Makes sure that the first check that is performed when trustdomain-del
command is run is that the actual trusted domain exists. This is done to
prevent a subseqent error which might be misleading.
https://fedorahosted.org/freeipa/ticket/5389
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The trust_show command does not raise a properly formatted NotFound
error if the trust is not found, only a generic EmptyResult error
is raised.
This patch makes the trust_show tell us what actually could not be
found.
https://fedorahosted.org/freeipa/ticket/5389
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Instead of searching for all zones to identify the correct reverse zone, we
will first ask the resolver to return the name of zone that should contain the
desired record and then see if IPA manages this zone.
This patch also removes a duplicate function in bindinstance.py that is not
used anywhere.
https://fedorahosted.org/freeipa/ticket/5200
Reviewed-By: Petr Spacek <pspacek@redhat.com>
In Python 3, the base64.b64decode function raises binascii.Error (a ValueError
subclass) when it finds incorrect padding. In Python 2 it raises TypeError.
Callers should usually handle ValueError; unless they are specifically
concerned with handling base64 padding issues).
In some cases, callers should handle ValueError:
- ipalib.pkcs10 (get_friendlyname, load_certificate_request): callers should
handle ValueError
- ipalib.x509 (load_certificate*, get_*): callers should handle ValueError
In other cases ValueError is handled:
- ipalib.parameters
- ipapython.ssh
- ipalib.rpc (json_decode_binary - callers already expect ValueError)
- ipaserver.install.ldapupdate
Elsewhere no error handling is done, because values come from trusted
sources, or are pre-validated:
- vault plugin
- ipaserver.install.cainstance
- ipaserver.install.certs
- ipaserver.install.ipa_otptoken_import
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Warning user that DNSSEC key master is not installed when commands
dnszone-add, dnszone-mod, dnszone-show when option dnssec=true
https://fedorahosted.org/freeipa/ticket/5290
Reviewed-By: Petr Spacek <pspacek@redhat.com>
When converting the anchor to a human readable form, SID validation
may fail, i.e. if the domain is no longer trusted.
Ignore such cases and pass along the anchor in the raw format.
https://fedorahosted.org/freeipa/ticket/5322
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
In Python 3, the variable with the currently handled exception is unset
at the end of the except block. (This is done to break reference
cycles, since exception instances now carry tracebacks, which contain
all locals.)
Fix this in baseldap's error handler.
Use a simpler structure for the ipatests.raises utility that only uses the
exception inside the except block.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
In Python 3, the types module no longer provide alternate names for
built-in types, e.g. `types.StringType` can just be spelled `str`.
NoneType is also removed; it needs to be replaced with type(None)
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
In Python 3, these modules are reorganized.
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
StandardError was removed in Python3 and instead
Exception should be used.
Signed-off-by: Robert Kuska <rkuska@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The six way of doing this is to replace all occurences of "unicode"
with "six.text_type". However, "unicode" is non-ambiguous and
(arguably) easier to read. Also, using it makes the patches smaller,
which should help with backporting.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
The initial fix of ticket 5247 rejected renames, but left the option
behind for API compatibility. Remove the option now, according to
the consensus that because it never worked, it is fine to remove it.
Fixes: https://fedorahosted.org/freeipa/ticket/5247
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
In Python 3, range() behaves like the old xrange().
The difference between range() and xrange() is usually not significant,
especially if the whole result is iterated over.
Convert xrange() usage to range() for small ranges.
Use modern idioms in a few other uses of range().
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In Python 3, `print` is no longer a statement. Call it as a function
everywhere, and include the future import to remove the statement
in Python 2 code as well.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In Python 2, map() returns a list; in Python 3 it returns an iterator.
Replace all uses by list comprehensions, generators, or for loops,
as required.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Python 2 has keys()/values()/items(), which return lists,
iterkeys()/itervalues()/iteritems(), which return iterators,
and viewkeys()/viewvalues()/viewitems() which return views.
Python 3 has only keys()/values()/items(), which return views.
To get iterators, one can use iter() or a for loop/comprehension;
for lists there's the list() constructor.
When iterating through the entire dict, without modifying the dict,
the difference between Python 2's items() and iteritems() is
negligible, especially on small dicts (the main overhead is
extra memory, not CPU time). In the interest of simpler code,
this patch changes many instances of iteritems() to items(),
iterkeys() to keys() etc.
In other cases, helpers like six.itervalues are used.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
python-krbV library is deprecated and doesn't work with python 3. Replacing all
it's usages with python-gssapi.
- Removed Backend.krb and KRB5_CCache classes
They were wrappers around krbV classes that cannot really work without them
- Added few utility functions for querying GSSAPI credentials
in krb_utils module. They provide replacements for KRB5_CCache.
- Merged two kinit_keytab functions
- Changed ldap plugin connection defaults to match ipaldap
- Unified getting default realm
Using api.env.realm instead of krbV call
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
The vault-mod command has been modified to support changing vault
encryption attributes (i.e. type, password, public/private keys)
in addition to normal attributes (i.e. description). Changing the
encryption requires retrieving the stored secret with the old
attributes and rearchiving it with the new attributes.
https://fedorahosted.org/freeipa/ticket/5176
Reviewed-By: Martin Basti <mbasti@redhat.com>
`ipa user-del` with `--preserve` option will now process multiple entries and
handle `--continue` option in a manner analogous to `ipa user-del` in normal
mode.
In addition, it is now no longer possible to permanently delete a user by
accidentally running `ipa user-del --preserve` twice.
https://fedorahosted.org/freeipa/ticket/5234https://fedorahosted.org/freeipa/ticket/5236
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
In two places the vault plugin refers to rsa public or rsa private key
although the code can handle just any kind of asymmetric algorithms,
e.g. ECDSA. The patch just renames the occurences to avoid more
confusion in the future.
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
For bidirectional trust if we have AD administrator credentials, we
should be using them with Kerberos authentication. If we don't have
AD administrator credentials, we should be using
HTTP/ipa.master@IPA.REALM credentials. This means we should ask
formatting 'creds' object in Kerberos style.
For one-way trust we'll be fetching trust topology as TDO object,
authenticating with pre-created Kerberos credentials cache, so in all
cases we do use Kerberos authentication to talk to Active Directory
domain controllers over cross-forest trust link.
Part of trust refactoring series.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1250190
Fixes: https://fedorahosted.org/freeipa/ticket/5182
Reviewed-By: Tomas Babej <tbabej@redhat.com>
This patch replaces 'stageuser-add --from-delete' with new command
user-stage.
Original way always required to specify first and last name, and
overall combination of options was hard to manage. The new command
requires only login of deleted user (user-del --preserve).
https://fedorahosted.org/freeipa/ticket/5041
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The vault-find plugin has two additional arguments to list all
service vaults or user vaults. Since the name of a vault is only unique
for a particular user or service, the commands also print the vault user
or vault service. The virtual attributes were added in rev
01dd951ddc.
Example:
$ ipa vault-find --users
----------------
2 vaults matched
----------------
Vault name: myvault
Type: standard
Vault user: admin
Vault name: UserVault
Type: standard
Vault user: admin
----------------------------
Number of entries returned 2
----------------------------
$ ipa vault-find --services
----------------
2 vaults matched
----------------
Vault name: myvault
Type: standard
Vault service: HTTP/ipatest.freeipa.local@FREEIPA.LOCAL
Vault name: myvault
Type: standard
Vault service: ldap/ipatest.freeipa.local@FREEIPA.LOCAL
----------------------------
Number of entries returned 2
----------------------------
https://fedorahosted.org/freeipa/ticket/5150
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
cert-request currently permits a limited number of request
extensions; uncommon and esoteric extensions are prohibited and this
limits the usefulness of custom profiles.
The Dogtag profile has total control over what goes into the final
certificate and has the option to reject request based on the
request extensions present or their values, so there is little
reason to restrict what extensions can be used in FreeIPA. Remove
the check.
Fixes: https://fedorahosted.org/freeipa/ticket/5205
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Deletion of predefined profiles, including the default profile,
should not be allowed. Detect this case and raise an error.
Also update the predefined profiles collection to use namedtuple,
making it easier to access the various components.
Fixes: https://fedorahosted.org/freeipa/ticket/5198
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
