Commit Graph

373 Commits

Author SHA1 Message Date
Tibor Dudlák
194518f11f Add --ntp-pool option to installers
FreeIPA Server and Client now support option for chrony
configuration --ntp-pool.
This option may be used with option --ntp-server.

Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-09 11:00:02 -04:00
Tibor Dudlák
fb28dfff93 FreeIPA server is time synchronization client only
This will change behaviour that FreeIPA server will be no more
ntpd server and time service is no longer part of FreeIPA topology.

As dependency for ntpd was completely removed, and there is only
dependency for chrony, FreeIPA will configure every host to
became chronyd service's clients.

FreeIPA have not supported --ntp-server option now it must to
support client configuration of chrony.

Configuration of chrony is moved to client-install therefore
NTP related options are now passed to the ipa-client-install
script method sync_time which now handles configuration of chrony.

Server installation has to configure chrony before handling
certificates so there is call to configure chrony outside of
using server's statestore and filestore.

Removed behavior that there is always --no-ntp option set.

Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-09 11:00:02 -04:00
Tibor Dudlák
ca9c4d70a0 Replace ntpd with chronyd in installation
Completely remove ipaserver/install/ntpinstance.py

This is no longer needed as chrony client configuration
is now handled in ipa-client-install.

Part of ipclient/install/client.py related to ntp configuration
has been refactored a bit to not lookup for srv records
and/or run chrony if not necessary.

Addresses: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-09 11:00:02 -04:00
Tibor Dudlák
bfb544adfd Removes ntp from dependencies and behave as there is always -N option
Addresses: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-09 11:00:02 -04:00
Christian Heimes
64438f8619 Cleanup and remove more files on uninstall
* /etc/nsswitch.conf.ipabkp
* /etc/openldap/ldap.conf.ipabkp
* /var/lib/ipa/sysrestore/*
* /var/named/dyndb-ldap/ipa/
* /var/lib/dirsrv/scripts-%s/

See: https://pagure.io/freeipa/issue/2694
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-03-28 21:18:48 +02:00
amitkuma
ccec8c6c41 clear sssd cache when uninstalling client
The SSSD cache is not cleared when uninstalling an IPA client. For tidiness we should wipe the cache. This can be done with sssctl.
Note that this tool is in sssd-tools which is not currently a dependency.

Resolves: https://pagure.io/freeipa/issue/7376
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-03-26 15:16:54 +02:00
Stanislav Laznicka
c9c41d2d90
vault: fix vault-retrieve to a file
`data` is bytes but we were opening the "--out" file as
a text.

https://pagure.io/freeipa/issue/7430

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-03-06 13:00:23 +01:00
Christian Heimes
a8555d42a4 Update /etc/ipa/nssdb in client scripts
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-23 11:04:10 +01:00
Christian Heimes
88fd3f9435 certmonger: Use explicit storage format
Add storage='NSSDB' to various places. It makes it a bit easier to track
down NSSDB usage.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-23 11:04:10 +01:00
Stanislav Laznicka
c85bf376f0
certupdate: don't update HTTPD NSS db
Since mod_ssl is using the /etc/ipa/ca.crt for its source
of the CA chain, we don't need to update the HTTPD NSS
database anymore (since it does not really exist).

https://pagure.io/freeipa/issue/3757

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Stanislav Laznicka
f31797c70a Have all the scripts run in python 3 by default
The Python 3 refactoring effort is finishing, it should be safe
to turn all scripts to run in Python 3 by default.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-02-15 18:43:12 +01:00
Christian Heimes
2391c75e3d Replace hard-coded paths with path constants
Several run() calls used hard-coded paths rather than pre-defined paths
from ipaplatform.paths. The patch fixes all places that I was able to
find with a simple search.

The fix simplifies Darix's port of freeIPA on openSuSE.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-08 09:32:12 +01:00
Aleksei Slaikovskii
6c5a7464b2
Fixing translation problems
ipa rpc server did set the LANG environment variable on each
request and it was not thread safe which led to unpredictable
mixed languages output. Also, there were mistakes regarding
setting the Accept-Language HTTP header.

Now on each request we're setting the "languages" property
in the context thread local variable and client is setting
the Accept-Language HTTP header correctly.

Also, as the server is caching the schema and the schema can
be generated for several languages it's good to store different
schema fingerprint for each language separately.

pagure: https://pagure.io/freeipa/issue/7238
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-01-31 16:03:19 +01:00
Christian Heimes
beb6d74b81 LGTM: unnecessary else in for loop
for/else makes only sense when the for loop uses break, too. If the for
loop simply returns on success, then else is not necessary.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-01-09 07:53:28 +01:00
Christian Heimes
73ee9ff40e LGTM: Fix multiple use before assignment
- Move assignment before try/finally block
- Add raise to indicate control flow change
- Add default value

https://pagure.io/freeipa/issue/7344

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-01-09 07:53:28 +01:00
Rob Crittenden
79432cbdc6 Log contents of files created or modified by IPAChangeConf
This will show the status of the files during an installation.
This is particularly important during a replica install where
default.conf gets written several times.

Fixes: https://pagure.io/freeipa/issue/7218

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-01-04 16:34:37 +01:00
Christian Heimes
1c9f0a4b19 Vault: Add argument checks to encrypt/decrypt
Vault's encrypt and decrypt helper function take either symmetric or
public/private key. Raise an exception if either both or none of them
are passed down.

See https://pagure.io/freeipa/issue/7326

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2017-12-19 13:26:39 +01:00
Christian Heimes
8cb756a229 Fix pylint warnings inconsistent-return-statements
Add consistent return to all functions and methods that are covered by
tox -e pylint[23]. I haven't checked if return None is always a good
idea or if we should rather raise an error.

See: https://pagure.io/freeipa/issue/7326
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-12-18 11:51:14 +01:00
Fraser Tweedale
39fdc2d250 ipa_certupdate: avoid classmethod and staticmethod
Because classmethod and staticmethod are just fancy ways of calling
plain old functions, turn the classmethods and staticmethods of
CertUpdate into plain old functions.

This improves readability by making it clear that the behaviour of
the routines cannot depend on instance or class variables.

Part of: https://pagure.io/freeipa/issue/6577

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-12-11 08:35:04 +01:00
Fraser Tweedale
93d53e5cd0 CertUpdate: make it easy to invoke from other programs
The guts of ipa-certupdate are useful to execute as part of other
programs (e.g. as a first step of ipa-ca-install).  Refactor
ipa_certupdate.CertUpdate to make it easy to do that.  In
particular, make it possible to use an already-initialised API
object.

Part of: https://pagure.io/freeipa/issue/6577

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-12-11 08:35:04 +01:00
Christian Heimes
0071744929 Support sqlite NSSDB
Prepare CertDB and NSSDatabase to support sqlite DB format. NSSDatabase
will automatically detect and use either old DBM or new SQL format. Old
databases are not migrated yet.

https://pagure.io/freeipa/issue/7049

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-16 12:17:01 +01:00
Stanislav Laznicka
c9265a7b05 x509: remove the strip_header() function
We don't need the strip_header() function, to load an unknown
x509 certificate, load_unknown_x509_certificate() should be used.

Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-01 07:55:04 +01:00
Stanislav Laznicka
03786ad9f3 csrgen_ffi: cast the DN value to unsigned char *
cffi throws warnings during the implicit cast from char * to
unsigned char * since the support of these casts is nearing
its end of life.

https://pagure.io/freeipa/issue/7131
2017-10-25 09:46:41 +02:00
Stanislav Laznicka
61605d28d8 parameters: introduce CertificateSigningRequest
Previously, CSRs were handled as a Str parameter which brought
trouble to Python 3 because of its more strict type requirements.
We introduce a CertificateSigningRequest parameter which allows to
use python-cryptography x509.CertificateSigningRequest to represent
CSRs in the framework.

https://pagure.io/freeipa/issue/7131
2017-10-25 09:44:37 +02:00
Stanislav Laznicka
c9d710a446 csrgen: update docstring for py3
https://pagure.io/freeipa/issue/7131
2017-10-25 09:44:37 +02:00
Stanislav Laznicka
2b90c8a20e csrgen: accept public key info as Bytes
cert_get_requestdata() method is meant for internal use only and
is never passed a file. Make its parameter public_key_info Bytes
to better represent what's actually being passed to it.

https://pagure.io/freeipa/issue/7131
2017-10-25 09:44:37 +02:00
Stanislav Laznicka
61dde27f70 csrgen_ffi: pass bytes where "char *" is required
In Python 3, "char *" corresponds to bytes rather than string.

https://pagure.io/freeipa/issue/7131
2017-10-25 09:44:37 +02:00
Florence Blanc-Renaud
3de30177f7 py3: fix ipa cert-request --database ...
Fix bytes vs str issues in ipa cert-request

https://pagure.io/freeipa/issue/7148
2017-10-25 09:44:37 +02:00
Christian Heimes
b29db07c3b Use os.path.isfile() and isdir()
Replace custom file_exists() and dir_exists() functions with proper
functions from Python's stdlib.

The change also gets rid of pylint's invalid bad-python3-import error,
https://github.com/PyCQA/pylint/issues/1565

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-10-20 12:27:19 +02:00
Aleksei Slaikovskii
fad88b358b ipaclient.plugins.dns: Cast DNS name to unicode
cmd.api.Command.dnsrecord_split_parts expects name to be unicode
string and instead gets ascii. It leads to an error:
ipa: ERROR: invalid 'name': must be Unicode text

This commit's change is casting name's type to unicode so
'ipa dnsrecord-mod' will not fail with error above.

https://pagure.io/freeipa/issue/7185

Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-10-20 10:55:49 +02:00
Stanislav Laznicka
c4505f0804 client: fix retrieving certs from HTTP
We're applying bytes regex on the result of a command but were
using decoded stdout instead of raw.

https://pagure.io/freeipa/issue/7131

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-09-13 10:38:08 +02:00
Stanislav Laznicka
be9da19de3 uninstall: remove deprecation warning
RawConfigParser.readfp() method is deprecated and throws
DeprecationWarning in python 3 during uninstall.

https://pagure.io/freeipa/issue/7131

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-09-12 17:43:23 +02:00
Stanislav Laznicka
b57f87c9a0 pylint: fix no-member in schema plugin
The `module.register` member is added just a few lines
before pylint warns there's none such thing.

https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-09-08 15:42:07 +02:00
Stanislav Laznicka
806784dbd9 csrgen: fix incorrect codec for pyasn BitString
https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-09-08 15:42:07 +02:00
Stanislav Laznicka
c14aa6cdac
Remove unused variable
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2017-09-01 10:48:34 +02:00
Alexander Bokovoy
79378c9051
csrgen: support openssl 1.0 and 1.1
Support both openssl 1.0 and 1.1 APIs where sk_* functions got prefixed
with OPENSSL_ in the latter version.

Since referencing a symbol from a dynamically loaded library generates
exception, use the AttributeError exception to catch it and fall back to
the older method.

Fixes https://pagure.io/freeipa/issue/7110

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-08-31 13:46:00 +02:00
Fraser Tweedale
947ac4bc1f py3: handle bytes in schema response
If a server is running under py2 it could return a bytes value for
the 'topic_topic' field in the schema response.  A py3 client fails
to handle this (in one place it applies 'str' to it, which raises
BytesWarning; in other places it tries to serialise the schema to
JSON which fails because of the bytes value).

Handle the case where 'topic_topic' is not unicode, and handle bytes
values when serialising the schema to JSON.

Fixes: https://pagure.io/freeipa/issue/6809
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-08-29 13:05:20 +02:00
Fraser Tweedale
9cead4da2e py3: fix vault public key decoding
Part of: https://pagure.io/freeipa/issue/7033

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-08-29 13:03:25 +02:00
Felipe Volpone
cac3475a04
Changing how commands handles error when it can't connect to IPA server
Creating a method to check if ipa client is configured. Also,
changing scripts to use it instead of duplicating the check.

https://pagure.io/freeipa/issue/6261

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-11 13:55:39 +02:00
Tibor Dudlák
76357283ec
otptoken_yubikey.py: Removed traceback when package missing.
IPA should suggest user to install dependent packages instead
of throwing traceback. To work with IPA and Yubikey, packages
libyubikey(not in official RHEL repo) and libusb are required.

Resolves: https://pagure.io/freeipa/issue/6979
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-11 13:51:04 +02:00
Stanislav Laznicka
5a44ca6383 Create a Certificate parameter
Up until now, Bytes parameter was used for certificate parameters
throughout the framework. However, the Bytes parameter does nothing
special for certificates, like validation, so this had to be done
for each of the parameters which were supposed to represent a
certificate.

This commit introduces a special Certificate parameter which takes
care of certificate validation so this does not have to be done
separately. It also makes sure that the certificates represented by
this parameter are always converted to DER format so that we can work
with them in a unified manner throughout the framework.

This commit also makes it possible to pass bytes directly during
instantiation of the Certificate parameter and they are still
represented correctly after their conversion in the _convert_scalar()
method.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Stanislav Laznicka
b5732efda6 x509: Make certificates represented as objects
https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Stanislav Laznicka
4375ef860f Split x509.load_certificate() into PEM/DER functions
Splitting the load_certificate() function into two separate helps
us word the requirements for the input explicitly. It also makes
our backend similar to the one of python-cryptography so eventually
we can swap python-cryptography for IPA x509 module.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Jan Cholasta
07229c8ff6 logging: do not use ipa_log_manager to create module-level loggers
Replace all `ipa_log_manager.log_mgr.get_logger` calls to create
module-level loggers with `logging.getLogger` calls and deprecate
`ipa_log_manager.log_mgr.get_logger`.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
7a482b7c72 logging: do not log into the root logger
Deprecate `ipa_log_manager.root_logger` and replace all calls to it with
module-level logger calls.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
ffadcb0414 logging: remove object-specific loggers
Remove all object-specific loggers, with the exception of `Plugin.log`,
which is now deprecated. Replace affected logger calls with module-level
logger calls.

Deprecate object-specific loggers in `ipa_log_manager.get_logger`.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
f62a0fdb90 logging: port to standard Python logging
Use the standard `logging` module to configure logging instead of the
in-house `ipapython.log_manager` module and remove `ipapython.log_manager`.

Disable the logging-not-lazy and logging-format-interpolation pylint
checks.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Tibor Dudlák
69d05b86b7
topology.py: Removes error message from dictionary.
IPA will not print error message header when maximum
number of agreements per replica exceeded in topology.

Resolves: https://pagure.io/freeipa/issue/6533
Reviewed-By: David Kupka <dkupka@redhat.com>
2017-07-14 09:23:17 +02:00
Jan Cholasta
d5fc0ddd87 install: do not assume /etc/krb5.conf.d exists
Add `includedir /etc/krb5.conf.d` to /etc/krb5.conf only if
/etc/krb5.conf.d exists.

Do not rely on /etc/krb5.conf.d to enable the certauth plugin.

This fixes install on platforms which do not have /etc/krb5.conf.d.

https://pagure.io/freeipa/issue/6589

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
2017-06-28 15:44:51 +02:00
Martin Basti
3f59721c55 py3: vault: data must be bytes
Use bytes for vault data

https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-23 14:45:05 +02:00
Martin Basti
f3537297be Remove network and broadcast address warnings
We cannot reliably determine when an IP Address is network or broadcast.
We allowed to use non-local IP addresses due container use cases, we
don't know subnets of used IP addresses.

https://pagure.io/freeipa/issue/4317

Reviewed-By: David Kupka <dkupka@redhat.com>
2017-06-20 11:29:41 +02:00
Stanislav Laznicka
c8cc62564b Docstring+refactor of IPADiscovery.ipadnssearchkrbrealm()
Added a docstring and made a tiny miny refactor to
IPADiscovery.ipadnssearchkrbrealm()

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-15 13:42:52 +02:00
Stanislav Laznicka
1cab1e980c ipadiscovery: Return realm as a string
We don't have a use for realm as a bytes instance, return it as a
string, otherwise there's a use of str() on bytes in py3.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-15 13:42:52 +02:00
David Kreitschmann
bf0ba9b36e Disable pylint in get_help function because of type confusion.
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-15 09:12:19 +02:00
David Kreitschmann
d5bb541061 Store help in Schema before writing to disk
Signed-off-by: David Kreitschmann <david@kreitschmann.de>
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-15 09:12:19 +02:00
Tibor Dudlák
dfc271fdf4 sssd.py: Deprecating no-sssd option.
Resolves: https://pagure.io/freeipa/issue/5860
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-08 15:47:16 +02:00
Tibor Dudlák
eae8714026 client.py: Replace hardcoded 'admin' with options.principal
Fixes: https://pagure.io/freeipa/issue/5406
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-06-08 15:45:29 +02:00
Martin Basti
6637980af6 Only warn when specified server IP addresses don't match intf
In containers local addresses differ from public addresses and we need
a way to provide only public address to installers.

https://pagure.io/freeipa/issue/2715
https://pagure.io/freeipa/issue/4317

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-06-06 18:10:33 +02:00
Stanislav Laznicka
1ed1717e99 ca/cert-show: check certificate_out in options
If --certificate-out was specified on the command line, it will appear
among the options. If it was empty, it will be None.

This check was done properly in the ca plugin. Lets' just unify how this
is handled and improve user experience by announcing which option causes
the failure.

https://pagure.io/freeipa/issue/6885

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-05-24 13:33:09 +00:00
Jan Cholasta
f769045f0a server install: fix KDC PKINIT configuration
Set `pkinit_pool` in `kdc.conf` to a CA certificate bundle of all CAs known
to IPA.

Make sure `cacert.pem` is exported in all installation code paths.

Use the KDC certificate itself as a PKINIT anchor in `login_password`.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
11b8a34346 client install: fix client PKINIT configuration
Set `pkinit_anchors` in `krb5.conf` to a CA certificate bundle of CAs
trusted to issue KDC certificates rather than `/etc/ipa/ca.crt`.

Set `pkinit_pool` in `krb5.conf` to a CA certificate bundle of all CAs
known to IPA.

Make sure both bundles are exported in all installation code paths.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
235265a5f5 certdb: add named trust flag constants
Add named constants for common trust flag combinations.

Use the named constants instead of trust flags strings in the code.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
René Genz
a0566ed9ce fix minor spelling mistakes
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-19 09:52:46 +02:00
David Kreitschmann
f1c6a5d8de Use os.fsync instead of os.fdatasync because macOS doesn't support fdatasync
Signed-off-by: David Kreitschmann <david@kreitschmann.de>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-05-17 14:07:13 +02:00
David Kupka
e415da22f3 otptoken-add-yubikey: When --digits not provided use default value
Since Thin client was introduced default values for options are not populated
in client side plugins. When option has default value and is needed in client
plugin it must be handled by explicitly.

https://pagure.io/freeipa/issue/6900

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-16 11:39:43 +02:00
Alex Zeleznikov
8ec8e24015 Sort SRV records by priority
In some cases where multiple SRV records are present, LDAP and Kerberos records were returned in different order, causing replication issues in a multi master enviorment.

Update ipadiscovery.py

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-16 09:43:56 +02:00
Jan Cholasta
21f4cbf8da renew agent: get rid of virtual profiles
Replace all uses of virtual profiles with `dogtag-ipa-ca-renew-agent-reuse`
and remove profile from the IPA CA certificate tracking request.

This prevents virtual profiles from making their way into CSRs and in turn
being rejected by certain CAs. This affected the IPA CA CSR with Microsoft
CS in particular.

https://pagure.io/freeipa/issue/5799

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-15 12:14:28 +02:00
Christian Heimes
bd5a5012d2 Slim down dependencies
* Make jinja2 an optional dependency and csrgen an optional plugin
* Make otptoken_yubikey an optional plugin

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-09 17:17:29 +02:00
Florence Blanc-Renaud
26dbab1fd4 ipa-client-install: remove extra space in pkinit_anchors definition
ipa-client-install modifies /etc/krb5.conf and defines the following line:
    pkinit_anchors = FILE: /etc/ipa/ca.crt

The extra space between FILE: and /etc/ipa/ca.crt break pkinit.

https://pagure.io/freeipa/issue/6916

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-05-02 13:46:55 +02:00
Florence Blanc-Renaud
d5c41ed4ad vault: piped input for ipa vault-add fails
An exception is raised when using echo "Secret123\n" | ipa vault-add myvault

This happens because the code is using (string).decode(sys.stdin.encoding)
and sys.stdin.encoding is None when the input is read from a pipe.
The fix is using the prompt_password method defined by Backend.textui,
which gracefully handles this issue.

https://pagure.io/freeipa/issue/6907

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-04-28 13:19:51 +02:00
Christian Heimes
26ab51ddf4 Correct PyPI package dependencies
* Remove unused install requires from ipapython
* Add missing requirements to ipaserver
* Correct dependencies for yubico otptoken
* Add explicit dependency on cffi for csrgen
* Python 2 uses python-ldap, Python 3 pyldap

https://pagure.io/freeipa/issue/6875

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-04-26 12:31:11 +02:00
Christian Heimes
bf67974459 Use entry_points for ipa CLI
Fix problem with hard-coded shebang in ipa command line tool by using
a proper setuptools entry point for the console script. ipaclient is now
an executable Python package, too.

```
$ python -m ipaclient ping
```

is equivalent to

```
$ ipa ping
```

Related: https://pagure.io/freeipa/issue/6653
Closes: https://pagure.io/freeipa/issue/6850
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-04-11 13:29:50 +02:00
Ben Lipton
a53e17830c csrgen: Beginnings of NSS database support
https://pagure.io/freeipa/issue/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-03 07:46:30 +00:00
Ben Lipton
e7588ab2dc csrgen: Modify cert_get_requestdata to return a CertificationRequestInfo
Also modify cert_request to use this new format. Note, only PEM private
keys are supported for now. NSS databases are not.

https://pagure.io/freeipa/issue/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-03 07:46:30 +00:00
Ben Lipton
136c6c3e2a csrgen: Change to pure openssl config format (no script)
https://pagure.io/freeipa/issue/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-03 07:46:30 +00:00
Ben Lipton
5420e9cfbe csrgen: Remove helper abstraction
All requests now use the OpenSSL formatter. However, we keep Formatter
a separate class so that it can be changed out for tests.

https://pagure.io/freeipa/issue/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-03 07:46:30 +00:00
Christian Heimes
abefb64bea Simplify KRA transport cert cache
In-memory cache causes problem in forking servers. A file based cache is
good enough. It's easier to understand and avoids performance regression
and synchronization issues when cert becomes out-of-date.

https://pagure.io/freeipa/issue/6787
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-28 08:10:03 +00:00
Pavel Vomacka
75c592d3b9 Support certificate login after installation and upgrade
Add necessary steps which set SSSD and set SELinux boolean during
installation or upgrade. Also create new endpoint in apache for
login using certificates.

https://pagure.io/freeipa/issue/6225

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-14 15:13:43 +01:00
Jan Cholasta
72de679eb4 csrgen: hide cert-get-requestdata in CLI
The CSR generation feature is supposed to be used from cert-request, hide
the internal cert-get-requestdata command in the CLI.

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-14 12:26:16 +00:00
Jan Cholasta
8ed891cb61 cert: include certificate chain in cert command output
Include the full certificate chain in the output of cert-request, cert-show
and cert-find if --chain or --all is specified.

If output file is specified in the CLI together with --chain, the full
certificate chain is written to the file.

https://pagure.io/freeipa/issue/6547

Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-14 12:58:45 +01:00
Jan Cholasta
c60d9c9744 cert: add output file option to cert-request
The certificate returned by cert-request can now be saved to a file in the
CLI using a new --certificate-out option.

Deprecate --out in cert-show in favor of --certificate-out.

https://pagure.io/freeipa/issue/6547

Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-14 12:58:45 +01:00
Jan Cholasta
98bb5397c5 vault: cache the transport certificate on client
Cache the KRA transport certificate on disk (in ~/.cache/ipa) as well as
in memory.

https://fedorahosted.org/freeipa/ticket/6652

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-03-13 16:02:16 +01:00
Jan Cholasta
2fc9feddd0 install: re-introduce option groups
Re-introduce option groups in ipa-client-install, ipa-server-install and
ipa-replica-install.

https://pagure.io/freeipa/issue/6392

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-13 10:12:40 +01:00
Jan Cholasta
1cfe06c79e client install: split off SSSD options into a separate class
Split off SSSD knob definitions from the ClientInstallInterface class into
a new SSSDInstallInterface class.

https://pagure.io/freeipa/issue/6392

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-13 10:12:40 +01:00
Jan Cholasta
0298ecf441 certmap: load certificate from file in certmap-match CLI
Load the certificate from a file specified in the first argument. Raw
certificate value can be specified using --certificate.

https://pagure.io/freeipa/issue/6646

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-03-13 08:03:53 +00:00
Jan Cholasta
5d489ac560 pylint_plugins: add forbidden import checker
Add new pylint AST checker plugin which implements a check for imports
forbidden in IPA. Which imports are forbidden is configurable in pylintrc.

Provide default forbidden import configuration and disable the check for
existing forbidden imports in our code base.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-10 13:04:59 +01:00
Christian Heimes
177f07e163 Chain CSR generator file loaders
First try custom location, then csrgen subdir in confdir and finally
fall back to package data.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Ben Lipton <blipton@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-08 15:59:26 +01:00
Christian Heimes
80be181629 Move csrgen templates into ipaclient package
csrgen broke packaging of ipaclient for PyPI. All csrgen related
resources are now package data of ipaclient package. Package data is
accessed with Jinja's PackageLoader() or through pkg_resources.

https://pagure.io/freeipa/issue/6714

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Ben Lipton <blipton@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-08 15:59:26 +01:00
Jan Cholasta
1e912f5b83 dns: fix dnsrecord_add interactive mode
`dnsrecord_add` interactive mode might prompt for value of non-existent
arguments `a_part_create_reverse` and `aaaa_part_create_reverse`. This
happens because `dnsrecord_add` extra flags are incorrectly defined as
parts of the respective DNS records.

Remove extra flags from DNS record parts to fix the interactive mode on old
clients talking to new servers. Skip non-existent arguments in the
interactive mode to fix new clients talking to old servers.

https://fedorahosted.org/freeipa/ticket/6457

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-08 15:52:41 +01:00
Christian Heimes
ed7a03a1af Vault: port key wrapping to python-cryptography
https://fedorahosted.org/freeipa/ticket/6650

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-02 14:22:11 +01:00
Christian Heimes
3be696c92f Drop in-memory copy of schema zip file
The schema cache used a BytesIO buffer to read/write schema cache before
it got flushed to disk. Since the schema cache is now loaded in one go,
the temporary buffer is no longer needed.

File locking has been replaced with a temporary file and atomic rename.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-01 12:50:43 +01:00
Christian Heimes
332dbab1ff Speed up client schema cache
It's inefficient to open a zip file over and over again. By loading all
members of the schema cache file at once, the ipa CLI script starts
about 25 to 30% faster for simple cases like help and ping.

Before:

$ time for i in {1..20}; do ./ipa ping >/dev/null; done

real    0m13.608s
user    0m10.316s
sys     0m1.121s

After:

$ time for i in {1..20}; do ./ipa ping >/dev/null; done

real    0m9.330s
user    0m7.635s
sys     0m1.146s

https://fedorahosted.org/freeipa/ticket/6690

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-01 12:50:43 +01:00
Stanislav Laznicka
5ab85b365a Moving ipaCert from HTTPD_ALIAS_DIR
The "ipaCert" nicknamed certificate is not required to be
in /var/lib/ipa/radb NSSDB anymore as we were keeping a copy
of this file in a separate file anyway. Remove it from there
and track only the file. Remove the IPA_RADB_DIR as well as
it is not required anymore.

https://fedorahosted.org/freeipa/ticket/5695
https://fedorahosted.org/freeipa/ticket/6680

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 09:43:41 +00:00
Stanislav Laznicka
2a9d1fb7d9 Remove NSSConnection from otptoken plugin
Replace NSSConnection with httplib.HTTPSConenction to be able to remove
NSSConnection for good.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 09:43:41 +00:00
Ben Lipton
ada91c2058 csrgen: Support encrypted private keys
https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-28 09:02:49 +00:00
Ben Lipton
4350dcdea2 csrgen: Allow overriding the CSR generation profile
In case users want multiple CSR generation profiles that work with the
same dogtag profile, or in case the profiles are not named the same,
this flag allows specifying an alternative CSR generation profile.

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-28 09:02:49 +00:00
Ben Lipton
39a5d9c5aa csrgen: Automate full cert request flow
Allows the `ipa cert-request` command to generate its own CSR. It no
longer requires a CSR passed on the command line, instead it creates a
config (bash script) with `cert-get-requestdata`, then runs it to build
a CSR, and submits that CSR.

Example usage (NSS database):
$ ipa cert-request --principal host/test.example.com --profile-id caIPAserviceCert --database /tmp/certs

Example usage (PEM private key file):
$ ipa cert-request --principal host/test.example.com --profile-id caIPAserviceCert --private-key /tmp/key.pem

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-28 09:02:49 +00:00
Jan Cholasta
19060db1b8 compat: fix Any params in batch and dnsrecord
The `methods` argument of `batch` and `dnsrecords` attribute of `dnsrecord`
were incorrectly defined as `Str` instead of `Any`.

https://fedorahosted.org/freeipa/ticket/6647

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-02-23 18:53:50 +01:00
Stanislav Laznicka
0fffeabe02 Fix error in ca_cert_files validator
ClientInstall expects a single ca_cert_file as a string but the
framework gives it a list.

https://fedorahosted.org/freeipa/ticket/6694

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-02-21 15:31:54 +01:00
Jan Cholasta
b4fa354f50 client install: create /etc/ipa/nssdb with correct mode
The NSS database directory is created with mode 640, which causes the IPA
client to fail to connect to any IPA server, because it is unable to read
trusted CA certificates from the NSS database.

Create the directory with mode 644 to fix the issue.

https://fedorahosted.org/freeipa/ticket/5959

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-02-20 13:00:50 +00:00
Stanislav Laznicka
ca457eb5ce Add password to certutil calls in NSSDatabase
NSSDatabases should call certutil with a password. Also, removed
`password_filename` argument from `.create_db()`.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-17 10:14:23 +01:00
Martin Basti
7eb2ef6190 DNS: dns-update-system-record can create nsupdate file
Added option --out <path> creates a file with IPA DNS data in nsupdate
format.

https://fedorahosted.org/freeipa/ticket/6585

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 12:20:55 +01:00
Simo Sorce
d124e307f3 Separate RA cert store from the HTTP cert store
This is in preparation for separating out the user under which the
ipa api framework runs as.

This commit also removes certs.NSS_DIR to avoid confusion and replaces
it where appropriate with the correct NSS DB directory, either the old
HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is
removed altogether as it was simply not necessary.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Stanislav Laznicka
08c71703a4 Remove is_fips_enabled checks in installers and ipactl
https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-02-13 18:10:55 +01:00
Ben Lipton
a26cf0d791 tests: Add tests for CSR autogeneration
This patch also contains some code changes to make the code easier to
test and to make the tests pass.

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-31 10:20:28 +01:00
Ben Lipton
afd7c05d11 csrgen: Use data_sources option to define which fields are rendered
This removes the ipa.syntaxrule and ipa.datarule macros in favor of
simple 'if' statements based on the data referenced in the rules. The
'if' statement for a syntax rule is generated based on the data rules it
contains.

The Subject DN should not be generated unless all data rules are in
place, so the ability to override the logical operator that combines
data_sources (from 'or' to 'and') is added.

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-31 10:20:28 +01:00
Ben Lipton
10ef594786 csrgen: Add code to generate scripts that generate CSRs
Adds a library that uses jinja2 to format a script that, when run, will
build a CSR. Also adds a CLI command, 'cert-get-requestdata', that uses
this library and builds the script for a given principal. The rules are
read from json files in /usr/share/ipa/csr, but the rule provider is a
separate class so that it can be replaced easily.

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-31 10:20:28 +01:00
Martin Basti
18337bf7f7 py3: decode bytes for json.loads()
In py 3.5 json.loads requires to have string as input, all bytes must be
decoded.

Note: python 3.6 supports bytes for json.loads()

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Jan Cholasta
26630db9d0 client install: correctly report all failures
In commit 5249eb817e, the client install code
was converted to use exception handling instead of return codes. However,
some return statements were not converted to raise statements and as a
result, ipa-client-install will report success in some error conditions.

Convert the return statements to raise statements to fix the issue.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-01-20 17:34:07 +01:00
Martin Babinsky
566c86a782 disable hostname canonicalization by Kerberos library
By default, Kerberos client library attempts to canonicalize service
hostname in TGS requests. This can fail e.g. if hosts file on the client
machine references short names before FQDNs. In this case the short name
is used in TGS_REQ which KDC fails to resolve.

Since we do not (yet) support referencing hosts by their short names it
is safe to just disable this behavior in krb5.conf and use supplied
FQDNs.

https://fedorahosted.org/freeipa/ticket/6584

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2017-01-11 16:18:24 +01:00
David Kupka
d15ccde20f ipaclient: schema cache: Handle malformed server info data gracefully
As a part of CLI schema cache some data about each previously contacted server
are stored in simple JSON file. The file may get corrupted and became
undecodable for various reasons (parallel access, file system error,
tampering). Since the data are not necessary we should just warn an continue.

https://fedorahosted.org/freeipa/ticket/6578

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-09 09:13:36 +01:00
Petr Spacek
fb7c111ac1 ipa_generate_password algorithm change
A change to the algorithm that generates random passwords
for multiple purposes throught IPA. This spells out the need
to assess password strength by the entropy it contains rather
than its length.

This new password generation should also be compatible with the
NSS implementation of password requirements in FIPS environment
so that newly created databases won't fail with wrong authentication.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2017-01-06 09:26:56 +01:00
David Kupka
388ed93935 schema_cache: Make handling of string compatible with python3
https://fedorahosted.org/freeipa/ticket/6559

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-01-05 18:30:00 +01:00
Timo Aaltonen
0ff12de338 client, platform: Use paths.SSH* instead of get_config_dir().
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-01-05 17:50:03 +01:00
Christian Heimes
987d24f784 Silence pylint import errors of ipaserver in ipalib and ipaclient
In client-only installations the ipaserver package is not available.
Additional guards prevent pylint to complain about missing ipaserver
package.

https://fedorahosted.org/freeipa/ticket/6468

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-01-05 09:50:28 +01:00
David Kupka
d841a79dc1 ipaclient.plugins: Use api_version from internally called commands
In client plugins make sure the api_version is 'inherited' from server command
that is internally called. Otherwise the api_version is obtained from client
API instance. When calling server command from client command 'version' is
passed in options and it overrides the right one. Server then refuses to handle
such call.

https://fedorahosted.org/freeipa/ticket/6539

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-12-14 11:50:35 +01:00
Simo Sorce
ca4e6c1fdf Configure Anonymous PKINIT on server install
Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-12-12 13:39:44 +01:00
Fraser Tweedale
32b1743e5f Add options to write lightweight CA cert or chain to file
Administrators need a way to retrieve the certificate or certificate
chain of an IPA-managed lightweight CA.  Add params to the `ca'
object for carrying the CA certificate and chain (as multiple DER
values).  Add the `--chain' flag for including the chain in the
result (chain is also included with `--all').  Add the
`--certificate-out' option for writing the certificate to a file (or
the chain, if `--chain' was given).

Fixes: https://fedorahosted.org/freeipa/ticket/6178
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-12-12 13:03:15 +01:00
Jan Cholasta
4fff09978e server install: fix external CA install
Replace the dual definitions of domain_name, dm_password and admin_password
knobs in server install with single definitions using the original names
without the 'new_' prefix.

This fixes the options read from the installer option cache in step 2 of
external CA install to use the correct knob names.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-12-08 12:08:49 +01:00
Martin Babinsky
0ae7bebb76 Make env and plugins commands local again
During thin client refactoring, LocalOrRemote class implementation of `run`
method was overriden by default Command implementation during instantiation of
client plugins from schema. This caused these commands to always forward this
request to IPA master.

This patch restores the original behavior: unless `--server` option was
specified, the commands will always print out local config.

https://fedorahosted.org/freeipa/ticket/6490

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-12-02 13:00:06 +01:00
Christian Heimes
1e6a204b43 Set explicit confdir option for global contexts
Some API contexts are used to modify global state (e.g. files in /etc
and /var). These contexts do not support confdir overrides. Initialize
the API with an explicit confdir argument to paths.ETC_IPA.

The special contexts are:

* backup
* cli_installer
* installer
* ipctl
* renew
* restore
* server
* updates

The patch also corrects the context of the ipa-httpd-kdcproxy script to
'server'.

https://fedorahosted.org/freeipa/ticket/6389

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-12-02 09:14:35 +01:00
Christian Heimes
235f685247 Wheel bundles fixes
* make wheel_bundle no longer bundles ipaplatform
* ipaclient and ipalib use a consistent extra tag for the install
  subpackage. `pip install ipalib[ipalib.install]` looks a bit silly.

https://fedorahosted.org/freeipa/ticket/6474

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-11-30 16:44:38 +01:00
Christian Heimes
ed9645b2ac Adjustments for setup requirements
* Fix some typos, missing or surplus dependencies.
* Remove setup requirement on wheel since it triggers download.

ipatests is now installable. Tests need further changes to be runable.

https://fedorahosted.org/freeipa/ticket/6468

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-30 13:32:30 +01:00
Jan Cholasta
a260fd8058 ipaclient: remove hard dependency on ipaplatform
Hard-code the user cache directory path in ipaclient.remote_plugins.schema.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
70c3cd7f48 ipaclient: move install modules to the install subpackage
The ipa_certupdate, ipachangeconf, ipadiscovery and ntpconf modules depend
on ipaplatform.

Move them to ipaclient.install as they are used only from the client
installer.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
d43b57d2ce ipalib: remove hard dependency on ipapython
Hard-code the path to /bin/false in SubprocessError doc string.

Remove ipaplatform dependency from ipalib's setup.py and add it as optional
installer dependency to ipalib's and ipaclient's setup.py.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
977050c66b constants: remove CACERT
CACERT depends on ipaplatform.

Replace all uses of CACERT with paths.IPA_CA_CRT and remove CACERT.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
a2c5888973 ipalib: move certstore to the install subpackage
The certstore module depends on ipaplatform.

Move it to ipalib.install, as it is used only from installers.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
7d5c680ace ipautil: move kinit functions to ipalib.install
kinit_password() depends on ipaplatform.

Move kinit_password() as well as kinit_keytab() to a new
ipalib.install.kinit module, as they are used only from installers.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
75b70e3f0d ipautil: move is_fips_enabled() to ipaplatform.tasks
The FIPS setting is platform-specific.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
d911f49348 ipautil: remove the timeout argument of run()
The argument depends on the platform-specific timeout binary and is used
only in ipaclient.ntpconf.

Call the timeout binary explicitly in ipaclient.ntpconf and remove the
argument.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
fba6c21da3 certdb: move IPA NSS DB install functions to ipaclient.install
The create_ipa_nssdb() and update_ipa_nssdb() depend on ipaplatform.

Move them to ipaclient.install.client as they are used only from the client
installer and ipa-restore.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
26c46a447f ipapython: move certmonger and sysrestore to ipalib.install
The certmonger and sysrestore modules depend on ipaplatform.

Move them to ipalib.install as they are used only from installers.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
9117a5d5a6 paths: remove DEV_NULL
The platform-specific path to /dev/null is provided by the Python standard
library in os.devnull.

Replace all uses of paths.DEV_NULL with os.devnull and remove DEV_NULL.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Christian Heimes
38e8719f72 Python3 pylint fixes
Sprinkle 'pylint disable' comments over the code base to silence a bunch
of pylint warnings on Python 3. All silenced warnings are harmless and
not bugs.

https://fedorahosted.org/freeipa/ticket/4985

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-25 16:18:22 +01:00
Christian Heimes
6409abf1a6 Break ipaplatform / ipalib import cycle of hell
Here is an attempt to break the import cycle of hell between ipaplatform
and ipalib. All services now pass an ipalib.api object to
services.service(). RedHatServices.__init__() still needs to do a local
import because it initializes its wellknown service dict with service
instances.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-24 16:30:32 +01:00
Christian Heimes
2cbaf15604 Replace LooseVersion
pylint is having a hard time with distutils.version in tox's virtual
envs. virtualenv uses some tricks to provide a virtual distutils
package, pylint can't cope with.

https://github.com/PyCQA/pylint/issues/73 suggests to use pkg_resources
instead. pkg_resources' version parser has some more benefits, e.g. PEP
440 conformity. But pkg_resources.parse_version() is a heavy weight solution
with reduced functionality, e.g. no access to major version.

For API_VERSION and plugin version we can use a much simpler and faster
approach.

https://fedorahosted.org/freeipa/ticket/6468

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-11-24 15:46:40 +01:00
Christian Heimes
8346e1b067 Add install requirements to Python packages
https://fedorahosted.org/freeipa/ticket/6468

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-16 22:58:39 +01:00
Christian Heimes
a22a5dd676 Use api.env.nss_dir instead of paths.IPA_NSSDB_DIR
ipaclient plugins are now using nss_dir from api.env instead of
hard-coded paths.IPA_NSSDB_DIR.

Closes: https://fedorahosted.org/freeipa/ticket/6386
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-11-14 13:57:26 +01:00
Jan Cholasta
09423acb65 install: migrate client install to the new class hierarchy
Migrate ipa-client-install from the custom script to the new installer
class hierarchy classes.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-11 12:17:25 +01:00
Jan Cholasta
a8fdb8de82 install: introduce installer class hierarchy
Add class hierarchy which allows inherting knob definitions between the
various client and server install scripts.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-11 12:17:25 +01:00
Stanislav Laznicka
b068d3336a Added file permissions option to IPAChangeConf.newConf()
Also added information about why os.chmod is called sometimes
after newConf() calls.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-11 12:13:56 +01:00
Stanislav Laznicka
990e1acb1a Fix to ipachangeconf docstrings
https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-11 12:13:56 +01:00
Martin Basti
847b6eddab client: use correct code for failed uninstall
Hardcoded value 1 means CLIENT_INSTALL_ERROR, but this part belongs to
uninstallation so it should be CLIENT_UNINSTALL_ERROR

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-11 12:13:56 +01:00
Martin Basti
5249eb817e client: use exceptions instead of return states
Python has builtin exceptions which can be used very well to handling
errors in python instead of returning error states (C style)

Exception will allow better client-server integration in future

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-11 12:13:56 +01:00
Martin Basti
b3786730e5 client: move install cleanup from ipa-client-install to module
Cleanup should be part of installation function

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-11 12:13:56 +01:00
Martin Basti
bbad08900b client: move clean CCACHE to module
According 04b8575c52 cleaning CCACHE is
needed after installation. This commit moves this cleanup from
ipa-client-install to client.install() function

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-11 12:13:56 +01:00
Martin Basti
83fe6b626f client: move custom env variable into client module
There is no need to have env as parameter because this is used only
once, so it can eb safely moved to client.py module

NOTE: PATH should be overwritten to safe values before we execute any
command
https://www.securecoding.cert.org/confluence/display/c/ENV03-C.+Sanitize+the+environment+when+invoking+external+programs

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-11 12:13:56 +01:00
Martin Basti
fcea3b3fb8 client: extract checks from uninstall to uninstall_check
Checks if uninstallation is possible should be moved to uninstall_check

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-11 12:13:56 +01:00
Martin Basti
3f690a0a3a client: extract checks from install to install_check
client install contained installation check that have been moved to
install_check function

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-11 12:13:56 +01:00