Commit Graph

29 Commits

Author SHA1 Message Date
Tomas Krizek
9340a1417a install: remove dirman_pw from services
Remove directory manager's password from service's constructors

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-11-07 11:34:03 +01:00
Martin Basti
d937588146 Pylint: remove unused variables from installers and scripts
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-10-06 10:43:36 +02:00
Martin Basti
45e3aee352 Pylint: enable check for unused-variables
Unused variables may:
* make code less readable
* create dead code
* potentialy hide issues/errors

Enabled check should prevent to leave unused variable in code

Check is locally disabled for modules that fix is not clear or easy or have too many occurences of
unused variables

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-27 13:35:58 +02:00
Fraser Tweedale
0078e7a919 ipa-certupdate: track lightweight CA certificates
Enhance the ipa-certupdate program to add Certmonger tracking
requests for lightweight CA certificates.

Also update the dogtag-ipa-ca-renew-agent-submit to not store or
retrieve lightweight CA certificates, becaues Dogtag clones observe
renewals and update their NSSDBs on their own, and allow the helper
to request non-self-signed certificates.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-29 08:52:29 +02:00
Fraser Tweedale
6b3db0dc73 Load server plugins in certmonger renewal helper
The certmonger renewal helper needs to load server plugins to
operate.  Initialise the API with in_server=True.

Fixes: https://fedorahosted.org/freeipa/ticket/5943
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-08 15:01:07 +02:00
Petr Viktorin
099cf98307 Refactor ipautil.run
The ipautil.run function now returns an object with returncode and
output are accessible as attributes.

The stdout and stderr of all commands are logged (unless skip_output is given).

The stdout/stderr contents must be explicitly requested with a keyword
argument, otherwise they are None.
This is because in Python 3, the output needs to be decoded, and that can
fail if it's not decodable (human-readable) text.

The raw (bytes) output is always available from the result object,
as is "leniently" decoded output suitable for logging.

All calls are changed to reflect this.

A use of Popen in cainstance is changed to ipautil.run.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-12-14 10:54:23 +01:00
Jan Cholasta
23507e6124 Alias "unicode" to "str" under Python 3
The six way of doing this is to replace all occurences of "unicode"
with "six.text_type". However, "unicode" is non-ambiguous and
(arguably) easier to read. Also, using it makes the patches smaller,
which should help with backporting.

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2015-09-17 11:08:43 +02:00
Petr Viktorin
8de13bd7dd Use the print function
In Python 3, `print` is no longer a statement. Call it as a function
everywhere, and include the future import to remove the statement
in Python 2 code as well.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-09-01 11:42:01 +02:00
Petr Viktorin
27dabb4528 Modernize 'except' clauses
The 'as' syntax works from Python 2 on, and Python 3 will
drop the "comma" syntax.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-08-12 18:17:23 +02:00
Jan Cholasta
e39fe4ed31 plugable: Pass API to plugins on initialization rather than using set_api
https://fedorahosted.org/freeipa/ticket/3090

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-07-01 13:05:30 +00:00
Martin Babinsky
3d2feac0e4 Adopted kinit_keytab and kinit_password for kerberos auth
Calls to ipautil.run using kinit were replaced with calls
kinit_keytab/kinit_password functions implemented in the PATCH 0015.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-04-20 08:27:35 +00:00
Jan Cholasta
b9ae769048 Make certificate renewal process synchronized
Synchronization is achieved using a global renewal lock.

https://fedorahosted.org/freeipa/ticket/4803

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-01-13 18:34:59 +00:00
Jan Cholasta
a63df8f309 Fix CA certificate renewal syslog alert
https://fedorahosted.org/freeipa/ticket/4820

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-01-13 17:48:26 +00:00
Jan Cholasta
1f6fff2b5a Do not renew the IPA CA cert by serial number in dogtag-ipa-ca-renew-agent
Always use the full CSR when renewing the IPA CA certificate with Dogtag. The
IPA CA certificate may be issued by an external CA, in which case renewal by
serial number does not make sense and will fail if the IPA CA was initially
installed as a subordinate of an external CA.

https://fedorahosted.org/freeipa/ticket/4784

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-12-09 13:16:49 +01:00
Jan Cholasta
423c3e8f34 Fix automatic CA cert renewal endless loop in dogtag-ipa-ca-renew-agent
Reset profile name after requesting the CA cert from Dogtag to prevent the
automatic renewal request from being restarted in subsequent calls.

https://fedorahosted.org/freeipa/ticket/4765

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-12-09 13:06:47 +01:00
Jan Cholasta
52b141ca6a Fix wrong expiration date on renewed IPA CA certificates
The expiration date was always set to the expiration date of the original
certificate.

https://fedorahosted.org/freeipa/ticket/4717

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-11-19 14:25:26 +00:00
Jan Cholasta
2cf0f0a658 Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage
This should not normally happen, but if it does, report an error instead of
waiting idefinitely for the certificate to appear.

https://fedorahosted.org/freeipa/ticket/4629

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-11-05 15:26:42 +01:00
Jan Cholasta
35947c6e10 Do not wait for new CA certificate to appear in LDAP in ipa-certupdate
If new certificate is not available, reuse the old one, instead of waiting
indefinitely for the new certificate to appear.

https://fedorahosted.org/freeipa/ticket/4628

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-30 10:51:36 +01:00
Jan Cholasta
a649a84a1b Handle profile changes in dogtag-ipa-ca-renew-agent
To update the CA certificate in the Dogtag NSS database, the
"ipa-cacert-manage renew" and "ipa-certupdate" commands temporarily change
the profile of the CA certificate certmonger request, resubmit it and
change the profile back to the original one.

When something goes wrong while resubmitting the request, it needs to be
modified and resubmitted again manually. This might fail with invalid
cookie error, because changing the profile does not change the internal
state of the request.

Detect this in dogtag-ipa-ca-renew-agent and reset the internal state when
profile is changed.

https://fedorahosted.org/freeipa/ticket/4627

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-29 15:06:05 +01:00
Jan Cholasta
61159b7ff2 Check that renewed certificates coming from LDAP are actually renewed.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
7086183519 Do not use ldapi in certificate renewal scripts.
This prevents SELinux denials when accessing the ldapi socket.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
031096324d Alert user when externally signed CA is about to expire.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
35857026e6 Support CA certificate renewal in dogtag-ipa-ca-renew-agent.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Tomas Babej
e5e42fc83a ipaplatform: Move paths from installers to paths module
Part of: https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-26 09:22:21 +02:00
Jan Cholasta
cf6edf4a92 Support exporting CSRs in dogtag-ipa-ca-renew-agent.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:56 +01:00
Jan Cholasta
b5d082ec4d Make the default dogtag-ipa-ca-renew-agent behavior depend on CA setup.
On CA masters, a certificate is requested and stored to LDAP. On CA clones,
the certificate is retrieved from LDAP.

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:55 +01:00
Jan Cholasta
a356c3806b Support storing renewed certificates to LDAP in dogtag-ipa-ca-renew-agent.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:55 +01:00
Jan Cholasta
bbb2af5016 Support retrieving renewed certificates from LDAP in dogtag-ipa-ca-renew-agent.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:55 +01:00
Jan Cholasta
bab88eb1ed Add new certmonger CA helper dogtag-ipa-ca-renew-agent.
The helper will be used to handle CA-related certificate renewal requests.

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:54 +01:00