[Freeipa-devel] [freeipa PR#5590][closed] [Backport][ipa-4-9] ipa-cert-fix: improve handling of 'pki-server cert-fix' failure
URL: https://github.com/freeipa/freeipa/pull/5590 Author: frasertweedale Title: #5590: [Backport][ipa-4-9] ipa-cert-fix: improve handling of 'pki-server cert-fix' failure Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5590/head:pr5590 git checkout pr5590 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Freeipa-devel] [freeipa PR#5590][opened] [Backport][ipa-4-9] ipa-cert-fix: improve handling of 'pki-server cert-fix' failure
URL: https://github.com/freeipa/freeipa/pull/5590 Author: frasertweedale Title: #5590: [Backport][ipa-4-9] ipa-cert-fix: improve handling of 'pki-server cert-fix' failure Action: opened PR body: """ This PR was opened automatically because PR #5579 was pushed to master and backport to ipa-4-9 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5590/head:pr5590 git checkout pr5590 From 0254db36591a3491a8e8e95136e5282a9fc21956 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 19 Feb 2021 20:36:03 +1100 Subject: [PATCH] ipa-cert-fix: improve handling of 'pki-server cert-fix' failure 'pki-server cert-fix' has a known and expected failure when the DS certificate is expired. 'ipa-cert-fix' handles this by optimistically ignoring the CalledProcessError and continuing when the DS certificate was up for renewal. This heuristic is a bit too optimistic. If 'pki-server cert-fix' fails due and returns nonzero due to some other, more serious error (as has been seen in the wild[1]), 'ipa-cert-fix' continues then fails later with a more confusing error, for example: [Errno 2] No such file or directory: '/etc/pki/pki-tomcat/certs/27-renewed.crt' [1] https://bugzilla.redhat.com/show_bug.cgi?id=1930586 Improve the heuristic by also checking whether output files corresponding ot all of the "extra" certificate that we asked 'ipa-cert-fix' to renew, do indeed exist and are X.509 certificates. Fixes: https://pagure.io/freeipa/issue/8721 --- ipaserver/install/ipa_cert_fix.py | 44 ++- 1 file changed, 37 insertions(+), 7 deletions(-) diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py index 210cf80f160..36de2ac3447 100644 --- a/ipaserver/install/ipa_cert_fix.py +++ b/ipaserver/install/ipa_cert_fix.py @@ -57,6 +57,8 @@ """ +RENEWED_CERT_PATH_TEMPLATE = "/etc/pki/pki-tomcat/certs/{}-renewed.crt" + logger = logging.getLogger(__name__) 
@@ -145,11 +147,18 @@ def run(self): x[0] is IPACertType.LDAPS for x in extra_certs + non_renewed ): -# The DS cert was expired. This will cause -# 'pki-server cert-fix' to fail at the final -# restart. Therefore ignore the CalledProcessError -# and proceed to installing the IPA-specific certs. -pass +# The DS cert was expired. This will cause 'pki-server +# cert-fix' to fail at the final restart, and return nonzero. +# So this exception *might* be OK to ignore. +# +# If 'pki-server cert-fix' has written new certificates +# corresponding to all the extra_certs, then ignore the +# CalledProcessError and proceed to installing the IPA-specific +# certs. Otherwise re-raise. +if check_renewed_ipa_certs(extra_certs): +pass +else: +raise else: raise # otherwise re-raise 
@@ -365,11 +374,32 @@ def replicate_dogtag_certs(subject_base, ca_subject_dn, certs): replicate_cert(subject_base, ca_subject_dn, cert) +def check_renewed_ipa_certs(certs): +""" +Check whether all expected IPA-specific certs (extra_certs) were renewed +successfully. + +For now this subroutine just checks that the files that we expect +``pki-server cert-fix`` to have written do exist and contain an X.509 +certificate. + +Return ``True`` if everything seems to be as expected, otherwise ``False``. + +""" +for _certtype, oldcert in certs: +cert_path = RENEWED_CERT_PATH_TEMPLATE.format(oldcert.serial_number) +try: +x509.load_certificate_from_file(cert_path) +except (IOError, ValueError): +return False + +return True + + def install_ipa_certs(subject_base, ca_subject_dn, certs): """Print details and install renewed IPA certificates.""" for certtype, oldcert in certs: -cert_path = "/etc/pki/pki-tomcat/certs/{}-renewed.crt" \ -.format(oldcert.serial_number) +cert_path = RENEWED_CERT_PATH_TEMPLATE.format(oldcert.serial_number) cert = x509.load_certificate_from_file(cert_path) print_cert_info("Renewed IPA", certtype.value, cert) ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
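Review bot: in the run() hunk, the new re-raise path gives the operator no hint why the CalledProcessError is now treated as fatal, although the stated purpose of the change is to replace a confusing error with a clear one; log the reason before `raise` (for example a logger.error saying that 'pki-server cert-fix' returned nonzero and not all renewed certificate files were found). The `if check_renewed_ipa_certs(extra_certs): pass` / `else: raise` pair can also be collapsed to `if not check_renewed_ipa_certs(extra_certs): raise`.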
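Review bot: in the check_renewed_ipa_certs hunk, the function only confirms that the path built from `oldcert.serial_number` loads as X.509, so a `<serial>-renewed.crt` left behind by an earlier, partially completed ipa-cert-fix run would satisfy the check even when this run of 'pki-server cert-fix' wrote nothing. Consider also checking that the loaded certificate differs from `oldcert` (a different serial number is the simplest test), and have the `except (IOError, ValueError)` branch log `cert_path` at debug level before returning False so the operator can see which file is missing or malformed.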
[Freeipa-devel] [freeipa PR#5579][closed] ipa-cert-fix: improve handling of 'pki-server cert-fix' failure
URL: https://github.com/freeipa/freeipa/pull/5579 Author: frasertweedale Title: #5579: ipa-cert-fix: improve handling of 'pki-server cert-fix' failure Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5579/head:pr5579 git checkout pr5579
[Freeipa-devel] [freeipa PR#5579][opened] ipa-cert-fix: improve handling of 'pki-server cert-fix' failure
URL: https://github.com/freeipa/freeipa/pull/5579 Author: frasertweedale Title: #5579: ipa-cert-fix: improve handling of 'pki-server cert-fix' failure Action: opened PR body: """ 'pki-server cert-fix' has a known and expected failure when the DS certificate is expired. 'ipa-cert-fix' handles this by optimistically ignoring the CalledProcessError and continuing when the DS certificate was up for renewal. This heuristic is a bit too optimistic. If 'pki-server cert-fix' fails and returns nonzero due to some other, more serious error (as has been seen in the wild[1]), 'ipa-cert-fix' continues then fails later with a more confusing error, for example: [Errno 2] No such file or directory: '/etc/pki/pki-tomcat/certs/27-renewed.crt' [1] https://bugzilla.redhat.com/show_bug.cgi?id=1930586 Improve the heuristic by also checking whether output files corresponding to all of the "extra" certificates that we asked 'ipa-cert-fix' to renew do indeed exist and are X.509 certificates. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1779984 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5579/head:pr5579 git checkout pr5579 From 0ab49a86e86f8d770b2797944c55657e5f1365f4 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale Date: Fri, 19 Feb 2021 20:36:03 +1100 Subject: [PATCH] ipa-cert-fix: improve handling of 'pki-server cert-fix' failure 'pki-server cert-fix' has a known and expected failure when the DS certificate is expired. 'ipa-cert-fix' handles this by optimistically ignore the CalledProcessError and continuing when the DS certificate was up for renewal. This heuristic is a bit too optimistic. If 'pki-server cert-fix' fails due and returns nonzero due to some other, more serious error (as has been seen in the wild[1]), 'ipa-cert-fix' continues then fails later with a more confusing error, for example: [Errno 2] No such file or directory: '/etc/pki/pki-tomcat/certs/27-renewed.crt' [1] https://bugzilla.redhat.com/show_bug.cgi?id=1930586 Improve the heuristic by also checking whether output files corresponding ot all of the "extra" certificate that we asked 'ipa-cert-fix' to renew, do indeed exist and are X.509 certificates. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1779984 --- ipaserver/install/ipa_cert_fix.py | 44 ++- 1 file changed, 37 insertions(+), 7 deletions(-) diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py index 210cf80f160..36de2ac3447 100644 --- a/ipaserver/install/ipa_cert_fix.py +++ b/ipaserver/install/ipa_cert_fix.py @@ -57,6 +57,8 @@ """ +RENEWED_CERT_PATH_TEMPLATE = "/etc/pki/pki-tomcat/certs/{}-renewed.crt" + logger = logging.getLogger(__name__) 
@@ -145,11 +147,18 @@ def run(self): x[0] is IPACertType.LDAPS for x in extra_certs + non_renewed ): -# The DS cert was expired. This will cause -# 'pki-server cert-fix' to fail at the final -# restart. Therefore ignore the CalledProcessError -# and proceed to installing the IPA-specific certs. -pass +# The DS cert was expired. This will cause 'pki-server +# cert-fix' to fail at the final restart, and return nonzero. +# So this exception *might* be OK to ignore. +# +# If 'pki-server cert-fix' has written new certificates +# corresponding to all the extra_certs, then ignore the +# CalledProcessError and proceed to installing the IPA-specific +# certs. Otherwise re-raise. +if check_renewed_ipa_certs(extra_certs): +pass +else: +raise else: raise # otherwise re-raise @@ -365,11 +374,32 @@ def replicate_dogtag_certs(subject_base, ca_subject_dn, certs): replicate_cert(subject_base, ca_subject_dn, cert) +def check_renewed_ipa_certs(certs): +""" +Check whether all expected IPA-specific certs (extra_certs) were renewed +successfully. + +For now this subroutine just checks that the files that we expect +``pki-server cert-fix`` to have written do exist and contain an X.509 +certificate. + +Return ``True`` if everything seems to be as expected, otherwise ``False``. + +""" +for _certtype, oldcert in certs: +cert_path = RENEWED_CERT_PATH_TEMPLATE.format(oldcert.serial_number) +try: +x509.load_certificate_from_file(cert_path) +except (IOError, ValueError): +return False + +return True + + def install_ipa_certs(subject_base, ca_subject_dn, certs): """Print details and install renewed IPA certificates.""" for certtype, oldcert in certs: -cert_path = "/etc/pki/pki-tomcat/certs/{}-renewed.crt" \ -.forma
[Freeipa-devel] [freeipa PR#5249][opened] mailmap: add ftweedal
URL: https://github.com/freeipa/freeipa/pull/5249 Author: frasertweedale Title: #5249: mailmap: add ftweedal Action: opened PR body: """ I noticed from draft release notes that some commits with a different email address slipped in. Add myself to mailmap so that I do not have doppelganger. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5249/head:pr5249 git checkout pr5249 From 5b72eb0f9b0d5ed43b3b3c98c78c5c157090c2e6 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 11 Nov 2020 21:59:22 +1100 Subject: [PATCH] mailmap: add ftweedal I noticed from draft release notes that some commits with a different email address slipped in. Add myself to mailmap so that I do not have doppelganger. --- .mailmap | 1 + 1 file changed, 1 insertion(+) diff --git a/.mailmap b/.mailmap index 8e61b3fbcca..f1eafbdc79b 100644 --- a/.mailmap +++ b/.mailmap @@ -10,6 +10,7 @@ Felipe Volpone Felipe Volpone Felipe Volpone François Cami François Cami +Fraser Tweedale Gabe Alford Ganna Kaihorodova Jan Zelený ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#5239][opened] dns: allow PTR records in arbitrary zones
URL: https://github.com/freeipa/freeipa/pull/5239 Author: frasertweedale Title: #5239: dns: allow PTR records in arbitrary zones Action: opened PR body: """ PTR records in zones other than in-addr.arpa and in6.arpa are legal, e.g. DNS-SD [RFC6763] uses such records. If in a reverse zone proceed with the existing checks, otherwise just accept the record. Fixes: https://pagure.io/freeipa/issue/5566 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5239/head:pr5239 git checkout pr5239 From 9b71e8e80fee861551fdac20c36d26dd45e3a9c9 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Mon, 9 Nov 2020 15:22:34 +1100 Subject: [PATCH] dns: allow PTR records in arbitrary zones PTR records in zones other than in-addr.arpa and in6.arpa are legal, e.g. DNS-SD [RFC6763] uses such records. If in a reverse zone proceed with the existing checks, otherwise just accept the record. Fixes: https://pagure.io/freeipa/issue/5566 --- ipaserver/plugins/dns.py | 9 + 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/ipaserver/plugins/dns.py b/ipaserver/plugins/dns.py index 5fd7922549d..7e516ea482c 100644 --- a/ipaserver/plugins/dns.py +++ b/ipaserver/plugins/dns.py 
@@ -3111,10 +3111,11 @@ def _ptrrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, **options): zone_len = REVERSE_DNS_ZONES[valid_zone] if not zone_len: -allowed_zones = ', '.join([unicode(revzone) for revzone in - REVERSE_DNS_ZONES]) -raise errors.ValidationError(name='ptrrecord', -error=unicode(_('Reverse zone for PTR record should be a sub-zone of one the following fully qualified domains: %s') % allowed_zones)) +# PTR records in zones other than in-addr.arpa and in6.arpa are +# legal, e.g. DNS-SD [RFC6763] uses such records. If we have +# such a record there's nothing more to do. Otherwise continue +# with the ip4/ip6 reverse zone checks below. +return addr_len = len(addr.labels) ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
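Review bot: the _ptrrecord_pre_callback hunk turns a hard ValidationError into an early `return`, but the diffstat shows only ipaserver/plugins/dns.py changed; add a test that a PTR record in a forward zone (the DNS-SD case the commit message cites) is now accepted, and that a PTR record in a reverse zone still goes through the checks that follow (`addr_len = len(addr.labels)` onward), so the relaxed validation cannot silently widen further. The removed error text was the only user of that translatable string in this function, so the corresponding i18n catalogue entry may now be stale.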
[Freeipa-devel] [freeipa PR#5107][closed] [Container] Unify access to FQDN
URL: https://github.com/freeipa/freeipa/pull/5107 Author: tiran Title: #5107: [Container] Unify access to FQDN Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5107/head:pr5107 git checkout pr5107
[Freeipa-devel] [freeipa PR#5201][closed] Temporary PR to run nightly CI against changes from PR #5107
URL: https://github.com/freeipa/freeipa/pull/5201 Author: frasertweedale Title: #5201: Temporary PR to run nightly CI against changes from PR #5107 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5201/head:pr5201 git checkout pr5201
[Freeipa-devel] [freeipa PR#5201][opened] rebase and temp commit to run nightly CI on #5107
URL: https://github.com/freeipa/freeipa/pull/5201 Author: frasertweedale Title: #5201: rebase and temp commit to run nightly CI on #5107 Action: opened PR body: """ Objective: increase confidence in the FQDN PR #5107 before merging. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5201/head:pr5201 git checkout pr5201 From 8bbccac442a2842569c2cf8eb37797faaf2f2855 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Fri, 11 Sep 2020 14:49:16 +0200 Subject: [PATCH 1/6] [Container] Unify access to FQDN FreeIPA's Python and C code used different approaches to get the FQDN of the host. Some places assumed that gethostname() returns a FQDN. Other code paths used glibc's resolver to resolve the current node name to a FQDN. Python code now uses the ipalib.constants.FQDN where a fully qualified domain name is expected. The variable is initialized only once and avoids potential DNS lookups. C code uses a new helper function ipa_gethostfqdn() in util package. The function implements similar logic as gethostfqdn() except it uses more modern getaddrinfo(). The result is cached as well. Fixes: https://pagure.io/freeipa/issue/8501 
Signed-off-by: Christian Heimes --- daemons/ipa-otpd/Makefile.am | 2 + daemons/ipa-otpd/main.c | 5 +- daemons/ipa-sam/ipa_sam.c | 11 +- .../ipa-slapi-plugins/ipa-cldap/Makefile.am | 3 + .../ipa-cldap/ipa_cldap_netlogon.c| 7 +- install/tools/ipa-csreplica-manage.in | 7 +- install/tools/ipa-custodia-check.in | 9 -- install/tools/ipa-replica-conncheck.in| 3 +- install/tools/ipa-replica-manage.in | 3 +- ipaclient/discovery.py| 4 +- ipaclient/install/client.py | 6 +- ipalib/constants.py | 12 +- ipapython/config.py | 6 +- ipapython/fqdn.py | 30 + ipaserver/dcerpc.py | 4 +- ipaserver/install/installutils.py | 20 ++-- ipaserver/install/schemaupdate.py | 6 +- ipaserver/install/server/install.py | 6 +- ipaserver/install/service.py | 4 +- ipatests/test_install/test_updates.py | 5 +- util/Makefile.am | 10 +- util/ipa_hostname.c | 111 ++ util/ipa_hostname.h | 19 +++ 23 files changed, 226 insertions(+), 67 deletions(-) create mode 100644 ipapython/fqdn.py create mode 100644 util/ipa_hostname.c create mode 100644 util/ipa_hostname.h diff --git a/daemons/ipa-otpd/Makefile.am b/daemons/ipa-otpd/Makefile.am index 8672693004..975a0c935d 100644 --- a/daemons/ipa-otpd/Makefile.am +++ b/daemons/ipa-otpd/Makefile.am @@ -1,9 +1,11 @@ +AM_CPPFLAGS := -I$(top_srcdir)/util AM_CFLAGS := @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@ @KRB5_CFLAGS@ @NSPR_CFLAGS@ AM_LDFLAGS := @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@ @KRB5_LIBS@ noinst_HEADERS = internal.h appdir = $(libexecdir)/ipa/ app_PROGRAMS = ipa-otpd +ipa_otpd_LDADD = $(top_builddir)/util/libutil.la dist_noinst_DATA = ipa-otpd.socket.in ipa-o...@.service.in test.py systemdsystemunit_DATA = ipa-otpd.socket ipa-otpd@.service diff --git a/daemons/ipa-otpd/main.c b/daemons/ipa-otpd/main.c index aebc039bc0..1538cb8614 100644 --- a/daemons/ipa-otpd/main.c +++ b/daemons/ipa-otpd/main.c @@ -32,6 +32,7 @@ #include #include +#include "ipa_hostname.h" /* Our global state. */ struct otpd_context ctx; 
@@ -212,7 +213,7 @@ static krb5_error_code setup_ldap(const char *uri, krb5_boolean bind, int main(int argc, char **argv) { -char hostname[HOST_NAME_MAX + 1]; +char hostname[IPA_HOST_NAME_LEN]; krb5_error_code retval; krb5_data hndata; verto_ev *sig; @@ -227,7 +228,7 @@ int main(int argc, char **argv) memset(&ctx, 0, sizeof(ctx)); ctx.exitstatus = 1; -if (gethostname(hostname, sizeof(hostname)) < 0) { +if (ipa_gethostfqdn(hostname) < 0) { otpd_log_err(errno, "Unable to get hostname"); goto error; } diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c index 6431417b08..c0d63b9821 100644 --- a/daemons/ipa-sam/ipa_sam.c +++ b/daemons/ipa-sam/ipa_sam.c @@ -36,6 +36,7 @@ char *smb_xstrdup(const char *s); #include #include #include +#include "ipa_hostname.h" #include "ipa_asn1.h" #include "ipa_pwd.h" #include "ipa_mspac.h" @@ -4440,7 +4441,7 @@ static char *sec_key(TALLOC_CTX *mem_ctx, const char *d) static NTSTATUS save_sid_to_secret(struct ipasam_private *ipasam_state) { - char hostname[255]; + char hostname[IPA_HOST_NAME_LEN]; int ret; char *p; TALLOC_CTX *tmp_ctx; @@ -4466,13 +4467,12 @@ static NTSTATUS save_sid_to_secret(struct ipasam_private *ipasam_state) goto done; } - ret = gethostname(hostname, sizeof(hostname));
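Review bot: in the daemons/ipa-otpd/main.c hunk, `ipa_gethostfqdn(hostname)` receives the buffer without its length, whereas the `gethostname(hostname, sizeof(hostname))` it replaces did; the size contract is now implicit in `IPA_HOST_NAME_LEN`, and any caller that declares a different buffer size (the ipa_sam.c hunk shows a former `char hostname[255]`) would overflow silently. Either give ipa_gethostfqdn a size parameter and pass `sizeof(hostname)` at each call site, or document in ipa_hostname.h that the buffer must be exactly IPA_HOST_NAME_LEN bytes and guarantee NUL termination on truncation.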
[Freeipa-devel] [freeipa PR#5117][opened] spec: require pki-acme if pki-ca >= 10.10
URL: https://github.com/freeipa/freeipa/pull/5117 Author: frasertweedale Title: #5117: spec: require pki-acme if pki-ca >= 10.10 Action: opened PR body: """ We can use conditional dependencies (described at [1]) to require the pki-acme package if pki-ca >= 10.10.0 (the version at which the ACME service was separated to a subpackage). [1] https://rpm.org/user_doc/boolean_dependencies.html I have tested this with repos having only pki-10.9.x (and therefore no pki-acme package), and dnf is happy. I have also tested package installation with pki-10.10 packages installed, but /without/ pki-acme installed. pki-acme was seen as a missing dependency and installed alongside the freeipa packages. This change seems to satisfy all the scenarios. Related: https://github.com/dogtagpki/pki/pull/513 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5117/head:pr5117 git checkout pr5117 From 1106dadcacc53a493e2425a298fa703c21c5beb3 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 18 Sep 2020 15:30:50 +1000 Subject: [PATCH] spec: require pki-acme if pki-ca >= 10.10 We can use conditional dependencies (described at [1]) to require the pki-acme package if pki-ca >= 10.10.0 (the version at which the ACME service was separated to a subpackage). [1] https://rpm.org/user_doc/boolean_dependencies.html I have tested this with repos having only pki-10.9.x (and therefore no pki-acme package), and dnf is happy. I have also tested package installation with pki-10.10 packages installed, but /without/ pki-acme installed. pki-acme was seen as a missing dependency and installed alongside the freeipa packages. This change seems to satisfy all the scenarios. Related: https://github.com/dogtagpki/pki/pull/513 --- freeipa.spec.in | 2 ++ 1 file changed, 2 insertions(+) diff --git a/freeipa.spec.in b/freeipa.spec.in index 8609f7ff42..6425a2d866 100755 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
@@ -383,6 +383,8 @@ Requires(post): selinux-policy-base >= %{selinux_policy_version} Requires: slapi-nis >= %{slapi_nis_version} Requires: pki-ca >= %{pki_version} Requires: pki-kra >= %{pki_version} +# pki-acme package was split out in pki-10.10.0 +Requires: (pki-acme >= %{pki_version} if pki-ca >= 10.10.0) Requires(preun): systemd-units Requires(postun): systemd-units Requires: policycoreutils >= 2.1.12-5 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
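Review bot: in the freeipa.spec.in hunk, the split version `10.10.0` is hardcoded inside the rich dependency while the minimum version is expressed through `%{pki_version}`; defining it as a macro next to `%{pki_version}` (a constructed name such as `%global pki_acme_version 10.10.0`) keeps the two thresholds maintained together, and the comment above the line should then reference the macro. Also confirm that every target build host ships an rpm that understands the boolean dependency syntax linked in the commit message, since an older rpm would reject the spec outright.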
[Freeipa-devel] [freeipa PR#5077][opened] install: simplify host name verification
URL: https://github.com/freeipa/freeipa/pull/5077 Author: frasertweedale Title: #5077: install: simplify host name verification Action: opened PR body: """ Perform a small refactor to the installer code that chooses and verifies the hostname. In particular: - choice of hostname is separate from validation - read_host_name no longer performs validation - verify_fqdn is now called from one place - if/else branches are now "balanced" """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5077/head:pr5077 git checkout pr5077 From 7aabe6c8013bb70ea8784593fd5c8e15d73ca0d4 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 3 Sep 2020 10:07:14 +1000 Subject: [PATCH] install: simplify host name verification Perform a small refactor to the installer code that chooses and verifies the hostname. In particular: - choice of hostname is separate from validation - read_host_name no longer performs validation - verify_fqdn is now called from one place - if/else branches are now "balanced" --- ipaserver/install/server/install.py | 18 +++--- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index 381d86114a..50a0a60ddb 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -178,7 +178,11 @@ def write_cache(options): shutil.rmtree(top_dir) -def read_host_name(host_default, no_host_dns=False): +def read_host_name(host_default): +""" +Prompt user to input FQDN. Does not verify it. + +""" print("Enter the fully qualified domain name of the computer") print("on which you're setting up server software. Using the form") print(".") @@ -189,7 +193,6 @@ def read_host_name(host_default, no_host_dns=False): host_default = "master.example.com" host_name = user_input("Server host name", host_default, allow_empty=False) print("") -verify_fqdn(host_name, no_host_dns) return host_name 
@@ -490,12 +493,13 @@ def install_check(installer): else: host_default = get_fqdn() +if installer.interactive and not options.host_name: +host_name = read_host_name(host_default) +else: +host_name = host_default + try: -if not installer.interactive or options.host_name: -verify_fqdn(host_default, options.no_host_dns) -host_name = host_default -else: -host_name = read_host_name(host_default, options.no_host_dns) +verify_fqdn(host_default, options.no_host_dns) except BadHostError as e: raise ScriptError(e) ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
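Review bot: in the install_check hunk, `verify_fqdn(host_default, options.no_host_dns)` validates the default rather than `host_name`, so in the interactive branch the value the user typed at the read_host_name prompt is never verified, and the first hunk removed the verify_fqdn call that read_host_name used to perform; this should be `verify_fqdn(host_name, options.no_host_dns)`. The commit message's goal of calling verify_fqdn from exactly one place is still met with that change.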
[Freeipa-devel] [freeipa PR#5076][opened] delete unused subroutine get_host_name()
URL: https://github.com/freeipa/freeipa/pull/5076 Author: frasertweedale Title: #5076: delete unused subroutine get_host_name() Action: opened PR body: """ Commit a42a711394178a459bde006e6b49ed799a7cce1a, from September 2018, removed the only call site of installutils.get_host_name(). Delete the definition. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5076/head:pr5076 git checkout pr5076 From be5fb28e429f7f3b23be3cc32a0215aff3d5e89d Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 3 Sep 2020 09:49:16 +1000 Subject: [PATCH] delete unused subroutine get_host_name() Commit a42a711394178a459bde006e6b49ed799a7cce1a, from September 2018, removed the only call site of installutils.get_host_name(). Delete the definition. --- ipaserver/install/installutils.py | 12 1 file changed, 12 deletions(-) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index a46acf9f5f..60dd6dcebc 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py 
@@ -457,18 +457,6 @@ def resolve_ip_addresses_nss(fqdn): logger.debug('Name %s resolved to %s', fqdn, ip_addresses) return ip_addresses -def get_host_name(no_host_dns): -""" -Get the current FQDN from the socket and verify that it is valid. - -no_host_dns is a boolean that determines whether we enforce that the -hostname is resolvable. - -Will raise a RuntimeError on error, returns hostname on success -""" -hostname = get_fqdn() -verify_fqdn(hostname, no_host_dns) -return hostname def get_server_ip_address(host_name, unattended, setup_dns, ip_addresses): hostaddr = resolve_ip_addresses_nss(host_name) ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#4861][closed] certupdate: update config when deployment becomes CA-ful
URL: https://github.com/freeipa/freeipa/pull/4861 Author: frasertweedale Title: #4861: certupdate: update config when deployment becomes CA-ful Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4861/head:pr4861 git checkout pr4861
[Freeipa-devel] [freeipa PR#4901][opened] [Backport][ipa-4-8] certupdate: only add LWCA tracking requests on CA servers
URL: https://github.com/freeipa/freeipa/pull/4901 Author: frasertweedale Title: #4901: [Backport][ipa-4-8] certupdate: only add LWCA tracking requests on CA servers Action: opened PR body: """ This PR was opened automatically because PR #4896 was pushed to master and backport to ipa-4-8 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4901/head:pr4901 git checkout pr4901 From 31a35bba197d42cb2790b504889a23455c8aefb6 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 8 Jul 2020 12:43:02 +1000 Subject: [PATCH] certupdate: only add LWCA tracking requests on CA servers ipa-certupdate throws an exception when executed on a non-CA server in a CA-ful deployment with lightweight sub-CAs (LWCAs). Check that we are on a CA server before attempting to create Certmonger tracking requests for LWCAs. HOW TO TEST 1. Install first server (with CA) 2. Install replica without CA 3. Create sub-CA (`ipa ca-add`) 4. Run `ipa-certupdate` on replica. Observe that no stack trace is produced. Fixes: https://pagure.io/freeipa/issue/8399 --- ipaclient/install/ipa_certupdate.py | 21 + 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/ipaclient/install/ipa_certupdate.py b/ipaclient/install/ipa_certupdate.py index 40a9283bd4..f7a92f34f1 100644 --- a/ipaclient/install/ipa_certupdate.py +++ b/ipaclient/install/ipa_certupdate.py 
@@ -107,14 +107,19 @@ def run_with_args(api): server_fstore = sysrestore.FileStore(paths.SYSRESTORE) if server_fstore.has_files(): update_server(certs) -try: -# pylint: disable=import-error,ipa-forbidden-import -from ipaserver.install import cainstance -# pylint: enable=import-error,ipa-forbidden-import -cainstance.add_lightweight_ca_tracking_requests(lwcas) -except Exception: -logger.exception( -"Failed to add lightweight CA tracking requests") + +# pylint: disable=import-error,ipa-forbidden-import +from ipaserver.install import cainstance +# pylint: enable=import-error,ipa-forbidden-import + +# Add LWCA tracking requests. Only execute if *this server* +# has CA installed (ca_enabled indicates CA-ful topology). +if cainstance.CAInstance().is_configured(): +try: +cainstance.add_lightweight_ca_tracking_requests(lwcas) +except Exception: +logger.exception( +"Failed to add lightweight CA tracking requests") update_client(certs) ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
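Review bot: in the run_with_args hunk, the new comment says "ca_enabled indicates CA-ful topology" but the condition actually tested is `cainstance.CAInstance().is_configured()` and no `ca_enabled` appears anywhere in the hunk; reword the comment to describe the real check (this host has a configured CA instance, independent of whether the topology as a whole is CA-ful) so it does not mislead the next reader into thinking a topology-wide flag gates the tracking requests.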
[Freeipa-devel] [freeipa PR#4902][opened] [Backport][ipa-4-6] certupdate: only add LWCA tracking requests on CA servers
URL: https://github.com/freeipa/freeipa/pull/4902 Author: frasertweedale Title: #4902: [Backport][ipa-4-6] certupdate: only add LWCA tracking requests on CA servers Action: opened PR body: """ This PR was opened automatically because PR #4896 was pushed to master and backport to ipa-4-6 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4902/head:pr4902 git checkout pr4902 From a6e3aceeabbcca403581edadc79fc254fb4c Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 8 Jul 2020 12:43:02 +1000 Subject: [PATCH] certupdate: only add LWCA tracking requests on CA servers ipa-certupdate throws an exception when executed on a non-CA server in a CA-ful deployment with lightweight sub-CAs (LWCAs). Check that we are on a CA server before attempting to create Certmonger tracking requests for LWCAs. HOW TO TEST 1. Install first server (with CA) 2. Install replica without CA 3. Create sub-CA (`ipa ca-add`) 4. Run `ipa-certupdate` on replica. Observe that no stack trace is produced. Fixes: https://pagure.io/freeipa/issue/8399 --- ipaclient/install/ipa_certupdate.py | 21 + 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/ipaclient/install/ipa_certupdate.py b/ipaclient/install/ipa_certupdate.py index 1311dc62e8..0e8129c465 100644 --- a/ipaclient/install/ipa_certupdate.py +++ b/ipaclient/install/ipa_certupdate.py 
@@ -110,14 +110,19 @@ def run_with_args(api): server_fstore = sysrestore.FileStore(paths.SYSRESTORE) if server_fstore.has_files(): update_server(certs) -try: -# pylint: disable=import-error,ipa-forbidden-import -from ipaserver.install import cainstance -# pylint: enable=import-error,ipa-forbidden-import -cainstance.add_lightweight_ca_tracking_requests(lwcas) -except Exception: -logger.exception( -"Failed to add lightweight CA tracking requests") + +# pylint: disable=import-error,ipa-forbidden-import +from ipaserver.install import cainstance +# pylint: enable=import-error,ipa-forbidden-import + +# Add LWCA tracking requests. Only execute if *this server* +# has CA installed (ca_enabled indicates CA-ful topology). +if cainstance.CAInstance().is_configured(): +try: +cainstance.add_lightweight_ca_tracking_requests(lwcas) +except Exception: +logger.exception( +"Failed to add lightweight CA tracking requests") update_client(certs)
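Review bot: this ipa-4-6 hunk is identical to the master change apart from the offset (`-110,14` versus `-107,14`), so the same remark applies: the "(ca_enabled indicates CA-ful topology)" comment should name `is_configured()`, which is what is tested. One point specific to the retained `except Exception: logger.exception(...)` block: now that `add_lightweight_ca_tracking_requests(lwcas)` only runs on a host with a configured CA, a failure there is no longer the known non-CA case but a genuine error, so consider whether ipa-certupdate should still continue to `update_client(certs)` and exit successfully after merely logging it.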
[Freeipa-devel] [freeipa PR#4896][closed] certupdate: only add LWCA tracking requests on CA servers
URL: https://github.com/freeipa/freeipa/pull/4896 Author: frasertweedale Title: #4896: certupdate: only add LWCA tracking requests on CA servers Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4896/head:pr4896 git checkout pr4896
[Freeipa-devel] [freeipa PR#4896][opened] certupdate: only add LWCA tracking requests on CA servers
URL: https://github.com/freeipa/freeipa/pull/4896 Author: frasertweedale Title: #4896: certupdate: only add LWCA tracking requests on CA servers Action: opened PR body: """ ipa-certupdate throws an exception when executed on a non-CA server in a CA-ful deployment with lightweight sub-CAs (LWCAs). Check that we are on a CA server before attempting to create Certmonger tracking requests for LWCAs. HOW TO TEST 1. Install first server (with CA) 2. Install replica without CA 3. Create sub-CA (`ipa ca-add`) 4. Run `ipa-certupdate` on replica. Observe that no stack trace is produced. Fixes: https://pagure.io/freeipa/issue/8399 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4896/head:pr4896 git checkout pr4896 From 2dc177ae056ae8366b1935d489bd6263e24b1720 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 8 Jul 2020 12:43:02 +1000 Subject: [PATCH] certupdate: only add LWCA tracking requests on CA servers ipa-certupdate throws an exception when executed on a non-CA server in a CA-ful deployment with lightweight sub-CAs (LWCAs). Check that we are on a CA server before attempting to create Certmonger tracking requests for LWCAs. HOW TO TEST 1. Install first server (with CA) 2. Install replica without CA 3. Create sub-CA (`ipa ca-add`) 4. Run `ipa-certupdate` on replica. Observe that no stack trace is produced. Fixes: https://pagure.io/freeipa/issue/8399 --- ipaclient/install/ipa_certupdate.py | 21 + 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/ipaclient/install/ipa_certupdate.py b/ipaclient/install/ipa_certupdate.py index 40a9283bd4..f7a92f34f1 100644 --- a/ipaclient/install/ipa_certupdate.py +++ b/ipaclient/install/ipa_certupdate.py 
@@ -107,14 +107,19 @@ def run_with_args(api): server_fstore = sysrestore.FileStore(paths.SYSRESTORE) if server_fstore.has_files(): update_server(certs) -try: -# pylint: disable=import-error,ipa-forbidden-import -from ipaserver.install import cainstance -# pylint: enable=import-error,ipa-forbidden-import -cainstance.add_lightweight_ca_tracking_requests(lwcas) -except Exception: -logger.exception( -"Failed to add lightweight CA tracking requests") + +# pylint: disable=import-error,ipa-forbidden-import +from ipaserver.install import cainstance +# pylint: enable=import-error,ipa-forbidden-import + +# Add LWCA tracking requests. Only execute if *this server* +# has CA installed (ca_enabled indicates CA-ful topology). +if cainstance.CAInstance().is_configured(): +try: +cainstance.add_lightweight_ca_tracking_requests(lwcas) +except Exception: +logger.exception( +"Failed to add lightweight CA tracking requests") update_client(certs)
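Review bot: the diffstat lists only ipaclient/install/ipa_certupdate.py, so there is no test for this regression; the HOW TO TEST steps in the commit message (CA-less replica, `ipa ca-add`, then `ipa-certupdate` on the replica) describe exactly the scenario an ipatests integration test could cover, and without one the unguarded call is easy to reintroduce. Separately, the comment "(ca_enabled indicates CA-ful topology)" refers to a name that does not appear in the hunk; the condition is `cainstance.CAInstance().is_configured()`, so the comment should say that this checks for a locally installed CA.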
[Freeipa-devel] [freeipa PR#4893][closed] [Backport][ipa-4-8] cainstance.is_crlgen_enabled: handle missing ipa-pki-proxy.conf
URL: https://github.com/freeipa/freeipa/pull/4893 Author: abbra Title: #4893: [Backport][ipa-4-8] cainstance.is_crlgen_enabled: handle missing ipa-pki-proxy.conf Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4893/head:pr4893 git checkout pr4893
[Freeipa-devel] [freeipa PR#4810][opened] fix iPAddress cert issuance for >1 host/service
URL: https://github.com/freeipa/freeipa/pull/4810 Author: frasertweedale Title: #4810: fix iPAddress cert issuance for >1 host/service Action: opened PR body: """ The 'cert_request' command accumulates DNS names from the CSR, before checking that all IP addresses in the CSR are reachable from those DNS names. Before adding a DNS name to the set, we check that it corresponds to the FQDN of a known host/service principal (including principal aliases). When a DNS name maps to an "alternative" principal (i.e. not the one given via the 'principal' argument), this check was not being performed correctly. Specifically, we were looking for the 'krbprincipalname' field on the RPC response object directly, instead of its 'result' field. To resolve the issue, dereference the RPC response to its 'result' field before invoking the '_dns_name_matches_principal' subroutine. Fixes: https://pagure.io/freeipa/issue/8368 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4810/head:pr4810 git checkout pr4810 From 6d257fb82bfe36983b58ffc0c70eb10f140b7f4c Mon Sep 17 00:00:00 2001 
From: Fraser Tweedale Date: Thu, 11 Jun 2020 22:42:38 +1000 Subject: [PATCH] fix iPAddress cert issuance for >1 host/service The 'cert_request' command accumulates DNS names from the CSR, before checking that all IP addresses in the CSR are reachable from those DNS names. Before adding a DNS name to the set, we check that it corresponds to the FQDN of a known host/service principal (including principal aliases). When a DNS name maps to an "alternative" principal (i.e. not the one given via the 'principal' argument), this check was not being performed correctly. Specifically, we were looking for the 'krbprincipalname' field on the RPC response object directly, instead of its 'result' field. To resolve the issue, dereference the RPC response to its 'result' field before invoking the '_dns_name_matches_principal' subroutine. Fixes: https://pagure.io/freeipa/issue/8368 --- ipaserver/plugins/cert.py | 6 +- .../test_cert_request_ip_address.py | 62 +-- 2 files changed, 61 insertions(+), 7 deletions(-) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index b5008aed2e..60846e34ee 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -827,13 +827,13 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw): try: if principal_type == HOST: alt_principal_obj = api.Command['host_show']( -name, all=True) +name, all=True)['result'] elif principal_type == KRBTGT: alt_principal = kerberos.Principal( (u'host', name), principal.realm) elif principal_type == SERVICE: alt_principal_obj = api.Command['service_show']( -alt_principal, all=True) +alt_principal, all=True)['result'] except errors.NotFound: # We don't want to issue any certificates referencing # machines we don't know about. Nothing is stored in this 
@@ -866,7 +866,7 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw): pass # Now check write access and caacl -altdn = alt_principal_obj['result']['dn'] +altdn = alt_principal_obj['dn'] if not ldap.can_write(altdn, "usercertificate"): raise errors.ACIError(info=_( "Insufficient privilege to create a certificate " diff --git a/ipatests/test_xmlrpc/test_cert_request_ip_address.py b/ipatests/test_xmlrpc/test_cert_request_ip_address.py index bf4de05bf0..ff3def302a 100644 --- a/ipatests/test_xmlrpc/test_cert_request_ip_address.py +++ b/ipatests/test_xmlrpc/test_cert_request_ip_address.py @@ -28,10 +28,16 @@ from ipatests.test_xmlrpc.tracker.user_plugin import UserTracker from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test -host_fqdn = f'iptest.{api.env.domain}' +host_shortname = 'iptest' +host_fqdn = f'{host_shortname}.{api.env.domain}' host_princ = f'host/{host_fqdn}' host_ptr = f'{host_fqdn}.' +host2_shortname = 'iptest2' +host2_fqdn = f'{host2_shortname}.{api.env.domain}' +host2_princ = f'host/{host2_fqdn}' +host2_ptr = f'{host2_fqdn}.' + other_fqdn = f'other.{api.env.domain}' other_ptr = f'{other_fqdn}.' @@ -39,6 +45,10 @@ ipv4_revzone_s = '0.254.169.in-addr.arpa.' ipv4_revrec_s = '42' +host2_ipv4_address = '169.254.0.43' +host2_ipv4_revzone_s = '0.254.169.in-addr.arpa.' +host2_ipv4_revrec_s = '43' + ipv6_address = 'fe80::8f18:bdab:4299:95fa' ipv6_revzone_s = '0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa.' ipv6_revrec_s = 'a.f.5.9.9.9.2.
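Review bot: in the first cert.py hunk the HOST and SERVICE branches now bind `alt_principal_obj` to the dereferenced `['result']`, and the second hunk's `altdn = alt_principal_obj['dn']` is adjusted to match, which is consistent; the KRBTGT branch between them, however, only assigns `alt_principal`, so confirm that the `altdn` line is not reachable on that path (the lines between the two hunks are not shown). A short comment at the assignment saying that `alt_principal_obj` is the entry dict rather than the RPC envelope would stop the `['result']` confusion from recurring, since the check silently passed nothing through rather than failing loudly.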
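Review bot: the test_cert_request_ip_address.py hunk adds a second host (`host2_*`, 169.254.0.43 in the same `0.254.169.in-addr.arpa.` reverse zone), which is the right fixture for a regression test of the alias case, but the excerpt is truncated after the IPv6 constants, so the test body that actually requests a certificate spanning both hosts cannot be reviewed here; naming the test function in the commit message would help reviewers find it.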
[Freeipa-devel] [freeipa PR#4193][closed] [ACME] Add ipa-ca.$DOMAIN alias to IPA server HTTP certificates
URL: https://github.com/freeipa/freeipa/pull/4193 Author: frasertweedale Title: #4193: [ACME] Add ipa-ca.$DOMAIN alias to IPA server HTTP certificates Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4193/head:pr4193 git checkout pr4193
[Freeipa-devel] [freeipa PR#4382][closed] [WIP] fix for ExternalCA failing tests
URL: https://github.com/freeipa/freeipa/pull/4382 Author: frasertweedale Title: #4382: [WIP] fix for ExternalCA failing tests Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4382/head:pr4382 git checkout pr4382
[Freeipa-devel] [freeipa PR#4382][opened] [WIP] fix for ExternalCA failing tests
URL: https://github.com/freeipa/freeipa/pull/4382 Author: frasertweedale Title: #4382: [WIP] fix for ExternalCA failing tests Action: opened PR body: """ None """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4382/head:pr4382 git checkout pr4382 From 2048138f93bcd941e7c1f504c1dff4357237d139 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 18 Mar 2020 20:58:21 +1100 Subject: [PATCH 1/2] ipatests: generate 3072-bit key for external CA tests Tests are failing due to small external CA key size. Use a 3072-bit signing key for external CA tests. Related: https://pagure.io/dogtagpki/issue/3162 --- ipatests/create_external_ca.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipatests/create_external_ca.py b/ipatests/create_external_ca.py index 7d14fdcf23..43360f6758 100644 --- a/ipatests/create_external_ca.py +++ b/ipatests/create_external_ca.py @@ -40,7 +40,7 @@ def __init__(self, days=365, key_size=None): self.ca_key = None self.ca_public_key = None self.issuer = None -self.key_size = key_size or 2048 +self.key_size = key_size or 3072 def create_ca_key(self): """Create private and public key for CA From fa4402a81174adecadeacb7b4046cc5669de8d77 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 18 Mar 2020 21:06:01 +1100 Subject: [PATCH 2/2] temp commit --- .freeipa-pr-ci.yaml| 2 +- ipatests/prci_definitions/temp_commit.yaml | 49 ++ 2 files changed, 24 insertions(+), 27 deletions(-) diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml index abcf8c5b63..8065669008 12 --- a/.freeipa-pr-ci.yaml +++ b/.freeipa-pr-ci.yaml @@ -1 +1 @@ -ipatests/prci_definitions/gating.yaml \ No newline at end of file +ipatests/prci_definitions/temp_commit.yaml \ No newline at end of file diff --git a/ipatests/prci_definitions/temp_commit.yaml b/ipatests/prci_definitions/temp_commit.yaml index 6bb37ca6dc..430b9b38f3 100644 --- a/ipatests/prci_definitions/temp_commit.yaml 
+++ b/ipatests/prci_definitions/temp_commit.yaml @@ -3,16 +3,11 @@ # # $ ln -sf ipatests/prci_definitions/temp_commit.yaml .freeipa-pr-ci.yaml # - topologies: build: &build name: build cpu: 2 memory: 3800 - master_3client: &master_3client -name: master_3client -cpu: 5 -memory: 10150 master_1repl: &master_1repl name: master_1repl cpu: 4 @@ -33,21 +28,9 @@ topologies: name: master_3repl_1client cpu: 6 memory: 12900 - ad_master_2client: &ad_master_2client -name: ad_master_2client -cpu: 4 -memory: 12000 - ad_master: &ad_master -name: ad_master -cpu: 4 -memory: 12000 - adroot_adchild_adtree_master_1client: &adroot_adchild_adtree_master_1client -name: adroot_adchild_adtree_master_1client -cpu: 8 -memory: 14500 jobs: - fedora-latest/build: + pki-fedora/build: requires: [] priority: 100 job: 
@@ -55,20 +38,34 @@ jobs: args: git_repo: '{git_repo}' git_refspec: '{git_refspec}' -template: &ci-master-latest - name: freeipa/ci-master-f31 - version: 0.0.4 +template: &pki-master-latest + name: freeipa/pki-master-f31 + version: 0.0.2 timeout: 1800 topology: *build - fedora-latest/temp_commit: -requires: [fedora-latest/build] + pki-fedora/simple_replication: +requires: [pki-fedora/build] priority: 50 job: class: RunPytest args: -build_url: '{fedora-latest/build_url}' -test_suite: test_integration/test_REPLACEME.py -template: *ci-master-latest +build_url: '{pki-fedora/build_url}' +update_packages: True +test_suite: test_integration/test_simple_replication.py +template: *pki-master-latest timeout: 3600 +topology: *master_1repl + + pki-fedora/test_external_ca_TestExternalCA: +requires: [pki-fedora/build] +priority: 50 +job: + class: RunPytest + args: +build_url: '{pki-fedora/build_url}' +update_packages: True +test_suite: test_integration/test_external_ca.py::TestExternalCA +template: *pki-master-latest +timeout: 4800 topology: *master_1repl_1client
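Review bot: the `self.key_size = key_size or 3072` change in ipatests/create_external_ca.py raises the default for every caller of the external CA helper, not only the tests that were failing; that is acceptable, but the commit message's "Tests are failing due to small external CA key size" does not say which component rejects 2048-bit keys (the Related link is a dogtagpki issue), so put that reason in a comment on the line, otherwise the next person tidying defaults may lower it again.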
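Review bot: the second commit, titled "temp commit", repoints the `.freeipa-pr-ci.yaml` symlink from gating.yaml to ipatests/prci_definitions/temp_commit.yaml and deletes the `master_3client` and AD topologies from that file; it must be dropped before merge, which the [WIP] marker suggests is the plan. The temp_commit.yaml hunk also pairs the `freeipa/pki-master-f31` template with `update_packages: True`, so both jobs run against PKI master packages rather than the gating template; say so in the PR description so the CI results are read as a PKI-master check and not as a gating pass.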
[Freeipa-devel] [freeipa PR#3509][closed] [Backport][ipa-4-6] Profile-based system cert renewal
URL: https://github.com/freeipa/freeipa/pull/3509 Author: frasertweedale Title: #3509: [Backport][ipa-4-6] Profile-based system cert renewal Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3509/head:pr3509 git checkout pr3509
[Freeipa-devel] [freeipa PR#3508][closed] [Backport][ipa-4-7] Profile-based system cert renewal
URL: https://github.com/freeipa/freeipa/pull/3508 Author: frasertweedale Title: #3508: [Backport][ipa-4-7] Profile-based system cert renewal Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3508/head:pr3508 git checkout pr3508
[Freeipa-devel] [freeipa PR#4190][closed] Removed hard-coded default profile subsystem class name
URL: https://github.com/freeipa/freeipa/pull/4190 Author: edewata Title: #4190: Removed hard-coded default profile subsystem class name Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4190/head:pr4190 git checkout pr4190
[Freeipa-devel] [freeipa PR#4193][opened] [ACME] Add ipa-ca.$DOMAIN alias to IPA server HTTP certificates
URL: https://github.com/freeipa/freeipa/pull/4193 Author: frasertweedale Title: #4193: [ACME] Add ipa-ca.$DOMAIN alias to IPA server HTTP certificates Action: opened PR body: """ First PR for the ACME effort. This is needed so ACME clients can reach IPA ACME service via the ``ipa-ca.$DOMAIN`` DNS name (ACME requires TLS). This change is also reasonable, independent of the ACME effort. https://pagure.io/freeipa/issue/8186 ``` 83a5a3aa6 (Fraser Tweedale, 11 hours ago) upgrade: add ipa-ca.$DOMAIN alias to HTTP certificate If the HTTP certificate does not have the ipa-ca.$DOMAIN dNSName, resubmit the certificate request to add the name. This action is performed after the tracking request has already been updated. Note: due to https://pagure.io/certmonger/issue/143 the resubmitted request, if it does not immediately succeed and if the notAfter date of the current certificate is still far off, the request could get stuck in state CA_UNREACHABLE until a Certmonger restart. There is not much we can do about that in the middle of ipa-server-upgrade. Part of: https://pagure.io/freeipa/issue/8186 efe071539 (Fraser Tweedale, 12 hours ago) httpinstance: add ipa-ca.$DOMAIN alias in initial request For new server/replica installation, issue the HTTP server certificate with the 'ipa-ca.$DOMAIN' SAN dNSName. This is accomplished by adding the name to the Certmonger tracking request. Part of: https://pagure.io/freeipa/issue/8186 feea49420 (Fraser Tweedale, 3 days ago) cert-request: allow ipa-ca.$DOMAIN dNSName for IPA servers ACME support requires TLS and we want ACME clients to access the service via the ipa-ca.$DOMAIN DNS name. So we need to add the ipa-ca.$DOMAIN dNSName to IPA servers' HTTP certificates. To facilitate this, add a special case to the cert-request command processing. The rule is: - if the dnsName being validated is "ipa-ca.$DOMAIN" - and the subject principal is an "HTTP/..." service - and the subject principal's hostname is an IPA server Then that name (i.e. 
"ipa-ca.$DOMAIN") is immediately allowed. Otherwise continue with the usual dnsName validation. Part of: https://pagure.io/freeipa/issue/8186 62129a44a (Fraser Tweedale, 3 days ago) httpinstance: add fqdn and ipa-ca alias to Certmonger request When (re-)tracking the HTTP certificate, explicitly add the server FQDN and ipa-ca.$DOMAIN DNS names to the Certmonger tracking request. Part of: https://pagure.io/freeipa/issue/8186 fe3489cf4 (Fraser Tweedale, 4 days ago) certmonger: support dnsname as request search criterion We need to be able to filter Certmonger tracking requests by the DNS names defined for the request. The goal is to add the 'ipa-ca.$DOMAIN' alias to the HTTP certificate tracking requests, so we will use that name as a search criterion. Implement support for this. As a result of this commit it will be easy to add support for subset match of other Certmonger request list properties. Just add the property name to the ARRAY_PROPERTIES list (and update the 'criteria' description in the module docstring!) Part of: https://pagure.io/freeipa/issue/8186 ea6d31bdf (Fraser Tweedale, 4 days ago) certmonger: move 'criteria' description to module docstring The 'criteria' parameter is used by several subroutines in the ipalib.install.certmonger module. It has incomplete documentation spread across several of these subroutines. Move the documentation to the module docstring and reference it where appropriate. Part of: https://pagure.io/freeipa/issue/8186 aa7b88ad6 (Fraser Tweedale, 4 days ago) certmonger: avoid mutable default argument certmonger._get_requests has a mutable default argument. Although at the present time it is never modified, this is an antipattern to be avoided. Part of: https://pagure.io/freeipa/issue/8186 ``` """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4193/head:pr4193 git checkout pr4193 From aa7b88ad6b71901a871a74cdb5ab4aa3382e6b18 Mon Sep 17 00:00:00 2001 
From: Fraser Tweedale Date: Thu, 30 Jan 2020 21:01:10 +1100 Subject: [PATCH 1/7] certmonger: avoid mutable default argument certmonger._get_requests has a mutable default argument. Although at the present time it is never modified, this is an antipattern to be avoided. Part of: https://pagure.io/freeipa/issue/8186 --- ipalib/install/certmonger.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ipalib/install/certmonger.py b/ipalib/install/certmonger.py index 33eaa919aa..e6ac17dd66 100644 --- a/ipalib/install/certmonger.py +++ b/ipalib/install/certmonger.py @@ -156,10 +156,11 @@ def __init__(self): DBUS_CM_IF) -def _get_requests(criteria=dict()): +def _get_requests(criteria=None): """ Get all requests that matches the provided cr
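Review bot: changing `_get_requests(criteria=dict())` to `criteria=None` removes the shared mutable default, but the hunk is cut off before the function body, so the `if criteria is None: criteria = {}` normalisation that the body needs before iterating or indexing `criteria` is not visible; please confirm it is part of this commit, because with `None` and no normalisation the first call that omits the argument would raise where the old code returned every request.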
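Two of the PRs above concern the same step of cert-request processing, the validation of each dNSName in a CSR against the subject principal: PR #4810 (the check read the RPC envelope instead of its 'result' field, so alias matching silently failed) and the cert-request rule in PR #4193 (allow ipa-ca.$DOMAIN only for an HTTP/ service principal on an IPA server). The following is an added, constructed illustration of both, not FreeIPA's own code; DOMAIN, REALM, IPA_SERVERS, RPC_RESPONSES and validate_dns_name are hypothetical names and the response layout is a simplified stand-in for host_show output.

```python
# Constructed illustration (not FreeIPA code) of dNSName validation in a
# cert-request flow: the 'result' dereference from PR #4810 and the
# ipa-ca.$DOMAIN special case from PR #4193.  All names are hypothetical.

DOMAIN = "ipa.example.test"       # constructed sample domain
REALM = DOMAIN.upper()
IPA_SERVERS = {f"ipa1.{DOMAIN}"}  # constructed: hosts that run the IPA server


def _host_show_response(fqdn, aliases=()):
    """Build a constructed host_show-style RPC response.  As in the IPA RPC
    layer, the entry attributes live under 'result', beside 'summary' and
    'value'; they are not top-level keys of the response."""
    principals = [f"host/{h}@{REALM}" for h in (fqdn, *aliases)]
    return {
        "summary": None,
        "value": fqdn,
        "result": {
            "fqdn": [fqdn],
            "krbprincipalname": principals,
            "dn": f"fqdn={fqdn},cn=computers,cn=accounts",
        },
    }


# Constructed stand-in for api.Command['host_show'](name, all=True) results
RPC_RESPONSES = {
    f"web1.{DOMAIN}": _host_show_response(f"web1.{DOMAIN}",
                                          aliases=(f"www.{DOMAIN}",)),
    f"ipa1.{DOMAIN}": _host_show_response(f"ipa1.{DOMAIN}"),
}


def _hostnames(principals):
    """Hostname part of each host/ or service principal, lower-cased."""
    names = set()
    for principal in principals:
        local = principal.split("@", 1)[0]
        if "/" in local:
            names.add(local.split("/", 1)[1].lower())
    return names


def dns_name_matches_principal(dns_name, entry):
    """True if dns_name is the entry's FQDN or one of its principal aliases.

    `entry` must be the 'result' dict.  Handed the whole response instead,
    neither 'krbprincipalname' nor 'fqdn' exists, so every name quietly
    fails to match: the symptom PR #4810 describes.
    """
    names = _hostnames(entry.get("krbprincipalname", []))
    names.update(f.lower() for f in entry.get("fqdn", []))
    return dns_name.lower() in names


def validate_dns_name(dns_name, subject_principal, deref_result=True):
    """Decide whether a CSR dNSName may be issued to subject_principal.

    1. ipa-ca.$DOMAIN is allowed immediately only when the subject is an
       HTTP/ service principal on an IPA server (the PR #4193 rule); the
       comparison is an exact match, so look-alike names fall through.
    2. Otherwise the name must be the FQDN or an alias of a known host,
       read from the 'result' field of the RPC response.
       deref_result=False reproduces the bug fixed by PR #4810.
    """
    service, _, rest = subject_principal.partition("/")
    host = rest.split("@", 1)[0].lower()
    name = dns_name.lower()
    if name == f"ipa-ca.{DOMAIN}" and service == "HTTP" and host in IPA_SERVERS:
        return True
    for response in RPC_RESPONSES.values():
        entry = response["result"] if deref_result else response
        if dns_name_matches_principal(name, entry):
            return True
    return False  # unknown name: never issue for machines we do not know


if __name__ == "__main__":
    web1 = f"host/web1.{DOMAIN}@{REALM}"
    print("alias, fixed  :", validate_dns_name(f"www.{DOMAIN}", web1))
    print("alias, buggy  :", validate_dns_name(f"www.{DOMAIN}", web1,
                                                deref_result=False))
    print("ipa-ca on IPA :", validate_dns_name(f"ipa-ca.{DOMAIN}",
                                                f"HTTP/ipa1.{DOMAIN}@{REALM}"))
```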
[Freeipa-devel] [freeipa PR#4172][closed] [Backport][ipa-4-6] Do not renew externally-signed CA as self-signed
URL: https://github.com/freeipa/freeipa/pull/4172 Author: frasertweedale Title: #4172: [Backport][ipa-4-6] Do not renew externally-signed CA as self-signed Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4172/head:pr4172 git checkout pr4172
[Freeipa-devel] [freeipa PR#4171][closed] [Backport][ipa-4-7] Do not renew externally-signed CA as self-signed
URL: https://github.com/freeipa/freeipa/pull/4171 Author: frasertweedale Title: #4171: [Backport][ipa-4-7] Do not renew externally-signed CA as self-signed Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4171/head:pr4171 git checkout pr4171
[Freeipa-devel] [freeipa PR#4170][closed] [Backport][ipa-4-8] Do not renew externally-signed CA as self-signed
URL: https://github.com/freeipa/freeipa/pull/4170 Author: frasertweedale Title: #4170: [Backport][ipa-4-8] Do not renew externally-signed CA as self-signed Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4170/head:pr4170 git checkout pr4170
[Freeipa-devel] [freeipa PR#4172][opened] [Backport][ipa-4-6] Do not renew externally-signed CA as self-signed
URL: https://github.com/freeipa/freeipa/pull/4172 Author: frasertweedale Title: #4172: [Backport][ipa-4-6] Do not renew externally-signed CA as self-signed Action: opened PR body: """ (manual backport of https://github.com/freeipa/freeipa/pull/4148) Commit 49cf5ec64b1b7a7437ca285430353473c215540e fixed a bug that prevented migration from externally-signed to self-signed IPA CA. But it introduced a subtle new issue: certmonger-initiated renewal renews an externally-signed IPA CA as a self-signed CA. To resolve this issue, introduce the `--force-self-signed' flag for the dogtag-ipa-ca-renew-agent script. Add another certmonger CA definition that calls this script with the `--force-self-signed' flag. Update dogtag-ipa-ca-renew-agent to only issue a self-signed CA certificate if the existing certificate is self-signed or if `--force-self-signed' was given. Update `ipa-cacert-manage renew' to supply `--force-self-signed' when appropriate. As a result of these changes, certmonger-initiated renewal of an externally-signed IPA CA certificate will not issue a self-signed certificate. Fixes: https://pagure.io/freeipa/issue/8176 Reviewed-By: Florence Blanc-Renaud """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4172/head:pr4172 git checkout pr4172 From d595aa0c15dba8a1422f8eeb93e1474e0eb6f8f2 Mon Sep 17 00:00:00 2001 
From: Fraser Tweedale Date: Wed, 22 Jan 2020 15:38:25 +1100 Subject: [PATCH] Do not renew externally-signed CA as self-signed Commit 49cf5ec64b1b7a7437ca285430353473c215540e fixed a bug that prevented migration from externally-signed to self-signed IPA CA. But it introduced a subtle new issue: certmonger-initiated renewal renews an externally-signed IPA CA as a self-signed CA. To resolve this issue, introduce the `--force-self-signed' flag for the dogtag-ipa-ca-renew-agent script. Add another certmonger CA definition that calls this script with the `--force-self-signed' flag. Update dogtag-ipa-ca-renew-agent to only issue a self-signed CA certificate if the existing certificate is self-signed or if `--force-self-signed' was given. Update `ipa-cacert-manage renew' to supply `--force-self-signed' when appropriate. As a result of these changes, certmonger-initiated renewal of an externally-signed IPA CA certificate will not issue a self-signed certificate. Fixes: https://pagure.io/freeipa/issue/8176 Reviewed-By: Florence Blanc-Renaud --- .../certmonger/dogtag-ipa-ca-renew-agent-submit| 14 -- ipalib/constants.py| 5 + ipaserver/install/cainstance.py| 6 +++--- ipaserver/install/dogtaginstance.py| 12 ipaserver/install/ipa_cacert_manage.py | 6 -- ipaserver/install/krainstance.py | 2 +- ipaserver/install/server/upgrade.py| 4 +++- 7 files changed, 36 insertions(+), 13 deletions(-) diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit index 289c5cadef..2444a8ee5d 100755 --- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit +++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit @@ -402,7 +402,7 @@ def retrieve_cert(**kwargs): return result -def renew_ca_cert(reuse_existing, **kwargs): +def renew_ca_cert(reuse_existing, force_self_signed, **kwargs): """ This is used for automatic CA certificate renewal. """ 
@@ -420,7 +420,8 @@ def renew_ca_cert(reuse_existing, **kwargs): if operation == 'SUBMIT': state = 'retrieve' -if not reuse_existing and is_renewal_master(): +if (is_self_signed or force_self_signed) \ +and not reuse_existing and is_renewal_master(): state = 'request' csr_file = paths.IPA_CA_CSR @@ -473,7 +474,9 @@ def renew_ca_cert(reuse_existing, **kwargs): def main(): kwargs = { 'reuse_existing': False, +'force_self_signed': False, } + try: sys.argv.remove('--reuse-existing') except ValueError: @@ -481,6 +484,13 @@ def main(): else: kwargs['reuse_existing'] = True +try: +sys.argv.remove('--force-self-signed') +except ValueError: +pass +else: +kwargs['force_self_signed'] = True + api.bootstrap(in_server=True, context='renew', confdir=paths.ETC_IPA) api.finalize() diff --git a/ipalib/constants.py b/ipalib/constants.py index 64736b45ef..c894c459e3 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -307,6 +307,11 @@ IPA_CA_NICKNAME = 'caSigningCert cert-pki-ca' RENEWAL_CA_NAME = 'dogtag-ipa-ca-renew-agent' RENEWAL_REUSE_CA_NAME = 'dogtag-ipa-ca-renew-agent-reuse' +RENEWAL_SELFSIGNED_CA_NAME = 'dogtag-ipa-ca-renew-agent-selfsigned' +# The RA agent cert is used for client cert authentication. In the past IPA +# used caServerCert profile, which adds clientAuth and serverAuth E
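Review bot: the new condition `if (is_self_signed or force_self_signed) and not reuse_existing and is_renewal_master():` uses `is_self_signed`, which is neither a parameter nor defined in the visible hunk; the commit message says the decision depends on whether the existing CA certificate is self-signed, so confirm it is computed from the current cert before this point, and that the test is stronger than issuer equals subject (the signature should verify with the certificate's own key, otherwise a cross-signed cert with matching names would be treated as self-signed). The fall-through to `state = 'retrieve'` for an externally signed CA without the flag is the intended safe behaviour and deserves a one-line comment so nobody "fixes" it later.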
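Review bot: the `--force-self-signed` handling in `main()` mirrors the existing `sys.argv.remove('--reuse-existing')` block, so it is consistent with the file, but `list.remove` drops only the first occurrence and never complains about unknown options; a repeated flag leaves a stray `--force-self-signed` in `sys.argv`, and a misspelt one is silently ignored, which for a flag that changes what kind of CA certificate gets issued is worth a follow-up to argparse, even if not in this backport. The constants.py hunk adding `RENEWAL_SELFSIGNED_CA_NAME` is truncated here, so the certmonger CA definition that must use it (dogtaginstance.py in the diffstat) cannot be checked against it.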
[Freeipa-devel] [freeipa PR#4171][opened] [Backport][ipa-4-7] Do not renew externally-signed CA as self-signed
URL: https://github.com/freeipa/freeipa/pull/4171 Author: frasertweedale Title: #4171: [Backport][ipa-4-7] Do not renew externally-signed CA as self-signed Action: opened PR body: """ (manual backport of https://github.com/freeipa/freeipa/pull/4148) Commit 49cf5ec64b1b7a7437ca285430353473c215540e fixed a bug that prevented migration from externally-signed to self-signed IPA CA. But it introduced a subtle new issue: certmonger-initiated renewal renews an externally-signed IPA CA as a self-signed CA. To resolve this issue, introduce the `--force-self-signed' flag for the dogtag-ipa-ca-renew-agent script. Add another certmonger CA definition that calls this script with the `--force-self-signed' flag. Update dogtag-ipa-ca-renew-agent to only issue a self-signed CA certificate if the existing certificate is self-signed or if `--force-self-signed' was given. Update `ipa-cacert-manage renew' to supply `--force-self-signed' when appropriate. As a result of these changes, certmonger-initiated renewal of an externally-signed IPA CA certificate will not issue a self-signed certificate. Fixes: https://pagure.io/freeipa/issue/8176 Reviewed-By: Florence Blanc-Renaud """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4171/head:pr4171 git checkout pr4171 From 25e6b4546d66a5a9db362292498942db8e49ceff Mon Sep 17 00:00:00 2001 
From: Fraser Tweedale Date: Wed, 22 Jan 2020 15:38:25 +1100 Subject: [PATCH] Do not renew externally-signed CA as self-signed Commit 49cf5ec64b1b7a7437ca285430353473c215540e fixed a bug that prevented migration from externally-signed to self-signed IPA CA. But it introduced a subtle new issue: certmonger-initiated renewal renews an externally-signed IPA CA as a self-signed CA. To resolve this issue, introduce the `--force-self-signed' flag for the dogtag-ipa-ca-renew-agent script. Add another certmonger CA definition that calls this script with the `--force-self-signed' flag. Update dogtag-ipa-ca-renew-agent to only issue a self-signed CA certificate if the existing certificate is self-signed or if `--force-self-signed' was given. Update `ipa-cacert-manage renew' to supply `--force-self-signed' when appropriate. As a result of these changes, certmonger-initiated renewal of an externally-signed IPA CA certificate will not issue a self-signed certificate. Fixes: https://pagure.io/freeipa/issue/8176 Reviewed-By: Florence Blanc-Renaud --- .../certmonger/dogtag-ipa-ca-renew-agent-submit.in | 14 -- ipalib/constants.py| 5 + ipaserver/install/cainstance.py| 6 +++--- ipaserver/install/dogtaginstance.py| 12 ipaserver/install/ipa_cacert_manage.py | 6 -- ipaserver/install/krainstance.py | 2 +- ipaserver/install/server/upgrade.py| 4 +++- 7 files changed, 36 insertions(+), 13 deletions(-) diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in b/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in index eafbae7845..42227b08b5 100644 --- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in +++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in @@ -402,7 +402,7 @@ def retrieve_cert(**kwargs): return result -def renew_ca_cert(reuse_existing, **kwargs): +def renew_ca_cert(reuse_existing, force_self_signed, **kwargs): """ This is used for automatic CA certificate renewal. """ 
@@ -420,7 +420,8 @@ def renew_ca_cert(reuse_existing, **kwargs): if operation == 'SUBMIT': state = 'retrieve' -if not reuse_existing and is_renewal_master(): +if (is_self_signed or force_self_signed) \ +and not reuse_existing and is_renewal_master(): state = 'request' csr_file = paths.IPA_CA_CSR @@ -473,7 +474,9 @@ def renew_ca_cert(reuse_existing, **kwargs): def main(): kwargs = { 'reuse_existing': False, +'force_self_signed': False, } + try: sys.argv.remove('--reuse-existing') except ValueError: @@ -481,6 +484,13 @@ def main(): else: kwargs['reuse_existing'] = True +try: +sys.argv.remove('--force-self-signed') +except ValueError: +pass +else: +kwargs['force_self_signed'] = True + api.bootstrap(in_server=True, context='renew', confdir=paths.ETC_IPA) api.finalize() diff --git a/ipalib/constants.py b/ipalib/constants.py index d4577d668f..710f33c1ec 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -306,6 +306,11 @@ IPA_CA_NICKNAME = 'caSigningCert cert-pki-ca' RENEWAL_CA_NAME = 'dogtag-ipa-ca-renew-agent' RENEWAL_REUSE_CA_NAME = 'dogtag-ipa-ca-renew-agent-reuse' +RENEWAL_SELFSIGNED_CA_NAME = 'dogtag-ipa-ca-renew-agent-selfsigned' +# The RA agent cert is used for client cert authentication. In the past IPA +# used caServerCert profile, which adds clientAuth and
[Freeipa-devel] [freeipa PR#4170][opened] [Backport][ipa-4-8] Do not renew externally-signed CA as self-signed
URL: https://github.com/freeipa/freeipa/pull/4170 Author: frasertweedale Title: #4170: [Backport][ipa-4-8] Do not renew externally-signed CA as self-signed Action: opened PR body: """ This PR was opened automatically because PR #4148 was pushed to master and backport to ipa-4-8 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4170/head:pr4170 git checkout pr4170 From cfa712e9478d018159d61dfc502f5685409ce949 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 22 Jan 2020 15:38:25 +1100 Subject: [PATCH] Do not renew externally-signed CA as self-signed Commit 49cf5ec64b1b7a7437ca285430353473c215540e fixed a bug that prevented migration from externally-signed to self-signed IPA CA. But it introduced a subtle new issue: certmonger-initiated renewal renews an externally-signed IPA CA as a self-signed CA. To resolve this issue, introduce the `--force-self-signed' flag for the dogtag-ipa-ca-renew-agent script. Add another certmonger CA definition that calls this script with the `--force-self-signed' flag. Update dogtag-ipa-ca-renew-agent to only issue a self-signed CA certificate if the existing certificate is self-signed or if `--force-self-signed' was given. Update `ipa-cacert-manage renew' to supply `--force-self-signed' when appropriate. As a result of these changes, certmonger-initiated renewal of an externally-signed IPA CA certificate will not issue a self-signed certificate. Fixes: https://pagure.io/freeipa/issue/8176 --- .../certmonger/dogtag-ipa-ca-renew-agent-submit.in | 14 -- ipalib/constants.py| 1 + ipaserver/install/cainstance.py| 4 ++-- ipaserver/install/dogtaginstance.py| 8 ++-- ipaserver/install/ipa_cacert_manage.py | 6 -- ipaserver/install/krainstance.py | 2 +- ipaserver/install/server/upgrade.py| 4 +++- 7 files changed, 29 insertions(+), 10 deletions(-) 
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in b/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in index 95ad080578..95886e5a30 100644 --- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in +++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in @@ -402,7 +402,7 @@ def retrieve_cert(**kwargs): return result -def renew_ca_cert(reuse_existing, **kwargs): +def renew_ca_cert(reuse_existing, force_self_signed, **kwargs): """ This is used for automatic CA certificate renewal. """ @@ -420,7 +420,8 @@ def renew_ca_cert(reuse_existing, **kwargs): if operation == 'SUBMIT': state = 'retrieve' -if not reuse_existing and is_renewal_master(): +if (is_self_signed or force_self_signed) \ +and not reuse_existing and is_renewal_master(): state = 'request' csr_file = paths.IPA_CA_CSR @@ -473,7 +474,9 @@ def renew_ca_cert(reuse_existing, **kwargs): def main(): kwargs = { 'reuse_existing': False, +'force_self_signed': False, } + try: sys.argv.remove('--reuse-existing') except ValueError: @@ -481,6 +484,13 @@ def main(): else: kwargs['reuse_existing'] = True +try: +sys.argv.remove('--force-self-signed') +except ValueError: +pass +else: +kwargs['force_self_signed'] = True + operation = os.environ.get('CERTMONGER_OPERATION') if operation not in ('SUBMIT', 'POLL'): return OPERATION_NOT_SUPPORTED_BY_HELPER diff --git a/ipalib/constants.py b/ipalib/constants.py index 047991198e..e73a5b9dd4 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -310,6 +310,7 @@ IPA_CA_NICKNAME = 'caSigningCert cert-pki-ca' RENEWAL_CA_NAME = 'dogtag-ipa-ca-renew-agent' RENEWAL_REUSE_CA_NAME = 'dogtag-ipa-ca-renew-agent-reuse' +RENEWAL_SELFSIGNED_CA_NAME = 'dogtag-ipa-ca-renew-agent-selfsigned' # The RA agent cert is used for client cert authentication. In the past IPA # used caServerCert profile, which adds clientAuth and serverAuth EKU. The # serverAuth EKU caused trouble with NamedConstraints, see RHBZ#1670239. 
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 252a29f840..fe63229af1 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -424,7 +424,7 @@ def configure_instance(self, host_name, dm_password, admin_password, if self.external != 1: if not has_ra_cert: self.step("configure certmonger for renewals", - self.configure_certmonger_renewal) + self.configure_certmonger_renewal_helpers) if not self.clone: self.step("requesting RA certificate from CA", self.__request_ra_certificate) elif promote: @@ -998,7 +998,7 @@ def uninstall(self): obj = bus.get_object('org.fe
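Review bot: in the `configure_instance` hunk of `cainstance.py` the call target is renamed from `configure_certmonger_renewal` to `configure_certmonger_renewal_helpers`, but the definition is not in this hunk (the diffstat points at `ipaserver/install/dogtaginstance.py`), so every other caller of the old name in `cainstance.py`, `krainstance.py` (diffstat: 2 lines) and `upgrade.py` needs to follow the rename, because a stale call site only surfaces at CA install or upgrade time, not at import time. The second hunk (`uninstall`, starting at `obj = bus.get_object('org.fe`) is cut off in this message and could not be reviewed here.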
[Freeipa-devel] [freeipa PR#4148][closed] Do not renew externally-signed CA as self-signed
URL: https://github.com/freeipa/freeipa/pull/4148 Author: frasertweedale Title: #4148: Do not renew externally-signed CA as self-signed Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4148/head:pr4148 git checkout pr4148 ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#4148][opened] Do not renew externally-signed CA as self-signed
URL: https://github.com/freeipa/freeipa/pull/4148 Author: frasertweedale Title: #4148: Do not renew externally-signed CA as self-signed Action: opened PR body: """ Commit 49cf5ec64b1b7a7437ca285430353473c215540e fixed a bug that prevented migration from externally-signed to self-signed IPA CA. But it introduced a subtle new issue: certmonger-initiated renewal renews an externally-signed IPA CA as a self-signed CA. To resolve this issue, introduce the `--force-self-signed' flag for the dogtag-ipa-ca-renew-agent script. Add another certmonger CA definition that calls this script with the `--force-self-signed' flag. Update dogtag-ipa-ca-renew-agent to only issue a self-signed CA certificate if the existing certificate is self-signed or if `--force-self-signed' was given. Update `ipa-cacert-manage renew' to supply `--force-self-signed' when appropriate. As a result of these changes, certmonger-initiated renewal of an externally-signed IPA CA certificate will not issue a self-signed certificate. Fixes: https://pagure.io/freeipa/issue/8176 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4148/head:pr4148 git checkout pr4148 From 9b51470a3d391693c3bad4b835a6880a3f33e88a Mon Sep 17 00:00:00 2001 
From: Fraser Tweedale Date: Wed, 22 Jan 2020 15:38:25 +1100 Subject: [PATCH] Do not renew externally-signed CA as self-signed Commit 49cf5ec64b1b7a7437ca285430353473c215540e fixed a bug that prevented migration from externally-signed to self-signed IPA CA. But it introduced a subtle new issue: certmonger-initiated renewal renews an externally-signed IPA CA as a self-signed CA. To resolve this issue, introduce the `--force-self-signed' flag for the dogtag-ipa-ca-renew-agent script. Add another certmonger CA definition that calls this script with the `--force-self-signed' flag. Update dogtag-ipa-ca-renew-agent to only issue a self-signed CA certificate if the existing certificate is self-signed or if `--force-self-signed' was given. Update `ipa-cacert-manage renew' to supply `--force-self-signed' when appropriate. As a result of these changes, certmonger-initiated renewal of an externally-signed IPA CA certificate will not issue a self-signed certificate. Fixes: https://pagure.io/freeipa/issue/8176 --- .../certmonger/dogtag-ipa-ca-renew-agent-submit.in | 14 -- ipalib/constants.py| 1 + ipaserver/install/cainstance.py| 4 ++-- ipaserver/install/dogtaginstance.py| 8 ++-- ipaserver/install/ipa_cacert_manage.py | 6 -- ipaserver/install/krainstance.py | 2 +- ipaserver/install/server/upgrade.py| 4 +++- 7 files changed, 29 insertions(+), 10 deletions(-) diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in b/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in index 95ad080578..95886e5a30 100644 --- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in +++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in @@ -402,7 +402,7 @@ def retrieve_cert(**kwargs): return result -def renew_ca_cert(reuse_existing, **kwargs): +def renew_ca_cert(reuse_existing, force_self_signed, **kwargs): """ This is used for automatic CA certificate renewal. """ 
@@ -420,7 +420,8 @@ def renew_ca_cert(reuse_existing, **kwargs): if operation == 'SUBMIT': state = 'retrieve' -if not reuse_existing and is_renewal_master(): +if (is_self_signed or force_self_signed) \ +and not reuse_existing and is_renewal_master(): state = 'request' csr_file = paths.IPA_CA_CSR @@ -473,7 +474,9 @@ def renew_ca_cert(reuse_existing, **kwargs): def main(): kwargs = { 'reuse_existing': False, +'force_self_signed': False, } + try: sys.argv.remove('--reuse-existing') except ValueError: @@ -481,6 +484,13 @@ def main(): else: kwargs['reuse_existing'] = True +try: +sys.argv.remove('--force-self-signed') +except ValueError: +pass +else: +kwargs['force_self_signed'] = True + operation = os.environ.get('CERTMONGER_OPERATION') if operation not in ('SUBMIT', 'POLL'): return OPERATION_NOT_SUPPORTED_BY_HELPER diff --git a/ipalib/constants.py b/ipalib/constants.py index 047991198e..e73a5b9dd4 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -310,6 +310,7 @@ IPA_CA_NICKNAME = 'caSigningCert cert-pki-ca' RENEWAL_CA_NAME = 'dogtag-ipa-ca-renew-agent' RENEWAL_REUSE_CA_NAME = 'dogtag-ipa-ca-renew-agent-reuse' +RENEWAL_SELFSIGNED_CA_NAME = 'dogtag-ipa-ca-renew-agent-selfsigned' # The RA agent cert is used for client cert authentication. In the past IPA # used caServerCert profile, which adds clientAuth and serverAuth EKU. The # serverAuth EKU caused trouble with NamedConstraints, see RHBZ#1670239. diff --git a/ipaserver/
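Review bot: in the `renew_ca_cert` hunk the new condition `if (is_self_signed or force_self_signed) \ and not reuse_existing and is_renewal_master():` relies on `is_self_signed`, but nothing in the hunk binds that name; confirm it is derived from the currently installed CA certificate earlier in `renew_ca_cert` (the shown context starts at `if operation == 'SUBMIT':`), otherwise the helper dies with a NameError on every SUBMIT. A one-line comment above the condition stating the invariant would also help future readers: an externally-signed CA must never reach `state = 'request'` (which issues a fresh self-signed CA and silently replaces the external chain) unless the caller explicitly passed `--force-self-signed`.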
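Review bot: in the `main()` hunk the `--force-self-signed` flag is handled by duplicating the `sys.argv.remove('--reuse-existing')` try/except block; a small helper that pops a flag from `sys.argv` and returns a bool would remove the copy-paste and make a third flag less error-prone. Note also that, because the `except ValueError: pass` branch swallows a missing flag, a mistyped flag in the certmonger CA definition is ignored silently and the helper proceeds with `force_self_signed=False`; rejecting unrecognised `--` arguments would turn that misconfiguration into a visible error rather than a wrong renewal mode.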
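Review bot: in the `ipalib/constants.py` hunk `RENEWAL_SELFSIGNED_CA_NAME = 'dogtag-ipa-ca-renew-agent-selfsigned'` is added next to `RENEWAL_REUSE_CA_NAME` without a comment saying how that certmonger CA differs, namely that its helper is invoked with `--force-self-signed`; a one-line comment would tie the constant to the flag added in `dogtag-ipa-ca-renew-agent-submit.in`. The diffstat lists `ipaserver/install/server/upgrade.py` (+4/-1), so the CA definition is presumably registered on upgrade as well as at install; that hunk is not visible in this message and is the part to check for existing installs, since without it `ipa-cacert-manage renew` on an upgraded server would reference a certmonger CA that does not exist.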
[Freeipa-devel] [freeipa PR#4063][closed] [Backport][ipa-4-8] ipatests: add test for certinstall with notBefore in the future
URL: https://github.com/freeipa/freeipa/pull/4063 Author: flo-renaud Title: #4063: [Backport][ipa-4-8] ipatests: add test for certinstall with notBefore in the future Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4063/head:pr4063 git checkout pr4063
[Freeipa-devel] [freeipa PR#4055][opened] ipatests: add test for certinstall with notBefore in the future
URL: https://github.com/freeipa/freeipa/pull/4055 Author: frasertweedale Title: #4055: ipatests: add test for certinstall with notBefore in the future Action: opened PR body: """ Part of: https://pagure.io/freeipa/issue/8142 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4055/head:pr4055 git checkout pr4055 From 45a763937affd6f588ee6f9be112a6cf7510413b Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 18 Dec 2019 14:57:43 +1100 Subject: [PATCH 1/2] ipatests: add test for certinstall with notBefore in the future Part of: https://pagure.io/freeipa/issue/8142 --- .../pytest_ipa/integration/create_caless_pki.py | 9 + ipatests/test_integration/test_caless.py | 15 +++ 2 files changed, 24 insertions(+) diff --git a/ipatests/pytest_ipa/integration/create_caless_pki.py b/ipatests/pytest_ipa/integration/create_caless_pki.py index 36bb1802f7..ebc236d2b8 100644 --- a/ipatests/pytest_ipa/integration/create_caless_pki.py +++ b/ipatests/pytest_ipa/integration/create_caless_pki.py @@ -409,6 +409,15 @@ def gen_server_certs(nick_base, hostname, org, ca=None): ]), ca, dns_name=hostname, warp=-2 * YEAR ) +gen_cert(profile_server, nick_base + u'-not-yet-valid', + x509.Name([ +x509.NameAttribute(NameOID.ORGANIZATION_NAME, org), +x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, + u'Not Yet Valid'), +x509.NameAttribute(NameOID.COMMON_NAME, hostname) + ]), + ca, dns_name=hostname, warp=1 * DAY + ) gen_cert(profile_server, nick_base + u'-badusage', x509.Name([ x509.NameAttribute(NameOID.ORGANIZATION_NAME, org), diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py index 928f5cf742..650cf2927f 100644 --- a/ipatests/test_integration/test_caless.py +++ b/ipatests/test_integration/test_caless.py 
@@ -1353,6 +1353,21 @@ def test_expired_http(self): def test_expired_ds(self): self._test_expired_service_cert('d') +def _test_not_yet_valid_service_cert(self, w_or_d): +"""Install new not-yet-valid HTTP/DS certificate.""" +result = self.certinstall(w_or_d, 'ca1/server-not-yet-valid') +pattern = re.compile( +r'The server certificate in server\.p12 is not valid: ' +'.*not valid before .* is in the future' +) +assert_error(result, pattern) + +def test_not_yet_valid_http(self): +self._test_not_yet_valid_service_cert('w') + +def test_not_yet_valid_ds(self): +self._test_not_yet_valid_service_cert('d') + def test_http_bad_usage(self): "Install new HTTP certificate with invalid key usage" From 81e432aca0a017710758b613c7cc9c0e2afdfefe Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 17 Dec 2019 15:06:06 +1100 Subject: [PATCH 2/2] temp commit --- .freeipa-pr-ci.yaml| 2 +- ipatests/prci_definitions/temp_commit.yaml | 8 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml index abcf8c5b63..8065669008 12 --- a/.freeipa-pr-ci.yaml +++ b/.freeipa-pr-ci.yaml @@ -1 +1 @@ -ipatests/prci_definitions/gating.yaml \ No newline at end of file +ipatests/prci_definitions/temp_commit.yaml \ No newline at end of file diff --git a/ipatests/prci_definitions/temp_commit.yaml b/ipatests/prci_definitions/temp_commit.yaml index 5afbe014f9..7ecbe99df6 100644 --- a/ipatests/prci_definitions/temp_commit.yaml +++ b/ipatests/prci_definitions/temp_commit.yaml 
@@ -57,14 +57,14 @@ jobs: timeout: 1800 topology: *build - fedora-latest/temp_commit: + fedora-latest/test_caless_TestCertInstall: requires: [fedora-latest/build] priority: 50 job: class: RunPytest args: build_url: '{fedora-latest/build_url}' -test_suite: test_integration/test_REPLACEME.py +test_suite: test_integration/test_caless.py::TestCertInstall template: *ci-master-latest -timeout: 3600 -topology: *master_1repl_1client +timeout: 5400 +topology: *master_1repl
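Review bot: in the `gen_server_certs` hunk of `create_caless_pki.py` the not-yet-valid certificate is generated with `warp=1 * DAY`, whereas its expired sibling in the same function uses `warp=-2 * YEAR`; a one-day margin means that if the CA-less PKI fixtures are generated (or cached) well before `test_not_yet_valid_*` runs, or the test host's clock is ahead of the generating host, the certificate becomes valid and the test fails on an unrelated assertion. Suggest a symmetric margin such as `warp=2 * YEAR` so the notBefore is unambiguously in the future, plus a comment stating that assumption.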
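Review bot: in the `test_caless.py` hunk `_test_not_yet_valid_service_cert` passes a compiled `re.Pattern` to `assert_error`, which only understands regular expressions after the `assert_error` change in PR#4049 (`ipatests/pytest_ipa/integration/tasks.py`), and the `import re` at the top of `test_caless.py` is also introduced there; this PR therefore has to land after, or be rebased onto, that one. Minor: the pattern joins a raw literal `r'The server certificate in server\.p12 is not valid: '` with a non-raw `'.*not valid before .* is in the future'`; harmless today, but making both halves raw avoids a later backslash being read as a string escape instead of a regex escape.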
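Review bot: the `[PATCH 2/2] temp commit` hunks switch `.freeipa-pr-ci.yaml` from `ipatests/prci_definitions/gating.yaml` to `temp_commit.yaml` and narrow that job to `test_integration/test_caless.py::TestCertInstall`; this is a PR-CI-only change and must be dropped before merge, otherwise gating is bypassed for everyone. The raised `timeout: 5400` and the reduced `topology: *master_1repl` are reasonable for a one-off run of this suite but should not survive into the gating definition either.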
[Freeipa-devel] [freeipa PR#4049][opened] Fix nightly CI regressions in CA-less tests
URL: https://github.com/freeipa/freeipa/pull/4049 Author: frasertweedale Title: #4049: Fix nightly CI regressions in CA-less tests Action: opened PR body: """ ``` 118eadef6 (Fraser Tweedale, 19 minutes ago) Fix test regressions caused by certificate validation changes Some integration tests (that were enabled in nightly CI but not PR-CI) are failing due to changes in the error messages. Update the error message assertions to get these tests going again. Part of: https://pagure.io/freeipa/issue/8142 2e863efb5 (Fraser Tweedale, 30 minutes ago) ipatests: assert_error: allow regexp match Enhance the assert_error subroutine to provide regular expression matching against the command's stderr output, in addition to substring match. Part of: https://pagure.io/freeipa/issue/8142 ``` """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4049/head:pr4049 git checkout pr4049 From 2e863efb52aeb2f1acfde05585462a386fc105d3 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 17 Dec 2019 14:48:35 +1100 Subject: [PATCH 1/3] ipatests: assert_error: allow regexp match Enhance the assert_error subroutine to provide regular expression matching against the command's stderr output, in addition to substring match. Part of: https://pagure.io/freeipa/issue/8142 --- ipatests/pytest_ipa/integration/tasks.py | 16 +--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py index 4b9947cc9e..6b7362a150 100644 --- a/ipatests/pytest_ipa/integration/tasks.py +++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -1604,9 +1604,19 @@ def upload_temp_contents(host, contents, encoding='utf-8'): return tmpname -def assert_error(result, stderr_text, returncode=None): -"Assert that `result` command failed and its stderr contains `stderr_text`" -assert stderr_text in result.stderr_text, result.stderr_text +def assert_error(result, pattern, returncode=None): +""" +Assert that `result` command failed and its stderr contains ``pattern``. +``pattern`` may be a ``str`` or a ``re.Pattern`` (regular expression). + +""" +if isinstance(pattern, re.Pattern): +assert pattern.search(result.stderr_text), \ +f"pattern {pattern} not found in stderr {result.stderr_text!r}" +else: +assert stderr_text in result.stderr_text, \ +f"substring {pattern} not found in stderr {result.stderr_text!r}" + if returncode is not None: assert result.returncode == returncode else: From 118eadef6c4779b0a75a7ac6a986eb9497fc03c4 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 17 Dec 2019 14:59:19 +1100 Subject: [PATCH 2/3] Fix test regressions caused by certificate validation changes Some integration tests (that were enabled in nightly CI but not PR-CI) are failing due to changes in the error messages. Update the error message assertions to get these tests going again. Part of: https://pagure.io/freeipa/issue/8142 --- ipatests/test_integration/test_caless.py | 69 +--- 1 file changed, 38 insertions(+), 31 deletions(-) diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py index ab0c886a65..928f5cf742 100644 --- a/ipatests/test_integration/test_caless.py +++ b/ipatests/test_integration/test_caless.py @@ -22,6 +22,7 @@ import functools import logging import os +import re import tempfile import shutil import glob 
@@ -50,7 +51,6 @@ assert_error = tasks.assert_error NSS_INVALID_FMT = "certutil: certificate is invalid: %s" -CERT_EXPIRED_MSG = NSS_INVALID_FMT % "Peer's Certificate has expired." BAD_USAGE_MSG = NSS_INVALID_FMT % ("Certificate key usage inadequate for " "attempted operation.") @@ -576,10 +576,12 @@ def test_expired_http(self): result = self.install_server(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') -assert_error(result, - 'The server certificate in {dir}/http.p12 is not valid: ' - '{err}'.format(dir=self.master.config.test_dir, -err=CERT_EXPIRED_MSG)) + +pattern = re.compile( +r'The server certificate in {dir}/http\.p12 is not valid: ' +'.*has expired'.format(dir=re.escape(self.master.config.test_dir)) +) +assert_error(result, pattern) @server_install_teardown def test_expired_ds(self): @@ -591,10 +593,12 @@ def test_expired_ds(self): result = self.install_server(http_pkcs12='http.p12', dirsrv_pkcs12='dirsrv.p12') -assert_error(result, - 'The server certificate in {dir}/dirsrv.p12 is not ' - 'valid: {err}'.format(dir=self.master.config.test_dir, -
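Review bot: the `assert_error` hunk in `tasks.py` has a NameError in its `else` branch: `assert stderr_text in result.stderr_text, \` still uses the old parameter name after the parameter was renamed to `pattern`, so every substring-style caller (all existing callers) will raise `NameError: name 'stderr_text' is not defined` instead of asserting; it should read `assert pattern in result.stderr_text, \ f"substring {pattern} not found in stderr {result.stderr_text!r}"`. Separately, `isinstance(pattern, re.Pattern)` only works on Python 3.7 and later, where `re.Pattern` became a public name; if this helper is meant to be backported to branches still tested on 3.6, use `isinstance(pattern, type(re.compile('')))` instead.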
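Review bot: in the `test_expired_http` hunk of `test_caless.py` the regex is built by calling `.format(dir=re.escape(...))` on the concatenation of a raw and a non-raw literal; because `.format` runs after the join, `http\.p12` keeps its escape and `re.escape` on `test_dir` is correct, but `{dir}` is now a format placeholder inside a regex, so any future literal brace (for example a quantifier like `{2}`) would have to be doubled. An f-string with `{re.escape(self.master.config.test_dir)}` or `%`-formatting keeps the pattern readable and avoids that trap. Also, `CERT_EXPIRED_MSG` is removed while `BAD_USAGE_MSG` keeps the verbatim NSS string; since the commit says the error messages changed, it is worth checking whether the bad-usage tests were also among the nightly failures before leaving that constant as an exact match.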
[Freeipa-devel] [freeipa PR#3815][closed] Fix errors found by Pylint-2.4.3
URL: https://github.com/freeipa/freeipa/pull/3815 Author: stanislavlevin Title: #3815: Fix errors found by Pylint-2.4.3 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3815/head:pr3815 git checkout pr3815
[Freeipa-devel] [freeipa PR#3806][closed] [Backport][ipa-4-6] krainstance: set correct issuer DN in uid=ipakra entry
URL: https://github.com/freeipa/freeipa/pull/3806 Author: frasertweedale Title: #3806: [Backport][ipa-4-6] krainstance: set correct issuer DN in uid=ipakra entry Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3806/head:pr3806 git checkout pr3806
[Freeipa-devel] [freeipa PR#3805][closed] [Backport][ipa-4-7] krainstance: set correct issuer DN in uid=ipakra entry
URL: https://github.com/freeipa/freeipa/pull/3805 Author: frasertweedale Title: #3805: [Backport][ipa-4-7] krainstance: set correct issuer DN in uid=ipakra entry Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3805/head:pr3805 git checkout pr3805
[Freeipa-devel] [freeipa PR#3804][closed] [Backport][ipa-4-8] krainstance: set correct issuer DN in uid=ipakra entry
URL: https://github.com/freeipa/freeipa/pull/3804 Author: frasertweedale Title: #3804: [Backport][ipa-4-8] krainstance: set correct issuer DN in uid=ipakra entry Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3804/head:pr3804 git checkout pr3804
[Freeipa-devel] [freeipa PR#3806][opened] [Backport][ipa-4-6] krainstance: set correct issuer DN in uid=ipakra entry
URL: https://github.com/freeipa/freeipa/pull/3806 Author: frasertweedale Title: #3806: [Backport][ipa-4-6] krainstance: set correct issuer DN in uid=ipakra entry Action: opened PR body: """ Manual backport of https://github.com/freeipa/freeipa/pull/3764 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3806/head:pr3806 git checkout pr3806 From fd296c359daca9d686ac2f348a33cff7523d97e3 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 4 Oct 2019 13:30:37 +1000 Subject: [PATCH 1/3] krainstance: set correct issuer DN in uid=ipakra entry If IPA CA has custom subject DN (not "CN=Certificate Authority,{subject_base}"), the uid=ipakra people entry gets an incorrect 'description' attribute. The issuer DN in the 'description' attribute is based on the aforementioned pattern, instead of the actual IPA CA subject DN. Update KRAInstance.configure_instance() to require the CA subject DN argument. Update ipaserver.install.kra.install() to pass the CA subject DN. Fixes: https://pagure.io/freeipa/issue/8084 --- ipaserver/install/kra.py | 5 - ipaserver/install/krainstance.py | 9 + 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py index 15149ed557..dba65dd61c 100644 --- a/ipaserver/install/kra.py +++ b/ipaserver/install/kra.py @@ -18,7 +18,7 @@ from ipapython import certdb from ipapython import ipautil from ipapython.install.core import group -from ipaserver.install import cainstance +from ipaserver.install import ca, cainstance from ipaserver.install import krainstance from ipaserver.install import dsinstance from ipaserver.install import service as _service 
@@ -112,9 +112,12 @@ def install(api, replica_config, options, custodia): master_host = replica_config.kra_host_name promote = options.promote +ca_subject = ca.lookup_ca_subject(api, subject_base) + kra = krainstance.KRAInstance(realm_name) kra.configure_instance(realm_name, host_name, dm_password, dm_password, subject_base=subject_base, + ca_subject=ca_subject, pkcs12_info=pkcs12_info, master_host=master_host, promote=promote) diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py index c1daa2869b..355460cf76 100644 --- a/ipaserver/install/krainstance.py +++ b/ipaserver/install/krainstance.py @@ -80,7 +80,7 @@ def __init__(self, realm): def configure_instance(self, realm_name, host_name, dm_password, admin_password, pkcs12_info=None, master_host=None, - subject_base=None, subject=None, + subject_base=None, ca_subject=None, promote=False): """Create a KRA instance. @@ -97,8 +97,9 @@ def configure_instance(self, realm_name, host_name, dm_password, self.subject_base = \ subject_base or installutils.default_subject_base(realm_name) -self.subject = \ -subject or installutils.default_ca_subject_dn(self.subject_base) + +# eagerly convert to DN to ensure validity +self.ca_subject = DN(ca_subject) self.realm = realm_name self.suffix = ipautil.realm_to_suffix(realm_name) @@ -333,7 +334,7 @@ def __create_kra_agent(self): userCertificate=[cert], description=['2;%s;%s;%s' % ( cert.serial_number, -DN(self.subject), +self.ca_subject, DN(('CN', 'IPA RA'), self.subject_base))]) conn.add_entry(entry) From 9c11ada83a8aed29ff904a5a1c98b04fc2c9566c Mon Sep 17 00:00:00 2001 
From: Fraser Tweedale Date: Fri, 11 Oct 2019 15:56:10 +1100 Subject: [PATCH 2/3] upgrade: fix ipakra people entry 'description' attribute Add an upgrade script to detect when ipakra people entry has incorrect 'description' attribute and fix it. Part of: https://pagure.io/freeipa/issue/8084 --- .../updates/90-post_upgrade_plugins.update| 1 + ipaserver/install/krainstance.py | 15 ++-- .../install/plugins/fix_kra_people_entry.py | 76 +++ 3 files changed, 85 insertions(+), 7 deletions(-) create mode 100644 ipaserver/install/plugins/fix_kra_people_entry.py diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update index e3afb3423c..5ebfabc24f 100644 --- a/install/updates/90-post_upgrade_plugins.update +++ b/install/updates/90-post_upgrade_plugins.update @@ -22,6 +22,7 @@ plugin: update_upload_cacrt # update_ra_cert_store has to be executed after update_ca_renewal_master plugin: update_ra_cert_store plugin: update_mapping_Guests_to_nobody +plugin: fix_kra_people_entry # last # DNS version 1 diff --git a/ipaserver/install/krainstance.py b/ipaserver/
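Review bot: in the `configure_instance` hunk of `krainstance.py` the commit message says the CA subject DN is now required, but the signature still declares `ca_subject=None`, and the unconditional `self.ca_subject = DN(ca_subject)` then fails at construction time for any caller that omits it, with an error that says nothing about the missing argument (callers still passing the removed `subject=` keyword get an unexpected-keyword TypeError instead). Either drop the default so the parameter is genuinely required, or raise `ValueError("ca_subject is required")` before the `DN()` conversion; the `kra.py` hunk that adds `ca_subject = ca.lookup_ca_subject(api, subject_base)` covers the in-tree caller, so this only affects other callers and future refactors.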
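Review bot: in the `__create_kra_agent` hunk the `description` value `'2;%s;%s;%s' % (cert.serial_number, self.ca_subject, DN(('CN', 'IPA RA'), self.subject_base))` is the mapping Dogtag uses to authenticate the RA agent by client certificate, so the issuer component must match exactly what Dogtag compares against; confirm that `str(DN(ca_subject))` renders the same attribute order and spacing as the old `DN(self.subject)` did for default installs (so the fix is a no-op there) and add an integration test that installs the KRA with a custom CA subject DN, the case from issue 8084, and then exercises a KRA operation through the agent.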
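Review bot: in the `90-post_upgrade_plugins.update` hunk `plugin: fix_kra_people_entry` is appended after `update_mapping_Guests_to_nobody` with no ordering note, whereas `update_ra_cert_store` just above carries `# update_ra_cert_store has to be executed after update_ca_renewal_master`; since the new plugin rewrites the `uid=ipakra` description from the CA subject and agent certificate, state whether it must run after `update_ca_renewal_master`/`update_ra_cert_store` or is order-independent. The `krainstance.py` and `fix_kra_people_entry.py` hunks of this patch are cut off in this message (`diff --git a/ipaserver/install/krainstance.py b/ipaserver/`), so the plugin body itself could not be reviewed here.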
[Freeipa-devel] [freeipa PR#3805][opened] [Backport][ipa-4-6] krainstance: set correct issuer DN in uid=ipakra entry
URL: https://github.com/freeipa/freeipa/pull/3805 Author: frasertweedale Title: #3805: [Backport][ipa-4-6] krainstance: set correct issuer DN in uid=ipakra entry Action: opened PR body: """ Manual backport of https://github.com/freeipa/freeipa/pull/3764 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3805/head:pr3805 git checkout pr3805 From 38e4bf647f1b64a5991ca494748d7dc9292e0e81 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 4 Oct 2019 13:30:37 +1000 Subject: [PATCH 1/4] krainstance: set correct issuer DN in uid=ipakra entry If IPA CA has custom subject DN (not "CN=Certificate Authority,{subject_base}"), the uid=ipakra people entry gets an incorrect 'description' attribute. The issuer DN in the 'description' attribute is based on the aforementioned pattern, instead of the actual IPA CA subject DN. Update KRAInstance.configure_instance() to require the CA subject DN argument. Update ipaserver.install.kra.install() to pass the CA subject DN. Fixes: https://pagure.io/freeipa/issue/8084 --- ipaserver/install/kra.py | 5 - ipaserver/install/krainstance.py | 9 + 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py index ab1e3f6392..2edcd69eef 100644 --- a/ipaserver/install/kra.py +++ b/ipaserver/install/kra.py @@ -16,7 +16,7 @@ from ipaplatform.paths import paths from ipapython import ipautil from ipapython.install.core import group -from ipaserver.install import cainstance +from ipaserver.install import ca, cainstance from ipaserver.install import krainstance from ipaserver.install import dsinstance from ipaserver.install import service as _service 
@@ -86,9 +86,12 @@ def install(api, replica_config, options, custodia): master_host = replica_config.kra_host_name promote = True +ca_subject = ca.lookup_ca_subject(api, subject_base) + kra = krainstance.KRAInstance(realm_name) kra.configure_instance(realm_name, host_name, dm_password, dm_password, subject_base=subject_base, + ca_subject=ca_subject, pkcs12_info=pkcs12_info, master_host=master_host, promote=promote) diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py index 3b44651819..2f0834e382 100644 --- a/ipaserver/install/krainstance.py +++ b/ipaserver/install/krainstance.py @@ -81,7 +81,7 @@ def __init__(self, realm): def configure_instance(self, realm_name, host_name, dm_password, admin_password, pkcs12_info=None, master_host=None, - subject_base=None, subject=None, + subject_base=None, ca_subject=None, promote=False): """Create a KRA instance. @@ -98,8 +98,9 @@ def configure_instance(self, realm_name, host_name, dm_password, self.subject_base = \ subject_base or installutils.default_subject_base(realm_name) -self.subject = \ -subject or installutils.default_ca_subject_dn(self.subject_base) + +# eagerly convert to DN to ensure validity +self.ca_subject = DN(ca_subject) self.realm = realm_name self.suffix = ipautil.realm_to_suffix(realm_name) @@ -332,7 +333,7 @@ def __create_kra_agent(self): userCertificate=[cert], description=['2;%s;%s;%s' % ( cert.serial_number, -DN(self.subject), +self.ca_subject, DN(('CN', 'IPA RA'), self.subject_base))]) conn.add_entry(entry) From 47060497ac92c424084262821bfdf3e2560c26a7 Mon Sep 17 00:00:00 2001 
From: Fraser Tweedale Date: Fri, 11 Oct 2019 15:56:10 +1100 Subject: [PATCH 2/4] upgrade: fix ipakra people entry 'description' attribute Add an upgrade script to detect when ipakra people entry has incorrect 'description' attribute and fix it. Part of: https://pagure.io/freeipa/issue/8084 --- .../updates/90-post_upgrade_plugins.update| 1 + ipaserver/install/krainstance.py | 15 ++-- .../install/plugins/fix_kra_people_entry.py | 76 +++ 3 files changed, 85 insertions(+), 7 deletions(-) create mode 100644 ipaserver/install/plugins/fix_kra_people_entry.py diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update index e3afb3423c..5ebfabc24f 100644 --- a/install/updates/90-post_upgrade_plugins.update +++ b/install/updates/90-post_upgrade_plugins.update @@ -22,6 +22,7 @@ plugin: update_upload_cacrt # update_ra_cert_store has to be executed after update_ca_renewal_master plugin: update_ra_cert_store plugin: update_mapping_Guests_to_nobody +plugin: fix_kra_people_entry # last # DNS version 1 diff --git a/ipaserver/install/krainstance.py b/ipaserver/instal
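Review bot: the `90-post_upgrade_plugins.update` hunk adds `plugin: fix_kra_people_entry` without an ordering comment, although the file records a constraint for its neighbour (`# update_ra_cert_store has to be executed after update_ca_renewal_master`). If the new plugin needs the KRA/Dogtag to be up, or needs `update_ra_cert_store` to have run first, state that in a comment above the new line; if it has no dependency, a one-line comment saying it may run anywhere before `# last` will keep the next reorder of this file from breaking it.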
[Freeipa-devel] [freeipa PR#3804][opened] [Backport][ipa-4-8] krainstance: set correct issuer DN in uid=ipakra entry
URL: https://github.com/freeipa/freeipa/pull/3804 Author: frasertweedale Title: #3804: [Backport][ipa-4-8] krainstance: set correct issuer DN in uid=ipakra entry Action: opened PR body: """ Manual backport of https://github.com/freeipa/freeipa/pull/3764 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3804/head:pr3804 git checkout pr3804 From 4b934900d86efcc6132f8ce83ed5e2ef82eb12ca Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 4 Oct 2019 13:30:37 +1000 Subject: [PATCH 1/4] krainstance: set correct issuer DN in uid=ipakra entry If IPA CA has custom subject DN (not "CN=Certificate Authority,{subject_base}"), the uid=ipakra people entry gets an incorrect 'description' attribute. The issuer DN in the 'description' attribute is based on the aforementioned pattern, instead of the actual IPA CA subject DN. Update KRAInstance.configure_instance() to require the CA subject DN argument. Update ipaserver.install.kra.install() to pass the CA subject DN. Fixes: https://pagure.io/freeipa/issue/8084 --- ipaserver/install/kra.py | 5 - ipaserver/install/krainstance.py | 9 + 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py index 3cc020896b..746c534dcf 100644 --- a/ipaserver/install/kra.py +++ b/ipaserver/install/kra.py @@ -16,7 +16,7 @@ from ipaplatform.paths import paths from ipapython import ipautil from ipapython.install.core import group -from ipaserver.install import cainstance +from ipaserver.install import ca, cainstance from ipaserver.install import krainstance from ipaserver.install import dsinstance from ipaserver.install import service as _service 
@@ -86,10 +86,13 @@ def install(api, replica_config, options, custodia): master_host = replica_config.kra_host_name promote = True +ca_subject = ca.lookup_ca_subject(api, subject_base) + kra = krainstance.KRAInstance(realm_name) kra.configure_instance( realm_name, host_name, dm_password, dm_password, subject_base=subject_base, +ca_subject=ca_subject, pkcs12_info=pkcs12_info, master_host=master_host, promote=promote, diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py index 4f8849b73e..46c9c63ea8 100644 --- a/ipaserver/install/krainstance.py +++ b/ipaserver/install/krainstance.py @@ -81,7 +81,7 @@ def __init__(self, realm): def configure_instance(self, realm_name, host_name, dm_password, admin_password, pkcs12_info=None, master_host=None, - subject_base=None, subject=None, + subject_base=None, ca_subject=None, promote=False, pki_config_override=None): """Create a KRA instance. @@ -99,8 +99,9 @@ def configure_instance(self, realm_name, host_name, dm_password, self.subject_base = \ subject_base or installutils.default_subject_base(realm_name) -self.subject = \ -subject or installutils.default_ca_subject_dn(self.subject_base) + +# eagerly convert to DN to ensure validity +self.ca_subject = DN(ca_subject) self.realm = realm_name self.suffix = ipautil.realm_to_suffix(realm_name) @@ -258,7 +259,7 @@ def __create_kra_agent(self): userCertificate=[cert], description=['2;%s;%s;%s' % ( cert.serial_number, -DN(self.subject), +self.ca_subject, DN(('CN', 'IPA RA'), self.subject_base))]) conn.add_entry(entry) From 4bf2d72a92e1a6cf1d1c39d08672c58bf0360024 Mon Sep 17 00:00:00 2001 
From: Fraser Tweedale Date: Fri, 11 Oct 2019 15:56:10 +1100 Subject: [PATCH 2/4] upgrade: fix ipakra people entry 'description' attribute Add an upgrade script to detect when ipakra people entry has incorrect 'description' attribute and fix it. Part of: https://pagure.io/freeipa/issue/8084 --- .../updates/90-post_upgrade_plugins.update| 1 + ipaserver/install/krainstance.py | 15 ++-- .../install/plugins/fix_kra_people_entry.py | 76 +++ 3 files changed, 85 insertions(+), 7 deletions(-) create mode 100644 ipaserver/install/plugins/fix_kra_people_entry.py diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update index 8eb197739e..26b8820e8c 100644 --- a/install/updates/90-post_upgrade_plugins.update +++ b/install/updates/90-post_upgrade_plugins.update @@ -23,6 +23,7 @@ plugin: update_upload_cacrt # update_ra_cert_store has to be executed after update_ca_renewal_master plugin: update_ra_cert_store plugin: update_mapping_Guests_to_nobody +plugin: fix_kra_people_entry # last # DNS version 1 diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py index 46c9c63ea8..c23f73ac5d 100644 --- a
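Review bot: the `configure_instance` signature hunk renames a keyword argument on a stable branch (`- subject_base=None, subject=None,` / `+ subject_base=None, ca_subject=None,`). Any out-of-tree caller or test on ipa-4-8 that still passes `subject=` will now fail with `TypeError: unexpected keyword argument`, and a caller that passes neither gets a TypeError from `DN(None)` rather than a message naming the missing argument. Grep the ipa-4-8 tree for callers of `configure_instance()` before merging, and consider accepting `subject` as a deprecated alias for one release.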
[Freeipa-devel] [freeipa PR#3764][opened] krainstance: set correct issuer DN in uid=ipakra entry
URL: https://github.com/freeipa/freeipa/pull/3764 Author: frasertweedale Title: #3764: krainstance: set correct issuer DN in uid=ipakra entry Action: opened PR body: """ If IPA CA has custom subject DN (not "CN=Certificate Authority,{subject_base}"), the uid=ipakra people entry gets an incorrect 'description' attribute. The issuer DN in the 'description' attribute is based on the aforementioned pattern, instead of the actual IPA CA subject DN. Update KRAInstance.configure_instance() to require the CA subject DN argument. Update ipaserver.install.kra.install() to pass the CA subject DN. Fixes: https://pagure.io/freeipa/issue/8084 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3764/head:pr3764 git checkout pr3764 From bf1e195776e06bfe6494a657615d4ff6fb57c25c Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 4 Oct 2019 13:30:37 +1000 Subject: [PATCH] krainstance: set correct issuer DN in uid=ipakra entry If IPA CA has custom subject DN (not "CN=Certificate Authority,{subject_base}"), the uid=ipakra people entry gets an incorrect 'description' attribute. The issuer DN in the 'description' attribute is based on the aforementioned pattern, instead of the actual IPA CA subject DN. Update KRAInstance.configure_instance() to require the CA subject DN argument. Update ipaserver.install.kra.install() to pass the CA subject DN. Fixes: https://pagure.io/freeipa/issue/8084 --- ipaserver/install/kra.py | 5 - ipaserver/install/krainstance.py | 9 + 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py index 3cc020896b..746c534dcf 100644 --- a/ipaserver/install/kra.py +++ b/ipaserver/install/kra.py 
@@ -16,7 +16,7 @@ from ipaplatform.paths import paths from ipapython import ipautil from ipapython.install.core import group -from ipaserver.install import cainstance +from ipaserver.install import ca, cainstance from ipaserver.install import krainstance from ipaserver.install import dsinstance from ipaserver.install import service as _service @@ -86,10 +86,13 @@ def install(api, replica_config, options, custodia): master_host = replica_config.kra_host_name promote = True +ca_subject = ca.lookup_ca_subject(api, subject_base) + kra = krainstance.KRAInstance(realm_name) kra.configure_instance( realm_name, host_name, dm_password, dm_password, subject_base=subject_base, +ca_subject=ca_subject, pkcs12_info=pkcs12_info, master_host=master_host, promote=promote, diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py index 4f8849b73e..46c9c63ea8 100644 --- a/ipaserver/install/krainstance.py +++ b/ipaserver/install/krainstance.py @@ -81,7 +81,7 @@ def __init__(self, realm): def configure_instance(self, realm_name, host_name, dm_password, admin_password, pkcs12_info=None, master_host=None, - subject_base=None, subject=None, + subject_base=None, ca_subject=None, promote=False, pki_config_override=None): """Create a KRA instance. @@ -99,8 +99,9 @@ def configure_instance(self, realm_name, host_name, dm_password, self.subject_base = \ subject_base or installutils.default_subject_base(realm_name) -self.subject = \ -subject or installutils.default_ca_subject_dn(self.subject_base) + +# eagerly convert to DN to ensure validity +self.ca_subject = DN(ca_subject) self.realm = realm_name self.suffix = ipautil.realm_to_suffix(realm_name) 
@@ -258,7 +259,7 @@ def __create_kra_agent(self): userCertificate=[cert], description=['2;%s;%s;%s' % ( cert.serial_number, -DN(self.subject), +self.ca_subject, DN(('CN', 'IPA RA'), self.subject_base))]) conn.add_entry(entry)
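Review bot: the commit message says `configure_instance()` is updated "to require the CA subject DN argument", but the signature hunk keeps a default (`+ subject_base=None, ca_subject=None,`) and the only enforcement is `self.ca_subject = DN(ca_subject)`, which for a missing argument raises a generic TypeError from the DN constructor. Either drop the default so Python itself reports the missing argument, or check `if ca_subject is None: raise ValueError('ca_subject is required')` before the `DN()` call. The `# eagerly convert to DN to ensure validity` comment should also say that a malformed DN string fails here, at configure time, instead of later in `__create_kra_agent`.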
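Review bot: the `install()` hunk adds `ca_subject = ca.lookup_ca_subject(api, subject_base)` but the diffstat shows no test change. A KRA install test with a non-default `--ca-subject` that then authenticates as the KRA agent would have caught the original bug and would guard this fix against regressions; please add one, or say in the PR why it is not feasible in CI.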
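The incorrect `description` value described in the commit messages above (#3764 and its backports) has the Dogtag form `2;<serial>;<issuer DN>;<subject DN>`, and an entry written with the default pattern on a CA that has a custom subject can be spotted with a small check. The following is an added example, not FreeIPA code and not its `fix_kra_people_entry` plugin: the LDAP entry, the CA subject DN `CN=Example Root CA,O=EXAMPLE.COM` and the serial number are constructed values, and `normalize_dn()` is a deliberately simplified DN comparison (attribute types case-folded, whitespace around `=` ignored, values compared verbatim) rather than full RFC 4514 matching.

```python
"""Detect a KRA agent entry whose Dogtag 'description' names the wrong issuer.

Added example; not FreeIPA code. The entry, CA subject and serial below are
constructed for illustration.
"""
import re

# Constructed sample: the installer assumed the default CA subject pattern
# ("CN=Certificate Authority,<subject_base>") while the CA really was set up
# with a custom subject DN (assumed value).
SUBJECT_BASE = "O=EXAMPLE.COM"
ACTUAL_CA_SUBJECT = "CN=Example Root CA,O=EXAMPLE.COM"
SAMPLE_ENTRY = {
    "uid": ["ipakra"],
    "description": [
        "2;7;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM"
    ],
}

# Split on ',' (between RDNs) or '+' (inside a multi-valued RDN) only when
# the separator is not escaped with a backslash.
_RDN_SEP = re.compile(r"(?<!\\),")
_AVA_SEP = re.compile(r"(?<!\\)\+")


def parse_description(value):
    """Return (serial, issuer_dn, subject_dn) from '2;<serial>;<issuer>;<subject>'.

    An unescaped ';' never occurs inside a DN string, so a bounded split on
    ';' separates the four fields.
    """
    parts = value.split(";", 3)
    if len(parts) != 4 or parts[0] != "2":
        raise ValueError("unexpected description format: %r" % value)
    return int(parts[1]), parts[2], parts[3]


def normalize_dn(dn):
    """Simplified DN normalization for comparison (not full RFC 4514).

    Attribute types are case-folded and whitespace around '=' is dropped;
    multi-valued RDNs are order-insensitive; values are compared verbatim.
    """
    rdns = []
    for rdn in _RDN_SEP.split(dn):
        avas = []
        for ava in _AVA_SEP.split(rdn):
            attr, sep, val = ava.partition("=")
            if not sep:
                raise ValueError("malformed RDN %r in %r" % (ava, dn))
            avas.append((attr.strip().lower(), val.strip()))
        rdns.append(tuple(sorted(avas)))
    return tuple(rdns)


def check_kra_agent_entry(entry, ca_subject, subject_base):
    """Return (ok, expected_description).

    ok is True when the issuer field equals the real CA subject DN and the
    subject field is CN=IPA RA,<subject_base>. expected_description is the
    value the entry should carry (serial kept from the entry).
    """
    serial, issuer, subject = parse_description(entry["description"][0])
    expected_subject = "CN=IPA RA,%s" % subject_base
    ok = (normalize_dn(issuer) == normalize_dn(ca_subject)
          and normalize_dn(subject) == normalize_dn(expected_subject))
    expected = "2;%d;%s;%s" % (serial, ca_subject, expected_subject)
    return ok, expected


if __name__ == "__main__":
    ok, expected = check_kra_agent_entry(SAMPLE_ENTRY, ACTUAL_CA_SUBJECT, SUBJECT_BASE)
    print("entry ok:", ok)
    if not ok:
        print("expected description:", expected)
```

On a real server the entry would come from an `ldapsearch` as Directory Manager and the CA subject DN from the CA certificate itself rather than from a constant; whenever `ok` is false, `expected` is the value the entry should carry.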
[Freeipa-devel] [freeipa PR#3731][closed] [Backport][ipa-4-6] Wrap CustodiaClient in context manager
URL: https://github.com/freeipa/freeipa/pull/3731 Author: frasertweedale Title: #3731: [Backport][ipa-4-6] Wrap CustodiaClient in context manager Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3731/head:pr3731 git checkout pr3731
[Freeipa-devel] [freeipa PR#3730][closed] [Backport][ipa-4-8] Support AES wrapping in LWCA key replication
URL: https://github.com/freeipa/freeipa/pull/3730 Author: frasertweedale Title: #3730: [Backport][ipa-4-8] Support AES wrapping in LWCA key replication Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3730/head:pr3730 git checkout pr3730
[Freeipa-devel] [freeipa PR#3737][closed] [Backport][ipa-4-6] Fixed errors newly exposed by pylint 2.4.0
URL: https://github.com/freeipa/freeipa/pull/3737 Author: frasertweedale Title: #3737: [Backport][ipa-4-6] Fixed errors newly exposed by pylint 2.4.0 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3737/head:pr3737 git checkout pr3737
[Freeipa-devel] [freeipa PR#3737][opened] [Backport][ipa-4-6] Fixed errors newly exposed by pylint 2.4.0
URL: https://github.com/freeipa/freeipa/pull/3737 Author: frasertweedale Title: #3737: [Backport][ipa-4-6] Fixed errors newly exposed by pylint 2.4.0 Action: opened PR body: """ Manual backport of https://github.com/freeipa/freeipa/pull/3727. Newest Pylint introduced additional checks [1]: - import-outside-toplevel [2] > This check warns when modules are imported from places other than a module toplevel, e.g. inside a function or a class. - no-else-continue [3] > These checks highlight unnecessary else and elif blocks after break and continue statements. - unnecessary-comprehension [4] > This check is emitted when pylint finds list-, set- or dict-comprehensions, that are unnecessary and can be rewritten with the list-, set- or dict-constructors. [1] https://github.com/PyCQA/pylint/blob/pylint-2.4.0/doc/whatsnew/2.4.rst [2] https://github.com/PyCQA/pylint/issues/3067 [3] https://github.com/PyCQA/pylint/issues/2327 [4] https://github.com/PyCQA/pylint/issues/2905 Fixes: https://pagure.io/freeipa/issue/8077 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3737/head:pr3737 git checkout pr3737 From 8a601ba807088af8597bd890e15305c79ea119bd Mon Sep 17 00:00:00 2001 
From: Stanislav Levin Date: Tue, 24 Sep 2019 21:27:04 +0300 Subject: [PATCH] Fixed errors newly exposed by pylint 2.4.0 Newest Pylint introduced additional checks [1]: - import-outside-toplevel [2] > This check warns when modules are imported from places other than a module toplevel, e.g. inside a function or a class. - no-else-continue [3] > These checks highlight unnecessary else and elif blocks after break and continue statements. - unnecessary-comprehension [4] > This check is emitted when pylint finds list-, set- or dict-comprehensions, that are unnecessary and can be rewritten with the list-, set- or dict-constructors. [1] https://github.com/PyCQA/pylint/blob/pylint-2.4.0/doc/whatsnew/2.4.rst [2] https://github.com/PyCQA/pylint/issues/3067 [3] https://github.com/PyCQA/pylint/issues/2327 [4] https://github.com/PyCQA/pylint/issues/2905 Fixes: https://pagure.io/freeipa/issue/8077 Signed-off-by: Stanislav Levin --- ipalib/__init__.py | 13 + ipalib/frontend.py | 11 +-- ipalib/parameters.py | 16 ipalib/plugable.py | 9 + 4 files changed, 31 insertions(+), 18 deletions(-) diff --git a/ipalib/__init__.py b/ipalib/__init__.py index f1ffe51f3b..1aca30939f 100644 --- a/ipalib/__init__.py +++ b/ipalib/__init__.py @@ -886,8 +886,10 @@ class my_command(Command): def _enable_warnings(error=False): """Enable additional warnings during development """ +# pylint: disable=import-outside-toplevel import ctypes import warnings +# pylint: enable=import-outside-toplevel # get reference to Py_BytesWarningFlag from Python CAPI byteswarnings = ctypes.c_int.in_dll( # pylint: disable=no-member 
@@ -937,14 +939,23 @@ class API(plugable.API): def packages(self): if self.env.in_server: # pylint: disable=import-error,ipa-forbidden-import +# pylint: disable=import-outside-toplevel import ipaserver.plugins # pylint: enable=import-error,ipa-forbidden-import +# pylint: enable=import-outside-toplevel result = ( ipaserver.plugins, ) else: +# disables immediately after an else clause +# do not work properly: +# https://github.com/PyCQA/pylint/issues/872 +# Thus, below line was added as a workaround +result = None +# pylint: disable=import-outside-toplevel import ipaclient.remote_plugins import ipaclient.plugins +# pylint: enable=import-outside-toplevel result = ( ipaclient.remote_plugins.get_package(self), ipaclient.plugins, @@ -952,8 +963,10 @@ def packages(self): if self.env.context in ('installer', 'updates'): # pylint: disable=import-error,ipa-forbidden-import +# pylint: disable=import-outside-toplevel import ipaserver.install.plugins # pylint: enable=import-error,ipa-forbidden-import +# pylint: enable=import-outside-toplevel result += (ipaserver.install.plugins,) return result diff --git a/ipalib/frontend.py b/ipalib/frontend.py index b6e6147237..2235c0cf62 100644 --- a/ipalib/frontend.py +++ b/ipalib/frontend.py @@ -575,7 +575,7 @@ def __attributes_2_entry(self, kw): if self.params[name].attribute and name in kw: value = kw[name] if isinstance(value, tuple): -yield (name, [v for v in value]) +yield (name, list(value)) else: yield (name, kw[name]) @@ -1064,15 +1064,14 @@ def output_for_cli
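Review bot: in the `packages()` hunk the `else:` branch gains `result = None` solely so that the following `# pylint: disable=import-outside-toplevel` takes effect (the comment cites pylint issue 872). That is a dead store, and the next reader will remove it as a cleanup and reintroduce the warning. Putting the pragma on the import lines themselves (`import ipaclient.remote_plugins  # pylint: disable=import-outside-toplevel`) needs no placeholder statement and no matching `enable` line.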
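Review bot: this ipa-4-6 backport's diffstat lists only `ipalib/__init__.py`, `ipalib/frontend.py`, `ipalib/parameters.py` and `ipalib/plugable.py`, whereas the ipa-4-8 version of the same commit (#3733) also touches `ipaclient/discovery.py` and `ipapython/ipachangeconf.py`. The commit message should say that those two files have no `import-outside-toplevel` or `unnecessary-comprehension` hits on ipa-4-6, or that they are fixed separately; otherwise pylint 2.4.0 will still fail on this branch after the backport.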
[Freeipa-devel] [freeipa PR#3733][closed] [Backport][ipa-4-8] Fix errors newly exposed by pylint 2.4.0
URL: https://github.com/freeipa/freeipa/pull/3733 Author: frasertweedale Title: #3733: [Backport][ipa-4-8] Fix errors newly exposed by pylint 2.4.0 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3733/head:pr3733 git checkout pr3733
[Freeipa-devel] [freeipa PR#3727][closed] Fix errors newly exposed by pylint 2.4.0
URL: https://github.com/freeipa/freeipa/pull/3727 Author: stanislavlevin Title: #3727: Fix errors newly exposed by pylint 2.4.0 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3727/head:pr3727 git checkout pr3727
[Freeipa-devel] [freeipa PR#3733][opened] [Backport][ipa-4-8] Fix errors newly exposed by pylint 2.4.0
URL: https://github.com/freeipa/freeipa/pull/3733 Author: frasertweedale Title: #3733: [Backport][ipa-4-8] Fix errors newly exposed by pylint 2.4.0 Action: opened PR body: """ This PR was opened automatically because PR #3727 was pushed to master and backport to ipa-4-8 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3733/head:pr3733 git checkout pr3733 From afa1742261a066a4d28088d2a37a558c8cf3ed46 Mon Sep 17 00:00:00 2001 From: Stanislav Levin Date: Tue, 24 Sep 2019 21:27:04 +0300 Subject: [PATCH 1/2] Fixed errors newly exposed by pylint 2.4.0 Newest Pylint introduced additional checks [1]: - import-outside-toplevel [2] > This check warns when modules are imported from places other than a module toplevel, e.g. inside a function or a class. - no-else-continue [3] > These checks highlight unnecessary else and elif blocks after break and continue statements. - unnecessary-comprehension [4] > This check is emitted when pylint finds list-, set- or dict-comprehensions, that are unnecessary and can be rewritten with the list-, set- or dict-constructors. [1] https://github.com/PyCQA/pylint/blob/pylint-2.4.0/doc/whatsnew/2.4.rst [2] https://github.com/PyCQA/pylint/issues/3067 [3] https://github.com/PyCQA/pylint/issues/2327 [4] https://github.com/PyCQA/pylint/issues/2905 Fixes: https://pagure.io/freeipa/issue/8077 Signed-off-by: Stanislav Levin --- ipaclient/discovery.py | 2 ++ ipalib/__init__.py | 13 + ipalib/frontend.py | 11 +-- ipalib/parameters.py | 16 ipalib/plugable.py | 9 + ipapython/ipachangeconf.py | 2 +- 6 files changed, 34 insertions(+), 19 deletions(-) diff --git a/ipaclient/discovery.py b/ipaclient/discovery.py index c322e97124..2edbf2c9da 100644 --- a/ipaclient/discovery.py +++ b/ipaclient/discovery.py 
@@ -605,9 +605,11 @@ def ipadnssearchkrbkdc(self, domain=None): def main(): +# pylint: disable=import-outside-toplevel import argparse import os from ipapython.ipa_log_manager import standard_logging_setup +# pylint: enable=import-outside-toplevel parser = argparse.ArgumentParser(__name__) diff --git a/ipalib/__init__.py b/ipalib/__init__.py index f0780aa1f9..36f5765ddb 100644 --- a/ipalib/__init__.py +++ b/ipalib/__init__.py @@ -886,8 +886,10 @@ class my_command(Command): def _enable_warnings(error=False): """Enable additional warnings during development """ +# pylint: disable=import-outside-toplevel import ctypes import warnings +# pylint: enable=import-outside-toplevel # get reference to Py_BytesWarningFlag from Python CAPI byteswarnings = ctypes.c_int.in_dll( # pylint: disable=no-member @@ -937,14 +939,23 @@ class API(plugable.API): def packages(self): if self.env.in_server: # pylint: disable=import-error,ipa-forbidden-import +# pylint: disable=import-outside-toplevel import ipaserver.plugins # pylint: enable=import-error,ipa-forbidden-import +# pylint: enable=import-outside-toplevel result = ( ipaserver.plugins, ) else: +# disables immediately after an else clause +# do not work properly: +# https://github.com/PyCQA/pylint/issues/872 +# Thus, below line was added as a workaround +result = None +# pylint: disable=import-outside-toplevel import ipaclient.remote_plugins import ipaclient.plugins +# pylint: enable=import-outside-toplevel result = ( ipaclient.remote_plugins.get_package(self), ipaclient.plugins, @@ -952,8 +963,10 @@ def packages(self): if self.env.context in ('installer', 'updates'): # pylint: disable=import-error,ipa-forbidden-import +# pylint: disable=import-outside-toplevel import ipaserver.install.plugins # pylint: enable=import-error,ipa-forbidden-import +# pylint: enable=import-outside-toplevel result += (ipaserver.install.plugins,) return result diff --git a/ipalib/frontend.py b/ipalib/frontend.py index 63a9069260..ec14ad1027 100644 
--- a/ipalib/frontend.py +++ b/ipalib/frontend.py @@ -575,7 +575,7 @@ def __attributes_2_entry(self, kw): if self.params[name].attribute and name in kw: value = kw[name] if isinstance(value, tuple): -yield (name, [v for v in value]) +yield (name, list(value)) else: yield (name, kw[name]) @@ -1069,15 +1069,14 @@ def output_for_cli(self, textui, output, *args, **options): if o == 'value': continue -elif o.lower() == 'count' and result == 0: +
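Review bot: in the `packages()` hunk each guarded import now sits between two pairs of pragmas (`# pylint: disable=import-error,ipa-forbidden-import` followed by `# pylint: disable=import-outside-toplevel`, with two matching `enable` lines). pylint takes a comma-separated list, so the new checker can be appended to the existing pragma (`# pylint: disable=import-error,ipa-forbidden-import,import-outside-toplevel`) and to its `enable` counterpart, halving the pragma lines in all three blocks of this hunk and removing the need for the `result = None` placeholder in the `else:` branch.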
[Freeipa-devel] [freeipa PR#3731][opened] [Backport][ipa-4-7] Wrap CustodiaClient in context manager
URL: https://github.com/freeipa/freeipa/pull/3731 Author: frasertweedale Title: #3731: [Backport][ipa-4-7] Wrap CustodiaClient in context manager Action: opened PR body: """ Backport of https://github.com/freeipa/freeipa/pull/3287. A CustodiaClient object has to the process environment a bit, e.g. set up GSSAPI credentials. To reuse the credentials in libldap connections, it is also necessary to set up a custom ccache store and configure KRBCCNAME. Credential initialization and ccache is now handled in a context manager. https://pagure.io/freeipa/issue/7964 https://bugzilla.redhat.com/show_bug.cgi?id=1755223 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3731/head:pr3731 git checkout pr3731 From 890fa79719f8321c1ef7fa9a765ad93d6c38af49 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 30 May 2019 20:57:10 +1000 Subject: [PATCH 1/5] Handle missing LWCA certificate or chain If lightweight CA key replication has not completed, requests for the certificate or chain will return 404**. This can occur in normal operation, and should be a temporary condition. Detect this case and handle it by simply omitting the 'certificate' and/or 'certificate_out' fields in the response, and add a warning message to the response. Also update the client-side plugin that handles the --certificate-out option. Because the CLI will automatically print the warning message, if the expected field is missing from the response, just ignore it and continue processing. ** after the Dogtag NullPointerException gets fixed! Part of: https://pagure.io/freeipa/issue/7964 Reviewed-By: Christian Heimes Reviewed-By: Fraser Tweedale Reviewed-By: Alexander Bokovoy --- ipaclient/plugins/ca.py | 19 +++--- ipalib/messages.py | 9 +++ ipaserver/plugins/ca.py | 57 +++-- 3 files changed, 68 insertions(+), 17 deletions(-) diff --git a/ipaclient/plugins/ca.py b/ipaclient/plugins/ca.py index f0e7d5ced0..ab47ae85df 100644 
--- a/ipaclient/plugins/ca.py +++ b/ipaclient/plugins/ca.py @@ -33,13 +33,24 @@ def forward(self, *keys, **options): error=str(e)) result = super(WithCertOutArgs, self).forward(*keys, **options) + if filename: +# if result certificate / certificate_chain not present in result, +# it means Dogtag did not provide it (probably due to LWCA key +# replication lag or failure. The server transmits a warning +# message in this case, which the client automatically prints. +# So in this section we just ignore it and move on. +certs = None if options.get('chain', False): -certs = result['result']['certificate_chain'] +if 'certificate_chain' in result['result']: +certs = result['result']['certificate_chain'] else: -certs = [base64.b64decode(result['result']['certificate'])] -certs = (x509.load_der_x509_certificate(cert) for cert in certs) -x509.write_certificate_list(certs, filename) +if 'certificate' in result['result']: +certs = [base64.b64decode(result['result']['certificate'])] +if certs: +x509.write_certificate_list( +(x509.load_der_x509_certificate(cert) for cert in certs), +filename) return result diff --git a/ipalib/messages.py b/ipalib/messages.py index 9e2c990d6d..6466627956 100644 --- a/ipalib/messages.py +++ b/ipalib/messages.py @@ -487,6 +487,15 @@ class FailedToAddHostDNSRecords(PublicMessage): "%(reason)s") +class LightweightCACertificateNotAvailable(PublicMessage): +""" +**13031** Certificate is not available +""" +errno = 13031 +type = "error" +format = _("The certificate for %(ca)s is not available on this server.") + + def iter_messages(variables, base): """Return a tuple with all subclasses """ diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py index 88e7ec2a9f..c8f1630c65 100644 --- a/ipaserver/plugins/ca.py +++ b/ipaserver/plugins/ca.py 
@@ -6,7 +6,7 @@ import six -from ipalib import api, errors, output, Bytes, DNParam, Flag, Str +from ipalib import api, errors, messages, output, Bytes, DNParam, Flag, Str from ipalib.constants import IPA_CA_CN from ipalib.plugable import Registry from ipapython.dn import ATTR_NAME_BY_OID @@ -163,28 +163,53 @@ class ca(LDAPObject): def set_certificate_attrs(entry, options, want_cert=True): +""" +Set certificate attributes into the entry. Depending on +options, this may contact Dogtag to retrieve certificate or +chain. If the retrieval fails with 404 (which can occur under +normal operation due to lightweight CA key replication delay), +return a message object that should be
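Review bot: in the `forward()` hunk, when the server omits `certificate`/`certificate_chain`, `certs` stays `None` and `if certs:` silently skips writing `filename` while the command still returns normally. A script that passes `--certificate-out FILE` and then reads FILE sees only a warning on the terminal and a zero exit status. Consider signalling the missing file to the caller (a non-zero exit status, or an error when `--certificate-out` was explicitly requested and nothing could be written), and close the parenthesis in the comment `(probably due to LWCA key replication lag or failure.`.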
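Review bot: the new `LightweightCACertificateNotAvailable` message in `ipalib/messages.py` is a `PublicMessage` (delivered in the response's messages list, not raised) yet carries `type = "error"`, while the `set_certificate_attrs` docstring in the same series describes the condition as normal, temporary replication lag. Confirm that the client-side message printer handles `type = "error"` for a non-fatal message, and consider `type = "warning"` so the classification matches how the message is actually treated.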
[Freeipa-devel] [freeipa PR#3483][closed] Support AES wrapping in LWCA key replication
URL: https://github.com/freeipa/freeipa/pull/3483 Author: frasertweedale Title: #3483: Support AES wrapping in LWCA key replication Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3483/head:pr3483 git checkout pr3483
[Freeipa-devel] [freeipa PR#3730][opened] [Backport][ipa-4-8] Support AES wrapping in LWCA key replication
URL: https://github.com/freeipa/freeipa/pull/3730 Author: frasertweedale Title: #3730: [Backport][ipa-4-8] Support AES wrapping in LWCA key replication Action: opened PR body: """ This PR was opened automatically because PR #3483 was pushed to master and backport to ipa-4-8 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3730/head:pr3730 git checkout pr3730 From d7405ad1e2de32365ae7d77e666d5b9ee738f8b4 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 24 Jul 2019 13:45:29 +1000 Subject: [PATCH 1/4] IPASecStore: support extra key arguments To support lightweight CA key replication using AES, while retaining backwards compatibility with old servers, it is necessary to signal support for AES. Whereas we currently request a key with the path: /keys/ca_wrapped/ and whereas paths with > 3 components are unsupported, add support for handlers to signal that they support extra arguments (defaulting to False), those arguments being conveyed as additional path components, e.g.: # 2.16.840.1.101.3.4.1.2 = aes128-cbc /keys/ca_wrapped//2.16.840.1.101.3.4.1.2 This commit only adds the Custodia support for extra handler arguments. Work to support LWCA key replication with AES wrapping will continue in subsequent commits. Part of: https://pagure.io/freeipa/issue/8020 --- ipaserver/secrets/store.py | 12 ++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/ipaserver/secrets/store.py b/ipaserver/secrets/store.py index b40008c182..684828dd84 100644 --- a/ipaserver/secrets/store.py +++ b/ipaserver/secrets/store.py @@ -15,8 +15,13 @@ class UnknownKeyName(Exception): pass +class InvalidKeyArguments(Exception): +pass + + class DBMAPHandler: dbtype = None +supports_extra_args = False def __init__(self, config, dbmap, nickname): dbtype = dbmap.get('type') 
@@ -162,12 +167,15 @@ def __init__(self, config=None): def _get_handler(self, key): path = key.split('/', 3) -if len(path) != 3 or path[0] != 'keys': +if len(path) < 3 or path[0] != 'keys': raise ValueError('Invalid name') if path[1] not in NAME_DB_MAP: raise UnknownKeyName("Unknown DB named '%s'" % path[1]) dbmap = NAME_DB_MAP[path[1]] -return dbmap['handler'](self.config, dbmap, path[2]) +handler = dbmap['handler'] +if len(path) > 3 and not handler.supports_extra_args: +raise InvalidKeyArguments('Handler does not support extra args') +return handler(self.config, dbmap, path[2], *path[3:]) def get(self, key): try: From 1e86d7ef6565c4a5ad9c28d9e8abc610a9118b16 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 24 Jul 2019 14:10:29 +1000 Subject: [PATCH 2/4] NSSWrappedCertDB: accept optional symmetric algorithm Add support for Custodia ca_wrapped clients to specify the desired symmetric encryption algorithm for exporting the wrapped signing key (this mechanism is used for LWCA key replication). If not specified, we must assume that the client has an older Dogtag version that can only import keys wrapped with DES-EDE3-CBC encryption. The selected algorithm gets passed to the 'nsswrappedcert' handler, which in turn passes it to the 'pki ca-authority-key-export' command (which is part of Dogtag). Client-side changes will occur in a subsequent commit. Part of: https://pagure.io/freeipa/issue/8020 --- ipaserver/secrets/handlers/nsswrappedcert.py | 12 + ipaserver/secrets/store.py | 28 +++- 2 files changed, 39 insertions(+), 1 deletion(-) diff --git a/ipaserver/secrets/handlers/nsswrappedcert.py b/ipaserver/secrets/handlers/nsswrappedcert.py index 6b7b142f9f..2714d0375c 100644 --- a/ipaserver/secrets/handlers/nsswrappedcert.py +++ b/ipaserver/secrets/handlers/nsswrappedcert.py 
@@ -26,6 +26,7 @@ def export_key(args, tmpdir): 'ca-authority-key-export', '--wrap-nickname', args.wrap_nickname, '--target-nickname', args.nickname, +'--algorithm', args.algorithm, '-o', wrapped_key_file ]) @@ -95,6 +96,17 @@ def pki_tomcat_parser(): help='nick name of target key', required=True ) + +# Caller must specify a cipher. This gets passed on to +# the 'pki ca-authority-key-export' command (part of +# Dogtag) via its own --algorithm option. +parser.add_argument( +'--algorithm', +dest='algorithm', +help='OID of symmetric wrap algorithm', +required=True +) + parser.set_defaults( nssdb_path=paths.PKI_TOMCAT_ALIAS_DIR, nssdb_pwdfile=paths.PKI_TOMCAT_ALIAS_PWDFILE_TXT, diff --git a/ipaserver/secrets/store.py b/ipaserver/secrets/store.py index 684828dd84..eba1b3b5f3 100644 --- a/ipaserver/secrets/store.py +++ b/ipaserver/secrets/store.py @@ -86,9 +86,35 @@ class NSSWrappedCertDB(DBMAPCommandHandler)
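Review bot: in the store.py `_get_handler` hunk (patch 1/4), the new `InvalidKeyArguments` is raised from `_get_handler`, but the `get()` method whose `try:` is cut off at the end of the hunk is not shown catching it alongside `UnknownKeyName`; confirm it does, so that a request with an unsupported extra argument maps to a defined HTTP status rather than an unhandled exception. A client that retries on 404 (as described for the ipa-pki-retrieve-key change in PR #3483) depends on that status being predictable.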
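Review bot: the nsswrappedcert.py hunk (patch 2/4) makes `--algorithm` `required=True` with the comment "Caller must specify a cipher", while the commit message says an unspecified algorithm must default to DES-EDE3-CBC for older Dogtag clients; that default therefore has to be applied in store.py before the handler is invoked, and the store.py hunk that would show it is truncated here. Please also check that the OID is validated against the set of algorithms `pki ca-authority-key-export` accepts before it is placed in the argument list: it originates as a client-supplied path component, and an arbitrary value would otherwise surface only as an opaque `pki` failure.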
[Freeipa-devel] [freeipa PR#3509][opened] [Backport][ipa-4-7] Profile-based system cert renewal
URL: https://github.com/freeipa/freeipa/pull/3509 Author: frasertweedale Title: #3509: [Backport][ipa-4-7] Profile-based system cert renewal Action: opened PR body: """ Manual backport of #3316 to ipa-4-7. We may need to backport this change all the way to ipa-4-6 to allow us to change the IPA RA certificate profile on older releases. See also https://github.com/freeipa/freeipa/pull/3508 which is the ipa-4-7 backport PR. There were some trivial conflicts. There were substantive conflicts for two patches, but these were due to the switch from mod_nss to mod_ssl, and from NSSDB-based IPA RA cert to PEM files. Those patches were not relevant, and were dropped. https://pagure.io/freeipa/issue/7991 Do not rely on CI only; I will have to test this change myself so I'll add WIP label, and remove it when I'm satisfied. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3509/head:pr3509 git checkout pr3509 From 2296e8051634fe98bcf74a2ee5d572d8ef0c2734 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Tue, 23 Apr 2019 13:47:38 +0200 Subject: [PATCH 01/13] Pass token_name to certmonger For HSM support, IPA has to pass the token name for CA and subsystem certificates to certmonger. For now, only the default 'internal' token is supported. Related: https://pagure.io/freeipa/issue/5608 Signed-off-by: Christian Heimes Reviewed-By: Alexander Bokovoy Reviewed-By: Rob Crittenden --- ipalib/install/certmonger.py| 11 +-- ipaserver/install/dogtaginstance.py | 29 ++--- 2 files changed, 31 insertions(+), 9 deletions(-) diff --git a/ipalib/install/certmonger.py b/ipalib/install/certmonger.py index 3e1862192e..11a250116a 100644 --- a/ipalib/install/certmonger.py +++ b/ipalib/install/certmonger.py 
@@ -427,7 +427,8 @@ def request_cert( def start_tracking( certpath, ca='IPA', nickname=None, pin=None, pinfile=None, -pre_command=None, post_command=None, profile=None, storage="NSSDB"): +pre_command=None, post_command=None, profile=None, storage="NSSDB", +token_name=None): """ Tell certmonger to track the given certificate in either a file or an NSS database. The certificate access can be protected by a password_file. @@ -460,6 +461,8 @@ def start_tracking( NSS or OpenSSL backend to track the certificate in ``certpath`` :param profile: Which certificate profile should be used. +:param token_name: +Hardware token name for HSM support :returns: certificate tracking nickname. """ if storage == 'FILE': @@ -500,6 +503,10 @@ def start_tracking( params['cert-postsave-command'] = post_command if profile: params['ca-profile'] = profile +if token_name not in {None, "internal"}: +# only pass token names for external tokens (e.g. HSM) +params['key-token'] = token_name +params['cert-token'] = token_name result = cm.obj_if.add_request(params) try: @@ -663,7 +670,7 @@ def modify_ca_helper(ca_name, helper): return old_helper -def get_pin(token): +def get_pin(token="internal"): """ Dogtag stores its NSS pin in a file formatted as token:PIN. diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py index e733aa423f..3cd49b65f3 100644 --- a/ipaserver/install/dogtaginstance.py +++ b/ipaserver/install/dogtaginstance.py @@ -92,6 +92,10 @@ class DogtagInstance(service.Service): tracking_reqs = None server_cert_name = None +# token for CA and subsystem certificates. For now, only internal token +# is supported. +token_name = "internal" + ipaca_groups = DN(('ou', 'groups'), ('o', 'ipaca')) ipaca_people = DN(('ou', 'people'), ('o', 'ipaca')) groups_aci = ( 
@@ -193,6 +197,12 @@ def enable_client_auth_to_db(self): """ Enable client auth connection to the internal db. """ +sub_system_nickname = "subsystemCert cert-pki-ca" +if self.token_name != "internal": +# TODO: Dogtag 10.6.9 does not like "internal" prefix. +sub_system_nickname = '{}:{}'.format( +self.token_name, sub_system_nickname +) with stopped_service('pki-tomcatd', 'pki-tomcat'): installutils.set_directive( @@ -202,7 +212,7 @@ def enable_client_auth_to_db(self): installutils.set_directive( self.config, 'authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname', -'subsystemCert cert-pki-ca', quotes=False, separator='=') +sub_system_nickname, quotes=False, separator='=') installutils.set_directive( self.config, 'authz.instance.DirAclAuthz.ldap.ldapconn.port', '636', @@ -220,7 +230,7 @@ def enable_client_auth_to_db(self): installutils.set_directive( se
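Review bot: in the certmonger.py `start_tracking` hunk, the `:param token_name:` docstring should say that `None` and `"internal"` are treated identically (no `key-token`/`cert-token` parameter is passed), since that is what `if token_name not in {None, "internal"}` implements and a caller reading only the docstring might expect `"internal"` to be forwarded. The `get_pin(token="internal")` change adds a default without touching any caller in this hunk, so it is behaviour-preserving; a one-line mention of that in the commit message would help backport reviewers.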
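Review bot: the `# TODO: Dogtag 10.6.9 does not like "internal" prefix.` comment in the `enable_client_auth_to_db` hunk should point at a tracking ticket or the Dogtag version where the prefix becomes acceptable. As written, the branch that builds `'{}:{}'.format(self.token_name, sub_system_nickname)` is unreachable on this branch (the class sets `token_name = "internal"` and the commit message says only the internal token is supported), so CI will not exercise it; a small unit test of the nickname construction would cover it.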
[Freeipa-devel] [freeipa PR#3508][opened] [Backport][ipa-4-7] Profile-based system cert renewal
URL: https://github.com/freeipa/freeipa/pull/3508 Author: frasertweedale Title: #3508: [Backport][ipa-4-7] Profile-based system cert renewal Action: opened PR body: """ Manual backport of https://github.com/freeipa/freeipa/pull/3316 to ipa-4-7. We may need to backport this change all the way to ipa-4-6 to allow us to change the IPA RA certificate profile on older releases. Currently this change is on master and ipa-4-8, so ipa-4-7 is the next step. There were some trivial conflicts. The only substantive conflicts were in `dogtaginstance.py`. These were resolved by cherry-picking 8686cd3b4b69f725aee05c9cdd3034d7436055d3 ahead of the original patchset. https://pagure.io/freeipa/issue/7991 Do not rely on CI only; I will have to test this change myself so I'll add WIP label, and remove it when I'm satisfied. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3508/head:pr3508 git checkout pr3508 From c0e1de49560ee8acc1ef13d5b871b187461fe42a Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Tue, 23 Apr 2019 13:47:38 +0200 Subject: [PATCH 01/15] Pass token_name to certmonger For HSM support, IPA has to pass the token name for CA and subsystem certificates to certmonger. For now, only the default 'internal' token is supported. Related: https://pagure.io/freeipa/issue/5608 Signed-off-by: Christian Heimes Reviewed-By: Alexander Bokovoy Reviewed-By: Rob Crittenden --- ipalib/install/certmonger.py| 11 +-- ipaserver/install/dogtaginstance.py | 29 ++--- 2 files changed, 31 insertions(+), 9 deletions(-) diff --git a/ipalib/install/certmonger.py b/ipalib/install/certmonger.py index 03caff964a..3c1844797b 100644 --- a/ipalib/install/certmonger.py +++ b/ipalib/install/certmonger.py 
@@ -427,7 +427,8 @@ def request_cert( def start_tracking( certpath, ca='IPA', nickname=None, pin=None, pinfile=None, -pre_command=None, post_command=None, profile=None, storage="NSSDB"): +pre_command=None, post_command=None, profile=None, storage="NSSDB", +token_name=None): """ Tell certmonger to track the given certificate in either a file or an NSS database. The certificate access can be protected by a password_file. @@ -460,6 +461,8 @@ def start_tracking( NSS or OpenSSL backend to track the certificate in ``certpath`` :param profile: Which certificate profile should be used. +:param token_name: +Hardware token name for HSM support :returns: certificate tracking nickname. """ if storage == 'FILE': @@ -500,6 +503,10 @@ def start_tracking( params['cert-postsave-command'] = post_command if profile: params['ca-profile'] = profile +if token_name not in {None, "internal"}: +# only pass token names for external tokens (e.g. HSM) +params['key-token'] = token_name +params['cert-token'] = token_name result = cm.obj_if.add_request(params) try: @@ -663,7 +670,7 @@ def modify_ca_helper(ca_name, helper): return old_helper -def get_pin(token): +def get_pin(token="internal"): """ Dogtag stores its NSS pin in a file formatted as token:PIN. diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py index d70651728b..91e352559a 100644 --- a/ipaserver/install/dogtaginstance.py +++ b/ipaserver/install/dogtaginstance.py @@ -92,6 +92,10 @@ class DogtagInstance(service.Service): tracking_reqs = None server_cert_name = None +# token for CA and subsystem certificates. For now, only internal token +# is supported. +token_name = "internal" + ipaca_groups = DN(('ou', 'groups'), ('o', 'ipaca')) ipaca_people = DN(('ou', 'people'), ('o', 'ipaca')) groups_aci = ( 
@@ -195,6 +199,12 @@ def enable_client_auth_to_db(self): """ Enable client auth connection to the internal db. """ +sub_system_nickname = "subsystemCert cert-pki-ca" +if self.token_name != "internal": +# TODO: Dogtag 10.6.9 does not like "internal" prefix. +sub_system_nickname = '{}:{}'.format( +self.token_name, sub_system_nickname +) with stopped_service('pki-tomcatd', 'pki-tomcat'): directivesetter.set_directive( @@ -204,7 +214,7 @@ def enable_client_auth_to_db(self): directivesetter.set_directive( self.config, 'authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname', -'subsystemCert cert-pki-ca', quotes=False, separator='=') +sub_system_nickname, quotes=False, separator='=') directivesetter.set_directive( self.config, 'authz.instance.DirAclAuthz.ldap.ldapconn.port', '636', @@ -222,7 +232,7 @@ def enable_client_auth_to_db(self): directivesetter.set_directive(
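Review bot: in the certmonger.py hunk, `params['key-token']` and `params['cert-token']` are set for an external token, but the hunk does not show the matching PIN lookup: `get_pin`'s docstring says the PIN file is formatted as `token:PIN`, so an HSM token name passed to `start_tracking` must also be the name used for `get_pin`, or tracking will be created with the wrong PIN. Worth a sentence in the docstring, or an assertion, since this backport is otherwise inert for the internal token.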
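Review bot: the `if self.token_name != "internal":` check in the `enable_client_auth_to_db` hunk and the `not in {None, "internal"}` check in certmonger.py encode the same rule ("internal means no token prefix") with two different comparisons in two files; a single helper (for example a property on `DogtagInstance` that returns the effective token name or `None`) would keep them consistent when HSM support is extended. Otherwise this ipa-4-7 copy differs from the ipa-4-8 one only in calling `directivesetter.set_directive` instead of `installutils.set_directive`.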
[Freeipa-devel] [freeipa PR#3483][opened] Support AES wrapping in LWCA key replication
URL: https://github.com/freeipa/freeipa/pull/3483 Author: frasertweedale Title: #3483: Support AES wrapping in LWCA key replication Action: opened PR body: """ The PR enhances the NSSWrappedCertDB custodia store to accept an optional symmetric encryption algorithm OID to use for encrypting the key. Also update the ipa-pki-retrieve-key program to request AES wrapping. For backwards compatibility when older servers request a key, default to 3DES (which is what the older server supports). For backwards compatibility when retrieving a key from an older server, try AES first, and on HTTP 404 retry without the algorithm OID. This change depends on Dogtag PR https://github.com/dogtagpki/pki/pull/232, and new Dogtag release containing the change (so that we can bump the dep min bound in FreeIPA). Changes: ``` 4afb3c3fa (Fraser Tweedale, 21 hours ago) ipa-pki-retrieve-key: request AES encryption (with fallback) Update the ipa-pki-retrieve-key client to issue a request that specifies that AES encryption should be used. Fall back to a simple request (which will use default export algorithm) if the server returns 404. The 404 indicates that either: - It is an old server that does not support extra key arguments - It is a new server but the key does not exist, in which case the fallback request will also fail with 404. Fixes: https://pagure.io/freeipa/issue/8020 c5d150a39 (Fraser Tweedale, 8 days ago) NSSWrappedCertDB: accept optional symmetric algorithm Add support for specifying the desired symmetric encryption algorithm for exporting wrapped key (for LWCA key replication). If not specified, defaults to DES-EDE3-CBC for backwards compatibility. Client-side changes will occur in a subsequent commit. Part of: https://pagure.io/freeipa/issue/8020 86ba401cc (Fraser Tweedale, 8 days ago) IPASecStore: support extra key arguments To support lightweight CA key replication using AES, while retaining backwards compatibility with old servers, it is necessary to signal support for AES. 
Whereas we currently request a key with the path: /keys/ca_wrapped/ and whereas paths with > 3 components are unsupported, add support for handlers to signal that they support extra arguments (defaulting to False), those arguments being conveyed as additional path components, e.g.: # 2.16.840.1.101.3.4.1.2 = aes128-cbc /keys/ca_wrapped//2.16.840.1.101.3.4.1.2 This commit only adds the Custodia support for extra handler arguments. Work to support LWCA key replication with AES wrapping will continue in subsequent commits. Part of: https://pagure.io/freeipa/issue/8020 ``` """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3483/head:pr3483 git checkout pr3483 From 86ba401ccfa0b7afff2f7462dc775babcfdc37bb Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 24 Jul 2019 13:45:29 +1000 Subject: [PATCH 1/3] IPASecStore: support extra key arguments To support lightweight CA key replication using AES, while retaining backwards compatibility with old servers, it is necessary to signal support for AES. Whereas we currently request a key with the path: /keys/ca_wrapped/ and whereas paths with > 3 components are unsupported, add support for handlers to signal that they support extra arguments (defaulting to False), those arguments being conveyed as additional path components, e.g.: # 2.16.840.1.101.3.4.1.2 = aes128-cbc /keys/ca_wrapped//2.16.840.1.101.3.4.1.2 This commit only adds the Custodia support for extra handler arguments. Work to support LWCA key replication with AES wrapping will continue in subsequent commits. Part of: https://pagure.io/freeipa/issue/8020 --- ipaserver/secrets/store.py | 12 ++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/ipaserver/secrets/store.py b/ipaserver/secrets/store.py index b40008c182..684828dd84 100644 --- a/ipaserver/secrets/store.py +++ b/ipaserver/secrets/store.py 
@@ -15,8 +15,13 @@ class UnknownKeyName(Exception): pass +class InvalidKeyArguments(Exception): +pass + + class DBMAPHandler: dbtype = None +supports_extra_args = False def __init__(self, config, dbmap, nickname): dbtype = dbmap.get('type') @@ -162,12 +167,15 @@ def __init__(self, config=None): def _get_handler(self, key): path = key.split('/', 3) -if len(path) != 3 or path[0] != 'keys': +if len(path) < 3 or path[0] != 'keys': raise ValueError('Invalid name') if path[1] not in NAME_DB_MAP: raise UnknownKeyName("Unknown DB named '%s'" % path[1]) dbmap = NAME_DB_MAP[path[1]] -return dbmap['handler'](self.config, dbmap, path[2]) +handler = dbmap['handler'] +if len(path) > 3 and not handler.supports_extra_args: +raise InvalidKeyArguments('Handler does not support extra args
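Review bot: in the `_get_handler` hunk, `path = key.split('/', 3)` caps the split at four components, so at most one extra argument is ever separated off and anything after a fourth `/` reaches the handler inside that one string (a key such as `keys/ca_wrapped/name/2.16.840.1.101.3.4.1.2/x` yields a single extra argument `2.16.840.1.101.3.4.1.2/x`). The commit message describes the extras as "additional path components" (plural); either raise the maxsplit to match, or document that exactly one extra component is supported and have the handler reject values containing `/`.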
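The PR body above describes the client behaviour (ask for AES wrapping, retry without the algorithm OID on 404) and the ambiguity of that 404. The following is an added example, not FreeIPA's or Custodia's own code: it models the `keys/ca_wrapped/<nickname>[/<OID>]` path convention on a toy server and runs the client-side fallback against a "new" and an "old" server. `KeyNotFound` (standing in for HTTP 404), `CustodiaServerModel`, `retrieve_wrapped_key`, `describe_retrieval`, the nickname `lwca-0` and the placeholder key material are constructed for the example; the aes128-cbc OID is the one quoted on the page, and the des-ede3-cbc OID is the standard PKCS#7 value.

```python
# Added example, not FreeIPA/Custodia code: toy server + client fallback for
# the '/keys/ca_wrapped/<nickname>[/<algorithm OID>]' convention.

AES128_CBC_OID = "2.16.840.1.101.3.4.1.2"   # aes128-cbc, as quoted in the commit message
DES_EDE3_CBC_OID = "1.2.840.113549.3.7"      # des-ede3-cbc, the old default wrap algorithm


class KeyNotFound(Exception):
    """Stands in for the HTTP 404 Custodia returns for an unknown key."""


class InvalidKeyArguments(Exception):
    """A handler was given extra path components it does not accept."""


def parse_key_path(key):
    """Split 'keys/<db>/<nickname>[/<extra>]' into (db, nickname, extra_args).

    Same shape as the patched _get_handler: 'keys' must lead, at least three
    components are required, and the split is capped so that at most one
    extra component is separated off (anything after a fourth '/' stays in it).
    """
    path = key.strip("/").split("/", 3)
    if len(path) < 3 or path[0] != "keys":
        raise ValueError("Invalid name")
    return path[1], path[2], path[3:]


class CustodiaServerModel:
    """Toy stand-in for the server side (constructed for this example).

    supports_extra_args=False models a server that predates the patch: a
    request carrying an algorithm OID fails exactly like an unknown key, so
    the client cannot distinguish "old server" from "no such key".
    """

    def __init__(self, keys, supports_extra_args):
        self.keys = keys                      # nickname -> placeholder key material
        self.supports_extra_args = supports_extra_args

    def get(self, key):
        try:
            db, nickname, extra = parse_key_path(key)
            if db != "ca_wrapped":
                raise KeyError(db)
            if extra and not self.supports_extra_args:
                raise InvalidKeyArguments(key)
            raw = self.keys[nickname]
        except (ValueError, KeyError, InvalidKeyArguments):
            # Every failure collapses to the same 404, which is the ambiguity
            # the client-side fallback has to live with.
            raise KeyNotFound(key)
        # No OID given: wrap with the old default so that pre-AES Dogtag
        # clients can still import the key.
        algorithm = extra[0] if extra else DES_EDE3_CBC_OID
        return {"algorithm": algorithm, "wrapped": "wrapped(%s,%s)" % (raw, algorithm)}


def retrieve_wrapped_key(server, nickname):
    """Client side: request AES wrapping first, retry without the OID on 404.

    Returns (response, requested_oid); requested_oid is None when the fallback
    request was used, i.e. the server picked its own default algorithm.
    """
    base = "/keys/ca_wrapped/%s" % nickname
    try:
        return server.get("%s/%s" % (base, AES128_CBC_OID)), AES128_CBC_OID
    except KeyNotFound:
        # Old server or missing key: the plain request settles which.
        return server.get(base), None


def describe_retrieval(server, nickname):
    """Classify the outcome for reporting: 'aes', 'server-default' or 'missing'."""
    try:
        _response, requested = retrieve_wrapped_key(server, nickname)
    except KeyNotFound:
        return "missing"
    return "aes" if requested == AES128_CBC_OID else "server-default"


if __name__ == "__main__":
    keys = {"lwca-0": "k0"}   # constructed sample
    for label, server in (("new server", CustodiaServerModel(keys, True)),
                          ("old server", CustodiaServerModel(keys, False))):
        print(label, describe_retrieval(server, "lwca-0"),
              describe_retrieval(server, "lwca-9"))
```

Two points for operators follow from the model. The fallback request lets the server choose the wrap algorithm, so a replica that still answers with the old default silently produces 3DES-wrapped key material; if AES-only replication is the goal, confirm every server in the topology is upgraded rather than relying on the fallback. And the OID arrives as a client-supplied path component, so the server side should compare it against a fixed set of supported algorithms before it reaches the export command.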
[Freeipa-devel] [freeipa PR#3427][closed] [Backport][ipa-4-8] Profile-based system cert renewal
URL: https://github.com/freeipa/freeipa/pull/3427 Author: frasertweedale Title: #3427: [Backport][ipa-4-8] Profile-based system cert renewal Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3427/head:pr3427 git checkout pr3427
[Freeipa-devel] [freeipa PR#3427][opened] [Backport][ipa-4-8] Profile-based system cert renewal
URL: https://github.com/freeipa/freeipa/pull/3427 Author: frasertweedale Title: #3427: [Backport][ipa-4-8] Profile-based system cert renewal Action: opened PR body: """ This PR was opened automatically because PR #3316 was pushed to master and backport to ipa-4-8 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3427/head:pr3427 git checkout pr3427 From 6e9a42a6847af79196b09c633081e912cfdd4b02 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 17 May 2019 16:04:14 +1000 Subject: [PATCH 01/14] dogtaginstance: add profile to tracking requests Enabling "fresh" renewals (c.f. "renewal"-based renewals that reference the expired certificate and its associated request object) will improve renewal robustness. To use fresh renewals the tracking request must record the profile to be used. Make dogtaginstance record the profile when creating tracking requests for both CA and KRA. Note that 'Server-Cert cert-pki-ca' and the 'IPA RA' both use profile 'caServerCert', which is the default (according to dogtag-ipa-renew-agent which is part of Certmonger). So we do not need any special handling for those certificates. This commit does not handle upgrade. It will be handled in a subsequent commit. Part of: https://pagure.io/freeipa/issue/7991 --- ipaserver/install/cainstance.py | 10 ++ ipaserver/install/dogtaginstance.py | 8 +++- ipaserver/install/krainstance.py| 8 +--- 3 files changed, 18 insertions(+), 8 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 2295581870..a609b99531 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py 
@@ -267,10 +267,12 @@ class CAInstance(DogtagInstance): 2 = have signed cert, continue installation """ -tracking_reqs = ('auditSigningCert cert-pki-ca', - 'ocspSigningCert cert-pki-ca', - 'subsystemCert cert-pki-ca', - 'caSigningCert cert-pki-ca') +tracking_reqs = { +'auditSigningCert cert-pki-ca': 'caSignedLogCert', +'ocspSigningCert cert-pki-ca': 'caOCSPCert', +'subsystemCert cert-pki-ca': 'caSubsystemCert', +'caSigningCert cert-pki-ca': 'caCACert', +} server_cert_name = 'Server-Cert cert-pki-ca' # The following must be aligned with the RewriteRule defined in # install/share/ipa-pki-proxy.conf.template diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py index 5dca721d6c..1827edbe00 100644 --- a/ipaserver/install/dogtaginstance.py +++ b/ipaserver/install/dogtaginstance.py @@ -95,7 +95,12 @@ class DogtagInstance(service.Service): CA, KRA, and eventually TKS and TPS. """ -tracking_reqs = None +# Mapping of nicknames for tracking requests, and the profile to use for +# that certificate. 'configure_renewal()' reads this dict and adds the +# profile if configured. Certificates that use the default profile +# ("caServerCert", as defined by dogtag-ipa-renew-agent which is part of +# Certmonger) are omitted. +tracking_reqs = dict() server_cert_name = None # token for CA and subsystem certificates. For now, only internal token @@ -330,6 +335,7 @@ def configure_renewal(self): pin=pin, pre_command='stop_pkicad', post_command='renew_ca_cert "%s"' % nickname, +profile=self.tracking_reqs[nickname], ) except RuntimeError as e: logger.error( diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py index 90512ed91e..e083400f19 100644 --- a/ipaserver/install/krainstance.py +++ b/ipaserver/install/krainstance.py 
@@ -60,9 +60,11 @@ class KRAInstance(DogtagInstance): be the same for both the CA and KRA. """ -tracking_reqs = ('auditSigningCert cert-pki-kra', - 'transportCert cert-pki-kra', - 'storageCert cert-pki-kra') +tracking_reqs = { +'auditSigningCert cert-pki-kra': 'caInternalAuthAuditSigningCert', +'transportCert cert-pki-kra': 'caInternalAuthTransportCert', +'storageCert cert-pki-kra': 'caInternalAuthDRMstorageCert', +} def __init__(self, realm): super(KRAInstance, self).__init__( From 73046a904b9bed7ae5a987127e7d0cb3fe8e0e00 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 17 May 2019 16:30:47 +1000 Subject: [PATCH 02/14] upgrade: add profile to Dogtag tracking requests To use profile-based renewal (rather than "renewal existing cert" renewal which is brittle against database corruption or deleted certificate / request objects), Certmonger tracking requests for Dogtag system certs must record the profile to be used. Update the upgrade method that checks tracking requests to look for the profile. Tracking requests
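Review bot: the comment above `tracking_reqs = dict()` in the dogtaginstance.py hunk says certificates that use the default profile are omitted from the mapping, but `configure_renewal()` indexes `profile=self.tracking_reqs[nickname]`, so an omitted certificate is either never tracked at all (if the loop iterates the dict) or raises `KeyError` (if nicknames come from elsewhere). Either map such certificates to `None`, which `start_tracking` already skips via `if profile:`, or reword the comment to say they are handled separately through `server_cert_name`. A class attribute that subclasses override is also better written as `{}` or an immutable mapping than `dict()`.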
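Review bot: the cainstance.py and krainstance.py hunks hard-code the profile names (`caSignedLogCert`, `caOCSPCert`, `caSubsystemCert`, `caCACert`, `caInternalAuthAuditSigningCert`, `caInternalAuthTransportCert`, `caInternalAuthDRMstorageCert`) without saying where they come from; a comment pointing at the Dogtag profile definitions, plus a check in the upgrade path this series adds that each named profile exists and is enabled on the CA before tracking requests are recreated, would make a renewal failure caused by a wrong name much easier to diagnose.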
[Freeipa-devel] [freeipa PR#3316][closed] Profile-based system cert renewal
URL: https://github.com/freeipa/freeipa/pull/3316 Author: frasertweedale Title: #3316: Profile-based system cert renewal Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3316/head:pr3316 git checkout pr3316
[Freeipa-devel] [freeipa PR#3316][opened] [WIP] profile-based system cert renewal
URL: https://github.com/freeipa/freeipa/pull/3316 Author: frasertweedale Title: #3316: [WIP] profile-based system cert renewal Action: opened PR body: """ https://pagure.io/freeipa/issue/7991 Early PR to see what CI has to say about it... """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3316/head:pr3316 git checkout pr3316 From 5a83d40525a4f7cc471cac2651e91c8fe8e9ada6 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 17 May 2019 16:04:14 +1000 Subject: [PATCH 1/7] dogtaginstance: add profile to tracking requests Enabling "fresh" renewals (c.f. "renewal"-based renewals that reference the expired certificate and its associated request object) will improve renewal robustness. To use fresh renewals the tracking request must record the profile to be used. Make dogtaginstance record the profile when creating tracking requests for both CA and KRA. Note that 'Server-Cert cert-pki-ca' and the 'IPA RA' both use profile 'caServerCert', which is the default (according to dogtag-ipa-renew-agent which is part of Certmonger). So we do not need any special handling for those certificates. This commit does not handle upgrade. It will be handled in a subsequent commit. Part of: https://pagure.io/freeipa/issue/7991 --- ipaserver/install/cainstance.py | 10 ++ ipaserver/install/dogtaginstance.py | 8 +++- ipaserver/install/krainstance.py| 8 +--- 3 files changed, 18 insertions(+), 8 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 51c987278a..cf63cc0efb 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py 
@@ -278,10 +278,12 @@ class CAInstance(DogtagInstance): 2 = have signed cert, continue installation """ -tracking_reqs = ('auditSigningCert cert-pki-ca', - 'ocspSigningCert cert-pki-ca', - 'subsystemCert cert-pki-ca', - 'caSigningCert cert-pki-ca') +tracking_reqs = { +'auditSigningCert cert-pki-ca': 'caSignedLogCert', +'ocspSigningCert cert-pki-ca': 'caOCSPCert', +'subsystemCert cert-pki-ca': 'caSubsystemCert', +'caSigningCert cert-pki-ca': 'caCACert', +} server_cert_name = 'Server-Cert cert-pki-ca' # The following must be aligned with the RewriteRule defined in # install/share/ipa-pki-proxy.conf.template diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py index cc75d89746..cf46b8b80a 100644 --- a/ipaserver/install/dogtaginstance.py +++ b/ipaserver/install/dogtaginstance.py @@ -95,7 +95,12 @@ class DogtagInstance(service.Service): CA, KRA, and eventually TKS and TPS. """ -tracking_reqs = None +# Mapping of nicknames for tracking requests, and the profile to use for +# that certificate. 'configure_renewal()' reads this dict and adds the +# profile if configured. Certificates that use the default profile +# ("caServerCert", as defined by dogtag-ipa-renew-agent which is part of +# Certmonger) are omitted. +tracking_reqs = dict() server_cert_name = None # token for CA and subsystem certificates. For now, only internal token @@ -330,6 +335,7 @@ def configure_renewal(self): pin=pin, pre_command='stop_pkicad', post_command='renew_ca_cert "%s"' % nickname, +profile=self.tracking_reqs[nickname], ) except RuntimeError as e: logger.error( diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py index 90512ed91e..e083400f19 100644 --- a/ipaserver/install/krainstance.py +++ b/ipaserver/install/krainstance.py 
@@ -60,9 +60,11 @@ class KRAInstance(DogtagInstance): be the same for both the CA and KRA. """ -tracking_reqs = ('auditSigningCert cert-pki-kra', - 'transportCert cert-pki-kra', - 'storageCert cert-pki-kra') +tracking_reqs = { +'auditSigningCert cert-pki-kra': 'caInternalAuthAuditSigningCert', +'transportCert cert-pki-kra': 'caInternalAuthTransportCert', +'storageCert cert-pki-kra': 'caInternalAuthDRMstorageCert', +} def __init__(self, realm): super(KRAInstance, self).__init__( From 89375fb4c747073e6ed35c66bacb5816810cafb2 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 17 May 2019 16:30:47 +1000 Subject: [PATCH 2/7] upgrade: add profile to Dogtag tracking requests To use profile-based renewal (rather than "renewal existing cert" renewal which is brittle against database corruption or deleted certificate / request objects), Certmonger tracking requests for Dogtag system certs must record the profile to be used. Update the upgrade method that checks tracking requests to look for the profile. Tracking requests will be recreated if the expected data are
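Review bot: the CA and KRA `tracking_reqs` dicts in the cainstance.py and krainstance.py hunks are the only place the nickname-to-profile mapping lives, and a typo in a profile name would only show up when a certificate is next renewed. Add a unit test asserting that every nickname in both mappings maps to a non-empty profile string and that none of them is `server_cert_name` (which the commit message says uses the default `caServerCert` and is tracked separately), so the mapping is validated at test time rather than at renewal time.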
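The "upgrade: add profile to Dogtag tracking requests" commit message above says existing tracking requests are checked for the profile and recreated when the expected data are missing. As an added example (not FreeIPA's own code) of that check, the block below takes the nickname-to-profile mappings copied from the cainstance.py and krainstance.py hunks and a constructed list of existing-request records, and reports which requests need to be recreated. The handling of the default profile, the record shape, `request_matches` and `plan_tracking_upgrade` are assumptions made for this example; the real upgrade code reads certmonger's request objects, which this example does not model.

```python
# Added example, not FreeIPA code: decide which certmonger tracking requests
# must be recreated so that they record the renewal profile.

DEFAULT_PROFILE = "caServerCert"   # default per dogtag-ipa-renew-agent (from the commit message)

# Mappings as given in the cainstance.py and krainstance.py hunks.
CA_TRACKING_REQS = {
    "auditSigningCert cert-pki-ca": "caSignedLogCert",
    "ocspSigningCert cert-pki-ca": "caOCSPCert",
    "subsystemCert cert-pki-ca": "caSubsystemCert",
    "caSigningCert cert-pki-ca": "caCACert",
}
KRA_TRACKING_REQS = {
    "auditSigningCert cert-pki-kra": "caInternalAuthAuditSigningCert",
    "transportCert cert-pki-kra": "caInternalAuthTransportCert",
    "storageCert cert-pki-kra": "caInternalAuthDRMstorageCert",
}

# Constructed sample of what is currently tracked, shaped as plain dicts
# (nickname plus an optional recorded profile), not real certmonger output.
EXISTING_REQUESTS = [
    {"nickname": "auditSigningCert cert-pki-ca", "ca-profile": "caSignedLogCert"},
    {"nickname": "ocspSigningCert cert-pki-ca"},                               # pre-upgrade: no profile
    {"nickname": "subsystemCert cert-pki-ca", "ca-profile": "caServerCert"},  # wrong profile recorded
    {"nickname": "Server-Cert cert-pki-ca"},                                  # default profile, fine
]


def request_matches(expected_profile, request):
    """True when an existing tracking request already records the right profile.

    A request with no recorded profile is treated as using DEFAULT_PROFILE,
    which is what the renew agent applies when none is given; passing
    expected_profile=None means "the default is expected".
    """
    recorded = request.get("ca-profile") or DEFAULT_PROFILE
    return recorded == (expected_profile or DEFAULT_PROFILE)


def plan_tracking_upgrade(expected, existing):
    """Return {nickname: reason} for every tracking request that must be recreated.

    Nicknames that are tracked but absent from `expected` (such as the server
    certificate, which uses the default profile) are left alone.
    """
    by_nickname = {r["nickname"]: r for r in existing}
    plan = {}
    for nickname, profile in expected.items():
        request = by_nickname.get(nickname)
        if request is None:
            plan[nickname] = "no tracking request"
        elif not request_matches(profile, request):
            plan[nickname] = "profile %r recorded, %r expected" % (
                request.get("ca-profile"), profile)
    return plan


if __name__ == "__main__":
    for nickname, reason in sorted(plan_tracking_upgrade(CA_TRACKING_REQS, EXISTING_REQUESTS).items()):
        print("recreate %-32s %s" % (nickname, reason))
```

Note that a mismatching recorded profile (the `subsystemCert` entry above) is flagged, not only a missing one: a tracking request that names the wrong profile would renew with the wrong certificate extensions, which is a quieter failure than no renewal at all.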
[Freeipa-devel] [freeipa PR#3293][opened] [Backport][ipa-4-7] Fix Pytest4.x warnings
URL: https://github.com/freeipa/freeipa/pull/3293 Author: frasertweedale Title: #3293: [Backport][ipa-4-7] Fix Pytest4.x warnings Action: opened PR body: """ This PR was opened automatically because PR #3284 was pushed to master and backport to ipa-4-7 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3293/head:pr3293 git checkout pr3293 From d568d92e2c4d2adaf5378cb076a407c1870e6ce2 Mon Sep 17 00:00:00 2001 From: Stanislav Levin Date: Mon, 17 Jun 2019 13:28:21 +0300 Subject: [PATCH 1/2] Fix Pytest4.1+ warnings about pytest.config pytest.config global is deprecated since Pytest4.1: https://docs.pytest.org/en/latest/deprecations.html#pytest-config-global https://github.com/pytest-dev/pytest/issues/3050 Fixes: https://pagure.io/freeipa/issue/7981 Co-authored-by: Christian Heimes Signed-off-by: Stanislav Levin --- ipatests/conftest.py | 10 -- ipatests/test_util.py | 4 ++-- ipatests/util.py | 18 -- 3 files changed, 18 insertions(+), 14 deletions(-) diff --git a/ipatests/conftest.py b/ipatests/conftest.py index f7e7c84e41..c09df4aed6 100644 --- a/ipatests/conftest.py +++ b/ipatests/conftest.py @@ -13,6 +13,7 @@ from ipalib import api from ipalib.cli import cli_plugins +import ipatests.util try: import ipaplatform # pylint: disable=unused-import @@ -84,6 +85,11 @@ def pytest_configure(config): # always run doc tests config.option.doctestmodules = True +# apply global options +ipatests.util.SKIP_IPAAPI = config.option.skip_ipaapi +ipatests.util.IPACLIENT_UNITTESTS = config.option.ipaclient_unittests +ipatests.util.PRETTY_PRINT = config.option.pretty_print + def pytest_addoption(parser): group = parser.getgroup("IPA integration tests") 
@@ -135,11 +141,11 @@ def pytest_runtest_setup(item): get_marker = item.get_marker # pylint: disable=no-member if get_marker('skip_ipaclient_unittest'): # pylint: disable=no-member -if pytest.config.option.ipaclient_unittests: +if item.config.option.ipaclient_unittests: pytest.skip("Skip in ipaclient unittest mode") if get_marker('needs_ipaapi'): # pylint: disable=no-member -if pytest.config.option.skip_ipaapi: +if item.config.option.skip_ipaapi: pytest.skip("Skip tests that needs an IPA API") diff --git a/ipatests/test_util.py b/ipatests/test_util.py index 078c46294d..68db1ca68e 100644 --- a/ipatests/test_util.py +++ b/ipatests/test_util.py @@ -152,10 +152,10 @@ def test_eq(self): assert (None == self.klass()) is True -def test_assert_deepequal(): +def test_assert_deepequal(pytestconfig): f = util.assert_deepequal try: # pylint: disable=no-member -pretty = pytest.config.getoption("pretty_print") +pretty = pytestconfig.getoption("pretty_print") except (AttributeError, ValueError): pretty = False diff --git a/ipatests/util.py b/ipatests/util.py index 60c5ff73ca..fd9c7a41b0 100644 --- a/ipatests/util.py +++ b/ipatests/util.py @@ -67,12 +67,16 @@ PYTEST_VERSION = tuple(int(v) for v in pytest.__version__.split('.')) +# settings are configured by conftest +IPACLIENT_UNITTESTS = None +SKIP_IPAAPI = None +PRETTY_PRINT = None + def check_ipaclient_unittests(reason="Skip in ipaclient unittest mode"): """Call this in a package to skip the package in ipaclient-unittest mode """ -config = pytest.config # pylint: disable=no-member -if config.getoption('ipaclient_unittests', False): +if IPACLIENT_UNITTESTS: if PYTEST_VERSION[0] >= 3: # pytest 3+ does no longer allow pytest.skip() on module level # pylint: disable=unexpected-keyword-arg 
@@ -85,8 +89,7 @@ def check_ipaclient_unittests(reason="Skip in ipaclient unittest mode"): def check_no_ipaapi(reason="Skip tests that needs an IPA API"): """Call this in a package to skip the package in no-ipaapi mode """ -config = pytest.config # pylint: disable=no-member -if config.getoption('skip_ipaapi', False): +if SKIP_IPAAPI: if PYTEST_VERSION[0] >= 3: # pylint: disable=unexpected-keyword-arg raise pytest.skip.Exception(reason, allow_module_level=True) @@ -384,12 +387,7 @@ def assert_deepequal(expected, got, doc='', stack=tuple()): Note that lists and tuples are considered equivalent, and the order of their elements does not matter. """ -try: -pretty_print = pytest.config.getoption("pretty_print") -except (AttributeError, ValueError): -pretty_print = False - -if pretty_print: +if PRETTY_PRINT: expected_str = struct_to_string(expected, EXPECTED_LEN) got_str = struct_to_string(got, GOT_LEN) else: From a163bf543f3c53432c6ae47299c941f9b63b9efe Mon Sep 17 00:00:00 2001 From: Stanislav Levin Date:
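Review bot: in the test_util.py hunk, the `# pylint: disable=no-member` line kept above `pretty = pytestconfig.getoption("pretty_print")` is now stale (it was there for `pytest.config`), and the surrounding `try/except (AttributeError, ValueError)` only needs `ValueError` once the `pytestconfig` fixture is used; trim both so the intent of the remaining guard is clear.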
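Review bot: the module-level `IPACLIENT_UNITTESTS`, `SKIP_IPAAPI` and `PRETTY_PRINT` globals in the util.py hunks default to `None` and are only assigned from `pytest_configure` in conftest.py, so `check_ipaclient_unittests()`, `check_no_ipaapi()` and `assert_deepequal()` silently behave as "option not set" when called from a module imported before configuration or outside pytest. That matches the previous effective default (`getoption(..., False)`), but it is now implicit; a comment on the three globals saying that `None` means "pytest not configured yet", or a small `configure(config)` function in `ipatests.util` that conftest calls instead of writing into another module's namespace, would keep the behaviour intentional.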
[Freeipa-devel] [freeipa PR#3284][closed] Fix Pytest4.x warnings
URL: https://github.com/freeipa/freeipa/pull/3284 Author: stanislavlevin Title: #3284: Fix Pytest4.x warnings Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3284/head:pr3284 git checkout pr3284
[Freeipa-devel] [freeipa PR#3291][opened] [Backport][ipa-4-7] nfs.py: fix user creation
URL: https://github.com/freeipa/freeipa/pull/3291 Author: frasertweedale Title: #3291: [Backport][ipa-4-7] nfs.py: fix user creation Action: opened PR body: """ This PR was opened automatically because PR #3274 was pushed to master and backport to ipa-4-7 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3291/head:pr3291 git checkout pr3291 From 29c85a0bec6887b6a3ad1e92b3452659b0a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Fri, 14 Jun 2019 15:11:41 +0200 Subject: [PATCH] nfs.py: fix user creation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit nfs.py calls "ipa user-add" without inputting the password twice leading to a timeout. Input password twice then. Signed-off-by: François Cami --- ipatests/test_integration/test_nfs.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipatests/test_integration/test_nfs.py b/ipatests/test_integration/test_nfs.py index 56bdf2c81c..b215fcc7c9 100644 --- a/ipatests/test_integration/test_nfs.py +++ b/ipatests/test_integration/test_nfs.py @@ -117,7 +117,7 @@ def test_prepare_users(self): "ipa", "user-add", "%s" % user, "--first", "%s" % user, "--last", "%s" % users[user], -'--password'], stdin_text=temp_pass +'--password'], stdin_text="%s\n%s\n" % (temp_pass, temp_pass) ) self.master.run_command(["kdestroy", "-A"]) password = "Secret123" ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
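Review bot: the test_nfs.py hunk fixes the hang by feeding `temp_pass` twice, but nothing in the test records why; a short comment on the `stdin_text=` line stating that `ipa user-add --password` prompts for the password and then for its confirmation would stop a future cleanup from collapsing it back to a single value and reintroducing the timeout described in the commit message.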
[Freeipa-devel] [freeipa PR#3292][opened] [Backport][ipa-4-6] nfs.py: fix user creation
URL: https://github.com/freeipa/freeipa/pull/3292 Author: frasertweedale Title: #3292: [Backport][ipa-4-6] nfs.py: fix user creation Action: opened PR body: """ This PR was opened automatically because PR #3274 was pushed to master and backport to ipa-4-6 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3292/head:pr3292 git checkout pr3292 From 8aff760a3606bf78f4dad3ea58d86ddd34cd5442 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= Date: Fri, 14 Jun 2019 15:11:41 +0200 Subject: [PATCH] nfs.py: fix user creation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit nfs.py calls "ipa user-add" without inputting the password twice leading to a timeout. Input password twice then. Signed-off-by: François Cami --- ipatests/test_integration/test_nfs.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipatests/test_integration/test_nfs.py b/ipatests/test_integration/test_nfs.py index d2d5ff83aa..5230e2e5c6 100644 --- a/ipatests/test_integration/test_nfs.py +++ b/ipatests/test_integration/test_nfs.py @@ -118,7 +118,7 @@ def test_prepare_users(self): "ipa", "user-add", "%s" % user, "--first", "%s" % user, "--last", "%s" % users[user], -'--password'], stdin_text=temp_pass +'--password'], stdin_text="%s\n%s\n" % (temp_pass, temp_pass) ) self.master.run_command(["kdestroy", "-A"]) password = "Secret123" ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#3274][closed] nfs.py: fix user creation
URL: https://github.com/freeipa/freeipa/pull/3274 Author: fcami Title: #3274: nfs.py: fix user creation Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3274/head:pr3274 git checkout pr3274
[Freeipa-devel] [freeipa PR#3271][closed] [Backport][ipa-4-7] Hidden replica documentation: fix typo
URL: https://github.com/freeipa/freeipa/pull/3271 Author: fcami Title: #3271: [Backport][ipa-4-7] Hidden replica documentation: fix typo Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3271/head:pr3271 git checkout pr3271
[Freeipa-devel] [freeipa PR#3286][closed] Add Fedora 30 test definitions and bump PR-CI template version
URL: https://github.com/freeipa/freeipa/pull/3286 Author: frasertweedale Title: #3286: Add Fedora 30 test definitions and bump PR-CI template version Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3286/head:pr3286 git checkout pr3286
[Freeipa-devel] [freeipa PR#3287][opened] [Backport][ipa-4-7] Wrap CustodiaClient in context manager
URL: https://github.com/freeipa/freeipa/pull/3287 Author: frasertweedale Title: #3287: [Backport][ipa-4-7] Wrap CustodiaClient in context manager Action: opened PR body: """ Manual backport of #3262 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3287/head:pr3287 git checkout pr3287 From 7c479a911a43943869a66f727c8e38eefcaafc32 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 30 May 2019 20:57:10 +1000 Subject: [PATCH 1/2] Handle missing LWCA certificate or chain If lightweight CA key replication has not completed, requests for the certificate or chain will return 404**. This can occur in normal operation, and should be a temporary condition. Detect this case and handle it by simply omitting the 'certificate' and/or 'certificate_out' fields in the response, and add a warning message to the response. Also update the client-side plugin that handles the --certificate-out option. Because the CLI will automatically print the warning message, if the expected field is missing from the response, just ignore it and continue processing. ** after the Dogtag NullPointerException gets fixed! Part of: https://pagure.io/freeipa/issue/7964 Reviewed-By: Christian Heimes Reviewed-By: Fraser Tweedale --- ipaclient/plugins/ca.py | 19 +++--- ipalib/messages.py | 9 +++ ipaserver/plugins/ca.py | 57 +++-- 3 files changed, 68 insertions(+), 17 deletions(-) diff --git a/ipaclient/plugins/ca.py b/ipaclient/plugins/ca.py index f0e7d5ced0..ab47ae85df 100644 --- a/ipaclient/plugins/ca.py +++ b/ipaclient/plugins/ca.py 
@@ -33,13 +33,24 @@ def forward(self, *keys, **options): error=str(e)) result = super(WithCertOutArgs, self).forward(*keys, **options) + if filename: +# if result certificate / certificate_chain not present in result, +# it means Dogtag did not provide it (probably due to LWCA key +# replication lag or failure. The server transmits a warning +# message in this case, which the client automatically prints. +# So in this section we just ignore it and move on. +certs = None if options.get('chain', False): -certs = result['result']['certificate_chain'] +if 'certificate_chain' in result['result']: +certs = result['result']['certificate_chain'] else: -certs = [base64.b64decode(result['result']['certificate'])] -certs = (x509.load_der_x509_certificate(cert) for cert in certs) -x509.write_certificate_list(certs, filename) +if 'certificate' in result['result']: +certs = [base64.b64decode(result['result']['certificate'])] +if certs: +x509.write_certificate_list( +(x509.load_der_x509_certificate(cert) for cert in certs), +filename) return result diff --git a/ipalib/messages.py b/ipalib/messages.py index 9e2c990d6d..6466627956 100644 --- a/ipalib/messages.py +++ b/ipalib/messages.py @@ -487,6 +487,15 @@ class FailedToAddHostDNSRecords(PublicMessage): "%(reason)s") +class LightweightCACertificateNotAvailable(PublicMessage): +""" +**13031** Certificate is not available +""" +errno = 13031 +type = "error" +format = _("The certificate for %(ca)s is not available on this server.") + + def iter_messages(variables, base): """Return a tuple with all subclasses """ diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py index 88e7ec2a9f..c8f1630c65 100644 --- a/ipaserver/plugins/ca.py +++ b/ipaserver/plugins/ca.py 
@@ -6,7 +6,7 @@ import six -from ipalib import api, errors, output, Bytes, DNParam, Flag, Str +from ipalib import api, errors, messages, output, Bytes, DNParam, Flag, Str from ipalib.constants import IPA_CA_CN from ipalib.plugable import Registry from ipapython.dn import ATTR_NAME_BY_OID @@ -163,28 +163,53 @@ class ca(LDAPObject): def set_certificate_attrs(entry, options, want_cert=True): +""" +Set certificate attributes into the entry. Depending on +options, this may contact Dogtag to retrieve certificate or +chain. If the retrieval fails with 404 (which can occur under +normal operation due to lightweight CA key replication delay), +return a message object that should be set in the response. + +""" try: ca_id = entry['ipacaid'][0] except KeyError: -return +return None full = options.get('all', False) want_chain = options.get('chain', False) want_data = want_cert or want_chain or full if not want_data: -return +return None + +msg = None with api.Backend.ra_lightweight_ca as ca_api: if want_cert or full: -der
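Review bot: in the ipaclient/plugins/ca.py hunk, when `filename` is given but neither `certificate` nor `certificate_chain` is present in `result['result']`, `forward()` returns success without creating the requested file; the comment relies on the server-side warning being printed, but nothing local records that `--certificate-out` was not honoured. A debug-level log line in the `if certs:` else-case would make that visible, and the comment's opening parenthesis in "(probably due to LWCA key replication lag or failure." is never closed.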
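Review bot: in the ipalib/messages.py hunk, LightweightCACertificateNotAvailable is declared with `type = "error"`, while the commit message describes it as a warning added to an otherwise successful response; confirm which severity is intended, since a message typed "error" attached to a command that returns success is at least surprising to read, and if "warning" is meant the class should say so.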
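Review bot: in the ipaserver/plugins/ca.py hunk, `set_certificate_attrs` changes its contract from returning nothing to returning None or a message object that, per the new docstring, "should be set in the response"; the hunk is cut off before any call site, so make sure every caller in ca.py consumes the return value and adds the message to the response, otherwise the 404 case degrades to silently missing fields with no explanation. Minor: the docstring carries a stray blank line before its closing quotes.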
[Freeipa-devel] [freeipa PR#3286][opened] Add Fedora 30 test definitions and bump template version
URL: https://github.com/freeipa/freeipa/pull/3286 Author: frasertweedale Title: #3286: Add Fedora 30 test definitions and bump template version Action: opened PR body: """ Re-do of #3210 now that #3262 was merged. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3286/head:pr3286 git checkout pr3286 From 8b9ee97cb21fe3ec41ea3ead0698ac3e1f15e64a Mon Sep 17 00:00:00 2001 From: Armando Neto Date: Tue, 28 May 2019 17:48:54 -0300 Subject: [PATCH] Add Fedora 30 test definitions and bump template version Signed-off-by: Armando Neto --- ipatests/prci_definitions/gating.yaml | 144 +- ipatests/prci_definitions/nightly_f29.yaml| 1230 + ipatests/prci_definitions/nightly_master.yaml | 786 +-- ipatests/prci_definitions/temp_commit.yaml| 16 +- 4 files changed, 1703 insertions(+), 473 deletions(-) create mode 100644 ipatests/prci_definitions/nightly_f29.yaml diff --git a/ipatests/prci_definitions/gating.yaml b/ipatests/prci_definitions/gating.yaml index 2630e7a411..b429427c40 100644 --- a/ipatests/prci_definitions/gating.yaml +++ b/ipatests/prci_definitions/gating.yaml @@ -13,7 +13,7 @@ topologies: memory: 7400 jobs: - fedora-29/build: + fedora-30/build: requires: [] priority: 100 job: 
@@ -21,213 +21,213 @@ jobs: args: git_repo: '{git_repo}' git_refspec: '{git_refspec}' -template: &ci-master-f29 - name: freeipa/ci-master-f29 - version: 0.2.1 +template: &ci-master-f30 + name: freeipa/ci-master-f30 + version: 0.0.2 timeout: 1800 topology: *build - fedora-29/test_installation_TestInstallMaster: -requires: [fedora-29/build] + fedora-30/test_installation_TestInstallMaster: +requires: [fedora-30/build] priority: 50 job: class: RunPytest args: -build_url: '{fedora-29/build_url}' +build_url: '{fedora-30/build_url}' test_suite: test_integration/test_installation.py::TestInstallMaster -template: *ci-master-f29 +template: *ci-master-f30 timeout: 3600 topology: *master_1repl - fedora-29/simple_replication: -requires: [fedora-29/build] + fedora-30/simple_replication: +requires: [fedora-30/build] priority: 50 job: class: RunPytest args: -build_url: '{fedora-29/build_url}' +build_url: '{fedora-30/build_url}' test_suite: test_integration/test_simple_replication.py -template: *ci-master-f29 +template: *ci-master-f30 timeout: 3600 topology: *master_1repl - fedora-29/caless: -requires: [fedora-29/build] + fedora-30/caless: +requires: [fedora-30/build] priority: 50 job: class: RunPytest args: -build_url: '{fedora-29/build_url}' +build_url: '{fedora-30/build_url}' test_suite: test_integration/test_caless.py::TestServerReplicaCALessToCAFull -template: *ci-master-f29 +template: *ci-master-f30 timeout: 3600 topology: *master_1repl - fedora-29/external_ca_1: -requires: [fedora-29/build] + fedora-30/external_ca_1: +requires: [fedora-30/build] priority: 50 job: class: RunPytest args: -build_url: '{fedora-29/build_url}' +build_url: '{fedora-30/build_url}' test_suite: test_integration/test_external_ca.py::TestExternalCA -template: *ci-master-f29 +template: *ci-master-f30 timeout: 4800 topology: *master_1repl_1client - fedora-29/external_ca_2: -requires: [fedora-29/build] + fedora-30/external_ca_2: +requires: [fedora-30/build] priority: 50 job: class: RunPytest args: 
-build_url: '{fedora-29/build_url}' +build_url: '{fedora-30/build_url}' test_suite: test_integration/test_external_ca.py::TestSelfExternalSelf test_integration/test_external_ca.py::TestExternalCAInstall -template: *ci-master-f29 +template: *ci-master-f30 timeout: 3600 topology: *master_1repl - fedora-29/test_topologies: -requires: [fedora-29/build] + fedora-30/test_topologies: +requires: [fedora-30/build] priority: 50 job: class: RunPytest args: -build_url: '{fedora-29/build_url}' +build_url: '{fedora-30/build_url}' test_suite: test_integration/test_topologies.py -template: *ci-master-f29 +template: *ci-master-f30 timeout: 3600 topology: *master_1repl - fedora-29/test_sudo: -requires: [fedora-29/build] + fedora-30/test_sudo: +requires: [fedora-30/build] priority: 50 job: class: RunPytest args: -build_url: '{fedora-29/build_url}' +build_url: '{fedora-30/build_url}' test_suite: test_integration/test_sudo.py -template: *
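Review bot: in the gating.yaml hunk the new `ci-master-f30` template anchor pins `version: 0.0.2` while the replaced `ci-master-f29` was at 0.2.1; that is plausible for a freshly published template but deserves a sentence in the PR description, because a wrong template version is a common cause of spurious PR-CI failures. The diffstat also creates nightly_f29.yaml with 1230 lines: confirm it is a verbatim move of the previous nightly_master.yaml content so Fedora 29 nightly coverage is preserved rather than rewritten.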
[Freeipa-devel] [freeipa PR#3265][closed] Test PR 3262 on f30
URL: https://github.com/freeipa/freeipa/pull/3265 Author: frasertweedale Title: #3265: Test PR 3262 on f30 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3265/head:pr3265 git checkout pr3265
[Freeipa-devel] [freeipa PR#3262][closed] Wrap CustodiaClient in context manager
URL: https://github.com/freeipa/freeipa/pull/3262 Author: tiran Title: #3262: Wrap CustodiaClient in context manager Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3262/head:pr3262 git checkout pr3262
[Freeipa-devel] [freeipa PR#3273][closed] Bump release number to 4.7.91
URL: https://github.com/freeipa/freeipa/pull/3273 Author: tiran Title: #3273: Bump release number to 4.7.91 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3273/head:pr3273 git checkout pr3273
[Freeipa-devel] [freeipa PR#3265][reopened] Test PR 3262 on f30
URL: https://github.com/freeipa/freeipa/pull/3265 Author: frasertweedale Title: #3265: Test PR 3262 on f30 Action: reopened To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3265/head:pr3265 git checkout pr3265
[Freeipa-devel] [freeipa PR#3265][closed] Test PR 3262 on f30
URL: https://github.com/freeipa/freeipa/pull/3265 Author: frasertweedale Title: #3265: Test PR 3262 on f30 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3265/head:pr3265 git checkout pr3265
[Freeipa-devel] [freeipa PR#3216][closed] fix LWCA key retrieval on f30
URL: https://github.com/freeipa/freeipa/pull/3216 Author: frasertweedale Title: #3216: fix LWCA key retrieval on f30 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3216/head:pr3216 git checkout pr3216
[Freeipa-devel] [freeipa PR#3253][opened] [Backport][ipa-4-6] dn: sort AVAs when converting from x509.Name
URL: https://github.com/freeipa/freeipa/pull/3253 Author: frasertweedale Title: #3253: [Backport][ipa-4-6] dn: sort AVAs when converting from x509.Name Action: opened PR body: """ This PR was opened automatically because PR #3212 was pushed to master and backport to ipa-4-6 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3253/head:pr3253 git checkout pr3253 From b09f3cf0bad513443284a077f0bbe540fd7d Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 29 May 2019 13:22:35 +1000 Subject: [PATCH] dn: sort AVAs when converting from x509.Name Equal DNs with multi-valued RDNs can compare inequal if one (or both) is constructed from a cryptography.x509.Name, because the AVAs in the multi-valued RDNs are not being sorted. Sort the AVAs when constructing from Name and add test cases for equality checks on multi-valued RDNs constructed from inputs with permuted AVA order. Part of: https://pagure.io/freeipa/issue/7963 --- ipapython/dn.py| 2 ++ ipatests/test_ipapython/test_dn.py | 21 + 2 files changed, 23 insertions(+) diff --git a/ipapython/dn.py b/ipapython/dn.py index 1f5e09cf5c..0086fcd75a 100644 --- a/ipapython/dn.py +++ b/ipapython/dn.py @@ -1135,6 +1135,8 @@ def _rdns_from_value(self, value): ava.value) for ava in rdn] for rdn in value.rdns ])) +for rdn in rdns: +sort_avas(rdn) else: raise TypeError( "must be str, unicode, tuple, Name, RDN or DN, got %s instead" diff --git a/ipatests/test_ipapython/test_dn.py b/ipatests/test_ipapython/test_dn.py index 5e6436cdf2..7c80d729ed 100644 --- a/ipatests/test_ipapython/test_dn.py +++ b/ipatests/test_ipapython/test_dn.py 
@@ -669,6 +669,10 @@ def setUp(self): x509.RelativeDistinguishedName([c, st]), x509.RelativeDistinguishedName([cn]), ]) +self.x500nameMultiRDN2 = x509.Name([ +x509.RelativeDistinguishedName([st, c]), +x509.RelativeDistinguishedName([cn]), +]) def assertExpectedClass(self, klass, obj, component): self.assertIs(obj.__class__, expected_class(klass, component)) @@ -943,6 +947,23 @@ def test_cmp(self): self.assertFalse(self.container_rdn1 in self.base_dn) +def test_eq_multi_rdn(self): +dn1 = DN(self.ava1, 'ST=Queensland+C=AU') +dn2 = DN(self.ava1, 'C=AU+ST=Queensland') +self.assertEqual(dn1, dn2) + +# ensure AVAs get sorted when constructing from x509.Name +dn3 = DN(self.x500nameMultiRDN) +dn4 = DN(self.x500nameMultiRDN2) +self.assertEqual(dn3, dn4) + +# ensure AVAs get sorted in the same way regardless of what +# the DN was constructed from +self.assertEqual(dn1, dn3) +self.assertEqual(dn1, dn4) +self.assertEqual(dn2, dn3) +self.assertEqual(dn2, dn4) + def test_indexing(self): dn1 = DN(self.dn1) dn2 = DN(self.dn2) ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
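Review bot: the ipapython/dn.py hunk sorts each RDN's AVAs in place right after building `rdns` from `value.rdns`, so a DN constructed from an x509.Name no longer preserves the AVA order found in the certificate subject; that is the intended fix for equality, but any code that re-serialises such a DN and compares it textually against the original Name, or hands it back to Dogtag, will now see a different string. A sentence on that in the commit message would help, and the sort must be the same `sort_avas` the string-parsing branch uses, otherwise the `dn1 == dn3` assertion in the new test only holds by accident for this one ordering.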
[Freeipa-devel] [freeipa PR#3252][opened] [Backport][ipa-4-7] dn: sort AVAs when converting from x509.Name
URL: https://github.com/freeipa/freeipa/pull/3252 Author: frasertweedale Title: #3252: [Backport][ipa-4-7] dn: sort AVAs when converting from x509.Name Action: opened PR body: """ This PR was opened automatically because PR #3212 was pushed to master and backport to ipa-4-7 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3252/head:pr3252 git checkout pr3252 From 27f8ac1baa00026f77ff784e425a9297e5a3aa33 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 29 May 2019 13:22:35 +1000 Subject: [PATCH] dn: sort AVAs when converting from x509.Name Equal DNs with multi-valued RDNs can compare inequal if one (or both) is constructed from a cryptography.x509.Name, because the AVAs in the multi-valued RDNs are not being sorted. Sort the AVAs when constructing from Name and add test cases for equality checks on multi-valued RDNs constructed from inputs with permuted AVA order. Part of: https://pagure.io/freeipa/issue/7963 --- ipapython/dn.py| 2 ++ ipatests/test_ipapython/test_dn.py | 21 + 2 files changed, 23 insertions(+) diff --git a/ipapython/dn.py b/ipapython/dn.py index 1f5e09cf5c..0086fcd75a 100644 --- a/ipapython/dn.py +++ b/ipapython/dn.py @@ -1135,6 +1135,8 @@ def _rdns_from_value(self, value): ava.value) for ava in rdn] for rdn in value.rdns ])) +for rdn in rdns: +sort_avas(rdn) else: raise TypeError( "must be str, unicode, tuple, Name, RDN or DN, got %s instead" diff --git a/ipatests/test_ipapython/test_dn.py b/ipatests/test_ipapython/test_dn.py index 5e6436cdf2..7c80d729ed 100644 --- a/ipatests/test_ipapython/test_dn.py +++ b/ipatests/test_ipapython/test_dn.py 
@@ -669,6 +669,10 @@ def setUp(self): x509.RelativeDistinguishedName([c, st]), x509.RelativeDistinguishedName([cn]), ]) +self.x500nameMultiRDN2 = x509.Name([ +x509.RelativeDistinguishedName([st, c]), +x509.RelativeDistinguishedName([cn]), +]) def assertExpectedClass(self, klass, obj, component): self.assertIs(obj.__class__, expected_class(klass, component)) @@ -943,6 +947,23 @@ def test_cmp(self): self.assertFalse(self.container_rdn1 in self.base_dn) +def test_eq_multi_rdn(self): +dn1 = DN(self.ava1, 'ST=Queensland+C=AU') +dn2 = DN(self.ava1, 'C=AU+ST=Queensland') +self.assertEqual(dn1, dn2) + +# ensure AVAs get sorted when constructing from x509.Name +dn3 = DN(self.x500nameMultiRDN) +dn4 = DN(self.x500nameMultiRDN2) +self.assertEqual(dn3, dn4) + +# ensure AVAs get sorted in the same way regardless of what +# the DN was constructed from +self.assertEqual(dn1, dn3) +self.assertEqual(dn1, dn4) +self.assertEqual(dn2, dn3) +self.assertEqual(dn2, dn4) + def test_indexing(self): dn1 = DN(self.dn1) dn2 = DN(self.dn2) ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
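Review bot: `test_eq_multi_rdn` in the test_dn.py hunk exercises `==` across all permuted inputs but not `hash()`; if DN defines `__hash__` (DN objects are used as dict keys elsewhere), equal DNs must hash equal, so `self.assertEqual(hash(dn1), hash(dn3))` belongs beside the equality checks, and `self.assertEqual(str(dn3), str(dn4))` would pin the canonical rendering that the sort is meant to produce.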
[Freeipa-devel] [freeipa PR#3212][closed] dn: sort AVAs when converting from x509.Name
URL: https://github.com/freeipa/freeipa/pull/3212 Author: frasertweedale Title: #3212: dn: sort AVAs when converting from x509.Name Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3212/head:pr3212 git checkout pr3212
[Freeipa-devel] [freeipa PR#3249][opened] .gitignore: add ipa-cert-fix program
URL: https://github.com/freeipa/freeipa/pull/3249 Author: frasertweedale Title: #3249: .gitignore: add ipa-cert-fix program Action: opened PR body: """ None """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3249/head:pr3249 git checkout pr3249 From 203172e8e4ab0c75645cf06c47731b99f3a86a0e Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 31 May 2019 11:40:42 +1000 Subject: [PATCH] .gitignore: add ipa-cert-fix program --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 775d021711..724eaeda70 100644 --- a/.gitignore +++ b/.gitignore @@ -147,6 +147,7 @@ install/tools/ipa-advise install/tools/ipa-backup install/tools/ipa-cacert-manage install/tools/ipa-ca-install +install/tools/ipa-cert-fix install/tools/ipa-compat-manage install/tools/ipa-csreplica-manage install/tools/ipactl ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
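Review bot: the .gitignore hunk has no commit body and the PR description is "None"; one line stating that install/tools/ipa-cert-fix is a build-generated script, like its neighbours ipa-cacert-manage and ipa-ca-install, would tell a reader why it is ignored rather than tracked.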
[Freeipa-devel] [freeipa PR#3219][closed] .gitignore: add ipa-cert-fix program
URL: https://github.com/freeipa/freeipa/pull/3219 Author: frasertweedale Title: #3219: .gitignore: add ipa-cert-fix program Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3219/head:pr3219 git checkout pr3219
[Freeipa-devel] [freeipa PR#3219][opened] .gitignore: add ipa-cert-fix program
URL: https://github.com/freeipa/freeipa/pull/3219 Author: frasertweedale Title: #3219: .gitignore: add ipa-cert-fix program Action: opened PR body: """ None """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3219/head:pr3219 git checkout pr3219 From 640d0761da4cb9d958bc51a0bdec0124fb86f0e9 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 31 May 2019 11:40:42 +1000 Subject: [PATCH] .gitignore: add ipa-cert-fix program --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 890af17498..abf7e44a90 100644 --- a/.gitignore +++ b/.gitignore @@ -151,6 +151,7 @@ install/tools/ipa-advise install/tools/ipa-backup install/tools/ipa-cacert-manage install/tools/ipa-ca-install +install/tools/ipa-cert-fix install/tools/ipa-compat-manage install/tools/ipa-csreplica-manage install/tools/ipactl ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#3211][closed] [Backport][ipa-4-7] Add ipa-cert-fix tool
URL: https://github.com/freeipa/freeipa/pull/3211 Author: frasertweedale Title: #3211: [Backport][ipa-4-7] Add ipa-cert-fix tool Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3211/head:pr3211 git checkout pr3211
[Freeipa-devel] [freeipa PR#3180][closed] [ipa-4-6] ipa-cert-fix fixes
URL: https://github.com/freeipa/freeipa/pull/3180 Author: frasertweedale Title: #3180: [ipa-4-6] ipa-cert-fix fixes Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3180/head:pr3180 git checkout pr3180
[Freeipa-devel] [freeipa PR#3212][opened] dn: sort AVAs when converting from x509.Name
URL: https://github.com/freeipa/freeipa/pull/3212 Author: frasertweedale Title: #3212: dn: sort AVAs when converting from x509.Name Action: opened PR body: """ Equal DNs with multi-valued RDNs can compare inequal if one (or both) is constructed from a cryptography.x509.Name, because the AVAs in the multi-valued RDNs are not being sorted. Sort the AVAs when constructing from Name and add test cases for equality checks on multi-valued RDNs constructed from inputs with permuted AVA order. Part of: https://pagure.io/freeipa/issue/7963 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3212/head:pr3212 git checkout pr3212 From e9f16176f2a74308a7f8892c5c1bc2b53edad678 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 29 May 2019 13:22:35 +1000 Subject: [PATCH] dn: sort AVAs when converting from x509.Name Equal DNs with multi-valued RDNs can compare inequal if one (or both) is constructed from a cryptography.x509.Name, because the AVAs in the multi-valued RDNs are not being sorted. Sort the AVAs when constructing from Name and add test cases for equality checks on multi-valued RDNs constructed from inputs with permuted AVA order. Part of: https://pagure.io/freeipa/issue/7963 --- ipapython/dn.py| 2 ++ ipatests/test_ipapython/test_dn.py | 21 + 2 files changed, 23 insertions(+) diff --git a/ipapython/dn.py b/ipapython/dn.py index fda28a3f9c..aa15c19ca7 100644 --- a/ipapython/dn.py +++ b/ipapython/dn.py @@ -1141,6 +1141,8 @@ def _rdns_from_value(self, value): ava.value) for ava in rdn] for rdn in value.rdns ])) +for rdn in rdns: +sort_avas(rdn) else: raise TypeError( "must be str, unicode, tuple, Name, RDN or DN, got %s instead" diff --git a/ipatests/test_ipapython/test_dn.py b/ipatests/test_ipapython/test_dn.py index a21abd69b1..7e3f8cb02d 100644 --- a/ipatests/test_ipapython/test_dn.py +++ b/ipatests/test_ipapython/test_dn.py 
@@ -672,6 +672,10 @@ def setUp(self): x509.RelativeDistinguishedName([c, st]), x509.RelativeDistinguishedName([cn]), ]) +self.x500nameMultiRDN2 = x509.Name([ +x509.RelativeDistinguishedName([st, c]), +x509.RelativeDistinguishedName([cn]), +]) def assertExpectedClass(self, klass, obj, component): self.assertIs(obj.__class__, expected_class(klass, component)) @@ -946,6 +950,23 @@ def test_cmp(self): self.assertFalse(self.container_rdn1 in self.base_dn) +def test_eq_multi_rdn(self): +dn1 = DN(self.ava1, 'ST=Queensland+C=AU') +dn2 = DN(self.ava1, 'C=AU+ST=Queensland') +self.assertEqual(dn1, dn2) + +# ensure AVAs get sorted when constructing from x509.Name +dn3 = DN(self.x500nameMultiRDN) +dn4 = DN(self.x500nameMultiRDN2) +self.assertEqual(dn3, dn4) + +# ensure AVAs get sorted in the same way regardless of what +# the DN was constructed from +self.assertEqual(dn1, dn3) +self.assertEqual(dn1, dn4) +self.assertEqual(dn2, dn3) +self.assertEqual(dn2, dn4) + def test_indexing(self): dn1 = DN(self.dn1) dn2 = DN(self.dn2) ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
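Review bot: the dn.py hunk sorts each RDN in place with `sort_avas(rdn)` right after the list comprehension, but the hunk does not show where `sort_avas` is defined or imported; confirm it is the same module-level helper the string and RDN constructors use, otherwise Name-built and string-built DNs could still order AVAs differently, which is exactly what `test_eq_multi_rdn` checks with `self.assertEqual(dn1, dn3)`.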
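Review bot: `self.x500nameMultiRDN2` in the setUp hunk only permutes the AVAs of the first RDN (`[st, c]` against `[c, st]`), which is sufficient, but a one-line comment saying it is the deliberately permuted twin of `x500nameMultiRDN` would help whoever reads setUp next.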
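Review bot: `test_eq_multi_rdn` covers equality but not hashing; if DN objects are hashable, also assert `hash(dn3) == hash(dn4)` (and against `dn1`), since equal DNs that hash differently would silently break set and dict membership built on DNs. The `dn1 == dn2` assertion on the two string-built DNs tests behaviour the commit message says already worked, so it is a regression guard rather than a test of this change; fine to keep, worth a comment.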
[Freeipa-devel] [freeipa PR#3211][opened] [Backport][ipa-4-7] Add ipa-cert-fix tool
URL: https://github.com/freeipa/freeipa/pull/3211 Author: frasertweedale Title: #3211: [Backport][ipa-4-7] Add ipa-cert-fix tool Action: opened PR body: """ Backport of https://github.com/freeipa/freeipa/pull/3136. (ipatool automatic backport failed but performing 'git rebase' myself succeeded...) """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3211/head:pr3211 git checkout pr3211 From 37ece8607d5b8ae2f270da758cea208f2b98aac5 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 22 Mar 2019 13:37:45 +1100 Subject: [PATCH 01/10] Extract ca_renewal cert update subroutine When the CA renewal master renews certificates that are shared across CA replicas, it puts them in LDAP for the other CA replicas to see. The code to create/update these entries lives in the dogtag-ipa-ca-renew-agent renewal helper, but it will be useful for the ipa-cert-fix program too. Extract it to a subroutine in the cainstance module. Part of: https://pagure.io/freeipa/issue/7885 --- .../dogtag-ipa-ca-renew-agent-submit.in | 16 +--- ipaserver/install/cainstance.py | 26 +++ 2 files changed, 27 insertions(+), 15 deletions(-) diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in b/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in index 6961740bee..8171207f9d 100644 --- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in +++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in 
@@ -270,23 +270,9 @@ def store_cert(**kwargs): return (REJECTED, "New certificate requests not supported") cert = x509.load_pem_x509_certificate(cert.encode('ascii')) -dn = DN(('cn', nickname), ('cn', 'ca_renewal'), -('cn', 'ipa'), ('cn', 'etc'), api.env.basedn) try: with ldap_connect() as conn: -try: -entry = conn.get_entry(dn, ['usercertificate']) -entry['usercertificate'] = [cert] -conn.update_entry(entry) -except errors.NotFound: -entry = conn.make_entry( -dn, -objectclass=['top', 'pkiuser', 'nscontainer'], -cn=[nickname], -usercertificate=[cert]) -conn.add_entry(entry) -except errors.EmptyModlist: -pass +cainstance.update_ca_renewal_entry(conn, nickname, cert) except Exception as e: attempts += 1 if attempts < 10: diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 01b232099d..ddf2ad5447 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1723,6 +1723,32 @@ def make_entry(cert, entry): return __update_entry_from_cert(make_filter, make_entry, cert) +def update_ca_renewal_entry(conn, nickname, cert): +""" +Update the ca_renewal entry for the given nickname. + +:param conn: A *connected* LDAP handle +:param nickname: NSSDB nickname +:param cert: python-cryptography X509Certificate + +""" +dn = DN(('cn', nickname), ('cn', 'ca_renewal'), +('cn', 'ipa'), ('cn', 'etc'), api.env.basedn) +try: +entry = conn.get_entry(dn, ['usercertificate']) +entry['usercertificate'] = [cert] +conn.update_entry(entry) +except errors.NotFound: +entry = conn.make_entry( +dn, +objectclass=['top', 'pkiuser', 'nscontainer'], +cn=[nickname], +usercertificate=[cert]) +conn.add_entry(entry) +except errors.EmptyModlist: +pass + + def ensure_ldap_profiles_container(): ensure_entry( DN(('ou', 'certificateProfiles'), ('ou', 'ca'), ('o', 'ipaca')), From 84b90ae6ba970f2082ee98afdc88e1f2099a6385 Mon Sep 17 00:00:00 2001 
From: Fraser Tweedale Date: Fri, 22 Mar 2019 15:22:21 +1100 Subject: [PATCH 02/10] cainstance: add function to determine ca_renewal nickname The ipa-cert-fix program needs to know where to put shared certificates. Extract the logic that computes the nickname from dogtag-ipa-ca-renew-agent to new subroutine cainstance.get_ca_renewal_nickname(). Part of: https://pagure.io/freeipa/issue/7885 --- .../dogtag-ipa-ca-renew-agent-submit.in | 16 ++-- ipaserver/install/cainstance.py | 26 +++ 2 files changed, 28 insertions(+), 14 deletions(-) diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in b/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in index 8171207f9d..ceb6f9b1ed 100644 --- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in +++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in @@ -85,20 +85,8 @@ def get_nickname(): ca_subject_dn = ca.lookup_ca_subject(api, subject_base) -nickname_by_subject_dn = { -DN(ca_subject_dn): 'caSigningCert cert-pki-ca', -DN('CN=CA Audit', subject_base): 'auditSigni
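Review bot: in the dogtag-ipa-ca-renew-agent-submit.in hunk of PATCH 01/10 the inline LDAP update is replaced by `cainstance.update_ca_renewal_entry(conn, nickname, cert)`, but no import of `cainstance` is added; check it is already imported in the script, and check whether `DN` and `errors` are still used anywhere in the script after the removed lines, otherwise the linters will flag unused imports. The surrounding `except Exception` retry loop (`attempts < 10`) is unchanged, so retry behaviour is preserved by the extraction.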
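Review bot: `update_ca_renewal_entry` in the cainstance.py hunk is a faithful extraction of the removed code; two nits: the docstring's `:param cert: python-cryptography X509Certificate` should name the actual class (`x509.Certificate`), and `except errors.EmptyModlist: pass` deserves a short comment that it covers re-submitting a certificate identical to the stored one, since a reader may otherwise take a swallowed exception for a bug.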
[Freeipa-devel] [freeipa PR#3136][closed] Add ipa-cert-fix tool
URL: https://github.com/freeipa/freeipa/pull/3136 Author: frasertweedale Title: #3136: Add ipa-cert-fix tool Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3136/head:pr3136 git checkout pr3136
[Freeipa-devel] [freeipa PR#3197][closed] [Backport][ipa-4-6] dn: handle multi-valued RDNs in Name conversion
URL: https://github.com/freeipa/freeipa/pull/3197 Author: abbra Title: #3197: [Backport][ipa-4-6] dn: handle multi-valued RDNs in Name conversion Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3197/head:pr3197 git checkout pr3197
[Freeipa-devel] [freeipa PR#3196][closed] [Backport][ipa-4-7] dn: handle multi-valued RDNs in Name conversion
URL: https://github.com/freeipa/freeipa/pull/3196 Author: abbra Title: #3196: [Backport][ipa-4-7] dn: handle multi-valued RDNs in Name conversion Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3196/head:pr3196 git checkout pr3196
[Freeipa-devel] [freeipa PR#3203][opened] [Backport][ipa-4-6] dn: handle multi-valued RDNs in Name conversion
URL: https://github.com/freeipa/freeipa/pull/3203 Author: frasertweedale Title: #3203: [Backport][ipa-4-6] dn: handle multi-valued RDNs in Name conversion Action: opened PR body: """ When applying DN to a cryptography.x509.Name, multi-valued RDNs get "flattened" into separate RDNs. Update the constructor to correctly handle Name values with multi-valued RDNs. Fixes: https://pagure.io/freeipa/issue/7963 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3203/head:pr3203 git checkout pr3203 From 181825b82eaa1ea09ab1cdbfea132760e0e7b6f3 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 28 May 2019 14:02:22 +1000 Subject: [PATCH] dn: handle multi-valued RDNs in Name conversion When applying DN to a cryptography.x509.Name, multi-valued RDNs get "flattened" into separate RDNs. Update the constructor to correctly handle Name values with multi-valued RDNs. Fixes: https://pagure.io/freeipa/issue/7963 --- ipapython/dn.py| 4 ++-- ipatests/test_ipapython/test_dn.py | 23 +++ 2 files changed, 21 insertions(+), 6 deletions(-) diff --git a/ipapython/dn.py b/ipapython/dn.py index 9645753da1..1f5e09cf5c 100644 --- a/ipapython/dn.py +++ b/ipapython/dn.py @@ -1132,8 +1132,8 @@ def _rdns_from_value(self, value): rdns = list(reversed([ [get_ava( ATTR_NAME_BY_OID.get(ava.oid, ava.oid.dotted_string), -ava.value)] -for ava in value +ava.value) for ava in rdn] +for rdn in value.rdns ])) else: raise TypeError( diff --git a/ipatests/test_ipapython/test_dn.py b/ipatests/test_ipapython/test_dn.py index 17187e48f3..5e6436cdf2 100644 --- a/ipatests/test_ipapython/test_dn.py +++ b/ipatests/test_ipapython/test_dn.py 
@@ -658,10 +658,16 @@ def setUp(self): self.base_container_dn = DN((self.attr1, self.value1), self.container_dn, self.base_dn) -self.x500name = x509.Name([ -x509.NameAttribute( -x509.NameOID.ORGANIZATIONAL_UNIT_NAME, self.value2), -x509.NameAttribute(x509.NameOID.COMMON_NAME, self.value1), +ou = x509.NameAttribute( +x509.NameOID.ORGANIZATIONAL_UNIT_NAME, self.value2) +cn = x509.NameAttribute(x509.NameOID.COMMON_NAME, self.value1) +c = x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u'AU') +st = x509.NameAttribute( +x509.NameOID.STATE_OR_PROVINCE_NAME, u'Queensland') +self.x500name = x509.Name([ou, cn]) +self.x500nameMultiRDN = x509.Name([ +x509.RelativeDistinguishedName([c, st]), +x509.RelativeDistinguishedName([cn]), ]) def assertExpectedClass(self, klass, obj, component): @@ -814,6 +820,15 @@ def test_create(self): self.assertEqual(dn1[0], self.rdn1) self.assertEqual(dn1[1], self.rdn2) +# Create from 'Name' with multi-valued RDN +dn1 = DN(self.x500nameMultiRDN) +self.assertEqual(len(dn1), 2) +self.assertEqual(len(dn1[1]), 2) +self.assertIn(AVA('c', 'au'), dn1[1]) +self.assertIn(AVA('st', 'queensland'), dn1[1]) +self.assertEqual(len(dn1[0]), 1) +self.assertIn(self.ava1, dn1[0]) + # Create with RDN, and 2 DN's (e.g. attr + container + base) dn1 = DN((self.attr1, self.value1), self.container_dn, self.base_dn) self.assertEqual(len(dn1), 5) ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
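Review bot: the dn.py change from `for ava in value` to `for ava in rdn] for rdn in value.rdns` is correct: iterating a Name directly yields NameAttributes with the RDN boundaries lost, while `value.rdns` yields the RelativeDistinguishedName groups, and the outer `reversed` still turns X.500 order into LDAP order. One gap remains: the AVAs inside each RDN keep whatever order the Name gave them, so two Names listing `C` and `ST` in opposite orders still produce unequal DNs; that needs a sort in a follow-up (PR #3212 on this list adds one for master).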
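Review bot: the new assertions in `test_create` use lower-cased literals `AVA('c', 'au')` and `AVA('st', 'queensland')` although the fixture was built with `u'AU'` and `u'Queensland'`, so the test depends on case-insensitive AVA comparison; that is the intended semantics for these caseIgnore attributes, but a comment would spare the next reader a detour into the AVA equality code. The `u''` prefixes differ from the master version of this patch (PR #3194) and are presumably needed for Python 2 on this branch.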
[Freeipa-devel] [freeipa PR#3202][opened] [ipa-4-7] dn: handle multi-valued RDNs in Name conversion
URL: https://github.com/freeipa/freeipa/pull/3202 Author: frasertweedale Title: #3202: [ipa-4-7] dn: handle multi-valued RDNs in Name conversion Action: opened PR body: """ When applying DN to a cryptography.x509.Name, multi-valued RDNs get "flattened" into separate RDNs. Update the constructor to correctly handle Name values with multi-valued RDNs. Fixes: https://pagure.io/freeipa/issue/7963 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3202/head:pr3202 git checkout pr3202 From ad9cd3d135a62d37e7070645488e86d13e6c1a07 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 28 May 2019 14:02:22 +1000 Subject: [PATCH] dn: handle multi-valued RDNs in Name conversion When applying DN to a cryptography.x509.Name, multi-valued RDNs get "flattened" into separate RDNs. Update the constructor to correctly handle Name values with multi-valued RDNs. Fixes: https://pagure.io/freeipa/issue/7963 --- ipapython/dn.py| 4 ++-- ipatests/test_ipapython/test_dn.py | 23 +++ 2 files changed, 21 insertions(+), 6 deletions(-) diff --git a/ipapython/dn.py b/ipapython/dn.py index 9645753da1..1f5e09cf5c 100644 --- a/ipapython/dn.py +++ b/ipapython/dn.py @@ -1132,8 +1132,8 @@ def _rdns_from_value(self, value): rdns = list(reversed([ [get_ava( ATTR_NAME_BY_OID.get(ava.oid, ava.oid.dotted_string), -ava.value)] -for ava in value +ava.value) for ava in rdn] +for rdn in value.rdns ])) else: raise TypeError( diff --git a/ipatests/test_ipapython/test_dn.py b/ipatests/test_ipapython/test_dn.py index 17187e48f3..5e6436cdf2 100644 --- a/ipatests/test_ipapython/test_dn.py +++ b/ipatests/test_ipapython/test_dn.py 
@@ -658,10 +658,16 @@ def setUp(self): self.base_container_dn = DN((self.attr1, self.value1), self.container_dn, self.base_dn) -self.x500name = x509.Name([ -x509.NameAttribute( -x509.NameOID.ORGANIZATIONAL_UNIT_NAME, self.value2), -x509.NameAttribute(x509.NameOID.COMMON_NAME, self.value1), +ou = x509.NameAttribute( +x509.NameOID.ORGANIZATIONAL_UNIT_NAME, self.value2) +cn = x509.NameAttribute(x509.NameOID.COMMON_NAME, self.value1) +c = x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u'AU') +st = x509.NameAttribute( +x509.NameOID.STATE_OR_PROVINCE_NAME, u'Queensland') +self.x500name = x509.Name([ou, cn]) +self.x500nameMultiRDN = x509.Name([ +x509.RelativeDistinguishedName([c, st]), +x509.RelativeDistinguishedName([cn]), ]) def assertExpectedClass(self, klass, obj, component): @@ -814,6 +820,15 @@ def test_create(self): self.assertEqual(dn1[0], self.rdn1) self.assertEqual(dn1[1], self.rdn2) +# Create from 'Name' with multi-valued RDN +dn1 = DN(self.x500nameMultiRDN) +self.assertEqual(len(dn1), 2) +self.assertEqual(len(dn1[1]), 2) +self.assertIn(AVA('c', 'au'), dn1[1]) +self.assertIn(AVA('st', 'queensland'), dn1[1]) +self.assertEqual(len(dn1[0]), 1) +self.assertIn(self.ava1, dn1[0]) + # Create with RDN, and 2 DN's (e.g. attr + container + base) dn1 = DN((self.attr1, self.value1), self.container_dn, self.base_dn) self.assertEqual(len(dn1), 5) ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
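Review bot: the dn.py hunk correctly iterates `value.rdns` instead of `value`, keeping multi-valued RDNs grouped, while the AVAs within an RDN remain in the Name's order, so permuted inputs still compare unequal until a sort is added. The hunk carries the same blob ids (`9645753da1..1f5e09cf5c` and `17187e48f3..5e6436cdf2`) as the ipa-4-6 backport in PR #3203, so both branches share the same base for these files and only the per-branch test run differs.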
[Freeipa-devel] [freeipa PR#3200][opened] add test for external CA key size sanity check
URL: https://github.com/freeipa/freeipa/pull/3200 Author: frasertweedale Title: #3200: add test for external CA key size sanity check Action: opened PR body: """ We recently added validation of externally-signed CA certificate to ensure certificates signed by external CAs with too-small keys (according to system crypto policy) are rejected. Add an integration test that attempts to renew with a 1024-bit external CA, and asserts failure. (Manual backport to ipa-4-6 branch; cherry pick of f9b22283dd2160ec073e93df9b52ef6b47d6c335). Part of: https://pagure.io/freeipa/issue/7761 Reviewed-By: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3200/head:pr3200 git checkout pr3200 From 567f6cd0b93bfb7be42a12fa6fd7dce690f858e9 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Mon, 27 May 2019 12:12:43 +1000 Subject: [PATCH] add test for external CA key size sanity check We recently added validation of externally-signed CA certificate to ensure certificates signed by external CAs with too-small keys (according to system crypto policy) are rejected. Add an integration test that attempts to renew with a 1024-bit external CA, and asserts failure. (Manual backport to ipa-4-6 branch; cherry pick of f9b22283dd2160ec073e93df9b52ef6b47d6c335). Part of: https://pagure.io/freeipa/issue/7761 Reviewed-By: Christian Heimes --- ipatests/create_external_ca.py| 5 +++-- ipatests/pytest_ipa/integration/tasks.py | 5 +++-- ipatests/test_integration/test_external_ca.py | 13 + 3 files changed, 19 insertions(+), 4 deletions(-) diff --git a/ipatests/create_external_ca.py b/ipatests/create_external_ca.py index 56bd588a42..72d8f8b337 100644 --- a/ipatests/create_external_ca.py +++ b/ipatests/create_external_ca.py 
@@ -34,9 +34,10 @@ class ExternalCA(object): """ Provide external CA for testing """ -def __init__(self, days=365): +def __init__(self, days=365, key_size=None): self.now = datetime.datetime.utcnow() self.delta = datetime.timedelta(days=days) +self.key_size = key_size or 2048 def create_ca(self, cn=ISSUER_CN, path_length=None): """Create root CA. @@ -45,7 +46,7 @@ def create_ca(self, cn=ISSUER_CN, path_length=None): """ self.ca_key = rsa.generate_private_key( public_exponent=65537, -key_size=2048, +key_size=self.key_size, backend=default_backend(), ) diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py index cad22b8119..70056859f4 100644 --- a/ipatests/pytest_ipa/integration/tasks.py +++ b/ipatests/pytest_ipa/integration/tasks.py @@ -1619,7 +1619,8 @@ def add_dns_zone(master, zone, skip_overlap_check=False, def sign_ca_and_transport(host, csr_name, root_ca_name, ipa_ca_name, - root_ca_path_length=None, ipa_ca_path_length=1): + root_ca_path_length=None, ipa_ca_path_length=1, + key_size=None,): """ Sign ipa csr and save signed CA together with root CA back to the host. Returns root CA and IPA CA paths on the host. @@ -1630,7 +1631,7 @@ def sign_ca_and_transport(host, csr_name, root_ca_name, ipa_ca_name, # Get IPA CSR as bytes ipa_csr = host.get_file_contents(csr_name) -external_ca = ExternalCA() +external_ca = ExternalCA(key_size=key_size) # Create root CA root_ca = external_ca.create_ca(path_length=root_ca_path_length) # Sign CSR diff --git a/ipatests/test_integration/test_external_ca.py b/ipatests/test_integration/test_external_ca.py index 35f5362b9d..a2a04b264d 100644 --- a/ipatests/test_integration/test_external_ca.py +++ b/ipatests/test_integration/test_external_ca.py 
@@ -379,6 +379,19 @@ def test_external_ca(self): result = self.master.run_command(cmd, raiseonerr=False) assert result.returncode == 1 +def test_external_ca_with_too_small_key(self): +# reuse the existing deployment and renewal CSR +root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport( +self.master, paths.IPA_CA_CSR, ROOT_CA, IPA_CA, key_size=1024) + +cmd = [ +paths.IPA_CACERT_MANAGE, 'renew', +'--external-cert-file', ipa_ca_fname, +'--external-cert-file', root_ca_fname, +] +result = self.master.run_command(cmd, raiseonerr=False) +assert result.returncode == 1 + class TestExternalCAInvalidIntermediate(IntegrationTest): """Test case for https://pagure.io/freeipa/issue/7877"""; ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_
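Review bot: `self.key_size = key_size or 2048` in `ExternalCA.__init__` means a caller passing `key_size=0` silently gets 2048; `2048 if key_size is None else key_size` states the intent. In the tasks.py hunk the trailing comma in `key_size=None,):` is legal but out of step with the surrounding signatures.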
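Review bot: `test_external_ca_with_too_small_key` asserts only `result.returncode == 1`, which is the same exit status the preceding `test_external_ca` lines in the hunk context already expect for a different failure; also assert that the key-size rejection message appears in the command's stderr, otherwise the test passes whenever `ipa-cacert-manage renew` fails for any reason at all, including one unrelated to the 1024-bit CA.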
[Freeipa-devel] [freeipa PR#3194][opened] dn: handle multi-valued RDNs in Name conversion
URL: https://github.com/freeipa/freeipa/pull/3194 Author: frasertweedale Title: #3194: dn: handle multi-valued RDNs in Name conversion Action: opened PR body: """ When applying DN to a cryptography.x509.Name, multi-valued RDNs get "flattened" into separate RDNs. Update the constructor to correctly handle Name values with multi-valued RDNs. Fixes: https://pagure.io/freeipa/issue/7963 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3194/head:pr3194 git checkout pr3194 From e27a2f31c66a32d50cb34bfcc09d9e9e58e94570 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 28 May 2019 14:02:22 +1000 Subject: [PATCH] dn: handle multi-valued RDNs in Name conversion When applying DN to a cryptography.x509.Name, multi-valued RDNs get "flattened" into separate RDNs. Update the constructor to correctly handle Name values with multi-valued RDNs. Fixes: https://pagure.io/freeipa/issue/7963 --- ipapython/dn.py| 4 ++-- ipatests/test_ipapython/test_dn.py | 23 +++ 2 files changed, 21 insertions(+), 6 deletions(-) diff --git a/ipapython/dn.py b/ipapython/dn.py index 145f33a87f..fda28a3f9c 100644 --- a/ipapython/dn.py +++ b/ipapython/dn.py @@ -1138,8 +1138,8 @@ def _rdns_from_value(self, value): rdns = list(reversed([ [get_ava( ATTR_NAME_BY_OID.get(ava.oid, ava.oid.dotted_string), -ava.value)] -for ava in value +ava.value) for ava in rdn] +for rdn in value.rdns ])) else: raise TypeError( diff --git a/ipatests/test_ipapython/test_dn.py b/ipatests/test_ipapython/test_dn.py index dac8a465f5..a21abd69b1 100644 --- a/ipatests/test_ipapython/test_dn.py +++ b/ipatests/test_ipapython/test_dn.py 
@@ -661,10 +661,16 @@ def setUp(self): self.base_container_dn = DN((self.attr1, self.value1), self.container_dn, self.base_dn) -self.x500name = x509.Name([ -x509.NameAttribute( -x509.NameOID.ORGANIZATIONAL_UNIT_NAME, self.value2), -x509.NameAttribute(x509.NameOID.COMMON_NAME, self.value1), +ou = x509.NameAttribute( +x509.NameOID.ORGANIZATIONAL_UNIT_NAME, self.value2) +cn = x509.NameAttribute(x509.NameOID.COMMON_NAME, self.value1) +c = x509.NameAttribute(x509.NameOID.COUNTRY_NAME, 'AU') +st = x509.NameAttribute( +x509.NameOID.STATE_OR_PROVINCE_NAME, 'Queensland') +self.x500name = x509.Name([ou, cn]) +self.x500nameMultiRDN = x509.Name([ +x509.RelativeDistinguishedName([c, st]), +x509.RelativeDistinguishedName([cn]), ]) def assertExpectedClass(self, klass, obj, component): @@ -817,6 +823,15 @@ def test_create(self): self.assertEqual(dn1[0], self.rdn1) self.assertEqual(dn1[1], self.rdn2) +# Create from 'Name' with multi-valued RDN +dn1 = DN(self.x500nameMultiRDN) +self.assertEqual(len(dn1), 2) +self.assertEqual(len(dn1[1]), 2) +self.assertIn(AVA('c', 'au'), dn1[1]) +self.assertIn(AVA('st', 'queensland'), dn1[1]) +self.assertEqual(len(dn1[0]), 1) +self.assertIn(self.ava1, dn1[0]) + # Create with RDN, and 2 DN's (e.g. attr + container + base) dn1 = DN((self.attr1, self.value1), self.container_dn, self.base_dn) self.assertEqual(len(dn1), 5) ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
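Review bot: the `_rdns_from_value` change is right: `value.rdns` preserves each multi-valued RDN as a group (the test checks `len(dn1[1]) == 2`), whereas iterating the Name flattened every AVA into its own RDN. What the hunk does not do is order the AVAs within a group, so a Name whose RDN lists `ST` before `C` converts to a DN unequal to one listing `C` before `ST`; the setUp fixture only exercises one order, so add the permuted fixture and a sort (PR #3212 on this list does both).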
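Review bot: the `test_create` assertions compare `AVA('c', 'au')` and `AVA('st', 'queensland')` against a fixture built from `'AU'` and `'Queensland'`, relying on case-insensitive AVA matching; intended, but a comment on the assertion block would make that explicit for readers who expect exact-match semantics.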
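An added example (not FreeIPA's ipapython.dn code) illustrating the two fixes discussed on this list for converting an X.500 Name with multi-valued RDNs: keeping the RDN grouping (PR #3194) and sorting the AVAs inside each RDN (PR #3212). It models a cryptography.x509.Name as nested lists so it runs without the cryptography package; the lower-casing normalisation is an assumption that mirrors how the tests compare `AVA('c', 'au')` against `'AU'`.

```python
"""Canonical DN comparison for X.500 Names with multi-valued RDNs.

Added example, not the project's own implementation: a Name is modelled as
a list of RDNs, each RDN a list of (attribute, value) AVAs, in X.500 order
(most significant RDN first), as cryptography's Name.rdns presents it.
"""
from typing import List, Tuple

AVA = Tuple[str, str]   # (attribute type, value)
RDN = List[AVA]         # one or more AVAs joined by '+'
Name = List[RDN]        # X.500 order: most significant first


def _norm(ava: AVA) -> AVA:
    # Assumption: attribute types and the caseIgnore values used here
    # (C, ST, CN) compare case-insensitively, so normalise to lower case.
    return (ava[0].lower(), ava[1].lower())


def flattened_dn(name: Name) -> List[RDN]:
    """The buggy conversion: every AVA becomes its own single-valued RDN,
    so 'C=AU+ST=Queensland' turns into two separate RDNs."""
    avas = [_norm(ava) for rdn in name for ava in rdn]
    return list(reversed([[ava] for ava in avas]))


def grouped_dn(name: Name, sort_avas: bool = True) -> List[RDN]:
    """Corrected conversion: preserve RDN grouping (first fix) and sort the
    AVAs within each RDN (second fix) so permuted input compares equal."""
    rdns = [[_norm(ava) for ava in rdn] for rdn in name]
    if sort_avas:
        for rdn in rdns:
            rdn.sort()
    # LDAP string order is least significant RDN first.
    return list(reversed(rdns))


def dn_to_str(dn: List[RDN]) -> str:
    """Render in LDAP string form, e.g. 'cn=x,c=au+st=queensland'."""
    return ",".join("+".join(f"{a}={v}" for a, v in rdn) for rdn in dn)


def dns_equal(a: List[RDN], b: List[RDN]) -> bool:
    return a == b


# Constructed sample: the same subject with the multi-valued RDN's AVAs
# listed in both possible orders, like the x500nameMultiRDN fixtures.
NAME_A: Name = [[("C", "AU"), ("ST", "Queensland")], [("CN", "example")]]
NAME_B: Name = [[("ST", "Queensland"), ("C", "AU")], [("CN", "example")]]


def demo() -> dict:
    """Run the buggy and corrected conversions over the sample names."""
    flat_a, flat_b = flattened_dn(NAME_A), flattened_dn(NAME_B)
    unsorted_a = grouped_dn(NAME_A, sort_avas=False)
    unsorted_b = grouped_dn(NAME_B, sort_avas=False)
    fixed_a, fixed_b = grouped_dn(NAME_A), grouped_dn(NAME_B)
    return {
        "flattened_len": len(flat_a),                   # 3: grouping lost
        "flattened_equal": dns_equal(flat_a, flat_b),   # False
        "grouped_unsorted_equal": dns_equal(unsorted_a, unsorted_b),  # False
        "grouped_sorted_equal": dns_equal(fixed_a, fixed_b),          # True
        "fixed_len": len(fixed_a),                      # 2 RDNs
        "fixed_str": dn_to_str(fixed_a),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The first fix alone still leaves the two names unequal; only with the AVA sort do Name-built DNs compare equal to each other and to a DN parsed from the string form.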
[Freeipa-devel] [freeipa PR#3190][opened] add test for external CA key size sanity check
URL: https://github.com/freeipa/freeipa/pull/3190 Author: frasertweedale Title: #3190: add test for external CA key size sanity check Action: opened PR body: """ We recently added validation of externally-signed CA certificate to ensure certificates signed by external CAs with too-small keys (according to system crypto policy) are rejected. Add an integration test that attempts to renew with a 1024-bit external CA, and asserts failure. Part of: https://pagure.io/freeipa/issue/7761 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3190/head:pr3190 git checkout pr3190 From 263f9a9fff1b29c5efd676e8e680164a3354ea2e Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Mon, 27 May 2019 12:12:43 +1000 Subject: [PATCH 1/2] add test for external CA key size sanity check We recently added validation of externally-signed CA certificate to ensure certificates signed by external CAs with too-small keys (according to system crypto policy) are rejected. Add an integration test that attempts to renew with a 1024-bit external CA, and asserts failure. Part of: https://pagure.io/freeipa/issue/7761 --- ipatests/create_external_ca.py| 7 --- ipatests/pytest_ipa/integration/tasks.py | 5 +++-- ipatests/test_integration/test_external_ca.py | 13 + 3 files changed, 20 insertions(+), 5 deletions(-) diff --git a/ipatests/create_external_ca.py b/ipatests/create_external_ca.py index 706782adc6..a318b8090e 100644 --- a/ipatests/create_external_ca.py +++ b/ipatests/create_external_ca.py 
@@ -34,14 +34,15 @@ class ExternalCA: """Provide external CA for testing """ -def __init__(self, days=365): +def __init__(self, days=365, key_size=None): self.now = datetime.datetime.utcnow() self.delta = datetime.timedelta(days=days) self.ca_key = None self.ca_public_key = None self.issuer = None +self.key_size = key_size or 2048 -def create_ca_key(self, key_size=2048): +def create_ca_key(self): """Create private and public key for CA Note: The test still creates 2048 although IPA CA uses 3072 bit RSA @@ -50,7 +51,7 @@ def create_ca_key(self, key_size=2048): """ self.ca_key = rsa.generate_private_key( public_exponent=65537, -key_size=key_size, +key_size=self.key_size, backend=default_backend(), ) self.ca_public_key = self.ca_key.public_key() diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py index ec9c68958a..f073476190 100644 --- a/ipatests/pytest_ipa/integration/tasks.py +++ b/ipatests/pytest_ipa/integration/tasks.py @@ -1678,7 +1678,8 @@ def add_dns_zone(master, zone, skip_overlap_check=False, def sign_ca_and_transport(host, csr_name, root_ca_name, ipa_ca_name, - root_ca_path_length=None, ipa_ca_path_length=1): + root_ca_path_length=None, ipa_ca_path_length=1, + key_size=None,): """ Sign ipa csr and save signed CA together with root CA back to the host. Returns root CA and IPA CA paths on the host. @@ -1689,7 +1690,7 @@ def sign_ca_and_transport(host, csr_name, root_ca_name, ipa_ca_name, # Get IPA CSR as bytes ipa_csr = host.get_file_contents(csr_name) -external_ca = ExternalCA() +external_ca = ExternalCA(key_size=key_size) # Create root CA root_ca = external_ca.create_ca(path_length=root_ca_path_length) # Sign CSR diff --git a/ipatests/test_integration/test_external_ca.py b/ipatests/test_integration/test_external_ca.py index 7ad0146c85..a42355217d 100644 --- a/ipatests/test_integration/test_external_ca.py +++ b/ipatests/test_integration/test_external_ca.py 
@@ -373,6 +373,19 @@ def test_external_ca(self): result = self.master.run_command(cmd, raiseonerr=False) assert result.returncode == 1 +def test_external_ca_with_too_small_key(self): +# reuse the existing deployment and renewal CSR +root_ca_fname, ipa_ca_fname = tasks.sign_ca_and_transport( +self.master, paths.IPA_CA_CSR, ROOT_CA, IPA_CA, key_size=1024) + +cmd = [ +paths.IPA_CACERT_MANAGE, 'renew', +'--external-cert-file', ipa_ca_fname, +'--external-cert-file', root_ca_fname, +] +result = self.master.run_command(cmd, raiseonerr=False) +assert result.returncode == 1 + class TestExternalCAInvalidIntermediate(IntegrationTest): """Test case for https://pagure.io/freeipa/issue/7877"""; From 9a76429f7c6d470802c9f34d97d2e7908eb5e2d3 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Mon, 27 May 2019 12:24:59 +1000 Subject: [PATCH 2/2] temp commit --- .freeipa-pr-ci.yaml| 2 +- ipatests/prci_definitions/temp_commit.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletion
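Review bot: removing the parameter from `create_ca_key(self)` in the create_external_ca.py hunk changes a public signature, so any other caller that passed `create_ca_key(key_size=...)` would now raise TypeError; grep ipatests for such callers before merging, or keep the parameter with a default of `self.key_size`. The docstring line "The test still creates 2048 although IPA CA uses 3072 bit RSA" now describes the `__init__` default rather than this method, so move or reword it.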
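Review bot: `test_external_ca_with_too_small_key` in the test_external_ca.py hunk asserts only `result.returncode == 1`, the same status the preceding `test_external_ca` lines expect for a different failure; also assert on the rejection text in the command's stderr so the test cannot pass because renewal failed for an unrelated reason. Separately, `[PATCH 2/2] temp commit` edits `.freeipa-pr-ci.yaml` and `ipatests/prci_definitions/temp_commit.yaml` to steer PR CI and must be dropped before merge.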
[Freeipa-devel] [freeipa PR#3180][opened] [ipa-4-6] ipa-cert-fix fixes
URL: https://github.com/freeipa/freeipa/pull/3180 Author: frasertweedale Title: #3180: [ipa-4-6] ipa-cert-fix fixes Action: opened PR body: """ Cherry-pick a couple of fixes from master-bound PR #3136. ``` 2ff6e1ac5 (Fraser Tweedale, 67 minutes ago) ipa-cert-fix: fix spurious renewal master change We only want to become the renewal master if we actually renewed a shared certificate. But there is a bug in the logic; even if the only Dogtag certificate to be renewed is the 'sslserver' (a non-shared certificate), the renewal master will be reset. Fix the bug. A static type system would have excluded this bug. Part of: https://pagure.io/freeipa/issue/7885 ee889d2d7 (Fraser Tweedale, 2 days ago) ipa-cert-fix: handle 'pki-server cert-fix' failure When DS cert is expired, 'pki-server cert-fix' will fail at the final step (restart). When this case arises, ignore the CalledProcessError and continue. We can't know for sure if the error was due to failure of final restart, or something going wrong earlier. But if it was a more serious failure, the next step (installing the renewed IPA-specific certificates) will fail. Part of: https://pagure.io/freeipa/issue/7885 ``` """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3180/head:pr3180 git checkout pr3180 From ee889d2d700371b0d6ca3774ed01df075e851ea7 Mon Sep 17 00:00:00 2001 
From: Fraser Tweedale Date: Sun, 22 Aug 2021 18:06:56 +1000 Subject: [PATCH 1/2] ipa-cert-fix: handle 'pki-server cert-fix' failure When DS cert is expired, 'pki-server cert-fix' will fail at the final step (restart). When this case arises, ignore the CalledProcessError and continue. We can't know for sure if the error was due to failure of final restart, or something going wrong earlier. But if it was a more serious failure, the next step (installing the renewed IPA-specific certificates) will fail. Part of: https://pagure.io/freeipa/issue/7885 --- ipaserver/install/ipa_cert_fix.py | 12 +++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py index c8ee51faea..5d5668b1d8 100644 --- a/ipaserver/install/ipa_cert_fix.py +++ b/ipaserver/install/ipa_cert_fix.py @@ -113,7 +113,17 @@ def run(self): return 0 print("Proceeding.") -run_cert_fix(certs, extra_certs) +try: +run_cert_fix(certs, extra_certs) +except ipautil.CalledProcessError: +if any(x[0] is IPACertType.LDAPS for x in extra_certs): +# The DS cert was expired. This will cause +# 'pki-server cert-fix' to fail at the final +# restart. Therefore ignore the CalledProcessError +# and proceed to installing the IPA-specific certs. +pass +else: +raise # otherwise re-raise replicate_dogtag_certs(subject_base, ca_subject_dn, certs) install_ipa_certs(subject_base, ca_subject_dn, extra_certs) From 2ff6e1ac5352a2aff929c0d87a304411435543e1 Mon Sep 17 00:00:00 2001 
From: Fraser Tweedale Date: Tue, 24 Aug 2021 14:33:45 +1000 Subject: [PATCH 2/2] ipa-cert-fix: fix spurious renewal master change We only want to become the renewal master if we actually renewed a shared certificate. But there is a bug in the logic; even if the only Dogtag certificate to be renewed is the 'sslserver' (a non-shared certificate), the renewal master will be reset. Fix the bug. A static type system would have excluded this bug. Part of: https://pagure.io/freeipa/issue/7885 --- ipaserver/install/ipa_cert_fix.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py index 5d5668b1d8..fff054c230 100644 --- a/ipaserver/install/ipa_cert_fix.py +++ b/ipaserver/install/ipa_cert_fix.py @@ -128,7 +128,7 @@ def run(self): replicate_dogtag_certs(subject_base, ca_subject_dn, certs) install_ipa_certs(subject_base, ca_subject_dn, extra_certs) -if any(x != 'sslserver' for x in certs) \ +if any(x[0] != 'sslserver' for x in certs) \ or any(x[0] is IPACertType.IPARA for x in extra_certs): # we renewed a "shared" certificate, therefore we must # become the renewal master ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
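Review bot: the one-character fix is correct (`certs` holds tuples, so `x != 'sslserver'` compared a tuple to a string and was always true, forcing a renewal-master change even when only 'sslserver' was renewed), but no test accompanies it and the commit message itself says a type system would have excluded the bug. Add a unit test asserting that an sslserver-only renewal leaves the renewal master untouched, and consider unpacking (`for cert_id, _nick in certs`) or a namedtuple so this condition and the neighbouring `x[0] is IPACertType.IPARA` read the same way and cannot be mis-indexed again.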
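The two decisions these commits change, written out as an added example in Python that is not FreeIPA code: `needs_renewal_master` is the "become renewal master only if a shared certificate was renewed" rule over typed records, so the tuple-versus-string slip fixed above cannot happen, and `should_ignore_cert_fix_failure` is the "tolerate the expected cert-fix failure" heuristic, extended beyond the patch to also require every renewed output file to exist and decode as a PEM-wrapped DER blob before the error is swallowed. The IPACertType members, the DogtagCert/IPACert records, the file names and STUB_PEM are assumptions constructed for this example.

```python
"""Added illustration, not FreeIPA code: IPACertType, DogtagCert, IPACert,
needs_renewal_master, should_ignore_cert_fix_failure and STUB_PEM are all
constructed for this example."""
import enum
import os
import ssl
import tempfile
from typing import NamedTuple, Sequence


class IPACertType(enum.Enum):
    """Non-Dogtag certificates ipa-cert-fix may renew (assumed member set)."""
    IPARA = "IPA RA"   # shared by every CA replica
    HTTPS = "HTTP"     # per-host
    LDAPS = "DS"       # per-host; when expired, cert-fix's final restart fails
    KDC = "KDC"        # per-host


class DogtagCert(NamedTuple):
    cert_id: str       # Dogtag cert id such as 'sslserver' or 'subsystem'
    nickname: str


class IPACert(NamedTuple):
    cert_type: IPACertType
    nickname: str


def needs_renewal_master(certs: Sequence[DogtagCert],
                         extra_certs: Sequence[IPACert]) -> bool:
    """True only if a certificate shared across CA replicas was renewed.

    'sslserver' is the one per-host Dogtag cert; of the IPA certs only the
    RA cert is shared.  Attribute access instead of x[0] indexing is what
    rules out the tuple-vs-string comparison bug from the patch."""
    shared_dogtag = any(c.cert_id != "sslserver" for c in certs)
    shared_ipa = any(c.cert_type is IPACertType.IPARA for c in extra_certs)
    return shared_dogtag or shared_ipa


def looks_like_pem_cert(path: str) -> bool:
    """Cheap offline sanity check on a renewed cert file: it must exist, be
    PEM-wrapped, base64-decode, and start with a DER SEQUENCE tag (0x30).
    A deployment would parse it fully, e.g. with python-cryptography."""
    try:
        with open(path, "r", encoding="ascii") as f:
            der = ssl.PEM_cert_to_DER_cert(f.read())
    except (OSError, ValueError):   # missing file, non-ASCII, bad PEM/base64
        return False
    return der[:1] == b"\x30"


def should_ignore_cert_fix_failure(extra_certs: Sequence[IPACert],
                                   renewed_paths: Sequence[str]) -> bool:
    """Decide whether a nonzero exit from 'pki-server cert-fix' is the expected
    DS-expired case.  Beyond the patch, which only checks that the DS cert was
    in the renewal set, every output file cert-fix was asked to write must
    also be present and well-formed; otherwise the error must propagate."""
    ds_was_expired = any(c.cert_type is IPACertType.LDAPS for c in extra_certs)
    if not ds_was_expired:
        return False
    return all(looks_like_pem_cert(p) for p in renewed_paths)


# Constructed stand-in, NOT a real certificate: PEM wrapper around the DER
# bytes 30 03 02 01 05 (SEQUENCE { INTEGER 5 }), enough to pass the check.
STUB_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"


def demo_failure_heuristic() -> dict:
    """Run the heuristic against constructed output files in a temp dir."""
    ds_expired = [IPACert(IPACertType.LDAPS, "Server-Cert")]
    ds_fine = [IPACert(IPACertType.HTTPS, "Server-Cert")]
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "renewed-1.crt")
        junk = os.path.join(d, "renewed-2.crt")
        missing = os.path.join(d, "renewed-3.crt")   # never written
        with open(good, "w") as f:
            f.write(STUB_PEM)
        with open(junk, "w") as f:
            f.write("cert-fix wrote garbage here\n")
        return {
            "ds_expired_all_outputs_ok": should_ignore_cert_fix_failure(ds_expired, [good]),
            "ds_expired_output_missing": should_ignore_cert_fix_failure(ds_expired, [good, missing]),
            "ds_expired_output_junk": should_ignore_cert_fix_failure(ds_expired, [junk]),
            "ds_not_expired": should_ignore_cert_fix_failure(ds_fine, [good]),
        }


if __name__ == "__main__":
    print(needs_renewal_master([DogtagCert("sslserver", "Server-Cert cert-pki-ca")], []))
    print(demo_failure_heuristic())
```

Only the first key of `demo_failure_heuristic()` comes back true: a missing or malformed output file, or a DS cert that was not due for renewal, each cause the cert-fix error to be re-raised instead of silently ignored.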
[Freeipa-devel] [freeipa PR#3136][opened] Add ipa-cert-fix tool
URL: https://github.com/freeipa/freeipa/pull/3136
Author: frasertweedale
Title: #3136: Add ipa-cert-fix tool
Action: opened

PR body:
"""
Forward-port of https://github.com/freeipa/freeipa/pull/2919 to `master` branch.

```
da189c9cc (Fraser Tweedale, 3 days ago)
  require Dogtag 10.7.0-1

  Dogtag 10.7 includes the 'pki-server cert-fix' enhancements required
  by ipa-cert-fix. Bump the dep min bound.

  Part of: https://pagure.io/freeipa/issue/7885

54e967095 (Fraser Tweedale, 6 weeks ago)
  ipa-cert-fix: use customary exit statuses

  It is customary to return 2 when IPA is not configured, and 1 when
  other required bits are not installed or configured. Update
  ipa-cert-fix exit statuses accordingly.

  Part of: https://pagure.io/freeipa/issue/7885

7a836fb8c (Fraser Tweedale, 7 weeks ago)
  ipa-cert-fix: add man page

  Part of: https://pagure.io/freeipa/issue/7885

6c023f265 (Fraser Tweedale, 7 weeks ago)
  Add ipa-cert-fix tool

  The ipa-cert-fix tool wraps `pki-server cert-fix`, performing
  additional certificate requests for non-Dogtag IPA certificates and
  performing additional actions. In particular:

  - Run cert-fix with arguments particular to the IPA deployment.
  - Update IPA RA certificate in the ipara user entry (if renewed).
  - Add shared certificates (if renewed) to the ca_renewal LDAP
    container for replication.
  - Become the CA renewal master if shared certificates were renewed.
    This ensures other CA replicas, including the previous CA renewal
    master if not the current host, pick up those new certificates
    when Certmonger attempts to renew them.

  Fixes: https://pagure.io/freeipa/issue/7885

3d1ff725e (Fraser Tweedale, 7 weeks ago)
  constants: add ca_renewal container

  Part of: https://pagure.io/freeipa/issue/7885

c956bc658 (Fraser Tweedale, 7 weeks ago)
  cainstance: add function to determine ca_renewal nickname

  The ipa-cert-fix program needs to know where to put shared
  certificates.
Extract the logic that computes the nickname from dogtag-ipa-ca-renew-agent to new subroutine cainstance.get_ca_renewal_nickname(). Part of: https://pagure.io/freeipa/issue/7885 4f4c32cc6 (Fraser Tweedale, 7 weeks ago) Extract ca_renewal cert update subroutine When the CA renewal master renews certificates that are shared across CA replicas, it puts them in LDAP for the other CA replicas to see. The code to create/update these entries lives in the dogtag-ipa-ca-renew-agent renewal helper, but it will be useful for the ipa-cert-fix program too. Extract it to a subroutine in the cainstance module. Part of: https://pagure.io/freeipa/issue/7885 ``` """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3136/head:pr3136 git checkout pr3136 From 4f4c32cc675da63a1b03184f7285796aac3c6908 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 22 Mar 2019 13:37:45 +1100 Subject: [PATCH 1/7] Extract ca_renewal cert update subroutine When the CA renewal master renews certificates that are shared across CA replicas, it puts them in LDAP for the other CA replicas to see. The code to create/update these entries lives in the dogtag-ipa-ca-renew-agent renewal helper, but it will be useful for the ipa-cert-fix program too. Extract it to a subroutine in the cainstance module. Part of: https://pagure.io/freeipa/issue/7885 --- .../dogtag-ipa-ca-renew-agent-submit.in | 16 +--- ipaserver/install/cainstance.py | 26 +++ 2 files changed, 27 insertions(+), 15 deletions(-) diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in b/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in index 6961740bee..8171207f9d 100644 --- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in +++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in 
@@ -270,23 +270,9 @@ def store_cert(**kwargs): return (REJECTED, "New certificate requests not supported") cert = x509.load_pem_x509_certificate(cert.encode('ascii')) -dn = DN(('cn', nickname), ('cn', 'ca_renewal'), -('cn', 'ipa'), ('cn', 'etc'), api.env.basedn) try: with ldap_connect() as conn: -try: -entry = conn.get_entry(dn, ['usercertificate']) -entry['usercertificate'] = [cert] -conn.update_entry(entry) -except errors.NotFound: -entry = conn.make_entry( -dn, -objectclass=['top', 'pkiuser', 'nscontainer'], -cn=[nickname], -usercertificate=[cert]) -conn.add_entry(entry) -except errors.EmptyModlist: -pass +cainstance.update_ca_renewal_entry(conn, nickname, cert) except Exception as e: attempts += 1 if attempts < 10: diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/
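Review bot: with this block removed, the `dn` construction was the only use of `DN` and `api.env.basedn` in the visible part of store_cert, and the `errors.NotFound`/`errors.EmptyModlist` handlers left with it; check that the `DN` and `errors` imports in dogtag-ipa-ca-renew-agent-submit.in are still used elsewhere in the helper (the linters in CI will flag them otherwise) and that `cainstance` is already imported, since the hunk adds no import for it. Behaviour is preserved only if cainstance.update_ca_renewal_entry handles NotFound and EmptyModlist itself; the commit message should say so explicitly.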
[Freeipa-devel] [freeipa PR#2919][opened] Add ipa-cert-fix tool
URL: https://github.com/freeipa/freeipa/pull/2919 Author: frasertweedale Title: #2919: Add ipa-cert-fix tool Action: opened PR body: """ The ipa-cert-fix tool wraps `pki-server cert-fix`, performing additional certificate requests for non-Dogtag IPA certificates and performing additional actions. In particular: - Run cert-fix with arguments particular to the IPA deployment. - Update IPA RA certificate in the ipara user entry (if renewed). - Add shared certificates (if renewed) to the ca_renewal LDAP container for replication. - Become the CA renewal master if shared certificates were renewed. This ensures other CA replicas, including the previous CA renewal master if not the current host, pick up those new certificates when Certmonger attempts to renew them. Fixes: https://pagure.io/freeipa/issue/7885 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/2919/head:pr2919 git checkout pr2919 From 9e36259f948197dd61ee2110f5c79fb2885c7116 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 22 Mar 2019 13:37:45 +1100 Subject: [PATCH 1/3] Extract ca_renewal cert update subroutine When the CA renewal master renews certificates that are shared across CA replicas, it puts them in LDAP for the other CA replicas to see. The code to create/update these entries lives in the dogtag-ipa-ca-renew-agent renewal helper, but it will be useful for the ipa-cert-fix program too. Extract it to a subroutine in the cainstance module. Part of: https://pagure.io/freeipa/issue/7885 --- .../dogtag-ipa-ca-renew-agent-submit | 16 +--- ipaserver/install/cainstance.py | 26 +++ 2 files changed, 27 insertions(+), 15 deletions(-) diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit index c33404c18c..c2ba9cb842 100755 --- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit +++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit 
@@ -270,23 +270,9 @@ def store_cert(**kwargs): return (REJECTED, "New certificate requests not supported") cert = x509.load_pem_x509_certificate(cert.encode('ascii')) -dn = DN(('cn', nickname), ('cn', 'ca_renewal'), -('cn', 'ipa'), ('cn', 'etc'), api.env.basedn) try: with ldap_connect() as conn: -try: -entry = conn.get_entry(dn, ['usercertificate']) -entry['usercertificate'] = [cert] -conn.update_entry(entry) -except errors.NotFound: -entry = conn.make_entry( -dn, -objectclass=['top', 'pkiuser', 'nscontainer'], -cn=[nickname], -usercertificate=[cert]) -conn.add_entry(entry) -except errors.EmptyModlist: -pass +cainstance.update_ca_renewal_entry(conn, nickname, cert) except Exception as e: attempts += 1 if attempts < 10: diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index e101087ac2..7562fe11f7 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1711,6 +1711,32 @@ def make_entry(cert, entry): return __update_entry_from_cert(make_filter, make_entry, cert) +def update_ca_renewal_entry(conn, nickname, cert): +""" +Update the ca_renewal entry for the given nickname. + +:param conn: A *connected* LDAP handle +:param nickname: NSSDB nickname +:param cert: python-cryptography X509Certificate + +""" +dn = DN(('cn', nickname), ('cn', 'ca_renewal'), +('cn', 'ipa'), ('cn', 'etc'), api.env.basedn) +try: +entry = conn.get_entry(dn, ['usercertificate']) +entry['usercertificate'] = [cert] +conn.update_entry(entry) +except errors.NotFound: +entry = conn.make_entry( +dn, +objectclass=['top', 'pkiuser', 'nscontainer'], +cn=[nickname], +usercertificate=[cert]) +conn.add_entry(entry) +except errors.EmptyModlist: +pass + + def ensure_ldap_profiles_container(): ensure_entry( DN(('ou', 'certificateProfiles'), ('ou', 'ca'), ('o', 'ipaca')), From 39c77e8c11ea8d672ee934e2eb296668b2af0308 Mon Sep 17 00:00:00 2001 
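Review bot: the replacement call still sits inside the existing `except Exception as e` / `attempts < 10` retry loop, so any exception raised from cainstance.update_ca_renewal_entry, including a plain programming error in the new helper, is now retried up to ten times as though it were a transient LDAP failure. Consider catching only the connection and LDAP error types the retry is meant for, or at least logging `e` on every attempt if that is not already done, so a deterministic failure is visible rather than appearing as a slow timeout.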
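Review bot: update_ca_renewal_entry hardcodes the container DN components ('cn', 'ca_renewal'), ('cn', 'ipa'), ('cn', 'etc') for a second time; the master-bound series (PR #3136 above) carries a 'constants: add ca_renewal container' commit, so build the DN from that container constant rather than repeating the literal. The docstring should also spell out the error contract: NotFound is handled by creating the entry, EmptyModlist (certificate unchanged) is silently ignored, and anything else propagates, including a duplicate-entry error if another writer creates the same entry between get_entry and add_entry, which is acceptable while only the renewal master writes here but worth one sentence.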
From: Fraser Tweedale Date: Fri, 22 Mar 2019 15:22:21 +1100 Subject: [PATCH 2/3] cainstance: add function to determine ca_renewal nickname The ipa-cert-fix program needs to know where to put shared certificates. Add the cainstance.get_ca_renewal_nickname function that determines the nickname based on the given certificate. This code is very similar to (and a bit simpler than) some code in the dogtag-ipa-ca-renew-agent Certmonger renewal helper. We should refactor the renewal helper to use the new function. That will be done in a later commit, so that we can keep the ipa-cert-fix backport small and l
[Freeipa-devel] [freeipa PR#2883][closed] [ipa-4-6] SAN IP address support
URL: https://github.com/freeipa/freeipa/pull/2883 Author: frasertweedale Title: #2883: [ipa-4-6] SAN IP address support Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/2883/head:pr2883 git checkout pr2883
[Freeipa-devel] [freeipa PR#2882][closed] [ipa-4-7] SAN IP address support
URL: https://github.com/freeipa/freeipa/pull/2882 Author: frasertweedale Title: #2882: [ipa-4-7] SAN IP address support Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/2882/head:pr2882 git checkout pr2882