| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Unused variables may:
* make code less readable
* create dead code
* potentialy hide issues/errors
Enabled check should prevent to leave unused variable in code
Check is locally disabled for modules that fix is not clear or easy or have too many occurences of
unused variables
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
This commit removes unused variables or rename variables as "expected to
be unused" by using "_" prefix.
This covers only cases where fix was easy or only one unused variable
was in a module
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
It is not obvious how to add SELinux type and role transitions to a
Sudo rule. Update the 'sudorule' plugin documentation with examples
of how to do this.
Fixes: https://fedorahosted.org/freeipa/ticket/3461
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
When removing all host/service certificates via host/service-mod
--certificate=, the removed certificates should be revoked, but they
are not. Examine whether the --certificate option was provided to
determine whether certs should be revoked, instead of looking for a
cert list in the options (which in this case is empty).
Fixes: https://fedorahosted.org/freeipa/ticket/6305
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
| |
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
| |
|
|
|
| |
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
| |
|
|
|
|
|
| |
fix inefficient if statements, enable pylint check
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
| |
|
|
|
|
|
|
| |
It will correspond with CLI and will be more self-explanatory.
https://fedorahosted.org/freeipa/ticket/6334
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Inform the user where to find additional information
about certificate revocation reasons.
https://fedorahosted.org/freeipa/ticket/6327
Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
User and groups regexp are the same and constant should be used to avoid
any future misconfigurations.
https://fedorahosted.org/freeipa/ticket/5822
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Regexp should not enforce lenght of string, we have different checks for
that. Secondly regexp with length specified produces an incorrect error
message.
https://fedorahosted.org/freeipa/ticket/5822
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
The flag was removed in commit ff52c25ae299abba8bed653fe324951979a41293
because it is unused. Add it back for compatibility with old clients.
https://fedorahosted.org/freeipa/ticket/5644
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Commit c2af032c0333f7e210c54369159d1d9f5e3fec74 introduced a regression in the
handling of user principals supplied to the`ipa passwd` command. This patch
restores the original behavior which lowercases the username portion of the
principal.
https://fedorahosted.org/freeipa/ticket/6329
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The code should always contact forest root DCs when requesting trust domain
info. In the case of one-way or external trusts
`com.redhat.idm.trust-fetch-domains` helper is leveraged, otherwise forest
root domain is contacted directly through Samba using the credentials of HTTP
principal.
https://fedorahosted.org/freeipa/ticket/6328
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Fix a regression in recent change to request cert via Dogtag REST
API. 'ra.request_certificate' was no longer raising
CertificateOperationError when the cert request failed. Inspect the
request result to determine if the request completed, and raise if
it did not.
Fixes: https://fedorahosted.org/freeipa/ticket/6309
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
DNs for netgroup entries can contain either 'cn' or 'ipauniqueid' attribute in
their leaf RDN depending on their origin. Since 'cn' is the primary key, we
can return it in `get_primary_key_from_dn` right away and avoid any extraneous
LDAP search.
https://fedorahosted.org/freeipa/ticket/5855
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
| |
|
|
|
|
|
|
| |
Also moving activate_action method several lines up - correcting logical order of methods.
https://fedorahosted.org/freeipa/ticket/5818
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
There is no reason (RFC) why we should prevent users to add multicast
addresses to A/AAAA records
https://fedorahosted.org/freeipa/ticket/5814
Reviewed-By: David Kupka <dkupka@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently cloud environments uses heavily prefix /32 (/128) what makes
IPA validators to fail. IPA should not care if IP address is network or not.
This commit allows usage of network addresses in:
* host plugin
* dns plugin
* server-installer
* client-installer
https://fedorahosted.org/freeipa/ticket/5814
Reviewed-By: David Kupka <dkupka@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Revocation of host/service certs on host/service deletion or other
operations is broken when cert is issued by a lightweight (sub)CA,
causing the delete operation to be aborted. Look up the issuing CA
and pass it to 'cert_revoke' to fix the issue.
Fixes: https://fedorahosted.org/freeipa/ticket/6221
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Detect when cert-request returns HTTP 409, which indicates that the
target CA is disabled - a valid scenario - and raise
CertificateOperationError with a friendly message instead of
HTTPRequestError.
Fixes: https://fedorahosted.org/freeipa/ticket/6260
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The Dogtag REST API gives better responses statuses than the RPC API
and properly reports failure due to disabled CA (status 409). Make
'ra' extend 'RestClient' and refactor the 'request_certificate'
method to use Dogtag's REST API.
Part of: https://fedorahosted.org/freeipa/ticket/6260
Part of: https://fedorahosted.org/freeipa/ticket/3473
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, HTTP requests that respond with status not in the 2xx
range raise RemoteRetrieveError. The exception includes no
information about the response status.
Add the 'HTTPRequestError' class which extends 'RemoteRequestError'
with an attribute for the response status, and update the Dogtag
RestClient to raise the new error.
Part of: https://fedorahosted.org/freeipa/ticket/6260
Part of: https://fedorahosted.org/freeipa/ticket/3473
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently the Dogtag RestClient '_ssldo' method requires a session
cookie unconditionally, however, not all REST methods require a
session: some do not require authentication at all, and some will
authenticate the agent on the fly.
To avoid unnecessary login/logout requests via the context manager,
add the 'use_session' keyword argument to '_ssldo'. It defaults to
'True' to preserve existing behaviour (session required) but a
caller can set to 'False' to avoid the requirement.
Part of: https://fedorahosted.org/freeipa/ticket/6260
Part of: https://fedorahosted.org/freeipa/ticket/3473
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Always return the cert specified in --certificate in cert-find result, even
when the cert is not found in LDAP.
https://fedorahosted.org/freeipa/ticket/6304
Reviewed-By: David Kupka <dkupka@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
We soon plan to revoke certificates upon lightweight CA deletion.
This makes it important to provide a way to prevent a CA from
issuing certificates whilst not deleting and revoking it, and
continuing to allow management of issued certs.
This commit adds the ca-disable and ca-enable commands.
Fixes: https://fedorahosted.org/freeipa/ticket/6257
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Fix the code which determines if a record part is required and thus should
be prompted not to wrongfully consider all record parts to be optional.
https://fedorahosted.org/freeipa/ticket/6203
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Prior To Windows Server 2012R2, the `netr_DsRGetForestTrustInformation` calls
performed against non-root forest domain DCs were automatically routed to the
root domain DCs to resolve trust topology information.
This is no longer the case, so the `dcerpc.fetch_domains` function must
explicitly contact root domain DCs even in the case when an external two-way
trust to non-root domain is requested.
https://fedorahosted.org/freeipa/ticket/6057
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
When `trust-add` is supplied AD domain admin name without realm component, the
code appends the uppercased AD forest root domain name to construct the full
principal. This can cause authentication error, however, when external trust
with non-root domain is requested.
We should instead use the supplied DNS domain name (if valid) as a realm
component.
https://fedorahosted.org/freeipa/ticket/6277
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
The code is supposed to check that the SAN name is also authorized to be used
with the specified profile id.
The original principal has already been checked.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Include name of the CA that issued a certificate in cert-request, cert-show
and cert-find.
This allows the caller to call further commands on the cert without having
to call ca-find to find the name of the CA.
https://fedorahosted.org/freeipa/ticket/6151
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Add back `serial_number_hex` and `revoked` param values to cert-find output
accidentally removed in commit c718ef058847bb39e78236e8af0ad69ac961bbcf.
https://fedorahosted.org/freeipa/ticket/6269
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
We do not have right to write to users delete_container. In case that
user already exists in that container and we tried to add entry, we
receive ACIError. This must be checked and DuplicationEntry error must
be raised before.
https://fedorahosted.org/freeipa/ticket/6199
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Use a handler created for the purpose of deciding whether
to raise exception or not.
https://fedorahosted.org/freeipa/ticket/6259
Reviewed-By: Oleg Fayans <ofayans@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Force client to send the value of ipatokenotpkey and ipapermlocation as
entered by user.
https://fedorahosted.org/freeipa/ticket/6247
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
| |
Enhance the cert-show command to return subject alternative name
values.
Fixes: https://fedorahosted.org/freeipa/ticket/6022
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
We want to include the whole DER value when we pretty-print
unrecognised otherNames, so add a field to the GeneralNameInfo
namedtuple and populate it for otherNames.
Part of: https://fedorahosted.org/freeipa/ticket/6022
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
GeneralName parsing currently relies heavily on strings from NSS.
Make the code hopefully less brittle by identifying GeneralName
types by NSS enums and, for otherName, the name-type OID also.
Part of: https://fedorahosted.org/freeipa/ticket/6022
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
GeneralName parsing code is primarily relevant to X.509. An
upcoming change will add SAN parsing to the cert-show command, so
first move the GeneralName parsing code from ipalib.pkcs10 to
ipalib.x509.
Part of: https://fedorahosted.org/freeipa/ticket/6022
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Verify that key is not empty when adding otp token. If it is empty, raise an
appropriate error.
https://fedorahosted.org/freeipa/ticket/6200
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
The server-del plugin now removes the Custodia keys for encryption and
key signing from LDAP.
https://fedorahosted.org/freeipa/ticket/6015
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/6236
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
| |
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ID ranges for child domains of a forest trust were created incorrectly
in FreeIPA 4.4.0 due to refactoring of -- if the domain was already
existing, we never attempted to create the ID range for it.
At the same time, when domain was missing, we attempted to add ID range
and passed both forest root and the child domain names to add_range().
However, add_range() only looks at the first positional argument which
was the forest root name. That ID range always exists (it is created
before child domains are processed).
Modify the code to make sure child domain name is passed as the first
positional argument. In addition, the oddjob helper should explicitly
set context='server' so that idrange code will be able to see and use
ipaserver/dcerpc.py helpers.
Resolves: https://fedorahosted.org/freeipa/ticket/5738
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When external trust is established, it is by definition is
non-transitive: it is not possible to obtain Kerberos tickets to any
service outside the trusted domain.
Reflect this reality by only accepting UPN suffixes from the external
trust -- since the trusted domain is a part of another forest and UPN
suffixes are forest-wide, there could be user accounts in the trusted
domain that use forest-wide UPN suffix but it will be impossible to
reach the forest root via the externally trusted domain.
Also, an argument to netr_DsRGetForestTrustInformation() has to be
either forest root domain name or None (NULL). Otherwise we'll get
an error as explained in MS-NRPC 3.5.4.7.5.
https://fedorahosted.org/freeipa/ticket/6021
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The 'cert_revoke' command checks the 'revoke certificate'
permission, however, if an ACIError is raised, it then invokes the
'cert_show' command. The rational was to re-use a "host manages
certificate" check that is part of the 'cert_show' command, however,
it is sufficient that 'cert_show' executes successfully for
'cert_revoke' to recover from the ACIError continue. Therefore,
anyone with 'retrieve certificate' permission can revoke *any*
certificate and cause various kinds of DoS.
Fix the problem by extracting the "host manages certificate" check
to its own method and explicitly calling it from 'cert_revoke'.
Fixes: https://fedorahosted.org/freeipa/ticket/6232
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
With recent change in DS (CVE fix), ds is not returging DuplicatedEntry
error in case that user is not permitted by ACI to write, but ACIError instead.
Is safe to ignore ACI error in container, because it will be raised
again later if user has no access to container.
https://fedorahosted.org/freeipa/ticket/6159
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
| |
Addressing ticket https://fedorahosted.org/freeipa/ticket/5764
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
| |
|
|
|
|
| |
Prerequisite for: https://fedorahosted.org/freeipa/ticket/5764
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
It is not safe to have only one CA server in topology. Therefore there is a check
and in case that there is only one CA server a warning is shown. The warning is
shown after each refreshing of servers facet.
https://fedorahosted.org/freeipa/ticket/5828
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
|
