Commit Graph

498 Commits

Author SHA1 Message Date
Milan Kubík
8e83b9715a ipapython: Extend kinit_password to support principal canonicalization
In order to authenticate with a principal alias it is necessary
to request canonicalization of the principal. This patch extends
the kinit_password with this option.

The option to indicate enterprise principal has been added as well.

https://fedorahosted.org/freeipa/ticket/6142

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-07-29 09:04:42 +02:00
Martin Basti
f8bf8a6240 Use copy when replacing files to keep SELinux context
When installer replaces any file with newer, it must use 'copy' instead of
'mv' to keep SELinux context valid.

https://fedorahosted.org/freeipa/ticket/6111

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-07-22 16:46:55 +02:00
Florence Blanc-Renaud
bc7eb99a29 Fix session cookies
The CLI was not using session cookies for communication with IPA API.
The kernel_keyring code was expecting the keyname to be a string, but
in python 2 a unicode was supplied (the key is built using
ipa_session_cookie:%principal and principal is a unicode).

The patch fixes the assertions, allowing to store and retrieve the cookie.
It also adds a test with unicode key name.

https://fedorahosted.org/freeipa/ticket/5984

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-07-22 16:30:32 +02:00
Fraser Tweedale
b12db92414 Create server and host certs with DNS altname
Currently server (HTTP / LDAP) certs are created without a Subject
Alternative Name extension during server install, replica prepare
and host enrolment, a potentially problematic violation of RFC 2818.

Add the hostname as a SAN dNSName when these certs are created.

(Certmonger adds an appropriate request extension when renewing the
certificate, so nothing needs to be done for renewal).

Fixes: https://fedorahosted.org/freeipa/ticket/4970
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-07-19 14:18:04 +02:00
Petr Spacek
5e78b54d7c Fix internal errors in host-add and other commands caused by DNS resolution
Previously resolver was returning CheckedIPAddress objects. This
internal server error in cases where DNS actually returned reserved IP
addresses.

Now the resolver is returning UnsafeIPAddress objects which do syntactic
checks but do not filter IP addresses.

From now on we can decide if some IP address should be accepted as-is or
if it needs to be contrained to some subset of IP addresses using
CheckedIPAddress class.

This regression was caused by changes for
https://fedorahosted.org/freeipa/ticket/5710

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-07-01 10:35:39 +02:00
Petr Spacek
ce1f9ca51b Remove unused is_local(), interface, and defaultnet from CheckedIPAddress
All these were unused so I'm removing them to keep the code clean and
easier to read. At this point it is clear that only difference between
netaddr.IPAddress and CheckedIPAddress is prefixlen attribute.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-07-01 10:35:39 +02:00
Martin Babinsky
974eb7b5ef ipalib: introduce Principal parameter
This patch introduces a separate Principal parameter that allows the framework
to syntactically validate incoming/outcoming principals by using a single
shared codebase.

https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 09:37:25 +02:00
Martin Babinsky
de6abc7af2 ipapython module for Kerberos principal manipulation and parsing
This module implements a shared codebase to handle various types of Kerberos
principal names encountered during management of users, hosts nad services.
Common codebase aims to replace various ad-hoc functions and routines
scattered along the management framework.

https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 09:37:25 +02:00
Florence Blanc-Renaud
3c40d3aa9e Do not allow installation in FIPS mode
https://fedorahosted.org/freeipa/ticket/5761

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2016-06-29 16:17:27 +02:00
Petr Spacek
7be50ea715 Use NSS for name->resolution in IPA installer
This fixes scenarios where IPA server is not able to resolve own name
and option --ip-address was not specified by the user.

This partially reverts changes from commit
dc405005f5

https://fedorahosted.org/freeipa/ticket/5962

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-29 14:19:59 +02:00
Fraser Tweedale
f0b1e37d2e ipaldap: turn LDAP filter utility functions into class methods
The LDAP filter utilities do not use any instance attributes, so
collectively turn them into class methods to promote reuse.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-29 08:52:29 +02:00
Jan Cholasta
4284d4fb4d plugable: support plugin versioning
Allow multiple incompatible versions of a plugin using the same name. The
current plugins are assumed to be version '1'.

The unique identifier of plugins was changed from plugin name to plugin
name and version. By default, the highest version available at build time
is used. If the plugin is an unknown remote plugin, version of '1' is used
by default.

https://fedorahosted.org/freeipa/ticket/4427

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-28 13:30:49 +02:00
Jan Barta
94909d21db pylint: fix: multiple-statements
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-06-21 13:51:28 +02:00
Jan Cholasta
b484667d15 ldap: fix handling of binary data in search filters
This fixes a UnicodeDecodeError when passing non-UTF-8 binary data to
LDAPClient.make_filter() and friends.

https://fedorahosted.org/freeipa/ticket/5381

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-06-21 09:45:20 +02:00
Yuri Chornoivan
a95e0777ac Fix minor typos
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-20 13:49:32 +02:00
Yuri Chornoivan
dd6645afa9 Fix minor typos
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-16 08:47:20 +02:00
David Kupka
9f48c39649 installer: index() raises ValueError
Expecting IndexError instead of ValueError led to traceback instead of correctly
reporting the error situation.

https://fedorahosted.org/freeipa/ticket/5945

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-13 18:04:40 +02:00
Martin Basti
971b4bf009 Fix resolve_rrsets: RRSet is not hashable
We cannot use set() with RRSet objects, because RRSet object is not
hashable. A set was replaced by list.

https://fedorahosted.org/freeipa/ticket/5710

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-09 15:42:10 +02:00
Florence Blanc-Renaud
53524fbbff add context to exception on LdapEntry decode error
When reading the content of an invalid LDAP entry, the exception
only displays the attribute name and value, but not the DN of the entry.
Because of this, it is difficult to identify the root cause of the
problem.

The fix raises a ValueError exception which also contains the entry DN.

https://fedorahosted.org/freeipa/ticket/5434

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-06-09 14:31:40 +02:00
Fraser Tweedale
4660bb7ff0 Add custodia store for lightweight CA key replication
Due to limitations in Dogtag's use of NSSDB, importing private keys
must be done by the Dogtag Java process itself.  This requires a
PKIArchiveOptions format (signing key wrapped with host CA key) -
PKCS #12 cannot be used because that would require decrypting the
key in Dogtag's memory, albeit temporarily.

Add a new custodia store that executes a 'pki' command to acquire
the wrapped key.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-09 09:04:27 +02:00
Fraser Tweedale
0d37d230c0 Optionally add service name to Custodia key DNs
Lightweight CAs support introduces new service principals for
Dogtag, with Custodia keys.  The current Custodia key creation uses
a DN that contains only they key type and the hostname, so keys for
multiple services on the same host cannot be created.

Add the 'generate_keys' method to generate keys for a host or an
arbitrary service.  When a service name is given, add the key
entries in a nested container with RDN 'cn=<service name>'.  (The
container is assumed to exist).

This change does not affect searching because subtree search is
used, filtering on the ipaKeyUsage and memberPrincipal attributes.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-09 09:04:27 +02:00
Fraser Tweedale
f94ccca676 Allow CustodiaClient to be used by arbitrary principals
Currently CustodiaClient assumes that the client is the host
principal, and it is hard-coded to read the host keytab and server
keys.

For the Lightweight CAs feature, Dogtag on CA replicas will use
CustodiaClient to retrieve signing keys from the originating
replica.  Because this process runs as 'pkiuser', the host keys
cannot be used; instead, each Dogtag replica will have a service
principal to use for Custodia authentication.

Update CustodiaClient to require specifying the client keytab and
Custodia keyfile to use, and change the client argument to be a full
GSS service name (instead of hard-coding host service) to load from
the keytab.  Update call sites accordingly.

Also pass the given 'ldap_uri' argument through to IPAKEMKeys
because without it, the client tries to use LDAPI, but may not have
access.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-08 10:16:28 +02:00
Petr Spacek
e45a80308c DNS upgrade: change global forwarding policy in LDAP to "only" if private IPs are used
This change is necessary to override automatic empty zone configuration
in latest BIND and bind-dyndb-ldap 9.0+.

This procedure is still not complete because we need to handle global
forwarders in named.conf too (independently on each server).

https://fedorahosted.org/freeipa/ticket/5710

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-05-30 20:14:32 +02:00
Petr Spacek
c978ad5b42 Add function ipapython.dnsutil.related_to_auto_empty_zone()
It allows to test if given DNS name is sub/super domain
of an automatic empty zone.

https://fedorahosted.org/freeipa/ticket/5710

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-05-30 20:14:32 +02:00
Petr Spacek
dc405005f5 Move IP address resolution from ipaserver.install.installutils to ipapython.dnsutil
This is to make it reusable from other modules and to avoid future code
duplication.

https://fedorahosted.org/freeipa/ticket/5710

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-05-30 20:14:32 +02:00
Petr Spacek
0c75df4bf3 Move check_zone_overlap() from ipapython.ipautil to ipapython.dnsutil
This is preparatory work to avoid (future) cyclic import between
ipapython.dnsutil and ipapython.ipautil.

https://fedorahosted.org/freeipa/ticket/5710

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-05-30 20:14:32 +02:00
Petr Viktorin
c192c1ae3e ipaldap: Convert dict items to list before iterating
In Python 3, dict.items() returns a view.
When such a view is iterated over, the dict cannot change size.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-05-30 16:44:08 +02:00
Petr Viktorin
75d0a73bbc ipapython.secrets.kem: Use ConfigParser from six.moves
In Python 3, the module name changed from 'ConfigParser' to
'configparser'. Use the appropriate location from six.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-05-30 16:44:08 +02:00
Petr Viktorin
36094b2a54 ipaldap: Keep attribute names as text, not bytes
Part of the work for: https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-05-30 16:44:08 +02:00
Martin Basti
93332bcf4d Remove unused variable and finally block in SchemaCache
Handling exceptions in python is expensive operation, removing of
uneeded finally block is good for performance.

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-05-12 11:18:40 +02:00
Abhijeet Kasurde
51db9380cf Removed custom implementation of CalledProcessError
Removed custom class of CalledProcessError which was required for
Python versions prior to 2.5

Fixes: https://fedorahosted.org/freeipa/ticket/5717

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-05-10 09:47:06 +02:00
Petr Spacek
c7ee765c4d Add function ipapython.dnsutil.inside_auto_empty_zone()
It allows to test if given DNS name belongs to an automatic empty zone.

https://fedorahosted.org/freeipa/ticket/5710

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-04-28 18:46:06 +02:00
Petr Spacek
1df30b4646 Use shared sanity check and tests ipapython.dnsutil.is_auto_empty_zone()
https://fedorahosted.org/freeipa/ticket/5710

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-04-28 18:46:06 +02:00
Petr Spacek
6752d6404a Move function is_auto_empty_zone() into ipapython.dnsutil
I'm going to extend this so it is better to have it in module.
At the same time it is now using shared assert_absolute_dnsname()
helper.

https://fedorahosted.org/freeipa/ticket/5710

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-04-28 18:46:06 +02:00
Petr Spacek
41464b74f4 Add assert_absolute_dnsname() helper to ipapython.dnsutil
Sanity check for zone names and such should be the same everywhere.
This new function will be a replacement for ad-hoc checks.

https://fedorahosted.org/freeipa/ticket/5710

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-04-28 18:46:06 +02:00
Petr Spacek
bd32b48eb0 Move automatic empty zone list into ipapython.dnsutil and make it reusable
https://fedorahosted.org/freeipa/ticket/5710

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-04-28 18:46:06 +02:00
Petr Spacek
9ee6d379c4 Remove function ipapython.ipautil.host_exists()
The function duplicated ipalib.util.verify_host_resolvable() in slightly
incompatible way because it used NSS while rest of IPA is using only DNS.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-04-28 18:46:06 +02:00
Petr Viktorin
05cb4ba4e9 sysrestore: Iterate over a list of dict keys
In Python 3, dict.keys() returns a key view. It is not safe to delete
dict keys when iterating over this view.

Convert the keys to list first.

Part of the work for https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-04-28 16:22:07 +02:00
Martin Basti
c5686295f1 Always set hostname
This prevents cases when hostname on system is set inconsistently
(transient and static hostname differs) and may cause IPA errors.

This commit ensures that all hostnames are set properly.

https://fedorahosted.org/freeipa/ticket/5794

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-04-26 14:01:42 +02:00
Martin Basti
70fd78928c Use netifaces module instead of 'ip' command
Netifaces allows to get addresses from local interfaces of the host in
safer way than parsing output of the ip command.

https://fedorahosted.org/freeipa/ticket/5591

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-04-14 13:53:27 +02:00
Martin Babinsky
1f0959735f differentiate between limit types when LDAP search exceeds configured limits
When LDAP search fails on exceeded limits, we should raise an specific
exception for the type of limit raised (size, time, administrative) so that
the consumer can distinguish between e.g. searches returning too many entries
and those timing out.

https://fedorahosted.org/freeipa/ticket/5677

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-04-13 17:52:22 +02:00
Martin Basti
d1e29fe60e Fix: catch Exception instead of more specific exception types
Regression caused by commit 491447cc5a,
ValueErrori and AttributeError are too much specific for these cases, multiple types of
exception can be raised.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-03-22 17:33:02 +01:00
Martin Basti
da0318d4d7 Pylint: remove unnecessary-semicolon
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
2016-03-22 10:20:51 +01:00
Martin Basti
b66028af18 Pylint: import max one module per line
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
2016-03-22 10:20:51 +01:00
Martin Basti
491447cc5a pylint: remove bare except
Bare except should not be used.

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
2016-03-22 10:20:51 +01:00
Jan Cholasta
54a59475f3 certdb: never use the -r option of certutil
The -r option makes certutil output certificates in DER. If there are
multiple certificates sharing the same nickname, certutil will output
them concatenated into a single blob. The blob is not a valid DER
anymore and causes failures further in the code.

Use the -a option instead to output the certificates in PEM and convert
them to DER on demand.

https://fedorahosted.org/freeipa/ticket/5117
https://fedorahosted.org/freeipa/ticket/5720

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-03-16 09:35:44 +01:00
Petr Viktorin
272ff9d1f7 ipapython.sysrestore: Use str methods instead of functions from the string module
For historical reasons, the string module contained some functions
that mirror methods of the str type. These are eremoved in Python 3.

Use str methods instead.

Part of the work for https://fedorahosted.org/freeipa/ticket/5638

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-03-03 10:31:55 +01:00
Petr Viktorin
8df86d5bff Move get_ipa_basedn from ipautil to ipadiscovery
The function wasn't used anywhere else.

Part of the work for https://fedorahosted.org/freeipa/ticket/5638

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-03-03 10:31:55 +01:00
Martin Basti
72d5499c5a pylint: supress false positive no-member errors
pylint 1.5 prints many false positive no-member errors which are
supressed by this commit.

https://fedorahosted.org/freeipa/ticket/5615

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-03-02 14:57:36 +01:00
Petr Vobornik
25c53ba3fe cookie parser: do not fail on cookie with empty value
https://fedorahosted.org/freeipa/ticket/5709

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-03-01 14:16:08 +01:00