Commit Graph

116 Commits

Author SHA1 Message Date
Florence Blanc-Renaud
6f0da62f5a Passkey: add support for discoverable credentials
Apart from server-side credentials passkey should also register
discoverable credentials.
ipa user-add-passkey --register now supports an additional option,
--cred-type server-side|discoverable
that is propagated to passkey_child command.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Florence Blanc-Renaud
a21214cb9e API: add new commands for passkey mappings
- ipa user-add-passkey
- ipa user-remove-passkey
- ipa stageuser-add-passkey
- ipa stageuser-remove-passkey

Fixes: https://pagure.io/freeipa/issue/9261
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Florence Blanc-Renaud
5154f8e639 automember-rebuild: add a notice about high CPU usage
The automember-rebuild task may require high CPU usage
if many users/hosts/groups are processed.
Add a note in the ipa automember-rebuild CLI output
and in the WebUI confirmation message.

Fixes: https://pagure.io/freeipa/issue/9320
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2023-02-02 07:33:36 +01:00
Florence Blanc-Renaud
cad06382a2 pylint: remove unneeded disable=unused-private-member
pylint fixed issue https://github.com/PyCQA/pylint/issues/4756
and we don't need anymore to disable this check.

Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2023-01-10 08:30:58 +01:00
Francisco Trivino
93548f2569 Vault: fix interoperability issues with older RHEL systems
AES-128-CBC was recently enabled as default wrapping algorithm for transport of secrets.
This change was done in favor of FIPS as crypto-policies disabled 3DES in RHEL9, but
setting AES as default ended-up breaking backwards compatibility with older RHEL systems.

This commit is tuning some defaults so that interoperability with older RHEL systems
works again. The new logic reflects:

- when an old client is calling a new server, it doesn't send any value for wrapping_algo
  and the old value is used (3DES), so that the client can decrypt using 3DES.

- when a new client is calling a new server, it sends wrapping_algo = AES128_CBC

- when a new client is calling an old server, it doesn't send any value and the default is
  to use 3DES.

Finally, as this logic is able to handle overlapping wrapping algorithm between server and
client, the Option "--wrapping-algo" is hidden from "ipa vault-archive --help" and "ipa
vault-retrieve --help" commands.

Fixes: https://pagure.io/freeipa/issue/9259
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-11-21 10:41:10 -05:00
Florence Blanc-Renaud
f1b2d8ab36 ipa otptoken-sync: return error when sync fails
The command ipa otptoken-sync does not properly handle
errors happening during the synchronization step.

- Even if an error is detected (such as invalid password
provided), the command exits with return code = 0. An
error message is displayed but the exit code should be 1.

- When an invalid token is provided, the token is not
synchronized but the error is not reported back to the
ipa otptoken-sync command.

The first issue can be fixed by raising an exception when
the HTTP response contains an header with an error.
The second issue is fixed by returning LDAP_INVALID_CREDENTIALS
to ldap bind with the sync control if synchronization fails.

Fixes: https://pagure.io/freeipa/issue/9248

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-09-29 07:58:44 -04:00
Christian Heimes
40c362e1ee Support AES for KRA archival wrapping
The vault plugin has used TripleDES (des-ede3-cbc) as default wrapping
algorithm since the plugin was introduced. Allow use of AES-128-CBC as
alternative wrapping algorithm for transport of secrets.

Fixes: https://pagure.io/freeipa/issue/6524

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2022-03-16 12:07:01 +02:00
Stanislav Levin
5a00882eab pylint: Fix useless-suppression
Cleanup up no longer used Pylint's disables where possible.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
851f6d48ac pylint: Fix consider-using-dict-items
Pylint 2.9 introduced new check:
> New checker consider-using-dict-items. Emitted when iterating over
dictionary keys and then indexing the same dictionary with the key
within loop body.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
cd2739bb0c pylint: Skip unused-private-member for property case
See https://github.com/PyCQA/pylint/issues/4756 for details

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Rob Crittenden
47fbe05f7f Improve sudooption docs, make the option multi-value
I don't know why this wasn't always multi-value but if one wanted
to set multiple options they needed to call add-option multiple
times. The LDAP attribute is already multi-value.

This shouldn't cause API issues as it understood the attribute as
multi-value just didn't expose it. Client output on the CLI will
look a bit different:

Added option "('one', 'two')" to Sudo Rule "test"

or

Added option "(u'one', u'Two')" to Sudo Rule "test"

instead of with this change:

Added option "one,two" to Sudo Rule "test"

Removing an option works in a similar way.

The value is normalized on the client side in order to ensure that
the option value is always a tuple.

https://pagure.io/freeipa/issue/2278

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-10-08 10:47:58 +02:00
Rob Crittenden
3e9bb606b4 Display all orphaned keys in automountlocation-tofiles
Only the first key was being displayed for any orphaned map.

https://pagure.io/freeipa/issue/7814

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2021-07-26 11:07:57 -04:00
Florence Blanc-Renaud
178dec8fc3 pylint: fix inconsistent-return-statements
pylint 2.7.0 now emits inconsistent-return-statements if one of
try/except statement is not returning explicitly while the other do.

Fixes: https://pagure.io/freeipa/issue/8720
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-22 16:18:11 -05:00
Rob Crittenden
767232b478 Remove support for csrgen
This was never feature complete and currently has issues and
we lack the resources to maintain it.

Drop it for now. It can be revived from git history in the
future if we see the need.

https://pagure.io/freeipa/issue/8669

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-01-21 13:51:45 +01:00
Christian Heimes
e8b98555fc Fix otptoken_sync plugin
The plugin had two bugs:

For one it did not work under Python 3 because urlencode() returns a string
but HTTPSHandler expects bytes as data argument.

The primary key field name is not available in client plugins. Just pass
the token name and let server code convert the name to DN.

Fixes: https://pagure.io/freeipa/issue/7804
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-11-28 16:09:07 +01:00
Fraser Tweedale
854d3053e2 Handle missing LWCA certificate or chain
If lightweight CA key replication has not completed, requests for
the certificate or chain will return 404**.  This can occur in
normal operation, and should be a temporary condition.  Detect this
case and handle it by simply omitting the 'certificate' and/or
'certificate_out' fields in the response, and add a warning message
to the response.

Also update the client-side plugin that handles the
--certificate-out option.  Because the CLI will automatically print
the warning message, if the expected field is missing from the
response, just ignore it and continue processing.

** after the Dogtag NullPointerException gets fixed!

Part of: https://pagure.io/freeipa/issue/7964

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2019-06-18 10:36:24 +10:00
Christian Heimes
e73fdcf8ba Import urllib submodules
otpclient only imported the urllib parent package, not urllib.request
and urllib.parse subpackages. This may or may not work depending on the
import order of other plugins.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-30 10:32:43 -04:00
Christian Heimes
533a5b2633 pylint 2.2: Fix unnecessary pass statement
pylint 2.2.0 has a new checker for unnecessary pass statements. There is
no need to have a pass statement in functions or classes with a doc
string.

Fixes: https://pagure.io/freeipa/issue/7772
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2018-11-26 16:54:43 +01:00
Christian Heimes
15d5e44ee8 Py3: Replace six.moves imports
Replace six.moves and six.StringIO/BytesIO imports with cannonical
Python 3 packages.

Note: six.moves.input behaves differently than builtin input function.
Therefore I left six.moves.input for now.

See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-10-05 12:06:19 +02:00
Fraser Tweedale
a2ad417490 Fix writing certificate chain to file
An client-side error occurs when cert commands are instructed to
write the certificate chain (--chain option) to a file
(--certificate-out option).  This regression was introduced in the
'cert' plugin in commit 5a44ca6383,
and reflected in the 'ca' plugin in commit
c7064494e5.

The server behaviour did not change; rather the client did not
correctly handle the DER-encoded certificates in the
'certificate_chain' response field.  Fix the issue by treating the
'certificate' field as base-64 encoded DER, and the
'certificate_chain' field as an array of raw DER certificates.

Add tests for checking that the relevant commands succeed and write
PEM data to the file (both with and without --chain).

Fixes: https://pagure.io/freeipa/issue/7700
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-10-02 10:18:32 +02:00
Christian Heimes
b431e9b684 Py3: Remove subclassing from object
Python 2 had old style and new style classes. Python 3 has only new
style classes. There is no point to subclass from object any more.

See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-09-27 11:49:04 +02:00
Armando Neto
c7064494e5 Fix certificate type error when exporting to file
Commands `ipa ca-show` and `ipa cert-show` share the same code,
this commit updates the former, closing the gap between them.

Reflecting the changes done in 5a44ca6383.

https://pagure.io/freeipa/issue/7628

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-09-06 14:36:15 +02:00
Armando Neto
d13571942e Fix Pylint 2.0 violations
Fix the following violations aiming to support Pylint 2.0

- `unneeded-not` (C0113):
  Consider changing "not item in items" to "item not in items" used
  when a boolean expression contains an unneeded negation.

- `useless-import-alias` (C0414):
  Import alias does not rename original package Used when an import
  alias is same as original package.e.g using import numpy as numpy
  instead of import numpy as np

- `raising-format-tuple` (W0715):
  Exception arguments suggest string formatting might be intended Used
  when passing multiple arguments to an exception constructor, the
  first of them a string literal containing what appears to be
  placeholders intended for formatting

- `bad-continuation` (C0330):
  This was already included on the disable list, although with current
  version of pylint (2.0.0.dev2) violations at the end of the files
  are not being ignored.
  See: https://github.com/PyCQA/pylint/issues/2278

- `try-except-raise` (E0705):
  The except handler raises immediately Used when an except handler
  uses raise as its first or only operator. This is useless because it
  raises back the exception immediately. Remove the raise operator or
  the entire try-except-raise block!

- `consider-using-set-comprehension` (R1718):
  Consider using a set comprehension Although there is nothing
  syntactically wrong with this code, it is hard to read and can be
  simplified to a set comprehension.Also it is faster since you don't
  need to create another transient list

- `dict-keys-not-iterating` (W1655):
  dict.keys referenced when not iterating Used when dict.keys is
  referenced in a non-iterating context (returns an iterator in
  Python 3)

- `comprehension-escape` (W1662):
  Using a variable that was bound inside a comprehension Emitted when
  using a variable, that was bound in a comprehension handler, outside
  of the comprehension itself. On Python 3 these variables will be
  deleted outside of the comprehension.

Issue: https://pagure.io/freeipa/issue/7614

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-07-14 12:04:19 +02:00
Armando Neto
b274da726b Replace file.flush() calls with flush_sync() helper
Calls to `os.fsync(f.fileno())` need to be accompained by `f.flush()`.

Commit 8bbeedc93f introduces the helper
`ipapython.ipautil.flush_sync()`, which handles all calls in the right
order.

However, `flush_sync()` takes as parameter a file object with fileno
and name, where name must be a path to the file, this isn't possible
in some cases where file descriptors are used.

Issue: https://pagure.io/freeipa/issue/7251

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-07-07 10:20:01 +02:00
Stanislav Levin
f5a04da95d Fix translation of commands description in API Browser
The command description is taken from python docstring. Thus
commands should have them and should include the callings of
gettext to be translated.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-06-12 08:38:56 +02:00
Christian Heimes
c925b44f43 Load certificate files as binary data
In Python 3, cryptography requires certificate data to be binary. Even
PEM encoded files are treated as binary content.

certmap-match and cert-find were loading certificates as text files. A
new BinaryFile type loads files as binary content.

Fixes: https://pagure.io/freeipa/issue/7520
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-04-30 20:42:00 +02:00
Fraser Tweedale
7633d62d85 csrgen: support initialising OpenSSL adaptor with key object
As a convenience for using it with the test suite, update the csrgen
OpenSSLAdaptor class to support initialisation with a
python-cryptography key object, rather than reading the key from a
file.

Part of: https://pagure.io/freeipa/issue/7496

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-04-25 14:41:12 +02:00
Christian Heimes
395a68d208 Defer import of ipaclient.csrgen
The modules ipaclient.csrgen and ipaclient.csrgen_ffi are expensive to load,
but rarely used. On demand loading speeds up ipa CLI by about 200ms.

Fixes: https://pagure.io/freeipa/issue/7484
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-04-10 07:58:52 +02:00
Stanislav Laznicka
c9c41d2d90
vault: fix vault-retrieve to a file
`data` is bytes but we were opening the "--out" file as
a text.

https://pagure.io/freeipa/issue/7430

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-03-06 13:00:23 +01:00
Christian Heimes
1c9f0a4b19 Vault: Add argument checks to encrypt/decrypt
Vault's encrypt and decrypt helper function take either symmetric or
public/private key. Raise an exception if either both or none of them
are passed down.

See https://pagure.io/freeipa/issue/7326

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2017-12-19 13:26:39 +01:00
Christian Heimes
8cb756a229 Fix pylint warnings inconsistent-return-statements
Add consistent return to all functions and methods that are covered by
tox -e pylint[23]. I haven't checked if return None is always a good
idea or if we should rather raise an error.

See: https://pagure.io/freeipa/issue/7326
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-12-18 11:51:14 +01:00
Stanislav Laznicka
c9265a7b05 x509: remove the strip_header() function
We don't need the strip_header() function, to load an unknown
x509 certificate, load_unknown_x509_certificate() should be used.

Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-01 07:55:04 +01:00
Stanislav Laznicka
61605d28d8 parameters: introduce CertificateSigningRequest
Previously, CSRs were handled as a Str parameter which brought
trouble to Python 3 because of its more strict type requirements.
We introduce a CertificateSigningRequest parameter which allows to
use python-cryptography x509.CertificateSigningRequest to represent
CSRs in the framework.

https://pagure.io/freeipa/issue/7131
2017-10-25 09:44:37 +02:00
Stanislav Laznicka
2b90c8a20e csrgen: accept public key info as Bytes
cert_get_requestdata() method is meant for internal use only and
is never passed a file. Make its parameter public_key_info Bytes
to better represent what's actually being passed to it.

https://pagure.io/freeipa/issue/7131
2017-10-25 09:44:37 +02:00
Aleksei Slaikovskii
fad88b358b ipaclient.plugins.dns: Cast DNS name to unicode
cmd.api.Command.dnsrecord_split_parts expects name to be unicode
string and instead gets ascii. It leads to an error:
ipa: ERROR: invalid 'name': must be Unicode text

This commit's change is casting name's type to unicode so
'ipa dnsrecord-mod' will not fail with error above.

https://pagure.io/freeipa/issue/7185

Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-10-20 10:55:49 +02:00
Fraser Tweedale
9cead4da2e py3: fix vault public key decoding
Part of: https://pagure.io/freeipa/issue/7033

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-08-29 13:03:25 +02:00
Tibor Dudlák
76357283ec
otptoken_yubikey.py: Removed traceback when package missing.
IPA should suggest user to install dependent packages instead
of throwing traceback. To work with IPA and Yubikey, packages
libyubikey(not in official RHEL repo) and libusb are required.

Resolves: https://pagure.io/freeipa/issue/6979
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-11 13:51:04 +02:00
Stanislav Laznicka
5a44ca6383 Create a Certificate parameter
Up until now, Bytes parameter was used for certificate parameters
throughout the framework. However, the Bytes parameter does nothing
special for certificates, like validation, so this had to be done
for each of the parameters which were supposed to represent a
certificate.

This commit introduces a special Certificate parameter which takes
care of certificate validation so this does not have to be done
separately. It also makes sure that the certificates represented by
this parameter are always converted to DER format so that we can work
with them in a unified manner throughout the framework.

This commit also makes it possible to pass bytes directly during
instantiation of the Certificate parameter and they are still
represented correctly after their conversion in the _convert_scalar()
method.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Stanislav Laznicka
b5732efda6 x509: Make certificates represented as objects
https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Stanislav Laznicka
4375ef860f Split x509.load_certificate() into PEM/DER functions
Splitting the load_certificate() function into two separate helps
us word the requirements for the input explicitly. It also makes
our backend similar to the one of python-cryptography so eventually
we can swap python-cryptography for IPA x509 module.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Jan Cholasta
07229c8ff6 logging: do not use ipa_log_manager to create module-level loggers
Replace all `ipa_log_manager.log_mgr.get_logger` calls to create
module-level loggers with `logging.getLogger` calls and deprecate
`ipa_log_manager.log_mgr.get_logger`.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Tibor Dudlák
69d05b86b7
topology.py: Removes error message from dictionary.
IPA will not print error message header when maximum
number of agreements per replica exceeded in topology.

Resolves: https://pagure.io/freeipa/issue/6533
Reviewed-By: David Kupka <dkupka@redhat.com>
2017-07-14 09:23:17 +02:00
Martin Basti
3f59721c55 py3: vault: data must be bytes
Use bytes for vault data

https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-23 14:45:05 +02:00
Stanislav Laznicka
1ed1717e99 ca/cert-show: check certificate_out in options
If --certificate-out was specified on the command line, it will appear
among the options. If it was empty, it will be None.

This check was done properly in the ca plugin. Lets' just unify how this
is handled and improve user experience by announcing which option causes
the failure.

https://pagure.io/freeipa/issue/6885

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-05-24 13:33:09 +00:00
David Kreitschmann
f1c6a5d8de Use os.fsync instead of os.fdatasync because macOS doesn't support fdatasync
Signed-off-by: David Kreitschmann <david@kreitschmann.de>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-05-17 14:07:13 +02:00
David Kupka
e415da22f3 otptoken-add-yubikey: When --digits not provided use default value
Since Thin client was introduced default values for options are not populated
in client side plugins. When option has default value and is needed in client
plugin it must be handled by explicitly.

https://pagure.io/freeipa/issue/6900

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-16 11:39:43 +02:00
Christian Heimes
bd5a5012d2 Slim down dependencies
* Make jinja2 an optional dependency and csrgen an optional plugin
* Make otptoken_yubikey an optional plugin

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-09 17:17:29 +02:00
Florence Blanc-Renaud
d5c41ed4ad vault: piped input for ipa vault-add fails
An exception is raised when using echo "Secret123\n" | ipa vault-add myvault

This happens because the code is using (string).decode(sys.stdin.encoding)
and sys.stdin.encoding is None when the input is read from a pipe.
The fix is using the prompt_password method defined by Backend.textui,
which gracefully handles this issue.

https://pagure.io/freeipa/issue/6907

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-04-28 13:19:51 +02:00
Ben Lipton
e7588ab2dc csrgen: Modify cert_get_requestdata to return a CertificationRequestInfo
Also modify cert_request to use this new format. Note, only PEM private
keys are supported for now. NSS databases are not.

https://pagure.io/freeipa/issue/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-03 07:46:30 +00:00
Ben Lipton
136c6c3e2a csrgen: Change to pure openssl config format (no script)
https://pagure.io/freeipa/issue/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-03 07:46:30 +00:00