Commits
local-cert-bui…
Commits on Feb 28, 2017
-
csrgen: Allow overriding the CSR generation profile
In case users want multiple CSR generation profiles that work with the same dogtag profile, or in case the profiles are not named the same, this flag allows specifying an alternative CSR generation profile. https://fedorahosted.org/freeipa/ticket/4899
-
csrgen: Automate full cert request flow
Allows the `ipa cert-request` command to generate its own CSR. It no longer requires a CSR passed on the command line; instead it creates a config (bash script) with `cert-get-requestdata`, then runs it to build a CSR, and submits that CSR.
Example usage (NSS database):
    $ ipa cert-request --principal host/test.example.com --profile-id caIPAserviceCert --database /tmp/certs
Example usage (PEM private key file):
    $ ipa cert-request --principal host/test.example.com --profile-id caIPAserviceCert --private-key /tmp/key.pem
https://fedorahosted.org/freeipa/ticket/4899
Commits on Feb 2, 2017
-
ipa-kra-install must create directory if it does not exist
ipa-kra-install creates an admin cert file in /root/.dogtag/pki-tomcat/ca_admin.cert but does not check that the parent directory exists. This situation can happen when uninstall + restore has been run. The fix creates the directory if not present. https://fedorahosted.org/freeipa/ticket/6606 Reviewed-By: Christian Heimes <cheimes@redhat.com>
-
py3: tests_xmlrpc: do not call str() on bytes
Calling str() on bytes causes an undesired side effect: it adds the prefix "b" to the result of conversion. The method decode() should be used instead. https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com>
Commits on Jan 31, 2017
-
private_ccache: yield ccache name
When using private_ccache, yield 'path' from the context manager. This is cleaner than inspecting 'os.environ['KRB5CCNAME']' within the context. Part of: https://fedorahosted.org/freeipa/ticket/5011 Reviewed-By: Martin Basti <mbasti@redhat.com>
-
py3: normalize_certificate: support both bytes and unicode
https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com>
-
py3: strip_header: support both bytes and unicode
Various methods passed various bytes or unicode as parameter. https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com>
-
py3: fingerprint_hex_sha256: fix encoding/decoding
https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com>
-
py3: fix CSR encoding inside framework
csr must be in string because the framework expects only strings, so we have to decode it back. https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com>
-
Principal: validate type of input parameter
Bytes are unsupported and we should raise a TypeError from the Principal __init__ method, otherwise we get a hard-to-debug result. Reviewed-By: Christian Heimes <cheimes@redhat.com>
-
Reviewed-By: Christian Heimes <cheimes@redhat.com>
-
py3: can_read: attributelevelrights is already string
Remove decode() as it causes an error in py3 because the attribute is already a string, not bytes. https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com>
-
py3: get_effective_rights: values passed to ldap must be bytes
Values passed to LDAP must be bytes https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com>
-
py3: ipaldap: update encode/decode methods
Update encoding/decoding accordingly to work under Py3. Removing functions that were used only once in code and give no real improvements. https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com>
-
py3: rpcserver fix undefined variable
Variable 'e' is valid only in the except block in py3, so it must be assigned to a different variable for further usage. https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com>
-
py3: WSGI executioners must return bytes in list
WSGI prints TypeError into error log when IPA doesn't return bytes in list as result https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com>
-
py3: session: fix r/w ccache data
ccache contains binary data, so it should be read and written in binary mode. https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com>
-
Variable 'e' has only local scope in except block in Py3 https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com>
-
py3: rpcserver: decode input because json requires string
json library parses string so input must be decoded https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com>
-
py3: session.py decode server name to str
This fix is temporary because Memcache will be removed soon, so it is more of a workaround than a fix. https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com>
-
Use proper logging for error messages
https://fedorahosted.org/freeipa/ticket/6588r Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
-
wait_for_entry: use only DN as parameter
Using the whole entry is not needed as parameter because only DN is used and it prevents easier usage of this function https://fedorahosted.org/freeipa/ticket/6588 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
-
tests: Add tests for CSR autogeneration
This patch also contains some code changes to make the code easier to test and to make the tests pass. https://fedorahosted.org/freeipa/ticket/4899 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
-
csrgen: Use data_sources option to define which fields are rendered
This removes the ipa.syntaxrule and ipa.datarule macros in favor of simple 'if' statements based on the data referenced in the rules. The 'if' statement for a syntax rule is generated based on the data rules it contains. The Subject DN should not be generated unless all data rules are in place, so the ability to override the logical operator that combines data_sources (from 'or' to 'and') is added. https://fedorahosted.org/freeipa/ticket/4899 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
-
csrgen: Add a CSR generation profile for user certificates
https://fedorahosted.org/freeipa/ticket/4899 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
-
csrgen: Add CSR generation profile for caIPAserviceCert
https://fedorahosted.org/freeipa/ticket/4899 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
-
csrgen: Add code to generate scripts that generate CSRs
Adds a library that uses jinja2 to format a script that, when run, will build a CSR. Also adds a CLI command, 'cert-get-requestdata', that uses this library and builds the script for a given principal. The rules are read from json files in /usr/share/ipa/csr, but the rule provider is a separate class so that it can be replaced easily. https://fedorahosted.org/freeipa/ticket/4899 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
-
ipa-ca-install: do not fail without --subject-base and --ca-subject
When --subject-base and --ca-subject are not specified in ipa-ca-install, default values are used. DN objects are used as the default values in ipa-ca-install, but the CA installer expects the values to be strings. This causes ipa-ca-install to fail unless both --subject-base and --ca-subject are specified. Convert the DN objects to strings to fix the issue. https://fedorahosted.org/freeipa/ticket/2614 Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Jan Cholasta committed Jan 31, 2017
Commits on Jan 25, 2017
-
Explicitly handle quoting/unquoting of NSSNickname directive
Improve the single/double quote handling during parsing/unparsing of nss.conf's NSSNickname directive. Single quotes are now added/stripped explicitly when handling the certificate nickname. https://fedorahosted.org/freeipa/ticket/6460 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com>
Martin Babinsky committed Jan 25, 2017
-
Delegate directive value quoting/unquoting to separate functions
Separate functions were added to installutils module to quote/unquote a string in arbitrary characters. `installutils.get/set_directive` functions will use them to enclose the directive values in double quotes/strip the double quotes from retrieved values to maintain the original behavior. These functions can be used also for custom quoting/unquoting of retrieved values when desired. https://fedorahosted.org/freeipa/ticket/6460 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com>
Martin Babinsky committed Jan 25, 2017
-
installutils: improve directive value parsing in get_directive
`get_directive` value parsing was improved in order to bring its logic more in line with changes in `set_directive`: a specified quoting character is now unquoted and stripped from the retrieved value. The function will now also error out when a malformed directive is encountered. https://fedorahosted.org/freeipa/ticket/6460 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com>
Martin Babinsky committed Jan 25, 2017
-
Fix the installutils.set_directive docstring
Add missing parameter descriptions and fix incorrect indentation https://fedorahosted.org/freeipa/ticket/6460 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com>
Martin Babinsky committed Jan 25, 2017
Commits on Jan 24, 2017
-
cert: fix search limit handling in cert-find
If search limits are not specified in cert-find, use the configured limits. This applies to the certificate search in the CA as well. Detect and report if size limit was exceeded in the certificate search in the CA. Do not apply limits to the internal ca-find call. https://fedorahosted.org/freeipa/ticket/6564 Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Jan Cholasta committed Jan 24, 2017
-
dogtag: search past the first 100 certificates
Dogtag requires a size limit to be specified when searching for certificates. When no limit is specified in the dogtag plugin, a limit of 100 entries is assumed. As a result, an unlimited certificate search returns data only for a maximum of 100 certificates. Raise the "unlimited" limit to the maximum value Dogtag accepts. https://fedorahosted.org/freeipa/ticket/6564 Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Jan Cholasta committed Jan 24, 2017