summaryrefslogtreecommitdiffstats
path: root/ipapython
Commit message (Collapse)AuthorAgeFilesLines
* Correct PyPI package dependenciesChristian Heimes2017-04-261-4/+2
| | | | | | | | | | | | | * Remove unused install requires from ipapython * Add missing requirements to ipaserver * Correct dependencies for yubico otptoken * Add explicit dependency on cffi for csrgen * Python 2 uses python-ldap, Python 3 pyldap https://pagure.io/freeipa/issue/6875 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* Remove publish_ca_cert() method from NSSDatabaseStanislav Laznicka2017-04-031-9/+0
| | | | | | | | NSSDatabase.publish_ca_cert() is not used anymore, remove it. https://pagure.io/freeipa/issue/6806 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* certdb: fix `AttributeError` in `verify_ca_cert_validity`Jan Cholasta2017-04-031-1/+1
| | | | | | | | | `NSSDatabase.verify_ca_cert_validity` tries to access a property of basic constraints extension on the extension object itself rather than its value. Access the attribute on the correct object to fix the issue. Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* setup, pylint, spec file: drop python-nss dependencyJan Cholasta2017-03-311-1/+0
| | | | | | Remove the unused python-nss dependency. Reviewed-By: Christian Heimes <cheimes@redhat.com>
* certdb: use certutil and match_hostname for cert verificationJan Cholasta2017-03-311-50/+30
| | | | | | | Use certutil and ssl.match_hostname calls instead of python-nss for certificate verification. Reviewed-By: Christian Heimes <cheimes@redhat.com>
* session storage parameters must be bytesChristian Heimes2017-03-311-2/+2
| | | | | | | Fixes TypeError: bytes or integer address expected instead of str instance Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* Use Custodia 0.3.1 featuresChristian Heimes2017-03-281-1/+0
| | | | | | | | | | | | | | | | | | | | | * Use sd-notify in ipa-custodia.service * Introduce libexec/ipa/ipa-custodia script. It comes with correct default setting for IPA's config file. The new file also makes it simpler to run IPA's custodia instance with its own SELinux context. * ipapython no longer depends on custodia The patch addresses three issues: * https://bugzilla.redhat.com/show_bug.cgi?id=1430247 Forward compatibility with Custodia 0.3 in Fedora rawhide * https://pagure.io/freeipa/issue/5825 Use sd-notify * https://pagure.io/freeipa/issue/6788 Prepare for separate SELinux context Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Work around issues fetching session dataSimo Sorce2017-03-281-23/+190
| | | | | | | | | | | | | | | | | | | | | Unfortunately the MIT krb5 library has a severe limitation with FILE ccaches when retrieving config data. It will always only search until the first entry is found and return that one. For FILE caches MIT krb5 does not support removing old entries when a new one is stored, and storage happens only in append mode, so the end result is that even if an update is stored it is never returned with the standard krb5_cc_get_config() call. To work around this issue we simply implement what krb5_cc_get_config() does under the hood with the difference that we do not stop at the first match but keep going until all ccache entries have been checked. Related https://pagure.io/freeipa/issue/6775 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Avoid growing FILE ccaches unnecessarilySimo Sorce2017-03-281-0/+6
| | | | | | | | Related https://pagure.io/freeipa/issue/6775 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* httpinstance: clean up /etc/httpd/alias on uninstallJan Cholasta2017-03-221-0/+13
| | | | | | | | | | | Restore cert8.db, key3.db, pwdfile.txt and secmod.db in /etc/httpd/alias from backup on uninstall. Files modified by IPA are kept with .ipasave suffix. https://pagure.io/freeipa/issue/4639 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipapython.ipautil.nolog_replace: Do not replace empty valueDavid Kupka2017-03-211-1/+1
| | | | | | | | | | When provided empty value in nolog parameter nolog_replace added 'XXXXXXXX' three (once for plain value, once for http quoted value and last time for shell quoted value) times before every character (including terminating '\0') in the string. https://pagure.io/freeipa/issue/6738 Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
* Python 3: Fix session storageChristian Heimes2017-03-151-1/+18
| | | | | | | | ctypes can only handle bytes, not text. Encode and decode all incoming and outgoing text from UTF-8 to bytes. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Fix Python 3 pylint errorsChristian Heimes2017-03-151-2/+2
| | | | | | | | | | | | | | | | ************* Module ipaserver.install.ipa_kra_install ipaserver/install/ipa_kra_install.py:25: [W0402(deprecated-module), ] Uses of a deprecated module 'optparse') ************* Module ipapython.install.core ipapython/install/core.py:163: [E1101(no-member), _knob] Module 'types' has no 'TypeType' member) ************* Module ipatests.test_ipapython.test_dn ipatests/test_ipapython/test_dn.py:1205: [W1505(deprecated-method), TestDN.test_x500_text] Using deprecated method assertEquals()) ************* Module ipa-ca-install install/tools/ipa-ca-install:228: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member) install/tools/ipa-ca-install:232: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member) Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* install: re-introduce option groupsJan Cholasta2017-03-131-9/+49
| | | | | | | | | Re-introduce option groups in ipa-client-install, ipa-server-install and ipa-replica-install. https://pagure.io/freeipa/issue/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* install CLI: remove magic option groupsJan Cholasta2017-03-131-11/+6
| | | | | | | | | Do not automatically create the "basic options" and "uninstall options" option groups in the CLI code. https://pagure.io/freeipa/issue/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* pylint_plugins: add forbidden import checkerJan Cholasta2017-03-105-2/+12
| | | | | | | | | | Add new pylint AST checker plugin which implements a check for imports forbidden in IPA. Which imports are forbidden is configurable in pylintrc. Provide default forbidden import configuration and disable the check for existing forbidden imports in our code base. Reviewed-By: Martin Basti <mbasti@redhat.com>
* Store session cookie in a ccache optionSimo Sorce2017-03-101-0/+197
| | | | | | | | | | | Instead of using the kernel keyring, store the session cookie within the ccache. This way kdestroy will really wipe away all credentials. Ticket: https://pagure.io/freeipa/issue/6661 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
* ipapython: fix DEFAULT_PLUGINS in version.pyJan Cholasta2017-03-092-2/+9
| | | | | | | | | | | Replace the placeholder with the actual value during build. This fixes the client incorrectly assuming that the default version of all plugins is 1. https://pagure.io/freeipa/issue/6597 Reviewed-By: Martin Basti <mbasti@redhat.com>
* config: re-add `init_config` and `config`Jan Cholasta2017-03-081-0/+149
| | | | | | | | | | | Re-add `init_config` and `config` to `ipapython.config`, because they are used by Ipsilon (see https://pagure.io/ipsilon/issue/265). This partially reverts commit 7b966e8577fdb56f069cf26a6ab4d6c77b8743b9. https://pagure.io/freeipa/issue/6707 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Use GSS-SPNEGO if connecting locallySimo Sorce2017-03-071-1/+5
| | | | | | | | | | | | | | | | | | | | | GSS-SPNEGO allows us to negotiate a SASL bind with less roundtrips therefore use it when possible. We only enable it for local connections for now because we only recently fixed Cyrus SASL to do proper GSS-SPNEGO negotiation. This change means a newer and an older version are not compatible. Restricting ourselves to the local host prevents issues with incompatible services, and it is ok for us as we are only really looking for speedups for the local short-lived connections performed by the framework. Most other clients have longer lived connections, so peformance improvements there are not as important. Ticket: https://pagure.io/freeipa/issue/6656 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* Fix cookie with Max-Age processingStanislav Laznicka2017-03-061-1/+4
| | | | | | | | | | When cookie has Max-Age set it tries to get expiration by adding to a timestamp. Without this patch the timestamp would be set to None and thus the addition of timestamp + max_age fails https://pagure.io/freeipa/issue/6718 Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Support for Certificate Identity MappingFlorence Blanc-Renaud2017-03-021-1/+7
| | | | | | | | | | See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping https://fedorahosted.org/freeipa/ticket/6542 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* certdb: Don't restore_context() of new NSSDBChristian Heimes2017-03-011-5/+1
| | | | | | | | | | | It's not necesary to restore the context of newly created files. SELinux ensures that new files have the correct permission. An explicit restore_context() is only required when either policies have changed or the context was changed manually. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Moving ipaCert from HTTPD_ALIAS_DIRStanislav Laznicka2017-03-011-2/+4
| | | | | | | | | | | | | The "ipaCert" nicknamed certificate is not required to be in /var/lib/ipa/radb NSSDB anymore as we were keeping a copy of this file in a separate file anyway. Remove it from there and track only the file. Remove the IPA_RADB_DIR as well as it is not required anymore. https://fedorahosted.org/freeipa/ticket/5695 https://fedorahosted.org/freeipa/ticket/6680 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove ipapython.nsslib as it is not used anymoreStanislav Laznicka2017-03-011-344/+0
| | | | | | | | | | Previous changes allowed the removal of nsslib. So long, and thanks for all the fish. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove NSSConnection from DogtagStanislav Laznicka2017-03-011-14/+10
| | | | | | | | | | | | | Replaced NSSConnection with Python's httplib.HTTPSConnection. This class is OpenSSL-based. A client certificate with a private key is required to authenticate against the certificate server. We facilitate the RA_AGENT_PEM which already exists. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Don't prepend option names with additional '--'Stanislav Laznicka2017-02-211-1/+1
| | | | | | | | | The options now have '--' prepended by their names already, don't add it. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Martin Basti <mbasti@redhat.com>
* client install: create /etc/ipa/nssdb with correct modeJan Cholasta2017-02-201-2/+8
| | | | | | | | | | | | The NSS database directory is created with mode 640, which causes the IPA client to fail to connect to any IPA server, because it is unable to read trusted CA certificates from the NSS database. Create the directory with mode 644 to fix the issue. https://fedorahosted.org/freeipa/ticket/5959 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* ipactl restart: log httplib failues as debugMartin Basti2017-02-171-1/+1
| | | | | | | | | | | There are several excerptions ConnectionRefusedError raised before ipactl is able to connect to dogtag after restart. These exception should be logged on debug level until timeout is reached. https://fedorahosted.org/freeipa/ticket/6674 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Add password to certutil calls in NSSDatabaseStanislav Laznicka2017-02-171-13/+7
| | | | | | | | | | NSSDatabases should call certutil with a password. Also, removed `password_filename` argument from `.create_db()`. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Explicitly remove support of SSLv2/3Stanislav Laznicka2017-02-171-2/+59
| | | | | | | | | | | | | | | It was possible to set tls_version_min/max to 'ssl2' or 'ssl3', even though newer versions of NSS will fail to set this as a valid TLS version. This patch explicitly checks for deprecated TLS versions prior to creating a TLS connection. Also, we don't allow tls_version_min/max to be set to a random string anymore. https://fedorahosted.org/freeipa/ticket/6607 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* Simplify NSSDatabase password file handlingSimo Sorce2017-02-151-17/+12
| | | | | | | https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Separate RA cert store from the HTTP cert storeSimo Sorce2017-02-151-1/+92
| | | | | | | | | | | | | | | This is in preparation for separating out the user under which the ipa api framework runs as. This commit also removes certs.NSS_DIR to avoid confusion and replaces it where appropriate with the correct NSS DB directory, either the old HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is removed altogether as it was simply not necessary. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Change session handlingSimo Sorce2017-02-151-1/+1
| | | | | | | | | | | | | | | | Stop using memcache, use mod_auth_gssapi filesystem based ccaches. Remove custom session handling, use mod_auth_gssapi and mod_session to establish and keep a session cookie. Add loopback to mod_auth_gssapi to do form absed auth and pass back a valid session cookie. And now that we do not remove ccaches files to move them to the memcache, we can avoid the risk of pollutting the filesystem by keeping a common ccache file for all instances of the same user. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* py3: ipa_generate_password: do not compare None and IntMartin Basti2017-02-101-0/+2
| | | | | | | | | | | | | The one cannot compare None and Int in Py3 """ unorderable types: NoneType() > int() """ Continue when class is disabled with None value https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* py3: modify_s: attribute name must be str not bytesMartin Basti2017-02-101-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipaldap: preserve order of values in LDAPEntry._sync()Jan Cholasta2017-02-091-2/+2
| | | | | | | | | | In Python 2, the order was preserved by accident. This change makes sure the order is preserved in both Python 2 and 3. https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Martin Basti <mbasti@redhat.com>
* py3: get_memberofindirect: fix ByteWarningsMartin Basti2017-02-081-2/+4
| | | | | | | | DN must be converted to bytes as other variables adn lists contain bytes https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* py3: DN: fix BytesWarningMartin Basti2017-02-081-1/+1
| | | | | | | | | User repr() instead of str() for bytes, it has the same effect, but it is proper way how to print bytes https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* py3: ipaldap: properly encode DNSName to bytesMartin Basti2017-02-081-1/+1
| | | | | | | | | | The encode method of LDAPClient didn't return DNSName as bytes but string in py3. In py2 it returns non-unicode string so it can be encoded safely by ascii as to_text() method returns only ascii characters. https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* private_ccache: yield ccache nameFraser Tweedale2017-01-311-1/+1
| | | | | | | | | | When using private_ccache, yield 'path' from the context manager. This is cleaner than inspecting 'os.environ['KRB5CCNAME']' within the context. Part of: https://fedorahosted.org/freeipa/ticket/5011 Reviewed-By: Martin Basti <mbasti@redhat.com>
* py3: fingerprint_hex_sha256: fix encoding/decodingMartin Basti2017-01-311-3/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Principal: validate type of input parameterMartin Basti2017-01-311-1/+6
| | | | | | | Bytes are unsupported and we should raise a TypeError from Principal __init__ method otherwise we get hard to debug result Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Use dict comprehensionMartin Basti2017-01-311-1/+3
| | | | Reviewed-By: Christian Heimes <cheimes@redhat.com>
* py3: ipaldap: update encode/decode methodsMartin Basti2017-01-311-34/+7
| | | | | | | | | | | Update encoding/decoding accordingly to work under Py3 Removing functions that were used only once in code and give no real improvements https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com>
* py3: decode bytes for json.loads()Martin Basti2017-01-242-0/+51
| | | | | | | | | | | | In py 3.5 json.loads requires to have string as input, all bytes must be decoded. Note: python 3.6 supports bytes for json.loads() https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* py3: make_filter_from_attr: use string instead of bytesMartin Basti2017-01-241-1/+2
| | | | | | | | | | Method escape_filter_chars() requires string as parameter instead of bytes. 'value_to_utf8' returns bytes thus this code has to be removed. https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* py3: HTTPResponse has no 'dict' attribute in 'msg'Martin Basti2017-01-241-1/+1
| | | | | | | | | | There is no 'dict' attribute in 'msg', but 'msg' attribute is dict-like object in both py2/3, so it can be used instead. https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* py3: _httplib_request: don't convert string to bytesMartin Basti2017-01-241-3/+1
| | | | | | | | | | | There is no need to encode hostname to bytes. UTF-8 characters must be encoded in different format in URL anyway and it causes only error in Py3. String must be unicode to support Py2. https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* py3: ipautil: open tempfiles in text modeMartin Basti2017-01-241-2/+2
| | | | | | | | | | Code in ipautlis works with text, so tempfiles should be open in textmode otherwise TypeErrors are raised https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
generated by cgit (git 2.34.1) at 2025-09-01 10:15:00 +0000