summaryrefslogtreecommitdiffstats
path: root/ipapython/dogtag.py
Commit message (Collapse)AuthorAgeFilesLines
* pylint_plugins: add forbidden import checkerJan Cholasta2017-03-101-0/+2
| | | | | | | | | | Add new pylint AST checker plugin which implements a check for imports forbidden in IPA. Which imports are forbidden is configurable in pylintrc. Provide default forbidden import configuration and disable the check for existing forbidden imports in our code base. Reviewed-By: Martin Basti <mbasti@redhat.com>
* Moving ipaCert from HTTPD_ALIAS_DIRStanislav Laznicka2017-03-011-2/+4
| | | | | | | | | | | | | The "ipaCert" nicknamed certificate is not required to be in /var/lib/ipa/radb NSSDB anymore as we were keeping a copy of this file in a separate file anyway. Remove it from there and track only the file. Remove the IPA_RADB_DIR as well as it is not required anymore. https://fedorahosted.org/freeipa/ticket/5695 https://fedorahosted.org/freeipa/ticket/6680 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove NSSConnection from DogtagStanislav Laznicka2017-03-011-14/+10
| | | | | | | | | | | | | Replaced NSSConnection with Python's httplib.HTTPSConnection. This class is OpenSSL-based. A client certificate with a private key is required to authenticate against the certificate server. We facilitate the RA_AGENT_PEM which already exists. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipactl restart: log httplib failues as debugMartin Basti2017-02-171-1/+1
| | | | | | | | | | | There are several excerptions ConnectionRefusedError raised before ipactl is able to connect to dogtag after restart. These exception should be logged on debug level until timeout is reached. https://fedorahosted.org/freeipa/ticket/6674 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
* py3: decode bytes for json.loads()Martin Basti2017-01-241-0/+1
| | | | | | | | | | | | In py 3.5 json.loads requires to have string as input, all bytes must be decoded. Note: python 3.6 supports bytes for json.loads() https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* py3: HTTPResponse has no 'dict' attribute in 'msg'Martin Basti2017-01-241-1/+1
| | | | | | | | | | There is no 'dict' attribute in 'msg', but 'msg' attribute is dict-like object in both py2/3, so it can be used instead. https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* py3: _httplib_request: don't convert string to bytesMartin Basti2017-01-241-3/+1
| | | | | | | | | | | There is no need to encode hostname to bytes. UTF-8 characters must be encoded in different format in URL anyway and it causes only error in Py3. String must be unicode to support Py2. https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Configure Anonymous PKINIT on server installSimo Sorce2016-12-121-0/+4
| | | | | | | | | | | | Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. https://fedorahosted.org/freeipa/ticket/5678 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* pylint: enable the import-error checkJan Cholasta2016-10-241-0/+3
| | | | | | | | | | Check for import errors with pylint to make sure new python package dependencies are not overlooked. https://fedorahosted.org/freeipa/ticket/6418 Reviewed-By: Petr Spacek <pspacek@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* Remove unused variables in the codeMartin Basti2016-09-271-1/+1
| | | | | | | | | | | This commit removes unused variables or rename variables as "expected to be unused" by using "_" prefix. This covers only cases where fix was easy or only one unused variable was in a module Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Remove workaround for CA running checkFraser Tweedale2016-01-211-22/+3
| | | | | | | | | | | | | A workaround was introduced for ticket #4676 that used wget to perform an (unauthenticated) https request to check the CA status. Later, wget was changed to curl (the request remained unauthenticated). Remove the workaround and use an http request (no TLS) to check the CA status. Also remove the now-unused unauthenticated_http_request method, and update specfile to remove ipalib dependency on curl. Reviewed-By: Martin Basti <mbasti@redhat.com>
* Do not decode HTTP reason phrase from DogtagFraser Tweedale2016-01-131-12/+11
| | | | | | | | | | | | | | The HTTP reason phrase sent by Dogtag is assumed to be encoded in UTF-8, but the encoding used by Tomcat is dependent on system locale, causing decode errors in some locales. The reason phrase is optional and will not be sent in a future version of Tomcat[1], so do not bother decoding and returning it. [1] https://github.com/apache/tomcat/commit/707ab1c77f3bc189e1c3f29b641506db4c8bce37 Fixes: https://fedorahosted.org/freeipa/ticket/5578 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove wildcard importsMartin Basti2015-12-231-1/+1
| | | | | | | | | | | Wildcard imports should not be used. Check for wildcard imports has been enabled in pylint. Pylint note: options 'wildcard-import' causes too much false positive results, so instead it I used 'unused-wildcard-import' option which has almost the same effect. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* install: drop support for Dogtag 9Jan Cholasta2015-11-251-124/+2
| | | | | | | | | | | Dogtag 9 CA and CA DS install and uninstall code was removed. Existing Dogtag 9 CA and CA DS instances are disabled on upgrade. Creating a replica of a Dogtag 9 IPA master is still supported. https://fedorahosted.org/freeipa/ticket/5197 Reviewed-By: David Kupka <dkupka@redhat.com>
* Do not erroneously reinit NSS in Dogtag interfaceFraser Tweedale2015-11-241-1/+2
| | | | | | | | | | The Dogtag interface always attempts to (re)init NSS, which can fail with SEC_ERROR_BUSY. Do not reinitialise NSS when it has already been initialised with the given dbdir. Part of: https://fedorahosted.org/freeipa/ticket/5459 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* TLS and Dogtag HTTPS request logging improvementsFraser Tweedale2015-11-231-5/+4
| | | | | | | | | | | | Pretty printing the TLS peer certificate to logs on every request introduces a lot of noise; do not log it (subject name, key usage and validity are still logged). Fix and tidy up some HTTP logging messages for Dogtag requests. Part of: https://fedorahosted.org/freeipa/ticket/5269 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use six.moves.http_client instead of httplibPetr Viktorin2015-10-071-1/+7
| | | | | | | | The module was renamed in Python 3. Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* Use six.moves.configparser instead of ConfigParserPetr Viktorin2015-10-071-3/+3
| | | | | | | | The module name was lowercased in Python 3. Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* Use six.moves.urllib instead of urllib/urllib2/urlparsePetr Viktorin2015-10-071-1/+1
| | | | | | | | In Python 3, these modules are reorganized. Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* Alias "unicode" to "str" under Python 3Jan Cholasta2015-09-171-0/+4
| | | | | | | | | The six way of doing this is to replace all occurences of "unicode" with "six.text_type". However, "unicode" is non-ambiguous and (arguably) easier to read. Also, using it makes the patches smaller, which should help with backporting. Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Use Python3-compatible dict method namesPetr Viktorin2015-09-011-1/+1
| | | | | | | | | | | | | | | | | | | | | | Python 2 has keys()/values()/items(), which return lists, iterkeys()/itervalues()/iteritems(), which return iterators, and viewkeys()/viewvalues()/viewitems() which return views. Python 3 has only keys()/values()/items(), which return views. To get iterators, one can use iter() or a for loop/comprehension; for lists there's the list() constructor. When iterating through the entire dict, without modifying the dict, the difference between Python 2's items() and iteritems() is negligible, especially on small dicts (the main overhead is extra memory, not CPU time). In the interest of simpler code, this patch changes many instances of iteritems() to items(), iterkeys() to keys() etc. In other cases, helpers like six.itervalues are used. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Prohibit deletion of predefined profilesFraser Tweedale2015-08-181-3/+5
| | | | | | | | | | | Deletion of predefined profiles, including the default profile, should not be allowed. Detect this case and raise an error. Also update the predefined profiles collection to use namedtuple, making it easier to access the various components. Fixes: https://fedorahosted.org/freeipa/ticket/5198 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Modernize 'except' clausesPetr Viktorin2015-08-121-2/+2
| | | | | | | The 'as' syntax works from Python 2 on, and Python 3 will drop the "comma" syntax. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Add profile for DNP3 / IEC 62351-8 certificatesFraser Tweedale2015-08-111-0/+1
| | | | | | | | | | | The DNP3 smart-grid standard uses certificate with the IEC 62351-8 IECUserRoles extension. Add a profile for DNP3 certificates which copies the IECUserRoles extension from the CSR, if present. Also update cert-request to accept CSRs containing this extension. Fixes: https://fedorahosted.org/freeipa/ticket/4752 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Add profile_id parameter to 'request_certificate'Fraser Tweedale2015-06-041-0/+2
| | | | | | | | | | | | Add the profile_id parameter to the 'request_certificate' function and update call sites. Also remove multiple occurrences of the default profile ID 'caIPAserviceCert'. Part of: https://fedorahosted.org/freeipa/ticket/57 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Import included profiles during install or upgradeFraser Tweedale2015-06-041-2/+5
| | | | | | | | | | | | Add a default service profile template as part of FreeIPA and format and import it as part of installation or upgrade process. Also remove the code that modifies the old (file-based) `caIPAserviceCert' profile. Fixes https://fedorahosted.org/freeipa/ticket/4002 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add certprofile pluginFraser Tweedale2015-06-041-9/+20
| | | | | | | | | | | | | Add the 'certprofile' plugin which defines the commands for managing certificate profiles and associated permissions. Also update Dogtag network code in 'ipapython.dogtag' to support headers and arbitrary request bodies, to facilitate use of the Dogtag profiles REST API. Part of: https://fedorahosted.org/freeipa/ticket/57 Reviewed-By: Martin Basti <mbasti@redhat.com>
* point the users to PKI-related logs when CA configuration failsMartin Babinsky2015-04-291-0/+4
| | | | | | | | | | This patch adds an error handler which prints out the paths to logs related to configuration and installation of Dogtag/CA in the case of failure. https://fedorahosted.org/freeipa/ticket/4900 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Using wget to get status of CAMartin Basti2014-12-101-7/+11
| | | | | | | This is just workaround Ticket: https://fedorahosted.org/freeipa/ticket/4676 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use NSS protocol range API to set available TLS protocolsRob Crittenden2014-11-241-1/+3
| | | | | | | | | | | | | Protocols are configured as an inclusive range from SSLv3 through TLSv1.2. The allowed values in the range are ssl3, tls1.0, tls1.1 and tls1.2. This is overridable per client by setting tls_version_min and/or tls_version_max. https://fedorahosted.org/freeipa/ticket/4653 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add a KRA to IPAAde Lee2014-08-221-5/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds the capability of installing a Dogtag KRA to an IPA instance. With this patch, a KRA is NOT configured by default when ipa-server-install is run. Rather, the command ipa-kra-install must be executed on an instance on which a Dogtag CA has already been configured. The KRA shares the same tomcat instance and DS instance as the Dogtag CA. Moreover, the same admin user/agent (and agent cert) can be used for both subsystems. Certmonger is also confgured to monitor the new subsystem certificates. To create a clone KRA, simply execute ipa-kra-install <replica_file> on a replica on which a Dogtag CA has already been replicated. ipa-kra-install will use the security domain to detect whether the system being installed is a replica, and will error out if a needed replica file is not provided. The install scripts have been refactored somewhat to minimize duplication of code. A new base class dogtagintance.py has been introduced containing code that is common to KRA and CA installs. This will become very useful when we add more PKI subsystems. The KRA will install its database as a subtree of o=ipaca, specifically o=ipakra,o=ipaca. This means that replication agreements created to replicate CA data will also replicate KRA data. No new replication agreements are required. Added dogtag plugin for KRA. This is an initial commit providing the basic vault functionality needed for vault. This plugin will likely be modified as we create the code to call some of these functions. Part of the work for: https://fedorahosted.org/freeipa/ticket/3872 The uninstallation option in ipa-kra-install is temporarily disabled. Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Enable NSS PKIX certificate path discovery and validation for Dogtag.Jan Cholasta2014-07-301-0/+2
| | | | | | Part of https://fedorahosted.org/freeipa/ticket/3737 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* ipaplatform: Move all filesystem paths to ipaplatform.paths moduleTomas Babej2014-06-161-11/+12
| | | | | | https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* PKI service restart after CA renewal failedJan Cholasta2014-01-081-0/+4
| | | | | | | | | | Fix both the service restart procedure and registration of old pki-cad well known service name. This patch was adapted from original patch of Jan Cholasta 178 to fix ticket 4092. https://fedorahosted.org/freeipa/ticket/4092
* Installer should always wait until CA starts upMartin Kosek2013-10-171-3/+7
| | | | | | | | | | | | | | Patch for ticket 3964 changed the installer so that it does not always wait for CA if the proxy is not configured. However, it was found out that it may freeze an installation when a step subsequent after CA restart call the CA and receives no reply. Change the wait so that it always waits for CA to start up. If HTTP proxy is already configured, it should wait on port 443. If not, it should wait on local PKI port 8443. https://fedorahosted.org/freeipa/ticket/3973
* Make ipapython.dogtag log requests at debug level, not infoPetr Viktorin2013-02-011-1/+1
|
* Use correct Dogtag configuration in get_pin and get_ca_certchainPetr Viktorin2012-11-231-2/+4
| | | | | | Some install utilities used Dogtag configuration before Dogtag was configured. Fix by passing the relevant dogtag_constants where they're needed.
* Changes to use a single database for dogtag and IPAAde Lee2012-11-231-1/+11
| | | | | | | | | | | | New servers that are installed with dogtag 10 instances will use a single database instance for dogtag and IPA, albeit with different suffixes. Dogtag will communicate with the instance through a database user with permissions to modify the dogtag suffix only. This user will authenticate using client auth using the subsystem cert for the instance. This patch includes changes to allow the creation of masters and clones with single ds instances.
* Make sure the CA is running when starting servicesPetr Viktorin2012-10-231-59/+105
| | | | | | | | | | | | | | | | - Provide a function for determinig the CA status using Dogtag 10's new getStatus endpoint. This must be done over HTTPS, but since our client certificate may not be set up yet, we need HTTPS without client authentication. Rather than copying from the existing http_request and https_request function, shared code is factored out to a common helper. - Call the new function when restarting the CA service. Since our Service can only be extended in platform-specific code, do this for Fedora only. Also, the status is only checked with Dogtag 10+. - When a restart call in cainstance failed, users were refered to the installation log, but no info was actually logged. Log the exception. https://fedorahosted.org/freeipa/ticket/3084
* Fix CA CRL migration crash in ipa-upgradeconfigMartin Kosek2012-10-101-2/+2
| | | | | | | | | | | | | | | | | CRL migrate procedure did not check if a CA was actually configured on an updated master/replica. This caused ipa-upgradeconfig to crash on replicas without a CA. Make sure that CRL migrate procedure is not run when CA is not configured on given master. Also add few try..except clauses to make the procedure more robust. There is also a small refactoring of "<service> is not configured" log messages, so that they have matching log level and message. dogtag.py constants were updated to have a correct path to new CRL directory on Fedora 18 (dogtag 10). https://fedorahosted.org/freeipa/ticket/3159
* Move CRL publish directory to IPA owned directoryMartin Kosek2012-10-091-2/+2
| | | | | | | | | | | | | | | | | | | | | | | Currently, CRL files are being exported to /var/lib/pki-ca sub-directory, which is then served by httpd to clients. However, this approach has several disadvantages: * We depend on pki-ca directory structure and relevant permissions. If pki-ca changes directory structure or permissions on upgrade, IPA may break. This is also a root cause of the latest error, where the pki-ca directory does not have X permission for others and CRL publishing by httpd breaks. * Since the directory is not static and is generated during ipa-server-install, RPM upgrade of IPA packages report errors when defining SELinux policy for these directories. Move CRL publish directory to /var/lib/ipa/pki-ca/publish (common for both dogtag 9 and 10) which is created on RPM upgrade, i.e. SELinux policy configuration does not report any error. The new CRL publish directory is used for both new IPA installs and upgrades, where contents of the directory (CRLs) is first migrated to the new location and then the actual configuration change is made. https://fedorahosted.org/freeipa/ticket/3144
* Use Dogtag 10 only when it is availablePetr Viktorin2012-09-171-4/+106
| | | | | | | | | | | Put the changes from Ade's dogtag 10 patch into namespaced constants in dogtag.py, which are then referenced in the code. Make ipaserver.install.CAInstance use the service name specified in the configuration. Uninstallation, where config is removed before CA uninstall, also uses the (previously) configured value. This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
* Internationalization for public errorsPetr Viktorin2012-09-031-5/+9
| | | | | | | | | | | | Currently, we throw many public exceptions without proper i18n. Wrap natural-language error messages in _() so they can be translated. In the service plugin, raise NotFound errors using handle_not_found helper so the error message contains the offending service. Use ScriptError instead of NotFoundError in bindinstance install. https://fedorahosted.org/freeipa/ticket/1953
* Add the -v option to sslget to provide more verbose errorsRob Crittenden2012-02-231-2/+2
| | | | | | | | I noticed a couple of bad references in ipapython/dogtag.py and fixed those as well. We used to call sslget for all our SSL client needs before python-nss was written. https://fedorahosted.org/freeipa/ticket/2391
* ticket 2022 - modify codebase to utilize IPALogManager, obsoletes loggingJohn Dennis2011-11-231-9/+9
| | | | | | | | | | | | change default_logger_level to debug in configure_standard_logging add new ipa_log_manager module, move log_mgr there, also export root_logger from log_mgr. change all log_manager imports to ipa_log_manager and change log_manager.root_logger to root_logger. add missing import for parse_log_level()
* Add a function for formatting network locations of the form host:port for ↵Jan Cholasta2011-10-051-3/+3
| | | | | | | | | use in URLs. If the host part is a literal IPv6 address, it must be enclosed in square brackets (RFC 2732). ticket 1869
* enable proxy for dogtagAdam Young2011-08-291-1/+1
| | | | | | | | | | | | | | | | | | | Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL connection. This patch enables renegotiate in the nss configuration file during during apache configuration, as well as modifies libnss to set the appropriate optins on the ssl connection in order to renegotiate. The IPA install uses the internal ports instead of proxying through httpd since httpd is not set up yet. IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed tp /ca/ee/ca just for this purpose. https://fedorahosted.org/freeipa/ticket/1334 add flag to pkicreate in order to enable using proxy. add the proxy file in /etc/http/conf.d/ Signed-off-by: Simo Sorce <ssorce@redhat.com>
* Set the client auth callback after creating the SSL connection.Rob Crittenden2011-07-011-2/+2
| | | | | | | | | | If we set the callback before calling connect() then if the connection tries a network family type and fails, it will try other family types. If this happens then the callback set on the first socket will be lost when a new socket is created. There is no way to query for the callback in an existing socket. https://fedorahosted.org/freeipa/ticket/1349
* Change FreeIPA license to GPLv3+Jakub Hrozek2010-12-201-5/+5
| | | | | | | | | | The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
* Catch when we fail to get a cert chain from the CA during installationRob Crittenden2010-11-241-1/+5
| | | | | | Also don't free the XML document if it was never created. ticket 404