Commit Graph

10843 Commits

Author SHA1 Message Date
Fraser Tweedale
c6db493b06 installer: rename --subject to --subject-base
The --subject option is actually used to provide the "subject base".
We are also going to add an option for fully specifying the IPA CA
subject DN in a subsequent commit.  So to avoid confusion, rename
--subject to --subject-base, retaining --subject as a deprecated
alias.

Part of: https://fedorahosted.org/freeipa/ticket/2614

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-11 15:26:20 +01:00
Fraser Tweedale
db6674096c installutils: remove hardcoded subject DN assumption
`installutils.load_external_cert` assumes that the IPA CA subject
DN is `CN=Certificate Authority, {subject_base}`.  In preparation
for full customisability of IPA CA subject DN, push this assumption
out of this function to call sites (which will be updated in a
subsequent commit).

Part of: https://fedorahosted.org/freeipa/ticket/2614

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-11 15:26:20 +01:00
Fraser Tweedale
324183cd63 Refactor and relocate set_subject_base_in_config
Refactor set_subject_base_in_config to use api.Backend.ldap2 instead
of a manually created LDAP connection.

Also rename the function to have a more accurate name, and move it
to 'ipaserver.install.ca' to avoid cyclic import (we will eventually
need to use it from within that module).

Part of: https://fedorahosted.org/freeipa/ticket/2614

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-11 15:26:20 +01:00
Martin Basti
d648c6a692 py3: enable py3 pylint
We should run pylint in both python2 and python3 versions

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-01-11 13:17:15 +01:00
Martin Babinsky
9b5b713150 Travis CI: actually return non-zero exit status when the test job fails
The original code did not actually propagate the test runner exit status
to parent process so Travis CI job was always green.

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-01-09 15:22:51 +01:00
David Kupka
d15ccde20f ipaclient: schema cache: Handle malformed server info data gracefully
As a part of CLI schema cache some data about each previously contacted server
are stored in simple JSON file. The file may get corrupted and became
undecodable for various reasons (parallel access, file system error,
tampering). Since the data are not necessary we should just warn an continue.

https://fedorahosted.org/freeipa/ticket/6578

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-09 09:13:36 +01:00
Martin Basti
35ba724de9 Py3: Fix ToASCII method
in Py2 to_text method returns Py2 non-unicode string, but in Py3 to_text method
returns Py3 default (unicode) string. So only in Py2 we have to decode
str to unicode.

https://fedorahosted.org/freeipa/ticket/5935

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-06 12:48:10 +01:00
Christian Heimes
deaad95247 Fix used before assignment bug in host_port_open()
Detected by most recent pylint under Python 3.5.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-01-06 10:07:33 +01:00
Petr Spacek
fb7c111ac1 ipa_generate_password algorithm change
A change to the algorithm that generates random passwords
for multiple purposes throught IPA. This spells out the need
to assess password strength by the entropy it contains rather
than its length.

This new password generation should also be compatible with the
NSS implementation of password requirements in FIPS environment
so that newly created databases won't fail with wrong authentication.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2017-01-06 09:26:56 +01:00
Stanislav Laznicka
8db5b277a0 Unify password generation across FreeIPA
Also had to recalculate entropy of the passwords as originally,
probability of generating each character was 1/256, however the
default probability of each character in the ipa_generate_password
is 1/95 (1/94 for first and last character).

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2017-01-06 09:26:56 +01:00
Pavel Vomacka
be7865bf4f Change activity text while loading metadata
After log in into webui there was 'Authenticating' sign even during loading metadata.
Now while data are loading there is 'Loading data' text. This change requires new global
topic 'set-activity' of activity widget. So for now there is possibility to change
every activity string during running phase just by publishing 'set-activity' topic
and setting new text as first parameter.

Part of: https://fedorahosted.org/freeipa/ticket/6144

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-01-05 19:13:37 +01:00
Pavel Vomacka
5a950aeb29 Refactoring of rpc module
The rpc module is now separated from display layer.

There are two new global topics:
- 'rpc-start' for showing the widget which indicates execution of rpc calls
- 'rpc-end' for hiding the widget which indicates execution of rpc calls.
These two global topics replace the original methods IPA.display_activity_icon() and
IPA.hide_activity_icon().

There is also new property of a command (notify_globally), which allows to turn off the widget
which indicates network activity. Instead of classic activity indicator there can be
called custom function at the beginning and at the end of network activity.

There are also changes in internal communication in rpc.js module. There are four new
events, two for calling on_success and on_error methods and two for calling custom functions
at the beginning and at the end of network activity.

https://fedorahosted.org/freeipa/ticket/6144

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-01-05 19:13:37 +01:00
Pavel Vomacka
18425dbbe7 WebUI: update Patternfly and Bootstrap
Current versions:
	PatternFly: 3.9.0
	Boostrap: 3.3.7
	Bootstrap-select: 1.4.3
	Font-Awesome: 4.0.3

https://fedorahosted.org/freeipa/ticket/6394

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-01-05 18:33:46 +01:00
David Kupka
388ed93935 schema_cache: Make handling of string compatible with python3
https://fedorahosted.org/freeipa/ticket/6559

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-01-05 18:30:00 +01:00
Timo Aaltonen
0ff12de338 client, platform: Use paths.SSH* instead of get_config_dir().
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-01-05 17:50:03 +01:00
Jan Cholasta
ceb26f5ac4 ca: fix ca-find with --pkey-only
Since commit 32b1743e5f, ca-find will fail
with internal error if --pkey-only is specified, because the code to
look up the CA certificate and certificate chain assumes that the ipaCAId
attribute is always present in the result.

Fix this by not attempting to lookup the certificate / chain at all when
--pkey-only is specified.

https://fedorahosted.org/freeipa/ticket/6178

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-01-05 17:39:57 +01:00
Christian Heimes
1e06a5195b Use pytest conftest.py and drop pytest.ini
Let's replace some ugly hacks with proper pytest conftest.py hooks.
Test initialization of ipalib.api is now handled in
pytest_cmdline_main(). Pytest plugins, markers and ignores are also
moved into conftest.py. Additional guards make it possible to run tests
without ipaserver installed.

I added confcutdir to ensure that pytest does not leave our project
space. Pytest used pytest.ini or setup.py before but pytest.ini is gone.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2017-01-05 17:37:02 +01:00
Christian Heimes
3387734e6c Catch ValueError raised by pytest.config.getoption()
pytest.config.getoption() can raise ValueError for unknown options, too.

Reviewed-By: Milan Kubik <mkubik@redhat.com>
2017-01-05 17:35:33 +01:00
Martin Babinsky
0ef55a91ef Trim the test runner log to show only pytest failures/errors
If we get to the `run-tests` phase, we no longer care about messages
from previous steps so we can truncate the log output to only show
pytest failures/errors, reducing log size.

As a fallback, the previous behaviour to print last 5000 log lines was
kept in the case the CI tests fail during setup.

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-01-05 16:21:51 +01:00
Martin Babinsky
4abd3f554a Add license headers to the files used by Travis CI
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-01-05 16:21:51 +01:00
Martin Babinsky
f48d6fc168 Travis CI: use specific Python version during build
This is a preparatory work for the future requirement of running
Python2/3 jobs simultaneously.

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-01-05 16:21:51 +01:00
Martin Babinsky
b6216756f6 introduce install step to .travis.yml and cache pip installs
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-01-05 16:21:51 +01:00
Martin Babinsky
b8423492f5 split out lint to a separate Travis job
In order to speed our Travis CI gating even further, the lint step has
been split to a separate job that can be run in parallel with the test
runs. The test runs are in turn launched in developer mode to speed them
up.

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-01-05 16:21:51 +01:00
Martin Babinsky
149d86de14 Travis: offload test execution to a separate script
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-01-05 16:21:51 +01:00
Martin Babinsky
1267e3e723 Travis CI: a separate script to run test tasks
this script is intended only for use in Travis CI and contains
configuration of the test run requested:

    * it can run linter step separately by specifying TASK_TO_RUN="lint"
      environment variable in .travis.yml. In this case it also runs
      pep8 checker on the commits in PR.
    * other steps are run in developer mode in order to skip pylint run
      and speed up the task
    * in all cases the CI result log is populated and can be displayed
      if the job fails

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-01-05 16:21:51 +01:00
Martin Babinsky
aff4e684e1 Put the commands informing and displaying build logs on single line
This prevents Travis log collector to add separate expansion marks to
the echo output and the actuall log output.

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-01-05 16:21:51 +01:00
Martin Babinsky
758731088e travis: mark FreeIPA as python project
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-01-05 16:21:51 +01:00
Martin Babinsky
d86cae7748 Bump up ipa-docker-test-runner version
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-01-05 16:21:51 +01:00
David Kupka
a15fdea615 installer: Stop adding distro-specific NTP servers into ntp.conf
Distribution packaged ntpd has servers preconfigured in ntp.conf so
there's no point in trying to add them again during FreeIPA server
installation.
Also fix the code to always put fudge line right after the local server
line as required by ntpd.

https://fedorahosted.org/freeipa/ticket/6486

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2017-01-05 10:45:30 +01:00
Fraser Tweedale
a5fb5f2da1 dsinstance: minor string fixes
Fixes: https://fedorahosted.org/freeipa/ticket/6586
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-01-05 10:17:00 +01:00
Fraser Tweedale
6f7d982fe2 Set up DS TLS on replica in CA-less topology
Fixes: https://fedorahosted.org/freeipa/ticket/6226
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-01-05 10:17:00 +01:00
Christian Heimes
987d24f784 Silence pylint import errors of ipaserver in ipalib and ipaclient
In client-only installations the ipaserver package is not available.
Additional guards prevent pylint to complain about missing ipaserver
package.

https://fedorahosted.org/freeipa/ticket/6468

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-01-05 09:50:28 +01:00
Stanislav Laznicka
25a6ddcce8 Clarify meaning of --domain and --realm in installers
Man pages need bigger overhaul. Take this as hot-fix for FAQ.

https://fedorahosted.org/freeipa/ticket/6574

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-01-05 09:47:25 +01:00
Abhijeet Kasurde
80c0e5cb8d Enumerate available options in IPA installer
Fix adds enumerated list of available options in IPA server
installer and IPA CA installer help options

Fixes https://fedorahosted.org/freeipa/ticket/5435

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-03 13:00:36 +01:00
Jan Cholasta
eb1f05d598 spec file: revert to the previous Release tag
Revert from the current Release tag value `upstream` to the previously used
`0%{?dist}`, because:

* `0` sorts before `1`, which is usually used as the initial release number
  in downstream packages,

* the information provided by `%{?dist}` is useful, as packages built on
  one OS are not always installable on another OS.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-01-02 12:09:25 +01:00
Jan Cholasta
556fc21482 x509: use PyASN1 to parse PKCS#7
Use PyASN1 with the PKCS#7 definitions from `pyasn1_modules` to parse
PKCS#7 in `pkcs7_to_pems()` instead of calling `openssl pkcs7` in a
subprocess.

https://fedorahosted.org/freeipa/ticket/6550

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2016-12-22 10:22:31 +01:00
Fraser Tweedale
bdbb1c34a2 Remove "Request Certificate with SubjectAltName" permission
subjectAltName is required or relevant in most certificate use cases
(esp. TLS, where carrying DNS name in Subject DN CN attribute is
deprecated).  Therefore it does not really make sense to have a
special permission for this, over and above "request certificate"
permission.

Furthermore, we already do rigorously validate SAN contents again
the subject principal, and the permission is waived for self-service
requests or if the operator is a host principal.

So remove the permission, the associated virtual operation, and the
associated code in cert_request.

Fixes: https://fedorahosted.org/freeipa/ticket/6526
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-12-21 17:04:18 +01:00
Simo Sorce
2bc01ec5b4 Use the tar Posix option for tarballs
This is necessary to be able to successfully build archives in
environments controlled by an IPA domain which may have large uidNumbers
for user accounts.

tar-ustar allows UID/GID numbers only up to 2 million and by default a
new IPA installation can assigne UIDs in the billion range.

https://fedorahosted.org/freeipa/ticket/6418

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-12-21 14:54:08 +01:00
Jan Cholasta
998c87af2b server install: fix KRA agent PEM file not being created
In commit 822e1bc82a the call to create the
KRA agent PEM file was accidentally removed from the server installer.

Call into the KRA installer from the server installer to create the file
again.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-12-20 16:26:28 +01:00
Fraser Tweedale
4028ad73e7 Fix DL1 replica installation in CA-less topology
Commit dbb98765d7 changed certmonger
requests for DS and HTTP certificates during installation to raise
on error (https://fedorahosted.org/freeipa/ticket/6514).
This introduced a regression in DL1 replica installation in CA-less
topology.  A certificate was requested, but prior to the
aforementioned commit this would fail silently and installation
continued, whereas now installation fails.

Guard the certificate request with a check that the topology is
CA-ful.

Fixes: https://fedorahosted.org/freeipa/ticket/6573
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-12-20 10:19:15 +01:00
Jan Cholasta
1b85e59cee spec file: do not define with_lint inside a comment
RPM expands macros even inside comments in spec files, so the with_lint
macro is unintentionally always defined.

Escape the percent sign in '%global' in the comment to prevent this.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-12-19 13:39:17 +01:00
Petr Spacek
8bc6775122 Remove named-pkcs11 workarounds from DNSSEC tests.
As far as I can tell the tests are passing for some time in Jenkins so
maybe a bug in some underlying component was fixed. Let's remove
workarounds to make tests actually test real setups.

https://fedorahosted.org/freeipa/ticket/5348

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-12-19 13:10:48 +01:00
Martin Babinsky
d95bdbbfd5 Add a basic test suite for kadmin.local interface
This small integration suite tests some basic operations using
kadmin.local interface on services in both kerberos and services
subtree.

https://fedorahosted.org/freeipa/ticket/6561

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-12-16 10:37:49 +01:00
Martin Babinsky
f596735064 Make kadmin family of functions return the result of ipautil.run
This allows for diagnose the output and error code of these operations.
Otherwise there is no way to infer their success or failure apart from
inspecting logs post-mortem.

https://fedorahosted.org/freeipa/ticket/6561

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-12-16 10:37:49 +01:00
Alexander Bokovoy
73f33569c8 ipa-kdb: search for password policies globally
With the CoS templates now used to create additional password policies
per object type that are placed under the object subtrees, DAL driver
needs to search for the policies in the whole tree.

Individual policies referenced by the krbPwdPolicyReference attribute
are always searched by their full DN and with the base scope. However,
when KDC asks a DAL driver to return a password policy by name, we don't
have any specific base to search. The original code did search by the
realm subtree.

Fixes https://fedorahosted.org/freeipa/ticket/6561

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-12-15 17:32:33 +01:00
Fraser Tweedale
fec4c32ff1 certprofile-mod: correctly authorise config update
Certificate profiles consist of an FreeIPA object, and a
corresponding Dogtag configuration object.  When updating profile
configuration, changes to the Dogtag configuration are not properly
authorised, allowing unprivileged operators to modify (but not
create or delete) profiles.  This could result in issuance of
certificates with fraudulent subject naming information, improper
key usage, or other badness.

Update certprofile-mod to ensure that the operator has permission to
modify FreeIPA certprofile objects before modifying the Dogtag
configuration.

https://fedorahosted.org/freeipa/ticket/6560

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-12-14 18:08:33 +01:00
Simo Sorce
397f2be9df Add compatibility code to retrieve headers
Python3 removed the getheaders() function and replaced it with a
get_all() one. Add compat code.

https://fedorahosted.org/freeipa/ticket/6558

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-12-14 17:54:11 +01:00
David Kupka
b1a20599c4 tests: Expect krbpwdpolicyreference in result of {host,service}-{find,show} --all
Result of {host,service}-{find,show} commands with option '--all' always contains
krbpwpolicyreference attributes.

https://fedorahosted.org/freeipa/ticket/6561

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-12-14 17:46:12 +01:00
David Kupka
6f1d927467 password policy: Add explicit default password policy for hosts and services
Set explicitly krbPwdPolicyReference attribute to all hosts (entries in
cn=computers,cn=accounts), services (entries in cn=services,cn=accounts) and
Kerberos services (entries in cn=$REALM,cn=kerberos). This is done using DS's
CoS so no attributes are really added.

The default policies effectively disable any enforcement or lockout for hosts
and services. Since hosts and services use keytabs passwords enforcements
doesn't make much sense. Also the lockout policy could be used for easy and
cheap DoS.

https://fedorahosted.org/freeipa/ticket/6561

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-12-14 17:46:12 +01:00
David Kupka
d841a79dc1 ipaclient.plugins: Use api_version from internally called commands
In client plugins make sure the api_version is 'inherited' from server command
that is internally called. Otherwise the api_version is obtained from client
API instance. When calling server command from client command 'version' is
passed in options and it overrides the right one. Server then refuses to handle
such call.

https://fedorahosted.org/freeipa/ticket/6539

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-12-14 11:50:35 +01:00