Commit Graph

2577 Commits

Author SHA1 Message Date
Rob Crittenden
9c1ab3ca50
Pass ipa-ca-agent credentials as PEM files
In Fedora 27 curl is proposing to switch to using OpenSSL as
the crypto backend instead of NSS. This requires a new set of
arguments to certmonger to bootstrap fetching the IPA RA cert.

https://pagure.io/freeipa/issue/7076

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-08-18 11:32:34 +02:00
Fraser Tweedale
7995518921 Restore old version of caIPAserviceCert for upgrade only
The latest version of caIPAserviceCert profile includes a feature
that is not available before Dogtag 10.4, and this version of the
profile is intended for new installs only (otherwise, problems will
arise in topologies containing CA replicas at an earlier version).
But IPA versions before v4.2 did not use LDAP-based profiles, so the
new version of the profile gets imported when upgrading from
pre-v4.2 to v4.5 or later.

We do not yet have a proper version- and topology-aware profile
update mechanism, so to resolve this issue, ship the older version
of the profile alongside the newer version, and make sure we use the
older version when importing the profile in an upgrade context.

https://pagure.io/freeipa/issue/7097

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-14 19:25:59 +02:00
Christian Heimes
5f03329051
Misc Python 3 fixes for ipaserver.secrets
bytes/str fixes for LDAP data, JSON encoding and temp files.

Require jwcrpyto 0.4.2 with fix for RHBZ #1476150

https://pagure.io/freeipa/issue/4985

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-08-11 13:47:35 +02:00
Stanislav Laznicka
7d217c8c9b
host, service: fix adding host/svc with a cert
ipaldap.LDAPEntry expects that entry attributes, if multi-valued,
are lists.

The recent cert refactoring made it possible to pass certificate
values from options directly to LDAPEntry. This should now be
handled in appropriate general way in baseldap.LDAPCreate
since if options.get() is called, it returns tuple instead
of list which confuses ipaldap.

https://pagure.io/freeipa/issue/7077

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-11 12:09:44 +02:00
Stanislav Laznicka
d147948fcc server plugin: pass bytes to ldap.modify_s
The server-del command passes str instance instead of bytes to
ldap.modify_s which results in the target server not being
removed properly.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2017-08-03 13:50:10 +02:00
Stanislav Laznicka
76904ba84d replica: fix SetuptoolsVersion comparison
Python 3 does not allow comparing SetuptoolsVersion and str
instances.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-08-03 13:48:12 +02:00
Stanislav Laznicka
9fc2cab972 certs: write and read bytes as such
There were several cases in ipaserver.install.certs where bytes
would be read/written as normal strings, this commit fixes that.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2017-08-02 16:15:13 +02:00
Stanislav Laznicka
c95617e714 cainstance: read cert file as bytes
https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-07-27 16:55:21 +02:00
Stanislav Laznicka
0c848b791d ca: TypeError fix
We were trying to load a certificate as a string even though it
was an object already.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 16:53:00 +02:00
Stanislav Laznicka
276bef101b krainstance: fix writing str to file
https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-07-27 16:51:09 +02:00
Felipe Volpone
75d26e1f01 py3: fixing zonemgr_callback
Since OptionParser behaves differently in Python 2/3,
zonemgr_callback now handles value as str in both version.

https://pagure.io/freeipa/issue/5990

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-07-27 16:48:49 +02:00
Stanislav Laznicka
5a44ca6383 Create a Certificate parameter
Up until now, Bytes parameter was used for certificate parameters
throughout the framework. However, the Bytes parameter does nothing
special for certificates, like validation, so this had to be done
for each of the parameters which were supposed to represent a
certificate.

This commit introduces a special Certificate parameter which takes
care of certificate validation so this does not have to be done
separately. It also makes sure that the certificates represented by
this parameter are always converted to DER format so that we can work
with them in a unified manner throughout the framework.

This commit also makes it possible to pass bytes directly during
instantiation of the Certificate parameter and they are still
represented correctly after their conversion in the _convert_scalar()
method.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Stanislav Laznicka
43c74d3333 Introduce load_unknown_x509_certificate()
load_unknown_x509_certificate() serves for the cases where we
can't be sure what the format of its input certificate is. This
is the case for installers, it should not be used anywhere else.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Stanislav Laznicka
b5732efda6 x509: Make certificates represented as objects
https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Stanislav Laznicka
4375ef860f Split x509.load_certificate() into PEM/DER functions
Splitting the load_certificate() function into two separate helps
us word the requirements for the input explicitly. It also makes
our backend similar to the one of python-cryptography so eventually
we can swap python-cryptography for IPA x509 module.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Lewis Eason
bcfa6b533d Correct typo estabilish->establish in the install scripts
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-07-24 13:41:16 +02:00
David Kupka
d6787eea48 install: replica: Show message about key synchronization
https://pagure.io/freeipa/issue/6940

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-24 13:38:31 +02:00
Pavel Vomacka
3cac851498 WebUI: Add positive number validator
Add new validator which inherits from integer validator
and checks whether the integer is positive.

https://pagure.io/freeipa/issue/6980

Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
2017-07-19 09:26:40 +02:00
Jan Cholasta
07229c8ff6 logging: do not use ipa_log_manager to create module-level loggers
Replace all `ipa_log_manager.log_mgr.get_logger` calls to create
module-level loggers with `logging.getLogger` calls and deprecate
`ipa_log_manager.log_mgr.get_logger`.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
7a482b7c72 logging: do not log into the root logger
Deprecate `ipa_log_manager.root_logger` and replace all calls to it with
module-level logger calls.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
ab9d1e75fc logging: do not reference loggers in arguments and attributes
Remove logger arguments in all functions and logger attributes in all
objects, with the exception of API object logger, which is now deprecated.
Replace affected logger calls with module-level logger calls.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
ffadcb0414 logging: remove object-specific loggers
Remove all object-specific loggers, with the exception of `Plugin.log`,
which is now deprecated. Replace affected logger calls with module-level
logger calls.

Deprecate object-specific loggers in `ipa_log_manager.get_logger`.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
9d19654cbd logging: use the actual root logger as the root logger
Use the actual root logger (`logging.getLogger()`) rather than the `ipa`
logger (or the `root` logger in case of ipa-ods-exporter) as the root
logger.

Always configure logging on the root logger.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
f62a0fdb90 logging: port to standard Python logging
Use the standard `logging` module to configure logging instead of the
in-house `ipapython.log_manager` module and remove `ipapython.log_manager`.

Disable the logging-not-lazy and logging-format-interpolation pylint
checks.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Fraser Tweedale
227cf8d4e9
cert-request: simplify request processing
Currently the cert-request execution is complicated and cannot
handle aliases in the --principal argument.

Implement the following simplifications:

- Search all user/host/service accounts at once, by krbPrincipalName
  (error if no account found).  Use principal canonical name to
  determine the type of the principal.

- Update subject principals userCertificate attribute uniformly,
  instead of dispatching to user/host/service-mod based on type of
  principal.

Fixes: https://fedorahosted.org/freeipa/ticket/6531
Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
2017-07-14 09:24:20 +02:00
Martin Basti
041982f073
baseldap: fix format string
Fixes missing type specification in format string.

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-07-14 09:19:11 +02:00
Simo Sorce
c565fa1781 Always check peer has keys before connecting
When pulling the DM password we may have the same issues reported in
ticket #6838 for CA keys.
This commit makes sure we always check the peer has keys before any
client operation.

Ticket #6838

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
2017-07-13 10:04:11 +02:00
Tibor Dudlák
17f03a7952 whoami.py: Type error when running tests
While test run the TypeError occured in whoami.validate_output().
There should be 'tuple' type in output too.

Fixes: https://pagure.io/freeipa/issue/7050
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-07 14:44:42 +02:00
Martin Babinsky
e2e380e83b Do not remove the old masters when setting the attribute fails
If the setting of server attribute fails (e.g. due to master not having
the associated role enabled) the error would pop up *after* the old
values were cleared from LDAP. Fix this behavior so that all checks are
performed before manipulating any data.

https://pagure.io/freeipa/issue/7029

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-04 14:42:43 +02:00
Martin Babinsky
f4d77533f5 *config-show: Do not show empty roles/attributes
If the role or attribute is empty (i.e. no server provides the role or
the caller has no read access to  the required information) do not
return empty attributes. This is consistent with other behavior
displayed by optional multivalued Params.

https://pagure.io/freeipa/issue/7029

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-04 14:42:43 +02:00
Jan Cholasta
4736fef6bb ldap2: remove URI argument from ldap2 constructor
LDAPClient should be used for ad-hoc connections, so the argument is not
necessary, and currently also unused.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-07-04 12:06:33 +02:00
Jan Cholasta
935fcaea2e {ca,kra}instance: drop redundant URI argument from ad-hoc ldap2 connections
Use the default LDAP URI from api.env.ldap_uri instead of specifying a
custom URI in the argument, as the custom URI is always the same as the
default URI.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-07-04 12:06:33 +02:00
Jan Cholasta
e9cb74fd27 user, migration: use LDAPClient for ad-hoc LDAP connections
Use LDAPClient instead of ldap2 for ad-hoc remote LDAP connections in the
user_status and migrate-ds plugins.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-07-04 12:06:33 +02:00
Martin Babinsky
53c5c0ad7b smart-card-advises: ensure that krb5-pkinit is installed on client
This library is a prerequisite for successful Smart Card authentication
on the client. The client-side advise should make sure this dependency
is present.

https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-04 09:48:04 +02:00
Martin Babinsky
e0cf7090f3 smart card advise: use password when changing trust flags on HTTP cert
This is to prevent NSS asking for database password when operating in
FIPS 140 mode.

https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-04 09:48:04 +02:00
Martin Babinsky
4d57aef7a5 smart card advises: use a wrapper around Bash for loops
Replace the raw `command` calls constructing the for loops in some
methods by a wrapper hiding this detail.

https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-04 09:48:04 +02:00
Martin Babinsky
a9fec090f7 Use the compound statement formatting API for configuring PKINIT
Use `if_branch` and `else_branch` context managers instead of raw
`command` calls in the method that generates Bash snippet that
configures PKINIT on the master.

https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-04 09:48:04 +02:00
Martin Babinsky
85a79b5ccd Fix indentation of statements in Smart card advises
https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-04 09:48:04 +02:00
Martin Babinsky
9808395c17 delegate formatting of compound Bash statements to dedicated classes
this simplifies handling compound statements using _AdviceOutput class.
The necessary statements are exposed as context managers and API for
most common constructs is provided.

https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-04 09:48:04 +02:00
Martin Babinsky
dea4b4ca1b advise: add an infrastructure for formatting Bash compound statements
A series of context managers simplify formatting of common compound
statements such as `if`, `else if`, `else` blocks.

https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-04 09:48:04 +02:00
Martin Babinsky
0181334c4c delegate the indentation handling in advises to dedicated class
Indentation levels are now handled transparently by a dedicated class
and should not pollute the statement printing logic.

https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-04 09:48:04 +02:00
Martin Babinsky
36e0d2d65c add a class that tracks the indentation in the generated advises
https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-04 09:48:04 +02:00
Martin Babinsky
e0c2e0f26c Allow to pass in multiple CA cert paths to the smart card advises
If the user has a series of CA certificates required to verify smart
card certs (e.g. intermediary CAs and root CA) it is convenient to allow
for passing them to the advise scripts as a series of PEM files.

https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-04 09:48:04 +02:00
Martin Babinsky
584abe5b68 smart-card advises: add steps to store smart card signing CA cert
On master, upload the CA certificate to IPA LDAP and NSS databases. On
both master and client run ipa-certupdate to update client-side CA
certificate bundles used as PKINIT anchors.

https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-04 09:48:04 +02:00
Martin Babinsky
69ba5f9422 smart-card advises: configure systemwide NSS DB also on master
Previously the Smart card signing CA cert was uploaded to systemwide NSS
DB only on the client, but it need to be added also to the server.
Modify the advise plugins to allow for common configuration steps to
occur in both cases.

https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-04 09:48:04 +02:00
Martin Basti
e53674e741 py3: ipa_otptoken_import: fix calling unicode on bytes
.decode() must be used instead

https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-28 16:26:50 +02:00
Martin Basti
24eadd3a39 py3: ipa_otptoken_import: fix lamba code inspection
lambda in py3 has '__code__' attribute instead of 'func_code'

https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-28 16:26:50 +02:00
Martin Basti
8416d5772d py3: Remove comparison >=2 of debnug log level
We have only one debug log level and it causes issues with py3.
...
  File "/usr/lib/python3.5/site-packages/ipaserver/rpcserver.py", line 490, in marshal
    response, version, pretty_print=self.api.env.debug >= 2
TypeError: unorderable types: str() >= int()

https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-28 16:26:50 +02:00
Jan Cholasta
d5fc0ddd87 install: do not assume /etc/krb5.conf.d exists
Add `includedir /etc/krb5.conf.d` to /etc/krb5.conf only if
/etc/krb5.conf.d exists.

Do not rely on /etc/krb5.conf.d to enable the certauth plugin.

This fixes install on platforms which do not have /etc/krb5.conf.d.

https://pagure.io/freeipa/issue/6589

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
2017-06-28 15:44:51 +02:00
Stanislav Laznicka
d308abac2e rpcserver: remove addition of str and bytes
base64 encoding returns bytes but these can't be added together with
a string.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-27 16:48:21 +02:00