Re: [Freeipa-devel] [RFC] Matching and Mapping Certificates
On Thu, Oct 06, 2016 at 12:49:30PM +0200, Sumit Bose wrote:
> Question, do we need search-and-replace at all (or at this
> stage)? Most of the interesting values from the SAN should be
> directly map-able to LDAP attributes. And processing the string
> representation of might be tricky as discussed below.
> Nevertheless the following might be possible:
>
> * /regexp/replacement/
> * /regexp/replacement/
>
> where "/regexp/replacement/" stands for optional sed-like
> substitution rules. E.g. a rule like
>
> /^CN=\([^,]*\).*$/\1/
>
> would take the subject string
> 'CN=Certuser,CN=Users,DC=example,DC=com' from the certificate and
> generate an LDAP search filter component
> '(samAccountName=Certuser)' which can be included in an LDAP search
> filter which includes additional components like e.g. an
> objectClass.
>

A counter-proposal w.r.t. DN mapping:

Where OID is either an actual OID or the corresponding string i.e. "CN", "O", etc. This would extract the "most specific" (leftmost in the LDAP sense, rightmost in the X.500 sense) attribute value of the specified type from the Subject DN.

IMO this would cover most DN mapping use cases whilst avoiding regex or confusion about RDN order. Therefore your original example of:

/^CN=\([^,]*\).*$/\1/

can be accomplished with:

In the spirit of "make the simple things simple, and the hard things possible" it is probably necessary to retain the regex variant to handle more complex DN mapping use cases, e.g. where there are multiple occurrences of a single attribute type, a particular fixed RDN must be matched, etc.

w.r.t. SAN mapping, I concur that search/replace is probably not needed.

Cheers,
Fraser

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [RFC] Matching and Mapping Certificates
Sumit Bose wrote:
> On Thu, Oct 06, 2016 at 10:33:48AM -0400, Rob Crittenden wrote:
>> Sumit Bose wrote:
>>> Hi,
>>
>> Wow, this is really great.
>
> Hi Rob, thank you for the feedback.
>
>> I think I'd pre-plan to support different configuration per issuer subject, with one named default. It shouldn't be a lot more work and will future-proof things for you, particularly in how the rules are stored in LDAP.
>>
>> I worry a bit about matching without comparing the certificate for the case where you don't examine issuer.
>
> Do I understand it correctly that you are looking for rules which will always and only match for certificate from a given issuer? E.g. if all matching rules will have the set like
>
> CN=ca,DC=abd,DC=com clientAuth
> CN=ca,DC=def,DC=com msScLogin
>
> certificates from the abc issue must have clientAuth set to be valid for authentication and certificates from issuer def must have msScLogin set. But you are right, if one rule does not have issuer set like
>
> CN=ca,DC=abd,DC=com clientAuth msScLogin
>
> then a certificate from issuer abc which does not have clientAuth set but msScLogin would be accepted as well.
>
> Do you think it would help to make a required field but allow that the lazy admin can just enter a '*' to match any issuer?

Yes, that is basically what I was proposing, and mostly to ensure that the data is stored in such a way that adding rules per issuer would be easy/possible in the future. It probably hits 80/20 by supporting only a single set of rules for the 1.0 release.

>> You may want to have an option to require that the presented cert match the one stored in LDAP (off by default). I realize that you specifically mention this can be problematic, but it can also be quite useful. It can be used, for example, to disable a login by removing the certificate from the user's entry. It also ensures that some carefully crafted certificate doesn't allow a bad actor to map to a user account.
>
> This happens when no mapping rule is given. Then SSSD will fall back to search/map the user with the whole certificate. And if the certificate is removed from the LDAP entry of the user Smartcard authentication will fail as soon as the user entry in the cache of SSSD is expired.

I wonder if some might want both at the same time. Match using rules and then also confirm the certificate matches, if it is available in the entry, with a require/optional setting to decide what to do in case the cert isn't in LDAP.

rob
[Freeipa-devel] [freeipa PR#108][comment] Bump pki min version and add commentary about sub-CA revocation on delete
URL: https://github.com/freeipa/freeipa/pull/108
Title: #108: Bump pki min version and add commentary about sub-CA revocation on delete

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/6b3f4984296f3caff8f29490eae3ed1dca64b8c3
https://fedorahosted.org/freeipa/changeset/2b8163ab5dfcf28a9eba319ef685046ae9d8b5e8

ipa-4-4:
https://fedorahosted.org/freeipa/changeset/358e50b2e194d3ae3d0e8c22c774a24ab84d8be1
https://fedorahosted.org/freeipa/changeset/810c38efce6a3911b39e29b7aac010e467ef25a7
"""

See the full comment at https://github.com/freeipa/freeipa/pull/108#issuecomment-252031461
[Freeipa-devel] [freeipa PR#108][+pushed] Bump pki min version and add commentary about sub-CA revocation on delete
URL: https://github.com/freeipa/freeipa/pull/108
Title: #108: Bump pki min version and add commentary about sub-CA revocation on delete
Label: +pushed
[Freeipa-devel] [freeipa PR#108][closed] Bump pki min version and add commentary about sub-CA revocation on delete
URL: https://github.com/freeipa/freeipa/pull/108
Author: frasertweedale
Title: #108: Bump pki min version and add commentary about sub-CA revocation on delete
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/108/head:pr108
git checkout pr108
[Freeipa-devel] [freeipa PR#115][closed] Don't show traceback when ipa config file is not an absolute path
URL: https://github.com/freeipa/freeipa/pull/115
Author: tomaskrizek
Title: #115: Don't show traceback when ipa config file is not an absolute path
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/115/head:pr115
git checkout pr115
[Freeipa-devel] [freeipa PR#115][comment] Don't show traceback when ipa config file is not an absolute path
URL: https://github.com/freeipa/freeipa/pull/115
Title: #115: Don't show traceback when ipa config file is not an absolute path

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/d7a2dfddbc2dc9ae4cea7d65e56d61a6a4d2b928
https://fedorahosted.org/freeipa/changeset/0dea726466b5971cf74b9e8b7e33af0618e5842c
"""

See the full comment at https://github.com/freeipa/freeipa/pull/115#issuecomment-252030530
[Freeipa-devel] [freeipa PR#123][comment] Tests: Remove silent deleting and creating entries by tracker
URL: https://github.com/freeipa/freeipa/pull/123
Title: #123: Tests: Remove silent deleting and creating entries by tracker

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/74e52e86867372365d1d63561f7d1ff961b89ee0
"""

See the full comment at https://github.com/freeipa/freeipa/pull/123#issuecomment-252029305
[Freeipa-devel] [freeipa PR#123][+pushed] Tests: Remove silent deleting and creating entries by tracker
URL: https://github.com/freeipa/freeipa/pull/123
Title: #123: Tests: Remove silent deleting and creating entries by tracker
Label: +pushed
[Freeipa-devel] [freeipa PR#139][comment] WebUI: Vault Management
URL: https://github.com/freeipa/freeipa/pull/139
Title: #139: WebUI: Vault Management

mbasti-rh commented:
"""
Yeah, and I forgot to write:

11) There should be information in the webUI that secrets can be added to/retrieved from a vault only by using vault-archive and vault-retrieve from the CLI
"""

See the full comment at https://github.com/freeipa/freeipa/pull/139#issuecomment-252018655
[Freeipa-devel] [freeipa PR#139][comment] WebUI: Vault Management
URL: https://github.com/freeipa/freeipa/pull/139
Title: #139: WebUI: Vault Management

mbasti-rh commented:
"""
1) I created a shared vault, but I cannot see it in 'Shared Vaults', it is shown only in 'My Vaults', i.e. it was created as a user vault according to the CLI

2) 'My Vaults': I expected that it will show all vaults created by me, but it is not true, it shows only my user vaults. Can we set the name to something more explicit, like 'My User Vaults', or is it too much and only I'm dumb?

3) I broke it, I cannot add a vault, the adder dialog just shows and instantly disappears

Steps to reproduce:
a. click on add vault
b. click on vault user, mark empty line (don't click)
c. press ESC (dialog should disappear)
d. click on add Vault again, it should not work
e. dialog suddenly shows when you click on My Vaults

No errors in browser console. What could cause this?

4) Can you please add tests for this?

5) Nitpick: If you add a vault from Service vault, then the predefined value should be service vault in the adder dialog. Same for shared vault

6) Missing 'type' column in my vaults

7) For symmetric vault, there is 'salt' shown in CLI, and I can change this in CLI. IMO this should be supported in webUI too

8) For asymmetric vault, the public key is shown in CLI, and the user can also change this public key, IMO this should work in webUI too.

9) I would like to see a big fat warning in the adder dialog that the content of 'standard' vaults can be seen by users with higher privileges (admins). This is the reason why we set symmetric vault as default in CLI. But because in webUI the standard vault is the only vault that can be added, we should inform users to rather use the CLI and create a symmetric vault
 * IMO we should add this warning into CLI too

10) Vaultconfig-show shows the transport certificate, should we show this in webUI as well?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/139#issuecomment-252016356
Re: [Freeipa-devel] [RFC] Matching and Mapping Certificates
On Thu, Oct 06, 2016 at 10:33:48AM -0400, Rob Crittenden wrote:
> Sumit Bose wrote:
>> Hi,
>>
>
> Wow, this is really great.

Hi Rob, thank you for the feedback.

> I think I'd pre-plan to support different configuration per issuer subject,
> with one named default. It shouldn't be a lot more work and will
> future-proof things for you, particularly in how the rules are stored in
> LDAP.
>
> I worry a bit about matching without comparing the certificate for the case
> where you don't examine issuer.

Do I understand it correctly that you are looking for rules which will always and only match for certificate from a given issuer? E.g. if all matching rules will have the set like

CN=ca,DC=abd,DC=com clientAuth
CN=ca,DC=def,DC=com msScLogin

certificates from the abc issue must have clientAuth set to be valid for authentication and certificates from issuer def must have msScLogin set. But you are right, if one rule does not have issuer set like

CN=ca,DC=abd,DC=com clientAuth msScLogin

then a certificate from issuer abc which does not have clientAuth set but msScLogin would be accepted as well.

Do you think it would help to make a required field but allow that the lazy admin can just enter a '*' to match any issuer?

> You may want to have an option to require that the presented cert match the
> one stored in LDAP (off by default). I realize that you specifically mention
> this can be problematic, but it can also be quite useful. It can be used,
> for example, to disable a login by removing the certificate from the user's
> entry. It also ensures that some carefully crafted certificate doesn't allow
> a bad actor to map to a user account.

This happens when no mapping rule is given. Then SSSD will fall back to search/map the user with the whole certificate. And if the certificate is removed from the LDAP entry of the user Smartcard authentication will fail as soon as the user entry in the cache of SSSD is expired.

bye,
Sumit

>
> rob
[Freeipa-devel] [freeipa PR#139][comment] WebUI: Vault Management
URL: https://github.com/freeipa/freeipa/pull/139
Title: #139: WebUI: Vault Management

pvoborni commented:
"""
For other optional UIs like CA/Trusts or DNS, Web UI checks on UI start if the component is installed by batch command with:

```JavaScript
{method: "env", params: [[], {}]}
{method: "dns_is_enabled", params: [[], {}]}
{method: "trustconfig_show", params: [[], {}]}
{method: "domainlevel_get", params: [[], {}]}
{method: "ca_is_enabled", params: [[], {}]}
```

For KRA, it can add kra_is_enabled command. Traditionally, UI is hidden if component is not installed.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/139#issuecomment-251997063
[Freeipa-devel] [freeipa PR#143][opened] Issue6386 nss dir
URL: https://github.com/freeipa/freeipa/pull/143 Author: tiran Title: #143: Issue6386 nss dir Action: opened PR body: """ See https://fedorahosted.org/freeipa/ticket/6386 * use api.env.nss_dir in all ipaclient plugins * set api.env.nss_dir to confdir/nssdb """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/143/head:pr143 git checkout pr143 From bcef90d4a65f74f3ab34dabcbcffd7fcce05dcfb Mon Sep 17 00:00:00 2001 From: Christian HeimesDate: Thu, 6 Oct 2016 16:24:43 +0200 Subject: [PATCH 1/2] Use api.env.nss_dir instead of paths.IPA_NSSDB_DIR ipaclient plugins are now using nss_dir from api.env instead of hard-coded paths.IPA_NSSDB_DIR. Closes: https://fedorahosted.org/freeipa/ticket/6386 Signed-off-by: Christian Heimes --- ipaclient/ipa_certupdate.py | 2 +- ipaclient/plugins/otptoken.py | 3 +-- ipaclient/plugins/vault.py| 7 ++- 3 files changed, 4 insertions(+), 8 deletions(-) diff --git a/ipaclient/ipa_certupdate.py b/ipaclient/ipa_certupdate.py index 2c6b94f..550bbb6 100644 --- a/ipaclient/ipa_certupdate.py +++ b/ipaclient/ipa_certupdate.py @@ -108,7 +108,7 @@ def run(self): def update_client(self, certs): self.update_file(paths.IPA_CA_CRT, certs) -ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR) +ipa_db = certdb.NSSDatabase(api.env.nss_dir) # Remove old IPA certs from /etc/ipa/nssdb for nickname in ('IPA CA', 'External CA cert'): diff --git a/ipaclient/plugins/otptoken.py b/ipaclient/plugins/otptoken.py index dd4a718..885a612 100644 --- a/ipaclient/plugins/otptoken.py +++ b/ipaclient/plugins/otptoken.py @@ -25,7 +25,6 @@ from ipalib.messages import add_message, ResultFormattingError from ipalib.plugable import Registry from ipalib.frontend import Local -from ipaplatform.paths import paths from ipapython.dn import DN from ipapython.nsslib import NSSConnection from ipapython.version import API_VERSION 
@@ -174,7 +173,7 @@ def forward(self, *args, **kwargs): # Sync the token. # pylint: disable=E1101 -handler = HTTPSHandler(dbdir=paths.IPA_NSSDB_DIR, +handler = HTTPSHandler(dbdir=api.env.nss_dir, tls_version_min=api.env.tls_version_min, tls_version_max=api.env.tls_version_max) rsp = urllib.request.build_opener(handler).open(sync_uri, query) diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py index b8b4f29..c099e9e 100644 --- a/ipaclient/plugins/vault.py +++ b/ipaclient/plugins/vault.py @@ -43,7 +43,6 @@ from ipalib import Bytes, Flag, Str from ipalib.plugable import Registry from ipalib import _ -from ipaplatform.paths import paths def validated_read(argname, filename, mode='r', encoding=None): @@ -752,8 +751,7 @@ def forward(self, *args, **options): error=_('Invalid vault type')) # initialize NSS database -current_dbdir = paths.IPA_NSSDB_DIR -nss.nss_init(current_dbdir) +nss.nss_init(api.env.nss_dir) # retrieve transport certificate config = self.api.Command.vaultconfig_show()['result'] @@ -912,8 +910,7 @@ def forward(self, *args, **options): vault_type = vault['ipavaulttype'][0] # initialize NSS database -current_dbdir = paths.IPA_NSSDB_DIR -nss.nss_init(current_dbdir) +nss.nss_init(api.env.nss_dir) # retrieve transport certificate config = self.api.Command.vaultconfig_show()['result'] From 3739cb80b036fb72378a2115ec00cee32559fb96 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Thu, 6 Oct 2016 16:42:37 +0200 Subject: [PATCH 2/2] Set nss_dir to confdir/nssdb Closes: https://fedorahosted.org/freeipa/ticket/6386 Signed-off-by: Christian Heimes --- ipalib/config.py| 4 ipalib/constants.py | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ipalib/config.py b/ipalib/config.py index eb6c3ae..a3064da 100644 --- a/ipalib/config.py +++ b/ipalib/config.py 
@@ -531,6 +531,10 @@ def _finalize_core(self, **defaults): self._merge_from_file(self.conf) self._merge_from_file(self.conf_default) +# Set nss_dir to nssdb directory in confdir +if 'nss_dir' not in self: +self.nss_dir = self._join('confdir', 'nssdb') + # Determine if in_server: if 'in_server' not in self: self.in_server = (self.context == 'server') diff --git a/ipalib/constants.py b/ipalib/constants.py index c423117..3ef5ddf 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -133,7 +133,7 @@ ('rpc_protocol', 'jsonrpc'), -('nss_dir', paths.IPA_NSSDB_DIR), +('nss_dir', paths.IPA_NSSDB_DIR), # Set to confdir/nssdb in _finalize_core() # Define an inclusive range of SSL/TLS version support ('tls_version_min',
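Review bot: in both vault.py hunks the new `nss.nss_init(api.env.nss_dir)` reaches for the module-level `api`, while the lines right after it in the same `forward()` use `self.api.Command.vaultconfig_show()`; use `self.api.env.nss_dir` so the plugin consistently honours the API instance it was registered with (the otptoken.py hunk already mixes `api.env.nss_dir` with `api.env.tls_version_min`, so that one is at least internally consistent). Also confirm that `api` is imported in ipa_certupdate.py: that hunk only swaps `paths.IPA_NSSDB_DIR` for `api.env.nss_dir` and its import block is not part of the diff.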
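Review bot: the new `if 'nss_dir' not in self:` branch in `_finalize_core()` only takes effect if the `('nss_dir', paths.IPA_NSSDB_DIR)` entry kept in constants.py has not yet been merged into the environment at that point; if the defaults are merged earlier, the constants value always wins and the `self._join('confdir', 'nssdb')` line is dead code, and if they are merged later, the constants entry is redundant and its "Set to confdir/nssdb in _finalize_core()" comment is misleading. Either drop the entry from constants.py or state in that comment which merge order is relied on, and add a test that a non-default `confdir` really yields `nss_dir == confdir/nssdb`.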
Re: [Freeipa-devel] [RFC] Matching and Mapping Certificates
Sumit Bose wrote:

Hi,

I've started to write a SSSD design page about enhancing the current mapping of certificates to users and how to select/match a suitable certificate if multiple certificates are on a Smartcard.

My current thoughts and ideas can be found at https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates and for your convenience below as well.

Comments and suggestions are welcome. Please let me know about concerns, alternatives and missing use-cases/user-stories.

bye,
Sumit

= Matching and Mapping Certificates =

Related ticket(s):
* http://www.freeipa.org/page/V4/User_Certificates#Certificate_Identity_Mapping

=== Problem statement ===

Mapping

Currently it is required that a certificate used for authentication is either stored in the LDAP user entry or in a matching override. This might not always be applicable and other ways are needed to relate a user with a certificate.

Matching

Even if SSSD will support multiple certificates on a Smartcard in the context of https://fedorahosted.org/sssd/ticket/3050 it might be necessary to restrict (or relax) the current certificate selection in certain environments.

=== Use cases ===

Mapping

In some environments it might not be possible or would cause unwanted effort to add certificates to the LDAP entry of the users to allow Smartcard based authentication. Reasons might be:
* Certificates/Smartcards are issued externally
* LDAP schema extension is not possible or not allowed

Matching

A user might have multiple certificates on a Smartcard which are suitable for authentication. But on some hosts in the environment only certificates from a specific CA (while all other CAs are trusted as well) or with some special extension should be valid for login.

=== Overview of the solution ===

To match a certificate a language/syntax has to be defined which allows to reference items from the certificate and compare the values with the expected data.

To map the certificates to a user the language/syntax should allow to relate certificate items with LDAP attributes so that the value(s) from the certificate item can be used in an LDAP search filter.

=== Implementation details ===

Matching

The pkinit plugin of MIT Kerberos must find a suitable certificate from a Smartcard as well and has defined the following syntax (see the pkinit_cert_match section of the krb5.conf man page or http://web.mit.edu/Kerberos/krb5-1.14/doc/admin/conf_files/krb5_conf.html for details). The main components are
* regular-expression
* regular-expression
* regular-expression
* extended-key-usage-list
* key-usage-list

and can be grouped together with a prefixed '&&' (and) or '`||`' (or) operator ('&&' is the default). If multiple rules are given they are iterated in the order in the config file as long as a rule matches exactly one certificate.

'''Question: MIT Kerberos uses case-sensitive matching and POSIX Extended Regular Expression syntax, shall we do the same?'''

While and are (imo) already quite flexible I can see some potential extensions for the other components.

and in MIT Kerberos only accept certain string values related to some allowed values in those fields as defined in https://www.ietf.org/rfc/rfc3280.txt . The selection is basically determined by what is supported on the server side of the pkinit plugin of MIT Kerberos. Since we plan to extend pkinit and support local authentication without pkinit as well I would suggest to allow OID strings for those components as well (the comparison is done on the OID level nonetheless).

The component in MIT Kerberos only checks the otherName SAN component for the id-pkinit-san OID as defined in https://www.ietf.org/rfc/rfc4556.txt or the szOID_NT_PRINCIPAL_NAME OID as mentioned in https://support.microsoft.com/en-us/kb/287547. While this is sufficient for the default pkinit use case of MIT Kerberos I would suggest to extend this component by allowing to specify an OID with

Mapping

Since different certificates, e.g. issued by different CAs, might have different mapping rules, a matching rule must be added if there is more than 1 mapping rule. A single mapping rule without a matching rule might be used as default/catch-all rule in this case. If multiple rules match the derived LDAP filter components can be grouped with the or-operator "|".

A mapping rule can use a similar syntax like the matching rule where the LDAP attribute can be added with a ':', e.g.
*
*

Currently I see no usage for , and in mapping rules because they do not contain any user-specific data. If at some point we will have personal CAs we might consider to add based mappings.

'''Question, do we need search-and-replace at all (or at this stage)? Most of the interesting values from the SAN should be directly map-able to LDAP attributes. And processing the string representation of might be tricky as discussed below.
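Sumit's matching-rule semantics above (rules tried in config order until one matches exactly one certificate, components joined by `&&` or `||`, EKU names compared at the OID level) and Fraser's counter-proposal from his reply (map the most specific RDN of a given type from the Subject DN into an LDAP filter component), as an added Python example; this is not SSSD or FreeIPA code. It assumes MIT's pkinit_cert_match component tags `<SUBJECT>`, `<ISSUER>`, `<SAN>`, `<EKU>` and `<KU>`, models a certificate as a small dataclass instead of parsing X.509, and escapes the extracted value per RFC 4515 before it goes into the filter, because the subject string is chosen by whoever issued the certificate.

```python
import re
from dataclasses import dataclass

# Stand-in for a parsed X.509 certificate so the example runs offline (field names are ours).
@dataclass
class Cert:
    subject: str                  # RFC 4514 string, most specific RDN first
    issuer: str
    san: tuple = ()               # SAN name strings as the <SAN> regex sees them
    eku: frozenset = frozenset()  # extended key usage OIDs
    ku: frozenset = frozenset()   # key usage bit names

# MIT's symbolic <EKU> names; bare OIDs are accepted too and compared at the OID level.
EKU_OIDS = {"pkinit": "1.3.6.1.5.2.3.4", "msScLogin": "1.3.6.1.4.1.311.20.2.2",
            "clientAuth": "1.3.6.1.5.5.7.3.2"}

_TAGS = "SUBJECT|ISSUER|SAN|EKU|KU"
_COMP = re.compile(r"<(%s)>(.*?)(?=<(?:%s)>|$)" % (_TAGS, _TAGS))

def parse_rule(rule):
    """Split '[&&|||]<TAG>value<TAG>value...' into (op, [(tag, value), ...])."""
    op = "&&"                     # MIT's default operator
    if rule.startswith(("&&", "||")):
        op, rule = rule[:2], rule[2:]
    comps = _COMP.findall(rule)
    if not comps:                 # an empty '&&' rule would otherwise match every cert
        raise ValueError("rule has no components: %r" % rule)
    return op, comps

def _component_matches(cert, tag, value):
    if tag == "SUBJECT":          # regex components: case-sensitive, Python re syntax
        return re.search(value, cert.subject) is not None
    if tag == "ISSUER":
        return re.search(value, cert.issuer) is not None
    if tag == "SAN":
        return any(re.search(value, s) for s in cert.san)
    if tag == "EKU":              # every listed EKU must be present
        return {EKU_OIDS.get(x, x) for x in value.split(",")} <= cert.eku
    return set(value.split(",")) <= cert.ku   # KU: every listed bit must be set

def rule_matches(cert, rule):
    op, comps = parse_rule(rule)
    results = [_component_matches(cert, t, v) for t, v in comps]
    return all(results) if op == "&&" else any(results)

def select_cert(certs, rules):
    """MIT semantics: rules are tried in order until one matches exactly one cert."""
    for rule in rules:
        hits = [c for c in certs if rule_matches(c, rule)]
        if len(hits) == 1:
            return hits[0]
    return None

def split_dn(dn):
    """RFC 4514 string -> [(type, value), ...]; undoes '\\,' but not '+' RDNs or hex escapes."""
    rdns, buf, esc = [], [], False
    for ch in dn:
        if esc:
            buf.append(ch); esc = False
        elif ch == "\\":
            esc = True
        elif ch == ",":
            rdns.append("".join(buf)); buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    return [tuple(p.strip() for p in r.split("=", 1)) for r in rdns if "=" in r]

def most_specific(dn, attr):
    """Fraser's proposal: leftmost (LDAP order) value of the given attribute type."""
    for t, v in split_dn(dn):
        if t.upper() == attr.upper():
            return v
    return None

def ldap_escape(value):
    """RFC 4515 escaping so a certificate-controlled string cannot rewrite the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def mapping_filter(cert, attr, ldap_attr):
    """Build '(ldap_attr=value)' from the most specific RDN of type attr."""
    value = most_specific(cert.subject, attr)
    return None if value is None else "(%s=%s)" % (ldap_attr, ldap_escape(value))

def map_user_filter(certs, rules, attr="CN", ldap_attr="samAccountName"):
    """Select the certificate with the matching rules, then map it to a filter."""
    cert = select_cert(certs, rules)
    return None if cert is None else mapping_filter(cert, attr, ldap_attr)

# Constructed sample data: the thread's subject, its two issuers, and Sumit's
# per-issuer rules (issuer abc needs clientAuth, issuer def needs msScLogin).
SAMPLE_CERTS = [
    Cert("CN=Certuser,CN=Users,DC=example,DC=com", "CN=ca,DC=abc,DC=com",
         ("certuser@example.com",), frozenset({EKU_OIDS["clientAuth"]})),
    Cert("CN=Certuser,CN=Users,DC=example,DC=com", "CN=ca,DC=def,DC=com",
         ("certuser@EXAMPLE.COM",), frozenset({EKU_OIDS["msScLogin"]})),
]
SAMPLE_RULES = ["<ISSUER>^CN=ca,DC=abc,DC=com$<EKU>clientAuth",
                "<ISSUER>^CN=ca,DC=def,DC=com$<EKU>msScLogin"]
```

`map_user_filter(SAMPLE_CERTS, SAMPLE_RULES)` yields `(samAccountName=Certuser)`; a rule such as `<SUBJECT>^CN=Certuser` alone matches both sample certificates and therefore selects none.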
[Freeipa-devel] [freeipa PR#139][comment] WebUI: Vault Management
URL: https://github.com/freeipa/freeipa/pull/139
Title: #139: WebUI: Vault Management

mbasti-rh commented:
"""
I'm not sure if this is done on purpose, but the Vault section is shown there even if I have no KRA installed in the topology, and I'm getting an error

```
An error has occurred (IPA Error 3000: InvocationError)
KRA service is not enabled
```

It is not nice, IMO some placeholder pointing to ipa-kra-install could be better
"""

See the full comment at https://github.com/freeipa/freeipa/pull/139#issuecomment-251978110
[Freeipa-devel] [freeipa PR#132][synchronized] Draft for a new setup.py (WIP)
URL: https://github.com/freeipa/freeipa/pull/132 Author: tiran Title: #132: Draft for a new setup.py (WIP) Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/132/head:pr132 git checkout pr132 From 0e2692dc1b26d57f9bd6809c9c2c44282d8d5f28 Mon Sep 17 00:00:00 2001 From: Christian HeimesDate: Tue, 4 Oct 2016 13:23:22 +0200 Subject: [PATCH] Draft for a new setup.py Signed-off-by: Christian Heimes --- .gitignore | 10 +-- MANIFEST.in | 3 +- Makefile| 25 +++--- client/man/Makefile.am | 3 +- client/man/ipa.1| 204 ipa.1 | 204 ipaclient/setup.py | 38 + ipaclient/setup.py.in | 81 --- ipalib/Makefile | 2 +- ipalib/setup.py | 32 ipalib/setup.py.in | 71 - ipaplatform/setup.py| 36 + ipaplatform/setup.py.in | 79 --- ipapython/Makefile | 2 +- ipapython/setup.py | 35 + ipapython/setup.py.in | 79 --- ipasetup.py.in | 71 + ipatests/setup.py | 54 + ipatests/setup.py.in| 97 --- setup.py| 51 +--- 20 files changed, 496 insertions(+), 681 deletions(-) create mode 100644 client/man/ipa.1 delete mode 100644 ipa.1 create mode 100644 ipaclient/setup.py delete mode 100644 ipaclient/setup.py.in create mode 100644 ipalib/setup.py delete mode 100644 ipalib/setup.py.in create mode 100644 ipaplatform/setup.py delete mode 100644 ipaplatform/setup.py.in create mode 100755 ipapython/setup.py delete mode 100755 ipapython/setup.py.in create mode 100644 ipasetup.py.in create mode 100644 ipatests/setup.py delete mode 100644 ipatests/setup.py.in diff --git a/.gitignore b/.gitignore index 61054de..0e63640 100644 --- a/.gitignore +++ b/.gitignore @@ -41,6 +41,9 @@ freeipa2-dev-doc /dist/ /RELEASE /rpmbuild/ +# Build +ipasetup.py +*.egg-info # Subdirectories /daemons/ipa-otpd/ipa-otpd 
@@ -64,19 +67,12 @@ freeipa2-dev-doc /client/ipa-join /client/ipa-rmkeytab -/ipatests/setup.py - -/ipaclient/setup.py - -/ipalib/setup.py !/ipalib/Makefile -/ipapython/setup.py /ipapython/version.py !/ipapython/Makefile /ipaplatform/__init__.py -/ipaplatform/setup.py /ipaplatform/tasks.py /ipaplatform/services.py /ipaplatform/paths.py diff --git a/MANIFEST.in b/MANIFEST.in index dd76e10..f34cc7e 100644 --- a/MANIFEST.in +++ b/MANIFEST.in @@ -1,2 +1 @@ -include COPYING TODO lite-server.py -include tests/*/*.py +include COPYING lite-server.py diff --git a/Makefile b/Makefile index 6324308..794226c 100644 --- a/Makefile +++ b/Makefile 
@@ -161,23 +161,25 @@ test: release-update: if [ ! -e RELEASE ]; then echo 0 > RELEASE; fi -version-update: release-update +.PHONY: ipasetup +ipasetup: + sed -e s/__VERSION__/$(IPA_VERSION)/ ipasetup.py.in \ + > ipasetup.py + $(PYTHON) setup.py egg_info + for directory in ipaclient ipalib ipaplatform ipapython ipatests; do \ + pushd $${directory} ; \ + cp ../ipasetup.py . ; \ + $(PYTHON) setup.py egg_info ; \ + popd ; \ + done + +version-update: release-update ipasetup sed -e s/__VERSION__/$(IPA_VERSION)/ -e s/__RELEASE__/$(IPA_RPM_RELEASE)/ \ freeipa.spec.in > freeipa.spec sed -e s/__VERSION__/$(IPA_VERSION)/ version.m4.in \ > version.m4 - sed -e s/__VERSION__/$(IPA_VERSION)/ ipapython/setup.py.in \ - > ipapython/setup.py - sed -e s/__VERSION__/$(IPA_VERSION)/ ipaplatform/setup.py.in \ - > ipaplatform/setup.py - sed -e s/__VERSION__/$(IPA_VERSION)/ ipalib/setup.py.in \ - > ipalib/setup.py sed -e s/__VERSION__/$(IPA_VERSION)/ ipapython/version.py.in \ > ipapython/version.py - sed -e s/__VERSION__/$(IPA_VERSION)/ ipatests/setup.py.in \ - > ipatests/setup.py - sed -e s/__VERSION__/$(IPA_VERSION)/ ipaclient/setup.py.in \ - > ipaclient/setup.py sed -e s/__NUM_VERSION__/$(IPA_NUM_VERSION)/ install/ui/src/libs/loader.js.in \ > install/ui/src/libs/loader.js sed -i -e "s:__API_VERSION__:$(IPA_API_VERSION_MAJOR).$(IPA_API_VERSION_MINOR):" install/ui/src/libs/loader.js @@ -301,6 +303,7 @@ clean: version-update @for subdir in $(SUBDIRS); do \ (cd $$subdir && $(MAKE) $@) || exit 1; \ done + find . -name 'ipasetup.py' -or -name 'ipasetup.py[co]' | xargs rm -f rm -f *~ distclean: version-update diff --git a/client/man/Makefile.am b/client/man/Makefile.am index 9d8a9c0..1f067ab 100644 --- a/client/man/Makefile.am +++ b/client/man/Makefile.am @@ -10,7 +10,8 @@ man1_MANS = \ ipa-client-install.1 \ ipa-client-automount.1 \ ipa-certupdate.1 \ - ipa-join.1 + ipa-join.1 \ + ipa.1 man5_MANS =\ default.conf.5 diff --git a/client/man/ipa.1 b/client/man/ipa.1 new file mode 100644
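Review bot: the new `ipasetup` recipe in the Makefile hunk uses `pushd`/`popd`, which are bash builtins; make runs recipe lines with `/bin/sh` unless `SHELL` is set, so the target fails wherever `sh` is dash. The loop also discards errors: `$(PYTHON) setup.py egg_info ; \` inside `for directory in ipaclient ipalib ipaplatform ipapython ipatests; do` neither stops the loop nor fails the target when egg_info fails. A portable form is `(cd $${directory} && cp ../ipasetup.py . && $(PYTHON) setup.py egg_info) || exit 1; \`, which mirrors the `(cd $$subdir && $(MAKE) $@) || exit 1; \` pattern already used by the `clean:` loop in the same file.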
[Freeipa-devel] [freeipa PR#132][comment] Draft for a new setup.py (WIP)
URL: https://github.com/freeipa/freeipa/pull/132
Title: #132: Draft for a new setup.py (WIP)

tiran commented:
"""
@mbasti-rh I have removed more hacks and made each setup.py even simpler.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/132#issuecomment-251963879
[Freeipa-devel] [freeipa PR#140][comment] Tests: Remove invalid certplugin tests
URL: https://github.com/freeipa/freeipa/pull/140
Title: #140: Tests: Remove invalid certplugin tests

pvomacka commented:
"""
Hi alichbox, I agree with steps you are proposing, it does make sense.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/140#issuecomment-251962169
[Freeipa-devel] [freeipa PR#134][synchronized] DNS URI support
URL: https://github.com/freeipa/freeipa/pull/134 Author: pspacek Title: #134: DNS URI support Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/134/head:pr134 git checkout pr134 From a35fe8f72d3c905d6338bce8a7f682b8f3e228e7 Mon Sep 17 00:00:00 2001 From: Petr SpacekDate: Wed, 28 Sep 2016 15:20:43 +0200 Subject: [PATCH 1/3] DNS: Support URI resource record type https://fedorahosted.org/freeipa/ticket/6344 --- ACI.txt | 4 +- API.txt | 19 +-- install/share/60ipadns.ldif | 3 +- install/share/dns.ldif | 2 +- install/ui/src/freeipa/dns.js | 15 +- install/updates/40-dns.update | 3 +- ipaserver/plugins/dns.py| 50 -- ipatests/test_xmlrpc/test_dns_plugin.py | 89 + 8 files changed, 172 insertions(+), 13 deletions(-) diff --git a/ACI.txt b/ACI.txt index fddd598..0b47489 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -73,13 +73,13 @@ aci: (targetattr = "ipaprivatekey || ipapublickey || ipasecretkey || ipasecretke dn: dc=ipa,dc=example aci: (targetattr = "cn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example;)(targetfilter = "(objectclass=idnsSecKey)")(version 3.0;acl "permission:System: Manage DNSSEC metadata";allow (all) groupdn = "ldap:///cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: dc=ipa,dc=example -aci: (targetattr = "a6record || record || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || createtimestamp || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsdefaultttl || dnsttl || dsrecord || entryusn || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnstemplateattribute || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || modifytimestamp || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) +aci: (targetattr = "a6record || record || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || createtimestamp || dhcidrecord || dlvrecord || 
dnamerecord || dnsclass || dnsdefaultttl || dnsttl || dsrecord || entryusn || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnstemplateattribute || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || modifytimestamp || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord || urirecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || entryusn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || modifytimestamp || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example;)(targetfilter = "(objectclass=idnsSecKey)")(version 3.0;acl "permission:System: Read DNSSEC metadata";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNSSEC metadata,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: dc=ipa,dc=example aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl "permission:System: Remove DNS Entries";allow (delete) groupdn = "ldap:///cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn:
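Review bot: only the 'System: Read DNS Entries' aci is visible of the 13-line hunk announced by `@@ -73,13 +73,13 @@`; the text is cut off at 'dn:', so the remaining changed aci lines cannot be checked here. What to verify on the full hunk is that `urirecord` was appended to every DNS permission whose targetattr enumerates record types (the write-side permissions as well as the read one shown), and that the attribute name matches the attributeType added in install/share/60ipadns.ldif listed in the diffstat. Placing `urirecord` after `unknownrecord` keeps the list alphabetical, consistent with a regenerated rather than hand-edited ACI.txt.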
Re: [Freeipa-devel] 4.4.2 release notes draft
On 10/05/2016 06:40 PM, Petr Vobornik wrote:
> Hi,
>
> we planned to release 4.4.2 today. I'd postpone it to tomorrow morning
> so you have time to read the RN page.
>
> Almost completely auto-generated release notes page:
> http://www.freeipa.org/page/Releases/4.4.2
>
> Please help to highlight important bug fixes.
>
> Notes:
> - the only manual part is "Known Issues section"
> - the script for generating RN will be shared

The release will be postponed because of a regression introduced in 4.4.2:
- https://fedorahosted.org/freeipa/ticket/6385

-- 
Petr Vobornik
[Freeipa-devel] [freeipa PR#142][comment] CheckedIPAddress: Implement __(g|s)etstate__ and to ensure proper (un)pickling
URL: https://github.com/freeipa/freeipa/pull/142
Title: #142: CheckedIPAddress: Implement __(g|s)etstate__ and to ensure proper (un)pickling

mbasti-rh commented:
"""
IMO here (__init__ of CheckedIPAddress) is missing self._net = addr._net, it may cause issues
```
if isinstance(addr, CheckedIPAddress):
    self.prefixlen = addr.prefixlen
    return
```
and self._net should be handled in parent class
"""

See the full comment at https://github.com/freeipa/freeipa/pull/142#issuecomment-251949631
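The failure mode behind PR#142 and the comment above, as an added example that is not FreeIPA's code: a base class with its own `__getstate__`/`__setstate__` saves only the fields it knows about, so attributes a subclass adds (here `_net` and `prefixlen`) vanish across `pickle.dumps`/`pickle.loads` and the first method that touches them raises `AttributeError` after the restore. `BaseAddr` is a constructed stand-in for the library class `CheckedIPAddress` derives from, not that class; `FixedAddr` shows the chaining approach the patch takes, with the base state chained only when the base really implements custom pickling.

```python
import pickle


class BaseAddr(object):
    """Constructed stand-in for a library base class that implements its own
    pickling and therefore saves only the fields it knows about."""

    def __init__(self, value):
        self._value = value

    def __getstate__(self):
        return self._value          # base-class state: just the address value

    def __setstate__(self, state):
        self._value = state


class NaiveAddr(BaseAddr):
    """Adds _net and prefixlen but inherits the base-class pickling, so both
    extra attributes are silently dropped by pickle.dumps()."""

    def __init__(self, value, prefixlen):
        super(NaiveAddr, self).__init__(value)
        self.prefixlen = prefixlen
        self._net = "%s/%d" % (value, prefixlen)   # stand-in for a network object

    def is_network_addr(self):
        return self._net is not None               # touches the lost attribute


class FixedAddr(NaiveAddr):
    """Same attributes, but pickling saves them explicitly and chains the
    base-class state, the approach taken in PR#142."""

    def __getstate__(self):
        state = {"_net": self._net, "prefixlen": self.prefixlen}
        base = super(FixedAddr, self)
        # Chain the base-class state only when the base really implements
        # custom pickling (object never defines __setstate__); this avoids
        # swallowing an AttributeError raised inside the base implementation.
        if hasattr(base, "__setstate__"):
            state["super_state"] = base.__getstate__()
        return state

    def __setstate__(self, state):
        if "super_state" in state:
            super(FixedAddr, self).__setstate__(state["super_state"])
        self._net = state["_net"]
        self.prefixlen = state["prefixlen"]


def roundtrip(cls, value="10.0.0.1", prefixlen=24):
    """Pickle and unpickle an instance of cls, as a two-phase installer that
    persists its state between runs would."""
    return pickle.loads(pickle.dumps(cls(value, prefixlen)))


def survives_pickle(cls):
    """True when the restored object still has every attribute its methods use."""
    obj = roundtrip(cls)
    try:
        obj.is_network_addr()
    except AttributeError:
        return False
    return obj._value == "10.0.0.1" and obj.prefixlen == 24
```

`survives_pickle(NaiveAddr)` is `False` and `survives_pickle(FixedAddr)` is `True`. The same care applies to any other path that builds an instance without running the full constructor, such as the copy branch quoted in the comment: every attribute `__getstate__` reads must be set there too, or pickling fails at dump time instead of at load time.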
[Freeipa-devel] [freeipa PR#134][synchronized] DNS URI support
URL: https://github.com/freeipa/freeipa/pull/134 Author: pspacek Title: #134: DNS URI support Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/134/head:pr134 git checkout pr134 From 4b7b8cc128e6a1b1f7485550c65974ff9b952cdf Mon Sep 17 00:00:00 2001 From: Petr SpacekDate: Wed, 28 Sep 2016 15:20:43 +0200 Subject: [PATCH 1/3] DNS: Support URI resource record type https://fedorahosted.org/freeipa/ticket/6344 --- ACI.txt | 4 +- API.txt | 19 +-- install/share/60ipadns.ldif | 3 +- install/share/dns.ldif | 2 +- install/ui/src/freeipa/dns.js | 15 +- ipaserver/plugins/dns.py| 50 -- ipatests/test_xmlrpc/test_dns_plugin.py | 89 + 7 files changed, 170 insertions(+), 12 deletions(-) diff --git a/ACI.txt b/ACI.txt index fddd598..0b47489 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -73,13 +73,13 @@ aci: (targetattr = "ipaprivatekey || ipapublickey || ipasecretkey || ipasecretke dn: dc=ipa,dc=example aci: (targetattr = "cn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example;)(targetfilter = "(objectclass=idnsSecKey)")(version 3.0;acl "permission:System: Manage DNSSEC metadata";allow (all) groupdn = "ldap:///cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: dc=ipa,dc=example -aci: (targetattr = "a6record || record || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || createtimestamp || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsdefaultttl || dnsttl || dsrecord || entryusn || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnstemplateattribute || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || modifytimestamp || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) +aci: (targetattr = "a6record || record || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || createtimestamp || dhcidrecord || dlvrecord || 
dnamerecord || dnsclass || dnsdefaultttl || dnsttl || dsrecord || entryusn || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnstemplateattribute || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || modifytimestamp || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord || urirecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || entryusn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || modifytimestamp || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example;)(targetfilter = "(objectclass=idnsSecKey)")(version 3.0;acl "permission:System: Read DNSSEC metadata";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNSSEC metadata,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: dc=ipa,dc=example aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl "permission:System: Remove DNS Entries";allow (delete) groupdn = "ldap:///cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: dc=ipa,dc=example -aci: (targetattr = "a6record ||
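Review bot: compared with the earlier push of this same patch, the diffstat no longer lists install/updates/40-dns.update, while ACI.txt and install/share/60ipadns.ldif still change. The ACI.txt hunk shown is the expected end state for a fresh install; confirm how an already installed server gets `urirecord` added to its existing 'System: Read DNS Entries' permission now that the update file is gone (for instance through the changes in ipaserver/plugins/dns.py, which is still in the diffstat), and that the same applies to the write-side DNS permissions hidden by the truncation at 'dn:'.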
[Freeipa-devel] [freeipa PR#134][comment] DNS URI support
URL: https://github.com/freeipa/freeipa/pull/134
Title: #134: DNS URI support

pspacek commented:
"""
I was playing with an idea of automatic escaping but it cannot be done with current record format: There is no way to distinguish already escaped text from a text which needs escaping. This totally breaks web UI edit workflow because it reads text from LDAP, fills text field with it and then double-escapes it during save.

For this reason I've given up attempts to automatically escape things, which is no different from e.g. TXT records. Call it consistency if you want ;-)
"""

See the full comment at https://github.com/freeipa/freeipa/pull/134#issuecomment-251949022
[Freeipa-devel] [freeipa PR#134][synchronized] DNS URI support
URL: https://github.com/freeipa/freeipa/pull/134 Author: pspacek Title: #134: DNS URI support Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/134/head:pr134 git checkout pr134 From f0a86bd9885128a169834fcf9085dbc23727c1bf Mon Sep 17 00:00:00 2001 From: Petr SpacekDate: Wed, 28 Sep 2016 15:20:43 +0200 Subject: [PATCH 1/3] DNS: Support URI resource record type https://fedorahosted.org/freeipa/ticket/6344 --- ACI.txt | 4 +- API.txt | 19 +-- install/share/60ipadns.ldif | 3 +- install/share/dns.ldif | 2 +- install/ui/src/freeipa/dns.js | 15 +- ipaserver/plugins/dns.py| 51 +-- ipatests/test_xmlrpc/test_dns_plugin.py | 89 + 7 files changed, 171 insertions(+), 12 deletions(-) diff --git a/ACI.txt b/ACI.txt index fddd598..0b47489 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -73,13 +73,13 @@ aci: (targetattr = "ipaprivatekey || ipapublickey || ipasecretkey || ipasecretke dn: dc=ipa,dc=example aci: (targetattr = "cn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example;)(targetfilter = "(objectclass=idnsSecKey)")(version 3.0;acl "permission:System: Manage DNSSEC metadata";allow (all) groupdn = "ldap:///cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: dc=ipa,dc=example -aci: (targetattr = "a6record || record || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || createtimestamp || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsdefaultttl || dnsttl || dsrecord || entryusn || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnstemplateattribute || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || modifytimestamp || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) +aci: (targetattr = "a6record || record || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || createtimestamp || dhcidrecord || dlvrecord || 
dnamerecord || dnsclass || dnsdefaultttl || dnsttl || dsrecord || entryusn || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnstemplateattribute || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || modifytimestamp || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord || urirecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || entryusn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || modifytimestamp || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example;)(targetfilter = "(objectclass=idnsSecKey)")(version 3.0;acl "permission:System: Read DNSSEC metadata";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNSSEC metadata,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: dc=ipa,dc=example aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl "permission:System: Remove DNS Entries";allow (delete) groupdn = "ldap:///cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: dc=ipa,dc=example -aci: (targetattr = "a6record ||
[Freeipa-devel] [freeipa PR#142][opened] CheckedIPAddress: Implement __(g|s)etstate__ and to ensure proper (un)pickling
URL: https://github.com/freeipa/freeipa/pull/142 Author: dkupka Title: #142: CheckedIPAddress: Implement __(g|s)etstate__ and to ensure proper (un)pickling Action: opened PR body: """ Missing attributes in instance created by pickle.load cause AttributeError in second part of ipa-server-install --external-ca. https://fedorahosted.org/freeipa/ticket/6385 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/142/head:pr142 git checkout pr142 From 3f096edf847af84077fc0e04fd16437678afaf2f Mon Sep 17 00:00:00 2001 From: David KupkaDate: Thu, 6 Oct 2016 13:31:52 +0200 Subject: [PATCH] CheckedIPAddress: Implement __(g|s)etstate__ and to ensure proper (un)pickling Missing attributes in instance created by pickle.load cause AttributeError in second part of ipa-server-install --external-ca. https://fedorahosted.org/freeipa/ticket/6385 --- ipapython/ipautil.py | 25 + 1 file changed, 25 insertions(+) diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index 41544a1..f8badb0 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py 
@@ -205,6 +205,31 @@ def __init__(self, addr, match_local=False, parse_netmask=True, self.prefixlen = self._net.prefixlen +def __getstate__(self): +state = { +'_net': self._net, +'prefixlen': self.prefixlen +} +try: +state['super_state'] = super(CheckedIPAddress, self).__getstate__() +except AttributeError: +# none of base classes implements custom pickling +pass + +return state + +def __setstate__(self, state): +try: +super_state = state.pop('super_state') +except KeyError: +# no state saved for base classes +pass +else: +super(CheckedIPAddress, self).__setstate__(super_state) + +self._net = state['_net'] +self.prefixlen = state['prefixlen'] + def is_network_addr(self): return self == self._net.network -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
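Review bot: `__getstate__` reads `self._net` unconditionally and `__setstate__` reads `state['_net']` and `state['prefixlen']` unconditionally, but the copy-constructor branch of `__init__` quoted in the PR#142 comment (`if isinstance(addr, CheckedIPAddress): self.prefixlen = addr.prefixlen; return`) never assigns `self._net`, so an instance built that way still raises `AttributeError`, now from `__getstate__` during `pickle.dump` rather than from `is_network_addr` after the load. Either copy `addr._net` in that branch or make `__setstate__` tolerate a missing `_net`. Separately, the bare `except AttributeError: pass` around `super().__getstate__()` also swallows an `AttributeError` raised inside the base implementation and then pickles an incomplete object; checking `hasattr(super(...), '__setstate__')` before chaining is the safer test. A regression test that round-trips a `CheckedIPAddress` through pickle would pin both behaviours down.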
[Freeipa-devel] [freeipa PR#133][comment] Tests: print what was expected from exceptions and callables in xmlrpc_tests
URL: https://github.com/freeipa/freeipa/pull/133
Title: #133: Tests: print what was expected from exceptions and callables in xmlrpc_tests

mbasti-rh commented:
"""
Please set proper patch author, otherwise LGTM
"""

See the full comment at https://github.com/freeipa/freeipa/pull/133#issuecomment-251944193
[Freeipa-devel] [freeipa PR#140][comment] Tests: Remove invalid certplugin tests
URL: https://github.com/freeipa/freeipa/pull/140
Title: #140: Tests: Remove invalid certplugin tests

mirielka commented:
"""
Ok, I will do it like Ales proposed and will sync this PR when new tests are ready.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/140#issuecomment-251934592
[Freeipa-devel] [freeipa PR#140][comment] Tests: Remove invalid certplugin tests
URL: https://github.com/freeipa/freeipa/pull/140
Title: #140: Tests: Remove invalid certplugin tests

alichbox commented:
"""
Ok, I would vote for the new tests and when we have them merged we can safely delete this part of code that is not relevant anymore. The reason we would leave the current (not relevant) tests here is to not lose the information that we need to cover that part.

So my proposal:
1) leave these tests here as they are;
2) write new test suite;
3) delete the old tests;

Does it make sense?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/140#issuecomment-251933994
[Freeipa-devel] [freeipa PR#141][opened] Tests: Fix failing test_ipalib/test_parameters
URL: https://github.com/freeipa/freeipa/pull/141 Author: mirielka Title: #141: Tests: Fix failing test_ipalib/test_parameters Action: opened PR body: """ Parameters test fails because of KeyError caused by improper manipulation with kwargs in Param.__init__ method. During initialization, if kwargs['required'] or kwargs['multivalue'] is None, it is delete from dictionary and hence the missing key. Small change of the condition prevents this from happening. Partially fixes https://fedorahosted.org/freeipa/ticket/6292 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/141/head:pr141 git checkout pr141 From a6f076cac03e3672399abccf0639b0d6035147b6 Mon Sep 17 00:00:00 2001 From: Lenka DoudovaDate: Thu, 6 Oct 2016 10:54:07 +0200 Subject: [PATCH] Tests: Fix failing test_ipalib/test_parameters Parameters test fails because of KeyError caused by improper manipulation with kwargs in Param.__init__ method. During initialization, if kwargs['required'] or kwargs['multivalue'] is None, it is delete from dictionary and hence the missing key. Small change of the condition prevents this from happening. Partially fixes https://fedorahosted.org/freeipa/ticket/6292 --- ipalib/parameters.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/parameters.py b/ipalib/parameters.py index 77a6136..32ff9a8 100644 --- a/ipalib/parameters.py +++ b/ipalib/parameters.py @@ -473,7 +473,7 @@ def __init__(self, name, *rules, **kw): CALLABLE_ERROR % (key, value, type(value)) ) kw[key] = value -else: +elif key not in ('required', 'multivalue'): kw.pop(key, None) # We keep these values to use in __repr__(): -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
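Review bot: the new `elif key not in ('required', 'multivalue'):` hard-codes the two key names, which only stays correct as long as the surrounding loop (not visible in this hunk) treats exactly those keys as allowed-None; deriving the exclusion from the same list the loop iterates would avoid silent drift when a third such key is added. The diffstat shows only ipalib/parameters.py changed although the title names a failing test_ipalib/test_parameters test: a test that passes `required=None` / `multivalue=None` through `Param.__init__` and asserts the keys survive for the `__repr__` code the trailing comment refers to would guard this regression. Note that `kw.pop(key, None)` is still reached for every other None-valued key, so their handling is unchanged.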
[Freeipa-devel] [freeipa PR#123][comment] Tests: Remove silent deleting and creating entries by tracker
URL: https://github.com/freeipa/freeipa/pull/123
Title: #123: Tests: Remove silent deleting and creating entries by tracker

apophys commented:
"""
Looks good, thanks.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/123#issuecomment-251931803
[Freeipa-devel] [freeipa PR#123][+ack] Tests: Remove silent deleting and creating entries by tracker
URL: https://github.com/freeipa/freeipa/pull/123
Title: #123: Tests: Remove silent deleting and creating entries by tracker

Label: +ack
[Freeipa-devel] [freeipa PR#134][comment] DNS URI support
URL: https://github.com/freeipa/freeipa/pull/134
Title: #134: DNS URI support

mbasti-rh commented:
"""
I was able to add an invalid URI record
```
[root@vm-058-017 ~]# ipa dnsrecord-add test.zone. --uri-rec='0 0 trolo"lo'
Record name: test2
  Record name: test2
  URI record: 0 0 "trolo"lo"
[root@vm-058-017 ~]# dig +short test2.test.zone. URI
[root@vm-058-017 ~]#

journalctl output
failed to parse RR entry: resource record DN 'idnsname=test2,idnsname=test.zone.,cn=dns,dc=blabla' data '0 0 "trolo"lo"': extra input text
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/134#issuecomment-251930458
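The check that would have rejected the record in the comment above before it reached LDAP, as an added example that is not FreeIPA's or BIND's code. It parses the presentation form of a URI record, `<priority> <weight> "<target>"` (RFC 7553), treating the target as an RFC 1035 character-string: `\X` stands for a literal `X`, `\DDD` for the byte with decimal value `DDD`, and an unescaped `"` ends the string, so `0 0 "trolo"lo"` leaves `lo"` after the target and is refused with the same "extra input text" diagnosis the name server logged. The function and its error strings are this example's own, not FreeIPA's API.

```python
import re

_HEADER = re.compile(r'\s*(\d+)\s+(\d+)\s+"')   # priority, weight, opening quote


def parse_uri_rdata(text):
    """Parse '<priority> <weight> "<target>"' (RFC 7553 presentation format).
    The target is an RFC 1035 character-string: '\\X' is a literal X and
    '\\DDD' the byte with decimal value DDD.  Returns (priority, weight, target)
    or raises ValueError with the reason the record must be rejected."""
    m = _HEADER.match(text)
    if not m:
        raise ValueError('expected: <priority> <weight> "<target>"')
    priority, weight = int(m.group(1)), int(m.group(2))
    for name, val in (("priority", priority), ("weight", weight)):
        if val > 65535:
            raise ValueError("%s %d does not fit in 16 bits" % (name, val))
    out, i, closed = [], m.end(), False
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            digits = text[i + 1:i + 4]
            if len(digits) == 3 and digits.isdigit():
                code = int(digits)
                if code > 255:
                    raise ValueError("\\%s is not a byte value" % digits)
                out.append(chr(code))
                i += 4
            elif i + 1 < len(text):
                out.append(text[i + 1])            # escaped literal, e.g. \" or \\
                i += 2
            else:
                raise ValueError("dangling backslash")
        elif ch == '"':
            closed = True                          # unescaped quote ends the target
            i += 1
            break
        else:
            out.append(ch)
            i += 1
    if not closed:
        raise ValueError("unterminated target string")
    trailing = text[i:].strip()
    if trailing:
        # The case from the report: the name server calls this "extra input text".
        raise ValueError("extra input text after target: %r" % trailing)
    target = "".join(out)
    if not target:
        raise ValueError("target must not be empty")   # RFC 7553, section 4.4
    return priority, weight, target


def uri_rdata_error(text):
    """None when text is a well-formed URI record, otherwise the reason it
    should be rejected before being written to LDAP."""
    try:
        parse_uri_rdata(text)
    except ValueError as exc:
        return str(exc)
    return None
```

`uri_rdata_error('0 0 "trolo"lo"')` reports the extra input, while `0 0 "tro\"lo"` (quote escaped by the caller) parses to the target `tro"lo`. Validating at write time this way does not conflict with the point made in the PR comment on escaping: the stored text is left exactly as entered, the check only refuses text the server will not be able to load.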
[Freeipa-devel] [RFC] Matching and Mapping Certificates
Hi,

I've started to write a SSSD design page about enhancing the current mapping of certificates to users and how to select/match a suitable certificate if multiple certificates are on a Smartcard.

My current thoughts and ideas can be found at https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates and for your convenience below as well.

Comments and suggestions are welcome. Please let me know about concerns, alternatives and missing use-cases/user-stories.

bye,
Sumit

= Matching and Mapping Certificates =

Related ticket(s):
* http://www.freeipa.org/page/V4/User_Certificates#Certificate_Identity_Mapping

=== Problem statement ===

Mapping

Currently it is required that a certificate used for authentication is either stored in the LDAP user entry or in a matching override. This might not always be applicable and other ways are needed to relate a user with a certificate.

Matching

Even if SSSD will support multiple certificates on a Smartcard in the context of https://fedorahosted.org/sssd/ticket/3050 it might be necessary to restrict (or relax) the current certificate selection in certain environments.

=== Use cases ===

Mapping

In some environments it might not be possible or would cause unwanted effort to add certificates to the LDAP entry of the users to allow Smartcard based authentication. Reasons might be:
* Certificates/Smartcards are issued externally
* LDAP schema extension is not possible or not allowed

Matching

A user might have multiple certificates on a Smartcard which are suitable for authentication. But on some hosts in the environment only certificates from a specific CA (while all other CAs are trusted as well) or with some special extension should be valid for login.

=== Overview of the solution ===

To match a certificate a language/syntax has to be defined which allows to reference items from the certificate and compare the values with the expected data.

To map the certificates to a user the language/syntax should allow to relate certificate items with LDAP attributes so that the value(s) from the certificate item can be used in a LDAP search filter.

=== Implementation details ===

Matching

The pkinit plugin of MIT Kerberos must find a suitable certificate from a Smartcard as well and has defined the following syntax (see the pkinit_cert_match section of the krb5.conf man page or http://web.mit.edu/Kerberos/krb5-1.14/doc/admin/conf_files/krb5_conf.html for details). The main components are
* <SUBJECT>regular-expression
* <ISSUER>regular-expression
* <SAN>regular-expression
* <EKU>extended-key-usage-list
* <KU>key-usage-list
and can be grouped together with a prefixed '&&' (and) or '||' (or) operator ('&&' is the default). If multiple rules are given they are iterated in the order in the config file as long as a rule matches exactly one certificate.

'''Question: MIT Kerberos uses case-sensitive matching and POSIX Extended Regular Expression syntax, shall we do the same?'''

While <SUBJECT> and <ISSUER> are (imo) already quite flexible I can see some potential extensions for the other components.

<EKU> and <KU> in MIT Kerberos only accept certain string values related to some allowed values in those fields as defined in https://www.ietf.org/rfc/rfc3280.txt . The selection is basically determined by what is supported on the server side of the pkinit plugin of MIT Kerberos. Since we plan to extend pkinit and support local authentication without pkinit as well I would suggest to allow OID strings for those components as well (the comparison is done on the OID level nonetheless).

The <SAN> component in MIT Kerberos only checks the otherName SAN component for the id-pkinit-san OID as defined in https://www.ietf.org/rfc/rfc4556.txt or the szOID_NT_PRINCIPAL_NAME OID as mentioned in https://support.microsoft.com/en-us/kb/287547. While this is sufficient for the default pkinit use case of MIT Kerberos I would suggest to extend this component by allowing to specify an OID with

Mapping

Since different certificates, e.g. issued by different CAs, might have different mapping rules, a matching rule must be added if there are more than 1 mapping rule. A single mapping rule without a matching rule might be used as default/catch-all rule in this case. If multiple rules match the derived LDAP filter components can be grouped with the or-operator "|".

A mapping rule can use a similar syntax to the matching rule where the LDAP attribute can be added with a ':', e.g.
*
*

Currently I see no usage for <ISSUER>, <EKU> and <KU> in mapping rules because they do not contain any user-specific data. If at some point we will have personal CAs we might consider to add <ISSUER> based mappings.

'''Question, do we need search-and-replace at all (or at this stage)? Most of the interesting values from the SAN should be directly map-able to LDAP attributes. And processing the string representation of <SUBJECT> might be tricky as discussed below. Nevertheless the following
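The matching and mapping rules sketched in the RFC above, carried through in code as an added example that is not SSSD's or MIT Kerberos' implementation. It parses rules in the pkinit_cert_match shape (`<SUBJECT>`, `<ISSUER>`, `<SAN>` regular expressions, `<EKU>`/`<KU>` lists, an optional leading `&&` or `||`), evaluates them against constructed certificate stand-ins (plain dicts holding the DN strings, the SAN otherName values and the usage sets, not real certificates), and turns `<COMPONENT>:attribute` mapping rules into LDAP filter components, OR-ing the components of every rule that matches with `|` as the text proposes. Python's `re` is used in place of the POSIX ERE the question mentions, and the mapping writes certificate-supplied values into the filter only after RFC 4515 escaping, so a value such as `evil)(uid=*` cannot change the filter's structure. The attribute names in the sample rules are illustrative.

```python
import re

# Component names follow the pkinit_cert_match syntax of MIT Kerberos.
_COMPONENT = re.compile(r"<(SUBJECT|ISSUER|SAN|EKU|KU)>([^<]*)")

# Constructed stand-ins for parsed certificates (not real certificates):
# subject/issuer DN strings, SAN otherName values (UPN strings), EKU and KU sets.
CERT_USER = {
    "subject": "CN=Certuser,CN=Users,DC=example,DC=com",
    "issuer": "CN=ca,DC=example,DC=com",
    "san": ["certuser@example.com"],
    "eku": {"clientAuth", "msScLogin"},
    "ku": {"digitalSignature", "keyEncipherment"},
}
CERT_OTHER_CA = {
    "subject": "CN=Certuser,DC=other,DC=com",
    "issuer": "CN=ca,DC=other,DC=com",
    "san": ["certuser@other.com"],
    "eku": {"clientAuth"},
    "ku": {"digitalSignature"},
}


def parse_rule(rule):
    """Split a matching rule into its operator and (component, value) pairs.
    A leading '&&' or '||' selects the operator; '&&' is the default."""
    op, body = "&&", rule
    if rule[:2] in ("&&", "||"):
        op, body = rule[:2], rule[2:]
    parts = _COMPONENT.findall(body)
    if not parts or "".join("<%s>%s" % p for p in parts) != body:
        raise ValueError("malformed matching rule: %r" % rule)
    return op, parts


def component_matches(cert, component, value):
    """Evaluate one <COMPONENT>value.  Regex components use case-sensitive
    search as MIT Kerberos does; EKU/KU lists need every listed usage present."""
    if component == "SUBJECT":
        return re.search(value, cert["subject"]) is not None
    if component == "ISSUER":
        return re.search(value, cert["issuer"]) is not None
    if component == "SAN":
        return any(re.search(value, san) for san in cert["san"])
    wanted = {item.strip() for item in value.split(",") if item.strip()}
    return wanted <= cert[component.lower()]


def rule_matches(cert, rule):
    op, parts = parse_rule(rule)
    results = [component_matches(cert, comp, val) for comp, val in parts]
    return all(results) if op == "&&" else any(results)


def ldap_escape(value):
    """RFC 4515 escaping: text taken from a certificate must not be able to
    alter the structure of the search filter it is inserted into."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def mapping_filter(cert, component, attr):
    """Filter component for one '<COMPONENT>:attr' mapping rule.  Only SUBJECT
    and SAN carry user-specific data, as the RFC notes."""
    if component == "SAN":
        values = cert["san"]
    elif component == "SUBJECT":
        values = [cert["subject"]]
    else:
        raise ValueError("<%s> carries no user-specific data" % component)
    parts = ["(%s=%s)" % (attr, ldap_escape(v)) for v in values]
    return parts[0] if len(parts) == 1 else "(|%s)" % "".join(parts)


def derive_filter(cert, rules):
    """rules: list of (matching_rule_or_None, (component, attr)).  A rule with
    no matching part is the catch-all; the components of every rule that
    matches are grouped with the or-operator '|'."""
    parts = [mapping_filter(cert, comp, attr)
             for match, (comp, attr) in rules
             if match is None or rule_matches(cert, match)]
    if not parts:
        return None
    return parts[0] if len(parts) == 1 else "(|%s)" % "".join(parts)
```

With `CERT_USER`, the rule `<ISSUER>^CN=ca,DC=example,DC=com$<EKU>clientAuth` matches and the rule set `[(that_rule, ("SAN", "userPrincipalName")), (None, ("SUBJECT", "seeAlso"))]` yields `(|(userPrincipalName=certuser@example.com)(seeAlso=CN=Certuser,CN=Users,DC=example,DC=com))`; `CERT_OTHER_CA` fails the issuer check. Mapping the whole subject string, as the second rule does, is exactly the case the closing question flags as tricky: the string form depends on RDN order and escaping, which is why direct SAN-to-attribute mappings are the easier case.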
[Freeipa-devel] [freeipa PR#134][comment] DNS URI support
URL: https://github.com/freeipa/freeipa/pull/134
Title: #134: DNS URI support

mbasti-rh commented:
"""
NACK, please see inline comments
"""

See the full comment at https://github.com/freeipa/freeipa/pull/134#issuecomment-251916849
[Freeipa-devel] [freeipa PR#108][+ack] Bump pki min version and add commentary about sub-CA revocation on delete
URL: https://github.com/freeipa/freeipa/pull/108
Title: #108: Bump pki min version and add commentary about sub-CA revocation on delete
Label: +ack
[Freeipa-devel] [freeipa PR#115][+ack] Don't show traceback when ipa config file is not an absolute path
URL: https://github.com/freeipa/freeipa/pull/115
Title: #115: Don't show traceback when ipa config file is not an absolute path
Label: +ack
[Freeipa-devel] [freeipa PR#138][comment] Fix ipa-cacert-manage man page
URL: https://github.com/freeipa/freeipa/pull/138
Title: #138: Fix ipa-cacert-manage man page

flo-renaud commented:
"""
Hi, thanks for your comment. Yes, the IDM guide is currently being updated to describe this requirement. See [lastSuccessfulBuild](http://jenkinscat.gsslab.pnq.redhat.com:8080/view/RHEL7/job/doc-Red_Hat_Enterprise_Linux-7-Linux_Domain_Identity_Authentication_and_Policy_Guide%20(html-single)/lastSuccessfulBuild/artifact/tmp/en-US/html-single/index.html#manual-cert-install).
"""

See the full comment at https://github.com/freeipa/freeipa/pull/138#issuecomment-251902783
[Freeipa-devel] [freeipa PR#132][comment] Draft for a new setup.py (WIP)
URL: https://github.com/freeipa/freeipa/pull/132
Title: #132: Draft for a new setup.py (WIP)

mbasti-rh commented:
"""
This WIP works for me, I like that we get rid of setup.py.in files. I'm looking forward to the final version. Please fix the PEP8 reported error and my inline comments.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/132#issuecomment-251904240
[Freeipa-devel] [freeipa PR#135][comment] Pylint: remove unused variables
URL: https://github.com/freeipa/freeipa/pull/135
Title: #135: Pylint: remove unused variables

mbasti-rh commented:
"""
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/d9375881460d63cdd696bb0705da0ac205db9870
https://fedorahosted.org/freeipa/changeset/135047d03c1780d682998369aaa531585b39a069
"""

See the full comment at https://github.com/freeipa/freeipa/pull/135#issuecomment-251902017
[Freeipa-devel] [freeipa PR#135][+pushed] Pylint: remove unused variables
URL: https://github.com/freeipa/freeipa/pull/135
Title: #135: Pylint: remove unused variables
Label: +pushed
[Freeipa-devel] [freeipa PR#135][closed] Pylint: remove unused variables
URL: https://github.com/freeipa/freeipa/pull/135
Author: mbasti-rh
Title: #135: Pylint: remove unused variables
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/135/head:pr135
git checkout pr135
[Freeipa-devel] [freeipa PR#125][closed] Add iSecStore.span
URL: https://github.com/freeipa/freeipa/pull/125
Author: tiran
Title: #125: Add iSecStore.span
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/125/head:pr125
git checkout pr125
[Freeipa-devel] [freeipa PR#125][+pushed] Add iSecStore.span
URL: https://github.com/freeipa/freeipa/pull/125
Title: #125: Add iSecStore.span
Label: +pushed
[Freeipa-devel] [freeipa PR#128][+pushed] Properly handle LDAP socket closures in ipa-otpd
URL: https://github.com/freeipa/freeipa/pull/128
Title: #128: Properly handle LDAP socket closures in ipa-otpd
Label: +pushed
[Freeipa-devel] [freeipa PR#128][closed] Properly handle LDAP socket closures in ipa-otpd
URL: https://github.com/freeipa/freeipa/pull/128
Author: npmccallum
Title: #128: Properly handle LDAP socket closures in ipa-otpd
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/128/head:pr128
git checkout pr128
[Freeipa-devel] [freeipa PR#138][comment] Fix ipa-cacert-manage man page
URL: https://github.com/freeipa/freeipa/pull/138
Title: #138: Fix ipa-cacert-manage man page

mbasti-rh commented:
"""
Is this written in the IdM guide? If not, IMO it would be nice to open a doc bug in BZ and add this info there as well.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/138#issuecomment-251898208
[Freeipa-devel] [freeipa PR#135][comment] Pylint: remove unused variables
URL: https://github.com/freeipa/freeipa/pull/135
Title: #135: Pylint: remove unused variables

stlaz commented:
"""
A refactoring ticket needs opening for the issues with find_entries mentioned here. Tests seem to pass, so ACK.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/135#issuecomment-251896732
[Freeipa-devel] [freeipa PR#135][+ack] Pylint: remove unused variables
URL: https://github.com/freeipa/freeipa/pull/135
Title: #135: Pylint: remove unused variables
Label: +ack
[Freeipa-devel] [freeipa PR#113][comment] ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri, ldap_uri
URL: https://github.com/freeipa/freeipa/pull/113
Title: #113: ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri, ldap_uri

stlaz commented:
"""
NACK, please see the review comment.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/113#issuecomment-251895399
[Freeipa-devel] [freeipa PR#139][synchronized] WebUI: Vault Management
URL: https://github.com/freeipa/freeipa/pull/139 Author: pvomacka Title: #139: WebUI: Vault Management Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/139/head:pr139 git checkout pr139 From bb58c35a0707e89e0518f6f950f61af9021566d5 Mon Sep 17 00:00:00 2001 From: Pavel VomackaDate: Wed, 5 Oct 2016 09:54:24 +0200 Subject: [PATCH 01/10] Additional option to add and del operations can be set By setting the property 'additional_add_del_field' to the name of one of the fields which are on current details page, we choose field which value will be added to *_add_* and *_del_* commands in this format: {field_name: field_value} --field_name: field_value Part of: https://fedorahosted.org/freeipa/ticket/5426 --- install/ui/src/freeipa/association.js | 22 ++ 1 file changed, 22 insertions(+) diff --git a/install/ui/src/freeipa/association.js b/install/ui/src/freeipa/association.js index 7579bb0..d44f8c8 100644 --- a/install/ui/src/freeipa/association.js +++ b/install/ui/src/freeipa/association.js @@ -421,6 +421,14 @@ IPA.association_table_widget = function (spec) { var that = IPA.table_widget(spec); +/** + * The value should be name of the field, which will be added to *_add_*, + * *_del_* commands as option: {fieldname: fieldvalue}. + * + * @property {String} fieldname + */ +that.additional_add_del_field = spec.additional_add_del_field; + that.other_entity = IPA.get_entity(spec.other_entity); that.attribute_member = spec.attribute_member; 
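Review bot: the JSDoc block added above `that.additional_add_del_field` documents `@property {String} fieldname`, but the member it describes is `additional_add_del_field`; change the tag to `@property {String} additional_add_del_field` so generated docs and readers attach the description to the right property.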
@@ -677,9 +685,22 @@ IPA.association_table_widget = function (spec) { }); command.set_option(that.other_entity.name, values); +that.join_additional_option(command); + command.execute(); }; +that.join_additional_option = function(command) { +var add_opt = that.additional_add_del_field; +if (add_opt && typeof add_opt === 'string') { +var opt_field = that.entity.facet.get_field(add_opt); +var value; +if (opt_field) value = opt_field.get_value()[0]; + +command.set_option(add_opt, value); +} +}; + that.show_remove_dialog = function() { var selected_values = that.get_selected_values(); @@ -741,6 +762,7 @@ IPA.association_table_widget = function (spec) { }); command.set_option(that.other_entity.name, values); +that.join_additional_option(command); command.execute(); }; From a571d178aaff29e1c8aa4982827ccb0b6ab019f9 Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Wed, 5 Oct 2016 10:09:20 +0200 Subject: [PATCH 02/10] Allow to set another other_entity name Association table's add, del commands needs as option list of cn of other_entity, which is added or deleted. There is a case (currently in vaults) that the name of option is different than the name of other_entity. In this situation we can set 'other_option_name' and put there the option name. This option name will be used instead of 'other_entity' name. Part of: https://fedorahosted.org/freeipa/ticket/5426 --- install/ui/src/freeipa/association.js | 24 +--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/install/ui/src/freeipa/association.js b/install/ui/src/freeipa/association.js index d44f8c8..63beeb8 100644 --- a/install/ui/src/freeipa/association.js +++ b/install/ui/src/freeipa/association.js 
@@ -429,6 +429,17 @@ IPA.association_table_widget = function (spec) { */ that.additional_add_del_field = spec.additional_add_del_field; +/** + * Can be used in situations when the *_add_member command needs entity + * as a parameter, but parameter has different name than entity. + * i.e. vault_add_member --services=[values] ... this needs values from service + * entity, but option is called services, that we can set by setting + * this option in spec to other_option_name: 'services' + * + * @property other_option_name {String} + */ +that.other_option_name = spec.other_option_name; + that.other_entity = IPA.get_entity(spec.other_entity); that.attribute_member = spec.attribute_member; @@ -683,9 +694,9 @@ IPA.association_table_widget = function (spec) { on_success: on_success, on_error: on_error }); -command.set_option(that.other_entity.name, values); that.join_additional_option(command); +that.handle_entity_option(command, values); command.execute(); }; @@ -701,6 +712,14 @@ IPA.association_table_widget = function (spec) { } }; +that.handle_entity_option = function(command, values) { +var option_name = that.other_option_name; +if (!option_name) { +option_name = that.other_entity.name; +} +
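Review bot: in `that.join_additional_option`, `command.set_option(add_opt, value);` runs even when `that.entity.facet.get_field(add_opt)` returns nothing, so a misconfigured `additional_add_del_field` silently sends the option with an undefined value instead of failing visibly; move the `set_option` call inside the `if (opt_field)` branch (and guard `opt_field.get_value()[0]` against an empty array) or log a warning when the field is not found. The same applies to the second `that.join_additional_option(command);` call site in the remove path.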
Re: [Freeipa-devel] [PATCH] 0097 Add options to write lightweight CA cert or chain to file
On 23.9.2016 05:29, Fraser Tweedale wrote:
Bump for review. Rebased patches attached (there was a trivial conflict in imports). Thanks, Fraser

On Tue, Sep 06, 2016 at 02:05:06AM +1000, Fraser Tweedale wrote:
On Fri, Aug 26, 2016 at 10:28:58AM +0200, Jan Cholasta wrote:
On 19.8.2016 13:11, Fraser Tweedale wrote:
Bump for review.
On Wed, Aug 17, 2016 at 12:09:39AM +1000, Fraser Tweedale wrote:
On Tue, Aug 16, 2016 at 08:10:08AM +0200, Jan Cholasta wrote:
On 16.8.2016 07:24, Fraser Tweedale wrote:
On Mon, Aug 15, 2016 at 08:19:33AM +0200, Jan Cholasta wrote:
On 9.8.2016 16:47, Fraser Tweedale wrote:
On Mon, Aug 08, 2016 at 10:49:27AM +0200, Jan Cholasta wrote:
On 8.8.2016 09:06, Fraser Tweedale wrote:
On Mon, Aug 08, 2016 at 08:54:05AM +0200, Jan Cholasta wrote:
Hi,
On 8.8.2016 06:34, Fraser Tweedale wrote:
Please review the attached patch which adds --certificate-out and --certificate-chain-out options to the `ca-show' command. Note that --certificate-chain-out currently writes a bogus file due to a bug in Dogtag that will be fixed in this week's build. https://fedorahosted.org/freeipa/ticket/6178

1) The client-side *-out options should be defined on the client side, not on the server side.

Will an option defined on the client side be propagated to, and observable in, the ipaserver plugin? The ipaserver plugin needs to observe that *-out has been requested and execute additional command(s) on that basis. Is there a reason not to *always* return the certs? We hit Dogtag to retrieve them.

I don't think that's an issue in a -show command.

cert_show is invoked by other commands (cert_find*, cert_show, cert_request, cert_status, ca_del) but these all hit Dogtag anyway so I suppose that's fine. I'll return the cert *and* the chain in separate attributes, unconditionally.

2) I don't think there should be additional information included in summary (and it definitely should not be multi-line). I would rather inform the user via an error message when unable to write the files.
I was just following the pattern of other commands that write certs, profile config, etc. Apart from consistency with other commands I agree that there is no need to have it. So I will remove it. If you think there is an actual value in informing the user about successfully writing the files, please use ipalib.messages for the job. 3) IMO a better format for the certificate chain than PKCS#7 would be concatenated PEM, as that's the most commonly used format in IPA (in installers, there are no cert chains in API commands ATM). Sure, but the main use case isn't IPA. Other apps require PKCS #7 or concatenated PEMs, but sometimes they must be concatenated forward, and othertimes backwards. There is no one size fits all. True, which is exactly why I think we should at least be self-consistent and use concatenated PEM (and multi-value DER over the wire). Dogtag returns a PKCS7 (either DER or PEM, according to HTTP Accept header). If we want list-of-PEMs between server and client we have to convert on the server. Do we have a good way of doing this without exec'ing `openssl pkcs7' on the server? Is it acceptable to exec 'openssl' to do the conversion on the server? python-nss does not have PKCS7 functions and I am not keen on adding a pyasn1 PKCS7 parser just for the sake of pushing bits as list-of-PEMs. I'm afraid we can't avoid conversion to/from PKCS#7 one way or the other. For example, if we added a call to retrieve external CA chain using certs from cn=certificates,cn=ipa,cn=etc, we would have to convert the result to PKCS#7 if it was our cert chain format of choice. What we can avoid though is executing "openssl pkcs7" to do the conversion - we can use an approach similar to our DNSSEC code and use python-cffi to call libcrypto's PKCS#7 conversion routines instead. 
I had a look at the OpenSSL API for parsing PKCS #7; now I prefer to exec `openssl' to do the job :) I will transmit DER-encoded PKCS #7 object on the wire; we cannot used multi-valued DER attribute because order is important. Client will convert to PEMs. Well, my point was not to send PKCS#7 over the wire, so that clients (including 3rd party clients) do not have to convert from PKCS#7 themselves. In fact we can use multi-valued DER - whatever you send over the wire from the server will be received in the exact same order by the client. Even if it wasn't, you can easily restore the order by matching issuer and subject names of the certificates. Should have new patch on list this afternoon. Thanks, Fraser FWIW, man pages and code suggest that PKCS #7 is accepted in installer, etc. True, but that's a relatively new feature (since 4.1) and the installer internally executes "openssl pkcs7" to convert PKCS #7 to list of certs :-) We can add an option to control the format later, but for now, Dogtag returns a PKCS #7 (PEM or DER) so let's go with that. Worst case is an admin has to invoke `openssl pkcs7' and concat
[Freeipa-devel] [freeipa PR#140][comment] Tests: Remove invalid certplugin tests
URL: https://github.com/freeipa/freeipa/pull/140
Title: #140: Tests: Remove invalid certplugin tests

pvomacka commented:
"""
Yes, that's true and I understand that these tests depend on previous actions. What I actually wanted to say is that I think that we should rather rewrite these tests right now instead of just removing them.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/140#issuecomment-251891416
[Freeipa-devel] [freeipa PR#140][comment] Tests: Remove invalid certplugin tests
URL: https://github.com/freeipa/freeipa/pull/140
Title: #140: Tests: Remove invalid certplugin tests

mirielka commented:
"""
Hi, I discussed this with Rob who authored the tests and he said that these tests were there just as a kind of check that no extra revoked certificates get in. The tests are cca 4 years old, revoked certificates do get in e.g. due to changes in Dogtag (they can be created by other tests and can't be deleted) and the cert tests fail. Creating new tests as you described (create a cert, revoke it and check it's in the database with correct info) could be a separate task, since these tests didn't do such a thing, they just checked what's already in regardless of how it got there.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/140#issuecomment-251887928
[Freeipa-devel] [freeipa PR#140][comment] Tests: Remove invalid certplugin tests
URL: https://github.com/freeipa/freeipa/pull/140
Title: #140: Tests: Remove invalid certplugin tests

pvomacka commented:
"""
I think that it is not a good idea to remove tests, because we are lowering coverage. Therefore NACK. Could we rather rewrite these tests? For example issue certain certificates, revoke them and then test whether there are revoked certs with the correct revocation reason. I think that our Tracker could help with it.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/140#issuecomment-251886076
[Freeipa-devel] [freeipa PR#140][opened] Tests: Remove invalid certplugin tests
URL: https://github.com/freeipa/freeipa/pull/140 Author: mirielka Title: #140: Tests: Remove invalid certplugin tests Action: opened PR body: """ A bunch of certplugin tests were testing number of revoked certificates with various revocation reasons. Since existence of revoked certificates often depends on other parts of IdM than IPA, it is not really valid to check their presence unless creation of revoked certificate is intentionally tested. https://fedorahosted.org/freeipa/ticket/6349 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/140/head:pr140 git checkout pr140 From b6afcc5b56f471b06fdd64a0c1e0d996b4a07f08 Mon Sep 17 00:00:00 2001 From: Lenka DoudovaDate: Thu, 6 Oct 2016 08:51:03 +0200 Subject: [PATCH] Tests: Remove invalid certplugin tests A bunch of certplugin tests were testing number of revoked certificates with various revocation reasons. Since existence of revoked certificates often depends on other parts of IdM than IPA, it is not really valid to check their presence unless creation of revoked certificate is intentionally tested. https://fedorahosted.org/freeipa/ticket/6349 --- ipatests/test_xmlrpc/test_cert_plugin.py | 75 +--- 1 file changed, 1 insertion(+), 74 deletions(-) diff --git a/ipatests/test_xmlrpc/test_cert_plugin.py b/ipatests/test_xmlrpc/test_cert_plugin.py index 4537002..e527886 100644 --- a/ipatests/test_xmlrpc/test_cert_plugin.py +++ b/ipatests/test_xmlrpc/test_cert_plugin.py 
@@ -292,80 +292,7 @@ def test_0006_find_this_short_host_exact(self): res = api.Command['cert_find'](subject=self.short, exactly=True) assert 'count' in res and res['count'] == 0 -def test_0007_find_revocation_reason_0(self): -""" -Find all certificates with revocation reason 0 -""" -res = api.Command['cert_find'](revocation_reason=0) -assert 'count' in res and res['count'] == 0 - -def test_0008_find_revocation_reason_1(self): -""" -Find all certificates with revocation reason 1 -""" -res = api.Command['cert_find'](revocation_reason=1) -assert 'count' in res and res['count'] == 0 - -def test_0009_find_revocation_reason_2(self): -""" -Find all certificates with revocation reason 2 -""" -res = api.Command['cert_find'](revocation_reason=2) -assert 'count' in res and res['count'] == 0 - -def test_0010_find_revocation_reason_3(self): -""" -Find all certificates with revocation reason 3 -""" -res = api.Command['cert_find'](revocation_reason=3) -assert 'count' in res and res['count'] == 0 - -def test_0011_find_revocation_reason_4(self): -""" -Find all certificates with revocation reason 4 - -There is no way to know in advance how many revoked certificates -we'll have but in the context of make-test we'll have at least one. 
-""" -res = api.Command['cert_find'](revocation_reason=4) -assert 'count' in res and res['count'] >= 1 - -def test_0012_find_revocation_reason_5(self): -""" -Find all certificates with revocation reason 5 -""" -res = api.Command['cert_find'](revocation_reason=5) -assert 'count' in res and res['count'] == 0 - -def test_0013_find_revocation_reason_6(self): -""" -Find all certificates with revocation reason 6 -""" -res = api.Command['cert_find'](revocation_reason=6) -assert 'count' in res and res['count'] == 0 - -# There is no revocation reason #7 - -def test_0014_find_revocation_reason_8(self): -""" -Find all certificates with revocation reason 8 -""" -res = api.Command['cert_find'](revocation_reason=8) -assert 'count' in res and res['count'] == 0 - -def test_0015_find_revocation_reason_9(self): -""" -Find all certificates with revocation reason 9 -""" -res = api.Command['cert_find'](revocation_reason=9) -assert 'count' in res and res['count'] == 0 - -def test_0016_find_revocation_reason_10(self): -""" -Find all certificates with revocation reason 10 -""" -res = api.Command['cert_find'](revocation_reason=10) -assert 'count' in res and res['count'] == 0 +# tests 0007 to 0016 removed def test_0017_find_by_issuedon(self): """ -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
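Review bot: the replacement line `+# tests 0007 to 0016 removed` leaves a comment in the test file that tells a reader nothing about why the tests went away; either drop it (git history and the PR body already record the removal) or point it at https://fedorahosted.org/freeipa/ticket/6349 so the reasoning that revoked-certificate counts depend on other parts of IdM stays with the code. Note also that `test_0011_find_revocation_reason_4` was the only one of the removed tests asserting `res['count'] >= 1`, so after this hunk the suite no longer checks that cert_find can return a revoked certificate at all, which supports the rewritten issue-then-revoke test proposed in the review comments.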