summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* stageuser: Add stageuser-{add,remove}-principalDavid Kupka2017-02-072-0/+38
| | | | | | https://fedorahosted.org/freeipa/ticket/6623 Reviewed-By: Martin Basti <mbasti@redhat.com>
* stageuser: Add stageuser-{add,remove}-certDavid Kupka2017-02-074-38/+78
| | | | | | | | | Move {add,remove}-cert implementation from user to baseuser and inherit {,stage}user-{add,remove}-cert from it. https://fedorahosted.org/freeipa/ticket/6623 Reviewed-By: Martin Basti <mbasti@redhat.com>
* replica install: do not log host OTPJan Cholasta2017-02-071-1/+3
| | | | | | | | | | Do not log the value of the --password option of ipa-client-install when it is run from ipa-replica-install before replica promotion. https://fedorahosted.org/freeipa/ticket/6633 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
* pki-base: use pki-base-python2 as dependencyMartin Basti2017-02-071-3/+2
| | | | | | | | | | | | | pki-base provides pki-base-python2, but we should depend directly on pki-base-python2 because in future pki-base may provide pki-base-python3 instead. Source: cheimes@redhat.com https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* pki: add missing depedency pki-base[-python3]Martin Basti2017-02-071-2/+3
| | | | | | | | | FreeIPA server modules requires pki module https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipatests: nested netgroups (intg)Petr Čech2017-02-072-0/+170
| | | | | | | | | | | Adds a test case for issue in SSSD that manifested in an inability to resolve nested membership in netgroups The test case tests for direct and indirect membership. https://fedorahosted.org/freeipa/ticket/6439 Reviewed-By: Martin Basti <mbasti@redhat.com>
* py3: x509.py: return principal as unicode stringMartin Basti2017-02-071-6/+6
| | | | | | | | | X509 return principal as unicode string https://fedorahosted.org/freeipa/ticket/4985 https://fedorahosted.org/freeipa/ticket/6640 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Fix reference before assignmentFraser Tweedale2017-02-061-0/+1
| | | | | | | | | | In 'store_session_cookie', if the server does not set the session cookie for some reason, the 'session_cookie' variable does not get assigned, resulting in UnboundLocalError. Set an initial value of 'None'. Fixes: https://fedorahosted.org/freeipa/ticket/6636 Reviewed-By: Martin Basti <mbasti@redhat.com>
* build: Add missing dependency on libxmlrpc{,_util}David Kupka2017-02-061-1/+1
| | | | | | | | | | Change in libxmlrpc packaging uncovered missing linking dependency in our build system. https://fedorahosted.org/freeipa/ticket/6637 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
* tests: add test for PEM certificate files with leading textJan Cholasta2017-02-061-0/+11
| | | | Reviewed-By: Christian Heimes <cheimes@redhat.com>
* ipa-kra-install must create directory if it does not existFlorence Blanc-Renaud2017-02-021-0/+4
| | | | | | | | | | | | | ipa-kra-install creates an admin cert file in /root/.dogtag/pki-tomcat/ca_admin.cert but does not check that the parent directory exists. This situation can happen when uninstall + restore has been run. The fix creates the directory if not present. https://fedorahosted.org/freeipa/ticket/6606 Reviewed-By: Christian Heimes <cheimes@redhat.com>
* py3: tests_xmlrpc: do not call str() on bytesMartin Basti2017-02-022-3/+3
| | | | | | | | | Calling str() on bytes causes undesired side effect: it adds prefix "b" to the result of conversion. The method decode() should be used instead. https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com>
* private_ccache: yield ccache nameFraser Tweedale2017-01-311-1/+1
| | | | | | | | | | When using private_ccache, yield 'path' from the context manager. This is cleaner than inspecting 'os.environ['KRB5CCNAME']' within the context. Part of: https://fedorahosted.org/freeipa/ticket/5011 Reviewed-By: Martin Basti <mbasti@redhat.com>
* py3: normalize_certificate: support both bytes and unicodeMartin Basti2017-01-311-6/+15
| | | | | | https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com>
* py3: strip_header: support both bytes and unicodeMartin Basti2017-01-311-6/+10
| | | | | | | | Various method passed various bytes or unicode as parameter https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com>
* py3: fingerprint_hex_sha256: fix encoding/decodingMartin Basti2017-01-311-3/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com>
* py3: fix CSR encoding inside frameworkMartin Basti2017-01-312-2/+4
| | | | | | | | | csr must be in string because framework excpects only strings, so we have to decode it back https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Principal: validate type of input parameterMartin Basti2017-01-311-1/+6
| | | | | | | Bytes are unsupported and we should raise a TypeError from Principal __init__ method otherwise we get hard to debug result Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Use dict comprehensionMartin Basti2017-01-311-1/+3
| | | | Reviewed-By: Christian Heimes <cheimes@redhat.com>
* py3: can_read: attributelevelrights is already stringMartin Basti2017-01-311-1/+1
| | | | | | | | | Remove decode() as it causes error in py3 because the attribute is already string not bytes https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com>
* py3: get_effective_rights: values passed to ldap must be bytesMartin Basti2017-01-311-1/+4
| | | | | | | | Values passed to LDAP must be bytes https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com>
* py3: ipaldap: update encode/decode methodsMartin Basti2017-01-311-34/+7
| | | | | | | | | | | Update encoding/decoding accordingly to work under Py3 Removing functions that were used only once in code and give no real improvements https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com>
* py3: rpcserver fix undefined variableMartin Basti2017-01-311-1/+2
| | | | | | | | | variable 'e' is valid only in except block in py3, so it must be assigned to different variable for further usage https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com>
* py3: WSGI executioners must return bytes in listMartin Basti2017-01-311-10/+12
| | | | | | | | | WSGI prints TypeError into error log when IPA doesn't return bytes in list as result https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com>
* py3: session: fix r/w ccache dataMartin Basti2017-01-311-6/+5
| | | | | | | | | ccache contains binary data, so it should be read and write in binary mode https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Py3: Fix undefined variableMartin Basti2017-01-311-1/+1
| | | | | | | | Variable 'e' has only local scope in except block in Py3 https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com>
* py3: rpcserver: decode input because json requires stringMartin Basti2017-01-311-1/+1
| | | | | | | | json library parses string so input must be decoded https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com>
* py3: session.py decode server name to strMartin Basti2017-01-311-1/+1
| | | | | | | | | This fix is temporal because Memcache will be removed soon, so it is more workaround than fix https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Use proper logging for error messagesMartin Basti2017-01-311-4/+6
| | | | | | https://fedorahosted.org/freeipa/ticket/6588r Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* wait_for_entry: use only DN as parameterMartin Basti2017-01-312-5/+3
| | | | | | | | | Using the whole entry is not needed as parameter because only DN is used and it prevents easier usage of this function https://fedorahosted.org/freeipa/ticket/6588 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* tests: Add tests for CSR autogenerationBen Lipton2017-01-3113-28/+492
| | | | | | | | | This patch also contains some code changes to make the code easier to test and to make the tests pass. https://fedorahosted.org/freeipa/ticket/4899 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* csrgen: Use data_sources option to define which fields are renderedBen Lipton2017-01-3113-77/+75
| | | | | | | | | | | | | | | This removes the ipa.syntaxrule and ipa.datarule macros in favor of simple 'if' statements based on the data referenced in the rules. The 'if' statement for a syntax rule is generated based on the data rules it contains. The Subject DN should not be generated unless all data rules are in place, so the ability to override the logical operator that combines data_sources (from 'or' to 'and') is added. https://fedorahosted.org/freeipa/ticket/4899 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* csrgen: Add a CSR generation profile for user certificatesBen Lipton2017-01-314-0/+41
| | | | | | https://fedorahosted.org/freeipa/ticket/4899 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* csrgen: Add CSR generation profile for caIPAserviceCertBen Lipton2017-01-316-0/+73
| | | | | | https://fedorahosted.org/freeipa/ticket/4899 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* csrgen: Add code to generate scripts that generate CSRsBen Lipton2017-01-3113-0/+623
| | | | | | | | | | | | Adds a library that uses jinja2 to format a script that, when run, will build a CSR. Also adds a CLI command, 'cert-get-requestdata', that uses this library and builds the script for a given principal. The rules are read from json files in /usr/share/ipa/csr, but the rule provider is a separate class so that it can be replaced easily. https://fedorahosted.org/freeipa/ticket/4899 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipa-ca-install: do not fail without --subject-base and --ca-subjectJan Cholasta2017-01-311-3/+4
| | | | | | | | | | | | | | When --subject-base and --ca-subject are not specified in ipa-ca-install, default values are used. DN objects are used as the default values in ipa-ca-install, but the CA installer expects the values to be strings. This causes ipa-ca-install to fail unless both --subject-base and --ca-subject are specified. Convert the DN objects to strings to fix the issue. https://fedorahosted.org/freeipa/ticket/2614 Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* Explicitly handle quoting/unquoting of NSSNickname directiveMartin Babinsky2017-01-252-4/+14
| | | | | | | | | | | Improve the single/double quote handling during parsing/unparsing of nss.conf's NSSNickname directive. Single quotes are now added/stripped explicitly when handling the certificate nickname. https://fedorahosted.org/freeipa/ticket/6460 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Delegate directive value quoting/unquoting to separate functionsMartin Babinsky2017-01-251-27/+43
| | | | | | | | | | | | | | | | | Separate functions were added to installutils module to quote/unquote a string in arbitrary characters. `installutils.get/set_directive` functions will use them to enclose the directive values in double quotes/strip the double quotes from retrieved values to maintain the original behavior. These functions can be used also for custom quoting/unquoting of retrieved values when desired. https://fedorahosted.org/freeipa/ticket/6460 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com>
* installutils: improve directive value parsing in `get_directive`Martin Babinsky2017-01-251-2/+17
| | | | | | | | | | | | | `get_directive` value parsing was improved in order to bring its logic more in-line to changes in `set_directive`: a specified quoting character is now unquoted and stripped from the retrieved value. The function will now also error out when malformed directive is encountered. https://fedorahosted.org/freeipa/ticket/6460 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Fix the installutils.set_directive docstringMartin Babinsky2017-01-251-5/+8
| | | | | | | | | Add missing parameter descriptions and fix incorrect indentation https://fedorahosted.org/freeipa/ticket/6460 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com>
* cert: fix search limit handling in cert-findJan Cholasta2017-01-241-4/+17
| | | | | | | | | | | | | | If search limits are not specified in cert-find, use the configured limits. This applies to the certificate search in the CA as well. Detect and report if size limit was exceeded in the certificate search in the CA. Do not apply limits to the internal ca-find call. https://fedorahosted.org/freeipa/ticket/6564 Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* dogtag: search past the first 100 certificatesJan Cholasta2017-01-241-1/+1
| | | | | | | | | | | | | Dogtag requires a size limit to be specified when searching for certificates. When no limit is specified in the dogtag plugin, a limit of 100 entries is assumed. As a result, an unlimited certificate search returns data only for a maximum of 100 certificates. Raise the "unlimited" limit to the maximum value Dogtag accepts. https://fedorahosted.org/freeipa/ticket/6564 Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* py3: decode bytes for json.loads()Martin Basti2017-01-245-6/+59
| | | | | | | | | | | | In py 3.5 json.loads requires to have string as input, all bytes must be decoded. Note: python 3.6 supports bytes for json.loads() https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* dogtag.py: fix exception logging of JSON dataMartin Basti2017-01-241-4/+8
| | | | | | | | 'read_ca' and 'create_ca' have no logging when exception happened and it masks real reason why it failed. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* py3: convert_attribute_members: don't use bytes as parameter for DNMartin Basti2017-01-241-1/+1
| | | | | | | | | | due perfomance improvement in e4930b3235e5d61d227a7e43d30a8feb7f35664d we have to decode value before it can be used in DN() constructor. https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* py3: make_filter_from_attr: use string instead of bytesMartin Basti2017-01-241-1/+2
| | | | | | | | | | Method escape_filter_chars() requires string as parameter instead of bytes. 'value_to_utf8' returns bytes thus this code has to be removed. https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* py3: __add_acl: use standard ipaldap methodsMartin Basti2017-01-241-8/+5
| | | | | | | | | | Using raw pyldap interface we have to keep vaules as bytes. Is easier to migrate to ipaldap and use strings without decoding and encoding. https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* py3: add_entry_to_group: attribute name must be string not bytesMartin Basti2017-01-241-1/+1
| | | | | | | | | With bytes as attribute name pyldap raises type error https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* py3: HTTPResponse has no 'dict' attribute in 'msg'Martin Basti2017-01-241-1/+1
| | | | | | | | | | There is no 'dict' attribute in 'msg', but 'msg' attribute is dict-like object in both py2/3, so it can be used instead. https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* py3: _httplib_request: don't convert string to bytesMartin Basti2017-01-241-3/+1
| | | | | | | | | | | There is no need to encode hostname to bytes. UTF-8 characters must be encoded in different format in URL anyway and it causes only error in Py3. String must be unicode to support Py2. https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
generated by cgit (git 2.34.1) at 2025-08-31 00:59:26 +0000