Commit Graph

10687 Commits

Author SHA1 Message Date
Martin Basti
c0b5c6709d py3: _httplib_request: don't convert string to bytes
There is no need to encode hostname to bytes. UTF-8 characters must be
encoded in different format in URL anyway and it causes only error in
Py3. String must be unicode to support Py2.

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Martin Basti
232ceed5bb py3: cainstance: replace mkstemp with NamedTemporaryFile
With Python3 files must be opened in textual mode to write text, and
best practise is to use fileobject instead fo os.write() and manual
encodig

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Martin Basti
2547bca8df py3: write CA/KRA config into file opened in text mode
config parser writes data as text so CA/KRA should be opened in textual
mode otherwise type errors are raised from installer

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Martin Basti
0d4074b4f1 py3: CA/KRA: config parser requires string
basedn is DN object it has to be converted to string before it can be
used with config parser

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Martin Basti
7ae5e5f669 py3: ipautil: open tempfiles in text mode
Code in ipautlis works with text, so tempfiles should be open in
textmode otherwise TypeErrors are raised

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Martin Basti
bbe8849a65 py3: ldap modlist must have keys as string, not bytes
https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Martin Basti
63b5d4a859 py3: open temporary ldif file in text mode
ldif parser uses file in text mode, so we have to open it in text mode
in py3

Also values passed to parser should be bytes

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Martin Basti
e064109277 py3: service.py: replace mkstemp by NamedTemporaryFile
NamedTemporaryfile can be used in more pythonic way and file can be
opened in textual mode that is required with PY3

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Martin Basti
23239bccc1 py3: create_cert_db: write to file in a compatible way
Py3 expect bytes to be writed using os.write. Instead of that using
io module is more pythonic.

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Jan Cholasta
84a9611cb8 ipaldap: properly escape raw binary values in LDAP filters
Manually escape each byte in the value, do not use
ldap.filter.escape_filter_chars() as it does not work with bytes in
Python 3.

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-01-24 11:50:07 +01:00
Martin Basti
ccea23138b _resolve_records: fix assert, nameserver_ip can be none
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-01-24 09:58:06 +01:00
Abhijeet Kasurde
c56e02b3c5 Remove deprecated ipa-upgradeconfig command
Fixes https://fedorahosted.org/freeipa/ticket/6620

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-01-24 09:51:39 +01:00
Florence Blanc-Renaud
ceec512b09 ipa-restore must stop tracking PKINIT cert in the preparation phase
ipa-restore calls certmonger to stop tracking the PKI certs, HTTP and DS certs.
It must also stop tracking the newly introduced PKINIT cert (stored in
/var/kerberos/krb5kdc/kdc.crt).

Otherwise the restore operation ends up with PKINIT cert tracked twice and
uninstallation fails.

https://fedorahosted.org/freeipa/ticket/6570

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-01-20 19:16:25 +01:00
Jan Cholasta
26630db9d0 client install: correctly report all failures
In commit 5249eb817e, the client install code
was converted to use exception handling instead of return codes. However,
some return statements were not converted to raise statements and as a
result, ipa-client-install will report success in some error conditions.

Convert the return statements to raise statements to fix the issue.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-01-20 17:34:07 +01:00
Ganna Kaihorodova
91c050b4e0 User Tracker: Test to create user with minimal values
Test to create user with minimal values, where uid is not specified

https://fedorahosted.org/freeipa/ticket/6126

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
2017-01-19 17:39:08 +01:00
Ganna Kaihorodova
fa7aaef1de User Tracker: creation of user with minimal values
Fix provide possibility to create user-add test with minimal values,
where uid is not specified, to provide better coverage. Also provide
check for non-empty unicode string for attributes required in init method

https://fedorahosted.org/freeipa/ticket/6126

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
2017-01-19 17:39:08 +01:00
Ganna Kaihorodova
c391f6ba58 Stage User: Test to create stage user with minimal values
Test to create stage user with minimal values, where uid is not specified

https://fedorahosted.org/freeipa/ticket/6448

Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-01-19 17:36:46 +01:00
Ganna Kaihorodova
a336de630e Tests: Stage User Tracker implementation
Fix provide possibility of creation stage user with minimal values,
with uid not specified and check for non-empty unicode string
for attributes requested in init method

https://fedorahosted.org/freeipa/ticket/6448

Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-01-19 17:36:46 +01:00
Timo Aaltonen
e04b75cb9e ipaplatform: Add Debian platform module.
v2:
- use redhat_services.redhat_system_units.copy
- don't use wildcard imports
- add some empty lines to make pep8 happy

v3:
- make parse_ipa_version static

v4:
- make more methods static

v5:
- fix pylint issues
- use syntax that doesn't break with python3

v6:
- remove IPA_GETKEYTAB from paths, it's the same across distros

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-01-19 16:45:42 +01:00
Ganna Kaihorodova
822a119100 Tests: Add tree root domain role in legacy client tests
Legacy client tests inherits test cases from trust tests, that have
role for tree root domain. That role was missing in legacy client tests.

https://fedorahosted.org/freeipa/ticket/6600

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-01-18 16:40:28 +01:00
Abhijeet Kasurde
ae2d0a2217 Update warning message for ipa server uninstall
Fix adds an additional recommendation message for taking backup
of existing data and configuration before proceeding to
ipa server uninstallation procedures.

Fixes https://fedorahosted.org/freeipa/ticket/6548

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-01-18 09:41:11 +01:00
Christian Heimes
d8343a96dd Clean / ignore make check artefact
In tree runs of make check leave some artifacts around. The patch adds
them to make clean and .gitignore.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-01-18 09:19:15 +01:00
Pavel Vomacka
9d2ef64fb9 Coverity: removed useless semicolon which ends statement earlier
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-01-18 09:15:54 +01:00
Pavel Vomacka
a69c4448c5 Coverity: Fix possibility of access to attribute of undefined
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-01-18 09:15:54 +01:00
Lukas Slebodnik
b82d285a4a SPEC: Fix build in mock
Neither pylint nor jsl is installed by default because rpm macro with_lint
is not defined in spec file. However, configure script tried to
find pylint/jsl anyway.

  checking for Pylint... /usr/bin/python2: No module named pylint
  configure: error: cannot find pylint for /usr/bin/python2

  RPM build errors:
  error: Bad exit status from /var/tmp/rpm-tmp.2GAFh4 (%build)
      Bad exit status from /var/tmp/rpm-tmp.2GAFh4 (%build)

Resolves:
https://fedorahosted.org/freeipa/ticket/6604

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-01-18 09:05:56 +01:00
Lukas Slebodnik
3f91469f32 CONFIGURE: Update help message for jslint
Resolves:
https://fedorahosted.org/freeipa/ticket/6604

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-01-18 09:05:56 +01:00
Lukas Slebodnik
5c18feaa20 CONFIGURE: Fix detection of pylint
If configure script was executed with --enable-pylint then
it behaved the same as --disable-pylint. It does not make
any sense.

Resolves:
https://fedorahosted.org/freeipa/ticket/6604

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-01-18 09:05:56 +01:00
Abhijeet Kasurde
6d52c0fe6a Fix for handling CalledProcessError in authconfig
NIS configuration error should be hidden from user
while running ipa-client-install

Fixes https://fedorahosted.org/freeipa/ticket/5244

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-01-18 08:51:38 +01:00
Tomas Krizek
49855ca9de Fix coverity issue
A code path exists, where principal_obj is None. Add check
principal_obj is not None to avoid dereferencing it.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-01-16 14:44:54 +01:00
Christian Heimes
504f441707 ipapython: Add dependencies on version.py
install-exec and bdist_wheel also depend on version.py. Let's ensure
that version.py is correctly generated when installing or building
packages.

Yes, make is clever and correctly merges dependencies with rules from
included make files.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2017-01-16 14:41:10 +01:00
Jan Cholasta
926fe2049a cainstance: do not configure renewal guard
Do not configure renewal guard for dogtag-ipa-renew-agent, as it is not
used in IPA anymore.

https://fedorahosted.org/freeipa/ticket/5959

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-01-16 14:37:25 +01:00
Jan Cholasta
ad49bda907 dogtaginstance: track server certificate with our renew agent
Track Dogtag's server certificate with dogtag-ipa-ca-renew-agent instead of
dogtag-ipa-renew-agent.

https://fedorahosted.org/freeipa/ticket/5959

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-01-16 14:37:25 +01:00
Jan Cholasta
d5af11f65c renew agent: handle non-replicated certificates
In addition to replicated certificates (Dogtag certificates, RA
certificate), handle non-replicated certificates in
dogtag-ipa-ca-renew-agent as well.

https://fedorahosted.org/freeipa/ticket/5959

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-01-16 14:37:25 +01:00
Christian Heimes
68cb4d2b0f pytest: set rules to find test files and functions
1e06a5195b removed pytest.ini. Without the
ini file, pytest 3.x has suboptimal settings and no longer picks up all
test functions and test files.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2017-01-12 11:17:54 +01:00
Martin Basti
083b4241d2 Remove duplicated step from DS install
"Adding SASL mappings.." is duplicated step in __common_setup in DS
instance and should be removed.

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-01-12 11:15:14 +01:00
Stanislav Laznicka
721105c53d Generate sha256 ssh pubkey fingerprints for hosts
Replace md5 with sha256 for host ssh pubkey fingerprints

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-01-12 11:09:46 +01:00
Martin Babinsky
566c86a782 disable hostname canonicalization by Kerberos library
By default, Kerberos client library attempts to canonicalize service
hostname in TGS requests. This can fail e.g. if hosts file on the client
machine references short names before FQDNs. In this case the short name
is used in TGS_REQ which KDC fails to resolve.

Since we do not (yet) support referencing hosts by their short names it
is safe to just disable this behavior in krb5.conf and use supplied
FQDNs.

https://fedorahosted.org/freeipa/ticket/6584

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2017-01-11 16:18:24 +01:00
Fraser Tweedale
0c95a00147 Add sanity checks for use of --ca-subject and --subject-base
Print an error and terminate if --ca-subject or --subject-base are
used when installing a CA-less master or when performing standalone
installation of a CA replica.

Part of: https://fedorahosted.org/freeipa/ticket/2614

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-11 15:28:50 +01:00
Fraser Tweedale
3f56609732 Indicate that ca subject / subject base uses LDAP RDN order
Update man pages and help output to indicate that --subject-base and
--ca-subject options interpret their arguments in LDAP order.

Fixes: https://fedorahosted.org/freeipa/ticket/6455
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-01-11 15:27:55 +01:00
Fraser Tweedale
3d01ec14c6 Allow full customisability of IPA CA subject DN
Currently only the "subject base" of the IPA CA subject DN can be
customised, via the installer's --subject-base option.  The RDN
"CN=Certificate Authority" is appended to form the subject DN, and
this composition is widely assumed.

Some administrators need more control over the CA subject DN,
especially to satisfy expectations of external CAs when the IPA CA
is to be externally signed.

This patch adds full customisability of the CA subject DN.
Specifically:

- Add the --ca-subject option for specifying the full IPA CA subject
  DN.  Defaults to "CN=Certificate Authority, O=$SUBJECT_BASE".

- ipa-ca-install, when installing a CA in a previous CA-less
  topology, updates DS certmap.conf with the new new CA subject DN.

- DsInstance.find_subject_base no longer looks in certmap.conf,
  because the CA subject DN can be unrelated to the subject base.

Fixes: https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-11 15:26:20 +01:00
Fraser Tweedale
09a65df684 Reuse self.api when executing ca_enabled_check
The ca_enabled_check function is a wrapper around
api.Command.ca_is_enabled.  When using remote_api (e.g. during
installer), ca_enabled_check invokes the *global* api instead of the
remote_api.

Update ca_enabled_check to explicitly receive an api object from the
caller and invoke Command.ca_is_enabled through it.

Part of: https://fedorahosted.org/freeipa/ticket/2614

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-11 15:26:20 +01:00
Fraser Tweedale
f54df62aba dsinstance: extract function for writing certmap.conf
For full customisability of the IPA CA subject DN, we will need the
ability to update DS `certmap.conf' when upgrading a deployment from
CA-less to CA-ful.

Extract the existing behaviour, which is private to DsInstance, to
the `write_certmap_conf' top-level function.

Also update `certmap.conf.template' for substition of the whole CA
subject DN (not just the subject base).

Part of: https://fedorahosted.org/freeipa/ticket/2614

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-11 15:26:20 +01:00
Fraser Tweedale
46bf0e89ae ipa-ca-install: add missing --subject-base option
Part of: https://fedorahosted.org/freeipa/ticket/2614

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-11 15:26:20 +01:00
Fraser Tweedale
6f3eb85c30 Extract function for computing default subject base
Part of: https://fedorahosted.org/freeipa/ticket/2614

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-11 15:26:20 +01:00
Fraser Tweedale
c6db493b06 installer: rename --subject to --subject-base
The --subject option is actually used to provide the "subject base".
We are also going to add an option for fully specifying the IPA CA
subject DN in a subsequent commit.  So to avoid confusion, rename
--subject to --subject-base, retaining --subject as a deprecated
alias.

Part of: https://fedorahosted.org/freeipa/ticket/2614

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-11 15:26:20 +01:00
Fraser Tweedale
db6674096c installutils: remove hardcoded subject DN assumption
`installutils.load_external_cert` assumes that the IPA CA subject
DN is `CN=Certificate Authority, {subject_base}`.  In preparation
for full customisability of IPA CA subject DN, push this assumption
out of this function to call sites (which will be updated in a
subsequent commit).

Part of: https://fedorahosted.org/freeipa/ticket/2614

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-11 15:26:20 +01:00
Fraser Tweedale
324183cd63 Refactor and relocate set_subject_base_in_config
Refactor set_subject_base_in_config to use api.Backend.ldap2 instead
of a manually created LDAP connection.

Also rename the function to have a more accurate name, and move it
to 'ipaserver.install.ca' to avoid cyclic import (we will eventually
need to use it from within that module).

Part of: https://fedorahosted.org/freeipa/ticket/2614

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-11 15:26:20 +01:00
Martin Basti
d648c6a692 py3: enable py3 pylint
We should run pylint in both python2 and python3 versions

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-01-11 13:17:15 +01:00
Martin Babinsky
9b5b713150 Travis CI: actually return non-zero exit status when the test job fails
The original code did not actually propagate the test runner exit status
to parent process so Travis CI job was always green.

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-01-09 15:22:51 +01:00
David Kupka
d15ccde20f ipaclient: schema cache: Handle malformed server info data gracefully
As a part of CLI schema cache some data about each previously contacted server
are stored in simple JSON file. The file may get corrupted and became
undecodable for various reasons (parallel access, file system error,
tampering). Since the data are not necessary we should just warn an continue.

https://fedorahosted.org/freeipa/ticket/6578

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-09 09:13:36 +01:00