Added error handling for function user_input in order to
handle EOFError in ipautil.py
https://fedorahosted.org/freeipa/ticket/3406
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Deletion of predefined profiles, including the default profile,
should not be allowed. Detect this case and raise an error.
Also update the predefined profiles collection to use namedtuple,
making it easier to access the various components.
Fixes: https://fedorahosted.org/freeipa/ticket/5198
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The deprecated has_key method will be removed from dicts in Python 3.
For custom dict-like classes, has_key() is kept on Python 2,
but disabled for Python 3.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The DNP3 smart-grid standard uses certificate with the IEC 62351-8
IECUserRoles extension. Add a profile for DNP3 certificates which
copies the IECUserRoles extension from the CSR, if present.
Also update cert-request to accept CSRs containing this extension.
Fixes: https://fedorahosted.org/freeipa/ticket/4752
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
kerberos library doesn't support Python 3 and probably never will.
python-gssapi library is Python 3 compatible.
https://fedorahosted.org/freeipa/ticket/5147
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Use Python-3 compatible syntax, without breaking compatibility with py 2.7
- Octals literals start with 0o to prevent confusion
- The "L" at the end of large int literals is not required as they use
long on Python 2 automatically.
- Using 'int' instead of 'long' for small numbers is OK in all cases except
strict type checking checking, e.g. type(0).
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In except clause, use of "," is not recommended (PEP 3110)
Signed-off-by: Niranjan Mallapadi <mrniranjan@fedoraproject.org>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
The open() function is the recommended way to open a file. In Python 3
the file type is gone, but open() still works the same.
The patch is related to https://fedorahosted.org/freeipa/ticket/5127
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Param suplementary_groups allows to specify list of group names to be
used for subprocess.
suplementary_groups param requires runas param to be specified.
Required for ticket: https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: Petr Spacek <pspacek@redhat.com>
ipa-replica-manage del now:
- checks the whole current topology(before deletion), reports issues
- simulates deletion of server and checks the topology again, reports issues
Asks admin if he wants to continue with the deletion if any errors are found.
https://fedorahosted.org/freeipa/ticket/4302
Reviewed-By: David Kupka <dkupka@redhat.com>
Add the profile_id parameter to the 'request_certificate' function
and update call sites.
Also remove multiple occurrences of the default profile ID
'caIPAserviceCert'.
Part of: https://fedorahosted.org/freeipa/ticket/57
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add a default service profile template as part of FreeIPA and format
and import it as part of installation or upgrade process.
Also remove the code that modifies the old (file-based)
`caIPAserviceCert' profile.
Fixes https://fedorahosted.org/freeipa/ticket/4002
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add the 'certprofile' plugin which defines the commands for managing
certificate profiles and associated permissions.
Also update Dogtag network code in 'ipapython.dogtag' to support
headers and arbitrary request bodies, to facilitate use of the
Dogtag profiles REST API.
Part of: https://fedorahosted.org/freeipa/ticket/57
Reviewed-By: Martin Basti <mbasti@redhat.com>
This patch adds an error handler which prints out the paths to logs related to
configuration and installation of Dogtag/CA in the case of failure.
https://fedorahosted.org/freeipa/ticket/4900
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
pylint added 'confidence' parameter to 'add_message' method of PyLinter.
To be compatible with both, pre- and post- 1.4 IPALinter must accept
the parameter but not pass it over.
Also python3 checker was added and enabled by default. FreeIPA is still
not ready for python3.
Additionally few false-positives was marked.
Reviewed-By: Martin Basti <mbasti@redhat.com>
the old implementation tried to get all entries which are member of group.
That means also user. User can't have any members therefore this costly
processing was unnecessary.
New implementation reduces the search only to entries which have members.
Also page size was removed to avoid paging by small pages(default size: 100)
which is very slow for many members.
https://fedorahosted.org/freeipa/ticket/4947
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Make all DNs, RDNs and AVAs immutable.
Immutability makes reasoning about DN-handling code easier,
as value objects can't be changed once created.
Instead of mutable DNs, one can use a list (or even a generator)
of RDNs that's converted to a DN on output.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
kinit_keytab replaces kinit_hostprincipal and performs Kerberos auth using
keytab file. Function is also able to repeat authentication multiple times
before giving up and raising Krb5Error.
kinit_password wraps kinit auth using password and also supports FAST
authentication using httpd armor ccache.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
DN code was optimized to be faster if DNs are created from string. This is
the major use case, since most DNs come from LDAP.
With this patch, DN creation is almost 8-10x faster (with 30K-100K DNs).
Second mojor use case - deepcopy in LDAPEntry is about 20x faster - done by
custom __deepcopy__ function.
The major change is that DN is no longer internally composed of RDNs and
AVAs but it rather keeps the data in open ldap format - the same as output
of str2dn function. Therefore, for immutable DNs, no other transformations
are required on instantiation.
The format is:
DN: [RDN, RDN,...]
RDN: [AVA, AVA,...]
AVA: ['utf-8 encoded str - attr', 'utf-8 encode str -value', FLAG]
FLAG: int
Further indexing of DN object constructs an RDN which is just an encapsulation
of the RDN part of open ldap representation. Indexing of RDN constructs AVA in
the same fashion.
Obtained EditableAVA, EditableRDN from EditableDN shares the respected lists
of the open ldap repr. so that the change of value or attr is reflected in
parent object.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
This change does not solve using multiple instances of StateFile concurently
because there is no use for it in near future. Instead this solves an issue of loosing
records when more instances of StateFile are interleaved in sequential code.
https://fedorahosted.org/freeipa/ticket/4901
Reviewed-By: Martin Basti <mbasti@redhat.com>
We use ntpd now to sync time before fetching a TGT during client
install. Unfortuantely, ntpd will hang forever if it is unable to
reach the NTP server.
This patch adds the ability for commands run via ipautil.run() to
have an optional timeout. This capability is used by the NTP sync
code that is run during ipa-client-install.
Ticket: https://fedorahosted.org/freeipa/ticket/4842
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
