On 07/20/2016 12:10 PM, Martin Babinsky wrote:
On 07/19/2016 12:32 PM, Jan Cholasta wrote:
Hi,

On 18.7.2016 13:51, Martin Babinsky wrote:
https://fedorahosted.org/freeipa/ticket/6078

I don't think we want the secret searchable. Add a 'no_search' flag to
the param to fix that.

Honza


'no_search' flag breaks the API backwards compatibility, so I am sending
another two patches which fix handling of deprecated options in the
framework and deprecate `--secret` in radiusproxy-find command.

I hope this solution is the best.



After discussion with Jan we realized that it is enough to hide the '--secret' option from CLI, not deprecate it.

Re-sending patch 190 and updated 193.1. Patch 192 will be send in separate thread since the actual issue it fixes is orthogonal to this one and requires a separate ticket.

--
Martin^3 Babinsky
From 645b7ece72e902c9b108d41a5e71d7e88a48720f Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Mon, 18 Jul 2016 10:45:48 +0200
Subject: [PATCH] expose `--secret` option in radiusproxy-* commands

Option `--secret` was hidden from radiusproxy CLI preventing setting a secret
on existing server or searching by secret. Since thin client implementation it
was also not recognized by the interactive prompt code in CLI frontend since
it never got there.

https://fedorahosted.org/freeipa/ticket/6078
---
 ipaserver/plugins/radiusproxy.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/ipaserver/plugins/radiusproxy.py b/ipaserver/plugins/radiusproxy.py
index 44d87b9ae1337278bb6237d471f64693b0eac3db..5657e002c1ce66335b7697b98f95a49207c61d87 100644
--- a/ipaserver/plugins/radiusproxy.py
+++ b/ipaserver/plugins/radiusproxy.py
@@ -126,7 +126,6 @@ class radiusproxy(LDAPObject):
             label=_('Secret'),
             doc=_('The secret used to encrypt data'),
             confirm=True,
-            flags=['no_option'],
         ),
         Int('ipatokenradiustimeout?',
             cli_name='timeout',
-- 
2.7.4

From 5542508919a0615b4088329ba80eb92002d45f0f Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Thu, 21 Jul 2016 09:42:01 +0200
Subject: [PATCH] prevent search for RADIUS proxy servers by secret

radiusproxy-find should not allow search by proxy secret even for privileged
users so we should hide it from CLI.

https://fedorahosted.org/freeipa/ticket/6078
---
 ipaserver/plugins/radiusproxy.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/ipaserver/plugins/radiusproxy.py b/ipaserver/plugins/radiusproxy.py
index 5657e002c1ce66335b7697b98f95a49207c61d87..3391b8aed77205fb1a586d5472d8cfdbc9fd1cd5 100644
--- a/ipaserver/plugins/radiusproxy.py
+++ b/ipaserver/plugins/radiusproxy.py
@@ -169,6 +169,14 @@ class radiusproxy_find(LDAPSearch):
         '%(count)d RADIUS proxy server matched', '%(count)d RADIUS proxy servers matched', 0
     )
 
+    def get_options(self):
+        for option in super(radiusproxy_find, self).get_options():
+            if option.name == 'ipatokenradiussecret':
+                option = option.clone(flags={'no_option'})
+
+            yield option
+
+
 @register()
 class radiusproxy_show(LDAPRetrieve):
     __doc__ = _('Display information about a RADIUS proxy server.')
-- 
2.7.4

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to