freeipa.git/ipaplatform/base, branch clisesshandling FreeIPA patches httpinstance: disable system trust module in /etc/httpd/alias 2017-03-14T16:12:19+00:00 Jan Cholasta jcholast@redhat.com 2017-03-01T16:54:05+00:00 f037bfa48356a5fb28eebdb76f9dbd5cb461c2d2 Currently the NSS database in /etc/httpd/alias is installed with the system trust module enabled. This is problematic for a number of reasons: * IPA has its own trust store, which is effectively bypassed when the system trust module is enabled in the database. This may cause IPA unrelated CAs to be trusted by httpd, or even IPA related CAs not to be trusted by httpd. * On client install, the IPA trust configuration is copied to the system trust store for third parties. When this configuration is removed, it may cause loss of trust information in /etc/httpd/alias (https://bugzilla.redhat.com/show_bug.cgi?id=1427897). * When a CA certificate provided by the user in CA-less install conflicts with a CA certificate in the system trust store, the latter may be used by httpd, leading to broken https (https://www.redhat.com/archives/freeipa-users/2016-July/msg00360.html). Disable the system trust module on install and upgrade to prevent the system trust store to be used in /etc/httpd/alias and fix all of the above issues. https://pagure.io/freeipa/issue/6132 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Currently the NSS database in /etc/httpd/alias is installed with the system
trust module enabled. This is problematic for a number of reasons:

* IPA has its own trust store, which is effectively bypassed when the
  system trust module is enabled in the database. This may cause IPA
  unrelated CAs to be trusted by httpd, or even IPA related CAs not to be
  trusted by httpd.

* On client install, the IPA trust configuration is copied to the system
  trust store for third parties. When this configuration is removed, it may
  cause loss of trust information in /etc/httpd/alias
  (https://bugzilla.redhat.com/show_bug.cgi?id=1427897).

* When a CA certificate provided by the user in CA-less install conflicts
  with a CA certificate in the system trust store, the latter may be used
  by httpd, leading to broken https
  (https://www.redhat.com/archives/freeipa-users/2016-July/msg00360.html).

Disable the system trust module on install and upgrade to prevent the
system trust store to be used in /etc/httpd/alias and fix all of the above
issues.

https://pagure.io/freeipa/issue/6132

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Don't allow standalone KRA uninstalls 2017-03-13T15:27:23+00:00 Stanislav Laznicka slaznick@redhat.com 2017-03-08T15:38:12+00:00 5d3a0e6758866239c886e998a6d89c5a4b150184 KRA uninstallation is very likely to break the user's setup. Don't allow it at least till we can be safely sure we are able to remove it in a standalone manner without breaking anything. https://pagure.io/freeipa/issue/6538 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> 
KRA uninstallation is very likely to break the user's setup. Don't
allow it at least till we can be safely sure we are able to remove
it in a standalone manner without breaking anything.

https://pagure.io/freeipa/issue/6538

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
pylint_plugins: add forbidden import checker 2017-03-10T12:04:59+00:00 Jan Cholasta jcholast@redhat.com 2017-02-14T08:58:44+00:00 5d489ac5604ca959cfe439c0594b8739073f3cea Add new pylint AST checker plugin which implements a check for imports forbidden in IPA. Which imports are forbidden is configurable in pylintrc. Provide default forbidden import configuration and disable the check for existing forbidden imports in our code base. Reviewed-By: Martin Basti <mbasti@redhat.com> 
Add new pylint AST checker plugin which implements a check for imports
forbidden in IPA. Which imports are forbidden is configurable in pylintrc.

Provide default forbidden import configuration and disable the check for
existing forbidden imports in our code base.

Reviewed-By: Martin Basti <mbasti@redhat.com>
server install: require IPv6 stack to be enabled 2017-03-09T15:50:21+00:00 Tomas Krizek tkrizek@redhat.com 2017-03-07T12:54:41+00:00 ecb450308d0a49afffb31dda1e405ad40552e70e Add checks to install and replica install to verify IPv6 stack is enabled. IPv6 is required by some IPA parts (AD, conncheck, ...). https://pagure.io/freeipa/issue/6608 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Add checks to install and replica install to verify IPv6 stack
is enabled. IPv6 is required by some IPA parts (AD, conncheck, ...).

https://pagure.io/freeipa/issue/6608

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Move csrgen templates into ipaclient package 2017-03-08T14:59:26+00:00 Christian Heimes cheimes@redhat.com 2017-03-02T15:09:53+00:00 80be18162921268be9c8981495c9e8a4de0c85cd csrgen broke packaging of ipaclient for PyPI. All csrgen related resources are now package data of ipaclient package. Package data is accessed with Jinja's PackageLoader() or through pkg_resources. https://pagure.io/freeipa/issue/6714 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Ben Lipton <blipton@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> 
csrgen broke packaging of ipaclient for PyPI. All csrgen related
resources are now package data of ipaclient package. Package data is
accessed with Jinja's PackageLoader() or through pkg_resources.

https://pagure.io/freeipa/issue/6714

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Ben Lipton <blipton@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Moving ipaCert from HTTPD_ALIAS_DIR 2017-03-01T09:43:41+00:00 Stanislav Laznicka slaznick@redhat.com 2017-01-13T08:08:42+00:00 5ab85b365ae886558b1f077b0d039a0d24bebfa7 The "ipaCert" nicknamed certificate is not required to be in /var/lib/ipa/radb NSSDB anymore as we were keeping a copy of this file in a separate file anyway. Remove it from there and track only the file. Remove the IPA_RADB_DIR as well as it is not required anymore. https://fedorahosted.org/freeipa/ticket/5695 https://fedorahosted.org/freeipa/ticket/6680 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
The "ipaCert" nicknamed certificate is not required to be
in /var/lib/ipa/radb NSSDB anymore as we were keeping a copy
of this file in a separate file anyway. Remove it from there
and track only the file. Remove the IPA_RADB_DIR as well as
it is not required anymore.

https://fedorahosted.org/freeipa/ticket/5695
https://fedorahosted.org/freeipa/ticket/6680

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Move RA agent certificate file export to a different location 2017-03-01T09:43:41+00:00 Stanislav Laznicka slaznick@redhat.com 2017-01-02T16:00:00+00:00 2a1494c9aef2e2b5c06e427e689787e5a2c4dc7f HTTPS connection to certificate server requires client authentication so we need a file with client certificate and private key prior to its first occurence which happens during migration of certificate profiles to LDAP. https://fedorahosted.org/freeipa/ticket/5695 https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
HTTPS connection to certificate server requires client authentication
so we need a file with client certificate and private key prior to
its first occurence which happens during migration of certificate
profiles to LDAP.

https://fedorahosted.org/freeipa/ticket/5695
https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Remove non-sensical kdestroy on https stop 2017-02-22T14:50:48+00:00 Simo Sorce simo@redhat.com 2017-02-15T09:44:59+00:00 b8f304c66994ae82ea484a4e8bd057d4ccf1e6bd This kdestroy runs as root and wipes root's own ccachs ... this is totally inappropriate. Use a file ccache that ends up in the private tmp, so that if the service is restarted the file is automatically removed. https://fedorahosted.org/freeipa/ticket/6673 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
This kdestroy runs as root and wipes root's own ccachs ...
this is totally inappropriate.
Use a file ccache that ends up in the private tmp, so that if the
service is restarted the file is automatically removed.

https://fedorahosted.org/freeipa/ticket/6673

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
server upgrade: always upgrade KRA agent PEM file 2017-02-20T13:00:50+00:00 Jan Cholasta jcholast@redhat.com 2017-02-16T10:19:09+00:00 0862e320916e0123df7e8505ba61229db0cb1e4a Before the KRA agent PEM file is exported in server upgrade, the sysupgrade state file is consulted. This causes the KRA agent PEM file not to be exported to the new location if the upgrade was executed in the past. Do not consult the sysupgrade state file to decide whether to upgrade the KRA agent PEM file or not, the existence of the file is enough to make this decision. https://fedorahosted.org/freeipa/ticket/6675 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
Before the KRA agent PEM file is exported in server upgrade, the sysupgrade
state file is consulted. This causes the KRA agent PEM file not to be
exported to the new location if the upgrade was executed in the past.

Do not consult the sysupgrade state file to decide whether to upgrade the
KRA agent PEM file or not, the existence of the file is enough to make this
decision.

https://fedorahosted.org/freeipa/ticket/6675

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Add a new user to run the framework code 2017-02-15T06:13:37+00:00 Simo Sorce simo@redhat.com 2016-08-16T13:03:19+00:00 4fd89833ee5421b05c10329d627d0e0fc8496046 Add the apache user the ipawebui group. Make the ccaches directory owned by the ipawebui group and make mod_auth_gssapi write the ccache files as r/w by the apache user and the ipawebui group. Fix tmpfiles creation ownership and permissions to allow the user to access ccaches files. The webui framework now works as a separate user than apache, so the certs used to access the dogtag instance need to be usable by this new user as well. Both apache and the webui user are in the ipawebui group, so use that. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Add the apache user the ipawebui group.
Make the ccaches directory owned by the ipawebui group and make
mod_auth_gssapi write the ccache files as r/w by the apache user and
the ipawebui group.
Fix tmpfiles creation ownership and permissions to allow the user to
access ccaches files.
The webui framework now works as a separate user than apache, so the certs
used to access the dogtag instance need to be usable by this new user as well.
Both apache and the webui user are in the ipawebui group, so use that.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>