Re: [Freeipa-devel] [PATCH] 371 Added support for changing vault encryption.

2015-08-25 Thread Martin Basti



On 08/20/2015 08:59 AM, Endi Sukma Dewata wrote:

On 8/19/2015 4:58 AM, Martin Basti wrote:

On 08/13/2015 07:11 PM, Endi Sukma Dewata wrote:

On 8/13/2015 8:06 AM, Martin Basti wrote:

The vault-mod command has been modified to support changing vault
encryption attributes (i.e. type, password, public/private keys)
in addition to normal attributes (i.e. description). Changing the
encryption requires retrieving the stored secret with the old
attributes and rearchiving it with the new attributes.

https://fedorahosted.org/freeipa/ticket/5176


Hello, does this patch require any additional patches?

I have current master branch and I cannot apply it.

git am freeipa-edewata-0371-Added-support-for-changing-vault-encryption.patch -3

Applying: Added support for changing vault encryption.
error: invalid object 100644 3b62822366a62c90f843a6293589c28383e782ef for 'ipalib/plugins/vault.py'
fatal: git-write-tree: error building trees
Repository lacks necessary blobs to fall back on 3-way merge.


Martin^2


New patch attached. It requires patch #0369-3.


I cannot apply patch (and 369-3 was pushed)

git am freeipa-edewata-0371-1-Added-support-for-changing-vault-encryption.patch -3

Applying: Added support for changing vault encryption.
error: invalid object 100644 5d367b376ef41427ed983f3eafe120ed477018d2 for 'ipalib/plugins/vault.py'
fatal: git-write-tree: error building trees
Repository lacks necessary blobs to fall back on 3-way merge.
Cannot fall back to three-way merge.


Rebased.


ACK works as expected.

This is an optional nitpick, we can fix it later:

1)
This should be asymmetric vault, not symmetric
+ Modify symmetric vault keys:
+   ipa vault-mod name
+   [--user user|--service service|--shared]
+   --private-key-file old private key file
+   --public-key-file new public key file

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH] 371 Added support for changing vault encryption.

2015-08-25 Thread Petr Vobornik

On 08/25/2015 04:51 PM, Martin Basti wrote:



On 08/20/2015 08:59 AM, Endi Sukma Dewata wrote:

On 8/19/2015 4:58 AM, Martin Basti wrote:

On 08/13/2015 07:11 PM, Endi Sukma Dewata wrote:

On 8/13/2015 8:06 AM, Martin Basti wrote:

The vault-mod command has been modified to support changing vault
encryption attributes (i.e. type, password, public/private keys)
in addition to normal attributes (i.e. description). Changing the
encryption requires retrieving the stored secret with the old
attributes and rearchiving it with the new attributes.

https://fedorahosted.org/freeipa/ticket/5176


Hello, does this patch require any additional patches?

I have current master branch and I cannot apply it.

git am freeipa-edewata-0371-Added-support-for-changing-vault-encryption.patch -3

Applying: Added support for changing vault encryption.
error: invalid object 100644 3b62822366a62c90f843a6293589c28383e782ef for 'ipalib/plugins/vault.py'
fatal: git-write-tree: error building trees
Repository lacks necessary blobs to fall back on 3-way merge.


Martin^2


New patch attached. It requires patch #0369-3.


I cannot apply patch (and 369-3 was pushed)

git am freeipa-edewata-0371-1-Added-support-for-changing-vault-encryption.patch -3

Applying: Added support for changing vault encryption.
error: invalid object 100644 5d367b376ef41427ed983f3eafe120ed477018d2 for 'ipalib/plugins/vault.py'
fatal: git-write-tree: error building trees
Repository lacks necessary blobs to fall back on 3-way merge.
Cannot fall back to three-way merge.


Rebased.


ACK works as expected.

This is an optional nitpick, we can fix it later:

1)
This should be asymmetric vault, not symmetric
+ Modify symmetric vault keys:
+   ipa vault-mod name
+   [--user user|--service service|--shared]
+   --private-key-file old private key file
+   --public-key-file new public key file



Rebased, nitpick fixed.

Pushed to:
master: e46d9236d19f714b67fdf2865f19146c3016f46d
ipa-4-2: d4969ede51e6098e962ff660daf13e8c61d4ac28
--
Petr Vobornik



Re: [Freeipa-devel] [PATCH] 371 Added support for changing vault encryption.

2015-08-20 Thread Endi Sukma Dewata

On 8/19/2015 4:58 AM, Martin Basti wrote:

On 08/13/2015 07:11 PM, Endi Sukma Dewata wrote:

On 8/13/2015 8:06 AM, Martin Basti wrote:

The vault-mod command has been modified to support changing vault
encryption attributes (i.e. type, password, public/private keys)
in addition to normal attributes (i.e. description). Changing the
encryption requires retrieving the stored secret with the old
attributes and rearchiving it with the new attributes.

https://fedorahosted.org/freeipa/ticket/5176


Hello, does this patch require any additional patches?

I have current master branch and I cannot apply it.

git am freeipa-edewata-0371-Added-support-for-changing-vault-encryption.patch -3

Applying: Added support for changing vault encryption.
error: invalid object 100644 3b62822366a62c90f843a6293589c28383e782ef for 'ipalib/plugins/vault.py'
fatal: git-write-tree: error building trees
Repository lacks necessary blobs to fall back on 3-way merge.


Martin^2


New patch attached. It requires patch #0369-3.


I cannot apply patch (and 369-3 was pushed)

git am freeipa-edewata-0371-1-Added-support-for-changing-vault-encryption.patch -3

Applying: Added support for changing vault encryption.
error: invalid object 100644 5d367b376ef41427ed983f3eafe120ed477018d2 for 'ipalib/plugins/vault.py'
fatal: git-write-tree: error building trees
Repository lacks necessary blobs to fall back on 3-way merge.
Cannot fall back to three-way merge.


Rebased.

--
Endi S. Dewata
From 78d31f8201ab63ecfe93a3f126654a57e9c14d3f Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Fri, 31 Jul 2015 07:53:15 +0200
Subject: [PATCH] Added support for changing vault encryption.

The vault-mod command has been modified to support changing vault
encryption attributes (i.e. type, password, public/private keys)
in addition to normal attributes (i.e. description). Changing the
encryption requires retrieving the stored secret with the old
attributes and rearchiving it with the new attributes.

https://fedorahosted.org/freeipa/ticket/5176
---
 API.txt   |  27 +++-
 VERSION   |   4 +-
 ipalib/plugins/vault.py   | 231 +--
 ipatests/test_xmlrpc/test_vault_plugin.py | 249 ++
 4 files changed, 497 insertions(+), 14 deletions(-)

diff --git a/API.txt b/API.txt
index 
f23d9a40c647a3c4d209419631794cd36e8e5e2f..749aa41d5cab60e4f2acf7486135ad066db7a8a6
 100644
--- a/API.txt
+++ b/API.txt
@@ -5466,11 +5466,12 @@ output: Output('completed', type 'int', None)
 output: Output('failed', type 'dict', None)
 output: Entry('result', type 'dict', Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
 command: vault_archive
-args: 1,10,3
+args: 1,11,3
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
 option: Bytes('data?')
 option: Str('in?')
+option: Flag('override_password?', autofill=True, default=False)
 option: Str('password?', cli_name='password')
 option: Str('password_file?', cli_name='password_file')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
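
Review bot: 'override_password' is added to vault_archive as an ordinary public option, so every API client can set it, not only the new vault_mod path, and API.txt gives no hint of which check it disables. If it skips verifying the supplied password against the one the vault is already encrypted with, that behaviour should be stated in the option's doc string, and the flag is better kept out of the CLI and set only by vault_mod when it re-archives the secret.
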
@@ -5530,6 +5531,30 @@ output: ListOfEntries('result', (type 'list', type 
'tuple'), Gettext('A list
 output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: Output('truncated', type 'bool', None)
 command: vault_mod
+args: 1,18,3
+arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
+option: Flag('change_password?', autofill=True, default=False)
+option: Str('description?', cli_name='desc')
+option: Bytes('ipavaultpublickey?', cli_name='public_key')
+option: Bytes('ipavaultsalt?', cli_name='salt')
+option: Str('ipavaulttype?', cli_name='type')
+option: Str('new_password?', cli_name='new_password')
+option: Str('new_password_file?', cli_name='new_password_file')
+option: Str('old_password?', cli_name='old_password')
+option: Str('old_password_file?', cli_name='old_password_file')
+option: Bytes('private_key?', cli_name='private_key')
+option: Str('private_key_file?', cli_name='private_key_file')
+option: Str('public_key_file?', cli_name='public_key_file')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Str('service?')
+option: Flag('shared?', autofill=True, default=False)
+option: Str('username?', cli_name='user')
+option: Str('version?', exclude='webui')
+output: Entry('result', type 'dict', Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
+output: Output('summary', (type 'unicode', type 'NoneType'), None)
+output: PrimaryKey('value', 
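
Review bot: 'old_password', 'new_password' and 'private_key' in the new vault_mod option list all carry a cli_name, so the material that protects the vault can be passed as command-line arguments, where it lands in shell history and is readable from the process list while the command runs. The '_file' variants are already in the list; consider keeping the inline forms for API callers only and prompting interactively on the CLI when no file is given.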

Re: [Freeipa-devel] [PATCH] 371 Added support for changing vault encryption.

2015-08-13 Thread Martin Basti



On 08/04/2015 01:20 AM, Endi Sukma Dewata wrote:

The vault-mod command has been modified to support changing vault
encryption attributes (i.e. type, password, public/private keys)
in addition to normal attributes (i.e. description). Changing the
encryption requires retrieving the stored secret with the old
attributes and rearchiving it with the new attributes.

https://fedorahosted.org/freeipa/ticket/5176




Hello, does this patch require any additional patches?

I have current master branch and I cannot apply it.

git am freeipa-edewata-0371-Added-support-for-changing-vault-encryption.patch -3

Applying: Added support for changing vault encryption.
error: invalid object 100644 3b62822366a62c90f843a6293589c28383e782ef for 'ipalib/plugins/vault.py'
fatal: git-write-tree: error building trees
Repository lacks necessary blobs to fall back on 3-way merge.


Martin^2

Re: [Freeipa-devel] [PATCH] 371 Added support for changing vault encryption.

2015-08-13 Thread Endi Sukma Dewata

On 8/13/2015 8:06 AM, Martin Basti wrote:

The vault-mod command has been modified to support changing vault
encryption attributes (i.e. type, password, public/private keys)
in addition to normal attributes (i.e. description). Changing the
encryption requires retrieving the stored secret with the old
attributes and rearchiving it with the new attributes.

https://fedorahosted.org/freeipa/ticket/5176


Hello, does this patch require any additional patches?

I have current master branch and I cannot apply it.

git am freeipa-edewata-0371-Added-support-for-changing-vault-encryption.patch -3

Applying: Added support for changing vault encryption.
error: invalid object 100644 3b62822366a62c90f843a6293589c28383e782ef for 'ipalib/plugins/vault.py'
fatal: git-write-tree: error building trees
Repository lacks necessary blobs to fall back on 3-way merge.


Martin^2


New patch attached. It requires patch #0369-3.

--
Endi S. Dewata
From b06e859e51a177369c27c52bff8a70263aed59c0 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Fri, 31 Jul 2015 07:53:15 +0200
Subject: [PATCH] Added support for changing vault encryption.

The vault-mod command has been modified to support changing vault
encryption attributes (i.e. type, password, public/private keys)
in addition to normal attributes (i.e. description). Changing the
encryption requires retrieving the stored secret with the old
attributes and rearchiving it with the new attributes.

https://fedorahosted.org/freeipa/ticket/5176
---
 API.txt   |  27 +++-
 VERSION   |   4 +-
 ipalib/plugins/vault.py   | 232 ++--
 ipatests/test_xmlrpc/test_vault_plugin.py | 246 ++
 4 files changed, 495 insertions(+), 14 deletions(-)

diff --git a/API.txt b/API.txt
index 
9dbf86aedf2a1b62dabab21fb30bbceb2f0f237b..26f05cf9e1e27ec4f714bb34174e17972961bda2
 100644
--- a/API.txt
+++ b/API.txt
@@ -5466,11 +5466,12 @@ output: Output('completed', type 'int', None)
 output: Output('failed', type 'dict', None)
 output: Entry('result', type 'dict', Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
 command: vault_archive
-args: 1,10,3
+args: 1,11,3
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
 option: Bytes('data?')
 option: Str('in?')
+option: Flag('override_password?', autofill=True, default=False)
 option: Str('password?', cli_name='password')
 option: Str('password_file?', cli_name='password_file')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
@@ -5528,6 +5529,30 @@ output: ListOfEntries('result', (type 'list', type 
'tuple'), Gettext('A list
 output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: Output('truncated', type 'bool', None)
 command: vault_mod
+args: 1,18,3
+arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
+option: Flag('change_password?', autofill=True, default=False)
+option: Str('description?', cli_name='desc')
+option: Bytes('ipavaultpublickey?', cli_name='public_key')
+option: Bytes('ipavaultsalt?', cli_name='salt')
+option: Str('ipavaulttype?', cli_name='type')
+option: Str('new_password?', cli_name='new_password')
+option: Str('new_password_file?', cli_name='new_password_file')
+option: Str('old_password?', cli_name='old_password')
+option: Str('old_password_file?', cli_name='old_password_file')
+option: Bytes('private_key?', cli_name='private_key')
+option: Str('private_key_file?', cli_name='private_key_file')
+option: Str('public_key_file?', cli_name='public_key_file')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Str('service?')
+option: Flag('shared?', autofill=True, default=False)
+option: Str('username?', cli_name='user')
+option: Str('version?', exclude='webui')
+output: Entry('result', type 'dict', Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
+output: Output('summary', (type 'unicode', type 'NoneType'), None)
+output: PrimaryKey('value', None, None)
+command: vault_mod_internal
 args: 1,15,3
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
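
Review bot: 'ipavaultsalt' is exposed on vault_mod as a caller-settable option with cli_name='salt'. On a password change the salt should be fresh random bytes every time; taking it from the caller allows a fixed or reused salt, which weakens the key derived from the new password. Unless there is a concrete use case for supplying it, generate the salt inside the command and drop the CLI option.
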
diff --git a/VERSION b/VERSION
index 
c42bea06522dae55e1a89ff94ae394594086b467..feb9f4db92c7c7b95e9e5d5907b1f97e96b26886
 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412
 #  

[Freeipa-devel] [PATCH] 371 Added support for changing vault encryption.

2015-08-03 Thread Endi Sukma Dewata

The vault-mod command has been modified to support changing vault
encryption attributes (i.e. type, password, public/private keys)
in addition to normal attributes (i.e. description). Changing the
encryption requires retrieving the stored secret with the old
attributes and rearchiving it with the new attributes.

https://fedorahosted.org/freeipa/ticket/5176

--
Endi S. Dewata
From e80928fa8e8a099576fcdbff08fd90a634600825 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata edew...@redhat.com
Date: Fri, 31 Jul 2015 07:53:15 +0200
Subject: [PATCH] Added support for changing vault encryption.

The vault-mod command has been modified to support changing vault
encryption attributes (i.e. type, password, public/private keys)
in addition to normal attributes (i.e. description). Changing the
encryption requires retrieving the stored secret with the old
attributes and rearchiving it with the new attributes.

https://fedorahosted.org/freeipa/ticket/5176
---
 API.txt |  27 +-
 VERSION |   4 +-
 ipalib/plugins/vault.py | 239 
 3 files changed, 248 insertions(+), 22 deletions(-)

diff --git a/API.txt b/API.txt
index 
00b47b8709c81217d7f2a69e719093f4a04f1734..bd5c48998056ab94729cb1b475bf444707a883cb
 100644
--- a/API.txt
+++ b/API.txt
@@ -5466,11 +5466,12 @@ output: Output('completed', type 'int', None)
 output: Output('failed', type 'dict', None)
 output: Entry('result', type 'dict', Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
 command: vault_archive
-args: 1,10,3
+args: 1,11,3
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
 option: Bytes('data?')
 option: Str('in?')
+option: Flag('override_password?', autofill=True, default=False)
 option: Str('password?', cli_name='password')
 option: Str('password_file?', cli_name='password_file')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
@@ -5528,6 +5529,30 @@ output: ListOfEntries('result', (type 'list', type 
'tuple'), Gettext('A list
 output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: Output('truncated', type 'bool', None)
 command: vault_mod
+args: 1,18,3
+arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
+option: Flag('change_password?', autofill=True, default=False)
+option: Str('description?', cli_name='desc')
+option: Bytes('ipavaultsalt?', cli_name='salt')
+option: Str('ipavaulttype?', cli_name='type')
+option: Str('new_password?', cli_name='new_password')
+option: Str('new_password_file?', cli_name='new_password_file')
+option: Str('old_password?', cli_name='old_password')
+option: Str('old_password_file?', cli_name='old_password_file')
+option: Bytes('private_key?', cli_name='private_key')
+option: Str('private_key_file?', cli_name='private_key_file')
+option: Bytes('public_key?', cli_name='public_key')
+option: Str('public_key_file?', cli_name='public_key_file')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Str('servicename?', cli_name='service')
+option: Flag('shared?', autofill=True, default=False)
+option: Str('username?', cli_name='user')
+option: Str('version?', exclude='webui')
+output: Entry('result', type 'dict', Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
+output: Output('summary', (type 'unicode', type 'NoneType'), None)
+output: PrimaryKey('value', None, None)
+command: vault_mod_internal
 args: 1,15,3
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
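
Review bot: The vault_mod signature accepts option combinations that contradict each other, for example 'change_password' together with 'public_key_file', or 'new_password' without 'change_password', and nothing in this list says which one wins. The command should reject such combinations with an explicit error before it retrieves the secret. A smaller point: 'ipavaultsalt' and 'ipavaulttype' are named after the LDAP attribute while 'public_key' is not; one scheme for all three would be easier to follow.
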
diff --git a/VERSION b/VERSION
index 
c42bea06522dae55e1a89ff94ae394594086b467..feb9f4db92c7c7b95e9e5d5907b1f97e96b26886
 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412
 #  #
 
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=149
-# Last change: edewata - Added CLI param and ACL for vault service operations
+IPA_API_VERSION_MINOR=150
+# Last change: edewata - Added support for changing vault encryption.
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index 
3b62822366a62c90f843a6293589c28383e782ef..5bee6aaae8ddd306d4ee0c273143c9d0ffc913d5
 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -133,19 +133,36 @@ EXAMPLES:
ipa vault-show name --shared
 ) + _(
  Show a user vault:
-   ipa vault-show name --user username
+