[Freeipa-devel] [PATCH] 358 Do not check if port 8443 is available in step 2 of external CA install
Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4660.

Honza

-- Jan Cholasta

From 1a42a07cfa02753053298c75d3a76cb1cb3bf839 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Wed, 22 Oct 2014 11:18:35 +0200 Subject: [PATCH] Do not check if port 8443 is available in step 2 of external CA install

The port is never available in step 2 of external CA install, as Dogtag is already running. https://fedorahosted.org/freeipa/ticket/4660

--- install/tools/ipa-ca-install | 3 ++- install/tools/ipa-server-install | 9 + 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index cb072e6..1bda22d 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -301,7 +301,8 @@ def install_master(safe_options, options): domain_name = api.env.domain host_name = api.env.host -check_ca() +if external != 2: +check_ca() dirname = dsinstance.config_dirname( dsinstance.realm_to_serverid(realm_name))

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 0394314..67dd21f 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -869,10 +869,11 @@ def main(): # Make sure the 389-ds ports are available check_dirsrv(options.unattended) -if setup_ca: -if not cainstance.check_port(): -print IPA requires port 8443 for PKI but it is currently in use. -sys.exit(Aborting installation) +if setup_ca: +if not cainstance.check_port(): +print (IPA requires port 8443 for PKI but it is currently in + use.) +sys.exit(Aborting installation) if options.conf_ntp: try: -- 1.9.3

___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
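Review bot: in the ipa-ca-install hunk, `external` is not a parameter of install_master(safe_options, options) and is not defined in the visible context, so the new `if external != 2:` guard depends on a module-level name; pass the step explicitly (or derive it from `options`) so the condition can be read at the call site. The guard also skips check_ca() as a whole rather than only the port-8443 test; if check_ca() performs any other pre-flight checks, narrow the guard to the port check so step 2 still gets them.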
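Review bot: in the ipa-server-install hunk, the added `+if setup_ca:` line reads the same as the `-if setup_ca:` it replaces, so the only visible change is that the error message is split across two lines; nothing here skips the port-8443 check in step 2 of the external CA install, which is what the commit message describes. The condition needs to test for the external CA step (for example, that the externally signed CA certificate is being supplied on this run), otherwise ipa-server-install still aborts because Dogtag from step 1 already holds the port.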
[Freeipa-devel] [PATCH] 781 build: increase java stack size for all arches
Gradually, new arches which need a bigger stack size for the web UI build appear. It's safer to increase the stack size for every architecture and avoid possible future issues.

Reason: build fail on armv7hl

-- Petr Vobornik

From 662c7d3b20195a035f20251d0a1e15c2eb382d11 Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Wed, 22 Oct 2014 12:20:05 +0200 Subject: [PATCH] build: increase java stack size for all arches

Gradually, new arches which need a bigger stack size for the web UI build appear. It's safer to increase the stack size for every architecture and avoid possible future issues. Reason: build fail on armv7hl

--- freeipa.spec.in | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in index be13e69255e7612f84aeca22105645b544cc50b5..f3e0b198ae48ddb5c02152c5db3bfdaaf5a7f678 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -320,10 +320,9 @@ This package contains tests that verify IPA functionality. %setup -n freeipa-%{version} -q %build -%ifarch ppc %{power64} s390 s390x aarch64 # UI compilation segfaulted on some arches when the stack was lower (#1040576) export JAVA_STACK_SIZE=8m -%endif + export CFLAGS=%{optflags} $CFLAGS export LDFLAGS=%{__global_ldflags} $LDFLAGS export SUPPORTED_PLATFORM=%{platform_module} -- 1.9.3
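Review bot: in the freeipa.spec.in hunk, the comment kept above the export still says UI compilation segfaulted "on some arches" and cites #1040576, but the %ifarch that listed those arches is removed, so the comment no longer explains why every build now sets JAVA_STACK_SIZE=8m; reword it to say the 8m stack is applied unconditionally because new arches (armv7hl most recently) keep hitting the same crash. The `+` line that takes the place of `%endif` is an empty line; drop it rather than leave a stray blank in the %build section.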
Re: [Freeipa-devel] [PATCH] 781 build: increase java stack size for all arches
On 10/22/2014 12:27 PM, Petr Vobornik wrote:

Gradually, new arches which need a bigger stack size for the web UI build appear. It's safer to increase the stack size for every architecture and avoid possible future issues. Reason: build fail on armv7hl

ACK from me if it really fixes the problem on ARM and does not break other arch builds. I am now not sure why we did not make this setting default in the first place...

Martin
Re: [Freeipa-devel] isolated pkcs11 module
Hello,

On 15.10.2014 16:24, Nikos Mavrogiannopoulos wrote:

Hi, Concerning: https://bugs.freedesktop.org/show_bug.cgi?id=51949#c3 What are your requirements? We currently have working code (but not yet merged) for an isolated security module via p11-kit. Our requirements are to protect private keys by keeping them outside a process' boundary.

FreeIPA has the same requirement in this regard + a couple more.

The main target is to run softhsm (v2) in an isolated mode. If we can

This was our plan too :-)

combine efforts would be nice.

Definitely!

The original intent was to design an LDAP-backed PKCS#11 module which will be used for CA certificate distribution to clients. E.g. SSSD would download the CA certificates managed by FreeIPA to the client and expose them via PKCS#11 to p11-kit. We hope that this would allow almost seamless CA roll-over. This is in scope of https://fedorahosted.org/freeipa/ticket/4322

Later we found out that DNSSEC support in FreeIPA needs to distribute and share private keys among all FreeIPA DNS servers. It seems that an LDAP-backed PKCS#11 backend could be used for the same purpose. The idea of how it can be done in a secure way is described on: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/Keys/Shortterm#Keydistribution

We did not get to coding it yet but the very rough idea was to wrap a local SoftHSM instance and use SSSD to do two-way synchronization between the local HSM and the LDAP backend. It certainly could be extended to handle user credentials too (SSH private keys or passwords in GNOME keyring?).

Jan Cholasta (CCed) can add more details, he is the main architect of this solution :-)

-- Petr^2 Spacek
Re: [Freeipa-devel] [PATCH] 358 Do not check if port 8443 is available in step 2 of external CA install
On 10/22/2014 11:28 AM, Jan Cholasta wrote:

Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4660. Honza

Works for me, ACK.

-- David Kupka
Re: [Freeipa-devel] [PATCH] 781 build: increase java stack size for all arches
On 22.10.2014 13:12, Martin Kosek wrote:

On 10/22/2014 12:27 PM, Petr Vobornik wrote: Gradually, new arches which need a bigger stack size for the web UI build appear. It's safer to increase the stack size for every architecture and avoid possible future issues. Reason: build fail on armv7hl

ACK from me if it really fixes the problem on ARM and does not break other arch builds.

failed build: http://koji.fedoraproject.org/koji/taskinfo?taskID=7927120
successful scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=7928725

I am now not sure why we did not make this setting default in the first place...

IIRC, one of the reasons was that at the beginning it was only for two arches. But the very first patch has something similar, but not configurable through an env. variable.

Pushed to:
ipa-4-0: 4ac55bf52ff0d6817a130bd7d9bc65415c359bec
ipa-4-1: 1300f82b9ce9c42b5314e018fa4989990af6218b
master: 09808c92c001ba8a6d5705e719d63430eeeb3ecb

-- Petr Vobornik
Re: [Freeipa-devel] [PATCH] 358 Do not check if port 8443 is available in step 2 of external CA install
On 22.10.2014 at 13:30, David Kupka wrote:

On 10/22/2014 11:28 AM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4660. Honza

Works for me, ACK.

Thanks. See attachment for ipa-4-0 version of the patch.

-- Jan Cholasta

From dcb53769739e74de865ed54c5ee22f15eb287abc Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Wed, 22 Oct 2014 11:18:35 +0200 Subject: [PATCH] Do not check if port 8443 is available in step 2 of external CA install

The port is never available in step 2 of external CA install, as Dogtag is already running. https://fedorahosted.org/freeipa/ticket/4660

--- install/tools/ipa-server-install | 9 + 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index beb5cfe..3d34d4b 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -803,10 +803,11 @@ def main(): # Make sure the 389-ds ports are available check_dirsrv(options.unattended) -if setup_ca: -if not cainstance.check_port(): -print IPA requires port 8443 for PKI but it is currently in use. -sys.exit(Aborting installation) +if setup_ca: +if not cainstance.check_port(): +print (IPA requires port 8443 for PKI but it is currently in + use.) +sys.exit(Aborting installation) if options.conf_ntp: try: -- 1.9.3
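Review bot: in this ipa-4-0 hunk the added `+if setup_ca:` is identical to the `-if setup_ca:` it removes, so as shown the hunk only rewraps the error message and does not skip the port-8443 check in step 2 of the external CA install as the commit message states; the condition has to test for that step, otherwise the check still fires while Dogtag from step 1 holds the port. Whatever form the condition takes in master, the backport should carry the same test so the two branches behave identically.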
Re: [Freeipa-devel] [PATCH] 358 Do not check if port 8443 is available in step 2 of external CA install
On 22.10.2014 13:57, Jan Cholasta wrote:

On 22.10.2014 at 13:30, David Kupka wrote: On 10/22/2014 11:28 AM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4660. Honza

Works for me, ACK.

Thanks. See attachment for ipa-4-0 version of the patch.

Looks good.

Pushed to:
ipa-4-0: 3cb982bc010216c7613de67ea537ba0dbe8d8342
ipa-4-1: e22cf5bafc4c862a16bd8ac0b950c7547b048ae9
master: 50e66337340ae8f9c243658b58409de4e911d1c4

-- Petr Vobornik
[Freeipa-devel] [PATCH] 354 Modified NSSConnection not to shut down existing database.
The NSSConnection class has been modified not to shut down the existing NSS database if the database is already opened to establish an SSL connection, or is already opened by other code that uses an NSS database without establishing an SSL connection, such as vault CLIs.

Ticket #4638

-- Endi S. Dewata

From d7b05ef151a59e6828b537ac2077d05b74b25903 Mon Sep 17 00:00:00 2001 From: Endi S. Dewata edew...@redhat.com Date: Tue, 16 Sep 2014 20:11:35 -0400 Subject: [PATCH] Modified NSSConnection not to shut down existing database.

The NSSConnection class has been modified not to shut down the existing NSS database if the database is already opened to establish an SSL connection, or is already opened by other code that uses an NSS database without establishing an SSL connection, such as vault CLIs. Ticket #4638

--- ipalib/rpc.py | 34 +++--- ipapython/nsslib.py | 35 +++ 2 files changed, 42 insertions(+), 27 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 5934f0c26e4b7c0a44adbab978c1f9b319d72e9f..001b7f1ca06edadfc7aad635d9d564e517008a63 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -63,6 +63,7 @@ from ipaplatform.paths import paths from ipapython.cookie import Cookie from ipapython.dnsutil import DNSName from ipalib.text import _ +import ipapython.nsslib from ipapython.nsslib import NSSHTTPS, NSSConnection from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \ KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, KRB5_REALM_CANT_RESOLVE
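Review bot: the `+import ipapython.nsslib` added beside the existing `from ipapython.nsslib import NSSHTTPS, NSSConnection` is the right form for reading `current_dbdir`, since that module global is evidently rebound when a database is opened and a from-import would capture its initial None; a one-line comment saying so would stop a later cleanup from folding it into the from-import and silently breaking the no_init decision.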
@@ -450,14 +451,10 @@ class LanguageAwareTransport(MultiProtocolTransport): class SSLTransport(LanguageAwareTransport): Handles an HTTPS transaction to an XML-RPC server. -def __nss_initialized(self, dbdir): +def get_connection_dbdir(self): -If there is another connections open it may have already -initialized NSS. This is likely to lead to an NSS shutdown -failure. One way to mitigate this is to tell NSS to not -initialize if it has already been done in another open connection. - -Returns True if another connection is using the same db. +If there is a connections open it may have already initialized +NSS database. Return the database location used by the connection. for value in context.__dict__.values(): if not isinstance(value, Connection): 
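Review bot: the replacement docstring on get_connection_dbdir reads "If there is a connections open it may have already initialized NSS database"; make it "If another connection is open it may already have initialized the NSS database" and state what is returned when no connection is found. The removed text also recorded why this matters (initializing NSS twice leads to a shutdown failure); keep that rationale in the new docstring, since the code that consumes the return value no longer explains it. Renaming the private `__nss_initialized` to the public `get_connection_dbdir` widens the class's surface; if it is only used inside make_connection, a single leading underscore keeps it internal without name mangling.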
@@ -466,25 +463,32 @@ class SSLTransport(LanguageAwareTransport): getattr(value.conn, '_ServerProxy__transport', None), SSLTransport): continue -if hasattr(value.conn._ServerProxy__transport, 'dbdir') and \ - value.conn._ServerProxy__transport.dbdir == dbdir: -return True -return False +if hasattr(value.conn._ServerProxy__transport, 'dbdir'): +return value.conn._ServerProxy__transport.dbdir +return None def make_connection(self, host): host, self._extra_headers, x509 = self.get_host_info(host) # Python 2.7 changed the internal class used in xmlrpclib from # HTTP to HTTPConnection. We need to use the proper subclass -# If we an existing connection exists using the same NSS database -# there is no need to re-initialize. Pass thsi into the NSS -# connection creator. if sys.version_info = (2, 7): if self._connection and host == self._connection[0]: return self._connection[1] dbdir = getattr(context, 'nss_dir', paths.IPA_NSSDB_DIR) -no_init = self.__nss_initialized(dbdir) +connection_dbdir = self.get_connection_dbdir() + +if connection_dbdir: +# If an existing connection is already using the same NSS +# database there is no need to re-initialize. +no_init = dbdir == connection_dbdir + +else: +# If the NSS database is already being used there is no +# need to re-initialize. +no_init = dbdir == ipapython.nsslib.current_dbdir + if sys.version_info (2, 7): conn = NSSHTTPS(host, 443, dbdir=dbdir, no_init=no_init) else: diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py index 93b0c56fcff4fc69841a6823aae8f694c1f76ff0..1452a2a5844a5fb017d4408aadf56f7fcfc7fa25 100644 --- a/ipapython/nsslib.py +++ b/ipapython/nsslib.py @@ -31,6 +31,9 @@ import nss.ssl as ssl import nss.error as error from ipaplatform.paths import paths +# NSS database currently open +current_dbdir = None + def auth_certificate_callback(sock, check_sig, is_server, certdb): cert_is_valid = False 
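Review bot: in the SSLTransport hunk, get_connection_dbdir returns the dbdir of the first SSLTransport found while iterating context.__dict__.values(), so when two connections with different databases exist the result, and therefore no_init, depends on iteration order; the old code compared every connection against the requested dbdir and did not have that problem. In make_connection the two branches then compute the same kind of test against different sources, and the comment on the first does not say why a dbdir taken from an existing transport should take precedence over ipapython.nsslib.current_dbdir: if current_dbdir is set whenever NSSConnection opens a database, the `else` branch alone covers both cases; if it is not, an open connection on a different dbdir yields no_init=False and NSS is re-initialized under it, which is the shutdown-failure scenario the removed docstring warned about. Either collapse the branches or document the ordering, and carry the warning over.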
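Review bot: the new module global `current_dbdir` in nsslib.py records which database is open, but nothing in the visible hunks clears it on shutdown; if it is left set after NSS is shut down, a later connection on the same dbdir computes no_init=True and skips initialization against a database that is no longer open. Reset it to None on the shutdown path and document that the global is process-wide, so callers that open a different database in the same process know the trade-off.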
@@ -184,19 +187,27 @@ class NSSConnection(httplib.HTTPConnection, NSSAddressFamilyFallback): httplib.HTTPConnection.__init__(self, host, port, strict) NSSAddressFamilyFallback.__init__(self, family) -if
Re: [Freeipa-devel] [PATCH] 352 Fixed KRA backend.
On 10/15/2014 10:59 PM, Endi Sukma Dewata wrote:

The KRA backend has been simplified since most of the tasks have been moved somewhere else. The transport certificate will be installed on the client, and it is not needed by the KRA backend. The KRA agent's PEM certificate is now generated during installation due to a permission issue. The kra_host() for now is removed since the current ldap_enable() cannot register the KRA service, so it is using the kra_host environment variable.

The KRA installer has been modified to use Dogtag's CLI to create the KRA agent and set up the client authentication. The proxy settings have been updated to include KRA's URLs. The certs.install_pem_from_p12() has been updated to generate the proper client certificate using the -clcerts option and also take a password file.

Some constants have been renamed for clarity. The DOGTAG_AGENT_P12 has been renamed to DOGTAG_ADMIN_P12 since the file actually contains the Dogtag admin's certificate and private key and it can be used to access both CA and KRA. The DOGTAG_AGENT_PEM has been renamed to KRA_AGENT_PEM since it can only be used for KRA. Ticket #3872

New patch attached. It's identical to the previous one except I changed the ticket number to #4503.

-- Endi S. Dewata

From a3e5c4f872fade7e88f954452a64c310ba4ae380 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com Date: Wed, 1 Oct 2014 14:59:46 -0400 Subject: [PATCH] Fixed KRA backend.

The KRA backend has been simplified since most of the tasks have been moved somewhere else. The transport certificate will be installed on the client, and it is not needed by the KRA backend. The KRA agent's PEM certificate is now generated during installation due to a permission issue. The kra_host() for now is removed since the current ldap_enable() cannot register the KRA service, so it is using the kra_host environment variable.

The KRA installer has been modified to use Dogtag's CLI to create the KRA agent and set up the client authentication. The proxy settings have been updated to include KRA's URLs. The certs.install_pem_from_p12() has been updated to generate the proper client certificate using the -clcerts option and also take a password file.

Some constants have been renamed for clarity. The DOGTAG_AGENT_P12 has been renamed to DOGTAG_ADMIN_P12 since the file actually contains the Dogtag admin's certificate and private key and it can be used to access both CA and KRA. The DOGTAG_AGENT_PEM has been renamed to KRA_AGENT_PEM since it can only be used for KRA. Ticket #4503

--- install/conf/ipa-pki-proxy.conf | 2 +- ipaplatform/base/paths.py| 4 +- ipaserver/install/cainstance.py | 4 +- ipaserver/install/certs.py | 10 ++-- ipaserver/install/ipa_backup.py | 3 +- ipaserver/install/krainstance.py | 83 --- ipaserver/plugins/dogtag.py | 120 +-- 7 files changed, 100 insertions(+), 126 deletions(-)

diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf index 2370b4d7a7467a7e47c0d223915e018c9a009e83..5d21156848f3b5ddf14c42d92a26a30a9f94af36 100644 --- a/install/conf/ipa-pki-proxy.conf +++ b/install/conf/ipa-pki-proxy.conf
@@ -19,7 +19,7 @@ ProxyRequests Off /LocationMatch # matches for agent port and eeca port -LocationMatch ^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/kra/agent/kra/connector|^/kra/rest/agent/keyrequests|^/kra/rest/agent/keys|^/ca/rest/admin/kraconnector/remove +LocationMatch ^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/kra/agent/kra/connector|^/kra/rest/account|^/kra/rest/agent/keyrequests|^/kra/rest/agent/keys|^/ca/rest/admin/kraconnector/remove NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate NSSVerifyClient require ProxyPassMatch ajp://localhost:$DOGTAG_PORT diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index bbe6eed76ccb3c5f325fd368694ac6a2afbb72f0..01505594a7af926c860f867b817bd397c54efff5 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -138,8 +138,8 @@ class BasePathNamespace(object): HOME_DIR = /home ROOT_IPA_CACHE = /root/.ipa_cache ROOT_PKI = /root/.pki -DOGTAG_AGENT_P12 = /root/ca-agent.p12 -DOGTAG_AGENT_PEM = /etc/httpd/alias/agent.pem +DOGTAG_ADMIN_P12 = /root/ca-agent.p12 +KRA_AGENT_PEM = /etc/httpd/alias/kra-agent.pem CACERT_P12 = /root/cacert.p12 ROOT_IPA_CSR = /root/ipa.csr ROOT_TMP_CA_P12 = /root/tmp-ca.p12 diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 1ae39639ac9702651851e6c3964faa69788db31e..fe95201517a577b9f6dba7642afe09b4eef2328d 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -514,7 +514,7 @@ class CAInstance(DogtagInstance):
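Review bot: in the ipa-pki-proxy.conf hunk, `^/kra/rest/account` is added as an alternative inside the LocationMatch block that carries NSSVerifyClient require; like the existing alternatives it is anchored only at the start, so it covers every path under that prefix. That is the safe direction (more paths demand a client certificate, not fewer), but the comment above the block still reads "matches for agent port and eeca port", so add a note that the KRA account endpoint is placed in the client-cert-required block on purpose.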
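Review bot: in the paths.py hunk the constant is renamed DOGTAG_AGENT_P12 -> DOGTAG_ADMIN_P12 while its value stays /root/ca-agent.p12, so the on-disk name now disagrees with what the commit message says the file holds (the Dogtag admin's key and certificate); either rename the file in a change that also covers ipa_backup.py from the diffstat so existing backups keep restoring, or record the mismatch in a comment next to the constant. KRA_AGENT_PEM moves from /etc/httpd/alias/agent.pem to /etc/httpd/alias/kra-agent.pem, so an agent.pem from an earlier install is left behind at the old path; confirm the upgrade path removes or ignores it.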
Re: [Freeipa-devel] [PATCH] 773-777 ranges: prohibit setting --rid-base with ipa-trust-ad-posix type
Hi, thank you for the patches, comments inline.

On 10/15/2014 02:20 PM, Petr Vobornik wrote:

ticket: https://fedorahosted.org/freeipa/ticket/4221

== [PATCH] 773 ranges: prohibit setting --rid-base with ipa-trust-ad-posix type ==

We should not allow setting --rid-base for ranges of ipa-trust-ad-posix since we do not perform any RID - UID/GID mappings for these ranges (objects have UID/GID set in AD). Thus, setting RID base makes no sense. Since ipaBaseRID is a MUST in ipaTrustedADDomainRange object class, value '0' is allowed and used internally for 'ipa-trust-ad-posix' range type.

We probably don't want to display the first RID if it is 0 and the type is ad-posix. This occurs in idrange-find:

[tbabej@vm-043 labtool]$ ipa idrange-find
2 ranges matched
Range name: DOM043.TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
First Posix ID of the range: 51480
Number of IDs in the range: 20
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 1
Range type: local domain range

Range name: TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
First Posix ID of the range: 1
Number of IDs in the range: 20
First RID of the corresponding RID range: 0
Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726
Range type: Active Directory trust range with POSIX attributes

Number of entries returned 2

And also idrange-show:

[tbabej@vm-043 labtool]$ ipa idrange-show TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
Range name: TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM_id_range
First Posix ID of the range: 1
Number of IDs in the range: 20
First RID of the corresponding RID range: 0
Domain SID of the trusted domain: S-1-5-21-2997650941-1802118864-3094776726
Range type: Active Directory trust range with POSIX attributes

No schema change is done.

== [PATCH] 774 unittests: baserid for ipa-ad-trust-posix idranges ==

Looks good.
== [PATCH] 775 ldapupdater: set baserid to 0 for ipa-ad-trust-posix ranges ==

Can you use the paged_search=True in find_entries instead of having an infinite loop? It would make this code quite a bit cleaner.

New updater plugin which sets baserid to 0 for ranges with type ipa-ad-trust-posix https://fedorahosted.org/freeipa/ticket/4221

== [PATCH] 776 idrange: include raw range type in output ==

iparangetype output is a localized human-readable value which is not suitable for machine-based API consumers. Solved by new iparangetyperaw output attribute which contains iparangetype's raw value.

Note: I don't like this approach. It would be better to return just the raw value and do the transformation in clients. But we do have a precedent: http://www.redhat.com/archives/freeipa-devel/2012-January/msg00190.html

I am not happy about it either. I guess we could create a capability for this, but it would probably be overkill.

== [PATCH] 777 webui: prohibit setting rid base with ipa-trust-ad-posix type ==

Base RID is no longer editable for ipa-trust-ad-posix range type

Adder dialog:
- Range type selector was moved up because it affects a field above it

Details page:
- Only fields relevant to range's type are visible

Looks fine.

On a related note, I added a new ticket https://fedorahosted.org/freeipa/ticket/4661

-- Tomas Babej Associate Software Engineer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org
[Freeipa-devel] [PATCH] 355 Added vault access control.
New LDAP ACIs have been added to allow users to create their own private vault container, to allow owners to manage vaults and containers, and to allow members to use the vaults. New CLIs have been added to manage the owner and member list. For archive and retrieve operations the access control has to be enforced by the plugins because the operations only affect KRA. The LDAP schema has been updated as well.

Ticket #3872

This patch depends on #353-2.

-- Endi S. Dewata

From ccbfa01f40e2ac4c978e5ef0f1fbe167f96793a2 Mon Sep 17 00:00:00 2001 From: Endi S. Dewata edew...@redhat.com Date: Fri, 17 Oct 2014 12:05:34 -0400 Subject: [PATCH] Added vault access control.

New LDAP ACIs have been added to allow users to create their own private vault container, to allow owners to manage vaults and containers, and to allow members to use the vaults. New CLIs have been added to manage the owner and member list. For archive and retrieve operations the access control has to be enforced by the plugins because the operations only affect KRA. The LDAP schema has been updated as well. Ticket #3872

--- API.txt | 134 +-- VERSION | 4 +- install/share/60basev4.ldif | 4 +- install/updates/40-vault.update | 7 ++ ipalib/plugins/vault.py | 233 +++- 5 files changed, 366 insertions(+), 16 deletions(-)

diff --git a/API.txt b/API.txt index cfa6558fcf678e5915a90407da517f9a591a41bf..a46592ec9e82e618154bf09393c83d4b854315c5 100644 --- a/API.txt +++ b/API.txt
@@ -4476,11 +4476,12 @@ output: Output('result', type 'bool', None) output: Output('summary', (type 'unicode', type 'NoneType'), None) output: PrimaryKey('value', None, None) command: vault_add -args: 1,8,3 +args: 1,9,3 arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=False) option: Str('in?', cli_name='in') +option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Str('parent', attribute=False, cli_name='parent', multivalue=False, required=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Flag('rights', autofill=True, default=False) 
@@ -4489,12 +4490,39 @@ option: Str('version?', exclude='webui') output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (type 'unicode', type 'NoneType'), None) output: PrimaryKey('value', None, None) +command: vault_add_member +args: 1,7,3 +arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Str('parent?', cli_name='parent') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', type 'int', None) +output: Output('failed', type 'dict', None) +output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: vault_add_owner +args: 1,7,3 +arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Str('parent?', cli_name='parent') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', type 'int', None) +output: Output('failed', type 'dict', None) 
+output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) command: vault_archive -args: 1,10,3 +args: 1,11,3 arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option:
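Review bot: the vault_add_member and vault_add_owner hunks take the same `user*` and `group*` options, so ownership and membership can both be granted to groups; because the commit message says archive and retrieve access control is enforced in the plugin rather than by the LDAP ACIs, the plugin check must resolve group (including nested group) membership exactly as the ACIs do, or a user could be an owner for LDAP purposes and not for KRA operations, or the other way round. A test that grants owner and member through a group and then exercises archive and retrieve as a group member would pin that down.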
Re: [Freeipa-devel] [PATCH] 353 Added initial vault implementation.
On 10/16/2014 4:12 PM, Endi Sukma Dewata wrote:

On 10/15/2014 10:59 PM, Endi Sukma Dewata wrote: The NSSConnection class has to be modified not to shut down the existing database because some of the vault clients (e.g. vault-archive and vault-retrieve) also use a database to encrypt/decrypt the secret. The problem is described in more detail in this ticket: https://fedorahosted.org/freeipa/ticket/4638

The changes to the NSSConnection in the first patch caused the installation to fail. Attached is a new patch that uses the solution proposed by jdennis.

New patch attached. It's now using the correct OIDs for the schema. It also has been rebased on top of #352-1 and #354.

-- Endi S. Dewata

From 2284f5684149e9fdfb7cde13865fe28e265ff5a3 Mon Sep 17 00:00:00 2001 From: Endi S. Dewata edew...@redhat.com Date: Tue, 21 Oct 2014 10:57:08 -0400 Subject: [PATCH] Added initial vault implementation.

This patch provides the initial vault implementation which allows the admin to create a vault, archive a secret, and retrieve the secret using a standard vault. It also includes the initial LDAP schema.

It currently has limitations including:
- The vault only supports the standard vault type.
- The vault can only be used by the admin user.
- The transport certificate has to be installed manually.

These limitations, other vault features, schema and ACL changes will be addressed in subsequent patches. Ticket #3872

--- API.txt| 160 VERSION| 4 +- install/share/60basev4.ldif| 3 + install/share/Makefile.am | 1 + install/share/copy-schema-to-ca.py | 1 + install/updates/40-vault.update| 27 ++ install/updates/Makefile.am| 1 + ipa-client/man/default.conf.5 | 1 + ipalib/constants.py| 1 + ipalib/plugins/user.py | 9 + ipalib/plugins/vault.py| 724 + ipaserver/install/dsinstance.py| 1 + 12 files changed, 931 insertions(+), 2 deletions(-) create mode 100644 install/share/60basev4.ldif create mode 100644 install/updates/40-vault.update create mode 100644 ipalib/plugins/vault.py
diff --git a/API.txt b/API.txt index 491d7a76fd1d2d50208d314d1600839ce295..cfa6558fcf678e5915a90407da517f9a591a41bf 100644 --- a/API.txt +++ b/API.txt 
@@ -4475,6 +4475,166 @@ option: Str('version?', exclude='webui') output: Output('result', type 'bool', None) output: Output('summary', (type 'unicode', type 'NoneType'), None) output: PrimaryKey('value', None, None) +command: vault_add +args: 1,8,3 +arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=False) +option: Str('in?', cli_name='in') +option: Str('parent', attribute=False, cli_name='parent', multivalue=False, required=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Flag('rights', autofill=True, default=False) +option: Bytes('secret', attribute=True, cli_name='secret', multivalue=False, required=False) +option: Str('version?', exclude='webui') +output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (type 'unicode', type 'NoneType'), None) +output: PrimaryKey('value', None, None) +command: vault_archive +args: 1,10,3 +arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Bytes('encrypted_data?', cli_name='encrypted_data') +option: Str('in?', cli_name='in') +option: Bytes('nonce?', cli_name='nonce') +option: Str('parent?', cli_name='parent') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Flag('rights', autofill=True, default=False) +option: Bytes('secret?', cli_name='secret') +option: Str('version?', exclude='webui') +option: 
Bytes('wrapped_session_key?', cli_name='wrapped_session_key') +output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (type 'unicode', type 'NoneType'), None) +output: PrimaryKey('value', None, None) +command: vault_del +args: 1,3,3 +arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=True, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) +option: Flag('continue', autofill=True, cli_name='continue', default=False) +option: Str('parent?',
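Review bot: in the API.txt hunk, vault_archive accepts both `Bytes('secret?', ...)` and the client-side encryption triple `encrypted_data?`, `nonce?` and `wrapped_session_key?`, and vault_add also takes `Bytes('secret', ...)`; the signatures do not express that the plaintext form and the encrypted form are alternatives, so the plugin should reject a call that supplies both or neither, and the help text should say that the plaintext `secret` option sends the secret over the RPC channel to the IPA server rather than end-to-end to the KRA, so that callers know which path they are on.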
[Freeipa-devel] [PATCH] 356 Added command to retrieve vault transport certificate.
A new command has been added to retrieve the vault transport certificate and optionally save it into a file. The vault archive and retrieve commands have been modified to retrieve the transport certificate and store it locally for subsequent usage. This way it's no longer necessary to manually import the transport certificate into the client's NSS database.
Ticket #3872
This patch depends on #355.
-- Endi S. Dewata
From abeda85904f7247f1f0d679a71a7094bb2cefe0c Mon Sep 17 00:00:00 2001 From: Endi S. Dewata edew...@redhat.com Date: Wed, 22 Oct 2014 10:02:25 -0400 Subject: [PATCH] Added command to retrieve vault transport certificate. A new command has been added to retrieve the vault transport certificate and optionally save it into a file. The vault archive and retrieve commands have been modified to retrieve the transport certificate and store it locally for subsequent usage. This way it's no longer necessary to manually import the transport certificate into the client's NSS database. Ticket #3872 --- API.txt | 5 +++ VERSION | 4 +-- ipalib/plugins/vault.py | 85 +++-- 3 files changed, 89 insertions(+), 5 deletions(-) diff --git a/API.txt b/API.txt index a46592ec9e82e618154bf09393c83d4b854315c5..95b86ce84f5bc9f1d879e561e07b0348d719c90e 100644 --- a/API.txt +++ b/API.txt @@ -4629,6 +4629,11 @@ option: Str('version?', exclude='webui') output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (type 'unicode', type 'NoneType'), None) output: PrimaryKey('value', None, None) +command: vault_transport_cert +args: 0,2,1 +option: Str('out?', cli_name='out') +option: Str('version?', exclude='webui') +output: Output('result', None, None) command: vaultcontainer_add args: 1,8,3 arg: Str('cn', attribute=True, cli_name='container_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True)
diff --git a/VERSION b/VERSION index c471ed80af6a2c26be7fc89281ae60fac6c68577..d0ada131b700e93faa8c4946b811db36d76341a9 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412 # # IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=110 -# Last change: edewata - added vault access control +IPA_API_VERSION_MINOR=111 +# Last change: edewata - added vault transport certificate diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py index 95f96859235af1c477c8f5738a27571d64aabe3a..871c3e3a25c688a64ba0ecfde5ccbd50b47fbe01 100644 --- a/ipalib/plugins/vault.py +++ b/ipalib/plugins/vault.py @@ -24,6 +24,8 @@ import shutil import string import tempfile +import nss.nss as nss + import pki import pki.account import pki.crypto @@ -109,7 +111,7 @@ EXAMPLES: ) register = Registry() -transport_cert_nickname = KRA Transport Certificate +transport_cert_filename = vault-transport.pem @register() class vaultcontainer(LDAPObject): 
@@ -628,6 +630,63 @@ class vault_show(LDAPRetrieve): @register() +class vault_transport_cert(Command): +__doc__ = _('Retrieve vault transport certificate.') + + +# list of attributes we want exported to JSON +json_friendly_attributes = ( +'takes_args', +) + +takes_options = ( +Str('out?', +cli_name='out', +doc=_('Output file to store the transport certificate'), +), +) + +has_output_params = ( +Str('certificate', +label=_('Certificate'), +), +) + +def __json__(self): +json_dict = dict( +(a, getattr(self, a)) for a in self.json_friendly_attributes +) +json_dict['takes_options'] = list(self.get_json_options()) +return json_dict + +def execute(self, *args, **options): + +kra_client = api.Backend.kra.get_client() +transport_cert = kra_client.system_certs.get_transport_cert() +return { +'result': { +'certificate': transport_cert.encoded +} +} + +def forward(self, *args, **options): + +file = options.get('out') + +# don't send these parameters to server +if 'out' in options: +del options['out'] + +response = super(vault_transport_cert, self).forward(*args, **options) + +if file: +with open(file, 'w') as f: +f.write(response['result']['certificate']) + +return response + + +@register() class vault_archive(LDAPRetrieve): __doc__ = _('Archive a secret into a vault.') @@ -743,7 +802,17 @@ class vault_archive(LDAPRetrieve): nonce = crypto.generate_nonce_iv() session_key = crypto.generate_session_key() -nss_transport_cert = crypto.get_cert(transport_cert_nickname) + +
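Review bot: in the API.txt hunk, `+output: Output('result', None, None)` for `vault_transport_cert` leaves the result untyped, while the neighbouring commands in the same file type theirs (`Output('result', type 'bool', None)`, `Entry('result', type 'dict', ...)`) and the plugin itself returns a dict with a `certificate` key; declare it as `output: Output('result', type 'dict', None)` so API.txt describes what the command actually returns.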
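Review bot: in the vault.py hunk at `@@ -109,7 +111,7 @@`, `+transport_cert_filename = vault-transport.pem` (the string quotes appear stripped in this archive rendering) replaces the NSS-database nickname with a bare file name, and from this point on that cached file is what the client encrypts archived secrets to. The hunk should state where the name is resolved (a fixed directory owned by the invoking user, not the current working directory), and the code that loads it should refuse a file writable by other users, since a substituted certificate would leave archived secrets readable by whoever holds the matching private key instead of the KRA. Also, `+import nss.nss as nss` has no use in the visible hunks; if it is only needed in the truncated `vault_archive` change that is fine, otherwise drop it.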
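Review bot: in `vault_transport_cert.forward()`, `with open(file, 'w') as f:` silently overwrites whatever already exists at the path given with the `out` option, and `response['result']['certificate']` raises a bare `KeyError` if the server reply carries no certificate; check that the target does not already exist (or document that it is replaced), catch `IOError` and report the offending path, and rename `file` to `filename` since it shadows the builtin. `execute()` performs no permission check, which is acceptable for a public transport certificate but deserves a comment saying so. Missing documentation: the module `EXAMPLES:` block (visible in the `@@ -109,7 +111,7 @@ EXAMPLES:` context) should gain a usage line for the new command and its `out` option.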