[Freeipa-devel] [freeipa PR#732][synchronized] ipa-custodia: use Dogtag's alias/pwdfile.txt

2017-05-10 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/732
Author: tiran
 Title: #732: ipa-custodia: use Dogtag's alias/pwdfile.txt
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/732/head:pr732
git checkout pr732
From cef8775779bddf5dd645f004f7e7148e0ca4b593 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Tue, 25 Apr 2017 14:52:35 +0200
Subject: [PATCH] ipa-custodia: use Dogtag's alias/pwdfile.txt

/etc/pki/pki-tomcat/password.conf contains additional passwords like
replicadb. ipa-custodia does not need these passwords.
/etc/pki/pki-tomcat/alias/pwdfile.txt holds the passphrase for Tomcat's
NSSDB. The file also simplifies implementation because it removes
another temporary file.

pwdfile.txt is created by CAInstance.create_certstore_passwdfile()

Related: https://pagure.io/freeipa/issue/6888
Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipaplatform/base/paths.py  |  1 +
 ipaserver/secrets/store.py | 34 +++---
 2 files changed, 8 insertions(+), 27 deletions(-)

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 2d37c71..6c64bd6 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -93,6 +93,7 @@ class BasePathNamespace(object):
 NSS_DB_DIR = "/etc/pki/nssdb"
 PKI_TOMCAT = "/etc/pki/pki-tomcat"
 PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias"
+PKI_TOMCAT_ALIAS_PWDFILE_TXT = "/etc/pki/pki-tomcat/alias/pwdfile.txt"
 PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf"
 ETC_REDHAT_RELEASE = "/etc/redhat-release"
 RESOLV_CONF = "/etc/resolv.conf"
diff --git a/ipaserver/secrets/store.py b/ipaserver/secrets/store.py
index 56cbfbc..43502c2 100644
--- a/ipaserver/secrets/store.py
+++ b/ipaserver/secrets/store.py
@@ -34,17 +34,6 @@ def log_error(error):
 print(error, file=sys.stderr)
 
 
-def PKI_TOMCAT_password_callback():
-password = None
-with open(paths.PKI_TOMCAT_PASSWORD_CONF) as f:
-for line in f.readlines():
-key, value = line.strip().split('=')
-if key == 'internal':
-password = value
-break
-return password
-
-
 class NSSWrappedCertDB(DBMAPHandler):
 '''
 Store that extracts private keys from an NSSDB, wrapped with the
@@ -62,20 +51,17 @@ def __init__(self, config, dbmap, nickname):
 raise ValueError(
 'Configuration does not provide nickname of wrapping key')
 self.nssdb_path = dbmap['path']
-self.nssdb_password = dbmap['pwcallback']()
+self.nssdb_pwdfile = dbmap['pwdfile']
 self.wrap_nick = dbmap['wrap_nick']
 self.target_nick = nickname
 
 def export_key(self):
 tdir = tempfile.mkdtemp(dir=paths.TMP)
 try:
-nsspwfile = os.path.join(tdir, 'nsspwfile')
-with open(nsspwfile, 'w+') as f:
-f.write(self.nssdb_password)
 wrapped_key_file = os.path.join(tdir, 'wrapped_key')
 certificate_file = os.path.join(tdir, 'certificate')
 ipautil.run([
-paths.PKI, '-d', self.nssdb_path, '-C', nsspwfile,
+paths.PKI, '-d', self.nssdb_path, '-C', self.nssdb_pwdfile,
 'ca-authority-key-export',
 '--wrap-nickname', self.wrap_nick,
 '--target-nickname', self.target_nick,
@@ -106,15 +92,12 @@ def __init__(self, config, dbmap, nickname):
 if 'pwcallback' not in dbmap:
 raise ValueError('Configuration does not provide Password Calback')
 self.nssdb_path = dbmap['path']
+self.nssdb_pwdfile = dbmap['pwdfile']
 self.nickname = nickname
-self.nssdb_password = dbmap['pwcallback']()
 
 def export_key(self):
 tdir = tempfile.mkdtemp(dir=paths.TMP)
 try:
-nsspwfile = os.path.join(tdir, 'nsspwfile')
-with open(nsspwfile, 'w+') as f:
-f.write(self.nssdb_password)
 pk12pwfile = os.path.join(tdir, 'pk12pwfile')
 password = ipautil.ipa_generate_password()
 with open(pk12pwfile, 'w+') as f:
@@ -124,7 +107,7 @@ def export_key(self):
  "-d", self.nssdb_path,
  "-o", pk12file,
  "-n", self.nickname,
- "-k", nsspwfile,
+ "-k", self.nssdb_pwdfile,
  "-w", pk12pwfile])
 with open(pk12file, 'r') as f:
 data = f.read()
@@ -137,9 +120,6 @@ def import_key(self, value):
 v = json_decode(value)
 tdir = tempfile.mkdtemp(dir=paths.TMP)
 try:
-nsspwfile = os.path.join(tdir, 'nsspwfile')
-

[Freeipa-devel] [freeipa PR#379][synchronized] Packaging: Add IPA commands package

2017-05-10 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/379
Author: tiran
 Title: #379: Packaging: Add IPA commands package
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/379/head:pr379
git checkout pr379
From 0544a3834cb23d0664300d1f577a1d30ccc59610 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Thu, 16 Feb 2017 15:27:49 +0100
Subject: [PATCH] Packaging: Add IPA commands package

The ipacommands package contains ipa-getkeytab and ipa-rmkeytab for
installation in a virtual env. The programs are compiled with distutils
/ setuptools.

https://fedorahosted.org/freeipa/ticket/6484

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 .gitignore   |   7 ++
 Makefile.am  |   2 +
 configure.ac |   1 +
 pypi/Makefile.am |   1 +
 pypi/ipacommands/MANIFEST.in |  25 ++
 pypi/ipacommands/Makefile.am |  79 ++
 pypi/ipacommands/setup.cfg   |   5 ++
 pypi/ipacommands/setup.py| 194 +++
 8 files changed, 314 insertions(+)
 create mode 100644 pypi/ipacommands/MANIFEST.in
 create mode 100644 pypi/ipacommands/Makefile.am
 create mode 100644 pypi/ipacommands/setup.cfg
 create mode 100644 pypi/ipacommands/setup.py

diff --git a/.gitignore b/.gitignore
index 8b57dbc..e18bcf0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -117,3 +117,10 @@ freeipa2-dev-doc
 /ipaplatform/paths.py
 /ipaplatform/services.py
 /ipaplatform/tasks.py
+
+/pypi/ipacommands/COPYING
+/pypi/ipacommands/Contributors.txt
+/pypi/ipacommands/asn1
+/pypi/ipacommands/client
+/pypi/ipacommands/ipasetup.py
+/pypi/ipacommands/util
diff --git a/Makefile.am b/Makefile.am
index cbe4f2d..b395033 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -285,6 +285,8 @@ bdist_wheel: $(WHEELDISTDIR)
 	for dir in $(IPA_WHEEL_PACKAGES) ipatests; do \
 	$(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \
 	done
+	rm -f $(WHEELDISTDIR)/ipacommands-*.tar.gz
+	$(MAKE) $(AM_MAKEFLAGS) -C pypi/ipacommands sdist || exit 1;
 
 wheel_bundle: $(WHEELBUNDLEDIR) bdist_wheel .wheelconstraints
 	rm -f $(foreach item,$(IPA_WHEEL_PACKAGES) ipatests,$(WHEELBUNDLEDIR)/$(item)-*.whl)
diff --git a/configure.ac b/configure.ac
index c43759c..24e9408 100644
--- a/configure.ac
+++ b/configure.ac
@@ -593,6 +593,7 @@ AC_CONFIG_FILES([
 pypi/Makefile
 pypi/freeipa/Makefile
 pypi/ipa/Makefile
+pypi/ipacommands/Makefile
 pypi/ipaplatform/Makefile
 pypi/ipaserver/Makefile
 pypi/ipatests/Makefile
diff --git a/pypi/Makefile.am b/pypi/Makefile.am
index 5d8be9c..be572c6 100644
--- a/pypi/Makefile.am
+++ b/pypi/Makefile.am
@@ -7,6 +7,7 @@ NULL =
 SUBDIRS =			\
 	freeipa			\
 	ipa\
+	ipacommands		\
 	ipaplatform		\
 	ipaserver		\
 	ipatests		\
diff --git a/pypi/ipacommands/MANIFEST.in b/pypi/ipacommands/MANIFEST.in
new file mode 100644
index 000..659a1f5
--- /dev/null
+++ b/pypi/ipacommands/MANIFEST.in
@@ -0,0 +1,25 @@
+include asn1/*.c
+include asn1/*.h
+include asn1/asn1c/*.c
+include asn1/asn1c/*.h
+include asn1/asn1c/ipa.asn1
+
+include client/config.c
+include client/config.h
+include client/ipa-client-common.c
+include client/ipa-client-common.h
+include client/ipa-getkeytab.c
+include client/ipa-join.c
+include client/ipa-rmkeytab.c
+
+include util/ipa_krb5.c
+include util/ipa_krb5.h
+
+prune client/asn1
+prune client/client
+prune client/util
+
+include Contributors.txt COPYING
+include config.h
+include ipasetup.py
+include setup.cfg
diff --git a/pypi/ipacommands/Makefile.am b/pypi/ipacommands/Makefile.am
new file mode 100644
index 000..645ce7a
--- /dev/null
+++ b/pypi/ipacommands/Makefile.am
@@ -0,0 +1,79 @@
+# This file will be processed with automake-1.7 to create Makefile.in
+#
+AUTOMAKE_OPTIONS = 1.7
+
+NULL =
+
+pkgname = $(shell basename "$(abs_srcdir)")
+
+# hack to handle back-in-the-hierarchy depedency on ipasetup.py
+.PHONY: $(top_builddir)/ipasetup.py
+$(top_builddir)/ipasetup.py:
+	(cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) ipasetup.py)
+
+DEPENDENCIES = \
+	asn1\
+	client\
+	util\
+	COPYING\
+	Contributors.txt		\
+	config.h			\
+	ipasetup.py			\
+	$(NULL)
+
+# Python setup.py can handle symlinks to directories fine
+asn1: $(top_srcdir)/asn1
+	if [ ! -e "$@" ]; then ln -rs "$<"; fi
+
+client: $(top_srcdir)/client
+	if [ ! -e "$@" ]; then ln -rs "$<"; fi
+
+util: $(top_srcdir)/util
+	if [ ! -e "$@" ]; then ln -rs "$<"; fi
+
+# On the other hand files must be copied to create proper sdist
+COPYING: $(top_srcdir)/COPYING
+	cp -p "$<" "$@"
+
+Contributors.txt: $(top_srcdir)/Contributors.txt
+	cp -p "$<" "$@"
+
+ipasetup.py: $(top_builddir)/ipasetup.py
+	cp -p "$<" "$@"
+
+config.h: $(top_builddir)/config.h
+	cp -p "$<" "$@&q

[Freeipa-devel] [freeipa PR#772][comment] Travis CI: explicitly update pip before running the builds

2017-05-09 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/772
Title: #772: Travis CI: explicitly update pip before running the builds

tiran commented:
"""
Needs to be merged into 4.5.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/772#issuecomment-300255483
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#772][+blocker] Travis CI: explicitly update pip before running the builds

2017-05-09 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/772
Title: #772: Travis CI: explicitly update pip before running the builds

Label: +blocker
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#772][+ack] Travis CI: explicitly update pip before running the builds

2017-05-09 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/772
Title: #772: Travis CI: explicitly update pip before running the builds

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#760][comment] [4.4] Run ipa-custodia under Python 2

2017-05-09 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/760
Title: #760: [4.4] Run ipa-custodia under Python 2

tiran commented:
"""
@tomaskrizek yes, custodia 0.5 will no longer have the restriction.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/760#issuecomment-300173956
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#760][comment] [4.4] Run ipa-custodia under Python 2

2017-05-09 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/760
Title: #760: [4.4] Run ipa-custodia under Python 2

tiran commented:
"""
The patch doesn't work with custodia 0.1. It needs at least 0.2.0-1.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/760#issuecomment-300143282
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#760][synchronized] [4.4] Run ipa-custodia under Python 2

2017-05-09 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/760
Author: tiran
 Title: #760: [4.4] Run ipa-custodia under Python 2
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/760/head:pr760
git checkout pr760
From c804d46f1faa265a6951e782213f63ae2e051ede Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Wed, 3 May 2017 16:38:21 +0200
Subject: [PATCH] Run ipa-custodia under Python 2

Closes: https://pagure.io/freeipa/issue/6926
Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 freeipa.spec.in   | 10 ++
 init/systemd/ipa-custodia.service |  3 +--
 install/tools/Makefile.am |  1 +
 install/tools/ipa-custodia|  6 ++
 4 files changed, 14 insertions(+), 6 deletions(-)
 create mode 100755 install/tools/ipa-custodia

diff --git a/freeipa.spec.in b/freeipa.spec.in
index e0f1df2..21f2416 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -112,7 +112,8 @@ BuildRequires:  python-pytest-sourceorder
 BuildRequires:  python-kdcproxy >= 0.3
 BuildRequires:  python-six
 BuildRequires:  python-jwcrypto
-BuildRequires:  custodia
+# install/tools/ipa-custodia needs custodia 0.2+
+BuildRequires:  custodia >= 0.2
 BuildRequires:  libini_config-devel >= 1.2.0
 BuildRequires:  dbus-python
 BuildRequires:  python-netifaces >= 0.10.4
@@ -246,7 +247,7 @@ BuildArch: noarch
 Requires: %{name}-client-common = %{version}-%{release}
 Requires: httpd >= 2.4.6-31
 Requires: systemd-units >= 38
-Requires: custodia
+Requires: custodia >= 0.2
 
 Provides: %{alt_name}-server-common = %{version}
 Conflicts: %{alt_name}-server-common
@@ -498,7 +499,7 @@ Requires: python-jwcrypto
 Requires: python-cffi
 Requires: python-ldap >= 2.4.15
 Requires: python-requests
-Requires: python-custodia
+Requires: python-custodia >= 0.2
 Requires: python-dns >= 1.13
 Requires: python-netifaces >= 0.10.4
 Requires: pyusb
@@ -546,7 +547,7 @@ Requires: python3-six
 Requires: python3-jwcrypto
 Requires: python3-cffi
 Requires: python3-pyldap >= 2.4.15
-Requires: python3-custodia
+Requires: python3-custodia >= 0.2
 Requires: python3-requests
 Requires: python3-dns >= 1.11.1
 Requires: python3-netifaces >= 0.10.4
@@ -1069,6 +1070,7 @@ fi
 %{_libexecdir}/certmonger/ipa-server-guard
 %{_libexecdir}/ipa-otpd
 %dir %{_libexecdir}/ipa
+%{_libexecdir}/ipa/ipa-custodia
 %{_libexecdir}/ipa/ipa-dnskeysyncd
 %{_libexecdir}/ipa/ipa-dnskeysync-replica
 %{_libexecdir}/ipa/ipa-ods-exporter
diff --git a/init/systemd/ipa-custodia.service b/init/systemd/ipa-custodia.service
index ff930fb..63246c4 100644
--- a/init/systemd/ipa-custodia.service
+++ b/init/systemd/ipa-custodia.service
@@ -3,8 +3,7 @@ Description=IPA Custodia Service
 
 [Service]
 Type=simple
-
-ExecStart=/usr/sbin/custodia /etc/ipa/custodia/custodia.conf
+ExecStart=/usr/libexec/ipa/ipa-custodia /etc/ipa/custodia/custodia.conf
 PrivateTmp=yes
 Restart=on-failure
 RestartSec=60s
diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am
index 2866a30..66ee9e3 100644
--- a/install/tools/Makefile.am
+++ b/install/tools/Makefile.am
@@ -38,6 +38,7 @@ EXTRA_DIST =			\
 
 appdir = $(libexecdir)/ipa/
 app_SCRIPTS =			\
+	ipa-custodia		\
 	ipa-httpd-kdcproxy	\
 	ipa-pki-retrieve-key	\
 	$(NULL)
diff --git a/install/tools/ipa-custodia b/install/tools/ipa-custodia
new file mode 100755
index 000..2086a9c
--- /dev/null
+++ b/install/tools/ipa-custodia
@@ -0,0 +1,6 @@
+#!/usr/bin/python2
+# Copyright (C) 2017  IPA Project Contributors, see COPYING for license
+from custodia.server import main
+
+if __name__ == '__main__':
+main()
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#760][synchronized] [4.4] Run ipa-custodia under Python 2

2017-05-09 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/760
Author: tiran
 Title: #760: [4.4] Run ipa-custodia under Python 2
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/760/head:pr760
git checkout pr760
From d30ea463bc0671af542e7d86ec9d753209b7dfa6 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Wed, 3 May 2017 16:38:21 +0200
Subject: [PATCH] Run ipa-custodia under Python 2

Closes: https://pagure.io/freeipa/issue/6926
Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 freeipa.spec.in   | 9 +
 init/systemd/ipa-custodia.service | 3 +--
 install/tools/Makefile.am | 1 +
 install/tools/ipa-custodia| 6 ++
 4 files changed, 13 insertions(+), 6 deletions(-)
 create mode 100755 install/tools/ipa-custodia

diff --git a/freeipa.spec.in b/freeipa.spec.in
index e0f1df2..0b0761b 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -112,7 +112,7 @@ BuildRequires:  python-pytest-sourceorder
 BuildRequires:  python-kdcproxy >= 0.3
 BuildRequires:  python-six
 BuildRequires:  python-jwcrypto
-BuildRequires:  custodia
+BuildRequires:  custodia > 0.2
 BuildRequires:  libini_config-devel >= 1.2.0
 BuildRequires:  dbus-python
 BuildRequires:  python-netifaces >= 0.10.4
@@ -246,7 +246,7 @@ BuildArch: noarch
 Requires: %{name}-client-common = %{version}-%{release}
 Requires: httpd >= 2.4.6-31
 Requires: systemd-units >= 38
-Requires: custodia
+Requires: custodia > 0.2
 
 Provides: %{alt_name}-server-common = %{version}
 Conflicts: %{alt_name}-server-common
@@ -498,7 +498,7 @@ Requires: python-jwcrypto
 Requires: python-cffi
 Requires: python-ldap >= 2.4.15
 Requires: python-requests
-Requires: python-custodia
+Requires: python-custodia > 0.2
 Requires: python-dns >= 1.13
 Requires: python-netifaces >= 0.10.4
 Requires: pyusb
@@ -546,7 +546,7 @@ Requires: python3-six
 Requires: python3-jwcrypto
 Requires: python3-cffi
 Requires: python3-pyldap >= 2.4.15
-Requires: python3-custodia
+Requires: python3-custodia > 0.2
 Requires: python3-requests
 Requires: python3-dns >= 1.11.1
 Requires: python3-netifaces >= 0.10.4
@@ -1069,6 +1069,7 @@ fi
 %{_libexecdir}/certmonger/ipa-server-guard
 %{_libexecdir}/ipa-otpd
 %dir %{_libexecdir}/ipa
+%{_libexecdir}/ipa/ipa-custodia
 %{_libexecdir}/ipa/ipa-dnskeysyncd
 %{_libexecdir}/ipa/ipa-dnskeysync-replica
 %{_libexecdir}/ipa/ipa-ods-exporter
diff --git a/init/systemd/ipa-custodia.service b/init/systemd/ipa-custodia.service
index ff930fb..63246c4 100644
--- a/init/systemd/ipa-custodia.service
+++ b/init/systemd/ipa-custodia.service
@@ -3,8 +3,7 @@ Description=IPA Custodia Service
 
 [Service]
 Type=simple
-
-ExecStart=/usr/sbin/custodia /etc/ipa/custodia/custodia.conf
+ExecStart=/usr/libexec/ipa/ipa-custodia /etc/ipa/custodia/custodia.conf
 PrivateTmp=yes
 Restart=on-failure
 RestartSec=60s
diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am
index 2866a30..66ee9e3 100644
--- a/install/tools/Makefile.am
+++ b/install/tools/Makefile.am
@@ -38,6 +38,7 @@ EXTRA_DIST =			\
 
 appdir = $(libexecdir)/ipa/
 app_SCRIPTS =			\
+	ipa-custodia		\
 	ipa-httpd-kdcproxy	\
 	ipa-pki-retrieve-key	\
 	$(NULL)
diff --git a/install/tools/ipa-custodia b/install/tools/ipa-custodia
new file mode 100755
index 000..2086a9c
--- /dev/null
+++ b/install/tools/ipa-custodia
@@ -0,0 +1,6 @@
+#!/usr/bin/python2
+# Copyright (C) 2017  IPA Project Contributors, see COPYING for license
+from custodia.server import main
+
+if __name__ == '__main__':
+main()
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#671][synchronized] Slim down dependencies

2017-05-04 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/671
Author: tiran
 Title: #671: Slim down dependencies
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/671/head:pr671
git checkout pr671
From de75aafdb0de58e57d452b1bc6b69d60d56dfd50 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Wed, 29 Mar 2017 11:20:21 +0200
Subject: [PATCH] Slim down dependencies

* Make jinja2 an optional dependency and csrgen an optional plugin
* Make otptoken_yubikey an optional plugin

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipaclient/plugins/csrgen.py   | 10 --
 ipaclient/plugins/otptoken_yubikey.py | 11 ---
 ipaclient/setup.py|  3 +--
 tox.ini   |  4 ++--
 4 files changed, 19 insertions(+), 9 deletions(-)

diff --git a/ipaclient/plugins/csrgen.py b/ipaclient/plugins/csrgen.py
index 568a79f..d18a90c 100644
--- a/ipaclient/plugins/csrgen.py
+++ b/ipaclient/plugins/csrgen.py
@@ -6,8 +6,6 @@
 
 import six
 
-from ipaclient import csrgen
-from ipaclient import csrgen_ffi
 from ipalib import api
 from ipalib import errors
 from ipalib import output
@@ -18,6 +16,14 @@
 from ipalib.text import _
 from ipapython import dogtag
 
+try:
+import jinja2  # pylint: disable=unused-import
+except ImportError:
+raise errors.SkipPluginModule(reason=_("jinja2 is not installed."))
+else:
+from ipaclient import csrgen
+from ipaclient import csrgen_ffi
+
 if six.PY3:
 unicode = str
 
diff --git a/ipaclient/plugins/otptoken_yubikey.py b/ipaclient/plugins/otptoken_yubikey.py
index 759b722..9993ec8 100644
--- a/ipaclient/plugins/otptoken_yubikey.py
+++ b/ipaclient/plugins/otptoken_yubikey.py
@@ -20,15 +20,20 @@
 import os
 
 import six
-import usb.core
-import yubico
 
 from ipalib import _, api, IntEnum
-from ipalib.errors import NotFound
+from ipalib.errors import NotFound, SkipPluginModule
 from ipalib.frontend import Command, Method, Object
 from ipalib.plugable import Registry
 from ipalib.util import classproperty
 
+try:
+import usb.core
+import yubico
+except ImportError:
+# python-yubico depends on pyusb
+raise SkipPluginModule(reason=_("python-yubico is not installed."))
+
 if six.PY3:
 unicode = str
 
diff --git a/ipaclient/setup.py b/ipaclient/setup.py
index 0140fd5..ac947e7 100644
--- a/ipaclient/setup.py
+++ b/ipaclient/setup.py
@@ -50,11 +50,9 @@
 ],
 },
 install_requires=[
-"cffi",
 "cryptography",
 "ipalib",
 "ipapython",
-"jinja2",
 "qrcode",
 "six",
 ],
@@ -66,6 +64,7 @@
 extras_require={
 "install": ["ipaplatform"],
 "otptoken_yubikey": ["python-yubico", "pyusb"],
+"csrgen": ["cffi", "jinja2"],
 },
 zip_safe=False,
 )
diff --git a/tox.ini b/tox.ini
index ccface9..931b125 100644
--- a/tox.ini
+++ b/tox.ini
@@ -13,7 +13,7 @@ changedir={envdir}
 setenv=
 HOME={envtmpdir}
 deps=
-ipaclient
+ipaclient[csrgen]
 ipatests
 commands=
 {envbindir}/ipa --help
@@ -22,7 +22,7 @@ commands=
 [testenv:pylint2]
 basepython=python2.7
 deps=
-ipaclient[otptoken_yubikey]
+ipaclient[csrgen,otptoken_yubikey]
 pylint
 commands=
 {envpython} -m pylint \
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#760][opened] Run ipa-custodia under Python 2

2017-05-03 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/760
Author: tiran
 Title: #760: Run ipa-custodia under Python 2
Action: opened

PR body:
"""
Closes: https://pagure.io/freeipa/issue/6926
Signed-off-by: Christian Heimes <chei...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/760/head:pr760
git checkout pr760
From ad4a281c3543d69f9b27f0b7450efcb639286e97 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Wed, 3 May 2017 16:38:21 +0200
Subject: [PATCH] Run ipa-custodia under Python 2

Closes: https://pagure.io/freeipa/issue/6926
Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 freeipa.spec.in   | 9 +
 init/systemd/ipa-custodia.service | 3 +--
 install/tools/Makefile.am | 1 +
 install/tools/ipa-custodia| 6 ++
 4 files changed, 13 insertions(+), 6 deletions(-)
 create mode 100755 install/tools/ipa-custodia

diff --git a/freeipa.spec.in b/freeipa.spec.in
index e0f1df2..0b0761b 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -112,7 +112,7 @@ BuildRequires:  python-pytest-sourceorder
 BuildRequires:  python-kdcproxy >= 0.3
 BuildRequires:  python-six
 BuildRequires:  python-jwcrypto
-BuildRequires:  custodia
+BuildRequires:  custodia > 0.2
 BuildRequires:  libini_config-devel >= 1.2.0
 BuildRequires:  dbus-python
 BuildRequires:  python-netifaces >= 0.10.4
@@ -246,7 +246,7 @@ BuildArch: noarch
 Requires: %{name}-client-common = %{version}-%{release}
 Requires: httpd >= 2.4.6-31
 Requires: systemd-units >= 38
-Requires: custodia
+Requires: custodia > 0.2
 
 Provides: %{alt_name}-server-common = %{version}
 Conflicts: %{alt_name}-server-common
@@ -498,7 +498,7 @@ Requires: python-jwcrypto
 Requires: python-cffi
 Requires: python-ldap >= 2.4.15
 Requires: python-requests
-Requires: python-custodia
+Requires: python-custodia > 0.2
 Requires: python-dns >= 1.13
 Requires: python-netifaces >= 0.10.4
 Requires: pyusb
@@ -546,7 +546,7 @@ Requires: python3-six
 Requires: python3-jwcrypto
 Requires: python3-cffi
 Requires: python3-pyldap >= 2.4.15
-Requires: python3-custodia
+Requires: python3-custodia > 0.2
 Requires: python3-requests
 Requires: python3-dns >= 1.11.1
 Requires: python3-netifaces >= 0.10.4
@@ -1069,6 +1069,7 @@ fi
 %{_libexecdir}/certmonger/ipa-server-guard
 %{_libexecdir}/ipa-otpd
 %dir %{_libexecdir}/ipa
+%{_libexecdir}/ipa/ipa-custodia
 %{_libexecdir}/ipa/ipa-dnskeysyncd
 %{_libexecdir}/ipa/ipa-dnskeysync-replica
 %{_libexecdir}/ipa/ipa-ods-exporter
diff --git a/init/systemd/ipa-custodia.service b/init/systemd/ipa-custodia.service
index ff930fb..142c91f 100644
--- a/init/systemd/ipa-custodia.service
+++ b/init/systemd/ipa-custodia.service
@@ -3,8 +3,7 @@ Description=IPA Custodia Service
 
 [Service]
 Type=simple
-
-ExecStart=/usr/sbin/custodia /etc/ipa/custodia/custodia.conf
+ExecStart=@libexecdir@/ipa/ipa-custodia /etc/ipa/custodia/custodia.conf
 PrivateTmp=yes
 Restart=on-failure
 RestartSec=60s
diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am
index 2866a30..66ee9e3 100644
--- a/install/tools/Makefile.am
+++ b/install/tools/Makefile.am
@@ -38,6 +38,7 @@ EXTRA_DIST =			\
 
 appdir = $(libexecdir)/ipa/
 app_SCRIPTS =			\
+	ipa-custodia		\
 	ipa-httpd-kdcproxy	\
 	ipa-pki-retrieve-key	\
 	$(NULL)
diff --git a/install/tools/ipa-custodia b/install/tools/ipa-custodia
new file mode 100755
index 000..2086a9c
--- /dev/null
+++ b/install/tools/ipa-custodia
@@ -0,0 +1,6 @@
+#!/usr/bin/python2
+# Copyright (C) 2017  IPA Project Contributors, see COPYING for license
+from custodia.server import main
+
+if __name__ == '__main__':
+main()
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#737][comment] Vault: Explicitly default to 3DES CBC

2017-04-27 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/737
Title: #737: Vault: Explicitly default to 3DES CBC

tiran commented:
"""
I talked to Matt. Dogtag 10.4 will not be pushed to F25 and F26, only 
rawhide/F27. Additionally, Ade will also address the bug in Dogtag. The next 
10.4 release will have a fix, too.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/737#issuecomment-297749374
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#671][synchronized] Slim down dependencies

2017-04-27 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/671
Author: tiran
 Title: #671: Slim down dependencies
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/671/head:pr671
git checkout pr671
From 8459a73325b175d5a25bafc406a71e39e946da65 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Wed, 29 Mar 2017 11:20:21 +0200
Subject: [PATCH] Slim down dependencies

* Make jinja2 an optional dependency and csrgen an optional plugin
* Make otptoken_yubikey an optional plugin

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipaclient/plugins/csrgen.py   | 10 --
 ipaclient/plugins/otptoken_yubikey.py | 11 ---
 ipaclient/setup.py|  3 +--
 3 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/ipaclient/plugins/csrgen.py b/ipaclient/plugins/csrgen.py
index 568a79f..d18a90c 100644
--- a/ipaclient/plugins/csrgen.py
+++ b/ipaclient/plugins/csrgen.py
@@ -6,8 +6,6 @@
 
 import six
 
-from ipaclient import csrgen
-from ipaclient import csrgen_ffi
 from ipalib import api
 from ipalib import errors
 from ipalib import output
@@ -18,6 +16,14 @@
 from ipalib.text import _
 from ipapython import dogtag
 
+try:
+import jinja2  # pylint: disable=unused-import
+except ImportError:
+raise errors.SkipPluginModule(reason=_("jinja2 is not installed."))
+else:
+from ipaclient import csrgen
+from ipaclient import csrgen_ffi
+
 if six.PY3:
 unicode = str
 
diff --git a/ipaclient/plugins/otptoken_yubikey.py b/ipaclient/plugins/otptoken_yubikey.py
index 759b722..9993ec8 100644
--- a/ipaclient/plugins/otptoken_yubikey.py
+++ b/ipaclient/plugins/otptoken_yubikey.py
@@ -20,15 +20,20 @@
 import os
 
 import six
-import usb.core
-import yubico
 
 from ipalib import _, api, IntEnum
-from ipalib.errors import NotFound
+from ipalib.errors import NotFound, SkipPluginModule
 from ipalib.frontend import Command, Method, Object
 from ipalib.plugable import Registry
 from ipalib.util import classproperty
 
+try:
+import usb.core
+import yubico
+except ImportError:
+# python-yubico depends on pyusb
+raise SkipPluginModule(reason=_("python-yubico is not installed."))
+
 if six.PY3:
 unicode = str
 
diff --git a/ipaclient/setup.py b/ipaclient/setup.py
index 0140fd5..ac947e7 100644
--- a/ipaclient/setup.py
+++ b/ipaclient/setup.py
@@ -50,11 +50,9 @@
 ],
 },
 install_requires=[
-"cffi",
 "cryptography",
 "ipalib",
 "ipapython",
-"jinja2",
 "qrcode",
 "six",
 ],
@@ -66,6 +64,7 @@
 extras_require={
 "install": ["ipaplatform"],
 "otptoken_yubikey": ["python-yubico", "pyusb"],
+"csrgen": ["cffi", "jinja2"],
 },
 zip_safe=False,
 )
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#671][edited] Slim down dependencies

2017-04-27 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/671
Author: tiran
 Title: #671: Slim down dependencies
Action: edited

 Changed field: body
Original value:
"""
* Remove unused install requires
* Correct dependencies for yubico otptoken
* Properly report optional dependency for yubico otptoken
* Make jinja2 an optional dependency and csrgen an optional plugin
* Add explicit dependency on cffi for csrgen
* Python 2 uses python-ldap, Python 3 pyldap

Signed-off-by: Christian Heimes <chei...@redhat.com>
"""

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#671][synchronized] Slim down dependencies

2017-04-27 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/671
Author: tiran
 Title: #671: Slim down dependencies
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/671/head:pr671
git checkout pr671
From f69db99e4e97d51c6b69300453f75fa1f84236f8 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Wed, 29 Mar 2017 11:20:21 +0200
Subject: [PATCH] Slim down dependencies

* Make jinja2 an optional dependency and csrgen an optional plugin
* otptoken_yubikey has optional dependencies

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipaclient/plugins/csrgen.py   | 10 --
 ipaclient/plugins/otptoken_yubikey.py | 11 ---
 ipaclient/setup.py|  3 +--
 3 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/ipaclient/plugins/csrgen.py b/ipaclient/plugins/csrgen.py
index 568a79f..d18a90c 100644
--- a/ipaclient/plugins/csrgen.py
+++ b/ipaclient/plugins/csrgen.py
@@ -6,8 +6,6 @@
 
 import six
 
-from ipaclient import csrgen
-from ipaclient import csrgen_ffi
 from ipalib import api
 from ipalib import errors
 from ipalib import output
@@ -18,6 +16,14 @@
 from ipalib.text import _
 from ipapython import dogtag
 
+try:
+import jinja2  # pylint: disable=unused-import
+except ImportError:
+raise errors.SkipPluginModule(reason=_("jinja2 is not installed."))
+else:
+from ipaclient import csrgen
+from ipaclient import csrgen_ffi
+
 if six.PY3:
 unicode = str
 
diff --git a/ipaclient/plugins/otptoken_yubikey.py b/ipaclient/plugins/otptoken_yubikey.py
index 759b722..9993ec8 100644
--- a/ipaclient/plugins/otptoken_yubikey.py
+++ b/ipaclient/plugins/otptoken_yubikey.py
@@ -20,15 +20,20 @@
 import os
 
 import six
-import usb.core
-import yubico
 
 from ipalib import _, api, IntEnum
-from ipalib.errors import NotFound
+from ipalib.errors import NotFound, SkipPluginModule
 from ipalib.frontend import Command, Method, Object
 from ipalib.plugable import Registry
 from ipalib.util import classproperty
 
+try:
+import usb.core
+import yubico
+except ImportError:
+# python-yubico depends on pyusb
+raise SkipPluginModule(reason=_("python-yubico is not installed."))
+
 if six.PY3:
 unicode = str
 
diff --git a/ipaclient/setup.py b/ipaclient/setup.py
index 0140fd5..ac947e7 100644
--- a/ipaclient/setup.py
+++ b/ipaclient/setup.py
@@ -50,11 +50,9 @@
 ],
 },
 install_requires=[
-"cffi",
 "cryptography",
 "ipalib",
 "ipapython",
-"jinja2",
 "qrcode",
 "six",
 ],
@@ -66,6 +64,7 @@
 extras_require={
 "install": ["ipaplatform"],
 "otptoken_yubikey": ["python-yubico", "pyusb"],
+"csrgen": ["cffi", "jinja2"],
 },
 zip_safe=False,
 )
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#744][opened] [4.5] Correct PyPI package dependencies

2017-04-27 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/744
Author: tiran
 Title: #744: [4.5] Correct PyPI package dependencies
Action: opened

PR body:
"""
* Remove unused install requires from ipapython
* Add missing requirements to ipaserver
* Correct dependencies for yubico otptoken
* Python 2 uses python-ldap, Python 3 pyldap

https://pagure.io/freeipa/issue/6875

Signed-off-by: Christian Heimes <chei...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/744/head:pr744
git checkout pr744
From 9238366c5aa3be9eff126c2ab4d7320bc588c9aa Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Mon, 10 Apr 2017 10:00:23 +0200
Subject: [PATCH] [4.5] Correct PyPI package dependencies

* Remove unused install requires from ipapython
* Add missing requirements to ipaserver
* Correct dependencies for yubico otptoken
* Python 2 uses python-ldap, Python 3 pyldap

https://pagure.io/freeipa/issue/6875

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipaclient/setup.py |  4 +---
 ipapython/setup.py |  6 ++
 ipaserver/setup.py | 18 +++---
 ipasetup.py.in | 16 
 ipatests/setup.py  |  3 ++-
 5 files changed, 28 insertions(+), 19 deletions(-)

diff --git a/ipaclient/setup.py b/ipaclient/setup.py
index ccb5396..d39235a 100644
--- a/ipaclient/setup.py
+++ b/ipaclient/setup.py
@@ -54,8 +54,6 @@
 "ipalib",
 "ipapython",
 "jinja2",
-"python-yubico",
-"pyusb",
 "qrcode",
 "six",
 ],
@@ -66,7 +64,7 @@
 },
 extras_require={
 "install": ["ipaplatform"],
-"otptoken_yubikey": ["yubico", "usb"]
+"otptoken_yubikey": ["python-yubico", "pyusb"],
 },
 zip_safe=False,
 )
diff --git a/ipapython/setup.py b/ipapython/setup.py
index 2fc039f..10d3831 100755
--- a/ipapython/setup.py
+++ b/ipapython/setup.py
@@ -41,17 +41,15 @@
 "cryptography",
 "dnspython",
 "gssapi",
-"jwcrypto",
 # "ipalib",  # circular dependency
-"pyldap",
 "netaddr",
 "netifaces",
 "python-nss",
-"requests",
 "six",
 ],
 extras_require={
-":python_version<'3'": ["enum34"],
+":python_version<'3'": ["enum34", "python-ldap"],
+":python_version>='3'": ["pyldap"],
 "install": ["dbus-python"],  # for certmonger
 },
 )
diff --git a/ipaserver/setup.py b/ipaserver/setup.py
index 42b0c1b..f48cef4 100755
--- a/ipaserver/setup.py
+++ b/ipaserver/setup.py
@@ -55,17 +55,12 @@
 "ipalib",
 "ipaplatform",
 "ipapython",
+"jwcrypto",
 "lxml",
 "netaddr",
 "pyasn1",
-"pyldap",
+"requests",
 "six",
-# not available on PyPI
-# "python-libipa_hbac",
-# "python-sss",
-# "python-sss-murmur",
-# "python-SSSDConfig",
-# "samba-python",
 ],
 entry_points={
 'custodia.authorizers': [
@@ -75,4 +70,13 @@
 'IPASecStore = ipaserver.secrets.store:IPASecStore',
 ],
 },
+extras_require={
+":python_version<'3'": ["python-ldap"],
+":python_version>='3'": ["pyldap"],
+# These packages are currently not available on PyPI.
+"dcerpc": ["samba", "pysss", "pysss_nss_idmap"],
+"hbactest": ["pyhbac"],
+"install": ["SSSDConfig"],
+"trust": ["pysss_murmur", "pysss_nss_idmap"],
+}
 )
diff --git a/ipasetup.py.in b/ipasetup.py.in
index 7f9b2c9..245038d 100644
--- a/ipasetup.py.in
+++ b/ipasetup.py.in
@@ -101,6 +101,7 @@ common_args = dict(
 "Programming Language :: Python :: 2.7",
 "Programming Language :: Python :: 3",
 "Programming Language :: Python :: 3.5",
+"Programming Language :: Python :: 3.6",
 "Programming Language :: Python :: Implementation :: CPython",

[Freeipa-devel] [freeipa PR#737][comment] Vault: Explicitly default to 3DES CBC

2017-04-26 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/737
Title: #737: Vault: Explicitly default to 3DES CBC

tiran commented:
"""
* I haven't verified that the patch actually solves the problem
* Needs backport to at least 4.5
* Either needs backport to 4.4 or 4.4 must required Dogtag < 10.4
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/737#issuecomment-297465052
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#737][opened] Vault: Explicitly default to 3DES CBC

2017-04-26 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/737
Author: tiran
 Title: #737: Vault: Explicitly default to 3DES CBC
Action: opened

PR body:
"""
The server-side plugin for IPA Vault relied on the fact that the default
oid for encryption algorithm is 3DES in CBC mode (DES-EDE3-CBC). Dogtag
10.4 has changed the default from 3DES to AES. Pass the correct
algorithm OID to KeyClient.archive_encrypted_data().

Closes: https://pagure.io/freeipa/issue/6899
Signed-off-by: Christian Heimes <chei...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/737/head:pr737
git checkout pr737
From 5e764ded04de08fb576ad503fea78fe9595b9b71 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Wed, 26 Apr 2017 18:15:40 +0200
Subject: [PATCH] Vault: Explicitly default to 3DES CBC

The server-side plugin for IPA Vault relied on the fact that the default
oid for encryption algorithm is 3DES in CBC mode (DES-EDE3-CBC). Dogtag
10.4 has changed the default from 3DES to AES. Pass the correct
algorithm OID to KeyClient.archive_encrypted_data().

Closes: https://pagure.io/freeipa/issue/6899
Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipaserver/plugins/vault.py | 12 ++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/ipaserver/plugins/vault.py b/ipaserver/plugins/vault.py
index 57e1ed7..d46aca8 100644
--- a/ipaserver/plugins/vault.py
+++ b/ipaserver/plugins/vault.py
@@ -38,6 +38,14 @@
 if api.env.in_server:
 import pki.account
 import pki.key
+# pylint: disable=no-member
+try:
+# pki >= 10.4.0
+from pki.crypto import DES_EDE3_CBC_OID
+except ImportError:
+DES_EDE3_CBC_OID = pki.key.KeyClient.DES_EDE3_CBC_OID
+# pylint: enable=no-member
+
 
 if six.PY3:
 unicode = str
@@ -1059,8 +1067,8 @@ def execute(self, *args, **options):
 pki.key.KeyClient.PASS_PHRASE_TYPE,
 wrapped_vault_data,
 wrapped_session_key,
-None,
-nonce,
+algorithm_oid=DES_EDE3_CBC_OID,
+nonce_iv=nonce,
 )
 
 kra_account.logout()
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#732][opened] ipa-custodia: use Dogtag's alias/pwdfile.txt

2017-04-25 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/732
Author: tiran
 Title: #732: ipa-custodia: use Dogtag's alias/pwdfile.txt
Action: opened

PR body:
"""
/etc/pki/pki-tomcat/password.conf contains additional passwords like
replicadb. ipa-custodia does not need these passwords.
/etc/pki/pki-tomcat/alias/pwdfile.txt holds the passphrase for Tomcat's
NSSDB. The file also simplifies implementation because it removes
another temporary file.

pwdfile.txt is created by CAInstance.create_certstore_passwdfile()

Related: https://pagure.io/freeipa/issue/6888
Signed-off-by: Christian Heimes <chei...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/732/head:pr732
git checkout pr732
From 70296313166b019e040f06f1ce395fc0b0f8199c Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Tue, 25 Apr 2017 14:52:35 +0200
Subject: [PATCH] ipa-custodia: use Dogtag's alias/pwdfile.txt

/etc/pki/pki-tomcat/password.conf contains additional passwords like
replicadb. ipa-custodia does not need these passwords.
/etc/pki/pki-tomcat/alias/pwdfile.txt holds the passphrase for Tomcat's
NSSDB. The file also simplifies implementation because it removes
another temporary file.

pwdfile.txt is created by CAInstance.create_certstore_passwdfile()

Related: https://pagure.io/freeipa/issue/6888
Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipaplatform/base/paths.py  |  1 +
 ipaserver/secrets/store.py | 34 +++---
 2 files changed, 8 insertions(+), 27 deletions(-)

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 57f185e..7f9297e 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -94,6 +94,7 @@ class BasePathNamespace(object):
 NSS_DB_DIR = "/etc/pki/nssdb"
 PKI_TOMCAT = "/etc/pki/pki-tomcat"
 PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias"
+PKI_TOMCAT_ALIAS_PWDFILE_TXT = "/etc/pki/pki-tomcat/alias/pwdfile.txt"
 PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf"
 ETC_REDHAT_RELEASE = "/etc/redhat-release"
 RESOLV_CONF = "/etc/resolv.conf"
diff --git a/ipaserver/secrets/store.py b/ipaserver/secrets/store.py
index 56cbfbc..43502c2 100644
--- a/ipaserver/secrets/store.py
+++ b/ipaserver/secrets/store.py
@@ -34,17 +34,6 @@ def log_error(error):
 print(error, file=sys.stderr)
 
 
-def PKI_TOMCAT_password_callback():
-password = None
-with open(paths.PKI_TOMCAT_PASSWORD_CONF) as f:
-for line in f.readlines():
-key, value = line.strip().split('=')
-if key == 'internal':
-password = value
-break
-return password
-
-
 class NSSWrappedCertDB(DBMAPHandler):
 '''
 Store that extracts private keys from an NSSDB, wrapped with the
@@ -62,20 +51,17 @@ def __init__(self, config, dbmap, nickname):
 raise ValueError(
 'Configuration does not provide nickname of wrapping key')
 self.nssdb_path = dbmap['path']
-self.nssdb_password = dbmap['pwcallback']()
+self.nssdb_pwdfile = dbmap['pwdfile']
 self.wrap_nick = dbmap['wrap_nick']
 self.target_nick = nickname
 
 def export_key(self):
 tdir = tempfile.mkdtemp(dir=paths.TMP)
 try:
-nsspwfile = os.path.join(tdir, 'nsspwfile')
-with open(nsspwfile, 'w+') as f:
-f.write(self.nssdb_password)
 wrapped_key_file = os.path.join(tdir, 'wrapped_key')
 certificate_file = os.path.join(tdir, 'certificate')
 ipautil.run([
-paths.PKI, '-d', self.nssdb_path, '-C', nsspwfile,
+paths.PKI, '-d', self.nssdb_path, '-C', self.nssdb_pwdfile,
 'ca-authority-key-export',
 '--wrap-nickname', self.wrap_nick,
 '--target-nickname', self.target_nick,
@@ -106,15 +92,12 @@ def __init__(self, config, dbmap, nickname):
 if 'pwcallback' not in dbmap:
 raise ValueError('Configuration does not provide Password Calback')
 self.nssdb_path = dbmap['path']
+self.nssdb_pwdfile = dbmap['pwdfile']
 self.nickname = nickname
-self.nssdb_password = dbmap['pwcallback']()
 
 def export_key(self):
 tdir = tempfile.mkdtemp(dir=paths.TMP)
 try:
-nsspwfile = os.path.join(tdir, 'nsspwfile')
-with open(nsspwfile, 'w+') as f:
-f.write(self.nssdb_password)
 pk12pwfile = os.path.join(tdir, 'pk12pwfile')
 password = ipautil.ipa_generate_password()
 with open(pk12pwfile, 'w+') as f:
@@ -124,7 +107,7 @@ def export_key(self):
  "-d", self.nssdb_path,
  "-o", pk12file,

[Freeipa-devel] [freeipa PR#702][comment] Correct PyPI package dependencies

2017-04-25 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/702
Title: #702: Correct PyPI package dependencies

tiran commented:
"""
You are running into a pip bug. I've added band-aid for the issue. To speed up 
testing, tox caches packages. I guess I never ran into the problem because I 
had the packages pre-build and cached.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/702#issuecomment-296999123
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#702][synchronized] Correct PyPI package dependencies

2017-04-25 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/702
Author: tiran
 Title: #702: Correct PyPI package dependencies
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/702/head:pr702
git checkout pr702
From 21208052af34b21e14840df73ce4b3a000484d81 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Mon, 10 Apr 2017 10:00:23 +0200
Subject: [PATCH 1/2] Correct PyPI package dependencies

* Remove unused install requires from ipapython
* Add missing requirements to ipaserver
* Correct dependencies for yubico otptoken
* Add explicit dependency on cffi for csrgen
* Python 2 uses python-ldap, Python 3 pyldap

https://pagure.io/freeipa/issue/6875

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipaclient/setup.py |  5 ++---
 ipapython/setup.py |  6 ++
 ipaserver/setup.py |  5 -
 ipasetup.py.in | 16 
 ipatests/setup.py  |  3 ++-
 tox.ini|  3 +--
 6 files changed, 23 insertions(+), 15 deletions(-)

diff --git a/ipaclient/setup.py b/ipaclient/setup.py
index ccb5396..0140fd5 100644
--- a/ipaclient/setup.py
+++ b/ipaclient/setup.py
@@ -50,12 +50,11 @@
 ],
 },
 install_requires=[
+"cffi",
 "cryptography",
 "ipalib",
 "ipapython",
 "jinja2",
-"python-yubico",
-"pyusb",
 "qrcode",
 "six",
 ],
@@ -66,7 +65,7 @@
 },
 extras_require={
 "install": ["ipaplatform"],
-"otptoken_yubikey": ["yubico", "usb"]
+"otptoken_yubikey": ["python-yubico", "pyusb"],
 },
 zip_safe=False,
 )
diff --git a/ipapython/setup.py b/ipapython/setup.py
index f4bc3f8..4f71530 100755
--- a/ipapython/setup.py
+++ b/ipapython/setup.py
@@ -41,16 +41,14 @@
 "cryptography",
 "dnspython",
 "gssapi",
-"jwcrypto",
 # "ipalib",  # circular dependency
-"pyldap",
 "netaddr",
 "netifaces",
-"requests",
 "six",
 ],
 extras_require={
-":python_version<'3'": ["enum34"],
+":python_version<'3'": ["enum34", "python-ldap"],
+":python_version>='3'": ["pyldap"],
 "install": ["dbus-python"],  # for certmonger
 },
 )
diff --git a/ipaserver/setup.py b/ipaserver/setup.py
index 097508f..f48cef4 100755
--- a/ipaserver/setup.py
+++ b/ipaserver/setup.py
@@ -55,10 +55,11 @@
 "ipalib",
 "ipaplatform",
 "ipapython",
+"jwcrypto",
 "lxml",
 "netaddr",
 "pyasn1",
-"pyldap",
+"requests",
 "six",
 ],
 entry_points={
@@ -70,6 +71,8 @@
 ],
 },
 extras_require={
+":python_version<'3'": ["python-ldap"],
+":python_version>='3'": ["pyldap"],
 # These packages are currently not available on PyPI.
 "dcerpc": ["samba", "pysss", "pysss_nss_idmap"],
 "hbactest": ["pyhbac"],
diff --git a/ipasetup.py.in b/ipasetup.py.in
index b0a5051..2ad57e2 100644
--- a/ipasetup.py.in
+++ b/ipasetup.py.in
@@ -101,6 +101,7 @@ common_args = dict(
 "Programming Language :: Python :: 2.7",
 "Programming Language :: Python :: 3",
 "Programming Language :: Python :: 3.5",
+"Programming Language :: Python :: 3.6",
 "Programming Language :: Python :: Implementation :: CPython",
 "Operating System :: POSIX",
 "Operating System :: POSIX :: Linux",
@@ -138,13 +139,20 @@ def ipasetup(name, doc, **kwargs):
 cmdclass = setup_kwargs.setdefault('cmdclass', {})
 cmdclass['build_py'] = build_py
 
-# Env markers like ":python_version<'3.3'" are not supported by
+# Env markers like ":python_version<'3'" are not supported by
 # setuptools < 18.0.
 if 'extras_require' in setup_kwargs and SETUPTOOLS_VERSION < (18, 0, 0):
 for k in list(setup_kwargs['extras_require']):
-if k.startswith(':'):
-req = setup_kwargs.setdefault('install_requires', [])
-req.extend

[Freeipa-devel] [freeipa PR#720][synchronized] tox: use pylint 1.6.x for now

2017-04-24 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/720
Author: tiran
 Title: #720: tox: use pylint 1.6.x for now
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/720/head:pr720
git checkout pr720
From c629f1ac97f73e3c4d4a23bcde5b769319368e74 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Wed, 19 Apr 2017 10:58:11 +0200
Subject: [PATCH] tox: use pylint 1.6.x for now

FreeIPA is not yet compatible with pylint 1.7.1+. Enforce pylint 1.6.x
until all issues have been addressed.

Related: https://pagure.io/freeipa/issue/6874
Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 .wheelconstraints.in | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.wheelconstraints.in b/.wheelconstraints.in
index eba4ec9..ba37de7 100644
--- a/.wheelconstraints.in
+++ b/.wheelconstraints.in
@@ -9,3 +9,5 @@ ipapython == @VERSION@
 ipaserver == @VERSION@
 ipatests == @VERSION@
 
+# see https://pagure.io/freeipa/issue/6874
+pylint < 1.7
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#727][opened] Regenerate ASN.1 code with asn1c 0.9.28

2017-04-24 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/727
Author: tiran
 Title: #727: Regenerate ASN.1 code with asn1c 0.9.28
Action: opened

PR body:
"""
Regenerate ASN.1 code with asn1c 0.9.28

https://pagure.io/freeipa/issue/6818
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/727/head:pr727
git checkout pr727
From 6468a24595250eaec25d49ac80c0883a4892e093 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Mon, 24 Apr 2017 11:12:42 +0200
Subject: [PATCH 1/2] Regenerate ASN.1 code with asn1c 0.9.28

Closes: https://pagure.io/freeipa/issue/6818
Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 asn1/asn1c/BIT_STRING.c |  26 +-
 asn1/asn1c/GKCurrentKeys.c  |   8 ++--
 asn1/asn1c/GKCurrentKeys.h  |   4 +-
 asn1/asn1c/GKNewKeys.c  |  10 ++--
 asn1/asn1c/GKNewKeys.h  |   4 +-
 asn1/asn1c/GKReply.c|  10 ++--
 asn1/asn1c/GKReply.h|   4 +-
 asn1/asn1c/GetKeytabControl.c   |   6 +--
 asn1/asn1c/GetKeytabControl.h   |   4 +-
 asn1/asn1c/INTEGER.c|  72 ++--
 asn1/asn1c/INTEGER.h|   8 ++--
 asn1/asn1c/Int32.c  |  10 ++--
 asn1/asn1c/Int32.h  |   4 +-
 asn1/asn1c/KrbKey.c |   8 ++--
 asn1/asn1c/KrbKey.h |   4 +-
 asn1/asn1c/NativeEnumerated.c   |  54 ++---
 asn1/asn1c/NativeInteger.c  |  16 +++
 asn1/asn1c/OCTET_STRING.c   | 103 ++--
 asn1/asn1c/OCTET_STRING.h   |   2 +-
 asn1/asn1c/TypeValuePair.c  |   8 ++--
 asn1/asn1c/TypeValuePair.h  |   4 +-
 asn1/asn1c/asn_application.h|   6 +--
 asn1/asn1c/asn_codecs.h |  14 +++---
 asn1/asn1c/asn_codecs_prim.c|  16 +++
 asn1/asn1c/asn_internal.h   |  68 +-
 asn1/asn1c/asn_system.h |  14 --
 asn1/asn1c/ber_decoder.c|   4 +-
 asn1/asn1c/ber_tlv_length.c |   2 +-
 asn1/asn1c/constr_CHOICE.c  |  94 ++--
 asn1/asn1c/constr_CHOICE.h  |   4 +-
 asn1/asn1c/constr_SEQUENCE.c|  91 ++-
 asn1/asn1c/constr_SEQUENCE.h|   6 +--
 asn1/asn1c/constr_SEQUENCE_OF.c |  36 +++---
 asn1/asn1c/constr_SET_OF.c  |  47 +-
 asn1/asn1c/constr_SET_OF.h  |   2 +-
 asn1/asn1c/constr_TYPE.c|   2 +-
 asn1/asn1c/constr_TYPE.h|  18 +++
 asn1/asn1c/constraints.h|   8 ++--
 asn1/asn1c/der_encoder.c|  18 +++
 asn1/asn1c/per_decoder.c|   8 ++--
 asn1/asn1c/per_encoder.c|   4 +-
 asn1/asn1c/per_opentype.c   |  24 +-
 asn1/asn1c/per_support.c|   8 ++--
 asn1/asn1c/per_support.h|   8 ++--
 asn1/asn1c/xer_decoder.c|  17 ---
 asn1/asn1c/xer_decoder.h|   7 +--
 asn1/asn1c/xer_encoder.c|   8 ++--
 asn1/asn1c/xer_support.c|  16 ++-
 48 files changed, 474 insertions(+), 445 deletions(-)

diff --git a/asn1/asn1c/BIT_STRING.c b/asn1/asn1c/BIT_STRING.c
index 9b98271..997ff41 100644
--- a/asn1/asn1c/BIT_STRING.c
+++ b/asn1/asn1c/BIT_STRING.c
@@ -9,7 +9,7 @@
 /*
  * BIT STRING basic type description.
  */
-static ber_tlv_tag_t asn_DEF_BIT_STRING_tags[] = {
+static const ber_tlv_tag_t asn_DEF_BIT_STRING_tags[] = {
 	(ASN_TAG_CLASS_UNIVERSAL | (3 << 2))
 };
 static asn_OCTET_STRING_specifics_t asn_DEF_BIT_STRING_specs = {
@@ -52,13 +52,13 @@ BIT_STRING_constraint(asn_TYPE_descriptor_t *td, const void *sptr,
 	if(st && st->buf) {
 		if((st->size == 0 && st->bits_unused)
 		|| st->bits_unused < 0 || st->bits_unused > 7) {
-			_ASN_CTFAIL(app_key, td, sptr,
+			ASN__CTFAIL(app_key, td, sptr,
 "%s: invalid padding byte (%s:%d)",
 td->name, __FILE__, __LINE__);
 			return -1;
 		}
 	} else {
-		_ASN_CTFAIL(app_key, td, sptr,
+		ASN__CTFAIL(app_key, td, sptr,
 			"%s: value not given (%s:%d)",
 			td->name, __FILE__, __LINE__);
 		return -1;
@@ -86,7 +86,7 @@ BIT_STRING_encode_xer(asn_TYPE_descriptor_t *td, void *sptr,
 	uint8_t *end;
 
 	if(!st || !st->buf)
-		_ASN_ENCODE_FAILED;
+		ASN__ENCODE_FAILED;
 
 	er.encoded = 0;
 
@@ -101,9 +101,9 @@ BIT_STRING_encode_xer(asn_TYPE_descriptor_t *td, void *sptr,
 		int nline = xcan?0:(((buf - st->buf) % 8) == 0);
 		if(p >= scend || nline) {
 			er.encoded += p - scratch;
-			_ASN_CALLBACK(scratch, p - scratch);
+			ASN__CALLBACK(scratch, p - scratch);
 			p = scratch;
-			if(nline) _i_ASN_TEXT_INDENT(1, ilevel);
+			if(nline) ASN__TEXT_INDENT(1, ilevel);
 		}
 		memcpy(p + 0, _bit_pattern[v >> 4], 4);
 		memcpy(p + 4, _bit_pattern[v & 0x0f], 4);
@@ -111,9 +111,9 @@ BIT_STRING_encode_xer(asn_TYPE_descriptor_t *td, void *sptr,
 	}
 
 	if(!xcan && ((buf - st->buf) % 8) == 0)
-		_i_ASN_TEXT_INDENT(1, ilevel);
+		ASN__TEX

[Freeipa-devel] [freeipa PR#726][comment] Add check for directory name

2017-04-24 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/726
Title: #726: Add check for directory name

tiran commented:
"""
What about other types that might cause trouble, e.g. socket, fifo, device 
files, dangling symlinks?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/726#issuecomment-296572324
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#679][edited] Make sure remote hosts have our keys

2017-04-20 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/679
Author: simo5
 Title: #679: Make sure remote hosts have our keys
Action: edited

 Changed field: body
Original value:
"""
In complex replication setups a replica may try to obtain CA keys from a
host that is not the master we initially create the keys against.
In this case race conditions may happen due to replication. So we need
to make sure the server we are contacting to get the CA keys has our
keys in LDAP. We do this by waiting to positively fetch our encryption
public key (the last one we create) from the target host LDAP server.

Fixes: https://pagure.io/freeipa/issue/6688

Signed-off-by: Simo Sorce 
"""

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#699][comment] ipaclient/ipapython macOS compatibility fixes

2017-04-19 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/699
Title: #699: ipaclient/ipapython macOS compatibility fixes

tiran commented:
"""
@abbra is there any reason to delay the merge? I like to get the fixes into 4.5 
for the upcoming 4.5.1 release. This commit may not be sufficient for full 
macOS support, but it's definitely required for macOS support. There is no harm 
to commit it now and fix remaining issues later.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/699#issuecomment-295193893
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#702][synchronized] Correct PyPI package dependencies

2017-04-19 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/702
Author: tiran
 Title: #702: Correct PyPI package dependencies
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/702/head:pr702
git checkout pr702
From 604ed718f621838bf728633043d9e4b0e58ee5d1 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Mon, 10 Apr 2017 10:00:23 +0200
Subject: [PATCH] Correct PyPI package dependencies

* Remove unused install requires from ipapython
* Add missing requirements to ipaserver
* Correct dependencies for yubico otptoken
* Add explicit dependency on cffi for csrgen
* Python 2 uses python-ldap, Python 3 pyldap

https://pagure.io/freeipa/issue/6875

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipaclient/setup.py |  5 ++---
 ipapython/setup.py |  6 ++
 ipaserver/setup.py |  5 -
 ipasetup.py.in | 16 
 ipatests/setup.py  |  3 ++-
 tox.ini|  3 +--
 6 files changed, 23 insertions(+), 15 deletions(-)

diff --git a/ipaclient/setup.py b/ipaclient/setup.py
index ccb5396..0140fd5 100644
--- a/ipaclient/setup.py
+++ b/ipaclient/setup.py
@@ -50,12 +50,11 @@
 ],
 },
 install_requires=[
+"cffi",
 "cryptography",
 "ipalib",
 "ipapython",
 "jinja2",
-"python-yubico",
-"pyusb",
 "qrcode",
 "six",
 ],
@@ -66,7 +65,7 @@
 },
 extras_require={
 "install": ["ipaplatform"],
-"otptoken_yubikey": ["yubico", "usb"]
+"otptoken_yubikey": ["python-yubico", "pyusb"],
 },
 zip_safe=False,
 )
diff --git a/ipapython/setup.py b/ipapython/setup.py
index f4bc3f8..4f71530 100755
--- a/ipapython/setup.py
+++ b/ipapython/setup.py
@@ -41,16 +41,14 @@
 "cryptography",
 "dnspython",
 "gssapi",
-"jwcrypto",
 # "ipalib",  # circular dependency
-"pyldap",
 "netaddr",
 "netifaces",
-"requests",
 "six",
 ],
 extras_require={
-":python_version<'3'": ["enum34"],
+":python_version<'3'": ["enum34", "python-ldap"],
+":python_version>='3'": ["pyldap"],
 "install": ["dbus-python"],  # for certmonger
 },
 )
diff --git a/ipaserver/setup.py b/ipaserver/setup.py
index 097508f..f48cef4 100755
--- a/ipaserver/setup.py
+++ b/ipaserver/setup.py
@@ -55,10 +55,11 @@
 "ipalib",
 "ipaplatform",
 "ipapython",
+"jwcrypto",
 "lxml",
 "netaddr",
 "pyasn1",
-"pyldap",
+"requests",
 "six",
 ],
 entry_points={
@@ -70,6 +71,8 @@
 ],
 },
 extras_require={
+":python_version<'3'": ["python-ldap"],
+":python_version>='3'": ["pyldap"],
 # These packages are currently not available on PyPI.
 "dcerpc": ["samba", "pysss", "pysss_nss_idmap"],
 "hbactest": ["pyhbac"],
diff --git a/ipasetup.py.in b/ipasetup.py.in
index b0a5051..2ad57e2 100644
--- a/ipasetup.py.in
+++ b/ipasetup.py.in
@@ -101,6 +101,7 @@ common_args = dict(
 "Programming Language :: Python :: 2.7",
 "Programming Language :: Python :: 3",
 "Programming Language :: Python :: 3.5",
+"Programming Language :: Python :: 3.6",
 "Programming Language :: Python :: Implementation :: CPython",
 "Operating System :: POSIX",
 "Operating System :: POSIX :: Linux",
@@ -138,13 +139,20 @@ def ipasetup(name, doc, **kwargs):
 cmdclass = setup_kwargs.setdefault('cmdclass', {})
 cmdclass['build_py'] = build_py
 
-# Env markers like ":python_version<'3.3'" are not supported by
+# Env markers like ":python_version<'3'" are not supported by
 # setuptools < 18.0.
 if 'extras_require' in setup_kwargs and SETUPTOOLS_VERSION < (18, 0, 0):
 for k in list(setup_kwargs['extras_require']):
-if k.startswith(':'):
-req = setup_kwargs.setdefault('install_requires', [])
-req.extend

[Freeipa-devel] [freeipa PR#720][comment] tox: use pylint 1.6.x for now

2017-04-19 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/720
Title: #720: tox: use pylint 1.6.x for now

tiran commented:
"""
Needs rebase to 4.5 **or** 4.5 must be made compatible with pylint 1.7 before 
4.5.1 is released.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/720#issuecomment-295174341
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#720][opened] tox: use pylint 1.6.x for now

2017-04-19 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/720
Author: tiran
 Title: #720: tox: use pylint 1.6.x for now
Action: opened

PR body:
"""
FreeIPA is not yet compatible with pylint 1.7.1+. Enforce pylint 1.6.x
until all issues have been addressed.

Related: https://pagure.io/freeipa/issue/6874
Signed-off-by: Christian Heimes <chei...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/720/head:pr720
git checkout pr720
From 29185f722ae376dc578f63a57f82bbe8a122e1b0 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Wed, 19 Apr 2017 10:58:11 +0200
Subject: [PATCH] tox: use pylint 1.6.x for now

FreeIPA is not yet compatible with pylint 1.7.1+. Enforce pylint 1.6.x
until all issues have been addressed.

Related: https://pagure.io/freeipa/issue/6874
Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 tox.ini | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tox.ini b/tox.ini
index db551df..f4d307c 100644
--- a/tox.ini
+++ b/tox.ini
@@ -24,7 +24,8 @@ basepython=python2.7
 deps=
 ipaclient
 ipapython[certmonger]
-pylint
+# see https://pagure.io/freeipa/issue/6874
+pylint < 1.7
 commands=
 {envpython} -m pylint \
 --rcfile={toxinidir}/pylintrc \
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#718][comment] configure: fix AC_CHECK_LIB usage

2017-04-18 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/718
Title: #718: configure: fix AC_CHECK_LIB usage

tiran commented:
"""
Is this peculiar behavior of ```AC_CHECK_LIB``` documented somewhere?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/718#issuecomment-294823623
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#702][comment] Correct PyPI package dependencies

2017-04-13 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/702
Title: #702: Correct PyPI package dependencies

tiran commented:
"""
With recent changes, 4.5 needs a different patch. Let's merge this one and I'll 
prepare a new one with a ticket another time.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/702#issuecomment-293900251
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#702][synchronized] Correct PyPI package dependencies

2017-04-12 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/702
Author: tiran
 Title: #702: Correct PyPI package dependencies
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/702/head:pr702
git checkout pr702
From 608ebabf0501874bcbd469466685343da8cdf709 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Mon, 10 Apr 2017 10:00:23 +0200
Subject: [PATCH] Correct PyPI package dependencies

* Remove unused install requires
* Correct dependencies for yubico otptoken
* Add explicit dependency on cffi for csrgen
* Python 2 uses python-ldap, Python 3 pyldap

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipaclient/setup.py |  5 ++---
 ipapython/setup.py |  6 ++
 ipaserver/setup.py |  3 ++-
 ipasetup.py.in | 16 
 ipatests/setup.py  |  3 ++-
 tox.ini|  3 +--
 6 files changed, 21 insertions(+), 15 deletions(-)

diff --git a/ipaclient/setup.py b/ipaclient/setup.py
index ccb5396..0140fd5 100644
--- a/ipaclient/setup.py
+++ b/ipaclient/setup.py
@@ -50,12 +50,11 @@
 ],
 },
 install_requires=[
+"cffi",
 "cryptography",
 "ipalib",
 "ipapython",
 "jinja2",
-"python-yubico",
-"pyusb",
 "qrcode",
 "six",
 ],
@@ -66,7 +65,7 @@
 },
 extras_require={
 "install": ["ipaplatform"],
-"otptoken_yubikey": ["yubico", "usb"]
+"otptoken_yubikey": ["python-yubico", "pyusb"],
 },
 zip_safe=False,
 )
diff --git a/ipapython/setup.py b/ipapython/setup.py
index f4bc3f8..4f71530 100755
--- a/ipapython/setup.py
+++ b/ipapython/setup.py
@@ -41,16 +41,14 @@
 "cryptography",
 "dnspython",
 "gssapi",
-"jwcrypto",
 # "ipalib",  # circular dependency
-"pyldap",
 "netaddr",
 "netifaces",
-"requests",
 "six",
 ],
 extras_require={
-":python_version<'3'": ["enum34"],
+":python_version<'3'": ["enum34", "python-ldap"],
+":python_version>='3'": ["pyldap"],
 "install": ["dbus-python"],  # for certmonger
 },
 )
diff --git a/ipaserver/setup.py b/ipaserver/setup.py
index 097508f..307e7a8 100755
--- a/ipaserver/setup.py
+++ b/ipaserver/setup.py
@@ -58,7 +58,6 @@
 "lxml",
 "netaddr",
 "pyasn1",
-"pyldap",
 "six",
 ],
 entry_points={
@@ -70,6 +69,8 @@
 ],
 },
 extras_require={
+":python_version<'3'": ["python-ldap"],
+":python_version>='3'": ["pyldap"],
 # These packages are currently not available on PyPI.
 "dcerpc": ["samba", "pysss", "pysss_nss_idmap"],
 "hbactest": ["pyhbac"],
diff --git a/ipasetup.py.in b/ipasetup.py.in
index b0a5051..2ad57e2 100644
--- a/ipasetup.py.in
+++ b/ipasetup.py.in
@@ -101,6 +101,7 @@ common_args = dict(
 "Programming Language :: Python :: 2.7",
 "Programming Language :: Python :: 3",
 "Programming Language :: Python :: 3.5",
+"Programming Language :: Python :: 3.6",
 "Programming Language :: Python :: Implementation :: CPython",
 "Operating System :: POSIX",
 "Operating System :: POSIX :: Linux",
@@ -138,13 +139,20 @@ def ipasetup(name, doc, **kwargs):
 cmdclass = setup_kwargs.setdefault('cmdclass', {})
 cmdclass['build_py'] = build_py
 
-# Env markers like ":python_version<'3.3'" are not supported by
+# Env markers like ":python_version<'3'" are not supported by
 # setuptools < 18.0.
 if 'extras_require' in setup_kwargs and SETUPTOOLS_VERSION < (18, 0, 0):
 for k in list(setup_kwargs['extras_require']):
-if k.startswith(':'):
-req = setup_kwargs.setdefault('install_requires', [])
-req.extend(setup_kwargs['extras_require'].pop(k))
+if not k.startswith(':'):
+continue
+values = setup_kwargs['extras_require'].pop(k)
+req = setup_kwargs.setdefault('install_requires', [])
+if k == ":python_version

[Freeipa-devel] [freeipa PR#618][synchronized] Tox testing support for client wheel packages

2017-04-12 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/618
Author: tiran
 Title: #618: Tox testing support for client wheel packages
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/618/head:pr618
git checkout pr618
From 794f76e8526ac11fa063357b2c7bb662b01befe4 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Thu, 17 Nov 2016 16:43:17 +0100
Subject: [PATCH] tox testing support for client wheel packages

Add tox infrastructure to test client wheel packages workflow:

* build client packages
* install client packages
* ipa-run-tests --ipaclient-unittests under Python 2 and 3
* pylint of client packages under Python 2 and 3
* placeholder packages work as expected

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 .gitignore   |  2 ++
 .tox-install.sh  | 94 
 Makefile.am  |  6 ++--
 configure.ac |  1 +
 freeipa.spec.in  |  3 ++
 ipatests/conftest.py |  4 ++-
 pypi/test_placeholder.py | 47 
 tox.ini  | 55 
 8 files changed, 209 insertions(+), 3 deletions(-)
 create mode 100755 .tox-install.sh
 create mode 100644 pypi/test_placeholder.py
 create mode 100644 tox.ini

diff --git a/.gitignore b/.gitignore
index 8941fd8..8b57dbc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -61,6 +61,8 @@ freeipa2-dev-doc
 # Root directory
 /freeipa.spec
 /dist/
+/.tox/
+/.cache/
 /*/dist/
 /RELEASE
 /rpmbuild/
diff --git a/.tox-install.sh b/.tox-install.sh
new file mode 100755
index 000..8f9d221
--- /dev/null
+++ b/.tox-install.sh
@@ -0,0 +1,94 @@
+#!/bin/bash
+set -ex
+
+FLAVOR="$1"
+ENVPYTHON="$2"
+ENVSITEPACKAGESDIR="$3"
+# 3...end are package requirements
+shift 3
+
+TOXINIDIR="$(cd "$(dirname "$0")" && pwd)"
+
+# sanity checks
+if [ ! -x "${ENVPYTHON}" ]; then
+echo "${ENVPYTHON}: no such executable"
+exit 1
+fi
+
+if [ ! -d "${ENVSITEPACKAGESDIR}" ]; then
+echo "${ENVSITEPACKAGESDIR}: no such directory"
+exit 2
+fi
+
+if [ ! -f "${TOXINIDIR}/tox.ini" ]; then
+echo "${TOXINIDIR}: no such directory"
+exit 3
+fi
+
+# https://pip.pypa.io/en/stable/user_guide/#environment-variables
+export PIP_CACHE_DIR="${TOXINIDIR}/.tox/cache"
+mkdir -p "${PIP_CACHE_DIR}"
+
+DISTBUNDLE="${TOXINIDIR}/dist/bundle"
+mkdir -p "${DISTBUNDLE}"
+
+DISTPYPI="${TOXINIDIR}/dist/pypi"
+mkdir -p "${DISTPYPI}"
+
+# create configure
+pushd "${TOXINIDIR}"
+if [ ! -f "configure" ]; then
+autoreconf -i -f
+fi
+# (re)create Makefile
+./configure --disable-server
+popd
+
+case $FLAVOR in
+wheel_bundle)
+# copy pylint plugin
+cp "${TOXINIDIR}/pylint_plugins.py" "${ENVSITEPACKAGESDIR}"
+
+# build packages and bundles
+make -C "${TOXINIDIR}" \
+wheel_bundle \
+PYTHON="${ENVPYTHON}" \
+IPA_EXTRA_WHEELS="$*"
+
+# chdir to prevent local .egg-info from messing up pip
+pushd "${ENVSITEPACKAGESDIR}"
+
+# Install packages with dist/bundle/ as extra source for wheels while ignoring
+# upstream Python Package Index.
+$ENVPYTHON -m pip install \
+--no-index \
+--disable-pip-version-check \
+--constraint "${TOXINIDIR}/.wheelconstraints" \
+--find-links "${DISTBUNDLE}" \
+$@
+
+popd
+;;
+pypi_packages)
+# build packages and bundles
+make -C "${TOXINIDIR}" \
+pypi_packages \
+PYTHON="${ENVPYTHON}"
+
+# chdir to prevent local .egg-info from messing up pip
+pushd "${ENVSITEPACKAGESDIR}"
+
+# Install packages from dist/pypi
+$ENVPYTHON -m pip install \
+--disable-pip-version-check \
+--constraint "${TOXINIDIR}/.wheelconstraints" \
+--find-links "${DISTPYPI}" \
+$@
+
+popd
+;;
+*)
+echo "Unknown install flavor $FLAVOR"
+exit 1
+;;
+esac
diff --git a/Makefile.am b/Makefile.am
index ab69f49..7608dfa 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -57,6 +57,7 @@ EXTRA_DIST = .mailmap \
 clean-local:
 	rm -rf "$(RPMBUILD)"
 	rm -rf "$(top_builddir)/dist"
+	rm -rf "$(top_builddir)/.tox"
 	rm -rf "$(top_srcdir)/__pycache__"
 	rm -f "$(top_builddir)"/$(PACKAGE)-*.tar.gz
 
@@ -212,6 +213,7 @@ pylint: $(top_builddir)/ipapython/version.py ipasetup.py
 		-path './freeipa-*' -prune -o \
 		-path './dist' -prune -o \
 		-path './pypi' -prune -o \
+		-path './.tox' -prune -o \
 		-name '.*' -o \
 		-name '*.in' -o \
 		-name '*~' -o \
@@ -299,12 +301,12 @@ pypi_packages: $(WHEELPYPIDIR) .w

[Freeipa-devel] [freeipa PR#618][comment] Tox testing support for client wheel packages

2017-04-12 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/618
Title: #618: Tox testing support for client wheel packages

tiran commented:
"""
I added tox to wheel build requirements. Now you can install all dependencies 
with dnf builddep.

```
$ sudo dnf copr enable @freeipa/freeipa-master
$ sudo dnf install redhat-rpm-config
$ sudo dnf builddep --spec freeipa.spec.in --define "with_wheels 1"
$ tox
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/618#issuecomment-293568255
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#618][synchronized] Tox testing support for client wheel packages

2017-04-12 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/618
Author: tiran
 Title: #618: Tox testing support for client wheel packages
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/618/head:pr618
git checkout pr618
From ec1c53805892f3439409e2d2d0d941124583093c Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Thu, 17 Nov 2016 16:43:17 +0100
Subject: [PATCH] tox testing support for client wheel packages

Add tox infrastructure to test client wheel packages workflow:

* build client packages
* install client packages
* ipa-run-tests --ipaclient-unittests under Python 2 and 3
* pylint of client packages under Python 2 and 3
* placeholder packages work as expected

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 .gitignore   |  2 ++
 .tox-install.sh  | 94 
 Makefile.am  | 22 +---
 configure.ac |  1 +
 freeipa.spec.in  |  3 ++
 ipatests/conftest.py |  4 ++-
 pypi/test_placeholder.py | 47 
 tox.ini  | 55 
 8 files changed, 222 insertions(+), 6 deletions(-)
 create mode 100755 .tox-install.sh
 create mode 100644 pypi/test_placeholder.py
 create mode 100644 tox.ini

diff --git a/.gitignore b/.gitignore
index 8941fd8..8b57dbc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -61,6 +61,8 @@ freeipa2-dev-doc
 # Root directory
 /freeipa.spec
 /dist/
+/.tox/
+/.cache/
 /*/dist/
 /RELEASE
 /rpmbuild/
diff --git a/.tox-install.sh b/.tox-install.sh
new file mode 100755
index 000..8f9d221
--- /dev/null
+++ b/.tox-install.sh
@@ -0,0 +1,94 @@
+#!/bin/bash
+set -ex
+
+FLAVOR="$1"
+ENVPYTHON="$2"
+ENVSITEPACKAGESDIR="$3"
+# 3...end are package requirements
+shift 3
+
+TOXINIDIR="$(cd "$(dirname "$0")" && pwd)"
+
+# sanity checks
+if [ ! -x "${ENVPYTHON}" ]; then
+echo "${ENVPYTHON}: no such executable"
+exit 1
+fi
+
+if [ ! -d "${ENVSITEPACKAGESDIR}" ]; then
+echo "${ENVSITEPACKAGESDIR}: no such directory"
+exit 2
+fi
+
+if [ ! -f "${TOXINIDIR}/tox.ini" ]; then
+echo "${TOXINIDIR}: no such directory"
+exit 3
+fi
+
+# https://pip.pypa.io/en/stable/user_guide/#environment-variables
+export PIP_CACHE_DIR="${TOXINIDIR}/.tox/cache"
+mkdir -p "${PIP_CACHE_DIR}"
+
+DISTBUNDLE="${TOXINIDIR}/dist/bundle"
+mkdir -p "${DISTBUNDLE}"
+
+DISTPYPI="${TOXINIDIR}/dist/pypi"
+mkdir -p "${DISTPYPI}"
+
+# create configure
+pushd "${TOXINIDIR}"
+if [ ! -f "configure" ]; then
+autoreconf -i -f
+fi
+# (re)create Makefile
+./configure --disable-server
+popd
+
+case $FLAVOR in
+wheel_bundle)
+# copy pylint plugin
+cp "${TOXINIDIR}/pylint_plugins.py" "${ENVSITEPACKAGESDIR}"
+
+# build packages and bundles
+make -C "${TOXINIDIR}" \
+wheel_bundle \
+PYTHON="${ENVPYTHON}" \
+IPA_EXTRA_WHEELS="$*"
+
+# chdir to prevent local .egg-info from messing up pip
+pushd "${ENVSITEPACKAGESDIR}"
+
+# Install packages with dist/bundle/ as extra source for wheels while ignoring
+# upstream Python Package Index.
+$ENVPYTHON -m pip install \
+--no-index \
+--disable-pip-version-check \
+--constraint "${TOXINIDIR}/.wheelconstraints" \
+--find-links "${DISTBUNDLE}" \
+$@
+
+popd
+;;
+pypi_packages)
+# build packages and bundles
+make -C "${TOXINIDIR}" \
+pypi_packages \
+PYTHON="${ENVPYTHON}"
+
+# chdir to prevent local .egg-info from messing up pip
+pushd "${ENVSITEPACKAGESDIR}"
+
+# Install packages from dist/pypi
+$ENVPYTHON -m pip install \
+--disable-pip-version-check \
+--constraint "${TOXINIDIR}/.wheelconstraints" \
+--find-links "${DISTPYPI}" \
+$@
+
+popd
+;;
+*)
+echo "Unknown install flavor $FLAVOR"
+exit 1
+;;
+esac
diff --git a/Makefile.am b/Makefile.am
index 1989b19..7608dfa 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -57,6 +57,7 @@ EXTRA_DIST = .mailmap \
 clean-local:
 	rm -rf "$(RPMBUILD)"
 	rm -rf "$(top_builddir)/dist"
+	rm -rf "$(top_builddir)/.tox"
 	rm -rf "$(top_srcdir)/__pycache__"
 	rm -f "$(top_builddir)"/$(PACKAGE)-*.tar.gz
 
@@ -212,6 +213,7 @@ pylint: $(top_builddir)/ipapython/version.py ipasetup.py
 		-path './freeipa-*' -prune -o \
 		-path './dist' -prune -o \
 		-path './pypi' -prune -o \
+		-path './.tox' -prune -o \
 		-name '.*' -o \
 		-name '*.in' -o \
 		-name '*~' -o \
@@ -254,6 +256,7 @@ endif  # WITH_JSLINT

[Freeipa-devel] [freeipa PR#618][comment] Tox testing support for client wheel packages

2017-04-12 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/618
Title: #618: Tox testing support for client wheel packages

tiran commented:
"""
I've rebased the branch on master, just in case. Tox works for me before and 
after rebase.

```
$ git clean -xdf
$ tox
...
  py27: commands succeeded
  py35: commands succeeded
  py36: commands succeeded
  pylint2: commands succeeded
  pylint3: commands succeeded
  pypi: commands succeeded
  congratulations :)
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/618#issuecomment-293562432
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#618][synchronized] Tox testing support for client wheel packages

2017-04-12 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/618
Author: tiran
 Title: #618: Tox testing support for client wheel packages
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/618/head:pr618
git checkout pr618
From c0f301f1b103268b0853ba569f9a4c9946cec7a8 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Thu, 17 Nov 2016 16:43:17 +0100
Subject: [PATCH] tox testing support for client wheel packages

Add tox infrastructure to test client wheel packages workflow:

* build client packages
* install client packages
* ipa-run-tests --ipaclient-unittests under Python 2 and 3
* pylint of client packages under Python 2 and 3
* placeholder packages work as expected

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 .gitignore   |  2 ++
 .tox-install.sh  | 94 
 Makefile.am  | 22 +---
 configure.ac |  1 +
 ipatests/conftest.py |  4 ++-
 pypi/test_placeholder.py | 47 
 tox.ini  | 56 +
 7 files changed, 220 insertions(+), 6 deletions(-)
 create mode 100755 .tox-install.sh
 create mode 100644 pypi/test_placeholder.py
 create mode 100644 tox.ini

diff --git a/.gitignore b/.gitignore
index 8941fd8..8b57dbc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -61,6 +61,8 @@ freeipa2-dev-doc
 # Root directory
 /freeipa.spec
 /dist/
+/.tox/
+/.cache/
 /*/dist/
 /RELEASE
 /rpmbuild/
diff --git a/.tox-install.sh b/.tox-install.sh
new file mode 100755
index 000..8f9d221
--- /dev/null
+++ b/.tox-install.sh
@@ -0,0 +1,94 @@
+#!/bin/bash
+set -ex
+
+FLAVOR="$1"
+ENVPYTHON="$2"
+ENVSITEPACKAGESDIR="$3"
+# 3...end are package requirements
+shift 3
+
+TOXINIDIR="$(cd "$(dirname "$0")" && pwd)"
+
+# sanity checks
+if [ ! -x "${ENVPYTHON}" ]; then
+echo "${ENVPYTHON}: no such executable"
+exit 1
+fi
+
+if [ ! -d "${ENVSITEPACKAGESDIR}" ]; then
+echo "${ENVSITEPACKAGESDIR}: no such directory"
+exit 2
+fi
+
+if [ ! -f "${TOXINIDIR}/tox.ini" ]; then
+echo "${TOXINIDIR}: no such directory"
+exit 3
+fi
+
+# https://pip.pypa.io/en/stable/user_guide/#environment-variables
+export PIP_CACHE_DIR="${TOXINIDIR}/.tox/cache"
+mkdir -p "${PIP_CACHE_DIR}"
+
+DISTBUNDLE="${TOXINIDIR}/dist/bundle"
+mkdir -p "${DISTBUNDLE}"
+
+DISTPYPI="${TOXINIDIR}/dist/pypi"
+mkdir -p "${DISTPYPI}"
+
+# create configure
+pushd "${TOXINIDIR}"
+if [ ! -f "configure" ]; then
+autoreconf -i -f
+fi
+# (re)create Makefile
+./configure --disable-server
+popd
+
+case $FLAVOR in
+wheel_bundle)
+# copy pylint plugin
+cp "${TOXINIDIR}/pylint_plugins.py" "${ENVSITEPACKAGESDIR}"
+
+# build packages and bundles
+make -C "${TOXINIDIR}" \
+wheel_bundle \
+PYTHON="${ENVPYTHON}" \
+IPA_EXTRA_WHEELS="$*"
+
+# chdir to prevent local .egg-info from messing up pip
+pushd "${ENVSITEPACKAGESDIR}"
+
+# Install packages with dist/bundle/ as extra source for wheels while ignoring
+# upstream Python Package Index.
+$ENVPYTHON -m pip install \
+--no-index \
+--disable-pip-version-check \
+--constraint "${TOXINIDIR}/.wheelconstraints" \
+--find-links "${DISTBUNDLE}" \
+$@
+
+popd
+;;
+pypi_packages)
+# build packages and bundles
+make -C "${TOXINIDIR}" \
+pypi_packages \
+PYTHON="${ENVPYTHON}"
+
+# chdir to prevent local .egg-info from messing up pip
+pushd "${ENVSITEPACKAGESDIR}"
+
+# Install packages from dist/pypi
+$ENVPYTHON -m pip install \
+--disable-pip-version-check \
+--constraint "${TOXINIDIR}/.wheelconstraints" \
+--find-links "${DISTPYPI}" \
+$@
+
+popd
+;;
+*)
+echo "Unknown install flavor $FLAVOR"
+exit 1
+;;
+esac
diff --git a/Makefile.am b/Makefile.am
index 1989b19..7608dfa 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -57,6 +57,7 @@ EXTRA_DIST = .mailmap \
 clean-local:
 	rm -rf "$(RPMBUILD)"
 	rm -rf "$(top_builddir)/dist"
+	rm -rf "$(top_builddir)/.tox"
 	rm -rf "$(top_srcdir)/__pycache__"
 	rm -f "$(top_builddir)"/$(PACKAGE)-*.tar.gz
 
@@ -212,6 +213,7 @@ pylint: $(top_builddir)/ipapython/version.py ipasetup.py
 		-path './freeipa-*' -prune -o \
 		-path './dist' -prune -o \
 		-path './pypi' -prune -o \
+		-path './.tox' -prune -o \
 		-name '.*' -o \
 		-name '*.in' -o \
 		-name '*~' -o \
@@ -254,6 +256,7 @@ endif  # WITH_JSLINT
 
 .PHONY: bdist_wheel wheel_bundle

[Freeipa-devel] [freeipa PR#618][comment] Tox testing support for client wheel packages

2017-04-12 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/618
Title: #618: Tox testing support for client wheel packages

tiran commented:
"""
Why are you mixing PRs? Don't mix PRs.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/618#issuecomment-293516717
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#671][comment] Slim down dependencies

2017-04-11 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/671
Title: #671: Slim down dependencies

tiran commented:
"""
Now depends on PR #702 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/671#issuecomment-293195296
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#686][edited] Stabilize make pypi_packages

2017-04-11 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/686
Author: tiran
 Title: #686: Stabilize make pypi_packages
Action: edited

 Changed field: body
Original value:
"""
Parallel make or flags like IPA_OMIT_INSTALL and IPA_SERVER_WHEELS could
like to bad packages for PyPI. Only build the packages we want with
correct flags.

Signed-off-by: Christian Heimes <chei...@redhat.com>
"""

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#686][synchronized] Stabilize make pypi_packages

2017-04-11 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/686
Author: tiran
 Title: #686: Stabilize make pypi_packages
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/686/head:pr686
git checkout pr686
From be5f43167ed99b9cb508d92a833f5c1acb996140 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Mon, 3 Apr 2017 13:35:58 +0200
Subject: [PATCH] Stabilize make pypi_packages

Parallel make or flags like IPA_OMIT_INSTALL and IPA_SERVER_WHEELS could
lead to bad packages for PyPI. Only build the packages we want with
correct flags.

Placeholder packages from 'make pypi_package' conflict with
'make wheel_bundle' packages. Use a separate destination directory for
PyPI packages.

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 Makefile.am | 20 +++-
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 1989b19..ab69f49 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -254,6 +254,7 @@ endif  # WITH_JSLINT
 
 .PHONY: bdist_wheel wheel_bundle wheel_placeholder pypi_packages
 WHEELDISTDIR = $(top_builddir)/dist/wheels
+WHEELPYPIDIR = $(top_builddir)/dist/pypi
 WHEELBUNDLEDIR = $(top_builddir)/dist/bundle
 
 @MK_IFEQ@ ($(IPA_SERVER_WHEELS),1)
@@ -273,6 +274,9 @@ $(WHEELDISTDIR):
 $(WHEELBUNDLEDIR):
 	mkdir -p $(WHEELBUNDLEDIR)
 
+$(WHEELPYPIDIR):
+	mkdir -p $(WHEELPYPIDIR)
+
 bdist_wheel: $(WHEELDISTDIR)
 	rm -f $(foreach item,$(IPA_WHEEL_PACKAGES) ipatests,$(WHEELDISTDIR)/$(item)-*.whl)
 	export IPA_OMIT_INSTALL=$(IPA_OMIT_INSTALL); \
@@ -291,14 +295,20 @@ wheel_bundle: $(WHEELBUNDLEDIR) bdist_wheel .wheelconstraints
 	--wheel-dir $(WHEELBUNDLEDIR) \
 	$(IPA_WHEEL_PACKAGES) $(IPA_EXTRA_WHEELS)
 
-wheel_placeholder: $(WHEELDISTDIR)
+pypi_packages: $(WHEELPYPIDIR) .wheelconstraints
+	rm -f $(WHEELPYPIDIR)/*
+	for dir in $(IPACLIENT_SUBDIRS); do \
+	$(MAKE) $(AM_MAKEFLAGS) \
+	IPA_OMIT_INSTALL=1 WHEELDISTDIR=$(abspath $(WHEELPYPIDIR)) \
+	-C $${dir} bdist_wheel || exit 1; \
+	done
 	for dir in $(IPA_PLACEHOLDERS); do \
-	$(MAKE) $(AM_MAKEFLAGS) -C $(top_srcdir)/pypi/$${dir} bdist_wheel || exit 1; \
+	$(MAKE) $(AM_MAKEFLAGS) \
+	IPA_OMIT_INSTALL=1 WHEELDISTDIR=$(abspath $(WHEELPYPIDIR)) \
+	-C $(top_srcdir)/pypi/$${dir} bdist_wheel || exit 1; \
 	done
-
-pypi_packages: bdist_wheel wheel_placeholder
 	@echo -e "\n\nTo upload packages to PyPI, run:\n"
-	@echo -e "twine upload $(WHEELDISTDIR)/*-$(VERSION)-py2.py3-none-any.whl\n"
+	@echo -e "twine upload $(WHEELPYPIDIR)/*-$(VERSION)-py2.py3-none-any.whl\n"
 
 .PHONY:
 strip-po:
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#671][synchronized] Slim down dependencies

2017-04-10 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/671
Author: tiran
 Title: #671: Slim down dependencies
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/671/head:pr671
git checkout pr671
From ce8abac5b4f0b8a98b2def8c67c0f853310892f8 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Mon, 10 Apr 2017 10:00:23 +0200
Subject: [PATCH 1/2] Correct PyPI package dependencies

* Remove unused install requires
* Correct dependencies for yubico otptoken
* Add explicit dependency on cffi for csrgen
* Python 2 uses python-ldap, Python 3 pyldap

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipaclient/setup.py |  5 ++---
 ipapython/setup.py |  6 ++
 ipaserver/setup.py |  3 ++-
 ipasetup.py.in | 16 
 ipatests/setup.py  |  3 ++-
 5 files changed, 20 insertions(+), 13 deletions(-)

diff --git a/ipaclient/setup.py b/ipaclient/setup.py
index f5be7ea..64dc47a 100644
--- a/ipaclient/setup.py
+++ b/ipaclient/setup.py
@@ -51,18 +51,17 @@
 ],
 },
 install_requires=[
+"cffi",
 "cryptography",
 "ipalib",
 "ipapython",
 "jinja2",
-"python-yubico",
-"pyusb",
 "qrcode",
 "six",
 ],
 extras_require={
 "install": ["ipaplatform"],
-"otptoken_yubikey": ["yubico", "usb"]
+"otptoken_yubikey": ["python-yubico", "pyusb"],
 },
 zip_safe=False,
 )
diff --git a/ipapython/setup.py b/ipapython/setup.py
index f4bc3f8..4f71530 100755
--- a/ipapython/setup.py
+++ b/ipapython/setup.py
@@ -41,16 +41,14 @@
 "cryptography",
 "dnspython",
 "gssapi",
-"jwcrypto",
 # "ipalib",  # circular dependency
-"pyldap",
 "netaddr",
 "netifaces",
-"requests",
 "six",
 ],
 extras_require={
-":python_version<'3'": ["enum34"],
+":python_version<'3'": ["enum34", "python-ldap"],
+":python_version>='3'": ["pyldap"],
 "install": ["dbus-python"],  # for certmonger
 },
 )
diff --git a/ipaserver/setup.py b/ipaserver/setup.py
index 097508f..307e7a8 100755
--- a/ipaserver/setup.py
+++ b/ipaserver/setup.py
@@ -58,7 +58,6 @@
 "lxml",
 "netaddr",
 "pyasn1",
-"pyldap",
 "six",
 ],
 entry_points={
@@ -70,6 +69,8 @@
 ],
 },
 extras_require={
+":python_version<'3'": ["python-ldap"],
+":python_version>='3'": ["pyldap"],
 # These packages are currently not available on PyPI.
 "dcerpc": ["samba", "pysss", "pysss_nss_idmap"],
 "hbactest": ["pyhbac"],
diff --git a/ipasetup.py.in b/ipasetup.py.in
index b0a5051..2ad57e2 100644
--- a/ipasetup.py.in
+++ b/ipasetup.py.in
@@ -101,6 +101,7 @@ common_args = dict(
 "Programming Language :: Python :: 2.7",
 "Programming Language :: Python :: 3",
 "Programming Language :: Python :: 3.5",
+"Programming Language :: Python :: 3.6",
 "Programming Language :: Python :: Implementation :: CPython",
 "Operating System :: POSIX",
 "Operating System :: POSIX :: Linux",
@@ -138,13 +139,20 @@ def ipasetup(name, doc, **kwargs):
 cmdclass = setup_kwargs.setdefault('cmdclass', {})
 cmdclass['build_py'] = build_py
 
-# Env markers like ":python_version<'3.3'" are not supported by
+# Env markers like ":python_version<'3'" are not supported by
 # setuptools < 18.0.
 if 'extras_require' in setup_kwargs and SETUPTOOLS_VERSION < (18, 0, 0):
 for k in list(setup_kwargs['extras_require']):
-if k.startswith(':'):
-req = setup_kwargs.setdefault('install_requires', [])
-req.extend(setup_kwargs['extras_require'].pop(k))
+if not k.startswith(':'):
+continue
+values = setup_kwargs['extras_require'].pop(k)
+req = setup_kwargs.setdefault('install_requires', [])
+if k == ":python_version<'3'" and sys.version_info.major == 2:
+

[Freeipa-devel] [freeipa PR#702][opened] Correct PyPI package dependencies

2017-04-10 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/702
Author: tiran
 Title: #702: Correct PyPI package dependencies
Action: opened

PR body:
"""
* Remove unused install requires
* Correct dependencies for yubico otptoken
* Add explicit dependency on cffi for csrgen
* Python 2 uses python-ldap, Python 3 pyldap

Signed-off-by: Christian Heimes <chei...@redhat.com>

Needs backport to 4.5 for 4.5.1 PyPI packaging.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/702/head:pr702
git checkout pr702
From ce8abac5b4f0b8a98b2def8c67c0f853310892f8 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Mon, 10 Apr 2017 10:00:23 +0200
Subject: [PATCH] Correct PyPI package dependencies

* Remove unused install requires
* Correct dependencies for yubico otptoken
* Add explicit dependency on cffi for csrgen
* Python 2 uses python-ldap, Python 3 pyldap

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipaclient/setup.py |  5 ++---
 ipapython/setup.py |  6 ++
 ipaserver/setup.py |  3 ++-
 ipasetup.py.in | 16 
 ipatests/setup.py  |  3 ++-
 5 files changed, 20 insertions(+), 13 deletions(-)

diff --git a/ipaclient/setup.py b/ipaclient/setup.py
index f5be7ea..64dc47a 100644
--- a/ipaclient/setup.py
+++ b/ipaclient/setup.py
@@ -51,18 +51,17 @@
 ],
 },
 install_requires=[
+"cffi",
 "cryptography",
 "ipalib",
 "ipapython",
 "jinja2",
-"python-yubico",
-"pyusb",
 "qrcode",
 "six",
 ],
 extras_require={
 "install": ["ipaplatform"],
-"otptoken_yubikey": ["yubico", "usb"]
+"otptoken_yubikey": ["python-yubico", "pyusb"],
 },
 zip_safe=False,
 )
diff --git a/ipapython/setup.py b/ipapython/setup.py
index f4bc3f8..4f71530 100755
--- a/ipapython/setup.py
+++ b/ipapython/setup.py
@@ -41,16 +41,14 @@
 "cryptography",
 "dnspython",
 "gssapi",
-"jwcrypto",
 # "ipalib",  # circular dependency
-"pyldap",
 "netaddr",
 "netifaces",
-"requests",
 "six",
 ],
 extras_require={
-":python_version<'3'": ["enum34"],
+":python_version<'3'": ["enum34", "python-ldap"],
+":python_version>='3'": ["pyldap"],
 "install": ["dbus-python"],  # for certmonger
 },
 )
diff --git a/ipaserver/setup.py b/ipaserver/setup.py
index 097508f..307e7a8 100755
--- a/ipaserver/setup.py
+++ b/ipaserver/setup.py
@@ -58,7 +58,6 @@
 "lxml",
 "netaddr",
 "pyasn1",
-"pyldap",
 "six",
 ],
 entry_points={
@@ -70,6 +69,8 @@
 ],
 },
 extras_require={
+":python_version<'3'": ["python-ldap"],
+":python_version>='3'": ["pyldap"],
 # These packages are currently not available on PyPI.
 "dcerpc": ["samba", "pysss", "pysss_nss_idmap"],
 "hbactest": ["pyhbac"],
diff --git a/ipasetup.py.in b/ipasetup.py.in
index b0a5051..2ad57e2 100644
--- a/ipasetup.py.in
+++ b/ipasetup.py.in
@@ -101,6 +101,7 @@ common_args = dict(
 "Programming Language :: Python :: 2.7",
 "Programming Language :: Python :: 3",
 "Programming Language :: Python :: 3.5",
+"Programming Language :: Python :: 3.6",
 "Programming Language :: Python :: Implementation :: CPython",
 "Operating System :: POSIX",
 "Operating System :: POSIX :: Linux",
@@ -138,13 +139,20 @@ def ipasetup(name, doc, **kwargs):
 cmdclass = setup_kwargs.setdefault('cmdclass', {})
 cmdclass['build_py'] = build_py
 
-# Env markers like ":python_version<'3.3'" are not supported by
+# Env markers like ":python_version<'3'" are not supported by
 # setuptools < 18.0.
 if 'extras_require' in setup_kwargs and SETUPTOOLS_VERSION < (18, 0, 0):
 for k in list(setup_kwargs['extras_require']):
-if k.startswith(':'):
-req = setup_kwargs.setdefault('install_requires', [])
-req.extend(setup_kwargs[

[Freeipa-devel] [freeipa PR#618][synchronized] Tox testing support for client wheel packages

2017-04-10 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/618
Author: tiran
 Title: #618: Tox testing support for client wheel packages
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/618/head:pr618
git checkout pr618
From 5aef9ff020a241162145fc4c3113774cf5e5faf5 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Thu, 17 Nov 2016 16:43:17 +0100
Subject: [PATCH] tox testing support for client wheel packages

Add tox infrastructure to test client wheel packages workflow:

* build client packages
* install client packages
* ipa-run-tests --ipaclient-unittests under Python 2 and 3
* pylint of client packages under Python 2 and 3
* placeholder packages work as expected

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 .gitignore   |  2 ++
 .tox-install.sh  | 94 
 Makefile.am  | 22 +---
 configure.ac |  1 +
 ipatests/conftest.py |  4 ++-
 pypi/test_placeholder.py | 47 
 tox.ini  | 56 +
 7 files changed, 220 insertions(+), 6 deletions(-)
 create mode 100755 .tox-install.sh
 create mode 100644 pypi/test_placeholder.py
 create mode 100644 tox.ini

diff --git a/.gitignore b/.gitignore
index 8941fd8..8b57dbc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -61,6 +61,8 @@ freeipa2-dev-doc
 # Root directory
 /freeipa.spec
 /dist/
+/.tox/
+/.cache/
 /*/dist/
 /RELEASE
 /rpmbuild/
diff --git a/.tox-install.sh b/.tox-install.sh
new file mode 100755
index 000..8f9d221
--- /dev/null
+++ b/.tox-install.sh
@@ -0,0 +1,94 @@
+#!/bin/bash
+set -ex
+
+FLAVOR="$1"
+ENVPYTHON="$2"
+ENVSITEPACKAGESDIR="$3"
+# 3...end are package requirements
+shift 3
+
+TOXINIDIR="$(cd "$(dirname "$0")" && pwd)"
+
+# sanity checks
+if [ ! -x "${ENVPYTHON}" ]; then
+echo "${ENVPYTHON}: no such executable"
+exit 1
+fi
+
+if [ ! -d "${ENVSITEPACKAGESDIR}" ]; then
+echo "${ENVSITEPACKAGESDIR}: no such directory"
+exit 2
+fi
+
+if [ ! -f "${TOXINIDIR}/tox.ini" ]; then
+echo "${TOXINIDIR}: no such directory"
+exit 3
+fi
+
+# https://pip.pypa.io/en/stable/user_guide/#environment-variables
+export PIP_CACHE_DIR="${TOXINIDIR}/.tox/cache"
+mkdir -p "${PIP_CACHE_DIR}"
+
+DISTBUNDLE="${TOXINIDIR}/dist/bundle"
+mkdir -p "${DISTBUNDLE}"
+
+DISTPYPI="${TOXINIDIR}/dist/pypi"
+mkdir -p "${DISTPYPI}"
+
+# create configure
+pushd "${TOXINIDIR}"
+if [ ! -f "configure" ]; then
+autoreconf -i -f
+fi
+# (re)create Makefile
+./configure --disable-server
+popd
+
+case $FLAVOR in
+wheel_bundle)
+# copy pylint plugin
+cp "${TOXINIDIR}/pylint_plugins.py" "${ENVSITEPACKAGESDIR}"
+
+# build packages and bundles
+make -C "${TOXINIDIR}" \
+wheel_bundle \
+PYTHON="${ENVPYTHON}" \
+IPA_EXTRA_WHEELS="$*"
+
+# chdir to prevent local .egg-info from messing up pip
+pushd "${ENVSITEPACKAGESDIR}"
+
+# Install packages with dist/bundle/ as extra source for wheels while ignoring
+# upstream Python Package Index.
+$ENVPYTHON -m pip install \
+--no-index \
+--disable-pip-version-check \
+--constraint "${TOXINIDIR}/.wheelconstraints" \
+--find-links "${DISTBUNDLE}" \
+$@
+
+popd
+;;
+pypi_packages)
+# build packages and bundles
+make -C "${TOXINIDIR}" \
+pypi_packages \
+PYTHON="${ENVPYTHON}"
+
+# chdir to prevent local .egg-info from messing up pip
+pushd "${ENVSITEPACKAGESDIR}"
+
+# Install packages from dist/pypi
+$ENVPYTHON -m pip install \
+--disable-pip-version-check \
+--constraint "${TOXINIDIR}/.wheelconstraints" \
+--find-links "${DISTPYPI}" \
+$@
+
+popd
+;;
+*)
+echo "Unknown install flavor $FLAVOR"
+exit 1
+;;
+esac
diff --git a/Makefile.am b/Makefile.am
index 1989b19..7608dfa 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -57,6 +57,7 @@ EXTRA_DIST = .mailmap \
 clean-local:
 	rm -rf "$(RPMBUILD)"
 	rm -rf "$(top_builddir)/dist"
+	rm -rf "$(top_builddir)/.tox"
 	rm -rf "$(top_srcdir)/__pycache__"
 	rm -f "$(top_builddir)"/$(PACKAGE)-*.tar.gz
 
@@ -212,6 +213,7 @@ pylint: $(top_builddir)/ipapython/version.py ipasetup.py
 		-path './freeipa-*' -prune -o \
 		-path './dist' -prune -o \
 		-path './pypi' -prune -o \
+		-path './.tox' -prune -o \
 		-name '.*' -o \
 		-name '*.in' -o \
 		-name '*~' -o \
@@ -254,6 +256,7 @@ endif  # WITH_JSLINT
 
 .PHONY: bdist_wheel wheel_bundle

[Freeipa-devel] [freeipa PR#699][comment] ipaclient/ipapython macOS compatibility fixes

2017-04-10 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/699
Title: #699: ipaclient/ipapython macOS compatibility fixes

tiran commented:
"""
No, we don't need to sync the directory. These are cache files. It's only 
important that we don't have half-written cache files on disk. A missing cache 
file is fine.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/699#issuecomment-292865960
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#699][comment] ipaclient/ipapython macOS compatibility fixes

2017-04-10 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/699
Title: #699: ipaclient/ipapython macOS compatibility fixes

tiran commented:
"""
I wrote that ```fdatasync``` -> ```fsync``` is fine. It's my code after all.

Explanation: fdatasync is a slightly optimized version of fsync that does not 
flush some metadata to disk, https://linux.die.net/man/2/fdatasync

> fdatasync() is similar to fsync(), but does not flush modified metadata 
> unless that metadata is needed in order to allow a subsequent data retrieval 
> to be correctly handled. For example, changes to st_atime or st_mtime 
> (respectively, time of last access and time of last modification; see 
> stat(2)) do not require flushing because they are not necessary for a 
> subsequent data read to be handled correctly. On the other hand, a change to 
> the file size (st_size, as made by say ftruncate(2)), would require a 
> metadata flush. 

When I write the code, I chose ```fdatasync``` because ```st_mtime``` isn't 
strictly required for the cache files. ```fdatasync``` is a micro-optimization 
that fails under macOS. Instead of making the code even more complicated, I 
have approved the platform agnostic ```fsync``` syscall. It doesn't hurt to 
flush all data to disk. The files are rarely written anyway.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/699#issuecomment-292865333
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#699][+ack] ipaclient/ipapython macOS compatibility fixes

2017-04-09 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/699
Title: #699: ipaclient/ipapython macOS compatibility fixes

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#618][synchronized] Tox testing support for client wheel packages

2017-04-07 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/618
Author: tiran
 Title: #618: Tox testing support for client wheel packages
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/618/head:pr618
git checkout pr618
From 61384864d2539729004df0a98bf8f94e82e42e94 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Thu, 17 Nov 2016 16:43:17 +0100
Subject: [PATCH] tox testing support for client wheel packages

Add tox infrastructure to test client wheel packages workflow:

* build client packages
* install client packages
* ipa-run-tests --ipaclient-unittests under Python 2 and 3
* pylint of client packages under Python 2 and 3
* placeholder packages work as expected

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 .gitignore   |  2 ++
 .tox-install.sh  | 94 
 Makefile.am  | 22 +---
 configure.ac |  1 +
 ipatests/conftest.py |  4 ++-
 pypi/test_placeholder.py | 47 
 tox.ini  | 55 
 7 files changed, 219 insertions(+), 6 deletions(-)
 create mode 100755 .tox-install.sh
 create mode 100644 pypi/test_placeholder.py
 create mode 100644 tox.ini

diff --git a/.gitignore b/.gitignore
index 8941fd8..8b57dbc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -61,6 +61,8 @@ freeipa2-dev-doc
 # Root directory
 /freeipa.spec
 /dist/
+/.tox/
+/.cache/
 /*/dist/
 /RELEASE
 /rpmbuild/
diff --git a/.tox-install.sh b/.tox-install.sh
new file mode 100755
index 000..8f9d221
--- /dev/null
+++ b/.tox-install.sh
@@ -0,0 +1,94 @@
+#!/bin/bash
+set -ex
+
+FLAVOR="$1"
+ENVPYTHON="$2"
+ENVSITEPACKAGESDIR="$3"
+# 3...end are package requirements
+shift 3
+
+TOXINIDIR="$(cd "$(dirname "$0")" && pwd)"
+
+# sanity checks
+if [ ! -x "${ENVPYTHON}" ]; then
+echo "${ENVPYTHON}: no such executable"
+exit 1
+fi
+
+if [ ! -d "${ENVSITEPACKAGESDIR}" ]; then
+echo "${ENVSITEPACKAGESDIR}: no such directory"
+exit 2
+fi
+
+if [ ! -f "${TOXINIDIR}/tox.ini" ]; then
+echo "${TOXINIDIR}: no such directory"
+exit 3
+fi
+
+# https://pip.pypa.io/en/stable/user_guide/#environment-variables
+export PIP_CACHE_DIR="${TOXINIDIR}/.tox/cache"
+mkdir -p "${PIP_CACHE_DIR}"
+
+DISTBUNDLE="${TOXINIDIR}/dist/bundle"
+mkdir -p "${DISTBUNDLE}"
+
+DISTPYPI="${TOXINIDIR}/dist/pypi"
+mkdir -p "${DISTPYPI}"
+
+# create configure
+pushd "${TOXINIDIR}"
+if [ ! -f "configure" ]; then
+autoreconf -i -f
+fi
+# (re)create Makefile
+./configure --disable-server
+popd
+
+case $FLAVOR in
+wheel_bundle)
+# copy pylint plugin
+cp "${TOXINIDIR}/pylint_plugins.py" "${ENVSITEPACKAGESDIR}"
+
+# build packages and bundles
+make -C "${TOXINIDIR}" \
+wheel_bundle \
+PYTHON="${ENVPYTHON}" \
+IPA_EXTRA_WHEELS="$*"
+
+# chdir to prevent local .egg-info from messing up pip
+pushd "${ENVSITEPACKAGESDIR}"
+
+# Install packages with dist/bundle/ as extra source for wheels while ignoring
+# upstream Python Package Index.
+$ENVPYTHON -m pip install \
+--no-index \
+--disable-pip-version-check \
+--constraint "${TOXINIDIR}/.wheelconstraints" \
+--find-links "${DISTBUNDLE}" \
+$@
+
+popd
+;;
+pypi_packages)
+# build packages and bundles
+make -C "${TOXINIDIR}" \
+pypi_packages \
+PYTHON="${ENVPYTHON}"
+
+# chdir to prevent local .egg-info from messing up pip
+pushd "${ENVSITEPACKAGESDIR}"
+
+# Install packages from dist/pypi
+$ENVPYTHON -m pip install \
+--disable-pip-version-check \
+--constraint "${TOXINIDIR}/.wheelconstraints" \
+--find-links "${DISTPYPI}" \
+$@
+
+popd
+;;
+*)
+echo "Unknown install flavor $FLAVOR"
+exit 1
+;;
+esac
diff --git a/Makefile.am b/Makefile.am
index 1989b19..7608dfa 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -57,6 +57,7 @@ EXTRA_DIST = .mailmap \
 clean-local:
 	rm -rf "$(RPMBUILD)"
 	rm -rf "$(top_builddir)/dist"
+	rm -rf "$(top_builddir)/.tox"
 	rm -rf "$(top_srcdir)/__pycache__"
 	rm -f "$(top_builddir)"/$(PACKAGE)-*.tar.gz
 
@@ -212,6 +213,7 @@ pylint: $(top_builddir)/ipapython/version.py ipasetup.py
 		-path './freeipa-*' -prune -o \
 		-path './dist' -prune -o \
 		-path './pypi' -prune -o \
+		-path './.tox' -prune -o \
 		-name '.*' -o \
 		-name '*.in' -o \
 		-name '*~' -o \
@@ -254,6 +256,7 @@ endif  # WITH_JSLINT
 
 .PHONY: bdist_wheel wheel_bundle

[Freeipa-devel] [freeipa PR#700][synchronized] Use entry_points for ipa CLI

2017-04-07 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/700
Author: tiran
 Title: #700: Use entry_points for ipa CLI
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/700/head:pr700
git checkout pr700
From 122c95730a3194da5bc1bf9003c33a883e2e7b87 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Fri, 7 Apr 2017 15:03:08 +0200
Subject: [PATCH] Use entry_points for ipa CLI

Fix problem with hard-coded shebang in ipa command line tool by using
a proper setuptools entry point for the console script. ipaclient is now
an executable Python package, too.

```
$ python -m ipaclient ping
```

is equivalent to

```
$ ipa ping
```

Related: https://pagure.io/freeipa/issue/6653
Closes: https://pagure.io/freeipa/issue/6850
Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipa   |  5 ++---
 ipaclient/__main__.py | 15 +++
 ipaclient/setup.py|  6 +-
 3 files changed, 22 insertions(+), 4 deletions(-)
 create mode 100644 ipaclient/__main__.py

diff --git a/ipa b/ipa
index 9ef3568..d6e01a2 100755
--- a/ipa
+++ b/ipa
@@ -24,8 +24,7 @@ Command Line Interface for IPA administration.
 
 The CLI functionality is implemented in ipalib/cli.py
 """
-
-from ipalib import api, cli
+from ipaclient.__main__ import main
 
 if __name__ == '__main__':
-cli.run(api)
+main()
diff --git a/ipaclient/__main__.py b/ipaclient/__main__.py
new file mode 100644
index 000..65c706f
--- /dev/null
+++ b/ipaclient/__main__.py
@@ -0,0 +1,15 @@
+# Copyright (C) 2017  FreeIPA Contributors see COPYING for license
+"""
+Command Line Interface for IPA administration.
+
+The CLI functionality is implemented in ipalib/cli.py
+"""
+from ipalib import api, cli
+
+
+def main():
+cli.run(api)
+
+
+if __name__ == '__main__':
+main()
diff --git a/ipaclient/setup.py b/ipaclient/setup.py
index f5be7ea..ccb5396 100644
--- a/ipaclient/setup.py
+++ b/ipaclient/setup.py
@@ -31,7 +31,6 @@
 ipasetup(
 name="ipaclient",
 doc=__doc__,
-scripts=['../ipa'],
 package_dir={'ipaclient': ''},
 packages=[
 "ipaclient",
@@ -60,6 +59,11 @@
 "qrcode",
 "six",
 ],
+entry_points={
+'console_scripts': [
+'ipa = ipaclient.__main__:main'
+]
+},
 extras_require={
 "install": ["ipaplatform"],
 "otptoken_yubikey": ["yubico", "usb"]
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#699][comment] Fix libkrb5 filename for macOS

2017-04-07 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/699
Title: #699: Fix libkrb5 filename for macOS

tiran commented:
"""
@neffs thanks David. Please squash your commits into a single commit (```git 
rebase -i @~3``` and use fixup on the 2nd and 3rd commit, then git push 
--force).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/699#issuecomment-292534577
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#700][opened] Use entry_points for ipa CLI

2017-04-07 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/700
Author: tiran
 Title: #700: Use entry_points for ipa CLI
Action: opened

PR body:
"""
Fix problem with hard-coded shebang in ipa command line tool by using
a proper setuptools entry point for the console script. ipaclient is now
an executable Python package, too.

```
$ python -m ipaclient ping
```

is equivalent to

```
$ ipa ping
```

Related: https://pagure.io/freeipa/issue/6653
Closes: https://pagure.io/freeipa/issue/6850
Signed-off-by: Christian Heimes <chei...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/700/head:pr700
git checkout pr700
From 796f70ca60fd3067d2e0cd3cc508512db9a0c658 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Fri, 7 Apr 2017 15:03:08 +0200
Subject: [PATCH] Use entry_points for ipa CLI

Fix problem with hard-coded shebang in ipa command line tool by using
a proper setuptools entry point for the console script. ipaclient is now
an executable Python package, too.

```
$ python -m ipaclient ping
```

is equivalent to

```
$ ipa ping
```

Related: https://pagure.io/freeipa/issue/6653
Closes: https://pagure.io/freeipa/issue/6850
Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipa   |  5 ++---
 ipaclient/__main__.py | 15 +++
 ipaclient/setup.py|  6 +-
 3 files changed, 22 insertions(+), 4 deletions(-)
 create mode 100644 ipaclient/__main__.py

diff --git a/ipa b/ipa
index 9ef3568..d6e01a2 100755
--- a/ipa
+++ b/ipa
@@ -24,8 +24,7 @@ Command Line Interface for IPA administration.
 
 The CLI functionality is implemented in ipalib/cli.py
 """
-
-from ipalib import api, cli
+from ipaclient.__main__ import main
 
 if __name__ == '__main__':
-cli.run(api)
+main()
diff --git a/ipaclient/__main__.py b/ipaclient/__main__.py
new file mode 100644
index 000..513de7d
--- /dev/null
+++ b/ipaclient/__main__.py
@@ -0,0 +1,15 @@
+# Copyright (C) 2017  FreeIPA Contributors see COPYING for license
+"""
+Command Line Interface for IPA administration.
+
+The CLI functionality is implemented in ipalib/cli.py
+"""
+from ipalib import api, cli
+
+
+def main():
+cli.run(api)
+
+
+if __name__ == '__main__':
+main()
\ No newline at end of file
diff --git a/ipaclient/setup.py b/ipaclient/setup.py
index f5be7ea..ccb5396 100644
--- a/ipaclient/setup.py
+++ b/ipaclient/setup.py
@@ -31,7 +31,6 @@
 ipasetup(
 name="ipaclient",
 doc=__doc__,
-scripts=['../ipa'],
 package_dir={'ipaclient': ''},
 packages=[
 "ipaclient",
@@ -60,6 +59,11 @@
 "qrcode",
 "six",
 ],
+entry_points={
+'console_scripts': [
+'ipa = ipaclient.__main__:main'
+]
+},
 extras_require={
 "install": ["ipaplatform"],
 "otptoken_yubikey": ["yubico", "usb"]
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#697][comment] Create system users for FreeIPA services during package installation

2017-04-07 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/697
Title: #697: Create system users for FreeIPA services during package 
installation

tiran commented:
"""
Originally I used a similar approach for the kdcproxy user based on the snippet 
https://fedoraproject.org/wiki/Packaging:UsersAndGroups#Soft_static_allocation 
. You changed it in ticket https://pagure.io/freeipa/issue/5314 because the 
approach violates packaging guidelines.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/697#issuecomment-292464389
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#618][synchronized] Tox testing support for client wheel packages

2017-04-07 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/618
Author: tiran
 Title: #618: Tox testing support for client wheel packages
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/618/head:pr618
git checkout pr618
From 9c9b0f2891c021aadac38824d3bea2862830f85a Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Thu, 17 Nov 2016 16:43:17 +0100
Subject: [PATCH] tox testing support for client wheel packages

Add tox infrastructure to test client wheel packages workflow:

* build client packages
* install client packages
* ipa-run-tests --ipaclient-unittests under Python 2 and 3
* pylint of client packages under Python 2 and 3
* placeholder packages work as expected

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 .gitignore   |  2 ++
 .tox-install.sh  | 94 
 Makefile.am  | 22 +---
 configure.ac |  1 +
 ipatests/conftest.py |  4 ++-
 pypi/test_placeholder.py | 47 
 tox.ini  | 54 
 7 files changed, 218 insertions(+), 6 deletions(-)
 create mode 100755 .tox-install.sh
 create mode 100644 pypi/test_placeholder.py
 create mode 100644 tox.ini

diff --git a/.gitignore b/.gitignore
index 8941fd8..8b57dbc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -61,6 +61,8 @@ freeipa2-dev-doc
 # Root directory
 /freeipa.spec
 /dist/
+/.tox/
+/.cache/
 /*/dist/
 /RELEASE
 /rpmbuild/
diff --git a/.tox-install.sh b/.tox-install.sh
new file mode 100755
index 000..8f9d221
--- /dev/null
+++ b/.tox-install.sh
@@ -0,0 +1,94 @@
+#!/bin/bash
+set -ex
+
+FLAVOR="$1"
+ENVPYTHON="$2"
+ENVSITEPACKAGESDIR="$3"
+# 3...end are package requirements
+shift 3
+
+TOXINIDIR="$(cd "$(dirname "$0")" && pwd)"
+
+# sanity checks
+if [ ! -x "${ENVPYTHON}" ]; then
+echo "${ENVPYTHON}: no such executable"
+exit 1
+fi
+
+if [ ! -d "${ENVSITEPACKAGESDIR}" ]; then
+echo "${ENVSITEPACKAGESDIR}: no such directory"
+exit 2
+fi
+
+if [ ! -f "${TOXINIDIR}/tox.ini" ]; then
+echo "${TOXINIDIR}: no such directory"
+exit 3
+fi
+
+# https://pip.pypa.io/en/stable/user_guide/#environment-variables
+export PIP_CACHE_DIR="${TOXINIDIR}/.tox/cache"
+mkdir -p "${PIP_CACHE_DIR}"
+
+DISTBUNDLE="${TOXINIDIR}/dist/bundle"
+mkdir -p "${DISTBUNDLE}"
+
+DISTPYPI="${TOXINIDIR}/dist/pypi"
+mkdir -p "${DISTPYPI}"
+
+# create configure
+pushd "${TOXINIDIR}"
+if [ ! -f "configure" ]; then
+autoreconf -i -f
+fi
+# (re)create Makefile
+./configure --disable-server
+popd
+
+case $FLAVOR in
+wheel_bundle)
+# copy pylint plugin
+cp "${TOXINIDIR}/pylint_plugins.py" "${ENVSITEPACKAGESDIR}"
+
+# build packages and bundles
+make -C "${TOXINIDIR}" \
+wheel_bundle \
+PYTHON="${ENVPYTHON}" \
+IPA_EXTRA_WHEELS="$*"
+
+# chdir to prevent local .egg-info from messing up pip
+pushd "${ENVSITEPACKAGESDIR}"
+
+# Install packages with dist/bundle/ as extra source for wheels while ignoring
+# upstream Python Package Index.
+$ENVPYTHON -m pip install \
+--no-index \
+--disable-pip-version-check \
+--constraint "${TOXINIDIR}/.wheelconstraints" \
+--find-links "${DISTBUNDLE}" \
+$@
+
+popd
+;;
+pypi_packages)
+# build packages and bundles
+make -C "${TOXINIDIR}" \
+pypi_packages \
+PYTHON="${ENVPYTHON}"
+
+# chdir to prevent local .egg-info from messing up pip
+pushd "${ENVSITEPACKAGESDIR}"
+
+# Install packages from dist/pypi
+$ENVPYTHON -m pip install \
+--disable-pip-version-check \
+--constraint "${TOXINIDIR}/.wheelconstraints" \
+--find-links "${DISTPYPI}" \
+$@
+
+popd
+;;
+*)
+echo "Unknown install flavor $FLAVOR"
+exit 1
+;;
+esac
diff --git a/Makefile.am b/Makefile.am
index 1989b19..7608dfa 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -57,6 +57,7 @@ EXTRA_DIST = .mailmap \
 clean-local:
 	rm -rf "$(RPMBUILD)"
 	rm -rf "$(top_builddir)/dist"
+	rm -rf "$(top_builddir)/.tox"
 	rm -rf "$(top_srcdir)/__pycache__"
 	rm -f "$(top_builddir)"/$(PACKAGE)-*.tar.gz
 
@@ -212,6 +213,7 @@ pylint: $(top_builddir)/ipapython/version.py ipasetup.py
 		-path './freeipa-*' -prune -o \
 		-path './dist' -prune -o \
 		-path './pypi' -prune -o \
+		-path './.tox' -prune -o \
 		-name '.*' -o \
 		-name '*.in' -o \
 		-name '*~' -o \
@@ -254,6 +256,7 @@ endif  # WITH_JSLINT
 
 .PHONY: bdist_wheel wheel_bundle

[Freeipa-devel] [freeipa PR#618][synchronized] Tox testing support for client wheel packages

2017-04-07 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/618
Author: tiran
 Title: #618: Tox testing support for client wheel packages
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/618/head:pr618
git checkout pr618
From 6f90b92ac55f32a1a028ffe0faffde21faab8544 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Thu, 17 Nov 2016 16:43:17 +0100
Subject: [PATCH] tox testing support for client wheel packages

Add tox infrastructure to test client wheel packages workflow:

* build client packages
* install client packages
* ipa-run-tests --ipaclient-unittests under Python 2 and 3
* pylint of client packages under Python 2 and 3
* placeholder packages work as expected

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 .gitignore   |  2 ++
 .tox-install.sh  | 94 
 Makefile.am  | 22 +---
 configure.ac |  1 +
 ipatests/conftest.py |  5 +--
 pypi/test_placeholder.py | 47 
 tox.ini  | 54 
 7 files changed, 218 insertions(+), 7 deletions(-)
 create mode 100755 .tox-install.sh
 create mode 100644 pypi/test_placeholder.py
 create mode 100644 tox.ini

diff --git a/.gitignore b/.gitignore
index 8941fd8..8b57dbc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -61,6 +61,8 @@ freeipa2-dev-doc
 # Root directory
 /freeipa.spec
 /dist/
+/.tox/
+/.cache/
 /*/dist/
 /RELEASE
 /rpmbuild/
diff --git a/.tox-install.sh b/.tox-install.sh
new file mode 100755
index 000..8f9d221
--- /dev/null
+++ b/.tox-install.sh
@@ -0,0 +1,94 @@
+#!/bin/bash
+set -ex
+
+FLAVOR="$1"
+ENVPYTHON="$2"
+ENVSITEPACKAGESDIR="$3"
+# 3...end are package requirements
+shift 3
+
+TOXINIDIR="$(cd "$(dirname "$0")" && pwd)"
+
+# sanity checks
+if [ ! -x "${ENVPYTHON}" ]; then
+echo "${ENVPYTHON}: no such executable"
+exit 1
+fi
+
+if [ ! -d "${ENVSITEPACKAGESDIR}" ]; then
+echo "${ENVSITEPACKAGESDIR}: no such directory"
+exit 2
+fi
+
+if [ ! -f "${TOXINIDIR}/tox.ini" ]; then
+echo "${TOXINIDIR}: no such directory"
+exit 3
+fi
+
+# https://pip.pypa.io/en/stable/user_guide/#environment-variables
+export PIP_CACHE_DIR="${TOXINIDIR}/.tox/cache"
+mkdir -p "${PIP_CACHE_DIR}"
+
+DISTBUNDLE="${TOXINIDIR}/dist/bundle"
+mkdir -p "${DISTBUNDLE}"
+
+DISTPYPI="${TOXINIDIR}/dist/pypi"
+mkdir -p "${DISTPYPI}"
+
+# create configure
+pushd "${TOXINIDIR}"
+if [ ! -f "configure" ]; then
+autoreconf -i -f
+fi
+# (re)create Makefile
+./configure --disable-server
+popd
+
+case $FLAVOR in
+wheel_bundle)
+# copy pylint plugin
+cp "${TOXINIDIR}/pylint_plugins.py" "${ENVSITEPACKAGESDIR}"
+
+# build packages and bundles
+make -C "${TOXINIDIR}" \
+wheel_bundle \
+PYTHON="${ENVPYTHON}" \
+IPA_EXTRA_WHEELS="$*"
+
+# chdir to prevent local .egg-info from messing up pip
+pushd "${ENVSITEPACKAGESDIR}"
+
+# Install packages with dist/bundle/ as extra source for wheels while ignoring
+# upstream Python Package Index.
+$ENVPYTHON -m pip install \
+--no-index \
+--disable-pip-version-check \
+--constraint "${TOXINIDIR}/.wheelconstraints" \
+--find-links "${DISTBUNDLE}" \
+$@
+
+popd
+;;
+pypi_packages)
+# build packages and bundles
+make -C "${TOXINIDIR}" \
+pypi_packages \
+PYTHON="${ENVPYTHON}"
+
+# chdir to prevent local .egg-info from messing up pip
+pushd "${ENVSITEPACKAGESDIR}"
+
+# Install packages from dist/pypi
+$ENVPYTHON -m pip install \
+--disable-pip-version-check \
+--constraint "${TOXINIDIR}/.wheelconstraints" \
+--find-links "${DISTPYPI}" \
+$@
+
+popd
+;;
+*)
+echo "Unknown install flavor $FLAVOR"
+exit 1
+;;
+esac
diff --git a/Makefile.am b/Makefile.am
index 1989b19..7608dfa 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -57,6 +57,7 @@ EXTRA_DIST = .mailmap \
 clean-local:
 	rm -rf "$(RPMBUILD)"
 	rm -rf "$(top_builddir)/dist"
+	rm -rf "$(top_builddir)/.tox"
 	rm -rf "$(top_srcdir)/__pycache__"
 	rm -f "$(top_builddir)"/$(PACKAGE)-*.tar.gz
 
@@ -212,6 +213,7 @@ pylint: $(top_builddir)/ipapython/version.py ipasetup.py
 		-path './freeipa-*' -prune -o \
 		-path './dist' -prune -o \
 		-path './pypi' -prune -o \
+		-path './.tox' -prune -o \
 		-name '.*' -o \
 		-name '*.in' -o \
 		-name '*~' -o \
@@ -254,6 +256,7 @@ endif  # WITH_JSLINT
 
 .PHONY: bdist_wheel wheel_bundle

[Freeipa-devel] [freeipa PR#671][edited] Slim down dependencies

2017-04-06 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/671
Author: tiran
 Title: #671: Slim down dependencies
Action: edited

 Changed field: body
Original value:
"""
* Remove unused install requires
* Correct dependencies for yubico otptoken
* Properly report optional dependency for yubico otptoken
* Make jinja2 an optional dependency and csrgen an optional plugin

Signed-off-by: Christian Heimes <chei...@redhat.com>
"""

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#671][synchronized] Slim down dependencies

2017-04-06 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/671
Author: tiran
 Title: #671: Slim down dependencies
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/671/head:pr671
git checkout pr671
From b12cb1e72769d43cbe09a77ec79b9b1267e5004c Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Wed, 29 Mar 2017 11:20:21 +0200
Subject: [PATCH] Slim down dependencies

* Remove unused install requires
* Correct dependencies for yubico otptoken
* Properly report optional dependency for yubico otptoken
* Make jinja2 an optional dependency and csrgen an optional plugin
* Add explicit dependency on cffi for csrgen
* Python 2 uses python-ldap, Python 3 pyldap

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipaclient/plugins/csrgen.py   | 10 --
 ipaclient/plugins/otptoken_yubikey.py | 11 ---
 ipaclient/setup.py|  6 ++
 ipapython/setup.py|  6 ++
 ipaserver/setup.py|  3 ++-
 ipasetup.py.in| 15 +++
 ipatests/setup.py |  3 ++-
 7 files changed, 35 insertions(+), 19 deletions(-)

diff --git a/ipaclient/plugins/csrgen.py b/ipaclient/plugins/csrgen.py
index 568a79f..d18a90c 100644
--- a/ipaclient/plugins/csrgen.py
+++ b/ipaclient/plugins/csrgen.py
@@ -6,8 +6,6 @@
 
 import six
 
-from ipaclient import csrgen
-from ipaclient import csrgen_ffi
 from ipalib import api
 from ipalib import errors
 from ipalib import output
@@ -18,6 +16,14 @@
 from ipalib.text import _
 from ipapython import dogtag
 
+try:
+import jinja2  # pylint: disable=unused-import
+except ImportError:
+raise errors.SkipPluginModule(reason=_("jinja2 is not installed."))
+else:
+from ipaclient import csrgen
+from ipaclient import csrgen_ffi
+
 if six.PY3:
 unicode = str
 
diff --git a/ipaclient/plugins/otptoken_yubikey.py b/ipaclient/plugins/otptoken_yubikey.py
index 759b722..9993ec8 100644
--- a/ipaclient/plugins/otptoken_yubikey.py
+++ b/ipaclient/plugins/otptoken_yubikey.py
@@ -20,15 +20,20 @@
 import os
 
 import six
-import usb.core
-import yubico
 
 from ipalib import _, api, IntEnum
-from ipalib.errors import NotFound
+from ipalib.errors import NotFound, SkipPluginModule
 from ipalib.frontend import Command, Method, Object
 from ipalib.plugable import Registry
 from ipalib.util import classproperty
 
+try:
+import usb.core
+import yubico
+except ImportError:
+# python-yubico depends on pyusb
+raise SkipPluginModule(reason=_("python-yubico is not installed."))
+
 if six.PY3:
 unicode = str
 
diff --git a/ipaclient/setup.py b/ipaclient/setup.py
index f5be7ea..43e1164 100644
--- a/ipaclient/setup.py
+++ b/ipaclient/setup.py
@@ -54,15 +54,13 @@
 "cryptography",
 "ipalib",
 "ipapython",
-"jinja2",
-"python-yubico",
-"pyusb",
 "qrcode",
 "six",
 ],
 extras_require={
 "install": ["ipaplatform"],
-"otptoken_yubikey": ["yubico", "usb"]
+"otptoken_yubikey": ["python-yubico", "pyusb"],
+"csrgen": ["cffi", "jinja2"],
 },
 zip_safe=False,
 )
diff --git a/ipapython/setup.py b/ipapython/setup.py
index f4bc3f8..4f71530 100755
--- a/ipapython/setup.py
+++ b/ipapython/setup.py
@@ -41,16 +41,14 @@
 "cryptography",
 "dnspython",
 "gssapi",
-"jwcrypto",
 # "ipalib",  # circular dependency
-"pyldap",
 "netaddr",
 "netifaces",
-"requests",
 "six",
 ],
 extras_require={
-":python_version<'3'": ["enum34"],
+":python_version<'3'": ["enum34", "python-ldap"],
+":python_version>='3'": ["pyldap"],
 "install": ["dbus-python"],  # for certmonger
 },
 )
diff --git a/ipaserver/setup.py b/ipaserver/setup.py
index 097508f..307e7a8 100755
--- a/ipaserver/setup.py
+++ b/ipaserver/setup.py
@@ -58,7 +58,6 @@
 "lxml",
 "netaddr",
 "pyasn1",
-"pyldap",
 "six",
 ],
 entry_points={
@@ -70,6 +69,8 @@
 ],
 },
 extras_require={
+":python_version<'3'": ["python-ldap"],
+":python_version>='3'": ["pyldap"

[Freeipa-devel] [freeipa PR#671][edited] Slim down dependencies

2017-04-06 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/671
Author: tiran
 Title: #671: Slim down dependencies
Action: edited

 Changed field: title
Original value:
"""
[WIP] Slim down dependencies
"""

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#686][synchronized] Stabilize make pypi_packages

2017-04-03 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/686
Author: tiran
 Title: #686: Stabilize make pypi_packages
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/686/head:pr686
git checkout pr686
From b166396212a0e5505e2c10213368ca6cb98878e6 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Mon, 3 Apr 2017 13:35:58 +0200
Subject: [PATCH] Stabilize make pypi_packages

Parallel make or flags like IPA_OMIT_INSTALL and IPA_SERVER_WHEELS could
like to bad packages for PyPI. Only build the packages we want with
correct flags.

Placeholder packages from 'make pypi_package' conflict with
'make wheel_bundle' packages. Use a separate destination directory for
PyPI packages.

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 Makefile.am | 20 +++-
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 1989b19..ab69f49 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -254,6 +254,7 @@ endif  # WITH_JSLINT
 
 .PHONY: bdist_wheel wheel_bundle wheel_placeholder pypi_packages
 WHEELDISTDIR = $(top_builddir)/dist/wheels
+WHEELPYPIDIR = $(top_builddir)/dist/pypi
 WHEELBUNDLEDIR = $(top_builddir)/dist/bundle
 
 @MK_IFEQ@ ($(IPA_SERVER_WHEELS),1)
@@ -273,6 +274,9 @@ $(WHEELDISTDIR):
 $(WHEELBUNDLEDIR):
 	mkdir -p $(WHEELBUNDLEDIR)
 
+$(WHEELPYPIDIR):
+	mkdir -p $(WHEELPYPIDIR)
+
 bdist_wheel: $(WHEELDISTDIR)
 	rm -f $(foreach item,$(IPA_WHEEL_PACKAGES) ipatests,$(WHEELDISTDIR)/$(item)-*.whl)
 	export IPA_OMIT_INSTALL=$(IPA_OMIT_INSTALL); \
@@ -291,14 +295,20 @@ wheel_bundle: $(WHEELBUNDLEDIR) bdist_wheel .wheelconstraints
 	--wheel-dir $(WHEELBUNDLEDIR) \
 	$(IPA_WHEEL_PACKAGES) $(IPA_EXTRA_WHEELS)
 
-wheel_placeholder: $(WHEELDISTDIR)
+pypi_packages: $(WHEELPYPIDIR) .wheelconstraints
+	rm -f $(WHEELPYPIDIR)/*
+	for dir in $(IPACLIENT_SUBDIRS); do \
+	$(MAKE) $(AM_MAKEFLAGS) \
+	IPA_OMIT_INSTALL=1 WHEELDISTDIR=$(abspath $(WHEELPYPIDIR)) \
+	-C $${dir} bdist_wheel || exit 1; \
+	done
 	for dir in $(IPA_PLACEHOLDERS); do \
-	$(MAKE) $(AM_MAKEFLAGS) -C $(top_srcdir)/pypi/$${dir} bdist_wheel || exit 1; \
+	$(MAKE) $(AM_MAKEFLAGS) \
+	IPA_OMIT_INSTALL=1 WHEELDISTDIR=$(abspath $(WHEELPYPIDIR)) \
+	-C $(top_srcdir)/pypi/$${dir} bdist_wheel || exit 1; \
 	done
-
-pypi_packages: bdist_wheel wheel_placeholder
 	@echo -e "\n\nTo upload packages to PyPI, run:\n"
-	@echo -e "twine upload $(WHEELDISTDIR)/*-$(VERSION)-py2.py3-none-any.whl\n"
+	@echo -e "twine upload $(WHEELPYPIDIR)/*-$(VERSION)-py2.py3-none-any.whl\n"
 
 .PHONY:
 strip-po:
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#618][synchronized] Tox testing support for client wheel packages

2017-04-03 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/618
Author: tiran
 Title: #618: Tox testing support for client wheel packages
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/618/head:pr618
git checkout pr618
From a65d13d3640d5dd6500244208de81f18fc779b84 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Thu, 17 Nov 2016 16:43:17 +0100
Subject: [PATCH] tox testing support for client wheel packages

Add tox infrastructure to test client wheel packages workflow:

* build client packages
* install client packages
* ipa-run-tests --ipaclient-unittests under Python 2 and 3
* pylint of client packages under Python 2 and 3
* placeholder packages work as expected

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 .gitignore   |  2 ++
 .tox-install.sh  | 94 
 Makefile.am  | 22 +---
 configure.ac |  1 +
 ipatests/conftest.py |  5 +--
 pypi/test_placeholder.py | 47 
 tox.ini  | 54 
 7 files changed, 218 insertions(+), 7 deletions(-)
 create mode 100755 .tox-install.sh
 create mode 100644 pypi/test_placeholder.py
 create mode 100644 tox.ini

diff --git a/.gitignore b/.gitignore
index 8941fd8..8b57dbc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -61,6 +61,8 @@ freeipa2-dev-doc
 # Root directory
 /freeipa.spec
 /dist/
+/.tox/
+/.cache/
 /*/dist/
 /RELEASE
 /rpmbuild/
diff --git a/.tox-install.sh b/.tox-install.sh
new file mode 100755
index 000..8f9d221
--- /dev/null
+++ b/.tox-install.sh
@@ -0,0 +1,94 @@
+#!/bin/bash
+set -ex
+
+FLAVOR="$1"
+ENVPYTHON="$2"
+ENVSITEPACKAGESDIR="$3"
+# 3...end are package requirements
+shift 3
+
+TOXINIDIR="$(cd "$(dirname "$0")" && pwd)"
+
+# sanity checks
+if [ ! -x "${ENVPYTHON}" ]; then
+echo "${ENVPYTHON}: no such executable"
+exit 1
+fi
+
+if [ ! -d "${ENVSITEPACKAGESDIR}" ]; then
+echo "${ENVSITEPACKAGESDIR}: no such directory"
+exit 2
+fi
+
+if [ ! -f "${TOXINIDIR}/tox.ini" ]; then
+echo "${TOXINIDIR}: no such directory"
+exit 3
+fi
+
+# https://pip.pypa.io/en/stable/user_guide/#environment-variables
+export PIP_CACHE_DIR="${TOXINIDIR}/.tox/cache"
+mkdir -p "${PIP_CACHE_DIR}"
+
+DISTBUNDLE="${TOXINIDIR}/dist/bundle"
+mkdir -p "${DISTBUNDLE}"
+
+DISTPYPI="${TOXINIDIR}/dist/pypi"
+mkdir -p "${DISTPYPI}"
+
+# create configure
+pushd "${TOXINIDIR}"
+if [ ! -f "configure" ]; then
+autoreconf -i -f
+fi
+# (re)create Makefile
+./configure --disable-server
+popd
+
+case $FLAVOR in
+wheel_bundle)
+# copy pylint plugin
+cp "${TOXINIDIR}/pylint_plugins.py" "${ENVSITEPACKAGESDIR}"
+
+# build packages and bundles
+make -C "${TOXINIDIR}" \
+wheel_bundle \
+PYTHON="${ENVPYTHON}" \
+IPA_EXTRA_WHEELS="$*"
+
+# chdir to prevent local .egg-info from messing up pip
+pushd "${ENVSITEPACKAGESDIR}"
+
+# Install packages with dist/bundle/ as extra source for wheels while ignoring
+# upstream Python Package Index.
+$ENVPYTHON -m pip install \
+--no-index \
+--disable-pip-version-check \
+--constraint "${TOXINIDIR}/.wheelconstraints" \
+--find-links "${DISTBUNDLE}" \
+$@
+
+popd
+;;
+pypi_packages)
+# build packages and bundles
+make -C "${TOXINIDIR}" \
+pypi_packages \
+PYTHON="${ENVPYTHON}"
+
+# chdir to prevent local .egg-info from messing up pip
+pushd "${ENVSITEPACKAGESDIR}"
+
+# Install packages from dist/pypi
+$ENVPYTHON -m pip install \
+--disable-pip-version-check \
+--constraint "${TOXINIDIR}/.wheelconstraints" \
+--find-links "${DISTPYPI}" \
+$@
+
+popd
+;;
+*)
+echo "Unknown install flavor $FLAVOR"
+exit 1
+;;
+esac
diff --git a/Makefile.am b/Makefile.am
index 1989b19..7608dfa 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -57,6 +57,7 @@ EXTRA_DIST = .mailmap \
 clean-local:
 	rm -rf "$(RPMBUILD)"
 	rm -rf "$(top_builddir)/dist"
+	rm -rf "$(top_builddir)/.tox"
 	rm -rf "$(top_srcdir)/__pycache__"
 	rm -f "$(top_builddir)"/$(PACKAGE)-*.tar.gz
 
@@ -212,6 +213,7 @@ pylint: $(top_builddir)/ipapython/version.py ipasetup.py
 		-path './freeipa-*' -prune -o \
 		-path './dist' -prune -o \
 		-path './pypi' -prune -o \
+		-path './.tox' -prune -o \
 		-name '.*' -o \
 		-name '*.in' -o \
 		-name '*~' -o \
@@ -254,6 +256,7 @@ endif  # WITH_JSLINT
 
 .PHONY: bdist_wheel wheel_bundle

[Freeipa-devel] [freeipa PR#618][synchronized] Tox testing support for client wheel packages

2017-04-03 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/618
Author: tiran
 Title: #618: Tox testing support for client wheel packages
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/618/head:pr618
git checkout pr618
From 372e263ea0082367ddb3251b183275850e277317 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Thu, 17 Nov 2016 16:43:17 +0100
Subject: [PATCH 1/2] tox testing support for client wheel packages

Add tox infrastructure to test client wheel packages workflow:

* build client packages
* install client packages
* ipa-run-tests --ipaclient-unittests under Python 2 and 3
* pylint of client packages under Python 2 and 3
* placeholder packages work as expected

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 .gitignore   |  2 ++
 .tox-install.sh  | 94 
 Makefile.am  | 22 +---
 configure.ac |  1 +
 ipatests/conftest.py |  5 +--
 pypi/test_placeholder.py | 47 
 tox.ini  | 54 
 7 files changed, 218 insertions(+), 7 deletions(-)
 create mode 100755 .tox-install.sh
 create mode 100644 pypi/test_placeholder.py
 create mode 100644 tox.ini

diff --git a/.gitignore b/.gitignore
index 8941fd8..8b57dbc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -61,6 +61,8 @@ freeipa2-dev-doc
 # Root directory
 /freeipa.spec
 /dist/
+/.tox/
+/.cache/
 /*/dist/
 /RELEASE
 /rpmbuild/
diff --git a/.tox-install.sh b/.tox-install.sh
new file mode 100755
index 000..8f9d221
--- /dev/null
+++ b/.tox-install.sh
@@ -0,0 +1,94 @@
+#!/bin/bash
+set -ex
+
+FLAVOR="$1"
+ENVPYTHON="$2"
+ENVSITEPACKAGESDIR="$3"
+# 3...end are package requirements
+shift 3
+
+TOXINIDIR="$(cd "$(dirname "$0")" && pwd)"
+
+# sanity checks
+if [ ! -x "${ENVPYTHON}" ]; then
+echo "${ENVPYTHON}: no such executable"
+exit 1
+fi
+
+if [ ! -d "${ENVSITEPACKAGESDIR}" ]; then
+echo "${ENVSITEPACKAGESDIR}: no such directory"
+exit 2
+fi
+
+if [ ! -f "${TOXINIDIR}/tox.ini" ]; then
+echo "${TOXINIDIR}: no such directory"
+exit 3
+fi
+
+# https://pip.pypa.io/en/stable/user_guide/#environment-variables
+export PIP_CACHE_DIR="${TOXINIDIR}/.tox/cache"
+mkdir -p "${PIP_CACHE_DIR}"
+
+DISTBUNDLE="${TOXINIDIR}/dist/bundle"
+mkdir -p "${DISTBUNDLE}"
+
+DISTPYPI="${TOXINIDIR}/dist/pypi"
+mkdir -p "${DISTPYPI}"
+
+# create configure
+pushd "${TOXINIDIR}"
+if [ ! -f "configure" ]; then
+autoreconf -i -f
+fi
+# (re)create Makefile
+./configure --disable-server
+popd
+
+case $FLAVOR in
+wheel_bundle)
+# copy pylint plugin
+cp "${TOXINIDIR}/pylint_plugins.py" "${ENVSITEPACKAGESDIR}"
+
+# build packages and bundles
+make -C "${TOXINIDIR}" \
+wheel_bundle \
+PYTHON="${ENVPYTHON}" \
+IPA_EXTRA_WHEELS="$*"
+
+# chdir to prevent local .egg-info from messing up pip
+pushd "${ENVSITEPACKAGESDIR}"
+
+# Install packages with dist/bundle/ as extra source for wheels while ignoring
+# upstream Python Package Index.
+$ENVPYTHON -m pip install \
+--no-index \
+--disable-pip-version-check \
+--constraint "${TOXINIDIR}/.wheelconstraints" \
+--find-links "${DISTBUNDLE}" \
+$@
+
+popd
+;;
+pypi_packages)
+# build packages and bundles
+make -C "${TOXINIDIR}" \
+pypi_packages \
+PYTHON="${ENVPYTHON}"
+
+# chdir to prevent local .egg-info from messing up pip
+pushd "${ENVSITEPACKAGESDIR}"
+
+# Install packages from dist/pypi
+$ENVPYTHON -m pip install \
+--disable-pip-version-check \
+--constraint "${TOXINIDIR}/.wheelconstraints" \
+--find-links "${DISTPYPI}" \
+$@
+
+popd
+;;
+*)
+echo "Unknown install flavor $FLAVOR"
+exit 1
+;;
+esac
diff --git a/Makefile.am b/Makefile.am
index 1989b19..4c825cc 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -57,6 +57,7 @@ EXTRA_DIST = .mailmap \
 clean-local:
 	rm -rf "$(RPMBUILD)"
 	rm -rf "$(top_builddir)/dist"
+	rm -rf "$(top_builddir)/.tox"
 	rm -rf "$(top_srcdir)/__pycache__"
 	rm -f "$(top_builddir)"/$(PACKAGE)-*.tar.gz
 
@@ -212,6 +213,7 @@ pylint: $(top_builddir)/ipapython/version.py ipasetup.py
 		-path './freeipa-*' -prune -o \
 		-path './dist' -prune -o \
 		-path './pypi' -prune -o \
+		-path './.tox' -prune -o \
 		-name '.*' -o \
 		-name '*.in' -o \
 		-name '*~' -o \
@@ -254,6 +256,7 @@ endif  # WITH_JSLINT
 
 .PHONY: bdist_wheel wheel_bundle

[Freeipa-devel] [freeipa PR#618][edited] Tox testing support for client wheel packages

2017-04-03 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/618
Author: tiran
 Title: #618: Tox testing support for client wheel packages
Action: edited

 Changed field: body
Original value:
"""
Depends on PR #613
"""

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#686][synchronized] Stabilize make pypi_packages

2017-04-03 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/686
Author: tiran
 Title: #686: Stabilize make pypi_packages
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/686/head:pr686
git checkout pr686
From f65a36954f261c4c02a2de2232e7f83a72b6e86a Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Mon, 3 Apr 2017 13:35:58 +0200
Subject: [PATCH] Stabilize make pypi_packages

Parallel make or flags like IPA_OMIT_INSTALL and IPA_SERVER_WHEELS could
like to bad packages for PyPI. Only build the packages we want with
correct flags.

Placeholder packages from 'make pypi_package' conflict with
'make wheel_bundle' packages. Use a separate destination directory for
PyPI packages.

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 Makefile.am | 20 +++-
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 1989b19..e93ceac 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -254,6 +254,7 @@ endif  # WITH_JSLINT
 
 .PHONY: bdist_wheel wheel_bundle wheel_placeholder pypi_packages
 WHEELDISTDIR = $(top_builddir)/dist/wheels
+WHEELPYPIDIR = $(top_builddir)/dist/pypi
 WHEELBUNDLEDIR = $(top_builddir)/dist/bundle
 
 @MK_IFEQ@ ($(IPA_SERVER_WHEELS),1)
@@ -273,6 +274,9 @@ $(WHEELDISTDIR):
 $(WHEELBUNDLEDIR):
 	mkdir -p $(WHEELBUNDLEDIR)
 
+$(WHEELPYPIDIR):
+	mkdir -p $(WHEELPYPIDIR)
+
 bdist_wheel: $(WHEELDISTDIR)
 	rm -f $(foreach item,$(IPA_WHEEL_PACKAGES) ipatests,$(WHEELDISTDIR)/$(item)-*.whl)
 	export IPA_OMIT_INSTALL=$(IPA_OMIT_INSTALL); \
@@ -291,14 +295,20 @@ wheel_bundle: $(WHEELBUNDLEDIR) bdist_wheel .wheelconstraints
 	--wheel-dir $(WHEELBUNDLEDIR) \
 	$(IPA_WHEEL_PACKAGES) $(IPA_EXTRA_WHEELS)
 
-wheel_placeholder: $(WHEELDISTDIR)
+pypi_packages: $(WHEELPYPIDIR) .wheelconstraints
+	rm -f $(WHEELPYPIDIR)/*
+	for dir in $(IPACLIENT_SUBDIRS); do \
+	$(MAKE) $(AM_MAKEFLAGS) \
+	IPA_OMIT_INSTALL=1 WHEELDISTDIR=$(abspath $(WHEELPYPIDIR)) \
+	-C $${dir} bdist_wheel || exit 1; \
+	done
 	for dir in $(IPA_PLACEHOLDERS); do \
-	$(MAKE) $(AM_MAKEFLAGS) -C $(top_srcdir)/pypi/$${dir} bdist_wheel || exit 1; \
+	$(MAKE) $(AM_MAKEFLAGS) \
+	IPA_OMIT_INSTALL=1 WHEELDISTDIR=$(abspath $(WHEELPYPIDIR)) \
+	-C $${dir} bdist_wheel || exit 1; \
 	done
-
-pypi_packages: bdist_wheel wheel_placeholder
 	@echo -e "\n\nTo upload packages to PyPI, run:\n"
-	@echo -e "twine upload $(WHEELDISTDIR)/*-$(VERSION)-py2.py3-none-any.whl\n"
+	@echo -e "twine upload $(WHEELPYPIDIR)/*-$(VERSION)-py2.py3-none-any.whl\n"
 
 .PHONY:
 strip-po:
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#686][synchronized] Stablize make pypi_packages

2017-04-03 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/686
Author: tiran
 Title: #686: Stablize make pypi_packages
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/686/head:pr686
git checkout pr686
From cbd52465cace7e50d0da1073490e6eb1a127306c Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Mon, 3 Apr 2017 13:35:58 +0200
Subject: [PATCH] Stabilize make pypi_packages

Parallel make or flags like IPA_OMIT_INSTALL and IPA_SERVER_WHEELS could
like to bad packages for PyPI. Only build the packages we want with
correct flags.

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 Makefile.am | 11 +++
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 1989b19..e201663 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -252,7 +252,7 @@ jslint-html:
 	jsl -nologo -nosummary -nofilelisting -conf jsl.conf
 endif  # WITH_JSLINT
 
-.PHONY: bdist_wheel wheel_bundle wheel_placeholder pypi_packages
+.PHONY: bdist_wheel wheel_bundle pypi_packages
 WHEELDISTDIR = $(top_builddir)/dist/wheels
 WHEELBUNDLEDIR = $(top_builddir)/dist/bundle
 
@@ -291,12 +291,15 @@ wheel_bundle: $(WHEELBUNDLEDIR) bdist_wheel .wheelconstraints
 	--wheel-dir $(WHEELBUNDLEDIR) \
 	$(IPA_WHEEL_PACKAGES) $(IPA_EXTRA_WHEELS)
 
-wheel_placeholder: $(WHEELDISTDIR)
+pypi_packages: $(WHEELDISTDIR)
+	rm -f $(WHEELBUNDLEDIR)/*
+	export IPA_OMIT_INSTALL=1; \
+	for dir in $(IPACLIENT_SUBDIRS); do \
+	$(MAKE) $(AM_MAKEFLAGS) -C $${dir} bdist_wheel || exit 1; \
+	done; \
 	for dir in $(IPA_PLACEHOLDERS); do \
 	$(MAKE) $(AM_MAKEFLAGS) -C $(top_srcdir)/pypi/$${dir} bdist_wheel || exit 1; \
 	done
-
-pypi_packages: bdist_wheel wheel_placeholder
 	@echo -e "\n\nTo upload packages to PyPI, run:\n"
 	@echo -e "twine upload $(WHEELDISTDIR)/*-$(VERSION)-py2.py3-none-any.whl\n"
 
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#686][edited] Stablize make pypi_packages

2017-04-03 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/686
Author: tiran
 Title: #686: Stablize make pypi_packages
Action: edited

 Changed field: title
Original value:
"""
Stablize make pypi_packages
"""

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#618][edited] [WIP] Tox testing support for client wheel packages

2017-04-03 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/618
Author: tiran
 Title: #618: [WIP] Tox testing support for client wheel packages
Action: edited

 Changed field: title
Original value:
"""
[WIP] Tox testing support for client wheel packages
"""

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#686][opened] Stablize make pypi_packages

2017-04-03 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/686
Author: tiran
 Title: #686: Stablize make pypi_packages
Action: opened

PR body:
"""
Parallel make or flags like IPA_OMIT_INSTALL and IPA_SERVER_WHEELS could
like to bad packages for PyPI. Only build the packages we want with
correct flags.

Signed-off-by: Christian Heimes <chei...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/686/head:pr686
git checkout pr686
From c74930e6aa97604b9fcd08456b41b5be73310b15 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Mon, 3 Apr 2017 13:35:58 +0200
Subject: [PATCH] Stablize make pypi_packages

Parallel make or flags like IPA_OMIT_INSTALL and IPA_SERVER_WHEELS could
like to bad packages for PyPI. Only build the packages we want with
correct flags.

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 Makefile.am | 11 +++
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 1989b19..e201663 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -252,7 +252,7 @@ jslint-html:
 	jsl -nologo -nosummary -nofilelisting -conf jsl.conf
 endif  # WITH_JSLINT
 
-.PHONY: bdist_wheel wheel_bundle wheel_placeholder pypi_packages
+.PHONY: bdist_wheel wheel_bundle pypi_packages
 WHEELDISTDIR = $(top_builddir)/dist/wheels
 WHEELBUNDLEDIR = $(top_builddir)/dist/bundle
 
@@ -291,12 +291,15 @@ wheel_bundle: $(WHEELBUNDLEDIR) bdist_wheel .wheelconstraints
 	--wheel-dir $(WHEELBUNDLEDIR) \
 	$(IPA_WHEEL_PACKAGES) $(IPA_EXTRA_WHEELS)
 
-wheel_placeholder: $(WHEELDISTDIR)
+pypi_packages: $(WHEELDISTDIR)
+	rm -f $(WHEELBUNDLEDIR)/*
+	export IPA_OMIT_INSTALL=1; \
+	for dir in $(IPACLIENT_SUBDIRS); do \
+	$(MAKE) $(AM_MAKEFLAGS) -C $${dir} bdist_wheel || exit 1; \
+	done; \
 	for dir in $(IPA_PLACEHOLDERS); do \
 	$(MAKE) $(AM_MAKEFLAGS) -C $(top_srcdir)/pypi/$${dir} bdist_wheel || exit 1; \
 	done
-
-pypi_packages: bdist_wheel wheel_placeholder
 	@echo -e "\n\nTo upload packages to PyPI, run:\n"
 	@echo -e "twine upload $(WHEELDISTDIR)/*-$(VERSION)-py2.py3-none-any.whl\n"
 
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#618][synchronized] [WIP] Tox testing support for client wheel packages

2017-04-03 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/618
Author: tiran
 Title: #618: [WIP] Tox testing support for client wheel packages
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/618/head:pr618
git checkout pr618
From 5a5c840bc994a3e217e22f4ff01eee7f3fe300ab Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Thu, 17 Nov 2016 16:43:17 +0100
Subject: [PATCH] tox testing support for client wheel packages

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 .gitignore   |  2 ++
 .tox-install.sh  | 64 
 Makefile.am  |  2 ++
 configure.ac |  1 +
 ipatests/conftest.py |  5 ++--
 tox.ini  | 38 +++
 6 files changed, 110 insertions(+), 2 deletions(-)
 create mode 100755 .tox-install.sh
 create mode 100644 tox.ini

diff --git a/.gitignore b/.gitignore
index 8941fd8..8b57dbc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -61,6 +61,8 @@ freeipa2-dev-doc
 # Root directory
 /freeipa.spec
 /dist/
+/.tox/
+/.cache/
 /*/dist/
 /RELEASE
 /rpmbuild/
diff --git a/.tox-install.sh b/.tox-install.sh
new file mode 100755
index 000..9747d14
--- /dev/null
+++ b/.tox-install.sh
@@ -0,0 +1,64 @@
+#!/bin/bash
+set -ex
+
+ENVPYTHON="$1"
+ENVSITEPACKAGESDIR="$2"
+# 3...end are package requirements
+shift 2
+
+TOXINIDIR="$(cd "$(dirname "$0")" && pwd)"
+
+# sanity checks
+if [ ! -x "${ENVPYTHON}" ]; then
+echo "${ENVPYTHON}: no such executable"
+exit 1
+fi
+
+if [ ! -d "${ENVSITEPACKAGESDIR}" ]; then
+echo "${ENVSITEPACKAGESDIR}: no such directory"
+exit 2
+fi
+
+if [ ! -f "${TOXINIDIR}/tox.ini" ]; then
+echo "${TOXINIDIR}: no such directory"
+exit 3
+fi
+
+# https://pip.pypa.io/en/stable/user_guide/#environment-variables
+export PIP_CACHE_DIR="${TOXINIDIR}/.tox/cache"
+mkdir -p "${PIP_CACHE_DIR}"
+
+DISTBUNDLE="${TOXINIDIR}/dist/bundle"
+mkdir -p "${DISTBUNDLE}"
+
+# create configure
+pushd "${TOXINIDIR}"
+if [ ! -f "configure" ]; then
+autoreconf -i -f
+fi
+# (re)create Makefile
+./configure --disable-server
+popd
+
+# copy pylint plugin
+cp "${TOXINIDIR}/pylint_plugins.py" "${ENVSITEPACKAGESDIR}"
+
+# build packages and bundles
+make -C "${TOXINIDIR}" \
+wheel_bundle \
+PYTHON="${ENVPYTHON}" \
+IPA_EXTRA_WHEELS="$*"
+
+# chdir to prevent local .egg-info from messing up pip
+pushd "${ENVSITEPACKAGESDIR}"
+
+# Install packages with dist/bundle/ as extra source for wheels while ignoring
+# upstream Python Package Index.
+$ENVPYTHON -m pip install \
+--no-index \
+--disable-pip-version-check \
+--constraint "${TOXINIDIR}/.wheelconstraints" \
+--find-links "${DISTBUNDLE}" \
+$@
+
+popd
diff --git a/Makefile.am b/Makefile.am
index 1989b19..ff3ce2a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -57,6 +57,7 @@ EXTRA_DIST = .mailmap \
 clean-local:
 	rm -rf "$(RPMBUILD)"
 	rm -rf "$(top_builddir)/dist"
+	rm -rf "$(top_builddir)/.tox"
 	rm -rf "$(top_srcdir)/__pycache__"
 	rm -f "$(top_builddir)"/$(PACKAGE)-*.tar.gz
 
@@ -212,6 +213,7 @@ pylint: $(top_builddir)/ipapython/version.py ipasetup.py
 		-path './freeipa-*' -prune -o \
 		-path './dist' -prune -o \
 		-path './pypi' -prune -o \
+		-path './.tox' -prune -o \
 		-name '.*' -o \
 		-name '*.in' -o \
 		-name '*~' -o \
diff --git a/configure.ac b/configure.ac
index 8f8751a..68601de 100644
--- a/configure.ac
+++ b/configure.ac
@@ -276,6 +276,7 @@ AC_CONFIG_COMMANDS([po/POTFILES.in],
 			-path "./${PACKAGE}-*" -prune -o dnl dist directories
 			-path '*/build' -prune -o dnl Python builds
 			-path '*/dist' -prune -o dnl Python dists
+			-path './.tox' -prune -o dnl Python tox test
 			-path './conf*' -prune -o dnl generated by configure
 			-name '*.py' -print -o dnl
 			-name '*.c' -print -o dnl
diff --git a/ipatests/conftest.py b/ipatests/conftest.py
index 61e889d..ab17575 100644
--- a/ipatests/conftest.py
+++ b/ipatests/conftest.py
@@ -52,7 +52,9 @@
 'ipaserver/build',
 'ipatests/build',
 # install/share/wsgi.py
-'install/share'
+'install/share',
+# integration plugin imports from ipaplatform
+'ipatests/pytest_plugins',
 ]
 
 
@@ -100,7 +102,6 @@ def pytest_cmdline_main(config):
 )
 for klass in cli_plugins:
 api.add_plugin(klass)
-
 # XXX workaround until https://fedorahosted.org/freeipa/ticket/6408 has
 # been resolved.
 if ipaserver is not None:
diff --git a/tox.ini b/tox.ini
new file mode 100644
index 000..18331af
--- /dev/null
+++ b/tox.ini
@@ -0,0 +1,38 @@
+[tox]
+minversion=2.3.1
+envlist=py27,py35,

[Freeipa-devel] [freeipa PR#397][synchronized] Improve wheel building and provide ipaserver wheel for local testing

2017-04-03 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/397
Author: tiran
 Title: #397: Improve wheel building and provide ipaserver wheel for local 
testing
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/397/head:pr397
git checkout pr397
From 5420e9cfbe7803808b6e26d2dae64f2a6a50149a Mon Sep 17 00:00:00 2001
From: Ben Lipton <blip...@redhat.com>
Date: Tue, 21 Mar 2017 12:21:30 -0400
Subject: [PATCH 1/8] csrgen: Remove helper abstraction

All requests now use the OpenSSL formatter. However, we keep Formatter
a separate class so that it can be changed out for tests.

https://pagure.io/freeipa/issue/4899

Reviewed-By: Jan Cholasta <jchol...@redhat.com>
---
 ipaclient/csrgen.py| 71 ++--
 ipaclient/csrgen/rules/dataDNS.json| 13 +--
 ipaclient/csrgen/rules/dataEmail.json  | 13 +--
 ipaclient/csrgen/rules/dataHostCN.json | 13 +--
 ipaclient/csrgen/rules/dataSubjectBase.json| 13 +--
 ipaclient/csrgen/rules/dataUsernameCN.json | 13 +--
 ipaclient/csrgen/rules/syntaxSAN.json  | 19 ++---
 ipaclient/csrgen/rules/syntaxSubject.json  | 13 +--
 ipaclient/csrgen/templates/certutil_base.tmpl  | 11 ---
 ipaclient/plugins/csrgen.py|  2 +-
 .../data/test_csrgen/configs/caIPAserviceCert.conf | 34 
 .../data/test_csrgen/configs/userCert.conf | 34 
 .../data/test_csrgen/rules/basic.json  | 13 +--
 .../data/test_csrgen/rules/options.json| 18 +---
 .../scripts/caIPAserviceCert_certutil.sh   | 11 ---
 .../scripts/caIPAserviceCert_openssl.sh| 34 
 .../data/test_csrgen/scripts/userCert_certutil.sh  | 11 ---
 .../data/test_csrgen/scripts/userCert_openssl.sh   | 34 
 ipatests/test_ipaclient/test_csrgen.py | 98 +-
 19 files changed, 145 insertions(+), 323 deletions(-)
 delete mode 100644 ipaclient/csrgen/templates/certutil_base.tmpl
 create mode 100644 ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf
 create mode 100644 ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf
 delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/scripts/caIPAserviceCert_certutil.sh
 delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/scripts/caIPAserviceCert_openssl.sh
 delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/scripts/userCert_certutil.sh
 delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/scripts/userCert_openssl.sh

diff --git a/ipaclient/csrgen.py b/ipaclient/csrgen.py
index 8fb0b32..8ca0722 100644
--- a/ipaclient/csrgen.py
+++ b/ipaclient/csrgen.py
@@ -244,13 +244,6 @@ def _prepare_syntax_rule(
 return self.SyntaxRule(prepared_template, is_extension)
 
 
-class CertutilFormatter(Formatter):
-base_template_name = 'certutil_base.tmpl'
-
-def _get_template_params(self, syntax_rules):
-return {'options': syntax_rules}
-
-
 class FieldMapping(object):
 """Representation of the rules needed to construct a complete cert field.
 
@@ -279,13 +272,11 @@ def __init__(self, name, template, options):
 
 
 class RuleProvider(object):
-def rules_for_profile(self, profile_id, helper):
+def rules_for_profile(self, profile_id):
 """
 Return the rules needed to build a CSR using the given profile.
 
 :param profile_id: str, name of the CSR generation profile to use
-:param helper: str, name of tool (e.g. openssl, certutil) that will be
-used to create CSR
 
 :returns: list of FieldMapping, filled out with the appropriate rules
 """
@@ -321,40 +312,31 @@ def _open(self, subdir, filename):
 )
 )
 
-def _rule(self, rule_name, helper):
-if (rule_name, helper) not in self.rules:
+def _rule(self, rule_name):
+if rule_name not in self.rules:
 try:
 with self._open('rules', '%s.json' % rule_name) as f:
-ruleset = json.load(f)
+ruleconf = json.load(f)
 except IOError:
 raise errors.NotFound(
-reason=_('Ruleset %(ruleset)s does not exist.') %
-{'ruleset': rule_name})
+reason=_('No generation rule %(rulename)s found.') %
+{'rulename': rule_name})
 
-matching_rules = [r for r in ruleset['rules']
-  if r['helper'] == helper]
-if len(matching_rules) == 0:
+try:
+rule = ruleconf['rule']
+except KeyError:
 raise errors.EmptyResult(
-reason=_('No transformation in "%(ruleset)s" rule supports'
- ' helper "%(helper)s"') %
-

[Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing

2017-04-03 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/397
Title: #397: Improve wheel building and provide ipaserver wheel for local 
testing

tiran commented:
"""
Sigh, I got it.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/397#issuecomment-291091639
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#397][synchronized] Improve wheel building and provide ipaserver wheel for local testing

2017-04-03 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/397
Author: tiran
 Title: #397: Improve wheel building and provide ipaserver wheel for local 
testing
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/397/head:pr397
git checkout pr397
From 5420e9cfbe7803808b6e26d2dae64f2a6a50149a Mon Sep 17 00:00:00 2001
From: Ben Lipton <blip...@redhat.com>
Date: Tue, 21 Mar 2017 12:21:30 -0400
Subject: [PATCH 1/8] csrgen: Remove helper abstraction

All requests now use the OpenSSL formatter. However, we keep Formatter
a separate class so that it can be changed out for tests.

https://pagure.io/freeipa/issue/4899

Reviewed-By: Jan Cholasta <jchol...@redhat.com>
---
 ipaclient/csrgen.py| 71 ++--
 ipaclient/csrgen/rules/dataDNS.json| 13 +--
 ipaclient/csrgen/rules/dataEmail.json  | 13 +--
 ipaclient/csrgen/rules/dataHostCN.json | 13 +--
 ipaclient/csrgen/rules/dataSubjectBase.json| 13 +--
 ipaclient/csrgen/rules/dataUsernameCN.json | 13 +--
 ipaclient/csrgen/rules/syntaxSAN.json  | 19 ++---
 ipaclient/csrgen/rules/syntaxSubject.json  | 13 +--
 ipaclient/csrgen/templates/certutil_base.tmpl  | 11 ---
 ipaclient/plugins/csrgen.py|  2 +-
 .../data/test_csrgen/configs/caIPAserviceCert.conf | 34 
 .../data/test_csrgen/configs/userCert.conf | 34 
 .../data/test_csrgen/rules/basic.json  | 13 +--
 .../data/test_csrgen/rules/options.json| 18 +---
 .../scripts/caIPAserviceCert_certutil.sh   | 11 ---
 .../scripts/caIPAserviceCert_openssl.sh| 34 
 .../data/test_csrgen/scripts/userCert_certutil.sh  | 11 ---
 .../data/test_csrgen/scripts/userCert_openssl.sh   | 34 
 ipatests/test_ipaclient/test_csrgen.py | 98 +-
 19 files changed, 145 insertions(+), 323 deletions(-)
 delete mode 100644 ipaclient/csrgen/templates/certutil_base.tmpl
 create mode 100644 ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf
 create mode 100644 ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf
 delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/scripts/caIPAserviceCert_certutil.sh
 delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/scripts/caIPAserviceCert_openssl.sh
 delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/scripts/userCert_certutil.sh
 delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/scripts/userCert_openssl.sh

diff --git a/ipaclient/csrgen.py b/ipaclient/csrgen.py
index 8fb0b32..8ca0722 100644
--- a/ipaclient/csrgen.py
+++ b/ipaclient/csrgen.py
@@ -244,13 +244,6 @@ def _prepare_syntax_rule(
 return self.SyntaxRule(prepared_template, is_extension)
 
 
-class CertutilFormatter(Formatter):
-base_template_name = 'certutil_base.tmpl'
-
-def _get_template_params(self, syntax_rules):
-return {'options': syntax_rules}
-
-
 class FieldMapping(object):
 """Representation of the rules needed to construct a complete cert field.
 
@@ -279,13 +272,11 @@ def __init__(self, name, template, options):
 
 
 class RuleProvider(object):
-def rules_for_profile(self, profile_id, helper):
+def rules_for_profile(self, profile_id):
 """
 Return the rules needed to build a CSR using the given profile.
 
 :param profile_id: str, name of the CSR generation profile to use
-:param helper: str, name of tool (e.g. openssl, certutil) that will be
-used to create CSR
 
 :returns: list of FieldMapping, filled out with the appropriate rules
 """
@@ -321,40 +312,31 @@ def _open(self, subdir, filename):
 )
 )
 
-def _rule(self, rule_name, helper):
-if (rule_name, helper) not in self.rules:
+def _rule(self, rule_name):
+if rule_name not in self.rules:
 try:
 with self._open('rules', '%s.json' % rule_name) as f:
-ruleset = json.load(f)
+ruleconf = json.load(f)
 except IOError:
 raise errors.NotFound(
-reason=_('Ruleset %(ruleset)s does not exist.') %
-{'ruleset': rule_name})
+reason=_('No generation rule %(rulename)s found.') %
+{'rulename': rule_name})
 
-matching_rules = [r for r in ruleset['rules']
-  if r['helper'] == helper]
-if len(matching_rules) == 0:
+try:
+rule = ruleconf['rule']
+except KeyError:
 raise errors.EmptyResult(
-reason=_('No transformation in "%(ruleset)s" rule supports'
- ' helper "%(helper)s"') %
-

[Freeipa-devel] [freeipa PR#397][synchronized] Improve wheel building and provide ipaserver wheel for local testing

2017-04-03 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/397
Author: tiran
 Title: #397: Improve wheel building and provide ipaserver wheel for local 
testing
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/397/head:pr397
git checkout pr397
From 5420e9cfbe7803808b6e26d2dae64f2a6a50149a Mon Sep 17 00:00:00 2001
From: Ben Lipton <blip...@redhat.com>
Date: Tue, 21 Mar 2017 12:21:30 -0400
Subject: [PATCH 1/8] csrgen: Remove helper abstraction

All requests now use the OpenSSL formatter. However, we keep Formatter
a separate class so that it can be changed out for tests.

https://pagure.io/freeipa/issue/4899

Reviewed-By: Jan Cholasta <jchol...@redhat.com>
---
 ipaclient/csrgen.py| 71 ++--
 ipaclient/csrgen/rules/dataDNS.json| 13 +--
 ipaclient/csrgen/rules/dataEmail.json  | 13 +--
 ipaclient/csrgen/rules/dataHostCN.json | 13 +--
 ipaclient/csrgen/rules/dataSubjectBase.json| 13 +--
 ipaclient/csrgen/rules/dataUsernameCN.json | 13 +--
 ipaclient/csrgen/rules/syntaxSAN.json  | 19 ++---
 ipaclient/csrgen/rules/syntaxSubject.json  | 13 +--
 ipaclient/csrgen/templates/certutil_base.tmpl  | 11 ---
 ipaclient/plugins/csrgen.py|  2 +-
 .../data/test_csrgen/configs/caIPAserviceCert.conf | 34 
 .../data/test_csrgen/configs/userCert.conf | 34 
 .../data/test_csrgen/rules/basic.json  | 13 +--
 .../data/test_csrgen/rules/options.json| 18 +---
 .../scripts/caIPAserviceCert_certutil.sh   | 11 ---
 .../scripts/caIPAserviceCert_openssl.sh| 34 
 .../data/test_csrgen/scripts/userCert_certutil.sh  | 11 ---
 .../data/test_csrgen/scripts/userCert_openssl.sh   | 34 
 ipatests/test_ipaclient/test_csrgen.py | 98 +-
 19 files changed, 145 insertions(+), 323 deletions(-)
 delete mode 100644 ipaclient/csrgen/templates/certutil_base.tmpl
 create mode 100644 ipatests/test_ipaclient/data/test_csrgen/configs/caIPAserviceCert.conf
 create mode 100644 ipatests/test_ipaclient/data/test_csrgen/configs/userCert.conf
 delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/scripts/caIPAserviceCert_certutil.sh
 delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/scripts/caIPAserviceCert_openssl.sh
 delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/scripts/userCert_certutil.sh
 delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/scripts/userCert_openssl.sh

diff --git a/ipaclient/csrgen.py b/ipaclient/csrgen.py
index 8fb0b32..8ca0722 100644
--- a/ipaclient/csrgen.py
+++ b/ipaclient/csrgen.py
@@ -244,13 +244,6 @@ def _prepare_syntax_rule(
 return self.SyntaxRule(prepared_template, is_extension)
 
 
-class CertutilFormatter(Formatter):
-base_template_name = 'certutil_base.tmpl'
-
-def _get_template_params(self, syntax_rules):
-return {'options': syntax_rules}
-
-
 class FieldMapping(object):
 """Representation of the rules needed to construct a complete cert field.
 
@@ -279,13 +272,11 @@ def __init__(self, name, template, options):
 
 
 class RuleProvider(object):
-def rules_for_profile(self, profile_id, helper):
+def rules_for_profile(self, profile_id):
 """
 Return the rules needed to build a CSR using the given profile.
 
 :param profile_id: str, name of the CSR generation profile to use
-:param helper: str, name of tool (e.g. openssl, certutil) that will be
-used to create CSR
 
 :returns: list of FieldMapping, filled out with the appropriate rules
 """
@@ -321,40 +312,31 @@ def _open(self, subdir, filename):
 )
 )
 
-def _rule(self, rule_name, helper):
-if (rule_name, helper) not in self.rules:
+def _rule(self, rule_name):
+if rule_name not in self.rules:
 try:
 with self._open('rules', '%s.json' % rule_name) as f:
-ruleset = json.load(f)
+ruleconf = json.load(f)
 except IOError:
 raise errors.NotFound(
-reason=_('Ruleset %(ruleset)s does not exist.') %
-{'ruleset': rule_name})
+reason=_('No generation rule %(rulename)s found.') %
+{'rulename': rule_name})
 
-matching_rules = [r for r in ruleset['rules']
-  if r['helper'] == helper]
-if len(matching_rules) == 0:
+try:
+rule = ruleconf['rule']
+except KeyError:
 raise errors.EmptyResult(
-reason=_('No transformation in "%(ruleset)s" rule supports'
- ' helper "%(helper)s"') %
-

[Freeipa-devel] [freeipa PR#397][synchronized] Improve wheel building and provide ipaserver wheel for local testing

2017-04-03 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/397
Author: tiran
 Title: #397: Improve wheel building and provide ipaserver wheel for local 
testing
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/397/head:pr397
git checkout pr397
From 6419040e0bcf726232f30c4020fbea9bb9e10376 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Tue, 17 Jan 2017 08:49:54 +0100
Subject: [PATCH 1/3] Conditionally import pyhbac

The pyhbac module is part of SSSD. It's not available as stand-alone
PyPI package. It would take a lot of effort to package it because the
code is deeply tight into SSSD.

Let's follow the example of other SSSD Python packages and make the
import of pyhbac conditionally. It's only necessary for caacl and
hbactest plugins.

I renamed convert_to_ipa_rule() to _convert_to_ipa_rule() because it
does not check for presence of pyhbac package itself. The check is
performed earlier in execute(). The prefix indicates that it is an
internal function and developers have to think twice before using it
in another place.

This makes it much easier to install ipaserver with instrumented build
of Python with a different ABI or in isolated virtual envs to profile
and debug the server.

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipaserver/plugins/caacl.py| 86 -
 ipaserver/plugins/cert.py | 90 ++-
 ipaserver/plugins/hbactest.py | 19 +++--
 3 files changed, 105 insertions(+), 90 deletions(-)

diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
index ff1178a..43a397d 100644
--- a/ipaserver/plugins/caacl.py
+++ b/ipaserver/plugins/caacl.py
@@ -2,12 +2,10 @@
 # Copyright (C) 2015  FreeIPA Contributors see COPYING for license
 #
 
-import pyhbac
 import six
 
 from ipalib import api, errors, output
 from ipalib import Bool, Str, StrEnum
-from ipalib.constants import IPA_CA_CN
 from ipalib.plugable import Registry
 from .baseldap import (
 LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, LDAPQuery,
@@ -80,90 +78,6 @@
 register = Registry()
 
 
-def _acl_make_request(principal_type, principal, ca_id, profile_id):
-"""Construct HBAC request for the given principal, CA and profile"""
-
-req = pyhbac.HbacRequest()
-req.targethost.name = ca_id
-req.service.name = profile_id
-if principal_type == 'user':
-req.user.name = principal.username
-elif principal_type == 'host':
-req.user.name = principal.hostname
-elif principal_type == 'service':
-req.user.name = unicode(principal)
-groups = []
-if principal_type == 'user':
-user_obj = api.Command.user_show(principal.username)['result']
-groups = user_obj.get('memberof_group', [])
-groups += user_obj.get('memberofindirect_group', [])
-elif principal_type == 'host':
-host_obj = api.Command.host_show(principal.hostname)['result']
-groups = host_obj.get('memberof_hostgroup', [])
-groups += host_obj.get('memberofindirect_hostgroup', [])
-req.user.groups = sorted(set(groups))
-return req
-
-
-def _acl_make_rule(principal_type, obj):
-"""Turn CA ACL object into HBAC rule.
-
-``principal_type``
-String in {'user', 'host', 'service'}
-"""
-rule = pyhbac.HbacRule(obj['cn'][0])
-rule.enabled = obj['ipaenabledflag'][0]
-rule.srchosts.category = {pyhbac.HBAC_CATEGORY_ALL}
-
-# add CA(s)
-if 'ipacacategory' in obj and obj['ipacacategory'][0].lower() == 'all':
-rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL}
-else:
-# For compatibility with pre-lightweight-CAs CA ACLs,
-# no CA members implies the host authority (only)
-rule.targethosts.names = obj.get('ipamemberca_ca', [IPA_CA_CN])
-
-# add profiles
-if ('ipacertprofilecategory' in obj
-and obj['ipacertprofilecategory'][0].lower() == 'all'):
-rule.services.category = {pyhbac.HBAC_CATEGORY_ALL}
-else:
-attr = 'ipamembercertprofile_certprofile'
-rule.services.names = obj.get(attr, [])
-
-# add principals and principal's groups
-category_attr = '{}category'.format(principal_type)
-if category_attr in obj and obj[category_attr][0].lower() == 'all':
-rule.users.category = {pyhbac.HBAC_CATEGORY_ALL}
-else:
-if principal_type == 'user':
-rule.users.names = obj.get('memberuser_user', [])
-rule.users.groups = obj.get('memberuser_group', [])
-elif principal_type == 'host':
-rule.users.names = obj.get('memberhost_host', [])
-rule.users.groups = obj.get('memberhost_hostgroup', [])
-elif principal_type == 'service':
-rule.users.names = [
-unicode(principal)
-for principal i

[Freeipa-devel] [freeipa PR#671][synchronized] [WIP] Slim down dependencies

2017-04-02 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/671
Author: tiran
 Title: #671: [WIP] Slim down dependencies
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/671/head:pr671
git checkout pr671
From d9906d9e3fd5023ecd577bcac8b55ea9966028ab Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Wed, 29 Mar 2017 11:20:21 +0200
Subject: [PATCH] Slim down dependencies

* Remove unused install requires
* Correct dependencies for yubico otptoken
* Properly report optional dependency for yubico otptoken
* Make jinja2 an optional dependency and csrgen an optional plugin

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipaclient/plugins/csrgen.py   |  8 +++-
 ipaclient/plugins/otptoken_yubikey.py | 11 ---
 ipaclient/setup.py|  6 ++
 ipapython/setup.py|  2 --
 4 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/ipaclient/plugins/csrgen.py b/ipaclient/plugins/csrgen.py
index a0d99ef..0a9ede1 100644
--- a/ipaclient/plugins/csrgen.py
+++ b/ipaclient/plugins/csrgen.py
@@ -4,7 +4,6 @@
 
 import six
 
-from ipaclient.csrgen import CSRGenerator, FileRuleProvider
 from ipalib import api
 from ipalib import errors
 from ipalib import output
@@ -15,6 +14,13 @@
 from ipalib.text import _
 from ipapython import dogtag
 
+try:
+import jinja2  # pylint: disable=unused-import
+except ImportError:
+raise errors.SkipPluginModule(reason=_("jinja2 is not installed."))
+else:
+from ipaclient.csrgen import CSRGenerator, FileRuleProvider
+
 if six.PY3:
 unicode = str
 
diff --git a/ipaclient/plugins/otptoken_yubikey.py b/ipaclient/plugins/otptoken_yubikey.py
index 759b722..9993ec8 100644
--- a/ipaclient/plugins/otptoken_yubikey.py
+++ b/ipaclient/plugins/otptoken_yubikey.py
@@ -20,15 +20,20 @@
 import os
 
 import six
-import usb.core
-import yubico
 
 from ipalib import _, api, IntEnum
-from ipalib.errors import NotFound
+from ipalib.errors import NotFound, SkipPluginModule
 from ipalib.frontend import Command, Method, Object
 from ipalib.plugable import Registry
 from ipalib.util import classproperty
 
+try:
+import usb.core
+import yubico
+except ImportError:
+# python-yubico depends on pyusb
+raise SkipPluginModule(reason=_("python-yubico is not installed."))
+
 if six.PY3:
 unicode = str
 
diff --git a/ipaclient/setup.py b/ipaclient/setup.py
index f5be7ea..5b02341 100644
--- a/ipaclient/setup.py
+++ b/ipaclient/setup.py
@@ -54,15 +54,13 @@
 "cryptography",
 "ipalib",
 "ipapython",
-"jinja2",
-"python-yubico",
-"pyusb",
 "qrcode",
 "six",
 ],
 extras_require={
 "install": ["ipaplatform"],
-"otptoken_yubikey": ["yubico", "usb"]
+"otptoken_yubikey": ["python-yubico", "pyusb"],
+"csrgen": ["jinja2"],
 },
 zip_safe=False,
 )
diff --git a/ipapython/setup.py b/ipapython/setup.py
index f4bc3f8..650528e 100755
--- a/ipapython/setup.py
+++ b/ipapython/setup.py
@@ -41,12 +41,10 @@
 "cryptography",
 "dnspython",
 "gssapi",
-"jwcrypto",
 # "ipalib",  # circular dependency
 "pyldap",
 "netaddr",
 "netifaces",
-"requests",
 "six",
 ],
 extras_require={
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#681][comment] Fix ipadiscovery

2017-04-02 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/681
Title: #681: Fix ipadiscovery

tiran commented:
"""
You can simplify your code a lot with the operator module and sorted(key) trick:

https://docs.python.org/3/library/operator.html#operator.attrgetter
https://docs.python.org/3/library/functions.html#sorted

```
import operator
```

```
answers = resolver.query(qname, rdatatype.SRV)
answers = sorted(answer, key=operator.attrgetter('priority'))
```

Please squash your changes into one commit.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/681#issuecomment-291045102
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#618][synchronized] [WIP] Tox testing support for client wheel packages

2017-03-31 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/618
Author: tiran
 Title: #618: [WIP] Tox testing support for client wheel packages
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/618/head:pr618
git checkout pr618
From 3b4c9f34c7c5617e2f6dcaac9501072a9fc2880c Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Thu, 17 Nov 2016 16:43:17 +0100
Subject: [PATCH] tox testing support for client wheel packages

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 .gitignore   |  2 ++
 .tox-install.sh  | 72 
 Makefile.am  | 14 +++---
 configure.ac |  1 +
 ipatests/conftest.py |  5 ++--
 tox.ini  | 38 +++
 6 files changed, 126 insertions(+), 6 deletions(-)
 create mode 100755 .tox-install.sh
 create mode 100644 tox.ini

diff --git a/.gitignore b/.gitignore
index 8941fd8..8b57dbc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -61,6 +61,8 @@ freeipa2-dev-doc
 # Root directory
 /freeipa.spec
 /dist/
+/.tox/
+/.cache/
 /*/dist/
 /RELEASE
 /rpmbuild/
diff --git a/.tox-install.sh b/.tox-install.sh
new file mode 100755
index 000..ab4a4c5
--- /dev/null
+++ b/.tox-install.sh
@@ -0,0 +1,72 @@
+#!/bin/bash
+set -x
+
+PYTHON="$1"
+ENVSITEPACKAGESDIR="$2"
+# 3...end are package requirements
+shift 2
+
+TOXINIDIR="$(cd "$(dirname "$0")" && pwd)"
+
+# sanity checks
+if [ ! -x "${PYTHON}" ]; then
+echo "${PYTHON}: no such executable"
+exit 1
+fi
+
+if [ ! -d "${ENVSITEPACKAGESDIR}" ]; then
+echo "${ENVSITEPACKAGESDIR}: no such directory"
+exit 2
+fi
+
+if [ ! -f "${TOXINIDIR}/tox.ini" ]; then
+echo "${TOXINIDIR}: no such directory"
+exit 3
+fi
+
+# https://pip.pypa.io/en/stable/user_guide/#environment-variables
+export PIP_CACHE_DIR="${TOXINIDIR}/.tox/cache"
+mkdir -p "${PIP_CACHE_DIR}"
+
+DISTBUNDLE="${TOXINIDIR}/dist/bundle"
+mkdir -p "${DISTBUNDLE}"
+
+# create configure
+pushd "${TOXINIDIR}"
+if [ ! -f "configure" ]; then
+autoreconf -i -f
+fi
+# (re)create Makefile
+./configure --disable-server
+popd
+
+# copy pylint plugin
+cp "${TOXINIDIR}/pylint_plugins.py" "${ENVSITEPACKAGESDIR}"
+
+# build packages and bundles
+make -C "${TOXINIDIR}" \
+PYTHON="${PYTHON}" \
+IPA_EXTRA_SUBDIRS="ipatests" \
+wheel_bundle
+
+# chdir to prevent local .egg-info from messing up pip
+pushd "${ENVSITEPACKAGESDIR}"
+
+# build additional wheels, e.g. pylint
+$PYTHON -m pip wheel \
+--disable-pip-version-check \
+--constraint "${TOXINIDIR}/.wheelconstraints" \
+--find-links "${DISTBUNDLE}" \
+--wheel-dir "${DISTBUNDLE}" \
+$@
+
+# Install packages with dist/bundle/ as extra source for wheels while ignoring
+# upstream Python Package Index.
+$PYTHON -m pip install \
+--no-index \
+--disable-pip-version-check \
+--constraint "${TOXINIDIR}/.wheelconstraints" \
+--find-links "${DISTBUNDLE}" \
+$@
+
+popd
diff --git a/Makefile.am b/Makefile.am
index efa8b73..d1bb12c 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -57,6 +57,7 @@ EXTRA_DIST = .mailmap \
 clean-local:
 	rm -rf "$(RPMBUILD)"
 	rm -rf "$(top_builddir)/dist"
+	rm -rf "$(top_builddir)/.tox"
 	rm -rf "$(top_srcdir)/__pycache__"
 	rm -f "$(top_builddir)"/$(PACKAGE)-*.tar.gz
 
@@ -212,6 +213,7 @@ pylint: $(top_builddir)/ipapython/version.py ipasetup.py
 		-path './freeipa-*' -prune -o \
 		-path './dist' -prune -o \
 		-path './pypi' -prune -o \
+		-path './.tox' -prune -o \
 		-name '.*' -o \
 		-name '*.in' -o \
 		-name '*~' -o \
@@ -252,7 +254,10 @@ jslint-html:
 	jsl -nologo -nosummary -nofilelisting -conf jsl.conf
 endif  # WITH_JSLINT
 
-.PHONY: bdist_wheel wheel_bundle wheel_placeholder pypi_packages
+# Python wheels
+# IPA_EXTRA_SUBDIRS: extra subdirs to build wheels (e.g. ipatests)
+
+.PHONY: bdist_wheel wheel_bundle  wheel_placeholder pypi_packages
 WHEELDISTDIR = $(top_builddir)/dist/wheels
 WHEELBUNDLEDIR = $(top_builddir)/dist/bundle
 
@@ -263,19 +268,20 @@ $(WHEELBUNDLEDIR):
 	mkdir -p $(WHEELBUNDLEDIR)
 
 bdist_wheel: $(WHEELDISTDIR)
-	for dir in $(IPACLIENT_SUBDIRS); do \
+	rm -f $(foreach item,$(IPACLIENT_SUBDIRS) $(IPA_EXTRA_SUBDIRS),$(WHEELDISTDIR)/$(item)-*.whl)
+	for dir in $(IPACLIENT_SUBDIRS) $(IPA_EXTRA_SUBDIRS); do \
 	$(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \
 	done
 
 wheel_bundle: $(WHEELBUNDLEDIR) bdist_wheel .wheelconstraints
-	rm -f $(foreach item,$(IPACLIENT_SUBDIRS),$(WHEELBUNDLEDIR)/$(item)-*.whl)
+	rm -f $(foreach item,$(IPACLIENT_SUBDIRS) $(IPA_EXTRA_SUBDIRS),$(WHEELBUNDLEDIR)/$(i

[Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing

2017-03-31 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/397
Title: #397: Improve wheel building and provide ipaserver wheel for local 
testing

tiran commented:
"""
@MartinBasti ```dbus-devel``` is in the ```with_wheels``` section. 
Documentation is part of https://pagure.io/freeipa/issue/6842 .
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/397#issuecomment-290727605
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#397][synchronized] Improve wheel building and provide ipaserver wheel for local testing

2017-03-31 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/397
Author: tiran
 Title: #397: Improve wheel building and provide ipaserver wheel for local 
testing
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/397/head:pr397
git checkout pr397
From 6419040e0bcf726232f30c4020fbea9bb9e10376 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Tue, 17 Jan 2017 08:49:54 +0100
Subject: [PATCH 1/3] Conditionally import pyhbac

The pyhbac module is part of SSSD. It's not available as stand-alone
PyPI package. It would take a lot of effort to package it because the
code is deeply tight into SSSD.

Let's follow the example of other SSSD Python packages and make the
import of pyhbac conditionally. It's only necessary for caacl and
hbactest plugins.

I renamed convert_to_ipa_rule() to _convert_to_ipa_rule() because it
does not check for presence of pyhbac package itself. The check is
performed earlier in execute(). The prefix indicates that it is an
internal function and developers have to think twice before using it
in another place.

This makes it much easier to install ipaserver with instrumented build
of Python with a different ABI or in isolated virtual envs to profile
and debug the server.

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipaserver/plugins/caacl.py| 86 -
 ipaserver/plugins/cert.py | 90 ++-
 ipaserver/plugins/hbactest.py | 19 +++--
 3 files changed, 105 insertions(+), 90 deletions(-)

diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
index ff1178a..43a397d 100644
--- a/ipaserver/plugins/caacl.py
+++ b/ipaserver/plugins/caacl.py
@@ -2,12 +2,10 @@
 # Copyright (C) 2015  FreeIPA Contributors see COPYING for license
 #
 
-import pyhbac
 import six
 
 from ipalib import api, errors, output
 from ipalib import Bool, Str, StrEnum
-from ipalib.constants import IPA_CA_CN
 from ipalib.plugable import Registry
 from .baseldap import (
 LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, LDAPQuery,
@@ -80,90 +78,6 @@
 register = Registry()
 
 
-def _acl_make_request(principal_type, principal, ca_id, profile_id):
-"""Construct HBAC request for the given principal, CA and profile"""
-
-req = pyhbac.HbacRequest()
-req.targethost.name = ca_id
-req.service.name = profile_id
-if principal_type == 'user':
-req.user.name = principal.username
-elif principal_type == 'host':
-req.user.name = principal.hostname
-elif principal_type == 'service':
-req.user.name = unicode(principal)
-groups = []
-if principal_type == 'user':
-user_obj = api.Command.user_show(principal.username)['result']
-groups = user_obj.get('memberof_group', [])
-groups += user_obj.get('memberofindirect_group', [])
-elif principal_type == 'host':
-host_obj = api.Command.host_show(principal.hostname)['result']
-groups = host_obj.get('memberof_hostgroup', [])
-groups += host_obj.get('memberofindirect_hostgroup', [])
-req.user.groups = sorted(set(groups))
-return req
-
-
-def _acl_make_rule(principal_type, obj):
-"""Turn CA ACL object into HBAC rule.
-
-``principal_type``
-String in {'user', 'host', 'service'}
-"""
-rule = pyhbac.HbacRule(obj['cn'][0])
-rule.enabled = obj['ipaenabledflag'][0]
-rule.srchosts.category = {pyhbac.HBAC_CATEGORY_ALL}
-
-# add CA(s)
-if 'ipacacategory' in obj and obj['ipacacategory'][0].lower() == 'all':
-rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL}
-else:
-# For compatibility with pre-lightweight-CAs CA ACLs,
-# no CA members implies the host authority (only)
-rule.targethosts.names = obj.get('ipamemberca_ca', [IPA_CA_CN])
-
-# add profiles
-if ('ipacertprofilecategory' in obj
-and obj['ipacertprofilecategory'][0].lower() == 'all'):
-rule.services.category = {pyhbac.HBAC_CATEGORY_ALL}
-else:
-attr = 'ipamembercertprofile_certprofile'
-rule.services.names = obj.get(attr, [])
-
-# add principals and principal's groups
-category_attr = '{}category'.format(principal_type)
-if category_attr in obj and obj[category_attr][0].lower() == 'all':
-rule.users.category = {pyhbac.HBAC_CATEGORY_ALL}
-else:
-if principal_type == 'user':
-rule.users.names = obj.get('memberuser_user', [])
-rule.users.groups = obj.get('memberuser_group', [])
-elif principal_type == 'host':
-rule.users.names = obj.get('memberhost_host', [])
-rule.users.groups = obj.get('memberhost_hostgroup', [])
-elif principal_type == 'service':
-rule.users.names = [
-unicode(principal)
-for principal i

[Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing

2017-03-31 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/397
Title: #397: Improve wheel building and provide ipaserver wheel for local 
testing

tiran commented:
"""
You need dbus-devel package.

I opened https://pagure.io/freeipa/issue/6842 to track lack of documentation.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/397#issuecomment-290689299
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#593][synchronized] Add make devcheck for developers

2017-03-31 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/593
Author: tiran
 Title: #593: Add make devcheck for developers 
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/593/head:pr593
git checkout pr593
From 0e12da497bed19bf28151a284f097bc0f230cdd6 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Wed, 15 Mar 2017 08:31:38 +0100
Subject: [PATCH 1/2] Add make devcheck for developers

Ticket 6604 makes pylint and jsl optional dependencies. The change
is controversal, because some developers prefer that pylint and jsl
should be required unless explicitly disabled.

`make devcheck` is my answer to address the concerns. It's a superior
solution to `make lint` as pre-commit check. It combines several
additional checks under a single, easy rememberable and convenient make
target:

* build all
* acilint, apiclient, jslint, polint
* make check
* pylint under Python 2 and 3
* subset of unit test suite

https://fedorahosted.org/freeipa/ticket/6604

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 Makefile.am | 31 -
 configure.ac| 12 ++
 ipatests/test_ipapython/test_session_storage.py |  1 -
 3 files changed, 42 insertions(+), 2 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index af22315..efa8b73 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -152,6 +152,35 @@ JSLINT_TARGET = jslint
 endif WITH_JSLINT
 lint: acilint apilint $(POLINT_TARGET) $(PYLINT_TARGET) $(JSLINT_TARGET)
 
+.PHONY: devcheck
+devcheck: all
+if ! WITH_POLINT
+	@echo "ERROR: polint not available"; exit 1
+endif
+if ! WITH_PYLINT
+	@echo "ERROR: pylint not available"; exit 1
+endif
+if ! WITH_JSLINT
+	@echo "ERROR: jslint not available"; exit 1
+endif
+if ! WITH_PYTHON2
+	@echo "ERROR: python2 not available"; exit 1
+endif
+	@ # run all linters, tests, and check with Python 2
+	PYTHONPATH=$(top_srcdir) $(PYTHON2) ipatests/ipa-run-tests \
+	--ipaclient-unittests
+	$(MAKE) $(AM_MAKEFLAGS) acilint apilint polint jslint check
+	$(MAKE) $(AM_MAKEFLAGS) PYTHON=$(PYTHON2) pylint
+if WITH_PYTHON3
+	@ # just tests and pylint on Python 3
+	PYTHONPATH=$(top_srcdir) $(PYTHON3) ipatests/ipa-run-tests \
+	--ipaclient-unittests
+	$(MAKE) $(AM_MAKEFLAGS) PYTHON=$(PYTHON3) pylint
+else
+	@echo "WARNING: python3 not available"
+endif
+	@echo "All tests passed."
+
 .PHONY: $(top_builddir)/ipapython/version.py
 $(top_builddir)/ipapython/version.py:
 	(cd $(top_builddir)/ipapython && make version.py)
@@ -188,7 +217,7 @@ pylint: $(top_builddir)/ipapython/version.py ipasetup.py
 		-name '*~' -o \
 		-name '*.py' -print -o \
 		-type f -exec grep -qsm1 '^#!.*\bpython' '{}' \; -print`; \
-	echo "Pylint is running, please wait ..."; \
+	echo "Pylint on $(PYTHON) is running, please wait ..."; \
 	PYTHONPATH=$(top_srcdir) $(PYTHON) -m pylint \
 		--rcfile=$(top_srcdir)/pylintrc \
 		--load-plugins pylint_plugins \
diff --git a/configure.ac b/configure.ac
index f5c5270..b006ccc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -111,6 +111,18 @@ if test "x$PYTHON" = "x" ; then
 fi
 
 dnl ---
+dnl - Check for Python 2/3 for devcheck
+dnl ---
+
+AC_PATH_PROG(PYTHON2, python2)
+AC_SUBST([PYTHON2])
+AM_CONDITIONAL([WITH_PYTHON2], [test "x${PYTHON2}" != "x"])
+
+AC_PATH_PROG(PYTHON3, python3)
+AC_SUBST([PYTHON3])
+AM_CONDITIONAL([WITH_PYTHON3], [test "x${PYTHON3}" != "x"])
+
+dnl ---
 dnl - Check for cmocka unit test framework http://cmocka.cryptomilk.org/
 dnl ---
 PKG_CHECK_EXISTS(cmocka,
diff --git a/ipatests/test_ipapython/test_session_storage.py b/ipatests/test_ipapython/test_session_storage.py
index a89fdd9..e050869 100644
--- a/ipatests/test_ipapython/test_session_storage.py
+++ b/ipatests/test_ipapython/test_session_storage.py
@@ -5,7 +5,6 @@
 """
 Test the `session_storage.py` module.
 """
-
 from ipapython import session_storage
 
 

From 9ab173e5428bb0e0c6a6d536a1e178a10ff34997 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Fri, 31 Mar 2017 10:53:59 +0200
Subject: [PATCH 2/2] Skip test_session_storage in ipaclient unittest mode

The test class depends on a working Kerberos configuration and session.

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipatests/test_ipapython/test_session_storage.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ipatests/test_ipapython/test_session_storage.py b/ipatests/te

[Freeipa-devel] [freeipa PR#593][comment] Add make devcheck for developers

2017-03-31 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/593
Title: #593: Add make devcheck for developers 

tiran commented:
"""
I split the changes to session storage tests into a separate commit. The other 
commit is in #670 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/593#issuecomment-29066
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#593][synchronized] Add make devcheck for developers

2017-03-31 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/593
Author: tiran
 Title: #593: Add make devcheck for developers 
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/593/head:pr593
git checkout pr593
From 3d0cfecdece338b6aa711ef9716d8cb92b645a80 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Wed, 15 Mar 2017 08:31:38 +0100
Subject: [PATCH 1/2] Add make devcheck for developers

Ticket 6604 makes pylint and jsl optional dependencies. The change
is controversal, because some developers prefer that pylint and jsl
should be required unless explicitly disabled.

`make devcheck` is my answer to address the concerns. It's a superior
solution to `make lint` as pre-commit check. It combines several
additional checks under a single, easy rememberable and convenient make
target:

* build all
* acilint, apiclient, jslint, polint
* make check
* pylint under Python 2 and 3
* subset of unit test suite

https://fedorahosted.org/freeipa/ticket/6604

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 Makefile.am | 31 -
 configure.ac| 12 ++
 ipapython/session_storage.py|  4 ++--
 ipatests/test_ipapython/test_session_storage.py |  1 -
 4 files changed, 44 insertions(+), 4 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index af22315..efa8b73 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -152,6 +152,35 @@ JSLINT_TARGET = jslint
 endif WITH_JSLINT
 lint: acilint apilint $(POLINT_TARGET) $(PYLINT_TARGET) $(JSLINT_TARGET)
 
+.PHONY: devcheck
+devcheck: all
+if ! WITH_POLINT
+	@echo "ERROR: polint not available"; exit 1
+endif
+if ! WITH_PYLINT
+	@echo "ERROR: pylint not available"; exit 1
+endif
+if ! WITH_JSLINT
+	@echo "ERROR: jslint not available"; exit 1
+endif
+if ! WITH_PYTHON2
+	@echo "ERROR: python2 not available"; exit 1
+endif
+	@ # run all linters, tests, and check with Python 2
+	PYTHONPATH=$(top_srcdir) $(PYTHON2) ipatests/ipa-run-tests \
+	--ipaclient-unittests
+	$(MAKE) $(AM_MAKEFLAGS) acilint apilint polint jslint check
+	$(MAKE) $(AM_MAKEFLAGS) PYTHON=$(PYTHON2) pylint
+if WITH_PYTHON3
+	@ # just tests and pylint on Python 3
+	PYTHONPATH=$(top_srcdir) $(PYTHON3) ipatests/ipa-run-tests \
+	--ipaclient-unittests
+	$(MAKE) $(AM_MAKEFLAGS) PYTHON=$(PYTHON3) pylint
+else
+	@echo "WARNING: python3 not available"
+endif
+	@echo "All tests passed."
+
 .PHONY: $(top_builddir)/ipapython/version.py
 $(top_builddir)/ipapython/version.py:
 	(cd $(top_builddir)/ipapython && make version.py)
@@ -188,7 +217,7 @@ pylint: $(top_builddir)/ipapython/version.py ipasetup.py
 		-name '*~' -o \
 		-name '*.py' -print -o \
 		-type f -exec grep -qsm1 '^#!.*\bpython' '{}' \; -print`; \
-	echo "Pylint is running, please wait ..."; \
+	echo "Pylint on $(PYTHON) is running, please wait ..."; \
 	PYTHONPATH=$(top_srcdir) $(PYTHON) -m pylint \
 		--rcfile=$(top_srcdir)/pylintrc \
 		--load-plugins pylint_plugins \
diff --git a/configure.ac b/configure.ac
index f5c5270..b006ccc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -111,6 +111,18 @@ if test "x$PYTHON" = "x" ; then
 fi
 
 dnl ---
+dnl - Check for Python 2/3 for devcheck
+dnl ---
+
+AC_PATH_PROG(PYTHON2, python2)
+AC_SUBST([PYTHON2])
+AM_CONDITIONAL([WITH_PYTHON2], [test "x${PYTHON2}" != "x"])
+
+AC_PATH_PROG(PYTHON3, python3)
+AC_SUBST([PYTHON3])
+AM_CONDITIONAL([WITH_PYTHON3], [test "x${PYTHON3}" != "x"])
+
+dnl ---
 dnl - Check for cmocka unit test framework http://cmocka.cryptomilk.org/
 dnl ---
 PKG_CHECK_EXISTS(cmocka,
diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
index 6af064c..1443413 100644
--- a/ipapython/session_storage.py
+++ b/ipapython/session_storage.py
@@ -214,8 +214,8 @@ def krb5_errcheck(result, func, arguments):
 krb5_free_unparsed_name.argtypes = (krb5_context, ctypes.c_char_p, )
 krb5_free_unparsed_name.restype = None
 
-CONF_REALM = "X-CACHECONF:"
-CONF_NAME = "krb5_ccache_conf_data"
+CONF_REALM = b"X-CACHECONF:"
+CONF_NAME = b"krb5_ccache_conf_data"
 
 
 def store_data(princ_name, key, value):
diff --git a/ipatests/test_ipapython/test_session_storage.py b/ipatests/test_ipapython/test_session_storage.py
index a89fdd9..e050869 100644
--- a/ipatests/test_ipapython/test_session_storage.py
+++ b/ipatests/test_ipapython/test_session_storage.py
@@ -5,7 +5,6 @@
 """
 Test the `session_storage.

[Freeipa-devel] [freeipa PR#593][comment] Add make devcheck for developers

2017-03-31 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/593
Title: #593: Add make devcheck for developers 

tiran commented:
"""
```test_session_storage``` is not a unit test or functional test. It is an 
integration test that depends on a valid Kerberos configuration and session. Do 
you prefer a separate PR?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/593#issuecomment-290654739
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#490][+ack] certdb: use certutil and match_hostname for cert verification

2017-03-31 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/490
Title: #490: certdb: use certutil and match_hostname for cert verification

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing

2017-03-31 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/397
Title: #397: Improve wheel building and provide ipaserver wheel for local 
testing

tiran commented:
"""
Thanks @MartinBasti 

I rebased the PR and added a small workaround for ```dbus-python```. The 
package uses make to compile some of its internal dependencies. It looks like 
there is a bug in ```dbus-python```'s makefile. It sometimes fails to compile 
with my ```MAKEFLAGS=-j4``` env var. ```Makefile.am``` line 253 sets MAKEFLAGS 
to empty value for ```pip wheel```.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/397#issuecomment-290632826
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#593][synchronized] Add make devcheck for developers

2017-03-31 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/593
Author: tiran
 Title: #593: Add make devcheck for developers 
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/593/head:pr593
git checkout pr593
From 5ef4045c094d4cfbff216cb0282196273dc06d59 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Wed, 15 Mar 2017 08:31:38 +0100
Subject: [PATCH] Add make devcheck for developers

Ticket 6604 makes pylint and jsl optional dependencies. The change
is controversal, because some developers prefer that pylint and jsl
should be required unless explicitly disabled.

`make devcheck` is my answer to address the concerns. It's a superior
solution to `make lint` as pre-commit check. It combines several
additional checks under a single, easy rememberable and convenient make
target:

* build all
* acilint, apiclient, jslint, polint
* make check
* pylint under Python 2 and 3
* subset of unit test suite

https://fedorahosted.org/freeipa/ticket/6604

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 Makefile.am | 31 -
 configure.ac| 12 ++
 ipapython/session_storage.py|  4 ++--
 ipatests/test_ipapython/test_session_storage.py |  2 ++
 4 files changed, 46 insertions(+), 3 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index af22315..efa8b73 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -152,6 +152,35 @@ JSLINT_TARGET = jslint
 endif WITH_JSLINT
 lint: acilint apilint $(POLINT_TARGET) $(PYLINT_TARGET) $(JSLINT_TARGET)
 
+.PHONY: devcheck
+devcheck: all
+if ! WITH_POLINT
+	@echo "ERROR: polint not available"; exit 1
+endif
+if ! WITH_PYLINT
+	@echo "ERROR: pylint not available"; exit 1
+endif
+if ! WITH_JSLINT
+	@echo "ERROR: jslint not available"; exit 1
+endif
+if ! WITH_PYTHON2
+	@echo "ERROR: python2 not available"; exit 1
+endif
+	@ # run all linters, tests, and check with Python 2
+	PYTHONPATH=$(top_srcdir) $(PYTHON2) ipatests/ipa-run-tests \
+	--ipaclient-unittests
+	$(MAKE) $(AM_MAKEFLAGS) acilint apilint polint jslint check
+	$(MAKE) $(AM_MAKEFLAGS) PYTHON=$(PYTHON2) pylint
+if WITH_PYTHON3
+	@ # just tests and pylint on Python 3
+	PYTHONPATH=$(top_srcdir) $(PYTHON3) ipatests/ipa-run-tests \
+	--ipaclient-unittests
+	$(MAKE) $(AM_MAKEFLAGS) PYTHON=$(PYTHON3) pylint
+else
+	@echo "WARNING: python3 not available"
+endif
+	@echo "All tests passed."
+
 .PHONY: $(top_builddir)/ipapython/version.py
 $(top_builddir)/ipapython/version.py:
 	(cd $(top_builddir)/ipapython && make version.py)
@@ -188,7 +217,7 @@ pylint: $(top_builddir)/ipapython/version.py ipasetup.py
 		-name '*~' -o \
 		-name '*.py' -print -o \
 		-type f -exec grep -qsm1 '^#!.*\bpython' '{}' \; -print`; \
-	echo "Pylint is running, please wait ..."; \
+	echo "Pylint on $(PYTHON) is running, please wait ..."; \
 	PYTHONPATH=$(top_srcdir) $(PYTHON) -m pylint \
 		--rcfile=$(top_srcdir)/pylintrc \
 		--load-plugins pylint_plugins \
diff --git a/configure.ac b/configure.ac
index f5c5270..0174320 100644
--- a/configure.ac
+++ b/configure.ac
@@ -111,6 +111,18 @@ if test "x$PYTHON" = "x" ; then
 fi
 
 dnl ---
+dnl - Check for Python 2/3 for patchcheck
+dnl ---
+
+AC_PATH_PROG(PYTHON2, python2)
+AC_SUBST([PYTHON2])
+AM_CONDITIONAL([WITH_PYTHON2], [test "x${PYTHON2}" != "x"])
+
+AC_PATH_PROG(PYTHON3, python3)
+AC_SUBST([PYTHON3])
+AM_CONDITIONAL([WITH_PYTHON3], [test "x${PYTHON3}" != "x"])
+
+dnl ---
 dnl - Check for cmocka unit test framework http://cmocka.cryptomilk.org/
 dnl ---
 PKG_CHECK_EXISTS(cmocka,
diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
index 6af064c..1443413 100644
--- a/ipapython/session_storage.py
+++ b/ipapython/session_storage.py
@@ -214,8 +214,8 @@ def krb5_errcheck(result, func, arguments):
 krb5_free_unparsed_name.argtypes = (krb5_context, ctypes.c_char_p, )
 krb5_free_unparsed_name.restype = None
 
-CONF_REALM = "X-CACHECONF:"
-CONF_NAME = "krb5_ccache_conf_data"
+CONF_REALM = b"X-CACHECONF:"
+CONF_NAME = b"krb5_ccache_conf_data"
 
 
 def store_data(princ_name, key, value):
diff --git a/ipatests/test_ipapython/test_session_storage.py b/ipatests/test_ipapython/test_session_storage.py
index a89fdd9..1ae9f9c 100644
--- a/ipatests/test_ipapython/test_session_storage.py
+++ b/ipatests/test_ipapython/test_session_storage.py
@@ -5,10 +5,12 @@
 """
 Test the `session_storage.p

[Freeipa-devel] [freeipa PR#593][synchronized] Add make devcheck for developers

2017-03-31 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/593
Author: tiran
 Title: #593: Add make devcheck for developers 
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/593/head:pr593
git checkout pr593
From f41cdacbdf15808a66651761640847514a7f9027 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Wed, 15 Mar 2017 08:31:38 +0100
Subject: [PATCH] Add make devcheck for developers

Ticket 6604 makes pylint and jsl optional dependencies. The change
is controversal, because some developers prefer that pylint and jsl
should be required unless explicitly disabled.

`make devcheck` is my answer to address the concerns. It's a superior
solution to `make lint` as pre-commit check. It combines several
additional checks under a single, easy rememberable and convenient make
target:

* build all
* acilint, apiclient, jslint, polint
* make check
* pylint under Python 2 and 3
* subset of unit test suite

https://fedorahosted.org/freeipa/ticket/6604

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 Makefile.am | 31 -
 configure.ac| 12 ++
 ipapython/session_storage.py|  4 ++--
 ipatests/test_ipapython/test_session_storage.py |  2 ++
 4 files changed, 46 insertions(+), 3 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index af22315..efa8b73 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -152,6 +152,35 @@ JSLINT_TARGET = jslint
 endif WITH_JSLINT
 lint: acilint apilint $(POLINT_TARGET) $(PYLINT_TARGET) $(JSLINT_TARGET)
 
+.PHONY: devcheck
+devcheck: all
+if ! WITH_POLINT
+	@echo "ERROR: polint not available"; exit 1
+endif
+if ! WITH_PYLINT
+	@echo "ERROR: pylint not available"; exit 1
+endif
+if ! WITH_JSLINT
+	@echo "ERROR: jslint not available"; exit 1
+endif
+if ! WITH_PYTHON2
+	@echo "ERROR: python2 not available"; exit 1
+endif
+	@ # run all linters, tests, and check with Python 2
+	PYTHONPATH=$(top_srcdir) $(PYTHON2) ipatests/ipa-run-tests \
+	--ipaclient-unittests
+	$(MAKE) $(AM_MAKEFLAGS) acilint apilint polint jslint check
+	$(MAKE) $(AM_MAKEFLAGS) PYTHON=$(PYTHON2) pylint
+if WITH_PYTHON3
+	@ # just tests and pylint on Python 3
+	PYTHONPATH=$(top_srcdir) $(PYTHON3) ipatests/ipa-run-tests \
+	--ipaclient-unittests
+	$(MAKE) $(AM_MAKEFLAGS) PYTHON=$(PYTHON3) pylint
+else
+	@echo "WARNING: python3 not available"
+endif
+	@echo "All tests passed."
+
 .PHONY: $(top_builddir)/ipapython/version.py
 $(top_builddir)/ipapython/version.py:
 	(cd $(top_builddir)/ipapython && make version.py)
@@ -188,7 +217,7 @@ pylint: $(top_builddir)/ipapython/version.py ipasetup.py
 		-name '*~' -o \
 		-name '*.py' -print -o \
 		-type f -exec grep -qsm1 '^#!.*\bpython' '{}' \; -print`; \
-	echo "Pylint is running, please wait ..."; \
+	echo "Pylint on $(PYTHON) is running, please wait ..."; \
 	PYTHONPATH=$(top_srcdir) $(PYTHON) -m pylint \
 		--rcfile=$(top_srcdir)/pylintrc \
 		--load-plugins pylint_plugins \
diff --git a/configure.ac b/configure.ac
index f5c5270..b006ccc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -111,6 +111,18 @@ if test "x$PYTHON" = "x" ; then
 fi
 
 dnl ---
+dnl - Check for Python 2/3 for devcheck
+dnl ---
+
+AC_PATH_PROG(PYTHON2, python2)
+AC_SUBST([PYTHON2])
+AM_CONDITIONAL([WITH_PYTHON2], [test "x${PYTHON2}" != "x"])
+
+AC_PATH_PROG(PYTHON3, python3)
+AC_SUBST([PYTHON3])
+AM_CONDITIONAL([WITH_PYTHON3], [test "x${PYTHON3}" != "x"])
+
+dnl ---
 dnl - Check for cmocka unit test framework http://cmocka.cryptomilk.org/
 dnl ---
 PKG_CHECK_EXISTS(cmocka,
diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
index 6af064c..1443413 100644
--- a/ipapython/session_storage.py
+++ b/ipapython/session_storage.py
@@ -214,8 +214,8 @@ def krb5_errcheck(result, func, arguments):
 krb5_free_unparsed_name.argtypes = (krb5_context, ctypes.c_char_p, )
 krb5_free_unparsed_name.restype = None
 
-CONF_REALM = "X-CACHECONF:"
-CONF_NAME = "krb5_ccache_conf_data"
+CONF_REALM = b"X-CACHECONF:"
+CONF_NAME = b"krb5_ccache_conf_data"
 
 
 def store_data(princ_name, key, value):
diff --git a/ipatests/test_ipapython/test_session_storage.py b/ipatests/test_ipapython/test_session_storage.py
index a89fdd9..1ae9f9c 100644
--- a/ipatests/test_ipapython/test_session_storage.py
+++ b/ipatests/test_ipapython/test_session_storage.py
@@ -5,10 +5,12 @@
 """
 Test the `session_storage.p

[Freeipa-devel] [freeipa PR#593][edited] Add make devcheck for developers

2017-03-31 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/593
Author: tiran
 Title: #593: Add make devcheck for developers 
Action: edited

 Changed field: body
Original value:
"""
Ticket 6604 makes pylint and jsl optional dependencies. The change
is controversal, because some developers prefer that pylint and jsl
should be required unless explicitly disabled.

`make patchcheck` is my answer to address the concerns. It's a superior
solution to `make lint` as pre-commit check. It combines several
additional checks under a single, easy rememberable and convenient make
target:

* build all
* acilint, apiclient, jslint, polint
* make check
* pylint under Python 2 and 3
* subset of unit test suite

https://fedorahosted.org/freeipa/ticket/6604

Depends on 

- [X] #475
- [X] #587 
- [X] #594
- [ ] #636
- [ ] #670
"""

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#397][synchronized] Improve wheel building and provide ipaserver wheel for local testing

2017-03-31 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/397
Author: tiran
 Title: #397: Improve wheel building and provide ipaserver wheel for local 
testing
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/397/head:pr397
git checkout pr397
From 6419040e0bcf726232f30c4020fbea9bb9e10376 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Tue, 17 Jan 2017 08:49:54 +0100
Subject: [PATCH 1/3] Conditionally import pyhbac

The pyhbac module is part of SSSD. It's not available as stand-alone
PyPI package. It would take a lot of effort to package it because the
code is deeply tight into SSSD.

Let's follow the example of other SSSD Python packages and make the
import of pyhbac conditionally. It's only necessary for caacl and
hbactest plugins.

I renamed convert_to_ipa_rule() to _convert_to_ipa_rule() because it
does not check for presence of pyhbac package itself. The check is
performed earlier in execute(). The prefix indicates that it is an
internal function and developers have to think twice before using it
in another place.

This makes it much easier to install ipaserver with instrumented build
of Python with a different ABI or in isolated virtual envs to profile
and debug the server.

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipaserver/plugins/caacl.py| 86 -
 ipaserver/plugins/cert.py | 90 ++-
 ipaserver/plugins/hbactest.py | 19 +++--
 3 files changed, 105 insertions(+), 90 deletions(-)

diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
index ff1178a..43a397d 100644
--- a/ipaserver/plugins/caacl.py
+++ b/ipaserver/plugins/caacl.py
@@ -2,12 +2,10 @@
 # Copyright (C) 2015  FreeIPA Contributors see COPYING for license
 #
 
-import pyhbac
 import six
 
 from ipalib import api, errors, output
 from ipalib import Bool, Str, StrEnum
-from ipalib.constants import IPA_CA_CN
 from ipalib.plugable import Registry
 from .baseldap import (
 LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, LDAPQuery,
@@ -80,90 +78,6 @@
 register = Registry()
 
 
-def _acl_make_request(principal_type, principal, ca_id, profile_id):
-"""Construct HBAC request for the given principal, CA and profile"""
-
-req = pyhbac.HbacRequest()
-req.targethost.name = ca_id
-req.service.name = profile_id
-if principal_type == 'user':
-req.user.name = principal.username
-elif principal_type == 'host':
-req.user.name = principal.hostname
-elif principal_type == 'service':
-req.user.name = unicode(principal)
-groups = []
-if principal_type == 'user':
-user_obj = api.Command.user_show(principal.username)['result']
-groups = user_obj.get('memberof_group', [])
-groups += user_obj.get('memberofindirect_group', [])
-elif principal_type == 'host':
-host_obj = api.Command.host_show(principal.hostname)['result']
-groups = host_obj.get('memberof_hostgroup', [])
-groups += host_obj.get('memberofindirect_hostgroup', [])
-req.user.groups = sorted(set(groups))
-return req
-
-
-def _acl_make_rule(principal_type, obj):
-"""Turn CA ACL object into HBAC rule.
-
-``principal_type``
-String in {'user', 'host', 'service'}
-"""
-rule = pyhbac.HbacRule(obj['cn'][0])
-rule.enabled = obj['ipaenabledflag'][0]
-rule.srchosts.category = {pyhbac.HBAC_CATEGORY_ALL}
-
-# add CA(s)
-if 'ipacacategory' in obj and obj['ipacacategory'][0].lower() == 'all':
-rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL}
-else:
-# For compatibility with pre-lightweight-CAs CA ACLs,
-# no CA members implies the host authority (only)
-rule.targethosts.names = obj.get('ipamemberca_ca', [IPA_CA_CN])
-
-# add profiles
-if ('ipacertprofilecategory' in obj
-and obj['ipacertprofilecategory'][0].lower() == 'all'):
-rule.services.category = {pyhbac.HBAC_CATEGORY_ALL}
-else:
-attr = 'ipamembercertprofile_certprofile'
-rule.services.names = obj.get(attr, [])
-
-# add principals and principal's groups
-category_attr = '{}category'.format(principal_type)
-if category_attr in obj and obj[category_attr][0].lower() == 'all':
-rule.users.category = {pyhbac.HBAC_CATEGORY_ALL}
-else:
-if principal_type == 'user':
-rule.users.names = obj.get('memberuser_user', [])
-rule.users.groups = obj.get('memberuser_group', [])
-elif principal_type == 'host':
-rule.users.names = obj.get('memberhost_host', [])
-rule.users.groups = obj.get('memberhost_hostgroup', [])
-elif principal_type == 'service':
-rule.users.names = [
-unicode(principal)
-for principal i

[Freeipa-devel] [freeipa PR#618][synchronized] [WIP] Tox testing support for client wheel packages

2017-03-30 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/618
Author: tiran
 Title: #618: [WIP] Tox testing support for client wheel packages
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/618/head:pr618
git checkout pr618
From e5c90a2ceae2e2e44047f67ca05ad9ff9c272abe Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Thu, 17 Nov 2016 16:43:17 +0100
Subject: [PATCH 1/3] tox testing support for client wheel packages

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 .gitignore   |  2 ++
 .tox-install.sh  | 72 
 Makefile.am  | 14 +++---
 configure.ac |  1 +
 ipatests/conftest.py |  1 -
 tox.ini  | 38 +++
 6 files changed, 123 insertions(+), 5 deletions(-)
 create mode 100755 .tox-install.sh
 create mode 100644 tox.ini

diff --git a/.gitignore b/.gitignore
index 8941fd8..8b57dbc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -61,6 +61,8 @@ freeipa2-dev-doc
 # Root directory
 /freeipa.spec
 /dist/
+/.tox/
+/.cache/
 /*/dist/
 /RELEASE
 /rpmbuild/
diff --git a/.tox-install.sh b/.tox-install.sh
new file mode 100755
index 000..ab4a4c5
--- /dev/null
+++ b/.tox-install.sh
@@ -0,0 +1,72 @@
+#!/bin/bash
+set -x
+
+PYTHON="$1"
+ENVSITEPACKAGESDIR="$2"
+# 3...end are package requirements
+shift 2
+
+TOXINIDIR="$(cd "$(dirname "$0")" && pwd)"
+
+# sanity checks
+if [ ! -x "${PYTHON}" ]; then
+echo "${PYTHON}: no such executable"
+exit 1
+fi
+
+if [ ! -d "${ENVSITEPACKAGESDIR}" ]; then
+echo "${ENVSITEPACKAGESDIR}: no such directory"
+exit 2
+fi
+
+if [ ! -f "${TOXINIDIR}/tox.ini" ]; then
+echo "${TOXINIDIR}: no such directory"
+exit 3
+fi
+
+# https://pip.pypa.io/en/stable/user_guide/#environment-variables
+export PIP_CACHE_DIR="${TOXINIDIR}/.tox/cache"
+mkdir -p "${PIP_CACHE_DIR}"
+
+DISTBUNDLE="${TOXINIDIR}/dist/bundle"
+mkdir -p "${DISTBUNDLE}"
+
+# create configure
+pushd "${TOXINIDIR}"
+if [ ! -f "configure" ]; then
+autoreconf -i -f
+fi
+# (re)create Makefile
+./configure --disable-server
+popd
+
+# copy pylint plugin
+cp "${TOXINIDIR}/pylint_plugins.py" "${ENVSITEPACKAGESDIR}"
+
+# build packages and bundles
+make -C "${TOXINIDIR}" \
+PYTHON="${PYTHON}" \
+IPA_EXTRA_SUBDIRS="ipatests" \
+wheel_bundle
+
+# chdir to prevent local .egg-info from messing up pip
+pushd "${ENVSITEPACKAGESDIR}"
+
+# build additional wheels, e.g. pylint
+$PYTHON -m pip wheel \
+--disable-pip-version-check \
+--constraint "${TOXINIDIR}/.wheelconstraints" \
+--find-links "${DISTBUNDLE}" \
+--wheel-dir "${DISTBUNDLE}" \
+$@
+
+# Install packages with dist/bundle/ as extra source for wheels while ignoring
+# upstream Python Package Index.
+$PYTHON -m pip install \
+--no-index \
+--disable-pip-version-check \
+--constraint "${TOXINIDIR}/.wheelconstraints" \
+--find-links "${DISTBUNDLE}" \
+$@
+
+popd
diff --git a/Makefile.am b/Makefile.am
index af22315..ba81c55 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -57,6 +57,7 @@ EXTRA_DIST = .mailmap \
 clean-local:
 	rm -rf "$(RPMBUILD)"
 	rm -rf "$(top_builddir)/dist"
+	rm -rf "$(top_builddir)/.tox"
 	rm -rf "$(top_srcdir)/__pycache__"
 	rm -f "$(top_builddir)"/$(PACKAGE)-*.tar.gz
 
@@ -183,6 +184,7 @@ pylint: $(top_builddir)/ipapython/version.py ipasetup.py
 		-path './freeipa-*' -prune -o \
 		-path './dist' -prune -o \
 		-path './pypi' -prune -o \
+		-path './.tox' -prune -o \
 		-name '.*' -o \
 		-name '*.in' -o \
 		-name '*~' -o \
@@ -223,7 +225,10 @@ jslint-html:
 	jsl -nologo -nosummary -nofilelisting -conf jsl.conf
 endif  # WITH_JSLINT
 
-.PHONY: bdist_wheel wheel_bundle wheel_placeholder pypi_packages
+# Python wheels
+# IPA_EXTRA_SUBDIRS: extra subdirs to build wheels (e.g. ipatests)
+
+.PHONY: bdist_wheel wheel_bundle  wheel_placeholder pypi_packages
 WHEELDISTDIR = $(top_builddir)/dist/wheels
 WHEELBUNDLEDIR = $(top_builddir)/dist/bundle
 
@@ -234,19 +239,20 @@ $(WHEELBUNDLEDIR):
 	mkdir -p $(WHEELBUNDLEDIR)
 
 bdist_wheel: $(WHEELDISTDIR)
-	for dir in $(IPACLIENT_SUBDIRS); do \
+	rm -f $(foreach item,$(IPACLIENT_SUBDIRS) $(IPA_EXTRA_SUBDIRS),$(WHEELDISTDIR)/$(item)-*.whl)
+	for dir in $(IPACLIENT_SUBDIRS) $(IPA_EXTRA_SUBDIRS); do \
 	$(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \
 	done
 
 wheel_bundle: $(WHEELBUNDLEDIR) bdist_wheel .wheelconstraints
-	rm -f $(foreach item,$(IPACLIENT_SUBDIRS),$(WHEELBUNDLEDIR)/$(item)-*.whl)
+	rm -f $(foreach item,$(IPACLIENT_SUBDIRS) $(IPA_EXTRA_SUBDIRS),$(WHEELBUNDLEDIR)/$(i

[Freeipa-devel] [freeipa PR#593][edited] Add make patchcheck for developers

2017-03-30 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/593
Author: tiran
 Title: #593: Add make patchcheck for developers 
Action: edited

 Changed field: title
Original value:
"""
Add make patchcheck for developers 
"""

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#593][synchronized] Add make patchcheck for developers

2017-03-30 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/593
Author: tiran
 Title: #593: Add make patchcheck for developers 
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/593/head:pr593
git checkout pr593
From 0e369bd02d973660e798469efd3aae846fe54997 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Wed, 15 Mar 2017 08:31:38 +0100
Subject: [PATCH] Add make devcheck for developers

Ticket 6604 makes pylint and jsl optional dependencies. The change
is controversal, because some developers prefer that pylint and jsl
should be required unless explicitly disabled.

`make devcheck` is my answer to address the concerns. It's a superior
solution to `make lint` as pre-commit check. It combines several
additional checks under a single, easy rememberable and convenient make
target:

* build all
* acilint, apiclient, jslint, polint
* make check
* pylint under Python 2 and 3
* subset of unit test suite

https://fedorahosted.org/freeipa/ticket/6604

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 Makefile.am | 31 -
 configure.ac| 12 ++
 ipapython/session_storage.py|  4 ++--
 ipatests/test_ipapython/test_session_storage.py |  2 ++
 ipatests/util.py| 28 +++---
 5 files changed, 60 insertions(+), 17 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index af22315..efa8b73 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -152,6 +152,35 @@ JSLINT_TARGET = jslint
 endif WITH_JSLINT
 lint: acilint apilint $(POLINT_TARGET) $(PYLINT_TARGET) $(JSLINT_TARGET)
 
+.PHONY: devcheck
+devcheck: all
+if ! WITH_POLINT
+	@echo "ERROR: polint not available"; exit 1
+endif
+if ! WITH_PYLINT
+	@echo "ERROR: pylint not available"; exit 1
+endif
+if ! WITH_JSLINT
+	@echo "ERROR: jslint not available"; exit 1
+endif
+if ! WITH_PYTHON2
+	@echo "ERROR: python2 not available"; exit 1
+endif
+	@ # run all linters, tests, and check with Python 2
+	PYTHONPATH=$(top_srcdir) $(PYTHON2) ipatests/ipa-run-tests \
+	--ipaclient-unittests
+	$(MAKE) $(AM_MAKEFLAGS) acilint apilint polint jslint check
+	$(MAKE) $(AM_MAKEFLAGS) PYTHON=$(PYTHON2) pylint
+if WITH_PYTHON3
+	@ # just tests and pylint on Python 3
+	PYTHONPATH=$(top_srcdir) $(PYTHON3) ipatests/ipa-run-tests \
+	--ipaclient-unittests
+	$(MAKE) $(AM_MAKEFLAGS) PYTHON=$(PYTHON3) pylint
+else
+	@echo "WARNING: python3 not available"
+endif
+	@echo "All tests passed."
+
 .PHONY: $(top_builddir)/ipapython/version.py
 $(top_builddir)/ipapython/version.py:
 	(cd $(top_builddir)/ipapython && make version.py)
@@ -188,7 +217,7 @@ pylint: $(top_builddir)/ipapython/version.py ipasetup.py
 		-name '*~' -o \
 		-name '*.py' -print -o \
 		-type f -exec grep -qsm1 '^#!.*\bpython' '{}' \; -print`; \
-	echo "Pylint is running, please wait ..."; \
+	echo "Pylint on $(PYTHON) is running, please wait ..."; \
 	PYTHONPATH=$(top_srcdir) $(PYTHON) -m pylint \
 		--rcfile=$(top_srcdir)/pylintrc \
 		--load-plugins pylint_plugins \
diff --git a/configure.ac b/configure.ac
index f5c5270..0174320 100644
--- a/configure.ac
+++ b/configure.ac
@@ -111,6 +111,18 @@ if test "x$PYTHON" = "x" ; then
 fi
 
 dnl ---
+dnl - Check for Python 2/3 for patchcheck
+dnl ---
+
+AC_PATH_PROG(PYTHON2, python2)
+AC_SUBST([PYTHON2])
+AM_CONDITIONAL([WITH_PYTHON2], [test "x${PYTHON2}" != "x"])
+
+AC_PATH_PROG(PYTHON3, python3)
+AC_SUBST([PYTHON3])
+AM_CONDITIONAL([WITH_PYTHON3], [test "x${PYTHON3}" != "x"])
+
+dnl ---
 dnl - Check for cmocka unit test framework http://cmocka.cryptomilk.org/
 dnl ---
 PKG_CHECK_EXISTS(cmocka,
diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
index 6af064c..1443413 100644
--- a/ipapython/session_storage.py
+++ b/ipapython/session_storage.py
@@ -214,8 +214,8 @@ def krb5_errcheck(result, func, arguments):
 krb5_free_unparsed_name.argtypes = (krb5_context, ctypes.c_char_p, )
 krb5_free_unparsed_name.restype = None
 
-CONF_REALM = "X-CACHECONF:"
-CONF_NAME = "krb5_ccache_conf_data"
+CONF_REALM = b"X-CACHECONF:"
+CONF_NAME = b"krb5_ccache_conf_data"
 
 
 def store_data(princ_name, key, value):
diff --git a/ipatests/test_ipapython/test_session_storage.py b/ipatests/test_ipapython/test_session_storage.py
index a89fdd9..1ae9f9c 100644
--- a/ipatests/test_ipapython/test_session_storage.py
+++ b/ipatests/test_ipapy

[Freeipa-devel] [freeipa PR#672][comment] IPA-KDB: use relative path in ipa-certmap config snippet

2017-03-30 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/672
Title: #672: IPA-KDB: use relative path in ipa-certmap config snippet

tiran commented:
"""
LGTM

For the recording: according to 
https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html#plugins
 the plugin directive uses ```plugin_base_dir``` as base dir:

> module
> This tag may have multiple values. Each value is a string of the form 
> modulename:pathname, which causes the shared object located at pathname to be 
> registered as a dynamic module named modulename for the pluggable interface. 
> If pathname is not an absolute path, it will be treated as relative to the 
> plugin_base_dir value from [libdefaults].

> plugin_base_dir
> If set, determines the base directory where krb5 plugins are located. The 
> default value is the krb5/plugins subdirectory of the krb5 library directory.

@sumit-bose What happens when the shared library is missing? Does 32bit kinit 
fail or work on a X86_64 system when 32bit ipadb.so is missing?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/672#issuecomment-290312805
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#490][comment] certdb: use certutil and match_hostname for cert verification

2017-03-29 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/490
Title: #490: certdb: use certutil and match_hostname for cert verification

tiran commented:
"""
Your PR is going to remove the last import from python-nss. Awesome!

Please remove the requirement from ```ipapython/setup.py``` and 
```freeipa.spec.in```, too.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/490#issuecomment-290204064
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#674][opened] Replace hard-coded kdcproxy path with WSGI script

2017-03-29 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/674
Author: tiran
 Title: #674: Replace hard-coded kdcproxy path with WSGI script
Action: opened

PR body:
"""
mod_wsgi has no way to import a WSGI module by dotted module name. A new
kdcproxy.wsgi script is used to import kdcproxy from whatever Python
version mod_wsgi is compiled against. This will simplify moving FreeIPA
to Python 3 and solves an import problem on Debian.

Resolves: https://pagure.io/freeipa/issue/6834

Signed-off-by: Christian Heimes <chei...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/674/head:pr674
git checkout pr674
From c10b628ecc6ef9759300ad96d065566c5e3ca94d Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Wed, 29 Mar 2017 17:58:47 +0200
Subject: [PATCH] Replace hard-coded kdcproxy path with WSGI script

mod_wsgi has no way to import a WSGI module by dotted module name. A new
kdcproxy.wsgi script is used to import kdcproxy from whatever Python
version mod_wsgi is compiled against. This will simplify moving FreeIPA
to Python 3 and solves an import problem on Debian.

Resolves: https://pagure.io/freeipa/issue/6834

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 freeipa.spec.in  | 1 +
 install/conf/ipa-kdc-proxy.conf.template | 4 ++--
 install/share/Makefile.am| 1 +
 install/share/kdcproxy.wsgi  | 5 +
 4 files changed, 9 insertions(+), 2 deletions(-)
 create mode 100644 install/share/kdcproxy.wsgi

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 829c3f0..d606996 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1256,6 +1256,7 @@ fi
 # END
 %dir %{_usr}/share/ipa
 %{_usr}/share/ipa/wsgi.py*
+%{_usr}/share/ipa/kdcproxy.wsgi
 %{_usr}/share/ipa/*.ldif
 %{_usr}/share/ipa/*.uldif
 %{_usr}/share/ipa/*.template
diff --git a/install/conf/ipa-kdc-proxy.conf.template b/install/conf/ipa-kdc-proxy.conf.template
index 9290ceb..6721219 100644
--- a/install/conf/ipa-kdc-proxy.conf.template
+++ b/install/conf/ipa-kdc-proxy.conf.template
@@ -16,9 +16,9 @@
 
 WSGIDaemonProcess kdcproxy processes=2 threads=15 maximum-requests=5000 \
   user=kdcproxy group=kdcproxy display-name=%{GROUP}
-WSGIImportScript /usr/lib/python2.7/site-packages/kdcproxy/__init__.py \
+WSGIImportScript /usr/share/ipa/kdcproxy.wsgi \
   process-group=kdcproxy application-group=kdcproxy
-WSGIScriptAlias /KdcProxy /usr/lib/python2.7/site-packages/kdcproxy/__init__.py
+WSGIScriptAlias /KdcProxy /usr/share/ipa/kdcproxy.wsgi
 WSGIScriptReloading Off
 
 
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 9e539a3..3a34f6e 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -90,6 +90,7 @@ dist_app_DATA =\
 	gssapi.login			\
 	ipa.conf.tmpfiles		\
 	gssproxy.conf.template		\
+	kdcproxy.wsgi			\
 	$(NULL)
 
 kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy
diff --git a/install/share/kdcproxy.wsgi b/install/share/kdcproxy.wsgi
new file mode 100644
index 000..be1693c
--- /dev/null
+++ b/install/share/kdcproxy.wsgi
@@ -0,0 +1,5 @@
+# Copyright (C) 2017  FreeIPA Contributors see COPYING for license
+"""WSGI entry point for kdcproxy
+"""
+from kdcproxy import application
+
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#625][comment] [RFC] remote plugins: add option to force compat plugins

2017-03-29 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/625
Title: #625: [RFC] remote plugins: add option to force compat plugins

tiran commented:
"""
I don't understand the implications of this change and the new flag:

* What are the benefits and drawbacks of ```force_client_compat=False```?
* What are the benefits and drawbacks of ```force_client_compat=True```?
* Why does FreeIPA have schema download and compat plugins at all?
* Why is this feature implemented as *either/or* option instead of *optimistic 
try/fallback*?

New feature is missing unit and integration tests.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/625#issuecomment-290051095
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#593][comment] Add make patchcheck for developers

2017-03-29 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/593
Title: #593: Add make patchcheck for developers 

tiran commented:
"""
Depends on PRs #475, #587, #594
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/593#issuecomment-286665946
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#671][opened] [WIP] Slim down dependencies

2017-03-29 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/671
Author: tiran
 Title: #671: [WIP] Slim down dependencies
Action: opened

PR body:
"""
* Remove unused install requires
* Correct dependencies for yubico otptoken
* Properly report optional dependency for yubico otptoken
* Make jinja2 an optional dependency and csrgen an optional plugin

Signed-off-by: Christian Heimes <chei...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/671/head:pr671
git checkout pr671
From 230b7936c479d29416a580428db9f3448d65a125 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Wed, 29 Mar 2017 11:20:21 +0200
Subject: [PATCH] Slim down dependencies

* Remove unused install requires
* Correct dependencies for yubico otptoken
* Properly report optional dependency for yubico otptoken
* Make jinja2 an optional dependency and csrgen an optional plugin

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipaclient/plugins/csrgen.py   |  8 +++-
 ipaclient/plugins/otptoken_yubikey.py | 11 ---
 ipaclient/setup.py|  6 ++
 ipapython/setup.py|  2 --
 4 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/ipaclient/plugins/csrgen.py b/ipaclient/plugins/csrgen.py
index a0d99ef..0a9ede1 100644
--- a/ipaclient/plugins/csrgen.py
+++ b/ipaclient/plugins/csrgen.py
@@ -4,7 +4,6 @@
 
 import six
 
-from ipaclient.csrgen import CSRGenerator, FileRuleProvider
 from ipalib import api
 from ipalib import errors
 from ipalib import output
@@ -15,6 +14,13 @@
 from ipalib.text import _
 from ipapython import dogtag
 
+try:
+import jinja2  # pylint: disable=unused-import
+except ImportError:
+raise errors.SkipPluginModule(reason=_("jinja2 is not installed."))
+else:
+from ipaclient.csrgen import CSRGenerator, FileRuleProvider
+
 if six.PY3:
 unicode = str
 
diff --git a/ipaclient/plugins/otptoken_yubikey.py b/ipaclient/plugins/otptoken_yubikey.py
index 759b722..9993ec8 100644
--- a/ipaclient/plugins/otptoken_yubikey.py
+++ b/ipaclient/plugins/otptoken_yubikey.py
@@ -20,15 +20,20 @@
 import os
 
 import six
-import usb.core
-import yubico
 
 from ipalib import _, api, IntEnum
-from ipalib.errors import NotFound
+from ipalib.errors import NotFound, SkipPluginModule
 from ipalib.frontend import Command, Method, Object
 from ipalib.plugable import Registry
 from ipalib.util import classproperty
 
+try:
+import usb.core
+import yubico
+except ImportError:
+# python-yubico depends on pyusb
+raise SkipPluginModule(reason=_("python-yubico is not installed."))
+
 if six.PY3:
 unicode = str
 
diff --git a/ipaclient/setup.py b/ipaclient/setup.py
index f5be7ea..5b02341 100644
--- a/ipaclient/setup.py
+++ b/ipaclient/setup.py
@@ -54,15 +54,13 @@
 "cryptography",
 "ipalib",
 "ipapython",
-"jinja2",
-"python-yubico",
-"pyusb",
 "qrcode",
 "six",
 ],
 extras_require={
 "install": ["ipaplatform"],
-"otptoken_yubikey": ["yubico", "usb"]
+"otptoken_yubikey": ["python-yubico", "pyusb"],
+"csrgen": ["jinja2"],
 },
 zip_safe=False,
 )
diff --git a/ipapython/setup.py b/ipapython/setup.py
index 2fc039f..491a5ed 100755
--- a/ipapython/setup.py
+++ b/ipapython/setup.py
@@ -41,13 +41,11 @@
 "cryptography",
 "dnspython",
 "gssapi",
-"jwcrypto",
 # "ipalib",  # circular dependency
 "pyldap",
 "netaddr",
 "netifaces",
 "python-nss",
-"requests",
 "six",
 ],
 extras_require={
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#593][edited] Add make patchcheck for developers

2017-03-29 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/593
Author: tiran
 Title: #593: Add make patchcheck for developers 
Action: edited

 Changed field: body
Original value:
"""
Ticket 6604 makes pylint and jsl optional dependencies. The change
is controversal, because some developers prefer that pylint and jsl
should be required unless explicitly disabled.

`make patchcheck` is my answer to address the concerns. It's a superior
solution to `make lint` as pre-commit check. It combines several
additional checks under a single, easy rememberable and convenient make
target:

* build all
* acilint, apiclient, jslint, polint
* make check
* pylint under Python 2 and 3
* subset of unit test suite

https://fedorahosted.org/freeipa/ticket/6604
"""

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#593][comment] Add make patchcheck for developers

2017-03-29 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/593
Title: #593: Add make patchcheck for developers 

tiran commented:
"""
All dependencies have been merged. PR is ready for review.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/593#issuecomment-287372325
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#593][synchronized] Add make patchcheck for developers

2017-03-29 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/593
Author: tiran
 Title: #593: Add make patchcheck for developers 
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/593/head:pr593
git checkout pr593
From 7c1f30c54efdee5ec687659c0ff7426fd1eabc8e Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Wed, 15 Mar 2017 08:31:38 +0100
Subject: [PATCH 1/2] Add make patchcheck for developers

Ticket 6604 makes pylint and jsl optional dependencies. The change
is controversal, because some developers prefer that pylint and jsl
should be required unless explicitly disabled.

`make patchcheck` is my answer to address the concerns. It's a superior
solution to `make lint` as pre-commit check. It combines several
additional checks under a single, easy rememberable and convenient make
target:

* build all
* acilint, apiclient, jslint, polint
* make check
* pylint under Python 2 and 3
* subset of unit test suite

https://fedorahosted.org/freeipa/ticket/6604

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 Makefile.am  | 31 ++-
 configure.ac | 12 
 ipatests/util.py | 28 ++--
 3 files changed, 56 insertions(+), 15 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index af22315..2097030 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -152,6 +152,35 @@ JSLINT_TARGET = jslint
 endif WITH_JSLINT
 lint: acilint apilint $(POLINT_TARGET) $(PYLINT_TARGET) $(JSLINT_TARGET)
 
+.PHONY: patchcheck
+patchcheck: all
+if ! WITH_POLINT
+	@echo "ERROR: polint not available"; exit 1
+endif
+if ! WITH_PYLINT
+	@echo "ERROR: pylint not available"; exit 1
+endif
+if ! WITH_JSLINT
+	@echo "ERROR: jslint not available"; exit 1
+endif
+if ! WITH_PYTHON2
+	@echo "ERROR: python2 not available"; exit 1
+endif
+	@ # run all linters, tests, and check with Python 2
+	PYTHONPATH=$(top_srcdir) $(PYTHON2) ipatests/ipa-run-tests \
+	--ipaclient-unittests
+	$(MAKE) $(AM_MAKEFLAGS) acilint apilint polint jslint check
+	$(MAKE) $(AM_MAKEFLAGS) PYTHON=$(PYTHON2) pylint
+if WITH_PYTHON3
+	@ # just tests and pylint on Python 3
+	PYTHONPATH=$(top_srcdir) $(PYTHON3) ipatests/ipa-run-tests \
+	--ipaclient-unittests
+	$(MAKE) $(AM_MAKEFLAGS) PYTHON=$(PYTHON3) pylint
+else
+	@echo "WARNING: python3 not available"
+endif
+	@echo "All tests passed."
+
 .PHONY: $(top_builddir)/ipapython/version.py
 $(top_builddir)/ipapython/version.py:
 	(cd $(top_builddir)/ipapython && make version.py)
@@ -188,7 +217,7 @@ pylint: $(top_builddir)/ipapython/version.py ipasetup.py
 		-name '*~' -o \
 		-name '*.py' -print -o \
 		-type f -exec grep -qsm1 '^#!.*\bpython' '{}' \; -print`; \
-	echo "Pylint is running, please wait ..."; \
+	echo "Pylint on $(PYTHON) is running, please wait ..."; \
 	PYTHONPATH=$(top_srcdir) $(PYTHON) -m pylint \
 		--rcfile=$(top_srcdir)/pylintrc \
 		--load-plugins pylint_plugins \
diff --git a/configure.ac b/configure.ac
index f5c5270..0174320 100644
--- a/configure.ac
+++ b/configure.ac
@@ -111,6 +111,18 @@ if test "x$PYTHON" = "x" ; then
 fi
 
 dnl ---
+dnl - Check for Python 2/3 for patchcheck
+dnl ---
+
+AC_PATH_PROG(PYTHON2, python2)
+AC_SUBST([PYTHON2])
+AM_CONDITIONAL([WITH_PYTHON2], [test "x${PYTHON2}" != "x"])
+
+AC_PATH_PROG(PYTHON3, python3)
+AC_SUBST([PYTHON3])
+AM_CONDITIONAL([WITH_PYTHON3], [test "x${PYTHON3}" != "x"])
+
+dnl ---
 dnl - Check for cmocka unit test framework http://cmocka.cryptomilk.org/
 dnl ---
 PKG_CHECK_EXISTS(cmocka,
diff --git a/ipatests/util.py b/ipatests/util.py
index d877dcc..575d5cc 100644
--- a/ipatests/util.py
+++ b/ipatests/util.py
@@ -194,9 +194,9 @@ class Fuzzy(object):
 Use of a regular expression by default implies the ``unicode`` type, so
 comparing with an ``str`` instance will evaluate to ``False``:
 
->>> phone.type
-
->>> '123-456-7890' == phone
+>>> phone.type is six.text_type
+True
+>>> b'123-456-7890' == phone
 False
 
 The *type* kwarg allows you to specify a type constraint, so you can force
@@ -236,15 +236,15 @@ class Fuzzy(object):
 >>> fuzzy = Fuzzy('.+', type=str, test=lambda other: True)
 >>> fuzzy.regex
 '.+'
->>> fuzzy.type
-
+>>> fuzzy.type is str
+True
 >>> fuzzy.test  # doctest:+ELLIPSIS
  at 0x...>
 
 To aid debugging, `Fuzzy.__repr__()` reveals these kwargs as well:
 
 >>

  1   2   3   4   5   6   7   8   >