freeipa.git/ipapython, branch fix_ber_scanf FreeIPA patches ipapython/ipachangeconf.py: change "is not 0" for "!= 0" 2019-09-02T15:39:11+00:00 François Cami fcami@redhat.com 2019-09-02T08:58:35+00:00 02262ac7cfa52926fd0c943ddf6e96269e90e218 Python 3.8 introduced a warning to check for usage of "is not" when comparing literals. Any such usage will output: SyntaxWarning: "is not" with a literal. Did you mean "!="? See: https://bugs.python.org/issue34850 Fixes: https://pagure.io/freeipa/issue/8057 Signed-off-by: François Cami <fcami@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> 
Python 3.8 introduced a warning to check for usage of "is not"
when comparing literals. Any such usage will output:
SyntaxWarning: "is not" with a literal. Did you mean "!="?
See: https://bugs.python.org/issue34850

Fixes: https://pagure.io/freeipa/issue/8057
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Move ipachangeconf from ipaclient.install to ipapython 2019-08-29T02:15:50+00:00 Rob Critenden rcritten@redhat.com 2019-08-16T18:10:05+00:00 e5af8c19a9e40fb3b96c56ace081f79980437fc2 This will let us call it from ipaplatform. Mark the original location as deprecated. Reviewed-By: Francois Cami <fcami@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
This will let us call it from ipaplatform.

Mark the original location as deprecated.

Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Allow insecure binds for migration 2019-08-13T16:43:58+00:00 Christian Heimes cheimes@redhat.com 2019-08-13T15:22:01+00:00 a36556e1064900af7a75ca6f07aba66212cf321a Commit 5be9341fbabaf7bcb396a2ce40f17e1ccfa54b77 disallowed simple bind over an insecure connection. Password logins were only allowed over LDAPS or LDAP+STARTTLS. The restriction broke 'ipa migrate-ds' in some cases. This commit lifts the restriction and permits insecure binds over plain LDAP. It also makes the migrate-ds plugin use STARTTLS when a CA certificate is configured with a plain LDAP connection. Fixes: https://pagure.io/freeipa/issue/8040 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Thomas Woerner <twoerner@redhat.com> 
Commit 5be9341fbabaf7bcb396a2ce40f17e1ccfa54b77 disallowed simple bind
over an insecure connection. Password logins were only allowed over LDAPS
or LDAP+STARTTLS. The restriction broke 'ipa migrate-ds' in some cases.

This commit lifts the restriction and permits insecure binds over plain
LDAP. It also makes the migrate-ds plugin use STARTTLS when a CA
certificate is configured with a plain LDAP connection.

Fixes: https://pagure.io/freeipa/issue/8040
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
ipapython/admintool.py: use SERVER_NOT_CONFIGURED 2019-07-30T10:01:27+00:00 François Cami fcami@redhat.com 2019-07-29T09:22:09+00:00 402246a72990f77591f5efaec7ff0bc0cf82f416 Commit 9182917280a5c2590fa677729db54b38a9ac4d1f introduced SUCCESS, SERVER_INSTALL_ERROR and SERVER_NOT_CONFIGURED to deal with cases when server is not configured. Actually use SERVER_NOT_CONFIGURED in log_failure instead of 2. Related-to: https://pagure.io/freeipa/issue/6843 Signed-off-by: François Cami <fcami@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
Commit 9182917280a5c2590fa677729db54b38a9ac4d1f introduced
SUCCESS, SERVER_INSTALL_ERROR and SERVER_NOT_CONFIGURED to
deal with cases when server is not configured.
Actually use SERVER_NOT_CONFIGURED in log_failure instead of 2.

Related-to: https://pagure.io/freeipa/issue/6843
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
upgrade: remove ipaCert and key from /etc/httpd/alias 2019-07-15T14:08:21+00:00 Florence Blanc-Renaud flo@redhat.com 2019-07-08T09:25:13+00:00 ef39e1b02a2ef965997d38fc7b72d5ee1542d44b With ipa 4.5+, the RA cert is stored in files in /var/lib/ipa/ra-agent.{key|pem}. The upgrade code handles the move from /etc/httpd/alias to the files but does not remove the private key from /etc/httpd/alias. The fix calls certutil -F -n ipaCert to remove cert and key, instead of -D -n ipaCert which removes only the cert. Fixes: https://pagure.io/freeipa/issue/7329 Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> 
With ipa 4.5+, the RA cert is stored in files in
/var/lib/ipa/ra-agent.{key|pem}. The upgrade code handles
the move from /etc/httpd/alias to the files but does not remove
the private key from /etc/httpd/alias.

The fix calls certutil -F -n ipaCert to remove cert and key,
instead of -D -n ipaCert which removes only the cert.

Fixes: https://pagure.io/freeipa/issue/7329
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
ipapython.ipautil.run: allow skipping stdout/stderr logging 2019-06-29T08:00:28+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-06-16T20:50:39+00:00 d85e0550cab58d64e65610314906d32bd21a9e39 There are cases when output from a utility run contains sensitive content that is better to avoid logging. For example, klist can be told to show actual encryption keys with -K option. Redacting them out with nolog option to ipapython.ipautil.run() is not possible because replacement routine expects exact matches. Introduce two boolean options that allow to skip printing output from the utility being run: -- nolog_output: skip printing captured stdout -- nolog_error: skip printing captured stderr These options default to False (thus, stdout/stderr content will continue to be printed). In case they were set to True, corresponding line will contain stdout=<REDACTED> or stderr=<REDACTED> Fixes: https://pagure.io/freeipa/issue/3999 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
There are cases when output from a utility run contains sensitive
content that is better to avoid logging. For example, klist can be told
to show actual encryption keys with -K option. Redacting them out with
nolog option to ipapython.ipautil.run() is not possible because
replacement routine expects exact matches.

Introduce two boolean options that allow to skip printing output from
the utility being run:
  -- nolog_output: skip printing captured stdout
  -- nolog_error: skip printing captured stderr

These options default to False (thus, stdout/stderr content will
continue to be printed). In case they were set to True, corresponding
line will contain

   stdout=<REDACTED>

or

   stderr=<REDACTED>

Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
ipaserver.install.installutils: move commonly used utils to ipapython.ipautil 2019-06-29T08:00:28+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-06-11T15:05:29+00:00 cdb94e0ff2c7bc03b2f0064b77fedabfa0ae8121 When creating ipa-client-samba tool, few common routines from the server installer code became useful for the client code as well. Move them to ipapython.ipautil and update references as well. Fixes: https://pagure.io/freeipa/issue/3999 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
When creating ipa-client-samba tool, few common routines from the server
installer code became useful for the client code as well.

Move them to ipapython.ipautil and update references as well.

Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
admintool: don't display log file on errors unless logging is setup 2019-06-11T17:42:50+00:00 Rob Crittenden rcritten@redhat.com 2019-05-17T19:08:29+00:00 10b721d118a295b62a4c1df52ae47d8b106464a2 The admintool will display the message when something goes wrong: See %s for more information" % self.log_file_name This is handy except when finally logging setup is not done yet so the log file doesn't actually get written to. This can happen if validation catches and raises an exception. Fixes: https://pagure.io/freeipa/issue/7952 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> 
The admintool will display the message when something goes wrong:

See %s for more information" % self.log_file_name

This is handy except when finally logging setup is not done
yet so the log file doesn't actually get written to.

This can happen if validation catches and raises an exception.

Fixes: https://pagure.io/freeipa/issue/7952

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
dn: sort AVAs when converting from x509.Name 2019-06-11T06:14:44+00:00 Fraser Tweedale ftweedal@redhat.com 2019-05-29T03:22:35+00:00 ad7472970305f7be2d3afc65fda1e86296d118dd Equal DNs with multi-valued RDNs can compare inequal if one (or both) is constructed from a cryptography.x509.Name, because the AVAs in the multi-valued RDNs are not being sorted. Sort the AVAs when constructing from Name and add test cases for equality checks on multi-valued RDNs constructed from inputs with permuted AVA order. Part of: https://pagure.io/freeipa/issue/7963 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
Equal DNs with multi-valued RDNs can compare inequal if one (or
both) is constructed from a cryptography.x509.Name, because the AVAs
in the multi-valued RDNs are not being sorted.

Sort the AVAs when constructing from Name and add test cases for
equality checks on multi-valued RDNs constructed from inputs with
permuted AVA order.

Part of: https://pagure.io/freeipa/issue/7963

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Return 0 on uninstall when on_master for case of not installed 2019-06-07T09:24:45+00:00 Rob Crittenden rcritten@redhat.com 2019-06-04T16:18:46+00:00 c1c50650a7f359aa9fd77d4348c31169ca878003 This is to suppress the spurious error message: The ipa-client-install command failed. when the client is not configured. This is managed by allowing a ScriptError to return SUCCESS (0) and have this ignored in log_failure(). https://pagure.io/freeipa/issue/7836 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> 
This is to suppress the spurious error message:

The ipa-client-install command failed.

when the client is not configured.

This is managed by allowing a ScriptError to return SUCCESS (0)
and have this ignored in log_failure().

https://pagure.io/freeipa/issue/7836

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>