| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
subjectAltName is required or relevant in most certificate use cases
(esp. TLS, where carrying DNS name in Subject DN CN attribute is
deprecated). Therefore it does not really make sense to have a
special permission for this, over and above "request certificate"
permission.
Furthermore, we already do rigorously validate SAN contents again
the subject principal, and the permission is waived for self-service
requests or if the operator is a host principal.
So remove the permission, the associated virtual operation, and the
associated code in cert_request.
Fixes: https://fedorahosted.org/freeipa/ticket/6526
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
As far as I can tell the tests are passing for some time in Jenkins so
maybe a bug in some underlying component was fixed. Let's remove
workarounds to make tests actually test real setups.
https://fedorahosted.org/freeipa/ticket/5348
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
This small integration suite tests some basic operations using
kadmin.local interface on services in both kerberos and services
subtree.
https://fedorahosted.org/freeipa/ticket/6561
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
--all
Result of {host,service}-{find,show} commands with option '--all' always contains
krbpwpolicyreference attributes.
https://fedorahosted.org/freeipa/ticket/6561
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Administrators need a way to retrieve the certificate or certificate
chain of an IPA-managed lightweight CA. Add params to the `ca'
object for carrying the CA certificate and chain (as multiple DER
values). Add the `--chain' flag for including the chain in the
result (chain is also included with `--all'). Add the
`--certificate-out' option for writing the certificate to a file (or
the chain, if `--chain' was given).
Fixes: https://fedorahosted.org/freeipa/ticket/6178
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
|
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/6504
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently we do not check Kerberos principal aliases when validating
a CSR. Enhance cert-request to accept the following scenarios:
- for hosts and services: CN and SAN dnsNames match a principal
alias (realm and service name must be same as nominated principal)
- for all principal types: UPN or KRB5PrincipalName othername match
any principal alias.
Fixes: https://fedorahosted.org/freeipa/ticket/6295
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
|
|
|
|
|
|
|
| |
fixes c2934aaa
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The environment variable IPA_CONFDIR overrides the default confdir path.
The value of the environment variable must be an absolute path to an existing
directory. The new variable makes it much simpler to use the 'ipa'
command and ipalib with a local configuration directory.
Some scripts (e.g. servers, installers, and upgrades) set the confdir
explicitly and do not support the env var.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
|
|
|
| |
ipalib's env bootstrapping uses hard-coded defaults, too.
https://fedorahosted.org/freeipa/ticket/6474
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/6474
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/6446
Reviewed-By: Milan Kubik <mkubik@redhat.com>
|
|
|
|
|
|
|
| |
In some cases we need to check the result of kinit and print out the error
message. Therefore we need it to return the result.
Reviewed-By: Milan Kubik <mkubik@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Fix some typos, missing or surplus dependencies.
* Remove setup requirement on wheel since it triggers download.
ipatests is now installable. Tests need further changes to be runable.
https://fedorahosted.org/freeipa/ticket/6468
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
`__repr__` now returns more descriptive string containing the actual principal
name while keeping the ability to reconstruct the object from it.
This makes principal names visible in debug logs, easing troubleshooting a
bit.
https://fedorahosted.org/freeipa/ticket/6505
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/6412
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Needed for basic certs in idoverrides tests
https://fedorahosted.org/freeipa/ticket/6412
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
kinit_password() depends on ipaplatform.
Move kinit_password() as well as kinit_keytab() to a new
ipalib.install.kinit module, as they are used only from installers.
https://fedorahosted.org/freeipa/ticket/6474
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
The dnssec and secrets subpackages and the p11helper module depend on
ipaplatform.
Move them to ipaserver as they are used only on the server.
https://fedorahosted.org/freeipa/ticket/6474
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Prevent false positive errors reported by `ipatests/i18n.py` and
`ipatests/test_ipalib/test_text.py` when LANGUAGE env variable is set in the
environment.
Additionally, also set LC_ALL and LC_MESSAGES during checks to further improve
the robustness.
https://fedorahosted.org/freeipa/ticket/6512
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
In Python 3 exception instances no longer have a message attribute.
For most exceptions, str(e) or string formatting give the same result.
Fix some renamed modules, module members and functions.
https://fedorahosted.org/freeipa/ticket/4985
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Sprinkle 'pylint disable' comments over the code base to silence a bunch
of pylint warnings on Python 3. All silenced warnings are harmless and
not bugs.
https://fedorahosted.org/freeipa/ticket/4985
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The Makefile test targets were lost when gettextize infrastructure was
introduced. Now it is re-added in its modernized form which counts with
generated .pot files.
ipatests/i18n.py is now explicitly setting character encoding in files
it generates. According to gettext manual chapter "Filling in the Header Entry"
the Content-Type header is language-specific so it does not make sense
to fill it in in .pot file.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
| |
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
|
| |
Commits 64af88fe and 9fbd29cc have removed dependency on lxml.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
The module ipapython.dnssec.odsmgr is the only module in ipalib,
ipaclient, ipapython and ipaplatform that uses lxml.etree.
https://fedorahosted.org/freeipa/ticket/6469
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/6468
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Automake manual section 13 What Gets Cleaned says that make maintainer-clean
should not remove files necessary for subsequent runs of ./configure.
It practically means that all usage of MAINTAINERCLEANFILES were incorrect
so I've removed them.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/6485
Reviewed-By: Milan Kubik <mkubik@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/6347
Reviewed-By: Ganna Kaihorodova <gkaihoro@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/6481
Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/6005
Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
|
|
|
|
|
|
| |
Added generic method to run certutil with arbitrary set of paramenters
Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/6420
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
|
|
|
| |
As the group type has been changed from 'normal' to 'nonposix' we need to update
this information also in tests.
https://fedorahosted.org/freeipa/ticket/6334
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/6419
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
|
|
| |
Providing cleanup of trust information from AD machines for legacy client tests.
https://fedorahosted.org/freeipa/ticket/6396
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
|
|
|
|
|
|
|
| |
Providing cleanup of trust information from AD machines for trusts tests.
https://fedorahosted.org/freeipa/ticket/6396
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Temporary modify certmonger dogtag-ipa-ca-renew helper to request the IPA RA
agent cert, using the temp cert created during pkispawn. The cert request
is now processed through certmonger, and the helper arguments are restored
once the agent cert is obtained.
- Modify the installer code creating HTTP and LDAP certificates to use
certmonger's IPA helper with temporary parameters (calling dogtag-submit
instead of ipa-submit)
- Clean-up for the integration tests: sometimes ipa renewal.lock is not
released during ipa-server-uninstall. Make sure that the file is removed
to allow future installations.
https://fedorahosted.org/freeipa/ticket/6433
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
|
|
|
|
|
| |
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
|
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/6451
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Update x509.load_certificate and related functions to return
python-cryptography ``Certificate`` objects. Update the call sites
accordingly, including removal of NSS initialisation code.
Also update GeneralName parsing code to return python-cryptography
GeneralName values, for consistency with other code that processes
GeneralNames. The new function, `get_san_general_names`, and
associated helper functions, can be removed when python-cryptography
provides a way to deal with unrecognised critical extensions.
Part of: https://fedorahosted.org/freeipa/ticket/6398
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Update ``ipalib.pkcs10`` module to use python-cryptography for CSR
processing instead of NSS.
Part of: https://fedorahosted.org/freeipa/ticket/6398
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The upcoming change to using python-cryptography for certificate
process will require a way to convert
``cryptography.x509.name.Name`` values to ``ipapython.dn.DN``.
Update the ``DN`` constructor to accept a ``Name``.
Part of: https://fedorahosted.org/freeipa/ticket/6398
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Since /etc/ipa/ca.crt should be always present on the test runner, we should
use it in bind method tests and not rely on its presence in user conf dir.
https://fedorahosted.org/freeipa/ticket/6409
Reviewed-By: Petr Spacek <pspacek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
At the time of this writting
https://fedoraproject.org/wiki/Packaging:Guidelines#Manpages
says this:
When installing man pages, note that they should be installed uncompressed
as the build system will compress them as needed. The compression method
may change, so it is important to reference the pages in the %files section
with a pattern that takes this into account:
%{_mandir}/man1/foo.1*
Removing the compression also allows to remove several install-data-hook
targets from Makefile.am files.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Static files from Git which are not touched by the build system
have to be explicitly listed in Makefile.am so they get into tarball.
EXTRA_DIST lists whole sub-directories with static files.
This is not ideal but we do not have enough time to fix it properly.
Dojo builder patch files were renames to shorten their name.
The original names were exceeding autotools length limit.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
By default automake does not distribute man pages. This marks then with
dist_ prefix to force their distribution in tarball.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|