Commit Graph

13385 Commits

Author SHA1 Message Date
Alexander Bokovoy
e9dd757763 covscan: free ucs2-encoded password copy when generating NTLM hash
On successful code path we leak internal copy of the ucs2-encoded
password.

Fixes: https://pagure.io/freeipa/issue/8131
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-11-29 11:14:18 +01:00
Alexander Bokovoy
e3ad78538e covscan: free encryption types in case there is an error
Even when a number of translated encryption types is zero, the array
might still be allocated. Call free() in any case as free(NULL) does
nothing.

Fixes: https://pagure.io/freeipa/issue/8131
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-11-29 11:14:18 +01:00
Christian Heimes
e8b98555fc Fix otptoken_sync plugin
The plugin had two bugs:

For one it did not work under Python 3 because urlencode() returns a string
but HTTPSHandler expects bytes as data argument.

The primary key field name is not available in client plugins. Just pass
the token name and let server code convert the name to DN.

Fixes: https://pagure.io/freeipa/issue/7804
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-11-28 16:09:07 +01:00
Christian Heimes
095d3f9bc9 Add test case for OTP login
Add integration tests to verify HOTP, TOTP, service with OTP auth
indicator, and OTP token sync.

Related: https://pagure.io/freeipa/issue/7804
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-11-28 16:09:07 +01:00
Rob Crittenden
02ce407f5e CVE-2019-10195: Don't log passwords embedded in commands in calls using batch
A raw batch request was fully logged which could expose parameters
we don't want logged, like passwords.

Override _repr_iter to use the individual commands to log the
values so that values are properly obscured.

In case of errors log the full value on when the server is in
debug mode.

Reported by Jamison Bennett from Cloudera

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by:  Florence Blanc-Renaud <frenaud@redhat.com>
2019-11-26 15:24:20 +02:00
Simo Sorce
4abd2f76d7 Make sure to have storage space for tag
ber_scanf expects a pointer to a ber_tag_t to return the tag pointed at
by "t", if that is not provided the pointer will be store in whatever
memory location is pointed by the stack at that time causeing a crash.

Note that this is effectively unused code because in ipa-kdb the only
party that can write a key_data structure to be stored is te kdb_driver
itself and we never encode these s2kparam data.

But we need to handle this for future proofing.

Fixes #8071

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-11-26 11:33:48 +01:00
Sergey Orlov
e87357749e
ipatests: add check that ipa-adtrust-install generates sane smb.conf
Related to: https://pagure.io/freeipa/issue/6951

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-11-26 11:14:41 +01:00
Florence Blanc-Renaud
094cf629b3 Nightly definition: use right template for krbtpolicy
The ipaserver template triggers the installation of IPA server
before the tests are launched and should not be used for
test_integration tests

Switch to master_1repl template.

Related: https://pagure.io/freeipa/issue/8001
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-11-25 12:38:32 +01:00
Timo Aaltonen
04bb8ef2f5 Debian: Fix font-awesome path.
Signed-off-by: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-11-25 12:21:24 +01:00
François Cami
438094f868 DSU: add Design for Disable Stale Users
Add disable-stale-users.md: feature document for the upcoming DSU feature.

Fixes: https://pagure.io/freeipa/issue/8104
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-11-23 00:12:24 +01:00
Rob Crittenden
c02cc93c14 Add integration test for Kerberos ticket policy
This also exercises the Authentication Indicator Kerberos ticket
policy options by testing a specific indicator type.

Related: https://pagure.io/freeipa/issue/8001

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-11-21 11:13:12 -05:00
Alexander Bokovoy
c5f32165d6 Add Authentication Indicator Kerberos ticket policy options
For the authentication indicators 'otp', 'radius', 'pkinit', and
'hardened', allow specifying maximum ticket life and maximum renewable
age in Kerberos ticket policy.

The policy extensions are now loaded when a Kerberos principal data is
requested by the KDC and evaluated in AS_REQ KDC policy check. If one of
the authentication indicators mentioned above is present in the AS_REQ,
corresponding policy is applied to the ticket.

Related: https://pagure.io/freeipa/issue/8001

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-11-21 11:13:12 -05:00
Alexander Bokovoy
9db6f65a85 Allow presence of LDAP attribute options
LDAP attribute options aren't enforced in the LDAP schema. They
represent server- and client-side treatment of attribute values but the
schema definition knows nothing about them.

When we check attribute presence in the entry, we should strip options
before comparing attribute names with the schema.

Related: https://pagure.io/freeipa/issue/8001
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-11-21 11:13:12 -05:00
Serhii Tsymbaliuk
7f6b1c99f0
WebUI: Fix notification area layout
The fix prevents blocking elements in the right side near notification area.
Notification area now has fixed width and it isn't offset.
Also notification icon is aligned to notification text.

Ticket: https://pagure.io/freeipa/issue/8120

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2019-11-21 16:44:11 +01:00
Cédric Jeanneret
ae256fa524 Update selinux-policy minimal requirement
Since 6c27104467 we need a new selinux
policy in order to ensure /etc/named directory content has the correct
selinux flags.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2019-11-20 17:12:34 -05:00
Christian Heimes
b216701d9a Show group-add/remove-member-manager failures
Commands like ipa group-add-member-manager now show permission
errors on failed operations.

Fixes: https://pagure.io/freeipa/issue/8122
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-11-20 17:08:40 +01:00
Alexander Bokovoy
ba466a8021 Do not run trust upgrade code if master lacks Samba bindings
If a replica has no Samba bindings but there are trust agreements
configured on some trust controller, skip trust upgrade code on this
replica.

Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-11-20 16:19:00 +01:00
Florence Blanc-Renaud
7893fb9cb1 test_ipalib: add test for DNParam class
A single-valued DNParam parameter must not accept multivalues. Add test
checking the behavior for single valued and multivalued DNParam.

Related: https://pagure.io/freeipa/issue/8097
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-11-20 11:15:28 +01:00
Florence Blanc-Renaud
ecdd7dae19 XMLRPCtest: add a test for add-certmapdata with multiple subject/issuer
ipa user-add-certmapdata defines --issuer and --subject as single valued.
Add a test checking that this is enforced.

Related: https://pagure.io/freeipa/issue/8097
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-11-20 11:15:28 +01:00
Florence Blanc-Renaud
e08a6de6af DNParam: raise Exception when multiple values provided to a 1-val param
When ipa user-add-certmapdata is called with multiple --subject or
multiple --issuer, the DNParam's _convert_scalar method is called with
a tuple containing all the params and should raise an exception as the
--subject and --issuer are single-value params.

The DNParam _convert_scalar method internally calls the DN init method,
and the DN init method is able to create a DN from a tuple of RDNs.
As such, it won't raise exception if a tuple/list is provided.

Check that _convert_scalar is only provided a single element.

Fixes: https://pagure.io/freeipa/issue/8097
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-11-20 11:15:28 +01:00
Serhii Tsymbaliuk
c0b0c6b4b5
WebUI: Fix adding member manager for groups and host groups
- fix API method call for adding member manager
- fix regressions in host group associated tables

Ticket: https://pagure.io/freeipa/issue/8123

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-11-19 13:31:08 +01:00
Armando Neto
e536824425 prci: bump template version for temp_commit and nightly_latest
Commit cd887a48b5 did that for gating,
this commit bumps the version for the remaining definitions.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-11-14 12:03:36 -03:00
Christian Heimes
8124b1bd4c Test installation with (fake) userspace FIPS
Based on userspace FIPS mode by Ondrej Moris.

Userspace FIPS mode fakes a Kernel in FIPS enforcing mode. User space
programs behave like the Kernel was booted in FIPS enforcing mode. Kernel
space code still runs in standard mode.

Fixes: https://pagure.io/freeipa/issue/8118
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-11-14 16:01:15 +01:00
Francisco Trivino
cd887a48b5 prci: bump template version and fix test_smb gating definition
Template used: https://app.vagrantup.com/freeipa/boxes/ci-master-f31/versions/0.0.2
with installed packages updated.

This commit also replaces `fedora-30` with `fedora-latest` for test_smb gating definition

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2019-11-14 13:09:24 +01:00
Alexander Bokovoy
d243c188f2 Update contributors
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
2019-11-12 20:49:18 +02:00
Alexander Bokovoy
d317fd4de7 Update translations
Add Portuguese translation

Reviewed-By: Armando Neto <abiagion@redhat.com>
2019-11-12 17:08:43 +02:00
Armando Neto
99d6845dbe prci: bump fedora release
Fedora 31 is the latest release, Fedora 30 is now the previous release.

New template boxes were built for current tests definitions with
updated dependencies.

Boxes were generated after https://github.com/freeipa/freeipa-pr-ci/pull/321

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-11-12 09:16:11 -03:00
Armando Neto
c62bd1608e prci: rename definitions files and jobs to change how fedora releases are referenced
Replacing `fedora-30` with `fedora-latest` and `fedora-29` with `fedora-previous` will
reduce the changes required for new releases of Fedora.

Future changes would only require to update the name and version of the template used.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-11-12 09:16:11 -03:00
Christian Heimes
97a31e69e8 Use default ssh host key algorithms
ipa-client-install no longer overrides SSH client settings for
HostKeyAlgorithms. It's no longer necessary to configure
HostKeyAlgorithms. The setting was disabling modern algorithms and
enabled a weak algorithm that is blocked in FIPS code.

The ipa-client package removes IPA's custom HostKeyAlgorithm from
/etc/ssh/ssh_config during package update. Non-IPA settings are not
touched.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1756432
Fixes: https://pagure.io/freeipa/issue/8082
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-11-12 12:26:49 +01:00
Cédric Jeanneret
6c27104467 Prevents DNS Amplification Attack and allow to customize named
While [1] did open recursion, it also opened widely a security flaw.

This patch intends to close it back, while allowing operators to easily
add their open configuration within Bind9.

In order to allow operators to still open Bind recursion, a new file is
introduced, "ipa-ext.conf" (path might change according to the OS). This
file is not managed by the installer, meaning changes to it won't be
overridden.
Since it's included at the very end of the main configuration file, it
also allows to override some defaults - of course, operators have to be
careful with that.

Related-Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1754530
Fixes: https://pagure.io/freeipa/issue/8079

[1] 5f4c75eb28

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2019-11-12 10:49:49 +02:00
Sergey Orlov
f58fb573d1
ipatests: enable test_smb.py in gating.yaml
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-11-11 15:09:23 +01:00
Sergey Orlov
c2b230ce64
ipatests: replace ad hoc backup with FileBackup helper
Test test_smb_mount_and_access_by_different_users was failing with message
```
kdestroy: Permission denied while initializing krb5
```

This happened because the previous test
`test_smb_access_for_ad_user_at_ipa_client` was calling the fixture
`enable_smb_client_dns_lookup_kdc` which was doing backup of krb5.conf
in a wrong way:
- mktemp (to create a temp file)
- cp /etc/krb5.conf to the temp file
- ...
- mv tempfile /etc/krb5.conf

This flow looses the file permissions, because mktemp creates a file
using the default umask, which results in -rw------- permissions.
The copy does not modify the permissions, and the mv keeps the
permissions from the source => /etc/krb5.conf now has -rw-------.

Fixes: https://pagure.io/freeipa/issue/8115
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-11-11 15:09:23 +01:00
Sergey Orlov
72540c4233
ipatests: refactor FileBackup helper
* `cp` now preserves all attributes of original file, there is no reason
  to select only some of them
* backup is now restored with `mv` instead of `cp` to avoid leaving junk

Related to: https://pagure.io/freeipa/issue/8115

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-11-11 15:09:23 +01:00
Christian Heimes
0f4c41ab26 Add tests for member management
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-11-11 09:31:14 +01:00
Christian Heimes
f0a1f084b6 Add group membership management
A group membership manager is a user or a group that can add members to
a group or remove members from a group or host group.

Fixes: https://pagure.io/freeipa/issue/8114
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-11-11 09:31:14 +01:00
Florence Blanc-Renaud
87c24ebd34 smartcard: make the ipa-advise script compatible with authselect/authconfig
"ipa-advise config-client-for-smart-card-auth" is run on a server and
creates a script that needs to be copied and executed on a client.
The client may be of a different version and use authconfig instead of
authselect. The generated script must be able to handle both cases
(client using authselect or client using authconfig).

The patch checks whether authselect is available and calls the proper
configuration command (authselect or authconfig) depending on its
availability on the client.

Fixes: https://pagure.io/freeipa/issue/8113
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-11-08 12:57:54 +01:00
Rob Crittenden
3593e53622 Conditionally restart certmonger after client installation
If certmonger is running prior to client installation then its
IPA CA configuration will be incomplete and missing the CA chain.

If a certificate is subsequently requested with -F to store the
CA chain in a file or NSS db it may not be available yet. A
conditional restart of certmonger will pick up the new IPA
configuration and complete the IPA CA configuration in certmonger.

A pure restart and service activation is not done since certmonger
is not required unless --request-cert was passed ipa-client-install.

https://pagure.io/freeipa/issue/8105

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Ade Lee <alee@redhat.com>
2019-11-07 13:00:15 -05:00
Rob Crittenden
1e3de17269 Add conditional restart (try-restart) capability to services
This will conditionally restart a service if it is active.

https://pagure.io/freeipa/issue/8105

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Ade Lee <alee@redhat.com>
2019-11-07 13:00:15 -05:00
Robbie Harwood
3cb9444c4c Provide modern example enctypes in ipa-getkeytab(1)
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-11-06 15:39:51 -05:00
Christian Heimes
560acf3748 Skip commented lines after substitution
LDAP updater now ignores commented out lines after substitution.

Fixes: https://pagure.io/freeipa/issue/8111
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-11-05 11:48:28 -05:00
Christian Heimes
bc56642bf9 Block camellia in krbenctypes update in FIPS
Add FIPS conditional to updates to prevent updater from adding camellia
encsalttypes.

Fixes: https://pagure.io/freeipa/issue/8111
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-11-05 11:48:28 -05:00
Sergey Orlov
f16c08b7d6
ipatests: in DNS zone file add A record for name server
Testcase test_server_option_with_unreachable_ad creates a zone file
for AD domain. This file had a hard-coded A record for host specified in
NS record. Some versions of BIND consider this zone invalid and refuse
to start with message:
```
zone ad.test/IN: NS 'root-dc.ad.test' has no address records (A or AAAA)
```

Fixed by replacing hard-coded value with short name of the AD instance.

Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2019-11-05 17:24:24 +01:00
Sergey Orlov
b10e43c3ea
ipatests: strip newline character when getting name of temp file
Function create_temp_file was returning unprocessed output of mktemp
command, which contains a trailing newline. Callers which tryed to write
to the temp file were creating a new one instead.

Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2019-11-05 17:24:24 +01:00
Rob Crittenden
09d5b938c1 Enable AES SHA 256 and 384-bit enctypes in Kerberos
https://pagure.io/freeipa/issue/8110

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-11-04 09:45:07 -05:00
Sergey Orlov
14be271533 ipatests: add test to check that only TLS 1.2 is enabled in Apache
Related to: https://pagure.io/freeipa/issue/7995

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-11-01 13:49:09 -04:00
Spencer E. Olson
73796c7797 Fixes debian path for IPA_CUSTODIA_HANDLER
Debian installs into a different directory for libexec files.  This patch
fixes the path to the custodia files for debian.

Signed-off-by: Spencer E. Olson <olsonse@umich.edu>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-11-01 13:46:14 -04:00
Stanislav Levin
c6769ad12f Fix errors found by Pylint-2.4.3
New Pylint (2.4.3) catches several new 'true problems'. At the same
time, it warns about things that are massively and reasonably
employed in FreeIPA.

list of fixed:
- no-else-continue
- redeclared-assigned-name
- no-else-break
- unnecessary-comprehension
- using-constant-test (false positive)

list of ignored (responsibility of contributors and reviewers):
- import-outside-toplevel

Fixes: https://pagure.io/freeipa/issue/8102
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2019-10-21 18:01:32 +11:00
François Cami
f44b73b97c ipatests: nightly_f29: disable TestIpaClientAutomountFileRestore
The fixes for https://pagure.io/freeipa/issue/8054 and
https://pagure.io/freeipa/issue/8038 are intended for f30.
Given that the fixes will not be backported to f29, disable
that test.

Fixes: https://pagure.io/freeipa/issue/8063
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-10-18 22:40:00 +02:00
Armando Neto
3d8a444f62 prci: increase timeout argument for test_sssd.py
Follow-up for commit a4ca34261a.

Vagrant retries to provision hosts if something happens, it was introduced
in PR-CI after freeipa/freeipa-pr-ci@380c8b8.

This takes time, some jobs are killed during test execution, so this
adds 20 minutes more to `test_sssd.py` test suite.

This also adds a missing but available topology to `temp_commit.yaml`.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2019-10-18 11:27:09 -03:00
Florence Blanc-Renaud
921f500240 ipa-backup: fix python2 issue with os.mkdir
Python2 and python3 have different interfaces for os.mkdir:
python2: os.mkdir(path[, mode])
python3: os.mkdir(path, mode=0o777, *, dir_fd=None)

ipa-backup is using the python3 format, which breaks deployments using
python2. The fix consists in using os.mkdir(path, 0o700) instead of
os.mkdir(path, mode=0o700).

Fixes: https://pagure.io/freeipa/issue/8099
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2019-10-17 08:36:54 +02:00