To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
As for now the default title of 'add' dialog is set to something
like 'Add ${entity}', where 'entity' is also translatable text.
Such construction is used via method 'adder_dialog' of Entity
for the all 'Add' actions.
This leads to a bad quality translation and should be changed to
an entire sentence.
From now a mentioned title is taken from a spec and should be
specified explicitly.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
On Python 3, six.text_type (singular) is an alias for str.
See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
In Python 3, six.string_types is just an alias for str.
See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Python 2 had old style and new style classes. Python 3 has only new
style classes. There is no point to subclass from object any more.
See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
tox / pytest is complaining about lots and lots of invalid escape
sequences in our code base. Sprinkle raw strings or backslash escapes
across the code base to fix most occurences of:
DeprecationWarning: invalid escape sequence
There is still one warning that keeps repeating, though:
source:264: DeprecationWarning: invalid escape sequence \d
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'unprovision' dialog
should be specified explicitly in the spec and should be an entire
sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
As for now the default title of remove dialogs, which are
initialized from 'association' facet, is set to something like
'Remove ${other_entity} from ${entity} ${primary_key}', where
'other_entity' and 'entity' are also translatable texts.
This construction is used via method 'show_remove_dialog'
of 'association' facet for the all 'Delete' actions within details
of entities.
Such concatenation leads to a bad quality translation and
should be changed to an entire sentence.
From now a mentioned title is taken from a spec and should be
specified explicitly.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
As for now the default title of remove dialogs is set to
'Remove ${entity}', where 'entity' is also translatable text.
This construction is used via method 'create_remove_dialog'
of Search facet for the all association 'Delete' actions of
entities.
The such concatenation leads to a bad quality translation and
should be changed to an entire sentence.
From now a mentioned title is taken from a spec and should be
specified explicitly.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
To be translatable messages should be marked with '@i18n' and
present in "i18n_messages" dictionary.
Fixes: https://pagure.io/freeipa/issue/7619
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Make this page message translatable as other parts of IPA framework.
Fixes: https://pagure.io/freeipa/issue/7640
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Make this page message translatable as other parts of IPA framework.
Fixes: https://pagure.io/freeipa/issue/7640
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
commit 7284097 (Delay enabling services until end of installer)
introduced a regression in replica installation.
When the replica requests a cert for PKINIT, a check is done
to ensure that the hostname corresponds to a machine with a
KDC service enabled (ipaconfigstring attribute of
cn=KDC,cn=<hostname>,cn=masters,cn=ipa,cn=etc,$BASEDN must contain
'enabledService').
With the commit mentioned above, the service is set to enabled only
at the end of the installation.
The fix makes a less strict check, ensuring that 'enabledService'
or 'configuredService' is in ipaconfigstring.
Fixes: https://pagure.io/freeipa/issue/7566
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Translatable messages should be marked with @i18n. Also
these messages should be presented in "i18n_messages" dictionary.
Fixes: https://pagure.io/freeipa/issue/7641
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@localhost.localdomain>
The indirect members need to be calculated and the member
attributes converted. This is normally done in
baseldap::LDAPRetrieve but these methods provide their
own execute() in order to handle the option values.
Update sudorule_add|remove_option tests to include check
that converted user/group exists in the proper format.
https://pagure.io/freeipa/issue/7649
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
To be translatable messages should be marked with '@i18n' and
present in "i18n_messages" dictionary.
Fixes: https://pagure.io/freeipa/issue/7621
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
In the case that enabledService is not found ipaConfigString kdc entry, a
NotFound error was raised without setting the reason. This resulted in a
traceback.
Fixes: https://pagure.io/freeipa/issue/7652
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
To be translatable label field should be marked
with @i18n. Also these messages should be provided by
i18n_messages.
Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
To be translatable text field should be marked
with @i18n. Also these messages should be provided by
i18n_messages.
Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
To be translatable text field should be marked
with @i18n. Also these messages should be provided by
i18n_messages.
Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
To be translatable title and label fields should be marked
with @i18n. Also these messages should be provided by
i18n_messages.
Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
For now JSON service is not available without authentication
to IPA. But some of Web UI pages expect translations before
or without Login process. This endpoint serves i18n requests
only.
Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Globally disabling the following violations:
- `assignment-from-no-return` (E1111):
Assigning to function call which doesn't return. Used when an
assignment is done on a function call but the inferred function
doesn't return anything.
- `keyword-arg-before-vararg` (W1113):
Keyword argument before variable positional arguments list in the
definition of %s function When defining a keyword argument before
variable positional arguments, one can end up in having multiple
values passed for the aforementioned parameter in case the method is
called with keyword arguments.
Locally disabling the following:
- `subprocess-popen-preexec-fn` (W1509):
Using preexec_fn keyword which may be unsafe in the presence of
threads The preexec_fn parameter is not safe to use in the presence
of threads in your application. The child process could deadlock
before exec is called. If you must use it, keep it trivial! Minimize
the number of libraries you call into.
https://docs.python.org/3/library/subprocess.html#popen-constructor
Fixed violations:
- `bad-mcs-classmethod-argument` (C0204):
Metaclass class method %s should have %s as first argument Used when
a metaclass class method has a first argument named differently than
the value specified in valid-metaclass-classmethod-first-arg option
(default to "mcs"), recommended to easily differentiate them from
regular instance methods.
- Note: Actually `cls` is the default first arg for `__new__`.
- `consider-using-get` (R1715):
Consider using dict.get for getting values from a dict if a key is
present or a default if not Using the builtin dict.get for getting a
value from a dictionary if a key is present or a default if not, is
simpler and considered more idiomatic, although sometimes a bit slower
Issue: https://pagure.io/freeipa/issue/7614
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Fix the following violations aiming to support Pylint 2.0
- `unneeded-not` (C0113):
Consider changing "not item in items" to "item not in items" used
when a boolean expression contains an unneeded negation.
- `useless-import-alias` (C0414):
Import alias does not rename original package Used when an import
alias is same as original package.e.g using import numpy as numpy
instead of import numpy as np
- `raising-format-tuple` (W0715):
Exception arguments suggest string formatting might be intended Used
when passing multiple arguments to an exception constructor, the
first of them a string literal containing what appears to be
placeholders intended for formatting
- `bad-continuation` (C0330):
This was already included on the disable list, although with current
version of pylint (2.0.0.dev2) violations at the end of the files
are not being ignored.
See: https://github.com/PyCQA/pylint/issues/2278
- `try-except-raise` (E0705):
The except handler raises immediately Used when an except handler
uses raise as its first or only operator. This is useless because it
raises back the exception immediately. Remove the raise operator or
the entire try-except-raise block!
- `consider-using-set-comprehension` (R1718):
Consider using a set comprehension Although there is nothing
syntactically wrong with this code, it is hard to read and can be
simplified to a set comprehension.Also it is faster since you don't
need to create another transient list
- `dict-keys-not-iterating` (W1655):
dict.keys referenced when not iterating Used when dict.keys is
referenced in a non-iterating context (returns an iterator in
Python 3)
- `comprehension-escape` (W1662):
Using a variable that was bound inside a comprehension Emitted when
using a variable, that was bound in a comprehension handler, outside
of the comprehension itself. On Python 3 these variables will be
deleted outside of the comprehension.
Issue: https://pagure.io/freeipa/issue/7614
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
When multiple replicas are installed in parallel, two replicas may try
to create the cn=replica entry at the same time. This leads to a
conflict on one of the replicas. replica_config() and
ensure_replication_managers() now handle conflicts.
ipaldap now maps TYPE_OR_VALUE_EXISTS to DuplicateEntry(). The type or
value exists exception is raised, when an attribute value or type is
already set.
Fixes: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
In order to support pylint 2.0 the following violations must be fixed:
- `chained-comparison` (R1716):
Simplify chained comparison between the operands This message is
emitted when pylint encounters boolean operation like
"a < b and b < c", suggesting instead to refactor it to "a < b < c".
- `consider-using-in` (R1714):
Consider merging these comparisons with "in" to %r To check if a
variable is equal to one of many values,combine the values into a
tuple and check if the variable is contained "in" it instead of
checking for equality against each of the values.This is faster
and less verbose.
Issue: https://pagure.io/freeipa/issue/7614
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Aiming to support pylint 2.0 some functions and methods must have their
return statements updated in order to fix two new violations:
- `useless-return` (R1711):
Useless return at end of function or method Emitted when a single
"return" or "return None" statement is found at the end of function
or method definition. This statement can safely be removed because
Python will implicitly return None
- `inconsistent-return-statements` (R1710):
Either all return statements in a function should return an
expression, or none of them should. According to PEP8, if any return
statement returns an expression, any return statements where no value
is returned should explicitly state this as return None, and an
explicit return statement should be present at the end of the
function (if reachable)
Issue: https://pagure.io/freeipa/issue/7614
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
There is a mismatch between 'i18n' krb_auth_msg and 'LoginScreen'
widget kerberos_msg. The former links to "unauthorized.html", but the latter
to "ssbrowser.html". Both should link to "ssbrowser.html" page.
Fixes: https://pagure.io/freeipa/issue/7624
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Service entries in cn=FQDN,cn=masters,cn=ipa,cn=etc are no longer
created as enabled. Instead they are flagged as configuredService. At
the very end of the installer, the service entries are switched from
configured to enabled service.
- SRV records are created at the very end of the installer.
- Dogtag installer only picks fully installed servers
- Certmonger ignores all configured but not yet enabled servers.
Fixes: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
server_find and server_role plugin were hiding IPA master role
information. It's now possible to fetch IPA master role information and
to filter by IPA master role, e.g. to ignore servers that have some
services configured but not (yet) enabled.
See: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Check if the given search records value is greater than an arbitrary number that is not so close to zero.
https://pagure.io/freeipa/issue/6617
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
There are some missing translatable docstrings of commands and modules.
Fixes: https://pagure.io/freeipa/issue/7592
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
For now formatting is applied for bare messages before translating.
This breaks python-brace-format and message becomes untranslatable
at all.
Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
For now formatting is applied for bare messages before translating.
This breaks python-brace-format and message becomes untranslatable
at all.
Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Translation objects have support for format(). This allows to
get rid of unicode() which has been removed in Python3.
Also some messages to be translated at request time should
not use format()
Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
For now formatting is applied for bare messages before translating.
This breaks python-brace-format and message becomes untranslatable
at all.
Also some messages to be translated at request time should
not use format().
Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
For now formatting is applied for bare messages before translating.
This breaks python-brace-format and message becomes untranslatable.
Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This otherwise returns a syntax error if trying to set
an empty value.
Related: https://pagure.io/freeipa/issue/6760
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The command description is taken from python docstring. Thus
commands should have them and should include the callings of
gettext to be translated.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
ipa cert_find command has an option called --subject.
The option is documented as --subject=STR Subject.
It is expected that a --subject option searches by X.509 subject field but it does not do so.
It searches for CN not cert subject. Hence changing content of --subject help option.
Resolves: https://pagure.io/freeipa/issue/7322
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Upstream ticket was raised for issuing an warning message
whenever data in ipa vault is overwritten.
In Bugzilla(1339129) its agreed upon that Current behavior is consistent
with other IPA commands. None of ipa mod commands asks for confirmation
and therefore it should be the same here.
But to document, that vault can contain only one value in ipa help vault.
This PR addresses the changes agreed in Bugzilla.
Resolves: https://pagure.io/freeipa/issue/5922
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Now radius proxy plugin allows to add more then one radius server
into radius proxy but the first one from ldap response is being
parsed (you can see ./daemons/ipa-optd/parse.c).
So this kind of behaviour is a bug, as it was determined on IRC.
This patch removes possibility to add more then one radius server
into radius proxy.
Pagure: https://pagure.io/freeipa/issue/7542
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
Early return prevented adding last warning message in the method:
"Ignoring these warnings and proceeding with removal"
And thus `check_master_removal` in `test_server_del` did not work.
https://pagure.io/freeipa/issue/7517
Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Allow services to be members of the groups, like users and other groups
can already be.
This is required for use cases where such services aren't associated
with a particular host (and thus, the host object cannot be used to
retrieve the keytabs) but represent purely client Kerberos principals to
use in a dynamically generated environment such as Kubernetes.
Fixes: https://pagure.io/freeipa/issue/7513
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add --skip-host-check option to ipa service-add command to allow
creating services without corresponding host object. This is needed to
cover use cases where Kerberos services created to handle client
authentication in a dynamically generated environment like Kubernetes.
Fixes: https://pagure.io/freeipa/issue/7514
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When a user with sufficient permissions creates a group using ipa
group-add and then deletes it again with group-del ipa gives an
Insufficient access error, but still deletes the group.
This is due to a need to remove an associaed password policy for the
group. However, a password policy might be inaccessible to the user
(created by a more powerful admin) and there is no way to check that it
exists with current privileges other than trying to remove it.
Seeing a Python exceptions in the Apache log without explanation is
confusing to many users, so add a warning message that explains what
happens here.
Fixes: https://pagure.io/freeipa/issue/6884
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
In Python 3, cryptography requires certificate data to be binary. Even
PEM encoded files are treated as binary content.
certmap-match and cert-find were loading certificates as text files. A
new BinaryFile type loads files as binary content.
Fixes: https://pagure.io/freeipa/issue/7520
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Both of these are legal: unconfined_u and unconfined.u
https://pagure.io/freeipa/issue/7510
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add absolute_import from __future__ so that pylint
does not fail and to achieve python3 behavior in
python2.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
In certprofile-import if the config file contains two profileId
directives with different values, with the first matching the
profile ID CLI argument and the second differing, the profile gets
imported under the second ID. This leads to:
- failure to enable the profile
- failure to add the IPA "tracking" certprofile object
- inability to delete the misnamed profile from Dogtag (via ipa CLI)
To avert this scenario, detect and reject profile configurations
where profileId is specified multiple times (whether or not the
values differ).
https://pagure.io/freeipa/issue/7503
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Remove NTP server role from config.py.
Remove uneccesary variables and replaced untrack_file with restore_file.
Update typo in manpages and messages printed while installing.
Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ipa user-find --whoami is used by ipa otptoken-add to populate
ipaTokenOwner and managedBy attributes. These attributes, in turn are
checked by the self-service ACI which allows to create OTP tokens
assigned to the creator.
With 389-ds-base 1.4.0.6-2.fc28 in Fedora 28 beta there is a bug in
searches with scope 'one' that result in ipa user-find --whoami
returning 0 results.
Because ipa user-find --whoami does not work, non-admin user cannot
create a token. This is a regression that can be fixed by using LDAP
Whoami command.
LDAP Whoami command returns a string 'dn: <DN of the bind>', so we have
to strip first four characters to get actual DN.
Fixes: https://pagure.io/freeipa/issue/7456
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
When non-admin user issues a command that utilizes
api.Object.config.show_servroles_attributes(), some server roles might
return errors.EmptyResult, indicating that a role is not visible to this
identity.
Most of the callers to api.Object.config.show_servroles_attributes() do
not process errors.EmptyResult so it goes up to an API caller. In case
of Web UI it breaks retrieval of the initial configuration due to ipa
config-show failing completely rather than avoiding to show available
server roles.
Fixes: https://pagure.io/freeipa/issue/7452
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
It is quite unclear how realm domains behave without reading source
code. New doc text describes its purpose and how it is managed.
https://pagure.io/freeipa/issue/7424
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
While trying to add idrange with untrusted domain name error
message is misleading.
Changing the error message to:
invalid 'ID Range setup':Specified trusted domain
name could not be found.
Resolves: https://pagure.io/freeipa/issue/5078
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
The previous default token key size would fail in FIPS mode for the sha384
and sha512 algorithms. With the updated key size, the default will work in
all cases.
https://pagure.io/freeipa/issue/7168
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When ipa host-add --random is unable to add a reverse record (for instance
because the server does not manage any reverse zone), the command
adds the host but exits (return code=1) with an error without actually
outputing the random password generated.
With this fix, the behavior is modified. The commands succeeds (return code=0)
but prints a warning.
This commit also adds a unit test.
https://pagure.io/freeipa/issue/7374
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Fixes a regression in 4.5.0 where special character set was limited.
Special characters in the OTP has caused issues in unattended
installations where the OTP is not properly quoted or escaped.
Expansion of the special character set in 4.5.0 release may cause
existing user installation scripts to fail where they wouldn't
otherwise.
https://pagure.io/freeipa/issue/7380
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Use Python 3's reprlib with customizations to create same API.txt under
Python 2 and 3. Some plugins have been slightly altered to use stable
sorting for dynamically created parameter lists.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When ipa host-add --ip-address is called but no DNS server is able to answer
for the reverse zone, get_reverse_zone raises a NoNameservers exception.
The exception is not managed by add_records_for_host_validation, and this
leads to the command exiting on failure with an InternalError:
$ ipa host-add testhost.ipadomain.com --ip-address 172.16.30.22
ipa: ERROR: an internal error has occurred
A traceback is also logged in httpd error_log.
This commit properly handles the exception, and adds a test.
https://pagure.io/freeipa/issue/7397
Reviewed-By: Christian Heimes <cheimes@redhat.com>
ldap2.can_add checks for add permission of a given entry.
It did not work properly due to a defect in 389 DS. Now that the
defect has been fixed, we also need to update can_add to work with
the mechanism 389 DS provides for checking add permission for
entries where ACIs are in effect.
Update the ldap2.can_add implementation to perform the add
permission check properly. Also update call sites accordingly.
Update the spec file to require 389-ds-base-1.3.7.9-1 which is the
first release containing the fix. This version of 389-ds-base also
resolves a couple of other issues related to replication and
connection management.
Fixes: https://pagure.io/freeipa/issue/6609
Fixes: https://pagure.io/freeipa/issue/7165
Fixes: https://pagure.io/freeipa/issue/7228
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Allow caller to specify that the GetEffectiveRights server control
should be used on a per-operation basis. Also update
ldap2.get_effective_rights to use this new API.
Part of: https://pagure.io/freeipa/issue/6609
Reviewed-By: Christian Heimes <cheimes@redhat.com>
When executing cert-request, if Dogtag successfully issues a
certificate but python-cryptography cannot parse the certificate, an
unhandled exception occurs. Handle the exception by notifying about
the malformed certificate in the response messages.
Fixes: https://pagure.io/freeipa/issue/7390
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
ipa rpc server did set the LANG environment variable on each
request and it was not thread safe which led to unpredictable
mixed languages output. Also, there were mistakes regarding
setting the Accept-Language HTTP header.
Now on each request we're setting the "languages" property
in the context thread local variable and client is setting
the Accept-Language HTTP header correctly.
Also, as the server is caching the schema and the schema can
be generated for several languages it's good to store different
schema fingerprint for each language separately.
pagure: https://pagure.io/freeipa/issue/7238
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
ipa-server-install --uninstall command is calling server-del to
delete replica. This scenario does not work since server-del
is also deleting all principals from and ldap breaking ldap
replication. As a result, only part of deletions are propagated
to the other replicals leaving a lot of orphaned data there.
https://pagure.io/freeipa/issue/7371
This patch won't fully fix the issue with left-over data
but more data is cleaned up and only ldap principal is left
thus ending in a better state.
Issue will be fully fixed only when topology plugin is patched
as well. The following pagure ticket is created to track
topology plugin change:
https://pagure.io/freeipa/issue/7359
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Changing from iteritems() to values() in order to be compatible with
python3.
https://pagure.io/freeipa/issue/7373
Reviewed-By: Christian Heimes <cheimes@redhat.com>
When the option --domain-resolution-order is used with the command
ipa idview-add, the resulting LDAP object stores the value in
ipadomainresolutionorder attribute.
The issue is that the add command does not add the needed object
class (ipaNameResolutionData) because it is part of
possible_objectclasses but not of object_class.
The fix makes sure to add the objectclass when the option
--domain-resolution-order is used, and adds a non-regression test.
Note that idview-mod does not have any issue as it correctly handles
the addition of missing possible objectclasses.
Fixes:
https://pagure.io/freeipa/issue/7350
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
for/else makes only sense when the for loop uses break, too. If the for
loop simply returns on success, then else is not necessary.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Turn calls "handle_not_found()" into "raise handle_not_found()" to
indicate control flow chance. It makes the code easier to understand,
the control flow more obvious and helps static analyzers.
It's OK to raise here because handle_not_found() always raises an
exception.
https://pagure.io/freeipa/issue/7344
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Instantiating an exception, but not raising it, has no effect.
https://pagure.io/freeipa/issue/7344
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Quite often users choose wrong type of trust on Active Directory side
when setting up a trust to freeIPA. The trust type supported by freeIPA
is just a normal forest trust to another Active Directory. However,
some people follow old internet recipes that force using a trust to MIT
Kerberos realm.
This is a wrong type of trust. Unfortunately, when someone used MIT
Kerberos realm trust, there is no way to programmatically remote the
trust from freeIPA side. As result, we have to detect such situation and
report an error.
To do proper reporting, we need reuse some constants and trust type
names we use in IPA CLI/Web UI. These common components were moved to
a separate ipaserver/dcerpc_common.py module that is imported by both
ipaserver/plugins/trust.py and ipaserver/dcerpc.py.
Fixes https://pagure.io/freeipa/issue/7264
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Add the correct procedure for re-running ipa trust-add with a different
range type.
Fixes:
https://pagure.io/freeipa/issue/7308
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Replace python3-pyldap with python3-ldap.
Remove some old code for compatibility with very old python-ldap.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
In structured mode, dict size is modified by del record[attr].
https://pagure.io/freeipa/issue/7275
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Change eb6d4c3037 deferred the
detailed lookup until all certs were collected but introduced
a bug where the ra backend was always retrieved. This generated a
backtrace in a CA-less install because there is no ra backend in
the CA-less case.
The deferral also removes the certificate value from the LDAP
search output resulting in only the serial number being displayed
unless --all is provided. Add a new class variable,
self.ca_enabled, to add an exception for the CA-less case.
Fixes https://pagure.io/freeipa/issue/7202
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
RADIUS, which is also internally used in the process of OTP
authentication by ipa-otpd, requires MD5 checksums which
makes it impossible to be used in FIPS mode. Don't allow users
setting OTP or RADIUS authentication if in FIPS mode.
https://pagure.io/freeipa/issue/7168
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Previously, CSRs were handled as a Str parameter which brought
trouble to Python 3 because of its more strict type requirements.
We introduce a CertificateSigningRequest parameter which allows to
use python-cryptography x509.CertificateSigningRequest to represent
CSRs in the framework.
https://pagure.io/freeipa/issue/7131
Now, the criteria option is working for both commands
and the commands are able to handle with wrong input values.
https://pagure.io/freeipa/issue/7134
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
This is causing python2 tests print ugly warnings about the
deprecation of the `message` attribute in python2.6.
https://pagure.io/freeipa/issue/7131
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
If the # of group memberships exceeded the search size limit
then SizeLimitExceeded was raised. Being in too many groups
should not cause a *_show to fail.
https://pagure.io/freeipa/issue/7112
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The goal is to avoid using HTTP where possible and use TLS everywhere.
This provides not only privacy protection but also integrity protection.
We should consider any network except localhost as untrusted.
Switch from using urllib.request to dogtag.https_request.
https://pagure.io/freeipa/issue/7027
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
This was causing issues when adding/removing a CA in the
CA plugin.
https://pagure.io/freeipa/issue/7131
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This is import to avoid problems when migrating from olders
versions of IPA and using idoverrideuser-* commands.
https://pagure.io/freeipa/issue/7074
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
If we issue pkinit-status after an upgrade from a pre-4.5 ipa
version, it would have failed with KeyError since the
pkinit_server_server of IPA config was never initialized.
https://pagure.io/freeipa/issue/7144
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
unsupported-assignment-operation is useful at times, make it only
local, not global.
https://pagure.io/freeipa/issue/6874
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
sudocmd.get_dn() was trying to assign in an item of a tuple
which is not possible.
https://pagure.io/freeipa/issue/6874
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The consider-iterating-dictionary check disable never worked before
(notice the missing comma in pylintrc). Fix the rest of the dict
iteration.
https://pagure.io/freeipa/issue/6874
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
commit bddb90f38a added the support for
multivalued server attributes (for pkinit_server_server), but this
introduced an API change where the setter and getter of ServerAttribute
are expecting list of values.
When a SingleValuedServerAttribute is used, we need to convert one elem
into a list containing this elem and vice-versa, so that the ipa config-mod
and ipa config_show APIs are not modified.
https://pagure.io/freeipa/issue/7120
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
cert-show returns a base64 encoded certificate yet the assumption
here was for a PEM bytes instance.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
The schema RPC response can include a bytes value for the
'topic_topic' field (when the server is running in Python 2).
In this case, a Python 3 client fails to initialise the API
when a schema fetch is required, because it cannot serialise
the bytes values in the schema object to JSON.
Ensure the 'topic_topic' value is unicode.
Part of: https://pagure.io/freeipa/issue/4985
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
When uninstalling, if server does not have all roles, exception
is thrown as the role is not found. `member_principal` variable
has to be string here, otherwise we're using str on bytes.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Recent certificate refactoring left the system in a state where
the certificates are somewhere converted to DER format, somewhere
directly sent to ipaldap as IPACertificate objects. The latter
is the desirable way, make sure it's the one commonly used.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
The hyphenated forms are less ambiguous and easier to read.
(For more grammar background, see for example
"Hyphenate Complex Adjectives" in http://stylepedia.net/
Grammar-Hyphenation )
https://pagure.io/freeipa/issue/6582
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
ipaldap.LDAPEntry expects that entry attributes, if multi-valued,
are lists.
The recent cert refactoring made it possible to pass certificate
values from options directly to LDAPEntry. This should now be
handled in appropriate general way in baseldap.LDAPCreate
since if options.get() is called, it returns tuple instead
of list which confuses ipaldap.
https://pagure.io/freeipa/issue/7077
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The server-del command passes str instance instead of bytes to
ldap.modify_s which results in the target server not being
removed properly.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
Up until now, Bytes parameter was used for certificate parameters
throughout the framework. However, the Bytes parameter does nothing
special for certificates, like validation, so this had to be done
for each of the parameters which were supposed to represent a
certificate.
This commit introduces a special Certificate parameter which takes
care of certificate validation so this does not have to be done
separately. It also makes sure that the certificates represented by
this parameter are always converted to DER format so that we can work
with them in a unified manner throughout the framework.
This commit also makes it possible to pass bytes directly during
instantiation of the Certificate parameter and they are still
represented correctly after their conversion in the _convert_scalar()
method.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Splitting the load_certificate() function into two separate helps
us word the requirements for the input explicitly. It also makes
our backend similar to the one of python-cryptography so eventually
we can swap python-cryptography for IPA x509 module.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add new validator which inherits from integer validator
and checks whether the integer is positive.
https://pagure.io/freeipa/issue/6980
Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
Remove logger arguments in all functions and logger attributes in all
objects, with the exception of API object logger, which is now deprecated.
Replace affected logger calls with module-level logger calls.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Remove all object-specific loggers, with the exception of `Plugin.log`,
which is now deprecated. Replace affected logger calls with module-level
logger calls.
Deprecate object-specific loggers in `ipa_log_manager.get_logger`.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Currently the cert-request execution is complicated and cannot
handle aliases in the --principal argument.
Implement the following simplifications:
- Search all user/host/service accounts at once, by krbPrincipalName
(error if no account found). Use principal canonical name to
determine the type of the principal.
- Update subject principals userCertificate attribute uniformly,
instead of dispatching to user/host/service-mod based on type of
principal.
Fixes: https://fedorahosted.org/freeipa/ticket/6531
Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
While test run the TypeError occured in whoami.validate_output().
There should be 'tuple' type in output too.
Fixes: https://pagure.io/freeipa/issue/7050
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
If the role or attribute is empty (i.e. no server provides the role or
the caller has no read access to the required information) do not
return empty attributes. This is consistent with other behavior
displayed by optional multivalued Params.
https://pagure.io/freeipa/issue/7029
Reviewed-By: Martin Basti <mbasti@redhat.com>
LDAPClient should be used for ad-hoc connections, so the argument is not
necessary, and currently also unused.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Use LDAPClient instead of ldap2 for ad-hoc remote LDAP connections in the
user_status and migrate-ds plugins.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This parameter is unused in code. We are no longer testing if IP address
matches an interface in constructor.
https://pagure.io/freeipa/issue/4317
Reviewed-By: David Kupka <dkupka@redhat.com>
The cert-find command now uses the proxy to reach Dogtag, instead of using
the port 8080. In order to accomplish that, it's necessary to change the
proxy configuration including the URL called.
https://pagure.io/freeipa/issue/6966
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Invocation of the ipa dnsserver-find command failed with
internal server error when there is no DNS server in topology.
Fixes: https://pagure.io/freeipa/issue/6571
Reviewed-By: Martin Basti <mbasti@redhat.com>
There are two ways for maintaining user principal names (UPNs) in Active
Directory:
- associate UPN suffixes with the forest root and then allow for each
user account to choose UPN suffix for logon
- directly modify userPrincipalName attribute in LDAP
Both approaches lead to the same result: AD DC accepts user@UPN-Suffix
as a proper principal in AS-REQ and TGS-REQ.
The latter (directly modify userPrincipalName) case has a consequence
that this UPN suffix is not visible via netr_DsRGetForestTrustInformation
DCE RPC call. As result, FreeIPA KDC will not know that a particular UPN
suffix does belong to a trusted Active Directory forest. As result, SSSD
will not be able to authenticate and validate this user from a trusted
Active Directory forest.
This is especially true for one-word UPNs which otherwise wouldn't work
properly on Kerberos level for both FreeIPA and Active Directory.
Administrators are responsible for amending the list of UPNs associated
with the forest in this case. With this commit, an option is added to
'ipa trust-mod' that allows specifying arbitrary UPN suffixes to a
trusted forest root.
As with all '-mod' commands, the change replaces existing UPNs when
applied, so administrators are responsible to specify all of them:
ipa trust-mod ad.test --upn-suffixes={existing.upn,another_upn,new}
Fixes: https://pagure.io/freeipa/issue/7015
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
After invocation of the ipa server-del <hostname>
command there was still record in ldap if DNS
was installed on the <hostname> server.
Fixes: https://pagure.io/freeipa/issue/6572
Reviewed-By: Martin Basti <mbasti@redhat.com>
In service.py the primary key is krbCanonicalName, which we
don't want to use to do searchs. Now, cert-find uses primary
key or a specified attribute to do searches in LDAP, instead
of using only a primary key.
https://pagure.io/freeipa/issue/6948
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
If the Subject DN is syntactically valid but contains unrecognised
name attributes, FreeIPA accepts it but Dogtag rejects it, returning
status 400 and causing the framework to raise RemoteRetrieveError.
Update the ca-add command to perform some additional validation on
the user-supplied Subject DN, making sure that we recognise all the
attributes.
Fixes: https://pagure.io/freeipa/issue/6987
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
Refactoring user_add class to use 'ldap.update_entry()' call
instead of api call 'user_mod' when --noprivate option is used.
https://pagure.io/freeipa/issue/5788
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This command is a more streamlined reporting tool for PKINIT feature
status in the FreeIPA topology. It prints out whether PKINIT is enabled
or disabled on individual masters in a topology. If a`--server` is
specified, it reports status for an individual server. If `--status` is
specified, it searches for all servers that have PKINIT enabled or
disabled.
https://pagure.io/freeipa/issue/6937
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The `config` object now hosts a generic method for updating the config
entry for desired server role configuration (if not empty). The
duplicated code in dns/trust/vaultconfig commands was replaced by a call
to a common method.
https://pagure.io/freeipa/issue/6937
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
In order to achieve the task, the following changes were required:
* vectorize the base class for server attributes
* add a child class that enforces single-value attributes. It still
accepts/returns single-value lists in order to not break Liskov
substitution principle
* Existing attributes inherit from the child class
https://pagure.io/freeipa/issue/6937
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Ever since from v4.5, FreeIPA expects at least some kind of
anonymous PKINIT to work. The pkinit-anonymous command was supposed
to enable/disable anonymous pkinit by locking/unlocking the
anonymous principal. We can't allow this for FreeIPA to work
so we are removing the command as it was never supported anyway.
https://pagure.io/freeipa/issue/6936
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa server-del should remove the server from the entry
cn=default,ou=profile,$BASE
The entry contains an attribute
defaultServerList: srv1.domain.com srv2.domain.com srv3.domain.com
The code calls srvlist = ret.single_value.get('defaultServerList') which means
that srvlist contains a single value (string) containing all the servers
separated by a space, and not a list of attribute values. Because of that,
srvlist[0] corresponds to the first character of the value.
The fix splits srvlist and not srvlist[0].
https://pagure.io/freeipa/issue/6943
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The check for krbprincipalaux in the entries is now made
case-insensitively.
https://pagure.io/freeipa/issue/6911
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Now, the cert-request command compares the domain part of the
email case-insensitively.
https://pagure.io/freeipa/issue/5919
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Refresh the ca_host property of the Dogtag's RestClient class when
it's requested as a context manager.
This solves the problem which would occur on DL0 when installing
CA which needs to perform a set of steps against itself accessing
8443 port. This port should however only be available locally so
trying to connect to remote master would fail. We need to make
sure the right CA host is accessed.
https://pagure.io/freeipa/issue/6878
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The server-side plugin for IPA Vault relied on the fact that the default
oid for encryption algorithm is 3DES in CBC mode (DES-EDE3-CBC). Dogtag
10.4 has changed the default from 3DES to AES. Pass the correct
algorithm OID to KeyClient.archive_encrypted_data().
Closes: https://pagure.io/freeipa/issue/6899
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
- Update get_attr_filter in LDAPSearch to handle nsaccountlock by setting the default value for
nsaccountlock to false as well as update the filter to check for the default value
- Remove pytest xfail for test_find_enabled_user
https://pagure.io/freeipa/issue/6896
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Rather than post-processing the results of each internal search,
post-process the combined result.
This avoids expensive per-certificate searches when cert-find is executed
with the --all option on certificates which won't even be included in the
combined result.
https://pagure.io/freeipa/issue/6808
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Since introduction of privilege separation in IPA framework none of the
operations that require direct access to the framework's credentials can
be done. All authentication has to be performed with GSSAPI.
As result, we cannot obtain TGT for HTTP/.. principal with kinit
anymore, so it is better to re-route all types of trust to oddjobd
helper and get rid of casing out two-way trust.
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1438366
Reviewed-By: Martin Basti <mbasti@redhat.com>
When idrange-add is called with --dom-name=, the CLI exits with
ipa: ERROR: an internal error has occurred
This happens because the code checks if the option is provided but does not
check if the value is None.
We need to handle empty dom-name as if the option was not specified.
https://pagure.io/freeipa/issue/6404
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
To create a wheel bundle with ipaserver and its dependencies:
make wheel_bundle IPA_SERVER_WHEELS=1
To include additional dependencies:
make wheel_bundle IPA_EXTRA_WHEELS=ipatests[webui]
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The pyhbac module is part of SSSD. It's not available as stand-alone
PyPI package. It would take a lot of effort to package it because the
code is deeply tight into SSSD.
Let's follow the example of other SSSD Python packages and make the
import of pyhbac conditionally. It's only necessary for caacl and
hbactest plugins.
I renamed convert_to_ipa_rule() to _convert_to_ipa_rule() because it
does not check for presence of pyhbac package itself. The check is
performed earlier in execute(). The prefix indicates that it is an
internal function and developers have to think twice before using it
in another place.
This makes it much easier to install ipaserver with instrumented build
of Python with a different ABI or in isolated virtual envs to profile
and debug the server.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
- Allows an admin to easily force a user to expire their password forcing the user to change it immediately or at a specified time in the future
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Currently when trying to erase the ipaDomainResolutionOrder attribute we
hit an internal error as the split() method is called on a None object.
By returning early in case of empty string we now allow removing the
ipaDomainResolutionOrder attribute by both calling delattr or setting
its value to an empty string.
https://pagure.io/freeipa/issue/6825
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
The recent changes allow the sudorule objects to be renamed.
https://pagure.io/freeipa/issue/2466
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
The recent changes allow HBAC rule objects to be renamed.
https://pagure.io/freeipa/issue/6784
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
The rename operation on *_mod commands was only allowed when
the primary key of an entry was also its RDN. With these changes,
it should be possible to rename the rest of the entries as well.
An attribute to the base LDAPObject was added to whitelist the
objects we want to allow to be renamed. It replaced an old
attribute rdn_is_primary_key which was used for the very same
purpose but the name was confusing because it was not set
correctly for certain objects.
https://pagure.io/freeipa/issue/2466https://pagure.io/freeipa/issue/6784
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Instead, apply the limits on the combined result.
This fixes (absence of) `--sizelimit` leading to strange behavior, such as
`cert-find --users user` returning a non-empty result only with
`--sizelimit 0`.
https://pagure.io/freeipa/issue/6716
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
After login, method user-find --whoami was called which cannot be
called for AD users. That method was replaced by ipa whoami command
and sequential command according to result of ipa whoami. AD user
can now be logged in.
AD users have new menu definition which contains only list of IPA
users and profile page of AD user - "User ID Override".
This commit also fixes several places where IPA.whoami object was
used, because its structure was also changed. It now contains two
objects. First one is stored in 'metadata' property and stores
result from ipa whoami (type of object, command which should be
called for showing detailed data about currently logged entity, etc).
The second one is stored in 'data' property which stores result of
_show command for currently logged entity.
https://pagure.io/freeipa/issue/3242
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
For external users which are mapped to some DN in LDAP server, we
wouldn't neccesary be able to find a kerberos data in their LDAP entry.
Instead of searching for Kerberos principal use actual DN we are bound
to because for get_effective_rights LDAP control we only need the DN
itself.
Fixes https://pagure.io/freeipa/issue/6797
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
This prevents replication-based race conditions to break PKINIT
certificate requests on replica installation.
https://pagure.io/freeipa/issue/6739
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
the pre-callback in `idview-mod` did not correctly handle non-existent
object during objectclass check. It will now correctly report that the
object was not found instead on generic 'no such entry'.
https://pagure.io/freeipa/issue/6372
Reviewed-By: Martin Basti <mbasti@redhat.com>
