Commit Graph

11663 Commits

Author SHA1 Message Date
Christian Heimes
b29db07c3b Use os.path.isfile() and isdir()
Replace custom file_exists() and dir_exists() functions with proper
functions from Python's stdlib.

The change also gets rid of pylint's invalid bad-python3-import error,
https://github.com/PyCQA/pylint/issues/1565

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-10-20 12:27:19 +02:00
Aleksei Slaikovskii
fad88b358b ipaclient.plugins.dns: Cast DNS name to unicode
cmd.api.Command.dnsrecord_split_parts expects name to be unicode
string and instead gets ascii. It leads to an error:
ipa: ERROR: invalid 'name': must be Unicode text

This commit's change is casting name's type to unicode so
'ipa dnsrecord-mod' will not fail with error above.

https://pagure.io/freeipa/issue/7185

Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-10-20 10:55:49 +02:00
Alexander Bokovoy
620f9653ba ipa-replica-manage: implicitly ignore initial time skew in force-sync
When performing force synchronization, implicitly ignore initial
time skew (if any) and restore it afterwards.

This also changes semantics of force-sync by waiting until the end of
the initial replication.

Fixes https://pagure.io/freeipa/issue/7211

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-10-19 17:48:58 +03:00
Alexander Bokovoy
051786ce37 ds: ignore time skew during initial replication step
Initial replica creation can go with ignoring time skew checks.
We should, however, force time skew checks during normal operation.

Fixes https://pagure.io/freeipa/issue/7211

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-10-19 17:48:58 +03:00
John Morris
a2dea5a56d
Increase dbus client timeouts during CA install
When running on memory-constrained systems, the `ipa-server-install`
program often fails during the "Configuring certificate server
(pki-tomcatd)" stage in FreeIPA 4.5 and 4.6.

The memory-intensive dogtag service causes swapping on low-memory
systems right after start-up, and especially new certificate
operations requested via certmonger can exceed the dbus client default
25 second timeout.

This patch changes dbus client timeouts for some such operations to
120 seconds (from the default 25 seconds, IIRC).

See more discussion in FreeIPA PR #1078 [1] and FreeIPA container
issue #157 [2].  Upstream ticket at [3].

[1]: https://github.com/freeipa/freeipa/pull/1078
[2]: https://github.com/freeipa/freeipa-container/issues/157
[3]: https://pagure.io/freeipa/issue/7213

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-10-18 17:55:25 +02:00
Petr Čech
3a0410267f ipatests: Fix on logs collection
If the function `install_kra` or `install_ca` fails
on call `host.run_command(command, raiseonerr=raiseonerr)`
then the logs are not collected.

This situation is not optimal because we need to see what happend
during the debbuging the tests.

So, this patch solves this situation and it adds try--finally
construction.

https://pagure.io/freeipa/issue/7214

Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2017-10-18 17:01:53 +02:00
Florence Blanc-Renaud
49cf5ec64b
ipa-cacert-manage renew: switch from ext-signed CA to self-signed
The scenario switching from externally signed CA to self-signed CA is
currently failing because the certmonger helper goes through the wrong
code path when the cert is not self-signed.

When the cert is not self-signed but the admin wants to switch to self-signed
a new cert needs to be requested, not retrieved from LDAP.

https://pagure.io/freeipa/issue/7173

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-10-18 12:34:03 +02:00
Abhijeet Kasurde
c8dbd0cfbe
tests: correct usage of hostname in logger in tasks
This fix adds correct usage of host.hostname in logger.

Fixes: https://pagure.io/freeipa/issue/7190

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-10-18 12:13:55 +02:00
Christian Heimes
dea059d158
Block PyOpenSSL to prevent SELinux execmem in wsgi
Some dependencies like Dogtag's pki.client library and custodia use
python-requsts to make HTTPS connection. python-requests prefers
PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
of python-cryptography which trigger a execmem SELinux violation
in the context of Apache HTTPD (httpd_execmem).

When requests is imported, it always tries to import pyopenssl glue
code from urllib3's contrib directory. The import of PyOpenSSL is
enough to trigger the SELinux denial.

Block any import of PyOpenSSL's SSL module in wsgi by raising an
ImportError. The block is compatible with new python-requests with
unbundled urllib3, too.

Fixes: https://pagure.io/freeipa/issue/5442
Fixes: RHBZ#1491508
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-10-18 12:09:57 +02:00
Stanislav Laznicka
9b8b7afeb4
p11-kit: add serial number in DER format
This causes Firefox to report our CA certificate as not-trustworthy.
We were previously doing this correctly, however it slipped as an
error due to certificate refactoring.

https://pagure.io/freeipa/issue/7210

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-10-17 16:43:15 +02:00
Alexander Koksharov
48dc9bb9ba kra-install: better warning message
User would like to see CA installation command in KRA installation
warning message.

This makes warning message similar to other installer messages where it
does suggests a command to run.

https://pagure.io/freeipa/issue/6952

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Felipe Barreto <fbarreto@redhat.com>
2017-10-17 15:59:58 +02:00
Rob Crittenden
acd72cc8f5 Use 389-ds provided method for file limits tuning
Previously IPA would set the LimitNOFILE value to 8192 to increase
the number of concurrent clients. 389-ds-base does this by default
as of 1.3.7.0.

Remove the IPA-specific tuning and rely on the out-of-the-box
389-ds-base tuning.

Bump the required version of 389-ds-base to 1.3.7.0.

Any other tuning added by 389-ds-base will result in a
dirsrv.systemd.rpmsave file which admins will need to merge
in manually, like typical .rpmsave config changes.

https://pagure.io/freeipa/issue/6994

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-17 14:59:06 +02:00
Felipe Barreto
3822120077 Fixing param-{find,show} and output-{find,show} commands
Now, the criteria option is working for both commands
and the commands are able to handle with wrong input values.

https://pagure.io/freeipa/issue/7134

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-10-17 13:42:11 +02:00
David Kupka
7ab49dda6d schema: Fix internal error in param-{find,show} with nonexistent object
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-10-17 13:42:11 +02:00
Florence Blanc-Renaud
d87163c290 ipa-server-upgrade: do not add untracked certs to the request list
If LDAP or HTTP Server Cert are not issued by ipa ca, they are not tracked.
In this case, it is not necessary to add them to the tracking requests list.

https://pagure.io/freeipa/issue/7151

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-10-17 10:22:39 +02:00
Florence Blanc-Renaud
73b2097569 ipa-server-upgrade: fix the logic for tracking certs
ipa-server-upgrade needs to configure certmonger with the right options
in order to track PKI, HTTP and LDAP certs (for instance the RA agent cert
location has changed from older releases).
The upgrade code looks for existing tracking requests with the expected
options by using criteria (location of the NSSDB, nickname, CA helper...)
If a tracking request is not found, it means that it is either using wrong
options or not configured. In this case, the upgrade stop tracking
all the certs, reconfigures the helpers, starts tracking the certs so that
the config is up-to-date.

The issue is that the criteria is using the keyword 'ca' instead of
'ca-name' and this leads to upgrade believing that the config needs to be
updated in all the cases.

https://pagure.io/freeipa/issue/7151

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-10-17 10:22:39 +02:00
David Kupka
53abf0105b
tests: Add LDAP URI to ldappasswd explicitly
Tests should always rely on api.env.* values when possible.
Without this running the tests remotely can result in errors such
as ldap{search,modify,passwd} attempting to connect to the
wrong URI and failing.

https://fedorahosted.org/freeipa/ticket/6622

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-10-13 17:03:23 +02:00
Aleksei Slaikovskii
7a3da27816
Less confusing message for PKINIT configuration during install
The message about an error during replica setup was causing the
users to think the installation gone wrong even though this was
an expected behavior when ipa-replica-install was ran without
--no-pkinit flag and CA somehow is not reachable which defines
that there is something wrong in a topology but does not lead
to failure of the replica's installation. So now installation
will not print error messages to stdout but rather will give a
recomendation to user and write the old error message to log
as a warning so it still will be easy to find if needed.

https://pagure.io/freeipa/issue/7179

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-10-13 16:47:53 +02:00
Sumit Bose
fe1aad7679
ipa-kdb: reinit trusted domain data for enterprise principals
While processing enterprise principals the information about trusted domains
might not be up-to-date. With this patch ipadb_reinit_mspac() is called if an
unknown domain is part of the enterprise principal.

Resolves https://pagure.io/freeipa/issue/7172

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-10-13 13:43:35 +02:00
Michal Reznik
a2a6cf381e tests: add host zone with overlap
This patch is mainly for test_forced_client_reenrolment suite
where when we are not in control of our client DNS we create an
overlap zone in order to get the host records updated. This also
sets resolv.conf before every ipa-client-install to the ipa master.

https://pagure.io/freeipa/issue/7124

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2017-10-11 13:06:57 +02:00
Stanislav Laznicka
209bb27712 travis: make tests fail if pep8 does not pass
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-10-10 10:05:37 +02:00
Michal Reznik
3b5e979334 tests_py3: decode get_file_contents() result
When running tests in python3 we get bytes object instead of
bytestring from get_file_contents() and when passing it to
run_command() we later fail on concatenation in shell_quote().

https://pagure.io/freeipa/issue/7131

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-10-06 09:22:37 +02:00
Stanislav Laznicka
af1b8513ab Remove the message attribute from exceptions
This is causing python2 tests print ugly warnings about the
deprecation of the `message` attribute in python2.6.

https://pagure.io/freeipa/issue/7131

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-06 09:19:46 +02:00
Rob Crittenden
418421d941 Collect group membership without a size limit
If the # of group memberships exceeded the search size limit
then SizeLimitExceeded was raised. Being in too many groups
should not cause a *_show to fail.

https://pagure.io/freeipa/issue/7112

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-10-04 10:22:10 +02:00
Michal Reznik
f2b32759b9 test_caless: add caless to external CA test
Add caless to external CA test as the suite is currently
missing one.

https://pagure.io/freeipa/issue/7155

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-10-04 10:18:11 +02:00
Fraser Tweedale
75a2eda85d ipa-cacert-manage: avoid some duplicate string definitions
Part of: https://pagure.io/freeipa/issue/6858

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-04 10:09:18 +02:00
Fraser Tweedale
49c0a7b4d4 ipa-cacert-manage: handle alternative tracking request CA name
For an externally-signed CA, if an earlier run of ipa-cacert-manage
was interrupted, the CA name in the IPA CA tracking request may have
been left as "dogtag-ipa-ca-renew-agent-reuse" (it gets reverted to
"dogtag-ipa-ca-renew-agent" at the end of the CSR generation
procedure).  `ipa-cacert-manage renew` currently only looks for a
tracking request with the "dogtag-ipa-ca-renew-agent" CA, so in this
scenario the program fails with message "CA certificate is not
tracked by certmonger".

To handle this scenario, if the IPA CA tracking request is not
found, try once again but with the "dogtag-ipa-ca-renew-agent-renew"
CA name.

Part of: https://pagure.io/freeipa/issue/6858

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-04 10:09:18 +02:00
Fraser Tweedale
d43cf35cca Add tests for external CA profile specifiers
Part of: https://pagure.io/freeipa/issue/6858

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-04 10:09:18 +02:00
Fraser Tweedale
29f4ec865b ipa-cacert-manage: support MS V2 template extension
Update ipa-cacert-manage to support the MS V2 certificate template
extension.

Part of: https://pagure.io/freeipa/issue/6858

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-04 10:09:18 +02:00
Fraser Tweedale
560ee3c0b5 certmonger: add support for MS V2 template
Update certmonger.resubmit_request() and .modify() to support
specifying the Microsoft V2 certificate template extension.

This feature was introduced in certmonger-0.79.5 so bump the minimum
version in the spec file.

Part of: https://pagure.io/freeipa/issue/6858

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-04 10:09:18 +02:00
Fraser Tweedale
2207dc5c17 certmonger: refactor 'resubmit_request' and 'modify'
certmonger.resubmit_request() and .modify() contain a redundant if
statement that means more lines of code must be changed when adding
or removing a function argument.  Perform a small refactor to
improve these functions.

Part of: https://pagure.io/freeipa/issue/6858

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-04 10:09:18 +02:00
Fraser Tweedale
fc7c684b12 ipa-ca-install: add --external-ca-profile option
Fixes: https://pagure.io/freeipa/issue/6858
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-04 10:09:18 +02:00
Fraser Tweedale
b4365e3a7f install: allow specifying external CA template
Allow the MS/AD-CS target certificate template to be specified by
name or OID, via the new option --external-ca-profile.

Part of: https://pagure.io/freeipa/issue/6858

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-04 10:09:18 +02:00
Fraser Tweedale
1699cff350 Remove duplicate references to external CA type
Part of: https://pagure.io/freeipa/issue/6858

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-04 10:09:18 +02:00
Fraser Tweedale
c5afee964e cli: simplify parsing of arbitrary types
Add the 'constructor' type to IPAOption to allow parsing arbitrary
types.

When using this type, supply the 'constructor' attribute with the
constructor of the type.  The checker for the 'constructor' type
attempts to construct the data, returning if successful else raising
OptionValueError.

The 'knob' interface remains unchanged but now accepts arbitrary
constructors.

This feature subsumes the '_option_callback' mechanism, which has
been refactored away.

This feature also subsumes the "dn" type in IPAOption, but this
refactor is deferred.

Part of: https://pagure.io/freeipa/issue/6858

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-04 10:09:18 +02:00
Michal Reznik
7902fc9a06 test_external_ca: switch to python-cryptography
Switch external CA generation from certutil to python-cryptography
as this way of handling the certificates should be more readable,
maintainable and extendable (e.g. extensions handling).

Also as external CA is now a separate module we can import it and
use elsewhere.

https://pagure.io/freeipa/issue/7154

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-09-27 11:51:20 +02:00
Fraser Tweedale
ee87b66bd3
py3: fix pkcs7 file processing
https://pagure.io/freeipa/issue/7131

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-09-22 11:57:15 +02:00
Tomas Krizek
321f07de02 prci: update F26 template
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
2017-09-22 07:52:02 +02:00
Petr Vobornik
b0184d10ab
browser config: cleanup after removal of Firefox extension
Firefox extension which served for configuring Kerberos auth in Firefox
until version which banned self-signed extensions was removed in commit
6c53765ac1.

Given that configure.jar, even older Firefox config tool, was removed
sometime before that, there is no use for signtool tool. It is good
because it is removed from Fedora 27 anyway. So removing last unused
function which calls it.

The removal of FF extension was not exactly clean so removing also
browserconfig.html which only purpose was to use the extension. Therefore
also related JS files are removed. This removal requires unauthorized.html
to be updated so that it doesn't point to non-existing page. And given that
it now points only to single config page, we can change link in UI login page
to this page (ssbrowser.html). While at it, improving buttons in ssbrowser.html.

Btw, commit 6c53765ac1 removed also generation of
krb.js. It had one perk - with that info ssbrowser.html could display real
Kerberos domain instead of only 'example.com'.  I don't have time to revert this
change so removing traces of krb.js as well.

https://pagure.io/freeipa/issue/7135

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-09-21 10:27:14 +02:00
Felipe Barreto
bf0b74bec4
Checks if Dir Server is installed and running before IPA installation
In cases when IPA is installed in two steps (external CA), it's
necessary to check (in the second step) if Dir. Server is
running before continue with the installation. If it's not,
start Directory Server.

https://pagure.io/freeipa/issue/6611

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-09-21 10:24:06 +02:00
Stanislav Laznicka
5acd484090
rpc: don't decode cookie_string if it's None
This removes an ugly debug message from client installation

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-09-20 12:58:33 +02:00
Alexander Bokovoy
dc47a4b85f
Make sure upgrade also checks for IPv6 stack
- Add check for IPv6 stack to upgrade process
 - Change IPv6 checker to also check that localhost resolves to ::1

Part of fixes https://pagure.io/freeipa/issue/7083

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-09-19 17:33:24 +02:00
Tomas Krizek
faaba4f1bd
spec: bump python-pyasn1 to 0.3.2-2
The new python-pyasn1 fixes an issue that occurred during ca-less
installation.

Fixes: https://pagure.io/freeipa/issue/7157
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-09-19 11:26:01 +02:00
Stanislav Laznicka
e537686bcc Don't write p11-kit EKU extension object if no EKU
b5732efd introduced a regression because it tries to write EKU
that's actually in the CA cert instead of using the LDAP information.
However, when no EKU is available,
IPACertificate.extended_key_usage_bytes still returned at least
EKU_PLACEHOLDER OID to keep the behavior the same as in previous
versions. This caused the EKU_PLACEHOLDER to be written in the
ipa.p11-kit file which made Firefox report FreeIPA Web UI as
improperly configured.

https://pagure.io/freeipa/issue/7119

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-09-19 09:42:07 +02:00
Florence Blanc-Renaud
87540fe1ef Fix ipa-server-upgrade with server cert tracking
ipa-server-upgrade fails with Server-Cert not found, when trying to
track httpd/ldap server certificates. There are 2 issues in the upgrade:
- the certificates should be tracked only if they were issued by IPA CA
(it is possible to have CA configured but 3rd part certs)
- the certificate nickname can be different from Server-Cert

The fix provides methods to find the server crt nickname for http and ldap,
and a method to check if the server certs are issued by IPA and need to be
tracked by certmonger.

https://pagure.io/freeipa/issue/7141

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-09-19 09:34:31 +02:00
Rob Crittenden
62e72c2a53 Add exec to /var/lib/ipa/sysrestore for install status inquiries
installutils.is_ipa_configured() previously required root
privileges to see whether there were sysrestore or filestore
files. The directory was mode 0700 so this function always returned
False for non-root users.

Relaxing permissions is is needed to run the tests as the jenkins user.

Backed-up files retain their original FS permissions so this
shouldn't disclose any previously unreadable backed-up configuration.

https://pagure.io/freeipa/issue/7157

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-09-19 08:54:20 +02:00
Rob Crittenden
fa6181293a Use TLS for the cert-find operation
The goal is to avoid using HTTP where possible and use TLS everywhere.
This provides not only privacy protection but also integrity protection.
We should consider any network except localhost as untrusted.

Switch from using urllib.request to dogtag.https_request.

https://pagure.io/freeipa/issue/7027

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-09-18 11:44:08 +02:00
Stanislav Laznicka
623ec6c037 pylint: fix missing module
requests.packages contains but a weird backward compatibility fix
for its presumed urllib3 submodule but pylint does not approve.

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-09-18 11:41:15 +02:00
Alexander Bokovoy
8661611d3e OTP import: support hash names with HMAC- prefix
Refactor convertHashName() method to accept hash names prefixed with
HMAC- or any other prefix. Extending the method should be easier in
future.

Add tests proposed by Rob Crittenden to make sure we don't regress
with expected behavior of convertHashName().

Fixes https://pagure.io/freeipa/issue/7146

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-09-18 11:37:31 +02:00
Florence Blanc-Renaud
93be966daf Python3: Fix winsync replication agreement
When configuring a winsync replication agreement, the tool performs a search
on AD for defaultNamingContext. The entry contains the value as a bytes, it
needs to be decoded otherwise subsequent calls to
DN(WIN_USER_CONTAINER, self.ad_suffix) will fail.

https://pagure.io/freeipa/issue/7131

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-09-15 08:36:22 +02:00