summaryrefslogtreecommitdiffstats
path: root/ipalib
Commit message (Collapse)AuthorAgeFilesLines
* Remove the cachedproperty classStanislav Laznicka2017-05-021-34/+0
| | | | | | | | | | The cachedproperty class was used in one special use-case where it only caused issues. Let's get rid of it. https://pagure.io/freeipa/issue/6878 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Fixed typo in ipa-client-install outputThorsten Scherf2017-05-021-1/+1
| | | | Reviewed-By: Martin Basti <mbasti@redhat.com>
* Use only anonymous PKINIT to fetch armor ccacheMartin Babinsky2017-04-281-17/+13
| | | | | | | | | | | | | | | Since the anonymous principal can only use PKINIT to fetch credential cache it makes no sense to try and use its kerberos key to establish FAST channel. We should also be able to use custom PKINIT anchor for the armoring. https://pagure.io/freeipa/issue/6830 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Fix PKCS11 helperMartin Basti2017-04-121-0/+2
| | | | | | | | | | | | | | | | | | | | | | | Slots in HSM are not assigned statically, we have to chose proper slot from token label. Softhsm i2.2.0 changed this behavior and now slots can change over time (it is allowed by pkcs11 standard). Changelog: * created method get_slot() that returns slot number from used label * replaces usage of slot in __init__ method of P11_Helper with label * slot is dynamically detected from token label before session is opened * pkcs11-util --init-token now uses '--free' instead '--slot' which uses first free slot (we don't care about slot numbers anymore) https://pagure.io/freeipa/issue/6692 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* setup, pylint, spec file: drop python-nss dependencyJan Cholasta2017-03-311-1/+0
| | | | | | Remove the unused python-nss dependency. Reviewed-By: Christian Heimes <cheimes@redhat.com>
* certdb: use certutil and match_hostname for cert verificationJan Cholasta2017-03-311-16/+55
| | | | | | | Use certutil and ssl.match_hostname calls instead of python-nss for certificate verification. Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Add --password-expiration to allow admin to force user password expirationGabe2017-03-311-6/+10
| | | | | | | - Allows an admin to easily force a user to expire their password forcing the user to change it immediately or at a specified time in the future Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Prevent churn on ccachesSimo Sorce2017-03-281-1/+16
| | | | | | | | | | | | | | | | | | | | We slice down the received cookie so that just the content that matter is preserved. Thi is ok because servers can't trust anything else anyway and will accept a cookie with the ancillary data missing. By removing variable parts like the expiry component added by mod_session or the Expiration or Max-Age metadata we keep only the part of the cookie that changes only when a new session is generated. This way when storing the cookie we actually add a new entry in the ccache only when the session actually changes, and this prevents churn on FILE based ccaches. Related https://pagure.io/freeipa/issue/6775 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Handle failed authentication via cookieSimo Sorce2017-03-281-20/+32
| | | | | | | | | | | | | | If cookie authentication fails and we get back a 401 see if we tried a SPNEGO auth by checking if we had a GSSAPI context. If not it means our session cookie was invalid or expired or some other error happened on the server that requires us to try a full SPNEGO handshake, so go ahead and try it. Fixes https://pagure.io/freeipa/issue/6775 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add debug logging for keep-aliveChristian Heimes2017-03-201-1/+20
| | | | | Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* Use connection keep-aliveChristian Heimes2017-03-201-1/+1
| | | | | | | | | | | | | Do not forcefully close the connection after every request. This enables HTTP connection keep-alive, also known as persistent TCP and TLS/SSL connection. Keep-alive speed up consecutive HTTP requests by 15% (for local, low-latency network connections to a fast server) to multiple times (high latency connections or remote peers). https://pagure.io/freeipa/issue/6641 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* Add debug log in case cookie retrieval went wrongStanislav Laznicka2017-03-201-1/+4
| | | | | | https://pagure.io/freeipa/issue/6774 Reviewed-By: Martin Basti <mbasti@redhat.com>
* vault: cache the transport certificate on clientJan Cholasta2017-03-131-0/+14
| | | | | | | | | | Cache the KRA transport certificate on disk (in ~/.cache/ipa) as well as in memory. https://fedorahosted.org/freeipa/ticket/6652 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
* rpc: fix crash in verbose modeJan Cholasta2017-03-131-5/+6
| | | | | | | | | | Fix a crash caused by feeding incorrect data to `json.dumps()` in `JSONServerProxy.__request()` introduced by commit 8159c2883bf66980582d1227c364df4e592bdd7e. https://pagure.io/freeipa/issue/6734 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* install: re-introduce option groupsJan Cholasta2017-03-131-1/+3
| | | | | | | | | Re-introduce option groups in ipa-client-install, ipa-server-install and ipa-replica-install. https://pagure.io/freeipa/issue/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* install: add missing space in realm_name descriptionJan Cholasta2017-03-131-1/+1
| | | | | | https://pagure.io/freeipa/issue/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* pylint_plugins: add forbidden import checkerJan Cholasta2017-03-102-2/+8
| | | | | | | | | | Add new pylint AST checker plugin which implements a check for imports forbidden in IPA. Which imports are forbidden is configurable in pylintrc. Provide default forbidden import configuration and disable the check for existing forbidden imports in our code base. Reviewed-By: Martin Basti <mbasti@redhat.com>
* Store session cookie in a ccache optionSimo Sorce2017-03-101-22/+5
| | | | | | | | | | | Instead of using the kernel keyring, store the session cookie within the ccache. This way kdestroy will really wipe away all credentials. Ticket: https://pagure.io/freeipa/issue/6661 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Don't use weak ciphers for client HTTPS connectionsStanislav Laznicka2017-03-092-1/+8
| | | | | | https://pagure.io/freeipa/issue/6730 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Allow login to WebUI using Kerberos aliases/enterprise principalsMartin Babinsky2017-03-081-14/+0
| | | | | | | | | | | | | The logic of the extraction/validation of principal from the request and subsequent authentication was simplified and most of the guesswork will be done by KDC during kinit. This also allows principals from trusted domains to login via rpcserver. https://fedorahosted.org/freeipa/ticket/6343 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix cookie with Max-Age processingStanislav Laznicka2017-03-061-4/+8
| | | | | | | | | | When cookie has Max-Age set it tries to get expiration by adding to a timestamp. Without this patch the timestamp would be set to None and thus the addition of timestamp + max_age fails https://pagure.io/freeipa/issue/6718 Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Support for Certificate Identity MappingFlorence Blanc-Renaud2017-03-021-0/+2
| | | | | | | | | | See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping https://fedorahosted.org/freeipa/ticket/6542 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* Env __setitem__: replace assert with exceptionTomas Krizek2017-03-011-1/+2
| | | | | | Use exception to make debugging issues easier. Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Refactor certmonger for OpenSSL certificatesStanislav Laznicka2017-03-011-75/+79
| | | | | | | | | | Currently, it was only possible to request an NSS certificate via certmonger. Merged start_tracking methods and refactored them to allow for OpenSSL certificates tracking. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Workaround for certmonger's "Subject" representationsStanislav Laznicka2017-03-011-0/+5
| | | | | | | | | | | | | | | | If an OpenSSL certificate is requested in Certmonger (CERT_STORAGE == "FILE") the "Subject" field of such Certificate is ordered as received. However, when an NSS certificate is requested, the "Subject" field takes the LDAP order (components get reversed). This is a workaround so that the behavior stays the same. The workaround should be removed when https://pagure.io/certmonger/issue/62 gets fixed. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove NSSConnection from the Python RPC moduleStanislav Laznicka2017-03-014-57/+169
| | | | | | | | | | | | | | | | | | | | NSSConnection was causing a lot of trouble in the past and there is a lot of logic around it just to make it not fail. What's more, when using NSS to create an SSL connection in FIPS mode, NSS always requires database password which makes the `ipa` command totally unusable. NSSConnection is therefore replaced with Python's httplib.HTTPSConnection which is OpenSSL based. The HTTPSConnection is set up to handle authentication with client certificate for connections to Dogtag server as RA agent. It allows to handle client cert/private key in separate files and also encrypted private key files. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add fips_mode variable to envTomas Krizek2017-02-211-0/+8
| | | | | | | | | | | Variable fips_mode indicating whether machine is running in FIPS-enabled mode was added to env. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Add fix for ipa plugins commandAbhijeet Kasurde2017-02-171-1/+2
| | | | | | | | | | Fix adds count of plugins loaded to return dict Fixes https://fedorahosted.org/freeipa/ticket/6513 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Explicitly remove support of SSLv2/3Stanislav Laznicka2017-02-172-2/+35
| | | | | | | | | | | | | | | It was possible to set tls_version_min/max to 'ssl2' or 'ssl3', even though newer versions of NSS will fail to set this as a valid TLS version. This patch explicitly checks for deprecated TLS versions prior to creating a TLS connection. Also, we don't allow tls_version_min/max to be set to a random string anymore. https://fedorahosted.org/freeipa/ticket/6607 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* Explain more performance tricks in doc stringChristian Heimes2017-02-151-2/+5
| | | | | | Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Pretty print JSON in debug mode (debug level >= 2)Christian Heimes2017-02-151-43/+57
| | | | | | Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Convert list to tuplesChristian Heimes2017-02-151-1/+5
| | | | | | | | | Some tests assume that JSON deserializier returns tuples instead of lists. I don't think it is necessary but let's pass the tests for now. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Faster JSON encoder/decoderChristian Heimes2017-02-151-79/+132
| | | | | | | | | | | | | | | | | | Improve performance of FreeIPA's JSON serializer and deserializer. * Don't indent and sort keys. Both options trigger a slow path in Python's json package. Without indention and sorting, encoding mostly happens in optimized C code. * Replace O(n) type checks with O(1) type lookup and eliminate the use of isinstance(). * Check each client capability only once for every conversion. * Use decoder's obj_hook feature to traverse the object tree once and to eliminate calls to isinstance(). Closes: https://fedorahosted.org/freeipa/ticket/6655 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Insure removal of session on identity changeSimo Sorce2017-02-151-0/+6
| | | | | | | | | | | If we are changing identiy (different principal) insure we remove the session cookie stored on the rpc context so that we do not mistakenly connect with the previous identity credentials. https://fedorahosted.org/freeipa/ticket/6543 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Allow rpc callers to pass ccache and service namesSimo Sorce2017-02-151-6/+14
| | | | | | | | | | This allows code to use multiple ccaches without having to muck with the process global environment variables (KRB5CCNAME). https://fedorahosted.org/freeipa/ticket/6543 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add a new user to run the framework codeSimo Sorce2017-02-151-0/+4
| | | | | | | | | | | | | | | | | Add the apache user the ipawebui group. Make the ccaches directory owned by the ipawebui group and make mod_auth_gssapi write the ccache files as r/w by the apache user and the ipawebui group. Fix tmpfiles creation ownership and permissions to allow the user to access ccaches files. The webui framework now works as a separate user than apache, so the certs used to access the dogtag instance need to be usable by this new user as well. Both apache and the webui user are in the ipawebui group, so use that. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use Anonymous user to obtain FAST armor ccacheSimo Sorce2017-02-152-1/+32
| | | | | | | | | | | | The anonymous user allows the framework to obtain an armor ccache without relying on usable credentials, either via a keytab or a pkinit and public certificates. This will be needed once the HTTP keytab is moved away for privilege separation. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Change session handlingSimo Sorce2017-02-151-0/+2
| | | | | | | | | | | | | | | | Stop using memcache, use mod_auth_gssapi filesystem based ccaches. Remove custom session handling, use mod_auth_gssapi and mod_session to establish and keep a session cookie. Add loopback to mod_auth_gssapi to do form absed auth and pass back a valid session cookie. And now that we do not remove ccaches files to move them to the memcache, we can avoid the risk of pollutting the filesystem by keeping a common ccache file for all instances of the same user. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Ditch version_info and use version number from ipapython.versionChristian Heimes2017-02-101-7/+2
| | | | | | Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Stable _is_null checkChristian Heimes2017-02-101-1/+7
| | | | | | | | | Avoid comparison of bytes with int in _is_null() check. b'' == 0 triggers a BytesWarning. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* cryptography has deprecated serial in favor of serial_numberChristian Heimes2017-02-101-1/+1
| | | | | | Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Enable additional warnings (BytesWarning, DeprecationWarning)Christian Heimes2017-02-101-7/+39
| | | | | | | Closes: https://fedorahosted.org/freeipa/ticket/6631 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* DNSSEC: forwarders validation improvementMartin Basti2017-02-081-2/+1
| | | | | | | | | Some DNS servers behaves oddly and instead sending result without RRSIG records don't reply at all when DNSSEC flag is enabled (timeout). Instead of hard error IPA should this handle as DNSSEC error and continue with installation/adding forwarders. Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* py3: send Decimal number as string instead of base64 encoded valueMartin Basti2017-02-081-1/+1
| | | | | | | | | | | | | | | for Decimal only from client to server direction uses __base64__ notation. Server replies with pure string for Decimal data, and also server is able to parse string and create decimal values where needed. without this we need ugly py3 code: - return {'__base64__': base64.b64encode(str(val))} + return {'__base64__': base64.b64encode( + str(val).encode('ascii')).decode('ascii')} https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipalib.x509: Handle missing SAN gracefullyDavid Kupka2017-02-071-1/+5
| | | | | | | When extension is not present None is returned instead of empty iterable or exception thrown. Reviewed-By: Martin Basti <mbasti@redhat.com>
* py3: x509.py: return principal as unicode stringMartin Basti2017-02-071-6/+6
| | | | | | | | | X509 return principal as unicode string https://fedorahosted.org/freeipa/ticket/4985 https://fedorahosted.org/freeipa/ticket/6640 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Fix reference before assignmentFraser Tweedale2017-02-061-0/+1
| | | | | | | | | | In 'store_session_cookie', if the server does not set the session cookie for some reason, the 'session_cookie' variable does not get assigned, resulting in UnboundLocalError. Set an initial value of 'None'. Fixes: https://fedorahosted.org/freeipa/ticket/6636 Reviewed-By: Martin Basti <mbasti@redhat.com>
* py3: normalize_certificate: support both bytes and unicodeMartin Basti2017-01-311-6/+15
| | | | | | https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com>
* py3: strip_header: support both bytes and unicodeMartin Basti2017-01-311-6/+10
| | | | | | | | Various method passed various bytes or unicode as parameter https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com>
* csrgen: Add code to generate scripts that generate CSRsBen Lipton2017-01-311-0/+28
| | | | | | | | | | | | Adds a library that uses jinja2 to format a script that, when run, will build a CSR. Also adds a CLI command, 'cert-get-requestdata', that uses this library and builds the script for a given principal. The rules are read from json files in /usr/share/ipa/csr, but the rule provider is a separate class so that it can be replaced easily. https://fedorahosted.org/freeipa/ticket/4899 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
generated by cgit (git 2.34.1) at 2025-09-01 09:04:51 +0000