Commit Graph

10706 Commits

Author SHA1 Message Date
Jan Cholasta
7b966e8577 ipautil: remove get_domain_name()
get_domain_name() and related code depends on ipaplatform.

Replace all uses of get_domain_name() with api.env.domain and remove
get_domain_name() and all of the related code.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
d6b755e3fc ipautil: remove SHARE_DIR and PLUGIN_SHARE_DIR
SHARE_DIR and PLUGIN_SHARE_DIR depend on ipaplatform.

Replace all uses of SHARE_DIR with paths.USR_SHARE_IPA_DIR and remove
both SHARE_DIR and PLUGIN_SHARE_DIR.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
f919ab4ee0 certdb: use a temporary file to pass password to pk12util
Currently the PKCS#12 file password is passed via stdin and pk12util reads
it from /dev/stdin, which is platform-specific.

Use a temporary file instead.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
fba6c21da3 certdb: move IPA NSS DB install functions to ipaclient.install
The create_ipa_nssdb() and update_ipa_nssdb() depend on ipaplatform.

Move them to ipaclient.install.client as they are used only from the client
installer and ipa-restore.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
26c46a447f ipapython: move certmonger and sysrestore to ipalib.install
The certmonger and sysrestore modules depend on ipaplatform.

Move them to ipalib.install as they are used only from installers.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
a1f260d021 ipapython: move dnssec, p11helper and secrets to ipaserver
The dnssec and secrets subpackages and the p11helper module depend on
ipaplatform.

Move them to ipaserver as they are used only on the server.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
8e5d2c7014 custodiainstance: automatic restart on config file update
Automatically restart Custodia during IPA server upgrade if custodia.conf
was updated.

Use the new store class name in custodia.conf.template.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
9117a5d5a6 paths: remove DEV_NULL
The platform-specific path to /dev/null is provided by the Python standard
library in os.devnull.

Replace all uses of paths.DEV_NULL with os.devnull and remove DEV_NULL.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Martin Basti
a291c6ded9 DNS: URI records: bump python-dns requirements
Support for DNS URI records has been added in python-dns 1.13

https://fedorahosted.org/freeipa/ticket/6344

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-29 14:28:42 +01:00
Petr Spacek
132b475c25 Build: workaround bug while calling parallel make from rpmbuild
https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-29 12:57:11 +01:00
Martin Babinsky
211c944a35 Improve the robustness FreeIPA's i18n module and its tests
Prevent false positive errors reported by `ipatests/i18n.py` and
`ipatests/test_ipalib/test_text.py` when LANGUAGE env variable is set in the
environment.

Additionally, also set LC_ALL and LC_MESSAGES during checks to further improve
the robustness.

https://fedorahosted.org/freeipa/ticket/6512

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-28 13:58:33 +01:00
Christian Heimes
6bbbce4473 wrap long line
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-25 16:18:22 +01:00
Christian Heimes
fef6f18aa2 Silence import warnings for Samba bindings
Python 3 Samba bindings are not available yet. Let's silence the
warnings to make pylint pass under Python 3.

https://fedorahosted.org/freeipa/ticket/4985

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-25 16:18:22 +01:00
Christian Heimes
7fef9cbec7 Fix Python 3 bugs discovered by pylint
In Python 3 exception instances no longer have a message attribute.
For most exceptions, str(e) or string formatting give the same result.

Fix some renamed modules, module members and functions.

https://fedorahosted.org/freeipa/ticket/4985

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-25 16:18:22 +01:00
Christian Heimes
38e8719f72 Python3 pylint fixes
Sprinkle 'pylint disable' comments over the code base to silence a bunch
of pylint warnings on Python 3. All silenced warnings are harmless and
not bugs.

https://fedorahosted.org/freeipa/ticket/4985

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-25 16:18:22 +01:00
Florence Blanc-Renaud
044d887e81 Fix ipa-replica-install when upgrade from ca-less to ca-full
When ipa-replica-prepare is run on a master upgraded from CA-less to
CA-full, it creates the replica file with a copy of the local /etc/ipa/ca.crt.
This causes issues if this file hasn't been updated with ipa-certupdate,
as it contains the external CA that signed http/ldap certs, but not
the newly installed IPA CA.
As a consequence, ipa-replica-install fails with "Could not find a CA cert".

The fix consists in retrieving the CA certificates from LDAP instead of
the local /etc/ipa/ca.crt.

https://fedorahosted.org/freeipa/ticket/6375

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-11-25 09:26:22 +01:00
Stanislav Laznicka
e617f895e7 Do not log DM password in ca/kra installation logs
https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-11-25 09:13:56 +01:00
Thierry Bordaz
c223130d5f IPA Allows Password Reuse with History value defined when admin resets the password.
When admin reset a user password, history of user passwords is
preserved according to its policy.

https://fedorahosted.org/freeipa/ticket/6402

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-11-24 17:01:02 +01:00
Christian Heimes
a8376a2447 Add main guards to a couple of Python scripts
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-24 16:35:43 +01:00
Christian Heimes
6409abf1a6 Break ipaplatform / ipalib import cycle of hell
Here is an attempt to break the import cycle of hell between ipaplatform
and ipalib. All services now pass an ipalib.api object to
services.service(). RedHatServices.__init__() still needs to do a local
import because it initializes its wellknown service dict with service
instances.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-24 16:30:32 +01:00
Christian Heimes
2cbaf15604 Replace LooseVersion
pylint is having a hard time with distutils.version in tox's virtual
envs. virtualenv uses some tricks to provide a virtual distutils
package, pylint can't cope with.

https://github.com/PyCQA/pylint/issues/73 suggests to use pkg_resources
instead. pkg_resources' version parser has some more benefits, e.g. PEP
440 conformity. But pkg_resources.parse_version() is a heavy weight solution
with reduced functionality, e.g. no access to major version.

For API_VERSION and plugin version we can use a much simpler and faster
approach.

https://fedorahosted.org/freeipa/ticket/6468

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-11-24 15:46:40 +01:00
Christian Heimes
526bcea705 Don't ship install subpackages with wheels
The install subpackages of ipaclient, ipalib and ipapython contain
helper code for installers such as ipa-client-install. They also depend
on external modules that are not available on PyPI, e.g. SSSDConfig.
Since PyPI wheel packages do not support client installation, the
install subpackages contain dead and unsupported code.

The custom build_py plugin removes the subpackages from bdist_wheel
builds. It's not enough to just remove 'ipaclient.install' from the
'packages' list. Surplus files have to be removed from build/lib, too.

https://fedorahosted.org/freeipa/ticket/6468

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-24 11:40:48 +01:00
Christian Heimes
29947fe1a3 Minor fixes for IPAVersion class
Py3: classes with __eq__ must provide __hash__ function or set __hash__
to None.
Comparison function like __eq__ must signal unsupported types by
returning NotImplemented. Python turns this in a proper TypeError.
Make the version member read-only and cache _bytes represention.

https://fedorahosted.org/freeipa/ticket/6473

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-22 17:44:27 +01:00
Martin Basti
55b14abcb5 remove Knob function
`Knob` function is an old implementation which was replcaed by `knob`
function and currently is unused, so it can be removed

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-22 17:38:38 +01:00
Christian Heimes
573eee444e Pylint: whitelist packages with extension modules
Pylint refuses to load extension modules from unsafe places. This
triggers import-error failures for pylint runs inside a tox virtualenv.
Any module or package in extension-pkg-whitelist is whitelisted and
pylint imports extension modules.

https://fedorahosted.org/freeipa/ticket/6468

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-22 17:37:39 +01:00
Tomas Krizek
0914fc6a60 upgrade: ldap conn management
Clean up unnecessary starts/stops of DS and unnescessary attributes.
If the DS is running, establish an LDAP connection and properly close
it.

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-22 16:17:27 +01:00
Tomas Krizek
68295bf8cf services: replace admin_conn with api.Backend.ldap2
Since service.admin_conn is only an alias to api.Backend.ldap2,
replace it everywhere with the explicit api.Backend.ldap2 instead.

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-22 16:17:27 +01:00
Petr Spacek
4c133837d1 Build: remove ipa.pot from Git as it can be re-generated at any time
All the source files are in the very same repo so there is no point
in keeping the file in Git.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
2016-11-22 16:14:50 +01:00
Petr Spacek
8a79625850 Build: integrate translation system tests again
The Makefile test targets were lost when gettextize infrastructure was
introduced. Now it is re-added in its modernized form which counts with
generated .pot files.

ipatests/i18n.py is now explicitly setting character encoding in files
it generates. According to gettext manual chapter "Filling in the Header Entry"
the Content-Type header is language-specific so it does not make sense
to fill it in in .pot file.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
2016-11-22 16:14:50 +01:00
Petr Spacek
9ef5a7de78 Build: automatically generate list of files to be translated in configure
configure is easiest option how to automatically generate POTFILES.in.
Attempts to add it to po/Makefile* have big potential to create cyclic
depedencies and cause other trouble.

Given how rare operation adding a source file is, I think it is sufficient
to document that configure needs to be run again after adding a source file
with translatable strings.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
2016-11-22 16:14:50 +01:00
Petr Spacek
166257ec5b Build: clean in po/ removes *~ files as well
Editing work is done in Zanata UI so there is no point in keeping all
versions around in SCM.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
2016-11-22 16:14:50 +01:00
Petr Spacek
d40c376ccc Build: support strip-po target for translations
The target was added to top-level Makefile.am as well so the maintainer
does not need to jump between directories when doing Zanata pull/push
and strip-po.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
2016-11-22 16:14:50 +01:00
Petr Spacek
4842231074 Build: use standard infrastructure for translations
We now use standard framework generatedby "gettextize" utility.

It has two limitations which I do not consider sufficiently important
to invest into hand-made solution:

1. It can automatically gather strings only from files which have some
   file extension like .c or .py. Right now we do not have any
   translatable strings in Python files without extensions. Given that these
   files will be removed from source tree and replaced with entry points
   from setuptools I do not see a reason to invest into supporting this.

2. It does not automatically strip untranslated strings from po files.
   This is a manual step in mainteiner's in workflow anyway so I will
   add separate Makefile target for it later on.

This commit contains gettextize instrastructure + filled-in files
Makevars and POTFILES.in.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
2016-11-22 16:14:50 +01:00
David Kupka
4225484356 tests: Mark 389-ds acceptance tests
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-22 12:54:56 +01:00
David Kupka
3e53bbcc34 tests: Mark Dogtag acceptance tests
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-22 12:54:56 +01:00
Fraser Tweedale
687ebd18a1 Remove references to ds_newinst.pl
ds_newinst.pl was removed from 389 DS over 9 years ago. Remove
references to it.

Fixes: https://fedorahosted.org/freeipa/ticket/6496
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-21 18:03:52 +01:00
Martin Basti
61094a2a20 KRA: don't add KRA container when KRA replica
This fixes regression caused by c56256e2a2
"""
  [9/11]: add vault container
ipa         : CRITICAL Failed to load vault.ldif: Command
'/usr/bin/ldapmodify -v -f /tmp/tmpxxO9IC -H
ldapi://%2fvar%2frun%2fslapd-IPA-TEST.socket -x -D cn=Directory
Manager
-y /tmp/tmpVKinCZ' returned non-zero exit status 68
  [10/11]: apply LDAP updates
"""

and removes unneded steps during installation of KRA replica,
because KRA container must be there since installation of first KRA
instance.

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-21 17:58:49 +01:00
Petr Spacek
5862eaa1a0 Build: fix path in ipa-ods-exporter.socket unit file
This fixes regression caused by incorrect
daemons/dnssec/ipa-ods-exporter.socket.in path template introduced
in commit 312e780041.

https://fedorahosted.org/freeipa/ticket/6495

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-21 17:24:58 +01:00
Tomas Krizek
2793cdc859 upgrade: do not explicitly set principal for services
After installer refactoring, principal is a property of service.

https://fedorahosted.org/freeipa/ticket/6500

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-11-21 16:13:51 +01:00
Martin Basti
ad32bf147e Zanata: exlude testing ipa.pot file
Exlude testing file "ipatests/test_ipalib/data/ipa.pot" which should not be
uploaded to zanata.

https://fedorahosted.org/freeipa/ticket/6435

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-11-21 14:47:47 +01:00
Christian Heimes
1166fbc494 Add 'ipa localenv' subcommand
ipa local-env simply dumps all values from api.env as sorted key="value"
pairs. It's a convenient helper for debugging and to write tests for
e.g. PR #182.

https://fedorahosted.org/freeipa/ticket/6490

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-11-18 14:48:48 +01:00
Christian Heimes
c93bfda594 ipapython and ipatest no longer require lxml
Commits 64af88fe and 9fbd29cc have removed dependency on lxml.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-17 11:29:28 +01:00
Florence Blanc-Renaud
efb3700389 Fix ipa migrate-ds when it finds a search reference
When ipa migrate-ds finds user entries and a search reference, it complains
that the LDAP search did not return any result and does not migrate the
entries or the groups.

The issue comes from LDAPClient._convert_result which returns an empty result
list when the input is a search reference. In turn LDAPClient.find_entries
assumes that the empty result list corresponds to a Search Result Done and
returns without any entry.

The fix examines first the objtype returned by self.conn.result3. If it is
a search result done, then the loop can be exited. Otherwise (referral or
entry), _convert_result is called and the result (if not empty) is appended
to the list of returned entries.

https://fedorahosted.org/freeipa/ticket/6358

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-17 01:01:05 +01:00
Martin Babinsky
ce2bb47cca Use common procedure to setup initial replication in both domain levels
Set up initial replication using GSSAPI also in domin level 0. For this to
work, the supplied DM password is used to connect to remote master and set up
agreements. The workflow is unchanged in DL1 where GSSAPI bind as host or
admin is used.

This obsoletes the conversion of replication agreements to GSSAPI made in DL0
during KDC installation.

https://fedorahosted.org/freeipa/ticket/6406

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-17 00:39:17 +01:00
Martin Babinsky
8378e1e39f ensure that the initial sync using GSSAPI works agains old masters
IPA 3.x masters neither have 'cn=replication managers' sysaccount groups set,
nor do they support adding nsds5ReplicaBinddnGroup attribute to the replica
config objects.

In order for common replication mechanism to work against
them, the replica must be ready to supply the required information to the old
master.

https://fedorahosted.org/freeipa/ticket/6406

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-17 00:39:17 +01:00
Martin Babinsky
cf6048a3ba replication: refactor the code setting principals as replica bind DNs
In addition to improving the readability of
`setup_krb_princs_as_replica_binddns` method, the re-usable bits were factored
out to separate methods

https://fedorahosted.org/freeipa/ticket/6406

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-17 00:39:17 +01:00
Martin Babinsky
3dc9ab1621 replication: augment setup_promote_replication method
the method that sets up initial GSSAPI replication in DL1 was augmented so
that the specified bind DN/bind password allows simple bind to remote master
using STARTTLS. The CA certificate for the connection is also configurable.

This facilitates the use of this method in DL0 where GSSAPI bind can not be
used during DS bootstrap while DM credentials are available.

https://fedorahosted.org/freeipa/ticket/6406

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-17 00:39:17 +01:00
Martin Babinsky
9d7943f3da Turn replication manager group into ReplicationManager class member
https://fedorahosted.org/freeipa/ticket/6406

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-17 00:39:17 +01:00
Christian Heimes
9102fb3b02 Register entry points of Custodia plugins
With setuptools in place FreeIPA is able to register its Custodia
plugins. Custodia 0.1 ignores the plugins directives. Custodia 0.2 uses
the entry points to discover plugins.

https://fedorahosted.org/freeipa/ticket/6492

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-11-16 23:47:38 +01:00
Christian Heimes
9fbd29cc10 Use xml.etree in ipa-client-automount script
The ipa-client-automount script used lxml.etree to modify
/etc/autofs_ldap_auth.conf.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-16 23:37:46 +01:00