path: root/ipapython
Commit message | Author | Date | Files | Lines
* Increase default length of auto generated passwords | Martin Basti | 2016-08-03 | 1 | -1/+2
  Installer/IPA generates passwords for various purposes:
  * KRA
  * kerberos master key
  * NSSDB password
  * temporary passwords during installation
  Length of passwords should be increased to 22, ~128 bits of entropy, to be safe nowadays.
  https://fedorahosted.org/freeipa/ticket/6116
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipapython: Extend kinit_password to support principal canonicalization | Milan Kubík | 2016-07-29 | 1 | -1/+10
  In order to authenticate with a principal alias it is necessary to request canonicalization of the principal. This patch extends kinit_password with this option. The option to indicate an enterprise principal has been added as well.
  https://fedorahosted.org/freeipa/ticket/6142
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Use copy when replacing files to keep SELinux context | Martin Basti | 2016-07-22 | 1 | -1/+5
  When the installer replaces any file with a newer one, it must use 'copy' instead of 'mv' to keep the SELinux context valid.
  https://fedorahosted.org/freeipa/ticket/6111
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Fix session cookies | Florence Blanc-Renaud | 2016-07-22 | 1 | -7/+8
  The CLI was not using session cookies for communication with the IPA API. The kernel_keyring code was expecting the keyname to be a string, but in python 2 a unicode was supplied (the key is built using ipa_session_cookie:%principal and principal is a unicode). The patch fixes the assertions, allowing the cookie to be stored and retrieved. It also adds a test with a unicode key name.
  https://fedorahosted.org/freeipa/ticket/5984
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Create server and host certs with DNS altname | Fraser Tweedale | 2016-07-19 | 1 | -1/+8
  Currently server (HTTP / LDAP) certs are created without a Subject Alternative Name extension during server install, replica prepare and host enrolment, a potentially problematic violation of RFC 2818. Add the hostname as a SAN dNSName when these certs are created. (Certmonger adds an appropriate request extension when renewing the certificate, so nothing needs to be done for renewal).
  Fixes: https://fedorahosted.org/freeipa/ticket/4970
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Fix internal errors in host-add and other commands caused by DNS resolution | Petr Spacek | 2016-07-01 | 2 | -68/+93
  Previously the resolver was returning CheckedIPAddress objects. This caused an internal server error in cases where DNS actually returned reserved IP addresses. Now the resolver is returning UnsafeIPAddress objects which do syntactic checks but do not filter IP addresses. From now on we can decide if some IP address should be accepted as-is or if it needs to be constrained to some subset of IP addresses using the CheckedIPAddress class.
  This regression was caused by changes for https://fedorahosted.org/freeipa/ticket/5710
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Remove unused is_local(), interface, and defaultnet from CheckedIPAddress | Petr Spacek | 2016-07-01 | 1 | -9/+0
  All these were unused so I'm removing them to keep the code clean and easier to read. At this point it is clear that the only difference between netaddr.IPAddress and CheckedIPAddress is the prefixlen attribute.
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipalib: introduce Principal parameter | Martin Babinsky | 2016-07-01 | 1 | -1/+5
  This patch introduces a separate Principal parameter that allows the framework to syntactically validate incoming/outgoing principals by using a single shared codebase.
  https://fedorahosted.org/freeipa/ticket/3864
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipapython module for Kerberos principal manipulation and parsing | Martin Babinsky | 2016-07-01 | 1 | -0/+208
  This module implements a shared codebase to handle various types of Kerberos principal names encountered during management of users, hosts and services. The common codebase aims to replace various ad-hoc functions and routines scattered along the management framework.
  https://fedorahosted.org/freeipa/ticket/3864
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Do not allow installation in FIPS mode | Florence Blanc-Renaud | 2016-06-29 | 1 | -0/+19
  https://fedorahosted.org/freeipa/ticket/5761
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Use NSS for name->resolution in IPA installer | Petr Spacek | 2016-06-29 | 1 | -1/+1
  This fixes scenarios where the IPA server is not able to resolve its own name and the option --ip-address was not specified by the user. This partially reverts changes from commit dc405005f537cf278fd6ddfe6b87060bd13d9a67
  https://fedorahosted.org/freeipa/ticket/5962
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipaldap: turn LDAP filter utility functions into class methods | Fraser Tweedale | 2016-06-29 | 1 | -16/+19
  The LDAP filter utilities do not use any instance attributes, so collectively turn them into class methods to promote reuse.
  Part of: https://fedorahosted.org/freeipa/ticket/4559
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* plugable: support plugin versioning | Jan Cholasta | 2016-06-28 | 1 | -0/+5
  Allow multiple incompatible versions of a plugin using the same name. The current plugins are assumed to be version '1'. The unique identifier of plugins was changed from plugin name to plugin name and version. By default, the highest version available at build time is used. If the plugin is an unknown remote plugin, version '1' is used by default.
  https://fedorahosted.org/freeipa/ticket/4427
  Reviewed-By: David Kupka <dkupka@redhat.com>
* pylint: fix: multiple-statements | Jan Barta | 2016-06-21 | 1 | -1/+2
  Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* ldap: fix handling of binary data in search filters | Jan Cholasta | 2016-06-21 | 1 | -1/+6
  This fixes a UnicodeDecodeError when passing non-UTF-8 binary data to LDAPClient.make_filter() and friends.
  https://fedorahosted.org/freeipa/ticket/5381
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
* Fix minor typos | Yuri Chornoivan | 2016-06-20 | 1 | -1/+1
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix minor typos | Yuri Chornoivan | 2016-06-16 | 1 | -1/+1
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* installer: index() raises ValueError | David Kupka | 2016-06-13 | 1 | -2/+2
  Expecting IndexError instead of ValueError led to a traceback instead of correctly reporting the error situation.
  https://fedorahosted.org/freeipa/ticket/5945
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Fix resolve_rrsets: RRSet is not hashable | Martin Basti | 2016-06-09 | 1 | -2/+2
  We cannot use set() with RRSet objects, because the RRSet object is not hashable. The set was replaced by a list.
  https://fedorahosted.org/freeipa/ticket/5710
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* add context to exception on LdapEntry decode error | Florence Blanc-Renaud | 2016-06-09 | 1 | -2/+10
  When reading the content of an invalid LDAP entry, the exception only displays the attribute name and value, but not the DN of the entry. Because of this, it is difficult to identify the root cause of the problem. The fix raises a ValueError exception which also contains the entry DN.
  https://fedorahosted.org/freeipa/ticket/5434
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Add custodia store for lightweight CA key replication | Fraser Tweedale | 2016-06-09 | 1 | -0/+56
  Due to limitations in Dogtag's use of NSSDB, importing private keys must be done by the Dogtag Java process itself. This requires a PKIArchiveOptions format (signing key wrapped with host CA key) - PKCS #12 cannot be used because that would require decrypting the key in Dogtag's memory, albeit temporarily. Add a new custodia store that executes a 'pki' command to acquire the wrapped key.
  Part of: https://fedorahosted.org/freeipa/ticket/4559
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Optionally add service name to Custodia key DNs | Fraser Tweedale | 2016-06-09 | 1 | -5/+22
  Lightweight CAs support introduces new service principals for Dogtag, with Custodia keys. The current Custodia key creation uses a DN that contains only the key type and the hostname, so keys for multiple services on the same host cannot be created. Add the 'generate_keys' method to generate keys for a host or an arbitrary service. When a service name is given, add the key entries in a nested container with RDN 'cn=<service name>'. (The container is assumed to exist). This change does not affect searching because subtree search is used, filtering on the ipaKeyUsage and memberPrincipal attributes.
  Part of: https://fedorahosted.org/freeipa/ticket/4559
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Allow CustodiaClient to be used by arbitrary principals | Fraser Tweedale | 2016-06-08 | 1 | -7/+13
  Currently CustodiaClient assumes that the client is the host principal, and it is hard-coded to read the host keytab and server keys. For the Lightweight CAs feature, Dogtag on CA replicas will use CustodiaClient to retrieve signing keys from the originating replica. Because this process runs as 'pkiuser', the host keys cannot be used; instead, each Dogtag replica will have a service principal to use for Custodia authentication. Update CustodiaClient to require specifying the client keytab and Custodia keyfile to use, and change the client argument to be a full GSS service name (instead of hard-coding host service) to load from the keytab. Update call sites accordingly. Also pass the given 'ldap_uri' argument through to IPAKEMKeys because without it, the client tries to use LDAPI, but may not have access.
  Part of: https://fedorahosted.org/freeipa/ticket/4559
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* DNS upgrade: change global forwarding policy in LDAP to "only" if private IPs are used | Petr Spacek | 2016-05-30 | 1 | -0/+18
  This change is necessary to override automatic empty zone configuration in latest BIND and bind-dyndb-ldap 9.0+. This procedure is still not complete because we need to handle global forwarders in named.conf too (independently on each server).
  https://fedorahosted.org/freeipa/ticket/5710
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add function ipapython.dnsutil.related_to_auto_empty_zone() | Petr Spacek | 2016-05-30 | 1 | -0/+30
  It allows testing whether a given DNS name is a sub/super domain of an automatic empty zone.
  https://fedorahosted.org/freeipa/ticket/5710
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Move IP address resolution from ipaserver.install.installutils to ipapython.dnsutil | Petr Spacek | 2016-05-30 | 1 | -0/+59
  This is to make it reusable from other modules and to avoid future code duplication.
  https://fedorahosted.org/freeipa/ticket/5710
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Move check_zone_overlap() from ipapython.ipautil to ipapython.dnsutil | Petr Spacek | 2016-05-30 | 2 | -35/+35
  This is preparatory work to avoid (future) cyclic import between ipapython.dnsutil and ipapython.ipautil.
  https://fedorahosted.org/freeipa/ticket/5710
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipaldap: Convert dict items to list before iterating | Petr Viktorin | 2016-05-30 | 1 | -1/+1
  In Python 3, dict.items() returns a view. When such a view is iterated over, the dict cannot change size.
  Part of the work for: https://fedorahosted.org/freeipa/ticket/4985
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipapython.secrets.kem: Use ConfigParser from six.moves | Petr Viktorin | 2016-05-30 | 1 | -2/+2
  In Python 3, the module name changed from 'ConfigParser' to 'configparser'. Use the appropriate location from six.
  Part of the work for: https://fedorahosted.org/freeipa/ticket/4985
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipaldap: Keep attribute names as text, not bytes | Petr Viktorin | 2016-05-30 | 1 | -2/+2
  Part of the work for: https://fedorahosted.org/freeipa/ticket/4985
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Remove unused variable and finally block in SchemaCache | Martin Basti | 2016-05-12 | 1 | -5/+0
  Handling exceptions in Python is an expensive operation; removing the unneeded finally block is good for performance.
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Removed custom implementation of CalledProcessError | Abhijeet Kasurde | 2016-05-10 | 1 | -15/+2
  Removed the custom class of CalledProcessError which was required for Python versions prior to 2.5.
  Fixes: https://fedorahosted.org/freeipa/ticket/5717
  Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Add function ipapython.dnsutil.inside_auto_empty_zone() | Petr Spacek | 2016-04-28 | 1 | -0/+25
  It allows testing whether a given DNS name belongs to an automatic empty zone.
  https://fedorahosted.org/freeipa/ticket/5710
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Use shared sanity check and tests ipapython.dnsutil.is_auto_empty_zone() | Petr Spacek | 2016-04-28 | 1 | -2/+14
  https://fedorahosted.org/freeipa/ticket/5710
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Move function is_auto_empty_zone() into ipapython.dnsutil | Petr Spacek | 2016-04-28 | 2 | -7/+7
  I'm going to extend this so it is better to have it in a module. At the same time it is now using the shared assert_absolute_dnsname() helper.
  https://fedorahosted.org/freeipa/ticket/5710
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add assert_absolute_dnsname() helper to ipapython.dnsutil | Petr Spacek | 2016-04-28 | 1 | -0/+19
  Sanity checks for zone names and such should be the same everywhere. This new function will be a replacement for ad-hoc checks.
  https://fedorahosted.org/freeipa/ticket/5710
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Move automatic empty zone list into ipapython.dnsutil and make it reusable | Petr Spacek | 2016-04-28 | 2 | -53/+60
  https://fedorahosted.org/freeipa/ticket/5710
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Remove function ipapython.ipautil.host_exists() | Petr Spacek | 2016-04-28 | 1 | -14/+0
  The function duplicated ipalib.util.verify_host_resolvable() in a slightly incompatible way because it used NSS while the rest of IPA is using only DNS.
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* sysrestore: Iterate over a list of dict keys | Petr Viktorin | 2016-04-28 | 1 | -1/+1
  In Python 3, dict.keys() returns a key view. It is not safe to delete dict keys when iterating over this view. Convert the keys to a list first.
  Part of the work for https://fedorahosted.org/freeipa/ticket/4985
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Always set hostname | Martin Basti | 2016-04-26 | 1 | -12/+0
  This prevents cases when the hostname on the system is set inconsistently (transient and static hostnames differ) and may cause IPA errors. This commit ensures that all hostnames are set properly.
  https://fedorahosted.org/freeipa/ticket/5794
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Use netifaces module instead of 'ip' command | Martin Basti | 2016-04-14 | 1 | -17/+18
  Netifaces allows getting addresses from local interfaces of the host in a safer way than parsing output of the ip command.
  https://fedorahosted.org/freeipa/ticket/5591
  Reviewed-By: David Kupka <dkupka@redhat.com>
* differentiate between limit types when LDAP search exceeds configured limits | Martin Babinsky | 2016-04-13 | 1 | -18/+50
  When an LDAP search fails on exceeded limits, we should raise a specific exception for the type of limit raised (size, time, administrative) so that the consumer can distinguish between e.g. searches returning too many entries and those timing out.
  https://fedorahosted.org/freeipa/ticket/5677
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Fix: catch Exception instead of more specific exception types | Martin Basti | 2016-03-22 | 1 | -2/+2
  Regression caused by commit 491447cc5ab8c5eff2be57d609201cefb79f7053, ValueError and AttributeError are too specific for these cases, multiple types of exception can be raised.
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Pylint: remove unnecessary-semicolon | Martin Basti | 2016-03-22 | 1 | -1/+1
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
  Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
* Pylint: import max one module per line | Martin Basti | 2016-03-22 | 1 | -1/+2
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
  Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
* pylint: remove bare except | Martin Basti | 2016-03-22 | 4 | -18/+13
  Bare except should not be used.
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
  Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
* certdb: never use the -r option of certutil | Jan Cholasta | 2016-03-16 | 1 | -10/+8
  The -r option makes certutil output certificates in DER. If there are multiple certificates sharing the same nickname, certutil will output them concatenated into a single blob. The blob is not a valid DER anymore and causes failures further in the code. Use the -a option instead to output the certificates in PEM and convert them to DER on demand.
  https://fedorahosted.org/freeipa/ticket/5117
  https://fedorahosted.org/freeipa/ticket/5720
  Reviewed-By: David Kupka <dkupka@redhat.com>
* ipapython.sysrestore: Use str methods instead of functions from the string module | Petr Viktorin | 2016-03-03 | 1 | -6/+6
  For historical reasons, the string module contained some functions that mirror methods of the str type. These are removed in Python 3. Use str methods instead.
  Part of the work for https://fedorahosted.org/freeipa/ticket/5638
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Move get_ipa_basedn from ipautil to ipadiscovery | Petr Viktorin | 2016-03-03 | 1 | -41/+0
  The function wasn't used anywhere else.
  Part of the work for https://fedorahosted.org/freeipa/ticket/5638
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* pylint: suppress false positive no-member errors | Martin Basti | 2016-03-02 | 3 | -4/+7
  pylint 1.5 prints many false positive no-member errors which are suppressed by this commit.
  https://fedorahosted.org/freeipa/ticket/5615
  Reviewed-By: David Kupka <dkupka@redhat.com>