[Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA

2017-02-15 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/367
Author: stlaz
 Title: #367: Remove nsslib from IPA
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/367/head:pr367
git checkout pr367
From 186c84b68e541dabc51707f0bc93f0c69baa2f6e Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 20 Dec 2016 10:05:36 +0100
Subject: [PATCH 01/12] Remove NSSConnection from the Python RPC module

NSSConnection was causing a lot of trouble in the past and there is
a lot of logic around it just to make it not fail. What's more,
when using NSS to create an SSL connection in FIPS mode, NSS
always requires database password which makes the `ipa` command
totally unusable.

NSSConnection is therefore replaced with Python's
httplib.HTTPSConnection which is OpenSSL based.

The new HTTPS handling class, IPAHTTPSConnection, is prepared
to handle authentication with client certificate for connections
to Dogtag server as RA agent. It also handles a client cert and
private key kept in separate files, as well as encrypted private
key files.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipalib/config.py|   3 ++
 ipalib/constants.py |   1 +
 ipalib/rpc.py   |  70 +++---
 ipalib/util.py  | 106 
 4 files changed, 124 insertions(+), 56 deletions(-)

diff --git a/ipalib/config.py b/ipalib/config.py
index 20591db..8ecada6 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -493,6 +493,9 @@ def _bootstrap(self, **overrides):
 if 'nss_dir' not in self:
 self.nss_dir = self._join('confdir', 'nssdb')
 
+if 'ca_certfile' not in self:
+self.ca_certfile = self._join('confdir', 'ca.crt')
+
 # Set plugins_on_demand:
 if 'plugins_on_demand' not in self:
 self.plugins_on_demand = (self.context == 'cli')
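Review bot: The new `ca_certfile` default carries no comment saying what the file is consumed for, unlike the `# Set plugins_on_demand:` block right below it; suggest a heading comment `# Set ca_certfile: CA bundle used to verify the RPC server's TLS certificate`, presumably its role given that the rpc.py hunk of the 2017-01-12 revision passes `api.env.ca_certfile` straight into `IPAHTTPSConnection` (earlier revisions read `context.ca_certfile`). Since this path becomes the trust anchor for every `SSLTransport` connection, it is worth confirming in `IPAHTTPSConnection` (ipalib/util.py, not in this excerpt) that a missing or unreadable `ca.crt` fails the connection rather than proceeding without verification. `_bootstrap` begins before this hunk. The identical block appears in each earlier revision of the patch further down this thread and would take the same comment.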
diff --git a/ipalib/constants.py b/ipalib/constants.py
index fa20624..82147f3 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -226,6 +226,7 @@
 ('conf_default', object),  # File containing context independent config
 ('plugins_on_demand', object),  # Whether to finalize plugins on-demand (bool)
 ('nss_dir', object),  # Path to nssdb, default {confdir}/nssdb
+('ca_certfile', object),  # Path to CA cert file
 
 # Set in Env._finalize_core():
 ('in_server', object),  # Whether or not running in-server (bool)
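Review bot: The comment on the new `ca_certfile` tuple omits the default even though the adjacent `nss_dir` entry records one and the config.py hunk of this same patch sets it; suggest `('ca_certfile', object),  # Path to CA cert file, default {confdir}/ca.crt`. The same hunk recurs unchanged in every earlier revision of the patch in this thread (2017-01-12 back to 2017-01-04) and would take the same change.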
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 31ed64e..1ea5d60 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -44,7 +44,7 @@
 import gssapi
 from dns import resolver, rdatatype
 from dns.exception import DNSException
-from nss.error import NSPRError
+from ssl import SSLError
 import six
 from six.moves import urllib
 
@@ -60,8 +60,7 @@
 from ipapython.cookie import Cookie
 from ipapython.dnsutil import DNSName
 from ipalib.text import _
-import ipapython.nsslib
-from ipapython.nsslib import NSSConnection
+from ipalib.util import IPAHTTPSConnection
 from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \
  KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, \
  KRB5_REALM_CANT_RESOLVE, KRB5_CC_NOTFOUND, get_principal
@@ -470,48 +469,20 @@ def get_host_info(self, host):
 
 return (host, extra_headers, x509)
 
+
 class SSLTransport(LanguageAwareTransport):
 """Handles an HTTPS transaction to an XML-RPC server."""
-
-def get_connection_dbdir(self):
-"""
-If there is a connections open it may have already initialized
-NSS database. Return the database location used by the connection.
-"""
-for value in context.__dict__.values():
-if not isinstance(value, Connection):
-continue
-if not isinstance(
-getattr(value.conn, '_ServerProxy__transport', None),
-SSLTransport):
-continue
-if hasattr(value.conn._ServerProxy__transport, 'dbdir'):
-return value.conn._ServerProxy__transport.dbdir
-return None
-
 def make_connection(self, host):
 host, self._extra_headers, _x509 = self.get_host_info(host)
 
 if self._connection and host == self._connection[0]:
 return self._connection[1]
 
-dbdir = context.nss_dir
-connection_dbdir = self.get_connection_dbdir()
-
-if connection_dbdir:
-# If an existing connection is already using the same NSS
-# database there is no need to re-initialize.
-no_init = dbdir == connection_dbdir
-
-else:
-# If the NSS database is already being used there is no
-# need to re-initialize.
-no_init = dbdir == ipapython.nsslib.current_dbdir
-
-conn = NSSConnection(host, 443, dbdir=dbdir, 

[Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA

2017-01-12 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/367
Author: stlaz
 Title: #367: Remove nsslib from IPA
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/367/head:pr367
git checkout pr367
From ca18b7f39e5d8f86ad122a5e66124f9e2ea7fcfe Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 20 Dec 2016 10:05:36 +0100
Subject: [PATCH 1/7] Remove NSSConnection from the Python RPC module

NSSConnection was causing a lot of trouble in the past and there is
a lot of logic around it just to make it not fail. What's more,
when using NSS to create an SSL connection in FIPS mode, NSS
always requires database password which makes the `ipa` command
totally unusable.

NSSConnection is therefore replaced with Python's
httplib.HTTPSConnection which is OpenSSL based.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipalib/config.py|  3 ++
 ipalib/constants.py |  1 +
 ipalib/rpc.py   | 70 ---
 ipalib/util.py  | 94 +
 4 files changed, 112 insertions(+), 56 deletions(-)

diff --git a/ipalib/config.py b/ipalib/config.py
index 20591db..8ecada6 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -493,6 +493,9 @@ def _bootstrap(self, **overrides):
 if 'nss_dir' not in self:
 self.nss_dir = self._join('confdir', 'nssdb')
 
+if 'ca_certfile' not in self:
+self.ca_certfile = self._join('confdir', 'ca.crt')
+
 # Set plugins_on_demand:
 if 'plugins_on_demand' not in self:
 self.plugins_on_demand = (self.context == 'cli')
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 81643da..4f40545 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -226,6 +226,7 @@
 ('conf_default', object),  # File containing context independent config
 ('plugins_on_demand', object),  # Whether to finalize plugins on-demand (bool)
 ('nss_dir', object),  # Path to nssdb, default {confdir}/nssdb
+('ca_certfile', object),  # Path to CA cert file
 
 # Set in Env._finalize_core():
 ('in_server', object),  # Whether or not running in-server (bool)
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 921f5cb..0aeea1b 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -44,7 +44,7 @@
 import gssapi
 from dns import resolver, rdatatype
 from dns.exception import DNSException
-from nss.error import NSPRError
+from ssl import SSLError
 import six
 from six.moves import urllib
 
@@ -60,8 +60,7 @@
 from ipapython.cookie import Cookie
 from ipapython.dnsutil import DNSName
 from ipalib.text import _
-import ipapython.nsslib
-from ipapython.nsslib import NSSConnection
+from ipalib.util import IPAHTTPSConnection
 from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \
  KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, \
  KRB5_REALM_CANT_RESOLVE, KRB5_CC_NOTFOUND, get_principal
@@ -470,48 +469,20 @@ def get_host_info(self, host):
 
 return (host, extra_headers, x509)
 
+
 class SSLTransport(LanguageAwareTransport):
 """Handles an HTTPS transaction to an XML-RPC server."""
-
-def get_connection_dbdir(self):
-"""
-If there is a connections open it may have already initialized
-NSS database. Return the database location used by the connection.
-"""
-for value in context.__dict__.values():
-if not isinstance(value, Connection):
-continue
-if not isinstance(
-getattr(value.conn, '_ServerProxy__transport', None),
-SSLTransport):
-continue
-if hasattr(value.conn._ServerProxy__transport, 'dbdir'):
-return value.conn._ServerProxy__transport.dbdir
-return None
-
 def make_connection(self, host):
 host, self._extra_headers, _x509 = self.get_host_info(host)
 
 if self._connection and host == self._connection[0]:
 return self._connection[1]
 
-dbdir = context.nss_dir
-connection_dbdir = self.get_connection_dbdir()
-
-if connection_dbdir:
-# If an existing connection is already using the same NSS
-# database there is no need to re-initialize.
-no_init = dbdir == connection_dbdir
-
-else:
-# If the NSS database is already being used there is no
-# need to re-initialize.
-no_init = dbdir == ipapython.nsslib.current_dbdir
-
-conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init,
- tls_version_min=api.env.tls_version_min,
- tls_version_max=api.env.tls_version_max)
-self.dbdir=dbdir
+conn = IPAHTTPSConnection(
+host, 443,
+api.env.ca_certfile,
+

[Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA

2017-01-10 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/367
Author: stlaz
 Title: #367: Remove nsslib from IPA
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/367/head:pr367
git checkout pr367
From 72343881600556e394923489643029781474bd93 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 20 Dec 2016 10:05:36 +0100
Subject: [PATCH 1/7] Remove NSSConnection from the Python RPC module

NSSConnection was causing a lot of trouble in the past and there is
a lot of logic around it just to make it not fail. What's more,
when using NSS to create an SSL connection in FIPS mode, NSS
always requires database password which makes the `ipa` command
totally unusable.

NSSConnection is therefore replaced with Python's
httplib.HTTPSConnection which is OpenSSL based.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipalib/config.py|  3 ++
 ipalib/constants.py |  1 +
 ipalib/rpc.py   | 69 --
 ipalib/util.py  | 95 +
 4 files changed, 113 insertions(+), 55 deletions(-)

diff --git a/ipalib/config.py b/ipalib/config.py
index 20591db..8ecada6 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -493,6 +493,9 @@ def _bootstrap(self, **overrides):
 if 'nss_dir' not in self:
 self.nss_dir = self._join('confdir', 'nssdb')
 
+if 'ca_certfile' not in self:
+self.ca_certfile = self._join('confdir', 'ca.crt')
+
 # Set plugins_on_demand:
 if 'plugins_on_demand' not in self:
 self.plugins_on_demand = (self.context == 'cli')
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 81643da..4f40545 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -226,6 +226,7 @@
 ('conf_default', object),  # File containing context independent config
 ('plugins_on_demand', object),  # Whether to finalize plugins on-demand (bool)
 ('nss_dir', object),  # Path to nssdb, default {confdir}/nssdb
+('ca_certfile', object),  # Path to CA cert file
 
 # Set in Env._finalize_core():
 ('in_server', object),  # Whether or not running in-server (bool)
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 921f5cb..66cd1c3 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -44,7 +44,7 @@
 import gssapi
 from dns import resolver, rdatatype
 from dns.exception import DNSException
-from nss.error import NSPRError
+from ssl import SSLError
 import six
 from six.moves import urllib
 
@@ -60,8 +60,7 @@
 from ipapython.cookie import Cookie
 from ipapython.dnsutil import DNSName
 from ipalib.text import _
-import ipapython.nsslib
-from ipapython.nsslib import NSSConnection
+from ipalib.util import IPAHTTPSConnection
 from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \
  KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, \
  KRB5_REALM_CANT_RESOLVE, KRB5_CC_NOTFOUND, get_principal
@@ -470,48 +469,21 @@ def get_host_info(self, host):
 
 return (host, extra_headers, x509)
 
+
 class SSLTransport(LanguageAwareTransport):
 """Handles an HTTPS transaction to an XML-RPC server."""
-
-def get_connection_dbdir(self):
-"""
-If there is a connections open it may have already initialized
-NSS database. Return the database location used by the connection.
-"""
-for value in context.__dict__.values():
-if not isinstance(value, Connection):
-continue
-if not isinstance(
-getattr(value.conn, '_ServerProxy__transport', None),
-SSLTransport):
-continue
-if hasattr(value.conn._ServerProxy__transport, 'dbdir'):
-return value.conn._ServerProxy__transport.dbdir
-return None
-
 def make_connection(self, host):
 host, self._extra_headers, _x509 = self.get_host_info(host)
 
 if self._connection and host == self._connection[0]:
 return self._connection[1]
 
-dbdir = context.nss_dir
-connection_dbdir = self.get_connection_dbdir()
+ca_certfile = context.ca_certfile
 
-if connection_dbdir:
-# If an existing connection is already using the same NSS
-# database there is no need to re-initialize.
-no_init = dbdir == connection_dbdir
-
-else:
-# If the NSS database is already being used there is no
-# need to re-initialize.
-no_init = dbdir == ipapython.nsslib.current_dbdir
-
-conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init,
- tls_version_min=api.env.tls_version_min,
- tls_version_max=api.env.tls_version_max)
-self.dbdir=dbdir
+conn = IPAHTTPSConnection(
+host, 443, 

[Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA

2017-01-10 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/367
Author: stlaz
 Title: #367: Remove nsslib from IPA
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/367/head:pr367
git checkout pr367
From 6038830d9489cdfde4e7ac700a93c0fb2e99c7aa Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 20 Dec 2016 10:05:36 +0100
Subject: [PATCH 1/7] Remove NSSConnection from the Python RPC module

NSSConnection was causing a lot of trouble in the past and there is
a lot of logic around it just to make it not fail. What's more,
when using NSS to create an SSL connection in FIPS mode, NSS
always requires database password which makes the `ipa` command
totally unusable.

NSSConnection is therefore replaced with Python's
httplib.HTTPSConnection which is OpenSSL based.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipalib/config.py|  3 ++
 ipalib/constants.py |  1 +
 ipalib/rpc.py   | 69 --
 ipalib/util.py  | 95 +
 4 files changed, 113 insertions(+), 55 deletions(-)

diff --git a/ipalib/config.py b/ipalib/config.py
index 20591db..8ecada6 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -493,6 +493,9 @@ def _bootstrap(self, **overrides):
 if 'nss_dir' not in self:
 self.nss_dir = self._join('confdir', 'nssdb')
 
+if 'ca_certfile' not in self:
+self.ca_certfile = self._join('confdir', 'ca.crt')
+
 # Set plugins_on_demand:
 if 'plugins_on_demand' not in self:
 self.plugins_on_demand = (self.context == 'cli')
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 81643da..4f40545 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -226,6 +226,7 @@
 ('conf_default', object),  # File containing context independent config
 ('plugins_on_demand', object),  # Whether to finalize plugins on-demand (bool)
 ('nss_dir', object),  # Path to nssdb, default {confdir}/nssdb
+('ca_certfile', object),  # Path to CA cert file
 
 # Set in Env._finalize_core():
 ('in_server', object),  # Whether or not running in-server (bool)
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 921f5cb..66cd1c3 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -44,7 +44,7 @@
 import gssapi
 from dns import resolver, rdatatype
 from dns.exception import DNSException
-from nss.error import NSPRError
+from ssl import SSLError
 import six
 from six.moves import urllib
 
@@ -60,8 +60,7 @@
 from ipapython.cookie import Cookie
 from ipapython.dnsutil import DNSName
 from ipalib.text import _
-import ipapython.nsslib
-from ipapython.nsslib import NSSConnection
+from ipalib.util import IPAHTTPSConnection
 from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \
  KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, \
  KRB5_REALM_CANT_RESOLVE, KRB5_CC_NOTFOUND, get_principal
@@ -470,48 +469,21 @@ def get_host_info(self, host):
 
 return (host, extra_headers, x509)
 
+
 class SSLTransport(LanguageAwareTransport):
 """Handles an HTTPS transaction to an XML-RPC server."""
-
-def get_connection_dbdir(self):
-"""
-If there is a connections open it may have already initialized
-NSS database. Return the database location used by the connection.
-"""
-for value in context.__dict__.values():
-if not isinstance(value, Connection):
-continue
-if not isinstance(
-getattr(value.conn, '_ServerProxy__transport', None),
-SSLTransport):
-continue
-if hasattr(value.conn._ServerProxy__transport, 'dbdir'):
-return value.conn._ServerProxy__transport.dbdir
-return None
-
 def make_connection(self, host):
 host, self._extra_headers, _x509 = self.get_host_info(host)
 
 if self._connection and host == self._connection[0]:
 return self._connection[1]
 
-dbdir = context.nss_dir
-connection_dbdir = self.get_connection_dbdir()
+ca_certfile = context.ca_certfile
 
-if connection_dbdir:
-# If an existing connection is already using the same NSS
-# database there is no need to re-initialize.
-no_init = dbdir == connection_dbdir
-
-else:
-# If the NSS database is already being used there is no
-# need to re-initialize.
-no_init = dbdir == ipapython.nsslib.current_dbdir
-
-conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init,
- tls_version_min=api.env.tls_version_min,
- tls_version_max=api.env.tls_version_max)
-self.dbdir=dbdir
+conn = IPAHTTPSConnection(
+host, 443, 

[Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA

2017-01-06 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/367
Author: stlaz
 Title: #367: Remove nsslib from IPA
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/367/head:pr367
git checkout pr367
From b90e059d793f2b8f5af6246d046f5ecb9e69b71e Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 20 Dec 2016 10:05:36 +0100
Subject: [PATCH 1/7] Remove NSSConnection from the Python RPC module

NSSConnection was causing a lot of trouble in the past and there is
a lot of logic around it just to make it not fail. What's more,
when using NSS to create an SSL connection in FIPS mode, NSS
always requires database password which makes the `ipa` command
totally unusable.

NSSConnection is therefore replaced with Python's
httplib.HTTPSConnection which is OpenSSL based.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipalib/config.py|  3 ++
 ipalib/constants.py |  1 +
 ipalib/rpc.py   | 69 -
 ipalib/util.py  | 97 +
 4 files changed, 115 insertions(+), 55 deletions(-)

diff --git a/ipalib/config.py b/ipalib/config.py
index 20591db..8ecada6 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -493,6 +493,9 @@ def _bootstrap(self, **overrides):
 if 'nss_dir' not in self:
 self.nss_dir = self._join('confdir', 'nssdb')
 
+if 'ca_certfile' not in self:
+self.ca_certfile = self._join('confdir', 'ca.crt')
+
 # Set plugins_on_demand:
 if 'plugins_on_demand' not in self:
 self.plugins_on_demand = (self.context == 'cli')
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 81643da..4f40545 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -226,6 +226,7 @@
 ('conf_default', object),  # File containing context independent config
 ('plugins_on_demand', object),  # Whether to finalize plugins on-demand (bool)
 ('nss_dir', object),  # Path to nssdb, default {confdir}/nssdb
+('ca_certfile', object),  # Path to CA cert file
 
 # Set in Env._finalize_core():
 ('in_server', object),  # Whether or not running in-server (bool)
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 921f5cb..66cd1c3 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -44,7 +44,7 @@
 import gssapi
 from dns import resolver, rdatatype
 from dns.exception import DNSException
-from nss.error import NSPRError
+from ssl import SSLError
 import six
 from six.moves import urllib
 
@@ -60,8 +60,7 @@
 from ipapython.cookie import Cookie
 from ipapython.dnsutil import DNSName
 from ipalib.text import _
-import ipapython.nsslib
-from ipapython.nsslib import NSSConnection
+from ipalib.util import IPAHTTPSConnection
 from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \
  KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, \
  KRB5_REALM_CANT_RESOLVE, KRB5_CC_NOTFOUND, get_principal
@@ -470,48 +469,21 @@ def get_host_info(self, host):
 
 return (host, extra_headers, x509)
 
+
 class SSLTransport(LanguageAwareTransport):
 """Handles an HTTPS transaction to an XML-RPC server."""
-
-def get_connection_dbdir(self):
-"""
-If there is a connections open it may have already initialized
-NSS database. Return the database location used by the connection.
-"""
-for value in context.__dict__.values():
-if not isinstance(value, Connection):
-continue
-if not isinstance(
-getattr(value.conn, '_ServerProxy__transport', None),
-SSLTransport):
-continue
-if hasattr(value.conn._ServerProxy__transport, 'dbdir'):
-return value.conn._ServerProxy__transport.dbdir
-return None
-
 def make_connection(self, host):
 host, self._extra_headers, _x509 = self.get_host_info(host)
 
 if self._connection and host == self._connection[0]:
 return self._connection[1]
 
-dbdir = context.nss_dir
-connection_dbdir = self.get_connection_dbdir()
+ca_certfile = context.ca_certfile
 
-if connection_dbdir:
-# If an existing connection is already using the same NSS
-# database there is no need to re-initialize.
-no_init = dbdir == connection_dbdir
-
-else:
-# If the NSS database is already being used there is no
-# need to re-initialize.
-no_init = dbdir == ipapython.nsslib.current_dbdir
-
-conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init,
- tls_version_min=api.env.tls_version_min,
- tls_version_max=api.env.tls_version_max)
-self.dbdir=dbdir
+conn = IPAHTTPSConnection(
+host, 443, 

[Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA

2017-01-06 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/367
Author: stlaz
 Title: #367: Remove nsslib from IPA
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/367/head:pr367
git checkout pr367
From b90e059d793f2b8f5af6246d046f5ecb9e69b71e Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 20 Dec 2016 10:05:36 +0100
Subject: [PATCH 1/7] Remove NSSConnection from the Python RPC module

NSSConnection was causing a lot of trouble in the past and there is
a lot of logic around it just to make it not fail. What's more,
when using NSS to create an SSL connection in FIPS mode, NSS
always requires database password which makes the `ipa` command
totally unusable.

NSSConnection is therefore replaced with Python's
httplib.HTTPSConnection which is OpenSSL based.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipalib/config.py|  3 ++
 ipalib/constants.py |  1 +
 ipalib/rpc.py   | 69 -
 ipalib/util.py  | 97 +
 4 files changed, 115 insertions(+), 55 deletions(-)

diff --git a/ipalib/config.py b/ipalib/config.py
index 20591db..8ecada6 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -493,6 +493,9 @@ def _bootstrap(self, **overrides):
 if 'nss_dir' not in self:
 self.nss_dir = self._join('confdir', 'nssdb')
 
+if 'ca_certfile' not in self:
+self.ca_certfile = self._join('confdir', 'ca.crt')
+
 # Set plugins_on_demand:
 if 'plugins_on_demand' not in self:
 self.plugins_on_demand = (self.context == 'cli')
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 81643da..4f40545 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -226,6 +226,7 @@
 ('conf_default', object),  # File containing context independent config
 ('plugins_on_demand', object),  # Whether to finalize plugins on-demand (bool)
 ('nss_dir', object),  # Path to nssdb, default {confdir}/nssdb
+('ca_certfile', object),  # Path to CA cert file
 
 # Set in Env._finalize_core():
 ('in_server', object),  # Whether or not running in-server (bool)
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 921f5cb..66cd1c3 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -44,7 +44,7 @@
 import gssapi
 from dns import resolver, rdatatype
 from dns.exception import DNSException
-from nss.error import NSPRError
+from ssl import SSLError
 import six
 from six.moves import urllib
 
@@ -60,8 +60,7 @@
 from ipapython.cookie import Cookie
 from ipapython.dnsutil import DNSName
 from ipalib.text import _
-import ipapython.nsslib
-from ipapython.nsslib import NSSConnection
+from ipalib.util import IPAHTTPSConnection
 from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \
  KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, \
  KRB5_REALM_CANT_RESOLVE, KRB5_CC_NOTFOUND, get_principal
@@ -470,48 +469,21 @@ def get_host_info(self, host):
 
 return (host, extra_headers, x509)
 
+
 class SSLTransport(LanguageAwareTransport):
 """Handles an HTTPS transaction to an XML-RPC server."""
-
-def get_connection_dbdir(self):
-"""
-If there is a connections open it may have already initialized
-NSS database. Return the database location used by the connection.
-"""
-for value in context.__dict__.values():
-if not isinstance(value, Connection):
-continue
-if not isinstance(
-getattr(value.conn, '_ServerProxy__transport', None),
-SSLTransport):
-continue
-if hasattr(value.conn._ServerProxy__transport, 'dbdir'):
-return value.conn._ServerProxy__transport.dbdir
-return None
-
 def make_connection(self, host):
 host, self._extra_headers, _x509 = self.get_host_info(host)
 
 if self._connection and host == self._connection[0]:
 return self._connection[1]
 
-dbdir = context.nss_dir
-connection_dbdir = self.get_connection_dbdir()
+ca_certfile = context.ca_certfile
 
-if connection_dbdir:
-# If an existing connection is already using the same NSS
-# database there is no need to re-initialize.
-no_init = dbdir == connection_dbdir
-
-else:
-# If the NSS database is already being used there is no
-# need to re-initialize.
-no_init = dbdir == ipapython.nsslib.current_dbdir
-
-conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init,
- tls_version_min=api.env.tls_version_min,
- tls_version_max=api.env.tls_version_max)
-self.dbdir=dbdir
+conn = IPAHTTPSConnection(
+host, 443, 

[Freeipa-devel] [freeipa PR#367][synchronized] Remove nsslib from IPA

2017-01-04 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/367
Author: stlaz
 Title: #367: Remove nsslib from IPA
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/367/head:pr367
git checkout pr367
From 182bec40b1611bb5eac6162a49854dfdbb59a6fd Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 20 Dec 2016 10:05:36 +0100
Subject: [PATCH 1/7] Remove NSSConnection from the Python RPC module

NSSConnection was causing a lot of trouble in the past and there is
a lot of logic around it just to make it not fail. What's more,
when using NSS to create an SSL connection in FIPS mode, NSS
always requires database password which makes the `ipa` command
totally unusable.

NSSConnection is therefore replaced with Python's
httplib.HTTPSConnection which is OpenSSL based.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipalib/config.py|  3 +++
 ipalib/constants.py |  1 +
 ipalib/rpc.py   | 69 ++
 ipalib/util.py  | 73 +
 4 files changed, 91 insertions(+), 55 deletions(-)

diff --git a/ipalib/config.py b/ipalib/config.py
index 20591db..8ecada6 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -493,6 +493,9 @@ def _bootstrap(self, **overrides):
 if 'nss_dir' not in self:
 self.nss_dir = self._join('confdir', 'nssdb')
 
+if 'ca_certfile' not in self:
+self.ca_certfile = self._join('confdir', 'ca.crt')
+
 # Set plugins_on_demand:
 if 'plugins_on_demand' not in self:
 self.plugins_on_demand = (self.context == 'cli')
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 81643da..4f40545 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -226,6 +226,7 @@
 ('conf_default', object),  # File containing context independent config
 ('plugins_on_demand', object),  # Whether to finalize plugins on-demand (bool)
 ('nss_dir', object),  # Path to nssdb, default {confdir}/nssdb
+('ca_certfile', object),  # Path to CA cert file
 
 # Set in Env._finalize_core():
 ('in_server', object),  # Whether or not running in-server (bool)
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 921f5cb..66cd1c3 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -44,7 +44,7 @@
 import gssapi
 from dns import resolver, rdatatype
 from dns.exception import DNSException
-from nss.error import NSPRError
+from ssl import SSLError
 import six
 from six.moves import urllib
 
@@ -60,8 +60,7 @@
 from ipapython.cookie import Cookie
 from ipapython.dnsutil import DNSName
 from ipalib.text import _
-import ipapython.nsslib
-from ipapython.nsslib import NSSConnection
+from ipalib.util import IPAHTTPSConnection
 from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \
  KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, \
  KRB5_REALM_CANT_RESOLVE, KRB5_CC_NOTFOUND, get_principal
@@ -470,48 +469,21 @@ def get_host_info(self, host):
 
 return (host, extra_headers, x509)
 
+
 class SSLTransport(LanguageAwareTransport):
 """Handles an HTTPS transaction to an XML-RPC server."""
-
-def get_connection_dbdir(self):
-"""
-If there is a connections open it may have already initialized
-NSS database. Return the database location used by the connection.
-"""
-for value in context.__dict__.values():
-if not isinstance(value, Connection):
-continue
-if not isinstance(
-getattr(value.conn, '_ServerProxy__transport', None),
-SSLTransport):
-continue
-if hasattr(value.conn._ServerProxy__transport, 'dbdir'):
-return value.conn._ServerProxy__transport.dbdir
-return None
-
 def make_connection(self, host):
 host, self._extra_headers, _x509 = self.get_host_info(host)
 
 if self._connection and host == self._connection[0]:
 return self._connection[1]
 
-dbdir = context.nss_dir
-connection_dbdir = self.get_connection_dbdir()
+ca_certfile = context.ca_certfile
 
-if connection_dbdir:
-# If an existing connection is already using the same NSS
-# database there is no need to re-initialize.
-no_init = dbdir == connection_dbdir
-
-else:
-# If the NSS database is already being used there is no
-# need to re-initialize.
-no_init = dbdir == ipapython.nsslib.current_dbdir
-
-conn = NSSConnection(host, 443, dbdir=dbdir, no_init=no_init,
- tls_version_min=api.env.tls_version_min,
- tls_version_max=api.env.tls_version_max)
-self.dbdir=dbdir
+conn = IPAHTTPSConnection(
+host,