[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA

2016-12-08 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

mbasti-rh commented:
"""
@tiran  IMO you need to check `length > uppercase + lowercase + num + special`, 
otherwise infinite loop
but generally LGTM
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/317#issuecomment-265954172
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [freeipa PR#314][edited] RFC: privilege separation for ipa framework code

2016-12-08 Thread Martin Basti



On 08.12.2016 22:47, Simo Sorce wrote:

On Thu, 2016-12-08 at 21:46 +0100, simo5 wrote:

URL: https://github.com/freeipa/freeipa/pull/314
Author: simo5
  Title: #314: RFC: privilege separation for ipa framework code
Action: edited

  Changed field: body
Original value:
"""
As part of the External Authentication work this PR implements the privilege 
separation portion of the design available here: 
https://www.freeipa.org/page/V4/External_Authentication and implements tickets: 
https://fedorahosted.org/freeipa/ticket/5959 and 
https://fedorahosted.org/freeipa/ticket/4189

The update process from an old server has not been implemented yet, so this is 
just an RFC request at this stage. Please look at the code and let me know if 
you notice any major issue with it so we can correct mistakes early.

This PR depends on improvements and fixes to two dependencies: mod_auth_gssapi 
and gssproxy, which are not released/accepted upstream yet (all PRs filed, and 
will be available soon).
In order to allow trying the code, I made two copr repos with the necessary 
changes available here:
- https://copr.fedorainfracloud.org/coprs/simo/mod_auth_gssapi/
- https://copr.fedorainfracloud.org/coprs/simo/gssproxy/

I tested a new install and both gssapi as well as password authentication work 
(via command line and web browser). I have not tested OTP authentication yet.

There are 2 fundamental changes in this code:
- the session handling code has been dropped in favor of deferring session 
handling to mod_auth_gssapi, simplifying the code greatly. As part of this 
change we stop using memcached.
- the framework configuration is changed to work as a different user from the 
Apache framework and depends on gssproxy in order to be able to access 
necessary credentials. (Apache itself is also using gssproxy and does not have 
direct access to the HTTP keytab.)
   This required two changes in the form-based authentication workflow:
   * The armor cache is obtained via anonymous pkinit as we do not have access 
anymore to the HTTP keytab. This means this PR depends on #62 (until it is 
accepted commits from that PR are in this PR)
   * The actual authentication is done via a loopback HTTP request to apache 
after we obtain a TGT, this is done in order to obtain a session cookie from 
mod_auth_gssapi as well as to be able to immediately discard the TGT and just 
keep the HTTP ticket instead.

@jcholast @pvoborni Please provide comments on the framework changes.
@rcritten @abbra do you have ideas on how to deal with dropping a service 
(memcached) on upgrade ?
"""


There seems to be a bug in the mailing list posting script when someone
edits a PR description, I see the original text here but not the new
text!

Simo.


It is expected,

 Changed field: body
Original value:

I just haven't had time to implement sending the new values (because of the 
format of GitHub messages it is not so simple). I may try to finish the GitHub 
notification RFEs today

Martin




[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install

2016-12-08 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/62
Author: simo5
 Title: #62: Configure Anonymous PKINIT on server install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
From ab5bf9168c5d76f69527429092a31f676d4b3e23 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 26 Jul 2016 11:19:01 -0400
Subject: [PATCH] Configure Anonymous PKINIT on server install

Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce 
---
 install/share/kdc.conf.template  |   2 +-
 install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++
 install/share/profiles/Makefile.am   |   1 +
 ipaclient/install/client.py  |   2 +-
 ipalib/install/certmonger.py |  43 +++
 ipaplatform/base/paths.py|   3 +-
 ipapython/dogtag.py  |   4 +
 ipaserver/install/cainstance.py  |   2 +-
 ipaserver/install/certs.py   |  10 ++-
 ipaserver/install/dsinstance.py  |   2 +-
 ipaserver/install/httpinstance.py|   2 +-
 ipaserver/install/krbinstance.py |  63 
 ipaserver/install/server/__init__.py |   4 +-
 ipaserver/install/server/install.py  |  21 +++---
 ipaserver/install/server/replicainstall.py   |   4 +-
 ipaserver/install/server/upgrade.py  |  36 +
 ipaserver/plugins/cert.py|  86 -
 ipaserver/plugins/dogtag.py  |   2 +
 18 files changed, 327 insertions(+), 69 deletions(-)
 create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg

diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 296b75b..ec53a1f 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
   dict_file = $DICT_WORDS
   default_principal_flags = +preauth
 ;  admin_keytab = $KRB5KDC_KADM5_KEYTAB
-  pkinit_identity = FILE:$KDC_PEM
+  pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
   pkinit_anchors = FILE:$CACERT_PEM
  }
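Review bot: the switch from `FILE:$KDC_PEM` to `FILE:$KDC_CERT,$KDC_KEY` moves the KDC's PKINIT private key into its own file, so the code in krbinstance.py that writes `$KDC_KEY` (in the diffstat, not in this excerpt) must create that file with a restrictive mode owned by the KDC user before any key material is written, because whoever can read it can impersonate the KDC to every PKINIT client. Please also make sure the upgrade path in upgrade.py rewrites an existing kdc.conf that still carries the old `pkinit_identity = FILE:$KDC_PEM` line, otherwise upgraded servers keep pointing at a file the installer no longer maintains; a short template comment saying what `$KDC_CERT` and `$KDC_KEY` expand to would make the configuration easier to audit.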
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
new file mode 100644
index 000..c5e412b
--- /dev/null
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -0,0 +1,109 @@
+profileId=KDCs_PKINIT_Certs
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
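Review bot: the `desc` and `name` strings are carried over from the service-certificate profile ("enrolling server certificates with IPA-RA agent authentication", "IPA-RA Agent-Authenticated Server Certificate Enrollment") and do not describe a profile whose `profileId` is `KDCs_PKINIT_Certs`; reword them to say the profile issues KDC PKINIT certificates, since those strings are what administrators see when listing profiles. Of the eleven entries in `policyset.serverCertSet.list` only 1 to 4 and the start of 5 are visible in this excerpt (subject name, validity, RSA key size, AKI), so please confirm that the remaining policies add the id-pkinit-KDC extended key usage (1.3.6.1.5.2.3.5) and an id-pkinit-san otherName carrying the realm's krbtgt principal: RFC 4556 clients check both before trusting a KDC certificate, and without them the `pkinit_identity` configured above will be rejected on the client side of anonymous PKINIT. The `CN=[^,]+,.+` subject pattern with `$SUBJECT_DN_O` and the 2048/3072/4096 RSA key constraint mirror the existing service profile and look fine.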

Re: [Freeipa-devel] [freeipa PR#314][edited] RFC: privilege separation for ipa framework code

2016-12-08 Thread Simo Sorce
On Thu, 2016-12-08 at 21:46 +0100, simo5 wrote:
>URL: https://github.com/freeipa/freeipa/pull/314
> Author: simo5
>  Title: #314: RFC: privilege separation for ipa framework code
> Action: edited
> 
>  Changed field: body
> Original value:
> """
> As part of the External Authentication work this PR implements the privilege 
> separation portion of the design available here: 
> https://www.freeipa.org/page/V4/External_Authentication and implements 
> tickets: https://fedorahosted.org/freeipa/ticket/5959 and 
> https://fedorahosted.org/freeipa/ticket/4189
> 
> The update process from an old server has not been implemented yet, so this 
> is just an RFC request at this stage. Please look at the code and let me know 
> if you notice any major issue with it so we can correct mistakes early.
> 
> This PR depends on improvements and fixes to two dependencies: 
> mod_auth_gssapi and gssproxy, which are not released/accepted upstream yet 
> (all PRs filed, and will be available soon).
> In order to allow trying the code, I made two copr repos with the necessary 
> changes available here:
> - https://copr.fedorainfracloud.org/coprs/simo/mod_auth_gssapi/
> - https://copr.fedorainfracloud.org/coprs/simo/gssproxy/
> 
> I tested a new install and both gssapi as well as password authentication 
> work (via command line and web browser). I have not tested OTP authentication 
> yet.
> 
> There are 2 fundamental changes in this code:
> - the session handling code has been dropped in favor of deferring session 
> handling to mod_auth_gssapi, simplifying the code greatly. As part of this 
> change we stop using memcached.
> - the framework configuration is changed to work as a different user from the 
> Apache framework and depends on gssproxy in order to be able to access 
> necessary credentials. (Apache itself is also using gssproxy and does not 
> have direct access to the HTTP keytab.)
>   This required two changes in the form-based authentication workflow:
>   * The armor cache is obtained via anonymous pkinit as we do not have access 
> anymore to the HTTP keytab. This means this PR depends on #62 (until it is 
> accepted commits from that PR are in this PR)
>   * The actual authentication is done via a loopback HTTP request to apache 
> after we obtain a TGT, this is done in order to obtain a session cookie from 
> mod_auth_gssapi as well as to be able to immediately discard the TGT and just 
> keep the HTTP ticket instead.
> 
> @jcholast @pvoborni Please provide comments on the framework changes.
> @rcritten @abbra do you have ideas on how to deal with dropping a service 
> (memcached) on upgrade ?
> """
> 

There seems to be a bug in the mailing list posting script when someone
edits a PR description, I see the original text here but not the new
text!

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



[Freeipa-devel] [freeipa PR#314][edited] RFC: privilege separation for ipa framework code

2016-12-08 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/314
Author: simo5
 Title: #314: RFC: privilege separation for ipa framework code
Action: edited

 Changed field: body
Original value:
"""
As part of the External Authentication work this PR implements the privilege 
separation portion of the design available here: 
https://www.freeipa.org/page/V4/External_Authentication and implements tickets: 
https://fedorahosted.org/freeipa/ticket/5959 and 
https://fedorahosted.org/freeipa/ticket/4189

The update process from an old server has not been implemented yet, so this is 
just an RFC request at this stage. Please look at the code and let me know if 
you notice any major issue with it so we can correct mistakes early.

This PR depends on improvements and fixes to two dependencies: mod_auth_gssapi 
and gssproxy, which are not released/accepted upstream yet (all PRs filed, and 
will be available soon).
In order to allow trying the code, I made two copr repos with the necessary 
changes available here:
- https://copr.fedorainfracloud.org/coprs/simo/mod_auth_gssapi/
- https://copr.fedorainfracloud.org/coprs/simo/gssproxy/

I tested a new install and both gssapi as well as password authentication work 
(via command line and web browser). I have not tested OTP authentication yet.

There are 2 fundamental changes in this code:
- the session handling code has been dropped in favor of deferring session 
handling to mod_auth_gssapi, simplifying the code greatly. As part of this 
change we stop using memcached.
- the framework configuration is changed to work as a different user from the 
Apache framework and depends on gssproxy in order to be able to access 
necessary credentials. (Apache itself is also using gssproxy and does not have 
direct access to the HTTP keytab.)
  This required two changes in the form-based authentication workflow:
  * The armor cache is obtained via anonymous pkinit as we do not have access 
anymore to the HTTP keytab. This means this PR depends on #62 (until it is 
accepted commits from that PR are in this PR)
  * The actual authentication is done via a loopback HTTP request to apache 
after we obtain a TGT, this is done in order to obtain a session cookie from 
mod_auth_gssapi as well as to be able to immediately discard the TGT and just 
keep the HTTP ticket instead.

@jcholast @pvoborni Please provide comments on the framework changes.
@rcritten @abbra do you have ideas on how to deal with dropping a service 
(memcached) on upgrade ?
"""


[Freeipa-devel] [freeipa PR#320][comment] add missing attribute to ipaca replica during CA topology update

2016-12-08 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/320
Title: #320: add missing attribute to ipaca replica during CA topology update

mbasti-rh commented:
"""
IMO #322 might be related; @martbab can you please check it?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/320#issuecomment-265823807

[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install

2016-12-08 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/62
Author: simo5
 Title: #62: Configure Anonymous PKINIT on server install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
From 13caff83b412cbc68073908f7a35214b9789f5e7 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 26 Jul 2016 11:19:01 -0400
Subject: [PATCH] Configure Anonymous PKINIT on server install

Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce 
---
 install/share/kdc.conf.template  |   2 +-
 install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++
 install/share/profiles/Makefile.am   |   1 +
 ipaclient/install/client.py  |   2 +-
 ipalib/install/certmonger.py |  43 +++
 ipaplatform/base/paths.py|   3 +-
 ipapython/dogtag.py  |   4 +
 ipaserver/install/cainstance.py  |   2 +-
 ipaserver/install/certs.py   |  10 ++-
 ipaserver/install/dsinstance.py  |   2 +-
 ipaserver/install/httpinstance.py|   2 +-
 ipaserver/install/krbinstance.py |  53 +
 ipaserver/install/server/__init__.py |   4 +-
 ipaserver/install/server/install.py  |  21 +++---
 ipaserver/install/server/replicainstall.py   |   4 +-
 ipaserver/install/server/upgrade.py  |  20 +
 ipaserver/plugins/cert.py|  81 +++-
 ipaserver/plugins/dogtag.py  |   2 +
 18 files changed, 296 insertions(+), 69 deletions(-)
 create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg

diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 296b75b..ec53a1f 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
   dict_file = $DICT_WORDS
   default_principal_flags = +preauth
 ;  admin_keytab = $KRB5KDC_KADM5_KEYTAB
-  pkinit_identity = FILE:$KDC_PEM
+  pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
   pkinit_anchors = FILE:$CACERT_PEM
  }
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
new file mode 100644
index 000..c5e412b
--- /dev/null
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -0,0 +1,109 @@
+profileId=KDCs_PKINIT_Certs
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl

[Freeipa-devel] [freeipa PR#322][opened] masters DS<1.3.3 do not support bind group

2016-12-08 Thread tbordaz
   URL: https://github.com/freeipa/freeipa/pull/322
Author: tbordaz
 Title: #322: masters DS<1.3.3 do not support bind group
Action: opened

PR body:
"""
Check the instance version before setting nsds5replicabinddngroup and
nsds5replicabinddngroupcheckinterval

https://fedorahosted.org/freeipa/ticket/6532
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/322/head:pr322
git checkout pr322
From f7f759a86cf33a1fe5a04f5bc209a934cacc7cea Mon Sep 17 00:00:00 2001
From: Thierry Bordaz 
Date: Thu, 8 Dec 2016 18:21:03 +0100
Subject: [PATCH] masters DS<1.3.3 do not support bind group

Check the instance version before setting nsds5replicabinddngroup and
nsds5replicabinddngroupcheckinterval

https://fedorahosted.org/freeipa/ticket/6532
---
 ipaserver/install/replication.py | 44 
 1 file changed, 36 insertions(+), 8 deletions(-)

diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index ddae08e..2221b5e 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -24,6 +24,7 @@
 import datetime
 import sys
 import os
+import re
 from random import randint
 
 import ldap
@@ -441,6 +442,32 @@ def replica_config(self, conn, replica_id, replica_binddn):
 dn = self.replica_dn()
 assert isinstance(dn, DN)
 
+support_binddngroup = False
+try:
+# check that the replica version is > 1.3.3 to support bind group
+entry = conn.get_entry(DN(""), attrs_list=['vendorVersion'])
+vendor_version = entry.get('vendorVersion')[0]
+if vendor_version:
+replica_version = re.search('389-Directory/(.+?) .*', vendor_version)
+root_logger.info("Replica version: %s" % replica_version.group(1))
+version_num = [int(s) for s in replica_version.group(1).split('.') if s.isdigit()]
+if version_num[0] > 1:
+support_binddngroup = True
+elif version_num[0] == 1:
+# version 1.x
+if version_num[1] > 3:
+support_binddngroup = True
+elif version_num[1] == 3:
+# version 1.3.x
+if version_num[2] >= 3:
+support_binddngroup = True
+except Exception as e:
+root_logger.info("Unable to check replica version: %s" % str(e))
+raise
+root_logger.info("Bind DN group support: %s" % support_binddngroup)
+
+
+
 try:
 entry = conn.get_entry(dn)
 managers = {DN(m) for m in entry.get('nsDS5ReplicaBindDN', [])}
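Review bot: the version ladder on `version_num[0]`, `[1]` and `[2]` raises IndexError when vendorVersion has fewer than three numeric components, and `replica_version.group(1)` raises AttributeError when `re.search` finds no `389-Directory/` prefix; both land in the `except`, which logs at info level and then re-raises, so any master with an unexpected version string aborts replica configuration. Replace the ladder with a tuple comparison, `tuple(version_num) >= (1, 3, 3)`, which also orders short versions correctly ((1, 3) sorts below (1, 3, 3)), and make the failure mode explicit: either fail closed with `support_binddngroup = False` plus a warning, or raise a dedicated error instead of `root_logger.info(...)` followed by a bare `raise`. Two smaller points: the `.isdigit()` filter silently drops components such as `10rc1`, which shifts the remaining indexes, and the three blank lines before the following `try:` should be trimmed.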
@@ -453,15 +480,16 @@ def replica_config(self, conn, replica_id, replica_binddn):
 mod.append((ldap.MOD_ADD, 'nsDS5ReplicaBindDN',
 replica_binddn))
 
-if self.repl_man_group_dn not in binddn_groups:
-mod.append((ldap.MOD_ADD, 'nsds5replicabinddngroup',
-self.repl_man_group_dn))
+if support_binddngroup:
+if self.repl_man_group_dn not in binddn_groups:
+mod.append((ldap.MOD_ADD, 'nsds5replicabinddngroup',
+self.repl_man_group_dn))
 
-if 'nsds5replicabinddngroupcheckinterval' not in entry:
-mod.append(
-(ldap.MOD_ADD,
- 'nsds5replicabinddngroupcheckinterval',
- '60'))
+if 'nsds5replicabinddngroupcheckinterval' not in entry:
+mod.append(
+(ldap.MOD_ADD,
+ 'nsds5replicabinddngroupcheckinterval',
+ '60'))
 if mod:
 conn.modify_s(dn, mod)
 
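Review bot: when `support_binddngroup` is false the only thing added is the explicit `nsDS5ReplicaBindDN` from the lines above, so replication still authenticates, but the group-based authorization through the replication managers group (`self.repl_man_group_dn`) is silently not in effect on this master; emit a warning at this point so the administrator knows which masters are not covered by the group. The nested `if support_binddngroup:` / `if self.repl_man_group_dn not in binddn_groups:` can be a single condition for the group attribute, while `nsds5replicabinddngroupcheckinterval` should stay under the same guard, since an older server would not accept an attribute it does not know in the same modify.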
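
The version gate from the patch above, as an added example that is not FreeIPA's own code: it parses the root DSE `vendorVersion` string into a tuple so that any number of dotted components compares correctly against the 1.3.3 threshold named in the PR description, fails closed when the version cannot be determined, and builds the same modlist as `replica_config()` without needing python-ldap. The `389-Directory/<version> <build>` layout of vendorVersion, the sample strings and the `MOD_ADD` stand-in are assumptions made for the example.

```python
#!/usr/bin/python3
"""Version gate for nsds5replicabinddngroup, from the root DSE vendorVersion."""
import re

# Threshold stated in the PR: bind DN groups need 389-DS 1.3.3 or newer.
BINDDNGROUP_MIN_VERSION = (1, 3, 3)

# Assumed vendorVersion layout: "389-Directory/<dotted version> <build tag>".
_VERSION_RE = re.compile(r'389-Directory/(\d+(?:\.\d+)*)')

# Stand-in for ldap.MOD_ADD so the example runs without python-ldap.
MOD_ADD = 0


def parse_389_version(vendor_version):
    """Return the numeric version as a tuple, or None when the value is
    empty, not from 389-DS, or carries no parsable dotted version."""
    if not vendor_version:
        return None
    if isinstance(vendor_version, bytes):
        vendor_version = vendor_version.decode('utf-8', 'replace')
    match = _VERSION_RE.search(vendor_version)
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split('.'))


def supports_binddngroup(vendor_version):
    """Tuple comparison handles any number of components: (1, 3) sorts
    below (1, 3, 3), (1, 3, 5, 10) above it.  Unknown versions fail closed:
    only send attributes the server is known to understand."""
    version = parse_389_version(vendor_version)
    if version is None:
        return False
    return version >= BINDDNGROUP_MIN_VERSION


def replica_mods(entry, replica_binddn, repl_man_group_dn, vendor_version):
    """Build the modlist for the replica entry the way the patch does: the
    explicit bind DN is always added, the group attributes only when the
    master supports them.  `entry` is the current replica entry as a dict
    of attribute -> list of values."""
    mod = []
    if replica_binddn not in entry.get('nsDS5ReplicaBindDN', []):
        mod.append((MOD_ADD, 'nsDS5ReplicaBindDN', replica_binddn))
    if supports_binddngroup(vendor_version):
        if repl_man_group_dn not in entry.get('nsds5replicabinddngroup', []):
            mod.append((MOD_ADD, 'nsds5replicabinddngroup', repl_man_group_dn))
        if 'nsds5replicabinddngroupcheckinterval' not in entry:
            mod.append((MOD_ADD, 'nsds5replicabinddngroupcheckinterval', '60'))
    return mod


if __name__ == '__main__':
    # Constructed sample strings, not captured from real servers.
    for sample in ('389-Directory/1.3.5.10 B2016.230.1349',
                   '389-Directory/1.2.11.15 B2014.314.1342',
                   '389-Directory/1.3',
                   'Some Other LDAP Server 2.0',
                   b'',
                   None):
        print(repr(sample), '->', supports_binddngroup(sample))
```

Running it prints one verdict per sample; `replica_mods()` returns the bare (operation, attribute, value) tuples that `conn.modify_s()` would receive, so the old-master case can be checked without a directory server.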

[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA

2016-12-08 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

tiran commented:
"""
```
#!/usr/bin/python3
import math
import random
import string


class TokenGenerator(object):
    """Simple, tunable token generator

    TokenGenerator(uppercase=3, lowercase=3, digits=0, special=None)

    At least 3 upper and 3 lower case ASCII chars, may contain digits, no
    special chars.  A requirement of None leaves the class out of the
    alphabet entirely; 0 keeps it in the alphabet without a minimum count.

    128 bits entropy: secure
    256 bits of entropy: secure enough if you care about quantum computers
    """
    uppercase = frozenset(string.ascii_uppercase)
    lowercase = frozenset(string.ascii_lowercase)
    digits = frozenset(string.digits)
    # without: = # ' " \ `
    special = frozenset('!$%&()*+,-./:;<>?@[]^_{|}~')

    def __init__(self, uppercase=1, lowercase=1, digits=1, special=1):
        # SystemRandom draws from os.urandom(), i.e. the kernel CSPRNG
        self.rng = random.SystemRandom()
        self.requirements = dict(
            uppercase=uppercase,
            lowercase=lowercase,
            digits=digits,
            special=special
        )
        chars = set()
        for symclass, req in self.requirements.items():
            if req is not None:
                chars.update(getattr(self, symclass))
        self.chars = tuple(sorted(chars))
        # Shortest token that can satisfy all per-class minimum counts
        self.min_length = sum(req for req in self.requirements.values()
                              if req is not None and req > 0)

    def __call__(self, entropy_bits=128):
        # Shortest token whose uniform draw carries entropy_bits
        length = int(math.ceil(entropy_bits / math.log2(len(self.chars))))
        if length < self.min_length:
            # Without this check the rejection loop below never terminates
            raise ValueError(
                'entropy_bits=%d gives a %d-char token, but the class '
                'requirements need at least %d chars'
                % (entropy_bits, length, self.min_length))
        while True:
            token = ''.join(self.rng.choice(self.chars) for _ in range(length))
            token_ok = True
            for symclass, req in self.requirements.items():
                if req is None or req <= 0:
                    continue
                reqchars = getattr(self, symclass)
                # Count occurrences rather than distinct characters, so
                # "at least 3 uppercase" accepts 'AAA' as the docstring says
                if sum(1 for c in token if c in reqchars) < req:
                    token_ok = False
                    break
            if token_ok:
                return token


if __name__ == '__main__':
    pwgen = TokenGenerator(special=None)
    for i in range(100):
        print(pwgen())
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/317#issuecomment-265803218

[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install

2016-12-08 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/62
Author: simo5
 Title: #62: Configure Anonymous PKINIT on server install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
From 641691caf4ed92cec0bd076f3245c9456b8e9445 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 26 Jul 2016 11:19:01 -0400
Subject: [PATCH] Configure Anonymous PKINIT on server install

Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce 
---
 install/share/kdc.conf.template  |   2 +-
 install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++
 install/share/profiles/Makefile.am   |   1 +
 ipaclient/install/client.py  |   2 +-
 ipalib/install/certmonger.py |  43 +++
 ipaplatform/base/paths.py|   3 +-
 ipapython/dogtag.py  |   4 +
 ipaserver/install/cainstance.py  |   2 +-
 ipaserver/install/certs.py   |  10 ++-
 ipaserver/install/dsinstance.py  |   2 +-
 ipaserver/install/httpinstance.py|   2 +-
 ipaserver/install/krbinstance.py |  52 +
 ipaserver/install/server/__init__.py |   4 +-
 ipaserver/install/server/install.py  |  21 +++---
 ipaserver/install/server/replicainstall.py   |   4 +-
 ipaserver/install/server/upgrade.py  |  20 +
 ipaserver/plugins/cert.py|  80 +++-
 ipaserver/plugins/dogtag.py  |   2 +
 18 files changed, 294 insertions(+), 69 deletions(-)
 create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg

diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 296b75b..ec53a1f 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
   dict_file = $DICT_WORDS
   default_principal_flags = +preauth
 ;  admin_keytab = $KRB5KDC_KADM5_KEYTAB
-  pkinit_identity = FILE:$KDC_PEM
+  pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
   pkinit_anchors = FILE:$CACERT_PEM
  }
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
new file mode 100644
index 000..c5e412b
--- /dev/null
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -0,0 +1,109 @@
+profileId=KDCs_PKINIT_Certs
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl

[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install

2016-12-08 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

simo5 commented:
"""
@abbra I have an idea of what it might be
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/62#issuecomment-265795485

[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install

2016-12-08 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

simo5 commented:
"""
@martbab sometimes you are blind to your own code ...
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/62#issuecomment-265795306

[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA

2016-12-08 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

tiran commented:
"""
@mbasti-rh I probably misunderstood your intention. I read your comment as 
"Replace it with something sane, the sane thing is sha1".

By the way I'm currently tangled up in a twitter discussion about Python's new 
secrets module and entropy. The module doc has a nice recipe to generate 
passwords with special properties 
https://docs.python.org/3.6/library/secrets.html#recipes-and-best-practices . I 
asked a friend of mine and real (tm) cryptographer about entropy for black box 
tokens. He told me

> 128 if you don't care about quantum computing; 256 if you do

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/317#issuecomment-265789981
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA

2016-12-08 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

mbasti-rh commented:
"""
@tiran @simo5 If you read my comments properly, I was happy with removing sha1() 
and I pointed out that ipa_generate_password() must generate 160 bits of entropy, as 
was probably originally aimed for by using sha1()

@simo5 I'm fine with removing space then

@simo5 Standa found out that when FIPS is enabled NSS is not willing to accept 
some passwords, it requires some special chars AFAIK @stlaz knows details

@tiran I'm afraid we need to keep special characters there as I mentioned above ^

@tiran thank you for the nice code snippet

@tiran AFAIK you misunderstood my comment, I wanted to "replace sha1 with 
something sane" or I don't understand what is wrong with my comment.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/317#issuecomment-265786411
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#270][closed] Test: uniqueness of certificate renewal master

2016-12-08 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/270
Author: ofayans
 Title: #270: Test: uniqueness of certificate renewal master
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/270/head:pr270
git checkout pr270
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#270][+pushed] Test: uniqueness of certificate renewal master

2016-12-08 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/270
Title: #270: Test: uniqueness of certificate renewal master

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#270][comment] Test: uniqueness of certificate renewal master

2016-12-08 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/270
Title: #270: Test: uniqueness of certificate renewal master

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/fad87a9962ee33cfebc4fa59aba589e98b076cea
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/270#issuecomment-265783934
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#270][+ack] Test: uniqueness of certificate renewal master

2016-12-08 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/270
Title: #270: Test: uniqueness of certificate renewal master

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install

2016-12-08 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

martbab commented:
"""
@simo5 I highlighted the code giving pylint issues, basically you forgot to 
update the ca_kdc_check signature.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/62#issuecomment-265783165
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install

2016-12-08 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

abbra commented:
"""
@simo5 I tried to run the branch as an upgrade against the Fedora 25 version 
(4.4.2-1.fc25) and it failed at first because I was running in SELinux 
enforcing:
 Unexpected error - see /var/log/ipaupgrade.log for details:
 DBusException: org.fedorahosted.certmonger.bad_arg: The parent of location "/var/kerberos/krb5kdc/kdc.crt" could not be accessed due to insufficient permissions.
 The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

Re-running `ipa-server-upgrade` with 'setenforce 0', I get a different error:

2016-12-08T15:52:28Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2016-12-08T15:52:28Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1820, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1755, in upgrade_configuration
    enable_anonymous_principal(krb)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1498, in enable_anonymous_principal
    dn = DN(('krbprincipalname', princ_realm), krb.get_realm_suffix())
  File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 74, in get_realm_suffix
    return DN(('cn', self.realm), ('cn', 'kerberos'), self.suffix)
  File "/usr/lib/python2.7/site-packages/ipapython/dn.py", line 1107, in __init__
    self.rdns = self._rdns_from_sequence(args)
  File "/usr/lib/python2.7/site-packages/ipapython/dn.py", line 1148, in _rdns_from_sequence
    rdn = self._rdns_from_value(item)
  File "/usr/lib/python2.7/site-packages/ipapython/dn.py", line 1141, in _rdns_from_value
    % type(value))

2016-12-08T15:52:28Z DEBUG The ipa-server-upgrade command failed, exception: TypeError: must be str, unicode, tuple, Name, RDN or DN, got  instead
2016-12-08T15:52:28Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
TypeError: must be str, unicode, tuple, Name, RDN or DN, got  instead

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/62#issuecomment-265775539
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA

2016-12-08 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

tiran commented:
"""
@stlaz Your patch looks good. My comment regarding SHA1 was aimed at comment 
https://github.com/freeipa/freeipa/pull/317#issuecomment-265440651 . The 
suggestion of SHA1 is a *Verschlimmbesserung* (improvement for the worse) of 
the current code.

I studied the implementation of ```ipa_generate_password```. The special cases for 
white space make it more complicated. If you combine @simo5 's suggestion and 
my function, you can write the function in like 6 to 7 lines of simple code. It 
might be a good idea to use only alphanumeric chars, too. ```#!='"%${}.?*``` 
have special meaning in bash, C, ini files etc.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/317#issuecomment-265766597
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA

2016-12-08 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

simo5 commented:
"""
We may need a max length argument if we are dealing with some stuff that has 
issues with more than max length characters ... In that case we can warn (or 
raise, we'll have to decide) that not enough entropy will be available if max length 
is not sufficient to hold the desired entropy.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/317#issuecomment-265762543
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA

2016-12-08 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

stlaz commented:
"""
@simo5 I was actually trying to get rid of SHA-1 and I am aware that entropy 
will not be raised, that part of the code drew a smile on some of our faces 
here, really :)
As for the spaces, I did not encounter issues with them in password.conf files 
which is awesome but I agree they're potentially dangerous. However, removing 
them from the default set of password chars would not make our life easier as the 
check would have to stay there in case someone passes them as a possible 
character as an argument to ipa_generate_password (although they should 
probably know what they're doing, right?).
We may be able to get rid of the `characters` argument should the cases where 
it's used be found invalid though (currently in `host`, `user` passwords and 
in `dnskeysync`).
@tiran Regarding sha1 - did you see the patch? ;) However I agree that the 
length is not a good argument for a password-generating function, I will have a 
look at transforming it to entropy.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/317#issuecomment-265761543
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA

2016-12-08 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

tiran commented:
"""
Please don't use a hack like sha1() to turn a random byte sequence into a hex 
value. At best sha1 keeps the entropy of the input. I also don't like the fact 
that the function only cares about the length of the output. The actual length 
is irrelevant. We care about the entropy of the output.

Let's drop pwd_len and apply proper math instead:

```
import math
import random
import string

alnum = string.ascii_letters + string.digits
sysrandom = random.SystemRandom()  # uses os.urandom() as RNG

def mkpasswd(entropy_bits=128, symbols=alnum):
length = int(math.ceil(entropy_bits / math.log(len(symbols), 2)))
return ''.join(sysrandom.choice(symbols) for _ in range(length))
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/317#issuecomment-265760379
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA

2016-12-08 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

simo5 commented:
"""
@stlaz SHA-1 DOES NOT add entropy at all, you need the right number of bits in 
INPUT for whatever transformation you use.
@mbasti-rh in what way is FIPS incompatible with base64 encoding?
@stlaz  spaces may cause issues in some places where passwords are stored in 
files or passed (annoyingly) as shell arguments, so it is safer to avoid them in 
the final output, and given the way the code deals with space that would also 
simplify the random generator and avoid the bias on 1st and last character of 
the password.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/317#issuecomment-265752256
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
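
An added example, not FreeIPA's ipa_generate_password and not code posted in this thread, that puts the three points above together: tiran's entropy-to-length formula (`ceil(bits / log2(alphabet))`), simo5's max-length refusal when the consumer cannot hold enough characters, and a per-class minimum (for the FIPS/NSS special-character requirement mbasti-rh mentions) enforced by whole-candidate rejection so that no position is biased. It uses Python's `secrets` module; the `SPECIAL` set is a constructed choice for this example.

```python
import math
import secrets
import string

# Character classes for the generator. SPECIAL is a constructed choice for
# this example: it leaves out the characters tiran lists as meaningful to
# bash, C and ini files (#!='"%${}.?*) and the space the thread agrees to drop.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIAL = "_,;:@+-~"


def required_length(entropy_bits, alphabet_size):
    """Shortest length at which uniform draws from an alphabet of
    alphabet_size symbols carry at least entropy_bits bits, i.e. tiran's
    ceil(entropy_bits / log2(alphabet_size))."""
    if alphabet_size < 2:
        raise ValueError("alphabet needs at least two symbols")
    return int(math.ceil(entropy_bits / math.log2(alphabet_size)))


def missing_classes(password, requirements):
    """Return the character sets whose minimum count the password does not
    reach. requirements is a list of (charset, minimum) pairs."""
    return [charset for charset, minimum in requirements
            if sum(ch in charset for ch in password) < minimum]


def generate_password(entropy_bits=128, min_upper=1, min_lower=1,
                      min_digits=1, min_special=1, max_length=None,
                      special=SPECIAL):
    """Generate a password carrying at least entropy_bits bits that contains
    the requested minimum number of characters of each class.

    max_length mirrors simo5's suggestion: when the consumer cannot take a
    password long enough to hold the entropy, refuse instead of silently
    handing out a weaker one."""
    requirements = [(UPPER, min_upper), (LOWER, min_lower),
                    (DIGITS, min_digits), (special, min_special)]
    alphabet = UPPER + LOWER + DIGITS + special
    length = required_length(entropy_bits, len(alphabet))
    # The rejection loop below can only finish if the password has room for
    # every required character, so never ask for fewer characters than the
    # minimums add up to.
    length = max(length, sum(minimum for _, minimum in requirements))
    if max_length is not None and length > max_length:
        raise ValueError(
            "%d characters are needed for %d bits of entropy but at most "
            "%d are allowed" % (length, entropy_bits, max_length))
    # Every position is drawn uniformly with a CSPRNG and a candidate that
    # lacks a required class is discarded as a whole, so no position (first,
    # last or otherwise) is biased towards any class. Rejection costs
    # log2(accepted fraction) bits; with the defaults that is well under one
    # bit, so the entropy target is still effectively met.
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not missing_classes(candidate, requirements):
            return candidate


if __name__ == "__main__":
    print(generate_password())
    print(generate_password(entropy_bits=256, min_special=0))
```

With the 70-symbol default alphabet a 128-bit password comes out at 21 characters; the same target over the 62 alphanumerics needs 22, and 256 bits needs 43.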

[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA

2016-12-08 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

simo5 commented:
"""
@stlaz, SHA-1 DOES NOT add entropy at all, you need the right number of bits in 
INPUT for whatever transformation you use.
@mbasti-rh in what way is FIPS incompatible with base64 encoding?
@stlaz, spaces may cause issues in some places where passwords are stored in 
files or passed (annoyingly) as shell arguments, so it is safer to avoid them in 
the final output, and given the way the code deals with space that would also 
simplify the random generator and avoid the bias on 1st and last character of 
the password.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/317#issuecomment-265752256
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#181][synchronized] Tests : User Tracker creation of user with minimal values

2016-12-08 Thread gkaihorodova
   URL: https://github.com/freeipa/freeipa/pull/181
Author: gkaihorodova
 Title: #181: Tests : User Tracker creation of user with minimal values
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/181/head:pr181
git checkout pr181
From a7bad23f12b5c6227e1e5f1d976883dc2edf9146 Mon Sep 17 00:00:00 2001
From: Ganna Kaihorodova 
Date: Thu, 8 Dec 2016 15:06:36 +0100
Subject: [PATCH 1/2] User Tracker: creation of user with minimal values

The fix provides the possibility to create a user-add test with minimal values,
where uid is not specified, to provide better coverage. It also provides a
check for non-empty unicode strings for the attributes required in the init method

https://fedorahosted.org/freeipa/ticket/6126
---
 ipatests/test_xmlrpc/tracker/user_plugin.py | 40 +
 1 file changed, 29 insertions(+), 11 deletions(-)

diff --git a/ipatests/test_xmlrpc/tracker/user_plugin.py b/ipatests/test_xmlrpc/tracker/user_plugin.py
index 4485fd9..ca28e7e 100644
--- a/ipatests/test_xmlrpc/tracker/user_plugin.py
+++ b/ipatests/test_xmlrpc/tracker/user_plugin.py
@@ -62,22 +62,40 @@ class UserTracker(KerberosAliasMixin, Tracker):
 
 primary_keys = {u'uid', u'dn'}
 
-def __init__(self, name, givenname, sn, **kwargs):
+def __init__(self, name=None, givenname=None, sn=None, **kwargs):
+""" Check for non-empty unicode string for the required attributes
+ in the init method """
+
+if not (isinstance(givenname, six.string_types) and givenname):
+raise ValueError("Invalid first name provided: %r" % givenname)
+if not (isinstance(sn, six.string_types) and sn):
+raise ValueError("Invalid second name provided: %r" % sn)
+
 super(UserTracker, self).__init__(default_version=None)
-self.uid = name
-self.givenname = givenname
-self.sn = sn
+self.uid = unicode(name)
+self.givenname = unicode(givenname)
+self.sn = unicode(sn)
 self.dn = DN(('uid', self.uid), api.env.container_user, api.env.basedn)
 
 self.kwargs = kwargs
 
-def make_create_command(self):
-""" Make function that crates a user using user-add """
-return self.make_command(
-'user_add', self.uid,
-givenname=self.givenname,
-sn=self.sn, **self.kwargs
-)
+def make_create_command(self, force=None):
+
+""" Make function that creates a user using user-add
+with all set of attributes and with minimal values,
+where uid is not specified """
+
+if self.uid is not None:
+return self.make_command(
+'user_add', self.uid,
+givenname=self.givenname,
+sn=self.sn, **self.kwargs
+)
+else:
+return self.make_command(
+'user_add', givenname=self.givenname,
+sn=self.sn, **self.kwargs
+)
 
 def make_delete_command(self, no_preserve=True, preserve=False):
 """ Make function that deletes a user using user-del """
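
Review bot: `name` now defaults to `None`, but `self.uid = unicode(name)` turns that into the string `u'None'`, so `self.dn` is built as `uid=None,...` and the `if self.uid is not None:` branch in `make_create_command` always takes the first `make_command` call; the uid-less `else` path can never run. Keep `None` as `None` (e.g. `self.uid = name if name is None else unicode(name)`) and build `self.dn` only when a uid is known. Also confirm `six` is imported in this module, since `six.string_types` is new here, and the docstring's "second name" should read "surname" to match `sn`.
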

From b0d51d7f9460064479c2dc49541c4ce6f0408371 Mon Sep 17 00:00:00 2001
From: Ganna Kaihorodova 
Date: Thu, 8 Dec 2016 15:08:41 +0100
Subject: [PATCH 2/2] User Tracker: Test to create user with minimal values

Test to create user with minimal values, where uid is not specified

https://fedorahosted.org/freeipa/ticket/6126
---
 ipatests/test_xmlrpc/test_user_plugin.py | 13 +
 1 file changed, 13 insertions(+)

diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py
index 7508578..b90363e 100644
--- a/ipatests/test_xmlrpc/test_user_plugin.py
+++ b/ipatests/test_xmlrpc/test_user_plugin.py
@@ -79,6 +79,13 @@
 
 
 @pytest.fixture(scope='class')
+def user_min(request):
+""" User tracker fixture for testing user with uid no specified """
+tracker = UserTracker(givenname=u'Testmin', sn=u'Usermin')
+return tracker.make_fixture(request)
+
+
+@pytest.fixture(scope='class')
 def user(request):
 tracker = UserTracker(name=u'user1', givenname=u'Test', sn=u'User1')
 return tracker.make_fixture(request)
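
Review bot: the docstring says `uid no specified`; make it `uid not specified`. Since `user_min` is built without a `name`, this fixture only reaches the uid-less `make_command` path if the tracker leaves `uid` as `None` instead of stringifying it (see the `__init__` change in the first patch).
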
@@ -405,6 +412,12 @@ def test_rename_to_invalid_login(self, user):
 
 @pytest.mark.tier1
 class TestCreate(XMLRPC_test):
+def test_create_user_with_min_values(self, user_min):
+""" Create user with uid not specified """
+user_min.ensure_missing()
+command = user_min.make_create_command()
+command()
+
 def test_create_with_krb_ticket_policy(self):
 """ Try to create user with krbmaxticketlife set """
 testuser = UserTracker(
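
Review bot: `test_create_user_with_min_values` calls `command()` but asserts nothing on the result, so the test passes as long as `user_add` does not raise; check at least that the returned entry has a generated `uid` and the expected `givenname`/`sn`. The test also only calls `ensure_missing()` beforehand and never records that the user now exists, so the entry is left behind unless the fixture cleans up a user whose uid it did not know in advance.
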
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA

2016-12-08 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

stlaz commented:
"""
Apparently, spaces are ok even in HTTP password.conf so I guess we can leave it 
there.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/317#issuecomment-265739766
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#307][synchronized] Lowered the version of gettext

2016-12-08 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/307
Author: pvomacka
 Title: #307: Lowered the version of gettext
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/307/head:pr307
git checkout pr307
From 1c49b0d070044b05bb15a17c23c47b18b952d6ff Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Wed, 7 Dec 2016 12:16:56 +0100
Subject: [PATCH] Lowered the version of gettext

The lower version is needed while building on RHEL.
Also po/Rules-quot file is deleted and added to .gitignore.

https://fedorahosted.org/freeipa/ticket/6418
---
 .gitignore|  1 +
 configure.ac  |  2 +-
 po/Rules-quot | 58 --
 3 files changed, 2 insertions(+), 59 deletions(-)
 delete mode 100644 po/Rules-quot

diff --git a/.gitignore b/.gitignore
index a9c71e4..6dcda76 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,6 +12,7 @@
 /po/POTFILES
 /po/POTFILES.in
 /po/remove-potcdate.sed
+/po/Rules-quot
 /po/stamp-po
 
 # In-tree build files
diff --git a/configure.ac b/configure.ac
index 6e31b29..c02a672 100644
--- a/configure.ac
+++ b/configure.ac
@@ -299,7 +299,7 @@ AC_CONFIG_COMMANDS([po/POTFILES.in],
 			> po/POTFILES.in && dnl
 			cd "${find_start_pwd}"])
 AC_SUBST(GETTEXT_DOMAIN, [ipa])
-AM_GNU_GETTEXT_VERSION([0.19.8])
+AM_GNU_GETTEXT_VERSION([0.18.2])
 AM_GNU_GETTEXT([external])
 
 dnl integrate our custom hacks into gettextize infrastructure
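
Review bot: the commit message says the lower version is needed "while building on RHEL" but not which gettext version RHEL ships, so it is unclear whether `0.18.2` is the actual floor or just a value that happened to work; record the RHEL version in the message, and check that the spec's gettext BuildRequires agrees with the new `AM_GNU_GETTEXT_VERSION([0.18.2])`.
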
diff --git a/po/Rules-quot b/po/Rules-quot
deleted file mode 100644
index baf6528..000
--- a/po/Rules-quot
+++ /dev/null
@@ -1,58 +0,0 @@
-# This file, Rules-quot, can be copied and used freely without restrictions.
-# Special Makefile rules for English message catalogs with quotation marks.
-
-DISTFILES.common.extra1 = quot.sed boldquot.sed en@quot.header en@boldquot.header insert-header.sin Rules-quot
-
-.SUFFIXES: .insert-header .po-update-en
-
-e...@quot.po-create:
-	$(MAKE) e...@quot.po-update
-e...@boldquot.po-create:
-	$(MAKE) e...@boldquot.po-update
-
-e...@quot.po-update: e...@quot.po-update-en
-e...@boldquot.po-update: e...@boldquot.po-update-en
-
-.insert-header.po-update-en:
-	@lang=`echo $@ | sed -e 's/\.po-update-en$$//'`; \
-	if test "$(PACKAGE)" = "gettext-tools" && test "$(CROSS_COMPILING)" != "yes"; then PATH=`pwd`/../src:$$PATH; GETTEXTLIBDIR=`cd $(top_srcdir)/src && pwd`; export GETTEXTLIBDIR; fi; \
-	tmpdir=`pwd`; \
-	echo "$$lang:"; \
-	ll=`echo $$lang | sed -e 's/@.*//'`; \
-	LC_ALL=C; export LC_ALL; \
-	cd $(srcdir); \
-	if $(MSGINIT) $(MSGINIT_OPTIONS) -i $(DOMAIN).pot --no-translator -l $$lang -o - 2>/dev/null \
-	   | $(SED) -f $$tmpdir/$$lang.insert-header | $(MSGCONV) -t UTF-8 | \
-	   { case `$(MSGFILTER) --version | sed 1q | sed -e 's,^[^0-9]*,,'` in \
-	 '' | 0.[0-9] | 0.[0-9].* | 0.1[0-8] | 0.1[0-8].*) \
-	   $(MSGFILTER) $(SED) -f `echo $$lang | sed -e 's/.*@//'`.sed \
-	   ;; \
-	 *) \
-	   $(MSGFILTER) `echo $$lang | sed -e 's/.*@//'` \
-	   ;; \
-	 esac } 2>/dev/null > $$tmpdir/$$lang.new.po \
-	 ; then \
-	  if cmp $$lang.po $$tmpdir/$$lang.new.po >/dev/null 2>&1; then \
-	rm -f $$tmpdir/$$lang.new.po; \
-	  else \
-	if mv -f $$tmpdir/$$lang.new.po $$lang.po; then \
-	  :; \
-	else \
-	  echo "creation of $$lang.po failed: cannot move $$tmpdir/$$lang.new.po to $$lang.po" 1>&2; \
-	  exit 1; \
-	fi; \
-	  fi; \
-	else \
-	  echo "creation of $$lang.po failed!" 1>&2; \
-	  rm -f $$tmpdir/$$lang.new.po; \
-	fi
-
-en@quot.insert-header: insert-header.sin
-	sed -e '/^#/d' -e 's/HEADER/en@quot.header/g' $(srcdir)/insert-header.sin > en@quot.insert-header
-
-en@boldquot.insert-header: insert-header.sin
-	sed -e '/^#/d' -e 's/HEADER/en@boldquot.header/g' $(srcdir)/insert-header.sin > en@boldquot.insert-header
-
-mostlyclean: mostlyclean-quot
-mostlyclean-quot:
-	rm -f *.insert-header
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2016-12-08 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
@pspacek I added workflows to the Design page, please verify
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-265734321
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time

2016-12-08 Thread pspacek
  URL: https://github.com/freeipa/freeipa/pull/272
Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time

pspacek commented:
"""
I've synchronized `python-cryptography` and `python-gssapi` versions. Thank you 
for noticing. Let's see if CI tests pass or not.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/272#issuecomment-265726303
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#272][synchronized] Build: makerpms.sh generates Python 2 & 3 packages at the same time

2016-12-08 Thread pspacek
   URL: https://github.com/freeipa/freeipa/pull/272
Author: pspacek
 Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/272/head:pr272
git checkout pr272
From 684f4f5d4fbcfc62c555f7ef856dc2da467cd40c Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Thu, 24 Nov 2016 17:35:24 +0100
Subject: [PATCH 1/3] Build: makerpms.sh generates Python 2 & 3 packages at the
 same time

Petr Viktorin recommended me to copy the whole build directory and run
configure twice, with different values for the PYTHON variable.

After thinking a bit about that, it seems the cleanest approach.
Building for two versions of Python at the same time should be a
temporary state so I decided not to complicate the Autotools build system
with conditional spaghetti for two versions of Python.

For proper Python2/3 distinction in the two separate builds, I added a
find/grep/sed combo which replaces shebangs with the system-wide Python
interpreter as necessary. This is a workaround for the fact that FreeIPA
does not use setuptools properly. Honza told me that proper use of
setuptools is not trivial so we decided to go with this for now.

https://fedorahosted.org/freeipa/ticket/157
---
 freeipa.spec.in | 148 +---
 1 file changed, 97 insertions(+), 51 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index cba40c2..cdfb65e 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -5,7 +5,7 @@
 %if 0%{?rhel}
 %global with_python3 0
 %else
-%global with_python3 0
+%global with_python3 1
 %endif
 
 # lint is not executed during rpmbuild
@@ -268,6 +268,37 @@ and integration with Active Directory based infrastructures (Trusts).
 If you are installing an IPA server, you need to install this package.
 
 
+%if 0%{?with_python3}
+
+%package -n python3-ipaserver
+Summary: Python libraries used by IPA server
+Group: System Environment/Libraries
+BuildArch: noarch
+%{?python_provide:%python_provide python3-ipaserver}
+Requires: %{name}-server-common = %{version}-%{release}
+Requires: %{name}-common = %{version}-%{release}
+Requires: python3-ipaclient = %{version}-%{release}
+Requires: python3-pyldap >= 2.4.15
+Requires: python3-lxml
+Requires: python3-gssapi >= 1.1.2
+Requires: python3-sssdconfig
+Requires: python3-pyasn1
+Requires: python3-dbus
+Requires: python3-dns >= 1.11.1
+Requires: python3-kdcproxy >= 0.3
+Requires: rpm-libs
+
+%description -n python3-ipaserver
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+If you are installing an IPA server, you need to install this package.
+
+%endif  # with_python3
+
+
 %package server-common
 Summary: Common files used by IPA server
 Group: System Environment/Base
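
Review bot: the `Requires:` list of `python3-ipaserver` needs to match the Python 2 `ipaserver` package version for version; tiran's comment in this thread asks for `python3-cryptography` and `python3-gssapi` to be synced, and `python3-cryptography` does not appear in this list at all, while `python3-gssapi >= 1.1.2` should be checked against the Python 2 floor.
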
@@ -687,6 +718,11 @@ This package contains tests that verify IPA functionality under Python 3.
 
 %prep
 %setup -n freeipa-%{version} -q
+%if 0%{?with_python3}
+# Workaround: We want to build Python things twice. To be sure we do not mess
+# up something, do two separate builds in separate directories.
+cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3
+%endif # with_python3
 
 
 %build
@@ -694,10 +730,33 @@ This package contains tests that verify IPA functionality under Python 3.
 export JAVA_STACK_SIZE="8m"
 # PATH is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1005235
 export PATH=/usr/bin:/usr/sbin:$PATH
+export PYTHON=%{__python2}
+# Workaround: make sure all shebangs are pointing to Python 2
+# This should be solved properly using setuptools
+# and this hack should be removed.
+find \
+	! -name '*.pyc' -a \
+	! -name '*.pyo' -a \
+	-type f -exec grep -qsm1 '^#!.*\bpython' {} \; \
+	-exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!%{__python2}|' {} \;
 %configure --with-vendor-suffix=-%{release}
 # -Onone is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1398405
 %make_build -Onone
 
+%if 0%{?with_python3}
+pushd %{_builddir}/freeipa-%{version}-python3
+export PYTHON=%{__python3}
+# Workaround: make sure all shebangs are pointing to Python 3
+# This should be solved properly using setuptools
+# and this hack should be removed.
+find \
+	! -name '*.pyc' -a \
+	! -name '*.pyo' -a \
+	-type f -exec grep -qsm1 '^#!.*\bpython' {} \; \
+	-exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!%{__python3}|' {} \;
+%configure --with-vendor-suffix=-%{release}
+popd
+%endif # with_python3
 
 %check
 %if ! %{ONLY_CLIENT}
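
Review bot: the Python 3 branch runs `%configure` in the copied tree but never runs `%make_build`, while the Python 2 tree gets `%make_build -Onone`; unless `%install` builds the `-python3` copy, nothing is compiled for Python 3 here. Either add the make call after the second `%configure` or state in the comment why configure alone is enough. The shebang `find` also has no starting path and no `-path` exclusion, so it rewrites every file with a `#!...python` line under the whole tree, including test data and third-party files.
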
@@ -716,16 +775,25 @@ make %{?_smp_mflags} client-check VERBOSE=yes LIBDIR=%{_libdir}
 # All files and directories created by spec install should be marked as ghost.
 # 

[Freeipa-devel] [freeipa PR#101][+rejected] Improved vault-show error message

2016-12-08 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/101
Title: #101: Improved vault-show error message

Label: +rejected
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#101][closed] Improved vault-show error message

2016-12-08 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/101
Author: stlaz
 Title: #101: Improved vault-show error message
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/101/head:pr101
git checkout pr101
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time

2016-12-08 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/272
Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time

tiran commented:
"""
* CI is failing: ```12-08 10:53 ipadocker.cli ERROR Command echo Secret123 | 
kinit admin && ipa ping failed (exit code 1)```. I have kicked Travis. Let's 
see if the problem persists.
* please sync the version requirements of python3-cryptography and 
python3-gssapi with Python 2 versions.
* Regarding your workaround and setuptools comment: I have been meaning to move 
all scripts to setuptools' entry points for a while. Setuptools only supports 
one script directory, which defaults to PREFIX/bin. I need to come up with a 
workaround. But that's a topic for another PR.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/272#issuecomment-265721361
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA

2016-12-08 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

stlaz commented:
"""
NSS does support spaces in its passwords it seems. My hopes are that HTTP will 
be able to understand spaces in its password.conf file.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/317#issuecomment-265720579

[Freeipa-devel] [freeipa PR#321][opened] certdb: fix PKCS#12 import with empty password

2016-12-08 Thread jcholast
   URL: https://github.com/freeipa/freeipa/pull/321
Author: jcholast
 Title: #321: certdb: fix PKCS#12 import with empty password
Action: opened

PR body:
"""
Since commit f919ab4ee0ec26d77ee6978e75de5daba4073402, a temporary file is
used to give passwords to pk12util. When a password is empty, the temporary
file will be empty as well, which pk12util does not like.

Add new line after the password in the temporary file to please pk12util.

https://fedorahosted.org/freeipa/ticket/6541
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/321/head:pr321
git checkout pr321
From 5fdd380fce3ad6527a5a980f723f6552f0a70a9d Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 8 Dec 2016 12:26:06 +0100
Subject: [PATCH] certdb: fix PKCS#12 import with empty password

Since commit f919ab4ee0ec26d77ee6978e75de5daba4073402, a temporary file is
used to give passwords to pk12util. When a password is empty, the temporary
file will be empty as well, which pk12util does not like.

Add new line after the password in the temporary file to please pk12util.

https://fedorahosted.org/freeipa/ticket/6541
---
 ipapython/certdb.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index af98a77..4e05b78 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -168,7 +168,7 @@ def import_pkcs12(self, pkcs12_filename, db_password_filename,
 "-k", db_password_filename, '-v']
 pkcs12_password_file = None
 if pkcs12_passwd is not None:
-pkcs12_password_file = ipautil.write_tmp_file(pkcs12_passwd)
+pkcs12_password_file = ipautil.write_tmp_file(pkcs12_passwd + '\n')
 args = args + ["-w", pkcs12_password_file.name]
 try:
 ipautil.run(args)
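Review bot: the appended `'\n'` is applied to every non-None password, not only the empty one, so the fix silently assumes pk12util trims the trailing newline before using the password; that assumption belongs in a comment at the `ipautil.write_tmp_file(pkcs12_passwd + '\n')` call (e.g. "pk12util refuses an empty password file; it strips the newline itself"), otherwise the next reader will "fix" the newline away and reintroduce ticket 6541. Also confirm that `pkcs12_passwd` is always text at this point: under Python 3 `bytes + '\n'` raises TypeError, and nothing in the hunk coerces the type.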

[Freeipa-devel] [freeipa PR#318][+pushed] server install: fix external CA install

2016-12-08 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/318
Title: #318: server install: fix external CA install

Label: +pushed

[Freeipa-devel] [freeipa PR#318][closed] server install: fix external CA install

2016-12-08 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/318
Author: jcholast
 Title: #318: server install: fix external CA install
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/318/head:pr318
git checkout pr318

[Freeipa-devel] [freeipa PR#318][comment] server install: fix external CA install

2016-12-08 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/318
Title: #318: server install: fix external CA install

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/4fff09978eab520d130d87c0112b5caac907e651
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/318#issuecomment-265715262

[Freeipa-devel] [freeipa PR#206][closed] Properly handle multiple cookies in rpcclient

2016-12-08 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/206
Author: simo5
 Title: #206: Properly handle multiple cookies in rpcclient
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/206/head:pr206
git checkout pr206

[Freeipa-devel] [freeipa PR#206][+pushed] Properly handle multiple cookies in rpcclient

2016-12-08 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/206
Title: #206: Properly handle multiple cookies in rpcclient

Label: +pushed

[Freeipa-devel] [freeipa PR#206][comment] Properly handle multiple cookies in rpcclient

2016-12-08 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/206
Title: #206: Properly handle multiple cookies in rpcclient

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/560ab9e3176af8e59163155207cc2c1d631915dd
https://fedorahosted.org/freeipa/changeset/f1678693713dc2a573493e325e93f6f557a5ad5a
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/206#issuecomment-265714183

[Freeipa-devel] [freeipa PR#206][+ack] Properly handle multiple cookies in rpcclient

2016-12-08 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/206
Title: #206: Properly handle multiple cookies in rpcclient

Label: +ack

[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA

2016-12-08 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

mbasti-rh commented:
"""
> The passwords should have around the same entropy now. SHA-1 actually 
> produces 160-bit outputs (hence 40-character-long hexadecimal digests), so I 
> recounted it for 20 bytes of entropy.

Sure, my bad.

As we discussed offline, due to NSS FIPS requirements, we should get rid of 
base64 encoding. I wouldn't remove the space from there; can you check if NSS 
supports it?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/317#issuecomment-265713667

[Freeipa-devel] [freeipa PR#307][comment] Lowered the version of gettext

2016-12-08 Thread pspacek
  URL: https://github.com/freeipa/freeipa/pull/307
Title: #307: Lowered the version of gettext

pspacek commented:
"""
@pvomacka Pavel, you did not remove the `po/Rules-quot` file. Adding it to 
`.gitignore` is not enough.

NACK (sorry for messing with the label, too fat fingers)
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/307#issuecomment-265709221

[Freeipa-devel] [freeipa PR#307][-ack] Lowered the version of gettext

2016-12-08 Thread pspacek
  URL: https://github.com/freeipa/freeipa/pull/307
Title: #307: Lowered the version of gettext

Label: -ack

[Freeipa-devel] [freeipa PR#307][+ack] Lowered the version of gettext

2016-12-08 Thread pspacek
  URL: https://github.com/freeipa/freeipa/pull/307
Title: #307: Lowered the version of gettext

Label: +ack

[Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time

2016-12-08 Thread pspacek
  URL: https://github.com/freeipa/freeipa/pull/272
Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time

pspacek commented:
"""
I've implemented tiran's proposal and rebased the patchset.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/272#issuecomment-265708628

[Freeipa-devel] [freeipa PR#272][synchronized] Build: makerpms.sh generates Python 2 & 3 packages at the same time

2016-12-08 Thread pspacek
   URL: https://github.com/freeipa/freeipa/pull/272
Author: pspacek
 Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/272/head:pr272
git checkout pr272
From 6902563938127f550e50d2fe3ba36c525833f8ce Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Thu, 24 Nov 2016 17:35:24 +0100
Subject: [PATCH 1/3] Build: makerpms.sh generates Python 2 & 3 packages at the
 same time

Petr Viktorin recommended that I copy the whole build directory and run
configure twice, with different values for the PYTHON variable.

After thinking a bit about that, it seems the cleanest approach.
Building for two versions of Python at the same time should be a
temporary state, so I decided not to complicate the Autotools build system
with conditional spaghetti for two versions of Python.

For proper Python 2/3 distinction in the two separate builds, I added a
find/grep/sed combo which replaces shebangs with the system-wide Python
interpreter as necessary. This is a workaround for the fact that FreeIPA
does not use setuptools properly. Honza told me that proper use of
setuptools is not trivial, so we decided to go with this for now.

https://fedorahosted.org/freeipa/ticket/157
---
 freeipa.spec.in | 148 +---
 1 file changed, 97 insertions(+), 51 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index cba40c2..cdfb65e 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -5,7 +5,7 @@
 %if 0%{?rhel}
 %global with_python3 0
 %else
-%global with_python3 0
+%global with_python3 1
 %endif
 
 # lint is not executed during rpmbuild
@@ -268,6 +268,37 @@ and integration with Active Directory based infrastructures (Trusts).
 If you are installing an IPA server, you need to install this package.
 
 
+%if 0%{?with_python3}
+
+%package -n python3-ipaserver
+Summary: Python libraries used by IPA server
+Group: System Environment/Libraries
+BuildArch: noarch
+%{?python_provide:%python_provide python3-ipaserver}
+Requires: %{name}-server-common = %{version}-%{release}
+Requires: %{name}-common = %{version}-%{release}
+Requires: python3-ipaclient = %{version}-%{release}
+Requires: python3-pyldap >= 2.4.15
+Requires: python3-lxml
+Requires: python3-gssapi >= 1.1.2
+Requires: python3-sssdconfig
+Requires: python3-pyasn1
+Requires: python3-dbus
+Requires: python3-dns >= 1.11.1
+Requires: python3-kdcproxy >= 0.3
+Requires: rpm-libs
+
+%description -n python3-ipaserver
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+If you are installing an IPA server, you need to install this package.
+
+%endif  # with_python3
+
+
 %package server-common
 Summary: Common files used by IPA server
 Group: System Environment/Base
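Review bot: the `Requires:` block for `python3-ipaserver` is a hand-maintained copy of the Python 2 server package's list, which is outside this hunk, so the version floors (`python3-pyldap >= 2.4.15`, `python3-gssapi >= 1.1.2`, `python3-dns >= 1.11.1`, `python3-kdcproxy >= 0.3`) need to be checked against the Python 2 entries before merge, as already raised in this thread; a shared macro for the version strings would stop the two lists drifting. Minor: `%endif  # with_python3` puts a comment on the same line as a conditional directive, which rpm does not parse as a comment (newer rpm warns about extra tokens after `%endif`); keep the comment on its own line.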
@@ -687,6 +718,11 @@ This package contains tests that verify IPA functionality under Python 3.
 
 %prep
 %setup -n freeipa-%{version} -q
+%if 0%{?with_python3}
+# Workaround: We want to build Python things twice. To be sure we do not mess
+# up something, do two separate builds in separate directories.
+cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3
+%endif # with_python3
 
 
 %build
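Review bot: `cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3` misbehaves when the target already exists from a previous or interrupted build: `cp -r` then copies the tree into it as a subdirectory, and `%setup` only cleans the primary directory. Add `rm -rf %{_builddir}/freeipa-%{version}-python3` before the copy, and prefer `cp -a` so file modes and timestamps survive (the Autotools regeneration rules compare timestamps).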
@@ -694,10 +730,33 @@ This package contains tests that verify IPA functionality under Python 3.
 export JAVA_STACK_SIZE="8m"
 # PATH is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1005235
 export PATH=/usr/bin:/usr/sbin:$PATH
+export PYTHON=%{__python2}
+# Workaround: make sure all shebangs are pointing to Python 2
+# This should be solved properly using setuptools
+# and this hack should be removed.
+find \
+	! -name '*.pyc' -a \
+	! -name '*.pyo' -a \
+	-type f -exec grep -qsm1 '^#!.*\bpython' {} \; \
+	-exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!%{__python2}|' {} \;
 %configure --with-vendor-suffix=-%{release}
 # -Onone is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1398405
 %make_build -Onone
 
+%if 0%{?with_python3}
+pushd %{_builddir}/freeipa-%{version}-python3
+export PYTHON=%{__python3}
+# Workaround: make sure all shebangs are pointing to Python 3
+# This should be solved properly using setuptools
+# and this hack should be removed.
+find \
+	! -name '*.pyc' -a \
+	! -name '*.pyo' -a \
+	-type f -exec grep -qsm1 '^#!.*\bpython' {} \; \
+	-exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!%{__python3}|' {} \;
+%configure --with-vendor-suffix=-%{release}
+popd
+%endif # with_python3
 
 %check
 %if ! %{ONLY_CLIENT}
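Review bot: the Python 3 tree is only configured in this hunk: after `%configure --with-vendor-suffix=-%{release}` inside the `pushd` block there is no `%make_build -Onone` matching the Python 2 build above it. If the install section runs make in that directory, say so in a comment here; otherwise add the build step, because the shebang rewrite alone does not produce installable files. Smaller point on the rewrite itself: `find` is invoked without a starting path, which only GNU find tolerates (defaulting to `.`); pass `.` explicitly in both copies of the command.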
@@ -716,16 +775,25 @@ make %{?_smp_mflags} client-check VERBOSE=yes LIBDIR=%{_libdir}
 # All files and directories created by spec install should be marked as ghost.
 # 

[Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time

2016-12-08 Thread pspacek
  URL: https://github.com/freeipa/freeipa/pull/272
Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time

pspacek commented:
"""
I'm fine with `make pylint PYTHON=python3` as long as you can agree on it :-)
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/272#issuecomment-265698399

[Freeipa-devel] [freeipa PR#206][synchronized] Properly handle multiple cookies in rpcclient

2016-12-08 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/206
Author: simo5
 Title: #206: Properly handle multiple cookies in rpcclient
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/206/head:pr206
git checkout pr206
From 9f44fac9f07b727711809bbae0d27ebd149a855a Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 1 Nov 2016 14:59:12 -0400
Subject: [PATCH 1/2] Properly handle multiple cookies in rpcclient

Signed-off-by: Simo Sorce 
---
 ipalib/rpc.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index bd13251..dc63dc3 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -721,7 +721,7 @@ def store_session_cookie(self, cookie_header):
 pass
 
 def parse_response(self, response):
-self.store_session_cookie(response.getheader('Set-Cookie'))
+self.store_session_cookie(response.msg.getheaders('Set-Cookie'))
 return SSLTransport.parse_response(self, response)
 
 
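Review bot: `response.msg.getheaders('Set-Cookie')` is the Python 2 `httplib`/`mimetools.Message` API; under Python 3 `response.msg` is an `email.message.Message`, which offers `get_all()` but no `getheaders()`, so this line raises AttributeError there. Use `response.msg.get_all('Set-Cookie')` behind a `six.PY3` check (or a `getattr` fallback). Note the return-type change as well: the old `getheader()` gave `None` when the header was absent, while `getheaders()` gives an empty list and `get_all()` gives `None`, so `store_session_cookie` has to accept all three shapes.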

From 8bb4abb782a7e1e20332969a9f1a72dfc5187582 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Fri, 30 Sep 2016 16:17:31 -0400
Subject: [PATCH 2/2] Properly handle multiple cookies in rpc lib.

Signed-off-by: Simo Sorce 
---
 ipalib/rpc.py | 14 +++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index dc63dc3..bd25e6f 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -699,12 +699,20 @@ def store_session_cookie(self, cookie_header):
 
 principal = getattr(context, 'principal', None)
 request_url = getattr(context, 'request_url', None)
-root_logger.debug("received Set-Cookie '%s'", cookie_header)
+root_logger.debug("received Set-Cookie (%s)'%s'", type(cookie_header),
+  cookie_header)
+
+if not isinstance(cookie_header, list):
+cookie_header = [cookie_header]
 
 # Search for the session cookie
 try:
-session_cookie = Cookie.get_named_cookie_from_string(cookie_header,
- COOKIE_NAME, request_url)
+for cookie in cookie_header:
+session_cookie = \
+Cookie.get_named_cookie_from_string(cookie, COOKIE_NAME,
+request_url)
+if session_cookie is not None:
+break
 except Exception as e:
 root_logger.error("unable to parse cookie header '%s': %s", cookie_header, e)
 return
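Review bot: `session_cookie` is never initialised before `for cookie in cookie_header:`, so when the list is empty (exactly what `getheaders()` returns for a response without `Set-Cookie`) the loop body never runs and the first use of `session_cookie` after the `try` block raises UnboundLocalError instead of taking the no-cookie path; set `session_cookie = None` before the loop. The `isinstance(cookie_header, list)` wrapper also turns a `None` header into `[None]`, which ends in the `except` branch logging an error for a perfectly normal response; return early on `None` instead. Separately, `root_logger.debug("received Set-Cookie (%s)'%s'", ...)` writes the full cookie value, i.e. the session id, to the log; that predates this patch but is worth trimming to the cookie name while the line is being touched.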

[Freeipa-devel] [freeipa PR#318][+ack] server install: fix external CA install

2016-12-08 Thread flo-renaud
  URL: https://github.com/freeipa/freeipa/pull/318
Title: #318: server install: fix external CA install

Label: +ack

[Freeipa-devel] [freeipa PR#318][comment] server install: fix external CA install

2016-12-08 Thread flo-renaud
  URL: https://github.com/freeipa/freeipa/pull/318
Title: #318: server install: fix external CA install

flo-renaud commented:
"""
Works as expected.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/318#issuecomment-265688266

[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA

2016-12-08 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

stlaz commented:
"""
The passwords should have around the same entropy now. SHA-1 actually produces 
160-bit outputs (hence 40-character-long hexadecimal digests), so I recounted 
it for 20 bytes of entropy.

As ipa_generate_password creates passwords of only printable characters (and a 
space) by default, base64 should not be a requirement here. However, a space 
could be a problem somewhere, I guess; should it be removed as well from the 
default behavior of the password generator?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/317#issuecomment-265686352
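A worked check of the entropy arithmetic in this thread, added here as an example; it is not code from FreeIPA or from the PR. It models the generator as the commit message describes it (95 printable symbols including space, with the first and last character drawn from the 94 non-space symbols, i.e. the 1/95 and 1/94 probabilities) and computes the password length needed to match the entropy of the hex strings being replaced. The alphabet, function names and the use of `secrets` are assumptions made for this illustration; FreeIPA's `ipa_generate_password` is not reproduced.

```python
import math
import secrets
import string

# Constructed model of the generator discussed in PR#317 (an assumption, not
# FreeIPA's ipa_generate_password): all printable ASCII plus the space, 95
# symbols, with the first and last character restricted to the 94 non-space
# symbols so a password never starts or ends with whitespace.
INNER_ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "
EDGE_ALPHABET = INNER_ALPHABET.replace(" ", "")


def entropy_bits(pwd_len, inner=len(INNER_ALPHABET), edge=len(EDGE_ALPHABET)):
    """Entropy in bits of a uniformly generated password of pwd_len characters
    whose first and last characters come from `edge` symbols and the rest
    from `inner` symbols (a one-character password is a single edge symbol)."""
    if pwd_len <= 0:
        return 0.0
    if pwd_len == 1:
        return math.log2(edge)
    return 2 * math.log2(edge) + (pwd_len - 2) * math.log2(inner)


def hex_digest_bits(hex_chars):
    """Upper bound on the entropy carried by a hex string of hex_chars
    characters: 4 bits per character, e.g. 40 chars for a SHA-1 hexdigest,
    32 for hexlify(os.urandom(16)), 20 for hexlify(os.urandom(10))."""
    return 4 * hex_chars


def length_for_bits(target_bits):
    """Smallest generator length whose entropy reaches target_bits."""
    pwd_len = 1
    while entropy_bits(pwd_len) < target_bits:
        pwd_len += 1
    return pwd_len


def generate_password(pwd_len):
    """Draw a password with the modelled distribution from the OS CSPRNG via
    `secrets` (never the `random` module for secrets)."""
    if pwd_len < 2:
        raise ValueError("need at least two characters for distinct edges")
    middle = "".join(secrets.choice(INNER_ALPHABET) for _ in range(pwd_len - 2))
    return secrets.choice(EDGE_ALPHABET) + middle + secrets.choice(EDGE_ALPHABET)


if __name__ == "__main__":
    # The three hex formats replaced in the patch, and the generator length
    # that matches each one.
    for hex_chars in (40, 32, 20):
        bits = hex_digest_bits(hex_chars)
        print(f"{hex_chars} hex chars = {bits} bits -> pwd_len={length_for_bits(bits)}")
    print(repr(generate_password(25)))
```

The lengths it returns for the 160-bit (SHA-1) and 128-bit (16 random bytes) cases are 25 and 20, which are the `pwd_len` values the patch below uses for those call sites; the figure for a 10-byte hex string is a lower bound, so a larger `pwd_len` there is simply more margin.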

[Freeipa-devel] [freeipa PR#317][synchronized] Unify password generation across FreeIPA

2016-12-08 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/317
Author: stlaz
 Title: #317: Unify password generation across FreeIPA
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/317/head:pr317
git checkout pr317
From bfde1323888d15bd8aa975e9513fea829cb19de9 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 6 Dec 2016 09:05:42 +0100
Subject: [PATCH] Unify password generation across FreeIPA

Also had to recalculate entropy of the passwords as originally,
probability of generating each character was 1/256, however the
default probability of each character in the ipa_generate_password
is 1/95 (1/94 for first and last character).

https://fedorahosted.org/freeipa/ticket/5695
---
 ipaserver/install/certs.py | 8 ++--
 ipaserver/install/dogtaginstance.py| 3 +--
 ipaserver/install/dsinstance.py| 5 +
 ipaserver/install/httpinstance.py  | 5 ++---
 ipaserver/install/server/replicainstall.py | 3 +--
 ipaserver/secrets/store.py | 2 +-
 6 files changed, 8 insertions(+), 18 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 45602ba..198c43d 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -25,7 +25,6 @@
 import xml.dom.minidom
 import pwd
 import base64
-from hashlib import sha1
 import fcntl
 import time
 import datetime
@@ -159,9 +158,6 @@ def set_perms(self, fname, write=False, uid=None):
 perms |= stat.S_IWUSR
 os.chmod(fname, perms)
 
-def gen_password(self):
-return sha1(ipautil.ipa_generate_password()).hexdigest()
-
 def run_certutil(self, args, stdin=None, **kwargs):
 return self.nssdb.run_certutil(args, stdin, **kwargs)
 
@@ -177,7 +173,7 @@ def create_noise_file(self):
 if ipautil.file_exists(self.noise_fname):
 os.remove(self.noise_fname)
 f = open(self.noise_fname, "w")
-f.write(self.gen_password())
+f.write(ipautil.ipa_generate_password(pwd_len=25))
 self.set_perms(self.noise_fname)
 
 def create_passwd_file(self, passwd=None):
@@ -186,7 +182,7 @@ def create_passwd_file(self, passwd=None):
 if passwd is not None:
 f.write("%s\n" % passwd)
 else:
-f.write(self.gen_password())
+f.write(ipautil.ipa_generate_password(pwd_len=25))
 f.close()
 self.set_perms(self.passwd_fname)
 
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index f4856c7..dc4b5b0 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -18,7 +18,6 @@
 #
 
 import base64
-import binascii
 import ldap
 import os
 import shutil
@@ -428,7 +427,7 @@ def __add_admin_to_group(self, group):
 
 def setup_admin(self):
 self.admin_user = "admin-%s" % self.fqdn
-self.admin_password = binascii.hexlify(os.urandom(16))
+self.admin_password = ipautil.ipa_generate_password(pwd_len=20)
 self.admin_dn = DN(('uid', self.admin_user),
('ou', 'people'), ('o', 'ipaca'))
 
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 1be5ac7..09708dc 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -506,7 +506,7 @@ def __setup_sub_dict(self):
 idrange_size = None
 self.sub_dict = dict(FQDN=self.fqdn, SERVERID=self.serverid,
  PASSWORD=self.dm_password,
- RANDOM_PASSWORD=self.generate_random(),
+ RANDOM_PASSWORD=ipautil.ipa_generate_password(),
  SUFFIX=self.suffix,
  REALM=self.realm, USER=DS_USER,
  SERVER_ROOT=server_root, DOMAIN=self.domain,
@@ -773,9 +773,6 @@ def __host_nis_groups(self):
 def __add_enrollment_module(self):
 self._ldap_mod("enrollment-conf.ldif", self.sub_dict)
 
-def generate_random(self):
-return ipautil.ipa_generate_password()
-
 def __enable_ssl(self):
 dirname = config_dirname(self.serverid)
 dsdb = certs.CertDB(self.realm, nssdir=dirname, subject_base=self.subject_base)
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 15c3107..9fdb5a8 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -19,7 +19,6 @@
 
 from __future__ import print_function
 
-import binascii
 import os
 import os.path
 import pwd
@@ -314,9 +313,9 @@ def create_cert_db(self):
 ipautil.backup_file(nss_path)
 
 # Create the password file for this db
-hex_str = binascii.hexlify(os.urandom(10))
+password = ipautil.ipa_generate_password(pwd_len=15)
 f = os.open(pwd_file, os.O_CREAT | os.O_RDWR)
-os.write(f, hex_str)
+
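Review bot: the write that replaces `os.write(f, hex_str)` is cut off in this copy of the hunk and cannot be reviewed here; what is visible is that `binascii.hexlify(os.urandom(10))` produced bytes while `ipautil.ipa_generate_password(pwd_len=15)` presumably returns text, so under Python 3 the new value must be encoded before `os.write`. Unrelated to the password change but in the same lines: `os.open(pwd_file, os.O_CREAT | os.O_RDWR)` passes no mode, so the NSS password file is created with the default `0o777` masked by umask; pass `0o600` in that call rather than depending on a later chmod.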

[Freeipa-devel] [freeipa PR#177][synchronized] Add options to write lightweight CA cert or chain to file

2016-12-08 Thread frasertweedale
   URL: https://github.com/freeipa/freeipa/pull/177
Author: frasertweedale
 Title: #177: Add options to write lightweight CA cert or chain to file
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/177/head:pr177
git checkout pr177
From 727acdf3948788dec389473a3bf0c940def84428 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Tue, 16 Aug 2016 13:16:58 +1000
Subject: [PATCH 1/3] Add function for extracting PEM certs from PKCS #7

Add a single function for extracting X.509 certs in PEM format from
a PKCS #7 object.  Refactor sites that execute ``openssl pkcs7`` to
use the new function.

Part of: https://fedorahosted.org/freeipa/ticket/6178
---
 ipalib/x509.py  | 23 +-
 ipapython/certdb.py |  9 ++-
 ipaserver/install/cainstance.py | 52 +++--
 3 files changed, 43 insertions(+), 41 deletions(-)

diff --git a/ipalib/x509.py b/ipalib/x509.py
index e1c3867..caf0ddc 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -48,7 +48,9 @@
 from ipalib import api
 from ipalib import util
 from ipalib import errors
+from ipaplatform.paths import paths
 from ipapython.dn import DN
+from ipapython import ipautil
 
 if six.PY3:
 unicode = str
@@ -56,7 +58,9 @@
 PEM = 0
 DER = 1
 
-PEM_REGEX = re.compile(r'(?<=-BEGIN CERTIFICATE-).*?(?=-END CERTIFICATE-)', re.DOTALL)
+PEM_REGEX = re.compile(
+r'-BEGIN CERTIFICATE-.*?-END CERTIFICATE-',
+re.DOTALL)
 
 EKU_SERVER_AUTH = '1.3.6.1.5.5.7.3.1'
 EKU_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2'
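Review bot: the new `PEM_REGEX` changes meaning for every existing user of the module constant, not just the new `pkcs7_to_pems`: the old lookaround pattern matched only the base64 body between the markers, the new one includes the markers, so any caller that fed the match straight to a base64 decoder now receives `-BEGIN CERTIFICATE-...` as input. The pattern also anchors on `-BEGIN CERTIFICATE-` rather than the full `-----BEGIN CERTIFICATE-----`, so `findall` returns blocks missing four dashes on each side, which are not complete PEM blocks as the `pkcs7_to_pems` docstring promises; match the five-dash markers explicitly (or keep the old regex under its old name and add a new one for whole blocks).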
@@ -145,6 +149,23 @@ def load_certificate_list_from_file(filename):
 return load_certificate_list(f.read())
 
 
+def pkcs7_to_pems(data, datatype=PEM):
+"""
+Extract certificates from a PKCS #7 object.
+
+Return a ``list`` of X.509 PEM strings.
+
+May throw ``ipautil.CalledProcessError`` on invalid data.
+
+"""
+cmd = [
+paths.OPENSSL, "pkcs7", "-print_certs",
+"-inform", "PEM" if datatype == PEM else "DER",
+]
+result = ipautil.run(cmd, stdin=data, capture_output=True)
+return PEM_REGEX.findall(result.output)
+
+
 def is_self_signed(certificate, datatype=PEM):
 cert = load_certificate(certificate, datatype)
 return cert.issuer == cert.subject
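Review bot: `"PEM" if datatype == PEM else "DER"` silently treats any unexpected `datatype` value as DER; raise `ValueError` for anything other than `PEM` or `DER` so a wrong constant fails loudly instead of surfacing as an opaque openssl error wrapped in `CalledProcessError`. The docstring should also mention that the function shells out to `openssl` through `paths.OPENSSL`, since this hunk is what adds the `ipaplatform.paths` and `ipautil` dependencies to `ipalib/x509.py`.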
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index af98a77..6599a69 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -239,13 +239,8 @@ def import_files(self, files, db_password_filename, import_keys=False,
 continue
 
 if label in ('PKCS7', 'PKCS #7 SIGNED DATA', 'CERTIFICATE'):
-args = [
-OPENSSL, 'pkcs7',
-'-print_certs',
-]
 try:
-result = ipautil.run(
-args, stdin=body, capture_output=True)
+certs = x509.pkcs7_to_pems(body)
 except ipautil.CalledProcessError as e:
 if label == 'CERTIFICATE':
 root_logger.warning(
@@ -257,7 +252,7 @@ def import_files(self, files, db_password_filename, import_keys=False,
 filename, line, e)
 continue
 else:
-extracted_certs += result.output + '\n'
+extracted_certs += '\n'.join(certs) + '\n'
 loaded = True
 continue
 
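Review bot: when `x509.pkcs7_to_pems(body)` returns an empty list (openssl exited 0 but no certificate block matched), this branch appends only `'\n'` to `extracted_certs` and still sets `loaded = True`, so a blob that yielded nothing is reported as loaded. Treat an empty `certs` list the same way as the `CalledProcessError` case (warn and `continue`).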
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index bf79821..29acd7e 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -749,44 +749,30 @@ def __import_ca_chain(self):
 # makes openssl throw up.
 data = base64.b64decode(chain)
 
-result = ipautil.run(
-[paths.OPENSSL,
- "pkcs7",
- "-inform",
- "DER",
- "-print_certs",
- ], stdin=data, capture_output=True)
-certlist = result.output
+certlist = x509.pkcs7_to_pems(data, x509.DER)
 
 # Ok, now we have all the certificates in certs, walk through it
 # and pull out each certificate and add it to our database
 
-st = 1
-en = 0
-subid = 0
 ca_dn = DN(('CN','Certificate Authority'), self.subject_base)
-while st > 0:
-st = certlist.find('-BEGIN', en)
-en = certlist.find('-END', en+1)
-if st > 0:
-try:
-(chain_fd, chain_name) = tempfile.mkstemp()
-os.write(chain_fd, certlist[st:en+25])
-os.close(chain_fd)
-(_rdn, subject_dn) = 

[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file

2016-12-08 Thread frasertweedale
  URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

frasertweedale commented:
"""
@jcholast updated PR to include `certificate` and `certificate_chain` in 
`ca_find` output when `--all` is specified.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/177#issuecomment-265684968