Commit Graph

515 Commits

Author SHA1 Message Date
Jan Cholasta
7ef4e9eb81 spec file: add unconditional python-setuptools BuildRequires
python-setuptools is required not only for lint, but to make the build
possible at all.

Move the python-setuptools BuildRequires from the lint section to the main
section.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-03-15 07:44:35 +00:00
Martin Basti
f4c7f1dd8a Remove copy-schema-to-ca.py from master branch
This script is used only for IPA <3.1, so it must be compatible with
ipa-3-0 branch, so it should be placed there

https://pagure.io/freeipa/issue/6540

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-14 15:16:20 +01:00
Pavel Vomacka
75c592d3b9 Support certificate login after installation and upgrade
Add necessary steps which set SSSD and set SELinux boolean during
installation or upgrade. Also create new endpoint in apache for
login using certificates.

https://pagure.io/freeipa/issue/6225

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-14 15:13:43 +01:00
Martin Basti
4514ec1505 pylint: bump dependency to version >= 1.6
Older pylint versions produces false positive errors

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-13 16:05:25 +01:00
David Kupka
c37254e1b1 Bump required version of gssproxy to 0.7.0
https://pagure.io/freeipa/issue/6671
https://pagure.io/freeipa/issue/6698

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-10 14:17:29 +01:00
Christian Heimes
80be181629 Move csrgen templates into ipaclient package
csrgen broke packaging of ipaclient for PyPI. All csrgen related
resources are now package data of ipaclient package. Package data is
accessed with Jinja's PackageLoader() or through pkg_resources.

https://pagure.io/freeipa/issue/6714

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Ben Lipton <blipton@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-08 15:59:26 +01:00
Florence Blanc-Renaud
ea34e17a46 IdM Server: list all Employees with matching Smart Card
Implement a new IPA command allowing to retrieve the list of users matching
the provided certificate.
The command is using SSSD Dbus interface, thus including users from IPA
domain and from trusted domains. This requires sssd-dbus package to be
installed on IPA server.

https://fedorahosted.org/freeipa/ticket/6646

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-08 15:08:41 +01:00
Petr Vobornik
5e0ca17ca0
Change README to use Markdown
So that it will be nicely formatted on FreeIPA Pagure landing page.
  https://pagure.io/freeipa

Some links were updated as other projects also moved to Pagure.io.

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-02 16:55:57 +01:00
Christian Heimes
b4c1bf1c7d Add with_wheels global to install wheel and PyPI packaging dependencies
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-02 14:43:37 +01:00
Christian Heimes
e2b9ea2fd5 Add python-wheel as build requirement
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-02 14:43:37 +01:00
Florence Blanc-Renaud
eaa87c75b9 Do not configure PKI ajp redirection to use "::1"
When ipa-server-install configures PKI, it provides a configuration file
with the parameter pki_ajp_host set to ::1. This parameter is used to configure
Tomcat redirection in /etc/pki/pki-tomcat/server.xml:
    <Connector port="8009"
            protocol="AJP/1.3"
            redirectPort="8443"
            address="::1" />
ie all requests to port 8009 are redirected to port 8443 on address ::1.

If the /etc/hosts config file does not define ::1 for localhost, then AJP
redirection fails and replica install is not able to request a certificate
for the replica.

Since PKI has been fixed (see PKI ticket 2570) to configure by default the AJP
redirection with "localhost", FreeIPA does not need any more to override
this setting.
The code now depends on pki 10.3.5-11 which provides the fix in the template
and the upgrade.

https://fedorahosted.org/freeipa/ticket/6575

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-02-17 14:58:06 +01:00
Alexander Bokovoy
593ea7da9a ipa-kdb: support KDB DAL version 6.1
DAL version 6.0 removed support for a callback to free principal.
This broke KDB drivers which had complex e_data structure within
the principal structure. As result, FreeIPA KDB driver was leaking
memory with DAL version 6.0 (krb5 1.15).

DAL version 6.1 added a special callback for freeing e_data structure.
See details at krb5/krb5#596

Restructure KDB driver code to provide this callback in case
we are built against DAL version that supports it. For DAL version
prior to 6.0 use this callback in the free_principal callback to
tidy the code.

Use explicit KDB version dependency in Fedora 26+ via BuildRequires.

With new DAL version, freeipa package will fail to build and
we'll have to add a support for new DAL version explicitly.

https://fedorahosted.org/freeipa/ticket/6619

Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2017-02-15 14:24:05 +01:00
Simo Sorce
d2f5fc304f Configure HTTPD to work via Gss-Proxy
https://fedorahosted.org/freeipa/ticket/4189
https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Simo Sorce
38c66896de Generate tmpfiles config at install time
We do not want to generate runtime directories just because the packages
are installed, but only if the server is actually setup and run. Also this
will be needed later because we will create a user at install time and some
tmpfiles will need to be owned by this user.
As we are changing this code also rationalize the directory structure and
move it from the http rundir to the ipa specific rundir.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Simo Sorce
c894ebefc5 Change session handling
Stop using memcache, use mod_auth_gssapi filesystem based ccaches.
Remove custom session handling, use mod_auth_gssapi and mod_session to
establish and keep a session cookie.
Add loopback to mod_auth_gssapi to do form absed auth and pass back a
valid session cookie.
And now that we do not remove ccaches files to move them to the
memcache, we can avoid the risk of pollutting the filesystem by keeping
a common ccache file for all instances of the same user.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Stanislav Laznicka
5b56952a54 Bump required python-cryptography version
Since we started using 'Certificate.serial_number' instead of
'.serial' from python-cryptography, bump the required version
to the one where the above mentioned transition happened.

https://fedorahosted.org/freeipa/ticket/6631

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-14 16:59:13 +01:00
Tomas Krizek
6cb7bca684 Bump required version of bind-dyndb-ldap to 11.0-2
Fedora release bind-dyndb-ldap 11.0-2 transforms existing named.conf
old style API to the new style API. This package version is required
to enable upgrade of existing IPA installations to new version.

https://fedorahosted.org/freeipa/ticket/6565

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-02-14 15:30:12 +01:00
Tomas Krizek
5de7065fe5 bump required version of BIND, bind-dyndb-ldap
bynd-dyndb-ldap used a custom configuration file format. Since BIND 9.11,
an API was accepted upstream. This caused backward incompatible changes
to the named.conf configuration file used to configure the
bind-dyndb-ldap BIND plugin. Version 11.0 of bind-dyndb-ldap plugin and
BIND 9.11 are required to use with the new config file format.

https://fedorahosted.org/freeipa/ticket/6565

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-02-09 16:34:53 +01:00
Martin Basti
bd83fdf516 pki-base: use pki-base-python2 as dependency
pki-base provides pki-base-python2, but we should depend directly on
pki-base-python2 because in future pki-base may provide pki-base-python3
instead.

Source: cheimes@redhat.com

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-07 13:18:27 +01:00
Martin Basti
66fa0585aa pki: add missing depedency pki-base[-python3]
FreeIPA server modules requires pki module

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-07 13:18:27 +01:00
Ben Lipton
10ef594786 csrgen: Add code to generate scripts that generate CSRs
Adds a library that uses jinja2 to format a script that, when run, will
build a CSR. Also adds a CLI command, 'cert-get-requestdata', that uses
this library and builds the script for a given principal. The rules are
read from json files in /usr/share/ipa/csr, but the rule provider is a
separate class so that it can be replaced easily.

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-31 10:20:28 +01:00
Abhijeet Kasurde
c56e02b3c5 Remove deprecated ipa-upgradeconfig command
Fixes https://fedorahosted.org/freeipa/ticket/6620

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-01-24 09:51:39 +01:00
Lukas Slebodnik
b82d285a4a SPEC: Fix build in mock
Neither pylint nor jsl is installed by default because rpm macro with_lint
is not defined in spec file. However, configure script tried to
find pylint/jsl anyway.

  checking for Pylint... /usr/bin/python2: No module named pylint
  configure: error: cannot find pylint for /usr/bin/python2

  RPM build errors:
  error: Bad exit status from /var/tmp/rpm-tmp.2GAFh4 (%build)
      Bad exit status from /var/tmp/rpm-tmp.2GAFh4 (%build)

Resolves:
https://fedorahosted.org/freeipa/ticket/6604

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-01-18 09:05:56 +01:00
Martin Basti
35ba724de9 Py3: Fix ToASCII method
in Py2 to_text method returns Py2 non-unicode string, but in Py3 to_text method
returns Py3 default (unicode) string. So only in Py2 we have to decode
str to unicode.

https://fedorahosted.org/freeipa/ticket/5935

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-06 12:48:10 +01:00
Jan Cholasta
eb1f05d598 spec file: revert to the previous Release tag
Revert from the current Release tag value `upstream` to the previously used
`0%{?dist}`, because:

* `0` sorts before `1`, which is usually used as the initial release number
  in downstream packages,

* the information provided by `%{?dist}` is useful, as packages built on
  one OS are not always installable on another OS.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-01-02 12:09:25 +01:00
Jan Cholasta
1b85e59cee spec file: do not define with_lint inside a comment
RPM expands macros even inside comments in spec files, so the with_lint
macro is unintentionally always defined.

Escape the percent sign in '%global' in the comment to prevent this.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-12-19 13:39:17 +01:00
Petr Spacek
21a0987601 Build: specify BuildRequires for Python 3 pylint
python3-samba is intentionally ommited because it is not in Fedora repos.
Pylint somehow magically ignores this missing package.
Keep in mind that server will not work until this this solved.

https://fedorahosted.org/freeipa/ticket/157

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-12-13 14:36:11 +01:00
Petr Spacek
b7d70baee7 Build: makerpms.sh generates Python 2 & 3 packages at the same time
Petr Viktorin recommended me to copy the whole build directory and run
configure twice, with different values for PYTHON variable.

After thinking a bit about that, it seems as cleanest approach.
Building for two versions of Python at the same time should be
temporary state so I decided not to complicate Autotools build system
with conditional spagetti for two versions of Python.

For proper Python2/3 distiction in the two separate builds, I added
find/grep/sed combo which replaces shebangs with system-wide Python
interpreter as necessary. This is workaround for the fact that FreeIPA
does not use setuptools properly. Honza told me that proper use of
setuptools is not trivial so we decided to go with this for now.

https://fedorahosted.org/freeipa/ticket/157

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-12-13 14:36:11 +01:00
Pavel Vomacka
a8b7dbff8a Add python-pyasn1-modules into dependencies
Python-pyasn1-modules is needed because of this import:
     from pyasn1_modules import rfc2459
in ipalib/x509.py.

Python-pyasn1-modules is required only by python-ldap package, but it would be
good to not rely on another package and rather say explicitely that
this package is necessary.

https://fedorahosted.org/freeipa/ticket/6398

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-12-05 13:57:00 +01:00
Christian Heimes
289982e02f Require python-cryptography >= 1.3.1
python-cryptography versions < 1.3 no longer compile with recent OpenSSL
1.0.2 versions. In order to build wheels, a more recent version of
cryptography is required. 1.3.1 is the oldest well tested version (RHEL
7.3) that is known to work with FreeIPA.

Bump up in freeipa.spec is not required for technical reasons. The
problem only affects PyPI packages. It's policy to keep
requirements in sync.

https://fedorahosted.org/freeipa/ticket/6468

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-11-30 17:33:32 +01:00
Christian Heimes
8559791e0d Require python-gssapi >= 1.2.0
The PyPI package for python-gssapi 1.1.x has a packaging bug. It depends on
enum34 for Python 3 although it is only required for 2.7. 1.2.0 is the
oldest version that has been tested at length by QE. It's know to work.

Bump up in freeipa.spec is not required for technical reasons. The
packaging bug only affects PyPI packages. It's policy to keep
requirements in sync.

https://fedorahosted.org/freeipa/ticket/6468

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-11-30 16:24:41 +01:00
Jan Cholasta
fba6c21da3 certdb: move IPA NSS DB install functions to ipaclient.install
The create_ipa_nssdb() and update_ipa_nssdb() depend on ipaplatform.

Move them to ipaclient.install.client as they are used only from the client
installer and ipa-restore.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
a1f260d021 ipapython: move dnssec, p11helper and secrets to ipaserver
The dnssec and secrets subpackages and the p11helper module depend on
ipaplatform.

Move them to ipaserver as they are used only on the server.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Martin Basti
a291c6ded9 DNS: URI records: bump python-dns requirements
Support for DNS URI records has been added in python-dns 1.13

https://fedorahosted.org/freeipa/ticket/6344

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-29 14:28:42 +01:00
Petr Spacek
132b475c25 Build: workaround bug while calling parallel make from rpmbuild
https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-29 12:57:11 +01:00
Petr Spacek
4842231074 Build: use standard infrastructure for translations
We now use standard framework generatedby "gettextize" utility.

It has two limitations which I do not consider sufficiently important
to invest into hand-made solution:

1. It can automatically gather strings only from files which have some
   file extension like .c or .py. Right now we do not have any
   translatable strings in Python files without extensions. Given that these
   files will be removed from source tree and replaced with entry points
   from setuptools I do not see a reason to invest into supporting this.

2. It does not automatically strip untranslated strings from po files.
   This is a manual step in mainteiner's in workflow anyway so I will
   add separate Makefile target for it later on.

This commit contains gettextize instrastructure + filled-in files
Makevars and POTFILES.in.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
2016-11-22 16:14:50 +01:00
Christian Heimes
64af88fee4 Port ipapython.dnssec.odsmgr to xml.etree
The module ipapython.dnssec.odsmgr is the only module in ipalib,
ipaclient, ipapython and ipaplatform that uses lxml.etree.

https://fedorahosted.org/freeipa/ticket/6469

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-16 23:37:46 +01:00
Petr Spacek
27e7a89a62 Build: workaround bug 1005235 related to Python paths in auto-generated Requires
https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-16 09:12:07 +01:00
Petr Spacek
5a5373464f Build: document what should be in %install section of SPEC file
https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-15 17:00:32 +01:00
Petr Spacek
1fa0ed954b Build: move web UI file installation from SPEC to Makefile.am
This is next step towards fully functional make install.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-15 17:00:32 +01:00
Petr Spacek
20918579ac Build: move server directory handling from SPEC to Makefile.am
This is next step towards fully functional make install.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-15 17:00:32 +01:00
Petr Spacek
636aaa7dbc Build: move client directory handling from SPEC to Makefile.am
This is next step towards fully functional make install.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-15 17:00:32 +01:00
Jan Cholasta
a8fdb8de82 install: introduce installer class hierarchy
Add class hierarchy which allows inherting knob definitions between the
various client and server install scripts.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-11 12:17:25 +01:00
Jan Cholasta
a929ac3338 install: use standard Python classes to declare knob types
Use type(None) rather than bool to define knobs which are represented as
command line flags. This allows declaring both "--option" and
"--option={0,1}"-style command line options.

Use enum.Enum subclasses instead of set literals to declare enumerations.

Use typing.List[T] instead of (list, T) to declare lists. (Note that a
minimal reimplementation of typing.List is used instead of the Python 2
backport of the typing module due to non-technical reasons.)

Use CheckedIPAddress instead of 'ip' and 'ip-local' to declare IP
addresses.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-11 12:17:25 +01:00
Martin Basti
f98faec478 ipa-client-install: move client install to module
This commit only moves the code from ipa-client-install to module
ipaclient/install/client.py and fixes PEP8.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-11 12:13:56 +01:00
Petr Spacek
961773bd04 Build: pass down %{release} from SPEC to configure
This is required in order to bake-in precise vendor version to
version.py.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-11-11 10:41:38 +01:00
Petr Spacek
75a944e980 Build: fix KDC proxy installation and remove unused kdcproxy.conf
The only useful file is /etc/ipa/kdcproxy/kdcproxy.conf so I've removed
the other copy of the file in /usr.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
4ce3aa3b12 Build: remove unused dirs /var/cache/ipa/{sysupgrade,sysrestore} from SPEC
These directories were not used at all.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
dc5699a8a4 Build: do not compress manual pages at install time
At the time of this writting
https://fedoraproject.org/wiki/Packaging:Guidelines#Manpages
says this:
  When installing man pages, note that they should be installed uncompressed
  as the build system will compress them as needed. The compression method
  may change, so it is important to reference the pages in the %files section
  with a pattern that takes this into account:
  %{_mandir}/man1/foo.1*

Removing the compression also allows to remove several install-data-hook
targets from Makefile.am files.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
6cb0271509 Build: create /var/run directories at install time
Directory creating was moved from SPEC file to install-data-hook.
At the same time, it is using systemd-tmpfiles to create the directories
so we do not risk any inconsistency between SPEC file and tmpfilesd
configuration.

systemd-tmpfiles call is non-critical on purpose: The build would fail
when run under unprivileged user because systemd-tmpfiles tries to
change ownership. Luckily it creates all the files and just do not
change ownership so it works even under unprivileged user.

Interestingly, systemd-tmpfiles continues if user does not have
sufficient permissions to change ownership but fails if target username
does not exist at all. For this reason there is BuildRequires on httpd.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00