path: root/ipapython
Commit message | Author | Age | Files | Lines
* DNS upgrade: change global forwarding policy in LDAP to "only" if private IPs are used | Petr Spacek | 2016-05-30 | 1 | -0/+18
  This change is necessary to override automatic empty zone configuration in latest BIND and bind-dyndb-ldap 9.0+.
  This procedure is still not complete because we need to handle global forwarders in named.conf too (independently on each server).
  https://fedorahosted.org/freeipa/ticket/5710
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add function ipapython.dnsutil.related_to_auto_empty_zone() | Petr Spacek | 2016-05-30 | 1 | -0/+30
  It allows to test if given DNS name is sub/super domain of an automatic empty zone.
  https://fedorahosted.org/freeipa/ticket/5710
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Move IP address resolution from ipaserver.install.installutils to ipapython.dnsutil | Petr Spacek | 2016-05-30 | 1 | -0/+59
  This is to make it reusable from other modules and to avoid future code duplication.
  https://fedorahosted.org/freeipa/ticket/5710
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Move check_zone_overlap() from ipapython.ipautil to ipapython.dnsutil | Petr Spacek | 2016-05-30 | 2 | -35/+35
  This is preparatory work to avoid (future) cyclic import between ipapython.dnsutil and ipapython.ipautil.
  https://fedorahosted.org/freeipa/ticket/5710
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipaldap: Convert dict items to list before iterating | Petr Viktorin | 2016-05-30 | 1 | -1/+1
  In Python 3, dict.items() returns a view. When such a view is iterated over, the dict cannot change size.
  Part of the work for: https://fedorahosted.org/freeipa/ticket/4985
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipapython.secrets.kem: Use ConfigParser from six.moves | Petr Viktorin | 2016-05-30 | 1 | -2/+2
  In Python 3, the module name changed from 'ConfigParser' to 'configparser'. Use the appropriate location from six.
  Part of the work for: https://fedorahosted.org/freeipa/ticket/4985
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipaldap: Keep attribute names as text, not bytes | Petr Viktorin | 2016-05-30 | 1 | -2/+2
  Part of the work for: https://fedorahosted.org/freeipa/ticket/4985
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Remove unused variable and finally block in SchemaCache | Martin Basti | 2016-05-12 | 1 | -5/+0
  Handling exceptions in python is expensive operation, removing of unneeded finally block is good for performance.
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Removed custom implementation of CalledProcessError | Abhijeet Kasurde | 2016-05-10 | 1 | -15/+2
  Removed custom class of CalledProcessError which was required for Python versions prior to 2.5
  Fixes: https://fedorahosted.org/freeipa/ticket/5717
  Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Add function ipapython.dnsutil.inside_auto_empty_zone() | Petr Spacek | 2016-04-28 | 1 | -0/+25
  It allows to test if given DNS name belongs to an automatic empty zone.
  https://fedorahosted.org/freeipa/ticket/5710
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Use shared sanity check and tests ipapython.dnsutil.is_auto_empty_zone() | Petr Spacek | 2016-04-28 | 1 | -2/+14
  https://fedorahosted.org/freeipa/ticket/5710
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Move function is_auto_empty_zone() into ipapython.dnsutil | Petr Spacek | 2016-04-28 | 2 | -7/+7
  I'm going to extend this so it is better to have it in module. At the same time it is now using shared assert_absolute_dnsname() helper.
  https://fedorahosted.org/freeipa/ticket/5710
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Add assert_absolute_dnsname() helper to ipapython.dnsutil | Petr Spacek | 2016-04-28 | 1 | -0/+19
  Sanity check for zone names and such should be the same everywhere. This new function will be a replacement for ad-hoc checks.
  https://fedorahosted.org/freeipa/ticket/5710
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Move automatic empty zone list into ipapython.dnsutil and make it reusable | Petr Spacek | 2016-04-28 | 2 | -53/+60
  https://fedorahosted.org/freeipa/ticket/5710
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Remove function ipapython.ipautil.host_exists() | Petr Spacek | 2016-04-28 | 1 | -14/+0
  The function duplicated ipalib.util.verify_host_resolvable() in slightly incompatible way because it used NSS while rest of IPA is using only DNS.
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* sysrestore: Iterate over a list of dict keys | Petr Viktorin | 2016-04-28 | 1 | -1/+1
  In Python 3, dict.keys() returns a key view. It is not safe to delete dict keys when iterating over this view. Convert the keys to list first.
  Part of the work for https://fedorahosted.org/freeipa/ticket/4985
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Always set hostname | Martin Basti | 2016-04-26 | 1 | -12/+0
  This prevents cases when hostname on system is set inconsistently (transient and static hostname differs) and may cause IPA errors.
  This commit ensures that all hostnames are set properly.
  https://fedorahosted.org/freeipa/ticket/5794
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Use netifaces module instead of 'ip' command | Martin Basti | 2016-04-14 | 1 | -17/+18
  Netifaces allows to get addresses from local interfaces of the host in safer way than parsing output of the ip command.
  https://fedorahosted.org/freeipa/ticket/5591
  Reviewed-By: David Kupka <dkupka@redhat.com>
* differentiate between limit types when LDAP search exceeds configured limits | Martin Babinsky | 2016-04-13 | 1 | -18/+50
  When LDAP search fails on exceeded limits, we should raise a specific exception for the type of limit raised (size, time, administrative) so that the consumer can distinguish between e.g. searches returning too many entries and those timing out.
  https://fedorahosted.org/freeipa/ticket/5677
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Fix: catch Exception instead of more specific exception types | Martin Basti | 2016-03-22 | 1 | -2/+2
  Regression caused by commit 491447cc5ab8c5eff2be57d609201cefb79f7053, ValueError and AttributeError are too much specific for these cases, multiple types of exception can be raised.
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Pylint: remove unnecessary-semicolon | Martin Basti | 2016-03-22 | 1 | -1/+1
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
  Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
* Pylint: import max one module per line | Martin Basti | 2016-03-22 | 1 | -1/+2
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
  Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
* pylint: remove bare except | Martin Basti | 2016-03-22 | 4 | -18/+13
  Bare except should not be used.
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
  Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
* certdb: never use the -r option of certutil | Jan Cholasta | 2016-03-16 | 1 | -10/+8
  The -r option makes certutil output certificates in DER. If there are multiple certificates sharing the same nickname, certutil will output them concatenated into a single blob. The blob is not a valid DER anymore and causes failures further in the code.
  Use the -a option instead to output the certificates in PEM and convert them to DER on demand.
  https://fedorahosted.org/freeipa/ticket/5117
  https://fedorahosted.org/freeipa/ticket/5720
  Reviewed-By: David Kupka <dkupka@redhat.com>
* ipapython.sysrestore: Use str methods instead of functions from the string module | Petr Viktorin | 2016-03-03 | 1 | -6/+6
  For historical reasons, the string module contained some functions that mirror methods of the str type. These are removed in Python 3. Use str methods instead.
  Part of the work for https://fedorahosted.org/freeipa/ticket/5638
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Move get_ipa_basedn from ipautil to ipadiscovery | Petr Viktorin | 2016-03-03 | 1 | -41/+0
  The function wasn't used anywhere else.
  Part of the work for https://fedorahosted.org/freeipa/ticket/5638
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* pylint: suppress false positive no-member errors | Martin Basti | 2016-03-02 | 3 | -4/+7
  pylint 1.5 prints many false positive no-member errors which are suppressed by this commit.
  https://fedorahosted.org/freeipa/ticket/5615
  Reviewed-By: David Kupka <dkupka@redhat.com>
* cookie parser: do not fail on cookie with empty value | Petr Vobornik | 2016-03-01 | 1 | -1/+2
  https://fedorahosted.org/freeipa/ticket/5709
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Move freeipa certmonger helpers to libexecdir. | Timo Aaltonen | 2016-02-26 | 1 | -11/+2
  The scripts in this directory are simple python scripts, nothing arch-specific in them. Having them under libexec would simplify the code a bit too, since there would be no need to worry about lib vs lib64 (which also cause trouble on Debian).
  https://fedorahosted.org/freeipa/ticket/5586
  Reviewed-By: David Kupka <dkupka@redhat.com>
* client: stop using /etc/pki/nssdb | Jan Cholasta | 2016-02-24 | 1 | -0/+29
  Don't put any IPA certificates to /etc/pki/nssdb - IPA itself uses /etc/ipa/nssdb and IPA CA certificates are provided to the system using p11-kit. Remove leftovers on upgrade.
  https://fedorahosted.org/freeipa/ticket/5592
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Fixes minor issues | Stanislav Laznicka | 2016-02-24 | 1 | -4/+10
  Fixes issues discovered by Coverity
    plugins/baseldap.py: possible undefined value in return
    certmonger.py: possible dereference of None value
    i18n.py: fixed always True bug (+ cosmetic change)
  https://fedorahosted.org/freeipa/ticket/5661
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Cosmetic changes to the code | Stanislav Laznicka | 2016-02-24 | 1 | -1/+1
  Fixes some Coverity issues
    ipadiscovery.py: added assert should universe break
    plugins/dns.py: removed dead code
    dnssec/ldapkeydb.py: attribute assert in the proper object
    test_automount_plugin.py: fixed possible close() on None
    xmlrpc_test.py: Coverity does not like accessing None.__class__
  https://fedorahosted.org/freeipa/ticket/5661
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Py3: do not use dict.iteritems() | Martin Basti | 2016-02-23 | 1 | -2/+2
  Py3 does not support iter* methods, this commit replaces 2 occurrences of iteritems() to items(). The dictionaries there are not big, this is sufficient we do not need to use six.
  https://fedorahosted.org/freeipa/ticket/5623
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* p11helper: Port to Python 3 | Petr Viktorin | 2016-02-17 | 1 | -6/+5
  - Use binascii.hexlify instead of encode('hex')
  - Keep the library name as a text string instead of encoding to bytes
  https://fedorahosted.org/freeipa/ticket/5638
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipautil: Use mode 'w+' in write_tmp_file | Petr Viktorin | 2016-02-17 | 1 | -1/+1
  Python defaults to 'w+b', but all callers in IPA write use text (as opposed to bytes).
  https://fedorahosted.org/freeipa/ticket/5638
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipautil.run, kernel_keyring: Encoding fixes for Python 3 | Petr Viktorin | 2016-02-17 | 2 | -5/+5
  https://fedorahosted.org/freeipa/ticket/5638
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipaldap, ldapupdate: Encoding fixes for Python 3 | Petr Viktorin | 2016-02-17 | 1 | -4/+10
  https://fedorahosted.org/freeipa/ticket/5638
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove workaround for CA running check | Fraser Tweedale | 2016-01-21 | 1 | -22/+3
  A workaround was introduced for ticket #4676 that used wget to perform an (unauthenticated) https request to check the CA status. Later, wget was changed to curl (the request remained unauthenticated).
  Remove the workaround and use an http request (no TLS) to check the CA status. Also remove the now-unused unauthenticated_http_request method, and update specfile to remove ipalib dependency on curl.
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipapython: use python-cryptography instead of libcrypto in p11helper | Jan Cholasta | 2016-01-21 | 1 | -232/+108
  Replace CFFI calls to libcrypto with equivalent python-cryptography code.
  https://fedorahosted.org/freeipa/ticket/5596
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipapython: port p11helper C code to Python | Jan Cholasta | 2016-01-21 | 10 | -2477/+1868
  This replaces the binary _ipap11helper module with cffi-based Python code.
  https://fedorahosted.org/freeipa/ticket/5596
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* dnsutil: Rename __nonzero__ to __bool__ | Petr Viktorin | 2016-01-20 | 1 | -1/+3
  In Python 3, this special method got renamed. Set both to the same function to keep compatibility.
  https://fedorahosted.org/freeipa/ticket/5623
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Use print_function future definition wherever print() is used | Petr Viktorin | 2016-01-20 | 1 | -0/+2
  Pylint considers `print` a statement if the __future__ import is not present, even if it's used like a function with one argument.
  Add the __future__ import to files `pylint --py3k` complains about.
  https://fedorahosted.org/freeipa/ticket/5623
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipapython: remove default_encoding_utf8 | Jan Cholasta | 2016-01-15 | 4 | -128/+1
  Replace the "import default_encoding_utf8" in ipalib/cli.py with equivalent Python code.
  https://fedorahosted.org/freeipa/ticket/5596
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Do not decode HTTP reason phrase from Dogtag | Fraser Tweedale | 2016-01-13 | 1 | -12/+11
  The HTTP reason phrase sent by Dogtag is assumed to be encoded in UTF-8, but the encoding used by Tomcat is dependent on system locale, causing decode errors in some locales.
  The reason phrase is optional and will not be sent in a future version of Tomcat[1], so do not bother decoding and returning it.
  [1] https://github.com/apache/tomcat/commit/707ab1c77f3bc189e1c3f29b641506db4c8bce37
  Fixes: https://fedorahosted.org/freeipa/ticket/5578
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Allow to use mixed case for sysrestore | Martin Basti | 2016-01-08 | 1 | -0/+4
  This commit allows to use mixed case of keys for sysrestore, before this commit all keys were saved in lowercase what prevents to accessing them.
  Original usage of mixed case for sysrestore key in opendssecinstance had to be changed to lowercase to prevent issues on already installed systems.
  https://fedorahosted.org/freeipa/ticket/5574
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal | Petr Spacek | 2016-01-07 | 1 | -0/+6
  Command "ldap-cleanup <zone name>" is called to remove all key metadata from LDAP. This command is now called when disabling DNSSEC on a DNS zone. The stale metadata were causing problems when re-enabling DNSSEC on the same zone.
  https://fedorahosted.org/freeipa/ticket/5348
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP | Petr Spacek | 2016-01-07 | 2 | -9/+31
  This filtering is useful in cases where LDAP contains DNS zones which have old metadata objects and DNSSEC disabled.
  Such zones must be ignored to prevent errors while calling dnssec-keyfromlabel or rndc.
  https://fedorahosted.org/freeipa/ticket/5348
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP | Petr Spacek | 2016-01-07 | 1 | -11/+61
  Key purging has to be only after key metadata purging so ipa-dnskeysyncd on replicas does not fail while dereferencing non-existing keys.
  https://fedorahosted.org/freeipa/ticket/5334
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: add debug mode to ldapkeydb.py | Petr Spacek | 2016-01-07 | 1 | -2/+52
  ldapkeydb.py can be executed directly now. In that case it will print out key metadata as obtained using IPA LDAP API.
  Kerberos credential cache has to be filled with principal possessing appropriate access rights before the script is executed.
  https://fedorahosted.org/freeipa/ticket/5348
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: remove obsolete TODO note | Petr Spacek | 2016-01-07 | 1 | -1/+0
  https://fedorahosted.org/freeipa/ticket/5348
  Reviewed-By: Martin Basti <mbasti@redhat.com>