freeipa.git/ipaserver/secrets, branch fix_ber_scanf FreeIPA patches Fix CustodiaClient ccache handling 2019-06-18T00:36:24+00:00 Christian Heimes cheimes@redhat.com 2019-06-12T20:02:52+00:00 c027b9334b8c3fbb1f31674d7b46c9edb5445208 A CustodiaClient object has to the process environment a bit, e.g. set up GSSAPI credentials. To reuse the credentials in libldap connections, it is also necessary to set up a custom ccache store and to set the environment variable KRBCCNAME temporarily. Fixes: https://pagure.io/freeipa/issue/7964 Co-Authored-By: Fraser Tweedale <ftweedal@redhat.com> Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> 
A CustodiaClient object has to the process environment a bit, e.g. set
up GSSAPI credentials. To reuse the credentials in libldap connections,
it is also necessary to set up a custom ccache store and to set the
environment variable KRBCCNAME temporarily.

Fixes: https://pagure.io/freeipa/issue/7964
Co-Authored-By: Fraser Tweedale <ftweedal@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Move Custodia secrets handler to scripts 2019-04-26T10:09:22+00:00 Christian Heimes cheimes@redhat.com 2019-01-30T13:08:38+00:00 beffa7bcdaea8404472dfd7b0c5f7224fbeb49fa Implement the import and export handlers for Custodia keys as external scripts. It's a prerequisite to drop DAC override permission and proper SELinux rules for ipa-custodia. Except for DMLDAP, handlers no longer run as root but as handler specific users with reduced privileges. The Dogtag-related handlers run as pkiuser, which also help with HSM support. The export and import handles are designed to be executed by sudo, too. In the future, ipa-custodia could be executed as an unprivileged process that runs the minimal helper scripts with higher privileges. Fixes: https://pagure.io/freeipa/issue/6888 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Implement the import and export handlers for Custodia keys as external
scripts. It's a prerequisite to drop DAC override permission and proper
SELinux rules for ipa-custodia.

Except for DMLDAP,  handlers no longer run as root but as handler
specific users with reduced privileges. The Dogtag-related handlers run
as pkiuser, which also help with HSM support.

The export and import handles are designed to be executed by sudo, too.
In the future, ipa-custodia could be executed as an unprivileged process
that runs the minimal helper scripts with higher privileges.

Fixes: https://pagure.io/freeipa/issue/6888
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Py3: Replace six.moves imports 2018-10-05T10:06:19+00:00 Christian Heimes cheimes@redhat.com 2018-09-27T05:47:07+00:00 15d5e44ee89ce4c0f1f366b0d7150166f1a26844 Replace six.moves and six.StringIO/BytesIO imports with cannonical Python 3 packages. Note: six.moves.input behaves differently than builtin input function. Therefore I left six.moves.input for now. See: https://pagure.io/freeipa/issue/7715 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> 
Replace six.moves and six.StringIO/BytesIO imports with cannonical
Python 3 packages.

Note: six.moves.input behaves differently than builtin input function.
Therefore I left six.moves.input for now.

See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Py3: Remove subclassing from object 2018-09-27T09:49:04+00:00 Christian Heimes cheimes@redhat.com 2018-09-26T09:59:50+00:00 b431e9b684df11c811892bd9d2a5711355f0076e Python 2 had old style and new style classes. Python 3 has only new style classes. There is no point to subclass from object any more. See: https://pagure.io/freeipa/issue/7715 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> 
Python 2 had old style and new style classes. Python 3 has only new
style classes. There is no point to subclass from object any more.

See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Fix pylint 2.0 return-related violations 2018-07-11T08:11:38+00:00 Armando Neto abiagion@redhat.com 2018-07-10T20:14:04+00:00 b4ad0d19a20cc66690e7f4e9c4327afeedff2ab2 Aiming to support pylint 2.0 some functions and methods must have their return statements updated in order to fix two new violations: - `useless-return` (R1711): Useless return at end of function or method Emitted when a single "return" or "return None" statement is found at the end of function or method definition. This statement can safely be removed because Python will implicitly return None - `inconsistent-return-statements` (R1710): Either all return statements in a function should return an expression, or none of them should. According to PEP8, if any return statement returns an expression, any return statements where no value is returned should explicitly state this as return None, and an explicit return statement should be present at the end of the function (if reachable) Issue: https://pagure.io/freeipa/issue/7614 Signed-off-by: Armando Neto <abiagion@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Aiming to support pylint 2.0 some functions and methods must have their
return statements updated in order to fix two new violations:

- `useless-return` (R1711):
  Useless return at end of function or method Emitted when a single
  "return" or "return None" statement is found at the end of function
  or method definition. This statement can safely be removed because
  Python will implicitly return None

- `inconsistent-return-statements` (R1710):
  Either all return statements in a function should return an
  expression, or none of them should. According to PEP8, if any return
  statement returns an expression, any return statements where no value
  is returned should explicitly state this as return None, and an
  explicit return statement should be present at the end of the
  function (if reachable)

Issue: https://pagure.io/freeipa/issue/7614

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add absolute_import future imports 2018-04-20T07:43:37+00:00 Stanislav Laznicka slaznick@redhat.com 2018-04-05T07:21:16+00:00 b5bdd07bc54ca557491652ce61011ae6aa3eb592 Add absolute_import from __future__ so that pylint does not fail and to achieve python3 behavior in python2. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Add absolute_import from __future__ so that pylint
does not fail and to achieve python3 behavior in
python2.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Unified ldap_initialize() function 2018-02-15T17:32:17+00:00 Christian Heimes cheimes@redhat.com 2018-02-15T11:30:06+00:00 1b0c55a3b362a8655d0ec6c55d30d6173fa88eee Replace all ldap.initialize() calls with a helper function ldap_initialize(). It handles cacert and cert validation correctly. It also provides a unique place to handle python-ldap 3.0 bytes warnings in the future. Fixes: https://pagure.io/freeipa/issue/7411 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Replace all ldap.initialize() calls with a helper function
ldap_initialize(). It handles cacert and cert validation correctly. It
also provides a unique place to handle python-ldap 3.0 bytes warnings in
the future.

Fixes: https://pagure.io/freeipa/issue/7411
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Fix multiple uninstallation of server 2018-02-15T13:02:03+00:00 Christian Heimes cheimes@redhat.com 2018-02-07T13:22:06+00:00 0cc2a6cae01043f0aba32319ac8c6475780b6d7f "ipa-server-install --uninstall" no longer fails with error message "'Env' object has no attribute 'basedn'" when executed on a system that has no freeIPA server installation. Fixes: https://pagure.io/freeipa/issue/7063 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Felipe Volpone <fbarreto@redhat.com> 
"ipa-server-install --uninstall" no longer fails with error message
"'Env' object has no attribute 'basedn'" when executed on a system that
has no freeIPA server installation.

Fixes: https://pagure.io/freeipa/issue/7063
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
LGTM: Fix multiple use before assignment 2018-01-09T06:53:28+00:00 Christian Heimes cheimes@redhat.com 2018-01-03T10:09:41+00:00 73ee9ff40e7026ce264d0445db96fa16a33ed589 - Move assignment before try/finally block - Add raise to indicate control flow change - Add default value https://pagure.io/freeipa/issue/7344 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> 
- Move assignment before try/finally block
- Add raise to indicate control flow change
- Add default value

https://pagure.io/freeipa/issue/7344

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Custodia uninstall: Don't fail when LDAP is down 2017-12-20T08:55:46+00:00 Christian Heimes cheimes@redhat.com 2017-12-18T12:52:10+00:00 bfd4e3edd8d1b8cc9cfa685f761b93ee1c8b5f73 The Custodia instance is removed when LDAP is already shut down. Don't fail and only remove the key files from disk. The server_del command takes care of all Custodia keys in LDAP. https://pagure.io/freeipa/issue/7318 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> 
The Custodia instance is removed when LDAP is already shut down. Don't
fail and only remove the key files from disk. The server_del command
takes care of all Custodia keys in LDAP.

https://pagure.io/freeipa/issue/7318

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>