA validators to fail. IPA should not care if IP address is network or not.
This commit allows usage of network addresses in:
* host plugin
* dns plugin
* server-installer
* client-installer

https://fedorahosted.org/freeipa/ticket/5814

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-09-07 16:22:03 +02:00
Fraser Tweedale
daeaf2a823 Make host/service cert revocation aware of lightweight CAs
Revocation of host/service certs on host/service deletion or other
operations is broken when cert is issued by a lightweight (sub)CA,
causing the delete operation to be aborted.  Look up the issuing CA
and pass it to 'cert_revoke' to fix the issue.

Fixes: https://fedorahosted.org/freeipa/ticket/6221
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-09-07 13:21:29 +02:00
Fraser Tweedale
520ad7d865 cert-request: raise CertificateOperationError if CA disabled
Detect when cert-request returns HTTP 409, which indicates that the
target CA is disabled - a valid scenario - and raise
CertificateOperationError with a friendly message instead of
HTTPRequestError.

Fixes: https://fedorahosted.org/freeipa/ticket/6260
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-09-07 12:49:28 +02:00
Fraser Tweedale
4c35afccf3 Use Dogtag REST API for certificate requests
The Dogtag REST API gives better responses statuses than the RPC API
and properly reports failure due to disabled CA (status 409).  Make
'ra' extend 'RestClient' and refactor the 'request_certificate'
method to use Dogtag's REST API.

Part of: https://fedorahosted.org/freeipa/ticket/6260
Part of: https://fedorahosted.org/freeipa/ticket/3473

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-09-07 12:49:28 +02:00
Fraser Tweedale
c5cbc8de89 Add HTTPRequestError class
Currently, HTTP requests that respond with status not in the 2xx
range raise RemoteRetrieveError.  The exception includes no
information about the response status.

Add the 'HTTPRequestError' class which extends 'RemoteRequestError'
with an attribute for the response status, and update the Dogtag
RestClient to raise the new error.

Part of: https://fedorahosted.org/freeipa/ticket/6260
Part of: https://fedorahosted.org/freeipa/ticket/3473

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-09-07 12:49:28 +02:00
Fraser Tweedale
2a42a7e90e Allow Dogtag RestClient to perform requests without logging in
Currently the Dogtag RestClient '_ssldo' method requires a session
cookie unconditionally, however, not all REST methods require a
session: some do not require authentication at all, and some will
authenticate the agent on the fly.

To avoid unnecessary login/logout requests via the context manager,
add the 'use_session' keyword argument to '_ssldo'.  It defaults to
'True' to preserve existing behaviour (session required) but a
caller can set to 'False' to avoid the requirement.

Part of: https://fedorahosted.org/freeipa/ticket/6260
Part of: https://fedorahosted.org/freeipa/ticket/3473

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-09-07 12:49:28 +02:00
Jan Cholasta
b7b6faf14a cert: fix cert-find --certificate when the cert is not in LDAP
Always return the cert specified in --certificate in cert-find result, even
when the cert is not found in LDAP.

https://fedorahosted.org/freeipa/ticket/6304

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-09-07 12:46:35 +02:00
Fraser Tweedale
c7e0dbc4e1 Add ca-disable and ca-enable commands
We soon plan to revoke certificates upon lightweight CA deletion.
This makes it important to provide a way to prevent a CA from
issuing certificates whilst not deleting and revoking it, and
continuing to allow management of issued certs.

This commit adds the ca-disable and ca-enable commands.

Fixes: https://fedorahosted.org/freeipa/ticket/6257
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-09-07 12:37:48 +02:00
Pavel Vomacka
7fea3914fb WebUI add support for sub-CAs while revoking certificates
Also the same for removing certificate hold.

https://fedorahosted.org/freeipa/ticket/6216

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-07 12:34:52 +02:00
Pavel Vomacka
64ac981ddd WebUI: Fix showing certificates issued by sub-CA
The cert-show command needs to be called with cacn option. Cacn option is
passed using URL attribute.

https://fedorahosted.org/freeipa/ticket/6238

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-09-07 09:17:49 +02:00
Pavel Vomacka
40f923f56b Add support for additional options taken from table facet
Sometimes the entity_show command must be called with options which are gathered
from result of entity_find command. These options needs to be passed as
arguments in URL which points to details page.

This functionality is implemented to table facet. There is new property
'additional_navigation_arguments' which is prepared for array of attributes
which will be passed to URL.

Part of: https://fedorahosted.org/freeipa/ticket/6238

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-09-07 09:17:49 +02:00
Martin Babinsky
37f3ad8867 Use Travis-CI for basic sanity checks
This patch adds the config file for Travis CI. The config file instructs the
CI to:
* check pep8 errors in PR
* build RPMs in pulled in Fedora builder container
    (docker.io/martbab/freeipa-fedora-builder)

These basic checks should eliminate basic errors that can break the build
itself (formatting errors, Syntax errors/undeclared variables, missing
BuildRequires, broken API.txt, etc.). It does not run any of our
integration/unit tests.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-09-06 17:43:38 +02:00
Martin Basti
db55bde15d Fix parse errors with link-local addresses
Link-local addresses received from netifaces contains '%suffix' that
causes parse error in IPNetwork class. We must remove %suffix before
it us used in IPNetwork objects.

https://fedorahosted.org/freeipa/ticket/6296

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-09-06 16:39:34 +02:00
David Kupka
ec24019174 schema cache: Store and check info for pre-schema servers
Cache CommandError answer to schema command to avoid sending the command
to pre-schema servers every time. This information expires after some
time (1 hour) in order to start using schema as soon as the server is
upgraded.

https://fedorahosted.org/freeipa/ticket/6095

Signed-off-by: Jan Cholasta <jcholast@redhat.com>
Signed-off-by: David Kupka <dkupka@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-09-06 16:25:23 +02:00
Martin Babinsky
415600fe45 ldapupdate: Use proper inheritance in BadSyntax exception
https://fedorahosted.org/freeipa/ticket/6294

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-09-06 13:06:39 +02:00
Jan Cholasta
38a51fa984 dns: fix crash in interactive mode against old servers
Add a client-side fallback of the dnsrecord_split_parts command for old
servers to avoid CommandError in dnsrecord_add and dnsrecord_mod CLI
interactive mode.

https://fedorahosted.org/freeipa/ticket/6203

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-09-06 12:54:38 +02:00
Jan Cholasta
dce95a1459 dns: prompt for missing record parts in CLI
Fix the code which determines if a record part is required and thus should
be prompted not to wrongfully consider all record parts to be optional.

https://fedorahosted.org/freeipa/ticket/6203

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-09-06 12:54:38 +02:00
Jan Cholasta
afea961631 dns: normalize record type read interactively in dnsrecord_add
When dnsrecord_add is called without options in interactive mode, it
prompts the user to enter a record type. The record type is expected to be
upper case further in the code, which causes non-upper case values not to
work correctly.

Fix this issue by upper casing the value after it is read.

https://fedorahosted.org/freeipa/ticket/6203

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-09-06 12:54:38 +02:00
Fraser Tweedale
08b7683130 Track lightweight CAs on replica installation
Add Certmonger tracking requests for lightweight CAs on replica
installation.  As part of this change, extract most of the
lightweight CA tracking code out of ipa-certupdate and into
cainstance.

Fixes: https://fedorahosted.org/freeipa/ticket/6019
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-09-06 12:11:53 +02:00
Florence Blanc-Renaud
b36ee723b7 Fix ipa-certupdate for CA-less installation
In a CA-less installation, ipa-certupdate fails with the error message:
  $ ipa-certupdate
  trying https://vm-180.abc.idm.lab.eng.brq.redhat.com/ipa/session/json
  Forwarding 'ca_is_enabled' to json server 'https://vm-180.abc.idm.lab.eng.brq.redhat.com/ipa/session/json'
  Forwarding 'ca_find/1' to json server 'https://vm-180.abc.idm.lab.eng.brq.redhat.com/ipa/session/json'
  CA is not configured
  The ipa-certupdate command failed.

The issue happens because ipa-certupdate tries to call ca_find even on a
CA_less deployment. The fix skips the call to ca_find in this case.

https://fedorahosted.org/freeipa/ticket/6288

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-09-06 07:50:55 +02:00
Martin Basti
00d43095da Fix ScriptError to always return string from __str__
Use super for proper handling of exceptions. msg property was added due
compatibility with the current code.

https://fedorahosted.org/freeipa/ticket/6294

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-09-05 18:15:45 +02:00
Christian Heimes
4ae4d0d690 Use RSA-OAEP instead of RSA PKCS#1 v1.5
jwcrypto's RSA1-5 (PKCS#1 v1.5) is vulnerable to padding oracle
side-channel attacks. OAEP (PKCS#1 v2.0) is a safe, more modern
alternative.

https://fedorahosted.org/freeipa/ticket/6278

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-09-05 18:11:46 +02:00
Jan Cholasta
a3d178b86d cli: use full name when executing a command
Fixes the CLI not to always call the default version of a command even when
the version was explicitly specified.

https://fedorahosted.org/freeipa/ticket/6279

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-09-05 18:03:52 +02:00
Martin Babinsky
82e754e9c5 raise ValidationError when deprecated param is passed to command
https://fedorahosted.org/freeipa/ticket/6190

Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
2016-09-05 09:23:37 +02:00
Martin Babinsky
4ca671788c Always fetch forest info from root DCs when establishing one-way trust
Prior To Windows Server 2012R2, the `netr_DsRGetForestTrustInformation` calls
performed against non-root forest domain DCs were automatically routed to
the root domain DCs to resolve trust topology information.

This is no longer the case, so the `com.redhat.idm.trust-fetch-domains` oddjob
helper used to establish one-way needs to explicitly contact root domain DCs
even in the case when an external trust to non-root domain is requested.

https://fedorahosted.org/freeipa/ticket/6057

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-09-05 09:20:55 +02:00
Martin Babinsky
c789b17b2e factor out populate_remote_domain method into module-level function
This allows for re-use of this method in cases where the caller can not or
wishes not to instantiate local Samba domain to retrieve information about
remote ones.

https://fedorahosted.org/freeipa/ticket/6057

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-09-05 09:20:55 +02:00
Martin Babinsky
33f8685513 Always fetch forest info from root DCs when establishing two-way trust
Prior To Windows Server 2012R2, the `netr_DsRGetForestTrustInformation` calls
performed against non-root forest domain DCs were automatically routed to the
root domain DCs to resolve trust topology information.

This is no longer the case, so the `dcerpc.fetch_domains` function must
explicitly contact root domain DCs even in the case when an external two-way
trust to non-root domain is requested.

https://fedorahosted.org/freeipa/ticket/6057

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-09-05 09:20:55 +02:00
Tomas Krizek
9d49b4c7e7 Don't show error messages in bash completion
Redirect bash error output to prevent displaying error
messages in bash completion for ipa command.

https://fedorahosted.org/freeipa/ticket/6273

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-09-02 09:00:49 +02:00
Martin Basti
371254fc4b Bump master IPA devel version to 4.4.90
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-09-01 16:23:58 +02:00
Martin Basti
5a3c3c73c2 Become IPA 4.4.1 2016-09-01 14:50:34 +02:00
Lenka Doudova
72d7193ce2 Tests: Avoid skipping tests due to missing files
When running test_install/test_updates and test_pkcs10/test_pkcs10 as
outoftree, these are skipped with reason 'Unable to find test update files'.
For outoftree tests wrong paths are checked for these files.
Changing file localization to provide proper test setup.

https://fedorahosted.org/freeipa/ticket/6284

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-09-01 14:00:49 +02:00
Jan Cholasta
afcb3bd3c3 rpcserver: fix crash in XML-RPC system commands
Fix an AttributeError in XML-RPC methodSignature and methodHelp commands
caused by incorrect mangled name usage.

https://fedorahosted.org/freeipa/ticket/6217

Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2016-09-01 13:20:14 +02:00
Jan Cholasta
17ea4ae6b9 custodia: force reconnect before retrieving CA certs from LDAP
Force reconnect to LDAP as DS might have been restarted after the
connection was opened, rendering the connection invalid.

This fixes a crash in ipa-replica-install with --setup-ca.

https://fedorahosted.org/freeipa/ticket/6207

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-09-01 13:11:09 +02:00
Martin Basti
dd02741896 Revert "Enable LDAPS in replica promotion"
This reverts commit 89de60c5d8.

This commit breaks replica installation

https://fedorahosted.org/freeipa/ticket/6226

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-31 16:05:52 +02:00
Martin Babinsky
f32e0e4e52 do not use trusted forest name to construct domain admin principal
When `trust-add` is supplied AD domain admin name without realm component, the
code appends the uppercased AD forest root domain name to construct the full
principal. This can cause authentication error, however, when external trust
with non-root domain is requested.

We should instead use the supplied DNS domain name (if valid) as a realm
component.

https://fedorahosted.org/freeipa/ticket/6277

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-08-31 15:07:09 +02:00
Lenka Doudova
60e88038c4 Tests: Add missing attributes to test_xmlrpc/test_trust tests
Several tests in test_xmlrpc/test_trust_plugin.py fail because some attributes
are not expected. Fixing the tests so that the extra attributes are recognized.

https://fedorahosted.org/freeipa/ticket/6276

Reviewed-By: Ganna Kaihorodova <gkaihoro@redhat.com>
2016-08-31 15:05:41 +02:00
Jan Cholasta
8891465247 rpcserver: assume version 1 for unversioned command calls
When a command is called on the server over RPC without its version
specified, assume version 1 instead of the highest known version.

This ensures backward compatibility with old clients, which do not support
versioned commands and understand only the first version of any given
command.

https://fedorahosted.org/freeipa/ticket/6217

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-08-31 14:36:39 +02:00