Re: [Freeipa-devel] [PATCH] 371 Added support for changing vault encryption.
On 08/20/2015 08:59 AM, Endi Sukma Dewata wrote: On 8/19/2015 4:58 AM, Martin Basti wrote: On 08/13/2015 07:11 PM, Endi Sukma Dewata wrote: On 8/13/2015 8:06 AM, Martin Basti wrote: The vault-mod command has been modified to support changing vault encryption attributes (i.e. type, password, public/private keys) in addition to normal attributes (i.e. description). Changing the encryption requires retrieving the stored secret with the old attributes and rearchieving it with the new attributes. https://fedorahosted.org/freeipa/ticket/5176 Hello, does this patch require any additional patches? I have current master branch and I cannot apply it. git am freeipa-edewata-0371-Added-support-for-changing-vault-encryption.patch -3 Applying: Added support for changing vault encryption. error: invalid object 100644 3b62822366a62c90f843a6293589c28383e782ef for 'ipalib/plugins/vault.py' fatal: git-write-tree: error building trees Repository lacks necessary blobs to fall back on 3-way merge. Martin^2 New patch attached. It requires patch #0369-3. I cannot apply patch (and 369-3 was pushed) git am freeipa-edewata-0371-1-Added-support-for-changing-vault-encryption.patch -3 Applying: Added support for changing vault encryption. error: invalid object 100644 5d367b376ef41427ed983f3eafe120ed477018d2 for 'ipalib/plugins/vault.py' fatal: git-write-tree: error building trees Repository lacks necessary blobs to fall back on 3-way merge. Cannot fall back to three-way merge. Rebased. ACK works as expected. This is optional nitpick, we can fix it later: 1) This should be asymmetric vault not symmetric + Modify symmetric vault keys: + ipa vault-mod name + [--user user|--service service|--shared] + --private-key-file old private key file + --public-key-file new public key file -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 371 Added support for changing vault encryption.
On 08/25/2015 04:51 PM, Martin Basti wrote: On 08/20/2015 08:59 AM, Endi Sukma Dewata wrote: On 8/19/2015 4:58 AM, Martin Basti wrote: On 08/13/2015 07:11 PM, Endi Sukma Dewata wrote: On 8/13/2015 8:06 AM, Martin Basti wrote: The vault-mod command has been modified to support changing vault encryption attributes (i.e. type, password, public/private keys) in addition to normal attributes (i.e. description). Changing the encryption requires retrieving the stored secret with the old attributes and rearchieving it with the new attributes. https://fedorahosted.org/freeipa/ticket/5176 Hello, does this patch require any additional patches? I have current master branch and I cannot apply it. git am freeipa-edewata-0371-Added-support-for-changing-vault-encryption.patch -3 Applying: Added support for changing vault encryption. error: invalid object 100644 3b62822366a62c90f843a6293589c28383e782ef for 'ipalib/plugins/vault.py' fatal: git-write-tree: error building trees Repository lacks necessary blobs to fall back on 3-way merge. Martin^2 New patch attached. It requires patch #0369-3. I cannot apply patch (and 369-3 was pushed) git am freeipa-edewata-0371-1-Added-support-for-changing-vault-encryption.patch -3 Applying: Added support for changing vault encryption. error: invalid object 100644 5d367b376ef41427ed983f3eafe120ed477018d2 for 'ipalib/plugins/vault.py' fatal: git-write-tree: error building trees Repository lacks necessary blobs to fall back on 3-way merge. Cannot fall back to three-way merge. Rebased. ACK works as expected. This is optional nitpick, we can fix it later: 1) This should be asymmetric vault not symmetric + Modify symmetric vault keys: + ipa vault-mod name + [--user user|--service service|--shared] + --private-key-file old private key file + --public-key-file new public key file Rebased, nitpick fixed. Pushed to: master: e46d9236d19f714b67fdf2865f19146c3016f46d ipa-4-2: d4969ede51e6098e962ff660daf13e8c61d4ac28 -- Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 371 Added support for changing vault encryption.
On 8/19/2015 4:58 AM, Martin Basti wrote: On 08/13/2015 07:11 PM, Endi Sukma Dewata wrote: On 8/13/2015 8:06 AM, Martin Basti wrote: The vault-mod command has been modified to support changing vault encryption attributes (i.e. type, password, public/private keys) in addition to normal attributes (i.e. description). Changing the encryption requires retrieving the stored secret with the old attributes and rearchieving it with the new attributes. https://fedorahosted.org/freeipa/ticket/5176 Hello, does this patch require any additional patches? I have current master branch and I cannot apply it. git am freeipa-edewata-0371-Added-support-for-changing-vault-encryption.patch -3 Applying: Added support for changing vault encryption. error: invalid object 100644 3b62822366a62c90f843a6293589c28383e782ef for 'ipalib/plugins/vault.py' fatal: git-write-tree: error building trees Repository lacks necessary blobs to fall back on 3-way merge. Martin^2 New patch attached. It requires patch #0369-3. I cannot apply patch (and 369-3 was pushed) git am freeipa-edewata-0371-1-Added-support-for-changing-vault-encryption.patch -3 Applying: Added support for changing vault encryption. error: invalid object 100644 5d367b376ef41427ed983f3eafe120ed477018d2 for 'ipalib/plugins/vault.py' fatal: git-write-tree: error building trees Repository lacks necessary blobs to fall back on 3-way merge. Cannot fall back to three-way merge. Rebased. -- Endi S. Dewata From 78d31f8201ab63ecfe93a3f126654a57e9c14d3f Mon Sep 17 00:00:00 2001 From: Endi S. Dewata edew...@redhat.com Date: Fri, 31 Jul 2015 07:53:15 +0200 Subject: [PATCH] Added support for changing vault encryption. The vault-mod command has been modified to support changing vault encryption attributes (i.e. type, password, public/private keys) in addition to normal attributes (i.e. description). Changing the encryption requires retrieving the stored secret with the old attributes and rearchiving it with the new attributes. https://fedorahosted.org/freeipa/ticket/5176 --- API.txt | 27 +++- VERSION | 4 +- ipalib/plugins/vault.py | 231 +-- ipatests/test_xmlrpc/test_vault_plugin.py | 249 ++ 4 files changed, 497 insertions(+), 14 deletions(-) diff --git a/API.txt b/API.txt index f23d9a40c647a3c4d209419631794cd36e8e5e2f..749aa41d5cab60e4f2acf7486135ad066db7a8a6 100644 --- a/API.txt +++ b/API.txt @@ -5466,11 +5466,12 @@ output: Output('completed', type 'int', None) output: Output('failed', type 'dict', None) output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) command: vault_archive -args: 1,10,3 +args: 1,11,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Bytes('data?') option: Str('in?') +option: Flag('override_password?', autofill=True, default=False) option: Str('password?', cli_name='password') option: Str('password_file?', cli_name='password_file') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') @@ -5530,6 +5531,30 @@ output: ListOfEntries('result', (type 'list', type 'tuple'), Gettext('A list output: Output('summary', (type 'unicode', type 'NoneType'), None) output: Output('truncated', type 'bool', None) command: vault_mod +args: 1,18,3 +arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('change_password?', autofill=True, default=False) +option: Str('description?', cli_name='desc') +option: Bytes('ipavaultpublickey?', cli_name='public_key') +option: Bytes('ipavaultsalt?', cli_name='salt') +option: Str('ipavaulttype?', cli_name='type') +option: Str('new_password?', cli_name='new_password') +option: Str('new_password_file?', cli_name='new_password_file') +option: Str('old_password?', cli_name='old_password') +option: Str('old_password_file?', cli_name='old_password_file') +option: Bytes('private_key?', cli_name='private_key') +option: Str('private_key_file?', cli_name='private_key_file') +option: Str('public_key_file?', cli_name='public_key_file') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('service?') +option: Flag('shared?', autofill=True, default=False) +option: Str('username?', cli_name='user') +option: Str('version?', exclude='webui') +output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (type 'unicode', type 'NoneType'), None) +output: PrimaryKey('value',
Re: [Freeipa-devel] [PATCH] 371 Added support for changing vault encryption.
On 08/04/2015 01:20 AM, Endi Sukma Dewata wrote: The vault-mod command has been modified to support changing vault encryption attributes (i.e. type, password, public/private keys) in addition to normal attributes (i.e. description). Changing the encryption requires retrieving the stored secret with the old attributes and rearchieving it with the new attributes. https://fedorahosted.org/freeipa/ticket/5176 Hello, does this patch require any additional patches? I have current master branch and I cannot apply it. git am freeipa-edewata-0371-Added-support-for-changing-vault-encryption.patch -3 Applying: Added support for changing vault encryption. error: invalid object 100644 3b62822366a62c90f843a6293589c28383e782ef for 'ipalib/plugins/vault.py' fatal: git-write-tree: error building trees Repository lacks necessary blobs to fall back on 3-way merge. Martin^2 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 371 Added support for changing vault encryption.
On 8/13/2015 8:06 AM, Martin Basti wrote: The vault-mod command has been modified to support changing vault encryption attributes (i.e. type, password, public/private keys) in addition to normal attributes (i.e. description). Changing the encryption requires retrieving the stored secret with the old attributes and rearchieving it with the new attributes. https://fedorahosted.org/freeipa/ticket/5176 Hello, does this patch require any additional patches? I have current master branch and I cannot apply it. git am freeipa-edewata-0371-Added-support-for-changing-vault-encryption.patch -3 Applying: Added support for changing vault encryption. error: invalid object 100644 3b62822366a62c90f843a6293589c28383e782ef for 'ipalib/plugins/vault.py' fatal: git-write-tree: error building trees Repository lacks necessary blobs to fall back on 3-way merge. Martin^2 New patch attached. It requires patch #0369-3. -- Endi S. Dewata From b06e859e51a177369c27c52bff8a70263aed59c0 Mon Sep 17 00:00:00 2001 From: Endi S. Dewata edew...@redhat.com Date: Fri, 31 Jul 2015 07:53:15 +0200 Subject: [PATCH] Added support for changing vault encryption. The vault-mod command has been modified to support changing vault encryption attributes (i.e. type, password, public/private keys) in addition to normal attributes (i.e. description). Changing the encryption requires retrieving the stored secret with the old attributes and rearchiving it with the new attributes. https://fedorahosted.org/freeipa/ticket/5176 --- API.txt | 27 +++- VERSION | 4 +- ipalib/plugins/vault.py | 232 ++-- ipatests/test_xmlrpc/test_vault_plugin.py | 246 ++ 4 files changed, 495 insertions(+), 14 deletions(-) diff --git a/API.txt b/API.txt index 9dbf86aedf2a1b62dabab21fb30bbceb2f0f237b..26f05cf9e1e27ec4f714bb34174e17972961bda2 100644 --- a/API.txt +++ b/API.txt @@ -5466,11 +5466,12 @@ output: Output('completed', type 'int', None) output: Output('failed', type 'dict', None) output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) command: vault_archive -args: 1,10,3 +args: 1,11,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Bytes('data?') option: Str('in?') +option: Flag('override_password?', autofill=True, default=False) option: Str('password?', cli_name='password') option: Str('password_file?', cli_name='password_file') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') @@ -5528,6 +5529,30 @@ output: ListOfEntries('result', (type 'list', type 'tuple'), Gettext('A list output: Output('summary', (type 'unicode', type 'NoneType'), None) output: Output('truncated', type 'bool', None) command: vault_mod +args: 1,18,3 +arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('change_password?', autofill=True, default=False) +option: Str('description?', cli_name='desc') +option: Bytes('ipavaultpublickey?', cli_name='public_key') +option: Bytes('ipavaultsalt?', cli_name='salt') +option: Str('ipavaulttype?', cli_name='type') +option: Str('new_password?', cli_name='new_password') +option: Str('new_password_file?', cli_name='new_password_file') +option: Str('old_password?', cli_name='old_password') +option: Str('old_password_file?', cli_name='old_password_file') +option: Bytes('private_key?', cli_name='private_key') +option: Str('private_key_file?', cli_name='private_key_file') +option: Str('public_key_file?', cli_name='public_key_file') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('service?') +option: Flag('shared?', autofill=True, default=False) +option: Str('username?', cli_name='user') +option: Str('version?', exclude='webui') +output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (type 'unicode', type 'NoneType'), None) +output: PrimaryKey('value', None, None) +command: vault_mod_internal args: 1,15,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') diff --git a/VERSION b/VERSION index c42bea06522dae55e1a89ff94ae394594086b467..feb9f4db92c7c7b95e9e5d5907b1f97e96b26886 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412 #
[Freeipa-devel] [PATCH] 371 Added support for changing vault encryption.
The vault-mod command has been modified to support changing vault encryption attributes (i.e. type, password, public/private keys) in addition to normal attributes (i.e. description). Changing the encryption requires retrieving the stored secret with the old attributes and rearchieving it with the new attributes. https://fedorahosted.org/freeipa/ticket/5176 -- Endi S. Dewata From e80928fa8e8a099576fcdbff08fd90a634600825 Mon Sep 17 00:00:00 2001 From: Endi S. Dewata edew...@redhat.com Date: Fri, 31 Jul 2015 07:53:15 +0200 Subject: [PATCH] Added support for changing vault encryption. The vault-mod command has been modified to support changing vault encryption attributes (i.e. type, password, public/private keys) in addition to normal attributes (i.e. description). Changing the encryption requires retrieving the stored secret with the old attributes and rearchieving it with the new attributes. https://fedorahosted.org/freeipa/ticket/5176 --- API.txt | 27 +- VERSION | 4 +- ipalib/plugins/vault.py | 239 3 files changed, 248 insertions(+), 22 deletions(-) diff --git a/API.txt b/API.txt index 00b47b8709c81217d7f2a69e719093f4a04f1734..bd5c48998056ab94729cb1b475bf444707a883cb 100644 --- a/API.txt +++ b/API.txt @@ -5466,11 +5466,12 @@ output: Output('completed', type 'int', None) output: Output('failed', type 'dict', None) output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) command: vault_archive -args: 1,10,3 +args: 1,11,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Bytes('data?') option: Str('in?') +option: Flag('override_password?', autofill=True, default=False) option: Str('password?', cli_name='password') option: Str('password_file?', cli_name='password_file') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') @@ -5528,6 +5529,30 @@ output: ListOfEntries('result', (type 'list', type 'tuple'), Gettext('A list output: Output('summary', (type 'unicode', type 'NoneType'), None) output: Output('truncated', type 'bool', None) command: vault_mod +args: 1,18,3 +arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('change_password?', autofill=True, default=False) +option: Str('description?', cli_name='desc') +option: Bytes('ipavaultsalt?', cli_name='salt') +option: Str('ipavaulttype?', cli_name='type') +option: Str('new_password?', cli_name='new_password') +option: Str('new_password_file?', cli_name='new_password_file') +option: Str('old_password?', cli_name='old_password') +option: Str('old_password_file?', cli_name='old_password_file') +option: Bytes('private_key?', cli_name='private_key') +option: Str('private_key_file?', cli_name='private_key_file') +option: Bytes('public_key?', cli_name='public_key') +option: Str('public_key_file?', cli_name='public_key_file') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('servicename?', cli_name='service') +option: Flag('shared?', autofill=True, default=False) +option: Str('username?', cli_name='user') +option: Str('version?', exclude='webui') +output: Entry('result', type 'dict', Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +output: Output('summary', (type 'unicode', type 'NoneType'), None) +output: PrimaryKey('value', None, None) +command: vault_mod_internal args: 1,15,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') diff --git a/VERSION b/VERSION index c42bea06522dae55e1a89ff94ae394594086b467..feb9f4db92c7c7b95e9e5d5907b1f97e96b26886 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412 # # IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=149 -# Last change: edewata - Added CLI param and ACL for vault service operations +IPA_API_VERSION_MINOR=150 +# Last change: edewata - Added support for changing vault encryption. diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py index 3b62822366a62c90f843a6293589c28383e782ef..5bee6aaae8ddd306d4ee0c273143c9d0ffc913d5 100644 --- a/ipalib/plugins/vault.py +++ b/ipalib/plugins/vault.py @@ -133,19 +133,36 @@ EXAMPLES: ipa vault-show name --shared ) + _( Show a user vault: - ipa vault-show name --user username +