Commit Graph

11290 Commits

Author SHA1 Message Date
Ben Lipton
136c6c3e2a csrgen: Change to pure openssl config format (no script)
https://pagure.io/freeipa/issue/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-03 07:46:30 +00:00
Ben Lipton
5420e9cfbe csrgen: Remove helper abstraction
All requests now use the OpenSSL formatter. However, we keep Formatter
a separate class so that it can be changed out for tests.

https://pagure.io/freeipa/issue/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-03 07:46:30 +00:00
Christian Heimes
6c092c24b2 Skip test_session_storage in ipaclient unittest mode
The test class depends on a working Kerberos configuration and session.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-31 13:48:47 +02:00
Christian Heimes
e357133fd7 Add make devcheck for developers
Ticket 6604 makes pylint and jsl optional dependencies. The change
is controversal, because some developers prefer that pylint and jsl
should be required unless explicitly disabled.

`make devcheck` is my answer to address the concerns. It's a superior
solution to `make lint` as pre-commit check. It combines several
additional checks under a single, easy rememberable and convenient make
target:

* build all
* acilint, apiclient, jslint, polint
* make check
* pylint under Python 2 and 3
* subset of unit test suite

https://fedorahosted.org/freeipa/ticket/6604

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-31 13:48:47 +02:00
Abhijeet Kasurde
a1bb442054 Hide request_type doc string in cert-request help
Fix hides description of request_type argument in cert-request
command help

Fixes https://pagure.io/freeipa/issue/6494
Fixes https://pagure.io/freeipa/issue/5734

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-03-31 12:32:51 +02:00
Jan Cholasta
2b33230f66 setup, pylint, spec file: drop python-nss dependency
Remove the unused python-nss dependency.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-03-31 12:20:35 +02:00
Jan Cholasta
9183cf2a75 certdb: use certutil and match_hostname for cert verification
Use certutil and ssl.match_hostname calls instead of python-nss for
certificate verification.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-03-31 12:20:35 +02:00
Gabe
274b0bcf5f Add --password-expiration to allow admin to force user password expiration
- Allows an admin to easily force a user to expire their password forcing the user to change it immediately or at a specified time in the future

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-31 12:19:40 +02:00
Christian Heimes
d06315de6b session storage parameters must be bytes
Fixes TypeError: bytes or integer address expected instead of str instance

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-31 12:18:43 +02:00
Florence Blanc-Renaud
b96a942cdc ipa-ca-install man page: Add domain level 1 help
In domain level 1 ipa-ca-install does not require a replica-file. Update the
man page to distinguish the domain level 0 or 1 usage.

https://pagure.io/freeipa/issue/5831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-31 12:16:58 +02:00
Stanislav Laznicka
fe7cf1e854 Remove redundant option check for cert files
There was a redundant check for CA-less install certificate files
for replicas but the same check is done for all installers before
that.

https://pagure.io/freeipa/issue/6801

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-30 15:41:35 +02:00
Stanislav Laznicka
8af884d048 replica-prepare man: remove pkinit option refs
Remove the references to the pkinit options which was forgotten
about in 46d4d534c0

https://pagure.io/freeipa/issue/6801

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-30 15:41:35 +02:00
Stanislav Laznicka
9e3ae785ac Don't allow setting pkinit-related options on DL0
pkinit is not supported on DL0, remove options that allow to set it
from ipa-{server,replica}-install.

https://pagure.io/freeipa/issue/6801

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-30 15:41:35 +02:00
Stanislav Laznicka
6cda1509a6 Fix the order of cert-files check
Without this patch, if either of dirsrv_cert_files, http_cert_files
or pkinit_cert_files is set along with no-pkinit, the user is first
requested to add the remaining options and when they do that,
they are told that they are using 'no-pkinit' along with
'pkinit-cert-file'.

https://pagure.io/freeipa/issue/6801

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-30 15:41:35 +02:00
Martin Babinsky
2eabb0dab7 Remove duplicate functionality in upgrade
Since krbinstance code can now handle all operations of the
`enabled_anonymous_principal` function from upgrade we can remove
extraneous function altogether.

https://pagure.io/freeipa/issue/6799

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-30 15:30:56 +02:00
Martin Babinsky
191668e85b Always check and create anonymous principal during KDC install
The anonymous principal will now be checked for presence and created on
both server and replica install. This fixes errors caused during replica
installation against older master that do not have anonymous principal
present.

https://pagure.io/freeipa/issue/6799

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-30 15:30:56 +02:00
Abhijeet Kasurde
7fddc1df57 Hide PKI Client database password in log file
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-30 13:20:57 +02:00
Christian Heimes
397e671697 Fix ipatests.util doc tests
Doctests of ipatests.util fail under Python 3.

The old test scenario does no longer work on Python 3 since u'how are you'
and 'how are you' have identical type, but u'how are you' != b'how are you'.
It works with int / float on all Python versions.

Python 2 has <type 'int'> while Python 3 uses <class 'int'>.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-30 13:20:13 +02:00
Fabiano Fidêncio
e03056cf34 Allow erasing ipaDomainResolutionOrder attribute
Currently when trying to erase the ipaDomainResolutionOrder attribute we
hit an internal error as the split() method is called on a None object.

By returning early in case of empty string we now allow removing the
ipaDomainResolutionOrder attribute by both calling delattr or setting
its value to an empty string.

https://pagure.io/freeipa/issue/6825

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-30 13:19:11 +02:00
Alexander Bokovoy
0d817ae63a adtrust: make sure that runtime hostname result is consistent with the configuration
FreeIPA's `ipasam` module to Samba uses gethostname() call to identify
own server's host name. This value is then used in multiple places,
including construction of cifs/host.name principal. `ipasam` module
always uses GSSAPI authentication when talking to LDAP, so Kerberos
keys must be available in the /etc/samba/samba.keytab. However, if
the principal was created using non-FQDN name but system reports
FQDN name, `ipasam` will fail to acquire Kerberos credentials.
Same with FQDN principal and non-FQDN hostname.

Also host name and principal name must have the same case.

Report an error when configuring ADTrust instance with inconsistent
runtime hostname and configuration. This prevents errors like this:

    [20/21]: starting CIFS services
    ipa         : CRITICAL CIFS services failed to start

    where samba logs have this:

    [2017/03/20 06:34:27.385307,  0] ipa_sam.c:4193(bind_callback_cleanup)
      kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/ipatrust@EXAMPLE.COM
    [2017/03/20 06:34:27.385476,  1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
      Connection to LDAP server failed for the 16 try!

Fixes https://pagure.io/freeipa/issue/6786

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-30 13:17:21 +02:00
Martin Babinsky
5c22f905d4 Ensure KDC is propery configured after upgrade
https://pagure.io/freeipa/issue/6792

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-30 13:09:42 +02:00
Martin Babinsky
17aa51ef02 Split out anonymous PKINIT test to a separate method
This allows for more flexibility in the whole PKINIT setup process.

https://pagure.io/freeipa/issue/6792

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-30 13:09:42 +02:00
Martin Babinsky
1fc48cd0af Remove unused variable from failed anonymous PKINIT handling
https://pagure.io/freeipa/issue/6792

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-30 13:09:42 +02:00
Martin Babinsky
c2d95d3962 Upgrade: configure PKINIT after adding anonymous principal
In order to set up PKINIT, the anonymous principal must already be
created, otherwise the upgrade with fail when trying out anonymous
PKINIT. Switch the order of steps so that this issue does not occur.

https://pagure.io/freeipa/issue/6792

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-30 13:09:42 +02:00
Abhijeet Kasurde
6d4c917440 Use with statement for opening file
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-30 13:08:08 +02:00
Alexander Bokovoy
67e5244cad
server: make sure we test for sss_nss_getlistbycert
Fixes https://pagure.io/freeipa/issue/6828

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-29 10:34:59 +02:00
Jan Cholasta
b18ee8b9dd
spec file: bump libsss_nss_idmap-devel BuildRequires
Bump BuildRequires on libsss_nss_idmap-devel to the version which
introduces the sss_nss_getlistbycert function.

This fixes RPM build failure when an older version of
libsss_nss_idmap-devel was installed.

https://pagure.io/freeipa/issue/6828

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-03-29 10:33:25 +02:00
Sumit Bose
8960398a57
extdom: improve cert request
Certificates can be assigned to multiple user so the extdom plugin must
use sss_nss_getlistbycert() instead of sss_nss_getnamebycert() and
return a list of fully-qualified user names.

Due to issues on the SSSD side the current version of lookups by
certificates didn't work at all and the changes here won't break
existing clients.

Related to https://pagure.io/freeipa/issue/6826

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-28 18:21:18 +02:00
Sumit Bose
ee455f163d
extdom: do reverse search for domain separator
To avoid issues which @-signs in the short user or group names it is
better to search for the domain separator starting at the end of the
fully-qualified name.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-28 18:21:18 +02:00
David Kupka
0128e805e5
httpinstance.disable_system_trust: Don't fail if module 'Root Certs' is not available
Server installation failed when attmpting to disable module 'Root Certs' and
the module was not available in HTTP_ALIAS_DIR. When the module is not
available there's no need to disable it and the error may be treated as
success.

https://pagure.io/freeipa/issue/6803

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-28 17:10:54 +02:00
Stanislav Laznicka
e204d030fc
Generate PIN for PKI to help Dogtag in FIPS
Dogtag is currently unable to generate a PIN it could use for
an NSS database creation in FIPS. Generate it for them so that
we don't fail.

https://pagure.io/freeipa/issue/6824

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-28 17:07:20 +02:00
Jan Cholasta
2dda1acf44 spec file: bump krb5-devel BuildRequires for certauth
Bump BuildRequires on krb5-devel to the version which introduces the
certauth pluggable interface.

This fixes RPM build failure when an older version of krb5-devel was
installed.

https://pagure.io/freeipa/issue/4905

Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-28 14:03:54 +00:00
Christian Heimes
f5bf5466ed Use Custodia 0.3.1 features
* Use sd-notify in ipa-custodia.service
* Introduce libexec/ipa/ipa-custodia script. It comes with correct
  default setting for IPA's config file. The new file also makes it
  simpler to run IPA's custodia instance with its own SELinux context.
* ipapython no longer depends on custodia

The patch addresses three issues:

* https://bugzilla.redhat.com/show_bug.cgi?id=1430247
  Forward compatibility with Custodia 0.3 in Fedora rawhide
* https://pagure.io/freeipa/issue/5825
  Use sd-notify
* https://pagure.io/freeipa/issue/6788
  Prepare for separate SELinux context

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-28 15:02:06 +02:00
David Kupka
27d13d90fe spec file: Bump requires to make Certificate Login in WebUI work
gssproxy >= 0.7.0-2 - fixes impersonator checking
mod_lookup_identity >= 0.9.9 - adds support for single certificate assigned to multiple users
mod_nss >= 1.0.14-3 - no longer sets remote user in fixup hook
sssd-dbus >= 1.15.2 - adds FindByNameAndCertificate DBus method

https://pagure.io/freeipa/issue/6823

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-28 14:24:18 +02:00
Simo Sorce
d63326632b
Prevent churn on ccaches
We slice down the received cookie so that just the content that matter
is preserved. Thi is ok because servers can't trust anything else anyway
and will accept a cookie with the ancillary data missing.

By removing variable parts like the expiry component added by
mod_session or the Expiration or Max-Age metadata we keep only the part
of the cookie that changes only when a new session is generated.

This way when storing the cookie we actually add a new entry in the
ccache only when the session actually changes, and this prevents churn
on FILE based ccaches.

Related https://pagure.io/freeipa/issue/6775

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-03-28 13:36:30 +02:00
Simo Sorce
e07aefb886
Work around issues fetching session data
Unfortunately the MIT krb5 library has a severe limitation with FILE
ccaches when retrieving config data. It will always only search until
the first entry is found and return that one.

For FILE caches MIT krb5 does not support removing old entries when a
new one is stored, and storage happens only in append mode, so the end
result is that even if an update is stored it is never returned with the
standard krb5_cc_get_config() call.

To work around this issue we simply implement what krb5_cc_get_config()
does under the hood with the difference that we do not stop at the first
match but keep going until all ccache entries have been checked.

Related https://pagure.io/freeipa/issue/6775

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-03-28 13:36:30 +02:00
Simo Sorce
fbbeb132bf
Handle failed authentication via cookie
If cookie authentication fails and we get back a 401 see if we
tried a SPNEGO auth by checking if we had a GSSAPI context. If not
it means our session cookie was invalid or expired or some other
error happened on the server that requires us to try a full SPNEGO
handshake, so go ahead and try it.

Fixes https://pagure.io/freeipa/issue/6775

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-03-28 13:36:30 +02:00
Simo Sorce
9a6ac74eb4
Avoid growing FILE ccaches unnecessarily
Related https://pagure.io/freeipa/issue/6775

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-03-28 13:36:30 +02:00
Stanislav Laznicka
dc13703e75
Backup CA cert from kerberos folder
https://pagure.io/freeipa/issue/6748

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-28 13:16:35 +02:00
Florence Blanc-Renaud
f17460a34c
git-commit-template: update ticket url to use pagure.io instead of fedorahosted.org
After the migration to pagure.io, tickets are accessed through another URL.

In order to use the commit template:
git config commit.template .git-commit-template

https://pagure.io/freeipa/issue/6822

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-28 13:10:08 +02:00
David Kupka
7e1fdd2c58 rpcserver.login_x509: Actually return reply from __call__ method
__call__ didn't return causing internal error in wsgi application. Previously
this bug was hidden by some other error and the code worked even though it
shouldn't.

https://pagure.io/freeipa/issue/6819

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-03-28 13:04:39 +02:00
Christian Heimes
abefb64bea Simplify KRA transport cert cache
In-memory cache causes problem in forking servers. A file based cache is
good enough. It's easier to understand and avoids performance regression
and synchronization issues when cert becomes out-of-date.

https://pagure.io/freeipa/issue/6787
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-28 08:10:03 +00:00
Florence Blanc-Renaud
e934da09d5 dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function
dogtag-ipa-ca-renew-agent-submit behaves differently depending on the
certificate it needs to renew. For instance, some certificates (such as IPA RA)
are the same on all the hosts and the renewal is actually done only on
the renewal master. On other nodes, the new cert is downloaded from LDAP.

The function is_replicated() is returning the opposite as what it should. If
the cert nickname is IPA RA, it should return that the cert is replicated but
it doesn't, and this leads to a wrong code path to renew the cert.

https://pagure.io/freeipa/issue/6813

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-28 07:01:37 +00:00
David Kupka
3dcd342631 Create temporaty directories at the begining of uninstall
Since commit 38c6689 temporary directories are no longer created at package
install time. Instead they're created at server install time.
Some steps in uninstall also assume that temporary direcories exist. Creating
the directories in the begining of server uninstall ensure that the uninstall
will go through.

https://pagure.io/freeipa/issue/6715

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-28 08:45:56 +02:00
Stanislav Laznicka
8c1409155e Allow renaming of the sudorule objects
The recent changes allow the sudorule objects to be renamed.

https://pagure.io/freeipa/issue/2466

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-27 19:08:26 +02:00
Stanislav Laznicka
55424c8677 Allow renaming of the HBAC rule objects
The recent changes allow HBAC rule objects to be renamed.

https://pagure.io/freeipa/issue/6784

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-27 19:08:26 +02:00
Stanislav Laznicka
8e4408e678 Reworked the renaming mechanism
The rename operation on *_mod commands was only allowed when
the primary key of an entry was also its RDN. With these changes,
it should be possible to rename the rest of the entries as well.

An attribute to the base LDAPObject was added to whitelist the
objects we want to allow to be renamed. It replaced an old
attribute rdn_is_primary_key which was used for the very same
purpose but the name was confusing because it was not set
correctly for certain objects.

https://pagure.io/freeipa/issue/2466
https://pagure.io/freeipa/issue/6784

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-27 19:08:26 +02:00
Stanislav Laznicka
b7ae3363fd Bump samba version for FIPS and priv. separation
With the latest Samba, adding trusts to AD under FIPS should now work
as well as adding trusts as a whole after the privilege separation
rework.

https://pagure.io/freeipa/issue/6671
https://pagure.io/freeipa/issue/6697

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-27 18:51:11 +02:00
Pavel Vomacka
84b38b6793 WebUI: Allow to add certs to certmapping with CERT LINES around
The certificate to the certmapping might be inserted as
base64 encoded blob. This patch allows to also insert the certificate
blob with surrounding "-----BEGIN CERTIFICATE-----" and
"-----END CERTIFICATE-----" lines. This behavior is the same in
widget for assigning certificates to users, so the change helps
WebUI to be more consistent.

https://pagure.io/freeipa/issue/6772

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-03-27 18:48:51 +02:00
Martin Basti
eeaf428b1b Set "KDC:Disable Last Success" by default
In big deployments enabled recording of the last sucesfull login
this creates a huge changelog on DS side and cause performance
issues even if this is excluded from replication.

Actually this is not used directly by FreeIPA so it is safe to remove
in new installations. User who need this must manually remove
"KDC:Disable Last Success" using `ipa config-mod` command or WebUI.

https://pagure.io/freeipa/issue/5313

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-27 18:24:05 +02:00