summaryrefslogtreecommitdiffstats
path: root/ipaclient
Commit message (Collapse)AuthorAgeFilesLines
* DNS: dns-update-system-record can create nsupdate fileMartin Basti2017-02-151-6/+66
| | | | | | | | | | Added option --out <path> creates a file with IPA DNS data in nsupdate format. https://fedorahosted.org/freeipa/ticket/6585 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Separate RA cert store from the HTTP cert storeSimo Sorce2017-02-151-0/+1
| | | | | | | | | | | | | | | This is in preparation for separating out the user under which the ipa api framework runs as. This commit also removes certs.NSS_DIR to avoid confusion and replaces it where appropriate with the correct NSS DB directory, either the old HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is removed altogether as it was simply not necessary. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove is_fips_enabled checks in installers and ipactlStanislav Laznicka2017-02-131-5/+0
| | | | | | https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* tests: Add tests for CSR autogenerationBen Lipton2017-01-312-28/+58
| | | | | | | | | This patch also contains some code changes to make the code easier to test and to make the tests pass. https://fedorahosted.org/freeipa/ticket/4899 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* csrgen: Use data_sources option to define which fields are renderedBen Lipton2017-01-311-13/+27
| | | | | | | | | | | | | | | This removes the ipa.syntaxrule and ipa.datarule macros in favor of simple 'if' statements based on the data referenced in the rules. The 'if' statement for a syntax rule is generated based on the data rules it contains. The Subject DN should not be generated unless all data rules are in place, so the ability to override the logical operator that combines data_sources (from 'or' to 'and') is added. https://fedorahosted.org/freeipa/ticket/4899 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* csrgen: Add code to generate scripts that generate CSRsBen Lipton2017-01-313-0/+434
| | | | | | | | | | | | Adds a library that uses jinja2 to format a script that, when run, will build a CSR. Also adds a CLI command, 'cert-get-requestdata', that uses this library and builds the script for a given principal. The rules are read from json files in /usr/share/ipa/csr, but the rule provider is a separate class so that it can be replaced easily. https://fedorahosted.org/freeipa/ticket/4899 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* py3: decode bytes for json.loads()Martin Basti2017-01-241-1/+1
| | | | | | | | | | | | In py 3.5 json.loads requires to have string as input, all bytes must be decoded. Note: python 3.6 supports bytes for json.loads() https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* client install: correctly report all failuresJan Cholasta2017-01-201-12/+13
| | | | | | | | | | | | | In commit 5249eb817efbb5708d097173a8d5f1e322fb201e, the client install code was converted to use exception handling instead of return codes. However, some return statements were not converted to raise statements and as a result, ipa-client-install will report success in some error conditions. Convert the return statements to raise statements to fix the issue. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* disable hostname canonicalization by Kerberos libraryMartin Babinsky2017-01-111-0/+1
| | | | | | | | | | | | | | | | By default, Kerberos client library attempts to canonicalize service hostname in TGS requests. This can fail e.g. if hosts file on the client machine references short names before FQDNs. In this case the short name is used in TGS_REQ which KDC fails to resolve. Since we do not (yet) support referencing hosts by their short names it is safe to just disable this behavior in krb5.conf and use supplied FQDNs. https://fedorahosted.org/freeipa/ticket/6584 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* ipaclient: schema cache: Handle malformed server info data gracefullyDavid Kupka2017-01-091-2/+8
| | | | | | | | | | | As a part of CLI schema cache some data about each previously contacted server are stored in simple JSON file. The file may get corrupted and became undecodable for various reasons (parallel access, file system error, tampering). Since the data are not necessary we should just warn an continue. https://fedorahosted.org/freeipa/ticket/6578 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipa_generate_password algorithm changePetr Spacek2017-01-061-1/+1
| | | | | | | | | | | | | | | | A change to the algorithm that generates random passwords for multiple purposes throught IPA. This spells out the need to assess password strength by the entropy it contains rather than its length. This new password generation should also be compatible with the NSS implementation of password requirements in FIPS environment so that newly created databases won't fail with wrong authentication. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com>
* schema_cache: Make handling of string compatible with python3David Kupka2017-01-051-9/+13
| | | | | | https://fedorahosted.org/freeipa/ticket/6559 Reviewed-By: Martin Basti <mbasti@redhat.com>
* client, platform: Use paths.SSH* instead of get_config_dir().Timo Aaltonen2017-01-051-27/+16
| | | | Reviewed-By: Martin Basti <mbasti@redhat.com>
* Silence pylint import errors of ipaserver in ipalib and ipaclientChristian Heimes2017-01-051-1/+1
| | | | | | | | | | In client-only installations the ipaserver package is not available. Additional guards prevent pylint to complain about missing ipaserver package. https://fedorahosted.org/freeipa/ticket/6468 Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipaclient.plugins: Use api_version from internally called commandsDavid Kupka2016-12-143-0/+24
| | | | | | | | | | | | In client plugins make sure the api_version is 'inherited' from server command that is internally called. Otherwise the api_version is obtained from client API instance. When calling server command from client command 'version' is passed in options and it overrides the right one. Server then refuses to handle such call. https://fedorahosted.org/freeipa/ticket/6539 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Configure Anonymous PKINIT on server installSimo Sorce2016-12-121-1/+1
| | | | | | | | | | | | Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. https://fedorahosted.org/freeipa/ticket/5678 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Add options to write lightweight CA cert or chain to fileFraser Tweedale2016-12-121-0/+53
| | | | | | | | | | | | | | Administrators need a way to retrieve the certificate or certificate chain of an IPA-managed lightweight CA. Add params to the `ca' object for carrying the CA certificate and chain (as multiple DER values). Add the `--chain' flag for including the chain in the result (chain is also included with `--all'). Add the `--certificate-out' option for writing the certificate to a file (or the chain, if `--chain' was given). Fixes: https://fedorahosted.org/freeipa/ticket/6178 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* server install: fix external CA installJan Cholasta2016-12-081-0/+3
| | | | | | | | | | | | | Replace the dual definitions of domain_name, dm_password and admin_password knobs in server install with single definitions using the original names without the 'new_' prefix. This fixes the options read from the installer option cache in step 2 of external CA install to use the correct knob names. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* Make `env` and `plugins` commands local againMartin Babinsky2016-12-021-3/+4
| | | | | | | | | | | | | | During thin client refactoring, LocalOrRemote class implementation of `run` method was overriden by default Command implementation during instantiation of client plugins from schema. This caused these commands to always forward this request to IPA master. This patch restores the original behavior: unless `--server` option was specified, the commands will always print out local config. https://fedorahosted.org/freeipa/ticket/6490 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Set explicit confdir option for global contextsChristian Heimes2016-12-022-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | Some API contexts are used to modify global state (e.g. files in /etc and /var). These contexts do not support confdir overrides. Initialize the API with an explicit confdir argument to paths.ETC_IPA. The special contexts are: * backup * cli_installer * installer * ipctl * renew * restore * server * updates The patch also corrects the context of the ipa-httpd-kdcproxy script to 'server'. https://fedorahosted.org/freeipa/ticket/6389 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Wheel bundles fixesChristian Heimes2016-11-301-1/+1
| | | | | | | | | | | * make wheel_bundle no longer bundles ipaplatform * ipaclient and ipalib use a consistent extra tag for the install subpackage. `pip install ipalib[ipalib.install]` looks a bit silly. https://fedorahosted.org/freeipa/ticket/6474 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* Adjustments for setup requirementsChristian Heimes2016-11-301-4/+3
| | | | | | | | | | | | | | * Fix some typos, missing or surplus dependencies. * Remove setup requirement on wheel since it triggers download. ipatests is now installable. Tests need further changes to be runable. https://fedorahosted.org/freeipa/ticket/6468 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipaclient: remove hard dependency on ipaplatformJan Cholasta2016-11-292-4/+13
| | | | | | | | Hard-code the user cache directory path in ipaclient.remote_plugins.schema. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* ipaclient: move install modules to the install subpackageJan Cholasta2016-11-295-6/+2
| | | | | | | | | | | | The ipa_certupdate, ipachangeconf, ipadiscovery and ntpconf modules depend on ipaplatform. Move them to ipaclient.install as they are used only from the client installer. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* ipalib: remove hard dependency on ipapythonJan Cholasta2016-11-291-0/+1
| | | | | | | | | | | Hard-code the path to /bin/false in SubprocessError doc string. Remove ipaplatform dependency from ipalib's setup.py and add it as optional installer dependency to ipalib's and ipaclient's setup.py. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* constants: remove CACERTJan Cholasta2016-11-291-27/+29
| | | | | | | | | | CACERT depends on ipaplatform. Replace all uses of CACERT with paths.IPA_CA_CRT and remove CACERT. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* ipalib: move certstore to the install subpackageJan Cholasta2016-11-292-9/+4
| | | | | | | | | | The certstore module depends on ipaplatform. Move it to ipalib.install, as it is used only from installers. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* ipautil: move kinit functions to ipalib.installJan Cholasta2016-11-292-14/+15
| | | | | | | | | | | kinit_password() depends on ipaplatform. Move kinit_password() as well as kinit_keytab() to a new ipalib.install.kinit module, as they are used only from installers. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* ipautil: move is_fips_enabled() to ipaplatform.tasksJan Cholasta2016-11-291-2/+1
| | | | | | | | The FIPS setting is platform-specific. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* ipautil: remove the timeout argument of run()Jan Cholasta2016-11-291-6/+9
| | | | | | | | | | | | The argument depends on the platform-specific timeout binary and is used only in ipaclient.ntpconf. Call the timeout binary explicitly in ipaclient.ntpconf and remove the argument. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* certdb: move IPA NSS DB install functions to ipaclient.installJan Cholasta2016-11-291-1/+49
| | | | | | | | | | | The create_ipa_nssdb() and update_ipa_nssdb() depend on ipaplatform. Move them to ipaclient.install.client as they are used only from the client installer and ipa-restore. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* ipapython: move certmonger and sysrestore to ipalib.installJan Cholasta2016-11-292-11/+4
| | | | | | | | | | The certmonger and sysrestore modules depend on ipaplatform. Move them to ipalib.install as they are used only from installers. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* paths: remove DEV_NULLJan Cholasta2016-11-291-1/+1
| | | | | | | | | | | The platform-specific path to /dev/null is provided by the Python standard library in os.devnull. Replace all uses of paths.DEV_NULL with os.devnull and remove DEV_NULL. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Python3 pylint fixesChristian Heimes2016-11-251-0/+2
| | | | | | | | | | | Sprinkle 'pylint disable' comments over the code base to silence a bunch of pylint warnings on Python 3. All silenced warnings are harmless and not bugs. https://fedorahosted.org/freeipa/ticket/4985 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* Break ipaplatform / ipalib import cycle of hellChristian Heimes2016-11-242-9/+10
| | | | | | | | | | | Here is an attempt to break the import cycle of hell between ipaplatform and ipalib. All services now pass an ipalib.api object to services.service(). RedHatServices.__init__() still needs to do a local import because it initializes its wellknown service dict with service instances. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* Replace LooseVersionChristian Heimes2016-11-241-7/+6
| | | | | | | | | | | | | | | | | | | | pylint is having a hard time with distutils.version in tox's virtual envs. virtualenv uses some tricks to provide a virtual distutils package, pylint can't cope with. https://github.com/PyCQA/pylint/issues/73 suggests to use pkg_resources instead. pkg_resources' version parser has some more benefits, e.g. PEP 440 conformity. But pkg_resources.parse_version() is a heavy weight solution with reduced functionality, e.g. no access to major version. For API_VERSION and plugin version we can use a much simpler and faster approach. https://fedorahosted.org/freeipa/ticket/6468 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Add install requirements to Python packagesChristian Heimes2016-11-161-0/+14
| | | | | | | https://fedorahosted.org/freeipa/ticket/6468 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* Use api.env.nss_dir instead of paths.IPA_NSSDB_DIRChristian Heimes2016-11-143-8/+4
| | | | | | | | | | ipaclient plugins are now using nss_dir from api.env instead of hard-coded paths.IPA_NSSDB_DIR. Closes: https://fedorahosted.org/freeipa/ticket/6386 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* install: migrate client install to the new class hierarchyJan Cholasta2016-11-112-1/+192
| | | | | | | | | Migrate ipa-client-install from the custom script to the new installer class hierarchy classes. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Martin Basti <mbasti@redhat.com>
* install: introduce installer class hierarchyJan Cholasta2016-11-112-0/+221
| | | | | | | | | Add class hierarchy which allows inherting knob definitions between the various client and server install scripts. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Added file permissions option to IPAChangeConf.newConf()Stanislav Laznicka2016-11-112-2/+5
| | | | | | | | | Also added information about why os.chmod is called sometimes after newConf() calls. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix to ipachangeconf docstringsStanislav Laznicka2016-11-111-18/+22
| | | | | | https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Martin Basti <mbasti@redhat.com>
* client: use correct code for failed uninstallMartin Basti2016-11-111-2/+2
| | | | | | | | | Hardcoded value 1 means CLIENT_INSTALL_ERROR, but this part belongs to uninstallation so it should be CLIENT_UNINSTALL_ERROR https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* client: use exceptions instead of return statesMartin Basti2016-11-111-81/+100
| | | | | | | | | | | Python has builtin exceptions which can be used very well to handling errors in python instead of returning error states (C style) Exception will allow better client-server integration in future https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* client: move install cleanup from ipa-client-install to moduleMartin Basti2016-11-111-1/+15
| | | | | | | | Cleanup should be part of installation function https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* client: move clean CCACHE to moduleMartin Basti2016-11-111-0/+10
| | | | | | | | | | According 04b8575c52410bb6d31e0e55f1cf431d7cc9c7c3 cleaning CCACHE is needed after installation. This commit moves this cleanup from ipa-client-install to client.install() function https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* client: move custom env variable into client moduleMartin Basti2016-11-111-2/+10
| | | | | | | | | | | | | There is no need to have env as parameter because this is used only once, so it can eb safely moved to client.py module NOTE: PATH should be overwritten to safe values before we execute any command https://www.securecoding.cert.org/confluence/display/c/ENV03-C.+Sanitize+the+environment+when+invoking+external+programs https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* client: extract checks from uninstall to uninstall_checkMartin Basti2016-11-111-2/+8
| | | | | | | | Checks if uninstallation is possible should be moved to uninstall_check https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* client: extract checks from install to install_checkMartin Basti2016-11-111-20/+46
| | | | | | | | | client install contained installation check that have been moved to install_check function https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* client: move checks to client.install_checkMartin Basti2016-11-111-1/+20
| | | | | | | | Move checks from ipa-client-install to clien.install_check https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
generated by cgit (git 2.34.1) at 2024-07-02 18:18:53 +0000