Commit Graph

10706 Commits

Author SHA1 Message Date
Stanislav Laznicka
29aa4877ee fix permission_find fail on low search size limit
permission_find() method would have failed if size_limit in config is too
small caused by a search in post_callback. This search should also
respect the passed sizelimit or the sizelimit from ipa config if no
sizelimit is passed.

https://fedorahosted.org/freeipa/ticket/5640

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-12-06 11:36:46 +01:00
Stanislav Laznicka
0df65b6d03 Make get_entries() not ignore its limit arguments
get_entries() wouldn't pass some arguments deeper to find_entries()
function it wraps. This would cause unexpected behavior in some
cases throughout the framework where specific (non-)limitations
are expected.

https://fedorahosted.org/freeipa/ticket/5640

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-12-06 11:36:46 +01:00
Martin Babinsky
1300381d45 Add 'env_confdir' to constants
Env confdir is always populated so it should be listed among variables
set during a call to `Env._bootstrap()`.

https://fedorahosted.org/freeipa/ticket/6389

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-12-05 16:30:41 +01:00
Pavel Vomacka
a8b7dbff8a Add python-pyasn1-modules into dependencies
Python-pyasn1-modules is needed because of this import:
     from pyasn1_modules import rfc2459
in ipalib/x509.py.

Python-pyasn1-modules is required only by python-ldap package, but it would be
good to not rely on another package and rather say explicitely that
this package is necessary.

https://fedorahosted.org/freeipa/ticket/6398

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-12-05 13:57:00 +01:00
Christian Heimes
cac0c2d951 Relax check for .git to support freeipa in submodules
Let's relax the check for .git from directory to exists in order to
support freeipa in a git submodule. Submodules have a .git file with
content like

    gitdir: ../.git/modules/freeipa

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-12-05 12:10:02 +01:00
Christian Heimes
86295a8c2e Ignore backup~ files like config.h.in~
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-12-05 12:08:54 +01:00
Christian Heimes
34bd2b6337 Fetch correct exception in IPA_CONFDIR test
fixes c2934aaa

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-12-05 11:58:59 +01:00
Petr Vobornik
c2934aaa7e Raise errors.EnvironmentError if IPA_CONFDIR var is incorrectly used
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-12-02 15:05:33 +01:00
Christian Heimes
d4916254e9 Use env var IPA_CONFDIR to get confdir
The environment variable IPA_CONFDIR overrides the default confdir path.
The value of the environment variable must be an absolute path to an existing
directory. The new variable makes it much simpler to use the 'ipa'
command and ipalib with a local configuration directory.

Some scripts (e.g. servers, installers, and upgrades) set the confdir
explicitly and do not support the env var.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-12-02 15:05:33 +01:00
Martin Babinsky
64a4be26fe Fix pep-8 transgressions in ipalib/misc.py
Make the code moved from `ipaserver/plugins` pep-8 conformant.

https://fedorahosted.org/freeipa/ticket/6490

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-12-02 13:00:06 +01:00
Martin Babinsky
0ae7bebb76 Make env and plugins commands local again
During thin client refactoring, LocalOrRemote class implementation of `run`
method was overriden by default Command implementation during instantiation of
client plugins from schema. This caused these commands to always forward this
request to IPA master.

This patch restores the original behavior: unless `--server` option was
specified, the commands will always print out local config.

https://fedorahosted.org/freeipa/ticket/6490

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-12-02 13:00:06 +01:00
Martin Babinsky
42307ae2dc Revert "Add 'ipa localenv' subcommand"
This reverts commit 1166fbc494. The proper fix
is to restore pre-thin client behavior of commands inheriting from
LocalOrRemote class.

https://fedorahosted.org/freeipa/ticket/6490

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-12-02 13:00:06 +01:00
Pavel Vomacka
7f301b00ce Adjustments for setup requirements v2
Remove setup requirement on wheel since it triggers download.

https://fedorahosted.org/freeipa/ticket/6468

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-12-02 09:45:14 +01:00
Christian Heimes
1e6a204b43 Set explicit confdir option for global contexts
Some API contexts are used to modify global state (e.g. files in /etc
and /var). These contexts do not support confdir overrides. Initialize
the API with an explicit confdir argument to paths.ETC_IPA.

The special contexts are:

* backup
* cli_installer
* installer
* ipctl
* renew
* restore
* server
* updates

The patch also corrects the context of the ipa-httpd-kdcproxy script to
'server'.

https://fedorahosted.org/freeipa/ticket/6389

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-12-02 09:14:35 +01:00
Christian Heimes
98f0077360 Remove import of ipaplatform.paths from test_ipalib
ipalib's env bootstrapping uses hard-coded defaults, too.

https://fedorahosted.org/freeipa/ticket/6474

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-12-02 09:02:07 +01:00
Christian Heimes
3e3b5462b2 Remove BIN_FALSE and BIN_TRUE
https://fedorahosted.org/freeipa/ticket/6474

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-12-02 09:02:07 +01:00
Christian Heimes
fb307ba582 Add pylint guard to import of ipaplatform in ipapython.certdb
ipaplatform is not available in PyPI wheel packages. The guard silences
a pylint error in wheel pylint tests.

https://fedorahosted.org/freeipa/ticket/6474

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-12-02 09:02:07 +01:00
Christian Heimes
5dc5960e71 Require python-gssapi >= 1.2.0, take 2
Fix version range typo in ipasetup.py.in.

Sorry, the bug slipped through my internal tests. The version pinning is
only relevant for make wheel_bundle. The wheel bundle target has been
failing from the start because python-nss has a build bug for wheels,
https://bugzilla.redhat.com/show_bug.cgi?id=1389739

https://fedorahosted.org/freeipa/ticket/6468

Signed-off-by: Christian Heimes cheimes@redhat.com
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-12-01 16:41:26 +01:00
Tomas Krizek
af0ba66188 ipa-replica-conncheck: do not close listening ports until required
Previously, a separate thread would be created for each socket used
for conncheck. It would also time out after one second, after which it
would be closed and reopened again. This caused random failures of
conncheck.

Now all sockets are handled in a single thread and once the server
starts to listen on a port, it does not close that connection until the
script finishes.

Only IPv6 socket is used for simplicity, since it can handle both IPv6
and IPv4 connections. This requires IPv6 kernel support, which is
required by other parts of IPA anyway.

https://fedorahosted.org/freeipa/ticket/6487

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-12-01 15:20:21 +01:00
Christian Heimes
027fc32fe0 Backwards compatibility with setuptools 0.9.8
Setuptools 0.9.8 does not support PEP 440 version schema with +git
suffix and PEP 508 env markers.

https://fedorahosted.org/freeipa/ticket/6468

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-12-01 15:00:40 +01:00
Christian Heimes
289982e02f Require python-cryptography >= 1.3.1
python-cryptography versions < 1.3 no longer compile with recent OpenSSL
1.0.2 versions. In order to build wheels, a more recent version of
cryptography is required. 1.3.1 is the oldest well tested version (RHEL
7.3) that is known to work with FreeIPA.

Bump up in freeipa.spec is not required for technical reasons. The
problem only affects PyPI packages. It's policy to keep
requirements in sync.

https://fedorahosted.org/freeipa/ticket/6468

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-11-30 17:33:32 +01:00
Christian Heimes
235f685247 Wheel bundles fixes
* make wheel_bundle no longer bundles ipaplatform
* ipaclient and ipalib use a consistent extra tag for the install
  subpackage. `pip install ipalib[ipalib.install]` looks a bit silly.

https://fedorahosted.org/freeipa/ticket/6474

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-11-30 16:44:38 +01:00
Florence Blanc-Renaud
dbb98765d7 Check the result of cert request in replica installer
When running ipa-replica-install in domain-level 1, the installer
requests the LDAP and HTTP certificates using certmonger but does
not check the return code. The installer goes on and fails when
restarting dirsrv.

Fix: when certmonger was not able to request the certificate, raise an
exception and exit from the installer:

  [28/45]: retrieving DS Certificate
  [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    Certificate issuance failed (CA_UNREACHABLE)
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

https://fedorahosted.org/freeipa/ticket/6514

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-11-30 16:33:54 +01:00
Oleg Fayans
503d0929e9 Test: basic kerberos over http functionality
https://fedorahosted.org/freeipa/ticket/6446

Reviewed-By: Milan Kubik <mkubik@redhat.com>
2016-11-30 16:29:18 +01:00
Oleg Fayans
c7fd46e42a Test: made kinit_admin a returning function
In some cases we need to check the result of kinit and print out the error
message. Therefore we need it to return the result.

Reviewed-By: Milan Kubik <mkubik@redhat.com>
2016-11-30 16:29:18 +01:00
Christian Heimes
8559791e0d Require python-gssapi >= 1.2.0
The PyPI package for python-gssapi 1.1.x has a packaging bug. It depends on
enum34 for Python 3 although it is only required for 2.7. 1.2.0 is the
oldest version that has been tested at length by QE. It's know to work.

Bump up in freeipa.spec is not required for technical reasons. The
packaging bug only affects PyPI packages. It's policy to keep
requirements in sync.

https://fedorahosted.org/freeipa/ticket/6468

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-11-30 16:24:41 +01:00
Jan Cholasta
4221266562 replica install: track the RA agent certificate again
During the rebase of commit 822e1bc82a on top
of commit 808b1436b4, the call to track the
RA agent certificate with certmonger was accidentally removed from
ipa-replica-install.

Put the call back so that the certificate is tracked after replica install.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-11-30 14:04:21 +01:00
Christian Heimes
ed9645b2ac Adjustments for setup requirements
* Fix some typos, missing or surplus dependencies.
* Remove setup requirement on wheel since it triggers download.

ipatests is now installable. Tests need further changes to be runable.

https://fedorahosted.org/freeipa/ticket/6468

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-30 13:32:30 +01:00
Martin Babinsky
38cc40ddb5 Enhance __repr__ method of Principal
`__repr__` now returns more descriptive string containing the actual principal
name while keeping the ability to reconstruct the object from it.

This makes principal names visible in debug logs, easing troubleshooting a
bit.

https://fedorahosted.org/freeipa/ticket/6505

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-30 09:40:43 +01:00
Petr Spacek
0e093f938d Accept server host names resolvable only using /etc/hosts
Apparently "files" implementation of hosts NSS database cannot deal with
trailing period in host names.

Previously name server.example.com which is was resolvable neither using
dns nor myhostname NSS modules were rejected by installer
(despite having matching line in /etc/hosts).

These names which are resolvable purely using "files" database are now
accepted.

The problem is that I had to remove trailing period from names passed
to getaddrinfo() function. This effectivelly enables search list processing.
This means that items from the search list might be silently appended to
the query and we might get an IP address for totally different names
than we asked for.

Unfortunatelly I see no way around this while keeping ability
to use names from NSS hosts database.

https://fedorahosted.org/freeipa/ticket/6518

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-11-29 18:35:31 +01:00
Oleg Fayans
452dc97aba tests: Added basic tests for certs in idoverrides
https://fedorahosted.org/freeipa/ticket/6412

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2016-11-29 18:30:44 +01:00
Oleg Fayans
ccd3677b50 Created idview tracker
Needed for basic certs in idoverrides tests

https://fedorahosted.org/freeipa/ticket/6412

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2016-11-29 18:30:44 +01:00
Martin Babinsky
266b9d9c6c replication: ensure bind DN group check interval is set on replica config
This is a safeguard ensuring valid replica configuration against incorrectly
upgraded masters lacking 'nsds5replicabinddngroupcheckinterval' attribute on
their domain/ca topology config.

https://fedorahosted.org/freeipa/ticket/6508

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-11-29 16:09:59 +01:00
Martin Babinsky
73d0d03891 upgrade: add replica bind DN group check interval to CA topology config
Without this attribute explicitly set the replication plugin won't recognize
updates from members of 'replication managers' sysaccount group, leading to
stuck replica CA installation.

https://fedorahosted.org/freeipa/ticket/6508

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-11-29 16:09:59 +01:00
Petr Spacek
a89f63c5a6 Build: properly integrate ipa.pot into build system tests
i18n.py tests indirectly depend on existence on ipa.pot file.

https://fedorahosted.org/freeipa/ticket/6498

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-29 15:28:24 +01:00
Petr Spacek
6aa360775a Build: properly integrate ipasetup.py into build system
AC_CONFIG_FILES in configure.ac works well only with Makefiles.
Other files have to be handled by Makefile.am so depedencies
are tracked properly.

There is a problem that Python sub-directories depend on ipasetup.py
which is one level above the sub-directory. This means that depedencies
are the other way around that expected. This is being worked around
using hack from
http://lists.gnu.org/archive/html/automake/2009-03/msg00011.html

https://fedorahosted.org/freeipa/ticket/6498

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-29 15:28:24 +01:00
Petr Spacek
6fcfe689f4 Build: properly integrate version.py into build system
AC_CONFIG_FILES in configure.ac works well only with Makefiles.
Other files have to be handled by Makefile.am so depedencies
are tracked properly.

https://fedorahosted.org/freeipa/ticket/6498

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-29 15:28:24 +01:00
Petr Spacek
89739a6c91 Build: properly integrate loader.js into build system
AC_CONFIG_FILES in configure.ac works well only with Makefiles.
Other files have to be handled by Makefile.am so depedencies
are tracked properly.

https://fedorahosted.org/freeipa/ticket/6498

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-29 15:28:24 +01:00
Petr Spacek
6857de02f3 Build: properly integrate freeipa.spec.in into build system
AC_CONFIG_FILES in configure.ac works well only with Makefiles.
Other files have to be handled by Makefile.am so depedencies
are tracked properly.

https://fedorahosted.org/freeipa/ticket/6498

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-29 15:28:24 +01:00
Petr Spacek
ba6ae666ac Build: properly integrate ipa-version.h.in into build system
AC_CONFIG_FILES in configure.ac works well only with Makefiles.
Other files have to be handled by Makefile.am so depedencies
are tracked properly.

https://fedorahosted.org/freeipa/ticket/6498

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-29 15:28:24 +01:00
Jan Cholasta
a260fd8058 ipaclient: remove hard dependency on ipaplatform
Hard-code the user cache directory path in ipaclient.remote_plugins.schema.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
70c3cd7f48 ipaclient: move install modules to the install subpackage
The ipa_certupdate, ipachangeconf, ipadiscovery and ntpconf modules depend
on ipaplatform.

Move them to ipaclient.install as they are used only from the client
installer.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
d43b57d2ce ipalib: remove hard dependency on ipapython
Hard-code the path to /bin/false in SubprocessError doc string.

Remove ipaplatform dependency from ipalib's setup.py and add it as optional
installer dependency to ipalib's and ipaclient's setup.py.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
977050c66b constants: remove CACERT
CACERT depends on ipaplatform.

Replace all uses of CACERT with paths.IPA_CA_CRT and remove CACERT.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
a2c5888973 ipalib: move certstore to the install subpackage
The certstore module depends on ipaplatform.

Move it to ipalib.install, as it is used only from installers.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
528012fe8a ipapython: remove hard dependency on ipaplatform
Use hard-coded paths to certutil, pk12util and openssl in certdb if
ipaplatform is not available.

Hard-coded the path to setpasswd in ipautil.run() doc string.

Remove ipaplatform dependency from ipapython's setup.py and add ipapython
dependency to ipaplatform's setup.py.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
6e50fae9ec ipautil: move file encryption functions to installutils
The encrypt_file() and decrypt_file() functions depend on ipaplatform.

Move them to ipaserver.install.installutils, as they are only used for the
server installer.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
7d5c680ace ipautil: move kinit functions to ipalib.install
kinit_password() depends on ipaplatform.

Move kinit_password() as well as kinit_keytab() to a new
ipalib.install.kinit module, as they are used only from installers.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
75b70e3f0d ipautil: move is_fips_enabled() to ipaplatform.tasks
The FIPS setting is platform-specific.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
d911f49348 ipautil: remove the timeout argument of run()
The argument depends on the platform-specific timeout binary and is used
only in ipaclient.ntpconf.

Call the timeout binary explicitly in ipaclient.ntpconf and remove the
argument.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00