Commit Graph

857 Commits

Author SHA1 Message Date
Christian Heimes
1921d33d41 Drop unused extended sleep feature from Sleeper
The extended sleep feature is not used at the moment.

Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-09-30 09:52:08 +02:00
Christian Heimes
aa67177f4c Add helper for poll/sleep loops with timeout
The Sleeper class is a helper that makes poll/sleep loops with timeout
easier to write. It takes care of edge cases and does not oversleep
timeout deadline.

Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-09-30 09:52:08 +02:00
Christian Heimes
69ebe41525 Fix nsslapd-db-lock tuning of BDB backend
nsslapd-db-lock was moved from cn=config,cn=ldbm database,cn=plugins,cn=config
entry to cn=bdb subentry. Manual patching of dse.ldif was no longer
working. Installations with 389-DS 1.4.3 and newer are affected.

Low lock count can affect performance during high load, e.g. mass-import
of users or lots of concurrent connections.

Bump minimal DS version to 1.4.3. Fedora 32 and RHEL 8.3 have 1.4.3.

Fixes: https://pagure.io/freeipa/issue/8515
See: https://pagure.io/freeipa/issue/5914
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-09-24 17:03:00 +02:00
Christian Heimes
96edff0b8c Add helpers for resolve1 and nameservers
detect_resolve1_resolv_conf() detects if systemd-resolved is enabled and
manages /etc/resolv.conf.

get_resolve1_nameservers() gets upstream DNS servers from
systemd-resolved's D-Bus interface.

get_dnspython_nameservers() gets upstream DNS servers from
/etc/resolv.conf via dns.python.

get_nameservers() gets a list of unique, non-loopback DNS server IP
addresses.

Also fixes setup.py to include D-Bus for ipalib instead of ipapython.

See: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-09-23 16:44:26 +02:00
Christian Heimes
b19d20e2db Use new classes for run_command and Service
User and Group now return unmodified instance when they are called with
an instance of themselves: User(user) is user.

run_command() and Service class accept either names or User object.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-09-22 09:23:18 -04:00
Stanislav Levin
b450c9bd32 dns: Make use of resolve_address of a current resolver instead of the global one
For now, `resolve_address` for dnspython < 2.0.0 is actually
the instance method of the global DNSResolver object and is not
the instance method of the corresponding object from which it was
called. This can result in unexpected behavior.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-31 17:24:40 +03:00
Stanislav Levin
49e643783d dnspython: Add compatibility shim
`dnspython` 2.0.0 has many changes and several deprecations like:

```
> dns.resolver.resolve() has been added, allowing control of whether
search lists are used. dns.resolver.query() is retained for backwards
compatibility, but deprecated. The default for search list behavior can
be set at in the resolver object with the use_search_by_default
parameter. The default is False.

> dns.resolver.resolve_address() has been added, allowing easy
address-to-name lookups.
```

The new class `DNSResolver`:
- provides the compatibility layer
- defaults the previous behavior (the search list configured in the
  system's resolver configuration is used for relative names)
- defaults lifetime to 15sec (determines the number of seconds
  to spend trying to get an answer to the question)

Fixes: https://pagure.io/freeipa/issue/8383
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-31 09:46:03 +03:00
Stanislav Levin
a102cfe5fa nss: Raise exception earlier on unsupported DB type
For now FreeIPA handles explicit migration of NSS DB (dbm->sql).
But Mozilla's NSS can be built without the support of legacy database
(DBM). This implies that neither implicit nor explicit DB migration
to SQL will work. So, eventually, this support will be removed from
FreeIPA.

With this patch, the instantiation of NSS with legacy db(if not
supported by NSS) is forbidden.

Fixes: https://pagure.io/freeipa/issue/8474
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-31 09:46:03 +03:00
Christian Heimes
e89b400713 Treat container subplatforms like main platform
ipa-server-upgrade does not like platform mismatches. Upgrade from an
old container to recent container fails with error message:

```
  IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
  ("Unable to execute IPA upgrade: platform mismatch (expected 'fedora', current 'fedora_container')", 1)
```

Upgrade state now treats a container subplatform like its main platform.
``fedora_container`` is really a ``fedora`` platform with some paths
redirected to ``/data`` partition.

The patch also enhances debug logging for installer and upgrader.

Related: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-07 17:54:06 +03:00
Fraser Tweedale
3c8352f9a7 acme: add certificate profile
Add a default certificate profile to be used with the ACME service.

The profile requires the (Dogtag) user interacting with the CA to be
a member of the (Dogtag) "ACME Agents" group.  For each CA server we
create a dedicated ACME agent account, make it a member of this
group, and configure the ACME issuer component to use that account.

Part of: https://pagure.io/freeipa/issue/4751

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-07-10 08:33:22 -04:00
Alexander Bokovoy
1f6ca418ee handle Y2038 in timestamp to datetime conversions
According to datetime.utcfromtimestamp() method documentation[1],
this and similar methods fail for dates past 2038 and can be replaced by
the following expression on the POSIX compliant systems:

  datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=timestamp)

Make sure to use a method that at least allows to import the timestamps
properly to datetime objects on 32-bit platforms.

[1] https://docs.python.org/3/library/datetime.html#datetime.datetime.utcfromtimestamp

Fixes: https://pagure.io/freeipa/issue/8378

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-06-25 09:18:02 +03:00
Christian Heimes
5c09dcdb98 Grammar: whitespace is a word
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-23 10:16:29 +02:00
Christian Heimes
f3e1171564 Explain the effect of OPT_X_TLS_PROTOCOL_MIN
OpenLDAP 2.4 sets minimum version with SSL_CTX_set_options(). The
system-wide crypto-policies for TLS minimum version are applied
with SSL_CTX_set_min_proto_version(). The set_option() call cannot
not enable lower versions than allowed by crypto-policy, e.g.
openssl.cnf MinProtocol=TLS1.2 + OPT_X_TLS_PROTOCOL_MIN=TLS1.0
result in TLS 1.2 as minimum protocol version.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-05-18 14:45:31 +02:00
Christian Heimes
aa341020c8 Disable password schema update on LDAP bind
389-DS 1.4.1+ attempts to update passwords to new schema on LDAP bind. IPA
blocks hashed password updates and requires password changes to go through
proper APIs. This option disables password hashing schema updates on bind.

See: https://pagure.io/freeipa/issue/8315
See: https://bugzilla.redhat.com/show_bug.cgi?id=1833266
See: https://pagure.io/389-ds-base/issue/49421
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-05-11 14:36:39 +02:00
Christian Heimes
6386c0cbdd Manually reformat ipapython/version.py.in
Add whitespaces around assignment operator and use consistent double
quotes.

https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-05-05 10:42:46 +02:00
Christian Heimes
c544d18f1a Silence W601 .has_key() is deprecated
Related: https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-05-05 10:42:46 +02:00
Christian Heimes
186d739d7f Fix E722 do not use bare 'except'
Related: https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-05-05 10:42:46 +02:00
Christian Heimes
690b5519f8 Fix E712 comparison to True / False
Related: https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-05-05 10:42:46 +02:00
Miro Hrončok
35e1ebb2f3 Fix a syntax typo
This worked for now, but is SyntaxError in Python 3.9.0a6:

  File "/usr/lib/python3.9/site-packages/ipapython/cookie.py", line 222
    return'/'
         ^
SyntaxError: invalid string prefix

(The Python change might actually be reverted before 3.9 final,
but this can be fixed anyway.)

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-05-04 08:12:58 +02:00
Christian Heimes
24cc13db89 Fix exception escape warning
W1661(exception-escape), RPCClient.forward]
Using an exception object that was bound by an except handler)

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-04-27 14:59:07 -04:00
Christian Heimes
49f909c9d3 Fix APIVersion.__getnewargs__
``__getnewargs__()`` must return a tuple.

Fixes ``E0312(invalid-getnewargs-returned), APIVersion.__getnewargs__]
 __getnewargs__ does not return a tuple)``.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-04-27 14:59:07 -04:00
Alexander Bokovoy
dd7fdaa77d DNS install check: allow overlapping zone to be from the master itself
When re-running `ipa-server-install --setup-dns` on already installed
server, we do not get to the check of being already installed because
DNS zone overlap forces us to fail earlier.

Change exception returned for this case from check_zone_overlap() to
return structured information that allows to understand whether we are
finding a conflict with ourselves.

Use the returned information to only fail DNS check at this point if DNS
zone overlap is generated by a different name server than ourselves.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-12-12 18:24:44 +01:00
Christian Heimes
d30dd52920 Check valid before/after of external certs
verify_server_cert_validity() and verify_ca_cert_validity() now check
the validity time range of external certificates. The check fails if the
certificate is not valid yet or will expire in less than an hour.

Fixes: https://pagure.io/freeipa/issue/8142
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-12-10 16:23:31 +01:00
Stanislav Levin
c6769ad12f Fix errors found by Pylint-2.4.3
New Pylint (2.4.3) catches several new 'true problems'. At the same
time, it warns about things that are massively and reasonably
employed in FreeIPA.

list of fixed:
- no-else-continue
- redeclared-assigned-name
- no-else-break
- unnecessary-comprehension
- using-constant-test (false positive)

list of ignored (responsibility of contributors and reviewers):
- import-outside-toplevel

Fixes: https://pagure.io/freeipa/issue/8102
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2019-10-21 18:01:32 +11:00
Christian Heimes
0b8c81a5bc Don't install a preexec_fn by default
ipautil.run() now only installs a preexec_fn when it is actually needed.
This addresses a compatibility issue with mod_wsgi subinterpreters under
Python 3.8.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1759290
See: https://bugs.python.org/issue37951
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-10-10 09:20:51 +02:00
Rafael Guterres Jeffman
c898be1df9 Removes several pylint warnings.
This patche removes 93 pylint deprecation warnings due to invalid escape
sequences (mostly 'invalid escape sequence \d') on unicode strings.

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-09-27 09:38:32 +02:00
Stanislav Levin
d0b420f6dd Fixed errors newly exposed by pylint 2.4.0
Newest Pylint introduced additional checks [1]:

- import-outside-toplevel [2]

> This check warns when modules are imported from places other
than a module toplevel, e.g. inside a function or a class.

- no-else-continue [3]

> These checks highlight unnecessary else and elif blocks after
break and continue statements.

- unnecessary-comprehension [4]

> This check is emitted when pylint finds list-, set- or
dict-comprehensions, that are unnecessary and can be rewritten
with the list-, set- or dict-constructors.

[1] https://github.com/PyCQA/pylint/blob/pylint-2.4.0/doc/whatsnew/2.4.rst
[2] https://github.com/PyCQA/pylint/issues/3067
[3] https://github.com/PyCQA/pylint/issues/2327
[4] https://github.com/PyCQA/pylint/issues/2905

Fixes: https://pagure.io/freeipa/issue/8077
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-09-25 20:14:06 +10:00
François Cami
02262ac7cf ipapython/ipachangeconf.py: change "is not 0" for "!= 0"
Python 3.8 introduced a warning to check for usage of "is not"
when comparing literals. Any such usage will output:
SyntaxWarning: "is not" with a literal. Did you mean "!="?
See: https://bugs.python.org/issue34850

Fixes: https://pagure.io/freeipa/issue/8057
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-09-02 17:39:11 +02:00
Rob Critenden
e5af8c19a9 Move ipachangeconf from ipaclient.install to ipapython
This will let us call it from ipaplatform.

Mark the original location as deprecated.

Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-08-28 22:15:50 -04:00
Christian Heimes
a36556e106 Allow insecure binds for migration
Commit 5be9341fba disallowed simple bind
over an insecure connection. Password logins were only allowed over LDAPS
or LDAP+STARTTLS. The restriction broke 'ipa migrate-ds' in some cases.

This commit lifts the restriction and permits insecure binds over plain
LDAP. It also makes the migrate-ds plugin use STARTTLS when a CA
certificate is configured with a plain LDAP connection.

Fixes: https://pagure.io/freeipa/issue/8040
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-08-13 18:43:58 +02:00
François Cami
402246a729
ipapython/admintool.py: use SERVER_NOT_CONFIGURED
Commit 9182917280a5c2590fa677729db54b38a9ac4d1f introduced
SUCCESS, SERVER_INSTALL_ERROR and SERVER_NOT_CONFIGURED to
deal with cases when server is not configured.
Actually use SERVER_NOT_CONFIGURED in log_failure instead of 2.

Related-to: https://pagure.io/freeipa/issue/6843
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-07-30 12:01:27 +02:00
Florence Blanc-Renaud
ef39e1b02a upgrade: remove ipaCert and key from /etc/httpd/alias
With ipa 4.5+, the RA cert is stored in files in
/var/lib/ipa/ra-agent.{key|pem}. The upgrade code handles
the move from /etc/httpd/alias to the files but does not remove
the private key from /etc/httpd/alias.

The fix calls certutil -F -n ipaCert to remove cert and key,
instead of -D -n ipaCert which removes only the cert.

Fixes: https://pagure.io/freeipa/issue/7329
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2019-07-15 17:08:21 +03:00
Alexander Bokovoy
d85e0550ca ipapython.ipautil.run: allow skipping stdout/stderr logging
There are cases when output from a utility run contains sensitive
content that is better to avoid logging. For example, klist can be told
to show actual encryption keys with -K option. Redacting them out with
nolog option to ipapython.ipautil.run() is not possible because
replacement routine expects exact matches.

Introduce two boolean options that allow to skip printing output from
the utility being run:
  -- nolog_output: skip printing captured stdout
  -- nolog_error: skip printing captured stderr

These options default to False (thus, stdout/stderr content will
continue to be printed). In case they were set to True, corresponding
line will contain

   stdout=<REDACTED>

or

   stderr=<REDACTED>

Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-06-29 11:00:28 +03:00
Alexander Bokovoy
cdb94e0ff2 ipaserver.install.installutils: move commonly used utils to ipapython.ipautil
When creating ipa-client-samba tool, few common routines from the server
installer code became useful for the client code as well.

Move them to ipapython.ipautil and update references as well.

Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-06-29 11:00:28 +03:00
Rob Crittenden
10b721d118 admintool: don't display log file on errors unless logging is setup
The admintool will display the message when something goes wrong:

See %s for more information" % self.log_file_name

This is handy except when finally logging setup is not done
yet so the log file doesn't actually get written to.

This can happen if validation catches and raises an exception.

Fixes: https://pagure.io/freeipa/issue/7952

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-06-11 19:42:50 +02:00
Fraser Tweedale
ad74729703 dn: sort AVAs when converting from x509.Name
Equal DNs with multi-valued RDNs can compare inequal if one (or
both) is constructed from a cryptography.x509.Name, because the AVAs
in the multi-valued RDNs are not being sorted.

Sort the AVAs when constructing from Name and add test cases for
equality checks on multi-valued RDNs constructed from inputs with
permuted AVA order.

Part of: https://pagure.io/freeipa/issue/7963

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-06-11 16:14:44 +10:00
Rob Crittenden
c1c50650a7 Return 0 on uninstall when on_master for case of not installed
This is to suppress the spurious error message:

The ipa-client-install command failed.

when the client is not configured.

This is managed by allowing a ScriptError to return SUCCESS (0)
and have this ignored in log_failure().

https://pagure.io/freeipa/issue/7836

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-06-07 11:24:45 +02:00
Rob Crittenden
1284bf1588 Drop list of return values to be ignored in AdminTool
This was an attempt to suppress client uninstallation failure
messages in the server uninstallation script. This method
inadvertently also suppressed client uninstallation messages and
was generally confusing.

This reverts part of b96906156b

https://pagure.io/freeipa/issue/7836

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-06-07 11:24:45 +02:00
Fraser Tweedale
891d54e46f dn: handle multi-valued RDNs in Name conversion
When applying DN to a cryptography.x509.Name, multi-valued RDNs get
"flattened" into separate RDNs.  Update the constructor to correctly
handle Name values with multi-valued RDNs.

Fixes: https://pagure.io/freeipa/issue/7963
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-05-28 10:03:00 +03:00
Florence Blanc-Renaud
64d187e56e NSSDatabase: fix get_trust_chain
In the get_trust_chain method, use certutil -O with the option
--simple-self-signed to make sure that self-signed certs properly
get processed.
Note: this option has been introduced in nss 3.38 and our spec file
already requires nss >= 3.41.

Scenario: when IPA CA is switched from self-signed to externally-signed,
then back to self-signed, the same nickname can be used in
/etc/pki/pki-tomcat/alias for the initial cert and the renewed certs. If
the original and renewed certs are present in the NSS db, running
$ certutil -O -n <IPA CA alias>
produces a complex output like the following (this command is used to find
the trust chain):
"CN=Cert Auth,O=ExtAuth" [CN=Cert Auth,O=ExtAuth]

  "caSigningCert cert-pki-ca" [CN=Certificate Authority,O=DOMAIN.COM]

    "caSigningCert cert-pki-ca" [CN=Certificate Authority,O=DOMAIN.COM]

The renewal code is disturbed by this output.
If, on the contrary, certutil -O --simple-self-signed -n <IPA CA alias> is
used to extract the trust chain, the output is as expected for a self-signed
cert:
"caSigningCert cert-pki-ca" [CN=Certificate Authority,O=DOMAIN.COM]

As a result, the scenario self-signed > externally signed > self-signed
works.

Fixes: https://pagure.io/freeipa/issue/7926
Reviewed-By: Oleg Kozlov <okozlov@redhat.com>
2019-05-24 17:18:56 -04:00
Rob Crittenden
ecc08e3983 Use AES-128-CBC for PKCS#12 encryption when creating files (FIPS)
A PKCS#12 file is generated from a set of input files in various
formats. This file is then used to provide the public and private
keys and certificate chain fro importing into an NSS database.

In order to work in FIPS mode stronger encryption is required.

The default OpenSSL certificate algo is 40-bit RC2 which is not
allowed in FIPS mode. The default private key algo is 3DES.
Use AES-128 instead for both.

Fixes: https://pagure.io/freeipa/issue/7948

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-14 12:46:56 -04:00
Christian Heimes
64dc92ccb4 Load libldap_r-*.so.2
libldap_r.so is only available in the OpenLDAP development packages. The
openldap package provides libldap_r-*.so.2.

Fixes: https://pagure.io/freeipa/issue/7941
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-05-14 12:27:55 +02:00
Alexander Bokovoy
294aa3a333 Revert "Require a minimum SASL security factor of 56"
This reverts commit 3509545897.

We cannot force increase in minimum SASL security factor until our
consumers are ready to deal with it. Unfortunately, realmd uses
anonymous connection for discovery and validation of IPA LDAP server.

The way it is done is fragile (it doesn't take into account an
advertised IPA version, only checks that 'IPA' string exists in the info
field) but since bumping of minimum SSF prevents reading IPA info field
using anonymous connection, client enrollment fails.

We should get back to bumping minimum SSF after realmd and other
potential consumers are fixed.

Reviewed-By: François Cami <fcami@redhat.com>
2019-05-02 11:39:23 +02:00
Christian Heimes
2a459ce0f2 Make python-ldap optional for PyPI packages
python-ldap is a Python package with heavy C extensions. In order to
build python-ldap, not only OpenLDAP development headers are necessary,
but also OpenSSL, Cyrus SASL, and MIT KRB5 development headers.

A fully functional ipaclient doesn't need an LDAP driver. It talks JSON
RPC over HTTPS to a server. python-ldap is only used by ipapython.dn.DN
to convert a string to a DN with ldap_str2dn(). The function is simple
and can be wrapped with ctypes in a bunch of lines.

Related: https://pagure.io/freeipa/issue/6468
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-26 12:53:23 +02:00
Christian Heimes
36c65c4aaa Remove deprecated object logger
The object logger methods been deprecated for about two years since release
4.6.0. The log manager used to moneky-patch additional log methods like
info(), warning(), and error() into API plugin objects. The methods have
been replaced by calls to module logger objects in 4.6.0.

Remove monkey-patch logger methods, log manager, and its root logger from
ipapython.ipa_log_manager.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-04-23 12:55:35 +02:00
Christian Heimes
a5213140c3 Make netifaces optional
netifaces is a binary Python extension. Outside of the installer, it's
only used by CheckedIPAddress.get_matching_interface, which is only
called from installer code.

Make the import of netifaces optional to reduce the amount of
dependencies for PyPI package use case. Binary extensions are especially
annoying, because they depend on shared libraries, compiler, and header
files to be present.

Related: https://pagure.io/freeipa/issue/6468
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Oleg Kozlov <okozlov@redhat.com>
2019-04-09 11:28:37 +02:00
Christian Heimes
3c354e74f3 Verify external CA's basic constraint pathlen
IPA no verifies that intermediate certs of external CAs have a basic
constraint path len of at least 1 and increasing.

Fixes: https://pagure.io/freeipa/issue/7877
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-04 10:05:10 +02:00
Christian Heimes
3509545897
Require a minimum SASL security factor of 56
SSF_MINX 56 level ensures data integrity and confidentiality for SASL
GSSAPI and SASL GSS SPNEGO connections.

Although at least AES128 is enforced pretty much everywhere, 56 is required
for backwards compatibility with systems that announce wrong SSF.

Related: https://pagure.io/freeipa/issue/7140
Related: https://pagure.io/freeipa/issue/4580
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2019-04-03 15:16:21 +02:00
Christian Heimes
3cb1ccb3b0 Add option to remove lines from a file
config_replace_variables() can now also remove lines from a file.

Related: https://pagure.io/freeipa/issue/7860
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-02 19:35:38 +02:00
Rob Crittenden
6defe32055 Send only the path and not the full URI to httplib.request
Sending the full uri was causing httplib to send requests as:

POST http://ipa.example.com/ca/admin/ca/getStatus HTTP/1.1

From what I can tell tomcat changed its URL handling due to a CVE
(BZ 1552375). This has been wrong in freeipa since the CA status
checking was added, d6fbbd5 , but tomcat handled it fine so we
didn't notice.

https://pagure.io/freeipa/issue/7883

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-03-19 11:00:43 -04:00
Christian Heimes
5be9341fba Add constructors to ldap client
Add LDAPClient.from_realm(), LDAPClient.from_hostname_secure(), and
LDAPClient.from_hostname_plain() constructors.

The simple_bind() method now also refuses to transmit a password over a
plain, unencrypted line.

LDAPClient.from_hostname_secure() uses start_tls and FreeIPA's CA cert
by default. The constructor also automatically disables start_tls for
ldaps and ldapi connections.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-02-05 08:39:13 -05:00
Christian Heimes
d5d9233b7c Move realm_to_serverid/ldap_uri to ipaldap
The helper function realm_to_serverid() and realm_to_ldap_uri() are
useful outside the server installation framework. They are now in
ipapython.ipaldap along other helpers for LDAP handling in FreeIPA.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-02-05 08:39:13 -05:00
Christian Heimes
165a941109
Don't configure KEYRING ccache in containers
Kernel keyrings are not namespaced yet. Keyrings can leak into other
containers. Therefore keyrings should not be used in containerized
environment.

Don't configure Kerberos to use KEYRING ccache backen when a container
environment is detected by systemd-detect-virt --container.

Fixes: https://pagure.io/freeipa/issue/7807
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2019-01-18 11:33:11 +01:00
Florence Blanc-Renaud
372c2fc990 ipaldap.py: fix method creating a ldap filter for IPACertificate
ipa user-find --certificate and ipa host-find --certificate
fail to return matching entries, because the method transforming
the attribute into a LDAP filter does not properly handle
IPACertificate objects.
Directory Server logs show a filter with
(usercertificate=ipalib.x509.IPACertificate object at 0x7fc0a5575b90>)

When the attribute contains a cryptography.x509.Certificate,
the method needs to extract the public bytes instead of calling str(value).

Fixes https://pagure.io/freeipa/issue/7770

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-27 17:20:35 -05:00
Christian Heimes
533a5b2633 pylint 2.2: Fix unnecessary pass statement
pylint 2.2.0 has a new checker for unnecessary pass statements. There is
no need to have a pass statement in functions or classes with a doc
string.

Fixes: https://pagure.io/freeipa/issue/7772
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2018-11-26 16:54:43 +01:00
Christian Heimes
13917ddc55 certdb: validate server cert signature
PR https://github.com/freeipa/freeipa/pull/2554 added the '-e' option for CA
cert validation. Let's also verify signature, key size, and signing algorithm
of server certs. With the '-e' option, the installer and other
tools will catch weak certs early.

Fixes: pagure.io/freeipa/issue/7761
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-11-14 07:57:13 +01:00
Fraser Tweedale
61e1d7a83b certdb: validate certificate signatures
When verifying a CA certificate, validate its signature.  This
causes FreeIPA to reject certificate chains with bad signatures,
signatures using unacceptable algorithms, or certificates with
unacceptable key sizes.  The '-e' option to 'certutil -V' was the
missing ingredient.

An an example of a problem prevented by this change, a certifiate
signed by a 1024-bit intermediate CA, would previously have been
imported by ipa-cacert-manage, but would cause Dogtag startup
failure due to failing self-test.  With this change,
ipa-cacert-manage will reject the certificate:

  # ipa-cacert-manage renew --external-cert-file /tmp/ipa.p7
  Importing the renewed CA certificate, please wait
  CA certificate CN=Certificate Authority,O=IPA.LOCAL 201809261455
  in /tmp/ipa.p7 is not valid: certutil: certificate is invalid: The
  certificate was signed using a signature algorithm that is
  disabled because it is not secure.

Fixes: https://pagure.io/freeipa/issue/7761
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-13 14:19:18 +01:00
Fraser Tweedale
d731f6fd74 certdb: ensure non-empty Subject Key Identifier
Installation or IPA CA renewal with externally-signed CA accepts an
IPA CA certificate with empty Subject Key Identifier. This is
technically legal in X.509, but is an operational issue.
Furthermore, due to an extant bug in Dogtag
(https://pagure.io/dogtagpki/issue/3079) it will cause Dogtag
startup failure.

Reject CA certificates with empty Subject Key Identifier.

Fixes: https://pagure.io/freeipa/issue/7762
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-12 11:23:16 +01:00
Fraser Tweedale
4cd26fcba5 ipaldap: avoid invalid modlist when attribute encoding differs
ipaldap does not take into account the possibility of the attribute
encoding returned by python-ldap differing from the attribute
encoding produced by FreeIPA.  In particular this can occur with DNs
with special characters that require escaping.  For example,
python-ldap (or the underlying LDAP library) escapes special
characters using hex encoding:

  CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\2C Inc.,L=Brisbane,C=AU

Whereas FreeIPA, when encoding the DN, escapes the character
directly:

  CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\, Inc.,L=Brisbane,C=AU

Therefore it is possible to generate an invalid modlist. For
example, during external CA certificate renewal, if the issuer DN
includes a comma in one of the attribute values (as above), an
invalid modlist will be generated:

  [ (ldap.MOD_ADD, 'ipacaissuerdn',
      [b'CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\, Inc.,L=Brisbane,C=AU'])
  , (ldap.MOD_DELETE, 'ipacaissuerdn',
      [b'CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\2C Inc.,L=Brisbane,C=AU'])
  ]

Although encoded differently, these are the same value.  If this
modification is applied to the object, attributeOrValueExists (error
20) occurs.

To avoid the issue, put deletes before adds in the modlist.  If a
value is present (with different encodings) as both an addition and
a deletion, it must be because the original object contained the
value with a different encoding.  Therefore it is safe to delete it,
then add it back.

Note that the modlist is not optimal.  In the simplest case (like
above example), there should be no modification to perform.  It is
considerably more complex (and more computation) to implement this
because the raw attribute values must be decoded before comparison.

Fixes: https://pagure.io/freeipa/issue/7750
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-06 10:59:06 +01:00
Florence Blanc-Renaud
9e1c26c755 certdb: provide meaningful err msg for wrong PIN
ipa-server-install or ipa-replica-install do not provide
a meaningful error message in CA-less mode when the install
fails because of a wrong PIN.

Update the err msg so that it provides a hint to the user.

Fixes https://pagure.io/freeipa/issue/5378

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-10-09 14:53:56 +02:00
Christian Heimes
15d5e44ee8 Py3: Replace six.moves imports
Replace six.moves and six.StringIO/BytesIO imports with cannonical
Python 3 packages.

Note: six.moves.input behaves differently than builtin input function.
Therefore I left six.moves.input for now.

See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-10-05 12:06:19 +02:00
Christian Heimes
ed967ec24d Py3: Replace six.bytes_type with bytes
See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-09-27 16:11:18 +02:00
Christian Heimes
61156b0a50 Py3: Replace six.text_type with str
On Python 3, six.text_type (singular) is an alias for str.

See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-09-27 16:11:18 +02:00
Christian Heimes
ea396528b7 Py3: Replace six.integer_types with int
In Python 3, six.integer_types is (int,). In most places, the alias can
be simply replaced with int. In other places, it was possible to
simplify the code by unpacking the tuple.

See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-09-27 16:11:18 +02:00
Christian Heimes
964a9bdcec Py3: Replace six.string_types with str
In Python 3, six.string_types is just an alias for str.

See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-09-27 16:11:18 +02:00
Christian Heimes
b431e9b684 Py3: Remove subclassing from object
Python 2 had old style and new style classes. Python 3 has only new
style classes. There is no point to subclass from object any more.

See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-09-27 11:49:04 +02:00
Christian Heimes
4a58adf79e Sprinkle raw strings across the code base
tox / pytest is complaining about lots and lots of invalid escape
sequences in our code base. Sprinkle raw strings or backslash escapes
across the code base to fix most occurences of:

  DeprecationWarning: invalid escape sequence

There is still one warning that keeps repeating, though:

  source:264: DeprecationWarning: invalid escape sequence \d

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-09-27 10:23:03 +02:00
Christian Heimes
21f14e9893 Remove Python 2 support and packages
Remove Python 2 related code and configuration from spec file, autoconf
and CI infrastructure. From now on, FreeIPA 4.8 requires at least Python
3.6. Python 2 packages like python2-ipaserver or python2-ipaclient are
no longer available. PR-CI, lint, and tox aren't testing Python 2
compatibility either.

See: https://fedoraproject.org/wiki/Changes/FreeIPA_Python_2_Removal
Fixes: https://pagure.io/freeipa/issue/7568
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-09-06 17:39:00 +02:00
Florence Blanc-Renaud
f0228fa649 uninstall -v: remove Tracebacks
ipa-server-install --uninstall -v -U prints Traceback in its log file.
This issue happens because it calls subprocess.Popen with close_fds=True
(which closes all file descriptors in the child process)
but it is trying to use the file logger in the child process
(preexec_fn is called in the child just before the child is executed).
The fix is using the logger only in the parent process.

Fixes: https://pagure.io/freeipa/issue/7681
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-08-23 12:06:45 +02:00
Alexander Scheel
fc0f6b4351 Add missing docstrings to kernel_keyring.py
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-08-20 17:58:16 -04:00
Alexander Scheel
3322aad7da Add docstring to verify_kdc_cert_validity
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-08-20 17:58:16 -04:00
Stanislav Laznicka
d473278621
ipatests: add installer framework testing
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-07-19 08:42:33 +02:00
Armando Neto
3ccd512dab Disable Pylint 2.0 violations
Globally disabling the following violations:

- `assignment-from-no-return` (E1111):
  Assigning to function call which doesn't return. Used when an
  assignment is done on a function call but the inferred function
  doesn't return anything.

- `keyword-arg-before-vararg` (W1113):
  Keyword argument before variable positional arguments list in the
  definition of %s function When defining a keyword argument before
  variable positional arguments, one can end up in having multiple
  values passed for the aforementioned parameter in case the method is
  called with keyword arguments.

Locally disabling the following:

- `subprocess-popen-preexec-fn` (W1509):
  Using preexec_fn keyword which may be unsafe in the presence of
  threads The preexec_fn parameter is not safe to use in the presence
  of threads in your application. The child process could deadlock
  before exec is called. If you must use it, keep it trivial! Minimize
  the number of libraries you call into.
  https://docs.python.org/3/library/subprocess.html#popen-constructor

Fixed violations:

- `bad-mcs-classmethod-argument` (C0204):
  Metaclass class method %s should have %s as first argument Used when
  a metaclass class method has a first argument named differently than
  the value specified in valid-metaclass-classmethod-first-arg option
  (default to "mcs"), recommended to easily differentiate them from
  regular instance methods.
  - Note: Actually `cls` is the default first arg for `__new__`.

- `consider-using-get` (R1715):
  Consider using dict.get for getting values from a dict if a key is
  present or a default if not Using the builtin dict.get for getting a
  value from a dictionary if a key is present or a default if not, is
  simpler and considered more idiomatic, although sometimes a bit slower

Issue: https://pagure.io/freeipa/issue/7614

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-07-16 17:03:35 +02:00
Armando Neto
d13571942e Fix Pylint 2.0 violations
Fix the following violations aiming to support Pylint 2.0

- `unneeded-not` (C0113):
  Consider changing "not item in items" to "item not in items" used
  when a boolean expression contains an unneeded negation.

- `useless-import-alias` (C0414):
  Import alias does not rename original package Used when an import
  alias is same as original package.e.g using import numpy as numpy
  instead of import numpy as np

- `raising-format-tuple` (W0715):
  Exception arguments suggest string formatting might be intended Used
  when passing multiple arguments to an exception constructor, the
  first of them a string literal containing what appears to be
  placeholders intended for formatting

- `bad-continuation` (C0330):
  This was already included on the disable list, although with current
  version of pylint (2.0.0.dev2) violations at the end of the files
  are not being ignored.
  See: https://github.com/PyCQA/pylint/issues/2278

- `try-except-raise` (E0705):
  The except handler raises immediately Used when an except handler
  uses raise as its first or only operator. This is useless because it
  raises back the exception immediately. Remove the raise operator or
  the entire try-except-raise block!

- `consider-using-set-comprehension` (R1718):
  Consider using a set comprehension Although there is nothing
  syntactically wrong with this code, it is hard to read and can be
  simplified to a set comprehension.Also it is faster since you don't
  need to create another transient list

- `dict-keys-not-iterating` (W1655):
  dict.keys referenced when not iterating Used when dict.keys is
  referenced in a non-iterating context (returns an iterator in
  Python 3)

- `comprehension-escape` (W1662):
  Using a variable that was bound inside a comprehension Emitted when
  using a variable, that was bound in a comprehension handler, outside
  of the comprehension itself. On Python 3 these variables will be
  deleted outside of the comprehension.

Issue: https://pagure.io/freeipa/issue/7614

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-07-14 12:04:19 +02:00
Christian Heimes
f89e501ee1 Handle races in replica config
When multiple replicas are installed in parallel, two replicas may try
to create the cn=replica entry at the same time. This leads to a
conflict on one of the replicas. replica_config() and
ensure_replication_managers() now handle conflicts.

ipaldap now maps TYPE_OR_VALUE_EXISTS to DuplicateEntry(). The type or
value exists exception is raised, when an attribute value or type is
already set.

Fixes: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2018-07-12 15:26:25 +02:00
Armando Neto
ba954efafd Fix pylint 2.0 conditional-related violations
In order to support pylint 2.0 the following violations must be fixed:

- `chained-comparison` (R1716):
  Simplify chained comparison between the operands This message is
  emitted when pylint encounters boolean operation like
  "a < b and b < c", suggesting instead to refactor it to "a < b < c".

- `consider-using-in` (R1714):
  Consider merging these comparisons with "in" to %r To check if a
  variable is equal to one of many values,combine the values into a
  tuple and check if the variable is contained "in" it instead of
  checking for equality against each of the values.This is faster
  and less verbose.

Issue: https://pagure.io/freeipa/issue/7614

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-07-12 08:49:43 +02:00
Armando Neto
b4ad0d19a2 Fix pylint 2.0 return-related violations
Aiming to support pylint 2.0 some functions and methods must have their
return statements updated in order to fix two new violations:

- `useless-return` (R1711):
  Useless return at end of function or method Emitted when a single
  "return" or "return None" statement is found at the end of function
  or method definition. This statement can safely be removed because
  Python will implicitly return None

- `inconsistent-return-statements` (R1710):
  Either all return statements in a function should return an
  expression, or none of them should. According to PEP8, if any return
  statement returns an expression, any return statements where no value
  is returned should explicitly state this as return None, and an
  explicit return statement should be present at the end of the
  function (if reachable)

Issue: https://pagure.io/freeipa/issue/7614

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-07-11 10:11:38 +02:00
Armando Neto
b274da726b Replace file.flush() calls with flush_sync() helper
Calls to `os.fsync(f.fileno())` need to be accompained by `f.flush()`.

Commit 8bbeedc93f introduces the helper
`ipapython.ipautil.flush_sync()`, which handles all calls in the right
order.

However, `flush_sync()` takes as parameter a file object with fileno
and name, where name must be a path to the file, this isn't possible
in some cases where file descriptors are used.

Issue: https://pagure.io/freeipa/issue/7251

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-07-07 10:20:01 +02:00
Christian Heimes
9c86d35a3f Cleanup shebang and executable bit
- Add missing executable bits to all scripts
- Remove executable bits from all files that are not scripts,
  e.g. js, html, and Python libraries.
- Remove Python shebang from all Python library files.

It's frown upon to have executable library files in site-packages.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2018-07-05 19:46:42 +02:00
Christian Heimes
198a2c6112 Import ABCs from collections.abc
Python 3 has moved all collection abstract base classes to
collections.abc. Python 3.7 started to deprecate the old aliases.

The whole import block needs to be protected with import-error and
no-name-in-module, because Python 2 doesn't have collections.abc module and
collections.abc.Mapping, while Python 3 doesn't have collections.Mapping.

Fixes: https://pagure.io/freeipa/issue/7609
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-07-05 19:45:10 +02:00
Christian Heimes
6896c90eb2 Extend Sub CA replication test
Test more scenarios like replication replica -> master. Verify that master
and replica have all expected certs with correct trust flags and all keys.

See: https://pagure.io/freeipa/issue/7590
See: https://pagure.io/freeipa/issue/7589
Fixes: https://pagure.io/freeipa/issue/7611
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-07-04 09:32:54 +02:00
Rob Crittenden
b96906156b
Improve console logging for ipa-server-install
The server installation and uninstallation overlaps both the
server and client installers. The output could be confusing
with a server uninstall finishing with the message:

The ipa-client-install command was successful

This was in part due to the fact that the server was not
configured with a console format and verbose was False which
meant that no logger messages were displayed at all.

In order to suppress client installation errors and avoid
confusion add a list of errors to ignore. If a server install
was not successful and hadn't gotten far enough to do the
client install then we shouldn't complain loudly about it.

https://pagure.io/freeipa/issue/6760

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-06-20 08:38:03 +02:00
Christian Heimes
f90e137a17 Sort and shuffle SRV record by priority and weight
On multiple occasions, SRV query answers were not properly sorted by
priority. Records with same priority weren't randomized and shuffled.
This caused FreeIPA to contact the same remote peer instead of
distributing the load across all available servers.

Two new helper functions now take care of SRV queries. sort_prio_weight()
sorts SRV and URI records. query_srv() combines SRV lookup with
sort_prio_weight().

Fixes: https://pagure.io/freeipa/issue/7475
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-19 08:56:46 +02:00
Christian Heimes
0a87de5ed5 Backport gzip.decompress for Python 2
Python 2 doesn't have gzip.decompress(data: bytes) -> bytes function.
Backport the two line function from Python 3.6.

Fixes: https://pagure.io/freeipa/issue/7563
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-05-30 15:09:55 +02:00
Fraser Tweedale
1da3eddf56 Handle compressed responses from Dogtag
We currently accept compressed responses for some Dogtag resources,
via an 'Accept: gzip, deflate' header.  But we don't decompress the
received data.  Inspect the response Content-Encoding header and
decompress the response body according to its value.

The `gzip.decompress` function is only available on Python 3.2 or
later.  In earlier versions, it is necessary to use StringIO and
treat the compressed data as a file.  This commit avoids this
complexity.  Therefore it should only be included in Python 3 based
releases.

Fixes: https://pagure.io/freeipa/issue/7563
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-05-30 15:09:55 +02:00
Stanislav Laznicka
f47d86c719 Move config directives handling code
Move config directives handling code:
        ipaserver.install.installutils -> ipapython.directivesetter

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-05-29 17:03:56 +02:00
Christian Heimes
9a9c8ced30 Use sane default settings for ldap connections
LDAP connections no longer depend on sane settings in global ldap.conf
and use good default settings for cert validation, CA, and SASL canonization.

https://pagure.io/freeipa/issue/7418

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-05-29 15:30:37 +02:00
Alexander Bokovoy
c61151f6aa pylint3: workaround false positives reported for W1662
Pylint3 falsely reports warning W1662: using a variable that was bound
inside a comprehension for the cases where the same name is reused for a
loop after the comprehension in question.

Rename the variable in a loop to avoid it.

If the code looks like the following:

  arr = [f for f in filters if callable(f)]
  for f in arr:
      result = result + f()

pylint3 would consider 'f' used outside of comprehension. Clearly, this
is a false-positive warning as the second 'f' use is completely
independent of the comprehension's use of 'f'.

Reviewed-By: Aleksei Slaikovskii <aslaikov@redhat.com>
2018-05-17 16:55:42 -04:00
Rob Crittenden
648d7c0d38 Disable message about log in ipa-backup if IPA is not configured
Introduce server installation constants similar to the client
but only tie in SERVER_NOT_CONFIGURED right now.

For the case of not configured don't spit out the "See <some log>
for more information" because no logging was actually done.

In the case of ipa-backup this could also be confusing if the
--log-file option was also passed in because it would not be
used.

https://pagure.io/freeipa/issue/6843

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-05-03 17:34:45 +02:00
Rob Crittenden
41352ef938 Revert run_pk12util part of 807a5cbe7c
Only certutil creates files in the local directory. Changing the
directory for pk12util breaks ipa-server-certinstall if the
PKCS#12 file is not passed in as an absolute path.

https://pagure.io/freeipa/issue/7489

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
2018-04-20 08:51:37 -04:00
Stanislav Laznicka
b5bdd07bc5
Add absolute_import future imports
Add absolute_import from __future__ so that pylint
does not fail and to achieve python3 behavior in
python2.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-04-20 09:43:37 +02:00
Christian Heimes
807a5cbe7c certdb: Move chdir into subprocess call
According to a comment, certutil may create files in the current working
directory. Rather than changing the cwd of the current process,
FreeIPA's certutil wrapper now changes cwd for the subprocess only.

See: https://pagure.io/freeipa/issue/7416
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-10 17:35:17 +02:00
Christian Heimes
6aca027ecc Fix installer CA port check for port 8080
The installer now checks that port 8080 is available and not in use by
any other application.

The port checker has been rewritten to use bind() rather than just
checking if a server responds on localhost. It's much more reliable and
detects more problems.

Original patch by m3gat0nn4ge.

Co-authored-by: Mega Tonnage <m3gat0nn4ge@gmail.com>
Fixes: https://pagure.io/freeipa/issue/7415
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-04 08:58:48 +02:00
Rob Crittenden
64fca87a52 Remove the Continuous installer class, it is unused
https://pagure.io/freeipa/issue/7330

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-03-19 17:38:41 +01:00
Rob Crittenden
68c7b03689 Return a value if exceptions are raised in server uninstall
The AdminTool class purports to "call sys.exit() with the return
value" but most of the run implementations returned no value, or
the methods they called returned nothing so there was nothing to
return, so this was a no-op.

The fix is to capture and bubble up the return values which will
return 1 if any exceptions are caught.

This potentially affects other users in that when executing the
steps of an installer or uninstaller the highest return code
will be the exit value of that installer.

Don't use the Continuous class because it doesn't add any
value and makes catching the exceptions more difficult.

https://pagure.io/freeipa/issue/7330

Signed-off-by: Rob Crittenden rcritten@redhat.com
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-03-19 17:38:41 +01:00
Christian Heimes
df99af4a68 Remove unused modutils wrappers from NSS/CertDB
The disable system trust feature is no longer used.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-23 11:04:10 +01:00
Christian Heimes
66a32d8931 NSS: Force restore of SELinux context
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-23 11:04:10 +01:00
Christian Heimes
492e3c9b1e NSSDB: Let certutil decide its default db type
CertDB no longer makes any assumptions about the default db type of a NSS
DB. Instead it let's certutil decide when dbtype is set to 'auto'. This
makes it much easier to support F27 and F28 from a single code base.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-23 11:04:10 +01:00
Christian Heimes
c5fb6c8502 Prepare migration of mod_nss NSSDB to sql format
- Refactor CertDB to look up values from its NSSDatabase.
- Add run_modutil() helpers to support sql format. modutil does not
  auto-detect the NSSDB format.
- Add migration helpers to CertDB.
- Add explicit DB format to NSSCertificateDatabase stanza
- Restore SELinux context when migrating NSSDB.
- Add some debugging and sanity checks to httpinstance.

The actual database format is still dbm. Certmonger on Fedora 27 does
neither auto-detect DB format nor support SQL out of the box.

https://pagure.io/freeipa/issue/7354

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-23 11:04:10 +01:00
Christian Heimes
9c2c3df0ab Add better CalledProcessError and run() logging
In case of an error, ipapython.ipautil.run() now raises an exception that
contains the error message of the failed command. Before the exception
only contained the command and error code.

The command is no longer collapsed into one string. The error message
and logging output contains the actual command and arguments with intact
quoting.

Example:
CalledProcessError(Command ['/usr/bin/python3', '-c', 'import sys; sys.exit(" ".join(("error", "XXXXXXXX")))'] returned non-zero exit status 1: 'error XXXXXXXX\n')

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-02-20 13:03:01 +01:00