[Freeipa-devel] [freeipa PR#812][+ack] Refactoring cert-find to use API call directly instead of using
URL: https://github.com/freeipa/freeipa/pull/812
Title: #812: Refactoring cert-find to use API call directly instead of using
Label: +ack

___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#843][opened] [WIP] Fixing test_installation.py tests
URL: https://github.com/freeipa/freeipa/pull/843
Author: felipevolpone
Title: #843: [WIP] Fixing test_installation.py tests
Action: opened

PR body:
"""
I've been working on the test_installation.py suite and figured out how to solve some of them.

TestInstallWithCA1 has 9 tests failing; 6 of them can be fixed by adding

```bash
ipa-ca.$DOMAIN
```

into the master `/etc/hosts`. After that, three of them are still failing. The log: https://paste.fedoraproject.org/paste/7n3CMEH5nhiHu~Vai8cObV5M1UNdIGYhyRLivL9gydE=. They are:

* test_replica1_with_ca_install
* test_replica2_with_ca_kra_install
* test_replica1_ipa_kra_install

I've moved the tests

* test_replica2_with_ca_kra_install
* test_replica1_ipa_kra_install

to a new class (TestInstallWithCA1_KRA1) and created a new install method, which uses the `setup_kra=True` option of the install_master method. The tests are still failing, but for another reason; the logs: https://paste.fedoraproject.org/paste/ytzzIUDhh5ARcunpSfSubV5M1UNdIGYhyRLivL9gydE=
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/843/head:pr843
git checkout pr843

From d38d090333e6c3e53a2e9c2545e61f26e1d35a11 Mon Sep 17 00:00:00 2001
From: Felipe Volpone
Date: Thu, 1 Jun 2017 23:09:25 -0300
Subject: [PATCH] Fixing broken tests in test_installation.py

---
 ipatests/test_integration/test_installation.py | 21 +
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py index f3e9ebac1c..d304543cf9 100644 --- a/ipatests/test_integration/test_installation.py +++ b/ipatests/test_integration/test_installation.py @@ -110,7 +110,6 @@ def test_replica1_all_components_adtrust(self): ## # Master X Replicas installation tests ## - class TestInstallWithCA1(InstallTestBase1): @classmethod
@@ -119,18 +118,24 @@ def install(cls, mh): @pytest.mark.skipif(config.domain_level == DOMAIN_LEVEL_0, reason='does not work on DOMAIN_LEVEL_0 by design') -def test_replica1_ipa_kra_install(self): -super(TestInstallWithCA1, self).test_replica1_ipa_kra_install() +def test_replica2_ipa_dns_install(self): +super(TestInstallWithCA1, self).test_replica2_ipa_dns_install() + + +class TestInstallWithCA1_KRA1(InstallTestBase1): + +@classmethod +def install(cls, mh): +tasks.install_master(cls.master, setup_dns=False, setup_kra=True) @pytest.mark.skipif(config.domain_level == DOMAIN_LEVEL_0, reason='does not work on DOMAIN_LEVEL_0 by design') def test_replica2_with_ca_kra_install(self): -super(TestInstallWithCA1, self).test_replica2_with_ca_kra_install() +super(TestInstallWithCA1_KRA1, + self).test_replica2_with_ca_kra_install() -@pytest.mark.skipif(config.domain_level == DOMAIN_LEVEL_0, -reason='does not work on DOMAIN_LEVEL_0 by design') -def test_replica2_ipa_dns_install(self): -super(TestInstallWithCA1, self).test_replica2_ipa_dns_install() +def test_replica1_ipa_kra_install(self): +super(TestInstallWithCA1_KRA1, self).test_replica1_ipa_kra_install() class TestInstallWithCA2(InstallTestBase2):
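Review bot: the first hunk (`@@ -110,7 +110,6 @@`) only deletes the blank line between the `# Master X Replicas installation tests` comment block and `class TestInstallWithCA1`; that is an unrelated whitespace change in a patch that is about moving tests, so either drop it or mention why the spacing is being changed.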
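Review bot: in the second hunk the moved `test_replica1_ipa_kra_install` in `TestInstallWithCA1_KRA1` has lost the `@pytest.mark.skipif(config.domain_level == DOMAIN_LEVEL_0, ...)` decorator that it carries in `TestInstallWithCA1` (the decorator was kept only for `test_replica2_with_ca_kra_install`), so it will now be collected at domain level 0, where the reason string says it does not work by design; re-add the decorator. The new class also defines `test_replica2_with_ca_kra_install` before `test_replica1_ipa_kra_install`, the reverse of their order in the original class; since these integration tests build on each other's replica state, confirm the order is intended or swap them.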
[Freeipa-devel] [freeipa PR#837][synchronized] ca-add: fix permission issue
URL: https://github.com/freeipa/freeipa/pull/837
Author: frasertweedale
Title: #837: ca-add: fix permission issue
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/837/head:pr837
git checkout pr837

From 3e136705b46f037892e9284ebcbec342c28eb8be Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Thu, 1 Jun 2017 13:12:53 +1000
Subject: [PATCH] ca-add: fix permission issue

The ca-add command pre_callback uses ldap.can_add() to check whether the user has permission to add CAs. Alas, the GetEffectiveRights control used by ldap.can_add() doesn't correctly interpret ACIs with 'targetfilter' constraints, and returns a false-negative for non-admin users, even when they have the 'System: Add CA' permission.

To work around this, add the CA object to FreeIPA before attempting to create the CA in Dogtag. If the CA creation in Dogtag succeeds, the user then updates the FreeIPA object with the Authority ID and other authoritative data returned by Dogtag. If the CA creation in Dogtag fails, the user cleans up by deleting the newly-created CA object from FreeIPA.

This modified procedure ensures that the user certainly has the 'System: Add CA' permission before the CA creation in Dogtag is attempted. But it also means that the user must have 'write' and 'delete' permission on 'ipaca' objects in FreeIPA, so that it can complete the object after CA creation in Dogtag, or clean up if that step fails. Therefore, update the 'System: Add CA' permission to confer 'write' and 'delete' access on 'ipaca' objects, as well as 'add' access.

The GetEffectiveRights problem is being tracked upstream as https://pagure.io/389-ds-base/issue/49278. When that ticket has been fixed, this workaround can and should be reverted.

Fixes: https://pagure.io/freeipa/issue/6609
---
 ACI.txt                 |  2 +-
 ipaserver/plugins/ca.py | 50 +
 2 files changed, 35 insertions(+), 17 deletions(-)
diff --git a/ACI.txt b/ACI.txt index 185812a881..1e30dba9cc 100644 --- a/ACI.txt +++ b/ACI.txt @@ -23,7 +23,7 @@ aci: (targetattr = "automountmapname || description")(targetfilter = "(objectcla dn: cn=automount,dc=ipa,dc=example aci: (targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Remove Automount Maps";allow (delete) groupdn = "ldap:///cn=System: Remove Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=cas,cn=ca,dc=ipa,dc=example -aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Add CA";allow (add) groupdn = "ldap:///cn=System: Add CA,cn=permissions,cn=pbac,dc=ipa,dc=example";) +aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Add CA";allow (add,delete,write) groupdn = "ldap:///cn=System: Add CA,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=cas,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Delete CA";allow (delete) groupdn = "ldap:///cn=System: Delete CA,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=cas,cn=ca,dc=ipa,dc=example diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py index 8db6ec549f..2a8bdfd2d9 100644 --- a/ipaserver/plugins/ca.py +++ b/ipaserver/plugins/ca.py @@ -15,6 +15,7 @@ LDAPUpdate, LDAPRetrieve, LDAPQuery, pkey_to_value) from ipaserver.plugins.cert import ca_enabled_check from ipalib import _, ngettext, x509 +from ipapython.dn import DN __doc__ = _(""" @@ -135,7 +136,7 @@ class ca(LDAPObject): }, }, 'System: Add CA': { -'ipapermright': {'add'}, +'ipapermright': {'add', 'delete', 'write'}, 'replaces': [ '(target = "ldap:///cn=*,cn=cas,cn=ca,$SUFFIX;)(version 3.0;acl "permission:Add CA";allow (add) groupdn = "ldap:///cn=Add CA,cn=permissions,cn=pbac,$SUFFIX";)', ], 
@@ -234,11 +235,6 @@ class ca_add(LDAPCreate): ) def pre_callback(self, ldap, dn, entry, entry_attrs, *keys, **options): -ca_enabled_check(self.api) -if not ldap.can_add(dn[1:]): -raise errors.ACIError( -info=_("Insufficient 'add' privilege for entry '%s'.") % dn) - # check that DN only includes standard naming attributes dn_attrs = { ava.attr.lower() @@ -271,19 +267,41 @@ def pre_callback(self, ldap, dn, entry, entry_attrs, *keys, **options): "Subject DN is already used by CA '%s'" ) % result['result'][0]['cn'][0]) -# Create the CA in Dogtag. -with self.api.Backend.ra_lightweight_ca as ca_api: -resp = ca_api.create_ca(options['ipacasubjectdn']) -entry['ipacaid'] = [resp['id']] -entry['ipacaissuerdn'] = [resp['issuerDN']] - -# In the event that the issued certificate's subject DN -# differs from what was requested, record the
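Review bot: the ACI.txt hunk changes 'System: Add CA' to `allow (add,delete,write)` with only a `targetfilter` and no `targetattr`, so a holder of that permission can now modify or delete any existing ipaca entry, not just the one being created. The workaround only needs write on the attributes the command fills in afterwards (`ipacaid`, `ipacaissuerdn`, `ipacasubjectdn`, per the removed lines in ca.py) and delete on the just-added entry; consider limiting the write right to those attributes (the managed permission's `ipapermdefaultattr` list maps to `targetattr`) and stating in the permission description that the extra rights exist only until the 389-ds-base issue named in the commit message is fixed.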
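Review bot: in the `@@ -234,11 +235,6 @@` hunk, `ca_enabled_check(self.api)` is removed together with the `ldap.can_add()` check, but only the latter is what the commit message works around; unless a later part of the patch (not shown here) reinstates it, `ca-add` will no longer fail cleanly on a server with no CA installed and will go on to add the LDAP entry and call Dogtag. Keep the `ca_enabled_check(self.api)` call at the top of `pre_callback`.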
[Freeipa-devel] [freeipa PR#837][comment] ca-add: fix permission issue
URL: https://github.com/freeipa/freeipa/pull/837
Title: #837: ca-add: fix permission issue

frasertweedale commented:
"""
On Thu, Jun 01, 2017 at 06:55:59AM -0700, Rob Crittenden wrote:
> Ok cool. I shouldn't have been so terse in my previous comment, what I should
> have added was "does it make sense to include a pointer to the bug as a hint
> so workaround can be removed some time in the future?"
>
> This PR is sort of a brute-force solution but given the infrequency it will
> be executed it seems perfectly reasonable.
>
Good idea; I'll add a link to the bug in the patch itself.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/837#issuecomment-305653601
[Freeipa-devel] [freeipa PR#842][edited] Changed ownership of ldiffile to DS_USER
URL: https://github.com/freeipa/freeipa/pull/842
Author: tscherf
Title: #842: Changed ownership of ldiffile to DS_USER
Action: edited
Changed field: body

Original value:
"""
Changes the ownership of the modified ldiffile created by ipa-restore to dirsrv.
"""
[Freeipa-devel] [freeipa PR#842][opened] Changed ownership of ldiffile to DS_USER
URL: https://github.com/freeipa/freeipa/pull/842
Author: tscherf
Title: #842: Changed ownership of ldiffile to DS_USER
Action: opened

PR body:
"""
Changes the ownership of the modified ldiffile created by ipa-restore to dirsrv.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/842/head:pr842
git checkout pr842

From a570d66b7ed64e5232df2534781268db6325c080 Mon Sep 17 00:00:00 2001
From: Thorsten Scherf
Date: Thu, 1 Jun 2017 22:02:57 +0200
Subject: [PATCH] Changed ownership of ldiffile to DS_USER

---
 ipaserver/install/ipa_restore.py | 4
 1 file changed, 4 insertions(+)

diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py index d85c4874d8..637d3f3f4a 100644 --- a/ipaserver/install/ipa_restore.py +++ b/ipaserver/install/ipa_restore.py @@ -545,6 +545,10 @@ def ldif2db(self, instance, backend, online=True): ldif_parser = RemoveRUVParser(in_file, ldif_writer, self.log) ldif_parser.parse() +# Make sure the modified ldiffile is owned by DS_USER +pent = pwd.getpwnam(constants.DS_USER) +os.chown(ldiffile, pent.pw_uid, pent.pw_gid) + if online: conn = self.get_connection() ent = conn.make_entry(
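Review bot: the added lines use `pwd.getpwnam` and `constants.DS_USER` but the hunk adds no imports; confirm that `pwd` and `constants` are already imported in ipa_restore.py, otherwise the first restore fails with NameError at this point. The change also fixes only ownership: the LDIF that RemoveRUVParser has just rewritten is the full directory database being restored, so set a restrictive mode (owner read/write only) alongside the `os.chown` rather than inheriting whatever mode the file was created with.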
[Freeipa-devel] [freeipa PR#823][comment] ipa-kdb: reload certificate mapping rules periodically
URL: https://github.com/freeipa/freeipa/pull/823
Title: #823: ipa-kdb: reload certificate mapping rules periodically

sumit-bose commented:
"""
@dkupka, the reload only happens while processing the PKINIT request, and only if the rules are older than 5 minutes. It is not a timed event which runs all the time every 5 minutes.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/823#issuecomment-305523652
[Freeipa-devel] [freeipa PR#823][comment] ipa-kdb: reload certificate mapping rules periodically
URL: https://github.com/freeipa/freeipa/pull/823
Title: #823: ipa-kdb: reload certificate mapping rules periodically

dkupka commented:
"""
@sumit-bose You're right, but then there's a ~6 hour gap where no reload happened. I would expect that there would be one attempt to reload every 5 minutes. Or do I understand it wrong?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/823#issuecomment-305518700
[Freeipa-devel] [freeipa PR#837][comment] ca-add: fix permission issue
URL: https://github.com/freeipa/freeipa/pull/837
Title: #837: ca-add: fix permission issue

rcritten commented:
"""
Ok cool. I shouldn't have been so terse in my previous comment, what I should have added was "does it make sense to include a pointer to the bug as a hint so workaround can be removed some time in the future?"

This PR is sort of a brute-force solution but given the infrequency it will be executed it seems perfectly reasonable.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/837#issuecomment-305500636
[Freeipa-devel] [freeipa PR#823][comment] ipa-kdb: reload certificate mapping rules periodically
URL: https://github.com/freeipa/freeipa/pull/823
Title: #823: ipa-kdb: reload certificate mapping rules periodically

sumit-bose commented:
"""
@dkupka, ah, this is a side effect of having multiple workers (3907-3912). The IPA context is not shared between the workers, so each will load the certificate mapping rules on its own. If I checked the reload times of the different workers correctly, none does it more often than once in 5 minutes.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/823#issuecomment-305487292
[Freeipa-devel] [freeipa PR#823][comment] ipa-kdb: reload certificate mapping rules periodically
URL: https://github.com/freeipa/freeipa/pull/823
Title: #823: ipa-kdb: reload certificate mapping rules periodically

dkupka commented:
"""
@sumit-bose Yes, I added a rule that should allow the user to kinit with a certificate. I tried and it worked. Then I modified the rule so it no longer matched the user and immediately pkinit failed. I see the message with each kinit, not in the interval:

```
$ sudo grep "Initializing IPA certauth plugin" /var/log/krb5kdc.log
Jun 01 08:44:45 vm-150.example.com krb5kdc[3908](info): Initializing IPA certauth plugin.
Jun 01 08:45:07 vm-150.example.com krb5kdc[3910](info): Initializing IPA certauth plugin.
Jun 01 08:52:54 vm-150.example.com krb5kdc[3907](info): Initializing IPA certauth plugin.
Jun 01 08:52:57 vm-150.example.com krb5kdc[3911](info): Initializing IPA certauth plugin.
Jun 01 08:53:22 vm-150.example.com krb5kdc[3908](info): Initializing IPA certauth plugin.
Jun 01 08:56:50 vm-150.example.com krb5kdc[3909](info): Initializing IPA certauth plugin.
Jun 01 09:02:14 vm-150.example.com krb5kdc[3912](info): Initializing IPA certauth plugin.
Jun 01 09:02:33 vm-150.example.com krb5kdc[3907](info): Initializing IPA certauth plugin.
Jun 01 14:55:21 vm-150.example.com krb5kdc[3908](info): Initializing IPA certauth plugin.
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/823#issuecomment-305485079
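The PR#823 thread above describes a reload that is request-driven and per worker: a KDC worker reloads the certificate mapping rules only while it is handling a PKINIT request and only if its own copy is older than five minutes, and nothing runs in between. The simulation below is an added example, not ipa-kdb code and not from the PR; it models that behaviour with a fake loader and a constructed request timeline so that both of dkupka's observations (several "Initializing" lines within a minute, then a six-hour gap) fall out of the model. `RELOAD_INTERVAL`, `RulesCache`, `simulate` and the helper names are my own.

```python
# Added simulation (not ipa-kdb code): per-worker, request-driven reload of
# certificate mapping rules with a minimum age before a reload is attempted.
RELOAD_INTERVAL = 300  # seconds; the "5 minutes" from the PR discussion (my constant name)


class RulesCache:
    """One worker's copy of the certificate mapping rules.

    A reload happens only while a request is being served and only when the
    cached copy is at least RELOAD_INTERVAL old. No timer runs in between, so
    a quiet period produces no reloads at all.
    """

    def __init__(self, worker_id, loader):
        self.worker_id = worker_id
        self._loader = loader          # callable returning the current rule set
        self._rules = None
        self._loaded_at = None
        self.reload_times = []         # when this worker (re)loaded; one log line each

    def rules_for_request(self, now):
        """Return the rules used for a request arriving at time `now` (seconds)."""
        stale = self._loaded_at is None or now - self._loaded_at >= RELOAD_INTERVAL
        if stale:
            self._rules = self._loader()
            self._loaded_at = now
            self.reload_times.append(now)
        return self._rules


def simulate(request_times, worker_ids, loader):
    """Hand requests to workers round-robin; return {worker_id: [reload times]}.

    The IPA context is not shared between KDC worker processes, so each worker
    keeps its own cache and decides about reloading on its own.
    """
    caches = [RulesCache(w, loader) for w in worker_ids]
    for i, t in enumerate(request_times):
        caches[i % len(caches)].rules_for_request(t)
    return {c.worker_id: c.reload_times for c in caches}


def min_gap_per_worker(reload_log):
    """Smallest interval between consecutive reloads of the same worker (None if <2)."""
    gaps = [b - a for times in reload_log.values() for a, b in zip(times, times[1:])]
    return min(gaps) if gaps else None


def reload_events_in_window(reload_log, start, end):
    """Count reload log lines across all workers with start <= t < end."""
    return sum(1 for times in reload_log.values() for t in times if start <= t < end)


if __name__ == "__main__":
    # Constructed timeline (seconds): a burst of kinits, a second burst just
    # past the 5-minute mark, a six-hour lull, then a single kinit.
    timeline = [0, 10, 20, 30, 40, 50, 320, 330, 340, 6 * 3600 + 50]
    log = simulate(timeline, ["w0", "w1", "w2"], lambda: ["rule-1"])
    print(log)
    print("per-worker minimum gap:", min_gap_per_worker(log))
    print("reload lines in first minute:", reload_events_in_window(log, 0, 60))
    print("reload lines during the lull:", reload_events_in_window(log, 400, 6 * 3600))
```

With three workers the first minute produces three reload lines even though no single worker reloads twice inside five minutes, and the lull produces none because no request arrives to trigger one; a rule change made during the lull therefore takes effect on the first request after it, not five minutes after the change.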
[Freeipa-devel] [freeipa PR#840][opened] Add Role 'Client Administrator'
URL: https://github.com/freeipa/freeipa/pull/840
Author: Tiboris
Title: #840: Add Role 'Client Administrator'
Action: opened

PR body:
"""
A user with the 'Client Administrator' role assigned is able to enroll a host against a FreeIPA server as a client using the ipa-client-install command. The 'Client Administrator' role contains the 'Host Enrollment' privilege only.

Points to: https://pagure.io/freeipa/issue/6852
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/840/head:pr840
git checkout pr840

From 7335d69600a41dbc0821e2bce8c6f1297ef3e1dd Mon Sep 17 00:00:00 2001
From: Tibor Dudlák
Date: Thu, 1 Jun 2017 14:27:02 +0200
Subject: [PATCH] Add Role 'Client Administrator'

A user with the 'Client Administrator' role assigned is able to enroll a host against a FreeIPA server as a client using the ipa-client-install command.

Points to: https://pagure.io/freeipa/issue/6852
---
 install/updates/45-roles.update | 9 +
 1 file changed, 9 insertions(+)

diff --git a/install/updates/45-roles.update b/install/updates/45-roles.update index fb28464f25..aa0fe7ea81 100644 --- a/install/updates/45-roles.update +++ b/install/updates/45-roles.update @@ -91,3 +91,12 @@ add:member: cn=Security Architect,cn=roles,cn=accounts,$SUFFIX dn: cn=Password Policy Administrator,cn=privileges,cn=pbac,$SUFFIX add:member: cn=Security Architect,cn=roles,cn=accounts,$SUFFIX +dn: cn=Client Administrator,cn=roles,cn=accounts,$SUFFIX +default:objectClass: groupofnames +default:objectClass: nestedgroup +default:objectClass: top +default:cn: Client Administrator +default:description: Client Administrator responsible for client(host) enrollment + +dn: cn=Host Enrollment,cn=privileges,cn=pbac,$SUFFIX +add:member: cn=Client Administrator,cn=roles,cn=accounts,$SUFFIX
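Review bot: the description attribute in the new role entry, `default:description: Client Administrator responsible for client(host) enrollment`, is what administrators will see in `ipa role-show` and the web UI; spell it out as "client (host) enrollment" and, since the PR body says the role is meant to carry the 'Host Enrollment' privilege only, say so in the description (for example "... enrollment; holds the Host Enrollment privilege only") so that later additions to the role are a deliberate choice.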
[Freeipa-devel] [freeipa PR#837][comment] ca-add: fix permission issue
URL: https://github.com/freeipa/freeipa/pull/837
Title: #837: ca-add: fix permission issue

frasertweedale commented:
"""
@rcritten yes: https://pagure.io/389-ds-base/issue/49278
"""

See the full comment at https://github.com/freeipa/freeipa/pull/837#issuecomment-305474305
[Freeipa-devel] [freeipa PR#837][comment] ca-add: fix permission issue
URL: https://github.com/freeipa/freeipa/pull/837
Title: #837: ca-add: fix permission issue

rcritten commented:
"""
Is there a bug filed on the GER issue?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/837#issuecomment-305473444
[Freeipa-devel] [freeipa PR#818][comment] Avoid possible endless recursion in RPC call from client
URL: https://github.com/freeipa/freeipa/pull/818
Title: #818: Avoid possible endless recursion in RPC call from client

flo-renaud commented:
"""
Hi @stlaz
Thank you, the patch looks good to me.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/818#issuecomment-305470664
[Freeipa-devel] [freeipa PR#818][+ack] Avoid possible endless recursion in RPC call from client
URL: https://github.com/freeipa/freeipa/pull/818
Title: #818: Avoid possible endless recursion in RPC call from client
Label: +ack
[Freeipa-devel] [freeipa PR#818][synchronized] Avoid possible endless recursion in RPC call from client
URL: https://github.com/freeipa/freeipa/pull/818
Author: stlaz
Title: #818: Avoid possible endless recursion in RPC call from client
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/818/head:pr818
git checkout pr818

From 8b2824c01cf74e43a61ebe4d62332dba344c5dc8 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka
Date: Fri, 26 May 2017 08:37:36 +0200
Subject: [PATCH 1/3] Avoid possible endless recursion in RPC call

This commit removes recursion in RPCClient.forward() which may lack an end condition.

https://pagure.io/freeipa/issue/6796
---
 ipalib/rpc.py | 95 +--
 1 file changed, 54 insertions(+), 41 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py index e23ca3d061..297ed80414 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py
@@ -1088,50 +1088,63 @@ def forward(self, name, *args, **kw): :param kw: Keyword arguments to pass to remote command. """ server = getattr(context, 'request_url', None) -self.log.info("Forwarding '%s' to %s server '%s'", - name, self.protocol, server) command = getattr(self.conn, name) params = [args, kw] -try: -return self._call_command(command, params) -except Fault as e: -e = decode_fault(e) -self.debug('Caught fault %d from server %s: %s', e.faultCode, -server, e.faultString) -if e.faultCode in errors_by_code: -error = errors_by_code[e.faultCode] -raise error(message=e.faultString) -raise UnknownError( -code=e.faultCode, -error=e.faultString, -server=server, -) -except SSLError as e: -raise NetworkError(uri=server, error=str(e)) -except ProtocolError as e: -# By catching a 401 here we can detect the case where we have -# a single IPA server and the session is invalid. Otherwise -# we always have to do a ping(). -session_cookie = getattr(context, 'session_cookie', None) -if session_cookie and e.errcode == 401: -# Unauthorized. Remove the session and try again. -delattr(context, 'session_cookie') -try: -principal = getattr(context, 'principal', None) -delete_persistent_client_session_data(principal) -except Exception as e: -# This shouldn't happen if we have a session but it isn't fatal. 
-pass -# Create a new serverproxy with the non-session URI -serverproxy = self.create_connection(os.environ.get('KRB5CCNAME'), self.env.verbose, self.env.fallback, self.env.delegate) -setattr(context, self.id, Connection(serverproxy, self.disconnect)) -return self.forward(name, *args, **kw) -raise NetworkError(uri=server, error=e.errmsg) -except socket.error as e: -raise NetworkError(uri=server, error=str(e)) -except (OverflowError, TypeError) as e: -raise XMLRPCMarshallError(error=str(e)) +# we'll be trying to connect multiple times with a new session cookie +# each time should we be getting UNAUTHORIZED error from the server +max_tries = 5 +for try_num in range(0, max_tries): +self.log.info("[try %d]: Forwarding '%s' to %s server '%s'", + try_num+1, name, self.protocol, server) +try: +return self._call_command(command, params) +except Fault as e: +e = decode_fault(e) +self.debug('Caught fault %d from server %s: %s', e.faultCode, + server, e.faultString) +if e.faultCode in errors_by_code: +error = errors_by_code[e.faultCode] +raise error(message=e.faultString) +raise UnknownError( +code=e.faultCode, +error=e.faultString, +server=server, +) +except ProtocolError as e: +# By catching a 401 here we can detect the case where we have +# a single IPA server and the session is invalid. Otherwise +# we always have to do a ping(). +session_cookie = getattr(context, 'session_cookie', None) +if session_cookie and e.errcode == 401: +# Unauthorized. Remove the session and try again. +delattr(context, 'session_cookie') +try: +principal = getattr(context, 'principal', None) +delete_persistent_client_session_data(principal) +
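Review bot: the visible part of the `forward()` hunk deletes the `except SSLError as e: raise NetworkError(uri=server, error=str(e))` branch and the new `try` block shown so far only handles `Fault` and `ProtocolError`; unless the SSLError handler reappears in the part of the hunk cut off here, an SSL failure will now escape as a raw ssl exception instead of a NetworkError. Also make sure the code after the `for try_num in range(0, max_tries)` loop raises a definite error when every attempt ended in a 401 with a fresh session cookie (the loop body only returns or retries, so falling off the end would silently return None), and `range(0, max_tries)` can simply be `range(max_tries)`.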
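The PR#818 hunk above replaces "on 401, drop the session, reconnect and call `forward()` again" with a loop of at most five attempts. The following is an added example, not ipalib code: it keeps the two shapes side by side against a constructed server so the failure mode is visible (a server that never accepts the new session drives the recursive form into RecursionError, while the bounded form stops after `max_tries` and raises). `FlakyServer`, `Context`, `Unauthorized` and the function names are my own stand-ins for the xmlrpc ProtocolError/401 handling and the ipalib exceptions.

```python
# Added example (not ipalib code): unbounded retry-by-recursion on 401 versus
# the bounded loop the patch moves to. All names below are my own.


class Unauthorized(Exception):
    """Stands in for a ProtocolError with errcode 401 (constructed)."""


class NetworkError(Exception):
    """Stands in for ipalib's NetworkError (constructed)."""


class FlakyServer:
    """Constructed server: rejects the first `rejections` calls with 401;
    rejections=None means it never accepts any session."""

    def __init__(self, rejections):
        self.rejections = rejections
        self.calls = 0

    def call(self, session_cookie):
        self.calls += 1
        if self.rejections is None or self.rejections > 0:
            if self.rejections is not None:
                self.rejections -= 1
            raise Unauthorized()
        return "ok via %s" % session_cookie


class Context:
    """Per-request client state; reconnecting yields a fresh session cookie."""

    def __init__(self):
        self.session_cookie = "sess-0"
        self.reconnects = 0

    def reconnect(self):
        # Rebuilding the connection hands out a new session cookie, so the
        # "we have a cookie" condition is true again on the next attempt.
        self.reconnects += 1
        self.session_cookie = "sess-%d" % self.reconnects


def forward_recursive(server, ctx):
    """The pattern the patch removes: retry by calling yourself, with no bound."""
    try:
        return server.call(ctx.session_cookie)
    except Unauthorized:
        if ctx.session_cookie:
            ctx.reconnect()
            return forward_recursive(server, ctx)    # no end condition
        raise NetworkError("unauthorized")


def forward_bounded(server, ctx, max_tries=5):
    """The patch's shape: a fixed number of attempts, then a definite error."""
    for try_num in range(max_tries):
        try:
            return server.call(ctx.session_cookie)
        except Unauthorized:
            if not ctx.session_cookie:
                raise NetworkError("unauthorized without a session")
            ctx.reconnect()                           # one more try with a new session
    raise NetworkError("still unauthorized after %d tries" % max_tries)


def bounded_result(server, ctx, max_tries=5):
    """Run forward_bounded and report ('ok', value) or ('error', calls made)."""
    try:
        return ("ok", forward_bounded(server, ctx, max_tries))
    except NetworkError:
        return ("error", server.calls)


def recursion_blows_up(server, ctx):
    """True if the recursive variant dies with RecursionError against `server`."""
    try:
        forward_recursive(server, ctx)
    except RecursionError:
        return True
    except NetworkError:
        return False
    return False


if __name__ == "__main__":
    print(bounded_result(FlakyServer(2), Context()))        # ('ok', 'ok via sess-2')
    print(bounded_result(FlakyServer(None), Context()))     # ('error', 5)
    print(recursion_blows_up(FlakyServer(None), Context()))  # True
```

The bounded form also makes the retry count show up in logs (the patch logs `[try %d]` per attempt), which is what you want when a misbehaving server or a stale session keeps a client looping: five attempts and a NetworkError are diagnosable; a stack overflow inside the CLI is not.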
[Freeipa-devel] [freeipa PR#837][synchronized] ca-add: fix permission issue
URL: https://github.com/freeipa/freeipa/pull/837
Author: frasertweedale
Title: #837: ca-add: fix permission issue
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/837/head:pr837
git checkout pr837

From fcd9cb1d3af70e9553e7dfbcb20df93809064cc5 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Thu, 1 Jun 2017 13:12:53 +1000
Subject: [PATCH] ca-add: fix permission issue

The ca-add command pre_callback uses ldap.can_add() to check whether the user has permission to add CAs. Alas, the GetEffectiveRights control used by ldap.can_add() doesn't correctly interpret ACIs with 'targetfilter' constraints, and returns a false-negative for non-admin users, even when they have the 'System: Add CA' permission.

To work around this, add the CA object to FreeIPA before attempting to create the CA in Dogtag. If the CA creation in Dogtag succeeds, the user then updates the FreeIPA object with the Authority ID and other authoritative data returned by Dogtag. If the CA creation in Dogtag fails, the user cleans up by deleting the newly-created CA object from FreeIPA.

This modified procedure ensures that the user certainly has the 'System: Add CA' permission before the CA creation in Dogtag is attempted. But it also means that the user must have 'write' and 'delete' permission on 'ipaca' objects in FreeIPA, so that it can complete the object after CA creation in Dogtag, or clean up if that step fails. Therefore, update the 'System: Add CA' permission to confer 'write' and 'delete' access on 'ipaca' objects, as well as 'add' access.

Fixes: https://pagure.io/freeipa/issue/6609
---
 ACI.txt                 |  2 +-
 ipaserver/plugins/ca.py | 46 ++
 2 files changed, 31 insertions(+), 17 deletions(-)

diff --git a/ACI.txt b/ACI.txt index 185812a881..1e30dba9cc 100644 --- a/ACI.txt +++ b/ACI.txt
@@ -23,7 +23,7 @@ aci: (targetattr = "automountmapname || description")(targetfilter = "(objectcla dn: cn=automount,dc=ipa,dc=example aci: (targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Remove Automount Maps";allow (delete) groupdn = "ldap:///cn=System: Remove Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=cas,cn=ca,dc=ipa,dc=example -aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Add CA";allow (add) groupdn = "ldap:///cn=System: Add CA,cn=permissions,cn=pbac,dc=ipa,dc=example";) +aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Add CA";allow (add,delete,write) groupdn = "ldap:///cn=System: Add CA,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=cas,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Delete CA";allow (delete) groupdn = "ldap:///cn=System: Delete CA,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=cas,cn=ca,dc=ipa,dc=example diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py index 8db6ec549f..0a5f75c096 100644 --- a/ipaserver/plugins/ca.py +++ b/ipaserver/plugins/ca.py @@ -15,6 +15,7 @@ LDAPUpdate, LDAPRetrieve, LDAPQuery, pkey_to_value) from ipaserver.plugins.cert import ca_enabled_check from ipalib import _, ngettext, x509 +from ipapython.dn import DN __doc__ = _(""" @@ -135,7 +136,7 @@ class ca(LDAPObject): }, }, 'System: Add CA': { -'ipapermright': {'add'}, +'ipapermright': {'add', 'delete', 'write'}, 'replaces': [ '(target = "ldap:///cn=*,cn=cas,cn=ca,$SUFFIX;)(version 3.0;acl "permission:Add CA";allow (add) groupdn = "ldap:///cn=Add CA,cn=permissions,cn=pbac,$SUFFIX";)', ], 
@@ -234,11 +235,6 @@ class ca_add(LDAPCreate): ) def pre_callback(self, ldap, dn, entry, entry_attrs, *keys, **options): -ca_enabled_check(self.api) -if not ldap.can_add(dn[1:]): -raise errors.ACIError( -info=_("Insufficient 'add' privilege for entry '%s'.") % dn) - # check that DN only includes standard naming attributes dn_attrs = { ava.attr.lower() @@ -271,19 +267,37 @@ def pre_callback(self, ldap, dn, entry, entry_attrs, *keys, **options): "Subject DN is already used by CA '%s'" ) % result['result'][0]['cn'][0]) -# Create the CA in Dogtag. -with self.api.Backend.ra_lightweight_ca as ca_api: -resp = ca_api.create_ca(options['ipacasubjectdn']) -entry['ipacaid'] = [resp['id']] -entry['ipacaissuerdn'] = [resp['issuerDN']] - -# In the event that the issued certificate's subject DN -# differs from what was requested, record the actual DN. -# -entry['ipacasubjectdn'] = [resp['dn']] +# Use dummy values for the unknown MUST attributes; +# we will update them later. +
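Review bot: the `@@ -271,19 +267,37 @@` hunk adds the ipaca entry with "dummy values for the unknown MUST attributes" and fills in the real `ipacaid`, `ipacaissuerdn` and `ipacasubjectdn` only after Dogtag answers; between the add and that update the entry is visible to `ca-find`/`ca-show` with the dummy values, and if the process dies in that window nothing removes it, because the delete described in the commit message only runs when the Dogtag call fails. State that window in the comment, and make the cleanup cover any exception from the `ra_lightweight_ca` call (not only the expected Dogtag failure) so a half-created CA entry is not left behind.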
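Both PR#837 patches above change `ca-add` to add the ipaca entry first (so the directory's own ACI evaluation replaces the unreliable `ldap.can_add()` check), then create the CA in Dogtag, then either update the entry with the values Dogtag returned or delete it again. The code below is an added example, not FreeIPA's `ca.py`: it reproduces that ordering against fake LDAP and Dogtag backends so the four outcomes that matter (permission denied before Dogtag is touched, success, Dogtag failure with rollback, and the half-completed entry you get when the permission only grants `add`) can be run offline. `FakeLDAP`, `FakeDogtag`, `ca_add`, `outcome` and the `PLACEHOLDER` value are my own; the patch's real dummy values are not shown in the hunk.

```python
# Added example (not FreeIPA's ca.py): "add the LDAP object first, then create
# the CA in Dogtag, then complete or roll back", with fake backends. My names.
PLACEHOLDER = "pending"   # stand-in for the patch's dummy MUST-attribute values


class ACIError(Exception):
    """The directory denied an operation (stands in for errors.ACIError)."""


class DogtagError(Exception):
    """Dogtag refused to create the lightweight CA (constructed)."""


class FakeLDAP:
    """Constructed directory enforcing a fixed set of rights: 'add', 'write', 'delete'."""

    def __init__(self, rights):
        self.rights = set(rights)
        self.entries = {}

    def _check(self, right):
        if right not in self.rights:
            raise ACIError("Insufficient '%s' privilege" % right)

    def add_entry(self, dn, attrs):
        self._check("add")
        if dn in self.entries:
            raise ValueError("entry already exists: %s" % dn)
        self.entries[dn] = dict(attrs)

    def update_entry(self, dn, attrs):
        self._check("write")
        self.entries[dn].update(attrs)

    def delete_entry(self, dn):
        self._check("delete")
        del self.entries[dn]


class FakeDogtag:
    """Constructed lightweight-CA backend; fail=True makes create_ca raise."""

    def __init__(self, fail=False):
        self.fail = fail
        self.created = []

    def create_ca(self, subject_dn):
        if self.fail:
            raise DogtagError("CA creation failed")
        ca_id = "ca-%d" % (len(self.created) + 1)
        self.created.append(ca_id)
        return {"id": ca_id, "issuerDN": "CN=Certificate Authority,O=EXAMPLE", "dn": subject_dn}


def ca_add(ldap, dogtag, cn, subject_dn, suffix="dc=example"):
    """Add a lightweight CA in the order the patch uses.

    1. Add the ipaca entry with placeholder values; without the 'System: Add CA'
       permission this fails here, before Dogtag is touched.
    2. Create the CA in Dogtag.
    3. On success write the authoritative values Dogtag returned into the entry;
       on failure delete the entry again. Step 3 needs 'write' and 'delete',
       which is why the permission is widened.
    """
    dn = "cn=%s,cn=cas,cn=ca,%s" % (cn, suffix)
    ldap.add_entry(dn, {"cn": cn, "ipacasubjectdn": subject_dn,
                        "ipacaid": PLACEHOLDER, "ipacaissuerdn": PLACEHOLDER})
    try:
        resp = dogtag.create_ca(subject_dn)
    except DogtagError:
        ldap.delete_entry(dn)        # roll back the placeholder entry
        raise
    ldap.update_entry(dn, {"ipacaid": resp["id"], "ipacaissuerdn": resp["issuerDN"],
                           "ipacasubjectdn": resp["dn"]})   # DN Dogtag actually issued
    return ldap.entries[dn]


def outcome(rights, dogtag_fails, cn="lwca1", subject_dn="CN=lwca1,O=EXAMPLE"):
    """Run ca_add under a given set of rights and report what is left behind."""
    ldap, dogtag = FakeLDAP(rights), FakeDogtag(fail=dogtag_fails)
    try:
        ca_add(ldap, dogtag, cn, subject_dn)
        result = "ok"
    except ACIError as e:
        result = "aci:%s" % e
    except DogtagError:
        result = "dogtag-failed"
    entry = ldap.entries.get("cn=%s,cn=cas,cn=ca,dc=example" % cn)
    return {"result": result, "dogtag_cas": len(dogtag.created),
            "entry_left": entry is not None,
            "placeholder_left": entry is not None and entry["ipacaid"] == PLACEHOLDER}


if __name__ == "__main__":
    for rights, fails in [({"add", "write", "delete"}, False), (set(), False),
                          ({"add", "write", "delete"}, True), ({"add"}, False)]:
        print(sorted(rights), "dogtag fails" if fails else "dogtag ok", "->", outcome(rights, fails))
```

The last two scenarios in the test are the ones the ACI change exists for: with `add` only, a Dogtag CA gets created but the entry can never be completed, and when Dogtag fails the cleanup itself is denied, leaving a placeholder entry behind in both cases.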
[Freeipa-devel] [freeipa PR#838][opened] Explicitly ask for py2 dependencies in py2 packages
URL: https://github.com/freeipa/freeipa/pull/838
Author: MartinBasti
Title: #838: Explicitly ask for py2 dependencies in py2 packages
Action: opened

PR body:
"""
In future, default package names can start pointing to py3 instead of py2. We have to explicitly ask for python2-* and python3-* packages.

This commit changes only dependencies that are available in both F25 and F26.

https://pagure.io/freeipa/issue/4985
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/838/head:pr838
git checkout pr838

From 61ec8905cadecf8cd69ea63829bca1f5ad756e6a Mon Sep 17 00:00:00 2001
From: Martin Basti
Date: Thu, 1 Jun 2017 10:45:08 +0200
Subject: [PATCH] Explicitly ask for py2 dependencies in py2 packages

In future, default package names can start pointing to py3 instead of py2. We have to explicitly ask for python2-* and python3-* packages.

This commit changes only dependencies that are available in both F25 and F26.

https://pagure.io/freeipa/issue/4985
---
 freeipa.spec.in | 74 -
 1 file changed, 37 insertions(+), 37 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in index 1446dfbb7c..e6a5e6be8c 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -139,12 +139,12 @@ BuildRequires: python-lesscpy # BuildRequires: python-ldap BuildRequires: python-netaddr -BuildRequires: python-pyasn1 -BuildRequires: python-pyasn1-modules -BuildRequires: python-dns +BuildRequires: python2-pyasn1 +BuildRequires: python2-pyasn1-modules +BuildRequires: python2-dns BuildRequires: python-six -BuildRequires: python-libsss_nss_idmap -BuildRequires: python-cffi +BuildRequires: python2-libsss_nss_idmap +BuildRequires: python2-cffi # # Build dependencies for wheel packaging and PyPI upload
@@ -152,7 +152,7 @@ BuildRequires: python-cffi %if 0%{?with_wheels} BuildRequires: dbus-glib-devel BuildRequires: libffi-devel -BuildRequires: python-tox +BuildRequires: python2-tox BuildRequires: python2-twine BuildRequires: python2-wheel %if 0%{?with_python3} @@ -177,14 +177,14 @@ BuildRequires: pylint >= 1.6 %endif # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506 BuildRequires: python2-polib -BuildRequires: python-libipa_hbac -BuildRequires: python-lxml +BuildRequires: python2-libipa_hbac +BuildRequires: python2-lxml # 5.0.0: QRCode.print_ascii BuildRequires: python-qrcode-core >= 5.0.0 # 1.15: python-dns changed return type in to_text() method in PY3 -BuildRequires: python-dns >= 1.15 +BuildRequires: python2-dns >= 1.15 BuildRequires: jsl -BuildRequires: python-yubico +BuildRequires: python2-yubico # pki Python package BuildRequires: pki-base-python2 BuildRequires: python-pytest-multihost @@ -193,17 +193,17 @@ BuildRequires: python-jwcrypto # 0.3: sd_notify (https://pagure.io/freeipa/issue/5825) BuildRequires: python2-custodia >= 0.3.1 BuildRequires: dbus-python -BuildRequires: python-dateutil +BuildRequires: python2-dateutil BuildRequires: python-enum34 BuildRequires: python-netifaces -BuildRequires: python-sss -BuildRequires: python-sss-murmur -BuildRequires: python-sssdconfig -BuildRequires: python-nose -BuildRequires: python-paste +BuildRequires: python2-sss +BuildRequires: python2-sss-murmur +BuildRequires: python2-sssdconfig +BuildRequires: python2-nose +BuildRequires: python2-paste BuildRequires: systemd-python BuildRequires: python2-jinja2 -BuildRequires: python-augeas +BuildRequires: python2-augeas %if 0%{?with_python3} # FIXME: this depedency is missing - server will not work 
@@ -360,16 +360,16 @@ Requires: %{name}-common = %{version}-%{release} Requires: python2-ipaclient = %{version}-%{release} Requires: python2-custodia >= 0.3.1 Requires: python-ldap >= 2.4.15 -Requires: python-lxml +Requires: python2-lxml Requires: python-gssapi >= 1.2.0 -Requires: python-sssdconfig -Requires: python-pyasn1 +Requires: python2-sssdconfig +Requires: python2-pyasn1 Requires: dbus-python -Requires: python-dns >= 1.15 +Requires: python2-dns >= 1.15 Requires: python-kdcproxy >= 0.3 Requires: rpm-libs Requires: pki-base-python2 -Requires: python-augeas +Requires: python2-augeas %description -n python2-ipaserver IPA is an integrated solution to provide centrally managed Identity (users, @@ -552,7 +552,7 @@ BuildArch: noarch Requires: %{name}-client-common = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} Requires: python2-ipalib = %{version}-%{release} -Requires: python-dns >= 1.15 +Requires: python2-dns >= 1.15 Requires: python2-jinja2 %description -n python2-ipaclient @@ -658,21 +658,21 @@ Requires: pyOpenSSL Requires: python >= 2.7.9 Requires: python2-cryptography >= 1.6 Requires: python-netaddr >= %{python_netaddr_version} -Requires: python-libipa_hbac +Requires: python2-libipa_hbac Requires: python-qrcode-core >= 5.0.0 -Requires: python-pyasn1
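Review bot: after this patch python2-dns is listed twice among the BuildRequires, once unversioned in the first hunk (`+BuildRequires: python2-dns`) and once as `+BuildRequires: python2-dns >= 1.15` in the `@@ -177,14 +177,14 @@` hunk; the unversioned line is redundant and can be dropped. The names left as python-* (python-ldap, python-six, python-gssapi, python-netaddr, python-enum34, python-netifaces, python-kdcproxy, python-qrcode-core, python-pytest-multihost, python-jwcrypto) match the commit message's stated scope of touching only packages available under the python2- name in both F25 and F26, but listing those leftovers in the linked issue would make the F26-only follow-up easy to find.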
[Freeipa-devel] [freeipa PR#818][synchronized] Avoid possible endless recursion in RPC call from client
URL: https://github.com/freeipa/freeipa/pull/818
Author: stlaz
Title: #818: Avoid possible endless recursion in RPC call from client
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/818/head:pr818
git checkout pr818

From 8b2824c01cf74e43a61ebe4d62332dba344c5dc8 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka
Date: Fri, 26 May 2017 08:37:36 +0200
Subject: [PATCH 1/3] Avoid possible endless recursion in RPC call

This commit removes recursion in RPCClient.forward() which may lack an end condition.

https://pagure.io/freeipa/issue/6796
---
 ipalib/rpc.py | 95 +--
 1 file changed, 54 insertions(+), 41 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index e23ca3d061..297ed80414 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -1088,50 +1088,63 @@ def forward(self, name, *args, **kw): :param kw: Keyword arguments to pass to remote command. """ server = getattr(context, 'request_url', None) -self.log.info("Forwarding '%s' to %s server '%s'", - name, self.protocol, server) command = getattr(self.conn, name) params = [args, kw] -try: -return self._call_command(command, params) -except Fault as e: -e = decode_fault(e) -self.debug('Caught fault %d from server %s: %s', e.faultCode, -server, e.faultString) -if e.faultCode in errors_by_code: -error = errors_by_code[e.faultCode] -raise error(message=e.faultString) -raise UnknownError( -code=e.faultCode, -error=e.faultString, -server=server, -) -except SSLError as e: -raise NetworkError(uri=server, error=str(e)) -except ProtocolError as e: -# By catching a 401 here we can detect the case where we have -# a single IPA server and the session is invalid. Otherwise -# we always have to do a ping(). -session_cookie = getattr(context, 'session_cookie', None) -if session_cookie and e.errcode == 401: -# Unauthorized. Remove the session and try again. -delattr(context, 'session_cookie') -try: -principal = getattr(context, 'principal', None) -delete_persistent_client_session_data(principal) -except Exception as e: -# This shouldn't happen if we have a session but it isn't fatal. 
-pass -# Create a new serverproxy with the non-session URI -serverproxy = self.create_connection(os.environ.get('KRB5CCNAME'), self.env.verbose, self.env.fallback, self.env.delegate) -setattr(context, self.id, Connection(serverproxy, self.disconnect)) -return self.forward(name, *args, **kw) -raise NetworkError(uri=server, error=e.errmsg) -except socket.error as e: -raise NetworkError(uri=server, error=str(e)) -except (OverflowError, TypeError) as e: -raise XMLRPCMarshallError(error=str(e)) +# we'll be trying to connect multiple times with a new session cookie +# each time should we be getting UNAUTHORIZED error from the server +max_tries = 5 +for try_num in range(0, max_tries): +self.log.info("[try %d]: Forwarding '%s' to %s server '%s'", + try_num+1, name, self.protocol, server) +try: +return self._call_command(command, params) +except Fault as e: +e = decode_fault(e) +self.debug('Caught fault %d from server %s: %s', e.faultCode, + server, e.faultString) +if e.faultCode in errors_by_code: +error = errors_by_code[e.faultCode] +raise error(message=e.faultString) +raise UnknownError( +code=e.faultCode, +error=e.faultString, +server=server, +) +except ProtocolError as e: +# By catching a 401 here we can detect the case where we have +# a single IPA server and the session is invalid. Otherwise +# we always have to do a ping(). +session_cookie = getattr(context, 'session_cookie', None) +if session_cookie and e.errcode == 401: +# Unauthorized. Remove the session and try again. +delattr(context, 'session_cookie') +try: +principal = getattr(context, 'principal', None) +delete_persistent_client_session_data(principal) +
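Review bot: in the visible part of the replacement, the `except SSLError`, `except socket.error` and `except (OverflowError, TypeError)` handlers that the removed block mapped to `NetworkError` and `XMLRPCMarshallError` do not reappear after the new `except ProtocolError` branch; if they were dropped rather than moved further down (the hunk is truncated here), TLS and socket failures would reach callers as raw library exceptions instead of IPA's `NetworkError`. Bounding the retry with `max_tries = 5` is the right shape of fix, since a server that keeps answering 401 can no longer drive the client into unbounded `forward()` calls, but `for try_num in range(0, max_tries)` can be `range(max_tries)`, and `max_tries` reads better as a class-level constant than a literal inside the method. One more thing to check in the retained 401 path: the removed code wrapped `delete_persistent_client_session_data(principal)` in `except Exception as e:`, which rebinds the name of the `ProtocolError` being handled; under Python 3 that name is unbound once the inner handler exits, so any path that afterwards reaches `raise NetworkError(uri=server, error=e.errmsg)` would raise `NameError` instead. If the new `try:` that ends the visible hunk keeps that handler, give the inner exception a distinct name such as `exc`.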
[Freeipa-devel] [freeipa PR#803][comment] ipatests: add systemd journal collection for multihost tests
URL: https://github.com/freeipa/freeipa/pull/803
Title: #803: ipatests: add systemd journal collection for multihost tests

tomaskrizek commented:
"""
@MartinBasti Done.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/803#issuecomment-305421773
[Freeipa-devel] [freeipa PR#803][synchronized] ipatests: add systemd journal collection for multihost tests
URL: https://github.com/freeipa/freeipa/pull/803 Author: tomaskrizek Title: #803: ipatests: add systemd journal collection for multihost tests Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/803/head:pr803 git checkout pr803 From ee6195889ea60f36d1f8fc14925fd04e8053fa57 Mon Sep 17 00:00:00 2001 From: Tomas KrizekDate: Mon, 22 May 2017 18:27:44 +0200 Subject: [PATCH 1/2] ipatests: change logdir naming pattern for multihost tests Remove brackets from the paths in naming pattern of directories for multihost logs. Brackets in filenames require special handling in markdown URLs, bash paths etc. Related: https://pagure.io/freeipa/issue/6971 Signed-off-by: Tomas Krizek --- ipatests/pytest_plugins/integration/__init__.py | 11 ++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/ipatests/pytest_plugins/integration/__init__.py b/ipatests/pytest_plugins/integration/__init__.py index f1d8a0b91d..d126b413ae 100644 --- a/ipatests/pytest_plugins/integration/__init__.py +++ b/ipatests/pytest_plugins/integration/__init__.py @@ -24,6 +24,7 @@ import os import tempfile import shutil +import re import pytest from pytest_multihost import make_multihost_fixture @@ -46,6 +47,14 @@ def pytest_addoption(parser): help="Directory to store integration test logs in.") +def _get_logname_from_node(node): +name = node.nodeid +name = re.sub('\(\)/', '', name) # remove ()/ +name = re.sub('[()]', '', name) # and standalone brackets +name = re.sub('(/|::)', '-', name) +return name + + def collect_test_logs(node, logs_dict, test_config): """Collect logs from a test 
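Review bot: `re.sub('\(\)/', '', name)` in `_get_logname_from_node` uses a non-raw string literal with backslash escapes; `'\('` is an invalid escape sequence that Python 3.6+ reports as a DeprecationWarning and a later release will reject, so write the patterns as raw strings (`r'\(\)/'`, and `r'[()]'` for consistency). The capturing group in `re.sub('(/|::)', '-', name)` is unnecessary; `r'/|::'` does the same. Since the result becomes a path component under `logfile_dir`, replacing `/` and `::` is what keeps a node id from escaping the log directory; an explicit allowlist (keep only `[A-Za-z0-9._-]`, replace everything else) would make that guarantee visible rather than depending on which characters happen to be stripped.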
@@ -56,7 +65,7 @@ def collect_test_logs(node, logs_dict, test_config): :param test_config: Pytest configuration """ collect_logs( -name=node.nodeid.replace('/', '-').replace('::', '-'), +name=_get_logname_from_node(node), logs_dict=logs_dict, logfile_dir=test_config.getoption('logfile_dir'), beakerlib_plugin=test_config.pluginmanager.getplugin('BeakerLibPlugin'), From e7421125b6cb96952fb0badb04d42bfe966b05c5 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Mon, 22 May 2017 18:33:49 +0200 Subject: [PATCH 2/2] ipatests: add systemd journal collection for multihost tests Some messages are only logged in journal. Collection of journal makes debugging failed tests from logs easier. Fixes: https://pagure.io/freeipa/issue/6971 Signed-off-by: Tomas Krizek --- ipatests/pytest_plugins/integration/__init__.py | 32 +++ ipatests/pytest_plugins/integration/config.py | 2 ++ ipatests/pytest_plugins/integration/env_config.py | 2 ++ ipatests/test_integration/test_testconfig.py | 4 ++- 4 files changed, 39 insertions(+), 1 deletion(-) diff --git a/ipatests/pytest_plugins/integration/__init__.py b/ipatests/pytest_plugins/integration/__init__.py index d126b413ae..20e60e9192 100644 --- a/ipatests/pytest_plugins/integration/__init__.py +++ b/ipatests/pytest_plugins/integration/__init__.py 
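Review bot: the switch to `name=_get_logname_from_node(node)` in `collect_test_logs` is fine; what is missing is a small unit test for the new helper (a node id with `()/`, `::` and `/` in it, and the expected directory name), because the second commit reuses the same helper for the journal directory, so a regression in the regexes would silently move both kinds of logs.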
@@ -72,6 +72,36 @@ def collect_test_logs(node, logs_dict, test_config): ) +def collect_systemd_journal(node, hosts, test_config): +"""Collect systemd journal from remote hosts + +:param node: The pytest collection node (request.node) +:param hosts: List of hosts from which to collect journal +:param test_config: Pytest configuration +""" +name = _get_logname_from_node(node) +logfile_dir = test_config.getoption('logfile_dir') + +for host in hosts: +log.info("Collecting journal from: %s", host.hostname) + +topdirname = os.path.join(logfile_dir, name, host.hostname) +if not os.path.exists(topdirname): +os.makedirs(topdirname) + +# Get journal content +cmd = host.run_command( +['journalctl', '--since', host.config.log_journal_since], +log_stdout=False, raiseonerr=False) +if cmd.returncode: +log.error('An error occurred while collecting journal') +continue + +# Write journal to file +with open(os.path.join(topdirname, "journal"), 'w') as f: +f.write(cmd.stdout_text) + + def collect_logs(name, logs_dict, logfile_dir=None, beakerlib_plugin=None): """Collect logs from remote hosts @@ -158,7 +188,9 @@ def integration_logs(class_integration_logs, request): """Provides access to test integration logs, and collects after each test """ yield class_integration_logs +hosts = class_integration_logs.keys() collect_test_logs(request.node, class_integration_logs, request.config) +collect_systemd_journal(request.node, hosts, request.config) @yield_fixture(scope='class') diff --git a/ipatests/pytest_plugins/integration/config.py
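Review bot: the failure branch in `collect_systemd_journal` logs only `'An error occurred while collecting journal'` and continues; include `host.hostname` and `cmd.stderr_text` in that message, otherwise a bad `log_journal_since` value, which is passed straight through to `journalctl --since`, fails on every host with nothing to diagnose. Passing that value as a list element to `host.run_command` rather than through a shell is the right call, as a config value cannot then inject extra commands. Separately, in the `integration_logs` fixture hunk, `collect_systemd_journal(request.node, hosts, request.config)` runs after every test with the same `--since host.config.log_journal_since` boundary, so unless that value is updated per test each per-test `journal` file contains everything from the same point and the files grow and overlap as the class progresses; recording a timestamp at fixture start (or per test) and passing it as `--since` would keep each file to its own test.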
[Freeipa-devel] [freeipa PR#827][comment] pylint: explicitly depends on python2-pylint
URL: https://github.com/freeipa/freeipa/pull/827
Title: #827: pylint: explicitly depends on python2-pylint

MartinBasti commented:
"""
master:
* be1415b6cc8f5dadc1ac3766305a33f370fdf9bb pylint: explicitly depends on python2-pylint
"""

See the full comment at https://github.com/freeipa/freeipa/pull/827#issuecomment-305417588
[Freeipa-devel] [freeipa PR#827][closed] pylint: explicitly depends on python2-pylint
URL: https://github.com/freeipa/freeipa/pull/827
Author: MartinBasti
Title: #827: pylint: explicitly depends on python2-pylint
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/827/head:pr827
git checkout pr827
[Freeipa-devel] [freeipa PR#827][+pushed] pylint: explicitly depends on python2-pylint
URL: https://github.com/freeipa/freeipa/pull/827
Title: #827: pylint: explicitly depends on python2-pylint
Label: +pushed
[Freeipa-devel] [freeipa PR#827][+ack] pylint: explicitly depends on python2-pylint
URL: https://github.com/freeipa/freeipa/pull/827
Title: #827: pylint: explicitly depends on python2-pylint
Label: +ack
[Freeipa-devel] [freeipa PR#834][closed] [4.4] NSSNickname enclosed in single quotes causes ipa-server-certinstall failure
URL: https://github.com/freeipa/freeipa/pull/834
Author: tomaskrizek
Title: #834: [4.4] NSSNickname enclosed in single quotes causes ipa-server-certinstall failure
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/834/head:pr834
git checkout pr834
[Freeipa-devel] [freeipa PR#834][comment] [4.4] NSSNickname enclosed in single quotes causes ipa-server-certinstall failure
URL: https://github.com/freeipa/freeipa/pull/834
Title: #834: [4.4] NSSNickname enclosed in single quotes causes ipa-server-certinstall failure

MartinBasti commented:
"""
ipa-4-4:
* e4363c5c26982f9126e7df16ba7a1a060cdb8721 Fix the installutils.set_directive docstring
* e40f9a5183fc3ebe160ea6b6ae4fb5c3190c1462 installutils: improve directive value parsing in `get_directive`
* 67c8f5fd4e50283e7680e7ded142e3234c7ab5f1 Delegate directive value quoting/unquoting to separate functions
* 60a05de4122a26f3a9d148b8c014668d296229fc Explicitly handle quoting/unquoting of NSSNickname directive
"""

See the full comment at https://github.com/freeipa/freeipa/pull/834#issuecomment-305416276
[Freeipa-devel] [freeipa PR#834][+pushed] [4.4] NSSNickname enclosed in single quotes causes ipa-server-certinstall failure
URL: https://github.com/freeipa/freeipa/pull/834
Title: #834: [4.4] NSSNickname enclosed in single quotes causes ipa-server-certinstall failure
Label: +pushed
[Freeipa-devel] [freeipa PR#818][comment] Avoid possible endless recursion in RPC call from client
URL: https://github.com/freeipa/freeipa/pull/818
Title: #818: Avoid possible endless recursion in RPC call from client

stlaz commented:
"""
Thanks for the good catch, @flo-renaud. While the recursion in the `forward()` method was quite easy to fix, it was not so in the `create_connection()`. I tried to do several improvements to the code on the way and I am submitting it to testing here.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/818#issuecomment-305412672
[Freeipa-devel] [freeipa PR#824][+pushed] ca-add: validate Subject DN name attributes
URL: https://github.com/freeipa/freeipa/pull/824
Title: #824: ca-add: validate Subject DN name attributes
Label: +pushed
[Freeipa-devel] [freeipa PR#824][comment] ca-add: validate Subject DN name attributes
URL: https://github.com/freeipa/freeipa/pull/824
Title: #824: ca-add: validate Subject DN name attributes

MartinBasti commented:
"""
master:
* 5f0e13ce9c3d1ead02de61a148de973fc6787b96 ca-add: validate Subject DN name attributes
"""

See the full comment at https://github.com/freeipa/freeipa/pull/824#issuecomment-305412301
[Freeipa-devel] [freeipa PR#824][closed] ca-add: validate Subject DN name attributes
URL: https://github.com/freeipa/freeipa/pull/824
Author: frasertweedale
Title: #824: ca-add: validate Subject DN name attributes
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/824/head:pr824
git checkout pr824
[Freeipa-devel] [freeipa PR#460][closed] ipa-server-install, ipa-server-upgrade fixes
URL: https://github.com/freeipa/freeipa/pull/460
Author: MartinBasti
Title: #460: ipa-server-install, ipa-server-upgrade fixes
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/460/head:pr460
git checkout pr460
[Freeipa-devel] [freeipa PR#460][comment] ipa-server-install, ipa-server-upgrade fixes
URL: https://github.com/freeipa/freeipa/pull/460
Title: #460: ipa-server-install, ipa-server-upgrade fixes

MartinBasti commented:
"""
master:
* 2e63ec42d0f879f2d129c4f81f88a1712ce86b8c py3: use ConfigParser instead of SafeConfigParser
* 6e7071d6add24e8923d705d35a362761f356d56d py3: ConfigParser: replace deprecated readfd with read
* 27f8f9f03d69276f9ee410169b76574da2461794 py3: ipaldap: encode Boolean as bytes
* d7a9e81fbd7a33941a8c5ae9f29252522944 py3: softhsm key_id must be bytes
* bc9addac30d69d88f5040e194be1e32a881cfba9 py3: LDAP updates: use only bytes/raw values
* d89de4219d0e8ee33e81d6b6d1bc6c22ac9ffbaa py3: schemaupdate: fix BytesWarning
* b09a941f34507cfce682d8c5a3acf6dfe7fa624e py3: cainstance: fix BytesWarning
* c6a57d8091aeefb6067711189ee0ce11411dee57 py3: urlfetch: use "file://" prefix with filenames
* 99771ceb9ffcf21d0364bf57994716322b24551e py3: update_mod_nss_cipher_suite: ordering doesn't work with None
"""

See the full comment at https://github.com/freeipa/freeipa/pull/460#issuecomment-305411368
[Freeipa-devel] [freeipa PR#824][+ack] ca-add: validate Subject DN name attributes
URL: https://github.com/freeipa/freeipa/pull/824
Title: #824: ca-add: validate Subject DN name attributes
Label: +ack