[Freeipa-devel] [freeipa PR#1575][opened] [Backport][ipa-4-5] - External ca py crypto backport

2018-02-14 Thread Rezney via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1575
Author: Rezney
 Title: #1575: [Backport][ipa-4-5] - External ca py crypto backport
Action: opened

PR body:
"""
Switch external CA generation from certutil to python-cryptography
as this way of handling the certificates should be more readable,
maintainable and extendable (e.g. extensions handling).

Also as external CA is now a separate module we can import it and
use elsewhere.

https://pagure.io/freeipa/issue/7154

Reviewed-By: Stanislav Laznicka 
Reviewed-By: Christian Heimes 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1575/head:pr1575
git checkout pr1575
From b6361b91de213fbc10e6030cbf4356dee77e845c Mon Sep 17 00:00:00 2001
From: Michal Reznik 
Date: Fri, 8 Sep 2017 08:52:38 +0200
Subject: [PATCH] test_external_ca: switch to python-cryptography

Switch external CA generation from certutil to python-cryptography
as this way of handling the certificates should be more readable,
maintainable and extendable (e.g. extensions handling).

Also as external CA is now a separate module we can import it and
use elsewhere.

https://pagure.io/freeipa/issue/7154

Reviewed-By: Stanislav Laznicka 
Reviewed-By: Christian Heimes 
---
 ipatests/test_integration/create_external_ca.py | 155 
 ipatests/test_integration/test_external_ca.py   |  82 +++--
 2 files changed, 174 insertions(+), 63 deletions(-)
 create mode 100644 ipatests/test_integration/create_external_ca.py

diff --git a/ipatests/test_integration/create_external_ca.py b/ipatests/test_integration/create_external_ca.py
new file mode 100644
index 00..dc4ef048cc
--- /dev/null
+++ b/ipatests/test_integration/create_external_ca.py
@@ -0,0 +1,155 @@
+#
+# Copyright (C) 2017  FreeIPA Contributors see COPYING for license
+#
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see .
+
+from cryptography import x509
+from cryptography.x509.oid import NameOID
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import serialization
+
+import datetime
+import six
+
+
+class ExternalCA(object):
+"""
+Provide external CA for testing
+"""
+def create_ca(self, cn='example.test'):
+"""Create root CA.
+
+:returns: bytes -- Root CA in PEM format.
+"""
+self.ca_key = rsa.generate_private_key(
+public_exponent=65537,
+key_size=2048,
+backend=default_backend(),
+)
+
+self.ca_public_key = self.ca_key.public_key()
+
+subject = self.issuer = x509.Name([
+x509.NameAttribute(NameOID.COMMON_NAME, six.text_type(cn)),
+])
+
+builder = x509.CertificateBuilder()
+builder = builder.subject_name(subject)
+builder = builder.issuer_name(self.issuer)
+builder = builder.public_key(self.ca_public_key)
+builder = builder.serial_number(x509.random_serial_number())
+builder = builder.not_valid_before(datetime.datetime.utcnow())
+builder = builder.not_valid_after(
+  datetime.datetime.utcnow() + datetime.timedelta(days=365)
+  )
+
+builder = builder.add_extension(
+x509.KeyUsage(
+digital_signature=False,
+content_commitment=False,
+key_encipherment=False,
+data_encipherment=False,
+key_agreement=False,
+key_cert_sign=True,
+crl_sign=True,
+encipher_only=False,
+decipher_only=False,
+),
+critical=True,
+)
+
+builder = builder.add_extension(
+x509.BasicConstraints(ca=True, path_length=None),
+critical=True,
+)
+
+builder = builder.add_extension(
+x509.SubjectKeyIdentifier.from_public_key(self.ca_public_key),
+critical=False,
+)
+
+builder = builder.add_extension(
+x509.AuthorityKeyIdentifier.from_issuer_public_key(
+ self.ca_public_key
+ ),
+critical=False,
+ 
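Review bot: `builder.not_valid_before(datetime.datetime.utcnow())` gives the root CA no clock-skew margin, so a test host whose clock runs a few seconds behind the machine that generated the certificate rejects it as not yet valid; back-date the start, for example `datetime.datetime.utcnow() - datetime.timedelta(minutes=5)`. The `KeyUsage` extension asserting only `key_cert_sign` and `crl_sign` and `BasicConstraints(ca=True, path_length=None)` are right for a test root, but `create_ca()` is also what populates `self.ca_key`, `self.ca_public_key` and `self.issuer` for any later signing call on the same object; a sentence in the class docstring saying that `create_ca()` must run first would save the next reader a trip through the code.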

[Freeipa-devel] [freeipa PR#1579][closed] [Backport][ipa-4-5] - test_renewal_master: add ipa csreplica-manage test

2018-02-14 Thread Rezney via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1579
Author: Rezney
 Title: #1579: [Backport][ipa-4-5] - test_renewal_master: add ipa csreplica-manage test
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1579/head:pr1579
git checkout pr1579
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#1576][opened] [Backport][ipa-4-5] [Backport][ipa-4-6] - Help cache test

2018-02-14 Thread Rezney via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1576
Author: Rezney
 Title: #1576: [Backport][ipa-4-5] [Backport][ipa-4-6] - Help cache test
Action: opened

PR body:
"""
This PR was opened automatically because PR #1570 was pushed to ipa-4-6 and 
backport to ipa-4-5 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1576/head:pr1576
git checkout pr1576
From d1a8b15eb5a7f43c59511d1f46fd1126f5a49ed3 Mon Sep 17 00:00:00 2001
From: Michal Reznik 
Date: Fri, 15 Dec 2017 14:49:40 +0100
Subject: [PATCH] test_help: test "help" command without cache

This test case addresses upstream ticket #6999, where "ipa help"
does not work if called when no schema is cached.

https://pagure.io/freeipa/issue/7325

Reviewed-By: Christian Heimes 
---
 ipatests/test_cmdline/test_help.py | 25 +
 1 file changed, 25 insertions(+)

diff --git a/ipatests/test_cmdline/test_help.py b/ipatests/test_cmdline/test_help.py
index b28aa2303d..919e60885a 100644
--- a/ipatests/test_cmdline/test_help.py
+++ b/ipatests/test_cmdline/test_help.py
@@ -18,6 +18,9 @@
 #
 
 import sys
+import os
+import shutil
+import errno
 
 import six
 from six import StringIO
@@ -70,6 +73,27 @@ def test_ipa_help():
 assert ctx.stderr == ''
 
 
+def test_ipa_help_without_cache():
+"""Test `ipa help` without schema cache"""
+cache_dir = os.path.expanduser('~/.cache/ipa/schema/')
+backup_dir = os.path.expanduser('~/.cache/ipa/schema.bak/')
+shutil.rmtree(backup_dir, ignore_errors=True)
+if os.path.isdir(cache_dir):
+os.rename(cache_dir, backup_dir)
+try:
+with CLITestContext() as ctx:
+return_value = api.Backend.cli.run(['help'])
+assert return_value == 0
+assert ctx.stderr == ''
+finally:
+shutil.rmtree(cache_dir, ignore_errors=True)
+try:
+os.rename(backup_dir, cache_dir)
+except OSError as e:
+if e.errno != errno.ENOENT:
+raise
+
+
 def test_ipa_without_arguments():
 """Test that `ipa` errors out, and prints the help to stderr"""
 with CLITestContext(exception=SystemExit) as ctx:
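Review bot: `shutil.rmtree(backup_dir, ignore_errors=True)` at the top of `test_ipa_help_without_cache` silently destroys whatever already sits in `~/.cache/ipa/schema.bak/`, and because the backup location is a fixed sibling path, two test runs that share a HOME clobber each other's backup and then restore the wrong cache in the `finally` block. Use a fresh `tempfile.mkdtemp()` (or pytest's `tmpdir` fixture) as the destination of the `os.rename`, so that the restore path is private to this run; the `errno.ENOENT` handling can then stay as it is.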
@@ -134,6 +158,7 @@ def test_ambiguous_command_or_topic():
 
 assert h_ctx.stdout != help_ctx.stdout
 
+
 def test_multiline_description():
 """Test that all of a multi-line command description appears in output
 """


[Freeipa-devel] [freeipa PR#1570][closed] [Backport][ipa-4-6] - Help cache test

2018-02-14 Thread Rezney via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1570
Author: Rezney
 Title: #1570: [Backport][ipa-4-6] - Help cache test
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1570/head:pr1570
git checkout pr1570


[Freeipa-devel] [freeipa PR#1577][opened] [Backport][ipa-4-6] Test to check if userroot.ldif have proper ownership

2018-02-14 Thread tiran via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1577
Author: tiran
 Title: #1577: [Backport][ipa-4-6] Test to check if userroot.ldif have proper ownership
Action: opened

PR body:
"""
This PR was opened automatically because PR #1497 was pushed to master and 
backport to ipa-4-6 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1577/head:pr1577
git checkout pr1577
From 278c98649c42410500a26a3256ad789b268358ab Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan Yusuf 
Date: Thu, 25 Jan 2018 15:42:07 +0530
Subject: [PATCH] Before the fix, when ipa-backup was called for the first
 time, the LDAP database was exported to
 /var/lib/dirsrv/slapd-/ldif/-userRoot.ldif. db2ldif is
 called for this and it runs as root, hence the files were owned by root.

When ipa-backup is called the next time, db2ldif fails,
because the tool does not have permission to write to the ldif
file, which was owned by root (instead of dirsrv).

This test checks that the files are owned by dirsrv and that db2ldif
doesn't fail.

related ticket: https://pagure.io/freeipa/issue/7010

Signed-off-by: Mohammad Rizwan Yusuf 
---
 .../test_integration/test_backup_and_restore.py| 52 ++
 1 file changed, 52 insertions(+)

diff --git a/ipatests/test_integration/test_backup_and_restore.py b/ipatests/test_integration/test_backup_and_restore.py
index ba24c366b4..266c36e3fd 100644
--- a/ipatests/test_integration/test_backup_and_restore.py
+++ b/ipatests/test_integration/test_backup_and_restore.py
@@ -478,3 +478,55 @@ def test_full_backup_and_restore_with_replica(self):
 
 tasks.install_replica(self.master, replica)
 check_replication(self.master, replica, "testuser1")
+
+
+class TestUserrootFilesOwnership(IntegrationTest):
+"""Test to check if userroot.ldif have proper ownership.
+
+Before the fix, when ipa-backup was called for the first time,
+the LDAP database exported to
+/var/lib/dirsrv/slapd-/ldif/-userRoot.ldif.
+db2ldif is called for this and it runs under root, hence files
+were owned by root.
+
+When ipa-backup called the next time, the db2ldif fails,
+because the tool does not have permissions to write to the ldif
+file which was owned by root (instead of dirsrv).
+
+This test check if files are owned by dirsrv and db2ldif doesn't
+fail
+
+related ticket: https://pagure.io/freeipa/issue/7010
+"""
+
+def test_userroot_ldif_files_ownership(self):
+"""backup, uninstall, restore, backup"""
+tasks.install_master(self.master)
+backup_path = backup(self.master)
+
+self.master.run_command(['ipa-server-install',
+ '--uninstall',
+ '-U'])
+
+dirman_password = self.master.config.dirman_password
+self.master.run_command(['ipa-restore', backup_path],
+stdin_text=dirman_password + '\nyes')
+
+# check if files have proper owner and group.
+dashed_domain = self.master.domain.realm.replace(".", '-')
+arg = ['stat',
+   '-c', '%U%G',
+   '/var/lib/dirsrv/slapd-' + dashed_domain + '/ldif']
+cmd = self.master.run_command(arg)
+assert 'dirsrvdirsrv' in cmd.stdout_text
+
+arg = ['stat',
+   '-c', '%U%G',
+   '/var/lib/dirsrv/slapd-' + dashed_domain + '/ldif/']
+cmd = self.master.run_command(arg)
+assert 'dirsrvdirsrv' in cmd.stdout_text
+
+cmd = self.master.run_command(['ipa-backup', '-d'])
+unexp_str = "CRITICAL: db2ldif failed:"
+assert cmd.returncode == 0
+assert unexp_str not in cmd.stdout_text
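Review bot: neither `stat` call in `test_userroot_ldif_files_ownership` looks at an exported ldif file: the first targets the `ldif` directory and the second targets the same directory again with a trailing slash, so the ownership of the `-userRoot.ldif` file named in the class docstring is never asserted. Point the second `stat` at the file inside the directory (or at every `*.ldif` in it), and compare exactly instead of with `in`: `'%U:%G'` checked with `== 'dirsrv:dirsrv'` avoids the ambiguous `dirsrvdirsrv` concatenation. The final check only inspects `cmd.stdout_text`; if `ipa-backup -d` writes its log to stderr the `CRITICAL: db2ldif failed:` marker is missed, so assert on `cmd.stderr_text` as well.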


[Freeipa-devel] [freeipa PR#1497][closed] Test to check if userroot.ldif have proper ownership

2018-02-14 Thread tiran via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1497
Author: mrizwan93
 Title: #1497: Test to check if userroot.ldif have proper ownership
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1497/head:pr1497
git checkout pr1497


[Freeipa-devel] [freeipa PR#1578][opened] [Backport][ipa-4-5] Test to check if userroot.ldif have proper ownership

2018-02-14 Thread tiran via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1578
Author: tiran
 Title: #1578: [Backport][ipa-4-5] Test to check if userroot.ldif have proper ownership
Action: opened

PR body:
"""
This PR was opened automatically because PR #1497 was pushed to master and 
backport to ipa-4-5 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1578/head:pr1578
git checkout pr1578
From a62f5e2171b5d987c25f3a49d66bc1c2d9dc322d Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan Yusuf 
Date: Thu, 25 Jan 2018 15:42:07 +0530
Subject: [PATCH] Before the fix, when ipa-backup was called for the first
 time, the LDAP database was exported to
 /var/lib/dirsrv/slapd-/ldif/-userRoot.ldif. db2ldif is
 called for this and it runs as root, hence the files were owned by root.

When ipa-backup is called the next time, db2ldif fails,
because the tool does not have permission to write to the ldif
file, which was owned by root (instead of dirsrv).

This test checks that the files are owned by dirsrv and that db2ldif
doesn't fail.

related ticket: https://pagure.io/freeipa/issue/7010

Signed-off-by: Mohammad Rizwan Yusuf 
---
 .../test_integration/test_backup_and_restore.py| 52 ++
 1 file changed, 52 insertions(+)

diff --git a/ipatests/test_integration/test_backup_and_restore.py b/ipatests/test_integration/test_backup_and_restore.py
index d534a58a6d..a8010ad808 100644
--- a/ipatests/test_integration/test_backup_and_restore.py
+++ b/ipatests/test_integration/test_backup_and_restore.py
@@ -468,3 +468,55 @@ def test_full_backup_and_restore_with_replica(self):
 
 tasks.install_replica(self.master, replica)
 check_replication(self.master, replica, "testuser1")
+
+
+class TestUserrootFilesOwnership(IntegrationTest):
+"""Test to check if userroot.ldif have proper ownership.
+
+Before the fix, when ipa-backup was called for the first time,
+the LDAP database exported to
+/var/lib/dirsrv/slapd-/ldif/-userRoot.ldif.
+db2ldif is called for this and it runs under root, hence files
+were owned by root.
+
+When ipa-backup called the next time, the db2ldif fails,
+because the tool does not have permissions to write to the ldif
+file which was owned by root (instead of dirsrv).
+
+This test check if files are owned by dirsrv and db2ldif doesn't
+fail
+
+related ticket: https://pagure.io/freeipa/issue/7010
+"""
+
+def test_userroot_ldif_files_ownership(self):
+"""backup, uninstall, restore, backup"""
+tasks.install_master(self.master)
+backup_path = backup(self.master)
+
+self.master.run_command(['ipa-server-install',
+ '--uninstall',
+ '-U'])
+
+dirman_password = self.master.config.dirman_password
+self.master.run_command(['ipa-restore', backup_path],
+stdin_text=dirman_password + '\nyes')
+
+# check if files have proper owner and group.
+dashed_domain = self.master.domain.realm.replace(".", '-')
+arg = ['stat',
+   '-c', '%U%G',
+   '/var/lib/dirsrv/slapd-' + dashed_domain + '/ldif']
+cmd = self.master.run_command(arg)
+assert 'dirsrvdirsrv' in cmd.stdout_text
+
+arg = ['stat',
+   '-c', '%U%G',
+   '/var/lib/dirsrv/slapd-' + dashed_domain + '/ldif/']
+cmd = self.master.run_command(arg)
+assert 'dirsrvdirsrv' in cmd.stdout_text
+
+cmd = self.master.run_command(['ipa-backup', '-d'])
+unexp_str = "CRITICAL: db2ldif failed:"
+assert cmd.returncode == 0
+assert unexp_str not in cmd.stdout_text
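Review bot: the same gap as in the ipa-4-6 copy of this test applies here: both `stat` invocations target the `ldif` directory (the second only adds a trailing slash), so no `-userRoot.ldif` file is ever checked for ownership, and `'dirsrvdirsrv' in cmd.stdout_text` is a loose substring match. Stat the ldif file(s) inside the directory, use `'%U:%G'` with an exact `== 'dirsrv:dirsrv'` comparison, and include `cmd.stderr_text` in the `CRITICAL: db2ldif failed:` check since `ipa-backup -d` may log there rather than to stdout.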


[Freeipa-devel] [freeipa PR#1572][closed] [Backport][ipa-4-5] - cn to san backport

2018-02-14 Thread Rezney via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1572
Author: Rezney
 Title: #1572: [Backport][ipa-4-5] - cn to san backport
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1572/head:pr1572
git checkout pr1572


[Freeipa-devel] [freeipa PR#1575][closed] [Backport][ipa-4-5] - External ca py crypto backport

2018-02-14 Thread Rezney via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1575
Author: Rezney
 Title: #1575: [Backport][ipa-4-5] - External ca py crypto backport
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1575/head:pr1575
git checkout pr1575


[Freeipa-devel] [freeipa PR#1581][opened] [Backport][ipa-4-5]- Ca > ext > ca backport-4-6

2018-02-14 Thread Rezney via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1581
Author: Rezney
 Title: #1581: [Backport][ipa-4-5]- Ca > ext  > ca backport-4-6
Action: opened

PR body:
"""
Backport of https://github.com/freeipa/freeipa/pull/1372

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1581/head:pr1581
git checkout pr1581
From 7e69ea7fe118aeb2a9d2f765fcccf4b496da43cf Mon Sep 17 00:00:00 2001
From: Michal Reznik 
Date: Wed, 6 Dec 2017 11:34:47 +0100
Subject: [PATCH 1/4] paths: add IPA_CACERT_MANAGE and IPA_CERTUPDATE constants

Add IPA_CACERT_MANAGE and IPA_CERTUPDATE constants which will be
used in test_external_ca test suite.

https://pagure.io/freeipa/issue/7302

Reviewed-By: Florence Blanc-Renaud 
---
 ipaplatform/base/paths.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 3b39fe5487..2b21eceb76 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -271,6 +271,8 @@ class BasePathNamespace(object):
 DNSSEC_TOKENS_DIR = "/var/lib/ipa/dnssec/tokens"
 DNSSEC_SOFTHSM_PIN = "/var/lib/ipa/dnssec/softhsm_pin"
 IPA_CA_CSR = "/var/lib/ipa/ca.csr"
+IPA_CACERT_MANAGE = "/usr/sbin/ipa-cacert-manage"
+IPA_CERTUPDATE = "/usr/sbin/ipa-certupdate"
 PKI_CA_PUBLISH_DIR = "/var/lib/ipa/pki-ca/publish"
 REPLICA_INFO_TEMPLATE = "/var/lib/ipa/replica-info-%s"
 REPLICA_INFO_GPG_TEMPLATE = "/var/lib/ipa/replica-info-%s.gpg"

From b2ed6af5adaf082dd93afdebd564f56c3650d348 Mon Sep 17 00:00:00 2001
From: Michal Reznik 
Date: Wed, 6 Dec 2017 11:49:09 +0100
Subject: [PATCH 2/4] test_tasks: add sign_ca_and_transport() function

Add sign_ca_and_transport() function which will sign provided csr
and transport root CA and signed IPA CA to the host.

https://pagure.io/freeipa/issue/7302

Reviewed-By: Florence Blanc-Renaud 
---
 ipatests/pytest_plugins/integration/tasks.py | 28 
 1 file changed, 28 insertions(+)

diff --git a/ipatests/pytest_plugins/integration/tasks.py b/ipatests/pytest_plugins/integration/tasks.py
index d9ba187d92..f2789a11ca 100644
--- a/ipatests/pytest_plugins/integration/tasks.py
+++ b/ipatests/pytest_plugins/integration/tasks.py
@@ -42,6 +42,7 @@
 from ipalib.constants import (
 DEFAULT_CONFIG, DOMAIN_SUFFIX_NAME, DOMAIN_LEVEL_0)
 
+from .create_external_ca import ExternalCA
 from .env_config import env_to_script
 from .host import Host
 
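Review bot: the relative import `from .create_external_ca import ExternalCA` resolves to `ipatests/pytest_plugins/integration/create_external_ca.py`, while the module that PR #1575 in this digest adds lives at `ipatests/test_integration/create_external_ca.py`, and patch 3/4 below removes the `from ipatests.test_integration.create_external_ca import ExternalCA` line from the test. Confirm that the ipa-4-5 backport also moves the module into `ipatests/pytest_plugins/integration/`; otherwise this import fails as soon as tasks.py is loaded.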
@@ -1382,3 +1383,30 @@ def add_dns_zone(master, zone, skip_overlap_check=False,
 host.hostname + ".", '--a-rec', host.ip])
 else:
 logger.debug('Zone %s already added.', zone)
+
+
+def sign_ca_and_transport(host, csr_name, root_ca_name, ipa_ca_name):
+"""
+Sign ipa csr and save signed CA together with root CA back to the host.
+Returns root CA and IPA CA paths on the host.
+"""
+
+test_dir = host.config.test_dir
+
+# Get IPA CSR as bytes
+ipa_csr = host.get_file_contents(csr_name)
+
+external_ca = ExternalCA()
+# Create root CA
+root_ca = external_ca.create_ca()
+# Sign CSR
+ipa_ca = external_ca.sign_csr(ipa_csr)
+
+root_ca_fname = os.path.join(test_dir, root_ca_name)
+ipa_ca_fname = os.path.join(test_dir, ipa_ca_name)
+
+# Transport certificates (string > file) to master
+host.put_file_contents(root_ca_fname, root_ca)
+host.put_file_contents(ipa_ca_fname, ipa_ca)
+
+return (root_ca_fname, ipa_ca_fname)
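Review bot: `sign_ca_and_transport` depends on `external_ca.create_ca()` running before `external_ca.sign_csr(ipa_csr)`, since `create_ca()` is what stores the CA key and issuer name on the object (the `self.ca_key` / `self.issuer` assignments in the PR #1575 hunk earlier in this digest); nothing enforces that order, so a future caller that only wants to sign gets an `AttributeError`. Either generate the key in `ExternalCA.__init__` or state the required order in this docstring. The docstring also says "Returns root CA and IPA CA paths on the host" without giving the tuple order; spell out `(root_ca_path, ipa_ca_path)` so callers do not have to read the body.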

From 2842f63b4beefcc580402decdb57160f3167d428 Mon Sep 17 00:00:00 2001
From: Michal Reznik 
Date: Wed, 6 Dec 2017 11:53:35 +0100
Subject: [PATCH 3/4] test_external_ca: selfsigned->ext_ca->selfsigned

Add selfsigned > external_ca > selfsigned test case.

Covers Pagure issue #7106

https://pagure.io/freeipa/issue/7302

Reviewed-By: Florence Blanc-Renaud 
---
 ipatests/test_integration/test_external_ca.py | 125 ++
 1 file changed, 106 insertions(+), 19 deletions(-)

diff --git a/ipatests/test_integration/test_external_ca.py b/ipatests/test_integration/test_external_ca.py
index e3c44100e4..6d23f06de9 100644
--- a/ipatests/test_integration/test_external_ca.py
+++ b/ipatests/test_integration/test_external_ca.py
@@ -15,11 +15,53 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see .
 
-import os
+import re
+import time
 
 from ipatests.pytest_plugins.integration import tasks
 from ipatests.test_integration.base import IntegrationTest
-from ipatests.test_integration.create_external_ca import ExternalCA
+from ipaplatform.paths import paths
+
+from itertools import chain, repeat
+
+IPA_CA = 'ipa_ca.crt'
+ROOT_CA = 'root_ca.crt'
+
+# string to identify PKI restart in the journal
+PKI_START_STR = 'Started pki_tomcatd'
+
+
+def check_CA_flag(host, 
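Review bot: `check_CA_flag` mixes cases in a function name; the rest of this module and tasks.py use PEP 8 `lower_case_with_underscores`, so `check_ca_flag` would be consistent. The hunk also drops `import os` while adding `time` and `itertools.chain`/`repeat`; make sure nothing left in the file still references `os`, and that each new import is actually used in the test bodies that follow.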

[Freeipa-devel] [freeipa PR#1580][opened] Generate same API.txt under Python 2 and 3

2018-02-14 Thread tiran via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1580
Author: tiran
 Title: #1580: Generate same API.txt under Python 2 and 3
Action: opened

PR body:
"""
Use Python 3's reprlib with customizations to create same API.txt under
Python 2 and 3. Some plugins have been slightly altered to use stable
sorting for dynamically created parameter lists.

Signed-off-by: Christian Heimes 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1580/head:pr1580
git checkout pr1580
From 52ee20d72f663e7a0e98e62f9a2d893d504e69db Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Wed, 14 Feb 2018 12:03:02 +0100
Subject: [PATCH] Generate same API.txt under Python 2 and 3

Use Python 3's reprlib with customizations to create same API.txt under
Python 2 and 3. Some plugins have been slightly altered to use stable
sorting for dynamically created parameter lists.

Signed-off-by: Christian Heimes 
---
 API.txt |  8 
 ipalib/output.py|  3 ++-
 ipalib/parameters.py|  9 ++---
 ipalib/util.py  | 38 +
 ipaserver/plugins/idrange.py|  4 ++--
 ipaserver/plugins/migration.py  |  2 +-
 ipaserver/plugins/trust.py  |  4 ++--
 ipatests/test_ipalib/test_output.py |  8 ++--
 8 files changed, 61 insertions(+), 15 deletions(-)

diff --git a/API.txt b/API.txt
index 0526d5a902..05dec4475c 100644
--- a/API.txt
+++ b/API.txt
@@ -2973,7 +2973,7 @@ option: Int('ipabaserid?', cli_name='rid_base')
 option: Int('ipaidrangesize', cli_name='range_size')
 option: Str('ipanttrusteddomainname?', cli_name='dom_name')
 option: Str('ipanttrusteddomainsid?', cli_name='dom_sid')
-option: StrEnum('iparangetype?', cli_name='type', values=[u'ipa-ad-trust-posix', u'ipa-ad-trust', u'ipa-local'])
+option: StrEnum('iparangetype?', cli_name='type', values=[u'ipa-ad-trust', u'ipa-ad-trust-posix', u'ipa-local'])
 option: Int('ipasecondarybaserid?', cli_name='secondary_rid_base')
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
 option: Str('setattr*', cli_name='setattr')
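Review bot: the reordering of `values=[...]` for `iparangetype?` here (and for the `scope` and `range_type` options in the following hunks) is not only a change to the API.txt text: the list order is what clients see in the schema and in `ipa help`, so the commit message should say explicitly that enumeration values are now emitted sorted and that their order changes for clients, rather than only that the output is the same under Python 2 and 3.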
@@ -2998,7 +2998,7 @@ option: Int('ipabaseid?', autofill=False, cli_name='base_id')
 option: Int('ipabaserid?', autofill=False, cli_name='rid_base')
 option: Int('ipaidrangesize?', autofill=False, cli_name='range_size')
 option: Str('ipanttrusteddomainsid?', autofill=False, cli_name='dom_sid')
-option: StrEnum('iparangetype?', autofill=False, cli_name='type', values=[u'ipa-ad-trust-posix', u'ipa-ad-trust', u'ipa-local'])
+option: StrEnum('iparangetype?', autofill=False, cli_name='type', values=[u'ipa-ad-trust', u'ipa-ad-trust-posix', u'ipa-local'])
 option: Int('ipasecondarybaserid?', autofill=False, cli_name='secondary_rid_base')
 option: Flag('pkey_only?', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
@@ -3255,7 +3255,7 @@ option: Str('groupignoreobjectclass*', autofill=True, cli_name='group_ignore_obj
 option: Str('groupobjectclass+', autofill=True, cli_name='group_objectclass', default=[u'groupOfUniqueNames', u'groupOfNames'])
 option: Flag('groupoverwritegid', autofill=True, cli_name='group_overwrite_gid', default=False)
 option: StrEnum('schema?', autofill=True, cli_name='schema', default=u'RFC2307bis', values=[u'RFC2307bis', u'RFC2307'])
-option: StrEnum('scope', autofill=True, cli_name='scope', default=u'onelevel', values=[u'base', u'subtree', u'onelevel'])
+option: StrEnum('scope', autofill=True, cli_name='scope', default=u'onelevel', values=[u'base', u'onelevel', u'subtree'])
 option: Bool('use_def_group?', autofill=True, cli_name='use_default_group', default=True)
 option: DNParam('usercontainer', autofill=True, cli_name='user_container', default=ipapython.dn.DN('ou=people'))
 option: Str('userignoreattribute*', autofill=True, cli_name='user_ignore_attribute', default=[])
@@ -5721,7 +5721,7 @@ option: Int('base_id?', cli_name='base_id')
 option: Bool('bidirectional?', cli_name='two_way', default=False)
 option: Bool('external?', cli_name='external', default=False)
 option: Int('range_size?', cli_name='range_size')
-option: StrEnum('range_type?', cli_name='range_type', values=[u'ipa-ad-trust-posix', u'ipa-ad-trust'])
+option: StrEnum('range_type?', cli_name='range_type', values=[u'ipa-ad-trust', u'ipa-ad-trust-posix'])
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
 option: Str('realm_admin?', cli_name='admin')
 option: Password('realm_passwd?', cli_name='password', confirm=False)
diff --git a/ipalib/output.py b/ipalib/output.py
index b104584631..afcbefa110 100644
--- a/ipalib/output.py
+++ b/ipalib/output.py
@@ -25,6 +25,7 @@
 from ipalib.plugable import ReadOnly, lock
 from ipalib.capabilities import client_has_capability
 from ipalib.text import _
+from ipalib.util import apirepr
 
 if six.PY3:
 unicode = str
@@ -98,7 +99,7 
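The PR body above describes a customised `reprlib` repr that produces the same `API.txt` under Python 2 and 3, and the API.txt hunks show the companion change: `values=[...]` lists are now emitted in sorted order. The following is an added example, not FreeIPA's `ipalib.util.apirepr` (which this digest does not show); `APIRepr`, `_stable` and `api_values` are names chosen here. It runs on Python 3 and emits Python 2's spelling of the same values, which is the direction the PR needs when the reference file was originally generated under Python 2:

```python
import builtins
import reprlib


class APIRepr(reprlib.Repr):
    """Render values the way Python 2's repr() did, on any Python 3.

    Text gets the u'' prefix and Python 2's \\xNN / \\uNNNN escapes for
    non-ASCII, byte strings lose the b'' prefix, sets use the set([...])
    spelling and are sorted, dict keys are sorted, and nothing is truncated.
    """

    def __init__(self):
        super().__init__()
        # reprlib truncates long containers with '...'; API.txt needs every value.
        no_limit = 2 ** 31
        self.maxlevel = no_limit
        self.maxtuple = self.maxlist = self.maxarray = no_limit
        self.maxdict = self.maxset = self.maxfrozenset = self.maxdeque = no_limit
        self.maxstring = self.maxlong = self.maxother = no_limit

    def repr_str(self, x, level):
        # ascii() escapes non-ASCII exactly as Python 2's repr(unicode) did
        return 'u' + builtins.ascii(x)

    def repr_bytes(self, x, level):
        # Python 2 had no b'' prefix for native byte strings
        return builtins.repr(x)[1:]

    def repr_set(self, x, level):
        # Python 2 spelling, and a stable element order for an unordered type
        return 'set(' + self.repr1(_stable(x), level) + ')'

    def repr_frozenset(self, x, level):
        return 'frozenset(' + self.repr1(_stable(x), level) + ')'


def _stable(iterable):
    """Sort when the elements are mutually comparable, else keep input order."""
    try:
        return sorted(iterable)
    except TypeError:
        return list(iterable)


def apirepr(value):
    """Interpreter-independent repr() of one parameter attribute value."""
    return APIRepr().repr(value)


def api_values(values):
    """Render a StrEnum values=[...] fragment with a stable element order."""
    return 'values=' + apirepr(_stable(values))


if __name__ == "__main__":
    # Constructed sample: the option from the first API.txt hunk above.
    print("option: StrEnum('iparangetype?', cli_name='type', "
          + api_values(['ipa-ad-trust-posix', 'ipa-ad-trust', 'ipa-local']) + ")")
```

Pinning the format to one interpreter's spelling and sorting every unordered container means a diff of API.txt reflects a real API change rather than a run-to-run or interpreter-to-interpreter artefact, which is what makes the file usable as a regression check.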

[Freeipa-devel] [freeipa PR#1578][closed] [Backport][ipa-4-5] Test to check if userroot.ldif have proper ownership

2018-02-14 Thread tiran via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1578
Author: tiran
 Title: #1578: [Backport][ipa-4-5] Test to check if userroot.ldif have proper ownership
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1578/head:pr1578
git checkout pr1578


[Freeipa-devel] [freeipa PR#1581][closed] [Backport][ipa-4-6]- Ca > ext > ca backport-4-6

2018-02-14 Thread Rezney via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1581
Author: Rezney
 Title: #1581: [Backport][ipa-4-6]- Ca > ext  > ca backport-4-6
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1581/head:pr1581
git checkout pr1581


[Freeipa-devel] [freeipa PR#1582][opened] User must not be able to delete his last active otp token

2018-02-14 Thread flo-renaud via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1582
Author: flo-renaud
 Title: #1582: User must not be able to delete his last active otp token
Action: opened

PR body:
"""
Fix and unit test for the issue. When an OTP token is the last active token, 
the user should not be allowed to delete that token if 'otp' is the only allowed 
authentication method.

Fixes:
https://pagure.io/freeipa/issue/7012

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1582/head:pr1582
git checkout pr1582
From aeddfdb345b9e86c481cc4ed1e4e2772457279e9 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Wed, 14 Feb 2018 13:56:08 +0100
Subject: [PATCH 1/2] User must not be able to delete his last active otp token

The 389-ds plugin for OTP last token is performing data initialization
in its ipa_otp_lasttoken_init method, which is wrong according to
the Plug-in Guide:
> For example, the init function should not attempt to perform an
> internal search or other internal operation, because the all of
> the subsystems are not up and running during the init phase.

This init method fills a structure containing the configuration of
allowed authentication types. As the method is called too early, the
method does not find any suffix and leaves the structure empty.
Subsequent calls find an empty structure and take the default values
(for authentication methods, the default is 1 = password).

Because of that, the code considers that the global configuration defines
the password authentication method, and in this case it is allowed to delete
a user's last otp token.

The fix implements a SLAPI_PLUGIN_START_FN method that will be called
when 389-ds is ready to initialize the plugin data, ensuring that the
structure is properly initialized.

Fixes:
https://pagure.io/freeipa/issue/7012
---
 .../ipa-otp-lasttoken/ipa_otp_lasttoken.c  | 32 --
 1 file changed, 24 insertions(+), 8 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
index a085a3a328..b7a2ba7f01 100644
--- a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
+++ b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
@@ -50,6 +50,7 @@
 #define OTP_CONTAINER "cn=otp,%s"
 
 static struct otp_config *otp_config;
+void *ipa_otp_lasttoken_plugin_id;
 
 static bool entry_is_token(Slapi_Entry *entry)
 {
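Review bot: `void *ipa_otp_lasttoken_plugin_id;` is a file-scope variable with external linkage and an untyped pointer. The value it receives from `slapi_pblock_get(pb, SLAPI_PLUGIN_IDENTITY, ...)` is the `Slapi_ComponentId *` that the removed local `plugin_id` held, and nothing outside this file uses it, so declare it `static Slapi_ComponentId *ipa_otp_lasttoken_plugin_id;` to keep the symbol private and the type checked at the `slapi_register_plugin` and `otp_config_init` call sites.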
@@ -255,6 +256,17 @@ static int postop_init(Slapi_PBlock *pb)
 return ret;
 }
 
+/* Init data structs */
+static int ipa_otp_lasttoken_start(Slapi_PBlock *pb)
+{
+/* NOTE: We never call otp_config_fini() from a destructor. This is because
+ *   it may race with threaded requests at shutdown. This leak should
+ *   only occur when the DS is exiting, so it isn't a big deal.
+ */
+otp_config = otp_config_init(ipa_otp_lasttoken_plugin_id);
+return LDAP_SUCCESS;
+}
+
 int ipa_otp_lasttoken_init(Slapi_PBlock *pb)
 {
 static const Slapi_PluginDesc preop_desc = {
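Review bot: `ipa_otp_lasttoken_start` returns `LDAP_SUCCESS` unconditionally, so if `otp_config_init()` returns NULL the plugin reports a successful start and every later pre/post-operation callback dereferences a NULL `otp_config`. Test the result and return a non-zero status (with a log line) so that the server refuses to start instead of failing on a user's delete request. The `pb` parameter is unused in the new function; mark it as such if the build runs with `-Wunused-parameter`.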
@@ -264,20 +276,24 @@ int ipa_otp_lasttoken_init(Slapi_PBlock *pb)
 "Protect the user's last active token"
 };
 
-Slapi_ComponentId *plugin_id = NULL;
 int ret = 0;
 
-ret |= slapi_pblock_get(pb, SLAPI_PLUGIN_IDENTITY, _id);
+ret |= slapi_pblock_get(pb, SLAPI_PLUGIN_IDENTITY,
+_otp_lasttoken_plugin_id);
 ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_01);
 ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, (void *) _desc);
 ret |= slapi_register_plugin("betxnpreoperation", 1, __func__, preop_init,
- PLUGIN_NAME " betxnpreoperation", NULL, plugin_id);
+ PLUGIN_NAME " betxnpreoperation", NULL,
+ ipa_otp_lasttoken_plugin_id);
 ret |= slapi_register_plugin("postoperation", 1, __func__, postop_init,
- PLUGIN_NAME " postoperation", NULL, plugin_id);
-ret |= slapi_register_plugin("internalpostoperation", 1, __func__, intpostop_init,
- PLUGIN_NAME " internalpostoperation", NULL, plugin_id);
+ PLUGIN_NAME " postoperation", NULL,
+ ipa_otp_lasttoken_plugin_id);
+ret |= slapi_register_plugin("internalpostoperation", 1, __func__,
+ intpostop_init,
+ PLUGIN_NAME " internalpostoperation", NULL,
+ ipa_otp_lasttoken_plugin_id);
+ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_START_FN,
+(void *)ipa_otp_lasttoken_start);
 
-/* NOTE: leak otp_config on process exit. */
-otp_config = otp_config_init(plugin_id);
 return ret;
 }
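Review bot: `ret` accumulates every return code with `|=` and is only inspected by the caller, so when `slapi_pblock_get(pb, SLAPI_PLUGIN_IDENTITY, ...)` fails, the three `slapi_register_plugin` calls and the `SLAPI_PLUGIN_START_FN` registration still run with an unset identity; consider returning early after that first failure. Separately, as rendered here the address-of arguments read `_otp_lasttoken_plugin_id` and `_desc`; confirm the committed lines pass `&ipa_otp_lasttoken_plugin_id` and `&preop_desc` (the mail rendering appears to have dropped the `&`).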

From 67df89b4bb36c0c7279af9e89972cbad6c4ca016 Mon Sep 17 00:00:00 2001
From: Florence 

[Freeipa-devel] [freeipa PR#1577][closed] [Backport][ipa-4-6] Test to check if userroot.ldif have proper ownership

2018-02-14 Thread tiran via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1577
Author: tiran
 Title: #1577: [Backport][ipa-4-6] Test to check if userroot.ldif have proper ownership
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1577/head:pr1577
git checkout pr1577
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] Re: authconfig replacement design

2018-02-14 Thread Alexander Bokovoy via FreeIPA-devel

On Wed, 14 Feb 2018, Alexander Koksharov via FreeIPA-devel wrote:

Hello,

Please take a look at the design page here:
https://www.freeipa.org/page/V4/Authselect_migration
I would like to hear your criticism and suggestions.

Thanks!

One note I have is about authconfig arguments. We gather them together
and launch only one authconfig command. There is, I believe, a
conceptual difference between running authconfig with all options on a
single line and running it as separate executions, so you'd get different
configurations.

This may be subtle at first sight, but we need to ensure that an
authselect replacement would continue to provide the same configuration
in the end.


I assume you are going to add the actual authselect part later.
--
/ Alexander Bokovoy


[Freeipa-devel] authconfig replacement design

2018-02-14 Thread Alexander Koksharov via FreeIPA-devel
Hello,

Please take a look at the design page here:
https://www.freeipa.org/page/V4/Authselect_migration
I would like to hear your criticism and suggestions.

Thank you

--
Alexander


[Freeipa-devel] [freeipa PR#1579][opened] [Backport][ipa-4-5] [Backport][ipa-4-6] - test_renewal_master: add ipa csreplica-manage test

2018-02-14 Thread Rezney via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1579
Author: Rezney
 Title: #1579: [Backport][ipa-4-5] [Backport][ipa-4-6] - test_renewal_master: add ipa csreplica-manage test
Action: opened

PR body:
"""
This PR was opened automatically because PR #1573 was pushed to ipa-4-6 and backport to ipa-4-5 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1579/head:pr1579
git checkout pr1579
From 43f3979a03daa8f25a80148a5224e65e91ad1b7f Mon Sep 17 00:00:00 2001
From: Michal Reznik 
Date: Wed, 13 Dec 2017 09:49:54 +0100
Subject: [PATCH] test_renewal_master: add ipa csreplica-manage test

Add a test case for setting the renewal master using the command
ipa-csreplica-manage.

Automation related to upstream ticket #7120. Testing using
config-mod is already covered.

https://pagure.io/freeipa/issue/7321

Reviewed-By: Christian Heimes 
---
 .../test_integration/test_replica_promotion.py | 46 +-
 1 file changed, 44 insertions(+), 2 deletions(-)

diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 4629d1ff05..5ee79601e4 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -454,6 +454,13 @@ class TestRenewalMaster(IntegrationTest):
 def uninstall(cls, mh):
 super(TestRenewalMaster, cls).uninstall(mh)
 
+def assertCARenewalMaster(self, host, expected):
+""" Ensure there is only one CA renewal master set """
+result = host.run_command(["ipa", "config-show"]).stdout_text
+matches = list(re.finditer('IPA CA renewal master: (.*)', result))
+assert len(matches), 1
+assert matches[0].group(1) == expected
+
 def test_replica_not_marked_as_renewal_master(self):
 """
 https://fedorahosted.org/freeipa/ticket/5902
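Review bot: `assert len(matches), 1` in `assertCARenewalMaster` does not check the count: it asserts that `len(matches)` is truthy and uses `1` as the failure message, so an output listing two renewal masters would pass the check the docstring promises. Write `assert len(matches) == 1`, and make sure `re` is imported in this module (the hunk does not show it).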
@@ -476,10 +483,45 @@ def test_manual_renewal_master_transfer(self):
 assert("IPA CA renewal master: %s" % replica.hostname in result), (
 "Replica hostname not found among CA renewal masters"
 )
+# additional check e.g. to see if there is only one renewal master
+self.assertCARenewalMaster(replica, replica.hostname)
+
+def test_renewal_master_with_csreplica_manage(self):
+
+master = self.master
+replica = self.replicas[0]
+
+self.assertCARenewalMaster(master, replica.hostname)
+self.assertCARenewalMaster(replica, replica.hostname)
+
+master.run_command(['ipa-csreplica-manage', 'set-renewal-master',
+'-p', master.config.dirman_password])
+result = master.run_command(["ipa", "config-show"]).stdout_text
+
+assert("IPA CA renewal master: %s" % master.hostname in result), (
+"Master hostname not found among CA renewal masters"
+)
+
+# lets give replication some time
+time.sleep(60)
+
+self.assertCARenewalMaster(master, master.hostname)
+self.assertCARenewalMaster(replica, master.hostname)
+
+replica.run_command(['ipa-csreplica-manage', 'set-renewal-master',
+ '-p', replica.config.dirman_password])
+result = replica.run_command(["ipa", "config-show"]).stdout_text
+
+assert("IPA CA renewal master: %s" % replica.hostname in result), (
+"Replica hostname not found among CA renewal masters"
+)
+
+self.assertCARenewalMaster(master, replica.hostname)
+self.assertCARenewalMaster(replica, replica.hostname)
 
 def test_automatic_renewal_master_transfer_ondelete(self):
-# Test that after master uninstallation, replica overtakes the cert
-# renewal master role
+# Test that after replica uninstallation, master overtakes the cert
+# renewal master role from replica (which was previously set there)
 tasks.uninstall_master(self.replicas[0])
 result = self.master.run_command(['ipa', 'config-show']).stdout_text
 assert("IPA CA renewal master: %s" % self.master.hostname in result), (
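Review bot: `time.sleep(60)` after the first `set-renewal-master` is a fixed wait for replication that will be both slow and flaky; poll `ipa config-show` on the replica until the expected value appears, with a timeout, instead. Also, the rewritten comment in `test_automatic_renewal_master_transfer_ondelete` documents that it now relies on the previous test having left the replica as renewal master, which makes the tests order-dependent; setting the renewal master explicitly at the start of that test would keep it self-contained.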


[Freeipa-devel] [freeipa PR#1573][closed] [Backport][ipa-4-6] - test_renewal_master: add ipa csreplica-manage test

2018-02-14 Thread Rezney via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1573
Author: Rezney
 Title: #1573: [Backport][ipa-4-6] - test_renewal_master: add ipa csreplica-manage test
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1573/head:pr1573
git checkout pr1573


[Freeipa-devel] [freeipa PR#1574][closed] [Backport][ipa-4-5] - ipa_tests: test subca key replication

2018-02-14 Thread Rezney via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1574
Author: Rezney
 Title: #1574: [Backport][ipa-4-5] - ipa_tests: test subca key replication
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1574/head:pr1574
git checkout pr1574


[Freeipa-devel] [freeipa PR#1416][closed] Do not allow users delete their last otp token

2018-02-14 Thread flo-renaud via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1416
Author: felipevolpone
 Title: #1416: Do not allow users delete their last otp token
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1416/head:pr1416
git checkout pr1416