Aiming to support pylint 2.0 some functions and methods must have their
return statements updated in order to fix two new violations:
- `useless-return` (R1711):
Useless return at end of function or method Emitted when a single
"return" or "return None" statement is found at the end of function
or method definition. This statement can safely be removed because
Python will implicitly return None
- `inconsistent-return-statements` (R1710):
Either all return statements in a function should return an
expression, or none of them should. According to PEP8, if any return
statement returns an expression, any return statements where no value
is returned should explicitly state this as return None, and an
explicit return statement should be present at the end of the
function (if reachable)
Issue: https://pagure.io/freeipa/issue/7614
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
During parallel replica installation, a request sometimes fails with
CA_REJECTED or CA_UNREACHABLE. The error occur when the master is
either busy or some information haven't been replicated yet. Even
a stuck request can be recovered, e.g. when permission and group
information have been replicated.
A new function request_and_retry_cert() automatically resubmits failing
requests until it times out.
Fixes: https://pagure.io/freeipa/issue/7623
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Tune 389-DS replication settings to improve performance and avoid
timeouts. During installation of a replica, the value of
nsDS5ReplicaBindDnGroupCheckInterval is reduced to 2 seconds. At the end
of the installation, the value is increased sensible production
settings. This avoids long delays during replication.
See: https://pagure.io/freeipa/issue/7617
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Calls to `os.fsync(f.fileno())` need to be accompained by `f.flush()`.
Commit 8bbeedc93f introduces the helper
`ipapython.ipautil.flush_sync()`, which handles all calls in the right
order.
However, `flush_sync()` takes as parameter a file object with fileno
and name, where name must be a path to the file, this isn't possible
in some cases where file descriptors are used.
Issue: https://pagure.io/freeipa/issue/7251
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Service entries in cn=FQDN,cn=masters,cn=ipa,cn=etc are no longer
created as enabled. Instead they are flagged as configuredService. At
the very end of the installer, the service entries are switched from
configured to enabled service.
- SRV records are created at the very end of the installer.
- Dogtag installer only picks fully installed servers
- Certmonger ignores all configured but not yet enabled servers.
Fixes: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
In CIS hardened mode, the process umask is 027. This results in some
files not being world readable. Ensure that write_certificate_list()
calls in client installer, server installer, and upgrader create cert
bundles with permission bits 0644.
Fixes: https://pagure.io/freeipa/issue/7594
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
DogtagInstance.setup_admin and related methods have multiple LDAP
replication race conditions. The bugs can cause parallel
ipa-replica-install to fail.
The code from __add_admin_to_group() has been changed to use MOD_ADD
ather than search + MOD_REPLACE. The MOD_REPLACE approach can lead to
data loss, when more than one writer changes a group.
setup_admin() now waits until both admin user and group membership have
been replicated to the master peer. The method also adds a new ACI to
allow querying group member in the replication check.
Fixes: https://pagure.io/freeipa/issue/7593
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
The server installer had no console logger set so print
statements were used for communication. Now that a logger
is enabled the extra prints need to be dropped.
A number of logger.info statements have been upgraded
to debug since they do not need to appear on the console
by default.
https://pagure.io/freeipa/issue/6760
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Fix 994f71ac8a was incomplete. Under some
circumstancs the DM hash and CA keys were still retrieved from two different
machines.
Custodia client now uses a single remote to upload keys and download all
secrets.
Fixes: https://pagure.io/freeipa/issue/7518
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Installers now pass a single CustodiaInstance object around, instead of
creating new instances on demand. In case of replica promotion with CA,
the instance gets all secrets from a master with CA present. Before, an
installer created multiple instances and may have requested CA key
material from a different machine than DM password hash.
In case of Domain Level 1 and replica promotion, the CustodiaInstance no
longer adds the keys to the local instance and waits for replication to
other replica. Instead the installer directly uploads the new public
keys to the remote 389-DS instance.
Without promotion, new Custodia public keys are still added to local
389-DS over LDAPI.
Fixes: https://pagure.io/freeipa/issue/7518
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Add absolute_import from __future__ so that pylint
does not fail and to achieve python3 behavior in
python2.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The installer now checks that port 8080 is available and not in use by
any other application.
The port checker has been rewritten to use bind() rather than just
checking if a server responds on localhost. It's much more reliable and
detects more problems.
Original patch by m3gat0nn4ge.
Co-authored-by: Mega Tonnage <m3gat0nn4ge@gmail.com>
Fixes: https://pagure.io/freeipa/issue/7415
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add a note in cainstance.configure_instance that "admin_password" is
the password to be used for the PKI admin account, NOT the IPA admin
password. In fact, it is set to the Directory Manager password.
This comment would have saved me some time during recent
investigation of a replica installation issue.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
ipa-{server,kra}-install logs have been showing warnings about
deprecation of some Dogtag configuration options. Follow
the warnings' advice and rename these options to their newer
form.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
Configure the status request timeout, i.e. the connect/data timeout
on the HTTP request to get the status of Dogtag.
This configuration is needed in "multiple IP address" scenarios
where this server's hostname has multiple IP addresses but the HTTP
server is only listening on one of them. Without a timeout, if a
"wrong" IP address is tried first, it will take a long time to
timeout, exceeding the overall timeout hence the request will not be
re-tried. Setting a shorter timeout allows the request to be
re-tried.
Note that HSMs cause different behaviour so this value might not be
suitable for when we implement HSM support. It is known that a
value of 5s is too short in HSM environment.
This fix requires pki-core >= 10.6.0, which is already required by
the spec file.
Fixes: https://pagure.io/freeipa/issue/7425
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Implicit string concatenation is technically correct, too. But when
combined in list, it's confusing for both human eye and static code
analysis.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Replace exit() with sys.exit(). exit() or quit() may fail if the interpreter
is run with the -S option.
https://pagure.io/freeipa/issue/7344
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
The Custodia instance is removed when LDAP is already shut down. Don't
fail and only remove the key files from disk. The server_del command
takes care of all Custodia keys in LDAP.
https://pagure.io/freeipa/issue/7318
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Enabling ephemeral KRA requests will reduce the amount of LDAP
write operations and improve overall performance.
Re-order some imports and shorten some lines to make pep8 happy.
Fixes: https://pagure.io/freeipa/issue/6703
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Rather than passing around the path to CS.cfg for the CA and KRA
set it at object creation and use everywhere.
Make update_cert_config() a real class method instead of a static
method. It wasn't being called that way in any case and makes it
possible to use the class config file.
Related: https://pagure.io/freeipa/issue/6703
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
installutils.set_directive() is both inefficient and potentially
dangerous. It does not ensure that the whole file is written and
properly synced to disk. In worst case it could lead to partially
written or destroyed config files.
The new DirectiveSetter context manager wraps everything under an easy
to use interface.
https://pagure.io/freeipa/issue/7312
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
`set_directive` only looks for a prefix of the line matching the
given directive (key). If a directive is encountered for which the
given key is prefix, it will be vanquished.
This occurs in the case of `{ca,kra}.sslserver.cert[req]`; the
`cert` directive gets updated after certificate renewal, and the
`certreq` directive gets clobbered. This can cause failures later
on during KRA installation, and possibly cloning.
Match the whole directive to avoid this issue.
Fixes: https://pagure.io/freeipa/issue/7288
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Keys are removed from disk and LDAP
https://pagure.io/freeipa/issue/7253
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The caJarSigningCert profile was used for issuing the object signing
certificate for signing the Firefox auto-configuration extension
(XPI). We removed the extension and object signing certificate some
time ago, so remove the profile and the related code that sets it
up.
Fixes: https://pagure.io/freeipa/issue/7226
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Replace custom file_exists() and dir_exists() functions with proper
functions from Python's stdlib.
The change also gets rid of pylint's invalid bad-python3-import error,
https://github.com/PyCQA/pylint/issues/1565
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Allow the MS/AD-CS target certificate template to be specified by
name or OID, via the new option --external-ca-profile.
Part of: https://pagure.io/freeipa/issue/6858
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Recent certificate refactoring left the system in a state where
the certificates are somewhere converted to DER format, somewhere
directly sent to ipaldap as IPACertificate objects. The latter
is the desirable way, make sure it's the one commonly used.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Since IPACertificate object is passed to CAInstance's
update_people_entry() and update_authority_entry(),
these are not be able to load this object as a certificate again and
thus would fail. This commit fixes that.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
In Fedora 27 curl is proposing to switch to using OpenSSL as
the crypto backend instead of NSS. This requires a new set of
arguments to certmonger to bootstrap fetching the IPA RA cert.
https://pagure.io/freeipa/issue/7076
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The latest version of caIPAserviceCert profile includes a feature
that is not available before Dogtag 10.4, and this version of the
profile is intended for new installs only (otherwise, problems will
arise in topologies containing CA replicas at an earlier version).
But IPA versions before v4.2 did not use LDAP-based profiles, so the
new version of the profile gets imported when upgrading from
pre-v4.2 to v4.5 or later.
We do not yet have a proper version- and topology-aware profile
update mechanism, so to resolve this issue, ship the older version
of the profile alongside the newer version, and make sure we use the
older version when importing the profile in an upgrade context.
https://pagure.io/freeipa/issue/7097
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
load_unknown_x509_certificate() serves for the cases where we
can't be sure what the format of its input certificate is. This
is the case for installers, it should not be used anywhere else.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Splitting the load_certificate() function into two separate helps
us word the requirements for the input explicitly. It also makes
our backend similar to the one of python-cryptography so eventually
we can swap python-cryptography for IPA x509 module.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Remove all object-specific loggers, with the exception of `Plugin.log`,
which is now deprecated. Replace affected logger calls with module-level
logger calls.
Deprecate object-specific loggers in `ipa_log_manager.get_logger`.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Use the default LDAP URI from api.env.ldap_uri instead of specifying a
custom URI in the argument, as the custom URI is always the same as the
default URI.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
In case ipa_generate_password() generates a sequence containing
'%', ConfigParser.set() will fail because it would think it is a
string that should be interpolated.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
ipa-ca-install currently overwrites /etc/ipa/ca.crt with the CA chain
retrieved from Dogtag. It should instead append the new certs, otherwise
the CA that signed dirsrv and httpd certificates is removed and ipa tools
fail.
A consequence is that ipa-kra-install fails.
This is a regression introduced by 5ab85b36.
https://pagure.io/freeipa/issue/6925
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Set `pkinit_anchors` in `krb5.conf` to a CA certificate bundle of CAs
trusted to issue KDC certificates rather than `/etc/ipa/ca.crt`.
Set `pkinit_pool` in `krb5.conf` to a CA certificate bundle of all CAs
known to IPA.
Make sure both bundles are exported in all installation code paths.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Replace all uses of virtual profiles with `dogtag-ipa-ca-renew-agent-reuse`
and remove profile from the IPA CA certificate tracking request.
This prevents virtual profiles from making their way into CSRs and in turn
being rejected by certain CAs. This affected the IPA CA CSR with Microsoft
CS in particular.
https://pagure.io/freeipa/issue/5799
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Add a switch which makes `dogtag-ipa-ca-renew-agent-submit` reuse the
existing certificate rather than request a new one from the CA while
maintaining LDAP replication of the certificate.
Make this available as a new `dogtag-ipa-ca-renew-agent-reuse` certmonger
CA.
This allows redoing the LDAP replication and reexecuting pre- and post-save
commands of a tracking request without reissuing the certificate.
https://pagure.io/freeipa/issue/5799
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Use Dogtag's `caCACert` CA certificate profile rather than the
`ipaCACertRenewal` virtual profile for lightweight CA certificates.
The `ipaCACertRenewal` virtual profile adds special handling of externally
signed CA certificates and LDAP replication of issued certificates on top
of `caCACert`, neither of which is relevant for lightweight CA
certificates.
Remove all of the special casing of lightweight CA certificates from
dogtag-ipa-ca-renew-agent-submit.
Make sure existing lightweight CA certmonger tracking requests are updated
on server upgrade.
https://pagure.io/freeipa/issue/5799
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Do not bypass the renewal master check when a non-virtual profile is used
in dogtag-ipa-ca-renew-agent-submit.
This fixes dogtag-ipa-ca-renew-agent not respecting the CA renewal master
setting for certificates tracked with a real profile. (Note that there
currently aren't any such certificates tracked by us.)
Request the RA certificate using dogtag-submit rather than
dogtag-ipa-ca-renew-agent-submit as the CA renewal master setting is not
available so early in the install process.
https://pagure.io/freeipa/issue/5799
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Refresh the ca_host property of the Dogtag's RestClient class when
it's requested as a context manager.
This solves the problem which would occur on DL0 when installing
CA which needs to perform a set of steps against itself accessing
8443 port. This port should however only be available locally so
trying to connect to remote master would fail. We need to make
sure the right CA host is accessed.
https://pagure.io/freeipa/issue/6878
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
OpenSSL can't cope with empty files, add a newline after each password
https://pagure.io/freeipa/issue/6878
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
