Commit Graph

542 Commits

Author SHA1 Message Date
Jan Cholasta
a929ac3338 install: use standard Python classes to declare knob types
Use type(None) rather than bool to define knobs which are represented as
command line flags. This allows declaring both "--option" and
"--option={0,1}"-style command line options.

Use enum.Enum subclasses instead of set literals to declare enumerations.

Use typing.List[T] instead of (list, T) to declare lists. (Note that a
minimal reimplementation of typing.List is used instead of the Python 2
backport of the typing module due to non-technical reasons.)

Use CheckedIPAddress instead of 'ip' and 'ip-local' to declare IP
addresses.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-11 12:17:25 +01:00
Jan Cholasta
9fd1981ae8 install: introduce updated knob constructor
Add new knob() knob constructor. Keep the old Knob() constructor for
backward compatibility with old code.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-11 12:17:25 +01:00
Jan Cholasta
be0c1afa74 install: simplify CLI option parsing
Let IPAOptionParser handle parsing of its supported types and use an option
callback only for unsupported types.

Instead of parsing positional arguments manually, parse them using a custom
IPAOptionParser instance, reusing the option parsing code.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-11 12:17:25 +01:00
Jan Cholasta
a641e279ff install: improve CLI positional argument handling
Instead of specifying which knobs should be positional arguments in
cli.install_tool(), do it using a flag in knob definition, where the rest
of CLI configuration is.

As a side effect, the usage string for CLI tools can now be generated
automatically.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-11 12:17:25 +01:00
Tomas Krizek
a68c95d116 ipaldap: remove do_bind from LDAPClient
Remove do_bind() method that was a relict used in IPAdmin. Replace
its uses with simple / external binds.

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-10 17:40:49 +01:00
Florence Blanc-Renaud
808b1436b4 Refactor installer code requesting certificates
- Temporary modify certmonger dogtag-ipa-ca-renew helper to request the IPA RA
agent cert, using the temp cert created during pkispawn. The cert request
is now processed through certmonger, and the helper arguments are restored
once the agent cert is obtained.

- Modify the installer code creating HTTP and LDAP certificates to use
certmonger's IPA helper with temporary parameters (calling dogtag-submit
instead of ipa-submit)

- Clean-up for the integration tests: sometimes ipa renewal.lock is not
released during ipa-server-uninstall. Make sure that the file is removed
to allow future installations.

https://fedorahosted.org/freeipa/ticket/6433

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2016-11-10 14:15:57 +01:00
Fraser Tweedale
db116f73fe x509: use python-cryptography to process certs
Update x509.load_certificate and related functions to return
python-cryptography ``Certificate`` objects.  Update the call sites
accordingly, including removal of NSS initialisation code.

Also update GeneralName parsing code to return python-cryptography
GeneralName values, for consistency with other code that processes
GeneralNames.  The new function, `get_san_general_names`, and
associated helper functions, can be removed when python-cryptography
provides a way to deal with unrecognised critical extensions.

Part of: https://fedorahosted.org/freeipa/ticket/6398

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-11-10 10:21:47 +01:00
Fraser Tweedale
9522970bfa dn: support conversion from python-cryptography Name
The upcoming change to using python-cryptography for certificate
process will require a way to convert
``cryptography.x509.name.Name`` values to ``ipapython.dn.DN``.
Update the ``DN`` constructor to accept a ``Name``.

Part of: https://fedorahosted.org/freeipa/ticket/6398

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-11-10 10:21:47 +01:00
Petr Spacek
8de11b091f Build: Makefiles for Python packages
This version builds only one version of Python packages. If you want to
build for Python 2 & 3 call configure twice using different --with-python
or specify PYTHON variable when calling make.

dist-hook is using SOURCES.txt file from egg-info.
According to Petr Viktorin this should be enough for our purposes
and avoids need to create plugins for setuptools.

Currently VPATH builds do not work for various reasons.
This should be fixed later on.

Most credit goes to these guys:
 Christian Heimes <cheimes@redhat.com>
 Petr Viktorin <pviktori@redhat.com>
 Kevin Brown <kevin@kevin-brown.com>

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
c48e5fd811 Build: move version handling from Makefile to configure
Version information is now in VERSION.m4 instead of VERSION.
Makefile target version-update was minimized and configure can be run
before make. Makefile temporarily contains hardcoded version which has
to match the one specified in VERSION.m4.

This is preparatory step which will allow us to replace hand-made
Makefile with one generated by Automake.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Tomas Krizek
5b81dbfda1 ipaldap: merge IPAdmin to LDAPClient
* move IPAdmin methods to LDAPClient
* add extra arguments (cacert, sasl_nocanon) to LDAPClient.__init__()
* add host, port, _protocol to LDAPClient (parsed from ldap_uri)
* create get_ldap_uri() method to create ldap_uri from former
    IPAdmin.__init__() arguments
* replace IPAdmin with LDAPClient + get_ldap_uri()
* remove ununsed function argument hostname from
    enable_replication_version_checking()

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-11-07 11:34:03 +01:00
Tomas Krizek
4f1a6a1776 ipaldap: merge gssapi_bind to LDAPClient
* Rename do_sasl_gssapi_bind to gssapi_bind

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-11-07 11:34:03 +01:00
Tomas Krizek
60e38ecc7f ipaldap: merge external_bind into LDAPClient
* Rename do_external_bind to external_bind
* Remove user_name argument in  external_bind() and always set it
    to effective user name

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-11-07 11:34:03 +01:00
Tomas Krizek
de58a5c605 ipaldap: merge simple_bind into LDAPClient
* Use LDAPClient.simple_bind instead of extra call to IPAdmin.do_simple_bind
* Rename binddn to bind_dn
* Rename bindpw to bind_password
* Explicitly specify bind_dn in all calls

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-11-07 11:34:03 +01:00
Tomas Krizek
5760b7e983 ipaldap: remove wait/timeout during binds
Testing whether it is possible to connect to directory server is already done
in RedHatDirectoryService.restart().

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-11-07 11:34:03 +01:00
Christian Heimes
91920e7cb4 Add __name__ == __main__ guards to setup.pys
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
2016-10-25 18:11:31 +02:00
Jan Cholasta
0d370a959b pylint: enable the import-error check
Check for import errors with pylint to make sure new python package
dependencies are not overlooked.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-24 14:11:08 +02:00
Christian Heimes
e12a70a8b1 Remove ipapython/ipa.conf
The file ipapython/ipa.conf is no longer used and not installed.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-20 18:43:37 +02:00
Christian Heimes
4cd83fb51c Port all setup.py to setuptools
All setup.py files are now using setuptools through a common file
ipasetup.py. The file is auto-generated and contain all common
settings.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-20 18:43:37 +02:00
David Kupka
fb85230e25 UnsafeIPAddress: Implement __(g|s)etstate__ and to ensure proper (un)pickling
Missing attributes in instance created by pickle.load cause AttributeError in
second part of ipa-server-install --external-ca.

https://fedorahosted.org/freeipa/ticket/6385

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-10-12 10:42:24 +02:00
Martin Babinsky
71f642f751 do not use keys() method when iterating through dictionaries
pylint-1.6.4-1.fc26.noarch reports "C0201(consider-iterating-dictionary)" when
building FreeIPA, we have to fix these errors

https://fedorahosted.org/freeipa/ticket/6391

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-12 10:38:52 +02:00
Martin Babinsky
29829cc55a remove trailing newlines form python modules
pylint-1.6.4-1.fc26.noarch reports these, hence they should be fixed in order
to build FreeIPA with this version

https://fedorahosted.org/freeipa/ticket/6391

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-12 10:38:52 +02:00
Martin Basti
4628522c53 Pylint: fix the rest of unused local variables
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-10-11 16:50:32 +02:00
Martin Basti
d937588146 Pylint: remove unused variables from installers and scripts
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-10-06 10:43:36 +02:00
Christian Heimes
ac94d32c4f Add iSecStore.span
In the future Custodia is going to make CSStore.span an abstract method.

Closes: https://fedorahosted.org/freeipa/ticket/6365
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-06 10:39:15 +02:00
Martin Babinsky
4d994bee60 Move character escaping function to ipautil
Functions `escape_seq` and `unescape_seq` have a generic use-case so it makes
sense to move them from `kerberos` to ipautil module so that other modules can
reuse them more readily.

https://fedorahosted.org/freeipa/ticket/5809

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-10-03 13:42:34 +02:00
Martin Basti
45e3aee352 Pylint: enable check for unused-variables
Unused variables may:
* make code less readable
* create dead code
* potentialy hide issues/errors

Enabled check should prevent to leave unused variable in code

Check is locally disabled for modules that fix is not clear or easy or have too many occurences of
unused variables

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-27 13:35:58 +02:00
Martin Basti
0f88f8fe88 Remove unused variables in the code
This commit removes unused variables or rename variables as "expected to
be unused" by using "_" prefix.

This covers only cases where fix was easy or only one unused variable
was in a module

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-27 13:35:58 +02:00
Martin Babinsky
f7764cda68 Make Continuous installer continuous only during execution phase
`common.Continuous` class is a basis for uninstallers, which should execute
all the steps regardless of occuring errors. However, we would like the
installer to raise exceptions and return non-zero exit code during validation
phase when some preconditions are not met.

Add a separate exception handler which catches exceptions and logs them as
errors during execution phase only.

https://fedorahosted.org/freeipa/ticket/5725

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-09-26 18:38:37 +02:00
Martin Babinsky
347f5ca0e1 use separate exception handlers for executors and validators
installer framework has been modified to allow for different error handling
during validation and execution phases.

https://fedorahosted.org/freeipa/ticket/5725

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-09-26 18:38:37 +02:00
Tomas Krizek
07ff1f619c Update man/help for --server option
The --server option now specifically mentions that
it expects the FQDN of the IPA server.

https://fedorahosted.org/freeipa/ticket/6202

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-09-23 15:04:53 +02:00
Jan Barta
71b3352ad0 pylint: fix bad-mcs-method-argument
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-09-22 16:52:57 +02:00
Jan Barta
8420d04f38 pylint: fix bad-mcs-classmethod-argument
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-09-22 16:52:57 +02:00
Jan Barta
9bc57a01e1 pylint: fix old-style-class
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-09-22 16:52:57 +02:00
Jan Barta
36484e8672 pylint: fix simplifiable-if-statement warnings
fix inefficient if statements, enable pylint check

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-09-22 16:52:57 +02:00
Tomas Krizek
ddf48f2fef Show error message for invalid IPs in client install
Re-raise the thrown exception to get an error message
instead of a traceback during ipa-client-install with
invalid IP address.

https://fedorahosted.org/freeipa/ticket/6340

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-09-21 10:26:24 +02:00
Martin Basti
71ad8d4fc9 Allow broadcast ip addresses
Currently environments may use prefix /31 on point-to-point connections what
makes IPA validators to fail. IPA should not care if IP address is broadcast
or not. In some cases (when prefix is not specified) IPA cannot decide
properly if broadcast address is really broadcast.

This commit allows usage of broadcast addresses in:
* host plugin
* dns plugin
* server-installer
* client-installer

https://fedorahosted.org/freeipa/ticket/5814

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-09-07 16:22:03 +02:00
Martin Basti
81d64d530c Allow network ip addresses
Currently cloud environments uses heavily prefix /32 (/128) what makes
IPA validators to fail. IPA should not care if IP address is network or not.
This commit allows usage of network addresses in:
* host plugin
* dns plugin
* server-installer
* client-installer

https://fedorahosted.org/freeipa/ticket/5814

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-09-07 16:22:03 +02:00
Martin Basti
db55bde15d Fix parse errors with link-local addresses
Link-local addresses received from netifaces contains '%suffix' that
causes parse error in IPNetwork class. We must remove %suffix before
it us used in IPNetwork objects.

https://fedorahosted.org/freeipa/ticket/6296

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-09-06 16:39:34 +02:00
Martin Basti
00d43095da Fix ScriptError to always return string from __str__
Use super for proper handling of exceptions. msg property was added due
compatibility with the current code.

https://fedorahosted.org/freeipa/ticket/6294

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-09-05 18:15:45 +02:00
Christian Heimes
4ae4d0d690 Use RSA-OAEP instead of RSA PKCS#1 v1.5
jwcrypto's RSA1-5 (PKCS#1 v1.5) is vulnerable to padding oracle
side-channel attacks. OAEP (PKCS#1 v2.0) is a safe, more modern
alternative.

https://fedorahosted.org/freeipa/ticket/6278

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-09-05 18:11:46 +02:00
Christian Heimes
d9ab0097e1 Secure permissions of Custodia server.keys
Custodia's server.keys file contain the private RSA keys for encrypting
and signing Custodia messages. The file was created with permission 644
and is only secured by permission 700 of the directory
/etc/ipa/custodia. The installer and upgrader ensure that the file
has 600.

https://bugzilla.redhat.com/show_bug.cgi?id=1353936
https://fedorahosted.org/freeipa/ticket/6056

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-24 16:59:43 +02:00
Martin Basti
86e156c3c5 Remove forgotten print from DN.__str__ implementation
These debug prints were forgotten there and should be removed, because
str(DN) is often operation and we may save time with handling exceptions
and printing unwanted debug

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-08-19 13:04:52 +02:00
Martin Basti
51ccde25f7 Increase default length of auto generated passwords
Installer/IPA generates passwords for warious purpose:
* KRA
* kerberos master key
* NSSDB password
* temporary passwords during installation

Length of passwords should be increased to 22, ~128bits of entropy, to
be safe nowadays.

https://fedorahosted.org/freeipa/ticket/6116

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-08-03 15:32:41 +02:00
Milan Kubík
8e83b9715a ipapython: Extend kinit_password to support principal canonicalization
In order to authenticate with a principal alias it is necessary
to request canonicalization of the principal. This patch extends
the kinit_password with this option.

The option to indicate enterprise principal has been added as well.

https://fedorahosted.org/freeipa/ticket/6142

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-07-29 09:04:42 +02:00
Martin Basti
f8bf8a6240 Use copy when replacing files to keep SELinux context
When installer replaces any file with newer, it must use 'copy' instead of
'mv' to keep SELinux context valid.

https://fedorahosted.org/freeipa/ticket/6111

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-07-22 16:46:55 +02:00
Florence Blanc-Renaud
bc7eb99a29 Fix session cookies
The CLI was not using session cookies for communication with IPA API.
The kernel_keyring code was expecting the keyname to be a string, but
in python 2 a unicode was supplied (the key is built using
ipa_session_cookie:%principal and principal is a unicode).

The patch fixes the assertions, allowing to store and retrieve the cookie.
It also adds a test with unicode key name.

https://fedorahosted.org/freeipa/ticket/5984

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-07-22 16:30:32 +02:00
Fraser Tweedale
b12db92414 Create server and host certs with DNS altname
Currently server (HTTP / LDAP) certs are created without a Subject
Alternative Name extension during server install, replica prepare
and host enrolment, a potentially problematic violation of RFC 2818.

Add the hostname as a SAN dNSName when these certs are created.

(Certmonger adds an appropriate request extension when renewing the
certificate, so nothing needs to be done for renewal).

Fixes: https://fedorahosted.org/freeipa/ticket/4970
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-07-19 14:18:04 +02:00
Petr Spacek
5e78b54d7c Fix internal errors in host-add and other commands caused by DNS resolution
Previously resolver was returning CheckedIPAddress objects. This
internal server error in cases where DNS actually returned reserved IP
addresses.

Now the resolver is returning UnsafeIPAddress objects which do syntactic
checks but do not filter IP addresses.

From now on we can decide if some IP address should be accepted as-is or
if it needs to be contrained to some subset of IP addresses using
CheckedIPAddress class.

This regression was caused by changes for
https://fedorahosted.org/freeipa/ticket/5710

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-07-01 10:35:39 +02:00
Petr Spacek
ce1f9ca51b Remove unused is_local(), interface, and defaultnet from CheckedIPAddress
All these were unused so I'm removing them to keep the code clean and
easier to read. At this point it is clear that only difference between
netaddr.IPAddress and CheckedIPAddress is prefixlen attribute.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-07-01 10:35:39 +02:00