FreeNAS/freenas 606b801 src/middlewared/middlewared/plugins crypto.py

Periodically keep ssl up to date

This commit makes sure that we keep ssl related changes up to date by making sure that we 
generate all the ssl related files after a 24 hour window.

FreeNAS/freenas 7b846a5 src/middlewared/middlewared/etc_files/local/openvpn/server openvpn_server.conf, src/middlewared/middlewared/plugins service.py

Generate openvpn-server config file on ca revocation

This commit introduces a change where we generate openvpn-server file again each time 
changes are introduced to crypto services. This is necessary because it ensures that crl 
file for ca which openvpn server is using always remains up to date. It is however not 
necessary to reload/restart openvpn server when we generate the config file again because 
it automatically picks up that change for crl.

FreeNAS/freenas f8a42d7 src/middlewared/middlewared/plugins crypto.py

Revoke Certificate

This commit makes sure we are able to mark a certificate as revoked.

FreeNAS/freenas 3a0871e src/middlewared/middlewared/etc_files generate_ssl_certs.py, src/middlewared/middlewared/plugins crypto.py

Write CRL to file

This commit makes sure that each time changes are introduced to a cert/ca wrt revocation 
status, we make a CRL for each ca and write it out respectively so that the services 
making use of it have an updated version.

FreeNAS/freenas 67dfbd0 src/middlewared/middlewared/plugins crypto.py

Generate CRL

This commit adds a method to cryptokey service which enables us to generate a CRL for a 
list of certs using provided ca. There's a tricky situation here as to what happens if the 
root CA is compromised? In normal world scenarios, that CA is removed from app's trust 
store and any subsequent certs it had issued wouldn't be validated by the app then. Making 
a CRL for a revoked root CA in normal cases doesn't make sense as the thief can sign a 
counter CRL saying that everything is fine. As our environment is controlled, I think we 
are safe to create a crl for root CA as well which we can publish for services which make 
use of it i.e. openvpn and they'll know that the certs/ca's have been compromised.

FreeNAS/freenas c0aeb89 src/middlewared/middlewared/plugins crypto.py

Revoke CA chain

When a CA is marked as revoked, we revoke the complete chain which starts off from that 
CA.

FreeNAS/freenas 1105037 src/middlewared/middlewared/plugins crypto.py

Retrieve CA chain

This commit adds a generic method which will be used internally to gather ca chain.

FreeNAS/freenas 1a169e7 tests/api2 interfaces.py delete_interfaces.py

Merge pull request #3074 from freenas/QE-NAS-101847

QE NAS-101847 Fix API v2 interface/checkin_waiting testing

FreeNAS/freenas 7355233 tests/api1 system.py

Merge pull request #3073 from freenas/QE-NAS-101843

QE NAS-101843 Fix API v1 system/reboot tests for vm-bhyve 1.3.0
Delta File
+4 -10 tests/api1/system.py
+4 -10 1 files

FreeNAS/freenas 1dc17fa tests/api2 interfaces.py delete_interfaces.py

Fix API v2 interface/checkin_waiting testing

FreeNAS/freenas a818dbd tests/api1 system.py

Fix API v1 system/reboot tests for vm-bhyve 1.3.0
Delta File
+4 -10 tests/api1/system.py
+4 -10 1 files

FreeNAS/freenas ebe23b9 src/middlewared/middlewared/plugins ldap.py

Fix LDAP workgroup detection

FreeNAS/freenas 3f896ee src/middlewared/middlewared/plugins ldap.py nis.py

Fix cache filling and LDAP validation

FreeNAS/freenas 0a7105b src/middlewared/middlewared/etc_files generate_ssl_certs.py, src/middlewared/middlewared/plugins crypto.py

Write CRL to file

This commit makes sure that each time changes are introduced to a cert/ca wrt revocation 
status, we make a CRL for each ca and write it out respectively so that the services 
making use of it have an updated version.

FreeNAS/freenas a1d39b2 src/middlewared/middlewared/plugins activedirectory.py ldap.py

Remove timeout values for dscache entries
There is a cronjob automatically refreshing this every 24 hours.
Users have a UI button to rebuild the cache if needed.
This ends up introducing an unnecessary failure mode for getting the cache.

FreeNAS/freenas 7df6a4f src/middlewared/middlewared/plugins activedirectory.py

Fix arguments for activedirectory.fill_cache job

FreeNAS/freenas 26a64bd src/middlewared/middlewared/plugins crypto.py

Generate CRL

This commit adds a method to cryptokey service which enables us to generate a CRL for a 
list of certs using provided ca. There's a tricky situation here as to what happens if the 
root CA is compromised? In normal world scenarios, that CA is removed from app's trust 
store and any subsequent certs it had issued wouldn't be validated by the app then. Making 
a CRL for a revoked root CA in normal cases doesn't make sense as the thief can sign a 
counter CRL saying that everything is fine. As our environment is controlled, I think we 
are safe to create a crl for root CA as well which we can publish for services which make 
use of it i.e. openvpn and they'll know that the certs/ca's have been compromised.

FreeNAS/freenas 45bc3d0 src/middlewared/middlewared/plugins crypto.py

Revoke CA chain

When a CA is marked as revoked, we revoke the complete chain which starts off from that 
CA.

FreeNAS/freenas a9d1383 src/middlewared/middlewared/plugins crypto.py

Retrieve CA chain

This commit adds a generic method which will be used internally to gather ca chain.

FreeNAS/freenas edc93ba gui/system models.py, gui/system/migrations 0044_revoked_field.py

Migrations for revoked field

This commit adds migrations for fields which will help us revoke certificates and generate 
Certificate Revocation Lists.

FreeNAS/freenas fdd85df src/middlewared/middlewared/plugins crypto.py

Retrieve certificate extensions

This commit makes sure that we are able to retrieve certificate extensions from underlying 
cryptography module and it also provides a method which exposes these extensions. We right 
now don't support all of those, primarily because we don't have a need to do that and it 
requires a lot more work making sure that the parameters for each extension type are 
correct and of the correct type.

FreeNAS/freenas e660792 src/middlewared/middlewared/etc_files/local/openvpn/client openvpn_client.conf, src/middlewared/middlewared/etc_files/local/openvpn/server openvpn_server.conf

Generate inline OpenVPN static key in configurations

This commit introduces changes so that we add the generated OpenVPN static key inline in 
the respective server/client conf file.

FreeNAS/freenas 550bc4d src/middlewared/middlewared/plugins vpn.py

Validate Server Config

This commit adds a method which can be called before we start OpenVPN server making sure 
that OpenVPN Server does not run with a misconfigured file resulting in further woes for 
the user. This will raise a CallError if the settings are not as they should be for 
OpenVPN server and we can skip generating the openvpn server file which will result in 
failure to start for the service.

FreeNAS/freenas 5863bf9 src/middlewared/middlewared/plugins crypto.py

Add support for AuthorityKeyIdentifier extension

This commit adds support for AuthorityKeyIdentifier extension and also refines how we 
convert/retrieve params for extensions.

FreeNAS/freenas 52acb59 src/middlewared/middlewared/plugins crypto.py

Generate certs/ca's with user defined extensions

This commit adds ability to generate certs/ca's with user defined extensions in the 
CryptoKeyService.

FreeNAS/freenas 7c67944 src/middlewared/middlewared/plugins crypto.py

Add validation for cert extensions

This commit adds validation for cert extensions making use of cryptography module to 
actually validate the values and raising it above if it fails.

FreeNAS/freenas 31bfd18 src/middlewared/middlewared/plugins vpn.py

Generate OpenVPN Static Key

This commit adds ability for the end user to authenticate/encrypt all control channel 
packets with a static key which OpenVPN generates.

FreeNAS/freenas c6d6ec7 src/middlewared/middlewared/plugins vpn.py

Expose ciphers/digests

This commit makes sure that valid ciphers/digests are exposed by openvpn services so the 
user can correctly choose which one to use.

FreeNAS/freenas a677862 src/middlewared/middlewared/plugins crypto.py

Add Profiles for Certificate Service

This commit adds profiles for OpenVPN server/client certificates in Certificate Service 
making it easier to generate correct certs for the respective use cases (openvpn 
server/client).

FreeNAS/freenas bf023fb src/freenas/etc/ix.rc.d ix-etc, src/middlewared/middlewared/etc_files/local/nginx nginx.conf

Get dhparams path and cover usages

This commit introduces changes so crypto plugin returns the path for dhparam.pem file and 
covers its usages to make sure we don't hardcode the value and use the new method.

FreeNAS/freenas 5150ed7 src/middlewared/middlewared/plugins crypto.py

Ensure certificate/ca service are able to use extensions

This commit makes sure that certificate/ca services work with the extension changes 
introduced.

FreeNAS/freenas 42b865d src/middlewared/middlewared/plugins vpn.py

Add validation for OpenVPN Server

This commit adds validation for OpenVPN Server Service.

FreeNAS/freenas 9711103 src/middlewared/middlewared/plugins vpn.py

Expose valid ciphers

This commit adds ability to retrieve valid ciphers supported by openvpn and exposes them 
to vpn plugin.

FreeNAS/freenas 2a6ddf8 src/middlewared/middlewared/plugins vpn.py

Validate Client Config

This commit adds a method which can be called before we start OpenVPN client making sure 
that OpenVPN Client does not run with a misconfigured file resulting in further woes for 
the user. This will raise a CallError if the settings are not as they should be for 
OpenVPN client and we can skip generating the openvpn client file which will result in 
failure to start for the service.

FreeNAS/freenas bafb155 src/middlewared/middlewared/plugins crypto.py

Add CA profile for OpenVPN root CA

This commit introduces the concepts of profiles in certificate management. The idea is 
that we expose a set of prefilled fields which we consider safe for basic use. Each 
profile is tailored for a specific use case. Right now this commit introduces a profile 
for OpenVPN root CA exposing basic cert extensions and some other fields which the user 
can use to build his payload for creating a root CA. The UI can also make use of this by 
allowing user to select a profile and filling those fields beforehand so the user does not 
have to know the finer details of everything and if he does, then that means his use case 
is complex and he can change the fields as he wishes.

FreeNAS/freenas 9592a6a src/middlewared/middlewared/plugins vpn.py

Link rc scripts for server/client

This commit makes sure that when middlewared starts, we link openvpn rc script for the 
respective OpenVPN server/client service.

FreeNAS/freenas 4da8b1c src/middlewared/middlewared/etc_files/local/openvpn/server openvpn_server.conf, src/middlewared/middlewared/plugins etc.py

Generate OpenVPN Server config file

This commit adds changes which give us the ability to generate openvpn server 
configuration file.

FreeNAS/freenas ec84ceb src/middlewared/middlewared/plugins vpn.py

Expose valid digest algorithms

This commit adds ability to retrieve valid digest algorithms supported by openvpn and 
exposes them to vpn plugin.

FreeNAS/freenas df65704 src/middlewared/middlewared/etc_files/local/openvpn/client openvpn_client.conf, src/middlewared/middlewared/plugins etc.py

Generate OpenVPN Client config file

This commit adds changes which give us the ability to generate openvpn client 
configuration file.

FreeNAS/freenas 488cc52 src/middlewared/middlewared/etc_files rc.conf.py, src/middlewared/middlewared/plugins service.py

Setup OpenVPN Server as a service

This commit introduces changes where we add the capability of starting openvpn server from 
middlewared as a service and also generating relevant rc.conf bits.

FreeNAS/freenas 3969707 src/middlewared/middlewared/plugins vpn.py

Normalize OpenVPN config

This commit normalizes openvpn.(client/server).config method making sure that we only show 
ids for foreign keys.

FreeNAS/freenas a74813c src/middlewared/middlewared schema.py

Update list schema to correctly validate/clean items

This commit updates List schema to correctly validate/clean items when the length provided 
for items is more than one. The motivation behind the changes is that we should validate 
the given values in the list with all of the schemas provided in items and if we have a 
positive match for any one of it, we should allow that value in the list.

FreeNAS/freenas e4d2810 src/middlewared/middlewared/plugins vpn.py

Common Validation for OpenVPN Services

This commit adds common validation for OpenVPN services.

FreeNAS/freenas a985f7a src/middlewared/middlewared/plugins vpn.py

Require PKI to be setup before configuring OpenVPN

This commit adds some checks which make sure that we require PKI to be setup before 
configuring either OpenVPN service (client / server).

FreeNAS/freenas 47e4dc3 src/middlewared/middlewared/plugins vpn.py

Add validation for OpenVPN Client

This commit adds validation for OpenVPN Client Service.

FreeNAS/freenas a37b94d src/middlewared/middlewared/etc_files rc.conf.py, src/middlewared/middlewared/plugins service.py

Setup OpenVPN Client as a service

This commit introduces changes where we add the capability of starting openvpn client from 
middlewared as a service and also generating relevant rc.conf bits.

FreeNAS/freenas ec30da4 src/middlewared/middlewared/plugins etc.py

Create etc plugin's group directory

In case the parent directories where the group's conf file is to be written do not exist, 
we create them automatically.

FreeNAS/freenas efa23d7 src/middlewared/middlewared/plugins crypto.py

Deletion checks for OpenVPN certs/ca's

This commit adds checks to ensure that we don't allow deleting a certificate/ca which is 
being used by openvpn server/client.

FreeNAS/freenas f5d9ad3 src/middlewared/middlewared/plugins vpn.py

Initial commit for VPN plugin

This commit adds basic classes and update method's schema to OpenVPN client/server 
services.

FreeNAS/freenas c14665b gui/services models.py, gui/services/migrations 0032_openvpn_models.py

Add OpenVPN models

This commit adds openvpn models and migrations.