IPA should suggest user to install dependent packages instead
of throwing traceback. To work with IPA and Yubikey, packages
libyubikey(not in official RHEL repo) and libusb are required.
Resolves: https://pagure.io/freeipa/issue/6979
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
host_port_open copied logging behavior of ipa-replica-conncheck utility
which doesn't make it much reusable.
Now log level can be controlled from caller so other callers might use
other logging level without host_port_open guessing what was the
intention.
https://pagure.io/freeipa/issue/7083
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
ipaldap.LDAPEntry expects that entry attributes, if multi-valued,
are lists.
The recent cert refactoring made it possible to pass certificate
values from options directly to LDAPEntry. This should now be
handled in appropriate general way in baseldap.LDAPCreate
since if options.get() is called, it returns tuple instead
of list which confuses ipaldap.
https://pagure.io/freeipa/issue/7077
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The server-del command passes str instance instead of bytes to
ldap.modify_s which results in the target server not being
removed properly.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
It's nearly impossible to find out what happened when doing
replica connection check and it fails during the RPC phase.
The error is now logged.
Reviewed-By: Martin Basti <mbasti@redhat.com>
When version is mismatched and ipa-server-upgrade is required,
log the version mismatch properly in journal.
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Up until now, Bytes parameter was used for certificate parameters
throughout the framework. However, the Bytes parameter does nothing
special for certificates, like validation, so this had to be done
for each of the parameters which were supposed to represent a
certificate.
This commit introduces a special Certificate parameter which takes
care of certificate validation so this does not have to be done
separately. It also makes sure that the certificates represented by
this parameter are always converted to DER format so that we can work
with them in a unified manner throughout the framework.
This commit also makes it possible to pass bytes directly during
instantiation of the Certificate parameter and they are still
represented correctly after their conversion in the _convert_scalar()
method.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Previously, the type check of the Param class did only allow
the parameters to only have a value that's of a direct type.
However, that's nonsensically restrictive. For example, if
there's an interface implemented as an `ABCMeta` class then
the check for type fails since the interface's type is
`ABCMeta` instead of directly a `type`. Among others,
this is the case for cryptography.x509.Certificate.
Being a type is a transitive property of a Python object and we
should respect that in our framework.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Recent certificate refactoring probably unclogged some failure
in handling certificates which causes test_changepw to correctly
fail since it is trying to connect using an HTTPS connection
without the CA certificate. This patch adds the CA cert to the
connection.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
load_unknown_x509_certificate() serves for the cases where we
can't be sure what the format of its input certificate is. This
is the case for installers, it should not be used anywhere else.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Splitting the load_certificate() function into two separate helps
us word the requirements for the input explicitly. It also makes
our backend similar to the one of python-cryptography so eventually
we can swap python-cryptography for IPA x509 module.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
During py.test initialization, the value 'debug' is passed instead
of logging.DEBUG.
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
jslint warned about parsing string to integer without explicit radix.
This error was introduced in commit 3cac851 .
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Change makepki.sh for new makepki.py which should be more
readable, maintainable and extendable than the old script.
In this test we use it as a module and import create_pki().
The new makepki adds SKI and AKI extensions for correct
cert validation.
Other minor changes needed as we do not use NSS to store our
certificates on the test controller.
https://pagure.io/freeipa/issue/7030
Signed-off-by: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Previously, this configuration field was validated by integer_validator
which only checks that the input is number.
Now new positive_integer_validator can also check that
the inputed number positive.
https://pagure.io/freeipa/issue/6980
Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
Replace all `ipa_log_manager.log_mgr.get_logger` calls to create
module-level loggers with `logging.getLogger` calls and deprecate
`ipa_log_manager.log_mgr.get_logger`.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Remove logger arguments in all functions and logger attributes in all
objects, with the exception of API object logger, which is now deprecated.
Replace affected logger calls with module-level logger calls.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Remove all object-specific loggers, with the exception of `Plugin.log`,
which is now deprecated. Replace affected logger calls with module-level
logger calls.
Deprecate object-specific loggers in `ipa_log_manager.get_logger`.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Use the actual root logger (`logging.getLogger()`) rather than the `ipa`
logger (or the `root` logger in case of ipa-ods-exporter) as the root
logger.
Always configure logging on the root logger.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Use the standard `logging` module to configure logging instead of the
in-house `ipapython.log_manager` module and remove `ipapython.log_manager`.
Disable the logging-not-lazy and logging-format-interpolation pylint
checks.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Do not configure stderr handler by default and let the application do the
configuration.
Fix ipa-dnskeysync-replica and ipa-dnskeysyncd not to add stderr handler
twice.
Reviewed-By: Martin Basti <mbasti@redhat.com>
