[Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367 Author: stlaz Title: #367: Remove nsslib from IPA Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/367/head:pr367 git checkout pr367 From 186c84b68e541dabc51707f0bc93f0c69baa2f6e Mon Sep 17 00:00:00 2001 From: Stanislav LaznickaDate: Tue, 20 Dec 2016 10:05:36 +0100 Subject: [PATCH 01/12] Remove NSSConnection from the Python RPC module NSSConnection was causing a lot of trouble in the past and there is a lot of logic around it just to make it not fail. What's more, when using NSS to create an SSL connection in FIPS mode, NSS always requires database password which makes the `ipa` command totally unusable. NSSConnection is therefore replaced with Python's httplib.HTTPSConnection which is OpenSSL based. The new HTTPS handling class, IPAHTTPSConnection, is prepared to handle authentication with client certificate for connections to Dogtag server as RA agent. It allows handling even for handling separate client cert/private key in separate files and also for encrypted private key files. https://fedorahosted.org/freeipa/ticket/5695 --- ipalib/config.py| 3 ++ ipalib/constants.py | 1 + ipalib/rpc.py | 70 +++--- ipalib/util.py | 106 4 files changed, 124 insertions(+), 56 deletions(-) diff --git a/ipalib/config.py b/ipalib/config.py index 20591db..8ecada6 100644 --- a/ipalib/config.py +++ b/ipalib/config.py @@ -493,6 +493,9 @@ def _bootstrap(self, **overrides): if 'nss_dir' not in self: self.nss_dir = self._join('confdir', 'nssdb') +if 'ca_certfile' not in self: +self.ca_certfile = self._join('confdir', 'ca.crt') + # Set plugins_on_demand: if 'plugins_on_demand' not in self: self.plugins_on_demand = (self.context == 'cli') diff --git a/ipalib/constants.py b/ipalib/constants.py index fa20624..82147f3 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py 
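Review bot: The new `ca_certfile` default added to `_bootstrap` has no comment, unlike the `# Set plugins_on_demand:` block directly below it, and the name alone does not say what the file is used for. The rpc.py hunk later in this patch hands `api.env.ca_certfile` to `IPAHTTPSConnection`, so this is presumably the trust anchor used to verify the IPA server's TLS certificate; a line such as `# Set ca_certfile: CA certificate used to verify the server's TLS certificate` above the `if` would make that explicit. Nothing here checks that the derived path exists; if a missing file is intended to fail closed inside `IPAHTTPSConnection` rather than at bootstrap, the comment is also the place to say so. The identical config.py hunk recurs in each re-posting of this patch further down the thread.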
@@ -226,6 +226,7 @@ ('conf_default', object), # File containing context independent config ('plugins_on_demand', object), # Whether to finalize plugins on-demand (bool) ('nss_dir', object), # Path to nssdb, default {confdir}/nssdb +('ca_certfile', object), # Path to CA cert file # Set in Env._finalize_core(): ('in_server', object), # Whether or not running in-server (bool) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 31ed64e..1ea5d60 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -44,7 +44,7 @@ import gssapi from dns import resolver, rdatatype from dns.exception import DNSException -from nss.error import NSPRError +from ssl import SSLError import six from six.moves import urllib @@ -60,8 +60,7 @@ from ipapython.cookie import Cookie from ipapython.dnsutil import DNSName from ipalib.text import _ -import ipapython.nsslib -from ipapython.nsslib import NSSConnection +from ipalib.util import IPAHTTPSConnection from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \ KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, \ KRB5_REALM_CANT_RESOLVE, KRB5_CC_NOTFOUND, get_principal 
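Review bot: The comment on the new `ca_certfile` entry omits the default that the neighbouring `nss_dir` entry documents (`default {confdir}/nssdb`), even though the config.py hunk in this same patch sets one; `('ca_certfile', object),  # Path to CA cert file, default {confdir}/ca.crt` keeps the table self-describing. The same applies to the identical constants.py hunk in each re-posting of the patch below.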
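Review bot: `from ssl import SSLError` is inserted among the third-party imports (`gssapi`, `dns`, `six`) although `ssl` is standard library; it belongs in the stdlib import group above, per the file's existing grouping. Beyond placement, wherever rpc.py catches the removed `NSPRError` (outside this hunk) a one-for-one swap to `SSLError` is likely too narrow: with `httplib.HTTPSConnection`, connect and transport failures surface as `socket.error`/`OSError`, not only `ssl.SSLError`, so those handlers need both. Conversely, a failed certificate verification arrives as an `SSLError` and must be reported to the caller rather than retried or mapped to a generic network error, otherwise the CA check this patch introduces via `ca_certfile` loses its effect. The same import hunk recurs in each re-posting of the patch below.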
@@ -470,48 +469,20 @@ def get_host_info(self, host): return (host, extra_headers, x509) + class SSLTransport(LanguageAwareTransport): """Handles an HTTPS transaction to an XML-RPC server.""" - -def get_connection_dbdir(self): -""" -If there is a connections open it may have already initialized -NSS database. Return the database location used by the connection. -""" -for value in context.__dict__.values(): -if not isinstance(value, Connection): -continue -if not isinstance( -getattr(value.conn, '_ServerProxy__transport', None), -SSLTransport): -continue -if hasattr(value.conn._ServerProxy__transport, 'dbdir'): -return value.conn._ServerProxy__transport.dbdir -return None - def make_connection(self, host): host, self._extra_headers, _x509 = self.get_host_info(host) if self._connection and host == self._connection[0]: return self._connection[1] -dbdir = context.nss_dir -connection_dbdir = self.get_connection_dbdir() - -if connection_dbdir: -# If an existing connection is already using the same NSS -# database there is no need to re-initialize. -no_init = dbdir == connection_dbdir - -else: -# If the NSS database is already being used there is no -# need to re-initialize. -no_init = dbdir == ipapython.nsslib.current_dbdir - -conn = NSSConnection(host, 443, dbdir=dbdir,
[Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367 Author: stlaz Title: #367: Remove nsslib from IPA Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/367/head:pr367 git checkout pr367 From ca18b7f39e5d8f86ad122a5e66124f9e2ea7fcfe Mon Sep 17 00:00:00 2001 From: Stanislav LaznickaDate: Tue, 20 Dec 2016 10:05:36 +0100 Subject: [PATCH 1/7] Remove NSSConnection from the Python RPC module NSSConnection was causing a lot of trouble in the past and there is a lot of logic around it just to make it not fail. What's more, when using NSS to create an SSL connection in FIPS mode, NSS always requires database password which makes the `ipa` command totally unusable. NSSConnection is therefore replaced with Python's httplib.HTTPSConnection which is OpenSSL based. https://fedorahosted.org/freeipa/ticket/5695 --- ipalib/config.py| 3 ++ ipalib/constants.py | 1 + ipalib/rpc.py | 70 --- ipalib/util.py | 94 + 4 files changed, 112 insertions(+), 56 deletions(-) diff --git a/ipalib/config.py b/ipalib/config.py index 20591db..8ecada6 100644 --- a/ipalib/config.py +++ b/ipalib/config.py @@ -493,6 +493,9 @@ def _bootstrap(self, **overrides): if 'nss_dir' not in self: self.nss_dir = self._join('confdir', 'nssdb') +if 'ca_certfile' not in self: +self.ca_certfile = self._join('confdir', 'ca.crt') + # Set plugins_on_demand: if 'plugins_on_demand' not in self: self.plugins_on_demand = (self.context == 'cli') diff --git a/ipalib/constants.py b/ipalib/constants.py index 81643da..4f40545 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -226,6 +226,7 @@ ('conf_default', object), # File containing context independent config ('plugins_on_demand', object), # Whether to finalize plugins on-demand (bool) ('nss_dir', object), # Path to nssdb, default {confdir}/nssdb +('ca_certfile', object), # Path to CA cert file # Set in Env._finalize_core(): ('in_server', object), # Whether or not running in-server (bool) 
diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 921f5cb..0aeea1b 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -44,7 +44,7 @@ import gssapi from dns import resolver, rdatatype from dns.exception import DNSException -from nss.error import NSPRError +from ssl import SSLError import six from six.moves import urllib @@ -60,8 +60,7 @@ from ipapython.cookie import Cookie from ipapython.dnsutil import DNSName from ipalib.text import _ -import ipapython.nsslib -from ipapython.nsslib import NSSConnection +from ipalib.util import IPAHTTPSConnection from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \ KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, \ KRB5_REALM_CANT_RESOLVE, KRB5_CC_NOTFOUND, get_principal 
@@ -470,48 +469,20 @@ def get_host_info(self, host): return (host, extra_headers, x509) + class SSLTransport(LanguageAwareTransport): """Handles an HTTPS transaction to an XML-RPC server.""" - -def get_connection_dbdir(self): -""" -If there is a connections open it may have already initialized -NSS database. Return the database location used by the connection. -""" -for value in context.__dict__.values(): -if not isinstance(value, Connection): -continue -if not isinstance( -getattr(value.conn, '_ServerProxy__transport', None), -SSLTransport): -continue -if hasattr(value.conn._ServerProxy__transport, 'dbdir'): -return value.conn._ServerProxy__transport.dbdir -return None - def make_connection(self, host): host, self._extra_headers, _x509 = self.get_host_info(host) if self._connection and host == self._connection[0]: return self._connection[1] -dbdir = context.nss_dir -connection_dbdir = self.get_connection_dbdir() - -if connection_dbdir: -# If an existing connection is already using the same NSS -# database there is no need to re-initialize. -no_init = dbdir == connection_dbdir - -else: -# If the NSS database is already being used there is no -# need to re-initialize. -no_init = dbdir == ipapython.nsslib.current_dbdir - -conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init, - tls_version_min=api.env.tls_version_min, - tls_version_max=api.env.tls_version_max) -self.dbdir=dbdir +conn = IPAHTTPSConnection( +host, 443, +api.env.ca_certfile, +
[Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367 Author: stlaz Title: #367: Remove nsslib from IPA Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/367/head:pr367 git checkout pr367 From 72343881600556e394923489643029781474bd93 Mon Sep 17 00:00:00 2001 From: Stanislav LaznickaDate: Tue, 20 Dec 2016 10:05:36 +0100 Subject: [PATCH 1/7] Remove NSSConnection from the Python RPC module NSSConnection was causing a lot of trouble in the past and there is a lot of logic around it just to make it not fail. What's more, when using NSS to create an SSL connection in FIPS mode, NSS always requires database password which makes the `ipa` command totally unusable. NSSConnection is therefore replaced with Python's httplib.HTTPSConnection which is OpenSSL based. https://fedorahosted.org/freeipa/ticket/5695 --- ipalib/config.py| 3 ++ ipalib/constants.py | 1 + ipalib/rpc.py | 69 -- ipalib/util.py | 95 + 4 files changed, 113 insertions(+), 55 deletions(-) diff --git a/ipalib/config.py b/ipalib/config.py index 20591db..8ecada6 100644 --- a/ipalib/config.py +++ b/ipalib/config.py @@ -493,6 +493,9 @@ def _bootstrap(self, **overrides): if 'nss_dir' not in self: self.nss_dir = self._join('confdir', 'nssdb') +if 'ca_certfile' not in self: +self.ca_certfile = self._join('confdir', 'ca.crt') + # Set plugins_on_demand: if 'plugins_on_demand' not in self: self.plugins_on_demand = (self.context == 'cli') diff --git a/ipalib/constants.py b/ipalib/constants.py index 81643da..4f40545 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -226,6 +226,7 @@ ('conf_default', object), # File containing context independent config ('plugins_on_demand', object), # Whether to finalize plugins on-demand (bool) ('nss_dir', object), # Path to nssdb, default {confdir}/nssdb +('ca_certfile', object), # Path to CA cert file # Set in Env._finalize_core(): ('in_server', object), # Whether or not running in-server (bool) 
diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 921f5cb..66cd1c3 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -44,7 +44,7 @@ import gssapi from dns import resolver, rdatatype from dns.exception import DNSException -from nss.error import NSPRError +from ssl import SSLError import six from six.moves import urllib @@ -60,8 +60,7 @@ from ipapython.cookie import Cookie from ipapython.dnsutil import DNSName from ipalib.text import _ -import ipapython.nsslib -from ipapython.nsslib import NSSConnection +from ipalib.util import IPAHTTPSConnection from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \ KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, \ KRB5_REALM_CANT_RESOLVE, KRB5_CC_NOTFOUND, get_principal 
@@ -470,48 +469,21 @@ def get_host_info(self, host): return (host, extra_headers, x509) + class SSLTransport(LanguageAwareTransport): """Handles an HTTPS transaction to an XML-RPC server.""" - -def get_connection_dbdir(self): -""" -If there is a connections open it may have already initialized -NSS database. Return the database location used by the connection. -""" -for value in context.__dict__.values(): -if not isinstance(value, Connection): -continue -if not isinstance( -getattr(value.conn, '_ServerProxy__transport', None), -SSLTransport): -continue -if hasattr(value.conn._ServerProxy__transport, 'dbdir'): -return value.conn._ServerProxy__transport.dbdir -return None - def make_connection(self, host): host, self._extra_headers, _x509 = self.get_host_info(host) if self._connection and host == self._connection[0]: return self._connection[1] -dbdir = context.nss_dir -connection_dbdir = self.get_connection_dbdir() +ca_certfile = context.ca_certfile -if connection_dbdir: -# If an existing connection is already using the same NSS -# database there is no need to re-initialize. -no_init = dbdir == connection_dbdir - -else: -# If the NSS database is already being used there is no -# need to re-initialize. -no_init = dbdir == ipapython.nsslib.current_dbdir - -conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init, - tls_version_min=api.env.tls_version_min, - tls_version_max=api.env.tls_version_max) -self.dbdir=dbdir +conn = IPAHTTPSConnection( +host, 443,
[Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367 Author: stlaz Title: #367: Remove nsslib from IPA Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/367/head:pr367 git checkout pr367 From 6038830d9489cdfde4e7ac700a93c0fb2e99c7aa Mon Sep 17 00:00:00 2001 From: Stanislav LaznickaDate: Tue, 20 Dec 2016 10:05:36 +0100 Subject: [PATCH 1/7] Remove NSSConnection from the Python RPC module NSSConnection was causing a lot of trouble in the past and there is a lot of logic around it just to make it not fail. What's more, when using NSS to create an SSL connection in FIPS mode, NSS always requires database password which makes the `ipa` command totally unusable. NSSConnection is therefore replaced with Python's httplib.HTTPSConnection which is OpenSSL based. https://fedorahosted.org/freeipa/ticket/5695 --- ipalib/config.py| 3 ++ ipalib/constants.py | 1 + ipalib/rpc.py | 69 -- ipalib/util.py | 95 + 4 files changed, 113 insertions(+), 55 deletions(-) diff --git a/ipalib/config.py b/ipalib/config.py index 20591db..8ecada6 100644 --- a/ipalib/config.py +++ b/ipalib/config.py @@ -493,6 +493,9 @@ def _bootstrap(self, **overrides): if 'nss_dir' not in self: self.nss_dir = self._join('confdir', 'nssdb') +if 'ca_certfile' not in self: +self.ca_certfile = self._join('confdir', 'ca.crt') + # Set plugins_on_demand: if 'plugins_on_demand' not in self: self.plugins_on_demand = (self.context == 'cli') diff --git a/ipalib/constants.py b/ipalib/constants.py index 81643da..4f40545 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -226,6 +226,7 @@ ('conf_default', object), # File containing context independent config ('plugins_on_demand', object), # Whether to finalize plugins on-demand (bool) ('nss_dir', object), # Path to nssdb, default {confdir}/nssdb +('ca_certfile', object), # Path to CA cert file # Set in Env._finalize_core(): ('in_server', object), # Whether or not running in-server (bool) 
diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 921f5cb..66cd1c3 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -44,7 +44,7 @@ import gssapi from dns import resolver, rdatatype from dns.exception import DNSException -from nss.error import NSPRError +from ssl import SSLError import six from six.moves import urllib @@ -60,8 +60,7 @@ from ipapython.cookie import Cookie from ipapython.dnsutil import DNSName from ipalib.text import _ -import ipapython.nsslib -from ipapython.nsslib import NSSConnection +from ipalib.util import IPAHTTPSConnection from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \ KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, \ KRB5_REALM_CANT_RESOLVE, KRB5_CC_NOTFOUND, get_principal 
@@ -470,48 +469,21 @@ def get_host_info(self, host): return (host, extra_headers, x509) + class SSLTransport(LanguageAwareTransport): """Handles an HTTPS transaction to an XML-RPC server.""" - -def get_connection_dbdir(self): -""" -If there is a connections open it may have already initialized -NSS database. Return the database location used by the connection. -""" -for value in context.__dict__.values(): -if not isinstance(value, Connection): -continue -if not isinstance( -getattr(value.conn, '_ServerProxy__transport', None), -SSLTransport): -continue -if hasattr(value.conn._ServerProxy__transport, 'dbdir'): -return value.conn._ServerProxy__transport.dbdir -return None - def make_connection(self, host): host, self._extra_headers, _x509 = self.get_host_info(host) if self._connection and host == self._connection[0]: return self._connection[1] -dbdir = context.nss_dir -connection_dbdir = self.get_connection_dbdir() +ca_certfile = context.ca_certfile -if connection_dbdir: -# If an existing connection is already using the same NSS -# database there is no need to re-initialize. -no_init = dbdir == connection_dbdir - -else: -# If the NSS database is already being used there is no -# need to re-initialize. -no_init = dbdir == ipapython.nsslib.current_dbdir - -conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init, - tls_version_min=api.env.tls_version_min, - tls_version_max=api.env.tls_version_max) -self.dbdir=dbdir +conn = IPAHTTPSConnection( +host, 443,
[Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367 Author: stlaz Title: #367: Remove nsslib from IPA Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/367/head:pr367 git checkout pr367 From b90e059d793f2b8f5af6246d046f5ecb9e69b71e Mon Sep 17 00:00:00 2001 From: Stanislav LaznickaDate: Tue, 20 Dec 2016 10:05:36 +0100 Subject: [PATCH 1/7] Remove NSSConnection from the Python RPC module NSSConnection was causing a lot of trouble in the past and there is a lot of logic around it just to make it not fail. What's more, when using NSS to create an SSL connection in FIPS mode, NSS always requires database password which makes the `ipa` command totally unusable. NSSConnection is therefore replaced with Python's httplib.HTTPSConnection which is OpenSSL based. https://fedorahosted.org/freeipa/ticket/5695 --- ipalib/config.py| 3 ++ ipalib/constants.py | 1 + ipalib/rpc.py | 69 - ipalib/util.py | 97 + 4 files changed, 115 insertions(+), 55 deletions(-) diff --git a/ipalib/config.py b/ipalib/config.py index 20591db..8ecada6 100644 --- a/ipalib/config.py +++ b/ipalib/config.py @@ -493,6 +493,9 @@ def _bootstrap(self, **overrides): if 'nss_dir' not in self: self.nss_dir = self._join('confdir', 'nssdb') +if 'ca_certfile' not in self: +self.ca_certfile = self._join('confdir', 'ca.crt') + # Set plugins_on_demand: if 'plugins_on_demand' not in self: self.plugins_on_demand = (self.context == 'cli') diff --git a/ipalib/constants.py b/ipalib/constants.py index 81643da..4f40545 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -226,6 +226,7 @@ ('conf_default', object), # File containing context independent config ('plugins_on_demand', object), # Whether to finalize plugins on-demand (bool) ('nss_dir', object), # Path to nssdb, default {confdir}/nssdb +('ca_certfile', object), # Path to CA cert file # Set in Env._finalize_core(): ('in_server', object), # Whether or not running in-server (bool) 
diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 921f5cb..66cd1c3 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -44,7 +44,7 @@ import gssapi from dns import resolver, rdatatype from dns.exception import DNSException -from nss.error import NSPRError +from ssl import SSLError import six from six.moves import urllib @@ -60,8 +60,7 @@ from ipapython.cookie import Cookie from ipapython.dnsutil import DNSName from ipalib.text import _ -import ipapython.nsslib -from ipapython.nsslib import NSSConnection +from ipalib.util import IPAHTTPSConnection from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \ KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, \ KRB5_REALM_CANT_RESOLVE, KRB5_CC_NOTFOUND, get_principal 
@@ -470,48 +469,21 @@ def get_host_info(self, host): return (host, extra_headers, x509) + class SSLTransport(LanguageAwareTransport): """Handles an HTTPS transaction to an XML-RPC server.""" - -def get_connection_dbdir(self): -""" -If there is a connections open it may have already initialized -NSS database. Return the database location used by the connection. -""" -for value in context.__dict__.values(): -if not isinstance(value, Connection): -continue -if not isinstance( -getattr(value.conn, '_ServerProxy__transport', None), -SSLTransport): -continue -if hasattr(value.conn._ServerProxy__transport, 'dbdir'): -return value.conn._ServerProxy__transport.dbdir -return None - def make_connection(self, host): host, self._extra_headers, _x509 = self.get_host_info(host) if self._connection and host == self._connection[0]: return self._connection[1] -dbdir = context.nss_dir -connection_dbdir = self.get_connection_dbdir() +ca_certfile = context.ca_certfile -if connection_dbdir: -# If an existing connection is already using the same NSS -# database there is no need to re-initialize. -no_init = dbdir == connection_dbdir - -else: -# If the NSS database is already being used there is no -# need to re-initialize. -no_init = dbdir == ipapython.nsslib.current_dbdir - -conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init, - tls_version_min=api.env.tls_version_min, - tls_version_max=api.env.tls_version_max) -self.dbdir=dbdir +conn = IPAHTTPSConnection( +host, 443,
[Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367 Author: stlaz Title: #367: Remove nsslib from IPA Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/367/head:pr367 git checkout pr367 From b90e059d793f2b8f5af6246d046f5ecb9e69b71e Mon Sep 17 00:00:00 2001 From: Stanislav LaznickaDate: Tue, 20 Dec 2016 10:05:36 +0100 Subject: [PATCH 1/7] Remove NSSConnection from the Python RPC module NSSConnection was causing a lot of trouble in the past and there is a lot of logic around it just to make it not fail. What's more, when using NSS to create an SSL connection in FIPS mode, NSS always requires database password which makes the `ipa` command totally unusable. NSSConnection is therefore replaced with Python's httplib.HTTPSConnection which is OpenSSL based. https://fedorahosted.org/freeipa/ticket/5695 --- ipalib/config.py| 3 ++ ipalib/constants.py | 1 + ipalib/rpc.py | 69 - ipalib/util.py | 97 + 4 files changed, 115 insertions(+), 55 deletions(-) diff --git a/ipalib/config.py b/ipalib/config.py index 20591db..8ecada6 100644 --- a/ipalib/config.py +++ b/ipalib/config.py @@ -493,6 +493,9 @@ def _bootstrap(self, **overrides): if 'nss_dir' not in self: self.nss_dir = self._join('confdir', 'nssdb') +if 'ca_certfile' not in self: +self.ca_certfile = self._join('confdir', 'ca.crt') + # Set plugins_on_demand: if 'plugins_on_demand' not in self: self.plugins_on_demand = (self.context == 'cli') diff --git a/ipalib/constants.py b/ipalib/constants.py index 81643da..4f40545 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -226,6 +226,7 @@ ('conf_default', object), # File containing context independent config ('plugins_on_demand', object), # Whether to finalize plugins on-demand (bool) ('nss_dir', object), # Path to nssdb, default {confdir}/nssdb +('ca_certfile', object), # Path to CA cert file # Set in Env._finalize_core(): ('in_server', object), # Whether or not running in-server (bool) 
diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 921f5cb..66cd1c3 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -44,7 +44,7 @@ import gssapi from dns import resolver, rdatatype from dns.exception import DNSException -from nss.error import NSPRError +from ssl import SSLError import six from six.moves import urllib @@ -60,8 +60,7 @@ from ipapython.cookie import Cookie from ipapython.dnsutil import DNSName from ipalib.text import _ -import ipapython.nsslib -from ipapython.nsslib import NSSConnection +from ipalib.util import IPAHTTPSConnection from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \ KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, \ KRB5_REALM_CANT_RESOLVE, KRB5_CC_NOTFOUND, get_principal 
@@ -470,48 +469,21 @@ def get_host_info(self, host): return (host, extra_headers, x509) + class SSLTransport(LanguageAwareTransport): """Handles an HTTPS transaction to an XML-RPC server.""" - -def get_connection_dbdir(self): -""" -If there is a connections open it may have already initialized -NSS database. Return the database location used by the connection. -""" -for value in context.__dict__.values(): -if not isinstance(value, Connection): -continue -if not isinstance( -getattr(value.conn, '_ServerProxy__transport', None), -SSLTransport): -continue -if hasattr(value.conn._ServerProxy__transport, 'dbdir'): -return value.conn._ServerProxy__transport.dbdir -return None - def make_connection(self, host): host, self._extra_headers, _x509 = self.get_host_info(host) if self._connection and host == self._connection[0]: return self._connection[1] -dbdir = context.nss_dir -connection_dbdir = self.get_connection_dbdir() +ca_certfile = context.ca_certfile -if connection_dbdir: -# If an existing connection is already using the same NSS -# database there is no need to re-initialize. -no_init = dbdir == connection_dbdir - -else: -# If the NSS database is already being used there is no -# need to re-initialize. -no_init = dbdir == ipapython.nsslib.current_dbdir - -conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init, - tls_version_min=api.env.tls_version_min, - tls_version_max=api.env.tls_version_max) -self.dbdir=dbdir +conn = IPAHTTPSConnection( +host, 443,
[Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367 Author: stlaz Title: #367: Remove nsslib from IPA Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/367/head:pr367 git checkout pr367 From 182bec40b1611bb5eac6162a49854dfdbb59a6fd Mon Sep 17 00:00:00 2001 From: Stanislav LaznickaDate: Tue, 20 Dec 2016 10:05:36 +0100 Subject: [PATCH 1/7] Remove NSSConnection from the Python RPC module NSSConnection was causing a lot of trouble in the past and there is a lot of logic around it just to make it not fail. What's more, when using NSS to create an SSL connection in FIPS mode, NSS always requires database password which makes the `ipa` command totally unusable. NSSConnection is therefore replaced with Python's httplib.HTTPSConnection which is OpenSSL based. https://fedorahosted.org/freeipa/ticket/5695 --- ipalib/config.py| 3 +++ ipalib/constants.py | 1 + ipalib/rpc.py | 69 ++ ipalib/util.py | 73 + 4 files changed, 91 insertions(+), 55 deletions(-) diff --git a/ipalib/config.py b/ipalib/config.py index 20591db..8ecada6 100644 --- a/ipalib/config.py +++ b/ipalib/config.py @@ -493,6 +493,9 @@ def _bootstrap(self, **overrides): if 'nss_dir' not in self: self.nss_dir = self._join('confdir', 'nssdb') +if 'ca_certfile' not in self: +self.ca_certfile = self._join('confdir', 'ca.crt') + # Set plugins_on_demand: if 'plugins_on_demand' not in self: self.plugins_on_demand = (self.context == 'cli') diff --git a/ipalib/constants.py b/ipalib/constants.py index 81643da..4f40545 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -226,6 +226,7 @@ ('conf_default', object), # File containing context independent config ('plugins_on_demand', object), # Whether to finalize plugins on-demand (bool) ('nss_dir', object), # Path to nssdb, default {confdir}/nssdb +('ca_certfile', object), # Path to CA cert file # Set in Env._finalize_core(): ('in_server', object), # Whether or not running in-server (bool) 
diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 921f5cb..66cd1c3 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -44,7 +44,7 @@ import gssapi from dns import resolver, rdatatype from dns.exception import DNSException -from nss.error import NSPRError +from ssl import SSLError import six from six.moves import urllib @@ -60,8 +60,7 @@ from ipapython.cookie import Cookie from ipapython.dnsutil import DNSName from ipalib.text import _ -import ipapython.nsslib -from ipapython.nsslib import NSSConnection +from ipalib.util import IPAHTTPSConnection from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \ KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, \ KRB5_REALM_CANT_RESOLVE, KRB5_CC_NOTFOUND, get_principal 
@@ -470,48 +469,21 @@ def get_host_info(self, host): return (host, extra_headers, x509) + class SSLTransport(LanguageAwareTransport): """Handles an HTTPS transaction to an XML-RPC server.""" - -def get_connection_dbdir(self): -""" -If there is a connections open it may have already initialized -NSS database. Return the database location used by the connection. -""" -for value in context.__dict__.values(): -if not isinstance(value, Connection): -continue -if not isinstance( -getattr(value.conn, '_ServerProxy__transport', None), -SSLTransport): -continue -if hasattr(value.conn._ServerProxy__transport, 'dbdir'): -return value.conn._ServerProxy__transport.dbdir -return None - def make_connection(self, host): host, self._extra_headers, _x509 = self.get_host_info(host) if self._connection and host == self._connection[0]: return self._connection[1] -dbdir = context.nss_dir -connection_dbdir = self.get_connection_dbdir() +ca_certfile = context.ca_certfile -if connection_dbdir: -# If an existing connection is already using the same NSS -# database there is no need to re-initialize. -no_init = dbdir == connection_dbdir - -else: -# If the NSS database is already being used there is no -# need to re-initialize. -no_init = dbdir == ipapython.nsslib.current_dbdir - -conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init, - tls_version_min=api.env.tls_version_min, - tls_version_max=api.env.tls_version_max) -self.dbdir=dbdir +conn = IPAHTTPSConnection( +host,