On 08/17/2016 04:11 PM, Tibor Dudlak wrote:


On Wed, Aug 17, 2016 at 3:36 PM, Stanislav Laznicka <slazn...@redhat.com> wrote:

    On 08/16/2016 03:16 PM, Tibor Dudlak wrote:
    Hi,

    I have edited this patch after review. It should be okay now.

    Thank you.

    On Thu, Aug 11, 2016 at 7:49 PM, Petr Vobornik <pvobo...@redhat.com> wrote:

        On 08/11/2016 07:21 PM, Martin Basti wrote:
        >
        >
        > On 11.08.2016 18:57, Pavel Vomacka wrote:
        >>
        >>
        >> On 08/11/2016 02:00 PM, Petr Vobornik wrote:
        >>> On 08/11/2016 10:54 AM, Alexander Bokovoy wrote:
        >>>> On Thu, 11 Aug 2016, Jan Cholasta wrote:
        >>>>> On 4.8.2016 17:27, Jan Pazdziora wrote:
        >>>>>> On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:
        >>>>>>> Got it. One thing I would correct, though, -- don't use kadmin.local, we
        >>>>>>> do support setting ok_as_delegate on the service principals via IPA CLI:
        >>>>>>> $ ipa service-mod --help |grep -A1 ok-as-delegate
        >>>>>>> --ok-as-delegate=BOOL
        >>>>>>>             Client credentials may be delegated to the service
        >>>>>> I've tried
        >>>>>>
        >>>>>>      ipa service-mod --ok-as-delegate=True HTTP/$(hostname)
        >>>>>>
        >>>>>> but that does not seem to have the same effect as
        >>>>>>
        >>>>>>      modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test
        >>>>>>
        >>>>>> -- obtaining the delegated certificated fails.
        >>>>> That's because ok_as_delegate and ok_to_auth_as_delegate are different
        >>>>> flags.
        >>>> Right. The following patch adds ok_to_auth_as_delegate to the service
        >>>> principal.
        >>>>
        >>>> I haven't added any tickets to it yet.
        >>>>
        >>>>
        >>> This might deserve also nice Web UI checkbox similar to "Trusted for
        >>> delegation". CCing Pavel.
        >>>
        >> Here is patch with new checkbox. It is without ticket in commit message so
        >> once we will have the ticket I will send another patch with updated commit
        >> message.
        >
        > https://fedorahosted.org/freeipa/newticket
        >
        > ;-)

        It's prerequisite for https://fedorahosted.org/freeipa/ticket/5764 so we
        might use that.


    Please, add your answers at the end of the previous mail in the
    future.

    Also, your patch raises pep8 errors:
    ./ipaserver/plugins/xmlserver.py:31:80: E501 line too long (189 >
    79 characters)
    ./ipaserver/rpcserver.py:885:5: E113 unexpected indentation

    Could you please fix them?


Hi,

Thanks for the review, Stanislav. I understand ./ipaserver/rpcserver.py:885:5: E113 unexpected indentation, that is my fault, but I really do not understand the first one. Is there a policy that you decided not to patch existing files, even if there was obviously a longer line before the patch, until it is not necessary?
Anyway I hope it should be ok now.

Thank you.

There's a policy to try to be pep8 compliant as much as we can with any new patches. Your new patch would still raise some pep8 errors, please see the attached patch that should be ok. If it's ok with you then ACK, it seems to be working.

From e8f7cffe8fa24d2e02285ab2907e95463aad4311 Mon Sep 17 00:00:00 2001
From: Tiboris <tibor.dud...@gmail.com>
Date: Tue, 16 Aug 2016 14:13:29 +0200
Subject: [PATCH] Added new authentication method

Addressing ticket https://fedorahosted.org/freeipa/ticket/5764
---
 ipaserver/plugins/xmlserver.py |  6 +++++-
 ipaserver/rpcserver.py         | 17 +++++++++++++----
 2 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/ipaserver/plugins/xmlserver.py b/ipaserver/plugins/xmlserver.py
index d8fe24e0cb407603e9898e934229c9373f3c8b62..08c7456ed6dbfcc59f532314894031fba584e20a 100644
--- a/ipaserver/plugins/xmlserver.py
+++ b/ipaserver/plugins/xmlserver.py
@@ -28,12 +28,16 @@ register = Registry()
 
 
 if api.env.context in ('server', 'lite'):
-    from ipaserver.rpcserver import wsgi_dispatch, xmlserver, jsonserver_kerb, jsonserver_session, login_kerberos, login_password, change_password, sync_token, xmlserver_session
+    from ipaserver.rpcserver import (
+        wsgi_dispatch, xmlserver, jsonserver_kerb, jsonserver_session,
+        login_kerberos, login_x509, login_password, change_password,
+        sync_token, xmlserver_session)
     register()(wsgi_dispatch)
     register()(xmlserver)
     register()(jsonserver_kerb)
     register()(jsonserver_session)
     register()(login_kerberos)
+    register()(login_x509)
     register()(login_password)
     register()(change_password)
     register()(sync_token)
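
Review bot: register()(login_x509) sits under "if api.env.context in ('server', 'lite'):", so the new login backend is registered in both contexts; please confirm that exposing it in 'lite' is intended. The commit message ("Added new authentication method") does not say which endpoint is added or what has to be in place in front of it, and it would help to name login_x509 there and state what it expects.
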
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index d036f3c27521f17709672b830d5aa58167c76b34..e48dc3498d6ed8feb6ea44a9a678a8b8c50e8d9b 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -857,16 +857,16 @@ class jsonserver_kerb(jsonserver, KerberosWSGIExecutioner):
     key = '/json'
 
 
-class login_kerberos(Backend, KerberosSession, HTTP_Status):
-    key = '/session/login_kerberos'
+class KerberosLogin(Backend, KerberosSession, HTTP_Status):
+    key = None
 
     def _on_finalize(self):
-        super(login_kerberos, self)._on_finalize()
+        super(KerberosLogin, self)._on_finalize()
         self.api.Backend.wsgi_dispatch.mount(self, self.key)
         self.kerb_session_on_finalize()
 
     def __call__(self, environ, start_response):
-        self.debug('WSGI login_kerberos.__call__:')
+        self.debug('WSGI KerberosLogin.__call__:')
 
         # Get the ccache created by mod_auth_gssapi
         user_ccache_name=environ.get('KRB5CCNAME')
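
Review bot: KerberosLogin now has key = None, while _on_finalize still calls self.api.Backend.wsgi_dispatch.mount(self, self.key) unconditionally, so a subclass that forgets to set key (or the base class being registered by mistake) would attempt to mount at None. Suggest raising or skipping the mount when self.key is None, and adding a short docstring saying this class is a base for the concrete login endpoints and is not meant to be registered itself. The debug string 'WSGI KerberosLogin.__call__:' also no longer distinguishes which endpoint was hit; using the concrete class name there would keep the log line useful.
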
@@ -876,6 +876,15 @@ class login_kerberos(Backend, KerberosSession, HTTP_Status):
 
         return self.finalize_kerberos_acquisition('login_kerberos', user_ccache_name, environ, start_response)
 
+
+class login_kerberos(KerberosLogin):
+    key = '/session/login_kerberos'
+
+
+class login_x509(KerberosLogin):
+    key = '/session/login_x509'
+
+
 class login_password(Backend, KerberosSession, HTTP_Status):
 
     content_type = 'text/plain'
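
Review bot: the unchanged context line finalize_kerberos_acquisition('login_kerberos', user_ccache_name, environ, start_response) is now inherited by login_x509, so requests to /session/login_x509 are still handled under the hard-coded name 'login_kerberos'. Suggest passing a name derived from the subclass instead, so the two login paths can be told apart. Also, login_x509 differs from login_kerberos only in key, and both take the ccache from KRB5CCNAME in environ (per the "created by mod_auth_gssapi" comment in __call__), so whatever makes this endpoint certificate-based is outside this code; a docstring on login_x509 stating that expectation would make the dependency explicit.
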
-- 
2.7.4
