When service-find was issued under Python 3, the command fails
because it tried to sort a list of Principal objects which was not
possible.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
To know what to focus on when some check fail. E.g. to detect that
IPv6 address or its resolution for localhost is misconfigured.
https://pagure.io/freeipa/issue/7083
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
host_port_open copied logging behavior of ipa-replica-conncheck utility
which doesn't make it much reusable.
Now log level can be controlled from caller so other callers might use
other logging level without host_port_open guessing what was the
intention.
https://pagure.io/freeipa/issue/7083
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Certificates, both in PEM and DER format, should be handled as bytes
in Python 3.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Up until now, Bytes parameter was used for certificate parameters
throughout the framework. However, the Bytes parameter does nothing
special for certificates, like validation, so this had to be done
for each of the parameters which were supposed to represent a
certificate.
This commit introduces a special Certificate parameter which takes
care of certificate validation so this does not have to be done
separately. It also makes sure that the certificates represented by
this parameter are always converted to DER format so that we can work
with them in a unified manner throughout the framework.
This commit also makes it possible to pass bytes directly during
instantiation of the Certificate parameter and they are still
represented correctly after their conversion in the _convert_scalar()
method.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Splitting the load_certificate() function into two separate helps
us word the requirements for the input explicitly. It also makes
our backend similar to the one of python-cryptography so eventually
we can swap python-cryptography for IPA x509 module.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
During py.test initialization, the value 'debug' is passed instead
of logging.DEBUG.
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
Replace all `ipa_log_manager.log_mgr.get_logger` calls to create
module-level loggers with `logging.getLogger` calls and deprecate
`ipa_log_manager.log_mgr.get_logger`.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Remove logger arguments in all functions and logger attributes in all
objects, with the exception of API object logger, which is now deprecated.
Replace affected logger calls with module-level logger calls.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Remove all object-specific loggers, with the exception of `Plugin.log`,
which is now deprecated. Replace affected logger calls with module-level
logger calls.
Deprecate object-specific loggers in `ipa_log_manager.get_logger`.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Use the actual root logger (`logging.getLogger()`) rather than the `ipa`
logger (or the `root` logger in case of ipa-ods-exporter) as the root
logger.
Always configure logging on the root logger.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Use the standard `logging` module to configure logging instead of the
in-house `ipapython.log_manager` module and remove `ipapython.log_manager`.
Disable the logging-not-lazy and logging-format-interpolation pylint
checks.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Do not configure stderr handler by default and let the application do the
configuration.
Fix ipa-dnskeysync-replica and ipa-dnskeysyncd not to add stderr handler
twice.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Changed deletion of edges in remove_vertex method because there's no
need to store redundant variable in memory.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Hi!
I've just read the code and I saw that graph bfs uses not optimal
for Python solution. So I've edited it with more optimal one.
https://pagure.io/freeipa/issue/7051
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
LDAPClient should be used for ad-hoc connections, so the argument is not
necessary, and currently also unused.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
in py3 we are receiving ugly tracebacks due __del__ method that
should be used very carefully or never. Due tracebacks, this doesn't
work and context manager should be used for reliable connection
termination.
Exception ignored in: <bound method LDAPClient.__del__ of ipaserver.plugins.ldap2.ldap2()>
Traceback (most recent call last):
File "/usr/lib/python3.5/site-packages/ipapython/ipaldap.py", line 1057, in __del__
File "/usr/lib/python3.5/site-packages/ipaserver/plugins/ldap2.py", line 123, in close
File "/usr/lib/python3.5/site-packages/ipalib/backend.py", line 94, in isconnected
NameError: name 'hasattr' is not defined
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
It was hard to detect what is supposed to be in self._orig variable.
Renaming to _orig_raw makes clear for future generations that it
contains bytes.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
python-netifaces now provides IPv6 netmask in format mask/prefix. It
breaks freeipa as it is unexpected format for python-netaddr. We must
split netmask and provide only prefix for netaddr.
https://pagure.io/freeipa/issue/7021
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
ipa-dns-install uses ip_netmask=False --> parse_netmask=False, other installers uses default (parse_netmask=True).
Use this consistent accross all installers.
Also this option is unused (and shouldn't be used).
https://pagure.io/freeipa/issue/4317
Reviewed-By: David Kupka <dkupka@redhat.com>
This parameter is unused in code. We are no longer testing if IP address
matches an interface in constructor.
https://pagure.io/freeipa/issue/4317
Reviewed-By: David Kupka <dkupka@redhat.com>
Previously bf9886a84393d1d1546db7e49b102e08a16a83e7 match_local has
undesirable side effect that CheckedIPAddress object has set self._net
from local interface.
However with the recent changes, match_local is usually set to False,
thus this side effect stops happening and default mask per address class
is used. This causes validation error because mask on interface and mask
used for provided IP addresses differ (reporducible only with classless
masks).
FreeIPA should compare only IP addresses with local addresses without masks
https://pagure.io/freeipa/issue/4317
Reviewed-By: David Kupka <dkupka@redhat.com>
KDC cert validation was added but provides rather non-descriptive
error should there be something wrong with a certificate. Pass
the error message from the `openssl` tool in such cases.
https://pagure.io/freeipa/issue/6945
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Previous attempt to improve error messages during certificate
validation would only work in English locale so we're keeping
the whole NSS messages for all cases.
https://pagure.io/freeipa/issue/6945
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
In session_storage.py, store_data() stores data as the bytes data
type but get_data() is returning a string. Have get_data() return
bytes as well.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
If the Subject DN is syntactically valid but contains unrecognised
name attributes, FreeIPA accepts it but Dogtag rejects it, returning
status 400 and causing the framework to raise RemoteRetrieveError.
Update the ca-add command to perform some additional validation on
the user-supplied Subject DN, making sure that we recognise all the
attributes.
Fixes: https://pagure.io/freeipa/issue/6987
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
CA certificates MUST have the Subject Key Identifier extension to
facilitiate certification path construction. Not having this
extension on the IPA CA certificate will cause failures in Dogtag
during signing; it tries to copy the CA's Subject Key Identifier to
the new certificate's Authority Key Identifier extension, which
fails.
When installing an externally-signed CA, check that the Subject Key
Identifier extension is present in the CA certificate.
Fixes: https://pagure.io/freeipa/issue/6976
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Verify that the provided certificate has the extended key usage and subject
alternative name required for KDC.
https://pagure.io/freeipa/issue/6831https://pagure.io/freeipa/issue/6869
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Trust IPA CA to issue PKINIT KDC and client authentication certificates in
the IPA certificate store.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Replace trust flag strings with `TrustFlags` objects. The `TrustFlags`
class encapsulates `certstore` key policy and has an additional flag
indicating the presence of a private key.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Make the trust flags argument mandatory in all functions in `certdb` and
`certs`.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Add named constants for common trust flag combinations.
Use the named constants instead of trust flags strings in the code.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
When the certificate validation was replaced, some error messages
were omitted (like "Peer's certificate expired."). Bring these back.
https://pagure.io/freeipa/issue/6945
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Signed-off-by: David Kreitschmann <david@kreitschmann.de>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
CA sometimes "forgot to answer" so we have to add timeout for http
connection and ask again rather than wait for infinity.
https://pagure.io/freeipa/issue/6766
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
httplib.HTTPConnection supports timeout option so _httplib_request can
be updated to allow passing connection keyword arguments to
connection_factory.
We need connection timeout for cases when reply from server is not
received on time to ask again and not to wait for infinity.
https://pagure.io/freeipa/issue/6766
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
`NSSDatabase.verify_ca_cert_validity` tries to access a property of basic
constraints extension on the extension object itself rather than its value.
Access the attribute on the correct object to fix the issue.
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
