[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

mbasti-rh commented:
"""
@tiran IMO you need to check `length > uppercase + lowercase + num + special`, otherwise infinite loop, but generally LGTM
"""

See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-265954172

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [freeipa PR#314][edited] RFC: privilege separation for ipa framework code
On 08.12.2016 22:47, Simo Sorce wrote:
> On Thu, 2016-12-08 at 21:46 +0100, simo5 wrote:
> > URL: https://github.com/freeipa/freeipa/pull/314
> > Author: simo5
> > Title: #314: RFC: privilege separation for ipa framework code
> > Action: edited
> >
> > Changed field: body
> > Original value:
> > """
> > As part of the External Authentication work this PR implements the privilege
> > separation portion of the design available here:
> > https://www.freeipa.org/page/V4/External_Authentication and implements
> > tickets: https://fedorahosted.org/freeipa/ticket/5959 and
> > https://fedorahosted.org/freeipa/ticket/4189
> >
> > The update process from an old server has not been implemented yet, so this
> > is just an RFC request at this stage. Please look at the code and let me know
> > if you notice any major issue with it so we can correct mistakes early.
> >
> > This PR depends on improvements and fixes to two dependencies:
> > mod_auth_gssapi and gssproxy, which are not released/accepted upstream yet
> > (all PRs filed, and will be available soon).
> > In order to allow trying the code, I made two copr repos with the necessary
> > changes available here:
> > - https://copr.fedorainfracloud.org/coprs/simo/mod_auth_gssapi/
> > - https://copr.fedorainfracloud.org/coprs/simo/gssproxy/
> >
> > I tested a new install and both gssapi as well as password authentication
> > work (via command line and web browser). I have not tested OTP authentication
> > yet.
> >
> > There are 2 fundamental changes in this code:
> > - the session handling code has been dropped in favor of deferring session
> > handling to mod_auth_gssapi, simplifying the code greatly. As part of this
> > change we stop using memcached.
> > - the framework configuration is changed to work as a different user from the
> > Apache framework and depends on gssproxy in order to be able to access
> > necessary credentials. (Apache itself is also using gssproxy and does not
> > have direct access to the HTTP keytab.)
> >
> > This required two changes in the form-based authentication workflow:
> > * The armor cache is obtained via anonymous pkinit as we do not have access
> > anymore to the HTTP keytab. This means this PR depends on #62 (until it is
> > accepted, commits from that PR are in this PR)
> > * The actual authentication is done via a loopback HTTP request to apache
> > after we obtain a TGT; this is done in order to obtain a session cookie from
> > mod_auth_gssapi as well as to be able to immediately discard the TGT and just
> > keep the HTTP ticket instead.
> >
> > @jcholast @pvoborni Please provide comments on the framework changes.
> > @rcritten @abbra do you have ideas on how to deal with dropping a service
> > (memcached) on upgrade?
> > """
>
> There seems to be a bug in the mailing list posting script when someone
> edits a PR description, I see the original text here but not the new text!
>
> Simo.

It is expected,

Changed field: body
Original value:

I just haven't had time to implement sending the new values (because of the
format of github messages it is not so simple). I may try to finish the
github notification RFEs today.

Martin
[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62 Author: simo5 Title: #62: Configure Anonymous PKINIT on server install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 From ab5bf9168c5d76f69527429092a31f676d4b3e23 Mon Sep 17 00:00:00 2001 From: Simo SorceDate: Tue, 26 Jul 2016 11:19:01 -0400 Subject: [PATCH] Configure Anonymous PKINIT on server install Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. https://fedorahosted.org/freeipa/ticket/5678 Signed-off-by: Simo Sorce --- install/share/kdc.conf.template | 2 +- install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++ install/share/profiles/Makefile.am | 1 + ipaclient/install/client.py | 2 +- ipalib/install/certmonger.py | 43 +++ ipaplatform/base/paths.py| 3 +- ipapython/dogtag.py | 4 + ipaserver/install/cainstance.py | 2 +- ipaserver/install/certs.py | 10 ++- ipaserver/install/dsinstance.py | 2 +- ipaserver/install/httpinstance.py| 2 +- ipaserver/install/krbinstance.py | 63 ipaserver/install/server/__init__.py | 4 +- ipaserver/install/server/install.py | 21 +++--- ipaserver/install/server/replicainstall.py | 4 +- ipaserver/install/server/upgrade.py | 36 + ipaserver/plugins/cert.py| 86 - ipaserver/plugins/dogtag.py | 2 + 18 files changed, 327 insertions(+), 69 deletions(-) create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template index 296b75b..ec53a1f 100644 --- a/install/share/kdc.conf.template +++ b/install/share/kdc.conf.template @@ -12,6 +12,6 @@ dict_file = $DICT_WORDS default_principal_flags = +preauth ; admin_keytab = $KRB5KDC_KADM5_KEYTAB - pkinit_identity = FILE:$KDC_PEM + pkinit_identity = FILE:$KDC_CERT,$KDC_KEY pkinit_anchors = FILE:$CACERT_PEM } 
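Review bot: `+ pkinit_identity = FILE:$KDC_CERT,$KDC_KEY` in the kdc.conf.template hunk splits the KDC's PKINIT identity into a separate certificate file and a separate private-key file; the installer code that writes $KDC_KEY should create it with owner-only permissions for the KDC, and every remaining consumer of the combined $KDC_PEM path (the diffstat shows ipaplatform/base/paths.py and ipaserver/install/krbinstance.py among the touched files) must change in the same commit, otherwise an upgraded server ends up with the template referring to files the old install never wrote.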
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg new file mode 100644 index 000..c5e412b --- /dev/null +++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg 
@@ -0,0 +1,109 @@ +profileId=KDCs_PKINIT_Certs +classId=caEnrollImpl +desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication. +visible=false +enable=true +enableBy=admin +auth.instance_id=raCertAuth +name=IPA-RA Agent-Authenticated Server Certificate Enrollment +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=serverCertSet +policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 +policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.serverCertSet.1.constraint.name=Subject Name Constraint +policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+ +policyset.serverCertSet.1.constraint.params.accept=true +policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl +policyset.serverCertSet.1.default.name=Subject Name Default +policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O +policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl +policyset.serverCertSet.2.constraint.name=Validity Constraint +policyset.serverCertSet.2.constraint.params.range=740 +policyset.serverCertSet.2.constraint.params.notBeforeCheck=false +policyset.serverCertSet.2.constraint.params.notAfterCheck=false +policyset.serverCertSet.2.default.class_id=validityDefaultImpl +policyset.serverCertSet.2.default.name=Validity Default +policyset.serverCertSet.2.default.params.range=731 +policyset.serverCertSet.2.default.params.startTime=0 +policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl +policyset.serverCertSet.3.constraint.name=Key Constraint +policyset.serverCertSet.3.constraint.params.keyType=RSA +policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096 +policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl +policyset.serverCertSet.3.default.name=Key Default 
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl +policyset.serverCertSet.4.constraint.name=No Constraint +policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.serverCertSet.4.default.name=Authority Key Identifier Default +policyset.serverCertSet.5.constraint.class_id=noConstraintImpl +policyset.serverCertSet.5.constraint.name=No Constraint
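Review bot: the new profile's description and display name are copied from the generic agent-authenticated server profile (`+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.` and `+name=IPA-RA Agent-Authenticated Server Certificate Enrollment`) and say nothing about KDC PKINIT, so `+profileId=KDCs_PKINIT_Certs` is the only hint of the profile's purpose; suggest naming both after the PKINIT KDC use so an admin listing CA profiles can tell it apart from the standard server certificate profile. `+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11` declares eleven policies but only 1 to 5 appear in this excerpt, so the policies that distinguish a PKINIT KDC certificate from a plain server certificate cannot be reviewed from the hunk as posted.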
Re: [Freeipa-devel] [freeipa PR#314][edited] RFC: privilege separation for ipa framework code
On Thu, 2016-12-08 at 21:46 +0100, simo5 wrote:
> URL: https://github.com/freeipa/freeipa/pull/314
> Author: simo5
> Title: #314: RFC: privilege separation for ipa framework code
> Action: edited
>
> Changed field: body
> Original value:
> """
> As part of the External Authentication work this PR implements the privilege
> separation portion of the design available here:
> https://www.freeipa.org/page/V4/External_Authentication and implements
> tickets: https://fedorahosted.org/freeipa/ticket/5959 and
> https://fedorahosted.org/freeipa/ticket/4189
>
> The update process from an old server has not been implemented yet, so this
> is just an RFC request at this stage. Please look at the code and let me know
> if you notice any major issue with it so we can correct mistakes early.
>
> This PR depends on improvements and fixes to two dependencies:
> mod_auth_gssapi and gssproxy, which are not released/accepted upstream yet
> (all PRs filed, and will be available soon).
> In order to allow trying the code, I made two copr repos with the necessary
> changes available here:
> - https://copr.fedorainfracloud.org/coprs/simo/mod_auth_gssapi/
> - https://copr.fedorainfracloud.org/coprs/simo/gssproxy/
>
> I tested a new install and both gssapi as well as password authentication
> work (via command line and web browser). I have not tested OTP authentication
> yet.
>
> There are 2 fundamental changes in this code:
> - the session handling code has been dropped in favor of deferring session
> handling to mod_auth_gssapi, simplifying the code greatly. As part of this
> change we stop using memcached.
> - the framework configuration is changed to work as a different user from the
> Apache framework and depends on gssproxy in order to be able to access
> necessary credentials. (Apache itself is also using gssproxy and does not
> have direct access to the HTTP keytab.)
>
> This required two changes in the form-based authentication workflow:
> * The armor cache is obtained via anonymous pkinit as we do not have access
> anymore to the HTTP keytab. This means this PR depends on #62 (until it is
> accepted, commits from that PR are in this PR)
> * The actual authentication is done via a loopback HTTP request to apache
> after we obtain a TGT; this is done in order to obtain a session cookie from
> mod_auth_gssapi as well as to be able to immediately discard the TGT and just
> keep the HTTP ticket instead.
>
> @jcholast @pvoborni Please provide comments on the framework changes.
> @rcritten @abbra do you have ideas on how to deal with dropping a service
> (memcached) on upgrade?
> """

There seems to be a bug in the mailing list posting script when someone
edits a PR description, I see the original text here but not the new text!

Simo.

--
Simo Sorce * Red Hat, Inc * New York
[Freeipa-devel] [freeipa PR#314][edited] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Author: simo5
Title: #314: RFC: privilege separation for ipa framework code
Action: edited

Changed field: body
Original value:
"""
As part of the External Authentication work this PR implements the privilege
separation portion of the design available here:
https://www.freeipa.org/page/V4/External_Authentication and implements
tickets: https://fedorahosted.org/freeipa/ticket/5959 and
https://fedorahosted.org/freeipa/ticket/4189

The update process from an old server has not been implemented yet, so this
is just an RFC request at this stage. Please look at the code and let me know
if you notice any major issue with it so we can correct mistakes early.

This PR depends on improvements and fixes to two dependencies:
mod_auth_gssapi and gssproxy, which are not released/accepted upstream yet
(all PRs filed, and will be available soon).
In order to allow trying the code, I made two copr repos with the necessary
changes available here:
- https://copr.fedorainfracloud.org/coprs/simo/mod_auth_gssapi/
- https://copr.fedorainfracloud.org/coprs/simo/gssproxy/

I tested a new install and both gssapi as well as password authentication
work (via command line and web browser). I have not tested OTP authentication
yet.

There are 2 fundamental changes in this code:
- the session handling code has been dropped in favor of deferring session
handling to mod_auth_gssapi, simplifying the code greatly. As part of this
change we stop using memcached.
- the framework configuration is changed to work as a different user from the
Apache framework and depends on gssproxy in order to be able to access
necessary credentials. (Apache itself is also using gssproxy and does not
have direct access to the HTTP keytab.)

This required two changes in the form-based authentication workflow:
* The armor cache is obtained via anonymous pkinit as we do not have access
anymore to the HTTP keytab. This means this PR depends on #62 (until it is
accepted, commits from that PR are in this PR)
* The actual authentication is done via a loopback HTTP request to apache
after we obtain a TGT; this is done in order to obtain a session cookie from
mod_auth_gssapi as well as to be able to immediately discard the TGT and just
keep the HTTP ticket instead.

@jcholast @pvoborni Please provide comments on the framework changes.
@rcritten @abbra do you have ideas on how to deal with dropping a service
(memcached) on upgrade?
"""
[Freeipa-devel] [freeipa PR#320][comment] add missing attribute to ipaca replica during CA topology update
URL: https://github.com/freeipa/freeipa/pull/320
Title: #320: add missing attribute to ipaca replica during CA topology update

mbasti-rh commented:
"""
IMO #322 might be related to this, @martbab can you please check it?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/320#issuecomment-265823807
[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62 Author: simo5 Title: #62: Configure Anonymous PKINIT on server install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 From 13caff83b412cbc68073908f7a35214b9789f5e7 Mon Sep 17 00:00:00 2001 From: Simo SorceDate: Tue, 26 Jul 2016 11:19:01 -0400 Subject: [PATCH] Configure Anonymous PKINIT on server install Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. https://fedorahosted.org/freeipa/ticket/5678 Signed-off-by: Simo Sorce --- install/share/kdc.conf.template | 2 +- install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++ install/share/profiles/Makefile.am | 1 + ipaclient/install/client.py | 2 +- ipalib/install/certmonger.py | 43 +++ ipaplatform/base/paths.py| 3 +- ipapython/dogtag.py | 4 + ipaserver/install/cainstance.py | 2 +- ipaserver/install/certs.py | 10 ++- ipaserver/install/dsinstance.py | 2 +- ipaserver/install/httpinstance.py| 2 +- ipaserver/install/krbinstance.py | 53 + ipaserver/install/server/__init__.py | 4 +- ipaserver/install/server/install.py | 21 +++--- ipaserver/install/server/replicainstall.py | 4 +- ipaserver/install/server/upgrade.py | 20 + ipaserver/plugins/cert.py| 81 +++- ipaserver/plugins/dogtag.py | 2 + 18 files changed, 296 insertions(+), 69 deletions(-) create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template index 296b75b..ec53a1f 100644 --- a/install/share/kdc.conf.template +++ b/install/share/kdc.conf.template @@ -12,6 +12,6 @@ dict_file = $DICT_WORDS default_principal_flags = +preauth ; admin_keytab = $KRB5KDC_KADM5_KEYTAB - pkinit_identity = FILE:$KDC_PEM + pkinit_identity = FILE:$KDC_CERT,$KDC_KEY pkinit_anchors = FILE:$CACERT_PEM } 
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg new file mode 100644 index 000..c5e412b --- /dev/null +++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg 
@@ -0,0 +1,109 @@ +profileId=KDCs_PKINIT_Certs +classId=caEnrollImpl +desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication. +visible=false +enable=true +enableBy=admin +auth.instance_id=raCertAuth +name=IPA-RA Agent-Authenticated Server Certificate Enrollment +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=serverCertSet +policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 +policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.serverCertSet.1.constraint.name=Subject Name Constraint +policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+ +policyset.serverCertSet.1.constraint.params.accept=true +policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl +policyset.serverCertSet.1.default.name=Subject Name Default +policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O +policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl +policyset.serverCertSet.2.constraint.name=Validity Constraint +policyset.serverCertSet.2.constraint.params.range=740 +policyset.serverCertSet.2.constraint.params.notBeforeCheck=false +policyset.serverCertSet.2.constraint.params.notAfterCheck=false +policyset.serverCertSet.2.default.class_id=validityDefaultImpl +policyset.serverCertSet.2.default.name=Validity Default +policyset.serverCertSet.2.default.params.range=731 +policyset.serverCertSet.2.default.params.startTime=0 +policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl +policyset.serverCertSet.3.constraint.name=Key Constraint +policyset.serverCertSet.3.constraint.params.keyType=RSA +policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096 +policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl +policyset.serverCertSet.3.default.name=Key Default 
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl +policyset.serverCertSet.4.constraint.name=No Constraint +policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.serverCertSet.4.default.name=Authority Key Identifier Default +policyset.serverCertSet.5.constraint.class_id=noConstraintImpl +policyset.serverCertSet.5.constraint.name=No Constraint +policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
[Freeipa-devel] [freeipa PR#322][opened] masters DS<1.3.3 do not support bind group
URL: https://github.com/freeipa/freeipa/pull/322 Author: tbordaz Title: #322: masters DS<1.3.3 do not support bind group Action: opened PR body: """ Check the instance version before setting nsds5replicabbinddngroup and nsds5replicabinddngroupcheckinterval https://fedorahosted.org/freeipa/ticket/6532 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/322/head:pr322 git checkout pr322 From f7f759a86cf33a1fe5a04f5bc209a934cacc7cea Mon Sep 17 00:00:00 2001 From: Thierry BordazDate: Thu, 8 Dec 2016 18:21:03 +0100 Subject: [PATCH] masters DS<1.3.3 do not support bind group Check the instance version before setting nsds5replicabbinddngroup and nsds5replicabinddngroupcheckinterval https://fedorahosted.org/freeipa/ticket/6532 --- ipaserver/install/replication.py | 44 1 file changed, 36 insertions(+), 8 deletions(-) diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index ddae08e..2221b5e 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py @@ -24,6 +24,7 @@ import datetime import sys import os +import re from random import randint import ldap 
@@ -441,6 +442,32 @@ def replica_config(self, conn, replica_id, replica_binddn): dn = self.replica_dn() assert isinstance(dn, DN) +support_binddngroup = False +try: +# check that the replica version is > 1.3.3 to support bind group +entry = conn.get_entry(DN(""), attrs_list=['vendorVersion']) +vendor_version = entry.get('vendorVersion')[0] +if vendor_version: +replica_version = re.search('389-Directory/(.+?) .*', vendor_version) +root_logger.info("Replica version: %s" % replica_version.group(1)) +version_num = [int(s) for s in replica_version.group(1).split('.') if s.isdigit()] +if version_num[0] > 1: +support_binddngroup = True +elif version_num[0] == 1: +# version 1.x +if version_num[1] > 3: +support_binddngroup = True +elif version_num[1] == 3: +# version 1.3.x +if version_num[2] >= 3: +support_binddngroup = True +except Exception as e: +root_logger.info("Unable to check replica version: %s" % str(e)) +raise +root_logger.info("Bind DN group support: %s" % support_binddngroup) + + + try: entry = conn.get_entry(dn) managers = {DN(m) for m in entry.get('nsDS5ReplicaBindDN', [])} 
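Review bot: the version parse in the `replica_config` hunk is fragile. `+replica_version = re.search('389-Directory/(.+?) .*', vendor_version)` returns None when vendorVersion does not match, so `replica_version.group(1)` raises AttributeError, and `version_num[2]` raises IndexError for a two-component version string; both land in the bare `except Exception`, which logs and re-raises, so an unparsable version aborts replica configuration instead of producing a clear error. Suggest an explicit pattern such as `r'389-Directory/(\d+)\.(\d+)\.(\d+)'`, a dedicated error when it does not match, and replacing the nested if/elif ladder with `support_binddngroup = tuple(version_num[:3]) >= (1, 3, 3)`. The comment `+# check that the replica version is > 1.3.3 to support bind group` also disagrees with the code and the title (`DS<1.3.3 do not support bind group`): the condition implemented is >= 1.3.3. The three blank `+` lines before `try:` should go.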
@@ -453,15 +480,16 @@ def replica_config(self, conn, replica_id, replica_binddn): mod.append((ldap.MOD_ADD, 'nsDS5ReplicaBindDN', replica_binddn)) -if self.repl_man_group_dn not in binddn_groups: -mod.append((ldap.MOD_ADD, 'nsds5replicabinddngroup', -self.repl_man_group_dn)) +if support_binddngroup: +if self.repl_man_group_dn not in binddn_groups: +mod.append((ldap.MOD_ADD, 'nsds5replicabinddngroup', +self.repl_man_group_dn)) -if 'nsds5replicabinddngroupcheckinterval' not in entry: -mod.append( -(ldap.MOD_ADD, - 'nsds5replicabinddngroupcheckinterval', - '60')) +if 'nsds5replicabinddngroupcheckinterval' not in entry: +mod.append( +(ldap.MOD_ADD, + 'nsds5replicabinddngroupcheckinterval', + '60')) if mod: conn.modify_s(dn, mod)
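Review bot: under `+if support_binddngroup:` the `nsds5replicabinddngroup` and `nsds5replicabinddngroupcheckinterval` attributes are skipped silently on older masters; the only record is the info-level `Bind DN group support` message in the previous hunk. Suggest logging a warning at this point stating that the agreement relies on individual `nsDS5ReplicaBindDN` values because the peer's 389-ds is older than 1.3.3, so an admin reading the install log knows why the group is missing on that replica and can add it after the peer is upgraded.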
[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

tiran commented:
"""
```
#!/usr/bin/python3
import math
import random
import string


class TokenGenerator(object):
    """Simple, tunable token generator

    TokenGenerator(uppercase=3, lowercase=3, digits=0, special=None)

    At least 3 upper and 3 lower case ASCII chars, may contain digits,
    no special chars.

    128 bits entropy: secure
    256 bits of entropy: secure enough if you care about quantum computers
    """
    uppercase = frozenset(string.ascii_uppercase)
    lowercase = frozenset(string.ascii_lowercase)
    digits = frozenset(string.digits)
    # without: = # ' " \ `
    special = frozenset('!$%&()*+,-./:;<>?@[]^_{|}~')

    def __init__(self, uppercase=1, lowercase=1, digits=1, special=1):
        self.rng = random.SystemRandom()
        self.requirements = dict(
            uppercase=uppercase,
            lowercase=lowercase,
            digits=digits,
            special=special
        )
        chars = set()
        for symclass, req in self.requirements.items():
            if req is not None:
                chars.update(getattr(self, symclass))
        self.chars = tuple(chars)
        # Shortest token that can satisfy every per-class minimum; without
        # this floor __call__ would loop forever for small entropy_bits.
        self.min_length = sum(req for req in self.requirements.values() if req)

    def __call__(self, entropy_bits=128):
        length = int(math.ceil(entropy_bits / math.log(len(self.chars), 2)))
        length = max(length, self.min_length)
        while True:
            token = ''.join(self.rng.choice(self.chars) for _ in range(length))
            token_ok = True
            for symclass, req in self.requirements.items():
                if req is None or req <= 0:
                    continue
                reqchars = getattr(self, symclass)
                # count occurrences, not distinct chars, so "AAA" counts as 3
                if sum(c in reqchars for c in token) < req:
                    token_ok = False
                    break
            if token_ok:
                return token


if __name__ == '__main__':
    pwgen = TokenGenerator(special=None)
    for i in range(100):
        print(pwgen())
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-265803218
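Added example, not from the PR or from tiran's snippet: the entropy arithmetic behind the generator above and behind mbasti-rh's `length > uppercase + lowercase + num + special` remark. It derives the token length for a target number of bits the same way the generator does, then counts exactly how many tokens of that length satisfy the per-class minimums, so you can see what the rejection loop costs in entropy and when its accepted set is empty (the infinite-loop case). Class sizes are those of the posted TokenGenerator; the function names and the sample inputs are constructed here.

```python
import math
from math import comb  # Python 3.8+

# Constructed for this example: the four symbol classes of the posted
# TokenGenerator, as (alphabet size, minimum count), with the default
# requirement of at least one character from each class.
DEFAULT_CLASSES = {
    "uppercase": (26, 1),
    "lowercase": (26, 1),
    "digits": (10, 1),
    "special": (26, 1),  # len('!$%&()*+,-./:;<>?@[]^_{|}~')
}


def length_for_entropy(entropy_bits, alphabet_size):
    """Shortest length whose unconstrained token space holds >= entropy_bits.

    This is the generator's own formula: ceil(bits / log2(|alphabet|)).
    """
    return int(math.ceil(entropy_bits / math.log2(alphabet_size)))


def count_tokens(classes, length):
    """Exact number of tokens of `length` meeting every class minimum.

    classes maps a name to (alphabet_size, minimum).  Dynamic programme over
    the classes: dp[t] is the number of partial tokens of length t built from
    the classes handled so far.  Placing c symbols of a class with n letters
    into a partial token of length t gives length t + c, and the positions of
    the new symbols can be chosen in comb(t + c, c) ways.
    """
    dp = [0] * (length + 1)
    dp[0] = 1
    for n, minimum in classes.values():
        nxt = [0] * (length + 1)
        for t, ways in enumerate(dp):
            if ways == 0:
                continue
            for c in range(minimum, length - t + 1):
                nxt[t + c] += ways * comb(t + c, c) * n ** c
        dp = nxt
    return dp[length]


def constrained_entropy_bits(classes, length):
    """log2 of the accepted token space, or 0.0 when no token can qualify.

    An empty accepted set is exactly the condition under which rejection
    sampling (the generator's `while True` loop) never returns, which is
    what the `length > uppercase + lowercase + ...` check rules out.
    """
    n_tokens = count_tokens(classes, length)
    return math.log2(n_tokens) if n_tokens else 0.0


def report(classes=DEFAULT_CLASSES, entropy_bits=128):
    """Naive length estimate versus the entropy left after the class rules."""
    alphabet = sum(n for n, _ in classes.values())
    length = length_for_entropy(entropy_bits, alphabet)
    return {
        "length": length,
        "feasible": length >= sum(m for _, m in classes.values()),
        "unconstrained_bits": length * math.log2(alphabet),
        "constrained_bits": constrained_entropy_bits(classes, length),
    }


if __name__ == "__main__":
    for bits in (128, 160, 256):
        print(bits, report(entropy_bits=bits))
    # Constructed edge case: a 12-bit target gives length 2, which cannot
    # hold one symbol from each of four classes -> feasible False, 0.0 bits.
    print(report(entropy_bits=12))
```

With the default classes a 128-bit target yields 20 characters, and requiring one of each class costs well under a bit, so the token still clears 128 bits; the loss only becomes material when the minimums approach the length.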
[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62 Author: simo5 Title: #62: Configure Anonymous PKINIT on server install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 From 641691caf4ed92cec0bd076f3245c9456b8e9445 Mon Sep 17 00:00:00 2001 From: Simo SorceDate: Tue, 26 Jul 2016 11:19:01 -0400 Subject: [PATCH] Configure Anonymous PKINIT on server install Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. https://fedorahosted.org/freeipa/ticket/5678 Signed-off-by: Simo Sorce --- install/share/kdc.conf.template | 2 +- install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++ install/share/profiles/Makefile.am | 1 + ipaclient/install/client.py | 2 +- ipalib/install/certmonger.py | 43 +++ ipaplatform/base/paths.py| 3 +- ipapython/dogtag.py | 4 + ipaserver/install/cainstance.py | 2 +- ipaserver/install/certs.py | 10 ++- ipaserver/install/dsinstance.py | 2 +- ipaserver/install/httpinstance.py| 2 +- ipaserver/install/krbinstance.py | 52 + ipaserver/install/server/__init__.py | 4 +- ipaserver/install/server/install.py | 21 +++--- ipaserver/install/server/replicainstall.py | 4 +- ipaserver/install/server/upgrade.py | 20 + ipaserver/plugins/cert.py| 80 +++- ipaserver/plugins/dogtag.py | 2 + 18 files changed, 294 insertions(+), 69 deletions(-) create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template index 296b75b..ec53a1f 100644 --- a/install/share/kdc.conf.template +++ b/install/share/kdc.conf.template @@ -12,6 +12,6 @@ dict_file = $DICT_WORDS default_principal_flags = +preauth ; admin_keytab = $KRB5KDC_KADM5_KEYTAB - pkinit_identity = FILE:$KDC_PEM + pkinit_identity = FILE:$KDC_CERT,$KDC_KEY pkinit_anchors = FILE:$CACERT_PEM } 
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg new file mode 100644 index 000..c5e412b --- /dev/null +++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg 
@@ -0,0 +1,109 @@ +profileId=KDCs_PKINIT_Certs +classId=caEnrollImpl +desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication. +visible=false +enable=true +enableBy=admin +auth.instance_id=raCertAuth +name=IPA-RA Agent-Authenticated Server Certificate Enrollment +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=serverCertSet +policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 +policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.serverCertSet.1.constraint.name=Subject Name Constraint +policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+ +policyset.serverCertSet.1.constraint.params.accept=true +policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl +policyset.serverCertSet.1.default.name=Subject Name Default +policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O +policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl +policyset.serverCertSet.2.constraint.name=Validity Constraint +policyset.serverCertSet.2.constraint.params.range=740 +policyset.serverCertSet.2.constraint.params.notBeforeCheck=false +policyset.serverCertSet.2.constraint.params.notAfterCheck=false +policyset.serverCertSet.2.default.class_id=validityDefaultImpl +policyset.serverCertSet.2.default.name=Validity Default +policyset.serverCertSet.2.default.params.range=731 +policyset.serverCertSet.2.default.params.startTime=0 +policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl +policyset.serverCertSet.3.constraint.name=Key Constraint +policyset.serverCertSet.3.constraint.params.keyType=RSA +policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096 +policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl +policyset.serverCertSet.3.default.name=Key Default 
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl +policyset.serverCertSet.4.constraint.name=No Constraint +policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.serverCertSet.4.default.name=Authority Key Identifier Default +policyset.serverCertSet.5.constraint.class_id=noConstraintImpl +policyset.serverCertSet.5.constraint.name=No Constraint +policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

simo5 commented:
"""
@abbra I have an idea of what it might be
"""

See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-265795485
[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

simo5 commented:
"""
@martbab sometimes you are blind to your own code ...
"""

See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-265795306
[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

tiran commented:
"""
@mbasti-rh I probably misunderstood your intention. I read your comment as "Replace it with something sane, the sane thing is sha1".

By the way I'm currently tangled up in a twitter discussion about Python's new secrets module and entropy. The module doc has a nice recipe to generate passwords with special properties https://docs.python.org/3.6/library/secrets.html#recipes-and-best-practices . I asked a friend of mine and real (tm) cryptographer about entropy for black box tokens. He told me

> 128 if you don't care about quantum computing; 256 if you do
"""

See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-265789981
[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317 Title: #317: Unify password generation across FreeIPA mbasti-rh commented: """
@tiran @simo5 If you read my comments properly I was happy with removing sha1() and I pointed out that ipa_generate_password() must generate 160 bits of entropy, as was probably originally aimed at by using sha1()
@simo5 I'm fine with removing space then
@simo5 Standa found out that when FIPS is enabled NSS is not willing to accept some passwords, it requires some special chars AFAIK, @stlaz knows the details
@tiran I'm afraid we need to keep special characters there as I mentioned above ^
@tiran thank you for the nice code snippet
@tiran AFAIK you misunderstood my comment, I wanted to "replace sha1 with something sane" or I don't understand what is wrong with my comment.
""" See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-265786411
[Freeipa-devel] [freeipa PR#270][closed] Test: uniqueness of certificate renewal master
URL: https://github.com/freeipa/freeipa/pull/270 Author: ofayans Title: #270: Test: uniqueness of certificate renewal master Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/270/head:pr270 git checkout pr270
[Freeipa-devel] [freeipa PR#270][+pushed] Test: uniqueness of certificate renewal master
URL: https://github.com/freeipa/freeipa/pull/270 Title: #270: Test: uniqueness of certificate renewal master Label: +pushed
[Freeipa-devel] [freeipa PR#270][comment] Test: uniqueness of certificate renewal master
URL: https://github.com/freeipa/freeipa/pull/270 Title: #270: Test: uniqueness of certificate renewal master martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/fad87a9962ee33cfebc4fa59aba589e98b076cea """ See the full comment at https://github.com/freeipa/freeipa/pull/270#issuecomment-265783934
[Freeipa-devel] [freeipa PR#270][+ack] Test: uniqueness of certificate renewal master
URL: https://github.com/freeipa/freeipa/pull/270 Title: #270: Test: uniqueness of certificate renewal master Label: +ack
[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62 Title: #62: Configure Anonymous PKINIT on server install martbab commented: """ @simo5 I highlighted the code giving pylint issues, basically you forgot to update the ca_kdc_check signature. """ See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-265783165
[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62 Title: #62: Configure Anonymous PKINIT on server install abbra commented: """ @simo5 I tried to run the branch as an upgrade against the Fedora 25 version (4.4.2-1.fc25) and it failed at first because I was running with SELinux enforcing:

```
Unexpected error - see /var/log/ipaupgrade.log for details:
DBusException: org.fedorahosted.certmonger.bad_arg: The parent of location "/var/kerberos/krb5kdc/kdc.crt" could not be accessed due to insufficient permissions.
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
```

Re-running `ipa-server-upgrade` with 'setenforce 0', I get a different error:

```
2016-12-08T15:52:28Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2016-12-08T15:52:28Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1820, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1755, in upgrade_configuration
    enable_anonymous_principal(krb)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1498, in enable_anonymous_principal
    dn = DN(('krbprincipalname', princ_realm), krb.get_realm_suffix())
  File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 74, in get_realm_suffix
    return DN(('cn', self.realm), ('cn', 'kerberos'), self.suffix)
  File "/usr/lib/python2.7/site-packages/ipapython/dn.py", line 1107, in __init__
    self.rdns = self._rdns_from_sequence(args)
  File "/usr/lib/python2.7/site-packages/ipapython/dn.py", line 1148, in _rdns_from_sequence
    rdn = self._rdns_from_value(item)
  File "/usr/lib/python2.7/site-packages/ipapython/dn.py", line 1141, in _rdns_from_value
    % type(value))
2016-12-08T15:52:28Z DEBUG The ipa-server-upgrade command failed, exception: TypeError: must be str, unicode, tuple, Name, RDN or DN, got instead
2016-12-08T15:52:28Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: TypeError: must be str, unicode, tuple, Name, RDN or DN, got instead
```
""" See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-265775539
[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317 Title: #317: Unify password generation across FreeIPA tiran commented: """ @stlaz Your patch looks good. My comment regarding SHA1 was aimed at comment https://github.com/freeipa/freeipa/pull/317#issuecomment-265440651 . The suggestion of SHA1 is a *Verschlimmbesserung* (improvement for the worse) of the current code. I studied the implementation of ```ipa_generate_password```. The special cases for white space make it more complicated. If you combine @simo5 's suggestion and my function, you can write the function in like 6 to 7 lines of simple code. It might be a good idea to use only alphanumeric chars, too. ```#!='"%${}.?*``` have special meaning in bash, C, ini files etc. """ See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-265766597
[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317 Title: #317: Unify password generation across FreeIPA simo5 commented: """ We may need a max length argument if we are dealing with some stuff that has issues with more than max length characters ... In that case we can warn (or raise, we'll have to decide) that not enough entropy will be available if max length is not sufficient to hold the desired entropy. """ See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-265762543
[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317 Title: #317: Unify password generation across FreeIPA stlaz commented: """ @simo5 I was actually trying to get rid of SHA-1 and I am aware that entropy will not be raised, that part of the code drew a smile on some of our faces here, really :) As for the spaces, I did not encounter issues with them in password.conf files which is awesome but I agree they're potentially dangerous. However, removing them from the default set of password chars would not make our life easier as the check would have to stay there in case someone passes them as a possible character as an argument to ipa_generate_password (although they should probably know what they're doing, right?). We may be able to get rid of the `characters` argument should the cases where it's used be found invalid though (currently in `host`, `user` passwords and in `dnskeysync`). @tiran Regarding sha1 - did you see the patch? ;) However I agree that the length is not a good argument for a password-generating function, I will have a look at transforming it to entropy. """ See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-265761543
[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317 Title: #317: Unify password generation across FreeIPA tiran commented: """ Please don't use a hack like sha1() to turn a random byte sequence into a hex value. At best sha1 keeps the entropy of the input. I also don't like the fact that the function only cares about the length of the output. The actual length is irrelevant. We care about the entropy of the output. Let's drop pwd_len and apply proper math instead:

```
import math
import random
import string

alnum = string.ascii_letters + string.digits
sysrandom = random.SystemRandom()  # uses os.urandom() as RNG


def mkpasswd(entropy_bits=128, symbols=alnum):
    length = int(math.ceil(entropy_bits / math.log(len(symbols), 2)))
    return ''.join(sysrandom.choice(symbols) for _ in range(length))
```
""" See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-265760379
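The entropy-driven approach from the snippet above, extended with the max-length guard simo5 asks for and the required-character-class rule mbasti-rh mentions for FIPS-mode NSS, as an added example that is not part of the PR or of FreeIPA's ipa_generate_password(); the SAFE_SPECIAL alphabet and the ASSUMED_FIPS_CLASSES policy are assumptions for illustration, not FreeIPA's actual rules.

```python
# Added example, not FreeIPA code: entropy-driven password generation with
# a max_length guard and optional required character classes. Python 3.6+.
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits
# Constructed punctuation set that carries no meaning in bash, C or ini
# files. The PR thread only says FIPS-mode NSS wants "some special chars";
# the exact class policy below is an assumption, not FreeIPA's rule.
SAFE_SPECIAL = "-_+,:"
ASSUMED_FIPS_CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
                        string.digits, SAFE_SPECIAL)


def required_length(entropy_bits, alphabet_size):
    """Smallest length whose uniformly chosen symbols carry entropy_bits."""
    if alphabet_size < 2:
        raise ValueError("alphabet must contain at least two symbols")
    return math.ceil(entropy_bits / math.log2(alphabet_size))


def entropy_of(length, alphabet_size):
    """Entropy in bits of `length` uniform draws from the alphabet."""
    return length * math.log2(alphabet_size)


def has_all_classes(pw, classes):
    """True if pw contains at least one character from every class."""
    return all(any(c in cls for c in pw) for cls in classes)


def generate_password(entropy_bits=128, alphabet=ALNUM, max_length=None,
                      required_classes=()):
    """Return a password carrying at least entropy_bits of entropy.

    alphabet         symbols to draw from; whitespace is rejected because
                     it breaks shell arguments and some config files
    max_length       bound imposed by the consumer; we raise instead of
                     silently handing back a weaker secret
    required_classes strings of which at least one character must appear
    """
    alphabet = "".join(sorted(set(alphabet)))
    if any(c.isspace() for c in alphabet):
        raise ValueError("whitespace is not allowed in the alphabet")
    for cls in required_classes:
        if not set(cls) & set(alphabet):
            raise ValueError("required class %r not in alphabet" % cls)
    length = required_length(entropy_bits, len(alphabet))
    # More required classes than positions can never be satisfied and the
    # retry loop below would spin forever, so pad the length.
    length = max(length, len(required_classes))
    if max_length is not None and length > max_length:
        raise ValueError(
            "max_length %d holds only %.1f bits of entropy, %d requested"
            % (max_length, entropy_of(max_length, len(alphabet)),
               entropy_bits))
    # Rejection sampling keeps every accepted password equally likely; it
    # costs -log2(acceptance rate) bits, a fraction of a bit for the
    # 20+ character passwords and small class rules used here.
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(pw, required_classes):
            return pw


if __name__ == "__main__":
    print(generate_password())  # 22 alphanumerics, >= 128 bits
    print(generate_password(160, ALNUM + SAFE_SPECIAL,
                            required_classes=ASSUMED_FIPS_CLASSES))
```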
[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317 Title: #317: Unify password generation across FreeIPA simo5 commented: """ @stlaz SHA-1 DOES NOT add entropy at all, you need the right number of bits in INPUT for whatever transformation you use. @mbasti-rh in what way is FIPS incompatible with base64 encoding? @stlaz spaces may cause issues in some places where passwords are stored in files or passed (annoyingly) as shell arguments, so it is safer to avoid them in the final output, and given the way the code deals with space that would also simplify the random generator and avoid the bias on the 1st and last character of the password. """ See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-265752256
[Freeipa-devel] [freeipa PR#181][synchronized] Tests : User Tracker creation of user with minimal values
URL: https://github.com/freeipa/freeipa/pull/181 Author: gkaihorodova Title: #181: Tests : User Tracker creation of user with minimal values Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/181/head:pr181 git checkout pr181 From a7bad23f12b5c6227e1e5f1d976883dc2edf9146 Mon Sep 17 00:00:00 2001 From: Ganna Kaihorodova Date: Thu, 8 Dec 2016 15:06:36 +0100 Subject: [PATCH 1/2] User Tracker: creation of user with minimal values Fix provides the possibility to create a user-add test with minimal values, where uid is not specified, to provide better coverage. Also provide a check for non-empty unicode string for attributes required in the init method https://fedorahosted.org/freeipa/ticket/6126 --- ipatests/test_xmlrpc/tracker/user_plugin.py | 40 + 1 file changed, 29 insertions(+), 11 deletions(-) diff --git a/ipatests/test_xmlrpc/tracker/user_plugin.py b/ipatests/test_xmlrpc/tracker/user_plugin.py index 4485fd9..ca28e7e 100644 --- a/ipatests/test_xmlrpc/tracker/user_plugin.py +++ b/ipatests/test_xmlrpc/tracker/user_plugin.py 
@@ -62,22 +62,40 @@ class UserTracker(KerberosAliasMixin, Tracker): primary_keys = {u'uid', u'dn'} -def __init__(self, name, givenname, sn, **kwargs): +def __init__(self, name=None, givenname=None, sn=None, **kwargs): +""" Check for non-empty unicode string for the required attributes + in the init method """ + +if not (isinstance(givenname, six.string_types) and givenname): +raise ValueError("Invalid first name provided: %r" % givenname) +if not (isinstance(sn, six.string_types) and sn): +raise ValueError("Invalid second name provided: %r" % sn) + super(UserTracker, self).__init__(default_version=None) -self.uid = name -self.givenname = givenname -self.sn = sn +self.uid = unicode(name) +self.givenname = unicode(givenname) +self.sn = unicode(sn) self.dn = DN(('uid', self.uid), api.env.container_user, api.env.basedn) self.kwargs = kwargs -def make_create_command(self): -""" Make function that crates a user using user-add """ -return self.make_command( -'user_add', self.uid, -givenname=self.givenname, -sn=self.sn, **self.kwargs -) +def make_create_command(self, force=None): + +""" Make function that creates a user using user-add +with all set of attributes and with minimal values, +where uid is not specified """ + +if self.uid is not None: +return self.make_command( +'user_add', self.uid, +givenname=self.givenname, +sn=self.sn, **self.kwargs +) +else: +return self.make_command( +'user_add', givenname=self.givenname, +sn=self.sn, **self.kwargs +) def make_delete_command(self, no_preserve=True, preserve=False): """ Make function that deletes a user using user-del """ From b0d51d7f9460064479c2dc49541c4ce6f0408371 Mon Sep 17 00:00:00 2001 From: Ganna Kaihorodova Date: Thu, 8 Dec 2016 15:08:41 +0100 Subject: [PATCH 2/2] User Tracker: Test to create user with minimal values Test to create user with minimal values, where uid is not specified https://fedorahosted.org/freeipa/ticket/6126 --- ipatests/test_xmlrpc/test_user_plugin.py | 13 + 1 file changed, 13 insertions(+) 
diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py index 7508578..b90363e 100644 --- a/ipatests/test_xmlrpc/test_user_plugin.py +++ b/ipatests/test_xmlrpc/test_user_plugin.py @@ -79,6 +79,13 @@ @pytest.fixture(scope='class') +def user_min(request): +""" User tracker fixture for testing user with uid no specified """ +tracker = UserTracker(givenname=u'Testmin', sn=u'Usermin') +return tracker.make_fixture(request) + + +@pytest.fixture(scope='class') def user(request): tracker = UserTracker(name=u'user1', givenname=u'Test', sn=u'User1') return tracker.make_fixture(request) @@ -405,6 +412,12 @@ def test_rename_to_invalid_login(self, user): @pytest.mark.tier1 class TestCreate(XMLRPC_test): +def test_create_user_with_min_values(self, user_min): +""" Create user with uid not specified """ +user_min.ensure_missing() +command = user_min.make_create_command() +command() + def test_create_with_krb_ticket_policy(self): """ Try to create user with krbmaxticketlife set """ testuser = UserTracker(
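Review bot: in the user_plugin.py hunk, `self.uid = unicode(name)` turns the new `name=None` default into the literal string `u'None'`, so the `if self.uid is not None` test in `make_create_command` is always true, the command is built as `'user_add', u'None'` and `self.dn` gets `uid=None`; leave the uid unset when no name is given, e.g. `self.uid = unicode(name) if name is not None else None`. The added `force=None` parameter of `make_create_command` is never used and should be dropped or documented.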
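Review bot: in the test_user_plugin.py hunk, `test_create_user_with_min_values` calls `command()` and throws the result away, so it only proves that user-add did not raise; keep the return value and compare it with the tracker's expected output, and check that a uid was actually derived from givenname/sn, otherwise a server that creates a wrong entry still passes. The `user_min` docstring reads "uid no specified"; "uid not specified".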
[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317 Title: #317: Unify password generation across FreeIPA stlaz commented: """ Apparently, spaces are ok even in HTTP password.conf so I guess we can leave it there. """ See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-265739766
[Freeipa-devel] [freeipa PR#307][synchronized] Lowered the version of gettext
URL: https://github.com/freeipa/freeipa/pull/307 Author: pvomacka Title: #307: Lowered the version of gettext Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/307/head:pr307 git checkout pr307 From 1c49b0d070044b05bb15a17c23c47b18b952d6ff Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Wed, 7 Dec 2016 12:16:56 +0100 Subject: [PATCH] Lowered the version of gettext The lower version is needed while building on RHEL. Also the po/Rules-quot file is deleted and added to .gitignore. https://fedorahosted.org/freeipa/ticket/6418 --- .gitignore| 1 + configure.ac | 2 +- po/Rules-quot | 58 -- 3 files changed, 2 insertions(+), 59 deletions(-) delete mode 100644 po/Rules-quot diff --git a/.gitignore b/.gitignore index a9c71e4..6dcda76 100644 --- a/.gitignore +++ b/.gitignore @@ -12,6 +12,7 @@ /po/POTFILES /po/POTFILES.in /po/remove-potcdate.sed +/po/Rules-quot /po/stamp-po # In-tree build files diff --git a/configure.ac b/configure.ac index 6e31b29..c02a672 100644 --- a/configure.ac +++ b/configure.ac @@ -299,7 +299,7 @@ AC_CONFIG_COMMANDS([po/POTFILES.in], > po/POTFILES.in && dnl cd "${find_start_pwd}"]) AC_SUBST(GETTEXT_DOMAIN, [ipa]) -AM_GNU_GETTEXT_VERSION([0.19.8]) +AM_GNU_GETTEXT_VERSION([0.18.2]) AM_GNU_GETTEXT([external]) dnl integrate our custom hacks into gettextize infrastructure diff --git a/po/Rules-quot b/po/Rules-quot deleted file mode 100644 index baf6528..000 --- a/po/Rules-quot +++ /dev/null 
@@ -1,58 +0,0 @@ -# This file, Rules-quot, can be copied and used freely without restrictions. -# Special Makefile rules for English message catalogs with quotation marks. - -DISTFILES.common.extra1 = quot.sed boldquot.sed en@quot.header en@boldquot.header insert-header.sin Rules-quot - -.SUFFIXES: .insert-header .po-update-en - -e...@quot.po-create: - $(MAKE) e...@quot.po-update -e...@boldquot.po-create: - $(MAKE) e...@boldquot.po-update - -e...@quot.po-update: e...@quot.po-update-en -e...@boldquot.po-update: e...@boldquot.po-update-en - -.insert-header.po-update-en: - @lang=`echo $@ | sed -e 's/\.po-update-en$$//'`; \ - if test "$(PACKAGE)" = "gettext-tools" && test "$(CROSS_COMPILING)" != "yes"; then PATH=`pwd`/../src:$$PATH; GETTEXTLIBDIR=`cd $(top_srcdir)/src && pwd`; export GETTEXTLIBDIR; fi; \ - tmpdir=`pwd`; \ - echo "$$lang:"; \ - ll=`echo $$lang | sed -e 's/@.*//'`; \ - LC_ALL=C; export LC_ALL; \ - cd $(srcdir); \ - if $(MSGINIT) $(MSGINIT_OPTIONS) -i $(DOMAIN).pot --no-translator -l $$lang -o - 2>/dev/null \ - | $(SED) -f $$tmpdir/$$lang.insert-header | $(MSGCONV) -t UTF-8 | \ - { case `$(MSGFILTER) --version | sed 1q | sed -e 's,^[^0-9]*,,'` in \ - '' | 0.[0-9] | 0.[0-9].* | 0.1[0-8] | 0.1[0-8].*) \ - $(MSGFILTER) $(SED) -f `echo $$lang | sed -e 's/.*@//'`.sed \ - ;; \ - *) \ - $(MSGFILTER) `echo $$lang | sed -e 's/.*@//'` \ - ;; \ - esac } 2>/dev/null > $$tmpdir/$$lang.new.po \ - ; then \ - if cmp $$lang.po $$tmpdir/$$lang.new.po >/dev/null 2>&1; then \ - rm -f $$tmpdir/$$lang.new.po; \ - else \ - if mv -f $$tmpdir/$$lang.new.po $$lang.po; then \ - :; \ - else \ - echo "creation of $$lang.po failed: cannot move $$tmpdir/$$lang.new.po to $$lang.po" 1>&2; \ - exit 1; \ - fi; \ - fi; \ - else \ - echo "creation of $$lang.po failed!" 
1>&2; \ - rm -f $$tmpdir/$$lang.new.po; \ - fi - -en@quot.insert-header: insert-header.sin - sed -e '/^#/d' -e 's/HEADER/en@quot.header/g' $(srcdir)/insert-header.sin > en@quot.insert-header - -en@boldquot.insert-header: insert-header.sin - sed -e '/^#/d' -e 's/HEADER/en@boldquot.header/g' $(srcdir)/insert-header.sin > en@boldquot.insert-header - -mostlyclean: mostlyclean-quot -mostlyclean-quot: - rm -f *.insert-header
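Review bot: the configure.ac hunk lowers `AM_GNU_GETTEXT_VERSION([0.19.8])` to `0.18.2` with no explanation in the file itself; add a `dnl` comment next to it saying the lower floor is needed to build on RHEL and pointing at https://fedorahosted.org/freeipa/ticket/6418, so the value is not bumped back by the next contributor who runs a newer gettextize.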
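Review bot: the po/Rules-quot deletion hunk (together with the new .gitignore entry) is only consistent if the gettext tooling regenerates the file at build time; its `DISTFILES.common.extra1` line names `quot.sed boldquot.sed en@quot.header en@boldquot.header insert-header.sin` as companions, so check whether those are tracked or generated and treat them the same way, otherwise the distribution rules may reference files that no longer exist in the tree.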
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ @pspacek I added workflows to the Design page, please verify """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-265734321
[Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time
URL: https://github.com/freeipa/freeipa/pull/272 Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time pspacek commented: """ I've synchronized `python-cryptography` and `python-gssapi` versions. Thank you for noticing. Let's see if CI tests pass or not. """ See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-265726303
[Freeipa-devel] [freeipa PR#272][synchronized] Build: makerpms.sh generates Python 2 & 3 packages at the same time
URL: https://github.com/freeipa/freeipa/pull/272 Author: pspacek Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/272/head:pr272 git checkout pr272 From 684f4f5d4fbcfc62c555f7ef856dc2da467cd40c Mon Sep 17 00:00:00 2001 From: Petr Spacek Date: Thu, 24 Nov 2016 17:35:24 +0100 Subject: [PATCH 1/3] Build: makerpms.sh generates Python 2 & 3 packages at the same time Petr Viktorin recommended that I copy the whole build directory and run configure twice, with different values for the PYTHON variable. After thinking a bit about that, it seems the cleanest approach. Building for two versions of Python at the same time should be a temporary state so I decided not to complicate the Autotools build system with conditional spaghetti for two versions of Python. For proper Python2/3 distinction in the two separate builds, I added a find/grep/sed combo which replaces shebangs with the system-wide Python interpreter as necessary. This is a workaround for the fact that FreeIPA does not use setuptools properly. Honza told me that proper use of setuptools is not trivial so we decided to go with this for now. https://fedorahosted.org/freeipa/ticket/157 --- freeipa.spec.in | 148 +--- 1 file changed, 97 insertions(+), 51 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index cba40c2..cdfb65e 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -5,7 +5,7 @@ %if 0%{?rhel} %global with_python3 0 %else -%global with_python3 0 +%global with_python3 1 %endif # lint is not executed during rpmbuild 
@@ -268,6 +268,37 @@ and integration with Active Directory based infrastructures (Trusts). If you are installing an IPA server, you need to install this package. +%if 0%{?with_python3} + +%package -n python3-ipaserver +Summary: Python libraries used by IPA server +Group: System Environment/Libraries +BuildArch: noarch +%{?python_provide:%python_provide python3-ipaserver} +Requires: %{name}-server-common = %{version}-%{release} +Requires: %{name}-common = %{version}-%{release} +Requires: python3-ipaclient = %{version}-%{release} +Requires: python3-pyldap >= 2.4.15 +Requires: python3-lxml +Requires: python3-gssapi >= 1.1.2 +Requires: python3-sssdconfig +Requires: python3-pyasn1 +Requires: python3-dbus +Requires: python3-dns >= 1.11.1 +Requires: python3-kdcproxy >= 0.3 +Requires: rpm-libs + +%description -n python3-ipaserver +IPA is an integrated solution to provide centrally managed Identity (users, +hosts, services), Authentication (SSO, 2FA), and Authorization +(host access control, SELinux user roles, services). The solution provides +features for further integration with Linux based clients (SUDO, automount) +and integration with Active Directory based infrastructures (Trusts). +If you are installing an IPA server, you need to install this package. + +%endif # with_python3 + + %package server-common Summary: Common files used by IPA server Group: System Environment/Base @@ -687,6 +718,11 @@ This package contains tests that verify IPA functionality under Python 3. %prep %setup -n freeipa-%{version} -q +%if 0%{?with_python3} +# Workaround: We want to build Python things twice. To be sure we do not mess +# up something, do two separate builds in separate directories. +cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3 +%endif # with_python3 %build 
@@ -694,10 +730,33 @@ This package contains tests that verify IPA functionality under Python 3. export JAVA_STACK_SIZE="8m" # PATH is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1005235 export PATH=/usr/bin:/usr/sbin:$PATH +export PYTHON=%{__python2} +# Workaround: make sure all shebangs are pointing to Python 2 +# This should be solved properly using setuptools +# and this hack should be removed. +find \ + ! -name '*.pyc' -a \ + ! -name '*.pyo' -a \ + -type f -exec grep -qsm1 '^#!.*\bpython' {} \; \ + -exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!%{__python2}|' {} \; %configure --with-vendor-suffix=-%{release} # -Onone is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1398405 %make_build -Onone +%if 0%{?with_python3} +pushd %{_builddir}/freeipa-%{version}-python3 +export PYTHON=%{__python3} +# Workaround: make sure all shebangs are pointing to Python 3 +# This should be solved properly using setuptools +# and this hack should be removed. +find \ + ! -name '*.pyc' -a \ + ! -name '*.pyo' -a \ + -type f -exec grep -qsm1 '^#!.*\bpython' {} \; \ + -exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!%{__python3}|' {} \; +%configure --with-vendor-suffix=-%{release} +popd +%endif # with_python3 %check %if ! %{ONLY_CLIENT} @@ -716,16 +775,25 @@ make %{?_smp_mflags} client-check VERBOSE=yes LIBDIR=%{_libdir} # All files and directories created by spec install should be marked as ghost. #
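Review bot: in the `%package -n python3-ipaserver` hunk, the `%description` is a verbatim copy of the server text and ends with "If you are installing an IPA server, you need to install this package", which is misleading for the Python 3 library package while the server itself still runs on Python 2; reword it to describe the package as the Python 3 build of the server libraries.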
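Review bot: in the `%prep` hunk, `cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3` is not idempotent: `%setup` recreates `freeipa-%{version}` but leaves a `freeipa-%{version}-python3` from an earlier run in place, and `cp -r` then copies into it as a subdirectory; remove the target first (`rm -rf %{_builddir}/freeipa-%{version}-python3`) and consider `cp -a` so timestamps survive and autotools does not try to regenerate files in the copy.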
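Review bot: in the `%build` hunk, the Python 3 block runs `%configure --with-vendor-suffix=-%{release}` and then `popd` with no `%make_build`, whereas the Python 2 path runs `%make_build -Onone`; either add the make step or comment that the copy is only configured here and built in `%install`. The shebang-rewriting `find` also walks every file in the tree apart from `*.pyc`/`*.pyo`, build products included; restricting it to the script directories would avoid touching unrelated files.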
[Freeipa-devel] [freeipa PR#101][+rejected] Improved vault-show error message
URL: https://github.com/freeipa/freeipa/pull/101 Title: #101: Improved vault-show error message Label: +rejected
[Freeipa-devel] [freeipa PR#101][closed] Improved vault-show error message
URL: https://github.com/freeipa/freeipa/pull/101 Author: stlaz Title: #101: Improved vault-show error message Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/101/head:pr101 git checkout pr101
[Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time
URL: https://github.com/freeipa/freeipa/pull/272 Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time tiran commented: """ * CI is failing: ```12-08 10:53 ipadocker.cli ERRORCommand echo Secret123 | kinit admin && ipa ping failed (exit code 1)```. I have kicked Travis. Let's see if the problem persists. * please sync the version requirements of python3-cryptography and python3-gssapi with Python 2 versions. * Regarding your workaround and setuptools comment: I have been meaning to move all scripts to setuptools' entry points for a while. Setuptools only supports one script directory, which defaults to PREFIX/bin. I need to come up with a workaround. But that's a topic for another PR. """ See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-265721361
[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317 Title: #317: Unify password generation across FreeIPA stlaz commented: """ NSS does support spaces in its passwords it seems. My hopes are that HTTP will be able to understand spaces in its password.conf file. """ See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-265720579
[Freeipa-devel] [freeipa PR#321][opened] certdb: fix PKCS#12 import with empty password
URL: https://github.com/freeipa/freeipa/pull/321 Author: jcholast Title: #321: certdb: fix PKCS#12 import with empty password Action: opened PR body: """ Since commit f919ab4ee0ec26d77ee6978e75de5daba4073402, a temporary file is used to give passwords to pk12util. When a password is empty, the temporary file will be empty as well, which pk12util does not like. Add a new line after the password in the temporary file to please pk12util. https://fedorahosted.org/freeipa/ticket/6541 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/321/head:pr321 git checkout pr321 From 5fdd380fce3ad6527a5a980f723f6552f0a70a9d Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Thu, 8 Dec 2016 12:26:06 +0100 Subject: [PATCH] certdb: fix PKCS#12 import with empty password Since commit f919ab4ee0ec26d77ee6978e75de5daba4073402, a temporary file is used to give passwords to pk12util. When a password is empty, the temporary file will be empty as well, which pk12util does not like. Add a new line after the password in the temporary file to please pk12util. https://fedorahosted.org/freeipa/ticket/6541 --- ipapython/certdb.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipapython/certdb.py b/ipapython/certdb.py index af98a77..4e05b78 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -168,7 +168,7 @@ def import_pkcs12(self, pkcs12_filename, db_password_filename, "-k", db_password_filename, '-v'] pkcs12_password_file = None if pkcs12_passwd is not None: -pkcs12_password_file = ipautil.write_tmp_file(pkcs12_passwd) +pkcs12_password_file = ipautil.write_tmp_file(pkcs12_passwd + '\n') args = args + ["-w", pkcs12_password_file.name] try: ipautil.run(args)
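Review bot: the `+ '\n'` in `ipautil.write_tmp_file(pkcs12_passwd + '\n')` needs an inline comment stating that pk12util rejects an empty password file, because an unexplained trailing newline reads as accidental and is likely to be "cleaned up" later; since this line now writes the PKCS#12 password in plaintext to a temporary file, also confirm that `write_tmp_file` creates it with owner-only permissions and that the file is removed on every exit path of the surrounding `try`.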
[Freeipa-devel] [freeipa PR#318][+pushed] server install: fix external CA install
URL: https://github.com/freeipa/freeipa/pull/318 Title: #318: server install: fix external CA install Label: +pushed
[Freeipa-devel] [freeipa PR#318][closed] server install: fix external CA install
URL: https://github.com/freeipa/freeipa/pull/318 Author: jcholast Title: #318: server install: fix external CA install Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/318/head:pr318 git checkout pr318
[Freeipa-devel] [freeipa PR#318][comment] server install: fix external CA install
URL: https://github.com/freeipa/freeipa/pull/318 Title: #318: server install: fix external CA install mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/4fff09978eab520d130d87c0112b5caac907e651 """ See the full comment at https://github.com/freeipa/freeipa/pull/318#issuecomment-265715262
[Freeipa-devel] [freeipa PR#206][closed] Properly handle multiple cookies in rpcclient
URL: https://github.com/freeipa/freeipa/pull/206 Author: simo5 Title: #206: Properly handle multiple cookies in rpcclient Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/206/head:pr206 git checkout pr206
[Freeipa-devel] [freeipa PR#206][+pushed] Properly handle multiple cookies in rpcclient
URL: https://github.com/freeipa/freeipa/pull/206 Title: #206: Properly handle multiple cookies in rpcclient Label: +pushed
[Freeipa-devel] [freeipa PR#206][comment] Properly handle multiple cookies in rpcclient
URL: https://github.com/freeipa/freeipa/pull/206 Title: #206: Properly handle multiple cookies in rpcclient mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/560ab9e3176af8e59163155207cc2c1d631915dd https://fedorahosted.org/freeipa/changeset/f1678693713dc2a573493e325e93f6f557a5ad5a """ See the full comment at https://github.com/freeipa/freeipa/pull/206#issuecomment-265714183
[Freeipa-devel] [freeipa PR#206][+ack] Properly handle multiple cookies in rpcclient
URL: https://github.com/freeipa/freeipa/pull/206 Title: #206: Properly handle multiple cookies in rpcclient Label: +ack
[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317 Title: #317: Unify password generation across FreeIPA mbasti-rh commented: """ > The passwords should have around the same entropy now. SHA-1 actually > produces 160-bit outputs (hence 40-character-long hexadecimal digests), so I > recounted it for 20 bytes of entropy. Sure, my bad. As we discussed offline, due to NSS FIPS requirements, we should get rid of base64 encoding. I wouldn't remove the space from there; can you check if NSS supports it? """ See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-265713667
[Freeipa-devel] [freeipa PR#307][comment] Lowered the version of gettext
URL: https://github.com/freeipa/freeipa/pull/307 Title: #307: Lowered the version of gettext pspacek commented: """ @pvomacka Pavel, you did not remove the `po/Rules-quot` file. Adding it to `.gitignore` is not enough. NACK (sorry for messing with the label, too fat fingers) """ See the full comment at https://github.com/freeipa/freeipa/pull/307#issuecomment-265709221
[Freeipa-devel] [freeipa PR#307][-ack] Lowered the version of gettext
URL: https://github.com/freeipa/freeipa/pull/307 Title: #307: Lowered the version of gettext Label: -ack
[Freeipa-devel] [freeipa PR#307][+ack] Lowered the version of gettext
URL: https://github.com/freeipa/freeipa/pull/307 Title: #307: Lowered the version of gettext Label: +ack
[Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time
URL: https://github.com/freeipa/freeipa/pull/272 Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time pspacek commented: """ I've implemented tiran's proposal and rebased the patchset. """ See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-265708628
[Freeipa-devel] [freeipa PR#272][synchronized] Build: makerpms.sh generates Python 2 & 3 packages at the same time
URL: https://github.com/freeipa/freeipa/pull/272 Author: pspacek Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/272/head:pr272 git checkout pr272 From 6902563938127f550e50d2fe3ba36c525833f8ce Mon Sep 17 00:00:00 2001 From: Petr Spacek Date: Thu, 24 Nov 2016 17:35:24 +0100 Subject: [PATCH 1/3] Build: makerpms.sh generates Python 2 & 3 packages at the same time Petr Viktorin recommended that I copy the whole build directory and run configure twice, with different values for the PYTHON variable. After thinking a bit about that, it seems the cleanest approach. Building for two versions of Python at the same time should be a temporary state, so I decided not to complicate the Autotools build system with conditional spaghetti for two versions of Python. For proper Python 2/3 distinction in the two separate builds, I added a find/grep/sed combo which replaces shebangs with the system-wide Python interpreter as necessary. This is a workaround for the fact that FreeIPA does not use setuptools properly. Honza told me that proper use of setuptools is not trivial, so we decided to go with this for now. https://fedorahosted.org/freeipa/ticket/157 --- freeipa.spec.in | 148 +--- 1 file changed, 97 insertions(+), 51 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index cba40c2..cdfb65e 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -5,7 +5,7 @@ %if 0%{?rhel} %global with_python3 0 %else -%global with_python3 0 +%global with_python3 1 %endif # lint is not executed during rpmbuild
@@ -268,6 +268,37 @@ and integration with Active Directory based infrastructures (Trusts). If you are installing an IPA server, you need to install this package. +%if 0%{?with_python3} + +%package -n python3-ipaserver +Summary: Python libraries used by IPA server +Group: System Environment/Libraries +BuildArch: noarch +%{?python_provide:%python_provide python3-ipaserver} +Requires: %{name}-server-common = %{version}-%{release} +Requires: %{name}-common = %{version}-%{release} +Requires: python3-ipaclient = %{version}-%{release} +Requires: python3-pyldap >= 2.4.15 +Requires: python3-lxml +Requires: python3-gssapi >= 1.1.2 +Requires: python3-sssdconfig +Requires: python3-pyasn1 +Requires: python3-dbus +Requires: python3-dns >= 1.11.1 +Requires: python3-kdcproxy >= 0.3 +Requires: rpm-libs + +%description -n python3-ipaserver +IPA is an integrated solution to provide centrally managed Identity (users, +hosts, services), Authentication (SSO, 2FA), and Authorization +(host access control, SELinux user roles, services). The solution provides +features for further integration with Linux based clients (SUDO, automount) +and integration with Active Directory based infrastructures (Trusts). +If you are installing an IPA server, you need to install this package. + +%endif # with_python3 + + %package server-common Summary: Common files used by IPA server Group: System Environment/Base @@ -687,6 +718,11 @@ This package contains tests that verify IPA functionality under Python 3. %prep %setup -n freeipa-%{version} -q +%if 0%{?with_python3} +# Workaround: We want to build Python things twice. To be sure we do not mess +# up something, do two separate builds in separate directories. +cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3 +%endif # with_python3 %build 
@@ -694,10 +730,33 @@ This package contains tests that verify IPA functionality under Python 3. export JAVA_STACK_SIZE="8m" # PATH is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1005235 export PATH=/usr/bin:/usr/sbin:$PATH +export PYTHON=%{__python2} +# Workaround: make sure all shebangs are pointing to Python 2 +# This should be solved properly using setuptools +# and this hack should be removed. +find \ + ! -name '*.pyc' -a \ + ! -name '*.pyo' -a \ + -type f -exec grep -qsm1 '^#!.*\bpython' {} \; \ + -exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!%{__python2}|' {} \; %configure --with-vendor-suffix=-%{release} # -Onone is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1398405 %make_build -Onone +%if 0%{?with_python3} +pushd %{_builddir}/freeipa-%{version}-python3 +export PYTHON=%{__python3} +# Workaround: make sure all shebangs are pointing to Python 3 +# This should be solved properly using setuptools +# and this hack should be removed. +find \ + ! -name '*.pyc' -a \ + ! -name '*.pyo' -a \ + -type f -exec grep -qsm1 '^#!.*\bpython' {} \; \ + -exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!%{__python3}|' {} \; +%configure --with-vendor-suffix=-%{release} +popd +%endif # with_python3 %check %if ! %{ONLY_CLIENT} @@ -716,16 +775,25 @@ make %{?_smp_mflags} client-check VERBOSE=yes LIBDIR=%{_libdir} # All files and directories created by spec install should be marked as ghost. #
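Review bot: in the `%prep` hunk, `cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3` will nest the source tree inside an existing `freeipa-%{version}-python3` directory left behind by an earlier run, because `%setup` only recreates the primary source directory; `rm -rf` the target before copying, and prefer `cp -a` so file modes and timestamps carry over into the second build.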
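Review bot: in the `%build` hunk the Python 3 tree is only configured, never built: inside the `pushd` block `%configure --with-vendor-suffix=-%{release}` is followed directly by `popd`, whereas the Python 2 tree gets `%configure` and `%make_build -Onone`. If the copy is meant to be built later in `%install`, say so in the workaround comment; otherwise the `%make_build` step is missing. The `find ... -exec grep ... -exec sed` shebang rewrite is also duplicated verbatim for the two interpreters; a small shell function taking the interpreter path as its argument would keep the two copies from drifting apart.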
[Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time
URL: https://github.com/freeipa/freeipa/pull/272 Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time pspacek commented: """ I'm fine with `make pylint PYTHON=python3` as long as you can agree on it :-) """ See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-265698399
[Freeipa-devel] [freeipa PR#206][synchronized] Properly handle multiple cookies in rpcclient
URL: https://github.com/freeipa/freeipa/pull/206 Author: simo5 Title: #206: Properly handle multiple cookies in rpcclient Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/206/head:pr206 git checkout pr206 From 9f44fac9f07b727711809bbae0d27ebd149a855a Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 1 Nov 2016 14:59:12 -0400 Subject: [PATCH 1/2] Properly handle multiple cookies in rpcclient Signed-off-by: Simo Sorce --- ipalib/rpc.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index bd13251..dc63dc3 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -721,7 +721,7 @@ def store_session_cookie(self, cookie_header): pass def parse_response(self, response): -self.store_session_cookie(response.getheader('Set-Cookie')) +self.store_session_cookie(response.msg.getheaders('Set-Cookie')) return SSLTransport.parse_response(self, response) From 8bb4abb782a7e1e20332969a9f1a72dfc5187582 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 30 Sep 2016 16:17:31 -0400 Subject: [PATCH 2/2] Properly handle multiple cookies in rpc lib. Signed-off-by: Simo Sorce --- ipalib/rpc.py | 14 +++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index dc63dc3..bd25e6f 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py
@@ -699,12 +699,20 @@ def store_session_cookie(self, cookie_header): principal = getattr(context, 'principal', None) request_url = getattr(context, 'request_url', None) -root_logger.debug("received Set-Cookie '%s'", cookie_header) +root_logger.debug("received Set-Cookie (%s)'%s'", type(cookie_header), + cookie_header) + +if not isinstance(cookie_header, list): +cookie_header = [cookie_header] # Search for the session cookie try: -session_cookie = Cookie.get_named_cookie_from_string(cookie_header, - COOKIE_NAME, request_url) +for cookie in cookie_header: +session_cookie = \ +Cookie.get_named_cookie_from_string(cookie, COOKIE_NAME, +request_url) +if session_cookie is not None: +break except Exception as e: root_logger.error("unable to parse cookie header '%s': %s", cookie_header, e) return
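Review bot: in the `parse_response` hunk, `response.msg.getheaders('Set-Cookie')` is the Python 2 `httplib`/`mimetools` message API; on Python 3 `response.msg` is an `email.message.Message`, which offers `get_all(name)` and has no `getheaders`, so this line raises `AttributeError` on the Python 3 builds this project is now producing. Branch on the interpreter version (or try `get_all` and fall back to `getheaders`) rather than calling `getheaders` unconditionally.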
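Review bot: in the `store_session_cookie` hunk, `session_cookie` is assigned only inside `for cookie in cookie_header:`, so when `getheaders` returns an empty list (a response with no Set-Cookie at all) the loop body never runs and any use of `session_cookie` after the `try` block raises `NameError` instead of taking the no-session-cookie path that the old single assignment always reached; initialise `session_cookie = None` before the `try`. Two smaller points: the new format string `"received Set-Cookie (%s)'%s'"` is missing a space before the quoted value, and it now logs every cookie in the response in full at debug level rather than only the one header the old code received.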
[Freeipa-devel] [freeipa PR#318][+ack] server install: fix external CA install
URL: https://github.com/freeipa/freeipa/pull/318 Title: #318: server install: fix external CA install Label: +ack
[Freeipa-devel] [freeipa PR#318][comment] server install: fix external CA install
URL: https://github.com/freeipa/freeipa/pull/318 Title: #318: server install: fix external CA install flo-renaud commented: """ Works as expected. """ See the full comment at https://github.com/freeipa/freeipa/pull/318#issuecomment-265688266
[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317 Title: #317: Unify password generation across FreeIPA stlaz commented: """ The passwords should have around the same entropy now. SHA-1 actually produces 160-bit outputs (hence 40-character-long hexadecimal digests), so I recounted it for 20 bytes of entropy. As ipa_generate_password creates passwords of only printable characters (and a space) by default, base64 should not be a requirement here. However, a space could be a problem somewhere, I guess; should it be removed as well from the default behavior of the password generator? """ See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-265686352
[Freeipa-devel] [freeipa PR#317][synchronized] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317 Author: stlaz Title: #317: Unify password generation across FreeIPA Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/317/head:pr317 git checkout pr317 From bfde1323888d15bd8aa975e9513fea829cb19de9 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Tue, 6 Dec 2016 09:05:42 +0100 Subject: [PATCH] Unify password generation across FreeIPA Also had to recalculate the entropy of the passwords, as originally the probability of generating each character was 1/256; however, the default probability of each character in ipa_generate_password is 1/95 (1/94 for the first and last character). https://fedorahosted.org/freeipa/ticket/5695 --- ipaserver/install/certs.py | 8 ++-- ipaserver/install/dogtaginstance.py| 3 +-- ipaserver/install/dsinstance.py| 5 + ipaserver/install/httpinstance.py | 5 ++--- ipaserver/install/server/replicainstall.py | 3 +-- ipaserver/secrets/store.py | 2 +- 6 files changed, 8 insertions(+), 18 deletions(-) diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index 45602ba..198c43d 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -25,7 +25,6 @@ import xml.dom.minidom import pwd import base64 -from hashlib import sha1 import fcntl import time import datetime @@ -159,9 +158,6 @@ def set_perms(self, fname, write=False, uid=None): perms |= stat.S_IWUSR os.chmod(fname, perms) -def gen_password(self): -return sha1(ipautil.ipa_generate_password()).hexdigest() - def run_certutil(self, args, stdin=None, **kwargs): return self.nssdb.run_certutil(args, stdin, **kwargs) @@ -177,7 +173,7 @@ def create_noise_file(self): if ipautil.file_exists(self.noise_fname): os.remove(self.noise_fname) f = open(self.noise_fname, "w") -f.write(self.gen_password()) +f.write(ipautil.ipa_generate_password(pwd_len=25)) self.set_perms(self.noise_fname) def create_passwd_file(self, passwd=None):
@@ -186,7 +182,7 @@ def create_passwd_file(self, passwd=None): if passwd is not None: f.write("%s\n" % passwd) else: -f.write(self.gen_password()) +f.write(ipautil.ipa_generate_password(pwd_len=25)) f.close() self.set_perms(self.passwd_fname) diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py index f4856c7..dc4b5b0 100644 --- a/ipaserver/install/dogtaginstance.py +++ b/ipaserver/install/dogtaginstance.py @@ -18,7 +18,6 @@ # import base64 -import binascii import ldap import os import shutil @@ -428,7 +427,7 @@ def __add_admin_to_group(self, group): def setup_admin(self): self.admin_user = "admin-%s" % self.fqdn -self.admin_password = binascii.hexlify(os.urandom(16)) +self.admin_password = ipautil.ipa_generate_password(pwd_len=20) self.admin_dn = DN(('uid', self.admin_user), ('ou', 'people'), ('o', 'ipaca')) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 1be5ac7..09708dc 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -506,7 +506,7 @@ def __setup_sub_dict(self): idrange_size = None self.sub_dict = dict(FQDN=self.fqdn, SERVERID=self.serverid, PASSWORD=self.dm_password, - RANDOM_PASSWORD=self.generate_random(), + RANDOM_PASSWORD=ipautil.ipa_generate_password(), SUFFIX=self.suffix, REALM=self.realm, USER=DS_USER, SERVER_ROOT=server_root, DOMAIN=self.domain, @@ -773,9 +773,6 @@ def __host_nis_groups(self): def __add_enrollment_module(self): self._ldap_mod("enrollment-conf.ldif", self.sub_dict) -def generate_random(self): -return ipautil.ipa_generate_password() - def __enable_ssl(self): dirname = config_dirname(self.serverid) dsdb = certs.CertDB(self.realm, nssdir=dirname, subject_base=self.subject_base) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 15c3107..9fdb5a8 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py 
@@ -19,7 +19,6 @@ from __future__ import print_function -import binascii import os import os.path import pwd @@ -314,9 +313,9 @@ def create_cert_db(self): ipautil.backup_file(nss_path) # Create the password file for this db -hex_str = binascii.hexlify(os.urandom(10)) +password = ipautil.ipa_generate_password(pwd_len=15) f = os.open(pwd_file, os.O_CREAT | os.O_RDWR) -os.write(f, hex_str) +
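Review bot: in the `create_passwd_file` hunk the two branches still disagree on the trailing newline: a caller-supplied password is written as `"%s\n" % passwd`, while the generated one is written bare by `f.write(ipautil.ipa_generate_password(pwd_len=25))`. PR #321 on this list had to add exactly such a newline to keep pk12util happy with the file it reads, so pick one convention for both branches and check that every consumer of `passwd_fname` strips or expects it consistently.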
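Review bot: in the `dogtaginstance.py` hunk, `self.admin_password = ipautil.ipa_generate_password(pwd_len=20)` moves the Dogtag admin password from hex digits to the generator's default printable alphabet, which per the discussion on this PR includes a space and punctuation; every place that receives `admin_password` (command lines, rendered config templates, LDAP and HTTP calls into Dogtag) needs to be checked for quoting and for characters it refuses before this lands. The same question applies to the NSS database password files written in `certs.py` and `httpinstance.py`, where the default `ipa_generate_password()` in `dsinstance.py` also feeds `RANDOM_PASSWORD` into a template.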
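Review bot: in the `httpinstance.py` hunk the replacement for `os.write(f, hex_str)` is cut off in this copy of the patch; whatever follows must hand `bytes` to `os.write` on Python 3, since the value from `ipa_generate_password` is written through a text-mode file elsewhere in this same patch and `os.write` does not accept `str`. While touching these lines, `os.open(pwd_file, os.O_CREAT | os.O_RDWR)` is called without a mode, so the NSS password file is created at the umask default; passing `0o600` there is a pre-existing but cheap fix.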
[Freeipa-devel] [freeipa PR#177][synchronized] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177 Author: frasertweedale Title: #177: Add options to write lightweight CA cert or chain to file Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/177/head:pr177 git checkout pr177 From 727acdf3948788dec389473a3bf0c940def84428 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 16 Aug 2016 13:16:58 +1000 Subject: [PATCH 1/3] Add function for extracting PEM certs from PKCS #7 Add a single function for extracting X.509 certs in PEM format from a PKCS #7 object. Refactor sites that execute ``openssl pkcs7`` to use the new function. Part of: https://fedorahosted.org/freeipa/ticket/6178 --- ipalib/x509.py | 23 +- ipapython/certdb.py | 9 ++- ipaserver/install/cainstance.py | 52 +++-- 3 files changed, 43 insertions(+), 41 deletions(-) diff --git a/ipalib/x509.py b/ipalib/x509.py index e1c3867..caf0ddc 100644 --- a/ipalib/x509.py +++ b/ipalib/x509.py @@ -48,7 +48,9 @@ from ipalib import api from ipalib import util from ipalib import errors +from ipaplatform.paths import paths from ipapython.dn import DN +from ipapython import ipautil if six.PY3: unicode = str @@ -56,7 +58,9 @@ PEM = 0 DER = 1 -PEM_REGEX = re.compile(r'(?<=-BEGIN CERTIFICATE-).*?(?=-END CERTIFICATE-)', re.DOTALL) +PEM_REGEX = re.compile( +r'-BEGIN CERTIFICATE-.*?-END CERTIFICATE-', +re.DOTALL) EKU_SERVER_AUTH = '1.3.6.1.5.5.7.3.1' EKU_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2'
@@ -145,6 +149,23 @@ def load_certificate_list_from_file(filename): return load_certificate_list(f.read()) +def pkcs7_to_pems(data, datatype=PEM): +""" +Extract certificates from a PKCS #7 object. + +Return a ``list`` of X.509 PEM strings. + +May throw ``ipautil.CalledProcessError`` on invalid data. + +""" +cmd = [ +paths.OPENSSL, "pkcs7", "-print_certs", +"-inform", "PEM" if datatype == PEM else "DER", +] +result = ipautil.run(cmd, stdin=data, capture_output=True) +return PEM_REGEX.findall(result.output) + + def is_self_signed(certificate, datatype=PEM): cert = load_certificate(certificate, datatype) return cert.issuer == cert.subject diff --git a/ipapython/certdb.py b/ipapython/certdb.py index af98a77..6599a69 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -239,13 +239,8 @@ def import_files(self, files, db_password_filename, import_keys=False, continue if label in ('PKCS7', 'PKCS #7 SIGNED DATA', 'CERTIFICATE'): -args = [ -OPENSSL, 'pkcs7', -'-print_certs', -] try: -result = ipautil.run( -args, stdin=body, capture_output=True) +certs = x509.pkcs7_to_pems(body) except ipautil.CalledProcessError as e: if label == 'CERTIFICATE': root_logger.warning( @@ -257,7 +252,7 @@ def import_files(self, files, db_password_filename, import_keys=False, filename, line, e) continue else: -extracted_certs += result.output + '\n' +extracted_certs += '\n'.join(certs) + '\n' loaded = True continue diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index bf79821..29acd7e 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py 
@@ -749,44 +749,30 @@ def __import_ca_chain(self): # makes openssl throw up. data = base64.b64decode(chain) -result = ipautil.run( -[paths.OPENSSL, - "pkcs7", - "-inform", - "DER", - "-print_certs", - ], stdin=data, capture_output=True) -certlist = result.output +certlist = x509.pkcs7_to_pems(data, x509.DER) # Ok, now we have all the certificates in certs, walk through it # and pull out each certificate and add it to our database -st = 1 -en = 0 -subid = 0 ca_dn = DN(('CN','Certificate Authority'), self.subject_base) -while st > 0: -st = certlist.find('-BEGIN', en) -en = certlist.find('-END', en+1) -if st > 0: -try: -(chain_fd, chain_name) = tempfile.mkstemp() -os.write(chain_fd, certlist[st:en+25]) -os.close(chain_fd) -(_rdn, subject_dn) =
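Review bot: in the `x509.py` hunk, rewriting `PEM_REGEX` from a lookbehind/lookahead pair to a pattern that includes the markers changes the meaning of a module-level constant: it used to yield the base64 body between the markers and now yields the whole block, so every other caller of `PEM_REGEX` that decodes what `findall`/`search` returns must be audited before this merges, not just the new `pkcs7_to_pems`. As the pattern appears here it also matches `-BEGIN CERTIFICATE-` with a single dash on each side; if that is the literal pattern rather than the standard `-----BEGIN CERTIFICATE-----` with the dash runs collapsed in transit, `findall` returns blocks missing four dashes at each end, which neither certutil nor OpenSSL will parse as PEM.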
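Review bot: in the `import_files` hunk, when `x509.pkcs7_to_pems(body)` succeeds but finds no certificates, `certs` is empty, `extracted_certs += '\n'.join(certs) + '\n'` appends only a newline and `loaded = True` is still set, so an empty or certificate-less PKCS #7 object is silently counted as loaded from that file; add an `if not certs:` branch that logs a warning with `filename` and `line`, as the existing `except ipautil.CalledProcessError` branch already does for objects openssl rejects.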
[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177 Title: #177: Add options to write lightweight CA cert or chain to file frasertweedale commented: """ @jcholast updated PR to include `certificate` and `certificate_chain` in `ca_find` output when `--all` is specified. """ See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-265684968