Commit Graph

13058 Commits

Author SHA1 Message Date
German Parente
ef324a7f13 ipa-replica-manage: remove "last init status" if it's None.
we remove the "last init status" section in the output of
ipa-replica-manage to avoid confusion and show epoch date
when status is None

Fixes: https://pagure.io/freeipa/issue/7716

Signed-off-by: German Parente <gparente@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-28 09:47:55 +02:00
Mohammad Rizwan Yusuf
581b7148f4 Test if ipactl restart restarts the pki-tomcatd
Wrong logic was triggering the start instead of restart
for pki-tomcatd. This test validates that restart
called on pki-tomcat properly.

related ticket : https://pagure.io/freeipa/issue/7927

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2019-05-28 09:43:40 +02:00
Fraser Tweedale
f9b22283dd add test for external CA key size sanity check
We recently added validation of externally-signed CA certificate to
ensure certificates signed by external CAs with too-small keys
(according to system crypto policy) are rejected.

Add an integration test that attempts to renew with a 1024-bit
external CA, and asserts failure.

Part of: https://pagure.io/freeipa/issue/7761

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-28 10:04:30 +03:00
Fraser Tweedale
891d54e46f dn: handle multi-valued RDNs in Name conversion
When applying DN to a cryptography.x509.Name, multi-valued RDNs get
"flattened" into separate RDNs.  Update the constructor to correctly
handle Name values with multi-valued RDNs.

Fixes: https://pagure.io/freeipa/issue/7963
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-05-28 10:03:00 +03:00
Stanislav Levin
3f33ac88bd Make pycodestyle results identical
Currently, pycodestyle is running on:
- make fastlint:
  `$(PYTHON) -m pycodestyle --diff`

  According to docs:
  ```
  The project options are read from the [pycodestyle] section of the
  tox.ini file or the setup.cfg file located in any parent folder of the
  path(s) being processed.
  ```

  So, pycodestyle respects tox.ini:
  ```
  [pycodestyle]
  # E402 module level import not at top of file
  # W504 line break after binary operator
  ignore = E402, W504
  ```

- PR Travis `lint`:
  `pycodestyle --ignore=W504 --diff &> $PEP8_ERROR_LOG ||:`

  According to docs:
  ```
  Please note that if the option –ignore=errors is used, the
  default configuration will be overridden and ignore only the
  check(s) you skip.
  ```

  So, pycodestyle doesn't respect tox.ini.

For now, fastlint ignores E402, W504, while Travis lint ignores only W504.
This issue is exposed by Azure Pipelines, which employs fastlint.

Fixes: https://pagure.io/freeipa/issue/7962
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-28 10:01:23 +03:00
Alexander Bokovoy
a9bcf531a6 ipa-pwd-extop: do not remove MagicRegen mod, replace it
In 2012, ldbm backend in 389-ds started checking entry modification
after running betxnpreop plugins by comparing a number of modifications
before and after. If that number didn't change, it is considered that
plugins didn't modify the list.

ipa-pwd-extop actually removed and re-added modification to ipaNTHash if
it contained 'MagicRegen' value. This did not work since commit
https://pagure.io/389-ds-base/c/6c17ec56076d34540929acbcf2f3e65534060a43
but we were lucky nothing in FreeIPA code actually relied on that except
some code paths in ipasam Samba passdb driver. However, Samba didn't
reach the point where the code was triggered -- until now.

With support to run Samba as a domain member in IPA domain, that code
path is triggered for Kerberos service principals of domain members
(cifs/client.example.test, ...) and NT hash extraction from Kerberos
keys does not work.

Fix ipa-pwd-extop to follow recommendations in
https://pagure.io/389-ds-base/issue/387#comment-120145 and
https://pagure.io/389-ds-base/issue/50369#comment-570696

Fixes: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-28 09:55:51 +03:00
Alexander Bokovoy
46234f0cb9 test_ipagetkeytab: test retrieval of explicit encryption types
In order to test a fix for https://pagure.io/freeipa/issue/7953,
we need to create a keytab with a particular encryption type
(arcfour-hmac) and attempt to request generation of ipaNTHash attribute
from Kerberos keys in LDAP.

Add a test case that performs this operation.

Related: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-28 09:55:51 +03:00
Alexander Bokovoy
b5fbbd1957 Keytab retrieval: allow requesting arcfour-hmac for SMB services
With system-wide crypto policy in use, arcfour-hmac encryption type
might be removed from the list of permitted encryption types in the MIT
Kerberos library. Applications aren't prevented to use the arcfour-hmac
enctype if they operate on it directly.

Since FreeIPA supported and default encryption types stored in LDAP, on
the server side we don't directly use a set of permitted encryption
types provided by the MIT Kerberos library. However, this set will be
trimmed to disallow arcfour-hmac and other weaker types by default.

While the arcfour-hmac key can be generated and retrieved, MIT Kerberos
library will still not allow its use in Kerberos protocol if it is not
on the list of permitted encryption types. We only need this workaround
to allow setting up arcfour-hmac key for SMB services where arcfour-hmac
key is used to validate communication between a domain member and its
domain controller. Without this fix it will not be possible to request
setting up a machine account credential from the domain member side. The
latter is needed for Samba running on IPA client.

Thus, extend filtering facilities in ipa-pwd-extop plugin to explicitly
allow arcfour-hmac encryption type for SMB services (Kerberos principal
name starts with cifs/).

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-28 09:55:51 +03:00
Alexander Bokovoy
0f891c6a3f test_ipagetkeytab: factor out DM password reader
Related: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-28 09:55:51 +03:00
Alexander Bokovoy
6163cbc166 test_ipagetkeytab: allow testing LDAP connection beyond bind operation
Convert use_keytab() function into a context manager to allow additional
operations to be done as part of the test. Also pass proper credentials
cache file to the backend while connecting to LDAP so that right creds
are in use.

This is required to perform actual tests for use of the retrieved keys.

Related: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-28 09:55:51 +03:00
Alexander Bokovoy
ef67dece52 ldap2.can_read: fix py3 compatibility
As with commit b37d18288d, can_read() method does not need to decode
a string in Python 3. can_read() wasn't used anywhere in the code,
apparently.

Related: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-28 09:55:51 +03:00
Alexander Bokovoy
53a0fa9130 LDAPCreate: allow callers to override objectclasses
LDAPCreate class explicitly allows use of --setattr/--addattr options to
pass-in additional configuration or override some of the framework
decisions. However, changes to objectclasses are ignored.

We have a number of plugins where additional attributes and their values
are generated at creation time. For example, ipa-sidgen plugin generates
ipaNTSecurityIdentifier value on LDAP ADD operation when objectclasses
include a specific object class and some other attributes (uidNumber,
gidNumber) do present in the LDAP mods.

Allow to override object-specific LDAP objectclasses by the
--setattr/--addattr option values.

Related: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-28 09:55:51 +03:00
Alexander Bokovoy
5230e2a12d Azure Pipelines: run fast linter in case of a pull request build
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-28 09:55:51 +03:00
Alexander Bokovoy
c8ef093e56 Azure Pipelines: simplify test job definitions
Rewrite templates to make test job declarations simpler and easier to
work with.

A test job template can be instantiated this way:

- template: templates/test-jobs.yml
  parameters:
    jobName: Base
    jobTitle: Base tests
    testsToRun:
    - test_cmdline
    - test_install
    - test_ipaclient
    - test_ipalib
    - test_ipaplatform
    - test_ipapython
    testsToIgnore:
    - test_integration
    - test_webui
    - test_ipapython/test_keyring.py
    taskToRun: run-tests

Both 'testsToRun' and 'testsToIgnore' accept arrays of test matches.
Wildcards also supported:

    ....
    testsToRun:
    - test_xmlrpc/test_hbac*
    ....

'taskToRun' specifies a script ipatests/azure/azure-${taskToRun}.sh that
will be executed in the test environment to actually start tests.

Parameters 'testsToRun' and 'testsToIgnore' define TESTS_TO_{RUN,IGNORE}
variables that will be set in the environment of the test script. These
variables will have entries from the parameters separated by a space.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-28 09:55:51 +03:00
Alexander Bokovoy
6a2c356da0 ipa-run-tests: add support of globs for test targets and ignores
ipa-run-tests expands arguments passed with their full paths. However,
it doesn't support expanding globs, so targets like 'test_ipa*' cannot
be specified.

Expand the code that replaces '--ignore foo' and 'foo' positional
arguments with support for '--ignore foo*' and 'foo*'.

This allows to reduce a number of additional steps in the CI pipeline
preparation.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-28 09:55:51 +03:00
Florence Blanc-Renaud
64d187e56e NSSDatabase: fix get_trust_chain
In the get_trust_chain method, use certutil -O with the option
--simple-self-signed to make sure that self-signed certs properly
get processed.
Note: this option has been introduced in nss 3.38 and our spec file
already requires nss >= 3.41.

Scenario: when IPA CA is switched from self-signed to externally-signed,
then back to self-signed, the same nickname can be used in
/etc/pki/pki-tomcat/alias for the initial cert and the renewed certs. If
the original and renewed certs are present in the NSS db, running
$ certutil -O -n <IPA CA alias>
produces a complex output like the following (this command is used to find
the trust chain):
"CN=Cert Auth,O=ExtAuth" [CN=Cert Auth,O=ExtAuth]

  "caSigningCert cert-pki-ca" [CN=Certificate Authority,O=DOMAIN.COM]

    "caSigningCert cert-pki-ca" [CN=Certificate Authority,O=DOMAIN.COM]

The renewal code is disturbed by this output.
If, on the contrary, certutil -O --simple-self-signed -n <IPA CA alias> is
used to extract the trust chain, the output is as expected for a self-signed
cert:
"caSigningCert cert-pki-ca" [CN=Certificate Authority,O=DOMAIN.COM]

As a result, the scenario self-signed > externally signed > self-signed
works.

Fixes: https://pagure.io/freeipa/issue/7926
Reviewed-By: Oleg Kozlov <okozlov@redhat.com>
2019-05-24 17:18:56 -04:00
Thierry Bordaz
67490acb04 Switch nsslapd-unhashed-pw-switch to nolog
389-ds will change the default value of nsslapd-unhashed-pw-switch from 'on' to 'off'
For new or upgraded IPA instance, in case of winsync deployment the attribute is set
to 'on' and a warning is displayed.  Else the attribute is set to 'nolog'

https://pagure.io/freeipa/issue/4812

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-24 12:42:51 +02:00
Kaleemullah Siddiqui
c9c8b3e048 Order of master and replica corrected in logger.info
Order of master/replica was incorect which has been
corrected

Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-05-23 09:58:18 +02:00
Tibor Dudlák
be39d3a99b
ipatests: Add Unattended option to external ca task
After resolving https://pagure.io/freeipa/issue/7930
an unattended option alongsede with -r 'REALM' option
needs to be passed to tasks which lacks ntp options.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Oleg Kozlov <okozlov@redhat.com>
2019-05-22 18:20:22 +02:00
Tibor Dudlák
e3f35843dc
Moving prompt for NTP options to install_check
In a interactive installation of freeipa server a promt asks for NTP related
options after install_check has been called. As it may cause confusion to users
moving to install_check methods where the prompt for other options is being done.
Refactored sync_time() method to use passed parameters ntp_servers and ntp_pool.

Resolves: https://pagure.io/freeipa/issue/7930
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Oleg Kozlov <okozlov@redhat.com>
2019-05-22 18:20:22 +02:00
Florence Blanc-Renaud
4804103315 ipatests: CA renewal must refresh cn=CAcert
Add a test checking that the entry cn=CAcert,cn=ipa,cn=etc,BASEDN
is properly updated when the CA is renewed
The test also checks that the entry
cn=DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,BASEDN properly
contains ipaconfigstring: compatCA
         ipaconfigstring: ipaCA

Related to https://pagure.io/freeipa/issue/7928

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-05-22 17:53:13 +02:00
Florence Blanc-Renaud
9cd88587e4 CA: set ipaconfigstring:compatCA in cn=DOMAIN IPA CA
Commit fa50068 introduced a regression. Previously, the
upgrade plugin upload_cacrt was setting the attribute
ipaconfigstring: compatCA in the entry
cn=DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,BASEDN

After commit fa50068, the value is not set any more. As a
consequence, the LDAP entry is not identified as the CA and
CA renewal does not update the entry
cn=CAcert,cn=certificates,cn=ipa,cn=etc,BASEDN.

RHEL 6 client rely on this entry to retrieve the CA and
client install fails because cn=CAcert is out-of-date.

The fix makes sure that upload_cacrt plugin properly sets
ipaconfigstring: compatCA in the entry
cn=DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,BASEDN

Fixed: https://pagure.io/freeipa/issue/7928
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-05-22 17:53:13 +02:00
Stanislav Levin
5263c36c1b Respect TMPDIR, TEMP or TMP environment variables during testing
The FreeIPA uses its own classes for managing temp files and
directories for tests. One of its underlying low-level functions
is `mkdtemp`.

According to documentation for `mkdtemp`:
```
If dir is not None, the file will be created in that directory; otherwise, a
default directory is used. The default directory is chosen from a
platform-dependent list, but the user of the application can control the
directory location by setting the TMPDIR, TEMP or TMP environment variables.
```

It's actually the truth,
/usr/lib64/python3.7/tempfile.py:
```
def _candidate_tempdir_list():
    """Generate a list of candidate temporary directories which
    _get_default_tempdir will try."""

    dirlist = []

    # First, try the environment.
    for envname in 'TMPDIR', 'TEMP', 'TMP':
        dirname = _os.getenv(envname)
        if dirname: dirlist.append(dirname)

    # Failing that, try OS-specific locations.
    if _os.name == 'nt':
        dirlist.extend([ _os.path.expanduser(r'~\AppData\Local\Temp'),
                         _os.path.expandvars(r'%SYSTEMROOT%\Temp'),
                         r'c:\temp', r'c:\tmp', r'\temp', r'\tmp' ])
    else:
        dirlist.extend([ '/tmp', '/var/tmp', '/usr/tmp' ])
```

For now, there is a hardcoded assertion of a temp directory (`/tmp`) in
IPA tests. But some systems use the mentioned environment variables
(for example, pam_mktemp https://www.openhub.net/p/pam_mktemp).
It's easy to check an actual temp dir via `gettempdir`.

Fixes: https://pagure.io/freeipa/issue/7956
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-21 13:07:45 -04:00
Serhii Tsymbaliuk
6a9c20a87c
Fix occasional 'whoami.data is undefined' error in FreeIPA web UI
'Metadata' phase (Web UI initialization flow) doesn't wait "whoami" response.
It causes the error when on the next phase "whoami" data is undefined.
To avoid this "whoami" request now has flag async = false,
so init_metadata waits until it will be completed.

Ticket: https://pagure.io/freeipa/issue/7917

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-05-21 14:45:27 +02:00
Rob Crittenden
6662e99e17 Add knob to limit hostname length
On Linux systems the length limit for hostnames is hardcoded
at 64 in MAXHOSTNAMELEN

Solaris, for example, allows 255 characters, and DNS allows the
total length to be up to 255 (with each label < 64).

Add a knob to allow configuring the maximum hostname length (FQDN)

The same validators are used between hosts and DNS to apply
the knob only when dealing with a FQDN as a hostname.

The maxlen option is included so installers can limit the length
of allowed hostnames when the --hostname option is used.

https://pagure.io/freeipa/issue/2018

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-16 14:38:43 -04:00
Florence Blanc-Renaud
7fe10d9903 ipatests: add integration test checking the files mode
The test runs rpm -V in order to check that the file
permissions are consistent with the expectations set
in the spec file. The file mode, owner and group are
checked.

Related to https://pagure.io/freeipa/issue/7934

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-16 14:28:00 +02:00
Florence Blanc-Renaud
a425448914 Fix expected file permissions for ghost files
File permissions from the rpm freeipa-server-common and
freeipa-client-common do not match the runtime permissions. This results
in mode failures on rpm -Va.
Fix the expected file permissions on rpm spec file for
/var/lib/ipa/pki-ca/publish
/var/named/dyndb-ldap/ipa
/etc/ipa/pwdfile.txt
/etc/pki/ca-trust/source/ipa.p11-kit
(new format SQLite)
/etc/ipa/nssdb/cert9.db
/etc/ipa/nssdb/key4.db
/etc/ipa/pkcs11.txt
(old format DBM)
/etc/ipa/cert8.db
/etc/ipa/key3.db
/etc/ipa/secmod.db

The commit also fixes the file permissions for
/etc/httpd/conf.d/ipa-pki-proxy.conf (644)
during server installation, and the group ownership.

Fixes: https://pagure.io/freeipa/issue/7934
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-16 14:28:00 +02:00
Christian Heimes
2d22fdafaa Forbid imports of ipaserver and install packages
ipatests' plugin and integration tests must no longer import ipaserver
or ipa*.install packages.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-05-16 13:20:38 +02:00
Christian Heimes
984a44a46a integration plugins import ldif
Make ipatests depend on python-ldap.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-05-16 13:20:38 +02:00
Christian Heimes
8bd469c54e Don't import ipaserver in conf.py
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-05-16 13:20:38 +02:00
Christian Heimes
4b7e81fbbe Replace imports from ipaserver
The ipatests/test_integration/ package only uses ipaserver in a few
places. Copy some simple constants to decouple the packages.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-05-16 13:20:38 +02:00
Christian Heimes
289f9c7e25 Delay import of SSSDConfig
SSSDConfig is not available on PyPI.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-05-16 13:20:38 +02:00
Alexander Bokovoy
74f3ca5db0 i18n_messages: get back a locale needed for testing
Commit f49fac7bda added a special
workaround to get fr-fr locale translations installed when running
tests in Travis CI.

Get it back to Azure Pipelines.

Fixes: https://pagure.io/freeipa/issue/7951
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-05-16 09:51:45 +03:00
Alexander Bokovoy
245a8bcdfe test_legacy_clients: fix class inheritance
Fixes: https://pagure.io/freeipa/issue/7940
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-05-16 09:51:45 +03:00
Alexander Bokovoy
c41b3ae98f fix selenium imports in automount web UI test
Fixes: https://pagure.io/freeipa/issue/7942
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-05-16 09:51:45 +03:00
Alexander Bokovoy
9cb6817b30 azure-run-tests: handle single unexpanded parameter too
If TESTS_TO_RUN contains a single parameter that cannot be expanded,
bash will not perform brace elimination. Remove braces manually.

For example, TESTS_TO_RUN='test_xmlrpc/test_*.py' will not expand
outside of ipatests and the script would generate

 tests_to_run=-k{test_xmlrpc/test_*.py}

Braces then will prevent actual ipa-run-tests execution from matching
any of XMLRPC tests.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-05-16 09:51:45 +03:00
Alexander Bokovoy
58fe6fac61 Set up CI with Azure Pipelines
Sets up a pipeline to run FreeIPA build and tests in Azure Pipelines.

Azure Pipelines provides 10 parallel free runners for open source projects.
Use them to run following jobs:

 - Build: build RPMs and Fedora 30 container with them
 - Lint: run linting of the source code
 - Tox: run py36,pypi,pylint tests using Tox
 - Web UI unit tests: run Web UI unit tests with Grunt/QUnit/PhantomJS
 - XMLRPC tests: install FreeIPA server and run XMLRPC tests against it

All jobs are running in Fedora 30 containers. Build, Lint, Tox, and Web
UI unit tests run inside f30/fedora-toolbox container. Build job
generates a container with pre-installed FreeIPA packages using official
fedora:30 container. All containers are picked up from
registry.fedoraproject.org.

Artifacts from the build job are pushed to a pipeline storage and reused
in the XMLRPC tests. They also are accessible in the 'Summary' tab to
download.

XUnit and QUnit outputs from the tests that produce it are reported in
the 'Tests' tab.

Logs from individual steps from each job are available for review in
the 'Logs' tab. They also can be downloaded.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-05-14 14:52:29 -04:00
Alexander Bokovoy
b7533d9c5f Use nodejs 1.10 to avoid current issues with nodejs 1.11 in Fedora 30
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-05-14 14:52:29 -04:00
Rob Crittenden
ecc08e3983 Use AES-128-CBC for PKCS#12 encryption when creating files (FIPS)
A PKCS#12 file is generated from a set of input files in various
formats. This file is then used to provide the public and private
keys and certificate chain fro importing into an NSS database.

In order to work in FIPS mode stronger encryption is required.

The default OpenSSL certificate algo is 40-bit RC2 which is not
allowed in FIPS mode. The default private key algo is 3DES.
Use AES-128 instead for both.

Fixes: https://pagure.io/freeipa/issue/7948

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-14 12:46:56 -04:00
Christian Heimes
2042b5a0d2 Use PKCS#8 instead of traditional privkey format
The modern PKCS#8 private key format supports better encryption standard
and is preferable over traditional, weak PKCS#1 key format.

Fixes: https://pagure.io/freeipa/issue/7943
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Oleg Kozlov <okozlov@redhat.com>
2019-05-14 17:11:54 +02:00
Stanislav Levin
7b8a2af219 Fix build_requestinfo in LibreSSL environments
`build_requestinfo` was broken in @ac6568dcf.
In this case LibreSSL behavior is the same as OpenSSL < 1.1.x.
Thus, an additional check for SSL implementation was added.

Fixes: https://pagure.io/freeipa/issue/7937
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-14 15:58:40 +02:00
Christian Heimes
64dc92ccb4 Load libldap_r-*.so.2
libldap_r.so is only available in the OpenLDAP development packages. The
openldap package provides libldap_r-*.so.2.

Fixes: https://pagure.io/freeipa/issue/7941
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-05-14 12:27:55 +02:00
Stanislav Levin
ac6568dcf5 Fix build_requestinfo in OpenSSL1.1.0+ environments
Since OpenSSL 1.1.0 the `req_info` field of X509_REQ structure is
no longer a pointer to X509_REQ_INFO. This results in a crash of
`build_requestinfo` in environments having OpenSSL1.1.0+ (libcrypto).

With this patch, the X509_REQ definition becomes the version dependent.
Both OpenSSL1.0.x and OpenSSL1.1.x are supported.

Fixes: https://pagure.io/freeipa/issue/7937
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-05-12 23:49:07 +02:00
Alexander Bokovoy
98b4c710d9 upgrade: adtrust - catch empty result when retrieving list of trusts
Upgrade failure when ipa-server-upgrade is being run on a system with no
trust established but trust configured

Fixes: https://pagure.io/freeipa/issue/7939
Reviewed-By: François Cami <fcami@redhat.com>
2019-05-11 21:15:37 +02:00
François Cami
5331510eab ipa_backup.py: replace /var/lib/ipa/backup with paths.IPA_BACKUP_DIR
/var/lib/ipa/backup is defined in ipaplatform.paths as paths.IPA_BACKUP_DIR
Remove all instances of /var/lib/ipa/backup/ in ipa_backup.py.

Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-07 09:08:40 +02:00
François Cami
e6415ec321 ipa-backup: better error message if ENOSPC
When the destination directory cannot store the complete backup
ipa-backup fails but does not explain why.
This commit adds error-checking to db2ldif(), db2bak() and
finalize_backup() and enhances the error message.

Fixes: https://pagure.io/freeipa/issue/7647
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Tibor Dudlák <tdudlak@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-05-07 09:00:42 +02:00
François Cami
d76737e4c6 ipatests: add tests for the new NFSv4 domain option of ipa-client-automount
This commit tests the--idmap-domain knob with the following behavior:
- if not present, default to IDM domain (current behavior)
- if equal to DNS (magic value), set nothing and let idmapd autodetect domain
- otherwise set Domain in idmap.conf to the value passed by this parameter

Related to: https://pagure.io/freeipa/issue/7918
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-05-06 17:46:19 +02:00
François Cami
660c4984c6 ipa-client-automount: add knob to configure NFSv4 Domain (idmapd.conf)
ipa-client-automount assumes the NFS domain to be the same as the IPA domain.
This is not always the case.
This commit adds a --idmap-domain knob with the following behavior:
- if not present, default to IDM domain (current behavior)
- if equal to DNS (magic value), set nothing and let idmapd autodetect domain
- otherwise set Domain in idmap.conf to the value passed by this parameter

Fixes: https://pagure.io/freeipa/issue/7918
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-05-06 17:46:19 +02:00
Adam Williamson
78652a52f0 Correct default fontawesome path (broken by da2cf1c5)
On Fedora/RHEL, it does not have a dash in it. The changes in
da2cf1c5 inadvertently added a dash to the path in the 'base'
paths definition (used on Fedora/RHEL), so the font wasn't found.

Signed-off-by: Adam Williamson <awilliam@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-02 09:36:54 -04:00
Alexander Bokovoy
294aa3a333 Revert "Require a minimum SASL security factor of 56"
This reverts commit 3509545897.

We cannot force increase in minimum SASL security factor until our
consumers are ready to deal with it. Unfortunately, realmd uses
anonymous connection for discovery and validation of IPA LDAP server.

The way it is done is fragile (it doesn't take into account an
advertised IPA version, only checks that 'IPA' string exists in the info
field) but since bumping of minimum SSF prevents reading IPA info field
using anonymous connection, client enrollment fails.

We should get back to bumping minimum SSF after realmd and other
potential consumers are fixed.

Reviewed-By: François Cami <fcami@redhat.com>
2019-05-02 11:39:23 +02:00