Re: [Freeipa-devel] [PATCH] 905 webui: add Kerberos configuration instructions for Chrome
On 27/07/15 12:06, Martin Basti wrote:
> On 22/07/15 14:00, Petr Vobornik wrote:
>> * IE section moved at the end
>> * Chrome section added
>> * FF and IE icons removed
>>
>> https://fedorahosted.org/freeipa/ticket/823
>
> ACK
>
> -- Martin Basti

Pushed to:
master: a4be844809179ff0a05286606df1487d81a70022
ipa-4-2: 8e528db8a33938d6954e0d94714b3492a79b3b6d

-- Martin Basti

-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] C coding style guide update
On 07/26/2015 10:09 PM, Jakub Hrozek wrote:
> On Thu, Jul 23, 2015 at 06:21:25PM +0200, Michal Židek wrote:
>> Hi,
>>
>> in SSSD we use the freeipa coding guidelines which are located here:
>> http://www.freeipa.org/page/Coding_Style
>>
>> However this coding style guide is already dated and there are some rules we follow in SSSD which are not mentioned in the guide and also there are some C language features that we would like to start using in certain way but their usage should be covered in the coding style guide. So, update is needed (at least for SSSD).
>>
>> I would like to start discussion about what to add to the coding guide (and maybe what to remove), but before that, I would like to propose to move the coding style guide to SSSD wiki and just add link to it to FreeIPA wiki. The reason is that unlike FreeIPA, most of the SSSD code is written in C and SSSD team will more likely update and modify the guide according to new practices used in upstream development, where FreeIPA is mostly Python project and C coding style probably does not need revision as often. So SSSD wiki seems like more appropriate place.
>>
>> Another possibility would be to fork the FreeIPA style and maintain SSSD coding style guide separately. But I think linking the two is better option, because the two projects are closely related and it makes sense to share the coding style guidelines.
>>
>> So, my first question is, Is someone against moving the C coding style guide to SSSD wiki and adding link to it on FreeIPA wiki?
>
> I don't really mind where the coding style is located as long as it's on one place (no forks please) and the existing link points to a new version (if any).

Ok. I will start crafting the new SSSD wiki after we come to some conclusion in this thread.

> As per updating the coding standards, I would like to propose to:
> - explicitly say that C99 is fine to use. It's 2015 and any compiler that doesn't support C99 at this point is probably dead and should be avoided (Hello, MSVC!). We use stdbool.h and variadic macros already anyway.

+1

> - Line-comments (//, aka C++ comments) should be still avoided, though

I really do not know what people have against line comments, but this is not the first time I see someone resisting them, so I guess there is some hidden evil in this way of commenting the code. But I am OK if they stay forbidden.

> - Variable Length arrays are very helpful, but explicitly mention they should be used with caution, especially if array size might come from the user

+1

We overuse talloc for very small allocations that can be done automatically on stack.

> - Also, I would warn about interleaved variable declarations. I think it's fine to declare some helper variable inside a for loop for example, but generally it might be better to refactor the function if we find out there's so many variables that the code author ends up declaring them inside blocks.

It is good practice to declare variables at the beginning of the block that covers all blocks where the variable is used. And it is one of the things I would like to put in the coding style. I am not sure about loops however. it could lead us to hard to debug bugs if someone forgets to put static keyword in variable declaration.

> Personally, I would even go as far as to allow the __cleanup__ attribute. I really like how the systemd codebase uses it to define helper destructors like:
>
>     void closep(int *fd)
>     {
>         if (*fd >= 0) {
>             close(*fd);
>         }
>     }
>     #define _cleanup_close_ _cleanup_(closep)
>
> Then safely declare a file descriptor as:
>
>     _cleanup_close_ int fdf = -1;
>
> ..and stop worrying about closing the fd in all branches.

Looks like a good thing to me as well for the cases when we *always* want to destroy the resource before leaving the function. For the rest of the cases we would still have to use goto labels.

> It's not portable, but seriously...are there any compilers except gcc and clang that are used at all these days??

GCC and Clang are the most widely used compilers on platforms we care about. We do not need to make SSSD compile on anything else.

We could also add few tips and 'rules of thumb' to the coding style as well. For example isolating the untrusted value on the left side when doing comparisons in ifs ( see ticket https://fedorahosted.org/sssd/ticket/1697 ).

Michal

-- Senior Principal Intern
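The `_cleanup_close_` pattern discussed in this message, as an added, self-contained example (not code from SSSD, systemd or any poster in this thread): every early return leaves the descriptor closed without a `goto` label. The names `check_magic`, `make_sample`, `fd_is_open`, `last_fd` and the `IPA1` sample bytes are made up for the illustration.

```c
/* Added illustration (not SSSD or systemd code): scope-bound fd cleanup. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* GCC/Clang call the handler with a POINTER to the variable leaving scope. */
static void closep(int *fd)
{
    if (*fd >= 0) {
        close(*fd);
    }
}

#define _cleanup_(f) __attribute__((cleanup(f)))
#define _cleanup_close_ _cleanup_(closep)

/* Demo-only bookkeeping (hypothetical): remembers the last descriptor opened
 * so a caller can verify afterwards that it really was closed. */
static int last_fd = -1;

/* Check that the file at `path` starts with `magic`.
 * Returns 0 on match or a negative errno value; no branch closes fd by hand. */
static int check_magic(const char *path, const char *magic, size_t magic_len)
{
    _cleanup_close_ int fd = -1;   /* -1 keeps closep() a no-op until open() */
    char buf[16];
    ssize_t n;

    if (magic_len > sizeof(buf)) {
        return -EINVAL;            /* nothing opened yet */
    }
    fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) {
        return -errno;
    }
    last_fd = fd;

    n = read(fd, buf, magic_len);
    if (n < 0) {
        return -errno;             /* value is computed before closep() runs */
    }
    if ((size_t)n != magic_len) {
        return -EIO;               /* file is shorter than the magic */
    }
    if (memcmp(buf, magic, magic_len) != 0) {
        return -EBADMSG;
    }
    return 0;
}

/* A closed descriptor makes fcntl() fail with EBADF. */
static int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* Write a constructed 8-byte sample file; `tmpl` is a mkstemp() template. */
static int make_sample(char *tmpl)
{
    _cleanup_close_ int fd = mkstemp(tmpl);

    if (fd < 0) {
        return -errno;
    }
    return write(fd, "IPA1data", 8) == 8 ? 0 : -EIO;
}

int main(void)
{
    char path[] = "/tmp/cleanup-demo-XXXXXX";
    const char *magics[] = { "IPA1", "NOPE", "IPA1dataMORE" };

    if (make_sample(path) != 0) {
        return 1;
    }
    for (size_t i = 0; i < 3; i++) {
        int ret = check_magic(path, magics[i], strlen(magics[i]));
        printf("%-12s ret=%d fd %d still open: %d\n",
               magics[i], ret, last_fd, fd_is_open(last_fd));
    }
    unlink(path);
    return 0;
}
```

The handler only fits resources that must always be released on scope exit; a descriptor that is handed back to the caller on success still needs explicit handling.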
Re: [Freeipa-devel] [PATCH] otptoken: use ipapython.nsslib instead of Python's ssl module
On 22/07/15 10:38, Martin Basti wrote:
> On 07/07/15 18:40, Christian Heimes wrote:
>> Hello,
>>
>> the patch removes the dependency on Python's ssl module and python-backports-ssl_match_hostname.
>>
>> https://fedorahosted.org/freeipa/ticket/5068
>>
>> Open question
>> - Is paths.IPA_NSSDB_DIR the correct NSSDB?
>
> Should be.
>
>> Christian
>
> Works for me, ACK.
>
> -- Martin Basti

Pushed to:
master: 3c974c157f332bd8f4db48eba52d2b760c0c1e77
ipa-4-2: 4fe3bd107a066aeb2d628f50584f979e2026398f

-- Martin Basti
Re: [Freeipa-devel] Replace stageuser-add --from-delete with user-undel --to-staged
On 23/07/15 14:43, Martin Basti wrote:
> Hello,
>
> I tried to fix #5145 and I partially succeeded. However, I cannot fix this part of ticket, where user is prompted to write name and surname.
>
> $ ipa stageuser-add tuser --from-delete
> First name: this will be ignored
> Last name: this will be also ignored
> Added stage user tuser
>
> As the first name and last name are mandatory attributes of stageuser-add command, but they are not needed when the --from-delete option is used.
>
> I would like to ask how to fix this issue, IMO this will be huge hack in internal API.
>
> Or should we just document this bug as known issue (thierry wrote that this is not use case that should be used often)?
>
> The best solution would be separate command, but this idea was rejected in thread "[Freeipa-devel] User life cycle: question regarding the design"
>
> Regards
> Martin^2

Hello,

as was mentioned before, we have issue with current internal API and the stageuser-add --from-delete command.

We discussed this today, and we did not find a nice way how to fix it, so we propose this (which is IMO the best solution):

* stageuser-add --from-delete should be deprecated
* create new option for user-undel: user-undel --to-staged (or create new command) that will handle moving deleted users to staged area as --from-delete did.

Instead of stageuser-add and option --from-delete, which work totally different, the command user-undel does similar operation than stage-user --from-delete, it just uses different container.

We need to do this in 4.2.1 to affect as few users as possible.

If you have any objections, please speak/write :)

Martin^2

-- Martin Basti
Re: [Freeipa-devel] [PATCH] 0035 client: Update DNS with all available local IP addresses.
On 15/01/15 17:13, David Kupka wrote: On 01/15/2015 03:22 PM, David Kupka wrote: On 01/15/2015 12:43 PM, David Kupka wrote: On 01/12/2015 06:34 PM, Martin Basti wrote: On 09/01/15 14:43, David Kupka wrote: On 01/07/2015 04:15 PM, Martin Basti wrote: On 07/01/15 12:27, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4249 Thank you for patch: 1) -root_logger.error(Cannot update DNS records! - Failed to connect to server '%s'., server) +ips = get_local_ipaddresses() +except CalledProcessError as e: +root_logger.error(Cannot update DNS records. %s % e) IMO the error message should be more specific, add there something like Unable to get local IP addresses. at least in log.debug() 2) +lines = ipresult[0].replace('\\', '').split('\n') .replace() is not needed 3) +if len(ips) == 0: if not ips: is more pythonic by PEP8 Thanks for catching these. Updated patch attached. merciful NACK Thank you for the patch, unfortunately I hit one issue which needs to be resolved. If sync PTR is activated in zone settings, and reverse zone doesn't exists, nsupdate/BIND returns SERVFAIL and ipa-client-install print Error message, 'DNS update failed'. In fact, all A/ records was succesfully updated, only PTR records failed. Bind log: named-pkcs11[28652]: updating zone 'example.com/IN': adding an RR at 'vm-101.example.com' named-pkcs11[28652]: PTR record synchronization (addition) for A/ 'vm-101.example.com.' refused: unable to find active reverse zone for IP address '2620:52:0:104c:21a:4aff:fe10:4eaa': not found With IPv6 we have several addresses from different reverse zones and this situation may happen often. I suggest following: 1) Print list of addresses which will be updated. (Now if update fails, user needs to read log, which addresses installer tried to update) 2) Split nsupdates per A/ record. 3a) If failed, check with DNS query if A/ and PTR record are there and print proper error message 3b) Just print A/ (or PTR) record may not be updated for particular IP address. 
Any other suggestions are welcome. After long discussion with DNS and UX guru I've implemented it this way: 1. Call nsupdate only once with all updates. 2. Verify that the expected records are resolvable. 3. If no print list of missing A/, list of missing PTR records and list to mismatched PTR record. As this is running inside client we can't much more and it's up to user to check what's rotten in his DNS setup. Updated patch attached. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel One more change to behave well in -crazy- exotic environments that resolves more PTR records for single IP. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Yet another change to make language nerds and our UX guru happy :-) ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Rebased patch attached. -- David Kupka From 3ae6959cfd08c34cfcb0eaf29d057b5ea4ebbac4 Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Sun, 4 Jan 2015 15:04:18 -0500 Subject: [PATCH] client: Update DNS with all available local IP addresses. Detect all usable IP addresses assigned to any interface and create coresponding DNS records on server. https://fedorahosted.org/freeipa/ticket/4249 --- ipa-client/ipa-install/ipa-client-install | 173 +++--- 1 file changed, 112 insertions(+), 61 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 91323ae115a27d221bcbc43fee887c56d99c8635..eab20e6c44954834b736d3477db88c7708912002 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -32,6 +32,7 @@ try: from optparse import SUPPRESS_HELP, OptionGroup, OptionValueError import shutil from krbV import Krb5Error +import dns import nss.nss as nss import SSSDConfig 
@@ -1500,40 +1501,22 @@ def unconfigure_nisdomain(): if not enabled: services.knownservices.domainname.disable() - -def resolve_ipaddress(server): - Connect to the server's LDAP port in order to determine what ip -address this machine uses as public ip (relative to the server). - -Returns a tuple with the IP address and address family when -connection was successful. Socket error is raised otherwise. - -last_socket_error = None - -for res in socket.getaddrinfo(server, 389, socket.AF_UNSPEC, -socket.SOCK_STREAM): -af, socktype, proto, canonname, sa = res -try: -s = socket.socket(af, socktype, proto) -except socket.error,
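Review bot: `import dns` in the first hunk loads only the top-level dnspython package, so if the new record checks call into dns.resolver or dns.reversename those submodules should be imported by name; attribute access on the bare package works only when something else has already imported them. In the commit message, "coresponding" should read "corresponding". The second hunk removes resolve_ipaddress() together with its docstring, so the message should also state that the client no longer derives its address from the LDAP connection to the server, since that changes which addresses end up in DNS.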
Re: [Freeipa-devel] [PATCH 0050] ACI plugin: correctly parse bind rules enclosed in parentheses
On 23/07/15 16:06, Martin Babinsky wrote:
> This is a quick fix for https://fedorahosted.org/freeipa/ticket/5037

NACK

I do not like your change in first regexp too much. Can you try this instead?

PermPat = re.compile(r'(\w+)\s*\(([^()]*)\)\s*(.*)', re.UNICODE)

This just removes '(' and ') ' from pattern and accepts all other characters.

-- Martin Basti
Re: [Freeipa-devel] [PATCH 0001] Test Topology plugin is listed among DS plugins
On 23/07/15 16:27, Martin Basti wrote: On 23/07/15 11:42, Oleg Fayans wrote: Forgot to attach the new version, sorry! On 07/23/2015 10:32 AM, Oleg Fayans wrote: Hi Martin, On 07/22/2015 05:48 PM, Martin Basti wrote: On 22/07/15 15:19, Oleg Fayans wrote: Hi Martin, Fixed. On 07/22/2015 09:26 AM, Martin Basti wrote: On 22/07/15 09:23, Oleg Fayans wrote: Hi Martin, Patch updated. Thank you for the review! On 07/21/2015 05:45 PM, Martin Basti wrote: On 20/07/15 14:07, Oleg Fayans wrote: Hi Martin, Updated. On 07/20/2015 12:46 PM, Martin Basti wrote: On 20/07/15 11:57, Oleg Fayans wrote: +pwfile = api.env.dot_ipa + os.sep + .dmpw +if ipautil.file_exists(pwfile): +fp = open(pwfile, r) +dm_password = fp.read().rstrip() +fp.close() +else: Hello, 1) Can you use os.path.join() instead of + os.sep + please 2) Can you use with statement with file? with open(pwfile, r) as f: dm_password = f.read().rstrip() 3) Please keep PEP8 in new code ./ipatests/test_ipaserver/test_topology_plugin.py:30:80: E501 line too long (102 79 characters) ./ipatests/test_ipaserver/test_topology_plugin.py:33:80: E501 line too long (92 79 characters) ./ipatests/test_ipaserver/test_topology_plugin.py:39:80: E501 line too long (124 79 characters) ./ipatests/test_ipaserver/test_topology_plugin.py:44:80: E501 line too long (92 79 characters) ./ipatests/test_ipaserver/test_topology_plugin.py:45:48: E128 continuation line under-indented for visual indent ./ipatests/test_ipaserver/test_topology_plugin.py:45:80: E501 line too long (89 79 characters) ./ipatests/test_ipaserver/test_topology_plugin.py:46:48: E128 continuation line under-indented for visual indent ./ipatests/test_ipaserver/test_topology_plugin.py:46:80: E501 line too long (89 79 characters) ./ipatests/test_ipaserver/test_topology_plugin.py:58:80: E501 line too long (87 79 characters) 4) Missing nose import raise nose.SkipTest(No directory manager password in %s % pwfile) 5) Can you use sets here instead of sorted lists? 
assert(sorted(entry.keys()) == sorted(pluginattrs.keys())) Martin^2 1) Sorry, I didn't notice before, but there is missing header in that file. 2) You don't need to specify ldap_uri, you just need to call ldap2(api), by default api.env.ldap_uri is used, which is the same as you specified 3) Can you indent values of dict which are on newline? It is readable better. u'nsslapd-topo-plugin-shared-config-base': [u'cn=ipa,cn=etc,dc=example,dc=com'], u'nsslapd-pluginDescription': [u'ipa-topology-plugin'], 4) Please use lower F as variable, in python we use capital letters for class definitions with open(pwfile, r) as F: dm_password = F.read().rstrip() Otherwise it works as expected. Martin^2 Sorry. You added there old license format, we now use in new files new format # # Copyright (C) 2015 FreeIPA Contributors see COPYING for license # I cannot apply the last patch $ git am freeipa-ofayans-0001.3-test-topologyplugin-is-listed-among-DS-plugins.patch -3 Applying: Added test - topology plugin is listed among DS plugins fatal: corrupt patch at line 83 Repository lacks necessary blobs to fall back on 3-way merge. Cannot fall back to three-way merge. Fixed. Tested it locally, it applies Thank you ACK -- Martin Basti Pushed to master: e5acd01ed2971be779e788937493844a9926bb96 -- Martin Basti -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] C coding style guide update
On Mon, Jul 27, 2015 at 03:54:22PM +0200, Michal Židek wrote:
>> - Line-comments (//, aka C++ comments) should be still avoided, though
>
> I really do not know what people have against line comments, but this is not the first time I see someone resisting them, so I guess there is some hidden evil in this way of commenting the code. But I am OK if they stay forbidden.

This is only personal preference, no technical reason :-)

I mostly don't like how they look -- for some reason they are much easier for me to skip visually, even with syntax highlighting.
Re: [Freeipa-devel] [PATCH 0050] Fix client ca.crt to match the server's cert
On 22/07/15 10:41, Martin Basti wrote: On 13/07/15 17:55, Martin Basti wrote: On 08/07/15 16:09, Gabe Alford wrote: Thanks, Martin. Update patch attached. I was getting an 'No newline at the end of file' in my environment hence an extra '\n' at the end. Please let me know if you see the same thing. Thanks, Gabe On Wed, Jul 1, 2015 at 2:54 AM, Martin Basti mba...@redhat.com mailto:mba...@redhat.com wrote: On 01/07/15 09:05, Martin Basti wrote: On 30/06/15 17:31, Gabe Alford wrote: On Tue, Jun 30, 2015 at 8:51 AM, Martin Basti mba...@redhat.com wrote: On 16/06/15 16:58, Gabe Alford wrote: I know you guys are busy. Bump for review. Thanks, Gabe On Tue, May 26, 2015 at 8:16 AM, Gabe Alford redhatri...@gmail.com wrote: Hello, Fix for https://fedorahosted.org/freeipa/ticket/3809 Thanks, Gabe I'm getting certificate on server without extra '\n' at the end. So certificate files are not the same. I assume you did a diff of the server /etc/ipa/ca.crt and the client /etc/ipa/ca.crt, right? Did you setup a server and then connect a client (just wonder what your steps were so that I can also reproduce)? Yes. I did that. I will retest it today. Retested and ca.cert on client has extra '\n' at the end. -- Martin Basti -- Martin Basti -- Martin Basti Thank you! ACK -- Martin Basti This patch has not been pushed yet. -- Martin Basti Pushed to master: f7dbaa6382caac118acd6f5379cc7ec691f39b28 -- Martin Basti -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 905, 295 webui: add Kerberos configuration instructions for Chrome
On 27/07/15 13:52, Martin Basti wrote: On 27/07/15 12:06, Martin Basti wrote: On 22/07/15 14:00, Petr Vobornik wrote: * IE section moved at the end * Chrome section added * FF and IE icons removed https://fedorahosted.org/freeipa/ticket/823 ACK -- Martin Basti Pushed to: master: a4be844809179ff0a05286606df1487d81a70022 ipa-4-2: 8e528db8a33938d6954e0d94714b3492a79b3b6d -- Martin Basti Patch fixes Makefile. -- Martin Basti From fceb61415690b736ae7c38aeacaf1867b1c8c3af Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Mon, 27 Jul 2015 16:06:39 +0200 Subject: [PATCH] Remove ico files from Makefile Icons were removed in a4be844809179ff0a05286606df1487d81a70022 but still persist in Makefile. This patch fixes Makefile. https://fedorahosted.org/freeipa/ticket/823 --- install/ui/images/Makefile.am | 2 -- 1 file changed, 2 deletions(-) diff --git a/install/ui/images/Makefile.am b/install/ui/images/Makefile.am index e74d747b79ad14ef2f5b9e539c348670796fec8a..7d85d7e8203ca54f5b8fddeb55d86e106f077140 100644 --- a/install/ui/images/Makefile.am +++ b/install/ui/images/Makefile.am @@ -4,9 +4,7 @@ appdir = $(IPA_DATA_DIR)/ui/images app_DATA = \ facet-tab-off.png \ facet-tab-on.png \ - firefox-icon.png \ header-logo.png \ - ie-icon.png \ login-screen-background.jpg \ login-screen-logo.png \ product-name.png \ -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
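Review bot: the subject says "ico files", but the two entries dropped from app_DATA are firefox-icon.png and ie-icon.png, so "icon files" would describe the change accurately. The commit message could also note that these were the only two names removed in a4be844809179ff0a05286606df1487d81a70022, which makes it easy to confirm that nothing else in the list is stale.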
Re: [Freeipa-devel] [PATCH] 905, 295 webui: add Kerberos configuration instructions for Chrome
On 07/27/2015 04:12 PM, Martin Basti wrote:
> On 27/07/15 13:52, Martin Basti wrote:
>> On 27/07/15 12:06, Martin Basti wrote:
>>> On 22/07/15 14:00, Petr Vobornik wrote:
>>>> * IE section moved at the end
>>>> * Chrome section added
>>>> * FF and IE icons removed
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/823
>>>
>>> ACK
>>>
>>> -- Martin Basti
>>
>> Pushed to:
>> master: a4be844809179ff0a05286606df1487d81a70022
>> ipa-4-2: 8e528db8a33938d6954e0d94714b3492a79b3b6d
>>
>> -- Martin Basti
>
> Patch fixes Makefile.
>
> -- Martin Basti

fixes build, ACK

-- Martin^3 Babinsky
[Freeipa-devel] [PATCH 0002] TEST: Stageuser plugin
Hi, I'm attaching a patch with automated tests for stageuser plugin (https://fedorahosted.org/freeipa/ticket/3813). The user plugin test is affected as well (one class was added). The tests seem a bit of a mess even to myself, but what with the way freeipa behaves I didn't know how else to implement them, but I'm eager to learn how to do it in a nicer way, if someone has a better idea. Lenka From c7b677696ed56649debac01090fe40389bb1d372 Mon Sep 17 00:00:00 2001 From: Lenka Ryznarova lenka.ryznar...@gmail.com Date: Mon, 27 Jul 2015 14:17:58 +0200 Subject: [PATCH] Automated test for stageuser plugin Ticket: https://fedorahosted.org/freeipa/ticket/3813 Test plan: http://www.freeipa.org/page/V4/User_Life-Cycle_Management/Test_Plan --- ipatests/test_xmlrpc/test_stageuser_plugin.py | 753 ++ ipatests/test_xmlrpc/test_user_plugin.py | 255 - 2 files changed, 1002 insertions(+), 6 deletions(-) create mode 100644 ipatests/test_xmlrpc/test_stageuser_plugin.py diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py new file mode 100644 index ..66b61d5c38807c6a771e0532f73b163b67b902f5 --- /dev/null +++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py 
@@ -0,0 +1,753 @@ +# Authors: +# ldoudova ldoud...@redhat.com +# +# Copyright (C) 2008, 2009 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see http://www.gnu.org/licenses/. + + +Test the `ipalib/plugins/stageuser.py` module. + + + +import datetime +import ldap +import re +import functools +import pytest + +from ipalib import api, errors + +from ipatests.test_xmlrpc.ldaptracker import Tracker +from ipatests.test_xmlrpc import objectclasses +from ipatests.test_xmlrpc.xmlrpc_test import (XMLRPC_test, fuzzy_digits, fuzzy_uuid, + fuzzy_password, fuzzy_string, fuzzy_dergeneralizedtime, + add_sid, add_oc, raises_exact) + +from ipatests.util import assert_equal, assert_deepequal, assert_not_equal, raises +from ipapython.dn import DN +from ipatests.test_xmlrpc.test_user_plugin import UserTracker, get_user_dn + +user1 = u'tuser1' +user2 = u'tuser2' +renameduser1 = u'ruser' +group1 = u'group1' +admins_group = u'admins' + +uid = u'123' +gid = u'456' +invalidrealm1 = u'sus...@notfound.org' +invalidrealm2 = u'suser1@b...@notfound.org' + +invaliduser1 = u'+tuser1' +invaliduser2 = u'tuser1234567890123456789012345678901234567890' + +sshpubkey = (u'ssh-rsa B3NzaC1yc2EDAQABAAABAQDGAX3xAeLeaJggwTqMjxNwa6X' + 'HBUAikXPGMzEpVrlLDCZtv00djsFTBi38PkgxBJVkgRWMrcBsr/35lq7P6w8KGI' + 'wA8GI48Z0qBS2NBMJ2u9WQ2hjLN6GdMlo77O0uJY3251p12pCVIS/bHRSq8kHO2' + 
'No8g7KA9fGGcagPfQH+ee3t7HUkpbQkFTmbPPN++r3V8oVUk5LxbryB3UIIVzNm' + 'cSIn3JrXynlvui4MixvrtX6zx+O/bBo68o8/eZD26QrahVbA09fivrn/4h3TM01' + '9Eu/c2jOdckfU3cHUV/3Tno5d6JicibyaoDDK7S/yjdn5jhaz8MSEayQvFkZkiF' + '0L public key test') +sshpubkeyfp = (u'13:67:6B:BF:4E:A2:05:8E:AE:25:8B:A1:31:DE:6F:1B ' +'public key test (ssh-rsa)') + +options_ok = [ +{u'cn': u'name'}, +{u'initials': u'in'}, +{u'displayname': u'display'}, +{u'homedirectory': u'/home/homedir'}, +{u'gecos': u'gecos'}, +{u'loginshell': u'/bin/shell'}, +{u'mail': u'email@email.email'}, +{u'title': u'newbie'}, +{u'krbprincipalname': u'kerberos@%s' % api.env.realm}, +{u'krbprincipalname': u'KERBEROS@%s' % api.env.realm}, +{u'street': u'first street'}, +{u'l': u'prague'}, +{u'st': u'czech'}, +{u'postalcode': u'12345'}, +{u'telephonenumber': u'123456789'}, +{u'facsimiletelephonenumber': u'123456789'}, +{u'mobile': u'123456789'}, +{u'pager': u'123456789'}, +{u'ou': u'engineering'}, +{u'carlicense': u'abc1234'}, +{u'ipasshpubkey': sshpubkey}, +{u'manager': u'auser1'}, +{u'uidnumber': uid}, +{u'gidnumber': gid}, +{u'uidnumber': uid, u'gidnumber': gid}, +{u'userpassword': u'Secret123'}, +{u'random': True}, +] + +class StageUserTracker(Tracker): + Tracker class for staged user LDAP object + +Implements helper functions for host plugin. +StageUserTracker object stores information about the user. + + +retrieve_keys = {u'uid', u'givenname', u'sn', u'homedirectory',
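Review bot: the header of the new test_stageuser_plugin.py carries the long GPL block with "Copyright (C) 2008, 2009 Red Hat", while new files on this list are asked to use the short form "# Copyright (C) 2015 FreeIPA Contributors see COPYING for license". In the same file the StageUserTracker docstring says it "Implements helper functions for host plugin", which looks copied from another tracker and should name the stageuser plugin. The `from ipatests.test_xmlrpc.xmlrpc_test import (...)` and `from ipatests.util import ...` lines also run past 79 columns.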
Re: [Freeipa-devel] [PATCH 018] certprofile-import: improve profile format documentation
On 24/07/15 04:06, Fraser Tweedale wrote: On Thu, Jul 23, 2015 at 06:25:25PM +0200, Christian Heimes wrote: The certprofile-import plugin expects a raw Dogtag config file. The XML format is not supported. --help gives a hint about the correct file format. https://fedorahosted.org/freeipa/ticket/5089 ACK, but IMO this does not complete 5089. I will add more commentary to the plugin documentation in a separate patch. Thanks, Fraser Pushed to: master: 2596adb312700a6133a4405851af9aec62941cd9 ipa-4-2: b4722beb78cafcb196c10392a48b22022a425e8e From 1344425af2886797ec9cef40a325e56a8d1752eb Mon Sep 17 00:00:00 2001 From: Christian Heimes chei...@redhat.com Date: Thu, 23 Jul 2015 18:22:19 +0200 Subject: [PATCH] certprofile-import: improve profile format documentation The certprofile-import plugin expects a raw Dogtag config file. The XML format is not supported. --help gives a hint about the correct file format. https://fedorahosted.org/freeipa/ticket/5089 --- ipalib/plugins/certprofile.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py index 5550ed942521dbab2e783fba1570520268f9b378..ae75d43d7412d0df7c09a33c16c833995d9a3fe4 100644 --- a/ipalib/plugins/certprofile.py +++ b/ipalib/plugins/certprofile.py @@ -220,7 +220,7 @@ class certprofile_import(LDAPCreate): msg_summary = _('Imported profile %(value)s') takes_options = ( File('file', -label=_('Filename'), +label=_('Filename of a raw profile. The XML format is not supported.'), cli_name='file', flags=('virtual_attribute',), ), -- 2.4.3 -- Martin Basti -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
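Review bot: the format hint is placed in `label=` of the File('file', ...) option, and the label is the short text shown wherever the option is named, so the sentence "The XML format is not supported." will appear in prompts as well as in --help. Consider keeping `label=_('Filename')` and moving the explanation to `doc=`, where it reads as help text. The new `label=` line is also longer than 79 columns.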
Re: [Freeipa-devel] [PATCH] Use Exception class instead of StandardError
On 29/06/15 08:41, Niranjan wrote: Martin Basti wrote: On 10/06/15 00:59, Niranjan wrote: Niranjan wrote: Greetings, Please find the modified patch for ipapython/adminutil.py. I have run few tests manually like running ipa-server-install as non-root user or provide --quiet and --verbose to see if it raises ScriptError properly. Also i checked by running ipa-server-install and using CTRL-C to break and see if the KeyboardInterrupt is properly caught. Please let me know your views on this. Regards Niranjan ACK for IPA 4.3, I don't feel brave enough to push it into IPA 4.2. Also, would be nice to have migrated all occurrences of StandardError to Exception, before push. I actually intend to do that, but i thought i will start small and do this from one file before i proceed further, I can send patch which migrates all occurance of standardError to Exception. Pushed to master: 7d2823040593a4207cfce834a5c6840464fab64b Martin^2 Niranjan wrote: Greetings, I would like to present patch for replacing StandardError exception with Exception class in ipapython/adminutil.py. Also replacing BaseException class with Exception class. Though the use of StandardError is many places. I would like to start with ipapython/adminutil.py This is my first patch. Please let me know if my approach on this is correct. Could anyone have a look at this please. Regards Niranjan From 018312f76952ea86c8c6e2396657e0531d2d61ba Mon Sep 17 00:00:00 2001 From: Niranjan Mallapadi mrniran...@redhat.com Date: Mon, 1 Jun 2015 09:41:05 +0530 Subject: [PATCH] Use Exception class instead of BaseException 1. Replace BaseException with Exception class. 2. Remove StandardError and use Exception class. StandError is deprecated (Python3) 3 .From python3.0 use of , is not recommended, instead use as keyword (PEP 3110) Signed-off-by: Niranjan Mallapadi mrniran...@redhat.com --- ipapython/admintool.py | 11 +-- 1 file changed, 9 insertions(+), 2 deletions(-) 
diff --git a/ipapython/admintool.py b/ipapython/admintool.py index d55bd18499ac427db8adc0c04096bc2aabdc2bbd..891232b9f387182ac5dbfb279a6f666805261ba1 100644 --- a/ipapython/admintool.py +++ b/ipapython/admintool.py @@ -32,7 +32,7 @@ from ipapython import config from ipapython import ipa_log_manager -class ScriptError(StandardError): +class ScriptError(Exception): An exception that records an error message and a return value def __init__(self, msg='', rval=1): @@ -169,13 +169,20 @@ class AdminTool(object): self.ask_for_options() self.setup_logging() return_value = self.run() -except BaseException, exception: +except Exception as exception: traceback = sys.exc_info()[2] error_message, return_value = self.handle_error(exception) if return_value: self.log_failure(error_message, return_value, exception, traceback) return return_value +except SystemExit as exception: +traceback = sys.exc_info()[2] +error_message, return_value = self.handle_error(exception) +if return_value: +self.log_failure(error_message, return_value, exception, +traceback) +return return_value self.log_success() return return_value -- 1.9.3 Removed an attachment of 322 bytes with the following headers: Content-Type: application/pgp-signature -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code -- Martin Basti -- Martin Basti -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
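Review bot: the added `except SystemExit as exception:` branch in the second hunk repeats the body of the `except Exception` branch line for line; `except (Exception, SystemExit) as exception:` handles both with one block. Narrowing from BaseException also means KeyboardInterrupt no longer reaches handle_error() and log_failure(), so an interrupt during run() now propagates without being logged; if that is intended, say so in the commit message, otherwise add KeyboardInterrupt to the tuple. The subject mentions only BaseException although the first hunk also changes the base class of ScriptError, and the message has "StandError" for StandardError.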
Re: [Freeipa-devel] C coding style guide update
On 07/26/2015 10:09 PM, Jakub Hrozek wrote:

On Thu, Jul 23, 2015 at 06:21:25PM +0200, Michal Židek wrote:

Hi,

in SSSD we use the freeipa coding guidelines which are located here: http://www.freeipa.org/page/Coding_Style

However this coding style guide is already dated and there are some rules we follow in SSSD which are not mentioned in the guide and also there are some C language features that we would like to start using in certain way but their usage should be covered in the coding style guide. So, update is needed (at least for SSSD).

I would like to start discussion about what to add to the coding guide (and maybe what to remove), but before that, I would like to propose to move the coding style guide to SSSD wiki and just add link to it to FreeIPA wiki. The reason is that unlike FreeIPA, most of the SSSD code is written in C and SSSD team will more likely update and modify the guide according to new practices used in upstream development, where FreeIPA is mostly Python project and C coding style probably does not need revision as often. So SSSD wiki seems like more appropriate place.

Another possibility would be to fork the FreeIPA style and maintain SSSD coding style guide separately. But I think linking the two is better option, because the two projects are closely related and it makes sense to share the coding style guidelines.

So, my first question is, Is someone against moving the C coding style guide to SSSD wiki and adding link to it on FreeIPA wiki?

I don't really mind where the coding style is located as long as it's on one place (no forks please) and the existing link points to a new version (if any).

As per updating the coding standards, I would like to propose to:

- explicitly say that C99 is fine to use. It's 2015 and any compiler that doesn't support C99 at this point is probably dead and should be avoided (Hello, MSVC!). We use stdbool.h and variadic macros already anyway.
- Line-comments (//, aka C++ comments) should be still avoided, though
- Variable Length arrays are very helpful, but explicitly mention they should be used with caution, especially if array size might come from the user
- Also, I would warn about interleaved variable declarations. I think it's fine to declare some helper variable inside a for loop for example, but generally it might be better to refactor the function if we find out there's so many variables that the code author ends up declaring them inside blocks.

Personally, I would even go as far as to allow the __cleanup__ attribute. I really like how the systemd codebase uses it to define helper destructors like:

    /* the cleanup handler is passed a pointer to the variable */
    void closep(int *fd)
    {
        if (*fd >= 0) {
            close(*fd);
        }
    }
    #define _cleanup_(x) __attribute__((cleanup(x)))
    #define _cleanup_close_ _cleanup_(closep)

Then safely declare a file descriptor as:

    _cleanup_close_ int fdf = -1;

..and stop worrying about closing the fd in all branches. It's not portable, but seriously...are there any compilers except gcc and clang that are used at all these days??

Location of the C coding style guide was discussed on FreeIPA dev call. Conclusion was the same as Jakub's opinion: no fork, link from the other, it doesn't matter if it is in SSSD or FreeIPA wiki.
--
Petr Vobornik
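The cleanup-attribute pattern discussed in the message above, as an added example that is not code from the thread, SSSD or systemd: a function with several early returns that never closes its descriptor by hand. `read_first_byte()` and `last_fd` are hypothetical names introduced here, and the example assumes gcc or clang on Linux.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* A cleanup handler receives a pointer to the variable leaving scope. */
static void closep(int *fd)
{
    if (*fd >= 0) {
        close(*fd);
    }
}

#define _cleanup_(f) __attribute__((cleanup(f)))   /* gcc and clang only */
#define _cleanup_close_ _cleanup_(closep)

/* Hypothetical: records the descriptor from the last successful open(),
 * so a caller can confirm afterwards that it was closed. */
static int last_fd = -1;

/* Hypothetical helper: returns the first byte of path, or -errno.
 * No branch closes fd by hand; closep() runs on every return. */
static int read_first_byte(const char *path)
{
    _cleanup_close_ int fd = -1;
    unsigned char byte;
    ssize_t n;

    fd = open(path, O_RDONLY);
    if (fd < 0) {
        return -errno;      /* closep() sees -1 and does nothing */
    }
    last_fd = fd;

    n = read(fd, &byte, 1);
    if (n < 0) {
        return -errno;      /* error path: closep() closes fd */
    }
    if (n == 0) {
        return -ENODATA;    /* empty file: closep() closes fd */
    }
    return byte;            /* success: closep() closes fd */
}

int main(void)
{
    int rc = read_first_byte("/dev/zero");
    printf("rc=%d, fd %d still open: %s\n", rc, last_fd,
           fcntl(last_fd, F_GETFD) == -1 ? "no" : "yes");
    return 0;
}
```

The return expression is evaluated before the handler runs, so `-errno` is not disturbed by the `close()` call in `closep()`.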
Re: [Freeipa-devel] [PATCH] 905 webui: add Kerberos configuration instructions for Chrome
On 22/07/15 14:00, Petr Vobornik wrote:

* IE section moved at the end
* Chrome section added
* FF and IE icons removed

https://fedorahosted.org/freeipa/ticket/823

ACK
--
Martin Basti
[Freeipa-devel] [patch 0007] tests: Allow Tracker.dn be an instance of Fuzzy
Hi,

the patch changes the check on the Tracker.dn setter, allowing the use of an instance of ipatests.util.Fuzzy to ease writing Trackers for plugins like CA ACL, which use ipaUniqueID as their primary key.

Thanks,
Milan

From 0d586dffbb424f8292faa90ea92021b075b34926 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Milan=20Kub=C3=ADk?= mku...@redhat.com Date: Mon, 27 Jul 2015 11:08:46 +0200 Subject: [PATCH] tests: Allow Tracker.dn be an instance of Fuzzy Some of the IPA LDAP entries are using ipaUniqueID as the primary key. To match this UUID based attribute in assert_deepequal, an instance of Fuzzy class must be used. This change adds the possibility to assign the Fuzzy object as the DN for the tracked entry. The user may need to override the rdn and name properties for the class using the Fuzzy DN. --- ipatests/test_xmlrpc/ldaptracker.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ipatests/test_xmlrpc/ldaptracker.py b/ipatests/test_xmlrpc/ldaptracker.py index d9763e116d43daa16fa21cc808968bb8d8b1dcc3..9cc44f8a6ba688a1b76c385498b0893d434ae60f 100644 --- a/ipatests/test_xmlrpc/ldaptracker.py +++ b/ipatests/test_xmlrpc/ldaptracker.py @@ -11,6 +11,7 @@ import functools from ipalib import api, errors from ipapython.dn import DN from ipapython.version import API_VERSION +from ipatests.util import Fuzzy class Tracker(object): @@ -88,8 +89,8 @@ class Tracker(object): @dn.setter def dn(self, value): -if not isinstance(value, DN): -raise ValueError('The value must be an instance of DN.') +if not (isinstance(value, DN) or isinstance(value, Fuzzy)): +raise ValueError('The value must be an instance of DN or Fuzzy.') self._dn = value @property -- 2.4.6
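Review bot: in the dn setter hunk (@@ -88,8 +89,8 @@), the commit message's caveat that a class using a Fuzzy DN may need to override the rdn and name properties is not recorded anywhere in the code; a docstring or comment on the setter would keep that requirement visible to whoever writes the next Tracker. As a style point, the two isinstance() calls can be collapsed into `isinstance(value, (DN, Fuzzy))`.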
Re: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi
On Sun, 2015-07-26 at 21:51 +0200, Michael Šimáček wrote:

It would probably be nicer to do the full cycle, but I'd like to avoid changes in behavior when porting from one library to another. And the code above doesn't actually hold any connection, so it would require more refactoring to make that happen. For now I would follow what the original code was doing. As for the exceptions, I think it would actually be justifiable to use the raw api's init_sec_context, because the high level api would just do the same call + the exception handling magic, which we want to avoid for now. Please let me know what you think.

Attaching updated patch that uses 'unicode' instead of raw.display_name and reverts back to using init_sec_context.

Sorry, but we should really not use the raw API here. If it means more changes to the code, so be it, please use the high level API as recommended by Robbie, we wrote a better API so that people would use it, and we want to apply best practices when changing code in IPA.

Simo.