Commit Graph

112 Commits

Author SHA1 Message Date
Rob Crittenden
f8798b3e16 Add SELinux subpackage for Thales Luna HSM support
This is simple, a port needs to be available to certmonger
to communicate during renewals of CA subsystem certificats.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rob Crittenden
87ecca0f18 Add SELinux subpackage for nCipher nfast HSM support
A number of files that need to be managed by certmonger
have unconfined_u:object_r:pki_common_t:s0.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Julien Rische
3f1b373cb2 Tolerate absence of PAC ticket signature depending of server capabilities
Since November 2020, Active Directory KDC generates a new type of
signature as part of the PAC. It is called "ticket signature", and is
generated based on the encrypted part of the ticket. The presence of
this signature is not mandatory in order for the PAC to be accepted for
S4U requests.

However, the behavior is different for MIT krb5. Support was added as
part of the 1.20 release, and this signature is required in order to
process S4U requests. Contrary to the PAC extended KDC signature, the
code generating this signature cannot be isolated and backported to
older krb5 versions because this version of the KDB API does not allow
passing the content of the ticket's encrypted part to IPA.

This is an issue in gradual upgrade scenarios where some IPA servers
rely on 1.19 and older versions of MIT krb5, while others use version
1.20 or newer. A service ticket that was provided by 1.19- IPA KDC will
be rejected when used by a service against a 1.20+ IPA KDC for S4U
requests.

On Fedora, CentOS 9 Stream, and RHEL 9, when the krb5 version is 1.20 or
newer, it will include a downstream-only update adding the
"optional_pac_tkt_chksum" KDB string attribute allowing to tolerate the
absence of PAC ticket signatures, if necessary.

This commit adds an extra step during the installation and update
processes where it adds a "pacTktSignSupported" ipaConfigString
attribute in "cn=KDC,cn=[server],cn=masters,cn=ipa,cn=etc,[basedn]" if
the MIT krb5 version IPA what built with was 1.20 or newer.

This commit also set "optional_pac_tkt_chksum" as a virtual KDB entry
attribute. This means the value of the attribute is not actually stored
in the database (to avoid race conditions), but its value is determined
at the KDC starting time by search the "pacTktSignSupported"
ipaConfigString in the server list. If this value is missing for at
least of them is missing, enforcement of the PAC ticket signature is
disabled by setting "optional_pac_tkt_chksum" to true for the local
realm TGS KDB entry.

For foreign realm TGS KDB entries, the "optional_pac_tkt_chksum" virtual
string attribute is set to true systematically, because, at least for
now, trusted AD domains can still have PAC ticket signature support
disabled.

Given the fact the "pacTktSignSupported" ipaConfigString for a single
server is added when this server is updated, and that the value of
"optional_pac_tkt_chksum" is determined at KDC starting time based on
the ipaConfigString attributes of all the KDCs in the domain, this
requires to restart all the KDCs in the domain after all IPA servers
were updated in order for PAC ticket signature enforcement to actually
take effect.

Fixes: https://pagure.io/freeipa/issue/9371
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-05-24 13:20:38 +02:00
Rob Crittenden
f347c3f230 Implement LDAP bind grace period 389-ds plugin
Add support for bind grace limiting per
https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-06

389-ds provides for alternative naming than the draft, using those
instead: passwordGraceUserTime for pwdGraceUserTime and
passwordGraceLimit for pwdGraceLoginLimit.

passwordGraceLimit is a policy variable that an administrator
sets to determine the maximum number of LDAP binds allowed when
a password is marked as expired. This is suported for both the
global and per-group password policies.

passwordGraceUserTime is a count per-user of the number of binds.

When the passwordGraceUserTime exceeds the passwordGraceLimit then
all subsequent binds will be denied and an administrator will need
to reset the user password.

If passwordGraceLimit is less than 0 then grace limiting is disabled
and unlimited binds are allowed.

Grace login limitations only apply to entries with the objectclass
posixAccount or simplesecurityobject in order to limit this to
IPA users and system accounts.

Some basic support for the LDAP ppolicy control is enabled such that
if the ppolicy control is in the bind request then the number of
remaining grace binds will be returned with the request.

The passwordGraceUserTime attribute is reset to 0 upon a password
reset.

user-status has been extended to display the number of grace binds
which is stored centrally and not per-server.

Note that passwordGraceUserTime is an operational attribute.

https://pagure.io/freeipa/issue/1539

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-05-30 17:24:22 +03:00
Alexander Bokovoy
2dc752018c ipa-kdb: refactor KDB driver to prepare for KDB version 9
MIT Kerberos 1.20 changes DAL interface around PAC record issuance:
sign_authdata callback is removed and replaced with issue_pac one.
The signatures are different and logic changed as well.

Prepare for KDB version 9 by moving PAC implementation into separate
source files. ipa_kdb_mspac.c is left with most of the common code.

FreeIPA supports sign_authdata callback since KDB version 6, move current
implementation to ipa_kdb_mspac_v6.c.

KDB version 8 actually changed sign_authdata interface and we accounted
to that in ipa_kdb.c with a stub that re-uses v6 version. Keep it as it
is right now.

Finally, add KDB version 9 stub files. Compiling against MIT Kerberos
1.20 does not work yet, thus explicit #error message in ipa_kdb.c. This
will be worked on later.

Related: https://pagure.io/freeipa/issue/9083

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-01-24 17:38:24 -05:00
Alexander Bokovoy
f019104061 Support building against OpenLDAP 2.6+
OpenLDAP 2.6 deprecated separate libldap/libldap_r, there is only one
(reentrant) variant for the library.

Attempt to use _r variant by default. In case it is missing, assume we
are using OpenLDAP 2.6 which has libraries without _r suffix. The
functions are still reentrant so there is not functional difference.

Fixes: https://pagure.io/freeipa/issue/9080

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-01-11 15:19:36 -05:00
Timo Aaltonen
9eecaddd86 configure: Use HTTPD_GROUP in init/tmpfiles/ipa.conf.in
This is a platform specific value.

Fixes: https://pagure.io/freeipa/issue/9014

Signed-off-by: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-11-25 21:02:56 -05:00
Rob Crittenden
ae05970ea7 ipa-getkeytab: add option to discover servers using DNS SRV
The basic flow is:

- If server is provided by the user then use it
- If server the magic value '_srv', check for _ldap._tcp SRV records for
  the domain in /etc/ipa/default.conf
- If no servers are found use the server from default.conf

https://pagure.io/freeipa/issue/8478

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-07-30 08:45:08 -04:00
Stanislav Levin
7fc0c04dc4 configure: Make rpmlint optional
Distributions may want to run comprehensive fastcheck or lint tasks,
but rpmlint tool is mandatory for these targets while some platforms
don't have it at all.

With this change the rpmlint becomes optional for fastcheck, devcheck
and lint make targets.

Note: rpmlint option is disabled by default.
To enable: ./configure --enable-rpmlint
To explicitly disable: ./configure --disable-rpmlint

Fixes: https://pagure.io/freeipa/issue/8768
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-03-29 10:16:12 +03:00
Christian Heimes
5ca918943c configure: ipaplatform falls back to ID_LIKE
The auto-detection code for IPAPLATFORM now falls back to ID_LIKE.

CentOS platform will now be treated as rhel-like, Ubuntu platforms as
debian-like automatically.

Fixes: https://pagure.io/freeipa/issue/8689
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-09 09:47:00 -05:00
Peter Keresztes Schmidt
f9357cb986 configure: Do not set -Wno-strict-aliasing -Wno-sign-compare
Related: https://pagure.io/freeipa/issue/8351
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-01-15 14:11:56 +01:00
Peter Keresztes Schmidt
a355646c37 build: Unify compiler warning flags used
Related: https://pagure.io/freeipa/issue/8351
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-01-15 14:11:56 +01:00
Peter Keresztes Schmidt
54b42f72fb configure: Fix source tree detection to enable more warnings
Related: https://pagure.io/freeipa/issue/8351
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-01-15 14:11:56 +01:00
Alexander Bokovoy
d81df964c2 util: Fix client-only build
Commit 26b9a69784 did not fully fix the
client-only build as util/ipa_pwd.c unconditionally includes
pwquality.h.

Make sure we define USE_PWQUALITY in the full server configuration and
if that one is defined, include libpwquality use.

Fixes: https://pagure.io/freeipa/issue/8587
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-18 16:23:05 +02:00
Rob Crittenden
26b9a69784 Wrap libpwquality PKG_CHECK_MODULES in ENABLE_SERVER test
libpwquality is only needed when building a server. Don't test
for it in a client build.

https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-09 09:41:27 -05:00
Rob Crittenden
3fc2eda4e1 Require libpwolicy and configure it in the build system
https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-10-23 09:32:52 -04:00
Alexander Bokovoy
3a42bc0960 extdom-extop: refactor tests to use unshare+chroot to override nss_files configuration
Unit tests for ipa-extdom-extop plugin use nss_files.so.2 module to test the
functionality instead of relying on SSSD API or nss_sss.so.2 module. The latter
two cannot be used in build environment.

nss_files.so.2 always tries to open /etc/passwd and /etc/group. In past, we
overloaded 'fopen()' to change the path to opened file but this stops working
after glibc consolidate file opening in nss_files with the code starting at
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=299210c1fa67e2dfb564475986fce11cd33db9ad,
this method is not usable anymore and builds against glibc 2.31.9000+ fail in
cmocka unit test execution in Rawhide.

Apply an alternative approach that uses a new user namespace to unshare the
test from its parent and chroot to the test data where expected /etc/passwd and
/etc/group are provided. This method works only on Linux, thus only run the
unit test on Linux.

In case unshare() or chroot() fail, we have to skip tests that use
nss_files.so.2.

Fixes: https://pagure.io/freeipa/issue/8437
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-08-04 18:43:22 +03:00
Peter Keresztes Schmidt
f6940772dd ipa-join: select {JSON,XML}-RPC at build time
Related: https://pagure.io/freeipa/issue/7966
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-07-09 14:17:47 +03:00
Peter Keresztes Schmidt
25205f44a1 ipa-join: switch to jansson for json handling
Additionally JSON-RPC should bail out if host is already joined.
Check HTTP status of JSON-RPC request and report 401 Unauthorized error explicitly.

Related: https://pagure.io/freeipa/issue/7966
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-07-09 14:17:47 +03:00
Alexandre Mulatinho
6e414d2291 ipa-join: allowing call with jsonrpc into freeipa API
Adding JSON-C and LibCURL library into configure.ac and Makefile.am

Creating a API call with option '-j' or '--jsonrpc' to make host join
on FreeIPA with JSONRPC and libCURL.

Related: https://pagure.io/freeipa/issue/7966
Signed-off-by: Alexandre Mulatinho <alex@mulatinho.net>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-07-09 14:17:47 +03:00
Christian Heimes
a18d406b56 Move ipa-epn systemd files and run RPM hooks
The init/systemd directory is for server only and not part of
CLIENT_ONLY builds.

It's necesary to run pre/post installation hooks to make systemd aware
of new files.

Fixes: https://pagure.io/freeipa/issue/8367
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-06-11 17:27:31 +02:00
Christian Heimes
be47ec9799 libotp: Replace NSS with OpenSSL HMAC
Use OpenSSL's HMAC API instead of NSS.

Fixes: Fixes: https://pagure.io/freeipa/issue/6857
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-08 20:04:18 +03:00
Alexander Bokovoy
23a49538f1 ipa-print-pac: acquire and print PAC record for a user
Helper utility to investigate PAC content of users in trusted
environments. Supports direct ticket acquisition and S4U2Self protocol
transition.

1. Direct ticket acquisition

In direct ticket acquisition mode the utility first does one of the
following actions:
 - obtain a TGT ticket for a user principal using supplied password
 - import existing TGT from a default credentials cache

Once a user TGT is available, the utility will attempt to acquire a service
ticket to a service which key is specified in a keytab (default or
passed with --keytab option) and simulate establishing context to the
service application.

If establishing context succeeds, MS-PAC content of the service ticket
will be printed out.

2. S4U2Self protocol transition

In protocol transition case a service application obtains own TGT using
a key from the keytab and then requests a service ticket to itself in
the name of the user principal, performing S4U2Self request.

If accepting this service ticket succeeds, MS-PAC content of the service
ticket will be printed out.

If KDC does not support or rejects issuing MS-PAC record for a user, an
error message 'KDC has no support for padata type' will be printed.

Related: https://pagure.io/freeipa/issue/8319

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-By: Isaac Boukris <iboukris@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-05-27 17:57:39 +03:00
Christian Heimes
e00dc40fea Create ipasphinx package for Sphinx plugins
Sphinx is extensible with plugins that can add new syntax, roles,
directives, domains, and more.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-04-28 20:03:21 +02:00
Christian Heimes
e881e35783 Fix various OpenDNSSEC 2.1 issues
Require OpenDNSSEC 2.1.6-5 with fix for RHBZ#1825812 (DAC override AVC)

Allow ipa-dnskeysyncd to connect to enforcer.sock (ipa_dnskey_t write
opendnssec_var_run_t and connectto opendnssec_t). The
opendnssec_stream_connect interface is available since 2016.

Change the owner of the ipa-ods-exporter socket to ODS_USER:ODS_GROUP.
The ipa-ods-exporter service already runs as ODS_USER.

Fixes: https://pagure.io/freeipa/issue/8283
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-04-21 21:37:06 +02:00
Christian Heimes
bdf1137169 Use /run and /run/lock instead of /var
Also add runstatedir autoconf var. IPA requires autoconf 2.59. The
variable will be available with autoconf 2.70.

Fixes: https://pagure.io/freeipa/issue/8272
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-04-15 18:48:50 +02:00
Vit Mojzis
0c9949e898 selinux: move BUILD_SELINUX_POLICY definition
BUILD_SELINUX_POLICY needs to be defined outside of ENABLE_SERVER
conditional block.

Fixes:
\# ./configure --disable-server
...
configure: error: conditional "BUILD_SELINUX_POLICY" was never defined.
Usually this means the macro was only invoked conditionally.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-03-05 09:57:00 +01:00
Christian Heimes
9288901f9b Integrate SELinux policy into build system
Hook up the new policy to autoconf and automake.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-03-05 09:57:00 +01:00
Robbie Harwood
179c8f4009 Add a skeleton kdcpolicy plugin
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2019-09-10 12:33:21 +03:00
Christian Hermann
9a440ae885 configure.ac: don't rely on bashisms
93fb037d84 introduced unportable shell
syntax, which led to erros like
./configure: 3179: ./configure: CFLAGS+= -D__STDC_WANT_LIB_EXT1__=1: not found
in case a posix shell is used.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-08-07 08:18:59 +02:00
Christian Heimes
ac86707de3 Increase default debug level of certmonger
By default certmonger does not log operations. With debug level 2,
certmonger logs errors and operations to journald. An increased debug
level makes it easier to investigate problems.

Fixes: https://pagure.io/freeipa/issue/7986
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-06-24 10:00:37 +02:00
Christian Heimes
beffa7bcda Move Custodia secrets handler to scripts
Implement the import and export handlers for Custodia keys as external
scripts. It's a prerequisite to drop DAC override permission and proper
SELinux rules for ipa-custodia.

Except for DMLDAP,  handlers no longer run as root but as handler
specific users with reduced privileges. The Dogtag-related handlers run
as pkiuser, which also help with HSM support.

The export and import handles are designed to be executed by sudo, too.
In the future, ipa-custodia could be executed as an unprivileged process
that runs the minimal helper scripts with higher privileges.

Fixes: https://pagure.io/freeipa/issue/6888
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-26 12:09:22 +02:00
Christian Heimes
93fb037d84 Compile IPA modules with C11 extensions
- define __STDC_WANT_LIB_EXT1__ to get C11 extensions like memset_s() for
  Samba's ZERO_STRUCT() macro, see
  https://en.cppreference.com/w/c/string/byte/memset
- _DEFAULT_SOURCE enables features like htole16() from endian.h, see
  http://man7.org/linux/man-pages/man3/endian.3.html
- _POSIX_C_SOURCE >= 200809 enables features like strndup() from string.h,
  see http://man7.org/linux/man-pages/man3/strndup.3.html
- time_t is no longer implicitly defined, include time.h
- typeof() is only available as GNU extension. Use explicit types
  instead of generic __typeof__().

Fixes: https://pagure.io/freeipa/issue/7858
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-02-07 12:33:45 +01:00
Christian Heimes
21f14e9893 Remove Python 2 support and packages
Remove Python 2 related code and configuration from spec file, autoconf
and CI infrastructure. From now on, FreeIPA 4.8 requires at least Python
3.6. Python 2 packages like python2-ipaserver or python2-ipaclient are
no longer available. PR-CI, lint, and tox aren't testing Python 2
compatibility either.

See: https://fedoraproject.org/wiki/Changes/FreeIPA_Python_2_Removal
Fixes: https://pagure.io/freeipa/issue/7568
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-09-06 17:39:00 +02:00
Christian Heimes
e4a3942e89 Detect and prefer platform Python
A platform Python interpreter is a special variant of the interpreter,
that is only used for system software. It's located at
/usr/libexec/platform-python.

Fixes: https://pagure.io/freeipa/issue/7680
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-08-23 14:49:06 +02:00
Christian Heimes
992a5f4823 Move client templates to separate directory
PR https://github.com/freeipa/freeipa/pull/1747 added the first template
for FreeIPA client package. The template file was added to server
templates, which broke client-only builds.

The template is now part of a new subdirectory for client package shared
data.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-05 16:34:27 -04:00
Christian Heimes
fa94ef0412 autoconf prefers Python 3 over 2
The configure script now looks for Python 3.6 or newer, then falls back
to Python 2. All Makefile default to Python 3 if Python 3 is available.

See: pagure.io/freeipa/issue/7131
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-03-15 12:57:00 +01:00
Timo Aaltonen
1adb3edea9 Move config templates from install/conf to install/share
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-09 09:14:22 +01:00
Christian Heimes
7fbbf6689e Add make targets for fast linting and testing
Fast linting only needs modified files with pylint and diff with
pycodestyle. It's good enough to detect most code errors very fast. It
typically takes less than 10 seconds. A complete full pylint run uses
all CPU cores for several minutes. PEP 8 violations are typically
reported after 30 minutes to several hours on Travis CI.

Fast lintings uses git diff and git merge-base to find all modified
files in a branch or working tree. There is no easy way to find the
branch source. On Travis the information is provided by Travis. For
local development it's a new variable IPA_GIT_BRANCH in VERSION.m4.

Fast testing execute all unit tests that do not depend on ipalib.api.

In total it takes about 30-40 seconds (!) to execute linting, PEP 8 checks
and unittests for both Python 2 and 3.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-12-11 20:40:06 +01:00
Alexander Bokovoy
78ad1cfe4f ipa-extdom-extop: refactor nsswitch operations
Refactor nsswitch operations in ipa-extdom-extop plugin to allow use
of timeout-enabled nsswitch calls provided by libsss_nss_idmap.

Standard POSIX nsswitch API has no way to cancel requests which may
cause ipa-extdom-extop requests to hang far too long and potentially
exhaust LDAP server workers. In addition, glibc nsswitch API iterates
through all nsswitch modules one by one and with multiple parallel
requests a lock up may happen in an unrelated nsswitch module like
nss_files.so.2.

A solution to the latter issue is to directly load nss_sss.so.2 plugin
and utilize it. This, however, does not solve a problem with lack of
cancellable API.

With SSSD 1.16.1, libsss_nss_idmap provides a timeout-enabled variant of
nsswitch API that is directly integrated with SSSD client side machinery
used by nss_sss.so.2. As result, this API can be used instead of loading
nss_sss.so.2 directly.

To support older SSSD version, both direct loading of nss_sss.so.2 and
new timeout-enabled API are supported by this changeset. An API to
abstract both is designed to be a mix between internal glibc nsswitch
API and external nsswitch API that libsss_nss_idmap mimics. API does not
expose per-call timeout. Instead, it allows to set a timeout per
nsswitch operation context to reduce requirements on information
a caller has to maintain.

A choice which API to use is made at configure time.

In order to test the API, a cmocka test is updated to explicitly load
nss_files.so.2 as a backend. Since use of nss_sss.so.2 would always
depend on availablility of SSSD, predictable testing would not be
possible without it otherwise. Also, cmocka test does not use
nss_wrapper anymore because nss_wrapper overrides higher level glibc
nsswitch API while we are loading an individual nsswitch module
directly.

As result, cmocka test overrides fopen() call used by nss_files.so.2 to
load /etc/passwd and /etc/group. An overridden version changes paths to
/etc/passwd and /etc/group to a local test_data/passwd and
test_data/group. This way we can continue testing a backend API for
ipa-extdom-extop with the same data as with nss_wrapper.

Fixes https://pagure.io/freeipa/issue/5464

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2017-11-30 11:38:03 +02:00
Christian Heimes
a48f6511f6 Use namespace-aware meta importer for ipaplatform
Instead of symlinks and build-time configuration the ipaplatform module
is now able to auto-detect platforms on import time. The meta importer
uses the platform 'ID' from /etc/os-releases. It falls back to 'ID_LIKE'
on platforms like CentOS, which has ID=centos and ID_LIKE="rhel fedora".

The meta importer is able to handle namespace packages and the
ipaplatform package has been turned into a namespace package in order to
support external platform specifications.

https://fedorahosted.org/freeipa/ticket/6474

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-15 14:17:24 +01:00
Martin Babinsky
a2de6a17c5 Move tmpfiles.d configuration handling back to spec file
Since ipaapi user is now created during RPM install and not in runtime,
we may switch back to shipping tmpfiles.d configuration directly in RPMs
and not create it in runtime, which is a preferred way to handle drop-in
configuration anyway.

This also means that the drop-in config will be shipped in /usr/lib
instead of /etc according to Fedora packaging guidelines.

This partially reverts commit 38c66896de.

https://pagure.io/freeipa/issue/7053

Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2017-08-30 13:05:23 +02:00
Jan Cholasta
4322b57e31 configure: fix AC_CHECK_LIB usage
Replace empty string with a single space in the third argument of
`AC_CHECK_LIB` (`action-if-found`) where applicable.

Empty string in the argument causes `AC_CHECK_LIB` to use the default
action when a library is found which includes adding the library to `LIBS`,
which specifies libraries to be linked in every binary and library in the
project.

This fixes libkrad, liblber, libldap_r and libsss_nss_idmap being linked to
every binary and library in IPA, even where unused.

https://pagure.io/freeipa/issue/6846

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-04-19 13:56:23 +00:00
Christian Heimes
3a5b3be8b9 tox testing support for client wheel packages
Add tox infrastructure to test client wheel packages workflow:

* build client packages
* install client packages
* ipa-run-tests --ipaclient-unittests under Python 2 and 3
* pylint of client packages under Python 2 and 3
* placeholder packages work as expected

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-04-12 16:53:22 +02:00
Timo Aaltonen
076eb409a0
ipa-otpd.socket.in: Use a platform specific value for KDC service file
https://pagure.io/freeipa/issue/6845

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-04-12 16:17:51 +02:00
Christian Heimes
ae1c2086db Add an option to build ipaserver wheels
To create a wheel bundle with ipaserver and its dependencies:

    make wheel_bundle IPA_SERVER_WHEELS=1

To include additional dependencies:

    make wheel_bundle IPA_EXTRA_WHEELS=ipatests[webui]

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-03 13:08:52 +02:00
Christian Heimes
e357133fd7 Add make devcheck for developers
Ticket 6604 makes pylint and jsl optional dependencies. The change
is controversal, because some developers prefer that pylint and jsl
should be required unless explicitly disabled.

`make devcheck` is my answer to address the concerns. It's a superior
solution to `make lint` as pre-commit check. It combines several
additional checks under a single, easy rememberable and convenient make
target:

* build all
* acilint, apiclient, jslint, polint
* make check
* pylint under Python 2 and 3
* subset of unit test suite

https://fedorahosted.org/freeipa/ticket/6604

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-31 13:48:47 +02:00
Sumit Bose
0ba0c07813 ipa-kdb: do not depend on certauth_plugin.h
Related to https://pagure.io/freeipa/issue/4905

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-03-27 17:57:28 +02:00
Sumit Bose
054f1bd78b configure: fix --disable-server with certauth plugin
Resolves https://pagure.io/freeipa/issue/6816

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-03-27 17:57:28 +02:00
Timo Aaltonen
44a3e0fe1d configure: Use ODS_USER and NAMED_GROUP in daemons/dnssec/*.service.in
These are platform specific, add values for Debian and default values
for Fedora/RHEL.

Also, use prettier output when checking the extra python install options.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-22 13:39:18 +01:00