path: root/ipalib/rpc.py
Commit message | Author | Date | Files | Lines
* Store session cookie in ccache for cli users | Rob Crittenden | 2012-06-14 | 1 file | -11/+74
  Try to use the URI /ipa/session/xml if there is a key in the kernel keyring. If there is no cookie or it turns out to be invalid (expired, whatever) then use the standard URI /ipa/xml. This in turn will create a session that the user can then use later.
  https://fedorahosted.org/freeipa/ticket/2331
* Replace DNS client based on acutil with python-dns | Martin Kosek | 2012-05-24 | 1 file | -6/+15
  IPA client and server tool set used authconfig acutil module for client DNS operations. This is not optimal DNS interface for several reasons:
  - does not provide native Python object oriented interface but rather C-like interface based on functions and structures which is not easy to use and extend
  - acutil is not meant to be used by third parties besides authconfig and thus can break without notice
  Replace the acutil with python-dns package which has a feature rich interface for dealing with all different aspects of DNS including DNSSEC.
  The main target of this patch is to replace all uses of acutil DNS library with python-dns. In most cases, even though the larger parts of the code are changed, the actual functionality is changed only in the following cases:
  - redundant DNS checks were removed from verify_fqdn function in installutils to make the whole DNS check simpler and less error-prone. Logging was improved for the remaining checks
  - improved logging for ipa-client-install DNS discovery
  https://fedorahosted.org/freeipa/ticket/2730
  https://fedorahosted.org/freeipa/ticket/1837
* Don't set dbdir in the connection until after the connection is created. | Rob Crittenden | 2012-03-13 | 1 file | -5/+7
  We were comparing the current connection with itself so were never going to call nss_shutdown(). dbdir needs to be set after the connection has been made.
  This worked on single server installs because we don't do a ping so NSS would never be pre-initialized. If multiple servers are available we call ping() to find one that is up before submitting the request, this is what would have pre-initialized NSS.
  This was tripping up request-cert because it will initialize NSS with no DB if it hasn't been initialized. We need to initialize it to validate the CSR.
  A non-working client was doing this when calling cert-request:
  - call load_certificate_request()
  - nss.nss_nodb_init()
  - load the CSR
  - create a connection, dbdir=/etc/pki/nssdb
  - the dbdir matches within the same connection, don't call nss_shutdown()
  - connect to remote server
  - fail, untrusted CA because we are still using db from nss_nodb_init.
  Instead if we set dbdir afterward then this will properly be shutdown and NSS re-initialized with correct dbdir.
  https://fedorahosted.org/freeipa/ticket/2498
* Do kinit in client before connecting to backend | Rob Crittenden | 2012-03-04 | 1 file | -4/+27
  The client installer was failing because a backend connection could be created before a kinit was done.
  Allow multiple simultaneous connections. This could fail with an NSS shutdown error when the second connection was created (objects still in use). If all connections currently use the same database then there is no need to initialize, let it be skipped.
  Add additional logging to client installer.
  https://fedorahosted.org/freeipa/ticket/2478
* Don't set delegation flag in client, we're using S4U2Proxy now | Rob Crittenden | 2012-02-15 | 1 file | -7/+17
  A forwardable ticket is still required but we no longer need to send the TGT to the IPA server. A new flag, --delegate, is available if the old behavior is required.
  Set the minimum n-v-r for mod_auth_kerb and krb5-server to pick up needed patches for S4U2Proxy to work.
  https://fedorahosted.org/freeipa/ticket/1098
  https://fedorahosted.org/freeipa/ticket/2246
* add session manager and cache krb auth | John Dennis | 2012-02-09 | 1 file | -8/+2
  This patch adds a session manager and support for caching authentication in the session. Major elements of the patch are:
  * Add a session manager to support cookie based sessions which stores session data in a memcached entry.
  * Add ipalib/krb_utils.py which contains functions to parse ccache names, format principals, format KRB timestamps, and a KRB_CCache class which reads ccache entry and allows one to extract information such as the principal, credentials, credential timestamps, etc.
  * Move krb constants defined in ipalib/rpc.py to ipa_krb_utils.py so that all kerberos items are co-located.
  * Modify javascript in ipa.js so that the IPA.command() RPC call checks for authentication needed error response and if it receives it sends a GET request to /ipa/login URL to refresh credentials.
  * Add session_auth_duration config item to constants.py, used to configure how long a session remains valid.
  * Add parse_time_duration utility to ipalib/util.py. Used to parse the session_auth_duration config item.
  * Update the default.conf.5 man page to document session_auth_duration config item (also added documentation for log_manager config items which had been inadvertently omitted from a previous commit).
  * Add SessionError object to ipalib/errors.py
  * Move Kerberos protection in Apache config from /ipa to /ipa/xml and /ipa/login
  * Add SessionCCache class to session.py to manage temporary Kerberos ccache file in effect for the duration of an RPC command.
  * Adds a krblogin plugin used to implement the /ipa/login handler. login handler sets the session expiration time, currently 60 minutes or the expiration of the TGT, whichever is shorter. It also copies the ccache provided by mod_auth_kerb into the session data. The json handler will later extract and validate the ccache belonging to the session.
  * Refactored the WSGI handlers so that json and xmlrpc could have independent behavior, this also moves where create and destroy context occurs, now done in the individual handler rather than the parent class.
  * The json handler now looks up the session data, validates the ccache bound to the session, if it's expired replies with authenticated needed error.
  * Add documentation to session.py. Fully documents the entire process, got questions, read the doc.
  * Add exclusions to make-lint as needed.
* Replace float with Decimal | Martin Kosek | 2012-01-20 | 1 file | -0/+4
  Having float type as a base type for floating point parameters in ipalib introduces several issues, e.g. problem with representation or value comparison. Python language provides a Decimal type which helps overcome these issues.
  This patch replaces a float type and Float parameter with a decimal.Decimal type in Decimal parameter. A precision attribute was added to Decimal parameter that can be used to limit a number of decimal places in parameter representation.
  This approach fixes a problem with API.txt validation where comparison of float values may fail on different architectures due to float representation error.
  In order to safely transfer the parameter value over RPC it is being converted to string which is then converted back to decimal.Decimal number on a server side.
  https://fedorahosted.org/freeipa/ticket/2260
* Require an HTTP Referer header in the server. Send one in ipa tools. | Rob Crittenden | 2011-12-12 | 1 file | -0/+3
  This is to prevent a Cross-Site Request Forgery (CSRF) attack where a rogue server tricks a user who was logged into the FreeIPA management interface into visiting a specially-crafted URL where the attacker could perform FreeIPA configuration changes with the privileges of the logged-in user.
  https://bugzilla.redhat.com/show_bug.cgi?id=747710
* Add a function for formatting network locations of the form host:port for use in URLs. | Jan Cholasta | 2011-10-05 | 1 file | -2/+2
  If the host part is a literal IPv6 address, it must be enclosed in square brackets (RFC 2732).
  ticket 1869
* Fix /usr/bin/ipa duplicated server list | Martin Kosek | 2011-09-22 | 1 file | -1/+9
  Fix get_url_list() so that the configured master server is there just once. This fix lets /usr/bin/ipa try connecting to all IPA masters just once and not print confusing server list with duplicated master.
  https://fedorahosted.org/freeipa/ticket/1817
* Test for forwarded Kerberos credentials cache in wsgi code. | Rob Crittenden | 2011-05-18 | 1 file | -1/+13
  We should more gracefully handle if the TGT has not been forwarded than returning a 500 error.
  Also catch and display KerberosErrors from ping() in the client better.
  ticket 1101
* Fallback to default locale (en_US) if env. setting is corrupt. | Pavel Zuna | 2011-03-01 | 1 file | -1/+5
* Send Accept-Language header over XML-RPC and translate on server. | Pavel Zuna | 2011-03-01 | 1 file | -3/+30
  Fix #904
  Fix #917
* Set the default Int maxvalue to the maximum XML-RPC can handle. | Rob Crittenden | 2011-01-18 | 1 file | -1/+3
  Also handle marshalling errors thrown by xmlrpclib more gracefully.
  ticket 770
* Change FreeIPA license to GPLv3+ | Jakub Hrozek | 2010-12-20 | 1 file | -5/+5
  The changes include:
  * Change license blobs in source files to mention GPLv3+ not GPLv2 only
  * Add GPLv3+ license text
  * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think
  https://fedorahosted.org/freeipa/ticket/239
* Handle regular socket errors gracefully in ipa command | Rob Crittenden | 2010-10-15 | 1 file | -0/+3
  ticket 382
* Changes to fix compatibility with Fedora 14 | Rob Crittenden | 2010-08-31 | 1 file | -3/+11
  Fedora 14 introduced the following incompatibilities:
  - the kerberos binaries moved from /usr/kerberos/[s]/bin to /usr/[s]bin
  - the xmlrpclib in Python 2.7 is not fully backwards compatible to 2.6
  Also, when moving the installed host service principals:
  - don't assume that krbticketflags is set
  - allow multiple values for krbextradata
  ticket 155
* Add support for client failover to the ipa command-line. | Rob Crittenden | 2010-08-16 | 1 file | -13/+73
  This adds a new global option to the ipa command, -f/--no-fallback. If this is included then just the server configured in /etc/ipa/default.conf is used. Otherwise that is tried first then all servers in DNS with the ldap SRV record are tried.
  Create a new Local() Command class for local-only commands. The help command is one of these. It shouldn't need a remote connection to execute.
  ticket #15
* use NSS for SSL operations | John Dennis | 2010-06-15 | 1 file | -126/+7
* Connect the -v cli argument to the verbose flag in xmlrpclib | Rob Crittenden | 2010-06-03 | 1 file | -2/+2
  If you pass two -v to the ipa command you'll get the XML-RPC data in the output. This can be handy so you know exactly what went out over the wire.
* XML-RPC signature change | Jason Gerard DeRose | 2010-03-30 | 1 file | -1/+1
* Explicitly set verbosity off in the XML-RPC client | Rob Crittenden | 2009-09-14 | 1 file | -0/+1
  This is so I don't have to hunt for where to set this to True when doing low-level client debugging.
* Catch and handle HTTP exceptions (like 401, 404, etc) | Rob Crittenden | 2009-07-15 | 1 file | -1/+3
* Add a local implementation of httplib.SSLFile and httplib.FakeSocket | rcrit | 2009-07-01 | 1 file | -2/+9
  Python 2.6 changed its internal implementation which makes it difficult to override in a way that is backwards compatible.
  508953
* Rename errors2.py to errors.py. Modify all affected files. | Pavel Zuna | 2009-04-23 | 1 file | -9/+9
* Handle GSSAPI exceptions more gracefully | Rob Crittenden | 2009-04-20 | 1 file | -6/+28
* Use OpenSSL for SSL instead of the built-in python version. | Rob Crittenden | 2009-02-20 | 1 file | -3/+127
* Get merged tree into an installable state. | Rob Crittenden | 2009-02-03 | 1 file | -1/+4
  I have only tested the all, rpms and *clean targets directly. install may work but the rpm moves a lot of things around for us.
  The Apache configuration file isn't in its final state but it works with the new mod_python configuration.
* Finished small tweaks to get new ipaserver.xmlrpc() mod_python handler working | Jason Gerard DeRose | 2009-02-03 | 1 file | -0/+2
* Fixed bug I introduced in KerbTransport; started work on lite-xmlrpc.py to add client address to context | Jason Gerard DeRose | 2009-02-03 | 1 file | -2/+2
* Got new ldap connection working using Connectible.connect() | Jason Gerard DeRose | 2009-02-03 | 1 file | -5/+5
* Ported xmlclient to subclass from Connectible | Jason Gerard DeRose | 2009-02-03 | 1 file | -22/+7
* Ported xmlserver to subclass from Executioner | Jason Gerard DeRose | 2009-02-03 | 1 file | -1/+1
* Removed deprecated import of errors in frontend.py | Jason Gerard DeRose | 2009-02-03 | 1 file | -1/+3
* Added ServiceError (KerberosError) and make rpc.KerbTransport raise it if appropriate | Jason Gerard DeRose | 2009-02-03 | 1 file | -2/+7
* More xmlrpc tweaks: xmlserver.execute() now logs non-public exceptions; xmlclient.forward() now handles socket error; fixed some Python 2.4 problems in lite-xmlrpc2.py | Jason Gerard DeRose | 2009-02-03 | 1 file | -1/+4
* Further migration toward new xmlrpc code; fixed problem with unicode Fault.faultString; fixed problem where ServerProxy method was not called correctly | Jason Gerard DeRose | 2009-02-03 | 1 file | -5/+14
* Sundry work getting ready to switch to new XML-RPC client/server code | Jason Gerard DeRose | 2009-02-03 | 1 file | -1/+52
* Added rpc.xmlclient backend plugin for forwarding; added corresponding unit tests | Jason Gerard DeRose | 2009-01-19 | 1 file | -0/+50
* Added docstring cross-references between rpc and rpcserver modules | Jason Gerard DeRose | 2009-01-16 | 1 file | -2/+4
* Added docstrings to the new rpc.xml_dumps() and rpc.xml_loads() functions | Jason Gerard DeRose | 2009-01-16 | 1 file | -6/+57
* ipalib.rpc: now using allow_none=True after conversation with Rob; added xml_dumps() and xml_loads() functions; some name cleanup | Jason Gerard DeRose | 2009-01-15 | 1 file | -9/+27
* Started moving xmlrpc-functions from ipalib.util to ipalib.rpc | Jason Gerard DeRose | 2008-11-24 | 1 file | -0/+86