summaryrefslogtreecommitdiffstats
path: root/ipapython
Commit message (Collapse)AuthorAgeFilesLines
* Installer should always wait until CA starts upMartin Kosek2013-10-172-6/+11
| | | | | | | | | | | | | | Patch for ticket 3964 changed the installer so that it does not always wait for CA if the proxy is not configured. However, it was found out that it may freeze an installation when a step subsequent after CA restart call the CA and receives no reply. Change the wait so that it always waits for CA to start up. If HTTP proxy is already configured, it should wait on port 443. If not, it should wait on local PKI port 8443. https://fedorahosted.org/freeipa/ticket/3973
* PKI installation on replica failing due to missing proxy confMartin Kosek2013-10-111-1/+2
| | | | | | | | Proxy configuration was not detected correctly. Both ipa-pki-proxy.conf and ipa.conf need to be in place and httpd restarted to be able to check it's status. https://fedorahosted.org/freeipa/ticket/3964
* ipapython.nsslib: Name arguments to NSPRErrorPetr Viktorin2013-10-041-5/+7
| | | | | Previously NSPRError was given arguments in the wrong order. Fix this by naming the arguments.
* Raise an error when updating CIDict with duplicate keysPetr Viktorin2013-09-251-3/+22
| | | | | | | | | Updating a CIDict with data like {'A': 1, 'a': 2} would lead to data loss since only one of the items would get to the CIDict. This can result in non-obvious bugs similar to this one in python-ldap: https://bugzilla.redhat.com/show_bug.cgi?id=1007820 Raise an error in this case; any resolution must be done by the caller.
* Add missing dict methods to CIDictPetr Viktorin2013-09-251-18/+49
| | | | | | | | | | | | | Make the CIDict interface match standard dict (except view* methods). Add __contains__, __iter__, clear. Add keyword and iterable support for __init__, update. Also add values() and itervalues(). Previously the dict versions were used; the new ones guarantee that the order matches keys(). Mark view* methods as not implemented. CIDict.copy() now returns a CIDict. Test the above additions, and fromkeys() which worked but wasn't tested.
* Move tests to test directoriesPetr Viktorin2013-09-252-406/+0
| | | | | | | | Nose doesn't pick up directories that don't begin with 'test'. Rename ipatests/test_ipaserver/install to test_install so that it's run. Also, merge test_ipautil.py from ipapython/test into tests/test_ipapython, so the whole test suite is in one place.
* Don't search platform pathTimo Aaltonen2013-09-161-1/+1
| | | | Don't use Python.h from the platform specific path
* Perform dirsrv tuning at platform levelTomas Babej2013-08-262-6/+88
| | | | | | | | | | | | | | | | When configuring the 389 Directory Server instance, we tune it so that number of file descriptors available to the DS is increased from the default 1024 to 8192. There are platform specific steps that need to be conducted differently on systemd compatible platforms and sysV compatible platforms. systemd: set LimitNOFILE to 8192 in /etc/sysconfig/dirsrv.systemd sysV: set ulimit -n 8192 in /etc/sysconfig/dirsrv set ulimit - nofile 8192 in /etc/security/limits.conf https://fedorahosted.org/freeipa/ticket/3823
* Prevent *.pyo and *.pyc multilib problemsMartin Kosek2013-08-131-2/+2
| | | | | | | | | | | | | Differences in the python byte code fails in a build validation (rpmdiff) done on difference architecture of the same package. This patch: 1) Ensures that timestamps of generated *.pyo and *.pyc files match 2) Python integer literals greater or equal 2^32 and lower than 2^64 are converted to long right away to prevent different type of the integer on architectures with different size of int https://fedorahosted.org/freeipa/ticket/3858
* Skip referrals when converting LDAP result to LDAPEntryTomas Babej2013-07-261-0/+9
| | | | | | | | When converting the result obtained by python-ldap library, we need to skip unresolved referral entries, since they cannot be converted. https://fedorahosted.org/freeipa/ticket/3814
* Correct default value of LDAPClient.get_entries scope argumentPetr Viktorin2013-07-251-1/+2
|
* Run gpg-agent explicitly when encrypting/decrypting files.Jan Cholasta2013-07-171-7/+12
| | | | | | Also add an option to ipautil.run to redirect command output to /dev/null. https://fedorahosted.org/freeipa/ticket/3767
* Use --ignore-dependencies only when necessaryAna Krivokapic2013-07-111-4/+5
| | | | | | | | | | Using the --ignore-dependencies switch was causing the ipactl stop command not to stop all instances of dirsrv and dogtag. Make sure the switch is used only when necessary, i.e. to prevent ipa-otpd.socket from getting stuck during the shutdown transaction. https://fedorahosted.org/freeipa/ticket/3730 https://fedorahosted.org/freeipa/ticket/3729
* Avoid systemd service deadlock during shutdownAna Krivokapic2013-07-111-1/+11
| | | | https://fedorahosted.org/freeipa/ticket/3729
* Use correct DS instance in ipactl statusAna Krivokapic2013-07-112-13/+31
| | | | | | | Make sure ipactl status check for correct DS instance. It should check for 'dirsrv@IPA-REALM' and not 'dirsrv.target'. https://fedorahosted.org/freeipa/ticket/3730
* Add Nose plugin for BeakerLib integrationPetr Viktorin2013-06-171-6/+13
| | | | | | | | | | | The plugin hooks into the Nose runner and IPA's logging infrastructure and calls the appropriate BeakerLib functions (rl*). IPA's log_manager is extended to accept custom Handler classes. The ipa-run-tests helper now loads the plugin. Patr of the work for: https://fedorahosted.org/freeipa/ticket/3621
* Manage ipa-otpd.socket by IPATomas Babej2013-06-061-0/+1
| | | | | | | | Adds a new simple service called OtpdInstance, that manages ipa-otpd.socket service. Added to server/replica installer and ipa-upgradeconfig script. https://fedorahosted.org/freeipa/ticket/3680
* Remove code to install Dogtag 9Petr Viktorin2013-05-311-4/+0
| | | | | | | | | Since we depend on Dogtag 10 now, there is no need to keep code that installs a Dogtag 9 CA. Support for upgraded Dogtag-9-style instances is left in. https://fedorahosted.org/freeipa/ticket/3529
* Remove leading zero from IPA_NUM_VERSIONPetr Viktorin2013-05-141-0/+17
| | | | | | | The numeric IPA_NUM_VERSION contained a leading zero, so it was treated as octal value in Python code instead of decimal. https://fedorahosted.org/freeipa/ticket/3622
* Remove unused ipapython.certdb.CertDB classPetr Viktorin2013-04-021-127/+0
|
* Process exceptions when talking to DogtagAlexander Bokovoy2013-03-211-1/+4
| | | | | | | | | | The problem is the ca_status() uses an HTTP GET operation to check Dogtag's status. Under some circumstances Dogtag may take a long time to respond, so the HTTP GET may time out much earlier than 2 minutes. And since the above code doesn't catch the exception, the whole loop fails immediately, so it doesn't wait for a full 2 minutes as expected. https://fedorahosted.org/freeipa/ticket/3492
* Extend ipa-replica-manage to be able to manage DNA ranges.Rob Crittenden2013-03-131-0/+2
| | | | | | | | | | | | | | | | | Attempt to automatically save DNA ranges when a master is removed. This is done by trying to find a master that does not yet define a DNA on-deck range. If one can be found then the range on the deleted master is added. If one cannot be found then it is reported as an error. Some validation of the ranges are done to ensure that they do overlap an IPA local range and do not overlap existing DNA ranges configured on other masters. http://freeipa.org/page/V3/Recover_DNA_Ranges https://fedorahosted.org/freeipa/ticket/3321
* Use IPAdmin rather than raw python-ldap in migration.py and ipadiscovery.pyPetr Viktorin2013-03-132-75/+46
| | | | | | | | | | | | | These used ipautil.get_ipa_basedn. Convert that to use the new wrappers. Beef up the error handling in ipaldap to accomodate the errors we catch in the server discovery. Add a DatabaseTimeout exception to errors.py. These were the last uses of ipautil.convert_ldap_error, remove that. https://fedorahosted.org/freeipa/ticket/3487 https://fedorahosted.org/freeipa/ticket/3446
* Use IPAdmin rather than raw python-ldap in ipa-client-installPetr Viktorin2013-03-131-1/+4
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/3487
* Move ipaldap to ipapythonPetr Viktorin2013-03-131-0/+1815
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/3446
* Derive Entity class from Entry, and move it to ldapupdatePetr Viktorin2013-03-011-131/+0
| | | | | | | The two classes were nearly identical, and the updater is the only code that uses Entity. Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Remove unused methods from Entry, Entity, and IPAdminPetr Viktorin2013-03-011-52/+0
| | | | | | These classes are deprecated, there's no use keeping unused methods around. Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Add custom mapping object for LDAP entry data.Jan Cholasta2013-03-011-0/+2
|
* Make ipapython.dogtag log requests at debug level, not infoPetr Viktorin2013-02-011-1/+1
|
* Port ipa-replica-prepare to the admintool frameworkPetr Viktorin2013-02-011-1/+4
| | | | | | | | | | | | | Break the script into several smaller methods. Use modern idioms: os.path.join instead of string addition; the with statement for closing files. Add --quiet, --verbose, and --log-file options. Use logging instead of print statements. (http://freeipa.org/page/V3/Logging_and_output) Part of: https://fedorahosted.org/freeipa/ticket/2652 Fixes: https://fedorahosted.org/freeipa/ticket/3285
* Better logging for AdminTool and ipa-ldap-updaterPetr Viktorin2013-02-011-30/+90
| | | | | | | | | | | | | - Automatically add a "Logging and output options" group with the --quiet, --verbose, --log-file options. - Set up logging based on these options; details are in the setup_logging docstring and in the design document. - Don't bind log methods as individual methods of the class. This means one less linter exception. - Make the help for command line options consistent with optparse's --help and --version options. Design document: http://freeipa.org/page/V3/Logging_and_output
* Add support for RFC 6594 SSHFP DNS records.Jan Cholasta2013-02-011-3/+12
| | | | https://fedorahosted.org/freeipa/ticket/2642
* Drop ipapython.compat.Jan Cholasta2013-02-013-84/+2
|
* Use new certmonger locking to prevent NSS database corruption.Rob Crittenden2013-01-291-11/+27
| | | | | | | | | | | | | | | | | | | | | | | | dogtag opens its NSS database in read/write mode so we need to be very careful during renewal that we don't also open it up read/write. We basically need to serialize access to the database. certmonger does the majority of this work via internal locking from the point where it generates a new key/submits a rewewal through the pre_save and releases the lock after the post_save command. This lock is held per NSS database so we're save from certmonger. dogtag needs to be shutdown in the pre_save state so certmonger can safely add the certificate and we can manipulate trust in the post_save command. Fix a number of bugs in renewal. The CA wasn't actually being restarted at all due to a naming change upstream. In python we need to reference services using python-ish names but the service is pki-cad. We need a translation for non-Fedora systems as well. Update the CA ou=People entry when he CA subsystem certificate is renewed. This certificate is used as an identity certificate to bind to the DS instance. https://fedorahosted.org/freeipa/ticket/3292 https://fedorahosted.org/freeipa/ticket/3322
* Pylint cleanup.Jan Cholasta2013-01-293-21/+16
| | | | | | | Add more dynamic attribute info to IPATypeChecker in make-lint. Remove unnecessary pylint comments. Fix false positivies introduced by Pylint 0.26. https://fedorahosted.org/freeipa/ticket/3379
* Use secure method to acquire IPA CA certificateJohn Dennis2013-01-231-0/+36
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Major changes ipa-client-install: * Use GSSAPI connection to LDAP server to download CA cert (now the default method) * Add --ca-cert-file option to load the CA cert from a disk file. Validate the file. If this option is used the supplied CA cert is considered definitive. * The insecure HTTP retrieval method is still supported but it must be explicitly forced and a warning will be emitted. * Remain backward compatible with unattended case (except for aberrant condition when preexisting /etc/ipa/ca.crt differs from securely obtained CA cert, see below) * If /etc/ipa/ca.crt CA cert preexists the validate it matches the securely acquired CA cert, if not: - If --unattended and not --force abort with error - If interactive query user to accept new CA cert, if not abort In either case warn user. * If interactive and LDAP retrieval fails prompt user if they want to proceed with insecure HTTP method * If not interactive and LDAP retrieval fails abort unless --force * Backup preexisting /etc/ipa/ca.crt in FileStore prior to execution, if ipa-client-install fails it will be restored. Other changes: * Add new exception class CertificateInvalidError * Add utility convert_ldap_error() to ipalib.ipautil * Replace all hardcoded instances of /etc/ipa/ca.crt in ipa-client-install with CACERT constant (matches existing practice elsewhere). * ipadiscovery no longer retrieves CA cert via HTTP. * Handle LDAP minssf failures during discovery, treat failure to check ldap server as a warninbg in absebce of a provided CA certificate via --ca-cert-file or though existing /etc/ipa/ca.crt file. Signed-off-by: Simo Sorce <simo@redhat.com> Signed-off-by: Rob Crittenden <rcritten@redhat.com>
* convert the base platform modules into packagesTimo Aaltonen2013-01-1410-178/+273
|
* Cookie Expires date should be locale insensitiveJohn Dennis2012-12-201-31/+11
| | | | | | | | | | | | | | | | | | | | | | | The Expires attribute in a cookie is supposed to follow the RFC 822 (superseded by RFC 1123) date format. That format includes a weekday abbreviation (e.g. Tue) which must be in English according to the RFC's. ipapython/cookie.py has methods to parse and format the Expires attribute but they were based on strptime() and strftime() which respects the locale. If a non-English locale is in effect the wrong date string will be produced and/or it won't be able to parse the date string. The fix is to use the date parsing and formatting functions from email.utils which specifically follow the RFC's and are not locale sensitive. This patch also updates the unit test to use email.utils as well. The patch should be applied to the following branches: Ticket: https://fedorahosted.org/freeipa/ticket/3313
* Switch %r specifiers to '%s' in Public errorsLynn Root2012-12-111-3/+3
| | | | | | | | | | | This switch drops the preceding 'u' from strings within Public error messages. This patch also addresses the related unfriendly 'u' from re-raising errors from netaddr.IPAddress by passing a bytestring through the function. Also switched ValidationError to TypeError in validate_scalar per jcholast@redhat.com. Ticket: https://fedorahosted.org/freeipa/ticket/3121 Ticket: https://fedorahosted.org/freeipa/ticket/2588
* Compliant client side session cookie behaviorJohn Dennis2012-12-101-0/+699
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In summary this patch does: * Follow the defined rules for cookies when: - receiving a cookie (process the attributes) - storing a cookie (store cookie + attributes) - sending a cookie + validate the cookie domain against the request URL + validate the cookie path against the request URL + validate the cookie expiration + if valid then send only the cookie, no attribtues * Modifies how a request URL is stored during a XMLRPC request/response sequence. * Refactors a bit of the request/response logic to allow for making the decision whether to send a session cookie instead of full Kerberous auth easier. * The server now includes expiration information in the session cookie it sends to the client. The server always had the information available to prevent using an expired session cookie. Now that expiration timestamp is returned to the client as well and now the client will not send an expired session cookie back to the server. * Adds a new module and unit test for cookies (see below) Formerly we were always returning the session cookie no matter what the domain or path was in the URL. We were also sending the cookie attributes which are for the client only (used to determine if to return a cookie). The attributes are not meant to be sent to the server and the previous behavior was a protocol violation. We also were not checking the cookie expiration. Cookie library issues: We need a library to create, parse, manipulate and format cookies both in a client context and a server context. Core Python has two cookie libraries, Cookie.py and cookielib.py. Why did we add a new cookie module instead of using either of these two core Python libaries? Cookie.py is designed for server side generation but can be used to parse cookies on the client. It's the library we were using in the server. However when I tried to use it in the client I discovered it has some serious bugs. There are 7 defined cookie elements, it fails to correctly parse 3 of the 7 elements which makes it unusable because we depend on those elements. Since Cookie.py was designed for server side cookie processing it's not hard to understand how fails to correctly parse a cookie because that's a client side need. (Cookie.py also has an awkward baroque API and is missing some useful functionality we would have to build on top of it). cookielib.py is designed for client side. It's fully featured and obeys all the RFC's. It would be great to use however it's tightly coupled with another core library, urllib2.py. The http request and response objects must be urllib2 objects. But we don't use urllib2, rather we use httplib because xmlrpclib uses httplib. I don't see a reason why a cookie library should be so tightly coupled to a protocol library, but it is and that means we can't use it (I tried to just pick some isolated entrypoints for our use but I kept hitting interaction/dependency problems). I decided to solve the cookie library problems by writing a minimal cookie library that does what we need and no more than that. It is a new module in ipapython shared by both client and server and comes with a new unit test. The module has plenty of documentation, no need to repeat it here. Request URL issues: We also had problems in rpc.py whereby information from the request which is needed when we process the response is not available. Most important was the requesting URL. It turns out that the way the class and object relationships are structured it's impossible to get this information. Someone else must have run into the same issue because there was a routine called reconstruct_url() which attempted to recreate the request URL from other available information. Unfortunately reconstruct_url() was not callable from inside the response handler. So I decided to store the information in the thread context and when the request is received extract it from the thread context. It's perhaps not an ideal solution but we do similar things elsewhere so at least it's consistent. I removed the reconstruct_url() function because the exact information is now in the context and trying to apply heuristics to recreate the url is probably not robust. Ticket https://fedorahosted.org/freeipa/ticket/3022
* Stop and disable conflicting time&date servicesMartin Kosek2012-12-074-5/+18
| | | | | | | | | | | | | | | | | | | | Fedora 16 introduced chrony as default client time&date synchronization service: http://fedoraproject.org/wiki/Features/ChronyDefaultNTP Thus, there may be people already using chrony as their time and date synchronization service before installing IPA. However, installing IPA server or client on such machine may lead to unexpected behavior, as the IPA installer would configure ntpd and leave the machine with both ntpd and chronyd enabled. However, since the OS does not allow both chronyd and ntpd to be running concurrently and chronyd has the precedence, ntpd would not be run on that system at all. Make sure, that user is warned when trying to install IPA on such system and is given a possibility to either not to let IPA configure ntpd at all or to let the installer stop and disable chronyd. https://fedorahosted.org/freeipa/ticket/2974
* Only update the list of running services in the installer or ipactl.Rob Crittenden2012-12-052-4/+17
| | | | | | | | The file is only present in the case of a server installation. It should only be touched by the server installer and ipactl. https://fedorahosted.org/freeipa/ticket/3277
* Change network configuration fileMartin Kosek2012-12-054-2/+138
| | | | | | | | | | | Fedora+systemd changed deprecated /etc/sysconfig/network which was used by IPA to store static hostname for the IPA machine. See https://bugzilla.redhat.com/show_bug.cgi?id=881785 for details. Change Fedora platform files to store the hostname to /etc/hostname instead. https://fedorahosted.org/freeipa/ticket/3279
* Drop unused readline importLubomir Rintel2012-12-041-1/+1
| | | | | | | | | | | | | | | | | | | The actual readline usage was removed in commit f19218f7 (Remove duplicate and unused utility code, https://fedorahosted.org/freeipa/ticket/2650) and the import remained. Readline should not be initialized if the output is not to terminal (and it does no checks itself, so import in anything that would be useful to redirect should be conditional), since it may garble the output [1]: $ TERM=xterm python -c 'import readline' |hexdump -C 00000000 1b 5b 3f 31 30 33 34 68 |.[?1034h| 00000008 [1] https://bugzilla.redhat.com/show_bug.cgi?id=304181#c1 https://fedorahosted.org/freeipa/ticket/2691 https://fedorahosted.org/freeipa/ticket/3276
* Use correct Dogtag configuration in get_pin and get_ca_certchainPetr Viktorin2012-11-232-4/+8
| | | | | | Some install utilities used Dogtag configuration before Dogtag was configured. Fix by passing the relevant dogtag_constants where they're needed.
* Changes to use a single database for dogtag and IPAAde Lee2012-11-231-1/+11
| | | | | | | | | | | | New servers that are installed with dogtag 10 instances will use a single database instance for dogtag and IPA, albeit with different suffixes. Dogtag will communicate with the instance through a database user with permissions to modify the dogtag suffix only. This user will authenticate using client auth using the subsystem cert for the instance. This patch includes changes to allow the creation of masters and clones with single ds instances.
* Save service name on service startup/shutdownSimo Sorce2012-11-014-0/+50
| | | | | | | | This is done as a default action of the ancestor class so that no matter what platform is currently used this code is always the same and the name is the wellknown service name. This information will be used by ipactl to stop only and all the services that have been started by any ipa tool/install script
* Revert "Save service name on service startup"Simo Sorce2012-11-014-29/+0
| | | | | | | This reverts commit 1ef651e7f9f5f940051dc470385aa08eefcd60af. This was an olde version of the patch, next commit will put in the acked version.
* Save service name on service startupSimo Sorce2012-11-014-0/+29
| | | | | | | | This is done as a default action of the ancestor class so that no matter what platform is currently used this code is always the same and the name is the wellknown service name. This information will be used by ipacl to stop only and all the services that have been started by any ipa tool/install script
* Preserve original service_name in servicesSimo Sorce2012-11-012-15/+16
| | | | | | | | | This is needed to be able to reference stuff always wth the same name. The platform specific private name must be kept in a platform specific variable. In the case of systemd we store it in systemd_name For the redhat platform wellknown names and service name are the same so currently no special name is needed.