[Freeipa-devel] [freeipa PR#206][opened] Properly handle multiple cookies in rpcclient

2016-11-01 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/206
Author: simo5
 Title: #206: Properly handle multiple cookies in rpcclient
Action: opened

PR body:
"""
The current code does not give a list of cookies, but a concatenated string 
separated by a comma. This is a format the Cookie class does not understand. 
msg.getheaders returns the wanted format.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/206/head:pr206
git checkout pr206
From 2433c2b315e1526e9f8431c577625bf115673480 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 1 Nov 2016 14:59:12 -0400
Subject: [PATCH] Properly handle multiple cookies in rpcclient

Signed-off-by: Simo Sorce 
---
 ipalib/rpc.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 7756eaf..b5f7e6f 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -719,7 +719,7 @@ def store_session_cookie(self, cookie_header):
 pass
 
 def parse_response(self, response):
-self.store_session_cookie(response.getheader('Set-Cookie'))
+self.store_session_cookie(response.msg.getheaders('Set-Cookie'))
 return SSLTransport.parse_response(self, response)
 
 
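Review bot: `response.msg.getheaders('Set-Cookie')` is the Python 2 httplib API (`mimetools.Message.getheaders`); under Python 3 `response.msg` is an `email.message.Message`, whose equivalent is `get_all('Set-Cookie')`, so this line raises AttributeError on py3. The callee also changes contract here: `getheaders` returns a list rather than a string, and an empty list rather than None when no cookie was sent, so `store_session_cookie()` (whose body is outside the hunk) must accept a list and cope with `[]`.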
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
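To see why the comma-joined form the PR body complains about is unusable, here is an added example (not code from the PR or from ipalib) that builds a constructed two-cookie response head and compares the joined string, which is what `getheader()` returns, with the per-header list from `get_all()` (py3) / `getheaders()` (py2):

```python
import email
from http.cookies import SimpleCookie

# Constructed response header block with two Set-Cookie headers (sample values,
# not taken from a real FreeIPA server). The Expires attribute contains ", ",
# which is exactly what makes a comma-joined header string unsplittable.
RAW_HEADERS = (
    b"Set-Cookie: ipa_session=deadbeefcafe; Domain=ipa.example.test; Path=/ipa; "
    b"Expires=Wed, 09 Nov 2016 21:00:00 GMT; Secure; HttpOnly\r\n"
    b"Set-Cookie: other=1; Path=/\r\n"
    b"Content-Type: application/json\r\n"
    b"\r\n"
)


def set_cookie_list(raw_headers):
    """List form: one string per Set-Cookie header, the shape the patch switches
    to (msg.getheaders on Python 2, msg.get_all on Python 3)."""
    msg = email.message_from_bytes(raw_headers)
    return msg.get_all("Set-Cookie") or []


def set_cookie_joined(raw_headers):
    """String form that HTTPResponse.getheader() returns: duplicates joined with ', '."""
    return ", ".join(set_cookie_list(raw_headers))


def naive_split(joined):
    """The only way to get cookies back out of the joined form; it breaks on any
    Expires date because those contain ', ' too."""
    return joined.split(", ")


def parse_cookies(headers):
    """Load each Set-Cookie header separately into a cookie jar."""
    jar = SimpleCookie()
    for header in headers:
        jar.load(header)
    return jar


if __name__ == "__main__":
    print("joined:", set_cookie_joined(RAW_HEADERS))
    print("naive split gives", len(naive_split(set_cookie_joined(RAW_HEADERS))),
          "pieces for", len(set_cookie_list(RAW_HEADERS)), "cookies")
    for name, morsel in parse_cookies(set_cookie_list(RAW_HEADERS)).items():
        print(name, "=", morsel.value, "expires:", morsel["expires"] or "(session)")
```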

[Freeipa-devel] [freeipa PR#205][comment] Support DAL version 5 and version 6

2016-11-01 Thread frozencemetery
  URL: https://github.com/freeipa/freeipa/pull/205
Title: #205: Support DAL version 5 and version 6

frozencemetery commented:
"""
Thank you for fixing this, and futureproofing the next version bump.  Unless 
freeipa has a policy against it, I would prefer the use of designated 
initializers here for additional protection against breakage in the future, as 
you mention that in the past this has occasionally been changed by accident 
without bumping the number.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/205#issuecomment-257692943

[Freeipa-devel] [freeipa PR#204][comment] ipautil.run: Remove hardcoded environ PATH value

2016-11-01 Thread rcritten
  URL: https://github.com/freeipa/freeipa/pull/204
Title: #204: ipautil.run: Remove hardcoded environ PATH value

rcritten commented:
"""
This isn't about replacing existing binaries, it's about putting binaries into 
unexpected places that are in the default PATH (e.g. ~/bin or /usr/local/bin).

PATH cannot be overridden by an attacker without making code changes, in which 
case it's already game over (or it shouldn't; I didn't look for every execution 
of ipautil.run() where env is passed in).

I don't disagree on being platform dependent.

As for documentation, it just got missed. It's not an excuse, just the reality.

It is generally accepted best practice to not trust user input, including 
environment variables. See 
https://www.securecoding.cert.org/confluence/display/c/ENV03-C.+Sanitize+the+environment+when+invoking+external+programs

This isn't followed completely, but at least the environment by default is 
wiped and PATH is controlled for the most part.

Originally the commands were called explicitly, e.g. 
/usr/kerberos/sbin/kadmin.local, but because of the Fedora 14 issue we had to 
rely on PATH (see d0ea0bb63891babd1c5778df2e291b527c8e927c).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/204#issuecomment-257667140
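As an added illustration of the environment-sanitizing approach behind the CERT ENV03-C link above (this is not FreeIPA's `ipautil.run()` and not code from the PR), the following builds an allow-listed environment with a fixed PATH, resolves commands against that PATH only, and flags the PATH entries the thread argues about; `TRUSTED_PATH`, `KEEP_VARS` and `TRUSTED_PREFIXES` are assumed placeholders for values that would live in ipaplatform.

```python
import os
import shutil
import subprocess

# Assumed platform-specific default search path (in FreeIPA this would belong
# in ipaplatform, as the PR proposes); the entries are an assumption.
TRUSTED_PATH = "/usr/bin:/usr/sbin:/bin:/sbin"

# Variables worth carrying over from the caller. Everything else (LD_PRELOAD,
# PYTHONPATH, KRB5_CONFIG, ...) is dropped unless a caller passes env explicitly.
KEEP_VARS = ("LANG", "LC_ALL", "TZ")

# Directories considered package-managed; anything else in a PATH is flagged.
TRUSTED_PREFIXES = ("/usr/bin", "/usr/sbin", "/bin", "/sbin",
                    "/usr/kerberos/bin", "/usr/kerberos/sbin")


def risky_path_entries(path):
    """Return the entries of a PATH string that a user-writable location could
    hide behind: empty entries (meaning the current directory), relative
    entries, and anything outside the trusted system prefixes."""
    risky = []
    for entry in path.split(os.pathsep):
        if entry == "" or not os.path.isabs(entry):
            risky.append(entry)
        elif os.path.normpath(entry) not in TRUSTED_PREFIXES:
            risky.append(entry)
    return risky


def sanitized_env(base=None):
    """Build a minimal environment: allow-listed variables from base plus a
    fixed PATH, instead of copying os.environ wholesale."""
    base = os.environ if base is None else base
    env = {name: base[name] for name in KEEP_VARS if name in base}
    env["PATH"] = TRUSTED_PATH
    return env


def resolve_executable(command, env):
    """Resolve command against env['PATH'] only, never the caller's PATH.
    Returns the absolute path or None."""
    if os.path.isabs(command):
        return command if os.access(command, os.X_OK) else None
    return shutil.which(command, path=env["PATH"])


def run(args, env=None):
    """Run args with a controlled environment. Raises FileNotFoundError if the
    command cannot be found in the trusted PATH."""
    env = sanitized_env() if env is None else env
    exe = resolve_executable(args[0], env)
    if exe is None:
        raise FileNotFoundError("%s not found in PATH=%s" % (args[0], env["PATH"]))
    return subprocess.run([exe] + list(args[1:]), env=env,
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    print("risky entries in this shell's PATH:",
          risky_path_entries(os.environ.get("PATH", "")))
    print("child sees PATH =", run(["sh", "-c", 'printf %s "$PATH"']).stdout)
```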

[Freeipa-devel] [freeipa PR#205][opened] Support DAL version 5 and version 6

2016-11-01 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/205
Author: simo5
 Title: #205: Support DAL version 5 and version 6
Action: opened

PR body:
"""
Should fix bz#1389866
(untested)
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/205/head:pr205
git checkout pr205
From 9f71b4e01b9ef3040817437790c4756d31d3f404 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 1 Nov 2016 15:13:14 -0400
Subject: [PATCH] Support DAL version 5 and version 6

See bz#1389866

Signed-off-by: Simo Sorce 
---
 daemons/ipa-kdb/ipa_kdb.c | 45 +
 1 file changed, 45 insertions(+)

diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index fbcb03b..3d3365d 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -625,6 +625,7 @@ static void ipadb_free(krb5_context context, void *ptr)
 
 /* KDB Virtual Table */
 
+#if KRB5_KDB_DAL_MAJOR_VERSION == 5
 kdb_vftabl kdb_function_table = {
 KRB5_KDB_DAL_MAJOR_VERSION, /* major version number */
 0,  /* minor version number */
@@ -667,3 +668,47 @@ kdb_vftabl kdb_function_table = {
 ipadb_check_allowed_to_delegate /* check_allowed_to_delegate */
 };
 
+#elif KRB5_KDB_DAL_MAJOR_VERSION == 6
+kdb_vftabl kdb_function_table = {
+KRB5_KDB_DAL_MAJOR_VERSION, /* major version number */
+0,  /* minor version number */
+ipadb_init_library, /* init_library */
+ipadb_fini_library, /* fini_library */
+ipadb_init_module,  /* init_module */
+ipadb_fini_module,  /* fini_module */
+ipadb_create,   /* create */
+NULL,   /* destroy */
+ipadb_get_age,  /* get_age */
+NULL,   /* lock */
+NULL,   /* unlock */
+ipadb_get_principal,/* get_principal */
+ipadb_put_principal,/* put_principal */
+ipadb_delete_principal, /* delete_principal */
+NULL,   /* rename_principal */
+ipadb_iterate,  /* iterate */
+ipadb_create_pwd_policy,/* create_policy */
+ipadb_get_pwd_policy,   /* get_policy */
+ipadb_put_pwd_policy,   /* put_policy */
+ipadb_iterate_pwd_policy,   /* iter_policy */
+ipadb_delete_pwd_policy,/* delete_policy */
+ipadb_fetch_master_key, /* fetch_master_key */
+NULL,   /* fetch_master_key_list */
+ipadb_store_master_key_list,/* store_master_key_list */
+NULL,   /* dbe_search_enctype */
+ipadb_change_pwd,   /* change_pwd */
+NULL,   /* promote_db */
+NULL,   /* decrypt_key_data */
+NULL,   /* encrypt_key_data */
+ipadb_sign_authdata,/* sign_authdata */
+ipadb_check_transited_realms,   /* check_transited_realms */
+ipadb_check_policy_as,  /* check_policy_as */
+NULL,   /* check_policy_tgs */
+ipadb_audit_as_req, /* audit_as_req */
+NULL,   /* refresh_config */
+ipadb_check_allowed_to_delegate /* check_allowed_to_delegate */
+};
+
+#else
+#error unsupported DAL major version
+#endif
+
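Review bot: the version 6 table is a full copy of the version 5 table with the same initialisers in the same positional order, so the diff cannot show which `kdb_vftabl` slot (if any) differs between DAL 5 and DAL 6; with positional initialisation a member that moved between versions still compiles and the KDC simply calls the wrong function through it. Designated initializers (`.get_principal = ipadb_get_principal, ...`) in both branches, as suggested in the review comment on this PR, would turn such drift into a compile error and avoid duplicating the whole table. The final `+` line after `#endif` also adds a trailing blank line at end of file.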

[Freeipa-devel] [freeipa PR#204][comment] ipautil.run: Remove hardcoded environ PATH value

2016-11-01 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/204
Title: #204: ipautil.run: Remove hardcoded environ PATH value

mbasti-rh commented:
"""
> PATH is untrustworthy because there is no knowing what is in it, or the 
> order. It could easily have /usr/local/bin first and some rogue version of a 
> program installed there, or it could have something in ~/bin. Calling exec() 
> is dangerous by its very nature so we opted to be paranoid.
> 

/usr/bin is untrustworthy in the same way, you don't know if an attacker changed 
some binary files, should we have fingerprints and check before exec?

AFAIK PATH is the standard way to tell programs where they should look for 
binaries if they are installed in a nonstandard directory.

In case environment variables are really considered to be a security risk 
in the way you are saying, then I have bad news:
- our custom path can be overridden by an attacker
- this kind of attack can currently be done directly from python, we don't need 
anything else in IPA, so our ipautil.run() cannot save users
- you can easily DoS a user of IPA

And this should be platform dependent, so we should move path to ipaplatform

> Your archaeology is right, this wasn't exactly documented. Perhaps it was 
> discussed on IRC in relation to the bug but I remember talking to Simo about 
> this.

It wasn't documented.
That is not nice if this is a security feature.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/204#issuecomment-257663432

[Freeipa-devel] [freeipa PR#204][comment] ipautil.run: Remove hardcoded environ PATH value

2016-11-01 Thread rcritten
  URL: https://github.com/freeipa/freeipa/pull/204
Title: #204: ipautil.run: Remove hardcoded environ PATH value

rcritten commented:
"""
PATH is untrustworthy because there is no knowing what is in it, or the order. 
It could easily have /usr/local/bin first and some rogue version of a program 
installed there, or it could have something in ~/bin. Calling exec() is 
dangerous by its very nature so we opted to be paranoid.

Your archaeology is right, this wasn't exactly documented. Perhaps it was 
discussed on IRC in relation to the bug but I remember talking to Simo about 
this.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/204#issuecomment-257655506

[Freeipa-devel] [freeipa PR#204][comment] ipautil.run: Remove hardcoded environ PATH value

2016-11-01 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/204
Title: #204: ipautil.run: Remove hardcoded environ PATH value

mbasti-rh commented:
"""
Can you elaborate more about that attack? Do you have any links to share?
If an attacker has permission to set a user's environment variables, IMO the user 
already has a lot of problems and it is too late to save that situation.

I did git archaeology and this was the commit where it was added, so it was 
hard to find the reason why it was added.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/204#issuecomment-257640644

[Freeipa-devel] [freeipa PR#145][comment] Refactoring: LDAP Connection Management

2016-11-01 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/145
Title: #145: Refactoring: LDAP Connection Management

tomaskrizek commented:
"""
In an offline discussion we decided not to push temporary changes to master. 
Here's the final code for review. 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/145#issuecomment-257638689

[Freeipa-devel] [freeipa PR#204][comment] ipautil.run: Remove hardcoded environ PATH value

2016-11-01 Thread rcritten
  URL: https://github.com/freeipa/freeipa/pull/204
Title: #204: ipautil.run: Remove hardcoded environ PATH value

rcritten commented:
"""
NACK. I'd be fine with changing the PATH to remove cruft but the primary 
purpose is to prevent an attacker from providing their own PATH with unknown 
executables. For those few places where one must control PATH then env can be 
(and is) passed in.

No ticket?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/204#issuecomment-257628641

[Freeipa-devel] [freeipa PR#204][synchronized] ipautil.run: Remove hardcoded environ PATH value

2016-11-01 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/204
Author: mbasti-rh
 Title: #204: ipautil.run: Remove hardcoded environ PATH value
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/204/head:pr204
git checkout pr204
From 078c05f6e2bb52f38d0b68a6b9a9e8429d977374 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 1 Nov 2016 17:32:13 +0100
Subject: [PATCH] ipautil.run: Remove hardcoded environ PATH value

This was introduced in commit d0ea0bb63891babd1c5778df2e291b527c8e927c
as F14 compatibility. We don't need to have F14 compatibility anymore.
PATH should always be inherited from os.environ and then amended.
Also, this is platform specific and should not
be in core code.
---
 ipapython/ipautil.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index f7d7537..c6e7c4a 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -409,7 +409,6 @@ def run(args, stdin=None, raiseonerr=True, nolog=(), env=None,
 if env is None:
 # copy default env
 env = copy.deepcopy(os.environ)
-env["PATH"] = "/bin:/sbin:/usr/kerberos/bin:/usr/kerberos/sbin:/usr/bin:/usr/sbin"
 if stdin:
 p_in = subprocess.PIPE
 if skip_output:
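Review bot: deleting the `env["PATH"]` assignment leaves `env = copy.deepcopy(os.environ)` as the only default, so every caller that passes a bare command name now resolves it through whatever PATH the invoking process inherited, including empty or relative entries and user-writable directories when a tool is started from an interactive shell. The commit message says the value belongs in ipaplatform, but the patch adds no replacement there; land the platform-specific PATH (and, per the CERT ENV03-C reference in the discussion, an allow-list for the rest of the copied environment) in the same change rather than removing the control first.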

[Freeipa-devel] [freeipa PR#204][opened] ipautil.run: Remove hardcoded environ PATH value

2016-11-01 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/204
Author: mbasti-rh
 Title: #204: ipautil.run: Remove hardcoded environ PATH value
Action: opened

PR body:
"""
This was introduced in commit d0ea0bb63891babd1c5778df2e291b527c8e927c
as F14 compatibility. PATH should always be inherited from
os.environ and then amended. Also, this is platform specific and should not
be in core code.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/204/head:pr204
git checkout pr204
From 1e5e694273751593e6fa4cb53556c32d17cb7f82 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 1 Nov 2016 17:32:13 +0100
Subject: [PATCH] ipautil.run: Remove hardcoded environ PATH value

This was introduced in commit d0ea0bb63891babd1c5778df2e291b527c8e927c
as F14 compatibility. PATH should always be inherited from
os.environ and then amended. Also, this is platform specific and should not
be in core code.
---
 ipapython/ipautil.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index f7d7537..c6e7c4a 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -409,7 +409,6 @@ def run(args, stdin=None, raiseonerr=True, nolog=(), env=None,
 if env is None:
 # copy default env
 env = copy.deepcopy(os.environ)
-env["PATH"] = "/bin:/sbin:/usr/kerberos/bin:/usr/kerberos/sbin:/usr/bin:/usr/sbin"
 if stdin:
 p_in = subprocess.PIPE
 if skip_output:
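Review bot: the removed line is the only place that put `/usr/kerberos/bin` and `/usr/kerberos/sbin` on the search path, so any caller of `run()` that still names a Kerberos tool without an absolute path depends on those directories being in the caller's PATH after this change. The PR body should list which callers were checked for that, since the hunk itself (identical to the one in the later synchronized push of this PR) gives no indication.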

[Freeipa-devel] [freeipa PR#203][synchronized] Add sdist_list plugin to all setup.py

2016-11-01 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/203
Author: tiran
 Title: #203: Add sdist_list plugin to all setup.py
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/203/head:pr203
git checkout pr203
From 1426933295a9e83d29657d9eb8ae478b10e2ddc2 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 1 Nov 2016 12:53:30 +0100
Subject: [PATCH] Add sdist_list plugin to all setup.py

The sdist_list plugin creates a source distribution file list.

Signed-off-by: Christian Heimes 
---
 ipasetup.py.in | 68 ++
 1 file changed, 68 insertions(+)

diff --git a/ipasetup.py.in b/ipasetup.py.in
index f291d22..0067037 100644
--- a/ipasetup.py.in
+++ b/ipasetup.py.in
@@ -15,9 +15,74 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see .
 #
+from __future__ import print_function
+
 import os
+import re
 import sys
 
+from setuptools.command.sdist import sdist as setuptools_sdist
+
+# from Python 3.5's shlex module
+_find_unsafe = re.compile(r'[^\w@%+=:,./-]', getattr(re, 'ASCII', 0)).search
+
+
+def shlex_quote(s):
+"""Return a shell-escaped version of the string *s*."""
+if not s:
+return "''"
+if _find_unsafe(s) is None:
+return s
+
+# use single quotes, and put single quotes into double quotes
+# the string $'b is then quoted as '$'"'"'b'
+return "'" + s.replace("'", "'\"'\"'") + "'"
+
+
+class sdist_list(setuptools_sdist):
+"""Source distribution list plugin (based on standard sdist)
+"""
+description = "create source distributon file list"
+
+user_options = [
+('base-dir=', 'b', 'base directory for source files'),
+('source-list=', 's', 'source list file'),
+]
+help_options = []
+boolean_options = []
+
+separator = '\n'
+
+def initialize_options(self):
+setuptools_sdist.initialize_options(self)
+self.base_dir = None
+self.source_list = None
+
+def finalize_options(self):
+setuptools_sdist.finalize_options(self)
+if self.base_dir is None:
+self.base_dir = os.path.abspath(os.getcwd())
+
+def make_distribution(self):
+# Don't create any distribution
+self.archive_files = []
+
+def run(self):
+setuptools_sdist.run(self)
+self.filelist.sort()
+self.filelist.remove_duplicates()
+filenames = []
+for filename in self.filelist.files:
+filename = os.path.join(self.base_dir, filename)
+filenames.append(shlex_quote(filename))
+
+if self.source_list is not None:
+with open(self.source_list, 'w') as f:
+f.write(self.separator.join(filenames))
+else:
+print(self.separator.join(filenames))
+
+
 common_args = dict(
 version="__VERSION__",
 license="GPL",
@@ -28,6 +93,9 @@ common_args = dict(
 url="http://www.freeipa.org/";,
 download_url="http://www.freeipa.org/page/Downloads";,
 platforms=["Linux", "Solaris", "Unix"],
+cmdclass={
+'sdist_list': sdist_list,
+},
 classifiers=[
 "Development Status :: 5 - Production/Stable",
 ("Topic :: System :: Systems Administration :: "
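Review bot: `cmdclass` is added to `common_args`, which the individual setup.py files merge into their own keyword arguments; any setup.py that already passes a `cmdclass` of its own will replace this dict wholesale rather than merge it, leaving `sdist_list` silently unavailable there. Worth checking the callers or merging the dicts explicitly.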

[Freeipa-devel] [freeipa PR#203][comment] Add sdist_list plugin to all setup.py

2016-11-01 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/203
Title: #203: Add sdist_list plugin to all setup.py

tiran commented:
"""
You have two options to work around the extra output:
1. redirect stderr and use ```python setup.py --quiet sdist_list```. The order 
is important, ```python setup.py sdist_list --quiet``` only silences the sdist_list 
command, not subcommands.
2. use the ```--source-list``` option to write the source list into a file

The content of ```SOURCES.txt``` is not necessarily the same as 
```sdist_list```. The ```sdist``` command may add additional files after 
```egg_info``` has created the file.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/203#issuecomment-257565973

[Freeipa-devel] [freeipa PR#203][comment] Add sdist_list plugin to all setup.py

2016-11-01 Thread pspacek
  URL: https://github.com/freeipa/freeipa/pull/203
Title: #203: Add sdist_list plugin to all setup.py

pspacek commented:
"""
Thanks for the proposal. It has several problems:
- It prints extra text at the beginning of output. This makes the output 
unsuitable for automated processing.
~~~
$ python setup.py sdist_list --quiet
running sdist_list
running egg_info
writing freeipa.egg-info/PKG-INFO
writing top-level names to freeipa.egg-info/top_level.txt
writing dependency_links to freeipa.egg-info/dependency_links.txt
reading manifest file 'freeipa.egg-info/SOURCES.txt'
writing manifest file 'freeipa.egg-info/SOURCES.txt'
warning: sdist_list: standard file not found: should have one of README, 
README.rst, README.txt

running check
/home/pspacek/pkg/ipa/git/ipaserver/__init__.py
~~~
- pylint is failing

I wonder if the printed list is always the same as *.egg-info/SOURCES.txt or 
not. If it is the same we may very well re-use that file. It seems that 
egg-info is generated during `sdist_list` processing anyway ...
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/203#issuecomment-257562968

[Freeipa-devel] [freeipa PR#203][opened] Add sdist_list plugin to all setup.py

2016-11-01 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/203
Author: tiran
 Title: #203: Add sdist_list plugin to all setup.py
Action: opened

PR body:
"""
The sdist_list plugin creates a source distribution file list.

Signed-off-by: Christian Heimes 

@pspacek here is your helper command for automake dist. 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/203/head:pr203
git checkout pr203
From c95ff322d8e87148c0b060926949f01861e7fe73 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 1 Nov 2016 12:53:30 +0100
Subject: [PATCH] Add sdist_list plugin to all setup.py

The sdist_list plugin creates a source distribution file list.

Signed-off-by: Christian Heimes 
---
 ipasetup.py.in | 66 ++
 1 file changed, 66 insertions(+)

diff --git a/ipasetup.py.in b/ipasetup.py.in
index f291d22..76579d0 100644
--- a/ipasetup.py.in
+++ b/ipasetup.py.in
@@ -16,8 +16,71 @@
 # along with this program.  If not, see .
 #
 import os
+import re
 import sys
 
+from setuptools.command.sdist import sdist as setuptools_sdist
+
+# from Python 3.5's shlex module
+_find_unsafe = re.compile(r'[^\w@%+=:,./-]', getattr(re, 'ASCII', 0)).search
+
+
+def shlex_quote(s):
+"""Return a shell-escaped version of the string *s*."""
+if not s:
+return "''"
+if _find_unsafe(s) is None:
+return s
+
+# use single quotes, and put single quotes into double quotes
+# the string $'b is then quoted as '$'"'"'b'
+return "'" + s.replace("'", "'\"'\"'") + "'"
+
+
+class sdist_list(setuptools_sdist):
+"""Source distribution list plugin (based on standard sdist)
+"""
+description = "create source distributon file list"
+
+user_options = [
+('base-dir=', 'b', 'base directory for source files'),
+('source-list=', 's', 'source list file'),
+]
+help_options = []
+boolean_options = []
+
+separator = '\n'
+
+def initialize_options(self):
+setuptools_sdist.initialize_options(self)
+self.base_dir = None
+self.source_list = None
+
+def finalize_options(self):
+setuptools_sdist.finalize_options(self)
+if self.base_dir is None:
+self.base_dir = os.path.abspath(os.getcwd())
+
+def make_distribution(self):
+# Don't create any distribution
+self.archive_files = []
+
+def run(self):
+setuptools_sdist.run(self)
+self.filelist.sort()
+self.filelist.remove_duplicates()
+filenames = []
+for filename in self.filelist.files:
+filename = os.path.join(self.base_dir, filename)
+filenames.append(shlex_quote(filename))
+
+if self.source_list is not None:
+with open(self.source_list, 'w') as f:
+f.write(self.separator.join(filenames))
+else:
+print(self.separator.join(filenames))
+
+
 common_args = dict(
 version="__VERSION__",
 license="GPL",
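Review bot: `print(self.separator.join(filenames))` means the same thing on Python 2 only because it has a single argument; without `from __future__ import print_function` it is the py2 print statement applied to a parenthesised expression. Add the future import so the call is unambiguous on both interpreters (the later push of this PR does so).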
@@ -28,6 +91,9 @@ common_args = dict(
 url="http://www.freeipa.org/";,
 download_url="http://www.freeipa.org/page/Downloads";,
 platforms=["Linux", "Solaris", "Unix"],
+cmdclass={
+'sdist_list': sdist_list,
+},
 classifiers=[
 "Development Status :: 5 - Production/Stable",
 ("Topic :: System :: Systems Administration :: "

[Freeipa-devel] [freeipa PR#202][opened] ipa-getkeytab enhancements

2016-11-01 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/202
Author: martbab
 Title: #202: ipa-getkeytab enhancements
Action: opened

PR body:
"""
This PR implements '-H' and '-Y' options mentioned in
https://fedorahosted.org/freeipa/ticket/6409 along with the ability to specify
CA cert on the command line (which proved useful during the work on installer
refactoring).

Since my C skills are not at the level I would like them to be it would be nice
if you point out even the tiniest mistakes, risky code or non-idiomatic usage.

Also the test case `test_retrieval_using_plain_ldap` fails due to an unsuccessful
simple bind. I wanted to implement StartTLS for simple binds over ldap://, but
I get the following errors in dirsrv error log:

[01/Nov/2016:10:44:52.395126000 +] connection - conn=883 fd=135
Incoming BER Element was 3 bytes, max allowable is 209715200 bytes.
Change the nsslapd-maxbersize attribute in cn=config to increase.

I guess there is something fishy with the way I initialize the StartTLS
session. I would appreciate your help with it.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/202/head:pr202
git checkout pr202
From 463fea6370bee56ef445056146099051dcc0f7cd Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 27 Oct 2016 13:35:10 +0200
Subject: [PATCH 1/5] ipa-getkeytab: expose CA cert path as option

get rid of hardcoded CA cert path and allow the caller to use supplied custom
paths instead

https://fedorahosted.org/freeipa/ticket/6409
---
 client/ipa-getkeytab.c | 25 +++--
 client/man/ipa-getkeytab.1 |  6 +-
 2 files changed, 24 insertions(+), 7 deletions(-)

diff --git a/client/ipa-getkeytab.c b/client/ipa-getkeytab.c
index 0f549a5..e46c78d 100644
--- a/client/ipa-getkeytab.c
+++ b/client/ipa-getkeytab.c
@@ -44,6 +44,8 @@
 #include "ipa_asn1.h"
 #include "ipa-client-common.h"
 
+#define DEFAULT_CA_CERT_FILE "/etc/ipa/ca.crt"
+
 static int ldap_sasl_interact(LDAP *ld, unsigned flags, void *priv_data, void *sit)
 {
 	sasl_interact_t *in = NULL;
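Review bot: `DEFAULT_CA_CERT_FILE` is introduced here but not referenced in any visible hunk, and the final hunk of `main()` is cut off in this digest; confirm that `main()` substitutes it when `--cacert` is not given, because `ca_cert_file` is initialised to NULL there and is passed straight down to `ipa_ldap_bind()`, where a NULL CA file would leave TLS verification unconfigured.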
@@ -152,10 +154,9 @@ static int ipa_ldap_init(LDAP ** ld, const char * scheme, const char * servernam
 	return rc;
 }
 
-const char *ca_cert_file = "/etc/ipa/ca.crt";
-
 static int ipa_ldap_bind(const char *server_name, krb5_principal bind_princ,
-			 const char *bind_dn, const char *bind_pw, LDAP **_ld)
+			 const char *bind_dn, const char *bind_pw,
+ const char *ca_cert_file, LDAP **_ld)
 {
 char *msg = NULL;
 struct berval bv;
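Review bot: the new continuation line `const char *ca_cert_file, LDAP **_ld)` is indented with spaces while the line above it uses tabs, so the parameters no longer line up in an editor with a different tab width; match the prototype's existing tab indentation (the added parameter in `ldap_set_keytab` below has the same mismatch).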
@@ -343,6 +344,7 @@ static int ldap_set_keytab(krb5_context krbctx,
 			   krb5_principal princ,
 			   const char *binddn,
 			   const char *bindpw,
+   const char *ca_cert_file,
 			   struct keys_container *keys)
 {
 	LDAP *ld = NULL;
@@ -369,7 +371,7 @@ static int ldap_set_keytab(krb5_context krbctx,
 		goto error_out;
 	}
 
-ret = ipa_ldap_bind(servername, princ, binddn, bindpw, &ld);
+ret = ipa_ldap_bind(servername, princ, binddn, bindpw, ca_cert_file, &ld);
 if (ret != LDAP_SUCCESS) {
 fprintf(stderr, _("Failed to bind to server!\n"));
 goto error_out;
@@ -500,6 +502,7 @@ static int ldap_get_keytab(krb5_context krbctx, bool generate, char *password,
const char *enctypes, const char *bind_server,
const char *svc_princ, krb5_principal bind_princ,
const char *bind_dn, const char *bind_pw,
+   const char *ca_cert_file,
struct keys_container *keys, int *kvno,
char **err_msg)
 {
@@ -529,7 +532,8 @@ static int ldap_get_keytab(krb5_context krbctx, bool generate, char *password,
 goto done;
 }
 
-ret = ipa_ldap_bind(bind_server, bind_princ, bind_dn, bind_pw, &ld);
+ret = ipa_ldap_bind(bind_server, bind_princ, bind_dn, bind_pw,
+ca_cert_file, &ld);
 if (ret != LDAP_SUCCESS) {
 *err_msg = _("Failed to bind to server!\n");
 goto done;
@@ -684,6 +688,7 @@ int main(int argc, const char *argv[])
 	static const char *enctypes_string = NULL;
 	static const char *binddn = NULL;
 	static const char *bindpw = NULL;
+	static const char *ca_cert_file = NULL;
 	int quiet = 0;
 	int askpass = 0;
 	int permitted_enctypes = 0;
@@ -712,6 +717,8 @@ int main(int argc, const char *argv[])
   _("LDAP DN"), _("DN to bind as if not using kerberos") },
 	{ "bindpw", 'w', POPT_ARG_STRING, &bindpw, 0,
   _("LDAP password"), _("password to use if not using kerberos") },
+	{ "cacert", 'c', POPT_ARG_STRING, &ca_cert_file, 0,
+_("Path to the IPA CA certificate"), _("IPA CA certificate")},
 	{ "retrieve", 'r', POPT_ARG_NONE, &retrieve, 0,
   _("Retrieve current keys without changing them"), NULL },
 POPT_AUTOHELP
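Review bot: `--cacert` is given the short flag `-c`; only part of the option table is visible here, so check that `-c` is not already taken, and document the new option in `client/man/ipa-getkeytab.1`, which the diffstat shows is modified but whose hunk is not included in this digest.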
@@ -798,6 +805,10 @@ int main(int argc, const char *argv[])
 }

[Freeipa-devel] [freeipa PR#197][synchronized] Make setup.py files PyPI compatible

2016-11-01 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/197
Author: tiran
 Title: #197: Make setup.py files PyPI compatible
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/197/head:pr197
git checkout pr197
From 5f36daaf5e83cb67210116cdbb2e0bfe06c22313 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Mon, 31 Oct 2016 09:19:15 +0100
Subject: [PATCH] Make setup.py files PyPI compatible

- Use PEP 440 compatible version schema
- Use correct classifiers

Signed-off-by: Christian Heimes 
---
 ipasetup.py.in | 38 --
 1 file changed, 28 insertions(+), 10 deletions(-)

diff --git a/ipasetup.py.in b/ipasetup.py.in
index f291d22..0c6a914 100644
--- a/ipasetup.py.in
+++ b/ipasetup.py.in
@@ -1,5 +1,4 @@
-#!/usr/bin/python2
-# Copyright (C) 2014  Red Hat
+# Copyright (C) 2016  Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
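Review bot: the copyright line replaces `2014` with `2016` rather than extending it to `2014-2016`, which drops the original year; keep the range.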
@@ -18,9 +17,21 @@
 import os
 import sys
 
+VERSION = "__VERSION__"
+
+if 'GIT' in VERSION:
+# Convert FreeIPA version scheme to PEP 440 version schema. Dev versions
+# must be monotonic increasing numbers. Git hashes act as additional
+# qualifiers.
+# FreeIPA schema: 4.4.90.201610281620GITd0c17b4
+# PEP 440 schema: 4.4.90.dev201610281620+gitd0c17b4
+prefix, suffix = VERSION.rsplit('.', 1)
+date, githash = suffix.split('GIT')
+VERSION = "{}.dev{}+git{}".format(prefix, date, githash)
+
 common_args = dict(
-version="__VERSION__",
-license="GPL",
+version=VERSION,
+license="GPLv3+",
 author="FreeIPA Developers",
 author_email="freeipa-devel@redhat.com",
 maintainer="FreeIPA Developers",
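Review bot: `prefix, suffix = VERSION.rsplit('.', 1)` followed by `date, githash = suffix.split('GIT')` raises a bare ValueError for any version that contains `GIT` but does not have exactly the `X.Y.Z.<date>GIT<hash>` shape (no dot before the date, or more than one `GIT` token); match the expected format with a regex and fail with a message naming the offending version string. Also worth a comment in the code: a PEP 440 local version label such as `+gitd0c17b4` is accepted by pip and setuptools and sorts correctly, but PyPI rejects uploads carrying a local version, so under this scheme only tagged releases are publishable.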
@@ -30,14 +41,21 @@ common_args = dict(
 platforms=["Linux", "Solaris", "Unix"],
 classifiers=[
 "Development Status :: 5 - Production/Stable",
-("Topic :: System :: Systems Administration :: "
- "Authentication/Directory :: LDAP"),
-"Topic :: Internet :: Name Service (DNS)",
-"Intended Audience :: System Environment/Base",
-"License :: GPL",
-"Programming Language :: Python",
+"Intended Audience :: System Administrators",
+("License :: OSI Approved :: "
+ "GNU General Public License v3 or later (GPLv3+)"),
+"Programming Language :: C",
+"Programming Language :: Python :: 2",
+"Programming Language :: Python :: 2.7",
+"Programming Language :: Python :: 3",
+"Programming Language :: Python :: 3.5",
+"Programming Language :: Python :: Implementation :: CPython",
 "Operating System :: POSIX",
+"Operating System :: POSIX :: Linux",
 "Operating System :: Unix",
+"Topic :: Internet :: Name Service (DNS)",
+("Topic :: System :: Systems Administration :: "
+ "Authentication/Directory :: LDAP"),
 ],
 )
 

[Freeipa-devel] [freeipa PR#201][closed] spec file: bump minimal required version of 389-ds-base

2016-11-01 Thread jcholast
   URL: https://github.com/freeipa/freeipa/pull/201
Author: jcholast
 Title: #201: spec file: bump minimal required version of 389-ds-base
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/201/head:pr201
git checkout pr201

[Freeipa-devel] [freeipa PR#201][+pushed] spec file: bump minimal required version of 389-ds-base

2016-11-01 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/201
Title: #201: spec file: bump minimal required version of 389-ds-base

Label: +pushed

[Freeipa-devel] [freeipa PR#201][comment] spec file: bump minimal required version of 389-ds-base

2016-11-01 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/201
Title: #201: spec file: bump minimal required version of 389-ds-base

jcholast commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/f12abfb852dfb1a7759928b05defde68d5d7a3df
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/0e2818d9aa1f2b8750e83e5eb4d6f91cafae76e8
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/201#issuecomment-257536165

[Freeipa-devel] [freeipa PR#201][+ack] spec file: bump minimal required version of 389-ds-base

2016-11-01 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/201
Title: #201: spec file: bump minimal required version of 389-ds-base

Label: +ack

[Freeipa-devel] [freeipa PR#187][synchronized] Register entry points of Custodia plugins

2016-11-01 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/187
Author: tiran
 Title: #187: Register entry points of Custodia plugins
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/187/head:pr187
git checkout pr187
From 2968eeae15ecb9ccecc24e22711bce3aa385c21f Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Wed, 26 Oct 2016 11:14:06 +0200
Subject: [PATCH] Register entry points of Custodia plugins

With setuptools in place FreeIPA is able to register its Custodia
plugins. Custodia 0.1 ignores the plugins directives. Custodia 0.2 uses
the entry points to discover plugins.

Signed-off-by: Christian Heimes 
---
 ipapython/setup.py | 8 
 1 file changed, 8 insertions(+)

diff --git a/ipapython/setup.py b/ipapython/setup.py
index 47acdd6..28937eb 100755
--- a/ipapython/setup.py
+++ b/ipapython/setup.py
@@ -38,4 +38,12 @@
 "ipapython.secrets",
 "ipapython.install"
 ],
+entry_points={
+'custodia.authorizers': [
+'IPAKEMKeys = ipapython.secrets.kem:IPAKEMKeys',
+],
+'custodia.stores': [
+'iSecStore = ipapython.secrets.store:iSecStore',
+],
+},
 )
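Review bot: the entry-point targets `ipapython.secrets.kem:IPAKEMKeys` and `ipapython.secrets.store:iSecStore` are plain strings, so a later rename of either module or class would not be noticed until Custodia 0.2 fails to load the plugin at runtime; a small test that resolves both entry points (for example `pkg_resources.iter_entry_points('custodia.stores')` followed by `.load()`) would turn that into a build-time failure. The `entry_points=` keyword also requires setuptools rather than distutils, which the commit message says is now in place, so this hunk must not be backported without that change.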

[Freeipa-devel] [freeipa PR#201][comment] spec file: bump minimal required version of 389-ds-base

2016-11-01 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/201
Title: #201: spec file: bump minimal required version of 389-ds-base

stlaz commented:
"""
ACK
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/201#issuecomment-257535867

[Freeipa-devel] [freeipa PR#201][opened] spec file: bump minimal required version of 389-ds-base

2016-11-01 Thread jcholast
   URL: https://github.com/freeipa/freeipa/pull/201
Author: jcholast
 Title: #201: spec file: bump minimal required version of 389-ds-base
Action: opened

PR body:
"""
Require 389-ds-base >= 1.3.5.14 for:
https://fedorahosted.org/389/ticket/48992

https://fedorahosted.org/freeipa/ticket/6369
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/201/head:pr201
git checkout pr201
From 37977d0aad0a358021b5bd24215b593885518556 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Tue, 1 Nov 2016 11:36:30 +0100
Subject: [PATCH] spec file: bump minimal required version of 389-ds-base

Require 389-ds-base >= 1.3.5.14 for:
https://fedorahosted.org/389/ticket/48992

https://fedorahosted.org/freeipa/ticket/6369
---
 freeipa.spec.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index e5e1292..8a8e3a5 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -137,7 +137,7 @@ Requires: %{name}-server-common = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 Requires: python2-ipaserver = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.5.6
+Requires: 389-ds-base >= 1.3.5.14
 Requires: openldap-clients > 2.4.35-4
 Requires: nss >= 3.14.3-12.0
 Requires: nss-tools >= 3.14.3-12.0
@@ -169,7 +169,7 @@ Requires: zip
 Requires: policycoreutils >= 2.1.12-5
 Requires: tar
 Requires(pre): certmonger >= 0.78
-Requires(pre): 389-ds-base >= 1.3.5.6
+Requires(pre): 389-ds-base >= 1.3.5.14
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
 Requires: openssl
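Review bot: the minimum 389-ds-base version is now stated twice, as `Requires: 389-ds-base >= 1.3.5.14` under the server package and as `Requires(pre): 389-ds-base >= 1.3.5.14` here, so the next bump has to edit both lines again. A single `%global` macro holding the version, referenced from both places, would keep them from drifting apart.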

Re: [Freeipa-devel] [PATCH] 0221 fix trustdomain-del

2016-11-01 Thread Martin Babinsky

On 11/01/2016 09:42 AM, Alexander Bokovoy wrote:

On ti, 01 marras 2016, Martin Babinsky wrote:

On 10/31/2016 05:23 PM, Alexander Bokovoy wrote:

See description. This is a regression since FreeIPA 4.4.0.

Hi Alexander,

Please link upstream ticket[1] to the commit message, not BZ.

I have put on my Travis hat and found:

1.) pep8 error:

./ipaserver/plugins/trust.py:1623:25: E128 continuation line
under-indented for visual indent

I know that this is a piece of code that was only moved around but it
should conform to pep8 anyway.

2.) unused variable:

Pylint is running, please wait ...
* Module ipaserver.plugins.trust
ipaserver/plugins/trust.py:1619: [W0612(unused-variable),
trustdomain_del.execute] Unused variable 'entry')
Makefile:130: recipe for target 'pylint' failed
make: *** [pylint] Error 1

Also, if you just want to check if the domain exists, I think that you
can use `get_dn_if_exists` method of LDAPObject (you will get rid of
unused variable as a bonus):

diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
index 3540742..2cd4722 100644
--- a/ipaserver/plugins/trust.py
+++ b/ipaserver/plugins/trust.py
@@ -1615,8 +1615,7 @@ class trustdomain_del(LDAPDelete):

for domain in keys[1]:
try:
-dn = self.obj.get_dn(keys[0], domain, trust_type=u'ad')
-entry = ldap.get_entry(dn)
+self.obj.get_dn_if_exists(keys[0], domain,
trust_type=u'ad')
except errors.NotFound:
if keys[0].lower() == domain:
raise errors.ValidationError(name='domain'
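Review bot: the proposed `self.obj.get_dn_if_exists(keys[0], domain, trust_type=u'ad')` discards the DN it returns, which is fine because only the `errors.NotFound` path is used, but the wrapped continuation `trust_type=u'ad')` needs to be aligned under the opening parenthesis or the same E128 complaint from point 1 applies here as well. With `ldap.get_entry(dn)` gone, check whether `ldap` is still referenced elsewhere in `execute`; if not, pylint will flag it as unused next.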

[1] https://fedorahosted.org/freeipa/ticket/6445

Thanks, I've fixed these issues.

Updated patch is attached.



Thanks, ACK.

Pushed to master: e8b94ef352400f9045837ed69266686b6b117301

rebased and pushed to ipa-4-4: bd74150aa28f92b0980f5a803d3591a118628e8f

--
Martin^3 Babinsky



[Freeipa-devel] [freeipa PR#200][synchronized] Test: basic kerberos over http functionality

2016-11-01 Thread ofayans
   URL: https://github.com/freeipa/freeipa/pull/200
Author: ofayans
 Title: #200: Test: basic kerberos over http functionality
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/200/head:pr200
git checkout pr200
From 52bb5ea80fa17d13c6baf453578e1374ddb74a9e Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Tue, 1 Nov 2016 09:25:16 +0100
Subject: [PATCH 1/2] Test: basic kerberos over http functionality

https://fedorahosted.org/freeipa/ticket/6446
---
 ipatests/test_integration/test_http_kdc_proxy.py | 58 
 1 file changed, 58 insertions(+)
 create mode 100644 ipatests/test_integration/test_http_kdc_proxy.py

diff --git a/ipatests/test_integration/test_http_kdc_proxy.py b/ipatests/test_integration/test_http_kdc_proxy.py
new file mode 100644
index 000..fd4eb39
--- /dev/null
+++ b/ipatests/test_integration/test_http_kdc_proxy.py
@@ -0,0 +1,58 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+import six
+import time
+import ipaddress
+from ipatests.test_integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+from ipaplatform.paths import paths
+
+
+if six.PY3:
+unicode = str
+
+
+class TestHttpKdcProxy(IntegrationTest):
+topology = "line"
+num_clients = 1
+
+@classmethod
+def install(cls, mh):
+super(TestHttpKdcProxy, cls).install(mh)
+# client ip version check
+client_ip = ipaddress.ip_address(unicode(cls.clients[0].ip))
+if isinstance(client_ip, ipaddress.IPv4Address):
+util = 'iptables'
+else:
+util = 'ip6tables'
+# Block access from client to master's port 88
+cls.master.run_command([
+util, '-A', 'INPUT', '-s', cls.clients[0].ip,
+'-p', 'tcp', '--dport', '88', '-j', 'DROP'])
+cls.master.run_command([
+util, '-A', 'INPUT', '-s', cls.clients[0].ip,
+'-p', 'udp', '--dport', '88', '-j', 'DROP'])
+# configure client
+cls.clients[0].run_command(
+"sed -i 's/ kdc = .*$/ kdc = https:\/\/%s\/KdcProxy/' %s" % (
+cls.master.hostname, paths.KRB5_CONF)
+)
+cls.clients[0].run_command(
+"sed -i 's/master_kdc = .*$/master_kdc"
+" = https:\/\/%s\/KdcProxy/' %s" % (
+cls.master.hostname, paths.KRB5_CONF)
+)
+# Workaround for https://fedorahosted.org/freeipa/ticket/6443
+time.sleep(1200)
+# End of workaround
+
+@classmethod
+def uninstall(cls, mh):
+super(TestHttpKdcProxy, cls).uninstall(mh)
+cls.master.run_command(['iptables', '-F'])
+
+def test_http_kdc_proxy_works(self):
+result = tasks.kinit_admin(self.clients[0], raiseonerr=False)
+assert(result.returncode == 0), ("Unable to kinit using KdcProxy")
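Review bot: `uninstall` runs `['iptables', '-F']` unconditionally, while `install` chose between `iptables` and `ip6tables` from the client's address family, so for an IPv6 client the two DROP rules on port 88 are never removed; store the chosen `util` on `cls` and reuse it. `-F` also flushes every rule in the master's INPUT chain rather than only the two added here, so deleting exactly those rules with `-D` and the same match is safer on a shared test host. The assertion message `"Unable to kinit using KdcProxy"` should include the command's stderr, since surfacing that error is the stated reason for patch 2/2, and the `time.sleep(1200)` workaround for ticket 6443 adds twenty minutes to every run and deserves a TODO to drop it once that ticket is fixed.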

From 55bb64047079f080d33eb4168a5d2cd5fe974351 Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Tue, 1 Nov 2016 09:54:12 +0100
Subject: [PATCH 2/2] Test: made kinit_admin a returning function

In some cases we need to check the result of kinit and print out the error
message. Therefore we need it to return the result.
---
 ipatests/test_integration/tasks.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index df5e408..0d5e084 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -662,8 +662,8 @@ def disconnect_replica(master, replica, domain_level=None):
 
 
 def kinit_admin(host, raiseonerr=True):
-host.run_command(['kinit', 'admin'], raiseonerr=raiseonerr,
- stdin_text=host.config.admin_password)
+return host.run_command(['kinit', 'admin'], raiseonerr=raiseonerr,
+stdin_text=host.config.admin_password)
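Review bot: returning the `run_command` result is backward compatible because existing callers ignore it, but `kinit_admin` has no docstring stating that with `raiseonerr=False` the caller is now expected to inspect `returncode`; add one so the new contract is visible. Prepending `return ` shifts the first line by seven columns, so the continuation `stdin_text=host.config.admin_password` must be re-aligned under the opening parenthesis or pep8 E128 will flag it.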
 
 
 def uninstall_master(host, ignore_topology_disconnect=True,

[Freeipa-devel] [freeipa PR#200][synchronized] Test: basic kerberos over http functionality

2016-11-01 Thread ofayans
   URL: https://github.com/freeipa/freeipa/pull/200
Author: ofayans
 Title: #200: Test: basic kerberos over http functionality
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/200/head:pr200
git checkout pr200
From 00f3dcd33510e9c05ada63bf9b543e326ec1a274 Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Tue, 1 Nov 2016 09:25:16 +0100
Subject: [PATCH 1/2] Test: basic kerberos over http functionality

https://fedorahosted.org/freeipa/ticket/6446
---
 ipatests/test_integration/test_http_kdc_proxy.py | 53 
 1 file changed, 53 insertions(+)
 create mode 100644 ipatests/test_integration/test_http_kdc_proxy.py

diff --git a/ipatests/test_integration/test_http_kdc_proxy.py b/ipatests/test_integration/test_http_kdc_proxy.py
new file mode 100644
index 000..bc1b800
--- /dev/null
+++ b/ipatests/test_integration/test_http_kdc_proxy.py
@@ -0,0 +1,53 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+import time
+import ipaddress
+from ipatests.test_integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+from ipaplatform.paths import paths
+
+
+class TestHttpKdcProxy(IntegrationTest):
+topology = "line"
+num_clients = 1
+
+@classmethod
+def install(cls, mh):
+super(TestHttpKdcProxy, cls).install(mh)
+# client ip version check
+client_ip = ipaddress.ip_address(unicode(cls.clients[0].ip))
+if isinstance(client_ip, ipaddress.IPv4Address):
+util = 'iptables'
+else:
+util = 'ip6tables'
+# Block access from client to master's port 88
+cls.master.run_command([
+util, '-A', 'INPUT', '-s', cls.clients[0].ip,
+'-p', 'tcp', '--dport', '88', '-j', 'DROP'])
+cls.master.run_command([
+util, '-A', 'INPUT', '-s', cls.clients[0].ip,
+'-p', 'udp', '--dport', '88', '-j', 'DROP'])
+# configure client
+cls.clients[0].run_command(
+"sed -i 's/ kdc = .*$/ kdc = https:\/\/%s\/KdcProxy/' %s" % (
+cls.master.hostname, paths.KRB5_CONF)
+)
+cls.clients[0].run_command(
+"sed -i 's/master_kdc = .*$/master_kdc"
+" = https:\/\/%s\/KdcProxy/' %s" % (
+cls.master.hostname, paths.KRB5_CONF)
+)
+# Workaround for https://fedorahosted.org/freeipa/ticket/6443
+time.sleep(1200)
+# End of workaround
+
+@classmethod
+def uninstall(cls, mh):
+super(TestHttpKdcProxy, cls).uninstall(mh)
+cls.master.run_command(['iptables', '-F'])
+
+def test_http_kdc_proxy_works(self):
+result = tasks.kinit_admin(self.clients[0], raiseonerr=False)
+assert(result.returncode == 0), ("Unable to kinit using KdcProxy")
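Review bot: this revision drops `import six` and the `unicode = str` shim but still calls `unicode(cls.clients[0].ip)` in `install`, which raises NameError under Python 3; either restore the shim or use `six.text_type`, since `ipaddress.ip_address` needs a text string and plain `str` would be bytes on Python 2. The earlier points still apply here: `uninstall` flushes `iptables` regardless of whether `ip6tables` was used, `-F` drops every INPUT rule on the master, and the assertion message omits the kinit error output.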

From 33ede80b5d83bddb0d27973b898e553be208db9c Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Tue, 1 Nov 2016 09:54:12 +0100
Subject: [PATCH 2/2] Test: made kinit_admin a returning function

In some cases we need to check the result of kinit and print out the error
message. Therefore we need it to return the result.
---
 ipatests/test_integration/tasks.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index df5e408..0d5e084 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -662,8 +662,8 @@ def disconnect_replica(master, replica, domain_level=None):
 
 
 def kinit_admin(host, raiseonerr=True):
-host.run_command(['kinit', 'admin'], raiseonerr=raiseonerr,
- stdin_text=host.config.admin_password)
+return host.run_command(['kinit', 'admin'], raiseonerr=raiseonerr,
+stdin_text=host.config.admin_password)
 
 
 def uninstall_master(host, ignore_topology_disconnect=True,

Re: [Freeipa-devel] [PATCH] 0221 fix trustdomain-del

2016-11-01 Thread Alexander Bokovoy

On ti, 01 marras 2016, Martin Babinsky wrote:

On 10/31/2016 05:23 PM, Alexander Bokovoy wrote:

See description. This is a regression since FreeIPA 4.4.0.

Hi Alexander,

Please link upstream ticket[1] to the commit message, not BZ.

I have put on my Travis hat and found:

1.) pep8 error:

./ipaserver/plugins/trust.py:1623:25: E128 continuation line 
under-indented for visual indent


I know that this is a piece of code that was only moved around but it 
should conform to pep8 anyway.


2.) unused variable:

Pylint is running, please wait ...
* Module ipaserver.plugins.trust
ipaserver/plugins/trust.py:1619: [W0612(unused-variable), 
trustdomain_del.execute] Unused variable 'entry')

Makefile:130: recipe for target 'pylint' failed
make: *** [pylint] Error 1

Also, if you just want to check if the domain exists, I think that you 
can use `get_dn_if_exists` method of LDAPObject (you will get rid of 
unused variable as a bonus):


diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
index 3540742..2cd4722 100644
--- a/ipaserver/plugins/trust.py
+++ b/ipaserver/plugins/trust.py
@@ -1615,8 +1615,7 @@ class trustdomain_del(LDAPDelete):

for domain in keys[1]:
try:
-dn = self.obj.get_dn(keys[0], domain, trust_type=u'ad')
-entry = ldap.get_entry(dn)
+self.obj.get_dn_if_exists(keys[0], domain, 
trust_type=u'ad')

except errors.NotFound:
if keys[0].lower() == domain:
raise errors.ValidationError(name='domain'

[1] https://fedorahosted.org/freeipa/ticket/6445

Thanks, I've fixed these issues.

Updated patch is attached.

--
/ Alexander Bokovoy
From 2b7cb26a5e95ee6f780b3484ca673fdb5e8bd67e Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Mon, 31 Oct 2016 18:17:35 +0200
Subject: [PATCH 2/2] trustdomain-del: fix the way how subdomain is searched

With FreeIPA 4.4 we moved child domains behind the 'trustdomain' topic.
Update 'ipa trustdomain-del' command to properly calculate DN to the
actual child domain and handle the case when it is missing correctly.

Fixes https://fedorahosted.org/freeipa/ticket/6445
---
 ipaserver/plugins/trust.py | 15 +--
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
index c0c080d..c84b1aa 100644
--- a/ipaserver/plugins/trust.py
+++ b/ipaserver/plugins/trust.py
@@ -1614,13 +1614,16 @@ class trustdomain_del(LDAPDelete):
 # to always receive empty keys. We need to catch the case when root 
domain is being deleted
 
 for domain in keys[1]:
-# Fetch the trust to verify that the entered domain is trusted
-self.api.Command.trust_show(domain)
+try:
+self.obj.get_dn_if_exists(keys[0], domain, trust_type=u'ad')
+except errors.NotFound:
+if keys[0].lower() == domain:
+raise errors.ValidationError(
+name='domain',
+error=_("cannot delete root domain of the trust, "
+"use trust-del to delete the trust itself"))
+self.obj.handle_not_found(keys[0], domain)
 
-if keys[0].lower() == domain:
-raise errors.ValidationError(name='domain',
-error=_("cannot delete root domain of the trust, "
-"use trust-del to delete the trust itself"))
 try:
 self.api.Command.trustdomain_enable(keys[0], domain)
 except errors.AlreadyActive:
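Review bot: the root-domain guard compares `keys[0].lower() == domain` but leaves `domain` as typed, so passing the root domain in a different letter case than the trust name skips the ValidationError and falls through to `self.obj.handle_not_found(keys[0], domain)`, reporting a missing child domain for what is really the root; lower-case both sides. Replacing the `trust_show(domain)` call with `get_dn_if_exists(keys[0], domain, trust_type=u'ad')` also means a mistyped trust name and a missing child domain now end in the same `handle_not_found` error, which is acceptable but drops the explicit check that the trust exists; the commit message should say so.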
-- 
2.9.3


[Freeipa-devel] [freeipa PR#200][opened] Test: basic kerberos over http functionality

2016-11-01 Thread ofayans
   URL: https://github.com/freeipa/freeipa/pull/200
Author: ofayans
 Title: #200: Test: basic kerberos over http functionality
Action: opened

PR body:
"""
https://fedorahosted.org/freeipa/ticket/6446
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/200/head:pr200
git checkout pr200
From 00f3dcd33510e9c05ada63bf9b543e326ec1a274 Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Tue, 1 Nov 2016 09:25:16 +0100
Subject: [PATCH] Test: basic kerberos over http functionality

https://fedorahosted.org/freeipa/ticket/6446
---
 ipatests/test_integration/test_http_kdc_proxy.py | 53 
 1 file changed, 53 insertions(+)
 create mode 100644 ipatests/test_integration/test_http_kdc_proxy.py

diff --git a/ipatests/test_integration/test_http_kdc_proxy.py b/ipatests/test_integration/test_http_kdc_proxy.py
new file mode 100644
index 000..bc1b800
--- /dev/null
+++ b/ipatests/test_integration/test_http_kdc_proxy.py
@@ -0,0 +1,53 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+import time
+import ipaddress
+from ipatests.test_integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+from ipaplatform.paths import paths
+
+
+class TestHttpKdcProxy(IntegrationTest):
+topology = "line"
+num_clients = 1
+
+@classmethod
+def install(cls, mh):
+super(TestHttpKdcProxy, cls).install(mh)
+# client ip version check
+client_ip = ipaddress.ip_address(unicode(cls.clients[0].ip))
+if isinstance(client_ip, ipaddress.IPv4Address):
+util = 'iptables'
+else:
+util = 'ip6tables'
+# Block access from client to master's port 88
+cls.master.run_command([
+util, '-A', 'INPUT', '-s', cls.clients[0].ip,
+'-p', 'tcp', '--dport', '88', '-j', 'DROP'])
+cls.master.run_command([
+util, '-A', 'INPUT', '-s', cls.clients[0].ip,
+'-p', 'udp', '--dport', '88', '-j', 'DROP'])
+# configure client
+cls.clients[0].run_command(
+"sed -i 's/ kdc = .*$/ kdc = https:\/\/%s\/KdcProxy/' %s" % (
+cls.master.hostname, paths.KRB5_CONF)
+)
+cls.clients[0].run_command(
+"sed -i 's/master_kdc = .*$/master_kdc"
+" = https:\/\/%s\/KdcProxy/' %s" % (
+cls.master.hostname, paths.KRB5_CONF)
+)
+# Workaround for https://fedorahosted.org/freeipa/ticket/6443
+time.sleep(1200)
+# End of workaround
+
+@classmethod
+def uninstall(cls, mh):
+super(TestHttpKdcProxy, cls).uninstall(mh)
+cls.master.run_command(['iptables', '-F'])
+
+def test_http_kdc_proxy_works(self):
+result = tasks.kinit_admin(self.clients[0], raiseonerr=False)
+assert(result.returncode == 0), ("Unable to kinit using KdcProxy")
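Review bot: `install` rewrites the `kdc =` and `master_kdc =` lines in the client's krb5.conf with `sed -i`, but `uninstall` only flushes the master's iptables rules and never restores the file, so the client keeps pointing at `https://<master>/KdcProxy` for any test that runs after this one; back the file up before the edit and restore it in `uninstall`. The sed expressions are built from non-raw Python strings containing `\/`, which is an invalid escape sequence that Python keeps literally today but warns about in newer releases; raw strings (`r"..."`) avoid that. `unicode` is also undefined on Python 3 in this file without the six shim.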

Re: [Freeipa-devel] [PATCH] 0221 fix trustdomain-del

2016-11-01 Thread Martin Babinsky

On 10/31/2016 05:23 PM, Alexander Bokovoy wrote:

See description. This is a regression since FreeIPA 4.4.0.

Hi Alexander,

Please link upstream ticket[1] to the commit message, not BZ.

I have put on my Travis hat and found:

1.) pep8 error:

./ipaserver/plugins/trust.py:1623:25: E128 continuation line 
under-indented for visual indent


I know that this is a piece of code that was only moved around but it 
should conform to pep8 anyway.


2.) unused variable:

Pylint is running, please wait ...
* Module ipaserver.plugins.trust
ipaserver/plugins/trust.py:1619: [W0612(unused-variable), 
trustdomain_del.execute] Unused variable 'entry')

Makefile:130: recipe for target 'pylint' failed
make: *** [pylint] Error 1

Also, if you just want to check if the domain exists, I think that you 
can use `get_dn_if_exists` method of LDAPObject (you will get rid of 
unused variable as a bonus):


diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
index 3540742..2cd4722 100644
--- a/ipaserver/plugins/trust.py
+++ b/ipaserver/plugins/trust.py
@@ -1615,8 +1615,7 @@ class trustdomain_del(LDAPDelete):

 for domain in keys[1]:
 try:
-dn = self.obj.get_dn(keys[0], domain, trust_type=u'ad')
-entry = ldap.get_entry(dn)
+self.obj.get_dn_if_exists(keys[0], domain, 
trust_type=u'ad')

 except errors.NotFound:
 if keys[0].lower() == domain:
 raise errors.ValidationError(name='domain'

[1] https://fedorahosted.org/freeipa/ticket/6445

--
Martin^3 Babinsky



[Freeipa-devel] [freeipa PR#199][comment] [ipa-4-4] Fix missing file that fails DL1 replica installation

2016-11-01 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/199
Title: #199: [ipa-4-4] Fix missing file that fails DL1 replica installation

jcholast commented:
"""
Fixed upstream
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/19a32da65f792bc8f054c14edfcf704876e0257e
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/199#issuecomment-257505602

[Freeipa-devel] [freeipa PR#199][closed] [ipa-4-4] Fix missing file that fails DL1 replica installation

2016-11-01 Thread jcholast
   URL: https://github.com/freeipa/freeipa/pull/199
Author: stlaz
 Title: #199: [ipa-4-4] Fix missing file that fails DL1 replica installation
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/199/head:pr199
git checkout pr199

[Freeipa-devel] [freeipa PR#199][+pushed] [ipa-4-4] Fix missing file that fails DL1 replica installation

2016-11-01 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/199
Title: #199: [ipa-4-4] Fix missing file that fails DL1 replica installation

Label: +pushed

[Freeipa-devel] [freeipa PR#199][+ack] [ipa-4-4] Fix missing file that fails DL1 replica installation

2016-11-01 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/199
Title: #199: [ipa-4-4] Fix missing file that fails DL1 replica installation

Label: +ack

[Freeipa-devel] [freeipa PR#199][opened] [ipa-4-4] Fix missing file that fails DL1 replica installation

2016-11-01 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/199
Author: stlaz
 Title: #199: [ipa-4-4] Fix missing file that fails DL1 replica installation
Action: opened

PR body:
"""
Replica installation on DL1 would fail to create a httpd instance
due to missing '/etc/httpd/alias/cacert.asc'. Create this file
in the setup_ssl step to avoid the error.

https://fedorahosted.org/freeipa/ticket/6393
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/199/head:pr199
git checkout pr199
From 35a53216b5230c8fab5ede0932f840ac5d884ef1 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Mon, 31 Oct 2016 16:51:49 +0100
Subject: [PATCH] Fix missing file that fails DL1 replica installation

Replica installation on DL1 would fail to create a httpd instance
due to missing '/etc/httpd/alias/cacert.asc'. Create this file
in the setup_ssl step to avoid the error.

https://fedorahosted.org/freeipa/ticket/6393
---
 ipaserver/install/httpinstance.py | 25 +
 1 file changed, 17 insertions(+), 8 deletions(-)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 7914f4c..726d5a4 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -345,14 +345,23 @@ def __setup_ssl(self):
 self.__set_mod_nss_nickname(nickname)
 self.add_cert_to_service()
 
-elif not self.promote:
-db.create_password_conf()
-self.dercert = db.create_server_cert(self.cert_nickname, self.fqdn,
- ca_db)
-db.track_server_cert(self.cert_nickname, self.principal,
- db.passwd_fname, 'restart_httpd')
-db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)
-self.add_cert_to_service()
+else:
+if not self.promote:
+db.create_password_conf()
+self.dercert = db.create_server_cert(self.cert_nickname, self.fqdn,
+ ca_db)
+db.track_server_cert(self.cert_nickname, self.principal,
+ db.passwd_fname, 'restart_httpd')
+db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)
+self.add_cert_to_service()
+
+server_certs = db.find_server_certs()
+if not server_certs:
+raise RuntimeError("Could not find a suitable server cert.")
+
+# We only handle one server cert
+nickname = server_certs[0][0]
+db.export_ca_cert(nickname)
 
 # Fix the database permissions
 os.chmod(certs.NSS_DIR + "/cert8.db", 0o660)
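Review bot: `server_certs = db.find_server_certs()` followed by `nickname = server_certs[0][0]` silently takes the first match when more than one server certificate is present (the comment admits only one is handled); logging the chosen nickname, or raising when `len(server_certs) > 1`, would make a wrong pick diagnosable, and `RuntimeError("Could not find a suitable server cert.")` should name the NSS database that was searched. The `create_server_cert` and `create_signing_cert` calls gained one indentation level when they moved under `else:`; confirm they still pass the pep8 line-length check. A one-line comment that `db.export_ca_cert(nickname)` is what produces the `/etc/httpd/alias/cacert.asc` file named in the commit message would help the next reader connect the fix to the ticket.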