Commit Graph

46 Commits

Author SHA1 Message Date
Stanislav Laznicka
76e8d7b35d Remove ipapython.nsslib as it is not used anymore
Previous changes allowed the removal of nsslib.

So long, and thanks for all the fish.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 09:43:41 +00:00
Stanislav Laznicka
ac6f573a30 Explicitly remove support of SSLv2/3
It was possible to set tls_version_min/max to 'ssl2' or 'ssl3',
even though newer versions of NSS will fail to set this as a valid
TLS version. This patch explicitly checks for deprecated TLS versions
prior to creating a TLS connection.

Also, we don't allow tls_version_min/max to be set to a random
string anymore.

https://fedorahosted.org/freeipa/ticket/6607

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-02-17 10:04:00 +01:00
Jan Cholasta
0d370a959b pylint: enable the import-error check
Check for import errors with pylint to make sure new python package
dependencies are not overlooked.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-24 14:11:08 +02:00
Martin Basti
0f88f8fe88 Remove unused variables in the code
This commit removes unused variables or rename variables as "expected to
be unused" by using "_" prefix.

This covers only cases where fix was easy or only one unused variable
was in a module

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-27 13:35:58 +02:00
Jan Barta
36484e8672 pylint: fix simplifiable-if-statement warnings
fix inefficient if statements, enable pylint check

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-09-22 16:52:57 +02:00
Martin Basti
da0318d4d7 Pylint: remove unnecessary-semicolon
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
2016-03-22 10:20:51 +01:00
Martin Basti
491447cc5a pylint: remove bare except
Bare except should not be used.

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
2016-03-22 10:20:51 +01:00
Martin Basti
72d5499c5a pylint: supress false positive no-member errors
pylint 1.5 prints many false positive no-member errors which are
supressed by this commit.

https://fedorahosted.org/freeipa/ticket/5615

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-03-02 14:57:36 +01:00
Martin Basti
e1192ebd97 Remove wildcard imports
Wildcard imports should not be used.

Check for wildcard imports has been enabled in pylint.
Pylint note: options 'wildcard-import' causes too much false positive
results, so instead it I used 'unused-wildcard-import' option which has almost
the same effect.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-12-23 07:59:22 +01:00
Martin Basti
e4075b1fe2 Remove unused imports
This patch removes unused imports, alse pylint has been configured to
check unused imports.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-12-23 07:59:22 +01:00
Fraser Tweedale
2be8d2d068 TLS and Dogtag HTTPS request logging improvements
Pretty printing the TLS peer certificate to logs on every request
introduces a lot of noise; do not log it (subject name, key usage
and validity are still logged).

Fix and tidy up some HTTP logging messages for Dogtag requests.

Part of: https://fedorahosted.org/freeipa/ticket/5269

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-11-23 11:05:49 +01:00
Petr Viktorin
6811b4be6a ipapython.nsslib: Remove NSSHTTPS
This workaround is unused in Python 2.7+.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-10-27 17:23:25 +01:00
Petr Viktorin
4ddd1821b6 ipapython.nsslib, ipalib.rpc: Remove code for Python 2.6 and below
IPA hasn't supported these pythons for a while now.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-10-27 17:23:25 +01:00
Petr Viktorin
026b1b5307 Use six.moves.http_client instead of httplib
The module was renamed in Python 3.

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-10-07 10:27:20 +02:00
Petr Viktorin
ad2bc94725 Use six.moves.xmlrpc.client instead of xmlrpclib
The module is renamed to xmlrpc.client in Python 3.

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-10-07 10:27:20 +02:00
Petr Viktorin
8de13bd7dd Use the print function
In Python 3, `print` is no longer a statement. Call it as a function
everywhere, and include the future import to remove the statement
in Python 2 code as well.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-09-01 11:42:01 +02:00
Petr Viktorin
27dabb4528 Modernize 'except' clauses
The 'as' syntax works from Python 2 on, and Python 3 will
drop the "comma" syntax.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-08-12 18:17:23 +02:00
Rob Crittenden
5c0ad221e8 Use NSS protocol range API to set available TLS protocols
Protocols are configured as an inclusive range from SSLv3 through
TLSv1.2. The allowed values in the range are ssl3, tls1.0,
tls1.1 and tls1.2.

This is overridable per client by setting tls_version_min and/or
tls_version_max.

https://fedorahosted.org/freeipa/ticket/4653

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-24 13:09:44 +00:00
Endi S. Dewata
80a8df3f19 Modififed NSSConnection not to shutdown existing database.
The NSSConnection class has been modified not to shutdown the
existing NSS database if the database is already opened to
establish an SSL connection, or is already opened by another
code that uses an NSS database without establishing an SSL
connection such as vault CLIs.

https://fedorahosted.org/freeipa/ticket/4638

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-11 09:09:19 +01:00
Martin Kosek
c4b63dc48a Clear NSS session cache when socket is closed
Even when NSS connection is closed, there may be still cached
certificates in the NSS lib. This may cause subsequent NSS
initialization to crash. This problem especially reproduces in the
unit tests.

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-07-02 16:31:50 +02:00
Tomas Babej
4d2ef43f28 ipaplatform: Move all filesystem paths to ipaplatform.paths module
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:20 +02:00
Petr Viktorin
80886a50e6 ipapython.nsslib: Name arguments to NSPRError
Previously NSPRError was given arguments in the wrong order.
Fix this by naming the arguments.
2013-10-04 15:49:19 +02:00
Jan Cholasta
77bb4b5177 Pylint cleanup.
Add more dynamic attribute info to IPATypeChecker in make-lint. Remove
unnecessary pylint comments. Fix false positivies introduced by Pylint 0.26.

https://fedorahosted.org/freeipa/ticket/3379
2013-01-29 15:39:49 +01:00
Rob Crittenden
fb7575d6b7 Close connection after each request, avoid NSS shutdown problem.
The unit tests were failing when executed against an Apache server
in F-18 due to dangling references causing NSS shutdown to fail.

https://fedorahosted.org/freeipa/ticket/3180
2012-10-24 15:07:53 -04:00
Martin Kosek
4879c68d68 Improve address family handling in sockets
Many functions use low-level socket interface for connection or
various checks. However, most of the time we don't respect
automatic address family detection but rather try to force our
values. This may cause either redundat connection tries when an
address family is disabled on system tries or even crashes
when socket exceptions are not properly caught.

Instead of forcing address families to socket, rather use
getaddrinfo interface to automatically retrieve a list of all
relevant address families and other connection settings when
connecting to remote/local machine or binding to a local port.
Now, we will also fill correctly all connection parameters like
flowinfo and scopeid for IPv6 connections which will for example
prevent issues with scoped IPv6 addresses.

bind_port_responder function was changed to at first try to bind
to IPv6 wildcard address before IPv4 as IPv6 socket is able to
accept both IPv4 and IPv6 connections (unlike IPv4 socket).

nsslib connection was refactored to use nss.io.AddrInfo class to
get all the available connections. Socket is now not created by
default in NSSConnection class initializer, but rather when the
actual connection is being made, becase we do not an address family
where connection is successful.

https://fedorahosted.org/freeipa/ticket/2913
https://fedorahosted.org/freeipa/ticket/2695
2012-07-13 14:25:18 +02:00
Rob Crittenden
536bcd2666 Fix NSS no_init in the NSSHTTPS class 2012-03-04 20:03:21 -05:00
Rob Crittenden
55f89dc689 Do kinit in client before connecting to backend
The client installer was failing because a backend connection could be
created before a kinit was done.

Allow multiple simultaneous connections. This could fail with an NSS
shutdown error when the second connection was created (objects still
in use). If all connections currently use the same database then there
is no need to initialize, let it be skipped.

Add additional logging to client installer.

https://fedorahosted.org/freeipa/ticket/2478
2012-03-04 17:23:01 -05:00
Jan Cholasta
04b8575c52 Add API initialization to ipa-client-install.
This change makes it possible to call IPA commands from ipa-client-install.

Done to support adding SSH host keys to DNS.

https://fedorahosted.org/freeipa/ticket/1634
2012-02-13 22:21:35 -05:00
John Dennis
56401c1abe ticket 2022 - modify codebase to utilize IPALogManager, obsoletes logging
change default_logger_level to debug in configure_standard_logging

add new ipa_log_manager module, move log_mgr there, also export
root_logger from log_mgr.

change all log_manager imports to ipa_log_manager and change
log_manager.root_logger to root_logger.

add missing import for parse_log_level()
2011-11-23 09:36:18 +01:00
Rob Crittenden
a90e50cdf7 Shut down duplicated file handle when HTTP response code is not 200.
httplib purposely keeps the socket open as a file on failed requests. We
need to close this file otherwise nss_shutdown() will fail.

https://fedorahosted.org/freeipa/ticket/1807
2011-09-23 10:49:39 +02:00
Adam Young
5ee93349f6 enable proxy for dogtag
Dogtag is going to be proxied through httpd.  To make this work, it has to support renegotiation of the SSL
connection.  This patch enables renegotiate in the nss configuration file during during apache configuration,
as well as modifies libnss to set the appropriate optins on the ssl connection in order to  renegotiate.

The IPA install uses the internal ports instead of proxying through
httpd since  httpd is not set up yet.

IPA needs to Request the certificate through a port that uses authentication.  On the Dogtag side, they provide an additional mapping for this:   /ca/eeca/ca as opposed tp /ca/ee/ca  just for this purpose.

https://fedorahosted.org/freeipa/ticket/1334

add flag to pkicreate in order to enable using proxy.

add the proxy file in  /etc/http/conf.d/

Signed-off-by: Simo Sorce <ssorce@redhat.com>
2011-08-29 17:54:49 -04:00
Jan Cholasta
f8cb129b93 Remove unused classes.
Removed NSPRConnection and NSPRHTTP from ipapython.nsslib, as they
are not used anywhere in FreeIPA.
2011-04-20 14:36:32 -04:00
Sylvain Baubeau
0832bf5a6a Removed wrong timeout parameter
https://fedorahosted.org/freeipa/ticket/1086

Add Sylvain Baubeau to Contributors.txt
2011-03-18 14:57:29 -04:00
Jakub Hrozek
2e25b2ed27 Make nsslib IPv6 aware 2011-02-21 14:52:25 -05:00
Rob Crittenden
7b71604521 Fix NSS initialization errors during ipa-replica-prepare
When enabling replication we make an SSL connection. I think the way
this goes is python-ldap -> openldap -> NSS. It may be a problem in
the openldap SSL client, maybe it isn't calling NSS_Shutdown(). In any
case if we use ldapi instead the problem goes away.

Back out the temporary code to ignore nss_shutdown errors.

ticket 965
2011-02-18 10:00:03 -05:00
Rob Crittenden
16b8d62968 Fix two problems with ipa-replica-prepare
1. Fix a unicode() problem creating the DNS entries
2. Fix a strange NSS error when generating the certificates against
   a dogtag server.

The NSS errors are quite strange. When generating the first certificate
nss_shutdown() fails because the database isn't initialized yet but
nss_is_initialized() returned True. The second pass fails because
something is in use.
2011-02-14 18:15:35 -05:00
Jakub Hrozek
7493d781df Change FreeIPA license to GPLv3+
The changes include:
 * Change license blobs in source files to mention GPLv3+ not GPLv2 only
 * Add GPLv3+ license text
 * Package COPYING not LICENSE as the license blobs (even the old ones)
   mention COPYING specifically, it is also more common, I think

 https://fedorahosted.org/freeipa/ticket/239
2010-12-20 17:19:53 -05:00
Rob Crittenden
d0ea0bb638 Changes to fix compatibility with Fedora 14
Fedora 14 introduced the following incompatiblities:
- the kerberos binaries moved from /usr/kerberos/[s]/bin to /usr/[s]bin
- the xmlrpclib in Python 2.7 is not fully backwards compatible to 2.6

Also, when moving the installed host service principals:
- don't assume that krbticketflags is set
- allow multiple values for krbextradata

ticket 155
2010-08-31 16:59:27 -04:00
Rob Crittenden
1df10a88cd Add support for client failover to the ipa command-line.
This adds a new global option to the ipa command, -f/--no-fallback. If this
is included then just the server configured in /etc/ipa/default.conf is used.
Otherwise that is tried first then all servers in DNS with the ldap SRV record
are tried.

Create a new Local() Command class for local-only commands. The help
command is one of these. It shouldn't need a remote connection to execute.

ticket #15
2010-08-16 10:35:27 -04:00
Rob Crittenden
b7ca3d68c2 Drop our own PKCS#10 ASN.1 decoder and use the one from python-nss
This patch:
- bumps up the minimum version of python-nss
- will initialize NSS with nodb if a CSR is loaded and it isn't already
  init'd
- will shutdown NSS if initialized in the RPC subsystem so we use right db
- updated and added a few more tests

Relying more on NSS introduces a bit of a problem. For NSS to work you
need to have initialized a database (either a real one or no_db). But once
you've initialized one and want to use another you have to close down the
first one.  I've added some code to nsslib.py to do just that. This could
potentially have some bad side-effects at some point, it works ok now.
2010-07-29 10:50:10 -04:00
Rob Crittenden
8d2d7429be Clean up crypto code, take advantage of new nss-python capabilities
This patch does the following:
- drops our in-tree x509v3 parser to use the python-nss one
- return more information on certificates
- make an API change, renaming cert-get to cert-show
- Drop a lot of duplicated code
2010-07-15 10:51:49 -04:00
John Dennis
31027c6183 use NSS for SSL operations 2010-06-15 15:03:36 -04:00
John Dennis
55422cb7b9 Require current versions of python-nss & python-lxml
ipa.spec.in         |    3 ++-
 ipapython/nsslib.py |    2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
2009-11-23 16:52:06 -05:00
Rob Crittenden
8780751330 Clean up some problems discovered with pylint and pychecker
Much of this is formatting to make pylint happy but it also fixes some
real bugs.
2009-08-12 13:18:15 -04:00
rcrit
9352d2fc10 Add a local implementation of httplib.SSLFile and httplib.FakeSocket
Python 2.6 changed its internal implementation which makes it difficult
to override in a way that is backwards compatible.

508953
2009-07-01 08:51:23 -04:00
Rob Crittenden
484eff1016 Implement an installer for the Dogtag certificate system.
The CA is currently not automatically installed. You have to pass in the
--ca flag to install it.

What works:
- installation
- unistallation
- cert/ra plugins can issue and retrieve server certs

What doesn't work:
- self-signed CA is still created and issues Apache and DS certs
- dogtag and python-nss not in rpm requires
- requires that CS be in the "pre" install state from pkicreate
2009-04-03 14:06:09 -04:00