[Freeipa-devel] [freeipa PR#139][comment] WebUI: Vault Management
URL: https://github.com/freeipa/freeipa/pull/139 Title: #139: WebUI: Vault Management mbasti-rh commented: """ Server roles page is broken too, or at least it looks weird, probably server names are missing """ See the full comment at https://github.com/freeipa/freeipa/pull/139#issuecomment-267114366 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#139][comment] WebUI: Vault Management
URL: https://github.com/freeipa/freeipa/pull/139 Title: #139: WebUI: Vault Management mbasti-rh commented: """ NACK: DNS records page is broken """ See the full comment at https://github.com/freeipa/freeipa/pull/139#issuecomment-267106705
[Freeipa-devel] [freeipa PR#342][closed] [4.3] password policy: Add explicit default password policy for hosts and services
URL: https://github.com/freeipa/freeipa/pull/342 Author: dkupka Title: #342: [4.3] password policy: Add explicit default password policy for hosts and services Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/342/head:pr342 git checkout pr342
[Freeipa-devel] [freeipa PR#342][comment] [4.3] password policy: Add explicit default password policy for hosts and services
URL: https://github.com/freeipa/freeipa/pull/342 Title: #342: [4.3] password policy: Add explicit default password policy for hosts and services dkupka commented: """ Fixed upstream ipa-4-3: https://fedorahosted.org/freeipa/changeset/42263a5a729096135702c0b974f255a058c0cdaf """ See the full comment at https://github.com/freeipa/freeipa/pull/342#issuecomment-267095446
[Freeipa-devel] [freeipa PR#342][+pushed] [4.3] password policy: Add explicit default password policy for hosts and services
URL: https://github.com/freeipa/freeipa/pull/342 Title: #342: [4.3] password policy: Add explicit default password policy for hosts and services Label: +pushed
[Freeipa-devel] [freeipa PR#342][+ack] [4.3] password policy: Add explicit default password policy for hosts and services
URL: https://github.com/freeipa/freeipa/pull/342 Title: #342: [4.3] password policy: Add explicit default password policy for hosts and services Label: +ack
[Freeipa-devel] [freeipa PR#344][closed] [4.4] password policy: Add explicit default password policy for hosts and services
URL: https://github.com/freeipa/freeipa/pull/344 Author: dkupka Title: #344: [4.4] password policy: Add explicit default password policy for hosts and services Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/344/head:pr344 git checkout pr344
[Freeipa-devel] [freeipa PR#344][+pushed] [4.4] password policy: Add explicit default password policy for hosts and services
URL: https://github.com/freeipa/freeipa/pull/344 Title: #344: [4.4] password policy: Add explicit default password policy for hosts and services Label: +pushed
[Freeipa-devel] [freeipa PR#344][comment] [4.4] password policy: Add explicit default password policy for hosts and services
URL: https://github.com/freeipa/freeipa/pull/344 Title: #344: [4.4] password policy: Add explicit default password policy for hosts and services dkupka commented: """ Fixed upstream ipa-4-4: https://fedorahosted.org/freeipa/changeset/08e7af9f0f8acac3dcd8dde1eee53261e5d25f1f https://fedorahosted.org/freeipa/changeset/171bc3e6853f905184584e414cefa4f7296c02ea """ See the full comment at https://github.com/freeipa/freeipa/pull/344#issuecomment-267094656
[Freeipa-devel] [freeipa PR#343][comment] [4.3] certprofile-mod: correctly authorise config update
URL: https://github.com/freeipa/freeipa/pull/343 Title: #343: [4.3] certprofile-mod: correctly authorise config update mbasti-rh commented: """ Fixed upstream ipa-4-3: https://fedorahosted.org/freeipa/changeset/278d7cf4708f1c6ac05d5fcb21db582d9aa7bab3 """ See the full comment at https://github.com/freeipa/freeipa/pull/343#issuecomment-267093601
[Freeipa-devel] [freeipa PR#343][+ack] [4.3] certprofile-mod: correctly authorise config update
URL: https://github.com/freeipa/freeipa/pull/343 Title: #343: [4.3] certprofile-mod: correctly authorise config update Label: +ack
[Freeipa-devel] [freeipa PR#343][closed] [4.3] certprofile-mod: correctly authorise config update
URL: https://github.com/freeipa/freeipa/pull/343 Author: mbasti-rh Title: #343: [4.3] certprofile-mod: correctly authorise config update Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/343/head:pr343 git checkout pr343
[Freeipa-devel] [freeipa PR#343][+pushed] [4.3] certprofile-mod: correctly authorise config update
URL: https://github.com/freeipa/freeipa/pull/343 Title: #343: [4.3] certprofile-mod: correctly authorise config update Label: +pushed
[Freeipa-devel] [freeipa PR#340][synchronized] schema_cache: Make handling of string compatible with python3
URL: https://github.com/freeipa/freeipa/pull/340 Author: dkupka Title: #340: schema_cache: Make handling of string compatible with python3 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/340/head:pr340 git checkout pr340 From 2f4982ed1255ce56fb56cf23671d85ce0b28cc6b Mon Sep 17 00:00:00 2001 From: David KupkaDate: Wed, 14 Dec 2016 17:19:52 +0100 Subject: [PATCH] schema_cache: Make handling of string compatible with python3 https://fedorahosted.org/freeipa/ticket/6559 --- ipaclient/remote_plugins/schema.py | 22 +- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/ipaclient/remote_plugins/schema.py b/ipaclient/remote_plugins/schema.py index 02364ca..15c03f4 100644 --- a/ipaclient/remote_plugins/schema.py +++ b/ipaclient/remote_plugins/schema.py @@ -6,6 +6,7 @@ import contextlib import errno import fcntl +import io import json import os import sys @@ -373,7 +374,7 @@ def __init__(self, client, fingerprint=None): self._dict = {} self._namespaces = {} self._help = None -self._file = six.StringIO() +self._file = six.BytesIO() for ns in self.namespaces: self._dict[ns] = {} @@ -407,7 +408,7 @@ def __init__(self, client, fingerprint=None): def _open(self, filename, mode): path = os.path.join(self._DIR, filename) -with open(path, mode) as f: +with io.open(path, mode) as f: if mode.startswith('r'): fcntl.flock(f, fcntl.LOCK_SH) else: @@ -454,7 +455,7 @@ def _fetch(self, client, ignore_cache=False): def _read_schema(self, fingerprint): self._file.truncate(0) -with self._open(fingerprint, 'r') as f: +with self._open(fingerprint, 'rb') as f: self._file.write(f.read()) with zipfile.ZipFile(self._file, 'r') as schema: 
@@ -504,21 +505,24 @@ def _write_schema(self, fingerprint): ns = value for member in ns: path = '{}/{}'.format(key, member) -schema.writestr(path, json.dumps(ns[member])) +schema.writestr(path, +json.dumps(ns[member]).encode('utf-8')) else: -schema.writestr(key, json.dumps(value)) +schema.writestr(key, json.dumps(value).encode('utf-8')) -schema.writestr('_help', -json.dumps(self._generate_help(self._dict))) +schema.writestr( +'_help', +json.dumps(self._generate_help(self._dict)).encode('utf-8') +) self._file.seek(0) -with self._open(fingerprint, 'w') as f: +with self._open(fingerprint, 'wb') as f: f.truncate(0) f.write(self._file.read()) def _read(self, path): with zipfile.ZipFile(self._file, 'r') as zf: -return json.loads(zf.read(path)) +return json.loads(zf.read(path).decode('utf-8')) def read_namespace_member(self, namespace, member): value = self._dict[namespace][member] -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
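Review bot: in the `_open` hunk, `open(path, mode)` becomes `io.open(path, mode)`, and on Python 2 `io.open` in text mode returns and expects unicode rather than `str`. The two callers shown are moved to `'rb'` and `'wb'`, which avoids the problem for them, but any other caller of `_open` still passing `'r'` or `'w'` would silently change behaviour on Python 2. Either confirm there are none, or document in `_open` that it is only meant to be called with binary modes.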
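Review bot: in the `_read_schema` hunk, `self._file.truncate(0)` is followed directly by `self._file.write(f.read())` with no `seek(0)` in between. On Python 3 a bytes buffer keeps its stream position across `truncate`, so if `_file` was read or written earlier the new data is written at the old offset and the gap before it is zero-filled, leaving padding in front of the archive instead of exactly the cached file's bytes. Adding `self._file.seek(0)` before the truncate makes the reset explicit, in the same way the `_write_schema` hunk already seeks before reading the buffer back.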
[Freeipa-devel] [freeipa PR#341][+pushed] certprofile-mod: correctly authorise config update
URL: https://github.com/freeipa/freeipa/pull/341 Title: #341: certprofile-mod: correctly authorise config update Label: +pushed
[Freeipa-devel] [freeipa PR#341][comment] certprofile-mod: correctly authorise config update
URL: https://github.com/freeipa/freeipa/pull/341 Title: #341: certprofile-mod: correctly authorise config update mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/fec4c32ff15a96736740cf7d2f713a21af0b227e ipa-4-4: https://fedorahosted.org/freeipa/changeset/c12a52f0d78b30931713a3548b22e799d41f3622 """ See the full comment at https://github.com/freeipa/freeipa/pull/341#issuecomment-267093122
[Freeipa-devel] [freeipa PR#341][closed] certprofile-mod: correctly authorise config update
URL: https://github.com/freeipa/freeipa/pull/341 Author: mbasti-rh Title: #341: certprofile-mod: correctly authorise config update Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/341/head:pr341 git checkout pr341
[Freeipa-devel] [freeipa PR#341][+ack] certprofile-mod: correctly authorise config update
URL: https://github.com/freeipa/freeipa/pull/341 Title: #341: certprofile-mod: correctly authorise config update Label: +ack
[Freeipa-devel] [freeipa PR#344][+ack] [4.4] password policy: Add explicit default password policy for hosts and services
URL: https://github.com/freeipa/freeipa/pull/344 Title: #344: [4.4] password policy: Add explicit default password policy for hosts and services Label: +ack
[Freeipa-devel] [freeipa PR#344][edited] [4.4] password policy: Add explicit default password policy for hosts and services
URL: https://github.com/freeipa/freeipa/pull/344 Author: dkupka Title: #344: [4.4] password policy: Add explicit default password policy for hosts and services Action: edited Changed field: title Original value: """ password policy: Add explicit default password policy for hosts and services """
[Freeipa-devel] [freeipa PR#344][opened] password policy: Add explicit default password policy for hosts and services
URL: https://github.com/freeipa/freeipa/pull/344 Author: dkupka Title: #344: password policy: Add explicit default password policy for hosts and services Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/344/head:pr344 git checkout pr344 From 2d0333dace7884e7050bb99cd682d3cc1d401482 Mon Sep 17 00:00:00 2001 From: David KupkaDate: Thu, 29 Sep 2016 15:59:34 +0200 Subject: [PATCH 1/2] password policy: Add explicit default password policy for hosts and services Set explicitly krbPwdPolicyReference attribute to all hosts (entries in cn=computers,cn=accounts), services (entries in cn=services,cn=accounts) and Kerberos services (entries in cn=$REALM,cn=kerberos). This is done using DS's CoS so no attributes are really added. The default policies effectively disable any enforcement or lockout for hosts and services. Since hosts and services use keytabs passwords enforcements doesn't make much sense. Also the lockout policy could be used for easy and cheap DoS. https://fedorahosted.org/freeipa/ticket/6561 --- install/updates/20-default_password_policy.update | 133 ++ install/updates/Makefile.am | 1 + ipaserver/install/service.py | 1 + 3 files changed, 135 insertions(+) create mode 100644 install/updates/20-default_password_policy.update diff --git a/install/updates/20-default_password_policy.update b/install/updates/20-default_password_policy.update new file mode 100644 index 000..b1f9754 --- /dev/null +++ b/install/updates/20-default_password_policy.update 
@@ -0,0 +1,133 @@ +# Default password policies for hosts, services and Kerberos services +# Setting all attributes to zero effectively disables any password policy +# We can do this because hosts and services uses keytabs instead of passwords + +# hosts +dn: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX +default:objectClass: krbPwdPolicy +default:objectClass: nsContainer +default:objectClass: top +default:cn: Default Host Password Policy +default:krbMinPwdLife: 0 +default:krbPwdMinDiffChars: 0 +default:krbPwdMinLength: 0 +default:krbPwdHistoryLength: 0 +default:krbMaxPwdLife: 0 +default:krbPwdMaxFailure: 0 +default:krbPwdFailureCountInterval: 0 +default:krbPwdLockoutDuration: 0 + +# services +dn: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX +default:objectClass: krbPwdPolicy +default:objectClass: nsContainer +default:objectClass: top +default:cn: Default Service Password Policy +default:krbMinPwdLife: 0 +default:krbPwdMinDiffChars: 0 +default:krbPwdMinLength: 0 +default:krbPwdHistoryLength: 0 +default:krbMaxPwdLife: 0 +default:krbPwdMaxFailure: 0 +default:krbPwdFailureCountInterval: 0 +default:krbPwdLockoutDuration: 0 + +# kerberos policy container +# this is necessary to avoid mixing the Kerberos sevice password policy +# with group-membership based user password policies +dn: cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX +default:objectClass: nsContainer +default:objectClass: top +default:cn: Kerberos Service Password Policy + +# kerberos services +dn: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX +default:objectClass: krbPwdPolicy +default:objectClass: nsContainer +default:objectClass: top +default:cn: Default Kerberos Service Password Policy +default:krbMinPwdLife: 0 +default:krbPwdMinDiffChars: 0 +default:krbPwdMinLength: 0 +default:krbPwdHistoryLength: 0 +default:krbMaxPwdLife: 0 +default:krbPwdMaxFailure: 0 
+default:krbPwdFailureCountInterval: 0 +default:krbPwdLockoutDuration: 0 + +# default password policies for hosts, services and kerberos services +# cosPriority is set intentionally to higher number than FreeIPA API allows +# to set to ensure that these password policies have always lower priority +# than any defined by user. + +# hosts +dn: cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX +default:objectclass: top +default:objectclass: nsContainer +default:cn: cosTemplates + +dn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX +default:objectclass: top +default:objectclass: cosTemplate +default:objectclass: extensibleObject +default:objectclass: krbContainer +default:cn: Default Password Policy +default:cosPriority: 100 +default:krbPwdPolicyReference: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX + +dn: cn=Default Password Policy,cn=computers,cn=accounts,$SUFFIX +default:description: Default Password Policy for Hosts +default:objectClass: top +default:objectClass: ldapsubentry +default:objectClass: cosSuperDefinition +default:objectClass: cosPointerDefinition +default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX +default:cosAttribute: krbPwdPolicyReference default + +# services +dn:
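Review bot: the comment above the cosTemplates entries says `cosPriority: 100` is deliberately higher than the FreeIPA API allows, but it does not state what that limit is or where it is enforced. The guarantee that these defaults always lose to a user-defined policy depends entirely on that limit staying below 100, so name the API maximum in the comment; a later widening of the allowed range can then be checked against this file. Separately, the comment in the Kerberos policy container block has a typo, "sevice".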
[Freeipa-devel] [freeipa PR#335][comment] Add compatibility code to retrieve headers
URL: https://github.com/freeipa/freeipa/pull/335 Title: #335: Add compatibility code to retrieve headers mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/397f2be9dfd6475127742c0b710b37b443d97d67 """ See the full comment at https://github.com/freeipa/freeipa/pull/335#issuecomment-267088796
[Freeipa-devel] [freeipa PR#335][closed] Add compatibility code to retrieve headers
URL: https://github.com/freeipa/freeipa/pull/335 Author: simo5 Title: #335: Add compatibility code to retrieve headers Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/335/head:pr335 git checkout pr335
[Freeipa-devel] [freeipa PR#335][+pushed] Add compatibility code to retrieve headers
URL: https://github.com/freeipa/freeipa/pull/335 Title: #335: Add compatibility code to retrieve headers Label: +pushed
[Freeipa-devel] [freeipa PR#335][+ack] Add compatibility code to retrieve headers
URL: https://github.com/freeipa/freeipa/pull/335 Title: #335: Add compatibility code to retrieve headers Label: +ack
[Freeipa-devel] [freeipa PR#338][+pushed] password policy: Add explicit default password policy for hosts and services
URL: https://github.com/freeipa/freeipa/pull/338 Title: #338: password policy: Add explicit default password policy for hosts and services Label: +pushed
[Freeipa-devel] [freeipa PR#338][closed] password policy: Add explicit default password policy for hosts and services
URL: https://github.com/freeipa/freeipa/pull/338 Author: dkupka Title: #338: password policy: Add explicit default password policy for hosts and services Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/338/head:pr338 git checkout pr338
[Freeipa-devel] [freeipa PR#338][comment] password policy: Add explicit default password policy for hosts and services
URL: https://github.com/freeipa/freeipa/pull/338 Title: #338: password policy: Add explicit default password policy for hosts and services dkupka commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/6f1d927467e7907fd1991f88388d96c67c9bff61 https://fedorahosted.org/freeipa/changeset/b1a20599c4f9fdcd208998694185b65460126703 """ See the full comment at https://github.com/freeipa/freeipa/pull/338#issuecomment-267086391
[Freeipa-devel] [freeipa PR#342][edited] [4.3] password policy: Add explicit default password policy for hosts and services
URL: https://github.com/freeipa/freeipa/pull/342 Author: dkupka Title: #342: [4.3] password policy: Add explicit default password policy for hosts and services Action: edited Changed field: title Original value: """ password policy: Add explicit default password policy for hosts and services """
[Freeipa-devel] [freeipa PR#343][opened] [4.3] certprofile-mod: correctly authorise config update
URL: https://github.com/freeipa/freeipa/pull/343 Author: mbasti-rh Title: #343: [4.3] certprofile-mod: correctly authorise config update Action: opened PR body: """ Certificate profiles consist of an FreeIPA object, and a corresponding Dogtag configuration object. When updating profile configuration, changes to the Dogtag configuration are not properly authorised, allowing unprivileged operators to modify (but not create or delete) profiles. This could result in issuance of certificates with fraudulent subject naming information, improper key usage, or other badness. Update certprofile-mod to ensure that the operator has permission to modify FreeIPA certprofile objects before modifying the Dogtag configuration. https://fedorahosted.org/freeipa/ticket/6560 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/343/head:pr343 git checkout pr343 From 2b5ce7bd98585a76ce745a027ea8226d34be940b Mon Sep 17 00:00:00 2001 From: Fraser TweedaleDate: Tue, 15 Nov 2016 14:02:54 +1000 Subject: [PATCH] certprofile-mod: correctly authorise config update Certificate profiles consist of an FreeIPA object, and a corresponding Dogtag configuration object. When updating profile configuration, changes to the Dogtag configuration are not properly authorised, allowing unprivileged operators to modify (but not create or delete) profiles. This could result in issuance of certificates with fraudulent subject naming information, improper key usage, or other badness. Update certprofile-mod to ensure that the operator has permission to modify FreeIPA certprofile objects before modifying the Dogtag configuration. https://fedorahosted.org/freeipa/ticket/6560 --- ipalib/plugins/certprofile.py | 5 + 1 file changed, 5 insertions(+) diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py index ce56ec2..3afcb18 100644 --- a/ipalib/plugins/certprofile.py +++ b/ipalib/plugins/certprofile.py 
@@ -326,6 +326,11 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): raise errors.ProtectedEntryError(label='certprofile', key=keys[0], reason=_('Certificate profiles cannot be renamed')) if 'file' in options: +# ensure operator has permission to update a certprofile +if not ldap.can_write(dn, 'ipacertprofilestoreissued'): +raise errors.ACIError(info=_( +"Insufficient privilege to modify a certificate profile.")) + with self.api.Backend.ra_certprofile as profile_api: profile_api.disable_profile(keys[0]) try: -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
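Review bot: the check added under `if 'file' in options:` gates the Dogtag configuration update on `ldap.can_write(dn, 'ipacertprofilestoreissued')`, that is, on write access to a single attribute of the FreeIPA object, and the comment does not say why that attribute stands for "may modify a certprofile". Spell that out in the comment, or tie the check to the permission that is meant to govern profile modification, so that a later ACI change to this one attribute does not quietly widen or narrow who can replace profile configuration. The diffstat is 5 insertions in certprofile.py only, so there is also no regression test; a test that runs certprofile-mod with a file as an operator lacking the permission and expects `ACIError` would pin the fix.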
[Freeipa-devel] [freeipa PR#339][comment] freeipa-4.4.3: update translations
URL: https://github.com/freeipa/freeipa/pull/339 Title: #339: freeipa-4.4.3: update translations martbab commented: """ Fixed upstream ipa-4-4: https://fedorahosted.org/freeipa/changeset/2a2652187eaddec5d2a9cd757cec5874597213bc """ See the full comment at https://github.com/freeipa/freeipa/pull/339#issuecomment-267084622
[Freeipa-devel] [freeipa PR#339][+pushed] freeipa-4.4.3: update translations
URL: https://github.com/freeipa/freeipa/pull/339 Title: #339: freeipa-4.4.3: update translations Label: +pushed
[Freeipa-devel] [freeipa PR#339][closed] freeipa-4.4.3: update translations
URL: https://github.com/freeipa/freeipa/pull/339 Author: mbasti-rh Title: #339: freeipa-4.4.3: update translations Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/339/head:pr339 git checkout pr339
[Freeipa-devel] [freeipa PR#339][+ack] freeipa-4.4.3: update translations
URL: https://github.com/freeipa/freeipa/pull/339 Title: #339: freeipa-4.4.3: update translations Label: +ack
[Freeipa-devel] [freeipa PR#338][+ack] password policy: Add explicit default password policy for hosts and services
URL: https://github.com/freeipa/freeipa/pull/338 Title: #338: password policy: Add explicit default password policy for hosts and services Label: +ack
[Freeipa-devel] [freeipa PR#342][opened] password policy: Add explicit default password policy for hosts and services
URL: https://github.com/freeipa/freeipa/pull/342 Author: dkupka Title: #342: password policy: Add explicit default password policy for hosts and services Action: opened PR body: """ Set explicitly krbPwdPolicyReference attribute to all hosts (entries in cn=computers,cn=accounts), services (entries in cn=services,cn=accounts) and Kerberos services (entries in cn=$REALM,cn=kerberos). This is done using DS's CoS so no attributes are really added. The default policies effectively disable any enforcement or lockout for hosts and services. Since hosts and services use keytabs passwords enforcements doesn't make much sense. Also the lockout policy could be used for easy and cheap DoS. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/342/head:pr342 git checkout pr342 From 3d98a72cbccb182b745c05ece6ed9802370c782b Mon Sep 17 00:00:00 2001 From: David KupkaDate: Thu, 29 Sep 2016 15:59:34 +0200 Subject: [PATCH] password policy: Add explicit default password policy for hosts and services Set explicitly krbPwdPolicyReference attribute to all hosts (entries in cn=computers,cn=accounts), services (entries in cn=services,cn=accounts) and Kerberos services (entries in cn=$REALM,cn=kerberos). This is done using DS's CoS so no attributes are really added. The default policies effectively disable any enforcement or lockout for hosts and services. Since hosts and services use keytabs passwords enforcements doesn't make much sense. Also the lockout policy could be used for easy and cheap DoS. https://fedorahosted.org/freeipa/ticket/6561 --- install/updates/20-default_password_policy.update | 133 ++ install/updates/Makefile.am | 1 + ipaserver/install/service.py | 1 + 3 files changed, 135 insertions(+) create mode 100644 install/updates/20-default_password_policy.update 
diff --git a/install/updates/20-default_password_policy.update b/install/updates/20-default_password_policy.update new file mode 100644 index 000..b1f9754 --- /dev/null +++ b/install/updates/20-default_password_policy.update 
@@ -0,0 +1,133 @@ +# Default password policies for hosts, services and Kerberos services +# Setting all attributes to zero effectively disables any password policy +# We can do this because hosts and services uses keytabs instead of passwords + +# hosts +dn: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX +default:objectClass: krbPwdPolicy +default:objectClass: nsContainer +default:objectClass: top +default:cn: Default Host Password Policy +default:krbMinPwdLife: 0 +default:krbPwdMinDiffChars: 0 +default:krbPwdMinLength: 0 +default:krbPwdHistoryLength: 0 +default:krbMaxPwdLife: 0 +default:krbPwdMaxFailure: 0 +default:krbPwdFailureCountInterval: 0 +default:krbPwdLockoutDuration: 0 + +# services +dn: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX +default:objectClass: krbPwdPolicy +default:objectClass: nsContainer +default:objectClass: top +default:cn: Default Service Password Policy +default:krbMinPwdLife: 0 +default:krbPwdMinDiffChars: 0 +default:krbPwdMinLength: 0 +default:krbPwdHistoryLength: 0 +default:krbMaxPwdLife: 0 +default:krbPwdMaxFailure: 0 +default:krbPwdFailureCountInterval: 0 +default:krbPwdLockoutDuration: 0 + +# kerberos policy container +# this is necessary to avoid mixing the Kerberos sevice password policy +# with group-membership based user password policies +dn: cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX +default:objectClass: nsContainer +default:objectClass: top +default:cn: Kerberos Service Password Policy + +# kerberos services +dn: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX +default:objectClass: krbPwdPolicy +default:objectClass: nsContainer +default:objectClass: top +default:cn: Default Kerberos Service Password Policy +default:krbMinPwdLife: 0 +default:krbPwdMinDiffChars: 0 +default:krbPwdMinLength: 0 +default:krbPwdHistoryLength: 0 +default:krbMaxPwdLife: 0 +default:krbPwdMaxFailure: 0 
+default:krbPwdFailureCountInterval: 0 +default:krbPwdLockoutDuration: 0 + +# default password policies for hosts, services and kerberos services +# cosPriority is set intentionally to higher number than FreeIPA API allows +# to set to ensure that these password policies have always lower priority +# than any defined by user. + +# hosts +dn: cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX +default:objectclass: top +default:objectclass: nsContainer +default:cn: cosTemplates + +dn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX +default:objectclass: top +default:objectclass: cosTemplate +default:objectclass: extensibleObject +default:objectclass: krbContainer +default:cn: Default Password Policy +default:cosPriority: 100 +default:krbPwdPolicyReference: cn=Default Host Password
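Review bot: the header comment of 20-default_password_policy.update justifies the all-zero policies only by hosts and services using keytabs, while the commit message also gives the lockout DoS as a reason. Since `krbPwdMaxFailure: 0`, `krbPwdFailureCountInterval: 0` and `krbPwdLockoutDuration: 0` are the values that switch lockout off, record that reason in the file next to them, so the zeros are not raised later by someone who sees only the keytab explanation. The same eight attribute lines are repeated verbatim for the host, service and Kerberos service policies, so a short comment per block saying they are intentionally identical would also help review of future edits.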
[Freeipa-devel] [freeipa PR#341][opened] certprofile-mod: correctly authorise config update
URL: https://github.com/freeipa/freeipa/pull/341
Author: mbasti-rh
Title: #341: certprofile-mod: correctly authorise config update
Action: opened

PR body:
"""
Certificate profiles consist of a FreeIPA object, and a corresponding Dogtag configuration object. When updating profile configuration, changes to the Dogtag configuration are not properly authorised, allowing unprivileged operators to modify (but not create or delete) profiles. This could result in issuance of certificates with fraudulent subject naming information, improper key usage, or other badness.

Update certprofile-mod to ensure that the operator has permission to modify FreeIPA certprofile objects before modifying the Dogtag configuration.

https://fedorahosted.org/freeipa/ticket/6560
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/341/head:pr341
git checkout pr341

From 3b64673de8309bdd98171c4e23d1b177e855e033 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Tue, 15 Nov 2016 14:02:54 +1000
Subject: [PATCH] certprofile-mod: correctly authorise config update

Certificate profiles consist of a FreeIPA object, and a corresponding Dogtag configuration object. When updating profile configuration, changes to the Dogtag configuration are not properly authorised, allowing unprivileged operators to modify (but not create or delete) profiles. This could result in issuance of certificates with fraudulent subject naming information, improper key usage, or other badness.

Update certprofile-mod to ensure that the operator has permission to modify FreeIPA certprofile objects before modifying the Dogtag configuration.

https://fedorahosted.org/freeipa/ticket/6560
---
ipaserver/plugins/certprofile.py | 5 +
1 file changed, 5 insertions(+)

diff --git a/ipaserver/plugins/certprofile.py b/ipaserver/plugins/certprofile.py
index f446607..2bd3311 100644
--- a/ipaserver/plugins/certprofile.py
+++ b/ipaserver/plugins/certprofile.py
@@ -310,6 +310,11 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): raise errors.ProtectedEntryError(label='certprofile', key=keys[0], reason=_('Certificate profiles cannot be renamed')) if 'file' in options: +# ensure operator has permission to update a certprofile +if not ldap.can_write(dn, 'ipacertprofilestoreissued'): +raise errors.ACIError(info=_( +"Insufficient privilege to modify a certificate profile.")) + with self.api.Backend.ra_certprofile as profile_api: profile_api.disable_profile(keys[0]) try: -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
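Review bot: in pre_callback, the new check under `if 'file' in options:` uses write access to the single attribute 'ipacertprofilestoreissued' as the test for permission to modify the whole profile, and the comment does not say why that attribute stands in for the certprofile object. Extend the comment to explain the choice, and add a regression test that runs certprofile-mod with a file as an operator lacking the permission and expects errors.ACIError before profile_api.disable_profile is reached; the diffstat shows only certprofile.py changed.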
[Freeipa-devel] [freeipa PR#340][opened] schema_cache: Make handling of string compatible with python3
URL: https://github.com/freeipa/freeipa/pull/340 Author: dkupka Title: #340: schema_cache: Make handling of string compatible with python3 Action: opened PR body: """ https://fedorahosted.org/freeipa/ticket/6559 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/340/head:pr340 git checkout pr340 From 0ca08b5a65c3985ed1288029042fcf15bde7e513 Mon Sep 17 00:00:00 2001 From: David KupkaDate: Wed, 14 Dec 2016 17:19:52 +0100 Subject: [PATCH] schema_cache: Make handling of string compatible with python3 https://fedorahosted.org/freeipa/ticket/6559 --- ipaclient/remote_plugins/schema.py | 17 + 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/ipaclient/remote_plugins/schema.py b/ipaclient/remote_plugins/schema.py index 02364ca..7b0d2ec 100644 --- a/ipaclient/remote_plugins/schema.py +++ b/ipaclient/remote_plugins/schema.py @@ -6,6 +6,7 @@ import contextlib import errno import fcntl +import io import json import os import sys @@ -373,7 +374,7 @@ def __init__(self, client, fingerprint=None): self._dict = {} self._namespaces = {} self._help = None -self._file = six.StringIO() +self._file = six.BytesIO() for ns in self.namespaces: self._dict[ns] = {} @@ -407,7 +408,7 @@ def __init__(self, client, fingerprint=None): def _open(self, filename, mode): path = os.path.join(self._DIR, filename) -with open(path, mode) as f: +with io.open(path, mode) as f: if mode.startswith('r'): fcntl.flock(f, fcntl.LOCK_SH) else: @@ -454,7 +455,7 @@ def _fetch(self, client, ignore_cache=False): def _read_schema(self, fingerprint): self._file.truncate(0) -with self._open(fingerprint, 'r') as f: +with self._open(fingerprint, 'rb') as f: self._file.write(f.read()) with zipfile.ZipFile(self._file, 'r') as schema: 
@@ -504,21 +505,21 @@ def _write_schema(self, fingerprint): ns = value for member in ns: path = '{}/{}'.format(key, member) -schema.writestr(path, json.dumps(ns[member])) +schema.writestr(path, json.dumps(ns[member]).encode('utf-8')) else: -schema.writestr(key, json.dumps(value)) +schema.writestr(key, json.dumps(value).encode('utf-8')) schema.writestr('_help', -json.dumps(self._generate_help(self._dict))) +json.dumps(self._generate_help(self._dict)).encode('utf-8')) self._file.seek(0) -with self._open(fingerprint, 'w') as f: +with self._open(fingerprint, 'wb') as f: f.truncate(0) f.write(self._file.read()) def _read(self, path): with zipfile.ZipFile(self._file, 'r') as zf: -return json.loads(zf.read(path)) +return json.loads(zf.read(path).decode('utf-8')) def read_namespace_member(self, namespace, member): value = self._dict[namespace][member] -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
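Review bot: in the _read_schema hunk, `self._file.truncate(0)` is followed directly by `self._file.write(f.read())` with no seek(0). On Python 3, io.BytesIO.truncate() leaves the stream position where it was, so if the buffer was used earlier the new data is written after a run of zero bytes, whereas the Python 2 StringIO moved the position back on truncate. Add `self._file.seek(0)` before the write, or confirm that nothing moves the position before _read_schema runs.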
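Review bot: in the _write_schema hunk, `json.dumps(...).encode('utf-8')` is now repeated at all three schema.writestr calls, with the matching `.decode('utf-8')` in _read. A small pair of helper methods for dumping and loading would keep the encoding choice in one place and make it harder for a future writestr call to pass text by mistake.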
[Freeipa-devel] [freeipa PR#339][edited] freeipa-4.4.3: update translations
URL: https://github.com/freeipa/freeipa/pull/339 Author: mbasti-rh Title: #339: freeipa-4.4.3: update translations Action: edited Changed field: body Original value: """ """
[Freeipa-devel] [freeipa PR#338][opened] password policy: Add explicit default password policy for hosts and services
URL: https://github.com/freeipa/freeipa/pull/338
Author: dkupka
Title: #338: password policy: Add explicit default password policy for hosts and services
Action: opened

PR body:
"""
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/338/head:pr338
git checkout pr338

From 03f68b4829442ec734f04755c3426c76e3b9661d Mon Sep 17 00:00:00 2001
From: David Kupka
Date: Thu, 29 Sep 2016 15:59:34 +0200
Subject: [PATCH 1/2] password policy: Add explicit default password policy for hosts and services

Set explicitly krbPwdPolicyReference attribute to all hosts (entries in cn=computers,cn=accounts), services (entries in cn=services,cn=accounts) and Kerberos services (entries in cn=$REALM,cn=kerberos). This is done using DS's CoS so no attributes are really added.

The default policies effectively disable any enforcement or lockout for hosts and services. Since hosts and services use keytabs, password enforcement doesn't make much sense. Also the lockout policy could be used for easy and cheap DoS.

https://fedorahosted.org/freeipa/ticket/6561
---
install/updates/20-default_password_policy.update | 133 ++
install/updates/Makefile.am | 1 +
ipaserver/install/service.py | 1 +
3 files changed, 135 insertions(+)
create mode 100644 install/updates/20-default_password_policy.update

diff --git a/install/updates/20-default_password_policy.update b/install/updates/20-default_password_policy.update
new file mode 100644
index 000..b1f9754
--- /dev/null
+++ b/install/updates/20-default_password_policy.update
@@ -0,0 +1,133 @@ +# Default password policies for hosts, services and Kerberos services +# Setting all attributes to zero effectively disables any password policy +# We can do this because hosts and services uses keytabs instead of passwords + +# hosts +dn: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX +default:objectClass: krbPwdPolicy +default:objectClass: nsContainer +default:objectClass: top +default:cn: Default Host Password Policy +default:krbMinPwdLife: 0 +default:krbPwdMinDiffChars: 0 +default:krbPwdMinLength: 0 +default:krbPwdHistoryLength: 0 +default:krbMaxPwdLife: 0 +default:krbPwdMaxFailure: 0 +default:krbPwdFailureCountInterval: 0 +default:krbPwdLockoutDuration: 0 + +# services +dn: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX +default:objectClass: krbPwdPolicy +default:objectClass: nsContainer +default:objectClass: top +default:cn: Default Service Password Policy +default:krbMinPwdLife: 0 +default:krbPwdMinDiffChars: 0 +default:krbPwdMinLength: 0 +default:krbPwdHistoryLength: 0 +default:krbMaxPwdLife: 0 +default:krbPwdMaxFailure: 0 +default:krbPwdFailureCountInterval: 0 +default:krbPwdLockoutDuration: 0 + +# kerberos policy container +# this is necessary to avoid mixing the Kerberos sevice password policy +# with group-membership based user password policies +dn: cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX +default:objectClass: nsContainer +default:objectClass: top +default:cn: Kerberos Service Password Policy + +# kerberos services +dn: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX +default:objectClass: krbPwdPolicy +default:objectClass: nsContainer +default:objectClass: top +default:cn: Default Kerberos Service Password Policy +default:krbMinPwdLife: 0 +default:krbPwdMinDiffChars: 0 +default:krbPwdMinLength: 0 +default:krbPwdHistoryLength: 0 +default:krbMaxPwdLife: 0 +default:krbPwdMaxFailure: 0 
+default:krbPwdFailureCountInterval: 0 +default:krbPwdLockoutDuration: 0 + +# default password policies for hosts, services and kerberos services +# cosPriority is set intentionally to higher number than FreeIPA API allows +# to set to ensure that these password policies have always lower priority +# than any defined by user. + +# hosts +dn: cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX +default:objectclass: top +default:objectclass: nsContainer +default:cn: cosTemplates + +dn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX +default:objectclass: top +default:objectclass: cosTemplate +default:objectclass: extensibleObject +default:objectclass: krbContainer +default:cn: Default Password Policy +default:cosPriority: 100 +default:krbPwdPolicyReference: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX + +dn: cn=Default Password Policy,cn=computers,cn=accounts,$SUFFIX +default:description: Default Password Policy for Hosts +default:objectClass: top +default:objectClass: ldapsubentry +default:objectClass: cosSuperDefinition +default:objectClass: cosPointerDefinition +default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX +default:cosAttribute: krbPwdPolicyReference default + +# services +dn:
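Review bot: the comment above the Kerberos policy container misspells "sevice" (should be "service"), and the header comment reads "hosts and services uses keytabs" (should be "use"). At the cosPointerDefinition entry it would also help to add a comment saying that the "default" qualifier in `cosAttribute: krbPwdPolicyReference default` makes the CoS value apply only when the entry has no krbPwdPolicyReference of its own, since nothing in the file explains that choice.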
[Freeipa-devel] [freeipa PR#337][comment] Client-side CSR autogeneration (take 2)
URL: https://github.com/freeipa/freeipa/pull/337 Title: #337: Client-side CSR autogeneration (take 2) martbab commented: """ From Travis CI logs it looks like a correct branch was fetched this time. """ See the full comment at https://github.com/freeipa/freeipa/pull/337#issuecomment-267069024
[Freeipa-devel] [freeipa PR#336][opened] [py3] pki: add missing depedency pki-base[-python3]
URL: https://github.com/freeipa/freeipa/pull/336 Author: mbasti-rh Title: #336: [py3] pki: add missing depedency pki-base[-python3] Action: opened PR body: """ FreeIPA server modules requires pki module https://fedorahosted.org/freeipa/ticket/4985 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/336/head:pr336 git checkout pr336 From 34c9eb22938c82f20f2faa40d2c5e4ff8ac853b7 Mon Sep 17 00:00:00 2001 From: Martin BastiDate: Wed, 14 Dec 2016 12:28:25 +0100 Subject: [PATCH] [py3]pki: add missing depedency pki-base[-python3] FreeIPA server modules requires pki module https://fedorahosted.org/freeipa/ticket/4985 --- freeipa.spec.in | 2 ++ 1 file changed, 2 insertions(+) diff --git a/freeipa.spec.in b/freeipa.spec.in index fbb3945..cacab43 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -297,6 +297,7 @@ Requires: dbus-python Requires: python-dns >= 1.13 Requires: python-kdcproxy >= 0.3 Requires: rpm-libs +Requires: pki-base >= 10.3.5-6 %description -n python2-ipaserver IPA is an integrated solution to provide centrally managed Identity (users, @@ -326,6 +327,7 @@ Requires: python3-dbus Requires: python3-dns >= 1.11.1 Requires: python3-kdcproxy >= 0.3 Requires: rpm-libs +Requires: pki-base-python3 >= 10.3.5-6 %description -n python3-ipaserver IPA is an integrated solution to provide centrally managed Identity (users, -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
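Review bot: both added lines, `Requires: pki-base >= 10.3.5-6` and `Requires: pki-base-python3 >= 10.3.5-6`, set a minimum without saying what that build provides; the commit message only states that the server modules require the pki module. Add a spec comment above each Requires naming the feature or fix that sets the floor, and check that a version-release minimum ("-6") is intended, since it ties the dependency to one distribution's release numbering.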
[Freeipa-devel] [freeipa PR#335][comment] Add compatibility code to retrieve headers
URL: https://github.com/freeipa/freeipa/pull/335 Title: #335: Add compatibility code to retrieve headers mbasti-rh commented: """ Works for me, just waiting for travis :) """ See the full comment at https://github.com/freeipa/freeipa/pull/335#issuecomment-267055413
[Freeipa-devel] [freeipa PR#335][opened] Add compatibility code to retrieve headers
URL: https://github.com/freeipa/freeipa/pull/335 Author: simo5 Title: #335: Add compatibility code to retrieve headers Action: opened PR body: """ The recent fixes for getting cookies from headers broken python3. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/335/head:pr335 git checkout pr335 From a118d6f3dcd31102e0f5e5b6a0c962b811290bfb Mon Sep 17 00:00:00 2001 From: Simo SorceDate: Wed, 14 Dec 2016 06:20:15 -0500 Subject: [PATCH] Add compatibility code to retrieve headers Python3 removed the getheaders() function and replaced it with a get_all() one. Add compat code. https://fedorahosted.org/freeipa/ticket/6558 Signed-off-by: Simo Sorce --- ipalib/rpc.py | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index bd25e6f..921f5cb 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -729,7 +729,11 @@ def store_session_cookie(self, cookie_header): pass def parse_response(self, response): -self.store_session_cookie(response.msg.getheaders('Set-Cookie')) +if six.PY2: +header = response.msg.getheaders('Set-Cookie') +else: +header = response.msg.get_all('Set-Cookie') +self.store_session_cookie(header) return SSLTransport.parse_response(self, response) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
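Review bot: in parse_response, the Python 3 branch calls `response.msg.get_all('Set-Cookie')`, which returns None when the header is absent, while the Python 2 `getheaders('Set-Cookie')` returns an empty list. Pass a default, for example `get_all('Set-Cookie', [])`, or confirm that store_session_cookie accepts None, so that a response without a cookie behaves the same on both versions.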
[Freeipa-devel] [freeipa PR#334][synchronized] Py3: Fix ToASCII method
URL: https://github.com/freeipa/freeipa/pull/334 Author: mbasti-rh Title: #334: Py3: Fix ToASCII method Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/334/head:pr334 git checkout pr334 From e5825f44dafc4fb96965fb90d2f0442846970a71 Mon Sep 17 00:00:00 2001 From: Martin BastiDate: Wed, 14 Dec 2016 10:12:05 +0100 Subject: [PATCH 1/2] Py3: Fix ToASCII method in Py2 to_text method returns Py2 non-unicode string, but in Py3 to_text method returns Py3 default (unicode) string. So only in Py2 we have to decode str to unicode. https://fedorahosted.org/freeipa/ticket/5935 --- freeipa.spec.in | 20 ++-- ipapython/dnsutil.py | 5 - ipasetup.py.in | 2 +- 3 files changed, 15 insertions(+), 12 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index fbb3945..73210b7 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -126,8 +126,8 @@ BuildRequires: python-memcached BuildRequires: python-lxml # 5.0.0: QRCode.print_ascii BuildRequires: python-qrcode-core >= 5.0.0 -# 1.13: python-dns URI record support -BuildRequires: python-dns >= 1.13 +# 1.15: python-dns PY3 support (many improvements) +BuildRequires: python-dns >= 1.15 BuildRequires: jsl BuildRequires: python-yubico # pki Python package @@ -163,8 +163,8 @@ BuildRequires: python3-memcached BuildRequires: python3-lxml # 5.0.0: QRCode.print_ascii BuildRequires: python3-qrcode-core >= 5.0.0 -# 1.13: python-dns URI record support -BuildRequires: python3-dns >= 1.13 +# 1.15: python-dns PY3 support (many improvements) +BuildRequires: python3-dns >= 1.15 BuildRequires: python3-yubico # pki Python package # 10.2.1: crypto.NSSCryptoProvider(password_file) @@ -294,7 +294,7 @@ Requires: python-gssapi >= 1.2.0 Requires: python-sssdconfig Requires: python-pyasn1 Requires: dbus-python -Requires: python-dns >= 1.13 +Requires: python-dns >= 1.15 Requires: python-kdcproxy >= 0.3 Requires: rpm-libs 
@@ -323,7 +323,7 @@ Requires: python3-gssapi >= 1.2.0 Requires: python3-sssdconfig Requires: python3-pyasn1 Requires: python3-dbus -Requires: python3-dns >= 1.11.1 +Requires: python3-dns >= 1.15 Requires: python3-kdcproxy >= 0.3 Requires: rpm-libs @@ -482,7 +482,7 @@ BuildArch: noarch Requires: %{name}-client-common = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} Requires: python2-ipalib = %{version}-%{release} -Requires: python-dns >= 1.13 +Requires: python-dns >= 1.15 %description -n python2-ipaclient IPA is an integrated solution to provide centrally managed Identity (users, @@ -504,7 +504,7 @@ BuildArch: noarch Requires: %{name}-client-common = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} Requires: python3-ipalib = %{version}-%{release} -Requires: python3-dns >= 1.11.1 +Requires: python3-dns >= 1.15 %description -n python3-ipaclient IPA is an integrated solution to provide centrally managed Identity (users, @@ -598,7 +598,7 @@ Requires: python-cffi Requires: python-ldap >= 2.4.15 Requires: python-requests Requires: python-custodia -Requires: python-dns >= 1.13 +Requires: python-dns >= 1.15 Requires: python-enum34 Requires: python-netifaces >= 0.10.4 Requires: pyusb @@ -648,7 +648,7 @@ Requires: python3-cffi Requires: python3-pyldap >= 2.4.15 Requires: python3-custodia Requires: python3-requests -Requires: python3-dns >= 1.11.1 +Requires: python3-dns >= 1.15 Requires: python3-netifaces >= 0.10.4 Requires: python3-pyusb diff --git a/ipapython/dnsutil.py b/ipapython/dnsutil.py index 16549c8..ba0f0aa 100644 --- a/ipapython/dnsutil.py +++ b/ipapython/dnsutil.py 
@@ -71,7 +71,10 @@ def __str__(self): def ToASCII(self): #method named by RFC 3490 and python standard library -return self.to_text().decode('ascii') # must be unicode string +res = self.to_text() +if six.PY2: +return res.decode('ascii') # must be unicode string in Python 2 +return res def canonicalize(self): return DNSName(super(DNSName, self).canonicalize()) diff --git a/ipasetup.py.in b/ipasetup.py.in index 6a33fb8..c221e0d 100644 --- a/ipasetup.py.in +++ b/ipasetup.py.in @@ -64,7 +64,7 @@ if SETUPTOOLS_VERSION < (8, 0, 0): PACKAGE_VERSION = { 'cryptography': 'cryptography >= 1.3.1', -'dnspython': 'dnspython >= 1.13', +'dnspython': 'dnspython >= 1.15', 'gssapi': 'gssapi >= 1.2.0', 'ipaclient': 'ipaclient == {}'.format(VERSION), 'ipalib': 'ipalib == {}'.format(VERSION), From d110bd8fd42e1546f8c8de2fe755b482d1b2cfdd Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 14 Dec 2016 12:09:34 +0100 Subject: [PATCH 2/2] zonemgr_callback: py3 fix str and bytes cannot be concatenated in Py3 https://fedorahosted.org/freeipa/ticket/5990 --- ipapython/dnsutil.py | 4 +++- ipaserver/install/bindinstance.py | 4 ++-- 2 files
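Review bot: the ToASCII hunk in ipapython/dnsutil.py branches on `six.PY2`, but the only hunk for this file in patch 1/2 does not add `import six`; confirm the module already imports it, otherwise the method raises NameError on first call. A unit test asserting that ToASCII returns a text (unicode) string on both Python 2 and Python 3 would pin the behaviour that the old inline comment "must be unicode string" describes.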
[Freeipa-devel] [freeipa PR#334][comment] Py3: Fix ToASCII method
URL: https://github.com/freeipa/freeipa/pull/334 Title: #334: Py3: Fix ToASCII method tiran commented: """ I left a comment """ See the full comment at https://github.com/freeipa/freeipa/pull/334#issuecomment-267039776
[Freeipa-devel] [freeipa PR#333][synchronized] Remove named-pkcs11 workarounds from DNSSEC tests.
URL: https://github.com/freeipa/freeipa/pull/333 Author: pspacek Title: #333: Remove named-pkcs11 workarounds from DNSSEC tests. Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/333/head:pr333 git checkout pr333 From c433291234be6f1d51197b94bdaf8202c342b663 Mon Sep 17 00:00:00 2001 From: Petr SpacekDate: Tue, 13 Dec 2016 16:43:52 +0100 Subject: [PATCH] Remove named-pkcs11 workarounds from DNSSEC tests. As far as I can tell the tests are passing for some time in Jenkins so maybe a bug in some underlying component was fixed. Let's remove workarounds to make tests actually test real setups. https://fedorahosted.org/freeipa/ticket/5348 --- ipatests/test_integration/test_dnssec.py | 82 1 file changed, 82 deletions(-) diff --git a/ipatests/test_integration/test_dnssec.py b/ipatests/test_integration/test_dnssec.py index 56380dd..1ffa268 100644 --- a/ipatests/test_integration/test_dnssec.py +++ b/ipatests/test_integration/test_dnssec.py @@ -6,7 +6,6 @@ import dns.resolver import dns.name import time -import pytest from ipatests.test_integration.base import IntegrationTest from ipatests.test_integration import tasks @@ -106,7 +105,6 @@ def test_if_zone_is_signed_master(self): ] self.master.run_command(args) -tasks.restart_named(self.master, self.replicas[0]) # test master assert wait_until_record_is_signed( self.master.ip, test_zone, self.log, timeout=100 @@ -127,7 +125,6 @@ def test_if_zone_is_signed_replica(self): ] self.replicas[0].run_command(args) -tasks.restart_named(self.replicas[0]) # test replica assert wait_until_record_is_signed( self.replicas[0].ip, test_zone_repl, self.log, timeout=300 @@ -173,7 +170,6 @@ def test_disable_reenable_signing_master(self): ] self.master.run_command(args) -tasks.restart_named(self.master) # test master assert wait_until_record_is_signed( self.master.ip, test_zone, self.log, timeout=100 
@@ -221,8 +217,6 @@ def test_disable_reenable_signing_replica(self): ] self.master.run_command(args) -tasks.restart_named(self.master, self.replicas[0]) - # test master assert wait_until_record_is_signed( self.master.ip, test_zone_repl, self.log, timeout=100 
@@ -238,77 +232,6 @@ def test_disable_reenable_signing_replica(self): assert dnskey_old != dnskey_new, "DNSKEY should be different" -class TestZoneSigningWithoutNamedRestart(IntegrationTest): -"""Test whether https://fedorahosted.org/freeipa/ticket/5348 is already -fixed. If the issue is not fixed, the test will expectedly fail. When -fixed, it will pass, which will cause the whole run to become "red" -""" -num_replicas = 1 -topology = 'star' - -@classmethod -def install(cls, mh): -tasks.install_master(cls.master, setup_dns=False) -args = [ -"ipa-dns-install", -"--dnssec-master", -"--forwarder", cls.master.config.dns_forwarder, -"-U", -] -cls.master.run_command(args) - -tasks.install_replica(cls.master, cls.replicas[0], setup_dns=True) - -# backup trusted key -tasks.backup_file(cls.master, paths.DNSSEC_TRUSTED_KEY) -tasks.backup_file(cls.replicas[0], paths.DNSSEC_TRUSTED_KEY) - -@classmethod -def uninstall(cls, mh): -# restore trusted key -tasks.restore_files(cls.master) -tasks.restore_files(cls.replicas[0]) - -super(TestZoneSigningWithoutNamedRestart, cls).uninstall(mh) - -@pytest.mark.xfail(strict=True) -def test_sign_root_zone_no_named_restart(self): -args = [ -"ipa", "dnszone-add", root_zone, "--dnssec", "true", -"--skip-overlap-check", -] -self.master.run_command(args) - -# make BIND happy: add the glue record and delegate zone -args = [ -"ipa", "dnsrecord-add", root_zone, self.master.hostname, -"--a-rec=" + self.master.ip -] -self.master.run_command(args) -args = [ -"ipa", "dnsrecord-add", root_zone, self.replicas[0].hostname, -"--a-rec=" + self.replicas[0].ip -] -self.master.run_command(args) - -time.sleep(10) # sleep a bit until data are provided by bind-dyndb-ldap - -args = [ -"ipa", "dnsrecord-add", root_zone, self.master.domain.name, -"--ns-rec=" + self.master.hostname -] -self.master.run_command(args) -# test master -assert wait_until_record_is_signed( -self.master.ip, root_zone, self.log, timeout=100 -), "Zone %s is not signed (master)" % root_zone - 
-# test replica -assert
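Review bot: the removed class TestZoneSigningWithoutNamedRestart was marked `@pytest.mark.xfail(strict=True)`, so by its own docstring the run should have gone red once ticket 5348 was fixed, yet the commit message only says the tests are passing "as far as I can tell" and that "maybe" an underlying bug was fixed. Cite the run in which the strict xfail started failing, or keep test_sign_root_zone_no_named_restart as an ordinary test, so that dropping the tasks.restart_named workarounds rests on a recorded result.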
[Freeipa-devel] [freeipa PR#313][comment] ipaclient.plugins: Use api_version from internally called commands
URL: https://github.com/freeipa/freeipa/pull/313 Title: #313: ipaclient.plugins: Use api_version from internally called commands mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/d841a79dc104521f736469eff7154c2f4266082b ipa-4-4: https://fedorahosted.org/freeipa/changeset/6ef666ed12fd73026f0f1d49faba152ae27d6082 """ See the full comment at https://github.com/freeipa/freeipa/pull/313#issuecomment-267003891
[Freeipa-devel] [freeipa PR#313][+pushed] ipaclient.plugins: Use api_version from internally called commands
URL: https://github.com/freeipa/freeipa/pull/313 Title: #313: ipaclient.plugins: Use api_version from internally called commands Label: +pushed
[Freeipa-devel] [freeipa PR#313][closed] ipaclient.plugins: Use api_version from internally called commands
URL: https://github.com/freeipa/freeipa/pull/313 Author: dkupka Title: #313: ipaclient.plugins: Use api_version from internally called commands Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/313/head:pr313 git checkout pr313
[Freeipa-devel] [freeipa PR#329][+rejected] experiment: did pull/177 break ci?
URL: https://github.com/freeipa/freeipa/pull/329 Title: #329: experiment: did pull/177 break ci? Label: +rejected
[Freeipa-devel] [freeipa PR#334][edited] Py3: Fix ToASCII method
URL: https://github.com/freeipa/freeipa/pull/334 Author: mbasti-rh Title: #334: Py3: Fix ToASCII method Action: edited Changed field: body Original value: """ in Py2 to_text method returns Py2 non-unicode string, but in Py3 to_text method returns Py3 default (unicode) string. So only in Py2 we have to decode str to unicode. https://fedorahosted.org/freeipa/ticket/5887 """
[Freeipa-devel] [freeipa PR#334][synchronized] Py3: Fix ToASCII method
URL: https://github.com/freeipa/freeipa/pull/334 Author: mbasti-rh Title: #334: Py3: Fix ToASCII method Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/334/head:pr334 git checkout pr334 From e5825f44dafc4fb96965fb90d2f0442846970a71 Mon Sep 17 00:00:00 2001 From: Martin BastiDate: Wed, 14 Dec 2016 10:12:05 +0100 Subject: [PATCH] Py3: Fix ToASCII method in Py2 to_text method returns Py2 non-unicode string, but in Py3 to_text method returns Py3 default (unicode) string. So only in Py2 we have to decode str to unicode. https://fedorahosted.org/freeipa/ticket/5935 --- freeipa.spec.in | 20 ++-- ipapython/dnsutil.py | 5 - ipasetup.py.in | 2 +- 3 files changed, 15 insertions(+), 12 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index fbb3945..73210b7 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -126,8 +126,8 @@ BuildRequires: python-memcached BuildRequires: python-lxml # 5.0.0: QRCode.print_ascii BuildRequires: python-qrcode-core >= 5.0.0 -# 1.13: python-dns URI record support -BuildRequires: python-dns >= 1.13 +# 1.15: python-dns PY3 support (many improvements) +BuildRequires: python-dns >= 1.15 BuildRequires: jsl BuildRequires: python-yubico # pki Python package @@ -163,8 +163,8 @@ BuildRequires: python3-memcached BuildRequires: python3-lxml # 5.0.0: QRCode.print_ascii BuildRequires: python3-qrcode-core >= 5.0.0 -# 1.13: python-dns URI record support -BuildRequires: python3-dns >= 1.13 +# 1.15: python-dns PY3 support (many improvements) +BuildRequires: python3-dns >= 1.15 BuildRequires: python3-yubico # pki Python package # 10.2.1: crypto.NSSCryptoProvider(password_file) @@ -294,7 +294,7 @@ Requires: python-gssapi >= 1.2.0 Requires: python-sssdconfig Requires: python-pyasn1 Requires: dbus-python -Requires: python-dns >= 1.13 +Requires: python-dns >= 1.15 Requires: python-kdcproxy >= 0.3 Requires: rpm-libs 
@@ -323,7 +323,7 @@ Requires: python3-gssapi >= 1.2.0 Requires: python3-sssdconfig Requires: python3-pyasn1 Requires: python3-dbus -Requires: python3-dns >= 1.11.1 +Requires: python3-dns >= 1.15 Requires: python3-kdcproxy >= 0.3 Requires: rpm-libs @@ -482,7 +482,7 @@ BuildArch: noarch Requires: %{name}-client-common = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} Requires: python2-ipalib = %{version}-%{release} -Requires: python-dns >= 1.13 +Requires: python-dns >= 1.15 %description -n python2-ipaclient IPA is an integrated solution to provide centrally managed Identity (users, @@ -504,7 +504,7 @@ BuildArch: noarch Requires: %{name}-client-common = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} Requires: python3-ipalib = %{version}-%{release} -Requires: python3-dns >= 1.11.1 +Requires: python3-dns >= 1.15 %description -n python3-ipaclient IPA is an integrated solution to provide centrally managed Identity (users, @@ -598,7 +598,7 @@ Requires: python-cffi Requires: python-ldap >= 2.4.15 Requires: python-requests Requires: python-custodia -Requires: python-dns >= 1.13 +Requires: python-dns >= 1.15 Requires: python-enum34 Requires: python-netifaces >= 0.10.4 Requires: pyusb @@ -648,7 +648,7 @@ Requires: python3-cffi Requires: python3-pyldap >= 2.4.15 Requires: python3-custodia Requires: python3-requests -Requires: python3-dns >= 1.11.1 +Requires: python3-dns >= 1.15 Requires: python3-netifaces >= 0.10.4 Requires: python3-pyusb diff --git a/ipapython/dnsutil.py b/ipapython/dnsutil.py index 16549c8..ba0f0aa 100644 --- a/ipapython/dnsutil.py +++ b/ipapython/dnsutil.py 
@@ -71,7 +71,10 @@ def __str__(self): def ToASCII(self): #method named by RFC 3490 and python standard library -return self.to_text().decode('ascii') # must be unicode string +res = self.to_text() +if six.PY2: +return res.decode('ascii') # must be unicode string in Python 2 +return res def canonicalize(self): return DNSName(super(DNSName, self).canonicalize()) diff --git a/ipasetup.py.in b/ipasetup.py.in index 6a33fb8..c221e0d 100644 --- a/ipasetup.py.in +++ b/ipasetup.py.in @@ -64,7 +64,7 @@ if SETUPTOOLS_VERSION < (8, 0, 0): PACKAGE_VERSION = { 'cryptography': 'cryptography >= 1.3.1', -'dnspython': 'dnspython >= 1.13', +'dnspython': 'dnspython >= 1.15', 'gssapi': 'gssapi >= 1.2.0', 'ipaclient': 'ipaclient == {}'.format(VERSION), 'ipalib': 'ipalib == {}'.format(VERSION), -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
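Review bot: the freeipa.spec.in hunks raise python-dns and python3-dns to `>= 1.15` in every Requires and BuildRequires line (python3-dns from 1.11.1 in the runtime Requires), and ipasetup.py.in follows with `dnspython >= 1.15`, but the commit message describes only the ToASCII change. Mention the dnspython 1.15 requirement and its reason in the commit message, or move the bump into its own commit, so the dependency change can be found and reverted independently of the code fix.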
[Freeipa-devel] [freeipa PR#333][comment] Remove named-pkcs11 workarounds from DNSSEC tests.
URL: https://github.com/freeipa/freeipa/pull/333
Title: #333: Remove named-pkcs11 workarounds from DNSSEC tests.

mbasti-rh commented:
"""
Please fix the issue reported by pylint
```
* Module ipatests.test_integration.test_dnssec
ipatests/test_integration/test_dnssec.py:9: [W0611(unused-import), ] Unused import pytest)
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/333#issuecomment-267000804
[Freeipa-devel] [freeipa PR#334][opened] Py3: Fix ToASCII method
URL: https://github.com/freeipa/freeipa/pull/334 Author: mbasti-rh Title: #334: Py3: Fix ToASCII method Action: opened PR body: """ in Py2 to_text method returns Py2 non-unicode string, but in Py3 to_text method returns Py3 default (unicode) string. So only in Py2 we have to decode str to unicode. https://fedorahosted.org/freeipa/ticket/5887 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/334/head:pr334 git checkout pr334 From 17c866c4b170f45a414a65a2dfc3bc85dbf3281c Mon Sep 17 00:00:00 2001 From: Martin BastiDate: Wed, 14 Dec 2016 10:12:05 +0100 Subject: [PATCH] Py3: Fix ToASCII method in Py2 to_text method returns Py2 non-unicode string, but in Py3 to_text method returns Py3 default (unicode) string. So only in Py2 we have to decode str to unicode. https://fedorahosted.org/freeipa/ticket/5887 --- freeipa.spec.in | 20 ++-- ipapython/dnsutil.py | 5 - ipasetup.py.in | 2 +- 3 files changed, 15 insertions(+), 12 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index fbb3945..73210b7 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -126,8 +126,8 @@ BuildRequires: python-memcached BuildRequires: python-lxml # 5.0.0: QRCode.print_ascii BuildRequires: python-qrcode-core >= 5.0.0 -# 1.13: python-dns URI record support -BuildRequires: python-dns >= 1.13 +# 1.15: python-dns PY3 support (many improvements) +BuildRequires: python-dns >= 1.15 BuildRequires: jsl BuildRequires: python-yubico # pki Python package @@ -163,8 +163,8 @@ BuildRequires: python3-memcached BuildRequires: python3-lxml # 5.0.0: QRCode.print_ascii BuildRequires: python3-qrcode-core >= 5.0.0 -# 1.13: python-dns URI record support -BuildRequires: python3-dns >= 1.13 +# 1.15: python-dns PY3 support (many improvements) +BuildRequires: python3-dns >= 1.15 BuildRequires: python3-yubico # pki Python package # 10.2.1: crypto.NSSCryptoProvider(password_file) 
@@ -294,7 +294,7 @@ Requires: python-gssapi >= 1.2.0 Requires: python-sssdconfig Requires: python-pyasn1 Requires: dbus-python -Requires: python-dns >= 1.13 +Requires: python-dns >= 1.15 Requires: python-kdcproxy >= 0.3 Requires: rpm-libs @@ -323,7 +323,7 @@ Requires: python3-gssapi >= 1.2.0 Requires: python3-sssdconfig Requires: python3-pyasn1 Requires: python3-dbus -Requires: python3-dns >= 1.11.1 +Requires: python3-dns >= 1.15 Requires: python3-kdcproxy >= 0.3 Requires: rpm-libs @@ -482,7 +482,7 @@ BuildArch: noarch Requires: %{name}-client-common = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} Requires: python2-ipalib = %{version}-%{release} -Requires: python-dns >= 1.13 +Requires: python-dns >= 1.15 %description -n python2-ipaclient IPA is an integrated solution to provide centrally managed Identity (users, @@ -504,7 +504,7 @@ BuildArch: noarch Requires: %{name}-client-common = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} Requires: python3-ipalib = %{version}-%{release} -Requires: python3-dns >= 1.11.1 +Requires: python3-dns >= 1.15 %description -n python3-ipaclient IPA is an integrated solution to provide centrally managed Identity (users, @@ -598,7 +598,7 @@ Requires: python-cffi Requires: python-ldap >= 2.4.15 Requires: python-requests Requires: python-custodia -Requires: python-dns >= 1.13 +Requires: python-dns >= 1.15 Requires: python-enum34 Requires: python-netifaces >= 0.10.4 Requires: pyusb @@ -648,7 +648,7 @@ Requires: python3-cffi Requires: python3-pyldap >= 2.4.15 Requires: python3-custodia Requires: python3-requests -Requires: python3-dns >= 1.11.1 +Requires: python3-dns >= 1.15 Requires: python3-netifaces >= 0.10.4 Requires: python3-pyusb diff --git a/ipapython/dnsutil.py b/ipapython/dnsutil.py index 16549c8..ba0f0aa 100644 --- a/ipapython/dnsutil.py +++ b/ipapython/dnsutil.py 
@@ -71,7 +71,10 @@ def __str__(self): def ToASCII(self): #method named by RFC 3490 and python standard library -return self.to_text().decode('ascii') # must be unicode string +res = self.to_text() +if six.PY2: +return res.decode('ascii') # must be unicode string in Python 2 +return res def canonicalize(self): return DNSName(super(DNSName, self).canonicalize()) diff --git a/ipasetup.py.in b/ipasetup.py.in index 6a33fb8..c221e0d 100644 --- a/ipasetup.py.in +++ b/ipasetup.py.in @@ -64,7 +64,7 @@ if SETUPTOOLS_VERSION < (8, 0, 0): PACKAGE_VERSION = { 'cryptography': 'cryptography >= 1.3.1', -'dnspython': 'dnspython >= 1.13', +'dnspython': 'dnspython >= 1.15', 'gssapi': 'gssapi >= 1.2.0', 'ipaclient': 'ipaclient == {}'.format(VERSION), 'ipalib': 'ipalib == {}'.format(VERSION), -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA:
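Review bot: The commit message describes only the ToASCII() change, while most of the diff (freeipa.spec.in and ipasetup.py.in) raises the minimum python-dns/dnspython version to 1.15, including python3-dns requirements that were previously at 1.11.1. Please state the dependency bump in the commit message, or split it into its own commit, so that packagers can find the reason for the new floor. The BuildRequires hunks also replace the comment `# 1.13: python-dns URI record support`, which drops the record of why 1.13 was needed; consider keeping that reason alongside the new 1.15 comment.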
[Freeipa-devel] [freeipa PR#330][closed] Build: forbid builds in working directories containing white spaces
URL: https://github.com/freeipa/freeipa/pull/330
Author: pspacek
Title: #330: Build: forbid builds in working directories containing white spaces
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/330/head:pr330
git checkout pr330
[Freeipa-devel] [freeipa PR#330][comment] Build: forbid builds in working directories containing white spaces
URL: https://github.com/freeipa/freeipa/pull/330
Title: #330: Build: forbid builds in working directories containing white spaces

martbab commented:
"""
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/19aba7c555edf065b9f2fa95142da81b92396264
"""

See the full comment at https://github.com/freeipa/freeipa/pull/330#issuecomment-266981513
[Freeipa-devel] [freeipa PR#330][+pushed] Build: forbid builds in working directories containing white spaces
URL: https://github.com/freeipa/freeipa/pull/330
Title: #330: Build: forbid builds in working directories containing white spaces
Label: +pushed
[Freeipa-devel] [freeipa PR#330][comment] Build: forbid builds in working directories containing white spaces
URL: https://github.com/freeipa/freeipa/pull/330
Title: #330: Build: forbid builds in working directories containing white spaces

martbab commented:
"""
I agree that a safeguard that fails early is sufficient for this corner-case unless someone proves us otherwise. PRs are welcome in that case.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/330#issuecomment-266981383
[Freeipa-devel] [freeipa PR#330][+ack] Build: forbid builds in working directories containing white spaces
URL: https://github.com/freeipa/freeipa/pull/330
Title: #330: Build: forbid builds in working directories containing white spaces
Label: +ack
Re: [Freeipa-devel] Travis CI unexpected PEP8 errors
On 12/14/2016 09:00 AM, Standa Laznicka wrote:
On 12/14/2016 02:53 AM, Ben Lipton wrote:

Hi all,

I'm pretty sure this is unrelated to the CI issues discussed in other threads recently, but they reminded me that I've been having this odd issue.

https://travis-ci.org/freeipa/freeipa/jobs/183756995 is the most recent run on my pull request, https://github.com/freeipa/freeipa/pull/10. For a while now, every time the CI runs on my PR, it fails due to several PEP8 errors that are not detected when I run `git diff master -U0 | pep8 --diff` on my local copy. In fact, the errors are all in files not touched by my PR, which doesn't make much sense to me based on the behavior of `git diff`.

I noticed that the top of the travis build says:
- Commit 1f50550
- #10: Client-side CSR autogeneration
- Branch master

I'm not sure what the "commit" link actually means, but that commit seems to have nothing to do with my PR nor the current master. Could Travis be diffing against the wrong code? Or if not, do you have any idea what might be causing these failures?

Thanks,
Ben

Hi Ben,

I was going through the Travis CI log of and noticed what might have caused the issue:

$ cd freeipa/freeipa
$ git fetch origin +refs/pull/109/merge:

It seems that for your pull request #10 (and for some reason for your pull request only), Travis fetched a different (old) pull request which it then tried to merge with current master, hence the errors. I don't think it was testing your code at all.

I do not have an explanation for this other than it might be a Travis bug, CCing Martin for a better answer.

Standa

Yes indeed for some reason Travis fetches completely wrong PR for tests. I have no idea why it does this. I have tried to restart the build with the same results. We will probably have to contact Travis support for this issue.

In the meanwhile, can you prepare a separate PR from completely new branch with the same commits so that we can see if it catches up this time?

-- Martin^3 Babinsky