[Freeipa-devel] [freeipa PR#778][opened] ipaclient: fix missing RPM ownership

2017-05-10 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/778
Author: MartinBasti
 Title: #778: ipaclient: fix missing RPM ownership
Action: opened

PR body:
"""
The FreeIPA package should own all of its subdirectories to work properly with
third-party packages/plugins.

https://pagure.io/freeipa/issue/6927
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/778/head:pr778
git checkout pr778
From 53e1325dbf755c36e822d0d45eb714beb481fb4a Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 10 May 2017 18:39:22 +0200
Subject: [PATCH] ipaclient: fix missing RPM ownership

The FreeIPA package should own all of its subdirectories to work properly with
third-party packages/plugins.

https://pagure.io/freeipa/issue/6927
---
 freeipa.spec.in | 16 ++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 87ac7c3..0f9952d 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1409,14 +1409,20 @@ fi
 %doc README.md Contributors.txt
 %license COPYING
 %dir %{python_sitelib}/ipaclient
-%dir %{python_sitelib}/ipaclient/plugins
 %{python_sitelib}/ipaclient/*.py*
+%dir %{python_sitelib}/ipaclient/install
 %{python_sitelib}/ipaclient/install/*.py*
+%dir %{python_sitelib}/ipaclient/plugins
 %{python_sitelib}/ipaclient/plugins/*.py*
+%dir %{python_sitelib}/ipaclient/remote_plugins
 %{python_sitelib}/ipaclient/remote_plugins/*.py*
 %{python_sitelib}/ipaclient/remote_plugins/2_*/*.py*
+%dir %{python_sitelib}/ipaclient/csrgen
+%dir %{python_sitelib}/ipaclient/csrgen/profiles
 %{python_sitelib}/ipaclient/csrgen/profiles/*.json
+%dir %{python_sitelib}/ipaclient/csrgen/rules
 %{python_sitelib}/ipaclient/csrgen/rules/*.json
+%dir %{python_sitelib}/ipaclient/csrgen/templates
 %{python_sitelib}/ipaclient/csrgen/templates/*.tmpl
 %{python_sitelib}/ipaclient-*.egg-info
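Review bot: The `remote_plugins/2_*` version directories are still not owned: the `%dir` lines added here cover `remote_plugins` itself, but `%{python_sitelib}/ipaclient/remote_plugins/2_*/*.py*` claims only the files inside each `2_*` directory, so after this change those directories remain unowned, which is the very gap the commit message sets out to close. The python3 hunk below has the same problem for `remote_plugins/2_*` and, as far as the globs show, for every `__pycache__` directory that is listed only through `__pycache__/*.py*`. One line per directory in the same form used elsewhere in the hunk would fix it, e.g. `%dir %{python_sitelib}/ipaclient/remote_plugins/2_*` before the `2_*/*.py*` line, and `%dir %{python3_sitelib}/ipaclient/__pycache__` (and the equivalents under `install`, `plugins`, `remote_plugins` and `remote_plugins/2_*`) in the python3 section.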
 
@@ -1428,19 +1434,25 @@ fi
 %doc README.md Contributors.txt
 %license COPYING
 %dir %{python3_sitelib}/ipaclient
-%dir %{python3_sitelib}/ipaclient/plugins
 %{python3_sitelib}/ipaclient/*.py
 %{python3_sitelib}/ipaclient/__pycache__/*.py*
+%dir %{python3_sitelib}/ipaclient/install
 %{python3_sitelib}/ipaclient/install/*.py
 %{python3_sitelib}/ipaclient/install/__pycache__/*.py*
+%dir %{python3_sitelib}/ipaclient/plugins
 %{python3_sitelib}/ipaclient/plugins/*.py
 %{python3_sitelib}/ipaclient/plugins/__pycache__/*.py*
+%dir %{python3_sitelib}/ipaclient/remote_plugins
 %{python3_sitelib}/ipaclient/remote_plugins/*.py
 %{python3_sitelib}/ipaclient/remote_plugins/__pycache__/*.py*
 %{python3_sitelib}/ipaclient/remote_plugins/2_*/*.py
 %{python3_sitelib}/ipaclient/remote_plugins/2_*/__pycache__/*.py*
+%dir %{python3_sitelib}/ipaclient/csrgen
+%dir %{python3_sitelib}/ipaclient/csrgen/profiles
 %{python3_sitelib}/ipaclient/csrgen/profiles/*.json
+%dir %{python3_sitelib}/ipaclient/csrgen/rules
 %{python3_sitelib}/ipaclient/csrgen/rules/*.json
+%dir %{python3_sitelib}/ipaclient/csrgen/templates
 %{python3_sitelib}/ipaclient/csrgen/templates/*.tmpl
 %{python3_sitelib}/ipaclient-*.egg-info
 

[Freeipa-devel] [freeipa PR#777][opened] ipa-kra-install manpage: document domain-level 1

2017-05-10 Thread flo-renaud
   URL: https://github.com/freeipa/freeipa/pull/777
Author: flo-renaud
 Title: #777: ipa-kra-install manpage: document domain-level 1
Action: opened

PR body:
"""
ipa-kra-install man page was missing a specific section for domain level 1.
This commit also fixes a wrong option short name (for --log-file) and
indents the text corresponding to -p DM_PASSWORD

https://pagure.io/freeipa/issue/6922
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/777/head:pr777
git checkout pr777
From b95f451d8530122be917e4988aa2bb94e36c0c05 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Wed, 10 May 2017 18:04:52 +0200
Subject: [PATCH] ipa-kra-install manpage: document domain-level 1

ipa-kra-install man page was missing a specific section for domain level 1.
This commit also fixes a wrong option short name (for --log-file) and
indents the text corresponding to -p DM_PASSWORD

https://pagure.io/freeipa/issue/6922
---
 install/tools/man/ipa-kra-install.1 | 17 ++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/install/tools/man/ipa-kra-install.1 b/install/tools/man/ipa-kra-install.1
index 0aa9073..51afaac 100644
--- a/install/tools/man/ipa-kra-install.1
+++ b/install/tools/man/ipa-kra-install.1
@@ -16,26 +16,37 @@
 .\"
 .\" Author: Ade Lee 
 .\"
-.TH "ipa-kra-install" "1" "Aug 24 2014" "FreeIPA" "FreeIPA Manual Pages"
+.TH "ipa-kra-install" "1" "May 10 2017" "FreeIPA" "FreeIPA Manual Pages"
 .SH "NAME"
 ipa\-kra\-install \- Install a KRA on a server
 .SH "SYNOPSIS"
+.SS "DOMAIN LEVEL 0"
+.TP
 ipa\-kra\-install [\fIOPTION\fR]... [replica_file]
+.SS "DOMAIN LEVEL 1"
+.TP
+ipa\-kra\-install [\fIOPTION\fR]...
 .SH "DESCRIPTION"
 Adds a KRA as an IPA\-managed service. This requires that the IPA server is already installed and configured, including a CA.
 
 The KRA (Key Recovery Authority) is a component used to securely store secrets such as passwords, symmetric keys and private asymmetric keys.  It is used as the back-end repository for the IPA Password Vault.
 
-ipa\-kra\-install can be run without replica_file to add KRA to the existing CA.
+In a domain at domain level 0, ipa\-kra\-install can be run without replica_file to add KRA to the existing CA, or with replica_file to install the KRA service on the replica.
 ipa\-kra\-install will contact the CA to determine if a KRA has already been installed on another replica, and if so, will exit indicating that a replica_file is required.
 
 The replica_file is created using the ipa\-replica\-prepare utility.  A new replica_file should be generated on the master IPA server after the KRA has been installed and configured, so that the replica_file will contain the master KRA configuration and system certificates.
 
+In a domain at domain level 1, ipa\-kra\-install can be used to add KRA to the existing CA, or to install the KRA service on a replica, and does not require any replica file.
+
 KRA can only be removed along with the entire server using ipa\-server\-install \-\-uninstall.
 .SH "OPTIONS"
+.TP
 \fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
 Directory Manager (existing master) password
 .TP
+\fB\-\-no-host-dns\fR
+Do not use DNS for hostname lookup during installation
+.TP
 \fB\-U\fR, \fB\-\-unattended\fR
 An unattended installation that will never prompt for user input
 .TP
@@ -45,7 +56,7 @@ Enable debug output when more verbose output is needed
 \fB\-q\fR, \fB\-\-quiet\fR
 Output only errors
 .TP
-\fB\-v\fR, \fB\-\-log-file\fR=\fFILE\fR
+\fB\-\-log-file\fR=\fRFILE\fR
 Log to the given file
 .SH "EXIT STATUS"
 0 if the command was successful

[Freeipa-devel] [freeipa PR#765][synchronized] [4.5 backport] spec file: bump python-netaddr Requires

2017-05-10 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/765
Author: MartinBasti
 Title: #765: [4.5 backport] spec file: bump python-netaddr Requires
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/765/head:pr765
git checkout pr765
From 0d3cf21741dc57c1d8370b49778d08b97949b0e2 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Tue, 25 Apr 2017 12:13:00 +
Subject: [PATCH] spec file: bump python-netaddr Requires

Bump python-netaddr Requires to the version which has correct private and
reserved IPv4 address ranges.

This fixes DNS server install failure when 0.0.0.0 is entered as a
forwarder.

Backport from: 0784e53f7f8a323acafbbff26a9d1c0276a229b0

https://pagure.io/freeipa/issue/6894
---
 freeipa.spec.in | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 1b3ed15..97e67e4 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -38,6 +38,8 @@
 %if 0%{?rhel}
 # 1.15.1-7: certauth (http://krbdev.mit.edu/rt/Ticket/Display.html?id=8561)
 %global krb5_version 1.15.1-4
+# 0.7.16: https://github.com/drkjam/netaddr/issues/71
+%global python_netaddr_version 0.7.5-8
 # Require 4.6.0-4 which brings RC4 for FIPS + trust fixes to priv. separation
 %global samba_version 4.6.0-4
 %global selinux_policy_version 3.12.1-153
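Review bot: The comment on the new `%global python_netaddr_version` in the `%if 0%{?rhel}` branch says `0.7.16` while the value it documents is `0.7.5-8`, so a reader cannot tell whether that RHEL release really carries the fix or the comment was copied from the Fedora branch. Assuming 0.7.5-8 is the RHEL build that backports the upstream fix, the comment should say so, e.g. `# 0.7.5-8: RHEL backport of the fix for https://github.com/drkjam/netaddr/issues/71`. The `%else` hunk below, where the comment and the value agree, is fine as written.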
@@ -45,6 +47,8 @@
 %else
 # 1.15.1-7: certauth (http://krbdev.mit.edu/rt/Ticket/Display.html?id=8561)
 %global krb5_version 1.15.1-7
+# 0.7.16: https://github.com/drkjam/netaddr/issues/71
+%global python_netaddr_version 0.7.16
 # Require 4.6.0-4 which brings RC4 for FIPS + trust fixes to priv. separation
 %global samba_version 2:4.6.0-4
 %global selinux_policy_version 3.13.1-158.4
@@ -646,7 +650,7 @@ Requires: pyOpenSSL
 Requires: python >= 2.7.9
 Requires: python-nss >= 0.16
 Requires: python-cryptography >= 1.4
-Requires: python-netaddr
+Requires: python-netaddr >= %{python_netaddr_version}
 Requires: python-libipa_hbac
 Requires: python-qrcode-core >= 5.0.0
 Requires: python-pyasn1
@@ -695,7 +699,7 @@ Requires: keyutils
 Requires: python3-pyOpenSSL
 Requires: python3-nss >= 0.16
 Requires: python3-cryptography >= 1.4
-Requires: python3-netaddr
+Requires: python3-netaddr >= %{python_netaddr_version}
 Requires: python3-libipa_hbac
 Requires: python3-qrcode-core >= 5.0.0
 Requires: python3-pyasn1

[Freeipa-devel] [freeipa PR#776][opened] [4.5 backport] Added plugins directory to ipaclient subpackages

2017-05-10 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/776
Author: MartinBasti
 Title: #776: [4.5 backport] Added plugins directory to ipaclient subpackages
Action: opened

PR body:
"""
https://pagure.io/freeipa/issue/6927
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/776/head:pr776
git checkout pr776
From bdd7283c655b56decd768731782655c23dff4712 Mon Sep 17 00:00:00 2001
From: Oliver Gutierrez 
Date: Fri, 28 Apr 2017 15:21:49 +0100
Subject: [PATCH] Added plugins directory to ipaclient subpackages

https://pagure.io/freeipa/issue/6927
---
 freeipa.spec.in | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 1b3ed15..3a5a9b4 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1404,6 +1404,7 @@ fi
 %doc README.md Contributors.txt
 %license COPYING
 %dir %{python_sitelib}/ipaclient
+%dir %{python_sitelib}/ipaclient/plugins
 %{python_sitelib}/ipaclient/*.py*
 %{python_sitelib}/ipaclient/install/*.py*
 %{python_sitelib}/ipaclient/plugins/*.py*
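Review bot: Only `plugins` gains a `%dir` entry here, while the context line `%{python_sitelib}/ipaclient/install/*.py*` just above shows `install` still owned only through its files, so the package still does not own all of its subdirectories. If that is the intent behind the referenced ticket, the same one-line form should be repeated, e.g. `%dir %{python_sitelib}/ipaclient/install` before the `install/*.py*` line. The python3 hunk of this commit (`install/*.py`) and both hunks of the PR#775 backport below (`remote_plugins/*.py*` and `remote_plugins/*.py` listed without a `%dir`) have the same gap.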
@@ -1422,6 +1423,7 @@ fi
 %doc README.md Contributors.txt
 %license COPYING
 %dir %{python3_sitelib}/ipaclient
+%dir %{python3_sitelib}/ipaclient/plugins
 %{python3_sitelib}/ipaclient/*.py
 %{python3_sitelib}/ipaclient/__pycache__/*.py*
 %{python3_sitelib}/ipaclient/install/*.py

[Freeipa-devel] [freeipa PR#775][edited] Added plugins directory to ipaclient subpackages

2017-05-10 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/775
Author: MartinBasti
 Title: #775: Added plugins directory to ipaclient subpackages
Action: edited

 Changed field: title
Original value:
"""
Added plugins directory to ipaclient subpackages
"""


[Freeipa-devel] [freeipa PR#775][synchronized] [4.4 backport] Added plugins directory to ipaclient subpackages

2017-05-10 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/775
Author: MartinBasti
 Title: #775: [4.4 backport] Added plugins directory to ipaclient subpackages
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/775/head:pr775
git checkout pr775
From be6818287204b62ee9df973b60983611100f8270 Mon Sep 17 00:00:00 2001
From: Oliver Gutierrez 
Date: Fri, 28 Apr 2017 15:21:49 +0100
Subject: [PATCH] Added plugins directory to ipaclient subpackages

https://pagure.io/freeipa/issue/6927
---
 freeipa.spec.in | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 21f2416..021db96 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1308,6 +1308,7 @@ fi
 %doc README Contributors.txt
 %license COPYING
 %dir %{python_sitelib}/ipaclient
+%dir %{python_sitelib}/ipaclient/plugins
 %{python_sitelib}/ipaclient/*.py*
 %{python_sitelib}/ipaclient/plugins/*.py*
 %{python_sitelib}/ipaclient/remote_plugins/*.py*
@@ -1322,6 +1323,7 @@ fi
 %doc README Contributors.txt
 %license COPYING
 %dir %{python3_sitelib}/ipaclient
+%dir %{python3_sitelib}/ipaclient/plugins
 %{python3_sitelib}/ipaclient/*.py
 %{python3_sitelib}/ipaclient/__pycache__/*.py*
 %{python3_sitelib}/ipaclient/plugins/*.py

[Freeipa-devel] [freeipa PR#775][opened] Added plugins directory to ipaclient subpackages

2017-05-10 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/775
Author: MartinBasti
 Title: #775: Added plugins directory to ipaclient subpackages
Action: opened

PR body:
"""
https://pagure.io/freeipa/issue/6927
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/775/head:pr775
git checkout pr775
From c314f0874a72f0056642cb28299aa6132350478c Mon Sep 17 00:00:00 2001
From: Oliver Gutierrez 
Date: Fri, 28 Apr 2017 15:21:49 +0100
Subject: [PATCH] Added plugins directory to paclient subpackages

https://pagure.io/freeipa/issue/6927
---
 freeipa.spec.in | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 21f2416..021db96 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1308,6 +1308,7 @@ fi
 %doc README Contributors.txt
 %license COPYING
 %dir %{python_sitelib}/ipaclient
+%dir %{python_sitelib}/ipaclient/plugins
 %{python_sitelib}/ipaclient/*.py*
 %{python_sitelib}/ipaclient/plugins/*.py*
 %{python_sitelib}/ipaclient/remote_plugins/*.py*
@@ -1322,6 +1323,7 @@ fi
 %doc README Contributors.txt
 %license COPYING
 %dir %{python3_sitelib}/ipaclient
+%dir %{python3_sitelib}/ipaclient/plugins
 %{python3_sitelib}/ipaclient/*.py
 %{python3_sitelib}/ipaclient/__pycache__/*.py*
 %{python3_sitelib}/ipaclient/plugins/*.py

[Freeipa-devel] [freeipa PR#757][comment] ca, kra install: validate DM password

2017-05-10 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/757
Title: #757: ca, kra install: validate DM password

tomaskrizek commented:
"""
Implementing the tests shouldn't block us from pushing this fix. I opened a 
ticket for it: https://pagure.io/freeipa/issue/6941
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/757#issuecomment-300514130

[Freeipa-devel] [freeipa PR#765][comment] [4.5 backport] spec file: bump python-netaddr Requires

2017-05-10 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/765
Title: #765: [4.5 backport] spec file: bump python-netaddr Requires

tomaskrizek commented:
"""
Sorry, I meant the current ipa-4-5. Another PR changed the spec file as well.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/765#issuecomment-300514924

[Freeipa-devel] [freeipa PR#757][synchronized] ca, kra install: validate DM password

2017-05-10 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/757
Author: tomaskrizek
 Title: #757: ca, kra install: validate DM password
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/757/head:pr757
git checkout pr757
From 2cce2304491ce575b6803ca4dd7d8f6630c57a35 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 3 May 2017 10:05:25 +0200
Subject: [PATCH 1/4] ca install: merge duplicated code for DM password

Extract copy-pasted code to a single function.

Related https://pagure.io/freeipa/issue/6892

Signed-off-by: Tomas Krizek 
---
 install/tools/ipa-ca-install | 40 +---
 1 file changed, 17 insertions(+), 23 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 60261aa..da6e5c3 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -116,9 +116,19 @@ def parse_options():
 return safe_options, options, filename
 
 
-def get_dirman_password():
-return installutils.read_password(
-"Directory Manager (existing master)", confirm=False, validate=False)
+def _get_dirman_password(password=None, unattended=False):
+if not password:
+if unattended:
+sys.exit('Directory Manager password required')
+try:
+password = installutils.read_password(
+"Directory Manager (existing master)", confirm=False,
+validate=False)
+except KeyboardInterrupt:
+sys.exit(0)
+if password is None:
+sys.exit("Directory Manager password required")
+return password
 
 
 def install_replica(safe_options, options, filename):
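Review bot: The new `_get_dirman_password` has no docstring, and its contract needs one: it never returns without a password, and it terminates the process on three paths (`sys.exit` for a missing password in unattended mode, on `KeyboardInterrupt`, and when `read_password` returns None). A docstring such as `"""Return the Directory Manager password, prompting for it when `password` is empty; exits the process instead of raising when none can be obtained."""` would tell callers the failure cannot be caught. Separately, `sys.exit(0)` on `KeyboardInterrupt` reports success to the calling shell for an aborted install; that is behaviour moved from the two old call sites, but now that it lives in one place a non-zero status (`sys.exit(1)`) would be easier to act on in scripts. The same patch appears again in the second PR#757 notification below.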
@@ -142,16 +152,8 @@ def install_replica(safe_options, options, filename):
 check_creds(options, api.env.realm)
 
 # get the directory manager password
-dirman_password = options.password
-if not dirman_password:
-if options.unattended:
-sys.exit('Directory Manager password required')
-try:
-dirman_password = get_dirman_password()
-except KeyboardInterrupt:
-sys.exit(0)
-if dirman_password is None:
-sys.exit("Directory Manager password required")
+dirman_password = _get_dirman_password(
+options.password, options.unattended)
 
 if (not options.promote and not options.admin_password and
 not options.skip_conncheck and options.unattended):
@@ -199,16 +201,8 @@ def install_replica(safe_options, options, filename):
 
 
 def install_master(safe_options, options):
-dm_password = options.password
-if not dm_password:
-if options.unattended:
-sys.exit('Directory Manager password required')
-try:
-dm_password = get_dirman_password()
-except KeyboardInterrupt:
-sys.exit(0)
-if dm_password is None:
-sys.exit("Directory Manager password required")
+dm_password = _get_dirman_password(
+options.password, options.unattended)
 
 options.realm_name = api.env.realm
 options.domain_name = api.env.domain

From e3e8f051220970f10a34c8297b1a381d1721b663 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 3 May 2017 10:01:09 +0200
Subject: [PATCH 2/4] installutils: add DM password validator

Add a validator that checks whether the provided Directory Manager
password is valid by attempting to connect to LDAP.

Related https://pagure.io/freeipa/issue/6892

Signed-off-by: Tomas Krizek 
---
 ipaserver/install/installutils.py | 16 
 1 file changed, 16 insertions(+)

diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 9230e70..b6f0148 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -50,6 +50,7 @@
 from ipapython import ipautil, admintool, version
 from ipapython.admintool import ScriptError
 from ipapython.ipa_log_manager import root_logger
+from ipapython.ipaldap import DIRMAN_DN, LDAPClient
 from ipalib.util import validate_hostname
 from ipalib import api, errors, x509
 from ipapython.dn import DN
@@ -329,6 +330,21 @@ def _read_password_default_validator(password):
 if len(password) < 8:
 raise ValueError("Password must be at least 8 characters long")
 
+
+def validate_dm_password_ldap(password):
+"""
+Validate DM password by attempting to connect to LDAP. api.env has to
+contain valid ldap_uri.
+"""
+client = LDAPClient(api.env.ldap_uri, cacert=paths.IPA_CA_CRT)
+try:
+client.simple_bind(DIRMAN_DN, password)
+except errors.ACIError:
+raise ValueError("Invalid Directory Manager password")
+else:
+client.unbind()
+
+
 def read_password(user, confirm=True, validate=True, retry=True, validator=_read_password_default_validator):
 correct = False
 pwd = None
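Review bot: `validate_dm_password_ldap` converts only `errors.ACIError` into the `ValueError` that `read_password`'s validator loop presumably expects; any other bind failure, such as the LDAP server being unreachable, propagates with its own type, so the caller (outside this hunk) may get a traceback rather than a retry or a clear message. The docstring should state this and say how the check works, e.g. adding `Binds as DIRMAN_DN with the candidate password over api.env.ldap_uri. :raises ValueError: if the bind is rejected; other LDAP errors propagate unchanged.` The client is also only unbound on the success path; if `LDAPClient` keeps a connection open after a rejected bind, releasing it in a `finally` would avoid a leak, but that cannot be confirmed from here. `paths` is referenced in the new code but is not among the names the import hunk above adds, so it is presumably already imported earlier in the file. The same hunk appears in the second PR#757 notification below.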

From 

[Freeipa-devel] [freeipa PR#757][synchronized] ca, kra install: validate DM password

2017-05-10 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/757
Author: tomaskrizek
 Title: #757: ca, kra install: validate DM password
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/757/head:pr757
git checkout pr757
From 2cce2304491ce575b6803ca4dd7d8f6630c57a35 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 3 May 2017 10:05:25 +0200
Subject: [PATCH 1/5] ca install: merge duplicated code for DM password

Extract copy-pasted code to a single function.

Related https://pagure.io/freeipa/issue/6892

Signed-off-by: Tomas Krizek 
---
 install/tools/ipa-ca-install | 40 +---
 1 file changed, 17 insertions(+), 23 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 60261aa..da6e5c3 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -116,9 +116,19 @@ def parse_options():
 return safe_options, options, filename
 
 
-def get_dirman_password():
-return installutils.read_password(
-"Directory Manager (existing master)", confirm=False, validate=False)
+def _get_dirman_password(password=None, unattended=False):
+if not password:
+if unattended:
+sys.exit('Directory Manager password required')
+try:
+password = installutils.read_password(
+"Directory Manager (existing master)", confirm=False,
+validate=False)
+except KeyboardInterrupt:
+sys.exit(0)
+if password is None:
+sys.exit("Directory Manager password required")
+return password
 
 
 def install_replica(safe_options, options, filename):
@@ -142,16 +152,8 @@ def install_replica(safe_options, options, filename):
 check_creds(options, api.env.realm)
 
 # get the directory manager password
-dirman_password = options.password
-if not dirman_password:
-if options.unattended:
-sys.exit('Directory Manager password required')
-try:
-dirman_password = get_dirman_password()
-except KeyboardInterrupt:
-sys.exit(0)
-if dirman_password is None:
-sys.exit("Directory Manager password required")
+dirman_password = _get_dirman_password(
+options.password, options.unattended)
 
 if (not options.promote and not options.admin_password and
 not options.skip_conncheck and options.unattended):
@@ -199,16 +201,8 @@ def install_replica(safe_options, options, filename):
 
 
 def install_master(safe_options, options):
-dm_password = options.password
-if not dm_password:
-if options.unattended:
-sys.exit('Directory Manager password required')
-try:
-dm_password = get_dirman_password()
-except KeyboardInterrupt:
-sys.exit(0)
-if dm_password is None:
-sys.exit("Directory Manager password required")
+dm_password = _get_dirman_password(
+options.password, options.unattended)
 
 options.realm_name = api.env.realm
 options.domain_name = api.env.domain

From e3e8f051220970f10a34c8297b1a381d1721b663 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 3 May 2017 10:01:09 +0200
Subject: [PATCH 2/5] installutils: add DM password validator

Add a validator that checks whether the provided Directory Manager
password is valid by attempting to connect to LDAP.

Related https://pagure.io/freeipa/issue/6892

Signed-off-by: Tomas Krizek 
---
 ipaserver/install/installutils.py | 16 
 1 file changed, 16 insertions(+)

diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 9230e70..b6f0148 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -50,6 +50,7 @@
 from ipapython import ipautil, admintool, version
 from ipapython.admintool import ScriptError
 from ipapython.ipa_log_manager import root_logger
+from ipapython.ipaldap import DIRMAN_DN, LDAPClient
 from ipalib.util import validate_hostname
 from ipalib import api, errors, x509
 from ipapython.dn import DN
@@ -329,6 +330,21 @@ def _read_password_default_validator(password):
 if len(password) < 8:
 raise ValueError("Password must be at least 8 characters long")
 
+
+def validate_dm_password_ldap(password):
+"""
+Validate DM password by attempting to connect to LDAP. api.env has to
+contain valid ldap_uri.
+"""
+client = LDAPClient(api.env.ldap_uri, cacert=paths.IPA_CA_CRT)
+try:
+client.simple_bind(DIRMAN_DN, password)
+except errors.ACIError:
+raise ValueError("Invalid Directory Manager password")
+else:
+client.unbind()
+
+
 def read_password(user, confirm=True, validate=True, retry=True, validator=_read_password_default_validator):
 correct = False
 pwd = None

From 

[Freeipa-devel] [freeipa PR#774][synchronized] Deprecate pkinit-anonymous command

2017-05-10 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/774
Author: stlaz
 Title: #774: Deprecate pkinit-anonymous command
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/774/head:pr774
git checkout pr774
From 02e9b01ea1827de218f29279c5707cd5ec87103f Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 10 May 2017 15:54:21 +0200
Subject: [PATCH] Deprecate pkinit-anonymous command

Since v4.5, FreeIPA expects at least some kind of
anonymous PKINIT to work. Deprecate the command, which is
capable of turning this feature off.

https://pagure.io/freeipa/issue/6936
---
 API.txt |  2 +-
 VERSION.m4  |  4 +--
 ipaserver/plugins/pkinit.py | 74 ++---
 3 files changed, 19 insertions(+), 61 deletions(-)

diff --git a/API.txt b/API.txt
index fa7582d..afd664e 100644
--- a/API.txt
+++ b/API.txt
@@ -3738,7 +3738,7 @@ option: Str('version?')
 output: Output('summary', type=[, ])
 command: pkinit_anonymous/1
 args: 1,1,1
-arg: Str('action')
+arg: Str('action?')
 option: Str('version?')
 output: Output('result')
 command: plugins/1
diff --git a/VERSION.m4 b/VERSION.m4
index 6ec56c5..d915fe3 100644
--- a/VERSION.m4
+++ b/VERSION.m4
@@ -73,8 +73,8 @@ define(IPA_DATA_VERSION, 2010061412)
 #  #
 
 define(IPA_API_VERSION_MAJOR, 2)
-define(IPA_API_VERSION_MINOR, 225)
-# Last change: Add --password-expiration option to force password change
+define(IPA_API_VERSION_MINOR, 226)
+# Last change: Deprecate the pkinit-anonymous command
 
 
 
diff --git a/ipaserver/plugins/pkinit.py b/ipaserver/plugins/pkinit.py
index b6b3f38..81e6449 100644
--- a/ipaserver/plugins/pkinit.py
+++ b/ipaserver/plugins/pkinit.py
@@ -17,36 +17,21 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see .
 
-from ipalib import api, errors
 from ipalib import Str
 from ipalib import Object, Command
 from ipalib import _
+from ipalib import messages
 from ipalib.plugable import Registry
-from ipalib.constants import ANON_USER
-from ipapython.dn import DN
 
 __doc__ = _("""
 Kerberos pkinit options
 
-Enable or disable anonymous pkinit using the principal
-WELLKNOWN/ANONYMOUS@REALM. The server must have been installed with
-pkinit support.
-
-EXAMPLES:
-
- Enable anonymous pkinit:
-  ipa pkinit-anonymous enable
-
- Disable anonymous pkinit:
-  ipa pkinit-anonymous disable
-
-For more information on anonymous pkinit see:
-
-http://k5wiki.kerberos.org/wiki/Projects/Anonymous_pkinit
+This module is deprecated since FreeIPA 4.5.1
 """)
 
 register = Registry()
 
+
 @register()
 class pkinit(Object):
 """
@@ -57,49 +42,22 @@ class pkinit(Object):
 label=_('PKINIT')
 
 
-def valid_arg(ugettext, action):
-"""
-Accepts only Enable/Disable.
-"""
-a = action.lower()
-if a != 'enable' and a != 'disable':
-raise errors.ValidationError(
-name='action',
-error=_('Unknown command %s') % action
-)
-
 @register()
 class pkinit_anonymous(Command):
-__doc__ = _('Enable or Disable Anonymous PKINIT.')
-
-princ_name = '%s@%s' % (ANON_USER, api.env.realm)
-default_dn = DN(('krbprincipalname', princ_name), ('cn', api.env.realm), ('cn', 'kerberos'), api.env.basedn)
+__doc__ = _('Originally to enable or disable Anonymous PKINIT.\n'
+'Deprecated since FreeIPA 4.5.1')
 
 takes_args = (
-Str('action', valid_arg),
+Str('action?'),
 )
 
-def execute(self, action, **options):
-ldap = self.api.Backend.ldap2
-set_lock = False
-lock = None
-
-entry_attrs = ldap.get_entry(self.default_dn, ['nsaccountlock'])
-
-if 'nsaccountlock' in entry_attrs:
-lock = entry_attrs['nsaccountlock'][0].lower()
-
-if action.lower() == 'enable':
-if lock == 'true':
-set_lock = True
-lock = None
-elif action.lower() == 'disable':
-if lock != 'true':
-set_lock = True
-lock = 'TRUE'
-
-if set_lock:
-entry_attrs['nsaccountlock'] = lock
-ldap.update_entry(entry_attrs)
-
-return dict(result=True)
+def execute(self, action=None, **options):
+self.add_message(
+messages.CommandDeprecatedWarning(
+command='pkinit-anonymous',
+additional_info=_('This command was deprecated in '
+  'FreeIPA 4.5.1 because Anonymous PKINIT is '
+  'required for the system to work.')
+)
+)
+return {'result': None}
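Review bot: The retained `action?` argument is accepted and then ignored by the new `execute`, and nothing in the class says why it is still declared. A comment on `takes_args` such as `# kept only so existing clients can still call the command; the value is ignored` would stop the next reader from either removing it or trying to honour it. The new `execute` also has no docstring; a one-liner stating that it only emits the deprecation warning and returns `{'result': None}` would match the module docstring that this commit rewrites. The second PR#774 notification below repeats this hunk but is cut off before its end.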

[Freeipa-devel] [freeipa PR#774][synchronized] Deprecate pkinit-anonymous command

2017-05-10 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/774
Author: stlaz
 Title: #774: Deprecate pkinit-anonymous command
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/774/head:pr774
git checkout pr774
From 09bc1fe1bcd9c7729a8619982d16c18e23a5af20 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 10 May 2017 15:54:21 +0200
Subject: [PATCH] Deprecate pkinit-anonymous command

Since v4.5, FreeIPA expects at least some kind of
anonymous PKINIT to work. Deprecate the command, which is
capable of turning this feature off.

https://pagure.io/freeipa/issue/6936
---
 API.txt |  2 +-
 VERSION.m4  |  4 +--
 ipaserver/plugins/pkinit.py | 74 ++---
 3 files changed, 19 insertions(+), 61 deletions(-)

diff --git a/API.txt b/API.txt
index fa7582d..afd664e 100644
--- a/API.txt
+++ b/API.txt
@@ -3738,7 +3738,7 @@ option: Str('version?')
 output: Output('summary', type=[, ])
 command: pkinit_anonymous/1
 args: 1,1,1
-arg: Str('action')
+arg: Str('action?')
 option: Str('version?')
 output: Output('result')
 command: plugins/1
diff --git a/VERSION.m4 b/VERSION.m4
index 6ec56c5..d915fe3 100644
--- a/VERSION.m4
+++ b/VERSION.m4
@@ -73,8 +73,8 @@ define(IPA_DATA_VERSION, 2010061412)
 #  #
 
 define(IPA_API_VERSION_MAJOR, 2)
-define(IPA_API_VERSION_MINOR, 225)
-# Last change: Add --password-expiration option to force password change
+define(IPA_API_VERSION_MINOR, 226)
+# Last change: Deprecate the pkinit-anonymous command
 
 
 
diff --git a/ipaserver/plugins/pkinit.py b/ipaserver/plugins/pkinit.py
index b6b3f38..9d58c6e 100644
--- a/ipaserver/plugins/pkinit.py
+++ b/ipaserver/plugins/pkinit.py
@@ -17,36 +17,21 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see .
 
-from ipalib import api, errors
 from ipalib import Str
 from ipalib import Object, Command
 from ipalib import _
+from ipalib import messages
 from ipalib.plugable import Registry
-from ipalib.constants import ANON_USER
-from ipapython.dn import DN
 
 __doc__ = _("""
 Kerberos pkinit options
 
-Enable or disable anonymous pkinit using the principal
-WELLKNOWN/ANONYMOUS@REALM. The server must have been installed with
-pkinit support.
-
-EXAMPLES:
-
- Enable anonymous pkinit:
-  ipa pkinit-anonymous enable
-
- Disable anonymous pkinit:
-  ipa pkinit-anonymous disable
-
-For more information on anonymous pkinit see:
-
-http://k5wiki.kerberos.org/wiki/Projects/Anonymous_pkinit
+This module is deprecated since FreeIPA 4.5.1
 """)
 
 register = Registry()
 
+
 @register()
 class pkinit(Object):
 """
@@ -57,49 +42,22 @@ class pkinit(Object):
 label=_('PKINIT')
 
 
-def valid_arg(ugettext, action):
-"""
-Accepts only Enable/Disable.
-"""
-a = action.lower()
-if a != 'enable' and a != 'disable':
-raise errors.ValidationError(
-name='action',
-error=_('Unknown command %s') % action
-)
-
 @register()
 class pkinit_anonymous(Command):
-__doc__ = _('Enable or Disable Anonymous PKINIT.')
-
-princ_name = '%s@%s' % (ANON_USER, api.env.realm)
-default_dn = DN(('krbprincipalname', princ_name), ('cn', api.env.realm), ('cn', 'kerberos'), api.env.basedn)
+__doc__ = _('Originally to enable or disable Anonymous PKINIT.\n'
+'Deprecated since FreeIPA 4.5.1')
 
 takes_args = (
-Str('action', valid_arg),
+Str('action?'),
 )
 
-def execute(self, action, **options):
-ldap = self.api.Backend.ldap2
-set_lock = False
-lock = None
-
-entry_attrs = ldap.get_entry(self.default_dn, ['nsaccountlock'])
-
-if 'nsaccountlock' in entry_attrs:
-lock = entry_attrs['nsaccountlock'][0].lower()
-
-if action.lower() == 'enable':
-if lock == 'true':
-set_lock = True
-lock = None
-elif action.lower() == 'disable':
-if lock != 'true':
-set_lock = True
-lock = 'TRUE'
-
-if set_lock:
-entry_attrs['nsaccountlock'] = lock
-ldap.update_entry(entry_attrs)
-
-return dict(result=True)
+def execute(self, **options):
+self.add_message(
+messages.CommandDeprecatedWarning(
+command='pkinit-anonymous',
+additional_info=_('This command was deprecated in '
+  'FreeIPA 4.5.1 because Anonymous PKINIT is '
+  'required for the system to work.')
+)
+)
+return {'result': None}
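Review bot: `def execute(self, **options)` on the last lines of the hunk no longer accepts the `action` argument, yet `takes_args` a few lines up still declares `Str('action?')` and API.txt keeps `arg: Str('action?')`; if the command framework hands declared args to `execute` positionally, an invocation with or without the now-optional value would end in a TypeError instead of the deprecation warning. `def execute(self, action=None, **options):` keeps the wire contract for 4.5.0 clients that still send a required `action` and lets the body ignore it. The return value also changed from `dict(result=True)` to `{'result': None}`, which deserves a line in the class docstring since the command is kept only for compatibility. The same two hunks are repeated in the PR#774 [opened] message later in this digest.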

[Freeipa-devel] [freeipa PR#761][comment] Fixing adding authenticator indicators to host

2017-05-10 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/761
Title: #761: Fixing adding authenticator indicators to host

stlaz commented:
"""
Yes, that seems to have fixed that. Please do squash them now, I guess we can 
ACK this ;)
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/761#issuecomment-300493147

[Freeipa-devel] [freeipa PR#773][comment] [WIP] Warn in cert-request if CSR doesn't contain SAN

2017-05-10 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/773
Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN

pvoborni commented:
"""
I don't think it makes sense to spend time on making the warning configurable - that 
is a larger change (ldap attr, schema, api...) and as such out of scope of 4.5.

Simple warning is IMO good, but it should be worded in a sense that SAN is not 
always needed. Probably mention in what general use cases it is needed e.g. web 
services/pages.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/773#issuecomment-300491247

[Freeipa-devel] [freeipa PR#774][opened] Deprecate pkinit-anonymous command

2017-05-10 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/774
Author: stlaz
 Title: #774: Deprecate pkinit-anonymous command
Action: opened

PR body:
"""
Ever since v4.5, FreeIPA has expected at least some kind of
anonymous PKINIT to work. Deprecate the command that is
capable of turning this feature off.

https://pagure.io/freeipa/issue/6936
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/774/head:pr774
git checkout pr774
From 83d1b5170ebe9ad1c01c75d6738c3d0fd59c0ef1 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 10 May 2017 15:54:21 +0200
Subject: [PATCH] Deprecate pkinit-anonymous command

Ever since v4.5, FreeIPA has expected at least some kind of
anonymous PKINIT to work. Deprecate the command that is
capable of turning this feature off.

https://pagure.io/freeipa/issue/6936
---
 ipaserver/plugins/pkinit.py | 74 ++---
 1 file changed, 16 insertions(+), 58 deletions(-)

diff --git a/ipaserver/plugins/pkinit.py b/ipaserver/plugins/pkinit.py
index b6b3f38..9d58c6e 100644
--- a/ipaserver/plugins/pkinit.py
+++ b/ipaserver/plugins/pkinit.py
@@ -17,36 +17,21 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see .
 
-from ipalib import api, errors
 from ipalib import Str
 from ipalib import Object, Command
 from ipalib import _
+from ipalib import messages
 from ipalib.plugable import Registry
-from ipalib.constants import ANON_USER
-from ipapython.dn import DN
 
 __doc__ = _("""
 Kerberos pkinit options
 
-Enable or disable anonymous pkinit using the principal
-WELLKNOWN/ANONYMOUS@REALM. The server must have been installed with
-pkinit support.
-
-EXAMPLES:
-
- Enable anonymous pkinit:
-  ipa pkinit-anonymous enable
-
- Disable anonymous pkinit:
-  ipa pkinit-anonymous disable
-
-For more information on anonymous pkinit see:
-
-http://k5wiki.kerberos.org/wiki/Projects/Anonymous_pkinit
+This module is deprecated since FreeIPA 4.5.1
 """)
 
 register = Registry()
 
+
 @register()
 class pkinit(Object):
 """
@@ -57,49 +42,22 @@ class pkinit(Object):
 label=_('PKINIT')
 
 
-def valid_arg(ugettext, action):
-"""
-Accepts only Enable/Disable.
-"""
-a = action.lower()
-if a != 'enable' and a != 'disable':
-raise errors.ValidationError(
-name='action',
-error=_('Unknown command %s') % action
-)
-
 @register()
 class pkinit_anonymous(Command):
-__doc__ = _('Enable or Disable Anonymous PKINIT.')
-
-princ_name = '%s@%s' % (ANON_USER, api.env.realm)
-default_dn = DN(('krbprincipalname', princ_name), ('cn', api.env.realm), ('cn', 'kerberos'), api.env.basedn)
+__doc__ = _('Originally to enable or disable Anonymous PKINIT.\n'
+'Deprecated since FreeIPA 4.5.1')
 
 takes_args = (
-Str('action', valid_arg),
+Str('action?'),
 )
 
-def execute(self, action, **options):
-ldap = self.api.Backend.ldap2
-set_lock = False
-lock = None
-
-entry_attrs = ldap.get_entry(self.default_dn, ['nsaccountlock'])
-
-if 'nsaccountlock' in entry_attrs:
-lock = entry_attrs['nsaccountlock'][0].lower()
-
-if action.lower() == 'enable':
-if lock == 'true':
-set_lock = True
-lock = None
-elif action.lower() == 'disable':
-if lock != 'true':
-set_lock = True
-lock = 'TRUE'
-
-if set_lock:
-entry_attrs['nsaccountlock'] = lock
-ldap.update_entry(entry_attrs)
-
-return dict(result=True)
+def execute(self, **options):
+self.add_message(
+messages.CommandDeprecatedWarning(
+command='pkinit-anonymous',
+additional_info=_('This command was deprecated in '
+  'FreeIPA 4.5.1 because Anonymous PKINIT is '
+  'required for the system to work.')
+)
+)
+return {'result': None}

[Freeipa-devel] [freeipa PR#736][synchronized] Fixing the cert-request command comparing whole email address case-sensitively.

2017-05-10 Thread felipevolpone
   URL: https://github.com/freeipa/freeipa/pull/736
Author: felipevolpone
 Title: #736: Fixing the cert-request command comparing whole email address 
case-sensitively.
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/736/head:pr736
git checkout pr736
From 97725d8185e1d9431395ffa1aa39ceaf38090c8e Mon Sep 17 00:00:00 2001
From: Felipe Volpone 
Date: Fri, 5 May 2017 11:25:08 -0300
Subject: [PATCH 1/4] Fixing the cert-request comparing whole email address
 case-sensitively.

Now, the cert-request command compares the domain part of the
email case-insensitively.

https://pagure.io/freeipa/issue/5919
---
 ipaserver/plugins/cert.py| 29 ++---
 ipatests/test_xmlrpc/test_cert_plugin.py | 23 +++
 2 files changed, 49 insertions(+), 3 deletions(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 1a425de..f43f1f0 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -798,7 +798,9 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw):
 # fail if any email addr from DN does not appear in ldap entry
 email_addrs = csr_obj.subject.get_attributes_for_oid(
 cryptography.x509.oid.NameOID.EMAIL_ADDRESS)
-if len(set(email_addrs) - set(principal_obj.get('mail', []))) > 0:
+csr_emails = [attr.value for attr in email_addrs]
+if not _emails_are_valid(csr_emails,
+ principal_obj.get('mail', [])):
 raise errors.ValidationError(
 name='csr',
 error=_(
@@ -884,8 +886,8 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw):
 "match requested principal") % gn.name)
 elif isinstance(gn, cryptography.x509.general_name.RFC822Name):
 if principal_type == USER:
-if principal_obj and gn.value not in principal_obj.get(
-'mail', []):
+if not _emails_are_valid([gn.value],
+ principal_obj.get('mail', [])):
 raise errors.ValidationError(
 name='csr',
 error=_(
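Review bot: The replaced condition at the top of this hunk guarded the lookup with `principal_obj and`, and the new `principal_obj.get('mail', [])` drops that guard, so if `principal_obj` can still be None on the RFC822Name path this now raises AttributeError where it previously skipped the check. If the guard was deliberate, keep it: `if principal_obj is not None and not _emails_are_valid([gn.value], principal_obj.get('mail', [])):`; if `principal_obj` is guaranteed for USER principals at this point, a one-line comment saying so would spare the next reader the same question. The enclosing `execute` method starts and ends outside the hunk.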
@@ -953,6 +955,27 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw):
 )
 
 
+def _emails_are_valid(csr_emails, principal_emails):
+"""
+Checks if any email address from certificate does not
+appear in ldap entry, comparing the domain part case-insensitively.
+"""
+
+if not any(principal_emails):
+return False
+
+def lower_domain(email):
+email_splited = email.split('@', 1)
+email_splited[1] = email_splited[1].lower()
+
+return '@'.join(email_splited)
+
+principal_emails_lower = set(map(lower_domain, principal_emails))
+csr_emails_lower = set(map(lower_domain, csr_emails))
+
+return csr_emails_lower.issubset(principal_emails_lower)
+
+
 def principal_to_principal_type(principal):
 if principal.is_user:
 return USER
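Review bot: The early return `if not any(principal_emails): return False` at the top of `_emails_are_valid` rejects a CSR that carries no email addresses whenever the principal has no `mail` values, whereas the replaced check `len(set(email_addrs) - set(...)) > 0` in the first hunk accepted that case, so user cert requests without any email address now fail with ValidationError. `lower_domain` also indexes `email_splited[1]`, which raises IndexError for an emailAddress without `@`; the CSR subject is supplied by the requester, so that surfaces as an unhandled server error rather than a ValidationError. An empty CSR set is trivially a subset, so the early return can go, and `str.partition` copes with a missing `@`. The identical hunk appears twice more in the two following PR#736 messages.
```python
def _emails_are_valid(csr_emails, principal_emails):
    """
    Return True when every email address from the certificate request also
    appears in the ldap entry, comparing the domain part case-insensitively.
    An empty csr_emails list is trivially valid.
    """
    def lower_domain(email):
        # partition never raises: an address without '@' keeps its text as-is
        local_part, sep, domain = email.partition('@')
        return local_part + sep + domain.lower()

    principal_emails_lower = set(map(lower_domain, principal_emails))
    csr_emails_lower = set(map(lower_domain, csr_emails))

    return csr_emails_lower.issubset(principal_emails_lower)
```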
diff --git a/ipatests/test_xmlrpc/test_cert_plugin.py b/ipatests/test_xmlrpc/test_cert_plugin.py
index 51c20b6..3bdb60e 100644
--- a/ipatests/test_xmlrpc/test_cert_plugin.py
+++ b/ipatests/test_xmlrpc/test_cert_plugin.py
@@ -251,6 +251,29 @@ def test_00010_cleanup(self):
 res = api.Command['service_find'](self.service_princ)
 assert res['count'] == 0
 
+def test_00011_email_are_valid(self):
+"""
+Verify the different scenarios when checking if any email addr
+from DN or SAN extension does not appear in ldap entry.
+"""
+
+from ipaserver.plugins.cert import _emails_are_valid
+email_addrs = [u'a...@email.com']
+result = _emails_are_valid(email_addrs, [u'a...@email.com'])
+assert True == result, result
+
+email_addrs = [u'a...@email.com']
+result = _emails_are_valid(email_addrs, [u'a...@email.com',
+ u'anot...@email.com'])
+assert True == result, result
+
+result = _emails_are_valid([], [u'a...@email.com'])
+assert False == result, result
+
+email_addrs = [u'invalidEmailAddress']
+result = _emails_are_valid(email_addrs, [])
+assert False == result, result
+
 
 @pytest.mark.tier1
 class test_cert_find(XMLRPC_test):
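Review bot: The assertion `assert False == result, result` for `_emails_are_valid([], [u'a...@email.com'])` pins a behaviour that contradicts subset semantics and the pre-change check, which accepted a CSR with no email addresses; the expected value there should be True. The test also never exercises the case the commit is about, a CSR address whose domain differs from the LDAP `mail` value only in letter case, so a pair such as a lower-case principal address against the same address with an upper-case domain should be added, plus an address without `@` to show the helper does not raise. `assert True == result, result` reads better as `assert result` and `assert not result`. The same hunk is repeated in the two following PR#736 messages.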

From ecc44fa5c4e317da96abf48fc440e1a9ad0c482d Mon Sep 17 00:00:00 2001
From: Felipe Volpone 
Date: Fri, 5 May 2017 12:17:15 -0300
Subject: [PATCH 2/4] Fixing tests

---
 ipaserver/plugins/cert.py| 2 +-
 ipatests/test_xmlrpc/test_cert_plugin.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 

[Freeipa-devel] [freeipa PR#736][synchronized] Fixing the cert-request command comparing whole email address case-sensitively.

2017-05-10 Thread felipevolpone
   URL: https://github.com/freeipa/freeipa/pull/736
Author: felipevolpone
 Title: #736: Fixing the cert-request command comparing whole email address 
case-sensitively.
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/736/head:pr736
git checkout pr736
From 97725d8185e1d9431395ffa1aa39ceaf38090c8e Mon Sep 17 00:00:00 2001
From: Felipe Volpone 
Date: Fri, 5 May 2017 11:25:08 -0300
Subject: [PATCH 1/3] Fixing the cert-request comparing whole email address
 case-sensitively.

Now, the cert-request command compares the domain part of the
email case-insensitively.

https://pagure.io/freeipa/issue/5919
---
 ipaserver/plugins/cert.py| 29 ++---
 ipatests/test_xmlrpc/test_cert_plugin.py | 23 +++
 2 files changed, 49 insertions(+), 3 deletions(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 1a425de..f43f1f0 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -798,7 +798,9 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw):
 # fail if any email addr from DN does not appear in ldap entry
 email_addrs = csr_obj.subject.get_attributes_for_oid(
 cryptography.x509.oid.NameOID.EMAIL_ADDRESS)
-if len(set(email_addrs) - set(principal_obj.get('mail', []))) > 0:
+csr_emails = [attr.value for attr in email_addrs]
+if not _emails_are_valid(csr_emails,
+ principal_obj.get('mail', [])):
 raise errors.ValidationError(
 name='csr',
 error=_(
@@ -884,8 +886,8 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw):
 "match requested principal") % gn.name)
 elif isinstance(gn, cryptography.x509.general_name.RFC822Name):
 if principal_type == USER:
-if principal_obj and gn.value not in principal_obj.get(
-'mail', []):
+if not _emails_are_valid([gn.value],
+ principal_obj.get('mail', [])):
 raise errors.ValidationError(
 name='csr',
 error=_(
@@ -953,6 +955,27 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw):
 )
 
 
+def _emails_are_valid(csr_emails, principal_emails):
+"""
+Checks if any email address from certificate does not
+appear in ldap entry, comparing the domain part case-insensitively.
+"""
+
+if not any(principal_emails):
+return False
+
+def lower_domain(email):
+email_splited = email.split('@', 1)
+email_splited[1] = email_splited[1].lower()
+
+return '@'.join(email_splited)
+
+principal_emails_lower = set(map(lower_domain, principal_emails))
+csr_emails_lower = set(map(lower_domain, csr_emails))
+
+return csr_emails_lower.issubset(principal_emails_lower)
+
+
 def principal_to_principal_type(principal):
 if principal.is_user:
 return USER
diff --git a/ipatests/test_xmlrpc/test_cert_plugin.py b/ipatests/test_xmlrpc/test_cert_plugin.py
index 51c20b6..3bdb60e 100644
--- a/ipatests/test_xmlrpc/test_cert_plugin.py
+++ b/ipatests/test_xmlrpc/test_cert_plugin.py
@@ -251,6 +251,29 @@ def test_00010_cleanup(self):
 res = api.Command['service_find'](self.service_princ)
 assert res['count'] == 0
 
+def test_00011_email_are_valid(self):
+"""
+Verify the different scenarios when checking if any email addr
+from DN or SAN extension does not appear in ldap entry.
+"""
+
+from ipaserver.plugins.cert import _emails_are_valid
+email_addrs = [u'a...@email.com']
+result = _emails_are_valid(email_addrs, [u'a...@email.com'])
+assert True == result, result
+
+email_addrs = [u'a...@email.com']
+result = _emails_are_valid(email_addrs, [u'a...@email.com',
+ u'anot...@email.com'])
+assert True == result, result
+
+result = _emails_are_valid([], [u'a...@email.com'])
+assert False == result, result
+
+email_addrs = [u'invalidEmailAddress']
+result = _emails_are_valid(email_addrs, [])
+assert False == result, result
+
 
 @pytest.mark.tier1
 class test_cert_find(XMLRPC_test):

From ecc44fa5c4e317da96abf48fc440e1a9ad0c482d Mon Sep 17 00:00:00 2001
From: Felipe Volpone 
Date: Fri, 5 May 2017 12:17:15 -0300
Subject: [PATCH 2/3] Fixing tests

---
 ipaserver/plugins/cert.py| 2 +-
 ipatests/test_xmlrpc/test_cert_plugin.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 

[Freeipa-devel] [freeipa PR#736][synchronized] Fixing the cert-request command comparing whole email address case-sensitively.

2017-05-10 Thread felipevolpone
   URL: https://github.com/freeipa/freeipa/pull/736
Author: felipevolpone
 Title: #736: Fixing the cert-request command comparing whole email address 
case-sensitively.
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/736/head:pr736
git checkout pr736
From 97725d8185e1d9431395ffa1aa39ceaf38090c8e Mon Sep 17 00:00:00 2001
From: Felipe Volpone 
Date: Fri, 5 May 2017 11:25:08 -0300
Subject: [PATCH 1/3] Fixing the cert-request comparing whole email address
 case-sensitively.

Now, the cert-request command compares the domain part of the
email case-insensitively.

https://pagure.io/freeipa/issue/5919
---
 ipaserver/plugins/cert.py| 29 ++---
 ipatests/test_xmlrpc/test_cert_plugin.py | 23 +++
 2 files changed, 49 insertions(+), 3 deletions(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 1a425de..f43f1f0 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -798,7 +798,9 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw):
 # fail if any email addr from DN does not appear in ldap entry
 email_addrs = csr_obj.subject.get_attributes_for_oid(
 cryptography.x509.oid.NameOID.EMAIL_ADDRESS)
-if len(set(email_addrs) - set(principal_obj.get('mail', []))) > 0:
+csr_emails = [attr.value for attr in email_addrs]
+if not _emails_are_valid(csr_emails,
+ principal_obj.get('mail', [])):
 raise errors.ValidationError(
 name='csr',
 error=_(
@@ -884,8 +886,8 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw):
 "match requested principal") % gn.name)
 elif isinstance(gn, cryptography.x509.general_name.RFC822Name):
 if principal_type == USER:
-if principal_obj and gn.value not in principal_obj.get(
-'mail', []):
+if not _emails_are_valid([gn.value],
+ principal_obj.get('mail', [])):
 raise errors.ValidationError(
 name='csr',
 error=_(
@@ -953,6 +955,27 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw):
 )
 
 
+def _emails_are_valid(csr_emails, principal_emails):
+"""
+Checks if any email address from certificate does not
+appear in ldap entry, comparing the domain part case-insensitively.
+"""
+
+if not any(principal_emails):
+return False
+
+def lower_domain(email):
+email_splited = email.split('@', 1)
+email_splited[1] = email_splited[1].lower()
+
+return '@'.join(email_splited)
+
+principal_emails_lower = set(map(lower_domain, principal_emails))
+csr_emails_lower = set(map(lower_domain, csr_emails))
+
+return csr_emails_lower.issubset(principal_emails_lower)
+
+
 def principal_to_principal_type(principal):
 if principal.is_user:
 return USER
diff --git a/ipatests/test_xmlrpc/test_cert_plugin.py b/ipatests/test_xmlrpc/test_cert_plugin.py
index 51c20b6..3bdb60e 100644
--- a/ipatests/test_xmlrpc/test_cert_plugin.py
+++ b/ipatests/test_xmlrpc/test_cert_plugin.py
@@ -251,6 +251,29 @@ def test_00010_cleanup(self):
 res = api.Command['service_find'](self.service_princ)
 assert res['count'] == 0
 
+def test_00011_email_are_valid(self):
+"""
+Verify the different scenarios when checking if any email addr
+from DN or SAN extension does not appear in ldap entry.
+"""
+
+from ipaserver.plugins.cert import _emails_are_valid
+email_addrs = [u'a...@email.com']
+result = _emails_are_valid(email_addrs, [u'a...@email.com'])
+assert True == result, result
+
+email_addrs = [u'a...@email.com']
+result = _emails_are_valid(email_addrs, [u'a...@email.com',
+ u'anot...@email.com'])
+assert True == result, result
+
+result = _emails_are_valid([], [u'a...@email.com'])
+assert False == result, result
+
+email_addrs = [u'invalidEmailAddress']
+result = _emails_are_valid(email_addrs, [])
+assert False == result, result
+
 
 @pytest.mark.tier1
 class test_cert_find(XMLRPC_test):

From ecc44fa5c4e317da96abf48fc440e1a9ad0c482d Mon Sep 17 00:00:00 2001
From: Felipe Volpone 
Date: Fri, 5 May 2017 12:17:15 -0300
Subject: [PATCH 2/3] Fixing tests

---
 ipaserver/plugins/cert.py| 2 +-
 ipatests/test_xmlrpc/test_cert_plugin.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 

[Freeipa-devel] [freeipa PR#761][synchronized] Fixing adding authenticator indicators to host

2017-05-10 Thread felipevolpone
   URL: https://github.com/freeipa/freeipa/pull/761
Author: felipevolpone
 Title: #761: Fixing adding authenticator indicators to host
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/761/head:pr761
git checkout pr761
From 3cacc719d86b793fe4c88b5bce8707b234b0 Mon Sep 17 00:00:00 2001
From: Felipe Volpone 
Date: Tue, 9 May 2017 10:10:36 -0300
Subject: [PATCH 1/2] Fixing adding authenticator indicators to host

The check for krbprincipalaux in the entries is now made
case-insensitively.

https://pagure.io/freeipa/issue/6911
---
 ipaserver/plugins/host.py | 13 -
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index dcadd54..d9b8331 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -884,7 +884,8 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 msg = 'Principal name already set, it is unchangeable.'
 raise errors.ACIError(info=msg)
 obj_classes = entry_attrs_old['objectclass']
-if 'krbprincipalaux' not in obj_classes:
+if 'krbprincipalaux' not in (item.lower() for item in
+ obj_classes):
 obj_classes.append('krbprincipalaux')
 entry_attrs['objectclass'] = obj_classes
 
@@ -920,7 +921,7 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 else:
 _entry_attrs = ldap.get_entry(dn, ['objectclass'])
 obj_classes = _entry_attrs['objectclass']
-if 'ieee802device' not in obj_classes:
+if 'ieee802device' not in (item.lower() for item in obj_classes):
 obj_classes.append('ieee802device')
 entry_attrs['objectclass'] = obj_classes
 
@@ -940,7 +941,7 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 else:
 _entry_attrs = ldap.get_entry(dn, ['objectclass'])
 obj_classes = entry_attrs['objectclass'] = _entry_attrs['objectclass']
-if 'ipasshhost' not in obj_classes:
+if 'ipasshhost' not in (item.lower() for item in obj_classes):
 obj_classes.append('ipasshhost')
 
 update_krbticketflags(ldap, entry_attrs, attrs_list, options, True)
@@ -949,14 +950,16 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 if 'objectclass' not in entry_attrs:
 entry_attrs_old = ldap.get_entry(dn, ['objectclass'])
 entry_attrs['objectclass'] = entry_attrs_old['objectclass']
-if 'krbticketpolicyaux' not in entry_attrs['objectclass']:
+if 'krbticketpolicyaux' not in (item.lower() for item in
+obj_classes):
 entry_attrs['objectclass'].append('krbticketpolicyaux')
 
 if 'krbprincipalauthind' in entry_attrs:
 if 'objectclass' not in entry_attrs:
 entry_attrs_old = ldap.get_entry(dn, ['objectclass'])
 entry_attrs['objectclass'] = entry_attrs_old['objectclass']
-if 'krbprincipalaux' not in entry_attrs['objectclass']:
+if 'krbprincipalaux' not in (item.lower() for item in
+ obj_classes):
 entry_attrs['objectclass'].append('krbprincipalaux')
 
 add_sshpubkey_to_attrs_pre(self.context, attrs_list)
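Review bot: The generator `(item.lower() for item in obj_classes)` is now written out in five places across the four hunks of this commit, and in this last hunk it reads `obj_classes` where the surrounding lines work on `entry_attrs['objectclass']`, which is how the mismatch the second commit repairs crept in. A small module-level helper, `def _has_objectclass(obj_classes, name): return name in (oc.lower() for oc in obj_classes)`, would keep the case-folding rule in one place and make each membership test one line. Lowering both sides is the right fix since objectClass values are matched case-insensitively by the directory server; a short comment on the helper stating that would document the intent. `pre_callback` starts and ends outside these hunks.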

From ff0581816d100923ca97493d0c4a76acda5cbfce Mon Sep 17 00:00:00 2001
From: Felipe Volpone 
Date: Wed, 10 May 2017 10:07:21 -0300
Subject: [PATCH 2/2] Fixing adding authenticator indicators to host

---
 ipaserver/plugins/host.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index d9b8331..1e1f9d8 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -951,7 +951,7 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 entry_attrs_old = ldap.get_entry(dn, ['objectclass'])
 entry_attrs['objectclass'] = entry_attrs_old['objectclass']
 if 'krbticketpolicyaux' not in (item.lower() for item in
-obj_classes):
+entry_attrs['objectclass']):
 entry_attrs['objectclass'].append('krbticketpolicyaux')
 
 if 'krbprincipalauthind' in entry_attrs:
@@ -959,7 +959,7 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 entry_attrs_old = ldap.get_entry(dn, ['objectclass'])
 entry_attrs['objectclass'] = entry_attrs_old['objectclass']
 if 'krbprincipalaux' not in (item.lower() for item in
- 

[Freeipa-devel] [freeipa PR#765][comment] [4.5 backport] spec file: bump python-netaddr Requires

2017-05-10 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/765
Title: #765: [4.5 backport] spec file: bump python-netaddr Requires

HonzaCholasta commented:
"""
@tomaskrizek, this PR is for ipa-4-5, the change is already present in master.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/765#issuecomment-300465628

[Freeipa-devel] [freeipa PR#745][comment] tests: add missing dependency iptables

2017-05-10 Thread apophys
  URL: https://github.com/freeipa/freeipa/pull/745
Title: #745: tests: add missing dependency iptables

apophys commented:
"""
The kdc proxy test requiring the package is also in ipa-4-5 branch. Should it 
not go there as well?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/745#issuecomment-300455303

[Freeipa-devel] [freeipa PR#765][comment] [4.5 backport] spec file: bump python-netaddr Requires

2017-05-10 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/765
Title: #765: [4.5 backport] spec file: bump python-netaddr Requires

tomaskrizek commented:
"""
Please rebase for current master.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/765#issuecomment-300452468

[Freeipa-devel] [freeipa PR#770][closed] cert-show: writable files does not mean dirs

2017-05-10 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/770
Author: stlaz
 Title: #770: cert-show: writable files does not mean dirs
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/770/head:pr770
git checkout pr770

[Freeipa-devel] [freeipa PR#770][comment] cert-show: writable files does not mean dirs

2017-05-10 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/770
Title: #770: cert-show: writable files does not mean dirs

tomaskrizek commented:
"""
master:

* 33b3d7ad7ada45edbd178fe99f1257c40f39dcaa cert-show: writable files does not 
mean dirs


ipa-4-5:

* 2410023ce6ef3255ddbaaf8939a928e733297d62 cert-show: writable files does not 
mean dirs


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/770#issuecomment-300451638

[Freeipa-devel] [freeipa PR#770][+pushed] cert-show: writable files does not mean dirs

2017-05-10 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/770
Title: #770: cert-show: writable files does not mean dirs

Label: +pushed

[Freeipa-devel] [freeipa PR#768][comment] Ticket#6854 caless

2017-05-10 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/768
Title: #768: Ticket#6854 caless

MartinBasti commented:
"""
This PR is obsoleted by #769 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/768#issuecomment-300437510

[Freeipa-devel] [freeipa PR#768][comment] Ticket#6854 caless

2017-05-10 Thread Rezney
  URL: https://github.com/freeipa/freeipa/pull/768
Title: #768: Ticket#6854 caless

Rezney commented:
"""
Ah, sorry I was not descriptive enough. I meant a temporary nssdb which is 
created by the script on the controller which is running the integration tests. 
However thanks for your input. Good to know this.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/768#issuecomment-300420449

[Freeipa-devel] [freeipa PR#765][+ack] [4.5 backport] spec file: bump python-netaddr Requires

2017-05-10 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/765
Title: #765: [4.5 backport] spec file: bump python-netaddr Requires

Label: +ack

[Freeipa-devel] [freeipa PR#765][comment] [4.5 backport] spec file: bump python-netaddr Requires

2017-05-10 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/765
Title: #765: [4.5 backport] spec file: bump python-netaddr Requires

HonzaCholasta commented:
"""
@tomaskrizek, yes.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/765#issuecomment-300401586

[Freeipa-devel] [freeipa PR#773][comment] [WIP] Warn in cert-request if CSR doesn't contain SAN

2017-05-10 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/773
Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN

pvoborni commented:
"""
AFAIK, there was no agreement on not implementing this, otherwise the ticket 
would be closed. The ticket #6663 was created to warn until the change in 
profiles is implemented (#4970). It was mentioned yesterday at the IPA meeting that 
we want to warn - when discussing: 
https://bugzilla.redhat.com/show_bug.cgi?id=1445345 and 
https://bugzilla.redhat.com/show_bug.cgi?id=1445927
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/773#issuecomment-300401288

[Freeipa-devel] [freeipa PR#765][comment] [4.5 backport] spec file: bump python-netaddr Requires

2017-05-10 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/765
Title: #765: [4.5 backport] spec file: bump python-netaddr Requires

tomaskrizek commented:
"""
Upstream version looks fine, but I wasn't able to verify it is fixed in 0.7.5-8 
in rhel.

@jcholast Is the package version for rhel correct?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/765#issuecomment-300397137

[Freeipa-devel] [freeipa PR#770][+ack] cert-show: writable files does not mean dirs

2017-05-10 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/770
Title: #770: cert-show: writable files does not mean dirs

Label: +ack

[Freeipa-devel] [freeipa PR#745][+pushed] tests: add missing dependency iptables

2017-05-10 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/745
Title: #745: tests: add missing dependency iptables

Label: +pushed

[Freeipa-devel] [freeipa PR#745][closed] tests: add missing dependency iptables

2017-05-10 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/745
Author: MartinBasti
 Title: #745: tests: add missing dependency iptables
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/745/head:pr745
git checkout pr745

[Freeipa-devel] [freeipa PR#745][comment] tests: add missing dependency iptables

2017-05-10 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/745
Title: #745: tests: add missing dependency iptables

tomaskrizek commented:
"""
master:

* 6c061b6836c13bf63553c6143b19e89658937e7e tests: add missing dependency 
iptables


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/745#issuecomment-300398099

[Freeipa-devel] [freeipa PR#745][+ack] tests: add missing dependency iptables

2017-05-10 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/745
Title: #745: tests: add missing dependency iptables

Label: +ack

[Freeipa-devel] [freeipa PR#765][comment] [4.5 backport] spec file: bump python-netaddr Requires

2017-05-10 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/765
Title: #765: [4.5 backport] spec file: bump python-netaddr Requires

tomaskrizek commented:
"""
Upstream version looks fine, but I wasn't able to verify it is fixed in 0.7.5-8 
in rhel.

@jcholast Is the package version for rhel correct?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/765#issuecomment-300397137

[Freeipa-devel] [freeipa PR#729][+pushed] Turn on NSSOCSP check in mod_nss conf

2017-05-10 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/729
Title: #729: Turn on NSSOCSP check in mod_nss conf

Label: +pushed

[Freeipa-devel] [freeipa PR#729][comment] Turn on NSSOCSP check in mod_nss conf

2017-05-10 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/729
Title: #729: Turn on NSSOCSP check in mod_nss conf

tomaskrizek commented:
"""
master:

* e0b32dac5462164869ab19c3d56c36e80cde4b7b Turn on NSSOCSP check in mod_nss conf


ipa-4-5:

* 4aa7e70fcd1851394f943da669d6af4e11b60940 Turn on NSSOCSP check in mod_nss conf


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/729#issuecomment-300395391

[Freeipa-devel] [freeipa PR#729][closed] Turn on NSSOCSP check in mod_nss conf

2017-05-10 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/729
Author: pvomacka
 Title: #729: Turn on NSSOCSP check in mod_nss conf
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/729/head:pr729
git checkout pr729

[Freeipa-devel] [freeipa PR#760][comment] [4.4] Run ipa-custodia under Python 2

2017-05-10 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/760
Title: #760: [4.4] Run ipa-custodia under Python 2

tomaskrizek commented:
"""
Needs re-base for 4.4 and 4.5.

correction: for 4.5 and master.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/760#issuecomment-300394053

[Freeipa-devel] [freeipa PR#760][comment] [4.4] Run ipa-custodia under Python 2

2017-05-10 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/760
Title: #760: [4.4] Run ipa-custodia under Python 2

tomaskrizek commented:
"""
Needs re-base for 4.4 and 4.5.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/760#issuecomment-300394053

[Freeipa-devel] [freeipa PR#760][closed] [4.4] Run ipa-custodia under Python 2

2017-05-10 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/760
Author: tiran
 Title: #760: [4.4] Run ipa-custodia under Python 2
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/760/head:pr760
git checkout pr760

[Freeipa-devel] [freeipa PR#760][+pushed] [4.4] Run ipa-custodia under Python 2

2017-05-10 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/760
Title: #760: [4.4] Run ipa-custodia under Python 2

Label: +pushed

[Freeipa-devel] [freeipa PR#760][comment] [4.4] Run ipa-custodia under Python 2

2017-05-10 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/760
Title: #760: [4.4] Run ipa-custodia under Python 2

tomaskrizek commented:
"""
ipa-4-4:

* 307c4bd62609c9ac58633e3ccc61d85e2caacbcc Run ipa-custodia under Python 2


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/760#issuecomment-300394311

[Freeipa-devel] [freeipa PR#760][comment] [4.4] Run ipa-custodia under Python 2

2017-05-10 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/760
Title: #760: [4.4] Run ipa-custodia under Python 2

tomaskrizek commented:
"""
Needs re-base for 4.4 and 4.5.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/760#issuecomment-300394053

[Freeipa-devel] [freeipa PR#762][closed] fix managed-entries printing IPA not installed

2017-05-10 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/762
Author: stlaz
 Title: #762: fix managed-entries printing IPA not installed
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/762/head:pr762
git checkout pr762

[Freeipa-devel] [freeipa PR#762][comment] fix managed-entries printing IPA not installed

2017-05-10 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/762
Title: #762: fix managed-entries printing IPA not installed

tomaskrizek commented:
"""
master:

* 6522c4a8378a22ffe82e8e845698ab104f611888 fix managed-entries printing IPA not 
installed


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/762#issuecomment-300393202

[Freeipa-devel] [freeipa PR#762][+pushed] fix managed-entries printing IPA not installed

2017-05-10 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/762
Title: #762: fix managed-entries printing IPA not installed

Label: +pushed

[Freeipa-devel] [freeipa PR#772][closed] Travis CI: explicitly update pip before running the builds

2017-05-10 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/772
Author: martbab
 Title: #772: Travis CI: explicitly update pip before running the builds
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/772/head:pr772
git checkout pr772

[Freeipa-devel] [freeipa PR#772][comment] Travis CI: explicitly update pip before running the builds

2017-05-10 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/772
Title: #772: Travis CI: explicitly update pip before running the builds

tomaskrizek commented:
"""
master:

* afe85c37981d2846c26010f22f652c60d9cd0941 Travis CI: explicitly update pip 
before running the builds


ipa-4-5:

* f2b58854bb8df46b7e0ac0a35bf473bc9d8ad607 Travis CI: explicitly update pip 
before running the builds


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/772#issuecomment-300392613

[Freeipa-devel] [freeipa PR#772][+pushed] Travis CI: explicitly update pip before running the builds

2017-05-10 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/772
Title: #772: Travis CI: explicitly update pip before running the builds

Label: +pushed

[Freeipa-devel] [freeipa PR#771][synchronized] cert-show: check if certificate_out is in options

2017-05-10 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/771
Author: stlaz
 Title: #771: cert-show: check if certificate_out is in options
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/771/head:pr771
git checkout pr771
From cc2eb10ab57403d9ac5bd7b2680491f129af89bc Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 9 May 2017 17:45:20 +0200
Subject: [PATCH] ca/cert-show: check certificate_out in options

If --certificate-out was specified on the command line, it will appear
among the options. If it was empty, it will be None.

This check was done properly in the ca plugin. Let's just unify how this
is handled and improve the user experience by announcing which option causes
the failure.

https://pagure.io/freeipa/issue/6885
---
 ipaclient/plugins/ca.py   |  8 ++--
 ipaclient/plugins/cert.py | 12 +---
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/ipaclient/plugins/ca.py b/ipaclient/plugins/ca.py
index fcdf484..fe9c55f 100644
--- a/ipaclient/plugins/ca.py
+++ b/ipaclient/plugins/ca.py
@@ -4,7 +4,7 @@
 
 import base64
 from ipaclient.frontend import MethodOverride
-from ipalib import util, x509, Str
+from ipalib import errors, util, x509, Str
 from ipalib.plugable import Registry
 from ipalib.text import _
 
@@ -26,7 +26,11 @@ def forward(self, *keys, **options):
 filename = None
 if 'certificate_out' in options:
 filename = options.pop('certificate_out')
-util.check_writable_file(filename)
+try:
+util.check_writable_file(filename)
+except errors.FileError as e:
+raise errors.ValidationError(name='certificate-out',
+ error=str(e))
 
 result = super(WithCertOutArgs, self).forward(*keys, **options)
 if filename:
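Review bot: The try/except that this hunk wraps around `util.check_writable_file()` is repeated verbatim in the `cert.py` hunk below, so the `certificate-out` validation message can drift between the two plugins; raising the `ValidationError` once, either inside `util.check_writable_file()` or in a small helper both overrides call, would keep them aligned. In the `cert.py` hunk the guard also changes from `if certificate_out is not None:` to `if 'certificate_out' in options:`, so a key that is present with a `None` value would now reach `check_writable_file(None)` where the old code skipped it; if the framework can pass the option that way (the description says an empty option becomes `None`), keeping the original `certificate_out = options.pop('certificate_out', None)` / `if certificate_out is not None:` pair and only wrapping the check in the try/except preserves the old behaviour. Both `forward` bodies continue outside their hunks.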
diff --git a/ipaclient/plugins/cert.py b/ipaclient/plugins/cert.py
index a4ee9a9..541b82a 100644
--- a/ipaclient/plugins/cert.py
+++ b/ipaclient/plugins/cert.py
@@ -49,9 +49,15 @@ class CertRetrieveOverride(MethodOverride):
 )
 
 def forward(self, *args, **options):
-certificate_out = options.pop('certificate_out', None)
-if certificate_out is not None:
-util.check_writable_file(certificate_out)
+if 'certificate_out' in options:
+certificate_out = options.pop('certificate_out')
+try:
+util.check_writable_file(certificate_out)
+except errors.FileError as e:
+raise errors.ValidationError(name='certificate-out',
+ error=str(e))
+else:
+certificate_out = None
 
 result = super(CertRetrieveOverride, self).forward(*args, **options)
 

[Freeipa-devel] [freeipa PR#732][synchronized] ipa-custodia: use Dogtag's alias/pwdfile.txt

2017-05-10 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/732
Author: tiran
 Title: #732: ipa-custodia: use Dogtag's alias/pwdfile.txt
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/732/head:pr732
git checkout pr732
From cef8775779bddf5dd645f004f7e7148e0ca4b593 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 25 Apr 2017 14:52:35 +0200
Subject: [PATCH] ipa-custodia: use Dogtag's alias/pwdfile.txt

/etc/pki/pki-tomcat/password.conf contains additional passwords like
replicadb. ipa-custodia does not need these passwords.
/etc/pki/pki-tomcat/alias/pwdfile.txt holds the passphrase for Tomcat's
NSSDB. The file also simplifies implementation because it removes
another temporary file.

pwdfile.txt is created by CAInstance.create_certstore_passwdfile()

Related: https://pagure.io/freeipa/issue/6888
Signed-off-by: Christian Heimes 
---
 ipaplatform/base/paths.py  |  1 +
 ipaserver/secrets/store.py | 34 +++---
 2 files changed, 8 insertions(+), 27 deletions(-)

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 2d37c71..6c64bd6 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -93,6 +93,7 @@ class BasePathNamespace(object):
 NSS_DB_DIR = "/etc/pki/nssdb"
 PKI_TOMCAT = "/etc/pki/pki-tomcat"
 PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias"
+PKI_TOMCAT_ALIAS_PWDFILE_TXT = "/etc/pki/pki-tomcat/alias/pwdfile.txt"
 PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf"
 ETC_REDHAT_RELEASE = "/etc/redhat-release"
 RESOLV_CONF = "/etc/resolv.conf"
diff --git a/ipaserver/secrets/store.py b/ipaserver/secrets/store.py
index 56cbfbc..43502c2 100644
--- a/ipaserver/secrets/store.py
+++ b/ipaserver/secrets/store.py
@@ -34,17 +34,6 @@ def log_error(error):
 print(error, file=sys.stderr)
 
 
-def PKI_TOMCAT_password_callback():
-password = None
-with open(paths.PKI_TOMCAT_PASSWORD_CONF) as f:
-for line in f.readlines():
-key, value = line.strip().split('=')
-if key == 'internal':
-password = value
-break
-return password
-
-
 class NSSWrappedCertDB(DBMAPHandler):
 '''
 Store that extracts private keys from an NSSDB, wrapped with the
@@ -62,20 +51,17 @@ def __init__(self, config, dbmap, nickname):
 raise ValueError(
 'Configuration does not provide nickname of wrapping key')
 self.nssdb_path = dbmap['path']
-self.nssdb_password = dbmap['pwcallback']()
+self.nssdb_pwdfile = dbmap['pwdfile']
 self.wrap_nick = dbmap['wrap_nick']
 self.target_nick = nickname
 
 def export_key(self):
 tdir = tempfile.mkdtemp(dir=paths.TMP)
 try:
-nsspwfile = os.path.join(tdir, 'nsspwfile')
-with open(nsspwfile, 'w+') as f:
-f.write(self.nssdb_password)
 wrapped_key_file = os.path.join(tdir, 'wrapped_key')
 certificate_file = os.path.join(tdir, 'certificate')
 ipautil.run([
-paths.PKI, '-d', self.nssdb_path, '-C', nsspwfile,
+paths.PKI, '-d', self.nssdb_path, '-C', self.nssdb_pwdfile,
 'ca-authority-key-export',
 '--wrap-nickname', self.wrap_nick,
 '--target-nickname', self.target_nick,
@@ -106,15 +92,12 @@ def __init__(self, config, dbmap, nickname):
 if 'pwcallback' not in dbmap:
 raise ValueError('Configuration does not provide Password Calback')
 self.nssdb_path = dbmap['path']
+self.nssdb_pwdfile = dbmap['pwdfile']
 self.nickname = nickname
-self.nssdb_password = dbmap['pwcallback']()
 
 def export_key(self):
 tdir = tempfile.mkdtemp(dir=paths.TMP)
 try:
-nsspwfile = os.path.join(tdir, 'nsspwfile')
-with open(nsspwfile, 'w+') as f:
-f.write(self.nssdb_password)
 pk12pwfile = os.path.join(tdir, 'pk12pwfile')
 password = ipautil.ipa_generate_password()
 with open(pk12pwfile, 'w+') as f:
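Review bot: The new `self.nssdb_pwdfile = dbmap['pwdfile']` reads a key that the guard just above never validates; the retained check still tests `'pwcallback' not in dbmap`, which this change makes obsolete, so a configuration missing `pwdfile` now fails with a bare `KeyError` instead of the intended `ValueError`. The guard should become `if 'pwdfile' not in dbmap: raise ValueError('Configuration does not provide NSSDB password file')`; the `NSSWrappedCertDB.__init__` hunk above reads the same key and its checks, which sit outside that hunk, should be revisited for the same reason. Because `pki` and `pk12util` now read the passphrase straight from the persistent file instead of a per-export temporary copy, the file's owner and mode must let the ipa-custodia service account read it, which is not visible here and is worth confirming against `create_certstore_passwdfile()`; the upside is that the NSSDB passphrase is no longer written into a fresh file under `paths.TMP` on every export, which is one fewer copy of the secret on disk.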
@@ -124,7 +107,7 @@ def export_key(self):
  "-d", self.nssdb_path,
  "-o", pk12file,
  "-n", self.nickname,
- "-k", nsspwfile,
+ "-k", self.nssdb_pwdfile,
  "-w", pk12pwfile])
 with open(pk12file, 'r') as f:
 data = f.read()
@@ -137,9 +120,6 @@ def import_key(self, value):
 v = json_decode(value)
 tdir = tempfile.mkdtemp(dir=paths.TMP)
 try:
-nsspwfile = os.path.join(tdir, 'nsspwfile')
-with open(nsspwfile, 'w+') as f:
-f.write(self.nssdb_password)
 pk12pwfile = os.path.join(tdir, 'pk12pwfile')
 with 

[Freeipa-devel] [freeipa PR#379][synchronized] Packaging: Add IPA commands package

2017-05-10 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/379
Author: tiran
 Title: #379: Packaging: Add IPA commands package
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/379/head:pr379
git checkout pr379
From 0544a3834cb23d0664300d1f577a1d30ccc59610 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Thu, 16 Feb 2017 15:27:49 +0100
Subject: [PATCH] Packaging: Add IPA commands package

The ipacommands package contains ipa-getkeytab and ipa-rmkeytab for
installation in a virtual env. The programs are compiled with distutils
/ setuptools.

https://fedorahosted.org/freeipa/ticket/6484

Signed-off-by: Christian Heimes 
---
 .gitignore   |   7 ++
 Makefile.am  |   2 +
 configure.ac |   1 +
 pypi/Makefile.am |   1 +
 pypi/ipacommands/MANIFEST.in |  25 ++
 pypi/ipacommands/Makefile.am |  79 ++
 pypi/ipacommands/setup.cfg   |   5 ++
 pypi/ipacommands/setup.py| 194 +++
 8 files changed, 314 insertions(+)
 create mode 100644 pypi/ipacommands/MANIFEST.in
 create mode 100644 pypi/ipacommands/Makefile.am
 create mode 100644 pypi/ipacommands/setup.cfg
 create mode 100644 pypi/ipacommands/setup.py

diff --git a/.gitignore b/.gitignore
index 8b57dbc..e18bcf0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -117,3 +117,10 @@ freeipa2-dev-doc
 /ipaplatform/paths.py
 /ipaplatform/services.py
 /ipaplatform/tasks.py
+
+/pypi/ipacommands/COPYING
+/pypi/ipacommands/Contributors.txt
+/pypi/ipacommands/asn1
+/pypi/ipacommands/client
+/pypi/ipacommands/ipasetup.py
+/pypi/ipacommands/util
diff --git a/Makefile.am b/Makefile.am
index cbe4f2d..b395033 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -285,6 +285,8 @@ bdist_wheel: $(WHEELDISTDIR)
 	for dir in $(IPA_WHEEL_PACKAGES) ipatests; do \
 	$(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \
 	done
+	rm -f $(WHEELDISTDIR)/ipacommands-*.tar.gz
+	$(MAKE) $(AM_MAKEFLAGS) -C pypi/ipacommands sdist || exit 1;
 
 wheel_bundle: $(WHEELBUNDLEDIR) bdist_wheel .wheelconstraints
 	rm -f $(foreach item,$(IPA_WHEEL_PACKAGES) ipatests,$(WHEELBUNDLEDIR)/$(item)-*.whl)
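Review bot: The added `$(MAKE) $(AM_MAKEFLAGS) -C pypi/ipacommands sdist || exit 1;` carries a `|| exit 1;` that only makes sense inside the `for` loop above it; on a stand-alone recipe line make already aborts on a non-zero status, so the line can be just `$(MAKE) $(AM_MAKEFLAGS) -C pypi/ipacommands sdist`. A target named `bdist_wheel` now also produces an sdist tarball for ipacommands, which surprises a reader; a one-line comment above the `rm -f` stating why ipacommands is shipped as an sdist rather than a wheel (presumably because it compiles C programs) would make the intent clear. The `bdist_wheel` rule starts outside the hunk.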
diff --git a/configure.ac b/configure.ac
index c43759c..24e9408 100644
--- a/configure.ac
+++ b/configure.ac
@@ -593,6 +593,7 @@ AC_CONFIG_FILES([
 pypi/Makefile
 pypi/freeipa/Makefile
 pypi/ipa/Makefile
+pypi/ipacommands/Makefile
 pypi/ipaplatform/Makefile
 pypi/ipaserver/Makefile
 pypi/ipatests/Makefile
diff --git a/pypi/Makefile.am b/pypi/Makefile.am
index 5d8be9c..be572c6 100644
--- a/pypi/Makefile.am
+++ b/pypi/Makefile.am
@@ -7,6 +7,7 @@ NULL =
 SUBDIRS =			\
 	freeipa			\
 	ipa\
+	ipacommands		\
 	ipaplatform		\
 	ipaserver		\
 	ipatests		\
diff --git a/pypi/ipacommands/MANIFEST.in b/pypi/ipacommands/MANIFEST.in
new file mode 100644
index 000..659a1f5
--- /dev/null
+++ b/pypi/ipacommands/MANIFEST.in
@@ -0,0 +1,25 @@
+include asn1/*.c
+include asn1/*.h
+include asn1/asn1c/*.c
+include asn1/asn1c/*.h
+include asn1/asn1c/ipa.asn1
+
+include client/config.c
+include client/config.h
+include client/ipa-client-common.c
+include client/ipa-client-common.h
+include client/ipa-getkeytab.c
+include client/ipa-join.c
+include client/ipa-rmkeytab.c
+
+include util/ipa_krb5.c
+include util/ipa_krb5.h
+
+prune client/asn1
+prune client/client
+prune client/util
+
+include Contributors.txt COPYING
+include config.h
+include ipasetup.py
+include setup.cfg
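Review bot: `include config.h` ships a build-host-generated header in the sdist, so the tarball carries the configuration of whoever ran `make sdist` rather than the installing system's; if `setup.py` cannot regenerate it, that constraint should be documented where the file is copied in the new `pypi/ipacommands/Makefile.am`, and otherwise the header belongs to the build step rather than the manifest. The manifest also includes `client/ipa-join.c` although the description says the package provides only ipa-getkeytab and ipa-rmkeytab; either drop the line or say in the commit message why it is needed as a build input. The intent of the three `prune client/...` lines is not evident from the manifest alone, and a one-line comment above them (`# client/ is a symlink into the source tree; keep its nested dirs out of the sdist`) would spare the next reader the hunt, assuming that is what they are for.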
diff --git a/pypi/ipacommands/Makefile.am b/pypi/ipacommands/Makefile.am
new file mode 100644
index 000..645ce7a
--- /dev/null
+++ b/pypi/ipacommands/Makefile.am
@@ -0,0 +1,79 @@
+# This file will be processed with automake-1.7 to create Makefile.in
+#
+AUTOMAKE_OPTIONS = 1.7
+
+NULL =
+
+pkgname = $(shell basename "$(abs_srcdir)")
+
+# hack to handle back-in-the-hierarchy depedency on ipasetup.py
+.PHONY: $(top_builddir)/ipasetup.py
+$(top_builddir)/ipasetup.py:
+	(cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) ipasetup.py)
+
+DEPENDENCIES = \
+	asn1\
+	client\
+	util\
+	COPYING\
+	Contributors.txt		\
+	config.h			\
+	ipasetup.py			\
+	$(NULL)
+
+# Python setup.py can handle symlinks to directories fine
+asn1: $(top_srcdir)/asn1
+	if [ ! -e "$@" ]; then ln -rs "$<"; fi
+
+client: $(top_srcdir)/client
+	if [ ! -e "$@" ]; then ln -rs "$<"; fi
+
+util: $(top_srcdir)/util
+	if [ ! -e "$@" ]; then ln -rs "$<"; fi
+
+# On the other hand files must be copied to create proper sdist
+COPYING: $(top_srcdir)/COPYING
+	cp -p "$<" "$@"
+
+Contributors.txt: $(top_srcdir)/Contributors.txt
+	cp -p "$<" "$@"
+
+ipasetup.py: $(top_builddir)/ipasetup.py
+	cp -p "$<" "$@"
+
+config.h: $(top_builddir)/config.h
+	cp -p "$<" "$@"
+
+
+all-local: $(DEPENDENCIES)
+
+
+check-local: $(DEPENDENCIES)
+	cd $(srcdir); $(PYTHON) setup.py \
+		$(VERBOSITY) \
+		build \
+		--build-base "$(abs_builddir)/build"
+
+clean-local: