[Freeipa-devel] [PATCH] 0030 Fix --{user, group}-ignore-attribute in migration plugin.
https://fedorahosted.org/freeipa/ticket/4620 -- David Kupka From b6aba1531af03ca3511690548de109d585828486 Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Wed, 19 Nov 2014 09:57:59 -0500 Subject: [PATCH] Fix --{user,group}-ignore-attribute in migration plugin. Ignore case in attribute names. https://fedorahosted.org/freeipa/ticket/4620 --- ipalib/plugins/migration.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py index 6b630a464f0be163e82de95afe3a74b22889574b..57545b594f4ec6c53521abeab339399099d8125e 100644 --- a/ipalib/plugins/migration.py +++ b/ipalib/plugins/migration.py @@ -197,7 +197,7 @@ def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs # do not migrate all attributes for attr in entry_attrs.keys(): -if attr in attr_blacklist: +if attr.lower() in attr_blacklist: del entry_attrs[attr] # do not migrate all object classes @@ -394,7 +394,7 @@ def _pre_migrate_group(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwarg # do not migrate all attributes for attr in entry_attrs.keys(): -if attr in attr_blacklist: +if attr.lower() in attr_blacklist: del entry_attrs[attr] # do not migrate all object classes -- 2.1.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
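Review bot: the `attr.lower()` comparison in both hunks only normalizes the entry side, so the match still fails when `attr_blacklist` itself carries a mixed-case name (an attribute passed to `--user-ignore-attribute` or `--group-ignore-attribute` as, say, `telephoneNumber`); either lowercase the option values when `attr_blacklist` is built, or compare a normalized copy of both sides. A smaller point: deleting from `entry_attrs` while iterating `entry_attrs.keys()` is only safe because `keys()` returns a copy here; if that ever becomes a live view the `del` will raise mid-loop, so iterating the blacklist instead of the entry would be more robust.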
Re: [Freeipa-devel] [PATCH] 0030 Fix --{user, group}-ignore-attribute in migration plugin.
On 11/20/2014 09:51 AM, David Kupka wrote:
> https://fedorahosted.org/freeipa/ticket/4620

This should work fine, the change was also already tested by the reporter.

Do we also normalize the user blacklist option so that it works if the user passes, for example, CamelCase'd attributes?

Martin
Re: [Freeipa-devel] [PATCH] 0030 Fix --{user, group}-ignore-attribute in migration plugin.
On 20.11.2014 at 09:51, David Kupka wrote:
> https://fedorahosted.org/freeipa/ticket/4620

IMO changing the loop to:

    for attr in attr_blacklist:
        entry_attrs.pop(attr, None)

would be better, because LDAPEntry already handles case insensitivity in attribute names.

--
Jan Cholasta
Re: [Freeipa-devel] [PATCH 0166] Workaround: warning if CA did not start at end of upgrade instead of raising error
On 19.11.2014 15:57, Simo Sorce wrote:
> On Wed, 19 Nov 2014 10:17:03 +0100
> Martin Basti mba...@redhat.com wrote:
>>> Given the obstacles, I am inclining for
>>> - pushing B as a safe fix for Fedora 21 Final
>>> - fixing issues in A and pushing it for minor release after that to avoid the nasty warning and have some reasonable medium-term fix until the framework migrates to something better than httpslib, like python-requests maybe.
>>>
>>> Martin
>> Sounds good to me. Patch required for F21 attached. (with proper number)
>> I will send the second patch after release for fedora (or should I sooner?)
>>
>> Martin^2
> Ack.
> simo.

Pushed to:
master: 43285b1fc3da7ab0c0fe411295e53a45f9a42106
ipa-4-1: 3f3f49ea93f8ca0c2cdd569a78c952492e7b520a

--
Petr Vobornik
Re: [Freeipa-devel] [PATCHES] Fix getkeytab operation
On Wed, 19 Nov 2014, Simo Sorce wrote:
> ----- Original Message -----
>> From: Alexander Bokovoy aboko...@redhat.com
>> [...]
>> Regarding the patchset itself:
>>
>> Patch 0001: fix 'wuld' in the commit message. The rest is fine.
> Fixed.
>> Patch 0002:
>> - ticket number is missing in the commit message
> Added.
>> - perhaps, an instruction on how to regenerate asn1 code can be made a Makefile target? We don't need to call it ourselves but this would simplify things in future
> Added make regenerate target to asn1c makefile
>> - I'm a little uncomfortable how ASN_DEBUG() output goes explicitly to stderr but I guess this is something we currently cannot override with DS-specific log printing, so no big deal right now
> ASN_DEBUG() is currently disabled as EMIT_ASN_DEBUG is undefined, we can later provide a replacement ASN_DEBUG function to hook debugging, but given the same code is used in both DS plugins and ipa-getkeytab binary I did not want to assume anything, and how to wire it up (if we even want to) should probably be discussed at a later time.
>> - any specific need to get asn1/compile committed? We don't commit it in the client code (ipa-client/compile).
> Added 'compile' to .gitignore in second patch
>> Patch 0003: OK
> Nothing changed here.
>
> I also remembered the patch naming policy :-) so new patch names/numbers are 514,515,516, third revision.

Thanks. The only complaint I have left is the number of whitespace errors that git says are in the 515th patch.

Otherwise, ACK. I've tested it again and everything works except getting stronger than asked TGT enctype but this is not an issue with getkeytab controls.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 0030 Fix --{user, group}-ignore-attribute in migration plugin.
On 11/20/2014 10:03 AM, Jan Cholasta wrote: Dne 20.11.2014 v 09:51 David Kupka napsal(a): https://fedorahosted.org/freeipa/ticket/4620 IMO changing the loop to: for attr in attr_blacklist: entry_attrs.pop(attr, None) would be better, because LDAPEntry already handles case insensitivity in attribute names. This seems better, thanks. -- David Kupka From 94293d14e51507819c4296c52d5d8ce4def9a4c8 Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Wed, 19 Nov 2014 09:57:59 -0500 Subject: [PATCH] Fix --{user,group}-ignore-attribute in migration plugin. Ignore case in attribute names. https://fedorahosted.org/freeipa/ticket/4620 --- ipalib/plugins/migration.py | 10 -- 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py index 6b630a464f0be163e82de95afe3a74b22889574b..fa3d512bf1434c7d349713f78c292b481021303a 100644 --- a/ipalib/plugins/migration.py +++ b/ipalib/plugins/migration.py @@ -196,9 +196,8 @@ def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs entry_attrs.setdefault('loginshell', default_shell) # do not migrate all attributes -for attr in entry_attrs.keys(): -if attr in attr_blacklist: -del entry_attrs[attr] +for attr in attr_blacklist: +entry_attrs.pop(attr, None) # do not migrate all object classes if 'objectclass' in entry_attrs: @@ -393,9 +392,8 @@ def _pre_migrate_group(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwarg raise ValueError('Schema %s not supported' % schema) # do not migrate all attributes -for attr in entry_attrs.keys(): -if attr in attr_blacklist: -del entry_attrs[attr] +for attr in attr_blacklist: +entry_attrs.pop(attr, None) # do not migrate all object classes if 'objectclass' in entry_attrs: -- 2.1.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
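Review bot: the new loop `for attr in attr_blacklist: entry_attrs.pop(attr, None)` makes correctness depend on `entry_attrs` being an `LDAPEntry` with case-insensitive key lookup; a one-line comment on the loop saying so would help, because with a plain dict the `pop(..., None)` would silently skip mixed-case names and nothing would flag it. The object-class blacklist loop just below each hunk (not part of the diff) still removes the raw string from the list; the thread notes object classes are lowercased beforehand, so a comment there would stop the next reader from re-raising the same question. On the plus side, iterating the blacklist instead of `entry_attrs.keys()` also removes the delete-while-iterating pattern of the first revision.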
Re: [Freeipa-devel] [PATCH] 0655 Add additional backup restore checks
On 10/08/2014 04:41 PM, Petr Viktorin wrote:
> This adds basic checks that PAM, DNS, and Kerberos are working before and after the backup/restore (in addition to DS, CA and IPA CLI that were there before).

Ping, can someone review this patch?

--
Petr³
Re: [Freeipa-devel] [PATCH] 0655 Add additional backup restore checks
On 20/11/14 11:54, Petr Viktorin wrote:
> On 10/08/2014 04:41 PM, Petr Viktorin wrote:
>> This adds basic checks that PAM, DNS, and Kerberos are working before and after the backup/restore (in addition to DS, CA and IPA CLI that were there before).
> Ping, can someone review this patch?

I will review it.

Martin^2

--
Martin Basti
Re: [Freeipa-devel] [PATCH] 373 Update Requires on pki-ca to 10.2.1-0.1
On Wed, 19 Nov 2014, Jan Cholasta wrote:
> On 19.11.2014 at 14:07, Petr Vobornik wrote:
>> On 19.11.2014 13:59, Jan Cholasta wrote:
>>> On 19.11.2014 at 13:55, Petr Vobornik wrote:
>>>> On 18.11.2014 23:29, Nathaniel McCallum wrote:
>>>>> On Tue, 2014-11-18 at 19:56 +0100, Jan Cholasta wrote:
>>>>>> Hi,
>>>>>>
>>>>>> the attached patch fixes https://fedorahosted.org/freeipa/ticket/4645.
>>>>> ACK
>>>> Shouldn't the version be 10.1.2-4 ?
>>>> http://koji.fedoraproject.org/koji/buildinfo?buildID=594223
>>> No.
>> ok, nevermind, f21 has 10.2.1-0.1, but it doesn't list the fix in the changelog.
>>
>> But the patch needs a rebase because of Martin's patch.
>> http://koji.fedoraproject.org/koji/buildinfo?buildID=588670
> Rebased and pushed to ipa-4-1: 4e1193119b3e7f7c13f504f24445509958887927

I don't see 10.2.1-0.1 in Fedora 21. We have to remove this patch in the Fedora 21 packages because we are not going to get pki-ca FreezeException for this issue. Once F21 is released, we'll re-add the dependency in a subsequent build.

https://admin.fedoraproject.org/updates/search/pki-core

--
/ Alexander Bokovoy
[Freeipa-devel] Releasing FreeIPA 4.1.2
Hello,

We seem to have enough content to release 4.1.2 that will be required to fix some of the Fedora 21 blockers:
https://bugzilla.redhat.com/show_bug.cgi?id=1165856
https://bugzilla.redhat.com/show_bug.cgi?id=1165261
and Freeze exception:
https://bugzilla.redhat.com/show_bug.cgi?id=1165674

Current plan is to release stabilization release 4.1.2 with what we have as it contains the important installation and upgrade fixes. The only problem there is that some patches require components that are not in Fedora stable repos, more specifically commits:
7aa855a3 - requiring new certmonger
4e119311 - requiring new pki-core

We can release 4.1.2 with them, but they would need to be removed from Fedora 21 downstream release and added back in normal 0day Fedora 21 update. Alternative way would be to just include selected patches for existing Fedora 21 build.

Any comments, what else is missing in 4.1.2? I only know about
https://fedorahosted.org/freeipa/ticket/4718
https://fedorahosted.org/freeipa/ticket/4728
which is ACKed at the moment, AFAIK.

--
Martin Kosek mko...@redhat.com
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.
Re: [Freeipa-devel] [PATCH] 0030 Fix --{user, group}-ignore-attribute in migration plugin.
On 20/11/14 11:53, David Kupka wrote:
> On 11/20/2014 10:03 AM, Jan Cholasta wrote:
>> On 20.11.2014 at 09:51, David Kupka wrote:
>>> https://fedorahosted.org/freeipa/ticket/4620
>> IMO changing the loop to:
>>
>>     for attr in attr_blacklist:
>>         entry_attrs.pop(attr, None)
>>
>> would be better, because LDAPEntry already handles case insensitivity in attribute names.
> This seems better, thanks.

IMO the same problem is with objectclasses.

    # do not migrate all object classes
    if 'objectclass' in entry_attrs:
        for object_class in kwargs.get('oc_blacklist', []):
            try:
                entry_attrs['objectclass'].remove(object_class)  # this is case sensitive
            except ValueError:  # object class not present
                pass

Am I right?

Martin^2

--
Martin Basti
Re: [Freeipa-devel] [PATCHES] Fix getkeytab operation
On Thu, 20 Nov 2014 12:36:45 +0200
Alexander Bokovoy aboko...@redhat.com wrote:
> On Wed, 19 Nov 2014, Simo Sorce wrote:
>> [...]
>> I also remembered the patch naming policy :-) so new patch names/numbers are 514,515,516, third revision.
> Thanks. The only complaint I have left is the number of whitespace errors that git says are in the 515th patch.

Yeah the autogenerated code is not a pretty sight style-wise, do we want to run an automatic indenter on it ? I was hesitant to do so, but I wouldn't mind adding that, if we feel strongly about it.

> Otherwise, ACK. I've tested it again and everything works except getting stronger than asked TGT enctype but this is not an issue with getkeytab controls.

ok,
Simo.

--
Simo Sorce * Red Hat, Inc * New York
[Freeipa-devel] [PATCH] 789 restore: clear httpd ccache after restore
so that httpd ccache won't contain old credentials which would make ipa CLI fail with error: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Decrypt integrity check failed) https://fedorahosted.org/freeipa/ticket/4726 -- Petr Vobornik From 4483d0edd36d56245dfd379dd4360b9af5d3bc86 Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Thu, 20 Nov 2014 15:11:02 +0100 Subject: [PATCH] restore: clear httpd ccache after restore so that httpd ccache won't contain old credentials which would make ipa CLI fail with error: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Decrypt integrity check failed) https://fedorahosted.org/freeipa/ticket/4726 --- ipaserver/install/ipa_restore.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py index 8b1e80f5ed5e140ccb17ea0b63d92b6049507b74..72afcc5832bf38074318d98e795a779ee6475f34 100644 --- a/ipaserver/install/ipa_restore.py +++ b/ipaserver/install/ipa_restore.py @@ -315,6 +315,8 @@ class Restore(admintool.AdminTool): self.log.info('Restarting SSSD') sssd = services.service('sssd') sssd.restart() +http = httpinstance.HTTPInstance() +http.remove_httpd_ccache() finally: try: os.chdir(cwd) -- 1.9.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
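Review bot: the two added lines sit at the end of the `try` body, so the httpd ccache is only removed when every earlier restore step in that block succeeded; if the goal is to never leave stale httpd credentials behind, even after a partially failed restore, moving the call into the `finally` (or ahead of the service restarts) would be more robust. The neighbouring steps also log what they do (`self.log.info('Restarting SSSD')`), so a matching `self.log.info` line before `http.remove_httpd_ccache()` would make it visible in the restore log when someone is chasing the "Decrypt integrity check failed" error the commit message describes.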
[Freeipa-devel] [PATCH] 376 Stop tracking certificates before restoring them in ipa-restore
Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4727. Honza -- Jan Cholasta From 2cf85ec35cf4618279af81ba16d4a4805e8c590e Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Thu, 20 Nov 2014 13:57:46 + Subject: [PATCH] Stop tracking certificates before restoring them in ipa-restore https://fedorahosted.org/freeipa/ticket/4727 --- ipaserver/install/ipa_restore.py | 12 ++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py index 7276ed3..a9a3cbf 100644 --- a/ipaserver/install/ipa_restore.py +++ b/ipaserver/install/ipa_restore.py @@ -26,7 +26,7 @@ import pwd from ConfigParser import SafeConfigParser from ipalib import api, errors -from ipapython import version, ipautil, certdb +from ipapython import version, ipautil, certdb, dogtag from ipapython.ipautil import run, user_input from ipapython import admintool from ipapython.dn import DN @@ -36,7 +36,7 @@ from ipaserver.install.cainstance import PKI_USER, create_ca_user from ipaserver.install.replication import (wait_for_task, ReplicationManager, get_cs_replication_manager) from ipaserver.install import installutils -from ipaserver.install import httpinstance +from ipaserver.install import dsinstance, httpinstance, cainstance from ipapython import ipaldap import ipapython.errors from ipaplatform.tasks import tasks @@ -663,6 +663,12 @@ class Restore(admintool.AdminTool): self.log.error('%s', e) def cert_restore_prepare(self): +cainstance.CAInstance().stop_tracking_certificates( +dogtag.configured_constants()) +httpinstance.HTTPInstance().stop_tracking_certificates() +dsinstance.DsInstance().stop_tracking_certificates( +realm_to_serverid(api.env.realm)) + for basename in ('cert8.db', 'key3.db', 'secmod.db', 'pwdfile.txt'): filename = os.path.join(paths.IPA_NSSDB_DIR, basename) try: 
@@ -692,3 +698,5 @@ class Restore(admintool.AdminTool): (nickname, paths.IPA_NSSDB_DIR, e)) tasks.reload_systemwide_ca_store() + +services.knownservices.certmonger.restart() -- 2.1.0 From 70bfeade55dd359f722b6d6cfb5efd6842e5c1ba Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Thu, 20 Nov 2014 13:57:46 + Subject: [PATCH] Stop tracking certificates before restoring them in ipa-restore https://fedorahosted.org/freeipa/ticket/4727 --- ipaserver/install/ipa_restore.py | 12 ++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py index 8b1e80f..bf1e5fd 100644 --- a/ipaserver/install/ipa_restore.py +++ b/ipaserver/install/ipa_restore.py @@ -26,7 +26,7 @@ import pwd from ConfigParser import SafeConfigParser from ipalib import api, errors -from ipapython import version, ipautil, certdb +from ipapython import version, ipautil, certdb, dogtag from ipapython.ipautil import run, user_input from ipapython import admintool from ipapython.dn import DN @@ -36,7 +36,7 @@ from ipaserver.install.cainstance import PKI_USER, create_ca_user from ipaserver.install.replication import (wait_for_task, ReplicationManager, get_cs_replication_manager) from ipaserver.install import installutils -from ipaserver.install import httpinstance +from ipaserver.install import dsinstance, httpinstance, cainstance from ipapython import ipaldap import ipapython.errors from ipaplatform.tasks import tasks @@ -664,6 +664,12 @@ class Restore(admintool.AdminTool): self.log.error('%s', e) def cert_restore_prepare(self): +cainstance.stop_tracking_certificates( +dogtag.configured_constants()) +httpinstance.HTTPInstance().stop_tracking_certificates() +dsinstance.DsInstance().stop_tracking_certificates( +realm_to_serverid(api.env.realm)) + for basename in ('cert8.db', 'key3.db', 'secmod.db', 'pwdfile.txt'): filename = os.path.join(paths.IPA_NSSDB_DIR, basename) try: 
@@ -693,3 +699,5 @@ class Restore(admintool.AdminTool): (nickname, paths.IPA_NSSDB_DIR, e)) tasks.reload_systemwide_ca_store() + +services.knownservices.certmonger.restart() -- 2.1.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
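Review bot: the two revisions of the patch differ only in the first added call, `cainstance.CAInstance().stop_tracking_certificates(...)` versus the module-level `cainstance.stop_tracking_certificates(...)`; the second revision should state which one is the real API, since the hunks give no hint and the wrong one only fails at runtime in the middle of a restore. Both revisions call `realm_to_serverid` and `services.knownservices.certmonger.restart()` without touching the import hunks, so they rely on `realm_to_serverid` and `services` already being imported elsewhere in ipa_restore.py; worth confirming before push. Finally, `cert_restore_prepare` stops tracking but nothing in the diff re-adds it; if the tracking requests are expected to come back from the restored certmonger state when the final `certmonger.restart()` runs, a short comment above that line saying so would spare the next reader the question.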
Re: [Freeipa-devel] [PATCHES] Fix getkeytab operation
On Thu, 2014-11-20 at 09:12 -0500, Simo Sorce wrote:
> On Thu, 20 Nov 2014 12:36:45 +0200
> Alexander Bokovoy aboko...@redhat.com wrote:
>> [...]
>> Thanks. The only complaint I have left is the number of whitespace errors that git says are in the 515th patch.
> Yeah the autogenerated code is not a pretty sight style-wise, do we want to run an automatic indenter on it ? I was hesitant to do so, but I wouldn't mind adding that, if we feel strongly about it.

Let's please not try to correct autogenerated code.

>> Otherwise, ACK. I've tested it again and everything works except getting stronger than asked TGT enctype but this is not an issue with getkeytab controls.
Re: [Freeipa-devel] [PATCH] 0030 Fix --{user, group}-ignore-attribute in migration plugin.
On 20.11.2014 at 14:51, Martin Basti wrote:
> On 20/11/14 11:53, David Kupka wrote:
>> On 11/20/2014 10:03 AM, Jan Cholasta wrote:
>>> On 20.11.2014 at 09:51, David Kupka wrote:
>>>> https://fedorahosted.org/freeipa/ticket/4620
>>> IMO changing the loop to:
>>>
>>>     for attr in attr_blacklist:
>>>         entry_attrs.pop(attr, None)
>>>
>>> would be better, because LDAPEntry already handles case insensitivity in attribute names.
>> This seems better, thanks.
> IMO the same problem is with objectclasses.
>
>     # do not migrate all object classes
>     if 'objectclass' in entry_attrs:
>         for object_class in kwargs.get('oc_blacklist', []):
>             try:
>                 entry_attrs['objectclass'].remove(object_class)  # this is case sensitive
>             except ValueError:  # object class not present
>                 pass
>
> Am I right?

Yes. LDAPEntry does not support case insensitivity in this case, although I plan to implement it in 4.2.

--
Jan Cholasta
Re: [Freeipa-devel] [PATCH] 0030 Fix --{user, group}-ignore-attribute in migration plugin.
On 20/11/14 15:25, Jan Cholasta wrote:
> On 20.11.2014 at 14:51, Martin Basti wrote:
>> On 20/11/14 11:53, David Kupka wrote:
>>> On 11/20/2014 10:03 AM, Jan Cholasta wrote:
>>>> On 20.11.2014 at 09:51, David Kupka wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/4620
>>>> IMO changing the loop to:
>>>>
>>>>     for attr in attr_blacklist:
>>>>         entry_attrs.pop(attr, None)
>>>>
>>>> would be better, because LDAPEntry already handles case insensitivity in attribute names.
>>> This seems better, thanks.
>> IMO the same problem is with objectclasses.
>>
>>     # do not migrate all object classes
>>     if 'objectclass' in entry_attrs:
>>         for object_class in kwargs.get('oc_blacklist', []):
>>             try:
>>                 entry_attrs['objectclass'].remove(object_class)  # this is case sensitive
>>             except ValueError:  # object class not present
>>                 pass
>>
>> Am I right?
> Yes. LDAPEntry does not support case insensitivity in this case, although I plan to implement it in 4.2.

objectclasses are normalized to lowercase before, so it is not an issue.

The patch works fine, ACK :-) .

--
Martin Basti
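The three loop variants discussed in this thread (the original case-sensitive check, the `attr.lower()` revision, and the `pop()` revision), plus the object-class removal Martin asked about, as an added example that is not FreeIPA's code: `CaseInsensitiveEntry` is a hypothetical stand-in for `LDAPEntry`'s case-insensitive attribute lookup, and the sample entry and blacklists are constructed.

```python
# Added example, not FreeIPA's code: CaseInsensitiveEntry is a hypothetical
# stand-in for LDAPEntry's case-insensitive attribute lookup, used to show
# why the loop variants from the thread behave differently.


class CaseInsensitiveEntry(dict):
    """Mapping whose keys compare case-insensitively, like LDAP attributes.

    Values are stored under the lowercased name; the spelling the directory
    returned is kept so keys() reports it, as a real entry would.
    """

    def __init__(self, attrs):
        super().__init__()
        self._names = {}  # lowercased name -> spelling as received
        for name, values in attrs.items():
            self[name] = values

    def __setitem__(self, key, value):
        self._names[key.lower()] = key
        super().__setitem__(key.lower(), value)

    def __getitem__(self, key):
        return super().__getitem__(key.lower())

    def __contains__(self, key):
        return super().__contains__(key.lower())

    def __delitem__(self, key):
        del self._names[key.lower()]
        super().__delitem__(key.lower())

    def pop(self, key, *default):
        self._names.pop(key.lower(), None)
        return super().pop(key.lower(), *default)

    def __iter__(self):
        return iter(list(self._names.values()))

    def keys(self):
        return list(self)


def prune_original(entry_attrs, attr_blacklist):
    """Loop before the fix: compares the raw attribute spelling."""
    for attr in entry_attrs.keys():  # keys() is a copy, so deleting is safe
        if attr in attr_blacklist:
            del entry_attrs[attr]
    return entry_attrs


def prune_lowercased(entry_attrs, attr_blacklist):
    """First revision of the patch: lowercases the entry side only."""
    for attr in entry_attrs.keys():
        if attr.lower() in attr_blacklist:
            del entry_attrs[attr]
    return entry_attrs


def prune_with_pop(entry_attrs, attr_blacklist):
    """Second revision: iterate the blacklist and let the entry match case."""
    for attr in attr_blacklist:
        entry_attrs.pop(attr, None)
    return entry_attrs


def prune_objectclasses(entry_attrs, oc_blacklist):
    """Object-class removal: list.remove() is case sensitive, so both sides are
    lowercased first (the plugin lowercases object classes before this point,
    which is why the thread concludes it is not an issue)."""
    if 'objectclass' in entry_attrs:
        entry_attrs['objectclass'] = [oc.lower() for oc in entry_attrs['objectclass']]
        for oc in oc_blacklist:
            try:
                entry_attrs['objectclass'].remove(oc.lower())
            except ValueError:  # object class not present
                pass
    return entry_attrs


def sample_entry():
    """Constructed sample entry, not real migration data."""
    return CaseInsensitiveEntry({
        'uid': ['alice'],
        'telephoneNumber': ['+1 555 0100'],
        'krbPrincipalKey': ['<constructed blob>'],
        'objectclass': ['top', 'Person', 'inetOrgPerson', 'krbPrincipalAux'],
    })


def demo():
    """Which attributes survive each variant, for a lowercase and a CamelCase option value."""
    lower_option = ['telephonenumber', 'krbprincipalkey']
    camel_option = ['telephoneNumber', 'krbPrincipalKey']
    return {
        'original': sorted(prune_original(sample_entry(), lower_option).keys()),
        'lowercased': sorted(prune_lowercased(sample_entry(), lower_option).keys()),
        'lowercased_camel_option': sorted(prune_lowercased(sample_entry(), camel_option).keys()),
        'pop_camel_option': sorted(prune_with_pop(sample_entry(), camel_option).keys()),
        'objectclass': prune_objectclasses(sample_entry(), ['krbPrincipalAux'])['objectclass'],
    }


if __name__ == '__main__':
    for name, value in demo().items():
        print(f'{name:24} {value}')
```

Only `pop_camel_option` and `lowercased` remove the sensitive attributes; the `lowercased` variant silently keeps them again as soon as the option value is CamelCase, which is the case Martin raised.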
Re: [Freeipa-devel] [PATCH] 788 webui: fix potential XSS vulnerabilities
On 11/19/2014 06:51 PM, Petr Vobornik wrote:
> Escape user defined text to prevent XSS attacks.
>
> Extra precaution was taken to escape also parts which are unlikely to contain user-defined text.
>
> https://fedorahosted.org/freeipa/ticket/4742
>
> resolves CVE-2014-7850
>
> f21 blocker candidate, requires priority review.

ACK, works fine. Resolves issue described in CVE-2014-7850.

Pushed to:
master: bff97e8b2e8d80e75e989b661e873c8e72cd7429
ipa-4-1: af9fd4dfe2c18e52127480c959c35ad37b566095

--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org
Re: [Freeipa-devel] [PATCHES] Fix getkeytab operation
On Thu, 20 Nov 2014, Nathaniel McCallum wrote:
> On Thu, 2014-11-20 at 09:12 -0500, Simo Sorce wrote:
>> On Thu, 20 Nov 2014 12:36:45 +0200
>> Alexander Bokovoy aboko...@redhat.com wrote:
>>> [...]
>>> Thanks. The only complaint I have left is the number of whitespace errors that git says are in the 515th patch.
>> Yeah the autogenerated code is not a pretty sight style-wise, do we want to run an automatic indenter on it ? I was hesitant to do so, but I wouldn't mind adding that, if we feel strongly about it.
> Let's please not try to correct autogenerated code.

I'm not tied to this but Simo now thinks it is better to run the indenter in the generator rule as this will give fewer problems in the actual comparison noise that git diff would give. I'll make sure to talk back to the asn1c author to see if we can improve its generators upstream.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH 0286] baseldap: Handle missing parent objects properly in *-find
On 19.11.2014 at 15:12, Tomas Babej wrote:
> On 11/19/2014 02:03 PM, Jan Cholasta wrote:
>> On 19.11.2014 at 13:44, Tomas Babej wrote:
>>> On 11/19/2014 12:51 PM, Martin Kosek wrote:
>>>> On 11/19/2014 12:41 PM, Tomas Babej wrote:
>>>>> On 11/19/2014 12:24 PM, Martin Kosek wrote:
>>>>>> On 11/19/2014 12:03 PM, Tomas Babej wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> When constructing a parent DN in LDAPSearch, we should always check that the parent object exists (hence use get_dn_if_exists), rather than search on nonexistent containers (which can happen with get_dn).
>>>>>>>
>>>>>>> Replaces get_dn calls with get_dn_if_exists in *-find commands and makes sure proper error message is raised.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/4659
>>>>>> Doesn't it produce extra LDAP search thus making all our search commands slower? Is that what we want?
>>>>> No it does not make all of our LDAP search slower. It only happens for the objects that have parent objects, such as idoverrides or dnsrecords.
>>>> ... and makes them slower. What I was pointing out here is that this is not an issue for ALL *-find commands (e.g user-find, group-find will not suffer from it), as you incorrectly stated.
>>>>>> Wouldn't it be better to distinguish between LDAP search with no results and LDAP search with missing parent DN? The reply looks different, at least in CLI:
>>>>> Up to discussion. We would probably need to introduce a new exception, like ParentObjectNotFound.
>>>>>> # search result
>>>>>> search: 4
>>>>>> result: 0 Success
>>>>>>
>>>>>> # search result
>>>>>> search: 4
>>>>>> result: 32 No such object
>>>>>> matchedDN: cn=accounts,dc=mkosek-f20,dc=test
>>>>>>
>>>>>> Also, I do not think you can just stop using get_dn(), some commands override this call to get more complex searches (like host-find searching for shortname).
>>>>> Look into the get_dn_if_exists, it just wraps around get_dn, so no issue here. Any custom behaviour is preserved.
>>>> Ah, ok, thanks for info.
>>>>> To sum up, I think this is worth changing this behaviour by default, ignoring a non-matching value of the parent object is not a correct general approach in my opinion.
>>>> Well, that's the question. Whether we would leave DS to validate the search itself or do all the pre-check ourselves. To me, doing just one LDAP search and processing the error correctly looks better. But I can live even with your version then, I will leave the framework guardians like Honza or Petr3 to decide.
>> +1 on single LDAP search and proper error processing.
>>> I see now what you're trying to suggest. However, the reason boils down to ipaldap.find_entries method not differentiating between a LDAP search that returns error code 32 (No such object) and LDAP search returning error code 0 (Success), but returning no results. In both cases errors.NotFound is raised. The reason I did not go this way is that changing the find_entries method is quite a bit more invasive as this is the method subsequently called by almost any command.
>> You can always derive the new error (ParentNotFound or whatever) on NotFound, so old code won't break.
> Thanks for the suggestions. Attached is a new patch which hooks into find_entries method and differentiates between the cases.

Why are you special casing base scope search?

--
Jan Cholasta
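The distinction this thread is about, a find_entries-style wrapper that separates "search succeeded with no matches" (LDAP result 0) from "the search base does not exist" (LDAP result 32, noSuchObject, with a matchedDN as in Martin's ldapsearch output), as an added example that is not FreeIPA's ipaldap code: the in-memory directory is constructed, and the `NotFound`/`ParentNotFound` names and the base-scope handling are assumptions, not the patch's actual implementation.

```python
# Added example, not FreeIPA's ipaldap code: a find_entries-style wrapper that
# tells "search succeeded with no matches" (LDAP result 0) from "the search
# base does not exist" (LDAP result 32, noSuchObject). The in-memory directory
# is constructed and the NotFound/ParentNotFound names are hypothetical.

SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE = 0, 1, 2
NO_SUCH_OBJECT = 32


class NotFound(Exception):
    """Plain 'no entries matched', what the framework raises for both cases today."""


class ParentNotFound(NotFound):
    """Derived from NotFound, so existing 'except NotFound' handlers keep working."""

    def __init__(self, base_dn, matched_dn):
        super().__init__(f'{base_dn} does not exist (server matched up to: {matched_dn})')
        self.base_dn = base_dn
        self.matched_dn = matched_dn


def _parent(dn):
    """Parent DN of a DN written without spaces after the commas."""
    return dn.split(',', 1)[1] if ',' in dn else ''


def simulated_search(directory, base_dn, scope, predicate):
    """Mimic a directory server: returns (result_code, matched_dn, entry_dns)."""
    if base_dn not in directory:
        # Like a real server, report the longest existing suffix in matchedDN.
        matched = _parent(base_dn)
        while matched and matched not in directory:
            matched = _parent(matched)
        return NO_SUCH_OBJECT, matched, []
    if scope == SCOPE_BASE:
        candidates = [base_dn]
    elif scope == SCOPE_ONELEVEL:
        candidates = [dn for dn in directory if _parent(dn) == base_dn]
    else:
        candidates = [dn for dn in directory if dn == base_dn or dn.endswith(',' + base_dn)]
    return 0, None, [dn for dn in candidates if predicate(directory[dn])]


def find_entries(directory, base_dn, scope, predicate):
    """Raise ParentNotFound for a missing container, NotFound for no matches."""
    code, matched, entries = simulated_search(directory, base_dn, scope, predicate)
    if code == NO_SUCH_OBJECT:
        # For a base-scope search the missing object is the entry being looked
        # up itself, so that is an ordinary NotFound; for one-level or subtree
        # searches the missing object is the container, i.e. the parent.
        if scope == SCOPE_BASE:
            raise NotFound(f'{base_dn} not found')
        raise ParentNotFound(base_dn, matched)
    if not entries:
        raise NotFound('no matching entries')
    return entries


# Constructed directory tree, not a real IPA deployment.
DIRECTORY = {
    'dc=example,dc=test': {'objectclass': ['domain']},
    'cn=accounts,dc=example,dc=test': {'objectclass': ['nsContainer']},
    'cn=users,cn=accounts,dc=example,dc=test': {'objectclass': ['nsContainer']},
    'uid=alice,cn=users,cn=accounts,dc=example,dc=test': {'uid': ['alice']},
}


def classify(base_dn, scope, uid='bob'):
    """Return 'found', 'notfound' or 'parentnotfound' for a uid lookup under base_dn."""
    try:
        find_entries(DIRECTORY, base_dn, scope, lambda e: uid in e.get('uid', []))
        return 'found'
    except ParentNotFound:  # must precede NotFound, it is a subclass
        return 'parentnotfound'
    except NotFound:
        return 'notfound'


def matched_dn_for(base_dn):
    """The matchedDN a one-level search under a missing container reports."""
    try:
        find_entries(DIRECTORY, base_dn, SCOPE_ONELEVEL, lambda e: True)
    except ParentNotFound as exc:
        return exc.matched_dn
    return None


if __name__ == '__main__':
    users = 'cn=users,cn=accounts,dc=example,dc=test'
    print(classify(users, SCOPE_ONELEVEL, 'alice'))  # found
    print(classify(users, SCOPE_ONELEVEL))  # notfound
    print(classify('cn=groups,cn=accounts,dc=example,dc=test', SCOPE_ONELEVEL))  # parentnotfound
    print(matched_dn_for('cn=groups,cn=accounts,dc=example,dc=test'))
```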
Re: [Freeipa-devel] [PATCH 0163] Fix compiler warning for pk11helper module
On 11/13/2014 09:59 AM, Martin Basti wrote:
> On 12/11/14 15:55, Martin Basti wrote:
>> Part of ticket: https://fedorahosted.org/freeipa/ticket/4657
> And here is the patch, sorry :-)

Works for me, thanks, ACK.

--
David Kupka
Re: [Freeipa-devel] [PATCH] 375 Restore file extended attributes and SELinux context in ipa-restore
On 11/20/2014 02:11 PM, Jan Cholasta wrote:
> Hi,
>
> the attached patch fixes https://fedorahosted.org/freeipa/ticket/4712.
>
> Honza

Thank you! ACK, pushed to:
master: 3d1e9813e641db59b7dff52f809949bff6c90ce0
ipa-4-1: 215f5451b284c627e9c298ebbc4ee786ced43720

--
Petr³
Re: [Freeipa-devel] [PATCH] 789 restore: clear httpd ccache after restore
On 11/20/2014 03:15 PM, Petr Vobornik wrote:
> so that httpd ccache won't contain old credentials which would make ipa CLI fail with error:
>
> Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Decrypt integrity check failed)
>
> https://fedorahosted.org/freeipa/ticket/4726

Thank you! ACK, pushed to:
master: a3c799f2f4769c1ae8516600e3729a2188ca539f
ipa-4-1: 7745e0fd563adae5aa7f58fc07488098fed97dc3

--
Petr³
Re: [Freeipa-devel] [PATCH 0163] Fix compiler warning for pk11helper module
On 11/20/2014 04:31 PM, David Kupka wrote:
> On 11/13/2014 09:59 AM, Martin Basti wrote:
>> On 12/11/14 15:55, Martin Basti wrote:
>>> Part of ticket: https://fedorahosted.org/freeipa/ticket/4657
>> And here is the patch, sorry :-)
> Works for me, thanks, ACK.

Pushed to:
master: 58737c7791b44d9d7cd011d3385bf66ea24d9830
ipa-4-1: b902ec294387eef29d07ab2ccff9ff17625aaa9c

--
Petr³
Re: [Freeipa-devel] [PATCHES] Fix getkeytab operation
On Thu, 20 Nov 2014 16:47:29 +0200
Alexander Bokovoy aboko...@redhat.com wrote:

> On Thu, 20 Nov 2014, Nathaniel McCallum wrote:
>> On Thu, 2014-11-20 at 09:12 -0500, Simo Sorce wrote:
>>> On Thu, 20 Nov 2014 12:36:45 +0200
>>> Alexander Bokovoy aboko...@redhat.com wrote:
>>>
>>>> On Wed, 19 Nov 2014, Simo Sorce wrote:
>>>>> - Original Message -
>>>>> From: Alexander Bokovoy aboko...@redhat.com
>>>>> [...]
>>>>>> Regarding the patchset itself:
>>>>>>
>>>>>> Patch 0001: fix 'wuld' in the commit message. The rest is fine.
>>>>> Fixed.
>>>>>
>>>>>> Patch 0002:
>>>>>> - ticket number is missing in the commit message
>>>>> Added.
>>>>>
>>>>>> - perhaps, an instruction how to regenerate asn1 code can be made a
>>>>>>   Makefile target? We don't need to call it ourselves but this would
>>>>>>   simplify things in future
>>>>> Added make regenerate target to asn1c makefile
>>>>>
>>>>>> - I'm little uncomfortable how ASN_DEBUG() output goes explicitly to
>>>>>>   stderr but I guess this is something we currently cannot override
>>>>>>   with DS-specific log printing, so no big deal right now
>>>>> ASN_DEBUG() is currently disabled as EMIT_ASN_DEBUG is undefined, we
>>>>> can later provide a replacement ASN_DEBUG function to hook debugging,
>>>>> but given the same code is used in both DS plugins and ipa-getkeytab
>>>>> binary I did not want to assume anything, and how to wire it up (if
>>>>> we even want to) should probably be discussed at a later time.
>>>>>
>>>>>> - any specific need to get asn1/compile committed? We don't commit it
>>>>>>   in the client code (ipa-client/compile).
>>>>> Added 'compile' to .gitignore in second patch
>>>>>
>>>>>> Patch 0003: OK
>>>>> Nothing changed here.
>>>>>
>>>>> I also remembered the patch naming policy :-) so new patch
>>>>> names/numbers are 514,515,516, third revision.
>>>> Thanks. The only complaint I have left is number of whitespace errors
>>>> that git says are in the 515th patch.
>>> Yeah the autogenerated code is not a pretty sight style-wise, do we
>>> want to run an automatic indenter on it ?
>>> I was hesitant to do so, but I wouldn't mind adding that, if we feel
>>> strongly about it.
>> Let's please not try to correct autogenerated code.
> I'm not tied to this but Simo now thinks it is better to run indenter in
> the generator rule as this will give less problems in actual comparison
> noise that git diff would give. I'll make sure to talk back to asn1c
> author to see if we can improve its generators upstream.

So given Nathaniel doesn't like to touch autogenerated code I'll leave it
as it is.

I am going to push with the only change being to remove asn1/config.h.in~
which was added to the second commit by mistake.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCHES] Fix getkeytab operation
On Thu, 2014-11-20 at 10:47 -0500, Simo Sorce wrote:
> On Thu, 20 Nov 2014 16:47:29 +0200
> Alexander Bokovoy aboko...@redhat.com wrote:
>
>> On Thu, 20 Nov 2014, Nathaniel McCallum wrote:
>>> On Thu, 2014-11-20 at 09:12 -0500, Simo Sorce wrote:
>>>> [...]
>>>> Yeah the autogenerated code is not a pretty sight style-wise, do we
>>>> want to run an automatic indenter on it ?
>>>> I was hesitant to do so, but I wouldn't mind adding that, if we feel
>>>> strongly about it.
>>> Let's please not try to correct autogenerated code.
>> I'm not tied to this but Simo now thinks it is better to run indenter
>> in the generator rule as this will give less problems in actual
>> comparison noise that git diff would give. I'll make sure to talk back
>> to asn1c author to see if we can improve its generators upstream.
>
> So given Nathaniel doesn't like to touch autogenerated code I'll leave
> it as it is.
>
> I am going to push with the only change being to remove
> asn1/config.h.in~ which was added to the second commit by mistake.

LGTM
Re: [Freeipa-devel] [PATCH] 0030 Fix --{user, group}-ignore-attribute in migration plugin.
On 11/20/2014 03:35 PM, Martin Basti wrote:
> On 20/11/14 15:25, Jan Cholasta wrote:
>> On 20.11.2014 at 14:51, Martin Basti wrote:
>>> On 20/11/14 11:53, David Kupka wrote:
>>>> On 11/20/2014 10:03 AM, Jan Cholasta wrote:
>>>>> On 20.11.2014 at 09:51, David Kupka wrote:
>>>>>> https://fedorahosted.org/freeipa/ticket/4620
>>>>>
>>>>> IMO changing the loop to:
>>>>>
>>>>>     for attr in attr_blacklist:
>>>>>         entry_attrs.pop(attr, None)
>>>>>
>>>>> would be better, because LDAPEntry already handles case insensitivity
>>>>> in attribute names.
>>>>
>>>> This seems better, thanks.
>>>
>>> IMO the same problem is with objectclasses.
>>>
>>>     # do not migrate all object classes
>>>     if 'objectclass' in entry_attrs:
>>>         for object_class in kwargs.get('oc_blacklist', []):
>>>             try:
>>>                 entry_attrs['objectclass'].remove(object_class)  # this is case sensitive
>>>             except ValueError:  # object class not present
>>>                 pass
>>>
>>> Am I right?
>>
>> Yes. LDAPEntry does not support case insensitivity in this case,
>> although I plan to implement it in 4.2.
>
> objectclasses are normalized to lowercase before, so it is not an issue.
>
> The patch works fine, ACK :-) .

Pushed to:
master: 35dad9684b22819a2c848e7ebb78cfbc438a30e6
ipa-4-1: 8ab85f161513b376c95094ccfe2b60202fe41baa

-- 
Petr³
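The three blacklist loops this thread compares (the pre-patch loop, the `attr.lower()` fix as pushed, and Honza's `pop()` alternative), run against a constructed migration entry. This is an added example, not FreeIPA code; `CaseInsensitiveEntry` is a hypothetical stand-in for ipaldap's `LDAPEntry`, written here only to model the case-folding behaviour the thread attributes to it.

```python
"""Added example (not FreeIPA code): why patch 0030 was needed and what the
pop()-based alternative relies on. Python 3."""


class CaseInsensitiveEntry(dict):
    """Hypothetical stand-in for LDAPEntry: keys match case-insensitively
    but keep the spelling they were stored with."""

    def __init__(self, initial=None):
        super().__init__()
        self._canon = {}                      # lower-cased key -> stored key
        for k, v in (initial or {}).items():
            self[k] = v

    def _stored(self, key):
        return self._canon.get(key.lower(), key)

    def __setitem__(self, key, value):
        key = self._stored(key)
        self._canon[key.lower()] = key
        super().__setitem__(key, value)

    def __getitem__(self, key):
        return super().__getitem__(self._stored(key))

    def __contains__(self, key):
        return key.lower() in self._canon

    def __delitem__(self, key):
        key = self._stored(key)
        del self._canon[key.lower()]
        super().__delitem__(key)

    def pop(self, key, *default):
        if key in self:
            value = self[key]
            del self[key]
            return value
        if default:
            return default[0]
        raise KeyError(key)


def strip_before_fix(entry_attrs, attr_blacklist):
    """Pre-patch loop: 'memberOf' from the source directory is compared
    verbatim with the lower-case blacklist, so it is migrated anyway."""
    for attr in list(entry_attrs.keys()):
        if attr in attr_blacklist:            # case-sensitive membership test
            del entry_attrs[attr]
    return entry_attrs


def strip_with_lower(entry_attrs, attr_blacklist):
    """Patch 0030 as pushed: fold the entry's attribute name first.
    Works with any mapping, including a plain dict."""
    for attr in list(entry_attrs.keys()):
        if attr.lower() in attr_blacklist:
            del entry_attrs[attr]
    return entry_attrs


def strip_with_pop(entry_attrs, attr_blacklist):
    """Honza's alternative: iterate the blacklist and pop from the entry.
    Correct only if the entry itself folds case; with a plain dict it
    silently keeps mixed-case keys."""
    for attr in attr_blacklist:
        entry_attrs.pop(attr, None)
    return entry_attrs


def sample_entry(factory=dict):
    """Constructed user entry with the mixed-case attribute names a source
    directory typically returns (all values are fake)."""
    return factory({
        "uid": ["alice"],
        "memberOf": ["cn=admins,cn=groups,dc=example,dc=test"],
        "krbPrincipalName": ["alice@EXAMPLE.TEST"],
        "userPassword": ["{SSHA}constructed"],
    })
```

Calling each function with `sample_entry()` and the blacklist `{"memberof", "krbprincipalname"}` shows that only `strip_with_lower`, or `strip_with_pop` on a `CaseInsensitiveEntry`, actually drops the two ignored attributes.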
Re: [Freeipa-devel] [PATCHES] Fix getkeytab operation
On Thu, 20 Nov 2014 10:47:35 -0500
Simo Sorce s...@redhat.com wrote:

> On Thu, 20 Nov 2014 16:47:29 +0200
> Alexander Bokovoy aboko...@redhat.com wrote:
>
>> On Thu, 20 Nov 2014, Nathaniel McCallum wrote:
>>> On Thu, 2014-11-20 at 09:12 -0500, Simo Sorce wrote:
>>>> [...]
>>>> Yeah the autogenerated code is not a pretty sight style-wise, do we
>>>> want to run an automatic indenter on it ?
>>>> I was hesitant to do so, but I wouldn't mind adding that, if we feel
>>>> strongly about it.
>>> Let's please not try to correct autogenerated code.
>> I'm not tied to this but Simo now thinks it is better to run indenter
>> in the generator rule as this will give less problems in actual
>> comparison noise that git diff would give. I'll make sure to talk back
>> to asn1c author to see if we can improve its generators upstream.
>
> So given Nathaniel doesn't like to touch autogenerated code I'll leave
> it as it is.
>
> I am going to push with the only change being to remove
> asn1/config.h.in~ which was added to the second commit by mistake.

Pushed to master:
b170851058d6712442d553ef3d11ecd21b282443
c6afc489a1c9d86fd593bd47c4a8dae6d9a008d2
b1a30bff04fe9763b8b270590ec37084fd19b4e0

ipa-4-1:
f065cec8a58bf4fee0334afdfb63db02f76c1ff7
45ceef14f9ffa5f3abf19088e991f427b7c5bd92
dd3e91639bc3e87b5a95e344b7d190136ad30de0

ipa-4-0:
55578e9cb33924085969102186250ee60c0a9d85
598b54716c6e177a6b5bfdbccf483d28bf40e0b8
aa988311d1b5eefe16eb60c04227900814468e9f

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
[Freeipa-devel] [PATCH 0081] Add initial tests for OTP
This tests the general workflow for OTP including most possible token combinations. This includes 5872 tests. Further optimization is possible to reduce the number of duplicate tests run. Things not yet tested: * ipa-kdb * ipa-otpd * otptoken-sync * RADIUS proxy * token self-management * type specific attributes From 0ae7f469d5b9496cf9a63cc7f4b4b099d35dfab2 Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum npmccal...@redhat.com Date: Thu, 20 Nov 2014 11:02:00 -0500 Subject: [PATCH] Add initial tests for OTP This tests the general workflow for OTP including most possible token combinations. This includes 5872 tests. Further optimization is possible to reduce the number of duplicate tests run. Things not yet tested: * ipa-kdb * ipa-otpd * otptoken-sync * RADIUS proxy * token self-management * type specific attributes --- ipatests/test_xmlrpc/test_otptoken_plugin.py | 373 +++ 1 file changed, 373 insertions(+) create mode 100644 ipatests/test_xmlrpc/test_otptoken_plugin.py diff --git a/ipatests/test_xmlrpc/test_otptoken_plugin.py b/ipatests/test_xmlrpc/test_otptoken_plugin.py new file mode 100644 index ..ca5cc5fb65ad4a869dbc0428de1eb7652e0aeea5 --- /dev/null +++ b/ipatests/test_xmlrpc/test_otptoken_plugin.py 
@@ -0,0 +1,373 @@ +# Authors: +# Nathaniel McCallum npmccal...@redhat.com +# +# Copyright (C) 2014 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see http://www.gnu.org/licenses/. + + +Test the `ipalib/plugins/otptoken.py` module. + + +import base64 +import datetime +import hashlib +import os +import urlparse +import UserDict +import uuid + +import ldap +import pyotp + +from ipalib import api +from xmlrpc_test import XMLRPC_test +from ipatests.util import assert_deepequal +from ipapython.dn import DN +from ipapython.version import API_VERSION + +class Token(UserDict.DictMixin): +_TYPED = ( +(u'TOTP', u'ipatokentotpclockoffset'), +(u'TOTP', u'ipatokentotptimestep'), +(u'HOTP', u'ipatokenhotpcounter'), +) + +def __getitem__(self, key): +if key in self.__data: +return self.__data[key] + +for t, a in self._TYPED: +if key == a and self.get(u'type', None) != t: +raise KeyError(repr(key)) + +if key in self.__defaults: +return self.__defaults[key] + +raise KeyError(repr(key)) + +def __setitem__(self, key, value): +if key == u'type': +value = value.upper() + +for t, a in self._TYPED: +if key != t: +self.__data.pop(a, None) +else: +for t, a in self._TYPED: +if key == a and self.__data.get(u'type', t) != t: +raise KeyError(repr(key) + str(self.__data.get(u'type', t))) + +self.__data[key] = value + +def __delitem__(self, key): +del self.__data[key] + +def 
keys(self): +type = self.get(u'type', None) + +exclude = [] +for t, a in self._TYPED: +if type != t: +exclude.append(a) + +keys = set(self.__data.keys() + self.__defaults.keys()) +return keys.difference(exclude) + +def __init__(self, obj=None, **kwargs): +self.__defaults = {} +for i in range(len(api.Object['otptoken'].params)): +param = api.Object['otptoken'].params[i] +if param.default is not None: +self.__defaults[param.name] = param.default + +self.__defaults.update({ +u'ipatokenuniqueid': unicode(uuid.uuid4()), +u'ipatokenotpkey': os.urandom(20) +}) + +self.__data = {} +if obj is not None: +self.update(obj) +if len(kwargs): +self.update(kwargs) + +def __repr__(self): +prefixes = ['ipatoken' + x for x in ('totp', 'hotp', 'otp', '')] +names = { +'algorithm': 'algo', +'timestep': 'ts', +'clockoffset': 'offset', +} + +args = {} +for k, v in self.items(): +for prefix in prefixes: +if k.startswith(prefix): +k = k[len(prefix):] +break + +if k in ('key', 'uniqueid', 'owner'): +continue + +
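Review bot: in `Token.__setitem__`, the `if key == u'type':` branch loops `for t, a in self._TYPED: if key != t: self.__data.pop(a, None)`, but `key` is the literal string `'type'` there and never equals `'TOTP'` or `'HOTP'`, so every type-specific attribute is discarded whenever the type is set, including the attributes that belong to the type just chosen; the comparison presumably meant `if value != t:`. Two smaller points in the same class: `for i in range(len(api.Object['otptoken'].params)): param = api.Object['otptoken'].params[i]` in `__init__` can iterate the params collection directly, and `type = self.get(u'type', None)` in `keys()` shadows the builtin.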
Re: [Freeipa-devel] [PATCH 0081] Add initial tests for OTP
On 11/20/2014 05:13 PM, Nathaniel McCallum wrote:
> This tests the general workflow for OTP including most possible token
> combinations. This includes 5872 tests. Further optimization is possible
> to reduce the number of duplicate tests run.
>
> Things not yet tested:
> * ipa-kdb
> * ipa-otpd
> * otptoken-sync
> * RADIUS proxy
> * token self-management
> * type specific attributes

Hello,
This reimplements functionality that I'm changing in the pytest patches.
I'd like to rewrite these tests to use pytest best practices, both to make
them work after the switch and as an example of pytest usage.
Would that work for you?

-- 
Petr³
[Freeipa-devel] [PATCH 0169] Fix: read_ip_address should return CheckedIPAddress instance instead of string
Ticket: https://fedorahosted.org/freeipa/ticket/4747 Patch attached: -- Martin Basti From 98ce62ec68a406fa30c4a9ed4249ebb1b1330e4e Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Thu, 20 Nov 2014 17:45:46 +0100 Subject: [PATCH] Fix: read_ip_addresses should return ipaddr object Interactive prompt callback returns list of str instead of CheckedIPAddress instances. Ticket: https://fedorahosted.org/freeipa/ticket/4747 --- ipaserver/install/installutils.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 9cda26f16f09ddc04e708a94858fb039ee3a8360..b23b404d224e1fef6679582d9e9333ca533ca872 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py @@ -243,7 +243,7 @@ def read_ip_addresses(host_name, fstore): except Exception, e: print Error: Invalid IP Address %s: %s % (ip, e) continue -ips.append(ip) +ips.append(ip_parsed) return ips -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
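Review bot: the commit subject ("Fix: read_ip_addresses should return ipaddr object") names the function and type differently from the mail subject ("read_ip_address should return CheckedIPAddress instance"); use the real function name and `CheckedIPAddress` in both so the log matches the code. The one-line change `-ips.append(ip)` / `+ips.append(ip_parsed)` looks right given the context: the `except` block above it reports an invalid address and `continue`s, so `ip_parsed` (assigned in the `try` block, outside the visible context) is the validated object and appending the raw `ip` string threw that validation result away. A small unit test asserting that the returned list holds `CheckedIPAddress` instances would stop the str/object mix-up from returning.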
Re: [Freeipa-devel] [PATCH 0081] Add initial tests for OTP
On Thu, 2014-11-20 at 17:32 +0100, Petr Viktorin wrote:
> On 11/20/2014 05:13 PM, Nathaniel McCallum wrote:
>> This tests the general workflow for OTP including most possible token
>> combinations. This includes 5872 tests. Further optimization is possible
>> to reduce the number of duplicate tests run.
>>
>> Things not yet tested:
>> * ipa-kdb
>> * ipa-otpd
>> * otptoken-sync
>> * RADIUS proxy
>> * token self-management
>> * type specific attributes
>
> Hello,
> This reimplements functionality that I'm changing in the pytest patches.
> I'd like to rewrite these tests to use pytest best practices, both to
> make them work after the switch and as an example of pytest usage.
> Would that work for you?

If you're volunteering, have at it!

Is there any planned functionality around parallelizing the tests? We could
get a big speed boost, at least for these tests, by running token tests in
parallel.

Nathaniel
[Freeipa-devel] [PATCH] 1111 Use NSS protocol range setter
Use new capability in python-nss-0.16 to use the NSS protocol range setter. This lets us enable TLSv1.1 and TLSv1.2 for client connections. I made this configurable via tls_protocol_range in case somebody wants to override it. There isn't a whole ton of error handling on bad input but there is enough, I think, to point the user in the the right direction. Added a couple more lines of debug output to include the negotiated protocol and cipher. rob From 599ff6072d4775becc49f2bbe3fd65e171f6db65 Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Thu, 30 Oct 2014 11:52:14 -0400 Subject: [PATCH] Use NSS protocol range API to set available TLS protocols Protocols are configured as an inclusive range from SSLv3 through TLSv1.2. The allowed values in the range are ssl3, tls1.0, tls1.1 and tls1.2. If only a single value is provided then it represents both the min and max. This is overridable per client by setting tls_protocol_range. https://fedorahosted.org/freeipa/ticket/4653 --- freeipa.spec.in | 2 +- ipalib/constants.py | 2 ++ ipalib/rpc.py | 4 +++- ipapython/dogtag.py | 3 ++- ipapython/nsslib.py | 18 -- 5 files changed, 24 insertions(+), 5 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 703ef9e1988c2171b815a680ad126793b2fef82d..7149066b8b6c55424843fe5a3515c92cfc92c850 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -279,7 +279,7 @@ Requires: gnupg Requires: iproute Requires: keyutils Requires: pyOpenSSL -Requires: python-nss = 0.15 +Requires: python-nss = 0.16 Requires: python-lxml Requires: python-netaddr Requires: libipa_hbac-python diff --git a/ipalib/constants.py b/ipalib/constants.py index 325414b64fdacd4d8df261588cfc9b7481923be1..c50a806b4a0d275525a2bc2850116a05dd01d97e 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -122,6 +122,8 @@ DEFAULT_CONFIG = ( ('rpc_protocol', 'jsonrpc'), +('tls_protocol_range', 'tls1.0,tls1.2'), + # Time to wait for a service to start, in seconds ('startup_timeout', 300), 
diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 001b7f1ca06edadfc7aad635d9d564e517008a63..5e1eaf1db1f6d5539c604b748a876a7a33c0e009 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -69,6 +69,7 @@ from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, KRB5_REALM_CANT_RESOLVE from ipapython.dn import DN from ipalib.capabilities import VERSION_WITHOUT_CAPABILITIES +from ipalib import api COOKIE_NAME = 'ipa_session' KEYRING_COOKIE_NAME = '%s_cookie:%%s' % COOKIE_NAME @@ -492,7 +493,8 @@ class SSLTransport(LanguageAwareTransport): if sys.version_info (2, 7): conn = NSSHTTPS(host, 443, dbdir=dbdir, no_init=no_init) else: -conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init) +conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init, + protocol_range=api.env.tls_protocol_range) self.dbdir=dbdir conn.connect() diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index bd92fe65c7780e4f73a6f3c0edfb5dd46e704a4f..e6a0f5d8498d5c785bfcb3e1d2782814e2a7256e 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py @@ -236,7 +236,8 @@ def https_request(host, port, url, secdir, password, nickname, **kw): def connection_factory(host, port): -conn = nsslib.NSSConnection(host, port, dbdir=secdir) +conn = nsslib.NSSConnection(host, port, dbdir=secdir, +protocol_range=api.env.tls_protocol_range) conn.set_debuglevel(0) conn.connect() conn.sock.set_client_auth_data_callback( diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py index 1452a2a5844a5fb017d4408aadf56f7fcfc7fa25..f874ac425b0c5ab201b6661c012c142c7510d345 100644 --- a/ipapython/nsslib.py +++ b/ipapython/nsslib.py 
@@ -174,7 +174,8 @@ class NSSConnection(httplib.HTTPConnection, NSSAddressFamilyFallback): default_port = httplib.HTTPSConnection.default_port def __init__(self, host, port=None, strict=None, - dbdir=None, family=socket.AF_UNSPEC, no_init=False): + dbdir=None, family=socket.AF_UNSPEC, no_init=False, + protocol_range='tls1.1,tls1.2'): :param host: the server to connect to :param port: the port to use (default is set in HTTPConnection) @@ -183,6 +184,7 @@ class NSSConnection(httplib.HTTPConnection, NSSAddressFamilyFallback): :param no_init: do not initialize the NSS database. This requires that the database has already been initialized or the request will fail. +:param protocol_range: min and max SSL/TLS protocol range supported. httplib.HTTPConnection.__init__(self, host, port, strict) NSSAddressFamilyFallback.__init__(self, family) @@
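Review bot: the default ranges disagree between hunks: the `ipalib/constants.py` hunk adds `('tls_protocol_range', 'tls1.0,tls1.2')`, while the `NSSConnection.__init__` hunk in `ipapython/nsslib.py` defaults `protocol_range='tls1.1,tls1.2'`. Callers that pass `api.env.tls_protocol_range` (the `ipalib/rpc.py` and `ipapython/dogtag.py` hunks) therefore still enable TLS 1.0, whereas direct `NSSConnection` users get 1.1 as the floor. Pick one default, state it in the comment next to the constant, and say in the commit message whether TLS 1.0 is kept deliberately for compatibility with older servers, since the stated goal of the change is to move client connections to TLS 1.1/1.2.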
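Review bot: the `ipapython/dogtag.py` hunk reads `api.env.tls_protocol_range` inside `connection_factory` but, unlike the `ipalib/rpc.py` hunk, adds no `from ipalib import api`; confirm `api` is already imported in that module, otherwise `https_request()` raises `NameError` the first time it connects.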
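Review bot: the new docstring line in the `ipapython/nsslib.py` hunk, `:param protocol_range: min and max SSL/TLS protocol range supported.`, should list the accepted tokens (ssl3, tls1.0, tls1.1, tls1.2), say the range is inclusive, and note that a single value means min == max, as the commit message does; that is the only place a caller of `NSSConnection` will look for the format.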
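A parser for the `tls_protocol_range` value as the cover letter and commit message define it (inclusive "min,max" over ssl3 < tls1.0 < tls1.1 < tls1.2, a single value meaning min == max), added here as an illustration; it is not FreeIPA's or python-nss's code, the function names are hypothetical, case-insensitive matching of the tokens is an assumption, and mapping the result onto NSS's version constants is left to the binding.

```python
"""Added example (not FreeIPA or python-nss code): parse and sanity-check a
tls_protocol_range string before handing it to the NSS range setter."""

# Accepted tokens in ascending protocol order (from the commit message).
PROTOCOL_ORDER = ("ssl3", "tls1.0", "tls1.1", "tls1.2")


def parse_protocol_range(value):
    """Return (min, max). Raises ValueError naming the offending token so a
    typo in the config points the operator at the fix."""
    parts = [p.strip().lower() for p in value.split(",")]   # case-folding is an assumption
    if len(parts) == 1:
        parts = parts * 2                                    # single value: min == max
    if len(parts) != 2 or not all(parts):
        raise ValueError("tls_protocol_range must be 'min,max' or a single "
                         "protocol, got %r" % value)
    for p in parts:
        if p not in PROTOCOL_ORDER:
            raise ValueError("unknown protocol %r; allowed: %s"
                             % (p, ", ".join(PROTOCOL_ORDER)))
    lo, hi = parts
    if PROTOCOL_ORDER.index(lo) > PROTOCOL_ORDER.index(hi):
        raise ValueError("minimum %r is newer than maximum %r" % (lo, hi))
    return lo, hi


def is_valid_range(value):
    """True if parse_protocol_range() accepts the value."""
    try:
        parse_protocol_range(value)
    except ValueError:
        return False
    return True


def enabled_protocols(value):
    """Every version the range turns on, i.e. the lowest the peer can
    negotiate the connection down to."""
    lo, hi = parse_protocol_range(value)
    return PROTOCOL_ORDER[PROTOCOL_ORDER.index(lo):PROTOCOL_ORDER.index(hi) + 1]


def legacy_protocols(value):
    """The pre-TLS 1.1 versions a range still permits: empty for the
    NSSConnection default 'tls1.1,tls1.2', ('tls1.0',) for the
    constants.py default 'tls1.0,tls1.2'."""
    return tuple(p for p in enabled_protocols(value) if p in ("ssl3", "tls1.0"))
```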
Re: [Freeipa-devel] [PATCH 0081] Add initial tests for OTP
On Thu, 2014-11-20 at 13:03 -0500, Nathaniel McCallum wrote:
> On Thu, 2014-11-20 at 17:32 +0100, Petr Viktorin wrote:
>> On 11/20/2014 05:13 PM, Nathaniel McCallum wrote:
>>> This tests the general workflow for OTP including most possible token
>>> combinations. This includes 5872 tests. Further optimization is
>>> possible to reduce the number of duplicate tests run.
>>>
>>> Things not yet tested:
>>> * ipa-kdb
>>> * ipa-otpd
>>> * otptoken-sync
>>> * RADIUS proxy
>>> * token self-management
>>> * type specific attributes
>>
>> Hello,
>> This reimplements functionality that I'm changing in the pytest patches.
>> I'd like to rewrite these tests to use pytest best practices, both to
>> make them work after the switch and as an example of pytest usage.
>> Would that work for you?
>
> If you're volunteering, have at it!
>
> Is there any planned functionality around parallelizing the tests? We
> could get a big speed boost, at least for these tests, by running token
> tests in parallel.

FYI, I fixed a bug with pyotp which caused failures with non-sha1 digests.
https://github.com/nathforge/pyotp/pull/9

With this change, I did another run: 3.25 hours. Aside from some spurious
LimitsExceeded errors (which I get occasionally on my system; it might be
me), all tests passed.

Nathaniel
Re: [Freeipa-devel] [PATCH 0081] Add initial tests for OTP
On 11/20/2014 05:13 PM, Nathaniel McCallum wrote:
> This tests the general workflow for OTP including most possible token
> combinations. This includes 5872 tests. Further optimization is possible
> to reduce the number of duplicate tests run.

Good job! Yup, heavy optimization will be needed later.

> Things not yet tested:
> * ipa-kdb

Here you would just call kinit instead of LDAP BIND, right?

> * ipa-otpd

How would ipa-otpd be tested? Wouldn't it be tested if simple kinit is made
instead of direct LDAP BIND?

> * otptoken-sync

Petr1 can help to provide a Web UI test for this area. Or alternatively for
the test we could use the LDAP extended operation directly, right?

> * RADIUS proxy
> * token self-management
> * type specific attributes

+1

What about password changes with OTP, can it be also covered?

Also, note that the freeipa-tests would suddenly grow a python-pyotp
dependency, this should be considered.

Martin