This removes the ipa.syntaxrule and ipa.datarule macros in favor of
simple 'if' statements based on the data referenced in the rules. The
'if' statement for a syntax rule is generated based on the data rules it
contains.
The Subject DN should not be generated unless all data rules are in
place, so the ability to override the logical operator that combines
data_sources (from 'or' to 'and') is added.
https://fedorahosted.org/freeipa/ticket/4899
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Adds a library that uses jinja2 to format a script that, when run, will
build a CSR. Also adds a CLI command, 'cert-get-requestdata', that uses
this library and builds the script for a given principal. The rules are
read from json files in /usr/share/ipa/csr, but the rule provider is a
separate class so that it can be replaced easily.
https://fedorahosted.org/freeipa/ticket/4899
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
When --subject-base and --ca-subject are not specified in ipa-ca-install,
default values are used. DN objects are used as the default values in
ipa-ca-install, but the CA installer expects the values to be strings. This
causes ipa-ca-install to fail unless both --subject-base and --ca-subject
are specified.
Convert the DN objects to strings to fix the issue.
https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Improve the single/double quote handling during parsing/unparsing of
nss.conf's NSSNickname directive. Single quotes are now added/stripped
explicitly when handling the certificate nickname.
https://fedorahosted.org/freeipa/ticket/6460
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Separate functions were added to installutils module to quote/unquote a
string in arbitrary characters.
`installutils.get/set_directive` functions will use them to enclose
the directive values in double quotes/strip the double quotes from
retrieved values to maintain the original behavior.
These functions can be used also for custom quoting/unquoting of
retrieved values when desired.
https://fedorahosted.org/freeipa/ticket/6460
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
`get_directive` value parsing was improved in order to bring its logic
more in-line to changes in `set_directive`: a specified quoting
character is now unquoted and stripped from the retrieved value. The
function will now also error out when malformed directive is
encountered.
https://fedorahosted.org/freeipa/ticket/6460
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
If search limits are not specified in cert-find, use the configured limits.
This applies to the certificate search in the CA as well.
Detect and report if size limit was exceeded in the certificate search in
the CA.
Do not apply limits to the internal ca-find call.
https://fedorahosted.org/freeipa/ticket/6564
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Dogtag requires a size limit to be specified when searching for
certificates. When no limit is specified in the dogtag plugin, a limit of
100 entries is assumed. As a result, an unlimited certificate search
returns data only for a maximum of 100 certificates.
Raise the "unlimited" limit to the maximum value Dogtag accepts.
https://fedorahosted.org/freeipa/ticket/6564
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
'read_ca' and 'create_ca' have no logging when exception happened and it
masks real reason why it failed.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
There is no need to encode hostname to bytes. UTF-8 characters must be
encoded in different format in URL anyway and it causes only error in
Py3. String must be unicode to support Py2.
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
ipa-restore calls certmonger to stop tracking the PKI certs, HTTP and DS certs.
It must also stop tracking the newly introduced PKINIT cert (stored in
/var/kerberos/krb5kdc/kdc.crt).
Otherwise the restore operation ends up with PKINIT cert tracked twice and
uninstallation fails.
https://fedorahosted.org/freeipa/ticket/6570
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
In commit 5249eb817e, the client install code
was converted to use exception handling instead of return codes. However,
some return statements were not converted to raise statements and as a
result, ipa-client-install will report success in some error conditions.
Convert the return statements to raise statements to fix the issue.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Fix provide possibility to create user-add test with minimal values,
where uid is not specified, to provide better coverage. Also provide
check for non-empty unicode string for attributes required in init method
https://fedorahosted.org/freeipa/ticket/6126
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
v2:
- use redhat_services.redhat_system_units.copy
- don't use wildcard imports
- add some empty lines to make pep8 happy
v3:
- make parse_ipa_version static
v4:
- make more methods static
v5:
- fix pylint issues
- use syntax that doesn't break with python3
v6:
- remove IPA_GETKEYTAB from paths, it's the same across distros
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
In tree runs of make check leave some artifacts around. The patch adds
them to make clean and .gitignore.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
