Commit Graph

11725 Commits

Author SHA1 Message Date
Tomas Krizek
f38708fdcb
Contributors.txt: update
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
2017-09-01 14:38:37 +02:00
Tomas Krizek
5dcb0e6fc7
dnssec: keep dnssec daemons in Python2
Until DNSSEC is ready for Python3, we should run DNSSEC with Python 2.

Related: https://pagure.io/freeipa/issue/4985

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-09-01 12:35:31 +02:00
Fraser Tweedale
504c303ec4
Fix external renewal for CA with non-default subject DN
When running ``ipa-cacert-manage renew --external-ca`` with an IPA
CA having a subject DN that does not correspond to ``CN=Certificate
Authority, {subject-base}``, the CSR for submission to the external
CA does not generated.  dogtag-ipa-ca-renew-agent-submit is wrongly
assuming the default form of the CA subject DN.

Update dogtag-ipa-ca-renew-agent-submit to look up the actual
subject DN.

Fixes: https://pagure.io/freeipa/issue/7123
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-09-01 11:46:49 +02:00
Pavel Vomacka
76f217b289
Fixes bug in actions creating for search facet
In case that there are no actions specified in spec object, the concatenation
of arrays causes that 'undefined' item is added into the array.

https://pagure.io/freeipa/issue/7052

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-09-01 11:43:52 +02:00
Pavel Vomacka
d5ef1a7fd0
WebUI: fix showing required asterisk '*'
There was a bug that when user switch between two facets where is
required field and in one of them is writable and in second one
is not writable, then the asterisk which marks required field is
not shown. i.e. admin vs. user details page or global_passwd_policy
vs. other_passwd_policy details page.

That was caused by incorrect evaluation of required state of field.
Evaluation works that way: evaluate old required state, then evaluate
current required state and if states has changed then emit change event.
The evaluation depends on writable and read_only state of field.
Those two states are set before evaluation of required state, but
their old values (for evaluating previous required stated) were
not stored anywhere.

This commit adds two attributes which stores old writable
and read_only states. The required asterisk is then shown correctly.

https://pagure.io/freeipa/issue/6849

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-09-01 11:42:08 +02:00
Stanislav Laznicka
aa969da461
spec: remove strict options from shebangs
https://pagure.io/freeipa/issue/4985

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-09-01 11:39:16 +02:00
Stanislav Laznicka
263217ff46
spec: have the scripts depend on py3 packages
When building for Fedora, we have with_python3 set to 1 by
default. Therefore, when such build is performed, have the
scripts depend on python3 packages instead of python2 (the
previous state was the scripts depended on both Python versions).

https://pagure.io/freeipa/issue/4985

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-09-01 11:39:16 +02:00
Stanislav Laznicka
3aff58c804
spec: remove python3 workaround
We have had a python3-ipaserver package for quite some time now

https://pagure.io/freeipa/issue/4985

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-09-01 11:39:16 +02:00
Nathaniel McCallum
bc05ab9922
ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace
For some unknown reason, when I wrote the ipa-otptoken-import script
I used bad input data which had the PBKDF2 parameters in the wrong
XML namespace. I have corrected this input data to match RFC 6030.

https://pagure.io/freeipa/issue/7035

Signed-off-by: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-09-01 10:50:34 +02:00
Stanislav Laznicka
c14aa6cdac
Remove unused variable
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2017-09-01 10:48:34 +02:00
Alexander Bokovoy
79378c9051
csrgen: support openssl 1.0 and 1.1
Support both openssl 1.0 and 1.1 APIs where sk_* functions got prefixed
with OPENSSL_ in the latter version.

Since referencing a symbol from a dynamically loaded library generates
exception, use the AttributeError exception to catch it and fall back to
the older method.

Fixes https://pagure.io/freeipa/issue/7110

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-08-31 13:46:00 +02:00
Tomas Krizek
4028f1aebb
ipatests: collect log after ipa-ca-install
Make sure logs are collected after calling ipa-ca-install command.

Related: https://pagure.io/freeipa/issue/7060

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-08-31 13:41:27 +02:00
Pavel Vomacka
8c2dbece59 WebUI: Update unit test README
Update link to our FreeIPA wiki page where unit tests are described.
The description of how to run those test was also updated.

https://pagure.io/freeipa/issue/6974

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-08-31 10:35:03 +02:00
Pavel Vomacka
6b70b91de4 Fixes details_test.js
Adds missing import which extends jquery's element with alert method.
Also fixes setting of breadcrumb and tabs in details spec - the code changes
behavior.

https://pagure.io/freeipa/issue/6974

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-08-31 10:35:03 +02:00
Pavel Vomacka
bb5582d52b Fixes for widget_tests.js
Link widget creates only one <label> and one <a> element not more as before.
Test changed accordingly.

https://pagure.io/freeipa/issue/6974

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-08-31 10:35:03 +02:00
Pavel Vomacka
63f7575cb3 Fixes for aci_tests.js
Aci_widget doesn't use table elements anymore. Whole widget is created from
list element. Change in tests needed.

https://pagure.io/freeipa/issue/6974

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-08-31 10:35:03 +02:00
Pavel Vomacka
11e19cd5d5 Fixes for entity_tests.js
Register also details module to provide all objects from that module.

https://pagure.io/freeipa/issue/6974

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-08-31 10:35:03 +02:00
Pavel Vomacka
4fb52371f2 Fixes for ipa_test.js
Basically add API version into the API request. The API version was not
required before.

https://pagure.io/freeipa/issue/6974

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-08-31 10:35:03 +02:00
Pavel Vomacka
9e0db0759a Add up to date JSON files
All files are up to date and there are only files which are needed for unit tests.

https://pagure.io/freeipa/issue/6974

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-08-31 10:35:03 +02:00
Pavel Vomacka
46fba2128f Add loader.js into requirements of all HTML unit test files
https://pagure.io/freeipa/issue/6974

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-08-31 10:35:03 +02:00
Pavel Vomacka
4eb37d7436 WebUI: remove creating js/libs symlink from makefile
This patchset returns back js directory with its symlinks into
the repository so it does not need to be created during build.

https://pagure.io/freeipa/issue/6447

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-08-30 16:15:57 +02:00
Pavel Vomacka
0ee7db75e4 WebUI: Remove plugins symlink as it is unused
The plugins symlink points to non-existing directory and is currently
not used. It also causes errors in freeipa-pr-ci during creating
tarball.

https://pagure.io/freeipa/issue/6447

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-08-30 16:15:57 +02:00
Pavel Vomacka
41a18bbbc8 Remove all old JSON files
JSON files were used as source of information for offline WebUI.

https://pagure.io/freeipa/issue/6447

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-08-30 16:15:57 +02:00
Pavel Vomacka
6ad92d3a4f Revert "Web UI: Remove offline version of Web UI"
This reverts commit 24525fd086.
The reverted commit removed symlinks which allowed unit tests to
access FreeIPA code.

https://pagure.io/freeipa/issues/6447

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-08-30 16:15:57 +02:00
Tomas Krizek
661e611d14
dnssec: fix localhsm.py utility script
See e6b2ed6b68 for details.

Fixes https://pagure.io/freeipa/issue/7116

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-08-30 16:00:23 +02:00
Felipe Volpone
0b7d9c5a7b
Removing part of circular dependency of ipalib in ipaplaform
After commit cac3475, ipa-backup is broken due to circular
dependencies. This fixes it, removing circular dependency
of ipalib. The ipalib.constants.IPAAPI_USER is now passed
as parameter to the function that use it.

https://pagure.io/freeipa/issue/7108

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-08-30 15:51:39 +02:00
Martin Babinsky
a2de6a17c5 Move tmpfiles.d configuration handling back to spec file
Since ipaapi user is now created during RPM install and not in runtime,
we may switch back to shipping tmpfiles.d configuration directly in RPMs
and not create it in runtime, which is a preferred way to handle drop-in
configuration anyway.

This also means that the drop-in config will be shipped in /usr/lib
instead of /etc according to Fedora packaging guidelines.

This partially reverts commit 38c66896de.

https://pagure.io/freeipa/issue/7053

Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2017-08-30 13:05:23 +02:00
Martin Basti
dffddbd2c0 DNS update: reduce timeout for CA records
Timeout 120 seconds is quite long and it makes uninstallation too long
for. Given that this is non critical operation and may be executed
manually later, waiting 120 seconds is too much. Usually waiting longer
will not help at all to resolve missing record.

30 seconds is long enough 🕯

https://pagure.io/freeipa/issue/6176

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-08-30 13:02:59 +02:00
Florence Blanc-Renaud
ee5345ac05 Fix Certificate renewal (with ext ca)
Fix certificate renewal scripts that use IPACertificate object:
- renew_ca_cert adds the C flag to the trust flags and needs to
be adapted to IPACertificate object
- ipa-cacert-manage: fix python3 encoding issue

https://pagure.io/freeipa/issue/7106

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-08-30 12:58:58 +02:00
Stanislav Laznicka
170f7a778b certmonger: remove temporary workaround
During recent refactoring, a workaround was added to make it
possible for OpenSSL backend of python-cryptography to read PEM
certificates returned by dogtag-ipa-renew-agent-submit. This was
fixed in latest certmonger version.

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-08-30 12:55:59 +02:00
Tomas Krizek
3091938c0b prci: add caless tests
Add TestServerReplicaCALessToCAFull to PR CI test suite.

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-08-30 12:53:53 +02:00
Florence Blanc-Renaud
69bda6b440 Fix ipa-server-upgrade: This entry already exists
ipa-server-upgrade fails when running the ipaload_cacrt plugin. The plugin
finds all CA certificates in /etc/httpd/alias and uploads them in LDAP
below cn=certificates,cn=ipa,cn=etc,$BASEDN.
The issue happens because there is already an entry in LDAP for IPA CA, but
with a different DN. The nickname in /etc/httpd/alias can differ from
$DOMAIN IPA CA.

To avoid the issue:
1/ during upgrade, run a new plugin that removes duplicates and restarts ldap
(to make sure that uniqueness attr plugin is working after the new plugin)
2/ modify upload_cacert plugin so that it is using $DOMAIN IPA CA instead of
cn=$nickname,cn=ipa,cn=etc,$BASEDN when uploading IPA CA.

https://pagure.io/freeipa/issue/7125

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-08-30 12:47:53 +02:00
Stanislav Laznicka
1b78f79283 cert: fix wrong assumption of cert-show result type
cert-show returns a base64 encoded certificate yet the assumption
here was for a PEM bytes instance.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2017-08-30 12:44:46 +02:00
Stanislav Laznicka
e09b6c2602 rpc: don't encode bytes
bytes.encode() appeared in rpc.py by a mistake, should have been
bytes.decode()

https://pagure.io/freeipa/issue/4985

Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2017-08-30 12:44:46 +02:00
Fraser Tweedale
947ac4bc1f py3: handle bytes in schema response
If a server is running under py2 it could return a bytes value for
the 'topic_topic' field in the schema response.  A py3 client fails
to handle this (in one place it applies 'str' to it, which raises
BytesWarning; in other places it tries to serialise the schema to
JSON which fails because of the bytes value).

Handle the case where 'topic_topic' is not unicode, and handle bytes
values when serialising the schema to JSON.

Fixes: https://pagure.io/freeipa/issue/6809
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-08-29 13:05:20 +02:00
Fraser Tweedale
9cead4da2e py3: fix vault public key decoding
Part of: https://pagure.io/freeipa/issue/7033

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-08-29 13:03:25 +02:00
Fraser Tweedale
cac7357ebd cert: fix application of 'str' to bytes when formatting otherName
Part of: https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-08-29 13:01:31 +02:00
Stanislav Laznicka
0be9a17211 py3: Fix searching for yubikeys
Bumping the requirements for the python-yubikey package. This is
unfortunately most probably fixed only in Fedora because there was no
upstream release for about a year and a half now. That also means
bumping the version in ipasetup.py.in would be pointless.

https://pagure.io/freeipa/issue/7121

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-08-29 12:59:23 +02:00
Fraser Tweedale
b1e1109679 py3: fix schema response for py2 server with py3 client
The schema RPC response can include a bytes value for the
'topic_topic' field (when the server is running in Python 2).
In this case, a Python 3 client fails to initialise the API
when a schema fetch is required, because it cannot serialise
the bytes values in the schema object to JSON.

Ensure the 'topic_topic' value is unicode.

Part of: https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-08-29 12:57:02 +02:00
Stanislav Laznicka
2bc5b7f044 py3: remove relative import
https://pagure.io/freeipa/issue/4985
https://pagure.io/freeipa/issue/6874

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-08-29 12:55:25 +02:00
Stanislav Laznicka
e6a9de8a2e py3: remove Exception.message appearances
Exception.message is removed in Python3

https://pagure.io/freeipa/issue/4985
https://pagure.io/freeipa/issue/6874

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-08-29 12:55:25 +02:00
Stanislav Laznicka
7a86ff5d9b Fix cert file creation during CA-less installation
When writing extracted certs and keys to the file, we opened the
same file at a different spot but the original file position
indicator would not be moved when the certificate is written there.
The result is that the certificate gets rewritten by the private
key.  This commit fixes it.

Fixes: https://pagure.io/freeipa/issue/7118
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-08-25 09:48:02 +02:00
Fraser Tweedale
477b3dca80 Fix incorrect 'with' statement in CA-less installation
Part of: https://pagure.io/freeipa/issue/7118

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-08-25 09:48:02 +02:00
Stanislav Laznicka
6ca8787cc7 Uninstall: fix BytesWarning exception
When uninstalling, if server does not have all roles, exception
is thrown as the role is not found. `member_principal` variable
has to be string here, otherwise we're using str on bytes.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-08-25 09:42:51 +02:00
Stanislav Laznicka
31142ead83 Unify storing certificates in LDAP
Recent certificate refactoring left the system in a state where
the certificates are somewhere converted to DER format, somewhere
directly sent to ipaldap as IPACertificate objects. The latter
is the desirable way, make sure it's the one commonly used.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-08-25 09:40:15 +02:00
Stanislav Laznicka
2151ab02c1 py3: fix caless to CA promotion on replica
https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-08-25 09:25:19 +02:00
Alexander Bokovoy
928374ca7d dcerpc: support Python 3
Make 'ipa trust-add' work under Python 3. One needs patches from
https://lists.samba.org/archive/samba-technical/2017-July/121746.html
to Samba too.

Since we haven't switched whole ipa server environment to Python 3 yet,
following packages need to be installed to make trust code working under
Python 3:

 - python3-libsss_nss_idmap
 - python3-sss
 - python3-samba
 - python3-mod_wsgi

Fixes: https://pagure.io/freeipa/issue/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-08-23 09:03:12 +02:00
Stanislav Laznicka
6fc7a96e11 cacert_manage: fix CA cert renewal
Since IPACertificate object is passed to CAInstance's
update_people_entry() and update_authority_entry(),
these are not be able to load this object as a certificate again and
thus would fail. This commit fixes that.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-23 08:59:54 +02:00
Rob Crittenden
a37e90530f Include the CA basic constraint in CSRs when renewing a CA
The CSR generated by `ipa-cacert-manage renew --external-ca` did
not include the CA basic constraint:

  X509v3 Basic Constraints: critical
      CA:TRUE

Add a flag to certmonger::resubmit_request to specify that a
CA is being requested.

Note that this also sets pathlen to -1 which means an unlimited
pathlen. Leave it up to the issuing CA to set this.

https://pagure.io/freeipa/issue/7088

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-22 11:05:37 +02:00
Stanislav Laznicka
7ef6de931b python3: port certmonger requests script
This commit fixes requesting certificates via certmonger in Python 3.
This includes dogtag-ipa-ca-renew-agent-submit script and scripts
used during the scripts restarting.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-22 10:53:39 +02:00