On multiple occasions, SRV query answers were not properly sorted by
priority. Records with same priority weren't randomized and shuffled.
This caused FreeIPA to contact the same remote peer instead of
distributing the load across all available servers.
Two new helper functions now take care of SRV queries. sort_prio_weight()
sorts SRV and URI records. query_srv() combines SRV lookup with
sort_prio_weight().
Fixes: https://pagure.io/freeipa/issue/7475
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Use Python 3's reprlib with customizations to create same API.txt under
Python 2 and 3. Some plugins have been slightly altered to use stable
sorting for dynamically created parameter lists.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add consistent return to all functions and methods that are covered by
tox -e pylint[23]. I haven't checked if return None is always a good
idea or if we should rather raise an error.
See: https://pagure.io/freeipa/issue/7326
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This can happen on the API level if a user passes in None as
cafile or if the value passed in does not exist or is not
readable by the IPA framework user.
This will also catch situations where /etc/ipa/ca.crt has
incorrect permissions and will provide more useful information
than just [Errno 13] Permission denied.
https://pagure.io/freeipa/issue/7145
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
ipa help code invokes pager if help lines length is more then
current terminal height.
https://pagure.io/freeipa/issue/7225
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Instead of symlinks and build-time configuration the ipaplatform module
is now able to auto-detect platforms on import time. The meta importer
uses the platform 'ID' from /etc/os-releases. It falls back to 'ID_LIKE'
on platforms like CentOS, which has ID=centos and ID_LIKE="rhel fedora".
The meta importer is able to handle namespace packages and the
ipaplatform package has been turned into a namespace package in order to
support external platform specifications.
https://fedorahosted.org/freeipa/ticket/6474
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Adds validation to prevent user to install ipa with single label
domain.
https://pagure.io/freeipa/issue/7207
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Fixing import errors introduced by commits
icac3475a0454b730d6e5b2093c2e63d395acd387 and
0b7d9c5.
https://pagure.io/freeipa/issue/7132
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Creating a method to check if ipa client is configured. Also,
changing scripts to use it instead of duplicating the check.
https://pagure.io/freeipa/issue/6261
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Since OptionParser behaves differently in Python 2/3,
zonemgr_callback now handles value as str in both version.
https://pagure.io/freeipa/issue/5990
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Up until now, Bytes parameter was used for certificate parameters
throughout the framework. However, the Bytes parameter does nothing
special for certificates, like validation, so this had to be done
for each of the parameters which were supposed to represent a
certificate.
This commit introduces a special Certificate parameter which takes
care of certificate validation so this does not have to be done
separately. It also makes sure that the certificates represented by
this parameter are always converted to DER format so that we can work
with them in a unified manner throughout the framework.
This commit also makes it possible to pass bytes directly during
instantiation of the Certificate parameter and they are still
represented correctly after their conversion in the _convert_scalar()
method.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Remove logger arguments in all functions and logger attributes in all
objects, with the exception of API object logger, which is now deprecated.
Replace affected logger calls with module-level logger calls.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Remove all object-specific loggers, with the exception of `Plugin.log`,
which is now deprecated. Replace affected logger calls with module-level
logger calls.
Deprecate object-specific loggers in `ipa_log_manager.get_logger`.
Reviewed-By: Martin Basti <mbasti@redhat.com>
We cannot reliably determine when an IP Address is network or broadcast.
We allowed to use non-local IP addresses due container use cases, we
don't know subnets of used IP addresses.
https://pagure.io/freeipa/issue/4317
Reviewed-By: David Kupka <dkupka@redhat.com>
ipalib.util.check_writable_file didn't check whether the argument
is an actual file which is now fixed.
https://pagure.io/freeipa/issue/6883
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
The cachedproperty class was used in one special use-case where it only
caused issues. Let's get rid of it.
https://pagure.io/freeipa/issue/6878
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
NSSConnection was causing a lot of trouble in the past and there is
a lot of logic around it just to make it not fail. What's more,
when using NSS to create an SSL connection in FIPS mode, NSS
always requires database password which makes the `ipa` command
totally unusable.
NSSConnection is therefore replaced with Python's
httplib.HTTPSConnection which is OpenSSL based.
The HTTPSConnection is set up to handle authentication with client
certificate for connections to Dogtag server as RA agent. It allows
to handle client cert/private key in separate files and also
encrypted private key files.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Some DNS servers behaves oddly and instead sending result without RRSIG records
don't reply at all when DNSSEC flag is enabled (timeout). Instead of
hard error IPA should this handle as DNSSEC error and continue with
installation/adding forwarders.
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Unused variables may:
* make code less readable
* create dead code
* potentialy hide issues/errors
Enabled check should prevent to leave unused variable in code
Check is locally disabled for modules that fix is not clear or easy or have too many occurences of
unused variables
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Originaly there should be only two occurencees of this warning, one for
server, one for client. But obviously is not possible with current
installers to achive this goal, so I have to extract code to not mess
with 5 times copy and paste.
https://fedorahosted.org/freeipa/ticket/5814
Reviewed-By: David Kupka <dkupka@redhat.com>
This check must handle the possibility of optional attributes
(ipantadditionalsuffixes and ipantflatname) missing in the trusted domain
entry.
https://fedorahosted.org/freeipa/ticket/6099
Reviewed-By: David Kupka <dkupka@redhat.com>
Relax the check for valid hostname component by allowing multiple consecutive
'-' or '/' characters int he middle of the label (the first/last character
must still be alphanumeric or underscore). Also use verbose regex format to
document its structure.
https://fedorahosted.org/freeipa/ticket/4710
Reviewed-By: Martin Basti <mbasti@redhat.com>
New commands (*-{add,remove}-principal [PKEY] [PRINCIPAL ...])
were added to manage principal aliases.
'add' commands will check the following:
* the correct principal type is supplied as an alias
* the principals have correct realm and the realm/alternative suffix (e.g.
e-mail) do not overlap with those of trusted AD domains
If the entry does not have canonical principal name, the first returned
principal name will be set as one. This is mostly to smoothly operate on
entries created on older servers.
'remove' commands will check that there is at least one principal alias equal
to the canonical name left on the entry.
See also: http://www.freeipa.org/page/V4/Kerberos_principal_aliaseshttps://fedorahosted.org/freeipa/ticket/1365https://fedorahosted.org/freeipa/ticket/3961https://fedorahosted.org/freeipa/ticket/5413
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Hosts, services, and (stage)-users will now have krbcanonicalname attribute
set to the same value as krbprincipalname on creation. Moreover, new services
will not have ipakrbprincipalalias set anymore.
Part of https://fedorahosted.org/freeipa/ticket/3864
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
This module should aggregate common functionality utilized in the commands
managing domain-level 1 topology.
https://fedorahosted.org/freeipa/ticket/5588
Reviewed-By: Martin Basti <mbasti@redhat.com>
Allow registering any object that is callable and has `name` and `bases`
attributes as a plugin.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
The code was duplicate and less generic anyway.
As a side-effect I had to re-wrap dns.exception.DNSException into a
PublicError so it can be displayed to the user.
DNSError is now a super class for other DNS-related errors. Errors from
DNS resolver are re-raised as DNSResolverError.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
After discussion with Martin Basti we decided to standardize on root_logger
with hope that one day we will use root_logger.getLogger('module')
to make logging prettier and tunable per module.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
Host, user and idview commands do unnnecessary extra search for
ipasshpubkey attribute to generate fingerprints.
Note: Host and user plugins shows ipasshpubkey only when the attribute
is changed, idviews show ipasshpubkey always. This behavior has been
kept by this commit.
common_pre/post_callbacks were fixed in [base|stage]user modules.
common_callbacks requires the same arguments as pre/post_callbacks now
(except baseuser_find.post_common_callback)
Note2: in *-add commands there is no need for managing ipasshpubkey as
this attribute should be shown always there.
https://fedorahosted.org/freeipa/ticket/3376
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The "except ValueError as UnicodeDecodeError" looks very suspicious.
Commit change except to catch both exceptions.
https://fedorahosted.org/freeipa/ticket/5718
Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-csreplica-manage {connect|disconnect} - a user should use 'ipa
topologysegment-*' commands
* ipa-csreplica-manage del - a user should use ipa-replica-manage del
https://fedorahosted.org/freeipa/ticket/5405
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
In Python 3, the types module no longer provide alternate names for
built-in types, e.g. `types.StringType` can just be spelled `str`.
NoneType is also removed; it needs to be replaced with type(None)
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
The six way of doing this is to replace all occurences of "unicode"
with "six.text_type". However, "unicode" is non-ambiguous and
(arguably) easier to read. Also, using it makes the patches smaller,
which should help with backporting.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
In Python 2, map() returns a list; in Python 3 it returns an iterator.
Replace all uses by list comprehensions, generators, or for loops,
as required.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Python 2 has keys()/values()/items(), which return lists,
iterkeys()/itervalues()/iteritems(), which return iterators,
and viewkeys()/viewvalues()/viewitems() which return views.
Python 3 has only keys()/values()/items(), which return views.
To get iterators, one can use iter() or a for loop/comprehension;
for lists there's the list() constructor.
When iterating through the entire dict, without modifying the dict,
the difference between Python 2's items() and iteritems() is
negligible, especially on small dicts (the main overhead is
extra memory, not CPU time). In the interest of simpler code,
this patch changes many instances of iteritems() to items(),
iterkeys() to keys() etc.
In other cases, helpers like six.itervalues are used.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>