Re: [Freeipa-devel] [PATCH 0329] Tests: fix user tracker
On 10/20/2015 06:21 PM, Martin Basti wrote:
> On 20.10.2015 15:53, Martin Basti wrote:
>> On 19.10.2015 14:16, Martin Basti wrote:
>>> On 19.10.2015 12:30, Martin Basti wrote:
>>>> Attribute nsaccountlock has not been processed correctly.
>>>> Patch attached.
>>> Self-NACK, more fixes required.
>> Updated patch attached, but it still needs to improve because tests in my patch 331 are still failing.
> Eternal self-NACK for this patch.
> I'm not able to fix UserTracker; I need help from somebody with a higher view of how this tracker is supposed to work.
> Follow my patch 0331.

Hi,
I'll take a look at it today.

Lenka
--
Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHSET] Replica promotion patches
On 20/10/15 06:32, Martin Babinsky wrote: On 10/15/2015 08:14 PM, Simo Sorce wrote: On 15/10/15 11:39, Martin Basti wrote: Without this patch the ipa-ca-install is broken in current master. Unexpected error - see /var/log/ipareplica-ca-install.log for details: AttributeError: Values instance has no attribute 'promote' Should be fixed with the attached patches. NACK, in patch 551 you add a test for non-existent CLI option into main method: @@ -198,10 +251,20 @@ def main(): if os.geteuid() != 0: sys.exit("\nYou must be root to run this script.\n") -if filename is not None: -install_replica(safe_options, options, filename) -else: -install_master(safe_options, options) +try: +if options.replica or filename is not None: +install_replica(safe_options, options, filename) +else: +install_master(safe_options, options) + +finally: +# Clean up if we created custom credentials +created_ccache_file = getattr(options, 'created_ccache_file', None) +if created_ccache_file is not None: +try: +os.unlink(created_ccache_file) +except OSError: +pass I guess you wanted to add '--replica' option to the CA installer but since it was not added to option parser the installer explodes. # ipa-ca-install Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. Unexpected error - see /var/log/ipareplica-ca-install.log for details: AttributeError: Values instance has no attribute 'replica' The attached patch should address this problem now. Simo. -- Simo Sorce * Red Hat, Inc * New York >From 5d5de8c3e1c6d5ce24dd9860e112547bb8705612 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Thu, 20 Aug 2015 17:10:23 -0400 Subject: [PATCH] Allow ipa-ca-install to use the new promotion code This makes it possible to install a CA after-the-fact on a server that has been promoted (and has no replica file available). Signed-off-by: Simo Sorce --- install/tools/ipa-ca-install | 132 ++- ipaserver/install/ca.py | 2 - 2 files changed, 92 insertions(+), 42 deletions(-) 
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 6564e4d0304d4e189b133c495b75f200b04e2988..0a76b3dd32a7673a2bbe81c1659d38a700be13da 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -21,12 +21,16 @@ import sys import os import shutil +import tempfile from ipapython import ipautil from ipaserver.install import installutils from ipaserver.install import certs from ipaserver.install.installutils import create_replica_config +from ipaserver.install.installutils import check_creds, ReplicaConfig from ipaserver.install import dsinstance, ca +from ipaserver.install import cainstance, custodiainstance +from ipapython import dogtag from ipapython import version from ipalib import api from ipapython.dn import DN @@ -67,6 +71,8 @@ def parse_options(): type="choice", choices=('SHA1withRSA', 'SHA256withRSA', 'SHA512withRSA'), help="Signing algorithm of the IPA CA certificate") +parser.add_option("-P", "--principal", dest="principal", sensitive=True, + default=None, help="User allowed to manage replicas") options, args = parser.parse_args() safe_options = parser.get_safe_opts(options) 
@@ -101,20 +107,16 @@ def get_dirman_password(): def install_replica(safe_options, options, filename): -standard_logging_setup(log_file_name, debug=options.debug) - -root_logger.debug('%s was invoked with argument "%s" and options: %s', -sys.argv[0], filename, safe_options) -root_logger.debug('IPA version %s', version.VENDOR_VERSION) - -if not ipautil.file_exists(filename): -sys.exit("Replica file %s does not exist" % filename) - -if not dsinstance.DsInstance().is_configured(): -sys.exit("IPA server is not configured on this system.\n") - -api.bootstrap(in_server=True) -api.finalize() +domain_level = dsinstance.get_domain_level(api) +if domain_level > 0: +options.promote = True +else: +options.promote = False +if not ipautil.file_exists(filename): +sys.exit("Replica file %s does not exist" % filename) + +# Check if we have admin creds already, otherwise acquire them +check_creds(options, api.env.realm) # get the directory manager password dirman_password = options.password @@ -132,13 +134,36 @@ def install_replica(safe_options, options, filename): options.unattended: sys.exit('admin password required') -config = create_replica_config(dirman_password, filename, options) +if options.promote: +config = ReplicaConfig() +config.master_host_name = None +config.realm_name = api.env.realm +config
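Review bot: in the install_replica hunk, `if not ipautil.file_exists(filename): sys.exit("Replica file %s does not exist" % filename)` appears to run unconditionally after `options.promote` is set, yet the commit message says a promoted server has no replica file, so on the promotion path filename will be None and the installer would exit with "Replica file None does not exist"; if the indentation was not just lost in the mail (the check belonging under the `else:`), guard it with `if not options.promote`. The same hunk removes `api.bootstrap(in_server=True)` / `api.finalize()` and the `dsinstance.DsInstance().is_configured()` check while calling `dsinstance.get_domain_level(api)` as the first statement; the hunk does not show where bootstrap moved, so please confirm main() finalizes the api before either install path. The literal in `if domain_level > 0:` should also be `MIN_DOMAIN_LEVEL` from ipalib.constants, which the replica-prepare patch in this digest already imports, so the two tools cannot drift.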
Re: [Freeipa-devel] [PATCH 0331] User plugin: allow multiple managers per user - CLI part
On 20.10.2015 16:07, Martin Basti wrote: On 20.10.2015 15:57, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5344 Patch attached. Test are failing, a fix in UserTracker has to be done (partially in my patch 329) SelfNACK, I forgot to add stageuser tests Updated patch attached. I extracted tests to the separate patch, tests do not work, I had issues with user and stageuser trackers. From 250c5d3f2f5e47b19c628115ecd9df8a71d357dc Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Tue, 20 Oct 2015 18:39:57 +0200 Subject: [PATCH] Allow multiple managers per user - CLI part https://fedorahosted.org/freeipa/ticket/5344 --- API.txt| 12 ++-- VERSION| 4 ++-- ipalib/plugins/baseuser.py | 7 +-- 3 files changed, 13 insertions(+), 10 deletions(-) diff --git a/API.txt b/API.txt index 873c6d54221a0c1657b5457bd9dceedb4adf06b3..896df430aaa1952c0fe4af4672b78f1ad11da45e 100644 --- a/API.txt +++ b/API.txt @@ -4225,7 +4225,7 @@ option: Str('krbprincipalname', attribute=True, autofill=True, cli_name='princip option: Str('l', attribute=True, cli_name='city', multivalue=False, required=False) option: Str('loginshell', attribute=True, cli_name='shell', multivalue=False, required=False) option: Str('mail', attribute=True, cli_name='email', multivalue=True, required=False) -option: Str('manager', attribute=True, cli_name='manager', multivalue=False, required=False) +option: Str('manager', attribute=True, cli_name='manager', multivalue=True, required=False) option: Str('mobile', attribute=True, cli_name='mobile', multivalue=True, required=False) option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Str('ou', attribute=True, cli_name='orgunit', multivalue=False, required=False) 
@@ -4285,7 +4285,7 @@ option: Str('krbprincipalname', attribute=True, autofill=False, cli_name='princi option: Str('l', attribute=True, autofill=False, cli_name='city', multivalue=False, query=True, required=False) option: Str('loginshell', attribute=True, autofill=False, cli_name='shell', multivalue=False, query=True, required=False) option: Str('mail', attribute=True, autofill=False, cli_name='email', multivalue=True, query=True, required=False) -option: Str('manager', attribute=True, autofill=False, cli_name='manager', multivalue=False, query=True, required=False) +option: Str('manager', attribute=True, autofill=False, cli_name='manager', multivalue=True, query=True, required=False) option: Str('mobile', attribute=True, autofill=False, cli_name='mobile', multivalue=True, query=True, required=False) option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Str('not_in_group*', cli_name='not_in_groups', csv=True) @@ -4342,7 +4342,7 @@ option: DateTime('krbprincipalexpiration', attribute=True, autofill=False, cli_n option: Str('l', attribute=True, autofill=False, cli_name='city', multivalue=False, required=False) option: Str('loginshell', attribute=True, autofill=False, cli_name='shell', multivalue=False, required=False) option: Str('mail', attribute=True, autofill=False, cli_name='email', multivalue=True, required=False) -option: Str('manager', attribute=True, autofill=False, cli_name='manager', multivalue=False, required=False) +option: Str('manager', attribute=True, autofill=False, cli_name='manager', multivalue=True, required=False) option: Str('mobile', attribute=True, autofill=False, cli_name='mobile', multivalue=True, required=False) option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Str('ou', attribute=True, autofill=False, cli_name='orgunit', multivalue=False, required=False) 
@@ -5172,7 +5172,7 @@ option: Str('krbprincipalname', attribute=True, autofill=True, cli_name='princip option: Str('l', attribute=True, cli_name='city', multivalue=False, required=False) option: Str('loginshell', attribute=True, cli_name='shell', multivalue=False, required=False) option: Str('mail', attribute=True, cli_name='email', multivalue=True, required=False) -option: Str('manager', attribute=True, cli_name='manager', multivalue=False, required=False) +option: Str('manager', attribute=True, cli_name='manager', multivalue=True, required=False) option: Str('mobile', attribute=True, cli_name='mobile', multivalue=True, required=False) option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('noprivate', autofill=True, cli_name='noprivate', default=False) @@ -5261,7 +5261,7 @@ option: Str('krbprincipalname', attribute=True, autofill=False, cli_name='princi option: Str('l', attribute=True, autofill=False, cli_name='city', multivalue=False, query=True, required=False) option: Str('loginshell', attribute=True, autofill=False, cli_name='shell', multivalue=False, query=True, required=False) option: Str('mail', attribute=True, autofill=False, cli_name='email', multivalue=True, query=True, required=False) -option: Str('manager', attribute=True, autofill=Fals
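Review bot: the API.txt hunks switch `manager` to `multivalue=True` on both the stageuser commands (4225, 4285, 4342) and the user commands (5172, 5261), which means `--manager=` on user-mod now replaces the whole list instead of a single DN; the diffstat lists the VERSION bump and the baseuser.py change, but this mail is cut off before them, and the commit message should state how an existing single manager is added to or removed (re-listing all managers vs. `--addattr`/`--delattr manager=`), since that is the behaviour the separate test patch has to cover.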
[Freeipa-devel] [PATCHES] 737-742 More Python3 porting
Yet another batch of py3 patches. We're getting closer: if this was merged, my WIP branch that passes ipapython & ipalib tests under py3 would currently be down to: 8 files changed, 73 insertions(+), 23 deletions(-) -- Petr Viktorin From d2689e85c3f5ffcf30d3524740c45a648d134110 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Tue, 6 Oct 2015 13:54:33 +0200 Subject: [PATCH] Handle binascii.Error from base64.b64decode() In Python 3, the base64.b64decode function raises binascii.Error (a ValueError subclass) when it finds incorrect padding. In Python 2 it raises TypeError. Callers should usually handle ValueError; unless they are specifically concerned with handling base64 padding issues). In some cases, callers should handle ValueError: - ipalib.pkcs10 (get_friendlyname, load_certificate_request): callers should handle ValueError - ipalib.x509 (load_certificate*, get_*): callers should handle ValueError In other cases ValueError is handled: - ipalib.parameters - ipapython.ssh - ipalib.rpc (json_decode_binary - callers already expect ValueError) - ipaserver.install.ldapupdate Elsewhere no error handling is done, because values come from trusted sources, or are pre-validated: - vault plugin - ipaserver.install.cainstance - ipaserver.install.certs - ipaserver.install.ipa_otptoken_import --- ipalib/parameters.py | 2 +- ipalib/plugins/cert.py | 6 -- ipaplatform/redhat/tasks.py| 2 +- ipapython/ssh.py | 2 +- ipaserver/install/ipa_cacert_manage.py | 2 +- ipaserver/install/ldapupdate.py| 2 +- ipatests/test_pkcs10/test_pkcs10.py| 7 +++ 7 files changed, 12 insertions(+), 11 deletions(-) diff --git a/ipalib/parameters.py b/ipalib/parameters.py index ef8814eeb68c4461c8ffc341a897f9322aababd3..dadd87d6a328bdb4297f9b6bd51602b24b8d300a 100644 --- a/ipalib/parameters.py +++ b/ipalib/parameters.py 
@@ -1383,7 +1383,7 @@ def _convert_scalar(self, value, index=None): if isinstance(value, unicode): try: value = base64.b64decode(value) -except TypeError as e: +except (TypeError, ValueError) as e: raise Base64DecodeError(reason=str(e)) return super(Bytes, self)._convert_scalar(value, index) diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py index e4593200e01addea31c8fcda981fbe1d65058c27..b4ea2feae5de9ffc020709092f79791d99472ffc 100644 --- a/ipalib/plugins/cert.py +++ b/ipalib/plugins/cert.py @@ -21,6 +21,8 @@ import os import time +import binascii + from ipalib import Command, Str, Int, Bytes, Flag, File from ipalib import api from ipalib import errors @@ -156,7 +158,7 @@ def validate_csr(ugettext, csr): return try: request = pkcs10.load_certificate_request(csr) -except TypeError as e: +except (TypeError, binascii.Error) as e: raise errors.Base64DecodeError(reason=str(e)) except Exception as e: raise errors.CertificateOperationError(error=_('Failure decoding Certificate Signing Request: %s') % e) @@ -368,7 +370,7 @@ def execute(self, csr, **kw): subject = pkcs10.get_subject(csr) extensions = pkcs10.get_extensions(csr) subjectaltname = pkcs10.get_subjectaltname(csr) or () -except (NSPRError, PyAsn1Error) as e: +except (NSPRError, PyAsn1Error, ValueError) as e: raise errors.CertificateOperationError( error=_("Failure decoding Certificate Signing Request: %s") % e) diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py index 446e2886eedca11e66c9e7e6a3d778cd35af0cb6..94d2cb4e906965a20bcfdd55f38854005091c26f 100644 --- a/ipaplatform/redhat/tasks.py +++ b/ipaplatform/redhat/tasks.py 
@@ -210,7 +210,7 @@ def insert_ca_certs_into_systemwide_ca_store(self, ca_certs): issuer = x509.get_der_issuer(cert, x509.DER) serial_number = x509.get_der_serial_number(cert, x509.DER) public_key_info = x509.get_der_public_key_info(cert, x509.DER) -except (NSPRError, PyAsn1Error) as e: +except (NSPRError, PyAsn1Error, ValueError) as e: root_logger.warning( "Failed to decode certificate \"%s\": %s", nickname, e) continue diff --git a/ipapython/ssh.py b/ipapython/ssh.py index 02f577e8b3228c528d474c9468ad4b640dbf682b..a625c422c49a3b0e9082f4351fde7450a4c839d7 100644 --- a/ipapython/ssh.py +++ b/ipapython/ssh.py @@ -102,7 +102,7 @@ def _parse_base64(self, key): try: key = base64.b64decode(key) -except (TypeError, binascii.Error): +except (TypeError, ValueError): return False return self._parse_raw(key) diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py index a2242fd3df383af9b8aed2aed142ea8cc8a4ef90..66cba891fad4b679ae51a4a11a094de341c24e88 100644 --- a/ipaserv
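Review bot: in the ipalib/plugins/cert.py validate_csr hunk, `except (TypeError, binascii.Error) as e:` does not follow the rule stated in the commit message that callers handle ValueError: binascii.Error is a ValueError subclass on Python 3 and is not what b64decode raises on Python 2 (that is the TypeError), so `except (TypeError, ValueError)`, as this same patch does in parameters.py and ssh.py, covers both interpreters and the new `import binascii` can be dropped. Since the following `except Exception` branch would otherwise turn a padding error into CertificateOperationError, a one-line comment that the order of the two except clauses is deliberate would help.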
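The commit message above explains that base64.b64decode() fails with TypeError on Python 2 and with binascii.Error (a ValueError subclass) on Python 3, and that most callers should simply handle ValueError. What the message does not say is that b64decode() by default also silently discards characters outside the base64 alphabet before decoding, so "handle the exception" alone does not reject malformed input. The following is an added example, not code from Petr's patch or from FreeIPA: a decoder that folds both interpreters' exceptions into one application-level error type and rejects junk characters, bad padding and embedded whitespace instead of ignoring them. The names Base64DecodeError, b64decode_strict, b64decode_lenient and b64decode_or_none are this example's own and are not IPA APIs.

```python
"""Added example (not FreeIPA code): one error type for base64 decoding on
Python 2 and 3, plus strict validation that the default decoder lacks."""
import base64
import binascii
import re

# Base64 alphabet followed by at most two padding characters.  The check is
# done by hand so Python 2, which has no validate= keyword, behaves the same.
# \Z (not $) so a trailing newline cannot slip past the pattern.
_B64_RE = re.compile(r'[A-Za-z0-9+/]*={0,2}\Z')


class Base64DecodeError(ValueError):
    """Raised for any malformed base64 input, whatever the interpreter raised.

    Subclassing ValueError keeps callers that already catch ValueError working.
    """


def b64decode_strict(value):
    """Return the decoded bytes of *value* or raise Base64DecodeError.

    *value* may be text or bytes.  Characters outside the alphabet, wrong
    length/padding and whitespace are all rejected; the default decoder would
    silently drop the junk and decode what is left.
    """
    if isinstance(value, bytes):
        text = value.decode('ascii', 'replace')   # non-ASCII becomes U+FFFD, rejected below
    else:
        text = value
    if len(text) % 4 or not _B64_RE.match(text):
        raise Base64DecodeError('non-base64 character or incorrect padding')
    try:
        return base64.b64decode(text.encode('ascii'))
    except (TypeError, ValueError, binascii.Error) as e:
        # TypeError: Python 2 padding error; binascii.Error/ValueError: Python 3.
        raise Base64DecodeError(str(e))


def b64decode_or_none(value):
    """Caller pattern from the patch's ssh.py: signal failure with a sentinel
    instead of an exception, but still only for Base64DecodeError."""
    try:
        return b64decode_strict(value)
    except Base64DecodeError:
        return None


def b64decode_lenient(value):
    """The stock behaviour, kept only to contrast it with the strict decoder:
    non-alphabet characters are discarded, not reported."""
    return base64.b64decode(value)
```

Run against the constructed inputs in the test, `b64decode_lenient('aGVs$bG8=')` quietly returns b'hello' while `b64decode_strict` refuses the same string; that difference is why a parameter that accepts base64 from a client should validate the alphabet and not only catch the decode exception.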
Re: [Freeipa-devel] [PATCH 0329] Tests: fix user tracker
On 20.10.2015 15:53, Martin Basti wrote:
> On 19.10.2015 14:16, Martin Basti wrote:
>> On 19.10.2015 12:30, Martin Basti wrote:
>>> Attribute nsaccountlock has not been processed correctly.
>>> Patch attached.
>> Self-NACK, more fixes required.
> Updated patch attached, but it still needs to improve because tests in my patch 331 are still failing.

Eternal self-NACK for this patch.
I'm not able to fix UserTracker; I need help from somebody with a higher view of how this tracker is supposed to work.
Follow my patch 0331.
Re: [Freeipa-devel] [PATCH 0086] disable ipa-replica prepare in non-zero domain levels
On 10/20/2015 04:27 PM, Martin Babinsky wrote:
> On 10/19/2015 04:51 PM, Martin Babinsky wrote:
>> On 10/19/2015 02:47 PM, Martin Basti wrote:
>>> On 15.10.2015 16:29, Martin Babinsky wrote:
>>>> https://fedorahosted.org/freeipa/ticket/5175
>>> NACK
>>> with domain level 0
>>> ipa-replica-prepare
>>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in execute
>>>     self.ask_for_options()
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 215, in ask_for_options
>>>     bind_pw=self.dirman_password)
>>>   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 61, in connect
>>>     self.id, threading.currentThread().getName()
>>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: Exception: connect: 'context.ldap2_140616703529424' already exists in thread 'MainThread'
>>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: connect: 'context.ldap2_140616703529424' already exists in thread 'MainThread'
>>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: The ipa-replica-prepare command failed.
>>> without your patch it works
>>> Martin^2
>> The function was leaking an opened backend connection due to incorrect disconnect logic. Updated patch should fix this.
> Reworked patch attached, which uses an existing function in dsinstance.py to check the domain level. However, note that it may require my patch 0088 to function correctly.

Attaching updated patch.

--
Martin^3 Babinsky

From b5bcfdc951c7072a0f70d71f26e9a3ce87bbe3ce Mon Sep 17 00:00:00 2001
From: Martin Babinsky Date: Thu, 15 Oct 2015 16:07:48 +0200 Subject: [PATCH 1/2] disable ipa-replica-prepare in non-zero IPA domain level the original replica installation path (ipa-replica-prepare + ipa-replica-install) remains valid only when IPA domain level is zero. When this is not the case, ipa-replica-prepare will print out an error message which instructs the user to use the new replica promotion machinery to setup replicas. https://fedorahosted.org/freeipa/ticket/5175 --- ipaserver/install/ipa_replica_prepare.py | 28 +++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py index 2b4a60e16bd23f9d4c8e0135708950a6cc40db9a..c573428ed59147cbfe22944787726fc817284680 100644 --- a/ipaserver/install/ipa_replica_prepare.py +++ b/ipaserver/install/ipa_replica_prepare.py @@ -41,7 +41,21 @@ from ipapython import version from ipalib import api from ipalib import errors from ipaplatform.paths import paths -from ipalib.constants import CACERT +from ipalib.constants import CACERT, MIN_DOMAIN_LEVEL + + +UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE = """ +Replica creation using '{command_name}' to generate replica file +is supported only in {min_domain_level}-level IPA domain. + +The current IPA domain level is {curr_domain_level} and thus the replica must +be created by promoting an existing IPA client. + +To set up a replica use the following procedure: +1.) set up a client on the host using 'ipa-client-install' +2.) promote the client to replica running 'ipa-replica-install' +*without* replica file specified +""" class ReplicaPrepare(admintool.AdminTool): @@ -161,6 +175,8 @@ class ReplicaPrepare(admintool.AdminTool): api.bootstrap(in_server=True) api.finalize() +self.check_domainlevel(api) + if api.env.host == self.replica_fqdn: raise admintool.ScriptError("You can't create a replica on itself") 
@@ -673,3 +689,13 @@ class ReplicaPrepare(admintool.AdminTool): '-w', dm_pwd_fd.name, '-o', ca_file ]) + +def check_domainlevel(self, api): +domain_level = dsinstance.get_domain_level(api) +if domain_level > MIN_DOMAIN_LEVEL: +raise RuntimeError( +UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE.format( +command_name=self.command_name, +min_domain_level=MIN_DOMAIN_LEVEL, +curr_domain_level=domain_level) +) -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
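Review bot: check_domainlevel raises RuntimeError, which is not the exception type this file already uses for a user-facing refusal; ask_for_options raises `admintool.ScriptError("You can't create a replica on itself")` a few lines after the new `self.check_domainlevel(api)` call, so raise admintool.ScriptError with the formatted template here too, so the message is printed the same way and the tool exits with its normal error status instead of an unexpected-error path. The `api` parameter of `def check_domainlevel(self, api):` also shadows the module-level `from ipalib import api` that the caller passes in; either drop the parameter or give it a distinct name.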
Re: [Freeipa-devel] [PATCH 0088] fix dsinstance.py:get_domain_level function
On 20.10.2015 12:49, Martin Babinsky wrote:
> During review of Simo's patches I have found some inconsistencies between the 'get_domain_level' function definition and its usage. This little patch fixes them.

ACK

Pushed to master: 98bf90e4cecb38fc72a0b598a6e6a50fee284f31
Re: [Freeipa-devel] [PATCHSET] Replica promotion patches
On 20/10/15 06:32, Martin Babinsky wrote: On 10/15/2015 08:14 PM, Simo Sorce wrote: On 15/10/15 11:39, Martin Basti wrote: Without this patch the ipa-ca-install is broken in current master. Unexpected error - see /var/log/ipareplica-ca-install.log for details: AttributeError: Values instance has no attribute 'promote' Should be fixed with the attached patches. NACK, in patch 551 you add a test for non-existent CLI option into main method: @@ -198,10 +251,20 @@ def main(): if os.geteuid() != 0: sys.exit("\nYou must be root to run this script.\n") -if filename is not None: -install_replica(safe_options, options, filename) -else: -install_master(safe_options, options) +try: +if options.replica or filename is not None: +install_replica(safe_options, options, filename) +else: +install_master(safe_options, options) + +finally: +# Clean up if we created custom credentials +created_ccache_file = getattr(options, 'created_ccache_file', None) +if created_ccache_file is not None: +try: +os.unlink(created_ccache_file) +except OSError: +pass I guess you wanted to add '--replica' option to the CA installer but since it was not added to option parser the installer explodes. # ipa-ca-install Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. Unexpected error - see /var/log/ipareplica-ca-install.log for details: AttributeError: Values instance has no attribute 'replica' Argh! Sorry, this use was exactly one of the reason I had to introduce the --replica switch, I will have to rework a bunch of code to detect if we are a replica or a master, I will hopefully have a revised patch in a few hours. Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
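Review bot: in the quoted main() hunk, `except OSError: pass` around `os.unlink(created_ccache_file)` swallows the failure silently, and the file it is trying to remove is a credential cache the installer created for admin credentials; log the path at warning level when the unlink fails so an operator knows a ticket cache was left behind, rather than leaving it to be found later. Also, `if options.replica or filename is not None:` reads an option the parser does not define, which is the AttributeError shown above; once `--replica` exists, say in its help text that it is only meaningful without a replica file.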
Re: [Freeipa-devel] [PATCH 0086] disable ipa-replica prepare in non-zero domain levels
On 10/19/2015 04:51 PM, Martin Babinsky wrote:
> On 10/19/2015 02:47 PM, Martin Basti wrote:
>> On 15.10.2015 16:29, Martin Babinsky wrote:
>>> https://fedorahosted.org/freeipa/ticket/5175
>> NACK
>> with domain level 0
>> ipa-replica-prepare
>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in execute
>>     self.ask_for_options()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 215, in ask_for_options
>>     bind_pw=self.dirman_password)
>>   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 61, in connect
>>     self.id, threading.currentThread().getName()
>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: Exception: connect: 'context.ldap2_140616703529424' already exists in thread 'MainThread'
>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: connect: 'context.ldap2_140616703529424' already exists in thread 'MainThread'
>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: The ipa-replica-prepare command failed.
>> without your patch it works
>> Martin^2
> The function was leaking an opened backend connection due to incorrect disconnect logic. Updated patch should fix this.

Reworked patch attached, which uses an existing function in dsinstance.py to check the domain level. However, note that it may require my patch 0088 to function correctly.

--
Martin^3 Babinsky

From ff54c17fdd39cc06e5cc0241a12edb0a22f7caac Mon Sep 17 00:00:00 2001
From: Martin Babinsky Date: Thu, 15 Oct 2015 16:07:48 +0200 Subject: [PATCH] disable ipa-replica-prepare in non-zero IPA domain level the original replica installation path (ipa-replica-prepare + ipa-replica-install) remains valid only when IPA domain level is zero. When this is not the case, ipa-replica-prepare will print out an error message which instructs the user to use the new replica promotion machinery to setup replicas. https://fedorahosted.org/freeipa/ticket/5175 --- ipaserver/install/ipa_replica_prepare.py | 26 +- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py index 2b4a60e16bd23f9d4c8e0135708950a6cc40db9a..df79bdfcee71ea9675007d6f80d97f29106624bf 100644 --- a/ipaserver/install/ipa_replica_prepare.py +++ b/ipaserver/install/ipa_replica_prepare.py @@ -41,7 +41,21 @@ from ipapython import version from ipalib import api from ipalib import errors from ipaplatform.paths import paths -from ipalib.constants import CACERT +from ipalib.constants import CACERT, MIN_DOMAIN_LEVEL + + +UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE = """ +Replica creation using '{}' to generate replica file is supported only +in {}-level IPA domain. + +The current IPA domain level is {} and thus the replica must be created by +promoting an existing IPA client. + +To set up a replica use the following procedure: +1.) set up a client on the host using 'ipa-client-install' +2.) promote the client to replica running 'ipa-replica-install' *without* +replica file specified +""" class ReplicaPrepare(admintool.AdminTool): @@ -161,6 +175,8 @@ class ReplicaPrepare(admintool.AdminTool): api.bootstrap(in_server=True) api.finalize() +self.check_domainlevel(api) + if api.env.host == self.replica_fqdn: raise admintool.ScriptError("You can't create a replica on itself") 
@@ -673,3 +689,11 @@ class ReplicaPrepare(admintool.AdminTool): '-w', dm_pwd_fd.name, '-o', ca_file ]) + +def check_domainlevel(self, api): +domain_level = dsinstance.get_domain_level(api) +if domain_level > MIN_DOMAIN_LEVEL: +raise RuntimeError( +UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE.format( +self.command_name, MIN_DOMAIN_LEVEL, domain_level) +) -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
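Review bot: `UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE.format(self.command_name, MIN_DOMAIN_LEVEL, domain_level)` fills three anonymous `{}` placeholders whose meaning is only visible by counting positions in the template defined ~650 lines earlier; name them (`{command_name}`, `{min_domain_level}`, `{curr_domain_level}`) so the template reads on its own and a reordered argument cannot silently print the wrong number as the domain level.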
Re: [Freeipa-devel] [PATCH 0331] User plugin: allow multiple managers per user - CLI part
On 20.10.2015 15:57, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/5344
> Patch attached.
> Tests are failing; a fix in UserTracker has to be done (partially in my patch 329).

Self-NACK, I forgot to add stageuser tests.
Re: [Freeipa-devel] [PATCH 0084] hide topology segment direction in topology command CLI and webui interface
Verified, works as expected.

On 10/20/2015 03:33 PM, Petr Vobornik wrote:
> On 10/20/2015 01:32 PM, Martin Babinsky wrote:
>> On 10/20/2015 01:05 PM, Petr Vobornik wrote:
>>> On 10/20/2015 09:19 AM, Martin Babinsky wrote:
>>>> On 10/13/2015 07:04 PM, Martin Babinsky wrote:
>>>>> On 10/13/2015 06:55 PM, Martin Babinsky wrote:
>>>>>> mbabinsk - hide segment direction from topology commands
>>>>> Ooops, forgot to regenerate API.txt. Attaching updated patch.
>>>> Ping for review.
>>> The commit message is wrong, it doesn't do anything with the Web UI. Also there is only one patch, not 1/2; otherwise ACK.
>> Yes, the commit message was confusing. I have rewritten it completely. Attaching updated patch.
> ACK
>
> Pushed to master: e0d9a1b47ce6144d57345744d895b63e5b0ea413

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
[Freeipa-devel] [PATCH 0331] User plugin: allow multiple managers per user - CLI part
https://fedorahosted.org/freeipa/ticket/5344 Patch attached. Test are failing, a fix in UserTracker has to be done (partially in my patch 329) From 48cc0be0a83a0a5e24b9753a94f3fee1a7e25bc3 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Fri, 16 Oct 2015 16:45:39 +0200 Subject: [PATCH] Allow multiple managers per user - CLI part https://fedorahosted.org/freeipa/ticket/5344 --- API.txt | 12 +-- VERSION | 4 ++-- ipalib/plugins/baseuser.py | 7 +-- ipatests/test_xmlrpc/test_user_plugin.py | 35 4 files changed, 48 insertions(+), 10 deletions(-) diff --git a/API.txt b/API.txt index cf5446114a9ccffad8d87421b4cd75c92ff267ee..19e00516921c78531eb2101d2148bbe614581add 100644 --- a/API.txt +++ b/API.txt @@ -4225,7 +4225,7 @@ option: Str('krbprincipalname', attribute=True, autofill=True, cli_name='princip option: Str('l', attribute=True, cli_name='city', multivalue=False, required=False) option: Str('loginshell', attribute=True, cli_name='shell', multivalue=False, required=False) option: Str('mail', attribute=True, cli_name='email', multivalue=True, required=False) -option: Str('manager', attribute=True, cli_name='manager', multivalue=False, required=False) +option: Str('manager', attribute=True, cli_name='manager', multivalue=True, required=False) option: Str('mobile', attribute=True, cli_name='mobile', multivalue=True, required=False) option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Str('ou', attribute=True, cli_name='orgunit', multivalue=False, required=False) 
@@ -4285,7 +4285,7 @@ option: Str('krbprincipalname', attribute=True, autofill=False, cli_name='princi option: Str('l', attribute=True, autofill=False, cli_name='city', multivalue=False, query=True, required=False) option: Str('loginshell', attribute=True, autofill=False, cli_name='shell', multivalue=False, query=True, required=False) option: Str('mail', attribute=True, autofill=False, cli_name='email', multivalue=True, query=True, required=False) -option: Str('manager', attribute=True, autofill=False, cli_name='manager', multivalue=False, query=True, required=False) +option: Str('manager', attribute=True, autofill=False, cli_name='manager', multivalue=True, query=True, required=False) option: Str('mobile', attribute=True, autofill=False, cli_name='mobile', multivalue=True, query=True, required=False) option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Str('not_in_group*', cli_name='not_in_groups', csv=True) @@ -4342,7 +4342,7 @@ option: DateTime('krbprincipalexpiration', attribute=True, autofill=False, cli_n option: Str('l', attribute=True, autofill=False, cli_name='city', multivalue=False, required=False) option: Str('loginshell', attribute=True, autofill=False, cli_name='shell', multivalue=False, required=False) option: Str('mail', attribute=True, autofill=False, cli_name='email', multivalue=True, required=False) -option: Str('manager', attribute=True, autofill=False, cli_name='manager', multivalue=False, required=False) +option: Str('manager', attribute=True, autofill=False, cli_name='manager', multivalue=True, required=False) option: Str('mobile', attribute=True, autofill=False, cli_name='mobile', multivalue=True, required=False) option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Str('ou', attribute=True, autofill=False, cli_name='orgunit', multivalue=False, required=False) 
@@ -5172,7 +5172,7 @@ option: Str('krbprincipalname', attribute=True, autofill=True, cli_name='princip option: Str('l', attribute=True, cli_name='city', multivalue=False, required=False) option: Str('loginshell', attribute=True, cli_name='shell', multivalue=False, required=False) option: Str('mail', attribute=True, cli_name='email', multivalue=True, required=False) -option: Str('manager', attribute=True, cli_name='manager', multivalue=False, required=False) +option: Str('manager', attribute=True, cli_name='manager', multivalue=True, required=False) option: Str('mobile', attribute=True, cli_name='mobile', multivalue=True, required=False) option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('noprivate', autofill=True, cli_name='noprivate', default=False) @@ -5261,7 +5261,7 @@ option: Str('krbprincipalname', attribute=True, autofill=False, cli_name='princi option: Str('l', attribute=True, autofill=False, cli_name='city', multivalue=False, query=True, required=False) option: Str('loginshell', attribute=True, autofill=False, cli_name='shell', multivalue=False, query=True, required=False) option: Str('mail', attribute=True, autofill=False, cli_name='email', multivalue=True, query=True, required=False) -option: Str('manager', attribute=True, autofill=False, cli_name='manager', multivalue=False, query=True, required=False) +option: Str('manager', attribute=True, autofill=False, cli_name='manager', multiv
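Review bot: the hunks at 4225, 4285 and 4342 change `manager` to `multivalue=True` for the stageuser add/find/mod commands as well, but the diffstat only touches ipatests/test_xmlrpc/test_user_plugin.py; the stageuser plugin needs matching tests for a second manager, and for removing one of two, before this is complete. The user tests in this same patch also depend on the UserTracker fix from patch 0329, so the test half should either be split out (as the later version of this patch does) or land together with 0329.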
Re: [Freeipa-devel] [PATCH 0329] Tests: fix user tracker
On 19.10.2015 14:16, Martin Basti wrote: On 19.10.2015 12:30, Martin Basti wrote: Attribute nsaccountlock has not been processed correctly Patch attached. Self-NACK, more fixes required Updated patch attached, but it still needs to improve because tests in my patch 331 are still failing. From 7b1fa0d7b9ad8782d2dbb8e98becb6c016183e07 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Mon, 19 Oct 2015 12:21:07 +0200 Subject: [PATCH] Tests: Fix user tracker --- ipatests/test_xmlrpc/test_user_plugin.py | 42 1 file changed, 26 insertions(+), 16 deletions(-) diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py index 18305ad02906a63baafcdf49bd2c93fa39dc4584..a7f2584e986e262ecddd669167e6a684d545d6c9 100644 --- a/ipatests/test_xmlrpc/test_user_plugin.py +++ b/ipatests/test_xmlrpc/test_user_plugin.py @@ -1649,7 +1649,7 @@ class test_denied_bind_with_expired_principal(XMLRPC_test): class UserTracker(Tracker): -""" Class for host plugin like tests """ +""" Class for user plugin like tests """ retrieve_keys = { u'uid', u'givenname', u'sn', u'homedirectory', @@ -1671,7 +1671,7 @@ class UserTracker(Tracker): retrieve_preserved_keys = retrieve_keys - {u'memberof_group'} retrieve_preserved_all_keys = retrieve_all_keys - {u'memberof_group'} -create_keys = retrieve_all_keys | { +create_keys = (retrieve_all_keys - {u'nsaccountlock'}) | { u'randompassword', u'mepmanagedentry', u'krbextradata', u'krbpasswordexpiration', u'krblastpwdchange', u'krbprincipalkey', u'randompassword', u'userpassword' @@ -1680,7 +1680,8 @@ class UserTracker(Tracker): activate_keys = retrieve_all_keys - {u'has_keytab', u'has_password', u'nsaccountlock', u'sshpubkeyfp'} -find_keys = retrieve_keys - {u'mepmanagedentry', u'memberof_group'} +find_keys = retrieve_keys - {u'mepmanagedentry', u'memberof_group', + u'manager'} find_all_keys = retrieve_all_keys - {u'mepmanagedentry', u'memberof_group'} def __init__(self, name, givenname, sn, **kwargs): 
@@ -1692,6 +1693,17 @@ class UserTracker(Tracker): self.kwargs = kwargs +def _fix_nsaccountlock_attr(self, result): +# small override because user-* commands returns different type +# of nsaccountlock value than DS, but overall the value fits +# expected result +if u'nsaccountlock' in result: +if result[u'nsaccountlock'] == [u'true']: +result[u'nsaccountlock'] = True +elif result[u'nsaccountlock'] == [u'false']: +result[u'nsaccountlock'] = False + + def make_create_command(self, force=None): """ Make function that crates a user using user-add """ return self.make_command( @@ -1768,6 +1780,8 @@ class UserTracker(Tracker): has_password=False, mepmanagedentry=[get_group_dn(self.uid)], memberof_group=[u'ipausers'], +nsaccountlock=[u'false'], +preserved=[u'false'] ) for key in self.kwargs: @@ -1811,14 +1825,7 @@ class UserTracker(Tracker): else: expected = self.filter_attrs(self.retrieve_keys) -# small override because stageuser-find returns different type -# of nsaccountlock value than DS, but overall the value fits -# expected result -if u'nsaccountlock' in expected: -if expected[u'nsaccountlock'] == [u'true']: -expected[u'nsaccountlock'] = True -elif expected[u'nsaccountlock'] == [u'false']: -expected[u'nsaccountlock'] = False +self._fix_nsaccountlock_attr(expected) assert_deepequal(dict( value=self.uid, @@ -1828,14 +1835,13 @@ class UserTracker(Tracker): def check_find(self, result, all=False, raw=False): """ Check 'user-find' command result """ -self.attrs[u'nsaccountlock'] = True -self.attrs[u'preserved'] = True - if all: expected = self.filter_attrs(self.find_all_keys) else: expected = self.filter_attrs(self.find_keys) +self._fix_nsaccountlock_attr(expected) + assert_deepequal(dict( count=1, truncated=False, 
@@ -1854,10 +1860,14 @@ class UserTracker(Tracker): def check_update(self, result, extra_keys=()): """ Check 'user-mod' command result """ +expected = self.filter_attrs(self.update_keys | set(extra_keys)) + +self._fix_nsaccountlock_attr(expected) + assert_deepequal(dict( value=self.uid, summary=u'Modified user "%s"' % self.uid, -result=self.filter_attrs(self.update_keys | set(extra_keys)) +result=expected, ), result) def create_from_staged(self, stageduser): @@ -1
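Review bot: in the `@@ -1692` hunk `_fix_nsaccountlock_attr` only recognizes the exact one-element lowercase lists `[u'true']` and `[u'false']`; a DS-style `[u'TRUE']` or a value already stored as a bool passes through untouched and the comparison then fails with a confusing diff. Compare case-insensitively (or accept a bool as-is) and fix the grammar in the comment ("user-* commands return a different type").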
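Review bot: the `@@ -1768` hunk adds `preserved=[u'false']` to the expected attributes next to `nsaccountlock=[u'false']`, but `_fix_nsaccountlock_attr` normalizes only `nsaccountlock`; if the user commands return `preserved` as a bool the same list-vs-bool mismatch this patch fixes will reappear for `preserved`. Either normalize both keys in the helper or store `preserved` in the form the commands actually return.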
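Review bot: the `@@ -1680` hunk drops `u'manager'` from `find_keys` while `find_all_keys` (derived from `retrieve_all_keys`) keeps it, so the two sets now diverge on an attribute with no explanation in the code; add a comment stating why `user-find` without `--all` is not expected to return `manager`, otherwise the next reader will "fix" the asymmetry.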
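Review bot: removing the unconditional `self.attrs[u'nsaccountlock'] = True` / `self.attrs[u'preserved'] = True` from `check_find` in the `@@ -1828` hunk is the right fix (it mutated tracker state on every find and made every tracked user look locked and preserved), but the replacement `self._fix_nsaccountlock_attr(expected)` also mutates its argument in place; this is only safe if `filter_attrs` returns a fresh dict rather than a view of `self.attrs`. Confirm that and say so in the helper's comment so nobody later calls it on `self.attrs` directly.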
Re: [Freeipa-devel] [PATCH 0084] hide topology segment direction in topology command CLI and webui interface
On 10/20/2015 01:32 PM, Martin Babinsky wrote:
On 10/20/2015 01:05 PM, Petr Vobornik wrote:
On 10/20/2015 09:19 AM, Martin Babinsky wrote:
On 10/13/2015 07:04 PM, Martin Babinsky wrote:
On 10/13/2015 06:55 PM, Martin Babinsky wrote:
mbabinsk - hide segment direction from topology commands

Ooops, forgot to regenerate API.txt. Attaching updated patch.

Ping for review.

Commit message is wrong, it doesn't do anything with Web UI. Also there is only one patch, not 1/2, otherwise ACK.

Yes, the commit message was confusing. I have rewritten it completely. Attaching updated patch.

ACK

Pushed to master: e0d9a1b47ce6144d57345744d895b63e5b0ea413

-- Petr Vobornik
Re: [Freeipa-devel] [PATCH 0012-0019] CA ACL tracker and functional test
On 20.10.2015 10:00, Milan Kubík wrote:
On 10/19/2015 01:38 PM, Martin Basti wrote:
On 16.10.2015 15:43, Milan Kubík wrote:
On 09/30/2015 02:47 PM, Martin Basti wrote:
On 09/24/2015 02:49 PM, Milan Kubík wrote:
Hi all,

an update for CA ACL tests! I, with help from M. Babinsky, managed to find a way how to change the identity during acceptance test run, which allows to test CA ACLs (and perhaps other areas with some form of access control). This allowed me to write a test for CA ACLs and certificate profiles that checks if the ACL/profile is being used and enforced. The first several tests are based on Fraser's blogpost using SMIME profile [1].

The master and ipa-4-2 branches diverged a bit, so I had to change two commits when rebasing to ipa-4-2 branch. Commits should be applied in the order (including rebased patches I sent in an earlier email):

master:
* 12 - 17

ipa-4-2:
* 18, 13 - 15, 19, 17

For convenience:
patches on top of master: https://github.com/apophys/freeipa/tree/acl-profile-functional
patches on top of ipa-4-2: https://github.com/apophys/freeipa/tree/acl-42

[1]: https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/

Cheers,
Milan

NACK

0) rpm file does not contain test_xmlrpc/data directory, please modify setup.py.in.
1) Code contains too many TODOs for my taste.
2) Please do not use filter function, use dict comprehension.

Hi,

updated patches and the numbering mess somehow curbed. The patches are rebased on top of current master and ipa-4-2.

0) fixed by 0021
1) docs for tracker extended, added more test cases
2) changed

-- Milan Kubik

I have a few comments:

1)
+# TODO: rewrite these into Tracker instances
+@pytest.fixture(scope='class')
+def smime_user(request):
+    api.Command.user_add(uid=u'alice', givenname=u'Alice', sn=u'SMIME',
+                         userpassword=u'Change123')
+
+    unlock_principal_password('alice', 'Change123', 'Secret123')
+
+    def fin():
+        api.Command.user_del(u'alice')
+    request.addfinalizer(fin)
+
+    return u'alice'

I do not like hardcoded password value, as this password is used in many places in the test, I suggest to use a module variable

Done

2)
+class TestSignWithChangedProfile(XMLRPC_test):
+    """ Test to verify that the updated profile is used."""
+    pass  # import invalid profile, try to sign, expect fail

IMO something is missing here, a test maybe?

Done by using profile with constraint that CSR cannot meet.

3) # noqa
Please remove "# noqa" comments from commits

Done.

-- Milan Kubik

NACK

1) I still see many hardcoded passwords in the code
with change_principal(smime_user, "Secret123"):

2) Also the 'alice' username can be extracted to module variable instead of hardcoding

3) File alice.conf.tmpl can be generalized to be used for more users, replace alice in template to {username} and in code replace this variable with alice, also do not forget to rename template to something more general
Re: [Freeipa-devel] [PATCH 0084] hide topology segment direction in topology command CLI and webui interface
On 10/20/2015 01:05 PM, Petr Vobornik wrote:
On 10/20/2015 09:19 AM, Martin Babinsky wrote:
On 10/13/2015 07:04 PM, Martin Babinsky wrote:
On 10/13/2015 06:55 PM, Martin Babinsky wrote:
mbabinsk - hide segment direction from topology commands

Ooops, forgot to regenerate API.txt. Attaching updated patch.

Ping for review.

Commit message is wrong, it doesn't do anything with Web UI. Also there is only one patch, not 1/2, otherwise ACK.

Yes, the commit message was confusing. I have rewritten it completely. Attaching updated patch.

-- Martin^3 Babinsky

From e35b708c67ae83dad8f0f6d794339eff271ebefc Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Mon, 12 Oct 2015 17:49:50 +0200
Subject: [PATCH] do not ask for segment direction when running topology commands

https://fedorahosted.org/freeipa/ticket/5222
---
 API.txt                    | 2 +-
 VERSION                    | 4 ++--
 ipalib/plugins/topology.py | 1 +
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/API.txt b/API.txt
index cf5446114a9ccffad8d87421b4cd75c92ff267ee..873c6d54221a0c1657b5457bd9dceedb4adf06b3 100644
--- a/API.txt
+++ b/API.txt
@@ -4804,7 +4804,7 @@ arg: Str('topologysuffixcn', cli_name='topologysuffix', multivalue=False, primar arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, primary_key=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') -option: StrEnum('iparepltoposegmentdirection', attribute=True, cli_name='direction', default=u'both', multivalue=False, required=True, values=(u'both', u'left-right', u'right-left')) +option: StrEnum('iparepltoposegmentdirection', attribute=True, autofill=True, cli_name='direction', default=u'both', multivalue=False, required=True, values=(u'both', u'left-right', u'right-left')) option: Str('iparepltoposegmentleftnode', attribute=True, cli_name='leftnode', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9.][a-zA-Z0-9.-]{0,252}[a-zA-Z0-9.$-]?$', required=True) option: Str('iparepltoposegmentrightnode', attribute=True, cli_name='rightnode', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9.][a-zA-Z0-9.-]{0,252}[a-zA-Z0-9.$-]?$', required=True) option: StrEnum('nsds5replicaenabled', attribute=True, cli_name='enabled', multivalue=False, required=False, values=(u'on', u'off')) diff --git a/VERSION b/VERSION index a14b89f289f7d859f381cf78a742a5a5d038d491..cdda198c6ce3148dcf785149dc3ce050782e8caa 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412 # # IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=156 -# Last change: pvoborni - add vault container commands +IPA_API_VERSION_MINOR=157 +# Last change: mbabinsk - hide segment direction from topology commands diff --git a/ipalib/plugins/topology.py b/ipalib/plugins/topology.py index c6b86b5909cf5ef2c02515f7a6cbe4e987a927a9..2b82215e273d959fdb207801ed146b843460bae5 100644 --- a/ipalib/plugins/topology.py +++ b/ipalib/plugins/topology.py 
@@ -105,6 +105,7 @@ class topologysegment(LDAPObject): label=_('Connectivity'), values=(u'both', u'left-right', u'right-left'), default=u'both', +autofill=True, doc=_('Direction of replication between left and right replication ' 'node'), flags={'no_option', 'no_update'}, -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
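Review bot: in the topology.py hunk `iparepltoposegmentdirection` now combines `autofill=True`, `default=u'both'`, `required=True` and the existing `flags={'no_option', 'no_update'}`, which means the direction can no longer be set to `left-right` or `right-left` through `topologysegment-add` at all, not merely that the CLI stops prompting, and `no_update` rules out changing it afterwards. If one-way segments are intentionally unsupported, state that in the param's `doc` and in the commit message instead of only "do not ask for"; if they are still meant to be settable by API clients, the flags need to permit it. The API.txt hunk and the VERSION bump (`IPA_API_VERSION_MINOR` 156 to 157 with the matching "Last change" line) are consistent with the code change.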
[Freeipa-devel] [0089] fix class teardown in user plugin tests
fixes https://fedorahosted.org/freeipa/ticket/5368 -- Martin^3 Babinsky From a13e6204f3941efb2138bf7a4767b4115d99dbce Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Wed, 14 Oct 2015 08:59:08 +0200 Subject: [PATCH] fix class teardown in user plugin tests https://fedorahosted.org/freeipa/ticket/5368 --- ipatests/test_xmlrpc/test_user_plugin.py | 5 + ipatests/test_xmlrpc/xmlrpc_test.py | 11 ++- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py index 18305ad02906a63baafcdf49bd2c93fa39dc4584..3d7b5e6ba14e3ccb144575f52e4e503e6638037d 100644 --- a/ipatests/test_xmlrpc/test_user_plugin.py +++ b/ipatests/test_xmlrpc/test_user_plugin.py @@ -1619,6 +1619,11 @@ class test_denied_bind_with_expired_principal(XMLRPC_test): cls.connection = ldap.initialize('ldap://{host}' .format(host=api.env.host)) +@classmethod +def teardown_class(cls): +cls.failsafe_del(api.Object.user, user1) +super(test_denied_bind_with_expired_principal, cls).teardown_class() + def test_1_bind_as_test_user(self): self.failsafe_add( api.Object.user, diff --git a/ipatests/test_xmlrpc/xmlrpc_test.py b/ipatests/test_xmlrpc/xmlrpc_test.py index 80638e2efdd9d7ff07fd89688397acb7d44654cd..a7251f695bf6cd44d0e472234a7120a800ad6543 100644 --- a/ipatests/test_xmlrpc/xmlrpc_test.py +++ b/ipatests/test_xmlrpc/xmlrpc_test.py 
@@ -195,11 +195,20 @@ class XMLRPC_test(object): :param pk: The primary key of the entry to be created :param options: Kwargs to be passed to obj.add() """ +self.failsafe_del(obj, pk) +return obj.methods['add'](pk, **options) + +@classmethod +def failsafe_del(cls, obj, pk): +""" +Delete an entry if it exists +:param obj: An Object like api.Object.user +:param pk: The primary key of the entry to be deleted +""" try: obj.methods['del'](pk) except errors.NotFound: pass -return obj.methods['add'](pk, **options) IGNORE = """Command %r is missing attribute %r in output entry. -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
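Review bot: the new `teardown_class` in the test_user_plugin.py hunk deletes `user1` but leaves `cls.connection`, the python-ldap connection opened in `setup_class` via `ldap.initialize(...)`, open; call `cls.connection.unbind_s()` before delegating to the parent `teardown_class` so the LDAP socket does not leak across test classes.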
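Review bot: in the xmlrpc_test.py hunk `failsafe_del` catching only `errors.NotFound` matches its "delete if it exists" contract, but `failsafe_add` now calls it unconditionally before every `add`, so an existing entry is silently replaced; mention that in the `failsafe_add` docstring, because a test that relied on `DuplicateEntry` surfacing from `obj.methods['add']` will no longer see it.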
Re: [Freeipa-devel] [PATCH 0084] hide topology segment direction in topology command CLI and webui interface
On 10/20/2015 09:19 AM, Martin Babinsky wrote:
On 10/13/2015 07:04 PM, Martin Babinsky wrote:
On 10/13/2015 06:55 PM, Martin Babinsky wrote:
mbabinsk - hide segment direction from topology commands

Ooops, forgot to regenerate API.txt. Attaching updated patch.

Ping for review.

Commit message is wrong, it doesn't do anything with Web UI. Also there is only one patch, not 1/2, otherwise ACK.

-- Petr Vobornik
[Freeipa-devel] [PATCH 0088] fix dsinstance.py:get_domain_level function
During review of Simo's patches I have found some inconsistencies between 'get_domain_level' function definition and its usage. This little patch fixes them. -- Martin^3 Babinsky From 745231f2cf3b3bd4c1d113052c81387e84339de0 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 20 Oct 2015 10:22:36 +0200 Subject: [PATCH] fix dsinstance.py:get_domain_level function This patch cleans up an unused parameter and fixes the return value when 'ipaDomainLevel' is found: instead of a dict we should return an integer. --- ipaserver/install/dsinstance.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 4c3203e447571e3beb1e7ca9b3e5dfecebb7333e..b1ad2d8902788b7bf8c5bfdbcd8a0c1b1f236998 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -165,7 +165,7 @@ def create_ds_user(): ) -def get_domain_level(self, api=api): +def get_domain_level(api=api): conn = ipaldap.IPAdmin(ldapi=True, realm=api.env.realm) conn.do_external_bind('root') @@ -176,7 +176,7 @@ def get_domain_level(self, api=api): entry = conn.get_entry(dn, ['ipaDomainLevel']) except errors.NotFound: return 0 -return {'result': int(entry.single_value['ipaDomainLevel'])} +return int(entry.single_value['ipaDomainLevel']) INF_TEMPLATE = """ -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
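Review bot: with the bogus `self` removed the signature is `get_domain_level(api=api)` and the return type changes from `{'result': int}` to a bare `int`, but the diffstat touches only dsinstance.py; double-check that every caller already indexes the result as an integer, since any caller still doing `get_domain_level()['result']` would now raise. Also, in the context shown `conn` is created with `IPAdmin(ldapi=True, ...)` and bound via `do_external_bind('root')`, but no `conn.unbind()` appears on either the success or the `NotFound` path; if that is not handled elsewhere, close the connection in a `finally`.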
Re: [Freeipa-devel] [PATCHSET] Replica promotion patches
On 10/15/2015 08:14 PM, Simo Sorce wrote: On 15/10/15 11:39, Martin Basti wrote: Without this patch the ipa-ca-install is broken in current master. Unexpected error - see /var/log/ipareplica-ca-install.log for details: AttributeError: Values instance has no attribute 'promote' Should be fixed with the attached patches. NACK, in patch 551 you add a test for non-existent CLI option into main method: @@ -198,10 +251,20 @@ def main(): if os.geteuid() != 0: sys.exit("\nYou must be root to run this script.\n") -if filename is not None: -install_replica(safe_options, options, filename) -else: -install_master(safe_options, options) +try: +if options.replica or filename is not None: +install_replica(safe_options, options, filename) +else: +install_master(safe_options, options) + +finally: +# Clean up if we created custom credentials +created_ccache_file = getattr(options, 'created_ccache_file', None) +if created_ccache_file is not None: +try: +os.unlink(created_ccache_file) +except OSError: +pass I guess you wanted to add '--replica' option to the CA installer but since it was not added to option parser the installer explodes. # ipa-ca-install Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. Unexpected error - see /var/log/ipareplica-ca-install.log for details: AttributeError: Values instance has no attribute 'replica' -- Martin^3 Babinsky -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
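Review bot: in the quoted `main()` hunk the condition `if options.replica or filename is not None:` evaluates `options.replica` first, so when the parser has no such option the `AttributeError` fires before `filename` is ever consulted, which is exactly the traceback in the log; adding `--replica` to the option parser (and documenting it in the installer's usage text) is the fix. The `try`/`finally` cleanup itself is sound: it reads `created_ccache_file` with `getattr(..., None)` and tolerates `OSError` from `os.unlink`, so only the condition needs to change.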
Re: [Freeipa-devel] Host does not have corresponding DNS A/AAAA record
Hi Martin,

On 10/20/2015 10:26 AM, Martin Basti wrote:
On 20.10.2015 10:17, Oleg Fayans wrote:
On 10/20/2015 10:10 AM, Petr Vobornik wrote:
On 10/20/2015 09:57 AM, Oleg Fayans wrote:
Hi,

I keep hitting a strange issue: when I create a dnsrecord manually and then try to create the host, it complains that the host does not have corresponding DNS A/AAAA record.

ofayans@f22master:~]$ ipa dnsrecord-add
Record name: fortest
Zone name: pesen.net.
Please choose a type of DNS resource record to be added
The most common types for this type of zone are: A, AAAA
DNS resource record type: A
A IP Address: 192.168.122.253
Record name: fortest
A record: 192.168.122.253
ofayans@f22master:~]$ ipa host-add
Host name: fortest.pesen.net
ipa: ERROR: Host does not have corresponding DNS A/AAAA record
ofayans@f22master:~]$ ping fortest
PING fortest.pesen.net (192.168.122.253) 56(84) bytes of data.

The check uses DNS resolution to get the info. Does it work well?

It works, I added an output of ping command to show that

dnsrecord-add and host-add work for me, A record is resolvable.

Do you have configured /etc/resolv.conf properly on host? (or network manager DNS configuration)?

Yes, I did. In fact, I just upgraded the server to the latest version from upstream, and the issue is gone.

Other option is to add host with --ip-address option so you can skip the dnsrecord-add call.

I know, but there must be a way to fix the host if an admin forgot to add this option. So, ideally, I should be able to create a host, then add a dnsrecord, then add a service. Now, obviously it's not the case:

root@f22master:/home/ofayans]$ ping trololo.pesen.net
PING trololo.pesen.net (192.168.122.200) 56(84) bytes of data.
^C
--- trololo.pesen.net ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
root@f22master:/home/ofayans]$ ipa service-add someservice/trololo.pesen.net
ipa: ERROR: Host does not have corresponding DNS A/AAAA record
root@f22master:/home/ofayans]$ ipa dnsrecord-show
Record name: trololo
Zone name: pesen.net.
Record name: trololo
A record: 192.168.122.200

When I then use --force to create the host anyway and then try to add a service to this host, I get the same error:

ofayans@f22master:~]$ ipa service-add
Principal: fortest/fortest.pesen.net
ipa: ERROR: The host 'fortest.pesen.net' does not exist to add a service to.

This error tells that the host entry does not exist.

-- Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
Re: [Freeipa-devel] Host does not have corresponding DNS A/AAAA record
On 20.10.2015 10:17, Oleg Fayans wrote:
On 10/20/2015 10:10 AM, Petr Vobornik wrote:
On 10/20/2015 09:57 AM, Oleg Fayans wrote:
Hi,

I keep hitting a strange issue: when I create a dnsrecord manually and then try to create the host, it complains that the host does not have corresponding DNS A/AAAA record.

ofayans@f22master:~]$ ipa dnsrecord-add
Record name: fortest
Zone name: pesen.net.
Please choose a type of DNS resource record to be added
The most common types for this type of zone are: A, AAAA
DNS resource record type: A
A IP Address: 192.168.122.253
Record name: fortest
A record: 192.168.122.253
ofayans@f22master:~]$ ipa host-add
Host name: fortest.pesen.net
ipa: ERROR: Host does not have corresponding DNS A/AAAA record
ofayans@f22master:~]$ ping fortest
PING fortest.pesen.net (192.168.122.253) 56(84) bytes of data.

The check uses DNS resolution to get the info. Does it work well?

It works, I added an output of ping command to show that

dnsrecord-add and host-add work for me, A record is resolvable.

Do you have configured /etc/resolv.conf properly on host? (or network manager DNS configuration)?

Other option is to add host with --ip-address option so you can skip the dnsrecord-add call.

I know, but there must be a way to fix the host if an admin forgot to add this option. So, ideally, I should be able to create a host, then add a dnsrecord, then add a service. Now, obviously it's not the case:

root@f22master:/home/ofayans]$ ping trololo.pesen.net
PING trololo.pesen.net (192.168.122.200) 56(84) bytes of data.
^C
--- trololo.pesen.net ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
root@f22master:/home/ofayans]$ ipa service-add someservice/trololo.pesen.net
ipa: ERROR: Host does not have corresponding DNS A/AAAA record
root@f22master:/home/ofayans]$ ipa dnsrecord-show
Record name: trololo
Zone name: pesen.net.
Record name: trololo
A record: 192.168.122.200

When I then use --force to create the host anyway and then try to add a service to this host, I get the same error:

ofayans@f22master:~]$ ipa service-add
Principal: fortest/fortest.pesen.net
ipa: ERROR: The host 'fortest.pesen.net' does not exist to add a service to.

This error tells that the host entry does not exist.
Re: [Freeipa-devel] freshly added service is disabled
On 10/20/2015 10:12 AM, Oleg Fayans wrote:
Hi all,

While running the caless tests I've encountered a strange behavior of the service module: when I add a new service and then try to disable it, it says it has been already disabled:

ofayans@f22master:~]$ ipa service-add --force
Principal: totest/trololo.pesen.net
--
Added service "totest/trololo.pesen@pesen.net"
--
Principal: totest/trololo.pesen@pesen.net
Managed by: trololo.pesen.net
ofayans@f22master:~]$ ipa service-disable
Principal: totest/trololo.pesen@pesen.net
ipa: ERROR: This entry is already disabled

ipa help service shows there is no service-enable subcommand. So I have 2 questions:
1. How do I enable previously disabled service?
2. Why is a freshly-created service disabled by default?

Service disable revokes existing certificate, removes it from the service entry and also removes Kerberos principal key. When you create a new service, it does not contain principal key nor a certificate, therefore there is no work to do in disable command and therefore the message.

-- Petr Vobornik
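Petr's explanation defines service-disable by its side effects, which is why a brand-new service reports "already disabled": there is no certificate to revoke and no principal key to drop. The Python below is an added illustration written for this page, not FreeIPA's own implementation; the dict layout of the entry, the `has_keytab` flag and the `revoke` callback are assumptions chosen to mirror the attributes `ipa service-show` reports.

```python
# Added example, not FreeIPA code: a model of the service-disable semantics
# described in the thread. The dict layout, the `has_keytab` flag and the
# `revoke` callback are assumptions made for this illustration.


class AlreadyInactive(Exception):
    """Stands in for the ipa error 'This entry is already disabled'."""


def is_disabled(entry):
    """A service counts as disabled when there is nothing left to revoke or
    strip: no certificate on the entry and no Kerberos principal key."""
    return not entry.get("usercertificate") and not entry.get("has_keytab", False)


def service_disable(entry, revoke):
    """Disable a service the way the thread describes it: revoke every
    certificate through `revoke(cert)`, remove them from the entry and drop
    the principal key. Raises AlreadyInactive when there is no work to do,
    which is precisely the state of a freshly added service."""
    if is_disabled(entry):
        raise AlreadyInactive("This entry is already disabled")
    revoked = []
    for cert in entry.get("usercertificate", []):
        revoke(cert)  # assumed hook standing in for the CA revocation call
        revoked.append(cert)
    entry.pop("usercertificate", None)
    # Dropping the principal key is what invalidates any issued keytab; a
    # later ipa-getkeytab re-creates the key, which is the only "enable" path.
    entry["has_keytab"] = False
    return revoked


def demo():
    """Walk both cases on constructed sample entries: a fresh service and a
    provisioned one with a certificate and a keytab."""
    fresh = {
        "krbprincipalname": ["totest/host.example.test@EXAMPLE.TEST"],
        "managedby_host": ["host.example.test"],
    }
    fresh_result = None
    try:
        service_disable(fresh, revoke=lambda cert: None)
    except AlreadyInactive as exc:
        fresh_result = str(exc)

    provisioned = {
        "krbprincipalname": ["HTTP/host.example.test@EXAMPLE.TEST"],
        "usercertificate": [b"constructed-cert-der-bytes"],
        "has_keytab": True,
    }
    revoked = service_disable(provisioned, revoke=lambda cert: None)
    return fresh_result, revoked, is_disabled(provisioned)


if __name__ == "__main__":
    print(demo())
```

The model makes the second question in the thread concrete: "disabled" is not a stored flag but the absence of credentials, so there is no `service-enable` to call; issuing a keytab (or a certificate) is what brings the service back.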
Re: [Freeipa-devel] Host does not have corresponding DNS A/AAAA record
On 10/20/2015 10:10 AM, Petr Vobornik wrote:
On 10/20/2015 09:57 AM, Oleg Fayans wrote:
Hi,

I keep hitting a strange issue: when I create a dnsrecord manually and then try to create the host, it complains that the host does not have corresponding DNS A/AAAA record.

ofayans@f22master:~]$ ipa dnsrecord-add
Record name: fortest
Zone name: pesen.net.
Please choose a type of DNS resource record to be added
The most common types for this type of zone are: A, AAAA
DNS resource record type: A
A IP Address: 192.168.122.253
Record name: fortest
A record: 192.168.122.253
ofayans@f22master:~]$ ipa host-add
Host name: fortest.pesen.net
ipa: ERROR: Host does not have corresponding DNS A/AAAA record
ofayans@f22master:~]$ ping fortest
PING fortest.pesen.net (192.168.122.253) 56(84) bytes of data.

The check uses DNS resolution to get the info. Does it work well?

It works, I added an output of ping command to show that

Other option is to add host with --ip-address option so you can skip the dnsrecord-add call.

I know, but there must be a way to fix the host if an admin forgot to add this option. So, ideally, I should be able to create a host, then add a dnsrecord, then add a service. Now, obviously it's not the case:

root@f22master:/home/ofayans]$ ping trololo.pesen.net
PING trololo.pesen.net (192.168.122.200) 56(84) bytes of data.
^C
--- trololo.pesen.net ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
root@f22master:/home/ofayans]$ ipa service-add someservice/trololo.pesen.net
ipa: ERROR: Host does not have corresponding DNS A/AAAA record
root@f22master:/home/ofayans]$ ipa dnsrecord-show
Record name: trololo
Zone name: pesen.net.
Record name: trololo
A record: 192.168.122.200

When I then use --force to create the host anyway and then try to add a service to this host, I get the same error:

ofayans@f22master:~]$ ipa service-add
Principal: fortest/fortest.pesen.net
ipa: ERROR: The host 'fortest.pesen.net' does not exist to add a service to.

This error tells that the host entry does not exist.

-- Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
[Freeipa-devel] freshly added service is disabled
Hi all,

While running the caless tests I've encountered a strange behavior of the service module: when I add a new service and then try to disable it, it says it has been already disabled:

ofayans@f22master:~]$ ipa service-add --force
Principal: totest/trololo.pesen.net
--
Added service "totest/trololo.pesen@pesen.net"
--
Principal: totest/trololo.pesen@pesen.net
Managed by: trololo.pesen.net
ofayans@f22master:~]$ ipa service-disable
Principal: totest/trololo.pesen@pesen.net
ipa: ERROR: This entry is already disabled

ipa help service shows there is no service-enable subcommand. So I have 2 questions:
1. How do I enable previously disabled service?
2. Why is a freshly-created service disabled by default?

-- Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
Re: [Freeipa-devel] Host does not have corresponding DNS A/AAAA record
On 10/20/2015 09:57 AM, Oleg Fayans wrote:
Hi,

I keep hitting a strange issue: when I create a dnsrecord manually and then try to create the host, it complains that the host does not have corresponding DNS A/AAAA record.

ofayans@f22master:~]$ ipa dnsrecord-add
Record name: fortest
Zone name: pesen.net.
Please choose a type of DNS resource record to be added
The most common types for this type of zone are: A, AAAA
DNS resource record type: A
A IP Address: 192.168.122.253
Record name: fortest
A record: 192.168.122.253
ofayans@f22master:~]$ ipa host-add
Host name: fortest.pesen.net
ipa: ERROR: Host does not have corresponding DNS A/AAAA record
ofayans@f22master:~]$ ping fortest
PING fortest.pesen.net (192.168.122.253) 56(84) bytes of data.

The check uses DNS resolution to get the info. Does it work well?

Other option is to add host with --ip-address option so you can skip the dnsrecord-add call.

When I then use --force to create the host anyway and then try to add a service to this host, I get the same error:

ofayans@f22master:~]$ ipa service-add
Principal: fortest/fortest.pesen.net
ipa: ERROR: The host 'fortest.pesen.net' does not exist to add a service to.

This error tells that the host entry does not exist.

-- Petr Vobornik
Re: [Freeipa-devel] [PATCH 0012-0019] CA ACL tracker and functional test
On 10/19/2015 01:38 PM, Martin Basti wrote:
On 16.10.2015 15:43, Milan Kubík wrote:
On 09/30/2015 02:47 PM, Martin Basti wrote:
On 09/24/2015 02:49 PM, Milan Kubík wrote:
Hi all,

an update for CA ACL tests! I, with help from M. Babinsky, managed to find a way how to change the identity during acceptance test run, which allows to test CA ACLs (and perhaps other areas with some form of access control). This allowed me to write a test for CA ACLs and certificate profiles that checks if the ACL/profile is being used and enforced. The first several tests are based on Fraser's blogpost using SMIME profile [1].

The master and ipa-4-2 branches diverged a bit, so I had to change two commits when rebasing to ipa-4-2 branch. Commits should be applied in the order (including rebased patches I sent in an earlier email):

master:
* 12 - 17

ipa-4-2:
* 18, 13 - 15, 19, 17

For convenience:
patches on top of master: https://github.com/apophys/freeipa/tree/acl-profile-functional
patches on top of ipa-4-2: https://github.com/apophys/freeipa/tree/acl-42

[1]: https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/

Cheers,
Milan

NACK

0) rpm file does not contain test_xmlrpc/data directory, please modify setup.py.in.
1) Code contains too many TODOs for my taste.
2) Please do not use filter function, use dict comprehension.

Hi,

updated patches and the numbering mess somehow curbed. The patches are rebased on top of current master and ipa-4-2.

0) fixed by 0021
1) docs for tracker extended, added more test cases
2) changed

-- Milan Kubik

I have a few comments:

1)
+# TODO: rewrite these into Tracker instances
+@pytest.fixture(scope='class')
+def smime_user(request):
+    api.Command.user_add(uid=u'alice', givenname=u'Alice', sn=u'SMIME',
+                         userpassword=u'Change123')
+
+    unlock_principal_password('alice', 'Change123', 'Secret123')
+
+    def fin():
+        api.Command.user_del(u'alice')
+    request.addfinalizer(fin)
+
+    return u'alice'

I do not like hardcoded password value, as this password is used in many places in the test, I suggest to use a module variable

Done

2)
+class TestSignWithChangedProfile(XMLRPC_test):
+    """ Test to verify that the updated profile is used."""
+    pass  # import invalid profile, try to sign, expect fail

IMO something is missing here, a test maybe?

Done by using profile with constraint that CSR cannot meet.

3) # noqa
Please remove "# noqa" comments from commits

Done.

-- Milan Kubik

From d3599a45ecb7d3bc8e5364fde239769291672ca2 Mon Sep 17 00:00:00 2001
From: Milan Kubík
Date: Fri, 7 Aug 2015 15:54:18 +0200
Subject: [PATCH 3/6] tests: add test to check the default ACL

Also includes basic ACL manipulation and adding and removing members to/from the acl.

https://fedorahosted.org/freeipa/ticket/57
---
 ipatests/test_xmlrpc/test_caacl_plugin.py | 135 --
 1 file changed, 128 insertions(+), 7 deletions(-)

diff --git a/ipatests/test_xmlrpc/test_caacl_plugin.py b/ipatests/test_xmlrpc/test_caacl_plugin.py
index 6cf835b229f70797e32bcfd2309cfa7be5732f51..33268d6dde115ce040e55eaae08a7fe1299ad112 100644
--- a/ipatests/test_xmlrpc/test_caacl_plugin.py
+++ b/ipatests/test_xmlrpc/test_caacl_plugin.py
@@ -6,20 +6,20 @@ Test the `ipalib.plugins.caacl` module. """ -import os - import pytest -from ipapython import ipautil -from ipalib import errors, x509 -from ipapython.dn import DN +from ipalib import errors from ipatests.test_xmlrpc.ldaptracker import Tracker from ipatests.test_xmlrpc.xmlrpc_test import (XMLRPC_test, fuzzy_caacldn, - fuzzy_uuid, fuzzy_ipauniqueid, - raises_exact) + fuzzy_uuid, fuzzy_ipauniqueid) + from ipatests.test_xmlrpc import objectclasses from ipatests.util import assert_deepequal +# reuse the fixture +from ipatests.test_xmlrpc.test_certprofile_plugin import default_profile +from ipatests.test_xmlrpc.test_stageuser_plugin import StageUserTracker + class CAACLTracker(Tracker): """Tracker class for CA ACL LDAP object. @@ -376,3 +376,124 @@ class CAACLTracker(Tracker): command = self.make_command(u'caacl_disable', self.name) self.attrs.update({u'ipaenabledflag': [u'FALSE']}) command() + + +@pytest.fixture(scope='class') +def default_acl(request): +name = u'hosts_services_caIPAserviceCert' +tracker = CAACLTracker(name, service_category=u'all', host_category=u'all') +tracker.track_create() +tracker.attrs.update( +{u'ipamembercertprofile_certprofile': [u'caIPAserviceCert']}) +return tracker + + +@pytest.fixture(scope='class') +def crud_acl(request): +name = u'crud-acl' +tracker = CAACLTracker(name) + +return tracker.make_fixture(reques
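Review bot: the two imports added at the end of the first hunk under `# reuse the fixture` (`default_profile` from test_certprofile_plugin and `StageUserTracker` from test_stageuser_plugin) are only picked up implicitly by pytest fixture injection, so pyflakes will flag them as unused imports unless they are referenced in the module, which is presumably what the now-removed `# noqa` comments were covering; a shared fixture such as `default_profile` belongs in a `conftest.py` under ipatests/test_xmlrpc, which avoids both the lint warning and the import of one test module from another. The comment itself should also say which of the two names is the fixture, since `StageUserTracker` is a tracker class, not a fixture.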
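Review bot: in the second hunk, `default_acl(request)` declares `request` but never uses it and registers no finalizer, while the neighbouring `crud_acl` hands `request` to `tracker.make_fixture(request)`; if the intent is that `default_acl` only tracks the pre-existing `hosts_services_caIPAserviceCert` ACL (hence `tracker.track_create()` instead of creating it) and must never be deleted on teardown, add a docstring stating that and drop the unused parameter, so that a later reader does not mistake it for a fixture whose cleanup was forgotten.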
[Freeipa-devel] Host does not have corresponding DNS A/AAAA record
Hi, I keep hitting a strange issue: when I create a dnsrecord manually and then try to create the host, it complains that the host does not have a corresponding DNS A/AAAA record.

[ofayans@f22master ~]$ ipa dnsrecord-add
Record name: fortest
Zone name: pesen.net.
Please choose a type of DNS resource record to be added
The most common types for this type of zone are: A, AAAA
DNS resource record type: A
A IP Address: 192.168.122.253
Record name: fortest
A record: 192.168.122.253

[ofayans@f22master ~]$ ipa host-add
Host name: fortest.pesen.net
ipa: ERROR: Host does not have corresponding DNS A/AAAA record

[ofayans@f22master ~]$ ping fortest
PING fortest.pesen.net (192.168.122.253) 56(84) bytes of data.

When I then use --force to create the host anyway and then try to add a service to this host, I get the same error:

[ofayans@f22master ~]$ ipa service-add
Principal: fortest/fortest.pesen.net
ipa: ERROR: The host 'fortest.pesen.net' does not exist to add a service to.

-- Oleg Fayans, Quality Engineer, FreeIPA team, Red Hat

-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0084] hide topology segment direction in topology command CLI and webui interface
On 10/13/2015 07:04 PM, Martin Babinsky wrote:
On 10/13/2015 06:55 PM, Martin Babinsky wrote:

mbabinsk - hide segment direction from topology commands

Ooops forgot to regenerate API.txt. Attaching updated patch.

Ping for review.

-- Martin^3 Babinsky