Commit Graph

202 Commits

Author SHA1 Message Date
Christian Heimes
bf67974459 Use entry_points for ipa CLI
Fix problem with hard-coded shebang in ipa command line tool by using
a proper setuptools entry point for the console script. ipaclient is now
an executable Python package, too.

```
$ python -m ipaclient ping
```

is equivalent to

```
$ ipa ping
```

Related: https://pagure.io/freeipa/issue/6653
Closes: https://pagure.io/freeipa/issue/6850
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-04-11 13:29:50 +02:00
Ben Lipton
a53e17830c csrgen: Beginnings of NSS database support
https://pagure.io/freeipa/issue/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-03 07:46:30 +00:00
Ben Lipton
e7588ab2dc csrgen: Modify cert_get_requestdata to return a CertificationRequestInfo
Also modify cert_request to use this new format. Note, only PEM private
keys are supported for now. NSS databases are not.

https://pagure.io/freeipa/issue/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-03 07:46:30 +00:00
Ben Lipton
136c6c3e2a csrgen: Change to pure openssl config format (no script)
https://pagure.io/freeipa/issue/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-03 07:46:30 +00:00
Ben Lipton
5420e9cfbe csrgen: Remove helper abstraction
All requests now use the OpenSSL formatter. However, we keep Formatter
a separate class so that it can be changed out for tests.

https://pagure.io/freeipa/issue/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-03 07:46:30 +00:00
Christian Heimes
abefb64bea Simplify KRA transport cert cache
In-memory cache causes problem in forking servers. A file based cache is
good enough. It's easier to understand and avoids performance regression
and synchronization issues when cert becomes out-of-date.

https://pagure.io/freeipa/issue/6787
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-28 08:10:03 +00:00
Pavel Vomacka
75c592d3b9 Support certificate login after installation and upgrade
Add necessary steps which set SSSD and set SELinux boolean during
installation or upgrade. Also create new endpoint in apache for
login using certificates.

https://pagure.io/freeipa/issue/6225

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-14 15:13:43 +01:00
Jan Cholasta
72de679eb4 csrgen: hide cert-get-requestdata in CLI
The CSR generation feature is supposed to be used from cert-request, hide
the internal cert-get-requestdata command in the CLI.

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-14 12:26:16 +00:00
Jan Cholasta
8ed891cb61 cert: include certificate chain in cert command output
Include the full certificate chain in the output of cert-request, cert-show
and cert-find if --chain or --all is specified.

If output file is specified in the CLI together with --chain, the full
certificate chain is written to the file.

https://pagure.io/freeipa/issue/6547

Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-14 12:58:45 +01:00
Jan Cholasta
c60d9c9744 cert: add output file option to cert-request
The certificate returned by cert-request can now be saved to a file in the
CLI using a new --certificate-out option.

Deprecate --out in cert-show in favor of --certificate-out.

https://pagure.io/freeipa/issue/6547

Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-14 12:58:45 +01:00
Jan Cholasta
98bb5397c5 vault: cache the transport certificate on client
Cache the KRA transport certificate on disk (in ~/.cache/ipa) as well as
in memory.

https://fedorahosted.org/freeipa/ticket/6652

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-03-13 16:02:16 +01:00
Jan Cholasta
2fc9feddd0 install: re-introduce option groups
Re-introduce option groups in ipa-client-install, ipa-server-install and
ipa-replica-install.

https://pagure.io/freeipa/issue/6392

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-13 10:12:40 +01:00
Jan Cholasta
1cfe06c79e client install: split off SSSD options into a separate class
Split off SSSD knob definitions from the ClientInstallInterface class into
a new SSSDInstallInterface class.

https://pagure.io/freeipa/issue/6392

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-13 10:12:40 +01:00
Jan Cholasta
0298ecf441 certmap: load certificate from file in certmap-match CLI
Load the certificate from a file specified in the first argument. Raw
certificate value can be specified using --certificate.

https://pagure.io/freeipa/issue/6646

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-03-13 08:03:53 +00:00
Jan Cholasta
5d489ac560 pylint_plugins: add forbidden import checker
Add new pylint AST checker plugin which implements a check for imports
forbidden in IPA. Which imports are forbidden is configurable in pylintrc.

Provide default forbidden import configuration and disable the check for
existing forbidden imports in our code base.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-10 13:04:59 +01:00
Christian Heimes
177f07e163 Chain CSR generator file loaders
First try custom location, then csrgen subdir in confdir and finally
fall back to package data.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Ben Lipton <blipton@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-08 15:59:26 +01:00
Christian Heimes
80be181629 Move csrgen templates into ipaclient package
csrgen broke packaging of ipaclient for PyPI. All csrgen related
resources are now package data of ipaclient package. Package data is
accessed with Jinja's PackageLoader() or through pkg_resources.

https://pagure.io/freeipa/issue/6714

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Ben Lipton <blipton@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-08 15:59:26 +01:00
Jan Cholasta
1e912f5b83 dns: fix dnsrecord_add interactive mode
`dnsrecord_add` interactive mode might prompt for value of non-existent
arguments `a_part_create_reverse` and `aaaa_part_create_reverse`. This
happens because `dnsrecord_add` extra flags are incorrectly defined as
parts of the respective DNS records.

Remove extra flags from DNS record parts to fix the interactive mode on old
clients talking to new servers. Skip non-existent arguments in the
interactive mode to fix new clients talking to old servers.

https://fedorahosted.org/freeipa/ticket/6457

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-08 15:52:41 +01:00
Christian Heimes
ed7a03a1af Vault: port key wrapping to python-cryptography
https://fedorahosted.org/freeipa/ticket/6650

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-02 14:22:11 +01:00
Christian Heimes
3be696c92f Drop in-memory copy of schema zip file
The schema cache used a BytesIO buffer to read/write schema cache before
it got flushed to disk. Since the schema cache is now loaded in one go,
the temporary buffer is no longer needed.

File locking has been replaced with a temporary file and atomic rename.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-01 12:50:43 +01:00
Christian Heimes
332dbab1ff Speed up client schema cache
It's inefficient to open a zip file over and over again. By loading all
members of the schema cache file at once, the ipa CLI script starts
about 25 to 30% faster for simple cases like help and ping.

Before:

$ time for i in {1..20}; do ./ipa ping >/dev/null; done

real    0m13.608s
user    0m10.316s
sys     0m1.121s

After:

$ time for i in {1..20}; do ./ipa ping >/dev/null; done

real    0m9.330s
user    0m7.635s
sys     0m1.146s

https://fedorahosted.org/freeipa/ticket/6690

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-01 12:50:43 +01:00
Stanislav Laznicka
5ab85b365a Moving ipaCert from HTTPD_ALIAS_DIR
The "ipaCert" nicknamed certificate is not required to be
in /var/lib/ipa/radb NSSDB anymore as we were keeping a copy
of this file in a separate file anyway. Remove it from there
and track only the file. Remove the IPA_RADB_DIR as well as
it is not required anymore.

https://fedorahosted.org/freeipa/ticket/5695
https://fedorahosted.org/freeipa/ticket/6680

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 09:43:41 +00:00
Stanislav Laznicka
2a9d1fb7d9 Remove NSSConnection from otptoken plugin
Replace NSSConnection with httplib.HTTPSConenction to be able to remove
NSSConnection for good.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 09:43:41 +00:00
Ben Lipton
ada91c2058 csrgen: Support encrypted private keys
https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-28 09:02:49 +00:00
Ben Lipton
4350dcdea2 csrgen: Allow overriding the CSR generation profile
In case users want multiple CSR generation profiles that work with the
same dogtag profile, or in case the profiles are not named the same,
this flag allows specifying an alternative CSR generation profile.

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-28 09:02:49 +00:00
Ben Lipton
39a5d9c5aa csrgen: Automate full cert request flow
Allows the `ipa cert-request` command to generate its own CSR. It no
longer requires a CSR passed on the command line, instead it creates a
config (bash script) with `cert-get-requestdata`, then runs it to build
a CSR, and submits that CSR.

Example usage (NSS database):
$ ipa cert-request --principal host/test.example.com --profile-id caIPAserviceCert --database /tmp/certs

Example usage (PEM private key file):
$ ipa cert-request --principal host/test.example.com --profile-id caIPAserviceCert --private-key /tmp/key.pem

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-28 09:02:49 +00:00
Jan Cholasta
19060db1b8 compat: fix Any params in batch and dnsrecord
The `methods` argument of `batch` and `dnsrecords` attribute of `dnsrecord`
were incorrectly defined as `Str` instead of `Any`.

https://fedorahosted.org/freeipa/ticket/6647

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-02-23 18:53:50 +01:00
Stanislav Laznicka
0fffeabe02 Fix error in ca_cert_files validator
ClientInstall expects a single ca_cert_file as a string but the
framework gives it a list.

https://fedorahosted.org/freeipa/ticket/6694

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-02-21 15:31:54 +01:00
Jan Cholasta
b4fa354f50 client install: create /etc/ipa/nssdb with correct mode
The NSS database directory is created with mode 640, which causes the IPA
client to fail to connect to any IPA server, because it is unable to read
trusted CA certificates from the NSS database.

Create the directory with mode 644 to fix the issue.

https://fedorahosted.org/freeipa/ticket/5959

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-02-20 13:00:50 +00:00
Stanislav Laznicka
ca457eb5ce Add password to certutil calls in NSSDatabase
NSSDatabases should call certutil with a password. Also, removed
`password_filename` argument from `.create_db()`.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-17 10:14:23 +01:00
Martin Basti
7eb2ef6190 DNS: dns-update-system-record can create nsupdate file
Added option --out <path> creates a file with IPA DNS data in nsupdate
format.

https://fedorahosted.org/freeipa/ticket/6585

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 12:20:55 +01:00
Simo Sorce
d124e307f3 Separate RA cert store from the HTTP cert store
This is in preparation for separating out the user under which the
ipa api framework runs as.

This commit also removes certs.NSS_DIR to avoid confusion and replaces
it where appropriate with the correct NSS DB directory, either the old
HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is
removed altogether as it was simply not necessary.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Stanislav Laznicka
08c71703a4 Remove is_fips_enabled checks in installers and ipactl
https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-02-13 18:10:55 +01:00
Ben Lipton
a26cf0d791 tests: Add tests for CSR autogeneration
This patch also contains some code changes to make the code easier to
test and to make the tests pass.

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-31 10:20:28 +01:00
Ben Lipton
afd7c05d11 csrgen: Use data_sources option to define which fields are rendered
This removes the ipa.syntaxrule and ipa.datarule macros in favor of
simple 'if' statements based on the data referenced in the rules. The
'if' statement for a syntax rule is generated based on the data rules it
contains.

The Subject DN should not be generated unless all data rules are in
place, so the ability to override the logical operator that combines
data_sources (from 'or' to 'and') is added.

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-31 10:20:28 +01:00
Ben Lipton
10ef594786 csrgen: Add code to generate scripts that generate CSRs
Adds a library that uses jinja2 to format a script that, when run, will
build a CSR. Also adds a CLI command, 'cert-get-requestdata', that uses
this library and builds the script for a given principal. The rules are
read from json files in /usr/share/ipa/csr, but the rule provider is a
separate class so that it can be replaced easily.

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-31 10:20:28 +01:00
Martin Basti
18337bf7f7 py3: decode bytes for json.loads()
In py 3.5 json.loads requires to have string as input, all bytes must be
decoded.

Note: python 3.6 supports bytes for json.loads()

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Jan Cholasta
26630db9d0 client install: correctly report all failures
In commit 5249eb817e, the client install code
was converted to use exception handling instead of return codes. However,
some return statements were not converted to raise statements and as a
result, ipa-client-install will report success in some error conditions.

Convert the return statements to raise statements to fix the issue.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-01-20 17:34:07 +01:00
Martin Babinsky
566c86a782 disable hostname canonicalization by Kerberos library
By default, Kerberos client library attempts to canonicalize service
hostname in TGS requests. This can fail e.g. if hosts file on the client
machine references short names before FQDNs. In this case the short name
is used in TGS_REQ which KDC fails to resolve.

Since we do not (yet) support referencing hosts by their short names it
is safe to just disable this behavior in krb5.conf and use supplied
FQDNs.

https://fedorahosted.org/freeipa/ticket/6584

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2017-01-11 16:18:24 +01:00
David Kupka
d15ccde20f ipaclient: schema cache: Handle malformed server info data gracefully
As a part of CLI schema cache some data about each previously contacted server
are stored in simple JSON file. The file may get corrupted and became
undecodable for various reasons (parallel access, file system error,
tampering). Since the data are not necessary we should just warn an continue.

https://fedorahosted.org/freeipa/ticket/6578

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-09 09:13:36 +01:00
Petr Spacek
fb7c111ac1 ipa_generate_password algorithm change
A change to the algorithm that generates random passwords
for multiple purposes throught IPA. This spells out the need
to assess password strength by the entropy it contains rather
than its length.

This new password generation should also be compatible with the
NSS implementation of password requirements in FIPS environment
so that newly created databases won't fail with wrong authentication.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2017-01-06 09:26:56 +01:00
David Kupka
388ed93935 schema_cache: Make handling of string compatible with python3
https://fedorahosted.org/freeipa/ticket/6559

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-01-05 18:30:00 +01:00
Timo Aaltonen
0ff12de338 client, platform: Use paths.SSH* instead of get_config_dir().
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-01-05 17:50:03 +01:00
Christian Heimes
987d24f784 Silence pylint import errors of ipaserver in ipalib and ipaclient
In client-only installations the ipaserver package is not available.
Additional guards prevent pylint to complain about missing ipaserver
package.

https://fedorahosted.org/freeipa/ticket/6468

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-01-05 09:50:28 +01:00
David Kupka
d841a79dc1 ipaclient.plugins: Use api_version from internally called commands
In client plugins make sure the api_version is 'inherited' from server command
that is internally called. Otherwise the api_version is obtained from client
API instance. When calling server command from client command 'version' is
passed in options and it overrides the right one. Server then refuses to handle
such call.

https://fedorahosted.org/freeipa/ticket/6539

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-12-14 11:50:35 +01:00
Simo Sorce
ca4e6c1fdf Configure Anonymous PKINIT on server install
Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-12-12 13:39:44 +01:00
Fraser Tweedale
32b1743e5f Add options to write lightweight CA cert or chain to file
Administrators need a way to retrieve the certificate or certificate
chain of an IPA-managed lightweight CA.  Add params to the `ca'
object for carrying the CA certificate and chain (as multiple DER
values).  Add the `--chain' flag for including the chain in the
result (chain is also included with `--all').  Add the
`--certificate-out' option for writing the certificate to a file (or
the chain, if `--chain' was given).

Fixes: https://fedorahosted.org/freeipa/ticket/6178
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-12-12 13:03:15 +01:00
Jan Cholasta
4fff09978e server install: fix external CA install
Replace the dual definitions of domain_name, dm_password and admin_password
knobs in server install with single definitions using the original names
without the 'new_' prefix.

This fixes the options read from the installer option cache in step 2 of
external CA install to use the correct knob names.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-12-08 12:08:49 +01:00
Martin Babinsky
0ae7bebb76 Make env and plugins commands local again
During thin client refactoring, LocalOrRemote class implementation of `run`
method was overriden by default Command implementation during instantiation of
client plugins from schema. This caused these commands to always forward this
request to IPA master.

This patch restores the original behavior: unless `--server` option was
specified, the commands will always print out local config.

https://fedorahosted.org/freeipa/ticket/6490

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-12-02 13:00:06 +01:00
Christian Heimes
1e6a204b43 Set explicit confdir option for global contexts
Some API contexts are used to modify global state (e.g. files in /etc
and /var). These contexts do not support confdir overrides. Initialize
the API with an explicit confdir argument to paths.ETC_IPA.

The special contexts are:

* backup
* cli_installer
* installer
* ipctl
* renew
* restore
* server
* updates

The patch also corrects the context of the ipa-httpd-kdcproxy script to
'server'.

https://fedorahosted.org/freeipa/ticket/6389

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-12-02 09:14:35 +01:00