Commit Graph

10706 Commits

Author SHA1 Message Date
Ben Lipton
a26cf0d791 tests: Add tests for CSR autogeneration
This patch also contains some code changes to make the code easier to
test and to make the tests pass.

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-31 10:20:28 +01:00
Ben Lipton
afd7c05d11 csrgen: Use data_sources option to define which fields are rendered
This removes the ipa.syntaxrule and ipa.datarule macros in favor of
simple 'if' statements based on the data referenced in the rules. The
'if' statement for a syntax rule is generated based on the data rules it
contains.

The Subject DN should not be generated unless all data rules are in
place, so the ability to override the logical operator that combines
data_sources (from 'or' to 'and') is added.

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-31 10:20:28 +01:00
Ben Lipton
f1a1c6eca1 csrgen: Add a CSR generation profile for user certificates
https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-31 10:20:28 +01:00
Ben Lipton
fc58eff6a3 csrgen: Add CSR generation profile for caIPAserviceCert
https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-31 10:20:28 +01:00
Ben Lipton
10ef594786 csrgen: Add code to generate scripts that generate CSRs
Adds a library that uses jinja2 to format a script that, when run, will
build a CSR. Also adds a CLI command, 'cert-get-requestdata', that uses
this library and builds the script for a given principal. The rules are
read from json files in /usr/share/ipa/csr, but the rule provider is a
separate class so that it can be replaced easily.

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-31 10:20:28 +01:00
Jan Cholasta
87400cdec1 ipa-ca-install: do not fail without --subject-base and --ca-subject
When --subject-base and --ca-subject are not specified in ipa-ca-install,
default values are used. DN objects are used as the default values in
ipa-ca-install, but the CA installer expects the values to be strings. This
causes ipa-ca-install to fail unless both --subject-base and --ca-subject
are specified.

Convert the DN objects to strings to fix the issue.

https://fedorahosted.org/freeipa/ticket/2614

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-01-31 07:18:39 +01:00
Martin Babinsky
86f4a93fb3 Explicitly handle quoting/unquoting of NSSNickname directive
Improve the single/double quote handling during parsing/unparsing of
nss.conf's NSSNickname directive. Single quotes are now added/stripped
explicitly when handling the certificate nickname.

https://fedorahosted.org/freeipa/ticket/6460

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2017-01-25 15:02:16 +01:00
Martin Babinsky
2831b30e9a Delegate directive value quoting/unquoting to separate functions
Separate functions were added to installutils module to quote/unquote a
string in arbitrary characters.

`installutils.get/set_directive` functions will use them to enclose
the directive values in double quotes/strip the double quotes from
retrieved values to maintain the original behavior.

These functions can be used also for custom quoting/unquoting of
retrieved values when desired.

https://fedorahosted.org/freeipa/ticket/6460

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2017-01-25 15:02:16 +01:00
Martin Babinsky
517d43e78b installutils: improve directive value parsing in get_directive
`get_directive` value parsing was improved in order to bring its logic
more in-line to changes in `set_directive`: a specified quoting
character is now unquoted and stripped from the retrieved value. The
function will now also error out when malformed directive is
encountered.

https://fedorahosted.org/freeipa/ticket/6460

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2017-01-25 15:02:16 +01:00
Martin Babinsky
e1ed8b5eff Fix the installutils.set_directive docstring
Add missing parameter descriptions and fix incorrect indentation

https://fedorahosted.org/freeipa/ticket/6460

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2017-01-25 15:02:16 +01:00
Jan Cholasta
85834abad6 cert: fix search limit handling in cert-find
If search limits are not specified in cert-find, use the configured limits.
This applies to the certificate search in the CA as well.

Detect and report if size limit was exceeded in the certificate search in
the CA.

Do not apply limits to the internal ca-find call.

https://fedorahosted.org/freeipa/ticket/6564

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-01-24 13:53:07 +01:00
Jan Cholasta
d84edc43e5 dogtag: search past the first 100 certificates
Dogtag requires a size limit to be specified when searching for
certificates. When no limit is specified in the dogtag plugin, a limit of
100 entries is assumed. As a result, an unlimited certificate search
returns data only for a maximum of 100 certificates.

Raise the "unlimited" limit to the maximum value Dogtag accepts.

https://fedorahosted.org/freeipa/ticket/6564

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-01-24 13:53:07 +01:00
Martin Basti
18337bf7f7 py3: decode bytes for json.loads()
In py 3.5 json.loads requires to have string as input, all bytes must be
decoded.

Note: python 3.6 supports bytes for json.loads()

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Martin Basti
0eb5a0e0ec dogtag.py: fix exception logging of JSON data
'read_ca' and 'create_ca' have no logging when exception happened and it
masks real reason why it failed.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Martin Basti
1e0f98a146 py3: convert_attribute_members: don't use bytes as parameter for DN
due perfomance improvement in e4930b3235
we have to decode value before it can be used in DN() constructor.

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Martin Basti
746d4ffc58 py3: make_filter_from_attr: use string instead of bytes
Method escape_filter_chars() requires string as parameter instead of
bytes. 'value_to_utf8' returns bytes thus this code has to be removed.

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Martin Basti
4b148c8ca3 py3: __add_acl: use standard ipaldap methods
Using raw pyldap interface we have to keep vaules as bytes. Is easier to
migrate to ipaldap and use strings without decoding and encoding.

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Martin Basti
0a1d7f2e01 py3: add_entry_to_group: attribute name must be string not bytes
With bytes as attribute name pyldap raises type error

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Martin Basti
51578882fc py3: HTTPResponse has no 'dict' attribute in 'msg'
There is no 'dict' attribute in 'msg', but 'msg' attribute is dict-like object
in both py2/3, so it can be used instead.

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Martin Basti
c0b5c6709d py3: _httplib_request: don't convert string to bytes
There is no need to encode hostname to bytes. UTF-8 characters must be
encoded in different format in URL anyway and it causes only error in
Py3. String must be unicode to support Py2.

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Martin Basti
232ceed5bb py3: cainstance: replace mkstemp with NamedTemporaryFile
With Python3 files must be opened in textual mode to write text, and
best practise is to use fileobject instead fo os.write() and manual
encodig

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Martin Basti
2547bca8df py3: write CA/KRA config into file opened in text mode
config parser writes data as text so CA/KRA should be opened in textual
mode otherwise type errors are raised from installer

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Martin Basti
0d4074b4f1 py3: CA/KRA: config parser requires string
basedn is DN object it has to be converted to string before it can be
used with config parser

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Martin Basti
7ae5e5f669 py3: ipautil: open tempfiles in text mode
Code in ipautlis works with text, so tempfiles should be open in
textmode otherwise TypeErrors are raised

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Martin Basti
bbe8849a65 py3: ldap modlist must have keys as string, not bytes
https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Martin Basti
63b5d4a859 py3: open temporary ldif file in text mode
ldif parser uses file in text mode, so we have to open it in text mode
in py3

Also values passed to parser should be bytes

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Martin Basti
e064109277 py3: service.py: replace mkstemp by NamedTemporaryFile
NamedTemporaryfile can be used in more pythonic way and file can be
opened in textual mode that is required with PY3

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Martin Basti
23239bccc1 py3: create_cert_db: write to file in a compatible way
Py3 expect bytes to be writed using os.write. Instead of that using
io module is more pythonic.

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Jan Cholasta
84a9611cb8 ipaldap: properly escape raw binary values in LDAP filters
Manually escape each byte in the value, do not use
ldap.filter.escape_filter_chars() as it does not work with bytes in
Python 3.

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-01-24 11:50:07 +01:00
Martin Basti
ccea23138b _resolve_records: fix assert, nameserver_ip can be none
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-01-24 09:58:06 +01:00
Abhijeet Kasurde
c56e02b3c5 Remove deprecated ipa-upgradeconfig command
Fixes https://fedorahosted.org/freeipa/ticket/6620

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-01-24 09:51:39 +01:00
Florence Blanc-Renaud
ceec512b09 ipa-restore must stop tracking PKINIT cert in the preparation phase
ipa-restore calls certmonger to stop tracking the PKI certs, HTTP and DS certs.
It must also stop tracking the newly introduced PKINIT cert (stored in
/var/kerberos/krb5kdc/kdc.crt).

Otherwise the restore operation ends up with PKINIT cert tracked twice and
uninstallation fails.

https://fedorahosted.org/freeipa/ticket/6570

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-01-20 19:16:25 +01:00
Jan Cholasta
26630db9d0 client install: correctly report all failures
In commit 5249eb817e, the client install code
was converted to use exception handling instead of return codes. However,
some return statements were not converted to raise statements and as a
result, ipa-client-install will report success in some error conditions.

Convert the return statements to raise statements to fix the issue.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-01-20 17:34:07 +01:00
Ganna Kaihorodova
91c050b4e0 User Tracker: Test to create user with minimal values
Test to create user with minimal values, where uid is not specified

https://fedorahosted.org/freeipa/ticket/6126

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
2017-01-19 17:39:08 +01:00
Ganna Kaihorodova
fa7aaef1de User Tracker: creation of user with minimal values
Fix provide possibility to create user-add test with minimal values,
where uid is not specified, to provide better coverage. Also provide
check for non-empty unicode string for attributes required in init method

https://fedorahosted.org/freeipa/ticket/6126

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
2017-01-19 17:39:08 +01:00
Ganna Kaihorodova
c391f6ba58 Stage User: Test to create stage user with minimal values
Test to create stage user with minimal values, where uid is not specified

https://fedorahosted.org/freeipa/ticket/6448

Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-01-19 17:36:46 +01:00
Ganna Kaihorodova
a336de630e Tests: Stage User Tracker implementation
Fix provide possibility of creation stage user with minimal values,
with uid not specified and check for non-empty unicode string
for attributes requested in init method

https://fedorahosted.org/freeipa/ticket/6448

Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-01-19 17:36:46 +01:00
Timo Aaltonen
e04b75cb9e ipaplatform: Add Debian platform module.
v2:
- use redhat_services.redhat_system_units.copy
- don't use wildcard imports
- add some empty lines to make pep8 happy

v3:
- make parse_ipa_version static

v4:
- make more methods static

v5:
- fix pylint issues
- use syntax that doesn't break with python3

v6:
- remove IPA_GETKEYTAB from paths, it's the same across distros

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-01-19 16:45:42 +01:00
Ganna Kaihorodova
822a119100 Tests: Add tree root domain role in legacy client tests
Legacy client tests inherits test cases from trust tests, that have
role for tree root domain. That role was missing in legacy client tests.

https://fedorahosted.org/freeipa/ticket/6600

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-01-18 16:40:28 +01:00
Abhijeet Kasurde
ae2d0a2217 Update warning message for ipa server uninstall
Fix adds an additional recommendation message for taking backup
of existing data and configuration before proceeding to
ipa server uninstallation procedures.

Fixes https://fedorahosted.org/freeipa/ticket/6548

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-01-18 09:41:11 +01:00
Christian Heimes
d8343a96dd Clean / ignore make check artefact
In tree runs of make check leave some artifacts around. The patch adds
them to make clean and .gitignore.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-01-18 09:19:15 +01:00
Pavel Vomacka
9d2ef64fb9 Coverity: removed useless semicolon which ends statement earlier
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-01-18 09:15:54 +01:00
Pavel Vomacka
a69c4448c5 Coverity: Fix possibility of access to attribute of undefined
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-01-18 09:15:54 +01:00
Lukas Slebodnik
b82d285a4a SPEC: Fix build in mock
Neither pylint nor jsl is installed by default because rpm macro with_lint
is not defined in spec file. However, configure script tried to
find pylint/jsl anyway.

  checking for Pylint... /usr/bin/python2: No module named pylint
  configure: error: cannot find pylint for /usr/bin/python2

  RPM build errors:
  error: Bad exit status from /var/tmp/rpm-tmp.2GAFh4 (%build)
      Bad exit status from /var/tmp/rpm-tmp.2GAFh4 (%build)

Resolves:
https://fedorahosted.org/freeipa/ticket/6604

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-01-18 09:05:56 +01:00
Lukas Slebodnik
3f91469f32 CONFIGURE: Update help message for jslint
Resolves:
https://fedorahosted.org/freeipa/ticket/6604

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-01-18 09:05:56 +01:00
Lukas Slebodnik
5c18feaa20 CONFIGURE: Fix detection of pylint
If configure script was executed with --enable-pylint then
it behaved the same as --disable-pylint. It does not make
any sense.

Resolves:
https://fedorahosted.org/freeipa/ticket/6604

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-01-18 09:05:56 +01:00
Abhijeet Kasurde
6d52c0fe6a Fix for handling CalledProcessError in authconfig
NIS configuration error should be hidden from user
while running ipa-client-install

Fixes https://fedorahosted.org/freeipa/ticket/5244

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-01-18 08:51:38 +01:00
Tomas Krizek
49855ca9de Fix coverity issue
A code path exists, where principal_obj is None. Add check
principal_obj is not None to avoid dereferencing it.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-01-16 14:44:54 +01:00
Christian Heimes
504f441707 ipapython: Add dependencies on version.py
install-exec and bdist_wheel also depend on version.py. Let's ensure
that version.py is correctly generated when installing or building
packages.

Yes, make is clever and correctly merges dependencies with rules from
included make files.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2017-01-16 14:41:10 +01:00
Jan Cholasta
926fe2049a cainstance: do not configure renewal guard
Do not configure renewal guard for dogtag-ipa-renew-agent, as it is not
used in IPA anymore.

https://fedorahosted.org/freeipa/ticket/5959

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-01-16 14:37:25 +01:00