ipa cert-show wrongly displays all certs as Revoked.
The dogtag plugin code is checking if the JSON data received
from dogtag contains a RevocationReason with:
if 'RevocationReason' in resp:
but the value can be None.
Replace the check with
if 'RevocationReason' in resp and esp['RevocationReason'] is not None:
as this will execute the code only if there is a value
and it is not None.
Fixes: https://pagure.io/freeipa/issue/8394
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When override_gid is set in sssd.conf in IPA domain section
Then it should also work for subdomain.
Related: https://pagure.io/SSSD/sssd/issue/4061
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
With commit "WebUI: Apply jQuery patch to fix htmlPrefilter issue" (bc9f3e0557)
jQuery's handling of self-closing elements.
DOM before the above mentioned commit:
<div name="nsaccountlock"><i class="fa fa-check"></i> Enabled</div>
and after:
<div name="nsaccountlock"><i class="fa fa-check"> Enabled</i></div>
Explicitly closing the <i> element fixes the issue:
<div name="nsaccountlock"><i class="fa fa-check"></i> Enabled</div>
Fixes: https://pagure.io/freeipa/issue/8396
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Related: https://pagure.io/freeipa/issue/8395
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
On Fedora 32+ and RHEL 8.3.0+ execution of ipa_helper_t context requires
SELinux policy permission to use 'noatsecure'. This comes most likely
from execve() setup by glibc.
Add SELinux interface ipa_helper_noatsecure() that can be called by
oddjob's SELinux policy definition.
In addition, if ipa_helper_t runs ipa-getkeytab, libkrb5 will attempt to
access SELinux configuration and produce AVC for that. Allow reading
general userspace SELinux configuration.
Fixes: https://pagure.io/freeipa/issue/8395
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
73c02f635 introduced a workaround to make sure the latest version
of (free)ipa-client-epn was installed.
Since cc624fb17 this should not be needed anymore.
Fixes: https://pagure.io/freeipa/issue/8391
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The test test_adtrust_install.py::TestIpaAdTrustInstall::test_add_agent_not_allowed
sometimes fails at kinit in create_active_user:
```
kinit: Password has expired while getting initial credentials
```
krb5_strace shows that this happens when kinit changes servers
between password change and TGT requests.
Display SSSD's kdcinfo to see if kinit should be pinned to one
server.
Related-to: https://pagure.io/freeipa/issue/8353
Related-to: https://pagure.io/freeipa/issue/8271
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Sumit Bose <sbose@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Update ra.get_certificate to use the Dogtag REST API. This change
is being done as part of the Dogtag GSS-API authentication effort
because the servlet-based method expects an internal Dogtag user.
It is less intrusive to just change FreeIPA to call the REST API
instead (which is also part of an existing ticket).
Depends on https://pagure.io/dogtagpki/issue/2601 (which was merged
and released long ago).
Part of: https://pagure.io/freeipa/issue/3473
Part of: https://pagure.io/freeipa/issue/5011
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Outside of virtual commands themselves there is no way to evaluate
access to perform a virtual operation. Such a capability will be
needed for Dogtag-based certificate request validation using
Kerberos proxy credentials.
Add the 'check_operation_access' method for explicit virtual
operation access checks. Refactor 'VirtualCommand.check_access()'
to use it.
Part of: https://pagure.io/freeipa/issue/5011
Part of: https://pagure.io/freeipa/issue/6423
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Related to: https://pagure.io/SSSD/sssd/issue/4173
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Varun Mylaraiah <mvarun@redhat.com>
When AD user is added customized idview and UID, GID
is overriden. Then SSSD should not fail to retrieve
AD domain details.
Related: https://pagure.io/SSSD/sssd/issue/4173
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Varun Mylaraiah <mvarun@redhat.com>
The errors_by_code mapping could be used in more places. In
particular it will be useful in the Dogtag GSS-API authentication
effort. Move to ipalib.errors.
Part of: https://pagure.io/freeipa/issue/5011
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Remove all freeipa-* packages from template:
bdd98c3b9d
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Due to https://github.com/freeipa/freeipa-pr-ci/issues/378
the installed version of freeipa-client-epn is not the built
one. Temporarily force uninstall/reinstall of this package
before running the test.
Fixes: https://pagure.io/freeipa/issue/8374
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fixes: https://pagure.io/freeipa/issue/8374
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fix formatting issues found with mandoc.
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Ship and install /etc/ipa/epn.conf.
Minor fixes to the associated man page.
Fixes: https://pagure.io/freeipa/issue/8374
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
According to datetime.utcfromtimestamp() method documentation[1],
this and similar methods fail for dates past 2038 and can be replaced by
the following expression on the POSIX compliant systems:
datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=timestamp)
Make sure to use a method that at least allows to import the timestamps
properly to datetime objects on 32-bit platforms.
[1] https://docs.python.org/3/library/datetime.html#datetime.datetime.utcfromtimestamp
Fixes: https://pagure.io/freeipa/issue/8378
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The test TestCertsInIDOverrides enables the ifp service in
sssd.conf by a sed command. If the service is already enabled,
the ifp service appears multiple times in the section
[sssd]
services = ..ifp...ifp
and sssd fails to start.
Use tasks.remote_sssd_config to properly configure the
services as this API properly handles the case when the
service is already configured.
Fixes: https://pagure.io/freeipa/issue/8371
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Tests for below checks are included
IPATrustDomainsCheck
IPATrustControllerConfCheck
IPAsidgenpluginCheck
IPATrustControllerServiceCheck
IPATrustAgentMemberCheck
IPATrustCatalogCheck
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
If ipa client was installed with openssh-server >= 8.2, the
configuration parameters for sshd were put in /etc/ssh/sshd_config
instead of in a snippet in /etc/ssh/sshd_config.d.
Upgrade to this new ipa version fixes the sshd conf by
moving the params to the snippet.
Related: https://pagure.io/freeipa/issue/8304
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
sshd 8.2+ now supports the "Include" keyword in sshd_config and
ships by default /etc/ssh/sshd_config with
"Include /etc/ssh/sshd_config.d/*"
As fedora 32 provides a config file in that directory (05-redhat.conf) with
ChallengeResponseAuthentication no
that is conflicting with IPA client config, ipa-client-install now needs
to make its config changes in a drop-in file read before 05-redhat.conf
(the files are read in lexicographic order and the first setting wins).
There is no need to handle upgrades from sshd < 8.2: if openssh-server
detects a customisation in /etc/ssh/sshd_config, it will not update
the file but create /etc/ssh/sshd_config.rpmnew and ask the admin
to manually handle the config upgrade.
Fixes: https://pagure.io/freeipa/issue/8304
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Some places have to use the old name because it's part of the stable API
or stable LDAP attributes.
See: https://tools.ietf.org/id/draft-knodel-terminology-01.html
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The term "CA renewal master" is a fixed term in FreeIPA and cannot
easily be replaced with an alternative term. At least we should use the
term consistently.
See: https://tools.ietf.org/id/draft-knodel-terminology-01.html
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The message displayed before is now limited to the OTP
sync form, for which it was written originally.
A new message is introduced for the PW reset form,
which clarifies the usage of the OTP field.
Fixes: https://pagure.io/freeipa/issue/5628
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Since TOTPs have a limited validity, let the user enter
them as the last item in the form.
This reduces the chance of the TOTP getting invalid while
the user is still filling out other fields.
Related: https://pagure.io/freeipa/issue/5628
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
We do two things:
1. Fix the xpath for AJP connector verification. An AJP connector is
one which has protocol="AJP/1.3", NOT one that has port="8009". An
AJP connector can exist on any port and port 8009 can have any
protocol. Secrets only make sense on AJP connectors, so make the
xpath match the existing comment.
2. Add some background in-line documentation about AJP secret
provisioning. This should help future developers understand why this
was added to IPA and what limitations there are in what PKI or IPA
can do. Most notably, explain why Dogtag can't upgrade the AJP
connector to have a secret in the general case.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The 'cert_request' command accumulates DNS names from the CSR,
before checking that all IP addresses in the CSR are reachable from
those DNS names. Before adding a DNS name to the set, we check that
that it corresponds to the FQDN of a known host/service principal
(including principal aliases). When a DNS name maps to a
"alternative" principal (i.e. not the one given via the 'principal'
argument), this check was not being performed correctly.
Specifically, we were looking for the 'krbprincipalname' field on
the RPC response object directly, instead of its 'result' field.
To resolve the issue, dereference the RPC response to its 'result'
field before invoking the '_dns_name_matches_principal' subroutine.
Fixes: https://pagure.io/freeipa/issue/8368
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add builder for association adder dialog which allows to override behavior of the component.
Replace default implementation with a custom one for idoverrideuser.
Replace text filter with 'ID view' select box in the idoverrideuser dialog.
Ticket: https://pagure.io/freeipa/issue/8335
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
RHEL 8 buildroot does not have python3-rjsmin yet. Fall back to
uglifyjs.
See: https://pagure.io/freeipa/issue/8300
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
New images were necessary to include updated `selinux-policy` package.
Rawhide image based on `Fedora-Rawhide-20200607.n.0` compose.
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
It should be ipanthomedirectorydrive and not ipanthomedirectoryrive.
This fixes showing the field in Web UI and also should fix CLI as it
probably never worked.
Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Under some search conditions (in particular, when user is
specified), the CA sub-search of cert-find command throws an error
on CA-less deployments. Do not execute the CA sub-search on CA-less
deployments.
Fixes: https://pagure.io/freeipa/issue/8369
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This section should be hidded if user object hasn't ipantuserattrs
object class. I.e. when trusts are not enabled.
Web UI framework already supports hidding of sections if the
section contains no visible field. So to achieve it we simply needs
to hide the fields. Given that attributelevelrights
contains rights only for attributes of current object classes, all
of these are regarded as not writable.
We can leverage feature of input_widget that it gets hidden
when the attribute is not writable and has no value and widget's
"hidden_if_empty" is set to true. Thus doing it here.
For this to work, it is also required to fix an issue with
"ipanthomedirectorydrive" which is optional (in API) but Web UI
doesn't offer "empty" ("") value. Adding it here.
fixes: https://pagure.io/freeipa/issue/8336
Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>