Commit Graph

21868 Commits

Author SHA1 Message Date
Timo Aaltonen
8a91716abb source: Update extend-diff-ignore. 2023-06-07 14:59:25 +03:00
Timo Aaltonen
78ec530871 drop upstreamed patches 2023-06-07 14:49:16 +03:00
Timo Aaltonen
f52e2b0a2c version bump 2023-06-07 14:46:39 +03:00
Timo Aaltonen
1099db0fdb Merge branch 'upstream' 2023-06-07 14:46:19 +03:00
Antonio Torres
2fd9cbbe44
Become IPA 4.10.2 2023-06-06 10:01:01 +02:00
Antonio Torres
03b92fb42f
Update list of contributors
Signed-off-by: Antonio Torres <antorres@redhat.com>
2023-06-06 09:43:34 +02:00
Antonio Torres
e3797ca2e0
Update translations to FreeIPA ipa-4-10 state
Signed-off-by: Antonio Torres <antorres@redhat.com>
2023-06-06 09:40:38 +02:00
Florence Blanc-Renaud
283f5463f0 ipatest: remove xfail from test_smb
test_smb is now successful because the windows server version
has been updated to windows-server-2022 with
- KB5012170
- KB5025230
- KB5022507
- servicing stack 10.0.20348.1663
in freeipa-pr-ci commit 3ba4151.

Remove the xfail.

Fixes: https://pagure.io/freeipa/issue/9124
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2023-06-05 14:00:17 +02:00
Rob Crittenden
58017abeb8 Don't allow a group to be converted to POSIX and external
This condition was checked in group-add but not in group-mod.
This evaluation is done later in the pre_callback so that all
the other machinations about posix are already done to make
it easier to tell whether this condition is true or not.

Fixes: https://pagure.io/freeipa/issue/8990

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2023-06-02 18:30:08 -04:00
Alexander Bokovoy
f2b821abca ipa-kdb: be compatible with krb5 1.19 when checking for server referral
Related: https://pagure.io/freeipa/issue/9164

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2023-06-02 16:01:41 -04:00
Rob Crittenden
325a13196b Replace usage of #!/usr/bin/env python3 with #!/usr/bin/python3
Only three remaining scripts used this form, two of which are
for developers only and not shipped.

The shebang in ipa-ccache-sweeper will be converted to
"#!$(PYTHON) -I" in the build process.

Fixes: https://pagure.io/freeipa/issue/8941

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2023-06-02 10:00:57 +02:00
Alexander Bokovoy
11ce2b2133 ipalib/x509.py: Add signature_algorithm_parameters
Python-cryptography 41.0.0 new abstract method.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
2023-06-01 15:48:45 +02:00
Alexander Bokovoy
1b55e9b1cb ipa-kdb: skip verification of PAC full checksum
MIT Kerberos KDC code will do verification of the PAC full checksum
buffers, we don't need to process them. This change only applies to
newer MIT Kerberos version which have this buffer type defined, hence
using #ifdef to protect the use of the define.

This should have no functional difference.

Related: https://pagure.io/freeipa/issue/9371

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
2023-06-01 15:48:45 +02:00
Alexander Bokovoy
bd8fcd6f5b ipa-kdb: process out of realm server lookup during S4U
Kerberos principal aliases lookup had a long-standing TODO item to
support server referrals for host-based aliases. This commit implements
server referrals for hosts belonging to trusted domains. The use-case is
a part of S4U processing in a two-way trust when an IPA service requests
a ticket to a host in a trusted domain (e.g. service on AD DC). In such
situation, the server principal in TGS request will be a normal principal
in our domain and KDC needs to respond with a server referral. This
referral can be issued by a KDB driver or by the KDC itself, using
'domain_realms' section of krb5.conf. Since KDB knows all suffixes
associated with the trusted domains, implement the logic there.

Fixes: https://pagure.io/freeipa/issue/9164

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
2023-06-01 15:48:45 +02:00
Alexander Bokovoy
fefa024829 ipa-kdb: postpone ticket checksum configuration
Postpone ticket checksum configuration after KDB module was initialized.
This, in practice, should now happen when a master key is retrieved.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
2023-06-01 15:48:45 +02:00
Alexander Bokovoy
803a44777f ipa-kdb: protect against context corruption
Early in startup LDAP server might not respond well yet and
should_support_pac_tkt_sign() will bail out with
KRB5_KDB_SERVER_INTERNAL_ERR. We should postpone this call but for time
being we should prevent a crash.

Crash happens because init_module() returns with an error and KDC then
calls fini_module() which will free the DB context which is already
corrupted for some reason.

Do not call any free() call because the whole context is corrupted as
tests do show.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
2023-06-01 15:48:45 +02:00
Alexander Bokovoy
3d0decd9ef ipa-kdb: hint KDC to use aes256-sha1 for forest trust TGT
From https://krbdev.mit.edu/rt/Ticket/Display.html?id=9089
--------
The KDC uses the first local TGT key for the privsvr and full PAC
checksums.  If this key is of an aes-sha2 enctype in a cross-realm
TGT, a Microsoft KDC in the target realm may reject the ticket because
it has an unexpectedly large privsvr checksum buffer.  This behavior
is unnecessarily picky as the target realm KDC cannot and does not
need to very the privsvr checksum, but [MS-PAC] 2.8.2 does limit the
checksum key to three specific enctypes.
--------

Use MIT Kerberos 1.21+ facility to hint about proper enctype for
cross-realm TGT.

Fixes: https://pagure.io/freeipa/issue/9124

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
2023-06-01 15:48:45 +02:00
Julien Rische
7ea3b86696 Filter out constrained delegation ACL from KDB entry
Commit f78dc0b163 was missing an exception for the constrained
delegation ACL TL data type during the principal entry update operation.
This ACL is not meant to be stored as encoded data in krbExtraData.

Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:01:00 +02:00
Julien Rische
bbe545ff9f Tolerate absence of PAC ticket signature depending of server capabilities
Since November 2020, Active Directory KDC generates a new type of
signature as part of the PAC. It is called "ticket signature", and is
generated based on the encrypted part of the ticket. The presence of
this signature is not mandatory in order for the PAC to be accepted for
S4U requests.

However, the behavior is different for MIT krb5. Support was added as
part of the 1.20 release, and this signature is required in order to
process S4U requests. Contrary to the PAC extended KDC signature, the
code generating this signature cannot be isolated and backported to
older krb5 versions because this version of the KDB API does not allow
passing the content of the ticket's encrypted part to IPA.

This is an issue in gradual upgrade scenarios where some IPA servers
rely on 1.19 and older versions of MIT krb5, while others use version
1.20 or newer. A service ticket that was provided by 1.19- IPA KDC will
be rejected when used by a service against a 1.20+ IPA KDC for S4U
requests.

On Fedora, CentOS 9 Stream, and RHEL 9, when the krb5 version is 1.20 or
newer, it will include a downstream-only update adding the
"optional_pac_tkt_chksum" KDB string attribute allowing to tolerate the
absence of PAC ticket signatures, if necessary.

This commit adds an extra step during the installation and update
processes where it adds a "pacTktSignSupported" ipaConfigString
attribute in "cn=KDC,cn=[server],cn=masters,cn=ipa,cn=etc,[basedn]" if
the MIT krb5 version IPA what built with was 1.20 or newer.

This commit also set "optional_pac_tkt_chksum" as a virtual KDB entry
attribute. This means the value of the attribute is not actually stored
in the database (to avoid race conditions), but its value is determined
at the KDC starting time by search the "pacTktSignSupported"
ipaConfigString in the server list. If this value is missing for at
least of them is missing, enforcement of the PAC ticket signature is
disabled by setting "optional_pac_tkt_chksum" to true for the local
realm TGS KDB entry.

For foreign realm TGS KDB entries, the "optional_pac_tkt_chksum" virtual
string attribute is set to true systematically, because, at least for
now, trusted AD domains can still have PAC ticket signature support
disabled.

Given the fact the "pacTktSignSupported" ipaConfigString for a single
server is added when this server is updated, and that the value of
"optional_pac_tkt_chksum" is determined at KDC starting time based on
the ipaConfigString attributes of all the KDCs in the domain, this
requires to restart all the KDCs in the domain after all IPA servers
were updated in order for PAC ticket signature enforcement to actually
take effect.

Fixes: https://pagure.io/freeipa/issue/9371
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:01:00 +02:00
Julien Rische
630cda5c06 kdb: Use krb5_pac_full_sign_compat() when available
In November 2022, Microsoft introduced a new PAC signature type called
"extended KDC signature" (or "full PAC checksum"). This new PAC
signature will be required by default by Active Directory in July 2023
for S4U requests, and opt-out will no longer be possible after October
2023.

Support for this new signature type was added to MIT krb5, but it relies
on the new KDB API introduced in krb5 1.20. For older MIT krb5 versions,
the code generating extended KDC signatures cannot be backported as it
is without backporting the full new KDB API code too. This would have
too much impact to be done.

As a consequence, krb5 packages for Fedora 37, CentOS 8 Stream, and RHEL
8 will include a downstream-only update adding the
krb5_pac_full_sign_compat() function, which can be used in combination
with the prior to 1.20 KDB API to generate PAC extended KDC signatures.

Fixes: https://pagure.io/freeipa/issue/9373
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:01:00 +02:00
Florence Blanc-Renaud
a6f485fcad ACME tests: fix issue_and_expire_acme_cert method
The fixture issue_and_expire_acme_cert is changing the date
on master and client. It also resets the admin password as
it gets expired after the date change.
Currently the code is resetting the password by performing
kinit on the client, which leaves the master with an expired
ticket in its cache. Reset the password on the master instead
in order to have a valid ticket for the next operations.

Fixes: https://pagure.io/freeipa/issue/9383

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2023-05-25 08:32:59 +02:00
Rob Crittenden
abe71fe145 Mention in ipa-client-install that nscd is disabled
Also warn that similar services may also need to be disabled.
An example is an nscd replacement named unscd.

Fixes: https://pagure.io/freeipa/issue/9086

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2023-05-24 17:57:22 -04:00
Jerry James
58173c0213 Change fontawesome-fonts requires to match fontawesome 4.x
fontawesome 6.x is not entirely compatible with 4.x version but in
Fedora the change was made to make 4.x bits FreeIPA depends on to be
forward-ported to 6.x build. This also allows to have common dependency
for all versions.

This patch switches to the common dependency using 'fonts(fontawesome)'.
This works on all Fedora and RHEL versions.

Signed-off-by: Jerry James <loganjerry@gmail.com>
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-05-24 14:08:45 -04:00
Florence Blanc-Renaud
7830ab96cc user or group name: explain the supported format
The commands ipa user-add or ipa group-add validate the
format of the user/group name and display the following
message when it does not conform to the expectations:
invalid 'login': may only include letters, numbers, _, -, . and $

The format is more complex, for instance '1234567' is an invalid
user name but the failure is inconsistent with the error message.
Modify the error message to point to ipa help user/group and add
more details in the help message.

Same change for idoverrideuser and idoverridegroup:
The user/group name must follow these rules:
- cannot contain only numbers
- must start with a letter, a number, _ or .
- may contain letters, numbers, _, ., or -
- may end with a letter, a number, _, ., - or $

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2150217

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-05-23 20:59:03 +02:00
Mohammad Rizwan
edcdcf8345 ipatests: wait for sssd-kcm to settle after date change
In order to expire the ACME cert, system is moved and while
issuing the kinit command, results into failure.

Hence run kinit command repeatedly untill things get settle.

This patch removes the sleep and adds tasks.run_repeatedly()
method instead.

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-05-22 08:02:30 +02:00
Rob Crittenden
81a6b9ad2d Return the <Message> value cert-find failures from the CA
If a cert-find fails on the CA side we get a Message tag
containing a string describing the failure plus the java stack
trace. Pull out the first part of the message as defined by the
first colon and include that in the error message returned to
the user.

The new message will appear as:

$ ipa cert-find
ipa: ERROR: Certificate operation cannot be completed: Unable to search for certificates (500)

vs the old generic message:

ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (500)

This can be reproduced by setting nssizelimit to 100 on the
pkidbuser. The internal PKI search returns err=4 but the CA
tries to convert all values into certificates and it fails. The
value needs to be high enough that the CA can start but low
enough that you don't have to create hundreds of certificates
to demonstrate the issue.

https://pagure.io/freeipa/issue/9369

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2023-05-16 16:23:47 -04:00
Florence Blanc-Renaud
627c1101a0 azure tests: move to fedora 38
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-05-16 14:37:21 -04:00
Michal Polovka
bc39443211 ipatests: commands: Wait for the SSSD to become available
Previous test to test_ssh_key_connection is calling ipa-server-upgrade command,
which restarts all the associated services.
Especially on slower machine, SSSD is not yet online when the SSH connection is attempted.
This results to only cached users being available.
Wait for SSSD to become available before the SSH connection is attempted.

Fixes: https://pagure.io/freeipa/issue/9377

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
2023-05-16 17:32:14 +02:00
Florence Blanc-Renaud
12d1aafe60 Tests: test on f37 and f38
Fedora 38 is now available, move the testing pipelines to
- fedora 38 for the _latest definitions
- fedora 37 for the _previous definitions

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2023-05-11 13:47:46 +02:00
Florence Blanc-Renaud
3a9a5bdae7 idview: improve performance of idview-show
The command ipa idview-show NAME has a post callback
method that replaces the ID override anchor with the corresponding
user name.
For instance the anchor
ipaanchoruuid=:SID:S-1-5-21-3951964782-819614989-3867706637-1114
is replaced with the name of the ad user aduser@ad.test.

The method loops on all the anchors and for each one performs the
resolution, which can be a costly operation if the anchor is for
a trusted user. Instead of doing a search for each anchor, it is
possible to read the 'ipaOriginalUid' value from the ID override
entry.

Fixes: https://pagure.io/freeipa/issue/9372

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-05-08 13:55:15 -04:00
s1341
16a81062ba ipaplatform: add initial nixos support
Fixes: https://pagure.io/freeipa/issue/9299
Signed-off-by: Shmarya Rubenstein <github@shmarya.net>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-05-04 21:30:34 +02:00
Florence Blanc-Renaud
d95c4cf137 spec file: force nodejs < 20 on fedora < 39
On fedora < 39, nodejs 20 is not the default version. As
a consequence, the installation of nodejs20 adds the command
/usr/bin/node-20 instead of /usr/bin/node.
FreeIPA build is using the node command and fails if the
command is missing.

Force nodejs < 20 on fedora < 39 to make sure the node
command is installed.

Fixes: https://pagure.io/freeipa/issue/9374

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-05-04 18:18:26 +02:00
mbhalodi
846c267f58 ipatests: add remove automember condition tests
Related: https://pagure.io/freeipa/issue/9332

Signed-off-by: mbhalodi <mbhalodi@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-05-04 16:12:25 +02:00
Florence Blanc-Renaud
717228c908 Nightly test: add +15min for test_ipahealthcheck
The test test_ipahealthcheck.py::TestIpaHealthcheck frequently
hits its 90min timeout. Extend by 15min to allow completion.

Fixes: https://pagure.io/freeipa/issue/9362
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
2023-05-04 14:31:59 +02:00
Alexander Bokovoy
1c43d914d9 Change doc theme to 'book'
RTD theam is not compatible with Sphinx 7.0+
https://github.com/readthedocs/readthedocs.org/issues/10279

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-05-04 10:52:40 +02:00
Sudhir Menon
76c788274a ipatests: ipa-adtrust-install command test scenarios
This patch includes additional testcase that can be run
against ipa-adtrust-install CLI tool.

test_adtrust_install_with_incorrect_netbios_name
test_adtrust_install_as_regular_ipa_user
test_adtrust_install_with_incorrect_admin_password
test_adtrust_install_with_invalid_rid_base_value
test_adtrust_install_with_invalid_secondary_rid_base
test_adtrust_reinstall_updates_ipaNTFlatName_attribute
test_adtrust_install_without_ipa_installed
test_samba_credential_cache_is_removed_post_uninstall
test_adtrust_install_without_integrated_dns
test_adtrust_install_with_debug_option
test_adtrust_install_cli_without_smbpasswd_file
test_adtrust_install_enable_compat
test_adtrust_install_invalid_ipaddress_option
test_syntax_error_in_ipachangeconf
test_unattended_adtrust_install_uses_default_netbios_name
test_smb_not_starting_post_adtrust_install

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-04-29 13:55:57 +02:00
Rafael Guterres Jeffman
8a7c068300 Fix "no entry" condition when searching PAC info
Fix Covscan-discovered DEADCODE block when searching for PAC info,
caused by a wrong condition being evaluated when entry is a trusted
domain object.

Fixes: https://pagure.io/freeipa/issue/9368

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-04-29 13:52:12 +02:00
Stanislav Levin
3d787c2107 ipasphinx: Correct import of progress_message for Sphinx 6.1.0+
Pylint reports false-negative result for Sphinx 6.1.0+:

```
************* Module ipasphinx.ipabase
ipasphinx/ipabase.py:10: [E0611(no-name-in-module), ] No name 'progress_message' in module 'sphinx.util')
```

Actually `sphinx.util.progress_message` is still available in Sphinx 6.1
but it's deprecated and will be removed in 8.0:
https://www.sphinx-doc.org/en/master/extdev/deprecated.html#deprecated-apis

Related change:
8c5e7013ea

Fixes: https://pagure.io/freeipa/issue/9361
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-04-29 13:50:44 +02:00
Florence Blanc-Renaud
918b6e0117 cert_find: fix call with --all
When ipa cert-find --all is called, the function prints the
certificate public bytes. The code recently switched to OpenSSL.crypto
and the objects OpenSSL.crypto.X509 do not have the method
public_bytes(). Use to_cryptography() to transform into a
cryptography.x509.Certificate before calling public_bytes().

Related: https://pagure.io/freeipa/issue/9331

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-04-29 13:49:09 +02:00
Timo Aaltonen
bdb77a3d81 Drop duplicate includedir from krb5.conf
SSSD already provides a config snippet which includes
SSSD_PUBCONF_KRB5_INCLUDE_D_DIR, and having both breaks Java.

Add also a dependency on sssd-krb5 for freeipa-client.

https://pagure.io/freeipa/issue/9267

Signed-off-by: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-04-28 09:51:56 +02:00
Rob Crittenden
50dd79d1a3 Use the OpenSSL certificate parser in cert-find
cert-find is a rather complex beast because it not only
looks for certificates in the optional CA but within the
IPA LDAP database as well. It has a process to deduplicate
the certificates since any PKI issued certificates will
also be associated with an IPA record.

In order to obtain the data to deduplicate the certificates
the cert from LDAP must be parser for issuer and serial number.
ipaldap has automation to determine the datatype of an
attribute and will use the python-cryptography engine to
decode a certificate automatically if you access
entry['usercertificate'].

The downside is that this is comparatively slow. Here is the
parse time in microseconds:

OpenSSL.crypto 175
pyasn1 1010
python-cryptography 3136

The python-cryptography time is fine if you're parsing one
certificate but if the LDAP search returns a lot of certificates,
say in the thousands, then those microseconds add up quickly.
In testing it took ~17 seconds to parse 5k certificates.

It's hard to overstate just how much better the cryptography
Python interface is. In the case of OpenSSL really the only
certificate fields easily available are serial number, subject
and issuer. And the subject/issuer are in the OpenSSL reverse
format which doesn't compare nicely to the cryptography format.
The DN module can correct this.

Fortunately for cert-find we only need serial number and issuer,
so the OpenSSL module fine. It takes ~2 seconds.

pyasn1 is also relatively faster but switch to it would require
subtantially more effort for less payback.

cert-find when there are a lot of certificates has been
historically slow. It isn't related to the CA which returns
large sets (well, 5k anyway) in a second or two. It was the
LDAP comparision adding tens of seconds to the runtime.

CLI times from before and after:

original:

-------------------------------
Number of entries returned 5011
-------------------------------
real    0m21.155s
user    0m0.835s
sys     0m0.159s

using OpenSSL:

real    0m5.747s
user    0m0.864s
sys     0m0.148s

OpenSSL is forcibly lazy-loaded so it doesn't conflict with
python-requests.  See ipaserver/wsgi.py for the gory details.

Fixes: https://pagure.io/freeipa/issue/9331

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
2023-04-27 11:17:47 -04:00
Rob Crittenden
e2576670e6 Enforce sizelimit in cert-find
The sizelimit option was not being passed into the dogtag
ra_find() command so it always returned all available certificates.

A value of 0 will retain old behavior and return all certificates.

The default value is the LDAP searchsizelimit.

Related: https://pagure.io/freeipa/issue/9331

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
2023-04-27 11:17:47 -04:00
Michal Polovka
1f10aebcc5
ipatest: loginscreen: do not use hardcoded password
Use admin password obtained from local config instead of hardcoded
value, as the password may differ in different testing environments.

https://pagure.io/freeipa/issue/9226

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Erik Belko <ebelko@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-04-20 12:57:32 +02:00
Todd Zullinger
90d0f04987 spec: silence krb5 pkgconf errors in %krb5_base_version
Send stderr of pkgconf to /dev/null rather than printing the following
error text while parsing the spec file:

    Package krb5 was not found in the pkg-config search path.
    Perhaps you should add the directory containing `krb5.pc'
    to the PKG_CONFIG_PATH environment variable
    Package 'krb5', required by 'virtual:world', not found

`BuildRequires: pkgconfig(krb5)` ensures this won't happen when running
a real build.  It simply avoids 4 lines of needless error output when
running something like `fedpkg prep`.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-04-18 15:24:43 +02:00
Todd Zullinger
3b64eaa153 spec: verify upstream source signature
Per the Fedora packaging guidelines¹.

The GPG key was generated using details found on the wiki².  The
following commands can be used to fetch the signing key via fingerprint
and extract it:

    fpr=0E63D716D76AC080A4A33513F40800B6298EB963
    gpg --keyserver keys.openpgp.org --receive-keys $fpr
    gpg --armor --export-options export-minimal --export $fpr >gpgkey-$fpr.asc

¹ https://docs.fedoraproject.org/en-US/packaging-guidelines/#_verifying_signatures
² https://www.freeipa.org/page/Verify_Release_Signature

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-04-18 15:24:43 +02:00
Christian Heimes
d63756eb08 Speed up installer by restarting DS after DNA plugin
DS does not enable plugins unless nsslapd-dynamic-plugins is enabled or
DS is restarted. The DNA plugin creates its configuration entries with
some delay after the plugin is enabled.

DS is now restarted after the DNA plugin is enabled so it can create the
entries while Dogtag and the rest of the system is installing. The
updater `update_dna_shared_config` no longer blocks and waits for two
times 60 seconds for `posix-ids` and `subordinate-ids`.

Fixes: https://pagure.io/freeipa/issue/9358
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-04-18 12:12:47 +02:00
Florence Blanc-Renaud
e2b08433cf ipatests: mark known failures for autoprivategroup
Two tests have known issues in test_trust.py with sssd 2.8.2+:
- TestNonPosixAutoPrivateGroup::test_idoverride_with_auto_private_group
(when called with the "hybrid" parameter)
- TestPosixAutoPrivateGroup::test_only_uid_number_auto_private_group_default
(when called with the "true" parameter)

Related: https://pagure.io/freeipa/issue/9295
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-04-17 15:17:00 -04:00
mbhalodi
304fd55061
ipatests: Test for sequence processing failures with server context
1 : Test to verify that groups have correct userclass when
external is set to true or false with group-add.
2 : After creating a nonposix group verify that all
following group_add calls to add posix groups calls are
not failing with missing attribute.

Related: https://pagure.io/freeipa/issue/9349

Signed-off-by: mbhalodi <mbhalodi@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
2023-04-13 10:51:52 +02:00
Antonio Torres
9c6b4f4445 Extend API documentation
This includes:

* Section about command/param info in usage guide
* Section about metadata retrieval in usage guide
* Guide about differences between CLI and API
* Access control guide (management of roles, privileges and
  permissions).
* Guide about API contexts
* JSON-RPC usage guide and JSON-to-Python conversion
* Notes about types in API Reference

Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-04-06 17:36:18 +02:00
Alexander Bokovoy
cb18ca3169 doc/designs/rbcd.md: document use of S-1-18-* SIDs
Fixes: https://pagure.io/freeipa/issue/9354

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-04-06 08:53:32 +02:00