ipapython 4.10.2__py2.py3-none-any.whl → 4.13.1__py2.py3-none-any.whl

ipapython/admintool.py

@@ -26,7 +26,6 @@ import logging
 import sys
 import os
 import traceback
-from optparse import OptionGroup  # pylint: disable=deprecated-module
 
 from ipaplatform.osinfo import osinfo
 from ipapython import version
@@ -40,6 +39,45 @@ SERVER_NOT_CONFIGURED = 2
 logger = logging.getLogger(__name__)
 
 
+def admin_cleanup_global_argv(option_parser, options, argv):
+    """Takes option parser and generated options and scrubs sensitive arguments
+    from the global program arguments. Note that this only works for GNU GLIBC
+    as Python has no generic way to get access to the original argv values to
+    modify them in place.
+
+    The code assumes Python behavior, e.g. there are two additional args in the
+    list (/path/to/python -I ...) than what's passed as 'argv' here.
+    """
+    import ctypes
+    import ctypes.util
+    try:
+        _c = ctypes.CDLL(ctypes.util.find_library("c"))
+        if _c._name is None:
+            return
+        _argv = ctypes.POINTER(ctypes.c_voidp).in_dll(_c, "_dl_argv")
+        # since we run as 'python -I <executable> ...', add two args
+        _argc = len(argv) + 2
+        all_options = []
+        if '_get_all_options' in dir(option_parser):
+            # OptParse parser
+            all_options = option_parser._get_all_options()
+        elif '_actions' in dir(option_parser):
+            # ArgParse parser
+            all_options = option_parser._actions
+
+        for opt in all_options:
+            if getattr(opt, 'sensitive', False):
+                v = getattr(options, opt.dest)
+                for i in range(0, _argc):
+                    vi = ctypes.cast(_argv[i],
+                                     ctypes.c_char_p
+                                     ).value.decode('utf-8')
+                    if vi == v:
+                        ctypes.memset(_argv[i], ord('X'), len(v))
+    except Exception:
+        pass
+
+
 class ScriptError(Exception):
     """An exception that records an error message and a return value
     """
@@ -113,7 +151,7 @@ class AdminTool:
         :param parser: The parser to add options to
         :param debug_option: Add a --debug option as an alias to --verbose
         """
-        group = OptionGroup(parser, "Logging and output options")
+        group = config.OptionGroup(parser, "Logging and output options")
         group.add_option("-v", "--verbose", dest="verbose", default=False,
             action="store_true", help="print debugging information")
         if debug_option:
@@ -149,6 +187,7 @@ class AdminTool:
             cls._option_parsers[cls] = cls.option_parser
 
         options, args = cls.option_parser.parse_args(argv[1:])
+        admin_cleanup_global_argv(cls.option_parser, options, argv)
 
         command_class = cls.get_command_class(options, args)
         command = command_class(options, args)

ipapython/certdb.py

@@ -511,7 +511,8 @@ class NSSDatabase:
 
         :return: List of (name, trust_flags) tuples
         """
-        result = self.run_certutil(["-L"], capture_output=True)
+        args = ["-L"]
+        result = self.run_certutil(args, capture_output=True)
         certs = result.output.splitlines()
 
         # FIXME, this relies on NSS never changing the formatting of certutil
@@ -632,7 +633,7 @@ class NSSDatabase:
                 pkcs12_password_file.close()
 
     def import_files(self, files, import_keys=False, key_password=None,
-                     key_nickname=None):
+                     key_nickname=None, trust_flags=EMPTY_TRUST_FLAGS):
         """
         Import certificates and a single private key from multiple files
 
@@ -808,7 +809,7 @@ class NSSDatabase:
 
         for cert in extracted_certs:
             nickname = str(DN(cert.subject))
-            self.add_cert(cert, nickname, EMPTY_TRUST_FLAGS)
+            self.add_cert(cert, nickname, trust_flags)
 
         if extracted_key:
             with tempfile.NamedTemporaryFile() as in_file, \
@@ -866,6 +867,27 @@ class NSSDatabase:
         cert, _start = find_cert_from_txt(result.output, start=0)
         return cert
 
+    def get_all_certs(self, nickname):
+        """
+        :param nickname: nickname of the certificate in the NSS database
+        :returns: list of bytes of all certificates for the nickname
+        """
+        args = ['-L', '-n', nickname, '-a']
+        try:
+            result = self.run_certutil(args, capture_output=True)
+        except ipautil.CalledProcessError:
+            raise RuntimeError("Failed to get %s" % nickname)
+        certs = []
+
+        st = 0
+        while True:
+            try:
+                cert, st = find_cert_from_txt(result.output, start=st)
+            except RuntimeError:
+                break
+            certs.append(cert)
+        return certs
+
     def has_nickname(self, nickname):
         try:
             self.get_cert(nickname)
@@ -943,20 +965,21 @@ class NSSDatabase:
     def _verify_cert_validity(self, cert):
         """Common checks for cert validity
         """
-        utcnow = datetime.datetime.utcnow()
-        if cert.not_valid_before > utcnow:
+        utcnow = datetime.datetime.now(tz=datetime.timezone.utc)
+        if cert.not_valid_before_utc > utcnow:
             raise ValueError(
-                f"not valid before {cert.not_valid_before} UTC is in the "
-                "future."
+                f"not valid before {cert.not_valid_before_utc} UTC is in "
+                "the future."
             )
-        if cert.not_valid_after < utcnow:
+        if cert.not_valid_after_utc < utcnow:
             raise ValueError(
-                f"has expired {cert.not_valid_after} UTC"
+                f"has expired {cert.not_valid_after_utc} UTC"
             )
         # make sure the cert does not expire during installation
-        if cert.not_valid_after + datetime.timedelta(hours=1) < utcnow:
+        if cert.not_valid_after_utc + datetime.timedelta(hours=1) < utcnow:
             raise ValueError(
-                f"expires in less than one hour ({cert.not_valid_after} UTC)"
+                f"expires in less than one hour ({cert.not_valid_after_utc} "
+                "UTC)"
             )
 
     def verify_server_cert_validity(self, nickname, hostname):
@@ -988,53 +1011,58 @@ class NSSDatabase:
             raise ValueError('invalid for server %s' % hostname)
 
     def verify_ca_cert_validity(self, nickname, minpathlen=None):
-        cert = self.get_cert(nickname)
-        self._verify_cert_validity(cert)
+        def verify_ca_cert(cert, nickname, minpathlen):
+            self._verify_cert_validity(cert)
 
-        if not cert.subject:
-            raise ValueError("has empty subject")
+            if not cert.subject:
+                raise ValueError("has empty subject")
 
-        try:
-            bc = cert.extensions.get_extension_for_class(
+            try:
+                bc = cert.extensions.get_extension_for_class(
                     cryptography.x509.BasicConstraints)
-        except cryptography.x509.ExtensionNotFound:
-            raise ValueError("missing basic constraints")
-
-        if not bc.value.ca:
-            raise ValueError("not a CA certificate")
-        if minpathlen is not None:
-            # path_length is None means no limitation
-            pl = bc.value.path_length
-            if pl is not None and pl < minpathlen:
-                raise ValueError(
-                    "basic contraint pathlen {}, must be at least {}".format(
-                        pl, minpathlen
+            except cryptography.x509.ExtensionNotFound:
+                raise ValueError("missing basic constraints")
+
+            if not bc.value.ca:
+                raise ValueError("not a CA certificate")
+            if minpathlen is not None:
+                # path_length is None means no limitation
+                pl = bc.value.path_length
+                if pl is not None and pl < minpathlen:
+                    raise ValueError(
+                        "basic contraint pathlen {}, "
+                        "must be at least {}".format(
+                            pl, minpathlen
+                        )
                     )
-                )
 
-        try:
-            ski = cert.extensions.get_extension_for_class(
+            try:
+                ski = cert.extensions.get_extension_for_class(
                     cryptography.x509.SubjectKeyIdentifier)
-        except cryptography.x509.ExtensionNotFound:
-            raise ValueError("missing subject key identifier extension")
-        else:
-            if len(ski.value.digest) == 0:
-                raise ValueError("subject key identifier must not be empty")
+            except cryptography.x509.ExtensionNotFound:
+                raise ValueError("missing subject key identifier extension")
+            else:
+                if len(ski.value.digest) == 0:
+                    raise ValueError("subject key identifier must not be empty")
 
-        try:
-            self.run_certutil(
-                [
-                    '-V',       # check validity of cert and attrs
-                    '-n', nickname,
-                    '-u', 'L',  # usage; 'L' means "SSL CA"
-                    '-e',       # check signature(s); this checks
-                                # key sizes, sig algorithm, etc.
-                ],
-                capture_output=True)
-        except ipautil.CalledProcessError as e:
-            # certutil output in case of error is
-            # 'certutil: certificate is invalid: <ERROR_STRING>\n'
-            raise ValueError(e.output)
+            try:
+                self.run_certutil(
+                    [
+                        '-V',       # check validity of cert and attrs
+                        '-n', nickname,
+                        '-u', 'L',  # usage; 'L' means "SSL CA"
+                        '-e',       # check signature(s); this checks
+                                    # key sizes, sig algorithm, etc.
+                    ],
+                    capture_output=True)
+            except ipautil.CalledProcessError as e:
+                # certutil output in case of error is
+                # 'certutil: certificate is invalid: <ERROR_STRING>\n'
+                raise ValueError(e.output)
+
+        certlist = self.get_all_certs(nickname)
+        for cert in certlist:
+            verify_ca_cert(cert, nickname, minpathlen)
 
     def verify_kdc_cert_validity(self, nickname, realm):
         nicknames = self.get_trust_chain(nickname)

ipapython/config.py

@@ -18,9 +18,9 @@
 #
 from __future__ import absolute_import
 
-# pylint: disable=deprecated-module
-from optparse import (
-    Option, Values, OptionParser, IndentedHelpFormatter, OptionValueError)
+# pylint: disable=deprecated-module, disable=unused-import
+from optparse import (Option, Values, OptionGroup, OptionParser, SUPPRESS_HELP,
+                      IndentedHelpFormatter, OptionValueError, make_option)
 # pylint: enable=deprecated-module
 from copy import copy
 from configparser import ConfigParser as SafeConfigParser
@@ -113,10 +113,14 @@ class IPAOptionParser(OptionParser):
                  description=None,
                  formatter=None,
                  add_help_option=True,
-                 prog=None):
-        OptionParser.__init__(self, usage, option_list, option_class,
-                              version, conflict_handler, description,
-                              formatter, add_help_option, prog)
+                 prog=None,
+                 epilog=None):
+        OptionParser.__init__(self, usage=usage, option_list=option_list,
+                              option_class=option_class, version=version,
+                              conflict_handler=conflict_handler,
+                              description=description, formatter=formatter,
+                              add_help_option=add_help_option, prog=prog,
+                              epilog=epilog)
 
     def get_safe_opts(self, opts):
         """

ipapython/cookie.py

@@ -652,7 +652,7 @@ class Cookie:
 
         cookie_expiration = self.get_expiration()
         if cookie_expiration is not None:
-            now = datetime.datetime.utcnow()
+            now = datetime.datetime.now(tz=datetime.timezone.utc)
             if cookie_expiration < now:
                 raise Cookie.Expired("cookie named '%s'; expired at %s'" % \
                                      (cookie_name,

ipapython/directivesetter.py

@@ -182,6 +182,9 @@ def get_directive(filename, directive, separator=' '):
     if separator == ' ':
         separator = '[ \t]+'
 
+    if directive is None:
+        return None
+
     result = None
     with open(filename, "r") as fd:
         for line in fd:
@@ -193,7 +196,7 @@ def get_directive(filename, directive, separator=' '):
                 if match:
                     value = match.group(1)
                 else:
-                    raise ValueError("Malformed directive: {}".format(line))
+                    continue
 
                 result = unquote_directive_value(value.strip(), '"')
                 result = result.strip(' ')

ipapython/dn.py

@@ -1462,4 +1462,5 @@ ATTR_NAME_BY_OID = {
     cryptography.x509.ObjectIdentifier('2.5.4.9'): 'STREET',
     cryptography.x509.ObjectIdentifier('2.5.4.17'): 'postalCode',
     cryptography.x509.ObjectIdentifier('0.9.2342.19200300.100.1.1'): 'UID',
+    cryptography.x509.ObjectIdentifier('2.5.4.97'): 'organizationIdentifier',
 }

ipapython/dogtag.py

@@ -63,6 +63,14 @@ INCLUDED_PROFILES = {
 
 DEFAULT_PROFILE = u'caIPAserviceCert'
 KDC_PROFILE = u'KDCs_PKINIT_Certs'
+OCSP_PROFILE = 'caOCSPCert'
+SUBSYSTEM_PROFILE = 'caSubsystemCert'
+AUDIT_PROFILE = 'caSignedLogCert'
+CACERT_PROFILE = 'caCACert'
+CASERVER_PROFILE = 'caServerCert'
+KRA_AUDIT_PROFILE = 'caAuditSigningCert'
+KRA_STORAGE_PROFILE = 'caStorageCert'
+KRA_TRANSPORT_PROFILE = 'caTransportCert'
 
 
 if six.PY3:

ipapython/graph.py

@@ -34,7 +34,7 @@ class Graph:
     def remove_edge(self, tail, head):
         try:
             self.edges.remove((tail, head))
-        except KeyError:
+        except ValueError:
             raise ValueError(
                 "graph does not contain edge: ({0}, {1})".format(tail, head)
             )

ipapython/ipaldap.py

@@ -23,7 +23,7 @@ import binascii
 import errno
 import logging
 import time
-import datetime
+from datetime import datetime
 from decimal import Decimal
 from copy import deepcopy
 import contextlib
@@ -33,7 +33,6 @@ import warnings
 
 from collections import OrderedDict
 
-from cryptography import x509 as crypto_x509
 from cryptography.hazmat.primitives import serialization
 
 import ldap
@@ -689,11 +688,12 @@ class LDAPClient:
         '1.3.6.1.4.1.1466.115.121.1.10'  : bytes, # Certificate Pair
         '1.3.6.1.4.1.1466.115.121.1.12'  : DN,  # Distinguished Name
         '1.3.6.1.4.1.1466.115.121.1.23'  : bytes, # Fax
-        '1.3.6.1.4.1.1466.115.121.1.24'  : datetime.datetime,
+        '1.3.6.1.4.1.1466.115.121.1.24'  : datetime,  # GeneralizedTime
         '1.3.6.1.4.1.1466.115.121.1.28'  : bytes, # JPEG
         '1.3.6.1.4.1.1466.115.121.1.40'  : bytes, # OctetString (same as Binary)
         '1.3.6.1.4.1.1466.115.121.1.49'  : bytes, # Supported Algorithm
         '1.3.6.1.4.1.1466.115.121.1.51'  : bytes, # Teletext Terminal Identifier
+        '1.3.6.1.4.1.5322.21.2.5'        : datetime,  # krbLastAdminUnlock
 
         '2.16.840.1.113730.3.8.3.3'      : DN,  # enrolledBy
         '2.16.840.1.113730.3.8.3.18'     : DN,  # managedBy
@@ -706,16 +706,23 @@ class LDAPClient:
         '2.16.840.1.113730.3.8.7.1'      : DN,  # memberAllowCmd
         '2.16.840.1.113730.3.8.7.2'      : DN,  # memberDenyCmd
 
+        '2.16.840.1.113719.1.301.4.6.1'  : datetime,  # krbPrincipalExpiration
         '2.16.840.1.113719.1.301.4.14.1' : DN,  # krbRealmReferences
         '2.16.840.1.113719.1.301.4.17.1' : DN,  # krbKdcServers
         '2.16.840.1.113719.1.301.4.18.1' : DN,  # krbPwdServers
         '2.16.840.1.113719.1.301.4.26.1' : DN,  # krbPrincipalReferences
         '2.16.840.1.113719.1.301.4.29.1' : DN,  # krbAdmServers
         '2.16.840.1.113719.1.301.4.36.1' : DN,  # krbPwdPolicyReference
+        '2.16.840.1.113719.1.301.4.37.1' : datetime,  # krbPasswordExpiration
         '2.16.840.1.113719.1.301.4.40.1' : DN,  # krbTicketPolicyReference
         '2.16.840.1.113719.1.301.4.41.1' : DN,  # krbSubTrees
+        '2.16.840.1.113719.1.301.4.45.1' : datetime,  # krbLastPwdChange
+        '2.16.840.1.113719.1.301.4.48.1' : datetime,  # krbLastSuccessfulAuth
+        '2.16.840.1.113719.1.301.4.49.1' : datetime,  # krbLastFailedAuth
         '2.16.840.1.113719.1.301.4.52.1' : DN,  # krbObjectReferences
         '2.16.840.1.113719.1.301.4.53.1' : DN,  # krbPrincContainerRef
+        '2.16.840.1.113730.3.8.16.1.3'   : datetime,  # ipatokenNotBefore
+        '2.16.840.1.113730.3.8.16.1.4'   : datetime,  # ipatokenNotAfter
     }
 
     # In most cases we lookup the syntax from the schema returned by
@@ -740,10 +747,10 @@ class LDAPClient:
         'dnszoneidnsname': DNSName,
         'krbcanonicalname': Principal,
         'krbprincipalname': Principal,
-        'usercertificate': crypto_x509.Certificate,
-        'usercertificate;binary': crypto_x509.Certificate,
-        'cACertificate': crypto_x509.Certificate,
-        'cACertificate;binary': crypto_x509.Certificate,
+        'usercertificate': x509.IPACertificate,
+        'usercertificate;binary': x509.IPACertificate,
+        'cACertificate': x509.IPACertificate,
+        'cACertificate;binary': x509.IPACertificate,
         'nsds5replicalastupdatestart': unicode,
         'nsds5replicalastupdateend': unicode,
         'nsds5replicalastinitstart': unicode,
@@ -990,9 +997,9 @@ class LDAPClient:
             # key in dict must be str not bytes
             dct = dict((k, self.encode(v)) for k, v in val.items())
             return dct
-        elif isinstance(val, datetime.datetime):
+        elif isinstance(val, datetime):
             return val.strftime(LDAP_GENERALIZED_TIME_FORMAT).encode('utf-8')
-        elif isinstance(val, crypto_x509.Certificate):
+        elif isinstance(val, x509.IPACertificate):
             return val.public_bytes(x509.Encoding.DER)
         elif val is None:
             return None
@@ -1012,14 +1019,14 @@ class LDAPClient:
                     return val.decode('utf-8')
                 elif target_type is bool:
                     return val.decode('utf-8') == 'TRUE'
-                elif target_type is datetime.datetime:
-                    return datetime.datetime.strptime(
+                elif target_type is datetime:
+                    return datetime.strptime(
                         val.decode('utf-8'), LDAP_GENERALIZED_TIME_FORMAT)
                 elif target_type is DNSName:
                     return DNSName.from_text(val.decode('utf-8'))
                 elif target_type in (DN, Principal):
                     return target_type(val.decode('utf-8'))
-                elif target_type is crypto_x509.Certificate:
+                elif target_type is x509.IPACertificate:
                     return x509.load_der_x509_certificate(val)
                 else:
                     return target_type(val)
@@ -1177,14 +1184,23 @@ class LDAPClient:
         """schema associated with this LDAP server"""
         return self._get_schema()
 
-    def get_allowed_attributes(self, objectclasses, raise_on_unknown=False):
+    def get_allowed_attributes(self, objectclasses, raise_on_unknown=False,
+                               attributes="all"):
         if self.schema is None:
             return None
         allowed_attributes = []
         for oc in objectclasses:
             obj = self.schema.get_obj(ldap.schema.ObjectClass, oc)
             if obj is not None:
-                allowed_attributes += obj.must + obj.may
+                if attributes == "must":
+                    # Only return required(must) attrs
+                    allowed_attributes += obj.must
+                elif attributes == "may":
+                    # Only return allowed(may) attrs
+                    allowed_attributes += obj.may
+                else:
+                    # Return both allowed & required attrs
+                    allowed_attributes += obj.must + obj.may
             elif raise_on_unknown:
                 raise errors.NotFound(
                     reason=_('objectclass %s not found') % oc)
@@ -1193,7 +1209,6 @@ class LDAPClient:
     def __enter__(self):
         return self
 
-
     def __exit__(self, exc_type, exc_value, traceback):
         self.close()
 
@@ -1365,13 +1380,17 @@ class LDAPClient:
             ]
             return cls.combine_filters(flts, rules)
         elif value is not None:
-            if isinstance(value, crypto_x509.Certificate):
+            if isinstance(value, x509.IPACertificate):
                 value = value.public_bytes(serialization.Encoding.DER)
             if isinstance(value, bytes):
                 value = binascii.hexlify(value).decode('ascii')
                 # value[-2:0] is empty string for the initial '\\'
                 value = u'\\'.join(
                     value[i:i+2] for i in six.moves.range(-2, len(value), 2))
+            elif isinstance(value, datetime):
+                value = value.strftime(
+                    LDAP_GENERALIZED_TIME_FORMAT)
+                value = ldap.filter.escape_filter_chars(value)
             else:
                 value = str(value)
                 value = ldap.filter.escape_filter_chars(value)

ipapython/ipautil.py

@@ -48,9 +48,9 @@ import six
 from six.moves import input
 
 try:
-    import netifaces
+    import ifaddr
 except ImportError:
-    netifaces = None
+    ifaddr = None
 
 from ipapython.dn import DN
 from ipaplatform.paths import paths
@@ -119,7 +119,7 @@ class UnsafeIPAddress(netaddr.IPAddress):
                 if addr.version != 6:
                     raise
         except ValueError:
-            self._net = netaddr.IPNetwork(addr, flags=self.netaddr_ip_flags)
+            self._net = netaddr.IPNetwork(addr, flags=0)
             addr = self._net.ip
         super(UnsafeIPAddress, self).__init__(addr,
                                               flags=self.netaddr_ip_flags)
@@ -203,42 +203,37 @@ class CheckedIPAddress(UnsafeIPAddress):
         :return: InterfaceDetails named tuple or None if no interface has
         this address
         """
-        if netifaces is None:
-            raise ImportError("netifaces")
+        if ifaddr is None:
+            raise ImportError("ifaddr")
         logger.debug("Searching for an interface of IP address: %s", self)
+
         if self.version == 4:
-            family = netifaces.AF_INET
+            family_ips = (
+                (ip.ip, ip.network_prefix, ip.nice_name)
+                for ips in [a.ips for a in ifaddr.get_adapters()]
+                for ip in ips if not isinstance(ip.ip, tuple)
+            )
         elif self.version == 6:
-            family = netifaces.AF_INET6
+            family_ips = (
+                (ip.ip[0], ip.network_prefix, ip.nice_name)
+                for ips in [a.ips for a in ifaddr.get_adapters()]
+                for ip in ips if isinstance(ip.ip, tuple)
+            )
         else:
             raise ValueError(
                 "Unsupported address family ({})".format(self.version)
             )
 
-        for interface in netifaces.interfaces():
-            for ifdata in netifaces.ifaddresses(interface).get(family, []):
-
-                # link-local addresses contain '%suffix' that causes parse
-                # errors in IPNetwork
-                ifaddr = ifdata['addr'].split(u'%', 1)[0]
-
-                # newer versions of netifaces provide IPv6 netmask in format
-                # 'ffff:ffff:ffff:ffff::/64'. We have to split and use prefix
-                # or the netmask with older versions
-                ifmask = ifdata['netmask'].split(u'/')[-1]
-
-                ifaddrmask = '{addr}/{netmask}'.format(
-                    addr=ifaddr,
-                    netmask=ifmask
-                )
-                logger.debug(
-                    "Testing local IP address: %s (interface: %s)",
-                    ifaddrmask, interface)
+        for ip, prefix, ifname in family_ips:
+            ifaddrmask = "{ip}/{prefix}".format(ip=ip, prefix=prefix)
+            logger.debug(
+                "Testing local IP address: %s (interface: %s)",
+                ifaddrmask, ifname)
+            ifnet = netaddr.IPNetwork(ifaddrmask)
 
-                ifnet = netaddr.IPNetwork(ifaddrmask)
+            if ifnet.ip == self:
+                return InterfaceDetails(ifname, ifnet)
 
-                if ifnet.ip == self:
-                    return InterfaceDetails(interface, ifnet)
         return None
 
     def set_ip_net(self, ifnet):
@@ -271,6 +266,19 @@ class CheckedIPAddressLoopback(CheckedIPAddress):
                   file=sys.stderr)
 
 
+class IPAddressDoTForwarder(str):
+    """IPv4 or IPv6 address with added hostname as needed for DNS over TLS
+    configuration. Example: 1.2.3.4#dns.hostname.test
+    """
+    def __init__(self, addr):
+        addr_split = addr.split("#")
+        if len(addr_split) != 2 or not valid_ip(addr_split[0]):
+            raise ValueError(
+                "DoT forwarder must be in the format "
+                "of '1.2.3.4#dns.example.test'."
+            )
+
+
 def valid_ip(addr):
     return netaddr.valid_ipv4(addr) or netaddr.valid_ipv6(addr)
 
@@ -1663,9 +1671,16 @@ def remove_ccache(ccache_path=None, run_as=None):
             "Failed to clear Kerberos credentials cache: %s", e)
 
 
-def remove_file(filename):
+def remove_file(filename, only_if_empty=False):
     """Remove a file and log any exceptions raised.
+
+       :only_if_empty: only remove the file if empty. Default False.
     """
+    if only_if_empty and os.path.exists(filename):
+        file_stat = os.stat(filename)
+        if file_stat.st_size > 0:
+            logger.debug('%s is not empty.', filename)
+            return
     try:
         os.unlink(filename)
     except Exception as e:
@@ -1674,6 +1689,15 @@ def remove_file(filename):
             logger.error('Error removing %s: %s', filename, str(e))
 
 
+def remove_directory(dir):
+    """Remove an empty directory."""
+    try:
+        os.rmdir(dir)
+    except OSError as e:
+        if e.errno not in {errno.ENOENT, errno.ENOTEMPTY}:
+            logger.error("Failed to remove directory %s", dir)
+
+
 def rmtree(path):
     """
     Remove a directory structure and log any exceptions raised.
@@ -1798,3 +1822,30 @@ def get_config_debug(context):
         return False
 
     return parser.get(CONFIG_SECTION, 'debug').lower() == 'true'
+
+
+@contextmanager
+def log_level_override():
+    """The PKI python libraries log to info() which ends up polluting
+       the ipa server installation output. Switch the log level
+       prior to calling any PKI library functions and then restore
+       the value in order to suppress the output. Lines like:
+
+       INFO Connecting to https://localhost:8443
+       INFO Getting PKI server info from /pki/v2/info
+
+       This won't affect what is logged to files.
+    """
+    stream_handlers = [
+        (handler, handler.level) for handler in logging.root.handlers
+        if type(handler) is logging.StreamHandler
+    ]
+    for (handler, _level) in stream_handlers:
+        handler.setLevel(logging.ERROR)
+    try:
+        yield
+    except Exception as e:
+        raise e
+    finally:
+        for (handler, orig_level) in stream_handlers:
+            handler.setLevel(orig_level)

ipapython/session_storage.py

@@ -111,7 +111,7 @@ class KRB5Error(Exception):
 
 
 def krb5_errcheck(result, func, arguments):
-    """Error checker for krb5_error return value"""
+    """Error checker for krb5_error_code return value"""
     if result != 0:
         raise KRB5Error(result, func.__name__, arguments)
 
@@ -119,14 +119,13 @@ def krb5_errcheck(result, func, arguments):
 krb5_context = ctypes.POINTER(_krb5_context)
 krb5_ccache = ctypes.POINTER(_krb5_ccache)
 krb5_data_p = ctypes.POINTER(_krb5_data)
-krb5_error = ctypes.c_int32
 krb5_creds = _krb5_creds
 krb5_pointer = ctypes.c_void_p
 krb5_cc_cursor = krb5_pointer
 
 krb5_init_context = LIBKRB5.krb5_init_context
 krb5_init_context.argtypes = (ctypes.POINTER(krb5_context), )
-krb5_init_context.restype = krb5_error
+krb5_init_context.restype = krb5_error_code
 krb5_init_context.errcheck = krb5_errcheck
 
 krb5_free_context = LIBKRB5.krb5_free_context
@@ -143,30 +142,30 @@ krb5_free_data_contents.restype = None
 
 krb5_cc_default = LIBKRB5.krb5_cc_default
 krb5_cc_default.argtypes = (krb5_context, ctypes.POINTER(krb5_ccache), )
-krb5_cc_default.restype = krb5_error
+krb5_cc_default.restype = krb5_error_code
 krb5_cc_default.errcheck = krb5_errcheck
 
 krb5_cc_close = LIBKRB5.krb5_cc_close
 krb5_cc_close.argtypes = (krb5_context, krb5_ccache, )
-krb5_cc_close.restype = krb5_error
+krb5_cc_close.restype = krb5_error_code
 krb5_cc_close.errcheck = krb5_errcheck
 
 krb5_parse_name = LIBKRB5.krb5_parse_name
 krb5_parse_name.argtypes = (krb5_context, ctypes.c_char_p,
                             ctypes.POINTER(krb5_principal), )
-krb5_parse_name.restype = krb5_error
+krb5_parse_name.restype = krb5_error_code
 krb5_parse_name.errcheck = krb5_errcheck
 
 krb5_cc_set_config = LIBKRB5.krb5_cc_set_config
 krb5_cc_set_config.argtypes = (krb5_context, krb5_ccache, krb5_principal,
                                ctypes.c_char_p, krb5_data_p, )
-krb5_cc_set_config.restype = krb5_error
+krb5_cc_set_config.restype = krb5_error_code
 krb5_cc_set_config.errcheck = krb5_errcheck
 
 krb5_cc_get_principal = LIBKRB5.krb5_cc_get_principal
 krb5_cc_get_principal.argtypes = (krb5_context, krb5_ccache,
                                   ctypes.POINTER(krb5_principal), )
-krb5_cc_get_principal.restype = krb5_error
+krb5_cc_get_principal.restype = krb5_error_code
 krb5_cc_get_principal.errcheck = krb5_errcheck
 
 # krb5_build_principal is a variadic function but that can't be expressed
@@ -177,32 +176,31 @@ krb5_build_principal.argtypes = (krb5_context, ctypes.POINTER(krb5_principal),
                                  ctypes.c_uint, ctypes.c_char_p,
                                  ctypes.c_char_p, ctypes.c_char_p,
                                  ctypes.c_char_p, ctypes.c_char_p, )
-krb5_build_principal.restype = krb5_error
+krb5_build_principal.restype = krb5_error_code
 krb5_build_principal.errcheck = krb5_errcheck
 
 krb5_cc_start_seq_get = LIBKRB5.krb5_cc_start_seq_get
 krb5_cc_start_seq_get.argtypes = (krb5_context, krb5_ccache,
                                   ctypes.POINTER(krb5_cc_cursor), )
-krb5_cc_start_seq_get.restype = krb5_error
+krb5_cc_start_seq_get.restype = krb5_error_code
 krb5_cc_start_seq_get.errcheck = krb5_errcheck
 
 krb5_cc_next_cred = LIBKRB5.krb5_cc_next_cred
 krb5_cc_next_cred.argtypes = (krb5_context, krb5_ccache,
                               ctypes.POINTER(krb5_cc_cursor),
                               ctypes.POINTER(krb5_creds), )
-krb5_cc_next_cred.restype = krb5_error
+krb5_cc_next_cred.restype = krb5_error_code
 krb5_cc_next_cred.errcheck = krb5_errcheck
 
 krb5_cc_end_seq_get = LIBKRB5.krb5_cc_end_seq_get
 krb5_cc_end_seq_get.argtypes = (krb5_context, krb5_ccache,
                                 ctypes.POINTER(krb5_cc_cursor), )
-krb5_cc_end_seq_get.restype = krb5_error
+krb5_cc_end_seq_get.restype = krb5_error_code
 krb5_cc_end_seq_get.errcheck = krb5_errcheck
 
 krb5_free_cred_contents = LIBKRB5.krb5_free_cred_contents
 krb5_free_cred_contents.argtypes = (krb5_context, ctypes.POINTER(krb5_creds))
-krb5_free_cred_contents.restype = krb5_error
-krb5_free_cred_contents.errcheck = krb5_errcheck
+krb5_free_cred_contents.restype = None
 
 krb5_principal_compare = LIBKRB5.krb5_principal_compare
 krb5_principal_compare.argtypes = (krb5_context, krb5_principal,
@@ -212,7 +210,7 @@ krb5_principal_compare.restype = krb5_boolean
 krb5_unparse_name = LIBKRB5.krb5_unparse_name
 krb5_unparse_name.argtypes = (krb5_context, krb5_principal,
                               ctypes.POINTER(ctypes.c_char_p), )
-krb5_unparse_name.restype = krb5_error
+krb5_unparse_name.restype = krb5_error_code
 krb5_unparse_name.errcheck = krb5_errcheck
 
 krb5_free_unparsed_name = LIBKRB5.krb5_free_unparsed_name
@@ -314,8 +312,12 @@ def get_data(princ_name, key):
                 checkcreds = krb5_creds()
                 # the next function will throw an error and break out of the
                 # while loop when we try to access past the last cred
-                krb5_cc_next_cred(context, ccache, ctypes.byref(cursor),
-                                  ctypes.byref(checkcreds))
+                try:
+                    krb5_cc_next_cred(context, ccache, ctypes.byref(cursor),
+                                      ctypes.byref(checkcreds))
+                except KRB5Error:
+                    break
+
                 if (krb5_principal_compare(context, principal,
                                           checkcreds.client) == 1 and
                     krb5_principal_compare(context, srv_princ,
@@ -330,8 +332,6 @@ def get_data(princ_name, key):
                 else:
                     krb5_free_cred_contents(context,
                                             ctypes.byref(checkcreds))
-        except KRB5Error:
-            pass
         finally:
             krb5_cc_end_seq_get(context, ccache, ctypes.byref(cursor))
 

ipapython/version.py

@@ -17,13 +17,13 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #
 
-from pkg_resources import parse_version
+from packaging.version import parse as parse_version
 
 # The full version including strings
-VERSION = "4.10.2"
+VERSION = "4.13.1"
 
 # A fuller version including the vendor tag (e.g. 3.3.3-34.fc20)
-VENDOR_VERSION = "4.10.2"
+VENDOR_VERSION = "4.13.1"
 
 
 # Just the numeric portion of the version so one can do direct numeric
@@ -43,11 +43,11 @@ VENDOR_VERSION = "4.10.2"
 #   IPA 3.2.1:  NUM_VERSION=30201
 #   IPA 3.2.99: NUM_VERSION=30299 (development version)
 #   IPA 3.3.0:  NUM_VERSION=30300
-NUM_VERSION = 41002
+NUM_VERSION = 41301
 
 
 # The version of the API.
-API_VERSION = "2.252"
+API_VERSION = "2.257"
 
 
 DEFAULT_PLUGINS = frozenset(l.strip() for l in """
@@ -393,6 +393,9 @@ output_show/1
 param/1
 param_find/1
 param_show/1
+passkeyconfig/1
+passkeyconfig_mod/1
+passkeyconfig_show/1
 passwd/1
 permission/1
 permission_add/1
@@ -518,6 +521,7 @@ stageuser_add/1
 stageuser_add_cert/1
 stageuser_add_certmapdata/1
 stageuser_add_manager/1
+stageuser_add_passkey/1
 stageuser_add_principal/1
 stageuser_del/1
 stageuser_find/1
@@ -525,6 +529,7 @@ stageuser_mod/1
 stageuser_remove_cert/1
 stageuser_remove_certmapdata/1
 stageuser_remove_manager/1
+stageuser_remove_passkey/1
 stageuser_remove_principal/1
 stageuser_show/1
 subid/1
@@ -572,6 +577,15 @@ sudorule_remove_runasgroup/1
 sudorule_remove_runasuser/1
 sudorule_remove_user/1
 sudorule_show/1
+sysaccount/1
+sysaccount_add/1
+sysaccount_del/1
+sysaccount_disable/1
+sysaccount_enable/1
+sysaccount_find/1
+sysaccount_mod/1
+sysaccount_policy/1
+sysaccount_show/1
 topic/1
 topic_find/1
 topic_show/1
@@ -613,6 +627,7 @@ user_add/1
 user_add_cert/1
 user_add_certmapdata/1
 user_add_manager/1
+user_add_passkey/1
 user_add_principal/1
 user_del/1
 user_disable/1
@@ -622,6 +637,7 @@ user_mod/1
 user_remove_cert/1
 user_remove_certmapdata/1
 user_remove_manager/1
+user_remove_passkey/1
 user_remove_principal/1
 user_show/1
 user_stage/1
@@ -651,4 +667,4 @@ vaultcontainer_show/1
 whoami/1
 """.strip().splitlines())
 
-KRB5_BUILD_VERSION = parse_version("1.19.2")
+KRB5_BUILD_VERSION = parse_version("1.21.3")

{ipapython-4.10.2.dist-info → ipapython-4.13.1.dist-info}/METADATA

@@ -1,6 +1,6 @@
-Metadata-Version: 2.1
+Metadata-Version: 2.4
 Name: ipapython
-Version: 4.10.2
+Version: 4.13.1
 Summary: FreeIPA python support library
 Home-page: https://www.freeipa.org/
 Download-URL: https://www.freeipa.org/page/Downloads
@@ -25,17 +25,32 @@ Classifier: Topic :: Internet :: Name Service (DNS)
 Classifier: Topic :: Security
 Classifier: Topic :: System :: Systems Administration :: Authentication/Directory :: LDAP
 Requires-Python: >=3.6.0
-License-File: ../COPYING
+License-File: COPYING
 Requires-Dist: cffi
-Requires-Dist: cryptography (>=1.6)
-Requires-Dist: dnspython (>=1.15)
-Requires-Dist: gssapi (>=1.2.0)
-Requires-Dist: ipaplatform (==4.10.2)
+Requires-Dist: cryptography>=1.6
+Requires-Dist: dnspython>=1.15
+Requires-Dist: gssapi>=1.2.0
+Requires-Dist: ipaplatform==4.13.1
 Requires-Dist: netaddr
 Requires-Dist: six
 Provides-Extra: ldap
-Requires-Dist: python-ldap ; extra == 'ldap'
-Provides-Extra: netifaces
-Requires-Dist: netifaces ; extra == 'netifaces'
+Requires-Dist: python-ldap; extra == "ldap"
+Provides-Extra: ifaddr
+Requires-Dist: ifaddr; extra == "ifaddr"
+Dynamic: author
+Dynamic: author-email
+Dynamic: classifier
+Dynamic: description
+Dynamic: download-url
+Dynamic: home-page
+Dynamic: license
+Dynamic: license-file
+Dynamic: maintainer
+Dynamic: maintainer-email
+Dynamic: platform
+Dynamic: provides-extra
+Dynamic: requires-dist
+Dynamic: requires-python
+Dynamic: summary
 
 FreeIPA python support library

ipapython-4.13.1.dist-info/RECORD

@@ -0,0 +1,29 @@
+ipapython/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+ipapython/admintool.py,sha256=d9C0S5YGW0PN0OUQPN-ZsjQcJoyySlSyiU5P2z-C9Ao,13828
+ipapython/certdb.py,sha256=wV7Lu6WRLVDNC8gZ1ZNPP9UcKa5t1omNEvbAHpgH7-s,39064
+ipapython/config.py,sha256=iTQDsxhBxprR5d79Zo_jbQg84Ar3POaiAO0Y1qZguLI,9721
+ipapython/cookie.py,sha256=-X_UojEtLPw6vx1XxBEGX17i3aLyCylFPXDQWMBN0V4,24920
+ipapython/directivesetter.py,sha256=O1t8BtQ_sUt5ac7BQffHmLwIQczU3al-WN0Z2hXNEdg,7673
+ipapython/dn.py,sha256=9Lbw9cpygjvUSFqNCYvU-nFSQFqJYrSE1Dji8mr3Xws,49528
+ipapython/dn_ctypes.py,sha256=ZJ5Q8ZhA8HnM5Xu4j-K62Q33amZfcTcPQY6i2rpu8CI,3905
+ipapython/dnsutil.py,sha256=nxvtyaYuARFSj9Vj5GPL1HNaN2-DISf4y1zs-Bn5L3I,22125
+ipapython/dogtag.py,sha256=TesFrK9Mzo_gCmFsHgfm4T5R2PE3Qg1yvyw6U6xPzv4,9693
+ipapython/errors.py,sha256=VEkqUTs5JrTmKooeFxcSPCvqx48Zy3Pa5LOxPrOlCe4,1984
+ipapython/fqdn.py,sha256=P6OoSODkn6hQLSN3sMpLz1U7uwzpGb97l5DaI6-azCc,1220
+ipapython/graph.py,sha256=G-I5tJKQxvO3YokjolS3pgT-K5u8cUV2KVpknM6yBmI,2492
+ipapython/ipa_log_manager.py,sha256=GNZV1HuTRrYSsNdgyw2oZVjZOESJpH91Jb9rsvhzj0E,3881
+ipapython/ipachangeconf.py,sha256=JT5QKYgvpbVrLAR49so6XtpLoxsNDt7FEvqjmP7xcdM,20086
+ipapython/ipaldap.py,sha256=e4G_jHhyzMTH0A7IKjhmbCpsdyQ86E5SF0dz-B_QE_0,73753
+ipapython/ipautil.py,sha256=jCz8NYj-c11Bj7LVVuzdwjHPXBFbbj_yXHHfboWckOA,61886
+ipapython/ipavalidate.py,sha256=EqKFgw4Bz3lTuT7hjRRH7_YkoGRIG1GQ-TB4oOHLKVs,3633
+ipapython/kerberos.py,sha256=5JJ_4dqJAgVhY0Gi7OHDLM3-vG6owRFm-NVQsZKVcgg,6300
+ipapython/kernel_keyring.py,sha256=vInQCwrH-Njknfh3U5nUkeqFdHG4ZRIUK8h0-ODu_nU,4903
+ipapython/nsslib.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+ipapython/session_storage.py,sha256=t7eMnPx6OAHTCajSEsMfDKFySvvllFIDwsG1HuxzYPg,13247
+ipapython/ssh.py,sha256=aEGqBooQi4osOi5rJfdAcUZs-9V-oNJf0pci5ZchKIE,6713
+ipapython/version.py,sha256=hC2UszYu7S_1C2lvqkfbFzLnc4oAGOgIrplaBr_0Rx0,13116
+ipapython-4.13.1.dist-info/licenses/COPYING,sha256=jOtLnuWt7d5Hsx6XXB2QxzrSe2sWWh3NgMfFRetluQM,35147
+ipapython-4.13.1.dist-info/METADATA,sha256=LsXxqGVj9nOa04v4n8eNvZrRKjFv2RGpVjlaPtlcff0,1816
+ipapython-4.13.1.dist-info/WHEEL,sha256=Mk1ST5gDzEO5il5kYREiBnzzM469m5sI8ESPl7TRhJY,110
+ipapython-4.13.1.dist-info/top_level.txt,sha256=ND3uLjnGYtcHS21Gj-Lk9jrodr1Vzxz9ebTopaAS9WI,10
+ipapython-4.13.1.dist-info/RECORD,,

{ipapython-4.10.2.dist-info → ipapython-4.13.1.dist-info}/WHEEL

@@ -1,5 +1,5 @@
 Wheel-Version: 1.0
-Generator: bdist_wheel (0.37.1)
+Generator: setuptools (80.10.2)
 Root-Is-Purelib: true
 Tag: py2-none-any
 Tag: py3-none-any

ipapython-4.10.2.dist-info/RECORD

@@ -1,29 +0,0 @@
-ipapython/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-ipapython/admintool.py,sha256=0TG9COpf9AQd1RLcQ-uttksESd0Kb4Dk-9sS-aGCXd0,12258
-ipapython/certdb.py,sha256=Qc1kgyelWvU0k8aBTRUaRBtXzt21DXynWPH4uQW6tg8,37937
-ipapython/config.py,sha256=3pjybgxq42rrUmvzm4gLdboi-TmbEB5PgQ_wD9iyn-I,9406
-ipapython/cookie.py,sha256=pOAzewR_r-VLMGbQYY8j9kYOI3fTNpFdzabvjx1bRyY,24899
-ipapython/directivesetter.py,sha256=cRl2Cwk7hZ1bRWW5Mu95NFK5PF9H12XJmKrEX21HG40,7674
-ipapython/dn.py,sha256=zTMMW-8XpudF_6QjeU84leH2tM3vPD7Xar6jBeCjAAc,49450
-ipapython/dn_ctypes.py,sha256=ZJ5Q8ZhA8HnM5Xu4j-K62Q33amZfcTcPQY6i2rpu8CI,3905
-ipapython/dnsutil.py,sha256=nxvtyaYuARFSj9Vj5GPL1HNaN2-DISf4y1zs-Bn5L3I,22125
-ipapython/dogtag.py,sha256=YTmXvPuOaFe_jLbrhiETBJ45XPJEOvndXNHWy7GbgFM,9410
-ipapython/errors.py,sha256=VEkqUTs5JrTmKooeFxcSPCvqx48Zy3Pa5LOxPrOlCe4,1984
-ipapython/fqdn.py,sha256=P6OoSODkn6hQLSN3sMpLz1U7uwzpGb97l5DaI6-azCc,1220
-ipapython/graph.py,sha256=tgf5gZtKSlQNKDA9vX5HlQMn57zjibtDONRx8nqwUCQ,2490
-ipapython/ipa_log_manager.py,sha256=GNZV1HuTRrYSsNdgyw2oZVjZOESJpH91Jb9rsvhzj0E,3881
-ipapython/ipachangeconf.py,sha256=JT5QKYgvpbVrLAR49so6XtpLoxsNDt7FEvqjmP7xcdM,20086
-ipapython/ipaldap.py,sha256=xjoorpJlO55Rq-vQSlJofZMRrk3qUb0ahWL-LjEJatI,72601
-ipapython/ipautil.py,sha256=ImbGEicTHvfxCTCfFF1ADn9_cgbg2_4_S8opMFBD2uo,60303
-ipapython/ipavalidate.py,sha256=EqKFgw4Bz3lTuT7hjRRH7_YkoGRIG1GQ-TB4oOHLKVs,3633
-ipapython/kerberos.py,sha256=5JJ_4dqJAgVhY0Gi7OHDLM3-vG6owRFm-NVQsZKVcgg,6300
-ipapython/kernel_keyring.py,sha256=vInQCwrH-Njknfh3U5nUkeqFdHG4ZRIUK8h0-ODu_nU,4903
-ipapython/nsslib.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-ipapython/session_storage.py,sha256=mDIy9MKar_RuzRCaR8Qs-7_E2yLGNEjc21WbxtwJLr4,13223
-ipapython/ssh.py,sha256=aEGqBooQi4osOi5rJfdAcUZs-9V-oNJf0pci5ZchKIE,6713
-ipapython/version.py,sha256=Z2ib0IOq52rqjpvfWTRa8qqb99tazQBkHsHNp9B13uw,12793
-ipapython-4.10.2.dist-info/COPYING,sha256=jOtLnuWt7d5Hsx6XXB2QxzrSe2sWWh3NgMfFRetluQM,35147
-ipapython-4.10.2.dist-info/METADATA,sha256=koxTHUkd-FWVVhwM-llmKyh34C_aepSvYDvRKpd68bM,1530
-ipapython-4.10.2.dist-info/WHEEL,sha256=z9j0xAa_JmUKMpmz72K0ZGALSM_n-wQVmGbleXx2VHg,110
-ipapython-4.10.2.dist-info/top_level.txt,sha256=ND3uLjnGYtcHS21Gj-Lk9jrodr1Vzxz9ebTopaAS9WI,10
-ipapython-4.10.2.dist-info/RECORD,,