Commit Graph

11733 Commits

Author SHA1 Message Date
Fraser Tweedale
2207dc5c17 certmonger: refactor 'resubmit_request' and 'modify'
certmonger.resubmit_request() and .modify() contain a redundant if
statement that means more lines of code must be changed when adding
or removing a function argument.  Perform a small refactor to
improve these functions.

Part of: https://pagure.io/freeipa/issue/6858

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-04 10:09:18 +02:00
Fraser Tweedale
fc7c684b12 ipa-ca-install: add --external-ca-profile option
Fixes: https://pagure.io/freeipa/issue/6858
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-04 10:09:18 +02:00
Fraser Tweedale
b4365e3a7f install: allow specifying external CA template
Allow the MS/AD-CS target certificate template to be specified by
name or OID, via the new option --external-ca-profile.

Part of: https://pagure.io/freeipa/issue/6858

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-04 10:09:18 +02:00
Fraser Tweedale
1699cff350 Remove duplicate references to external CA type
Part of: https://pagure.io/freeipa/issue/6858

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-04 10:09:18 +02:00
Fraser Tweedale
c5afee964e cli: simplify parsing of arbitrary types
Add the 'constructor' type to IPAOption to allow parsing arbitrary
types.

When using this type, supply the 'constructor' attribute with the
constructor of the type.  The checker for the 'constructor' type
attempts to construct the data, returning if successful else raising
OptionValueError.

The 'knob' interface remains unchanged but now accepts arbitrary
constructors.

This feature subsumes the '_option_callback' mechanism, which has
been refactored away.

This feature also subsumes the "dn" type in IPAOption, but this
refactor is deferred.

Part of: https://pagure.io/freeipa/issue/6858

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-04 10:09:18 +02:00
Michal Reznik
7902fc9a06 test_external_ca: switch to python-cryptography
Switch external CA generation from certutil to python-cryptography
as this way of handling the certificates should be more readable,
maintainable and extendable (e.g. extensions handling).

Also, as external CA is now a separate module, we can import it and
use it elsewhere.

https://pagure.io/freeipa/issue/7154

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-09-27 11:51:20 +02:00
Fraser Tweedale
ee87b66bd3 py3: fix pkcs7 file processing
https://pagure.io/freeipa/issue/7131

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-09-22 11:57:15 +02:00
Tomas Krizek
321f07de02 prci: update F26 template
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
2017-09-22 07:52:02 +02:00
Petr Vobornik
b0184d10ab browser config: cleanup after removal of Firefox extension
The Firefox extension, which served for configuring Kerberos auth in Firefox
until the version that banned self-signed extensions, was removed in commit
6c53765ac1.

Given that configure.jar, an even older Firefox config tool, was removed
sometime before that, there is no use for the signtool tool. That is good,
because it is removed from Fedora 27 anyway. So the last unused
function which calls it is removed.

The removal of the FF extension was not exactly clean, so browserconfig.html,
whose only purpose was to use the extension, is also removed. Therefore
the related JS files are removed as well. This removal requires unauthorized.html
to be updated so that it doesn't point to a non-existing page. And given that
it now points only to a single config page, we can change the link in the UI login page
to this page (ssbrowser.html). While at it, the buttons in ssbrowser.html are improved.

Btw, commit 6c53765ac1 also removed generation of
krb.js. It had one perk: with that info ssbrowser.html could display the real
Kerberos domain instead of only 'example.com'.  I don't have time to revert this
change, so traces of krb.js are removed as well.

https://pagure.io/freeipa/issue/7135

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-09-21 10:27:14 +02:00
Felipe Barreto
bf0b74bec4 Checks if Dir Server is installed and running before IPA installation
In cases when IPA is installed in two steps (external CA), it's
necessary to check (in the second step) if Dir. Server is
running before continuing with the installation. If it's not,
start Directory Server.

https://pagure.io/freeipa/issue/6611

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-09-21 10:24:06 +02:00
Stanislav Laznicka
5acd484090 rpc: don't decode cookie_string if it's None
This removes an ugly debug message from client installation

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-09-20 12:58:33 +02:00
Alexander Bokovoy
dc47a4b85f Make sure upgrade also checks for IPv6 stack
- Add check for IPv6 stack to upgrade process
- Change IPv6 checker to also check that localhost resolves to ::1

Part of fixes https://pagure.io/freeipa/issue/7083

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-09-19 17:33:24 +02:00
Tomas Krizek
faaba4f1bd spec: bump python-pyasn1 to 0.3.2-2
The new python-pyasn1 fixes an issue that occurred during ca-less
installation.

Fixes: https://pagure.io/freeipa/issue/7157
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-09-19 11:26:01 +02:00
Stanislav Laznicka
e537686bcc Don't write p11-kit EKU extension object if no EKU
b5732efd introduced a regression because it tries to write EKU
that's actually in the CA cert instead of using the LDAP information.
However, when no EKU is available,
IPACertificate.extended_key_usage_bytes still returned at least
EKU_PLACEHOLDER OID to keep the behavior the same as in previous
versions. This caused the EKU_PLACEHOLDER to be written in the
ipa.p11-kit file which made Firefox report FreeIPA Web UI as
improperly configured.

https://pagure.io/freeipa/issue/7119

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-09-19 09:42:07 +02:00
Florence Blanc-Renaud
87540fe1ef Fix ipa-server-upgrade with server cert tracking
ipa-server-upgrade fails with Server-Cert not found, when trying to
track httpd/ldap server certificates. There are 2 issues in the upgrade:
- the certificates should be tracked only if they were issued by IPA CA
(it is possible to have CA configured but 3rd party certs)
- the certificate nickname can be different from Server-Cert

The fix provides methods to find the server crt nickname for http and ldap,
and a method to check if the server certs are issued by IPA and need to be
tracked by certmonger.

https://pagure.io/freeipa/issue/7141

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-09-19 09:34:31 +02:00
Rob Crittenden
62e72c2a53 Add exec to /var/lib/ipa/sysrestore for install status inquiries
installutils.is_ipa_configured() previously required root
privileges to see whether there were sysrestore or filestore
files. The directory was mode 0700 so this function always returned
False for non-root users.

Relaxing permissions is needed to run the tests as the jenkins user.

Backed-up files retain their original FS permissions so this
shouldn't disclose any previously unreadable backed-up configuration.

https://pagure.io/freeipa/issue/7157

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-09-19 08:54:20 +02:00
Rob Crittenden
fa6181293a Use TLS for the cert-find operation
The goal is to avoid using HTTP where possible and use TLS everywhere.
This provides not only privacy protection but also integrity protection.
We should consider any network except localhost as untrusted.

Switch from using urllib.request to dogtag.https_request.

https://pagure.io/freeipa/issue/7027

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-09-18 11:44:08 +02:00
Stanislav Laznicka
623ec6c037 pylint: fix missing module
requests.packages contains only a weird backward-compatibility fix
for its presumed urllib3 submodule, but pylint does not approve.

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-09-18 11:41:15 +02:00
Alexander Bokovoy
8661611d3e OTP import: support hash names with HMAC- prefix
Refactor convertHashName() method to accept hash names prefixed with
HMAC- or any other prefix. Extending the method should be easier in
the future.

Add tests proposed by Rob Crittenden to make sure we don't regress
with expected behavior of convertHashName().

Fixes https://pagure.io/freeipa/issue/7146

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-09-18 11:37:31 +02:00
Florence Blanc-Renaud
93be966daf Python3: Fix winsync replication agreement
When configuring a winsync replication agreement, the tool performs a search
on AD for defaultNamingContext. The entry contains the value as bytes; it
needs to be decoded, otherwise subsequent calls to
DN(WIN_USER_CONTAINER, self.ad_suffix) will fail.

https://pagure.io/freeipa/issue/7131

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-09-15 08:36:22 +02:00
Stanislav Laznicka
537690ae44 travis: run the same tests in python2/3
We missed running some tests in python3

https://pagure.io/freeipa/issue/7131

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-09-14 14:06:09 +02:00
Martin Basti
8be28145bf py3: set samba dependencies
Set proper python3 dependencies for samba package

https://pagure.io/freeipa/issue/7131

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-09-14 14:06:09 +02:00
Stanislav Laznicka
c8161fc40c certmap testing: fix wrong cert construction
`bytes` instances have no `.format()`; we can simply base64 decode
the certificate and load it as DER instead.

https://pagure.io/freeipa/issue/7131

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-09-14 14:06:09 +02:00
Stanislav Laznicka
436d2de456 ldap2: don't use decode() on str instance
This was causing issues when adding/removing a CA in the
CA plugin.

https://pagure.io/freeipa/issue/7131

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-09-14 14:06:09 +02:00
Alexander Bokovoy
473ddbdb66 dsinstance: Restore context after changing dse.ldif
Fixes https://pagure.io/freeipa/issue/7150

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-09-13 16:53:32 +02:00
Fraser Tweedale
09f746f568 ipa-pki-retrieve-key: ensure we do not crash
If ipa-pki-retrieve-key fails for some reason (which may be a
"legitimate" reason, e.g. the server it is attempting to contact
being offline), the program terminates with an uncaught exception,
resulting in a crash report.

Catch all exceptions; if an exception gets raised, report the
traceback and exit with nonzero status.

Fixes: https://pagure.io/freeipa/issue/7115
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-09-13 13:56:59 +02:00
Stanislav Laznicka
c4505f0804 client: fix retrieving certs from HTTP
We're applying a bytes regex on the result of a command but were
using decoded stdout instead of raw.

https://pagure.io/freeipa/issue/7131

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-09-13 10:38:08 +02:00
Felipe Volpone
286bbb2ab7 Changing idoverrideuser-* to treat objectClass case insensitively
This is important to avoid problems when migrating from older
versions of IPA and using idoverrideuser-* commands.

https://pagure.io/freeipa/issue/7074

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-09-12 18:00:03 +02:00
Stanislav Laznicka
be9da19de3 uninstall: remove deprecation warning
RawConfigParser.readfp() method is deprecated and throws
DeprecationWarning in python 3 during uninstall.

https://pagure.io/freeipa/issue/7131

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-09-12 17:43:23 +02:00
Stanislav Laznicka
0f13e663ca ldif: handle attribute names as strings
ldif.LDIFRecordList handles all attribute names as utf-8 strings
and all attribute values as bytes. If we take the attribute value
and try to search for it in the entry (= dictionary), and it contains
the attribute name as a key (which is a string), their hashes match.
However, even if hashes match, Python needs to make sure those two
are the same in case of a hash collision, so it tries to compare them.
This causes a BytesWarning exception when running in strict mode
because `bytes` and `str` instances cannot be compared. A KeyError
would be thrown in non-strict mode.

Also, when later passing the attr to replace_value(), we need it
to be `str`, otherwise the modifications handler fails because it
tries to sort the attributes it's modifying, but that's a bit less
poetic an issue than the first one.

https://pagure.io/freeipa/issue/7129

Reviewed-By: Michal Reznik <mreznik@redhat.com>
2017-09-12 16:46:38 +02:00
Stanislav Laznicka
16909a128b pkinit: don't fail when no pkinit servers found
If we issue pkinit-status after an upgrade from a pre-4.5 ipa
version, it would fail with a KeyError since the
pkinit_server_server of the IPA config was never initialized.

https://pagure.io/freeipa/issue/7144

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-09-12 15:59:20 +02:00
Stanislav Laznicka
fcc2c5da97 pkinit: fix sorting dictionaries
Python 3 discovered this issue since dictionaries themselves don't
implement comparisons.

https://pagure.io/freeipa/issue/7131

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-09-12 15:53:54 +02:00
Fraser Tweedale
f3097e570c issue_server_cert: avoid application of str to bytes
Part of: https://pagure.io/freeipa/issue/7131

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-09-12 15:52:06 +02:00
Felipe Volpone
05acd0965f Fixing how sssd.conf is updated when promoting a client to replica
When promoting a client to a replica we have to change sssd.conf,
deleting _srv_ part from 'ipa_server' property and setting
'ipa_server_mode' to true.

Previously, the wrong domain could be updated since the ipa_domain
variable was not being used properly.

https://pagure.io/freeipa/issue/7127

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-09-12 15:46:04 +02:00
Tomas Krizek
d88718cadc prci: use f26 template for master
Switch PR CI testing of master branch to Fedora 26.

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-09-12 10:02:06 +02:00
Stanislav Laznicka
a30095b3a6 travis: remove "fast" from "makecache fast"
dnf makecache does not support the "fast" keyword in its
makecache subcommand in Fedora 26.

https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-09-08 15:42:07 +02:00
Stanislav Laznicka
76c6ffe125 Change Travis CI container to FreeIPA-owned
https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-09-08 15:42:07 +02:00
Stanislav Laznicka
c7f90159a3 Change the requirements for pylint in wheel
https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-09-08 15:42:07 +02:00
Stanislav Laznicka
0ae2473be0 rpcserver: don't call xmlserver.Command
xmlserver.Command does not have to be called, so don't.

Fixes pylint: not-callable error.

https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-09-08 15:42:07 +02:00
Stanislav Laznicka
82d0279381 secrets: disable relative-imports for custodia
pylint is somehow confused about us importing custodia in
ipaserver.secrets.* modules, disable the check for these.

https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-09-08 15:42:07 +02:00
Stanislav Laznicka
fab589d7f5 pylint: disable __hash__ for some classes
pylint requires all classes implementing __eq__ to also implement
__hash__. We disable hashing for the classes that lack the ability;
should they ever be required to use it, it can be implemented then.

https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-09-08 15:42:07 +02:00
Stanislav Laznicka
ae0bd124f5 install.util: disable no-value-for-parameter
InnerClassMeta is rather magical and seems to work as-is. There's a
reason not to always send all parameters to the methods since they
really don't have to be able to handle all the parameters all the
time.

https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-09-08 15:42:07 +02:00
Stanislav Laznicka
f2701f3a0b pylint: make unsupported-assignment-operation check local
unsupported-assignment-operation is useful at times, make it only
local, not global.

https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-09-08 15:42:07 +02:00
Stanislav Laznicka
33f13b6df9 sudocmd: fix unsupported assignment
sudocmd.get_dn() was trying to assign in an item of a tuple
which is not possible.

https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-09-08 15:42:07 +02:00
Stanislav Laznicka
353d4934af pylint: Iterate through dictionaries
The consider-iterating-dictionary check disable never worked before
(notice the missing comma in pylintrc). Fix the rest of the dict
iteration.

https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-09-08 15:42:07 +02:00
Stanislav Laznicka
f7fc3a3fc1 parameters: convert Decimal.precision to int
Explicitly convert Decimal.precision to int for unary `-` to make
sure int is passed to it.

Fixes pylint warning.

https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-09-08 15:42:07 +02:00
Stanislav Laznicka
3c616d733b dcerpc: disable unbalanced-tuple-unpacking
Disable unbalanced-tuple-unpacking for RuntimeException thrown
by samba since this one should always contain two members.

https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-09-08 15:42:07 +02:00
Stanislav Laznicka
216d37b7f0 dcerpc: refactor assess_dcerpc_exception
assess_dcerpc_exception was used in multiple places with a pre-step
which was rather common. Move this to one spot.

This also fixes pylint warning about unbalanced unpacking.

https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-09-08 15:42:07 +02:00
Stanislav Laznicka
b57f87c9a0 pylint: fix no-member in schema plugin
The `module.register` member is added just a few lines
before pylint warns there's no such thing.

https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-09-08 15:42:07 +02:00
Stanislav Laznicka
806784dbd9 csrgen: fix incorrect codec for pyasn BitString
https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-09-08 15:42:07 +02:00