Commit Graph

647 Commits

Author SHA1 Message Date
Jan Cholasta
3b5dbf7cdb server install: fix KDC certificate validation in CA-less
Verify that the provided certificate has the extended key usage and subject
alternative name required for KDC.

https://pagure.io/freeipa/issue/6831
https://pagure.io/freeipa/issue/6869

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
David Kupka
b9fd123d61 ipapython.ipautil.run: Add option to set umask before executing command
https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
01a7416d30 install: trust IPA CA for PKINIT
Trust IPA CA to issue PKINIT KDC and client authentication certificates in
the IPA certificate store.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
52730c786f certdb: use custom object for trust flags
Replace trust flag strings with `TrustFlags` objects. The `TrustFlags`
class encapsulates `certstore` key policy and has an additional flag
indicating the presence of a private key.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
f0442a2d0e certdb, certs: make trust flags argument mandatory
Make the trust flags argument mandatory in all functions in `certdb` and
`certs`.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
235265a5f5 certdb: add named trust flag constants
Add named constants for common trust flag combinations.

Use the named constants instead of trust flags strings in the code.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Stanislav Laznicka
3d969d7bad Provide useful messages during cert validation
When the certificate validation was replaced, some error messages
were omitted (like "Peer's certificate expired."). Bring these back.

https://pagure.io/freeipa/issue/6945

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-05-18 17:32:59 +02:00
David Kreitschmann
b8b28c3d09 Fix libkrb5 filename for macOS
Signed-off-by: David Kreitschmann <david@kreitschmann.de>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-05-17 14:07:13 +02:00
Martin Basti
05984f171b ca_status: add HTTP timeout 30 seconds
CA sometimes "forgot to answer" so we have to add timeout for http
connection and ask again rather than wait for infinity.

https://pagure.io/freeipa/issue/6766

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-04 14:09:50 +02:00
Martin Basti
20f7689079 http_request: add timeout option
httplib.HTTPConnection supports timeout option so _httplib_request can
be updated to allow passing connection keyword arguments to
connection_factory.

We need connection timeout for cases when reply from server is not
received on time to ask again and not to wait for infinity.

https://pagure.io/freeipa/issue/6766

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-04 14:09:50 +02:00
Christian Heimes
26ab51ddf4 Correct PyPI package dependencies
* Remove unused install requires from ipapython
* Add missing requirements to ipaserver
* Correct dependencies for yubico otptoken
* Add explicit dependency on cffi for csrgen
* Python 2 uses python-ldap, Python 3 pyldap

https://pagure.io/freeipa/issue/6875

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-04-26 12:31:11 +02:00
Stanislav Laznicka
aae9a918b6 Remove publish_ca_cert() method from NSSDatabase
NSSDatabase.publish_ca_cert() is not used anymore, remove it.

https://pagure.io/freeipa/issue/6806

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-03 13:06:29 +00:00
Jan Cholasta
720034f1b4 certdb: fix AttributeError in verify_ca_cert_validity
`NSSDatabase.verify_ca_cert_validity` tries to access a property of basic
constraints extension on the extension object itself rather than its value.

Access the attribute on the correct object to fix the issue.

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-04-03 12:40:55 +00:00
Jan Cholasta
2b33230f66 setup, pylint, spec file: drop python-nss dependency
Remove the unused python-nss dependency.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-03-31 12:20:35 +02:00
Jan Cholasta
9183cf2a75 certdb: use certutil and match_hostname for cert verification
Use certutil and ssl.match_hostname calls instead of python-nss for
certificate verification.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-03-31 12:20:35 +02:00
Christian Heimes
d06315de6b session storage parameters must be bytes
Fixes TypeError: bytes or integer address expected instead of str instance

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-31 12:18:43 +02:00
Christian Heimes
f5bf5466ed Use Custodia 0.3.1 features
* Use sd-notify in ipa-custodia.service
* Introduce libexec/ipa/ipa-custodia script. It comes with correct
  default setting for IPA's config file. The new file also makes it
  simpler to run IPA's custodia instance with its own SELinux context.
* ipapython no longer depends on custodia

The patch addresses three issues:

* https://bugzilla.redhat.com/show_bug.cgi?id=1430247
  Forward compatibility with Custodia 0.3 in Fedora rawhide
* https://pagure.io/freeipa/issue/5825
  Use sd-notify
* https://pagure.io/freeipa/issue/6788
  Prepare for separate SELinux context

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-28 15:02:06 +02:00
Simo Sorce
e07aefb886
Work around issues fetching session data
Unfortunately the MIT krb5 library has a severe limitation with FILE
ccaches when retrieving config data. It will always only search until
the first entry is found and return that one.

For FILE caches MIT krb5 does not support removing old entries when a
new one is stored, and storage happens only in append mode, so the end
result is that even if an update is stored it is never returned with the
standard krb5_cc_get_config() call.

To work around this issue we simply implement what krb5_cc_get_config()
does under the hood with the difference that we do not stop at the first
match but keep going until all ccache entries have been checked.

Related https://pagure.io/freeipa/issue/6775

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-03-28 13:36:30 +02:00
Simo Sorce
9a6ac74eb4
Avoid growing FILE ccaches unnecessarily
Related https://pagure.io/freeipa/issue/6775

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-03-28 13:36:30 +02:00
Jan Cholasta
e263cb46cb httpinstance: clean up /etc/httpd/alias on uninstall
Restore cert8.db, key3.db, pwdfile.txt and secmod.db in /etc/httpd/alias
from backup on uninstall.

Files modified by IPA are kept with .ipasave suffix.

https://pagure.io/freeipa/issue/4639

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-03-22 14:58:18 +01:00
David Kupka
4297ad6db0 ipapython.ipautil.nolog_replace: Do not replace empty value
When provided empty value in nolog parameter nolog_replace added 'XXXXXXXX'
three (once for plain value, once for http quoted value and last time for shell
quoted value) times before every character (including terminating '\0') in the string.

https://pagure.io/freeipa/issue/6738

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-03-21 09:46:44 +01:00
Christian Heimes
42bc778c0c Python 3: Fix session storage
ctypes can only handle bytes, not text. Encode and decode all incoming
and outgoing text from UTF-8 to bytes.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2017-03-15 19:12:17 +01:00
Christian Heimes
602b395cf1 Fix Python 3 pylint errors
************* Module ipaserver.install.ipa_kra_install
ipaserver/install/ipa_kra_install.py:25: [W0402(deprecated-module), ] Uses of a deprecated module 'optparse')
************* Module ipapython.install.core
ipapython/install/core.py:163: [E1101(no-member), _knob] Module 'types' has no 'TypeType' member)
************* Module ipatests.test_ipapython.test_dn
ipatests/test_ipapython/test_dn.py:1205: [W1505(deprecated-method), TestDN.test_x500_text] Using deprecated method assertEquals())
************* Module ipa-ca-install
install/tools/ipa-ca-install:228: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member)
install/tools/ipa-ca-install:232: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member)

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-15 19:11:32 +01:00
Jan Cholasta
2fc9feddd0 install: re-introduce option groups
Re-introduce option groups in ipa-client-install, ipa-server-install and
ipa-replica-install.

https://pagure.io/freeipa/issue/6392

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-13 10:12:40 +01:00
Jan Cholasta
774d8d0a5d install CLI: remove magic option groups
Do not automatically create the "basic options" and "uninstall options"
option groups in the CLI code.

https://pagure.io/freeipa/issue/6392

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-13 10:12:40 +01:00
Jan Cholasta
5d489ac560 pylint_plugins: add forbidden import checker
Add new pylint AST checker plugin which implements a check for imports
forbidden in IPA. Which imports are forbidden is configurable in pylintrc.

Provide default forbidden import configuration and disable the check for
existing forbidden imports in our code base.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-10 13:04:59 +01:00
Simo Sorce
7cab959555 Store session cookie in a ccache option
Instead of using the kernel keyring, store the session cookie within the
ccache. This way kdestroy will really wipe away all credentials.

Ticket: https://pagure.io/freeipa/issue/6661

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-03-10 12:40:08 +01:00
Jan Cholasta
abf25d3cb6 ipapython: fix DEFAULT_PLUGINS in version.py
Replace the placeholder with the actual value during build.

This fixes the client incorrectly assuming that the default version of all
plugins is 1.

https://pagure.io/freeipa/issue/6597

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-09 18:39:48 +01:00
Jan Cholasta
0c7ca279c7 config: re-add init_config and config
Re-add `init_config` and `config` to `ipapython.config`, because they are
used by Ipsilon (see https://pagure.io/ipsilon/issue/265).

This partially reverts commit 7b966e8577.

https://pagure.io/freeipa/issue/6707

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-08 16:08:30 +01:00
Simo Sorce
adf8aabf10
Use GSS-SPNEGO if connecting locally
GSS-SPNEGO allows us to negotiate a SASL bind with less roundtrips
therefore use it when possible.

We only enable it for local connections for now because we only
recently fixed Cyrus SASL to do proper GSS-SPNEGO negotiation. This
change means a newer and an older version are not compatible.

Restricting ourselves to the local host prevents issues with
incompatible services, and it is ok for us as we are only really
looking for speedups for the local short-lived connections performed
by the framework. Most other clients have longer lived connections,
so peformance improvements there are not as important.

Ticket: https://pagure.io/freeipa/issue/6656

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-07 20:09:57 +01:00
Stanislav Laznicka
24eeb4d6a3 Fix cookie with Max-Age processing
When cookie has Max-Age set it tries to get expiration by adding
to a timestamp. Without this patch the timestamp would be set to
None and thus the addition of timestamp + max_age fails

https://pagure.io/freeipa/issue/6718

Reviewed-By: Simo Sorce <ssorce@redhat.com>
2017-03-06 10:48:32 +00:00
Florence Blanc-Renaud
9e24918c89 Support for Certificate Identity Mapping
See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping

https://fedorahosted.org/freeipa/ticket/6542

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-02 15:09:42 +01:00
Christian Heimes
a163ad77b3 certdb: Don't restore_context() of new NSSDB
It's not necesary to restore the context of newly created files. SELinux
ensures that new files have the correct permission. An explicit
restore_context() is only required when either policies have changed or
the context was changed manually.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-01 13:42:01 +01:00
Stanislav Laznicka
5ab85b365a Moving ipaCert from HTTPD_ALIAS_DIR
The "ipaCert" nicknamed certificate is not required to be
in /var/lib/ipa/radb NSSDB anymore as we were keeping a copy
of this file in a separate file anyway. Remove it from there
and track only the file. Remove the IPA_RADB_DIR as well as
it is not required anymore.

https://fedorahosted.org/freeipa/ticket/5695
https://fedorahosted.org/freeipa/ticket/6680

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 09:43:41 +00:00
Stanislav Laznicka
76e8d7b35d Remove ipapython.nsslib as it is not used anymore
Previous changes allowed the removal of nsslib.

So long, and thanks for all the fish.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 09:43:41 +00:00
Stanislav Laznicka
0a54fac02c Remove NSSConnection from Dogtag
Replaced NSSConnection with Python's httplib.HTTPSConnection.
This class is OpenSSL-based.

A client certificate with a private key is required to authenticate
against the certificate server. We facilitate the RA_AGENT_PEM which
already exists.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 09:43:41 +00:00
Stanislav Laznicka
9ac068ad04 Don't prepend option names with additional '--'
The options now have '--' prepended by their names already, don't
add it.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-02-21 15:30:24 +01:00
Jan Cholasta
b4fa354f50 client install: create /etc/ipa/nssdb with correct mode
The NSS database directory is created with mode 640, which causes the IPA
client to fail to connect to any IPA server, because it is unable to read
trusted CA certificates from the NSS database.

Create the directory with mode 644 to fix the issue.

https://fedorahosted.org/freeipa/ticket/5959

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-02-20 13:00:50 +00:00
Martin Basti
53c8e9a53f ipactl restart: log httplib failues as debug
There are several excerptions ConnectionRefusedError raised
before ipactl is able to connect to dogtag after restart. These
exception should be logged on debug level until timeout is reached.

https://fedorahosted.org/freeipa/ticket/6674

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-02-17 12:11:56 +01:00
Stanislav Laznicka
ca457eb5ce Add password to certutil calls in NSSDatabase
NSSDatabases should call certutil with a password. Also, removed
`password_filename` argument from `.create_db()`.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-17 10:14:23 +01:00
Stanislav Laznicka
ac6f573a30 Explicitly remove support of SSLv2/3
It was possible to set tls_version_min/max to 'ssl2' or 'ssl3',
even though newer versions of NSS will fail to set this as a valid
TLS version. This patch explicitly checks for deprecated TLS versions
prior to creating a TLS connection.

Also, we don't allow tls_version_min/max to be set to a random
string anymore.

https://fedorahosted.org/freeipa/ticket/6607

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-02-17 10:04:00 +01:00
Simo Sorce
f648c5631a Simplify NSSDatabase password file handling
https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Simo Sorce
d124e307f3 Separate RA cert store from the HTTP cert store
This is in preparation for separating out the user under which the
ipa api framework runs as.

This commit also removes certs.NSS_DIR to avoid confusion and replaces
it where appropriate with the correct NSS DB directory, either the old
HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is
removed altogether as it was simply not necessary.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Simo Sorce
c894ebefc5 Change session handling
Stop using memcache, use mod_auth_gssapi filesystem based ccaches.
Remove custom session handling, use mod_auth_gssapi and mod_session to
establish and keep a session cookie.
Add loopback to mod_auth_gssapi to do form absed auth and pass back a
valid session cookie.
And now that we do not remove ccaches files to move them to the
memcache, we can avoid the risk of pollutting the filesystem by keeping
a common ccache file for all instances of the same user.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Martin Basti
dd119f8aad py3: ipa_generate_password: do not compare None and Int
The one cannot compare None and Int in Py3
"""
unorderable types: NoneType() > int()
"""

Continue when class is disabled with None value

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-10 14:03:04 +01:00
Martin Basti
88b192a37e py3: modify_s: attribute name must be str not bytes
https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-10 14:03:04 +01:00
Jan Cholasta
e920ae2252 ipaldap: preserve order of values in LDAPEntry._sync()
In Python 2, the order was preserved by accident.

This change makes sure the order is preserved in both Python 2 and 3.

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-02-09 15:57:48 +01:00
Martin Basti
6bb5af7bea py3: get_memberofindirect: fix ByteWarnings
DN must be converted to bytes as other variables adn lists contain bytes

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-02-08 15:41:39 +01:00
Martin Basti
d38540acd6 py3: DN: fix BytesWarning
User repr() instead of str() for bytes, it has the same effect, but it
is proper way how to print bytes

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-02-08 15:41:39 +01:00
Martin Basti
ab53d80883 py3: ipaldap: properly encode DNSName to bytes
The encode method of LDAPClient didn't return DNSName as bytes but
string in py3. In py2 it returns non-unicode string so it can be encoded
safely by ascii as to_text() method returns only ascii characters.

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-08 08:32:44 +01:00