Handling exceptions in python is expensive operation, removing of
uneeded finally block is good for performance.
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Removed custom class of CalledProcessError which was required for
Python versions prior to 2.5
Fixes: https://fedorahosted.org/freeipa/ticket/5717
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
I'm going to extend this so it is better to have it in module.
At the same time it is now using shared assert_absolute_dnsname()
helper.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
Sanity check for zone names and such should be the same everywhere.
This new function will be a replacement for ad-hoc checks.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
The function duplicated ipalib.util.verify_host_resolvable() in slightly
incompatible way because it used NSS while rest of IPA is using only DNS.
Reviewed-By: Martin Basti <mbasti@redhat.com>
In Python 3, dict.keys() returns a key view. It is not safe to delete
dict keys when iterating over this view.
Convert the keys to list first.
Part of the work for https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
This prevents cases when hostname on system is set inconsistently
(transient and static hostname differs) and may cause IPA errors.
This commit ensures that all hostnames are set properly.
https://fedorahosted.org/freeipa/ticket/5794
Reviewed-By: David Kupka <dkupka@redhat.com>
Netifaces allows to get addresses from local interfaces of the host in
safer way than parsing output of the ip command.
https://fedorahosted.org/freeipa/ticket/5591
Reviewed-By: David Kupka <dkupka@redhat.com>
When LDAP search fails on exceeded limits, we should raise an specific
exception for the type of limit raised (size, time, administrative) so that
the consumer can distinguish between e.g. searches returning too many entries
and those timing out.
https://fedorahosted.org/freeipa/ticket/5677
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Regression caused by commit 491447cc5a,
ValueErrori and AttributeError are too much specific for these cases, multiple types of
exception can be raised.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The -r option makes certutil output certificates in DER. If there are
multiple certificates sharing the same nickname, certutil will output
them concatenated into a single blob. The blob is not a valid DER
anymore and causes failures further in the code.
Use the -a option instead to output the certificates in PEM and convert
them to DER on demand.
https://fedorahosted.org/freeipa/ticket/5117https://fedorahosted.org/freeipa/ticket/5720
Reviewed-By: David Kupka <dkupka@redhat.com>
For historical reasons, the string module contained some functions
that mirror methods of the str type. These are eremoved in Python 3.
Use str methods instead.
Part of the work for https://fedorahosted.org/freeipa/ticket/5638
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
pylint 1.5 prints many false positive no-member errors which are
supressed by this commit.
https://fedorahosted.org/freeipa/ticket/5615
Reviewed-By: David Kupka <dkupka@redhat.com>
The scripts in this directory are simple python scripts, nothing arch-specific
in them. Having them under libexec would simplify the code a bit too, since
there would be no need to worry about lib vs lib64 (which also cause trouble
on Debian).
https://fedorahosted.org/freeipa/ticket/5586
Reviewed-By: David Kupka <dkupka@redhat.com>
Don't put any IPA certificates to /etc/pki/nssdb - IPA itself uses
/etc/ipa/nssdb and IPA CA certificates are provided to the system using
p11-kit. Remove leftovers on upgrade.
https://fedorahosted.org/freeipa/ticket/5592
Reviewed-By: David Kupka <dkupka@redhat.com>
Fixes issues discovered by Coverity
plugins/baseldap.py: possible undefined value in return
certmonger.py: possible dereference of None value
i18n.py: fixed always True bug (+ cosmetic change)
https://fedorahosted.org/freeipa/ticket/5661
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Fixes some Coverity issues
ipadiscovery.py: added assert should universe break
plugins/dns.py: removed dead code
dnssec/ldapkeydb.py: attribute assert in the proper object
test_automount_plugin.py: fixed possible close() on None
xmlrpc_test.py: Coverity does not like accessing None.__class__
https://fedorahosted.org/freeipa/ticket/5661
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Py3 does not support iter* methods, this commit replaces 2 occurencies
of iteritems() to items(). The dictionaries there are not big, this is
sufficient we do not need to use six.
https://fedorahosted.org/freeipa/ticket/5623
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
- Use binascii.hexlify instead of encode('hex')
- Keep the library name as a text string instead of encoding to bytes
https://fedorahosted.org/freeipa/ticket/5638
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Python defaults to 'w+b', but all callers in IPA write use text (as
opposed to bytes).
https://fedorahosted.org/freeipa/ticket/5638
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
A workaround was introduced for ticket #4676 that used wget to
perform an (unauthenticated) https request to check the CA status.
Later, wget was changed to curl (the request remained
unauthenticated).
Remove the workaround and use an http request (no TLS) to check the
CA status. Also remove the now-unused unauthenticated_http_request
method, and update specfile to remove ipalib dependency on curl.
Reviewed-By: Martin Basti <mbasti@redhat.com>
In Python 3, this special method got renamed. Set both to the same
function to keep compatibility.
https://fedorahosted.org/freeipa/ticket/5623
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Pylint considers `print` a statement if the __future__ import is
not present, even if it's used like a function with one argument.
Add the __future__ import to files `pylint --py3k` complains about.
https://fedorahosted.org/freeipa/ticket/5623
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Replace the "import default_encoding_utf8" in ipalib/cli.py with equivalent
Python code.
https://fedorahosted.org/freeipa/ticket/5596
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The HTTP reason phrase sent by Dogtag is assumed to be encoded in
UTF-8, but the encoding used by Tomcat is dependent on system
locale, causing decode errors in some locales.
The reason phrase is optional and will not be sent in a future
version of Tomcat[1], so do not bother decoding and returning it.
[1] 707ab1c77f
Fixes: https://fedorahosted.org/freeipa/ticket/5578
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This commit allows to use mixed case of keys for sysrestore, before this
commit all keys were saved in lowercase what prevents to accesing them.
Original usage of mixed case for sysretore key in opendssecinstance had
to be changed to lowercase to prevent issues on already installed
systems.
https://fedorahosted.org/freeipa/ticket/5574
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Command "ldap-cleanup <zone name>" is called to remove all key metadata from
LDAP. This command is now called when disabling DNSSEC on a DNS zone. The stale
metadata were causing problems when re-enabling DNSSEC on the same zone.
https://fedorahosted.org/freeipa/ticket/5348
Reviewed-By: Martin Basti <mbasti@redhat.com>
This filtering is useful in cases where LDAP contains DNS zones which
have old metadata objects and DNSSEC disabled. Such zones must be
ignored to prevent errors while calling dnssec-keyfromlabel or rndc.
https://fedorahosted.org/freeipa/ticket/5348
Reviewed-By: Martin Basti <mbasti@redhat.com>
Key purging has to be only only after key metadata purging so
ipa-dnskeysyncd on replices does not fail while dereferencing
non-existing keys.
https://fedorahosted.org/freeipa/ticket/5334
Reviewed-By: Martin Basti <mbasti@redhat.com>
ldapkeydb.py can be executed directly now. In that case it will print
out key metadata as obtained using IPA LDAP API.
Kerberos credential cache has to be filled with principal posessing
appropriate access rights before the script is execured.
https://fedorahosted.org/freeipa/ticket/5348
Reviewed-By: Martin Basti <mbasti@redhat.com>
We have to explicitly specify "none" value to prevent dnssec-keyfromlabel
utility from using current time for keys without "publish" and "activate"
timestamps.
Previously this lead to situation where key was in (intermediate) state
"generated" in OpenDNSSEC but BIND started to use this key for signing.
https://fedorahosted.org/freeipa/ticket/5348
Reviewed-By: Martin Basti <mbasti@redhat.com>
Wildcard imports should not be used.
Check for wildcard imports has been enabled in pylint.
Pylint note: options 'wildcard-import' causes too much false positive
results, so instead it I used 'unused-wildcard-import' option which has almost
the same effect.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Running make with PYTHON=/usr/bin/python3 will build/install the
bits for Python 3.
Executable scripts in ipatests have symlinks Python version suffixes
as per Fedora guidelines. Suffix-less names point to the Python 2 versions.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In cases where domain is already delegated to IPA prior installation
we might get timeout or SERVFAIL. The answer depends on the recursive
server we are using for the check.
Reviewed-By: David Kupka <dkupka@redhat.com>
Raise an error when the domain already exists. This can be overriden using
--force or --allow-zone-overlap options.
https://fedorahosted.org/freeipa/ticket/3681
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Check if the zone user wants to add is already resolvable and refuse to
create it if yes. --skip-overlap-check and --force options suppress this check.
https://fedorahosted.org/freeipa/ticket/5087
Reviewed-By: Petr Spacek <pspacek@redhat.com>
The ipautil.run function now returns an object with returncode and
output are accessible as attributes.
The stdout and stderr of all commands are logged (unless skip_output is given).
The stdout/stderr contents must be explicitly requested with a keyword
argument, otherwise they are None.
This is because in Python 3, the output needs to be decoded, and that can
fail if it's not decodable (human-readable) text.
The raw (bytes) output is always available from the result object,
as is "leniently" decoded output suitable for logging.
All calls are changed to reflect this.
A use of Popen in cainstance is changed to ipautil.run.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
python-gssapi chokes on empty ccache files, so instead of creating an empty
temporary ccache file in private_ccache, create a temporary directory and
use a non-existent file in that directory as the ccache.
https://fedorahosted.org/freeipa/ticket/5401
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Default ldap search limit is now 30 sec by default during upgrade.
Limits must be changed for the whole ldap2 connection, because this
connection is used inside update plugins and commands called from
upgrade.
Together with increasing the time limit, also size limit should be
unlimited during upgrade. With sizelimit=None we may get the
TimeExceeded exception from getting default value of the sizelimit from LDAP.
https://fedorahosted.org/freeipa/ticket/5267
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Python dns resolver append configured domain to queries which may lead
to false positive answer.
Exmaple: resolving "ipa.example.com" may return records for
"ipa.example.com.example.com" if domain is configured as "example.com"
https://fedorahosted.org/freeipa/ticket/5421
Reviewed-By: Petr Spacek <pspacek@redhat.com>
If the code within the private_ccache contextmanager does not
set/removes the KRB5CCNAME, the pop method will raise KeyError, which
will cause unnecessary termination of the code flow.
Make sure the KRB5CCNAME is popped out of os.environ only if present.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Dogtag 9 CA and CA DS install and uninstall code was removed. Existing
Dogtag 9 CA and CA DS instances are disabled on upgrade.
Creating a replica of a Dogtag 9 IPA master is still supported.
https://fedorahosted.org/freeipa/ticket/5197
Reviewed-By: David Kupka <dkupka@redhat.com>
The Dogtag interface always attempts to (re)init NSS, which can fail
with SEC_ERROR_BUSY. Do not reinitialise NSS when it has already
been initialised with the given dbdir.
Part of: https://fedorahosted.org/freeipa/ticket/5459
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Pretty printing the TLS peer certificate to logs on every request
introduces a lot of noise; do not log it (subject name, key usage
and validity are still logged).
Fix and tidy up some HTTP logging messages for Dogtag requests.
Part of: https://fedorahosted.org/freeipa/ticket/5269
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The automake generated makefiles have already a target check.
We need to provide this target also to non-generated
Makefiles so we can recursively call make check from
top level Makefile
Reviewed-By: Martin Basti <mbasti@redhat.com>
export_pem_cert should export the certificate
in pem format but instead exports the cert in der
format as it doesn't enable pem=True.
This patch specifies pem=True for export_pem_cert function
Signed-off-by: Niranjan MR <mrniranjan@fedoraproject.org>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
StringIO was renamed in Python 3. The import was was unused,
so remove it.
Files need to be opened in binary mode if bytes are written to them.
(For Python 2: on Linux, there's no practical difference between
text and binary mode)
Reviewed-By: Tomas Babej <tbabej@redhat.com>
In Python 3, the base64.b64decode function raises binascii.Error (a ValueError
subclass) when it finds incorrect padding. In Python 2 it raises TypeError.
Callers should usually handle ValueError; unless they are specifically
concerned with handling base64 padding issues).
In some cases, callers should handle ValueError:
- ipalib.pkcs10 (get_friendlyname, load_certificate_request): callers should
handle ValueError
- ipalib.x509 (load_certificate*, get_*): callers should handle ValueError
In other cases ValueError is handled:
- ipalib.parameters
- ipapython.ssh
- ipalib.rpc (json_decode_binary - callers already expect ValueError)
- ipaserver.install.ldapupdate
Elsewhere no error handling is done, because values come from trusted
sources, or are pre-validated:
- vault plugin
- ipaserver.install.cainstance
- ipaserver.install.certs
- ipaserver.install.ipa_otptoken_import
Reviewed-By: Tomas Babej <tbabej@redhat.com>
This patch implements a new flag --promote for the ipa-replica-install command
that allows an administrative user to 'promote' an already joined client to
become a full ipa server.
The only credentials used are that of an administrator. This code relies on
ipa-custodia being available on the peer master as well as a number of other
patches to allow a computer account to request certificates for its services.
Therefore this feature is marked to work only with domain level 1 and above
servers.
Ticket: https://fedorahosted.org/freeipa/ticket/2888
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Add a customized Custodia daemon and enable it after installation.
Generates server keys and loads them in LDAP autonomously on install
or update.
Provides client code classes too.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Sort out the accepted types.
Handle Python 3's stricter separation between bytes and unicode.
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
In Python 3, the types module no longer provide alternate names for
built-in types, e.g. `types.StringType` can just be spelled `str`.
NoneType is also removed; it needs to be replaced with type(None)
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
The module was renamed in Python 3.
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
The module name was lowercased in Python 3.
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
The module is renamed to xmlrpc.client in Python 3.
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
In Python 3, these modules are reorganized.
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
In Python 3, integers don't have a maximum. The number called
"sys.maxint" is now "sys.maxsize" (defined as larger than the
largest possible list/string index).
The new spelling is also available in Python 2.7.
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
__cmp__ and cmp were removed from Python 3.
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
- Use PyLong instead of PyInt on Python 3
- Use PyBytes instead of PyString for binary strings
- Use Py_TYPE(o) instead of o->py_type, and PyVarObject_HEAD_INIT
instead of PyObject_HEAD_INIT
- Use a helper function instead of Py_BuildValue("s#"), so that
bytes are returned on Python 3
- Use new style module initialization on Python 3
- Use PyModule_AddIntConstant and PyModule_AddIntMacro for adding constants
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
StandardError was removed in Python3 and instead
Exception should be used.
Signed-off-by: Robert Kuska <rkuska@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
During the migration from winsync replicated users to their
trusted identities, memberships are being preserved. However,
trusted users are external and as such cannot be added as
direct members to the IPA entities. External groups which
encapsulate the migrated users are added as members to those
entities instead.
The name of the external group is generated from the type
of the entity and its name. However, the entity's name can
contain characters which are invalid for use in the group
name.
Adds a helper function to convert a given string to a string
which would be valid for such use and leverages it in the
winsync-migrate tool.
https://fedorahosted.org/freeipa/ticket/5319
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The six way of doing this is to replace all occurences of "unicode"
with "six.text_type". However, "unicode" is non-ambiguous and
(arguably) easier to read. Also, using it makes the patches smaller,
which should help with backporting.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
This mimics Python 3's behavior, where sys.argv is automatically decoded
using file system encoding, as returned by sys.getfilesystemencoding(). This
includes reimplementation of os.fsdecode() from Python 3.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Rename __unicode__ to __str__ in classes which define it and use the
six.python_2_unicode_compatible decorator on them to make them compatible with
both Python 2 and 3.
Additional changes were required for the ipapython.dnsutil.DNSName class,
because it defined both __str__ and __unicode__.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Metaclass specification is incompatible between Python 2 and 3. Use the
six.with_metaclass helper to specify metaclasses.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
