summaryrefslogtreecommitdiffstats
path: root/ipalib/plugins/cert.py
Commit message (Collapse)AuthorAgeFilesLines
* ipalib: move server-side plugins to ipaserverJan Cholasta2016-06-031-835/+0
| | | | | | | | | | Move the remaining plugin code from ipalib.plugins to ipaserver.plugins. Remove the now unused ipalib.plugins package. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com>
* ipalib: move File command arguments to ipaclientJan Cholasta2016-06-031-2/+4
| | | | | | | | | | File arguments are relevant only on the client, on the server they are the same as Str. Specify the arguments as Str in ipalib.plugins and override them with File in ipaclient.plugins. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com>
* ipalib: split off client-side plugin code into ipaclientJan Cholasta2016-06-031-13/+0
| | | | | | | | | | | Provide client-side overrides for command plugins which implement any of the client-side `interactive_prompt_callback`, `forward` or `output_for_cli` methods and move the methods from the original plugins to the overrides. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com>
* Add more information regarding where to find revocation reason in "ipa ↵Patrice Duc-Jacquet2016-06-021-2/+4
| | | | | | | | | | | | | | | | | | | | | cert_revoke -h" and "ipa cert_find -h". According to review feedback, I changed the help message as follow $ ipa cert_revoke -h Usage: ipa [global-options] cert-revoke SERIAL-NUMBER [options] Revoke a certificate. Options: -h, --help show this help message and exit --revocation-reason=INT Reason for revoking the certificate (0-10). Type "ipa help cert" for revocation reason details. https://fedorahosted.org/freeipa/ticket/5819 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Gabe Alford <redhatrises@gmail.com>
* ipalib: use relative imports for cross-plugin importsJan Cholasta2016-05-251-7/+7
| | | | | | | | | This will make it possible to move the plugin modules between ipalib, ipaclient and ipaserver without having to change the imports. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com>
* Remove wildcard importsMartin Basti2015-12-231-1/+2
| | | | | | | | | | | Wildcard imports should not be used. Check for wildcard imports has been enabled in pylint. Pylint note: options 'wildcard-import' causes too much false positive results, so instead it I used 'unused-wildcard-import' option which has almost the same effect. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove unused importsMartin Basti2015-12-231-3/+1
| | | | | | | This patch removes unused imports, alse pylint has been configured to check unused imports. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Handle binascii.Error from base64.b64decode()Petr Viktorin2015-10-221-2/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | In Python 3, the base64.b64decode function raises binascii.Error (a ValueError subclass) when it finds incorrect padding. In Python 2 it raises TypeError. Callers should usually handle ValueError; unless they are specifically concerned with handling base64 padding issues). In some cases, callers should handle ValueError: - ipalib.pkcs10 (get_friendlyname, load_certificate_request): callers should handle ValueError - ipalib.x509 (load_certificate*, get_*): callers should handle ValueError In other cases ValueError is handled: - ipalib.parameters - ipapython.ssh - ipalib.rpc (json_decode_binary - callers already expect ValueError) - ipaserver.install.ldapupdate Elsewhere no error handling is done, because values come from trusted sources, or are pre-validated: - vault plugin - ipaserver.install.cainstance - ipaserver.install.certs - ipaserver.install.ipa_otptoken_import Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Alias "unicode" to "str" under Python 3Jan Cholasta2015-09-171-0/+5
| | | | | | | | | The six way of doing this is to replace all occurences of "unicode" with "six.text_type". However, "unicode" is non-ambiguous and (arguably) easier to read. Also, using it makes the patches smaller, which should help with backporting. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* cert-request: remove allowed extensions checkFraser Tweedale2015-08-191-19/+3
| | | | | | | | | | | | | | | cert-request currently permits a limited number of request extensions; uncommon and esoteric extensions are prohibited and this limits the usefulness of custom profiles. The Dogtag profile has total control over what goes into the final certificate and has the option to reject request based on the request extensions present or their values, so there is little reason to restrict what extensions can be used in FreeIPA. Remove the check. Fixes: https://fedorahosted.org/freeipa/ticket/5205 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add permission for bypassing CA ACL enforcementFraser Tweedale2015-08-141-3/+10
| | | | | | | | | | | | Add the "Request Certificate ignoring CA ACLs" permission and associated ACI, initially assigned to "Certificate Administrators" privilege. Update cert-request command to skip CA ACL enforcement when the bind principal has this permission. Fixes: https://fedorahosted.org/freeipa/ticket/5099 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Modernize 'except' clausesPetr Viktorin2015-08-121-6/+6
| | | | | | | The 'as' syntax works from Python 2 on, and Python 3 will drop the "comma" syntax. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Fix KRB5PrincipalName / UPN SAN comparisonFraser Tweedale2015-08-111-1/+1
| | | | | | | | | | | | | Depending on how the target principal name is conveyed to the command (i.e. with / without realm), the KRB5PrincipalName / UPN subjectAltName validation could be comparing unequal strings and erroneously rejecting a valid request. Normalise both side of the comparison to ensure that the principal names contain realm information. Fixes: https://fedorahosted.org/freeipa/ticket/5191 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Add profile for DNP3 / IEC 62351-8 certificatesFraser Tweedale2015-08-111-0/+1
| | | | | | | | | | | The DNP3 smart-grid standard uses certificate with the IEC 62351-8 IECUserRoles extension. Add a profile for DNP3 certificates which copies the IECUserRoles extension from the CSR, if present. Also update cert-request to accept CSRs containing this extension. Fixes: https://fedorahosted.org/freeipa/ticket/4752 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Allow SAN extension for cert-request self-serviceFraser Tweedale2015-08-111-1/+1
| | | | | | | | | | | Users cannot self-issue a certificate with a subjectAltName extension (e.g. with rfc822Name altNames). Suppress the cert-request "request certificate with subjectaltname" permission check when the bind principal is the target principal (i.e. cert-request self-service). Fixes: https://fedorahosted.org/freeipa/ticket/5190 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* fix error message when certificate CN is invalidPetr Vobornik2015-07-091-3/+1
| | | | | | The error message was probably copied from mail address check below. Reviewed-By: David Kupka <dkupka@redhat.com>
* cert-request: enforce caacl for principals in SANFraser Tweedale2015-07-081-17/+25
| | | | | | | | | cert-request currently does not enforce caacls for principals included in the subjectAltName requestExtension. Enforce for any dNSName values recognised as hosts/services known to FreeIPA. Fixes: https://fedorahosted.org/freeipa/ticket/5096 Reviewed-By: David Kupka <dkupka@redhat.com>
* Enforce CA ACLs in cert-request commandFraser Tweedale2015-06-111-0/+17
| | | | | | | | | | | | | | | This commit adds CA ACL enforcement to the cert-request command and uses the pyhbac machinery. It is planned to implement ACL enforcement in Dogtag in a future release, and remove certificate issuance privileges and CA ACL enforcement responsibility from the framework. See https://fedorahosted.org/freeipa/ticket/5011 for more information. Part of: https://fedorahosted.org/freeipa/ticket/57 Part of: https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Update cert-request to support user certs and profilesFraser Tweedale2015-06-041-88/+132
| | | | | | | Part of: https://fedorahosted.org/freeipa/ticket/57 Part of: https://fedorahosted.org/freeipa/ticket/4938 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add profile_id parameter to 'request_certificate'Fraser Tweedale2015-06-041-1/+1
| | | | | | | | | | | | Add the profile_id parameter to the 'request_certificate' function and update call sites. Also remove multiple occurrences of the default profile ID 'caIPAserviceCert'. Part of: https://fedorahosted.org/freeipa/ticket/57 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Check LDAP instead of local configuration to see if IPA CA is enabledJan Cholasta2014-10-171-4/+34
| | | | | | | | The check is done using a new hidden command ca_is_enabled. https://fedorahosted.org/freeipa/ticket/4621 Reviewed-By: David Kupka <dkupka@redhat.com>
* Remove misleading authorization error message in cert-request with --addJan Cholasta2014-10-081-5/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4540 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Support requests with SAN in cert-request.Jan Cholasta2014-06-241-34/+69
| | | | | | | | | | For each SAN in a request there must be a matching service entry writable by the requestor. Users can request certificates with SAN only if they have "Request Certificate With SubjectAltName" permission. https://fedorahosted.org/freeipa/ticket/3977 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Update all remaining plugins to the new Registry APINathaniel McCallum2014-06-111-6/+9
| | | | Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Remove unused function get_subjectaltname from the cert plugin.Jan Cholasta2014-03-251-14/+0
| | | | Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Update pkcs10 module functions to always load CSRs and allow selecting format.Jan Cholasta2014-03-251-5/+3
| | | | | | This change makes the pkcs10 module more consistent with the x509 module. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Certificate search max_serial_number problem fixedAdam Misnyovszki2014-02-251-0/+2
| | | | | | | | Maximum serial number field now accepts only positive numbers https://fedorahosted.org/freeipa/ticket/4163 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove ipa-pwd-extop and ipa-enrollment duplicate error stringsMartin Kosek2013-10-301-5/+5
| | | | | | | Some error strings were duplicate which makes it then harder to see what is the real root cause of it. https://fedorahosted.org/freeipa/ticket/3988
* Remove obsolete self-sign references from man pages, docstrings, commentsPetr Viktorin2013-04-151-3/+2
| | | | Part of the work for https://fedorahosted.org/freeipa/ticket/3494
* Preserve case of attribute names in LDAPEntry.Jan Cholasta2013-03-011-4/+4
|
* Add the version option to all CommandsPetr Viktorin2013-02-211-5/+7
| | | | | | | | | | | | | | | | | | | | | | | | | Several Commands were missing the 'version' option. Add it to those that were missing it. Do not remove the version option before calling commands. This means methods such as execute(), forward(), run() receive it. Several of these needed `**options` added to their signatures. Commands in the Cert plugin passed any unknown options to the underlying functions, these are changed to pass what's needed explicitly. Some commands in DNS and Batch plugins now pass version to commands they call. When the option is not given, fill it in automatically. (In a subsequent commit, a warning will be added in this case). Note that the public API did not change: all RPC calls already accepted a version option. There's no need for an API version bump (even though API.txt changes substantially). Design page: http://freeipa.org/page/V3/Messages Tickets: https://fedorahosted.org/freeipa/ticket/2732 https://fedorahosted.org/freeipa/ticket/3294
* Implement the cert-find command for the dogtag CA backend.Rob Crittenden2013-02-191-2/+135
| | | | | | | | | | | | | | | | Use a new RESTful API provided by dogtag 10+. Construct an XML document representing the search request. The output is limited to whatever dogtag sends us, there is no way to request additional attributes other than to read each certificate individually. dogtag uses a boolean for each search term to indicate that it is used. Presense of the search item is not enough, both need to be set. The search operation is unauthenticated Design page: http://freeipa.org/page/V3/Cert_find https://fedorahosted.org/freeipa/ticket/2528
* Raise ValidationError when CSR does not have a subject hostnameLynn Root2012-12-111-0/+4
| | | | | | Raise ValidationError when CSR does not have a subject hostname. Ticket: https://fedorahosted.org/freeipa/ticket/3123
* Fix requesting certificates that contain subject altnames.Rob Crittenden2012-10-191-0/+1
| | | | https://fedorahosted.org/freeipa/ticket/3184
* Internationalization for public errorsPetr Viktorin2012-09-031-6/+15
| | | | | | | | | | | | Currently, we throw many public exceptions without proper i18n. Wrap natural-language error messages in _() so they can be translated. In the service plugin, raise NotFound errors using handle_not_found helper so the error message contains the offending service. Use ScriptError instead of NotFoundError in bindinstance install. https://fedorahosted.org/freeipa/ticket/1953
* Make revocation_reason required when revoking a certificate.Rob Crittenden2012-04-051-1/+1
| | | | | | | This will prevent errors if an empty reason is provided and it is set by default one doesn't have to always set it on the command-line. https://fedorahosted.org/freeipa/ticket/2597
* Display serial number as HEX (DECIMAL) when showing certificates.Rob Crittenden2012-03-141-19/+17
| | | | https://fedorahosted.org/freeipa/ticket/1991
* ticket 2022 - modify codebase to utilize IPALogManager, obsoletes loggingJohn Dennis2011-11-231-1/+0
| | | | | | | | | | | | change default_logger_level to debug in configure_standard_logging add new ipa_log_manager module, move log_mgr there, also export root_logger from log_mgr. change all log_manager imports to ipa_log_manager and change log_manager.root_logger to root_logger. add missing import for parse_log_level()
* Skip the cert validator if the csr we are passed in is a valid filenameRob Crittenden2011-09-141-0/+7
| | | | | | | | | The validator will still fire, just after the load_files() call. Basically it will hit the validator twice. The first time it will exit because the value of csr is a filename. The second time it will run the validator against the contents of the file. ticket https://fedorahosted.org/freeipa/ticket/1777
* ticket 1669 - improve i18n docstring extractionJohn Dennis2011-08-241-38/+28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch reverts the use of pygettext for i18n string extraction. It was originally introduced because the help documentation for commands are in the class docstring and module docstring. Docstrings are a Python construct whereby any string which immediately follows a class declaration, function/method declaration or appears first in a module is taken to be the documentation for that object. Python automatically assigns that string to the __doc__ variable associated with the object. Explicitly assigning to the __doc__ variable is equivalent and permitted. We mark strings in the source for i18n translation by embedding them in _() or ngettext(). Specialized extraction tools (e.g. xgettext) scan the source code looking for strings with those markers and extracts the string for inclusion in a translation catalog. It was mistakingly assumed one could not mark for translation Python docstrings. Since some docstrings are vital for our command help system some method had to be devised to extract docstrings for the translation catalog. pygettext has the ability to locate and extract docstrings and it was introduced to acquire the documentation for our commands located in module and class docstrings. However pygettext was too large a hammer for this task, it lacked any fined grained ability to extract only the docstrings we were interested in. In practice it extracted EVERY docstring in each file it was presented with. This caused a large number strings to be extracted for translation which had no reason to be translated, the string might have been internal code documentation never meant to be seen by users. Often the superfluous docstrings were long, complex and likely difficult to translate. This placed an unnecessary burden on our volunteer translators. Instead what is needed is some method to extract only those strings intended for translation. We already have such a mechanism and it is already widely used, namely wrapping strings intended for translation in calls to _() or _negettext(), i.e. marking a string for i18n translation. Thus the solution to the docstring translation problem is to mark the docstrings exactly as we have been doing, it only requires that instead of a bare Python docstring we instead assign the marked string to the __doc__ variable. Using the hypothetical class foo as an example. class foo(Command): ''' The foo command takes out the garbage. ''' Would become: class foo(Command): __doc__ = _('The foo command takes out the garbage.') But which docstrings need to be marked for translation? The makeapi tool knows how to iterate over every command in our public API. It was extended to validate every command's documentation and report if any documentation is missing or not marked for translation. That information was then used to identify each docstring in the code which needed to be transformed. In summary what this patch does is: * Remove the use of pygettext (modification to install/po/Makefile.in) * Replace every docstring with an explicit assignment to __doc__ where the rhs of the assignment is an i18n marking function. * Single line docstrings appearing in multi-line string literals (e.g. ''' or """) were replaced with single line string literals because the multi-line literals were introducing unnecessary whitespace and newlines in the string extracted for translation. For example: ''' The foo command takes out the garbage. ''' Would appear in the translation catalog as: "\n The foo command takes out the garbage.\n " The superfluous whitespace and newlines are confusing to translators and requires us to strip leading and trailing whitespace from the translation at run time. * Import statements were moved from below the docstring to above it. This was necessary because the i18n markers are imported functions and must be available before the the doc is parsed. Technically only the import of the i18n markers had to appear before the doc but stylistically it's better to keep all the imports together. * It was observed during the docstring editing process that the command documentation was inconsistent with respect to the use of periods to terminate a sentence. Some doc had a trailing period, others didn't. Consistency was enforced by adding a period to end of every docstring if one was missing.
* Autofill the default revocation reasonRob Crittenden2011-07-221-0/+1
| | | | https://fedorahosted.org/freeipa/ticket/1514
* Make data type of certificates more obvious/predictable internally.Rob Crittenden2011-06-211-4/+3
| | | | | | | | | | | | | | | | | | | For the most part certificates will be treated as being in DER format. When we load a certificate we will generally accept it in any format but will convert it to DER before proceeding in normalize_certificate(). This also re-arranges a bit of code to pull some certificate-specific functions out of ipalib/plugins/service.py into ipalib/x509.py. This also tries to use variable names to indicate what format the certificate is in at any given point: dercert: DER cert: PEM nsscert: a python-nss Certificate object rawcert: unknown format ticket 32
* Return an error message when revocation reason 7 is usedRob Crittenden2011-06-151-0/+2
| | | | | | 7 is undefined as a revocation reason. https://fedorahosted.org/freeipa/ticket/1318
* Fix lint false positives.Jan Cholasta2011-04-131-1/+1
|
* Fix style and grammatical issues in built-in command help.Rob Crittenden2011-03-041-5/+23
| | | | | | | There is a rather large API.txt change but it is only due to changes in the doc string in parameters. ticket 729
* Validate and convert certificate SNJakub Hrozek2011-02-161-0/+28
| | | | | | | | | | | | | The cert plugin only worked OK with decimal certificate serial numbers. This patch allows specifying the serial number in hexadecimal, too. The conversion now works such that: * with no explicit radix, a best-effort conversion is done using int(str, 0) in python. If the format is ambiguous, decimal takes precedence. * a hexadecimal radix can be specified explicitly with the traditional 0x prefix https://fedorahosted.org/freeipa/ticket/958 https://fedorahosted.org/freeipa/ticket/953
* The --out option wasn't working at all with cert-show.Rob Crittenden2011-02-141-4/+5
| | | | | | | | Also fix some related problems in write_certificate(), handle either a DER or base64-formatted incoming certificate and don't explode if the filename is None. ticket 954
* Change FreeIPA license to GPLv3+Jakub Hrozek2010-12-201-5/+5
| | | | | | | | | | The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
* Add --out option to service, host and cert-show to save the cert to a file.Rob Crittenden2010-12-131-0/+22
| | | | | | | Override forward() to grab the result and if a certificate is in the entry and the file is writable then dump the certificate in PEM format. ticket 473
* Have certmonger track the initial Apache and 389-ds server certs.Rob Crittenden2010-09-091-2/+27
| | | | | | | | | | | | | | | We don't use certmonger to get certificates during installation because of the chicken-and-egg problem. This means that the IPA web and ldap certs aren't being tracked for renewal. This requires some manual changes to the certmonger request files once tracking has begun because it doesn't store a subject or principal template when a cert is added via start-tracking. This also required some changes to the cert command plugin to allow a host to execute calls against its own service certs. ticket 67
generated by cgit (git 2.34.1) at 2025-09-26 09:30:34 +0000