Re: [Freeipa-devel] [PATCH 0074] Make token window sizes configurable
On Thu, 2014-10-23 at 18:07 -0400, Nathaniel McCallum wrote: This patch gives the administrator variables to control the size of the authentication and synchronization windows for OTP tokens. https://fedorahosted.org/freeipa/ticket/4511 NOTE: There is one known issue with this patch which I don't know how to solve. This patch changes the schema in install/share/60ipaconfig.ldif. On an upgrade, all of the new attributeTypes appear correctly. However, the modifications to the pre-existing objectClass do not show up on the server. What am I doing wrong? After modifying ipaGuiConfig manually, everything in this patch works just fine. This new version takes into account the new (proper) OIDs and attribute names. The above known issue still remains. Nathaniel From 70c85c066316acb7b15739c608c90ba1c0c38cbc Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum npmccal...@redhat.com Date: Thu, 23 Oct 2014 15:18:26 -0400 Subject: [PATCH] Make token window sizes configurable This patch gives the administrator variables to control the size of the authentication and synchronization windows for OTP tokens. https://fedorahosted.org/freeipa/ticket/4511 --- API.txt | 6 +- VERSION | 4 +- daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.c | 195 +- daemons/ipa-slapi-plugins/ipa-pwd-extop/authcfg.h | 17 ++ daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 77 +++-- daemons/ipa-slapi-plugins/ipa-pwd-extop/syncreq.c | 5 +- daemons/ipa-slapi-plugins/libotp/libotp.c | 133 +++ daemons/ipa-slapi-plugins/libotp/libotp.h | 30 ++-- install/share/60ipaconfig.ldif| 7 +- install/ui/src/freeipa/serverconfig.js| 10 ++ install/ui/test/data/ipa_init.json| 3 +- install/updates/40-otp.update | 6 + ipalib/plugins/config.py | 31 +++- ipalib/plugins/internal.py| 1 + 14 files changed, 334 insertions(+), 191 deletions(-) diff --git a/API.txt b/API.txt index 491d7a76fd1d2d50208d314d1600839ce295..4f204d0fa2e33dc4c9202645e111c25d2a545d70 100644 --- a/API.txt +++ b/API.txt 
@@ -514,7 +514,7 @@ args: 0,1,1 option: Str('version?', exclude='webui') output: Output('result', None, None) command: config_mod -args: 0,25,3 +args: 0,29,3 option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('delattr*', cli_name='delattr', exclude='webui') @@ -525,6 +525,8 @@ option: Str('ipadefaultprimarygroup', attribute=True, autofill=False, cli_name=' option: Str('ipagroupobjectclasses', attribute=True, autofill=False, cli_name='groupobjectclasses', csv=True, multivalue=True, required=False) option: IA5Str('ipagroupsearchfields', attribute=True, autofill=False, cli_name='groupsearch', multivalue=False, required=False) option: IA5Str('ipahomesrootdir', attribute=True, autofill=False, cli_name='homedirectory', multivalue=False, required=False) +option: Int('ipahotpauthwindow', attribute=True, autofill=False, cli_name='hotp_auth_window', maxvalue=1000, minvalue=1, multivalue=False, required=False) +option: Int('ipahotpsyncwindow', attribute=True, autofill=False, cli_name='hotp_sync_window', maxvalue=1000, minvalue=1, multivalue=False, required=False) option: StrEnum('ipakrbauthzdata', attribute=True, autofill=False, cli_name='pac_type', csv=True, multivalue=True, required=False, values=(u'MS-PAC', u'PAD', u'nfs:NONE')) option: Int('ipamaxusernamelength', attribute=True, autofill=False, cli_name='maxusername', minvalue=1, multivalue=False, required=False) option: Bool('ipamigrationenabled', attribute=True, autofill=False, cli_name='enable_migration', multivalue=False, required=False) 
@@ -533,6 +535,8 @@ option: Int('ipasearchrecordslimit', attribute=True, autofill=False, cli_name='s option: Int('ipasearchtimelimit', attribute=True, autofill=False, cli_name='searchtimelimit', minvalue=-1, multivalue=False, required=False) option: Str('ipaselinuxusermapdefault', attribute=True, autofill=False, cli_name='ipaselinuxusermapdefault', multivalue=False, required=False) option: Str('ipaselinuxusermaporder', attribute=True, autofill=False, cli_name='ipaselinuxusermaporder', multivalue=False, required=False) +option: Int('ipatotpauthwindow', attribute=True, autofill=False, cli_name='totp_auth_window', maxvalue=2678400, minvalue=30, multivalue=False, required=False) +option: Int('ipatotpsyncwindow', attribute=True, autofill=False, cli_name='totp_sync_window', maxvalue=2678400, minvalue=30, multivalue=False, required=False) option: StrEnum('ipauserauthtype', attribute=True, autofill=False, cli_name='user_auth_type', csv=True, multivalue=True, required=False, values=(u'password', u'radius', u'otp')) option: Str('ipauserobjectclasses', attribute=True, autofill=False,
[Freeipa-devel] [PATCH, slapi-nis] ID view-related patches to slapi-nis
Hi, two patches to slapi-nis are attached: - make sure only DNs from the schema-compat trees are targeted for ID view replacement. This solves issue of https://bugzilla.redhat.com/show_bug.cgi?id=1157989 found by Sumit. - support ID overrides in the BIND callback. So far the only thing we need is overriding uid. They need to be applied in this order, on top of 0.54 release version of slapi-nis. -- / Alexander Bokovoy From 4645af44d48c81d8332020eb390db877ab179b3b Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Tue, 28 Oct 2014 10:09:47 +0200 Subject: [PATCH 1/2] ID views: ignore searches for views outside the subtrees of schema-compat sets schema-compat plugin may provide multiple disjoint subtrees which can be used to request overridden entries by prefixing the subtree suffix with a cn=name of view,cn=views,subtree suffix As subtrees may be disjoint, we cannot rely on the common suffix. Thus, any attempt to replace target DN and update filter terms must only be done once we are sure the search will be done in the subtree. This optimization prevents mistakenly changing the search filter when FreeIPA and SSSD search for the ID overrides themselves, as the same structure of the target DN is used for cn=views,cn=accounts,$SUFFIX subtree in FreeIPA. This subtree is never handled by slapi-nis and should be ignored. https://bugzilla.redhat.com/show_bug.cgi?id=1157989 --- src/back-sch-idview.c | 11 +-- src/back-sch.c| 83 +-- 2 files changed, 83 insertions(+), 11 deletions(-) diff --git a/src/back-sch-idview.c b/src/back-sch-idview.c index 5a2b450..a56a9e9 100644 --- a/src/back-sch-idview.c +++ b/src/back-sch-idview.c 
@@ -334,6 +334,10 @@ idview_process_filter_cb(Slapi_Filter *filter, const char *filter_type, struct b slapi_ber_bvdone(bval); slapi_ber_bvcpy(bval, slapi_value_get_berval(anchor_val)); config-override_found = TRUE; + slapi_log_error(SLAPI_LOG_PLUGIN, cbdata-state-plugin_desc-spd_id, + Overriding the filter %s with %s=%*s from the override %s\n., + filter_type, filter_type, bval-bv_len, bval-bv_val, + slapi_entry_get_dn_const(cbdata-overrides[i])); break; } } @@ -346,6 +350,11 @@ idview_process_filter_cb(Slapi_Filter *filter, const char *filter_type, struct b slapi_ber_bvdone(bval); slapi_ber_bvcpy(bval, slapi_value_get_berval(anchor_val)); config-override_found = TRUE; + slapi_log_error(SLAPI_LOG_PLUGIN, cbdata-state-plugin_desc-spd_id, + Overriding the filter %s with %s=%*s from the override %s\n., + filter_type, IPA_IDVIEWS_ATTR_ANCHORUUID, + bval-bv_len, bval-bv_val, + slapi_entry_get_dn_const(cbdata-overrides[i])); break; } @@ -366,8 +375,6 @@ idview_process_filter_cb(Slapi_Filter *filter, const char *filter_type, struct b * * Note that in reality we don't use original value of the uid/cn attribue. Instead, we use ipaAnchorUUID * to refer to the original entry. */ -extern char * -slapi_filter_to_string( const struct slapi_filter *f, char *buf, size_t bufsize ); void idview_replace_filter(struct backend_search_cbdata *cbdata) { diff --git a/src/back-sch.c b/src/back-sch.c index 27d5101..902adb2 100644 --- a/src/back-sch.c +++ b/src/back-sch.c 
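Review bot: The new slapi_log_error() calls in the hunks at @@ -334 and @@ -346 pass bval->bv_len as the argument of `%*s`, which is a minimum field width rather than a length limit: the string is still printed up to the first NUL byte, and a berval is not guaranteed to be NUL-terminated, so the log line can read past the value; the width argument must also be an int while bv_len is not. Use a precision instead, `"Overriding the filter %s with %s=%.*s from the override %s\n", filter_type, filter_type, (int)bval->bv_len, bval->bv_val, slapi_entry_get_dn_const(cbdata->overrides[i])`, in both places. The quoting of the format literal is garbled in this rendering, so the exact string should be checked against the source. The enclosing function idview_process_filter_cb starts before these hunks.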
@@ -1166,6 +1166,44 @@ backend_search_set_cb(const char *group, const char *set, bool_t flag, return TRUE; } +/* Routines to search if a target DN is within any of the sets we handle */ +static bool_t +backend_search_find_set_dn_in_group_cb(const char *group, const char *set, bool_t flag, +void *backend_data, void *cb_data) +{ + struct backend_search_cbdata *cbdata; + struct backend_set_data *set_data; + + cbdata = cb_data; + set_data = backend_data; + + if (slapi_sdn_scope_test(cbdata-target_dn, +set_data-container_sdn, +cbdata-scope) == 1) { + cbdata-answer = TRUE; + } + + if (slapi_sdn_compare(set_data-container_sdn, +
Re: [Freeipa-devel] [PATCH] 352 Fixed KRA backend.
Thanks for the review. New patch attached. On 10/23/2014 3:59 AM, Petr Viktorin wrote: In IPA we usually include the full ticket URL, not just the number. Fixed. The build fails with a lint message: * Module ipaserver.plugins.dogtag ipaserver/plugins/dogtag.py:1903: [E1123(unexpected-keyword-arg), kra.get_client] Unexpected keyword argument 'password_file' in constructor call) ipaserver/plugins/dogtag.py:1903: [E1120(no-value-for-parameter), kra.get_client] No value for argument 'certdb_password' in constructor call) I have pki-base-10.2.0-3.fc21.noarch, where NSSCryptoProvider indeed takes password and not password_file. If a newer version is required you should put it in the spec. Fixed. Dependency is bumped to 10.2.1-0.1 which is available from my COPR repo: dnf copr enable edewata/pki ipaserver.install.certs.CertDB.install_pem_from_p12: If p12_passwd is missing and pwd_fname is None, this will crash. Please document how the method should be called. And assert that exactly one of p12_passwd and pwd_fname is given. I reverted this change because the KRA backend actually no longer uses install_pem_from_p12(). The KRA backend is now using the CLI from the new Dogtag which generates the proper PEM format for client authentication, so I'll leave install_pem_from_p12() unmodified because it's still used by KrbInstance. ipaserver.plugins.dogtag.kra.get_client: Should every caller check if this returns None? If not, raise an exception instead. If yes, at least mention it in a docstring. Fixed. It's now raising a generic exception. Is there an existing exception that is more appropriate for backend issues like this? Typo in commit message: modified to use Dogtag's CLI *go* create Fixed. -- Endi S. Dewata From 6f1f289f32dd68c85c09a41422e5b2e0c204ee4c Mon Sep 17 00:00:00 2001 
From: Endi S. Dewata edew...@redhat.com Date: Wed, 1 Oct 2014 14:59:46 -0400 Subject: [PATCH] Fixed KRA backend. The KRA backend has been simplified since most of the tasks have been moved somewhere else. The transport certificate will be installed on the client, and it is not needed by KRA backend. The KRA agent's PEM certificate is now generated during installation due to permission issue. The kra_host() for now is removed since the current ldap_enable() cannot register the KRA service, so it is using the kra_host environment variable. The KRA installer has been modified to use Dogtag's CLI to create KRA agent and setup the client authentication. The proxy settings have been updated to include KRA's URLs. Some constants have been renamed for clarity. The DOGTAG_AGENT_P12 has been renamed to DOGTAG_ADMIN_P12 since file actually contains the Dogtag admin's certificate and private key and it can be used to access both CA and KRA. The DOGTAG_AGENT_PEM has been renamed to KRA_AGENT_PEM since it can only be used for KRA. The Dogtag dependency has been updated to 10.2.1-0.1. https://fedorahosted.org/freeipa/ticket/4503 --- freeipa.spec.in | 4 +- install/conf/ipa-pki-proxy.conf | 2 +- ipaplatform/base/paths.py| 4 +- ipaserver/install/cainstance.py | 4 +- ipaserver/install/ipa_backup.py | 3 +- ipaserver/install/krainstance.py | 83 +++--- ipaserver/plugins/dogtag.py | 122 ++- 7 files changed, 101 insertions(+), 121 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 8fcb535e229db4f7a8eaaee3c99b18446eef7f1e..dc04be48b2bb52ff05f9fab371c4b333a15d24ca 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -130,8 +130,8 @@ Requires(post): systemd-units Requires: selinux-policy = %{selinux_policy_version} Requires(post): selinux-policy-base Requires: slapi-nis = 0.54-1 -Requires: pki-ca = 10.2.0-3 -Requires: pki-kra = 10.2.0 +Requires: pki-ca = 10.2.1-0.1 +Requires: pki-kra = 10.2.1-0.1 %if 0%{?rhel} Requires: subscription-manager %endif 
diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf index 2370b4d7a7467a7e47c0d223915e018c9a009e83..5d21156848f3b5ddf14c42d92a26a30a9f94af36 100644 --- a/install/conf/ipa-pki-proxy.conf +++ b/install/conf/ipa-pki-proxy.conf @@ -19,7 +19,7 @@ ProxyRequests Off /LocationMatch # matches for agent port and eeca port -LocationMatch ^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/kra/agent/kra/connector|^/kra/rest/agent/keyrequests|^/kra/rest/agent/keys|^/ca/rest/admin/kraconnector/remove +LocationMatch ^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/kra/agent/kra/connector|^/kra/rest/account|^/kra/rest/agent/keyrequests|^/kra/rest/agent/keys|^/ca/rest/admin/kraconnector/remove NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate NSSVerifyClient require ProxyPassMatch
Re: [Freeipa-devel] [PATCH] 354 Modififed NSSConnection not to shutdown existing database.
On 10/22/2014 9:15 AM, Endi Sukma Dewata wrote: The NSSConnection class has been modified not to shutdown the existing NSS database if the database is already opened to establish an SSL connection, or is already opened by another code that uses an NSS database without establishing an SSL connection such as vault CLIs. Ticket #4638 New patch attached. It's identical except for the ticket URL in the commit log. -- Endi S. Dewata From 34bd77959687673db9fbf71c443b6ffe5ed4ca71 Mon Sep 17 00:00:00 2001 From: Endi S. Dewata edew...@redhat.com Date: Tue, 16 Sep 2014 20:11:35 -0400 Subject: [PATCH] Modififed NSSConnection not to shutdown existing database. The NSSConnection class has been modified not to shutdown the existing NSS database if the database is already opened to establish an SSL connection, or is already opened by another code that uses an NSS database without establishing an SSL connection such as vault CLIs. https://fedorahosted.org/freeipa/ticket/4638 --- ipalib/rpc.py | 34 +++--- ipapython/nsslib.py | 35 +++ 2 files changed, 42 insertions(+), 27 deletions(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 5934f0c26e4b7c0a44adbab978c1f9b319d72e9f..001b7f1ca06edadfc7aad635d9d564e517008a63 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -63,6 +63,7 @@ from ipaplatform.paths import paths from ipapython.cookie import Cookie from ipapython.dnsutil import DNSName from ipalib.text import _ +import ipapython.nsslib from ipapython.nsslib import NSSHTTPS, NSSConnection from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \ KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, KRB5_REALM_CANT_RESOLVE 
@@ -450,14 +451,10 @@ class LanguageAwareTransport(MultiProtocolTransport): class SSLTransport(LanguageAwareTransport): Handles an HTTPS transaction to an XML-RPC server. -def __nss_initialized(self, dbdir): +def get_connection_dbdir(self): -If there is another connections open it may have already -initialized NSS. This is likely to lead to an NSS shutdown -failure. One way to mitigate this is to tell NSS to not -initialize if it has already been done in another open connection. - -Returns True if another connection is using the same db. +If there is a connections open it may have already initialized +NSS database. Return the database location used by the connection. for value in context.__dict__.values(): if not isinstance(value, Connection): 
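Review bot: The new docstring on get_connection_dbdir is ungrammatical and no longer says what the method returns when no connection is open; suggest `If there is a connection open it may have already initialized an NSS database. Return the database location used by that connection, or None if no such connection is open.` The rename also turns the name-mangled `__nss_initialized` into a public method; if make_connection is its only caller, `_get_connection_dbdir` keeps it out of the transport's public surface. Note that it returns the database of the first transport found with a `dbdir` attribute, so with several connections on different databases only the first is considered. The method body continues past this hunk.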
@@ -466,25 +463,32 @@ class SSLTransport(LanguageAwareTransport): getattr(value.conn, '_ServerProxy__transport', None), SSLTransport): continue -if hasattr(value.conn._ServerProxy__transport, 'dbdir') and \ - value.conn._ServerProxy__transport.dbdir == dbdir: -return True -return False +if hasattr(value.conn._ServerProxy__transport, 'dbdir'): +return value.conn._ServerProxy__transport.dbdir +return None def make_connection(self, host): host, self._extra_headers, x509 = self.get_host_info(host) # Python 2.7 changed the internal class used in xmlrpclib from # HTTP to HTTPConnection. We need to use the proper subclass -# If we an existing connection exists using the same NSS database -# there is no need to re-initialize. Pass thsi into the NSS -# connection creator. if sys.version_info = (2, 7): if self._connection and host == self._connection[0]: return self._connection[1] dbdir = getattr(context, 'nss_dir', paths.IPA_NSSDB_DIR) -no_init = self.__nss_initialized(dbdir) +connection_dbdir = self.get_connection_dbdir() + +if connection_dbdir: +# If an existing connection is already using the same NSS +# database there is no need to re-initialize. +no_init = dbdir == connection_dbdir + +else: +# If the NSS database is already being used there is no +# need to re-initialize. +no_init = dbdir == ipapython.nsslib.current_dbdir + if sys.version_info (2, 7): conn = NSSHTTPS(host, 443, dbdir=dbdir, no_init=no_init) else: diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py index 93b0c56fcff4fc69841a6823aae8f694c1f76ff0..1452a2a5844a5fb017d4408aadf56f7fcfc7fa25 100644 --- a/ipapython/nsslib.py +++ b/ipapython/nsslib.py @@ -31,6 +31,9 @@ import nss.ssl as ssl import nss.error as error from ipaplatform.paths import paths +# NSS database currently open +current_dbdir = None + def auth_certificate_callback(sock, check_sig, is_server, certdb): cert_is_valid = False @@ -184,19 +187,27 @@ class NSSConnection(httplib.HTTPConnection,
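Review bot: In make_connection the new if/else only selects which recorded database to compare against, so it reduces to `existing_dbdir = connection_dbdir or ipapython.nsslib.current_dbdir` and `no_init = dbdir == existing_dbdir`, with the two comments merged into one. The more important case is when another transport is open on a different database: the result is `no_init = False`, and what NSSConnection then does to that still-open database is decided in the nsslib hunk that is cut off at the end of this section; the removed docstring called this the NSS shutdown-failure case, so that branch deserves either a comment stating it is safe or an explicit error instead of a silent re-initialization. The comparison is plain string equality, so if `context.nss_dir` and the path nsslib records can differ in form (trailing slash, relative path) they should be normalized before comparing — cannot confirm from here.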
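Review bot: In the nsslib.py hunk at @@ -31,6 +31,9 the new module-level `current_dbdir` is read from ipalib.rpc by attribute, but the comment `# NSS database currently open` does not say which code sets and clears it or what None means; the NSSConnection hunk that presumably maintains it is cut off at the end of this section. Suggest a comment naming the writer (presumably NSSConnection), stating that None means no database is initialized, and that ipalib.rpc.SSLTransport.make_connection compares it with the requested dbdir to decide whether NSS may be re-initialized, so the value must be kept in the same form as `context.nss_dir` for that comparison to work.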
Re: [Freeipa-devel] [PATCH] 353 Added initial vault implementation.
On 10/22/2014 3:04 PM, Endi Sukma Dewata wrote: On 10/16/2014 4:12 PM, Endi Sukma Dewata wrote: On 10/15/2014 10:59 PM, Endi Sukma Dewata wrote: The NSSConnection class has to be modified not to shutdown existing database because some of the vault clients (e.g. vault-archive and vault-retrieve) also use a database to encrypt/decrypt the secret. The problem is described in more detail in this ticket: https://fedorahosted.org/freeipa/ticket/4638 The changes to the NSSConnection in the first patch caused the installation to fail. Attached is a new patch that uses the solution proposed by jdennis. New patch attached. It's now using the correct OID's for the schema. It also has been rebased on top of #352-1 and #354. New patch attached to fix the ticket URL. It depends on #352-2 and #354-1. -- Endi S. Dewata From cd3daa901f7139801ea61ae1e2716810da131bcc Mon Sep 17 00:00:00 2001 
From: Endi S. Dewata edew...@redhat.com Date: Tue, 21 Oct 2014 10:57:08 -0400 Subject: [PATCH] Added initial vault implementation. This patch provides the initial vault implementation which allows the admin to create a vault, archive a secret, and retrieve the secret using a standard vault. It also included the initial LDAP schema. It currently has limitations including: - The vault only supports the standard vault type. - The vault can only be used by the admin user. - The transport certificate has to be installed manually. These limitations, other vault features, schema and ACL changes will be addressed in subsequent patches. https://fedorahosted.org/freeipa/ticket/3872 --- API.txt| 160 VERSION| 4 +- install/share/60basev4.ldif| 3 + install/share/Makefile.am | 1 + install/share/copy-schema-to-ca.py | 1 + install/updates/40-vault.update| 27 ++ install/updates/Makefile.am| 1 + ipa-client/man/default.conf.5 | 1 + ipalib/constants.py| 1 + ipalib/plugins/user.py | 9 + ipalib/plugins/vault.py| 724 + ipaserver/install/dsinstance.py| 1 + 12 files changed, 931 insertions(+), 2 deletions(-) create mode 100644 install/share/60basev4.ldif create mode 100644 install/updates/40-vault.update create mode 100644 ipalib/plugins/vault.py diff --git a/API.txt b/API.txt index 491d7a76fd1d2d50208d314d1600839ce295..cfa6558fcf678e5915a90407da517f9a591a41bf 100644 --- a/API.txt +++ b/API.txt 
@@ -4475,6 +4475,166 @@ option: Str('version?', exclude='webui') output: Output('result', type 'bool', None) output: Output('summary', (type 'unicode', type 'NoneType'), None) output: PrimaryKey('value', None, None) +command: vault_add +args: 1,8,3 +arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=False) +option: Str('in?', cli_name='in') +option: Str('parent', attribute=False, cli_name='parent', multivalue=False, required=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Flag('rights', autofill=True, default=False) +option: Bytes('secret', attribute=True, cli_name='secret', multivalue=False, required=False) +option: Str('version?', exclude='webui') +output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (type 'unicode', type 'NoneType'), None) +output: PrimaryKey('value', None, None) +command: vault_archive +args: 1,10,3 +arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Bytes('encrypted_data?', cli_name='encrypted_data') +option: Str('in?', cli_name='in') +option: Bytes('nonce?', cli_name='nonce') +option: Str('parent?', cli_name='parent') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Flag('rights', autofill=True, default=False) +option: Bytes('secret?', cli_name='secret') +option: Str('version?', exclude='webui') +option: 
Bytes('wrapped_session_key?', cli_name='wrapped_session_key') +output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (type 'unicode', type 'NoneType'), None) +output: PrimaryKey('value', None, None) +command: vault_del +args: 1,3,3 +arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=True, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$',
Re: [Freeipa-devel] [PATCH] 355 Added vault access control.
On 10/22/2014 3:04 PM, Endi Sukma Dewata wrote: New LDAP ACIs have been added to allow users to create their own private vault container, to allow owners to manage vaults and containers, and to allow members to use the vaults. New CLIs have been added to manage the owner and member list. For archive and retrieve operations the access control has to be enforced by the plugins because the operations only affects KRA. The LDAP schema has been updated as well. Ticket #3872 This patch depends on #353-2. New patch attached to fix the ticket URL. It depends on #353-3. -- Endi S. Dewata From 6f464581e4e30e6105522ff25047764ec97e5a53 Mon Sep 17 00:00:00 2001 From: Endi S. Dewata edew...@redhat.com Date: Fri, 17 Oct 2014 12:05:34 -0400 Subject: [PATCH] Added vault access control. New LDAP ACIs have been added to allow users to create their own private vault container, to allow owners to manage vaults and containers, and to allow members to use the vaults. New CLIs have been added to manage the owner and member list. For archive and retrieve operations the access control has to be enforced by the plugins because the operations only affects KRA. The LDAP schema has been updated as well. https://fedorahosted.org/freeipa/ticket/3872 --- API.txt | 134 +-- VERSION | 4 +- install/share/60basev4.ldif | 4 +- install/updates/40-vault.update | 7 ++ ipalib/plugins/vault.py | 233 +++- 5 files changed, 366 insertions(+), 16 deletions(-) diff --git a/API.txt b/API.txt index cfa6558fcf678e5915a90407da517f9a591a41bf..a46592ec9e82e618154bf09393c83d4b854315c5 100644 --- a/API.txt +++ b/API.txt 
@@ -4476,11 +4476,12 @@ output: Output('result', type 'bool', None) output: Output('summary', (type 'unicode', type 'NoneType'), None) output: PrimaryKey('value', None, None) command: vault_add -args: 1,8,3 +args: 1,9,3 arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=False) option: Str('in?', cli_name='in') +option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Str('parent', attribute=False, cli_name='parent', multivalue=False, required=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Flag('rights', autofill=True, default=False) 
@@ -4489,12 +4490,39 @@ option: Str('version?', exclude='webui') output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (type 'unicode', type 'NoneType'), None) output: PrimaryKey('value', None, None) +command: vault_add_member +args: 1,7,3 +arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Str('parent?', cli_name='parent') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', type 'int', None) +output: Output('failed', type 'dict', None) +output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: vault_add_owner +args: 1,7,3 +arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Str('parent?', cli_name='parent') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('version?', exclude='webui') +output: Output('completed', type 'int', None) +output: Output('failed', type 'dict', None) 
+output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) command: vault_archive -args: 1,10,3 +args: 1,11,3 arg: Str('cn', attribute=True, cli_name='vault_name', maxlength=255, multivalue=False,
Re: [Freeipa-devel] [PATCH] 356 Added command to retrieve vault transport certificate.
On 10/23/2014 6:18 AM, Jan Cholasta wrote: Hi, Dne 22.10.2014 v 22:06 Endi Sukma Dewata napsal(a): A new command has been added to retrieve the vault transport certificate and optionally save it into a file. The vault archive and retrieve command has been modified to retrieve the transport certificate and store it locally for subsequent usage. This way it's no longer necessary to manually import the transport certificate into the client's NSS database. As part of the CA certificate renewal feature in 4.1, I have added an LDAP certificate store to IPA, see http://www.freeipa.org/page/V4/CA_certificate_renewal. Currently it supports only CA certificates, but can be extended to support end entity certificates rather easily. If you use it for the vault transport certificate, it can be added to the client NSS database automatically on install. Honza I'm attaching a new patch that's identical to the previous one with the ticket URL updated. I'm thinking we should check this patch in first because it's already done, and then investigate the use of the CA cert management utility as a separate enhancement, since it seems to need to be generalized before it can be used to manage the KRA transport cert. I'll also need to investigate the KRA transport cert replacement process to make sure it can be accommodated via IPA's cert management utility. -- Endi S. Dewata From 1bffa29d35fee0ac06cb1bc943f9de8beee58d05 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com Date: Wed, 22 Oct 2014 10:02:25 -0400 Subject: [PATCH] Added command to retrieve vault transport certificate. A new command has been added to retrieve the vault transport certificate and optionally save it into a file. The vault archive and retrieve command has been modified to retrieve the transport certificate and store it locally for subsequent usage. This way it's no longer necessary to manually import the transport certificate into the client's NSS database. https://fedorahosted.org/freeipa/ticket/3872 --- API.txt | 5 +++ VERSION | 4 +-- ipalib/plugins/vault.py | 85 +++-- 3 files changed, 89 insertions(+), 5 deletions(-) diff --git a/API.txt b/API.txt index a46592ec9e82e618154bf09393c83d4b854315c5..95b86ce84f5bc9f1d879e561e07b0348d719c90e 100644 --- a/API.txt +++ b/API.txt @@ -4629,6 +4629,11 @@ option: Str('version?', exclude='webui') output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (type 'unicode', type 'NoneType'), None) output: PrimaryKey('value', None, None) +command: vault_transport_cert +args: 0,2,1 +option: Str('out?', cli_name='out') +option: Str('version?', exclude='webui') +output: Output('result', None, None) command: vaultcontainer_add args: 1,8,3 arg: Str('cn', attribute=True, cli_name='container_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True) diff --git a/VERSION b/VERSION index c471ed80af6a2c26be7fc89281ae60fac6c68577..d0ada131b700e93faa8c4946b811db36d76341a9 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412 # # IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=110 -# Last change: edewata - added vault access control +IPA_API_VERSION_MINOR=111 +# Last change: edewata - added vault transport certificate 
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py index 95f96859235af1c477c8f5738a27571d64aabe3a..871c3e3a25c688a64ba0ecfde5ccbd50b47fbe01 100644 --- a/ipalib/plugins/vault.py +++ b/ipalib/plugins/vault.py @@ -24,6 +24,8 @@ import shutil import string import tempfile +import nss.nss as nss + import pki import pki.account import pki.crypto @@ -109,7 +111,7 @@ EXAMPLES: ) register = Registry() -transport_cert_nickname = KRA Transport Certificate +transport_cert_filename = vault-transport.pem @register() class vaultcontainer(LDAPObject): @@ -628,6 +630,63 @@ class vault_show(LDAPRetrieve): @register() +class vault_transport_cert(Command): +__doc__ = _('Retrieve vault transport certificate.') + + +# list of attributes we want exported to JSON +json_friendly_attributes = ( +'takes_args', +) + +takes_options = ( +Str('out?', +cli_name='out', +doc=_('Output file to store the transport certificate'), +), +) + +has_output_params = ( +Str('certificate', +label=_('Certificate'), +), +) + +def __json__(self): +json_dict = dict( +(a, getattr(self, a)) for a in self.json_friendly_attributes +) +json_dict['takes_options'] = list(self.get_json_options()) +return json_dict + +def execute(self, *args, **options): + +