Commit Graph

3333 Commits

Author SHA1 Message Date
Stanislav Levin
cd2739bb0c pylint: Skip unused-private-member for property case
See https://github.com/PyCQA/pylint/issues/4756 for details

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
d90f4536e6 pylint: Drop no longer used __finalized
The private member `__finalized` has been added in
7db3aae1b2, later removed in
6b8abb0d78, but `_API__finalized`
(access via mangled attribute name) was not cleaned up and finally
refactored back to `__finalized` in
b1fc875c3a.

Found by Pylint:
```
ipalib/plugable.py:807: [W0238(unused-private-member), API.finalize]
Unused private member `API.__finalized`)
```

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
017b73e7f6 pylint: Fix use-maxsplit-arg
Pylint 2.9.0 new checker:
> Emitted when accessing only the first or last element of str.split().
  The first and last element can be accessed by using str.split(sep,
  maxsplit=1)[0] or str.rsplit(sep, maxsplit=1)[-1] instead.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Brian Turek
ba796e389b ipalib: Handle percent signs in saved values
Turn off string interpolation on the FileStore class to avoid
exceptions when a value to be saved contains a percent sign (%).
The underlying SafeConfigParser that is used interprets percent
signs as placeholders to be interpolated which then causes an
exception as the placeholder isn't properly formatted.

ipa-client-install uses the FileStore class to backup certain
values that it overwrites as part of the installation. If those
pre-existing, backed-up values contained a percent sign,
ipa-client-install would throw an exception and thus prevent
installation.

https://pagure.io/freeipa/issue/9085

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-02-11 13:35:32 +02:00
Rob Crittenden
b842b825ab Make the schema cache TTL user-configurable
The API schema is not checked for changes until after a TTL
is expired. A one-hour TTL was hardcoded which makes development
tedious because the only way to force a schema update is to
remember to remove files between invocations.

This adds a new environment variable, schema_ttl, to configure
the TTL returned by the server to schema() calls. This can be
set low to ensure a frequent refresh during development.

If the client is in compat mode, that is if client is working
against a server that doesn't support the schema() command,
then use the client's schema_ttl instead so that the user still
has control.

Re-check validity before writing the cache. This saves us both
a disk write and the possibility of updating the expiration
with a ttl of 0. This can happen if the fingerprint is still
valid (not expired, no language change) the schema check is
skipped so we have no server-provided ttl.

https://pagure.io/freeipa/issue/8492

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-11-03 10:59:10 +01:00
Florence Blanc-Renaud
2d468fa49f ipatests: interactive install prompts for netbios name
The interactive server installation now prompts for netbios
name confirmation.
Add expected prompt and send response to the installer.

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-11-02 10:11:28 +01:00
Michal Polovka
3189e501fb
ipatests: test_installation: move tracking_reqs dependency to ipalib constants ipaserver: krainstance: utilize moved tracking_reqs dependency
KRA instance import depends on lib389 package, which is not always
installed and that results in failure. Furthermore, test_installation
utilizes krainstance import. This fix moves relevant parts from
krainstance to ipalib constants where those are subsequently imported
from.

Related: https://pagure.io/freeipa/issue/8795

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-07-13 16:52:57 +02:00
Christian Heimes
c78d1341ad Redesign subid feature
Subordinate ids are now handled by a new plugin class and stored in
separate entries in the cn=subids,cn=accounts subtree.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-07-09 09:47:30 -04:00
Christian Heimes
1c4ae37293 Add basic support for subordinate user/group ids
New LDAP object class "ipaUserSubordinate" with four new fields:
- ipasubuidnumber / ipasubuidcount
- ipasubgidnumber / ipasgbuidcount

New self-service permission to add subids.

New command user-auto-subid to auto-assign subid

The code hard-codes counts to 65536, sets subgid equal to subuid, and
does not allow removal of subids. There is also a hack that emulates a
DNA plugin with step interval 65536 for testing.

Work around problem with older SSSD clients that fail with unknown
idrange type "ipa-local-subid", see: https://github.com/SSSD/sssd/issues/5571

Related: https://pagure.io/freeipa/issue/8361
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-07-09 09:47:30 -04:00
Stanislav Levin
cf80244375 plugins: Don't treat keys of api as bytes
The plugin `plugins` iterates over the keys of API instance,
__iter__ of which is a generator of class.__name__ from
(Command, Object, Method, Backend, Updater). So, the allowed type
is str, not bytes.

Fixes: https://pagure.io/freeipa/issue/8898
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-06-28 14:16:56 +03:00
Rob Crittenden
6434968a7c When loading certificates verify that it is X.509 v3
Simple version enforcement. A v1 certificate won't have the
extensions that are assumed available later during the validation
process.

https://pagure.io/freeipa/issue/8817

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-06-14 15:19:42 -04:00
Stanislav Levin
0a169b1bea krb_utils: Simplify get_credentials
Previously, `get_credentials` raises either ValueError or re-raises
GSSError. The former makes the handling of this function more difficult
without a good reason.

With this change:
- `get_credentials` no longer handles exceptions by itself, but delegates
this to the callers (which already process GSS errors).
- `get_credentials_if_valid` doesn't raise any expected exceptions, but
return valid credentials (on the moment of calling) or None. This makes
it consistent with docs.

Related: https://pagure.io/freeipa/issue/8873
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-06-12 11:19:25 +03:00
Alexander Bokovoy
33327b2e21 get_credentials: return ValueError for missing creds
Related: https://pagure.io/freeipa/issue/8873

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
2021-06-04 15:38:08 +03:00
Rob Crittenden
51fb9d61bb Catch ValueError when trying to retrieve existing credentials
get_credentials() was changed to raise ValueError instead of
gssapi.exceptions.GSSError as part of the sweeper to clean up
expired credentials caches.

For WebUI users, this will prevent a 500 error if their
associated credentials cache is expired or missing.

https://pagure.io/freeipa/issue/8873

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-06-04 08:49:53 +03:00
Rob Crittenden
a4675f6f50 Implement simple LDAP cache layer
Insert a class before LDAPClient to cache the return value
of get_entry() and certain exceptions (NotFound and
EmptyResult). The cache uses an OrderedDict for the cases
where a large cache might result an LRU model can be used.

The cache be enabled (default) or disabled using
ldap_cache=True/False.

This cache is per-request so is not expected to grow
particularly large except in the case of a large batch
command.

The key to the cache entry is the dn of the object
being requested.

Any write to or referencing a cached dn is evicted from
the cache.

The set of attributes is somewhat taken into consideration.
"*" does not always match everything being asked for by
a plugin so unless the requested set of attributes is a
direct subset of what is cached it will be re-fetched. Err
on the side of safety.

Despite this rather conserative approach to caching 29%
of queries are saved with ipatests/xmlrpc_tests/*

https://pagure.io/freeipa/issue/8798

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2021-05-12 10:45:57 -04:00
Christian Heimes
a297ebbb8a Add max/min safe integer
JSON cannot safely handle integers outside range ``-(2**53) - 1`` to
``(2**53) - 1``. Add constants for safe integers and limit the Int
parameter to safe JSON values.

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Number/MAX_SAFE_INTEGER

See: https://pagure.io/freeipa/issue/8802
See: https://pagure.io/freeipa/issue/8361
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2021-04-27 13:10:26 -04:00
Stanislav Levin
91e7452393 pylint: Fix several warnings
Fixes Pylint warnings:
- R1729(use-a-generator)
- R1710(inconsistent-return-statements)
- R1727(condition-evals-to-constant)

Fixes: https://pagure.io/freeipa/issue/8772
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-03-30 09:58:42 +02:00
Stanislav Levin
271fd162a7 ccache_sweeper: Add gssproxy service
The usage of the existing gssproxy service(`service/ipa-api`) leads
to undesirable for this case side effects such as auto renew of
expired credentials.

Fixes: https://pagure.io/freeipa/issue/8735
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-03-04 14:17:01 +02:00
François Cami
82e32433ed ipalib/util.py: add print_replication_status
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-02 11:48:59 +01:00
Florence Blanc-Renaud
178dec8fc3 pylint: fix inconsistent-return-statements
pylint 2.7.0 now emits inconsistent-return-statements if one of
try/except statement is not returning explicitly while the other do.

Fixes: https://pagure.io/freeipa/issue/8720
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-22 16:18:11 -05:00
Christian Heimes
24a5d4d06b Ensure that KDC cert has SAN DNS entry
The dns parameter of request_and_wait_for_cert() must be a string of
hostnames.

* Enforce list/tuple type so that API misuse no longer passes silently.
* Add commonNameToSANDefaultImpl to KDCs_PKINIT_Certs profile
* Explicitly pass hostname for service certs

Fixes: https://pagure.io/freeipa/issue/8685
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-01-29 13:36:41 -05:00
Rob Crittenden
6518a600b4 Change FreeIPA references to IPA and Identity Management
In order to simplify the build process between upstream FreeIPA
and downstream builds (such as CentOS Stream) we are changing
some file references from FreeIPA to IPA (and Identity Management).

https://pagure.io/freeipa/issue/8669

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-01-21 13:51:45 +01:00
Antonio Torres Moríñigo
809d9cb80f Allow leading/trailing whitespaces in passwords
kwargs is redefined to set the `noextrawhitespace` parameter
from the Str class to `False`.

Fixes: https://pagure.io/freeipa/issue/7599

Signed-off-by: Antonio Torres Moríñigo <atorresm@protonmail.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-12-18 16:47:59 +02:00
Alexander Bokovoy
563d0a0729 rpcserver: fix exception handling for FAST armor failure
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
2020-10-30 19:06:11 +02:00
Alexander Bokovoy
b8b46779dc rpcserver: fallback to non-armored kinit in case of trusted domains
MIT Kerberos implements FAST negotiation as specified in RFC 6806
section 11. The implementation relies on the caller to provide a hint
whether FAST armoring must be used.

FAST armor can only be used when both client and KDC have a shared
secret. When KDC is from a trusted domain, there is no way to have a
shared secret between a generic Kerberos client and that KDC.

[MS-KILE] section 3.2.5.4 'Using FAST When the Realm Supports FAST'
allows KILE clients (Kerberos clients) to have local settings that
direct it to enforce use of FAST. This is equal to the current
implementation of 'kinit' utility in MIT Kerberos requiring to use FAST
if armor cache (option '-T') is provided.

[MS-KILE] section 3.3.5.7.4 defines a way for a computer from a
different realm to use compound identity TGS-REQ to create FAST TGS-REQ
explicitly armored with the computer's TGT. However, this method is not
available to IPA framework as we don't have access to the IPA server's
host key. In addition, 'kinit' utility does not support this method.

Active Directory has a policy to force use of FAST when client
advertizes its use. Since we cannot know in advance whether a principal
to obtain initial credentials for belongs to our realm or to a trusted
one due to enterprise principal canonicalization, we have to try to
kinit. Right now we fail unconditionally if FAST couldn't be used and
libkrb5 communication with a KDC from the user realm (e.g. from a
trusted forest) causes enforcement of a FAST.

In the latter case, as we cannot use FAST anyway, try to kinit again
without advertizing FAST. This works even in the situations when FAST
enforcement is enabled on Active Directory side: if client doesn't
advertize FAST capability, it is not required. Additionally, FAST cannot
be used for any practical need for a trusted domain's users yet.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-10-30 12:48:22 -04:00
Christian Heimes
727a2ffb93 Easier to use ipa_gethostfqdn()
ipa_gethostfqdn() now returns a pointer to a statically allocated buffer
or NULL in case of an error. The caller no longer has to supply a
correctly allocated buffer.

Rename IPA_HOST_HOST to_LEN IPA_HOST_FQDN_LEN and use IPA_HOST_FQDN_LEN
wherever code copies a hostname supplied from ipa_gethostfqdn().

Clarify that MAXHOSTNAMELEN and MAXHOSTFQDNLEN are different things.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2020-10-26 17:11:19 +11:00
Christian Heimes
e28ec76898 Unify access to FQDN
FreeIPA's Python and C code used different approaches to get the FQDN of
the host. Some places assumed that gethostname() returns a FQDN. Other
code paths used glibc's resolver to resolve the current node name to a
FQDN.

Python code now uses the ipalib.constants.FQDN where a fully qualified
domain name is expected. The variable is initialized only once and avoids
potential DNS lookups.

C code uses a new helper function ipa_gethostfqdn() in util package. The
function implements similar logic as gethostfqdn() except it uses more
modern getaddrinfo(). The result is cached as well.

Fixes: https://pagure.io/freeipa/issue/8501
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2020-10-26 17:11:19 +11:00
Christian Heimes
b79191f710 Faster certmonger wait_for_request()
wait_for_request() now waits 0.5 instead of 5 seconds. This shoves off
15 to 20 seconds from ipa-server-install while marginally increased
load on the system.

request_and_wait_for_cert() now uses correct certmonger_wait_timeout
instead of http_timeout.

Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-09-30 09:52:08 +02:00
Christian Heimes
96edff0b8c Add helpers for resolve1 and nameservers
detect_resolve1_resolv_conf() detects if systemd-resolved is enabled and
manages /etc/resolv.conf.

get_resolve1_nameservers() gets upstream DNS servers from
systemd-resolved's D-Bus interface.

get_dnspython_nameservers() gets upstream DNS servers from
/etc/resolv.conf via dns.python.

get_nameservers() gets a list of unique, non-loopback DNS server IP
addresses.

Also fixes setup.py to include D-Bus for ipalib instead of ipapython.

See: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-09-23 16:44:26 +02:00
Christian Heimes
72fb4e60c8 Add user and group wrappers
New classes for user and group names provide a convenient way to access
the uid and primary gid of a user / gid of a group. The classes also
provide chown() and chgrp() methods to simplify common operations.

The wrappers are subclasses of builtin str type and behave like ordinary
strings with additional features. The pwd and grp structs are retrieved
once and then cached.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-09-22 09:23:18 -04:00
Rob Crittenden
cdf830af18 De-duplicate ACI attributes and permissions
Ensure uniqueuess in attributes and permissions in the ACI class.

A set() is not used because it doesn't guarantee order which ends up
causing cascading and unpredictable test failures. Since all we
really need is de-duplication and not a true mathematical set iterating
through the list is sufficiently fast, particularly since the number
of elements will always be low.

https://pagure.io/freeipa/issue/8443

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-09-14 09:15:59 +03:00
Stanislav Levin
49e643783d dnspython: Add compatibility shim
`dnspython` 2.0.0 has many changes and several deprecations like:

```
> dns.resolver.resolve() has been added, allowing control of whether
search lists are used. dns.resolver.query() is retained for backwards
compatibility, but deprecated. The default for search list behavior can
be set at in the resolver object with the use_search_by_default
parameter. The default is False.

> dns.resolver.resolve_address() has been added, allowing easy
address-to-name lookups.
```

The new class `DNSResolver`:
- provides the compatibility layer
- defaults the previous behavior (the search list configured in the
  system's resolver configuration is used for relative names)
- defaults lifetime to 15sec (determines the number of seconds
  to spend trying to get an answer to the question)

Fixes: https://pagure.io/freeipa/issue/8383
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-31 09:46:03 +03:00
Rob Crittenden
12dfb0fc96 cli: When parsing options require name/value pairs
If single-option values are combined together with invalid options
an exception would be raised.

For example -verbose was treated as -v -e rbose. Since rbose isn't
a name/value pair things would blow up. This is now caught and
a somewhat more reable error returned. The -v and -e are consumed,
not much we can do about that, but at least a more usable error is
returned.

https://pagure.io/freeipa/issue/6115

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-25 10:31:19 -04:00
Rob Crittenden
a8d5e6bbfe Fall back to old server installation detection when needed
If there is no installation section the the install pre-dated
this new method of detecting a successful installation, fall back
to that.

https://pagure.io/freeipa/issue/8458

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2020-08-18 11:11:26 +02:00
Rob Crittenden
0dc084a34f Address legacy pylint issues in sysrestore.py
These were triggered because of the movement of sysrestore.py in
the tree

https://pagure.io/freeipa/issue/8384

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-08-07 16:44:28 -04:00
Rob Crittenden
2c3a042c06 Update check_client_configuration to use new client fact
check_client_configuration differs from is_ipa_client_configured
in that it raises an exception if not configured so is a nice
convenience in AdminTool scripts. Port it to call to
is_ipa_client_configured() instead of determining the install
state on its own.

https://pagure.io/freeipa/issue/8384

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-08-06 14:11:27 +02:00
Rob Crittenden
5e02713481 Don't use the has_files() to know if client/server is configured
Use the is_ipa_configure() and is_ipa_client_configured() utilities
instead which are much more robust.

https://pagure.io/freeipa/issue/8384

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-08-06 14:11:27 +02:00
Rob Crittenden
d7a4756dac Create a common place to retrieve facts about an IPA installation
This is common to both client and server. Start with whether the
client or server is configured.

https://pagure.io/freeipa/issue/8384

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-08-06 14:11:27 +02:00
Christian Heimes
80794f6b5e Make tab completion in console more useful
tab completion and dir() now show registered plugins in API name spaces.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-07-07 12:36:10 +02:00
Christian Heimes
069f41a01e Add __signature__ to plugins
Auto-generate inspect.Signature from plugin arguments and options. The
signature is used by (amongst others) pydoc / help.

```
$ ipa console
>>> help(api.Command.group_add)
Help on group_add in module ipaserver.plugins.group object:

class group_add(ipaserver.plugins.baseldap.LDAPCreate)
 |  group_add(cn: str, *, description: str = None, gidnumber: int = None, setattr: List[str] = None, addattr: List[str] = None, nonposix: bool, external: bool, all: bool, raw: bool, version: str = None, no_members: bool) -> Dict[str, Any]
```

Fixes: https://pagure.io/freeipa/issue/8388
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-07-07 12:36:10 +02:00
Fraser Tweedale
d7f3a0b2d3 ra.get_certificate: use REST API
Update ra.get_certificate to use the Dogtag REST API.  This change
is being done as part of the Dogtag GSS-API authentication effort
because the servlet-based method expects an internal Dogtag user.
It is less intrusive to just change FreeIPA to call the REST API
instead (which is also part of an existing ticket).

Depends on https://pagure.io/dogtagpki/issue/2601 (which was merged
and released long ago).

Part of: https://pagure.io/freeipa/issue/3473
Part of: https://pagure.io/freeipa/issue/5011

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-06-30 16:18:21 +02:00
Fraser Tweedale
c7766ebb94 Define errors_by_code in ipalib.errors
The errors_by_code mapping could be used in more places.  In
particular it will be useful in the Dogtag GSS-API authentication
effort.  Move to ipalib.errors.

Part of: https://pagure.io/freeipa/issue/5011

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-06-29 12:03:16 +10:00
Christian Heimes
5c09dcdb98 Grammar: whitespace is a word
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-23 10:16:29 +02:00
Christian Heimes
4911a3f055 Prevent local account takeover
It was found that if an account was created with a name corresponding to
an account local to a system, such as 'root', was created via IPA, such
account could access any enrolled machine with that account, and the local
system privileges. This also bypass the absence of explicit HBAC rules.

root principal alias
-------------------

The principal "root@REALM" is now a Kerberos principal alias for
"admin". This prevent user with "User Administrator" role or
"System: Add User" privilege to create an account with "root" principal
name.

Modified user permissions
-------------------------

Several user permissions no longer apply to admin users and filter on
posixaccount object class. This prevents user managers from modifying admin
acounts.

- System: Manage User Certificates
- System: Manage User Principals
- System: Manage User SSH Public Keys
- System: Modify Users
- System: Remove Users
- System: Unlock user

``System: Unlock User`` is restricted because the permission also allow a
user manager to lock an admin account. ``System: Modify Users`` is restricted
to prevent user managers from changing login shell or notification channels
(mail, mobile) of admin accounts.

New user permission
-------------------

- System: Change Admin User password

The new permission allows manipulation of admin user password fields. By
default only the ``PassSync Service`` privilege is allowed to modify
admin user password fields.

Modified group permissions
--------------------------

Group permissions are now restricted as well. Group admins can no longer
modify the admins group and are limited to groups with object class
``ipausergroup``.

- System: Modify Groups
- System: Remove Groups

The permission ``System: Modify Group Membership`` was already limited.

Notes
-----

Admin users are mostly unaffected by the new restrictions, except for
the fact that admins can no longer change krbPrincipalAlias of another
admin or manipulate password fields directly. Commands like ``ipa passwd
otheradmin`` still work, though. The ACI ``Admin can manage any entry``
allows admins to modify other entries and most attributes.

Managed permissions don't install ``obj.permission_filter_objectclasses``
when ``ipapermtargetfilter`` is set. Group and user objects now have a
``permission_filter_objectclasses_string`` attribute that is used
by new target filters.

Misc changes
------------

Also add new exception AlreadyContainsValueError. BaseLDAPAddAttribute
was raising a generic base class for LDAP execution errors.

Fixes: https://pagure.io/freeipa/issue/8326
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1810160
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-06-15 22:44:42 +03:00
Fraser Tweedale
9d9012f682 httpinstance: retry request without ipa-ca.$DOMAIN dnsName on failure
In the migration case of replica installation, if the CA server is
an older version it may not support the ipa-ca.$DOMAIN dnsName in
the HTTP cert (it is a special case in the cert_request command).
Therefore if the request fails, try it again without the
ipa-ca.$DOMAIN dnsName.

Part of: https://pagure.io/freeipa/issue/8186

Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2020-06-10 22:27:26 +10:00
Peter Keresztes Schmidt
1606174457 Remove remains of unused config options
Options removed:
 * ca_ee_port
 * ca_agent_install_port
 * ca_ee_install_port

Closes: https://pagure.io/freeipa/issue/6708
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-06-02 09:39:42 +02:00
Christian Heimes
13c3997baa Fix detection logic for api.env.in_tree
The logic to detect in-tree builds was broken and ipatests/conftest.py
had hard-coded in_tree=True.

IPA now considers an environment as in-tree when the parent directory of
the ``ipalib`` package contains ``ipasetup.py.in``. This file is only
present in source and never installed.

API bootstrap() does not use ```self.site_packages in site.getsitepackages()``
because the function call can be expensive and would require path
normalization, too. The function is also missing from venv site module.

Fixes: https://pagure.io/freeipa/issue/8312
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-05-14 18:16:20 +02:00
Christian Heimes
82ba4db11e Make api.env.mode consistent
* use "developer" in Azure
* fix man page: "development" to "developer"
* list known modes in API bootstrap methods

Other values for mode are still supported to avoid breaking existing
installations.

Fixes: https://pagure.io/freeipa/issue/8313
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-05-14 17:55:59 +02:00
Christian Heimes
d0818e1809 Fix E713 test for membership should be 'not in'
Related: https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-05-05 10:42:46 +02:00
Christian Heimes
e00dc40fea Create ipasphinx package for Sphinx plugins
Sphinx is extensible with plugins that can add new syntax, roles,
directives, domains, and more.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-04-28 20:03:21 +02:00