path: root/ipapython
Commit message | Author | Age | Files | Lines

* Do not allow installation in FIPS mode
  Florence Blanc-Renaud | 2016-06-29 | 1 | -0/+19
  https://fedorahosted.org/freeipa/ticket/5761
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>

* Use NSS for name->resolution in IPA installer
  Petr Spacek | 2016-06-29 | 1 | -1/+1
  This fixes scenarios where the IPA server is not able to resolve its own name and the option --ip-address was not specified by the user. This partially reverts changes from commit dc405005f537cf278fd6ddfe6b87060bd13d9a67.
  https://fedorahosted.org/freeipa/ticket/5962
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* ipaldap: turn LDAP filter utility functions into class methods
  Fraser Tweedale | 2016-06-29 | 1 | -16/+19
  The LDAP filter utilities do not use any instance attributes, so collectively turn them into class methods to promote reuse.
  Part of: https://fedorahosted.org/freeipa/ticket/4559
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>

* plugable: support plugin versioning
  Jan Cholasta | 2016-06-28 | 1 | -0/+5
  Allow multiple incompatible versions of a plugin using the same name. The current plugins are assumed to be version '1'. The unique identifier of plugins was changed from plugin name to plugin name and version. By default, the highest version available at build time is used. If the plugin is an unknown remote plugin, version '1' is used by default.
  https://fedorahosted.org/freeipa/ticket/4427
  Reviewed-By: David Kupka <dkupka@redhat.com>

* pylint: fix: multiple-statements
  Jan Barta | 2016-06-21 | 1 | -1/+2
  Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>

* ldap: fix handling of binary data in search filters
  Jan Cholasta | 2016-06-21 | 1 | -1/+6
  This fixes a UnicodeDecodeError when passing non-UTF-8 binary data to LDAPClient.make_filter() and friends.
  https://fedorahosted.org/freeipa/ticket/5381
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
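The commit above describes the failure mode (non-UTF-8 bytes passed to a filter builder that decodes them as text) without showing the fix. The following is an added example, not FreeIPA's LDAPClient code: it escapes filter assertion values per RFC 4515 so that raw bytes such as a DER certificate can be searched for without ever being decoded, and it shows the pre-fix construction failing. Function names and the sample bytes are illustrative choices made here.

```python
# Added example (not FreeIPA's own code): RFC 4515 escaping of LDAP filter
# assertion values that accepts both text and arbitrary binary data.

# Octets RFC 4515 requires to be escaped inside an assertion value.
_MUST_ESCAPE = {0x2a, 0x28, 0x29, 0x5c, 0x00}   # '*', '(', ')', '\', NUL


def naive_make_filter(attr, value):
    """The pre-fix behaviour: decode as UTF-8 and interpolate.

    Raises UnicodeDecodeError for non-UTF-8 bytes, and does no escaping, so a
    value containing '*' or ')' also changes the filter's meaning."""
    if isinstance(value, bytes):
        value = value.decode("utf-8")
    return "(%s=%s)" % (attr, value)


def naive_filter_fails(attr, value):
    """True when the pre-fix construction raises UnicodeDecodeError."""
    try:
        naive_make_filter(attr, value)
    except UnicodeDecodeError:
        return True
    return False


def escape_filter_value(value):
    """Return an ASCII-only, RFC 4515 escaped assertion value.

    Text is encoded to UTF-8 first; every octet that is special, a control
    character, or outside printable ASCII becomes '\\' plus two hex digits.
    Octets above 0x7e are therefore always escaped, which is valid for UTF-8
    text and the only correct option for raw binary."""
    if isinstance(value, str):
        data = value.encode("utf-8")
    elif isinstance(value, (bytes, bytearray)):
        data = bytes(value)
    else:
        raise TypeError("filter value must be str or bytes, not %s"
                        % type(value).__name__)
    out = []
    for octet in data:
        if octet in _MUST_ESCAPE or octet < 0x20 or octet > 0x7e:
            out.append("\\%02x" % octet)
        else:
            out.append(chr(octet))
    return "".join(out)


def make_filter(attr, value, op="="):
    """Build one assertion such as (cn=foo) with the value escaped."""
    return "(%s%s%s)" % (attr, op, escape_filter_value(value))


def make_filter_from_dict(entry_attrs, rules="&"):
    """Combine one assertion per attribute value with '&' or '|'.

    List values yield one assertion per element, as a multi-valued
    attribute such as memberOf needs.  Keys are sorted for stable output."""
    if rules not in ("&", "|"):
        raise ValueError("rules must be '&' or '|'")
    parts = []
    for attr, value in sorted(entry_attrs.items()):
        values = value if isinstance(value, (list, tuple)) else [value]
        for v in values:
            parts.append(make_filter(attr, v))
    if len(parts) == 1:
        return parts[0]
    return "(%s%s)" % (rules, "".join(parts))


if __name__ == "__main__":
    # Constructed input: the first two bytes of a DER SEQUENCE followed by a
    # byte that is not valid UTF-8.
    der_prefix = b"\x30\x82\xff"
    print(make_filter("userCertificate;binary", der_prefix))
    print("pre-fix construction fails:",
          naive_filter_fails("userCertificate;binary", der_prefix))
```

Because the escaped form is pure ASCII, the result can be passed to any LDAP client API that expects a text filter, and metacharacters inside user-supplied values can no longer alter the filter's structure.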
* Fix minor typos
  Yuri Chornoivan | 2016-06-20 | 1 | -1/+1
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* Fix minor typos
  Yuri Chornoivan | 2016-06-16 | 1 | -1/+1
  Reviewed-By: Petr Spacek <pspacek@redhat.com>

* installer: index() raises ValueError
  David Kupka | 2016-06-13 | 1 | -2/+2
  Expecting IndexError instead of ValueError led to a traceback instead of correctly reporting the error situation.
  https://fedorahosted.org/freeipa/ticket/5945
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>

* Fix resolve_rrsets: RRSet is not hashable
  Martin Basti | 2016-06-09 | 1 | -2/+2
  We cannot use set() with RRSet objects, because the RRSet object is not hashable. The set was replaced by a list.
  https://fedorahosted.org/freeipa/ticket/5710
  Reviewed-By: Petr Spacek <pspacek@redhat.com>

* add context to exception on LdapEntry decode error
  Florence Blanc-Renaud | 2016-06-09 | 1 | -2/+10
  When reading the content of an invalid LDAP entry, the exception only displays the attribute name and value, but not the DN of the entry. Because of this, it is difficult to identify the root cause of the problem. The fix raises a ValueError exception which also contains the entry DN.
  https://fedorahosted.org/freeipa/ticket/5434
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>

* Add custodia store for lightweight CA key replication
  Fraser Tweedale | 2016-06-09 | 1 | -0/+56
  Due to limitations in Dogtag's use of NSSDB, importing private keys must be done by the Dogtag Java process itself. This requires a PKIArchiveOptions format (signing key wrapped with host CA key); PKCS #12 cannot be used because that would require decrypting the key in Dogtag's memory, albeit temporarily. Add a new custodia store that executes a 'pki' command to acquire the wrapped key.
  Part of: https://fedorahosted.org/freeipa/ticket/4559
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>

* Optionally add service name to Custodia key DNs
  Fraser Tweedale | 2016-06-09 | 1 | -5/+22
  Lightweight CAs support introduces new service principals for Dogtag, with Custodia keys. The current Custodia key creation uses a DN that contains only the key type and the hostname, so keys for multiple services on the same host cannot be created. Add the 'generate_keys' method to generate keys for a host or an arbitrary service. When a service name is given, add the key entries in a nested container with RDN 'cn=<service name>'. (The container is assumed to exist.) This change does not affect searching because subtree search is used, filtering on the ipaKeyUsage and memberPrincipal attributes.
  Part of: https://fedorahosted.org/freeipa/ticket/4559
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>

* Allow CustodiaClient to be used by arbitrary principals
  Fraser Tweedale | 2016-06-08 | 1 | -7/+13
  Currently CustodiaClient assumes that the client is the host principal, and it is hard-coded to read the host keytab and server keys. For the Lightweight CAs feature, Dogtag on CA replicas will use CustodiaClient to retrieve signing keys from the originating replica. Because this process runs as 'pkiuser', the host keys cannot be used; instead, each Dogtag replica will have a service principal to use for Custodia authentication. Update CustodiaClient to require specifying the client keytab and Custodia keyfile to use, and change the client argument to be a full GSS service name (instead of hard-coding the host service) to load from the keytab. Update call sites accordingly. Also pass the given 'ldap_uri' argument through to IPAKEMKeys because without it, the client tries to use LDAPI, but may not have access.
  Part of: https://fedorahosted.org/freeipa/ticket/4559
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>

* DNS upgrade: change global forwarding policy in LDAP to "only" if private IPs are used
  Petr Spacek | 2016-05-30 | 1 | -0/+18
  This change is necessary to override the automatic empty zone configuration in latest BIND and bind-dyndb-ldap 9.0+. This procedure is still not complete because we need to handle global forwarders in named.conf too (independently on each server).
  https://fedorahosted.org/freeipa/ticket/5710
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* Add function ipapython.dnsutil.related_to_auto_empty_zone()
  Petr Spacek | 2016-05-30 | 1 | -0/+30
  It allows testing whether a given DNS name is a sub/super domain of an automatic empty zone.
  https://fedorahosted.org/freeipa/ticket/5710
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* Move IP address resolution from ipaserver.install.installutils to ipapython.dnsutil
  Petr Spacek | 2016-05-30 | 1 | -0/+59
  This is to make it reusable from other modules and to avoid future code duplication.
  https://fedorahosted.org/freeipa/ticket/5710
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* Move check_zone_overlap() from ipapython.ipautil to ipapython.dnsutil
  Petr Spacek | 2016-05-30 | 2 | -35/+35
  This is preparatory work to avoid a (future) cyclic import between ipapython.dnsutil and ipapython.ipautil.
  https://fedorahosted.org/freeipa/ticket/5710
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* ipaldap: Convert dict items to list before iterating
  Petr Viktorin | 2016-05-30 | 1 | -1/+1
  In Python 3, dict.items() returns a view. When such a view is iterated over, the dict cannot change size.
  Part of the work for: https://fedorahosted.org/freeipa/ticket/4985
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* ipapython.secrets.kem: Use ConfigParser from six.moves
  Petr Viktorin | 2016-05-30 | 1 | -2/+2
  In Python 3, the module name changed from 'ConfigParser' to 'configparser'. Use the appropriate location from six.
  Part of the work for: https://fedorahosted.org/freeipa/ticket/4985
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* ipaldap: Keep attribute names as text, not bytes
  Petr Viktorin | 2016-05-30 | 1 | -2/+2
  Part of the work for: https://fedorahosted.org/freeipa/ticket/4985
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* Remove unused variable and finally block in SchemaCache
  Martin Basti | 2016-05-12 | 1 | -5/+0
  Handling exceptions in Python is an expensive operation; removing the unneeded finally block is good for performance.
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>

* Removed custom implementation of CalledProcessError
  Abhijeet Kasurde | 2016-05-10 | 1 | -15/+2
  Removed the custom class CalledProcessError, which was required for Python versions prior to 2.5.
  Fixes: https://fedorahosted.org/freeipa/ticket/5717
  Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
  Reviewed-By: Petr Spacek <pspacek@redhat.com>

* Add function ipapython.dnsutil.inside_auto_empty_zone()
  Petr Spacek | 2016-04-28 | 1 | -0/+25
  It allows testing whether a given DNS name belongs to an automatic empty zone.
  https://fedorahosted.org/freeipa/ticket/5710
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* Use shared sanity check and tests ipapython.dnsutil.is_auto_empty_zone()
  Petr Spacek | 2016-04-28 | 1 | -2/+14
  https://fedorahosted.org/freeipa/ticket/5710
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* Move function is_auto_empty_zone() into ipapython.dnsutil
  Petr Spacek | 2016-04-28 | 2 | -7/+7
  I'm going to extend this so it is better to have it in a module. At the same time it is now using the shared assert_absolute_dnsname() helper.
  https://fedorahosted.org/freeipa/ticket/5710
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* Add assert_absolute_dnsname() helper to ipapython.dnsutil
  Petr Spacek | 2016-04-28 | 1 | -0/+19
  Sanity checks for zone names and such should be the same everywhere. This new function will be a replacement for ad-hoc checks.
  https://fedorahosted.org/freeipa/ticket/5710
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* Move automatic empty zone list into ipapython.dnsutil and make it reusable
  Petr Spacek | 2016-04-28 | 2 | -53/+60
  https://fedorahosted.org/freeipa/ticket/5710
  Reviewed-By: Martin Basti <mbasti@redhat.com>
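The ticket 5710 series above (assert_absolute_dnsname(), is_auto_empty_zone(), inside_auto_empty_zone(), related_to_auto_empty_zone(), and the shared zone list) only names the helpers. The block below is an added example written for this page, not ipapython.dnsutil itself: it implements the same four checks over plain label tuples rather than dnspython so it runs stand-alone. The zone list is a hand-copied subset of the automatic empty zones BIND 9 serves (RFC 6303 plus later additions) and is an assumption; the BIND ARM is the authoritative list. The semantics chosen here (inclusive subdomain match, root "." related to everything) are design choices of this example.

```python
# Added example (not ipapython.dnsutil): automatic empty zone checks.

# Illustrative subset of BIND's automatic empty zones (assumption: this is a
# hand-copied subset, not the complete list).
_AUTOMATIC_EMPTY_ZONES = [
    "10.IN-ADDR.ARPA.", "127.IN-ADDR.ARPA.", "0.IN-ADDR.ARPA.",
    "168.192.IN-ADDR.ARPA.", "254.169.IN-ADDR.ARPA.",
    "255.255.255.255.IN-ADDR.ARPA.",
    "2.0.192.IN-ADDR.ARPA.", "100.51.198.IN-ADDR.ARPA.",
    "113.0.203.IN-ADDR.ARPA.",
    "0.IP6.ARPA.", "1.IP6.ARPA.", "D.F.IP6.ARPA.", "8.E.F.IP6.ARPA.",
    "9.E.F.IP6.ARPA.", "A.E.F.IP6.ARPA.", "B.E.F.IP6.ARPA.",
    "8.B.D.0.1.0.0.2.IP6.ARPA.", "EMPTY.AS112.ARPA.", "HOME.ARPA.",
]
# RFC 1918 172.16/12 and RFC 6598 100.64/10 reverse zones, generated.
_AUTOMATIC_EMPTY_ZONES += ["%d.172.IN-ADDR.ARPA." % i for i in range(16, 32)]
_AUTOMATIC_EMPTY_ZONES += ["%d.100.IN-ADDR.ARPA." % i for i in range(64, 128)]


def is_absolute_dnsname(name):
    """True for a text name ending with the root dot."""
    return isinstance(name, str) and name.endswith(".")


def assert_absolute_dnsname(name):
    """Reject anything that is not a text, absolute (trailing dot) DNS name.

    Zone-overlap and empty-zone checks silently give wrong answers for
    relative names, so fail loudly at the boundary instead."""
    if not isinstance(name, str):
        raise TypeError("DNS name must be text, got %s" % type(name).__name__)
    if not name.endswith("."):
        raise ValueError("DNS name %r is not absolute (missing trailing dot)"
                         % name)


def _labels(name):
    """Absolute name -> tuple of lower-cased labels, root-most last.
    The root '.' maps to the empty tuple."""
    assert_absolute_dnsname(name)
    return tuple(label.lower() for label in name[:-1].split(".") if label)


def _is_suffix(name_labels, zone_labels):
    """True when name equals zone or lies below it (inclusive match, the
    same convention as dnspython's Name.is_subdomain)."""
    n, z = len(name_labels), len(zone_labels)
    return n >= z and name_labels[n - z:] == zone_labels


_EMPTY_ZONE_LABELS = [_labels(z) for z in _AUTOMATIC_EMPTY_ZONES]


def is_auto_empty_zone(zone):
    """Exact, case-insensitive match against the empty-zone list."""
    return _labels(zone) in _EMPTY_ZONE_LABELS


def inside_auto_empty_zone(name):
    """True if name is an automatic empty zone or lies below one.

    A default BIND answers NXDOMAIN for such names unless the empty zone is
    disabled or the forwarding policy is 'only'."""
    n = _labels(name)
    return any(_is_suffix(n, z) for z in _EMPTY_ZONE_LABELS)


def related_to_auto_empty_zone(name):
    """True if name is inside an empty zone OR is a superdomain of one
    (e.g. in-addr.arpa. contains several).  The root '.' is a superdomain
    of everything and is therefore always related."""
    n = _labels(name)
    return any(_is_suffix(n, z) or _is_suffix(z, n)
               for z in _EMPTY_ZONE_LABELS)


if __name__ == "__main__":
    for candidate in ("10.in-addr.arpa.", "1.0.0.10.in-addr.arpa.",
                      "in-addr.arpa.", "example.com."):
        print("%-26s empty=%s inside=%s related=%s" % (
            candidate, is_auto_empty_zone(candidate),
            inside_auto_empty_zone(candidate),
            related_to_auto_empty_zone(candidate)))
```

The distinction between the three checks is what the DNS upgrade commit above relies on: a zone that is merely related (a superdomain such as in-addr.arpa.) is fine to host, whereas a zone inside an empty zone needs the forwarding policy changed, or BIND will never forward queries for it.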
* Remove function ipapython.ipautil.host_exists()
  Petr Spacek | 2016-04-28 | 1 | -14/+0
  The function duplicated ipalib.util.verify_host_resolvable() in a slightly incompatible way because it used NSS while the rest of IPA uses only DNS.
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* sysrestore: Iterate over a list of dict keys
  Petr Viktorin | 2016-04-28 | 1 | -1/+1
  In Python 3, dict.keys() returns a key view. It is not safe to delete dict keys when iterating over this view. Convert the keys to a list first.
  Part of the work for https://fedorahosted.org/freeipa/ticket/4985
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* Always set hostname
  Martin Basti | 2016-04-26 | 1 | -12/+0
  This prevents cases where the hostname on the system is set inconsistently (transient and static hostnames differ), which may cause IPA errors. This commit ensures that all hostnames are set properly.
  https://fedorahosted.org/freeipa/ticket/5794
  Reviewed-By: David Kupka <dkupka@redhat.com>

* Use netifaces module instead of 'ip' command
  Martin Basti | 2016-04-14 | 1 | -17/+18
  Netifaces allows getting addresses from local interfaces of the host in a safer way than parsing the output of the ip command.
  https://fedorahosted.org/freeipa/ticket/5591
  Reviewed-By: David Kupka <dkupka@redhat.com>

* differentiate between limit types when LDAP search exceeds configured limits
  Martin Babinsky | 2016-04-13 | 1 | -18/+50
  When an LDAP search fails on exceeded limits, we should raise a specific exception for the type of limit raised (size, time, administrative) so that the consumer can distinguish between e.g. searches returning too many entries and those timing out.
  https://fedorahosted.org/freeipa/ticket/5677
  Reviewed-By: Petr Spacek <pspacek@redhat.com>

* Fix: catch Exception instead of more specific exception types
  Martin Basti | 2016-03-22 | 1 | -2/+2
  Regression caused by commit 491447cc5ab8c5eff2be57d609201cefb79f7053. ValueError and AttributeError are too specific for these cases; multiple types of exception can be raised.
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>

* Pylint: remove unnecessary-semicolon
  Martin Basti | 2016-03-22 | 1 | -1/+1
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
  Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>

* Pylint: import max one module per line
  Martin Basti | 2016-03-22 | 1 | -1/+2
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
  Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>

* pylint: remove bare except
  Martin Basti | 2016-03-22 | 4 | -18/+13
  Bare except should not be used.
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
  Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>

* certdb: never use the -r option of certutil
  Jan Cholasta | 2016-03-16 | 1 | -10/+8
  The -r option makes certutil output certificates in DER. If there are multiple certificates sharing the same nickname, certutil will output them concatenated into a single blob. The blob is not valid DER anymore and causes failures further in the code. Use the -a option instead to output the certificates in PEM and convert them to DER on demand.
  https://fedorahosted.org/freeipa/ticket/5117
  https://fedorahosted.org/freeipa/ticket/5720
  Reviewed-By: David Kupka <dkupka@redhat.com>
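The certutil commit above states that concatenated DER is no longer valid DER while PEM survives concatenation, but does not show why. The block below is an added example written for this page, not FreeIPA's certdb module: it parses the outer DER length to detect trailing data (the check a strict decoder performs and that `certutil -r` output with a shared nickname fails), and splits a PEM bundle of the kind `certutil -L -n NICK -a` prints into individual DER blobs. The two "certificates" are constructed five-byte SEQUENCE stand-ins, not real certificates, and the function names are choices made here.

```python
# Added example (not FreeIPA's own code): concatenated DER vs. PEM bundles.
import base64
import re

_PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_object_length(blob):
    """Return the encoded size of the first DER TLV in blob (tag octet +
    length octets + content).  Raises ValueError when the header or the
    content is truncated."""
    if len(blob) < 2:
        raise ValueError("DER object too short")
    first = blob[1]
    if first < 0x80:                     # short form: one length octet
        header, content = 2, first
    else:                                # long form: 0x8N then N octets
        n = first & 0x7f
        if n == 0 or len(blob) < 2 + n:
            raise ValueError("invalid DER length encoding")
        header = 2 + n
        content = int.from_bytes(blob[2:2 + n], "big")
    total = header + content
    if total > len(blob):
        raise ValueError("DER object truncated")
    return total


def is_single_der_object(blob):
    """True only if blob is exactly one well-formed DER object with no
    trailing data.  This is the check that the concatenated output of
    'certutil -L -r' fails when several certs share a nickname."""
    if not blob:
        return False
    try:
        return der_object_length(blob) == len(blob)
    except ValueError:
        return False


def split_concatenated_der(blob):
    """Recover individual objects from a DER concatenation by walking the
    outer lengths.  Only works while every object is well formed, which is
    why relying on it is fragile compared with delimited PEM."""
    objects = []
    while blob:
        n = der_object_length(blob)
        objects.append(blob[:n])
        blob = blob[n:]
    return objects


def pem_to_der_list(pem_text):
    """Split a PEM bundle into one DER blob per certificate.  The
    BEGIN/END delimiters make the boundaries unambiguous regardless of
    how many certificates certutil printed."""
    return [base64.b64decode("".join(body.split()))
            for body in _PEM_CERT_RE.findall(pem_text)]


def der_to_pem(der):
    """Wrap one DER blob in PEM armour with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
            % "\n".join(lines))


# Constructed stand-ins for two certificates sharing a nickname:
# SEQUENCE { INTEGER 1 } and SEQUENCE { INTEGER 2 }.
CERT_A = b"\x30\x03\x02\x01\x01"
CERT_B = b"\x30\x03\x02\x01\x02"


def demo():
    """Return (single cert valid, '-r' style concatenation valid,
    certs recovered from an '-a' style PEM bundle)."""
    concatenated = CERT_A + CERT_B                   # what -r would emit
    bundle = der_to_pem(CERT_A) + der_to_pem(CERT_B)  # what -a would emit
    return (is_single_der_object(CERT_A),
            is_single_der_object(concatenated),
            pem_to_der_list(bundle))


if __name__ == "__main__":
    single_ok, concat_ok, recovered = demo()
    print("single DER valid:", single_ok)
    print("concatenated DER valid:", concat_ok)
    print("certs recovered from PEM bundle:", len(recovered))
```

A decoder that checks for trailing data (as most ASN.1 libraries do) rejects the concatenation outright, which is the failure the commit refers to; converting each PEM block to DER on demand sidesteps the problem without having to guess object boundaries.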
* ipapython.sysrestore: Use str methods instead of functions from the string module
  Petr Viktorin | 2016-03-03 | 1 | -6/+6
  For historical reasons, the string module contained some functions that mirror methods of the str type. These are removed in Python 3. Use str methods instead.
  Part of the work for https://fedorahosted.org/freeipa/ticket/5638
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>

* Move get_ipa_basedn from ipautil to ipadiscovery
  Petr Viktorin | 2016-03-03 | 1 | -41/+0
  The function wasn't used anywhere else.
  Part of the work for https://fedorahosted.org/freeipa/ticket/5638
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>

* pylint: suppress false positive no-member errors
  Martin Basti | 2016-03-02 | 3 | -4/+7
  pylint 1.5 prints many false positive no-member errors which are suppressed by this commit.
  https://fedorahosted.org/freeipa/ticket/5615
  Reviewed-By: David Kupka <dkupka@redhat.com>

* cookie parser: do not fail on cookie with empty value
  Petr Vobornik | 2016-03-01 | 1 | -1/+2
  https://fedorahosted.org/freeipa/ticket/5709
  Reviewed-By: Martin Basti <mbasti@redhat.com>
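The cookie parser commit above names the edge case (a cookie whose value is empty, which is exactly what a server sends to expire a session cookie) without showing the parsing. The following is an added example written for this page, not ipapython.cookie: a small Set-Cookie header parser that keeps empty values, keeps '=' characters inside base64-style values, and records flag attributes. The header strings and cookie names are constructed here.

```python
# Added example (not ipapython.cookie): tolerant Set-Cookie parsing.

def parse_set_cookie(header):
    """Parse one Set-Cookie header value.

    Returns (name, value, attributes).  attributes maps lower-cased
    attribute names to their value, or True for flag attributes such as
    Secure and HttpOnly.  An empty value ('name=' or a bare 'name') is
    accepted rather than treated as a parse error."""
    parts = [p.strip() for p in header.split(";")]
    if not parts or not parts[0]:
        raise ValueError("empty Set-Cookie header")
    # partition() splits on the first '=' only, so a value such as 'abc=='
    # keeps its padding characters.
    name, _sep, value = parts[0].partition("=")
    name = name.strip()
    if not name:
        raise ValueError("cookie without a name: %r" % header)
    value = value.strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue                      # tolerate 'a=1;; Path=/'
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name, value, attrs


def parse_cookie_header(header):
    """Parse a client-side Cookie request header into an ordered list of
    (name, value) pairs, again keeping empty values."""
    pairs = []
    for item in header.split(";"):
        item = item.strip()
        if not item:
            continue
        name, _sep, value = item.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


if __name__ == "__main__":
    # Constructed examples: a session being cleared, and a normal session.
    print(parse_set_cookie(
        "ipa_session=; Path=/ipa; Expires=Thu, 01 Jan 1970 00:00:00 GMT; "
        "Secure; HttpOnly"))
    print(parse_set_cookie("ipa_session=abc==; Path=/ipa; Secure"))
    print(parse_cookie_header("ipa_session=; other=1"))
```

Refusing an empty value would make a client unable to process the very response that logs it out, which is the failure mode ticket 5709 addresses.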
* Move freeipa certmonger helpers to libexecdir.
  Timo Aaltonen | 2016-02-26 | 1 | -11/+2
  The scripts in this directory are simple python scripts, nothing arch-specific in them. Having them under libexec would simplify the code a bit too, since there would be no need to worry about lib vs lib64 (which also causes trouble on Debian).
  https://fedorahosted.org/freeipa/ticket/5586
  Reviewed-By: David Kupka <dkupka@redhat.com>

* client: stop using /etc/pki/nssdb
  Jan Cholasta | 2016-02-24 | 1 | -0/+29
  Don't put any IPA certificates into /etc/pki/nssdb; IPA itself uses /etc/ipa/nssdb and IPA CA certificates are provided to the system using p11-kit. Remove leftovers on upgrade.
  https://fedorahosted.org/freeipa/ticket/5592
  Reviewed-By: David Kupka <dkupka@redhat.com>

* Fixes minor issues
  Stanislav Laznicka | 2016-02-24 | 1 | -4/+10
  Fixes issues discovered by Coverity:
  plugins/baseldap.py: possible undefined value in return
  certmonger.py: possible dereference of None value
  i18n.py: fixed always True bug (+ cosmetic change)
  https://fedorahosted.org/freeipa/ticket/5661
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* Cosmetic changes to the code
  Stanislav Laznicka | 2016-02-24 | 1 | -1/+1
  Fixes some Coverity issues:
  ipadiscovery.py: added assert should universe break
  plugins/dns.py: removed dead code
  dnssec/ldapkeydb.py: attribute assert in the proper object
  test_automount_plugin.py: fixed possible close() on None
  xmlrpc_test.py: Coverity does not like accessing None.__class__
  https://fedorahosted.org/freeipa/ticket/5661
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* Py3: do not use dict.iteritems()
  Martin Basti | 2016-02-23 | 1 | -2/+2
  Py3 does not support iter* methods; this commit replaces 2 occurrences of iteritems() with items(). The dictionaries there are not big, so this is sufficient; we do not need to use six.
  https://fedorahosted.org/freeipa/ticket/5623
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>

* p11helper: Port to Python 3
  Petr Viktorin | 2016-02-17 | 1 | -6/+5
  - Use binascii.hexlify instead of encode('hex')
  - Keep the library name as a text string instead of encoding to bytes
  https://fedorahosted.org/freeipa/ticket/5638
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>

* ipautil: Use mode 'w+' in write_tmp_file
  Petr Viktorin | 2016-02-17 | 1 | -1/+1
  Python defaults to 'w+b', but all callers in IPA write text (as opposed to bytes).
  https://fedorahosted.org/freeipa/ticket/5638
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>

* ipautil.run, kernel_keyring: Encoding fixes for Python 3
  Petr Viktorin | 2016-02-17 | 2 | -5/+5
  https://fedorahosted.org/freeipa/ticket/5638
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>