Commit Graph

3163 Commits

Author SHA1 Message Date
Stanislav Laznicka
6f8d90d97a client: make ipa-client-install py3 compatible
This commit enables ipa-client-install to be installable in
Python 3 and makes it run in Python 3 by default.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2017-08-02 16:13:18 +02:00
Felipe Volpone
75d26e1f01 py3: fixing zonemgr_callback
Since OptionParser behaves differently in Python 2/3,
zonemgr_callback now handles value as str in both version.

https://pagure.io/freeipa/issue/5990

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-07-27 16:48:49 +02:00
Stanislav Laznicka
5a44ca6383 Create a Certificate parameter
Up until now, Bytes parameter was used for certificate parameters
throughout the framework. However, the Bytes parameter does nothing
special for certificates, like validation, so this had to be done
for each of the parameters which were supposed to represent a
certificate.

This commit introduces a special Certificate parameter which takes
care of certificate validation so this does not have to be done
separately. It also makes sure that the certificates represented by
this parameter are always converted to DER format so that we can work
with them in a unified manner throughout the framework.

This commit also makes it possible to pass bytes directly during
instantiation of the Certificate parameter and they are still
represented correctly after their conversion in the _convert_scalar()
method.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Stanislav Laznicka
5ff1de8490 parameters: relax type checks
Previously, the type check of the Param class did only allow
the parameters to only have a value that's of a direct type.
However, that's nonsensically restrictive. For example, if
there's an interface implemented as an `ABCMeta` class then
the check for type fails since the interface's type is
`ABCMeta` instead of directly a `type`. Among others,
this is the case for cryptography.x509.Certificate.

Being a type is a transitive property of a Python object and we
should respect that in our framework.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Stanislav Laznicka
43c74d3333 Introduce load_unknown_x509_certificate()
load_unknown_x509_certificate() serves for the cases where we
can't be sure what the format of its input certificate is. This
is the case for installers, it should not be used anywhere else.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Stanislav Laznicka
b5732efda6 x509: Make certificates represented as objects
https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Stanislav Laznicka
4375ef860f Split x509.load_certificate() into PEM/DER functions
Splitting the load_certificate() function into two separate helps
us word the requirements for the input explicitly. It also makes
our backend similar to the one of python-cryptography so eventually
we can swap python-cryptography for IPA x509 module.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Tomas Krizek
ba5f7afedc logging: make sure logging level is set to proper value
During py.test initialization, the value 'debug' is passed instead
of logging.DEBUG.

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2017-07-26 15:57:56 +02:00
Jan Cholasta
7a482b7c72 logging: do not log into the root logger
Deprecate `ipa_log_manager.root_logger` and replace all calls to it with
module-level logger calls.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
ab9d1e75fc logging: do not reference loggers in arguments and attributes
Remove logger arguments in all functions and logger attributes in all
objects, with the exception of API object logger, which is now deprecated.
Replace affected logger calls with module-level logger calls.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
ffadcb0414 logging: remove object-specific loggers
Remove all object-specific loggers, with the exception of `Plugin.log`,
which is now deprecated. Replace affected logger calls with module-level
logger calls.

Deprecate object-specific loggers in `ipa_log_manager.get_logger`.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
f62a0fdb90 logging: port to standard Python logging
Use the standard `logging` module to configure logging instead of the
in-house `ipapython.log_manager` module and remove `ipapython.log_manager`.

Disable the logging-not-lazy and logging-format-interpolation pylint
checks.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
464516489f logging: do not configure any handlers by default
Do not configure stderr handler by default and let the application do the
configuration.

Fix ipa-dnskeysync-replica and ipa-dnskeysyncd not to add stderr handler
twice.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
ba3963b4dc config: provide defaults for xmlrpc_uri, ldap_uri and basedn
Derive the default value of `xmlrpc_uri` and `ldap_uri` from `server`.
Derive the default value of `basedn` from `domain`.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-07-04 12:06:33 +02:00
Petr Spacek
3f6411a49c ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri, ldap_uri
Domain, realm, basedn, xmlrpc_uri, ldap_uri do not have any reasonable default.
This patch removes hardcoded default so the so the code which depends
on these values blows up early and does not do crazy stuff
with default values instead of real ones.

This should help to uncover issues caused by improper ipalib
initialization.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-07-04 12:06:33 +02:00
Martin Basti
f3537297be Remove network and broadcast address warnings
We cannot reliably determine when an IP Address is network or broadcast.
We allowed to use non-local IP addresses due container use cases, we
don't know subnets of used IP addresses.

https://pagure.io/freeipa/issue/4317

Reviewed-By: David Kupka <dkupka@redhat.com>
2017-06-20 11:29:41 +02:00
Stanislav Laznicka
d665224a85 session_storage: Correctly handle string/byte types
In session_storage.py, store_data() stores data as the bytes data
type but get_data() is returning a string. Have get_data() return
bytes as well.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-09 16:59:53 +02:00
Simo Sorce
77db574cca Add code to be able to set default kinit lifetime
This is done by setting the kinit_lifetime option in default.conf
to a value that can be passed in with the -l option syntax of kinit.

https://pagure.io/freeipa/issue/7001

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-06-07 15:36:26 +02:00
Martin Basti
6637980af6 Only warn when specified server IP addresses don't match intf
In containers local addresses differ from public addresses and we need
a way to provide only public address to installers.

https://pagure.io/freeipa/issue/2715
https://pagure.io/freeipa/issue/4317

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-06-06 18:10:33 +02:00
Stanislav Laznicka
e1f8684e85 rpc: avoid possible recursion in create_connection
There was a recursion in RPCClient.create_connection() which under rare
circumstances would not have an ending condition. This commit removes
it and cleans up the code a bit as well.

https://pagure.io/freeipa/issue/6796

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-06-02 16:43:02 +02:00
Stanislav Laznicka
79d1752577 rpc: preparations for recursion fix
Made several improvements to coding style:
 - same use of KerberosError throughout the module
 - removed some unused variables
 - moved code from try-except blocks if it didn't have to be there
 - preparations for putting most of RPCClient.create_connection()
   to loop

https://pagure.io/freeipa/issue/6796

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-06-02 16:43:02 +02:00
Stanislav Laznicka
81a808caeb Avoid possible endless recursion in RPC call
This commit removes recursion in RPCClient.forward() which may lack
end condition.

https://pagure.io/freeipa/issue/6796

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-06-02 16:43:02 +02:00
Martin Basti
2e63ec42d0 py3: use ConfigParser instead of SafeConfigParser
DeprecationWarning: The SafeConfigParser class has been renamed
to ConfigParser in Python 3.2. This alias will be removed in
future versions. Use ConfigParser directly instead.

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-01 09:24:24 +02:00
Stanislav Laznicka
3b6892783e kdc.key should not be visible to all
While the world certainly is interested in our privates, we
should not just go ahead and show it to them.

https://pagure.io/freeipa/issue/6973

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-05-31 18:18:47 +02:00
Alexander Bokovoy
9c3fad9cef krb5: make sure KDC certificate is readable
When requesting certificate for KDC profile, make sure its public part
is actually readable to others.

Fixes https://pagure.io/freeipa/issue/6973

Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-05-25 14:25:01 +02:00
Jan Cholasta
f769045f0a server install: fix KDC PKINIT configuration
Set `pkinit_pool` in `kdc.conf` to a CA certificate bundle of all CAs known
to IPA.

Make sure `cacert.pem` is exported in all installation code paths.

Use the KDC certificate itself as a PKINIT anchor in `login_password`.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
01a7416d30 install: trust IPA CA for PKINIT
Trust IPA CA to issue PKINIT KDC and client authentication certificates in
the IPA certificate store.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
52730c786f certdb: use custom object for trust flags
Replace trust flag strings with `TrustFlags` objects. The `TrustFlags`
class encapsulates `certstore` key policy and has an additional flag
indicating the presence of a private key.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
21f4cbf8da renew agent: get rid of virtual profiles
Replace all uses of virtual profiles with `dogtag-ipa-ca-renew-agent-reuse`
and remove profile from the IPA CA certificate tracking request.

This prevents virtual profiles from making their way into CSRs and in turn
being rejected by certain CAs. This affected the IPA CA CSR with Microsoft
CS in particular.

https://pagure.io/freeipa/issue/5799

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-15 12:14:28 +02:00
Stanislav Laznicka
33b3d7ad7a
cert-show: writable files does not mean dirs
ipalib.util.check_writable_file didn't check whether the argument
is an actual file which is now fixed.

https://pagure.io/freeipa/issue/6883

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-05-10 13:16:01 +02:00
Martin Basti
05984f171b ca_status: add HTTP timeout 30 seconds
CA sometimes "forgot to answer" so we have to add timeout for http
connection and ask again rather than wait for infinity.

https://pagure.io/freeipa/issue/6766

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-04 14:09:50 +02:00
Stanislav Laznicka
92313c9e9d Remove the cachedproperty class
The cachedproperty class was used in one special use-case where it only
caused issues. Let's get rid of it.

https://pagure.io/freeipa/issue/6878

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-05-02 17:33:25 +02:00
Thorsten Scherf
e3f849d541 Fixed typo in ipa-client-install output
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-02 13:41:20 +02:00
Martin Babinsky
3adb9ca875 Use only anonymous PKINIT to fetch armor ccache
Since the anonymous principal can only use PKINIT to fetch credential
cache it makes no sense to try and use its kerberos key to establish
FAST channel.

We should also be able to use custom PKINIT anchor for the armoring.

https://pagure.io/freeipa/issue/6830

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2017-04-28 08:38:12 +00:00
Martin Basti
e8f2a415b3 Fix PKCS11 helper
Slots in HSM are not assigned statically, we have to chose proper
slot from token label.

Softhsm i2.2.0 changed this behavior and now slots can change over
time (it is allowed by pkcs11 standard).

Changelog:
* created method get_slot() that returns slot number from
  used label
* replaces usage of slot in __init__ method of P11_Helper
  with label
* slot is dynamically detected from token label before
  session is opened
* pkcs11-util --init-token now uses '--free' instead '--slot'
  which uses first free slot (we don't care about slot numbers
  anymore)

https://pagure.io/freeipa/issue/6692

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-04-12 09:54:10 +02:00
Jan Cholasta
2b33230f66 setup, pylint, spec file: drop python-nss dependency
Remove the unused python-nss dependency.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-03-31 12:20:35 +02:00
Jan Cholasta
9183cf2a75 certdb: use certutil and match_hostname for cert verification
Use certutil and ssl.match_hostname calls instead of python-nss for
certificate verification.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-03-31 12:20:35 +02:00
Gabe
274b0bcf5f Add --password-expiration to allow admin to force user password expiration
- Allows an admin to easily force a user to expire their password forcing the user to change it immediately or at a specified time in the future

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-31 12:19:40 +02:00
Simo Sorce
d63326632b
Prevent churn on ccaches
We slice down the received cookie so that just the content that matter
is preserved. Thi is ok because servers can't trust anything else anyway
and will accept a cookie with the ancillary data missing.

By removing variable parts like the expiry component added by
mod_session or the Expiration or Max-Age metadata we keep only the part
of the cookie that changes only when a new session is generated.

This way when storing the cookie we actually add a new entry in the
ccache only when the session actually changes, and this prevents churn
on FILE based ccaches.

Related https://pagure.io/freeipa/issue/6775

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-03-28 13:36:30 +02:00
Simo Sorce
fbbeb132bf
Handle failed authentication via cookie
If cookie authentication fails and we get back a 401 see if we
tried a SPNEGO auth by checking if we had a GSSAPI context. If not
it means our session cookie was invalid or expired or some other
error happened on the server that requires us to try a full SPNEGO
handshake, so go ahead and try it.

Fixes https://pagure.io/freeipa/issue/6775

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-03-28 13:36:30 +02:00
Christian Heimes
b2bdd2e1a9
Add debug logging for keep-alive
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-20 19:24:28 +01:00
Christian Heimes
7beb6d1cad
Use connection keep-alive
Do not forcefully close the connection after every request. This enables
HTTP connection keep-alive, also known as persistent TCP and TLS/SSL
connection. Keep-alive speed up consecutive HTTP requests by 15% (for
local, low-latency network connections to a fast server) to multiple
times (high latency connections or remote peers).

https://pagure.io/freeipa/issue/6641

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-20 19:24:28 +01:00
Stanislav Laznicka
0bb858ea77
Add debug log in case cookie retrieval went wrong
https://pagure.io/freeipa/issue/6774

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-20 19:16:30 +01:00
Jan Cholasta
98bb5397c5 vault: cache the transport certificate on client
Cache the KRA transport certificate on disk (in ~/.cache/ipa) as well as
in memory.

https://fedorahosted.org/freeipa/ticket/6652

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-03-13 16:02:16 +01:00
Jan Cholasta
8295848bfe rpc: fix crash in verbose mode
Fix a crash caused by feeding incorrect data to `json.dumps()` in
`JSONServerProxy.__request()` introduced by commit
8159c2883b.

https://pagure.io/freeipa/issue/6734

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-13 15:44:44 +01:00
Jan Cholasta
2fc9feddd0 install: re-introduce option groups
Re-introduce option groups in ipa-client-install, ipa-server-install and
ipa-replica-install.

https://pagure.io/freeipa/issue/6392

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-13 10:12:40 +01:00
Jan Cholasta
5efa55c88d install: add missing space in realm_name description
https://pagure.io/freeipa/issue/6392

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-13 10:12:40 +01:00
Jan Cholasta
5d489ac560 pylint_plugins: add forbidden import checker
Add new pylint AST checker plugin which implements a check for imports
forbidden in IPA. Which imports are forbidden is configurable in pylintrc.

Provide default forbidden import configuration and disable the check for
existing forbidden imports in our code base.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-10 13:04:59 +01:00
Simo Sorce
7cab959555 Store session cookie in a ccache option
Instead of using the kernel keyring, store the session cookie within the
ccache. This way kdestroy will really wipe away all credentials.

Ticket: https://pagure.io/freeipa/issue/6661

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-03-10 12:40:08 +01:00
Stanislav Laznicka
fda22c3344
Don't use weak ciphers for client HTTPS connections
https://pagure.io/freeipa/issue/6730

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-09 10:27:55 +01:00