freeipa.git/ipaserver/plugins, branch cakeysfix FreeIPA patches Refresh Dogtag RestClient.ca_host property 2017-05-02T15:33:25+00:00 Stanislav Laznicka slaznick@redhat.com 2017-04-27T10:51:30+00:00 0d406fcb784924bfe685729f3156efb8c902b947 Refresh the ca_host property of the Dogtag's RestClient class when it's requested as a context manager. This solves the problem which would occur on DL0 when installing CA which needs to perform a set of steps against itself accessing 8443 port. This port should however only be available locally so trying to connect to remote master would fail. We need to make sure the right CA host is accessed. https://pagure.io/freeipa/issue/6878 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Refresh the ca_host property of the Dogtag's RestClient class when
it's requested as a context manager.

This solves the problem which would occur on DL0 when installing
CA which needs to perform a set of steps against itself accessing
8443 port. This port should however only be available locally so
trying to connect to remote master would fail. We need to make
sure the right CA host is accessed.

https://pagure.io/freeipa/issue/6878

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Vault: Explicitly default to 3DES CBC 2017-04-28T06:25:03+00:00 Christian Heimes cheimes@redhat.com 2017-04-26T16:15:40+00:00 5197422ef65e7239fc56c562ab87d99388a38a8d The server-side plugin for IPA Vault relied on the fact that the default oid for encryption algorithm is 3DES in CBC mode (DES-EDE3-CBC). Dogtag 10.4 has changed the default from 3DES to AES. Pass the correct algorithm OID to KeyClient.archive_encrypted_data(). Closes: https://pagure.io/freeipa/issue/6899 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> 
The server-side plugin for IPA Vault relied on the fact that the default
oid for encryption algorithm is 3DES in CBC mode (DES-EDE3-CBC). Dogtag
10.4 has changed the default from 3DES to AES. Pass the correct
algorithm OID to KeyClient.archive_encrypted_data().

Closes: https://pagure.io/freeipa/issue/6899
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches 2017-04-26T10:20:42+00:00 Gabe redhatrises@gmail.com 2017-04-25T13:51:17+00:00 38276d3473ecf2a4cc5b5e2a107347f046625626 - Update get_attr_filter in LDAPSearch to handle nsaccountlock by setting the default value for nsaccountlock to false as well as update the filter to check for the default value - Remove pytest xfail for test_find_enabled_user https://pagure.io/freeipa/issue/6896 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
- Update get_attr_filter in LDAPSearch to handle nsaccountlock by setting the default value for
  nsaccountlock to false as well as update the filter to check for the default value
- Remove pytest xfail for test_find_enabled_user

https://pagure.io/freeipa/issue/6896

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
cert: defer cert-find result post-processing 2017-04-19T11:28:27+00:00 Jan Cholasta jcholast@redhat.com 2017-03-30T08:33:30+00:00 eb6d4c3037d0cc269a7924745f1cbd8f647e6e1a Rather than post-processing the results of each internal search, post-process the combined result. This avoids expensive per-certificate searches when cert-find is executed with the --all option on certificates which won't even be included in the combined result. https://pagure.io/freeipa/issue/6808 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
Rather than post-processing the results of each internal search,
post-process the combined result.

This avoids expensive per-certificate searches when cert-find is executed
with the --all option on certificates which won't even be included in the
combined result.

https://pagure.io/freeipa/issue/6808

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
trust: always use oddjobd helper for fetching trust information 2017-04-11T12:16:39+00:00 Alexander Bokovoy abokovoy@redhat.com 2017-04-05T09:37:10+00:00 e560899cce20ca7773a5ce46a1c29db1349e8ec7 Since introduction of privilege separation in IPA framework none of the operations that require direct access to the framework's credentials can be done. All authentication has to be performed with GSSAPI. As result, we cannot obtain TGT for HTTP/.. principal with kinit anymore, so it is better to re-route all types of trust to oddjobd helper and get rid of casing out two-way trust. Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1438366 Reviewed-By: Martin Basti <mbasti@redhat.com> 
Since introduction of privilege separation in IPA framework none of the
operations that require direct access to the framework's credentials can
be done. All authentication has to be performed with GSSAPI.

As result, we cannot obtain TGT for HTTP/.. principal with kinit
anymore, so it is better to re-route all types of trust to oddjobd
helper and get rid of casing out two-way trust.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1438366

Reviewed-By: Martin Basti <mbasti@redhat.com>
idrange-add: properly handle empty --dom-name option 2017-04-05T08:15:51+00:00 Florence Blanc-Renaud flo@redhat.com 2017-03-28T14:02:45+00:00 70743c8c48db54309a09d510b3a5d8ae86c29e58 When idrange-add is called with --dom-name=, the CLI exits with ipa: ERROR: an internal error has occurred This happens because the code checks if the option is provided but does not check if the value is None. We need to handle empty dom-name as if the option was not specified. https://pagure.io/freeipa/issue/6404 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
When idrange-add is called with --dom-name=, the CLI exits with
ipa: ERROR: an internal error has occurred
This happens because the code checks if the option is provided but does not
check if the value is None.

We need to handle empty dom-name as if the option was not specified.

https://pagure.io/freeipa/issue/6404

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Add an option to build ipaserver wheels 2017-04-03T11:08:52+00:00 Christian Heimes cheimes@redhat.com 2017-01-17T11:16:25+00:00 ae1c2086db3efb51341025ae25f9b39060868ac1 To create a wheel bundle with ipaserver and its dependencies: make wheel_bundle IPA_SERVER_WHEELS=1 To include additional dependencies: make wheel_bundle IPA_EXTRA_WHEELS=ipatests[webui] Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
To create a wheel bundle with ipaserver and its dependencies:

    make wheel_bundle IPA_SERVER_WHEELS=1

To include additional dependencies:

    make wheel_bundle IPA_EXTRA_WHEELS=ipatests[webui]

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Conditionally import pyhbac 2017-04-03T11:08:52+00:00 Christian Heimes cheimes@redhat.com 2017-01-17T07:49:54+00:00 3064b890e24a5056c77f19c3951cfb59d49366f8 The pyhbac module is part of SSSD. It's not available as stand-alone PyPI package. It would take a lot of effort to package it because the code is deeply tight into SSSD. Let's follow the example of other SSSD Python packages and make the import of pyhbac conditionally. It's only necessary for caacl and hbactest plugins. I renamed convert_to_ipa_rule() to _convert_to_ipa_rule() because it does not check for presence of pyhbac package itself. The check is performed earlier in execute(). The prefix indicates that it is an internal function and developers have to think twice before using it in another place. This makes it much easier to install ipaserver with instrumented build of Python with a different ABI or in isolated virtual envs to profile and debug the server. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
The pyhbac module is part of SSSD. It's not available as stand-alone
PyPI package. It would take a lot of effort to package it because the
code is deeply tight into SSSD.

Let's follow the example of other SSSD Python packages and make the
import of pyhbac conditionally. It's only necessary for caacl and
hbactest plugins.

I renamed convert_to_ipa_rule() to _convert_to_ipa_rule() because it
does not check for presence of pyhbac package itself. The check is
performed earlier in execute(). The prefix indicates that it is an
internal function and developers have to think twice before using it
in another place.

This makes it much easier to install ipaserver with instrumented build
of Python with a different ABI or in isolated virtual envs to profile
and debug the server.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Hide request_type doc string in cert-request help 2017-03-31T10:32:51+00:00 Abhijeet Kasurde akasurde@redhat.com 2017-02-18T11:01:07+00:00 a1bb442054936113369a88b49483e914664712e7 Fix hides description of request_type argument in cert-request command help Fixes https://pagure.io/freeipa/issue/6494 Fixes https://pagure.io/freeipa/issue/5734 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> 
Fix hides description of request_type argument in cert-request
command help

Fixes https://pagure.io/freeipa/issue/6494
Fixes https://pagure.io/freeipa/issue/5734

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Add --password-expiration to allow admin to force user password expiration 2017-03-31T10:19:40+00:00 Gabe redhatrises@gmail.com 2017-03-31T00:21:47+00:00 274b0bcf5ff2408739d94ba1b1b4bca69f310dfc - Allows an admin to easily force a user to expire their password forcing the user to change it immediately or at a specified time in the future Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
- Allows an admin to easily force a user to expire their password forcing the user to change it immediately or at a specified time in the future

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>