[Freeipa-devel] [freeipa PR#437][comment] FIPS: replica install check

2017-02-06 Thread martbab 
  URL: https://github.com/freeipa/freeipa/pull/437
Title: #437: FIPS: replica install check

martbab commented:
"""
@tomaskrizek since you added a new key to the Env object, you will have to fix 
`test_ipalib/test_config.py` to account for this change, see 
https://travis-ci.org/freeipa/freeipa/jobs/198916106#L443
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/437#issuecomment-277924079
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] python-pyasn1 updated in rawhide and updates-testing for F-25

2017-02-06 Thread Rob Crittenden 
I updated the Fedora pyasn1 package to the latest release, 0.2.1. I did
some very basic testing against IPA 4.2 and it worked ok.

The build is already up in rawhide and is on the way to updates-testing
in Bohdi. It would be great to get some karma on it. I have auto-push
turned off so it won't go stable in a week automatically.

rob

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#437][comment] FIPS: replica install check

2017-02-06 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/437
Title: #437: FIPS: replica install check

MartinBasti commented:
"""
@tomaskrizek on current versions of RHEL and fedora IPA doesn't start in FIPS, 
but upgrading first and then enabling FIPS might be the way
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/437#issuecomment-28586
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#427][synchronized] [Py3] WSGI part 2

2017-02-06 Thread MartinBasti 
   URL: https://github.com/freeipa/freeipa/pull/427
Author: MartinBasti
 Title: #427: [Py3] WSGI part 2
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/427/head:pr427
git checkout pr427
From 162cbe92129170f45267e38e14ebdb31e09ab4cd Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 24 Jan 2017 17:49:06 +0100
Subject: [PATCH 1/8] py3: base64 encoding/decoding returns always bytes don't
 mix it

Using unicode(bytes) call causes undesired side effect that is inserting
`b` character to result. This obviously causes issues with binary base64 data

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/plugins/baseldap.py | 2 +-
 ipaserver/plugins/ca.py   | 4 +---
 ipaserver/plugins/cert.py | 2 +-
 ipaserver/secrets/client.py   | 6 --
 4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/ipaserver/plugins/baseldap.py b/ipaserver/plugins/baseldap.py
index e7bf43c..24b6db7 100644
--- a/ipaserver/plugins/baseldap.py
+++ b/ipaserver/plugins/baseldap.py
@@ -1036,7 +1036,7 @@ def process_attr_options(self, entry_attrs, dn, keys, options):
 except ValueError:
 if isinstance(delval, bytes):
 # This is a Binary value, base64 encode it
-delval = unicode(base64.b64encode(delval))
+delval = base64.b64encode(delval).decode('ascii')
 raise errors.AttrValueNotFound(attr=attr, value=delval)
 
 # normalize all values
diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
index 4f24278..3a052a1 100644
--- a/ipaserver/plugins/ca.py
+++ b/ipaserver/plugins/ca.py
@@ -4,8 +4,6 @@
 
 import base64
 
-import six
-
 from ipalib import api, errors, output, Bytes, DNParam, Flag, Str
 from ipalib.constants import IPA_CA_CN
 from ipalib.plugable import Registry
@@ -176,7 +174,7 @@ def set_certificate_attrs(entry, options, want_cert=True):
 with api.Backend.ra_lightweight_ca as ca_api:
 if want_cert or full:
 der = ca_api.read_ca_cert(ca_id)
-entry['certificate'] = six.text_type(base64.b64encode(der))
+entry['certificate'] = base64.b64encode(der).decode('ascii')
 
 if want_chain or full:
 pkcs7_der = ca_api.read_ca_chain(ca_id)
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 5bf4cfb..6bf5c03 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -1260,7 +1260,7 @@ def _get_cert_key(self, cert):
 return (DN(cert_obj.issuer), cert_obj.serial)
 
 def _get_cert_obj(self, cert, all, raw, pkey_only):
-obj = {'certificate': unicode(base64.b64encode(cert))}
+obj = {'certificate': base64.b64encode(cert).decode('ascii')}
 
 full = not pkey_only and all
 if not raw:
diff --git a/ipaserver/secrets/client.py b/ipaserver/secrets/client.py
index a04b9a6..a945e01 100644
--- a/ipaserver/secrets/client.py
+++ b/ipaserver/secrets/client.py
@@ -70,7 +70,8 @@ def init_creds(self):
 name = gssapi.Name(self.client_service,
gssapi.NameType.hostbased_service)
 store = {'client_keytab': self.keytab,
- 'ccache': 'MEMORY:Custodia_%s' % b64encode(os.urandom(8))}
+ 'ccache': 'MEMORY:Custodia_%s' % b64encode(
+ os.urandom(8)).decode('ascii')}
 return gssapi.Credentials(name=name, store=store, usage='initiate')
 
 def _auth_header(self):
@@ -78,7 +79,8 @@ def _auth_header(self):
 self.creds = self.init_creds()
 ctx = gssapi.SecurityContext(name=self.service_name, creds=self.creds)
 authtok = ctx.step()
-return {'Authorization': 'Negotiate %s' % b64encode(authtok)}
+return {'Authorization': 'Negotiate %s' % b64encode(
+authtok).decode('ascii')}
 
 def fetch_key(self, keyname, store=True):
 

From 29b280bf7e3c88de40647adc3b06bf84f4b827f1 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 24 Jan 2017 18:31:50 +0100
Subject: [PATCH 2/8] py3: base64.b64encode requires bytes as param

Decimal must be changed to string first and then encoded to bytes

https://fedorahosted.org/freeipa/ticket/4985
---
 ipalib/rpc.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 356ec42..3dc7936 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -308,7 +308,7 @@ def json_encode_binary(val, version):
 encoded = encoded.decode('ascii')
 return {'__base64__': encoded}
 elif isinstance(val, Decimal):
-return {'__base64__': base64.b64encode(str(val))}
+return {'__base64__': base64.b64encode(str(val).encode('ascii'))}
 elif isinstance(val, DN):
 return str(val)
 elif isinstance(val, datetime.datetime):

From 91876550e768b362fdab729ee21dfe8187937c83

[Freeipa-devel] [freeipa PR#435][synchronized] py3: cert.py: create principal object from string

2017-02-06 Thread MartinBasti 
   URL: https://github.com/freeipa/freeipa/pull/435
Author: MartinBasti
 Title: #435: py3: cert.py: create principal object from string
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/435/head:pr435
git checkout pr435
From aa2169f023287e308f6541bec56720865f54b331 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Mon, 6 Feb 2017 12:14:38 +0100
Subject: [PATCH] py3: x509.py: return principal as unicode string

X509 return principal as unicode string

https://fedorahosted.org/freeipa/ticket/4985
https://fedorahosted.org/freeipa/ticket/6640
---
 ipalib/x509.py | 12 ++--
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/ipalib/x509.py b/ipalib/x509.py
index 87d46ae..60a947b 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -361,13 +361,13 @@ class _KRB5PrincipalName(univ.Sequence):
 
 def _decode_krb5principalname(data):
 principal = decoder.decode(data, asn1Spec=_KRB5PrincipalName())[0]
-realm = (str(principal['realm']).replace('\\', '')
-.replace('@', '\\@'))
+realm = (unicode(principal['realm']).replace('\\', '')
+.replace('@', '\\@'))
 name = principal['principalName']['name-string']
-name = '/'.join(str(n).replace('\\', '')
-  .replace('/', '\\/')
-  .replace('@', '\\@') for n in name)
-name = '%s@%s' % (name, realm)
+name = u'/'.join(unicode(n).replace('\\', '')
+   .replace('/', '\\/')
+   .replace('@', '\\@') for n in name)
+name = u'%s@%s' % (name, realm)
 return name
 
 
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#435][edited] py3: fix replica install regression

2017-02-06 Thread MartinBasti 
   URL: https://github.com/freeipa/freeipa/pull/435
Author: MartinBasti
 Title: #435: py3: fix replica install regression
Action: edited

 Changed field: title
Original value:
"""
py3: cert.py: create principal object from string
"""

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#437][synchronized] FIPS: replica install check

2017-02-06 Thread tomaskrizek 
   URL: https://github.com/freeipa/freeipa/pull/437
Author: tomaskrizek
 Title: #437: FIPS: replica install check
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/437/head:pr437
git checkout pr437
From bef382c8b3039c39aafdad7203932d92e7670162 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 6 Feb 2017 13:08:11 +0100
Subject: [PATCH 1/3] Add fips_mode variable to env

Variable fips_mode indicating whether machine is running in
FIPS-enabled mode was added to env.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipalib/config.py | 5 +
 1 file changed, 5 insertions(+)

diff --git a/ipalib/config.py b/ipalib/config.py
index 20591db..4002164 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -44,6 +44,7 @@
 from ipalib.constants import CONFIG_SECTION
 from ipalib.constants import OVERRIDE_ERROR, SET_ERROR, DEL_ERROR
 from ipalib import errors
+from ipaplatform.tasks import tasks
 
 if six.PY3:
 unicode = str
@@ -497,6 +498,10 @@ def _bootstrap(self, **overrides):
 if 'plugins_on_demand' not in self:
 self.plugins_on_demand = (self.context == 'cli')
 
+# Set fips_mode:
+if 'fips_mode' not in self:
+self.fips_mode = tasks.is_fips_enabled()
+
 def _finalize_core(self, **defaults):
 """
 Complete initialization of standard IPA environment.

From cd8a3982dadc32fe65fc8b2e4d98c3c574a84f33 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 6 Feb 2017 17:17:49 +0100
Subject: [PATCH 2/3] check_remote_version: update exception and string

Refactor function to use ScriptError exception and proper
string formatting.
---
 ipaserver/install/server/replicainstall.py | 9 ++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 18222c8..f9951b0 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -518,12 +518,15 @@ def check_remote_version(api):
 finally:
 client.disconnect()
 
+# Check version compatibility
 remote_version = parse_version(env['version'])
 api_version = parse_version(api.env.version)
 if remote_version > api_version:
-raise RuntimeError(
-"Cannot install replica of a server of higher version ({}) than"
-"the local version ({})".format(remote_version, api_version))
+raise ScriptError(
+"Cannot install replica of a server of higher version "
+"(%(remote_version)s) than the local version (%(api_version)s)"
+% dict(remote_version=remote_version, api_version=api_version))
+
 
 
 def common_check(no_ntp):

From 8b07c3bbedf1b873fd96604ea462965b08457f26 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 6 Feb 2017 17:31:56 +0100
Subject: [PATCH 3/3] FIPS: perform replica installation check

Check status of remote server's FIPS mode and proceed with
installation only if it matches the current replica's FIPS mode.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipaserver/install/server/replicainstall.py | 25 ++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index f9951b0..620c37c 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -508,13 +508,20 @@ def promote_openldap_conf(hostname, master):
 root_logger.info("Failed to update {}: {}".format(ldap_conf, e))
 
 
-def check_remote_version(api):
+def check_remote_compatibility(api):
+"""
+Perform a check to verify remote server's version and fips-mode
+
+:param api: remote api
+
+:raises: ``ScriptError`` if the checks fails
+"""
 client = rpc.jsonclient(api)
 client.finalize()
 
 client.connect()
 try:
-env = client.forward(u'env', u'version')['result']
+env = client.forward(u'env', u'version', u'fips_mode')['result']
 finally:
 client.disconnect()
 
@@ -527,6 +534,18 @@ def check_remote_version(api):
 "(%(remote_version)s) than the local version (%(api_version)s)"
 % dict(remote_version=remote_version, api_version=api_version))
 
+# Check FIPS mode compatibility
+remote_fips_mode = env['fips_mode']
+fips_mode = tasks.is_fips_enabled()
+if fips_mode != remote_fips_mode:
+if fips_mode:
+raise ScriptError(
+"Cannot join FIPS-enabled replica into existing topology: "
+"FIPS is not enabled on the master server.")
+else:
+raise ScriptError(
+"Cannot join replica into existing FIPS-enabled topology: "
+"FIPS has to be enabled locally first.")
 
 
 def common_check(no_ntp):
@@

[Freeipa-devel] [freeipa PR#437][comment] FIPS: replica install check

2017-02-06 Thread tomaskrizek 
  URL: https://github.com/freeipa/freeipa/pull/437
Title: #437: FIPS: replica install check

tomaskrizek commented:
"""
@MartinBasti Since this check is performed only during installation, the user 
could simply install non-FIPS replica and then turn FIPS on afterwards. There 
might be issues with this approach and thus it is neither recommended nor 
supported, as stated in the 
[documentation](https://www.freeipa.org/page/V4/FreeIPA-on-FIPS#Multiple_servers_in_topology).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/437#issuecomment-277745754
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#437][comment] FIPS: replica install check

2017-02-06 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/437
Title: #437: FIPS: replica install check

MartinBasti commented:
"""
I'm still afraid that users may want to create a FIPS replica from the non-FIPS 
master, even if it is not recommended due security. How can be this achieved?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/437#issuecomment-277743511
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#409][+ack] ipatests: nested netgroups (intg)

2017-02-06 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/409
Title: #409: ipatests: nested netgroups (intg)

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#437][synchronized] FIPS: replica install check

2017-02-06 Thread tomaskrizek 
   URL: https://github.com/freeipa/freeipa/pull/437
Author: tomaskrizek
 Title: #437: FIPS: replica install check
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/437/head:pr437
git checkout pr437
From 0bd1d63ec30eff4583ff314edb6dfa38acf28f63 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 6 Feb 2017 13:08:11 +0100
Subject: [PATCH 1/3] Add fips_mode variabl to env

Variable fips_mode indicating whether machine is running in
FIPS-enabled mode was added to env.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipalib/config.py | 5 +
 1 file changed, 5 insertions(+)

diff --git a/ipalib/config.py b/ipalib/config.py
index 20591db..4002164 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -44,6 +44,7 @@
 from ipalib.constants import CONFIG_SECTION
 from ipalib.constants import OVERRIDE_ERROR, SET_ERROR, DEL_ERROR
 from ipalib import errors
+from ipaplatform.tasks import tasks
 
 if six.PY3:
 unicode = str
@@ -497,6 +498,10 @@ def _bootstrap(self, **overrides):
 if 'plugins_on_demand' not in self:
 self.plugins_on_demand = (self.context == 'cli')
 
+# Set fips_mode:
+if 'fips_mode' not in self:
+self.fips_mode = tasks.is_fips_enabled()
+
 def _finalize_core(self, **defaults):
 """
 Complete initialization of standard IPA environment.

From 2da87d402bdecffbb3004c87312605453edcb01e Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 6 Feb 2017 17:17:49 +0100
Subject: [PATCH 2/3] check_remote_version: update exception and string

Refactor function to use i18n string and ScriptError exception.
---
 ipaserver/install/server/replicainstall.py | 11 +++
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 18222c8..06af62a 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -28,7 +28,7 @@
 from ipaplatform import services
 from ipaplatform.tasks import tasks
 from ipaplatform.paths import paths
-from ipalib import api, constants, create_api, errors, rpc, x509
+from ipalib import _, api, constants, create_api, errors, rpc, x509
 from ipalib.config import Env
 from ipalib.util import (
 network_ip_address_warning,
@@ -518,12 +518,15 @@ def check_remote_version(api):
 finally:
 client.disconnect()
 
+# Check version compatibility
 remote_version = parse_version(env['version'])
 api_version = parse_version(api.env.version)
 if remote_version > api_version:
-raise RuntimeError(
-"Cannot install replica of a server of higher version ({}) than"
-"the local version ({})".format(remote_version, api_version))
+raise ScriptError(
+_("Cannot install replica of a server of higher version "
+  "(%(remote_version)s) than the local version (%(api_version)s)")
+% dict(remote_version=remote_version, api_version=api_version))
+
 
 
 def common_check(no_ntp):

From 1dacf228b1bda1c4298203f8f80f3d4818eecb65 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 6 Feb 2017 17:31:56 +0100
Subject: [PATCH 3/3] FIPS: perform replica installation check

Check status of remote server's FIPS mode and proceed with
installation only if it matches the current replica's FIPS mode.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipaserver/install/server/replicainstall.py | 25 ++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 06af62a..64ffb9a 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -508,13 +508,20 @@ def promote_openldap_conf(hostname, master):
 root_logger.info("Failed to update {}: {}".format(ldap_conf, e))
 
 
-def check_remote_version(api):
+def check_remote_compatibility(api):
+"""
+Perform a check to verify remote server's version and fips-mode
+
+:param api: remote api
+
+:raises: ``ScriptError`` if the checks fails
+"""
 client = rpc.jsonclient(api)
 client.finalize()
 
 client.connect()
 try:
-env = client.forward(u'env', u'version')['result']
+env = client.forward(u'env', u'version', u'fips_mode')['result']
 finally:
 client.disconnect()
 
@@ -527,6 +534,18 @@ def check_remote_version(api):
   "(%(remote_version)s) than the local version (%(api_version)s)")
 % dict(remote_version=remote_version, api_version=api_version))
 
+# Check FIPS mode compatibility
+remote_fips_mode = env['fips_mode']
+fips_mode = tasks.is_fips_enabled()
+if fips_mode != remote_fips_mode:
+if fips_mode:
+raise ScriptError(
+

[Freeipa-devel] [freeipa PR#422][+pushed] Fix reference before assignment

2017-02-06 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/422
Title: #422: Fix reference before assignment

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#422][closed] Fix reference before assignment

2017-02-06 Thread MartinBasti 
   URL: https://github.com/freeipa/freeipa/pull/422
Author: frasertweedale
 Title: #422: Fix reference before assignment
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/422/head:pr422
git checkout pr422
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#422][comment] Fix reference before assignment

2017-02-06 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/422
Title: #422: Fix reference before assignment

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/924794f62b9d3d0f46ca18e4f9338eaed865c03e
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/422#issuecomment-277734802
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#395][synchronized] Configure PKI ajp redirection to use "localhost" instead of "::1"

2017-02-06 Thread flo-renaud 
   URL: https://github.com/freeipa/freeipa/pull/395
Author: flo-renaud
 Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1"
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/395/head:pr395
git checkout pr395
From 9e33ca9cbac1837cf779673e5479f3718ef8e759 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Thu, 12 Jan 2017 18:17:15 +0100
Subject: [PATCH] Do not configure PKI ajp redirection to use "::1"

When ipa-server-install configures PKI, it provides a configuration file
with the parameter pki_ajp_host set to ::1. This parameter is used to configure
Tomcat redirection in /etc/pki/pki-tomcat/server.xml:

ie all requests to port 8009 are redirected to port 8443 on address ::1.

If the /etc/hosts config file does not define ::1 for localhost, then AJP
redirection fails and replica install is not able to request a certificate
for the replica.

Since PKI has been fixed (see PKI ticket 2570) to configure by default the AJP
redirection with "localhost", FreeIPA does not need any more to override
this setting.
The code now depends on pki 10.3.5-11 which provides the fix in the template
and the upgrade.

https://fedorahosted.org/freeipa/ticket/6575
---
 freeipa.spec.in | 4 ++--
 ipaserver/install/cainstance.py | 4 
 2 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index ba2e294..29d652e 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -246,8 +246,8 @@ Requires(post): systemd-units
 Requires: selinux-policy >= %{selinux_policy_version}
 Requires(post): selinux-policy-base >= %{selinux_policy_version}
 Requires: slapi-nis >= %{slapi_nis_version}
-Requires: pki-ca >= 10.3.5-6
-Requires: pki-kra >= 10.3.5-6
+Requires: pki-ca >= 10.3.5-11
+Requires: pki-kra >= 10.3.5-11
 Requires(preun): python systemd-units
 Requires(postun): python systemd-units
 Requires: policycoreutils >= 2.1.12-5
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index a73a9c4..1cc74de 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -594,10 +594,6 @@ def __spawn_instance(self):
 config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name)
 config.set("CA", "pki_external_step_two", "True")
 
-# PKI IPv6 Configuration
-config.add_section("Tomcat")
-config.set("Tomcat", "pki_ajp_host", "::1")
-
 # Generate configuration file
 with open(cfg_file, "w") as f:
 config.write(f)
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#395][comment] Configure PKI ajp redirection to use "localhost" instead of "::1"

2017-02-06 Thread flo-renaud 
  URL: https://github.com/freeipa/freeipa/pull/395
Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1"

flo-renaud commented:
"""
Hi,
PR updated with dependency on pki 10.3.5-11 (note that this package is 
currently available in fedora updates-testing only).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/395#issuecomment-277734364
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#432][+pushed] build: Add missing dependency on libxmlrpc{, _util}

2017-02-06 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/432
Title: #432: build: Add missing dependency on libxmlrpc{,_util}

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#432][closed] build: Add missing dependency on libxmlrpc{, _util}

2017-02-06 Thread MartinBasti 
   URL: https://github.com/freeipa/freeipa/pull/432
Author: dkupka
 Title: #432: build: Add missing dependency on libxmlrpc{,_util}
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/432/head:pr432
git checkout pr432
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#432][comment] build: Add missing dependency on libxmlrpc{, _util}

2017-02-06 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/432
Title: #432: build: Add missing dependency on libxmlrpc{,_util}

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/f4088b3a00b3cbd1a0133ac90cba85e501573f76
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/432#issuecomment-277732073
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#437][opened] FIPS: replica install check

2017-02-06 Thread tomaskrizek 
   URL: https://github.com/freeipa/freeipa/pull/437
Author: tomaskrizek
 Title: #437: FIPS: replica install check
Action: opened

PR body:
"""
PR depends on the rest of the FIPS patches.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/437/head:pr437
git checkout pr437
From 0bd1d63ec30eff4583ff314edb6dfa38acf28f63 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 6 Feb 2017 13:08:11 +0100
Subject: [PATCH 1/2] Add fips_mode variabl to env

Variable fips_mode indicating whether machine is running in
FIPS-enabled mode was added to env.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipalib/config.py | 5 +
 1 file changed, 5 insertions(+)

diff --git a/ipalib/config.py b/ipalib/config.py
index 20591db..4002164 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -44,6 +44,7 @@
 from ipalib.constants import CONFIG_SECTION
 from ipalib.constants import OVERRIDE_ERROR, SET_ERROR, DEL_ERROR
 from ipalib import errors
+from ipaplatform.tasks import tasks
 
 if six.PY3:
 unicode = str
@@ -497,6 +498,10 @@ def _bootstrap(self, **overrides):
 if 'plugins_on_demand' not in self:
 self.plugins_on_demand = (self.context == 'cli')
 
+# Set fips_mode:
+if 'fips_mode' not in self:
+self.fips_mode = tasks.is_fips_enabled()
+
 def _finalize_core(self, **defaults):
 """
 Complete initialization of standard IPA environment.

From b1eeace0fba4f36e20a4e2976cf3a4024aa57917 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 6 Feb 2017 16:15:49 +0100
Subject: [PATCH 2/2] FIPS: perform replica installation check

Check status of remote server's FIPS mode and proceed with
installation only if it matches the current replica's FIPS mode.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipaserver/install/server/replicainstall.py | 30 +++---
 1 file changed, 23 insertions(+), 7 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 18222c8..67f9e34 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -28,7 +28,7 @@
 from ipaplatform import services
 from ipaplatform.tasks import tasks
 from ipaplatform.paths import paths
-from ipalib import api, constants, create_api, errors, rpc, x509
+from ipalib import _, api, constants, create_api, errors, rpc, x509
 from ipalib.config import Env
 from ipalib.util import (
 network_ip_address_warning,
@@ -508,22 +508,38 @@ def promote_openldap_conf(hostname, master):
 root_logger.info("Failed to update {}: {}".format(ldap_conf, e))
 
 
-def check_remote_version(api):
+def check_remote_compatibility(api):
+"""Perform a check to verify remote server's version and fips-mode."""
 client = rpc.jsonclient(api)
 client.finalize()
 
 client.connect()
 try:
-env = client.forward(u'env', u'version')['result']
+env = client.forward(u'env', u'version', u'fips_mode')['result']
 finally:
 client.disconnect()
 
+# Check version compatibility
 remote_version = parse_version(env['version'])
 api_version = parse_version(api.env.version)
 if remote_version > api_version:
-raise RuntimeError(
-"Cannot install replica of a server of higher version ({}) than"
-"the local version ({})".format(remote_version, api_version))
+raise ScriptError(
+_("Cannot install replica of a server of higher version "
+  "(%(remote_version)s) than the local version (%(api_version)s)")
+% dict(remote_version=remote_version, api_version=api_version))
+
+# Check FIPS mode compatibility
+remote_fips_mode = env['fips_mode']
+fips_mode = tasks.is_fips_enabled()
+if fips_mode != remote_fips_mode:
+if fips_mode:
+raise ScriptError(
+_("Cannot join FIPS-enabled replica into existing topology: "
+  "FIPS is not enabled on the master server."))
+else:
+raise ScriptError(
+_("Cannot join replica into existing FIPS-enabled topology: "
+  "FIPS has to be enabled locally first."))
 
 
 def common_check(no_ntp):
@@ -1077,7 +1093,7 @@ def promote_check(installer):
 remote_api.finalize()
 installer._remote_api = remote_api
 
-check_remote_version(remote_api)
+check_remote_compatibility(remote_api)
 
 conn = remote_api.Backend.ldap2
 replman = None
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#436][closed] x509: allow leading text in PEM files

2017-02-06 Thread HonzaCholasta 
   URL: https://github.com/freeipa/freeipa/pull/436
Author: HonzaCholasta
 Title: #436: x509: allow leading text in PEM files
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/436/head:pr436
git checkout pr436
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#436][comment] x509: allow leading text in PEM files

2017-02-06 Thread HonzaCholasta 
  URL: https://github.com/freeipa/freeipa/pull/436
Title: #436: x509: allow leading text in PEM files

HonzaCholasta commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/89dfbab3ca076812590f371c21abcb51b350170b
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/436#issuecomment-277687144
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#436][+pushed] x509: allow leading text in PEM files

2017-02-06 Thread HonzaCholasta 
  URL: https://github.com/freeipa/freeipa/pull/436
Title: #436: x509: allow leading text in PEM files

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#409][synchronized] ipatests: nested netgroups (intg)

2017-02-06 Thread celestian 
   URL: https://github.com/freeipa/freeipa/pull/409
Author: celestian
 Title: #409: ipatests: nested netgroups (intg)
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/409/head:pr409
git checkout pr409
From 580daa224ea990753ff90d8f25d094259ca13ff2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= 
Date: Mon, 23 Jan 2017 18:46:42 +0100
Subject: [PATCH] ipatests: nested netgroups (intg)

Adds a test case for issue in SSSD that manifested in
an inability to resolve nested membership in netgroups

The test case tests for direct and indirect membership.

https://fedorahosted.org/freeipa/ticket/6439
---
 Contributors.txt   |   1 +
 ipatests/test_integration/test_netgroup.py | 169 +
 2 files changed, 170 insertions(+)
 create mode 100644 ipatests/test_integration/test_netgroup.py

diff --git a/Contributors.txt b/Contributors.txt
index a003a3e..7a1913b 100644
--- a/Contributors.txt
+++ b/Contributors.txt
@@ -24,6 +24,7 @@ Developers:
 	Brian Cook
 	Rob Crittenden
 	Frank Cusack
+	Petr Čech
 	Nalin Dahyabhai
 	Don Davis
 	John Dennis
diff --git a/ipatests/test_integration/test_netgroup.py b/ipatests/test_integration/test_netgroup.py
new file mode 100644
index 000..45f2f3f
--- /dev/null
+++ b/ipatests/test_integration/test_netgroup.py
@@ -0,0 +1,169 @@
+#
+# Copyright (C) 2017  FreeIPA Contributors see COPYING for license
+#
+
+import pytest
+
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration.tasks import clear_sssd_cache
+
+
+test_data = []
+for i in range(3):
+data = {
+'user': {
+'login': 'testuser_{}'.format(i),
+'first': 'Test_{}'.format(i),
+'last': 'User_{}'.format(i),
+},
+'netgroup': 'testgroup_{}'.format(i),
+'nested_netgroup': 'testgroup_{}'.format(i-1) if i > 0 else None
+}
+test_data.append(data)
+members = [d['user']['login'] for d in test_data]
+test_data[-1]['netgroup_nested_members'] = members
+
+
+@pytest.fixture()
+def three_netgroups(request):
+"""Prepare basic netgroups with users"""
+
+for d in test_data:
+request.cls.master.run_command(['ipa', 'user-add', d['user']['login'],
+'--first', d['user']['first'],
+'--last', d['user']['last']],
+   raiseonerr=False)
+
+request.cls.master.run_command(['ipa', 'netgroup-add', d['netgroup']],
+   raiseonerr=False)
+
+user_opt = '--users={u[login]}'.format(u=d['user'])
+request.cls.master.run_command(['ipa', 'netgroup-add-member', user_opt,
+d['netgroup']], raiseonerr=False)
+
+def teardown_three_netgroups():
+"""Clean basic netgroups with users"""
+for d in test_data:
+request.cls.master.run_command(['ipa', 'user-del',
+d['user']['login']],
+   raiseonerr=False)
+
+request.cls.master.run_command(['ipa', 'netgroup-del',
+d['netgroup']],
+   raiseonerr=False)
+
+request.addfinalizer(teardown_three_netgroups)
+
+
+class TestNetgroups(IntegrationTest):
+"""
+Test Netgroups
+"""
+
+topology = 'line'
+
+def check_users_in_netgroups(self):
+"""Check if users are in groups, no nested things"""
+master = self.master
+clear_sssd_cache(master)
+
+for d in test_data:
+result = master.run_command(['getent', 'passwd',
+ d['user']['login']], raiseonerr=False)
+assert result.returncode == 0
+
+user = '{u[first]} {u[last]}'.format(u=d['user'])
+assert user in result.stdout_text
+
+result = master.run_command(['getent', 'netgroup',
+ d['netgroup']], raiseonerr=False)
+assert result.returncode == 0
+
+netgroup = '(-,{},{})'.format(d['user']['login'],
+  self.master.domain.name)
+assert netgroup in result.stdout_text
+
+def check_nested_netgroup_hierarchy(self):
+"""Check if nested netgroups hierarchy is complete"""
+master = self.master
+clear_sssd_cache(master)
+
+for d in test_data:
+result = master.run_command(['getent', 'netgroup', d['netgroup']],
+raiseonerr=False)
+assert result.returncode == 0
+
+for member in d['netgroup_nested_members']:
+if not member:
+continue
+
+netgroup = '(-,{},{})'.format(member,

[Freeipa-devel] [freeipa PR#436][+ack] x509: allow leading text in PEM files

2017-02-06 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/436
Title: #436: x509: allow leading text in PEM files

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1

2017-02-06 Thread abbra 
  URL: https://github.com/freeipa/freeipa/pull/410
Title: #410: ipa-kdb: support KDB DAL version 6.1

abbra commented:
"""
I split the tables into separate ones and also made independent #if/#endif 
blocks for them. Finally, I added a spec file guard to force using 1.15-5 or 
later version on Fedora 26 or later.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/410#issuecomment-277669579
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#410][synchronized] ipa-kdb: support KDB DAL version 6.1

2017-02-06 Thread abbra 
   URL: https://github.com/freeipa/freeipa/pull/410
Author: abbra
 Title: #410: ipa-kdb: support KDB DAL version 6.1
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/410/head:pr410
git checkout pr410
From 0972231c6637715684fb8c61c3bd6e4277988dbc Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Tue, 24 Jan 2017 11:02:30 +0200
Subject: [PATCH] ipa-kdb: support KDB DAL version 6.1

DAL version 6.0 removed support for a callback to free principal.
This broke KDB drivers which had complex e_data structure within
the principal structure. As result, FreeIPA KDB driver was leaking
memory with DAL version 6.0 (krb5 1.15).

DAL version 6.1 added a special callback for freeing e_data structure.
See details at krb5/krb5#596

Restructure KDB driver code to provide this callback in case
we are built against DAL version that supports it. For DAL version
prior to 6.0 use this callback in the free_principal callback to
tidy the code.

https://fedorahosted.org/freeipa/ticket/6619
---
 configure.ac | 21 ++
 daemons/ipa-kdb/ipa_kdb.c| 42 ++--
 daemons/ipa-kdb/ipa_kdb.h|  2 ++
 daemons/ipa-kdb/ipa_kdb_principals.c | 42 
 freeipa.spec.in  |  4 
 5 files changed, 91 insertions(+), 20 deletions(-)

diff --git a/configure.ac b/configure.ac
index 6cd3a89..e2f71d7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -65,6 +65,27 @@ krb5rundir="${localstatedir}/run/krb5kdc"
 AC_SUBST(KRAD_LIBS)
 AC_SUBST(krb5rundir)
 
+AC_CHECK_HEADER(kdb.h, [], [AC_MSG_ERROR([kdb.h not found])])
+AC_CHECK_MEMBER(
+	[kdb_vftabl.free_principal],
+	[AC_DEFINE([HAVE_KDB_FREEPRINCIPAL], [1],
+		   [KDB driver API has free_principal callback])],
+	[AC_MSG_NOTICE([KDB driver API has no free_principal callback])],
+	[[#include ]])
+AC_CHECK_MEMBER(
+	[kdb_vftabl.free_principal_e_data],
+	[AC_DEFINE([HAVE_KDB_FREEPRINCIPAL_EDATA], [1],
+		   [KDB driver API has free_principal_e_data callback])],
+	[AC_MSG_NOTICE([KDB driver API has no free_principal_e_data callback])],
+	[[#include ]])
+
+if test "x$ac_cv_member_kdb_vftabl_free_principal" = "xno" \
+	-a "x$ac_cv_member_kdb_vftable_free_principal_e_data" = "xno" ; then
+AC_MSG_WARN([KDB driver API does not allow to free Kerberos principal data.])
+AC_MSG_WARN([KDB driver will leak memory on Kerberos principal use])
+AC_MSG_WARN([See https://github.com/krb5/krb5/pull/596 for details])
+fi
+
 dnl ---
 dnl - Check for OpenLDAP SDK
 dnl ---
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index e96353f..e74ab56 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -625,6 +625,9 @@ static void ipadb_free(krb5_context context, void *ptr)
 
 /* KDB Virtual Table */
 
+/* We explicitly want to keep different ABI tables below separate. */
+/* Do not merge them together. Older ABI does not need to be updated */
+
 #if KRB5_KDB_DAL_MAJOR_VERSION == 5
 kdb_vftabl kdb_function_table = {
 .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
@@ -657,8 +660,9 @@ kdb_vftabl kdb_function_table = {
 .audit_as_req = ipadb_audit_as_req,
 .check_allowed_to_delegate = ipadb_check_allowed_to_delegate
 };
+#endif
 
-#elif KRB5_KDB_DAL_MAJOR_VERSION == 6
+#if (KRB5_KDB_DAL_MAJOR_VERSION == 6) && !defined(HAVE_KDB_FREEPRINCIPAL_EDATA)
 kdb_vftabl kdb_function_table = {
 .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
 .min_ver = 0,
@@ -686,8 +690,42 @@ kdb_vftabl kdb_function_table = {
 .audit_as_req = ipadb_audit_as_req,
 .check_allowed_to_delegate = ipadb_check_allowed_to_delegate
 };
+#endif
+
+#if (KRB5_KDB_DAL_MAJOR_VERSION == 6) && defined(HAVE_KDB_FREEPRINCIPAL_EDATA)
+kdb_vftabl kdb_function_table = {
+.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
+.min_ver = 1,
+.init_library = ipadb_init_library,
+.fini_library = ipadb_fini_library,
+.init_module = ipadb_init_module,
+.fini_module = ipadb_fini_module,
+.create = ipadb_create,
+.get_age = ipadb_get_age,
+.get_principal = ipadb_get_principal,
+.put_principal = ipadb_put_principal,
+.delete_principal = ipadb_delete_principal,
+.iterate = ipadb_iterate,
+.create_policy = ipadb_create_pwd_policy,
+.get_policy = ipadb_get_pwd_policy,
+.put_policy = ipadb_put_pwd_policy,
+.iter_policy = ipadb_iterate_pwd_policy,
+.delete_policy = ipadb_delete_pwd_policy,
+.fetch_master_key = ipadb_fetch_master_key,
+.store_master_key_list = ipadb_store_master_key_list,
+.change_pwd = ipadb_change_pwd,
+.sign_authdata = ipadb_sign_authdata,
+.check_transited_realms = ipadb_check_transited_realms,
+.check_policy_as = ipadb_check_policy_as,
+.audit_as_req =

[Freeipa-devel] [freeipa PR#436][comment] x509: allow leading text in PEM files

2017-02-06 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/436
Title: #436: x509: allow leading text in PEM files

tiran commented:
"""
Yes, please keep the test. It should pass with the current regular expression, 
too.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/436#issuecomment-277665259
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#436][synchronized] x509: allow leading text in PEM files

2017-02-06 Thread HonzaCholasta 
   URL: https://github.com/freeipa/freeipa/pull/436
Author: HonzaCholasta
 Title: #436: x509: allow leading text in PEM files
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/436/head:pr436
git checkout pr436
From 44717163aa56f7e920650831d83d69a1c3ee952c Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Mon, 6 Feb 2017 13:16:11 +0100
Subject: [PATCH] tests: add test for PEM certificate files with leading text

---
 ipatests/test_ipalib/test_x509.py | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/ipatests/test_ipalib/test_x509.py b/ipatests/test_ipalib/test_x509.py
index 750e086..a3e6cda 100644
--- a/ipatests/test_ipalib/test_x509.py
+++ b/ipatests/test_ipalib/test_x509.py
@@ -69,6 +69,17 @@ def test_1_load_base64_cert(self):
 x509.load_certificate((newcert,))
 x509.load_certificate([newcert])
 
+# Load a good cert with headers and leading text
+newcert = (
+'leading text\n-BEGIN CERTIFICATE-' +
+goodcert +
+'-END CERTIFICATE-')
+x509.load_certificate(newcert)
+
+# Should handle list/tuple
+x509.load_certificate((newcert,))
+x509.load_certificate([newcert])
+
 # Load a good cert with bad headers
 newcert = '-BEGIN CERTIFICATE-' + goodcert
 with pytest.raises((TypeError, ValueError)):
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#436][comment] x509: allow leading text in PEM files

2017-02-06 Thread HonzaCholasta 
  URL: https://github.com/freeipa/freeipa/pull/436
Title: #436: x509: allow leading text in PEM files

HonzaCholasta commented:
"""
Oops, didn't realize that `^` matches beginning of each line in multiline mode. 
I think we can keep the test, though.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/436#issuecomment-277663630
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#436][comment] x509: allow leading text in PEM files

2017-02-06 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/436
Title: #436: x509: allow leading text in PEM files

tiran commented:
"""
NACK

The ^ is correct because the regular expression must search for a line that 
starts with ```-BEGIN CERTIFICATE-```. I cannot reproduce the issue 
locally. The regexp matches a cert with leading text:

```
>>> import re
>>> regexp = u"^-BEGIN CERTIFICATE-(.*?)-END CERTIFICATE-"
>>> pem = u"leading line\n-BEGIN CERTIFICATE-\nabcd\n-END 
>>> CERTIFICATE-\ntrailing text"
>>> re.search(regexp, pem, re.MULTILINE | re.DOTALL)
<_sre.SRE_Match object at 0x7f667778d0a8>
>>> re.search(regexp, pem, re.MULTILINE | re.DOTALL).group(1)
u'\nabcd\n'
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/436#issuecomment-277661149
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#436][opened] x509: allow leading text in PEM files

2017-02-06 Thread HonzaCholasta 
   URL: https://github.com/freeipa/freeipa/pull/436
Author: HonzaCholasta
 Title: #436: x509: allow leading text in PEM files
Action: opened

PR body:
"""
This fixes a regression introduced in commit
b8d6524d43dd0667184aebc79fb77a9b8a46939a.

https://fedorahosted.org/freeipa/ticket/4985
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/436/head:pr436
git checkout pr436
From 7d1e12f773f6b184149936114789ab0d28fe8f09 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Mon, 6 Feb 2017 12:45:31 +0100
Subject: [PATCH] x509: allow leading text in PEM files

This fixes a regression introduced in commit
b8d6524d43dd0667184aebc79fb77a9b8a46939a.

https://fedorahosted.org/freeipa/ticket/4985
---
 ipalib/x509.py|  2 +-
 ipatests/test_ipalib/test_x509.py | 11 +++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/ipalib/x509.py b/ipalib/x509.py
index 87d46ae..33f2bdc 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -86,7 +86,7 @@ def strip_header(pem):
 Remove the header and footer from a certificate.
 """
 regexp = (
-u"^-BEGIN CERTIFICATE-(.*?)-END CERTIFICATE-"
+u"-BEGIN CERTIFICATE-(.*?)-END CERTIFICATE-"
 )
 if isinstance(pem, bytes):
 regexp = regexp.encode('ascii')
diff --git a/ipatests/test_ipalib/test_x509.py b/ipatests/test_ipalib/test_x509.py
index 750e086..a3e6cda 100644
--- a/ipatests/test_ipalib/test_x509.py
+++ b/ipatests/test_ipalib/test_x509.py
@@ -69,6 +69,17 @@ def test_1_load_base64_cert(self):
 x509.load_certificate((newcert,))
 x509.load_certificate([newcert])
 
+# Load a good cert with headers and leading text
+newcert = (
+'leading text\n-BEGIN CERTIFICATE-' +
+goodcert +
+'-END CERTIFICATE-')
+x509.load_certificate(newcert)
+
+# Should handle list/tuple
+x509.load_certificate((newcert,))
+x509.load_certificate([newcert])
+
 # Load a good cert with bad headers
 newcert = '-BEGIN CERTIFICATE-' + goodcert
 with pytest.raises((TypeError, ValueError)):
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#435][opened] py3: cert.py: create principal object from string

2017-02-06 Thread MartinBasti 
   URL: https://github.com/freeipa/freeipa/pull/435
Author: MartinBasti
 Title: #435: py3: cert.py: create principal object from string
Action: opened

PR body:
"""
Principal object must be created from string not from bytes

https://fedorahosted.org/freeipa/ticket/4985
https://fedorahosted.org/freeipa/ticket/6640
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/435/head:pr435
git checkout pr435
From 75b8399e8075be666e074a7161f1c10079ff4c08 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Mon, 6 Feb 2017 12:14:38 +0100
Subject: [PATCH] py3: cert.py: create principal object from string

Principal object must be created from string not from bytes

https://fedorahosted.org/freeipa/ticket/4985
https://fedorahosted.org/freeipa/ticket/6640
---
 ipaserver/plugins/cert.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 5bf4cfb..fb35c2d 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -772,7 +772,7 @@ def execute(self, csr, all=False, raw=False, **kw):
 principal_obj['krbprincipalname'] = [
 kerberos.Principal((u'krbtgt', realm), realm)]
 if not _principal_name_matches_principal(
-gn.name, principal_obj):
+gn.name.decode('utf-8'), principal_obj):
 raise errors.ValidationError(
 name='csr',
 error=_(
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#407][synchronized] New lite-server implementation

2017-02-06 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/407
Author: tiran
 Title: #407: New lite-server implementation
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/407/head:pr407
git checkout pr407
From 9bce64a82038442f6d66b7974331740ed61c2570 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Sat, 21 Jan 2017 19:34:12 +0100
Subject: [PATCH] New lite-server implementation

The new development server depends on werkzeug instead of paste. The
werkzeug WSGI server comes with some additional features, most
noticeable multi-processing server. The IPA framework is not compatible
with threaded servers. Werkzeug can serve static files easily and has a
fast auto-reloader.

The new lite-server implementation depends on PR 314 (privilege
separation). For Python 3 support, it additionally depends on PR 393.

Signed-off-by: Christian Heimes 
---
 BUILD.txt  |   2 +-
 Makefile.am|   7 +-
 contrib/Makefile.am|   3 +-
 contrib/lite-server.py | 212 +
 lite-server.py | 158 
 5 files changed, 220 insertions(+), 162 deletions(-)
 create mode 100755 contrib/lite-server.py
 delete mode 100755 lite-server.py

diff --git a/BUILD.txt b/BUILD.txt
index 620adc3..10b1943 100644
--- a/BUILD.txt
+++ b/BUILD.txt
@@ -41,7 +41,7 @@ install the rpms and then configure IPA using ipa-server-install.
 Get a TGT for the admin user with: kinit admin
 
 Next you'll need 2 sessions in the source tree. In the first session run
-python lite-server.py. In the second session copy /etc/ipa/default.conf into
+```make lite-server```. In the second session copy /etc/ipa/default.conf into
 ~/.ipa/default.conf and replace xmlrpc_uri with http://127.0.0.1:/ipa/xml.
 Finally run the ./ipa tool and it will make requests to the lite-server
 listening on 127.0.0.1:.
diff --git a/Makefile.am b/Makefile.am
index 9bfc899..9135cd5 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -6,7 +6,6 @@ SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipa
 MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \
 		   ignore_import_errors.pyc ignore_import_errors.pyo \
 		   ipasetup.pyc ipasetup.pyo \
-		   lite-server.pyc lite-server.pyo \
 		   pylint_plugins.pyc pylint_plugins.pyo
 
 # user-facing scripts
@@ -14,7 +13,6 @@ dist_bin_SCRIPTS = ipa
 
 # files required for build but not installed
 dist_noinst_SCRIPTS = ignore_import_errors.py \
-		  lite-server.py \
 		  makeapi \
 		  makeaci \
 		  make-doc \
@@ -119,6 +117,11 @@ _srpms-body: _rpms-prep
 	cp $(RPMBUILD)/SRPMS/*$$(cat $(top_builddir)/.version)*.src.rpm $(top_builddir)/dist/srpms/
 	rm -f rm -f $(top_builddir)/.version
 
+.PHONY: lite-server
+lite-server: $(top_builddir)/ipapython/version.py
+	+$(MAKE) -C $(top_builddir)/install/ui
+	PYTHONPATH=$(top_srcdir) $(PYTHON) -bb contrib/lite-server.py
+
 .PHONY: lint
 if WITH_POLINT
 POLINT_TARGET = polint
diff --git a/contrib/Makefile.am b/contrib/Makefile.am
index 108a808..b28f2e7 100644
--- a/contrib/Makefile.am
+++ b/contrib/Makefile.am
@@ -1,4 +1,5 @@
 SUBDIRS = completion
 
 EXTRA_DIST = \
-	nssciphersuite
+	nssciphersuite \
+	lite-server.py
diff --git a/contrib/lite-server.py b/contrib/lite-server.py
new file mode 100755
index 000..24e8097
--- /dev/null
+++ b/contrib/lite-server.py
@@ -0,0 +1,212 @@
+#!/usr/bin/env python
+#
+# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
+#
+"""In-tree development server
+
+The dev server requires a Kerberos TGT and a file based credential cache:
+
+$ mkdir -p ~/.ipa
+$ export KRB5CCNAME=~/.ipa/ccache
+$ kinit admin
+$ make liteserver
+
+Optionally you can set KRB5_CONFIG to use a custom Kerberos configuration
+instead of /etc/krb5.conf.
+
+By default the dev server supports HTTP only. To switch to HTTPS, you can put
+a PEM file at ~/.ipa/lite.pem. The PEM file must contain a server certificate,
+its unencrypted private key and intermediate chain certs (if applicable).
+
+Prerequisite
+
+
+Additionally to build and runtime requirements of FreeIPA, the dev server
+depends on the werkzeug framework and optionally watchdog for auto-reloading.
+You may also have to enable a development COPR.
+
+$ sudo dnf install -y dnf-plugins-core
+$ sudo dnf builddep --spec freeipa.spec.in
+$ sudo dnf install -y python-werkzeug python2-watchdog \
+python3-werkzeug python3-watchdog
+$ ./autogen.sh
+
+For more information see
+
+  * http://www.freeipa.org/page/Build
+  * http://www.freeipa.org/page/Testing
+
+"""
+import os
+import optparse  # pylint: disable=deprecated-module
+import ssl
+import warnings
+
+import ipalib
+from ipalib import api
+from ipalib.krb_utils import krb5_parse_ccache
+from ipalib.krb_utils import krb5_unparse_ccache
+
+# pylint: disable=import-error
+from

[Freeipa-devel] [freeipa PR#407][synchronized] New lite-server implementation

2017-02-06 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/407
Author: tiran
 Title: #407: New lite-server implementation
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/407/head:pr407
git checkout pr407
From afca7ec0e6d55bdd5541be315815afde2292d4ab Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Sat, 21 Jan 2017 19:34:12 +0100
Subject: [PATCH] New lite-server implementation

The new development server depends on werkzeug instead of paste. The
werkzeug WSGI server comes with some additional features, most
noticeable multi-processing server. The IPA framework is not compatible
with threaded servers. Werkzeug can serve static files easily and has a
fast auto-reloader.

The new lite-server implementation depends on PR 314 (privilege
separation). For Python 3 support, it additionally depends on PR 393.

Signed-off-by: Christian Heimes 
---
 BUILD.txt  |   2 +-
 Makefile.am|   7 +-
 contrib/lite-server.py | 212 +
 lite-server.py | 158 
 4 files changed, 218 insertions(+), 161 deletions(-)
 create mode 100755 contrib/lite-server.py
 delete mode 100755 lite-server.py

diff --git a/BUILD.txt b/BUILD.txt
index 620adc3..10b1943 100644
--- a/BUILD.txt
+++ b/BUILD.txt
@@ -41,7 +41,7 @@ install the rpms and then configure IPA using ipa-server-install.
 Get a TGT for the admin user with: kinit admin
 
 Next you'll need 2 sessions in the source tree. In the first session run
-python lite-server.py. In the second session copy /etc/ipa/default.conf into
+```make lite-server```. In the second session copy /etc/ipa/default.conf into
 ~/.ipa/default.conf and replace xmlrpc_uri with http://127.0.0.1:/ipa/xml.
 Finally run the ./ipa tool and it will make requests to the lite-server
 listening on 127.0.0.1:.
diff --git a/Makefile.am b/Makefile.am
index 9bfc899..9135cd5 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -6,7 +6,6 @@ SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipa
 MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \
 		   ignore_import_errors.pyc ignore_import_errors.pyo \
 		   ipasetup.pyc ipasetup.pyo \
-		   lite-server.pyc lite-server.pyo \
 		   pylint_plugins.pyc pylint_plugins.pyo
 
 # user-facing scripts
@@ -14,7 +13,6 @@ dist_bin_SCRIPTS = ipa
 
 # files required for build but not installed
 dist_noinst_SCRIPTS = ignore_import_errors.py \
-		  lite-server.py \
 		  makeapi \
 		  makeaci \
 		  make-doc \
@@ -119,6 +117,11 @@ _srpms-body: _rpms-prep
 	cp $(RPMBUILD)/SRPMS/*$$(cat $(top_builddir)/.version)*.src.rpm $(top_builddir)/dist/srpms/
 	rm -f rm -f $(top_builddir)/.version
 
+.PHONY: lite-server
+lite-server: $(top_builddir)/ipapython/version.py
+	+$(MAKE) -C $(top_builddir)/install/ui
+	PYTHONPATH=$(top_srcdir) $(PYTHON) -bb contrib/lite-server.py
+
 .PHONY: lint
 if WITH_POLINT
 POLINT_TARGET = polint
diff --git a/contrib/lite-server.py b/contrib/lite-server.py
new file mode 100755
index 000..24e8097
--- /dev/null
+++ b/contrib/lite-server.py
@@ -0,0 +1,212 @@
+#!/usr/bin/env python
+#
+# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
+#
+"""In-tree development server
+
+The dev server requires a Kerberos TGT and a file based credential cache:
+
+$ mkdir -p ~/.ipa
+$ export KRB5CCNAME=~/.ipa/ccache
+$ kinit admin
+$ make liteserver
+
+Optionally you can set KRB5_CONFIG to use a custom Kerberos configuration
+instead of /etc/krb5.conf.
+
+By default the dev server supports HTTP only. To switch to HTTPS, you can put
+a PEM file at ~/.ipa/lite.pem. The PEM file must contain a server certificate,
+its unencrypted private key and intermediate chain certs (if applicable).
+
+Prerequisite
+
+
+Additionally to build and runtime requirements of FreeIPA, the dev server
+depends on the werkzeug framework and optionally watchdog for auto-reloading.
+You may also have to enable a development COPR.
+
+$ sudo dnf install -y dnf-plugins-core
+$ sudo dnf builddep --spec freeipa.spec.in
+$ sudo dnf install -y python-werkzeug python2-watchdog \
+python3-werkzeug python3-watchdog
+$ ./autogen.sh
+
+For more information see
+
+  * http://www.freeipa.org/page/Build
+  * http://www.freeipa.org/page/Testing
+
+"""
+import os
+import optparse  # pylint: disable=deprecated-module
+import ssl
+import warnings
+
+import ipalib
+from ipalib import api
+from ipalib.krb_utils import krb5_parse_ccache
+from ipalib.krb_utils import krb5_unparse_ccache
+
+# pylint: disable=import-error
+from werkzeug.exceptions import NotFound
+from werkzeug.serving import run_simple
+from werkzeug.utils import redirect, append_slash_redirect
+from werkzeug.wsgi import DispatcherMiddleware, SharedDataMiddleware
+# pylint: enable=import-error
+
+
+BASEDIR =

Re: [Freeipa-devel] [DESIGN] Dogtag GSS-API Authentication

2017-02-06 Thread Fraser Tweedale 
On Mon, Feb 06, 2017 at 10:37:34AM +0200, Alexander Bokovoy wrote:
> On ma, 06 helmi 2017, Jan Cholasta wrote:
> > On 11.1.2017 02:09, Fraser Tweedale wrote:
> > > On Tue, Jan 10, 2017 at 10:48:08AM +0100, Martin Babinsky wrote:
> > > > Hi Fraser,
> > > > 
> > > > I have some rather inane comments. I guess Jan cholasta will do a more
> > > > thorough review of your design. See below:
> > > > 
> > > > On 01/06/2017 09:08 AM, Fraser Tweedale wrote:
> > > > > Hi comrades,
> > > > > 
> > > > > I have written up the high-level details of the FreeIPA->Dogtag
> > > > > GSS-API authentication design.  The goal is improve security by
> > > > > removing an egregious privilege separation violation: the RA Agent
> > > > > cert.
> > > > > 
> > > > > There is a fair bit of work still to do on the Dogtag side but
> > > > > things are shaping up there and it's time to work out the IPA
> > > > > aspects.  The design is at:
> > > > > 
> > > > >  http://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication
> > > > 
> > > > first of all, you link a internal document from publicly available 
> > > > design
> > > > page. you should prepare a publicly visible version of the Dogtag-side
> > > > design and link that.
> > > > 
> > > Will do; thanks.
> > > 
> > > > It would also be nice to have a high-level graphical representation of 
> > > > the
> > > > proposed CSR processing workflow. I think you can re-use the one that 
> > > > is in
> > > > the Dogtag part, omit the Dogtag internals and add IPA-specific parts.
> > > > 
> > > I will definitely do this a bit later, once more details of IPA
> > > design are established.
> > > 
> > > > > 
> > > > > Right now, I need feedback about the Domain Level aspects: whether
> > > > > it is the right approach, whether there are mechanisms to perform
> > > > > update steps (specifically: LDAP updates and/or api calls) alongside
> > > > > a DL bump, or if there aren't, how to deal with that (implement such
> > > > > a mechanism, make admins do extra steps, ???).
> > > > > 
> > > > 
> > > > Is the DL bump really necessary? Are you sure we really can not just 
> > > > update
> > > > the profile configuration and let older Dogtag installation handle it
> > > > gracefully? IIRC we have done some profile inclusion work in 4.2 
> > > > development
> > > > and on and never really bothered about older Dogtag understanding them.
> > > > 
> > > The problem is that the new profiles will refer to plugins (i.e.
> > > classes) that do not exist in older versions of Dogtag.  Profile
> > > config is replicated, so if we upgrade profile config with old
> > > versions of Dogtag in the topology, it breaks them.
> > > 
> > > I considered a mechanism where multiple versions of a profile exist
> > > in LDAP (i.e. multiple attribute values), and Dogtag picks the one
> > > that's "right" for it.  (An example of how to do this might be
> > > attribute tagging where tag indicates minimum version of Dogtag
> > > containing components used in that profile version, and Dogag picks
> > > the highest that it supports).  The advantage of such a mechanism is
> > > that we could use it for any future scenario where we introduce new
> > > profile components that we want to use in IPA.  The downside is that
> > > it significantly complicates profile management (including for
> > > administrators), and can result in the same profile having different
> > > behaviour on different Dogtag instances, which could be confusing
> > > and make it harder to diagnose issues.  Given the tradeoffs, I think
> > > a DL bump is preferable.
> > 
> > I don't like the prospect of having to bump DL every time a new
> > component is introduced. This time it might be OK, because the new DL is
> > apparently required for the RA -> GSSAPI change, but IMHO in general a
> > change in a certificate profile does not warrant a DL bump.
> > 
> > I agree that maintaining multiple versions of a profile is not the way
> > to go, but I think there are other options:
> > 
> > * Change `auth.instance_id` from `raCertAuth` to a new, IPA-specific
> > `ipaAuth`. Configure `auths.instance.ipaAuth` in CS.cfg to behave
> > exactly the same as `raCertAuth`. This will have to be done on all
> > masters, including old ones, which can receive the change in a bug fix
> > update (4.4.x). Then, on upgrade to new IPA with GSSAPI enabled Dogtag,
> > change `auths.instance.ipaAuth` to use external script for
> > authentication. Similar thing could be done for other profile
> > components.
> > 
> > * Do not care about old masters. Update the profile and let certificate
> > requests on old masters fail. This should be fine, as the situation
> > where there are different version masters should be only temporary until
> > all masters are upgraded. If an appropriate error is returned from
> > cert-request, automated requests via certmonger will be re-attempted and
> > will succeed once all masters are upgraded.
> I'd prefer an option number one. Using an IPA-specific auth instance
>

Re: [Freeipa-devel] [DESIGN] IPA permission enforcement in Dogtag

2017-02-06 Thread Jan Cholasta 

On 17.1.2017 08:57, David Kupka wrote:

On 13/01/17 08:07, Fraser Tweedale wrote:

Related to design:
http://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication

Currently there are some operations that hit the CA that involve a
number of privileged operations against the CA, but for which there
is only one associated IPA permission.  Deleting a CA is a good
example (but it is one specific case of a more general issue).
Summary of current ca-del behaviour:

1. Disable LWCA in Dogtag (uses RA Agent cert)
2. Delete LWCA in Dogtag (uses RA Agent cert)
3. Delete CA entry from IPA (requires "System: Delete CA" permission)

So there are two things going on under the hood: a modify operation
(disable CA) and the delete.

When we implement proxy authentication to Dogtag, Dogtag will
enforce the IPA permissions on its operations.  Disable will map to
"System: Modify CA" and delete to "System: Delete CA".  So to delete
a CA a user will need *both* permissions.  Which could be
surprising.

There are a couple of reasonable approaches to this.

1. Decouple the disable and delete operations.  If CA is not
disabled, the user will be instructed to execute the ca-disable
command separately before they can disable the CA.  This introduces
an additional manual step for operators.

2. Just improve the error reporting.  In my WIP, for a user that has
'System: Delete CA' permission but not 'System: Modify CA', the
reported failure is a 403 Authorization Error from Dogtag.  We can
add guards to fail more gracefully.

I lean towards #2 because I guess the common case will be that users
either get all CA admin permissions, or none, and we don't want to
make more work (in the form of more commands to run) for users in
the common case.

I welcome alternative views and suggestions.

Thanks,
Fraser


Hi Fraser,
as a user with "System: Delete CA" permission calling "ca-del" command I
would be really surprised that I don't have enough privileges to
complete the action.

I would expect:
a) "Cannot delete active CA, disable it first" error.
b) Delete will be completed successfully. All internal and to my sight
hidden operations will be allowed just because I'm allowed to perform
the delete operation.

I think that b) might lead to strange exceptions in authorization
checking and therefore to security issues. So I would prefer decoupling
ca-disable and ca-del as you're describing in 1).


IMO having to disable the CA before deletion is an implementation detail 
and should not be exposed to the user at all. Why do we have to disable 
the CA from IPA in ca-del? I would expect Dogtag to disable it itself 
internally when it's being deleted.


--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#432][+ack] build: Add missing dependency on libxmlrpc{, _util}

2017-02-06 Thread pvomacka 
  URL: https://github.com/freeipa/freeipa/pull/432
Title: #432: build: Add missing dependency on libxmlrpc{,_util}

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#364][synchronized] Client-only builds with --disable-server

2017-02-06 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/364
Author: tiran
 Title: #364: Client-only builds with --disable-server
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/364/head:pr364
git checkout pr364
From 69533417178c583c927d2e141c7359a5ca19362d Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 3 Jan 2017 14:32:05 +0100
Subject: [PATCH] Client-only builds with --disable-server

https://fedorahosted.org/freeipa/ticket/6517
---
 Makefile.am  |   6 +-
 configure.ac | 253 +--
 server.m4| 119 
 3 files changed, 212 insertions(+), 166 deletions(-)
 create mode 100644 server.m4

diff --git a/Makefile.am b/Makefile.am
index 9bfc899..24d31c8 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,7 +1,11 @@
 ACLOCAL_AMFLAGS = -I m4
 
 IPACLIENT_SUBDIRS = ipaclient ipalib ipapython
-SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaplatform ipaserver ipatests po
+SUBDIRS = asn1 util client contrib $(IPACLIENT_SUBDIRS) ipaplatform ipatests po
+
+if ENABLE_SERVER
+SUBDIRS += daemons init install ipaserver
+endif
 
 MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \
 		   ignore_import_errors.pyc ignore_import_errors.pyo \
diff --git a/configure.ac b/configure.ac
index ff5f7b6..56cae6a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -24,6 +24,17 @@ LT_INIT
 
 AC_HEADER_STDC
 
+PKG_PROG_PKG_CONFIG
+
+AC_ARG_ENABLE([server],
+[  --disable-serverDisable server support],
+[case "${enableval}" in
+  yes) enable_server=true ;;
+  no)  enable_server=false ;;
+  *) AC_MSG_ERROR([bad value ${enableval} for --disable-server]) ;;
+esac],[enable_server=true])
+AM_CONDITIONAL([ENABLE_SERVER], [test x$enable_server = xtrue])
+
 AM_CONDITIONAL([HAVE_GCC], [test "$ac_cv_prog_gcc" = yes])
 
 dnl ---
@@ -33,37 +44,10 @@ PKG_CHECK_MODULES([NSPR], [nspr])
 PKG_CHECK_MODULES([NSS], [nss])
 
 dnl ---
-dnl - Check for DS slapi plugin
-dnl ---
-
-# Need to hack CPPFLAGS to be able to correctly detetct slapi-plugin.h
-SAVE_CPPFLAGS=$CPPFLAGS
-CPPFLAGS=$NSPR_CFLAGS
-AC_CHECK_HEADER(dirsrv/slapi-plugin.h)
-if test "x$ac_cv_header_dirsrv_slapi-plugin_h" = "xno" ; then
-	AC_MSG_ERROR([Required 389-ds header not available (389-ds-base-devel)])
-fi
-AC_CHECK_HEADER(dirsrv/repl-session-plugin.h)
-if test "x$ac_cv_header_dirsrv_repl_session_plugin_h" = "xno" ; then
-	AC_MSG_ERROR([Required 389-ds header not available (389-ds-base-devel)])
-fi
-CPPFLAGS=$SAVE_CPPFLAGS
-
-if test "x$ac_cv_header_dirsrv_slapi_plugin_h" = "xno" ; then
-	AC_MSG_ERROR([Required DS slapi plugin header not available (fedora-ds-base-devel)])
-fi
-
-dnl ---
 dnl - Check for KRB5
 dnl ---
 
 PKG_CHECK_MODULES([KRB5], [krb5])
-AC_CHECK_HEADER(krad.h, [], [AC_MSG_ERROR([krad.h not found])])
-AC_CHECK_LIB(krad, main, [], [AC_MSG_ERROR([libkrad not found])])
-KRAD_LIBS="-lkrad"
-krb5rundir="${localstatedir}/run/krb5kdc"
-AC_SUBST(KRAD_LIBS)
-AC_SUBST(krb5rundir)
 
 dnl ---
 dnl - Check for OpenLDAP SDK
@@ -101,69 +85,6 @@ if test "x$PYTHON" = "x" ; then
 fi
 
 dnl ---
-dnl Check for ndr_krb5pac and other samba libraries
-dnl ---
-
-PKG_PROG_PKG_CONFIG()
-PKG_CHECK_MODULES([TALLOC], [talloc])
-PKG_CHECK_MODULES([TEVENT], [tevent])
-PKG_CHECK_MODULES([NDRPAC], [ndr_krb5pac])
-PKG_CHECK_MODULES([NDRNBT], [ndr_nbt])
-PKG_CHECK_MODULES([NDR], [ndr])
-PKG_CHECK_MODULES([SAMBAUTIL], [samba-util])
-SAMBA40EXTRA_LIBPATH="-L`$PKG_CONFIG --variable=libdir samba-util`/samba -Wl,-rpath=`$PKG_CONFIG --variable=libdir samba-util`/samba"
-AC_SUBST(SAMBA40EXTRA_LIBPATH)
-
-bck_cflags="$CFLAGS"
-CFLAGS="$NDRPAC_CFLAGS"
-AC_CHECK_MEMBER(
-[struct PAC_DOMAIN_GROUP_MEMBERSHIP.domain_sid],
-[AC_DEFINE([HAVE_STRUCT_PAC_DOMAIN_GROUP_MEMBERSHIP], [1],
-   [struct PAC_DOMAIN_GROUP_MEMBERSHIP is available.])],
-[AC_MSG_NOTICE([struct PAC_DOMAIN_GROUP_MEMBERSHIP is not available])],
- [[#include 
-   #include ]])
-
-CFLAGS="$bck_cflags"
-
-LIBPDB_NAME=""
-AC_CHECK_LIB([samba-passdb],
- [make_pdb_method],
- [LIBPDB_NAME="samba-passdb"; HAVE_LIBPDB=1],
- [LIBPDB_NAME="pdb"],
- [$SAMBA40EXTRA_LIBPATH])
-
-if test "x$LIB_PDB_NAME" = "xpdb" ; then
-  AC_CHECK_LIB([$LIBPDB_NAME],
-

Re: [Freeipa-devel] [DESIGN] Dogtag GSS-API Authentication

2017-02-06 Thread Alexander Bokovoy 

On ma, 06 helmi 2017, Jan Cholasta wrote:

On 11.1.2017 02:09, Fraser Tweedale wrote:

On Tue, Jan 10, 2017 at 10:48:08AM +0100, Martin Babinsky wrote:

Hi Fraser,

I have some rather inane comments. I guess Jan cholasta will do a more
thorough review of your design. See below:

On 01/06/2017 09:08 AM, Fraser Tweedale wrote:

Hi comrades,

I have written up the high-level details of the FreeIPA->Dogtag
GSS-API authentication design.  The goal is improve security by
removing an egregious privilege separation violation: the RA Agent
cert.

There is a fair bit of work still to do on the Dogtag side but
things are shaping up there and it's time to work out the IPA
aspects.  The design is at:

 http://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication


first of all, you link a internal document from publicly available design
page. you should prepare a publicly visible version of the Dogtag-side
design and link that.


Will do; thanks.


It would also be nice to have a high-level graphical representation of the
proposed CSR processing workflow. I think you can re-use the one that is in
the Dogtag part, omit the Dogtag internals and add IPA-specific parts.


I will definitely do this a bit later, once more details of IPA
design are established.



Right now, I need feedback about the Domain Level aspects: whether
it is the right approach, whether there are mechanisms to perform
update steps (specifically: LDAP updates and/or api calls) alongside
a DL bump, or if there aren't, how to deal with that (implement such
a mechanism, make admins do extra steps, ???).



Is the DL bump really necessary? Are you sure we really can not just update
the profile configuration and let older Dogtag installation handle it
gracefully? IIRC we have done some profile inclusion work in 4.2 development
and on and never really bothered about older Dogtag understanding them.


The problem is that the new profiles will refer to plugins (i.e.
classes) that do not exist in older versions of Dogtag.  Profile
config is replicated, so if we upgrade profile config with old
versions of Dogtag in the topology, it breaks them.

I considered a mechanism where multiple versions of a profile exist
in LDAP (i.e. multiple attribute values), and Dogtag picks the one
that's "right" for it.  (An example of how to do this might be
attribute tagging where tag indicates minimum version of Dogtag
containing components used in that profile version, and Dogag picks
the highest that it supports).  The advantage of such a mechanism is
that we could use it for any future scenario where we introduce new
profile components that we want to use in IPA.  The downside is that
it significantly complicates profile management (including for
administrators), and can result in the same profile having different
behaviour on different Dogtag instances, which could be confusing
and make it harder to diagnose issues.  Given the tradeoffs, I think
a DL bump is preferable.


I don't like the prospect of having to bump DL every time a new 
component is introduced. This time it might be OK, because the new DL 
is apparently required for the RA -> GSSAPI change, but IMHO in 
general a change in a certificate profile does not warrant a DL bump.


I agree that maintaining multiple versions of a profile is not the way 
to go, but I think there are other options:


* Change `auth.instance_id` from `raCertAuth` to a new, IPA-specific 
`ipaAuth`. Configure `auths.instance.ipaAuth` in CS.cfg to behave 
exactly the same as `raCertAuth`. This will have to be done on all 
masters, including old ones, which can receive the change in a bug fix 
update (4.4.x). Then, on upgrade to new IPA with GSSAPI enabled 
Dogtag, change `auths.instance.ipaAuth` to use external script for 
authentication. Similar thing could be done for other profile 
components.


* Do not care about old masters. Update the profile and let 
certificate requests on old masters fail. This should be fine, as the 
situation where there are different version masters should be only 
temporary until all masters are upgraded. If an appropriate error is 
returned from cert-request, automated requests via certmonger will be 
re-attempted and will succeed once all masters are upgraded.

I'd prefer an option number one. Using an IPA-specific auth instance
would allow us to be more flexible in manipulating the properties of it
in future without worrying to break older setups. 


--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#432][comment] build: Add missing dependency on libxmlrpc{, _util}

2017-02-06 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/432
Title: #432: build: Add missing dependency on libxmlrpc{,_util}

tiran commented:
"""
ACK

ipa-join uses functions from ```libxmlrpc.so``` (e.g. ```xmlrpc_string_new```) 
and from ```libxmlrpc_util.so``` (e.g. ```xmlrpc_env_init```). In the past it 
was no problem because ```libxmlrpc_client.so``` depends on both libraries and 
pulled the function in. Nowadays indirect linking triggers a DSO error. All 
libraries must be linked directly.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/432#issuecomment-277613117
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [DESIGN] Dogtag GSS-API Authentication

2017-02-06 Thread Jan Cholasta 

On 11.1.2017 02:09, Fraser Tweedale wrote:

On Tue, Jan 10, 2017 at 10:48:08AM +0100, Martin Babinsky wrote:

Hi Fraser,

I have some rather inane comments. I guess Jan cholasta will do a more
thorough review of your design. See below:

On 01/06/2017 09:08 AM, Fraser Tweedale wrote:

Hi comrades,

I have written up the high-level details of the FreeIPA->Dogtag
GSS-API authentication design.  The goal is improve security by
removing an egregious privilege separation violation: the RA Agent
cert.

There is a fair bit of work still to do on the Dogtag side but
things are shaping up there and it's time to work out the IPA
aspects.  The design is at:

  http://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication


first of all, you link a internal document from publicly available design
page. you should prepare a publicly visible version of the Dogtag-side
design and link that.


Will do; thanks.


It would also be nice to have a high-level graphical representation of the
proposed CSR processing workflow. I think you can re-use the one that is in
the Dogtag part, omit the Dogtag internals and add IPA-specific parts.


I will definitely do this a bit later, once more details of IPA
design are established.



Right now, I need feedback about the Domain Level aspects: whether
it is the right approach, whether there are mechanisms to perform
update steps (specifically: LDAP updates and/or api calls) alongside
a DL bump, or if there aren't, how to deal with that (implement such
a mechanism, make admins do extra steps, ???).



Is the DL bump really necessary? Are you sure we really can not just update
the profile configuration and let older Dogtag installation handle it
gracefully? IIRC we have done some profile inclusion work in 4.2 development
and on and never really bothered about older Dogtag understanding them.


The problem is that the new profiles will refer to plugins (i.e.
classes) that do not exist in older versions of Dogtag.  Profile
config is replicated, so if we upgrade profile config with old
versions of Dogtag in the topology, it breaks them.

I considered a mechanism where multiple versions of a profile exist
in LDAP (i.e. multiple attribute values), and Dogtag picks the one
that's "right" for it.  (An example of how to do this might be
attribute tagging where tag indicates minimum version of Dogtag
containing components used in that profile version, and Dogag picks
the highest that it supports).  The advantage of such a mechanism is
that we could use it for any future scenario where we introduce new
profile components that we want to use in IPA.  The downside is that
it significantly complicates profile management (including for
administrators), and can result in the same profile having different
behaviour on different Dogtag instances, which could be confusing
and make it harder to diagnose issues.  Given the tradeoffs, I think
a DL bump is preferable.


I don't like the prospect of having to bump DL every time a new 
component is introduced. This time it might be OK, because the new DL is 
apparently required for the RA -> GSSAPI change, but IMHO in general a 
change in a certificate profile does not warrant a DL bump.


I agree that maintaining multiple versions of a profile is not the way 
to go, but I think there are other options:


* Change `auth.instance_id` from `raCertAuth` to a new, IPA-specific 
`ipaAuth`. Configure `auths.instance.ipaAuth` in CS.cfg to behave 
exactly the same as `raCertAuth`. This will have to be done on all 
masters, including old ones, which can receive the change in a bug fix 
update (4.4.x). Then, on upgrade to new IPA with GSSAPI enabled Dogtag, 
change `auths.instance.ipaAuth` to use external script for 
authentication. Similar thing could be done for other profile components.


* Do not care about old masters. Update the profile and let certificate 
requests on old masters fail. This should be fine, as the situation 
where there are different version masters should be only temporary until 
all masters are upgraded. If an appropriate error is returned from 
cert-request, automated requests via certmonger will be re-attempted and 
will succeed once all masters are upgraded.





Anyway I guess we can call `certprofile-import' to load
ExternalProcessConstraint-enabled profile upon setting domain level to 2, we
just have to know where on the FS it is located.


Of course, any other general or specific feedback is welcome.

Thanks,
Fraser



So if I understand correctly there will be no change in CA ACL management
interface and only the code which evaluates them will be factored out into
'ipa-pki-validate-cert-request' command? Also, wouldn't it simpler if the CA
ACL evaluation was delegated to a separate API command instead?
ExternalProcessConstraint would then only ask IPA JSON api and process the
response.


There are no changes to CA ACL management interface as part of this
design, but there are proposals to extend/rework it in future, e.g.
#6424, #6425,