[Freeipa-devel] [freeipa PR#812][+ack] Refactoring cert-find to use API call directly instead of using

2017-06-01 Thread frasertweedale via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/812
Title: #812: Refactoring cert-find to use API call directly instead of using

Label: +ack
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#843][opened] [WIP] Fixing test_installation.py tests

2017-06-01 Thread felipevolpone via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/843
Author: felipevolpone
 Title: #843: [WIP] Fixing test_installation.py tests
Action: opened

PR body:
"""
I've been working on the test_installation.py suite and figured out how to solve 
some of them.

The TestInstallWithCA1 has 9 tests failing; 6 of them can be fixed by adding 
```bash
 ipa-ca.$DOMAIN
```
into the master `/etc/hosts`. After that, three of them are still failing.
The log: 
https://paste.fedoraproject.org/paste/7n3CMEH5nhiHu~Vai8cObV5M1UNdIGYhyRLivL9gydE=.

They are:
 * test_replica1_with_ca_install
 * test_replica2_with_ca_kra_install
 * test_replica1_ipa_kra_install

I've moved the tests 
 * test_replica2_with_ca_kra_install
 * test_replica1_ipa_kra_install

to a new class (TestInstallWithCA1_KRA1) and created a new install method, 
which uses the `setup_kra=True` option of the install_master method. The tests 
are still failing, but for another reason; the logs: 
https://paste.fedoraproject.org/paste/ytzzIUDhh5ARcunpSfSubV5M1UNdIGYhyRLivL9gydE=

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/843/head:pr843
git checkout pr843
From d38d090333e6c3e53a2e9c2545e61f26e1d35a11 Mon Sep 17 00:00:00 2001
From: Felipe Volpone 
Date: Thu, 1 Jun 2017 23:09:25 -0300
Subject: [PATCH] Fixing broken tests in test_installation.py

---
 ipatests/test_integration/test_installation.py | 21 +
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index f3e9ebac1c..d304543cf9 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -110,7 +110,6 @@ def test_replica1_all_components_adtrust(self):
 ##
 # Master X Replicas installation tests
 ##
-
 class TestInstallWithCA1(InstallTestBase1):
 
 @classmethod
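Review bot: the only change in this hunk is dropping the blank line between the `# Master X Replicas installation tests` banner and `class TestInstallWithCA1`; it is unrelated to the test fixes and leaves the banner comment glued to the class, so either leave it out of this commit or keep the separating line.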
@@ -119,18 +118,24 @@ def install(cls, mh):
 
 @pytest.mark.skipif(config.domain_level == DOMAIN_LEVEL_0,
 reason='does not work on DOMAIN_LEVEL_0 by design')
-def test_replica1_ipa_kra_install(self):
-super(TestInstallWithCA1, self).test_replica1_ipa_kra_install()
+def test_replica2_ipa_dns_install(self):
+super(TestInstallWithCA1, self).test_replica2_ipa_dns_install()
+
+
+class TestInstallWithCA1_KRA1(InstallTestBase1):
+
+@classmethod
+def install(cls, mh):
+tasks.install_master(cls.master, setup_dns=False, setup_kra=True)
 
 @pytest.mark.skipif(config.domain_level == DOMAIN_LEVEL_0,
 reason='does not work on DOMAIN_LEVEL_0 by design')
 def test_replica2_with_ca_kra_install(self):
-super(TestInstallWithCA1, self).test_replica2_with_ca_kra_install()
+super(TestInstallWithCA1_KRA1, 
+  self).test_replica2_with_ca_kra_install()
 
-@pytest.mark.skipif(config.domain_level == DOMAIN_LEVEL_0,
-reason='does not work on DOMAIN_LEVEL_0 by design')
-def test_replica2_ipa_dns_install(self):
-super(TestInstallWithCA1, self).test_replica2_ipa_dns_install()
+def test_replica1_ipa_kra_install(self):
+super(TestInstallWithCA1_KRA1, self).test_replica1_ipa_kra_install()
 
 
 class TestInstallWithCA2(InstallTestBase2):
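Review bot: `test_replica1_ipa_kra_install` moves into the new `TestInstallWithCA1_KRA1` class without the `@pytest.mark.skipif(config.domain_level == DOMAIN_LEVEL_0, ...)` decorator it carried in `TestInstallWithCA1` (and that `test_replica2_with_ca_kra_install` keeps right above it); unless it is now meant to run at domain level 0, re-add the guard, since an undecorated override that only calls `super()` does nothing. Style: the other classes are plain CamelCase (`TestInstallWithCA2`), so a name such as `TestInstallWithCA1KRA1` would match the existing naming.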


[Freeipa-devel] [freeipa PR#837][synchronized] ca-add: fix permission issue

2017-06-01 Thread frasertweedale via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/837
Author: frasertweedale
 Title: #837: ca-add: fix permission issue
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/837/head:pr837
git checkout pr837
From 3e136705b46f037892e9284ebcbec342c28eb8be Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Thu, 1 Jun 2017 13:12:53 +1000
Subject: [PATCH] ca-add: fix permission issue

The ca-add command pre_callback uses ldap.can_add() to check whether
the user has permission to add CAs.  Alas, the GetEffectiveRights
control used by ldap.can_add() doesn't correctly interpret ACIs with
'targetfilter' constraints, and returns a false-negative for
non-admin users, even when they have the 'System: Add CA'
permission.

To work around this, add the CA object to FreeIPA before attempting
to create the CA in Dogtag.  If the CA creation in Dogtag succeeds,
the user then updates the FreeIPA object with the Authority ID and
other authoritative data returned by Dogtag.  If the CA creation in
Dogtag fails, the user cleans up by deleting the newly-created CA
object from FreeIPA.

This modified procedure ensures that the user certainly has the
'System: Add CA' permission before the CA creation in Dogtag is
attempted.  But it also means that the user must have 'write' and
'delete' permission on 'ipaca' objects in FreeIPA, so that it can
complete the object after CA creation in Dogtag, or clean up if that
step fails.  Therefore, update the 'System: Add CA' permission to
confer 'write' and 'delete' access on 'ipaca' objects, as well as
'add' access.

The GetEffectiveRights problem is being tracked upstream as
https://pagure.io/389-ds-base/issue/49278.  When that ticket has
been fixed, this workaround can and should be reverted.

Fixes: https://pagure.io/freeipa/issue/6609
---
 ACI.txt |  2 +-
 ipaserver/plugins/ca.py | 50 +
 2 files changed, 35 insertions(+), 17 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index 185812a881..1e30dba9cc 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -23,7 +23,7 @@ aci: (targetattr = "automountmapname || description")(targetfilter = "(objectcla
 dn: cn=automount,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Remove Automount Maps";allow (delete) groupdn = "ldap:///cn=System: Remove Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=cas,cn=ca,dc=ipa,dc=example
-aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Add CA";allow (add) groupdn = "ldap:///cn=System: Add CA,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Add CA";allow (add,delete,write) groupdn = "ldap:///cn=System: Add CA,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=cas,cn=ca,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Delete CA";allow (delete) groupdn = "ldap:///cn=System: Delete CA,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=cas,cn=ca,dc=ipa,dc=example
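Review bot: the widened `allow (add,delete,write)` applies to every entry matching `(objectclass=ipaca)` under cn=cas, not only the one being created, so any holder of 'System: Add CA' now also gets write and delete on all existing CAs, overlapping the 'System: Delete CA' ACI just below. If that is the accepted cost of the workaround, state it in the permission description and in the ticket; if not, consider adding a `targetattr` limited to the attributes ca-add fills in after Dogtag returns (ipacaid, ipacaissuerdn, ipacasubjectdn) so that 'write' cannot alter a CA's other attributes.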
diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
index 8db6ec549f..2a8bdfd2d9 100644
--- a/ipaserver/plugins/ca.py
+++ b/ipaserver/plugins/ca.py
@@ -15,6 +15,7 @@
 LDAPUpdate, LDAPRetrieve, LDAPQuery, pkey_to_value)
 from ipaserver.plugins.cert import ca_enabled_check
 from ipalib import _, ngettext, x509
+from ipapython.dn import DN
 
 
 __doc__ = _("""
@@ -135,7 +136,7 @@ class ca(LDAPObject):
 },
 },
 'System: Add CA': {
-'ipapermright': {'add'},
+'ipapermright': {'add', 'delete', 'write'},
 'replaces': [
 '(target = "ldap:///cn=*,cn=cas,cn=ca,$SUFFIX;)(version 3.0;acl "permission:Add CA";allow (add) groupdn = "ldap:///cn=Add CA,cn=permissions,cn=pbac,$SUFFIX";)',
 ],
@@ -234,11 +235,6 @@ class ca_add(LDAPCreate):
 )
 
 def pre_callback(self, ldap, dn, entry, entry_attrs, *keys, **options):
-ca_enabled_check(self.api)
-if not ldap.can_add(dn[1:]):
-raise errors.ACIError(
-info=_("Insufficient 'add' privilege for entry '%s'.") % dn)
-
 # check that DN only includes standard naming attributes
 dn_attrs = {
 ava.attr.lower()
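Review bot: this hunk removes `ca_enabled_check(self.api)` together with the `ldap.can_add()` block, although the commit message only describes replacing the permission check. Unless the call is re-added elsewhere in `pre_callback` (not visible in the truncated diff), ca-add will now proceed on a server without a CA; keep the enabled check as the first statement and drop only the `can_add` lines.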
@@ -271,19 +267,41 @@ def pre_callback(self, ldap, dn, entry, entry_attrs, *keys, **options):
 "Subject DN is already used by CA '%s'"
 ) % result['result'][0]['cn'][0])
 
-# Create the CA in Dogtag.
-with self.api.Backend.ra_lightweight_ca as ca_api:
-resp = ca_api.create_ca(options['ipacasubjectdn'])
-entry['ipacaid'] = [resp['id']]
-entry['ipacaissuerdn'] = [resp['issuerDN']]
-
-# In the event that the issued certificate's subject DN
-# differs from what was requested, record the 
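An added example, not FreeIPA's code, of the add-first pattern the commit message describes: the ipaca entry is created in the directory first (so the server's own ACI evaluation, not GetEffectiveRights, answers the 'add' question), then the external CA creation runs, and the entry is either completed with the returned data (needs 'write') or removed again (needs 'delete'). `FakeDirectory`, `FakeDogtag`, `create_ca`, `run_scenarios` and the rights model are hypothetical stand-ins; the four scenarios show why 'add' alone is no longer sufficient.

```python
# Added example (not FreeIPA code): add-first-then-complete, with in-memory
# stand-ins for the LDAP backend and the Dogtag lightweight-CA API.
# FakeDirectory, FakeDogtag and create_ca are hypothetical names; the rights
# model is a simplification of FreeIPA's ACIs.

class PermissionDenied(Exception):
    """Raised by the fake directory when the user lacks a right on ipaca."""


class DogtagError(Exception):
    """Raised by the fake Dogtag backend when CA creation fails."""


class FakeDirectory:
    """Stores ipaca entries in a dict and enforces per-user rights at write
    time, the way 389-ds applies ACIs (no GetEffectiveRights pre-check)."""

    def __init__(self, rights):
        self.rights = rights      # user -> subset of {'add', 'write', 'delete'}
        self.entries = {}         # dn -> attribute dict

    def _check(self, user, right):
        if right not in self.rights.get(user, set()):
            raise PermissionDenied("%s lacks '%s' on ipaca entries" % (user, right))

    def add(self, user, dn, attrs):
        self._check(user, 'add')
        if dn in self.entries:
            raise ValueError("entry %s already exists" % dn)
        self.entries[dn] = dict(attrs)

    def modify(self, user, dn, attrs):
        self._check(user, 'write')
        self.entries[dn].update(attrs)

    def delete(self, user, dn):
        self._check(user, 'delete')
        del self.entries[dn]


class FakeDogtag:
    """Stand-in for ra_lightweight_ca.create_ca(); returns the same keys the
    patch reads from the real response (id, issuerDN, dn)."""

    def __init__(self, fail=False):
        self.fail = fail
        self.created = []

    def create_ca(self, subject_dn):
        if self.fail:
            raise DogtagError("lightweight CA creation failed")
        self.created.append(subject_dn)
        return {'id': 'ca-%d' % len(self.created),
                'issuerDN': 'CN=Certificate Authority,O=EXAMPLE',
                'dn': subject_dn}


def create_ca(directory, dogtag, user, name, subject_dn):
    """Add the ipaca entry first, create the CA in Dogtag, then either
    complete the entry or roll it back. Returns the finished entry."""
    dn = 'cn=%s,cn=cas,cn=ca,dc=example' % name
    # 1. The add itself is the permission check; placeholders stand in for
    #    the MUST attributes that only Dogtag can supply.
    directory.add(user, dn, {'objectclass': ['ipaca'], 'cn': [name],
                             'ipacaid': ['placeholder'],
                             'ipacaissuerdn': ['placeholder'],
                             'ipacasubjectdn': [subject_dn]})
    try:
        resp = dogtag.create_ca(subject_dn)
    except DogtagError:
        directory.delete(user, dn)   # 3. compensate (needs 'delete')
        raise
    # 2. Fill in the authoritative data returned by Dogtag (needs 'write').
    directory.modify(user, dn, {'ipacaid': [resp['id']],
                                'ipacaissuerdn': [resp['issuerDN']],
                                'ipacasubjectdn': [resp['dn']]})
    return directory.entries[dn]


def run_scenarios():
    """Full rights, add-only rights, Dogtag failure, no rights: returns a
    dict describing the outcome of each case."""
    out = {}
    full = {'alice': {'add', 'write', 'delete'}}
    d = FakeDirectory(full)
    out['ok'] = create_ca(d, FakeDogtag(), 'alice', 'sub1', 'CN=Sub CA 1')['ipacaid'][0]
    # 'add' alone satisfied the old can_add() check but leaves a stale entry here
    d = FakeDirectory({'bob': {'add'}})
    try:
        create_ca(d, FakeDogtag(), 'bob', 'sub2', 'CN=Sub CA 2')
        out['add_only'] = 'completed'
    except PermissionDenied:
        out['add_only'] = 'stale:' + d.entries['cn=sub2,cn=cas,cn=ca,dc=example']['ipacaid'][0]
    d = FakeDirectory(full)
    try:
        create_ca(d, FakeDogtag(fail=True), 'alice', 'sub3', 'CN=Sub CA 3')
        out['dogtag_fail'] = 'completed'
    except DogtagError:
        out['dogtag_fail'] = 'rolled_back' if not d.entries else 'leftover'
    d, dt = FakeDirectory({}), FakeDogtag()
    try:
        create_ca(d, dt, 'mallory', 'sub4', 'CN=Sub CA 4')
        out['no_rights'] = 'completed'
    except PermissionDenied:
        out['no_rights'] = 'denied_before_dogtag' if not dt.created else 'denied_after_dogtag'
    return out


if __name__ == '__main__':
    for case, result in run_scenarios().items():
        print('%-12s %s' % (case, result))
```

The add-only case is the one that motivates the ACI change: the directory accepts the add, Dogtag creates the CA, and only then does the missing 'write' right surface, leaving an entry with placeholder values behind. The failure path also shows why the rollback must not itself raise silently: if `delete` fails, Python chains the second exception onto the `DogtagError`, so log the original cause before attempting cleanup in real code.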

[Freeipa-devel] [freeipa PR#837][comment] ca-add: fix permission issue

2017-06-01 Thread frasertweedale via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/837
Title: #837: ca-add: fix permission issue

frasertweedale commented:
"""
On Thu, Jun 01, 2017 at 06:55:59AM -0700, Rob Crittenden wrote:
> Ok cool. I shouldn't have been so terse in my previous comment, what I should 
> have added was "does it make sense to include a pointer to the bug as a hint 
> so workaround can be removed some time in the future?"
> 
> This PR is sort of a brute-force solution but given the infrequency it will 
> be executed it seems perfectly reasonable.
> 
Good idea; I'll add a link to the bug in the patch itself.

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/837#issuecomment-305653601


[Freeipa-devel] [freeipa PR#842][edited] Changed ownership of ldiffile to DS_USER

2017-06-01 Thread tscherf via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/842
Author: tscherf
 Title: #842: Changed ownership of ldiffile to DS_USER
Action: edited

 Changed field: body
Original value:
"""
Changes the ownership of the modified ldiffile created by ipa-restore to 
dirsrv. 
"""



[Freeipa-devel] [freeipa PR#842][opened] Changed ownership of ldiffile to DS_USER

2017-06-01 Thread tscherf via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/842
Author: tscherf
 Title: #842: Changed ownership of ldiffile to DS_USER
Action: opened

PR body:
"""
Changes the ownership of the modified ldiffile created by ipa-restore to 
dirsrv. 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/842/head:pr842
git checkout pr842
From a570d66b7ed64e5232df2534781268db6325c080 Mon Sep 17 00:00:00 2001
From: Thorsten Scherf 
Date: Thu, 1 Jun 2017 22:02:57 +0200
Subject: [PATCH] Changed ownership of ldiffile to DS_USER

---
 ipaserver/install/ipa_restore.py | 4 
 1 file changed, 4 insertions(+)

diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index d85c4874d8..637d3f3f4a 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -545,6 +545,10 @@ def ldif2db(self, instance, backend, online=True):
 ldif_parser = RemoveRUVParser(in_file, ldif_writer, self.log)
 ldif_parser.parse()
 
+# Make sure the modified ldiffile is owned by DS_USER
+pent = pwd.getpwnam(constants.DS_USER)
+os.chown(ldiffile, pent.pw_uid, pent.pw_gid)
+
 if online:
 conn = self.get_connection()
 ent = conn.make_entry(
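Review bot: the chown assumes `pwd`, `os` and `constants` are already imported in ipa_restore.py; none of them is visible in the hunk, so confirm or add the imports. It also runs straight after `ldif_parser.parse()`, so make sure `ldif_writer`'s output file has been flushed and closed before ownership changes hands, and since the rewritten LDIF holds the directory's contents, check that its mode is restrictive as well: chown to DS_USER alone does not tighten a world-readable file.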


[Freeipa-devel] [freeipa PR#823][comment] ipa-kdb: reload certificate mapping rules periodically

2017-06-01 Thread sumit-bose via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/823
Title: #823: ipa-kdb: reload certificate mapping rules periodically

sumit-bose commented:
"""
@dkupka, the reload only happens during processing of the PKINIT request, if the 
rules are older than 5 minutes. It is not a timed event which runs all the time 
every 5 minutes.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/823#issuecomment-305523652


[Freeipa-devel] [freeipa PR#823][comment] ipa-kdb: reload certificate mapping rules periodically

2017-06-01 Thread dkupka via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/823
Title: #823: ipa-kdb: reload certificate mapping rules periodically

dkupka commented:
"""
@sumit-bose You're right, but then there's a ~6 hour gap where no reload 
happened. I would expect that there would be one attempt to reload every 5 
minutes. Or do I understand it wrong?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/823#issuecomment-305518700


[Freeipa-devel] [freeipa PR#837][comment] ca-add: fix permission issue

2017-06-01 Thread rcritten via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/837
Title: #837: ca-add: fix permission issue

rcritten commented:
"""
Ok cool. I shouldn't have been so terse in my previous comment, what I should 
have added was "does it make sense to include a pointer to the bug as a hint so 
workaround can be removed some time in the future?"

This PR is sort of a brute-force solution but given the infrequency it will be 
executed it seems perfectly reasonable.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/837#issuecomment-305500636


[Freeipa-devel] [freeipa PR#823][comment] ipa-kdb: reload certificate mapping rules periodically

2017-06-01 Thread sumit-bose via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/823
Title: #823: ipa-kdb: reload certificate mapping rules periodically

sumit-bose commented:
"""
@dkupka, ah, this is a side effect of having multiple workers (3907-3912). The 
IPA context is not shared between the workers, so each will load the certificate 
mapping rules on its own.

If I checked the reload times of the different workers correctly, none does it 
more often than once in 5 minutes.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/823#issuecomment-305487292


[Freeipa-devel] [freeipa PR#823][comment] ipa-kdb: reload certificate mapping rules periodically

2017-06-01 Thread dkupka via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/823
Title: #823: ipa-kdb: reload certificate mapping rules periodically

dkupka commented:
"""
@sumit-bose Yes, I added a rule that should allow the user to kinit with a 
certificate. I tried it and it worked. Then I modified the rule so it no longer 
matched the user and the immediate pkinit failed. I see the message with each 
kinit, not in the interval:

```
$ sudo grep "Initializing IPA certauth plugin" /var/log/krb5kdc.log
Jun 01 08:44:45 vm-150.example.com krb5kdc[3908](info): Initializing IPA certauth plugin.
Jun 01 08:45:07 vm-150.example.com krb5kdc[3910](info): Initializing IPA certauth plugin.
Jun 01 08:52:54 vm-150.example.com krb5kdc[3907](info): Initializing IPA certauth plugin.
Jun 01 08:52:57 vm-150.example.com krb5kdc[3911](info): Initializing IPA certauth plugin.
Jun 01 08:53:22 vm-150.example.com krb5kdc[3908](info): Initializing IPA certauth plugin.
Jun 01 08:56:50 vm-150.example.com krb5kdc[3909](info): Initializing IPA certauth plugin.
Jun 01 09:02:14 vm-150.example.com krb5kdc[3912](info): Initializing IPA certauth plugin.
Jun 01 09:02:33 vm-150.example.com krb5kdc[3907](info): Initializing IPA certauth plugin.
Jun 01 14:55:21 vm-150.example.com krb5kdc[3908](info): Initializing IPA certauth plugin.
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/823#issuecomment-305485079


[Freeipa-devel] [freeipa PR#840][opened] Add Role 'Client Administrator'

2017-06-01 Thread Tiboris via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/840
Author: Tiboris
 Title: #840: Add Role 'Client Administrator'
Action: opened

PR body:
"""
A user with the 'Client Administrator' role assigned is
able to enroll a host against a FreeIPA server as a client
using the ipa-client-install command.

The 'Client Administrator' role contains the 'Host Enrollment' privilege only.

Points to: https://pagure.io/freeipa/issue/6852
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/840/head:pr840
git checkout pr840
From 7335d69600a41dbc0821e2bce8c6f1297ef3e1dd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tibor=20Dudl=C3=A1k?= 
Date: Thu, 1 Jun 2017 14:27:02 +0200
Subject: [PATCH] Add Role 'Client Administrator'

A user with the 'Client Administrator' role assigned is
able to enroll a host against a FreeIPA server as a client
using the ipa-client-install command.

Points to: https://pagure.io/freeipa/issue/6852
---
 install/updates/45-roles.update | 9 +
 1 file changed, 9 insertions(+)

diff --git a/install/updates/45-roles.update b/install/updates/45-roles.update
index fb28464f25..aa0fe7ea81 100644
--- a/install/updates/45-roles.update
+++ b/install/updates/45-roles.update
@@ -91,3 +91,12 @@ add:member: cn=Security Architect,cn=roles,cn=accounts,$SUFFIX
 dn: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX
 add:member: cn=Security Architect,cn=roles,cn=accounts,$SUFFIX
 
+dn: cn=Client Administrator,cn=roles,cn=accounts,$SUFFIX
+default:objectClass: groupofnames
+default:objectClass: nestedgroup
+default:objectClass: top
+default:cn: Client Administrator
+default:description: Client Administrator responsible for client(host) enrollment
+
+dn: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX
+add:member: cn=Client Administrator,cn=roles,cn=accounts,$SUFFIX
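Review bot: `default:description: Client Administrator responsible for client(host) enrollment` needs a space before the parenthesis, i.e. `client (host) enrollment`. Beyond that, the role inherits the full 'Host Enrollment' privilege, which is not scoped to particular hosts; since the PR body positions the role as the one for ipa-client-install, say in the description what its members can and cannot do so admins don't mistake it for a per-host delegation.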


[Freeipa-devel] [freeipa PR#837][comment] ca-add: fix permission issue

2017-06-01 Thread frasertweedale via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/837
Title: #837: ca-add: fix permission issue

frasertweedale commented:
"""
@rcritten yes: https://pagure.io/389-ds-base/issue/49278
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/837#issuecomment-305474305


[Freeipa-devel] [freeipa PR#837][comment] ca-add: fix permission issue

2017-06-01 Thread rcritten via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/837
Title: #837: ca-add: fix permission issue

rcritten commented:
"""
Is there a bug filed on the GER issue?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/837#issuecomment-305473444


[Freeipa-devel] [freeipa PR#818][comment] Avoid possible endless recursion in RPC call from client

2017-06-01 Thread flo-renaud via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/818
Title: #818: Avoid possible endless recursion in RPC call from client

flo-renaud commented:
"""
Hi @stlaz 
Thank you, the patch looks good to me.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/818#issuecomment-305470664


[Freeipa-devel] [freeipa PR#818][+ack] Avoid possible endless recursion in RPC call from client

2017-06-01 Thread flo-renaud via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/818
Title: #818: Avoid possible endless recursion in RPC call from client

Label: +ack


[Freeipa-devel] [freeipa PR#818][synchronized] Avoid possible endless recursion in RPC call from client

2017-06-01 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/818
Author: stlaz
 Title: #818: Avoid possible endless recursion in RPC call from client
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/818/head:pr818
git checkout pr818
From 8b2824c01cf74e43a61ebe4d62332dba344c5dc8 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 26 May 2017 08:37:36 +0200
Subject: [PATCH 1/3] Avoid possible endless recursion in RPC call

This commit removes recursion in RPCClient.forward() which may lack
an end condition.

https://pagure.io/freeipa/issue/6796
---
 ipalib/rpc.py | 95 +--
 1 file changed, 54 insertions(+), 41 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index e23ca3d061..297ed80414 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -1088,50 +1088,63 @@ def forward(self, name, *args, **kw):
 :param kw: Keyword arguments to pass to remote command.
 """
 server = getattr(context, 'request_url', None)
-self.log.info("Forwarding '%s' to %s server '%s'",
-  name, self.protocol, server)
 command = getattr(self.conn, name)
 params = [args, kw]
-try:
-return self._call_command(command, params)
-except Fault as e:
-e = decode_fault(e)
-self.debug('Caught fault %d from server %s: %s', e.faultCode,
-server, e.faultString)
-if e.faultCode in errors_by_code:
-error = errors_by_code[e.faultCode]
-raise error(message=e.faultString)
-raise UnknownError(
-code=e.faultCode,
-error=e.faultString,
-server=server,
-)
-except SSLError as e:
-raise NetworkError(uri=server, error=str(e))
-except ProtocolError as e:
-# By catching a 401 here we can detect the case where we have
-# a single IPA server and the session is invalid. Otherwise
-# we always have to do a ping().
-session_cookie = getattr(context, 'session_cookie', None)
-if session_cookie and e.errcode == 401:
-# Unauthorized. Remove the session and try again.
-delattr(context, 'session_cookie')
-try:
-principal = getattr(context, 'principal', None)
-delete_persistent_client_session_data(principal)
-except Exception as e:
-# This shouldn't happen if we have a session but it isn't fatal.
-pass
 
-# Create a new serverproxy with the non-session URI
-serverproxy = self.create_connection(os.environ.get('KRB5CCNAME'), self.env.verbose, self.env.fallback, self.env.delegate)
-setattr(context, self.id, Connection(serverproxy, self.disconnect))
-return self.forward(name, *args, **kw)
-raise NetworkError(uri=server, error=e.errmsg)
-except socket.error as e:
-raise NetworkError(uri=server, error=str(e))
-except (OverflowError, TypeError) as e:
-raise XMLRPCMarshallError(error=str(e))
+# we'll be trying to connect multiple times with a new session cookie
+# each time should we be getting UNAUTHORIZED error from the server
+max_tries = 5
+for try_num in range(0, max_tries):
+self.log.info("[try %d]: Forwarding '%s' to %s server '%s'",
+  try_num+1, name, self.protocol, server)
+try:
+return self._call_command(command, params)
+except Fault as e:
+e = decode_fault(e)
+self.debug('Caught fault %d from server %s: %s', e.faultCode,
+   server, e.faultString)
+if e.faultCode in errors_by_code:
+error = errors_by_code[e.faultCode]
+raise error(message=e.faultString)
+raise UnknownError(
+code=e.faultCode,
+error=e.faultString,
+server=server,
+)
+except ProtocolError as e:
+# By catching a 401 here we can detect the case where we have
+# a single IPA server and the session is invalid. Otherwise
+# we always have to do a ping().
+session_cookie = getattr(context, 'session_cookie', None)
+if session_cookie and e.errcode == 401:
+# Unauthorized. Remove the session and try again.
+delattr(context, 'session_cookie')
+try:
+principal = getattr(context, 'principal', None)
+delete_persistent_client_session_data(principal)
+
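Review bot: the replacement loop is cut off in this hunk, so two things need checking in the full patch: the removed `except SSLError`, `except socket.error` and `except (OverflowError, TypeError)` branches must reappear inside the new `try`, otherwise those errors now escape raw instead of as `NetworkError`/`XMLRPCMarshallError`; and after `max_tries` consecutive 401s the loop must end by raising (the old `raise NetworkError(uri=server, error=e.errmsg)` path), not by falling off the end and returning `None`. Style: `range(0, max_tries)` is just `range(max_tries)`.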

[Freeipa-devel] [freeipa PR#837][synchronized] ca-add: fix permission issue

2017-06-01 Thread frasertweedale via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/837
Author: frasertweedale
 Title: #837: ca-add: fix permission issue
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/837/head:pr837
git checkout pr837
From fcd9cb1d3af70e9553e7dfbcb20df93809064cc5 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Thu, 1 Jun 2017 13:12:53 +1000
Subject: [PATCH] ca-add: fix permission issue

The ca-add command pre_callback uses ldap.can_add() to check whether
the user has permission to add CAs.  Alas, the GetEffectiveRights
control used by ldap.can_add() doesn't correctly interpret ACIs with
'targetfilter' constraints, and returns a false-negative for
non-admin users, even when they have the 'System: Add CA'
permission.

To work around this, add the CA object to FreeIPA before attempting
to create the CA in Dogtag.  If the CA creation in Dogtag succeeds,
the user then updates the FreeIPA object with the Authority ID and
other authoritative data returned by Dogtag.  If the CA creation in
Dogtag fails, the user cleans up by deleting the newly-created CA
object from FreeIPA.

This modified procedure ensures that the user certainly has the
'System: Add CA' permission before the CA creation in Dogtag is
attempted.  But it also means that the user must have 'write' and
'delete' permission on 'ipaca' objects in FreeIPA, so that it can
complete the object after CA creation in Dogtag, or clean up if that
step fails.  Therefore, update the 'System: Add CA' permission to
confer 'write' and 'delete' access on 'ipaca' objects, as well as
'add' access.

Fixes: https://pagure.io/freeipa/issue/6609
---
 ACI.txt |  2 +-
 ipaserver/plugins/ca.py | 46 ++
 2 files changed, 31 insertions(+), 17 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index 185812a881..1e30dba9cc 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -23,7 +23,7 @@ aci: (targetattr = "automountmapname || description")(targetfilter = "(objectcla
 dn: cn=automount,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Remove Automount Maps";allow (delete) groupdn = "ldap:///cn=System: Remove Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=cas,cn=ca,dc=ipa,dc=example
-aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Add CA";allow (add) groupdn = "ldap:///cn=System: Add CA,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Add CA";allow (add,delete,write) groupdn = "ldap:///cn=System: Add CA,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=cas,cn=ca,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Delete CA";allow (delete) groupdn = "ldap:///cn=System: Delete CA,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=cas,cn=ca,dc=ipa,dc=example
diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
index 8db6ec549f..0a5f75c096 100644
--- a/ipaserver/plugins/ca.py
+++ b/ipaserver/plugins/ca.py
@@ -15,6 +15,7 @@
 LDAPUpdate, LDAPRetrieve, LDAPQuery, pkey_to_value)
 from ipaserver.plugins.cert import ca_enabled_check
 from ipalib import _, ngettext, x509
+from ipapython.dn import DN
 
 
 __doc__ = _("""
@@ -135,7 +136,7 @@ class ca(LDAPObject):
 },
 },
 'System: Add CA': {
-'ipapermright': {'add'},
+'ipapermright': {'add', 'delete', 'write'},
 'replaces': [
 '(target = "ldap:///cn=*,cn=cas,cn=ca,$SUFFIX;)(version 3.0;acl "permission:Add CA";allow (add) groupdn = "ldap:///cn=Add CA,cn=permissions,cn=pbac,$SUFFIX";)',
 ],
@@ -234,11 +235,6 @@ class ca_add(LDAPCreate):
 )
 
 def pre_callback(self, ldap, dn, entry, entry_attrs, *keys, **options):
-ca_enabled_check(self.api)
-if not ldap.can_add(dn[1:]):
-raise errors.ACIError(
-info=_("Insufficient 'add' privilege for entry '%s'.") % dn)
-
 # check that DN only includes standard naming attributes
 dn_attrs = {
 ava.attr.lower()
@@ -271,19 +267,37 @@ def pre_callback(self, ldap, dn, entry, entry_attrs, *keys, **options):
 "Subject DN is already used by CA '%s'"
 ) % result['result'][0]['cn'][0])
 
-# Create the CA in Dogtag.
-with self.api.Backend.ra_lightweight_ca as ca_api:
-resp = ca_api.create_ca(options['ipacasubjectdn'])
-entry['ipacaid'] = [resp['id']]
-entry['ipacaissuerdn'] = [resp['issuerDN']]
-
-# In the event that the issued certificate's subject DN
-# differs from what was requested, record the actual DN.
-#
-entry['ipacasubjectdn'] = [resp['dn']]
+# Use dummy values for the unknown MUST attributes;
+# we will update them later.
+
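Review bot: filling the MUST attributes with dummy values means the ipaca entry is visible (to ca-find, for instance) with a bogus ipacaid between the LDAP add and the later update; if the process dies in that window, or the cleanup delete itself fails, a half-created entry remains. Use a clearly recognisable placeholder, and have the failure path log the Dogtag error before attempting the delete so the original cause isn't masked by a second exception.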

[Freeipa-devel] [freeipa PR#838][opened] Explicitly ask for py2 dependencies in py2 packages

2017-06-01 Thread MartinBasti via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/838
Author: MartinBasti
 Title: #838: Explicitly ask for py2 dependencies in py2 packages
Action: opened

PR body:
"""
In the future, default package names can start pointing to py3 instead of
py2. We have to explicitly ask for python2-* and python3-* packages.

This commit changes only dependencies that are available in both F25 and
F26.

https://pagure.io/freeipa/issue/4985
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/838/head:pr838
git checkout pr838
From 61ec8905cadecf8cd69ea63829bca1f5ad756e6a Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Thu, 1 Jun 2017 10:45:08 +0200
Subject: [PATCH] Explicitly ask for py2 dependencies in py2 packages

In the future, default package names can start pointing to py3 instead of
py2. We have to explicitly ask for python2-* and python3-* packages.

This commit changes only dependencies that are available in both F25 and
F26.

https://pagure.io/freeipa/issue/4985
---
 freeipa.spec.in | 74 -
 1 file changed, 37 insertions(+), 37 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 1446dfbb7c..e6a5e6be8c 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -139,12 +139,12 @@ BuildRequires:  python-lesscpy
 #
 BuildRequires:  python-ldap
 BuildRequires:  python-netaddr
-BuildRequires:  python-pyasn1
-BuildRequires:  python-pyasn1-modules
-BuildRequires:  python-dns
+BuildRequires:  python2-pyasn1
+BuildRequires:  python2-pyasn1-modules
+BuildRequires:  python2-dns
 BuildRequires:  python-six
-BuildRequires:  python-libsss_nss_idmap
-BuildRequires:  python-cffi
+BuildRequires:  python2-libsss_nss_idmap
+BuildRequires:  python2-cffi
 
 #
 # Build dependencies for wheel packaging and PyPI upload
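Review bot: `BuildRequires:  python2-dns` added here duplicates the versioned `BuildRequires:  python2-dns >= 1.15` further down the same section; keep only the versioned one. `python-ldap`, `python-netaddr` and `python-six` keep their unversioned names, which the PR body attributes to F25 availability; a one-line comment next to them would save the next reader from "fixing" them.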
@@ -152,7 +152,7 @@ BuildRequires:  python-cffi
 %if 0%{?with_wheels}
 BuildRequires:  dbus-glib-devel
 BuildRequires:  libffi-devel
-BuildRequires:  python-tox
+BuildRequires:  python2-tox
 BuildRequires:  python2-twine
 BuildRequires:  python2-wheel
 %if 0%{?with_python3}
@@ -177,14 +177,14 @@ BuildRequires:  pylint >= 1.6
 %endif
 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
 BuildRequires:  python2-polib
-BuildRequires:  python-libipa_hbac
-BuildRequires:  python-lxml
+BuildRequires:  python2-libipa_hbac
+BuildRequires:  python2-lxml
 # 5.0.0: QRCode.print_ascii
 BuildRequires:  python-qrcode-core >= 5.0.0
 # 1.15: python-dns changed return type in to_text() method in PY3
-BuildRequires:  python-dns >= 1.15
+BuildRequires:  python2-dns >= 1.15
 BuildRequires:  jsl
-BuildRequires:  python-yubico
+BuildRequires:  python2-yubico
 # pki Python package
 BuildRequires:  pki-base-python2
 BuildRequires:  python-pytest-multihost
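Review bot: after this hunk the spec carries two BuildRequires on the same package, `python2-dns` (unversioned, converted in the first hunk) and `python2-dns >= 1.15` here. The unversioned line is redundant, and the only version rationale (`# 1.15: python-dns changed return type in to_text() method in PY3`) sits on this one, so whoever later removes the "duplicate" may drop the wrong entry and lose the minimum version. Suggest deleting the unversioned `python2-dns` entry in the first hunk, or moving it next to this line.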
@@ -193,17 +193,17 @@ BuildRequires:  python-jwcrypto
 # 0.3: sd_notify (https://pagure.io/freeipa/issue/5825)
 BuildRequires:  python2-custodia >= 0.3.1
 BuildRequires:  dbus-python
-BuildRequires:  python-dateutil
+BuildRequires:  python2-dateutil
 BuildRequires:  python-enum34
 BuildRequires:  python-netifaces
-BuildRequires:  python-sss
-BuildRequires:  python-sss-murmur
-BuildRequires:  python-sssdconfig
-BuildRequires:  python-nose
-BuildRequires:  python-paste
+BuildRequires:  python2-sss
+BuildRequires:  python2-sss-murmur
+BuildRequires:  python2-sssdconfig
+BuildRequires:  python2-nose
+BuildRequires:  python2-paste
 BuildRequires:  systemd-python
 BuildRequires:  python2-jinja2
-BuildRequires:  python-augeas
+BuildRequires:  python2-augeas
 
 %if 0%{?with_python3}
 # FIXME: this depedency is missing - server will not work
@@ -360,16 +360,16 @@ Requires: %{name}-common = %{version}-%{release}
 Requires: python2-ipaclient = %{version}-%{release}
 Requires: python2-custodia >= 0.3.1
 Requires: python-ldap >= 2.4.15
-Requires: python-lxml
+Requires: python2-lxml
 Requires: python-gssapi >= 1.2.0
-Requires: python-sssdconfig
-Requires: python-pyasn1
+Requires: python2-sssdconfig
+Requires: python2-pyasn1
 Requires: dbus-python
-Requires: python-dns >= 1.15
+Requires: python2-dns >= 1.15
 Requires: python-kdcproxy >= 0.3
 Requires: rpm-libs
 Requires: pki-base-python2
-Requires: python-augeas
+Requires: python2-augeas
 
 %description -n python2-ipaserver
 IPA is an integrated solution to provide centrally managed Identity (users,
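Review bot: the runtime `Requires` of python2-ipaserver still carry `python-ldap >= 2.4.15`, `python-gssapi >= 1.2.0` and `python-kdcproxy >= 0.3` under bare names, and runtime dependencies are where the problem from the commit message bites hardest: a `python-gssapi` that resolves to the py3 build lets python2-ipaserver install cleanly and then fail on `import gssapi` when the service starts, rather than at build time. If these three are waiting on python2-* names on F25, say so in a comment here as well, and convert them before the bare names flip.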
@@ -552,7 +552,7 @@ BuildArch: noarch
 Requires: %{name}-client-common = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 Requires: python2-ipalib = %{version}-%{release}
-Requires: python-dns >= 1.15
+Requires: python2-dns >= 1.15
 Requires: python2-jinja2
 
 %description -n python2-ipaclient
@@ -658,21 +658,21 @@ Requires: pyOpenSSL
 Requires: python >= 2.7.9
 Requires: python2-cryptography >= 1.6
 Requires: python-netaddr >= %{python_netaddr_version}
-Requires: python-libipa_hbac
+Requires: python2-libipa_hbac
 Requires: python-qrcode-core >= 5.0.0
-Requires: python-pyasn1

[Freeipa-devel] [freeipa PR#818][synchronized] Avoid possible endless recursion in RPC call from client

2017-06-01 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/818
Author: stlaz
 Title: #818: Avoid possible endless recursion in RPC call from client
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/818/head:pr818
git checkout pr818
From 8b2824c01cf74e43a61ebe4d62332dba344c5dc8 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 26 May 2017 08:37:36 +0200
Subject: [PATCH 1/3] Avoid possible endless recursion in RPC call

This commit removes recursion in RPCClient.forward() which may lack
an end condition.

https://pagure.io/freeipa/issue/6796
---
 ipalib/rpc.py | 95 +--
 1 file changed, 54 insertions(+), 41 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index e23ca3d061..297ed80414 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -1088,50 +1088,63 @@ def forward(self, name, *args, **kw):
 :param kw: Keyword arguments to pass to remote command.
 """
 server = getattr(context, 'request_url', None)
-self.log.info("Forwarding '%s' to %s server '%s'",
-  name, self.protocol, server)
 command = getattr(self.conn, name)
 params = [args, kw]
-try:
-return self._call_command(command, params)
-except Fault as e:
-e = decode_fault(e)
-self.debug('Caught fault %d from server %s: %s', e.faultCode,
-server, e.faultString)
-if e.faultCode in errors_by_code:
-error = errors_by_code[e.faultCode]
-raise error(message=e.faultString)
-raise UnknownError(
-code=e.faultCode,
-error=e.faultString,
-server=server,
-)
-except SSLError as e:
-raise NetworkError(uri=server, error=str(e))
-except ProtocolError as e:
-# By catching a 401 here we can detect the case where we have
-# a single IPA server and the session is invalid. Otherwise
-# we always have to do a ping().
-session_cookie = getattr(context, 'session_cookie', None)
-if session_cookie and e.errcode == 401:
-# Unauthorized. Remove the session and try again.
-delattr(context, 'session_cookie')
-try:
-principal = getattr(context, 'principal', None)
-delete_persistent_client_session_data(principal)
-except Exception as e:
-# This shouldn't happen if we have a session but it isn't fatal.
-pass
 
-# Create a new serverproxy with the non-session URI
-serverproxy = self.create_connection(os.environ.get('KRB5CCNAME'), self.env.verbose, self.env.fallback, self.env.delegate)
-setattr(context, self.id, Connection(serverproxy, self.disconnect))
-return self.forward(name, *args, **kw)
-raise NetworkError(uri=server, error=e.errmsg)
-except socket.error as e:
-raise NetworkError(uri=server, error=str(e))
-except (OverflowError, TypeError) as e:
-raise XMLRPCMarshallError(error=str(e))
+# we'll be trying to connect multiple times with a new session cookie
+# each time should we be getting UNAUTHORIZED error from the server
+max_tries = 5
+for try_num in range(0, max_tries):
+self.log.info("[try %d]: Forwarding '%s' to %s server '%s'",
+  try_num+1, name, self.protocol, server)
+try:
+return self._call_command(command, params)
+except Fault as e:
+e = decode_fault(e)
+self.debug('Caught fault %d from server %s: %s', e.faultCode,
+   server, e.faultString)
+if e.faultCode in errors_by_code:
+error = errors_by_code[e.faultCode]
+raise error(message=e.faultString)
+raise UnknownError(
+code=e.faultCode,
+error=e.faultString,
+server=server,
+)
+except ProtocolError as e:
+# By catching a 401 here we can detect the case where we have
+# a single IPA server and the session is invalid. Otherwise
+# we always have to do a ping().
+session_cookie = getattr(context, 'session_cookie', None)
+if session_cookie and e.errcode == 401:
+# Unauthorized. Remove the session and try again.
+delattr(context, 'session_cookie')
+try:
+principal = getattr(context, 'principal', None)
+delete_persistent_client_session_data(principal)
+
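Review bot: two things in the retry loop need checking against the part of the hunk that is cut off here. First, `except SSLError as e: raise NetworkError(uri=server, error=str(e))` is removed and has no replacement among the visible `+` lines; on Python 2 `ssl.SSLError` is a subclass of `socket.error`, so if the `except socket.error` branch survives an SSL failure still becomes a NetworkError, but that reliance belongs in the commit message rather than being left implicit. Second, the retry condition is `if session_cookie and e.errcode == 401:` and the branch runs `delattr(context, 'session_cookie')` before the next iteration, so unless the replacement connection repopulates `context.session_cookie`, a second 401 no longer satisfies the condition and the loop effectively retries once, which makes `max_tries = 5` misleading; either document where the cookie is restored or set the bound to what the code actually does. Also make sure the code after the loop raises explicitly when all tries are exhausted, since falling out of the `for` returns None to the caller, and `range(0, max_tries)` can simply be `range(max_tries)`.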

[Freeipa-devel] [freeipa PR#803][comment] ipatests: add systemd journal collection for multihost tests

2017-06-01 Thread tomaskrizek via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/803
Title: #803: ipatests: add systemd journal collection for multihost tests

tomaskrizek commented:
"""
@MartinBasti Done.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/803#issuecomment-305421773
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#803][synchronized] ipatests: add systemd journal collection for multihost tests

2017-06-01 Thread tomaskrizek via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/803
Author: tomaskrizek
 Title: #803: ipatests: add systemd journal collection for multihost tests
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/803/head:pr803
git checkout pr803
From ee6195889ea60f36d1f8fc14925fd04e8053fa57 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 22 May 2017 18:27:44 +0200
Subject: [PATCH 1/2] ipatests: change logdir naming pattern for multihost
 tests

Remove brackets from the paths in naming pattern of directories
for multihost logs. Brackets in filenames require special handling
in markdown URLs, bash paths etc.

Related: https://pagure.io/freeipa/issue/6971

Signed-off-by: Tomas Krizek 
---
 ipatests/pytest_plugins/integration/__init__.py | 11 ++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/ipatests/pytest_plugins/integration/__init__.py b/ipatests/pytest_plugins/integration/__init__.py
index f1d8a0b91d..d126b413ae 100644
--- a/ipatests/pytest_plugins/integration/__init__.py
+++ b/ipatests/pytest_plugins/integration/__init__.py
@@ -24,6 +24,7 @@
 import os
 import tempfile
 import shutil
+import re
 
 import pytest
 from pytest_multihost import make_multihost_fixture
@@ -46,6 +47,14 @@ def pytest_addoption(parser):
 help="Directory to store integration test logs in.")
 
 
+def _get_logname_from_node(node):
+name = node.nodeid
+name = re.sub('\(\)/', '', name)  # remove ()/
+name = re.sub('[()]', '', name)   # and standalone brackets
+name = re.sub('(/|::)', '-', name)
+return name
+
+
 def collect_test_logs(node, logs_dict, test_config):
 """Collect logs from a test
 
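Review bot: the patterns in `_get_logname_from_node` are non-raw strings, and `'\(\)/'` contains `\(`, an invalid escape sequence that Python 3.6+ reports as a DeprecationWarning; write them as `r'\(\)/'`, `r'[()]'` and `r'/|::'`. The function also deserves a docstring like its neighbours, and it should state the contract the rest of the plugin relies on: after `/` and `::` are replaced by `-`, the node id is a single path component, so the directory that `collect_logs` derives from a test name cannot contain path separators. Making that explicit keeps a later "strip fewer characters" change from reintroducing nested or unexpected paths under `logfile_dir`.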
@@ -56,7 +65,7 @@ def collect_test_logs(node, logs_dict, test_config):
 :param test_config: Pytest configuration
 """
 collect_logs(
-name=node.nodeid.replace('/', '-').replace('::', '-'),
+name=_get_logname_from_node(node),
 logs_dict=logs_dict,
 logfile_dir=test_config.getoption('logfile_dir'),
 beakerlib_plugin=test_config.pluginmanager.getplugin('BeakerLibPlugin'),

From e7421125b6cb96952fb0badb04d42bfe966b05c5 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 22 May 2017 18:33:49 +0200
Subject: [PATCH 2/2] ipatests: add systemd journal collection for multihost
 tests

Some messages are only logged in journal. Collection of journal
makes debugging failed tests from logs easier.

Fixes: https://pagure.io/freeipa/issue/6971

Signed-off-by: Tomas Krizek 
---
 ipatests/pytest_plugins/integration/__init__.py   | 32 +++
 ipatests/pytest_plugins/integration/config.py |  2 ++
 ipatests/pytest_plugins/integration/env_config.py |  2 ++
 ipatests/test_integration/test_testconfig.py  |  4 ++-
 4 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/ipatests/pytest_plugins/integration/__init__.py b/ipatests/pytest_plugins/integration/__init__.py
index d126b413ae..20e60e9192 100644
--- a/ipatests/pytest_plugins/integration/__init__.py
+++ b/ipatests/pytest_plugins/integration/__init__.py
@@ -72,6 +72,36 @@ def collect_test_logs(node, logs_dict, test_config):
 )
 
 
+def collect_systemd_journal(node, hosts, test_config):
+"""Collect systemd journal from remote hosts
+
+:param node: The pytest collection node (request.node)
+:param hosts: List of hosts from which to collect journal
+:param test_config: Pytest configuration
+"""
+name = _get_logname_from_node(node)
+logfile_dir = test_config.getoption('logfile_dir')
+
+for host in hosts:
+log.info("Collecting journal from: %s", host.hostname)
+
+topdirname = os.path.join(logfile_dir, name, host.hostname)
+if not os.path.exists(topdirname):
+os.makedirs(topdirname)
+
+# Get journal content
+cmd = host.run_command(
+['journalctl', '--since', host.config.log_journal_since],
+log_stdout=False, raiseonerr=False)
+if cmd.returncode:
+log.error('An error occurred while collecting journal')
+continue
+
+# Write journal to file
+with open(os.path.join(topdirname, "journal"), 'w') as f:
+f.write(cmd.stdout_text)
+
+
 def collect_logs(name, logs_dict, logfile_dir=None, beakerlib_plugin=None):
 """Collect logs from remote hosts
 
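Review bot: when `journalctl` fails, `log.error('An error occurred while collecting journal')` drops everything useful; include `host.hostname`, `cmd.returncode` and `cmd.stderr_text` in the message, since that is the only trace a reader of the test log gets (stdout is deliberately not logged via `log_stdout=False`). Two smaller points: `host.config.log_journal_since` is passed straight to `--since` and is defined in the config.py hunk that is not shown here, so a reviewer of this hunk cannot see what values reach journalctl; and the file written to `os.path.join(topdirname, "journal")` is the host's full journal since that point, not only the test's own output, so `logfile_dir` should be treated as potentially containing credentials or other sensitive host state whenever test artifacts are shared.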
@@ -158,7 +188,9 @@ def integration_logs(class_integration_logs, request):
 """Provides access to test integration logs, and collects after each test
 """
 yield class_integration_logs
+hosts = class_integration_logs.keys()
 collect_test_logs(request.node, class_integration_logs, request.config)
+collect_systemd_journal(request.node, hosts, request.config)
 
 
 @yield_fixture(scope='class')
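Review bot: `hosts = class_integration_logs.keys()` is taken before `collect_test_logs(...)` runs; on Python 3 `keys()` is a live view, so any mutation of the dict inside `collect_test_logs` changes which hosts the journal is collected from, while on Python 2 it is a list copy, so the two interpreters behave differently. `hosts = list(class_integration_logs.keys())` removes the ambiguity. Consider also collecting the journal even when `collect_test_logs` raises (a `try/finally`, or gathering the journal first), since for a failing host the journal is the more useful artifact.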
diff --git a/ipatests/pytest_plugins/integration/config.py 

[Freeipa-devel] [freeipa PR#827][comment] pylint: explicitly depends on python2-pylint

2017-06-01 Thread MartinBasti via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/827
Title: #827: pylint: explicitly depends on python2-pylint

MartinBasti commented:
"""
master:

* be1415b6cc8f5dadc1ac3766305a33f370fdf9bb pylint: explicitly depends on python2-pylint


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/827#issuecomment-305417588


[Freeipa-devel] [freeipa PR#827][closed] pylint: explicitly depends on python2-pylint

2017-06-01 Thread MartinBasti via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/827
Author: MartinBasti
 Title: #827: pylint: explicitly depends on python2-pylint
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/827/head:pr827
git checkout pr827


[Freeipa-devel] [freeipa PR#827][+pushed] pylint: explicitly depends on python2-pylint

2017-06-01 Thread MartinBasti via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/827
Title: #827: pylint: explicitly depends on python2-pylint

Label: +pushed


[Freeipa-devel] [freeipa PR#827][+ack] pylint: explicitly depends on python2-pylint

2017-06-01 Thread stlaz via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/827
Title: #827: pylint: explicitly depends on python2-pylint

Label: +ack


[Freeipa-devel] [freeipa PR#834][closed] [4.4] NSSNickname enclosed in single quotes causes ipa-server-certinstall failure

2017-06-01 Thread MartinBasti via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/834
Author: tomaskrizek
 Title: #834: [4.4] NSSNickname enclosed in single quotes causes ipa-server-certinstall failure
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/834/head:pr834
git checkout pr834


[Freeipa-devel] [freeipa PR#834][comment] [4.4] NSSNickname enclosed in single quotes causes ipa-server-certinstall failure

2017-06-01 Thread MartinBasti via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/834
Title: #834: [4.4] NSSNickname enclosed in single quotes causes ipa-server-certinstall failure

MartinBasti commented:
"""
ipa-4-4:

* e4363c5c26982f9126e7df16ba7a1a060cdb8721 Fix the installutils.set_directive docstring
* e40f9a5183fc3ebe160ea6b6ae4fb5c3190c1462 installutils: improve directive value parsing in `get_directive`
* 67c8f5fd4e50283e7680e7ded142e3234c7ab5f1 Delegate directive value quoting/unquoting to separate functions
* 60a05de4122a26f3a9d148b8c014668d296229fc Explicitly handle quoting/unquoting of NSSNickname directive


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/834#issuecomment-305416276


[Freeipa-devel] [freeipa PR#834][+pushed] [4.4] NSSNickname enclosed in single quotes causes ipa-server-certinstall failure

2017-06-01 Thread MartinBasti via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/834
Title: #834: [4.4] NSSNickname enclosed in single quotes causes ipa-server-certinstall failure

Label: +pushed


[Freeipa-devel] [freeipa PR#818][comment] Avoid possible endless recursion in RPC call from client

2017-06-01 Thread stlaz via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/818
Title: #818: Avoid possible endless recursion in RPC call from client

stlaz commented:
"""
Thanks for the good catch, @flo-renaud. While the recursion in the `forward()` 
method was quite easy to fix, it was not so in the `create_connection()`. I 
tried to do several improvements to the code on the way and I am submitting it 
to testing here.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/818#issuecomment-305412672


[Freeipa-devel] [freeipa PR#818][synchronized] Avoid possible endless recursion in RPC call from client

2017-06-01 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/818
Author: stlaz
 Title: #818: Avoid possible endless recursion in RPC call from client
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/818/head:pr818
git checkout pr818

[Freeipa-devel] [freeipa PR#824][+pushed] ca-add: validate Subject DN name attributes

2017-06-01 Thread MartinBasti via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/824
Title: #824: ca-add: validate Subject DN name attributes

Label: +pushed


[Freeipa-devel] [freeipa PR#824][comment] ca-add: validate Subject DN name attributes

2017-06-01 Thread MartinBasti via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/824
Title: #824: ca-add: validate Subject DN name attributes

MartinBasti commented:
"""
master:

* 5f0e13ce9c3d1ead02de61a148de973fc6787b96 ca-add: validate Subject DN name attributes


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/824#issuecomment-305412301


[Freeipa-devel] [freeipa PR#824][closed] ca-add: validate Subject DN name attributes

2017-06-01 Thread MartinBasti via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/824
Author: frasertweedale
 Title: #824: ca-add: validate Subject DN name attributes
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/824/head:pr824
git checkout pr824


[Freeipa-devel] [freeipa PR#818][synchronized] Avoid possible endless recursion in RPC call from client

2017-06-01 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/818
Author: stlaz
 Title: #818: Avoid possible endless recursion in RPC call from client
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/818/head:pr818
git checkout pr818

[Freeipa-devel] [freeipa PR#460][closed] ipa-server-install, ipa-server-upgrade fixes

2017-06-01 Thread MartinBasti via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/460
Author: MartinBasti
 Title: #460: ipa-server-install, ipa-server-upgrade fixes
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/460/head:pr460
git checkout pr460


[Freeipa-devel] [freeipa PR#460][comment] ipa-server-install, ipa-server-upgrade fixes

2017-06-01 Thread MartinBasti via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/460
Title: #460: ipa-server-install, ipa-server-upgrade fixes

MartinBasti commented:
"""
master:

* 2e63ec42d0f879f2d129c4f81f88a1712ce86b8c py3: use ConfigParser instead of SafeConfigParser
* 6e7071d6add24e8923d705d35a362761f356d56d py3: ConfigParser: replace deprecated readfd with read
* 27f8f9f03d69276f9ee410169b76574da2461794 py3: ipaldap: encode Boolean as bytes
* d7a9e81fbd7a33941a8c5ae9f29252522944 py3: softhsm key_id must be bytes
* bc9addac30d69d88f5040e194be1e32a881cfba9 py3: LDAP updates: use only bytes/raw values
* d89de4219d0e8ee33e81d6b6d1bc6c22ac9ffbaa py3: schemaupdate: fix BytesWarning
* b09a941f34507cfce682d8c5a3acf6dfe7fa624e py3: cainstance: fix BytesWarning
* c6a57d8091aeefb6067711189ee0ce11411dee57 py3: urlfetch: use "file://" prefix with filenames
* 99771ceb9ffcf21d0364bf57994716322b24551e py3: update_mod_nss_cipher_suite: ordering doesn't work with None


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/460#issuecomment-305411368


[Freeipa-devel] [freeipa PR#824][+ack] ca-add: validate Subject DN name attributes

2017-06-01 Thread stlaz via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/824
Title: #824: ca-add: validate Subject DN name attributes

Label: +ack